[JSC] op_has_indexed_property should not assume subscript part is Uint32
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] op_has_indexed_property should not assume subscript part is Uint32
        https://bugs.webkit.org/show_bug.cgi?id=196850

        Reviewed by Saam Barati.

        op_has_indexed_property assumed that the subscript part is always Uint32. However, this is just a load from a non-constant RegisterID;
        the DFG can store it in double format and can perform OSR exit. op_has_indexed_property should not assume that.
        In this patch, instead, we check it with isAnyInt and get uint32_t from AnyInt.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

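Added example, not part of the ChangeLog or of JSC's code: a self-contained C++ model of the subscript check the entry above describes. `Value`, `isAnyInt`, `asAnyInt` and `hasIndexedProperty` are simplified stand-ins for the JSC APIs named in the entry, and the Int52 bounds and array-index limit are assumed here rather than taken from the page.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Simplified stand-in for a JSC JSValue holding a number: either an Int32 or a
// Double. This is a constructed model for the example, not JSC's real encoding.
struct Value {
    enum class Kind { Int32, Double };
    Kind kind;
    int32_t i32;
    double d;
    static Value fromInt32(int32_t v) { return Value{Kind::Int32, v, 0.0}; }
    static Value fromDouble(double v) { return Value{Kind::Double, 0, v}; }
    bool isInt32() const { return kind == Kind::Int32; }
};

// "AnyInt" is an integral value that fits a signed 52-bit range, whether it is
// stored as an Int32 or as a Double (the format the DFG may have chosen for a
// non-constant local). The bounds are the usual Int52 bounds (assumed here).
constexpr int64_t kInt52Max = (int64_t(1) << 51) - 1;
constexpr int64_t kInt52Min = -(int64_t(1) << 51);

bool isAnyInt(const Value& v) {
    if (v.isInt32())
        return true;
    double d = v.d;
    if (std::isnan(d) || std::isinf(d))
        return false;
    if (std::trunc(d) != d)                  // fractional values are not integers
        return false;
    if (d == 0.0 && std::signbit(d))         // -0.0 is a distinct double, not an int
        return false;
    return d >= double(kInt52Min) && d <= double(kInt52Max);
}

int64_t asAnyInt(const Value& v) {
    return v.isInt32() ? int64_t(v.i32) : int64_t(v.d);
}

// JS array indices are unsigned 32-bit values below 2^32 - 1 (assumed limit).
constexpr int64_t kMaxArrayIndex = int64_t(UINT32_MAX) - 1;

// Model of the slow path for "has indexed property": the subscript is first
// checked with isAnyInt, then converted to a uint32_t index. Returns nullopt when
// the subscript is not an array index at all (the caller falls back to the
// generic property lookup), otherwise whether the index is present in `storage`.
// `storage` models indexed storage with holes (nullopt = hole).
std::optional<bool> hasIndexedProperty(const std::vector<std::optional<int>>& storage,
                                       const Value& subscript) {
    if (!isAnyInt(subscript))
        return std::nullopt;
    int64_t i = asAnyInt(subscript);
    if (i < 0 || i > kMaxArrayIndex)
        return std::nullopt;
    uint32_t index = static_cast<uint32_t>(i);  // safe: range checked above
    if (index >= storage.size())
        return false;
    return storage[index].has_value();
}

// Constructed sample storage: [1, <hole>, 3]
const std::vector<std::optional<int>> kSampleStorage = {1, std::nullopt, 3};

int main() {
    const Value cases[] = { Value::fromInt32(2), Value::fromDouble(2.0),
                            Value::fromInt32(1), Value::fromDouble(2.5),
                            Value::fromDouble(-0.0), Value::fromDouble(7.0) };
    for (const Value& v : cases) {
        std::optional<bool> r = hasIndexedProperty(kSampleStorage, v);
        std::printf("%s\n", !r ? "not an index" : (*r ? "present" : "absent"));
    }
    return 0;
}
```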
2019-04-11  Saam Barati  <sbarati@apple.com>

        Remove invalid assertion in operationInstanceOfCustom
        https://bugs.webkit.org/show_bug.cgi?id=196842
        <rdar://problem/49725493>

        Reviewed by Michael Saboff.

        In the generated JIT code, we go to the slow path when the incoming function
        isn't the Node's CodeOrigin's functionProtoHasInstanceSymbolFunction. However,
        in the JIT operation, we were asserting against exec->lexicalGlobalObject()'s
        functionProtoHasInstanceSymbolFunction. That assertion might be wrong when
        inlining across global objects as exec->lexicalGlobalObject() uses the machine
        frame for procuring the global object. There is no harm when this assertion fails
        as we just execute the slow path. This patch removes the assertion. (However, this
        does shed light on the deficiency in our exec->lexicalGlobalObject() function with
        respect to inlining. However, this isn't new -- we've known about this for a while.)

        * jit/JITOperations.cpp:

2019-04-11  Michael Saboff  <msaboff@apple.com>

        Improve the Inline Cache Stats code
        https://bugs.webkit.org/show_bug.cgi?id=196836

        Reviewed by Saam Barati.

        Needed to handle the case where the Identifier could be null, for example with InstanceOfAddAccessCase
        and InstanceOfReplaceWithJump.

        Added the ability to log the location of a GetBy and PutBy property as either on self or up the
        protocol chain.

        * jit/ICStats.cpp:
        (JSC::ICEvent::operator< const):
        (JSC::ICEvent::dump const):
        * jit/ICStats.h:
        (JSC::ICEvent::ICEvent):
        (JSC::ICEvent::hash const):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryCacheInByID):

2019-04-11  Devin Rousso  <drousso@apple.com>

        Web Inspector: Timelines: can't reliably stop/start a recording
        https://bugs.webkit.org/show_bug.cgi?id=196778
        <rdar://problem/47606798>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/ScriptProfiler.json:
        * inspector/protocol/Timeline.json:
        It is possible to determine when programmatic capturing starts/stops in the frontend based
        on the state when the backend causes the state to change, such as if the state is "inactive"
        when the frontend is told that the backend has started capturing.

        * inspector/protocol/CPUProfiler.json:
        * inspector/protocol/Memory.json:
        Send an end timestamp to match other instruments.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
        (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):

        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.

2019-04-11  Saam Barati  <sbarati@apple.com>

        Rename SetArgument to SetArgumentDefinitely
        https://bugs.webkit.org/show_bug.cgi?id=196828

        Reviewed by Yusuke Suzuki.

        This is in preparation for https://bugs.webkit.org/show_bug.cgi?id=196712
        where we will introduce a node named SetArgumentMaybe. Doing this refactoring
        first will make reviewing that other patch easier.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
        (JSC::DFG::CPSRethreadingPhase::propagatePhis):
        (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertPhantomToPhantomLocal):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):

2019-04-11  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r244158.

        Caused 8 inspector/timeline/ test failures.

        Reverted changeset:

        "Web Inspector: Timelines: can't reliably stop/start a
        recording"
        https://bugs.webkit.org/show_bug.cgi?id=196778
        https://trac.webkit.org/changeset/244158

2019-04-10  Saam Barati  <sbarati@apple.com>

        AbstractValue::validateOSREntryValue is wrong for Int52 constants
        https://bugs.webkit.org/show_bug.cgi?id=196801
        <rdar://problem/49771122>

        Reviewed by Yusuke Suzuki.

        validateOSREntryValue should not care about the format of the incoming
        value for Int52s. This patch normalizes the format of m_value and
        the incoming value when comparing them.

        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::validateOSREntryValue const):

2019-04-10  Saam Barati  <sbarati@apple.com>

        ArithSub over Int52 has shouldCheckOverflow as always true
        https://bugs.webkit.org/show_bug.cgi?id=196796

        Reviewed by Yusuke Suzuki.

        AI was checking for ArithSub over Int52 if !shouldCheckOverflow. However,
        shouldCheckOverflow is always true, so !shouldCheckOverflow is always
        false. We shouldn't check something we assert against.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2019-04-10  Basuke Suzuki  <basuke.suzuki@sony.com>

        [PlayStation] Specify byte order clearly on Remote Inspector Protocol
        https://bugs.webkit.org/show_bug.cgi?id=196790

        Reviewed by Ross Kirsling.

        The original implementation lacks a byte order specification. Network byte order is a
        good candidate if there's no strong reason to choose another.
        Currently no client exists for the PlayStation remote inspector protocol, so we can
        change the byte order without care.

        * inspector/remote/playstation/RemoteInspectorMessageParserPlayStation.cpp:
        (Inspector::MessageParser::createMessage):
        (Inspector::MessageParser::parse):

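Added example, not from WebKit: a constructed length-prefixed framing in network byte order with a bounds-checked parser, showing why a wire protocol must fix its byte order and why a declared length is validated before it is trusted. The frame layout and the `createMessage`/`parse` shapes are assumptions modelled loosely on the function names in the entry above, not the PlayStation protocol's real format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

// Constructed model of a remote inspector frame: a 4-byte length in network byte
// order (big-endian) followed by that many payload bytes. The layout is an
// assumption for this example, not WebKit's actual wire format.

// Serialise a 32-bit value big-endian with explicit shifts, so the bytes are the
// same on little-endian and big-endian hosts without relying on htonl/ntohl.
void appendUint32BE(std::vector<uint8_t>& out, uint32_t v) {
    out.push_back(static_cast<uint8_t>(v >> 24));
    out.push_back(static_cast<uint8_t>(v >> 16));
    out.push_back(static_cast<uint8_t>(v >> 8));
    out.push_back(static_cast<uint8_t>(v));
}

uint32_t readUint32BE(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16)
         | (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

// Sender side: build one frame for a payload.
std::vector<uint8_t> createMessage(const std::string& payload) {
    std::vector<uint8_t> frame;
    appendUint32BE(frame, static_cast<uint32_t>(payload.size()));
    frame.insert(frame.end(), payload.begin(), payload.end());
    return frame;
}

struct ParseResult {
    std::vector<std::string> messages;  // complete frames found, in order
    size_t consumed = 0;                // bytes the caller may drop from its buffer
    bool error = false;                 // malformed stream; the connection should be closed
};

// Receiver side: pull every complete frame out of `buffer`. A partial frame is
// left for the next call (consumed stops before its header). A declared length
// above `maxPayload` is treated as malformed before any allocation is made.
ParseResult parse(const std::vector<uint8_t>& buffer, size_t maxPayload = 1u << 20) {
    ParseResult result;
    size_t offset = 0;
    while (buffer.size() - offset >= 4) {
        uint32_t length = readUint32BE(buffer.data() + offset);
        if (length > maxPayload) {
            result.error = true;
            return result;
        }
        if (buffer.size() - offset - 4 < length)
            break;  // header present but payload incomplete: wait for more bytes
        const uint8_t* start = buffer.data() + offset + 4;
        result.messages.emplace_back(reinterpret_cast<const char*>(start), length);
        offset += 4 + length;
    }
    result.consumed = offset;
    return result;
}

// Helpers for building constructed sample streams.
std::vector<uint8_t> joinFrames(std::initializer_list<std::string> payloads) {
    std::vector<uint8_t> stream;
    for (const std::string& p : payloads) {
        std::vector<uint8_t> frame = createMessage(p);
        stream.insert(stream.end(), frame.begin(), frame.end());
    }
    return stream;
}

std::vector<uint8_t> head(const std::vector<uint8_t>& v, size_t n) {
    return std::vector<uint8_t>(v.begin(), v.begin() + (n < v.size() ? n : v.size()));
}

// Constructed frame whose length was written little-endian by a sender that did
// not follow the byte-order rule. Read as big-endian, "5" becomes 0x05000000
// (83886080), which the parser rejects instead of trying to read 80 MiB of payload.
const std::vector<uint8_t> kLittleEndianFrame = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};

int main() {
    ParseResult r = parse(joinFrames({"hello", "ab"}));
    std::printf("%zu messages, %zu bytes consumed, error=%d\n",
                r.messages.size(), r.consumed, r.error);
    return 0;
}
```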
2019-04-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: Inspector: lazily create the agent
        https://bugs.webkit.org/show_bug.cgi?id=195971
        <rdar://problem/49039645>

        Reviewed by Joseph Pecoraro.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
        (Inspector::JSGlobalObjectInspectorController::createLazyAgents):

        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorAgent.cpp:

2019-04-10  Saam Barati  <sbarati@apple.com>

        Work around an arm64_32 LLVM miscompile bug
        https://bugs.webkit.org/show_bug.cgi?id=196788

        Reviewed by Yusuke Suzuki.

        * runtime/CachedTypes.cpp:

2019-04-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: Timelines: can't reliably stop/start a recording
        https://bugs.webkit.org/show_bug.cgi?id=196778
        <rdar://problem/47606798>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/ScriptProfiler.json:
        * inspector/protocol/Timeline.json:
        It is possible to determine when programmatic capturing starts/stops in the frontend based
        on the state when the backend causes the state to change, such as if the state is "inactive"
        when the frontend is told that the backend has started capturing.

        * inspector/protocol/CPUProfiler.json:
        * inspector/protocol/Memory.json:
        Send an end timestamp to match other instruments.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
        (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):

        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.

2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>

        Unreviewed, fix watch build after r244143
        https://bugs.webkit.org/show_bug.cgi?id=195000

        The result of `lseek` should be `off_t` rather than `int`.

        * jsc.cpp:

2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>

        Add support for incremental bytecode cache updates
        https://bugs.webkit.org/show_bug.cgi?id=195000

        Reviewed by Filip Pizlo.

        Add support for incremental updates to the bytecode cache. The cache
        is constructed as follows:
        - When the cache is empty, the initial payload can be added to the BytecodeCache
        by calling BytecodeCache::addGlobalUpdate. This represents the encoded
        top-level UnlinkedCodeBlock.
        - Afterwards, updates can be added by calling BytecodeCache::addFunctionUpdate.
        The update is applied by appending the encoded UnlinkedFunctionCodeBlock
        to the existing cache and updating the CachedFunctionExecutableMetadata
        and the offset of the new CachedFunctionCodeBlock in the owner CachedFunctionExecutable.

        * API/JSScript.mm:
        (-[JSScript readCache]):
        (-[JSScript isUsingBytecodeCache]):
        (-[JSScript init]):
        (-[JSScript cachedBytecode]):
        (-[JSScript writeCache:]):
        * API/JSScriptInternal.h:
        * API/JSScriptSourceProvider.h:
        * API/JSScriptSourceProvider.mm:
        (JSScriptSourceProvider::cachedBytecode const):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        * jsc.cpp:
        (ShellSourceProvider::~ShellSourceProvider):
        (ShellSourceProvider::cachePath const):
        (ShellSourceProvider::loadBytecode const):
        (ShellSourceProvider::ShellSourceProvider):
        (ShellSourceProvider::cacheEnabled):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cachedBytecode const):
        (JSC::SourceProvider::updateCache const):
        (JSC::SourceProvider::commitCachedBytecode const):
        * runtime/CachePayload.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSC::CachePayload::makeMappedPayload):
        (JSC::CachePayload::makeMallocPayload):
        (JSC::CachePayload::makeEmptyPayload):
        (JSC::CachePayload::CachePayload):
        (JSC::CachePayload::~CachePayload):
        (JSC::CachePayload::operator=):
        (JSC::CachePayload::freeData):
        * runtime/CachePayload.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSC::CachePayload::data const):
        (JSC::CachePayload::size const):
        (JSC::CachePayload::CachePayload):
        * runtime/CacheUpdate.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSC::CacheUpdate::CacheUpdate):
        (JSC::CacheUpdate::operator=):
        (JSC::CacheUpdate::isGlobal const):
        (JSC::CacheUpdate::asGlobal const):
        (JSC::CacheUpdate::asFunction const):
        * runtime/CacheUpdate.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        * runtime/CachedBytecode.cpp: Added.
        (JSC::CachedBytecode::addGlobalUpdate):
        (JSC::CachedBytecode::addFunctionUpdate):
        (JSC::CachedBytecode::copyLeafExecutables):
        (JSC::CachedBytecode::commitUpdates const):
        * runtime/CachedBytecode.h: Added.
        (JSC::CachedBytecode::create):
        (JSC::CachedBytecode::leafExecutables):
        (JSC::CachedBytecode::data const):
        (JSC::CachedBytecode::size const):
        (JSC::CachedBytecode::hasUpdates const):
        (JSC::CachedBytecode::sizeForUpdate const):
        (JSC::CachedBytecode::CachedBytecode):
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::addLeafExecutable):
        (JSC::Encoder::release):
        (JSC::Decoder::Decoder):
        (JSC::Decoder::create):
        (JSC::Decoder::size const):
        (JSC::Decoder::offsetOf):
        (JSC::Decoder::ptrForOffsetFromBase):
        (JSC::Decoder::addLeafExecutable):
        (JSC::VariableLengthObject::VariableLengthObject):
        (JSC::VariableLengthObject::buffer const):
        (JSC::CachedPtrOffsets::offsetOffset):
        (JSC::CachedWriteBarrierOffsets::ptrOffset):
        (JSC::CachedFunctionExecutable::features const):
        (JSC::CachedFunctionExecutable::hasCapturedVariables const):
        (JSC::CachedFunctionExecutableOffsets::codeBlockForCallOffset):
        (JSC::CachedFunctionExecutableOffsets::codeBlockForConstructOffset):
        (JSC::CachedFunctionExecutableOffsets::metadataOffset):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::encodeCodeBlock):
        (JSC::encodeFunctionCodeBlock):
        (JSC::decodeCodeBlockImpl):
        (JSC::isCachedBytecodeStillValid):
        * runtime/CachedTypes.h:
        (JSC::VariableLengthObjectBase::VariableLengthObjectBase):
        (JSC::decodeCodeBlock):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::updateCache):
        (JSC::CodeCache::write):
        (JSC::writeCodeBlock):
        (JSC::serializeBytecode):
        * runtime/CodeCache.h:
        (JSC::SourceCodeValue::SourceCodeValue):
        (JSC::CodeCacheMap::findCacheAndUpdateAge):
        (JSC::CodeCacheMap::fetchFromDiskImpl):
        * runtime/Completion.cpp:
        (JSC::generateProgramBytecode):
        (JSC::generateModuleBytecode):
        * runtime/Completion.h:
        * runtime/LeafExecutable.cpp: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
        (JSC::LeafExecutable::operator+ const):
        * runtime/LeafExecutable.h: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
        (JSC::LeafExecutable::LeafExecutable):
        (JSC::LeafExecutable::base const):

2019-04-10  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, rolling out r243989.

        Broke i686 builds

        Reverted changeset:

        "[CMake] Detect SSE2 at compile time"
        https://bugs.webkit.org/show_bug.cgi?id=196488
        https://trac.webkit.org/changeset/243989

2019-04-10  Robin Morisset  <rmorisset@apple.com>

        We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
        https://bugs.webkit.org/show_bug.cgi?id=196746

        Reviewed by Yusuke Suzuki.

        It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.

        * runtime/ObjectConstructor.cpp:
        (JSC::defineProperties):

2019-04-10  Antoine Quint  <graouts@apple.com>

        Enable Pointer Events on watchOS
        https://bugs.webkit.org/show_bug.cgi?id=196771
        <rdar://problem/49040909>

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2019-04-09  Keith Rollin  <krollin@apple.com>

        Unreviewed build maintenance -- update .xcfilelists.

        * DerivedSources-input.xcfilelist:

2019-04-09  Ross Kirsling  <ross.kirsling@sony.com>

        JSC should build successfully even with -DENABLE_UNIFIED_BUILDS=OFF
        https://bugs.webkit.org/show_bug.cgi?id=193073

        Reviewed by Keith Miller.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOpImpl):
        (JSC::BytecodeGenerator::emitEqualityOp): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitEqualityOp):
        Factor out the logic that uses the template parameter and keep it in the header.

        * jit/JITPropertyAccess.cpp:
        List off the template specializations needed by JITOperations.cpp.
        This is unfortunate but at least there are only two (x2) by definition?
        Trying to do away with this incurs a severe domino effect...

        * API/JSValueRef.cpp:
        * b3/B3OptimizeAssociativeExpressionTrees.cpp:
        * b3/air/AirHandleCalleeSaves.cpp:
        * builtins/BuiltinNames.cpp:
        * bytecode/AccessCase.cpp:
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeRewriter.cpp:
        * bytecode/BytecodeUseDef.h:
        * bytecode/CodeBlock.cpp:
        * bytecode/InstanceOfAccessCase.cpp:
        * bytecode/MetadataTable.cpp:
        * bytecode/PolyProtoAccessChain.cpp:
        * bytecode/StructureSet.cpp:
        * bytecompiler/NodesCodegen.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGPureValue.cpp:
        * heap/GCSegmentedArray.h:
        * heap/HeapInlines.h:
        * heap/IsoSubspace.cpp:
        * heap/LocalAllocator.cpp:
        * heap/LocalAllocator.h:
        * heap/LocalAllocatorInlines.h:
        * heap/MarkingConstraintSolver.cpp:
        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::isEqual const):
        * inspector/ScriptCallStackFactory.cpp:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        * interpreter/StackVisitor.cpp:
        * llint/LLIntEntrypoint.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/BigIntPrototype.cpp:
        * runtime/CachedTypes.cpp:
        * runtime/ErrorType.cpp:
        * runtime/IndexingType.cpp:
        * runtime/JSCellInlines.h:
        * runtime/JSImmutableButterfly.h:
        * runtime/Operations.h:
        * runtime/RegExpCachedResult.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpGlobalData.cpp:
        * runtime/StackFrame.h:
        * wasm/WasmSignature.cpp:
        * wasm/js/JSToWasm.cpp:
        * wasm/js/JSToWasmICCallee.cpp:
        * wasm/js/WebAssemblyFunction.h:
        Fix includes / forward declarations (and a couple of nearby clang warnings).

2019-04-09  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Apple builds should use ICU_INCLUDE_DIRS
        https://bugs.webkit.org/show_bug.cgi?id=196720

        Reviewed by Konstantin Tokarev.

        * PlatformMac.cmake:

2019-04-09  Saam Barati  <sbarati@apple.com>

        Clean up Int52 code and some bugs in it
        https://bugs.webkit.org/show_bug.cgi?id=196639
        <rdar://problem/49515757>

        Reviewed by Yusuke Suzuki.

        This patch fixes bugs in our Int52 code. The primary change in this patch is
        adopting a segregated type lattice for Int52. Previously, for Int52 values,
        we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
        SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
        that the value is outside of the int32 range.

        However, this got confusing because we reused SpecInt32Only both for JSValue
        representations and Int52 representations. This actually led to some bugs.

        1. It's possible that roundtripping through Int52 representation would say
        it produces the wrong type. For example, consider this program and how we
        used to annotate types in AI:
        a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
        b: Int52Rep(@a) => m_type is SpecInt52Only
        c: ValueRep(@b) => m_type is SpecAnyIntAsDouble

        In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
        However, the execution semantics are such that it'd actually produce a boxed
        Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
        would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
        mean an int value in either int32 or int52 range.

        2. AbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it
        accepted Int52 values. It was wrong in two different ways:
        a: If the AbstractValue's type was SpecInt52Only, and the incoming value
        was a boxed double, but represented a value in int32 range, the incoming
        value would incorrectly validate as being acceptable. However, we should
        have rejected this value.
        b: If the AbstractValue's type was SpecInt32Only, and the incoming value
        was an Int32 boxed in a double, this would not validate, even though
        it should have validated.

        Solving 2 was easiest if we segregated out the Int52 type into its own
        lattice. This patch makes a new Int52 lattice, which is composed of
        SpecInt32AsInt52 and SpecNonInt32AsInt52.

        The conversion rules are now really simple.

        Int52 rep => JSValue rep
        SpecInt32AsInt52 => SpecInt32Only
        SpecNonInt32AsInt52 => SpecAnyIntAsDouble

        JSValue rep => Int52 rep
        SpecInt32Only => SpecInt32AsInt52
        SpecAnyIntAsDouble => SpecInt52Any

        With these rules, the program in (1) will now correctly report that @c
        returns SpecInt32Only | SpecAnyIntAsDouble.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::int52AwareSpeculationFromValue):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isAnyInt52Speculation):
        (JSC::isIntAnyFormat):
        (JSC::isInt52Speculation): Deleted.
        (JSC::isAnyIntSpeculation): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        (JSC::DFG::AbstractValue::checkConsistency const):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::isInt52Any const):
        (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupArithMul):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
        (JSC::DFG::FixupPhase::fixupToThis):
        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInt52):
        (JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
        (JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
        (JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
        (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
        (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt52):
        (JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):

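Added example, not JSC code: a constructed model of the old and new Int52 lattices and conversion rules from the entry above, with invented bit values, carrying program (1) through both rule sets and showing the range-based (format-independent) validation that addresses (2a) and (2b). The function names and bit constants are assumptions for this example, not JSC's SpeculatedType definitions.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model of the two speculation lattices the entry describes. The bit
// values are invented for this example and are not JSC's SpeculatedType constants.
using SpeculatedType = uint32_t;
constexpr SpeculatedType SpecNone = 0;

// JSValue-representation lattice (the subset relevant here).
constexpr SpeculatedType SpecInt32Only      = 1u << 0;  // boxed int32
constexpr SpeculatedType SpecAnyIntAsDouble = 1u << 1;  // integral value boxed as a double

// Int52-representation lattice after the patch: segregated from the JSValue one.
constexpr SpeculatedType SpecInt32AsInt52    = 1u << 2;  // Int52 holding an int32-range value
constexpr SpeculatedType SpecNonInt32AsInt52 = 1u << 3;  // Int52 outside int32 range
constexpr SpeculatedType SpecInt52Any = SpecInt32AsInt52 | SpecNonInt32AsInt52;

// The pre-patch Int52 lattice reused SpecInt32Only and used this bit for
// "outside int32 range".
constexpr SpeculatedType SpecInt52Only = 1u << 4;

// Int52 rep => JSValue rep (new rules).
SpeculatedType valueRep(SpeculatedType int52Type) {
    SpeculatedType r = SpecNone;
    if (int52Type & SpecInt32AsInt52)    r |= SpecInt32Only;
    if (int52Type & SpecNonInt32AsInt52) r |= SpecAnyIntAsDouble;
    return r;
}

// JSValue rep => Int52 rep (new rules). An AnyIntAsDouble may be in either range,
// so it maps to the whole Int52 lattice, not only the "outside int32" half.
SpeculatedType int52Rep(SpeculatedType jsValueType) {
    SpeculatedType r = SpecNone;
    if (jsValueType & SpecInt32Only)      r |= SpecInt32AsInt52;
    if (jsValueType & SpecAnyIntAsDouble) r |= SpecInt52Any;
    return r;
}

// Old rules, kept for contrast: SpecAnyIntAsDouble was mapped to SpecInt52Only,
// and SpecInt32Only was shared between the two representations.
SpeculatedType int52RepOld(SpeculatedType jsValueType) {
    SpeculatedType r = SpecNone;
    if (jsValueType & SpecInt32Only)      r |= SpecInt32Only;
    if (jsValueType & SpecAnyIntAsDouble) r |= SpecInt52Only;
    return r;
}

SpeculatedType valueRepOld(SpeculatedType int52Type) {
    SpeculatedType r = SpecNone;
    if (int52Type & SpecInt32Only) r |= SpecInt32Only;
    if (int52Type & SpecInt52Only) r |= SpecAnyIntAsDouble;
    return r;
}

// Type of a concrete Int52 value, decided by range only: the answer does not
// depend on whether the value arrived boxed as an int32 or as a double.
SpeculatedType speculationFromInt52(int64_t v) {
    return (v >= INT32_MIN && v <= INT32_MAX) ? SpecInt32AsInt52 : SpecNonInt32AsInt52;
}

// Format-independent validation of an incoming Int52 against an abstract type:
// an int32-range value is rejected by SpecNonInt32AsInt52 (2a) and accepted by
// SpecInt32AsInt52 however it was boxed (2b).
bool validateInt52(SpeculatedType abstractType, int64_t value) {
    return (speculationFromInt52(value) & abstractType) != SpecNone;
}

// Program (1) from the entry: a: JSConstant(10.0) -> b: Int52Rep(@a) -> c: ValueRep(@b).
SpeculatedType roundTripNew() { return valueRep(int52Rep(SpecAnyIntAsDouble)); }
SpeculatedType roundTripOld() { return valueRepOld(int52RepOld(SpecAnyIntAsDouble)); }

int main() {
    std::printf("type of @c, old rules: %u  new rules: %u\n", roundTripOld(), roundTripNew());
    return 0;
}
```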
2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>

        ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
        https://bugs.webkit.org/show_bug.cgi?id=196708
        <rdar://problem/49556803>

        Reviewed by Yusuke Suzuki.

        `operationPutToScope` needs to return early if an exception is thrown while
        checking if `hasProperty`.

        * jit/JITOperations.cpp:

2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG should respect node's strict flag
        https://bugs.webkit.org/show_bug.cgi?id=196617

        Reviewed by Saam Barati.

        We accidentally used codeBlock->isStrictMode() directly in DFG and FTL. But this is wrong since this CodeBlock is the top level DFG/FTL CodeBlock,
        and this code does not respect the isStrictMode flag for the inlined CodeBlocks. In this patch, we start using isStrictModeFor(CodeOrigin) consistently
        in DFG and FTL to get the right isStrictMode flag for the DFG node.
        And we also split compilePutDynamicVar into compilePutDynamicVarStrict and compilePutDynamicVarNonStrict since (1) it is cleaner than accessing the inlined
        callframe in the operation function, and (2) it is aligned to the other functions like operationPutByValDirectNonStrict etc.
        This bug was discovered by RandomizingFuzzerAgent by expanding the DFG coverage.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupToThis):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
        (JSC::DFG::SpeculativeJIT::compileToThis):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):

2019-04-08  Don Olmstead  <don.olmstead@sony.com>

        [CMake][WinCairo] Separate copied headers into different directories
        https://bugs.webkit.org/show_bug.cgi?id=196655

        Reviewed by Michael Catanzaro.

        * CMakeLists.txt:
        * shell/PlatformWin.cmake:

2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] isRope jump in StringSlice should not jump over register allocations
        https://bugs.webkit.org/show_bug.cgi?id=196716

        Reviewed by Saam Barati.

        Jumping over the register allocation code in DFG (like the following) is wrong.

            auto jump = m_jit.branchXXX();
            {
                GPRTemporary reg(this);
                GPRReg regGPR = reg.gpr();
                ...
            }
            jump.link(&m_jit);

        When GPRTemporary::gpr allocates a new register, it can flush the previous register value into the stack and make the register usable.
        Jumping over this register allocation code skips the flushing code, and makes the DFG's stack and register content tracking inconsistent:
        DFG thinks that the content is flushed and stored in a particular stack slot even while this flushing code is skipped.
        In this patch, we perform register allocations before jumping to the slow path based on the `isRope` condition in StringSlice.
720
721         * dfg/DFGSpeculativeJIT.cpp:
722         (JSC::DFG::SpeculativeJIT::compileStringSlice):
723
724 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
725
726         [JSC] to_index_string should not assume incoming value is Uint32
727         https://bugs.webkit.org/show_bug.cgi?id=196713
728
729         Reviewed by Saam Barati.
730
731         The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
732         this assumption since DFG may decide we should have it in double format. This patch removes this
733         assumption, and instead, we assume that the incoming value is AnyInt and that its range is
734         within Uint32.
735
736         * runtime/CommonSlowPaths.cpp:
737         (JSC::SLOW_PATH_DECL):
738
739 2019-04-08  Justin Fan  <justin_fan@apple.com>
740
741         [Web GPU] Fix Web GPU experimental feature on iOS
742         https://bugs.webkit.org/show_bug.cgi?id=196632
743
744         Reviewed by Myles C. Maxfield.
745
746         Properly make Web GPU available on iOS 11+.
747
748         * Configurations/FeatureDefines.xcconfig:
749         * Configurations/WebKitTargetConditionals.xcconfig:
750
751 2019-04-08  Ross Kirsling  <ross.kirsling@sony.com>
752
753         -f[no-]var-tracking-assignments is GCC-only
754         https://bugs.webkit.org/show_bug.cgi?id=196699
755
756         Reviewed by Don Olmstead.
757
758         * CMakeLists.txt:
759         Just remove the build flag altogether -- it supposedly doesn't solve the problem it was meant to
760         and said problem evidently no longer occurs as of GCC 9.
761
762 2019-04-08  Saam Barati  <sbarati@apple.com>
763
764         WebAssembly.RuntimeError missing exception check
765         https://bugs.webkit.org/show_bug.cgi?id=196700
766         <rdar://problem/49693932>
767
768         Reviewed by Yusuke Suzuki.
769
770         * wasm/js/JSWebAssemblyRuntimeError.h:
771         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
772         (JSC::constructJSWebAssemblyRuntimeError):
773
774 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
775
776         Unreviewed, rolling in r243948 with test fix
777         https://bugs.webkit.org/show_bug.cgi?id=196486
778
779         * parser/ASTBuilder.h:
780         (JSC::ASTBuilder::createString):
781         * parser/Lexer.cpp:
782         (JSC::Lexer<T>::parseMultilineComment):
783         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
784         (JSC::Lexer<T>::lex): Deleted.
785         * parser/Lexer.h:
786         (JSC::Lexer::hasLineTerminatorBeforeToken const):
787         (JSC::Lexer::setHasLineTerminatorBeforeToken):
788         (JSC::Lexer<T>::lex):
789         (JSC::Lexer::prevTerminator const): Deleted.
790         (JSC::Lexer::setTerminator): Deleted.
791         * parser/Parser.cpp:
792         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
793         (JSC::Parser<LexerType>::parseSingleFunction):
794         (JSC::Parser<LexerType>::parseStatementListItem):
795         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
796         (JSC::Parser<LexerType>::parseFunctionInfo):
797         (JSC::Parser<LexerType>::parseClass):
798         (JSC::Parser<LexerType>::parseExportDeclaration):
799         (JSC::Parser<LexerType>::parseAssignmentExpression):
800         (JSC::Parser<LexerType>::parseYieldExpression):
801         (JSC::Parser<LexerType>::parseProperty):
802         (JSC::Parser<LexerType>::parsePrimaryExpression):
803         (JSC::Parser<LexerType>::parseMemberExpression):
804         * parser/Parser.h:
805         (JSC::Parser::nextWithoutClearingLineTerminator):
806         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
807         (JSC::Parser::internalSaveLexerState):
808         (JSC::Parser::restoreLexerState):
809
810 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
811
812         Unreviewed, rolling out r243948.
813
814         Caused inspector/runtime/parse.html to fail
815
816         Reverted changeset:
817
818         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
819         https://bugs.webkit.org/show_bug.cgi?id=196486
820         https://trac.webkit.org/changeset/243948
821
822 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
823
824         Unreviewed, rolling out r243943.
825
826         Caused test262 failures.
827
828         Reverted changeset:
829
830         "[JSC] Filter DontEnum properties in
831         ProxyObject::getOwnPropertyNames()"
832         https://bugs.webkit.org/show_bug.cgi?id=176810
833         https://trac.webkit.org/changeset/243943
834
835 2019-04-08  Claudio Saavedra  <csaavedra@igalia.com>
836
837         [JSC] Partially fix the build with unified builds disabled
838         https://bugs.webkit.org/show_bug.cgi?id=196647
839
840         Reviewed by Konstantin Tokarev.
841
842         If you disable unified builds you find all kinds of build
843         errors. This partially tries to fix them but there's a lot
844         more.
845
846         * API/JSBaseInternal.h:
847         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
848         * b3/air/AirHandleCalleeSaves.h:
849         * bytecode/ExecutableToCodeBlockEdge.cpp:
850         * bytecode/ExitFlag.h:
851         * bytecode/ICStatusUtils.h:
852         * bytecode/UnlinkedMetadataTable.h:
853         * dfg/DFGPureValue.h:
854         * heap/IsoAlignedMemoryAllocator.cpp:
855         * heap/IsoAlignedMemoryAllocator.h:
856
857 2019-04-08  Guillaume Emont  <guijemont@igalia.com>
858
859         Enable DFG on MIPS
860         https://bugs.webkit.org/show_bug.cgi?id=196689
861
862         Reviewed by Žan Doberšek.
863
864         Since the bytecode change, we enabled the baseline JIT on mips in
865         r240432, but DFG is still missing. With this change, all tests are
866         passing on a ci20 board.
867
868         * jit/RegisterSet.cpp:
869         (JSC::RegisterSet::calleeSaveRegisters):
870         Added s0, which is used in llint.
871
872 2019-04-08  Xan Lopez  <xan@igalia.com>
873
874         [CMake] Detect SSE2 at compile time
875         https://bugs.webkit.org/show_bug.cgi?id=196488
876
877         Reviewed by Carlos Garcia Campos.
878
879         * assembler/MacroAssemblerX86Common.cpp: Remove unnecessary (and
880         incorrect) static_assert.
881
882 2019-04-07  Michael Saboff  <msaboff@apple.com>
883
884         REGRESSION (r243642): Crash in reddit.com page
885         https://bugs.webkit.org/show_bug.cgi?id=196684
886
887         Reviewed by Geoffrey Garen.
888
889         In r243642, the code that saves and restores the count for non-greedy character classes
890         was inadvertently put inside an if statement.  This code should be generated for all
891         non-greedy character classes.
892
893         * yarr/YarrJIT.cpp:
894         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
895         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
896
897 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
898
899         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
900         https://bugs.webkit.org/show_bug.cgi?id=196683
901
902         Reviewed by Saam Barati.
903
904         In r243626, we stopped repatching CallLinkInfo when the CallLinkInfo is held by a jettisoned CodeBlock.
905         But we still need to clear the Callee or CodeBlock since they are now dead. Otherwise, CodeBlock's
906         visitWeak eventually accesses these dead cells and crashes, because the owner CodeBlock of the CallLinkInfo
907         can still be live.
908
909         We also move all repatching operations from CallLinkInfo.cpp to Repatch.cpp for consistency because the
910         other repatching operations in CallLinkInfo are implemented in Repatch.cpp side.
911
912         * bytecode/CallLinkInfo.cpp:
913         (JSC::CallLinkInfo::setCallee):
914         (JSC::CallLinkInfo::clearCallee):
915         * jit/Repatch.cpp:
916         (JSC::linkFor):
917         (JSC::revertCall):
918
919 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
920
921         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
922         https://bugs.webkit.org/show_bug.cgi?id=196582
923
924         Reviewed by Saam Barati.
925
926         In DFG, our ArithAdd with overflow is executed speculatively, and we recover the value when the overflow flag is set.
927         The recovery is subtracting the operand from the destination to get the original two operands. Our recovery code
928         handles the A + B = A and A + B = B cases. But it misses the A + A = A case (here, A and B are GPRRegs). Our recovery code
929         attempts to produce the original operand by performing A - A, and it always produces zero accidentally.
930
931         This patch adds the recovery code for the A + A = A case. Because we know that this ArithAdd overflowed, and the operands were
932         the same value, we can calculate the original operand from the destination value by `((int32_t)value >> 1) ^ 0x80000000`.
933
934         We also found that the FTL recovery code is dead. We remove it in this patch.
935
936         * dfg/DFGOSRExit.cpp:
937         (JSC::DFG::OSRExit::executeOSRExit):
938         (JSC::DFG::OSRExit::compileExit):
939         * dfg/DFGOSRExit.h:
940         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
941         * dfg/DFGSpeculativeJIT.cpp:
942         (JSC::DFG::SpeculativeJIT::compileArithAdd):
943         * ftl/FTLExitValue.cpp:
944         (JSC::FTL::ExitValue::dataFormat const):
945         (JSC::FTL::ExitValue::dumpInContext const):
946         * ftl/FTLExitValue.h:
947         (JSC::FTL::ExitValue::isArgument const):
948         (JSC::FTL::ExitValue::hasIndexInStackmapLocations const):
949         (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset):
950         (JSC::FTL::ExitValue::recovery): Deleted.
951         (JSC::FTL::ExitValue::isRecovery const): Deleted.
952         (JSC::FTL::ExitValue::leftRecoveryArgument const): Deleted.
953         (JSC::FTL::ExitValue::rightRecoveryArgument const): Deleted.
954         (JSC::FTL::ExitValue::recoveryFormat const): Deleted.
955         (JSC::FTL::ExitValue::recoveryOpcode const): Deleted.
956         * ftl/FTLLowerDFGToB3.cpp:
957         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
958         (JSC::FTL::DFG::LowerDFGToB3::preparePatchpointForExceptions):
959         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
960         (JSC::FTL::DFG::LowerDFGToB3::exitValueForNode):
961         (JSC::FTL::DFG::LowerDFGToB3::addAvailableRecovery): Deleted.
962         * ftl/FTLOSRExitCompiler.cpp:
963         (JSC::FTL::compileRecovery):
964
965 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
966
967         Unreviewed, rolling out r243665.
968
969         Caused iOS JSC tests to exit with an exception.
970
971         Reverted changeset:
972
973         "Assertion failed in JSC::createError"
974         https://bugs.webkit.org/show_bug.cgi?id=196305
975         https://trac.webkit.org/changeset/243665
976
977 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
978
979         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
980         https://bugs.webkit.org/show_bug.cgi?id=196486
981
982         Reviewed by Saam Barati.
983
984         When parsing a FunctionExpression / FunctionDeclaration etc., we use SyntaxChecker for the body of the function because we do not have any interest in the nodes of the body at that time.
985         The nodes will be parsed with the ASTBuilder when the function itself is parsed for code generation. This worked well previously because all functions ended with "}".
986         SyntaxChecker lexes this "}" token, and the parser restores the context back to ASTBuilder and continues parsing.
987
988         But now, we have ArrowFunctionExpression without braces `arrow => expr`. Let's consider the following code.
989
990                 arrow => expr
991                 "string!"
992
993         We parse the arrow function's body with SyntaxChecker. At that time, we lex the "string!" token under the SyntaxChecker context. But this means that we may not build string content for this token
994         since SyntaxChecker may not have interest in the string content itself in certain cases. After the parser is back to ASTBuilder, we parse "string!" as an ExpressionStatement with a string constant,
995         generate a StringNode with a non-built identifier (nullptr), and we accidentally create a StringNode with nullptr.
996
997         This patch fixes this problem. The root cause of this problem is that the last token lexed in the previous context is used. We add lexCurrentTokenAgainUnderCurrentContext, which will re-lex
998         the current token under the current context (which may be ASTBuilder). This should be done only when the caller's context is different from SyntaxChecker, which avoids unnecessary lexing.
999         We leverage the existing SavePoint mechanism to implement lexCurrentTokenAgainUnderCurrentContext cleanly.
1000
1001         And we also fix a bug in the existing SavePoint mechanism, which is shown in the attached test script. When we save LexerState, we do not save the line terminator status. This patch also introduces
1002         lexWithoutClearingLineTerminator, which lexes the token without clearing the line terminator status.
1003
1004         * parser/ASTBuilder.h:
1005         (JSC::ASTBuilder::createString):
1006         * parser/Lexer.cpp:
1007         (JSC::Lexer<T>::parseMultilineComment):
1008         (JSC::Lexer<T>::lexWithoutClearingLineTerminator): The EOF token should also record offset information. This offset information is correctly handled in Lexer::setOffset too.
1009         (JSC::Lexer<T>::lex): Deleted.
1010         * parser/Lexer.h:
1011         (JSC::Lexer::hasLineTerminatorBeforeToken const):
1012         (JSC::Lexer::setHasLineTerminatorBeforeToken):
1013         (JSC::Lexer<T>::lex):
1014         (JSC::Lexer::prevTerminator const): Deleted.
1015         (JSC::Lexer::setTerminator): Deleted.
1016         * parser/Parser.cpp:
1017         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
1018         (JSC::Parser<LexerType>::parseSingleFunction):
1019         (JSC::Parser<LexerType>::parseStatementListItem):
1020         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
1021         (JSC::Parser<LexerType>::parseFunctionInfo):
1022         (JSC::Parser<LexerType>::parseClass):
1023         (JSC::Parser<LexerType>::parseExportDeclaration):
1024         (JSC::Parser<LexerType>::parseAssignmentExpression):
1025         (JSC::Parser<LexerType>::parseYieldExpression):
1026         (JSC::Parser<LexerType>::parseProperty):
1027         (JSC::Parser<LexerType>::parsePrimaryExpression):
1028         (JSC::Parser<LexerType>::parseMemberExpression):
1029         * parser/Parser.h:
1030         (JSC::Parser::nextWithoutClearingLineTerminator):
1031         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
1032         (JSC::Parser::internalSaveLexerState):
1033         (JSC::Parser::restoreLexerState):
1034
1035 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1036
1037         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1038         https://bugs.webkit.org/show_bug.cgi?id=176810
1039
1040         Reviewed by Saam Barati.
1041
1042         This adds conditional logic following the invariant checks, to perform
1043         filtering in common uses of getOwnPropertyNames.
1044
1045         While this would ideally only be done in JSPropertyNameEnumerator, adding
1046         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
1047         invariant that the EnumerationMode is properly followed.
1048
1049         * runtime/PropertyNameArray.h:
1050         (JSC::PropertyNameArray::reset):
1051         * runtime/ProxyObject.cpp:
1052         (JSC::ProxyObject::performGetOwnPropertyNames):
1053
1054 2019-04-05  Commit Queue  <commit-queue@webkit.org>
1055
1056         Unreviewed, rolling out r243833.
1057         https://bugs.webkit.org/show_bug.cgi?id=196645
1058
1059         This change breaks build of WPE and GTK ports (Requested by
1060         annulen on #webkit).
1061
1062         Reverted changeset:
1063
1064         "[CMake][WTF] Mirror XCode header directories"
1065         https://bugs.webkit.org/show_bug.cgi?id=191662
1066         https://trac.webkit.org/changeset/243833
1067
1068 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1069
1070         [JSC] throw if ownKeys Proxy trap result contains duplicate keys
1071         https://bugs.webkit.org/show_bug.cgi?id=185211
1072
1073         Reviewed by Saam Barati.
1074
1075         Implements the normative spec change in https://github.com/tc39/ecma262/pull/833
1076
1077         This involves tracking duplicate keys returned from the ownKeys trap in yet
1078         another HashTable, and may incur a minor performance penalty in some cases. This
1079         is not expected to significantly affect web performance.
1080
1081         * runtime/ProxyObject.cpp:
1082         (JSC::ProxyObject::performGetOwnPropertyNames):
1083
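As an added example (not WebKit code) of the invariant check the entry above refers to: the ECMAScript [[OwnPropertyKeys]] steps for a Proxy, written in standalone C++ over string keys. The duplicate-key rejection from tc39/ecma262#833 is the first check and uses one extra hash set over the trap result; the remaining checks are the pre-existing invariants against the target's non-configurable keys and its extensibility. Type and function names are this example's own, and symbol keys are left out of the model.

```cpp
#include <optional>
#include <string>
#include <unordered_set>
#include <vector>

using KeyList = std::vector<std::string>;

// The parts of the target object the ownKeys invariants consult.
struct TargetShape {
    KeyList keys;                                     // target's own keys
    std::unordered_set<std::string> nonConfigurable;  // subset of keys with configurable: false
    bool extensible;
};

// Returns nullopt when the trap result is acceptable, otherwise the message of
// the TypeError the engine would throw.
std::optional<std::string> validateOwnKeysTrapResult(const KeyList& trapResult, const TargetShape& target)
{
    // tc39/ecma262#833: duplicates in the trap result are a TypeError. This extra
    // hash set over the trap result is the one the ChangeLog entry alludes to.
    std::unordered_set<std::string> seen;
    for (const auto& key : trapResult) {
        if (!seen.insert(key).second)
            return "ownKeys trap result contains duplicate key '" + key + "'";
    }
    // Every non-configurable own key of the target must be reported.
    for (const auto& key : target.nonConfigurable) {
        if (!seen.count(key))
            return "ownKeys trap result omits non-configurable key '" + key + "'";
    }
    if (target.extensible)
        return std::nullopt;
    // A non-extensible target's key set must be reported exactly: nothing omitted ...
    for (const auto& key : target.keys) {
        if (!seen.count(key))
            return "ownKeys trap result omits key '" + key + "' of non-extensible target";
    }
    // ... and nothing added. With duplicates already excluded, any surplus in
    // seen must be a key the target does not have.
    if (seen.size() != target.keys.size())
        return "ownKeys trap result reports a key the non-extensible target lacks";
    return std::nullopt;
}

// Constructed sample targets (not taken from any test suite) for exercising the checks.
TargetShape sampleExtensibleTarget()
{
    return { { "a", "b" }, { "a" }, true };
}

TargetShape sampleFrozenTarget()
{
    return { { "a", "b" }, { "a", "b" }, false };
}
```

An extensible target may legitimately report extra keys, so `{"a", "b", "extra"}` passes against `sampleExtensibleTarget()` but fails against `sampleFrozenTarget()`; a duplicate fails against either, which is the behaviour the spec change introduces.
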
1084 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1085
1086         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
1087         https://bugs.webkit.org/show_bug.cgi?id=196631
1088
1089         Reviewed by Saam Barati.
1090
1091         makeBoundFunction assumes that the "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
1092         DFG may store this value in Double format, so we should not rely on this value being Int32. This patch fixes the makeBoundFunction function to perform a
1093         toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
1094
1095         * JavaScriptCore.xcodeproj/project.pbxproj:
1096         * Sources.txt:
1097         * interpreter/CallFrameInlines.h:
1098         * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
1099         (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
1100         (JSC::DoublePredictionFuzzerAgent::getPrediction):
1101         * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
1102         * runtime/JSGlobalObject.cpp:
1103         (JSC::makeBoundFunction):
1104         * runtime/Options.h:
1105         * runtime/VM.cpp:
1106         (JSC::VM::VM):
1107
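The to_index_string and makeBoundFunction entries above describe the same hazard: a value the bytecode author pictured as Int32/Uint32 may reach a slow path boxed as a Double once the DFG has chosen that format, and reading its 32-bit payload anyway yields a wrong index or length. The following is an added example, not WebKit code, using a deliberately simplified two-kind number box (not JSC's real JSValue encoding); it contrasts the unchecked payload read with an AnyInt-plus-range check for indices and an ECMAScript ToInt32 for a "length" value. All names are the example's own, and the int52 bound on AnyInt is taken from JSC's definition as this example understands it.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <optional>

// Simplified model of a boxed JS number (illustration only, not JSC's JSValue
// encoding): the kind tag says how to interpret the 64-bit payload.
struct NumberValue {
    enum class Kind { Int32, Double } kind;
    uint64_t payload;

    static NumberValue fromInt32(int32_t v) { return { Kind::Int32, static_cast<uint32_t>(v) }; }
    static NumberValue fromDouble(double d)
    {
        uint64_t bits;
        std::memcpy(&bits, &d, sizeof bits);
        return { Kind::Double, bits };
    }

    bool isInt32() const { return kind == Kind::Int32; }
    int32_t asInt32() const { return static_cast<int32_t>(static_cast<uint32_t>(payload)); }
    double asDouble() const { double d; std::memcpy(&d, &payload, sizeof d); return d; }

    // The assumption the fixed slow paths used to make: "the subscript is a Uint32,
    // so the low 32 bits of the box are the index". True only for Int32 boxes.
    uint32_t asUInt32Unchecked() const { return static_cast<uint32_t>(payload); }

    // AnyInt: an integer held exactly either as Int32 or as an integral Double.
    // JSC bounds AnyInt to int52; this model uses the same bound.
    bool isAnyInt() const
    {
        if (isInt32())
            return true;
        double d = asDouble();
        if (!std::isfinite(d) || std::trunc(d) != d)
            return false;
        if (d == 0 && std::signbit(d))
            return false; // -0 is a Double, not an integer value
        const double int52Limit = 2251799813685248.0; // 2^51
        return d >= -int52Limit && d < int52Limit;
    }
    int64_t asAnyInt() const { return isInt32() ? asInt32() : static_cast<int64_t>(asDouble()); }
};

// to_index_string-style conversion: accept any AnyInt whose value lies in
// [0, 2^32) regardless of boxing, and reject everything else instead of
// reading garbage.
std::optional<uint32_t> toUInt32Index(const NumberValue& v)
{
    if (!v.isAnyInt())
        return std::nullopt;
    int64_t i = v.asAnyInt();
    if (i < 0 || i > static_cast<int64_t>(UINT32_MAX))
        return std::nullopt;
    return static_cast<uint32_t>(i);
}

// ECMAScript ToInt32 (truncate, reduce mod 2^32, reinterpret as signed): the
// conversion makeBoundFunction applies to its computed "length" after the fix.
int32_t toInt32(double d)
{
    if (!std::isfinite(d))
        return 0;
    double m = std::fmod(std::trunc(d), 4294967296.0);
    if (m < 0)
        m += 4294967296.0;
    return static_cast<int32_t>(static_cast<uint32_t>(m));
}

// Same conversion for a boxed value: an Int32 box is already ToInt32 of itself.
int32_t toInt32(const NumberValue& v)
{
    return v.isInt32() ? v.asInt32() : toInt32(v.asDouble());
}
```

The unchecked read is the interesting failure: for a small integral Double such as 3.0 the low 32 bits of the IEEE encoding are zero, so the old assumption silently turns the index into 0, while for 2147483649.0 it yields 2097152, an index that is in range and therefore passes any later bounds check against a large enough array.
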
1108 2019-04-04  Robin Morisset  <rmorisset@apple.com>
1109
1110         B3ReduceStrength should know that Mul distributes over Add and Sub
1111         https://bugs.webkit.org/show_bug.cgi?id=196325
1112         <rdar://problem/49441650>
1113
1114         Reviewed by Saam Barati.
1115
1116         Fix some obviously wrong code that was due to an accidental copy-paste.
1117         It made the entire optimization dead code that never ran.
1118
1119         * b3/B3ReduceStrength.cpp:
1120
1121 2019-04-04  Saam Barati  <sbarati@apple.com>
1122
1123         Unreviewed, build fix for CLoop after r243886
1124
1125         * interpreter/Interpreter.cpp:
1126         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1127         * interpreter/StackVisitor.cpp:
1128         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1129         * interpreter/StackVisitor.h:
1130
1131 2019-04-04  Commit Queue  <commit-queue@webkit.org>
1132
1133         Unreviewed, rolling out r243898.
1134         https://bugs.webkit.org/show_bug.cgi?id=196624
1135
1136         `#if !ENABLE(C_LOOP) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0`
1137         does not work well (Requested by yusukesuzuki on #webkit).
1138
1139         Reverted changeset:
1140
1141         "Unreviewed, build fix for CLoop and Windows after r243886"
1142         https://bugs.webkit.org/show_bug.cgi?id=196387
1143         https://trac.webkit.org/changeset/243898
1144
1145 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1146
1147         Unreviewed, build fix for CLoop and Windows after r243886
1148         https://bugs.webkit.org/show_bug.cgi?id=196387
1149
1150         RegisterAtOffsetList does not exist if ENABLE(ASSEMBLER) is false.
1151
1152         * interpreter/StackVisitor.cpp:
1153         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1154         * interpreter/StackVisitor.h:
1155
1156 2019-04-04  Saam barati  <sbarati@apple.com>
1157
1158         Teach Call ICs how to call Wasm
1159         https://bugs.webkit.org/show_bug.cgi?id=196387
1160
1161         Reviewed by Filip Pizlo.
1162
1163         This patch teaches JS to call Wasm without going through the native thunk.
1164         Currently, we emit a JIT "JS" callee stub which marshals arguments from
1165         JS to Wasm. Like the native version of this, this thunk is responsible
1166         for saving and restoring the VM's current Wasm context. Instead of emitting
1167         an exception handler, we also teach the unwinder how to read the previous
1168         wasm context to restore it as it unwinds past this frame.
1169         
1170         This patch is straight forward, and leaves some areas for perf improvement:
1171         - We can teach the DFG/FTL to directly use the Wasm calling convention when
1172           it knows it's calling a single Wasm function. This way we don't shuffle
1173           registers to the stack and then back into registers.
1174         - We bail out to the slow path for mismatched arity. I opened a bug to
1175           optimize arity check failures: https://bugs.webkit.org/show_bug.cgi?id=196564
1176         - We bail out to the slow path for Double JSValues flowing into i32 arguments.
1177           We should teach this thunk how to do that conversion directly.
1178         
1179         This patch also refactors the code to explicitly have a single pinned size register.
1180         We used to pretend in some places that we could have more than one pinned size register.
1181         However, there was other code that just asserted the size was one. This patch just rips
1182         out this code since we never moved to having more than one pinned size register. Doing
1183         this refactoring cleans up the various places where we set up the size register.
1184         
1185         This patch is a 50-60% progression on JetStream 2's richards-wasm.
1186
1187         * JavaScriptCore.xcodeproj/project.pbxproj:
1188         * Sources.txt:
1189         * assembler/MacroAssemblerCodeRef.h:
1190         (JSC::MacroAssemblerCodeRef::operator=):
1191         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1192         * interpreter/Interpreter.cpp:
1193         (JSC::UnwindFunctor::operator() const):
1194         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1195         * interpreter/StackVisitor.cpp:
1196         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1197         (JSC::StackVisitor::Frame::calleeSaveRegisters): Deleted.
1198         * interpreter/StackVisitor.h:
1199         * jit/JITOperations.cpp:
1200         * jit/RegisterSet.cpp:
1201         (JSC::RegisterSet::runtimeTagRegisters):
1202         (JSC::RegisterSet::specialRegisters):
1203         (JSC::RegisterSet::runtimeRegisters): Deleted.
1204         * jit/RegisterSet.h:
1205         * jit/Repatch.cpp:
1206         (JSC::linkPolymorphicCall):
1207         * runtime/JSFunction.cpp:
1208         (JSC::getCalculatedDisplayName):
1209         * runtime/JSGlobalObject.cpp:
1210         (JSC::JSGlobalObject::init):
1211         (JSC::JSGlobalObject::visitChildren):
1212         * runtime/JSGlobalObject.h:
1213         (JSC::JSGlobalObject::jsToWasmICCalleeStructure const):
1214         * runtime/VM.cpp:
1215         (JSC::VM::VM):
1216         * runtime/VM.h:
1217         * wasm/WasmAirIRGenerator.cpp:
1218         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
1219         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
1220         (JSC::Wasm::AirIRGenerator::addCallIndirect):
1221         * wasm/WasmB3IRGenerator.cpp:
1222         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1223         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1224         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1225         * wasm/WasmBinding.cpp:
1226         (JSC::Wasm::wasmToWasm):
1227         * wasm/WasmContext.h:
1228         (JSC::Wasm::Context::pointerToInstance):
1229         * wasm/WasmContextInlines.h:
1230         (JSC::Wasm::Context::store):
1231         * wasm/WasmMemoryInformation.cpp:
1232         (JSC::Wasm::getPinnedRegisters):
1233         (JSC::Wasm::PinnedRegisterInfo::get):
1234         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1235         * wasm/WasmMemoryInformation.h:
1236         (JSC::Wasm::PinnedRegisterInfo::toSave const):
1237         * wasm/WasmOMGPlan.cpp:
1238         (JSC::Wasm::OMGPlan::work):
1239         * wasm/js/JSToWasm.cpp:
1240         (JSC::Wasm::createJSToWasmWrapper):
1241         * wasm/js/JSToWasmICCallee.cpp: Added.
1242         (JSC::JSToWasmICCallee::create):
1243         (JSC::JSToWasmICCallee::createStructure):
1244         (JSC::JSToWasmICCallee::visitChildren):
1245         * wasm/js/JSToWasmICCallee.h: Added.
1246         (JSC::JSToWasmICCallee::function):
1247         (JSC::JSToWasmICCallee::JSToWasmICCallee):
1248         * wasm/js/WebAssemblyFunction.cpp:
1249         (JSC::WebAssemblyFunction::useTagRegisters const):
1250         (JSC::WebAssemblyFunction::calleeSaves const):
1251         (JSC::WebAssemblyFunction::usedCalleeSaveRegisters const):
1252         (JSC::WebAssemblyFunction::previousInstanceOffset const):
1253         (JSC::WebAssemblyFunction::previousInstance):
1254         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1255         (JSC::WebAssemblyFunction::visitChildren):
1256         (JSC::WebAssemblyFunction::destroy):
1257         * wasm/js/WebAssemblyFunction.h:
1258         * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Added.
1259         (JSC::WebAssemblyFunctionDestroyFunc::operator() const):
1260         (JSC::WebAssemblyFunctionHeapCellType::WebAssemblyFunctionHeapCellType):
1261         (JSC::WebAssemblyFunctionHeapCellType::~WebAssemblyFunctionHeapCellType):
1262         (JSC::WebAssemblyFunctionHeapCellType::finishSweep):
1263         (JSC::WebAssemblyFunctionHeapCellType::destroy):
1264         * wasm/js/WebAssemblyFunctionHeapCellType.h: Added.
1265         * wasm/js/WebAssemblyPrototype.h:
1266
1267 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1268
1269         [JSC] Pass CodeOrigin to FuzzerAgent
1270         https://bugs.webkit.org/show_bug.cgi?id=196590
1271
1272         Reviewed by Saam Barati.
1273
1274         Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
1275         We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
1276         but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
1277
1278         * dfg/DFGByteCodeParser.cpp:
1279         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1280         * runtime/FuzzerAgent.cpp:
1281         (JSC::FuzzerAgent::getPrediction):
1282         * runtime/FuzzerAgent.h:
1283         * runtime/RandomizingFuzzerAgent.cpp:
1284         (JSC::RandomizingFuzzerAgent::getPrediction):
1285         * runtime/RandomizingFuzzerAgent.h:
1286
1287 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
1288
1289         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
1290         https://bugs.webkit.org/show_bug.cgi?id=194944
1291
1292         Reviewed by Keith Miller.
1293
1294         Based on profile data collected on JetStream2, Speedometer 2 and
1295         other benchmarks, it is very rare to have a non-empty
1296         UnlinkedFunctionExecutable::m_parentScopeTDZVariables.
1297
1298         - Data collected from Speedometer2
1299             Total number of UnlinkedFunctionExecutable: 39463
1300             Total number of non-empty parentScopeTDZVars: 428 (~1%)
1301
1302         - Data collected from JetStream2
1303             Total number of UnlinkedFunctionExecutable: 83715
1304             Total number of non-empty parentScopeTDZVars: 5285 (~6%)
1305
1306         We also collected numbers on 6 of the top 10 Alexa sites.
1307
1308         - Data collected from youtube.com
1309             Total number of UnlinkedFunctionExecutable: 29599
1310             Total number of non-empty parentScopeTDZVars: 97 (~0.3%)
1311
1312         - Data collected from twitter.com
1313             Total number of UnlinkedFunctionExecutable: 23774
1314             Total number of non-empty parentScopeTDZVars: 172 (~0.7%)
1315
1316         - Data collected from google.com
1317             Total number of UnlinkedFunctionExecutable: 33209
1318             Total number of non-empty parentScopeTDZVars: 174 (~0.5%)
1319
1320         - Data collected from amazon.com:
1321             Total number of UnlinkedFunctionExecutable: 15182
1322             Total number of non-empty parentScopeTDZVars: 166 (~1%)
1323
1324         - Data collected from facebook.com:
1325             Total number of UnlinkedFunctionExecutable: 54443
1326             Total number of non-empty parentScopeTDZVars: 269 (~0.4%)
1327
1328         - Data collected from netflix.com:
1329             Total number of UnlinkedFunctionExecutable: 39266
1330             Total number of non-empty parentScopeTDZVars: 97 (~0.2%)
1331
1332         Considering such numbers, this patch is moving `m_parentScopeTDZVariables`
1333         to RareData. This decreases sizeof(UnlinkedFunctionExecutable) by
1334         16 bytes. With this change, UnlinkedFunctionExecutable constructors now
1335         receive an `Optional<VariableEnvironmentMap::Handle>` and only store
1336         it when `value != WTF::nullopt`. We also changed
1337         UnlinkedFunctionExecutable::parentScopeTDZVariables() so that it returns
1338         `VariableEnvironment()` whenever the Executable doesn't have RareData,
1339         or VariableEnvironmentMap::Handle is uninitialized. This is required
1340         because RareData is instantiated when any of its fields is stored and
1341         we can have an uninitialized `Handle` even in cases when parentScopeTDZVariables
1342         is `WTF::nullopt`.
1343
1344         Results on memory usage on JetStream2 are neutral.
1345
1346             Mean of memory peak on ToT: 4258633728 bytes (confidence interval: 249720072.95)
1347             Mean of memory peak on Changes: 4367325184 bytes (confidence interval: 321285583.61)
1348
1349         * builtins/BuiltinExecutables.cpp:
1350         (JSC::BuiltinExecutables::createExecutable):
1351         * bytecode/UnlinkedFunctionExecutable.cpp:
1352         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1353         * bytecode/UnlinkedFunctionExecutable.h:
1354         * bytecompiler/BytecodeGenerator.cpp:
1355         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1356
1357         BytecodeGenerator::getVariablesUnderTDZ now also caches if m_cachedVariablesUnderTDZ
1358         is empty, so we can properly return `WTF::nullopt` without the
1359         reconstruction of a VariableEnvironment to check if it is empty.
1360
1361         * bytecompiler/BytecodeGenerator.h:
1362         (JSC::BytecodeGenerator::makeFunction):
1363         * parser/VariableEnvironment.h:
1364         (JSC::VariableEnvironment::isEmpty const):
1365         * runtime/CachedTypes.cpp:
1366         (JSC::CachedCompactVariableMapHandle::decode const):
1367
1368         It returns an uninitialized Handle when there is no
1369         CompactVariableEnvironment. This can happen when RareData is ensured
1370         because of another field.
1371
1372         (JSC::CachedFunctionExecutableRareData::encode):
1373         (JSC::CachedFunctionExecutableRareData::decode const):
1374         (JSC::CachedFunctionExecutable::encode):
1375         (JSC::CachedFunctionExecutable::decode const):
1376         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1377         * runtime/CodeCache.cpp:
1378
1379         Instead of creating a dummyVariablesUnderTDZ, we simply pass
1380         WTF::nullopt.
1381
1382         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1383
1384 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1385
1386         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
1387         https://bugs.webkit.org/show_bug.cgi?id=196409
1388
1389         Reviewed by Saam Barati.
1390
1391         Some of the helpers in jsc.cpp, such as `functionRunString`, were still using
1392         `makeSource` instead of `jscSource`, which does not use the ShellSourceProvider
1393         and therefore does not write the bytecode cache to disk.
1394
1395         Changing that revealed a bug in the bytecode cache. The Encoder keeps a mapping
1396         of pointers to offsets of already cached objects, in order to avoid caching
1397         the same object twice. Similarly, the Decoder keeps a mapping from offsets
1398         to pointers, in order to avoid creating multiple objects in memory for the
1399         same cached object. The following was happening:
1400         1) A StringImpl* S was cached as CachedPtr<CachedStringImpl> at offset O. We add
1401         an entry in the Encoder mapping that S has already been encoded at O.
1402         2) We cache StringImpl* S again, but now as CachedPtr<CachedUniquedStringImpl>.
1403         We find an entry in the Encoder mapping for S, and return the offset O. However,
1404         the object cached at O is a CachedPtr<CachedStringImpl> (i.e. not Uniqued).
1405
1406         3) When decoding, there are 2 possibilities:
1407         3.1) We find S for the first time through a CachedPtr<CachedStringImpl>. In
1408         this case, everything works as expected since we add an entry in the decoder
1409         mapping from the offset O to the decoded StringImpl* S. The next time we find
1410         S through the uniqued version, we'll return the already decoded S.
1411         3.2) We find S through a CachedPtr<CachedUniquedStringImpl>. Now we have a
1412         problem, since the CachedPtr has the offset of a CachedStringImpl (not uniqued),
1413         which has a different shape and we crash.
1414
1415         We fix this by making CachedStringImpl and CachedUniquedStringImpl share the
1416         same implementation. Since it doesn't matter whether a string is uniqued for
1417         encoding, and we always decode strings as uniqued either way, they can be used
1418         interchangeably.
1419
1420         * jsc.cpp:
1421         (functionRunString):
1422         (functionLoadString):
1423         (functionDollarAgentStart):
1424         (functionCheckModuleSyntax):
1425         (runInteractive):
1426         * runtime/CachedTypes.cpp:
1427         (JSC::CachedUniquedStringImplBase::decode const):
1428         (JSC::CachedFunctionExecutable::rareData const):
1429         (JSC::CachedCodeBlock::rareData const):
1430         (JSC::CachedFunctionExecutable::encode):
1431         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1432         (JSC::CachedUniquedStringImpl::encode): Deleted.
1433         (JSC::CachedUniquedStringImpl::decode const): Deleted.
1434         (JSC::CachedStringImpl::encode): Deleted.
1435         (JSC::CachedStringImpl::decode const): Deleted.
1436
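The encoder/decoder confusion described in the entry above, modelled as an added example that is not JSC's CachedTypes code: a pointer-keyed offset cache that ignores which record layout was written, beside the fix the entry describes, one shared layout for both views. `Encoder`, `Decoder`, `Shape`, the two record layouts and the sample string are constructed for this illustration; `std::string` stands in for `StringImpl`.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <map>
#include <string>
#include <vector>

// Toy model of the Encoder/Decoder offset caches (constructed; not JSC code).
// The two record layouts are invented for the illustration:
//   Plain   = [shape:u8][len:u32][bytes...]
//   Uniqued = [shape:u8][hash:u32][len:u32][bytes...]
using StringImpl = std::string;
enum class Shape : uint8_t { Plain = 1, Uniqued = 2 };

struct Encoder {
    std::vector<uint8_t> buffer;
    std::map<const StringImpl*, size_t> cachedOffsets; // pointer -> offset, shape-blind
    bool sharedLayout; // the fix: every string is written with the same layout

    explicit Encoder(bool shared) : sharedLayout(shared) {}

    void putU32(uint32_t v) {
        for (int i = 0; i < 4; ++i)
            buffer.push_back(static_cast<uint8_t>(v >> (8 * i)));
    }

    // Steps 1 and 2 of the bug: a pointer already in the map is returned as-is,
    // whatever layout the caller asked for this time.
    size_t encode(const StringImpl* s, Shape requested) {
        auto it = cachedOffsets.find(s);
        if (it != cachedOffsets.end())
            return it->second;
        Shape shape = sharedLayout ? Shape::Uniqued : requested;
        size_t offset = buffer.size();
        buffer.push_back(static_cast<uint8_t>(shape));
        if (shape == Shape::Uniqued)
            putU32(static_cast<uint32_t>(std::hash<std::string>{}(*s)));
        putU32(static_cast<uint32_t>(s->size()));
        buffer.insert(buffer.end(), s->begin(), s->end());
        cachedOffsets[s] = offset;
        return offset;
    }
};

struct Decoder {
    const std::vector<uint8_t>& buffer;
    std::map<size_t, StringImpl> decoded; // offset -> already materialised string

    explicit Decoder(const std::vector<uint8_t>& b) : buffer(b) {}

    uint32_t getU32(size_t at) const {
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i)
            v |= static_cast<uint32_t>(buffer.at(at + i)) << (8 * i);
        return v;
    }

    // Step 3.2: read the record at `offset` through the Uniqued view. Returns false
    // where JSC crashed, i.e. when the record was written with the other layout and
    // hash, len and bytes would be read from the wrong positions.
    bool decodeUniqued(size_t offset, StringImpl& out) {
        auto it = decoded.find(offset);
        if (it != decoded.end()) {
            out = it->second;
            return true;
        }
        if (offset >= buffer.size() || static_cast<Shape>(buffer[offset]) != Shape::Uniqued)
            return false;
        size_t len = getU32(offset + 5);
        size_t start = offset + 9;
        if (start + len > buffer.size())
            return false;
        out.assign(reinterpret_cast<const char*>(buffer.data()) + start, len);
        decoded[offset] = out;
        return true;
    }
};

// Encodes one string as Plain first, then as Uniqued (both requests hit the same
// pointer, so both get offset O), then decodes O through the Uniqued view.
bool decodesThroughUniquedView(bool sharedLayout) {
    StringImpl s = "functionRunString"; // constructed sample string
    Encoder enc(sharedLayout);
    size_t plainOffset = enc.encode(&s, Shape::Plain);
    size_t uniquedOffset = enc.encode(&s, Shape::Uniqued);
    if (plainOffset != uniquedOffset)
        return false;
    Decoder dec(enc.buffer);
    StringImpl out;
    return dec.decodeUniqued(uniquedOffset, out) && out == s;
}
```
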
1437 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1438
1439         UnlinkedCodeBlock constructor from cache should initialize m_didOptimize
1440         https://bugs.webkit.org/show_bug.cgi?id=196396
1441
1442         Reviewed by Saam Barati.
1443
1444         The UnlinkedCodeBlock constructor in CachedTypes was missing the initialization
1445         for m_didOptimize, which leads to crashes in CodeBlock::thresholdForJIT.
1446
1447         * runtime/CachedTypes.cpp:
1448         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1449
1450 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1451
1452         Unreviewed, rolling in r243843 with the build fix
1453         https://bugs.webkit.org/show_bug.cgi?id=196586
1454
1455         * runtime/Options.cpp:
1456         (JSC::recomputeDependentOptions):
1457         * runtime/Options.h:
1458         * runtime/RandomizingFuzzerAgent.cpp:
1459         (JSC::RandomizingFuzzerAgent::getPrediction):
1460
1461 2019-04-03  Ryan Haddad  <ryanhaddad@apple.com>
1462
1463         Unreviewed, rolling out r243843.
1464
1465         Broke CLoop and Windows builds.
1466
1467         Reverted changeset:
1468
1469         "[JSC] Add dump feature for RandomizingFuzzerAgent"
1470         https://bugs.webkit.org/show_bug.cgi?id=196586
1471         https://trac.webkit.org/changeset/243843
1472
1473 2019-04-03  Robin Morisset  <rmorisset@apple.com>
1474
1475         B3 should use associativity to optimize expression trees
1476         https://bugs.webkit.org/show_bug.cgi?id=194081
1477
1478         Reviewed by Filip Pizlo.
1479
1480         This patch adds a new B3 pass, that tries to find and optimize expression trees made purely of any one associative and commutative operator (Add/Mul/BitOr/BitAnd/BitXor).
1481         The pass only runs in O2, and runs once, after lowerMacros and just before a run of B3ReduceStrength (which helps clean up the dead code it tends to leave behind).
1482         I had to separate killDeadCode out of B3ReduceStrength (as a new B3EliminateDeadCode pass) to run it before B3OptimizeAssociativeExpressionTrees, as otherwise it is stopped by high use counts
1483         inherited from CSE.
1484         This extra run of DCE is by itself a win, most notably on microbenchmarks/instanceof-always-hit-two (1.5x faster), and on microbenchmarks/licm-dragons(-out-of-bounds) (both get 1.16x speedup).
1485         I suspect it is because it runs between CSE and tail-dedup, and as a result allows a lot more tail-dedup to occur.
1486
1487         The pass is currently extremely conservative, not trying anything if it would cause _any_ code duplication.
1488         For this purpose, it starts by computing use counts for the potentially interesting nodes (those with the right opcodes), and segregates them into expression trees.
1489         The root of an expression tree is a node that is either used in multiple places, or is used by a value with a different opcode.
1490         The leaves of an expression tree are nodes that are either used in multiple places, or have a different opcode.
1491         All constant leaves of a tree are combined, as well as all leaves that are identical. What remains is then laid out into a balanced binary tree, hopefully maximizing ILP.
1492
1493         This optimization was implemented as a stand-alone pass and not as part of B3ReduceStrength mostly because it needs use counts to avoid code duplication.
1494         It also benefits from finding all tree roots first, and not trying to repeatedly optimize subtrees.
1495
1496         I added several tests to testB3 with varying patterns of trees. It is also tested in a less focused way by lots of older tests.
1497
1498         In the future this pass could be expanded to allow some bounded amount of code duplication, and merging more leaves (e.g. Mul(a, 3) and a in an Add tree, into Mul(a, 4))
1499         The latter will need exposing the peephole optimizations out of B3ReduceStrength to avoid duplicating code.
1500
1501         * JavaScriptCore.xcodeproj/project.pbxproj:
1502         * Sources.txt:
1503         * b3/B3Common.cpp:
1504         (JSC::B3::shouldDumpIR):
1505         (JSC::B3::shouldDumpIRAtEachPhase):
1506         * b3/B3Common.h:
1507         * b3/B3EliminateDeadCode.cpp: Added.
1508         (JSC::B3::EliminateDeadCode::run):
1509         (JSC::B3::eliminateDeadCode):
1510         * b3/B3EliminateDeadCode.h: Added.
1511         (JSC::B3::EliminateDeadCode::EliminateDeadCode):
1512         * b3/B3Generate.cpp:
1513         (JSC::B3::generateToAir):
1514         * b3/B3OptimizeAssociativeExpressionTrees.cpp: Added.
1515         (JSC::B3::OptimizeAssociativeExpressionTrees::OptimizeAssociativeExpressionTrees):
1516         (JSC::B3::OptimizeAssociativeExpressionTrees::neutralElement):
1517         (JSC::B3::OptimizeAssociativeExpressionTrees::isAbsorbingElement):
1518         (JSC::B3::OptimizeAssociativeExpressionTrees::combineConstants):
1519         (JSC::B3::OptimizeAssociativeExpressionTrees::emitValue):
1520         (JSC::B3::OptimizeAssociativeExpressionTrees::optimizeRootedTree):
1521         (JSC::B3::OptimizeAssociativeExpressionTrees::run):
1522         (JSC::B3::optimizeAssociativeExpressionTrees):
1523         * b3/B3OptimizeAssociativeExpressionTrees.h: Added.
1524         * b3/B3ReduceStrength.cpp:
1525         * b3/B3Value.cpp:
1526         (JSC::B3::Value::replaceWithIdentity):
1527         * b3/testb3.cpp:
1528         (JSC::B3::testBitXorTreeArgs):
1529         (JSC::B3::testBitXorTreeArgsEven):
1530         (JSC::B3::testBitXorTreeArgImm):
1531         (JSC::B3::testAddTreeArg32):
1532         (JSC::B3::testMulTreeArg32):
1533         (JSC::B3::testBitAndTreeArg32):
1534         (JSC::B3::testBitOrTreeArg32):
1535         (JSC::B3::run):
1536
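The root, leaf, constant-folding and balancing rules described in the entry above, as an added example that is not B3's code: a toy SSA graph with use counts, the root and leaf rules as the entry states them, folding of constant leaves, and the balanced re-layout. It leaves out the merging of identical non-constant leaves that the real pass also does. `Graph`, `Value`, `Op`, `optimizeRootedTree` and the sample chain are constructed for this illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <deque>
#include <initializer_list>
#include <vector>

// Toy model of the pass described above, constructed for illustration; it is not
// B3's code. Values form a small SSA graph of Arg/Const leaves and binary operators.
enum class Op { Arg, Const, Add, Mul, BitAnd, BitOr, BitXor };

struct Value {
    Op op;
    int64_t payload;           // Const value, or Arg index
    Value* a; Value* b;        // children of a binary op (null for leaves)
    int useCount, sameOpUses;  // uses in the graph / uses by a value with the same opcode
};

struct Graph {
    std::deque<Value> values; // deque: pointers stay valid while values are appended
    Value* make(Op op, Value* a, Value* b, int64_t payload = 0) {
        values.push_back(Value{op, payload, a, b, 0, 0});
        return &values.back();
    }
    Value* arg(int64_t i) { return make(Op::Arg, nullptr, nullptr, i); }
    Value* constant(int64_t c) { return make(Op::Const, nullptr, nullptr, c); }
};

static bool isAssociative(Op op) { return op >= Op::Add; }
static int64_t neutralElement(Op op) { return op == Op::Mul ? 1 : op == Op::BitAnd ? -1 : 0; }
static int64_t apply(Op op, int64_t x, int64_t y) {
    uint64_t u = x, v = y; // unsigned so that wrap-around is well defined
    if (op == Op::Add) return int64_t(u + v);
    if (op == Op::Mul) return int64_t(u * v);
    if (op == Op::BitAnd) return x & y;
    return op == Op::BitOr ? (x | y) : (x ^ y);
}

static void computeUseCounts(Graph& g) {
    for (Value& v : g.values)
        for (Value* child : {v.a, v.b})
            if (child) {
                child->useCount++;
                if (child->op == v.op) child->sameOpUses++;
            }
}

// Root: an associative value used in several places or by a value with another opcode
// (an unused value, standing for the function result in this toy, is a root too).
static bool isTreeRoot(const Value* v) {
    return isAssociative(v->op) && (v->useCount != 1 || v->sameOpUses == 0);
}

// Leaves: whatever is reached once we stop descending through single-use children
// that carry the root's opcode.
static void collectLeaves(Value* v, Op op, std::vector<Value*>& leaves) {
    for (Value* child : {v->a, v->b}) {
        if (child->op == op && child->useCount == 1) collectLeaves(child, op, leaves);
        else leaves.push_back(child);
    }
}

static Value* buildBalanced(Graph& g, Op op, const std::vector<Value*>& v, size_t lo, size_t hi) {
    if (hi - lo == 1) return v[lo];
    size_t mid = lo + (hi - lo) / 2;
    return g.make(op, buildBalanced(g, op, v, lo, mid), buildBalanced(g, op, v, mid, hi));
}

// Folds every constant leaf into one (dropped again if it is the neutral element) and
// lays the remaining leaves out as a balanced tree.
static Value* optimizeRootedTree(Graph& g, Value* root) {
    Op op = root->op;
    std::vector<Value*> leaves, operands;
    collectLeaves(root, op, leaves);
    int64_t folded = neutralElement(op);
    for (Value* leaf : leaves) {
        if (leaf->op == Op::Const) folded = apply(op, folded, leaf->payload);
        else operands.push_back(leaf);
    }
    if (folded != neutralElement(op) || operands.empty()) operands.push_back(g.constant(folded));
    return buildBalanced(g, op, operands, 0, operands.size());
}

static int64_t evaluate(const Value* v, const std::vector<int64_t>& args) {
    if (v->op == Op::Arg) return args[v->payload];
    if (v->op == Op::Const) return v->payload;
    return apply(v->op, evaluate(v->a, args), evaluate(v->b, args));
}
static int depth(const Value* v) { return v->a ? 1 + std::max(depth(v->a), depth(v->b)) : 0; }

struct Outcome { int depthBefore; int depthAfter; int64_t before; int64_t after; };

// Left-leaning chain ((((a + b) + 3) + c) + 5) + d with args (1, 2, 3, 4): the two
// constants fold to 8 and the five operands come back as a tree of depth 3, not 5.
Outcome optimizeAddChain() {
    Graph g;
    Value* chain = g.make(Op::Add, g.arg(0), g.arg(1));
    for (Value* next : {g.constant(3), g.arg(2), g.constant(5), g.arg(3)})
        chain = g.make(Op::Add, chain, next);
    computeUseCounts(g);
    std::vector<int64_t> args = {1, 2, 3, 4};
    Value* rebuilt = isTreeRoot(chain) ? optimizeRootedTree(g, chain) : chain;
    return {depth(chain), depth(rebuilt), evaluate(chain, args), evaluate(rebuilt, args)};
}
```
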
1537 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1538
1539         [JSC] Add dump feature for RandomizingFuzzerAgent
1540         https://bugs.webkit.org/show_bug.cgi?id=196586
1541
1542         Reviewed by Saam Barati.
1543
1544         Towards deterministic tests for the results from randomizing fuzzer agent, this patch adds Options::dumpRandomizingFuzzerAgentPredictions, which dumps the generated types.
1545         The results look like this.
1546
1547             getPrediction name:(#C2q9xD),bytecodeIndex:(22),original:(Array),generated:(OtherObj|Array|Float64Array|BigInt|NonIntAsDouble)
1548             getPrediction name:(makeUnwriteableUnconfigurableObject#AiEJv1),bytecodeIndex:(14),original:(OtherObj),generated:(Final|Uint8Array|Float64Array|SetObject|WeakSetObject|BigInt|NonIntAsDouble)
1549
1550         * runtime/Options.cpp:
1551         (JSC::recomputeDependentOptions):
1552         * runtime/Options.h:
1553         * runtime/RandomizingFuzzerAgent.cpp:
1554         (JSC::RandomizingFuzzerAgent::getPrediction):
1555
1556 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
1557
1558         -apple-trailing-word is needed for browser detection
1559         https://bugs.webkit.org/show_bug.cgi?id=196575
1560
1561         Unreviewed.
1562
1563         * Configurations/FeatureDefines.xcconfig:
1564
1565 2019-04-03  Michael Saboff  <msaboff@apple.com>
1566
1567         REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
1568         https://bugs.webkit.org/show_bug.cgi?id=196477
1569
1570         Reviewed by Keith Miller.
1571
1572         The problem here is that when we advance the index by 2 for a character class that only
1573         has non-BMP characters, we might go past the end of the string.  This can happen for
1574         greedy counted character classes that are part of an alternative where there is one
1575         character to match after the greedy non-BMP character class.
1576
1577         The "do we have string left to match" check at the top of the JIT loop for the counted
1578         character class checks to see if index is not equal to the string length.  For non-BMP
1579         character classes, we need to check to see if there are at least 2 characters left.
1580         Therefore we now temporarily add 1 to the current index before comparing.  This checks
1581         to see if there are at least 2 characters left to match, instead of 1.
1582
1583         * yarr/YarrJIT.cpp:
1584         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1585         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1586
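The end-of-input check described in the entry above, as an added example that is not Yarr's JIT code: a toy UTF-16 matcher for a greedy character class made only of non-BMP characters, run once with the regressed `index != length` check and once requiring at least two code units left. The class, the pair-sized read (modelled as two loads), the bounds-recording `readUnit` helper and the sample subjects are constructed for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy UTF-16 matcher for a greedy, counted character class that contains only
// non-BMP characters, so every match consumes a surrogate pair (2 code units).
// Constructed for illustration; not Yarr code.

struct MatchResult {
    size_t matched;    // number of pairs consumed
    bool readPastEnd;  // true if the loop tried to read a code unit beyond length
};

static bool isHighSurrogate(uint16_t u) { return (u & 0xFC00) == 0xD800; }
static bool isLowSurrogate(uint16_t u) { return (u & 0xFC00) == 0xDC00; }

// The class [\u{1F600}-\u{1F64F}] (emoticons), as a predicate on code points.
static bool inClass(uint32_t cp) { return cp >= 0x1F600 && cp <= 0x1F64F; }

// Bounds-checked load that records an overrun instead of reading past the buffer.
static bool readUnit(const std::vector<uint16_t>& s, size_t i, uint16_t& out, bool& overrun) {
    if (i >= s.size()) {
        overrun = true;
        return false;
    }
    out = s[i];
    return true;
}

// fixedCheck == false: keep going whenever index != length (the regressed check), so
// with exactly one code unit left the pair read touches index + 1, past the end.
// fixedCheck == true: require at least two code units left, the explicit form of the
// "temporarily add 1 to index before comparing with length" check in the entry.
MatchResult matchGreedyNonBMP(const std::vector<uint16_t>& s, size_t index, bool fixedCheck) {
    MatchResult r{0, false};
    const size_t length = s.size();
    while (fixedCheck ? (index + 2 <= length) : (index != length)) {
        uint16_t hi = 0, lo = 0;
        bool okHi = readUnit(s, index, hi, r.readPastEnd);     // both loads happen, as
        bool okLo = readUnit(s, index + 1, lo, r.readPastEnd); // for a pair-sized read
        if (!okHi || !okLo || !isHighSurrogate(hi) || !isLowSurrogate(lo))
            break;
        uint32_t cp = 0x10000 + ((uint32_t(hi) - 0xD800) << 10) + (uint32_t(lo) - 0xDC00);
        if (!inClass(cp))
            break;
        index += 2;
        ++r.matched;
    }
    return r;
}

// Constructed subjects: U+1F600 followed by 'a' (3 code units: one pair, then the one
// character an alternative like /[\u{1F600}-\u{1F64F}]+a/u still has to match), and
// two U+1F600 with nothing after them.
static const std::vector<uint16_t> kPairThenChar = { 0xD83D, 0xDE00, 0x0061 };
static const std::vector<uint16_t> kTwoPairs = { 0xD83D, 0xDE00, 0xD83D, 0xDE00 };
```
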
1587 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1588
1589         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
1590         https://bugs.webkit.org/show_bug.cgi?id=196574
1591
1592         Reviewed by Saam Barati.
1593
1594         This patch adds missing exception check in operationArrayIndexOfValueInt32OrContiguous.
1595
1596         * dfg/DFGOperations.cpp:
1597
1598 2019-04-03  Don Olmstead  <don.olmstead@sony.com>
1599
1600         [CMake][WTF] Mirror XCode header directories
1601         https://bugs.webkit.org/show_bug.cgi?id=191662
1602
1603         Reviewed by Konstantin Tokarev.
1604
1605         Use WTFFramework as a dependency and include frameworks/WTF.cmake for AppleWin internal
1606         builds.
1607
1608         * CMakeLists.txt:
1609         * shell/CMakeLists.txt:
1610
1611 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1612
1613         [JSC] Add FuzzerAgent, which has hooks to get feedback & inject fuzz data into JSC
1614         https://bugs.webkit.org/show_bug.cgi?id=196530
1615
1616         Reviewed by Saam Barati.
1617
1618         This patch adds FuzzerAgent interface and simple RandomizingFuzzerAgent to JSC.
1619         This RandomizingFuzzerAgent returns random SpeculatedType for value profiling to find
1620         the issues in JSC. The seed for randomization can be specified by seedOfRandomizingFuzzerAgent.
1621
1622         I ran this with seedOfRandomizingFuzzerAgent=1 last night and it found 3 failures in the current JSC tests;
1623         they should be fixed in subsequent patches.
1624
1625         * CMakeLists.txt:
1626         * JavaScriptCore.xcodeproj/project.pbxproj:
1627         * Sources.txt:
1628         * dfg/DFGByteCodeParser.cpp:
1629         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1630         * runtime/FuzzerAgent.cpp: Added.
1631         (JSC::FuzzerAgent::~FuzzerAgent):
1632         (JSC::FuzzerAgent::getPrediction):
1633         * runtime/FuzzerAgent.h: Added.
1634         * runtime/JSGlobalObjectFunctions.cpp:
1635         * runtime/Options.h:
1636         * runtime/RandomizingFuzzerAgent.cpp: Added.
1637         (JSC::RandomizingFuzzerAgent::RandomizingFuzzerAgent):
1638         (JSC::RandomizingFuzzerAgent::getPrediction):
1639         * runtime/RandomizingFuzzerAgent.h: Added.
1640         * runtime/RegExpCachedResult.h:
1641         * runtime/RegExpGlobalData.cpp:
1642         * runtime/VM.cpp:
1643         (JSC::VM::VM):
1644         * runtime/VM.h:
1645         (JSC::VM::fuzzerAgent const):
1646         (JSC::VM::setFuzzerAgent):
1647
1648 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
1649
1650         Remove support for -apple-trailing-word
1651         https://bugs.webkit.org/show_bug.cgi?id=196525
1652
1653         Reviewed by Zalan Bujtas.
1654
1655         This CSS property is nonstandard and not used.
1656
1657         * Configurations/FeatureDefines.xcconfig:
1658
1659 2019-04-03  Joseph Pecoraro  <pecoraro@apple.com>
1660
1661         Web Inspector: Remote Inspector indicate callback should always happen on the main thread
1662         https://bugs.webkit.org/show_bug.cgi?id=196513
1663         <rdar://problem/49498284>
1664
1665         Reviewed by Devin Rousso.
1666
1667         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1668         (Inspector::RemoteInspector::receivedIndicateMessage):
1669         When we have a WebThread, don't just run on the WebThread,
1670         run on the MainThread with the WebThreadLock.
1671
1672 2019-04-02  Michael Saboff  <msaboff@apple.com>
1673
1674         Crash in Options::setOptions() using --configFile option and libgmalloc
1675         https://bugs.webkit.org/show_bug.cgi?id=196506
1676
1677         Reviewed by Keith Miller.
1678
1679         Changed to call CString::data() while making the call to Options::setOptions().  This keeps
1680         the implicit CString temporary alive until after setOptions() returns.
1681
1682         * runtime/ConfigFile.cpp:
1683         (JSC::ConfigFile::parse):
1684
1685 2019-04-02  Fujii Hironori  <Hironori.Fujii@sony.com>
1686
1687         [CMake] WEBKIT_MAKE_FORWARDING_HEADERS shouldn't use POST_BUILD to copy generated headers
1688         https://bugs.webkit.org/show_bug.cgi?id=182757
1689
1690         Reviewed by Don Olmstead.
1691
1692         * CMakeLists.txt: Do not use DERIVED_SOURCE_DIRECTORIES parameter
1693         of WEBKIT_MAKE_FORWARDING_HEADERS. Added generated headers to
1694         JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS.
1695
1696 2019-04-02  Saam barati  <sbarati@apple.com>
1697
1698         Add a ValueRepReduction phase
1699         https://bugs.webkit.org/show_bug.cgi?id=196234
1700
1701         Reviewed by Filip Pizlo.
1702
1703         This patch adds a ValueRepReduction phase. The main idea here is
1704         to try to reduce DoubleRep(RealNumberUse:ValueRep(DoubleRepUse:@x))
1705         to just be @x. This patch handles the above strength reduction rules
1706         as long as we prove that all users of the ValueRep can be converted
1707         to using the incoming double value. That way we prevent introducing
1708         a parallel live range for the double value.
1709         
1710         This patch tracks the uses of the ValueRep through Phi variables,
1711         so we can convert entire Phi variables to being Double instead
1712         of JSValue if the Phi also has only double uses.
1713         
1714         This is implemented through a simple escape analysis. DoubleRep(RealNumberUse:)
1715         and OSR exit hints are not counted as escapes. All other uses are counted
1716         as escapes. Connected Phi graphs are converted to being Double only if the
1717         entire graph is ok with the result being Double.
1718         
1719         Some ways we could extend this phase in the future:
1720         - There are a lot of DoubleRep(NumberUse:@ValueRep(@x)) uses. This ensures
1721           that the result of the DoubleRep of @x is not impure NaN. We could
1722           handle this case if we introduced a PurifyNaN node and replace the DoubleRep
1723           with PurifyNaN(@x). Alternatively, we could see if certain users of this
1724           DoubleRep are okay with impure NaN flowing into them and we'd need to ensure
1725           their output type is always treated as if the input is impure NaN.
1726         - We could do sinking of ValueRep where we think it's profitable. So instead
1727           of an escape making it so we never represent the variable as a Double, we
1728           could make the escape reconstruct the JSValueRep where profitable.
1729         - We can extend this phase to handle Int52Rep if it's profitable.
1730         - We can opt other nodes into accepting incoming Doubles so we no longer
1731           treat them as escapes.
1732         
1733         This patch is somewhere between neutral and a 1% progression on JetStream 2.
1734
1735         * JavaScriptCore.xcodeproj/project.pbxproj:
1736         * Sources.txt:
1737         * dfg/DFGPlan.cpp:
1738         (JSC::DFG::Plan::compileInThreadImpl):
1739         * dfg/DFGValueRepReductionPhase.cpp: Added.
1740         (JSC::DFG::ValueRepReductionPhase::ValueRepReductionPhase):
1741         (JSC::DFG::ValueRepReductionPhase::run):
1742         (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble):
1743         (JSC::DFG::performValueRepReduction):
1744         * dfg/DFGValueRepReductionPhase.h: Added.
1745         * runtime/Options.h:
1746
1747 2019-04-01  Yusuke Suzuki  <ysuzuki@apple.com>
1748
1749         [JSC] JSRunLoopTimer::Manager should be small
1750         https://bugs.webkit.org/show_bug.cgi?id=196425
1751
1752         Reviewed by Darin Adler.
1753
1754         Using very large Keys or Values in a HashMap potentially bloats memory since HashMap pre-allocates a large amount of
1755         memory ((sizeof(Key) + sizeof(Value)) * N) for its backing storage's array. We use std::unique_ptr<> for JSRunLoopTimer's
1756         PerVMData to keep HashMap's backing store size small.
1757
1758         * runtime/JSRunLoopTimer.cpp:
1759         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1760         (JSC::JSRunLoopTimer::Manager::registerVM):
1761         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1762         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1763         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1764         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1765         * runtime/JSRunLoopTimer.h:
1766
1767 2019-04-01  Stephan Szabo  <stephan.szabo@sony.com>
1768
1769         [PlayStation] Add initialization for JSC shell for PlayStation port
1770         https://bugs.webkit.org/show_bug.cgi?id=195411
1771
1772         Reviewed by Ross Kirsling.
1773
1774         Add ps options
1775
1776         * shell/PlatformPlayStation.cmake: Added.
1777         * shell/playstation/Initializer.cpp: Added.
1778         (initializer):
1779
1780 2019-04-01  Michael Catanzaro  <mcatanzaro@igalia.com>
1781
1782         Stop trying to support building JSC with clang 3.8
1783         https://bugs.webkit.org/show_bug.cgi?id=195947
1784         <rdar://problem/49069219>
1785
1786         Reviewed by Darin Adler.
1787
1788         It seems WebKit hasn't built with clang 3.8 in a while, no devs are using this compiler, we
1789         don't know how much effort it would be to make JSC work again, and it's making the code
1790         worse. Remove my hacks to support clang 3.8 from JSC.
1791
1792         * bindings/ScriptValue.cpp:
1793         (Inspector::jsToInspectorValue):
1794         * bytecode/GetterSetterAccessCase.cpp:
1795         (JSC::GetterSetterAccessCase::create):
1796         (JSC::GetterSetterAccessCase::clone const):
1797         * bytecode/InstanceOfAccessCase.cpp:
1798         (JSC::InstanceOfAccessCase::clone const):
1799         * bytecode/IntrinsicGetterAccessCase.cpp:
1800         (JSC::IntrinsicGetterAccessCase::clone const):
1801         * bytecode/ModuleNamespaceAccessCase.cpp:
1802         (JSC::ModuleNamespaceAccessCase::clone const):
1803         * bytecode/ProxyableAccessCase.cpp:
1804         (JSC::ProxyableAccessCase::clone const):
1805
1806 2019-03-31  Yusuke Suzuki  <ysuzuki@apple.com>
1807
1808         [JSC] Butterfly allocation from LargeAllocation should try "realloc" behavior if collector thread is not active
1809         https://bugs.webkit.org/show_bug.cgi?id=196160
1810
1811         Reviewed by Saam Barati.
1812
1813         "realloc" can be effective in terms of peak/current memory footprint when realloc succeeds because,
1814
1815         1. It does not allocate additional memory while expanding a vector
1816         2. It does not deallocate an old memory, just reusing the current memory by expanding, so that memory footprint is tight even before scavenging
1817
1818         We found that we can "realloc" large butterflies when certain conditions are met because,
1819
1820         1. If it goes to LargeAllocation, this memory region is never reused until GC sweeps it.
1821         2. Butterflies are owned by owner JSObjects, so we know the lifetime of Butterflies.
1822
1823         This patch attempts to use "realloc" onto butterflies if,
1824
1825         1. Butterflies are allocated in LargeAllocation kind
1826         2. Concurrent collector is not active
1827         3. Butterflies do not have property storage
1828
1829         The condition (2) is required to avoid deallocating butterflies while the concurrent collector looks into it. The condition (3) is
1830         also required to avoid deallocating butterflies while the concurrent compiler looks into it.
1831
1832         We also change LargeAllocation mechanism to using "malloc" and "free" instead of "posix_memalign". This allows us to use "realloc"
1833         safely in all the platforms. Since LargeAllocation uses alignment to distinguish LargeAllocation and MarkedBlock, we manually adjust
1834         16B alignment by allocating 8B more memory in "malloc".
1835
1836         Speedometer2 and JetStream2 are neutral. RAMification shows about 1% progression (even in some of JIT tests).
1837
1838         * heap/AlignedMemoryAllocator.h:
1839         * heap/CompleteSubspace.cpp:
1840         (JSC::CompleteSubspace::tryAllocateSlow):
1841         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
1842         * heap/CompleteSubspace.h:
1843         * heap/FastMallocAlignedMemoryAllocator.cpp:
1844         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateMemory):
1845         (JSC::FastMallocAlignedMemoryAllocator::freeMemory):
1846         (JSC::FastMallocAlignedMemoryAllocator::tryReallocateMemory):
1847         * heap/FastMallocAlignedMemoryAllocator.h:
1848         * heap/GigacageAlignedMemoryAllocator.cpp:
1849         (JSC::GigacageAlignedMemoryAllocator::tryAllocateMemory):
1850         (JSC::GigacageAlignedMemoryAllocator::freeMemory):
1851         (JSC::GigacageAlignedMemoryAllocator::tryReallocateMemory):
1852         * heap/GigacageAlignedMemoryAllocator.h:
1853         * heap/IsoAlignedMemoryAllocator.cpp:
1854         (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory):
1855         (JSC::IsoAlignedMemoryAllocator::freeMemory):
1856         (JSC::IsoAlignedMemoryAllocator::tryReallocateMemory):
1857         * heap/IsoAlignedMemoryAllocator.h:
1858         * heap/LargeAllocation.cpp:
1859         (JSC::isAlignedForLargeAllocation):
1860         (JSC::LargeAllocation::tryCreate):
1861         (JSC::LargeAllocation::tryReallocate):
1862         (JSC::LargeAllocation::LargeAllocation):
1863         (JSC::LargeAllocation::destroy):
1864         * heap/LargeAllocation.h:
1865         (JSC::LargeAllocation::indexInSpace):
1866         (JSC::LargeAllocation::setIndexInSpace):
1867         (JSC::LargeAllocation::basePointer const):
1868         * heap/MarkedSpace.cpp:
1869         (JSC::MarkedSpace::sweepLargeAllocations):
1870         (JSC::MarkedSpace::prepareForConservativeScan):
1871         * heap/WeakSet.h:
1872         (JSC::WeakSet::isTriviallyDestructible const):
1873         * runtime/Butterfly.h:
1874         * runtime/ButterflyInlines.h:
1875         (JSC::Butterfly::reallocArrayRightIfPossible):
1876         * runtime/JSObject.cpp:
1877         (JSC::JSObject::ensureLengthSlow):
1878
1879 2019-03-31  Sam Weinig  <weinig@apple.com>
1880
1881         Remove more i386 specific configurations
1882         https://bugs.webkit.org/show_bug.cgi?id=196430
1883
1884         Reviewed by Alexey Proskuryakov.
1885
1886         * Configurations/FeatureDefines.xcconfig:
1887         ENABLE_WEB_AUTHN_macosx can now be enabled unconditionally on macOS.
1888
1889         * Configurations/ToolExecutable.xcconfig:
1890         ARC can be enabled unconditionally now.
1891
1892 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
1893
1894         [JSC] JSWrapperMap should not use Objective-C Weak map (NSMapTable with NSPointerFunctionsWeakMemory) for m_cachedObjCWrappers
1895         https://bugs.webkit.org/show_bug.cgi?id=196392
1896
1897         Reviewed by Saam Barati.
1898
1899         Weak representation in Objective-C is surprisingly costly in terms of memory. We can see that a very easy program shows 10KB memory consumption due to
1900         this weak wrapper map in JavaScriptCore.framework. But we do not need this weak map since Objective-C JSValue has a dealloc. We can unregister itself
1901         from the map when it is deallocated without using Objective-C weak mechanism. And since Objective-C JSValue is tightly coupled to a specific JSContext,
1902         and wrapper map is created per JSContext, JSValue wrapper and actual JavaScriptCore value are one-to-one, and [JSValue dealloc] knows which JSContext's
1903         wrapper map holds itself.
1904
1905         1. We do not use Objective-C weak mechanism. We use WTF::HashSet instead. When JSValue is allocated, we register it to JSWrapperMap's HashSet. And unregister
1906            JSValue from this map when JSValue is deallocated.
1907         2. We use HashSet<JSValue> (logically) instead of HashMap<JSValueRef, JSValue> to keep JSValueRef and JSValue relationship. We can achieve it because JSValue
1908            holds JSValueRef inside it.
1909
1910         * API/JSContext.mm:
1911         (-[JSContext removeWrapper:]):
1912         * API/JSContextInternal.h:
1913         * API/JSValue.mm:
1914         (-[JSValue dealloc]):
1915         (-[JSValue initWithValue:inContext:]):
1916         * API/JSWrapperMap.h:
1917         * API/JSWrapperMap.mm:
1918         (WrapperKey::hashTableDeletedValue):
1919         (WrapperKey::WrapperKey):
1920         (WrapperKey::isHashTableDeletedValue const):
1921         (WrapperKey::Hash::hash):
1922         (WrapperKey::Hash::equal):
1923         (WrapperKey::Traits::isEmptyValue):
1924         (WrapperKey::Translator::hash):
1925         (WrapperKey::Translator::equal):
1926         (WrapperKey::Translator::translate):
1927         (-[JSWrapperMap initWithGlobalContextRef:]):
1928         (-[JSWrapperMap dealloc]):
1929         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
1930         (-[JSWrapperMap removeWrapper:]):
1931         * API/tests/testapi.mm:
1932         (testObjectiveCAPIMain):
1933
1934 2019-03-29  Robin Morisset  <rmorisset@apple.com>
1935
1936         B3ReduceStrength should know that Mul distributes over Add and Sub
1937         https://bugs.webkit.org/show_bug.cgi?id=196325
1938
1939         Reviewed by Michael Saboff.
1940
1941         In this patch I add the following patterns to B3ReduceStrength:
1942         - Turn this: Integer Neg(Mul(value, c))
1943           Into this: Mul(value, -c), as long as -c does not overflow
1944         - Turn these: Integer Mul(value, Neg(otherValue)) and Integer Mul(Neg(value), otherValue)
1945           Into this: Neg(Mul(value, otherValue))
1946         - For Op==Add or Sub, turn any of these:
1947              Op(Mul(x1, x2), Mul(x1, x3))
1948              Op(Mul(x2, x1), Mul(x1, x3))
1949              Op(Mul(x1, x2), Mul(x3, x1))
1950              Op(Mul(x2, x1), Mul(x3, x1))
1951           Into this: Mul(x1, Op(x2, x3))
1952
1953         Also includes a trivial change: a similar reduction for the distributivity of BitAnd over BitOr/BitXor now
1954         emits the arguments to BitAnd in the other order, to minimize the probability that we'll spend a full fixpoint step just to flip them.
1955
1956         * b3/B3ReduceStrength.cpp:
1957         * b3/testb3.cpp:
1958         (JSC::B3::testAddMulMulArgs):
1959         (JSC::B3::testMulArgNegArg):
1960         (JSC::B3::testMulNegArgArg):
1961         (JSC::B3::testNegMulArgImm):
1962         (JSC::B3::testSubMulMulArgs):
1963         (JSC::B3::run):
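The rewrites listed above, as an added example that is not B3ReduceStrength's own code: a minimal Int32 expression tree with the same Add/Sub/Mul/Neg operators, one bottom-up pass that applies the three patterns from the entry, and a bounded fixpoint loop. Node names, the `eval` helper and the check functions are assumptions made for this illustration. The `-c does not overflow` condition is the point worth seeing in code: negating `INT32_MIN` is undefined in C++, so that one constant is excluded, and every rewrite is checked against wrapping two's-complement evaluation so that operands which overflow are still folded correctly.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <string>

// Minimal B3-style Int32 expression tree: opaque inputs, constants and Add/Sub/Mul/Neg.
enum class Op { Value, Const, Add, Sub, Mul, Neg };

struct Node;
using NodeRef = std::shared_ptr<Node>;
struct Node {
    Op op;
    int32_t constant = 0;  // Op::Const
    std::string name;      // Op::Value
    NodeRef a, b;          // operands (Neg uses only a)
};

static NodeRef value(const std::string& name) { auto n = std::make_shared<Node>(); n->op = Op::Value; n->name = name; return n; }
static NodeRef constant(int32_t c) { auto n = std::make_shared<Node>(); n->op = Op::Const; n->constant = c; return n; }
static NodeRef binary(Op op, NodeRef a, NodeRef b) { auto n = std::make_shared<Node>(); n->op = op; n->a = a; n->b = b; return n; }
static NodeRef neg(NodeRef a) { auto n = std::make_shared<Node>(); n->op = Op::Neg; n->a = a; return n; }

// Wrapping two's-complement evaluation (done in uint32_t so overflow is defined, like B3's Int32 ops).
static int32_t eval(const NodeRef& n, const std::map<std::string, int32_t>& env) {
    auto u = [&](const NodeRef& x) { return static_cast<uint32_t>(eval(x, env)); };
    switch (n->op) {
    case Op::Value: return env.at(n->name);
    case Op::Const: return n->constant;
    case Op::Add: return static_cast<int32_t>(u(n->a) + u(n->b));
    case Op::Sub: return static_cast<int32_t>(u(n->a) - u(n->b));
    case Op::Mul: return static_cast<int32_t>(u(n->a) * u(n->b));
    case Op::Neg: return static_cast<int32_t>(0u - u(n->a));
    }
    return 0;
}

// One bottom-up pass of the rewrites from the entry. Operand identity is pointer identity, as in B3.
static NodeRef reduceOnce(NodeRef n, bool& changed) {
    if (n->a) n->a = reduceOnce(n->a, changed);
    if (n->b) n->b = reduceOnce(n->b, changed);

    // Neg(Mul(value, c)) -> Mul(value, -c), only when -c does not overflow (c != INT32_MIN).
    if (n->op == Op::Neg && n->a->op == Op::Mul && n->a->b->op == Op::Const && n->a->b->constant != INT32_MIN) {
        changed = true;
        return binary(Op::Mul, n->a->a, constant(-n->a->b->constant));
    }
    // Mul(value, Neg(other)) and Mul(Neg(value), other) -> Neg(Mul(value, other)).
    if (n->op == Op::Mul && n->b->op == Op::Neg) { changed = true; return neg(binary(Op::Mul, n->a, n->b->a)); }
    if (n->op == Op::Mul && n->a->op == Op::Neg) { changed = true; return neg(binary(Op::Mul, n->a->a, n->b)); }
    // Op(Mul(x1, x2), Mul(x1, x3)) in any of the four operand orders -> Mul(x1, Op(x2, x3)), Op in {Add, Sub}.
    if ((n->op == Op::Add || n->op == Op::Sub) && n->a->op == Op::Mul && n->b->op == Op::Mul) {
        NodeRef l1 = n->a->a, l2 = n->a->b, r1 = n->b->a, r2 = n->b->b;
        NodeRef shared, lo, ro;
        if (l1 == r1) { shared = l1; lo = l2; ro = r2; }
        else if (l2 == r1) { shared = l2; lo = l1; ro = r2; }
        else if (l1 == r2) { shared = l1; lo = l2; ro = r1; }
        else if (l2 == r2) { shared = l2; lo = l1; ro = r1; }
        if (shared) { changed = true; return binary(Op::Mul, shared, binary(n->op, lo, ro)); }
    }
    return n;
}

// Iterate to a fixpoint, as B3ReduceStrength does (bounded so a bad rewrite set cannot spin forever).
static NodeRef reduce(NodeRef n) {
    for (int i = 0; i < 32; ++i) {
        bool changed = false;
        n = reduceOnce(n, changed);
        if (!changed) break;
    }
    return n;
}

// Worked cases: each is true only if the expected shape came out and the wrapped value is unchanged.
static bool distributesOverAdd() {
    NodeRef x1 = value("x1"), x2 = value("x2"), x3 = value("x3");
    std::map<std::string, int32_t> env{{"x1", 7}, {"x2", -3}, {"x3", 100000}};
    NodeRef t = binary(Op::Add, binary(Op::Mul, x2, x1), binary(Op::Mul, x1, x3));
    int32_t before = eval(t, env);
    NodeRef r = reduce(t);
    return r->op == Op::Mul && r->a == x1 && r->b->op == Op::Add && eval(r, env) == before;
}
static bool distributesOverSubWithOverflow() {
    // x1 = 2^30, so both products wrap; the rewrite must still agree bit for bit.
    NodeRef x1 = value("x1"), x2 = value("x2"), x3 = value("x3");
    std::map<std::string, int32_t> env{{"x1", 0x40000000}, {"x2", 6}, {"x3", -5}};
    NodeRef t = binary(Op::Sub, binary(Op::Mul, x1, x2), binary(Op::Mul, x3, x1));
    int32_t before = eval(t, env);
    NodeRef r = reduce(t);
    return r->op == Op::Mul && r->a == x1 && r->b->op == Op::Sub && eval(r, env) == before;
}
static bool foldsNegOfMulConst() {
    NodeRef v = value("v");
    std::map<std::string, int32_t> env{{"v", 12345}};
    NodeRef t = neg(binary(Op::Mul, v, constant(5)));
    int32_t before = eval(t, env);
    NodeRef r = reduce(t);
    return r->op == Op::Mul && r->b->op == Op::Const && r->b->constant == -5 && eval(r, env) == before;
}
static bool leavesNegOfMulIntMin() {
    // -INT32_MIN is not representable, so this Neg must survive untouched.
    NodeRef r = reduce(neg(binary(Op::Mul, value("v"), constant(INT32_MIN))));
    return r->op == Op::Neg && r->a->op == Op::Mul && r->a->b->constant == INT32_MIN;
}

int main() {
    std::printf("%d %d %d %d\n", distributesOverAdd(), distributesOverSubWithOverflow(), foldsNegOfMulConst(), leavesNegOfMulIntMin());
}
```

The overflow-aware check in `distributesOverSubWithOverflow` is the one to keep when adding algebraic rewrites to any optimizer: distributivity holds in the wrapping ring, so it is safe there, but the `Neg(Mul(v, c))` fold is only safe because the rewrite refuses the single constant whose negation does not exist.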
1964
1965 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
1966
1967         [JSC] Remove distancing for LargeAllocation
1968         https://bugs.webkit.org/show_bug.cgi?id=196335
1969
1970         Reviewed by Saam Barati.
1971
1972         In r230226, we removed distancing feature from our GC. This patch removes remaining distancing thing in LargeAllocation.
1973
1974         * heap/HeapCell.h:
1975         * heap/LargeAllocation.cpp:
1976         (JSC::LargeAllocation::tryCreate):
1977         * heap/MarkedBlock.h:
1978
1979 2019-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1980
1981         Delete WebMetal implementation in favor of WebGPU
1982         https://bugs.webkit.org/show_bug.cgi?id=195418
1983
1984         Reviewed by Dean Jackson.
1985
1986         * Configurations/FeatureDefines.xcconfig:
1987         * inspector/protocol/Canvas.json:
1988         * inspector/scripts/codegen/generator.py:
1989
1990 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
1991
1992         Assertion failed in JSC::createError
1993         https://bugs.webkit.org/show_bug.cgi?id=196305
1994         <rdar://problem/49387382>
1995
1996         Reviewed by Saam Barati.
1997
1998         JSC::createError assumes that `errorDescriptionForValue` will either
1999         throw an exception or return a valid description string. However, that
2000         is not true if the value is a rope string and we successfully resolve it,
2001         but later fail to wrap the string in quotes with `tryMakeString`.
2002
2003         * runtime/ExceptionHelpers.cpp:
2004         (JSC::createError):
2005
2006 2019-03-29  Devin Rousso  <drousso@apple.com>
2007
2008         Web Inspector: add fast returns for instrumentation hooks that have no effect before a frontend is connected
2009         https://bugs.webkit.org/show_bug.cgi?id=196382
2010         <rdar://problem/49403417>
2011
2012         Reviewed by Joseph Pecoraro.
2013
2014         Ensure that all instrumentation hooks use `FAST_RETURN_IF_NO_FRONTENDS` or check that
2015         `developerExtrasEnabled`. There should be no activity to/from any inspector objects until
2016         developer extras are enabled.
2017
2018         * inspector/agents/InspectorConsoleAgent.cpp:
2019         (Inspector::InspectorConsoleAgent::startTiming):
2020         (Inspector::InspectorConsoleAgent::stopTiming):
2021         (Inspector::InspectorConsoleAgent::count):
2022         (Inspector::InspectorConsoleAgent::addConsoleMessage):
2023
2024 2019-03-29  Cathie Chen  <cathiechen@igalia.com>
2025
2026         Implement ResizeObserver.
2027         https://bugs.webkit.org/show_bug.cgi?id=157743
2028
2029         Reviewed by Simon Fraser.
2030
2031         Add ENABLE_RESIZE_OBSERVER.
2032
2033         * Configurations/FeatureDefines.xcconfig:
2034
2035 2019-03-28  Michael Saboff  <msaboff@apple.com>
2036
2037         [YARR] Precompute BMP / non-BMP status when constructing character classes
2038         https://bugs.webkit.org/show_bug.cgi?id=196296
2039
2040         Reviewed by Keith Miller.
2041
2042         Changed CharacterClass::m_hasNonBMPCharacters into a character width bit field which
2043         indicates if the class includes characters from either BMP, non-BMP or both ranges.
2044         This allows the recognizing code to eliminate checks for the width of a matched
2045         character when the class has only one width.  The character width is needed to
2046         determine if we advance 1 or 2 characters.  Also, the pre-computed width of character
2047         classes that contain either all BMP or all non-BMP characters allows the parser to
2048         use fixed widths for terms using those character classes.  Changed both the code gen
2049         scripts and Yarr compiler to compute this bit field during the construction of
2050         character classes.
2051
2052         For JIT'ed code of character classes that contain either all BMP or all non-BMP
2053         characters, we can eliminate the generic check we were doing to compute how much
2054         to advance after successfully matching a character in the class.
2055
2056                 Generic isBMP check      BMP only            non-BMP only
2057                 --------------           --------------      --------------
2058                 inc %r9d                 inc %r9d            add $0x2, %r9d
2059                 cmp $0x10000, %eax
2060                 jl isBMP
2061                 cmp %edx, %esi
2062                 jz atEndOfString
2063                 inc %r9d
2064                 inc %esi
2065          isBMP:
2066
2067         For character classes that contained non-BMP characters, we were always generating
2068         the code in the left column.  The middle column is the code we generate for character
2069         classes that contain only BMP characters.  The right column is the code we now
2070         generate if the character class has only non-BMP characters.  In the fixed width cases,
2071         we can eliminate both the isBMP check as well as the atEndOfString check.  The
2072         atEndOfString check is eliminated since we know how many characters this character
2073         class requires and that check can be factored out to the beginning of the current
2074         alternative.  For character classes that contain both BMP and non-BMP characters,
2075         we still generate the generic left column.
2076
2077         This change is a ~8% perf progression on UniPoker and a ~2% improvement on RexBench
2078         as a whole.
2079
2080         * runtime/RegExp.cpp:
2081         (JSC::RegExp::matchCompareWithInterpreter):
2082         * runtime/RegExpInlines.h:
2083         (JSC::RegExp::matchInline):
2084         * yarr/YarrInterpreter.cpp:
2085         (JSC::Yarr::Interpreter::checkCharacterClassDontAdvanceInputForNonBMP):
2086         (JSC::Yarr::Interpreter::matchCharacterClass):
2087         * yarr/YarrJIT.cpp:
2088         (JSC::Yarr::YarrGenerator::optimizeAlternative):
2089         (JSC::Yarr::YarrGenerator::matchCharacterClass):
2090         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
2091         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
2092         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2093         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
2094         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2095         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
2096         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
2097         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2098         (JSC::Yarr::YarrGenerator::generateEnter):
2099         (JSC::Yarr::YarrGenerator::YarrGenerator):
2100         (JSC::Yarr::YarrGenerator::compile):
2101         * yarr/YarrPattern.cpp:
2102         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2103         (JSC::Yarr::CharacterClassConstructor::reset):
2104         (JSC::Yarr::CharacterClassConstructor::charClass):
2105         (JSC::Yarr::CharacterClassConstructor::addSorted):
2106         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
2107         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
2108         (JSC::Yarr::CharacterClassConstructor::characterWidths):
2109         (JSC::Yarr::PatternTerm::dump):
2110         (JSC::Yarr::anycharCreate):
2111         * yarr/YarrPattern.h:
2112         (JSC::Yarr::operator|):
2113         (JSC::Yarr::operator&):
2114         (JSC::Yarr::operator|=):
2115         (JSC::Yarr::CharacterClass::CharacterClass):
2116         (JSC::Yarr::CharacterClass::hasNonBMPCharacters):
2117         (JSC::Yarr::CharacterClass::hasOneCharacterSize):
2118         (JSC::Yarr::CharacterClass::hasOnlyNonBMPCharacters):
2119         (JSC::Yarr::PatternTerm::invert const):
2120         (JSC::Yarr::PatternTerm::invert): Deleted.
2121         * yarr/create_regex_tables:
2122         * yarr/generateYarrUnicodePropertyTables.py:
2123
2124 2019-03-28  Saam Barati  <sbarati@apple.com>
2125
2126         BackwardsGraph needs to consider back edges as the backward's root successor
2127         https://bugs.webkit.org/show_bug.cgi?id=195991
2128
2129         Reviewed by Filip Pizlo.
2130
2131         * b3/testb3.cpp:
2132         (JSC::B3::testInfiniteLoopDoesntCauseBadHoisting):
2133         (JSC::B3::run):
2134
2135 2019-03-28  Fujii Hironori  <Hironori.Fujii@sony.com>
2136
2137         Opcode.h(159,27): warning: adding 'unsigned int' to a string does not append to the string [-Wstring-plus-int]
2138         https://bugs.webkit.org/show_bug.cgi?id=196343
2139
2140         Reviewed by Saam Barati.
2141
2142         Clang reports a compilation warning and recommends '&PADDING_STRING[PADDING_STRING_LENGTH]'
2143         instead of 'PADDING_STRING + PADDING_STRING_LENGTH'.
2144
2145         * bytecode/Opcode.cpp:
2146         (JSC::padOpcodeName): Moved padOpcodeName from Opcode.h because
2147         this function is used only in Opcode.cpp. Changed macros
2148         PADDING_STRING and PADDING_STRING_LENGTH to simple variables.
2149         (JSC::compareOpcodePairIndices): Replaced pair with std::pair.
2150         * bytecode/Opcode.h:
2151         (JSC::padOpcodeName): Moved.
2152
2153 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2154
2155         CodeBlock::jettison() should disallow repatching its own calls
2156         https://bugs.webkit.org/show_bug.cgi?id=196359
2157         <rdar://problem/48973663>
2158
2159         Reviewed by Saam Barati.
2160
2161         CodeBlock::jettison() calls CommonData::invalidate, which replaces the `hlt`
2162         instruction with the jump to OSR exit. However, if the `hlt` was immediately
2163         followed by a call to the CodeBlock being jettisoned, we would write over the
2164         OSR exit address while unlinking all the incoming CallLinkInfos later in
2165         CodeBlock::jettison().
2166
2167         Change it so that we set a flag, `clearedByJettison`, in all the CallLinkInfos
2168         owned by the CodeBlock being jettisoned. If the flag is set, we will avoid
2169         repatching the call during unlinking. This is safe because this call will never
2170         be reachable again after the CodeBlock is jettisoned.
2171
2172         * bytecode/CallLinkInfo.cpp:
2173         (JSC::CallLinkInfo::CallLinkInfo):
2174         (JSC::CallLinkInfo::setCallee):
2175         (JSC::CallLinkInfo::clearCallee):
2176         (JSC::CallLinkInfo::setCodeBlock):
2177         (JSC::CallLinkInfo::clearCodeBlock):
2178         * bytecode/CallLinkInfo.h:
2179         (JSC::CallLinkInfo::clearedByJettison):
2180         (JSC::CallLinkInfo::setClearedByJettison):
2181         * bytecode/CodeBlock.cpp:
2182         (JSC::CodeBlock::jettison):
2183         * jit/Repatch.cpp:
2184         (JSC::revertCall):
2185
2186 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2187
2188         [JSC] Drop VM and Context cache map in JavaScriptCore.framework
2189         https://bugs.webkit.org/show_bug.cgi?id=196341
2190
2191         Reviewed by Saam Barati.
2192
2193         Previously, we created an Objective-C weak map to maintain JSVirtualMachine and JSContext wrappers corresponding to VM and JSGlobalObject.
2194         But an Objective-C weak map is really memory costly. Even if there is only one entry, it consumes 2.5KB per weak map. Since we can modify
2195         JSC intrusively for JavaScriptCore.framework (and we already did it, like, holding JSWrapperMap in JSGlobalObject), we can just hold
2196         a pointer to a wrapper in VM and JSGlobalObject.
2197
2198         This patch adds void* members to VM and JSGlobalObject, which hold a non-strong reference to a wrapper. When a wrapper is gone, we
2199         clear this pointer too. This removes two unnecessary Objective-C weak maps, and saves 5KB.
2200
2201         * API/JSContext.mm:
2202         (-[JSContext initWithVirtualMachine:]):
2203         (-[JSContext dealloc]):
2204         (-[JSContext initWithGlobalContextRef:]):
2205         (-[JSContext wrapperMap]):
2206         (+[JSContext contextWithJSGlobalContextRef:]):
2207         * API/JSVirtualMachine.mm:
2208         (-[JSVirtualMachine initWithContextGroupRef:]):
2209         (-[JSVirtualMachine dealloc]):
2210         (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
2211         (scanExternalObjectGraph):
2212         (scanExternalRememberedSet):
2213         (initWrapperCache): Deleted.
2214         (wrapperCache): Deleted.
2215         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Deleted.
2216         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Deleted.
2217         (-[JSVirtualMachine contextForGlobalContextRef:]): Deleted.
2218         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Deleted.
2219         * API/JSVirtualMachineInternal.h:
2220         * runtime/JSGlobalObject.h:
2221         (JSC::JSGlobalObject::setAPIWrapper):
2222         (JSC::JSGlobalObject::apiWrapper const):
2223         * runtime/VM.h:
2224
2225 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2226
2227         In-memory code cache should not share bytecode across domains
2228         https://bugs.webkit.org/show_bug.cgi?id=196321
2229
2230         Reviewed by Geoffrey Garen.
2231
2232         Use the SourceProvider's URL to make sure that the hosts match for the
2233         two SourceCodeKeys in operator==.
2234
2235         * parser/SourceCodeKey.h:
2236         (JSC::SourceCodeKey::host const):
2237         (JSC::SourceCodeKey::operator== const):
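The host check described above, as an added example rather than JSC's own SourceCodeKey: a simplified cache key that carries the source text, the provider URL and a strictness flag, with the host folded into `operator==` so that identical script text fetched from two different hosts produces two cache entries instead of one shared bytecode blob. The `hostOf` URL helper, the `CodeCache` map and the "bytecode" strings are assumptions made for this illustration; the real class keys on more fields than this.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <unordered_map>

// Host component of a URL such as "https://user@example.com:8443/app.js?v=2".
// Hypothetical helper: scheme-relative parsing only, no IPv6 literal support.
static std::string hostOf(const std::string& url) {
    size_t start = url.find("://");
    if (start == std::string::npos) return std::string();
    start += 3;
    size_t end = url.find_first_of("/?#", start);
    std::string authority = url.substr(start, end == std::string::npos ? std::string::npos : end - start);
    size_t at = authority.rfind('@');                       // drop userinfo
    if (at != std::string::npos) authority = authority.substr(at + 1);
    size_t colon = authority.rfind(':');                    // drop port
    if (colon != std::string::npos && authority.find(']') == std::string::npos) authority = authority.substr(0, colon);
    return authority;
}

// Simplified stand-in for a source code cache key.
struct SourceCodeKey {
    std::string source;   // script text
    std::string url;      // SourceProvider URL the text came from
    bool isStrict;        // compile mode; different modes must never share bytecode either

    std::string host() const { return hostOf(url); }

    // Equality compares the host as well as the text, so bytecode compiled for one origin is never handed to another.
    bool operator==(const SourceCodeKey& o) const {
        return source == o.source && isStrict == o.isStrict && host() == o.host();
    }
};

struct SourceCodeKeyHash {
    // Hash on text and mode only; the host is checked in operator==. Equal keys still hash equal, as required.
    size_t operator()(const SourceCodeKey& k) const { return std::hash<std::string>()(k.source) ^ (k.isStrict ? 1u : 0u); }
};

using CodeCache = std::unordered_map<SourceCodeKey, std::string, SourceCodeKeyHash>;

// Simulated lookup: returns the cached "bytecode" tag, or compiles a new one tagged with the host it was compiled for.
static std::string lookupOrCompile(CodeCache& cache, const SourceCodeKey& key) {
    auto it = cache.find(key);
    if (it != cache.end()) return it->second;
    std::string compiled = "bytecode@" + key.host();
    cache.emplace(key, compiled);
    return compiled;
}

// Same text, different hosts: two entries, and neither host sees the other's compiled code.
static bool sameSourceDifferentHostsDoNotShare() {
    CodeCache cache;
    SourceCodeKey a{"function f(){return 1}", "https://a.example/lib.js", false};
    SourceCodeKey b{"function f(){return 1}", "https://b.example/lib.js", false};
    return lookupOrCompile(cache, a) != lookupOrCompile(cache, b) && cache.size() == 2;
}

// Same host behind different paths, ports and userinfo: one entry is shared, as intended.
static bool sameHostSharesAcrossPaths() {
    CodeCache cache;
    SourceCodeKey a{"x", "https://a.example/one.js", false};
    SourceCodeKey b{"x", "https://user@a.example:443/two.js?v=2", false};
    return lookupOrCompile(cache, a) == lookupOrCompile(cache, b) && cache.size() == 1;
}
```

Note that the key here follows the entry in comparing the host only; a cache that wanted full same-origin isolation would compare scheme and port as well, since `http://a.example` and `https://a.example` are distinct origins but share a host.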
2238
2239 2019-03-28  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2240
2241         Silence lot of warnings when compiling with clang
2242         https://bugs.webkit.org/show_bug.cgi?id=196310
2243
2244         Reviewed by Michael Catanzaro.
2245
2246         Initialize variable with default constructor.
2247
2248         * API/glib/JSCOptions.cpp:
2249         (jsc_options_foreach):
2250
2251 2019-03-27  Saam Barati  <sbarati@apple.com>
2252
2253         validateOSREntryValue with Int52 should box the value being checked into double format
2254         https://bugs.webkit.org/show_bug.cgi?id=196313
2255         <rdar://problem/49306703>
2256
2257         Reviewed by Yusuke Suzuki.
2258
2259         * dfg/DFGOSREntry.cpp:
2260         (JSC::DFG::prepareOSREntry):
2261         * ftl/FTLLowerDFGToB3.cpp:
2262         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2263
2264 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2265
2266         [JSC] Owner of watchpoints should validate at GC finalizing phase
2267         https://bugs.webkit.org/show_bug.cgi?id=195827
2268
2269         Reviewed by Filip Pizlo.
2270
2271         This patch fixes JSC's watchpoint liveness issue by the following two policies.
2272
2273         1. Watchpoint should have an owner cell, and the "fire" operation should be guarded with the owner cell's isLive check.
2274
2275         Watchpoints should hold their owner cell, and the fire procedure should be guarded by `owner->isLive()`.
2276         When the owner cell is destroyed, these watchpoints are destroyed too. But this destruction can
2277         be delayed due to incremental sweeper. So the following condition can happen.
2278
2279         When we have a watchpoint like the following.
2280
2281             class XXXWatchpoint {
2282                 ObjectPropertyCondition m_key;
2283                 JSCell* m_owner;
2284             };
2285
2286         Both m_key's cell and m_owner are now unreachable from the root. So eventually, m_owner cell's destructor
2287         is called and this watchpoint will be destroyed. But before that, m_key's cell can be destroyed. And this
2288         watchpoint's fire procedure can be called since m_owner's destructor is not called yet. In this situation,
2289         we encounter the destroyed cell held in m_key. This problem can be avoided if we guard fire procedure with
2290         `m_owner->isLive()`. Until the owner cell is destroyed, this guard avoids "fire" procedure execution. And
2291         once the destructor of m_owner is called, this watchpoint will be destroyed too.
2292
2293         2. Watchpoint liveness should be maintained by owner cell's unconditional finalizer
2294
2295         Watchpoints often hold weak references to the other cell (like, m_key in the above example). If we do not
2296         delete watchpoints with dead cells when these weak cells become dead, these watchpoints continue holding dead cells,
2297         and the watchpoint's fire operation can use these dead cells accidentally. An isLive / isStillLive check for these weak cells
2298         in the fire operation is not useful, because these dead cells can eventually be reused for other live cells, and these
2299         isLive / isStillLive checks fail to see that these cells are live if they are reused. The appropriate way is deleting watchpoints
2300         with dead cells when finalizing GC. In this patch, we do this in unconditional finalizers in owner cells of watchpoints.
2301         We already did this in CodeBlock etc. We add the same thing to StructureRareData which owns watchpoints for toString operations.
2302
2303         * JavaScriptCore.xcodeproj/project.pbxproj:
2304         * Sources.txt:
2305         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2306         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::StructureWatchpoint): Deleted.
2307         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::PropertyWatchpoint): Deleted.
2308         * bytecode/CodeBlockJettisoningWatchpoint.h:
2309         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): Deleted.
2310         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2311         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
2312         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2313         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2314         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): Deleted.
2315         * bytecode/StructureStubClearingWatchpoint.cpp:
2316         (JSC::StructureStubClearingWatchpoint::fireInternal):
2317         (JSC::WatchpointsOnStructureStubInfo::isValid const):
2318         * bytecode/StructureStubClearingWatchpoint.h:
2319         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): Deleted.
2320         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2321         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::isValid const):
2322         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
2323         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2324         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2325         * dfg/DFGAdaptiveStructureWatchpoint.h:
2326         (JSC::DFG::AdaptiveStructureWatchpoint::key const): Deleted.
2327         * dfg/DFGDesiredWatchpoints.cpp:
2328         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2329         * heap/Heap.cpp:
2330         (JSC::Heap::finalizeUnconditionalFinalizers):
2331         * llint/LLIntSlowPaths.cpp:
2332         (JSC::LLInt::setupGetByIdPrototypeCache):
2333         * runtime/ArrayBuffer.cpp:
2334         (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
2335         * runtime/ArrayBufferNeuteringWatchpointSet.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp.
2336         (JSC::ArrayBufferNeuteringWatchpointSet::ArrayBufferNeuteringWatchpointSet):
2337         (JSC::ArrayBufferNeuteringWatchpointSet::destroy):
2338         (JSC::ArrayBufferNeuteringWatchpointSet::create):
2339         (JSC::ArrayBufferNeuteringWatchpointSet::createStructure):
2340         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
2341         * runtime/ArrayBufferNeuteringWatchpointSet.h: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h.
2342         * runtime/FunctionRareData.h:
2343         * runtime/JSGlobalObject.cpp:
2344         (JSC::JSGlobalObject::init):
2345         (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
2346         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
2347         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint): Deleted.
2348         * runtime/StructureRareData.cpp:
2349         (JSC::StructureRareData::finalizeUnconditionally):
2350         * runtime/StructureRareData.h:
2351         * runtime/VM.cpp:
2352         (JSC::VM::VM):
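The two hazards and the two policies above, as an added toy model that is not JSC's heap or watchpoint code. `Cell::isLive()` mirrors the GC meaning used in the entry ("survived the last marking phase"), which becomes false as soon as marking finishes, long before the incremental sweeper actually destroys the cell. The `ToyHeap`, `Watchpoint` and scenario functions are assumptions made for this illustration. The second scenario is the one that matters for memory safety: once the dead key's slot is reused, an `isLive()` check on the key passes again, so only dropping the watchpoint from the owner's unconditional finalizer prevents it from reading a different object at the same address.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Toy cell: "marked" is the outcome of the last GC, "destroyed" is set only when the sweeper reaches the slot.
struct Cell {
    std::string name;
    bool marked = false;     // reachable in the last marking phase
    bool destroyed = false;  // swept (destructor ran)
    bool isLive() const { return marked; }
};

struct Watchpoint {
    Cell* owner;             // cell whose lifetime bounds this watchpoint
    Cell* key;               // weakly held cell read by fire(); may die before owner is swept
    bool guardOwnerLive;     // policy 1: check owner->isLive() before firing
    std::string observed;    // what fire() read from key; empty if it refused to fire
    void fire() {
        if (guardOwnerLive && !owner->isLive()) return;
        observed = key->name;  // unguarded read: may touch a destroyed or reused cell
    }
};

struct ToyHeap {
    std::vector<Cell> cells;
    std::vector<Watchpoint> watchpoints;

    // Policy 2: the owner's unconditional finalizer drops watchpoints whose key did not survive marking.
    void finalizeUnconditionally() {
        std::vector<Watchpoint> kept;
        for (const Watchpoint& wp : watchpoints)
            if (wp.key->isLive()) kept.push_back(wp);
        watchpoints.swap(kept);
    }
    // Incremental sweeper: destroy one unmarked slot.
    void sweepSlot(size_t i) {
        if (cells[i].marked) return;
        cells[i].destroyed = true;
        cells[i].name = "<destroyed>";
    }
    // Allocator reusing a destroyed slot for a fresh, live cell at the same address.
    Cell* reuseSlot(size_t i, const std::string& name) {
        cells[i] = Cell{name, true, false};
        return &cells[i];
    }
};

// Hazard 1: owner and key are both unreachable; the sweeper destroys key first and fire() runs before
// owner is swept. Returns "" when the guard stopped it, "<destroyed>" when it touched the dead key.
static std::string fireBetweenSweeps(bool guardOwnerLive) {
    ToyHeap heap;
    heap.cells = { Cell{"owner"}, Cell{"key"} };             // neither marked: unreachable after GC
    heap.watchpoints.push_back(Watchpoint{&heap.cells[0], &heap.cells[1], guardOwnerLive});
    heap.sweepSlot(1);                                        // key dies; owner's destructor has not run yet
    heap.watchpoints[0].fire();
    return heap.watchpoints[0].observed;
}

// Hazard 2: owner is live, key is dead, and the key's slot is reused by a new cell before fire() runs.
// Returns "" if the finalizer removed the watchpoint, otherwise the name read from the reused slot.
static std::string fireAfterSlotReuse(bool runFinalizer) {
    ToyHeap heap;
    heap.cells = { Cell{"owner", true}, Cell{"key"} };        // owner survived marking, key did not
    heap.watchpoints.push_back(Watchpoint{&heap.cells[0], &heap.cells[1], true});
    if (runFinalizer) heap.finalizeUnconditionally();          // end of GC: drop watchpoints with dead keys
    heap.sweepSlot(1);
    heap.reuseSlot(1, "impostor");                            // same address, different object, isLive() true
    if (heap.watchpoints.empty()) return "";
    heap.watchpoints[0].fire();                               // owner guard passes; only the finalizer could help
    return heap.watchpoints[0].observed;
}
```

Constructed inputs only; the point of `fireAfterSlotReuse(false)` returning "impostor" is that no liveness check performed at fire time can distinguish the reused slot from the original key, which is why the entry moves the cleanup to GC finalization.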
2353
2354 2019-03-26  Saam Barati  <sbarati@apple.com>
2355
2356         FTL: Emit code to validate AI's state when running the compiled code
2357         https://bugs.webkit.org/show_bug.cgi?id=195924
2358         <rdar://problem/49003422>
2359
2360         Reviewed by Filip Pizlo.
2361
2362         This patch adds code between the execution of each node that validates
2363         the types that AI proves. This option is too expensive to turn on for our
2364         regression testing, but we think it will be valuable in other types of running
2365         modes, such as when running with a fuzzer.
2366         
2367         This patch also adds options to only probabilistically run this validation
2368         after the execution of each node. As the probability is lowered, there is
2369         less of a perf hit.
2370         
2371         This patch just adds this validation in the FTL. A follow-up patch will land
2372         it in the DFG too: https://bugs.webkit.org/show_bug.cgi?id=196219
2373
2374         * ftl/FTLLowerDFGToB3.cpp:
2375         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2376         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
2377         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2378         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2379         (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
2380         * runtime/Options.h:
2381
2382 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
2383
2384         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
2385         https://bugs.webkit.org/show_bug.cgi?id=196217
2386
2387         Reviewed by Saam Barati.
2388
2389         Generalize the fix for f32.max to properly handle NaN by doing an extra GreaterThan
2390         comparison in r243446 to all min and max float operations.
2391
2392         * wasm/WasmAirIRGenerator.cpp:
2393         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2394         (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax):
2395         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2396         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2397         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2398         * wasm/wasm.json:
2399
2400 2019-03-26  Andy VanWagoner  <andy@vanwagoner.family>
2401
2402         Intl.DateTimeFormat should obey 2-digit hour
2403         https://bugs.webkit.org/show_bug.cgi?id=195974
2404
2405         Reviewed by Keith Miller.
2406
2407         * runtime/IntlDateTimeFormat.cpp:
2408         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2409
2410 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2411
2412         Heap::isMarked and friends should be instance methods
2413         https://bugs.webkit.org/show_bug.cgi?id=179988
2414
2415         Reviewed by Saam Barati.
2416
2417         Almost all the callers of Heap::isMarked have a VM& reference. We should make Heap::isMarked an instance function instead of a static function
2418         so that we do not need to look up Heap from the cell.
2419
2420         * API/JSAPIWrapperObject.mm:
2421         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2422         * API/JSMarkingConstraintPrivate.cpp:
2423         (JSC::isMarked):
2424         * API/glib/JSAPIWrapperObjectGLib.cpp:
2425         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2426         * builtins/BuiltinExecutables.cpp:
2427         (JSC::BuiltinExecutables::finalizeUnconditionally):
2428         * bytecode/AccessCase.cpp:
2429         (JSC::AccessCase::visitWeak const):
2430         (JSC::AccessCase::propagateTransitions const):
2431         * bytecode/CallLinkInfo.cpp:
2432         (JSC::CallLinkInfo::visitWeak):
2433         * bytecode/CallLinkStatus.cpp:
2434         (JSC::CallLinkStatus::finalize):
2435         * bytecode/CallLinkStatus.h:
2436         * bytecode/CallVariant.cpp:
2437         (JSC::CallVariant::finalize):
2438         * bytecode/CallVariant.h:
2439         * bytecode/CodeBlock.cpp:
2440         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
2441         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2442         (JSC::shouldMarkTransition):
2443         (JSC::CodeBlock::propagateTransitions):
2444         (JSC::CodeBlock::determineLiveness):
2445         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2446         (JSC::CodeBlock::finalizeUnconditionally):
2447         (JSC::CodeBlock::jettison):
2448         * bytecode/CodeBlock.h:
2449         * bytecode/ExecutableToCodeBlockEdge.cpp:
2450         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2451         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
2452         (JSC::ExecutableToCodeBlockEdge::runConstraint):
2453         * bytecode/GetByIdStatus.cpp:
2454         (JSC::GetByIdStatus::finalize):
2455         * bytecode/GetByIdStatus.h:
2456         * bytecode/GetByIdVariant.cpp:
2457         (JSC::GetByIdVariant::finalize):
2458         * bytecode/GetByIdVariant.h:
2459         * bytecode/InByIdStatus.cpp:
2460         (JSC::InByIdStatus::finalize):
2461         * bytecode/InByIdStatus.h:
2462         * bytecode/InByIdVariant.cpp:
2463         (JSC::InByIdVariant::finalize):
2464         * bytecode/InByIdVariant.h:
2465         * bytecode/ObjectPropertyCondition.cpp:
2466         (JSC::ObjectPropertyCondition::isStillLive const):
2467         * bytecode/ObjectPropertyCondition.h:
2468         * bytecode/ObjectPropertyConditionSet.cpp:
2469         (JSC::ObjectPropertyConditionSet::areStillLive const):
2470         * bytecode/ObjectPropertyConditionSet.h:
2471         * bytecode/PolymorphicAccess.cpp:
2472         (JSC::PolymorphicAccess::visitWeak const):
2473         * bytecode/PropertyCondition.cpp:
2474         (JSC::PropertyCondition::isStillLive const):
2475         * bytecode/PropertyCondition.h:
2476         * bytecode/PutByIdStatus.cpp:
2477         (JSC::PutByIdStatus::finalize):
2478         * bytecode/PutByIdStatus.h:
2479         * bytecode/PutByIdVariant.cpp:
2480         (JSC::PutByIdVariant::finalize):
2481         * bytecode/PutByIdVariant.h:
2482         * bytecode/RecordedStatuses.cpp:
2483         (JSC::RecordedStatuses::finalizeWithoutDeleting):
2484         (JSC::RecordedStatuses::finalize):
2485         * bytecode/RecordedStatuses.h:
2486         * bytecode/StructureSet.cpp:
2487         (JSC::StructureSet::isStillAlive const):
2488         * bytecode/StructureSet.h:
2489         * bytecode/StructureStubInfo.cpp:
2490         (JSC::StructureStubInfo::visitWeakReferences):
2491         * dfg/DFGPlan.cpp:
2492         (JSC::DFG::Plan::finalizeInGC):
2493         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2494         * heap/GCIncomingRefCounted.h:
2495         * heap/GCIncomingRefCountedInlines.h:
2496         (JSC::GCIncomingRefCounted<T>::filterIncomingReferences):
2497         * heap/GCIncomingRefCountedSet.h:
2498         * heap/GCIncomingRefCountedSetInlines.h:
2499         (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
2500         (JSC::GCIncomingRefCountedSet<T>::sweep):
2501         (JSC::GCIncomingRefCountedSet<T>::removeAll): Deleted.
2502         (JSC::GCIncomingRefCountedSet<T>::removeDead): Deleted.
2503         * heap/Heap.cpp:
2504         (JSC::Heap::addToRememberedSet):
2505         (JSC::Heap::runEndPhase):
2506         (JSC::Heap::sweepArrayBuffers):
2507         (JSC::Heap::addCoreConstraints):
2508         * heap/Heap.h:
2509         * heap/HeapInlines.h:
2510         (JSC::Heap::isMarked):
2511         * heap/HeapSnapshotBuilder.cpp:
2512         (JSC::HeapSnapshotBuilder::appendNode):
2513         * heap/SlotVisitor.cpp:
2514         (JSC::SlotVisitor::appendToMarkStack):
2515         (JSC::SlotVisitor::visitChildren):
2516         * jit/PolymorphicCallStubRoutine.cpp:
2517         (JSC::PolymorphicCallStubRoutine::visitWeak):
2518         * runtime/ErrorInstance.cpp:
2519         (JSC::ErrorInstance::finalizeUnconditionally):
2520         * runtime/InferredValueInlines.h:
2521         (JSC::InferredValue::finalizeUnconditionally):
2522         * runtime/StackFrame.h:
2523         (JSC::StackFrame::isMarked const):
2524         * runtime/Structure.cpp:
2525         (JSC::Structure::isCheapDuringGC):
2526         (JSC::Structure::markIfCheap):
2527         * runtime/Structure.h:
2528         * runtime/TypeProfiler.cpp:
2529         (JSC::TypeProfiler::invalidateTypeSetCache):
2530         * runtime/TypeProfiler.h:
2531         * runtime/TypeSet.cpp:
2532         (JSC::TypeSet::invalidateCache):
2533         * runtime/TypeSet.h:
2534         * runtime/WeakMapImpl.cpp:
2535         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
2536         * runtime/WeakMapImplInlines.h:
2537         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
2538
2539 2019-03-25  Keith Miller  <keith_miller@apple.com>
2540
2541         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
2542         https://bugs.webkit.org/show_bug.cgi?id=196176
2543
2544         Reviewed by Saam Barati.
2545
2546         convertToCompareEqPtr should allow for either CompareStrictEq or
2547         the SameValue DFG node. This fixes the old assertion that only
2548         allowed CompareStrictEq.
2549
2550         * dfg/DFGNode.h:
2551         (JSC::DFG::Node::convertToCompareEqPtr):
2552
2553 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
2554
2555         WebAssembly: f32.max with NaN generates incorrect result
2556         https://bugs.webkit.org/show_bug.cgi?id=175691
2557         <rdar://problem/33952228>
2558
2559         Reviewed by Saam Barati.
2560
2561         Fix the B3 and Air compilation for f32.max. In order to handle the NaN
2562         case, we need an extra GreaterThan comparison on top of the existing
2563         Equal and LessThan ones.
2564
2565         * wasm/WasmAirIRGenerator.cpp:
2566         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2567         * wasm/wasm.json:
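The Equal / LessThan / GreaterThan lowering that this entry introduces for f32.max, and that the 2019-03-26 entry above generalizes to f32.min, f64.min and f64.max, as an added C++ example rather than the Air code in WasmAirIRGenerator.cpp. The naive single-compare form is shown beside it to make the failure visible: every ordered comparison against NaN is false, so `a < b ? b : a` silently returns the non-NaN operand when `b` is NaN. The sign-bit trick for the Equal arm (OR for min, AND for max, so that -0 and +0 resolve the way the WebAssembly spec requires) is my choice for the illustration, not necessarily the sequence JSC emits.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <limits>

// Bit-level helpers so the +0/-0 case can be decided without another floating-point compare.
template <typename F, typename U> static F fromBits(U u) { F f; std::memcpy(&f, &u, sizeof f); return f; }
template <typename U, typename F> static U toBits(F f) { U u; std::memcpy(&u, &f, sizeof u); return u; }

// The lowering the bug describes: one LessThan. naiveF32Max(1.0f, NaN) returns 1.0f instead of NaN.
static float naiveF32Max(float a, float b) { return a < b ? b : a; }

// Lowering with three ordered compares. Equal handles +0/-0 (equal but not interchangeable),
// LessThan and GreaterThan pick the ordered winner, and the fall-through arm is reached only
// when the operands are unordered, i.e. at least one is NaN.
template <typename F, typename U> static F wasmMin(F a, F b) {
    if (a == b) return fromBits<F, U>(toBits<U, F>(a) | toBits<U, F>(b));  // -0 wins: OR keeps a set sign bit
    if (a < b) return a;
    if (a > b) return b;
    return std::numeric_limits<F>::quiet_NaN();                            // unordered
}
template <typename F, typename U> static F wasmMax(F a, F b) {
    if (a == b) return fromBits<F, U>(toBits<U, F>(a) & toBits<U, F>(b));  // +0 wins: AND clears the sign bit
    if (a < b) return b;
    if (a > b) return a;
    return std::numeric_limits<F>::quiet_NaN();                            // unordered
}

static float  wasmF32Min(float a, float b)   { return wasmMin<float, uint32_t>(a, b); }
static float  wasmF32Max(float a, float b)   { return wasmMax<float, uint32_t>(a, b); }
static double wasmF64Min(double a, double b) { return wasmMin<double, uint64_t>(a, b); }
static double wasmF64Max(double a, double b) { return wasmMax<double, uint64_t>(a, b); }

// True when the naive form loses the NaN (the bug).
static bool naiveDropsNaN() {
    return !std::isnan(naiveF32Max(1.0f, std::numeric_limits<float>::quiet_NaN()));
}
// True when every fixed operation propagates NaN from either operand.
static bool propagatesNaN() {
    float fnan = std::numeric_limits<float>::quiet_NaN();
    double dnan = std::numeric_limits<double>::quiet_NaN();
    return std::isnan(wasmF32Max(1.0f, fnan)) && std::isnan(wasmF32Min(fnan, 1.0f))
        && std::isnan(wasmF64Max(2.0, dnan)) && std::isnan(wasmF64Min(dnan, 2.0));
}
// True when min prefers -0 and max prefers +0 in both widths.
static bool ordersSignedZeros() {
    return !std::signbit(wasmF32Max(-0.0f, 0.0f)) && std::signbit(wasmF32Min(0.0f, -0.0f))
        && !std::signbit(wasmF64Max(0.0, -0.0)) && std::signbit(wasmF64Min(-0.0, 0.0));
}
```

Compile without `-ffast-math` or any "finite math only" flag; those let the compiler assume NaN never occurs and fold the unordered arm away, which reintroduces exactly the bug the entry fixes.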
2568
2569 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2570
2571         Unreviewed, speculative fix for CLoop build on CPU(UNKNOWN)
2572         https://bugs.webkit.org/show_bug.cgi?id=195982
2573
2574         * jit/ExecutableAllocator.h:
2575         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2576
2577 2019-03-25  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2578
2579         Remove NavigatorContentUtils in WebCore/Modules
2580         https://bugs.webkit.org/show_bug.cgi?id=196070
2581
2582         Reviewed by Alex Christensen.
2583
2584         NavigatorContentUtils was added to support the custom scheme spec [1].
2585         However, on the WebKit side, no port has supported the feature in the
2586         WebKit layer since the EFL port was removed, so only the IDL
2587         implementation of NavigatorContentUtils has remained in WebCore.
2588         We don't need to keep the implementation in WebCore anymore.
2589
2590         [1] https://html.spec.whatwg.org/multipage/system-state.html#custom-handlers
2591
2592         * Configurations/FeatureDefines.xcconfig:
2593
2594 2019-03-23  Mark Lam  <mark.lam@apple.com>
2595
2596         Rolling out r243032 and r243071 because the fix is incorrect.
2597         https://bugs.webkit.org/show_bug.cgi?id=195892
2598         <rdar://problem/48981239>
2599
2600         Not reviewed.
2601
2602         The fix is incorrect: it relies on being able to determine liveness of an object
2603         in an ObjectPropertyCondition based on the state of the object's MarkedBit.
2604         However, there's no guarantee that GC has run and that the MarkedBit is already
2605         set even if the object is live.  As a result, we may not re-install adaptive
2606         watchpoints based on presumed dead objects which are actually live.
2607
2608         I'm rolling this out, and will implement a more comprehensive fix to handle
2609         watchpoint liveness later.
2610
2611         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2612         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2613         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2614         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2615         * bytecode/ObjectPropertyCondition.cpp:
2616         (JSC::ObjectPropertyCondition::dumpInContext const):
2617         * bytecode/StructureStubClearingWatchpoint.cpp:
2618         (JSC::StructureStubClearingWatchpoint::fireInternal):
2619         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2620         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2621         * runtime/StructureRareData.cpp:
2622         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2623
2624 2019-03-23  Keith Miller  <keith_miller@apple.com>
2625
2626         Refactor clz/ctz and fix getLSBSet.
2627         https://bugs.webkit.org/show_bug.cgi?id=196162
2628
2629         Reviewed by Saam Barati.
2630
2631         Refactor references of clz32/64 and ctz32 to use clz and ctz,
2632         respectively.
2633
2634         * dfg/DFGAbstractInterpreterInlines.h:
2635         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2636         * dfg/DFGOperations.cpp:
2637         * runtime/JSBigInt.cpp:
2638         (JSC::JSBigInt::digitDiv):
2639         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
2640         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2641         (JSC::JSBigInt::toStringBasePowerOfTwo):
2642         (JSC::JSBigInt::compareToDouble):
2643         * runtime/MathObject.cpp:
2644         (JSC::mathProtoFuncClz32):
2645
2646 2019-03-23  Yusuke Suzuki  <ysuzuki@apple.com>
2647
2648         [JSC] Shrink sizeof(RegExp)
2649         https://bugs.webkit.org/show_bug.cgi?id=196133
2650
2651         Reviewed by Mark Lam.
2652
2653         Some applications have many RegExp cells. But RegExp cells are very large (144B).
2654         This patch reduces the size from 144B to 48B by,
2655
2656         1. Allocate Yarr::YarrCodeBlock in non-GC heap. We can avoid this allocation if JIT is disabled.
2657         2. m_captureGroupNames and m_namedGroupToParenIndex are moved to RareData. They are only used when RegExp has named capture groups.
2658
2659         * runtime/RegExp.cpp:
2660         (JSC::RegExp::finishCreation):
2661         (JSC::RegExp::estimatedSize):
2662         (JSC::RegExp::compile):
2663         (JSC::RegExp::matchConcurrently):
2664         (JSC::RegExp::compileMatchOnly):
2665         (JSC::RegExp::deleteCode):
2666         (JSC::RegExp::printTraceData):
2667         * runtime/RegExp.h:
2668         * runtime/RegExpInlines.h:
2669         (JSC::RegExp::hasCodeFor):
2670         (JSC::RegExp::matchInline):
2671         (JSC::RegExp::hasMatchOnlyCodeFor):
2672
2673 2019-03-22  Keith Rollin  <krollin@apple.com>
2674
2675         Enable ThinLTO support in Production builds
2676         https://bugs.webkit.org/show_bug.cgi?id=190758
2677         <rdar://problem/45413233>
2678
2679         Reviewed by Daniel Bates.
2680
2681         Tweak JavaScriptCore's Base.xcconfig to be more in-line with other
2682         .xcconfig files with regards to LTO settings. However, don't actually
2683         enable LTO for JavaScriptCore. LTO is not enabled for JavaScriptCore
2684         due to <rdar://problem/24543547>.
2685
2686         * Configurations/Base.xcconfig:
2687
2688 2019-03-22  Mark Lam  <mark.lam@apple.com>
2689
2690         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
2691         https://bugs.webkit.org/show_bug.cgi?id=196154
2692         <rdar://problem/49145307>
2693
2694         Reviewed by Filip Pizlo.
2695
2696         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2697         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2698
2699 2019-03-22  Mark Lam  <mark.lam@apple.com>
2700
2701         Placate exception check validation in constructJSWebAssemblyLinkError().
2702         https://bugs.webkit.org/show_bug.cgi?id=196152
2703         <rdar://problem/49145257>
2704
2705         Reviewed by Michael Saboff.
2706
2707         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2708         (JSC::constructJSWebAssemblyLinkError):
2709
2710 2019-03-22  Timothy Hatcher  <timothy@apple.com>
2711
2712         Change macosx() to macos() in WK_API... and JSC_API... macros.
2713         https://bugs.webkit.org/show_bug.cgi?id=196106
2714
2715         Reviewed by Brian Burg.
2716
2717         * API/JSBasePrivate.h:
2718         * API/JSContext.h:
2719         * API/JSContextPrivate.h:
2720         * API/JSContextRef.h:
2721         * API/JSContextRefInternal.h:
2722         * API/JSContextRefPrivate.h:
2723         * API/JSManagedValue.h:
2724         * API/JSObjectRef.h:
2725         * API/JSObjectRefPrivate.h:
2726         * API/JSRemoteInspector.h:
2727         * API/JSScript.h:
2728         * API/JSTypedArray.h:
2729         * API/JSValue.h:
2730         * API/JSValuePrivate.h:
2731         * API/JSValueRef.h:
2732         * API/JSVirtualMachinePrivate.h:
2733
2734 2019-03-22  Yusuke Suzuki  <ysuzuki@apple.com>
2735
2736         Unreviewed, build fix for Windows
2737         https://bugs.webkit.org/show_bug.cgi?id=196122
2738
2739         * runtime/FunctionExecutable.cpp:
2740
2741 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2742
2743         [JSC] Shrink sizeof(FunctionExecutable) by 16bytes
2744         https://bugs.webkit.org/show_bug.cgi?id=196122
2745
2746         Reviewed by Saam Barati.
2747
2748         This patch reduces sizeof(FunctionExecutable) by 16 bytes.
2749
2750         1. ScriptExecutable::m_numParametersForCall and ScriptExecutable::m_numParametersForConstruct are not used in a meaningful way. Removed them.
2751         2. ScriptExecutable::m_lastLine and ScriptExecutable::m_endColumn can be calculated from UnlinkedFunctionExecutable, so FunctionExecutable does not need to hold them.
2752            This patch adds GlobalExecutable, the class for non-function ScriptExecutables, and moves m_lastLine and m_endColumn to this class.
2753         3. FunctionExecutable still needs the ability to override m_lastLine and m_endColumn. We move the overridden data into FunctionExecutable::RareData.
2754
2755         * CMakeLists.txt:
2756         * JavaScriptCore.xcodeproj/project.pbxproj:
2757         * Sources.txt:
2758         * bytecode/UnlinkedFunctionExecutable.cpp:
2759         (JSC::UnlinkedFunctionExecutable::link):
2760         * runtime/EvalExecutable.cpp:
2761         (JSC::EvalExecutable::EvalExecutable):
2762         * runtime/EvalExecutable.h:
2763         * runtime/FunctionExecutable.cpp:
2764         (JSC::FunctionExecutable::FunctionExecutable):
2765         (JSC::FunctionExecutable::ensureRareDataSlow):
2766         (JSC::FunctionExecutable::overrideInfo):
2767         * runtime/FunctionExecutable.h:
2768         * runtime/GlobalExecutable.cpp: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2769         * runtime/GlobalExecutable.h: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2770         (JSC::GlobalExecutable::lastLine const):
2771         (JSC::GlobalExecutable::endColumn const):
2772         (JSC::GlobalExecutable::recordParse):
2773         (JSC::GlobalExecutable::GlobalExecutable):
2774         * runtime/ModuleProgramExecutable.cpp:
2775         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2776         * runtime/ModuleProgramExecutable.h:
2777         * runtime/ProgramExecutable.cpp:
2778         (JSC::ProgramExecutable::ProgramExecutable):
2779         * runtime/ProgramExecutable.h:
2780         * runtime/ScriptExecutable.cpp:
2781         (JSC::ScriptExecutable::clearCode):
2782         (JSC::ScriptExecutable::installCode):
2783         (JSC::ScriptExecutable::hasClearableCode const):
2784         (JSC::ScriptExecutable::newCodeBlockFor):
2785         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2786         (JSC::ScriptExecutable::recordParse):
2787         (JSC::ScriptExecutable::lastLine const):
2788         (JSC::ScriptExecutable::endColumn const):
2789         * runtime/ScriptExecutable.h:
2790         (JSC::ScriptExecutable::hasJITCodeForCall const):
2791         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
2792         (JSC::ScriptExecutable::recordParse):
2793         (JSC::ScriptExecutable::lastLine const): Deleted.
2794         (JSC::ScriptExecutable::endColumn const): Deleted.
2795         * tools/FunctionOverrides.h:
2796
2797 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2798
2799         [JSC] Shrink sizeof(RegExpObject)
2800         https://bugs.webkit.org/show_bug.cgi?id=196130
2801
2802         Reviewed by Saam Barati.
2803
2804         sizeof(RegExpObject) is 48B due to one bool flag. We should compress this flag into the lower bit of the RegExp* field so that we can make RegExpObject 32B.
2805         It saves 1.3% of memory footprint in RAMification's regexp.
2806
2807         * dfg/DFGSpeculativeJIT.cpp:
2808         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2809         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
2810         * ftl/FTLAbstractHeapRepository.h:
2811         * ftl/FTLLowerDFGToB3.cpp:
2812         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2813         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2814         * runtime/RegExpObject.cpp:
2815         (JSC::RegExpObject::RegExpObject):
2816         (JSC::RegExpObject::visitChildren):
2817         (JSC::RegExpObject::getOwnPropertySlot):
2818         (JSC::RegExpObject::defineOwnProperty):
2819         * runtime/RegExpObject.h:
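The "compress this flag into the lower bit of the RegExp* field" idea from the entry above, as an added example that is not WebKit's implementation: any object with at least 2-byte alignment has bit 0 of its address permanently clear, so a bool can live there. `RegExpLike` is an assumed stand-in for JSC::RegExp (only its alignment matters), and `RegExpWithFlag`, `UnpackedFields`, `PackedFields` and `bytesSavedByPacking` are names chosen here. The same reasoning, applied to the unused high bits of a pointer, underlies the "16 free bits at the top" entry further down.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Stand-in for JSC::RegExp (assumption): an 8-byte aligned heap object, so the low
// three bits of any RegExpLike* are zero and bit 0 is free to carry a flag.
struct RegExpLike {
    alignas(8) int payload;
};
static_assert(alignof(RegExpLike) >= 2, "need a free low bit to store the flag");

// Stores a RegExpLike* and one bool in a single pointer-sized word.
class RegExpWithFlag {
public:
    RegExpWithFlag(RegExpLike* regExp, bool flag) { set(regExp, flag); }

    void set(RegExpLike* regExp, bool flag)
    {
        uintptr_t bits = reinterpret_cast<uintptr_t>(regExp);
        // A misaligned pointer would be silently corrupted by the tag; refuse it.
        assert(!(bits & kFlagMask) && "pointer must be aligned so bit 0 is free");
        m_bits = bits | (flag ? kFlagMask : 0);
    }

    // Masks the tag off before handing the pointer back.
    RegExpLike* regExp() const { return reinterpret_cast<RegExpLike*>(m_bits & ~kFlagMask); }
    bool flag() const { return m_bits & kFlagMask; }
    void setFlag(bool flag) { m_bits = (m_bits & ~kFlagMask) | (flag ? kFlagMask : 0); }

private:
    static constexpr uintptr_t kFlagMask = 1;
    uintptr_t m_bits;
};
static_assert(sizeof(RegExpWithFlag) == sizeof(void*), "packed field costs exactly one word");

// The two layouts side by side: a separate bool costs a whole word once padding is added.
struct UnpackedFields { RegExpLike* regExp; bool flag; };
struct PackedFields { RegExpWithFlag regExpAndFlag; };

size_t bytesSavedByPacking() { return sizeof(UnpackedFields) - sizeof(PackedFields); }

int main()
{
    RegExpLike re { 42 };
    RegExpWithFlag packed(&re, true);
    std::printf("pointer intact: %d, flag: %d\n", packed.regExp() == &re, packed.flag());
    packed.setFlag(false);
    std::printf("flag cleared: %d, pointer still intact: %d\n", !packed.flag(), packed.regExp() == &re);
    std::printf("bytes saved per object: %zu\n", bytesSavedByPacking());
    return 0;
}
```

Every read of the pointer must go through the accessor that strips the tag; a raw load of the word would hand a GC visitor or a caller an address that is off by one.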
2820
2821 2019-03-21  Tomas Popela  <tpopela@redhat.com>
2822
2823         [JSC] Fix build after r243232 on unsupported 64bit architectures
2824         https://bugs.webkit.org/show_bug.cgi?id=196072
2825
2826         Reviewed by Keith Miller.
2827
2828         As Keith suggested, we already expect 16 free bits at the top of any
2829         pointer for JSValue, even for the unsupported 64-bit arches.
2830
2831         * bytecode/CodeOrigin.h:
2832
2833 2019-03-21  Mark Lam  <mark.lam@apple.com>
2834
2835         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
2836         https://bugs.webkit.org/show_bug.cgi?id=196116
2837         <rdar://problem/48976951>
2838
2839         Reviewed by Filip Pizlo.
2840
2841         The DFG backend should not make assumptions about what optimizations the front end
2842         will or will not do.  The assertion asserts that the operand cannot be known to be
2843         a cell.  However, it is not guaranteed that the front end will fold away this case.
2844         Also, the DFG backend is perfectly capable of generating code to handle the case
2845         where the operand is a cell.
2846
2847         The attached test case demonstrates a case where the operand can be a known cell.
2848         The test needs to be run with the concurrent JIT and GC, and is racy.  It used to
2849         trip up this assertion about once every 10 runs or so.
2850
2851         * dfg/DFGSpeculativeJIT64.cpp:
2852         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2853
2854 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2855
2856         JSC::createError should clear exception thrown by errorDescriptionForValue
2857         https://bugs.webkit.org/show_bug.cgi?id=196089
2858
2859         Reviewed by Mark Lam.
2860
2861         errorDescriptionForValue returns a nullString in case of failure, but it
2862         might also throw an OOM exception when resolving a rope string. We need
2863         to clear any potential exceptions thrown by errorDescriptionForValue
2864         before returning the OOM from JSC::createError.
2865
2866         * runtime/ExceptionHelpers.cpp:
2867         (JSC::createError):
2868
2869 2019-03-21  Robin Morisset  <rmorisset@apple.com>
2870
2871         B3::Opcode can fit in a single byte, shrinking B3Value by 8 bytes
2872         https://bugs.webkit.org/show_bug.cgi?id=196014
2873
2874         Reviewed by Keith Miller.
2875
2876         B3::Opcode has fewer than one hundred cases, so it can easily fit in one byte (from two currently).
2877         This shrinks B3::Kind from 4 bytes to 2 (by removing the byte of padding at the end).
2878         This in turn eliminates padding from B3::Value, shrinking it by 8 bytes (out of 80).
2879
2880         * b3/B3Opcode.h:
2881
2882 2019-03-21  Michael Catanzaro  <mcatanzaro@igalia.com>
2883
2884         Unreviewed, more clang 3.8 build fixes
2885         https://bugs.webkit.org/show_bug.cgi?id=195947
2886         <rdar://problem/49069219>
2887
2888         In the spirit of making our code worse to please old compilers....
2889
2890         * bindings/ScriptValue.cpp:
2891         (Inspector::jsToInspectorValue):
2892         * bytecode/GetterSetterAccessCase.cpp:
2893         (JSC::GetterSetterAccessCase::create):
2894         (JSC::GetterSetterAccessCase::clone const):
2895         * bytecode/InstanceOfAccessCase.cpp:
2896         (JSC::InstanceOfAccessCase::clone const):
2897         * bytecode/IntrinsicGetterAccessCase.cpp:
2898         (JSC::IntrinsicGetterAccessCase::clone const):
2899         * bytecode/ModuleNamespaceAccessCase.cpp:
2900         (JSC::ModuleNamespaceAccessCase::clone const):
2901         * bytecode/ProxyableAccessCase.cpp:
2902         (JSC::ProxyableAccessCase::clone const):
2903
2904 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2905
2906         [JSC] Do not create JIT related data under non-JIT mode
2907         https://bugs.webkit.org/show_bug.cgi?id=195982
2908
2909         Reviewed by Mark Lam.
2910
2911         We avoid creating JIT related data structures under non-JIT mode.
2912         This patch removes the following allocations.
2913
2914         1. JITThunks
2915         2. FTLThunks
2916         3. FixedVMPoolExecutableAllocator
2917         4. noJITValueProfileSingleton since it is no longer used
2918         5. ARM disassembler should be initialized when it is used
2919         6. Wasm related data structures are accidentally allocated if VM::canUseJIT() == false &&
2920            Options::useWebAssembly() == true. Add a Wasm::isSupported() function to check both conditions.
2921
2922         * CMakeLists.txt:
2923         * JavaScriptCore.xcodeproj/project.pbxproj:
2924         * heap/Heap.cpp:
2925         (JSC::Heap::runEndPhase):
2926         * jit/ExecutableAllocator.cpp:
2927         (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
2928         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2929         (JSC::ExecutableAllocator::isValid const):
2930         (JSC::ExecutableAllocator::underMemoryPressure):
2931         (JSC::ExecutableAllocator::memoryPressureMultiplier):
2932         (JSC::ExecutableAllocator::allocate):
2933         (JSC::ExecutableAllocator::isValidExecutableMemory):
2934         (JSC::ExecutableAllocator::getLock const):
2935         (JSC::ExecutableAllocator::committedByteCount):
2936         (JSC::ExecutableAllocator::dumpProfile):
2937         (JSC::startOfFixedExecutableMemoryPoolImpl):
2938         (JSC::endOfFixedExecutableMemoryPoolImpl):
2939         (JSC::ExecutableAllocator::initialize):
2940         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
2941         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
2942         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
2943         * jit/ExecutableAllocator.h:
2944         (JSC::ExecutableAllocatorBase::isValid const):
2945         (JSC::ExecutableAllocatorBase::underMemoryPressure):
2946         (JSC::ExecutableAllocatorBase::memoryPressureMultiplier):
2947         (JSC::ExecutableAllocatorBase::dumpProfile):
2948         (JSC::ExecutableAllocatorBase::allocate):
2949         (JSC::ExecutableAllocatorBase::setJITEnabled):
2950         (JSC::ExecutableAllocatorBase::isValidExecutableMemory):
2951         (JSC::ExecutableAllocatorBase::committedByteCount):
2952         (JSC::ExecutableAllocatorBase::getLock const):
2953         (JSC::ExecutableAllocator::isValid const): Deleted.
2954         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
2955         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
2956         (JSC::ExecutableAllocator::allocate): Deleted.
2957         (JSC::ExecutableAllocator::setJITEnabled): Deleted.
2958         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
2959         (JSC::ExecutableAllocator::committedByteCount): Deleted.
2960         (JSC::ExecutableAllocator::getLock const): Deleted.
2961         * jsc.cpp:
2962         (functionWebAssemblyMemoryMode):
2963         * runtime/InitializeThreading.cpp:
2964         (JSC::initializeThreading):
2965         * runtime/JSGlobalObject.cpp:
2966         (JSC::JSGlobalObject::init):
2967         * runtime/JSLock.cpp:
2968         (JSC::JSLock::didAcquireLock):
2969         * runtime/Options.cpp:
2970         (JSC::recomputeDependentOptions):
2971         * runtime/VM.cpp:
2972         (JSC::enableAssembler):
2973         (JSC::VM::canUseAssembler):
2974         (JSC::VM::VM):
2975         * runtime/VM.h:
2976         * wasm/WasmCapabilities.h: Added.
2977         (JSC::Wasm::isSupported):
2978         * wasm/WasmFaultSignalHandler.cpp:
2979         (JSC::Wasm::enableFastMemory):
2980
2981 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2982
2983         [JSC] Fix JSC build with newer ICU
2984         https://bugs.webkit.org/show_bug.cgi?id=196098
2985
2986         Reviewed by Keith Miller.
2987
2988         IntlDateTimeFormat and IntlNumberFormat have switch statements over ICU's enums. However, they lack a "default" clause, so
2989         a compile error occurs when a new enum value is added on the ICU side. We should have a "default" clause which just falls back to
2990         the "unknown"_s case. The behavior is not changed since we already have a `return "unknown"_s;` statement after the
2991         switch statement anyway. This patch just suppresses a compile error.
2992
2993         * runtime/IntlDateTimeFormat.cpp:
2994         (JSC::IntlDateTimeFormat::partTypeString):
2995         * runtime/IntlNumberFormat.cpp:
2996         (JSC::IntlNumberFormat::partTypeString):
2997
2998 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2999
3000         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
3001         https://bugs.webkit.org/show_bug.cgi?id=196078
3002         <rdar://problem/35925380>
3003
3004         Reviewed by Mark Lam.
3005
3006         Unlike the other variations of putByIndex, it only checked if the index
3007         was larger than MIN_SPARSE_ARRAY_INDEX when the indexingType was
3008         ALL_BLANK_INDEXING_TYPES. This resulted in a huge butterfly being
3009         allocated for object literals (e.g. `{[9e4]: ...}`) and objects parsed
3010         from JSON.
3011
3012         * runtime/JSObject.cpp:
3013         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3014
3015 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
3016
3017         CachedUnlinkedSourceCodeShape::m_provider should be a CachedRefPtr
3018         https://bugs.webkit.org/show_bug.cgi?id=196079
3019
3020         Reviewed by Saam Barati.
3021
3022         It was mistakenly cached as CachedPtr, which was leaking the decoded SourceProvider.
3023
3024         * runtime/CachedTypes.cpp:
3025         (JSC::CachedUnlinkedSourceCodeShape::encode):
3026
3027 2019-03-21  Mark Lam  <mark.lam@apple.com>
3028
3029         Placate exception check validation in operationArrayIndexOfString().
3030         https://bugs.webkit.org/show_bug.cgi?id=196067
3031         <rdar://problem/49056572>
3032
3033         Reviewed by Michael Saboff.
3034
3035         * dfg/DFGOperations.cpp:
3036
3037 2019-03-21  Xan Lopez  <xan@igalia.com>
3038
3039         [JSC][x86] Drop support for x87 floating point
3040         https://bugs.webkit.org/show_bug.cgi?id=194853
3041
3042         Reviewed by Don Olmstead.
3043
3044         Require SSE2 throughout the codebase, and remove x87 support where
3045         it was optionally available. SSE2 detection happens at compile
3046         time through a static_assert.
3047
3048         * assembler/MacroAssemblerX86.h:
3049         (JSC::MacroAssemblerX86::storeDouble):
3050         (JSC::MacroAssemblerX86::moveDoubleToInts):
3051         (JSC::MacroAssemblerX86::supportsFloatingPoint):
3052         (JSC::MacroAssemblerX86::supportsFloatingPointTruncate):
3053         (JSC::MacroAssemblerX86::supportsFloatingPointSqrt):
3054         (JSC::MacroAssemblerX86::supportsFloatingPointAbs):
3055         * assembler/MacroAssemblerX86Common.cpp:
3056         * assembler/MacroAssemblerX86Common.h:
3057         (JSC::MacroAssemblerX86Common::moveDouble):
3058         (JSC::MacroAssemblerX86Common::loadDouble):
3059         (JSC::MacroAssemblerX86Common::loadFloat):
3060         (JSC::MacroAssemblerX86Common::storeDouble):
3061         (JSC::MacroAssemblerX86Common::storeFloat):
3062         (JSC::MacroAssemblerX86Common::convertDoubleToFloat):
3063         (JSC::MacroAssemblerX86Common::convertFloatToDouble):
3064         (JSC::MacroAssemblerX86Common::addDouble):
3065         (JSC::MacroAssemblerX86Common::addFloat):
3066         (JSC::MacroAssemblerX86Common::divDouble):
3067         (JSC::MacroAssemblerX86Common::divFloat):
3068         (JSC::MacroAssemblerX86Common::subDouble):
3069         (JSC::MacroAssemblerX86Common::subFloat):
3070         (JSC::MacroAssemblerX86Common::mulDouble):
3071         (JSC::MacroAssemblerX86Common::mulFloat):
3072         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
3073         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
3074         (JSC::MacroAssemblerX86Common::branchDouble):
3075         (JSC::MacroAssemblerX86Common::branchFloat):
3076         (JSC::MacroAssemblerX86Common::compareDouble):
3077         (JSC::MacroAssemblerX86Common::compareFloat):
3078         (JSC::MacroAssemblerX86Common::branchTruncateDoubleToInt32):
3079         (JSC::MacroAssemblerX86Common::truncateDoubleToInt32):
3080         (JSC::MacroAssemblerX86Common::truncateFloatToInt32):
3081         (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
3082         (JSC::MacroAssemblerX86Common::branchDoubleNonZero):
3083         (JSC::MacroAssemblerX86Common::branchDoubleZeroOrNaN):
3084         (JSC::MacroAssemblerX86Common::lshiftPacked):
3085         (JSC::MacroAssemblerX86Common::rshiftPacked):
3086         (JSC::MacroAssemblerX86Common::orPacked):
3087         (JSC::MacroAssemblerX86Common::move32ToFloat):
3088         (JSC::MacroAssemblerX86Common::moveFloatTo32):
3089         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
3090         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
3091         * offlineasm/x86.rb:
3092         * runtime/MathCommon.cpp:
3093         (JSC::operationMathPow):
3094
3095 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
3096
3097         [GLIB] User data not correctly passed to callback of functions and constructors with no parameters
3098         https://bugs.webkit.org/show_bug.cgi?id=196073
3099
3100         Reviewed by Michael Catanzaro.
3101
3102         This is because GClosure always expects the first parameter to be the instance. In the case of functions or constructors with
3103         no parameters, we insert a fake instance which is just a null pointer that is ignored by the callback. But
3104         if the function/constructor has user data, the callback will expect one parameter for the user data. In that case
3105         we can simply swap instance/user data so that the fake instance will be the second argument and the user data the
3106         first one.
3107
3108         * API/glib/JSCClass.cpp:
3109         (jscClassCreateConstructor): Use g_cclosure_new_swap() if parameters is empty and user data was provided.
3110         * API/glib/JSCValue.cpp:
3111         (jscValueFunctionCreate): Ditto.
3112
3113 2019-03-21  Pablo Saavedra  <psaavedra@igalia.com>
3114
3115         [JSC][32-bit] Build failure after r243232
3116         https://bugs.webkit.org/show_bug.cgi?id=196068
3117
3118         Reviewed by Mark Lam.
3119
3120         * dfg/DFGOSRExit.cpp:
3121         (JSC::DFG::reifyInlinedCallFrames):
3122         * dfg/DFGOSRExitCompilerCommon.cpp:
3123         (JSC::DFG::reifyInlinedCallFrames):
3124
3125 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
3126
3127         [GLib] Returning G_TYPE_OBJECT from a method does not work
3128         https://bugs.webkit.org/show_bug.cgi?id=195574
3129
3130         Reviewed by Michael Catanzaro.
3131
3132         Add more documentation to clarify the ownership of wrapped objects when created and when returned by functions.
3133
3134         * API/glib/JSCCallbackFunction.cpp:
3135         (JSC::JSCCallbackFunction::construct): Also allow returning boxed types from a constructor.
3136         * API/glib/JSCClass.cpp:
3137         * API/glib/JSCValue.cpp:
3138
3139 2019-03-21  Mark Lam  <mark.lam@apple.com>
3140
3141         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
3142         https://bugs.webkit.org/show_bug.cgi?id=196055
3143         <rdar://problem/49067448>
3144
3145         Reviewed by Yusuke Suzuki.
3146
3147         We are doing this because:
3148         1. We expect the array to be densely packed.
3149         2. SpeculativeJIT::compileAllocateNewArrayWithSize() (and the FTL equivalent)
3150            expects the array length to be less than MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH
3151            if we don't want to use an ArrayStorage shape.
3152         3. There's no reason why an array with spread needs to be that large anyway.
3153            MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH is plenty.
3154
3155         In this patch, we also add a debug assert in compileAllocateNewArrayWithSize() and
3156         emitAllocateButterfly() to check for overflows.
3157
3158         * assembler/AbortReason.h:
3159         * dfg/DFGOperations.cpp:
3160         * dfg/DFGSpeculativeJIT.cpp:
3161         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3162         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3163         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
3164         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3165         * ftl/FTLLowerDFGToB3.cpp:
3166         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3167         * runtime/ArrayConventions.h:
3168         * runtime/CommonSlowPaths.cpp:
3169         (JSC::SLOW_PATH_DECL):
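The two checks the entry above describes, a cap on the spread length and an overflow check before allocation, as an added example that is not WebKit code: the length of the array is summed with checked arithmetic and compared against the cap, and any failure sends the caller to a slow path rather than to the butterfly allocator. `kMinArrayStorageConstructionLength` is a placeholder for MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH (the entry gives no value), and `SpreadArgument` and `checkedSpreadLength` are names chosen here.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Assumed stand-in for MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH (runtime/ArrayConventions.h);
// the entry does not state its value, so this number is a placeholder.
constexpr uint32_t kMinArrayStorageConstructionLength = 100000;

// One argument of an array literal with spread: either a plain element (length 1)
// or a spread whose iterable length is already known.
struct SpreadArgument {
    bool isSpread;
    uint32_t length;   // ignored when !isSpread
};

// Returns the length of the array to allocate, or nullopt when the fast path must be
// abandoned: either the sum wraps past UINT32_MAX or it reaches the cap. The caller then
// throws a RangeError or falls back to an ArrayStorage-backed slow path instead of asking
// the butterfly allocator for a size that was computed from wrapped arithmetic.
std::optional<uint32_t> checkedSpreadLength(const std::vector<SpreadArgument>& args)
{
    uint32_t total = 0;
    for (const SpreadArgument& arg : args) {
        uint32_t contribution = arg.isSpread ? arg.length : 1;
        if (__builtin_add_overflow(total, contribution, &total))
            return std::nullopt;               // wrapped: never trust this length
    }
    if (total >= kMinArrayStorageConstructionLength)
        return std::nullopt;                   // too large for the dense fast path
    return total;
}

static const char* describe(std::optional<uint32_t> len)
{
    return len ? "fast path" : "slow path";
}

int main()
{
    // Constructed inputs: [...a, x, ...b] with |a| = 3 and |b| = 2, and a spread of UINT32_MAX.
    std::vector<SpreadArgument> small { {true, 3}, {false, 0}, {true, 2} };
    std::vector<SpreadArgument> huge { {true, UINT32_MAX}, {false, 0} };
    std::printf("small: %s (%u)\n", describe(checkedSpreadLength(small)), *checkedSpreadLength(small));
    std::printf("huge: %s\n", describe(checkedSpreadLength(huge)));
    return 0;
}
```

Checking the sum as it is built, rather than once at the end, is what makes the cap meaningful: an unchecked sum that wrapped to a small value would pass the cap comparison and undersize the allocation.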
3170
3171 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
3172
3173         [JSC] Use finalizer in JSGlobalLexicalEnvironment and JSGlobalObject
3174         https://bugs.webkit.org/show_bug.cgi?id=195992
3175
3176         Reviewed by Keith Miller and Mark Lam.
3177
3178         JSGlobalLexicalEnvironment and JSGlobalObject have their own CompleteSubspace to call destructors, even though they do not inherit from JSDestructibleObject.
3179         But it is too costly since (1) it requires a CompleteSubspace in VM, and (2) both objects allocate MarkedBlocks while the number of them is really small.
3180
3181         Instead of using CompleteSubspace, we just set finalizers for them. Since these objects are rarely allocated, setting finalizers does not cause
3182         memory / performance problems (actually, we previously used a finalizer for ArrayPrototype for the same reason, and it did not show any problems).
3183
3184         And we also add the following two changes to JSSegmentedVariableObject.
3185
3186         1. Remove one boolean used for debugging in Release build. It enlarges sizeof(JSSegmentedVariableObject) and allocates one more MarkedBlock.
3187         2. Use cellLock() instead.
3188
3189         * CMakeLists.txt:
3190         * JavaScriptCore.xcodeproj/project.pbxproj:
3191         * Sources.txt:
3192         * runtime/JSSegmentedVariableObject.cpp:
3193         (JSC::JSSegmentedVariableObject::findVariableIndex):
3194         (JSC::JSSegmentedVariableObject::addVariables):
3195         (JSC::JSSegmentedVariableObject::visitChildren):
3196         (JSC::JSSegmentedVariableObject::~JSSegmentedVariableObject):
3197         (JSC::JSSegmentedVariableObject::finishCreation):
3198         * runtime/JSSegmentedVariableObject.h:
3199         (JSC::JSSegmentedVariableObject::subspaceFor): Deleted.
3200         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Removed.
3201         * runtime/JSSegmentedVariableObjectHeapCellType.h: Removed.
3202         * runtime/StringIteratorPrototype.cpp:
3203         * runtime/VM.cpp:
3204         (JSC::VM::VM):
3205         * runtime/VM.h:
3206
3207 2019-03-20  Saam Barati  <sbarati@apple.com>
3208
3209         DFG::AbstractValue::validateOSREntry is wrong when isHeapTop and the incoming value is Empty
3210         https://bugs.webkit.org/show_bug.cgi?id=195721
3211
3212         Reviewed by Filip Pizlo.
3213
3214         There was a check in AbstractValue::validateOSREntry where it checked
3215         if isHeapTop(), and if so, just returned true. However, this is wrong
3216         if the value we're checking against is the empty value, since HeapTop
3217         does not include the Empty value. Instead, this check should be
3218         isBytecodeTop(), which does account for the empty value.
3219         
3220         This patch also does a couple of other things:
3221         - For our OSR entry AbstractValues, we were using HeapTop to mark
3222          a dead value. That is now changed to BytecodeTop. (The idea here
3223          is just to have validateOSREntry return early.)
3224         - It wasn't obvious to me how I could make this fail in JS code.
3225          The symptom we'd end up seeing is something like a nullptr dereference
3226          from forgetting to do a TDZ check. Instead, I've added a unit test.
3227          This unit test lives in a new test file: testdfg. testdfg is similar
3228          to testb3/testair/testapi.
3229
3230         * JavaScriptCore.xcodeproj/project.pbxproj:
3231         * bytecode/SpeculatedType.h:
3232         * dfg/DFGAbstractValue.h:
3233         (JSC::DFG::AbstractValue::isBytecodeTop const):
3234         (JSC::DFG::AbstractValue::validateOSREntryValue const):
3235         * dfg/testdfg.cpp: Added.
3236         (hiddenTruthBecauseNoReturnIsStupid):
3237         (usage):
3238         (JSC::DFG::testEmptyValueDoesNotValidateWithHeapTop):
3239         (JSC::DFG::run):
3240         (run):
3241         (main):
3242         * shell/CMakeLists.txt:
3243
3244 2019-03-20  Saam Barati  <sbarati@apple.com>
3245
3246         typeOfDoubleSum is wrong for when NaN can be produced
3247         https://bugs.webkit.org/show_bug.cgi?id=196030
3248
3249         Reviewed by Filip Pizlo.
3250
3251         We were using typeOfDoubleSum(SpeculatedType, SpeculatedType) for add/sub/mul.
3252         It assumed that the only way the resulting type could be NaN is if one of
3253         the inputs were NaN. However, this is wrong. NaN can be produced in at least
3254         these cases:
3255           Infinity - Infinity
3256           Infinity + (-Infinity)
3257           Infinity * 0
3258
3259         * bytecode/SpeculatedType.cpp:
3260         (JSC::typeOfDoubleSumOrDifferenceOrProduct):
3261         (JSC::typeOfDoubleSum):
3262         (JSC::typeOfDoubleDifference):
3263         (JSC::typeOfDoubleProduct):
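
Added example, not code from JavaScriptCore: a miniature speculated-type bitset that models the two abstract-interpretation bugs described in the validateOSREntry entry above and in this typeOfDoubleSum entry. Bit names follow JSC's naming, but the bit values, the separate SpecDoubleInfinity bit and the simplified rules are assumptions made for illustration. The soundness check at the end runs the concrete arithmetic and verifies that the rule's predicted type contains the concrete result, which is exactly what the buggy rule fails for Infinity - Infinity and Infinity * 0.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Added example, not JSC's SpeculatedType.h. Bit values are assumptions; the
// separate SpecDoubleInfinity bit is assumed so the NaN cases can be expressed.
using SpeculatedType = uint64_t;

constexpr SpeculatedType SpecInt32Only       = 1ull << 0;
constexpr SpeculatedType SpecDoubleReal      = 1ull << 1;   // finite doubles, including 0
constexpr SpeculatedType SpecDoubleInfinity  = 1ull << 2;   // +Infinity / -Infinity (assumed bit)
constexpr SpeculatedType SpecDoublePureNaN   = 1ull << 3;
constexpr SpeculatedType SpecDoubleImpureNaN = 1ull << 4;
constexpr SpeculatedType SpecObject          = 1ull << 5;
constexpr SpeculatedType SpecEmpty           = 1ull << 6;   // the TDZ "empty" value

constexpr SpeculatedType SpecDoubleNaN   = SpecDoublePureNaN | SpecDoubleImpureNaN;
constexpr SpeculatedType SpecFullDouble  = SpecDoubleReal | SpecDoubleInfinity | SpecDoubleNaN;
// HeapTop: anything a heap slot can hold. BytecodeTop additionally admits Empty.
constexpr SpeculatedType SpecHeapTop     = SpecInt32Only | SpecFullDouble | SpecObject;
constexpr SpeculatedType SpecBytecodeTop = SpecHeapTop | SpecEmpty;

struct AbstractValue {
    SpeculatedType type;
    bool isHeapTop() const     { return (type & SpecHeapTop) == SpecHeapTop; }
    bool isBytecodeTop() const { return (type & SpecBytecodeTop) == SpecBytecodeTop; }
};

// Buggy OSR-entry check: HeapTop short-circuits, so an incoming Empty value is
// accepted even though HeapTop does not contain Empty.
bool validateOSREntryBuggy(const AbstractValue& expected, SpeculatedType incoming) {
    if (expected.isHeapTop())
        return true;
    return (incoming & ~expected.type) == 0;
}

// Fixed check: only BytecodeTop, which does include Empty, may short-circuit.
bool validateOSREntryFixed(const AbstractValue& expected, SpeculatedType incoming) {
    if (expected.isBytecodeTop())
        return true;
    return (incoming & ~expected.type) == 0;
}

// Buggy arithmetic rule: the result may be NaN only if an operand may be NaN.
SpeculatedType typeOfDoubleSumBuggy(SpeculatedType a, SpeculatedType b) {
    SpeculatedType result = SpecDoubleReal | SpecDoubleInfinity;
    if ((a | b) & SpecDoubleNaN)
        result |= SpecDoublePureNaN;
    return result;
}

// Fixed rule: Infinity - Infinity, Infinity + (-Infinity) and Infinity * 0 all
// yield NaN, so an operand that may be Infinity also forces NaN into the result.
SpeculatedType typeOfDoubleSumFixed(SpeculatedType a, SpeculatedType b) {
    SpeculatedType result = SpecDoubleReal | SpecDoubleInfinity;
    if ((a | b) & (SpecDoubleNaN | SpecDoubleInfinity))
        result |= SpecDoublePureNaN;
    return result;
}

SpeculatedType speculationFromDouble(double d) {
    if (std::isnan(d)) return SpecDoublePureNaN;
    if (std::isinf(d)) return SpecDoubleInfinity;
    return SpecDoubleReal;
}

// Soundness check for a rule: every concrete result of x+y, x-y and x*y must
// lie inside the abstract type the rule predicts for the operands' types.
bool ruleIsSoundFor(SpeculatedType (*rule)(SpeculatedType, SpeculatedType), double x, double y) {
    const SpeculatedType predicted = rule(speculationFromDouble(x), speculationFromDouble(y));
    const double results[3] = { x + y, x - y, x * y };
    for (double r : results) {
        if (speculationFromDouble(r) & ~predicted)
            return false;
    }
    return true;
}

int main() {
    const AbstractValue heapTop { SpecHeapTop };
    std::printf("buggy validateOSREntry accepts Empty at HeapTop: %d\n", validateOSREntryBuggy(heapTop, SpecEmpty));
    std::printf("fixed validateOSREntry accepts Empty at HeapTop: %d\n", validateOSREntryFixed(heapTop, SpecEmpty));
    const double inf = std::numeric_limits<double>::infinity();
    std::printf("buggy sum rule sound for (Inf, Inf): %d\n", ruleIsSoundFor(typeOfDoubleSumBuggy, inf, inf));
    std::printf("fixed sum rule sound for (Inf, Inf): %d\n", ruleIsSoundFor(typeOfDoubleSumFixed, inf, inf));
    return 0;
}
```

The practical lesson is the one both entries share: an abstract type that claims to be "top" must actually contain every value the concrete execution can produce, otherwise the DFG will skip a check (a TDZ check, a NaN check) that the bytecode relied on.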
3264
3265 2019-03-20  Simon Fraser  <simon.fraser@apple.com>
3266
3267         Rename ENABLE_ACCELERATED_OVERFLOW_SCROLLING macro to ENABLE_OVERFLOW_SCROLLING_TOUCH
3268         https://bugs.webkit.org/show_bug.cgi?id=196049
3269
3270         Reviewed by Tim Horton.
3271
3272         This macro is about the -webkit-overflow-scrolling CSS property, not accelerated
3273         overflow scrolling in general, so rename it.
3274
3275         * Configurations/FeatureDefines.xcconfig:
3276
3277 2019-03-20  Saam Barati  <sbarati@apple.com>
3278
3279         GetCallee does not report the correct type in AI
3280         https://bugs.webkit.org/show_bug.cgi?id=195981
3281
3282         Reviewed by Yusuke Suzuki.
3283
3284         I found this as part of my work in:
3285         https://bugs.webkit.org/show_bug.cgi?id=195924
3286         
3287         I'm not sure how to write a test for it.
3288         
3289         GetCallee was always reporting that the result is SpecFunction. However,
3290         for eval, it may result in just a JSCallee object, which is not a JSFunction.
3291
3292         * dfg/DFGAbstractInterpreterInlines.h:
3293         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3294
3295 2019-03-20  Mark Lam  <mark.lam@apple.com>
3296
3297         Open source arm64e code.
3298         https://bugs.webkit.org/show_bug.cgi?id=196012
3299         <rdar://problem/49066237>
3300
3301         Reviewed by Keith Miller.
3302
3303         * JavaScriptCore.xcodeproj/project.pbxproj:
3304         * Sources.txt:
3305         * assembler/ARM64EAssembler.h: Added.
3306         (JSC::ARM64EAssembler::encodeGroup1):
3307         (JSC::ARM64EAssembler::encodeGroup2):
3308         (JSC::ARM64EAssembler::encodeGroup4):
3309         (JSC::ARM64EAssembler::pacia1716):
3310         (JSC::ARM64EAssembler::pacib1716):
3311         (JSC::ARM64EAssembler::autia1716):
3312         (JSC::ARM64EAssembler::autib1716):
3313         (JSC::ARM64EAssembler::paciaz):
3314         (JSC::ARM64EAssembler::paciasp):
3315         (JSC::ARM64EAssembler::pacibz):
3316         (JSC::ARM64EAssembler::pacibsp):
3317         (JSC::ARM64EAssembler::autiaz):
3318         (JSC::ARM64EAssembler::autiasp):
3319         (JSC::ARM64EAssembler::autibz):
3320         (JSC::ARM64EAssembler::autibsp):
3321         (JSC::ARM64EAssembler::xpaclri):
3322         (JSC::ARM64EAssembler::pacia):
3323         (JSC::ARM64EAssembler::pacib):
3324         (JSC::ARM64EAssembler::pacda):
3325         (JSC::ARM64EAssembler::pacdb):
3326         (JSC::ARM64EAssembler::autia):
3327         (JSC::ARM64EAssembler::autib):
3328         (JSC::ARM64EAssembler::autda):
3329         (JSC::ARM64EAssembler::autdb):
3330         (JSC::ARM64EAssembler::paciza):
3331         (JSC::ARM64EAssembler::pacizb):
3332         (JSC::ARM64EAssembler::pacdza):
3333         (JSC::ARM64EAssembler::pacdzb):
3334         (JSC::ARM64EAssembler::autiza):
3335         (JSC::ARM64EAssembler::autizb):
3336         (JSC::ARM64EAssembler::autdza):
3337         (JSC::ARM64EAssembler::autdzb):
3338         (JSC::ARM64EAssembler::xpaci):
3339         (JSC::ARM64EAssembler::xpacd):
3340         (JSC::ARM64EAssembler::pacga):
3341         (JSC::ARM64EAssembler::braa):
3342         (JSC::ARM64EAssembler::brab):
3343         (JSC::ARM64EAssembler::blraa):
3344         (JSC::ARM64EAssembler::blrab):
3345         (JSC::ARM64EAssembler::braaz):
3346         (JSC::ARM64EAssembler::brabz):
3347         (JSC::ARM64EAssembler::blraaz):
3348         (JSC::ARM64EAssembler::blrabz):
3349         (JSC::ARM64EAssembler::retaa):
3350         (JSC::ARM64EAssembler::retab):
3351         (JSC::ARM64EAssembler::eretaa):
3352         (JSC::ARM64EAssembler::eretab):
3353         (JSC::ARM64EAssembler::linkPointer):
3354         (JSC::ARM64EAssembler::repatchPointer):
3355         (JSC::ARM64EAssembler::setPointer):
3356         (JSC::ARM64EAssembler::readPointer):
3357         (JSC::ARM64EAssembler::readCallTarget):
3358         (JSC::ARM64EAssembler::ret):
3359         * assembler/MacroAssembler.cpp:
3360         * assembler/MacroAssembler.h:
3361         * assembler/MacroAssemblerARM64.cpp:
3362         * assembler/MacroAssemblerARM64E.h: Added.
3363         (JSC::MacroAssemblerARM64E::tagReturnAddress):
3364         (JSC::MacroAssemblerARM64E::untagReturnAddress):
3365         (JSC::MacroAssemblerARM64E::tagPtr):
3366         (JSC::MacroAssemblerARM64E::untagPtr):
3367         (JSC::MacroAssemblerARM64E::removePtrTag):
3368         (JSC::MacroAssemblerARM64E::callTrustedPtr):
3369         (JSC::MacroAssemblerARM64E::call):
3370         (JSC::MacroAssemblerARM64E::callRegister):
3371         (JSC::MacroAssemblerARM64E::jump):
3372         * dfg/DFGOSRExit.cpp:
3373         (JSC::DFG::reifyInlinedCallFrames):
3374         * dfg/DFGOSRExitCompilerCommon.cpp:
3375         (JSC::DFG::reifyInlinedCallFrames):
3376         * ftl/FTLThunks.cpp:
3377         (JSC::FTL::genericGenerationThunkGenerator):
3378         * jit/CCallHelpers.h:
3379         (JSC::CCallHelpers::prepareForTailCallSlow):
3380         * jit/CallFrameShuffler.cpp:
3381         (JSC::CallFrameShuffler::prepareForTailCall):
3382         * jit/ExecutableAllocator.cpp:
3383         (JSC::ExecutableAllocator::allocate):
3384         * jit/ThunkGenerators.cpp:
3385         (JSC::arityFixupGenerator):
3386         * llint/LLIntOfflineAsmConfig.h:
3387         * llint/LowLevelInterpreter.asm:
3388         * llint/LowLevelInterpreter64.asm:
3389         * runtime/ClassInfo.h:
3390         * runtime/InitializeThreading.cpp:
3391         (JSC::initializeThreading):
3392         * runtime/JSCPtrTag.cpp: Added.
3393         (JSC::tagForPtr):
3394         (JSC::ptrTagName):
3395         (JSC::initializePtrTagLookup):
3396         * runtime/JSCPtrTag.h:
3397         (JSC::initializePtrTagLookup):
3398         * runtime/Options.cpp:
3399         (JSC::recomputeDependentOptions):
3400
3401 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
3402
3403         JSC::createError needs to check for OOM in errorDescriptionForValue
3404         https://bugs.webkit.org/show_bug.cgi?id=196032
3405         <rdar://problem/46842740>
3406
3407         Reviewed by Mark Lam.
3408
3409         We were missing exceptions checks at two levels:
3410         - In errorDescriptionForValue, when the value is a string, we should
3411           check that JSString::value returns a valid string, since we might run
3412           out of memory if it is a rope and we need to resolve it.
3413         - In createError, we should check for the result of errorDescriptionForValue
3414           before concatenating it with the message provided by the caller.
3415
3416         * runtime/ExceptionHelpers.cpp:
3417         (JSC::errorDescriptionForValue):
3418         (JSC::createError):
3419         * runtime/ExceptionHelpers.h:
3420
3421 2019-03-20  Devin Rousso  <drousso@apple.com>
3422
3423         Web Inspector: DOM: include window as part of any event listener chain
3424         https://bugs.webkit.org/show_bug.cgi?id=195730
3425         <rdar://problem/48916872>
3426
3427         Reviewed by Timothy Hatcher.
3428
3429         * inspector/protocol/DOM.json:
3430         Modify `DOM.getEventListenersForNode` to not save the handler object, as that was never
3431         used by the frontend. Add an `onWindow` optional property to `DOM.EventListener` that is set
3432         when the event listener was retrieved from the `window` object.
3433
3434 2019-03-20  Devin Rousso  <drousso@apple.com>
3435
3436         Web Inspector: Runtime: lazily create the agent
3437         https://bugs.webkit.org/show_bug.cgi?id=195972
3438         <rdar://problem/49039655>
3439
3440         Reviewed by Timothy Hatcher.
3441
3442         * inspector/JSGlobalObjectInspectorController.cpp:
3443         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3444         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3445
3446         * inspector/agents/InspectorRuntimeAgent.h:
3447         (Inspector::InspectorRuntimeAgent::enabled): Deleted.
3448         * inspector/agents/InspectorRuntimeAgent.cpp:
3449         (Inspector::InspectorRuntimeAgent::didCreateFrontendAndBackend): Added.
3450         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
3451
3452         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3453         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3454         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend): Deleted.
3455
3456 2019-03-20  Michael Saboff  <msaboff@apple.com>
3457
3458         JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default
3459         https://bugs.webkit.org/show_bug.cgi?id=195906
3460
3461         Reviewed by Mark Lam.
3462
3463         The problem here is that we may have successfully parsed a RegExp without running out of stack,
3464         but later run out of stack when trying to JIT compile the same expression.
3465
3466         Added a check for available stack space when we call into one of the parenthesis compilation
3467         functions that recurse.  When we don't have enough stack space to recurse, we fail the JIT
3468         compilation and let the interpreter handle the expression.
3469
3470         From code inspection of the YARR interpreter it has the same issue, but I couldn't cause a failure.
3471         Filed a new bug and added a FIXME comment for the Interpreter to have similar checks.
3472         Given that we can reproduce a failure, this is sufficient for now.
3473
3474         This change is covered by the previously added failing test,
3475         JSTests/stress/dont-strength-reduce-regexp-with-compile-error.js.
3476
3477         * yarr/YarrInterpreter.cpp:
3478         (JSC::Yarr::Interpreter::interpret):
3479         * yarr/YarrJIT.cpp:
3480         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
3481         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
3482         (JSC::Yarr::YarrGenerator::opCompileBody):
3483         (JSC::Yarr::dumpCompileFailure):
3484         * yarr/YarrJIT.h:
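
Added example, not YARR's code: a small recursive compiler for nested parenthesised subpatterns that checks the remaining stack budget before each recursive step and reports a compile failure instead of overflowing, so the caller can hand the expression to an interpreter as the entry above describes. The budget, the per-level reserve and the way stack use is measured (address of a local relative to the entry frame) are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Added example, not YARR's YarrJIT.cpp. Stack accounting is an assumption.
enum class CompileResult { Success, FailureNotEnoughStack, FailureSyntax };

class ParenCompiler {
public:
    explicit ParenCompiler(size_t stackBudgetBytes) : m_budget(stackBudgetBytes) {}

    CompileResult compile(const std::string& pattern) {
        char marker = 0;
        m_stackOrigin = reinterpret_cast<uintptr_t>(&marker);   // where the entry frame sits
        m_maxDepth = 0;
        size_t pos = 0;
        const CompileResult result = compileSequence(pattern, pos, 0);
        if (result == CompileResult::Success && pos != pattern.size())
            return CompileResult::FailureSyntax;   // unmatched ')'
        return result;
    }
    size_t maxDepthReached() const { return m_maxDepth; }

private:
    static constexpr size_t kFrameReserve = 16 * 1024;   // assumed worst-case need of one more level

    bool hasStackSpaceToRecurse() const {
        char marker = 0;
        const uintptr_t here = reinterpret_cast<uintptr_t>(&marker);
        const size_t used = here < m_stackOrigin ? m_stackOrigin - here : here - m_stackOrigin;
        return used + kFrameReserve < m_budget;
    }

    // Walks literals and '(' ... ')' groups; returns on ')' so the caller can consume it.
    CompileResult compileSequence(const std::string& p, size_t& pos, size_t depth) {
        if (depth > m_maxDepth)
            m_maxDepth = depth;
        while (pos < p.size()) {
            const char c = p[pos];
            if (c == ')')
                return CompileResult::Success;
            if (c == '(') {
                if (!hasStackSpaceToRecurse())
                    return CompileResult::FailureNotEnoughStack;   // let the interpreter handle it
                ++pos;
                const CompileResult inner = compileParenthesesSubpattern(p, pos, depth + 1);
                if (inner != CompileResult::Success)
                    return inner;
                if (pos >= p.size() || p[pos] != ')')
                    return CompileResult::FailureSyntax;   // unterminated group
                ++pos;
                continue;
            }
            ++pos;   // literal: a real compiler would emit a match-character op here
        }
        return CompileResult::Success;
    }

    CompileResult compileParenthesesSubpattern(const std::string& p, size_t& pos, size_t depth) {
        // Real JIT frames are large; this scratch buffer makes each level cost
        // at least 1 KiB of stack so a small budget is exhausted quickly.
        volatile char scratch[1024];
        scratch[depth % sizeof(scratch)] = static_cast<char>(depth);
        return compileSequence(p, pos, depth);
    }

    size_t m_budget;
    uintptr_t m_stackOrigin = 0;
    size_t m_maxDepth = 0;
};

// Builds `depth` nested groups around one literal, e.g. "(((a)))" for depth 3.
std::string nestedPattern(size_t depth) {
    return std::string(depth, '(') + "a" + std::string(depth, ')');
}

int main() {
    ParenCompiler small(64 * 1024);
    ParenCompiler large(4 * 1024 * 1024);
    std::printf("depth 200, 64 KiB budget: %s\n",
        small.compile(nestedPattern(200)) == CompileResult::FailureNotEnoughStack ? "fall back to interpreter" : "jit");
    std::printf("depth 200, 4 MiB budget: %s (max depth %zu)\n",
        large.compile(nestedPattern(200)) == CompileResult::Success ? "jit" : "fall back", large.maxDepthReached());
    return 0;
}
```

The point the entry makes is that the parser and the JIT recurse with different frame sizes, so a pattern that parses fine can still exhaust the stack during compilation; the check belongs in every recursive compile entry point, not only in the parser.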
3485
3486 2019-03-20  Robin Morisset  <rmorisset@apple.com>
3487
3488         DFGNodeAllocator.h is dead code
3489         https://bugs.webkit.org/show_bug.cgi?id=196019
3490
3491         Reviewed by Yusuke Suzuki.
3492
3493         As explained by Yusuke on IRC, the comment on DFG::Node saying that it cannot have a destructor is obsolete since https://trac.webkit.org/changeset/216815/webkit.
3494         This patch removes both the comment and DFGNodeAllocator.h that that patch forgot to remove.
3495
3496         * dfg/DFGNode.h:
3497         (JSC::DFG::Node::dumpChildren):
3498         * dfg/DFGNodeAllocator.h: Removed.
3499
3500 2019-03-20  Robin Morisset  <rmorisset@apple.com>
3501
3502         Compress CodeOrigin into a single word in the common case
3503         https://bugs.webkit.org/show_bug.cgi?id=195928
3504
3505         Reviewed by Saam Barati.
3506
3507         The trick is that pointers only take 48 bits on x86_64 in practice (and we can even use the bottom three bits of that thanks to alignment), and even less on ARM64.
3508         So we can shove the bytecode index in the top bits almost all the time.
3509         If the bytecodeIndex is too ginormous (1<<16 in practice on x86_64), we just set one bit at the bottom and store a pointer to some out-of-line storage instead.
3510         Finally we represent an invalid bytecodeIndex (which used to be represented by UINT_MAX) by setting the second least significant bit.
3511
3512         The patch looks very long, but most of it is just replacing direct accesses to inlineCallFrame and bytecodeIndex by the relevant getters.
3513
3514         End result: CodeOrigin in the common case moves from 16 bytes (8 for InlineCallFrame*, 4 for unsigned bytecodeIndex, 4 of padding) to 8.
3515         As a reference, during running JetStream2 we allocate more than 35M CodeOrigins. While they won't all be alive at the same time, it is still quite a lot of objects, so I am hoping for some small
3516         improvement to RAMification from this work.
3517
3518         The one slightly tricky part is that we must implement copy and move assignment operators and constructors to make sure that any out-of-line storage belongs to a single CodeOrigin and is destroyed exactly once.
3519
3520         * bytecode/ByValInfo.h:
3521         * bytecode/CallLinkStatus.cpp:
3522         (JSC::CallLinkStatus::computeFor):
3523         * bytecode/CodeBlock.cpp:
3524         (JSC::CodeBlock::globalObjectFor):
3525         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
3526         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
3527         * bytecode/CodeOrigin.cpp:
3528         (JSC::CodeOrigin::inlineDepth const):
3529         (JSC::CodeOrigin::isApproximatelyEqualTo const):
3530         (JSC::CodeOrigin::approximateHash const):
3531         (JSC::CodeOrigin::inlineStack const):
3532         (JSC::CodeOrigin::codeOriginOwner const):
3533         (JSC::CodeOrigin::stackOffset const):
3534         (JSC::CodeOrigin::dump const):
3535         (JSC::CodeOrigin::inlineDepthForCallFrame): Deleted.
3536         * bytecode/CodeOrigin.h:
3537         (JSC::OutOfLineCodeOrigin::OutOfLineCodeOrigin):
3538         (JSC::CodeOrigin::CodeOrigin):
3539         (JSC::CodeOrigin::~CodeOrigin):
3540         (JSC::CodeOrigin::isSet const):
3541         (JSC::CodeOrigin::isHashTableDeletedValue const):
3542         (JSC::CodeOrigin::bytecodeIndex const):
3543         (JSC::CodeOrigin::inlineCallFrame const):
3544         (JSC::CodeOrigin::buildCompositeValue):
3545         (JSC::CodeOrigin::hash const):
3546         (JSC::CodeOrigin::operator== const):
3547         (JSC::CodeOrigin::exitingInlineKind const): Deleted.
3548         * bytecode/DeferredSourceDump.h:
3549         * bytecode/GetByIdStatus.cpp:
3550         (JSC::GetByIdStatus::computeForStubInfo):
3551         (JSC::GetByIdStatus::computeFor):
3552         * bytecode/ICStatusMap.cpp:
3553         (JSC::ICStatusContext::isInlined const):
3554         * bytecode/InByIdStatus.cpp:
3555         (JSC::InByIdStatus::computeFor):
3556         (JSC::InByIdStatus::computeForStubInfo):
3557         * bytecode/InlineCallFrame.cpp:
3558         (JSC::InlineCallFrame::dumpInContext const):
3559         * bytecode/InlineCallFrame.h:
3560         (JSC::InlineCallFrame::computeCallerSkippingTailCalls):
3561         (JSC::InlineCallFrame::getCallerInlineFrameSkippingTailCalls):
3562         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
3563         (JSC::CodeOrigin::walkUpInlineStack):
3564         * bytecode/InstanceOfStatus.h:
3565         * bytecode/PutByIdStatus.cpp:
3566         (JSC::PutByIdStatus::computeForStubInfo):
3567         (JSC::PutByIdStatus::computeFor):
3568         * dfg/DFGAbstractInterpreterInlines.h:
3569         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3570         * dfg/DFGArgumentsEliminationPhase.cpp:
3571         * dfg/DFGArgumentsUtilities.cpp:
3572         (JSC::DFG::argumentsInvolveStackSlot):
3573         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3574         * dfg/DFGArrayMode.h:
3575         * dfg/DFGByteCodeParser.cpp:
3576         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3577         (JSC::DFG::ByteCodeParser::setLocal):
3578         (JSC::DFG::ByteCodeParser::setArgument):
3579         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
3580         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3581         (JSC::DFG::ByteCodeParser::parseBlock):
3582         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3583         (JSC::DFG::ByteCodeParser::handlePutByVal):
3584         * dfg/DFGClobberize.h:
3585         (JSC::DFG::clobberize):
3586         * dfg/DFGConstantFoldingPhase.cpp:
3587         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3588         * dfg/DFGFixupPhase.cpp:
3589         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3590         * dfg/DFGForAllKills.h:
3591         (JSC::DFG::forAllKilledOperands):
3592         * dfg/DFGGraph.cpp:
3593         (JSC::DFG::Graph::dumpCodeOrigin):
3594         (JSC::DFG::Graph::dump):
3595         (JSC::DFG::Graph::isLiveInBytecode):
3596         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3597         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
3598         * dfg/DFGGraph.h:
3599         (JSC::DFG::Graph::executableFor):
3600         (JSC::DFG::Graph::isStrictModeFor):
3601         (JSC::DFG::Graph::hasExitSite):
3602         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
3603         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
3604         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
3605         * dfg/DFGMinifiedNode.cpp:
3606         (JSC::DFG::MinifiedNode::fromNode):
3607         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3608         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3609         * dfg/DFGOSRExit.cpp:
3610         (JSC::DFG::OSRExit::executeOSRExit):
3611         (JSC::DFG::reifyInlinedCallFrames):
3612         (JSC::DFG::adjustAndJumpToTarget):
3613         (JSC::DFG::printOSRExit):
3614         (JSC::DFG::OSRExit::compileExit):
3615         * dfg/DFGOSRExitBase.cpp:
3616         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
3617         * dfg/DFGOSRExitCompilerCommon.cpp:
3618         (JSC::DFG::handleExitCounts):
3619         (JSC::DFG::reifyInlinedCallFrames):
3620         (JSC::DFG::adjustAndJumpToTarget):
3621         * dfg/DFGOSRExitPreparation.cpp:
3622         (JSC::DFG::prepareCodeOriginForOSRExit):
3623         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3624         * dfg/DFGOperations.cpp:
3625         * dfg/DFGPreciseLocalClobberize.h:
3626         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3627         * dfg/DFGSpeculativeJIT.cpp:
3628         (JSC::DFG::SpeculativeJIT::emitGetLength):
3629         (JSC::DFG::SpeculativeJIT::emitGetCallee):
3630         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3631         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3632         (JSC::DFG::SpeculativeJIT::compileValueSub):
3633         (JSC::DFG::SpeculativeJIT::compileValueNegate):
3634         (JSC::DFG::SpeculativeJIT::compileValueMul):
3635         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
3636         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3637         * dfg/DFGSpeculativeJIT32_64.cpp:
3638         (JSC::DFG::SpeculativeJIT::emitCall):
3639         * dfg/DFGSpeculativeJIT64.cpp:
3640         (JSC::DFG::SpeculativeJIT::emitCall):
3641         (JSC::DFG::SpeculativeJIT::compile):
3642         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3643         (JSC::DFG::TierUpCheckInjectionPhase::run):
3644         (JSC::DFG::TierUpCheckInjectionPhase::canOSREnterAtLoopHint):
3645         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
3646         * dfg/DFGTypeCheckHoistingPhase.cpp:
3647         (JSC::DFG::TypeCheckHoistingPhase::run):
3648         * dfg/DFGVariableEventStream.cpp:
3649         (JSC::DFG::VariableEventStream::reconstruct const):
3650         * ftl/FTLLowerDFGToB3.cpp:
3651         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3652         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
3653         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
3654         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
3655         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
3656         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3657         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3658         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3659         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3660         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3661         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
3662         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
3663         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
3664         (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
3665         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
3666         (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const):
3667         * ftl/FTLOSRExitCompiler.cpp:
3668         (JSC::FTL::compileStub):
3669         * ftl/FTLOperations.cpp:
3670         (JSC::FTL::operationMaterializeObjectInOSR):
3671         * interpreter/CallFrame.cpp:
3672         (JSC::CallFrame::bytecodeOffset):
3673         * interpreter/StackVisitor.cpp:
3674         (JSC::StackVisitor::unwindToMachineCodeBlockFrame):
3675         (JSC::StackVisitor::readFrame):
3676         (JSC::StackVisitor::readNonInlinedFrame):
3677         (JSC::inlinedFrameOffset):
3678         (JSC::StackVisitor::readInlinedFrame):
3679         * interpreter/StackVisitor.h:
3680         * jit/AssemblyHelpers.cpp:
3681         (JSC::AssemblyHelpers::executableFor):
3682         * jit/AssemblyHelpers.h:
3683         (JSC::AssemblyHelpers::isStrictModeFor):
3684         (JSC::AssemblyHelpers::argumentsStart):
3685         (JSC::AssemblyHelpers::argumentCount):
3686         * jit/PCToCodeOriginMap.cpp:
3687         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
3688         (JSC::PCToCodeOriginMap::findPC const):
3689         * profiler/ProfilerOriginStack.cpp:
3690         (JSC::Profiler::OriginStack::OriginStack):
3691         * profiler/ProfilerOriginStack.h:
3692         * runtime/ErrorInstance.cpp:
3693         (JSC::appendSourceToError):
3694         * runtime/SamplingProfiler.cpp:
3695         (JSC::SamplingProfiler::processUnverifiedStackTraces):
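
Added example, not JSC's CodeOrigin: a class that packs an InlineCallFrame* and a bytecode index into one 64-bit word in the common case and falls back to out-of-line storage otherwise, with the copy and move operators the entry above calls out as the tricky part. Assumptions: the pointer is at least 8-byte aligned and fits in 48 bits, an inline index fits in 16 bits, bit 0 marks out-of-line storage and bit 1 marks an unset origin. The layout is illustrative, not JSC's actual encoding.

```cpp
#include <cstdint>
#include <cstdio>
#include <utility>

// Added example, not JSC's bytecode/CodeOrigin.h. Layout is an assumption.
struct InlineCallFrame { int depth; };   // stand-in for JSC's InlineCallFrame

class CompactCodeOrigin {
    static constexpr uint64_t kOutOfLineBit   = 1ull << 0;
    static constexpr uint64_t kInvalidBit     = 1ull << 1;
    static constexpr uint64_t kPointerMask    = ((1ull << 48) - 1) & ~7ull;   // bits 3..47
    static constexpr unsigned kIndexShift     = 48;
    static constexpr uint64_t kMaxInlineIndex = (1ull << 16) - 1;

    // Used only when the index (or, defensively, the pointer) does not fit inline.
    struct OutOfLine {
        InlineCallFrame* frame;
        uint32_t bytecodeIndex;
    };

    uint64_t m_bits = kInvalidBit;

    bool isOutOfLine() const { return (m_bits & kOutOfLineBit) != 0; }
    OutOfLine* outOfLine() const {
        return reinterpret_cast<OutOfLine*>(static_cast<uintptr_t>(m_bits & ~kOutOfLineBit));
    }
    void copyFrom(const CompactCodeOrigin& other) {
        if (other.isOutOfLine())
            m_bits = reinterpret_cast<uintptr_t>(new OutOfLine(*other.outOfLine())) | kOutOfLineBit;
        else
            m_bits = other.m_bits;
    }
    void release() {
        if (isOutOfLine())
            delete outOfLine();
        m_bits = kInvalidBit;
    }

public:
    CompactCodeOrigin() = default;
    CompactCodeOrigin(InlineCallFrame* frame, uint32_t bytecodeIndex) {
        const uint64_t ptr = reinterpret_cast<uintptr_t>(frame);
        if (bytecodeIndex <= kMaxInlineIndex && (ptr & ~kPointerMask) == 0)
            m_bits = ptr | (static_cast<uint64_t>(bytecodeIndex) << kIndexShift);
        else
            m_bits = reinterpret_cast<uintptr_t>(new OutOfLine { frame, bytecodeIndex }) | kOutOfLineBit;
    }
    ~CompactCodeOrigin() { release(); }

    // Out-of-line storage belongs to exactly one origin: copies deep-copy it,
    // moves transfer it and leave the source unset, so it is freed exactly once.
    CompactCodeOrigin(const CompactCodeOrigin& other) { copyFrom(other); }
    CompactCodeOrigin(CompactCodeOrigin&& other) noexcept : m_bits(other.m_bits) { other.m_bits = kInvalidBit; }
    CompactCodeOrigin& operator=(const CompactCodeOrigin& other) {
        if (this != &other) { release(); copyFrom(other); }
        return *this;
    }
    CompactCodeOrigin& operator=(CompactCodeOrigin&& other) noexcept {
        if (this != &other) { release(); m_bits = other.m_bits; other.m_bits = kInvalidBit; }
        return *this;
    }

    bool isSet() const { return (m_bits & kInvalidBit) == 0; }
    bool usesOutOfLineStorage() const { return isOutOfLine(); }
    InlineCallFrame* inlineCallFrame() const {
        if (isOutOfLine()) return outOfLine()->frame;
        return reinterpret_cast<InlineCallFrame*>(static_cast<uintptr_t>(m_bits & kPointerMask));
    }
    uint32_t bytecodeIndex() const {
        if (isOutOfLine()) return outOfLine()->bytecodeIndex;
        return static_cast<uint32_t>(m_bits >> kIndexShift);
    }
};
static_assert(sizeof(CompactCodeOrigin) == 8, "common case is one word");

static InlineCallFrame sampleFrame { 1 };   // constructed sample frame

// Copies, moves and copy-assigns an origin; true when every copy observed the
// same contents and the moved-from source was left unset.
bool copyAndMoveRoundTrip(uint32_t bytecodeIndex) {
    CompactCodeOrigin original(&sampleFrame, bytecodeIndex);
    CompactCodeOrigin copy(original);
    CompactCodeOrigin moved(std::move(copy));
    CompactCodeOrigin assigned;
    assigned = moved;
    return original.bytecodeIndex() == bytecodeIndex && moved.bytecodeIndex() == bytecodeIndex
        && assigned.inlineCallFrame() == &sampleFrame && !copy.isSet();
}

int main() {
    CompactCodeOrigin inlineOrigin(&sampleFrame, 42);
    CompactCodeOrigin bigOrigin(&sampleFrame, 70000);   // does not fit in 16 bits: out-of-line
    std::printf("index 42: out-of-line=%d index=%u\n", inlineOrigin.usesOutOfLineStorage(), inlineOrigin.bytecodeIndex());
    std::printf("index 70000: out-of-line=%d index=%u, round trip ok=%d\n",
        bigOrigin.usesOutOfLineStorage(), bigOrigin.bytecodeIndex(), copyAndMoveRoundTrip(70000));
    return 0;
}
```

Note the defensive pointer check in the constructor: if a pointer ever carries bits above 47 (or is not 8-byte aligned), it goes out-of-line instead of being silently truncated, which is the failure mode to guard against whenever a tagged-pointer scheme relies on "pointers only take 48 bits in practice".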
3696
3697 2019-03-20  Devin Rousso  <drousso@apple.com>
3698
3699         Web Inspector: Search: allow DOM searches to be case sensitive
3700         https://bugs.webkit.org/show_bug.cgi?id=194673
3701         <rdar://problem/48087577>
3702
3703         Reviewed by Timothy Hatcher.
3704
3705         Since `DOM.performSearch` also searches by selector and XPath, some results may appear
3706         unexpected. As an example, searching for "BoDy" will still return the <body> as a result,
3707         as although the literal node name ("BODY") didn't match, it did match via selector/XPath.
3708
3709         * inspector/protocol/DOM.json:
3710         Allow `DOM.performSearch` to be case sensitive.
3711
3712 2019-03-20  Saam Barati  <sbarati@apple.com>
3713
3714         AI rule for ValueBitNot/ValueBitXor/ValueBitAnd/ValueBitOr is wrong
3715         https://bugs.webkit.org/show_bug.cgi?id=195980
3716
3717         Reviewed by Yusuke Suzuki.
3718
3719         They were all saying they could be type: (SpecBoolInt32, SpecBigInt)
3720         However, they should have been type: (SpecInt32Only, SpecBigInt)
3721
3722         * dfg/DFGAbstractInterpreterInlines.h:
3723         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3724
3725 2019-03-20  Michael Catanzaro  <mcatanzaro@igalia.com>
3726
3727         Remove copyRef() calls added in r243163
3728         https://bugs.webkit.org/show_bug.cgi?id=195962
3729
3730         Reviewed by Chris Dumez.
3731
3732         As best I can tell, this may be a GCC 9 bug. It shouldn't warn about this case because the return
3733         value is noncopyable and the WTFMove() is absolutely required. We can avoid the warning
3734         without refcount churn by introducing an intermediate variable.
3735
3736         * inspector/scripts/codegen/cpp_generator_templates.py:
3737
3738 2019-03-20  Carlos Garcia Campos  <cgarcia@igalia.com>
3739
3740         [GLIB] Optimize jsc_value_object_define_property_data|accessor
3741         https://bugs.webkit.org/show_bug.cgi?id=195679
3742
3743         Reviewed by Saam Barati.
3744
3745         Use direct C++ call instead of using the JSC GLib API to create the descriptor object and invoke Object.defineProperty().
3746
3747         * API/glib/JSCValue.cpp:
3748         (jsc_value_object_define_property_data):
3749         (jsc_value_object_define_property_accessor):
3750
3751 2019-03-19  Devin Rousso  <drousso@apple.com>
3752
3753         Web Inspector: Debugger: lazily create the agent
3754         https://bugs.webkit.org/show_bug.cgi?id=195973
3755         <rdar://problem/49039674>
3756
3757         Reviewed by Joseph Pecoraro.
3758
3759         * inspector/JSGlobalObjectInspectorController.cpp:
3760         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3761         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
3762         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3763
3764         * inspector/JSGlobalObjectConsoleClient.h:
3765         (Inspector::JSGlobalObjectConsoleClient::setInspectorDebuggerAgent): Added.
3766         * inspector/JSGlobalObjectConsoleClient.cpp:
3767         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
3768         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
3769         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
3770
3771         * inspector/agents/InspectorDebuggerAgent.h:
3772         (Inspector::InspectorDebuggerAgent::addListener): Added.
3773         (Inspector::InspectorDebuggerAgent::removeListener): Added.
3774         (Inspector::InspectorDebuggerAgent::setListener): Deleted.
3775         * inspector/agents/InspectorDebuggerAgent.cpp:
3776         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
3777         (Inspector::InspectorDebuggerAgent::enable):
3778         (Inspector::InspectorDebuggerAgent::disable):
3779         (Inspector::InspectorDebuggerAgent::getScriptSource):
3780         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3781         (Inspector::InspectorDebuggerAgent::didPause):
3782         (Inspector::InspectorDebuggerAgent::breakProgram):
3783         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
3784         Drive-by: reorder some member variables for better sizing.
3785         Drive-by: rename some member variables for clarity.
3786
3787 2019-03-19  Saam barati  <sbarati@apple.com>
3788
3789         Prune code after ForceOSRExit
3790         https://bugs.webkit.org/show_bug.cgi?id=195913
3791
3792         Reviewed by Keith Miller.
3793
3794         I removed our original implementation of this in r242989 because
3795         it was not sound. It broke backwards propagation because it removed
3796         uses of a node that backwards propagation relied on to be sound.
3797         Essentially, backwards propagation relies on being able to see uses
3798         that would exist in bytecode to be sound.
3799         
3800         The rollout in r242989 was a 1% Speedometer2 regression. This patch
3801         rolls back in the optimization in a sound way.
3802         
3803         This patch augments the code we had prior to r242989 to be sound. In
3804         addition to preserving liveness, we now also convert all uses after
3805         the ForceOSRExit to be Phantom. This may pessimize the optimizations
3806         we do in backwards propagation, but it will prevent that phase from
3807         making unsound optimizations.
3808
3809         * dfg/DFGByteCodeParser.cpp:
3810         (JSC::DFG::ByteCodeParser::addToGraph):
3811         (JSC::DFG::ByteCodeParser::parse):
3812
3813 2019-03-19  Michael Catanzaro  <mcatanzaro@igalia.com>
3814
3815         Build cleanly with GCC 9
3816         https://bugs.webkit.org/show_bug.cgi?id=195920
3817
3818         Reviewed by Chris Dumez.
3819
3820         WebKit triggers three new GCC 9 warnings:
3821
3822         """
3823         -Wdeprecated-copy, implied by -Wextra, warns about the C++11 deprecation of implicitly
3824         declared copy constructor and assignment operator if one of them is user-provided.
3825         """
3826
3827         Solution is to either add a copy constructor or copy assignment operator, if required, or
3828         else remove one if it is redundant.
3829
3830         """
3831         -Wredundant-move, implied by -Wextra, warns about redundant calls to std::move.
3832         -Wpessimizing-move, implied by -Wall, warns when a call to std::move prevents copy elision.
3833         """
3834
3835         These account for most of this patch. Solution is to just remove the bad WTFMove().
3836
3837         Additionally, -Wclass-memaccess has been enhanced to catch a few cases that GCC 8 didn't.
3838         These are solved by casting nontrivial types to void* before using memcpy. (Of course, it
3839         would be safer to not use memcpy on nontrivial types, but that's too complex for this
3840         patch. Searching for memcpy used with static_cast<void*> will reveal other cases to fix.)
3841
3842         * b3/B3ValueRep.h:
3843         * bindings/ScriptValue.cpp:
3844         (Inspector::jsToInspectorValue):
3845         * bytecode/GetterSetterAccessCase.cpp:
3846         (JSC::GetterSetterAccessCase::create):
3847         (JSC::GetterSetterAccessCase::clone const):
3848         * bytecode/InstanceOfAccessCase.cpp:
3849         (JSC::InstanceOfAccessCase::clone const):
3850         * bytecode/IntrinsicGetterAccessCase.cpp:
3851         (JSC::IntrinsicGetterAccessCase::clone const):
3852         * bytecode/ModuleNamespaceAccessCase.cpp:
3853         (JSC::ModuleNamespaceAccessCase::clone const):
3854         * bytecode/ProxyableAccessCase.cpp:
3855         (JSC::ProxyableAccessCase::clone const):
3856         * bytecode/StructureSet.h:
3857         * debugger/Breakpoint.h:
3858         * dfg/DFGRegisteredStructureSet.h:
3859         * inspector/agents/InspectorDebuggerAgent.cpp:
3860         (Inspector::buildDebuggerLocation):
3861         * inspector/scripts/codegen/cpp_generator_templates.py:
3862         * parser/UnlinkedSourceCode.h:
3863         * wasm/WasmAirIRGenerator.cpp:
3864         (JSC::Wasm::parseAndCompileAir):
3865         * wasm/WasmB3IRGenerator.cpp:
3866         (JSC::Wasm::parseAndCompile):
3867         * wasm/WasmNameSectionParser.cpp:
3868         (JSC::Wasm::NameSectionParser::parse):
3869         * wasm/WasmStreamingParser.cpp:
3870         (JSC::Wasm::StreamingParser::consume):
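
Added example, not code from this patch: the warning-free shapes for the three GCC 9 diagnostics the entry describes, plus a stricter alternative to the void* cast for -Wclass-memaccess that goes one step beyond the patch by rejecting non-trivial types at compile time, which is the safer direction the entry itself points at. Type and function names are illustrative.

```cpp
#include <cstring>
#include <string>
#include <type_traits>

// Added example; names are illustrative and not from the WebKit tree.

// -Wdeprecated-copy: once a copy constructor is user-provided, relying on the
// implicitly declared copy-assignment operator is deprecated. Provide both.
struct Counter {
    int value = 0;
    int copies = 0;   // how many copy operations produced this object's state
    Counter() = default;
    Counter(const Counter& other) : value(other.value), copies(other.copies + 1) {}
    Counter& operator=(const Counter& other) {
        value = other.value;
        copies = other.copies + 1;
        return *this;
    }
};

// -Wpessimizing-move / -Wredundant-move: `return WTFMove(local);` either
// defeats copy elision or is a no-op. Returning the local directly is the fix.
std::string buildName(const char* prefix) {
    std::string local(prefix);
    local += "-suffix";
    return local;   // not std::move(local)
}

// -Wclass-memaccess: memcpy over a non-trivial type. The patch silences the
// warning by casting to void*; this helper instead admits only trivially
// copyable types, so a non-trivial T is a compile error rather than a silent
// bypass of its copy constructor.
template<typename T>
void bitwiseCopy(T& destination, const T& source) {
    static_assert(std::is_trivially_copyable<T>::value, "use the copy constructor for non-trivial types");
    std::memcpy(static_cast<void*>(&destination), static_cast<const void*>(&source), sizeof(T));
}

struct Pod { int a; double b; };   // trivially copyable, so bitwiseCopy is allowed

// Returns the copy count after one copy construction and one copy assignment.
int copiesAfterCopyAndAssign() {
    Counter original;
    original.value = 7;
    Counter constructed(original);   // copies == 1
    Counter assigned;
    assigned = constructed;          // copies == 2
    return assigned.copies;
}

bool podRoundTrips() {
    Pod source { 1, 2.5 };
    Pod destination { 0, 0.0 };
    bitwiseCopy(destination, source);
    return destination.a == 1 && destination.b == 2.5;
}
```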
3871
3872 2019-03-19  Saam Barati  <sbarati@apple.com>
3873
3874         Style fix: remove C style cast in Instruction.h
3875         https://bugs.webkit.org/show_bug.cgi?id=195917
3876