ArithSub over Int52 has shouldCheckOverflow as always true
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-04-10  Saam Barati  <sbarati@apple.com>
2
3         ArithSub over Int52 has shouldCheckOverflow as always true
4         https://bugs.webkit.org/show_bug.cgi?id=196796
5
6         Reviewed by Yusuke Suzuki.
7
8         AI was checking for ArithSub over Int52 if !shouldCheckOverflow. However,
9         shouldCheckOverflow is always true, so !shouldCheckOverflow is always
10         false. We shouldn't check something we assert against.
11
12         * dfg/DFGAbstractInterpreterInlines.h:
13         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
14
15 2019-04-10  Basuke Suzuki  <basuke.suzuki@sony.com>
16
17         [PlayStation] Specify byte order clearly on Remote Inspector Protocol
18         https://bugs.webkit.org/show_bug.cgi?id=196790
19
20         Reviewed by Ross Kirsling.
21
22         The original implementation lacks a byte order specification. Network byte order is a
23         good candidate if there's no strong reason to choose another.
24         Currently no client exists for the PlayStation remote inspector protocol, so we can
25         change the byte order without concern.
26
27         * inspector/remote/playstation/RemoteInspectorMessageParserPlayStation.cpp:
28         (Inspector::MessageParser::createMessage):
29         (Inspector::MessageParser::parse):
30
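The entry above settles on network byte order for the PlayStation remote inspector framing but does not show the framing itself. The following is an added example, not WebKit's MessageParser code: it assumes a hypothetical length-prefixed format (a 4-byte big-endian length, then the payload) and shows both the endian-independent encoder and a parser that checks the declared length against the bytes actually present before copying anything, which is the check a practitioner wants at any such trust boundary. The maxFrameSize limit is a policy choice assumed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

namespace framing {

// Hypothetical wire format for this example: a 4-byte payload length in
// network (big-endian) byte order, then the payload bytes.
constexpr std::size_t kHeaderSize = 4;

// Emit the length most-significant byte first. Shifting the bytes out
// (instead of memcpy'ing a uint32_t) makes the encoding identical on every host.
std::vector<uint8_t> createMessage(const std::string& payload)
{
    std::vector<uint8_t> out;
    uint32_t length = static_cast<uint32_t>(payload.size());
    out.push_back(static_cast<uint8_t>(length >> 24));
    out.push_back(static_cast<uint8_t>(length >> 16));
    out.push_back(static_cast<uint8_t>(length >> 8));
    out.push_back(static_cast<uint8_t>(length));
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

struct ParseResult {
    std::vector<std::string> messages; // complete frames found in the buffer
    std::size_t consumed = 0;          // bytes the caller may drop from its buffer
    bool malformed = false;            // a declared length exceeded the policy limit
};

// Read as many complete frames as the buffer holds. The length is decoded
// big-endian byte by byte and checked against the bytes actually present
// before anything is copied, so a short or hostile prefix cannot read past
// the end of the buffer. Frames larger than maxFrameSize are rejected
// outright rather than buffered indefinitely.
ParseResult parse(const std::vector<uint8_t>& buffer, std::size_t maxFrameSize = 1u << 20)
{
    ParseResult result;
    std::size_t offset = 0;
    while (buffer.size() - offset >= kHeaderSize) {
        uint32_t length = (static_cast<uint32_t>(buffer[offset]) << 24)
            | (static_cast<uint32_t>(buffer[offset + 1]) << 16)
            | (static_cast<uint32_t>(buffer[offset + 2]) << 8)
            | static_cast<uint32_t>(buffer[offset + 3]);
        if (length > maxFrameSize) {
            result.malformed = true; // peer violated the protocol; drop the connection
            break;
        }
        std::size_t available = buffer.size() - offset - kHeaderSize;
        if (available < length)
            break; // incomplete frame: keep the bytes and wait for more
        auto begin = buffer.begin() + static_cast<std::ptrdiff_t>(offset + kHeaderSize);
        result.messages.emplace_back(begin, begin + static_cast<std::ptrdiff_t>(length));
        offset += kHeaderSize + length;
    }
    result.consumed = offset;
    return result;
}

} // namespace framing

int main()
{
    // Constructed sample stream: two frames back to back.
    std::vector<uint8_t> stream = framing::createMessage("hi");
    std::vector<uint8_t> second = framing::createMessage("there");
    stream.insert(stream.end(), second.begin(), second.end());
    framing::ParseResult r = framing::parse(stream); // messages {"hi", "there"}, consumed 15
    return r.messages.size() == 2 ? 0 : 1;
}
```

Encoding the length by shifting bytes out, rather than writing a uint32_t through memcpy, is what makes the choice explicit: the bytes are the same whether the host is little- or big-endian, so a client written later for another platform cannot silently disagree with the inspector target. The parser never trusts the declared length on its own; it either has the bytes, waits for them, or refuses the frame.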
31 2019-04-10  Devin Rousso  <drousso@apple.com>
32
33         Web Inspector: Inspector: lazily create the agent
34         https://bugs.webkit.org/show_bug.cgi?id=195971
35         <rdar://problem/49039645>
36
37         Reviewed by Joseph Pecoraro.
38
39         * inspector/JSGlobalObjectInspectorController.cpp:
40         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
41         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
42         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
43         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
44
45         * inspector/agents/InspectorAgent.h:
46         * inspector/agents/InspectorAgent.cpp:
47
48 2019-04-10  Saam Barati  <sbarati@apple.com>
49
50         Work around an arm64_32 LLVM miscompile bug
51         https://bugs.webkit.org/show_bug.cgi?id=196788
52
53         Reviewed by Yusuke Suzuki.
54
55         * runtime/CachedTypes.cpp:
56
57 2019-04-10  Devin Rousso  <drousso@apple.com>
58
59         Web Inspector: Timelines: can't reliably stop/start a recording
60         https://bugs.webkit.org/show_bug.cgi?id=196778
61         <rdar://problem/47606798>
62
63         Reviewed by Timothy Hatcher.
64
65         * inspector/protocol/ScriptProfiler.json:
66         * inspector/protocol/Timeline.json:
67         It is possible to determine when programmatic capturing starts/stops in the frontend based
68         on the state when the backend causes the state to change, such as if the state is "inactive"
69         when the frontend is told that the backend has started capturing.
70
71         * inspector/protocol/CPUProfiler.json:
72         * inspector/protocol/Memory.json:
73         Send an end timestamp to match other instruments.
74
75         * inspector/JSGlobalObjectConsoleClient.cpp:
76         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
77         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
78
79         * inspector/agents/InspectorScriptProfilerAgent.h:
80         * inspector/agents/InspectorScriptProfilerAgent.cpp:
81         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
82         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
83         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
84
85 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
86
87         Unreviewed, fix watch build after r244143
88         https://bugs.webkit.org/show_bug.cgi?id=195000
89
90         The result of `lseek` should be `off_t` rather than `int`.
91
92         * jsc.cpp:
93
94 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
95
96         Add support for incremental bytecode cache updates
97         https://bugs.webkit.org/show_bug.cgi?id=195000
98
99         Reviewed by Filip Pizlo.
100
101         Add support for incremental updates to the bytecode cache. The cache
102         is constructed as follows:
103         - When the cache is empty, the initial payload can be added to the BytecodeCache
104         by calling BytecodeCache::addGlobalUpdate. This represents the encoded
105         top-level UnlinkedCodeBlock.
106         - Afterwards, updates can be added by calling BytecodeCache::addFunctionUpdate.
107         The update is applied by appending the encoded UnlinkedFunctionCodeBlock
108         to the existing cache and updating the CachedFunctionExecutableMetadata
109         and the offset of the new CachedFunctionCodeBlock in the owner CachedFunctionExecutable.
110
111         * API/JSScript.mm:
112         (-[JSScript readCache]):
113         (-[JSScript isUsingBytecodeCache]):
114         (-[JSScript init]):
115         (-[JSScript cachedBytecode]):
116         (-[JSScript writeCache:]):
117         * API/JSScriptInternal.h:
118         * API/JSScriptSourceProvider.h:
119         * API/JSScriptSourceProvider.mm:
120         (JSScriptSourceProvider::cachedBytecode const):
121         * CMakeLists.txt:
122         * JavaScriptCore.xcodeproj/project.pbxproj:
123         * Sources.txt:
124         * bytecode/UnlinkedFunctionExecutable.cpp:
125         (JSC::generateUnlinkedFunctionCodeBlock):
126         * jsc.cpp:
127         (ShellSourceProvider::~ShellSourceProvider):
128         (ShellSourceProvider::cachePath const):
129         (ShellSourceProvider::loadBytecode const):
130         (ShellSourceProvider::ShellSourceProvider):
131         (ShellSourceProvider::cacheEnabled):
132         * parser/SourceProvider.h:
133         (JSC::SourceProvider::cachedBytecode const):
134         (JSC::SourceProvider::updateCache const):
135         (JSC::SourceProvider::commitCachedBytecode const):
136         * runtime/CachePayload.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
137         (JSC::CachePayload::makeMappedPayload):
138         (JSC::CachePayload::makeMallocPayload):
139         (JSC::CachePayload::makeEmptyPayload):
140         (JSC::CachePayload::CachePayload):
141         (JSC::CachePayload::~CachePayload):
142         (JSC::CachePayload::operator=):
143         (JSC::CachePayload::freeData):
144         * runtime/CachePayload.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
145         (JSC::CachePayload::data const):
146         (JSC::CachePayload::size const):
147         (JSC::CachePayload::CachePayload):
148         * runtime/CacheUpdate.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
149         (JSC::CacheUpdate::CacheUpdate):
150         (JSC::CacheUpdate::operator=):
151         (JSC::CacheUpdate::isGlobal const):
152         (JSC::CacheUpdate::asGlobal const):
153         (JSC::CacheUpdate::asFunction const):
154         * runtime/CacheUpdate.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
155         * runtime/CachedBytecode.cpp: Added.
156         (JSC::CachedBytecode::addGlobalUpdate):
157         (JSC::CachedBytecode::addFunctionUpdate):
158         (JSC::CachedBytecode::copyLeafExecutables):
159         (JSC::CachedBytecode::commitUpdates const):
160         * runtime/CachedBytecode.h: Added.
161         (JSC::CachedBytecode::create):
162         (JSC::CachedBytecode::leafExecutables):
163         (JSC::CachedBytecode::data const):
164         (JSC::CachedBytecode::size const):
165         (JSC::CachedBytecode::hasUpdates const):
166         (JSC::CachedBytecode::sizeForUpdate const):
167         (JSC::CachedBytecode::CachedBytecode):
168         * runtime/CachedTypes.cpp:
169         (JSC::Encoder::addLeafExecutable):
170         (JSC::Encoder::release):
171         (JSC::Decoder::Decoder):
172         (JSC::Decoder::create):
173         (JSC::Decoder::size const):
174         (JSC::Decoder::offsetOf):
175         (JSC::Decoder::ptrForOffsetFromBase):
176         (JSC::Decoder::addLeafExecutable):
177         (JSC::VariableLengthObject::VariableLengthObject):
178         (JSC::VariableLengthObject::buffer const):
179         (JSC::CachedPtrOffsets::offsetOffset):
180         (JSC::CachedWriteBarrierOffsets::ptrOffset):
181         (JSC::CachedFunctionExecutable::features const):
182         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
183         (JSC::CachedFunctionExecutableOffsets::codeBlockForCallOffset):
184         (JSC::CachedFunctionExecutableOffsets::codeBlockForConstructOffset):
185         (JSC::CachedFunctionExecutableOffsets::metadataOffset):
186         (JSC::CachedFunctionExecutable::encode):
187         (JSC::CachedFunctionExecutable::decode const):
188         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
189         (JSC::encodeCodeBlock):
190         (JSC::encodeFunctionCodeBlock):
191         (JSC::decodeCodeBlockImpl):
192         (JSC::isCachedBytecodeStillValid):
193         * runtime/CachedTypes.h:
194         (JSC::VariableLengthObjectBase::VariableLengthObjectBase):
195         (JSC::decodeCodeBlock):
196         * runtime/CodeCache.cpp:
197         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
198         (JSC::CodeCache::updateCache):
199         (JSC::CodeCache::write):
200         (JSC::writeCodeBlock):
201         (JSC::serializeBytecode):
202         * runtime/CodeCache.h:
203         (JSC::SourceCodeValue::SourceCodeValue):
204         (JSC::CodeCacheMap::findCacheAndUpdateAge):
205         (JSC::CodeCacheMap::fetchFromDiskImpl):
206         * runtime/Completion.cpp:
207         (JSC::generateProgramBytecode):
208         (JSC::generateModuleBytecode):
209         * runtime/Completion.h:
210         * runtime/LeafExecutable.cpp: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
211         (JSC::LeafExecutable::operator+ const):
212         * runtime/LeafExecutable.h: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
213         (JSC::LeafExecutable::LeafExecutable):
214         (JSC::LeafExecutable::base const):
215
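The procedure described in the entry above (a global update first, then appended function updates whose offsets are patched into the owner) is easy to get subtly wrong when the cache is read back, so here is an added example that is not JSC's CachedTypes encoding: a hypothetical append-only layout with a fixed slot table, the two update operations, and a decoder that treats the file as untrusted and bounds-checks every offset and size before following it. The magic value, the slot table and the record format are all assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

namespace cache {

// Hypothetical on-disk layout for this example (not JSC's real encoding):
//   [magic u32][functionCount u32][slot[0] u32] ... [slot[n-1] u32]  <- global update
//   [size u32][bytes...]                                             <- one function update
// Each slot starts as kNotCached and is patched to the record's offset once
// that function's bytecode has been appended.
constexpr uint32_t kMagic = 0x4A534243;   // hypothetical "JSBC"
constexpr uint32_t kNotCached = 0xFFFFFFFFu;
constexpr std::size_t kHeaderSize = 8;

// Fixed little-endian integers so the file does not depend on host byte order.
static void putU32(std::vector<uint8_t>& v, uint32_t x) { for (int i = 0; i < 4; ++i) v.push_back(static_cast<uint8_t>(x >> (8 * i))); }
static void setU32(std::vector<uint8_t>& v, std::size_t at, uint32_t x) { for (int i = 0; i < 4; ++i) v[at + i] = static_cast<uint8_t>(x >> (8 * i)); }
static uint32_t getU32(const std::vector<uint8_t>& v, std::size_t at) { uint32_t x = 0; for (int i = 0; i < 4; ++i) x |= static_cast<uint32_t>(v[at + i]) << (8 * i); return x; }

class CachedBytecode {
public:
    // First update: the top-level record, with one empty slot per function.
    bool addGlobalUpdate(uint32_t functionCount)
    {
        if (!m_data.empty())
            return false; // only valid on an empty cache
        putU32(m_data, kMagic);
        putU32(m_data, functionCount);
        for (uint32_t i = 0; i < functionCount; ++i)
            putU32(m_data, kNotCached);
        return true;
    }

    // Later updates: append the encoded function and patch the owner's slot to
    // point at it. Returns the record's offset, or nullopt if rejected.
    std::optional<uint32_t> addFunctionUpdate(uint32_t functionIndex, const std::vector<uint8_t>& encoded)
    {
        if (m_data.size() < kHeaderSize)
            return std::nullopt; // no global update yet
        if (functionIndex >= getU32(m_data, 4))
            return std::nullopt;
        std::size_t slot = kHeaderSize + 4 * static_cast<std::size_t>(functionIndex);
        if (getU32(m_data, slot) != kNotCached)
            return std::nullopt; // already cached; never overwrite an existing record
        uint32_t offset = static_cast<uint32_t>(m_data.size());
        putU32(m_data, static_cast<uint32_t>(encoded.size()));
        m_data.insert(m_data.end(), encoded.begin(), encoded.end());
        setU32(m_data, slot, offset);
        return offset;
    }

    const std::vector<uint8_t>& data() const { return m_data; }

private:
    std::vector<uint8_t> m_data;
};

struct DecodeResult {
    bool valid = false;
    std::vector<std::optional<std::vector<uint8_t>>> functions; // nullopt = not cached yet
};

// A cache file on disk is untrusted input: every offset and size is checked
// against the file before being dereferenced, and offsets must point past the
// slot table so a record cannot alias the header.
DecodeResult decode(const std::vector<uint8_t>& data)
{
    DecodeResult result;
    if (data.size() < kHeaderSize || getU32(data, 0) != kMagic)
        return result;
    uint32_t functionCount = getU32(data, 4);
    if (functionCount > (data.size() - kHeaderSize) / 4)
        return result; // slot table would run off the end
    std::size_t tableEnd = kHeaderSize + 4 * static_cast<std::size_t>(functionCount);
    for (uint32_t i = 0; i < functionCount; ++i) {
        uint32_t offset = getU32(data, kHeaderSize + 4 * static_cast<std::size_t>(i));
        if (offset == kNotCached) {
            result.functions.push_back(std::nullopt);
            continue;
        }
        if (offset < tableEnd || offset > data.size() - 4)
            return result; // record header outside the file or inside the table
        uint32_t size = getU32(data, offset);
        if (size > data.size() - offset - 4)
            return result; // record body overruns the file
        auto begin = data.begin() + static_cast<std::ptrdiff_t>(offset) + 4;
        result.functions.emplace_back(std::vector<uint8_t>(begin, begin + static_cast<std::ptrdiff_t>(size)));
    }
    result.valid = true;
    return result;
}

} // namespace cache

int main()
{
    cache::CachedBytecode bytecode;
    bytecode.addGlobalUpdate(2);
    bytecode.addFunctionUpdate(1, { 0x01, 0x02, 0x03 }); // lands at offset 16
    cache::DecodeResult decoded = cache::decode(bytecode.data());
    return (decoded.valid && decoded.functions[1].has_value()) ? 0 : 1;
}
```

The decoder rejects a slot that points into the header or table, a record header that starts past the end of the file, and a record body that claims more bytes than remain. An on-disk bytecode cache is loaded into the same process that will execute the code, so a missing check here turns a corrupted or attacker-controlled cache file into an out-of-bounds read.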
216 2019-04-10  Michael Catanzaro  <mcatanzaro@igalia.com>
217
218         Unreviewed, rolling out r243989.
219
220         Broke i686 builds
221
222         Reverted changeset:
223
224         "[CMake] Detect SSE2 at compile time"
225         https://bugs.webkit.org/show_bug.cgi?id=196488
226         https://trac.webkit.org/changeset/243989
227
228 2019-04-10  Robin Morisset  <rmorisset@apple.com>
229
230         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
231         https://bugs.webkit.org/show_bug.cgi?id=196746
232
233         Reviewed by Yusuke Suzuki.
234
235         It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.
236
237         * runtime/ObjectConstructor.cpp:
238         (JSC::defineProperties):
239
240 2019-04-10  Antoine Quint  <graouts@apple.com>
241
242         Enable Pointer Events on watchOS
243         https://bugs.webkit.org/show_bug.cgi?id=196771
244         <rdar://problem/49040909>
245
246         Reviewed by Dean Jackson.
247
248         * Configurations/FeatureDefines.xcconfig:
249
250 2019-04-09  Keith Rollin  <krollin@apple.com>
251
252         Unreviewed build maintenance -- update .xcfilelists.
253
254         * DerivedSources-input.xcfilelist:
255
256 2019-04-09  Ross Kirsling  <ross.kirsling@sony.com>
257
258         JSC should build successfully even with -DENABLE_UNIFIED_BUILDS=OFF
259         https://bugs.webkit.org/show_bug.cgi?id=193073
260
261         Reviewed by Keith Miller.
262
263         * bytecompiler/BytecodeGenerator.cpp:
264         (JSC::BytecodeGenerator::emitEqualityOpImpl):
265         (JSC::BytecodeGenerator::emitEqualityOp): Deleted.
266         * bytecompiler/BytecodeGenerator.h:
267         (JSC::BytecodeGenerator::emitEqualityOp):
268         Factor out the logic that uses the template parameter and keep it in the header.
269
270         * jit/JITPropertyAccess.cpp:
271         List off the template specializations needed by JITOperations.cpp.
272         This is unfortunate but at least there are only two (x2) by definition?
273         Trying to do away with this incurs a severe domino effect...
274
275         * API/JSValueRef.cpp:
276         * b3/B3OptimizeAssociativeExpressionTrees.cpp:
277         * b3/air/AirHandleCalleeSaves.cpp:
278         * builtins/BuiltinNames.cpp:
279         * bytecode/AccessCase.cpp:
280         * bytecode/BytecodeIntrinsicRegistry.cpp:
281         * bytecode/BytecodeIntrinsicRegistry.h:
282         * bytecode/BytecodeRewriter.cpp:
283         * bytecode/BytecodeUseDef.h:
284         * bytecode/CodeBlock.cpp:
285         * bytecode/InstanceOfAccessCase.cpp:
286         * bytecode/MetadataTable.cpp:
287         * bytecode/PolyProtoAccessChain.cpp:
288         * bytecode/StructureSet.cpp:
289         * bytecompiler/NodesCodegen.cpp:
290         * dfg/DFGCFAPhase.cpp:
291         * dfg/DFGPureValue.cpp:
292         * heap/GCSegmentedArray.h:
293         * heap/HeapInlines.h:
294         * heap/IsoSubspace.cpp:
295         * heap/LocalAllocator.cpp:
296         * heap/LocalAllocator.h:
297         * heap/LocalAllocatorInlines.h:
298         * heap/MarkingConstraintSolver.cpp:
299         * inspector/ScriptArguments.cpp:
300         (Inspector::ScriptArguments::isEqual const):
301         * inspector/ScriptCallStackFactory.cpp:
302         * interpreter/CallFrame.h:
303         * interpreter/Interpreter.cpp:
304         * interpreter/StackVisitor.cpp:
305         * llint/LLIntEntrypoint.cpp:
306         * runtime/ArrayIteratorPrototype.cpp:
307         * runtime/BigIntPrototype.cpp:
308         * runtime/CachedTypes.cpp:
309         * runtime/ErrorType.cpp:
310         * runtime/IndexingType.cpp:
311         * runtime/JSCellInlines.h:
312         * runtime/JSImmutableButterfly.h:
313         * runtime/Operations.h:
314         * runtime/RegExpCachedResult.cpp:
315         * runtime/RegExpConstructor.cpp:
316         * runtime/RegExpGlobalData.cpp:
317         * runtime/StackFrame.h:
318         * wasm/WasmSignature.cpp:
319         * wasm/js/JSToWasm.cpp:
320         * wasm/js/JSToWasmICCallee.cpp:
321         * wasm/js/WebAssemblyFunction.h:
322         Fix includes / forward declarations (and a couple of nearby clang warnings).
323
324 2019-04-09  Don Olmstead  <don.olmstead@sony.com>
325
326         [CMake] Apple builds should use ICU_INCLUDE_DIRS
327         https://bugs.webkit.org/show_bug.cgi?id=196720
328
329         Reviewed by Konstantin Tokarev.
330
331         * PlatformMac.cmake:
332
333 2019-04-09  Saam Barati  <sbarati@apple.com>
334
335         Clean up Int52 code and some bugs in it
336         https://bugs.webkit.org/show_bug.cgi?id=196639
337         <rdar://problem/49515757>
338
339         Reviewed by Yusuke Suzuki.
340
341         This patch fixes bugs in our Int52 code. The primary change in this patch is
342         adopting a segregated type lattice for Int52. Previously, for Int52 values,
343         we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
344         SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
345         that the value is outside of the int32 range.
346         
347         However, this got confusing because we reused SpecInt32Only both for JSValue
348         representations and Int52 representations. This actually led to some bugs.
349         
350         1. It's possible that roundtripping through Int52 representation would say
351         it produces the wrong type. For example, consider this program and how we
352         used to annotate types in AI:
353         a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
354         b: Int52Rep(@a) => m_type is SpecInt52Only
355         c: ValueRep(@b) => m_type is SpecAnyIntAsDouble
356         
357         In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
358         However, the execution semantics are such that it'd actually produce a boxed
359         Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
360         would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
361         mean an int value in either int32 or int52 range.
362         
363         2. AbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it
364         accepted Int52 values. It was wrong in two different ways:
365         a: If the AbstractValue's type was SpecInt52Only, and the incoming value
366         was a boxed double, but represented a value in int32 range, the incoming
367         value would incorrectly validate as being acceptable. However, we should
368         have rejected this value.
369         b: If the AbstractValue's type was SpecInt32Only, and the incoming value
370         was an Int32 boxed in a double, this would not validate, even though
371         it should have validated.
372         
373         Solving 2 was easiest if we segregated out the Int52 type into its own
374         lattice. This patch makes a new Int52 lattice, which is composed of
375         SpecInt32AsInt52 and SpecNonInt32AsInt52.
376         
377         The conversion rules are now really simple.
378         
379         Int52 rep => JSValue rep
380         SpecInt32AsInt52 => SpecInt32Only
381         SpecNonInt32AsInt52 => SpecAnyIntAsDouble
382         
383         JSValue rep => Int52 rep
384         SpecInt32Only => SpecInt32AsInt52
385         SpecAnyIntAsDouble => SpecInt52Any
386         
387         With these rules, the program in (1) will now correctly report that @c
388         returns SpecInt32Only | SpecAnyIntAsDouble.
389
390         * bytecode/SpeculatedType.cpp:
391         (JSC::dumpSpeculation):
392         (JSC::speculationToAbbreviatedString):
393         (JSC::int52AwareSpeculationFromValue):
394         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
395         (JSC::speculationFromString):
396         * bytecode/SpeculatedType.h:
397         (JSC::isInt32SpeculationForArithmetic):
398         (JSC::isInt32OrBooleanSpeculationForArithmetic):
399         (JSC::isAnyInt52Speculation):
400         (JSC::isIntAnyFormat):
401         (JSC::isInt52Speculation): Deleted.
402         (JSC::isAnyIntSpeculation): Deleted.
403         * dfg/DFGAbstractInterpreterInlines.h:
404         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
405         * dfg/DFGAbstractValue.cpp:
406         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
407         (JSC::DFG::AbstractValue::checkConsistency const):
408         * dfg/DFGAbstractValue.h:
409         (JSC::DFG::AbstractValue::isInt52Any const):
410         (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
411         * dfg/DFGFixupPhase.cpp:
412         (JSC::DFG::FixupPhase::fixupArithMul):
413         (JSC::DFG::FixupPhase::fixupNode):
414         (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
415         (JSC::DFG::FixupPhase::fixupToThis):
416         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
417         (JSC::DFG::FixupPhase::observeUseKindOnNode):
418         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
419         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
420         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
421         (JSC::DFG::FixupPhase::fixupChecksInBlock):
422         * dfg/DFGGraph.h:
423         (JSC::DFG::Graph::addShouldSpeculateInt52):
424         (JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
425         (JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
426         (JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
427         (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
428         (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.
429         * dfg/DFGNode.h:
430         (JSC::DFG::Node::shouldSpeculateInt52):
431         (JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.
432         * dfg/DFGPredictionPropagationPhase.cpp:
433         * dfg/DFGSpeculativeJIT.cpp:
434         (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
435         (JSC::DFG::SpeculativeJIT::compileArithAdd):
436         (JSC::DFG::SpeculativeJIT::compileArithSub):
437         (JSC::DFG::SpeculativeJIT::compileArithNegate):
438         * dfg/DFGSpeculativeJIT64.cpp:
439         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
440         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
441         * dfg/DFGUseKind.h:
442         (JSC::DFG::typeFilterFor):
443         * dfg/DFGVariableAccessData.cpp:
444         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
445         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
446         * ftl/FTLLowerDFGToB3.cpp:
447         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
448         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
449         (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):
450
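To make the lattice rules in the entry above concrete, here is an added example (not JSC's SpeculatedType code; the bit values and the BoxedValue model are this example's own) that implements the two conversion tables, re-runs the program from point (1), and implements validateTypeAcceptingBoxedInt52 so that cases (a) and (b) from point (2) come out as the entry says they should. The int52 range check assumes the signed 52-bit range of plus or minus 2^51.

```cpp
#include <cmath>
#include <cstdint>

namespace int52 {

using SpeculatedType = uint32_t;

// Speculation bits. The names come from the ChangeLog entry; the bit values
// and everything else here are this example's own.
constexpr SpeculatedType SpecInt32Only       = 1u << 0; // JSValue rep: boxed int32
constexpr SpeculatedType SpecAnyIntAsDouble  = 1u << 1; // JSValue rep: integral double in int52 range
constexpr SpeculatedType SpecInt32AsInt52    = 1u << 2; // Int52 rep: value fits int32
constexpr SpeculatedType SpecNonInt32AsInt52 = 1u << 3; // Int52 rep: value outside int32 range
constexpr SpeculatedType SpecInt52Any = SpecInt32AsInt52 | SpecNonInt32AsInt52;

// Int52Rep: JSValue rep -> Int52 rep. An integral double may hold a value in
// or out of int32 range, so it maps to the whole Int52 lattice, not only the
// non-int32 half (which was the pre-patch mistake).
SpeculatedType int52RepFromJSValueRep(SpeculatedType type)
{
    SpeculatedType result = 0;
    if (type & SpecInt32Only)
        result |= SpecInt32AsInt52;
    if (type & SpecAnyIntAsDouble)
        result |= SpecInt52Any;
    return result;
}

// ValueRep: Int52 rep -> JSValue rep.
SpeculatedType jsValueRepFromInt52Rep(SpeculatedType type)
{
    SpeculatedType result = 0;
    if (type & SpecInt32AsInt52)
        result |= SpecInt32Only;
    if (type & SpecNonInt32AsInt52)
        result |= SpecAnyIntAsDouble;
    return result;
}

// The program from the entry: a: JSConstant(10.0), b: Int52Rep(@a), c: ValueRep(@b).
SpeculatedType typeOfValueRepOfInt52RepOfDouble()
{
    SpeculatedType a = SpecAnyIntAsDouble;
    SpeculatedType b = int52RepFromJSValueRep(a);
    return jsValueRepFromInt52Rep(b);
}

// A boxed JSValue that is either an int32 or a double (example model).
struct BoxedValue {
    bool isInt32;
    int32_t int32Value;
    double doubleValue;
};
inline BoxedValue boxedInt32(int32_t v) { return { true, v, 0.0 }; }
inline BoxedValue boxedDouble(double d) { return { false, 0, d }; }

static bool fitsInt32(double d) { return d >= -2147483648.0 && d <= 2147483647.0; }
// Integral and within [-2^51, 2^51); NaN fails every comparison.
static bool isInt52(double d) { return std::trunc(d) == d && d >= -2251799813685248.0 && d < 2251799813685248.0; }

// validateTypeAcceptingBoxedInt52 after the fix: classify the concrete value
// by its numeric range, then require the matching lattice bit. A double in
// int32 range is accepted by SpecInt32AsInt52 (case b) and rejected by
// SpecNonInt32AsInt52 alone (case a).
bool validateTypeAcceptingBoxedInt52(SpeculatedType type, const BoxedValue& value)
{
    if (value.isInt32)
        return (type & SpecInt32AsInt52) != 0;
    double d = value.doubleValue;
    if (!isInt52(d))
        return false; // not representable as Int52 at all (NaN, fraction, out of range)
    SpeculatedType needed = fitsInt32(d) ? SpecInt32AsInt52 : SpecNonInt32AsInt52;
    return (type & needed) != 0;
}

} // namespace int52

int main()
{
    using namespace int52;
    bool ok = typeOfValueRepOfInt52RepOfDouble() == (SpecInt32Only | SpecAnyIntAsDouble)
        && validateTypeAcceptingBoxedInt52(SpecInt32AsInt52, boxedDouble(10.0))
        && !validateTypeAcceptingBoxedInt52(SpecNonInt32AsInt52, boxedDouble(10.0));
    return ok ? 0 : 1;
}
```

Running the program from (1) through these rules gives SpecInt32Only | SpecAnyIntAsDouble for @c, matching the entry's conclusion. In validation, the concrete value is classified by its numeric range first and only then matched against the lattice bit, which is what keeps a boxed double holding 10.0 from being accepted by SpecNonInt32AsInt52 and from being rejected by SpecInt32AsInt52.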
451 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
452
453         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
454         https://bugs.webkit.org/show_bug.cgi?id=196708
455         <rdar://problem/49556803>
456
457         Reviewed by Yusuke Suzuki.
458
459         `operationPutToScope` needs to return early if an exception is thrown while
460         checking if `hasProperty`.
461
462         * jit/JITOperations.cpp:
463
464 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
465
466         [JSC] DFG should respect node's strict flag
467         https://bugs.webkit.org/show_bug.cgi?id=196617
468
469         Reviewed by Saam Barati.
470
471         We accidentally use codeBlock->isStrictMode() directly in DFG and FTL. But this is wrong since this CodeBlock is the top level DFG/FTL CodeBlock,
472         and this code does not respect the isStrictMode flag for the inlined CodeBlocks. In this patch, we start using isStrictModeFor(CodeOrigin) consistently
473         in DFG and FTL to get the right isStrictMode flag for the DFG node.
474         And we also split compilePutDynamicVar into compilePutDynamicVarStrict and compilePutDynamicVarNonStrict since (1) it is cleaner than accessing inlined
475         callframe in the operation function, and (2) it is aligned to the other functions like operationPutByValDirectNonStrict etc.
476         This bug was discovered by RandomizingFuzzerAgent by expanding the DFG coverage.
477
478         * dfg/DFGAbstractInterpreterInlines.h:
479         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
480         * dfg/DFGConstantFoldingPhase.cpp:
481         (JSC::DFG::ConstantFoldingPhase::foldConstants):
482         * dfg/DFGFixupPhase.cpp:
483         (JSC::DFG::FixupPhase::fixupToThis):
484         * dfg/DFGOperations.cpp:
485         * dfg/DFGOperations.h:
486         * dfg/DFGPredictionPropagationPhase.cpp:
487         * dfg/DFGSpeculativeJIT.cpp:
488         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
489         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
490         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
491         (JSC::DFG::SpeculativeJIT::compileToThis):
492         * dfg/DFGSpeculativeJIT32_64.cpp:
493         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
494         (JSC::DFG::SpeculativeJIT::compile):
495         * dfg/DFGSpeculativeJIT64.cpp:
496         (JSC::DFG::SpeculativeJIT::compile):
497         * ftl/FTLLowerDFGToB3.cpp:
498         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
499         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
500
501 2019-04-08  Don Olmstead  <don.olmstead@sony.com>
502
503         [CMake][WinCairo] Separate copied headers into different directories
504         https://bugs.webkit.org/show_bug.cgi?id=196655
505
506         Reviewed by Michael Catanzaro.
507
508         * CMakeLists.txt:
509         * shell/PlatformWin.cmake:
510
511 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
512
513         [JSC] isRope jump in StringSlice should not jump over register allocations
514         https://bugs.webkit.org/show_bug.cgi?id=196716
515
516         Reviewed by Saam Barati.
517
518         Jumping over the register allocation code in DFG (like the following) is wrong.
519
520             auto jump = m_jit.branchXXX();
521             {
522                 GPRTemporary reg(this);
523                 GPRReg regGPR = reg.gpr();
524                 ...
525             }
526             jump.link(&m_jit);
527
528         When GPRTemporary::gpr allocates a new register, it can flush the previous register value into the stack and make the register usable.
529         Jumping over this register allocation code skips the flushing code, and makes the DFG's stack and register content tracking inconsistent:
530         DFG thinks that the content is flushed and stored in particular stack slot even while this flushing code is skipped.
531         In this patch, we perform register allocations before jumping to the slow path based on `isRope` condition in StringSlice.
532
533         * dfg/DFGSpeculativeJIT.cpp:
534         (JSC::DFG::SpeculativeJIT::compileStringSlice):
535
536 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
537
538         [JSC] to_index_string should not assume incoming value is Uint32
539         https://bugs.webkit.org/show_bug.cgi?id=196713
540
541         Reviewed by Saam Barati.
542
543         The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
544         this assumption since DFG may decide it should be in double format. This patch removes this
545         assumption; instead, we should assume that the incoming value is AnyInt and that its range
546         is within Uint32.
547
548         * runtime/CommonSlowPaths.cpp:
549         (JSC::SLOW_PATH_DECL):
550
551 2019-04-08  Justin Fan  <justin_fan@apple.com>
552
553         [Web GPU] Fix Web GPU experimental feature on iOS
554         https://bugs.webkit.org/show_bug.cgi?id=196632
555
556         Reviewed by Myles C. Maxfield.
557
558         Properly make Web GPU available on iOS 11+.
559
560         * Configurations/FeatureDefines.xcconfig:
561         * Configurations/WebKitTargetConditionals.xcconfig:
562
563 2019-04-08  Ross Kirsling  <ross.kirsling@sony.com>
564
565         -f[no-]var-tracking-assignments is GCC-only
566         https://bugs.webkit.org/show_bug.cgi?id=196699
567
568         Reviewed by Don Olmstead.
569
570         * CMakeLists.txt:
571         Just remove the build flag altogether -- it supposedly doesn't solve the problem it was meant to
572         and said problem evidently no longer occurs as of GCC 9.
573
574 2019-04-08  Saam Barati  <sbarati@apple.com>
575
576         WebAssembly.RuntimeError missing exception check
577         https://bugs.webkit.org/show_bug.cgi?id=196700
578         <rdar://problem/49693932>
579
580         Reviewed by Yusuke Suzuki.
581
582         * wasm/js/JSWebAssemblyRuntimeError.h:
583         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
584         (JSC::constructJSWebAssemblyRuntimeError):
585
586 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
587
588         Unreviewed, rolling in r243948 with test fix
589         https://bugs.webkit.org/show_bug.cgi?id=196486
590
591         * parser/ASTBuilder.h:
592         (JSC::ASTBuilder::createString):
593         * parser/Lexer.cpp:
594         (JSC::Lexer<T>::parseMultilineComment):
595         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
596         (JSC::Lexer<T>::lex): Deleted.
597         * parser/Lexer.h:
598         (JSC::Lexer::hasLineTerminatorBeforeToken const):
599         (JSC::Lexer::setHasLineTerminatorBeforeToken):
600         (JSC::Lexer<T>::lex):
601         (JSC::Lexer::prevTerminator const): Deleted.
602         (JSC::Lexer::setTerminator): Deleted.
603         * parser/Parser.cpp:
604         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
605         (JSC::Parser<LexerType>::parseSingleFunction):
606         (JSC::Parser<LexerType>::parseStatementListItem):
607         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
608         (JSC::Parser<LexerType>::parseFunctionInfo):
609         (JSC::Parser<LexerType>::parseClass):
610         (JSC::Parser<LexerType>::parseExportDeclaration):
611         (JSC::Parser<LexerType>::parseAssignmentExpression):
612         (JSC::Parser<LexerType>::parseYieldExpression):
613         (JSC::Parser<LexerType>::parseProperty):
614         (JSC::Parser<LexerType>::parsePrimaryExpression):
615         (JSC::Parser<LexerType>::parseMemberExpression):
616         * parser/Parser.h:
617         (JSC::Parser::nextWithoutClearingLineTerminator):
618         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
619         (JSC::Parser::internalSaveLexerState):
620         (JSC::Parser::restoreLexerState):
621
622 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
623
624         Unreviewed, rolling out r243948.
625
626         Caused inspector/runtime/parse.html to fail
627
628         Reverted changeset:
629
630         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
631         https://bugs.webkit.org/show_bug.cgi?id=196486
632         https://trac.webkit.org/changeset/243948
633
634 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
635
636         Unreviewed, rolling out r243943.
637
638         Caused test262 failures.
639
640         Reverted changeset:
641
642         "[JSC] Filter DontEnum properties in
643         ProxyObject::getOwnPropertyNames()"
644         https://bugs.webkit.org/show_bug.cgi?id=176810
645         https://trac.webkit.org/changeset/243943
646
647 2019-04-08  Claudio Saavedra  <csaavedra@igalia.com>
648
649         [JSC] Partially fix the build with unified builds disabled
650         https://bugs.webkit.org/show_bug.cgi?id=196647
651
652         Reviewed by Konstantin Tokarev.
653
654         If you disable unified builds you find all kind of build
655         errors. This partially tries to fix them but there's a lot
656         more.
657
658         * API/JSBaseInternal.h:
659         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
660         * b3/air/AirHandleCalleeSaves.h:
661         * bytecode/ExecutableToCodeBlockEdge.cpp:
662         * bytecode/ExitFlag.h:
663         * bytecode/ICStatusUtils.h:
664         * bytecode/UnlinkedMetadataTable.h:
665         * dfg/DFGPureValue.h:
666         * heap/IsoAlignedMemoryAllocator.cpp:
667         * heap/IsoAlignedMemoryAllocator.h:
668
669 2019-04-08  Guillaume Emont  <guijemont@igalia.com>
670
671         Enable DFG on MIPS
672         https://bugs.webkit.org/show_bug.cgi?id=196689
673
674         Reviewed by Žan Doberšek.
675
676         Since the bytecode change, we enabled the baseline JIT on mips in
677         r240432, but DFG is still missing. With this change, all tests are
678         passing on a ci20 board.
679
680         * jit/RegisterSet.cpp:
681         (JSC::RegisterSet::calleeSaveRegisters):
682         Added s0, which is used in llint.
683
684 2019-04-08  Xan Lopez  <xan@igalia.com>
685
686         [CMake] Detect SSE2 at compile time
687         https://bugs.webkit.org/show_bug.cgi?id=196488
688
689         Reviewed by Carlos Garcia Campos.
690
691         * assembler/MacroAssemblerX86Common.cpp: Remove unnecessary (and
692         incorrect) static_assert.
693
694 2019-04-07  Michael Saboff  <msaboff@apple.com>
695
696         REGRESSION (r243642): Crash in reddit.com page
697         https://bugs.webkit.org/show_bug.cgi?id=196684
698
699         Reviewed by Geoffrey Garen.
700
701         In r243642, the code that saves and restores the count for non-greedy character classes
702         was inadvertently put inside an if statement.  This code should be generated for all
703         non-greedy character classes.
704
705         * yarr/YarrJIT.cpp:
706         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
707         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
708
709 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
710
711         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
712         https://bugs.webkit.org/show_bug.cgi?id=196683
713
714         Reviewed by Saam Barati.
715
716         In r243626, we stop repatching CallLinkInfo when the CallLinkInfo is held by jettisoned CodeBlock.
717         But we still need to clear the Callee or CodeBlock since they are now dead. Otherwise, CodeBlock's
718         visitWeak eventually accesses these dead cells and crashes because the owner CodeBlock of CallLinkInfo
719         can still be live.
720
721         We also move all repatching operations from CallLinkInfo.cpp to Repatch.cpp for consistency because the
722         other repatching operations in CallLinkInfo are implemented in Repatch.cpp side.
723
724         * bytecode/CallLinkInfo.cpp:
725         (JSC::CallLinkInfo::setCallee):
726         (JSC::CallLinkInfo::clearCallee):
727         * jit/Repatch.cpp:
728         (JSC::linkFor):
729         (JSC::revertCall):
730
731 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
732
733         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
734         https://bugs.webkit.org/show_bug.cgi?id=196582
735
736         Reviewed by Saam Barati.
737
738         In DFG, our ArithAdd with overflow is executed speculatively, and we recover the value when overflow flag is set.
739         The recovery is subtracting the operand from the destination to get the original two operands. Our recovery code
740         handles A + B = A, A + B = B cases. But it misses A + A = A case (here, A and B are GPRReg). Our recovery code
741         attempts to produce the original operand by performing A - A, and it always produces zero accidentally.
742
743         This patch adds the recovery code for A + A = A case. Because we know that this ArithAdd overflows, and operands were
744         same values, we can calculate the original operand from the destination value by `((int32_t)value >> 1) ^ 0x80000000`.
745
746         We also found that FTL recovery code is dead. We remove them in this patch.
747
748         * dfg/DFGOSRExit.cpp:
749         (JSC::DFG::OSRExit::executeOSRExit):
750         (JSC::DFG::OSRExit::compileExit):
751         * dfg/DFGOSRExit.h:
752         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
753         * dfg/DFGSpeculativeJIT.cpp:
754         (JSC::DFG::SpeculativeJIT::compileArithAdd):
755         * ftl/FTLExitValue.cpp:
756         (JSC::FTL::ExitValue::dataFormat const):
757         (JSC::FTL::ExitValue::dumpInContext const):
758         * ftl/FTLExitValue.h:
759         (JSC::FTL::ExitValue::isArgument const):
760         (JSC::FTL::ExitValue::hasIndexInStackmapLocations const):
761         (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset):
762         (JSC::FTL::ExitValue::recovery): Deleted.
763         (JSC::FTL::ExitValue::isRecovery const): Deleted.
764         (JSC::FTL::ExitValue::leftRecoveryArgument const): Deleted.
765         (JSC::FTL::ExitValue::rightRecoveryArgument const): Deleted.
766         (JSC::FTL::ExitValue::recoveryFormat const): Deleted.
767         (JSC::FTL::ExitValue::recoveryOpcode const): Deleted.
768         * ftl/FTLLowerDFGToB3.cpp:
769         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
770         (JSC::FTL::DFG::LowerDFGToB3::preparePatchpointForExceptions):
771         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
772         (JSC::FTL::DFG::LowerDFGToB3::exitValueForNode):
773         (JSC::FTL::DFG::LowerDFGToB3::addAvailableRecovery): Deleted.
774         * ftl/FTLOSRExitCompiler.cpp:
775         (JSC::FTL::compileRecovery):
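
        The "A + A = A" recovery described in the entry above, as an added worked example in C++ (not JavaScriptCore code; the function names are hypothetical): it reproduces the pre-patch recovery that always yields zero and checks the patched formula against wrapped sums that overflowed.

```cpp
#include <cstdint>
#include <cstdio>

// Added example, not JavaScriptCore code. Models the DFG SpeculativeAdd OSR exit
// recovery for the three register patterns discussed in the entry. All names here
// are hypothetical.

// What the speculative ArithAdd leaves in the destination register: the sum
// modulo 2^32, with the overflow flag set when it did not fit in int32.
static int32_t wrappingAdd(int32_t a, int32_t b)
{
    return static_cast<int32_t>(static_cast<uint32_t>(a) + static_cast<uint32_t>(b));
}

// True when a + b does not fit in int32, i.e. when the OSR exit recovery runs at all.
static bool addOverflows(int32_t a, int32_t b)
{
    int64_t sum = static_cast<int64_t>(a) + static_cast<int64_t>(b);
    return sum < INT32_MIN || sum > INT32_MAX;
}

// "A + B = A" and "A + B = B": the operand whose register survived is subtracted
// from the wrapped destination. Modular arithmetic makes this exact despite the overflow.
static int32_t recoverClobberedOperand(int32_t dest, int32_t survivingOperand)
{
    return static_cast<int32_t>(static_cast<uint32_t>(dest) - static_cast<uint32_t>(survivingOperand));
}

// Pre-patch behaviour for "A + A = A": both operands live in the register that
// was just overwritten with the sum, so the subtraction is dest - dest == 0.
static int32_t buggyRecoverSameOperand(int32_t dest)
{
    return recoverClobberedOperand(dest, dest);
}

// Patched recovery: ((int32_t)value >> 1) ^ 0x80000000.
// dest holds 2A mod 2^32. The arithmetic shift restores bits 0..30 of A and puts
// bit 30 of A into bit 31. A + A overflows exactly when bits 31 and 30 of A differ,
// so flipping the sign bit afterwards gives back A. (Right-shifting a negative
// int32 is arithmetic on the compilers JSC targets.)
static int32_t recoverSameOperand(int32_t dest)
{
    return static_cast<int32_t>(static_cast<uint32_t>(dest >> 1) ^ 0x80000000u);
}

// Checks that the patched recovery round-trips every overflowing A in [from, to].
// Non-overflowing values are skipped: the recovery only ever runs after an overflow.
static bool sameOperandRecoveryHolds(int64_t from, int64_t to)
{
    for (int64_t v = from; v <= to; ++v) {
        int32_t a = static_cast<int32_t>(v);
        if (!addOverflows(a, a))
            continue;
        if (recoverSameOperand(wrappingAdd(a, a)) != a)
            return false;
    }
    return true;
}

int main()
{
    int32_t a = INT32_C(1) << 30; // 2^30: A + A == 2^31 wraps to INT32_MIN
    int32_t dest = wrappingAdd(a, a);
    std::printf("A = %d, wrapped A + A = %d\n", a, dest);
    std::printf("old recovery: %d, new recovery: %d\n",
                buggyRecoverSameOperand(dest), recoverSameOperand(dest));
    std::printf("A + B = A with A = INT32_MAX, B = 5: recovered A = %d\n",
                recoverClobberedOperand(wrappingAdd(INT32_MAX, 5), 5));
    return 0;
}
```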
776
777 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
778
779         Unreviewed, rolling out r243665.
780
781         Caused iOS JSC tests to exit with an exception.
782
783         Reverted changeset:
784
785         "Assertion failed in JSC::createError"
786         https://bugs.webkit.org/show_bug.cgi?id=196305
787         https://trac.webkit.org/changeset/243665
788
789 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
790
791         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
792         https://bugs.webkit.org/show_bug.cgi?id=196486
793
794         Reviewed by Saam Barati.
795
796         When parsing a FunctionExpression / FunctionDeclaration etc., we use SyntaxChecker for the body of the function because we do not have any interest in the nodes of the body at that time.
797         The nodes will be parsed with the ASTBuilder when the function itself is parsed for code generation. This worked well previously because all functions ended with "}".
798         SyntaxChecker lexes this "}" token, and the parser restores the context back to ASTBuilder and continues parsing.
799
800         But now, we have ArrowFunctionExpression without braces `arrow => expr`. Let's consider the following code.
801
802                 arrow => expr
803                 "string!"
804
805         We parse arrow function's body with SyntaxChecker. At that time, we lex "string!" token under the SyntaxChecker context. But this means that we may not build string content for this token
806         since SyntaxChecker may not have interest in string content itself in certain cases. After the parser is back to ASTBuilder, we parse "string!" as ExpressionStatement with string constant,
807         generate StringNode with non-built identifier (nullptr), and we accidentally create StringNode with nullptr.
808
809         This patch fixes this problem. The root cause of this problem is that the last token lexed in the previous context is used. We add lexCurrentTokenAgainUnderCurrentContext which will re-lex
810         the current token under the current context (may be ASTBuilder). This should be done only when the caller's context is different from SyntaxChecker, which avoids unnecessary lexing.
811         We leverage existing SavePoint mechanism to implement lexCurrentTokenAgainUnderCurrentContext cleanly.
812
813         And we also fix the bug in the existing SavePoint mechanism, which is shown in the attached test script. When we save LexerState, we do not save line terminator status. This patch also introduces
814         lexWithoutClearingLineTerminator, which lexes the token without clearing line terminator status.
815
816         * parser/ASTBuilder.h:
817         (JSC::ASTBuilder::createString):
818         * parser/Lexer.cpp:
819         (JSC::Lexer<T>::parseMultilineComment):
820         (JSC::Lexer<T>::lexWithoutClearingLineTerminator): EOF token also should record offset information. This offset information is correctly handled in Lexer::setOffset too.
821         (JSC::Lexer<T>::lex): Deleted.
822         * parser/Lexer.h:
823         (JSC::Lexer::hasLineTerminatorBeforeToken const):
824         (JSC::Lexer::setHasLineTerminatorBeforeToken):
825         (JSC::Lexer<T>::lex):
826         (JSC::Lexer::prevTerminator const): Deleted.
827         (JSC::Lexer::setTerminator): Deleted.
828         * parser/Parser.cpp:
829         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
830         (JSC::Parser<LexerType>::parseSingleFunction):
831         (JSC::Parser<LexerType>::parseStatementListItem):
832         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
833         (JSC::Parser<LexerType>::parseFunctionInfo):
834         (JSC::Parser<LexerType>::parseClass):
835         (JSC::Parser<LexerType>::parseExportDeclaration):
836         (JSC::Parser<LexerType>::parseAssignmentExpression):
837         (JSC::Parser<LexerType>::parseYieldExpression):
838         (JSC::Parser<LexerType>::parseProperty):
839         (JSC::Parser<LexerType>::parsePrimaryExpression):
840         (JSC::Parser<LexerType>::parseMemberExpression):
841         * parser/Parser.h:
842         (JSC::Parser::nextWithoutClearingLineTerminator):
843         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
844         (JSC::Parser::internalSaveLexerState):
845         (JSC::Parser::restoreLexerState):
846
847 2019-04-05  Caitlin Potter  <caitp@igalia.com>
848
849         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
850         https://bugs.webkit.org/show_bug.cgi?id=176810
851
852         Reviewed by Saam Barati.
853
854         This adds conditional logic following the invariant checks, to perform
855         filtering in common uses of getOwnPropertyNames.
856
857         While this would ideally only be done in JSPropertyNameEnumerator, adding
858         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
859         invariant that the EnumerationMode is properly followed.
860
861         * runtime/PropertyNameArray.h:
862         (JSC::PropertyNameArray::reset):
863         * runtime/ProxyObject.cpp:
864         (JSC::ProxyObject::performGetOwnPropertyNames):
865
866 2019-04-05  Commit Queue  <commit-queue@webkit.org>
867
868         Unreviewed, rolling out r243833.
869         https://bugs.webkit.org/show_bug.cgi?id=196645
870
871         This change breaks build of WPE and GTK ports (Requested by
872         annulen on #webkit).
873
874         Reverted changeset:
875
876         "[CMake][WTF] Mirror XCode header directories"
877         https://bugs.webkit.org/show_bug.cgi?id=191662
878         https://trac.webkit.org/changeset/243833
879
880 2019-04-05  Caitlin Potter  <caitp@igalia.com>
881
882         [JSC] throw if ownKeys Proxy trap result contains duplicate keys
883         https://bugs.webkit.org/show_bug.cgi?id=185211
884
885         Reviewed by Saam Barati.
886
887         Implements the normative spec change in https://github.com/tc39/ecma262/pull/833
888
889         This involves tracking duplicate keys returned from the ownKeys trap in yet
890         another HashTable, and may incur a minor performance penalty in some cases. This
891         is not expected to significantly affect web performance.
892
893         * runtime/ProxyObject.cpp:
894         (JSC::ProxyObject::performGetOwnPropertyNames):
895
896 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
897
898         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
899         https://bugs.webkit.org/show_bug.cgi?id=196631
900
901         Reviewed by Saam Barati.
902
903         makeBoundFunction assumes that "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
904         DFG may store this value in Double format, so we should not rely on this value being Int32. This patch fixes makeBoundFunction function to perform
905         toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
906
907         * JavaScriptCore.xcodeproj/project.pbxproj:
908         * Sources.txt:
909         * interpreter/CallFrameInlines.h:
910         * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
911         (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
912         (JSC::DoublePredictionFuzzerAgent::getPrediction):
913         * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
914         * runtime/JSGlobalObject.cpp:
915         (JSC::makeBoundFunction):
916         * runtime/Options.h:
917         * runtime/VM.cpp:
918         (JSC::VM::VM):
919
920 2019-04-04  Robin Morisset  <rmorisset@apple.com>
921
922         B3ReduceStrength should know that Mul distributes over Add and Sub
923         https://bugs.webkit.org/show_bug.cgi?id=196325
924         <rdar://problem/49441650>
925
926         Reviewed by Saam Barati.
927
928         Fix some obviously wrong code that was due to an accidental copy-paste.
929         It made the entire optimization dead code that never ran.
930
931         * b3/B3ReduceStrength.cpp:
932
933 2019-04-04  Saam Barati  <sbarati@apple.com>
934
935         Unreviewed, build fix for CLoop after r243886
936
937         * interpreter/Interpreter.cpp:
938         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
939         * interpreter/StackVisitor.cpp:
940         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
941         * interpreter/StackVisitor.h:
942
943 2019-04-04  Commit Queue  <commit-queue@webkit.org>
944
945         Unreviewed, rolling out r243898.
946         https://bugs.webkit.org/show_bug.cgi?id=196624
947
948         `#if !ENABLE(C_LOOP) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0`
949         does not work well (Requested by yusukesuzuki on #webkit).
950
951         Reverted changeset:
952
953         "Unreviewed, build fix for CLoop and Windows after r243886"
954         https://bugs.webkit.org/show_bug.cgi?id=196387
955         https://trac.webkit.org/changeset/243898
956
957 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
958
959         Unreviewed, build fix for CLoop and Windows after r243886
960         https://bugs.webkit.org/show_bug.cgi?id=196387
961
962         RegisterAtOffsetList does not exist if ENABLE(ASSEMBLER) is false.
963
964         * interpreter/StackVisitor.cpp:
965         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
966         * interpreter/StackVisitor.h:
967
968 2019-04-04  Saam Barati  <sbarati@apple.com>
969
970         Teach Call ICs how to call Wasm
971         https://bugs.webkit.org/show_bug.cgi?id=196387
972
973         Reviewed by Filip Pizlo.
974
975         This patch teaches JS to call Wasm without going through the native thunk.
976         Currently, we emit a JIT "JS" callee stub which marshals arguments from
977         JS to Wasm. Like the native version of this, this thunk is responsible
978         for saving and restoring the VM's current Wasm context. Instead of emitting
979         an exception handler, we also teach the unwinder how to read the previous
980         wasm context to restore it as it unwinds past this frame.
981         
982         This patch is straight forward, and leaves some areas for perf improvement:
983         - We can teach the DFG/FTL to directly use the Wasm calling convention when
984           it knows it's calling a single Wasm function. This way we don't shuffle
985           registers to the stack and then back into registers.
986         - We bail out to the slow path for mismatched arity. I opened a bug to
987           optimize arity check failures: https://bugs.webkit.org/show_bug.cgi?id=196564
988         - We bail out to the slow path for Double JSValues flowing into i32 arguments.
989           We should teach this thunk how to do that conversion directly.
990         
991         This patch also refactors the code to explicitly have a single pinned size register.
992         We used to pretend in some places that we could have more than one pinned size register.
993         However, there was other code that just asserted the size was one. This patch just rips
994         out this code since we never moved to having more than one pinned size register. Doing
995         this refactoring cleans up the various places where we set up the size register.
996         
997         This patch is a 50-60% progression on JetStream 2's richards-wasm.
998
999         * JavaScriptCore.xcodeproj/project.pbxproj:
1000         * Sources.txt:
1001         * assembler/MacroAssemblerCodeRef.h:
1002         (JSC::MacroAssemblerCodeRef::operator=):
1003         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1004         * interpreter/Interpreter.cpp:
1005         (JSC::UnwindFunctor::operator() const):
1006         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1007         * interpreter/StackVisitor.cpp:
1008         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1009         (JSC::StackVisitor::Frame::calleeSaveRegisters): Deleted.
1010         * interpreter/StackVisitor.h:
1011         * jit/JITOperations.cpp:
1012         * jit/RegisterSet.cpp:
1013         (JSC::RegisterSet::runtimeTagRegisters):
1014         (JSC::RegisterSet::specialRegisters):
1015         (JSC::RegisterSet::runtimeRegisters): Deleted.
1016         * jit/RegisterSet.h:
1017         * jit/Repatch.cpp:
1018         (JSC::linkPolymorphicCall):
1019         * runtime/JSFunction.cpp:
1020         (JSC::getCalculatedDisplayName):
1021         * runtime/JSGlobalObject.cpp:
1022         (JSC::JSGlobalObject::init):
1023         (JSC::JSGlobalObject::visitChildren):
1024         * runtime/JSGlobalObject.h:
1025         (JSC::JSGlobalObject::jsToWasmICCalleeStructure const):
1026         * runtime/VM.cpp:
1027         (JSC::VM::VM):
1028         * runtime/VM.h:
1029         * wasm/WasmAirIRGenerator.cpp:
1030         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
1031         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
1032         (JSC::Wasm::AirIRGenerator::addCallIndirect):
1033         * wasm/WasmB3IRGenerator.cpp:
1034         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1035         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1036         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1037         * wasm/WasmBinding.cpp:
1038         (JSC::Wasm::wasmToWasm):
1039         * wasm/WasmContext.h:
1040         (JSC::Wasm::Context::pointerToInstance):
1041         * wasm/WasmContextInlines.h:
1042         (JSC::Wasm::Context::store):
1043         * wasm/WasmMemoryInformation.cpp:
1044         (JSC::Wasm::getPinnedRegisters):
1045         (JSC::Wasm::PinnedRegisterInfo::get):
1046         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1047         * wasm/WasmMemoryInformation.h:
1048         (JSC::Wasm::PinnedRegisterInfo::toSave const):
1049         * wasm/WasmOMGPlan.cpp:
1050         (JSC::Wasm::OMGPlan::work):
1051         * wasm/js/JSToWasm.cpp:
1052         (JSC::Wasm::createJSToWasmWrapper):
1053         * wasm/js/JSToWasmICCallee.cpp: Added.
1054         (JSC::JSToWasmICCallee::create):
1055         (JSC::JSToWasmICCallee::createStructure):
1056         (JSC::JSToWasmICCallee::visitChildren):
1057         * wasm/js/JSToWasmICCallee.h: Added.
1058         (JSC::JSToWasmICCallee::function):
1059         (JSC::JSToWasmICCallee::JSToWasmICCallee):
1060         * wasm/js/WebAssemblyFunction.cpp:
1061         (JSC::WebAssemblyFunction::useTagRegisters const):
1062         (JSC::WebAssemblyFunction::calleeSaves const):
1063         (JSC::WebAssemblyFunction::usedCalleeSaveRegisters const):
1064         (JSC::WebAssemblyFunction::previousInstanceOffset const):
1065         (JSC::WebAssemblyFunction::previousInstance):
1066         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1067         (JSC::WebAssemblyFunction::visitChildren):
1068         (JSC::WebAssemblyFunction::destroy):
1069         * wasm/js/WebAssemblyFunction.h:
1070         * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Added.
1071         (JSC::WebAssemblyFunctionDestroyFunc::operator() const):
1072         (JSC::WebAssemblyFunctionHeapCellType::WebAssemblyFunctionHeapCellType):
1073         (JSC::WebAssemblyFunctionHeapCellType::~WebAssemblyFunctionHeapCellType):
1074         (JSC::WebAssemblyFunctionHeapCellType::finishSweep):
1075         (JSC::WebAssemblyFunctionHeapCellType::destroy):
1076         * wasm/js/WebAssemblyFunctionHeapCellType.h: Added.
1077         * wasm/js/WebAssemblyPrototype.h:
1078
1079 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1080
1081         [JSC] Pass CodeOrigin to FuzzerAgent
1082         https://bugs.webkit.org/show_bug.cgi?id=196590
1083
1084         Reviewed by Saam Barati.
1085
1086         Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
1087         We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
1088         but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
1089
1090         * dfg/DFGByteCodeParser.cpp:
1091         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1092         * runtime/FuzzerAgent.cpp:
1093         (JSC::FuzzerAgent::getPrediction):
1094         * runtime/FuzzerAgent.h:
1095         * runtime/RandomizingFuzzerAgent.cpp:
1096         (JSC::RandomizingFuzzerAgent::getPrediction):
1097         * runtime/RandomizingFuzzerAgent.h:
1098
1099 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
1100
1101         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
1102         https://bugs.webkit.org/show_bug.cgi?id=194944
1103
1104         Reviewed by Keith Miller.
1105
1106         Based on profile data collected on JetStream2, Speedometer 2 and
1107         other benchmarks, it is very rare to have a non-empty
1108         UnlinkedFunctionExecutable::m_parentScopeTDZVariables.
1109
1110         - Data collected from Speedometer2
1111             Total number of UnlinkedFunctionExecutable: 39463
1112             Total number of non-empty parentScopeTDZVars: 428 (~1%)
1113
1114         - Data collected from JetStream2
1115             Total number of UnlinkedFunctionExecutable: 83715
1116             Total number of non-empty parentScopeTDZVars: 5285 (~6%)
1117
1118         We also collected numbers on 6 of the top 10 Alexa sites.
1119
1120         - Data collected from youtube.com
1121             Total number of UnlinkedFunctionExecutable: 29599
1122             Total number of non-empty parentScopeTDZVars: 97 (~0.3%)
1123
1124         - Data collected from twitter.com
1125             Total number of UnlinkedFunctionExecutable: 23774
1126             Total number of non-empty parentScopeTDZVars: 172 (~0.7%)
1127
1128         - Data collected from google.com
1129             Total number of UnlinkedFunctionExecutable: 33209
1130             Total number of non-empty parentScopeTDZVars: 174 (~0.5%)
1131
1132         - Data collected from amazon.com:
1133             Total number of UnlinkedFunctionExecutable: 15182
1134             Total number of non-empty parentScopeTDZVars: 166 (~1%)
1135
1136         - Data collected from facebook.com:
1137             Total number of UnlinkedFunctionExecutable: 54443
1138             Total number of non-empty parentScopeTDZVars: 269 (~0.4%)
1139
1140         - Data collected from netflix.com:
1141             Total number of UnlinkedFunctionExecutable: 39266
1142             Total number of non-empty parentScopeTDZVars: 97 (~0.2%)
1143
1144         Considering such numbers, this patch is moving `m_parentScopeTDZVariables`
1145         to RareData. This decreases sizeof(UnlinkedFunctionExecutable) by
1146         16 bytes. With this change, the UnlinkedFunctionExecutable constructors now
1147         receive an `Optional<VariableEnvironmentMap::Handle>` and only store
1148         it when `value != WTF::nullopt`. We also changed
1149         UnlinkedFunctionExecutable::parentScopeTDZVariables() and it returns
1150         `VariableEnvironment()` whenever the Executable doesn't have RareData,
1151         or VariableEnvironmentMap::Handle is uninitialized. This is required
1152         because RareData is instantiated when any of its fields is stored and
1153         we can have an uninitialized `Handle` even in cases when parentScopeTDZVariables
1154         is `WTF::nullopt`.
1155
1156         Results on memory usage on JetStream2 are neutral.
1157
1158             Mean of memory peak on ToT: 4258633728 bytes (confidence interval: 249720072.95)
1159             Mean of memory peak on Changes: 4367325184 bytes (confidence interval: 321285583.61)
1160
1161         * builtins/BuiltinExecutables.cpp:
1162         (JSC::BuiltinExecutables::createExecutable):
1163         * bytecode/UnlinkedFunctionExecutable.cpp:
1164         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1165         * bytecode/UnlinkedFunctionExecutable.h:
1166         * bytecompiler/BytecodeGenerator.cpp:
1167         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1168
1169         BytecodeGenerator::getVariablesUnderTDZ now also caches if m_cachedVariablesUnderTDZ
1170         is empty, so we can properly return `WTF::nullopt` without the
1171         reconstruction of a VariableEnvironment to check if it is empty.
1172
1173         * bytecompiler/BytecodeGenerator.h:
1174         (JSC::BytecodeGenerator::makeFunction):
1175         * parser/VariableEnvironment.h:
1176         (JSC::VariableEnvironment::isEmpty const):
1177         * runtime/CachedTypes.cpp:
1178         (JSC::CachedCompactVariableMapHandle::decode const):
1179
1180         It returns an uninitialized Handle when there is no
1181         CompactVariableEnvironment. This can happen when RareData is ensured
1182         because of another field.
1183
1184         (JSC::CachedFunctionExecutableRareData::encode):
1185         (JSC::CachedFunctionExecutableRareData::decode const):
1186         (JSC::CachedFunctionExecutable::encode):
1187         (JSC::CachedFunctionExecutable::decode const):
1188         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1189         * runtime/CodeCache.cpp:
1190
1191         Instead of creating a dummyVariablesUnderTDZ, we simply pass
1192         WTF::nullopt.
1193
1194         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1195
1196 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1197
1198         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
1199         https://bugs.webkit.org/show_bug.cgi?id=196409
1200
1201         Reviewed by Saam Barati.
1202
1203         Some of the helpers in jsc.cpp, such as `functionRunString`, were still
1204         using `makeSource` instead of `jscSource`, which does not use the ShellSourceProvider
1205         and therefore does not write the bytecode cache to disk.
1206
1207         Changing that revealed a bug in the bytecode cache. The Encoder keeps a mapping
1208         of pointers to offsets of already cached objects, in order to avoid caching
1209         the same object twice. Similarly, the Decoder keeps a mapping from offsets
1210         to pointers, in order to avoid creating multiple objects in memory for the
1211         same cached object. The following was happening:
1212         1) A StringImpl* S was cached as CachedPtr<CachedStringImpl> at offset O. We add
1213         an entry in the Encoder mapping that S has already been encoded at O.
1214         2) We cache StringImpl* S again, but now as CachedPtr<CachedUniquedStringImpl>.
1215         We find an entry in the Encoder mapping for S, and return the offset O. However,
1216         the object cached at O is a CachedPtr<CachedStringImpl> (i.e. not Uniqued).
1217
1218         3) When decoding, there are 2 possibilities:
1219         3.1) We find S for the first time through a CachedPtr<CachedStringImpl>. In
1220         this case, everything works as expected since we add an entry in the decoder
1221         mapping from the offset O to the decoded StringImpl* S. The next time we find
1222         S through the uniqued version, we'll return the already decoded S.
1223         3.2) We find S through a CachedPtr<CachedUniquedStringImpl>. Now we have a
1224         problem, since the CachedPtr has the offset of a CachedStringImpl (not uniqued),
1225         which has a different shape and we crash.
1226
1227         We fix this by making CachedStringImpl and CachedUniquedStringImpl share the
1228         same implementation. Since it doesn't matter whether a string is uniqued for
1229         encoding, and we always decode strings as uniqued either way, they can be used
1230         interchangeably.
1231
1232         * jsc.cpp:
1233         (functionRunString):
1234         (functionLoadString):
1235         (functionDollarAgentStart):
1236         (functionCheckModuleSyntax):
1237         (runInteractive):
1238         * runtime/CachedTypes.cpp:
1239         (JSC::CachedUniquedStringImplBase::decode const):
1240         (JSC::CachedFunctionExecutable::rareData const):
1241         (JSC::CachedCodeBlock::rareData const):
1242         (JSC::CachedFunctionExecutable::encode):
1243         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1244         (JSC::CachedUniquedStringImpl::encode): Deleted.
1245         (JSC::CachedUniquedStringImpl::decode const): Deleted.
1246         (JSC::CachedStringImpl::encode): Deleted.
1247         (JSC::CachedStringImpl::decode const): Deleted.
1248
1249 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1250
1251         UnlinkedCodeBlock constructor from cache should initialize m_didOptimize
1252         https://bugs.webkit.org/show_bug.cgi?id=196396
1253
1254         Reviewed by Saam Barati.
1255
1256         The UnlinkedCodeBlock constructor in CachedTypes was missing the initialization
1257         for m_didOptimize, which leads to crashes in CodeBlock::thresholdForJIT.
1258
1259         * runtime/CachedTypes.cpp:
1260         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1261
1262 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1263
1264         Unreviewed, rolling in r243843 with the build fix
1265         https://bugs.webkit.org/show_bug.cgi?id=196586
1266
1267         * runtime/Options.cpp:
1268         (JSC::recomputeDependentOptions):
1269         * runtime/Options.h:
1270         * runtime/RandomizingFuzzerAgent.cpp:
1271         (JSC::RandomizingFuzzerAgent::getPrediction):
1272
1273 2019-04-03  Ryan Haddad  <ryanhaddad@apple.com>
1274
1275         Unreviewed, rolling out r243843.
1276
1277         Broke CLoop and Windows builds.
1278
1279         Reverted changeset:
1280
1281         "[JSC] Add dump feature for RandomizingFuzzerAgent"
1282         https://bugs.webkit.org/show_bug.cgi?id=196586
1283         https://trac.webkit.org/changeset/243843
1284
1285 2019-04-03  Robin Morisset  <rmorisset@apple.com>
1286
1287         B3 should use associativity to optimize expression trees
1288         https://bugs.webkit.org/show_bug.cgi?id=194081
1289
1290         Reviewed by Filip Pizlo.
1291
1292         This patch adds a new B3 pass, that tries to find and optimize expression trees made purely of any one associative and commutative operator (Add/Mul/BitOr/BitAnd/BitXor).
1293         The pass only runs in O2, and runs once, after lowerMacros and just before a run of B3ReduceStrength (which helps clean up the dead code it tends to leave behind).
1294         I had to separate killDeadCode out of B3ReduceStrength (as a new B3EliminateDeadCode pass) to run it before B3OptimizeAssociativeExpressionTrees, as otherwise it is stopped by high use counts
1295         inherited from CSE.
1296         This extra run of DCE is by itself a win, most notably on microbenchmarks/instanceof-always-hit-two (1.5x faster), and on microbenchmarks/licm-dragons(-out-of-bounds) (both get 1.16x speedup).
1297         I suspect it is because it runs between CSE and tail-dedup, and as a result allows a lot more tail-dedup to occur.
1298
1299         The pass is currently extremely conservative, not trying anything if it would cause _any_ code duplication.
1300         For this purpose, it starts by computing use counts for the potentially interesting nodes (those with the right opcodes), and segregates them into expression trees.
1301         The root of an expression tree is a node that is either used in multiple places, or is used by a value with a different opcode.
1302         The leaves of an expression tree are nodes that are either used in multiple places, or have a different opcode.
1303         All constant leaves of a tree are combined, as well as all leaves that are identical. What remains is then laid out into a balanced binary tree, hopefully maximizing ILP.
1304
1305         This optimization was implemented as a stand-alone pass and not as part of B3ReduceStrength mostly because it needs use counts to avoid code duplication.
1306         It also benefits from finding all tree roots first, and not trying to repeatedly optimize subtrees.
1307
1308         I added several tests to testB3 with varying patterns of trees. It is also tested in a less focused way by lots of older tests.
1309
1310         In the future this pass could be expanded to allow some bounded amount of code duplication, and merging more leaves (e.g. Mul(a, 3) and a in an Add tree, into Mul(a, 4)).
1311         The latter will need exposing the peephole optimizations out of B3ReduceStrength to avoid duplicating code.
1312
1313         * JavaScriptCore.xcodeproj/project.pbxproj:
1314         * Sources.txt:
1315         * b3/B3Common.cpp:
1316         (JSC::B3::shouldDumpIR):
1317         (JSC::B3::shouldDumpIRAtEachPhase):
1318         * b3/B3Common.h:
1319         * b3/B3EliminateDeadCode.cpp: Added.
1320         (JSC::B3::EliminateDeadCode::run):
1321         (JSC::B3::eliminateDeadCode):
1322         * b3/B3EliminateDeadCode.h: Added.
1323         (JSC::B3::EliminateDeadCode::EliminateDeadCode):
1324         * b3/B3Generate.cpp:
1325         (JSC::B3::generateToAir):
1326         * b3/B3OptimizeAssociativeExpressionTrees.cpp: Added.
1327         (JSC::B3::OptimizeAssociativeExpressionTrees::OptimizeAssociativeExpressionTrees):
1328         (JSC::B3::OptimizeAssociativeExpressionTrees::neutralElement):
1329         (JSC::B3::OptimizeAssociativeExpressionTrees::isAbsorbingElement):
1330         (JSC::B3::OptimizeAssociativeExpressionTrees::combineConstants):
1331         (JSC::B3::OptimizeAssociativeExpressionTrees::emitValue):
1332         (JSC::B3::OptimizeAssociativeExpressionTrees::optimizeRootedTree):
1333         (JSC::B3::OptimizeAssociativeExpressionTrees::run):
1334         (JSC::B3::optimizeAssociativeExpressionTrees):
1335         * b3/B3OptimizeAssociativeExpressionTrees.h: Added.
1336         * b3/B3ReduceStrength.cpp:
1337         * b3/B3Value.cpp:
1338         (JSC::B3::Value::replaceWithIdentity):
1339         * b3/testb3.cpp:
1340         (JSC::B3::testBitXorTreeArgs):
1341         (JSC::B3::testBitXorTreeArgsEven):
1342         (JSC::B3::testBitXorTreeArgImm):
1343         (JSC::B3::testAddTreeArg32):
1344         (JSC::B3::testMulTreeArg32):
1345         (JSC::B3::testBitAndTreeArg32):
1346         (JSC::B3::testBitOrTreeArg32):
1347         (JSC::B3::run):
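
        Added example (not B3's code): a toy C++ implementation of the rewrite described above, with the
        neutralElement / isAbsorbingElement / optimizeRootedTree steps over a minimal IR. Use counts decide
        where a tree stops, constant leaves fold into one, repeated leaves merge (Mul(a, 2) for Add, one copy
        for BitAnd/BitOr, parity for BitXor) and the operands are laid out as a balanced tree; the IR, names
        and the sample chain are constructed.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Minimal IR: arguments, Int32 constants and the five associative, commutative operators.
enum class Op { Arg, Const, Add, Mul, BitAnd, BitOr, BitXor };
struct Value {
    Op op;
    int32_t constant = 0;                    // Const only
    std::string name;                        // Arg only
    Value* child[2] = { nullptr, nullptr };  // operators only
};
struct Arena {
    std::vector<std::unique_ptr<Value>> values;
    Value* make(Value v) { values.push_back(std::make_unique<Value>(std::move(v))); return values.back().get(); }
    Value* arg(std::string n) { Value v{Op::Arg}; v.name = std::move(n); return make(std::move(v)); }
    Value* imm(int32_t c) { Value v{Op::Const}; v.constant = c; return make(std::move(v)); }
    Value* bin(Op op, Value* a, Value* b) { Value v{op}; v.child[0] = a; v.child[1] = b; return make(std::move(v)); }
};

static int32_t apply(Op op, int32_t a, int32_t b) {  // wrapping Int32 arithmetic, as in B3
    if (op == Op::Add) return int32_t(uint32_t(a) + uint32_t(b));
    if (op == Op::Mul) return int32_t(uint32_t(a) * uint32_t(b));
    if (op == Op::BitAnd) return a & b;
    return op == Op::BitOr ? (a | b) : (a ^ b);
}
// Add 0, Mul 1, BitAnd -1, BitOr 0 and BitXor 0 leave the other operand unchanged.
static int32_t neutralElement(Op op) { return op == Op::Mul ? 1 : op == Op::BitAnd ? -1 : 0; }
// Mul 0, BitAnd 0 and BitOr -1 swallow every other operand; Add and BitXor have none.
static bool isAbsorbingElement(Op op, int32_t c) { return (op == Op::Mul && c == 0) || (op == Op::BitAnd && c == 0) || (op == Op::BitOr && c == -1); }
static int32_t evaluate(const Value* v, const std::map<std::string, int32_t>& env) {
    if (v->op == Op::Arg) return env.at(v->name);
    if (v->op == Op::Const) return v->constant;
    return apply(v->op, evaluate(v->child[0], env), evaluate(v->child[1], env));
}
static int depth(const Value* v) {  // longest dependency chain, which is what limits ILP
    return v->child[0] ? 1 + std::max(depth(v->child[0]), depth(v->child[1])) : 0;
}
// Use counts below `root`: a value used more than once must stay a leaf, or re-associating it would duplicate work.
static void countUses(const Value* v, std::map<const Value*, int>& uses) {
    for (const Value* c : v->child)
        if (c && ++uses[c] == 1)
            countUses(c, uses);
}
// Leaves of the tree rooted at `v`: descend only through single-use children with the same opcode.
static void collectLeaves(Value* v, Op op, const std::map<const Value*, int>& uses, std::vector<Value*>& leaves) {
    for (Value* c : v->child) {
        if (c->op == op && uses.at(c) == 1) collectLeaves(c, op, uses, leaves);
        else leaves.push_back(c);
    }
}
// Rebuilds the tree rooted at `root`: fold all constant leaves into one, merge identical leaves,
// drop the neutral element, then lay the remaining operands out as a balanced binary tree.
static Value* optimizeRootedTree(Arena& arena, Value* root, const std::map<const Value*, int>& uses) {
    const Op op = root->op;
    std::vector<Value*> leaves;
    collectLeaves(root, op, uses, leaves);
    int32_t folded = neutralElement(op);
    std::vector<std::pair<Value*, int>> occurrences;  // identical non-constant leaves, first-seen order
    for (Value* leaf : leaves) {
        if (leaf->op == Op::Const) { folded = apply(op, folded, leaf->constant); continue; }
        auto it = std::find_if(occurrences.begin(), occurrences.end(), [&](const std::pair<Value*, int>& p) { return p.first == leaf; });
        if (it == occurrences.end()) occurrences.emplace_back(leaf, 1); else ++it->second;
    }
    if (isAbsorbingElement(op, folded)) return arena.imm(folded);  // the whole tree is that constant
    std::vector<Value*> operands;
    for (const auto& entry : occurrences) {
        Value* leaf = entry.first; int count = entry.second;
        if (op == Op::Add) operands.push_back(count == 1 ? leaf : arena.bin(Op::Mul, leaf, arena.imm(count)));
        else if (op == Op::Mul) operands.insert(operands.end(), count, leaf);   // x*x has no cheaper form here
        else if (op == Op::BitXor) { if (count % 2) operands.push_back(leaf); } // x ^ x == 0
        else operands.push_back(leaf);                                          // BitAnd/BitOr: x op x == x
    }
    if (folded != neutralElement(op) || operands.empty()) operands.push_back(arena.imm(folded));
    while (operands.size() > 1) {  // pair neighbours round by round: depth becomes about log2(n)
        std::vector<Value*> next;
        for (size_t i = 0; i + 1 < operands.size(); i += 2) next.push_back(arena.bin(op, operands[i], operands[i + 1]));
        if (operands.size() % 2) next.push_back(operands.back());
        operands = std::move(next);
    }
    return operands[0];
}
// Constructed sample: the left-leaning chain ((((a + 1) + b) + 2) + a) + (c + 3), evaluated
// at a=5, b=7, c=-3 before and after the rewrite, together with both tree depths.
struct DemoResult { int32_t before, after; int depthBefore, depthAfter; };
static DemoResult runDemo() {
    Arena arena;
    Value *a = arena.arg("a"), *b = arena.arg("b"), *c = arena.arg("c");
    Value* chain = arena.bin(Op::Add, arena.bin(Op::Add, arena.bin(Op::Add, arena.bin(Op::Add, a, arena.imm(1)), b), arena.imm(2)), a);
    Value* root = arena.bin(Op::Add, chain, arena.bin(Op::Add, c, arena.imm(3)));
    std::map<const Value*, int> uses;
    countUses(root, uses);
    Value* optimized = optimizeRootedTree(arena, root, uses);
    const std::map<std::string, int32_t> env{ { "a", 5 }, { "b", 7 }, { "c", -3 } };
    return { evaluate(root, env), evaluate(optimized, env), depth(root), depth(optimized) };
}
```

        The chain of depth 5 becomes Add(Add(Mul(a, 2), b), Add(c, 6)) of depth 3, computing the same value.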
1348
1349 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1350
1351         [JSC] Add dump feature for RandomizingFuzzerAgent
1352         https://bugs.webkit.org/show_bug.cgi?id=196586
1353
1354         Reviewed by Saam Barati.
1355
1356         Towards deterministic tests for the results from the randomizing fuzzer agent, this patch adds Options::dumpRandomizingFuzzerAgentPredictions, which dumps the generated types.
1357         The results look like this.
1358
1359             getPrediction name:(#C2q9xD),bytecodeIndex:(22),original:(Array),generated:(OtherObj|Array|Float64Array|BigInt|NonIntAsDouble)
1360             getPrediction name:(makeUnwriteableUnconfigurableObject#AiEJv1),bytecodeIndex:(14),original:(OtherObj),generated:(Final|Uint8Array|Float64Array|SetObject|WeakSetObject|BigInt|NonIntAsDouble)
1361
1362         * runtime/Options.cpp:
1363         (JSC::recomputeDependentOptions):
1364         * runtime/Options.h:
1365         * runtime/RandomizingFuzzerAgent.cpp:
1366         (JSC::RandomizingFuzzerAgent::getPrediction):
1367
1368 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
1369
1370         -apple-trailing-word is needed for browser detection
1371         https://bugs.webkit.org/show_bug.cgi?id=196575
1372
1373         Unreviewed.
1374
1375         * Configurations/FeatureDefines.xcconfig:
1376
1377 2019-04-03  Michael Saboff  <msaboff@apple.com>
1378
1379         REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
1380         https://bugs.webkit.org/show_bug.cgi?id=196477
1381
1382         Reviewed by Keith Miller.
1383
1384         The problem here is that when we advance the index by 2 for a character class that only
1385         has non-BMP characters, we might go past the end of the string.  This can happen for
1386         greedy counted character classes that are part of an alternative where there is one
1387         character to match after the greedy non-BMP character class.
1388
1389         The "do we have string left to match" check at the top of the JIT loop for the counted
1390         character class checks to see if index is not equal to the string length.  For non-BMP
1391         character classes, we need to check to see if there are at least 2 characters left.
1392         Therefore we now temporarily add 1 to the current index before comparing.  This checks
1393         to see if there are at least 2 characters left to match, instead of 1.
1394
1395         * yarr/YarrJIT.cpp:
1396         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1397         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
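
        Added example (not Yarr's JIT code): a toy UTF-16 matcher for a greedy class term whose class holds only
        non-BMP characters, showing why `index != length` at the loop top is not enough once a single code unit
        remains, and the "at least 2 code units left" guard described above. The class range, surrogate decoding
        and sample input are constructed; std::u16string::at() stands in for the out-of-bounds read.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Constructed sample class: only non-BMP code points (U+1F600..U+1F64F), so every
// member occupies two UTF-16 code units and a match always advances the index by 2.
static bool classContains(char32_t codePoint) {
    return codePoint >= 0x1F600 && codePoint <= 0x1F64F;
}

// Decodes the surrogate pair at `index`. at() throws instead of reading past the
// buffer, standing in for the out-of-bounds read the generated code would perform.
static char32_t decodePair(const std::u16string& input, size_t index) {
    char16_t hi = input.at(index);
    char16_t lo = input.at(index + 1);
    if (hi < 0xD800 || hi > 0xDBFF || lo < 0xDC00 || lo > 0xDFFF)
        return 0xFFFD; // not a pair: cannot be a member of a non-BMP-only class
    return 0x10000 + ((char32_t(hi) - 0xD800) << 10) + (char32_t(lo) - 0xDC00);
}

// Greedy counted term over the class, e.g. the [...]* part of /[\u{1F600}-\u{1F64F}]*x/u.
// The loop guard is the point of the fix: `index != length` only proves one code unit
// is left, but a non-BMP match consumes two; the fixed guard demands two units.
static size_t matchGreedyNonBMP(const std::u16string& input, size_t index, bool fixedGuard) {
    const size_t length = input.size();
    while (fixedGuard ? (index + 1 < length) : (index != length)) {
        if (!classContains(decodePair(input, index)))
            break;
        index += 2;
    }
    return index;
}

// Whole alternative: the greedy class run followed by a literal 'x'.
static bool matchesClassRunThenX(const std::u16string& input, bool fixedGuard) {
    size_t index = matchGreedyNonBMP(input, 0, fixedGuard);
    return index < input.size() && input[index] == u'x';
}

// True if the old guard tries to read past the end of `input`.
static bool oldGuardReadsPastEnd(const std::u16string& input) {
    try {
        matchGreedyNonBMP(input, 0, /* fixedGuard */ false);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

// Constructed input: two class members (four code units) followed by one BMP unit,
// the shape that triggers the bug: a single character left after the greedy run.
static const std::u16string kSample = u"\U0001F600\U0001F601x";
```

        With an even number of code units that all belong to the class, the old guard happens to stop correctly; it is the odd tail that reads past the end.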
1398
1399 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1400
1401         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
1402         https://bugs.webkit.org/show_bug.cgi?id=196574
1403
1404         Reviewed by Saam Barati.
1405
1406         This patch adds missing exception check in operationArrayIndexOfValueInt32OrContiguous.
1407
1408         * dfg/DFGOperations.cpp:
1409
1410 2019-04-03  Don Olmstead  <don.olmstead@sony.com>
1411
1412         [CMake][WTF] Mirror XCode header directories
1413         https://bugs.webkit.org/show_bug.cgi?id=191662
1414
1415         Reviewed by Konstantin Tokarev.
1416
1417         Use WTFFramework as a dependency and include frameworks/WTF.cmake for AppleWin internal
1418         builds.
1419
1420         * CMakeLists.txt:
1421         * shell/CMakeLists.txt:
1422
1423 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1424
1425         [JSC] Add FuzzerAgent, which has hooks to get feedback & inject fuzz data into JSC
1426         https://bugs.webkit.org/show_bug.cgi?id=196530
1427
1428         Reviewed by Saam Barati.
1429
1430         This patch adds FuzzerAgent interface and simple RandomizingFuzzerAgent to JSC.
1431         This RandomizingFuzzerAgent returns random SpeculatedType for value profiling to find
1432         the issues in JSC. The seed for randomization can be specified by seedOfRandomizingFuzzerAgent.
1433
1434         I ran this with seedOfRandomizingFuzzerAgent=1 last night and it found 3 failures in the current JSC tests;
1435         they should be fixed in subsequent patches.
1436
1437         * CMakeLists.txt:
1438         * JavaScriptCore.xcodeproj/project.pbxproj:
1439         * Sources.txt:
1440         * dfg/DFGByteCodeParser.cpp:
1441         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1442         * runtime/FuzzerAgent.cpp: Added.
1443         (JSC::FuzzerAgent::~FuzzerAgent):
1444         (JSC::FuzzerAgent::getPrediction):
1445         * runtime/FuzzerAgent.h: Added.
1446         * runtime/JSGlobalObjectFunctions.cpp:
1447         * runtime/Options.h:
1448         * runtime/RandomizingFuzzerAgent.cpp: Added.
1449         (JSC::RandomizingFuzzerAgent::RandomizingFuzzerAgent):
1450         (JSC::RandomizingFuzzerAgent::getPrediction):
1451         * runtime/RandomizingFuzzerAgent.h: Added.
1452         * runtime/RegExpCachedResult.h:
1453         * runtime/RegExpGlobalData.cpp:
1454         * runtime/VM.cpp:
1455         (JSC::VM::VM):
1456         * runtime/VM.h:
1457         (JSC::VM::fuzzerAgent const):
1458         (JSC::VM::setFuzzerAgent):
1459
1460 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
1461
1462         Remove support for -apple-trailing-word
1463         https://bugs.webkit.org/show_bug.cgi?id=196525
1464
1465         Reviewed by Zalan Bujtas.
1466
1467         This CSS property is nonstandard and not used.
1468
1469         * Configurations/FeatureDefines.xcconfig:
1470
1471 2019-04-03  Joseph Pecoraro  <pecoraro@apple.com>
1472
1473         Web Inspector: Remote Inspector indicate callback should always happen on the main thread
1474         https://bugs.webkit.org/show_bug.cgi?id=196513
1475         <rdar://problem/49498284>
1476
1477         Reviewed by Devin Rousso.
1478
1479         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1480         (Inspector::RemoteInspector::receivedIndicateMessage):
1481         When we have a WebThread, don't just run on the WebThread,
1482         run on the MainThread with the WebThreadLock.
1483
1484 2019-04-02  Michael Saboff  <msaboff@apple.com>
1485
1486         Crash in Options::setOptions() using --configFile option and libgmalloc
1487         https://bugs.webkit.org/show_bug.cgi?id=196506
1488
1489         Reviewed by Keith Miller.
1490
1491         Changed to call CString::data() while making the call to Options::setOptions().  This keeps
1492         the implicit CString temporary alive until after setOptions() returns.
1493
1494         * runtime/ConfigFile.cpp:
1495         (JSC::ConfigFile::parse):
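
        Added example (not WTF's or JSC's code): toy stand-ins for String/CString showing why the CString temporary
        must stay alive until setOptions() returns. A registry of live buffers makes the dangling case observable
        without dereferencing freed memory; the class names mirror the ones above, everything else is constructed.

```cpp
#include <cstring>
#include <set>
#include <string>
#include <utility>

// Registry of buffers currently owned by some CString. Checking a pointer against it is
// deterministic, unlike reading through a pointer into freed memory.
static std::set<const char*>& liveBuffers() {
    static std::set<const char*> registry;
    return registry;
}

// Toy CString: owns a heap buffer and hands out a raw pointer into it via data().
class CString {
public:
    explicit CString(const std::string& s) : m_buffer(new char[s.size() + 1]) {
        std::memcpy(m_buffer, s.c_str(), s.size() + 1);
        liveBuffers().insert(m_buffer);
    }
    CString(CString&& other) : m_buffer(other.m_buffer) { other.m_buffer = nullptr; }
    CString(const CString&) = delete;
    CString& operator=(const CString&) = delete;
    ~CString() {
        if (!m_buffer) return;
        liveBuffers().erase(m_buffer);
        delete[] m_buffer;
    }
    const char* data() const { return m_buffer; }
private:
    char* m_buffer;
};

// Toy String: utf8() returns a fresh CString temporary on every call.
class String {
public:
    explicit String(std::string value) : m_value(std::move(value)) {}
    CString utf8() const { return CString(m_value); }
private:
    std::string m_value;
};

// Stand-in for Options::setOptions(const char*): reports whether the buffer it was handed
// is still alive at the moment it runs (the real function parses it, which is where the
// libgmalloc crash above surfaced).
static bool setOptions(const char* optionsString) { return liveBuffers().count(optionsString) != 0; }

// The pattern the patch removed: the CString temporary is destroyed at the end of the
// declaration, so `options` already dangles when setOptions() runs.
static bool setOptionsFromDanglingPointer(const String& configLine) {
    const char* options = configLine.utf8().data();
    return setOptions(options);  // false: buffer freed one statement earlier
}

// The fixed pattern: the temporary lives until the full expression containing the call
// has finished, so setOptions() reads a live buffer.
static bool setOptionsWithinFullExpression(const String& configLine) {
    return setOptions(configLine.utf8().data());  // true
}

static const String kSampleConfig("sampleOption=1");  // constructed text, not a real JSC option
```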
1496
1497 2019-04-02  Fujii Hironori  <Hironori.Fujii@sony.com>
1498
1499         [CMake] WEBKIT_MAKE_FORWARDING_HEADERS shouldn't use POST_BUILD to copy generated headers
1500         https://bugs.webkit.org/show_bug.cgi?id=182757
1501
1502         Reviewed by Don Olmstead.
1503
1504         * CMakeLists.txt: Do not use DERIVED_SOURCE_DIRECTORIES parameter
1505         of WEBKIT_MAKE_FORWARDING_HEADERS. Added generated headers to
1506         JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS.
1507
1508 2019-04-02  Saam barati  <sbarati@apple.com>
1509
1510         Add a ValueRepReduction phase
1511         https://bugs.webkit.org/show_bug.cgi?id=196234
1512
1513         Reviewed by Filip Pizlo.
1514
1515         This patch adds a ValueRepReduction phase. The main idea here is
1516         to try to reduce DoubleRep(RealNumberUse:ValueRep(DoubleRepUse:@x))
1517         to just be @x. This patch handles such strength reduction rules
1518         as long as we prove that all users of the ValueRep can be converted
1519         to using the incoming double value. That way we prevent introducing
1520         a parallel live range for the double value.
1521         
1522         This patch tracks the uses of the ValueRep through Phi variables,
1523         so we can convert entire Phi variables to being Double instead
1524         of JSValue if the Phi also has only double uses.
1525         
1526         This is implemented through a simple escape analysis. DoubleRep(RealNumberUse:)
1527         and OSR exit hints are not counted as escapes. All other uses are counted
1528         as escapes. Connected Phi graphs are converted to being Double only if the
1529         entire graph is ok with the result being Double.
1530         
1531         Some ways we could extend this phase in the future:
1532         - There are a lot of DoubleRep(NumberUse:@ValueRep(@x)) uses. This ensures
1533           that the result of the DoubleRep of @x is not impure NaN. We could
1534           handle this case if we introduced a PurifyNaN node and replace the DoubleRep
1535           with PurifyNaN(@x). Alternatively, we could see if certain users of this
1536           DoubleRep are okay with impure NaN flowing into them and we'd need to ensure
1537           their output type is always treated as if the input is impure NaN.
1538         - We could do sinking of ValueRep where we think it's profitable. So instead
1539           of an escape making it so we never represent the variable as a Double, we
1540           could make the escape reconstruct the JSValueRep where profitable.
1541         - We can extend this phase to handle Int52Rep if it's profitable.
1542         - We can opt other nodes into accepting incoming Doubles so we no longer
1543           treat them as escapes.
1544         
1545         This patch is somewhere between neutral and a 1% progression on JetStream 2.
1546
1547         * JavaScriptCore.xcodeproj/project.pbxproj:
1548         * Sources.txt:
1549         * dfg/DFGPlan.cpp:
1550         (JSC::DFG::Plan::compileInThreadImpl):
1551         * dfg/DFGValueRepReductionPhase.cpp: Added.
1552         (JSC::DFG::ValueRepReductionPhase::ValueRepReductionPhase):
1553         (JSC::DFG::ValueRepReductionPhase::run):
1554         (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble):
1555         (JSC::DFG::performValueRepReduction):
1556         * dfg/DFGValueRepReductionPhase.h: Added.
1557         * runtime/Options.h:
1558
1559 2019-04-01  Yusuke Suzuki  <ysuzuki@apple.com>
1560
1561         [JSC] JSRunLoopTimer::Manager should be small
1562         https://bugs.webkit.org/show_bug.cgi?id=196425
1563
1564         Reviewed by Darin Adler.
1565
1566         Using a very large Key or Value in HashMap potentially bloats memory since HashMap pre-allocates a large amount of
1567         memory ((sizeof(Key) + sizeof(Value)) * N) for its backing storage's array. Using std::unique_ptr<> for JSRunLoopTimer's
1568         PerVMData keeps HashMap's backing store size small.
1569
1570         * runtime/JSRunLoopTimer.cpp:
1571         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1572         (JSC::JSRunLoopTimer::Manager::registerVM):
1573         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1574         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1575         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1576         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1577         * runtime/JSRunLoopTimer.h:
1578
1579 2019-04-01  Stephan Szabo  <stephan.szabo@sony.com>
1580
1581         [PlayStation] Add initialization for JSC shell for PlayStation port
1582         https://bugs.webkit.org/show_bug.cgi?id=195411
1583
1584         Reviewed by Ross Kirsling.
1585
1586         Add ps options
1587
1588         * shell/PlatformPlayStation.cmake: Added.
1589         * shell/playstation/Initializer.cpp: Added.
1590         (initializer):
1591
1592 2019-04-01  Michael Catanzaro  <mcatanzaro@igalia.com>
1593
1594         Stop trying to support building JSC with clang 3.8
1595         https://bugs.webkit.org/show_bug.cgi?id=195947
1596         <rdar://problem/49069219>
1597
1598         Reviewed by Darin Adler.
1599
1600         It seems WebKit hasn't built with clang 3.8 in a while, no devs are using this compiler, we
1601         don't know how much effort it would be to make JSC work again, and it's making the code
1602         worse. Remove my hacks to support clang 3.8 from JSC.
1603
1604         * bindings/ScriptValue.cpp:
1605         (Inspector::jsToInspectorValue):
1606         * bytecode/GetterSetterAccessCase.cpp:
1607         (JSC::GetterSetterAccessCase::create):
1608         (JSC::GetterSetterAccessCase::clone const):
1609         * bytecode/InstanceOfAccessCase.cpp:
1610         (JSC::InstanceOfAccessCase::clone const):
1611         * bytecode/IntrinsicGetterAccessCase.cpp:
1612         (JSC::IntrinsicGetterAccessCase::clone const):
1613         * bytecode/ModuleNamespaceAccessCase.cpp:
1614         (JSC::ModuleNamespaceAccessCase::clone const):
1615         * bytecode/ProxyableAccessCase.cpp:
1616         (JSC::ProxyableAccessCase::clone const):
1617
1618 2019-03-31  Yusuke Suzuki  <ysuzuki@apple.com>
1619
1620         [JSC] Butterfly allocation from LargeAllocation should try "realloc" behavior if collector thread is not active
1621         https://bugs.webkit.org/show_bug.cgi?id=196160
1622
1623         Reviewed by Saam Barati.
1624
1625         "realloc" can be effective in terms of peak/current memory footprint when realloc succeeds because,
1626
1627         1. It does not allocate additional memory while expanding a vector
1628         2. It does not deallocate the old memory, just reusing the current memory by expanding, so that memory footprint is tight even before scavenging
1629
1630         We found that we can "realloc" large butterflies if certain conditions are met because,
1631
1632         1. If it goes to LargeAllocation, this memory region is never reused until GC sweeps it.
1633         2. Butterflies are owned by owner JSObjects, so we know the lifetime of Butterflies.
1634
1635         This patch attempts to use "realloc" onto butterflies if,
1636
1637         1. Butterflies are allocated in LargeAllocation kind
1638         2. Concurrent collector is not active
1639         3. Butterflies do not have property storage
1640
1641         The condition (2) is required to avoid deallocating butterflies while the concurrent collector looks into it. The condition (3) is
1642         also required to avoid deallocating butterflies while the concurrent compiler looks into it.
1643
1644         We also change the LargeAllocation mechanism to use "malloc" and "free" instead of "posix_memalign". This allows us to use "realloc"
1645         safely on all platforms. Since LargeAllocation uses alignment to distinguish LargeAllocation and MarkedBlock, we manually adjust
1646         16B alignment by allocating 8B more memory in "malloc".
1647
1648         Speedometer2 and JetStream2 are neutral. RAMification shows about 1% progression (even in some of JIT tests).
1649
1650         * heap/AlignedMemoryAllocator.h:
1651         * heap/CompleteSubspace.cpp:
1652         (JSC::CompleteSubspace::tryAllocateSlow):
1653         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
1654         * heap/CompleteSubspace.h:
1655         * heap/FastMallocAlignedMemoryAllocator.cpp:
1656         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateMemory):
1657         (JSC::FastMallocAlignedMemoryAllocator::freeMemory):
1658         (JSC::FastMallocAlignedMemoryAllocator::tryReallocateMemory):
1659         * heap/FastMallocAlignedMemoryAllocator.h:
1660         * heap/GigacageAlignedMemoryAllocator.cpp:
1661         (JSC::GigacageAlignedMemoryAllocator::tryAllocateMemory):
1662         (JSC::GigacageAlignedMemoryAllocator::freeMemory):
1663         (JSC::GigacageAlignedMemoryAllocator::tryReallocateMemory):
1664         * heap/GigacageAlignedMemoryAllocator.h:
1665         * heap/IsoAlignedMemoryAllocator.cpp:
1666         (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory):
1667         (JSC::IsoAlignedMemoryAllocator::freeMemory):
1668         (JSC::IsoAlignedMemoryAllocator::tryReallocateMemory):
1669         * heap/IsoAlignedMemoryAllocator.h:
1670         * heap/LargeAllocation.cpp:
1671         (JSC::isAlignedForLargeAllocation):
1672         (JSC::LargeAllocation::tryCreate):
1673         (JSC::LargeAllocation::tryReallocate):
1674         (JSC::LargeAllocation::LargeAllocation):
1675         (JSC::LargeAllocation::destroy):
1676         * heap/LargeAllocation.h:
1677         (JSC::LargeAllocation::indexInSpace):
1678         (JSC::LargeAllocation::setIndexInSpace):
1679         (JSC::LargeAllocation::basePointer const):
1680         * heap/MarkedSpace.cpp:
1681         (JSC::MarkedSpace::sweepLargeAllocations):
1682         (JSC::MarkedSpace::prepareForConservativeScan):
1683         * heap/WeakSet.h:
1684         (JSC::WeakSet::isTriviallyDestructible const):
1685         * runtime/Butterfly.h:
1686         * runtime/ButterflyInlines.h:
1687         (JSC::Butterfly::reallocArrayRightIfPossible):
1688         * runtime/JSObject.cpp:
1689         (JSC::JSObject::ensureLengthSlow):
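
        Added example (not JSC's LargeAllocation): a toy 16-byte-aligned allocator over malloc/realloc/free that
        over-allocates 8 bytes and records the shift in its header, as described above. It also handles the case
        the text implies but does not spell out: realloc() returning a block whose alignment differs from the old
        one, so header and payload must be slid by 8 bytes. Names and the header layout are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// A 16-byte header sits at the start of every block and is what we keep 16-byte aligned;
// the payload follows it. malloc() is only assumed to return 8-byte-aligned memory, so we
// ask for 8 bytes more and shift the header up by 8 when malloc's pointer is odd-aligned.
namespace toy {

constexpr size_t kAlignment = 16;
constexpr size_t kHalfAlignment = kAlignment / 2;

struct Header {
    uint64_t size;       // payload bytes the caller asked for
    uint8_t adjustment;  // 0 or kHalfAlignment: distance from malloc's pointer to this header
    uint8_t pad[7];
};
static_assert(sizeof(Header) == kAlignment, "header must keep the payload 16-byte aligned");

static bool isAligned(const void* p) { return (reinterpret_cast<uintptr_t>(p) & (kAlignment - 1)) == 0; }
static Header* headerOf(void* payload) { return static_cast<Header*>(payload) - 1; }
static void* payloadOf(Header* h) { return h + 1; }
static void* basePointer(Header* h) { return reinterpret_cast<char*>(h) - h->adjustment; } // what free()/realloc() need

static void* tryAllocate(size_t size) {
    char* space = static_cast<char*>(std::malloc(sizeof(Header) + size + kHalfAlignment));
    if (!space)
        return nullptr;
    uint8_t adjustment = isAligned(space) ? 0 : static_cast<uint8_t>(kHalfAlignment);
    Header* h = reinterpret_cast<Header*>(space + adjustment);
    if (!isAligned(h)) {  // malloc gave less than 8-byte alignment: outside this scheme's assumption
        std::free(space);
        return nullptr;
    }
    h->size = size;
    h->adjustment = adjustment;
    return payloadOf(h);
}

static void deallocate(void* payload) {
    if (payload)
        std::free(basePointer(headerOf(payload)));
}

// Grows or shrinks in place when the system allocator can. The subtle part: realloc()
// may return a block whose low address bits differ from the old one, so the header and
// the surviving payload have to be slid by 8 bytes inside the new block first.
static void* tryReallocate(void* payload, size_t newSize) {
    Header* oldHeader = headerOf(payload);
    const uint64_t oldSize = oldHeader->size;
    const uint8_t oldAdjustment = oldHeader->adjustment;
    char* space = static_cast<char*>(std::realloc(basePointer(oldHeader), sizeof(Header) + newSize + kHalfAlignment));
    if (!space)
        return nullptr;  // the old block is untouched and still owned by the caller
    uint8_t newAdjustment = isAligned(space) ? 0 : static_cast<uint8_t>(kHalfAlignment);
    if (newAdjustment != oldAdjustment) {
        size_t bytesToMove = sizeof(Header) + static_cast<size_t>(oldSize < newSize ? oldSize : newSize);
        std::memmove(space + newAdjustment, space + oldAdjustment, bytesToMove);
    }
    Header* h = reinterpret_cast<Header*>(space + newAdjustment);
    h->size = newSize;
    h->adjustment = newAdjustment;
    return payloadOf(h);
}

} // namespace toy

// Fills a block with a known pattern, then grows, shrinks and grows it again, checking
// after every step that the payload stayed 16-byte aligned and its contents survived.
static bool reallocKeepsAlignmentAndContents() {
    const size_t sizes[] = { 40, 100, 24, 5000 };
    char* p = static_cast<char*>(toy::tryAllocate(sizes[0]));
    if (!p || !toy::isAligned(p))
        return false;
    for (size_t i = 0; i < sizes[0]; ++i)
        p[i] = static_cast<char>('a' + i % 26);
    size_t live = sizes[0];  // bytes of pattern that must still be intact
    for (size_t step = 1; step < 4; ++step) {
        char* q = static_cast<char*>(toy::tryReallocate(p, sizes[step]));
        if (!q) { toy::deallocate(p); return false; }
        p = q;
        live = live < sizes[step] ? live : sizes[step];
        bool ok = toy::isAligned(p) && toy::headerOf(p)->size == sizes[step];
        for (size_t i = 0; ok && i < live; ++i)
            ok = p[i] == static_cast<char>('a' + i % 26);
        if (!ok) { toy::deallocate(p); return false; }
    }
    toy::deallocate(p);
    return true;
}
```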
1690
1691 2019-03-31  Sam Weinig  <weinig@apple.com>
1692
1693         Remove more i386 specific configurations
1694         https://bugs.webkit.org/show_bug.cgi?id=196430
1695
1696         Reviewed by Alexey Proskuryakov.
1697
1698         * Configurations/FeatureDefines.xcconfig:
1699         ENABLE_WEB_AUTHN_macosx can now be enabled unconditionally on macOS.
1700
1701         * Configurations/ToolExecutable.xcconfig:
1702         ARC can be enabled unconditionally now.
1703
1704 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
1705
1706         [JSC] JSWrapperMap should not use Objective-C Weak map (NSMapTable with NSPointerFunctionsWeakMemory) for m_cachedObjCWrappers
1707         https://bugs.webkit.org/show_bug.cgi?id=196392
1708
1709         Reviewed by Saam Barati.
1710
1711         Weak representation in Objective-C is surprisingly costly in terms of memory. We can see that a very easy program shows 10KB memory consumption due to
1712         this weak wrapper map in JavaScriptCore.framework. But we do not need this weak map since Objective-C JSValue has a dealloc. It can unregister itself
1713         from the map when it is deallocated without using the Objective-C weak mechanism. And since Objective-C JSValue is tightly coupled to a specific JSContext,
1714         and the wrapper map is created per JSContext, the JSValue wrapper and the actual JavaScriptCore value are one-to-one, and [JSValue dealloc] knows which JSContext's
1715         wrapper map holds itself.
1716
1717         1. We do not use Objective-C weak mechanism. We use WTF::HashSet instead. When JSValue is allocated, we register it to JSWrapperMap's HashSet. And unregister
1718            JSValue from this map when JSValue is deallocated.
1719         2. We use HashSet<JSValue> (logically) instead of HashMap<JSValueRef, JSValue> to keep JSValueRef and JSValue relationship. We can achieve it because JSValue
1720            holds JSValueRef inside it.
1721
1722         * API/JSContext.mm:
1723         (-[JSContext removeWrapper:]):
1724         * API/JSContextInternal.h:
1725         * API/JSValue.mm:
1726         (-[JSValue dealloc]):
1727         (-[JSValue initWithValue:inContext:]):
1728         * API/JSWrapperMap.h:
1729         * API/JSWrapperMap.mm:
1730         (WrapperKey::hashTableDeletedValue):
1731         (WrapperKey::WrapperKey):
1732         (WrapperKey::isHashTableDeletedValue const):
1733         (WrapperKey::Hash::hash):
1734         (WrapperKey::Hash::equal):
1735         (WrapperKey::Traits::isEmptyValue):
1736         (WrapperKey::Translator::hash):
1737         (WrapperKey::Translator::equal):
1738         (WrapperKey::Translator::translate):
1739         (-[JSWrapperMap initWithGlobalContextRef:]):
1740         (-[JSWrapperMap dealloc]):
1741         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
1742         (-[JSWrapperMap removeWrapper:]):
1743         * API/tests/testapi.mm:
1744         (testObjectiveCAPIMain):
1745
1746 2019-03-29  Robin Morisset  <rmorisset@apple.com>
1747
1748         B3ReduceStrength should know that Mul distributes over Add and Sub
1749         https://bugs.webkit.org/show_bug.cgi?id=196325
1750
1751         Reviewed by Michael Saboff.
1752
1753         In this patch I add the following patterns to B3ReduceStrength:
1754         - Turn this: Integer Neg(Mul(value, c))
1755           Into this: Mul(value, -c), as long as -c does not overflow
1756         - Turn these: Integer Mul(value, Neg(otherValue)) and Integer Mul(Neg(value), otherValue)
1757           Into this: Neg(Mul(value, otherValue))
1758         - For Op==Add or Sub, turn any of these:
1759              Op(Mul(x1, x2), Mul(x1, x3))
1760              Op(Mul(x2, x1), Mul(x1, x3))
1761              Op(Mul(x1, x2), Mul(x3, x1))
1762              Op(Mul(x2, x1), Mul(x3, x1))
1763           Into this: Mul(x1, Op(x2, x3))
1764
1765         Also includes a trivial change: a similar reduction for the distributivity of BitAnd over BitOr/BitXor now
1766         emits the arguments to BitAnd in the other order, to minimize the probability that we'll spend a full fixpoint step just to flip them.
1767
1768         * b3/B3ReduceStrength.cpp:
1769         * b3/testb3.cpp:
1770         (JSC::B3::testAddMulMulArgs):
1771         (JSC::B3::testMulArgNegArg):
1772         (JSC::B3::testMulNegArgArg):
1773         (JSC::B3::testNegMulArgImm):
1774         (JSC::B3::testSubMulMulArgs):
1775         (JSC::B3::run):
1776
1777 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
1778
1779         [JSC] Remove distancing for LargeAllocation
1780         https://bugs.webkit.org/show_bug.cgi?id=196335
1781
1782         Reviewed by Saam Barati.
1783
1784         In r230226, we removed the distancing feature from our GC. This patch removes the remaining distancing things in LargeAllocation.
1785
1786         * heap/HeapCell.h:
1787         * heap/LargeAllocation.cpp:
1788         (JSC::LargeAllocation::tryCreate):
1789         * heap/MarkedBlock.h:
1790
1791 2019-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1792
1793         Delete WebMetal implementation in favor of WebGPU
1794         https://bugs.webkit.org/show_bug.cgi?id=195418
1795
1796         Reviewed by Dean Jackson.
1797
1798         * Configurations/FeatureDefines.xcconfig:
1799         * inspector/protocol/Canvas.json:
1800         * inspector/scripts/codegen/generator.py:
1801
1802 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
1803
1804         Assertion failed in JSC::createError
1805         https://bugs.webkit.org/show_bug.cgi?id=196305
1806         <rdar://problem/49387382>
1807
1808         Reviewed by Saam Barati.
1809
1810         JSC::createError assumes that `errorDescriptionForValue` will either
1811         throw an exception or return a valid description string. However, that
1812         is not true if the value is a rope string and we successfully resolve it,
1813         but later fail to wrap the string in quotes with `tryMakeString`.
1814
1815         * runtime/ExceptionHelpers.cpp:
1816         (JSC::createError):
1817
1818 2019-03-29  Devin Rousso  <drousso@apple.com>
1819
1820         Web Inspector: add fast returns for instrumentation hooks that have no effect before a frontend is connected
1821         https://bugs.webkit.org/show_bug.cgi?id=196382
1822         <rdar://problem/49403417>
1823
1824         Reviewed by Joseph Pecoraro.
1825
1826         Ensure that all instrumentation hooks use `FAST_RETURN_IF_NO_FRONTENDS` or check that
1827         `developerExtrasEnabled`. There should be no activity to/from any inspector objects until
1828         developer extras are enabled.
1829
1830         * inspector/agents/InspectorConsoleAgent.cpp:
1831         (Inspector::InspectorConsoleAgent::startTiming):
1832         (Inspector::InspectorConsoleAgent::stopTiming):
1833         (Inspector::InspectorConsoleAgent::count):
1834         (Inspector::InspectorConsoleAgent::addConsoleMessage):
1835
1836 2019-03-29  Cathie Chen  <cathiechen@igalia.com>
1837
1838         Implement ResizeObserver.
1839         https://bugs.webkit.org/show_bug.cgi?id=157743
1840
1841         Reviewed by Simon Fraser.
1842
1843         Add ENABLE_RESIZE_OBSERVER.
1844
1845         * Configurations/FeatureDefines.xcconfig:
1846
1847 2019-03-28  Michael Saboff  <msaboff@apple.com>
1848
1849         [YARR] Precompute BMP / non-BMP status when constructing character classes
1850         https://bugs.webkit.org/show_bug.cgi?id=196296
1851
1852         Reviewed by Keith Miller.
1853
1854         Changed CharacterClass::m_hasNonBMPCharacters into a character width bit field which
1855         indicates if the class includes characters from either BMP, non-BMP or both ranges.
1856         This allows the recognizing code to eliminate checks for the width of a matched
1857         character when the class has only one width.  The character width is needed to
1858         determine if we advance 1 or 2 characters.  Also, the pre-computed width of character
1859         classes that contain either all BMP or all non-BMP characters allows the parser to
1860         use fixed widths for terms using those character classes.  Changed both the code gen
1861         scripts and Yarr compiler to compute this bit field during the construction of
1862         character classes.
1863
1864         For JIT'ed code of character classes that contain either all BMP or all non-BMP
1865         characters, we can eliminate the generic check we were doing to compute how much
1866         to advance after successfully matching a character in the class.
1867
1868                 Generic isBMP check      BMP only            non-BMP only
1869                 --------------           --------------      --------------
1870                 inc %r9d                 inc %r9d            add $0x2, %r9d
1871                 cmp $0x10000, %eax
1872                 jl isBMP
1873                 cmp %edx, %esi
1874                 jz atEndOfString
1875                 inc %r9d
1876                 inc %esi
1877          isBMP:
1878
1879         For character classes that contained non-BMP characters, we were always generating
1880         the code in the left column.  The middle column is the code we generate for character
1881         classes that contain only BMP characters.  The right column is the code we now
1882         generate if the character class has only non-BMP characters.  In the fixed width cases,
1883         we can eliminate both the isBMP check as well as the atEndOfString check.  The
1884         atEndOfString check is eliminated since we know how many characters this character
1885         class requires and that check can be factored out to the beginning of the current
1886         alternative.  For character classes that contain both BMP and non-BMP characters,
1887         we still generate the generic left column.
1888
1889         This change is a ~8% perf progression on UniPoker and a ~2% improvement on RexBench
1890         as a whole.
1891
1892         * runtime/RegExp.cpp:
1893         (JSC::RegExp::matchCompareWithInterpreter):
1894         * runtime/RegExpInlines.h:
1895         (JSC::RegExp::matchInline):
1896         * yarr/YarrInterpreter.cpp:
1897         (JSC::Yarr::Interpreter::checkCharacterClassDontAdvanceInputForNonBMP):
1898         (JSC::Yarr::Interpreter::matchCharacterClass):
1899         * yarr/YarrJIT.cpp:
1900         (JSC::Yarr::YarrGenerator::optimizeAlternative):
1901         (JSC::Yarr::YarrGenerator::matchCharacterClass):
1902         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
1903         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1904         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1905         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1906         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1907         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
1908         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
1909         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1910         (JSC::Yarr::YarrGenerator::generateEnter):
1911         (JSC::Yarr::YarrGenerator::YarrGenerator):
1912         (JSC::Yarr::YarrGenerator::compile):
1913         * yarr/YarrPattern.cpp:
1914         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1915         (JSC::Yarr::CharacterClassConstructor::reset):
1916         (JSC::Yarr::CharacterClassConstructor::charClass):
1917         (JSC::Yarr::CharacterClassConstructor::addSorted):
1918         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1919         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
1920         (JSC::Yarr::CharacterClassConstructor::characterWidths):
1921         (JSC::Yarr::PatternTerm::dump):
1922         (JSC::Yarr::anycharCreate):
1923         * yarr/YarrPattern.h:
1924         (JSC::Yarr::operator|):
1925         (JSC::Yarr::operator&):
1926         (JSC::Yarr::operator|=):
1927         (JSC::Yarr::CharacterClass::CharacterClass):
1928         (JSC::Yarr::CharacterClass::hasNonBMPCharacters):
1929         (JSC::Yarr::CharacterClass::hasOneCharacterSize):
1930         (JSC::Yarr::CharacterClass::hasOnlyNonBMPCharacters):
1931         (JSC::Yarr::PatternTerm::invert const):
1932         (JSC::Yarr::PatternTerm::invert): Deleted.
1933         * yarr/create_regex_tables:
1934         * yarr/generateYarrUnicodePropertyTables.py:
1935
1936 2019-03-28  Saam Barati  <sbarati@apple.com>
1937
1938         BackwardsGraph needs to consider back edges as the backward's root successor
1939         https://bugs.webkit.org/show_bug.cgi?id=195991
1940
1941         Reviewed by Filip Pizlo.
1942
1943         * b3/testb3.cpp:
1944         (JSC::B3::testInfiniteLoopDoesntCauseBadHoisting):
1945         (JSC::B3::run):
1946
1947 2019-03-28  Fujii Hironori  <Hironori.Fujii@sony.com>
1948
1949         Opcode.h(159,27): warning: adding 'unsigned int' to a string does not append to the string [-Wstring-plus-int]
1950         https://bugs.webkit.org/show_bug.cgi?id=196343
1951
1952         Reviewed by Saam Barati.
1953
1954         Clang reports a compilation warning and recommends '&PADDING_STRING[PADDING_STRING_LENGTH]'
1955         instead of 'PADDING_STRING + PADDING_STRING_LENGTH'.
1956
1957         * bytecode/Opcode.cpp:
1958         (JSC::padOpcodeName): Moved padOpcodeName from Opcode.h because
1959         this function is used only in Opcode.cpp. Changed macros
1960         PADDING_STRING and PADDING_STRING_LENGTH to simple variables.
1961         (JSC::compareOpcodePairIndices): Replaced pair with std::pair.
1962         * bytecode/Opcode.h:
1963         (JSC::padOpcodeName): Moved.
1964
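The warning class the entry above fixes, shown as an added example rather than WebKit's own Opcode.cpp: `array + n` on a string literal is pointer arithmetic that reads like concatenation, which is why clang flags it with -Wstring-plus-int and suggests `&array[n]`. The padding string, its width and the `padOpcodeName` signature below are constructed for the example and only follow the names used in the entry.

```cpp
// Added example (not WebKit code): fixed-width padding of an opcode name,
// written in the form clang recommends for the -Wstring-plus-int warning.
#include <cstring>
#include <string>

// Plain variables rather than macros, as the entry describes. The literal is
// 16 spaces; the length is derived from the array so it cannot drift.
static const char paddingString[] = "                ";
static const unsigned paddingStringLength = sizeof(paddingString) - 1;

// Returns `name` padded with spaces to `width` characters.
// Warning-prone spelling:   paddingString + (paddingStringLength - padding)
// Recommended spelling:    &paddingString[paddingStringLength - padding]
// Both yield the same pointer; the second makes the array indexing explicit
// and cannot be mistaken for string concatenation.
std::string padOpcodeName(const char* name, unsigned width) {
    unsigned length = static_cast<unsigned>(std::strlen(name));
    if (length >= width)
        return name;                          // nothing to pad
    unsigned padding = width - length;
    if (padding > paddingStringLength)
        padding = paddingStringLength;        // never index past the array
    std::string out(name);
    out += &paddingString[paddingStringLength - padding];
    return out;
}
```

The clamp on `padding` is the part worth keeping in mind: with either spelling, an index beyond `paddingStringLength` reads past the literal, and the compiler warning says nothing about that.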
1965 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
1966
1967         CodeBlock::jettison() should disallow repatching its own calls
1968         https://bugs.webkit.org/show_bug.cgi?id=196359
1969         <rdar://problem/48973663>
1970
1971         Reviewed by Saam Barati.
1972
1973         CodeBlock::jettison() calls CommonData::invalidate, which replaces the `hlt`
1974         instruction with the jump to OSR exit. However, if the `hlt` was immediately
1975         followed by a call to the CodeBlock being jettisoned, we would write over the
1976         OSR exit address while unlinking all the incoming CallLinkInfos later in
1977         CodeBlock::jettison().
1978
1979         Change it so that we set a flag, `clearedByJettison`, in all the CallLinkInfos
1980         owned by the CodeBlock being jettisoned. If the flag is set, we will avoid
1981         repatching the call during unlinking. This is safe because this call will never
1982         be reachable again after the CodeBlock is jettisoned.
1983
1984         * bytecode/CallLinkInfo.cpp:
1985         (JSC::CallLinkInfo::CallLinkInfo):
1986         (JSC::CallLinkInfo::setCallee):
1987         (JSC::CallLinkInfo::clearCallee):
1988         (JSC::CallLinkInfo::setCodeBlock):
1989         (JSC::CallLinkInfo::clearCodeBlock):
1990         * bytecode/CallLinkInfo.h:
1991         (JSC::CallLinkInfo::clearedByJettison):
1992         (JSC::CallLinkInfo::setClearedByJettison):
1993         * bytecode/CodeBlock.cpp:
1994         (JSC::CodeBlock::jettison):
1995         * jit/Repatch.cpp:
1996         (JSC::revertCall):
1997
1998 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
1999
2000         [JSC] Drop VM and Context cache map in JavaScriptCore.framework
2001         https://bugs.webkit.org/show_bug.cgi?id=196341
2002
2003         Reviewed by Saam Barati.
2004
2005         Previously, we created an Objective-C weak map to maintain JSVirtualMachine and JSContext wrappers corresponding to VM and JSGlobalObject.
2006         But an Objective-C weak map is really memory costly. Even if there is only one entry, it consumes 2.5KB per weak map. Since we can modify
2007         JSC intrusively for JavaScriptCore.framework (and we already did it, like, holding JSWrapperMap in JSGlobalObject), we can just hold
2008         a pointer to a wrapper in VM and JSGlobalObject.
2009
2010         This patch adds void* members to VM and JSGlobalObject, which hold a non-strong reference to a wrapper. When a wrapper is gone, we
2011         clear this pointer too. This removes two unnecessary Objective-C weak maps, and saves 5KB.
2012
2013         * API/JSContext.mm:
2014         (-[JSContext initWithVirtualMachine:]):
2015         (-[JSContext dealloc]):
2016         (-[JSContext initWithGlobalContextRef:]):
2017         (-[JSContext wrapperMap]):
2018         (+[JSContext contextWithJSGlobalContextRef:]):
2019         * API/JSVirtualMachine.mm:
2020         (-[JSVirtualMachine initWithContextGroupRef:]):
2021         (-[JSVirtualMachine dealloc]):
2022         (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
2023         (scanExternalObjectGraph):
2024         (scanExternalRememberedSet):
2025         (initWrapperCache): Deleted.
2026         (wrapperCache): Deleted.
2027         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Deleted.
2028         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Deleted.
2029         (-[JSVirtualMachine contextForGlobalContextRef:]): Deleted.
2030         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Deleted.
2031         * API/JSVirtualMachineInternal.h:
2032         * runtime/JSGlobalObject.h:
2033         (JSC::JSGlobalObject::setAPIWrapper):
2034         (JSC::JSGlobalObject::apiWrapper const):
2035         * runtime/VM.h:
2036
2037 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2038
2039         In-memory code cache should not share bytecode across domains
2040         https://bugs.webkit.org/show_bug.cgi?id=196321
2041
2042         Reviewed by Geoffrey Garen.
2043
2044         Use the SourceProvider's URL to make sure that the hosts match for the
2045         two SourceCodeKeys in operator==.
2046
2047         * parser/SourceCodeKey.h:
2048         (JSC::SourceCodeKey::host const):
2049         (JSC::SourceCodeKey::operator== const):
2050
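The isolation property the entry above restores, as an added example that is not JSC's SourceCodeKey: a compiled-code cache whose key includes the host taken from the script's URL, so identical source text served by two hosts never shares one cache entry. `CacheKey`, `CodeCache` and `hostFromURL` are stand-ins constructed for this example; the real key compares several more fields.

```cpp
// Added example (not WebKit code): a bytecode cache key that includes the
// origin host, modelling the operator== fix described in the entry above.
#include <functional>
#include <string>
#include <unordered_map>
#include <utility>

// Hypothetical stand-in for JSC's SourceCodeKey, reduced to the two fields
// that matter here.
struct CacheKey {
    std::string source;
    std::string host;   // derived from the SourceProvider's URL

    bool operator==(const CacheKey& other) const {
        // The fix: hosts must match as well as the source text.
        return source == other.source && host == other.host;
    }
};

struct CacheKeyHash {
    size_t operator()(const CacheKey& k) const {
        // Hash both fields so keys differing only by host do not pile into
        // one bucket; operator== is what actually rejects a false hit.
        return std::hash<std::string>{}(k.source) ^ (std::hash<std::string>{}(k.host) << 1);
    }
};

// Minimal host extraction for scheme://host[:port]/path URLs; returns ""
// when the URL carries no authority component.
std::string hostFromURL(const std::string& url) {
    size_t schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos)
        return "";
    size_t start = schemeEnd + 3;
    size_t end = url.find_first_of(":/?#", start);
    return url.substr(start, end == std::string::npos ? std::string::npos : end - start);
}

// Toy in-memory code cache: maps a key to the id of a "compiled" unit.
class CodeCache {
public:
    // Returns the compiled-unit id for (source, url), compiling on a miss.
    int lookupOrCompile(const std::string& source, const std::string& url) {
        CacheKey key{source, hostFromURL(url)};
        auto it = m_entries.find(key);
        if (it != m_entries.end())
            return it->second;
        int id = m_nextId++;
        m_entries.emplace(std::move(key), id);
        return id;
    }
    size_t size() const { return m_entries.size(); }

private:
    std::unordered_map<CacheKey, int, CacheKeyHash> m_entries;
    int m_nextId = 1;
};

// Same constructed script from two hosts must produce two entries, while a
// second script from the first host (different path) reuses the first entry.
bool demonstrateIsolation() {
    CodeCache cache;
    const std::string script = "function f() { return 1; }";   // constructed sample
    int a = cache.lookupOrCompile(script, "https://a.example/app.js");
    int b = cache.lookupOrCompile(script, "https://b.example/app.js");
    int a2 = cache.lookupOrCompile(script, "https://a.example/other.js");
    return a != b && a == a2 && cache.size() == 2;
}
```

The entry keys on the host only; a full web origin also includes scheme and port, so a cache that must follow same-origin rules exactly would compare those too.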
2051 2019-03-28  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2052
2053         Silence lot of warnings when compiling with clang
2054         https://bugs.webkit.org/show_bug.cgi?id=196310
2055
2056         Reviewed by Michael Catanzaro.
2057
2058         Initialize variable with default constructor.
2059
2060         * API/glib/JSCOptions.cpp:
2061         (jsc_options_foreach):
2062
2063 2019-03-27  Saam Barati  <sbarati@apple.com>
2064
2065         validateOSREntryValue with Int52 should box the value being checked into double format
2066         https://bugs.webkit.org/show_bug.cgi?id=196313
2067         <rdar://problem/49306703>
2068
2069         Reviewed by Yusuke Suzuki.
2070
2071         * dfg/DFGOSREntry.cpp:
2072         (JSC::DFG::prepareOSREntry):
2073         * ftl/FTLLowerDFGToB3.cpp:
2074         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2075
2076 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2077
2078         [JSC] Owner of watchpoints should validate at GC finalizing phase
2079         https://bugs.webkit.org/show_bug.cgi?id=195827
2080
2081         Reviewed by Filip Pizlo.
2082
2083         This patch fixes JSC's watchpoint liveness issue by the following two policies.
2084
2085         1. Watchpoint should have an owner cell, and the "fire" operation should be guarded with the owner cell's isLive check.
2086
2087         Watchpoints should hold its owner cell, and fire procedure should be guarded by `owner->isLive()`.
2088         When the owner cell is destroyed, these watchpoints are destroyed too. But this destruction can
2089         be delayed due to incremental sweeper. So the following condition can happen.
2090
2091         When we have a watchpoint like the following.
2092
2093             class XXXWatchpoint {
2094                 ObjectPropertyCondition m_key;
2095                 JSCell* m_owner;
2096             };
2097
2098         Both m_key's cell and m_owner are now unreachable from the root. So eventually, m_owner cell's destructor
2099         is called and this watchpoint will be destroyed. But before that, m_key's cell can be destroyed. And this
2100         watchpoint's fire procedure can be called since m_owner's destructor is not called yet. In this situation,
2101         we encounter the destroyed cell held in m_key. This problem can be avoided if we guard fire procedure with
2102         `m_owner->isLive()`. Until the owner cell is destroyed, this guard avoids "fire" procedure execution. And
2103         once the destructor of m_owner is called, this watchpoint will be destroyed too.
2104
2105         2. Watchpoint liveness should be maintained by owner cell's unconditional finalizer
2106
2107         Watchpoints often hold weak references to other cells (like m_key in the above example). If we do not
2108         delete watchpoints with dead cells when these weak cells become dead, these watchpoints continue holding dead cells,
2109         and the watchpoint's fire operation can use these dead cells accidentally. An isLive / isStillLive check for these weak cells
2110         in the fire operation is not useful, because these dead cells can eventually be reused for other live cells, and these
2111         isLive / isStillLive checks fail to see that these cells are live if they are reused. The appropriate way is to delete watchpoints
2112         with dead cells when finalizing GC. In this patch, we do this in unconditional finalizers in owner cells of watchpoints.
2113         We already did this in CodeBlock etc. We add the same thing to StructureRareData which owns watchpoints for toString operations.
2114
2115         * JavaScriptCore.xcodeproj/project.pbxproj:
2116         * Sources.txt:
2117         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2118         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::StructureWatchpoint): Deleted.
2119         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::PropertyWatchpoint): Deleted.
2120         * bytecode/CodeBlockJettisoningWatchpoint.h:
2121         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): Deleted.
2122         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2123         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
2124         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2125         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2126         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): Deleted.
2127         * bytecode/StructureStubClearingWatchpoint.cpp:
2128         (JSC::StructureStubClearingWatchpoint::fireInternal):
2129         (JSC::WatchpointsOnStructureStubInfo::isValid const):
2130         * bytecode/StructureStubClearingWatchpoint.h:
2131         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): Deleted.
2132         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2133         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::isValid const):
2134         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
2135         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2136         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2137         * dfg/DFGAdaptiveStructureWatchpoint.h:
2138         (JSC::DFG::AdaptiveStructureWatchpoint::key const): Deleted.
2139         * dfg/DFGDesiredWatchpoints.cpp:
2140         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2141         * heap/Heap.cpp:
2142         (JSC::Heap::finalizeUnconditionalFinalizers):
2143         * llint/LLIntSlowPaths.cpp:
2144         (JSC::LLInt::setupGetByIdPrototypeCache):
2145         * runtime/ArrayBuffer.cpp:
2146         (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
2147         * runtime/ArrayBufferNeuteringWatchpointSet.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp.
2148         (JSC::ArrayBufferNeuteringWatchpointSet::ArrayBufferNeuteringWatchpointSet):
2149         (JSC::ArrayBufferNeuteringWatchpointSet::destroy):
2150         (JSC::ArrayBufferNeuteringWatchpointSet::create):
2151         (JSC::ArrayBufferNeuteringWatchpointSet::createStructure):
2152         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
2153         * runtime/ArrayBufferNeuteringWatchpointSet.h: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h.
2154         * runtime/FunctionRareData.h:
2155         * runtime/JSGlobalObject.cpp:
2156         (JSC::JSGlobalObject::init):
2157         (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
2158         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
2159         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint): Deleted.
2160         * runtime/StructureRareData.cpp:
2161         (JSC::StructureRareData::finalizeUnconditionally):
2162         * runtime/StructureRareData.h:
2163         * runtime/VM.cpp:
2164         (JSC::VM::VM):
2165
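A miniature model of the two policies in the entry above, added here as an example and not taken from JSC: cells carry a liveness bit that a simulated GC clears, a watchpoint holds its owner cell and a weak key cell, `fire()` is guarded by the owner's liveness, and the owner's unconditional finalizer drops every watchpoint whose key has died. `Cell`, `Owner` and `runScenario` are constructed for the example; the real classes (StructureRareData, CodeBlock) do considerably more.

```cpp
// Added example (not JSC code): owner-guarded firing plus finalizer-driven
// removal, the pattern that keeps a delayed sweep from turning a dead key
// cell into a use-after-free inside a watchpoint's fire procedure.
#include <memory>
#include <string>
#include <vector>

struct Cell {
    std::string name;
    bool live = true;              // cleared by the simulated GC when unreachable
    bool isLive() const { return live; }
};

class Watchpoint {
public:
    Watchpoint(Cell* owner, Cell* key) : m_owner(owner), m_key(key) {}

    // Policy 1: never run the fire procedure on behalf of a dead owner. The
    // owner's destructor will destroy this watchpoint eventually; until the
    // (possibly delayed) sweep gets there, this guard keeps m_key untouched.
    bool fire() {
        if (!m_owner->isLive())
            return false;
        // Touching m_key here is only safe because policy 2 removes this
        // watchpoint as soon as m_key dies (see Owner::finalizeUnconditionally).
        ++m_fireCount;
        return true;
    }

    Cell* key() const { return m_key; }
    int fireCount() const { return m_fireCount; }

private:
    Cell* m_owner;
    Cell* m_key;                   // weak: this watchpoint does not keep it alive
    int m_fireCount = 0;
};

// Owner-side bookkeeping, playing the role of e.g. StructureRareData.
class Owner {
public:
    explicit Owner(Cell* cell) : m_cell(cell) {}

    Watchpoint* addWatchpoint(Cell* key) {
        m_watchpoints.push_back(std::make_unique<Watchpoint>(m_cell, key));
        return m_watchpoints.back().get();
    }

    // Policy 2: at GC finalization, delete watchpoints whose weak key is dead,
    // so no later fire() can observe a dead (or recycled) key cell.
    size_t finalizeUnconditionally() {
        size_t removed = 0;
        for (auto it = m_watchpoints.begin(); it != m_watchpoints.end();) {
            if (!(*it)->key()->isLive()) {
                it = m_watchpoints.erase(it);
                ++removed;
            } else
                ++it;
        }
        return removed;
    }

    size_t watchpointCount() const { return m_watchpoints.size(); }

private:
    Cell* m_cell;
    std::vector<std::unique_ptr<Watchpoint>> m_watchpoints;
};

struct ScenarioResult {
    bool firedWhileLive;
    size_t removedAtGC;
    bool firedAfterOwnerDied;
};

// Scenario from the entry: the key dies before the owner, and the owner's
// destruction is delayed. The finalizer drops the watchpoint with the dead
// key; the surviving watchpoint refuses to fire once its owner is dead.
ScenarioResult runScenario() {
    Cell ownerCell{"owner"}, keyCell{"key"}, otherKey{"otherKey"};
    Owner owner(&ownerCell);
    Watchpoint* wp = owner.addWatchpoint(&keyCell);
    Watchpoint* wp2 = owner.addWatchpoint(&otherKey);
    ScenarioResult r{};
    r.firedWhileLive = wp->fire();                    // everything live: fires

    keyCell.live = false;                             // GC finds the key unreachable
    r.removedAtGC = owner.finalizeUnconditionally();  // wp deleted here; wp2 kept

    ownerCell.live = false;                           // later the owner dies; sweep delayed
    r.firedAfterOwnerDied = wp2->fire();              // guard: dead owner, no fire
    return r;
}
```

Note that `wp` is not used after the finalizer runs; it points at a destroyed watchpoint from then on, which is exactly the window the owner-liveness guard and the finalizer together close in the real engine.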
2166 2019-03-26  Saam Barati  <sbarati@apple.com>
2167
2168         FTL: Emit code to validate AI's state when running the compiled code
2169         https://bugs.webkit.org/show_bug.cgi?id=195924
2170         <rdar://problem/49003422>
2171
2172         Reviewed by Filip Pizlo.
2173
2174         This patch adds code between the execution of each node that validates
2175         the types that AI proves. This option is too expensive to turn on for our
2176         regression testing, but we think it will be valuable in other types of running
2177         modes, such as when running with a fuzzer.
2178         
2179         This patch also adds options to only probabilistically run this validation
2180         after the execution of each node. As the probability is lowered, there is
2181         less of a perf hit.
2182         
2183         This patch just adds this validation in the FTL. A follow-up patch will land
2184         it in the DFG too: https://bugs.webkit.org/show_bug.cgi?id=196219
2185
2186         * ftl/FTLLowerDFGToB3.cpp:
2187         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2188         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
2189         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2190         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2191         (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
2192         * runtime/Options.h:
2193
2194 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
2195
2196         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
2197         https://bugs.webkit.org/show_bug.cgi?id=196217
2198
2199         Reviewed by Saam Barati.
2200
2201         Generalize the fix for f32.max to properly handle NaN by doing an extra GreaterThan
2202         comparison in r243446 to all min and max float operations.
2203
2204         * wasm/WasmAirIRGenerator.cpp:
2205         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2206         (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax):
2207         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2208         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2209         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2210         * wasm/wasm.json:
2211
2212 2019-03-26  Andy VanWagoner  <andy@vanwagoner.family>
2213
2214         Intl.DateTimeFormat should obey 2-digit hour
2215         https://bugs.webkit.org/show_bug.cgi?id=195974
2216
2217         Reviewed by Keith Miller.
2218
2219         * runtime/IntlDateTimeFormat.cpp:
2220         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2221
2222 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2223
2224         Heap::isMarked and friends should be instance methods
2225         https://bugs.webkit.org/show_bug.cgi?id=179988
2226
2227         Reviewed by Saam Barati.
2228
2229         Almost all the callers of Heap::isMarked have a VM& reference. We should make Heap::isMarked an instance function instead of a static function
2230         so that we do not need to look up Heap from the cell.
2231
2232         * API/JSAPIWrapperObject.mm:
2233         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2234         * API/JSMarkingConstraintPrivate.cpp:
2235         (JSC::isMarked):
2236         * API/glib/JSAPIWrapperObjectGLib.cpp:
2237         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2238         * builtins/BuiltinExecutables.cpp:
2239         (JSC::BuiltinExecutables::finalizeUnconditionally):
2240         * bytecode/AccessCase.cpp:
2241         (JSC::AccessCase::visitWeak const):
2242         (JSC::AccessCase::propagateTransitions const):
2243         * bytecode/CallLinkInfo.cpp:
2244         (JSC::CallLinkInfo::visitWeak):
2245         * bytecode/CallLinkStatus.cpp:
2246         (JSC::CallLinkStatus::finalize):
2247         * bytecode/CallLinkStatus.h:
2248         * bytecode/CallVariant.cpp:
2249         (JSC::CallVariant::finalize):
2250         * bytecode/CallVariant.h:
2251         * bytecode/CodeBlock.cpp:
2252         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
2253         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2254         (JSC::shouldMarkTransition):
2255         (JSC::CodeBlock::propagateTransitions):
2256         (JSC::CodeBlock::determineLiveness):
2257         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2258         (JSC::CodeBlock::finalizeUnconditionally):
2259         (JSC::CodeBlock::jettison):
2260         * bytecode/CodeBlock.h:
2261         * bytecode/ExecutableToCodeBlockEdge.cpp:
2262         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2263         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
2264         (JSC::ExecutableToCodeBlockEdge::runConstraint):
2265         * bytecode/GetByIdStatus.cpp:
2266         (JSC::GetByIdStatus::finalize):
2267         * bytecode/GetByIdStatus.h:
2268         * bytecode/GetByIdVariant.cpp:
2269         (JSC::GetByIdVariant::finalize):
2270         * bytecode/GetByIdVariant.h:
2271         * bytecode/InByIdStatus.cpp:
2272         (JSC::InByIdStatus::finalize):
2273         * bytecode/InByIdStatus.h:
2274         * bytecode/InByIdVariant.cpp:
2275         (JSC::InByIdVariant::finalize):
2276         * bytecode/InByIdVariant.h:
2277         * bytecode/ObjectPropertyCondition.cpp:
2278         (JSC::ObjectPropertyCondition::isStillLive const):
2279         * bytecode/ObjectPropertyCondition.h:
2280         * bytecode/ObjectPropertyConditionSet.cpp:
2281         (JSC::ObjectPropertyConditionSet::areStillLive const):
2282         * bytecode/ObjectPropertyConditionSet.h:
2283         * bytecode/PolymorphicAccess.cpp:
2284         (JSC::PolymorphicAccess::visitWeak const):
2285         * bytecode/PropertyCondition.cpp:
2286         (JSC::PropertyCondition::isStillLive const):
2287         * bytecode/PropertyCondition.h:
2288         * bytecode/PutByIdStatus.cpp:
2289         (JSC::PutByIdStatus::finalize):
2290         * bytecode/PutByIdStatus.h:
2291         * bytecode/PutByIdVariant.cpp:
2292         (JSC::PutByIdVariant::finalize):
2293         * bytecode/PutByIdVariant.h:
2294         * bytecode/RecordedStatuses.cpp:
2295         (JSC::RecordedStatuses::finalizeWithoutDeleting):
2296         (JSC::RecordedStatuses::finalize):
2297         * bytecode/RecordedStatuses.h:
2298         * bytecode/StructureSet.cpp:
2299         (JSC::StructureSet::isStillAlive const):
2300         * bytecode/StructureSet.h:
2301         * bytecode/StructureStubInfo.cpp:
2302         (JSC::StructureStubInfo::visitWeakReferences):
2303         * dfg/DFGPlan.cpp:
2304         (JSC::DFG::Plan::finalizeInGC):
2305         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2306         * heap/GCIncomingRefCounted.h:
2307         * heap/GCIncomingRefCountedInlines.h:
2308         (JSC::GCIncomingRefCounted<T>::filterIncomingReferences):
2309         * heap/GCIncomingRefCountedSet.h:
2310         * heap/GCIncomingRefCountedSetInlines.h:
2311         (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
2312         (JSC::GCIncomingRefCountedSet<T>::sweep):
2313         (JSC::GCIncomingRefCountedSet<T>::removeAll): Deleted.
2314         (JSC::GCIncomingRefCountedSet<T>::removeDead): Deleted.
2315         * heap/Heap.cpp:
2316         (JSC::Heap::addToRememberedSet):
2317         (JSC::Heap::runEndPhase):
2318         (JSC::Heap::sweepArrayBuffers):
2319         (JSC::Heap::addCoreConstraints):
2320         * heap/Heap.h:
2321         * heap/HeapInlines.h:
2322         (JSC::Heap::isMarked):
2323         * heap/HeapSnapshotBuilder.cpp:
2324         (JSC::HeapSnapshotBuilder::appendNode):
2325         * heap/SlotVisitor.cpp:
2326         (JSC::SlotVisitor::appendToMarkStack):
2327         (JSC::SlotVisitor::visitChildren):
2328         * jit/PolymorphicCallStubRoutine.cpp:
2329         (JSC::PolymorphicCallStubRoutine::visitWeak):
2330         * runtime/ErrorInstance.cpp:
2331         (JSC::ErrorInstance::finalizeUnconditionally):
2332         * runtime/InferredValueInlines.h:
2333         (JSC::InferredValue::finalizeUnconditionally):
2334         * runtime/StackFrame.h:
2335         (JSC::StackFrame::isMarked const):
2336         * runtime/Structure.cpp:
2337         (JSC::Structure::isCheapDuringGC):
2338         (JSC::Structure::markIfCheap):
2339         * runtime/Structure.h:
2340         * runtime/TypeProfiler.cpp:
2341         (JSC::TypeProfiler::invalidateTypeSetCache):
2342         * runtime/TypeProfiler.h:
2343         * runtime/TypeSet.cpp:
2344         (JSC::TypeSet::invalidateCache):
2345         * runtime/TypeSet.h:
2346         * runtime/WeakMapImpl.cpp:
2347         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
2348         * runtime/WeakMapImplInlines.h:
2349         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
2350
2351 2019-03-25  Keith Miller  <keith_miller@apple.com>
2352
2353         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
2354         https://bugs.webkit.org/show_bug.cgi?id=196176
2355
2356         Reviewed by Saam Barati.
2357
2358         convertToCompareEqPtr should allow for either CompareStrictEq or
2359         the SameValue DFG node. This fixes the old assertion that only
2360         allowed CompareStrictEq.
2361
2362         * dfg/DFGNode.h:
2363         (JSC::DFG::Node::convertToCompareEqPtr):
2364
2365 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
2366
2367         WebAssembly: f32.max with NaN generates incorrect result
2368         https://bugs.webkit.org/show_bug.cgi?id=175691
2369         <rdar://problem/33952228>
2370
2371         Reviewed by Saam Barati.
2372
2373         Fix the B3 and Air compilation for f32.max. In order to handle the NaN
2374         case, we need an extra GreaterThan comparison on top of the existing
2375         Equal and LessThan ones.
2376
2377         * wasm/WasmAirIRGenerator.cpp:
2378         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2379         * wasm/wasm.json:
2380
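The Equal / LessThan / GreaterThan scheme from the f32.max entry above and from the later entry generalizing it to f32.min, f64.min and f64.max, written as plain C++ so the NaN and signed-zero cases can be checked directly. This is an added example, not WebKit's Air or B3 lowering; `naiveMax`, `wasmMax`, `wasmMin` and `mergeSignedZero` are names constructed for it.

```cpp
// Added example (not WebKit code). WebAssembly semantics for min/max: if
// either operand is NaN the result is NaN; otherwise min(-0, +0) is -0 and
// max(-0, +0) is +0. Plain C++ comparisons are all false when either side is
// NaN, which is what makes the third comparison necessary.
#include <cmath>
#include <cstdint>
#include <cstring>
#include <limits>
#include <type_traits>

// Equal operands can still differ in the sign of zero; merge the bit patterns.
// OR keeps a set sign bit (-0 wins, for min); AND keeps it only when both are
// negative (+0 wins, for max).
template<typename F>
F mergeSignedZero(F a, F b, bool preferNegative) {
    using Bits = std::conditional_t<sizeof(F) == 4, uint32_t, uint64_t>;
    Bits ab, bb;
    std::memcpy(&ab, &a, sizeof a);
    std::memcpy(&bb, &b, sizeof b);
    Bits rb = preferNegative ? (ab | bb) : (ab & bb);
    F r;
    std::memcpy(&r, &rb, sizeof r);
    return r;
}

// Pre-fix shape for max: Equal, then LessThan, then "otherwise a". With a NaN
// on the right, neither comparison holds and `a` comes back, which is the
// incorrect result the f32.max bug describes.
template<typename F>
F naiveMax(F a, F b) {
    if (a == b) return mergeSignedZero(a, b, false);
    if (a < b) return b;
    return a;
}

// Fixed shape: the extra GreaterThan separates "a is larger" from
// "unordered", so only a genuine NaN input reaches the NaN result.
template<typename F>
F wasmMax(F a, F b) {
    if (a == b) return mergeSignedZero(a, b, false);
    if (a < b) return b;
    if (a > b) return a;
    return std::numeric_limits<F>::quiet_NaN();
}

// Same three comparisons, mirrored, for min.
template<typename F>
F wasmMin(F a, F b) {
    if (a == b) return mergeSignedZero(a, b, true);
    if (a < b) return a;
    if (a > b) return b;
    return std::numeric_limits<F>::quiet_NaN();
}
```

The templates cover both f32 and f64, which is the generalization the second entry makes; compile without -ffast-math, since that flag lets the compiler assume NaN never appears and would fold the unordered branch away.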
2381 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2382
2383         Unreviewed, speculative fix for CLoop build on CPU(UNKNOWN)
2384         https://bugs.webkit.org/show_bug.cgi?id=195982
2385
2386         * jit/ExecutableAllocator.h:
2387         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2388
2389 2019-03-25  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2390
2391         Remove NavigatorContentUtils in WebCore/Modules
2392         https://bugs.webkit.org/show_bug.cgi?id=196070
2393
2394         Reviewed by Alex Christensen.
2395
2396         NavigatorContentUtils was there to support the custom scheme spec [1].
2397         However, on the WebKit side, no port has supported the feature in the
2398         WebKit layer after the EFL port was removed. So there has been only the
2399         IDL implementation of NavigatorContentUtils in WebCore.
2400         So we don't need to keep the implementation in WebCore anymore.
2401
2402         [1] https://html.spec.whatwg.org/multipage/system-state.html#custom-handlers
2403
2404         * Configurations/FeatureDefines.xcconfig:
2405
2406 2019-03-23  Mark Lam  <mark.lam@apple.com>
2407
2408         Rolling out r243032 and r243071 because the fix is incorrect.
2409         https://bugs.webkit.org/show_bug.cgi?id=195892
2410         <rdar://problem/48981239>
2411
2412         Not reviewed.
2413
2414         The fix is incorrect: it relies on being able to determine liveness of an object
2415         in an ObjectPropertyCondition based on the state of the object's MarkedBit.
2416         However, there's no guarantee that GC has run and that the MarkedBit is already
2417         set even if the object is live.  As a result, we may not re-install adaptive
2418         watchpoints based on presumed dead objects which are actually live.
2419
2420         I'm rolling this out, and will implement a more comprehensive fix to handle
2421         watchpoint liveness later.
2422
2423         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2424         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2425         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2426         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2427         * bytecode/ObjectPropertyCondition.cpp:
2428         (JSC::ObjectPropertyCondition::dumpInContext const):
2429         * bytecode/StructureStubClearingWatchpoint.cpp:
2430         (JSC::StructureStubClearingWatchpoint::fireInternal):
2431         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2432         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2433         * runtime/StructureRareData.cpp:
2434         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2435
2436 2019-03-23  Keith Miller  <keith_miller@apple.com>
2437
2438         Refactor clz/ctz and fix getLSBSet.
2439         https://bugs.webkit.org/show_bug.cgi?id=196162
2440
2441         Reviewed by Saam Barati.
2442
2443         Refactor references of clz32/64 and ctz32 to use clz and ctz,
2444         respectively.
2445
2446         * dfg/DFGAbstractInterpreterInlines.h:
2447         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2448         * dfg/DFGOperations.cpp:
2449         * runtime/JSBigInt.cpp:
2450         (JSC::JSBigInt::digitDiv):
2451         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
2452         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2453         (JSC::JSBigInt::toStringBasePowerOfTwo):
2454         (JSC::JSBigInt::compareToDouble):
2455         * runtime/MathObject.cpp:
2456         (JSC::mathProtoFuncClz32):
2457
2458 2019-03-23  Yusuke Suzuki  <ysuzuki@apple.com>
2459
2460         [JSC] Shrink sizeof(RegExp)
2461         https://bugs.webkit.org/show_bug.cgi?id=196133
2462
2463         Reviewed by Mark Lam.
2464
2465         Some applications have many RegExp cells. But RegExp cells are very large (144B).
2466         This patch reduces the size from 144B to 48B by:
2467
2468         1. Allocate Yarr::YarrCodeBlock in non-GC heap. We can avoid this allocation if JIT is disabled.
2469         2. m_captureGroupNames and m_namedGroupToParenIndex are moved to RareData. They are only used when RegExp has named capture groups.
2470
2471         * runtime/RegExp.cpp:
2472         (JSC::RegExp::finishCreation):
2473         (JSC::RegExp::estimatedSize):
2474         (JSC::RegExp::compile):
2475         (JSC::RegExp::matchConcurrently):
2476         (JSC::RegExp::compileMatchOnly):
2477         (JSC::RegExp::deleteCode):
2478         (JSC::RegExp::printTraceData):
2479         * runtime/RegExp.h:
2480         * runtime/RegExpInlines.h:
2481         (JSC::RegExp::hasCodeFor):
2482         (JSC::RegExp::matchInline):
2483         (JSC::RegExp::hasMatchOnlyCodeFor):
2484
2485 2019-03-22  Keith Rollin  <krollin@apple.com>
2486
2487         Enable ThinLTO support in Production builds
2488         https://bugs.webkit.org/show_bug.cgi?id=190758
2489         <rdar://problem/45413233>
2490
2491         Reviewed by Daniel Bates.
2492
2493         Tweak JavaScriptCore's Base.xcconfig to be more in-line with other
2494         .xcconfig files with regards to LTO settings. However, don't actually
2495         enable LTO for JavaScriptCore. LTO is not enabled for JavaScriptCore
2496         due to <rdar://problem/24543547>.
2497
2498         * Configurations/Base.xcconfig:
2499
2500 2019-03-22  Mark Lam  <mark.lam@apple.com>
2501
2502         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
2503         https://bugs.webkit.org/show_bug.cgi?id=196154
2504         <rdar://problem/49145307>
2505
2506         Reviewed by Filip Pizlo.
2507
2508         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2509         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2510
2511 2019-03-22  Mark Lam  <mark.lam@apple.com>
2512
2513         Placate exception check validation in constructJSWebAssemblyLinkError().
2514         https://bugs.webkit.org/show_bug.cgi?id=196152
2515         <rdar://problem/49145257>
2516
2517         Reviewed by Michael Saboff.
2518
2519         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2520         (JSC::constructJSWebAssemblyLinkError):
2521
2522 2019-03-22  Timothy Hatcher  <timothy@apple.com>
2523
2524         Change macosx() to macos() in WK_API... and JSC_API... macros.
2525         https://bugs.webkit.org/show_bug.cgi?id=196106
2526
2527         Reviewed by Brian Burg.
2528
2529         * API/JSBasePrivate.h:
2530         * API/JSContext.h:
2531         * API/JSContextPrivate.h:
2532         * API/JSContextRef.h:
2533         * API/JSContextRefInternal.h:
2534         * API/JSContextRefPrivate.h:
2535         * API/JSManagedValue.h:
2536         * API/JSObjectRef.h:
2537         * API/JSObjectRefPrivate.h:
2538         * API/JSRemoteInspector.h:
2539         * API/JSScript.h:
2540         * API/JSTypedArray.h:
2541         * API/JSValue.h:
2542         * API/JSValuePrivate.h:
2543         * API/JSValueRef.h:
2544         * API/JSVirtualMachinePrivate.h:
2545
2546 2019-03-22  Yusuke Suzuki  <ysuzuki@apple.com>
2547
2548         Unreviewed, build fix for Windows
2549         https://bugs.webkit.org/show_bug.cgi?id=196122
2550
2551         * runtime/FunctionExecutable.cpp:
2552
2553 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2554
2555         [JSC] Shrink sizeof(FunctionExecutable) by 16bytes
2556         https://bugs.webkit.org/show_bug.cgi?id=196122
2557
2558         Reviewed by Saam Barati.
2559
2560         This patch reduces sizeof(FunctionExecutable) by 16 bytes.
2561
2562         1. ScriptExecutable::m_numParametersForCall and ScriptExecutable::m_numParametersForConstruct are not used in a meaningful way. Removed them.
2563         2. ScriptExecutable::m_lastLine and ScriptExecutable::m_endColumn can be calculated from UnlinkedFunctionExecutable. So FunctionExecutable does not need to hold them.
2564            This patch adds GlobalExecutable, which represents non-function ScriptExecutables, and moves m_lastLine and m_endColumn to this class.
2565         3. FunctionExecutable still needs to have the feature of overriding m_lastLine and m_endColumn. We move the overridden data into FunctionExecutable::RareData.
2566
2567         * CMakeLists.txt:
2568         * JavaScriptCore.xcodeproj/project.pbxproj:
2569         * Sources.txt:
2570         * bytecode/UnlinkedFunctionExecutable.cpp:
2571         (JSC::UnlinkedFunctionExecutable::link):
2572         * runtime/EvalExecutable.cpp:
2573         (JSC::EvalExecutable::EvalExecutable):
2574         * runtime/EvalExecutable.h:
2575         * runtime/FunctionExecutable.cpp:
2576         (JSC::FunctionExecutable::FunctionExecutable):
2577         (JSC::FunctionExecutable::ensureRareDataSlow):
2578         (JSC::FunctionExecutable::overrideInfo):
2579         * runtime/FunctionExecutable.h:
2580         * runtime/GlobalExecutable.cpp: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2581         * runtime/GlobalExecutable.h: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2582         (JSC::GlobalExecutable::lastLine const):
2583         (JSC::GlobalExecutable::endColumn const):
2584         (JSC::GlobalExecutable::recordParse):
2585         (JSC::GlobalExecutable::GlobalExecutable):
2586         * runtime/ModuleProgramExecutable.cpp:
2587         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2588         * runtime/ModuleProgramExecutable.h:
2589         * runtime/ProgramExecutable.cpp:
2590         (JSC::ProgramExecutable::ProgramExecutable):
2591         * runtime/ProgramExecutable.h:
2592         * runtime/ScriptExecutable.cpp:
2593         (JSC::ScriptExecutable::clearCode):
2594         (JSC::ScriptExecutable::installCode):
2595         (JSC::ScriptExecutable::hasClearableCode const):
2596         (JSC::ScriptExecutable::newCodeBlockFor):
2597         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2598         (JSC::ScriptExecutable::recordParse):
2599         (JSC::ScriptExecutable::lastLine const):
2600         (JSC::ScriptExecutable::endColumn const):
2601         * runtime/ScriptExecutable.h:
2602         (JSC::ScriptExecutable::hasJITCodeForCall const):
2603         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
2604         (JSC::ScriptExecutable::recordParse):
2605         (JSC::ScriptExecutable::lastLine const): Deleted.
2606         (JSC::ScriptExecutable::endColumn const): Deleted.
2607         * tools/FunctionOverrides.h:
2608
2609 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2610
2611         [JSC] Shrink sizeof(RegExpObject)
2612         https://bugs.webkit.org/show_bug.cgi?id=196130
2613
2614         Reviewed by Saam Barati.
2615
2616         sizeof(RegExpObject) is 48B due to one bool flag. We should compress this flag into the lower bit of the RegExp* field so that we can make RegExpObject 32B.
2617         It saves 1.3% of memory footprint in RAMification's regexp.
2618
2619         * dfg/DFGSpeculativeJIT.cpp:
2620         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2621         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
2622         * ftl/FTLAbstractHeapRepository.h:
2623         * ftl/FTLLowerDFGToB3.cpp:
2624         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2625         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2626         * runtime/RegExpObject.cpp:
2627         (JSC::RegExpObject::RegExpObject):
2628         (JSC::RegExpObject::visitChildren):
2629         (JSC::RegExpObject::getOwnPropertySlot):
2630         (JSC::RegExpObject::defineOwnProperty):
2631         * runtime/RegExpObject.h:
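
The low-bit packing the entry above describes, as an added example that is not WebKit's code. `RegExpLike`, `PointerWithFlag`, `RegExpObjectBefore` and `RegExpObjectAfter` are hypothetical stand-ins; the real RegExpObject layout and the DFG/FTL changes that read the packed field are not reproduced. The point a reviewer checks is in the comments: the spare bit exists only because the pointee is aligned, and every load of the field, including JIT-emitted ones, must mask the bit before using the pointer.

```cpp
// Added example, not WebKit code: packing a one-bit flag into the low bit of an
// aligned pointer, the layout trick the entry above applies to RegExpObject.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for JSC's RegExp; only its alignment matters here.
struct RegExpLike {
    alignas(8) int patternId;
};

template<typename T>
class PointerWithFlag {
    // Bit 0 is only spare if every T* is at least 2-byte aligned; verify it
    // at compile time instead of trusting the allocator.
    static_assert(alignof(T) >= 2, "T needs a spare low bit in its pointers");
    static constexpr uintptr_t kFlagMask = 1;

public:
    PointerWithFlag() = default;
    PointerWithFlag(T* ptr, bool flag) { set(ptr, flag); }

    void set(T* ptr, bool flag)
    {
        uintptr_t bits = reinterpret_cast<uintptr_t>(ptr);
        assert(!(bits & kFlagMask)); // a pointer with bit 0 set would be corrupted silently
        m_bits = bits | (flag ? kFlagMask : 0);
    }

    // Every reader must strip the flag before dereferencing. Any code that
    // loads m_bits directly, such as JIT-emitted code, has to repeat this mask.
    T* pointer() const { return reinterpret_cast<T*>(m_bits & ~kFlagMask); }
    bool flag() const { return (m_bits & kFlagMask) != 0; }
    void setFlag(bool flag) { m_bits = (m_bits & ~kFlagMask) | (flag ? kFlagMask : 0); }

private:
    uintptr_t m_bits = 0;
};

// Illustrative before/after layouts: a separate bool costs a padded word, the
// packed pointer costs nothing extra. Field names are not JSC's.
struct RegExpObjectBefore {
    void* cellHeader;
    void* butterfly;
    RegExpLike* regExp;
    double lastIndex;
    bool lastIndexIsWritable;
};

struct RegExpObjectAfter {
    void* cellHeader;
    void* butterfly;
    PointerWithFlag<RegExpLike> regExp; // RegExp* and lastIndexIsWritable together
    double lastIndex;
};

// True if a pointer/flag pair survives the round trip and flipping the flag
// leaves the pointer untouched.
bool packedFieldRoundTrips(bool initialFlag)
{
    RegExpLike re { 42 };
    PointerWithFlag<RegExpLike> packed(&re, initialFlag);
    if (packed.pointer() != &re || packed.flag() != initialFlag)
        return false;
    packed.setFlag(!initialFlag);
    return packed.pointer() == &re && packed.flag() == !initialFlag
        && packed.pointer()->patternId == 42;
}

size_t bytesSavedByPacking()
{
    return sizeof(RegExpObjectBefore) - sizeof(RegExpObjectAfter);
}

int main()
{
    std::printf("before: %zu bytes, after: %zu bytes, round trip ok: %d\n",
        sizeof(RegExpObjectBefore), sizeof(RegExpObjectAfter),
        packedFieldRoundTrips(true) && packedFieldRoundTrips(false));
    return 0;
}
```

The packed field is exactly one pointer wide, so the object drops the word that the bool plus padding used to occupy. The `assert` in `set` is the runtime counterpart of the `static_assert`: a pointer that already has its low bit set (from a misaligned or untrusted source) would otherwise be misread as a flag.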
2632
2633 2019-03-21  Tomas Popela  <tpopela@redhat.com>
2634
2635         [JSC] Fix build after r243232 on unsupported 64bit architectures
2636         https://bugs.webkit.org/show_bug.cgi?id=196072
2637
2638         Reviewed by Keith Miller.
2639
2640         As Keith suggested, we already expect 16 free bits at the top of any
2641         pointer for JSValue even for the unsupported 64-bit arches.
2642
2643         * bytecode/CodeOrigin.h:
2644
2645 2019-03-21  Mark Lam  <mark.lam@apple.com>
2646
2647         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
2648         https://bugs.webkit.org/show_bug.cgi?id=196116
2649         <rdar://problem/48976951>
2650
2651         Reviewed by Filip Pizlo.
2652
2653         The DFG backend should not make assumptions about what optimizations the front end
2654         will or will not do.  The assertion asserts that the operand cannot be known to be
2655         a cell.  However, it is not guaranteed that the front end will fold away this case.
2656         Also, the DFG backend is perfectly capable of generating code to handle the case
2657         where the operand is a cell.
2658
2659         The attached test case demonstrates a case where the operand can be a known cell.
2660         The test needs to be run with the concurrent JIT and GC, and is racy.  It used to
2661         trip up this assertion about once every 10 runs or so.
2662
2663         * dfg/DFGSpeculativeJIT64.cpp:
2664         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2665
2666 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2667
2668         JSC::createError should clear exception thrown by errorDescriptionForValue
2669         https://bugs.webkit.org/show_bug.cgi?id=196089
2670
2671         Reviewed by Mark Lam.
2672
2673         errorDescriptionForValue returns a nullString in case of failure, but it
2674         might also throw an OOM exception when resolving a rope string. We need
2675         to clear any potential exceptions thrown by errorDescriptionForValue
2676         before returning the OOM from JSC::createError.
2677
2678         * runtime/ExceptionHelpers.cpp:
2679         (JSC::createError):
2680
2681 2019-03-21  Robin Morisset  <rmorisset@apple.com>
2682
2683         B3::Opcode can fit in a single byte, shrinking B3Value by 8 bytes
2684         https://bugs.webkit.org/show_bug.cgi?id=196014
2685
2686         Reviewed by Keith Miller.
2687
2688         B3::Opcode has fewer than one hundred cases, so it can easily fit in one byte (from two currently).
2689         This shrinks B3::Kind from 4 bytes to 2 (by removing the byte of padding at the end).
2690         This in turn eliminates padding from B3::Value, shrinking it by 8 bytes (out of 80).
2691
2692         * b3/B3Opcode.h:
2693
2694 2019-03-21  Michael Catanzaro  <mcatanzaro@igalia.com>
2695
2696         Unreviewed, more clang 3.8 build fixes
2697         https://bugs.webkit.org/show_bug.cgi?id=195947
2698         <rdar://problem/49069219>
2699
2700         In the spirit of making our code worse to please old compilers....
2701
2702         * bindings/ScriptValue.cpp:
2703         (Inspector::jsToInspectorValue):
2704         * bytecode/GetterSetterAccessCase.cpp:
2705         (JSC::GetterSetterAccessCase::create):
2706         (JSC::GetterSetterAccessCase::clone const):
2707         * bytecode/InstanceOfAccessCase.cpp:
2708         (JSC::InstanceOfAccessCase::clone const):
2709         * bytecode/IntrinsicGetterAccessCase.cpp:
2710         (JSC::IntrinsicGetterAccessCase::clone const):
2711         * bytecode/ModuleNamespaceAccessCase.cpp:
2712         (JSC::ModuleNamespaceAccessCase::clone const):
2713         * bytecode/ProxyableAccessCase.cpp:
2714         (JSC::ProxyableAccessCase::clone const):
2715
2716 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2717
2718         [JSC] Do not create JIT related data under non-JIT mode
2719         https://bugs.webkit.org/show_bug.cgi?id=195982
2720
2721         Reviewed by Mark Lam.
2722
2723         We avoid creating JIT-related data structures under non-JIT mode.
2724         This patch removes the following allocations.
2725
2726         1. JITThunks
2727         2. FTLThunks
2728         3. FixedVMPoolExecutableAllocator
2729         4. noJITValueProfileSingleton since it is no longer used
2730         5. ARM disassembler should be initialized when it is used
2731         6. Wasm related data structures are accidentally allocated if VM::canUseJIT() == false &&
2732            Options::useWebAssembly() == true. Add a Wasm::isSupported() function to check both conditions.
2733
2734         * CMakeLists.txt:
2735         * JavaScriptCore.xcodeproj/project.pbxproj:
2736         * heap/Heap.cpp:
2737         (JSC::Heap::runEndPhase):
2738         * jit/ExecutableAllocator.cpp:
2739         (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
2740         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2741         (JSC::ExecutableAllocator::isValid const):
2742         (JSC::ExecutableAllocator::underMemoryPressure):
2743         (JSC::ExecutableAllocator::memoryPressureMultiplier):
2744         (JSC::ExecutableAllocator::allocate):
2745         (JSC::ExecutableAllocator::isValidExecutableMemory):
2746         (JSC::ExecutableAllocator::getLock const):
2747         (JSC::ExecutableAllocator::committedByteCount):
2748         (JSC::ExecutableAllocator::dumpProfile):
2749         (JSC::startOfFixedExecutableMemoryPoolImpl):
2750         (JSC::endOfFixedExecutableMemoryPoolImpl):
2751         (JSC::ExecutableAllocator::initialize):
2752         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
2753         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
2754         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
2755         * jit/ExecutableAllocator.h:
2756         (JSC::ExecutableAllocatorBase::isValid const):
2757         (JSC::ExecutableAllocatorBase::underMemoryPressure):
2758         (JSC::ExecutableAllocatorBase::memoryPressureMultiplier):
2759         (JSC::ExecutableAllocatorBase::dumpProfile):
2760         (JSC::ExecutableAllocatorBase::allocate):
2761         (JSC::ExecutableAllocatorBase::setJITEnabled):
2762         (JSC::ExecutableAllocatorBase::isValidExecutableMemory):
2763         (JSC::ExecutableAllocatorBase::committedByteCount):
2764         (JSC::ExecutableAllocatorBase::getLock const):
2765         (JSC::ExecutableAllocator::isValid const): Deleted.
2766         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
2767         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
2768         (JSC::ExecutableAllocator::allocate): Deleted.
2769         (JSC::ExecutableAllocator::setJITEnabled): Deleted.
2770         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
2771         (JSC::ExecutableAllocator::committedByteCount): Deleted.
2772         (JSC::ExecutableAllocator::getLock const): Deleted.
2773         * jsc.cpp:
2774         (functionWebAssemblyMemoryMode):
2775         * runtime/InitializeThreading.cpp:
2776         (JSC::initializeThreading):
2777         * runtime/JSGlobalObject.cpp:
2778         (JSC::JSGlobalObject::init):
2779         * runtime/JSLock.cpp:
2780         (JSC::JSLock::didAcquireLock):
2781         * runtime/Options.cpp:
2782         (JSC::recomputeDependentOptions):
2783         * runtime/VM.cpp:
2784         (JSC::enableAssembler):
2785         (JSC::VM::canUseAssembler):
2786         (JSC::VM::VM):
2787         * runtime/VM.h:
2788         * wasm/WasmCapabilities.h: Added.
2789         (JSC::Wasm::isSupported):
2790         * wasm/WasmFaultSignalHandler.cpp:
2791         (JSC::Wasm::enableFastMemory):
2792
2793 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2794
2795         [JSC] Fix JSC build with newer ICU
2796         https://bugs.webkit.org/show_bug.cgi?id=196098
2797
2798         Reviewed by Keith Miller.
2799
2800         IntlDateTimeFormat and IntlNumberFormat have switch statements over ICU's enums. However, they lack a "default" clause, so
2801         a compile error occurs when a new enum value is added on the ICU side. We should have a "default" clause which just falls back to
2802         the "unknown"_s case. The behavior is not changed since we already have a `return "unknown"_s;` statement anyway after the
2803         switch statement. This patch just suppresses a compile error.
2804
2805         * runtime/IntlDateTimeFormat.cpp:
2806         (JSC::IntlDateTimeFormat::partTypeString):
2807         * runtime/IntlNumberFormat.cpp:
2808         (JSC::IntlNumberFormat::partTypeString):
2809
2810 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2811
2812         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
2813         https://bugs.webkit.org/show_bug.cgi?id=196078
2814         <rdar://problem/35925380>
2815
2816         Reviewed by Mark Lam.
2817
2818         Unlike the other variations of putByIndex, it only checked if the index
2819         was larger than MIN_SPARSE_ARRAY_INDEX when the indexingType was
2820         ALL_BLANK_INDEXING_TYPES. This resulted in a huge butterfly being
2821         allocated for object literals (e.g. `{[9e4]: ...}`) and objects parsed
2822         from JSON.
2823
2824         * runtime/JSObject.cpp:
2825         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2826
2827 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2828
2829         CachedUnlinkedSourceCodeShape::m_provider should be a CachedRefPtr
2830         https://bugs.webkit.org/show_bug.cgi?id=196079
2831
2832         Reviewed by Saam Barati.
2833
2834         It was mistakenly cached as CachedPtr, which was leaking the decoded SourceProvider.
2835
2836         * runtime/CachedTypes.cpp:
2837         (JSC::CachedUnlinkedSourceCodeShape::encode):
2838
2839 2019-03-21  Mark Lam  <mark.lam@apple.com>
2840
2841         Placate exception check validation in operationArrayIndexOfString().
2842         https://bugs.webkit.org/show_bug.cgi?id=196067
2843         <rdar://problem/49056572>
2844
2845         Reviewed by Michael Saboff.
2846
2847         * dfg/DFGOperations.cpp:
2848
2849 2019-03-21  Xan Lopez  <xan@igalia.com>
2850
2851         [JSC][x86] Drop support for x87 floating point
2852         https://bugs.webkit.org/show_bug.cgi?id=194853
2853
2854         Reviewed by Don Olmstead.
2855
2856         Require SSE2 throughout the codebase, and remove x87 support where
2857         it was optionally available. SSE2 detection happens at compile
2858         time through a static_assert.
2859
2860         * assembler/MacroAssemblerX86.h:
2861         (JSC::MacroAssemblerX86::storeDouble):
2862         (JSC::MacroAssemblerX86::moveDoubleToInts):
2863         (JSC::MacroAssemblerX86::supportsFloatingPoint):
2864         (JSC::MacroAssemblerX86::supportsFloatingPointTruncate):
2865         (JSC::MacroAssemblerX86::supportsFloatingPointSqrt):
2866         (JSC::MacroAssemblerX86::supportsFloatingPointAbs):
2867         * assembler/MacroAssemblerX86Common.cpp:
2868         * assembler/MacroAssemblerX86Common.h:
2869         (JSC::MacroAssemblerX86Common::moveDouble):
2870         (JSC::MacroAssemblerX86Common::loadDouble):
2871         (JSC::MacroAssemblerX86Common::loadFloat):
2872         (JSC::MacroAssemblerX86Common::storeDouble):
2873         (JSC::MacroAssemblerX86Common::storeFloat):
2874         (JSC::MacroAssemblerX86Common::convertDoubleToFloat):
2875         (JSC::MacroAssemblerX86Common::convertFloatToDouble):
2876         (JSC::MacroAssemblerX86Common::addDouble):
2877         (JSC::MacroAssemblerX86Common::addFloat):
2878         (JSC::MacroAssemblerX86Common::divDouble):
2879         (JSC::MacroAssemblerX86Common::divFloat):
2880         (JSC::MacroAssemblerX86Common::subDouble):
2881         (JSC::MacroAssemblerX86Common::subFloat):
2882         (JSC::MacroAssemblerX86Common::mulDouble):
2883         (JSC::MacroAssemblerX86Common::mulFloat):
2884         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
2885         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
2886         (JSC::MacroAssemblerX86Common::branchDouble):
2887         (JSC::MacroAssemblerX86Common::branchFloat):
2888         (JSC::MacroAssemblerX86Common::compareDouble):
2889         (JSC::MacroAssemblerX86Common::compareFloat):
2890         (JSC::MacroAssemblerX86Common::branchTruncateDoubleToInt32):
2891         (JSC::MacroAssemblerX86Common::truncateDoubleToInt32):
2892         (JSC::MacroAssemblerX86Common::truncateFloatToInt32):
2893         (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
2894         (JSC::MacroAssemblerX86Common::branchDoubleNonZero):
2895         (JSC::MacroAssemblerX86Common::branchDoubleZeroOrNaN):
2896         (JSC::MacroAssemblerX86Common::lshiftPacked):
2897         (JSC::MacroAssemblerX86Common::rshiftPacked):
2898         (JSC::MacroAssemblerX86Common::orPacked):
2899         (JSC::MacroAssemblerX86Common::move32ToFloat):
2900         (JSC::MacroAssemblerX86Common::moveFloatTo32):
2901         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2902         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2903         * offlineasm/x86.rb:
2904         * runtime/MathCommon.cpp:
2905         (JSC::operationMathPow):
2906
2907 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
2908
2909         [GLIB] User data not correctly passed to callback of functions and constructors with no parameters
2910         https://bugs.webkit.org/show_bug.cgi?id=196073
2911
2912         Reviewed by Michael Catanzaro.
2913
2914         This is because GClosure always expects the first parameter to be the instance. In case of functions or constructors with
2915         no parameters we insert a fake instance which is just a null pointer that is ignored by the callback. But
2916         if the function/constructor has user data, the callback will expect one parameter for the user data. In that case
2917         we can simply swap instance/user data so that the fake instance will be the second argument and user data the
2918         first one.
2919
2920         * API/glib/JSCClass.cpp:
2921         (jscClassCreateConstructor): Use g_cclosure_new_swap() if parameters is empty and user data was provided.
2922         * API/glib/JSCValue.cpp:
2923         (jscValueFunctionCreate): Ditto.
2924
2925 2019-03-21  Pablo Saavedra  <psaavedra@igalia.com>
2926
2927         [JSC][32-bit] Build failure after r243232
2928         https://bugs.webkit.org/show_bug.cgi?id=196068
2929
2930         Reviewed by Mark Lam.
2931
2932         * dfg/DFGOSRExit.cpp:
2933         (JSC::DFG::reifyInlinedCallFrames):
2934         * dfg/DFGOSRExitCompilerCommon.cpp:
2935         (JSC::DFG::reifyInlinedCallFrames):
2936
2937 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
2938
2939         [GLib] Returning G_TYPE_OBJECT from a method does not work
2940         https://bugs.webkit.org/show_bug.cgi?id=195574
2941
2942         Reviewed by Michael Catanzaro.
2943
2944         Add more documentation to clarify the ownership of wrapped objects when created and when returned by functions.
2945
2946         * API/glib/JSCCallbackFunction.cpp:
2947         (JSC::JSCCallbackFunction::construct): Also allow returning boxed types from a constructor.
2948         * API/glib/JSCClass.cpp:
2949         * API/glib/JSCValue.cpp:
2950
2951 2019-03-21  Mark Lam  <mark.lam@apple.com>
2952
2953         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
2954         https://bugs.webkit.org/show_bug.cgi?id=196055
2955         <rdar://problem/49067448>
2956
2957         Reviewed by Yusuke Suzuki.
2958
2959         We are doing this because:
2960         1. We expect the array to be densely packed.
2961         2. SpeculativeJIT::compileAllocateNewArrayWithSize() (and the FTL equivalent)
2962            expects the array length to be less than MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH
2963            if we don't want to use an ArrayStorage shape.
2964         3. There's no reason why an array with spread needs to be that large anyway.
2965            MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH is plenty.
2966
2967         In this patch, we also add a debug assert in compileAllocateNewArrayWithSize() and
2968         emitAllocateButterfly() to check for overflows.
2969
2970         * assembler/AbortReason.h:
2971         * dfg/DFGOperations.cpp:
2972         * dfg/DFGSpeculativeJIT.cpp:
2973         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2974         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2975         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
2976         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2977         * ftl/FTLLowerDFGToB3.cpp:
2978         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2979         * runtime/ArrayConventions.h:
2980         * runtime/CommonSlowPaths.cpp:
2981         (JSC::SLOW_PATH_DECL):
2982
2983 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
2984
2985         [JSC] Use finalizer in JSGlobalLexicalEnvironment and JSGlobalObject
2986         https://bugs.webkit.org/show_bug.cgi?id=195992
2987
2988         Reviewed by Keith Miller and Mark Lam.
2989
2990         JSGlobalLexicalEnvironment and JSGlobalObject have their own CompleteSubspace to call destructors even though they do not inherit from JSDestructibleObject.
2991         But it is too costly since (1) it requires a CompleteSubspace in VM, (2) both objects allocate MarkedBlocks while the number of them is really small.
2992
2993         Instead of using CompleteSubspace, we just set finalizers for them. Since these objects are rarely allocated, setting finalizers does not show
2994         memory / performance problems (actually, we previously used a finalizer for ArrayPrototype for the same reason, and it did not show any problems).
2995
2996         And we also add the following two changes to JSSegmentedVariableObject.
2997
2998         1. Remove one boolean used for debugging in Release build. It enlarges sizeof(JSSegmentedVariableObject) and allocates one more MarkedBlock.
2999         2. Use cellLock() instead.
3000
3001         * CMakeLists.txt:
3002         * JavaScriptCore.xcodeproj/project.pbxproj:
3003         * Sources.txt:
3004         * runtime/JSSegmentedVariableObject.cpp:
3005         (JSC::JSSegmentedVariableObject::findVariableIndex):
3006         (JSC::JSSegmentedVariableObject::addVariables):
3007         (JSC::JSSegmentedVariableObject::visitChildren):
3008         (JSC::JSSegmentedVariableObject::~JSSegmentedVariableObject):
3009         (JSC::JSSegmentedVariableObject::finishCreation):
3010         * runtime/JSSegmentedVariableObject.h:
3011         (JSC::JSSegmentedVariableObject::subspaceFor): Deleted.
3012         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Removed.
3013         * runtime/JSSegmentedVariableObjectHeapCellType.h: Removed.
3014         * runtime/StringIteratorPrototype.cpp:
3015         * runtime/VM.cpp:
3016         (JSC::VM::VM):
3017         * runtime/VM.h:
3018
3019 2019-03-20  Saam Barati  <sbarati@apple.com>
3020
3021         DFG::AbstractValue::validateOSREntry is wrong when isHeapTop and the incoming value is Empty
3022         https://bugs.webkit.org/show_bug.cgi?id=195721
3023
3024         Reviewed by Filip Pizlo.
3025
3026         There was a check in AbstractValue::validateOSREntry where it checked
3027         if isHeapTop(), and if so, just returned true. However, this is wrong
3028         if the value we're checking against is the empty value, since HeapTop
3029         does not include the Empty value. Instead, this check should be
3030         isBytecodeTop(), which does account for the empty value.
3031         
3032         This patch also does a couple of other things:
3033         - For our OSR entry AbstractValues, we were using HeapTop to mark
3034          a dead value. That is now changed to BytecodeTop. (The idea here
3035          is just to have validateOSREntry return early.)
3036         - It wasn't obvious to me how I could make this fail in JS code.
3037          The symptom we'd end up seeing is something like a nullptr dereference
3038          from forgetting to do a TDZ check. Instead, I've added a unit test.
3039          This unit test lives in a new test file: testdfg. testdfg is similar
3040          to testb3/testair/testapi.
3041
3042         * JavaScriptCore.xcodeproj/project.pbxproj:
3043         * bytecode/SpeculatedType.h:
3044         * dfg/DFGAbstractValue.h:
3045         (JSC::DFG::AbstractValue::isBytecodeTop const):
3046         (JSC::DFG::AbstractValue::validateOSREntryValue const):
3047         * dfg/testdfg.cpp: Added.
3048         (hiddenTruthBecauseNoReturnIsStupid):
3049         (usage):
3050         (JSC::DFG::testEmptyValueDoesNotValidateWithHeapTop):
3051         (JSC::DFG::run):
3052         (run):
3053         (main):
3054         * shell/CMakeLists.txt:
3055
3056 2019-03-20  Saam Barati  <sbarati@apple.com>
3057
3058         typeOfDoubleSum is wrong for when NaN can be produced
3059         https://bugs.webkit.org/show_bug.cgi?id=196030
3060
3061         Reviewed by Filip Pizlo.
3062
3063         We were using typeOfDoubleSum(SpeculatedType, SpeculatedType) for add/sub/mul.
3064         It assumed that the only way the resulting type could be NaN is if one of
3065         the inputs were NaN. However, this is wrong. NaN can be produced in at least
3066         these cases:
3067           Infinity - Infinity
3068           Infinity + (-Infinity)
3069           Infinity * 0
3070
3071         * bytecode/SpeculatedType.cpp:
3072         (JSC::typeOfDoubleSumOrDifferenceOrProduct):
3073         (JSC::typeOfDoubleSum):
3074         (JSC::typeOfDoubleDifference):
3075         (JSC::typeOfDoubleProduct):
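
The three NaN-producing cases listed above, turned into an added soundness check (example code, not JSC's SpeculatedType implementation). The `Spec` flags follow JSC's naming convention but are a toy lattice; `mayBeNaNNaive` and `mayBeNaNFixed` are stand-ins for the old and corrected transfer rule, and the operand sample set is constructed. The check enumerates operand pairs and reports every pair where a rule says "cannot be NaN" while IEEE-754 arithmetic returns NaN. A JIT that trusts such a claim omits the NaN handling the value actually needs, which is why an abstract-interpretation rule is checked against concrete semantics rather than argued about.

```cpp
// Added example, not WebKit code: a toy abstract domain for doubles and a
// soundness check that reproduces the flaw the entry above describes, i.e.
// "the result may be NaN only if an input may be NaN" is wrong for +, - and *.
#include <cmath>
#include <cstdio>
#include <limits>

// Toy speculated type: which classes of double a value may hold.
enum Spec : unsigned {
    SpecZero     = 1u << 0, // +0 or -0
    SpecFinite   = 1u << 1, // non-zero finite
    SpecInfinity = 1u << 2, // +Infinity or -Infinity
    SpecNaN      = 1u << 3, // NaN
};

enum class Op { Add, Sub, Mul };

// Abstraction of one concrete double.
unsigned abstractOf(double x)
{
    if (std::isnan(x)) return SpecNaN;
    if (std::isinf(x)) return SpecInfinity;
    if (x == 0.0) return SpecZero;
    return SpecFinite;
}

double apply(Op op, double x, double y)
{
    switch (op) {
    case Op::Add: return x + y;
    case Op::Sub: return x - y;
    case Op::Mul: return x * y;
    }
    return std::numeric_limits<double>::quiet_NaN();
}

// The flawed rule: NaN only propagates from a NaN input.
bool mayBeNaNNaive(Op, unsigned a, unsigned b)
{
    return ((a | b) & SpecNaN) != 0;
}

// The corrected rule: NaN is also created by Inf - Inf, Inf + (-Inf) and
// Inf * 0, so it must be admitted whenever the operands may take those shapes.
bool mayBeNaNFixed(Op op, unsigned a, unsigned b)
{
    if ((a | b) & SpecNaN)
        return true;
    bool aInf = a & SpecInfinity, bInf = b & SpecInfinity;
    bool aZero = a & SpecZero, bZero = b & SpecZero;
    switch (op) {
    case Op::Add:
    case Op::Sub: return aInf && bInf;
    case Op::Mul: return (aInf && bZero) || (aZero && bInf);
    }
    return true; // unknown op: stay conservative
}

// Counts operand pairs from a constructed sample set for which the rule claims
// "cannot be NaN" but IEEE-754 arithmetic produces NaN. Any non-zero count means
// a JIT relying on the rule would drop a NaN check it actually needs.
int countUnsoundPairs(Op op, bool (*mayBeNaN)(Op, unsigned, unsigned))
{
    const double inf = std::numeric_limits<double>::infinity();
    const double samples[] = { 0.0, -0.0, 1.0, -1.0, 1e308, -1e308, inf, -inf,
                               std::numeric_limits<double>::quiet_NaN() };
    int unsound = 0;
    for (double x : samples) {
        for (double y : samples) {
            if (std::isnan(apply(op, x, y)) && !mayBeNaN(op, abstractOf(x), abstractOf(y)))
                ++unsound;
        }
    }
    return unsound;
}

int main()
{
    const Op ops[] = { Op::Add, Op::Sub, Op::Mul };
    const char* names[] = { "add", "sub", "mul" };
    for (int i = 0; i < 3; ++i) {
        std::printf("%s: naive rule unsound on %d pairs, fixed rule on %d\n", names[i],
            countUnsoundPairs(ops[i], mayBeNaNNaive), countUnsoundPairs(ops[i], mayBeNaNFixed));
    }
    return 0;
}
```

With this sample set the naive rule is unsound on 2 pairs for add (Inf + -Inf both ways), 2 for sub (Inf - Inf, -Inf - -Inf) and 8 for mul (each signed infinity times each signed zero, in both operand orders); the fixed rule reports none. Overflow cases such as 1e308 + 1e308 only produce infinities, which is why the rule needs the infinity and zero flags but nothing finer.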
3076
3077 2019-03-20  Simon Fraser  <simon.fraser@apple.com>
3078
3079         Rename ENABLE_ACCELERATED_OVERFLOW_SCROLLING macro to ENABLE_OVERFLOW_SCROLLING_TOUCH
3080         https://bugs.webkit.org/show_bug.cgi?id=196049
3081
3082         Reviewed by Tim Horton.
3083
3084         This macro is about the -webkit-overflow-scrolling CSS property, not accelerated
3085         overflow scrolling in general, so rename it.
3086
3087         * Configurations/FeatureDefines.xcconfig:
3088
3089 2019-03-20  Saam Barati  <sbarati@apple.com>
3090
3091         GetCallee does not report the correct type in AI
3092         https://bugs.webkit.org/show_bug.cgi?id=195981
3093
3094         Reviewed by Yusuke Suzuki.
3095
3096         I found this as part of my work in:
3097         https://bugs.webkit.org/show_bug.cgi?id=195924
3098         
3099         I'm not sure how to write a test for it.
3100         
3101         GetCallee was always reporting that the result is SpecFunction. However,
3102         for eval, it may result in just a JSCallee object, which is not a JSFunction.
3103
3104         * dfg/DFGAbstractInterpreterInlines.h:
3105         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3106
3107 2019-03-20  Mark Lam  <mark.lam@apple.com>
3108
3109         Open source arm64e code.
3110         https://bugs.webkit.org/show_bug.cgi?id=196012
3111         <rdar://problem/49066237>
3112
3113         Reviewed by Keith Miller.
3114
3115         * JavaScriptCore.xcodeproj/project.pbxproj:
3116         * Sources.txt:
3117         * assembler/ARM64EAssembler.h: Added.
3118         (JSC::ARM64EAssembler::encodeGroup1):
3119         (JSC::ARM64EAssembler::encodeGroup2):
3120         (JSC::ARM64EAssembler::encodeGroup4):
3121         (JSC::ARM64EAssembler::pacia1716):
3122         (JSC::ARM64EAssembler::pacib1716):
3123         (JSC::ARM64EAssembler::autia1716):
3124         (JSC::ARM64EAssembler::autib1716):
3125         (JSC::ARM64EAssembler::paciaz):
3126         (JSC::ARM64EAssembler::paciasp):
3127         (JSC::ARM64EAssembler::pacibz):
3128         (JSC::ARM64EAssembler::pacibsp):
3129         (JSC::ARM64EAssembler::autiaz):
3130         (JSC::ARM64EAssembler::autiasp):
3131         (JSC::ARM64EAssembler::autibz):
3132         (JSC::ARM64EAssembler::autibsp):
3133         (JSC::ARM64EAssembler::xpaclri):
3134         (JSC::ARM64EAssembler::pacia):
3135         (JSC::ARM64EAssembler::pacib):
3136         (JSC::ARM64EAssembler::pacda):
3137         (JSC::ARM64EAssembler::pacdb):
3138         (JSC::ARM64EAssembler::autia):
3139         (JSC::ARM64EAssembler::autib):
3140         (JSC::ARM64EAssembler::autda):
3141         (JSC::ARM64EAssembler::autdb):
3142         (JSC::ARM64EAssembler::paciza):
3143         (JSC::ARM64EAssembler::pacizb):
3144         (JSC::ARM64EAssembler::pacdza):
3145         (JSC::ARM64EAssembler::pacdzb):
3146         (JSC::ARM64EAssembler::autiza):
3147         (JSC::ARM64EAssembler::autizb):
3148         (JSC::ARM64EAssembler::autdza):
3149         (JSC::ARM64EAssembler::autdzb):
3150         (JSC::ARM64EAssembler::xpaci):
3151         (JSC::ARM64EAssembler::xpacd):
3152         (JSC::ARM64EAssembler::pacga):
3153         (JSC::ARM64EAssembler::braa):
3154         (JSC::ARM64EAssembler::brab):
3155         (JSC::ARM64EAssembler::blraa):
3156         (JSC::ARM64EAssembler::blrab):
3157         (JSC::ARM64EAssembler::braaz):
3158         (JSC::ARM64EAssembler::brabz):
3159         (JSC::ARM64EAssembler::blraaz):
3160         (JSC::ARM64EAssembler::blrabz):
3161         (JSC::ARM64EAssembler::retaa):
3162         (JSC::ARM64EAssembler::retab):
3163         (JSC::ARM64EAssembler::eretaa):
3164         (JSC::ARM64EAssembler::eretab):
3165         (JSC::ARM64EAssembler::linkPointer):
3166         (JSC::ARM64EAssembler::repatchPointer):
3167         (JSC::ARM64EAssembler::setPointer):
3168         (JSC::ARM64EAssembler::readPointer):
3169         (JSC::ARM64EAssembler::readCallTarget):
3170         (JSC::ARM64EAssembler::ret):
3171         * assembler/MacroAssembler.cpp:
3172         * assembler/MacroAssembler.h:
3173         * assembler/MacroAssemblerARM64.cpp:
3174         * assembler/MacroAssemblerARM64E.h: Added.
3175         (JSC::MacroAssemblerARM64E::tagReturnAddress):
3176         (JSC::MacroAssemblerARM64E::untagReturnAddress):
3177         (JSC::MacroAssemblerARM64E::tagPtr):
3178         (JSC::MacroAssemblerARM64E::untagPtr):
3179         (JSC::MacroAssemblerARM64E::removePtrTag):
3180         (JSC::MacroAssemblerARM64E::callTrustedPtr):
3181         (JSC::MacroAssemblerARM64E::call):
3182         (JSC::MacroAssemblerARM64E::callRegister):
3183         (JSC::MacroAssemblerARM64E::jump):
3184         * dfg/DFGOSRExit.cpp:
3185         (JSC::DFG::reifyInlinedCallFrames):
3186         * dfg/DFGOSRExitCompilerCommon.cpp:
3187         (JSC::DFG::reifyInlinedCallFrames):
3188         * ftl/FTLThunks.cpp:
3189         (JSC::FTL::genericGenerationThunkGenerator):
3190         * jit/CCallHelpers.h:
3191         (JSC::CCallHelpers::prepareForTailCallSlow):
3192         * jit/CallFrameShuffler.cpp:
3193         (JSC::CallFrameShuffler::prepareForTailCall):
3194         * jit/ExecutableAllocator.cpp:
3195         (JSC::ExecutableAllocator::allocate):
3196         * jit/ThunkGenerators.cpp:
3197         (JSC::arityFixupGenerator):
3198         * llint/LLIntOfflineAsmConfig.h:
3199         * llint/LowLevelInterpreter.asm:
3200         * llint/LowLevelInterpreter64.asm:
3201         * runtime/ClassInfo.h:
3202         * runtime/InitializeThreading.cpp:
3203         (JSC::initializeThreading):
3204         * runtime/JSCPtrTag.cpp: Added.
3205         (JSC::tagForPtr):
3206         (JSC::ptrTagName):
3207         (JSC::initializePtrTagLookup):
3208         * runtime/JSCPtrTag.h:
3209         (JSC::initializePtrTagLookup):
3210         * runtime/Options.cpp:
3211         (JSC::recomputeDependentOptions):
3212
3213 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
3214
3215         JSC::createError needs to check for OOM in errorDescriptionForValue
3216         https://bugs.webkit.org/show_bug.cgi?id=196032
3217         <rdar://problem/46842740>
3218
3219         Reviewed by Mark Lam.
3220
3221         We were missing exceptions checks at two levels:
3222         - In errorDescriptionForValue, when the value is a string, we should
3223           check that JSString::value returns a valid string, since we might run
3224           out of memory if it is a rope and we need to resolve it.
3225         - In createError, we should check for the result of errorDescriptionForValue
3226           before concatenating it with the message provided by the caller.
3227
3228         * runtime/ExceptionHelpers.cpp:
3229         (JSC::errorDescriptionForValue):
3230         (JSC::createError):
3231         * runtime/ExceptionHelpers.h:
3232
3233 2019-03-20  Devin Rousso  <drousso@apple.com>
3234
3235         Web Inspector: DOM: include window as part of any event listener chain
3236         https://bugs.webkit.org/show_bug.cgi?id=195730
3237         <rdar://problem/48916872>
3238
3239         Reviewed by Timothy Hatcher.
3240
3241         * inspector/protocol/DOM.json:
3242         Modify `DOM.getEventListenersForNode` to not save the handler object, as that was never
3243         used by the frontend. Add an `onWindow` optional property to `DOM.EventListener` that is set
3244         when the event listener was retrieved from the `window` object.
3245
3246 2019-03-20  Devin Rousso  <drousso@apple.com>
3247
3248         Web Inspector: Runtime: lazily create the agent
3249         https://bugs.webkit.org/show_bug.cgi?id=195972
3250         <rdar://problem/49039655>
3251
3252         Reviewed by Timothy Hatcher.
3253
3254         * inspector/JSGlobalObjectInspectorController.cpp:
3255         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3256         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3257
3258         * inspector/agents/InspectorRuntimeAgent.h:
3259         (Inspector::InspectorRuntimeAgent::enabled): Deleted.
3260         * inspector/agents/InspectorRuntimeAgent.cpp:
3261         (Inspector::InspectorRuntimeAgent::didCreateFrontendAndBackend): Added.
3262         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
3263
3264         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3265         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3266         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend): Deleted.
3267
3268 2019-03-20  Michael Saboff  <msaboff@apple.com>
3269
3270         JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default
3271         https://bugs.webkit.org/show_bug.cgi?id=195906
3272
3273         Reviewed by Mark Lam.
3274
3275         The problem here is that we may successfully parse a RegExp without running out of stack,
3276         but later run out of stack when trying to JIT compile the same expression.
3277
3278         Added a check for available stack space when we call into one of the parenthesis compilation
3279         functions that recurse.  When we don't have enough stack space to recurse, we fail the JIT
3280         compilation and let the interpreter handle the expression.
3281
3282         From code inspection of the YARR interpreter it has the same issue, but I couldn't cause a failure.
3283         Filed a new bug and added a FIXME comment for the Interpreter to have similar checks.
3284         Given that we can reproduce a failure, this is sufficient for now.
3285
3286         This change is covered by the previously added failing test,
3287         JSTests/stress/dont-strength-reduce-regexp-with-compile-error.js.
3288
3289         * yarr/YarrInterpreter.cpp:
3290         (JSC::Yarr::Interpreter::interpret):
3291         * yarr/YarrJIT.cpp:
3292         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
3293         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
3294         (JSC::Yarr::YarrGenerator::opCompileBody):
3295         (JSC::Yarr::dumpCompileFailure):
3296         * yarr/YarrJIT.h:
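
An added example, not JSC's code, of the kind of check this entry describes: a toy pattern compiler whose parenthesis recursion consults a stack budget before each nested level and fails the JIT (so the interpreter would handle the expression) instead of overflowing. StackCheck, ToyYarrJIT and JitResult are constructed names, and the fixed byte budget stands in for the VM's real stack limit.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Tracks how much stack has been consumed since construction. JSC asks the VM
// for the real thread stack limit; a fixed byte budget keeps this portable.
class StackCheck {
public:
    explicit StackCheck(size_t budgetBytes) : m_base(position()), m_budget(budgetBytes) {}
    // Safe only while the budget still covers one more level of recursion.
    bool isSafeToRecurse() const {
        uintptr_t now = position();
        size_t used = now <= m_base ? m_base - now : now - m_base; // growth direction is platform-specific
        return used + reserveBytes <= m_budget;
    }
    static constexpr size_t reserveBytes = 4096; // headroom for the deepest frame and its callees
private:
    static uintptr_t position() { volatile char marker = 0; return reinterpret_cast<uintptr_t>(&marker); }
    uintptr_t m_base;
    size_t m_budget;
};

enum class JitResult { Compiled, FallBackToInterpreter, SyntaxError };

// Toy pattern compiler: '(' opens a subpattern compiled by a recursive call, the
// way opCompileParenthesesSubpattern does; ')' closes it; anything else is an atom.
class ToyYarrJIT {
public:
    explicit ToyYarrJIT(size_t stackBudgetBytes) : m_stackCheck(stackBudgetBytes) {}

    JitResult compile(const std::string& pattern) {
        m_maxDepth = 0;
        m_stackExhausted = false;
        size_t pos = 0;
        if (!compileBody(pattern, pos, 0))
            return m_stackExhausted ? JitResult::FallBackToInterpreter : JitResult::SyntaxError;
        return pos == pattern.size() ? JitResult::Compiled : JitResult::SyntaxError; // stray ')'
    }
    size_t maxDepth() const { return m_maxDepth; }

private:
    bool compileBody(const std::string& pattern, size_t& pos, size_t depth) {
        if (depth > m_maxDepth) m_maxDepth = depth;
        while (pos < pattern.size()) {
            char c = pattern[pos];
            if (c == ')') return true; // left for the enclosing subpattern to consume
            ++pos;
            if (c == '(' && !compileParenthesesSubpattern(pattern, pos, depth + 1)) return false;
        }
        return true;
    }
    bool compileParenthesesSubpattern(const std::string& pattern, size_t& pos, size_t depth) {
        // The check this entry adds: before recursing, make sure the stack can take
        // another frame; if not, fail the JIT so the interpreter runs the expression.
        if (!m_stackCheck.isSafeToRecurse()) { m_stackExhausted = true; return false; }
        if (!compileBody(pattern, pos, depth)) return false;
        if (pos >= pattern.size() || pattern[pos] != ')') return false; // unbalanced '('
        ++pos;
        return true;
    }

    StackCheck m_stackCheck;
    size_t m_maxDepth = 0;
    bool m_stackExhausted = false;
};
```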
3297
3298 2019-03-20  Robin Morisset  <rmorisset@apple.com>
3299
3300         DFGNodeAllocator.h is dead code
3301         https://bugs.webkit.org/show_bug.cgi?id=196019
3302
3303         Reviewed by Yusuke Suzuki.
3304
3305         As explained by Yusuke on IRC, the comment on DFG::Node saying that it cannot have a destructor is obsolete since https://trac.webkit.org/changeset/216815/webkit.
3306         This patch removes both the comment and DFGNodeAllocator.h that that patch forgot to remove.
3307
3308         * dfg/DFGNode.h:
3309         (JSC::DFG::Node::dumpChildren):
3310         * dfg/DFGNodeAllocator.h: Removed.
3311
3312 2019-03-20  Robin Morisset  <rmorisset@apple.com>
3313
3314         Compress CodeOrigin into a single word in the common case
3315         https://bugs.webkit.org/show_bug.cgi?id=195928
3316
3317         Reviewed by Saam Barati.
3318
3319         The trick is that pointers only take 48 bits on x86_64 in practice (and we can even use the bottom three bits of that thanks to alignment), and even less on ARM64.
3320         So we can shove the bytecode index in the top bits almost all the time.
3321         If the bytecodeIndex is too ginormous (1<<16 in practice on x86_64), we just set one bit at the bottom and store a pointer to some out-of-line storage instead.
3322         Finally we represent an invalid bytecodeIndex (which used to be represented by UINT_MAX) by setting the second least significant bit.
3323
3324         The patch looks very long, but most of it is just replacing direct accesses to inlineCallFrame and bytecodeIndex by the relevant getters.
3325
3326         End result: CodeOrigin in the common case moves from 16 bytes (8 for InlineCallFrame*, 4 for unsigned bytecodeIndex, 4 of padding) to 8.
3327         As a reference, while running JetStream2 we allocate more than 35M CodeOrigins. While they won't all be alive at the same time, it is still quite a lot of objects, so I am hoping for some small
3328         improvement to RAMification from this work.
3329
3330         The one slightly tricky part is that we must implement copy and move assignment operators and constructors to make sure that any out-of-line storage belongs to a single CodeOrigin and is destroyed exactly once.
3331
3332         * bytecode/ByValInfo.h:
3333         * bytecode/CallLinkStatus.cpp:
3334         (JSC::CallLinkStatus::computeFor):
3335         * bytecode/CodeBlock.cpp:
3336         (JSC::CodeBlock::globalObjectFor):
3337         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
3338         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
3339         * bytecode/CodeOrigin.cpp:
3340         (JSC::CodeOrigin::inlineDepth const):
3341         (JSC::CodeOrigin::isApproximatelyEqualTo const):
3342         (JSC::CodeOrigin::approximateHash const):
3343         (JSC::CodeOrigin::inlineStack const):
3344         (JSC::CodeOrigin::codeOriginOwner const):
3345         (JSC::CodeOrigin::stackOffset const):
3346         (JSC::CodeOrigin::dump const):
3347         (JSC::CodeOrigin::inlineDepthForCallFrame): Deleted.
3348         * bytecode/CodeOrigin.h:
3349         (JSC::OutOfLineCodeOrigin::OutOfLineCodeOrigin):
3350         (JSC::CodeOrigin::CodeOrigin):
3351         (JSC::CodeOrigin::~CodeOrigin):
3352         (JSC::CodeOrigin::isSet const):
3353         (JSC::CodeOrigin::isHashTableDeletedValue const):
3354         (JSC::CodeOrigin::bytecodeIndex const):
3355         (JSC::CodeOrigin::inlineCallFrame const):
3356         (JSC::CodeOrigin::buildCompositeValue):
3357         (JSC::CodeOrigin::hash const):
3358         (JSC::CodeOrigin::operator== const):
3359         (JSC::CodeOrigin::exitingInlineKind const): Deleted.
3360         * bytecode/DeferredSourceDump.h:
3361         * bytecode/GetByIdStatus.cpp:
3362         (JSC::GetByIdStatus::computeForStubInfo):
3363         (JSC::GetByIdStatus::computeFor):
3364         * bytecode/ICStatusMap.cpp:
3365         (JSC::ICStatusContext::isInlined const):
3366         * bytecode/InByIdStatus.cpp:
3367         (JSC::InByIdStatus::computeFor):
3368         (JSC::InByIdStatus::computeForStubInfo):
3369         * bytecode/InlineCallFrame.cpp:
3370         (JSC::InlineCallFrame::dumpInContext const):
3371         * bytecode/InlineCallFrame.h:
3372         (JSC::InlineCallFrame::computeCallerSkippingTailCalls):
3373         (JSC::InlineCallFrame::getCallerInlineFrameSkippingTailCalls):
3374         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
3375         (JSC::CodeOrigin::walkUpInlineStack):
3376         * bytecode/InstanceOfStatus.h:
3377         * bytecode/PutByIdStatus.cpp:
3378         (JSC::PutByIdStatus::computeForStubInfo):
3379         (JSC::PutByIdStatus::computeFor):
3380         * dfg/DFGAbstractInterpreterInlines.h:
3381         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3382         * dfg/DFGArgumentsEliminationPhase.cpp:
3383         * dfg/DFGArgumentsUtilities.cpp:
3384         (JSC::DFG::argumentsInvolveStackSlot):
3385         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3386         * dfg/DFGArrayMode.h:
3387         * dfg/DFGByteCodeParser.cpp:
3388         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3389         (JSC::DFG::ByteCodeParser::setLocal):
3390         (JSC::DFG::ByteCodeParser::setArgument):
3391         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
3392         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3393         (JSC::DFG::ByteCodeParser::parseBlock):
3394         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3395         (JSC::DFG::ByteCodeParser::handlePutByVal):
3396         * dfg/DFGClobberize.h:
3397         (JSC::DFG::clobberize):
3398         * dfg/DFGConstantFoldingPhase.cpp:
3399         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3400         * dfg/DFGFixupPhase.cpp:
3401         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3402         * dfg/DFGForAllKills.h:
3403         (JSC::DFG::forAllKilledOperands):
3404         * dfg/DFGGraph.cpp:
3405         (JSC::DFG::Graph::dumpCodeOrigin):
3406         (JSC::DFG::Graph::dump):
3407         (JSC::DFG::Graph::isLiveInBytecode):
3408         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3409         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
3410         * dfg/DFGGraph.h:
3411         (JSC::DFG::Graph::executableFor):
3412         (JSC::DFG::Graph::isStrictModeFor):
3413         (JSC::DFG::Graph::hasExitSite):
3414         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
3415         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
3416         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
3417         * dfg/DFGMinifiedNode.cpp:
3418         (JSC::DFG::MinifiedNode::fromNode):
3419         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3420         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3421         * dfg/DFGOSRExit.cpp:
3422         (JSC::DFG::OSRExit::executeOSRExit):
3423         (JSC::DFG::reifyInlinedCallFrames):
3424         (JSC::DFG::adjustAndJumpToTarget):
3425         (JSC::DFG::printOSRExit):
3426         (JSC::DFG::OSRExit::compileExit):
3427         * dfg/DFGOSRExitBase.cpp:
3428         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
3429         * dfg/DFGOSRExitCompilerCommon.cpp:
3430         (JSC::DFG::handleExitCounts):
3431         (JSC::DFG::reifyInlinedCallFrames):
3432         (JSC::DFG::adjustAndJumpToTarget):
3433         * dfg/DFGOSRExitPreparation.cpp:
3434         (JSC::DFG::prepareCodeOriginForOSRExit):
3435         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3436         * dfg/DFGOperations.cpp:
3437         * dfg/DFGPreciseLocalClobberize.h:
3438         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3439         * dfg/DFGSpeculativeJIT.cpp:
3440         (JSC::DFG::SpeculativeJIT::emitGetLength):
3441         (JSC::DFG::SpeculativeJIT::emitGetCallee):
3442         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3443         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3444         (JSC::DFG::SpeculativeJIT::compileValueSub):
3445         (JSC::DFG::SpeculativeJIT::compileValueNegate):
3446         (JSC::DFG::SpeculativeJIT::compileValueMul):
3447         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
3448         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3449         * dfg/DFGSpeculativeJIT32_64.cpp:
3450         (JSC::DFG::SpeculativeJIT::emitCall):
3451         * dfg/DFGSpeculativeJIT64.cpp:
3452         (JSC::DFG::SpeculativeJIT::emitCall):
3453         (JSC::DFG::SpeculativeJIT::compile):
3454         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3455         (JSC::DFG::TierUpCheckInjectionPhase::run):
3456         (JSC::DFG::TierUpCheckInjectionPhase::canOSREnterAtLoopHint):
3457         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
3458         * dfg/DFGTypeCheckHoistingPhase.cpp:
3459         (JSC::DFG::TypeCheckHoistingPhase::run):
3460         * dfg/DFGVariableEventStream.cpp:
3461         (JSC::DFG::VariableEventStream::reconstruct const):
3462         * ftl/FTLLowerDFGToB3.cpp:
3463         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3464         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
3465         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
3466         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
3467         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
3468         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3469         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3470         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3471         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3472         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3473         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
3474         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
3475         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
3476         (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
3477         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
3478         (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const):
3479         * ftl/FTLOSRExitCompiler.cpp:
3480         (JSC::FTL::compileStub):
3481         * ftl/FTLOperations.cpp:
3482         (JSC::FTL::operationMaterializeObjectInOSR):
3483         * interpreter/CallFrame.cpp:
3484         (JSC::CallFrame::bytecodeOffset):
3485         * interpreter/StackVisitor.cpp:
3486         (JSC::StackVisitor::unwindToMachineCodeBlockFrame):
3487         (JSC::StackVisitor::readFrame):
3488         (JSC::StackVisitor::readNonInlinedFrame):
3489         (JSC::inlinedFrameOffset):
3490         (JSC::StackVisitor::readInlinedFrame):
3491         * interpreter/StackVisitor.h:
3492         * jit/AssemblyHelpers.cpp:
3493         (JSC::AssemblyHelpers::executableFor):
3494         * jit/AssemblyHelpers.h:
3495         (JSC::AssemblyHelpers::isStrictModeFor):
3496         (JSC::AssemblyHelpers::argumentsStart):
3497         (JSC::AssemblyHelpers::argumentCount):
3498         * jit/PCToCodeOriginMap.cpp:
3499         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
3500         (JSC::PCToCodeOriginMap::findPC const):
3501         * profiler/ProfilerOriginStack.cpp:
3502         (JSC::Profiler::OriginStack::OriginStack):
3503         * profiler/ProfilerOriginStack.h:
3504         * runtime/ErrorInstance.cpp:
3505         (JSC::appendSourceToError):
3506         * runtime/SamplingProfiler.cpp:
3507         (JSC::SamplingProfiler::processUnverifiedStackTraces):
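
As an added example (not JSC's code), here is the packing scheme this entry describes, reduced to a stand-alone C++ class: a 48-bit InlineCallFrame pointer, the bytecode index in the top 16 bits, bit 0 marking out-of-line storage and bit 1 marking an invalid index, with copy and move operators that keep each out-of-line allocation owned by exactly one object. InlineCallFrame is a stand-in struct, liveOutOfLineCount and ownershipIsBalanced are added instrumentation, and where JSC asserts the 48-bit/alignment assumption this example simply falls back to out-of-line storage.

```cpp
#include <climits>
#include <cstdint>
#include <utility>
static_assert(sizeof(uintptr_t) == 8, "the packing below assumes 64-bit pointers");
// Stand-in for JSC's InlineCallFrame: only its address matters here, and 8-byte
// alignment is what leaves the bottom three bits of the pointer free for tags.
struct alignas(8) InlineCallFrame { int id; };
// Fallback storage for a bytecode index that does not fit in the top 16 bits.
struct OutOfLineCodeOrigin { InlineCallFrame* inlineCallFrame; unsigned bytecodeIndex; };
// Live OutOfLineCodeOrigin objects, so a caller can check that copies and
// moves neither leak nor double-free the out-of-line storage.
inline int& liveOutOfLineCount() { static int n = 0; return n; }

class CodeOrigin {
public:
    static constexpr uintptr_t outOfLineBit = 1;  // bit 0: word holds an OutOfLineCodeOrigin*
    static constexpr uintptr_t invalidBit = 2;    // bit 1: no bytecode index (formerly UINT_MAX)
    static constexpr unsigned pointerBits = 48;   // user-space pointers use at most 48 bits on x86_64
    static constexpr uintptr_t pointerMask = (uintptr_t(1) << pointerBits) - 1;
    static constexpr unsigned maxInlineIndex = (1u << (64 - pointerBits)) - 1; // 0xFFFF
    CodeOrigin() : m_composite(invalidBit) {}
    CodeOrigin(unsigned bytecodeIndex, InlineCallFrame* frame = nullptr)
        : m_composite(buildCompositeValue(frame, bytecodeIndex)) {}
    ~CodeOrigin() { releaseOutOfLine(); }

    // Copying gives the new object its own out-of-line storage, so each
    // OutOfLineCodeOrigin belongs to exactly one CodeOrigin and is freed once.
    CodeOrigin(const CodeOrigin& other)
        : m_composite(other.isOutOfLine()
            ? buildCompositeValue(other.inlineCallFrame(), other.bytecodeIndex())
            : other.m_composite) {}
    CodeOrigin& operator=(const CodeOrigin& other) {
        if (this != &other) { CodeOrigin copy(other); std::swap(m_composite, copy.m_composite); }
        return *this; // whatever this held before is released by copy's destructor
    }
    // Moving transfers ownership and leaves the source as an invalid origin.
    CodeOrigin(CodeOrigin&& other) noexcept
        : m_composite(std::exchange(other.m_composite, invalidBit)) {}
    CodeOrigin& operator=(CodeOrigin&& other) noexcept {
        if (this != &other) {
            releaseOutOfLine();
            m_composite = std::exchange(other.m_composite, invalidBit);
        }
        return *this;
    }

    bool isSet() const { return !(m_composite & invalidBit); }
    bool isOutOfLine() const { return m_composite & outOfLineBit; }
    unsigned bytecodeIndex() const {
        if (!isSet()) return UINT_MAX;
        if (isOutOfLine()) return outOfLine()->bytecodeIndex;
        return static_cast<unsigned>(m_composite >> pointerBits);
    }
    InlineCallFrame* inlineCallFrame() const {
        if (!isSet()) return nullptr;
        if (isOutOfLine()) return outOfLine()->inlineCallFrame;
        return reinterpret_cast<InlineCallFrame*>(m_composite & pointerMask);
    }
    bool operator==(const CodeOrigin& other) const {
        return bytecodeIndex() == other.bytecodeIndex() && inlineCallFrame() == other.inlineCallFrame();
    }
    uintptr_t rawBits() const { return m_composite; }

private:
    static uintptr_t buildCompositeValue(InlineCallFrame* frame, unsigned bytecodeIndex) {
        uintptr_t pointer = reinterpret_cast<uintptr_t>(frame);
        // JSC asserts the pointer fits in 48 bits with its low bits clear; here such a
        // pointer simply takes the out-of-line path too, so the example runs anywhere.
        bool pointerFits = !(pointer & ~pointerMask) && !(pointer & (outOfLineBit | invalidBit));
        if (!pointerFits || bytecodeIndex > maxInlineIndex) {
            ++liveOutOfLineCount();
            return reinterpret_cast<uintptr_t>(new OutOfLineCodeOrigin { frame, bytecodeIndex }) | outOfLineBit;
        }
        return pointer | (uintptr_t(bytecodeIndex) << pointerBits);
    }
    OutOfLineCodeOrigin* outOfLine() const {
        return reinterpret_cast<OutOfLineCodeOrigin*>(m_composite & ~outOfLineBit);
    }
    void releaseOutOfLine() {
        if (isOutOfLine()) { delete outOfLine(); --liveOutOfLineCount(); }
    }
    uintptr_t m_composite; // the whole CodeOrigin in one machine word
};

// Exercises copy and move across the inline/out-of-line boundary and reports
// whether every out-of-line allocation was released exactly once.
inline bool ownershipIsBalanced(InlineCallFrame* frame) {
    int before = liveOutOfLineCount();
    {
        CodeOrigin big(70000, frame);       // index > 0xFFFF: stored out of line
        CodeOrigin copy(big);               // second allocation, independently owned
        CodeOrigin moved(std::move(copy));  // takes copy's allocation; copy becomes invalid
        if (liveOutOfLineCount() != before + 2 || copy.isSet() || !(moved == big)) return false;
        moved = CodeOrigin(7, frame);       // move-assign releases the allocation moved held
        if (liveOutOfLineCount() != before + 1) return false;
    }
    return liveOutOfLineCount() == before;
}
```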
3508
3509 2019-03-20  Devin Rousso  <drousso@apple.com>
3510
3511         Web Inspector: Search: allow DOM searches to be case sensitive
3512         https://bugs.webkit.org/show_bug.cgi?id=194673
3513         <rdar://problem/48087577>
3514
3515         Reviewed by Timothy Hatcher.
3516
3517         Since `DOM.performSearch` also searches by selector and XPath, some results may appear
3518         unexpected. As an example, searching for "BoDy" will still return the <body> as a result,
3519         as although the literal node name ("BODY") didn't match, it did match via selector/XPath.
3520
3521         * inspector/protocol/DOM.json:
3522         Allow `DOM.performSearch` to be case sensitive.
3523
3524 2019-03-20  Saam Barati  <sbarati@apple.com>
3525
3526         AI rule for ValueBitNot/ValueBitXor/ValueBitAnd/ValueBitOr is wrong
3527         https://bugs.webkit.org/show_bug.cgi?id=195980
3528
3529         Reviewed by Yusuke Suzuki.
3530
3531         They were all saying they could be type: (SpecBoolInt32, SpecBigInt).
3532         However, they should have been type: (SpecInt32Only, SpecBigInt).
3533
3534         * dfg/DFGAbstractInterpreterInlines.h:
3535         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3536
3537 2019-03-20  Michael Catanzaro  <mcatanzaro@igalia.com>
3538
3539         Remove copyRef() calls added in r243163
3540         https://bugs.webkit.org/show_bug.cgi?id=195962
3541
3542         Reviewed by Chris Dumez.
3543
3544         As best I can tell, this may be a GCC 9 bug. It shouldn't warn about this case because the return
3545         value is noncopyable and the WTFMove() is absolutely required. We can avoid the warning
3546         without refcount churn by introducing an intermediate variable.
3547
3548         * inspector/scripts/codegen/cpp_generator_templates.py:
3549
3550 2019-03-20  Carlos Garcia Campos  <cgarcia@igalia.com>
3551
3552         [GLIB] Optimize jsc_value_object_define_property_data|accessor
3553         https://bugs.webkit.org/show_bug.cgi?id=195679
3554
3555         Reviewed by Saam Barati.
3556
3557         Use direct C++ call instead of using the JSC GLib API to create the descriptor object and invoke Object.defineProperty().
3558
3559         * API/glib/JSCValue.cpp:
3560         (jsc_value_object_define_property_data):
3561         (jsc_value_object_define_property_accessor):
3562
3563 2019-03-19  Devin Rousso  <drousso@apple.com>
3564
3565         Web Inspector: Debugger: lazily create the agent
3566         https://bugs.webkit.org/show_bug.cgi?id=195973
3567         <rdar://problem/49039674>
3568
3569         Reviewed by Joseph Pecoraro.
3570
3571         * inspector/JSGlobalObjectInspectorController.cpp:
3572         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3573         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
3574         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3575
3576         * inspector/JSGlobalObjectConsoleClient.h:
3577         (Inspector::JSGlobalObjectConsoleClient::setInspectorDebuggerAgent): Added.
3578         * inspector/JSGlobalObjectConsoleClient.cpp:
3579         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
3580         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
3581         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
3582
3583         * inspector/agents/InspectorDebuggerAgent.h:
3584         (Inspector::InspectorDebuggerAgent::addListener): Added.
3585         (Inspector::InspectorDebuggerAgent::removeListener): Added.
3586         (Inspector::InspectorDebuggerAgent::setListener): Deleted.
3587         * inspector/agents/InspectorDebuggerAgent.cpp:
3588         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
3589         (Inspector::InspectorDebuggerAgent::enable):
3590         (Inspector::InspectorDebuggerAgent::disable):
3591         (Inspector::InspectorDebuggerAgent::getScriptSource):
3592         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3593         (Inspector::InspectorDebuggerAgent::didPause):
3594         (Inspector::InspectorDebuggerAgent::breakProgram):
3595         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
3596         Drive-by: reorder some member variables for better sizing.
3597         Drive-by: rename some member variables for clarity.
3598
3599 2019-03-19  Saam Barati  <sbarati@apple.com>
3600
3601         Prune code after ForceOSRExit
3602         https://bugs.webkit.org/show_bug.cgi?id=195913
3603
3604         Reviewed by Keith Miller.
3605
3606         I removed our original implementation of this in r242989 because
3607         it was not sound. It broke backwards propagation because it removed
3608         uses of a node that backwards propagation relied on to be sound.
3609         Essentially, backwards propagation relies on being able to see uses
3610         that would exist in bytecode to be sound.
3611         
3612         The rollout in r242989 was a 1% Speedometer2 regression. This patch
3613         rolls back in the optimization in a sound way.
3614         
3615         This patch augments the code we had prior to r242989 to be sound. In
3616         addition to preserving liveness, we now also convert all uses after
3617         the ForceOSRExit to be Phantom. This may pessimize the optimizations
3618         we do in backwards propagation, but it will prevent that phase from
3619         making unsound optimizations.
3620
3621         * dfg/DFGByteCodeParser.cpp:
3622         (JSC::DFG::ByteCodeParser::addToGraph):
3623         (JSC::DFG::ByteCodeParser::parse):
3624
3625 2019-03-19  Michael Catanzaro  <mcatanzaro@igalia.com>
3626
3627         Build cleanly with GCC 9
3628         https://bugs.webkit.org/show_bug.cgi?id=195920
3629
3630         Reviewed by Chris Dumez.
3631
3632         WebKit triggers three new GCC 9 warnings:
3633
3634         """
3635         -Wdeprecated-copy, implied by -Wextra, warns about the C++11 deprecation of implicitly
3636         declared copy constructor and assignment operator if one of them is user-provided.
3637         """
3638
3639         Solution is to either add a copy constructor or copy assignment operator, if required, or
3640         else remove one if it is redundant.
3641
3642         """
3643         -Wredundant-move, implied by -Wextra, warns about redundant calls to std::move.
3644         -Wpessimizing-move, implied by -Wall, warns when a call to std::move prevents copy elision.
3645         """
3646
3647         These account for most of this patch. Solution is to just remove the bad WTFMove().
3648
3649         Additionally, -Wclass-memaccess has been enhanced to catch a few cases that GCC 8 didn't.
3650         These are solved by casting nontrivial types to void* before using memcpy. (Of course, it
3651         would be safer to not use memcpy on nontrivial types, but that's too complex for this
3652         patch. Searching for memcpy used with static_cast<void*> will reveal other cases to fix.)
3653
3654         * b3/B3ValueRep.h:
3655         * bindings/ScriptValue.cpp:
3656         (Inspector::jsToInspectorValue):
3657         * bytecode/GetterSetterAccessCase.cpp:
3658         (JSC::GetterSetterAccessCase::create):
3659         (JSC::GetterSetterAccessCase::clone const):
3660         * bytecode/InstanceOfAccessCase.cpp:
3661         (JSC::InstanceOfAccessCase::clone const):
3662         * bytecode/IntrinsicGetterAccessCase.cpp:
3663         (JSC::IntrinsicGetterAccessCase::clone const):
3664         * bytecode/ModuleNamespaceAccessCase.cpp:
3665         (JSC::ModuleNamespaceAccessCase::clone const):
3666         * bytecode/ProxyableAccessCase.cpp:
3667         (JSC::ProxyableAccessCase::clone const):
3668         * bytecode/StructureSet.h:
3669         * debugger/Breakpoint.h:
3670         * dfg/DFGRegisteredStructureSet.h:
3671         * inspector/agents/InspectorDebuggerAgent.cpp:
3672         (Inspector::buildDebuggerLocation):
3673         * inspector/scripts/codegen/cpp_generator_templates.py:
3674         * parser/UnlinkedSourceCode.h:
3675         * wasm/WasmAirIRGenerator.cpp:
3676         (JSC::Wasm::parseAndCompileAir):
3677         * wasm/WasmB3IRGenerator.cpp:
3678         (JSC::Wasm::parseAndCompile):
3679         * wasm/WasmNameSectionParser.cpp:
3680         (JSC::Wasm::NameSectionParser::parse):
3681         * wasm/WasmStreamingParser.cpp:
3682         (JSC::Wasm::StreamingParser::consume):
3683
3684 2019-03-19  Saam Barati  <sbarati@apple.com>
3685
3686         Style fix: remove C style cast in Instruction.h
3687         https://bugs.webkit.org/show_bug.cgi?id=195917
3688
3689         Reviewed by Filip Pizlo.
3690
3691         * bytecode/Instruction.h:
3692         (JSC::Instruction::wide const):
3693
3694 2019-03-19  Devin Rousso  <drousso@apple.com>
3695
3696         Web Inspector: Provide $event in the console when paused on an event listener
3697         https://bugs.webkit.org/show_bug.cgi?id=188672
3698
3699         Reviewed by Timothy Hatcher.
3700
3701         * inspector/InjectedScript.h:
3702         * inspector/InjectedScript.cpp:
3703         (Inspector::InjectedScript::setEventValue): Added.
3704         (Inspector::InjectedScript::clearEventValue): Added.
3705
3706         * inspector/InjectedScriptManager.h:
3707         * inspector/InjectedScriptManager.cpp:
3708         (Inspector::InjectedScriptManager::clearEventValue): Added.
3709
3710         * inspector/InjectedScriptSource.js:
3711         (WI.InjectedScript.prototype.setEventValue): Added.
3712         (WI.InjectedScript.prototype.clearEventValue): Added.
3713         (BasicCommandLineAPI):
3714
3715 2019-03-19  Devin Rousso  <drousso@apple.com>
3716
3717         Web Inspector: ScriptProfiler: lazily create the agent
3718         https://bugs.webkit.org/show_bug.cgi?id=195591
3719         <rdar://problem/48791756>
3720
3721         Reviewed by Joseph Pecoraro.
3722
3723         * inspector/JSGlobalObjectConsoleClient.h:
3724         (Inspector::JSGlobalObjectConsoleClient::setInspectorScriptProfilerAgent): Added.
3725         * inspector/JSGlobalObjectConsoleClient.cpp:
3726         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
3727         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
3728         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
3729
3730         * inspector/JSGlobalObjectInspectorController.cpp:
3731         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3732         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3733
3734 2019-03-19  Devin Rousso  <drousso@apple.com>
3735
3736         Web Inspector: Heap: lazily create the agent
3737         https://bugs.webkit.org/show_bug.cgi?id=195590
3738         <rdar://problem/48791750>
3739
3740         Reviewed by Joseph Pecoraro.
3741
3742         * inspector/agents/InspectorHeapAgent.h:
3743         * inspector/agents/InspectorHeapAgent.cpp:
3744         (Inspector::InspectorHeapAgent::~InspectorHeapAgent): Deleted.
3745
3746         * inspector/agents/InspectorConsoleAgent.h:
3747         (Inspector::InspectorConsoleAgent::setInspectorHeapAgent): Added.
3748         * inspector/agents/InspectorConsoleAgent.cpp:
3749         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
3750         (Inspector::InspectorConsoleAgent::takeHeapSnapshot):
3751         (Inspector::InspectorConsoleAgent::~InspectorConsoleAgent): Deleted.
3752
3753         * inspector/JSGlobalObjectInspectorController.cpp:
3754         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3755         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3756
3757 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
3758
3759         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
3760         https://bugs.webkit.org/show_bug.cgi?id=194648
3761
3762         Reviewed by Keith Miller.
3763
3764         1. Making LLIntThunks singleton.
3765
3766         Motivation: The former implementation has one LLIntThunk per type per VM.
3767         However, the generated code for every kind of thunk is essentially the
3768         same, and we end up wasting memory (right now jitAllocationGranule = 32 bytes)
3769         when we have 2 or more VMs instantiated. Turning these thunks into
3770         singletons will avoid such waste.
3771
3772         Tradeoff: This change comes with a price, because we will keep thunks
3773         allocated even when there is no VM instantiated. Considering the WebCore use case,
3774         the situation of having no VM instantiated is uncommon, since once a
3775         VM is created through `commonVM()`, it will never be destroyed. Given
3776         that, this change does not impact the overall memory consumption of
3777         WebCore/JSC. It also doesn't impact memory footprint, since thunks are
3778         generated lazily (see results below).
3779
3780         Since we are keeping a static `MacroAssemblerCodeRef<JITThunkPtrTag>`,
3781         we have the assurance that JITed code will never be deallocated,
3782         given it is being pointed by `RefPtr<ExecutableMemoryHandle> m_executableMemory`.
3783         To understand why we decided to make LLIntThunks singleton instead of
3784         removing them, please see the comment on `llint/LLIntThunks.cpp`.
3785
3786         2. Making all LLIntEntrypoints singletons
3787
3788         Motivation: With singleton LLIntThunks, we also can have singleton
3789         DirectJITCodes and NativeJITCodes for each LLIntEntrypoint type and
3790         avoid multiple allocations of objects with the same content.
3791
3792         Tradeoff: As explained before, once we allocate an entrypoint, it
3793         will be alive until the program exits. However, the gains we can
3794         achieve in some use cases justify such allocations.
3795
3796         As DirectJITCode and NativeJITCode are ThreadSafeRefCounted and we are using
3797         `codeBlock->setJITCode(makeRef(*jitCode))`, their reference counter
3798         will never be less than 1.
3799
3800         3. Memory usage analysis
3801
3802         This change reduces memory usage on stress/generate-multiple-llint-entrypoints.js
3803         by 2% and is neutral on JetStream 2. Following results were generated
3804         running each benchmark 6 times and using 95% Student's t distribution
3805         confidence interval.
3806
3807         microbenchmarks/generate-multiple-llint-entrypoints.js (Changes uses less memory): 
3808             Mean of memory peak on ToT: 122576896 bytes (confidence interval: 67747.2316)
3809             Mean of memory peak on Changes: 119248213.33 bytes (confidence interval: 50251.2718)
3810
3811         JetStream2 (Neutral):
3812             Mean of memory peak on ToT: 5442742272 bytes (confidence interval: 134381565.9117)
3813             Mean of memory peak on Changes: 5384949760 bytes (confidence interval: 158413904.8352)
3814
3815         4. Performance Analysis
3816
3817         This change is performance neutral on JetStream 2 and Speedometer 2.
3818         See results below:
3819
3820         JetStream 2 (Neutral):
3821             Mean of score on ToT: 139.58 (confidence interval: 2.44)
3822             Mean of score on Changes: 141.46 (confidence interval: 4.24)
3823
3824         Speedometer run #1
3825            ToT: 110 +- 2.9
3826            Changes: 110 +- 1.8
3827
3828         Speedometer run #2
3829            ToT: 110 +- 1.6
3830            Changes: 108 +- 2.3
3831
3832         Speedometer run #3
3833            ToT: 110 +- 3.0
3834            Changes: 110 +- 1.4
3835
3836         * jit/JSInterfaceJIT.h:
3837         (JSC::JSInterfaceJIT::JSInterfaceJIT):
3838         * llint/LLIntEntrypoint.cpp:
3839
3840         Here we are changing the usage of DirectJITCode to NativeJITCode in cases
3841         where there is no difference between the addresses of calls with and without
3842         ArithCheck.
3843
3844         (JSC::LLInt::setFunctionEntrypoint):
3845         (JSC::LLInt::setEvalEntrypoint):
3846         (JSC::LLInt::setProgramEntrypoint):
3847         (JSC::LLInt::setModuleProgramEntrypoint):
3848         (JSC::LLInt::setEntrypoint):
3849         * llint/LLIntEntrypoint.h:
3850         * llint/LLIntThunks.cpp:
3851         (JSC::LLInt::generateThunkWithJumpTo):
3852         (JSC::LLInt::functionForCallEntryThunk):
3853         (JSC::LLInt::functionForConstructEntryThunk):
3854         (JSC::LLInt::functionForCallArityCheckThunk):
3855         (JSC::LLInt::functionForConstructArityCheckThunk):
3856         (JSC::LLInt::evalEntryThunk):
3857         (JSC::LLInt::programEntryThunk):
3858         (JSC::LLInt::moduleProgramEntryThunk):
3859         (JSC::LLInt::functionForCallEntryThunkGenerator): Deleted.
3860         (JSC::LLInt::functionForConstructEntryThunkGenerator): Deleted.
3861         (JSC::LLInt::functionForCallArityCheckThunkGenerator): Deleted.
3862         (JSC::LLInt::functionForConstructArityCheckThunkGenerator): Deleted.
3863         (JSC::LLInt::evalEntryThunkGenerator): Deleted.
3864         (JSC::LLInt::programEntryThunkGenerator): Deleted.
3865         (JSC::LLInt::moduleProgramEntryThunkGenerator): Deleted.
3866         * llint/LLIntThunks.h:
3867         * runtime/ScriptExecutable.cpp:
3868         (JSC::setupLLInt):
3869         (JSC::ScriptExecutable::prepareForExecutionImpl):
3870
3871 2019-03-18  Yusuke Suzuki  <ysuzuki@apple.com>
3872
3873         [JSC] Add missing exception checks revealed by newly added exception checks, follow-up after r243081