AbstractValue::validateOSREntryValue is wrong for Int52 constants
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-04-10  Saam Barati  <sbarati@apple.com>
2
3         AbstractValue::validateOSREntryValue is wrong for Int52 constants
4         https://bugs.webkit.org/show_bug.cgi?id=196801
5         <rdar://problem/49771122>
6
7         Reviewed by Yusuke Suzuki.
8
9         validateOSREntryValue should not care about the format of the incoming
10         value for Int52s. This patch normalizes the format of m_value and
11         the incoming value when comparing them.
12
13         * dfg/DFGAbstractValue.h:
14         (JSC::DFG::AbstractValue::validateOSREntryValue const):
15
16 2019-04-10  Saam Barati  <sbarati@apple.com>
17
18         ArithSub over Int52 has shouldCheckOverflow as always true
19         https://bugs.webkit.org/show_bug.cgi?id=196796
20
21         Reviewed by Yusuke Suzuki.
22
23         AI was checking for ArithSub over Int52 if !shouldCheckOverflow. However,
24         shouldCheckOverflow is always true, so !shouldCheckOverflow is always
25         false. We shouldn't check something we assert against.
26
27         * dfg/DFGAbstractInterpreterInlines.h:
28         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
29
30 2019-04-10  Basuke Suzuki  <basuke.suzuki@sony.com>
31
32         [PlayStation] Specify byte order clearly on Remote Inspector Protocol
33         https://bugs.webkit.org/show_bug.cgi?id=196790
34
35         Reviewed by Ross Kirsling.
36
37         The original implementation lacks a byte order specification. Network byte order is a
38         good candidate if there's no strong reason to choose another.
39         Currently no client exists for the PlayStation remote inspector protocol, so we can
40         change the byte order without care.
41
42         * inspector/remote/playstation/RemoteInspectorMessageParserPlayStation.cpp:
43         (Inspector::MessageParser::createMessage):
44         (Inspector::MessageParser::parse):
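The entry above only states that the message framing now uses network byte order; it does not spell out the frame layout. The following is an added example, not code from this ChangeLog or from WebKit, that shows the defensive shape such a parser takes: a 4-byte big-endian length prefix written and read byte by byte (so the host's endianness never leaks into the wire format), an upper bound on the declared length so a hostile peer cannot force a huge allocation, and buffering of partial reads. The layout, the `kMaxMessageSize` bound and the class and method names are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Assumed frame layout (constructed for this example, not the real PlayStation protocol):
//   u32 length (network byte order, i.e. big-endian) | length bytes of message body
constexpr size_t kHeaderSize = 4;
constexpr uint32_t kMaxMessageSize = 16 * 1024 * 1024; // constructed sanity bound on a single frame

// Serialize one message. The length is emitted most-significant byte first by shifting,
// which is correct on little- and big-endian hosts alike.
std::vector<uint8_t> createMessage(const std::string& body) {
    uint32_t len = static_cast<uint32_t>(body.size());
    std::vector<uint8_t> out;
    out.reserve(kHeaderSize + body.size());
    out.push_back(static_cast<uint8_t>(len >> 24));
    out.push_back(static_cast<uint8_t>(len >> 16));
    out.push_back(static_cast<uint8_t>(len >> 8));
    out.push_back(static_cast<uint8_t>(len));
    out.insert(out.end(), body.begin(), body.end());
    return out;
}

// Incremental parser: bytes arrive in arbitrary chunks; complete frames are collected in order.
class MessageParser {
public:
    // Returns false when the stream declares an implausible length; the caller should drop the connection.
    bool parse(const uint8_t* data, size_t size) {
        m_buffer.insert(m_buffer.end(), data, data + size);
        size_t pos = 0;
        while (m_buffer.size() - pos >= kHeaderSize) {
            // Decode the big-endian length explicitly rather than reinterpreting memory.
            uint32_t len = (uint32_t(m_buffer[pos]) << 24) | (uint32_t(m_buffer[pos + 1]) << 16)
                | (uint32_t(m_buffer[pos + 2]) << 8) | uint32_t(m_buffer[pos + 3]);
            if (len > kMaxMessageSize) {
                m_buffer.clear();
                return false;
            }
            if (m_buffer.size() - pos - kHeaderSize < len)
                break; // body not fully received yet; keep the partial frame buffered
            m_messages.emplace_back(reinterpret_cast<const char*>(m_buffer.data() + pos + kHeaderSize), len);
            pos += kHeaderSize + len;
        }
        m_buffer.erase(m_buffer.begin(), m_buffer.begin() + pos);
        return true;
    }

    const std::vector<std::string>& messages() const { return m_messages; }
    size_t bufferedBytes() const { return m_buffer.size(); }

private:
    std::vector<uint8_t> m_buffer;
    std::vector<std::string> m_messages;
};
```

The length bound is the part worth keeping even when the rest is adapted: without it, a single crafted header makes the receiver reserve whatever the peer asks for before any body bytes have arrived.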
45
46 2019-04-10  Devin Rousso  <drousso@apple.com>
47
48         Web Inspector: Inspector: lazily create the agent
49         https://bugs.webkit.org/show_bug.cgi?id=195971
50         <rdar://problem/49039645>
51
52         Reviewed by Joseph Pecoraro.
53
54         * inspector/JSGlobalObjectInspectorController.cpp:
55         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
56         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
57         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
58         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
59
60         * inspector/agents/InspectorAgent.h:
61         * inspector/agents/InspectorAgent.cpp:
62
63 2019-04-10  Saam Barati  <sbarati@apple.com>
64
65         Work around an arm64_32 LLVM miscompile bug
66         https://bugs.webkit.org/show_bug.cgi?id=196788
67
68         Reviewed by Yusuke Suzuki.
69
70         * runtime/CachedTypes.cpp:
71
72 2019-04-10  Devin Rousso  <drousso@apple.com>
73
74         Web Inspector: Timelines: can't reliably stop/start a recording
75         https://bugs.webkit.org/show_bug.cgi?id=196778
76         <rdar://problem/47606798>
77
78         Reviewed by Timothy Hatcher.
79
80         * inspector/protocol/ScriptProfiler.json:
81         * inspector/protocol/Timeline.json:
82         It is possible to determine when programmatic capturing starts/stops in the frontend based
83         on the state when the backend causes the state to change, such as if the state is "inactive"
84         when the frontend is told that the backend has started capturing.
85
86         * inspector/protocol/CPUProfiler.json:
87         * inspector/protocol/Memory.json:
88         Send an end timestamp to match other instruments.
89
90         * inspector/JSGlobalObjectConsoleClient.cpp:
91         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
92         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
93
94         * inspector/agents/InspectorScriptProfilerAgent.h:
95         * inspector/agents/InspectorScriptProfilerAgent.cpp:
96         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
97         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
98         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
99
100 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
101
102         Unreviewed, fix watch build after r244143
103         https://bugs.webkit.org/show_bug.cgi?id=195000
104
105         The result of `lseek` should be `off_t` rather than `int`.
106
107         * jsc.cpp:
108
109 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
110
111         Add support for incremental bytecode cache updates
112         https://bugs.webkit.org/show_bug.cgi?id=195000
113
114         Reviewed by Filip Pizlo.
115
116         Add support for incremental updates to the bytecode cache. The cache
117         is constructed as follows:
118         - When the cache is empty, the initial payload can be added to the BytecodeCache
119         by calling BytecodeCache::addGlobalUpdate. This represents the encoded
120         top-level UnlinkedCodeBlock.
121         - Afterwards, updates can be added by calling BytecodeCache::addFunctionUpdate.
122         The update is applied by appending the encoded UnlinkedFunctionCodeBlock
123         to the existing cache and updating the CachedFunctionExecutableMetadata
124         and the offset of the new CachedFunctionCodeBlock in the owner CachedFunctionExecutable.
125
126         * API/JSScript.mm:
127         (-[JSScript readCache]):
128         (-[JSScript isUsingBytecodeCache]):
129         (-[JSScript init]):
130         (-[JSScript cachedBytecode]):
131         (-[JSScript writeCache:]):
132         * API/JSScriptInternal.h:
133         * API/JSScriptSourceProvider.h:
134         * API/JSScriptSourceProvider.mm:
135         (JSScriptSourceProvider::cachedBytecode const):
136         * CMakeLists.txt:
137         * JavaScriptCore.xcodeproj/project.pbxproj:
138         * Sources.txt:
139         * bytecode/UnlinkedFunctionExecutable.cpp:
140         (JSC::generateUnlinkedFunctionCodeBlock):
141         * jsc.cpp:
142         (ShellSourceProvider::~ShellSourceProvider):
143         (ShellSourceProvider::cachePath const):
144         (ShellSourceProvider::loadBytecode const):
145         (ShellSourceProvider::ShellSourceProvider):
146         (ShellSourceProvider::cacheEnabled):
147         * parser/SourceProvider.h:
148         (JSC::SourceProvider::cachedBytecode const):
149         (JSC::SourceProvider::updateCache const):
150         (JSC::SourceProvider::commitCachedBytecode const):
151         * runtime/CachePayload.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
152         (JSC::CachePayload::makeMappedPayload):
153         (JSC::CachePayload::makeMallocPayload):
154         (JSC::CachePayload::makeEmptyPayload):
155         (JSC::CachePayload::CachePayload):
156         (JSC::CachePayload::~CachePayload):
157         (JSC::CachePayload::operator=):
158         (JSC::CachePayload::freeData):
159         * runtime/CachePayload.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
160         (JSC::CachePayload::data const):
161         (JSC::CachePayload::size const):
162         (JSC::CachePayload::CachePayload):
163         * runtime/CacheUpdate.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
164         (JSC::CacheUpdate::CacheUpdate):
165         (JSC::CacheUpdate::operator=):
166         (JSC::CacheUpdate::isGlobal const):
167         (JSC::CacheUpdate::asGlobal const):
168         (JSC::CacheUpdate::asFunction const):
169         * runtime/CacheUpdate.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
170         * runtime/CachedBytecode.cpp: Added.
171         (JSC::CachedBytecode::addGlobalUpdate):
172         (JSC::CachedBytecode::addFunctionUpdate):
173         (JSC::CachedBytecode::copyLeafExecutables):
174         (JSC::CachedBytecode::commitUpdates const):
175         * runtime/CachedBytecode.h: Added.
176         (JSC::CachedBytecode::create):
177         (JSC::CachedBytecode::leafExecutables):
178         (JSC::CachedBytecode::data const):
179         (JSC::CachedBytecode::size const):
180         (JSC::CachedBytecode::hasUpdates const):
181         (JSC::CachedBytecode::sizeForUpdate const):
182         (JSC::CachedBytecode::CachedBytecode):
183         * runtime/CachedTypes.cpp:
184         (JSC::Encoder::addLeafExecutable):
185         (JSC::Encoder::release):
186         (JSC::Decoder::Decoder):
187         (JSC::Decoder::create):
188         (JSC::Decoder::size const):
189         (JSC::Decoder::offsetOf):
190         (JSC::Decoder::ptrForOffsetFromBase):
191         (JSC::Decoder::addLeafExecutable):
192         (JSC::VariableLengthObject::VariableLengthObject):
193         (JSC::VariableLengthObject::buffer const):
194         (JSC::CachedPtrOffsets::offsetOffset):
195         (JSC::CachedWriteBarrierOffsets::ptrOffset):
196         (JSC::CachedFunctionExecutable::features const):
197         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
198         (JSC::CachedFunctionExecutableOffsets::codeBlockForCallOffset):
199         (JSC::CachedFunctionExecutableOffsets::codeBlockForConstructOffset):
200         (JSC::CachedFunctionExecutableOffsets::metadataOffset):
201         (JSC::CachedFunctionExecutable::encode):
202         (JSC::CachedFunctionExecutable::decode const):
203         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
204         (JSC::encodeCodeBlock):
205         (JSC::encodeFunctionCodeBlock):
206         (JSC::decodeCodeBlockImpl):
207         (JSC::isCachedBytecodeStillValid):
208         * runtime/CachedTypes.h:
209         (JSC::VariableLengthObjectBase::VariableLengthObjectBase):
210         (JSC::decodeCodeBlock):
211         * runtime/CodeCache.cpp:
212         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
213         (JSC::CodeCache::updateCache):
214         (JSC::CodeCache::write):
215         (JSC::writeCodeBlock):
216         (JSC::serializeBytecode):
217         * runtime/CodeCache.h:
218         (JSC::SourceCodeValue::SourceCodeValue):
219         (JSC::CodeCacheMap::findCacheAndUpdateAge):
220         (JSC::CodeCacheMap::fetchFromDiskImpl):
221         * runtime/Completion.cpp:
222         (JSC::generateProgramBytecode):
223         (JSC::generateModuleBytecode):
224         * runtime/Completion.h:
225         * runtime/LeafExecutable.cpp: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
226         (JSC::LeafExecutable::operator+ const):
227         * runtime/LeafExecutable.h: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
228         (JSC::LeafExecutable::LeafExecutable):
229         (JSC::LeafExecutable::base const):
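The two-step cache construction described in the entry above (a global update holding the top-level code block, then function updates appended later with the owner's metadata patched to point at them) is easiest to see in a small model. The following is an added example, not code from this ChangeLog or from WebKit's CachedTypes implementation: it uses a simplified, constructed on-disk layout in which the global payload starts with a table of per-function offsets (0 meaning "not cached yet"), every encoded block is length-prefixed, and `addFunctionUpdate` appends a block and patches the table entry in place. Reopening the committed bytes and continuing to add updates shows the incremental property. The class and method names mirror the entry but the layout is an assumption.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Assumed layout (constructed for this example):
//   u32 functionCount | u32 codeBlockOffset[functionCount] | u32 len | top-level block bytes
//   followed by zero or more appended function updates:   u32 len | function block bytes
// All integers are little-endian and written byte by byte.
class CachedBytecode {
public:
    CachedBytecode() = default;
    // Reopen an existing cache so that further updates can be appended to it.
    explicit CachedBytecode(std::vector<uint8_t> existing) : m_data(std::move(existing)) {}

    bool isEmpty() const { return m_data.empty(); }
    size_t size() const { return m_data.size(); }
    const std::vector<uint8_t>& data() const { return m_data; }

    // Initial payload: the encoded top-level block plus a zeroed offset slot per function.
    void addGlobalUpdate(const std::string& topLevelBlock, uint32_t functionCount) {
        m_data.clear();
        appendU32(functionCount);
        for (uint32_t i = 0; i < functionCount; ++i)
            appendU32(0); // 0 = this function's code block is not cached yet
        appendBlock(topLevelBlock);
    }

    // Append one function's encoded block and record its offset in the owner's metadata slot.
    bool addFunctionUpdate(uint32_t functionIndex, const std::string& functionBlock) {
        if (functionIndex >= functionCount())
            return false;
        uint32_t offset = static_cast<uint32_t>(m_data.size());
        appendBlock(functionBlock);
        writeU32(metadataOffset(functionIndex), offset); // patch in place; nothing else moves
        return true;
    }

    std::optional<std::string> topLevelBlock() const { return readBlock(4 + 4 * size_t(functionCount())); }

    std::optional<std::string> functionBlock(uint32_t functionIndex) const {
        if (functionIndex >= functionCount())
            return std::nullopt;
        uint32_t offset = readU32(metadataOffset(functionIndex));
        if (!offset)
            return std::nullopt;
        return readBlock(offset);
    }

private:
    uint32_t functionCount() const { return m_data.size() >= 4 ? readU32(0) : 0; }
    size_t metadataOffset(uint32_t i) const { return 4 + 4 * size_t(i); }

    void appendU32(uint32_t v) {
        for (int s = 0; s < 32; s += 8)
            m_data.push_back(static_cast<uint8_t>(v >> s));
    }
    void writeU32(size_t at, uint32_t v) {
        for (int s = 0; s < 32; s += 8)
            m_data[at + s / 8] = static_cast<uint8_t>(v >> s);
    }
    uint32_t readU32(size_t at) const {
        uint32_t v = 0;
        for (int s = 0; s < 32; s += 8)
            v |= uint32_t(m_data[at + s / 8]) << s;
        return v;
    }
    void appendBlock(const std::string& b) {
        appendU32(static_cast<uint32_t>(b.size()));
        m_data.insert(m_data.end(), b.begin(), b.end());
    }
    // Bounds-checked read: a truncated or corrupt cache yields nullopt instead of an out-of-range read.
    std::optional<std::string> readBlock(size_t at) const {
        if (at + 4 > m_data.size())
            return std::nullopt;
        uint32_t len = readU32(at);
        if (len > m_data.size() - at - 4)
            return std::nullopt;
        return std::string(reinterpret_cast<const char*>(m_data.data() + at + 4), len);
    }

    std::vector<uint8_t> m_data;
};
```

Because updates are append-only and the only mutation of earlier bytes is the offset slot, a writer can commit each update by extending the file; a reader must still validate every offset and length it follows, since the cache is untrusted input once it sits on disk.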
230
231 2019-04-10  Michael Catanzaro  <mcatanzaro@igalia.com>
232
233         Unreviewed, rolling out r243989.
234
235         Broke i686 builds
236
237         Reverted changeset:
238
239         "[CMake] Detect SSE2 at compile time"
240         https://bugs.webkit.org/show_bug.cgi?id=196488
241         https://trac.webkit.org/changeset/243989
242
243 2019-04-10  Robin Morisset  <rmorisset@apple.com>
244
245         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
246         https://bugs.webkit.org/show_bug.cgi?id=196746
247
248         Reviewed by Yusuke Suzuki.
249
250         It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.
251
252         * runtime/ObjectConstructor.cpp:
253         (JSC::defineProperties):
254
255 2019-04-10  Antoine Quint  <graouts@apple.com>
256
257         Enable Pointer Events on watchOS
258         https://bugs.webkit.org/show_bug.cgi?id=196771
259         <rdar://problem/49040909>
260
261         Reviewed by Dean Jackson.
262
263         * Configurations/FeatureDefines.xcconfig:
264
265 2019-04-09  Keith Rollin  <krollin@apple.com>
266
267         Unreviewed build maintenance -- update .xcfilelists.
268
269         * DerivedSources-input.xcfilelist:
270
271 2019-04-09  Ross Kirsling  <ross.kirsling@sony.com>
272
273         JSC should build successfully even with -DENABLE_UNIFIED_BUILDS=OFF
274         https://bugs.webkit.org/show_bug.cgi?id=193073
275
276         Reviewed by Keith Miller.
277
278         * bytecompiler/BytecodeGenerator.cpp:
279         (JSC::BytecodeGenerator::emitEqualityOpImpl):
280         (JSC::BytecodeGenerator::emitEqualityOp): Deleted.
281         * bytecompiler/BytecodeGenerator.h:
282         (JSC::BytecodeGenerator::emitEqualityOp):
283         Factor out the logic that uses the template parameter and keep it in the header.
284
285         * jit/JITPropertyAccess.cpp:
286         List off the template specializations needed by JITOperations.cpp.
287         This is unfortunate but at least there are only two (x2) by definition?
288         Trying to do away with this incurs a severe domino effect...
289
290         * API/JSValueRef.cpp:
291         * b3/B3OptimizeAssociativeExpressionTrees.cpp:
292         * b3/air/AirHandleCalleeSaves.cpp:
293         * builtins/BuiltinNames.cpp:
294         * bytecode/AccessCase.cpp:
295         * bytecode/BytecodeIntrinsicRegistry.cpp:
296         * bytecode/BytecodeIntrinsicRegistry.h:
297         * bytecode/BytecodeRewriter.cpp:
298         * bytecode/BytecodeUseDef.h:
299         * bytecode/CodeBlock.cpp:
300         * bytecode/InstanceOfAccessCase.cpp:
301         * bytecode/MetadataTable.cpp:
302         * bytecode/PolyProtoAccessChain.cpp:
303         * bytecode/StructureSet.cpp:
304         * bytecompiler/NodesCodegen.cpp:
305         * dfg/DFGCFAPhase.cpp:
306         * dfg/DFGPureValue.cpp:
307         * heap/GCSegmentedArray.h:
308         * heap/HeapInlines.h:
309         * heap/IsoSubspace.cpp:
310         * heap/LocalAllocator.cpp:
311         * heap/LocalAllocator.h:
312         * heap/LocalAllocatorInlines.h:
313         * heap/MarkingConstraintSolver.cpp:
314         * inspector/ScriptArguments.cpp:
315         (Inspector::ScriptArguments::isEqual const):
316         * inspector/ScriptCallStackFactory.cpp:
317         * interpreter/CallFrame.h:
318         * interpreter/Interpreter.cpp:
319         * interpreter/StackVisitor.cpp:
320         * llint/LLIntEntrypoint.cpp:
321         * runtime/ArrayIteratorPrototype.cpp:
322         * runtime/BigIntPrototype.cpp:
323         * runtime/CachedTypes.cpp:
324         * runtime/ErrorType.cpp:
325         * runtime/IndexingType.cpp:
326         * runtime/JSCellInlines.h:
327         * runtime/JSImmutableButterfly.h:
328         * runtime/Operations.h:
329         * runtime/RegExpCachedResult.cpp:
330         * runtime/RegExpConstructor.cpp:
331         * runtime/RegExpGlobalData.cpp:
332         * runtime/StackFrame.h:
333         * wasm/WasmSignature.cpp:
334         * wasm/js/JSToWasm.cpp:
335         * wasm/js/JSToWasmICCallee.cpp:
336         * wasm/js/WebAssemblyFunction.h:
337         Fix includes / forward declarations (and a couple of nearby clang warnings).
338
339 2019-04-09  Don Olmstead  <don.olmstead@sony.com>
340
341         [CMake] Apple builds should use ICU_INCLUDE_DIRS
342         https://bugs.webkit.org/show_bug.cgi?id=196720
343
344         Reviewed by Konstantin Tokarev.
345
346         * PlatformMac.cmake:
347
348 2019-04-09  Saam barati  <sbarati@apple.com>
349
350         Clean up Int52 code and some bugs in it
351         https://bugs.webkit.org/show_bug.cgi?id=196639
352         <rdar://problem/49515757>
353
354         Reviewed by Yusuke Suzuki.
355
356         This patch fixes bugs in our Int52 code. The primary change in this patch is
357         adopting a segregated type lattice for Int52. Previously, for Int52 values,
358         we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
359         SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
360         that the value is outside of the int32 range.
361         
362         However, this got confusing because we reused SpecInt32Only both for JSValue
363         representations and Int52 representations. This actually led to some bugs.
364         
365         1. It's possible that roundtripping through Int52 representation would say
366         it produces the wrong type. For example, consider this program and how we
367         used to annotate types in AI:
368         a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
369         b: Int52Rep(@a) => m_type is SpecInt52Only
370         c: ValueRep(@b) => m_type is SpecAnyIntAsDouble
371         
372         In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
373         However, the execution semantics are such that it'd actually produce a boxed
374         Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
375         would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
376         mean an int value in either int32 or int52 range.
377         
378         2. AbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it
379         accepted Int52 values. It was wrong in two different ways:
380         a: If the AbstractValue's type was SpecInt52Only, and the incoming value
381         was a boxed double, but represented a value in int32 range, the incoming
382         value would incorrectly validate as being acceptable. However, we should
383         have rejected this value.
384         b: If the AbstractValue's type was SpecInt32Only, and the incoming value
385         was an Int32 boxed in a double, this would not validate, even though
386         it should have validated.
387         
388         Solving 2 was easiest if we segregated out the Int52 type into its own
389         lattice. This patch makes a new Int52 lattice, which is composed of
390         SpecInt32AsInt52 and SpecNonInt32AsInt52.
391         
392         The conversion rules are now really simple.
393         
394         Int52 rep => JSValue rep
395         SpecInt32AsInt52 => SpecInt32Only
396         SpecNonInt32AsInt52 => SpecAnyIntAsDouble
397         
398         JSValue rep => Int52 rep
399         SpecInt32Only => SpecInt32AsInt52
400         SpecAnyIntAsDouble => SpecInt52Any
401         
402         With these rules, the program in (1) will now correctly report that @c
403         returns SpecInt32Only | SpecAnyIntAsDouble.
404
405         * bytecode/SpeculatedType.cpp:
406         (JSC::dumpSpeculation):
407         (JSC::speculationToAbbreviatedString):
408         (JSC::int52AwareSpeculationFromValue):
409         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
410         (JSC::speculationFromString):
411         * bytecode/SpeculatedType.h:
412         (JSC::isInt32SpeculationForArithmetic):
413         (JSC::isInt32OrBooleanSpeculationForArithmetic):
414         (JSC::isAnyInt52Speculation):
415         (JSC::isIntAnyFormat):
416         (JSC::isInt52Speculation): Deleted.
417         (JSC::isAnyIntSpeculation): Deleted.
418         * dfg/DFGAbstractInterpreterInlines.h:
419         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
420         * dfg/DFGAbstractValue.cpp:
421         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
422         (JSC::DFG::AbstractValue::checkConsistency const):
423         * dfg/DFGAbstractValue.h:
424         (JSC::DFG::AbstractValue::isInt52Any const):
425         (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
426         * dfg/DFGFixupPhase.cpp:
427         (JSC::DFG::FixupPhase::fixupArithMul):
428         (JSC::DFG::FixupPhase::fixupNode):
429         (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
430         (JSC::DFG::FixupPhase::fixupToThis):
431         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
432         (JSC::DFG::FixupPhase::observeUseKindOnNode):
433         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
434         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
435         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
436         (JSC::DFG::FixupPhase::fixupChecksInBlock):
437         * dfg/DFGGraph.h:
438         (JSC::DFG::Graph::addShouldSpeculateInt52):
439         (JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
440         (JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
441         (JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
442         (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
443         (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.
444         * dfg/DFGNode.h:
445         (JSC::DFG::Node::shouldSpeculateInt52):
446         (JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.
447         * dfg/DFGPredictionPropagationPhase.cpp:
448         * dfg/DFGSpeculativeJIT.cpp:
449         (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
450         (JSC::DFG::SpeculativeJIT::compileArithAdd):
451         (JSC::DFG::SpeculativeJIT::compileArithSub):
452         (JSC::DFG::SpeculativeJIT::compileArithNegate):
453         * dfg/DFGSpeculativeJIT64.cpp:
454         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
455         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
456         * dfg/DFGUseKind.h:
457         (JSC::DFG::typeFilterFor):
458         * dfg/DFGVariableAccessData.cpp:
459         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
460         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
461         * ftl/FTLLowerDFGToB3.cpp:
462         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
463         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
464         (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):
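The lattice and conversion rules in the entry above, and the Int52-constant comparison in the validateOSREntryValue entry at the top of this file, both come down to one idea: a value's representation (boxed int32, boxed integral double, raw Int52) must be normalized before its type or its identity is judged. The following is an added example, not code from this ChangeLog or from WebKit's DFG: it models the bit lattice with constructed bit values, implements the two conversion tables, reproduces the round trip of program (1) under the old and new rules, validates incoming values against an Int52-rep abstract type the way cases 2a and 2b require, and compares Int52 constants after normalizing both sides. `RuntimeValue`, `asInt52`, `oldInt52RepFromValueRep` and the bit assignments are assumptions of this example.

```cpp
#include <cmath>
#include <cstdint>
#include <optional>

// Speculated-type bits. Names follow the entry; the bit values are constructed for this example.
using SpeculatedType = uint32_t;
constexpr SpeculatedType SpecNone            = 0;
constexpr SpeculatedType SpecInt32Only       = 1u << 0; // JSValue rep: boxed int32
constexpr SpeculatedType SpecAnyIntAsDouble  = 1u << 1; // JSValue rep: integral double, any range
constexpr SpeculatedType SpecInt32AsInt52    = 1u << 2; // Int52 rep: value in int32 range
constexpr SpeculatedType SpecNonInt32AsInt52 = 1u << 3; // Int52 rep: value outside int32 range
constexpr SpeculatedType SpecInt52Any        = SpecInt32AsInt52 | SpecNonInt32AsInt52;

// JSValue rep => Int52 rep (new rules from the entry).
SpeculatedType int52RepFromValueRep(SpeculatedType t) {
    SpeculatedType r = SpecNone;
    if (t & SpecInt32Only) r |= SpecInt32AsInt52;
    if (t & SpecAnyIntAsDouble) r |= SpecInt52Any; // an integral double may be in either range
    return r;
}

// Int52 rep => JSValue rep.
SpeculatedType valueRepFromInt52Rep(SpeculatedType t) {
    SpeculatedType r = SpecNone;
    if (t & SpecInt32AsInt52) r |= SpecInt32Only;
    if (t & SpecNonInt32AsInt52) r |= SpecAnyIntAsDouble;
    return r;
}

// The pre-patch rule, modelled for comparison: Int52Rep over SpecAnyIntAsDouble claimed
// the value was outside int32 range (the old SpecInt52Only), losing the int32 case.
SpeculatedType oldInt52RepFromValueRep(SpeculatedType t) {
    SpeculatedType r = SpecNone;
    if (t & SpecInt32Only) r |= SpecInt32AsInt52;
    if (t & SpecAnyIntAsDouble) r |= SpecNonInt32AsInt52;
    return r;
}

// A concrete runtime value in one of the three formats an OSR entry or type check may see.
struct RuntimeValue {
    enum class Kind { BoxedInt32, BoxedDouble, Int52 };
    Kind kind = Kind::BoxedInt32;
    int32_t i32 = 0;
    double d = 0;
    int64_t i52 = 0;
};
RuntimeValue boxedInt32(int32_t v) { RuntimeValue r; r.kind = RuntimeValue::Kind::BoxedInt32; r.i32 = v; return r; }
RuntimeValue boxedDouble(double v) { RuntimeValue r; r.kind = RuntimeValue::Kind::BoxedDouble; r.d = v; return r; }
RuntimeValue int52(int64_t v)      { RuntimeValue r; r.kind = RuntimeValue::Kind::Int52; r.i52 = v; return r; }

constexpr int64_t kInt52Max = (int64_t(1) << 51) - 1;
constexpr int64_t kInt52Min = -(int64_t(1) << 51);

// Normalize any format to a plain integer; nullopt if the value is not an integer in Int52 range.
std::optional<int64_t> asInt52(const RuntimeValue& v) {
    switch (v.kind) {
    case RuntimeValue::Kind::BoxedInt32: return v.i32;
    case RuntimeValue::Kind::Int52: return v.i52;
    case RuntimeValue::Kind::BoxedDouble:
        if (!std::isfinite(v.d) || std::trunc(v.d) != v.d) return std::nullopt;
        if (v.d == 0 && std::signbit(v.d)) return std::nullopt; // -0 is a double, not an integer
        if (v.d < double(kInt52Min) || v.d > double(kInt52Max)) return std::nullopt;
        return static_cast<int64_t>(v.d);
    }
    return std::nullopt;
}

// Int52-rep speculation of a concrete value: which half of the lattice it falls in.
SpeculatedType int52SpeculationFromValue(const RuntimeValue& v) {
    auto n = asInt52(v);
    if (!n) return SpecNone;
    return (*n >= INT32_MIN && *n <= INT32_MAX) ? SpecInt32AsInt52 : SpecNonInt32AsInt52;
}

// validateTypeAcceptingBoxedInt52: accept iff the value's speculation is within the abstract type.
// Case 2a (type SpecNonInt32AsInt52, boxed double in int32 range) is rejected;
// case 2b (type SpecInt32AsInt52, int32 boxed in a double) is accepted.
bool validateTypeAcceptingBoxedInt52(SpeculatedType type, const RuntimeValue& v) {
    SpeculatedType s = int52SpeculationFromValue(v);
    return s != SpecNone && (s & ~type) == 0;
}

// validateOSREntryValue for an Int52 constant: compare after normalizing both formats.
bool int52ConstantMatches(const RuntimeValue& expected, const RuntimeValue& incoming) {
    auto a = asInt52(expected);
    auto b = asInt52(incoming);
    return a && b && *a == *b;
}
```

Running program (1) through the two tables shows the fix: `valueRepFromInt52Rep(int52RepFromValueRep(SpecAnyIntAsDouble))` yields `SpecInt32Only | SpecAnyIntAsDouble`, whereas the old rule yields only `SpecAnyIntAsDouble` and so would let AI believe a boxed int32 could never reach @c.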
465
466 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
467
468         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
469         https://bugs.webkit.org/show_bug.cgi?id=196708
470         <rdar://problem/49556803>
471
472         Reviewed by Yusuke Suzuki.
473
474         `operationPutToScope` needs to return early if an exception is thrown while
475         checking if `hasProperty`.
476
477         * jit/JITOperations.cpp:
478
479 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
480
481         [JSC] DFG should respect node's strict flag
482         https://bugs.webkit.org/show_bug.cgi?id=196617
483
484         Reviewed by Saam Barati.
485
486         We accidentally used codeBlock->isStrictMode() directly in DFG and FTL. But this is wrong since this CodeBlock is the top level DFG/FTL CodeBlock,
487         and this code does not respect the isStrictMode flag for the inlined CodeBlocks. In this patch, we start using isStrictModeFor(CodeOrigin) consistently
488         in DFG and FTL to get the right isStrictMode flag for the DFG node.
489         And we also split compilePutDynamicVar into compilePutDynamicVarStrict and compilePutDynamicVarNonStrict since (1) it is cleaner than accessing inlined
490         callframe in the operation function, and (2) it is aligned to the other functions like operationPutByValDirectNonStrict etc.
491         This bug was discovered by RandomizingFuzzerAgent by expanding the DFG coverage.
492
493         * dfg/DFGAbstractInterpreterInlines.h:
494         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
495         * dfg/DFGConstantFoldingPhase.cpp:
496         (JSC::DFG::ConstantFoldingPhase::foldConstants):
497         * dfg/DFGFixupPhase.cpp:
498         (JSC::DFG::FixupPhase::fixupToThis):
499         * dfg/DFGOperations.cpp:
500         * dfg/DFGOperations.h:
501         * dfg/DFGPredictionPropagationPhase.cpp:
502         * dfg/DFGSpeculativeJIT.cpp:
503         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
504         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
505         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
506         (JSC::DFG::SpeculativeJIT::compileToThis):
507         * dfg/DFGSpeculativeJIT32_64.cpp:
508         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
509         (JSC::DFG::SpeculativeJIT::compile):
510         * dfg/DFGSpeculativeJIT64.cpp:
511         (JSC::DFG::SpeculativeJIT::compile):
512         * ftl/FTLLowerDFGToB3.cpp:
513         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
514         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
515
516 2019-04-08  Don Olmstead  <don.olmstead@sony.com>
517
518         [CMake][WinCairo] Separate copied headers into different directories
519         https://bugs.webkit.org/show_bug.cgi?id=196655
520
521         Reviewed by Michael Catanzaro.
522
523         * CMakeLists.txt:
524         * shell/PlatformWin.cmake:
525
526 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
527
528         [JSC] isRope jump in StringSlice should not jump over register allocations
529         https://bugs.webkit.org/show_bug.cgi?id=196716
530
531         Reviewed by Saam Barati.
532
533         Jumping over the register allocation code in DFG (like the following) is wrong.
534
535             auto jump = m_jit.branchXXX();
536             {
537                 GPRTemporary reg(this);
538                 GPRReg regGPR = reg.gpr();
539                 ...
540             }
541             jump.link(&m_jit);
542
543         When GPRTemporary::gpr allocates a new register, it can flush the previous register value into the stack and make the register usable.
544         Jumping over this register allocation code skips the flushing code, and makes the DFG's stack and register content tracking inconsistent:
545         DFG thinks that the content is flushed and stored in particular stack slot even while this flushing code is skipped.
546         In this patch, we perform register allocations before jumping to the slow path based on `isRope` condition in StringSlice.
547
548         * dfg/DFGSpeculativeJIT.cpp:
549         (JSC::DFG::SpeculativeJIT::compileStringSlice):
550
551 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
552
553         [JSC] to_index_string should not assume incoming value is Uint32
554         https://bugs.webkit.org/show_bug.cgi?id=196713
555
556         Reviewed by Saam Barati.
557
558         The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
559         this assumption since DFG may decide it should have double format. This patch removes this
560         assumption, and instead, we should assume that the incoming value is AnyInt and that its range
561         is within Uint32.
562
563         * runtime/CommonSlowPaths.cpp:
564         (JSC::SLOW_PATH_DECL):
565
566 2019-04-08  Justin Fan  <justin_fan@apple.com>
567
568         [Web GPU] Fix Web GPU experimental feature on iOS
569         https://bugs.webkit.org/show_bug.cgi?id=196632
570
571         Reviewed by Myles C. Maxfield.
572
573         Properly make Web GPU available on iOS 11+.
574
575         * Configurations/FeatureDefines.xcconfig:
576         * Configurations/WebKitTargetConditionals.xcconfig:
577
578 2019-04-08  Ross Kirsling  <ross.kirsling@sony.com>
579
580         -f[no-]var-tracking-assignments is GCC-only
581         https://bugs.webkit.org/show_bug.cgi?id=196699
582
583         Reviewed by Don Olmstead.
584
585         * CMakeLists.txt:
586         Just remove the build flag altogether -- it supposedly doesn't solve the problem it was meant to
587         and said problem evidently no longer occurs as of GCC 9.
588
589 2019-04-08  Saam Barati  <sbarati@apple.com>
590
591         WebAssembly.RuntimeError missing exception check
592         https://bugs.webkit.org/show_bug.cgi?id=196700
593         <rdar://problem/49693932>
594
595         Reviewed by Yusuke Suzuki.
596
597         * wasm/js/JSWebAssemblyRuntimeError.h:
598         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
599         (JSC::constructJSWebAssemblyRuntimeError):
600
601 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
602
603         Unreviewed, rolling in r243948 with test fix
604         https://bugs.webkit.org/show_bug.cgi?id=196486
605
606         * parser/ASTBuilder.h:
607         (JSC::ASTBuilder::createString):
608         * parser/Lexer.cpp:
609         (JSC::Lexer<T>::parseMultilineComment):
610         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
611         (JSC::Lexer<T>::lex): Deleted.
612         * parser/Lexer.h:
613         (JSC::Lexer::hasLineTerminatorBeforeToken const):
614         (JSC::Lexer::setHasLineTerminatorBeforeToken):
615         (JSC::Lexer<T>::lex):
616         (JSC::Lexer::prevTerminator const): Deleted.
617         (JSC::Lexer::setTerminator): Deleted.
618         * parser/Parser.cpp:
619         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
620         (JSC::Parser<LexerType>::parseSingleFunction):
621         (JSC::Parser<LexerType>::parseStatementListItem):
622         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
623         (JSC::Parser<LexerType>::parseFunctionInfo):
624         (JSC::Parser<LexerType>::parseClass):
625         (JSC::Parser<LexerType>::parseExportDeclaration):
626         (JSC::Parser<LexerType>::parseAssignmentExpression):
627         (JSC::Parser<LexerType>::parseYieldExpression):
628         (JSC::Parser<LexerType>::parseProperty):
629         (JSC::Parser<LexerType>::parsePrimaryExpression):
630         (JSC::Parser<LexerType>::parseMemberExpression):
631         * parser/Parser.h:
632         (JSC::Parser::nextWithoutClearingLineTerminator):
633         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
634         (JSC::Parser::internalSaveLexerState):
635         (JSC::Parser::restoreLexerState):
636
637 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
638
639         Unreviewed, rolling out r243948.
640
641         Caused inspector/runtime/parse.html to fail
642
643         Reverted changeset:
644
645         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
646         https://bugs.webkit.org/show_bug.cgi?id=196486
647         https://trac.webkit.org/changeset/243948
648
649 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
650
651         Unreviewed, rolling out r243943.
652
653         Caused test262 failures.
654
655         Reverted changeset:
656
657         "[JSC] Filter DontEnum properties in
658         ProxyObject::getOwnPropertyNames()"
659         https://bugs.webkit.org/show_bug.cgi?id=176810
660         https://trac.webkit.org/changeset/243943
661
662 2019-04-08  Claudio Saavedra  <csaavedra@igalia.com>
663
664         [JSC] Partially fix the build with unified builds disabled
665         https://bugs.webkit.org/show_bug.cgi?id=196647
666
667         Reviewed by Konstantin Tokarev.
668
669         If you disable unified builds you find all kind of build
670         errors. This partially tries to fix them but there's a lot
671         more.
672
673         * API/JSBaseInternal.h:
674         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
675         * b3/air/AirHandleCalleeSaves.h:
676         * bytecode/ExecutableToCodeBlockEdge.cpp:
677         * bytecode/ExitFlag.h:
678         * bytecode/ICStatusUtils.h:
679         * bytecode/UnlinkedMetadataTable.h:
680         * dfg/DFGPureValue.h:
681         * heap/IsoAlignedMemoryAllocator.cpp:
682         * heap/IsoAlignedMemoryAllocator.h:
683
684 2019-04-08  Guillaume Emont  <guijemont@igalia.com>
685
686         Enable DFG on MIPS
687         https://bugs.webkit.org/show_bug.cgi?id=196689
688
689         Reviewed by Žan Doberšek.
690
691         Since the bytecode change, we enabled the baseline JIT on MIPS in
692         r240432, but DFG is still missing. With this change, all tests are
693         passing on a ci20 board.
694
695         * jit/RegisterSet.cpp:
696         (JSC::RegisterSet::calleeSaveRegisters):
697         Added s0, which is used in llint.
698
699 2019-04-08  Xan Lopez  <xan@igalia.com>
700
701         [CMake] Detect SSE2 at compile time
702         https://bugs.webkit.org/show_bug.cgi?id=196488
703
704         Reviewed by Carlos Garcia Campos.
705
706         * assembler/MacroAssemblerX86Common.cpp: Remove unnecessary (and
707         incorrect) static_assert.
708
709 2019-04-07  Michael Saboff  <msaboff@apple.com>
710
711         REGRESSION (r243642): Crash in reddit.com page
712         https://bugs.webkit.org/show_bug.cgi?id=196684
713
714         Reviewed by Geoffrey Garen.
715
716         In r243642, the code that saves and restores the count for non-greedy character classes
717         was inadvertently put inside an if statement.  This code should be generated for all
718         non-greedy character classes.
719
720         * yarr/YarrJIT.cpp:
721         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
722         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
723
724 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
725
726         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
727         https://bugs.webkit.org/show_bug.cgi?id=196683
728
729         Reviewed by Saam Barati.
730
731         In r243626, we stopped repatching CallLinkInfo when the CallLinkInfo is held by a jettisoned CodeBlock.
732         But we still need to clear the Callee or CodeBlock since they are now dead. Otherwise, CodeBlock's
733         visitWeak eventually accesses these dead cells and crashes because the owner CodeBlock of the CallLinkInfo
734         can still be live.
735
736         We also move all repatching operations from CallLinkInfo.cpp to Repatch.cpp for consistency because the
737         other repatching operations in CallLinkInfo are implemented in Repatch.cpp side.
738
739         * bytecode/CallLinkInfo.cpp:
740         (JSC::CallLinkInfo::setCallee):
741         (JSC::CallLinkInfo::clearCallee):
742         * jit/Repatch.cpp:
743         (JSC::linkFor):
744         (JSC::revertCall):
745
746 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
747
748         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
749         https://bugs.webkit.org/show_bug.cgi?id=196582
750
751         Reviewed by Saam Barati.
752
753         In DFG, our ArithAdd with overflow is executed speculatively, and we recover the value when the overflow flag is set.
754         The recovery is subtracting the operand from the destination to get the original two operands. Our recovery code
755         handles the A + B = A and A + B = B cases. But it misses the A + A = A case (here, A and B are GPRRegs). Our recovery code
756         attempts to produce the original operand by performing A - A, and it always produces zero accidentally.
757
758         This patch adds the recovery code for the A + A = A case. Because we know that this ArithAdd overflows, and the operands were
759         the same value, we can calculate the original operand from the destination value by `((int32_t)value >> 1) ^ 0x80000000`.
760
761         We also found that FTL recovery code is dead. We remove them in this patch.
762
763         * dfg/DFGOSRExit.cpp:
764         (JSC::DFG::OSRExit::executeOSRExit):
765         (JSC::DFG::OSRExit::compileExit):
766         * dfg/DFGOSRExit.h:
767         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
768         * dfg/DFGSpeculativeJIT.cpp:
769         (JSC::DFG::SpeculativeJIT::compileArithAdd):
770         * ftl/FTLExitValue.cpp:
771         (JSC::FTL::ExitValue::dataFormat const):
772         (JSC::FTL::ExitValue::dumpInContext const):
773         * ftl/FTLExitValue.h:
774         (JSC::FTL::ExitValue::isArgument const):
775         (JSC::FTL::ExitValue::hasIndexInStackmapLocations const):
776         (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset):
777         (JSC::FTL::ExitValue::recovery): Deleted.
778         (JSC::FTL::ExitValue::isRecovery const): Deleted.
779         (JSC::FTL::ExitValue::leftRecoveryArgument const): Deleted.
780         (JSC::FTL::ExitValue::rightRecoveryArgument const): Deleted.
781         (JSC::FTL::ExitValue::recoveryFormat const): Deleted.
782         (JSC::FTL::ExitValue::recoveryOpcode const): Deleted.
783         * ftl/FTLLowerDFGToB3.cpp:
784         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
785         (JSC::FTL::DFG::LowerDFGToB3::preparePatchpointForExceptions):
786         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
787         (JSC::FTL::DFG::LowerDFGToB3::exitValueForNode):
788         (JSC::FTL::DFG::LowerDFGToB3::addAvailableRecovery): Deleted.
789         * ftl/FTLOSRExitCompiler.cpp:
790         (JSC::FTL::compileRecovery):
791
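The A + A = A recovery described in the entry above, as an added example that is not WebKit's code: a C++ model of the speculative int32 add, the pre-patch subtraction that yields zero when both operands are the same register, and the patch's shift-and-flip recovery next to the existing other-operand case. The struct and function names are assumptions; only the formula comes from the ChangeLog.

```cpp
// Added example, not JavaScriptCore code: models the ArithAdd overflow
// recovery described above for the three register-aliasing patterns.
// Names are hypothetical; the arithmetic follows the ChangeLog's formula.
#include <cstdint>
#include <cstdio>

struct AddResult {
    int32_t dest;      // what the destination register holds after the add
    bool overflowed;   // what the CPU overflow flag reports
};

// The speculative int32 add: the machine wraps, and the overflow flag tells
// the OSR exit path that the wrapped value is not the true sum.
AddResult speculativeAdd(int32_t a, int32_t b)
{
    int64_t wide = int64_t(a) + int64_t(b);
    int32_t wrapped = int32_t(uint32_t(a) + uint32_t(b));
    return { wrapped, wide < INT32_MIN || wide > INT32_MAX };
}

// Cases "A + B = A" and "A + B = B": the surviving operand is intact, and
// wrapping subtraction inverts wrapping addition exactly.
int32_t recoverFromOtherOperand(int32_t dest, int32_t survivingOperand)
{
    return int32_t(uint32_t(dest) - uint32_t(survivingOperand));
}

// The pre-patch behaviour for "A + A = A": both operands were the same
// register that dest has overwritten, so dest - dest is always zero.
int32_t recoverSameOperandBuggy(int32_t dest)
{
    return recoverFromOtherOperand(dest, dest);
}

// The patch's "A + A = A" recovery. 2A has a zero low bit, so the arithmetic
// shift loses nothing; because the add overflowed, the wrapped sign bit is
// the inverse of A's sign, and the XOR flips it back.
int32_t recoverSameOperand(int32_t dest)
{
    // `dest >> 1` is an arithmetic shift (defined in C++20, universal in practice).
    return int32_t(uint32_t(dest >> 1) ^ 0x80000000u);
}

// Runs A + A speculatively and, on overflow, recovers A. Returns true when
// the value handed to the OSR exit equals the original operand.
bool sameOperandRoundTrips(int32_t a)
{
    AddResult r = speculativeAdd(a, a);
    if (!r.overflowed)
        return true; // no exit is taken; the wrapped sum is the true sum
    return recoverSameOperand(r.dest) == a;
}

int main()
{
    int32_t a = 0x40000000; // 2^30: the smallest positive A whose doubling overflows
    AddResult r = speculativeAdd(a, a);
    std::printf("dest=0x%08x overflowed=%d buggy=%d fixed=0x%08x\n",
        uint32_t(r.dest), r.overflowed, recoverSameOperandBuggy(r.dest), uint32_t(recoverSameOperand(r.dest)));
    return 0;
}
```

The recovery is only valid on the overflow path: without overflow the destination already holds the true sum, and the exit is never taken, which is why `sameOperandRoundTrips` does not apply the formula there.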
792 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
793
794         Unreviewed, rolling out r243665.
795
796         Caused iOS JSC tests to exit with an exception.
797
798         Reverted changeset:
799
800         "Assertion failed in JSC::createError"
801         https://bugs.webkit.org/show_bug.cgi?id=196305
802         https://trac.webkit.org/changeset/243665
803
804 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
805
806         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
807         https://bugs.webkit.org/show_bug.cgi?id=196486
808
809         Reviewed by Saam Barati.
810
811         When parsing a FunctionExpression / FunctionDeclaration etc., we use SyntaxChecker for the body of the function because we do not have any interest in the nodes of the body at that time.
812         The nodes will be parsed with the ASTBuilder when the function itself is parsed for code generation. This worked well previously because all functions ended with "}".
813         SyntaxChecker lexes this "}" token, and the parser restores the context back to ASTBuilder and continues parsing.
814
815         But now, we have ArrowFunctionExpression without braces `arrow => expr`. Let's consider the following code.
816
817                 arrow => expr
818                 "string!"
819
820         We parse the arrow function's body with SyntaxChecker. At that time, we lex the "string!" token under the SyntaxChecker context. But this means that we may not build string content for this token
821         since SyntaxChecker may not have interest in string content itself in certain cases. After the parser is back to ASTBuilder, we parse "string!" as an ExpressionStatement with a string constant,
822         generate a StringNode with a non-built identifier (nullptr), and we accidentally create a StringNode with nullptr.
823
824         This patch fixes this problem. The root cause of this problem is that the last token lexed in the previous context is used. We add lexCurrentTokenAgainUnderCurrentContext, which re-lexes
825         the current token under the current context (which may be ASTBuilder). This should be done only when the caller's context is different from SyntaxChecker, which avoids unnecessary lexing.
826         We leverage the existing SavePoint mechanism to implement lexCurrentTokenAgainUnderCurrentContext cleanly.
827
828         And we also fix a bug in the existing SavePoint mechanism, which is shown in the attached test script. When we save LexerState, we do not save the line terminator status. This patch also introduces
829         lexWithoutClearingLineTerminator, which lexes the token without clearing the line terminator status.
830
831         * parser/ASTBuilder.h:
832         (JSC::ASTBuilder::createString):
833         * parser/Lexer.cpp:
834         (JSC::Lexer<T>::parseMultilineComment):
835         (JSC::Lexer<T>::lexWithoutClearingLineTerminator): The EOF token should also record offset information. This offset information is correctly handled in Lexer::setOffset too.
836         (JSC::Lexer<T>::lex): Deleted.
837         * parser/Lexer.h:
838         (JSC::Lexer::hasLineTerminatorBeforeToken const):
839         (JSC::Lexer::setHasLineTerminatorBeforeToken):
840         (JSC::Lexer<T>::lex):
841         (JSC::Lexer::prevTerminator const): Deleted.
842         (JSC::Lexer::setTerminator): Deleted.
843         * parser/Parser.cpp:
844         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
845         (JSC::Parser<LexerType>::parseSingleFunction):
846         (JSC::Parser<LexerType>::parseStatementListItem):
847         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
848         (JSC::Parser<LexerType>::parseFunctionInfo):
849         (JSC::Parser<LexerType>::parseClass):
850         (JSC::Parser<LexerType>::parseExportDeclaration):
851         (JSC::Parser<LexerType>::parseAssignmentExpression):
852         (JSC::Parser<LexerType>::parseYieldExpression):
853         (JSC::Parser<LexerType>::parseProperty):
854         (JSC::Parser<LexerType>::parsePrimaryExpression):
855         (JSC::Parser<LexerType>::parseMemberExpression):
856         * parser/Parser.h:
857         (JSC::Parser::nextWithoutClearingLineTerminator):
858         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
859         (JSC::Parser::internalSaveLexerState):
860         (JSC::Parser::restoreLexerState):
861
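The context problem and its fix as described in the entry above, as an added toy model that is not WebKit's parser code: a lexer that builds string content only under an ASTBuilder context, a parser that checks the braceless arrow body under SyntaxChecker, and a re-lex step that also has to carry over the line-terminator flag. ToyLexer, Token, parseProgram and every other name here are assumptions.

```cpp
// Added example, not JavaScriptCore code: a toy lexer and parser that model
// the SyntaxChecker/ASTBuilder context problem and the re-lex fix described
// above. Every name here is hypothetical.
#include <cctype>
#include <optional>
#include <string>
#include <utility>

enum class Context { SyntaxChecker, ASTBuilder };
enum class TokenKind { Ident, Arrow, String, End };

struct Token {
    TokenKind kind = TokenKind::End;
    std::optional<std::string> stringContent; // built only under ASTBuilder
    bool hasLineTerminatorBefore = false;     // drives automatic semicolon insertion
    size_t start = 0;                         // offset the SavePoint rewinds to
};

class ToyLexer {
public:
    explicit ToyLexer(std::string source) : m_source(std::move(source)) { }

    Token lex(Context context)
    {
        Token token;
        while (m_pos < m_source.size() && std::isspace(static_cast<unsigned char>(m_source[m_pos]))) {
            if (m_source[m_pos] == '\n')
                token.hasLineTerminatorBefore = true;
            ++m_pos;
        }
        token.start = m_pos;
        if (m_pos >= m_source.size())
            return token;
        if (m_source[m_pos] == '"') {
            size_t close = m_source.find('"', m_pos + 1);
            size_t contentEnd = close == std::string::npos ? m_source.size() : close;
            token.kind = TokenKind::String;
            // SyntaxChecker only needs to know a string is here, so the content
            // is left unbuilt: this is the nullptr the ChangeLog describes.
            if (context == Context::ASTBuilder)
                token.stringContent = m_source.substr(m_pos + 1, contentEnd - m_pos - 1);
            m_pos = contentEnd == m_source.size() ? contentEnd : close + 1;
        } else if (m_source.compare(m_pos, 2, "=>") == 0) {
            token.kind = TokenKind::Arrow;
            m_pos += 2;
        } else {
            size_t end = m_pos;
            while (end < m_source.size() && (std::isalnum(static_cast<unsigned char>(m_source[end])) || m_source[end] == '_'))
                ++end;
            if (end == m_pos)
                ++end; // unknown character: consume it so lexing always progresses
            token.kind = TokenKind::Ident;
            m_pos = end;
        }
        return token;
    }

    // Models lexCurrentTokenAgainUnderCurrentContext: rewind to the token's
    // start and lex it once more under the caller's context. The whitespace
    // before the token has already been consumed, so the line-terminator flag
    // must be carried over explicitly (the second bug the patch fixes).
    Token relexCurrentToken(const Token& current, Context context, bool preserveLineTerminator)
    {
        m_pos = current.start;
        Token again = lex(context);
        if (preserveLineTerminator)
            again.hasLineTerminatorBefore = current.hasLineTerminatorBefore;
        return again;
    }

private:
    std::string m_source;
    size_t m_pos = 0;
};

struct ParseOutcome {
    std::optional<std::string> stringConstant; // empty models a StringNode built from nullptr
    bool statementSeparatedByNewline;          // what automatic semicolon insertion needs
};

// Parses `ident => ident` followed by a string statement, the ChangeLog's
// `arrow => expr` / `"string!"` case. The arrow body is checked under
// SyntaxChecker, which also lexes the token that follows the body.
ParseOutcome parseProgram(const std::string& source, bool relex, bool preserveLineTerminator)
{
    ToyLexer lexer(source);
    Token token = lexer.lex(Context::ASTBuilder);      // `arrow`
    token = lexer.lex(Context::ASTBuilder);            // `=>`
    token = lexer.lex(Context::SyntaxChecker);         // `expr`, the braceless body
    token = lexer.lex(Context::SyntaxChecker);         // `"string!"`, lexed before we switch back
    if (relex)                                         // the fix: re-lex under ASTBuilder
        token = lexer.relexCurrentToken(token, Context::ASTBuilder, preserveLineTerminator);
    return { token.stringContent, token.hasLineTerminatorBefore };
}
```

Three runs over the same constructed source show the two bugs separately: with no re-lex the string content is missing; with a re-lex that rewinds only the position the content is present but the newline before the statement is forgotten; with both the position and the terminator flag restored, the statement is complete.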
862 2019-04-05  Caitlin Potter  <caitp@igalia.com>
863
864         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
865         https://bugs.webkit.org/show_bug.cgi?id=176810
866
867         Reviewed by Saam Barati.
868
869         This adds conditional logic following the invariant checks, to perform
870         filtering in common uses of getOwnPropertyNames.
871
872         While this would ideally only be done in JSPropertyNameEnumerator, adding
873         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
874         invariant that the EnumerationMode is properly followed.
875
876         * runtime/PropertyNameArray.h:
877         (JSC::PropertyNameArray::reset):
878         * runtime/ProxyObject.cpp:
879         (JSC::ProxyObject::performGetOwnPropertyNames):
880
881 2019-04-05  Commit Queue  <commit-queue@webkit.org>
882
883         Unreviewed, rolling out r243833.
884         https://bugs.webkit.org/show_bug.cgi?id=196645
885
886         This change breaks build of WPE and GTK ports (Requested by
887         annulen on #webkit).
888
889         Reverted changeset:
890
891         "[CMake][WTF] Mirror XCode header directories"
892         https://bugs.webkit.org/show_bug.cgi?id=191662
893         https://trac.webkit.org/changeset/243833
894
895 2019-04-05  Caitlin Potter  <caitp@igalia.com>
896
897         [JSC] throw if ownKeys Proxy trap result contains duplicate keys
898         https://bugs.webkit.org/show_bug.cgi?id=185211
899
900         Reviewed by Saam Barati.
901
902         Implements the normative spec change in https://github.com/tc39/ecma262/pull/833
903
904         This involves tracking duplicate keys returned from the ownKeys trap in yet
905         another HashTable, and may incur a minor performance penalty in some cases. This
906         is not expected to significantly affect web performance.
907
908         * runtime/ProxyObject.cpp:
909         (JSC::ProxyObject::performGetOwnPropertyNames):
910
911 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
912
913         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
914         https://bugs.webkit.org/show_bug.cgi?id=196631
915
916         Reviewed by Saam Barati.
917
918         makeBoundFunction assumes that the "length" argument is always Int32. But this should not be assumed, since this "length" value is calculated in builtin JS code.
919         DFG may store this value in Double format, so we should not rely on this value being Int32. This patch fixes the makeBoundFunction function to perform a
920         toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
921
922         * JavaScriptCore.xcodeproj/project.pbxproj:
923         * Sources.txt:
924         * interpreter/CallFrameInlines.h:
925         * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
926         (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
927         (JSC::DoublePredictionFuzzerAgent::getPrediction):
928         * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
929         * runtime/JSGlobalObject.cpp:
930         (JSC::makeBoundFunction):
931         * runtime/Options.h:
932         * runtime/VM.cpp:
933         (JSC::VM::VM):
934
935 2019-04-04  Robin Morisset  <rmorisset@apple.com>
936
937         B3ReduceStrength should know that Mul distributes over Add and Sub
938         https://bugs.webkit.org/show_bug.cgi?id=196325
939         <rdar://problem/49441650>
940
941         Reviewed by Saam Barati.
942
943         Fix some obviously wrong code that was due to an accidental copy-paste.
944         It made the entire optimization dead code that never ran.
945
946         * b3/B3ReduceStrength.cpp:
947
948 2019-04-04  Saam Barati  <sbarati@apple.com>
949
950         Unreviewed, build fix for CLoop after r243886
951
952         * interpreter/Interpreter.cpp:
953         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
954         * interpreter/StackVisitor.cpp:
955         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
956         * interpreter/StackVisitor.h:
957
958 2019-04-04  Commit Queue  <commit-queue@webkit.org>
959
960         Unreviewed, rolling out r243898.
961         https://bugs.webkit.org/show_bug.cgi?id=196624
962
963         `#if !ENABLE(C_LOOP) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0`
964         does not work well (Requested by yusukesuzuki on #webkit).
965
966         Reverted changeset:
967
968         "Unreviewed, build fix for CLoop and Windows after r243886"
969         https://bugs.webkit.org/show_bug.cgi?id=196387
970         https://trac.webkit.org/changeset/243898
971
972 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
973
974         Unreviewed, build fix for CLoop and Windows after r243886
975         https://bugs.webkit.org/show_bug.cgi?id=196387
976
977         RegisterAtOffsetList does not exist if ENABLE(ASSEMBLER) is false.
978
979         * interpreter/StackVisitor.cpp:
980         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
981         * interpreter/StackVisitor.h:
982
983 2019-04-04  Saam Barati  <sbarati@apple.com>
984
985         Teach Call ICs how to call Wasm
986         https://bugs.webkit.org/show_bug.cgi?id=196387
987
988         Reviewed by Filip Pizlo.
989
990         This patch teaches JS to call Wasm without going through the native thunk.
991         Currently, we emit a JIT "JS" callee stub which marshals arguments from
992         JS to Wasm. Like the native version of this, this thunk is responsible
993         for saving and restoring the VM's current Wasm context. Instead of emitting
994         an exception handler, we also teach the unwinder how to read the previous
995         wasm context to restore it as it unwinds past this frame.
996         
997         This patch is straight forward, and leaves some areas for perf improvement:
998         - We can teach the DFG/FTL to directly use the Wasm calling convention when
999           it knows it's calling a single Wasm function. This way we don't shuffle
1000           registers to the stack and then back into registers.
1001         - We bail out to the slow path for mismatched arity. I opened a bug to
1002           optimize arity check failures: https://bugs.webkit.org/show_bug.cgi?id=196564
1003         - We bail out to the slow path for Double JSValues flowing into i32 arguments.
1004           We should teach this thunk how to do that conversion directly.
1005         
1006         This patch also refactors the code to explicitly have a single pinned size register.
1007         We used to pretend in some places that we could have more than one pinned size register.
1008         However, there was other code that just asserted the size was one. This patch just rips
1009         out this code since we never moved to having more than one pinned size register. Doing
1010         this refactoring cleans up the various places where we set up the size register.
1011         
1012         This patch is a 50-60% progression on JetStream 2's richards-wasm.
1013
1014         * JavaScriptCore.xcodeproj/project.pbxproj:
1015         * Sources.txt:
1016         * assembler/MacroAssemblerCodeRef.h:
1017         (JSC::MacroAssemblerCodeRef::operator=):
1018         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1019         * interpreter/Interpreter.cpp:
1020         (JSC::UnwindFunctor::operator() const):
1021         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1022         * interpreter/StackVisitor.cpp:
1023         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1024         (JSC::StackVisitor::Frame::calleeSaveRegisters): Deleted.
1025         * interpreter/StackVisitor.h:
1026         * jit/JITOperations.cpp:
1027         * jit/RegisterSet.cpp:
1028         (JSC::RegisterSet::runtimeTagRegisters):
1029         (JSC::RegisterSet::specialRegisters):
1030         (JSC::RegisterSet::runtimeRegisters): Deleted.
1031         * jit/RegisterSet.h:
1032         * jit/Repatch.cpp:
1033         (JSC::linkPolymorphicCall):
1034         * runtime/JSFunction.cpp:
1035         (JSC::getCalculatedDisplayName):
1036         * runtime/JSGlobalObject.cpp:
1037         (JSC::JSGlobalObject::init):
1038         (JSC::JSGlobalObject::visitChildren):
1039         * runtime/JSGlobalObject.h:
1040         (JSC::JSGlobalObject::jsToWasmICCalleeStructure const):
1041         * runtime/VM.cpp:
1042         (JSC::VM::VM):
1043         * runtime/VM.h:
1044         * wasm/WasmAirIRGenerator.cpp:
1045         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
1046         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
1047         (JSC::Wasm::AirIRGenerator::addCallIndirect):
1048         * wasm/WasmB3IRGenerator.cpp:
1049         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1050         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1051         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1052         * wasm/WasmBinding.cpp:
1053         (JSC::Wasm::wasmToWasm):
1054         * wasm/WasmContext.h:
1055         (JSC::Wasm::Context::pointerToInstance):
1056         * wasm/WasmContextInlines.h:
1057         (JSC::Wasm::Context::store):
1058         * wasm/WasmMemoryInformation.cpp:
1059         (JSC::Wasm::getPinnedRegisters):
1060         (JSC::Wasm::PinnedRegisterInfo::get):
1061         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1062         * wasm/WasmMemoryInformation.h:
1063         (JSC::Wasm::PinnedRegisterInfo::toSave const):
1064         * wasm/WasmOMGPlan.cpp:
1065         (JSC::Wasm::OMGPlan::work):
1066         * wasm/js/JSToWasm.cpp:
1067         (JSC::Wasm::createJSToWasmWrapper):
1068         * wasm/js/JSToWasmICCallee.cpp: Added.
1069         (JSC::JSToWasmICCallee::create):
1070         (JSC::JSToWasmICCallee::createStructure):
1071         (JSC::JSToWasmICCallee::visitChildren):
1072         * wasm/js/JSToWasmICCallee.h: Added.
1073         (JSC::JSToWasmICCallee::function):
1074         (JSC::JSToWasmICCallee::JSToWasmICCallee):
1075         * wasm/js/WebAssemblyFunction.cpp:
1076         (JSC::WebAssemblyFunction::useTagRegisters const):
1077         (JSC::WebAssemblyFunction::calleeSaves const):
1078         (JSC::WebAssemblyFunction::usedCalleeSaveRegisters const):
1079         (JSC::WebAssemblyFunction::previousInstanceOffset const):
1080         (JSC::WebAssemblyFunction::previousInstance):
1081         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1082         (JSC::WebAssemblyFunction::visitChildren):
1083         (JSC::WebAssemblyFunction::destroy):
1084         * wasm/js/WebAssemblyFunction.h:
1085         * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Added.
1086         (JSC::WebAssemblyFunctionDestroyFunc::operator() const):
1087         (JSC::WebAssemblyFunctionHeapCellType::WebAssemblyFunctionHeapCellType):
1088         (JSC::WebAssemblyFunctionHeapCellType::~WebAssemblyFunctionHeapCellType):
1089         (JSC::WebAssemblyFunctionHeapCellType::finishSweep):
1090         (JSC::WebAssemblyFunctionHeapCellType::destroy):
1091         * wasm/js/WebAssemblyFunctionHeapCellType.h: Added.
1092         * wasm/js/WebAssemblyPrototype.h:
1093
1094 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1095
1096         [JSC] Pass CodeOrigin to FuzzerAgent
1097         https://bugs.webkit.org/show_bug.cgi?id=196590
1098
1099         Reviewed by Saam Barati.
1100
1101         Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
1102         We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
1103         but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
1104
1105         * dfg/DFGByteCodeParser.cpp:
1106         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1107         * runtime/FuzzerAgent.cpp:
1108         (JSC::FuzzerAgent::getPrediction):
1109         * runtime/FuzzerAgent.h:
1110         * runtime/RandomizingFuzzerAgent.cpp:
1111         (JSC::RandomizingFuzzerAgent::getPrediction):
1112         * runtime/RandomizingFuzzerAgent.h:
1113
1114 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
1115
1116         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
1117         https://bugs.webkit.org/show_bug.cgi?id=194944
1118
1119         Reviewed by Keith Miller.
1120
1121         Based on profile data collected on JetStream2, Speedometer 2 and
1122         other benchmarks, it is very rare to have non-empty
1123         UnlinkedFunctionExecutable::m_parentScopeTDZVariables.
1124
1125         - Data collected from Speedometer2
1126             Total number of UnlinkedFunctionExecutable: 39463
1127             Total number of non-empty parentScopeTDZVars: 428 (~1%)
1128
1129         - Data collected from JetStream2
1130             Total number of UnlinkedFunctionExecutable: 83715
1131             Total number of non-empty parentScopeTDZVars: 5285 (~6%)
1132
1133         We also collected numbers on 6 of the top 10 Alexa sites.
1134
1135         - Data collected from youtube.com
1136             Total number of UnlinkedFunctionExecutable: 29599
1137             Total number of non-empty parentScopeTDZVars: 97 (~0.3%)
1138
1139         - Data collected from twitter.com
1140             Total number of UnlinkedFunctionExecutable: 23774
1141             Total number of non-empty parentScopeTDZVars: 172 (~0.7%)
1142
1143         - Data collected from google.com
1144             Total number of UnlinkedFunctionExecutable: 33209
1145             Total number of non-empty parentScopeTDZVars: 174 (~0.5%)
1146
1147         - Data collected from amazon.com:
1148             Total number of UnlinkedFunctionExecutable: 15182
1149             Total number of non-empty parentScopeTDZVars: 166 (~1%)
1150
1151         - Data collected from facebook.com:
1152             Total number of UnlinkedFunctionExecutable: 54443
1153             Total number of non-empty parentScopeTDZVars: 269 (~0.4%)
1154
1155         - Data collected from netflix.com:
1156             Total number of UnlinkedFunctionExecutable: 39266
1157             Total number of non-empty parentScopeTDZVars: 97 (~0.2%)
1158
1159         Considering such numbers, this patch moves `m_parentScopeTDZVariables`
1160         to RareData. This decreases sizeof(UnlinkedFunctionExecutable) by
1161         16 bytes. With this change, the UnlinkedFunctionExecutable constructors
1162         receive an `Optional<VariableEnvironmentMap::Handle>` and only store
1163         it when `value != WTF::nullopt`. We also changed
1164         UnlinkedFunctionExecutable::parentScopeTDZVariables() so that it returns
1165         `VariableEnvironment()` whenever the Executable doesn't have RareData,
1166         or the VariableEnvironmentMap::Handle is uninitialized. This is required
1167         because RareData is instantiated when any of its fields is stored and
1168         we can have an uninitialized `Handle` even in cases when parentScopeTDZVariables
1169         is `WTF::nullopt`.
1170
1171         Results on memory usage on JetStream2 are neutral.
1172
1173             Mean of memory peak on ToT: 4258633728 bytes (confidence interval: 249720072.95)
1174             Mean of memory peak on Changes: 4367325184 bytes (confidence interval: 321285583.61)
1175
1176         * builtins/BuiltinExecutables.cpp:
1177         (JSC::BuiltinExecutables::createExecutable):
1178         * bytecode/UnlinkedFunctionExecutable.cpp:
1179         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1180         * bytecode/UnlinkedFunctionExecutable.h:
1181         * bytecompiler/BytecodeGenerator.cpp:
1182         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1183
1184         BytecodeGenerator::getVariablesUnderTDZ now also caches if m_cachedVariablesUnderTDZ
1185         is empty, so we can properly return `WTF::nullopt` without the
1186         reconstruction of a VariableEnvironment to check if it is empty.
1187
1188         * bytecompiler/BytecodeGenerator.h:
1189         (JSC::BytecodeGenerator::makeFunction):
1190         * parser/VariableEnvironment.h:
1191         (JSC::VariableEnvironment::isEmpty const):
1192         * runtime/CachedTypes.cpp:
1193         (JSC::CachedCompactVariableMapHandle::decode const):
1194
1195         It returns an uninitialized Handle when there is no
1196         CompactVariableEnvironment. This can happen when RareData is ensured
1197         because of another field.
1198
1199         (JSC::CachedFunctionExecutableRareData::encode):
1200         (JSC::CachedFunctionExecutableRareData::decode const):
1201         (JSC::CachedFunctionExecutable::encode):
1202         (JSC::CachedFunctionExecutable::decode const):
1203         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1204         * runtime/CodeCache.cpp:
1205
1206         Instead of creating a dummyVariablesUnderTDZ, we simply pass
1207         WTF::nullopt.
1208
1209         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1210
1211 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1212
1213         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
1214         https://bugs.webkit.org/show_bug.cgi?id=196409
1215
1216         Reviewed by Saam Barati.
1217
1218         Some of the helpers in jsc.cpp, such as `functionRunString`, were still using
1219         `makeSource` instead of `jscSource`, which does not use the ShellSourceProvider
1220         and therefore does not write the bytecode cache to disk.
1221
1222         Changing that revealed a bug in the bytecode cache. The Encoder keeps a mapping
1223         of pointers to offsets of already cached objects, in order to avoid caching
1224         the same object twice. Similarly, the Decoder keeps a mapping from offsets
1225         to pointers, in order to avoid creating multiple objects in memory for the
1226         same cached object. The following was happening:
1227         1) A StringImpl* S was cached as CachedPtr<CachedStringImpl> at offset O. We add
1228         an entry in the Encoder mapping that S has already been encoded at O.
1229         2) We cache StringImpl* S again, but now as CachedPtr<CachedUniquedStringImpl>.
1230         We find an entry in the Encoder mapping for S, and return the offset O. However,
1231         the object cached at O is a CachedPtr<CachedStringImpl> (i.e. not Uniqued).
1232
1233         3) When decoding, there are 2 possibilities:
1234         3.1) We find S for the first time through a CachedPtr<CachedStringImpl>. In
1235         this case, everything works as expected since we add an entry in the decoder
1236         mapping from the offset O to the decoded StringImpl* S. The next time we find
1237         S through the uniqued version, we'll return the already decoded S.
1238         3.2) We find S through a CachedPtr<CachedUniquedStringImpl>. Now we have a
1239         problem, since the CachedPtr has the offset of a CachedStringImpl (not uniqued),
1240         which has a different shape and we crash.
1241
1242         We fix this by making CachedStringImpl and CachedUniquedStringImpl share the
1243         same implementation. Since it doesn't matter whether a string is uniqued for
1244         encoding, and we always decode strings as uniqued either way, they can be used
1245         interchangeably.
1246
1247         * jsc.cpp:
1248         (functionRunString):
1249         (functionLoadString):
1250         (functionDollarAgentStart):
1251         (functionCheckModuleSyntax):
1252         (runInteractive):
1253         * runtime/CachedTypes.cpp:
1254         (JSC::CachedUniquedStringImplBase::decode const):
1255         (JSC::CachedFunctionExecutable::rareData const):
1256         (JSC::CachedCodeBlock::rareData const):
1257         (JSC::CachedFunctionExecutable::encode):
1258         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1259         (JSC::CachedUniquedStringImpl::encode): Deleted.
1260         (JSC::CachedUniquedStringImpl::decode const): Deleted.
1261         (JSC::CachedStringImpl::encode): Deleted.
1262         (JSC::CachedStringImpl::decode const): Deleted.
1263
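The Encoder/Decoder dedup problem laid out in steps 1) to 3.2) above, as an added toy model that is not WebKit's CachedTypes code: a cache whose encoder dedups on the pointer alone, whose decoder memoizes by offset, and two record layouts that differ by a hash field. `ToyCache`, `Shape`, `reproduce` and the FNV hash stand-in are assumptions; the `shareOneShape` flag models the fix of giving both cached string types one implementation.

```cpp
// Added example, not JavaScriptCore code: a toy model of the bytecode-cache
// Encoder/Decoder dedup maps described above. All names are hypothetical.
#include <cstdint>
#include <optional>
#include <string>
#include <unordered_map>
#include <vector>

enum class Shape : uint8_t { String = 1, UniquedString = 2 };

// Record layout: [shape tag][hash, uniqued shape only][length][bytes], so the
// two shapes differ, as CachedStringImpl and CachedUniquedStringImpl did.
class ToyCache {
public:
    // shareOneShape=true models the fix: both cached types use one layout.
    explicit ToyCache(bool shareOneShape) : m_shareOneShape(shareOneShape) { }

    size_t encode(const std::string* s, Shape requested)
    {
        // Dedup keyed on the pointer alone, ignoring the requested shape: this
        // is step 2), which hands back offset O for a different layout.
        auto it = m_encoded.find(s);
        if (it != m_encoded.end())
            return it->second;
        Shape shape = actualShape(requested);
        size_t offset = m_bytes.size();
        m_encoded.emplace(s, offset);
        m_bytes.push_back(static_cast<uint8_t>(shape));
        if (shape == Shape::UniquedString)
            appendU32(toyHash(*s));
        appendU32(static_cast<uint32_t>(s->size()));
        m_bytes.insert(m_bytes.end(), s->begin(), s->end());
        return offset;
    }

    // Decoding memoizes offset -> object (step 3.1): a later reference to the
    // same offset gets the already decoded object whatever shape it expects.
    std::optional<std::string> decode(size_t offset, Shape requested)
    {
        auto memo = m_decoded.find(offset);
        if (memo != m_decoded.end())
            return memo->second;
        Shape shape = actualShape(requested);
        // The real decoder reinterprets the bytes and crashes on a layout
        // mismatch; the tag check turns step 3.2) into a detectable failure.
        if (offset >= m_bytes.size() || static_cast<Shape>(m_bytes[offset]) != shape)
            return std::nullopt;
        size_t pos = offset + 1;
        if (shape == Shape::UniquedString)
            pos += 4; // skip the hash field
        if (pos + 4 > m_bytes.size())
            return std::nullopt;
        uint32_t length = readU32(pos);
        pos += 4;
        if (pos + length > m_bytes.size())
            return std::nullopt;
        std::string result(m_bytes.begin() + pos, m_bytes.begin() + pos + length);
        m_decoded.emplace(offset, result);
        return result;
    }

private:
    Shape actualShape(Shape requested) const { return m_shareOneShape ? Shape::UniquedString : requested; }
    static uint32_t toyHash(const std::string& s)
    {
        uint32_t h = 2166136261u; // FNV-1a, standing in for StringImpl's hash
        for (unsigned char c : s) { h ^= c; h *= 16777619u; }
        return h;
    }
    void appendU32(uint32_t v) { for (int i = 0; i < 4; ++i) m_bytes.push_back(static_cast<uint8_t>(v >> (8 * i))); }
    uint32_t readU32(size_t pos) const
    {
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v |= static_cast<uint32_t>(m_bytes[pos + i]) << (8 * i);
        return v;
    }

    bool m_shareOneShape;
    std::vector<uint8_t> m_bytes;
    std::unordered_map<const std::string*, size_t> m_encoded;
    std::unordered_map<size_t, std::string> m_decoded;
};

// Steps 1) and 2): encode one string S as String, then again as UniquedString.
// Then decode it through both references, `firstDecode` first. Returns the
// text, or nullopt where the real decoder would have crashed.
std::optional<std::string> reproduce(bool shareOneShape, Shape firstDecode)
{
    const std::string s = "constructed sample"; // constructed input
    ToyCache cache(shareOneShape);
    size_t first = cache.encode(&s, Shape::String);
    size_t second = cache.encode(&s, Shape::UniquedString);
    if (first != second)
        return std::nullopt; // dedup is expected to return the same offset
    Shape secondDecode = firstDecode == Shape::String ? Shape::UniquedString : Shape::String;
    std::optional<std::string> a = cache.decode(first, firstDecode);
    std::optional<std::string> b = cache.decode(second, secondDecode);
    if (!a || !b || *a != *b)
        return std::nullopt;
    return a;
}
```

With the two layouts kept separate, the outcome depends on which reference is decoded first, exactly as steps 3.1) and 3.2) describe; with one shared layout the order no longer matters, which is the property the fix relies on.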
1264 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1265
1266         UnlinkedCodeBlock constructor from cache should initialize m_didOptimize
1267         https://bugs.webkit.org/show_bug.cgi?id=196396
1268
1269         Reviewed by Saam Barati.
1270
1271         The UnlinkedCodeBlock constructor in CachedTypes was missing the initialization
1272         for m_didOptimize, which leads to crashes in CodeBlock::thresholdForJIT.
1273
1274         * runtime/CachedTypes.cpp:
1275         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1276
1277 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1278
1279         Unreviewed, rolling in r243843 with the build fix
1280         https://bugs.webkit.org/show_bug.cgi?id=196586
1281
1282         * runtime/Options.cpp:
1283         (JSC::recomputeDependentOptions):
1284         * runtime/Options.h:
1285         * runtime/RandomizingFuzzerAgent.cpp:
1286         (JSC::RandomizingFuzzerAgent::getPrediction):
1287
1288 2019-04-03  Ryan Haddad  <ryanhaddad@apple.com>
1289
1290         Unreviewed, rolling out r243843.
1291
1292         Broke CLoop and Windows builds.
1293
1294         Reverted changeset:
1295
1296         "[JSC] Add dump feature for RandomizingFuzzerAgent"
1297         https://bugs.webkit.org/show_bug.cgi?id=196586
1298         https://trac.webkit.org/changeset/243843
1299
1300 2019-04-03  Robin Morisset  <rmorisset@apple.com>
1301
1302         B3 should use associativity to optimize expression trees
1303         https://bugs.webkit.org/show_bug.cgi?id=194081
1304
1305         Reviewed by Filip Pizlo.
1306
1307         This patch adds a new B3 pass, that tries to find and optimize expression trees made purely of any one associative and commutative operator (Add/Mul/BitOr/BitAnd/BitXor).
1308         The pass only runs in O2, and runs once, after lowerMacros and just before a run of B3ReduceStrength (which helps clean up the dead code it tends to leave behind).
1309         I had to separate killDeadCode out of B3ReduceStrength (as a new B3EliminateDeadCode pass) to run it before B3OptimizeAssociativeExpressionTrees, as otherwise it is stopped by high use counts
1310         inherited from CSE.
1311         This extra run of DCE is by itself a win, most notably on microbenchmarks/instanceof-always-hit-two (1.5x faster), and on microbenchmarks/licm-dragons(-out-of-bounds) (both get 1.16x speedup).
1312         I suspect it is because it runs between CSE and tail-dedup, and as a result allows a lot more tail-dedup to occur.
1313
1314         The pass is currently extremely conservative, not trying anything if it would cause _any_ code duplication.
1315         For this purpose, it starts by computing use counts for the potentially interesting nodes (those with the right opcodes), and segregates them into expression trees.
1316         The root of an expression tree is a node that is either used in multiple places, or is used by a value with a different opcode.
1317         The leaves of an expression tree are nodes that are either used in multiple places, or have a different opcode.
1318         All constant leaves of a tree are combined, as well as all leaves that are identical. What remains is then laid out into a balanced binary tree, hopefully maximizing ILP.
1319
1320         This optimization was implemented as a stand-alone pass and not as part of B3ReduceStrength mostly because it needs use counts to avoid code duplication.
1321         It also benefits from finding all tree roots first, and not trying to repeatedly optimize subtrees.
1322
1323         I added several tests to testB3 with varying patterns of trees. It is also tested in a less focused way by lots of older tests.
1324
1325         In the future this pass could be expanded to allow some bounded amount of code duplication, and merging more leaves (e.g. Mul(a, 3) and a in an Add tree, into Mul(a, 4)).
1326         The latter will need exposing the peephole optimizations out of B3ReduceStrength to avoid duplicating code.
1327
1328         * JavaScriptCore.xcodeproj/project.pbxproj:
1329         * Sources.txt:
1330         * b3/B3Common.cpp:
1331         (JSC::B3::shouldDumpIR):
1332         (JSC::B3::shouldDumpIRAtEachPhase):
1333         * b3/B3Common.h:
1334         * b3/B3EliminateDeadCode.cpp: Added.
1335         (JSC::B3::EliminateDeadCode::run):
1336         (JSC::B3::eliminateDeadCode):
1337         * b3/B3EliminateDeadCode.h: Added.
1338         (JSC::B3::EliminateDeadCode::EliminateDeadCode):
1339         * b3/B3Generate.cpp:
1340         (JSC::B3::generateToAir):
1341         * b3/B3OptimizeAssociativeExpressionTrees.cpp: Added.
1342         (JSC::B3::OptimizeAssociativeExpressionTrees::OptimizeAssociativeExpressionTrees):
1343         (JSC::B3::OptimizeAssociativeExpressionTrees::neutralElement):
1344         (JSC::B3::OptimizeAssociativeExpressionTrees::isAbsorbingElement):
1345         (JSC::B3::OptimizeAssociativeExpressionTrees::combineConstants):
1346         (JSC::B3::OptimizeAssociativeExpressionTrees::emitValue):
1347         (JSC::B3::OptimizeAssociativeExpressionTrees::optimizeRootedTree):
1348         (JSC::B3::OptimizeAssociativeExpressionTrees::run):
1349         (JSC::B3::optimizeAssociativeExpressionTrees):
1350         * b3/B3OptimizeAssociativeExpressionTrees.h: Added.
1351         * b3/B3ReduceStrength.cpp:
1352         * b3/B3Value.cpp:
1353         (JSC::B3::Value::replaceWithIdentity):
1354         * b3/testb3.cpp:
1355         (JSC::B3::testBitXorTreeArgs):
1356         (JSC::B3::testBitXorTreeArgsEven):
1357         (JSC::B3::testBitXorTreeArgImm):
1358         (JSC::B3::testAddTreeArg32):
1359         (JSC::B3::testMulTreeArg32):
1360         (JSC::B3::testBitAndTreeArg32):
1361         (JSC::B3::testBitOrTreeArg32):
1362         (JSC::B3::run):
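
Added illustration for the entry above, not B3 code and not part of the ChangeLog: a toy C++ model of how the pass gathers a rooted tree's leaves by use count (so shared subtrees are never duplicated), folds constant leaves through the neutral and absorbing elements, and emits the remaining leaves as a balanced tree. Arena, Value, the demo functions and the sample trees are constructed for this example; the names neutralElement, isAbsorbingElement, collectLeaves, optimizeRootedTree and emitValue echo the entry's function list, but the bodies here are the example's own.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Toy model of B3OptimizeAssociativeExpressionTrees (constructed illustration, not the JSC code).
// Use counts cover the whole arena, as the real pass's cover the procedure, so shared subtrees stay leaves.
enum class Opcode { Const, Arg, Add, Mul, BitXor };

struct Value {
    Opcode op = Opcode::Const;
    int64_t k = 0;  // Const: the constant; Arg: the argument index
    Value* child[2] = { nullptr, nullptr };
    unsigned useCount = 0;
};

struct Arena {
    std::vector<std::unique_ptr<Value>> values;
    Value* make(Opcode op, Value* a = nullptr, Value* b = nullptr, int64_t k = 0) {
        values.push_back(std::make_unique<Value>());
        Value* v = values.back().get(); v->op = op; v->k = k; v->child[0] = a; v->child[1] = b;
        for (Value* c : v->child) if (c) c->useCount++;  // every edge is one use
        return v;
    }
    Value* constant(int64_t k) { return make(Opcode::Const, nullptr, nullptr, k); }
    Value* arg(int64_t index) { return make(Opcode::Arg, nullptr, nullptr, index); }
};
static int64_t neutralElement(Opcode op) { return op == Opcode::Mul ? 1 : 0; }
static bool isAbsorbingElement(Opcode op, int64_t k) { return op == Opcode::Mul && k == 0; }
static int64_t apply(Opcode op, int64_t a, int64_t b) {
    uint64_t x = uint64_t(a), y = uint64_t(b);  // wrap like the hardware, no signed-overflow UB
    return int64_t(op == Opcode::Add ? x + y : op == Opcode::Mul ? x * y : x ^ y);
}
// Leaves of the tree rooted at `v`: a child is expanded only if it has the same
// opcode and exactly one use, so the rewrite never duplicates code.
static void collectLeaves(const Value* v, Opcode op, std::vector<Value*>& leaves) {
    for (Value* c : v->child) {
        if (c->op == op && c->useCount == 1) collectLeaves(c, op, leaves);
        else leaves.push_back(c);
    }
}
// Replacement for `root` (Add/Mul/BitXor): constants folded into one, the neutral element
// dropped, an absorbing element short-circuited, remaining leaves laid out as a balanced tree.
static Value* optimizeRootedTree(Arena& arena, Value* root) {
    Opcode op = root->op;
    std::vector<Value*> leaves, level;
    collectLeaves(root, op, leaves);
    int64_t folded = neutralElement(op);  // combineConstants
    for (Value* l : leaves) {
        if (l->op == Opcode::Const) folded = apply(op, folded, l->k);
        else level.push_back(l);
    }
    if (isAbsorbingElement(op, folded)) return arena.constant(folded);
    if (folded != neutralElement(op) || level.empty()) level.push_back(arena.constant(folded));
    while (level.size() > 1) {  // emitValue: pair up neighbours level by level
        std::vector<Value*> next;
        for (std::size_t i = 0; i + 1 < level.size(); i += 2) next.push_back(arena.make(op, level[i], level[i + 1]));
        if (level.size() % 2) next.push_back(level.back());
        level.swap(next);
    }
    return level[0];
}
static unsigned depth(const Value* v) {
    return v->child[0] ? 1 + std::max(depth(v->child[0]), depth(v->child[1])) : 0;
}
static int64_t evaluate(const Value* v, const std::vector<int64_t>& args) {
    if (v->op == Opcode::Const) return v->k;
    return v->op == Opcode::Arg ? args[std::size_t(v->k)] : apply(v->op, evaluate(v->child[0], args), evaluate(v->child[1], args));
}

// Constructed case: the chain Add(Add(Add(Add(a, 1), b), 2), c) becomes Add(Add(a, b), Add(c, 3)).
// Returns { depth before, depth after, value before, value after } for a=5, b=7, c=11.
std::vector<int64_t> demoAddChain() {
    Arena arena;
    Value* a = arena.arg(0); Value* b = arena.arg(1); Value* c = arena.arg(2);
    Value* root = arena.make(Opcode::Add, arena.make(Opcode::Add, arena.make(Opcode::Add,
        arena.make(Opcode::Add, a, arena.constant(1)), b), arena.constant(2)), c);
    Value* opt = optimizeRootedTree(arena, root);
    return { depth(root), depth(opt), evaluate(root, { 5, 7, 11 }), evaluate(opt, { 5, 7, 11 }) };
}

// Constructed case: BitXor(BitXor(a, 5), 5) folds 5 ^ 5 to the neutral 0 and collapses to `a`;
// Mul(Mul(a, 0), b) folds to the absorbing constant 0.
bool demoNeutralAndAbsorbing() {
    Arena arena;
    Value* x = arena.make(Opcode::BitXor, arena.make(Opcode::BitXor, arena.arg(0), arena.constant(5)), arena.constant(5));
    Value* m = arena.make(Opcode::Mul, arena.make(Opcode::Mul, arena.arg(0), arena.constant(0)), arena.arg(1));
    Value* xo = optimizeRootedTree(arena, x); Value* mo = optimizeRootedTree(arena, m);
    return xo->op == Opcode::Arg && mo->op == Opcode::Const && mo->k == 0;
}

// Constructed case: Add(a, 1) has two users, so it stays a leaf and is never duplicated.
std::size_t demoSharedSubtreeStaysLeaf() {
    Arena arena;
    Value* shared = arena.make(Opcode::Add, arena.arg(0), arena.constant(1));
    Value* root = arena.make(Opcode::Add, shared, arena.arg(1));
    arena.make(Opcode::Add, shared, arena.arg(2));  // second user of `shared`
    std::vector<Value*> leaves; collectLeaves(root, Opcode::Add, leaves);
    return leaves.size();  // `shared` and arg(1): 2, not 3
}
```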
1363
1364 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1365
1366         [JSC] Add dump feature for RandomizingFuzzerAgent
1367         https://bugs.webkit.org/show_bug.cgi?id=196586
1368
1369         Reviewed by Saam Barati.
1370
1371         Towards deterministic tests for the results from the randomizing fuzzer agent, this patch adds Options::dumpRandomizingFuzzerAgentPredictions, which dumps the generated types.
1372         The results look like this.
1373
1374             getPrediction name:(#C2q9xD),bytecodeIndex:(22),original:(Array),generated:(OtherObj|Array|Float64Array|BigInt|NonIntAsDouble)
1375             getPrediction name:(makeUnwriteableUnconfigurableObject#AiEJv1),bytecodeIndex:(14),original:(OtherObj),generated:(Final|Uint8Array|Float64Array|SetObject|WeakSetObject|BigInt|NonIntAsDouble)
1376
1377         * runtime/Options.cpp:
1378         (JSC::recomputeDependentOptions):
1379         * runtime/Options.h:
1380         * runtime/RandomizingFuzzerAgent.cpp:
1381         (JSC::RandomizingFuzzerAgent::getPrediction):
1382
1383 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
1384
1385         -apple-trailing-word is needed for browser detection
1386         https://bugs.webkit.org/show_bug.cgi?id=196575
1387
1388         Unreviewed.
1389
1390         * Configurations/FeatureDefines.xcconfig:
1391
1392 2019-04-03  Michael Saboff  <msaboff@apple.com>
1393
1394         REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
1395         https://bugs.webkit.org/show_bug.cgi?id=196477
1396
1397         Reviewed by Keith Miller.
1398
1399         The problem here is that when we advance the index by 2 for a character class that only
1400         has non-BMP characters, we might go past the end of the string.  This can happen for
1401         greedy counted character classes that are part of an alternative where there is one
1402         character to match after the greedy non-BMP character class.
1403
1404         The "do we have string left to match" check at the top of the JIT loop for the counted
1405         character class checks to see if index is not equal to the string length.  For non-BMP
1406         character classes, we need to check to see if there are at least 2 characters left.
1407         Therefore we now temporarily add 1 to the current index before comparing.  This checks
1408         to see if there are at least 2 characters left to match, instead of 1.
1409
1410         * yarr/YarrJIT.cpp:
1411         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1412         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1413
1414 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1415
1416         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
1417         https://bugs.webkit.org/show_bug.cgi?id=196574
1418
1419         Reviewed by Saam Barati.
1420
1421         This patch adds a missing exception check in operationArrayIndexOfValueInt32OrContiguous.
1422
1423         * dfg/DFGOperations.cpp:
1424
1425 2019-04-03  Don Olmstead  <don.olmstead@sony.com>
1426
1427         [CMake][WTF] Mirror XCode header directories
1428         https://bugs.webkit.org/show_bug.cgi?id=191662
1429
1430         Reviewed by Konstantin Tokarev.
1431
1432         Use WTFFramework as a dependency and include frameworks/WTF.cmake for AppleWin internal
1433         builds.
1434
1435         * CMakeLists.txt:
1436         * shell/CMakeLists.txt:
1437
1438 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1439
1440         [JSC] Add FuzzerAgent, which has hooks to get feedback & inject fuzz data into JSC
1441         https://bugs.webkit.org/show_bug.cgi?id=196530
1442
1443         Reviewed by Saam Barati.
1444
1445         This patch adds FuzzerAgent interface and simple RandomizingFuzzerAgent to JSC.
1446         This RandomizingFuzzerAgent returns a random SpeculatedType for value profiling to find
1447         issues in JSC. The seed for randomization can be specified by seedOfRandomizingFuzzerAgent.
1448
1449         I ran this with seedOfRandomizingFuzzerAgent=1 last night and it finds 3 failures in the current JSC tests;
1450         they should be fixed in subsequent patches.
1451
1452         * CMakeLists.txt:
1453         * JavaScriptCore.xcodeproj/project.pbxproj:
1454         * Sources.txt:
1455         * dfg/DFGByteCodeParser.cpp:
1456         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1457         * runtime/FuzzerAgent.cpp: Added.
1458         (JSC::FuzzerAgent::~FuzzerAgent):
1459         (JSC::FuzzerAgent::getPrediction):
1460         * runtime/FuzzerAgent.h: Added.
1461         * runtime/JSGlobalObjectFunctions.cpp:
1462         * runtime/Options.h:
1463         * runtime/RandomizingFuzzerAgent.cpp: Added.
1464         (JSC::RandomizingFuzzerAgent::RandomizingFuzzerAgent):
1465         (JSC::RandomizingFuzzerAgent::getPrediction):
1466         * runtime/RandomizingFuzzerAgent.h: Added.
1467         * runtime/RegExpCachedResult.h:
1468         * runtime/RegExpGlobalData.cpp:
1469         * runtime/VM.cpp:
1470         (JSC::VM::VM):
1471         * runtime/VM.h:
1472         (JSC::VM::fuzzerAgent const):
1473         (JSC::VM::setFuzzerAgent):
1474
1475 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
1476
1477         Remove support for -apple-trailing-word
1478         https://bugs.webkit.org/show_bug.cgi?id=196525
1479
1480         Reviewed by Zalan Bujtas.
1481
1482         This CSS property is nonstandard and not used.
1483
1484         * Configurations/FeatureDefines.xcconfig:
1485
1486 2019-04-03  Joseph Pecoraro  <pecoraro@apple.com>
1487
1488         Web Inspector: Remote Inspector indicate callback should always happen on the main thread
1489         https://bugs.webkit.org/show_bug.cgi?id=196513
1490         <rdar://problem/49498284>
1491
1492         Reviewed by Devin Rousso.
1493
1494         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1495         (Inspector::RemoteInspector::receivedIndicateMessage):
1496         When we have a WebThread, don't just run on the WebThread,
1497         run on the MainThread with the WebThreadLock.
1498
1499 2019-04-02  Michael Saboff  <msaboff@apple.com>
1500
1501         Crash in Options::setOptions() using --configFile option and libgmalloc
1502         https://bugs.webkit.org/show_bug.cgi?id=196506
1503
1504         Reviewed by Keith Miller.
1505
1506         Changed to call CString::data() while making the call to Options::setOptions().  This keeps
1507         the implicit CString temporary alive until after setOptions() returns.
1508
1509         * runtime/ConfigFile.cpp:
1510         (JSC::ConfigFile::parse):
1511
1512 2019-04-02  Fujii Hironori  <Hironori.Fujii@sony.com>
1513
1514         [CMake] WEBKIT_MAKE_FORWARDING_HEADERS shouldn't use POST_BUILD to copy generated headers
1515         https://bugs.webkit.org/show_bug.cgi?id=182757
1516
1517         Reviewed by Don Olmstead.
1518
1519         * CMakeLists.txt: Do not use DERIVED_SOURCE_DIRECTORIES parameter
1520         of WEBKIT_MAKE_FORWARDING_HEADERS. Added generated headers to
1521         JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS.
1522
1523 2019-04-02  Saam barati  <sbarati@apple.com>
1524
1525         Add a ValueRepReduction phase
1526         https://bugs.webkit.org/show_bug.cgi?id=196234
1527
1528         Reviewed by Filip Pizlo.
1529
1530         This patch adds a ValueRepReduction phase. The main idea here is
1531         to try to reduce DoubleRep(RealNumberUse:ValueRep(DoubleRepUse:@x))
1532         to just be @x. This patch handles such above strength reduction rules
1533         as long as we prove that all users of the ValueRep can be converted
1534         to using the incoming double value. That way we prevent introducing
1535         a parallel live range for the double value.
1536         
1537         This patch tracks the uses of the ValueRep through Phi variables,
1538         so we can convert entire Phi variables to being Double instead
1539         of JSValue if the Phi also has only double uses.
1540         
1541         This is implemented through a simple escape analysis. DoubleRep(RealNumberUse:)
1542         and OSR exit hints are not counted as escapes. All other uses are counted
1543         as escapes. Connected Phi graphs are converted to being Double only if the
1544         entire graph is ok with the result being Double.
1545         
1546         Some ways we could extend this phase in the future:
1547         - There are a lot of DoubleRep(NumberUse:@ValueRep(@x)) uses. This ensures
1548           that the result of the DoubleRep of @x is not impure NaN. We could
1549           handle this case if we introduced a PurifyNaN node and replace the DoubleRep
1550           with PurifyNaN(@x). Alternatively, we could see if certain users of this
1551           DoubleRep are okay with impure NaN flowing into them and we'd need to ensure
1552           their output type is always treated as if the input is impure NaN.
1553         - We could do sinking of ValueRep where we think it's profitable. So instead
1554           of an escape making it so we never represent the variable as a Double, we
1555           could make the escape reconstruct the JSValueRep where profitable.
1556         - We can extend this phase to handle Int52Rep if it's profitable.
1557         - We can opt other nodes into accepting incoming Doubles so we no longer
1558           treat them as escapes.
1559         
1560         This patch is somewhere between neutral and a 1% progression on JetStream 2.
1561
1562         * JavaScriptCore.xcodeproj/project.pbxproj:
1563         * Sources.txt:
1564         * dfg/DFGPlan.cpp:
1565         (JSC::DFG::Plan::compileInThreadImpl):
1566         * dfg/DFGValueRepReductionPhase.cpp: Added.
1567         (JSC::DFG::ValueRepReductionPhase::ValueRepReductionPhase):
1568         (JSC::DFG::ValueRepReductionPhase::run):
1569         (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble):
1570         (JSC::DFG::performValueRepReduction):
1571         * dfg/DFGValueRepReductionPhase.h: Added.
1572         * runtime/Options.h:
1573
1574 2019-04-01  Yusuke Suzuki  <ysuzuki@apple.com>
1575
1576         [JSC] JSRunLoopTimer::Manager should be small
1577         https://bugs.webkit.org/show_bug.cgi?id=196425
1578
1579         Reviewed by Darin Adler.
1580
1581         Using a very large Key or Value in HashMap potentially bloats memory since HashMap pre-allocates a large amount of
1582         memory ((sizeof(Key) + sizeof(Value)) * N) for its backing storage's array. Using std::unique_ptr<> for JSRunLoopTimer's
1583         PerVMData keeps HashMap's backing store size small.
1584
1585         * runtime/JSRunLoopTimer.cpp:
1586         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1587         (JSC::JSRunLoopTimer::Manager::registerVM):
1588         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1589         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1590         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1591         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1592         * runtime/JSRunLoopTimer.h:
1593
1594 2019-04-01  Stephan Szabo  <stephan.szabo@sony.com>
1595
1596         [PlayStation] Add initialization for JSC shell for PlayStation port
1597         https://bugs.webkit.org/show_bug.cgi?id=195411
1598
1599         Reviewed by Ross Kirsling.
1600
1601         Add ps options
1602
1603         * shell/PlatformPlayStation.cmake: Added.
1604         * shell/playstation/Initializer.cpp: Added.
1605         (initializer):
1606
1607 2019-04-01  Michael Catanzaro  <mcatanzaro@igalia.com>
1608
1609         Stop trying to support building JSC with clang 3.8
1610         https://bugs.webkit.org/show_bug.cgi?id=195947
1611         <rdar://problem/49069219>
1612
1613         Reviewed by Darin Adler.
1614
1615         It seems WebKit hasn't built with clang 3.8 in a while, no devs are using this compiler, we
1616         don't know how much effort it would be to make JSC work again, and it's making the code
1617         worse. Remove my hacks to support clang 3.8 from JSC.
1618
1619         * bindings/ScriptValue.cpp:
1620         (Inspector::jsToInspectorValue):
1621         * bytecode/GetterSetterAccessCase.cpp:
1622         (JSC::GetterSetterAccessCase::create):
1623         (JSC::GetterSetterAccessCase::clone const):
1624         * bytecode/InstanceOfAccessCase.cpp:
1625         (JSC::InstanceOfAccessCase::clone const):
1626         * bytecode/IntrinsicGetterAccessCase.cpp:
1627         (JSC::IntrinsicGetterAccessCase::clone const):
1628         * bytecode/ModuleNamespaceAccessCase.cpp:
1629         (JSC::ModuleNamespaceAccessCase::clone const):
1630         * bytecode/ProxyableAccessCase.cpp:
1631         (JSC::ProxyableAccessCase::clone const):
1632
1633 2019-03-31  Yusuke Suzuki  <ysuzuki@apple.com>
1634
1635         [JSC] Butterfly allocation from LargeAllocation should try "realloc" behavior if collector thread is not active
1636         https://bugs.webkit.org/show_bug.cgi?id=196160
1637
1638         Reviewed by Saam Barati.
1639
1640         "realloc" can be effective in terms of peak/current memory footprint when realloc succeeds because,
1641
1642         1. It does not allocate additional memory while expanding a vector
1643         2. It does not deallocate old memory, just reusing the current memory by expanding, so that memory footprint is tight even before scavenging
1644
1645         We found that we can "realloc" large butterflies if certain conditions are met because,
1646
1647         1. If it goes to LargeAllocation, this memory region is never reused until GC sweeps it.
1648         2. Butterflies are owned by owner JSObjects, so we know the lifetime of Butterflies.
1649
1650         This patch attempts to use "realloc" on butterflies if,
1651
1652         1. Butterflies are allocated in LargeAllocation kind
1653         2. Concurrent collector is not active
1654         3. Butterflies do not have property storage
1655
1656         The condition (2) is required to avoid deallocating butterflies while the concurrent collector looks into it. The condition (3) is
1657         also required to avoid deallocating butterflies while the concurrent compiler looks into it.
1658
1659         We also change the LargeAllocation mechanism to use "malloc" and "free" instead of "posix_memalign". This allows us to use "realloc"
1660         safely on all platforms. Since LargeAllocation uses alignment to distinguish LargeAllocation and MarkedBlock, we manually adjust
1661         16B alignment by allocating 8B more memory in "malloc".
1662
1663         Speedometer2 and JetStream2 are neutral. RAMification shows about 1% progression (even in some of JIT tests).
1664
1665         * heap/AlignedMemoryAllocator.h:
1666         * heap/CompleteSubspace.cpp:
1667         (JSC::CompleteSubspace::tryAllocateSlow):
1668         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
1669         * heap/CompleteSubspace.h:
1670         * heap/FastMallocAlignedMemoryAllocator.cpp:
1671         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateMemory):
1672         (JSC::FastMallocAlignedMemoryAllocator::freeMemory):
1673         (JSC::FastMallocAlignedMemoryAllocator::tryReallocateMemory):
1674         * heap/FastMallocAlignedMemoryAllocator.h:
1675         * heap/GigacageAlignedMemoryAllocator.cpp:
1676         (JSC::GigacageAlignedMemoryAllocator::tryAllocateMemory):
1677         (JSC::GigacageAlignedMemoryAllocator::freeMemory):
1678         (JSC::GigacageAlignedMemoryAllocator::tryReallocateMemory):
1679         * heap/GigacageAlignedMemoryAllocator.h:
1680         * heap/IsoAlignedMemoryAllocator.cpp:
1681         (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory):
1682         (JSC::IsoAlignedMemoryAllocator::freeMemory):
1683         (JSC::IsoAlignedMemoryAllocator::tryReallocateMemory):
1684         * heap/IsoAlignedMemoryAllocator.h:
1685         * heap/LargeAllocation.cpp:
1686         (JSC::isAlignedForLargeAllocation):
1687         (JSC::LargeAllocation::tryCreate):
1688         (JSC::LargeAllocation::tryReallocate):
1689         (JSC::LargeAllocation::LargeAllocation):
1690         (JSC::LargeAllocation::destroy):
1691         * heap/LargeAllocation.h:
1692         (JSC::LargeAllocation::indexInSpace):
1693         (JSC::LargeAllocation::setIndexInSpace):
1694         (JSC::LargeAllocation::basePointer const):
1695         * heap/MarkedSpace.cpp:
1696         (JSC::MarkedSpace::sweepLargeAllocations):
1697         (JSC::MarkedSpace::prepareForConservativeScan):
1698         * heap/WeakSet.h:
1699         (JSC::WeakSet::isTriviallyDestructible const):
1700         * runtime/Butterfly.h:
1701         * runtime/ButterflyInlines.h:
1702         (JSC::Butterfly::reallocArrayRightIfPossible):
1703         * runtime/JSObject.cpp:
1704         (JSC::JSObject::ensureLengthSlow):
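
Added illustration for the entry above, not the LargeAllocation code: the malloc/realloc alignment trick the entry describes (allocate 8B more and shift the block up when malloc's result is not 16B aligned), plus the toy's own handling of the edge case that realloc may hand back a block of the opposite alignment, so the payload has to move by 8 bytes inside the new block. AlignedBlock, tryAllocate, tryReallocate, release and demoRoundTrip are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Constructed illustration (not the JSC LargeAllocation code): allocate with
// malloc/realloc instead of posix_memalign, over-allocate by half the required
// alignment, and shift the payload up when malloc's result is only 8-aligned.
constexpr std::size_t kAlignment = 16;
constexpr std::size_t kHalfAlignment = kAlignment / 2;

struct AlignedBlock {
    void* base = nullptr;     // what malloc returned; what free/realloc must receive
    void* payload = nullptr;  // base, or base + kHalfAlignment
    std::size_t size = 0;     // usable payload bytes
    bool adjusted() const { return payload != base; }
};

static bool isAligned(const void* p) {
    return (reinterpret_cast<std::uintptr_t>(p) & (kAlignment - 1)) == 0;
}

// Asking malloc for size + 8 leaves room to shift the payload by 8 whenever the
// returned pointer is not 16-aligned; the original pointer is kept for free/realloc.
bool tryAllocate(AlignedBlock& block, std::size_t size) {
    void* base = std::malloc(size + kHalfAlignment);
    if (!base) return false;
    block.base = base;
    block.payload = isAligned(base) ? base : static_cast<char*>(base) + kHalfAlignment;
    block.size = size;
    return true;
}

// "realloc" behaviour: same over-allocation, but the new block's alignment may differ
// from the old one's. Four cases: adjusted->adjusted and plain->plain need nothing;
// adjusted->plain shifts the bytes back by 8; plain->adjusted shifts them forward by 8.
// realloc preserved min(oldSize, newSize) + 8 bytes, which covers both shifts.
bool tryReallocate(AlignedBlock& block, std::size_t newSize) {
    const bool oldAdjusted = block.adjusted();
    const std::size_t keep = block.size < newSize ? block.size : newSize;
    void* base = std::realloc(block.base, newSize + kHalfAlignment);
    if (!base) return false;  // the old block is still valid and untouched
    const bool newAdjusted = !isAligned(base);
    char* bytes = static_cast<char*>(base);
    if (oldAdjusted && !newAdjusted) std::memmove(bytes, bytes + kHalfAlignment, keep);
    else if (!oldAdjusted && newAdjusted) std::memmove(bytes + kHalfAlignment, bytes, keep);
    block.base = base;
    block.payload = newAdjusted ? bytes + kHalfAlignment : bytes;
    block.size = newSize;
    return true;
}

void release(AlignedBlock& block) {
    std::free(block.base);  // always the pointer malloc/realloc returned, never the payload
    block = AlignedBlock {};
}

// Constructed check: fill the payload with a pattern, grow and shrink it several
// times, and verify that alignment and the first 24 bytes (the smallest size used)
// survive whichever alignment cases realloc happens to produce.
bool demoRoundTrip() {
    AlignedBlock block;
    if (!tryAllocate(block, 40)) return false;
    char* p = static_cast<char*>(block.payload);
    for (std::size_t i = 0; i < 40; i++) p[i] = char('A' + i % 26);
    bool ok = isAligned(block.payload);
    const std::size_t sizes[] = { 4096, 24, 100000, 40 };
    for (std::size_t s : sizes) {
        if (!tryReallocate(block, s)) { release(block); return false; }
        p = static_cast<char*>(block.payload);
        ok = ok && isAligned(block.payload) && block.size == s;
        for (std::size_t i = 0; i < 24; i++) ok = ok && p[i] == char('A' + i % 26);
    }
    release(block);
    return ok && block.base == nullptr;
}
```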
1705
1706 2019-03-31  Sam Weinig  <weinig@apple.com>
1707
1708         Remove more i386 specific configurations
1709         https://bugs.webkit.org/show_bug.cgi?id=196430
1710
1711         Reviewed by Alexey Proskuryakov.
1712
1713         * Configurations/FeatureDefines.xcconfig:
1714         ENABLE_WEB_AUTHN_macosx can now be enabled unconditionally on macOS.
1715
1716         * Configurations/ToolExecutable.xcconfig:
1717         ARC can be enabled unconditionally now.
1718
1719 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
1720
1721         [JSC] JSWrapperMap should not use Objective-C Weak map (NSMapTable with NSPointerFunctionsWeakMemory) for m_cachedObjCWrappers
1722         https://bugs.webkit.org/show_bug.cgi?id=196392
1723
1724         Reviewed by Saam Barati.
1725
1726         Weak representation in Objective-C is surprisingly costly in terms of memory. We can see that a very simple program shows 10KB memory consumption due to
1727         this weak wrapper map in JavaScriptCore.framework. But we do not need this weak map since Objective-C JSValue has a dealloc. It can unregister itself
1728         from the map when it is deallocated without using the Objective-C weak mechanism. And since Objective-C JSValue is tightly coupled to a specific JSContext,
1729         and the wrapper map is created per JSContext, the JSValue wrapper and the actual JavaScriptCore value are one-to-one, and [JSValue dealloc] knows which JSContext's
1730         wrapper map holds itself.
1731
1732         1. We do not use Objective-C weak mechanism. We use WTF::HashSet instead. When JSValue is allocated, we register it to JSWrapperMap's HashSet. And unregister
1733            JSValue from this map when JSValue is deallocated.
1734         2. We use HashSet<JSValue> (logically) instead of HashMap<JSValueRef, JSValue> to keep JSValueRef and JSValue relationship. We can achieve it because JSValue
1735            holds JSValueRef inside it.
1736
1737         * API/JSContext.mm:
1738         (-[JSContext removeWrapper:]):
1739         * API/JSContextInternal.h:
1740         * API/JSValue.mm:
1741         (-[JSValue dealloc]):
1742         (-[JSValue initWithValue:inContext:]):
1743         * API/JSWrapperMap.h:
1744         * API/JSWrapperMap.mm:
1745         (WrapperKey::hashTableDeletedValue):
1746         (WrapperKey::WrapperKey):
1747         (WrapperKey::isHashTableDeletedValue const):
1748         (WrapperKey::Hash::hash):
1749         (WrapperKey::Hash::equal):
1750         (WrapperKey::Traits::isEmptyValue):
1751         (WrapperKey::Translator::hash):
1752         (WrapperKey::Translator::equal):
1753         (WrapperKey::Translator::translate):
1754         (-[JSWrapperMap initWithGlobalContextRef:]):
1755         (-[JSWrapperMap dealloc]):
1756         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
1757         (-[JSWrapperMap removeWrapper:]):
1758         * API/tests/testapi.mm:
1759         (testObjectiveCAPIMain):
1760
1761 2019-03-29  Robin Morisset  <rmorisset@apple.com>
1762
1763         B3ReduceStrength should know that Mul distributes over Add and Sub
1764         https://bugs.webkit.org/show_bug.cgi?id=196325
1765
1766         Reviewed by Michael Saboff.
1767
1768         In this patch I add the following patterns to B3ReduceStrength:
1769         - Turn this: Integer Neg(Mul(value, c))
1770           Into this: Mul(value, -c), as long as -c does not overflow
1771         - Turn these: Integer Mul(value, Neg(otherValue)) and Integer Mul(Neg(value), otherValue)
1772           Into this: Neg(Mul(value, otherValue))
1773         - For Op==Add or Sub, turn any of these:
1774              Op(Mul(x1, x2), Mul(x1, x3))
1775              Op(Mul(x2, x1), Mul(x1, x3))
1776              Op(Mul(x1, x2), Mul(x3, x1))
1777              Op(Mul(x2, x1), Mul(x3, x1))
1778           Into this: Mul(x1, Op(x2, x3))
1779
1780         Also includes a trivial change: a similar reduction for the distributivity of BitAnd over BitOr/BitXor now
1781         emits the arguments to BitAnd in the other order, to minimize the probability that we'll spend a full fixpoint step just to flip them.
1782
1783         * b3/B3ReduceStrength.cpp:
1784         * b3/testb3.cpp:
1785         (JSC::B3::testAddMulMulArgs):
1786         (JSC::B3::testMulArgNegArg):
1787         (JSC::B3::testMulNegArgArg):
1788         (JSC::B3::testNegMulArgImm):
1789         (JSC::B3::testSubMulMulArgs):
1790         (JSC::B3::run):
1791
1792 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
1793
1794         [JSC] Remove distancing for LargeAllocation
1795         https://bugs.webkit.org/show_bug.cgi?id=196335
1796
1797         Reviewed by Saam Barati.
1798
1799         In r230226, we removed the distancing feature from our GC. This patch removes the remaining distancing thing in LargeAllocation.
1800
1801         * heap/HeapCell.h:
1802         * heap/LargeAllocation.cpp:
1803         (JSC::LargeAllocation::tryCreate):
1804         * heap/MarkedBlock.h:
1805
1806 2019-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1807
1808         Delete WebMetal implementation in favor of WebGPU
1809         https://bugs.webkit.org/show_bug.cgi?id=195418
1810
1811         Reviewed by Dean Jackson.
1812
1813         * Configurations/FeatureDefines.xcconfig:
1814         * inspector/protocol/Canvas.json:
1815         * inspector/scripts/codegen/generator.py:
1816
1817 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
1818
1819         Assertion failed in JSC::createError
1820         https://bugs.webkit.org/show_bug.cgi?id=196305
1821         <rdar://problem/49387382>
1822
1823         Reviewed by Saam Barati.
1824
1825         JSC::createError assumes that `errorDescriptionForValue` will either
1826         throw an exception or return a valid description string. However, that
1827         is not true if the value is a rope string and we successfully resolve it,
1828         but later fail to wrap the string in quotes with `tryMakeString`.
1829
1830         * runtime/ExceptionHelpers.cpp:
1831         (JSC::createError):
1832
1833 2019-03-29  Devin Rousso  <drousso@apple.com>
1834
1835         Web Inspector: add fast returns for instrumentation hooks that have no effect before a frontend is connected
1836         https://bugs.webkit.org/show_bug.cgi?id=196382
1837         <rdar://problem/49403417>
1838
1839         Reviewed by Joseph Pecoraro.
1840
1841         Ensure that all instrumentation hooks use `FAST_RETURN_IF_NO_FRONTENDS` or check that
1842         `developerExtrasEnabled`. There should be no activity to/from any inspector objects until
1843         developer extras are enabled.
1844
1845         * inspector/agents/InspectorConsoleAgent.cpp:
1846         (Inspector::InspectorConsoleAgent::startTiming):
1847         (Inspector::InspectorConsoleAgent::stopTiming):
1848         (Inspector::InspectorConsoleAgent::count):
1849         (Inspector::InspectorConsoleAgent::addConsoleMessage):
1850
1851 2019-03-29  Cathie Chen  <cathiechen@igalia.com>
1852
1853         Implement ResizeObserver.
1854         https://bugs.webkit.org/show_bug.cgi?id=157743
1855
1856         Reviewed by Simon Fraser.
1857
1858         Add ENABLE_RESIZE_OBSERVER.
1859
1860         * Configurations/FeatureDefines.xcconfig:
1861
1862 2019-03-28  Michael Saboff  <msaboff@apple.com>
1863
1864         [YARR] Precompute BMP / non-BMP status when constructing character classes
1865         https://bugs.webkit.org/show_bug.cgi?id=196296
1866
1867         Reviewed by Keith Miller.
1868
1869         Changed CharacterClass::m_hasNonBMPCharacters into a character width bit field which
1870         indicates if the class includes characters from either BMP, non-BMP or both ranges.
1871         This allows the recognizing code to eliminate checks for the width of a matched
1872         character when the class has only one width.  The character width is needed to
1873         determine if we advance 1 or 2 characters.  Also, the pre-computed width of character
1874         classes that contain either all BMP or all non-BMP characters allows the parser to
1875         use fixed widths for terms using those character classes.  Changed both the code gen
1876         scripts and Yarr compiler to compute this bit field during the construction of
1877         character classes.
1878
1879         For JIT'ed code of character classes that contain either all BMP or all non-BMP
1880         characters, we can eliminate the generic check we were doing to compute how much
1881         to advance after successfully matching a character in the class.
1882
1883                 Generic isBMP check      BMP only            non-BMP only
1884                 --------------           --------------      --------------
1885                 inc %r9d                 inc %r9d            add $0x2, %r9d
1886                 cmp $0x10000, %eax
1887                 jl isBMP
1888                 cmp %edx, %esi
1889                 jz atEndOfString
1890                 inc %r9d
1891                 inc %esi
1892          isBMP:
1893
1894         For character classes that contained non-BMP characters, we were always generating
1895         the code in the left column.  The middle column is the code we generate for character
1896         classes that contain only BMP characters.  The right column is the code we now
1897         generate if the character class has only non-BMP characters.  In the fixed width cases,
1898         we can eliminate both the isBMP check as well as the atEndOfString check.  The
1899         atEndOfString check is eliminated since we know how many characters this character
1900         class requires and that check can be factored out to the beginning of the current
1901         alternative.  For character classes that contain both BMP and non-BMP characters,
1902         we still generate the generic left column.
1903
1904         This change is a ~8% perf progression on UniPoker and a ~2% improvement on RexBench
1905         as a whole.
1906
1907         * runtime/RegExp.cpp:
1908         (JSC::RegExp::matchCompareWithInterpreter):
1909         * runtime/RegExpInlines.h:
1910         (JSC::RegExp::matchInline):
1911         * yarr/YarrInterpreter.cpp:
1912         (JSC::Yarr::Interpreter::checkCharacterClassDontAdvanceInputForNonBMP):
1913         (JSC::Yarr::Interpreter::matchCharacterClass):
1914         * yarr/YarrJIT.cpp:
1915         (JSC::Yarr::YarrGenerator::optimizeAlternative):
1916         (JSC::Yarr::YarrGenerator::matchCharacterClass):
1917         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
1918         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1919         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1920         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1921         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1922         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
1923         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
1924         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1925         (JSC::Yarr::YarrGenerator::generateEnter):
1926         (JSC::Yarr::YarrGenerator::YarrGenerator):
1927         (JSC::Yarr::YarrGenerator::compile):
1928         * yarr/YarrPattern.cpp:
1929         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1930         (JSC::Yarr::CharacterClassConstructor::reset):
1931         (JSC::Yarr::CharacterClassConstructor::charClass):
1932         (JSC::Yarr::CharacterClassConstructor::addSorted):
1933         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1934         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
1935         (JSC::Yarr::CharacterClassConstructor::characterWidths):
1936         (JSC::Yarr::PatternTerm::dump):
1937         (JSC::Yarr::anycharCreate):
1938         * yarr/YarrPattern.h:
1939         (JSC::Yarr::operator|):
1940         (JSC::Yarr::operator&):
1941         (JSC::Yarr::operator|=):
1942         (JSC::Yarr::CharacterClass::CharacterClass):
1943         (JSC::Yarr::CharacterClass::hasNonBMPCharacters):
1944         (JSC::Yarr::CharacterClass::hasOneCharacterSize):
1945         (JSC::Yarr::CharacterClass::hasOnlyNonBMPCharacters):
1946         (JSC::Yarr::PatternTerm::invert const):
1947         (JSC::Yarr::PatternTerm::invert): Deleted.
1948         * yarr/create_regex_tables:
1949         * yarr/generateYarrUnicodePropertyTables.py:
1950
1951 2019-03-28  Saam Barati  <sbarati@apple.com>
1952
1953         BackwardsGraph needs to consider back edges as the backward's root successor
1954         https://bugs.webkit.org/show_bug.cgi?id=195991
1955
1956         Reviewed by Filip Pizlo.
1957
1958         * b3/testb3.cpp:
1959         (JSC::B3::testInfiniteLoopDoesntCauseBadHoisting):
1960         (JSC::B3::run):
1961
1962 2019-03-28  Fujii Hironori  <Hironori.Fujii@sony.com>
1963
1964         Opcode.h(159,27): warning: adding 'unsigned int' to a string does not append to the string [-Wstring-plus-int]
1965         https://bugs.webkit.org/show_bug.cgi?id=196343
1966
1967         Reviewed by Saam Barati.
1968
1969         Clang reports a compilation warning and recommends '&PADDING_STRING[PADDING_STRING_LENGTH]'
1970         instead of 'PADDING_STRING + PADDING_STRING_LENGTH'.
1971
1972         * bytecode/Opcode.cpp:
1973         (JSC::padOpcodeName): Moved padOpcodeName from Opcode.h because
1974         this function is used only in Opcode.cpp. Changed macros
1975         PADDING_STRING and PADDING_STRING_LENGTH to simple variables.
1976         (JSC::compareOpcodePairIndices): Replaced pair with std::pair.
1977         * bytecode/Opcode.h:
1978         (JSC::padOpcodeName): Moved.
1979
1980 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
1981
1982         CodeBlock::jettison() should disallow repatching its own calls
1983         https://bugs.webkit.org/show_bug.cgi?id=196359
1984         <rdar://problem/48973663>
1985
1986         Reviewed by Saam Barati.
1987
1988         CodeBlock::jettison() calls CommonData::invalidate, which replaces the `hlt`
1989         instruction with the jump to OSR exit. However, if the `hlt` was immediately
1990         followed by a call to the CodeBlock being jettisoned, we would write over the
1991         OSR exit address while unlinking all the incoming CallLinkInfos later in
1992         CodeBlock::jettison().
1993
1994         Change it so that we set a flag, `clearedByJettison`, in all the CallLinkInfos
1995         owned by the CodeBlock being jettisoned. If the flag is set, we will avoid
1996         repatching the call during unlinking. This is safe because this call will never
1997         be reachable again after the CodeBlock is jettisoned.
1998
1999         * bytecode/CallLinkInfo.cpp:
2000         (JSC::CallLinkInfo::CallLinkInfo):
2001         (JSC::CallLinkInfo::setCallee):
2002         (JSC::CallLinkInfo::clearCallee):
2003         (JSC::CallLinkInfo::setCodeBlock):
2004         (JSC::CallLinkInfo::clearCodeBlock):
2005         * bytecode/CallLinkInfo.h:
2006         (JSC::CallLinkInfo::clearedByJettison):
2007         (JSC::CallLinkInfo::setClearedByJettison):
2008         * bytecode/CodeBlock.cpp:
2009         (JSC::CodeBlock::jettison):
2010         * jit/Repatch.cpp:
2011         (JSC::revertCall):
2012
2013 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2014
2015         [JSC] Drop VM and Context cache map in JavaScriptCore.framework
2016         https://bugs.webkit.org/show_bug.cgi?id=196341
2017
2018         Reviewed by Saam Barati.
2019
2020         Previously, we created an Objective-C weak map to maintain JSVirtualMachine and JSContext wrappers corresponding to VM and JSGlobalObject.
2021         But Objective-C weak maps are really memory costly. Even if it holds only one entry, each weak map consumes 2.5KB. Since we can modify
2022         JSC intrusively for JavaScriptCore.framework (and we already do, e.g. holding JSWrapperMap in JSGlobalObject), we can just hold
2023         a pointer to a wrapper in VM and JSGlobalObject.
2024
2025         This patch adds void* members to VM and JSGlobalObject, which hold a non-strong reference to a wrapper. When a wrapper is gone, we
2026         clear this pointer too. This removes two unnecessary Objective-C weak maps, and saves 5KB.
2027
2028         * API/JSContext.mm:
2029         (-[JSContext initWithVirtualMachine:]):
2030         (-[JSContext dealloc]):
2031         (-[JSContext initWithGlobalContextRef:]):
2032         (-[JSContext wrapperMap]):
2033         (+[JSContext contextWithJSGlobalContextRef:]):
2034         * API/JSVirtualMachine.mm:
2035         (-[JSVirtualMachine initWithContextGroupRef:]):
2036         (-[JSVirtualMachine dealloc]):
2037         (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
2038         (scanExternalObjectGraph):
2039         (scanExternalRememberedSet):
2040         (initWrapperCache): Deleted.
2041         (wrapperCache): Deleted.
2042         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Deleted.
2043         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Deleted.
2044         (-[JSVirtualMachine contextForGlobalContextRef:]): Deleted.
2045         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Deleted.
2046         * API/JSVirtualMachineInternal.h:
2047         * runtime/JSGlobalObject.h:
2048         (JSC::JSGlobalObject::setAPIWrapper):
2049         (JSC::JSGlobalObject::apiWrapper const):
2050         * runtime/VM.h:
2051
2052 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2053
2054         In-memory code cache should not share bytecode across domains
2055         https://bugs.webkit.org/show_bug.cgi?id=196321
2056
2057         Reviewed by Geoffrey Garen.
2058
2059         Use the SourceProvider's URL to make sure that the hosts match for the
2060         two SourceCodeKeys in operator==.
2061
2062         * parser/SourceCodeKey.h:
2063         (JSC::SourceCodeKey::host const):
2064         (JSC::SourceCodeKey::operator== const):
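
As an added illustration of the point in the entry above (this is example code, not JavaScriptCore's SourceCodeKey), the cache key below carries the host derived from the script's URL, so that identical source text served by two different hosts never resolves to the same cached entry. The names CacheKey, hostOf, BytecodeCache and lookupOrCompile are hypothetical; the stored int stands in for compiled bytecode so a hit can be told from a miss. hostOf is a deliberately small URL parser (no IPv6 literal support) that matches on host only, without port or scheme, which is the same granularity the entry describes.

```cpp
// Added example, not WebKit code: a bytecode cache key that includes the host.
#include <cstddef>
#include <functional>
#include <string>
#include <unordered_map>
#include <utility>

// Extract the host from a URL of the form scheme://[userinfo@]host[:port]/path.
// Returns an empty string for URLs without an authority (e.g. data: URLs).
// Simplification: IPv6 literals in brackets are not handled.
std::string hostOf(const std::string& url) {
    std::size_t schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos)
        return "";
    std::size_t hostStart = schemeEnd + 3;
    std::size_t authorityEnd = url.find_first_of("/?#", hostStart);
    if (authorityEnd == std::string::npos)
        authorityEnd = url.size();
    std::string authority = url.substr(hostStart, authorityEnd - hostStart);
    std::size_t at = authority.rfind('@');          // drop userinfo
    if (at != std::string::npos)
        authority = authority.substr(at + 1);
    std::size_t colon = authority.find(':');        // drop port
    if (colon != std::string::npos)
        authority = authority.substr(0, colon);
    return authority;
}

// Hypothetical cache key. Before the fix described above, a key like this
// compared only the source text (and flags); the host field is what stops
// one origin from being handed bytecode compiled for another.
struct CacheKey {
    std::string source;   // script text
    std::string host;     // derived from the provider's URL
    bool strictMode;      // one of the other attributes a real key must carry

    bool operator==(const CacheKey& other) const {
        return source == other.source && host == other.host && strictMode == other.strictMode;
    }
};

struct CacheKeyHash {
    std::size_t operator()(const CacheKey& k) const {
        std::size_t h = std::hash<std::string>()(k.source);
        h ^= std::hash<std::string>()(k.host) + 0x9e3779b9 + (h << 6) + (h >> 2);
        h ^= (k.strictMode ? 1u : 0u) + 0x9e3779b9 + (h << 6) + (h >> 2);
        return h;
    }
};

class BytecodeCache {
public:
    // Returns the cached "bytecode" id for (url, source, strictMode), assigning
    // a fresh id on a miss. Equal ids mean the entry was shared.
    int lookupOrCompile(const std::string& url, const std::string& source, bool strictMode) {
        CacheKey key { source, hostOf(url), strictMode };
        auto it = m_entries.find(key);
        if (it != m_entries.end())
            return it->second;
        int id = m_nextId++;
        m_entries.emplace(std::move(key), id);
        return id;
    }
    std::size_t size() const { return m_entries.size(); }

private:
    std::unordered_map<CacheKey, int, CacheKeyHash> m_entries;
    int m_nextId = 1;
};

// Check: the same script from two hosts yields two entries, while the same
// host on a different path or port reuses the first entry.
bool cacheIsolatesHosts() {
    BytecodeCache cache;
    int a = cache.lookupOrCompile("https://example.com/app.js", "f()", false);
    int b = cache.lookupOrCompile("https://evil.example.net/app.js", "f()", false);
    int c = cache.lookupOrCompile("https://example.com:443/other.js", "f()", false);
    return a != b && a == c && cache.size() == 2;
}
```

The host is folded into both operator== and the hash; forgetting either one would let two keys compare unequal yet still collide, or vice versa.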
2065
2066 2019-03-28  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2067
2068         Silence lot of warnings when compiling with clang
2069         https://bugs.webkit.org/show_bug.cgi?id=196310
2070
2071         Reviewed by Michael Catanzaro.
2072
2073         Initialize variable with default constructor.
2074
2075         * API/glib/JSCOptions.cpp:
2076         (jsc_options_foreach):
2077
2078 2019-03-27  Saam Barati  <sbarati@apple.com>
2079
2080         validateOSREntryValue with Int52 should box the value being checked into double format
2081         https://bugs.webkit.org/show_bug.cgi?id=196313
2082         <rdar://problem/49306703>
2083
2084         Reviewed by Yusuke Suzuki.
2085
2086         * dfg/DFGOSREntry.cpp:
2087         (JSC::DFG::prepareOSREntry):
2088         * ftl/FTLLowerDFGToB3.cpp:
2089         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2090
2091 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2092
2093         [JSC] Owner of watchpoints should validate at GC finalizing phase
2094         https://bugs.webkit.org/show_bug.cgi?id=195827
2095
2096         Reviewed by Filip Pizlo.
2097
2098         This patch fixes JSC's watchpoint liveness issue by applying the following two policies.
2099
2100         1. Watchpoints should have an owner cell, and the "fire" operation should be guarded with the owner cell's isLive check.
2101
2102         Watchpoints should hold their owner cell, and the fire procedure should be guarded by `owner->isLive()`.
2103         When the owner cell is destroyed, these watchpoints are destroyed too. But this destruction can
2104         be delayed due to the incremental sweeper. So the following condition can happen.
2105
2106         Suppose we have a watchpoint like the following.
2107
2108             class XXXWatchpoint {
2109                 ObjectPropertyCondition m_key;
2110                 JSCell* m_owner;
2111             };
2112
2113         Both m_key's cell and m_owner are now unreachable from the root. So eventually, m_owner cell's destructor
2114         is called and this watchpoint will be destroyed. But before that, m_key's cell can be destroyed. And this
2115         watchpoint's fire procedure can be called since m_owner's destructor has not been called yet. In this situation,
2116         we encounter the destroyed cell held in m_key. This problem can be avoided if we guard the fire procedure with
2117         `m_owner->isLive()`. Until the owner cell is destroyed, this guard avoids "fire" procedure execution. And
2118         once the destructor of m_owner is called, this watchpoint will be destroyed too.
2119
2120         2. Watchpoint liveness should be maintained by the owner cell's unconditional finalizer
2121
2122         Watchpoints often hold weak references to other cells (like m_key in the above example). If we do not
2123         delete watchpoints with dead cells when these weakly held cells become dead, these watchpoints continue holding dead cells,
2124         and the watchpoint's fire operation can use these dead cells accidentally. An isLive / isStillLive check for these weak cells
2125         in the fire operation is not useful, because these dead cells can eventually be reused for other live cells, and these
2126         isLive / isStillLive checks fail to see whether these cells are live if they have been reused. The appropriate way is deleting watchpoints
2127         with dead cells when finalizing GC. In this patch, we do this in the unconditional finalizers of the owner cells of watchpoints.
2128         We already did this in CodeBlock etc. We add the same thing to StructureRareData, which owns watchpoints for toString operations.
2128         We already did this in CodeBlock etc. We add the same thing to StructureRareData which owns watchpoints for toString operations.
2129
2130         * JavaScriptCore.xcodeproj/project.pbxproj:
2131         * Sources.txt:
2132         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2133         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::StructureWatchpoint): Deleted.
2134         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::PropertyWatchpoint): Deleted.
2135         * bytecode/CodeBlockJettisoningWatchpoint.h:
2136         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): Deleted.
2137         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2138         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
2139         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2140         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2141         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): Deleted.
2142         * bytecode/StructureStubClearingWatchpoint.cpp:
2143         (JSC::StructureStubClearingWatchpoint::fireInternal):
2144         (JSC::WatchpointsOnStructureStubInfo::isValid const):
2145         * bytecode/StructureStubClearingWatchpoint.h:
2146         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): Deleted.
2147         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2148         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::isValid const):
2149         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
2150         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2151         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2152         * dfg/DFGAdaptiveStructureWatchpoint.h:
2153         (JSC::DFG::AdaptiveStructureWatchpoint::key const): Deleted.
2154         * dfg/DFGDesiredWatchpoints.cpp:
2155         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2156         * heap/Heap.cpp:
2157         (JSC::Heap::finalizeUnconditionalFinalizers):
2158         * llint/LLIntSlowPaths.cpp:
2159         (JSC::LLInt::setupGetByIdPrototypeCache):
2160         * runtime/ArrayBuffer.cpp:
2161         (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
2162         * runtime/ArrayBufferNeuteringWatchpointSet.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp.
2163         (JSC::ArrayBufferNeuteringWatchpointSet::ArrayBufferNeuteringWatchpointSet):
2164         (JSC::ArrayBufferNeuteringWatchpointSet::destroy):
2165         (JSC::ArrayBufferNeuteringWatchpointSet::create):
2166         (JSC::ArrayBufferNeuteringWatchpointSet::createStructure):
2167         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
2168         * runtime/ArrayBufferNeuteringWatchpointSet.h: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h.
2169         * runtime/FunctionRareData.h:
2170         * runtime/JSGlobalObject.cpp:
2171         (JSC::JSGlobalObject::init):
2172         (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
2173         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
2174         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint): Deleted.
2175         * runtime/StructureRareData.cpp:
2176         (JSC::StructureRareData::finalizeUnconditionally):
2177         * runtime/StructureRareData.h:
2178         * runtime/VM.cpp:
2179         (JSC::VM::VM):
2180
2181 2019-03-26  Saam Barati  <sbarati@apple.com>
2182
2183         FTL: Emit code to validate AI's state when running the compiled code
2184         https://bugs.webkit.org/show_bug.cgi?id=195924
2185         <rdar://problem/49003422>
2186
2187         Reviewed by Filip Pizlo.
2188
2189         This patch adds code, run between the execution of each node, that validates
2190         the types that AI proves. This option is too expensive to turn on for our
2191         regression testing, but we think it will be valuable in other types of running
2192         modes, such as when running with a fuzzer.
2193         
2194         This patch also adds options to only probabilistically run this validation
2195         after the execution of each node. As the probability is lowered, there is
2196         less of a perf hit.
2197         
2198         This patch just adds this validation in the FTL. A follow-up patch will land
2199         it in the DFG too: https://bugs.webkit.org/show_bug.cgi?id=196219
2200
2201         * ftl/FTLLowerDFGToB3.cpp:
2202         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2203         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
2204         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2205         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2206         (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
2207         * runtime/Options.h:
2208
2209 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
2210
2211         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
2212         https://bugs.webkit.org/show_bug.cgi?id=196217
2213
2214         Reviewed by Saam Barati.
2215
2216         Generalize the fix for f32.max from r243446, which properly handles NaN by doing an extra GreaterThan
2217         comparison, to all min and max float operations.
2218
2219         * wasm/WasmAirIRGenerator.cpp:
2220         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2221         (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax):
2222         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2223         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2224         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2225         * wasm/wasm.json:
2226
2227 2019-03-26  Andy VanWagoner  <andy@vanwagoner.family>
2228
2229         Intl.DateTimeFormat should obey 2-digit hour
2230         https://bugs.webkit.org/show_bug.cgi?id=195974
2231
2232         Reviewed by Keith Miller.
2233
2234         * runtime/IntlDateTimeFormat.cpp:
2235         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2236
2237 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2238
2239         Heap::isMarked and friends should be instance methods
2240         https://bugs.webkit.org/show_bug.cgi?id=179988
2241
2242         Reviewed by Saam Barati.
2243
2244         Almost all the callers of Heap::isMarked have a VM& reference. We should make Heap::isMarked an instance function instead of a static function
2245         so that we do not need to look up the Heap from the cell.
2246
2247         * API/JSAPIWrapperObject.mm:
2248         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2249         * API/JSMarkingConstraintPrivate.cpp:
2250         (JSC::isMarked):
2251         * API/glib/JSAPIWrapperObjectGLib.cpp:
2252         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2253         * builtins/BuiltinExecutables.cpp:
2254         (JSC::BuiltinExecutables::finalizeUnconditionally):
2255         * bytecode/AccessCase.cpp:
2256         (JSC::AccessCase::visitWeak const):
2257         (JSC::AccessCase::propagateTransitions const):
2258         * bytecode/CallLinkInfo.cpp:
2259         (JSC::CallLinkInfo::visitWeak):
2260         * bytecode/CallLinkStatus.cpp:
2261         (JSC::CallLinkStatus::finalize):
2262         * bytecode/CallLinkStatus.h:
2263         * bytecode/CallVariant.cpp:
2264         (JSC::CallVariant::finalize):
2265         * bytecode/CallVariant.h:
2266         * bytecode/CodeBlock.cpp:
2267         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
2268         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2269         (JSC::shouldMarkTransition):
2270         (JSC::CodeBlock::propagateTransitions):
2271         (JSC::CodeBlock::determineLiveness):
2272         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2273         (JSC::CodeBlock::finalizeUnconditionally):
2274         (JSC::CodeBlock::jettison):
2275         * bytecode/CodeBlock.h:
2276         * bytecode/ExecutableToCodeBlockEdge.cpp:
2277         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2278         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
2279         (JSC::ExecutableToCodeBlockEdge::runConstraint):
2280         * bytecode/GetByIdStatus.cpp:
2281         (JSC::GetByIdStatus::finalize):
2282         * bytecode/GetByIdStatus.h:
2283         * bytecode/GetByIdVariant.cpp:
2284         (JSC::GetByIdVariant::finalize):
2285         * bytecode/GetByIdVariant.h:
2286         * bytecode/InByIdStatus.cpp:
2287         (JSC::InByIdStatus::finalize):
2288         * bytecode/InByIdStatus.h:
2289         * bytecode/InByIdVariant.cpp:
2290         (JSC::InByIdVariant::finalize):
2291         * bytecode/InByIdVariant.h:
2292         * bytecode/ObjectPropertyCondition.cpp:
2293         (JSC::ObjectPropertyCondition::isStillLive const):
2294         * bytecode/ObjectPropertyCondition.h:
2295         * bytecode/ObjectPropertyConditionSet.cpp:
2296         (JSC::ObjectPropertyConditionSet::areStillLive const):
2297         * bytecode/ObjectPropertyConditionSet.h:
2298         * bytecode/PolymorphicAccess.cpp:
2299         (JSC::PolymorphicAccess::visitWeak const):
2300         * bytecode/PropertyCondition.cpp:
2301         (JSC::PropertyCondition::isStillLive const):
2302         * bytecode/PropertyCondition.h:
2303         * bytecode/PutByIdStatus.cpp:
2304         (JSC::PutByIdStatus::finalize):
2305         * bytecode/PutByIdStatus.h:
2306         * bytecode/PutByIdVariant.cpp:
2307         (JSC::PutByIdVariant::finalize):
2308         * bytecode/PutByIdVariant.h:
2309         * bytecode/RecordedStatuses.cpp:
2310         (JSC::RecordedStatuses::finalizeWithoutDeleting):
2311         (JSC::RecordedStatuses::finalize):
2312         * bytecode/RecordedStatuses.h:
2313         * bytecode/StructureSet.cpp:
2314         (JSC::StructureSet::isStillAlive const):
2315         * bytecode/StructureSet.h:
2316         * bytecode/StructureStubInfo.cpp:
2317         (JSC::StructureStubInfo::visitWeakReferences):
2318         * dfg/DFGPlan.cpp:
2319         (JSC::DFG::Plan::finalizeInGC):
2320         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2321         * heap/GCIncomingRefCounted.h:
2322         * heap/GCIncomingRefCountedInlines.h:
2323         (JSC::GCIncomingRefCounted<T>::filterIncomingReferences):
2324         * heap/GCIncomingRefCountedSet.h:
2325         * heap/GCIncomingRefCountedSetInlines.h:
2326         (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
2327         (JSC::GCIncomingRefCountedSet<T>::sweep):
2328         (JSC::GCIncomingRefCountedSet<T>::removeAll): Deleted.
2329         (JSC::GCIncomingRefCountedSet<T>::removeDead): Deleted.
2330         * heap/Heap.cpp:
2331         (JSC::Heap::addToRememberedSet):
2332         (JSC::Heap::runEndPhase):
2333         (JSC::Heap::sweepArrayBuffers):
2334         (JSC::Heap::addCoreConstraints):
2335         * heap/Heap.h:
2336         * heap/HeapInlines.h:
2337         (JSC::Heap::isMarked):
2338         * heap/HeapSnapshotBuilder.cpp:
2339         (JSC::HeapSnapshotBuilder::appendNode):
2340         * heap/SlotVisitor.cpp:
2341         (JSC::SlotVisitor::appendToMarkStack):
2342         (JSC::SlotVisitor::visitChildren):
2343         * jit/PolymorphicCallStubRoutine.cpp:
2344         (JSC::PolymorphicCallStubRoutine::visitWeak):
2345         * runtime/ErrorInstance.cpp:
2346         (JSC::ErrorInstance::finalizeUnconditionally):
2347         * runtime/InferredValueInlines.h:
2348         (JSC::InferredValue::finalizeUnconditionally):
2349         * runtime/StackFrame.h:
2350         (JSC::StackFrame::isMarked const):
2351         * runtime/Structure.cpp:
2352         (JSC::Structure::isCheapDuringGC):
2353         (JSC::Structure::markIfCheap):
2354         * runtime/Structure.h:
2355         * runtime/TypeProfiler.cpp:
2356         (JSC::TypeProfiler::invalidateTypeSetCache):
2357         * runtime/TypeProfiler.h:
2358         * runtime/TypeSet.cpp:
2359         (JSC::TypeSet::invalidateCache):
2360         * runtime/TypeSet.h:
2361         * runtime/WeakMapImpl.cpp:
2362         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
2363         * runtime/WeakMapImplInlines.h:
2364         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
2365
2366 2019-03-25  Keith Miller  <keith_miller@apple.com>
2367
2368         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
2369         https://bugs.webkit.org/show_bug.cgi?id=196176
2370
2371         Reviewed by Saam Barati.
2372
2373         convertToCompareEqPtr should allow for either CompareStrictEq or
2374         the SameValue DFG node. This fixes the old assertion that only
2375         allowed CompareStrictEq.
2376
2377         * dfg/DFGNode.h:
2378         (JSC::DFG::Node::convertToCompareEqPtr):
2379
2380 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
2381
2382         WebAssembly: f32.max with NaN generates incorrect result
2383         https://bugs.webkit.org/show_bug.cgi?id=175691
2384         <rdar://problem/33952228>
2385
2386         Reviewed by Saam Barati.
2387
2388         Fix the B3 and Air compilation for f32.max. In order to handle the NaN
2389         case, we need an extra GreaterThan comparison on top of the existing
2390         Equal and LessThan ones.
2391
2392         * wasm/WasmAirIRGenerator.cpp:
2393         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2394         * wasm/wasm.json:
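
As an added example covering both this entry and the f32.min / f64.min / f64.max follow-up above (example code, not WebKit's B3 or Air lowering), the functions below build WebAssembly's min and max from only Equal, LessThan and GreaterThan comparisons, which is the three-comparison shape those entries describe. When none of the three comparisons holds, at least one operand is NaN and NaN is returned; when Equal holds, the only way the operands can still differ is the sign of zero, which the Wasm spec resolves as max(-0, +0) = +0 and min(-0, +0) = -0. wasmMax, wasmMin and naiveMax are hypothetical names; naiveMax is a compare-and-select written to show how a NaN can leak through when there is no third comparison.

```cpp
// Added example, not WebKit code: Wasm float min/max from three comparisons.
#include <cmath>
#include <limits>

// Compare-and-select with no NaN handling: with (1, NaN) the LessThan is
// false, so the non-NaN operand is returned, violating Wasm semantics.
template <typename T>
T naiveMax(T a, T b) {
    return a < b ? b : a;
}

// Wasm f32.max / f64.max: NaN if either side is NaN, +0 beats -0.
template <typename T>
T wasmMax(T a, T b) {
    if (a == b)                          // Equal: values agree except possibly the zero sign
        return std::signbit(a) ? b : a;  // prefer the non-negative zero
    if (a < b)                           // LessThan
        return b;
    if (a > b)                           // GreaterThan: the extra comparison from the fix
        return a;
    return std::numeric_limits<T>::quiet_NaN();  // unordered: at least one NaN
}

// Wasm f32.min / f64.min: NaN if either side is NaN, -0 beats +0.
template <typename T>
T wasmMin(T a, T b) {
    if (a == b)
        return std::signbit(a) ? a : b;  // prefer the negative zero
    if (a < b)
        return a;
    if (a > b)
        return b;
    return std::numeric_limits<T>::quiet_NaN();
}
```

Because IEEE comparisons with a NaN operand are all false, Equal and LessThan alone cannot distinguish "a is greater" from "one side is NaN"; the GreaterThan comparison is what separates those two cases so the unordered case can fall through to a NaN result. Compiling with fast-math style flags would invalidate this reasoning, since they permit the compiler to assume NaN never occurs.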
2395
2396 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2397
2398         Unreviewed, speculative fix for CLoop build on CPU(UNKNOWN)
2399         https://bugs.webkit.org/show_bug.cgi?id=195982
2400
2401         * jit/ExecutableAllocator.h:
2402         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2403
2404 2019-03-25  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2405
2406         Remove NavigatorContentUtils in WebCore/Modules
2407         https://bugs.webkit.org/show_bug.cgi?id=196070
2408
2409         Reviewed by Alex Christensen.
2410
2411         NavigatorContentUtils was there to support the custom scheme spec [1].
2412         However, on the WebKit side, no port has supported the feature in the
2413         WebKit layer since the EFL port was removed. So there has been only the
2414         IDL implementation of NavigatorContentUtils in WebCore, and we don't
2415         need to keep the implementation in WebCore anymore.
2416
2417         [1] https://html.spec.whatwg.org/multipage/system-state.html#custom-handlers
2418
2419         * Configurations/FeatureDefines.xcconfig:
2420
2421 2019-03-23  Mark Lam  <mark.lam@apple.com>
2422
2423         Rolling out r243032 and r243071 because the fix is incorrect.
2424         https://bugs.webkit.org/show_bug.cgi?id=195892
2425         <rdar://problem/48981239>
2426
2427         Not reviewed.
2428
2429         The fix is incorrect: it relies on being able to determine liveness of an object
2430         in an ObjectPropertyCondition based on the state of the object's MarkedBit.
2431         However, there's no guarantee that GC has run and that the MarkedBit is already
2432         set even if the object is live.  As a result, we may not re-install adaptive
2433         watchpoints based on presumed dead objects which are actually live.
2434
2435         I'm rolling this out, and will implement a more comprehensive fix to handle
2436         watchpoint liveness later.
2437
2438         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2439         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2440         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2441         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2442         * bytecode/ObjectPropertyCondition.cpp:
2443         (JSC::ObjectPropertyCondition::dumpInContext const):
2444         * bytecode/StructureStubClearingWatchpoint.cpp:
2445         (JSC::StructureStubClearingWatchpoint::fireInternal):
2446         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2447         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2448         * runtime/StructureRareData.cpp:
2449         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2450
2451 2019-03-23  Keith Miller  <keith_miller@apple.com>
2452
2453         Refactor clz/ctz and fix getLSBSet.
2454         https://bugs.webkit.org/show_bug.cgi?id=196162
2455
2456         Reviewed by Saam Barati.
2457
2458         Refactor references of clz32/64 and ctz32 to use clz and ctz,
2459         respectively.
2460
2461         * dfg/DFGAbstractInterpreterInlines.h:
2462         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2463         * dfg/DFGOperations.cpp:
2464         * runtime/JSBigInt.cpp:
2465         (JSC::JSBigInt::digitDiv):
2466         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
2467         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2468         (JSC::JSBigInt::toStringBasePowerOfTwo):
2469         (JSC::JSBigInt::compareToDouble):
2470         * runtime/MathObject.cpp:
2471         (JSC::mathProtoFuncClz32):
2472
2473 2019-03-23  Yusuke Suzuki  <ysuzuki@apple.com>
2474
2475         [JSC] Shrink sizeof(RegExp)
2476         https://bugs.webkit.org/show_bug.cgi?id=196133
2477
2478         Reviewed by Mark Lam.
2479
2480         Some applications have many RegExp cells. But RegExp cells are very large (144B).
2481         This patch reduces the size from 144B to 48B by:
2482
2483         1. Allocate Yarr::YarrCodeBlock in non-GC heap. We can avoid this allocation if JIT is disabled.
2484         2. m_captureGroupNames and m_namedGroupToParenIndex are moved to RareData. They are only used when RegExp has named capture groups.
2485
2486         * runtime/RegExp.cpp:
2487         (JSC::RegExp::finishCreation):
2488         (JSC::RegExp::estimatedSize):
2489         (JSC::RegExp::compile):
2490         (JSC::RegExp::matchConcurrently):
2491         (JSC::RegExp::compileMatchOnly):
2492         (JSC::RegExp::deleteCode):
2493         (JSC::RegExp::printTraceData):
2494         * runtime/RegExp.h:
2495         * runtime/RegExpInlines.h:
2496         (JSC::RegExp::hasCodeFor):
2497         (JSC::RegExp::matchInline):
2498         (JSC::RegExp::hasMatchOnlyCodeFor):
2499
2500 2019-03-22  Keith Rollin  <krollin@apple.com>
2501
2502         Enable ThinLTO support in Production builds
2503         https://bugs.webkit.org/show_bug.cgi?id=190758
2504         <rdar://problem/45413233>
2505
2506         Reviewed by Daniel Bates.
2507
2508         Tweak JavaScriptCore's Base.xcconfig to be more in-line with other
2509         .xcconfig files with regards to LTO settings. However, don't actually
2510         enable LTO for JavaScriptCore. LTO is not enabled for JavaScriptCore
2511         due to <rdar://problem/24543547>.
2512
2513         * Configurations/Base.xcconfig:
2514
2515 2019-03-22  Mark Lam  <mark.lam@apple.com>
2516
2517         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
2518         https://bugs.webkit.org/show_bug.cgi?id=196154
2519         <rdar://problem/49145307>
2520
2521         Reviewed by Filip Pizlo.
2522
2523         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2524         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2525
2526 2019-03-22  Mark Lam  <mark.lam@apple.com>
2527
2528         Placate exception check validation in constructJSWebAssemblyLinkError().
2529         https://bugs.webkit.org/show_bug.cgi?id=196152
2530         <rdar://problem/49145257>
2531
2532         Reviewed by Michael Saboff.
2533
2534         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2535         (JSC::constructJSWebAssemblyLinkError):
2536
2537 2019-03-22  Timothy Hatcher  <timothy@apple.com>
2538
2539         Change macosx() to macos() in WK_API... and JSC_API... macros.
2540         https://bugs.webkit.org/show_bug.cgi?id=196106
2541
2542         Reviewed by Brian Burg.
2543
2544         * API/JSBasePrivate.h:
2545         * API/JSContext.h:
2546         * API/JSContextPrivate.h:
2547         * API/JSContextRef.h:
2548         * API/JSContextRefInternal.h:
2549         * API/JSContextRefPrivate.h:
2550         * API/JSManagedValue.h:
2551         * API/JSObjectRef.h:
2552         * API/JSObjectRefPrivate.h:
2553         * API/JSRemoteInspector.h:
2554         * API/JSScript.h:
2555         * API/JSTypedArray.h:
2556         * API/JSValue.h:
2557         * API/JSValuePrivate.h:
2558         * API/JSValueRef.h:
2559         * API/JSVirtualMachinePrivate.h:
2560
2561 2019-03-22  Yusuke Suzuki  <ysuzuki@apple.com>
2562
2563         Unreviewed, build fix for Windows
2564         https://bugs.webkit.org/show_bug.cgi?id=196122
2565
2566         * runtime/FunctionExecutable.cpp:
2567
2568 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2569
2570         [JSC] Shrink sizeof(FunctionExecutable) by 16bytes
2571         https://bugs.webkit.org/show_bug.cgi?id=196122
2572
2573         Reviewed by Saam Barati.
2574
2575         This patch reduces sizeof(FunctionExecutable) by 16 bytes.
2576
2577         1. ScriptExecutable::m_numParametersForCall and ScriptExecutable::m_numParametersForConstruct are not used in a meaningful way. Removed them.
2578         2. ScriptExecutable::m_lastLine and ScriptExecutable::m_endColumn can be calculated from UnlinkedFunctionExecutable. So FunctionExecutable does not need to hold them.
2579            This patch adds GlobalExecutable, the class of non-function ScriptExecutables, and moves m_lastLine and m_endColumn to this class.
2580         3. FunctionExecutable still needs to have the feature of overriding m_lastLine and m_endColumn. We move the overridden data into FunctionExecutable::RareData.
2581
2582         * CMakeLists.txt:
2583         * JavaScriptCore.xcodeproj/project.pbxproj:
2584         * Sources.txt:
2585         * bytecode/UnlinkedFunctionExecutable.cpp:
2586         (JSC::UnlinkedFunctionExecutable::link):
2587         * runtime/EvalExecutable.cpp:
2588         (JSC::EvalExecutable::EvalExecutable):
2589         * runtime/EvalExecutable.h:
2590         * runtime/FunctionExecutable.cpp:
2591         (JSC::FunctionExecutable::FunctionExecutable):
2592         (JSC::FunctionExecutable::ensureRareDataSlow):
2593         (JSC::FunctionExecutable::overrideInfo):
2594         * runtime/FunctionExecutable.h:
2595         * runtime/GlobalExecutable.cpp: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2596         * runtime/GlobalExecutable.h: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2597         (JSC::GlobalExecutable::lastLine const):
2598         (JSC::GlobalExecutable::endColumn const):
2599         (JSC::GlobalExecutable::recordParse):
2600         (JSC::GlobalExecutable::GlobalExecutable):
2601         * runtime/ModuleProgramExecutable.cpp:
2602         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2603         * runtime/ModuleProgramExecutable.h:
2604         * runtime/ProgramExecutable.cpp:
2605         (JSC::ProgramExecutable::ProgramExecutable):
2606         * runtime/ProgramExecutable.h:
2607         * runtime/ScriptExecutable.cpp:
2608         (JSC::ScriptExecutable::clearCode):
2609         (JSC::ScriptExecutable::installCode):
2610         (JSC::ScriptExecutable::hasClearableCode const):
2611         (JSC::ScriptExecutable::newCodeBlockFor):
2612         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2613         (JSC::ScriptExecutable::recordParse):
2614         (JSC::ScriptExecutable::lastLine const):
2615         (JSC::ScriptExecutable::endColumn const):
2616         * runtime/ScriptExecutable.h:
2617         (JSC::ScriptExecutable::hasJITCodeForCall const):
2618         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
2619         (JSC::ScriptExecutable::recordParse):
2620         (JSC::ScriptExecutable::lastLine const): Deleted.
2621         (JSC::ScriptExecutable::endColumn const): Deleted.
2622         * tools/FunctionOverrides.h:
2623
2624 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2625
2626         [JSC] Shrink sizeof(RegExpObject)
2627         https://bugs.webkit.org/show_bug.cgi?id=196130
2628
2629         Reviewed by Saam Barati.
2630
2631         sizeof(RegExpObject) is 48B due to one bool flag. We should compress this flag into the lower bit of the RegExp* field so that we can make RegExpObject 32B.
2632         It saves 1.3% of memory footprint in RAMification's regexp.
2633
2634         * dfg/DFGSpeculativeJIT.cpp:
2635         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2636         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
2637         * ftl/FTLAbstractHeapRepository.h:
2638         * ftl/FTLLowerDFGToB3.cpp:
2639         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2640         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2641         * runtime/RegExpObject.cpp:
2642         (JSC::RegExpObject::RegExpObject):
2643         (JSC::RegExpObject::visitChildren):
2644         (JSC::RegExpObject::getOwnPropertySlot):
2645         (JSC::RegExpObject::defineOwnProperty):
2646         * runtime/RegExpObject.h:
2647
2648 2019-03-21  Tomas Popela  <tpopela@redhat.com>
2649
2650         [JSC] Fix build after r243232 on unsupported 64bit architectures
2651         https://bugs.webkit.org/show_bug.cgi?id=196072
2652
2653         Reviewed by Keith Miller.
2654
2655         As Keith suggested, we already expect 16 free bits at the top of any
2656         pointer for JSValue even for the unsupported 64-bit arches.
2657
2658         * bytecode/CodeOrigin.h:
2659
2660 2019-03-21  Mark Lam  <mark.lam@apple.com>
2661
2662         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
2663         https://bugs.webkit.org/show_bug.cgi?id=196116
2664         <rdar://problem/48976951>
2665
2666         Reviewed by Filip Pizlo.
2667
2668         The DFG backend should not make assumptions about what optimizations the front end
2669         will or will not do.  The assertion asserts that the operand cannot be known to be
2670         a cell.  However, it is not guaranteed that the front end will fold away this case.
2671         Also, the DFG backend is perfectly capable of generating code to handle the case
2672         where the operand is a cell.
2673
2674         The attached test case demonstrates a case where the operand can be a known cell.
2675         The test needs to be run with the concurrent JIT and GC, and is racy.  It used to
2676         trip up this assertion about once every 10 runs or so.
2677
2678         * dfg/DFGSpeculativeJIT64.cpp:
2679         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2680
2681 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2682
2683         JSC::createError should clear exception thrown by errorDescriptionForValue
2684         https://bugs.webkit.org/show_bug.cgi?id=196089
2685
2686         Reviewed by Mark Lam.
2687
2688         errorDescriptionForValue returns a nullString in case of failure, but it
2689         might also throw an OOM exception when resolving a rope string. We need
2690         to clear any potential exceptions thrown by errorDescriptionForValue
2691         before returning the OOM from JSC::createError.
2692
2693         * runtime/ExceptionHelpers.cpp:
2694         (JSC::createError):
2695
2696 2019-03-21  Robin Morisset  <rmorisset@apple.com>
2697
2698         B3::Opcode can fit in a single byte, shrinking B3Value by 8 bytes
2699         https://bugs.webkit.org/show_bug.cgi?id=196014
2700
2701         Reviewed by Keith Miller.
2702
2703         B3::Opcode has fewer than one hundred cases, so it can easily fit in one byte (from two currently).
2704         This shrinks B3::Kind from 4 bytes to 2 (by removing the byte of padding at the end).
2705         This in turn eliminates padding from B3::Value, shrinking it by 8 bytes (out of 80).
2706
2707         * b3/B3Opcode.h:
2708
2709 2019-03-21  Michael Catanzaro  <mcatanzaro@igalia.com>
2710
2711         Unreviewed, more clang 3.8 build fixes
2712         https://bugs.webkit.org/show_bug.cgi?id=195947
2713         <rdar://problem/49069219>
2714
2715         In the spirit of making our code worse to please old compilers....
2716
2717         * bindings/ScriptValue.cpp:
2718         (Inspector::jsToInspectorValue):
2719         * bytecode/GetterSetterAccessCase.cpp:
2720         (JSC::GetterSetterAccessCase::create):
2721         (JSC::GetterSetterAccessCase::clone const):
2722         * bytecode/InstanceOfAccessCase.cpp:
2723         (JSC::InstanceOfAccessCase::clone const):
2724         * bytecode/IntrinsicGetterAccessCase.cpp:
2725         (JSC::IntrinsicGetterAccessCase::clone const):
2726         * bytecode/ModuleNamespaceAccessCase.cpp:
2727         (JSC::ModuleNamespaceAccessCase::clone const):
2728         * bytecode/ProxyableAccessCase.cpp:
2729         (JSC::ProxyableAccessCase::clone const):
2730
2731 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2732
2733         [JSC] Do not create JIT related data under non-JIT mode
2734         https://bugs.webkit.org/show_bug.cgi?id=195982
2735
2736         Reviewed by Mark Lam.
2737
2738         We avoid creations of JIT related data structures under non-JIT mode.
2739         This patch removes the following allocations.
2740
2741         1. JITThunks
2742         2. FTLThunks
2743         3. FixedVMPoolExecutableAllocator
2744         4. noJITValueProfileSingleton since it is no longer used
2745         5. ARM disassembler should be initialized when it is used
2746         6. Wasm related data structures are accidentally allocated if VM::canUseJIT() == false &&
2747            Options::useWebAssembly() == true. Add the Wasm::isSupported() function to check both conditions.
2748
2749         * CMakeLists.txt:
2750         * JavaScriptCore.xcodeproj/project.pbxproj:
2751         * heap/Heap.cpp:
2752         (JSC::Heap::runEndPhase):
2753         * jit/ExecutableAllocator.cpp:
2754         (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
2755         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2756         (JSC::ExecutableAllocator::isValid const):
2757         (JSC::ExecutableAllocator::underMemoryPressure):
2758         (JSC::ExecutableAllocator::memoryPressureMultiplier):
2759         (JSC::ExecutableAllocator::allocate):
2760         (JSC::ExecutableAllocator::isValidExecutableMemory):
2761         (JSC::ExecutableAllocator::getLock const):
2762         (JSC::ExecutableAllocator::committedByteCount):
2763         (JSC::ExecutableAllocator::dumpProfile):
2764         (JSC::startOfFixedExecutableMemoryPoolImpl):
2765         (JSC::endOfFixedExecutableMemoryPoolImpl):
2766         (JSC::ExecutableAllocator::initialize):
2767         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
2768         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
2769         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
2770         * jit/ExecutableAllocator.h:
2771         (JSC::ExecutableAllocatorBase::isValid const):
2772         (JSC::ExecutableAllocatorBase::underMemoryPressure):
2773         (JSC::ExecutableAllocatorBase::memoryPressureMultiplier):
2774         (JSC::ExecutableAllocatorBase::dumpProfile):
2775         (JSC::ExecutableAllocatorBase::allocate):
2776         (JSC::ExecutableAllocatorBase::setJITEnabled):
2777         (JSC::ExecutableAllocatorBase::isValidExecutableMemory):
2778         (JSC::ExecutableAllocatorBase::committedByteCount):
2779         (JSC::ExecutableAllocatorBase::getLock const):
2780         (JSC::ExecutableAllocator::isValid const): Deleted.
2781         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
2782         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
2783         (JSC::ExecutableAllocator::allocate): Deleted.
2784         (JSC::ExecutableAllocator::setJITEnabled): Deleted.
2785         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
2786         (JSC::ExecutableAllocator::committedByteCount): Deleted.
2787         (JSC::ExecutableAllocator::getLock const): Deleted.
2788         * jsc.cpp:
2789         (functionWebAssemblyMemoryMode):
2790         * runtime/InitializeThreading.cpp:
2791         (JSC::initializeThreading):
2792         * runtime/JSGlobalObject.cpp:
2793         (JSC::JSGlobalObject::init):
2794         * runtime/JSLock.cpp:
2795         (JSC::JSLock::didAcquireLock):
2796         * runtime/Options.cpp:
2797         (JSC::recomputeDependentOptions):
2798         * runtime/VM.cpp:
2799         (JSC::enableAssembler):
2800         (JSC::VM::canUseAssembler):
2801         (JSC::VM::VM):
2802         * runtime/VM.h:
2803         * wasm/WasmCapabilities.h: Added.
2804         (JSC::Wasm::isSupported):
2805         * wasm/WasmFaultSignalHandler.cpp:
2806         (JSC::Wasm::enableFastMemory):
2807
2808 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2809
2810         [JSC] Fix JSC build with newer ICU
2811         https://bugs.webkit.org/show_bug.cgi?id=196098
2812
2813         Reviewed by Keith Miller.
2814
2815         IntlDateTimeFormat and IntlNumberFormat have switch statements over ICU's enums. However, they lack a "default" clause, so
2816         a compile error occurs when a new enum value is added on the ICU side. We should have a "default" clause which just falls back to
2817         the "unknown"_s case. The behavior is not changed since we already have a `return "unknown"_s;` statement anyway after the
2818         switch statement. This patch just suppresses a compile error.
2819
2820         * runtime/IntlDateTimeFormat.cpp:
2821         (JSC::IntlDateTimeFormat::partTypeString):
2822         * runtime/IntlNumberFormat.cpp:
2823         (JSC::IntlNumberFormat::partTypeString):
2824
2825 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2826
2827         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
2828         https://bugs.webkit.org/show_bug.cgi?id=196078
2829         <rdar://problem/35925380>
2830
2831         Reviewed by Mark Lam.
2832
2833         Unlike the other variations of putByIndex, it only checked if the index
2834         was larger than MIN_SPARSE_ARRAY_INDEX when the indexingType was
2835         ALL_BLANK_INDEXING_TYPES. This resulted in a huge butterfly being
2836         allocated for object literals (e.g. `{[9e4]: ...}`) and objects parsed
2837         from JSON.
2838
2839         * runtime/JSObject.cpp:
2840         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2841
2842 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2843
2844         CachedUnlinkedSourceCodeShape::m_provider should be a CachedRefPtr
2845         https://bugs.webkit.org/show_bug.cgi?id=196079
2846
2847         Reviewed by Saam Barati.
2848
2849         It was mistakenly cached as CachedPtr, which was leaking the decoded SourceProvider.
2850
2851         * runtime/CachedTypes.cpp:
2852         (JSC::CachedUnlinkedSourceCodeShape::encode):
2853
2854 2019-03-21  Mark Lam  <mark.lam@apple.com>
2855
2856         Placate exception check validation in operationArrayIndexOfString().
2857         https://bugs.webkit.org/show_bug.cgi?id=196067
2858         <rdar://problem/49056572>
2859
2860         Reviewed by Michael Saboff.
2861
2862         * dfg/DFGOperations.cpp:
2863
2864 2019-03-21  Xan Lopez  <xan@igalia.com>
2865
2866         [JSC][x86] Drop support for x87 floating point
2867         https://bugs.webkit.org/show_bug.cgi?id=194853
2868
2869         Reviewed by Don Olmstead.
2870
2871         Require SSE2 throughout the codebase, and remove x87 support where
2872         it was optionally available. SSE2 detection happens at compile
2873         time through a static_assert.
2874
2875         * assembler/MacroAssemblerX86.h:
2876         (JSC::MacroAssemblerX86::storeDouble):
2877         (JSC::MacroAssemblerX86::moveDoubleToInts):
2878         (JSC::MacroAssemblerX86::supportsFloatingPoint):
2879         (JSC::MacroAssemblerX86::supportsFloatingPointTruncate):
2880         (JSC::MacroAssemblerX86::supportsFloatingPointSqrt):
2881         (JSC::MacroAssemblerX86::supportsFloatingPointAbs):
2882         * assembler/MacroAssemblerX86Common.cpp:
2883         * assembler/MacroAssemblerX86Common.h:
2884         (JSC::MacroAssemblerX86Common::moveDouble):
2885         (JSC::MacroAssemblerX86Common::loadDouble):
2886         (JSC::MacroAssemblerX86Common::loadFloat):
2887         (JSC::MacroAssemblerX86Common::storeDouble):
2888         (JSC::MacroAssemblerX86Common::storeFloat):
2889         (JSC::MacroAssemblerX86Common::convertDoubleToFloat):
2890         (JSC::MacroAssemblerX86Common::convertFloatToDouble):
2891         (JSC::MacroAssemblerX86Common::addDouble):
2892         (JSC::MacroAssemblerX86Common::addFloat):
2893         (JSC::MacroAssemblerX86Common::divDouble):
2894         (JSC::MacroAssemblerX86Common::divFloat):
2895         (JSC::MacroAssemblerX86Common::subDouble):
2896         (JSC::MacroAssemblerX86Common::subFloat):
2897         (JSC::MacroAssemblerX86Common::mulDouble):
2898         (JSC::MacroAssemblerX86Common::mulFloat):
2899         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
2900         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
2901         (JSC::MacroAssemblerX86Common::branchDouble):
2902         (JSC::MacroAssemblerX86Common::branchFloat):
2903         (JSC::MacroAssemblerX86Common::compareDouble):
2904         (JSC::MacroAssemblerX86Common::compareFloat):
2905         (JSC::MacroAssemblerX86Common::branchTruncateDoubleToInt32):
2906         (JSC::MacroAssemblerX86Common::truncateDoubleToInt32):
2907         (JSC::MacroAssemblerX86Common::truncateFloatToInt32):
2908         (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
2909         (JSC::MacroAssemblerX86Common::branchDoubleNonZero):
2910         (JSC::MacroAssemblerX86Common::branchDoubleZeroOrNaN):
2911         (JSC::MacroAssemblerX86Common::lshiftPacked):
2912         (JSC::MacroAssemblerX86Common::rshiftPacked):
2913         (JSC::MacroAssemblerX86Common::orPacked):
2914         (JSC::MacroAssemblerX86Common::move32ToFloat):
2915         (JSC::MacroAssemblerX86Common::moveFloatTo32):
2916         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2917         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2918         * offlineasm/x86.rb:
2919         * runtime/MathCommon.cpp:
2920         (JSC::operationMathPow):
2921
2922 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
2923
2924         [GLIB] User data not correctly passed to callback of functions and constructors with no parameters
2925         https://bugs.webkit.org/show_bug.cgi?id=196073
2926
2927         Reviewed by Michael Catanzaro.
2928
2929         This is because GClosure always expects the first parameter to be the instance. In the case of functions or constructors with
2930         no parameters we insert a fake instance which is just a null pointer that is ignored by the callback. But
2931         if the function/constructor has user data, the callback will expect one parameter for the user data. In that case
2932         we can simply swap instance/user data so that the fake instance will be the second argument and the user data the
2933         first one.
2934
2935         * API/glib/JSCClass.cpp:
2936         (jscClassCreateConstructor): Use g_cclosure_new_swap() if parameters is empty and user data was provided.
2937         * API/glib/JSCValue.cpp:
2938         (jscValueFunctionCreate): Ditto.
2939
2940 2019-03-21  Pablo Saavedra  <psaavedra@igalia.com>
2941
2942         [JSC][32-bit] Build failure after r243232
2943         https://bugs.webkit.org/show_bug.cgi?id=196068
2944
2945         Reviewed by Mark Lam.
2946
2947         * dfg/DFGOSRExit.cpp:
2948         (JSC::DFG::reifyInlinedCallFrames):
2949         * dfg/DFGOSRExitCompilerCommon.cpp:
2950         (JSC::DFG::reifyInlinedCallFrames):
2951
2952 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
2953
2954         [GLib] Returning G_TYPE_OBJECT from a method does not work
2955         https://bugs.webkit.org/show_bug.cgi?id=195574
2956
2957         Reviewed by Michael Catanzaro.
2958
2959         Add more documentation to clarify the ownership of wrapped objects when created and when returned by functions.
2960
2961         * API/glib/JSCCallbackFunction.cpp:
2962         (JSC::JSCCallbackFunction::construct): Also allow to return boxed types from a constructor.
2963         * API/glib/JSCClass.cpp:
2964         * API/glib/JSCValue.cpp:
2965
2966 2019-03-21  Mark Lam  <mark.lam@apple.com>
2967
2968         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
2969         https://bugs.webkit.org/show_bug.cgi?id=196055
2970         <rdar://problem/49067448>
2971
2972         Reviewed by Yusuke Suzuki.
2973
2974         We are doing this because:
2975         1. We expect the array to be densely packed.
2976         2. SpeculativeJIT::compileAllocateNewArrayWithSize() (and the FTL equivalent)
2977            expects the array length to be less than MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH
2978            if we don't want to use an ArrayStorage shape.
2979         3. There's no reason why an array with spread needs to be that large anyway.
2980            MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH is plenty.
2981
2982         In this patch, we also add a debug assert in compileAllocateNewArrayWithSize() and
2983         emitAllocateButterfly() to check for overflows.
2984
2985         * assembler/AbortReason.h:
2986         * dfg/DFGOperations.cpp:
2987         * dfg/DFGSpeculativeJIT.cpp:
2988         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2989         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2990         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
2991         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2992         * ftl/FTLLowerDFGToB3.cpp:
2993         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2994         * runtime/ArrayConventions.h:
2995         * runtime/CommonSlowPaths.cpp:
2996         (JSC::SLOW_PATH_DECL):
2997
2998 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
2999
3000         [JSC] Use finalizer in JSGlobalLexicalEnvironment and JSGlobalObject
3001         https://bugs.webkit.org/show_bug.cgi?id=195992
3002
3003         Reviewed by Keith Miller and Mark Lam.
3004
3005         JSGlobalLexicalEnvironment and JSGlobalObject have their own CompleteSubspace to call destructors while they do not inherit JSDestructibleObject.
3006         But it is too costly since (1) it requires a CompleteSubspace in VM, (2) both objects allocate MarkedBlocks while the number of them is really small.
3007
3008         Instead of using CompleteSubspace, we just set finalizers for them. Since these objects are rarely allocated, setting finalizers does not show
3009         memory / performance problems (actually, we previously used a finalizer for ArrayPrototype for the same reason, and it did not show any problems).
3010
3011         And we also add the following two changes to JSSegmentedVariableObject.
3012
3013         1. Remove one boolean used for debugging in Release build. It enlarges sizeof(JSSegmentedVariableObject) and allocates one more MarkedBlock.
3014         2. Use cellLock() instead.
3015
3016         * CMakeLists.txt:
3017         * JavaScriptCore.xcodeproj/project.pbxproj:
3018         * Sources.txt:
3019         * runtime/JSSegmentedVariableObject.cpp:
3020         (JSC::JSSegmentedVariableObject::findVariableIndex):
3021         (JSC::JSSegmentedVariableObject::addVariables):
3022         (JSC::JSSegmentedVariableObject::visitChildren):
3023         (JSC::JSSegmentedVariableObject::~JSSegmentedVariableObject):
3024         (JSC::JSSegmentedVariableObject::finishCreation):
3025         * runtime/JSSegmentedVariableObject.h:
3026         (JSC::JSSegmentedVariableObject::subspaceFor): Deleted.
3027         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Removed.
3028         * runtime/JSSegmentedVariableObjectHeapCellType.h: Removed.
3029         * runtime/StringIteratorPrototype.cpp:
3030         * runtime/VM.cpp:
3031         (JSC::VM::VM):
3032         * runtime/VM.h:
3033
3034 2019-03-20  Saam Barati  <sbarati@apple.com>
3035
3036         DFG::AbstractValue::validateOSREntry is wrong when isHeapTop and the incoming value is Empty
3037         https://bugs.webkit.org/show_bug.cgi?id=195721
3038
3039         Reviewed by Filip Pizlo.
3040
3041         There was a check in AbstractValue::validateOSREntry where it checked
3042         if isHeapTop(), and if so, just returned true. However, this is wrong
3043         if the value we're checking against is the empty value, since HeapTop
3044         does not include the Empty value. Instead, this check should be
3045         isBytecodeTop(), which does account for the empty value.
3046         
3047         This patch also does a couple of other things:
3048         - For our OSR entry AbstractValues, we were using HeapTop to mark
3049          a dead value. That is now changed to BytecodeTop. (The idea here
3050          is just to have validateOSREntry return early.)
3051         - It wasn't obvious to me how I could make this fail in JS code.
3052          The symptom we'd end up seeing is something like a nullptr dereference
3053          from forgetting to do a TDZ check. Instead, I've added a unit test.
3054          This unit test lives in a new test file: testdfg. testdfg is similar
3055          to testb3/testair/testapi.
3056
3057         * JavaScriptCore.xcodeproj/project.pbxproj:
3058         * bytecode/SpeculatedType.h:
3059         * dfg/DFGAbstractValue.h:
3060         (JSC::DFG::AbstractValue::isBytecodeTop const):
3061         (JSC::DFG::AbstractValue::validateOSREntryValue const):
3062         * dfg/testdfg.cpp: Added.
3063         (hiddenTruthBecauseNoReturnIsStupid):
3064         (usage):
3065         (JSC::DFG::testEmptyValueDoesNotValidateWithHeapTop):
3066         (JSC::DFG::run):
3067         (run):
3068         (main):
3069         * shell/CMakeLists.txt:
3070
3071 2019-03-20  Saam Barati  <sbarati@apple.com>
3072
3073         typeOfDoubleSum is wrong for when NaN can be produced
3074         https://bugs.webkit.org/show_bug.cgi?id=196030
3075
3076         Reviewed by Filip Pizlo.
3077
3078         We were using typeOfDoubleSum(SpeculatedType, SpeculatedType) for add/sub/mul.
3079         It assumed that the only way the resulting type could be NaN is if one of
3080         the inputs was NaN. However, this is wrong. NaN can be produced in at least
3081         these cases:
3082           Infinity - Infinity
3083           Infinity + (-Infinity)
3084           Infinity * 0
3085
3086         * bytecode/SpeculatedType.cpp:
3087         (JSC::typeOfDoubleSumOrDifferenceOrProduct):
3088         (JSC::typeOfDoubleSum):
3089         (JSC::typeOfDoubleDifference):
3090         (JSC::typeOfDoubleProduct):
3091
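The three NaN-producing cases above, as an added example that is not JavaScriptCore's code: a two-flag model of the DFG's double SpeculatedType (SpecDoubleReal, SpecDoubleNaN) with the pre-fix and post-fix "type of a sum" rules, plus a brute-force soundness check over constructed sample values. The flag names follow JSC's, but the rules and the checker are assumptions of the model, not the engine's implementation.

```javascript
// Added example, not JavaScriptCore code. A two-flag model of the DFG's
// double SpeculatedType: SpecDoubleReal is any non-NaN double (the infinities
// included), SpecDoubleNaN is NaN. The rules below are a model of the
// pre-fix and post-fix behaviour, not JSC's actual implementation.

const SpecDoubleReal = 1 << 0; // any non-NaN double, +/-Infinity included
const SpecDoubleNaN = 1 << 1;  // NaN

// Map a concrete double to the lattice element that describes it.
function speculationFromValue(x) {
  return Number.isNaN(x) ? SpecDoubleNaN : SpecDoubleReal;
}

// Pre-fix rule (model): the result can only be NaN if an input can be NaN.
// This is unsound because SpecDoubleReal includes +/-Infinity.
function typeOfDoubleSumBuggy(a, b) {
  let result = 0;
  if ((a & SpecDoubleReal) && (b & SpecDoubleReal)) result |= SpecDoubleReal;
  if ((a | b) & SpecDoubleNaN) result |= SpecDoubleNaN;
  return result;
}

// Post-fix rule (model): two non-NaN doubles can still produce NaN
// (Infinity - Infinity, Infinity + (-Infinity), Infinity * 0), so whenever
// both inputs may be real the result may also be NaN.
function typeOfDoubleSumFixed(a, b) {
  let result = typeOfDoubleSumBuggy(a, b);
  if ((a & SpecDoubleReal) && (b & SpecDoubleReal)) result |= SpecDoubleNaN;
  return result;
}

// The model applies one rule to add, sub and mul, as the ChangeLog entry's
// typeOfDoubleSumOrDifferenceOrProduct name suggests.
const ops = {
  add: (x, y) => x + y,
  sub: (x, y) => x - y,
  mul: (x, y) => x * y,
};

// Constructed sample inputs: finite values, both signed zeros, both
// infinities and NaN. 1e308 is there so finite overflow to Infinity is covered.
const sampleValues = [0, -0, 1, -2.5, 1e308, Infinity, -Infinity, NaN];

// Brute-force soundness check: for every op and every pair of samples, the
// type of the concrete result must be included in the predicted abstract
// type. Returns every (op, x, y) where the rule under-approximates.
function findUnsoundCases(typeOf) {
  const unsound = [];
  for (const [name, op] of Object.entries(ops)) {
    for (const x of sampleValues) {
      for (const y of sampleValues) {
        const predicted = typeOf(speculationFromValue(x), speculationFromValue(y));
        const actual = speculationFromValue(op(x, y));
        if ((actual & ~predicted) !== 0) unsound.push({ op: name, x, y });
      }
    }
  }
  return unsound;
}

// Stand-alone demo (skipped when loaded as a module).
if (typeof require !== "undefined" && require.main === module) {
  console.log("pre-fix rule misses:", findUnsoundCases(typeOfDoubleSumBuggy));
  console.log("post-fix rule misses:", findUnsoundCases(typeOfDoubleSumFixed));
}
```

The pre-fix rule is caught on exactly the combinations the entry lists (and their sign variants), while the post-fix rule has no misses over the sample set; a JIT that trusted the narrower type would emit NaN-free fast paths for a value that can be NaN.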
3092 2019-03-20  Simon Fraser  <simon.fraser@apple.com>
3093
3094         Rename ENABLE_ACCELERATED_OVERFLOW_SCROLLING macro to ENABLE_OVERFLOW_SCROLLING_TOUCH
3095         https://bugs.webkit.org/show_bug.cgi?id=196049
3096
3097         Reviewed by Tim Horton.
3098
3099         This macro is about the -webkit-overflow-scrolling CSS property, not accelerated
3100         overflow scrolling in general, so rename it.
3101
3102         * Configurations/FeatureDefines.xcconfig:
3103
3104 2019-03-20  Saam Barati  <sbarati@apple.com>
3105
3106         GetCallee does not report the correct type in AI
3107         https://bugs.webkit.org/show_bug.cgi?id=195981
3108
3109         Reviewed by Yusuke Suzuki.
3110
3111         I found this as part of my work in:
3112         https://bugs.webkit.org/show_bug.cgi?id=195924
3113         
3114         I'm not sure how to write a test for it.
3115         
3116         GetCallee was always reporting that the result is SpecFunction. However,
3117         for eval, it may result in just a JSCallee object, which is not a JSFunction.
3118
3119         * dfg/DFGAbstractInterpreterInlines.h:
3120         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3121
3122 2019-03-20  Mark Lam  <mark.lam@apple.com>
3123
3124         Open source arm64e code.
3125         https://bugs.webkit.org/show_bug.cgi?id=196012
3126         <rdar://problem/49066237>
3127
3128         Reviewed by Keith Miller.
3129
3130         * JavaScriptCore.xcodeproj/project.pbxproj:
3131         * Sources.txt:
3132         * assembler/ARM64EAssembler.h: Added.
3133         (JSC::ARM64EAssembler::encodeGroup1):
3134         (JSC::ARM64EAssembler::encodeGroup2):
3135         (JSC::ARM64EAssembler::encodeGroup4):
3136         (JSC::ARM64EAssembler::pacia1716):
3137         (JSC::ARM64EAssembler::pacib1716):
3138         (JSC::ARM64EAssembler::autia1716):
3139         (JSC::ARM64EAssembler::autib1716):
3140         (JSC::ARM64EAssembler::paciaz):
3141         (JSC::ARM64EAssembler::paciasp):
3142         (JSC::ARM64EAssembler::pacibz):
3143         (JSC::ARM64EAssembler::pacibsp):
3144         (JSC::ARM64EAssembler::autiaz):
3145         (JSC::ARM64EAssembler::autiasp):
3146         (JSC::ARM64EAssembler::autibz):
3147         (JSC::ARM64EAssembler::autibsp):
3148         (JSC::ARM64EAssembler::xpaclri):
3149         (JSC::ARM64EAssembler::pacia):
3150         (JSC::ARM64EAssembler::pacib):
3151         (JSC::ARM64EAssembler::pacda):
3152         (JSC::ARM64EAssembler::pacdb):
3153         (JSC::ARM64EAssembler::autia):
3154         (JSC::ARM64EAssembler::autib):
3155         (JSC::ARM64EAssembler::autda):
3156         (JSC::ARM64EAssembler::autdb):
3157         (JSC::ARM64EAssembler::paciza):
3158         (JSC::ARM64EAssembler::pacizb):
3159         (JSC::ARM64EAssembler::pacdza):
3160         (JSC::ARM64EAssembler::pacdzb):
3161         (JSC::ARM64EAssembler::autiza):
3162         (JSC::ARM64EAssembler::autizb):
3163         (JSC::ARM64EAssembler::autdza):
3164         (JSC::ARM64EAssembler::autdzb):
3165         (JSC::ARM64EAssembler::xpaci):
3166         (JSC::ARM64EAssembler::xpacd):
3167         (JSC::ARM64EAssembler::pacga):
3168         (JSC::ARM64EAssembler::braa):
3169         (JSC::ARM64EAssembler::brab):
3170         (JSC::ARM64EAssembler::blraa):
3171         (JSC::ARM64EAssembler::blrab):
3172         (JSC::ARM64EAssembler::braaz):
3173         (JSC::ARM64EAssembler::brabz):
3174         (JSC::ARM64EAssembler::blraaz):
3175         (JSC::ARM64EAssembler::blrabz):
3176         (JSC::ARM64EAssembler::retaa):
3177         (JSC::ARM64EAssembler::retab):
3178         (JSC::ARM64EAssembler::eretaa):
3179         (JSC::ARM64EAssembler::eretab):
3180         (JSC::ARM64EAssembler::linkPointer):
3181         (JSC::ARM64EAssembler::repatchPointer):
3182         (JSC::ARM64EAssembler::setPointer):
3183         (JSC::ARM64EAssembler::readPointer):
3184         (JSC::ARM64EAssembler::readCallTarget):
3185         (JSC::ARM64EAssembler::ret):
3186         * assembler/MacroAssembler.cpp:
3187         * assembler/MacroAssembler.h:
3188         * assembler/MacroAssemblerARM64.cpp:
3189         * assembler/MacroAssemblerARM64E.h: Added.
3190         (JSC::MacroAssemblerARM64E::tagReturnAddress):
3191         (JSC::MacroAssemblerARM64E::untagReturnAddress):
3192         (JSC::MacroAssemblerARM64E::tagPtr):
3193         (JSC::MacroAssemblerARM64E::untagPtr):
3194         (JSC::MacroAssemblerARM64E::removePtrTag):
3195         (JSC::MacroAssemblerARM64E::callTrustedPtr):
3196         (JSC::MacroAssemblerARM64E::call):
3197         (JSC::MacroAssemblerARM64E::callRegister):
3198         (JSC::MacroAssemblerARM64E::jump):
3199         * dfg/DFGOSRExit.cpp:
3200         (JSC::DFG::reifyInlinedCallFrames):
3201         * dfg/DFGOSRExitCompilerCommon.cpp:
3202         (JSC::DFG::reifyInlinedCallFrames):
3203         * ftl/FTLThunks.cpp:
3204         (JSC::FTL::genericGenerationThunkGenerator):
3205         * jit/CCallHelpers.h:
3206         (JSC::CCallHelpers::prepareForTailCallSlow):
3207         * jit/CallFrameShuffler.cpp:
3208         (JSC::CallFrameShuffler::prepareForTailCall):
3209         * jit/ExecutableAllocator.cpp:
3210         (JSC::ExecutableAllocator::allocate):
3211         * jit/ThunkGenerators.cpp:
3212         (JSC::arityFixupGenerator):
3213         * llint/LLIntOfflineAsmConfig.h:
3214         * llint/LowLevelInterpreter.asm:
3215         * llint/LowLevelInterpreter64.asm:
3216         * runtime/ClassInfo.h:
3217         * runtime/InitializeThreading.cpp:
3218         (JSC::initializeThreading):
3219         * runtime/JSCPtrTag.cpp: Added.
3220         (JSC::tagForPtr):
3221         (JSC::ptrTagName):
3222         (JSC::initializePtrTagLookup):
3223         * runtime/JSCPtrTag.h:
3224         (JSC::initializePtrTagLookup):
3225         * runtime/Options.cpp:
3226         (JSC::recomputeDependentOptions):
3227
3228 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
3229
3230         JSC::createError needs to check for OOM in errorDescriptionForValue
3231         https://bugs.webkit.org/show_bug.cgi?id=196032
3232         <rdar://problem/46842740>
3233
3234         Reviewed by Mark Lam.
3235
3236         We were missing exceptions checks at two levels:
3237         - In errorDescriptionForValue, when the value is a string, we should
3238           check that JSString::value returns a valid string, since we might run
3239           out of memory if it is a rope and we need to resolve it.
3240         - In createError, we should check for the result of errorDescriptionForValue
3241           before concatenating it with the message provided by the caller.
3242
3243         * runtime/ExceptionHelpers.cpp:
3244         (JSC::errorDescriptionForValue):
3245         (JSC::createError):
3246         * runtime/ExceptionHelpers.h:
3247
3248 2019-03-20  Devin Rousso  <drousso@apple.com>
3249
3250         Web Inspector: DOM: include window as part of any event listener chain
3251         https://bugs.webkit.org/show_bug.cgi?id=195730
3252         <rdar://problem/48916872>
3253
3254         Reviewed by Timothy Hatcher.
3255
3256         * inspector/protocol/DOM.json:
3257         Modify `DOM.getEventListenersForNode` to not save the handler object, as that was never
3258         used by the frontend. Add an `onWindow` optional property to `DOM.EventListener` that is set
3259         when the event listener was retrieved from the `window` object.
3260
3261 2019-03-20  Devin Rousso  <drousso@apple.com>
3262
3263         Web Inspector: Runtime: lazily create the agent
3264         https://bugs.webkit.org/show_bug.cgi?id=195972
3265         <rdar://problem/49039655>
3266
3267         Reviewed by Timothy Hatcher.
3268
3269         * inspector/JSGlobalObjectInspectorController.cpp:
3270         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3271         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3272
3273         * inspector/agents/InspectorRuntimeAgent.h:
3274         (Inspector::InspectorRuntimeAgent::enabled): Deleted.
3275         * inspector/agents/InspectorRuntimeAgent.cpp:
3276         (Inspector::InspectorRuntimeAgent::didCreateFrontendAndBackend): Added.
3277         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
3278
3279         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3280         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3281         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend): Deleted.
3282
3283 2019-03-20  Michael Saboff  <msaboff@apple.com>
3284
3285         JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default
3286         https://bugs.webkit.org/show_bug.cgi?id=195906
3287
3288         Reviewed by Mark Lam.
3289
3290         The problem here is that we may successfully parse a RegExp without running out of stack,
3291         but later run out of stack when trying to JIT compile the same expression.
3292
3293         Added a check for available stack space when we call into one of the parenthesis compilation
3294         functions that recurse.  When we don't have enough stack space to recurse, we fail the JIT
3295         compilation and let the interpreter handle the expression.
3296
3297         From code inspection of the YARR interpreter, it has the same issue, but I couldn't cause a failure.
3298         Filed a new bug and added a FIXME comment for the Interpreter to have similar checks.
3299         Given that we can reproduce a failure, this is sufficient for now.
3300
3301         This change is covered by the previously added failing test,
3302         JSTests/stress/dont-strength-reduce-regexp-with-compile-error.js.
3303
3304         * yarr/YarrInterpreter.cpp:
3305         (JSC::Yarr::Interpreter::interpret):
3306         * yarr/YarrJIT.cpp:
3307         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
3308         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
3309         (JSC::Yarr::YarrGenerator::opCompileBody):
3310         (JSC::Yarr::dumpCompileFailure):
3311         * yarr/YarrJIT.h:
3312
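As an added illustration of the stack-space check this entry describes (example code written for this page, not the YARR implementation; `StackCheck`, `ParenCompiler`, the byte budget and the result enum are assumptions), here is a recursive parenthesis compiler that refuses to recurse once its stack budget is used up and reports failure so that a caller can fall back to a non-recursive interpreter instead of crashing on a deeply nested pattern:

```cpp
// Added example, not WebKit code: bail out of a recursive compiler before the
// stack runs out, instead of overflowing it on a deeply nested input.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Tracks stack consumption since construction. The address of a local is used
// as an approximation of the stack pointer (assumption: one contiguous stack;
// growth direction does not matter because the absolute distance is taken).
class StackCheck {
public:
    explicit StackCheck(std::size_t budgetBytes)
        : m_budget(budgetBytes), m_base(currentStackPointer()) {}
    bool isSafeToRecurse() const {
        std::uintptr_t here = currentStackPointer();
        std::size_t used = here > m_base ? here - m_base : m_base - here;
        return used < m_budget;
    }
private:
    static std::uintptr_t currentStackPointer() {
        char probe;
        return reinterpret_cast<std::uintptr_t>(&probe);
    }
    std::size_t m_budget;
    std::uintptr_t m_base;
};

enum class CompileResult { Compiled, StackExhausted, SyntaxError };

// Compiles nested parentheses recursively, one frame per nesting level, the
// way a parentheses subpattern compiler recurses into its children.
class ParenCompiler {
public:
    ParenCompiler(const std::string& pattern, std::size_t stackBudget)
        : m_pattern(pattern), m_stack(stackBudget) {}
    CompileResult compile() {
        std::size_t pos = 0;
        CompileResult result = compileGroup(pos, 0);
        if (result == CompileResult::Compiled && pos != m_pattern.size())
            return CompileResult::SyntaxError;
        return result;
    }
private:
    CompileResult compileGroup(std::size_t& pos, unsigned depth) {
        while (pos < m_pattern.size()) {
            char c = m_pattern[pos];
            if (c == '(') {
                // Check before recursing; on failure the caller falls back to
                // the interpreter rather than letting the recursion overflow.
                if (!m_stack.isSafeToRecurse())
                    return CompileResult::StackExhausted;
                ++pos;
                CompileResult inner = compileGroup(pos, depth + 1);
                if (inner != CompileResult::Compiled)
                    return inner;
                if (pos >= m_pattern.size() || m_pattern[pos] != ')')
                    return CompileResult::SyntaxError;
                ++pos;
            } else if (c == ')') {
                return depth == 0 ? CompileResult::SyntaxError : CompileResult::Compiled;
            } else {
                ++pos;   // literal character, nothing to nest
            }
        }
        return depth == 0 ? CompileResult::Compiled : CompileResult::SyntaxError;
    }
    std::string m_pattern;
    StackCheck m_stack;
};

// Compiles `pattern` with at most `budgetBytes` of stack available for recursion.
CompileResult compilePattern(const std::string& pattern, std::size_t budgetBytes) {
    ParenCompiler compiler(pattern, budgetBytes);
    return compiler.compile();
}

// Constructed input: `depth` nested groups around a single literal.
std::string nestedPattern(std::size_t depth) {
    return std::string(depth, '(') + "a" + std::string(depth, ')');
}

int main() {
    const std::size_t budget = 256 * 1024;
    std::printf("shallow: %d\n", static_cast<int>(compilePattern("((a)(b))c", budget)));
    std::printf("deep:    %d\n", static_cast<int>(compilePattern(nestedPattern(1000000), budget)));
    return 0;
}
```

The budget here is measured from the point where the compiler is constructed, whereas a real engine would compare against the limit of the thread's actual stack; the shape of the check is the same either way: test before the recursive call, and return a distinct failure code so the caller can choose a safe fallback.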
3313 2019-03-20  Robin Morisset  <rmorisset@apple.com>
3314
3315         DFGNodeAllocator.h is dead code
3316         https://bugs.webkit.org/show_bug.cgi?id=196019
3317
3318         Reviewed by Yusuke Suzuki.
3319
3320         As explained by Yusuke on IRC, the comment on DFG::Node saying that it cannot have a destructor is obsolete since https://trac.webkit.org/changeset/216815/webkit.
3321         This patch removes both the comment and DFGNodeAllocator.h that that patch forgot to remove.
3322
3323         * dfg/DFGNode.h:
3324         (JSC::DFG::Node::dumpChildren):
3325         * dfg/DFGNodeAllocator.h: Removed.
3326
3327 2019-03-20  Robin Morisset  <rmorisset@apple.com>
3328
3329         Compress CodeOrigin into a single word in the common case
3330         https://bugs.webkit.org/show_bug.cgi?id=195928
3331
3332         Reviewed by Saam Barati.
3333
3334         The trick is that pointers only take 48 bits on x86_64 in practice (and we can even use the bottom three bits of that thanks to alignment), and even less on ARM64.
3335         So we can shove the bytecode index in the top bits almost all the time.
3336         If the bytecodeIndex is too ginormous (1<<16 in practice on x86_64), we just set one bit at the bottom and store a pointer to some out-of-line storage instead.
3337         Finally we represent an invalid bytecodeIndex (which used to be represented by UINT_MAX) by setting the second least significant bit.
3338
3339         The patch looks very long, but most of it is just replacing direct accesses to inlineCallFrame and bytecodeIndex by the relevant getters.
3340
3341         End result: CodeOrigin in the common case moves from 16 bytes (8 for InlineCallFrame*, 4 for unsigned bytecodeIndex, 4 of padding) to 8.
3342         As a reference, during running JetStream2 we allocate more than 35M CodeOrigins. While they won't all be alive at the same time, it is still quite a lot of objects, so I am hoping for some small
3343         improvement to RAMification from this work.
3344
3345         The one slightly tricky part is that we must implement copy and move assignment operators and constructors to make sure that any out-of-line storage belongs to a single CodeOrigin and is destroyed exactly once.
3346
3347         * bytecode/ByValInfo.h:
3348         * bytecode/CallLinkStatus.cpp:
3349         (JSC::CallLinkStatus::computeFor):
3350         * bytecode/CodeBlock.cpp:
3351         (JSC::CodeBlock::globalObjectFor):
3352         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
3353         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
3354         * bytecode/CodeOrigin.cpp:
3355         (JSC::CodeOrigin::inlineDepth const):
3356         (JSC::CodeOrigin::isApproximatelyEqualTo const):
3357         (JSC::CodeOrigin::approximateHash const):
3358         (JSC::CodeOrigin::inlineStack const):
3359         (JSC::CodeOrigin::codeOriginOwner const):
3360         (JSC::CodeOrigin::stackOffset const):
3361         (JSC::CodeOrigin::dump const):
3362         (JSC::CodeOrigin::inlineDepthForCallFrame): Deleted.
3363         * bytecode/CodeOrigin.h:
3364         (JSC::OutOfLineCodeOrigin::OutOfLineCodeOrigin):
3365         (JSC::CodeOrigin::CodeOrigin):
3366         (JSC::CodeOrigin::~CodeOrigin):
3367         (JSC::CodeOrigin::isSet const):
3368         (JSC::CodeOrigin::isHashTableDeletedValue const):
3369         (JSC::CodeOrigin::bytecodeIndex const):
3370         (JSC::CodeOrigin::inlineCallFrame const):
3371         (JSC::CodeOrigin::buildCompositeValue):
3372         (JSC::CodeOrigin::hash const):
3373         (JSC::CodeOrigin::operator== const):
3374         (JSC::CodeOrigin::exitingInlineKind const): Deleted.
3375         * bytecode/DeferredSourceDump.h:
3376         * bytecode/GetByIdStatus.cpp:
3377         (JSC::GetByIdStatus::computeForStubInfo):
3378         (JSC::GetByIdStatus::computeFor):
3379         * bytecode/ICStatusMap.cpp:
3380         (JSC::ICStatusContext::isInlined const):
3381         * bytecode/InByIdStatus.cpp:
3382         (JSC::InByIdStatus::computeFor):
3383         (JSC::InByIdStatus::computeForStubInfo):
3384         * bytecode/InlineCallFrame.cpp:
3385         (JSC::InlineCallFrame::dumpInContext const):
3386         * bytecode/InlineCallFrame.h:
3387         (JSC::InlineCallFrame::computeCallerSkippingTailCalls):
3388         (JSC::InlineCallFrame::getCallerInlineFrameSkippingTailCalls):
3389         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
3390         (JSC::CodeOrigin::walkUpInlineStack):
3391         * bytecode/InstanceOfStatus.h:
3392         * bytecode/PutByIdStatus.cpp:
3393         (JSC::PutByIdStatus::computeForStubInfo):
3394         (JSC::PutByIdStatus::computeFor):
3395         * dfg/DFGAbstractInterpreterInlines.h:
3396         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3397         * dfg/DFGArgumentsEliminationPhase.cpp:
3398         * dfg/DFGArgumentsUtilities.cpp:
3399         (JSC::DFG::argumentsInvolveStackSlot):
3400         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3401         * dfg/DFGArrayMode.h:
3402         * dfg/DFGByteCodeParser.cpp:
3403         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3404         (JSC::DFG::ByteCodeParser::setLocal):
3405         (JSC::DFG::ByteCodeParser::setArgument):
3406         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
3407         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3408         (JSC::DFG::ByteCodeParser::parseBlock):
3409         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3410         (JSC::DFG::ByteCodeParser::handlePutByVal):
3411         * dfg/DFGClobberize.h:
3412         (JSC::DFG::clobberize):
3413         * dfg/DFGConstantFoldingPhase.cpp:
3414         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3415         * dfg/DFGFixupPhase.cpp:
3416         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3417         * dfg/DFGForAllKills.h:
3418         (JSC::DFG::forAllKilledOperands):
3419         * dfg/DFGGraph.cpp:
3420         (JSC::DFG::Graph::dumpCodeOrigin):
3421         (JSC::DFG::Graph::dump):
3422         (JSC::DFG::Graph::isLiveInBytecode):
3423         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3424         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
3425         * dfg/DFGGraph.h:
3426         (JSC::DFG::Graph::executableFor):
3427         (JSC::DFG::Graph::isStrictModeFor):
3428         (JSC::DFG::Graph::hasExitSite):
3429         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
3430         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
3431         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
3432         * dfg/DFGMinifiedNode.cpp:
3433         (JSC::DFG::MinifiedNode::fromNode):
3434         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3435         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3436         * dfg/DFGOSRExit.cpp:
3437         (JSC::DFG::OSRExit::executeOSRExit):
3438         (JSC::DFG::reifyInlinedCallFrames):
3439         (JSC::DFG::adjustAndJumpToTarget):
3440         (JSC::DFG::printOSRExit):
3441         (JSC::DFG::OSRExit::compileExit):
3442         * dfg/DFGOSRExitBase.cpp:
3443         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
3444         * dfg/DFGOSRExitCompilerCommon.cpp:
3445         (JSC::DFG::handleExitCounts):
3446         (JSC::DFG::reifyInlinedCallFrames):
3447         (JSC::DFG::adjustAndJumpToTarget):
3448         * dfg/DFGOSRExitPreparation.cpp:
3449         (JSC::DFG::prepareCodeOriginForOSRExit):
3450         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3451         * dfg/DFGOperations.cpp:
3452         * dfg/DFGPreciseLocalClobberize.h:
3453         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3454         * dfg/DFGSpeculativeJIT.cpp:
3455         (JSC::DFG::SpeculativeJIT::emitGetLength):
3456         (JSC::DFG::SpeculativeJIT::emitGetCallee):
3457         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3458         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3459         (JSC::DFG::SpeculativeJIT::compileValueSub):
3460         (JSC::DFG::SpeculativeJIT::compileValueNegate):
3461         (JSC::DFG::SpeculativeJIT::compileValueMul):
3462         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
3463         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3464         * dfg/DFGSpeculativeJIT32_64.cpp:
3465         (JSC::DFG::SpeculativeJIT::emitCall):
3466         * dfg/DFGSpeculativeJIT64.cpp:
3467         (JSC::DFG::SpeculativeJIT::emitCall):
3468         (JSC::DFG::SpeculativeJIT::compile):
3469         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3470         (JSC::DFG::TierUpCheckInjectionPhase::run):
3471         (JSC::DFG::TierUpCheckInjectionPhase::canOSREnterAtLoopHint):
3472         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
3473         * dfg/DFGTypeCheckHoistingPhase.cpp:
3474         (JSC::DFG::TypeCheckHoistingPhase::run):
3475         * dfg/DFGVariableEventStream.cpp:
3476         (JSC::DFG::VariableEventStream::reconstruct const):
3477         * ftl/FTLLowerDFGToB3.cpp:
3478         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3479         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
3480         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
3481         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
3482         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
3483         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3484         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3485         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3486         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3487         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3488         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
3489         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
3490         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
3491         (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
3492         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
3493         (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const):
3494         * ftl/FTLOSRExitCompiler.cpp:
3495         (JSC::FTL::compileStub):
3496         * ftl/FTLOperations.cpp:
3497         (JSC::FTL::operationMaterializeObjectInOSR):
3498         * interpreter/CallFrame.cpp:
3499         (JSC::CallFrame::bytecodeOffset):
3500         * interpreter/StackVisitor.cpp:
3501         (JSC::StackVisitor::unwindToMachineCodeBlockFrame):
3502         (JSC::StackVisitor::readFrame):
3503         (JSC::StackVisitor::readNonInlinedFrame):
3504         (JSC::inlinedFrameOffset):
3505         (JSC::StackVisitor::readInlinedFrame):
3506         * interpreter/StackVisitor.h:
3507         * jit/AssemblyHelpers.cpp:
3508         (JSC::AssemblyHelpers::executableFor):
3509         * jit/AssemblyHelpers.h:
3510         (JSC::AssemblyHelpers::isStrictModeFor):
3511         (JSC::AssemblyHelpers::argumentsStart):
3512         (JSC::AssemblyHelpers::argumentCount):
3513         * jit/PCToCodeOriginMap.cpp:
3514         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
3515         (JSC::PCToCodeOriginMap::findPC const):
3516         * profiler/ProfilerOriginStack.cpp:
3517         (JSC::Profiler::OriginStack::OriginStack):
3518         * profiler/ProfilerOriginStack.h:
3519         * runtime/ErrorInstance.cpp:
3520         (JSC::appendSourceToError):
3521         * runtime/SamplingProfiler.cpp:
3522         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3523
3524 2019-03-20  Devin Rousso  <drousso@apple.com>
3525
3526         Web Inspector: Search: allow DOM searches to be case sensitive
3527         https://bugs.webkit.org/show_bug.cgi?id=194673
3528         <rdar://problem/48087577>
3529
3530         Reviewed by Timothy Hatcher.
3531
3532         Since `DOM.performSearch` also searches by selector and XPath, some results may appear
3533         as unexpected. As an example, searching for "BoDy" will still return the <body> as a result,
3534         as although the literal node name ("BODY") didn't match, it did match via selector/XPath.
3535
3536         * inspector/protocol/DOM.json:
3537         Allow `DOM.performSearch` to be case sensitive.
3538
3539 2019-03-20  Saam Barati  <sbarati@apple.com>
3540
3541         AI rule for ValueBitNot/ValueBitXor/ValueBitAnd/ValueBitOr is wrong
3542         https://bugs.webkit.org/show_bug.cgi?id=195980
3543
3544         Reviewed by Yusuke Suzuki.
3545
3546         They were all saying they could be type: (SpecBoolInt32, SpecBigInt).
3547         However, they should have been type: (SpecInt32Only, SpecBigInt).
3548
3549         * dfg/DFGAbstractInterpreterInlines.h:
3550         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3551
3552 2019-03-20  Michael Catanzaro  <mcatanzaro@igalia.com>
3553
3554         Remove copyRef() calls added in r243163
3555         https://bugs.webkit.org/show_bug.cgi?id=195962
3556
3557         Reviewed by Chris Dumez.
3558
3559         As best I can tell, this may be a GCC 9 bug. It shouldn't warn about this case because the return
3560         value is noncopyable and the WTFMove() is absolutely required. We can avoid the warning
3561         without refcount churn by introducing an intermediate variable.
3562
3563         * inspector/scripts/codegen/cpp_generator_templates.py:
3564
3565 2019-03-20  Carlos Garcia Campos  <cgarcia@igalia.com>
3566
3567         [GLIB] Optimize jsc_value_object_define_property_data|accessor
3568         https://bugs.webkit.org/show_bug.cgi?id=195679
3569
3570         Reviewed by Saam Barati.
3571
3572         Use direct C++ call instead of using the JSC GLib API to create the descriptor object and invoke Object.defineProperty().
3573
3574         * API/glib/JSCValue.cpp:
3575         (jsc_value_object_define_property_data):
3576         (jsc_value_object_define_property_accessor):
3577
3578 2019-03-19  Devin Rousso  <drousso@apple.com>
3579
3580         Web Inspector: Debugger: lazily create the agent
3581         https://bugs.webkit.org/show_bug.cgi?id=195973
3582         <rdar://problem/49039674>
3583
3584         Reviewed by Joseph Pecoraro.
3585
3586         * inspector/JSGlobalObjectInspectorController.cpp:
3587         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3588         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
3589         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3590
3591         * inspector/JSGlobalObjectConsoleClient.h:
3592         (Inspector::JSGlobalObjectConsoleClient::setInspectorDebuggerAgent): Added.
3593         * inspector/JSGlobalObjectConsoleClient.cpp:
3594         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
3595         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
3596         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
3597
3598         * inspector/agents/InspectorDebuggerAgent.h:
3599         (Inspector::InspectorDebuggerAgent::addListener): Added.
3600         (Inspector::InspectorDebuggerAgent::removeListener): Added.
3601         (Inspector::InspectorDebuggerAgent::setListener): Deleted.
3602         * inspector/agents/InspectorDebuggerAgent.cpp:
3603         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
3604         (Inspector::InspectorDebuggerAgent::enable):
3605         (Inspector::InspectorDebuggerAgent::disable):
3606         (Inspector::InspectorDebuggerAgent::getScriptSource):
3607         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3608         (Inspector::InspectorDebuggerAgent::didPause):
3609         (Inspector::InspectorDebuggerAgent::breakProgram):
3610         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
3611         Drive-by: reorder some member variables for better sizing.
3612         Drive-by: rename some member variables for clarity.
3613
3614 2019-03-19  Saam Barati  <sbarati@apple.com>
3615
3616         Prune code after ForceOSRExit
3617         https://bugs.webkit.org/show_bug.cgi?id=195913
3618
3619         Reviewed by Keith Miller.
3620
3621         I removed our original implementation of this in r242989 because
3622         it was not sound. It broke backwards propagation because it removed
3623         uses of a node that backwards propagation relied on to be sound.
3624         Essentially, backwards propagation relies on being able to see uses
3625         that would exist in bytecode to be sound.
3626         
3627         The rollout in r242989 was a 1% Speedometer2 regression. This patch
3628         rolls back in the optimization in a sound way.
3629         
3630         This patch augments the code we had prior to r242989 to be sound. In
3631         addition to preserving liveness, we now also convert all uses after
3632         the ForceOSRExit to be Phantom. This may pessimize the optimizations
3633         we do in backwards propagation, but it will prevent that phase from
3634         making unsound optimizations.
3635
3636         * dfg/DFGByteCodeParser.cpp:
3637         (JSC::DFG::ByteCodeParser::addToGraph):
3638         (JSC::DFG::ByteCodeParser::parse):
3639
3640 2019-03-19  Michael Catanzaro  <mcatanzaro@igalia.com>
3641
3642         Build cleanly with GCC 9
3643         https://bugs.webkit.org/show_bug.cgi?id=195920
3644
3645         Reviewed by Chris Dumez.
3646
3647         WebKit triggers three new GCC 9 warnings:
3648
3649         """
3650         -Wdeprecated-copy, implied by -Wextra, warns about the C++11 deprecation of implicitly
3651         declared copy constructor and assignment operator if one of them is user-provided.
3652         """
3653
3654         Solution is to either add a copy constructor or copy assignment operator, if required, or
3655         else remove one if it is redundant.
3656
3657         """
3658         -Wredundant-move, implied by -Wextra, warns about redundant calls to std::move.
3659         -Wpessimizing-move, implied by -Wall, warns when a call to std::move prevents copy elision.
3660         """
3661
3662         These account for most of this patch. Solution is to just remove the bad WTFMove().
3663
3664         Additionally, -Wclass-memaccess has been enhanced to catch a few cases that GCC 8 didn't.
3665         These are solved by casting nontrivial types to void* before using memcpy. (Of course, it
3666         would be safer to not use memcpy on nontrivial types, but that's too complex for this
3667         patch. Searching for memcpy used with static_cast<void*> will reveal other cases to fix.)
3668
3669         * b3/B3ValueRep.h:
3670         * bindings/ScriptValue.cpp:
3671         (Inspector::jsToInspectorValue):
3672         * bytecode/GetterSetterAccessCase.cpp:
3673         (JSC::GetterSetterAccessCase::create):
3674         (JSC::GetterSetterAccessCase::clone const):
3675         * bytecode/InstanceOfAccessCase.cpp:
3676         (JSC::InstanceOfAccessCase::clone const):
3677         * bytecode/IntrinsicGetterAccessCase.cpp:
3678         (JSC::IntrinsicGetterAccessCase::clone const):
3679         * bytecode/ModuleNamespaceAccessCase.cpp:
3680         (JSC::ModuleNamespaceAccessCase::clone const):
3681         * bytecode/ProxyableAccessCase.cpp:
3682         (JSC::ProxyableAccessCase::clone const):
3683         * bytecode/StructureSet.h:
3684         * debugger/Breakpoint.h:
3685         * dfg/DFGRegisteredStructureSet.h:
3686         * inspector/agents/InspectorDebuggerAgent.cpp:
3687         (Inspector::buildDebuggerLocation):
3688         * inspector/scripts/codegen/cpp_generator_templates.py:
3689         * parser/UnlinkedSourceCode.h:
3690         * wasm/WasmAirIRGenerator.cpp:
3691         (JSC::Wasm::parseAndCompileAir):
3692         * wasm/WasmB3IRGenerator.cpp:
3693         (JSC::Wasm::parseAndCompile):
3694         * wasm/WasmNameSectionParser.cpp:
3695         (JSC::Wasm::NameSectionParser::parse):
3696         * wasm/WasmStreamingParser.cpp:
3697         (JSC::Wasm::StreamingParser::consume):
3698
3699 2019-03-19  Saam Barati  <sbarati@apple.com>
3700
3701         Style fix: remove C style cast in Instruction.h
3702         https://bugs.webkit.org/show_bug.cgi?id=195917
3703
3704         Reviewed by Filip Pizlo.
3705
3706         * bytecode/Instruction.h:
3707         (JSC::Instruction::wide const):
3708
3709 2019-03-19  Devin Rousso  <drousso@apple.com>
3710
3711         Web Inspector: Provide $event in the console when paused on an event listener
3712         https://bugs.webkit.org/show_bug.cgi?id=188672
3713
3714         Reviewed by Timothy Hatcher.
3715
3716         * inspector/InjectedScript.h:
3717         * inspector/InjectedScript.cpp:
3718         (Inspector::InjectedScript::setEventValue): Added.
3719         (Inspector::InjectedScript::clearEventValue): Added.
3720
3721         * inspector/InjectedScriptManager.h:
3722         * inspector/InjectedScriptManager.cpp:
3723         (Inspector::InjectedScriptManager::clearEventValue): Added.
3724
3725         * inspector/InjectedScriptSource.js:
3726         (WI.InjectedScript.prototype.setEventValue): Added.
3727         (WI.InjectedScript.prototype.clearEventValue): Added.
3728         (BasicCommandLineAPI):
3729
3730 2019-03-19  Devin Rousso  <drousso@apple.com>
3731
3732         Web Inspector: ScriptProfiler: lazily create the agent
3733         https://bugs.webkit.org/show_bug.cgi?id=195591
3734         <rdar://problem/48791756>
3735
3736         Reviewed by Joseph Pecoraro.
3737
3738         * inspector/JSGlobalObjectConsoleClient.h:
3739         (Inspector::JSGlobalObjectConsoleClient::setInspectorScriptProfilerAgent): Added.
3740         * inspector/JSGlobalObjectConsoleClient.cpp:
3741         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
3742         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
3743         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
3744
3745         * inspector/JSGlobalObjectInspectorController.cpp:
3746         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3747         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3748
3749 2019-03-19  Devin Rousso  <drousso@apple.com>
3750
3751         Web Inspector: Heap: lazily create the agent
3752         https://bugs.webkit.org/show_bug.cgi?id=195590
3753         <rdar://problem/48791750>
3754
3755         Reviewed by Joseph Pecoraro.
3756
3757         * inspector/agents/InspectorHeapAgent.h:
3758         * inspector/agents/InspectorHeapAgent.cpp:
3759         (Inspector::InspectorHeapAgent::~InspectorHeapAgent): Deleted.
3760
3761         * inspector/agents/InspectorConsoleAgent.h:
3762         (Inspector::InspectorConsoleAgent::setInspectorHeapAgent): Added.
3763         * inspector/agents/InspectorConsoleAgent.cpp:
3764         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
3765         (Inspector::InspectorConsoleAgent::takeHeapSnapshot):
3766         (Inspector::InspectorConsoleAgent::~InspectorConsoleAgent): Deleted.
3767
3768         * inspector/JSGlobalObjectInspectorController.cpp:
3769         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3770         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3771
3772 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
3773
3774         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
3775         https://bugs.webkit.org/show_bug.cgi?id=194648
3776
3777         Reviewed by Keith Miller.
3778
3779         1. Making LLIntThunks singleton.
3780
3781         Motivation: The former implementation has one LLIntThunk per type per VM.
3782         However, the generated code for every kind of thunk is essentially the
3783         same and we end up wasting memory (right now jitAllocationGranule = 32 bytes)
3784         when we have 2 or more VMs instantiated. Turning these thunks into
3785         singletons will avoid such waste.
3786
3787         Tradeoff: This change comes with a price, because we will keep thunks
3788         allocated even when there is no VM instantiated. Considering WebCore use case,
3789         the situation of having no VM instantiated is uncommon, since once a
3790         VM is created through `commonVM()`, it will never be destroyed. Given
3791         that, this change does not impact the overall memory consumption of
3792         WebCore/JSC. It also doesn't impact memory footprint, since thunks are
3793         generated lazily (see results below).
3794
3795         Since we are keeping a static `MacroAssemblerCodeRef<JITThunkPtrTag>`,
3796         we have the assurance that JITed code will never be deallocated,
3797         given it is pointed to by `RefPtr<ExecutableMemoryHandle> m_executableMemory`.
3798         To understand why we decided to make LLIntThunks singleton instead of
3799         removing them, please see the comment on `llint/LLIntThunks.cpp`.
3800
3801         2. Making all LLIntEntrypoints singleton
3802
3803         Motivation: With singleton LLIntThunks, we also can have singleton
3804         DirectJITCodes and NativeJITCodes for each LLIntEntrypoint type and
3805         avoid multiple allocations of objects with the same content.
3806
3807         Tradeoff: As explained before, once we allocate an entrypoint, it
3808         will be alive until the program exits. However, the gains we can
3809         achieve in some use cases justify such allocations.
3810
3811         As DirectJITCode and NativeJITCode are ThreadSafeRefCounted and we are using
3812         `codeBlock->setJITCode(makeRef(*jitCode))`, their reference counter
3813         will never be less than 1.
3814
3815         3. Memory usage analysis
3816
3817         This change reduces memory usage on stress/generate-multiple-llint-entrypoints.js
3818         by 2% and is neutral on JetStream 2. Following results were generated
3819         running each benchmark 6 times and using 95% Student's t distribution
3820         confidence interval.
3821
3822         microbenchmarks/generate-multiple-llint-entrypoints.js (Changes uses less memory): 
3823             Mean of memory peak on ToT: 122576896 bytes (confidence interval: 67747.2316)
3824             Mean of memory peak on Changes: 119248213.33 bytes (confidence interval: 50251.2718)
3825
3826         JetStream2 (Neutral):
3827             Mean of memory peak on ToT: 5442742272 bytes (confidence interval: 134381565.9117)
3828             Mean of memory peak on Changes: 5384949760 bytes (confidence interval: 158413904.8352)
3829
3830         4. Performance Analysis
3831
3832         This change is performance neutral on JetStream 2 and Speedometer 2.
3833         See results below:
3834
3835         JetStream 2 (Neutral):
3836             Mean of score on ToT: 139.58 (confidence interval: 2.44)
3837             Mean of score on Changes: 141.46 (confidence interval: 4.24)
3838
3839         Speedometer run #1
3840            ToT: 110 +- 2.9
3841            Changes: 110 +- 1.8
3842
3843         Speedometer run #2
3844            ToT: 110 +- 1.6
3845            Changes: 108 +- 2.3
3846
3847         Speedometer run #3
3848            ToT: 110 +- 3.0
3849            Changes: 110 +- 1.4
3850
3851         * jit/JSInterfaceJIT.h:
3852         (JSC::JSInterfaceJIT::JSInterfaceJIT):
3853         * llint/LLIntEntrypoint.cpp:
3854
3855         Here we are changing the usage of DirectJITCode by NativeJITCode on cases
3856         where there is no difference from address of calls with and without
3857         ArithCheck.
3858
3859         (JSC::LLInt::setFunctionEntrypoint):
3860         (JSC::LLInt::setEvalEntrypoint):
3861         (JSC::LLInt::setProgramEntrypoint):
3862         (JSC::LLInt::setModuleProgramEntrypoint):
3863         (JSC::LLInt::setEntrypoint):
3864         * llint/LLIntEntrypoint.h:
3865         * llint/LLIntThunks.cpp:
3866         (JSC::LLInt::generateThunkWithJumpTo):
3867         (JSC::LLInt::functionForCallEntryThunk):
3868         (JSC::LLInt::functionForConstructEntryThunk):
3869         (JSC::LLInt::functionForCallArityCheckThunk):
3870         (JSC::LLInt::functionForConstructArityCheckThunk):
3871         (JSC::LLInt::evalEntryThunk):
3872         (JSC::LLInt::programEntryThunk):
3873         (JSC::LLInt::moduleProgramEntryThunk):
3874         (JSC::LLInt::functionForCallEntryThunkGenerator): Deleted.