Web Inspector: Record actions performed on WebGL2RenderingContext
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-05-03  Devin Rousso  <drousso@apple.com>

        Web Inspector: Record actions performed on WebGL2RenderingContext
        https://bugs.webkit.org/show_bug.cgi?id=176008
        <rdar://problem/34213884>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Recording.json:
        * inspector/scripts/codegen/generator.py:
        Add `canvas-webgl2` as a `Type`.

2019-05-03  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r244881.
        https://bugs.webkit.org/show_bug.cgi?id=197559

        Breaks compilation of jsconly on linux, breaking compilation
        for jsc-i386-ews, jsc-mips-ews and jsc-armv7-ews (Requested by
        guijemont on #webkit).

        Reverted changeset:

        "[CMake] Refactor WEBKIT_MAKE_FORWARDING_HEADERS into
        WEBKIT_COPY_FILES"
        https://bugs.webkit.org/show_bug.cgi?id=197174
        https://trac.webkit.org/changeset/244881

2019-05-02  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Refactor WEBKIT_MAKE_FORWARDING_HEADERS into WEBKIT_COPY_FILES
        https://bugs.webkit.org/show_bug.cgi?id=197174

        Reviewed by Alex Christensen.

        Replace WEBKIT_MAKE_FORWARDING_HEADERS with WEBKIT_COPY_FILES and make dependencies
        for framework headers explicit.

        * CMakeLists.txt:

2019-05-02  Michael Saboff  <msaboff@apple.com>

        Unreviewed rollout of r244862.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):

2019-05-01  Saam barati  <sbarati@apple.com>

        Baseline JIT should do argument value profiling after checking for stack overflow
        https://bugs.webkit.org/show_bug.cgi?id=197052
        <rdar://problem/50009602>

        Reviewed by Yusuke Suzuki.

        Otherwise, we may do value profiling without running a write barrier, which
        is against the rules of how we do value profiling.

        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):

2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
        https://bugs.webkit.org/show_bug.cgi?id=197405

        Reviewed by Saam Barati.

        When inlining getter and setter calls, we set up a stack frame which does not appear in the bytecode.
        Because inlining can switch on the executable, we could have a graph like this.

        BB#0
            ...
            30: GetSetter
            31: MovHint(loc10)
            32: SetLocal(loc10)
            33: MovHint(loc9)
            34: SetLocal(loc9)
            ...
            37: GetExecutable(@30)
            ...
            41: Switch(@37)

        BB#2
            42: GetLocal(loc12, bc#7 of caller)
            ...
            --> callee: loc9 and loc10 are arguments of callee.
              ...
              <HERE, exit to callee, loc9 and loc10 are required in the bytecode>

        When we prune OSR availability at the beginning of BB#2 (bc#7 in the caller), we prune loc9 and loc10's liveness because the caller does not actually have loc9 and loc10.
        However, when we begin executing the callee, we need OSR exit to be aware of where it can recover the arguments to the setter, loc9 and loc10.

        This patch inserts MovHint at the beginning of the callee for a getter / setter stack frame to make arguments (loc9 and loc10 in the above example) recoverable from OSR exit.
        We also move arity fixup DFG nodes from the caller to the callee, since moved arguments are not live in the caller either.

        Interestingly, this fix also reveals an existing issue in LiveCatchVariablePreservationPhase. We emitted Flush for |this| of InlineCallFrame blindly if we saw InlineCallFrame
        inside a block which is covered by a catch handler. But this is wrong because an inlined function can finish its execution within the block, and |this| is completely unrelated to
        the catch handler if the catch handler is in the outer callee. We already collect all the live locals at the catch handler. And these locals must include arguments too if the
        catch handler is in the inlined function. So, we should not emit Flush for each |this| of seen InlineCallFrame. This emitted Flush may connect unrelated locals in the catch handler
        to the locals that are only defined and used in the inlined function, and it leads to results like DFG saying the local is live while the bytecode says the local is dead.
        This results in reading and using garbage in OSR entry because DFG OSR entry needs to fill live DFG values from the stack.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):

2019-05-01  Michael Saboff  <msaboff@apple.com>

        ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
        https://bugs.webkit.org/show_bug.cgi?id=197485

        Reviewed by Saam Barati.

        Added an EXCEPTION_ASSERT after call to getOwnPropertySlot().

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):

2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>

        RemoteInspector::updateAutomaticInspectionCandidate should have a default implementation.
        https://bugs.webkit.org/show_bug.cgi?id=197439

        Reviewed by Devin Rousso.

        On non-Cocoa platforms, automatic inspection is not currently implemented,
        so updateAutomaticInspectionCandidate falls back to the logic of updateTarget.
        This logic already existed in three places, so refactor it into a common private method
        and allow our websocket-based RWI implementation to make use of it too.

        * inspector/remote/RemoteInspector.cpp:
        (Inspector::RemoteInspector::updateTarget):
        (Inspector::RemoteInspector::updateTargetMap):
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate): Deleted.
        * inspector/remote/socket/RemoteInspectorSocket.cpp:
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate): Deleted.

2019-05-01  Darin Adler  <darin@apple.com>

        WebKit has too much of its own UTF-8 code and should rely more on ICU's UTF-8 support
        https://bugs.webkit.org/show_bug.cgi?id=195535

        Reviewed by Alexey Proskuryakov.

        * API/JSClassRef.cpp: Removed unneeded include of UTF8Conversion.h.

        * API/JSStringRef.cpp:
        (JSStringCreateWithUTF8CString): Updated for changes to convertUTF8ToUTF16.
        (JSStringGetUTF8CString): Updated for changes to convertLatin1ToUTF8.
        Removed unneeded "true" to get the strict version of convertUTF16ToUTF8,
        since that is the default. Also updated for changes to CompletionResult.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode): Stop using UTF8SequenceLength, and instead use U8_COUNT_TRAIL_BYTES
        and U8_MAX_LENGTH. Instead of decodeUTF8Sequence, use U8_NEXT. Also use U_IS_BMP,
        U_IS_SUPPLEMENTARY, U16_LEAD, U16_TRAIL, and U_IS_SURROGATE instead of our own
        equivalents, since these macros from ICU are correct and efficient.

        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::consumeUTF8String): Updated for changes to
        convertUTF8ToUTF16.

2019-05-01  Shawn Roberts  <sroberts@apple.com>

        Unreviewed, rolling out r244821.

        Causing

        Reverted changeset:

        "WebKit has too much of its own UTF-8 code and should rely
        more on ICU's UTF-8 support"
        https://bugs.webkit.org/show_bug.cgi?id=195535
        https://trac.webkit.org/changeset/244821

2019-04-29  Darin Adler  <darin@apple.com>

        WebKit has too much of its own UTF-8 code and should rely more on ICU's UTF-8 support
        https://bugs.webkit.org/show_bug.cgi?id=195535

        Reviewed by Alexey Proskuryakov.

        * API/JSClassRef.cpp: Removed unneeded include of UTF8Conversion.h.

        * API/JSStringRef.cpp:
        (JSStringCreateWithUTF8CString): Updated for changes to convertUTF8ToUTF16.
        (JSStringGetUTF8CString): Updated for changes to convertLatin1ToUTF8.
        Removed unneeded "true" to get the strict version of convertUTF16ToUTF8,
        since that is the default. Also updated for changes to CompletionResult.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode): Stop using UTF8SequenceLength, and instead use U8_COUNT_TRAIL_BYTES
        and U8_MAX_LENGTH. Instead of decodeUTF8Sequence, use U8_NEXT. Also use U_IS_BMP,
        U_IS_SUPPLEMENTARY, U16_LEAD, U16_TRAIL, and U_IS_SURROGATE instead of our own
        equivalents, since these macros from ICU are correct and efficient.

        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::consumeUTF8String): Updated for changes to
        convertUTF8ToUTF16.

2019-04-30  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r244806.
        https://bugs.webkit.org/show_bug.cgi?id=197446

        Causing Test262 and JSC test failures on multiple builds
        (Requested by ShawnRoberts on #webkit).

        Reverted changeset:

        "TypedArrays should not store properties that are canonical
        numeric indices"
        https://bugs.webkit.org/show_bug.cgi?id=197228
        https://trac.webkit.org/changeset/244806

2019-04-30  Saam barati  <sbarati@apple.com>

        CodeBlock::m_instructionCount is wrong
        https://bugs.webkit.org/show_bug.cgi?id=197304

        Reviewed by Yusuke Suzuki.

        What we were calling instructionCount() was wrong, as evidenced by
        us using it incorrectly both in the sampling profiler and when we
        dumped bytecode for a given CodeBlock. Prior to the bytecode rewrite,
        instructionCount() was probably valid to do bounds checks against.
        However, this is no longer the case. This patch renames what we called
        instructionCount() to bytecodeCost(). It is now only used to make decisions
        about inlining and tier up heuristics. I've also named options related to
        this appropriately.

        This patch also introduces instructionsSize(). The result of this method
        is valid to do bounds checks against.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType const):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::optimizationThresholdScalingFactor):
        (JSC::CodeBlock::predictedMachineCodeSize):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::instructionsSize const):
        (JSC::CodeBlock::bytecodeCost const):
        (JSC::CodeBlock::instructionCount const): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::getInliningBalance):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::isSmallEnoughToInlineCodeInto):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpHeader):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpHeader):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::shouldJIT):
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::Bytecodes):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::tryGetBytecodeIndex):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):

2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>

        TypedArrays should not store properties that are canonical numeric indices
        https://bugs.webkit.org/show_bug.cgi?id=197228
        <rdar://problem/49557381>

        Reviewed by Darin Adler.

        According to the spec[1], TypedArrays should not perform an ordinary GetOwnProperty/SetOwnProperty
        if the index is a CanonicalNumericIndexString, but invalid according to IntegerIndexedElementGet
        and similar functions. I.e., there are a few properties that should not be set in a TypedArray,
        like NaN, Infinity and -0.

        [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-integer-indexed-exotic-objects-defineownproperty-p-desc

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSTypedArrays.cpp:
        * runtime/PropertyName.h:
        (JSC::canonicalNumericIndexString):
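The language-level behaviour that the CanonicalNumericIndexString rule above requires, as an added example (not code from the WebKit project). The sample keys and the 4-element view are constructed here; the key classifier mirrors the spec definition rather than JSC's `canonicalNumericIndexString`.

```javascript
// Added example, not WebKit/JSC code: which string keys a TypedArray may
// never store as own properties, and what an engine must do with them.

// Keys that ARE canonical numeric strings but are NOT valid integer
// indices for a 4-element view (NaN, infinities, -0, non-integers,
// negative, out of range). Constructed sample data.
const INVALID_NUMERIC_KEYS = ["NaN", "Infinity", "-Infinity", "-0", "1.5", "-1", "4"];

// Keys that are NOT canonical numeric strings: ordinary property
// semantics apply, so the property is created on the view like on any object.
const ORDINARY_KEYS = ["01", "+1", "1e0", "foo"];

// Spec definition of CanonicalNumericIndexString: "-0" is special-cased,
// otherwise the string must round-trip through ToNumber and ToString.
function isCanonicalNumericIndexString(key) {
  if (key === "-0") return true;
  return String(Number(key)) === key;
}

// Ordinary assignment, then check whether an own property appeared.
// Reflect.set is used so that strict-mode differences between engine
// versions (older ones threw for a false [[Set]] result) cannot surface
// as an exception here.
function assignAndProbe(key) {
  const ta = new Uint8Array(4);
  Reflect.set(ta, key, 7);
  return {
    ownProperty: Object.prototype.hasOwnProperty.call(ta, key),
    readBack: ta[key],
  };
}

// [[DefineOwnProperty]] must return false for such keys, which makes
// Object.defineProperty throw a TypeError.
function defineThrows(key) {
  const ta = new Uint8Array(4);
  try {
    Object.defineProperty(ta, key, {
      value: 7, writable: true, enumerable: true, configurable: true,
    });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Run every sample key through the three checks.
function summarize() {
  const result = {};
  for (const key of [...INVALID_NUMERIC_KEYS, ...ORDINARY_KEYS]) {
    result[key] = {
      canonical: isCanonicalNumericIndexString(key),
      ...assignAndProbe(key),
      defineThrows: defineThrows(key),
    };
  }
  return result;
}
```

For every key in `INVALID_NUMERIC_KEYS` the view ends up with no own property and `defineProperty` throws, while `"01"` or `"foo"` become ordinary properties holding 7.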

2019-04-30  Brian Burg  <bburg@apple.com>

        Web Automation: use a more informative key to indicate automation availability
        https://bugs.webkit.org/show_bug.cgi?id=197377
        <rdar://problem/50258069>

        Reviewed by Devin Rousso.

        The existing WIRAutomationEnabledKey does not encode uncertainty.
        Add a new key that provides an 'Unknown' state, and prefer to use it.

        Since an application's initial listing is sent from a background dispatch queue
        on Cocoa platforms, this can race with main thread initialization that sets up
        RemoteInspector::Client. Therefore, the initial listing may not properly represent
        the client's capabilities because the client is not yet available. Allowing for
        an "Unknown" state that is later upgraded to Available or Not Available makes it
        possible to work around this potential race.

        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::pushListingsNow):

2019-04-30  Keith Miller  <keith_miller@apple.com>

        Fix failing ARM64E wasm tests
        https://bugs.webkit.org/show_bug.cgi?id=197420

        Reviewed by Saam Barati.

        This patch fixes a bug in the slow path of our JS->Wasm IC bridge
        where we wouldn't untag the link register before tail calling.

        Additionally, this patch fixes a broken assert when setting
        Options::useTailCalls=false.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):

2019-04-29  Saam Barati  <sbarati@apple.com>

        Make JITType an enum class
        https://bugs.webkit.org/show_bug.cgi?id=197394

        Reviewed by Yusuke Suzuki.

        This makes the code more easily searchable.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType const):
        (JSC::CodeBlock::specialOSREntryBlockOrNull):
        (JSC::timeToLive):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::baselineAlternative):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::noticeIncomingCall):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (JSC::CodeBlock::frameRegisterCount):
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitType const):
        (JSC::CodeBlock::hasBaselineJITProfiling const):
        * bytecode/CodeBlockWithJITType.h:
        (JSC::CodeBlockWithJITType::CodeBlockWithJITType):
        * bytecode/DeferredSourceDump.cpp:
        (JSC::DeferredSourceDump::DeferredSourceDump):
        * bytecode/DeferredSourceDump.h:
        * bytecode/ExitingJITType.h:
        (JSC::exitingJITTypeFor):
        * bytecode/InlineCallFrame.h:
        (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpHeader):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::JITCode):
        (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
        (JSC::DFG::JITCode::optimizeNextInvocation):
        (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
        (JSC::DFG::JITCode::optimizeAfterWarmUp):
        (JSC::DFG::JITCode::optimizeSoon):
        (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
        (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOSRExitCompilerCommon.h:
        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
        * dfg/DFGOperations.cpp:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct const):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::JITCode):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::callSiteBitsAreBytecodeOffset const):
        (JSC::CallFrame::callSiteBitsAreCodeOriginIndex const):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::dump const):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::AssemblyHelpers):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITCode.cpp:
        (JSC::JITCode::typeName):
        (WTF::printInternal):
        * jit/JITCode.h:
        (JSC::JITCode::bottomTierJIT):
        (JSC::JITCode::topTierJIT):
        (JSC::JITCode::nextTierJIT):
        (JSC::JITCode::isExecutableScript):
        (JSC::JITCode::couldBeInterpreted):
        (JSC::JITCode::isJIT):
        (JSC::JITCode::isOptimizingJIT):
        (JSC::JITCode::isBaselineCode):
        (JSC::JITCode::jitTypeFor):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpHeader):
        * jit/JITOperations.cpp:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITToDFGDeferredCompilationCallback.cpp:
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::compileLater):
        (JSC::JITWorklist::compileNow):
        * jit/Repatch.cpp:
        (JSC::readPutICCallTarget):
        (JSC::ftlThunkAwareRepatchCall):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/SamplingProfiler.h:
        * runtime/VM.cpp:
        (JSC::jitCodeForCallTrampoline):
        (JSC::jitCodeForConstructTrampoline):
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::sample):
        * tools/JSDollarVM.cpp:
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::CallerFrameJITTypeFunctor::jitType):
        (JSC::functionLLintTrue):
        (JSC::functionJITTrue):

2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix FTL implementation of r244760
        https://bugs.webkit.org/show_bug.cgi?id=197362

        Reviewed by Saam Barati.

        Looked with Saam. ValueFromBlock from double case block was overridden by NaN thing now.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):

2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
        https://bugs.webkit.org/show_bug.cgi?id=197362

        Reviewed by Saam Barati.

        Our Map/Set's hash algorithm relies on the bit pattern of JSValue. So our Map/Set has
        normalization of the key, which normalizes Int32 / Double etc. But we did not normalize
        pure NaNs into one canonicalized pure NaN. So we end up having multiple different pure NaNs
        in one Map/Set. This patch normalizes NaN into one jsNaN(), which uses PNaN for the representation.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
        * runtime/HashMapImpl.h:
        (JSC::normalizeMapKey):
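What the key normalization above has to guarantee at the language level, as an added example (not JSC code): NaNs with different bit patterns, constructed here through a DataView, must collapse to a single Map/Set key because Map and Set compare keys with SameValueZero. The sample NaN payloads are constructed for this example.

```javascript
// Added example, not WebKit/JSC code: every NaN bit pattern must act as the
// same Map/Set key, which is what normalizing keys to one pure NaN provides.

// Build a double from explicit IEEE-754 bits (high 32-bit word, low word).
function doubleFromBits(hi, lo) {
  const view = new DataView(new ArrayBuffer(8));
  view.setUint32(0, hi); // DataView is big-endian by default: high word first
  view.setUint32(4, lo);
  return view.getFloat64(0);
}

// Read a double back out as its two 32-bit halves.
function bitsOf(x) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, x);
  return [view.getUint32(0), view.getUint32(4)];
}

// Constructed sample NaNs: the canonical quiet NaN, one carrying a payload,
// and one with the sign bit set.
const SAMPLE_NANS = {
  quiet: doubleFromBits(0x7ff80000, 0x00000000),
  payload: doubleFromBits(0x7ff80000, 0xdeadbeef),
  negative: doubleFromBits(0xfff80000, 0x00000001),
};

// Whether this engine kept the three payloads distinct through the DataView
// round trip. The spec permits canonicalizing NaN on read, so this is only
// informational; the Map/Set results below must hold either way.
function enginePreservesPayloads() {
  const seen = new Set(Object.values(SAMPLE_NANS).map((n) => bitsOf(n).join(":")));
  return seen.size === Object.keys(SAMPLE_NANS).length;
}

// All three inserts must land on one entry, and a lookup with a freshly
// produced NaN (0 / 0) must find it; the last insert wins the value.
function mapCollapsesNaNs() {
  const m = new Map();
  for (const [name, nan] of Object.entries(SAMPLE_NANS)) m.set(nan, name);
  return {
    size: m.size,
    lookup: m.get(0 / 0),
    keyIsNaN: Number.isNaN([...m.keys()][0]),
  };
}

// Set shares the same normalization requirement.
function setCollapsesNaNs() {
  const s = new Set(Object.values(SAMPLE_NANS));
  return { size: s.size, hasFreshNaN: s.has(Number.NaN) };
}
```

An engine that hashed the raw bit pattern without normalizing would report a size of 3 and miss the lookup, which is the bug the entry describes.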

2019-04-29  Alex Christensen  <achristensen@webkit.org>

        <rdar://problem/50299396> Fix internal High Sierra build
        https://bugs.webkit.org/show_bug.cgi?id=197388

        * Configurations/Base.xcconfig:

2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        JITStubRoutineSet wastes 180KB of HashTable capacity on can.com
        https://bugs.webkit.org/show_bug.cgi?id=186732

        Reviewed by Saam Barati.

        Our current mechanism of JITStubRoutineSet consumes more memory than needed. Basically we have HashMap<uintptr_t, StubRoutine*> and register
        each executable address by 16 bytes to this entry. So if your StubRoutine has 128 bytes, it just adds 8 entries to this hash table.
        In Gmail, we see a ~2MB table size.

        Instead, this patch uses Vector<pair<uintptr_t, StubRoutine*>> and performs binary search onto this sorted vector. Before conservative
        scanning, we sort this vector. Then we do a binary search with the sorted vector to find executing stub routines from the conservative roots.
        This vector includes uintptr_t startAddress to make binary searching fast.

        A large amount of conservative scanning should be filtered out by the range check, so I think binary search here is OK, but we can decide based on what the
        performance bots say.

        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * heap/JITStubRoutineSet.cpp:
        (JSC::JITStubRoutineSet::~JITStubRoutineSet):
        (JSC::JITStubRoutineSet::add):
        (JSC::JITStubRoutineSet::prepareForConservativeScan):
        (JSC::JITStubRoutineSet::clearMarks):
        (JSC::JITStubRoutineSet::markSlow):
        (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
        (JSC::JITStubRoutineSet::traceMarkedStubRoutines):
        * heap/JITStubRoutineSet.h:
        (JSC::JITStubRoutineSet::mark):
        (JSC::JITStubRoutineSet::prepareForConservativeScan):
        (JSC::JITStubRoutineSet::size const): Deleted.
        (JSC::JITStubRoutineSet::at const): Deleted.

2019-04-29  Basuke Suzuki  <Basuke.Suzuki@sony.com>

        [Win] Add flag to enable version information stamping and disable by default.
        https://bugs.webkit.org/show_bug.cgi?id=197249
        <rdar://problem/50224412>

        Reviewed by Ross Kirsling.

        This feature is only used in the AppleWin port. Add a flag for this task and make it OFF by default.
        Then enable it by default on AppleWin.

        * CMakeLists.txt:

2019-04-26  Keith Rollin  <krollin@apple.com>

        Enable new build rule for post-processing headers when using XCBuild
        https://bugs.webkit.org/show_bug.cgi?id=197340
        <rdar://problem/50226685>

        Reviewed by Brent Fulgham.

        In Bug 197116, we conditionally disabled the old method for
        post-processing header files when we are using the new XCBuild build
        system. This check-in conditionally enables the new post-processing
        facility. Note that the old system is disabled and the new system
        enabled only when the USE_NEW_BUILD_SYSTEM environment variable is set
        to YES.

        * Configurations/JavaScriptCore.xcconfig:

2019-04-26  Jessie Berlin  <jberlin@webkit.org>

        Add new mac target numbers
        https://bugs.webkit.org/show_bug.cgi?id=197313

        Reviewed by Alex Christensen.

        * Configurations/Version.xcconfig:
        * Configurations/WebKitTargetConditionals.xcconfig:

2019-04-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r244708.
        https://bugs.webkit.org/show_bug.cgi?id=197334

        "Broke the debug build" (Requested by rmorisset on #webkit).

        Reverted changeset:

        "All prototypes should call didBecomePrototype()"
        https://bugs.webkit.org/show_bug.cgi?id=196315
        https://trac.webkit.org/changeset/244708

2019-04-26  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Add WEBKIT_EXECUTABLE macro
        https://bugs.webkit.org/show_bug.cgi?id=197206

        Reviewed by Konstantin Tokarev.

        Migrate to WEBKIT_EXECUTABLE for the jsc and test targets.

        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        * dfg/testdfg.cpp:
        * shell/CMakeLists.txt:
        * shell/PlatformGTK.cmake:
        * shell/PlatformJSCOnly.cmake: Removed.
        * shell/PlatformMac.cmake:
        * shell/PlatformPlayStation.cmake:
        * shell/PlatformWPE.cmake:
        * shell/PlatformWin.cmake:

2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] linkPolymorphicCall now does GC
        https://bugs.webkit.org/show_bug.cgi?id=197306

        Reviewed by Saam Barati.

        Previously, we assumed that linkPolymorphicCall does not perform allocations. So we put CallVariant into a Vector<>.
        But now, WebAssemblyFunction's entrypoint generation can allocate JSToWasmICCallee and cause GC. Since CallLinkInfo
        does not hold these cells, they can be collected, and we will see dead cells in the middle of linkPolymorphicCall.
        We should defer GC for a while in linkPolymorphicCall. We use DeferGCForAWhile instead of DeferGC because the
        caller "operationLinkPolymorphicCall" assumes that this function does not cause GC.

        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):

2019-04-26  Robin Morisset  <rmorisset@apple.com>

        All prototypes should call didBecomePrototype()
        https://bugs.webkit.org/show_bug.cgi?id=196315

        Reviewed by Saam Barati.

        Otherwise we won't remember to run haveABadTime() when someone adds an indexed accessor to them.

        I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't
        create structures with invalid prototypes.
        It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation().
        Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype.

        * runtime/BigIntPrototype.cpp:
        (JSC::BigIntPrototype::finishCreation):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        * runtime/IntlPluralRulesPrototype.cpp:
        (JSC::IntlPluralRulesPrototype::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::finishCreation):
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::createConsoleProperty):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::finishCreation):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::JSTypedArrayViewConstructor::finishCreation):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/Structure.cpp:
        (JSC::Structure::isValidPrototype):
        (JSC::Structure::changePrototypeTransition):
725         * runtime/Structure.h:
726         * runtime/SymbolPrototype.cpp:
727         (JSC::SymbolPrototype::finishCreation):
728         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
729         (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
730         * wasm/js/WebAssemblyInstancePrototype.cpp:
731         (JSC::WebAssemblyInstancePrototype::finishCreation):
732         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
733         (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
734         * wasm/js/WebAssemblyMemoryPrototype.cpp:
735         (JSC::WebAssemblyMemoryPrototype::finishCreation):
736         * wasm/js/WebAssemblyModulePrototype.cpp:
737         (JSC::WebAssemblyModulePrototype::finishCreation):
738         * wasm/js/WebAssemblyPrototype.cpp:
739         (JSC::WebAssemblyPrototype::finishCreation):
740         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
741         (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
742         * wasm/js/WebAssemblyTablePrototype.cpp:
743         (JSC::WebAssemblyTablePrototype::finishCreation):
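
An added example, not code from the WebKit change, showing the JavaScript-visible behaviour that didBecomePrototype()/haveABadTime() exist to keep correct: once an object that serves as a prototype gains an indexed accessor, reads of missing indices on anything inheriting from it (including holes in arrays, and array methods that read them) must reach that accessor. It uses a private prototype chain rather than the built-in prototypes.

```javascript
// Added example (not from the WebKit patch). A private prototype chain is
// used so the built-in prototypes are left untouched; the observable effect
// is the same one the change guards inside JSC.
function demoIndexedAccessorOnPrototype() {
  // A prototype that itself inherits from Array.prototype, so a real array
  // can be re-parented onto it without losing array behaviour.
  const proto = Object.create(Array.prototype);
  const holey = [1, , 3];          // index 1 is a hole
  Object.setPrototypeOf(holey, proto);
  const plain = Object.create(proto);

  const beforeHoley = holey[1];    // undefined: hole, nothing on the chain
  const beforePlain = plain[1];    // undefined

  // This is the transition the change must not miss: `proto` now has an
  // indexed accessor, so every object inheriting from it changes what an
  // indexed read of a missing element returns.
  let getterCalls = 0;
  Object.defineProperty(proto, 1, {
    get() { getterCalls += 1; return "from prototype accessor"; },
    configurable: true,
  });

  return {
    beforeHoley,
    beforePlain,
    afterHoley: holey[1],          // the hole now reaches the accessor
    afterPlain: plain[1],          // so does a plain inheriting object
    includesSees: holey.includes("from prototype accessor"), // array methods too
    ownStillWins: holey[0],        // own elements are unaffected: 1
    getterCalls,                   // 3: one per read that hit the accessor
  };
}
```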
744
745 2019-04-26  Don Olmstead  <don.olmstead@sony.com>
746
747         Add WTF::findIgnoringASCIICaseWithoutLength to replace strcasestr
748         https://bugs.webkit.org/show_bug.cgi?id=197291
749
750         Reviewed by Konstantin Tokarev.
751
752         Replace uses of strcasestr with WTF::findIgnoringASCIICaseWithoutLength.
753
754         * API/tests/testapi.cpp:
755         * assembler/testmasm.cpp:
756         * b3/air/testair.cpp:
757         * b3/testb3.cpp:
758         * dfg/testdfg.cpp:
759         * dynbench.cpp:
760
761 2019-04-25  Fujii Hironori  <Hironori.Fujii@sony.com>
762
763         Unreviewed, rolling out r244669.
764
765         Windows ports can't clean build.
766
767         Reverted changeset:
768
769         "[Win] Add flag to enable version information stamping and
770         disable by default."
771         https://bugs.webkit.org/show_bug.cgi?id=197249
772         https://trac.webkit.org/changeset/244669
773
774 2019-04-25  Basuke Suzuki  <Basuke.Suzuki@sony.com>
775
776         [Win] Add flag to enable version information stamping and disable by default.
777         https://bugs.webkit.org/show_bug.cgi?id=197249
778
779         Reviewed by Ross Kirsling.
780
781         This feature is only used in AppleWin port. Add flag for this task and make it OFF by default.
782         Then enable it by default on AppleWin.
783
784         * CMakeLists.txt:
785
786 2019-04-25  Timothy Hatcher  <timothy@apple.com>
787
788         Disable date and time inputs on iOSMac.
789         https://bugs.webkit.org/show_bug.cgi?id=197287
790         rdar://problem/46794376
791
792         Reviewed by Wenson Hsieh.
793
794         * Configurations/FeatureDefines.xcconfig:
795
796 2019-04-25  Alex Christensen  <achristensen@webkit.org>
797
798         Fix more builds after r244653
799         https://bugs.webkit.org/show_bug.cgi?id=197131
800
801         * b3/B3Value.h:
802         There is an older system with libc++ headers that don't have std::conjunction.  Just use constexpr and && instead for the one use of it in WebKit.
803
804 2019-04-25  Basuke Suzuki  <Basuke.Suzuki@sony.com>
805
806         [RemoteInspector] Fix connection and target identifier types.
807         https://bugs.webkit.org/show_bug.cgi?id=197243
808
809         Reviewed by Ross Kirsling.
810
811         Give dedicated type for RemoteControllableTarget's identifier as Inspector::TargetID.
812
813         Also rename ClientID type used in Socket backend to ConnectionID because this is the identifier
814         socket endpoint assigns to the newly created connection. The size was changed to uint32_t,
815         which is enough for managing connections.
816
817         * inspector/remote/RemoteConnectionToTarget.cpp:
818         (Inspector::RemoteConnectionToTarget::setup):
819         (Inspector::RemoteConnectionToTarget::close):
820         (Inspector::RemoteConnectionToTarget::targetIdentifier const):
821         * inspector/remote/RemoteConnectionToTarget.h:
822         * inspector/remote/RemoteControllableTarget.h:
823         * inspector/remote/RemoteInspector.cpp:
824         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
825         (Inspector::RemoteInspector::registerTarget):
826         (Inspector::RemoteInspector::unregisterTarget):
827         (Inspector::RemoteInspector::updateTarget):
828         (Inspector::RemoteInspector::setupFailed):
829         (Inspector::RemoteInspector::setupCompleted):
830         (Inspector::RemoteInspector::waitingForAutomaticInspection):
831         (Inspector::RemoteInspector::updateTargetListing):
832         * inspector/remote/RemoteInspector.h:
833         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
834         (Inspector::RemoteConnectionToTarget::targetIdentifier const):
835         (Inspector::RemoteConnectionToTarget::setup):
836         (Inspector::RemoteConnectionToTarget::close):
837         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
838         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
839         (Inspector::RemoteInspector::sendMessageToRemote):
840         (Inspector::RemoteInspector::receivedSetupMessage):
841         (Inspector::RemoteInspector::receivedDataMessage):
842         (Inspector::RemoteInspector::receivedDidCloseMessage):
843         (Inspector::RemoteInspector::receivedIndicateMessage):
844         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
845         * inspector/remote/glib/RemoteInspectorGlib.cpp:
846         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
847         (Inspector::RemoteInspector::sendMessageToRemote):
848         (Inspector::RemoteInspector::receivedSetupMessage):
849         (Inspector::RemoteInspector::receivedDataMessage):
850         (Inspector::RemoteInspector::receivedCloseMessage):
851         (Inspector::RemoteInspector::setup):
852         (Inspector::RemoteInspector::sendMessageToTarget):
853         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
854         (Inspector::RemoteInspectorConnectionClient::didReceiveWebInspectorEvent):
855         * inspector/remote/socket/RemoteInspectorConnectionClient.h:
856         (Inspector::RemoteInspectorConnectionClient::didAccept):
857         * inspector/remote/socket/RemoteInspectorMessageParser.cpp:
858         (Inspector::MessageParser::MessageParser):
859         (Inspector::MessageParser::parse):
860         * inspector/remote/socket/RemoteInspectorMessageParser.h:
861         (Inspector::MessageParser::setDidParseMessageListener):
862         * inspector/remote/socket/RemoteInspectorServer.cpp:
863         (Inspector::RemoteInspectorServer::didAccept):
864         (Inspector::RemoteInspectorServer::didClose):
865         (Inspector::RemoteInspectorServer::dispatchMap):
866         (Inspector::RemoteInspectorServer::sendWebInspectorEvent):
867         (Inspector::RemoteInspectorServer::sendCloseEvent):
868         (Inspector::RemoteInspectorServer::connectionClosed):
869         * inspector/remote/socket/RemoteInspectorServer.h:
870         * inspector/remote/socket/RemoteInspectorSocket.cpp:
871         (Inspector::RemoteInspector::didClose):
872         (Inspector::RemoteInspector::sendMessageToRemote):
873         (Inspector::RemoteInspector::setup):
874         (Inspector::RemoteInspector::sendMessageToTarget):
875         * inspector/remote/socket/RemoteInspectorSocket.h:
876         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
877         (Inspector::RemoteInspectorSocketEndpoint::connectInet):
878         (Inspector::RemoteInspectorSocketEndpoint::isListening):
879         (Inspector::RemoteInspectorSocketEndpoint::workerThread):
880         (Inspector::RemoteInspectorSocketEndpoint::createClient):
881         (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
882         (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
883         (Inspector::RemoteInspectorSocketEndpoint::send):
884         (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
885         * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
886
887 2019-04-25  Alex Christensen  <achristensen@webkit.org>
888
889         Start using C++17
890         https://bugs.webkit.org/show_bug.cgi?id=197131
891
892         Reviewed by Darin Adler.
893
894         * Configurations/Base.xcconfig:
895
896 2019-04-25  Alex Christensen  <achristensen@webkit.org>
897
898         Remove DeprecatedOptional
899         https://bugs.webkit.org/show_bug.cgi?id=197161
900
901         Reviewed by Darin Adler.
902
903         We need to keep a symbol exported from JavaScriptCore for binary compatibility with iOS12.
904         We need this symbol to be in a file that doesn't include anything because libcxx's implementation of
905         std::optional is actually std::__1::optional, which has a different mangled name.  This change will
906         prevent protocol errors from being reported if you are running the iOS12 simulator with a custom build of WebKit
907         and using the web inspector with it, but it's necessary to allow us to start using C++17 in WebKit.
908
909         * JavaScriptCore.xcodeproj/project.pbxproj:
910         * inspector/InspectorBackendDispatcher.cpp:
911         * inspector/InspectorBackendDispatcher.h:
912         * inspector/InspectorBackendDispatcherCompatibility.cpp: Added.
913         (Inspector::BackendDispatcher::reportProtocolError):
914         * inspector/InspectorBackendDispatcherCompatibility.h: Added.
915
916 2019-04-24  Saam Barati  <sbarati@apple.com>
917
918         Add SPI callbacks for before and after module execution
919         https://bugs.webkit.org/show_bug.cgi?id=197244
920         <rdar://problem/50180511>
921
922         Reviewed by Yusuke Suzuki.
923
924         This is helpful for clients that want to profile execution of modules
925         in some way. E.g., if they want to time module execution time.
926
927         * API/JSAPIGlobalObject.h:
928         * API/JSAPIGlobalObject.mm:
929         (JSC::JSAPIGlobalObject::moduleLoaderEvaluate):
930         * API/JSContextPrivate.h:
931         * API/tests/testapi.mm:
932         (+[JSContextFetchDelegate contextWithBlockForFetch:]):
933         (-[JSContextFetchDelegate willEvaluateModule:]):
934         (-[JSContextFetchDelegate didEvaluateModule:]):
935         (testFetch):
936         (testFetchWithTwoCycle):
937         (testFetchWithThreeCycle):
938         (testLoaderResolvesAbsoluteScriptURL):
939         (testLoaderRejectsNilScriptURL):
940         * runtime/JSModuleLoader.cpp:
941         (JSC::JSModuleLoader::evaluate):
942         (JSC::JSModuleLoader::evaluateNonVirtual):
943         * runtime/JSModuleLoader.h:
944
945 2019-04-23  Yusuke Suzuki  <ysuzuki@apple.com>
946
947         [JSC] Shrink DFG::MinifiedNode
948         https://bugs.webkit.org/show_bug.cgi?id=197224
949
950         Reviewed by Filip Pizlo.
951
952         Since it is kept alive with compiled DFG code, we should shrink it to save memory.
953         If it is effective, we should consider minimizing these OSR exit data more aggressively.
954
955         * dfg/DFGMinifiedNode.h:
956
957 2019-04-23  Saam Barati  <sbarati@apple.com>
958
959         LICM incorrectly assumes it'll never insert a node which provably OSR exits
960         https://bugs.webkit.org/show_bug.cgi?id=196721
961         <rdar://problem/49556479>
962
963         Reviewed by Filip Pizlo.
964
965         Previously, we assumed LICM could never hoist code that caused us
966         to provably OSR exit. This is a bad assumption, as we may very well
967         hoist such code. Obviously hoisting such code is not ideal. We shouldn't
968         hoist something we provably know will OSR exit. However, this is super rare,
969         and the phase is written in such a way where it's easier to gracefully
970         handle this case than to prevent us from hoisting such code.
971         
972         If we wanted to ensure we never hoisted code that would provably exit, we'd
973         have to teach the phase to know when it inserted code that provably exits. I
974         saw two ways to do that:
975         1: Save and restore the AI state before actually hoisting.
976         2: Write an analysis that can determine if such a node would exit.
977         
978         (1) is bad because it costs in memory and compile time. (2) will inevitably
979         have bugs as running into this condition is rare.
980         
981         So instead of (1) or (2), I opted to have LICM gracefully handle when
982         it causes a provable exit. When we encounter this, we mark all blocks
983         in the loop as !cfaHasVisited and !cfaDidFinish.
984
985         * dfg/DFGLICMPhase.cpp:
986         (JSC::DFG::LICMPhase::attemptHoist):
987
988 2019-04-23  Yusuke Suzuki  <ysuzuki@apple.com>
989
990         [JSC] Use node index as DFG::MinifiedID
991         https://bugs.webkit.org/show_bug.cgi?id=197186
992
993         Reviewed by Saam Barati.
994
995         DFG Nodes can be identified with index if the graph is given. We should use unsigned index as a DFG::MinifiedID's underlying
996         source instead of Node* to reduce the size of VariableEvent from 16 to 12. Vector<VariableEvent> is the main data in DFG's OSR
997         tracking. It is kept after DFG compilation is done to make OSR work. We saw that this is allocated with large size in GMail.
998
999         * JavaScriptCore.xcodeproj/project.pbxproj:
1000         * bytecode/DataFormat.h:
1001         * bytecode/ValueRecovery.h:
1002         * dfg/DFGGenerationInfo.h:
1003         * dfg/DFGMinifiedID.h:
1004         (JSC::DFG::MinifiedID::MinifiedID):
1005         (JSC::DFG::MinifiedID::operator! const):
1006         (JSC::DFG::MinifiedID::operator== const):
1007         (JSC::DFG::MinifiedID::operator!= const):
1008         (JSC::DFG::MinifiedID::operator< const):
1009         (JSC::DFG::MinifiedID::operator> const):
1010         (JSC::DFG::MinifiedID::operator<= const):
1011         (JSC::DFG::MinifiedID::operator>= const):
1012         (JSC::DFG::MinifiedID::hash const):
1013         (JSC::DFG::MinifiedID::dump const):
1014         (JSC::DFG::MinifiedID::isHashTableDeletedValue const):
1015         (JSC::DFG::MinifiedID::fromBits):
1016         (JSC::DFG::MinifiedID::bits const):
1017         (JSC::DFG::MinifiedID::invalidIndex):
1018         (JSC::DFG::MinifiedID::otherInvalidIndex):
1019         (JSC::DFG::MinifiedID::node const): Deleted.
1020         (JSC::DFG::MinifiedID::invalidID): Deleted.
1021         (JSC::DFG::MinifiedID::otherInvalidID): Deleted.
1022         * dfg/DFGMinifiedIDInlines.h: Copied from Source/JavaScriptCore/dfg/DFGMinifiedNode.cpp.
1023         (JSC::DFG::MinifiedID::MinifiedID):
1024         * dfg/DFGMinifiedNode.cpp:
1025         * dfg/DFGValueSource.h:
1026         (JSC::DFG::ValueSource::ValueSource):
1027         * dfg/DFGVariableEvent.h:
1028         (JSC::DFG::VariableEvent::dataFormat const):
1029
1030 2019-04-23  Keith Rollin  <krollin@apple.com>
1031
1032         Add Xcode version check for Header post-processing scripts
1033         https://bugs.webkit.org/show_bug.cgi?id=197116
1034         <rdar://problem/50058968>
1035
1036         Reviewed by Brent Fulgham.
1037
1038         There are several places in our Xcode projects that post-process
1039         header files after they've been exported. Because of XCBuild, we're
1040         moving to a model where the post-processing is performed at the same
1041         time the header files are exported, rather than as a distinct
1042         post-processing step. This patch disables the distinct step when the
1043         inline processing is available.
1044
1045         In practice, this means prefixing appropriate post-processing Custom
1046         Build phases with:
1047
1048         if [ "${XCODE_VERSION_MAJOR}" -ge "1100" -a "${USE_NEW_BUILD_SYSTEM}" = "YES" ]; then
1049             # In this configuration, post-processing is performed at the same time as copying in the postprocess-header-rule script, so there's no need for this separate step.
1050             exit 0
1051         fi
1052
1053         * JavaScriptCore.xcodeproj/project.pbxproj:
1054
1055 2019-04-23  Commit Queue  <commit-queue@webkit.org>
1056
1057         Unreviewed, rolling out r244558.
1058         https://bugs.webkit.org/show_bug.cgi?id=197219
1059
1060         Causing crashes on iOS Sim Release and Debug (Requested by
1061         ShawnRoberts on #webkit).
1062
1063         Reverted changeset:
1064
1065         "Remove DeprecatedOptional"
1066         https://bugs.webkit.org/show_bug.cgi?id=197161
1067         https://trac.webkit.org/changeset/244558
1068
1069 2019-04-23  Devin Rousso  <drousso@apple.com>
1070
1071         Web Inspector: Uncaught Exception: null is not an object (evaluating 'this.ownerDocument.frameIdentifier')
1072         https://bugs.webkit.org/show_bug.cgi?id=196420
1073         <rdar://problem/49444205>
1074
1075         Reviewed by Timothy Hatcher.
1076
1077         * inspector/protocol/DOM.json:
1078         Modify the existing `frameId` to represent the owner frame of the node, rather than the
1079         frame it holds (in the case of an `<iframe>`).
1080
1081 2019-04-23  Alex Christensen  <achristensen@webkit.org>
1082
1083         Remove DeprecatedOptional
1084         https://bugs.webkit.org/show_bug.cgi?id=197161
1085
1086         Reviewed by Darin Adler.
1087
1088         * inspector/InspectorBackendDispatcher.cpp:
1089         * inspector/InspectorBackendDispatcher.h:
1090
1091 2019-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
1092
1093         [JSC] Use volatile load to populate backing page in MarkedBlock::Footer instead of using holdLock
1094         https://bugs.webkit.org/show_bug.cgi?id=197152
1095
1096         Reviewed by Saam Barati.
1097
1098         Emit volatile load instead of using holdLock to populate backing page in MarkedBlock::Footer.
1099
1100         * heap/BlockDirectory.cpp:
1101         (JSC::BlockDirectory::isPagedOut):
1102         * heap/MarkedBlock.h:
1103         (JSC::MarkedBlock::populatePage const):
1104
1105 2019-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
1106
1107         [JSC] useJIT should subsume useRegExpJIT
1108         https://bugs.webkit.org/show_bug.cgi?id=197153
1109
1110         Reviewed by Alex Christensen.
1111
1112         useJIT should subsume useRegExpJIT. We should immediately disable JIT feature if useJIT = false,
1113         even if useRegExpJIT is true.
1114
1115         * dfg/DFGCapabilities.cpp:
1116         (JSC::DFG::isSupported):
1117         * runtime/Options.cpp:
1118         (JSC::recomputeDependentOptions):
1119         * runtime/RegExp.cpp:
1120         (JSC::RegExp::compile):
1121         (JSC::RegExp::compileMatchOnly):
1122         * runtime/VM.cpp:
1123         (JSC::enableAssembler):
1124         (JSC::VM::canUseRegExpJIT): Deleted.
1125         * runtime/VM.h:
1126
1127 2019-04-22  Basuke Suzuki  <basuke.suzuki@sony.com>
1128
1129         [PlayStation] Restructuring Remote Inspector classes to support multiple platforms.
1130         https://bugs.webkit.org/show_bug.cgi?id=197030
1131
1132         Reviewed by Don Olmstead.
1133
1134         Restructuring the PlayStation's RemoteInspector backend, which uses native sockets for communication, to be ready for WinCairo.
1135
1136         What we did is basically:
1137         - Renamed `remote/playstation/` to `remote/socket/`. This directory now holds the platform-independent implementation of the socket backend.
1138         - Renamed `RemoteInspectorSocket` class to `RemoteInspectorSocketEndpoint`. This class is platform independent and is the core of the backend.
1139         - Merged `RemoteInspectorSocket{Client|Server}` classes into `RemoteInspectorSocketEndpoint` class because the differences are small.
1140         - Defined new interface functions in the `Inspector::Socket` (new) namespace.
1141         - Moved POSIX socket implementation into `posix\RemoteInspectorSocketPOSIX.{h|cpp}`.
1142
1143         * PlatformPlayStation.cmake:
1144         * inspector/remote/RemoteInspector.h:
1145         * inspector/remote/playstation/RemoteInspectorSocketClient.h: Merged into RemoteInspectorSocketEndpoint.
1146         * inspector/remote/playstation/RemoteInspectorSocketClientPlayStation.cpp: Merged into RemoteInspectorSocketEndpoint.
1147         * inspector/remote/playstation/RemoteInspectorSocketPlayStation.cpp: Removed.
1148         * inspector/remote/playstation/RemoteInspectorSocketServer.h: Merged into RemoteInspectorSocketEndpoint.
1149         * inspector/remote/playstation/RemoteInspectorSocketServerPlayStation.cpp: Merged into RemoteInspectorSocketEndpoint.
1150         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp: Renamed from inspector\remote\playstation\RemoteInspectorConnectionClientPlayStation.cpp.
1151         * inspector/remote/socket/RemoteInspectorConnectionClient.h: Renamed from inspector\remote\playstation\RemoteInspectorConnectionClient.h.
1152         (Inspector::RemoteInspectorConnectionClient::didAccept):
1153         * inspector/remote/socket/RemoteInspectorMessageParser.cpp: Renamed from inspector\remote\playstation\RemoteInspectorMessageParserPlayStation.cpp.
1154         * inspector/remote/socket/RemoteInspectorMessageParser.h: Renamed from inspector\remote\playstation\RemoteInspectorMessageParser.h.
1155         * inspector/remote/socket/RemoteInspectorServer.cpp: Renamed from inspector\remote\playstation\RemoteInspectorServerPlayStation.cpp.
1156         (Inspector::RemoteInspectorServer::didAccept):
1157         (Inspector::RemoteInspectorServer::start):
1158         * inspector/remote/socket/RemoteInspectorServer.h: Renamed from inspector\remote\playstation\RemoteInspectorServer.h.
1159         * inspector/remote/socket/RemoteInspectorSocket.cpp: Renamed from inspector\remote\playstation\RemoteInspectorPlayStation.cpp.
1160         (Inspector::RemoteInspector::start):
1161         * inspector/remote/socket/RemoteInspectorSocket.h: Copied from inspector\remote\playstation\RemoteInspectorSocket.h.
1162         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: Added.
1163         (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint):
1164         (Inspector::RemoteInspectorSocketEndpoint::~RemoteInspectorSocketEndpoint):
1165         (Inspector::RemoteInspectorSocketEndpoint::wakeupWorkerThread):
1166         (Inspector::RemoteInspectorSocketEndpoint::connectInet):
1167         (Inspector::RemoteInspectorSocketEndpoint::listenInet):
1168         (Inspector::RemoteInspectorSocketEndpoint::isListening):
1169         (Inspector::RemoteInspectorSocketEndpoint::workerThread):
1170         (Inspector::RemoteInspectorSocketEndpoint::createClient):
1171         (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
1172         (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
1173         (Inspector::RemoteInspectorSocketEndpoint::send):
1174         (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
1175         * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: Renamed from inspector\remote\playstation\RemoteInspectorSocket.h.
1176         * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: Added.
1177         (Inspector::Socket::connect):
1178         (Inspector::Socket::listen):
1179         (Inspector::Socket::accept):
1180         (Inspector::Socket::createPair):
1181         (Inspector::Socket::setup):
1182         (Inspector::Socket::isValid):
1183         (Inspector::Socket::isListening):
1184         (Inspector::Socket::read):
1185         (Inspector::Socket::write):
1186         (Inspector::Socket::close):
1187         (Inspector::Socket::preparePolling):
1188         (Inspector::Socket::poll):
1189         (Inspector::Socket::isReadable):
1190         (Inspector::Socket::isWritable):
1191         (Inspector::Socket::markWaitingWritable):
1192         (Inspector::Socket::clearWaitingWritable):
1193
1194 2019-04-20  Yusuke Suzuki  <ysuzuki@apple.com>
1195
1196         Unreviewed, suppress warnings in non Darwin environments
1197
1198         * jit/ExecutableAllocator.cpp:
1199         (JSC::dumpJITMemory):
1200
1201 2019-04-19  Saam Barati  <sbarati@apple.com>
1202
1203         AbstractValue can represent more than int52
1204         https://bugs.webkit.org/show_bug.cgi?id=197118
1205         <rdar://problem/49969960>
1206
1207         Reviewed by Michael Saboff.
1208
1209         Let's analyze this control flow diamond:
1210         
1211         #0
1212         branch #1, #2
1213         
1214         #1:
1215         PutStack(JSValue, loc42)
1216         Jump #3
1217         
1218         #2:
1219         PutStack(Int52, loc42)
1220         Jump #3
1221         
1222         #3:
1223         ...
1224         
1225         Our abstract value for loc42 at the head of #3 will contain an abstract
1226         value that is the union of Int52 with other things. Obviously in the
1227         above program, a GetStack for loc42 would be invalid, since it might
1228         be loading either JSValue or Int52. However, the abstract interpreter
1229         just tracks what the value could be, and it could be Int52 or JSValue.
1230         
1231         When I did the Int52 refactoring, I expected such things to never happen,
1232         but it turns out it does. We should just allow for this instead of asserting
1233         against it since it's valid IR to do the above.
1234
1235         * bytecode/SpeculatedType.cpp:
1236         (JSC::dumpSpeculation):
1237         * dfg/DFGAbstractValue.cpp:
1238         (JSC::DFG::AbstractValue::checkConsistency const):
1239         * dfg/DFGAbstractValue.h:
1240         (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
1241
1242 2019-04-19  Tadeu Zagallo  <tzagallo@apple.com>
1243
1244         Add option to dump JIT memory
1245         https://bugs.webkit.org/show_bug.cgi?id=197062
1246         <rdar://problem/49744332>
1247
1248         Reviewed by Saam Barati.
1249
1250         Dump all writes into JIT memory to the specified file. The format is:
1251         - 64-bit destination address for the write
1252         - 64-bit size of the content written
1253         - Copy of the data that was written to JIT memory
1254
1255         * assembler/LinkBuffer.cpp:
1256         (JSC::LinkBuffer::copyCompactAndLinkCode):
1257         * jit/ExecutableAllocator.cpp:
1258         (JSC::dumpJITMemory):
1259         * jit/ExecutableAllocator.h:
1260         (JSC::performJITMemcpy):
1261         * runtime/Options.h:
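
An added example, not code from the WebKit change: a reader for the JIT memory dump layout described above (64-bit destination address, 64-bit size, then the written bytes), plus a check that flags later writes landing on bytes an earlier record already wrote, which are the records to inspect first when auditing what ended up in executable memory. Assumed, because the entry does not say: little-endian integers and a file that is a plain concatenation of such records; the sample dump and its addresses are constructed.

```javascript
// Added example (not from the WebKit patch). Assumes little-endian fields
// and a file that is a plain concatenation of records; neither is stated
// in the ChangeLog entry.
function parseJITMemoryDump(buf) {
  const records = [];
  let offset = 0;
  while (offset < buf.length) {
    if (buf.length - offset < 16)
      throw new Error(`truncated record header at offset ${offset}`);
    const address = buf.readBigUInt64LE(offset);
    const size = buf.readBigUInt64LE(offset + 8);
    offset += 16;
    // A size larger than the remaining file means a corrupt or cut-off dump.
    if (size > BigInt(buf.length - offset))
      throw new Error(`record at offset ${offset - 16} claims ${size} bytes, only ${buf.length - offset} remain`);
    const length = Number(size);
    records.push({ address, size: length, data: buf.subarray(offset, offset + length) });
    offset += length;
  }
  return records;
}

// Inverse of the parser, used here only to build constructed sample input.
function encodeRecord(address, bytes) {
  const header = Buffer.alloc(16);
  header.writeBigUInt64LE(BigInt(address), 0);
  header.writeBigUInt64LE(BigInt(bytes.length), 8);
  return Buffer.concat([header, Buffer.from(bytes)]);
}

// Report later writes that overlap the byte range of an earlier record.
// Overlaps are normal for relinking and repatching, but they show where
// executable memory was changed after first being written.
function findOverwrites(records) {
  const overwrites = [];
  for (let i = 1; i < records.length; i++) {
    const cur = records[i];
    const curEnd = cur.address + BigInt(cur.size);
    for (let j = 0; j < i; j++) {
      const prev = records[j];
      const prevEnd = prev.address + BigInt(prev.size);
      if (cur.address < prevEnd && prev.address < curEnd)
        overwrites.push({ later: i, earlier: j });
    }
  }
  return overwrites;
}

// Constructed sample dump: three writes to fictional addresses.
const sampleDump = Buffer.concat([
  encodeRecord(0x7f0000001000n, [0x55, 0x48, 0x89, 0xe5]), // push rbp; mov rbp, rsp
  encodeRecord(0x7f0000001004n, [0xc3]),                   // ret
  encodeRecord(0x7f0000001004n, [0x90]),                   // nop patched over the ret
]);

const sampleRecords = parseJITMemoryDump(sampleDump);
const sampleOverwrites = findOverwrites(sampleRecords);
console.log(`${sampleRecords.length} writes, ${sampleOverwrites.length} overwrite(s)`);
```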
1262
1263 2019-04-19  Keith Rollin  <krollin@apple.com>
1264
1265         Add postprocess-header-rule scripts
1266         https://bugs.webkit.org/show_bug.cgi?id=197072
1267         <rdar://problem/50027299>
1268
1269         Reviewed by Brent Fulgham.
1270
1271         Several projects have post-processing build phases where exported
1272         headers are tweaked after they've been copied. This post-processing is
1273         performed via scripts called postprocess-headers.sh. For reasons
1274         related to XCBuild, we are now transitioning to a build process where
1275         the post-processing is performed at the same time as the
1276         exporting/copying. To support this process, add similar scripts named
1277         postprocess-header-rule, which are geared towards processing a single
1278         file at a time rather than all exported files at once. Also add a
1279         build rule that makes use of these scripts. These scripts and build
1280         rules are not used at the moment; they will come into use in an
1281         imminent patch.
1282
1283         Note that I've named these postprocess-header-rule rather than
1284         postprocess-header-rule.sh. Scripts in Tools/Scripts do not have
1285         suffixes indicating how the tool is implemented. Scripts in
1286         per-project Scripts folders appear to be mixed regarding the use of
1287         suffixes. I'm opting here to follow the Tools/Scripts convention, with
1288         the expectation that over time we completely standardize on that.
1289
1290         * JavaScriptCore.xcodeproj/project.pbxproj:
1291         * Scripts/postprocess-header-rule: Added.
1292
1293 2019-04-18  Saam barati  <sbarati@apple.com>
1294
1295         Remove useConcurrentBarriers option
1296         https://bugs.webkit.org/show_bug.cgi?id=197066
1297
1298         Reviewed by Michael Saboff.
1299
1300         This isn't a helpful option as it will lead us to crash when using the
1301         concurrent GC.
1302
1303         * dfg/DFGStoreBarrierClusteringPhase.cpp:
1304         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1305         * jit/AssemblyHelpers.h:
1306         (JSC::AssemblyHelpers::barrierStoreLoadFence):
1307         * runtime/Options.h:
1308
1309 2019-04-17  Saam Barati  <sbarati@apple.com>
1310
1311         Remove deprecated JSScript SPI
1312         https://bugs.webkit.org/show_bug.cgi?id=194909
1313         <rdar://problem/48283499>
1314
1315         Reviewed by Keith Miller.
1316
1317         * API/JSAPIGlobalObject.mm:
1318         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
1319         * API/JSScript.h:
1320         * API/JSScript.mm:
1321         (+[JSScript scriptWithSource:inVirtualMachine:]): Deleted.
1322         (fillBufferWithContentsOfFile): Deleted.
1323         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]): Deleted.
1324         (+[JSScript scriptFromUTF8File:inVirtualMachine:withCodeSigning:andBytecodeCache:]): Deleted.
1325         (-[JSScript setSourceURL:]): Deleted.
1326         * API/JSScriptInternal.h:
1327         * API/tests/testapi.mm:
1328         (testFetch):
1329         (testFetchWithTwoCycle):
1330         (testFetchWithThreeCycle):
1331         (testLoaderResolvesAbsoluteScriptURL):
1332         (testImportModuleTwice):
1333         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
1334
1335 2019-04-17  Keith Rollin  <krollin@apple.com>
1336
1337         Remove JSCBuiltins.cpp from Copy Headers phase
1338         https://bugs.webkit.org/show_bug.cgi?id=196981
1339         <rdar://problem/49952133>
1340
1341         Reviewed by Alex Christensen.
1342
1343         JSCBuiltins.cpp is not a header and so doesn't need to be in the Copy
1344         Headers phase. Checking its history, it seems to have been added
1345         accidentally at the same time that JSCBuiltins.h was added.
1346
1347         * JavaScriptCore.xcodeproj/project.pbxproj:
1348
1349 2019-04-16  Stephan Szabo  <stephan.szabo@sony.com>
1350
1351         [PlayStation] Update port for system library changes
1352         https://bugs.webkit.org/show_bug.cgi?id=196978
1353
1354         Reviewed by Ross Kirsling.
1355
1356         * shell/playstation/Initializer.cpp:
1357         Add reference to new posix compatibility library.
1358
1359 2019-04-16  Robin Morisset  <rmorisset@apple.com>
1360
1361         [WTF] holdLock should be marked WARN_UNUSED_RETURN
1362         https://bugs.webkit.org/show_bug.cgi?id=196922
1363
1364         Reviewed by Keith Miller.
1365
1366         There was one case where holdLock was used and the result ignored.
1367         From a comment that was deleted in https://bugs.webkit.org/attachment.cgi?id=328438&action=prettypatch, I believe that it is on purpose.
1368         So I brought back a variant of the comment, and made the ignoring of the return explicit.
1369
1370         * heap/BlockDirectory.cpp:
1371         (JSC::BlockDirectory::isPagedOut):
1372
1373 2019-04-16  Caitlin Potter  <caitp@igalia.com>
1374
1375         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1376         https://bugs.webkit.org/show_bug.cgi?id=176810
1377
1378         Reviewed by Saam Barati.
1379
1380         This adds conditional logic following the invariant checks, to perform
1381         filtering in common uses of getOwnPropertyNames.
1382
1383         While this would ideally only be done in JSPropertyNameEnumerator, adding
1384         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
1385         invariant that the EnumerationMode is properly followed.
1386
1387         This was originally rolled out in r244020, as DontEnum filtering code
1388         in ObjectConstructor.cpp's ownPropertyKeys() had not been removed. It's
1389         now redundant due to being handled in ProxyObject::getOwnPropertyNames().
1390
1391         * runtime/PropertyNameArray.h:
1392         (JSC::PropertyNameArray::reset):
1393         * runtime/ProxyObject.cpp:
1394         (JSC::ProxyObject::performGetOwnPropertyNames):
1395
The observable JavaScript contract behind the change above, as an added example (not WebKit's code; everything below is constructed sample data that runs in Node.js): enumeration-style views such as Object.keys and for...in must drop DontEnum (non-enumerable) keys, and must judge enumerability through the proxy's own getOwnPropertyDescriptor trap rather than the target, while the raw key list from Reflect.ownKeys is not filtered at all. The filtering only happens once the spec's ownKeys invariant checks have passed, which is why a trap that violates them fails with a TypeError before any filtering is visible.

```javascript
// Added example (not WebKit code): the observable JavaScript contract that
// ProxyObject::getOwnPropertyNames has to honour. Enumeration-style views
// (Object.keys, for...in) filter out DontEnum (non-enumerable) keys and judge
// enumerability through the proxy's own getOwnPropertyDescriptor trap, while
// the raw key list (Reflect.ownKeys) is not filtered at all.
// Runs in Node.js; all objects below are constructed sample data.

// A proxy that forwards to its target but records which traps fire.
function makeLoggingProxy(target, log) {
  return new Proxy(target, {
    ownKeys(t) {
      log.push('ownKeys');
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
  });
}

// Compare the three views of the same proxied object.
function enumerationViews() {
  const log = [];
  const target = { visible: 1 };
  Object.defineProperty(target, 'hidden', { value: 2, enumerable: false, configurable: true });
  const proxy = makeLoggingProxy(target, log);

  const all = Reflect.ownKeys(proxy);   // unfiltered: the DontEnum key is included
  const keys = Object.keys(proxy);      // filtered: only enumerable string keys
  const forIn = [];
  for (const k in proxy) forIn.push(k); // filtered the same way
  return { all, keys, forIn, log };
}

// The filter consults the proxy, not the target: a trap that reports a
// configurable key as non-enumerable hides it from Object.keys even though
// the target itself still says the key is enumerable.
function trapControlsEnumerability() {
  const target = { a: 1, b: 2 };
  const proxy = new Proxy(target, {
    getOwnPropertyDescriptor(t, key) {
      const desc = Reflect.getOwnPropertyDescriptor(t, key);
      if (key === 'b') desc.enumerable = false; // allowed: 'b' is configurable on the target
      return desc;
    },
  });
  return { keys: Object.keys(proxy), all: Reflect.ownKeys(proxy), targetKeys: Object.keys(target) };
}

// Filtering happens only after the invariant checks: a trap that omits a key
// of a non-extensible target is rejected with a TypeError before any
// enumerability filtering is applied.
function invariantViolation() {
  const target = Object.preventExtensions({ a: 1 });
  const proxy = new Proxy(target, { ownKeys() { return []; } });
  try {
    Object.keys(proxy);
    return 'no error';
  } catch (e) {
    return e.constructor.name;
  }
}

console.log(enumerationViews());
console.log(trapControlsEnumerability());
console.log(invariantViolation());
```

The trap log in enumerationViews shows why the filtering belongs where the ChangeLog puts it: Reflect.ownKeys fires only the ownKeys trap, whereas Object.keys fires ownKeys and then getOwnPropertyDescriptor once per string key, because enumerability is a per-key question the proxy gets to answer.
<test>
const v = enumerationViews();
assert.strictEqual(v.all.join(','), 'visible,hidden');
assert.strictEqual(v.keys.join(','), 'visible');
assert.strictEqual(v.forIn.join(','), 'visible');
assert.strictEqual(v.log.slice(0, 4).join(','), 'ownKeys,ownKeys,getOwnPropertyDescriptor:visible,getOwnPropertyDescriptor:hidden');
const t = trapControlsEnumerability();
assert.strictEqual(t.keys.join(','), 'a');
assert.strictEqual(t.all.join(','), 'a,b');
assert.strictEqual(t.targetKeys.join(','), 'a,b');
assert.strictEqual(invariantViolation(), 'TypeError');
</test>
1396 2019-04-15  Saam barati  <sbarati@apple.com>
1397
1398         Modify how we do SetArgument when we inline varargs calls
1399         https://bugs.webkit.org/show_bug.cgi?id=196712
1400         <rdar://problem/49605012>
1401
1402         Reviewed by Michael Saboff.
1403
1404         When we inline varargs calls, we guarantee that the number of arguments that
1405         go on the stack is somewhere between the "mandatoryMinimum" and the "limit - 1".
1406         However, we can't statically guarantee that the arguments between these two
1407         ranges were filled out by Load/ForwardVarargs. This is because in the general
1408         case we don't know the argument count statically.
1409         
1410         However, we used to always emit SetArgumentDefinitely up to "limit - 1" for
1411         all arguments, even when some arguments aren't guaranteed to be in a valid
1412         state. Emitting these SetArgumentDefinitely nodes was helpful because they let us
1413         handle variable liveness and OSR exit metadata. However, when we converted
1414         to SSA, we ended up emitting a GetStack for each such SetArgumentDefinitely.
1415         
1416         This is wrong, as we can't guarantee such SetArgumentDefinitely nodes are
1417         actually looking at a range of the stack that is guaranteed to be initialized.
1418         This patch introduces a new form of SetArgument node: SetArgumentMaybe. In terms
1419         of OSR exit metadata and variable liveness tracking, it behaves like SetArgumentDefinitely.
1420         
1421         However, it differs in a couple key ways:
1422         1. In ThreadedCPS, GetLocal(@SetArgumentMaybe) is invalid IR, as this implies
1423         you might be loading uninitialized stack. (This same rule applies when you do
1424         the full data flow reachability analysis over CPS Phis.) If someone logically
1425         wanted to emit code like this, the correct node to emit would be GetArgument,
1426         not GetLocal. For similar reasons, PhantomLocal(@SetArgumentMaybe) is also
1427         invalid IR.
1428         2. To track liveness, Flush(@SetArgumentMaybe) is valid, and is the main user
1429         of SetArgumentMaybe.
1430         3. In SSA conversion, we don't lower SetArgumentMaybe to GetStack, as there
1431         should be no data flow user of SetArgumentMaybe.
1432         
1433         SetArgumentDefinitely guarantees that the stack slot is initialized.
1434         SetArgumentMaybe makes no such guarantee.
1435
1436         * dfg/DFGAbstractInterpreterInlines.h:
1437         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1438         * dfg/DFGByteCodeParser.cpp:
1439         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1440         * dfg/DFGCPSRethreadingPhase.cpp:
1441         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1442         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1443         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1444         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1445         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1446         (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
1447         * dfg/DFGClobberize.h:
1448         (JSC::DFG::clobberize):
1449         * dfg/DFGCommon.h:
1450         * dfg/DFGDoesGC.cpp:
1451         (JSC::DFG::doesGC):
1452         * dfg/DFGFixupPhase.cpp:
1453         (JSC::DFG::FixupPhase::fixupNode):
1454         * dfg/DFGInPlaceAbstractState.cpp:
1455         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1456         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1457         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1458         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1459         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1460         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1461         * dfg/DFGMayExit.cpp:
1462         * dfg/DFGNode.cpp:
1463         (JSC::DFG::Node::hasVariableAccessData):
1464         * dfg/DFGNodeType.h:
1465         * dfg/DFGPhantomInsertionPhase.cpp:
1466         * dfg/DFGPredictionPropagationPhase.cpp:
1467         * dfg/DFGSSAConversionPhase.cpp:
1468         (JSC::DFG::SSAConversionPhase::run):
1469         * dfg/DFGSafeToExecute.h:
1470         (JSC::DFG::safeToExecute):
1471         * dfg/DFGSpeculativeJIT32_64.cpp:
1472         (JSC::DFG::SpeculativeJIT::compile):
1473         * dfg/DFGSpeculativeJIT64.cpp:
1474         (JSC::DFG::SpeculativeJIT::compile):
1475         * dfg/DFGValidate.cpp:
1476         * ftl/FTLCapabilities.cpp:
1477         (JSC::FTL::canCompile):
1478
1479 2019-04-15  Commit Queue  <commit-queue@webkit.org>
1480
1481         Unreviewed, rolling out r243672.
1482         https://bugs.webkit.org/show_bug.cgi?id=196952
1483
1484         [JSValue release] should be thread-safe (Requested by
1485         yusukesuzuki on #webkit).
1486
1487         Reverted changeset:
1488
1489         "[JSC] JSWrapperMap should not use Objective-C Weak map
1490         (NSMapTable with NSPointerFunctionsWeakMemory) for
1491         m_cachedObjCWrappers"
1492         https://bugs.webkit.org/show_bug.cgi?id=196392
1493         https://trac.webkit.org/changeset/243672
1494
1495 2019-04-15  Saam barati  <sbarati@apple.com>
1496
1497         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
1498         https://bugs.webkit.org/show_bug.cgi?id=196945
1499         <rdar://problem/49802750>
1500
1501         Reviewed by Filip Pizlo.
1502
1503         * dfg/DFGSafeToExecute.h:
1504         (JSC::DFG::safeToExecute):
1505
1506 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1507
1508         DFG should be able to constant fold Object.create() with a constant prototype operand
1509         https://bugs.webkit.org/show_bug.cgi?id=196886
1510
1511         Reviewed by Yusuke Suzuki.
1512
1513
1514         It is a fairly simple and limited patch, as it only works when the DFG can prove the exact object used as prototype.
1515         But when it applies it can be a significant win:
1516                                                         Baseline                   Optim                                       
1517         object-create-constant-prototype              3.6082+-0.0979     ^      1.6947+-0.0756        ^ definitely 2.1292x faster
1518         object-create-null                           11.4492+-0.2510     ?     11.5030+-0.2402        ?
1519         object-create-unknown-object-prototype       15.6067+-0.1851     ?     15.7500+-0.2322        ?
1520         object-create-untyped-prototype               8.8873+-0.1240     ?      8.9806+-0.1202        ? might be 1.0105x slower
1521         <geometric>                                   8.6967+-0.1208     ^      7.2408+-0.1367        ^ definitely 1.2011x faster
1522
1523         The only subtlety is that we need to access the StructureCache concurrently from the compiler thread (see https://bugs.webkit.org/show_bug.cgi?id=186199)
1524         I solved this with a simple lock, taken when the compiler thread tries to read it, and when the main thread tries to modify it.
1525         I expect it to be extremely low contention, but will watch the bots just in case.
1526         The lock is taken neither when the main thread is only reading the cache (it has no-one to race with), nor when the GC purges it of dead entries (it does not free anything while a compiler thread is in the middle of a phase).
1527
1528         * dfg/DFGAbstractInterpreterInlines.h:
1529         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1530         * dfg/DFGConstantFoldingPhase.cpp:
1531         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1532         * runtime/StructureCache.cpp:
1533         (JSC::StructureCache::createEmptyStructure):
1534         (JSC::StructureCache::tryEmptyObjectStructureForPrototypeFromCompilerThread):
1535         * runtime/StructureCache.h:
1536
1537 2019-04-15  Devin Rousso  <drousso@apple.com>
1538
1539         Web Inspector: fake value descriptors for promises add a catch handler, preventing "rejectionhandled" events from being fired
1540         https://bugs.webkit.org/show_bug.cgi?id=196484
1541         <rdar://problem/49114725>
1542
1543         Reviewed by Joseph Pecoraro.
1544
1545         Only add a catch handler when the promise is reachable via a native getter and is known to
1546         have rejected. A non-rejected promise doesn't need a catch handler, and any promise that
1547         isn't reachable via a getter won't actually be reached, as `InjectedScript` doesn't call any
1548         functions, instead only getting the function object itself.
1549
1550         * inspector/InjectedScriptSource.js:
1551         (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor):
1552
1553         * inspector/JSInjectedScriptHost.h:
1554         * inspector/JSInjectedScriptHost.cpp:
1555         (Inspector::JSInjectedScriptHost::isPromiseRejectedWithNativeGetterTypeError): Added.
1556         * inspector/JSInjectedScriptHostPrototype.cpp:
1557         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1558         (Inspector::jsInjectedScriptHostPrototypeFunctionIsPromiseRejectedWithNativeGetterTypeError): Added.
1559
1560         * runtime/ErrorInstance.h:
1561         (JSC::ErrorInstance::setNativeGetterTypeError): Added.
1562         (JSC::ErrorInstance::isNativeGetterTypeError const): Added.
1563
1564         * runtime/Error.h:
1565         (JSC::throwVMGetterTypeError): Added.
1566         * runtime/Error.cpp:
1567         (JSC::createGetterTypeError): Added.
1568         (JSC::throwGetterTypeError): Added.
1569         (JSC::throwDOMAttributeGetterTypeError):
1570
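The behaviour that the entry above fixes, as an added example (not WebKit code): a debugging aid that attaches a catch handler to a promise it only wants to display silently marks the rejection as handled, so the host's unhandled-rejection reporting never fires. The example assumes Node.js, where the host events are process 'unhandledRejection' and 'rejectionHandled' (the browser equivalents are the "unhandledrejection" and "rejectionhandled" window events the entry refers to); the rejected promise and its error are constructed sample data.

```javascript
// Added example (not WebKit code): show how an inspection helper that attaches
// a catch handler to a promise it merely wants to display changes observable
// program behaviour. Assumes Node.js; the host event is process
// 'unhandledRejection' (the browser equivalent is the window
// "unhandledrejection" event). The failing promise below is constructed data.

// Old-style inspection: look at the promise AND swallow its rejection.
function inspectWithCatch(promise) {
  promise.catch(() => {});
  return 'inspected';
}

// Passive inspection: attach nothing, so the promise's state is left for the
// program itself to handle (or to fail to handle, which the host then reports).
function inspectPassively(promise) {
  return 'inspected';
}

// Create one rejected promise, run `inspect` on it, wait one macrotask so the
// host has done its unhandled-rejection bookkeeping, then attach a late handler
// the way a program doing its own recovery would. Resolves with the host events
// observed for exactly that promise.
function observe(inspect) {
  return new Promise((resolve) => {
    const seen = [];
    const rejected = Promise.reject(new Error('constructed sample failure'));
    const onUnhandled = (reason, promise) => {
      if (promise === rejected) seen.push('unhandledRejection');
    };
    const onHandled = (promise) => {
      if (promise === rejected) seen.push('rejectionHandled');
    };
    process.on('unhandledRejection', onUnhandled);
    process.on('rejectionHandled', onHandled);
    inspect(rejected);
    setTimeout(() => {
      rejected.catch(() => {}); // late handler, attached after the host has reported
      setTimeout(() => {
        process.off('unhandledRejection', onUnhandled);
        process.off('rejectionHandled', onHandled);
        resolve(seen);
      }, 10);
    }, 10);
  });
}

observe(inspectWithCatch)
  .then((seen) => {
    console.log('with catch handler attached by the inspector:', seen);
    return observe(inspectPassively);
  })
  .then((seen) => {
    console.log('inspected passively:', seen);
  });
```

With the catch handler attached by the inspector, no host event fires at all; with passive inspection, the program's own late handler is still visible to the host as 'unhandledRejection' followed by 'rejectionHandled', which is the signal the old fake descriptors were suppressing.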
1571 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1572
1573         B3::Value should have different kinds of adjacency lists
1574         https://bugs.webkit.org/show_bug.cgi?id=196091
1575
1576         Reviewed by Filip Pizlo.
1577
1578         The key idea of this optimization is to replace the Vector<Value*, 3> m_children in B3::Value (40 bytes on 64-bits platform) by one of the following:
1579         - Nothing (0 bytes)
1580         - 1 Value* (8 bytes)
1581         - 2 Value* (16 bytes)
1582         - 3 Value* (24 bytes)
1583         - A Vector<Value*, 3>
1584         after the end of the Value object, depending on the kind of the Value.
1585         So for example, when allocating an Add, we would allocate an extra 16 bytes into which to store 2 Values.
1586         This would halve the memory consumption of Const64/Const32/Nop/Identity and a bunch more kinds of values, and reduce by a more moderate amount the memory consumption of the rest of non-varargs values (e.g. Add would go from 72 to 48 bytes).
1587
1588         A few implementation points:
1589         - Even if there are no children, we must remember to allocate at least enough space for replaceWithIdentity to work later. It needs sizeof(Value) (for the object itself) + sizeof(Value*) (for the pointer to its child)
1590         - We must make sure to destroy the vector whenever we destroy a Value which is VarArgs
1591         - We must remember how many elements there are in the case where we did not allocate a Vector. We cannot do it purely by relying on the kind, both for speed reasons and because Return can have either 0 or 1 argument in B3
1592           Thankfully, we have an extra byte of padding to use in the middle of B3::Value
1593         - In order to support clone(), we must have a separate version of allocate, which extracts the opcode from the to-be-cloned object instead of from the call to the constructor
1594         - Speaking of which, we need a special templated function opcodeFromConstructor, because some of the constructors of subclasses of Value don't take an explicit Opcode as argument, typically because they match a single one.
1595         - To maximize performance, we provide specialized versions of child/lastChild/numChildren/children in the subclasses of Value, skipping checks when the actual type of the Value is already known.
1596           This is done through the B3_SPECIALIZE_VALUE_FOR_... defined at the bottom of B3Value.h
1597         - In the constructors of Value, we convert all extra children arguments to Value* eagerly. It is not required for correctness (they will be converted when put into a Vector<Value*> or a Value* in the end), but it helps limit an explosion in the number of template instantiations.
1598         - I moved DeepValueDump::dump from the .h to the .cpp, as there is no good reason to inline it, and recompiling JSC is already slow enough
1599
1600         * JavaScriptCore.xcodeproj/project.pbxproj:
1601         * b3/B3ArgumentRegValue.cpp:
1602         (JSC::B3::ArgumentRegValue::cloneImpl const): Deleted.
1603         * b3/B3ArgumentRegValue.h:
1604         * b3/B3AtomicValue.cpp:
1605         (JSC::B3::AtomicValue::AtomicValue):
1606         (JSC::B3::AtomicValue::cloneImpl const): Deleted.
1607         * b3/B3AtomicValue.h:
1608         * b3/B3BasicBlock.h:
1609         * b3/B3BasicBlockInlines.h:
1610         (JSC::B3::BasicBlock::appendNewNonTerminal): Deleted.
1611         * b3/B3CCallValue.cpp:
1612         (JSC::B3::CCallValue::appendArgs):
1613         (JSC::B3::CCallValue::cloneImpl const): Deleted.
1614         * b3/B3CCallValue.h:
1615         * b3/B3CheckValue.cpp:
1616         (JSC::B3::CheckValue::cloneImpl const): Deleted.
1617         * b3/B3CheckValue.h:
1618         * b3/B3Const32Value.cpp:
1619         (JSC::B3::Const32Value::cloneImpl const): Deleted.
1620         * b3/B3Const32Value.h:
1621         * b3/B3Const64Value.cpp:
1622         (JSC::B3::Const64Value::cloneImpl const): Deleted.
1623         * b3/B3Const64Value.h:
1624         * b3/B3ConstDoubleValue.cpp:
1625         (JSC::B3::ConstDoubleValue::cloneImpl const): Deleted.
1626         * b3/B3ConstDoubleValue.h:
1627         * b3/B3ConstFloatValue.cpp:
1628         (JSC::B3::ConstFloatValue::cloneImpl const): Deleted.
1629         * b3/B3ConstFloatValue.h:
1630         * b3/B3ConstPtrValue.h:
1631         (JSC::B3::ConstPtrValue::opcodeFromConstructor):
1632         * b3/B3FenceValue.cpp:
1633         (JSC::B3::FenceValue::FenceValue):
1634         (JSC::B3::FenceValue::cloneImpl const): Deleted.
1635         * b3/B3FenceValue.h:
1636         * b3/B3MemoryValue.cpp:
1637         (JSC::B3::MemoryValue::MemoryValue):
1638         (JSC::B3::MemoryValue::cloneImpl const): Deleted.
1639         * b3/B3MemoryValue.h:
1640         * b3/B3MoveConstants.cpp:
1641         * b3/B3PatchpointValue.cpp:
1642         (JSC::B3::PatchpointValue::cloneImpl const): Deleted.
1643         * b3/B3PatchpointValue.h:
1644         (JSC::B3::PatchpointValue::opcodeFromConstructor):
1645         * b3/B3Procedure.cpp:
1646         * b3/B3Procedure.h:
1647         * b3/B3ProcedureInlines.h:
1648         (JSC::B3::Procedure::add):
1649         * b3/B3SlotBaseValue.cpp:
1650         (JSC::B3::SlotBaseValue::cloneImpl const): Deleted.
1651         * b3/B3SlotBaseValue.h:
1652         * b3/B3StackmapSpecial.cpp:
1653         (JSC::B3::StackmapSpecial::forEachArgImpl):
1654         (JSC::B3::StackmapSpecial::isValidImpl):
1655         * b3/B3StackmapValue.cpp:
1656         (JSC::B3::StackmapValue::append):
1657         (JSC::B3::StackmapValue::StackmapValue):
1658         * b3/B3StackmapValue.h:
1659         * b3/B3SwitchValue.cpp:
1660         (JSC::B3::SwitchValue::SwitchValue):
1661         (JSC::B3::SwitchValue::cloneImpl const): Deleted.
1662         * b3/B3SwitchValue.h:
1663         (JSC::B3::SwitchValue::opcodeFromConstructor):
1664         * b3/B3UpsilonValue.cpp:
1665         (JSC::B3::UpsilonValue::cloneImpl const): Deleted.
1666         * b3/B3UpsilonValue.h:
1667         * b3/B3Value.cpp:
1668         (JSC::B3::DeepValueDump::dump const):
1669         (JSC::B3::Value::~Value):
1670         (JSC::B3::Value::replaceWithIdentity):
1671         (JSC::B3::Value::replaceWithNopIgnoringType):
1672         (JSC::B3::Value::replaceWithPhi):
1673         (JSC::B3::Value::replaceWithJump):
1674         (JSC::B3::Value::replaceWithOops):
1675         (JSC::B3::Value::replaceWith):
1676         (JSC::B3::Value::invertedCompare const):
1677         (JSC::B3::Value::returnsBool const):
1678         (JSC::B3::Value::cloneImpl const): Deleted.
1679         * b3/B3Value.h:
1680         (JSC::B3::DeepValueDump::dump const): Deleted.
1681         * b3/B3ValueInlines.h:
1682         (JSC::B3::Value::adjacencyListOffset const):
1683         (JSC::B3::Value::cloneImpl const):
1684         * b3/B3VariableValue.cpp:
1685         (JSC::B3::VariableValue::VariableValue):
1686         (JSC::B3::VariableValue::cloneImpl const): Deleted.
1687         * b3/B3VariableValue.h:
1688         * b3/B3WasmAddressValue.cpp:
1689         (JSC::B3::WasmAddressValue::WasmAddressValue):
1690         (JSC::B3::WasmAddressValue::cloneImpl const): Deleted.
1691         * b3/B3WasmAddressValue.h:
1692         * b3/B3WasmBoundsCheckValue.cpp:
1693         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
1694         (JSC::B3::WasmBoundsCheckValue::cloneImpl const): Deleted.
1695         * b3/B3WasmBoundsCheckValue.h:
1696         (JSC::B3::WasmBoundsCheckValue::accepts):
1697         (JSC::B3::WasmBoundsCheckValue::opcodeFromConstructor):
1698         * b3/testb3.cpp:
1699         (JSC::B3::testCallFunctionWithHellaArguments):
1700         (JSC::B3::testCallFunctionWithHellaArguments2):
1701         (JSC::B3::testCallFunctionWithHellaArguments3):
1702         (JSC::B3::testCallFunctionWithHellaDoubleArguments):
1703         (JSC::B3::testCallFunctionWithHellaFloatArguments):
1704         * ftl/FTLOutput.h:
1705         (JSC::FTL::Output::call):
1706
1707 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
1708
1709         Bytecode cache should not encode the SourceProvider for UnlinkedFunctionExecutable's classSource
1710         https://bugs.webkit.org/show_bug.cgi?id=196878
1711
1712         Reviewed by Saam Barati.
1713
1714         Every time we encode an (Unlinked)SourceCode, we encode its SourceProvider,
1715         including the full source if it's a StringSourceProvider. This wasn't an issue,
1716         since the SourceCode contains a RefPtr to the SourceProvider, and the Encoder
1717         would avoid encoding the provider multiple times. With the addition of the
1718         incremental cache, each UnlinkedFunctionCodeBlock is encoded in isolation, which
1719         means we can no longer deduplicate it and the full program text was being encoded
1720         multiple times in the cache.
1721         As a work around, this patch adds a custom cached type for encoding the SourceCode
1722         without its provider, and later injects the SourceProvider through the Decoder.
1723
1724         * parser/SourceCode.h:
1725         * parser/UnlinkedSourceCode.h:
1726         (JSC::UnlinkedSourceCode::provider const):
1727         * runtime/CachedTypes.cpp:
1728         (JSC::Decoder::Decoder):
1729         (JSC::Decoder::create):
1730         (JSC::Decoder::provider const):
1731         (JSC::CachedSourceCodeWithoutProvider::encode):
1732         (JSC::CachedSourceCodeWithoutProvider::decode const):
1733         (JSC::decodeCodeBlockImpl):
1734         * runtime/CachedTypes.h:
1735
1736 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1737
1738         MarkedSpace.cpp is not in the Xcode workspace
1739         https://bugs.webkit.org/show_bug.cgi?id=196928
1740
1741         Reviewed by Saam Barati.
1742
1743         * JavaScriptCore.xcodeproj/project.pbxproj:
1744
1745 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
1746
1747         Incremental bytecode cache should not append function updates when loaded from memory
1748         https://bugs.webkit.org/show_bug.cgi?id=196865
1749
1750         Reviewed by Filip Pizlo.
1751
1752         Function updates hold the assumption that a function can only be executed/cached
1753         after its containing code block has already been cached. This assumption does
1754         not hold if the UnlinkedCodeBlock is loaded from memory by the CodeCache, since
1755         we might have two independent SourceProviders executing different paths of the
1756         code and causing the same UnlinkedCodeBlock to be modified in memory.
1757         Use a RefPtr instead of Ref for m_cachedBytecode in ShellSourceProvider to distinguish
1758         between a new, empty cache and a cache that was not loaded and therefore cannot be updated.
1759
1760         * jsc.cpp:
1761         (ShellSourceProvider::ShellSourceProvider):
1762
1763 2019-04-15  Saam barati  <sbarati@apple.com>
1764
1765         mergeOSREntryValue is wrong when the incoming value does not match up with the flush format
1766         https://bugs.webkit.org/show_bug.cgi?id=196918
1767
1768         Reviewed by Yusuke Suzuki.
1769
1770         r244238 led to some debug failures because we were calling checkConsistency()
1771         before doing fixTypeForRepresentation when merging in must handle values in
1772         CFA. This patch fixes that.
1773         
1774         However, as I was reading over mergeOSREntryValue, I realized it was wrong. It
1775         was possible it could merge in a value/type outside of the variable's flushed type.
1776         Once the flush format types are locked in, we can't introduce a type out of
1777         that range. This probably never led to any crashes as our profiling injection
1778         and speculation decision code is solid. However, what we were doing is clearly
1779         wrong, and something a fuzzer could have found if we fuzzed the must handle
1780         values inside prediction injection. We should do that fuzzing:
1781         https://bugs.webkit.org/show_bug.cgi?id=196924
1782
1783         * dfg/DFGAbstractValue.cpp:
1784         (JSC::DFG::AbstractValue::mergeOSREntryValue):
1785         * dfg/DFGAbstractValue.h:
1786         * dfg/DFGCFAPhase.cpp:
1787         (JSC::DFG::CFAPhase::injectOSR):
1788
1789 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1790
1791         Several structures and enums in the Yarr interpreter can be shrunk
1792         https://bugs.webkit.org/show_bug.cgi?id=196923
1793
1794         Reviewed by Saam Barati.
1795
1796         YarrOp: 88 -> 80
1797         RegularExpression: 40 -> 32
1798         ByteTerm: 56 -> 48
1799         PatternTerm: 56 -> 48
1800
1801         * yarr/RegularExpression.cpp:
1802         * yarr/YarrInterpreter.h:
1803         * yarr/YarrJIT.cpp:
1804         (JSC::Yarr::YarrGenerator::YarrOp::YarrOp):
1805         * yarr/YarrParser.h:
1806         * yarr/YarrPattern.h:
1807
1808 2019-04-15  Devin Rousso  <drousso@apple.com>
1809
1810         Web Inspector: REGRESSION(r244172): crash when trying to add extra domain while inspecting JSContext
1811         https://bugs.webkit.org/show_bug.cgi?id=196925
1812         <rdar://problem/49873994>
1813
1814         Reviewed by Joseph Pecoraro.
1815
1816         Move the logic for creating the `InspectorAgent` and `InspectorDebuggerAgent` into separate
1817         functions so that callers can be guaranteed to have a valid instance of the agent.
1818
1819         * inspector/JSGlobalObjectInspectorController.h:
1820         * inspector/JSGlobalObjectInspectorController.cpp:
1821         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1822         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
1823         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
1824         (Inspector::JSGlobalObjectInspectorController::ensureInspectorAgent): Added.
1825         (Inspector::JSGlobalObjectInspectorController::ensureDebuggerAgent): Added.
1826         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
1827
1828 2019-04-14  Don Olmstead  <don.olmstead@sony.com>
1829
1830         [CMake] JavaScriptCore derived sources should only be referenced inside JavaScriptCore
1831         https://bugs.webkit.org/show_bug.cgi?id=196742
1832
1833         Reviewed by Konstantin Tokarev.
1834
1835         Migrate to using JavaScriptCore_DERIVED_SOURCES_DIR instead of DERIVED_SOURCES_JAVASCRIPTCORE_DIR
1836         to support moving the JavaScriptCore derived sources outside of a shared directory.
1837
1838         Also use JavaScriptCore_DERIVED_SOURCES_DIR instead of DERIVED_SOUCES_DIR.
1839
1840         * CMakeLists.txt:
1841
1842 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
1843
1844         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
1845         https://bugs.webkit.org/show_bug.cgi?id=196880
1846
1847         Reviewed by Yusuke Suzuki.
1848
1849         CodeCache should not tell the SourceProvider to cache the bytecode if it failed
1850         to create the UnlinkedCodeBlock.
1851
1852         * runtime/CodeCache.cpp:
1853         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1854
1855 2019-04-12  Saam barati  <sbarati@apple.com>
1856
1857         r244079 logically broke shouldSpeculateInt52
1858         https://bugs.webkit.org/show_bug.cgi?id=196884
1859
1860         Reviewed by Yusuke Suzuki.
1861
1862         In r244079, I changed shouldSpeculateInt52 to only return true
1863         when the prediction is isAnyInt52Speculation(). However, it was
1864         wrong not to include SpecInt32 in this for two reasons:
1865
1866         1. We diligently write code that first checks if we should speculate Int32.
1867         For example:
1868         if (shouldSpeculateInt32()) ... 
1869         else if (shouldSpeculateInt52()) ...
1870
1871         It would be wrong not to fall back to Int52 if we're dealing with the union of
1872         Int32 and Int52.
1873
1874         It would be a performance mistake to not include Int32 here because
1875         data flow can easily tell us that we have variables that are the union
1876         of Int32 and Int52 values. It's better to speculate Int52 than Double
1877         in that situation.
1878
1879         2. We also write code where we ask if the inputs can be Int52, e.g, if
1880         we know via profiling that an Add overflows, we may not emit an Int32 add.
1881         However, we only emit such an add if both inputs can be Int52, and Int32
1882         can trivially become Int52.
1883
1884         This patch recovers the 0.5-1% regression r244079 caused on JetStream 2.
1885
1886         * bytecode/SpeculatedType.h:
1887         (JSC::isInt32SpeculationForArithmetic):
1888         (JSC::isInt32OrBooleanSpeculationForArithmetic):
1889         (JSC::isInt32OrInt52Speculation):
1890         * dfg/DFGFixupPhase.cpp:
1891         (JSC::DFG::FixupPhase::observeUseKindOnNode):
1892         * dfg/DFGNode.h:
1893         (JSC::DFG::Node::shouldSpeculateInt52):
1894         * dfg/DFGPredictionPropagationPhase.cpp:
1895         * dfg/DFGVariableAccessData.cpp:
1896         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
1897
1898 2019-04-12  Saam barati  <sbarati@apple.com>
1899
1900         Unreviewed. Build fix after r244233.
1901
1902         * assembler/CPU.cpp:
1903
1904 2019-04-12  Saam barati  <sbarati@apple.com>
1905
1906         Sometimes we need to use fewer CPUs in our threading calculations
1907         https://bugs.webkit.org/show_bug.cgi?id=196794
1908         <rdar://problem/49389497>
1909
1910         Reviewed by Yusuke Suzuki.
1911
1912         * JavaScriptCore.xcodeproj/project.pbxproj:
1913         * Sources.txt:
1914         * assembler/CPU.cpp: Added.
1915         (JSC::isKernTCSMAvailable):
1916         (JSC::enableKernTCSM):
1917         (JSC::kernTCSMAwareNumberOfProcessorCores):
1918         * assembler/CPU.h:
1919         (JSC::isKernTCSMAvailable):
1920         (JSC::enableKernTCSM):
1921         (JSC::kernTCSMAwareNumberOfProcessorCores):
1922         * heap/MachineStackMarker.h:
1923         (JSC::MachineThreads::addCurrentThread):
1924         * runtime/JSLock.cpp:
1925         (JSC::JSLock::didAcquireLock):
1926         * runtime/Options.cpp:
1927         (JSC::computeNumberOfWorkerThreads):
1928         (JSC::computePriorityDeltaOfWorkerThreads):
1929         * wasm/WasmWorklist.cpp:
1930         (JSC::Wasm::Worklist::Worklist):
1931
1932 2019-04-12  Robin Morisset  <rmorisset@apple.com>
1933
1934         Use padding at end of ArrayBuffer
1935         https://bugs.webkit.org/show_bug.cgi?id=196823
1936
1937         Reviewed by Filip Pizlo.
1938
1939         * runtime/ArrayBuffer.h:
1940
1941 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
1942
1943         [JSC] op_has_indexed_property should not assume subscript part is Uint32
1944         https://bugs.webkit.org/show_bug.cgi?id=196850
1945
1946         Reviewed by Saam Barati.
1947
1948         op_has_indexed_property assumed that the subscript part is always Uint32. However, this is just a load from a non-constant RegisterID;
1949         the DFG can store it in double format and can perform an OSR exit. op_has_indexed_property should not assume that.
1950         In this patch, instead, we check it with isAnyInt and get uint32_t from AnyInt.
1951
1952         * jit/JITOpcodes.cpp:
1953         (JSC::JIT::emit_op_has_indexed_property):
1954         * jit/JITOpcodes32_64.cpp:
1955         (JSC::JIT::emit_op_has_indexed_property):
1956         * jit/JITOperations.cpp:
1957         * runtime/CommonSlowPaths.cpp:
1958         (JSC::SLOW_PATH_DECL):
1959
1960 2019-04-11  Saam barati  <sbarati@apple.com>
1961
1962         Remove invalid assertion in operationInstanceOfCustom
1963         https://bugs.webkit.org/show_bug.cgi?id=196842
1964         <rdar://problem/49725493>
1965
1966         Reviewed by Michael Saboff.
1967
1968         In the generated JIT code, we go to the slow path when the incoming function
1969         isn't the Node's CodeOrigin's functionProtoHasInstanceSymbolFunction. However,
1970         in the JIT operation, we were asserting against exec->lexicalGlobalObject()'s
1971         functionProtoHasInstanceSymbolFunction. That assertion might be wrong when
1972         inlining across global objects as exec->lexicalGlobalObject() uses the machine
1973         frame for procuring the global object. There is no harm when this assertion fails
1974         as we just execute the slow path. This patch removes the assertion. (However, this
1975         does shed light on the deficiency in our exec->lexicalGlobalObject() function with
1976         respect to inlining. However, this isn't new -- we've known about this for a while.)
1977
1978         * jit/JITOperations.cpp:
1979
1980 2019-04-11  Michael Saboff  <msaboff@apple.com>
1981
1982         Improve the Inline Cache Stats code
1983         https://bugs.webkit.org/show_bug.cgi?id=196836
1984
1985         Reviewed by Saam Barati.
1986
1987         Needed to handle the case where the Identifier could be null, for example with InstanceOfAddAccessCase
1988         and InstanceOfReplaceWithJump.
1989
1990         Added the ability to log the location of a GetBy and PutBy property as either on self or up the
1991         prototype chain.
1992
1993         * jit/ICStats.cpp:
1994         (JSC::ICEvent::operator< const):
1995         (JSC::ICEvent::dump const):
1996         * jit/ICStats.h:
1997         (JSC::ICEvent::ICEvent):
1998         (JSC::ICEvent::hash const):
1999         * jit/JITOperations.cpp:
2000         * jit/Repatch.cpp:
2001         (JSC::tryCacheGetByID):
2002         (JSC::tryCachePutByID):
2003         (JSC::tryCacheInByID):
2004
2005 2019-04-11  Devin Rousso  <drousso@apple.com>
2006
2007         Web Inspector: Timelines: can't reliably stop/start a recording
2008         https://bugs.webkit.org/show_bug.cgi?id=196778
2009         <rdar://problem/47606798>
2010
2011         Reviewed by Timothy Hatcher.
2012
2013         * inspector/protocol/ScriptProfiler.json:
2014         * inspector/protocol/Timeline.json:
2015         It is possible to determine when programmatic capturing starts/stops in the frontend based
2016         on the state when the backend causes the state to change, such as if the state is "inactive"
2017         when the frontend is told that the backend has started capturing.
2018
2019         * inspector/protocol/CPUProfiler.json:
2020         * inspector/protocol/Memory.json:
2021         Send an end timestamp to match other instruments.
2022
2023         * inspector/JSGlobalObjectConsoleClient.cpp:
2024         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
2025         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
2026
2027         * inspector/agents/InspectorScriptProfilerAgent.h:
2028         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2029         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2030         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
2031         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
2032
2033 2019-04-11  Saam barati  <sbarati@apple.com>
2034
2035         Rename SetArgument to SetArgumentDefinitely
2036         https://bugs.webkit.org/show_bug.cgi?id=196828
2037
2038         Reviewed by Yusuke Suzuki.
2039
2040         This is in preparation for https://bugs.webkit.org/show_bug.cgi?id=196712
2041         where we will introduce a node named SetArgumentMaybe. Doing this refactoring
2042         first will make reviewing that other patch easier.
2043
2044         * dfg/DFGAbstractInterpreterInlines.h:
2045         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2046         * dfg/DFGByteCodeParser.cpp:
2047         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
2048         (JSC::DFG::ByteCodeParser::parseBlock):
2049         * dfg/DFGCPSRethreadingPhase.cpp:
2050         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2051         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
2052         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
2053         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
2054         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
2055         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
2056         (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
2057         * dfg/DFGClobberize.h:
2058         (JSC::DFG::clobberize):
2059         * dfg/DFGCommon.h:
2060         * dfg/DFGDoesGC.cpp:
2061         (JSC::DFG::doesGC):
2062         * dfg/DFGFixupPhase.cpp:
2063         (JSC::DFG::FixupPhase::fixupNode):
2064         * dfg/DFGGraph.cpp:
2065         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2066         * dfg/DFGGraph.h:
2067         * dfg/DFGInPlaceAbstractState.cpp:
2068         (JSC::DFG::InPlaceAbstractState::initialize):
2069         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2070         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
2071         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
2072         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2073         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2074         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
2075         * dfg/DFGMayExit.cpp:
2076         * dfg/DFGNode.cpp:
2077         (JSC::DFG::Node::hasVariableAccessData):
2078         * dfg/DFGNode.h:
2079         (JSC::DFG::Node::convertPhantomToPhantomLocal):
2080         * dfg/DFGNodeType.h:
2081         * dfg/DFGOSREntrypointCreationPhase.cpp:
2082         (JSC::DFG::OSREntrypointCreationPhase::run):
2083         * dfg/DFGPhantomInsertionPhase.cpp:
2084         * dfg/DFGPredictionPropagationPhase.cpp:
2085         * dfg/DFGSSAConversionPhase.cpp:
2086         (JSC::DFG::SSAConversionPhase::run):
2087         * dfg/DFGSafeToExecute.h:
2088         (JSC::DFG::safeToExecute):
2089         * dfg/DFGSpeculativeJIT.cpp:
2090         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2091         * dfg/DFGSpeculativeJIT32_64.cpp:
2092         (JSC::DFG::SpeculativeJIT::compile):
2093         * dfg/DFGSpeculativeJIT64.cpp:
2094         (JSC::DFG::SpeculativeJIT::compile):
2095         * dfg/DFGTypeCheckHoistingPhase.cpp:
2096         (JSC::DFG::TypeCheckHoistingPhase::run):
2097         * dfg/DFGValidate.cpp:
2098         * ftl/FTLCapabilities.cpp:
2099         (JSC::FTL::canCompile):
2100
2101 2019-04-11  Truitt Savell  <tsavell@apple.com>
2102
2103         Unreviewed, rolling out r244158.
2104
2105         Caused 8 inspector/timeline/ test failures.
2106
2107         Reverted changeset:
2108
2109         "Web Inspector: Timelines: can't reliably stop/start a
2110         recording"
2111         https://bugs.webkit.org/show_bug.cgi?id=196778
2112         https://trac.webkit.org/changeset/244158
2113
2114 2019-04-10  Saam Barati  <sbarati@apple.com>
2115
2116         AbstractValue::validateOSREntryValue is wrong for Int52 constants
2117         https://bugs.webkit.org/show_bug.cgi?id=196801
2118         <rdar://problem/49771122>
2119
2120         Reviewed by Yusuke Suzuki.
2121
2122         validateOSREntryValue should not care about the format of the incoming
2123         value for Int52s. This patch normalizes the format of m_value and
2124         the incoming value when comparing them.
2125
2126         * dfg/DFGAbstractValue.h:
2127         (JSC::DFG::AbstractValue::validateOSREntryValue const):
2128
2129 2019-04-10  Saam Barati  <sbarati@apple.com>
2130
2131         ArithSub over Int52 has shouldCheckOverflow as always true
2132         https://bugs.webkit.org/show_bug.cgi?id=196796
2133
2134         Reviewed by Yusuke Suzuki.
2135
2136         AI was checking for ArithSub over Int52 if !shouldCheckOverflow. However,
2137         shouldCheckOverflow is always true, so !shouldCheckOverflow is always
2138         false. We shouldn't check something we assert against.
2139
2140         * dfg/DFGAbstractInterpreterInlines.h:
2141         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2142
2143 2019-04-10  Basuke Suzuki  <basuke.suzuki@sony.com>
2144
2145         [PlayStation] Specify byte order clearly on Remote Inspector Protocol
2146         https://bugs.webkit.org/show_bug.cgi?id=196790
2147
2148         Reviewed by Ross Kirsling.
2149
2150         The original implementation lacks a byte order specification. Network byte order is a
2151         good candidate if there's no strong reason to choose another.
2152         Currently no client exists for the PlayStation remote inspector protocol, so we can
2153         change the byte order without care.
2154
2155         * inspector/remote/playstation/RemoteInspectorMessageParserPlayStation.cpp:
2156         (Inspector::MessageParser::createMessage):
2157         (Inspector::MessageParser::parse):
2158
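The entry above fixes the byte order of the PlayStation remote inspector framing. As an added illustration, not WebKit's RemoteInspectorMessageParserPlayStation code, here is a length-prefixed encoder and parser that always writes and reads the length field in network (big-endian) order, refuses oversized declared lengths before waiting for or allocating them, and keeps a trailing partial frame for the next read. The frame layout (4-byte length followed by the payload) and the `MAX_PAYLOAD` cap are assumptions made for this example; the `littleEndian` parameter of `parse` exists only to show what a byte-order mismatch does to the declared length.

```javascript
// Added example, not WebKit's RemoteInspectorMessageParserPlayStation code.
// Frame layout assumed here: [uint32 payload length, network byte order][payload bytes].
const HEADER_SIZE = 4;
const MAX_PAYLOAD = 16 * 1024 * 1024; // refuse absurd lengths before allocating or waiting for them

// Encode one UTF-8 message as a frame. `false` in setUint32 selects big-endian,
// i.e. network byte order, independent of the host CPU.
function createMessage(text) {
  const payload = new TextEncoder().encode(text);
  if (payload.length > MAX_PAYLOAD) throw new RangeError("payload too large");
  const frame = new Uint8Array(HEADER_SIZE + payload.length);
  new DataView(frame.buffer).setUint32(0, payload.length, false);
  frame.set(payload, HEADER_SIZE);
  return frame;
}

// Consume every complete frame in `buffer`. Returns the decoded messages and the
// number of bytes consumed so the caller can retain a trailing partial frame.
// `littleEndian` exists only so the example can show a byte-order mismatch;
// a real parser would hard-code network order.
function parse(buffer, littleEndian = false) {
  const view = new DataView(buffer.buffer, buffer.byteOffset, buffer.byteLength);
  const messages = [];
  let offset = 0;
  while (buffer.length - offset >= HEADER_SIZE) {
    const length = view.getUint32(offset, littleEndian);
    if (length > MAX_PAYLOAD) throw new RangeError(`declared length ${length} exceeds limit`);
    if (buffer.length - offset - HEADER_SIZE < length) break; // incomplete frame, wait for more data
    const start = offset + HEADER_SIZE;
    messages.push(new TextDecoder().decode(buffer.subarray(start, start + length)));
    offset = start + length;
  }
  return { messages, consumed: offset };
}

// Join frames, as a single socket read might deliver them.
function concatFrames(frames) {
  const out = new Uint8Array(frames.reduce((n, f) => n + f.length, 0));
  let pos = 0;
  for (const f of frames) { out.set(f, pos); pos += f.length; }
  return out;
}

// Reading the same header with the wrong byte order: a length of 5 becomes 0x05000000.
function lengthReadAsLittleEndian(frame) {
  return new DataView(frame.buffer, frame.byteOffset, frame.byteLength).getUint32(0, true);
}
```

The mismatch case is the practical reason to pin the order: a 5-byte message read with the other endianness declares an 83 MB payload, which the cap rejects instead of the parser waiting forever or allocating on the attacker's say-so.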
2159 2019-04-10  Devin Rousso  <drousso@apple.com>
2160
2161         Web Inspector: Inspector: lazily create the agent
2162         https://bugs.webkit.org/show_bug.cgi?id=195971
2163         <rdar://problem/49039645>
2164
2165         Reviewed by Joseph Pecoraro.
2166
2167         * inspector/JSGlobalObjectInspectorController.cpp:
2168         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2169         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2170         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
2171         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
2172
2173         * inspector/agents/InspectorAgent.h:
2174         * inspector/agents/InspectorAgent.cpp:
2175
2176 2019-04-10  Saam Barati  <sbarati@apple.com>
2177
2178         Work around an arm64_32 LLVM miscompile bug
2179         https://bugs.webkit.org/show_bug.cgi?id=196788
2180
2181         Reviewed by Yusuke Suzuki.
2182
2183         * runtime/CachedTypes.cpp:
2184
2185 2019-04-10  Devin Rousso  <drousso@apple.com>
2186
2187         Web Inspector: Timelines: can't reliably stop/start a recording
2188         https://bugs.webkit.org/show_bug.cgi?id=196778
2189         <rdar://problem/47606798>
2190
2191         Reviewed by Timothy Hatcher.
2192
2193         * inspector/protocol/ScriptProfiler.json:
2194         * inspector/protocol/Timeline.json:
2195         It is possible to determine when programmatic capturing starts/stops in the frontend based
2196         on the state when the backend causes the state to change, such as if the state is "inactive"
2197         when the frontend is told that the backend has started capturing.
2198
2199         * inspector/protocol/CPUProfiler.json:
2200         * inspector/protocol/Memory.json:
2201         Send an end timestamp to match other instruments.
2202
2203         * inspector/JSGlobalObjectConsoleClient.cpp:
2204         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
2205         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
2206
2207         * inspector/agents/InspectorScriptProfilerAgent.h:
2208         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2209         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2210         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
2211         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
2212
2213 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
2214
2215         Unreviewed, fix watch build after r244143
2216         https://bugs.webkit.org/show_bug.cgi?id=195000
2217
2218         The result of `lseek` should be `off_t` rather than `int`.
2219
2220         * jsc.cpp:
2221
2222 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
2223
2224         Add support for incremental bytecode cache updates
2225         https://bugs.webkit.org/show_bug.cgi?id=195000
2226
2227         Reviewed by Filip Pizlo.
2228
2229         Add support for incremental updates to the bytecode cache. The cache
2230         is constructed as follows:
2231         - When the cache is empty, the initial payload can be added to the BytecodeCache
2232         by calling BytecodeCache::addGlobalUpdate. This represents the encoded
2233         top-level UnlinkedCodeBlock.
2234         - Afterwards, updates can be added by calling BytecodeCache::addFunctionUpdate.
2235         The update is applied by appending the encoded UnlinkedFunctionCodeBlock
2236         to the existing cache and updating the CachedFunctionExecutableMetadata
2237         and the offset of the new CachedFunctionCodeBlock in the owner CachedFunctionExecutable.
2238
2239         * API/JSScript.mm:
2240         (-[JSScript readCache]):
2241         (-[JSScript isUsingBytecodeCache]):
2242         (-[JSScript init]):
2243         (-[JSScript cachedBytecode]):
2244         (-[JSScript writeCache:]):
2245         * API/JSScriptInternal.h:
2246         * API/JSScriptSourceProvider.h:
2247         * API/JSScriptSourceProvider.mm:
2248         (JSScriptSourceProvider::cachedBytecode const):
2249         * CMakeLists.txt:
2250         * JavaScriptCore.xcodeproj/project.pbxproj:
2251         * Sources.txt:
2252         * bytecode/UnlinkedFunctionExecutable.cpp:
2253         (JSC::generateUnlinkedFunctionCodeBlock):
2254         * jsc.cpp:
2255         (ShellSourceProvider::~ShellSourceProvider):
2256         (ShellSourceProvider::cachePath const):
2257         (ShellSourceProvider::loadBytecode const):
2258         (ShellSourceProvider::ShellSourceProvider):
2259         (ShellSourceProvider::cacheEnabled):
2260         * parser/SourceProvider.h:
2261         (JSC::SourceProvider::cachedBytecode const):
2262         (JSC::SourceProvider::updateCache const):
2263         (JSC::SourceProvider::commitCachedBytecode const):
2264         * runtime/CachePayload.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
2265         (JSC::CachePayload::makeMappedPayload):
2266         (JSC::CachePayload::makeMallocPayload):
2267         (JSC::CachePayload::makeEmptyPayload):
2268         (JSC::CachePayload::CachePayload):
2269         (JSC::CachePayload::~CachePayload):
2270         (JSC::CachePayload::operator=):
2271         (JSC::CachePayload::freeData):
2272         * runtime/CachePayload.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
2273         (JSC::CachePayload::data const):
2274         (JSC::CachePayload::size const):
2275         (JSC::CachePayload::CachePayload):
2276         * runtime/CacheUpdate.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
2277         (JSC::CacheUpdate::CacheUpdate):
2278         (JSC::CacheUpdate::operator=):
2279         (JSC::CacheUpdate::isGlobal const):
2280         (JSC::CacheUpdate::asGlobal const):
2281         (JSC::CacheUpdate::asFunction const):
2282         * runtime/CacheUpdate.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
2283         * runtime/CachedBytecode.cpp: Added.
2284         (JSC::CachedBytecode::addGlobalUpdate):
2285         (JSC::CachedBytecode::addFunctionUpdate):
2286         (JSC::CachedBytecode::copyLeafExecutables):
2287         (JSC::CachedBytecode::commitUpdates const):
2288         * runtime/CachedBytecode.h: Added.
2289         (JSC::CachedBytecode::create):
2290         (JSC::CachedBytecode::leafExecutables):
2291         (JSC::CachedBytecode::data const):
2292         (JSC::CachedBytecode::size const):
2293         (JSC::CachedBytecode::hasUpdates const):
2294         (JSC::CachedBytecode::sizeForUpdate const):
2295         (JSC::CachedBytecode::CachedBytecode):
2296         * runtime/CachedTypes.cpp:
2297         (JSC::Encoder::addLeafExecutable):
2298         (JSC::Encoder::release):
2299         (JSC::Decoder::Decoder):
2300         (JSC::Decoder::create):
2301         (JSC::Decoder::size const):
2302         (JSC::Decoder::offsetOf):
2303         (JSC::Decoder::ptrForOffsetFromBase):
2304         (JSC::Decoder::addLeafExecutable):
2305         (JSC::VariableLengthObject::VariableLengthObject):
2306         (JSC::VariableLengthObject::buffer const):
2307         (JSC::CachedPtrOffsets::offsetOffset):
2308         (JSC::CachedWriteBarrierOffsets::ptrOffset):
2309         (JSC::CachedFunctionExecutable::features const):
2310         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
2311         (JSC::CachedFunctionExecutableOffsets::codeBlockForCallOffset):
2312         (JSC::CachedFunctionExecutableOffsets::codeBlockForConstructOffset):
2313         (JSC::CachedFunctionExecutableOffsets::metadataOffset):
2314         (JSC::CachedFunctionExecutable::encode):
2315         (JSC::CachedFunctionExecutable::decode const):
2316         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2317         (JSC::encodeCodeBlock):
2318         (JSC::encodeFunctionCodeBlock):
2319         (JSC::decodeCodeBlockImpl):
2320         (JSC::isCachedBytecodeStillValid):
2321         * runtime/CachedTypes.h:
2322         (JSC::VariableLengthObjectBase::VariableLengthObjectBase):
2323         (JSC::decodeCodeBlock):
2324         * runtime/CodeCache.cpp:
2325         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2326         (JSC::CodeCache::updateCache):
2327         (JSC::CodeCache::write):
2328         (JSC::writeCodeBlock):
2329         (JSC::serializeBytecode):
2330         * runtime/CodeCache.h:
2331         (JSC::SourceCodeValue::SourceCodeValue):
2332         (JSC::CodeCacheMap::findCacheAndUpdateAge):
2333         (JSC::CodeCacheMap::fetchFromDiskImpl):
2334         * runtime/Completion.cpp:
2335         (JSC::generateProgramBytecode):
2336         (JSC::generateModuleBytecode):
2337         * runtime/Completion.h:
2338         * runtime/LeafExecutable.cpp: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
2339         (JSC::LeafExecutable::operator+ const):
2340         * runtime/LeafExecutable.h: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
2341         (JSC::LeafExecutable::LeafExecutable):
2342         (JSC::LeafExecutable::base const):
2343
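The entry above describes the cache as a first global payload followed by appended function updates, each of which patches the owner's offset. As an added example, not JavaScriptCore's CachedBytecode implementation, here is a small model of that append-only layout together with the read side: because the cache is loaded from disk, the reader checks the header, the function count, every slot, offset and length against the buffer size before dereferencing anything. The magic bytes, the slot table, the big-endian uint32 fields and the names `CachedBytecodeModel` and `decodeCodeBlock` are this example's own assumptions.

```javascript
// Added example, not JavaScriptCore's CachedBytecode. Models an append-only cache:
//   [global payload: 4-byte magic, uint32 function count, one uint32 slot per function]
//   [update][update]...   where each update is [uint32 length][encoded code block]
// A slot of 0 means "not cached yet". All layout details are this model's choices.
const MAGIC = [0x4a, 0x53, 0x43, 0x42]; // "JSCB", a constructed marker
const U32 = 4;
const HEADER = MAGIC.length + U32; // magic + function count

function writeU32(bytes, offset, value) {
  new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength).setUint32(offset, value, false);
}
function readU32(bytes, offset) {
  return new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength).getUint32(offset, false);
}

class CachedBytecodeModel {
  constructor() { this.bytes = new Uint8Array(0); this.functionCount = 0; }

  // First write: the top-level payload, reduced here to a slot table with one
  // entry per leaf function executable. Slots start at 0 (nothing cached).
  addGlobalUpdate(functionCount) {
    if (this.bytes.length !== 0) throw new Error("global update must be the first write");
    this.functionCount = functionCount;
    this.bytes = new Uint8Array(HEADER + functionCount * U32);
    this.bytes.set(MAGIC, 0);
    writeU32(this.bytes, MAGIC.length, functionCount);
  }

  // Later writes: append one encoded function code block and patch the owner's
  // slot to its offset. Existing bytes are never moved, only extended.
  addFunctionUpdate(functionIndex, encodedCodeBlock) {
    if (functionIndex >= this.functionCount) throw new RangeError("unknown function index");
    const slot = HEADER + functionIndex * U32;
    if (readU32(this.bytes, slot) !== 0) throw new Error("function already cached");
    const offset = this.bytes.length;
    const grown = new Uint8Array(offset + U32 + encodedCodeBlock.length);
    grown.set(this.bytes, 0);
    writeU32(grown, offset, encodedCodeBlock.length);
    grown.set(encodedCodeBlock, offset + U32);
    writeU32(grown, slot, offset);
    this.bytes = grown;
  }
}

// Reader: `bytes` came from disk, so every field is validated against the buffer
// before it is dereferenced. Returns null when the function has no cached code
// block (caller compiles from source) and throws on any inconsistency.
function decodeCodeBlock(bytes, functionIndex) {
  if (bytes.length < HEADER || !MAGIC.every((b, i) => bytes[i] === b)) throw new Error("bad header");
  const functionCount = readU32(bytes, MAGIC.length);
  if (functionIndex >= functionCount) throw new RangeError("unknown function index");
  const slot = HEADER + functionIndex * U32;
  if (slot + U32 > bytes.length) throw new RangeError("slot table overruns cache");
  const offset = readU32(bytes, slot);
  if (offset === 0) return null;
  const tableEnd = HEADER + functionCount * U32;
  if (offset < tableEnd || offset + U32 > bytes.length) throw new RangeError("offset outside cache");
  const length = readU32(bytes, offset);
  if (length > bytes.length - offset - U32) throw new RangeError("code block overruns cache");
  return bytes.subarray(offset + U32, offset + U32 + length);
}
```

The writer side only ever grows the buffer, which is what lets later updates be appended without rewriting earlier ones; the reader side is where a tampered or truncated file is caught.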
2344 2019-04-10  Michael Catanzaro  <mcatanzaro@igalia.com>
2345
2346         Unreviewed, rolling out r243989.
2347
2348         Broke i686 builds
2349
2350         Reverted changeset:
2351
2352         "[CMake] Detect SSE2 at compile time"
2353         https://bugs.webkit.org/show_bug.cgi?id=196488
2354         https://trac.webkit.org/changeset/243989
2355
2356 2019-04-10  Robin Morisset  <rmorisset@apple.com>
2357
2358         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
2359         https://bugs.webkit.org/show_bug.cgi?id=196746
2360
2361         Reviewed by Yusuke Suzuki.
2362
2363         It should be safe as in that case we are not completing the operation, and so are not going to have any buffer overflow.
2364
2365         * runtime/ObjectConstructor.cpp:
2366         (JSC::defineProperties):
2367
2368 2019-04-10  Antoine Quint  <graouts@apple.com>
2369
2370         Enable Pointer Events on watchOS
2371         https://bugs.webkit.org/show_bug.cgi?id=196771
2372         <rdar://problem/49040909>
2373
2374         Reviewed by Dean Jackson.
2375
2376         * Configurations/FeatureDefines.xcconfig:
2377
2378 2019-04-09  Keith Rollin  <krollin@apple.com>
2379
2380         Unreviewed build maintenance -- update .xcfilelists.
2381
2382         * DerivedSources-input.xcfilelist:
2383
2384 2019-04-09  Ross Kirsling  <ross.kirsling@sony.com>
2385
2386         JSC should build successfully even with -DENABLE_UNIFIED_BUILDS=OFF
2387         https://bugs.webkit.org/show_bug.cgi?id=193073
2388
2389         Reviewed by Keith Miller.
2390
2391         * bytecompiler/BytecodeGenerator.cpp:
2392         (JSC::BytecodeGenerator::emitEqualityOpImpl):
2393         (JSC::BytecodeGenerator::emitEqualityOp): Deleted.
2394         * bytecompiler/BytecodeGenerator.h:
2395         (JSC::BytecodeGenerator::emitEqualityOp):
2396         Factor out the logic that uses the template parameter and keep it in the header.
2397
2398         * jit/JITPropertyAccess.cpp:
2399         List off the template specializations needed by JITOperations.cpp.
2400         This is unfortunate but at least there are only two (x2) by definition?
2401         Trying to do away with this incurs a severe domino effect...
2402
2403         * API/JSValueRef.cpp:
2404         * b3/B3OptimizeAssociativeExpressionTrees.cpp:
2405         * b3/air/AirHandleCalleeSaves.cpp:
2406         * builtins/BuiltinNames.cpp:
2407         * bytecode/AccessCase.cpp:
2408         * bytecode/BytecodeIntrinsicRegistry.cpp:
2409         * bytecode/BytecodeIntrinsicRegistry.h:
2410         * bytecode/BytecodeRewriter.cpp:
2411         * bytecode/BytecodeUseDef.h:
2412         * bytecode/CodeBlock.cpp:
2413         * bytecode/InstanceOfAccessCase.cpp:
2414         * bytecode/MetadataTable.cpp:
2415         * bytecode/PolyProtoAccessChain.cpp:
2416         * bytecode/StructureSet.cpp:
2417         * bytecompiler/NodesCodegen.cpp:
2418         * dfg/DFGCFAPhase.cpp:
2419         * dfg/DFGPureValue.cpp:
2420         * heap/GCSegmentedArray.h:
2421         * heap/HeapInlines.h:
2422         * heap/IsoSubspace.cpp:
2423         * heap/LocalAllocator.cpp:
2424         * heap/LocalAllocator.h:
2425         * heap/LocalAllocatorInlines.h:
2426         * heap/MarkingConstraintSolver.cpp:
2427         * inspector/ScriptArguments.cpp:
2428         (Inspector::ScriptArguments::isEqual const):
2429         * inspector/ScriptCallStackFactory.cpp:
2430         * interpreter/CallFrame.h:
2431         * interpreter/Interpreter.cpp:
2432         * interpreter/StackVisitor.cpp:
2433         * llint/LLIntEntrypoint.cpp:
2434         * runtime/ArrayIteratorPrototype.cpp:
2435         * runtime/BigIntPrototype.cpp:
2436         * runtime/CachedTypes.cpp:
2437         * runtime/ErrorType.cpp:
2438         * runtime/IndexingType.cpp:
2439         * runtime/JSCellInlines.h:
2440         * runtime/JSImmutableButterfly.h:
2441         * runtime/Operations.h:
2442         * runtime/RegExpCachedResult.cpp:
2443         * runtime/RegExpConstructor.cpp:
2444         * runtime/RegExpGlobalData.cpp:
2445         * runtime/StackFrame.h:
2446         * wasm/WasmSignature.cpp:
2447         * wasm/js/JSToWasm.cpp:
2448         * wasm/js/JSToWasmICCallee.cpp:
2449         * wasm/js/WebAssemblyFunction.h:
2450         Fix includes / forward declarations (and a couple of nearby clang warnings).
2451
2452 2019-04-09  Don Olmstead  <don.olmstead@sony.com>
2453
2454         [CMake] Apple builds should use ICU_INCLUDE_DIRS
2455         https://bugs.webkit.org/show_bug.cgi?id=196720
2456
2457         Reviewed by Konstantin Tokarev.
2458
2459         * PlatformMac.cmake:
2460
2461 2019-04-09  Saam barati  <sbarati@apple.com>
2462
2463         Clean up Int52 code and some bugs in it
2464         https://bugs.webkit.org/show_bug.cgi?id=196639
2465         <rdar://problem/49515757>
2466
2467         Reviewed by Yusuke Suzuki.
2468
2469         This patch fixes bugs in our Int52 code. The primary change in this patch is
2470         adopting a segregated type lattice for Int52. Previously, for Int52 values,
2471         we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
2472         SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
2473         that the value is outside of the int32 range.
2474         
2475         However, this got confusing because we reused SpecInt32Only both for JSValue
2476         representations and Int52 representations. This actually led to some bugs.
2477         
2478         1. It's possible that roundtripping through Int52 representation would say
2479         it produces the wrong type. For example, consider this program and how we
2480         used to annotate types in AI:
2481         a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
2482         b: Int52Rep(@a) => m_type is SpecInt52Only
2483         c: ValueRep(@b) => m_type is SpecAnyIntAsDouble
2484         
2485         In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
2486         However, the execution semantics are such that it'd actually produce a boxed
2487         Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
2488         would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
2489         mean an int value in either int32 or int52 range.
2490         
2491         2. AbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it
2492         accepted Int52 values. It was wrong in two different ways:
2493         a: If the AbstractValue's type was SpecInt52Only, and the incoming value
2494         was a boxed double, but represented a value in int32 range, the incoming
2495         value would incorrectly validate as being acceptable. However, we should
2496         have rejected this value.
2497         b: If the AbstractValue's type was SpecInt32Only, and the incoming value
2498         was an Int32 boxed in a double, this would not validate, even though
2499         it should have validated.
2500         
2501         Solving 2 was easiest if we segregated out the Int52 type into its own
2502         lattice. This patch makes a new Int52 lattice, which is composed of
2503         SpecInt32AsInt52 and SpecNonInt32AsInt52.
2504         
2505         The conversion rules are now really simple.
2506         
2507         Int52 rep => JSValue rep
2508         SpecInt32AsInt52 => SpecInt32Only
2509         SpecNonInt32AsInt52 => SpecAnyIntAsDouble
2510         
2511         JSValue rep => Int52 rep
2512         SpecInt32Only => SpecInt32AsInt52
2513         SpecAnyIntAsDouble => SpecInt52Any
2514         
2515         With these rules, the program in (1) will now correctly report that @c
2516         returns SpecInt32Only | SpecAnyIntAsDouble.
2517
2518         * bytecode/SpeculatedType.cpp:
2519         (JSC::dumpSpeculation):
2520         (JSC::speculationToAbbreviatedString):
2521         (JSC::int52AwareSpeculationFromValue):
2522         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
2523         (JSC::speculationFromString):
2524         * bytecode/SpeculatedType.h:
2525         (JSC::isInt32SpeculationForArithmetic):
2526         (JSC::isInt32OrBooleanSpeculationForArithmetic):
2527         (JSC::isAnyInt52Speculation):
2528         (JSC::isIntAnyFormat):
2529         (JSC::isInt52Speculation): Deleted.
2530         (JSC::isAnyIntSpeculation): Deleted.
2531         * dfg/DFGAbstractInterpreterInlines.h:
2532         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2533         * dfg/DFGAbstractValue.cpp:
2534         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2535         (JSC::DFG::AbstractValue::checkConsistency const):
2536         * dfg/DFGAbstractValue.h:
2537         (JSC::DFG::AbstractValue::isInt52Any const):
2538         (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
2539         * dfg/DFGFixupPhase.cpp:
2540         (JSC::DFG::FixupPhase::fixupArithMul):
2541         (JSC::DFG::FixupPhase::fixupNode):
2542         (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
2543         (JSC::DFG::FixupPhase::fixupToThis):
2544         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
2545         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2546         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
2547         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
2548         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2549         (JSC::DFG::FixupPhase::fixupChecksInBlock):
2550         * dfg/DFGGraph.h:
2551         (JSC::DFG::Graph::addShouldSpeculateInt52):
2552         (JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
2553         (JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
2554         (JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
2555         (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
2556         (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.
2557         * dfg/DFGNode.h:
2558         (JSC::DFG::Node::shouldSpeculateInt52):
2559         (JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.
2560         * dfg/DFGPredictionPropagationPhase.cpp:
2561         * dfg/DFGSpeculativeJIT.cpp:
2562         (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
2563         (JSC::DFG::SpeculativeJIT::compileArithAdd):
2564         (JSC::DFG::SpeculativeJIT::compileArithSub):
2565         (JSC::DFG::SpeculativeJIT::compileArithNegate):
2566         * dfg/DFGSpeculativeJIT64.cpp:
2567         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2568         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2569         * dfg/DFGUseKind.h:
2570         (JSC::DFG::typeFilterFor):
2571         * dfg/DFGVariableAccessData.cpp:
2572         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2573         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
2574         * ftl/FTLLowerDFGToB3.cpp:
2575         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2576         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2577         (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):
2578
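The conversion rules and the three-node program in the entry above can be checked mechanically. As an added example, not JavaScriptCore's SpeculatedType code, here is a bit-set model of both lattices with the old and the new conversion functions, the program a/b/c run through each, and a soundness check against what boxing an Int52 actually produces at runtime. The bit values are the model's own, SpecInt52Any is assumed to be the union of the two Int52 bits, and the runtime rule (int32 range boxes as Int32, otherwise as an integer-valued double) is taken from the entry's description of the execution semantics.

```javascript
// Added example, not JavaScriptCore's SpeculatedType code. The bit values are
// this model's own; the conversion rules are the ones listed in the entry above,
// and SpecInt52Any is assumed to be the union of the two Int52 lattice bits.
const SpecInt32Only       = 1 << 0; // JSValue rep: boxed int32
const SpecAnyIntAsDouble  = 1 << 1; // JSValue rep: integer-valued double
const SpecInt32AsInt52    = 1 << 2; // Int52 rep: value in int32 range
const SpecNonInt32AsInt52 = 1 << 3; // Int52 rep: value outside int32 range
const SpecInt52Any = SpecInt32AsInt52 | SpecNonInt32AsInt52;
const OldSpecInt52Only    = 1 << 4; // pre-patch lattice: Int52 rep, outside int32 range

const NAMES = [
  [SpecInt32Only, "SpecInt32Only"], [SpecAnyIntAsDouble, "SpecAnyIntAsDouble"],
  [SpecInt32AsInt52, "SpecInt32AsInt52"], [SpecNonInt32AsInt52, "SpecNonInt32AsInt52"],
  [OldSpecInt52Only, "SpecInt52Only"],
];
function dumpSpeculation(type) {
  const parts = NAMES.filter(([bit]) => type & bit).map(([, name]) => name);
  return parts.length ? parts.join("|") : "None";
}

// New rules. JSValue rep => Int52 rep:
//   SpecInt32Only => SpecInt32AsInt52, SpecAnyIntAsDouble => SpecInt52Any
function int52RepFromJSValueRep(type) {
  let out = 0;
  if (type & SpecInt32Only) out |= SpecInt32AsInt52;
  if (type & SpecAnyIntAsDouble) out |= SpecInt52Any;
  return out;
}
// New rules. Int52 rep => JSValue rep:
//   SpecInt32AsInt52 => SpecInt32Only, SpecNonInt32AsInt52 => SpecAnyIntAsDouble
function jsValueRepFromInt52Rep(type) {
  let out = 0;
  if (type & SpecInt32AsInt52) out |= SpecInt32Only;
  if (type & SpecNonInt32AsInt52) out |= SpecAnyIntAsDouble;
  return out;
}

// Old rules as the entry describes them: SpecInt32Only was reused unchanged in
// both representations, and Int52Rep over SpecAnyIntAsDouble gave SpecInt52Only.
function oldInt52RepFromJSValueRep(type) {
  let out = 0;
  if (type & SpecInt32Only) out |= SpecInt32Only;
  if (type & SpecAnyIntAsDouble) out |= OldSpecInt52Only;
  return out;
}
function oldJSValueRepFromInt52Rep(type) {
  let out = 0;
  if (type & SpecInt32Only) out |= SpecInt32Only;
  if (type & OldSpecInt52Only) out |= SpecAnyIntAsDouble;
  return out;
}

// The program from the entry: a = JSConstant(10.0), b = Int52Rep(a), c = ValueRep(b).
function typeOfC(useNewRules) {
  const a = SpecAnyIntAsDouble;
  const b = useNewRules ? int52RepFromJSValueRep(a) : oldInt52RepFromJSValueRep(a);
  return useNewRules ? jsValueRepFromInt52Rep(b) : oldJSValueRepFromInt52Rep(b);
}

// Execution semantics: boxing an Int52 yields a boxed Int32 when the value fits
// int32, otherwise an integer-valued double.
function runtimeJSValueRep(n) {
  if (!Number.isInteger(n) || Math.abs(n) >= 2 ** 51) throw new RangeError("outside Int52 range");
  return n >= -(2 ** 31) && n < 2 ** 31 ? SpecInt32Only : SpecAnyIntAsDouble;
}
// An abstract type is sound for a value only if it includes the value's runtime type.
function predictionIsSound(predictedType, n) {
  return (predictedType & runtimeJSValueRep(n)) !== 0;
}
```

Under the old rules @c is typed SpecAnyIntAsDouble, yet the constant 10.0 boxes back as an Int32, so the abstract type excludes the value that actually flows; under the new rules @c is SpecInt32Only|SpecAnyIntAsDouble and the check passes for values on both sides of the int32 boundary.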
2579 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
2580
2581         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
2582         https://bugs.webkit.org/show_bug.cgi?id=196708
2583         <rdar://problem/49556803>
2584
2585         Reviewed by Yusuke Suzuki.
2586
2587         `operationPutToScope` needs to return early if an exception is thrown while
2588         checking if `hasProperty`.
2589
2590         * jit/JITOperations.cpp:
2591
2592 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2593
2594         [JSC] DFG should respect node's strict flag
2595         https://bugs.webkit.org/show_bug.cgi?id=196617
2596
2597         Reviewed by Saam Barati.
2598
2599         We accidentally used codeBlock->isStrictMode() directly in DFG and FTL. But this is wrong since this CodeBlock is the top level DFG/FTL CodeBlock,
2600         and this code does not respect the isStrictMode flag for the inlined CodeBlocks. In this patch, we start using isStrictModeFor(CodeOrigin) consistently
2601         in DFG and FTL to get the right isStrictMode flag for the DFG node.
2602         We also split compilePutDynamicVar into compilePutDynamicVarStrict and compilePutDynamicVarNonStrict since (1) it is cleaner than accessing the inlined
2603         call frame in the operation function, and (2) it is aligned with the other functions like operationPutByValDirectNonStrict etc.
2604         This bug was discovered by RandomizingFuzzerAgent by expanding the DFG coverage.
2605
2606         * dfg/DFGAbstractInterpreterInlines.h:
2607         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2608         * dfg/DFGConstantFoldingPhase.cpp:
2609         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2610         * dfg/DFGFixupPhase.cpp:
2611         (JSC::DFG::FixupPhase::fixupToThis):
2612         * dfg/DFGOperations.cpp:
2613         * dfg/DFGOperations.h:
2614         * dfg/DFGPredictionPropagationPhase.cpp:
2615         * dfg/DFGSpeculativeJIT.cpp:
2616         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2617         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2618         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
2619         (JSC::DFG::SpeculativeJIT::compileToThis):
2620         * dfg/DFGSpeculativeJIT32_64.cpp:
2621         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2622         (JSC::DFG::SpeculativeJIT::compile):
2623         * dfg/DFGSpeculativeJIT64.cpp:
2624         (JSC::DFG::SpeculativeJIT::compile):
2625         * ftl/FTLLowerDFGToB3.cpp:
2626         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2627         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
2628
2629 2019-04-08  Don Olmstead  <don.olmstead@sony.com>
2630
2631         [CMake][WinCairo] Separate copied headers into different directories
2632         https://bugs.webkit.org/show_bug.cgi?id=196655
2633
2634         Reviewed by Michael Catanzaro.
2635
2636         * CMakeLists.txt:
2637         * shell/PlatformWin.cmake:
2638
2639 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2640
2641         [JSC] isRope jump in StringSlice should not jump over register allocations
2642         https://bugs.webkit.org/show_bug.cgi?id=196716
2643
2644         Reviewed by Saam Barati.
2645
2646         Jumping over the register allocation code in DFG (like the following) is wrong.
2647
2648             auto jump = m_jit.branchXXX();
2649             {
2650                 GPRTemporary reg(this);
2651                 GPRReg regGPR = reg.gpr();
2652                 ...
2653             }
2654             jump.link(&m_jit);
2655
2656         When GPRTemporary::gpr allocates a new register, it can flush the previous register value into the stack and make the register usable.
2657         Jumping over this register allocation code skips the flushing code, and makes the DFG's stack and register content tracking inconsistent:
2658         DFG thinks that the content is flushed and stored in a particular stack slot even while this flushing code is skipped.
2659         In this patch, we perform register allocations before jumping to the slow path based on the `isRope` condition in StringSlice.
2660
2661         * dfg/DFGSpeculativeJIT.cpp:
2662         (JSC::DFG::SpeculativeJIT::compileStringSlice):
2663
2664 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2665
2666         [JSC] to_index_string should not assume incoming value is Uint32
2667         https://bugs.webkit.org/show_bug.cgi?id=196713
2668
2669         Reviewed by Saam Barati.
2670
2671         The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
2672         this assumption since DFG may decide we should have it in double format. This patch removes this
2673         assumption; instead, we assume that the incoming value is AnyInt and that its range
2674         is within Uint32.
2675
2676         * runtime/CommonSlowPaths.cpp:
2677         (JSC::SLOW_PATH_DECL):
2678
2679 2019-04-08  Justin Fan  <justin_fan@apple.com>
2680
2681         [Web GPU] Fix Web GPU experimental feature on iOS
2682         https://bugs.webkit.org/show_bug.cgi?id=196632
2683
2684         Reviewed by Myles C. Maxfield.
2685
2686         Properly make Web GPU available on iOS 11+.
2687
2688         * Configurations/FeatureDefines.xcconfig:
2689         * Configurations/WebKitTargetConditionals.xcconfig:
2690
2691 2019-04-08  Ross Kirsling  <ross.kirsling@sony.com>
2692
2693         -f[no-]var-tracking-assignments is GCC-only
2694         https://bugs.webkit.org/show_bug.cgi?id=196699
2695
2696         Reviewed by Don Olmstead.
2697
2698         * CMakeLists.txt:
2699         Just remove the build flag altogether -- it supposedly doesn't solve the problem it was meant to
2700         and said problem evidently no longer occurs as of GCC 9.
2701
2702 2019-04-08  Saam Barati  <sbarati@apple.com>
2703
2704         WebAssembly.RuntimeError missing exception check
2705         https://bugs.webkit.org/show_bug.cgi?id=196700
2706         <rdar://problem/49693932>
2707
2708         Reviewed by Yusuke Suzuki.
2709
2710         * wasm/js/JSWebAssemblyRuntimeError.h:
2711         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2712         (JSC::constructJSWebAssemblyRuntimeError):
2713
2714 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2715
2716         Unreviewed, rolling in r243948 with test fix
2717         https://bugs.webkit.org/show_bug.cgi?id=196486
2718
2719         * parser/ASTBuilder.h:
2720         (JSC::ASTBuilder::createString):
2721         * parser/Lexer.cpp:
2722         (JSC::Lexer<T>::parseMultilineComment):
2723         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
2724         (JSC::Lexer<T>::lex): Deleted.
2725         * parser/Lexer.h:
2726         (JSC::Lexer::hasLineTerminatorBeforeToken const):
2727         (JSC::Lexer::setHasLineTerminatorBeforeToken):
2728         (JSC::Lexer<T>::lex):
2729         (JSC::Lexer::prevTerminator const): Deleted.
2730         (JSC::Lexer::setTerminator): Deleted.
2731         * parser/Parser.cpp:
2732         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
2733         (JSC::Parser<LexerType>::parseSingleFunction):
2734         (JSC::Parser<LexerType>::parseStatementListItem):
2735         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
2736         (JSC::Parser<LexerType>::parseFunctionInfo):
2737         (JSC::Parser<LexerType>::parseClass):
2738         (JSC::Parser<LexerType>::parseExportDeclaration):
2739         (JSC::Parser<LexerType>::parseAssignmentExpression):
2740         (JSC::Parser<LexerType>::parseYieldExpression):
2741         (JSC::Parser<LexerType>::parseProperty):
2742         (JSC::Parser<LexerType>::parsePrimaryExpression):
2743         (JSC::Parser<LexerType>::parseMemberExpression):
2744         * parser/Parser.h:
2745         (JSC::Parser::nextWithoutClearingLineTerminator):
2746         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
2747         (JSC::Parser::internalSaveLexerState):
2748         (JSC::Parser::restoreLexerState):
2749
2750 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2751
2752         Unreviewed, rolling out r243948.
2753
2754         Caused inspector/runtime/parse.html to fail
2755
2756         Reverted changeset:
2757
2758         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
2759         https://bugs.webkit.org/show_bug.cgi?id=196486
2760         https://trac.webkit.org/changeset/243948
2761
2762 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2763
2764         Unreviewed, rolling out r243943.
2765
2766         Caused test262 failures.
2767
2768         Reverted changeset:
2769
2770         "[JSC] Filter DontEnum properties in
2771         ProxyObject::getOwnPropertyNames()"
2772         https://bugs.webkit.org/show_bug.cgi?id=176810
2773         https://trac.webkit.org/changeset/243943
2774
2775 2019-04-08  Claudio Saavedra  <csaavedra@igalia.com>
2776
2777         [JSC] Partially fix the build with unified builds disabled
2778         https://bugs.webkit.org/show_bug.cgi?id=196647
2779
2780         Reviewed by Konstantin Tokarev.
2781
2782         If you disable unified builds you find all kinds of build
2783         errors. This partially tries to fix them, but there's a lot
2784         more.
2785
2786         * API/JSBaseInternal.h:
2787         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
2788         * b3/air/AirHandleCalleeSaves.h:
2789         * bytecode/ExecutableToCodeBlockEdge.cpp:
2790         * bytecode/ExitFlag.h:
2791         * bytecode/ICStatusUtils.h:
2792         * bytecode/UnlinkedMetadataTable.h:
2793         * dfg/DFGPureValue.h:
2794         * heap/IsoAlignedMemoryAllocator.cpp:
2795         * heap/IsoAlignedMemoryAllocator.h:
2796
2797 2019-04-08  Guillaume Emont  <guijemont@igalia.com>
2798
2799         Enable DFG on MIPS
2800         https://bugs.webkit.org/show_bug.cgi?id=196689
2801
2802         Reviewed by Žan Doberšek.
2803
2804         Since the bytecode change, we enabled the baseline JIT on mips in
2805         r240432, but DFG is still missing. With this change, all tests are
2806         passing on a ci20 board.
2807
2808         * jit/RegisterSet.cpp:
2809         (JSC::RegisterSet::calleeSaveRegisters):
2810         Added s0, which is used in llint.
2811
2812 2019-04-08  Xan Lopez  <xan@igalia.com>
2813
2814         [CMake] Detect SSE2 at compile time
2815         https://bugs.webkit.org/show_bug.cgi?id=196488
2816
2817         Reviewed by Carlos Garcia Campos.
2818
2819         * assembler/MacroAssemblerX86Common.cpp: Remove unnecessary (and
2820         incorrect) static_assert.
2821
2822 2019-04-07  Michael Saboff  <msaboff@apple.com>
2823
2824         REGRESSION (r243642): Crash in reddit.com page
2825         https://bugs.webkit.org/show_bug.cgi?id=196684
2826
2827         Reviewed by Geoffrey Garen.
2828
2829         In r243642, the code that saves and restores the count for non-greedy character classes
2830         was inadvertently put inside an if statement.  This code should be generated for all
2831         non-greedy character classes.
2832
2833         * yarr/YarrJIT.cpp:
2834         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
2835         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2836
2837 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
2838
2839         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
2840         https://bugs.webkit.org/show_bug.cgi?id=196683
2841
2842         Reviewed by Saam Barati.
2843
2844         In r243626, we stopped repatching CallLinkInfo when the CallLinkInfo is held by a jettisoned CodeBlock.
2845         But we still need to clear the Callee or CodeBlock since they are now dead. Otherwise, CodeBlock's
2846         visitWeak eventually accesses these dead cells and crashes because the owner CodeBlock of the CallLinkInfo
2847         can still be live.
2848
2849         We also move all repatching operations from CallLinkInfo.cpp to Repatch.cpp for consistency because the
2850         other repatching operations in CallLinkInfo are implemented in Repatch.cpp side.
2851
2852         * bytecode/CallLinkInfo.cpp:
2853         (JSC::CallLinkInfo::setCallee):
2854         (JSC::CallLinkInfo::clearCallee):
2855         * jit/Repatch.cpp:
2856         (JSC::linkFor):
2857         (JSC::revertCall):
2858
2859 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2860
2861         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
2862         https://bugs.webkit.org/show_bug.cgi?id=196582
2863
2864         Reviewed by Saam Barati.
2865
2866         In DFG, our ArithAdd with overflow is executed speculatively, and we recover the value when the overflow flag is set.
2867         The recovery subtracts the operand from the destination to get the original two operands. Our recovery code
2868         handles the A + B = A and A + B = B cases. But it misses the A + A = A case (here, A and B are GPRRegs). Our recovery code
2869         attempts to produce the original operand by performing A - A, and it always produces zero accidentally.
2870
2871         This patch adds the recovery code for the A + A = A case. Because we know that this ArithAdd overflows and the operands were
2872         the same value, we can calculate the original operand from the destination value by `((int32_t)value >> 1) ^ 0x80000000`.
2873
2874         We also found that FTL recovery code is dead. We remove them in this patch.
2875
2876         * dfg/DFGOSRExit.cpp:
2877         (JSC::DFG::OSRExit::executeOSRExit):
2878         (JSC::DFG::OSRExit::compileExit):
2879         * dfg/DFGOSRExit.h:
2880         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
2881         * dfg/DFGSpeculativeJIT.cpp:
2882         (JSC::DFG::SpeculativeJIT::compileArithAdd):
2883         * ftl/FTLExitValue.cpp:
2884         (JSC::FTL::ExitValue::dataFormat const):
2885         (JSC::FTL::ExitValue::dumpInContext const):
2886         * ftl/FTLExitValue.h:
2887         (JSC::FTL::ExitValue::isArgument const):
2888         (JSC::FTL::ExitValue::hasIndexInStackmapLocations const):
2889         (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset):
2890         (JSC::FTL::ExitValue::recovery): Deleted.
2891         (JSC::FTL::ExitValue::isRecovery const): Deleted.
2892         (JSC::FTL::ExitValue::leftRecoveryArgument const): Deleted.
2893         (JSC::FTL::ExitValue::rightRecoveryArgument const): Deleted.
2894         (JSC::FTL::ExitValue::recoveryFormat const): Deleted.
2895         (JSC::FTL::ExitValue::recoveryOpcode const): Deleted.
2896         * ftl/FTLLowerDFGToB3.cpp:
2897         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2898         (JSC::FTL::DFG::LowerDFGToB3::preparePatchpointForExceptions):
2899         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
2900         (JSC::FTL::DFG::LowerDFGToB3::exitValueForNode):
2901         (JSC::FTL::DFG::LowerDFGToB3::addAvailableRecovery): Deleted.
2902         * ftl/FTLOSRExitCompiler.cpp:
2903         (JSC::FTL::compileRecovery):
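
To make the recovery arithmetic above concrete, here is an added example in plain C (not JSC code; function names are my own) that reproduces the wrapped-add register state, applies the `((int32_t)value >> 1) ^ 0x80000000` recovery from the message beside the A - A mistake it replaces, and shows the A + B = A case for comparison.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Wrapping 32-bit add: the value the speculative ArithAdd leaves in the
 * destination register at the moment the overflow flag fires. */
static int32_t wrappingAdd32(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* True when a + b does not fit in int32, i.e. the overflow-flag case. */
static bool add32Overflows(int32_t a, int32_t b)
{
    int64_t sum = (int64_t)a + (int64_t)b;
    return sum > INT32_MAX || sum < INT32_MIN;
}

/* Case A + B = A (destination aliases the left operand, B is intact):
 * undo the add by subtracting the surviving operand. */
static int32_t recoverAliasedOperand(int32_t dest, int32_t other)
{
    return (int32_t)((uint32_t)dest - (uint32_t)other);
}

/* Case A + A = A: both operands were the same register, so the subtraction
 * above would compute dest - dest = 0. Since the add overflowed, dest holds
 * the low 32 bits of 2A (A << 1), and doubling overflows exactly when bits
 * 31 and 30 of A differ. A sign-propagating shift right restores bits 0..30
 * and copies bit 30 into bit 31; xor with 0x80000000 then flips bit 31 back
 * to A's real sign. */
static int32_t recoverDoubledOperand(int32_t dest)
{
    /* Right-shifting a negative int32 is implementation-defined before C2x,
     * so the arithmetic shift is spelled out with unsigned operations. */
    uint32_t u = (uint32_t)dest;
    uint32_t shifted = (u >> 1) | (u & 0x80000000u); /* (int32_t)dest >> 1 */
    return (int32_t)(shifted ^ 0x80000000u);
}

/* The recovery the patch replaces: subtract the (already clobbered) operand. */
static int32_t buggyRecoverDoubledOperand(int32_t dest)
{
    return recoverAliasedOperand(dest, dest);
}

int main(void)
{
    /* Constructed operands; each doubling overflows int32. */
    const int32_t samples[] = { INT32_MAX, INT32_MIN, 0x40000000, -0x40000001 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i) {
        int32_t a = samples[i];
        int32_t dest = wrappingAdd32(a, a);
        printf("A=%11d overflow=%d dest=%11d fixed=%11d buggy=%d\n",
            a, add32Overflows(a, a), dest, recoverDoubledOperand(dest),
            buggyRecoverDoubledOperand(dest));
    }
    return 0;
}
```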
2904
2905 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
2906
2907         Unreviewed, rolling out r243665.
2908
2909         Caused iOS JSC tests to exit with an exception.
2910
2911         Reverted changeset:
2912
2913         "Assertion failed in JSC::createError"
2914         https://bugs.webkit.org/show_bug.cgi?id=196305
2915         https://trac.webkit.org/changeset/243665
2916
2917 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2918
2919         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
2920         https://bugs.webkit.org/show_bug.cgi?id=196486
2921
2922         Reviewed by Saam Barati.
2923
2924         When parsing a FunctionExpression / FunctionDeclaration etc., we use SyntaxChecker for the body of the function because we do not have any interest in the nodes of the body at that time.
2925         The nodes will be parsed with the ASTBuilder when the function itself is parsed for code generation. This worked well previously because all functions ended with "}".
2926         SyntaxChecker lexes this "}" token, and the parser restores the context back to ASTBuilder and continues parsing.
2927
2928         But now, we have ArrowFunctionExpression without braces `arrow => expr`. Let's consider the following code.
2929
2930                 arrow => expr
2931                 "string!"
2932
2933         We parse the arrow function's body with SyntaxChecker. At that time, we lex the "string!" token under the SyntaxChecker context. But this means that we may not build string content for this token
2934         since SyntaxChecker may not have any interest in the string content itself in certain cases. After the parser is back to ASTBuilder, we parse "string!" as an ExpressionStatement with a string constant,
2935         generate a StringNode with a non-built identifier (nullptr), and we accidentally create a StringNode with nullptr.
2936
2937         This patch fixes this problem. The root cause of this problem is that the last token lexed in the previous context is used. We add lexCurrentTokenAgainUnderCurrentContext, which will re-lex
2938         the current token under the current context (which may be ASTBuilder). This should be done only when the caller's context is different from SyntaxChecker, which avoids unnecessary lexing.
2939         We leverage the existing SavePoint mechanism to implement lexCurrentTokenAgainUnderCurrentContext cleanly.
2940
2941         And we also fix the bug in the existing SavePoint mechanism, which is shown in the attached test script. When we save LexerState, we do not save the line terminator status. This patch also introduces
2942         lexWithoutClearingLineTerminator, which lexes the token without clearing the line terminator status.
2943
2944         * parser/ASTBuilder.h:
2945         (JSC::ASTBuilder::createString):
2946         * parser/Lexer.cpp:
2947         (JSC::Lexer<T>::parseMultilineComment):
2948         (JSC::Lexer<T>::lexWithoutClearingLineTerminator): EOF token also should record offset information. This offset information is correctly handled in Lexer::setOffset too.
2949         (JSC::Lexer<T>::lex): Deleted.
2950         * parser/Lexer.h:
2951         (JSC::Lexer::hasLineTerminatorBeforeToken const):
2952         (JSC::Lexer::setHasLineTerminatorBeforeToken):
2953         (JSC::Lexer<T>::lex):
2954         (JSC::Lexer::prevTerminator const): Deleted.
2955         (JSC::Lexer::setTerminator): Deleted.
2956         * parser/Parser.cpp:
2957         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
2958         (JSC::Parser<LexerType>::parseSingleFunction):
2959         (JSC::Parser<LexerType>::parseStatementListItem):
2960         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
2961         (JSC::Parser<LexerType>::parseFunctionInfo):
2962         (JSC::Parser<LexerType>::parseClass):
2963         (JSC::Parser<LexerType>::parseExportDeclaration):
2964         (JSC::Parser<LexerType>::parseAssignmentExpression):
2965         (JSC::Parser<LexerType>::parseYieldExpression):
2966         (JSC::Parser<LexerType>::parseProperty):
2967         (JSC::Parser<LexerType>::parsePrimaryExpression):
2968         (JSC::Parser<LexerType>::parseMemberExpression):
2969         * parser/Parser.h:
2970         (JSC::Parser::nextWithoutClearingLineTerminator):
2971         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
2972         (JSC::Parser::internalSaveLexerState):
2973         (JSC::Parser::restoreLexerState):
2974
2975 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2976
2977         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
2978         https://bugs.webkit.org/show_bug.cgi?id=176810
2979
2980         Reviewed by Saam Barati.
2981
2982         This adds conditional logic following the invariant checks, to perform
2983         filtering in common uses of getOwnPropertyNames.
2984
2985         While this would ideally only be done in JSPropertyNameEnumerator, adding
2986         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
2987         invariant that the EnumerationMode is properly followed.
2988
2989         * runtime/PropertyNameArray.h:
2990         (JSC::PropertyNameArray::reset):
2991         * runtime/ProxyObject.cpp:
2992         (JSC::ProxyObject::performGetOwnPropertyNames):
2993
2994 2019-04-05  Commit Queue  <commit-queue@webkit.org>
2995
2996         Unreviewed, rolling out r243833.
2997         https://bugs.webkit.org/show_bug.cgi?id=196645
2998
2999         This change breaks build of WPE and GTK ports (Requested by
3000         annulen on #webkit).
3001
3002         Reverted changeset:
3003
3004         "[CMake][WTF] Mirror XCode header directories"
3005         https://bugs.webkit.org/show_bug.cgi?id=191662
3006         https://trac.webkit.org/changeset/243833
3007
3008 2019-04-05  Caitlin Potter  <caitp@igalia.com>
3009
3010         [JSC] throw if ownKeys Proxy trap result contains duplicate keys
3011         https://bugs.webkit.org/show_bug.cgi?id=185211
3012
3013         Reviewed by Saam Barati.
3014
3015         Implements the normative spec change in https://github.com/tc39/ecma262/pull/833
3016
3017         This involves tracking duplicate keys returned from the ownKeys trap in yet
3018         another HashTable, and may incur a minor performance penalty in some cases. This
3019         is not expected to significantly affect web performance.
3020
3021         * runtime/ProxyObject.cpp:
3022         (JSC::ProxyObject::performGetOwnPropertyNames):
3023
3024 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
3025
3026         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
3027         https://bugs.webkit.org/show_bug.cgi?id=196631
3028
3029         Reviewed by Saam Barati.
3030
3031         makeBoundFunction assumes that the "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
3032         DFG may store this value in Double format, so we should not rely on this value being Int32. This patch fixes the makeBoundFunction function to perform a
3033         toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
3034
3035         * JavaScriptCore.xcodeproj/project.pbxproj:
3036         * Sources.txt:
3037         * interpreter/CallFrameInlines.h:
3038         * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
3039         (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
3040         (JSC::DoublePredictionFuzzerAgent::getPrediction):
3041         * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
3042         * runtime/JSGlobalObject.cpp:
3043         (JSC::makeBoundFunction):
3044         * runtime/Options.h:
3045         * runtime/VM.cpp:
3046         (JSC::VM::VM):
3047
3048 2019-04-04  Robin Morisset  <rmorisset@apple.com>
3049
3050         B3ReduceStrength should know that Mul distributes over Add and Sub
3051         https://bugs.webkit.org/show_bug.cgi?id=196325
3052         <rdar://problem/49441650>
3053
3054         Reviewed by Saam Barati.
3055
3056         Fix some obviously wrong code that was due to an accidental copy-paste.
3057         It made the entire optimization dead code that never ran.
3058
3059         * b3/B3ReduceStrength.cpp:
3060
3061 2019-04-04  Saam Barati  <sbarati@apple.com>
3062
3063         Unreviewed, build fix for CLoop after r243886
3064
3065         * interpreter/Interpreter.cpp:
3066         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
3067         * interpreter/StackVisitor.cpp:
3068         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
3069         * interpreter/StackVisitor.h:
3070
3071 2019-04-04  Commit Queue  <commit-queue@webkit.org>
3072
3073         Unreviewed, rolling out r243898.
3074         https://bugs.webkit.org/show_bug.cgi?id=196624
3075
3076         `#if !ENABLE(C_LOOP) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0`
3077         does not work well (Requested by yusukesuzuki on #webkit).
3078
3079         Reverted changeset:
3080
3081         "Unreviewed, build fix for CLoop and Windows after r243886"
3082         https://bugs.webkit.org/show_bug.cgi?id=196387
3083         https://trac.webkit.org/changeset/243898
3084
3085 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
3086
3087         Unreviewed, build fix for CLoop and Windows after r243886
3088         https://bugs.webkit.org/show_bug.cgi?id=196387
3089
3090         RegisterAtOffsetList does not exist if ENABLE(ASSEMBLER) is false.
3091
3092         * interpreter/StackVisitor.cpp:
3093         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
3094         * interpreter/StackVisitor.h:
3095
3096 2019-04-04  Saam barati  <sbarati@apple.com>
3097
3098         Teach Call ICs how to call Wasm
3099         https://bugs.webkit.org/show_bug.cgi?id=196387
3100
3101         Reviewed by Filip Pizlo.
3102
3103         This patch teaches JS to call Wasm without going through the native thunk.
3104         Currently, we emit a JIT "JS" callee stub which marshals arguments from
3105         JS to Wasm. Like the native version of this, this thunk is responsible
3106         for saving and restoring the VM's current Wasm context. Instead of emitting
3107         an exception handler, we also teach the unwinder how to read the previous
3108         wasm context to restore it as it unwinds past this frame.
3109         
3110         This patch is straightforward, and leaves some areas for perf improvement:
3111         - We can teach the DFG/FTL to directly use the Wasm calling convention when
3112           it knows it's calling a single Wasm function. This way we don't shuffle
3113           registers to the stack and then back into registers.
3114         - We bail out to the slow path for mismatched arity. I opened a bug to
3115           optimize arity check failures: https://bugs.webkit.org/show_bug.cgi?id=196564
3116         - We bail out to the slow path for Double JSValues flowing into i32 arguments.
3117           We should teach this thunk how to do that conversion directly.
3118         
3119         This patch also refactors the code to explicitly have a single pinned size register.
3120         We used to pretend in some places that we could have more than one pinned size register.
3121         However, there was other code that just asserted the size was one. This patch just rips
3122         out this code since we never moved to having more than one pinned size register. Doing
3123         this refactoring cleans up the various places where we set up the size register.
3124         
3125         This patch is a 50-60% progression on JetStream 2's richards-wasm.
3126
3127         * JavaScriptCore.xcodeproj/project.pbxproj:
3128         * Sources.txt:
3129         * assembler/MacroAssemblerCodeRef.h:
3130         (JSC::MacroAssemblerCodeRef::operator=):
3131         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
3132         * interpreter/Interpreter.cpp:
3133         (JSC::UnwindFunctor::operator() const):
3134         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
3135         * interpreter/StackVisitor.cpp:
3136         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
3137         (JSC::StackVisitor::Frame::calleeSaveRegisters): Deleted.
3138         * interpreter/StackVisitor.h:
3139         * jit/JITOperations.cpp:
3140         * jit/RegisterSet.cpp:
3141         (JSC::RegisterSet::runtimeTagRegisters):
3142         (JSC::RegisterSet::specialRegisters):
3143         (JSC::RegisterSet::runtimeRegisters): Deleted.
3144         * jit/RegisterSet.h:
3145         * jit/Repatch.cpp:
3146         (JSC::linkPolymorphicCall):
3147         * runtime/JSFunction.cpp:
3148         (JSC::getCalculatedDisplayName):
3149         * runtime/JSGlobalObject.cpp:
3150         (JSC::JSGlobalObject::init):
3151         (JSC::JSGlobalObject::visitChildren):
3152         * runtime/JSGlobalObject.h:
3153         (JSC::JSGlobalObject::jsToWasmICCalleeStructure const):
3154         * runtime/VM.cpp:
3155         (JSC::VM::VM):
3156         * runtime/VM.h:
3157         * wasm/WasmAirIRGenerator.cpp:
3158         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
3159         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
3160         (JSC::Wasm::AirIRGenerator::addCallIndirect):
3161         * wasm/WasmB3IRGenerator.cpp:
3162         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3163         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
3164         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3165         * wasm/WasmBinding.cpp:
3166         (JSC::Wasm::wasmToWasm):
3167         * wasm/WasmContext.h:
3168         (JSC::Wasm::Context::pointerToInstance):
3169         * wasm/WasmContextInlines.h:
3170         (JSC::Wasm::Context::store):
3171         * wasm/WasmMemoryInformation.cpp:
3172         (JSC::Wasm::getPinnedRegisters):
3173         (JSC::Wasm::PinnedRegisterInfo::get):
3174         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
3175         * wasm/WasmMemoryInformation.h:
3176         (JSC::Wasm::PinnedRegisterInfo::toSave const):
3177         * wasm/WasmOMGPlan.cpp:
3178         (JSC::Wasm::OMGPlan::work):
3179         * wasm/js/JSToWasm.cpp:
3180         (JSC::Wasm::createJSToWasmWrapper):
3181         * wasm/js/JSToWasmICCallee.cpp: Added.
3182         (JSC::JSToWasmICCallee::create):
3183         (JSC::JSToWasmICCallee::createStructure):
3184         (JSC::JSToWasmICCallee::visitChildren):
3185         * wasm/js/JSToWasmICCallee.h: Added.
3186         (JSC::JSToWasmICCallee::function):
3187         (JSC::JSToWasmICCallee::JSToWasmICCallee):
3188         * wasm/js/WebAssemblyFunction.cpp:
3189         (JSC::WebAssemblyFunction::useTagRegisters const):
3190         (JSC::WebAssemblyFunction::calleeSaves const):
3191         (JSC::WebAssemblyFunction::usedCalleeSaveRegisters const):
3192         (JSC::WebAssemblyFunction::previousInstanceOffset const):
3193         (JSC::WebAssemblyFunction::previousInstance):
3194         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
3195         (JSC::WebAssemblyFunction::visitChildren):
3196         (JSC::WebAssemblyFunction::destroy):
3197         * wasm/js/WebAssemblyFunction.h:
3198         * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Added.
3199         (JSC::WebAssemblyFunctionDestroyFunc::operator() const):
3200         (JSC::WebAssemblyFunctionHeapCellType::WebAssemblyFunctionHeapCellType):
3201         (JSC::WebAssemblyFunctionHeapCellType::~WebAssemblyFunctionHeapCellType):
3202         (JSC::WebAssemblyFunctionHeapCellType::finishSweep):
3203         (JSC::WebAssemblyFunctionHeapCellType::destroy):
3204         * wasm/js/WebAssemblyFunctionHeapCellType.h: Added.
3205         * wasm/js/WebAssemblyPrototype.h:
3206
3207 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
3208
3209         [JSC] Pass CodeOrigin to FuzzerAgent
3210         https://bugs.webkit.org/show_bug.cgi?id=196590
3211
3212         Reviewed by Saam Barati.
3213
3214         Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
3215         We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
3216         but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
3217
3218         * dfg/DFGByteCodeParser.cpp:
3219         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3220         * runtime/FuzzerAgent.cpp:
3221         (JSC::FuzzerAgent::getPrediction):
3222         * runtime/FuzzerAgent.h:
3223         * runtime/RandomizingFuzzerAgent.cpp:
3224         (JSC::RandomizingFuzzerAgent::getPrediction):
3225         * runtime/RandomizingFuzzerAgent.h:
3226
3227 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
3228
3229         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
3230         https://bugs.webkit.org/show_bug.cgi?id=194944
3231
3232         Reviewed by Keith Miller.
3233
3234         Based on profile data collected on JetStream2, Speedometer 2 and
3235         other benchmarks, it is very rare to have a non-empty
3236         UnlinkedFunctionExecutable::m_parentScopeTDZVariables.
3237
3238         - Data collected from Speedometer2
3239             Total number of UnlinkedFunctionExecutable: 39463
3240             Total number of non-empty parentScopeTDZVars: 428 (~1%)
3241
3242         - Data collected from JetStream2
3243             Total number of UnlinkedFunctionExecutable: 83715
3244             Total number of non-empty parentScopeTDZVars: 5285 (~6%)
3245
3246         We also collected numbers on 6 of the top 10 Alexa sites.
3247
3248         - Data collected from youtube.com
3249             Total number of UnlinkedFunctionExecutable: 29599
3250             Total number of non-empty parentScopeTDZVars: 97 (~0.3%)
3251
3252         - Data collected from twitter.com
3253             Total number of UnlinkedFunctionExecutable: 23774
3254             Total number of non-empty parentScopeTDZVars: 172 (~0.7%)
3255
3256         - Data collected from google.com
3257             Total number of UnlinkedFunctionExecutable: 33209
3258             Total number of non-empty parentScopeTDZVars: 174 (~0.5%)
3259
3260         - Data collected from amazon.com:
3261             Total number of UnlinkedFunctionExecutable: 15182
3262             Total number of non-empty parentScopeTDZVars: 166 (~1%)
3263
3264         - Data collected from facebook.com:
3265             Total number of UnlinkedFunctionExecutable: 54443
3266             Total number of non-empty parentScopeTDZVars: 269 (~0.4%)
3267
3268         - Data collected from netflix.com:
3269             Total number of UnlinkedFunctionExecutable: 39266
3270             Total number of non-empty parentScopeTDZVars: 97 (~0.2%)
3271
3272         Considering such numbers, this patch is moving `m_parentScopeTDZVariables`
3273         to RareData. This decreases sizeof(UnlinkedFunctionExecutable) by
3274         16 bytes. With this change, UnlinkedFunctionExecutable constructors now
3275         receive an `Optional<VariableEnvironmentMap::Handle>` and only store
3276         it when `value != WTF::nullopt`. We also changed
3277         UnlinkedFunctionExecutable::parentScopeTDZVariables() and it returns
3278         `VariableEnvironment()` whenever the Executable doesn't have RareData,
3279         or VariableEnvironmentMap::Handle is uninitialized. This is required
3280         because RareData is instantiated when any of its fields is stored and
3281         we can have an uninitialized `Handle` even in cases when parentScopeTDZVariables
3282         is `WTF::nullopt`.
3283
3284         Results on memory usage on JetStream2 are neutral.
3285
3286             Mean of memory peak on ToT: 4258633728 bytes (confidence interval: 249720072.95)
3287             Mean of memory peak on Changes: 4367325184 bytes (confidence interval: 321285583.61)
3288
3289         * builtins/BuiltinExecutables.cpp:
3290         (JSC::BuiltinExecutables::createExecutable):
3291         * bytecode/UnlinkedFunctionExecutable.cpp:
3292         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3293         * bytecode/UnlinkedFunctionExecutable.h:
3294         * bytecompiler/BytecodeGenerator.cpp:
3295         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
3296
3297         BytecodeGenerator::getVariablesUnderTDZ now also caches if m_cachedVariablesUnderTDZ
3298         is empty, so we can properly return `WTF::nullopt` without the
3299         reconstruction of a VariableEnvironment to check if it is empty.
3300
3301         * bytecompiler/BytecodeGenerator.h:
3302         (JSC::BytecodeGenerator::makeFunction):
3303         * parser/VariableEnvironment.h:
3304         (JSC::VariableEnvironment::isEmpty const):
3305         * runtime/CachedTypes.cpp:
3306         (JSC::CachedCompactVariableMapHandle::decode const):
3307
3308         It returns an uninitialized Handle when there is no
3309         CompactVariableEnvironment. This can happen when RareData is ensured
3310         because of another field.
3311
3312         (JSC::CachedFunctionExecutableRareData::encode):
3313         (JSC::CachedFunctionExecutableRareData::decode const):
3314         (JSC::CachedFunctionExecutable::encode):
3315         (JSC::CachedFunctionExecutable::decode const):
3316         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3317         * runtime/CodeCache.cpp:
3318
3319         Instead of creating a dummyVariablesUnderTDZ, we simply pass
3320         WTF::nullopt.
3321
3322         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
3323
3324 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
3325
3326         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
3327         https://bugs.webkit.org/show_bug.cgi?id=196409
3328
3329         Reviewed by Saam Barati.
3330
3331         Some of the helpers in jsc.cpp, such as `functionRunString`, were still using
3332         `makeSource` instead of `jscSource`, which does not use the ShellSourceProvider
3333         and therefore does not write the bytecode cache to disk.
3334
3335         Changing that revealed a bug in the bytecode cache. The Encoder keeps a mapping
3336         of pointers to offsets of already cached objects, in order to avoid caching
3337         the same object twice. Similarly, the Decoder keeps a mapping from offsets
3338         to pointers, in order to avoid creating multiple objects in memory for the
3339         same cached object. The following was happening:
3340         1) A StringImpl* S was cached as CachedPtr<CachedStringImpl> at offset O. We add
3341         an entry in the Encoder mapping that S has already been encoded at O.
3342         2) We cache StringImpl* S again, but now as CachedPtr<CachedUniquedStringImpl>.
3343         We find an entry in the Encoder mapping for S, and return the offset O. However,
3344         the object cached at O is a CachedPtr<CachedStringImpl> (i.e. not Uniqued).
3345
3346         3) When decoding, there are 2 possibilities:
3347         3.1) We find S for the first time through a CachedPtr<CachedStringImpl>. In
3348         this case, everything works as expected since we add an entry in the decoder
3349         mapping from the offset O to the decoded StringImpl* S. The next time we find
3350         S through the uniqued version, we'll return the already decoded S.
3351         3.2) We find S through a CachedPtr<CachedUniquedStringImpl>. Now we have a
3352         problem, since the CachedPtr has the offset of a CachedStringImpl (not uniqued),
3353         which has a different shape and we crash.
3354
3355         We fix this by making CachedStringImpl and CachedUniquedStringImpl share the
3356         same implementation. Since it doesn't matter whether a string is uniqued for
3357         encoding, and we always decode strings as uniqued either way, they can be used
3358         interchangeably.
3359
3360         * jsc.cpp:
3361         (functionRunString):
3362         (functionLoadString):
3363         (functionDollarAgentStart):
3364         (functionCheckModuleSyntax):
3365         (runInteractive):
3366         * runtime/CachedTypes.cpp:
3367         (JSC::CachedUniquedStringImplBase::decode const):
3368         (JSC::CachedFunctionExecutable::rareData const):
3369         (JSC::CachedCodeBlock::rareData const):
3370         (JSC::CachedFunctionExecutable::encode):
3371         (JSC::CachedCodeBlock<CodeBlockType>::encode):
3372         (JSC::CachedUniquedStringImpl::encode): Deleted.
3373         (JSC::CachedUniquedStringImpl::decode const): Deleted.
3374         (JSC::CachedStringImpl::encode): Deleted.
3375         (JSC::CachedStringImpl::decode const): Deleted.
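
The encoder/decoder dedup maps described in the entry above, as an added example that is not JSC's CachedTypes code: a toy Encoder keyed on the pointer alone and a Decoder keyed on the offset, with `Shape`, `toyHash` and the two record layouts constructed for the illustration; `sharedLayout=true` models the fix of giving both string types one implementation.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

enum class Shape { Plain, Uniqued };

// Constructed stand-in for StringImpl's hash (FNV-1a): the extra leading word a Uniqued record has and a Plain one lacks.
static uint32_t toyHash(const std::string& s) {
    uint32_t h = 2166136261u;
    for (unsigned char c : s) { h ^= c; h *= 16777619u; }
    return h;
}

class Encoder {
public:
    explicit Encoder(bool sharedLayout) : m_sharedLayout(sharedLayout) {}
    // Returns the offset of the record for `s`. As in the real Encoder, the dedup map is
    // keyed on the pointer alone, so a second request under a different Shape silently
    // gets the offset of whatever shape was written first.
    size_t encodeString(const std::string* s, Shape shape) {
        auto it = m_offsets.find(s);
        if (it != m_offsets.end()) return it->second;
        size_t offset = m_bytes.size();
        // Bug model: only the Uniqued record carries the hash word; fix model: both do.
        if (m_sharedLayout || shape == Shape::Uniqued) write32(toyHash(*s));
        write32(static_cast<uint32_t>(s->size()));
        m_bytes.insert(m_bytes.end(), s->begin(), s->end());
        m_offsets[s] = offset;
        return offset;
    }
    const std::vector<uint8_t>& bytes() const { return m_bytes; }
private:
    void write32(uint32_t v) { for (int i = 0; i < 4; ++i) m_bytes.push_back(static_cast<uint8_t>(v >> (8 * i))); }
    bool m_sharedLayout;
    std::vector<uint8_t> m_bytes;
    std::map<const std::string*, size_t> m_offsets;
};

class Decoder {
public:
    Decoder(const std::vector<uint8_t>& bytes, bool sharedLayout) : m_bytes(bytes), m_sharedLayout(sharedLayout) {}
    // Decodes the record at `offset` assuming `shape`. Where JSC crashed on the mismatched
    // layout, this returns false instead of reading out of bounds.
    bool decodeString(size_t offset, Shape shape, std::string& out) {
        auto cached = m_decoded.find(offset);                 // offset -> already decoded object
        if (cached != m_decoded.end()) { out = cached->second; return true; }
        if (offset > m_bytes.size()) return false;
        size_t pos = offset;
        bool hasHash = m_sharedLayout || shape == Shape::Uniqued;
        uint32_t hash = 0, length = 0;
        if (hasHash && !read32(pos, hash)) return false;
        if (!read32(pos, length)) return false;
        if (length > m_bytes.size() - pos) return false;      // the wrong shape lands here
        out.assign(reinterpret_cast<const char*>(m_bytes.data()) + pos, length);
        if (hasHash && hash != toyHash(out)) return false;
        m_decoded[offset] = out;
        return true;
    }
private:
    bool read32(size_t& pos, uint32_t& v) {
        if (m_bytes.size() - pos < 4) return false;
        v = 0;
        for (int i = 0; i < 4; ++i) v |= static_cast<uint32_t>(m_bytes[pos + i]) << (8 * i);
        pos += 4;
        return true;
    }
    const std::vector<uint8_t>& m_bytes;
    bool m_sharedLayout;
    std::map<size_t, std::string> m_decoded;
};

// Case 3.2 of the ChangeLog: S is encoded as Plain, then requested as Uniqued (the same
// offset comes back), and decoded for the first time through the Uniqued path.
bool decodesThroughUniquedFirst(bool sharedLayout) {
    std::string s = "functionRunString";               // constructed sample string
    Encoder encoder(sharedLayout);
    size_t plainOffset = encoder.encodeString(&s, Shape::Plain);
    size_t uniquedOffset = encoder.encodeString(&s, Shape::Uniqued);
    if (plainOffset != uniquedOffset) return false;
    Decoder decoder(encoder.bytes(), sharedLayout);
    std::string out;
    return decoder.decodeString(uniquedOffset, Shape::Uniqued, out) && out == s;
}

// Case 3.1: decoding through Plain first fills the offset -> object map, so the later
// Uniqued request is served from it and the layout mismatch never surfaces.
bool decodesThroughPlainFirst(bool sharedLayout) {
    std::string s = "functionRunString";
    Encoder encoder(sharedLayout);
    size_t offset = encoder.encodeString(&s, Shape::Plain);
    encoder.encodeString(&s, Shape::Uniqued);
    Decoder decoder(encoder.bytes(), sharedLayout);
    std::string a, b;
    return decoder.decodeString(offset, Shape::Plain, a) && decoder.decodeString(offset, Shape::Uniqued, b) && a == s && b == s;
}
```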
3376
3377 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
3378
3379         UnlinkedCodeBlock constructor from cache should initialize m_didOptimize
3380         https://bugs.webkit.org/show_bug.cgi?id=196396
3381
3382         Reviewed by Saam Barati.
3383
3384         The UnlinkedCodeBlock constructor in CachedTypes was missing the initialization
3385         for m_didOptimize, which leads to crashes in CodeBlock::thresholdForJIT.
3386
3387         * runtime/CachedTypes.cpp:
3388         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3389
3390 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3391
3392         Unreviewed, rolling in r243843 with the build fix
3393         https://bugs.webkit.org/show_bug.cgi?id=196586
3394
3395         * runtime/Options.cpp:
3396         (JSC::recomputeDependentOptions):
3397         * runtime/Options.h:
3398         * runtime/RandomizingFuzzerAgent.cpp:
3399         (JSC::RandomizingFuzzerAgent::getPrediction):
3400
3401 2019-04-03  Ryan Haddad  <ryanhaddad@apple.com>
3402
3403         Unreviewed, rolling out r243843.
3404
3405         Broke CLoop and Windows builds.
3406
3407         Reverted changeset:
3408
3409         "[JSC] Add dump feature for RandomizingFuzzerAgent"
3410         https://bugs.webkit.org/show_bug.cgi?id=196586
3411         https://trac.webkit.org/changeset/243843
3412
3413 2019-04-03  Robin Morisset  <rmorisset@apple.com>
3414
3415         B3 should use associativity to optimize expression trees
3416         https://bugs.webkit.org/show_bug.cgi?id=194081
3417
3418         Reviewed by Filip Pizlo.
3419
3420         This patch adds a new B3 pass, that tries to find and optimize expression trees made purely of any one associative and commutative operator (Add/Mul/BitOr/BitAnd/BitXor).
3421         The pass only runs in O2, and runs once, after lowerMacros and just before a run of B3ReduceStrength (which helps clean up the dead code it tends to leave behind).
3422         I had to separate killDeadCode out of B3ReduceStrength (as a new B3EliminateDeadCode pass) to run it before B3OptimizeAssociativeExpressionTrees, as otherwise it is stopped by high use counts
3423         inherited from CSE.
3424         This extra run of DCE is by itself a win, most notably on microbenchmarks/instanceof-always-hit-two (1.5x faster), and on microbenchmarks/licm-dragons(-out-of-bounds) (both get 1.16x speedup).
3425         I suspect it is because it runs between CSE and tail-dedup, and as a result allows a lot more tail-dedup to occur.
3426
3427         The pass is currently extremely conservative, not trying anything if it would cause _any_ code duplication.
3428         For this purpose, it starts by computing use counts for the potentially interesting nodes (those with the right opcodes), and segregate them into expression trees.
3429         The root of an expression tree is a node that is either used in multiple places, or is used by a value with a different opcode.
3430         The leaves of an expression tree are nodes that are either used in multiple places, or have a different opcode.
3431         All constant leaves of a tree are combined, as well as all leaves that are identical. What remains is then laid out into a balanced binary tree, hopefully maximizing ILP.
3432
3433         This optimization was implemented as a stand-alone pass and not as part of B3ReduceStrength mostly because it needs use counts to avoid code duplication.
3434         It also benefits from finding all tree roots first, and not trying to repeatedly optimize subtrees.
3435
3436         I added several tests to testB3 with varying patterns of trees. It is also tested in a less focused way by lots of older tests.
3437
3438         In the future this pass could be expanded to allow some bounded amount of code duplication, and merging more leaves (e.g. Mul(a, 3) and a in an Add tree, into Mul(a, 4))
3439         The latter will need exposing the peephole optimizations out of B3ReduceStrength to avoid duplicating code.
3440
3441         * JavaScriptCore.xcodeproj/project.pbxproj:
3442         * Sources.txt:
3443         * b3/B3Common.cpp:
3444         (JSC::B3::shouldDumpIR):
3445         (JSC::B3::shouldDumpIRAtEachPhase):
3446         * b3/B3Common.h:
3447         * b3/B3EliminateDeadCode.cpp: Added.
3448         (JSC::B3::EliminateDeadCode::run):
3449         (JSC::B3::eliminateDeadCode):
3450         * b3/B3EliminateDeadCode.h: Added.
3451         (JSC::B3::EliminateDeadCode::EliminateDeadCode):
3452         * b3/B3Generate.cpp:
3453         (JSC::B3::generateToAir):
3454         * b3/B3OptimizeAssociativeExpressionTrees.cpp: Added.
3455         (JSC::B3::OptimizeAssociativeExpressionTrees::OptimizeAssociativeExpressionTrees):
3456         (JSC::B3::OptimizeAssociativeExpressionTrees::neutralElement):
3457         (JSC::B3::OptimizeAssociativeExpressionTrees::isAbsorbingElement):
3458         (JSC::B3::OptimizeAssociativeExpressionTrees::combineConstants):
3459         (JSC::B3::OptimizeAssociativeExpressionTrees::emitValue):
3460         (JSC::B3::OptimizeAssociativeExpressionTrees::optimizeRootedTree):
3461         (JSC::B3::OptimizeAssociativeExpressionTrees::run):
3462         (JSC::B3::optimizeAssociativeExpressionTrees):
3463         * b3/B3OptimizeAssociativeExpressionTrees.h: Added.
3464         * b3/B3ReduceStrength.cpp:
3465         * b3/B3Value.cpp:
3466         (JSC::B3::Value::replaceWithIdentity):
3467         * b3/testb3.cpp:
3468         (JSC::B3::testBitXorTreeArgs):
3469         (JSC::B3::testBitXorTreeArgsEven):
3470         (JSC::B3::testBitXorTreeArgImm):
3471         (JSC::B3::testAddTreeArg32):
3472         (JSC::B3::testMulTreeArg32):
3473         (JSC::B3::testBitAndTreeArg32):
3474         (JSC::B3::testBitOrTreeArg32):
3475         (JSC::B3::run):
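
A compact model of the pass for Add and Mul trees, added here and not B3's own code: it finds the leaves of a rooted tree through use counts, folds the constant leaves, and re-emits the rest as a balanced binary tree. `Procedure`, `Value` and the demo chain are constructed for the illustration; merging identical leaves is left out.

```cpp
#include <cstdint>
#include <initializer_list>
#include <memory>
#include <vector>

enum class Opcode { Arg, Const, Add, Mul };

struct Value {
    Opcode opcode;
    int64_t constant = 0;    // Const
    int argIndex = 0;        // Arg
    Value* left = nullptr;   // Add / Mul
    Value* right = nullptr;
    unsigned useCount = 0;   // computed up front, as the pass does, before touching anything
};

// Owns every Value so pointers stay stable; new nodes are appended, dead ones are left
// behind for a later dead-code pass, which is what the ChangeLog describes.
struct Procedure {
    std::vector<std::unique_ptr<Value>> values;
    Value* make(Value v) { values.emplace_back(new Value(v)); return values.back().get(); }
    Value* arg(int i) { return make(Value{Opcode::Arg, 0, i}); }
    Value* constant(int64_t c) { return make(Value{Opcode::Const, c}); }
    Value* binary(Opcode op, Value* l, Value* r) { return make(Value{op, 0, 0, l, r}); }
    void computeUseCounts() {
        for (auto& v : values) v->useCount = 0;
        for (auto& v : values) { if (v->left) ++v->left->useCount; if (v->right) ++v->right->useCount; }
    }
};

// A child belongs to the tree only if it has the same opcode and a single use; anything
// else is a leaf. Roots are found by the caller with the mirrored rule.
static void collectLeaves(Value* v, Opcode op, std::vector<Value*>& leaves) {
    for (Value* child : { v->left, v->right }) {
        if (child->opcode == op && child->useCount == 1) collectLeaves(child, op, leaves);
        else leaves.push_back(child);
    }
}

// Rewrites the tree under `root` in place (root keeps its identity, as with
// replaceWithIdentity): constants are folded into one leaf, the neutral element is
// dropped, and the leaves are re-emitted as a balanced binary tree. Returns the leaf count.
size_t optimizeRootedTree(Procedure& proc, Value* root) {
    Opcode op = root->opcode;
    int64_t neutral = (op == Opcode::Add) ? 0 : 1;
    std::vector<Value*> leaves, kept;
    collectLeaves(root, op, leaves);
    int64_t folded = neutral;
    for (Value* leaf : leaves) {
        if (leaf->opcode != Opcode::Const) kept.push_back(leaf);
        else folded = (op == Opcode::Add) ? folded + leaf->constant : folded * leaf->constant;
    }
    if (folded != neutral || kept.empty()) kept.push_back(proc.constant(folded));
    if (kept.size() == 1) kept.push_back(proc.constant(neutral));   // keep root a binary op
    std::vector<Value*> level = kept;
    while (level.size() > 1) {                                       // pair neighbours level by level
        std::vector<Value*> next;
        for (size_t i = 0; i + 1 < level.size(); i += 2) next.push_back(proc.binary(op, level[i], level[i + 1]));
        if (level.size() % 2) next.push_back(level.back());
        level = next;
    }
    root->left = level[0]->left;                                      // top node's children move into root
    root->right = level[0]->right;
    return kept.size();
}

int64_t evaluate(const Value* v, const std::vector<int64_t>& args) {
    switch (v->opcode) {
    case Opcode::Arg: return args[v->argIndex];
    case Opcode::Const: return v->constant;
    case Opcode::Add: return evaluate(v->left, args) + evaluate(v->right, args);
    case Opcode::Mul: return evaluate(v->left, args) * evaluate(v->right, args);
    }
    return 0;
}

unsigned depth(const Value* v) {
    if (!v->left) return 0;
    unsigned l = depth(v->left), r = depth(v->right);
    return 1 + (l > r ? l : r);
}

struct Demo { unsigned depthBefore, depthAfter; int64_t valueBefore, valueAfter; size_t leaves; };

// Constructed input: the left-leaning chain ((((a + 1) + b) + 2) + c) + d, the shape a
// front end tends to emit. After the pass it is ((a + b) + (c + d)) + 3.
Demo runDemo() {
    Procedure proc;
    Value *a = proc.arg(0), *b = proc.arg(1), *c = proc.arg(2), *d = proc.arg(3);
    Value* t = proc.binary(Opcode::Add, proc.binary(Opcode::Add, a, proc.constant(1)), b);
    Value* root = proc.binary(Opcode::Add, proc.binary(Opcode::Add, proc.binary(Opcode::Add, t, proc.constant(2)), c), d);
    std::vector<int64_t> args{2, 3, 5, 7};
    Demo demo{depth(root), 0, evaluate(root, args), 0, 0};
    proc.computeUseCounts();
    demo.leaves = optimizeRootedTree(proc, root);
    demo.depthAfter = depth(root);
    demo.valueAfter = evaluate(root, args);
    return demo;
}
```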
3476
3477 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3478
3479         [JSC] Add dump feature for RandomizingFuzzerAgent
3480         https://bugs.webkit.org/show_bug.cgi?id=196586
3481
3482         Reviewed by Saam Barati.
3483
3484         Towards deterministic tests for the results from randomizing fuzzer agent, this patch adds Options::dumpRandomizingFuzzerAgentPredictions, which dumps the generated types.
3485         The results look like this.
3486
3487             getPrediction name:(#C2q9xD),bytecodeIndex:(22),original:(Array),generated:(OtherObj|Array|Float64Array|BigInt|NonIntAsDouble)
3488             getPrediction name:(makeUnwriteableUnconfigurableObject#AiEJv1),bytecodeIndex:(14),original:(OtherObj),generated:(Final|Uint8Array|Float64Array|SetObject|WeakSetObject|BigInt|NonIntAsDouble)
3489
3490         * runtime/Options.cpp:
3491         (JSC::recomputeDependentOptions):
3492         * runtime/Options.h:
3493         * runtime/RandomizingFuzzerAgent.cpp:
3494         (JSC::RandomizingFuzzerAgent::getPrediction):
3495
3496 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
3497
3498         -apple-trailing-word is needed for browser detection
3499         https://bugs.webkit.org/show_bug.cgi?id=196575
3500
3501         Unreviewed.
3502
3503         * Configurations/FeatureDefines.xcconfig:
3504
3505 2019-04-03  Michael Saboff  <msaboff@apple.com>
3506
3507         REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
3508         https://bugs.webkit.org/show_bug.cgi?id=196477
3509
3510         Reviewed by Keith Miller.
3511
3512         The problem here is that when we advance the index by 2 for a character class that only
3513         has non-BMP characters, we might go past the end of the string.  This can happen for
3514         greedy counted character classes that are part of an alternative where there is one
3515         character to match after the greedy non-BMP character class.
3516
3517         The "do we have string left to match" check at the top of the JIT loop for the counted
3518         character class checks to see if index is not equal to the string length.  For non-BMP
3519         character classes, we need to check to see if there are at least 2 characters left.
3520         Therefore we now temporarily add 1 to the current index before comparing.  This checks
3521         to see if there are at least 2 characters left to match, instead of 1.
3522
3523         * yarr/YarrJIT.cpp:
3524         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
3525         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
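
The end-of-input check described above, modelled as an added example (not YarrJIT code) over an instrumented UTF-16 subject that records an out-of-bounds read instead of crashing; `Input`, `MatchResult` and the sample subject are constructed here, and `fixed` switches between the old and the corrected check.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

struct MatchResult {
    bool matched;        // the whole pattern matched at index 0
    bool readPastEnd;    // the loop asked for a code unit beyond the input
    size_t end;          // index just past the match, when matched
};

// Instrumented subject string: an out-of-bounds read is recorded instead of crashing.
class Input {
public:
    explicit Input(const std::vector<uint16_t>& units) : m_units(units) {}
    size_t length() const { return m_units.size(); }
    uint16_t at(size_t i) {
        if (i >= m_units.size()) { m_readPastEnd = true; return 0; }
        return m_units[i];
    }
    bool readPastEnd() const { return m_readPastEnd; }
private:
    const std::vector<uint16_t>& m_units;
    bool m_readPastEnd = false;
};

static bool isLeadSurrogate(uint16_t u) { return (u & 0xFC00) == 0xD800; }
static bool isTrailSurrogate(uint16_t u) { return (u & 0xFC00) == 0xDC00; }
static uint32_t combineSurrogates(uint16_t lead, uint16_t trail) {
    return 0x10000u + ((uint32_t(lead) - 0xD800u) << 10) + (uint32_t(trail) - 0xDC00u);
}

// Matches the equivalent of /[X]+c/u anchored at index 0, where X is one non-BMP code
// point (so every class match consumes two code units) and c is one BMP code unit.
MatchResult matchGreedyNonBmpClassThenChar(const std::vector<uint16_t>& units, uint32_t classChar,
                                           uint16_t trailing, bool fixed) {
    Input input(units);
    size_t index = 0, length = input.length(), count = 0;
    for (;;) {
        // Buggy check: "index != length" only guarantees one unit, but the class reads two.
        // Fixed check: require two units; the JIT gets there by adding 1 to index before
        // its existing comparison against length, then subtracting it again.
        bool haveInput = fixed ? (index + 2 <= length) : (index != length);
        if (!haveInput) break;
        uint16_t lead = input.at(index);
        uint16_t trail = input.at(index + 1);    // this is the read that went past the end
        if (input.readPastEnd()) break;
        if (!isLeadSurrogate(lead) || !isTrailSurrogate(trail) || combineSurrogates(lead, trail) != classChar) break;
        index += 2;
        ++count;
    }
    MatchResult result{false, input.readPastEnd(), 0};
    // The class must have matched at least once, then the single trailing unit must match.
    // No backtracking into the class is needed: giving back one pair would leave a lead
    // surrogate at index, which can never equal a BMP unit.
    if (count >= 1 && index < length && input.at(index) == trailing) {
        result.matched = true;
        result.end = index + 1;
    }
    return result;
}

// Constructed sample subject: "😀😀a" as UTF-16 (U+1F600 is the pair D83D DE00).
std::vector<uint16_t> sampleTwoEmojiThenA() {
    return { 0xD83D, 0xDE00, 0xD83D, 0xDE00, 0x0061 };
}
```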
3526
3527 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3528
3529         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
3530         https://bugs.webkit.org/show_bug.cgi?id=196574
3531
3532         Reviewed by Saam Barati.
3533
3534         This patch adds a missing exception check in operationArrayIndexOfValueInt32OrContiguous.
3535
3536         * dfg/DFGOperations.cpp:
3537
3538 2019-04-03  Don Olmstead  <don.olmstead@sony.com>
3539
3540         [CMake][WTF] Mirror XCode header directories
3541         https://bugs.webkit.org/show_bug.cgi?id=191662
3542
3543         Reviewed by Konstantin Tokarev.
3544
3545         Use WTFFramework as a dependency and include frameworks/WTF.cmake for AppleWin internal
3546         builds.
3547
3548         * CMakeLists.txt:
3549         * shell/CMakeLists.txt:
3550
3551 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3552
3553         [JSC] Add FuzzerAgent, which has hooks to get feedback & inject fuzz data into JSC
3554         https://bugs.webkit.org/show_bug.cgi?id=196530
3555
3556         Reviewed by Saam Barati.
3557
3558         This patch adds FuzzerAgent interface and simple RandomizingFuzzerAgent to JSC.
3559         This RandomizingFuzzerAgent returns random SpeculatedType for value profiling to find
3560         the issues in JSC. The seed for randomization can be specified by seedOfRandomizingFuzzerAgent.
3561
3562         I ran this with seedOfRandomizingFuzzerAgent=1 last night and it found 3 failures in the current JSC tests;
3563         they should be fixed in subsequent patches.
3564
3565         * CMakeLists.txt:
3566         * JavaScriptCore.xcodeproj/project.pbxproj:
3567         * Sources.txt:
3568         * dfg/DFGByteCodeParser.cpp:
3569         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3570         * runtime/FuzzerAgent.cpp: Added.
3571         (JSC::FuzzerAgent::~FuzzerAgent):
3572         (JSC::FuzzerAgent::getPrediction):
3573         * runtime/FuzzerAgent.h: Added.
3574         * runtime/JSGlobalObjectFunctions.cpp:
3575         * runtime/Options.h:
3576         * runtime/RandomizingFuzzerAgent.cpp: Added.
3577         (JSC::RandomizingFuzzerAgent::RandomizingFuzzerAgent):
3578         (JSC::RandomizingFuzzerAgent::getPrediction):
3579         * runtime/RandomizingFuzzerAgent.h: Added.
3580         * runtime/RegExpCachedResult.h:
3581         * runtime/RegExpGlobalData.cpp:
3582         * runtime/VM.cpp:
3583         (JSC::VM::VM):
3584         * runtime/VM.h:
3585         (JSC::VM::fuzzerAgent const):
3586         (JSC::VM::setFuzzerAgent):
3587
3588 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
3589
3590         Remove support for -apple-trailing-word
3591         https://bugs.webkit.org/show_bug.cgi?id=196525
3592
3593         Reviewed by Zalan Bujtas.
3594
3595         This CSS property is nonstandard and not used.
3596
3597         * Configurations/FeatureDefines.xcconfig:
3598
3599 2019-04-03  Joseph Pecoraro  <pecoraro@apple.com>
3600
3601         Web Inspector: Remote Inspector indicate callback should always happen on the main thread
3602         https://bugs.webkit.org/show_bug.cgi?id=196513
3603         <rdar://problem/49498284>
3604
3605         Reviewed by Devin Rousso.
3606
3607         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3608         (Inspector::RemoteInspector::receivedIndicateMessage):
3609         When we have a WebThread, don't just run on the WebThread,
3610         run on the MainThread with the WebThreadLock.
3611
3612 2019-04-02  Michael Saboff  <msaboff@apple.com>
3613
3614         Crash in Options::setOptions() using --configFile option and libgmalloc
3615         https://bugs.webkit.org/show_bug.cgi?id=196506
3616
3617         Reviewed by Keith Miller.
3618
3619         Changed to call CString::data() while making the call to Options::setOptions().  This keeps
3620         the implicit CString temporary alive until after setOptions() returns.
3621
3622         * runtime/ConfigFile.cpp:
3623         (JSC::ConfigFile::parse):
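
The temporary-lifetime rule behind this fix, as an added example (not ConfigFile.cpp): `TempString` is a constructed stand-in for CString that poisons its storage on destruction, and `setOptions` is a stand-in that only reads its argument while it runs.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Constructed stand-in for CString: its characters live in one static slot that the
// destructor overwrites with 'X', so a read through a stale pointer shows up as
// poisoned text (and stays well-defined here, unlike a read of freed heap memory).
static char g_slot[64];

class TempString {
public:
    explicit TempString(const char* s) { snprintf(g_slot, sizeof g_slot, "%s", s); }
    ~TempString() { memset(g_slot, 'X', strlen(g_slot)); }
    const char* data() const { return g_slot; }
};

// Stand-in for Options::setOptions(): it only reads the string while it runs.
static std::string setOptions(const char* options) { return std::string(options); }

static const char* const kConfigLine = "useJIT=false";   // constructed sample option line

// The temporary TempString dies at the end of the full expression that creates it,
// i.e. at the semicolon, so `p` dangles before setOptions() ever sees it.
std::string setOptionsViaStoredPointer() {
    const char* p = TempString(kConfigLine).data();
    return setOptions(p);
}

// Calling data() inside the argument list keeps the temporary alive until
// setOptions() returns: the fix the ChangeLog describes.
std::string setOptionsViaInlineCall() {
    return setOptions(TempString(kConfigLine).data());
}
```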
3624
3625 2019-04-02  Fujii Hironori  <Hironori.Fujii@sony.com>
3626
3627         [CMake] WEBKIT_MAKE_FORWARDING_HEADERS shouldn't use POST_BUILD to copy generated headers
3628         https://bugs.webkit.org/show_bug.cgi?id=182757
3629
3630         Reviewed by Don Olmstead.
3631
3632         * CMakeLists.txt: Do not use DERIVED_SOURCE_DIRECTORIES parameter
3633         of WEBKIT_MAKE_FORWARDING_HEADERS. Added generated headers to
3634         JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS.
3635
3636 2019-04-02  Saam barati  <sbarati@apple.com>
3637
3638         Add a ValueRepReduction phase
3639         https://bugs.webkit.org/show_bug.cgi?id=196234
3640
3641         Reviewed by Filip Pizlo.
3642
3643         This patch adds a ValueRepReduction phase. The main idea here is
3644         to try to reduce DoubleRep(RealNumberUse:ValueRep(DoubleRepUse:@x))
3645         to just be @x. This patch handles such above strength reduction rules
3646         as long as we prove that all users of the ValueRep can be converted
3647         to using the incoming double value. That way we prevent introducing
3648         a parallel live range for the double value.
3649         
3650         This patch tracks the uses of the ValueRep through Phi variables,
3651         so we can convert entire Phi variables to being Double instead
3652         of JSValue if the Phi also has only double uses.
3653         
3654         This is implemented through a simple escape analysis. DoubleRep(RealNumberUse:)
3655         and OSR exit hints are not counted as escapes. All other uses are counted
3656         as escapes. Connected Phi graphs are converted to being Double only if the
3657         entire graph is ok with the result being Double.
3658         
3659         Some ways we could extend this phase in the future:
3660         - There are a lot of DoubleRep(NumberUse:@ValueRep(@x)) uses. This ensures
3661           that the result of the DoubleRep of @x is not impure NaN. We could
3662           handle this case if we introduced a PurifyNaN node and replace the DoubleRep
3663           with PurifyNaN(@x). Alternatively, we could see if certain users of this
3664           DoubleRep are okay with impure NaN flowing into them and we'd need to ensure
3665           their output type is always treated as if the input is impure NaN.
3666         - We could do sinking of ValueRep where we think it's profitable. So instead
3667           of an escape making it so we never represent the variable as a Double, we
3668           could make the escape reconstruct the JSValueRep where profitable.
3669         - We can extend this phase to handle Int52Rep if it's profitable.
3670         - We can opt other nodes into accepting incoming Doubles so we no longer
3671           treat them as escapes.
3672         
3673         This patch is somewhere between neutral and a 1% progression on JetStream 2.
3674
3675         * JavaScriptCore.xcodeproj/project.pbxproj:
3676         * Sources.txt:
3677         * dfg/DFGPlan.cpp:
3678         (JSC::DFG::Plan::compileInThreadImpl):
3679         * dfg/DFGValueRepReductionPhase.cpp: Added.
3680         (JSC::DFG::ValueRepReductionPhase::ValueRepReductionPhase):
3681         (JSC::DFG::ValueRepReductionPhase::run):
3682         (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble):
3683         (JSC::DFG::performValueRepReduction):
3684         * dfg/DFGValueRepReductionPhase.h: Added.
3685         * runtime/Options.h:
3686
3687 2019-04-01  Yusuke Suzuki  <ysuzuki@apple.com>
3688
3689         [JSC] JSRunLoopTimer::Manager should be small
3690         https://bugs.webkit.org/show_bug.cgi?id=196425
3691
3692         Reviewed by Darin Adler.
3693
3694         Using a very large Key or Value in HashMap potentially bloats memory since HashMap pre-allocates a large amount of
3695         memory ((sizeof(Key) + sizeof(Value)) * N) for its backing storage's array. Use std::unique_ptr<> for JSRunLoopTimer's
3696         PerVMData to keep HashMap's backing store size small.
3697
3698         * runtime/JSRunLoopTimer.cpp:
3699         (JSC::JSRunLoopTimer::Manager::timerDidFire):
3700         (JSC::JSRunLoopTimer::Manager::registerVM):
3701         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
3702         (JSC::JSRunLoopTimer::Manager::cancelTimer):
3703         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
3704         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
3705         * runtime/JSRunLoopTimer.h:
3706
3707 2019-04-01  Stephan Szabo  <stephan.szabo@sony.com>
3708
3709         [PlayStation] Add initialization for JSC shell for PlayStation port
3710         https://bugs.webkit.org/show_bug.cgi?id=195411
3711
3712         Reviewed by Ross Kirsling.
3713
3714         Add ps options
3715
3716         * shell/PlatformPlayStation.cmake: Added.
3717         * shell/playstation/Initializer.cpp: Added.
3718         (initializer):
3719
3720 2019-04-01  Michael Catanzaro  <mcatanzaro@igalia.com>
3721
3722         Stop trying to support building JSC with clang 3.8
3723         https://bugs.webkit.org/show_bug.cgi?id=195947
3724         <rdar://problem/49069219>
3725
3726         Reviewed by Darin Adler.
3727
3728         It seems WebKit hasn't built with clang 3.8 in a while, no devs are using this compiler, we
3729         don't know how much effort it would be to make JSC work again, and it's making the code
3730         worse. Remove my hacks to support clang 3.8 from JSC.
3731
3732         * bindings/ScriptValue.cpp:
3733         (Inspector::jsToInspectorValue):
3734         * bytecode/GetterSetterAccessCase.cpp:
3735         (JSC::GetterSetterAccessCase::create):
3736         (JSC::GetterSetterAccessCase::clone const):
3737         * bytecode/InstanceOfAccessCase.cpp:
3738         (JSC::InstanceOfAccessCase::clone const):
3739         * bytecode/IntrinsicGetterAccessCase.cpp:
3740         (JSC::IntrinsicGetterAccessCase::clone const):
3741         * bytecode/ModuleNamespaceAccessCase.cpp:
3742         (JSC::ModuleNamespaceAccessCase::clone const):
3743         * bytecode/ProxyableAccessCase.cpp:
3744         (JSC::ProxyableAccessCase::clone const):
3745
3746 2019-03-31  Yusuke Suzuki  <ysuzuki@apple.com>
3747
3748         [JSC] Butterfly allocation from LargeAllocation should try "realloc" behavior if collector thread is not active
3749         https://bugs.webkit.org/show_bug.cgi?id=196160
3750
3751         Reviewed by Saam Barati.
3752
3753         "realloc" can be effective in terms of peak/current memory footprint when realloc succeeds because,
3754
3755         1. It does not allocate additional memory while expanding a vector
3756         2. It does not deallocate the old memory, just reusing the current memory by expanding it, so that the memory footprint is tight even before scavenging
3757
3758         We found that we can "realloc" large butterflies if certain conditions are met because,
3759
3760         1. If it goes to LargeAllocation, this memory region is never reused until GC sweeps it.
3761         2. Butterflies are owned by owner JSObjects, so we know the lifetime of Butterflies.
3762
3763         This patch attempts to use "realloc" onto butterflies if,
3764
3765         1. Butterflies are allocated in LargeAllocation kind
3766         2. Concurrent collector is not active
3767         3. Butterflies do not have property storage
3768
3769         The condition (2) is required to avoid deallocating butterflies while the concurrent collector looks into it. The condition (3) is
3770         also required to avoid deallocating butterflies while the concurrent compiler looks into it.
3771
3772         We also change LargeAllocation mechanism to using "malloc" and "free" instead of "posix_memalign". This allows us to use "realloc"
3773         safely on all platforms. Since LargeAllocation uses alignment to distinguish LargeAllocation and MarkedBlock, we manually adjust
3774         16B alignment by allocating 8B more memory in "malloc".
3775
3776         Speedometer2 and JetStream2 are neutral. RAMification shows about 1% progression (even in some of JIT tests).
3777
3778         * heap/AlignedMemoryAllocator.h:
3779         * heap/CompleteSubspace.cpp:
3780         (JSC::CompleteSubspace::tryAllocateSlow):
3781         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
3782         * heap/CompleteSubspace.h:
3783         * heap/FastMallocAlignedMemoryAllocator.cpp:
3784         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateMemory):
3785         (JSC::FastMallocAlignedMemoryAllocator::freeMemory):
3786         (JSC::FastMallocAlignedMemoryAllocator::tryReallocateMemory):
3787         * heap/FastMallocAlignedMemoryAllocator.h:
3788         * heap/GigacageAlignedMemoryAllocator.cpp:
3789         (JSC::GigacageAlignedMemoryAllocator::tryAllocateMemory):
3790         (JSC::GigacageAlignedMemoryAllocator::freeMemory):
3791         (JSC::GigacageAlignedMemoryAllocator::tryReallocateMemory):
3792         * heap/GigacageAlignedMemoryAllocator.h:
3793         * heap/IsoAlignedMemoryAllocator.cpp:
3794         (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory):
3795         (JSC::IsoAlignedMemoryAllocator::freeMemory):
3796         (JSC::IsoAlignedMemoryAllocator::tryReallocateMemory):
3797         * heap/IsoAlignedMemoryAllocator.h:
3798         * heap/LargeAllocation.cpp:
3799         (JSC::isAlignedForLargeAllocation):
3800         (JSC::LargeAllocation::tryCreate):
3801         (JSC::LargeAllocation::tryReallocate):
3802         (JSC::LargeAllocation::LargeAllocation):
3803         (JSC::LargeAllocation::destroy):
3804         * heap/LargeAllocation.h:
3805         (JSC::LargeAllocation::indexInSpace):
3806         (JSC::LargeAllocation::setIndexInSpace):
3807         (JSC::LargeAllocation::basePointer const):
3808         * heap/MarkedSpace.cpp:
3809         (JSC::MarkedSpace::sweepLargeAllocations):
3810         (JSC::MarkedSpace::prepareForConservativeScan):
3811         * heap/WeakSet.h:
3812         (JSC::WeakSet::isTriviallyDestructible const):
3813         * runtime/Butterfly.h:
3814         * runtime/ButterflyInlines.h:
3815         (JSC::Butterfly::reallocArrayRightIfPossible):
3816         * runtime/JSObject.cpp:
3817         (JSC::JSObject::ensureLengthSlow):
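
The 8-byte adjustment and the realloc path, as an added example (not JSC's LargeAllocation code): `Header`, `RawAllocator` and the bump-arena allocator are constructed here so that raw pointers of both 0 and 8 mod 16 are produced and the alignment change across a realloc is exercised.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

constexpr size_t kAlignment = 16;                    // what tells a LargeAllocation from a MarkedBlock
constexpr size_t kHalfAlignment = kAlignment / 2;    // the "8B more" requested from malloc

struct RawAllocator {                                // stand-in for AlignedMemoryAllocator's hooks
    void* (*alloc)(size_t);
    void* (*realloc)(void*, size_t);
    void (*free)(void*);
};

// Header at the start of the 16-byte aligned region; the payload follows it.
struct alignas(kAlignment) Header {
    size_t payloadSize;
    bool adjustedAlignment;   // region starts kHalfAlignment past the raw pointer
};

static bool isAligned(const void* p) { return (reinterpret_cast<uintptr_t>(p) & (kAlignment - 1)) == 0; }

static void* basePointer(Header* h) {   // what the raw allocator handed out: what realloc/free must get
    return reinterpret_cast<char*>(h) - (h->adjustedAlignment ? kHalfAlignment : 0);
}

// Asks for 8 bytes more than needed so the region can be shifted by 8 when the raw
// pointer is only 8-byte aligned; the shift is remembered in the header.
Header* alignedAllocate(const RawAllocator& raw, size_t payloadSize) {
    void* space = raw.alloc(sizeof(Header) + payloadSize + kHalfAlignment);
    if (!space) return nullptr;
    bool adjusted = !isAligned(space);
    if (adjusted) space = static_cast<char*>(space) + kHalfAlignment;
    Header* h = static_cast<Header*>(space);
    h->payloadSize = payloadSize;
    h->adjustedAlignment = adjusted;
    return h;
}

// realloc from the base pointer. If the new raw pointer's alignment differs from the old
// one, header and payload sit 8 bytes off and have to be moved (memmove: they overlap).
Header* alignedReallocate(const RawAllocator& raw, Header* h, size_t newPayloadSize) {
    bool wasAdjusted = h->adjustedAlignment;
    size_t oldPayloadSize = h->payloadSize;
    void* space = raw.realloc(basePointer(h), sizeof(Header) + newPayloadSize + kHalfAlignment);
    if (!space) return nullptr;                     // old block is untouched, caller keeps h
    bool adjusted = !isAligned(space);
    char* oldStart = static_cast<char*>(space) + (wasAdjusted ? kHalfAlignment : 0);
    char* newStart = static_cast<char*>(space) + (adjusted ? kHalfAlignment : 0);
    if (oldStart != newStart) {
        size_t live = oldPayloadSize < newPayloadSize ? oldPayloadSize : newPayloadSize;
        memmove(newStart, oldStart, sizeof(Header) + live);
    }
    Header* moved = reinterpret_cast<Header*>(newStart);
    moved->payloadSize = newPayloadSize;
    moved->adjustedAlignment = adjusted;
    return moved;
}

void alignedFree(const RawAllocator& raw, Header* h) { raw.free(basePointer(h)); }

// Constructed raw allocator with only 8-byte alignment: a bump allocator over a static
// arena whose realloc always moves, so both adjusted/unadjusted transitions get exercised.
alignas(kAlignment) static char g_arena[4096];
static size_t g_arenaUsed = 0;
static void* bumpAlloc(size_t n) {
    n = (n + 7) & ~size_t(7);
    if (g_arenaUsed + n > sizeof(g_arena)) return nullptr;
    void* p = g_arena + g_arenaUsed;
    g_arenaUsed += n;
    return p;
}
// Copies n bytes: the old block only ever grows here, the bytes past it are still inside the arena, and old blocks are never reused.
static void* bumpRealloc(void* old, size_t n) {
    void* p = bumpAlloc(n);
    if (p && old) memmove(p, old, n);
    return p;
}
static void bumpFree(void*) {}

// Allocates a 16-byte payload after `rawPadding` bytes of arena use (8 puts the first raw pointer at 8 mod 16,
// 0 leaves it aligned), fills it, grows it to 40 bytes, and checks alignment, the flipped adjustment and the payload.
bool reallocPreservesPayload(size_t rawPadding) {
    RawAllocator raw{bumpAlloc, bumpRealloc, bumpFree};
    g_arenaUsed = 0;
    if (rawPadding) (void)bumpAlloc(rawPadding);
    Header* h = alignedAllocate(raw, 16);
    if (!h || !isAligned(h)) return false;
    bool wasAdjusted = h->adjustedAlignment;
    char* payload = reinterpret_cast<char*>(h + 1);
    for (size_t i = 0; i < 16; ++i) payload[i] = static_cast<char>('a' + i);
    Header* grown = alignedReallocate(raw, h, 40);
    if (!grown || !isAligned(grown) || grown->adjustedAlignment == wasAdjusted) return false;
    char* newPayload = reinterpret_cast<char*>(grown + 1);
    for (size_t i = 0; i < 16; ++i) if (newPayload[i] != static_cast<char>('a' + i)) return false;
    bool sizeOk = grown->payloadSize == 40;
    alignedFree(raw, grown);
    return sizeOk;
}
```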
3818
3819 2019-03-31  Sam Weinig  <weinig@apple.com>
3820
3821         Remove more i386 specific configurations
3822         https://bugs.webkit.org/show_bug.cgi?id=196430
3823
3824         Reviewed by Alexey Proskuryakov.
3825
3826         * Configurations/FeatureDefines.xcconfig:
3827         ENABLE_WEB_AUTHN_macosx can now be enabled unconditionally on macOS.
3828
3829         * Configurations/ToolExecutable.xcconfig:
3830         ARC can be enabled unconditionally now.
3831
3832 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
3833
3834         [JSC] JSWrapperMap should not use Objective-C Weak map (NSMapTable with NSPointerFunctionsWeakMemory) for m_cachedObjCWrappers
3835         https://bugs.webkit.org/show_bug.cgi?id=196392
3836
3837         Reviewed by Saam Barati.
3838
3839         Weak representation in Objective-C is surprisingly costly in terms of memory. We can see that a very easy program shows 10KB memory consumption due to
3840         this weak wrapper map in JavaScriptCore.framework. But we do not need this weak map since Objective-C JSValue has a dealloc. It can unregister itself
3841         from the map when it is deallocated without using the Objective-C weak mechanism. And since Objective-C JSValue is tightly coupled to a specific JSContext,
3842         and the wrapper map is created per JSContext, the JSValue wrapper and the actual JavaScriptCore value are one-to-one, and [JSValue dealloc] knows which JSContext's
3843         wrapper map holds itself.
3844
3845         1. We do not use the Objective-C weak mechanism. We use WTF::HashSet instead. When a JSValue is allocated, we register it in JSWrapperMap's HashSet, and unregister
3846            the JSValue from this map when it is deallocated.
3847         2. We use HashSet<JSValue> (logically) instead of HashMap<JSValueRef, JSValue> to keep the JSValueRef to JSValue relationship. We can achieve this because JSValue
3848            holds the JSValueRef inside it.
3849
3850         * API/JSContext.mm:
3851         (-[JSContext removeWrapper:]):
3852         * API/JSContextInternal.h:
3853         * API/JSValue.mm:
3854         (-[JSValue dealloc]):
3855         (-[JSValue initWithValue:inContext:]):
3856         * API/JSWrapperMap.h:
3857         * API/JSWrapperMap.mm:
3858         (WrapperKey::hashTableDeletedValue):
3859         (WrapperKey::WrapperKey):
3860         (WrapperKey::isHashTableDeletedValue const):
3861         (WrapperKey::Hash::hash):
3862         (WrapperKey::Hash::equal):
3863         (WrapperKey::Traits::isEmptyValue):
3864         (