[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2020-09-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Generator declaration should not be allowed in single statement context
        https://bugs.webkit.org/show_bug.cgi?id=216720

        Reviewed by Ross Kirsling.

        A generator declaration in single statement context (like the following code) should be a syntax error.
        We already made async function / async generator function declarations a syntax error. We should apply the same rule
        to generator declarations too.

            if (false)
                function * gen() { }

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseSingleFunction):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseFunctionDeclarationStatement):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        * parser/Parser.h:

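Added example (not part of the ChangeLog entry above and not WebKit code): a probe that feeds each declaration form to the Function constructor, which parses its body as sloppy-mode code, and records which forms a spec-conforming engine rejects. Annex B lets a plain function declaration appear as the bare body of an if-statement in sloppy mode; that allowance was never extended to generators or async functions, which is the rule the entry applies to JSC. The case list, the expected results and the helper names are this example's own assumptions.

```javascript
// Added example, not from the WebKit ChangeLog. Probes which declaration forms
// an engine accepts in "single statement context", i.e. as the bare body of an
// if/while/label rather than inside a block or at the top level.
//
// The Function constructor always parses its body as sloppy-mode code (unless
// the body itself carries a "use strict" directive), so Annex B's allowance for
// plain function declarations in if-statements applies to the sloppy cases.
function parsesAsFunctionBody(source) {
  try {
    new Function(source); // parse only; the function is never called
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a bug in this probe, not a parse result
  }
}

// Each case: [label, source, expected result under ECMA-262 + Annex B]
const CASES = [
  ["plain fn as if body (Annex B allows)",  "if (false) function f() {}",               true],
  ["generator as if body",                  "if (false) function* g() {}",              false],
  ["async fn as if body",                   "if (false) async function h() {}",         false],
  ["async generator as if body",            "if (false) async function* k() {}",        false],
  ["generator inside a block",              "if (false) { function* g() {} }",          true],
  ["plain fn as if body, strict mode",      "'use strict'; if (false) function f() {}", false],
  ["generator as while body",               "while (false) function* g() {}",           false],
  ["generator as labelled statement",       "lbl: function* g() {}",                    false],
];

// Runs every case and pairs the engine's verdict with the expected one.
function runCases() {
  return CASES.map(([label, source, expected]) => ({
    label, source, expected, actual: parsesAsFunctionBody(source),
  }));
}

// True when the running engine agrees with the spec on every case.
function allMatchSpec() {
  return runCases().every((r) => r.actual === r.expected);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runCases()) {
    const mark = r.actual === r.expected ? "ok  " : "FAIL";
    console.log(`${mark} ${r.label}: ${r.source}`);
  }
}
```

Running the probe on an engine that still accepted the generator form would print FAIL for the "generator as if body" case while the plain-function case stays ok, which is exactly the gap the entry closes.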
2020-09-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] PreciseAllocation's isNewlyAllocated flag should be propagated from isMarked at GC begin phase to make isLive correct
        https://bugs.webkit.org/show_bug.cgi?id=216717

        Reviewed by Mark Lam.

        When starting full GC, at beginMarking, PreciseAllocation's mark bit is cleared to be usable for upcoming marking.
        However, this means that HeapCell::isLive will see this object as dead until it is marked.
        Let's consider that this object is not a newly allocated one. Then, its isNewlyAllocated is false. And now the mark bit
        is also cleared. Since PreciseAllocation::isLive is isNewlyAllocated || isMarked, it looks dead, while it is live.
        This confuses the HeapCell::isLive function and makes some watchpoints perform wrong decisions (e.g. this condition is
        no longer valid, let's just discard it).
        At the beginning of full collection, we should propagate the old mark bit to isNewlyAllocated so that it looks live
        during marking. This is a similar trick to MarkedBlock::aboutToMark.

        * heap/PreciseAllocation.cpp:
        (JSC::PreciseAllocation::flip):

2020-09-18  Saam Barati  <sbarati@apple.com>

        console APIs shouldn't crash making a string that's too long for a console warning when using user provided labels
        https://bugs.webkit.org/show_bug.cgi?id=216709
        <rdar://problem/68275357>

        Reviewed by Mark Lam and Devin Rousso.

        Various console APIs send warnings when a label can't be found. These warnings
        include the label itself. If this label has a long enough length, when we make
        these warning strings, we can crash, because we exceed max string length.
        This patch fixes this by truncating the label everywhere it's used if it
        exceeds a length of 10000.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::profile):
        * inspector/ScriptArguments.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::startTiming):
        (Inspector::InspectorConsoleAgent::logTiming):
        (Inspector::InspectorConsoleAgent::stopTiming):
        (Inspector::InspectorConsoleAgent::count):
        (Inspector::InspectorConsoleAgent::countReset):

2020-09-18  Keith Miller  <keith_miller@apple.com>

        DFG should ensure there are PhantomLocals for the taken block of op_jneq_ptr
        https://bugs.webkit.org/show_bug.cgi?id=216669

        Reviewed by Saam Barati.

        Right now, if there is a local that is live on the taken branch but dead on the
        not-taken branch then nothing will preserve it for OSR exit. This patch simply
        adds a PhantomLocal for each live operand for the first bytecode of the taken block.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2020-09-18  Paulo Matos  <pmatos@igalia.com>

        Unified build fixes from ARMv7 build failures
        https://bugs.webkit.org/show_bug.cgi?id=216698

        Reviewed by Adrian Perez de Castro.

        * llint/LLIntThunks.cpp:
        * runtime/FileBasedFuzzerAgent.cpp:
        * runtime/FunctionExecutableDump.cpp:
        * runtime/NativeExecutable.cpp:
        * runtime/WeakMapImpl.cpp:

2020-09-17  Mark Lam  <mark.lam@apple.com>

        Use OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) in speculationFromCell()'s isSanePointer().
        https://bugs.webkit.org/show_bug.cgi?id=216638

        Reviewed by Saam Barati.

        We should be using OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) instead of assuming the
        width of the pointer address bits.

        * bytecode/SpeculatedType.cpp:
        (JSC::isSanePointer):

2020-09-17  Devin Rousso  <drousso@apple.com>

        Web Inspector: REGRESSION(r266885): fix open source build
        https://bugs.webkit.org/show_bug.cgi?id=216675

        Reviewed by Timothy Hatcher.

        Add back methods used by `WebInspector.framework`.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::getInteger): Added.
        (Inspector::BackendDispatcher::getDouble): Added.
        (Inspector::BackendDispatcher::getString): Added.

2020-09-17  Tadeu Zagallo  <tzagallo@apple.com>

        Inconsistent loop exit assertion in B3ReduceLoopStrength
        https://bugs.webkit.org/show_bug.cgi?id=216274
        <rdar://problem/68513573>

        Reviewed by Keith Miller.

        On B3ReduceLoopStrength, we first calculate where the loop exits to, and ensure there's only
        one exit target. Later on, we compute how many places within the loop exit to that single exit
        target. Currently, we assume that having a single target implies that we'll only ever have one
        exit point, which is incorrect. To fix it, instead of asserting there should only be one exit
        point, we just bail if we find more than one.

        * b3/B3ReduceLoopStrength.cpp:
        (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy):

2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Async generator default-export is not handled
        https://bugs.webkit.org/show_bug.cgi?id=216643

        Reviewed by Ross Kirsling.

        `export default async function * test() { }` syntax should be correctly handled.
        This patch adds the code retrieving the "test" name from the above declaration correctly.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseExportDeclaration):

2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Update JSModuleNamespaceObject::defineOwnProperty
        https://bugs.webkit.org/show_bug.cgi?id=216640

        Reviewed by Ross Kirsling.

        This patch implements the spec update of JSModuleNamespaceObject::defineOwnProperty.
        We implement https://tc39.es/ecma262/#sec-module-namespace-exotic-objects-defineownproperty-p-desc precisely.

        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
        (JSC::JSModuleNamespaceObject::deleteProperty):
        (JSC::JSModuleNamespaceObject::getOwnPropertyNames):
        (JSC::JSModuleNamespaceObject::defineOwnProperty):

2020-09-17  Mark Lam  <mark.lam@apple.com>

        Add some pointer sanity checks to speculationFromCell().
        https://bugs.webkit.org/show_bug.cgi?id=216638
        rdar://23226333

        Reviewed by Yusuke Suzuki.

        Add some sanity checks to mitigate against some potential pointer corruptions
        from profiling data.  The goal here is not to exhaustively filter out all possible
        bad pointers, but simply to filter out as many as possible to reduce crashes from
        such bad pointers, and to do so with the least possible performance impact.

        It is OK to do such filtering here because we're only trying to compute a
        SpeculatedType from the pointer.  If the pointer is bad, we can just return
        SpecNone indicating that we don't have any info to speculate on.

        * bytecode/SpeculatedType.cpp:
        (JSC::isSanePointer):
        (JSC::speculationFromCell):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::tryGet):
        * runtime/VM.h:
        (JSC::VM::tryGetStructure):

2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        Support export namespace `export * as ns`
        https://bugs.webkit.org/show_bug.cgi?id=214379

        Reviewed by Ross Kirsling.

        This patch supports `export * as ns from "module"` syntax. If it is used, we expose "module"'s namespace object as "ns".
        For each module environment, we create a *namespace* (starNamespace) private symbol scope variable. And we fill it later
        with the module namespace object. This allows us to use the module namespace object IC and super fast imported module binding
        lookup through the environment variable lookup mechanism.

        * builtins/BuiltinNames.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * parser/NodesAnalyzeModule.cpp:
        (JSC::ExportNamedDeclarationNode::analyzeModule):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseExportDeclaration):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::ExportEntry::createNamespace):
        (JSC::AbstractModuleRecord::resolveExportImpl):
        (JSC::AbstractModuleRecord::getModuleNamespace):
        (JSC::AbstractModuleRecord::setModuleEnvironment):
        (JSC::AbstractModuleRecord::dump):
        * runtime/AbstractModuleRecord.h:
        * runtime/CommonIdentifiers.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::name):
        (JSC::JSFunction::reifyName):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::instantiateDeclarations):
        (JSC::JSModuleRecord::evaluate):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::finishCreation):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Optimize Promise#finally by avoiding creating multiple environments
        https://bugs.webkit.org/show_bug.cgi?id=216637

        Reviewed by Ross Kirsling.

        Let's just create functions inside Promise#finally. This avoids creating
        multiple lexical environments that are captured by each function.

        * builtins/PromisePrototype.js:
        (finally):
        (globalPrivate.getThenFinally): Deleted.
        (globalPrivate.getCatchFinally): Deleted.

2020-09-16  Saam Barati  <sbarati@apple.com>

        Don't IC a null custom accessor/value setter
        https://bugs.webkit.org/show_bug.cgi?id=216620
        <rdar://problem/68976066>

        Reviewed by Mark Lam.

        Our runtime allows CustomGetterSetter objects' setter field to not contain an
        actual C function to call. In such a scenario, the runtime just does nothing
        except return false to the ::put code (which may result in throwing an
        exception in strict mode code).

        However, our IC code never considered whether this function could be nullptr.
        The fix here is simple: don't IC such custom accessor/value setters.

        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::isCacheableCustom const):

2020-09-16  Philippe Normand  <pnormand@igalia.com>

        [Flatpak SDK][WPE] Launching the remote inspector kills MB
        https://bugs.webkit.org/show_bug.cgi?id=213899

        Reviewed by Adrian Perez de Castro.

        Load inspector resources from developer build artefacts, when the inspector server is
        running in this configuration. Fall back to system libraries loading mechanism otherwise.

        * inspector/remote/glib/RemoteInspectorUtils.cpp:
        (Inspector::backendCommands):

2020-09-16  Adrian Perez de Castro  <aperez@igalia.com>

        Non-unified build fixes, early September 2020 edition
        https://bugs.webkit.org/show_bug.cgi?id=216599

        Unreviewed build fix.

        Largely based on a patch by Lauro Moura <lmoura@igalia.com>

        * runtime/IntlCache.cpp: Add missing wtf/Vector.h include.
        * runtime/IntlCache.h: Add missing wtf/text/CString.h include.
        * runtime/IntlNumberFormatPrototype.cpp: Replace IntlNumberFormat.h
        include with IntlNumberFormatInlines.h to fix linking.

2020-09-15  Saam Barati  <sbarati@apple.com>

        JSImmutableButterfly::get needs to return jsDoubleNumber for double arrays
        https://bugs.webkit.org/show_bug.cgi?id=216589
        <rdar://problem/68061245>

        Reviewed by Yusuke Suzuki.

        We are using JSImmutableButterfly::get in AI to constant fold GetByVal,
        but we were failing to always return a boxed double value for double loads.
        We were calling jsNumber instead of jsDoubleNumber. This is in contrast to
        the runtime, which always returns a double boxed value. This would lead AI
        to disagree with the runtime, and miscompile code.

        * runtime/JSImmutableButterfly.h:
        (JSC::JSImmutableButterfly::get const):

2020-09-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Cache UDateTimePatternGenerator
        https://bugs.webkit.org/show_bug.cgi?id=213454

        Reviewed by Ross Kirsling.

        ICU's udatpg_open function is particularly slow. As a result, ~80% of the time is spent in this function when calling Date#toLocaleString.
        We should have a last-used cache in the VM, which covers major cases like "One locale (possibly the default locale) is used and
        toLocaleString is continuously used with that locale".

        This significantly improves toLocaleString / toLocaleDateString / toLocaleTimeString performance.

                                                   ToT                     Patched

            date-to-locale-string           392.0092+-0.6811     ^     87.3196+-3.1598        ^ definitely 4.4894x faster
            date-to-locale-date-string      377.9117+-7.8701     ^     70.4155+-3.6661        ^ definitely 5.3669x faster
            date-to-locale-time-string      373.1970+-3.0142     ^     67.3790+-2.8952        ^ definitely 5.5388x faster

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/IntlCache.cpp: Added.
        (JSC::IntlCache::cacheSharedPatternGenerator):
        (JSC::IntlCache::getBestDateTimePattern):
        * runtime/IntlCache.h: Added.
        (JSC::IntlCache::getSharedPatternGenerator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::intlCache):

2020-09-15  HyeockJin Kim  <kherootz@gmail.com>

        Check whether the iterator is callable in spread
        https://bugs.webkit.org/show_bug.cgi?id=215974

        Reviewed by Darin Adler.

        * builtins/IteratorHelpers.js:
        (performIteration):

2020-09-15  Tadeu Zagallo  <tzagallo@apple.com>

        Object allocation sinking forgets escaped nodes when structure changes
        https://bugs.webkit.org/show_bug.cgi?id=216214
        <rdar://problem/68518460>

        Reviewed by Saam Barati.

        Consider the following program:
            bb0:
                a: NewObject
                b: CreateActivation()
                _: Branch(bb2, bb1)
            bb1:
                _: PutByOffset(a, 'x', 42)
                _: PutStructure(a, {x: 0})
                _: Branch(bb2, bb1)
            bb2:
                _: CheckStructure(a, {x: 0})
                _: PutClosureVar(b, 0, Kill:a)
                _: Branch(bb3, bb2)
            bb3:
                c: GetClosureVar(b, 0)
                _: PutByOffset(global, 'y', c)
                _: Return

        Due to the order we visit the program, we'll visit bb2 before bb1. The first time we visit bb2, heapAtHead will be:
            #@a: ObjectAllocation({})
            #@b: ActivationAllocation()
            @a => #@a
            @b => #@b

        Now CheckStructure would always fail, so it will escape @a and heapAtTail will be:
            #@a: EscapedAllocation()
            #@b: ActivationAllocation()
            @a => #@a
            @b => #@b

        And after pruning:
            #@b: ActivationAllocation()
            @b => #@b

        Now, we'll visit bb3 and then bb1. When we visit bb1 we'll set the structure {x: 0} for #@a and eventually visit bb2 again. This time around CheckStructure will no longer escape @a, since the allocation has the right structure, and heapAtTail will be:
            #@a: ObjectAllocation({x: 0})
            #@b: ActivationAllocation(0: #@a)
            @b => #@b

        However, we now have to merge into bb3, which has heapAtHead:
            #@b: ActivationAllocation()
            @b => #@b

        Since we can't add the extra field to the activation, we'll end up escaping @a at the edge and therefore pruning #@b, which will leave the heap for bb3 unchanged.
        That's a problem, since PutClosureVar didn't see the escaped object, but GetClosureVar thinks it's escaped. The materialization for @a will be placed after the
        PutClosureVar, at the end of bb2, when the node is already dead. When computing the SSA defs, the PutByOffset at bb3 will then see @a (which at this point will be a
        PhantomNewObject) instead of its materialization.

        The issue happens because we don't allow allocations to add extra fields while merging, but we do allow adding new structures. This results in different decisions
        being made about what escapes in CheckStructure and MultiGetByOffset. To avoid this problem, we track two sets of structures: structures and structuresForMaterialization.
        The first is used for checks and should never grow while the second is used for materialization and is allowed to grow.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2020-09-15  Saam Barati  <sbarati@apple.com>

        CustomFunctionEquivalence PropertyCondition needs to check if the structure has the property
        https://bugs.webkit.org/show_bug.cgi?id=216575
        <rdar://problem/68286930>

        Reviewed by Yusuke Suzuki.

        The CustomFunctionEquivalence PropertyCondition would only return false to
        isStillValidAssumingImpurePropertyWatchpoint if the Structure's static
        property table was reified or if the static property table did not contain the
        property. However, this missed the obvious case where we store to this
        property in normal object storage without reifying the static property table.
        The fix here is simple: we first check if the Structure's property table
        has this property, and if so, return false.

        This patch also renames CustomFunctionEquivalence to HasStaticProperty to
        better capture what we're doing.

        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::hasStaticProperty):
        (JSC::ObjectPropertyCondition::customFunctionEquivalence): Deleted.
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition const):
        (JSC::ObjectPropertyConditionSet::slotBaseCondition const):
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext const):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::isStillValid const):
        (JSC::PropertyCondition::isWatchableWhenValid const):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::hasStaticProperty):
        (JSC::PropertyCondition::hash const):
        (JSC::PropertyCondition::operator== const):
        (JSC::PropertyCondition::customFunctionEquivalence): Deleted.
        * tools/JSDollarVM.cpp:
        (JSC::functionCreateStaticCustomValue):
        (JSC::JSDollarVM::finishCreation):

2020-09-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Apply Intl.DateTimeFormat hour-cycle correctly when timeStyle is used
        https://bugs.webkit.org/show_bug.cgi?id=216521

        Reviewed by Ross Kirsling.

        When specifying timeStyle in Intl.DateTimeFormat, we need to check that the generated format also follows the hourCycle / hour12 options
        specified in the constructor. Because dayPeriod can be included automatically, just replacing symbols after generating a pattern can produce strange results.
        For example, the generated one is something like "02:12:47 PM Coordinated Universal Time". And we adjust the pattern to make it "14:12:47 PM Coordinated Universal Time"
        when hourCycle H23 / H24 is specified. But this looks strange since dayPeriod "PM" should not exist when using H23 / H24.

        In this patch, we revise our hour-cycle handling in Intl.DateTimeFormat. We align our behavior to SpiderMonkey's[1] rather than the spec's: when hour12 is specified,
        we will just use the 'H' or 'h' skeleton and do not enforce hour-cycle after generating the pattern in the hour12 case. If hour12 is not specified, then we use the 'h' or 'H' skeleton
        symbols based on hour-cycle, and later we modify the pattern based on hour-cycle. If both are not offered, we use 'j' which allows ICU to pick the preferable one.
        This is slightly different behavior to the spec (hcDefault etc.) but the spec's behavior can cause a somewhat surprising result[2,3], and the SpiderMonkey-like behavior will be
        integrated into the spec eventually[4].

        [1]: https://github.com/tc39/ecma402/issues/402#issuecomment-623628320
        [2]: https://github.com/tc39/ecma402/issues/402
        [3]: https://bugs.chromium.org/p/chromium/issues/detail?id=1045791
        [4]: https://github.com/tc39/ecma402/pull/436

        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::setFormatsFromPattern):
        (JSC::IntlDateTimeFormat::parseHourCycle):
        (JSC::IntlDateTimeFormat::hourCycleFromPattern):
        (JSC::IntlDateTimeFormat::replaceHourCycleInSkeleton):
        (JSC::IntlDateTimeFormat::replaceHourCycleInPattern):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::hourCycleString):
        (JSC::IntlDateTimeFormat::resolvedOptions const):
        (JSC::IntlDateTimeFormat::createDateIntervalFormatIfNecessary):
        * runtime/IntlDateTimeFormat.h:

2020-09-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Intl.Collator should take collation option
        https://bugs.webkit.org/show_bug.cgi?id=216529

        Reviewed by Ross Kirsling.

        This patch adds the "collation" option to Intl.Collator. We are already getting consensus[1], and it will be integrated into the spec.
        Previously, passing "collation" was only available through the "-u-co-" unicode extension in the passed locale. The proposal exposes
        collation as an option to Intl.Collator so that we can set it easily.
        "collation" is used only when "usage" is "sort". "search" usage will filter out collation options since "search" itself is one of
        the "collation" options.

        [1]: https://github.com/tc39/ecma402/pull/459

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::sortLocaleData):
        (JSC::IntlCollator::initializeCollator):

2020-09-15  Joonghun Park  <jh718.park@samsung.com>

        Unreviewed. Remove the build warning below since r228533.
        warning: ‘%40s’ directive argument is null [-Wformat-overflow=]

        Since gcc >= 9 is stricter about passing null string
        pointers to printf-like functions, add a null string pointer check
        to fix the warning proactively.

        * jsc.cpp:
        (runJSC):

2020-09-14  Keith Miller  <keith_miller@apple.com>

        BytecodeParser should GetLocal op_ret's value even if it's unused by the caller
        https://bugs.webkit.org/show_bug.cgi?id=216506

        Reviewed by Mark Lam.

        We have to unconditionally GetLocal operands each bytecode claims to use
        regardless of true liveness. This is important to keep OSRAvailability simple.
        However, op_ret would only GetLocal the return value if we knew the value
        was going to be used by an inline caller.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>

        Proxy's "ownKeys" trap result should not be sorted
        https://bugs.webkit.org/show_bug.cgi?id=216227

        Reviewed by Yusuke Suzuki.

        Given that we can't know whether ownPropertyKeys() received property names from
        a userland Proxy's "ownKeys" trap, this patch moves the symbols-after-strings sorting [1]
        to Structure::getPropertyNamesFromStructure(), aligning observed property order
        (via Proxy's "getOwnPropertyDescriptor" trap) with V8 and SpiderMonkey.

        Also, removes sorting logic duplication in objectConstructorAssign().

        This change is neutral on the provided Reflect.ownKeys microbenchmark. Although property
        name collection besides PropertyNameMode::StringsAndSymbols cases is unaffected,
        Object.{keys,getOwnPropertySymbols} microbenchmarks regress by 6-12% due to
        increased Structure::getPropertyNamesFromStructure() code size.

        [1]: https://tc39.es/ecma262/#sec-ordinaryownpropertykeys (steps 3-4)

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):
        (JSC::ownPropertyKeys):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):

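Added example (not part of the ChangeLog entry above and not WebKit code): JavaScript that shows the property-key order an engine reports for an ordinary object next to the order it reports for a Proxy whose "ownKeys" trap returns keys in a deliberately scrambled order. The ordinary-object order is the OrdinaryOwnPropertyKeys order cited in [1] (integer indices ascending, then strings, then symbols, each in creation order); a Proxy's trap result must be passed through unchanged, which is the behaviour the entry aligns JSC with. The handler, key names and symbols are constructed for this example.

```javascript
// Added example, not from the WebKit ChangeLog. Compares the key order of an
// ordinary object (OrdinaryOwnPropertyKeys) with the key order a Proxy's
// "ownKeys" trap returns, which the engine must not reorder.

const SYM_A = Symbol("a");
const SYM_B = Symbol("b");

// Keys are added in a scrambled order on purpose; the engine re-orders them
// as: integer indices ascending, then strings in creation order, then symbols
// in creation order.
function ordinaryKeyOrder() {
  const o = {};
  o[SYM_A] = 1;
  o.zeta = 1;
  o["10"] = 1;
  o.alpha = 1;
  o["2"] = 1;
  o[SYM_B] = 1;
  return Reflect.ownKeys(o);
}
// → ["2", "10", "zeta", "alpha", Symbol(a), Symbol(b)]

// Every key is reported as an ordinary enumerable, configurable data property
// on an extensible empty target, which satisfies the Proxy invariants.
function describeAsOrdinary() {
  return { value: 1, writable: true, enumerable: true, configurable: true };
}

// The trap returns a symbol first, then strings and indices interleaved.
// Reflect.ownKeys() hands that list back exactly as the trap produced it.
function proxyKeyOrder() {
  const handler = {
    ownKeys: () => [SYM_B, "zeta", "10", SYM_A, "alpha", "2"],
    getOwnPropertyDescriptor: describeAsOrdinary,
  };
  return Reflect.ownKeys(new Proxy({}, handler));
}
// → [Symbol(b), "zeta", "10", Symbol(a), "alpha", "2"]

// Object.keys() filters the trap result down to enumerable string keys but
// still keeps the trap order: no index-first sorting is applied to a Proxy.
function proxyStringKeyOrder() {
  const handler = {
    ownKeys: () => ["zeta", "10", "alpha", "2"],
    getOwnPropertyDescriptor: describeAsOrdinary,
  };
  return Object.keys(new Proxy({}, handler));
}
// → ["zeta", "10", "alpha", "2"]

if (typeof require !== "undefined" && require.main === module) {
  console.log("ordinary:", ordinaryKeyOrder());
  console.log("proxy   :", proxyKeyOrder());
  console.log("keys    :", proxyStringKeyOrder());
}
```

An engine that sorted the trap result (symbols after strings, as JSC did before this change) would print the Proxy cases in a different order from the one the handler returned, which is observable to the handler through the sequence of "getOwnPropertyDescriptor" calls.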
2020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>

        ArraySetLength should coerce [[Value]] before descriptor validation
        https://bugs.webkit.org/show_bug.cgi?id=158791

        Reviewed by Darin Adler.

        This patch:

        1. Moves [[Value]] coercion before descriptor validation as per spec [1],
           which fixes ASSERT() failure and aligns JSC with V8 & SpiderMonkey.

        2. Prevents JSArray::setLengthWithArrayStorage() from throwing if the length
           is unchanged, even if it's read-only [2].

        3. Refactors JSArray::defineOwnProperty() leveraging #2 to always perform
           setLength(), which greatly reduces the number of checks, branches,
           and setLengthWritable() calls.

        Following the ArraySetLength spec steps precisely [1] would result in
        more difficult-to-follow code because descriptor validation [2] is inlined
        and [[Delete]] failures are handled in setLength().

        This change is performance-neutral as it doesn't affect JSArray::put(),
        which was vetted to be spec-correct and is covered by test262 suite.

        [1]: https://tc39.es/ecma262/#sec-arraysetlength (steps 3-4)
        [2]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor (step 7.a.ii)

        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::setLengthWithArrayStorage):

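Added example (not part of the ChangeLog entry above and not WebKit code): JavaScript that exercises points 1 and 2 of the entry through Object.defineProperty on a frozen array, so the order of coercion and validation in ArraySetLength [1] and the SameValue allowance in ValidateAndApplyPropertyDescriptor [2] become observable. The CoercionProbe class and the helper names are this example's own; the expected results are the ones the cited spec steps require, which V8 and SpiderMonkey already produce.

```javascript
// Added example, not from the WebKit ChangeLog. Makes two ArraySetLength
// behaviours observable on a frozen (non-writable length) array:
//  (1) ToUint32(Desc.[[Value]]) runs before the descriptor is validated, so a
//      value whose coercion throws surfaces that error, not the read-only
//      TypeError that validation would produce;
//  (2) redefining a read-only length with an unchanged value is not an error,
//      because ValidateAndApplyPropertyDescriptor accepts a SameValue write.

// Records whether ToNumber ever reached it, then throws a distinctive error.
class CoercionProbe {
  constructor() { this.coerced = false; }
  valueOf() {
    this.coerced = true;
    throw new RangeError("coerced before validation");
  }
}

// Returns the name of the error class that wins. "RangeError" means coercion
// ran first; "TypeError" would mean the writability check ran first.
function whichErrorWins() {
  const arr = Object.freeze([1, 2, 3]);
  const probe = new CoercionProbe();
  try {
    Object.defineProperty(arr, "length", { value: probe });
    return "no error";
  } catch (e) {
    return probe.coerced ? e.constructor.name : `uncoerced:${e.constructor.name}`;
  }
}
// → "RangeError"

// ToUint32("3") is 3 and SameValue(3, 3) holds, so the non-writable length is
// "redefined" to itself without a TypeError.
function redefineUnchangedLength() {
  const arr = Object.freeze([1, 2, 3]);
  Object.defineProperty(arr, "length", { value: "3" });
  return arr.length;
}
// → 3

// Actually shrinking a non-writable length is still rejected.
function redefineChangedLength() {
  const arr = Object.freeze([1, 2, 3]);
  try {
    Object.defineProperty(arr, "length", { value: 2 });
    return "no error";
  } catch (e) {
    return e.constructor.name;
  }
}
// → "TypeError"

// A value where ToUint32 and ToNumber disagree is not a valid array length;
// ArraySetLength throws RangeError for it before any writability check.
function invalidLengthValue() {
  const arr = Object.freeze([1, 2, 3]);
  try {
    Object.defineProperty(arr, "length", { value: 1.5 });
    return "no error";
  } catch (e) {
    return e.constructor.name;
  }
}
// → "RangeError"

if (typeof require !== "undefined" && require.main === module) {
  console.log("coercion vs validation:", whichErrorWins());
  console.log("unchanged length      :", redefineUnchangedLength());
  console.log("changed length        :", redefineChangedLength());
  console.log("invalid length value  :", invalidLengthValue());
}
```

The first probe is the one that distinguishes the pre- and post-patch engine: an implementation that validated first would report "uncoerced:TypeError", because the read-only check rejects the descriptor before valueOf() is ever called.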
2020-09-14  Saam Barati  <sbarati@apple.com>

        Remove bogus asserts in FTLLower that assume programs are compiled with sensible speculations
        https://bugs.webkit.org/show_bug.cgi?id=216485
        <rdar://problem/68562804>

        Reviewed by Keith Miller.

        We had an assert inside lowCell that if a value was not part of the JSValue
        hashmap of values, then the type must not conform to being a cell. However,
        consider a program like this:

        ```
        x = ArithAdd(i32, i32) <-- x is an i32 here
        if (b) {
            Check(Cell:@x)
            ArrayifyToStructure(@x, thingy)
        }
        <-- HERE
        ```

        @x will live in FTLLower's i32 hashmap, but because of the AI rule for
        ArrayifyToStructure, it will also have SpecCell in its type. This is totally
        valid, and asserting that this isn't possible is wrong. (Obviously the above
        speculation is stupid, as we will always exit at the Check, but it's valid IR.)

        This patch removes this assertion from lowCell, and removes similar assertions
        from other low* functions.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::lowDouble):

634 2020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>
635
636         Make a few built-in methods throw if called as top-level functions
637         https://bugs.webkit.org/show_bug.cgi?id=216467
638
639         Reviewed by Darin Adler.
640
641         Non-strict userland functions substitute undefined & null `this` values
642         with the global object [1], while built-in functions do not [2].
643
644         This patch adds 5 missing toThis(globalObject, ECMAMode::strict()) calls,
645         preventing built-in methods from being called as top-level functions:
646
647         ```
648         let {toString} = Error.prototype;
649         toString(); // now throws TypeError
650         ```
651
652         Aligns JSC with V8 and SpiderMonkey.
653         This change is performance-neutral due to DFG inlining of OpToThis.
654         All other callFrame->thisValue() usages were vetted to be spec-correct.
655
656         [1]: https://tc39.es/ecma262/#sec-ordinarycallbindthis (step 6.a.iii)
657         [2]: https://tc39.es/ecma262/#sec-built-in-function-objects-call-thisargument-argumentslist (step 10)
658
659         * runtime/ArrayPrototype.cpp:
660         (JSC::createArrayIteratorObject):
661         * runtime/DatePrototype.cpp:
662         (JSC::dateProtoFuncToPrimitiveSymbol):
663         (JSC::dateProtoFuncToJSON):
664         * runtime/ErrorPrototype.cpp:
665         (JSC::errorProtoFuncToString):
666         * runtime/RegExpPrototype.cpp:
667         (JSC::regExpProtoFuncToString):
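
The contrast the entry above describes (sloppy userland functions get the global object substituted for an undefined `this`, built-ins do not), as an added example that is not part of the WebKit ChangeLog or of JSC's own code. The sloppy and strict receivers are built with `new Function` so the result does not depend on whether the file itself runs as a strict module; run it with node.

```javascript
// Added example (not from the WebKit ChangeLog): how a detached call with an
// undefined `this` is treated by userland functions versus built-in methods.

// A sloppy-mode function called without a receiver sees `this` coerced to the
// global object (OrdinaryCallBindThis, step 6.a.iii). Built with `new Function`
// so it is sloppy even when this file is loaded as a strict ES module.
const sloppyReceiver = new Function("return this;");

function sloppyThisIsGlobal() {
  const detached = sloppyReceiver;
  return detached() === globalThis;
}

// A strict-mode function gets the `this` it was given, untouched.
const strictReceiver = new Function('"use strict"; return this;');

function strictThisIsUndefined() {
  const detached = strictReceiver;
  return detached() === undefined;
}

// Returns true only if calling `fn` throws a TypeError (anything else, including
// a normal return, counts as a failure).
function throwsTypeError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Built-in methods never substitute the global object; the methods touched by the
// entry above throw a TypeError when called as top-level functions.
function detachedBuiltinsThrow() {
  const { toString: errorToString } = Error.prototype;
  const { toString: regExpToString } = RegExp.prototype;
  const { toJSON: dateToJSON } = Date.prototype;
  const { values: arrayValues } = Array.prototype;
  return [errorToString, regExpToString, dateToJSON, arrayValues].every(throwsTypeError);
}

// Given a proper receiver again, the same built-ins behave normally.
function boundBuiltinsWork() {
  const { toString: errorToString } = Error.prototype;
  return errorToString.call(new RangeError("boom")) === "RangeError: boom";
}
```

`detachedBuiltinsThrow()` is the check a test suite would keep for this behaviour: a built-in that silently falls back to the global object would return a string (or an iterator) instead of throwing, and the function would report false.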
668
669 2020-09-14  Devin Rousso  <drousso@apple.com>
670
671         Web Inspector: REGRESSION(r266885): dyld: Symbol not found: __ZN9Inspector17BackendDispatcher12sendResponseElON3WTF6RefPtrINS1_8JSONImpl6ObjectENS1_13DumbPtrTraitsIS4_EEEEb
672         https://bugs.webkit.org/show_bug.cgi?id=216486
673
674         Reviewed by Joseph Pecoraro.
675
676         * inspector/InspectorBackendDispatcher.h:
677         * inspector/InspectorBackendDispatcher.cpp:
678         (Inspector::BackendDispatcher::sendResponse):
679         Add back overloads removed in r266885 so that the symbols exist.
680
681 2020-09-14  Saam Barati  <sbarati@apple.com>
682
683         Don't assume byte code operands are uint32 JSValues
684         https://bugs.webkit.org/show_bug.cgi?id=216386
685
686         Reviewed by Yusuke Suzuki.
687
688         The slow path for enumerator_generic_pname was assuming that its input index operand
689         would always be a UInt32 JSValue boxed as int32. However, this assumption isn't true
690         because that value can have double format in the DFG, and remain in that format when
691         we exit from the DFG to baseline/LLInt code.
692         
693         This was found via the widening number fuzzing agent.
694         
695         I also audited two more places that seem like they suffer from the same issue,
696         and also switched them to using the asUInt32AsAnyInt function:
697         - enumerator_structure_pname
698         - create_rest
699
700         * runtime/CommonSlowPaths.cpp:
701         (JSC::SLOW_PATH_DECL):
702
703 2020-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
704
705         [JSC] Canonicalize "true" unicode extension type value to ""
706         https://bugs.webkit.org/show_bug.cgi?id=216224
707
708         Reviewed by Ross Kirsling.
709
        Unicode Technical Standard #35 defines that a unicode extension type value of "true" should be converted to "".
        This patch implements it by extracting unicode extension subtags and replacing "true" with "".
712
713         * runtime/IntlLocale.cpp:
714         (JSC::LocaleIDBuilder::toCanonical):
715         (JSC::IntlLocale::keywordValue const):
716         (JSC::IntlLocale::calendar):
717         (JSC::IntlLocale::caseFirst):
718         (JSC::IntlLocale::collation):
719         (JSC::IntlLocale::hourCycle):
720         (JSC::IntlLocale::numberingSystem):
721         (JSC::IntlLocale::numeric):
722         * runtime/IntlLocale.h:
723         * runtime/IntlLocalePrototype.cpp:
724         (JSC::IntlLocalePrototypeGetterCalendar):
725         (JSC::IntlLocalePrototypeGetterCaseFirst):
726         (JSC::IntlLocalePrototypeGetterCollation):
727         (JSC::IntlLocalePrototypeGetterHourCycle):
728         (JSC::IntlLocalePrototypeGetterNumberingSystem):
729         * runtime/IntlObject.cpp:
730         (JSC::unicodeExtensionSubTags):
731         (JSC::canonicalizeUnicodeExtensionsAfterICULocaleCanonicalization):
732         (JSC::languageTagForLocaleID):
733         (JSC::resolveLocale):
734         * runtime/IntlObject.h:
735         * runtime/IntlObjectInlines.h:
736         (JSC::computeTwoCharacters16Code):
737         * runtime/StringPrototype.cpp:
738         (JSC::computeTwoCharacters16Code): Deleted.
739
740 2020-09-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
741
742         [JSC] attribute-change transition should not pin Structure
743         https://bugs.webkit.org/show_bug.cgi?id=215528
744
745         Reviewed by Saam Barati.
746
        This patch avoids using pin in attribute-change transition. To achieve this, attribute-change transition is now fully supported in the
        transition chain in forEachPropertyConcurrently etc.: we can retrieve properties with changed attributes correctly by traversing the
        transition chain. And we also support attribute-change transition in materializePropertyTable, so we do not need to pin the structure.
750
        The design largely mimics the existing removePropertyTransition and addPropertyTransition. This patch also adds a `hasBeenDictionary()`
        check before adding a structure to the transition so that we can avoid adding an unnecessary structure entry to the transition table.
753
754         * bytecode/AccessCase.cpp:
755         (JSC::AccessCase::generateImpl):
756         * dfg/DFGClobberize.h:
757         (JSC::DFG::clobberize):
758         * ftl/FTLLowerDFGToB3.cpp:
759         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
760         * jit/Repatch.cpp:
761         (JSC::tryCacheDeleteBy):
762         * runtime/Structure.cpp:
763         (JSC::Structure::materializePropertyTable):
764         (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
765         (JSC::Structure::addPropertyTransition):
766         (JSC::Structure::addNewPropertyTransition):
767         (JSC::Structure::removePropertyTransitionFromExistingStructureImpl):
768         (JSC::Structure::removeNewPropertyTransition):
769         (JSC::Structure::attributeChangeTransitionToExistingStructure):
770         (JSC::Structure::attributeChangeTransition):
771         (JSC::Structure::nonPropertyTransitionSlow):
772         (JSC::Structure::attributeChange):
773         * runtime/Structure.h:
774         * runtime/StructureInlines.h:
775         (JSC::Structure::forEachPropertyConcurrently):
776         (JSC::Structure::attributeChange):
777         (JSC::Structure::attributeChangeWithoutTransition):
778         * tools/JSDollarVM.cpp:
779         (JSC::JSDollarVMHelper::functionGetStructureTransitionList):
780
781 2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
782
783         [JSC] customGetterSetterFunctionCall should have proper exception checking
784         https://bugs.webkit.org/show_bug.cgi?id=216391
785         <rdar://problem/68631643>
786
787         Reviewed by Mark Lam.
788
789         Add appropriate exception checking to customGetterSetterFunctionCall.
790
791         * runtime/JSCustomGetterSetterFunction.cpp:
792         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
793
794 2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
795
796         [JSC] Add exception checks to JSCallbackObject
797         https://bugs.webkit.org/show_bug.cgi?id=216384
798         <rdar://problem/68632190>
799
800         Reviewed by Saam Barati.
801
802         This patch adds necessary exception checks to JSCallbackObject to suppress exception verifier crash in Debug build.
803
804         * API/JSCallbackObjectFunctions.h:
805         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
806         (JSC::JSCallbackObject<Parent>::defaultValue):
807         (JSC::JSCallbackObject<Parent>::put):
808         (JSC::JSCallbackObject<Parent>::putByIndex):
809         (JSC::JSCallbackObject<Parent>::deleteProperty):
810         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
811
812 2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
813
814         [JSC] agent start function should move isolated copy of source
815         https://bugs.webkit.org/show_bug.cgi?id=216383
816         <rdar://problem/66371008>
817
818         Reviewed by Saam Barati.
819
        We are calling `isolatedCopy()` and setting it to a variable in the caller thread. And we are copying it to the thread.
        This means that ref-counting will happen in both the caller thread and the callee thread, which is wrong.
        We should pass the isolatedCopy string directly to the callee thread.
823
824         * jsc.cpp:
825         (functionDollarAgentStart):
826
827 2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
828
829         [JSC] unshift / shift should take structure lock
830         https://bugs.webkit.org/show_bug.cgi?id=216378
831         <rdar://problem/68496096>
832
833         Reviewed by Mark Lam.
834
        When unshifting / shifting the butterfly, we need to move property storage values too.
        If property storage values are moved while the concurrent JIT compiler is accessing them, it could read a garbage value.
837
        For example, the concurrent JIT compiler is accessing the [2] property storage slot.
839
840                             1          2         3
841                        [ JSValue ][ JSValue ][ Header ]
842
843         But unshift moved it like this.
844
845                             1          2         3
846             [ JSValue ][ JSValue ][ Header ]
847
        Since the butterfly pointer held by JSObject is not updated yet, the concurrent JIT compiler will read [ Header ] as a JSValue and crash.
        In this patch, we take the structure lock when shifting an existing butterfly since this affects property storage. Since JSObject::getDirectConcurrently
        takes a structure lock, this locking prevents concurrent compilers from getting an invalid value.
851
852         * runtime/JSArray.cpp:
853         (JSC::JSArray::unshiftCountSlowCase):
854         (JSC::JSArray::shiftCountWithArrayStorage):
855         (JSC::JSArray::unshiftCountWithArrayStorage):
856
857 2020-09-10  Joonghun Park  <jh718.park@samsung.com>
858
859         Unreviewed. Remove the build warning below since r266885.
860         warning: redundant move in return statement [-Wredundant-move]
861
        Because the return statement already returns an rvalue reference,
        we don't need WTFMove at return.
864
865         * inspector/agents/InspectorRuntimeAgent.cpp:
866         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
867         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
868
869 2020-09-10  Alexey Shvayka  <shvaikalesh@gmail.com>
870
871         Promise.prototype.finally should perform PromiseResolve
872         https://bugs.webkit.org/show_bug.cgi?id=176006
873
874         Reviewed by Yusuke Suzuki.
875
876         This patch extracts @promiseResolve global private function and utilizes it in
877         Promise.prototype.finally then/catch functions [1] to avoid creating an extra
878         Promise Capability. Aligns JSC with V8 and SpiderMonkey.
879
880         [1]: https://tc39.es/ecma262/#sec-thenfinallyfunctions (step 7)
881
882         * builtins/PromiseConstructor.js:
883         (resolve):
884         * builtins/PromiseOperations.js:
885         (globalPrivate.promiseResolve):
886         * builtins/PromisePrototype.js:
887         (globalPrivate.getThenFinally):
888         (globalPrivate.getCatchFinally):
889
890 2020-09-10  Devin Rousso  <drousso@apple.com>
891
892         Web Inspector: modernize generated backend protocol code
893         https://bugs.webkit.org/show_bug.cgi?id=216302
894         <rdar://problem/68547649>
895
896         Reviewed by Brian Burg.
897
898         Previously, the inspector protocol was expressed in code in a somewhat confusing way:
899          - the error string was the first argument
900          - required parameters were `T` or `const T&`
901          - optional parameters were `const T*`
902          - enum parameters were the underlying type requiring the backend dispatcher handler to
903            process it instead of it being preprocessed
904          - required returns were `T&`
905          - optional returns were `T*`
906         This doesn't really make for easy/obvious reading of code since the order of arguments is
907         not weird (e.g. error string first), and that there are references/pointers to primitive
908         types.
909
910         This patch cleans up the generated inspector protocol code to be:
911          - required parameters are `T` or `Ref<T>&&`
912          - optional parameters are `Optional<T>&&` or `RefPtr<T>&&`
913          - enum parameters are preprocessed and passed to the backend dispatcher handler if valid
914          - synchronous commands return `Expected<X, ErrorString>` using the same types/rules above
915            where `X` is either a single return or a `std::tuple` of multiple returns
916
917         The one exception to the above is `String`, which is already a tri-state of `nullString()`,
918         `emptyString()`, and something set, so there's no need to use `Optional<String>`.
919
920         Also use `Protocol` objects/`typedefs` wherever possible to further relate the protocol
921         JSON and the actual backend dispatcher handler implementation.
922
923         * inspector/scripts/codegen/generator.py:
924         (Generator.generate_includes_from_entries):
925         * inspector/scripts/codegen/cpp_generator_templates.py:
926         * inspector/scripts/codegen/cpp_generator.py:
927         (CppGenerator.helpers_namespace):
928         (CppGenerator.cpp_getter_method_for_type):
929         (CppGenerator.cpp_setter_method_for_type):
930         (CppGenerator.cpp_protocol_type_for_type):
931         (CppGenerator.cpp_type_for_type_member_argument): Added.
932         (CppGenerator.cpp_type_for_command_parameter): Added.
933         (CppGenerator.cpp_type_for_command_return_declaration): Added.
934         (CppGenerator.cpp_type_for_command_return_argument): Added.
935         (CppGenerator.cpp_type_for_event_parameter): Added.
936         (CppGenerator.cpp_type_for_enum): Added.
937         (CppGenerator.should_move_argument): Added.
938         (CppGenerator.should_release_argument): Added.
939         (CppGenerator.should_dereference_argument): Added.
940         (CppGenerator.cpp_protocol_type_for_type_member): Deleted.
941         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Deleted.
942         (CppGenerator.cpp_type_for_checked_formal_event_parameter): Deleted.
943         (CppGenerator.cpp_type_for_type_member): Deleted.
944         (CppGenerator.cpp_type_for_type_with_name): Deleted.
945         (CppGenerator.cpp_type_for_formal_out_parameter): Deleted.
946         (CppGenerator.cpp_type_for_formal_async_parameter): Deleted.
947         (CppGenerator.cpp_type_for_stack_in_parameter): Deleted.
948         (CppGenerator.cpp_type_for_stack_out_parameter): Deleted.
949         (CppGenerator.cpp_assertion_method_for_type_member): Deleted.
950         (CppGenerator.cpp_assertion_method_for_type_member.assertion_method_for_type): Deleted.
951         (CppGenerator.should_use_wrapper_for_return_type): Deleted.
952         (CppGenerator.should_use_references_for_type): Deleted.
953         (CppGenerator.should_pass_by_copy_for_return_type): Deleted.
954         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
955         (CppAlternateBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
956         (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
957         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
958         (CppBackendDispatcherHeaderGenerator.generate_output):
959         (CppBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
960         (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
961         (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
962         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
963         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
964         (CppBackendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter): Deleted.
965         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
966         (CppBackendDispatcherImplementationGenerator._generate_secondary_header_includes):
967         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
968         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
969         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
970         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
971         (CppFrontendDispatcherHeaderGenerator._generate_secondary_header_includes):
972         (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event):
973         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
974         (CppFrontendDispatcherImplementationGenerator._generate_secondary_header_includes):
975         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
976         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
977         (CppProtocolTypesHeaderGenerator._generate_secondary_header_includes):
978         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
979         (CppProtocolTypesImplementationGenerator._generate_secondary_header_includes):
980         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
981         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
982         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
983         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
984         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command):
985         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
986         (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_command):
987         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
988         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command.and):
989         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command.in_param_expression):
990         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
991         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
992         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
993         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
994         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
995         * inspector/scripts/codegen/objc_generator_templates.py:
996         * inspector/scripts/codegen/objc_generator.py:
997         (ObjCGenerator.protocol_type_for_type):
998         (ObjCGenerator.objc_type_for_param_internal):
999         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
1000
1001         * inspector/protocol/Page.json:
        Now that enums are processed before being passed to backend dispatcher handlers, the
1003         `appearance` parameter of `Page.setForcedAppearance` must be marked `optional` as
1004         there's no way for it to accept an empty string, as that's not possible for an enum.
1005
1006         * inspector/agents/InspectorAgent.h:
1007         * inspector/agents/InspectorAgent.cpp:
1008         * inspector/agents/InspectorAuditAgent.h:
1009         * inspector/agents/InspectorAuditAgent.cpp:
1010         * inspector/agents/InspectorConsoleAgent.h:
1011         * inspector/agents/InspectorConsoleAgent.cpp:
1012         * inspector/agents/InspectorDebuggerAgent.h:
1013         * inspector/agents/InspectorDebuggerAgent.cpp:
1014         * inspector/agents/InspectorHeapAgent.h:
1015         * inspector/agents/InspectorHeapAgent.cpp:
1016         * inspector/agents/InspectorRuntimeAgent.h:
1017         * inspector/agents/InspectorRuntimeAgent.cpp:
1018         * inspector/agents/InspectorScriptProfilerAgent.h:
1019         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1020         * inspector/agents/InspectorTargetAgent.h:
1021         * inspector/agents/InspectorTargetAgent.cpp:
1022         * inspector/agents/JSGlobalObjectAuditAgent.h:
1023         * inspector/agents/JSGlobalObjectAuditAgent.cpp:
1024         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
1025         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1026         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1027         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1028         * inspector/JSGlobalObjectConsoleClient.cpp:
1029         * inspector/JSGlobalObjectInspectorController.cpp:
        Elided backend dispatcher handler changes described above.
1031
1032         * bindings/ScriptValue.cpp:
1033         (Inspector::jsToInspectorValue):
1034         * inspector/AsyncStackTrace.h:
1035         * inspector/AsyncStackTrace.cpp:
1036         (Inspector::AsyncStackTrace::buildInspectorObject const):
1037         * inspector/ConsoleMessage.cpp:
1038         (Inspector::ConsoleMessage::addToFrontend):
1039         * inspector/InjectedScriptBase.h:
1040         * inspector/InjectedScriptBase.cpp:
1041         (Inspector::InjectedScriptBase::makeEvalCall):
1042         (Inspector::InjectedScriptBase::checkCallResult):
1043         (Inspector::InjectedScriptBase::checkAsyncCallResult):
1044         * inspector/InjectedScript.h:
1045         * inspector/InjectedScript.cpp:
1046         (Inspector::InjectedScript::execute):
1047         (Inspector::InjectedScript::evaluate):
1048         (Inspector::InjectedScript::callFunctionOn):
1049         (Inspector::InjectedScript::evaluateOnCallFrame):
1050         (Inspector::InjectedScript::getFunctionDetails):
1051         (Inspector::InjectedScript::functionDetails):
1052         (Inspector::InjectedScript::getPreview):
1053         (Inspector::InjectedScript::getProperties):
1054         (Inspector::InjectedScript::getDisplayableProperties):
1055         (Inspector::InjectedScript::getInternalProperties):
1056         (Inspector::InjectedScript::getCollectionEntries):
1057         (Inspector::InjectedScript::saveResult):
1058         (Inspector::InjectedScript::wrapCallFrames const):
1059         (Inspector::InjectedScript::wrapObject const):
1060         (Inspector::InjectedScript::wrapJSONString const):
1061         (Inspector::InjectedScript::wrapTable const):
1062         (Inspector::InjectedScript::previewValue const):
1063         * inspector/InjectedScriptManager.cpp:
1064         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1065         * inspector/InspectorBackendDispatcher.h:
1066         * inspector/InspectorBackendDispatcher.cpp:
1067         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1068         (Inspector::BackendDispatcher::dispatch):
1069         (Inspector::BackendDispatcher::sendResponse):
1070         (Inspector::BackendDispatcher::getPropertyValue):
1071         (Inspector::BackendDispatcher::getBoolean):
1072         (Inspector::BackendDispatcher::getInteger):
1073         (Inspector::BackendDispatcher::getDouble):
1074         (Inspector::BackendDispatcher::getString):
1075         (Inspector::BackendDispatcher::getValue):
1076         (Inspector::BackendDispatcher::getObject):
1077         (Inspector::BackendDispatcher::getArray):
1078         (Inspector::castToInteger): Deleted.
1079         (Inspector::castToNumber): Deleted.
1080         * inspector/InspectorProtocolTypes.h:
1081         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
1082         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::assertValueHasExpectedType):
1083         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
1084         (Inspector::RemoteInspectorConnectionClient::extractEvent):
1085         * inspector/remote/socket/RemoteInspectorSocket.cpp:
1086         (Inspector::RemoteInspector::pushListingsNow):
1087         * runtime/TypeSet.cpp:
1088         (JSC::StructureShape::inspectorRepresentation):
1089         `JSON` classes now use `Ref&&` wherever possible and `Optional` instead of an out parameter
1090         for `get*`/`as*` so that values can be more easily manipulated and can be confidently known
1091         to exist.
1092
1093         * inspector/scripts/tests/enum-values.json:
1094         * inspector/scripts/tests/expected/command-targetType-matching-domain-debuggableType.json-result:
1095         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1096         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1097         * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result:
1098         * inspector/scripts/tests/expected/domain-debuggableTypes.json-result:
1099         * inspector/scripts/tests/expected/domain-targetType-matching-domain-debuggableType.json-result:
1100         * inspector/scripts/tests/expected/domain-targetTypes.json-result:
1101         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1102         * inspector/scripts/tests/expected/enum-values.json-result:
1103         * inspector/scripts/tests/expected/event-targetType-matching-domain-debuggableType.json-result:
1104         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1105         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1106         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1107         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1108         * inspector/scripts/tests/expected/should-strip-comments.json-result:
1109         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1110         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1111         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1112         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1113         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1114         * inspector/scripts/tests/expected/type-with-open-parameters.json-result:
1115         * inspector/scripts/tests/expected/version.json-result:
1116
1117 2020-09-09  Saam Barati  <sbarati@apple.com>
1118
1119         OutOfBoundsSaneChain operations should use their own heap locations
1120         https://bugs.webkit.org/show_bug.cgi?id=216328
1121         <rdar://problem/68568039>
1122
1123         Reviewed by Keith Miller.
1124
1125         There is code in local CSE that does some basic bounds check elimination
1126         for PutByVal. It does this analysis by seeing if a particular heap location
1127         is already defined, and if so, it eliminates the bounds check for the
1128         PutByVal. This doesn't work for OutOfBoundsSaneChain for the obvious reason
        that these GetByVals are not proven to be in bounds. So GetByVals in the
        OutOfBoundsSaneChain mode reusing non-OutOfBoundsSaneChain heap locations
1131         can lead to a bug where we mistakenly remove a bounds check. The fix is to
1132         have all OutOfBoundsSaneChain operations use distinct heaps, and for CSE to
1133         not query those heaps.
1134
1135         * dfg/DFGArrayMode.h:
1136         (JSC::DFG::ArrayMode::isAnySaneChain const): Deleted.
1137         * dfg/DFGClobberize.h:
1138         (JSC::DFG::clobberize):
1139         * dfg/DFGHeapLocation.cpp:
1140         (WTF::printInternal):
1141         * dfg/DFGHeapLocation.h:
1142
1143 2020-09-09  Keith Miller  <keith_miller@apple.com>
1144
1145         BigInt should PACCage its data pointer
1146         https://bugs.webkit.org/show_bug.cgi?id=216319
1147
1148         Reviewed by Yusuke Suzuki.
1149
1150         * runtime/JSBigInt.h:
1151
1152 2020-09-09  Alexey Shvayka  <shvaikalesh@gmail.com>
1153
1154         Don't emitDirectBinding() if there is a [...rest] element binding
1155         https://bugs.webkit.org/show_bug.cgi?id=216228
1156
1157         Reviewed by Darin Adler.
1158
        emitDirectBinding() is up for removal due to not respecting overridden or removed
        Array.prototype[Symbol.iterator]. However, dropping it slows down the popular swap pattern
        `[a, b] = [b, a]` by 40% with DFG/FTL, and by a factor of 6 with baseline JIT only.
1162
1163         Until we figure out the best way to preserve common case performance, this patch
1164         prevents `let [...rest] = [1]` from ending up as a number instead of an array,
1165         aligning JSC with V8 and SpiderMonkey.
1166
1167         * bytecompiler/NodesCodegen.cpp:
1168         (JSC::ArrayPatternNode::emitDirectBinding):
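
The observable semantics behind the entry above, as an added example that is not part of the WebKit ChangeLog or of JSC's own code: a `[...rest]` binding must produce an array even for a one-element source, the swap pattern the entry wants to keep fast, and the spec rule that array destructuring goes through `Array.prototype[Symbol.iterator]` (the rule the fast path does not respect). The replaced iterator is restored in `finally` so nothing leaks past the function; run it with node.

```javascript
// Added example (not from the WebKit ChangeLog): what array destructuring is
// required to do, independent of which engine fast path handles it.

// A [...rest] element always binds an Array, even with a single-element source.
function restBindsArray() {
  const [...rest] = [1];
  return Array.isArray(rest) && rest.length === 1 && rest[0] === 1;
}

// The swap pattern whose performance the entry is protecting.
function swap(a, b) {
  [a, b] = [b, a];
  return [a, b];
}

// Per spec, array destructuring consumes the right-hand side through
// Array.prototype[Symbol.iterator], so a replaced iterator is observed by the
// bindings. The patched iterator counts its invocations and scales every value
// by 10 so the effect is visible; the original is put back in `finally`.
function destructuringUsesIterator() {
  const original = Array.prototype[Symbol.iterator];
  let calls = 0;
  Array.prototype[Symbol.iterator] = function* () {
    calls++;
    // `original.call(this)` yields an ArrayIterator, whose own Symbol.iterator
    // returns itself, so this loop does not re-enter the patched function.
    for (const v of original.call(this)) yield v * 10;
  };
  try {
    const [x, y] = [1, 2];     // one iterator call
    const [...rest] = [3];     // a second iterator call
    return { calls, x, y, rest };
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
}
```

`destructuringUsesIterator()` returns `{ calls: 2, x: 10, y: 20, rest: [30] }`; an engine fast path that bypassed the iterator would return the unscaled values and a call count of 0, which is exactly the deviation the entry describes.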
1169
1170 2020-09-08  Yusuke Suzuki  <ysuzuki@apple.com>
1171
1172         [JSC] returnEarlyFromInfiniteLoopsForFuzzing should return object
1173         https://bugs.webkit.org/show_bug.cgi?id=216289
1174         <rdar://problem/68496533>
1175
1176         Reviewed by Saam Barati.
1177
        When returning early with returnEarlyFromInfiniteLoopsForFuzzing, we are returning with undefined.
        But this is wrong when the callee is a constructor, since a constructor is strongly assumed to return an object.
        We should return some object from returnEarlyFromInfiniteLoopsForFuzzing. In this patch, we return the global object
        associated with this callee instead of undefined.
1182
1183         * bytecode/CodeBlock.cpp:
1184         (JSC::CodeBlock::finishCreation):
1185         (JSC::CodeBlock::~CodeBlock):
1186         * dfg/DFGSpeculativeJIT64.cpp:
1187         (JSC::DFG::SpeculativeJIT::compile):
1188         * ftl/FTLLowerDFGToB3.cpp:
1189         (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
1190         * jit/JITOpcodes.cpp:
1191         (JSC::JIT::emit_op_loop_hint):
1192         * llint/LowLevelInterpreter64.asm:
1193
1194 2020-09-08  Saam Barati  <sbarati@apple.com>
1195
1196         re-enable TCSM on all OSs
1197         https://bugs.webkit.org/show_bug.cgi?id=216281
1198
1199         Reviewed by Tadeu Zagallo.
1200
1201         * runtime/Options.cpp:
1202         (JSC::defaultTCSMValue):
1203
1204 2020-09-08  Yusuke Suzuki  <ysuzuki@apple.com>
1205
1206         [JSC] Special property caching should check Structure's cacheability
1207         https://bugs.webkit.org/show_bug.cgi?id=216222
1208
1209         Reviewed by Saam Barati.
1210
        While StructureRareData::cacheSpecialPropertySlow caches properties, the approach it takes is incomplete.
        It is not checking the Structure's cacheability. We were caching the miss condition even if the structure is !propertyAccessesAreCacheableForAbsence.
        We should perform the same check done in the IC case. Strictly speaking, we can cache the value for an uncacheable dictionary because we are setting
        a property change watchpoint (which will fire). But it does not sound so profitable if this structure is uncacheable.
1215
1216         * runtime/JSObject.cpp:
1217         (JSC::JSObject::convertToUncacheableDictionary):
1218         * runtime/JSObject.h:
1219         * runtime/StructureRareData.cpp:
1220         (JSC::StructureRareData::cacheSpecialPropertySlow):
1221         * tools/JSDollarVM.cpp:
1222         (JSC::functionToUncacheableDictionary):
1223         (JSC::JSDollarVM::finishCreation):
1224
2020-09-07  Joonghun Park  <jh718.park@samsung.com>

        Unreviewed. Remove the build warning below since r266567.
        warning: parameter ‘hint’ set but not used [-Wunused-but-set-parameter]

        * runtime/JSObject.cpp:
        (JSC::callToPrimitiveFunction):

2020-09-06  Darin Adler  <darin@apple.com>

        TextCodec refinements
        https://bugs.webkit.org/show_bug.cgi?id=216219

        Reviewed by Sam Weinig.

        * parser/Lexer.h:
        (JSC::Lexer<UChar>::isWhiteSpace): Use byteOrderMark constant.

2020-09-05  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, suppress exception checking after unwrapForOldFunctions
        https://bugs.webkit.org/show_bug.cgi?id=216193

        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):

2020-09-05  Devin Rousso  <drousso@apple.com>

        Web Inspector: allow DOM breakpoints to be configured
        https://bugs.webkit.org/show_bug.cgi?id=215795

        Reviewed by Brian Burg.

        * inspector/protocol/DOMDebugger.json:
        Add an `options` parameter to `DOMDebugger.setDOMBreakpoint` to allow configuration.

2020-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Align legacy Intl constructor behavior to spec
        https://bugs.webkit.org/show_bug.cgi?id=216193

        Reviewed by Darin Adler.

        Legacy Intl constructors (Intl.DateTimeFormat and Intl.NumberFormat) have special handling when they are called via the `Intl.DateTimeFormat()` form.
        This allowed legacy Intl constructors to be used with prototype-based inheritance without using class syntax. This legacy behavior was later specified
        explicitly in the spec. So we should align our implementation with the spec's.

            1. When defining fallback formats, we need to put them into the property which is visible via Symbol("IntlLegacyConstructedSymbol").
            2. Even if the provided thisValue is IntlDateTimeFormat* / IntlNumberFormat*, we should create another instance and put it in the Symbol("IntlLegacyConstructedSymbol") field.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.cpp:
        (JSC::BuiltinNames::BuiltinNames):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::intlLegacyConstructedSymbol const):
        * runtime/CommonIdentifiers.h:
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        (JSC::callIntlDateTimeFormat):
        * runtime/IntlDateTimeFormatInlines.h: Added.
        (JSC::IntlDateTimeFormat::unwrapForOldFunctions):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
        (JSC::IntlDateTimeFormatPrototypeFuncFormatRange):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        (JSC::callIntlNumberFormat):
        * runtime/IntlNumberFormatInlines.h:
        (JSC::IntlNumberFormat::unwrapForOldFunctions):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::createDateTimeFormatConstructor):
        (JSC::createNumberFormatConstructor):
        * runtime/IntlObjectInlines.h:
        (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
        (JSC::unwrapForLegacyIntlConstructor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::dateTimeFormatConstructor):
        (JSC::JSGlobalObject::dateTimeFormatPrototype):
        (JSC::JSGlobalObject::numberFormatConstructor):
        (JSC::JSGlobalObject::numberFormatPrototype):

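The legacy `Intl.NumberFormat()` call form that the entry above aligns with the spec, observed from script. This is an added example, not WebKit code; it assumes a runtime whose Intl implementation follows ECMA-402's ChainNumberFormat / UnwrapNumberFormat steps (the symbol-keyed fallback slot is found by type, so its description is not relied on).

```javascript
// Added example (not WebKit code): the legacy Intl.NumberFormat() call form
// as it is observable from script. Assumes an ECMA-402-conformant runtime.

// Old-style prototype-based inheritance: an object inheriting from
// Intl.NumberFormat.prototype is initialized by calling the constructor
// as a plain function with that object as `this`.
function legacyConstruct(locale) {
  const receiver = Object.create(Intl.NumberFormat.prototype);
  const returned = Intl.NumberFormat.call(receiver, locale);
  return { receiver, returned };
}

// The fallback formatter is stored on the receiver as an own, symbol-keyed
// property (the spec's Symbol("IntlLegacyConstructedSymbol")). Locate it by
// type rather than by symbol description so the lookup is robust.
function hiddenFormatterOf(obj) {
  for (const sym of Object.getOwnPropertySymbols(obj)) {
    const value = obj[sym];
    if (value instanceof Intl.NumberFormat) return value;
  }
  return null;
}

// Case 1: plain object receiver. The constructor returns the receiver
// itself, parks a real NumberFormat in the symbol slot, and the prototype
// methods (format, resolvedOptions) unwrap to that hidden instance.
function describeLegacyInstance(locale) {
  const { receiver, returned } = legacyConstruct(locale);
  const hidden = hiddenFormatterOf(receiver);
  return {
    returnedReceiver: returned === receiver,
    hasHiddenFormatter: hidden !== null,
    formatted: receiver.format(1234.5),
    resolvedLocale: receiver.resolvedOptions().locale,
  };
}

// Case 2: the receiver is already a real NumberFormat. A second, distinct
// instance is still created and stored in the symbol slot, but the prototype
// methods keep using the receiver's own state, so its locale is unchanged.
function legacyCallOnRealInstance() {
  const real = new Intl.NumberFormat('en-US');
  Intl.NumberFormat.call(real, 'de-DE');
  const hidden = hiddenFormatterOf(real);
  return {
    ownLocale: real.resolvedOptions().locale,
    hiddenLocale: hidden ? hidden.resolvedOptions().locale : null,
    hiddenIsDistinct: hidden !== null && hidden !== real,
  };
}
```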
2020-09-04  Alexey Shvayka  <shvaikalesh@gmail.com>

        Array.prototype.push should always perform [[Set]] in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=216121

        Unreviewed, address Darin's feedback on r266581.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPush): Remove unnecessary static_cast<uint64_t>.

2020-09-04  Alexey Shvayka  <shvaikalesh@gmail.com>

        Array.prototype.push should always perform [[Set]] in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=216121

        Reviewed by Darin Adler.

        This patch fixes arrayProtoFuncPush() to throw a TypeError if putting an
        index beyond UINT32_MAX has failed, aligning JSC with the spec [1], V8,
        and SpiderMonkey. It also refactors the method to leverage putByIndexInline().

        Array.prototype.push microbenchmarks, including varargs tests, are neutral.

        [1]: https://tc39.es/ecma262/#sec-array.prototype.push (step 5.b)

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPush):

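The strict-mode [[Set]] semantics that the entry above fixes, exercised from script with receivers at and beyond the UINT32_MAX boundary. This is an added example, not WebKit code; it assumes an engine that follows the cited spec steps (Set with Throw = true for each element and for "length").

```javascript
// Added example (not WebKit code): Array.prototype.push is specified to call
// Set(O, key, value, Throw = true) for each element and then for "length",
// so any failed put must surface as a TypeError, including for indices past
// UINT32_MAX on a generic (non-Array) receiver.

const UINT32_MAX = 2 ** 32 - 1;

// Returns the constructor name of the error push threw, or null on success.
function pushResult(target, ...values) {
  try {
    Array.prototype.push.call(target, ...values);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Case 1: extensible array-like whose length already exceeds UINT32_MAX.
// The put succeeds on the ordinary property "4294967296" and length becomes 2^32 + 1.
function pushBeyondUint32() {
  const target = { length: UINT32_MAX + 1 };
  return {
    error: pushResult(target, 'x'),
    storedAt: hasOwn(target, String(UINT32_MAX + 1)),
    length: target.length,
  };
}

// Case 2: the same receiver made non-extensible. The put of the new index
// fails, and the strict Set turns that failure into a TypeError instead of
// a silent no-op.
function pushBeyondUint32NonExtensible() {
  const target = Object.preventExtensions({ length: UINT32_MAX + 1 });
  return { error: pushResult(target, 'x'), length: target.length };
}

// Case 3: writable element, non-writable length. The element put succeeds,
// but the final Set(O, "length", ...) fails and throws.
function pushWithReadOnlyLength() {
  const target = {};
  Object.defineProperty(target, 'length', { value: 0, writable: false });
  return { error: pushResult(target, 'x'), element: target[0] };
}

// Case 4: a true Array at the limit. The element lands on the ordinary
// property "4294967295", but ArraySetLength rejects 2^32 with a RangeError,
// so a real Array can never grow past UINT32_MAX through push.
function pushOnArrayAtLimit() {
  const target = [];
  target.length = UINT32_MAX;
  return { error: pushResult(target, 'x'), length: target.length };
}
```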
2020-09-03  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. [GLIB] Add missing return

        There's no change in behavior because jsObjectCall() returns undefined in case of failure, but this fixes a memory leak.

        * API/glib/JSCValue.cpp:
        (jsc_value_object_invoke_methodv):

2020-09-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Cache toString / valueOf / @@toPrimitive for major cases
        https://bugs.webkit.org/show_bug.cgi?id=216061

        Reviewed by Saam Barati.

        When toPrimitive is called, we need to look up three properties at most to perform the operation. And these special properties have no caching mechanism at all.
        We found that Speedometer2/EmberJS-Debug-TodoMVC spends a great deal of time on this property look-up. We should have a caching mechanism in StructureRareData, which
        should be similar to the @@toStringTag & Object#toString caching mechanism.

        This patch generalizes the @@toStringTag & Object#toString caching mechanism as SpecialPropertyCache. And we accelerate toString / valueOf / @@toPrimitive look-ups in
        toPrimitive with this caching mechanism.

        This patch improved Speedometer2/EmberJS-Debug-TodoMVC by 10%.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/Watchpoint.cpp:
        * bytecode/Watchpoint.h:
        * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.cpp.
        (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::CachedSpecialPropertyAdaptiveStructureWatchpoint):
        (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::install):
        (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::fireInternal):
        * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.h.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectProtoToStringFunction const):
        * runtime/JSObject.cpp:
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::ordinaryToPrimitive const):
        (JSC::JSObject::toPrimitive const):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        (JSC::objectProtoFuncToString):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::cacheSpecialProperty):
        (JSC::Structure::setObjectToStringValue): Deleted.
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren):
        (JSC::StructureRareData::ensureSpecialPropertyCacheSlow):
        (JSC::StructureRareData::giveUpOnSpecialPropertyCache):
        (JSC::StructureRareData::cacheSpecialPropertySlow):
        (JSC::StructureRareData::clearCachedSpecialProperty):
        (JSC::StructureRareData::finalizeUnconditionally):
        (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint):
        (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::isValid const):
        (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::handleFire):
        (JSC::StructureRareData::setObjectToStringValue): Deleted.
        (JSC::StructureRareData::clearObjectToStringValue): Deleted.
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::ObjectToStringAdaptiveInferredPropertyValueWatchpoint): Deleted.
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid const): Deleted.
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire): Deleted.
        * runtime/StructureRareData.h:
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::cachedSpecialProperty const):
        (JSC::StructureRareData::canCacheSpecialProperty):
        (JSC::StructureRareData::ensureSpecialPropertyCache):
        (JSC::StructureRareData::cacheSpecialProperty):
        (JSC::StructureRareData::objectToStringValue const): Deleted.

2020-09-03  Saam Barati  <sbarati@apple.com>

        Sampling profiler should dump hash as part of the top function key to prevent incorrectly grouping nameless functions together
        https://bugs.webkit.org/show_bug.cgi?id=216087

        Reviewed by Tadeu Zagallo.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::reportTopFunctions):

2020-09-03  Devin Rousso  <drousso@apple.com>

        Web Inspector: allow url breakpoints to be configured
        https://bugs.webkit.org/show_bug.cgi?id=215793

        Reviewed by Brian Burg.

        * inspector/protocol/DOMDebugger.json:
        Add an `options` parameter to `DOMDebugger.setURLBreakpoint` to allow configuration.
        Add an `isRegex` parameter to `DOMDebugger.removeURLBreakpoint` so that we know what
        type of URL breakpoint is being removed.

2020-09-03  Devin Rousso  <drousso@apple.com>

        Web Inspector: allow special JavaScript breakpoints to be configured
        https://bugs.webkit.org/show_bug.cgi?id=215794

        Reviewed by Brian Burg.

        * inspector/protocol/Debugger.json:
        Add an `options` parameter to the following commands for configuring the related breakpoint:
         - `Debugger.setPauseOnDebuggerStatements`
         - `Debugger.setPauseOnExceptions`
         - `Debugger.setPauseOnAssertions`
         - `Debugger.setPauseOnMicrotasks`

        * debugger/Debugger.h:
        (JSC::Debugger::needsExceptionCallbacks const):
        (JSC::Debugger::pauseOnAllExceptionsBreakpoint const): Added.
        (JSC::Debugger::setPauseOnAllExceptionsBreakpoint): Added.
        (JSC::Debugger::pauseOnUncaughtExceptionsBreakpoint const): Added.
        (JSC::Debugger::setPauseOnUncaughtExceptionsBreakpoint): Added.
        (JSC::Debugger::setPauseOnDebuggerStatementsBreakpoint): Added.
        (JSC::Debugger::pauseOnExceptionsState const): Deleted.
        (JSC::Debugger::setPauseOnDebuggerStatements): Deleted.
        * debugger/Debugger.cpp:
        (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::TemporarilyDisableExceptionBreakpoints): Added.
        (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::~TemporarilyDisableExceptionBreakpoints): Added.
        (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::replace): Added.
        (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::restore): Added.
        (JSC::Debugger::Debugger):
        (JSC::Debugger::breakProgram):
        (JSC::Debugger::exception):
        (JSC::Debugger::didReachDebuggerStatement):
        (JSC::Debugger::setPauseOnExceptionsState): Deleted.
        Add `JSC::Breakpoint` member variables for the Debugger Statements and Exceptions
        breakpoints. Split the Exceptions breakpoint into two `JSC::Breakpoint` now that
        All Exceptions and Uncaught Exceptions can be independently configured (the All
        Exceptions breakpoint still takes precedence).

        * debugger/DebuggerCallFrame.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        If there is no `CallFrame`, climb the backtrace until the first valid `CallFrame` is reached.
        This is needed when pausing in native code, such as for assertions/exceptions.

        * debugger/Breakpoint.h:
        Export `JSC::Breakpoint::create` so that other parts of WebKit can create breakpoints.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::disable):
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        (Inspector::InspectorDebuggerAgent::setPauseOnDebuggerStatements):
        (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
        (Inspector::InspectorDebuggerAgent::setPauseOnAssertions):
        (Inspector::InspectorDebuggerAgent::setPauseOnMicrotasks):
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
        (Inspector::InspectorDebuggerAgent::willRunMicrotask):
        (Inspector::InspectorDebuggerAgent::didRunMicrotask):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        Add `JSC::Breakpoint` member variables for the Assertion Failures and All Microtasks
        breakpoints. Pass them to the `JSC::Debugger` when they are hit.

        * inspector/agents/InspectorAuditAgent.cpp:
        (Inspector::InspectorAuditAgent::run):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getPreview):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::setPauseOnExceptionsState): Deleted.
        Use `TemporarilyDisableExceptionBreakpoints` to save, override, and restore the exceptions
        breakpoints now that they've been separated into two `JSC::Breakpoint` instead of an `enum`.

2020-09-03  Keith Miller  <keith_miller@apple.com>

        Finish comment describing the various *Stack SSA nodes in DFG
        https://bugs.webkit.org/show_bug.cgi?id=216110

        Reviewed by Sam Weinig.

        * dfg/DFGNodeType.h:

2020-09-03  David Kilzer  <ddkilzer@apple.com>

        AbstractMacroAssembler::Jump class has uninitialized instance variables
        <https://webkit.org/b/216082>

        Reviewed by Michael Saboff.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Jump):
        - Switch to default constructor syntax.
        - Provide defaults for instance variables.

2020-09-03  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Add missing detached buffer errors for DataView
        https://bugs.webkit.org/show_bug.cgi?id=216062

        Reviewed by Yusuke Suzuki.

        DataView methods are often expected to throw a TypeError if the underlying ArrayBuffer is detached
        (or neutered, in older terminology) -- this patch adds a slew of missing cases from the following spec section:
          - https://tc39.es/ecma262/#sec-properties-of-the-dataview-prototype-object

        At the same time:
         - get rid of JSDataView::getOwnPropertySlot, which was turning dataViewProtoGetterByte{Length,Offset}
           into mostly unreachable code and erroneously causing byte{Length,Offset} to have property descriptors
         - perform some simple cleanup of neighboring error calls / messages
         - fix value of DataView.length (our only other DataView spec bug)

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::create):
        (JSC::JSDataView::getOwnPropertySlot): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        (JSC::dataViewProtoGetterByteLength):
        (JSC::dataViewProtoGetterByteOffset):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):

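The detached-buffer TypeErrors that the entry above adds, observed from script against a DataView whose backing ArrayBuffer is detached mid-use. This is an added example, not WebKit code; it assumes a runtime that provides `structuredClone` with a transfer list (falling back to a `MessageChannel` port transfer) as a standard way to detach a buffer.

```javascript
// Added example (not WebKit code): probe which DataView accessors and
// methods throw once the underlying ArrayBuffer is detached. A buffer is
// detached by transferring it; both mechanisms used here are standard and
// assumed to exist in the host runtime.

function detach(buffer) {
  if (typeof structuredClone === 'function') {
    structuredClone(buffer, { transfer: [buffer] });
  } else {
    const { port1 } = new MessageChannel();
    port1.postMessage(buffer, [buffer]);
    port1.close();
  }
  return buffer.byteLength === 0; // a detached buffer reports length 0
}

// Runs fn and returns the thrown error's constructor name, or null.
function errorNameOf(fn) {
  try {
    fn();
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

function probeDetachedDataView() {
  const buffer = new ArrayBuffer(8);
  const view = new DataView(buffer, 2, 4); // offset 2, length 4
  view.setUint32(0, 0xdeadbeef);

  const before = {
    byteLength: view.byteLength,
    byteOffset: view.byteOffset,
    value: view.getUint32(0),
  };

  const detached = detach(buffer);

  // Per the cited spec section, byteLength and byteOffset getters and every
  // get*/set* method must throw a TypeError on a detached buffer; only the
  // `buffer` getter keeps working.
  const after = {
    byteLength: errorNameOf(() => view.byteLength),
    byteOffset: errorNameOf(() => view.byteOffset),
    get: errorNameOf(() => view.getUint32(0)),
    set: errorNameOf(() => view.setUint8(0, 1)),
    buffer: errorNameOf(() => view.buffer),
  };

  return { before, detached, after };
}

// DataView.length reflects the single required constructor argument (the buffer).
function dataViewLength() {
  return DataView.length;
}
```

A consumer that keeps a DataView across a boundary where its buffer may be transferred should treat these TypeErrors as the signal that the view is stale, rather than reading length or offset first.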
2020-09-02  Michael Saboff  <msaboff@apple.com>

        ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType ./bytecode/ObjectPropertyConditionSet.cpp
        https://bugs.webkit.org/show_bug.cgi?id=216103

        Reviewed by Saam Barati.

        Changed the ASSERT to an if statement. This checks to see if the (likely newly changed)
        property is still a custom getter setter before caching its access as such.

        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        * tools/JSDollarVM.cpp: Added test helper function.

2020-09-01  Yusuke Suzuki  <ysuzuki@apple.com>

        Skip fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html if Gigacage is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=216043
        <rdar://problem/66394369>

        Reviewed by Mark Lam.

        * tools/JSDollarVM.cpp:
        (JSC::functionIsGigacageEnabled):
        (JSC::JSDollarVM::finishCreation):

2020-08-31  Mark Lam  <mark.lam@apple.com>

        Remove some PtrTag debugging code from release builds.
        https://bugs.webkit.org/show_bug.cgi?id=216025
        <rdar://problem/68098263>

        Reviewed by Saam Barati.

        Removed PtrTag name lookup debugging utility from release builds.

        * runtime/JSCPtrTag.cpp:
        * runtime/JSCPtrTag.h:

2020-09-01  Carlos Garcia Campos  <cgarcia@igalia.com>

        [Linux] Web Inspector: show per thread cpu usage
        https://bugs.webkit.org/show_bug.cgi?id=215883

        Reviewed by Adrian Perez de Castro.

        Remove platform specific getter machThread() and add thread() to return the Thread instead. The caller knows how
        to get the machThread or id from a Thread.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::reportTopBytecodes):
        (JSC::SamplingProfiler::machThread): Deleted.
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::thread):

2020-08-31  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] StructureStubInfo / CallLinkInfo / ByValInfo should set CodeOrigin or BytecodeIndex at construction
        https://bugs.webkit.org/show_bug.cgi?id=215987
        <rdar://problem/66370323>

        Reviewed by Mark Lam.

        We had a race condition between construction of StructureStubInfo and setting of its CodeOrigin field.

            1. The thread creates StructureStubInfo by calling CodeBlock::addStubInfo. This is guarded by the lock. But at this point we are not setting StructureStubInfo::codeOrigin.
            2. Then (1)'s thread attempts to set StructureStubInfo::codeOrigin. But at this point, it is not guarded by the lock.
            3. Before (2) is executed, DFG ByteCodeParser calls CodeBlock::getICStatusMap. It creates HashMap<CodeOrigin, StructureStubInfo*>.
            4. Since StructureStubInfo*'s codeOrigin is not configured yet, (3) sees an invalid CodeOrigin. And storing an invalid CodeOrigin as a HashMap key is not correct.

        We should configure CodeOrigin at construction of StructureStubInfo, which is guarded by the lock. We have the same problem for CallLinkInfo and ByValInfo. This patch fixes them.
        To reproduce this, we need to execute a script repeatedly for ~2 days. So it is difficult to add a test.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        (JSC::ByValInfo::setUp):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::CallLinkInfo):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setUpCall):
        (JSC::CallLinkInfo::setCodeOrigin): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addStubInfo):
        (JSC::CodeBlock::addByValInfo):
        (JSC::CodeBlock::addCallLinkInfo):
        * bytecode/CodeBlock.h:
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::StructureStubInfo):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::garbageStubInfo):
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2020-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] @defaultPromiseThen fast path should check species constructor
        https://bugs.webkit.org/show_bug.cgi?id=215996

        Reviewed by Ross Kirsling.

        When executing the @defaultPromiseThen fast path, we assumed that this execution is not observable.
        This is wrong only for the species constructor part: the @@species access and derived constructor calls
        can be observable. In this patch,

            1. We extract part of Promise#then as @performPromiseThen, which corresponds to the spec's PerformPromiseThen.
            2. In the promise fast path, we check that @speciesConstructor is @Promise or @InternalPromise. If it is not, then we go to the slow path.

        This fixes Promise#finally failures in test262.

        * builtins/PromiseOperations.js:
        (globalPrivate.promiseResolveThenableJobFast):
        (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
        (globalPrivate.promiseResolveThenableJobWithDerivedPromise):
        (onFulfilled):
        (onRejected):
        (globalPrivate.performPromiseThen):
        * builtins/PromisePrototype.js:
        (then):
        (onFulfilled): Deleted.
        (onRejected): Deleted.

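The observable species lookups that the entry above restores, counted from script with a Promise subclass whose `constructor` and `Symbol.species` accessors record every read. This is an added example, not WebKit code; it assumes a runtime that implements Promise.prototype.then's SpeciesConstructor step as specified.

```javascript
// Added example (not WebKit code): Promise.prototype.then performs
// SpeciesConstructor(promise, %Promise%) synchronously, reading
// `constructor` once and then Symbol.species once, before constructing the
// derived promise. A subclass instance therefore makes both reads visible.

function observeThen({ speciesReturnsBase = false } = {}) {
  const counts = { constructor: 0, species: 0, subclassConstructs: 0 };

  class ObservedPromise extends Promise {
    constructor(executor) {
      super(executor);
      counts.subclassConstructs += 1;
    }
    static get [Symbol.species]() {
      counts.species += 1;
      // Returning %Promise% opts the derived promise out of the subclass.
      return speciesReturnsBase ? Promise : ObservedPromise;
    }
  }

  // Replace the prototype's `constructor` with an accessor so the first
  // step of SpeciesConstructor, Get(O, "constructor"), is visible as well.
  Object.defineProperty(ObservedPromise.prototype, 'constructor', {
    get() {
      counts.constructor += 1;
      return ObservedPromise;
    },
    configurable: true,
  });

  const p = new ObservedPromise((resolve) => resolve(1)); // 1st subclass construct
  const derived = p.then((x) => x + 1);                   // 2nd, unless species opted out

  return {
    counts: { ...counts },
    derivedIsSubclass: derived instanceof ObservedPromise,
    derivedIsPromise: derived instanceof Promise,
    derived,
  };
}
```

Because both reads happen before any microtask runs, user-defined accessors on a promise subclass execute synchronously inside `then`; a fast path that skips them changes behaviour that script can detect.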
2020-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use -2 for grouping options in IntlRelativeTimeFormat
        https://bugs.webkit.org/show_bug.cgi?id=215984

        Reviewed by Ross Kirsling.

        Several test262 tests are failing after ICU 67. This is because Intl.RelativeTimeFormat is not using the locale-sensitive grouping option.
        There is a hidden option -2 for UNumberFormat. It has been supported for a long time, but it is not explicitly documented. After ICU 68, it is exposed as a constant.
        We should pass -2 to UNumberFormat's grouping options to use the locale-sensitive grouping option here.

        * runtime/IntlRelativeTimeFormat.cpp:
        (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):

2020-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] async function cannot appear in single-statement context
        https://bugs.webkit.org/show_bug.cgi?id=215993

        Reviewed by Darin Adler.

        The following code is a syntax error [1] because ExpressionStatement has an `async [no LineTerminator here] function` lookahead restriction.

            if (false)
                async function t() { }

        [1]: https://tc39.es/ecma262/#sec-expression-statement

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement): Deleted.
        * parser/Parser.h:

2020-08-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] `let [` sequence cannot appear in ExpressionStatement context
        https://bugs.webkit.org/show_bug.cgi?id=215977

        Reviewed by Ross Kirsling.

        Because of the ambiguity between destructuring assignment and member access (let IDENTIFIER), ECMA262 does not allow the `let [` sequence in ExpressionStatement context [1].
        We should throw a SyntaxError when we see something like this.

            if (false)
                let [ok] = [42];

        [1]: https://tc39.es/ecma262/#sec-expression-statement

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):

2020-08-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] for-of uses AssignmentExpression while for-in uses Expression
        https://bugs.webkit.org/show_bug.cgi?id=215975

        Reviewed by Ross Kirsling.

        While for-in uses Expression, for-of and for-await-of use AssignmentExpression, which does not accept a comma expression.
        We should align our implementation to that.

            for (LeftHandSideExpression in Expression) Statement
            for (LeftHandSideExpression of AssignmentExpression) Statement
            for await(LeftHandSideExpression of AssignmentExpression) Statement

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):

2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] for-of / for-in left-hand-side target should be simple-assignment-target
        https://bugs.webkit.org/show_bug.cgi?id=215969

        Reviewed by Ross Kirsling.

        The left-hand side of `for-in`, `for-of`, and `for-await-of` should be a simple assignment target [1]
        if the target is not a declaration and not a destructuring pattern.

        [1]: https://tc39.es/ecma262/#sec-for-in-and-for-of-statements-static-semantics-early-errors

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createCommaExpr): Should return CommaExpr to align it to ASTBuilder.
        (JSC::SyntaxChecker::appendToCommaExpr):
        (JSC::SyntaxChecker::appendStatement):
        (JSC::SyntaxChecker::combineCommaNodes): Deleted since it is not used.

2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Implement Intl.DateTimeFormat dayPeriod
        https://bugs.webkit.org/show_bug.cgi?id=215839

        Reviewed by Ross Kirsling.

        This patch implements the Intl.DateTimeFormat dayPeriod option [1]. We can use "narrow", "short", or "long" for dayPeriod,
        and it determines how "AM" etc. is represented.

        [1]: https://github.com/tc39/ecma402/pull/346

        * builtins/DatePrototype.js:
        (toLocaleString.toDateTimeOptionsAnyAll):
        (toLocaleString):
        (toLocaleTimeString.toDateTimeOptionsTimeTime):
        (toLocaleTimeString):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * runtime/CommonIdentifiers.h:
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::toDateTimeOptionsAnyDate):
        (JSC::IntlDateTimeFormat::setFormatsFromPattern):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::dayPeriodString):
        (JSC::IntlDateTimeFormat::resolvedOptions const):
        * runtime/IntlDateTimeFormat.h:
        * runtime/OptionsList.h:

2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] super property with new should be accepted
        https://bugs.webkit.org/show_bug.cgi?id=215966

        Reviewed by Ross Kirsling.

        While we should reject `new super` / `new super()`, we should accept `new super.property`.
        https://tc39.es/ecma262/#prod-SuperProperty is a child production of https://tc39.es/ecma262/#prod-MemberExpression,
        unlike https://tc39.es/ecma262/#prod-SuperCall. So `new` should accept SuperProperty (e.g. `super.xxx`).

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

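The early-error rules from the parser entries above (async function in single-statement context, `let [` in ExpressionStatement context, for-of taking AssignmentExpression, the simple-assignment-target rule for loop heads, and `new super.property`), probed together through the host engine's own parser. This is an added example, not WebKit code; it assumes a spec-conformant engine and uses `new Function`, which parses a body without running it, so only syntax is observed.

```javascript
// Added example (not WebKit code): hand each source text to the engine's
// parser via `new Function`. A result of "SyntaxError" reflects parsing
// alone (the body is never executed); null means the source parsed.

function parseOutcome(source) {
  try {
    new Function(source);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

// Each entry: [label, source, expected outcome]. The comments name the
// grammar rule each pair exercises; every source is constructed for this example.
const PARSER_CASES = [
  // `async [no LineTerminator here] function` is excluded from
  // ExpressionStatement, so an async declaration cannot be an `if` body.
  ['async-fn-single-statement', 'if (false) async function t() { }', 'SyntaxError'],
  ['async-fn-in-block', 'if (false) { async function t() { } }', null],
  // `let [` is excluded from ExpressionStatement (ambiguous with `let[...]`
  // member access), so it needs a block as well.
  ['let-bracket-single-statement', 'if (false) let [ok] = [42];', 'SyntaxError'],
  ['let-bracket-in-block', 'if (false) { let [ok] = [42]; }', null],
  // for-in takes Expression (comma allowed); for-of takes AssignmentExpression.
  ['for-in-comma', 'for (var k in {}, {}) { }', null],
  ['for-of-comma', 'for (var k of [], []) { }', 'SyntaxError'],
  // The loop target must be a simple assignment target unless it is a
  // declaration or a destructuring pattern.
  ['for-of-member-target', 'var o = {}; for (o.k of []) { }', null],
  ['for-of-pattern-target', 'var a, b; for ([a, b] of [[1, 2]]) { }', null],
  ['for-of-expression-target', 'var a, b; for (a + b of []) { }', 'SyntaxError'],
  // SuperProperty is a MemberExpression, so `new super.x()` parses;
  // SuperCall is not, so `new super()` does not.
  ['new-super-property', 'class B {} class A extends B { m() { return new super.x(); } }', null],
  ['new-super-call', 'class B {} class A extends B { constructor() { new super(); } }', 'SyntaxError'],
];

function runParserCases() {
  return PARSER_CASES.map(([label, source, expected]) => {
    const actual = parseOutcome(source);
    return { label, expected, actual, ok: actual === expected };
  });
}

// True when the host parser agrees with every expectation above.
function allParserCasesAgree() {
  return runParserCases().every((r) => r.ok);
}
```

Running the table against an engine before and after a parser change is a cheap conformance check for exactly these rules; `runParserCases()` lists any disagreements by label.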
1850 2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>
1851
1852         [JSC] `new import.meta()` is acceptable
1853         https://bugs.webkit.org/show_bug.cgi?id=215915
1854
1855         Reviewed by Ross Kirsling.
1856
1857         `new import.meta()` is valid in terms of syntax while it throws runtime error.
1858         We should accept this code, while `new import()` is not correct syntax.
1859
1860         * parser/Parser.cpp:
1861         (JSC::Parser<LexerType>::parseMemberExpression):
1862
1863 2020-08-27  Alexey Shvayka  <shvaikalesh@gmail.com>
1864
1865         __proto__ in object literal should perform [[SetPrototypeOf]] directly
1866         https://bugs.webkit.org/show_bug.cgi?id=215769
1867
1868         Reviewed by Ross Kirsling.
1869
1870         To fix __proto__ usage in object literals if Object.prototype.__proto__ is overridden
1871         or removed, this patch sets the [[Prototype]] directly, aligning JSC with V8 and
1872         SpiderMonkey. We are safe to skip method table lookups and cycle checks, as the
1873         spec [1] calls [[SetPrototypeOf]] on newly created (unreferenced) ordinary objects.
1874
1875         This change removes PropertyNode::PutType because its only purpose was to accommodate
1876         __proto__ in object literals. Since emitPutConstantProperty() handles static public
1877         class fields, which don't need `super` binding, PropertyNode::isUnderscoreProtoSetter()
1878         is extended to reject class properties.
1879
1880         This patch speeds up creating object literals with __proto__ by 25%.
1881
1882         [1]: https://tc39.es/ecma262/#sec-__proto__-property-names-in-object-initializers (step 7.a)
1883
1884         * bytecompiler/BytecodeGenerator.cpp:
1885         (JSC::BytecodeGenerator::emitDirectPutById):
1886         (JSC::BytecodeGenerator::emitDirectSetPrototypeOf):
1887         1. Remove unused `dst` parameter to align with other `put` methods.
1888         2. Remove `divot*` parameters as it's cumbersome to pass them through,
1889            and globalFuncSetPrototypeDirect() never throws anyway.
1890
1891         * bytecompiler/BytecodeGenerator.h:
1892         * bytecompiler/NodesCodegen.cpp:
1893         (JSC::PropertyListNode::emitPutConstantProperty):
1894         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
1895         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1896         (JSC::ClassExprNode::emitBytecode):
1897         * parser/ASTBuilder.h:
1898         (JSC::ASTBuilder::createGetterOrSetterProperty):
1899         (JSC::ASTBuilder::createProperty):
1900         (JSC::ASTBuilder::isUnderscoreProtoSetter const):
1901         * parser/NodeConstructors.h:
1902         (JSC::PropertyNode::PropertyNode):
1903         * parser/Nodes.h:
1904         * parser/Parser.cpp:
1905         (JSC::Parser<LexerType>::parseClass):
1906         (JSC::Parser<LexerType>::parseProperty):
1907         * parser/SyntaxChecker.h:
1908         (JSC::SyntaxChecker::createProperty):
1909         * runtime/JSGlobalObjectFunctions.cpp:
1910         (JSC::globalFuncSetPrototypeDirect):
1911         1. Ignore a prototype value of incorrect type as per spec [1],
1912            which is unobservable for call sites in ClassExprNode::emitBytecode().
1913         2. Assert that JSObject::setPrototypeDirect() doesn't throw.
1914
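What "sets the [[Prototype]] directly" means in observable terms is that the object literal form does not go through the inherited `Object.prototype.__proto__` accessor at all, while every other spelling of the key produces an ordinary own property. The following is an added example, not code from the patch; it removes the accessor for the duration of the check so that the result cannot be coming from it, and restores it afterwards.

```javascript
// Added example, not JSC code: observe what `__proto__` does in each position that
// source text can put it, with Object.prototype.__proto__ temporarily removed so the
// result cannot come from the inherited accessor.
function describeProtoHandling() {
  const proto = { fromProto: true };
  const accessor = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  delete Object.prototype.__proto__; // the accessor is configurable, so this succeeds
  try {
    const literal = { __proto__: proto };       // [[SetPrototypeOf]] directly
    const nullProto = { __proto__: null };      // null is a valid prototype
    const ignored = { __proto__: 42 };          // non-object, non-null: ignored per spec
    const computed = { ['__proto__']: proto };  // computed key: ordinary own property
    const parsed = JSON.parse('{"__proto__": {"polluted": true}}'); // JSON: own property
    return {
      literalPrototype: Object.getPrototypeOf(literal) === proto,
      literalHasOwnKey: Object.prototype.hasOwnProperty.call(literal, '__proto__'),
      nullPrototype: Object.getPrototypeOf(nullProto) === null,
      invalidValueIgnored: Object.getPrototypeOf(ignored) === Object.prototype,
      computedIsOwnKey: Object.prototype.hasOwnProperty.call(computed, '__proto__'),
      computedPrototype: Object.getPrototypeOf(computed) === Object.prototype,
      parsedIsOwnKey: Object.prototype.hasOwnProperty.call(parsed, '__proto__'),
      // Parsing JSON with a "__proto__" key must not reach Object.prototype.
      globalPolluted: ({}).polluted !== undefined,
    };
  } finally {
    Object.defineProperty(Object.prototype, '__proto__', accessor);
  }
}

console.log(describeProtoHandling());
```

The `literalPrototype`/`literalHasOwnKey` pair is the behaviour this patch fixes when the accessor is overridden or deleted; the `computed`, `parsed` and `globalPolluted` fields are the checks worth keeping in a test suite, since they pin down that no other spelling of the key touches the prototype chain.
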
1915 2020-08-27  Yusuke Suzuki  <ysuzuki@apple.com>
1916
1917         [JSC] setLength in Array#push could get very large length
1918         https://bugs.webkit.org/show_bug.cgi?id=215897
1919         <rdar://problem/67859149>
1920
1921         Reviewed by Keith Miller.
1922
1923         Array#push can get a length larger than UINT32_MAX. And in this case, we should throw a RangeError.
1924         Before r266215, it was using putLength which throws an error. But it was replaced with setLength,
1925         and JSC::setLength assumes that it never gets a length greater than UINT32_MAX by asserting. We
1926         should fix it so that Array#push throws an error correctly.
1927
1928         * runtime/ArrayPrototype.cpp:
1929         (JSC::setLength):
1930
1931 2020-08-27  Saam Barati  <sbarati@apple.com>
1932
1933         GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
1934         https://bugs.webkit.org/show_bug.cgi?id=215894
1935         <rdar://problem/67669696>
1936
1937         Reviewed by Michael Saboff and Keith Miller.
1938
1939         GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no
1940         BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined().
1941         The constant folding for this though was folding to jsUndefined(). I forgot
1942         to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain
1943         implementation.
1944
1945         * dfg/DFGAbstractInterpreterInlines.h:
1946         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1947
1948 2020-08-27  Keith Miller  <keith_miller@apple.com>
1949
1950         structureOrNull should take VM instead of getting it from the marked block
1951         https://bugs.webkit.org/show_bug.cgi?id=215899
1952
1953         Reviewed by Yusuke Suzuki.
1954
1955         It's slightly faster to use an existing VM over recomputing the address. It probably doesn't
1956         happen to matter here for performance but it's good hygiene.
1957
1958         * API/tests/JSWrapperMapTests.mm:
1959         (+[JSWrapperMapTests testStructureIdentity]):
1960         * jit/JITOperations.cpp:
1961         * runtime/JSCJSValue.h:
1962         * runtime/JSCJSValueInlines.h:
1963         (JSC::JSValue::structureOrNull const):
1964         (JSC::JSValue::structureOrUndefined const): Deleted.
1965
1966 2020-08-27  Yusuke Suzuki  <ysuzuki@apple.com>
1967
1968         [JSC] Use auxiliary memory for JSBigInt storage
1969         https://bugs.webkit.org/show_bug.cgi?id=215876
1970
1971         Reviewed by Mark Lam.
1972
1973         This makes JSBigInt a non-destructible cell. And it makes allocating JSBigInt from JIT easy.
1974
1975         * runtime/JSBigInt.cpp:
1976         (JSC::JSBigInt::JSBigInt):
1977         (JSC::JSBigInt::visitChildren):
1978         (JSC::JSBigInt::createWithLength):
1979         (JSC::JSBigInt::destroy): Deleted.
1980         * runtime/JSBigInt.h:
1981         * runtime/VM.cpp:
1982         (JSC::VM::VM):
1983
1984 2020-08-27  Keith Miller  <keith_miller@apple.com>
1985
1986         OSR availability validation should run for any node with exitOK
1987         https://bugs.webkit.org/show_bug.cgi?id=215672
1988
1989         Reviewed by Saam Barati.
1990
1991         Currently we only validate OSR exit availability if a node would
1992         say `mayExit(graph, node) != DoesNotExit` and the node is marked
1993         as exitOK. However, it would be perfectly valid to insert a node
1994         that exits anywhere we have a node marked exitOK. So with this
1995         patch we now validate all places where it would ever be possible
1996         to OSR exit.
1997
1998         Relaxing our criteria revealed a number of bugs, however, which I
1999         will describe below in, IMO, increasing complexity/subtlety.
2000
2001         First, we currently don't mark arity fixup during inlining as not
2002         exitOK. However, since our arity code says its code origin is
2003         OpEnter, we assume arity fixup has already happened.
2004
2005         Second, OpGetScope, should not mark its first argument as used
2006         since it's not actually used. This is problematic because we could
2007         have a loop where OpGetScope is the first bytecode, namely when
2008         doing tail recursive inlining. If we were in that position, there
2009         could be a local that was used at a merge point at the loop
2010         backedge that had two MovHint defs from both predecessors. In DFG
2011         IR this would look like:
2012
2013         BB#1:
2014         @1: MovHint(Undefined, loc1)
2015         ...
2016         Jump(#2)
2017
2018         BB#2:
2019         ... // loc1 is live here in bytecode
2020         @2: MovHint(@scopeObject, loc1)
2021         @3: SetLocal(@scopeObject, loc1)
2022         Branch(#3, #4) // #4 is the successor of the tail call loop
2023
2024         BB#3:
2025         @4 MovHint(Undefined, loc1)
2026         ...
2027         Jump(#2)
2028
2029         When we do CPS conversion the MovHints at @1 and @4 will be seen
2030         as different variables (there's no GetLocal). Then, after, during
2031         SSA conversion we won't insert a phi connecting them, making the
2032         argument to OpGetScope, in this case loc1, unrecoverable since there are
2033         conflicting nodes and the value isn't saved on the stack.
2034
2035         There were also issues with MovHintRemoval Phase but rather than
2036         fix them we opted to just remove the phase as it didn't show any
2037         performance impact. I'll describe the issues I found below for
2038         completeness, however.
2039
2040         Third, MovHint removal phase had a bug where it would not mark
2041         sections where a zombied MovHint has yet to be killed as not
2042         exitOK. So in theory another phase could come along and insert an
2043         exiting node there.
2044
2045         Fourth, MovHint removal phase had a second bug where a MovHint
2046         that was not killed in the current block would be zombied, which
2047         is wrong for SSA. It's wrong because the MovHinted value could
2048         still be live for OSR exit in a successor block.
2049
2050         Lastly, this patch adds some new verbose options as well as the ability to
2051         dump a DFG::BasicBlock without dereferencing it.
2052
2053         * bytecode/BytecodeUseDef.cpp:
2054         (JSC::computeUsesForBytecodeIndexImpl):
2055         * dfg/DFGBasicBlock.cpp:
2056         (WTF::printInternal):
2057         * dfg/DFGBasicBlock.h:
2058         * dfg/DFGByteCodeParser.cpp:
2059         (JSC::DFG::ByteCodeParser::inlineCall):
2060         * dfg/DFGCPSRethreadingPhase.cpp:
2061         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
2062         * dfg/DFGEpoch.h:
2063         (JSC::DFG::Epoch::operator bool const):
2064         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2065         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2066         * dfg/DFGSSACalculator.cpp:
2067         (JSC::DFG::SSACalculator::dump const):
2068
2069 2020-08-27  Keith Miller  <keith_miller@apple.com>
2070
2071         JSClassRef should work with JS class syntax.
2072         https://bugs.webkit.org/show_bug.cgi?id=215047
2073
2074         Reviewed by Darin Adler.
2075
2076         This is done by checking if the value returned by the
2077         callAsConstructor parameter to JSObjectMakeConstructor is an
2078         object allocated as the jsClass parameter. When that happens we
2079         replace the prototype of the returned object with the prototype of
2080         the new.target. Ideally we would have passed the derived class's
2081         constructor from the beginning of our support for JS subclassing
2082         but at this point that's probably not compatible with too many
2083         applications.
2084
2085         * API/APICallbackFunction.h:
2086         (JSC::APICallbackFunction::construct):
2087         * API/JSObjectRef.h:
2088         * API/tests/testapi.cpp:
2089         (APIString::APIString):
2090         (TestAPI::markedJSValueArrayAndGC):
2091         (TestAPI::classDefinitionWithJSSubclass):
2092         (testCAPIViaCpp):
2093         * API/tests/testapi.mm:
2094         (testObjectiveCAPI):
2095
2096 2020-08-26  Alexey Shvayka  <shvaikalesh@gmail.com>
2097
2098         Use jsTypeofIsObject() in DFG AI and operationTypeOfIsObject()
2099         https://bugs.webkit.org/show_bug.cgi?id=144457
2100
2101         Reviewed by Saam Barati.
2102
2103         This patch refactors jsTypeofIsObject(), leveraging the fast path of isCallable(),
2104         moves it to the header, and utilizes it in operationTypeOfIsObject() & DFG AI
2105         (minding concurrency) to eliminate code duplication.
2106
2107         Also, removes the orphaned slow_path_is_object declaration.
2108
2109         No behavior change, `typeof` microbenchmarks are neutral.
2110
2111         * dfg/DFGAbstractInterpreterInlines.h:
2112         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2113         * dfg/DFGOperations.cpp:
2114         * runtime/CommonSlowPaths.h:
2115         * runtime/Operations.cpp:
2116         (JSC::jsTypeofIsObject): Deleted.
2117         * runtime/Operations.h:
2118         (JSC::jsTypeofIsObjectWithConcurrency):
2119         (JSC::jsTypeofIsObject):
2120
2121 2020-08-26  Alexey Shvayka  <shvaikalesh@gmail.com>
2122
2123         Merge putLength() into setLength()
2124         https://bugs.webkit.org/show_bug.cgi?id=211279
2125
2126         Reviewed by Darin Adler and Saam Barati.
2127
2128         This patch:
2129
2130         1. Replaces all putLength() call sites with setLength(), saving two JSValue
2131            instantiations in arrayProtoFuncPop() and two in arrayProtoFuncShift().
2132
2133         2. Merges putLength() into setLength(), removing the superfluous put() call for
2134            JSArray. Also, performs put() in strict mode to preserve the original
2135            error messages, like ones in ProxyObject::performPut().
2136
2137         3. Inlines performPop(), which avoided an extra index check and Identifier
2138            creation, as it was on the slow path anyway (note JSArray::pop() call).
2139
2140         This change advances provided setLength()-heavy microbenchmark by ~40%,
2141         while existing Array tests are neutral.
2142
2143         * runtime/ArrayPrototype.cpp:
2144         (JSC::setLength):
2145         (JSC::arrayProtoFuncPop):
2146         (JSC::arrayProtoFuncPush):
2147         (JSC::arrayProtoFuncShift):
2148         (JSC::arrayProtoFuncUnShift):
2149         (JSC::putLength): Deleted.
2150
2151 2020-08-26  Saam Barati  <sbarati@apple.com>
2152
2153         Make isIndex use MAX_ARRAY_INDEX
2154         https://bugs.webkit.org/show_bug.cgi?id=215872
2155
2156         Reviewed by Darin Adler.
2157
2158         It's already written in such a way that it relies on what MAX_ARRAY_INDEX
2159         is defined as. But instead of MAX_ARRAY_INDEX, the function was hardcoding
2160         MAX_ARRAY_INDEX + 1.
2161
2162         * runtime/Identifier.h:
2163         (JSC::isIndex):
2164
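Three entries above share one boundary: the 2020-08-27 entry "setLength in Array#push could get very large length" (a true Array's length may not exceed UINT32_MAX), the 2020-08-26 entry "Merge putLength() into setLength()" (the length put now happens in strict mode, so failures throw), and the isIndex entry directly above (MAX_ARRAY_INDEX is 2^32 - 2, the largest key that still counts as an index). The following is an added example, not JSC code, that observes all three from JavaScript on the host engine; the constant names are the page's, the functions are assumptions of this example.

```javascript
// Added example, not JSC code: the 32-bit boundaries that the setLength/isIndex
// entries above are about, observed from JavaScript on the host engine.
const MAX_ARRAY_INDEX = 2 ** 32 - 2;   // largest property key that is an array index
const MAX_ARRAY_LENGTH = 2 ** 32 - 1;  // largest value a true Array's length may hold

// Calls Array.prototype.push generically and reports the outcome instead of throwing.
function tryPush(target, value) {
  try {
    return { ok: true, length: Array.prototype.push.call(target, value) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// A true Array: length is capped at 2^32 - 1, so the push must fail with a RangeError
// rather than wrap the length around (the assertion the entry above replaced).
function pushPastMaxLengthOnArray() {
  const a = [];
  a.length = MAX_ARRAY_LENGTH; // no elements are allocated; the array becomes sparse
  return tryPush(a, 'x');
}

// An array-like object has no such cap: push follows the generic algorithm and simply
// writes length = 2^32, which is why setLength cannot assume a 32-bit length.
function pushPastMaxLengthOnArrayLike() {
  const o = { length: MAX_ARRAY_LENGTH };
  return tryPush(o, 'x');
}

// 2^32 - 2 is the last key treated as an index (it grows length); 2^32 - 1 is an
// ordinary property name and leaves length untouched.
function indexBoundary() {
  const a = [];
  a[MAX_ARRAY_INDEX] = 'last';
  const b = [];
  b[MAX_ARRAY_INDEX + 1] = 'named';
  return {
    lengthAfterMaxIndex: a.length,
    lengthAfterNamedKey: b.length,
    namedKeyIsOwnProperty: Object.prototype.hasOwnProperty.call(b, '4294967295'),
  };
}

// On a frozen empty array, pop has nothing to delete and goes straight to the length
// put; because that put is strict, the non-writable length surfaces as a TypeError.
function popFrozenArrayError() {
  try {
    Object.freeze([]).pop();
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

console.log(pushPastMaxLengthOnArray(), pushPastMaxLengthOnArrayLike());
console.log(indexBoundary(), popFrozenArrayError());
```

The array-like case is the one worth remembering when reviewing engine code: the generic algorithm is allowed to produce lengths up to 2^53 - 1, so any internal helper that stores a length in 32 bits has to be reached only by true Arrays, or has to range-check before truncating.
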
2165 2020-08-26  Alexey Shvayka  <shvaikalesh@gmail.com>
2166
2167         Use unsigned type for `length` of JSFunction
2168         https://bugs.webkit.org/show_bug.cgi?id=215870
2169
2170         Reviewed by Darin Adler.
2171
2172         Since the `length` value of a built-in function is its arity,
2173         we can communicate it's always non-negative via method signatures.
2174
2175         No behavior change: `length` values redefined by user code are unaffected.
2176
2177         * runtime/InternalFunction.cpp:
2178         (JSC::InternalFunction::createFunctionThatMasqueradesAsUndefined):
2179         * runtime/InternalFunction.h:
2180         * runtime/JSFunction.cpp:
2181         (JSC::JSFunction::create):
2182         (JSC::JSFunction::finishCreation):
2183         * runtime/JSFunction.h:
2184         * runtime/JSNativeStdFunction.cpp:
2185         (JSC::JSNativeStdFunction::finishCreation):
2186         (JSC::JSNativeStdFunction::create):
2187         * runtime/JSNativeStdFunction.h:
2188
2189 2020-08-26  Yusuke Suzuki  <ysuzuki@apple.com>
2190
2191         [JSC] Enable Intl.Segmenter
2192         https://bugs.webkit.org/show_bug.cgi?id=215854
2193
2194         Reviewed by Ross Kirsling.
2195
2196         This is already stage-3 and all the features are implemented. Let's just enable it.
2197
2198         * runtime/IntlObject.cpp:
2199         (JSC::IntlObject::finishCreation):
2200         * runtime/OptionsList.h:
2201
2202 2020-08-26  Yusuke Suzuki  <ysuzuki@apple.com>
2203
2204         [JSC] Add ASCII comparison fast path for IntlCollator
2205         https://bugs.webkit.org/show_bug.cgi?id=215798
2206
2207         Reviewed by Darin Adler, Ross Kirsling, and Saam Barati.
2208
2209         The idea behind this change is the following: ICU Collator's comparison is too slow. We should have a fast path for ASCII strings when we know it equals ICU Collator's result.
2210         The problem is that even for ASCII strings, collation is super complicated!
2211
2212             1. Unicode defines the Unicode Collation Algorithm (UCA). To perform collation, it uses collation element tables which define weights on various levels per code point. UCA also offers
2213                the Default Unicode Collation Element Table (DUCET). This UCA with DUCET is used when using the ICU Root Collator.
2214             2. UCA collation consists of rules, which define how collation works. And ICU locales define customized collations by adding special rules to that.
2215             3. UCA behaves differently by using different options.
2216
2217         Based on that, our observation is that some major locales do not define additional rules in (2). This means that they behave the same as UCA with DUCET.
2218         This patch implements a simplified version of comparison which generates the same results as UCA with DUCET for ASCII strings (excluding control characters). This fast path is usable only when the following conditions are met.
2219
2220             1. The collator does not have additional rules to the ICU Root Collator.
2221             2. The collator is using default options.
2222
2223         These checks are very important since there are a lot of edge-case locales. For example,
2224
2225             1. th (Thai language) ignores punctuation (even including ASCII punctuation) by default. This is defined as the ignore-punctuations option being enabled by default, so without (2)'s check, th comparison becomes wrong.
2226             2. There is a contraction concept (multiple letters behave as a single letter). The "ch" letters are ordered interestingly in the Czech language. So even in ASCII, Czech shows very interesting collation behavior.
2227
2228         So we cannot safely take this fast path without carefully querying the information from ICU.
2229
2230         This shows a 37% improvement in JetStream2/cdjs in an en-US environment.
2231
2232         * runtime/IntlCollator.cpp:
2233         (JSC::IntlCollator::initializeCollator):
2234         (JSC::IntlCollator::compareStrings const):
2235         (JSC::canDoASCIIUCADUCETComparisonWithUCollator):
2236         (JSC::IntlCollator::updateCanDoASCIIUCADUCETComparison const):
2237         (JSC::IntlCollator::checkICULocaleInvariants):
2238         * runtime/IntlCollator.h:
2239         * runtime/IntlObject.cpp:
2240         (JSC::intlCollatorAvailableLocales):
2241         * runtime/IntlObject.h:
2242         * runtime/IntlObjectInlines.h:
2243         (JSC::canUseASCIIUCADUCETComparison):
2244         (JSC::compareASCIIWithUCADUCET):
2245
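The two conditions in this entry (no extra rules beyond the root collator, default options) are what make a fast path safe, and the way to gain confidence in one is to run it differentially against the reference collator. The block below is an added example, not JSC's fast path or its `canDoASCIIUCADUCETComparisonWithUCollator` check: it uses the public `Intl.Collator` API from JavaScript, takes the naive code-unit comparison as the candidate (deliberately wrong, to show what the check catches), and the sample pairs are constructed for this example.

```javascript
// Added example, not JSC code: a candidate ASCII fast path may only be considered when
// the collator runs with default options, and must agree with the reference collator on
// a corpus before it is trusted.
function hasDefaultCollatorOptions(collator) {
  const o = collator.resolvedOptions();
  return o.usage === 'sort' && o.sensitivity === 'variant' && o.ignorePunctuation === false
    && o.numeric === false && o.caseFirst === 'false' && o.collation === 'default';
}

// The naive "fast path" people reach for: UTF-16 code unit order. It is not collation,
// which is exactly what the differential check below should reveal.
function codeUnitCompare(a, b) {
  return a < b ? -1 : a > b ? 1 : 0;
}

// Constructed sample pairs: case, punctuation, digits and a Czech-style contraction.
const SAMPLE_PAIRS = [
  ['a', 'B'], ['ab', 'Ab'], ['a-b', 'ab'], ['1', 'a'], ['ch', 'h'], ['ch', 'i'], ['x', 'x'],
];

// Returns every pair on which the candidate's sign disagrees with the reference collator.
function findMismatches(candidate, collator, pairs) {
  const mismatches = [];
  for (const [a, b] of pairs) {
    const fast = Math.sign(candidate(a, b));
    const ref = Math.sign(collator.compare(a, b));
    if (fast !== ref) mismatches.push({ a, b, fast, ref });
  }
  return mismatches;
}

// A candidate is usable for a collator only with default options and zero disagreements.
function fastPathIsSafe(candidate, collator, pairs) {
  return hasDefaultCollatorOptions(collator)
    && findMismatches(candidate, collator, pairs).length === 0;
}

const en = new Intl.Collator('en');
console.log('default options:', hasDefaultCollatorOptions(en));
console.log('mismatches:', findMismatches(codeUnitCompare, en, SAMPLE_PAIRS));
console.log('safe:', fastPathIsSafe(codeUnitCompare, en, SAMPLE_PAIRS));
```

Running the same check with `new Intl.Collator('cs')` or `new Intl.Collator('th')` shows the locale-specific disagreements the entry describes, which is why the option check alone is not sufficient and the rule check has to be queried from ICU as well.
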
2246 2020-08-26  Yusuke Suzuki  <ysuzuki@apple.com>
2247
2248         [JSC] Implement Intl.DateTimeFormat fractionalSecondDigits
2249         https://bugs.webkit.org/show_bug.cgi?id=215840
2250
2251         Reviewed by Ross Kirsling.
2252
2253         This patch implements fractionalSecondDigits option for Intl.DateTimeFormat. If it is
2254         specified, milliseconds in N digits are represented in the formatted output.
2255         This extension is about to be merged into the spec[1]. SpiderMonkey and V8 support it,
2256         and V8 shipped it without flags.
2257
2258         [1]: https://github.com/tc39/ecma402/pull/347
2259
2260         * builtins/DatePrototype.js:
2261         (toLocaleString.toDateTimeOptionsAnyAll):
2262         (toLocaleString):
2263         (toLocaleTimeString.toDateTimeOptionsTimeTime):
2264         (toLocaleTimeString):
2265         * runtime/CommonIdentifiers.h:
2266         * runtime/IntlDateTimeFormat.cpp:
2267         (JSC::toDateTimeOptionsAnyDate):
2268         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2269         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2270         (JSC::IntlDateTimeFormat::resolvedOptions const):
2271         (JSC::partTypeString):
2272         * runtime/IntlDateTimeFormat.h:
2273
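The option described in this entry is easiest to verify through `formatToParts`, which exposes the new field as a part of type `fractionalSecond` independently of locale separators. The following is an added example, not JSC code or a test from the patch; it runs on whatever engine hosts it, returns `null` where the engine still ignores the option, and uses a constructed timestamp.

```javascript
// Added example, not JSC code: read the fractional-second field back through
// formatToParts rather than parsing the formatted string.
function fractionalSecondPart(date, digits, locale = 'en-US') {
  const dtf = new Intl.DateTimeFormat(locale, {
    timeZone: 'UTC', hour: 'numeric', minute: '2-digit', second: '2-digit',
    fractionalSecondDigits: digits,
  });
  const part = dtf.formatToParts(date).find(p => p.type === 'fractionalSecond');
  return part ? part.value : null; // null: the engine ignored the option (unsupported)
}

// fractionalSecondDigits accepts 1..3 only; per the proposal, anything else is a
// RangeError at construction time. Returns the error name, or null if none was thrown.
function fractionalSecondDigitsError(digits) {
  try {
    fractionalSecondPart(new Date(0), digits);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

const sampleInstant = new Date(Date.UTC(2020, 7, 26, 12, 34, 56, 789)); // constructed
console.log(fractionalSecondPart(sampleInstant, 3)); // "789" where supported
console.log(fractionalSecondDigitsError(4));         // "RangeError" where supported
```
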
2274 2020-08-25  Yusuke Suzuki  <ysuzuki@apple.com>
2275
2276         [JSC] FTL should use m_origin instead of m_node->origin since m_node can be nullptr
2277         https://bugs.webkit.org/show_bug.cgi?id=215833
2278
2279         Reviewed by Mark Lam.
2280
2281         While we are using m_node->origin, m_node can be nullptr (at the entry of the FTL function).
2282         m_origin always points to the appropriate origin. We should use it instead.
2283
2284         * ftl/FTLLowerDFGToB3.cpp:
2285         (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
2286         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
2287         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
2288         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
2289         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
2290         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
2291         (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
2292         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2293         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
2294         (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv):
2295         (JSC::FTL::DFG::LowerDFGToB3::compileValueMod):
2296         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
2297         (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary):
2298         (JSC::FTL::DFG::LowerDFGToB3::compileValuePow):
2299         (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom):
2300         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
2301         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
2302         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
2303         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
2304         (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt):
2305         (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound):
2306         (JSC::FTL::DFG::LowerDFGToB3::compileIncOrDec):
2307         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
2308         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
2309         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
2310         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
2311         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
2312         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
2313         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
2314         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
2315         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
2316         (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
2317         (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
2318         (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
2319         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
2320         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree):
2321         (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty):
2322         (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty):
2323         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2324         (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
2325         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2326         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2327         (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById):
2328         (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById):
2329         (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal):
2330         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
2331         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
2332         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
2333         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2334         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
2335         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
2336         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
2337         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
2338         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2339         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2340         (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments):
2341         (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
2342         (JSC::FTL::DFG::LowerDFGToB3::compileCreateArgumentsButterfly):
2343         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2344         (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeysOrObjectGetOwnPropertyNames):
2345         (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
2346         (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol):
2347         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2348         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2349         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
2350         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
2351         (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
2352         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
2353         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2354         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2355         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2356         (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
2357         (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric):
2358         (JSC::FTL::DFG::LowerDFGToB3::compileCallNumberConstructor):
2359         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
2360         (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
2361         (JSC::FTL::DFG::LowerDFGToB3::compileToPropertyKey):
2362         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2363         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2364         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
2365         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2366         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
2367         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
2368         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2369         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
2370         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2371         (JSC::FTL::DFG::LowerDFGToB3::compileVarargsLength):
2372         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
2373         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
2374         (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
2375         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
2376         (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
2377         (JSC::FTL::DFG::LowerDFGToB3::mapHashString):
2378         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
2379         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2380         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
2381         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
2382         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOfIsObject):
2383         (JSC::FTL::DFG::LowerDFGToB3::compileIsCallable):
2384         (JSC::FTL::DFG::LowerDFGToB3::compileIsConstructor):
2385         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
2386         (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty):
2387         (JSC::FTL::DFG::LowerDFGToB3::compileParseInt):
2388         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
2389         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2390         (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty):
2391         (JSC::FTL::DFG::LowerDFGToB3::compileHasStructurePropertyImpl):
2392         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2393         (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
2394         (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString):
2395         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
2396         (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
2397         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2398         (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName):
2399         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
2400         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
2401         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
2402         (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
2403         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
2404         (JSC::FTL::DFG::LowerDFGToB3::compare):
2405         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2406         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
2407         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix):
2408         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
2409         (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval):
2410         (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
2411         (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
2412         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
2413         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
2414         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
2415         (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
2416         (JSC::FTL::DFG::LowerDFGToB3::genericJSValueCompare):
2417         (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
2418         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2419         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2420         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
2421         (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
2422         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
2423         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
2424         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
2425         (JSC::FTL::DFG::LowerDFGToB3::masqueradesAsUndefinedWatchpointIsStillValid):
2426         (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const):
2427         (JSC::FTL::DFG::LowerDFGToB3::callCheck):
2428         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
2429         * jsc.cpp:
2430         (runJSC):
2431         * runtime/OptionsList.h:
2432
2433 2020-08-25  Devin Rousso  <drousso@apple.com>
2434
2435         Web Inspector: breakpoint condition should be evaluated before the ignore count
2436         https://bugs.webkit.org/show_bug.cgi?id=215364
2437         <rdar://problem/67310703>
2438
2439         Reviewed by Joseph Pecoraro.
2440
2441         Previously, when pausing, `JSC::Breakpoint` would check its `ignoreCount` before it
2442         would even attempt to evaluate its `condition`. This meant that a `JSC::Breakpoint` with
2443         a `condition` of `foo === 42` and an `ignoreCount` of `3` would ignore the first three
2444         pauses and then only pause if `foo === 42`. This is likely contrary to the expectation of
2445         most users (especially since the `condition` input is before the `ignoreCount` input in
2446         the Web Inspector frontend UI) in that they would probably expect to ignore the first
2447         three pauses if `foo === 42`.
2448
2449         * debugger/Breakpoint.cpp:
2450         (JSC::Breakpoint::shouldPause):
2451
2452 2020-08-25  Alexey Shvayka  <shvaikalesh@gmail.com>
2453
2454         Invalid early error for object literal method named "__proto__"
2455         https://bugs.webkit.org/show_bug.cgi?id=215760
2456
2457         Reviewed by Ross Kirsling.
2458
2459         According to Annex B [1], `{ __proto__: null, __proto__() {} }` is a valid object literal as the second
2460         `__proto__` wasn't obtained from `PropertyDefinition : PropertyName : AssignmentExpression` production.
2461         Currently, JSC throws an early SyntaxError, unlike V8 and SpiderMonkey.
2462
2463         Since a method needs `super` binding, the most straightforward fix would be adding SuperBinding field
2464         to SyntaxChecker::Property and exposing it via an accessor. However, given that Property is a very
2465         common structure, this approach would noticeably increase memory pressure during parsing.
2466
2467         Instead, this patch reworks SyntaxChecker::Property to accept `isUnderscoreProtoSetter` parameter,
2468         removing optional `name` field, its accessor, and shouldCheckPropertyForUnderscoreProtoDuplicate(),
2469         which reduces sizeof(SyntaxChecker::Property) by a factor of 8: from 16 to 2 bytes.
2470         Also, this change avoids two extra makeNumericIdentifier() calls, speeding up numeric keys parsing.
2471
2472         This approach is feasible because "__proto__" is the only identifier-based early error for object
2473         literals [2], with no such errors being added in upcoming stage 2-4 proposals.
2474
2475         Additionally, this patch removes the `strict` / `complete` bool parameter from {parse,create}Property()
2476         signatures as a) it was always `true`, b) it is now unused, and c) strict mode can be checked via scope.
2477
2478         [1]: https://tc39.es/ecma262/#sec-__proto__-property-names-in-object-initializers
2479         [2]: https://tc39.es/ecma262/#sec-object-initializer-static-semantics-early-errors
2480
2481         * parser/ASTBuilder.h:
2482         (JSC::ASTBuilder::createGetterOrSetterProperty):
2483         (JSC::ASTBuilder::createProperty):
2484         (JSC::ASTBuilder::isUnderscoreProtoSetter const):
2485         (JSC::ASTBuilder::getName const): Deleted.
2486         * parser/Nodes.h:
2487         * parser/Parser.cpp:
2488         (JSC::Parser<LexerType>::parseClass):
2489         (JSC::Parser<LexerType>::parseProperty):
2490         (JSC::Parser<LexerType>::parseGetterSetter):
2491         (JSC::Parser<LexerType>::parseObjectLiteral):
2492         (JSC::Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate): Deleted.
2493         * parser/Parser.h:
2494         * parser/SyntaxChecker.h:
2495         (JSC::SyntaxChecker::SyntaxChecker):
2496         (JSC::SyntaxChecker::Property::Property):
2497         (JSC::SyntaxChecker::Property::operator!):
2498         (JSC::SyntaxChecker::createProperty):
2499         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2500         (JSC::SyntaxChecker::operatorStackPop):
2501
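Which `__proto__` forms in an object literal are early errors, and what each form does at runtime, as an added JavaScript example (not code from the patch or from JSC). The expectations in `LITERAL_CASES` follow the Annex B rule cited above; the function and constant names are my own.

```javascript
// Added example (not JSC code): which object-literal forms of "__proto__"
// are early errors, and which set the prototype versus define an own property.
// Sources are compiled with the Function constructor so a SyntaxError is
// observed at parse time without running anything.

function classifyObjectLiteral(source) {
  try {
    new Function(`return (${source});`); // compile only; the body never runs
    return 'ok';
  } catch (e) {
    if (e instanceof SyntaxError) return 'early-error';
    throw e;
  }
}

// The only identifier-based early error for object literals: two
// "PropertyName : AssignmentExpression" definitions named __proto__.
const LITERAL_CASES = {
  '{ __proto__: null, __proto__: null }': 'early-error',    // duplicate setter form
  '{ __proto__: null, "__proto__": null }': 'early-error',  // a string-literal name counts too
  '{ __proto__: null, __proto__() {} }': 'ok',              // method: not the setter production
  '{ __proto__: null, get __proto__() {} }': 'ok',          // accessor: not the setter production
  '{ __proto__: null, ["__proto__"]: null }': 'ok',         // computed: not the setter production
  '{ __proto__: null, __proto__ }': 'ok',                   // shorthand: not the setter production
};

function checkAllLiteralCases() {
  return Object.entries(LITERAL_CASES).every(
    ([src, expected]) => classifyObjectLiteral(src) === expected);
}

// Runtime view of the same forms: only "__proto__: value" changes [[Prototype]];
// every other form creates an ordinary own property. That distinction is what
// decides whether a key named __proto__ can reach the prototype at all.
function describePrototypeEffects() {
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const __proto__ = 'shorthand-value'; // an ordinary binding that happens to be named __proto__

  const setter = { __proto__: null };
  const method = { __proto__: null, __proto__() { return 'method'; } };
  const computed = { ['__proto__']: 'computed-value' };
  const shorthand = { __proto__ };

  return {
    setterChangesPrototype: Object.getPrototypeOf(setter) === null && !hasOwn(setter, '__proto__'),
    methodIsOwnProperty: Object.getPrototypeOf(method) === null && typeof method.__proto__ === 'function',
    computedIsOwnProperty: hasOwn(computed, '__proto__') && Object.getPrototypeOf(computed) === Object.prototype,
    shorthandIsOwnProperty: hasOwn(shorthand, '__proto__') && Object.getPrototypeOf(shorthand) === Object.prototype,
  };
}
```

`checkAllLiteralCases()` returns `true` on an engine that implements the cited rule; a `false` result pinpoints, via `classifyObjectLiteral`, which form the engine misclassifies.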
2502 2020-08-25  Yusuke Suzuki  <ysuzuki@apple.com>
2503
2504         [JSC] Add concurrency-aware version of isCallable / isConstructor to make it usable in DFG compiler
2505         https://bugs.webkit.org/show_bug.cgi?id=215746
2506
2507         Reviewed by Saam Barati.
2508
2509         This patch adds isCallableWithConcurrency and isConstructorWithConcurrency to JSCell, JSValue etc.
2510         These work even when called from concurrent compiler threads. We also add jsTypeStringForValueWithConcurrency
2511         and jsTypeofIsFunctionWithConcurrency, which use the above WithConcurrency functionalities.
2512
2513         * CMakeLists.txt:
2514         * JavaScriptCore.xcodeproj/project.pbxproj:
2515         * dfg/DFGAbstractInterpreterInlines.h:
2516         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2517         * runtime/Concurrency.h: Added.
2518         (WTF::printInternal):
2519         * runtime/InternalFunction.cpp:
2520         (JSC::InternalFunction::finishCreation):
2521         (JSC::InternalFunction::getCallData):
2522         (JSC::InternalFunction::getConstructData):
2523         * runtime/JSCJSValue.h:
2524         * runtime/JSCJSValueInlines.h:
2525         (JSC::JSValue::isCallableWithConcurrency const):
2526         (JSC::JSValue::isConstructorWithConcurrency const):
2527         * runtime/JSCell.h:
2528         * runtime/JSCellInlines.h:
2529         (JSC::JSCell::isCallableWithConcurrency):
2530         (JSC::JSCell::isConstructorWithConcurrency):
2531         (JSC::JSCell::isCallable):
2532         (JSC::JSCell::isConstructor):
2533         * runtime/JSFunction.cpp:
2534         (JSC::JSFunction::finishCreation):
2535         (JSC::JSFunction::getCallData):
2536         (JSC::JSFunction::getConstructData):
2537         * runtime/NumberPrototype.cpp:
2538         (JSC::throwVMToThisNumberError):
2539         * runtime/Operations.cpp:
2540         (JSC::jsTypeStringForValueWithConcurrency):
2541         (JSC::jsTypeStringForValue): Deleted.
2542         * runtime/Operations.h:
2543         (JSC::jsTypeofIsFunctionWithConcurrency):
2544         (JSC::jsTypeStringForValue):
2545         (JSC::jsTypeofIsFunction):
2546
2547 2020-08-25  Alexey Shvayka  <shvaikalesh@gmail.com>
2548
2549         Implementation of the class "extends" clause incorrectly uses __proto__ for setting prototypes
2550         https://bugs.webkit.org/show_bug.cgi?id=205848
2551
2552         Reviewed by Keith Miller.
2553
2554         To prevent `class extends` from breaking if Object.prototype.__proto__ is overridden
2555         or removed, this patch replaces OpPutById bytecodes in ClassExprNode::emitBytecode()
2556         with JSObject::setPrototypeDirect() invocations via OpCall.
2557
2558         Since the spec sets [[Prototype]] values directly [1], we are safe to skip method
2559         table lookups and cycle checks.
2560
2561         Although this approach adds 4 `mov` ops to emitted bytecode for `class extends` creation,
2562         increasing instruction count to 35, I prefer it over introducing a slow path only op.
2563         To avoid emitting 2 extra `mov` ops, globalFuncSetPrototypeDirect() uses thisRegister().
2564
2565         Aligns JSC with V8 and SpiderMonkey. Derived class creation microbenchmark is neutral.
2566
2567         [1]: https://tc39.es/ecma262/#sec-createbuiltinfunction (step 7)
2568
2569         * builtins/BuiltinNames.h:
2570         * bytecode/BytecodeDumper.cpp:
2571         (JSC::CodeBlockBytecodeDumper<Block>::dumpConstants): Fix typo.
2572         * bytecode/LinkTimeConstant.h:
2573         * bytecompiler/BytecodeGenerator.cpp:
2574         (JSC::BytecodeGenerator::emitSetPrototypeOf):
2575         * bytecompiler/BytecodeGenerator.h:
2576         * bytecompiler/NodesCodegen.cpp:
2577         (JSC::ClassExprNode::emitBytecode):
2578         * parser/Nodes.h:
2579         * runtime/JSGlobalObject.cpp:
2580         (JSC::JSGlobalObject::init):
2581
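An added JavaScript check (not JSC's code) for the property this entry restores: class creation must set both [[Prototype]] links without going through `Object.prototype.__proto__`. It installs a counting stand-in for the accessor, then deletes the accessor altogether, and confirms that `class ... extends` still links correctly in both cases; `withProtoAccessor` and the class names are my own.

```javascript
// Added example (not JSC code): verify that `class ... extends` sets both
// [[Prototype]] links without touching Object.prototype.__proto__, so a page
// that overrides or deletes that accessor cannot interfere with class creation.

// Runs body() with Object.prototype.__proto__ replaced by `descriptor`
// (or removed when descriptor is null) and restores the original afterwards.
function withProtoAccessor(descriptor, body) {
  const original = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  if (descriptor === null) delete Object.prototype.__proto__;
  else Object.defineProperty(Object.prototype, '__proto__', descriptor);
  try {
    return body();
  } finally {
    Object.defineProperty(Object.prototype, '__proto__', original);
  }
}

// Both links a derived class needs: Derived -> Base (for static inheritance)
// and Derived.prototype -> Base.prototype (for instance inheritance).
function derivedClassLinksCorrect() {
  class Base { static who() { return 'base'; } }
  class Derived extends Base {}
  return Object.getPrototypeOf(Derived) === Base
      && Object.getPrototypeOf(Derived.prototype) === Base.prototype
      && Derived.who() === 'base'
      && new Derived() instanceof Base;
}

// Case 1: a tampered accessor. Count how often class creation touches it.
function classCreationWithOverriddenAccessor() {
  let uses = 0;
  const counting = {
    get() { uses++; return Object.getPrototypeOf(this); },
    set(value) { uses++; Object.setPrototypeOf(this, value); },
    configurable: true,
    enumerable: false,
  };
  const linksOk = withProtoAccessor(counting, derivedClassLinksCorrect);
  return { linksOk, accessorUses: uses };
}

// Case 2: the accessor is gone entirely.
function classCreationWithoutAccessor() {
  return withProtoAccessor(null, () => ({
    accessorGone: Object.getOwnPropertyDescriptor(Object.prototype, '__proto__') === undefined,
    linksOk: derivedClassLinksCorrect(),
  }));
}
```

An engine that routed `class extends` through `__proto__` would report a non-zero `accessorUses` in the first case and fail to link (or throw) in the second; an engine that sets [[Prototype]] directly reports zero uses and correct links in both.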
2582 2020-08-24  Keith Miller  <keith_miller@apple.com>
2583
2584         DFG should always run CFG Simplification after Constant Folding.
2585         https://bugs.webkit.org/show_bug.cgi?id=215286
2586
2587         Reviewed by Robin Morisset.
2588
2589         We didn't do this originally because LICM, many years ago, was
2590         unsound if the CFG didn't have exactly the right shape around
2591         loops. This is no longer true so we don't have to worry about
2592         changing the CFG anymore. While this doesn't appear to be a
2593         speedup on JetStream 2 CFG, probably because we'd eventually
2594         simplify the graph in B3, CFG Simplification is very cheap and
2595         makes other DFG optimizations easier in the future.
2596
2597         Also, remove unnecessary validation rule that no exitOKs can come
2598         before any Phi nodes in DFG. This isn't required and fails after
2599         merging two basic blocks where the latter block has a Phi.
2600
2601         * dfg/DFGCFGSimplificationPhase.cpp:
2602         (JSC::DFG::CFGSimplificationPhase::run):
2603         * dfg/DFGPlan.cpp:
2604         (JSC::DFG::Plan::compileInThreadImpl):
2605         * dfg/DFGValidate.cpp:
2606
2607 2020-08-24  Keith Miller  <keith_miller@apple.com>
2608
2609         Remove MovHintRemoval phase
2610         https://bugs.webkit.org/show_bug.cgi?id=215785
2611
2612         Reviewed by Saam Barati.
2613
2614         The MovHintRemoval phase doesn't play nicely with our OSR
2615         Availability. Specifically, it needs to do a tricky dance where it
2616         marks all the live ranges of the ZombieHints as not
2617         exitOK. There's also an issue because we treated unused locals as
2618         kill in this block, which is wrong for SSA when a MovHint is
2619         used in another block. Since removing MovHintRemoval isn't a
2620         performance regression, we are removing it rather than fixing bugs
2621         related to it. Relatedly, since the only place we produce
2622         ZombieHints is MovHintRemoval this patch also removes that node
2623         type.
2624
2625         * Sources.txt:
2626         * dfg/DFGAbstractInterpreterInlines.h:
2627         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2628         * dfg/DFGClobberize.h:
2629         (JSC::DFG::clobberize):
2630         * dfg/DFGClobbersExitState.cpp:
2631         (JSC::DFG::clobbersExitState):
2632         * dfg/DFGDoesGC.cpp:
2633         (JSC::DFG::doesGC):
2634         * dfg/DFGFixupPhase.cpp:
2635         (JSC::DFG::FixupPhase::fixupNode):
2636         * dfg/DFGMayExit.cpp:
2637         * dfg/DFGMovHintRemovalPhase.cpp: Removed.
2638         * dfg/DFGMovHintRemovalPhase.h: Removed.
2639         * dfg/DFGNode.h:
2640         (JSC::DFG::Node::containsMovHint):
2641         (JSC::DFG::Node::hasUnlinkedOperand):
2642         * dfg/DFGNodeType.h:
2643         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2644         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2645         * dfg/DFGPhantomInsertionPhase.cpp:
2646         * dfg/DFGPlan.cpp:
2647         (JSC::DFG::Plan::compileInThreadImpl):
2648         * dfg/DFGPredictionPropagationPhase.cpp:
2649         * dfg/DFGSafeToExecute.h:
2650         (JSC::DFG::safeToExecute):
2651         * dfg/DFGSpeculativeJIT.cpp:
2652         (JSC::DFG::SpeculativeJIT::compileMovHint):
2653         * dfg/DFGSpeculativeJIT32_64.cpp:
2654         (JSC::DFG::SpeculativeJIT::compile):
2655         * dfg/DFGSpeculativeJIT64.cpp:
2656         (JSC::DFG::SpeculativeJIT::compile):
2657         * dfg/DFGVarargsForwardingPhase.cpp:
2658         * ftl/FTLCapabilities.cpp:
2659         (JSC::FTL::canCompile):
2660         * ftl/FTLLowerDFGToB3.cpp:
2661         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2662         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2663         * runtime/OptionsList.h:
2664
2665 2020-08-24  Devin Rousso  <drousso@apple.com>
2666
2667         Web Inspector: rename `ScriptDebugServer` subclasses/methods
2668         https://bugs.webkit.org/show_bug.cgi?id=215363
2669         <rdar://problem/67310441>
2670
2671         Reviewed by Brian Burg.
2672
2673         r266074 merged `Inspector::ScriptDebugServer` into `JSC::Debugger`. All subclasses and
2674         functions should be renamed to match this change.
2675
2676         * JavaScriptCore.xcodeproj/project.pbxproj:
2677         * Sources.txt:
2678         * inspector/InspectorEnvironment.h:
2679         * inspector/JSGlobalObjectDebugger.h: Renamed from Source/JavaScriptCore/inspector/JSGlobalObjectScriptDebugServer.h.
2680         * inspector/JSGlobalObjectDebugger.cpp: Renamed from Source/JavaScriptCore/inspector/JSGlobalObjectScriptDebugServer.cpp.
2681         * inspector/JSGlobalObjectInspectorController.h:
2682         * inspector/JSGlobalObjectInspectorController.cpp:
2683         * inspector/agents/InspectorAuditAgent.h:
2684         * inspector/agents/InspectorAuditAgent.cpp:
2685         * inspector/agents/InspectorDebuggerAgent.h:
2686         * inspector/agents/InspectorDebuggerAgent.cpp:
2687         * inspector/agents/InspectorRuntimeAgent.h:
2688         * inspector/agents/InspectorRuntimeAgent.cpp:
2689         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2690         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2691         * inspector/remote/RemoteInspectionTarget.cpp:
2692         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
2693
2694 2020-08-24  Devin Rousso  <drousso@apple.com>
2695
2696         Web Inspector: allow event breakpoints to be configured
2697         https://bugs.webkit.org/show_bug.cgi?id=215362
2698         <rdar://problem/66932921>
2699
2700         Reviewed by Brian Burg.
2701
2702         This allows developers to do things like:
2703          - only pause when `window.event.type` is a certain value
2704          - ignore the first N pauses
2705          - evaluate JavaScript whenever an event listener is invoked without pausing
2706
2707         * inspector/protocol/DOM.json:
2708         Add an `options` parameter to `DOM.setBreakpointForEventListener` to allow configuration.
2709
2710         * inspector/protocol/DOMDebugger.json:
2711         Add an `options` parameter to `DOMDebugger.setEventBreakpoint` to allow configuration.
2712
2713         * debugger/Breakpoint.h:
2714         (JSC::Breakpoint::id const): Added.
2715         (JSC::Breakpoint::sourceID const): Added.
2716         (JSC::Breakpoint::lineNumber const): Added.
2717         (JSC::Breakpoint::columnNumber const): Added.
2718         (JSC::Breakpoint::condition const): Added.
2719         (JSC::Breakpoint::actions const): Added.
2720         (JSC::Breakpoint::isAutoContinue const): Added.
2721         (JSC::Breakpoint::resetHitCount): Added.
2722         (JSC::Breakpoint::isLinked const): Added.
2723         (JSC::Breakpoint::isResolved const): Added.
2724         (JSC::BreakpointsList::~BreakpointsList): Deleted.
2725         * debugger/Breakpoint.cpp: Added.
2726         (JSC::Breakpoint::Action::Action): Added.
2727         (JSC::Breakpoint::create): Added.
2728         (JSC::Breakpoint::Breakpoint): Added.
2729         (JSC::Breakpoint::link): Added.
2730         (JSC::Breakpoint::resolve): Added.
2731         (JSC::Breakpoint::shouldPause): Added.
2732         Unify `JSC::Breakpoint` and `Inspector::ScriptBreakpoint`.
2733
2734         * debugger/DebuggerPrimitives.h:
2735         * debugger/Debugger.h:
2736         * debugger/Debugger.cpp:
2737         (JSC::Debugger::Debugger):
2738         (JSC::Debugger::addObserver): Added.
2739         (JSC::Debugger::removeObserver): Added.
2740         (JSC::Debugger::canDispatchFunctionToObservers const): Added.
2741         (JSC::Debugger::dispatchFunctionToObservers): Added.
2742         (JSC::Debugger::sourceParsed): Added.
2743         (JSC::Debugger::toggleBreakpoint):
2744         (JSC::Debugger::applyBreakpoints):
2745         (JSC::Debugger::resolveBreakpoint):
2746         (JSC::Debugger::setBreakpoint):
2747         (JSC::Debugger::removeBreakpoint):
2748         (JSC::Debugger::didHitBreakpoint): Added.
2749         (JSC::Debugger::clearBreakpoints):
2750         (JSC::Debugger::evaluateBreakpointCondition): Added.
2751         (JSC::Debugger::evaluateBreakpointActions): Added.
2752         (JSC::Debugger::schedulePauseAtNextOpportunity): Added.
2753         (JSC::Debugger::cancelPauseAtNextOpportunity): Added.
2754         (JSC::Debugger::schedulePauseForSpecialBreakpoint): Added.
2755         (JSC::Debugger::cancelPauseForSpecialBreakpoint): Added.
2756         (JSC::Debugger::continueProgram):
2757         (JSC::Debugger::stepNextExpression):
2758         (JSC::Debugger::stepIntoStatement):
2759         (JSC::Debugger::stepOverStatement):
2760         (JSC::Debugger::stepOutOfFunction):
2761         (JSC::Debugger::pauseIfNeeded):
2762         (JSC::Debugger::handlePause): Added.
2763         (JSC::Debugger::exceptionOrCaughtValue): Added.
2764         (JSC::Debugger::atExpression):
2765         (JSC::Debugger::clearNextPauseState):
2766         (JSC::Debugger::willRunMicrotask): Added.
2767         (JSC::Debugger::didRunMicrotask): Added.
2768         (JSC::Debugger::hasBreakpoint): Deleted.
2769         (JSC::Debugger::setPauseOnNextStatement): Deleted.
2770         Unify `JSC::Debugger` and `Inspector::ScriptDebugServer` to simplify breakpoint logic.
2771         Introduce the concept of a "special breakpoint", which is essentially a `JSC::Breakpoint`
2772         that is expected to pause at the next opportunity but isn't tied to a particular location.
2773         As an example, whenever an event breakpoint is hit, instead of just pausing at the next
2774         opportunity, the newly managed `JSC::Breakpoint` is used as a "special breakpoint", allowing
2775         for its configuration (e.g. condition, ignore count, actions, auto-continue) to be used.
2776
2777         * inspector/agents/InspectorDebuggerAgent.h:
2778         * inspector/agents/InspectorDebuggerAgent.cpp:
2779         (Inspector::objectGroupForBreakpointAction):
2780         (Inspector::breakpointActionTypeForString): Added.
2781         (Inspector::parseBreakpointOptions): Added.
2782         (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::fromPayload): Added.
2783         (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::ProtocolBreakpoint): Added.
2784         (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::createDebuggerBreakpoint const): Added.
2785         (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::matchesScriptURL const): Added.
2786         (Inspector::InspectorDebuggerAgent::debuggerBreakpointFromPayload): Added.
2787         (Inspector::InspectorDebuggerAgent::enable):
2788         (Inspector::InspectorDebuggerAgent::disable):
2789         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
2790         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
2791         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
2792         (Inspector::buildDebuggerLocation):
2793         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2794         (Inspector::InspectorDebuggerAgent::setBreakpoint):
2795         (Inspector::InspectorDebuggerAgent::didSetBreakpoint):
2796         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
2797         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
2798         (Inspector::InspectorDebuggerAgent::continueToLocation):
2799         (Inspector::InspectorDebuggerAgent::schedulePauseAtNextOpportunity): Added.
2800         (Inspector::InspectorDebuggerAgent::cancelPauseAtNextOpportunity): Added.
2801         (Inspector::InspectorDebuggerAgent::schedulePauseForSpecialBreakpoint): Added.
2802         (Inspector::InspectorDebuggerAgent::cancelPauseForSpecialBreakpoint): Added.
2803         (Inspector::InspectorDebuggerAgent::pause):
2804         (Inspector::InspectorDebuggerAgent::resume):
2805         (Inspector::InspectorDebuggerAgent::didBecomeIdle):
2806         (Inspector::InspectorDebuggerAgent::sourceMapURLForScript):
2807         (Inspector::InspectorDebuggerAgent::didParseSource):
2808         (Inspector::InspectorDebuggerAgent::willRunMicrotask):
2809         (Inspector::InspectorDebuggerAgent::didRunMicrotask):
2810         (Inspector::InspectorDebuggerAgent::didPause):
2811         (Inspector::InspectorDebuggerAgent::breakpointActionSound):
2812         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
2813         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
2814         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
2815         (Inspector::matches): Deleted.
2816         (Inspector::buildObjectForBreakpointCookie): Deleted.
2817         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol): Deleted.
2818         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement): Deleted.
2819         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement): Deleted.
2820         Create a private `ProtocolBreakpoint` class that holds the data sent by the frontend. This
2821         is necessary because breakpoints in the frontend have a potentially one-to-many relationship
2822         with breakpoints in the backend, as the same script can be loaded many times on a page. Each
2823         of those scripts is independent, however, and can execute differently, meaning that the same
2824         breakpoint for each script also needs a different state (e.g. ignore count). As such, the
2825         `ProtocolBreakpoint` is effectively a template that is actualized whenever a new script is
2826         parsed that matches the URL of the `ProtocolBreakpoint` to create a `JSC::Breakpoint` that
2827         is used by the `JSC::Debugger`. `ProtocolBreakpoint` also parses breakpoint configurations.
2828
2829         * inspector/InspectorEnvironment.h:
2830         * inspector/JSGlobalObjectScriptDebugServer.h:
2831         * inspector/JSGlobalObjectScriptDebugServer.cpp:
2832         (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
2833         (Inspector::JSGlobalObjectScriptDebugServer::attachDebugger):
2834         (Inspector::JSGlobalObjectScriptDebugServer::detachDebugger):
2835         (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
2836         * inspector/agents/InspectorAuditAgent.h:
2837         * inspector/agents/InspectorAuditAgent.cpp:
2838         (Inspector::InspectorAuditAgent::run):
2839         * inspector/agents/InspectorRuntimeAgent.h:
2840         * inspector/agents/InspectorRuntimeAgent.cpp:
2841         (Inspector::setPauseOnExceptionsState):
2842         (Inspector::InspectorRuntimeAgent::evaluate):
2843         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2844         (Inspector::InspectorRuntimeAgent::getPreview):
2845         (Inspector::InspectorRuntimeAgent::getProperties):
2846         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2847         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2848         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2849         Replace `Inspector::ScriptDebugServer` with `JSC::Debugger`.
2850
2851         * runtime/JSMicrotask.cpp:
2852         (JSC::JSMicrotask::run):
2853         Drive-by: r248894 mistakenly omitted the call to notify the debugger that the microtask ran.
2854
2855         * inspector/ScriptBreakpoint.h: Removed.
2856         * inspector/ScriptDebugListener.h: Removed.
2857         * inspector/ScriptDebugServer.h: Removed.
2858         * inspector/ScriptDebugServer.cpp: Removed.
2859         * CMakeLists.txt:
2860         * JavaScriptCore.xcodeproj/project.pbxproj:
2861         * Sources.txt:
2862
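The pause logic from the breakpoint-condition entry at the top of this section and the per-script `ProtocolBreakpoint` template described in the entry above, as one added JavaScript example. It is not JSC or Web Inspector code: the class and method names mirror those listed in the entries, conditions are plain functions over a scope object rather than source strings evaluated in the paused frame, and the script URLs are constructed.

```javascript
// Added example (not JSC or Web Inspector code): a model of breakpoint pausing.
// Breakpoint.shouldPause evaluates the condition before the ignore count (the
// fixed ordering); the pre-fix ordering is selectable only to show the difference.
// ProtocolBreakpoint is the per-URL template that is actualized into one
// Breakpoint per parsed script, so each script keeps its own hit count.

class Breakpoint {
  constructor({ condition = null, ignoreCount = 0, actions = [], autoContinue = false } = {}) {
    this.condition = condition;     // simplification: a function of the scope, not a source string
    this.ignoreCount = ignoreCount;
    this.actions = actions;         // run on every counted hit, paused or not
    this.autoContinue = autoContinue;
    this.hitCount = 0;
  }

  resetHitCount() { this.hitCount = 0; }

  // Returns true when the debugger should actually stop for this hit.
  shouldPause(scope, conditionFirst = true) {
    const conditionHolds = () => this.condition === null || Boolean(this.condition(scope));
    if (conditionFirst) {
      // Fixed ordering: a hit only counts against ignoreCount if the condition holds.
      if (!conditionHolds()) return false;
      if (++this.hitCount <= this.ignoreCount) return false;
    } else {
      // Pre-fix ordering: the first ignoreCount hits are skipped unconditionally.
      if (++this.hitCount <= this.ignoreCount) return false;
      if (!conditionHolds()) return false;
    }
    for (const action of this.actions) action(scope);
    return !this.autoContinue;
  }
}

// What the frontend sent: a template keyed by script URL.
class ProtocolBreakpoint {
  constructor(url, options) { this.url = url; this.options = options; }
  matchesScriptURL(url) { return url === this.url; }
  createDebuggerBreakpoint() { return new Breakpoint(this.options); }
}

class Debugger {
  constructor() {
    this.protocolBreakpoints = [];
    this.breakpointsForScript = new Map(); // scriptId -> Breakpoint[]
  }
  setBreakpointByUrl(url, options) { this.protocolBreakpoints.push(new ProtocolBreakpoint(url, options)); }
  // Called whenever a script is parsed: actualize every matching template for it.
  sourceParsed(scriptId, url) {
    const actualized = this.protocolBreakpoints
      .filter((pb) => pb.matchesScriptURL(url))
      .map((pb) => pb.createDebuggerBreakpoint());
    this.breakpointsForScript.set(scriptId, actualized);
  }
  // Simulates execution reaching the breakpoint location inside scriptId.
  hitLocation(scriptId, scope) {
    const bps = this.breakpointsForScript.get(scriptId) || [];
    return bps.some((bp) => bp.shouldPause(scope));
  }
}

// Condition `foo === 42` with ignoreCount 3 over a constructed sequence of values;
// returns the indices at which the debugger pauses under the chosen ordering.
function pauseIndicesFor(conditionFirst) {
  const bp = new Breakpoint({ condition: (s) => s.foo === 42, ignoreCount: 3 });
  const fooValues = [42, 1, 42, 42, 42, 1, 42];
  const paused = [];
  fooValues.forEach((foo, i) => { if (bp.shouldPause({ foo }, conditionFirst)) paused.push(i); });
  return paused;
}

// One template, two copies of the same script URL: their ignore counts are independent.
function perScriptHitState() {
  const dbg = new Debugger();
  const url = 'https://app.example/main.js'; // constructed URL
  dbg.setBreakpointByUrl(url, { ignoreCount: 1 });
  dbg.sourceParsed(1, url);
  dbg.sourceParsed(2, url);
  dbg.sourceParsed(3, 'https://app.example/other.js');
  return [dbg.hitLocation(1, {}), dbg.hitLocation(1, {}), dbg.hitLocation(2, {}), dbg.hitLocation(3, {})];
}

// Actions plus auto-continue: evaluate something on every hit without pausing.
function probeWithoutPausing() {
  const seen = [];
  const bp = new Breakpoint({ actions: [(s) => seen.push(s.eventType)], autoContinue: true });
  const paused = ['click', 'keydown'].map((eventType) => bp.shouldPause({ eventType }));
  return { paused, seen };
}
```

With the fixed ordering `pauseIndicesFor(true)` pauses at indices 4 and 6 (the fourth and fifth times `foo === 42`), while the pre-fix ordering pauses at 3, 4 and 6 because the first three hits were discarded regardless of `foo`.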
2863 2020-08-24  Devin Rousso  <drousso@apple.com>
2864
2865         Web Inspector: remove "extra domains" concept now that domains can be added based on the debuggable type
2866         https://bugs.webkit.org/show_bug.cgi?id=201150
2867         <rdar://problem/56545911>
2868
2869         Reviewed by Brian Burg.
2870
2871         * inspector/scripts/codegen/objc_generator_templates.py:
2872         * inspector/augmentable/AugmentableInspectorController.h:
2873
2874         * inspector/JSGlobalObjectInspectorController.h:
2875         * inspector/JSGlobalObjectInspectorController.cpp:
2876         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2877         (Inspector::JSGlobalObjectInspectorController::registerAlternateAgent): Added.
2878         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent): Deleted.
2879
2880         * inspector/InspectorAgentRegistry.h:
2881         * inspector/InspectorAgentRegistry.cpp:
2882         (Inspector::AgentRegistry::appendExtraAgent): Deleted.
2883
2884         * inspector/protocol/Inspector.json:
2885         * inspector/agents/InspectorAgent.h:
2886         * inspector/agents/InspectorAgent.cpp:
2887         (Inspector::InspectorAgent::activateExtraDomain): Deleted.
2888         (Inspector::InspectorAgent::activateExtraDomains): Deleted.
2889
2890         * inspector/scripts/tests/expected/command-targetType-matching-domain-debuggableType.json-result:
2891         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2892         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2893         * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result:
2894         * inspector/scripts/tests/expected/domain-debuggableTypes.json-result:
2895         * inspector/scripts/tests/expected/domain-targetType-matching-domain-debuggableType.json-result:
2896         * inspector/scripts/tests/expected/domain-targetTypes.json-result:
2897         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2898         * inspector/scripts/tests/expected/enum-values.json-result:
2899         * inspector/scripts/tests/expected/event-targetType-matching-domain-debuggableType.json-result:
2900         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2901         Rebase protocol tests.
2902
2903 2020-08-23  Yusuke Suzuki  <ysuzuki@apple.com>
2904
2905         Unreviewed, wrong merge resolution between r266031 and r263837
2906         https://bugs.webkit.org/show_bug.cgi?id=209774
2907
2908         r263837 landed after r266031 was configured. OSS buildbots didn't catch this since they are using old ICU headers.
2909
2910         * runtime/IntlNumberFormat.cpp:
2911         (JSC::IntlNumberFormat::initializeNumberFormat):
2912
2913 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
2914
2915         Unreviewed, assertion was opposite
2916         https://bugs.webkit.org/show_bug.cgi?id=215058
2917
2918         We should ensure that this is *not* zero.
2919
2920         * runtime/IntlObject.cpp:
2921         (JSC::parseVariantCode):
2922
2923 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
2924
2925         [JSC] Implement Intl Language Tag Parser
2926         https://bugs.webkit.org/show_bug.cgi?id=215058
2927
2928         Reviewed by Ross Kirsling and Darin Adler.
2929
2930         This patch adds LanguageTagParser which performs isStructurallyValidLanguageTag[1] validation precisely.
2931         The spec strictly defines the acceptable format of a language tag, which is not the same as ICU's, and this
2932         is even tested in test262. We should have LanguageTagParser to validate the input.
2933
2934         [1]: https://tc39.es/ecma402/#sec-isstructurallyvalidlanguagetag
2935
2936         * runtime/IntlLocale.cpp:
2937         (JSC::LocaleIDBuilder::initialize):
2938         (JSC::IntlLocale::initializeLocale):
2939         * runtime/IntlObject.cpp:
2940         (JSC::canonicalizeLocaleList):
2941         (JSC::parseVariantCode):
2942         (JSC::convertToUnicodeSingletonIndex):
2943         (JSC::isUnicodeExtensionAttribute):
2944         (JSC::isUnicodeExtensionKey):
2945         (JSC::isUnicodeExtensionTypeComponent):
2946         (JSC::isUnicodePUExtensionValue):
2947         (JSC::isUnicodeOtherExtensionValue):
2948         (JSC::isUnicodeTKey):
2949         (JSC::isUnicodeTValueComponent):
2950         (JSC::LanguageTagParser::LanguageTagParser):
2951         (JSC::LanguageTagParser::isEOS):
2952         (JSC::LanguageTagParser::next):
2953         (JSC::LanguageTagParser::parseUnicodeLocaleId):
2954         (JSC::LanguageTagParser::parseUnicodeLanguageId):
2955         (JSC::LanguageTagParser::parseUnicodeExtensionAfterPrefix):
2956         (JSC::LanguageTagParser::parseTransformedExtensionAfterPrefix):
2957         (JSC::LanguageTagParser::parseOtherExtensionAfterPrefix):
2958         (JSC::LanguageTagParser::parsePUExtensionAfterPrefix):
2959         (JSC::LanguageTagParser::parseExtensionsAndPUExtensions):
2960         (JSC::isStructurallyValidLanguageTag):
2961         (JSC::isUnicodeLanguageId):
2962         * runtime/IntlObject.h:
2963
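A structural validator written as an added JavaScript example (not JSC's LanguageTagParser) that follows the `unicode_locale_id` grammar the cited spec section refers to, organised like the functions listed above: language id, then `u`/`t`/other extensions, then the `x` private-use extension. It checks syntax only, rejecting duplicate variant subtags and duplicate singletons as ECMA-402 requires, and consults no subtag registry; the regular expressions and function names are my own.

```javascript
// Added example (not JSC code): structural validation of a Unicode BCP 47
// locale identifier. Each parse function takes the subtag array and a start
// index and returns the index just past what it consumed, or -1 on error.

const re = (pattern) => new RegExp(`^(?:${pattern})$`, 'i');
const LANGUAGE = re('[a-z]{2,3}|[a-z]{5,8}');
const SCRIPT = re('[a-z]{4}');
const REGION = re('[a-z]{2}|[0-9]{3}');
const VARIANT = re('[a-z0-9]{5,8}|[0-9][a-z0-9]{3}');
const U_ATTRIBUTE = re('[a-z0-9]{3,8}');
const U_KEY = re('[a-z0-9][a-z]');
const U_TYPE = re('[a-z0-9]{3,8}');
const T_KEY = re('[a-z][0-9]');
const T_VALUE = re('[a-z0-9]{3,8}');
const OTHER_VALUE = re('[a-z0-9]{2,8}');
const PU_VALUE = re('[a-z0-9]{1,8}');
const SINGLETON = re('[a-wy-z0-9]'); // any singleton except the private-use prefix x

function skipWhile(subtags, i, pattern) {
  while (i < subtags.length && pattern.test(subtags[i])) i++;
  return i;
}

// unicode_language_id: language (script)? (region)? (variant)*
function parseUnicodeLanguageId(subtags, i) {
  if (!(i < subtags.length && LANGUAGE.test(subtags[i]))) return -1;
  i++;
  if (i < subtags.length && SCRIPT.test(subtags[i])) i++;
  if (i < subtags.length && REGION.test(subtags[i])) i++;
  const seenVariants = new Set();
  while (i < subtags.length && VARIANT.test(subtags[i])) {
    const variant = subtags[i].toLowerCase();
    if (seenVariants.has(variant)) return -1; // duplicate variants are a structural error
    seenVariants.add(variant);
    i++;
  }
  return i;
}

// 'u' ((keyword)+ | (attribute)+ (keyword)*), keyword = key (type)*
function parseUnicodeExtensionAfterPrefix(subtags, i) {
  const start = i;
  i = skipWhile(subtags, i, U_ATTRIBUTE);
  while (i < subtags.length && U_KEY.test(subtags[i])) i = skipWhile(subtags, i + 1, U_TYPE);
  return i > start ? i : -1;
}

// 't' ((tlang (tfield)*) | (tfield)+), tfield = tkey (tvalue)+
function parseTransformedExtensionAfterPrefix(subtags, i) {
  const start = i;
  if (i < subtags.length && LANGUAGE.test(subtags[i])) {
    i = parseUnicodeLanguageId(subtags, i);
    if (i < 0) return -1;
  }
  while (i < subtags.length && T_KEY.test(subtags[i])) {
    const afterValues = skipWhile(subtags, i + 1, T_VALUE);
    if (afterValues === i + 1) return -1; // a tkey needs at least one tvalue
    i = afterValues;
  }
  return i > start ? i : -1;
}

// other singleton (alphanum{2,8})+
function parseOtherExtensionAfterPrefix(subtags, i) {
  const end = skipWhile(subtags, i, OTHER_VALUE);
  return end > i ? end : -1;
}

// 'x' (alphanum{1,8})+ ; always last, so it may consume everything that remains
function parsePUExtensionAfterPrefix(subtags, i) {
  const end = skipWhile(subtags, i, PU_VALUE);
  return end > i ? end : -1;
}

function isStructurallyValidLanguageTag(tag) {
  if (typeof tag !== 'string') return false;
  const subtags = tag.split('-');
  let i = parseUnicodeLanguageId(subtags, 0);
  if (i < 0) return false;
  const seenSingletons = new Set();
  while (i < subtags.length && SINGLETON.test(subtags[i])) {
    const singleton = subtags[i].toLowerCase();
    if (seenSingletons.has(singleton)) return false; // duplicate singletons are a structural error
    seenSingletons.add(singleton);
    if (singleton === 'u') i = parseUnicodeExtensionAfterPrefix(subtags, i + 1);
    else if (singleton === 't') i = parseTransformedExtensionAfterPrefix(subtags, i + 1);
    else i = parseOtherExtensionAfterPrefix(subtags, i + 1);
    if (i < 0) return false;
  }
  if (i < subtags.length && /^x$/i.test(subtags[i])) {
    i = parsePUExtensionAfterPrefix(subtags, i + 1);
    if (i < 0) return false;
  }
  return i === subtags.length; // anything left over is a structural error
}
```

The validator accepts `en-US`, `zh-Hant-TW`, `de-DE-1996`, `en-US-u-ca-gregory-hc-h12` and `ja-t-en-k0-dvorak`, and rejects an empty string, a trailing separator (`en-`), an empty extension (`en-u`), a repeated variant (`de-1996-1996`), a repeated singleton (`en-u-ca-u-nu`) and a tag with no language subtag (`x-private`).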
2964 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
2965
2966         Unreviewed, workaround for old ICU headers in macOS Catalina bots
2967         https://bugs.webkit.org/show_bug.cgi?id=209774
2968
2969         EWS and Catalina bots are inconsistent in terms of ICU header versions.
2970         This patch adds a workaround which checks ICU header version too at runtime.
2971
2972         * tools/JSDollarVM.cpp:
2973         (JSC::functionICUHeaderVersion):
2974         (JSC::JSDollarVM::finishCreation):
2975
2976 2020-08-22  Alexey Shvayka  <shvaikalesh@gmail.com>
2977
2978         The [[ThrowTypeError]] function object must not be extensible
2979         https://bugs.webkit.org/show_bug.cgi?id=108873
2980
2981         Reviewed by Yusuke Suzuki.
2982
2983         This patch:
2984
2985         1. Sets the value of %ThrowTypeError% "name" property to the empty string,
2986            as required [1] for anonymous built-in functions.
2987
2988         2. Calls JSObject::freeze() on %ThrowTypeError%, making it non-extensible and
2989            its "name" and "length" properties non-configurable to match the spec [2].
2990
2991         Both changes align JSC with V8 and SpiderMonkey.
2992
2993         [1]: https://tc39.es/ecma262/#sec-ecmascript-standard-built-in-objects
2994         [2]: https://tc39.es/ecma262/#sec-%throwtypeerror%
2995
2996         * runtime/JSGlobalObject.cpp:
2997         (JSC::JSGlobalObject::init):
2998
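Locating `%ThrowTypeError%` in a running realm and checking the properties this entry establishes, as an added JavaScript example (not JSC's code). The intrinsic is reachable through the `callee` accessor of a strict-mode arguments object and through the `Function.prototype` `caller` accessor; the audit function and its result field names are my own.

```javascript
// Added example (not JSC code): an audit of %ThrowTypeError% in the current realm.

// Route 1: the "callee" accessor of a strict-mode arguments object.
function throwTypeErrorViaCallee() {
  'use strict';
  return Object.getOwnPropertyDescriptor(arguments, 'callee').get;
}

// Route 2: the "caller" accessor on Function.prototype.
function throwTypeErrorViaCaller() {
  const desc = Object.getOwnPropertyDescriptor(Function.prototype, 'caller');
  return desc === undefined ? undefined : desc.get;
}

function auditThrowTypeError() {
  const tte = throwTypeErrorViaCallee();
  const name = Object.getOwnPropertyDescriptor(tte, 'name');
  const length = Object.getOwnPropertyDescriptor(tte, 'length');
  let throwsTypeError = false;
  try { tte(); } catch (e) { throwsTypeError = e instanceof TypeError; }
  return {
    sameObjectFromBothRoutes: tte === throwTypeErrorViaCaller(),   // one intrinsic per realm
    throwsTypeError,                                              // calling it only ever throws
    anonymous: name !== undefined && name.value === '',           // "name" is the empty string
    extensible: Object.isExtensible(tte),                         // expected: false
    frozen: Object.isFrozen(tte),                                 // expected: true
    nameConfigurable: name === undefined ? undefined : name.configurable,       // expected: false
    lengthConfigurable: length === undefined ? undefined : length.configurable, // expected: false
  };
}
```

Every strict function's arguments object exposes the same intrinsic, so a `%ThrowTypeError%` that accepted new properties would be a shared object that otherwise unrelated code could write to and read from; freezing it removes that shared state, which is why the audit checks extensibility and not only the function's behaviour.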
2999 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
3000
3001         [ECMA-402] Intl.DateTimeFormat dateStyle/timeStyle missing in WebKit
3002         https://bugs.webkit.org/show_bug.cgi?id=209776
3003
3004         Reviewed by Darin Adler and Ross Kirsling.
3005
3006         This patch implements Intl.DateTimeFormat dateStyle and timeStyle options. When they are specified,
3007         we query ICU for the best date-time format with these options instead of configuring each date-time
3008         format individually.
3009
3010         ECMA402 requires enforcement of the hourCycle specified in the options even if ICU ignores it.
3011         So, after getting the appropriate pattern from ICU, we modify this pattern and re-create UDateFormat
3012         from the modified pattern.
3013
3014         * builtins/DatePrototype.js:
3015         (toLocaleString.toDateTimeOptionsAnyAll):
3016         (toLocaleString):
3017         (toLocaleDateString.toDateTimeOptionsDateDate):
3018         (toLocaleDateString):
3019         (toLocaleTimeString.toDateTimeOptionsTimeTime):
3020         (toLocaleTimeString):
3021         * runtime/CommonIdentifiers.h:
3022         * runtime/IntlDateTimeFormat.cpp:
3023         (JSC::toDateTimeOptionsAnyDate):
3024         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3025         (JSC::IntlDateTimeFormat::formatStyleString):
3026         (JSC::IntlDateTimeFormat::resolvedOptions const):
3027         * runtime/IntlDateTimeFormat.h:
3028
3029 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
3030
3031         [ECMA-402] Implement Intl.DateTimeFormat.prototype.formatRange
3032         https://bugs.webkit.org/show_bug.cgi?id=209778
3033
3034         Reviewed by Ross Kirsling.
3035
3036         This patch adds Intl.DateTimeFormat#formatRange. It takes two dates and
3037         generates formatted text which represents the interval between these two dates.
3038         We skip the implementation of Intl.DateTimeFormat#formatRangeToParts since
3039         the ICU udtitvfmt_formatToResult API has not reached a stable state yet. We retrieve
3040         the pattern from UDateFormat, get the skeleton from that pattern, and construct
3041         UDateIntervalFormat from this skeleton.
3042
3043         * runtime/IntlDateTimeFormat.cpp:
3044         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3045         (JSC::IntlDateTimeFormat::createDateIntervalFormatIfNecessary):
3046         (JSC::IntlDateTimeFormat::formatRange):
3047         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator() const): Deleted.
3048         * runtime/IntlDateTimeFormat.h:
3049         * runtime/IntlDateTimeFormatPrototype.cpp:
3050         (JSC::IntlDateTimeFormatPrototypeFuncFormatRange):
3051
3052 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
3053
3054         [JSC] Add Intl.Segmenter
3055         https://bugs.webkit.org/show_bug.cgi?id=213638
3056
3057         Reviewed by Ross Kirsling.
3058
3059         This patch implements Intl.Segmenter[1]. Intl.Segmenter offers access to ICU break iterator feature, which can break strings into grapheme cluster / words / sentences.
3060
3061         [1]: https://github.com/tc39/proposal-intl-segmenter
3062
3063         * CMakeLists.txt:
3064         * DerivedSources-input.xcfilelist:
3065         * DerivedSources-output.xcfilelist:
3066         * DerivedSources.make:
3067         * JavaScriptCore.xcodeproj/project.pbxproj:
3068         * Sources.txt:
3069         * runtime/CommonIdentifiers.h:
3070         * runtime/IntlObject.cpp:
3071         (JSC::createSegmenterConstructor):
3072         (JSC::IntlObject::finishCreation):
3073         (JSC::intlSegmenterAvailableLocales):
3074         * runtime/IntlObject.h:
3075         * runtime/IntlSegmentIterator.cpp: Added.
3076         (JSC::IntlSegmentIterator::create):
3077         (JSC::IntlSegmentIterator::createStructure):
3078         (JSC::IntlSegmentIterator::IntlSegmentIterator):
3079         (JSC::IntlSegmentIterator::finishCreation):
3080         (JSC::IntlSegmentIterator::visitChildren):
3081         (JSC::IntlSegmentIterator::next):
3082         * runtime/IntlSegmentIterator.h: Added.
3083         * runtime/IntlSegmentIteratorPrototype.cpp: Added.
3084         (JSC::IntlSegmentIteratorPrototype::create):
3085         (JSC::IntlSegmentIteratorPrototype::createStructure):
3086         (JSC::IntlSegmentIteratorPrototype::IntlSegmentIteratorPrototype):
3087         (JSC::IntlSegmentIteratorPrototype::finishCreation):
3088         (JSC::IntlSegmentIteratorPrototypeFuncNext):
3089         * runtime/IntlSegmentIteratorPrototype.h: Added.
3090         * runtime/IntlSegmenter.cpp: Added.
3091         (JSC::IntlSegmenter::create):
3092         (JSC::IntlSegmenter::createStructure):
3093         (JSC::IntlSegmenter::IntlSegmenter):
3094         (JSC::IntlSegmenter::finishCreation):
3095         (JSC::IntlSegmenter::initializeSegmenter):
3096         (JSC::IntlSegmenter::segment const):
3097         (JSC::IntlSegmenter::resolvedOptions const):
3098         (JSC::IntlSegmenter::granularityString):
3099         (JSC::IntlSegmenter::createSegmentDataObject):
3100         * runtime/IntlSegmenter.h: Added.
3101         * runtime/IntlSegmenterConstructor.cpp: Added.
3102         (JSC::IntlSegmenterConstructor::create):
3103         (JSC::IntlSegmenterConstructor::createStructure):
3104         (JSC::IntlSegmenterConstructor::IntlSegmenterConstructor):
3105         (JSC::IntlSegmenterConstructor::finishCreation):
3106         (JSC::constructIntlSegmenter):
3107         (JSC::callIntlSegmenter):
3108         (JSC::IntlSegmenterConstructorSupportedLocalesOf):
3109         * runtime/IntlSegmenterConstructor.h: Added.
3110         * runtime/IntlSegmenterPrototype.cpp: Added.
3111         (JSC::IntlSegmenterPrototype::create):
3112         (JSC::IntlSegmenterPrototype::createStructure):
3113         (JSC::IntlSegmenterPrototype::IntlSegmenterPrototype):
3114         (JSC::IntlSegmenterPrototype::finishCreation):
3115         (JSC::IntlSegmenterPrototypeFuncSegment):
3116         (JSC::IntlSegmenterPrototypeFuncResolvedOptions):
3117         * runtime/IntlSegmenterPrototype.h: Added.
3118         * runtime/IntlSegments.cpp: Added.
3119         (JSC::IntlSegments::create):
3120         (JSC::IntlSegments::createStructure):
3121         (JSC::IntlSegments::IntlSegments):
3122         (JSC::IntlSegments::finishCreation):
3123         (JSC::IntlSegments::containing):
3124         (JSC::IntlSegments::createSegmentIterator):
3125         (JSC::IntlSegments::visitChildren):
3126         * runtime/IntlSegments.h: Added.
3127         * runtime/IntlSegmentsPrototype.cpp: Added.
3128         (JSC::IntlSegmentsPrototype::create):
3129         (JSC::IntlSegmentsPrototype::createStructure):
3130         (JSC::IntlSegmentsPrototype::IntlSegmentsPrototype):
3131         (JSC::IntlSegmentsPrototype::finishCreation):
3132         (JSC::IntlSegmentsPrototypeFuncContaining):
3133         (JSC::IntlSegmentsPrototypeFuncIterator):
3134         * runtime/IntlSegmentsPrototype.h: Added.
3135         * runtime/JSGlobalObject.cpp:
3136         (JSC::JSGlobalObject::init):
3137         (JSC::JSGlobalObject::visitChildren):
3138         * runtime/JSGlobalObject.h:
3139         (JSC::JSGlobalObject::segmentIteratorStructure):
3140         (JSC::JSGlobalObject::segmenterStructure):
3141         (JSC::JSGlobalObject::segmentsStructure):
3142         * runtime/OptionsList.h:
3143         * runtime/VM.cpp:
3144         (JSC::VM::VM):
3145         * runtime/VM.h:
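
Added example (not JavaScriptCore code) exercising the Intl.Segmenter API described in this entry: grapheme, word and sentence segmentation plus Segments.prototype.containing(). It assumes an engine that ships Intl.Segmenter; the sample strings are constructed.

```javascript
// Added example (not JavaScriptCore code): exercising the Intl.Segmenter API
// described above. Requires an engine that ships Intl.Segmenter (ICU-backed).
if (typeof Intl.Segmenter !== "function") {
  throw new Error("Intl.Segmenter is not available in this engine");
}

// Split `text` at the given granularity ("grapheme", "word" or "sentence")
// and return the segment strings in order.
function segmentsOf(text, granularity, locale = "en") {
  const segmenter = new Intl.Segmenter(locale, { granularity });
  return Array.from(segmenter.segment(text), (s) => s.segment);
}

// Word segmentation also yields punctuation and whitespace segments; the
// `isWordLike` flag separates real words from those separators.
function wordsOf(text, locale = "en") {
  const segmenter = new Intl.Segmenter(locale, { granularity: "word" });
  return Array.from(segmenter.segment(text))
    .filter((s) => s.isWordLike)
    .map((s) => s.segment);
}

// Count user-perceived characters. `String.prototype.length` counts UTF-16
// code units, so combining marks and emoji sequences make the two disagree,
// which matters for any length-based input validation.
function graphemeCount(text, locale = "en") {
  return segmentsOf(text, "grapheme", locale).length;
}

// Segments.prototype.containing(index) returns the segment that covers a
// given code-unit offset (or undefined when the index is out of range).
function wordContaining(text, index, locale = "en") {
  const segmenter = new Intl.Segmenter(locale, { granularity: "word" });
  return segmenter.segment(text).containing(index);
}

// Constructed sample inputs.
console.log("e\u0301".length, graphemeCount("e\u0301"));                         // 2 1
console.log("\u{1F44D}\u{1F3FD}".length, graphemeCount("\u{1F44D}\u{1F3FD}"));   // 4 1
console.log(wordsOf("Hello, world!"));                                           // [ 'Hello', 'world' ]
console.log(segmentsOf("Hi there. How are you?", "sentence"));                   // two sentences
console.log(wordContaining("Hello, world!", 8).segment);                         // world
```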
3146
3147 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
3148
3149         [ECMA-402] Implement unified Intl.NumberFormat
3150         https://bugs.webkit.org/show_bug.cgi?id=209774
3151
3152         Reviewed by Ross Kirsling and Darin Adler.
3153
3154         This patch implements the updated Intl.NumberFormat. This update was proposed in [1], and integrated into the ECMA-402 spec.
3155         This patch adds support for features missing from the previous Intl.NumberFormat implementation, adding "unit", "unitDisplay",
3156         "signDisplay", "notation", and "currencySign". Intl.NumberFormat can now handle "unit" etc.
3157
3158         To support the new features, we need to use UNumberFormatter, which is available since ICU 64 (while it is offered in ICU 62, some
3159         critical parts were added in 64 too). So, we keep the old UNumberFormat-based implementation, which is used for [60, 64), since WebKit
3160         currently supports ICU 60. The old implementation does not support the new features. If ICU is 64 or later, Intl.NumberFormat starts using
3161         UNumberFormatter, and implements all the specified features.
3162
3163         [1]: https://github.com/tc39/proposal-unified-intl-numberformat
3164
3165         * JavaScriptCore.xcodeproj/project.pbxproj:
3166         * runtime/IntlCollator.cpp:
3167         (JSC::IntlCollator::UCollatorDeleter::operator() const): Deleted.
3168         * runtime/IntlCollator.h:
3169         * runtime/IntlDateTimeFormat.cpp:
3170         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator() const): Deleted.
3171         * runtime/IntlDateTimeFormat.h:
3172         * runtime/IntlNumberFormat.cpp:
3173         (JSC::computeCurrencyDigits):
3174         (JSC::sanctionedSimpleUnitIdentifier):
3175         (JSC::WellFormedUnit::WellFormedUnit):
3176         (JSC::wellFormedUnitIdentifier):
3177         (JSC::IntlNumberFormat::initializeNumberFormat):
3178         (JSC::IntlNumberFormat::format const):
3179         (JSC::IntlNumberFormat::styleString):
3180         (JSC::IntlNumberFormat::currencyDisplayString):
3181         (JSC::IntlNumberFormat::notationString):
3182         (JSC::IntlNumberFormat::currencySignString):
3183         (JSC::IntlNumberFormat::unitDisplayString):
3184         (JSC::IntlNumberFormat::compactDisplayString):
3185         (JSC::IntlNumberFormat::signDisplayString):
3186         (JSC::IntlNumberFormat::resolvedOptions const):
3187         (JSC::partTypeString):
3188         (JSC::IntlNumberFormat::formatToPartsInternal):
3189         (JSC::IntlNumberFormat::formatToParts const):
3190         (JSC::IntlNumberFormat::UNumberFormatDeleter::operator() const): Deleted.
3191         * runtime/IntlNumberFormat.h:
3192         * runtime/IntlNumberFormatInlines.h: Added.
3193         (JSC::setNumberFormatDigitOptions):
3194         (JSC::IntlFieldIterator::IntlFieldIterator):
3195         (JSC::IntlFieldIterator::next):
3196         * runtime/IntlPluralRules.cpp:
3197         (JSC::IntlPluralRules::initializePluralRules):
3198         (JSC::IntlPluralRules::resolvedOptions const):
3199         (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const): Deleted.
3200         (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const): Deleted.
3201         (JSC::UEnumerationDeleter::operator() const): Deleted.
3202         * runtime/IntlPluralRules.h:
3203         * runtime/IntlRelativeTimeFormat.cpp:
3204         (JSC::IntlRelativeTimeFormat::formatToParts const):
3205         (JSC::IntlRelativeTimeFormat::URelativeDateTimeFormatterDeleter::operator() const): Deleted.
3206         (JSC::IntlRelativeTimeFormat::UNumberFormatDeleter::operator() const): Deleted.
3207         * runtime/IntlRelativeTimeFormat.h:
3208         * tools/JSDollarVM.cpp:
3209         (JSC::functionICUVersion):
3210
3211 2020-08-21  Yusuke Suzuki  <ysuzuki@apple.com>
3212
3213         Console object's @@toStringTag should be "console" instead of "Console"
3214         https://bugs.webkit.org/show_bug.cgi?id=215750
3215
3216         Reviewed by Ross Kirsling.
3217
3218         Use "console" instead of "Console". Now, the namespace object has @@toStringTag.
3219         https://github.com/web-platform-tests/wpt/pull/24717
3220
3221         * runtime/ConsoleObject.cpp:
3222
3223 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
3224
3225         [JSC] Enable Intl.DisplayNames
3226         https://bugs.webkit.org/show_bug.cgi?id=215749
3227
3228         Reviewed by Ross Kirsling.
3229
3230         Enable Intl.DisplayNames by default. This is already stage 4 and integrated into the spec.
3231
3232         * runtime/IntlObject.cpp:
3233         (JSC::IntlObject::finishCreation):
3234         * runtime/OptionsList.h:
3235
3236 2020-08-21  Alexey Shvayka  <shvaikalesh@gmail.com>
3237
3238         StrictEq should not care about masqueradesAsUndefinedWatchpoint
3239         https://bugs.webkit.org/show_bug.cgi?id=215743
3240
3241         Reviewed by Yusuke Suzuki.
3242
3243         This patch removes masqueradesAsUndefinedWatchpoint handling for StrictEq
3244         from fixupCompareStrictEqAndSameValue(), aligning it with SameValue.
3245
3246         According to the spec [1], only a few language constructs special-case
3247         [[IsHTMLDDA]] objects: ToBoolean, abstract equality, and `typeof`.
3248
3249         No behavior change.
3250
3251         [1]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot
3252
3253         * dfg/DFGFixupPhase.cpp:
3254         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
3255
3256 2020-08-21  Commit Queue  <commit-queue@webkit.org>
3257
3258         Unreviewed, reverting r265965.
3259         https://bugs.webkit.org/show_bug.cgi?id=215744
3260
3261         getCallData can be called from DFG concurrent compiler, but it
3262         is not safe in DOM PluginObject
3263
3264         Reverted changeset:
3265
3266         "Use jsTypeofIsObject() in DFG AI and
3267         operationTypeOfIsObject()"
3268         https://bugs.webkit.org/show_bug.cgi?id=144457
3269         https://trac.webkit.org/changeset/265965
3270
3271 2020-08-21  Alexey Shvayka  <shvaikalesh@gmail.com>
3272
3273         Align "length" properties of function prototypes with the spec
3274         https://bugs.webkit.org/show_bug.cgi?id=215716
3275
3276         Reviewed by Ross Kirsling.
3277
3278         This change defines Function.prototype.length [1] as [[Configurable]] and
3279         removes "length" properties from other (async/generator) function prototypes
3280         that are ordinary non-callable objects [2], aligning JSC with V8 and SpiderMonkey.
3281
3282         Also, adds inherits() ASSERT in FunctionPrototype::finishCreation()
3283         to match (most of) the other built-ins.
3284
3285         [1]: https://tc39.es/ecma262/#sec-properties-of-the-function-prototype-object
3286         [2]: https://tc39.es/ecma262/#sec-async-function-prototype-properties
3287
3288         * runtime/AsyncFunctionPrototype.cpp:
3289         (JSC::AsyncFunctionPrototype::finishCreation):
3290         * runtime/AsyncGeneratorFunctionPrototype.cpp:
3291         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
3292         * runtime/FunctionPrototype.cpp:
3293         (JSC::FunctionPrototype::finishCreation):
3294         * runtime/GeneratorFunctionPrototype.cpp:
3295         (JSC::GeneratorFunctionPrototype::finishCreation):
3296
3297 2020-08-21  Alexey Shvayka  <shvaikalesh@gmail.com>
3298
3299         Define Intl[Symbol.toStringTag]
3300         https://bugs.webkit.org/show_bug.cgi?id=215715
3301
3302         Reviewed by Ross Kirsling.
3303
3304         This patch utilizes JSC_TO_STRING_TAG_WITHOUT_TRANSITION() to define Symbol.toStringTag
3305         on Intl namespace object, implementing the recent spec change [1] and aligning JSC with V8.
3306         Also, adds inherits() ASSERT to match (most of) the other built-ins.
3307
3308         [1]: https://github.com/tc39/ecma402/pull/487
3309
3310         * runtime/IntlObject.cpp:
3311         (JSC::IntlObject::finishCreation):
3312
3313 2020-08-21  Alexey Shvayka  <shvaikalesh@gmail.com>
3314
3315         Function.prototype.bind should not clamp "length" to int32
3316         https://bugs.webkit.org/show_bug.cgi?id=215733
3317
3318         Reviewed by Darin Adler.
3319
3320         This patch fixes the to-integer conversion of the target function's "length" values
3321         beyond UINT_MAX, aligning JSC with the spec [1], V8 and SpiderMonkey.
3322
3323         `double` is used instead of `uint64_t` to retain semantics of JS Number type [2]
3324         and hold Infinity values. To avoid spreading `double length` over JSFunction::create()
3325         and its subclasses, JSBoundFunction is modified to use JSFunction::finishCreation(VM&)
3326         overload, removing 2 unused arguments and speeding up bound function creation by ~9%.
3327
3328         [1]: https://tc39.es/ecma262/#sec-function.prototype.bind (step 6.c.i)
3329         [2]: https://tc39.es/ecma262/#sec-ecmascript-language-types-number-type
3330
3331         * builtins/FunctionPrototype.js:
3332         (bind):
3333         * runtime/JSBoundFunction.cpp:
3334         (JSC::JSBoundFunction::create):
3335         (JSC::JSBoundFunction::JSBoundFunction):
3336         (JSC::JSBoundFunction::finishCreation):
3337         * runtime/JSBoundFunction.h:
3338         * runtime/JSFunction.cpp:
3339         (JSC::JSFunction::finishCreation):
3340         (JSC::JSFunction::reifyLength):
3341         * runtime/JSGlobalObject.cpp:
3342         (JSC::makeBoundFunction):
3343
3344 2020-08-20  Saam Barati  <sbarati@apple.com>
3345
3346         Replace IC on Proxy must write barrier Proxy's target
3347         https://bugs.webkit.org/show_bug.cgi?id=215720
3348
3349         Reviewed by Yusuke Suzuki.
3350
3351         The put_by_id opcode in the baseline and the DFG/FTL will emit a writeBarrier
3352         after the operation is complete. But it does this to the base object. In the
3353         case of an IC with the base as a Proxy, we're not actually storing to the Proxy, but
3354         instead, the Proxy's target. This patch makes it so our IC code writeBarriers
3355         the Proxy's target. This fixed a crash when running Speedometer2.
3356
3357         * bytecode/AccessCase.cpp:
3358         (JSC::AccessCase::canReplace const):
3359         (JSC::AccessCase::generateImpl):
3360         * bytecode/PolymorphicAccess.cpp:
3361         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCallWithoutExceptions):
3362         * bytecode/PolymorphicAccess.h:
3363
3364 2020-08-20  Alexey Shvayka  <shvaikalesh@gmail.com>
3365
3366         Invalid early errors for class methods named "constructor" and "prototype"
3367         https://bugs.webkit.org/show_bug.cgi?id=215413
3368
3369         Reviewed by Darin Adler.
3370
3371         This change removes invalid early syntax errors, allowing static async/generator
3372         methods named "constructor" and instance async/generator methods named "prototype",
3373         which aligns JSC with the spec [1], V8, and SpiderMonkey.
3374
3375         Also, removes a FIXME related to super() calls outside constructor that was
3376         resolved in r181404 and is covered by test262 suite.
3377
3378         [1]: https://tc39.es/ecma262/#sec-class-definitions-static-semantics-early-errors
3379
3380         * parser/Parser.cpp:
3381         (JSC::Parser<LexerType>::parseClass):
3382
3383 2020-08-20  Alexey Shvayka  <shvaikalesh@gmail.com>
3384
3385         Use jsTypeofIsObject() in DFG AI and operationTypeOfIsObject()
3386         https://bugs.webkit.org/show_bug.cgi?id=144457
3387
3388         Reviewed by Saam Barati.
3389
3390         This patch:
3391
3392         1. Refactors jsTypeofIsObject(), leveraging fast path of isCallable(),
3393            moves it to the header, and utilizes it in DFG AI and
3394            operationTypeOfIsObject() to eliminate code duplication.
3395
3396         2. Splits jsTypeofIsFunction() into 2 methods to accommodate
3397            operationTypeOfIsFunction() calling it with JSObject* argument.
3398
3399         3. Removes orphaned slow_path_is_object declaration.
3400
3401         No behavior change, `typeof` microbenchmarks are neutral.
3402
3403         * dfg/DFGAbstractInterpreterInlines.h:
3404         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3405         * dfg/DFGOperations.cpp:
3406         * runtime/CommonSlowPaths.h:
3407         * runtime/Operations.cpp:
3408         (JSC::jsTypeofIsObject): Deleted.
3409         * runtime/Operations.h:
3410         (JSC::jsTypeofIsObject):
3411         (JSC::jsTypeofIsFunction):
3412
3413 2020-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
3414
3415         [JSC] Add Object.getOwnPropertyNames caching as it is done for Object.keys, and accelerate Object.getOwnPropertyDescriptor
3416         https://bugs.webkit.org/show_bug.cgi?id=215666
3417
3418         Reviewed by Saam Barati.
3419
3420         Object.getOwnPropertyNames is immutable for a Structure if the structure meets some conditions. And we have an optimization for Object.keys.
3421         This patch wires the existing caching mechanism for Object.keys to Object.getOwnPropertyNames so that Object.getOwnPropertyNames has
3422         full support of caching & inlined code in DFG / FTL.
3423
3424         We also pre-bake the structure for the result of Object.getOwnPropertyDescriptor so that we do not need to perform a hash table lookup every
3425         time we create an object for Object.getOwnPropertyDescriptor. This makes Object.getOwnPropertyDescriptor 2x faster in the microbenchmark.
3426
3427         The above two optimizations make Speedometer2/Inferno-TodoMVC 7% faster, and also optimize Speedometer2/EmberJS-Debug by 5%.
3428         In total, we can get a 0.7 - 1.0% progression in Speedometer2.
3429
3430         * dfg/DFGAbstractInterpreterInlines.h:
3431         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3432         * dfg/DFGByteCodeParser.cpp:
3433         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3434         * dfg/DFGClobberize.h:
3435         (JSC::DFG::clobberize):
3436         * dfg/DFGConstantFoldingPhase.cpp:
3437         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3438         * dfg/DFGDoesGC.cpp:
3439         (JSC::DFG::doesGC):
3440         * dfg/DFGFixupPhase.cpp:
3441         (JSC::DFG::FixupPhase::fixupNode):
3442         * dfg/DFGNodeType.h:
3443         * dfg/DFGOperations.cpp:
3444         * dfg/DFGOperations.h:
3445         * dfg/DFGPredictionPropagationPhase.cpp:
3446         * dfg/DFGSafeToExecute.h:
3447         (JSC::DFG::safeToExecute):
3448         * dfg/DFGSpeculativeJIT.cpp:
3449         (JSC::DFG::SpeculativeJIT::compileObjectKeysOrObjectGetOwnPropertyNames):
3450         (JSC::DFG::SpeculativeJIT::compileObjectKeys): Deleted.
3451         * dfg/DFGSpeculativeJIT.h:
3452         * dfg/DFGSpeculativeJIT32_64.cpp:
3453         (JSC::DFG::SpeculativeJIT::compile):
3454         * dfg/DFGSpeculativeJIT64.cpp:
3455         (JSC::DFG::SpeculativeJIT::compile):
3456         * ftl/FTLAbstractHeapRepository.h:
3457         * ftl/FTLCapabilities.cpp:
3458         (JSC::FTL::canCompile):
3459         * ftl/FTLLowerDFGToB3.cpp:
3460         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3461         (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeysOrObjectGetOwnPropertyNames):
3462         (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys): Deleted.
3463         * runtime/Intrinsic.cpp:
3464         (JSC::intrinsicName):
3465         * runtime/Intrinsic.h:
3466         * runtime/IteratorOperations.cpp:
3467         * runtime/JSGlobalObject.cpp:
3468         (JSC::JSGlobalObject::init):
3469         (JSC::JSGlobalObject::visitChildren):
3470         * runtime/JSGlobalObject.h:
3471         (JSC::JSGlobalObject::dataPropertyDescriptorObjectStructure const):
3472         (JSC::JSGlobalObject::accessorPropertyDescriptorObjectStructure const):
3473         * runtime/JSGlobalObjectFunctions.cpp:
3474         (JSC::globalFuncOwnKeys):
3475         * runtime/ObjectConstructor.cpp:
3476         (JSC::objectConstructorGetOwnPropertyNames):
3477         (JSC::objectConstructorGetOwnPropertySymbols):
3478         (JSC::objectConstructorKeys):
3479         (JSC::ownPropertyKeys):
3480         (JSC::constructObjectFromPropertyDescriptorSlow):
3481         * runtime/ObjectConstructor.h:
3482         (JSC::createDataPropertyDescriptorObjectStructure):
3483         (JSC::createAccessorPropertyDescriptorObjectStructure):
3484         (JSC::constructObjectFromPropertyDescriptor):
3485         * runtime/ReflectObject.cpp:
3486         (JSC::reflectObjectOwnKeys):
3487         * runtime/Structure.cpp:
3488         (JSC::Structure::canCachePropertyNameEnumerator const):
3489         * runtime/Structure.h:
3490         * runtime/StructureInlines.h:
3491         (JSC::Structure::setCachedPropertyNames):
3492         (JSC::Structure::cachedPropertyNames const):
3493         (JSC::Structure::cachedPropertyNamesIgnoringSentinel const):
3494         (JSC::Structure::canCacheOwnPropertyNames const):
3495         (JSC::Structure::setCachedOwnKeys): Deleted.
3496         (JSC::Structure::cachedOwnKeys const): Deleted.
3497         (JSC::Structure::cachedOwnKeysIgnoringSentinel const): Deleted.
3498         (JSC::Structure::canCacheOwnKeys const): Deleted.
3499         * runtime/StructureRareData.cpp:
3500         (JSC::StructureRareData::visitChildren):
3501         * runtime/StructureRareData.h:
3502         * runtime/StructureRareDataInlines.h:
3503         (JSC::StructureRareData::cachedPropertyNames const):
3504         (JSC::StructureRareData::cachedPropertyNamesIgnoringSentinel const):
3505         (JSC::StructureRareData::cachedPropertyNamesConcurrently const):
3506         (JSC::StructureRareData::setCachedPropertyNames):
3507         (JSC::StructureRareData::cachedOwnKeys const): Deleted.
3508         (JSC::StructureRareData::cachedOwnKeysIgnoringSentinel const): Deleted.
3509         (JSC::StructureRareData::cachedOwnKeysConcurrently const): Deleted.
3510         (JSC::StructureRareData::setCachedOwnKeys): Deleted.
3511
3512 2020-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
3513
3514         Introduce OpIsCallable bytecode and intrinsic
3515         https://bugs.webkit.org/show_bug.cgi?id=215572
3516
3517         Reviewed by Ross Kirsling and Saam Barati.
3518
3519         This patch:
3520
3521         1. Aligns slow_path_is_function with DFG/FTL implementations by introducing
3522            jsTypeofIsFunction() helper. This fixes `typeof document.all === "function"`
3523            to return `false` instead of `true`.
3524
3525         2. Renames is_function bytecode op to typeof_is_function, aligning it with
3526            typeof_is_undefined and typeof_is_object. New name offers better semantics
3527            and clearly communicates the op should be avoided when implementing new
3528            features because of `typeof` behavior with [[IsHTMLDDA]] objects [1].
3529
3530         3. Adds is_callable bytecode op and utilizes it in built-ins via intrinsic,
3531            removing `typeof callback === "function"` checks. This prevents [[IsHTMLDDA]]
3532            objects from being considered non-callable [2].
3533
3534            To preserve the fast path for JSFunctionType,
3535            createFunctionThatMasqueradesAsUndefined() is relocated to InternalFunction.
3536
3537         `typeof` microbenchmarks are neutral.
3538
3539         [1]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot-typeof
3540         [2]: https://tc39.es/ecma262/#sec-array.prototype.map (step 3)
3541
3542         * builtins/ArrayConstructor.js:
3543         * builtins/ArrayPrototype.js:
3544         (reduce):
3545         (reduceRight):
3546         (every):
3547         (forEach):
3548         (filter):
3549         (map):
3550         (some):
3551         (find):
3552         (findIndex):
3553         (sort):
3554         (flatMap):
3555         * builtins/FunctionPrototype.js:
3556         (overriddenName.string_appeared_here.symbolHasInstance):
3557         (bind):
3558         * builtins/MapPrototype.js:
3559         (forEach):
3560         * builtins/PromiseConstructor.js:
3561         (all):
3562         (allSettled):
3563         (any):
3564         (race):
3565         (nakedConstructor.Promise):
3566         (nakedConstructor.InternalPromise):
3567         * builtins/PromiseOperations.js:
3568         (globalPrivate.newPromiseCapabilitySlow):
3569         (globalPrivate.resolvePromise):
3570         (globalPrivate.resolveWithoutPromise):
3571         * builtins/PromisePrototype.js:
3572         (finally):
3573         (globalPrivate.getThenFinally):
3574         (globalPrivate.getCatchFinally):
3575         * builtins/ReflectObject.js:
3576         (apply):
3577         * builtins/RegExpPrototype.js:
3578         (globalPrivate.regExpExec):
3579         (overriddenName.string_appeared_here.replace):
3580         * builtins/SetPrototype.js:
3581         (forEach):
3582         * builtins/TypedArrayConstructor.js:
3583         * builtins/TypedArrayPrototype.js:
3584         (every):
3585         (find):
3586         (findIndex):
3587         (forEach):
3588         (some):
3589         (sort):
3590         (reduce):
3591         (reduceRight):
3592         (map):
3593         (filter):
3594         * bytecode/BytecodeIntrinsicRegistry.h:
3595         * bytecode/BytecodeList.rb:
3596         * bytecode/BytecodeUseDef.cpp:
3597         (JSC::computeUsesForBytecodeIndexImpl):
3598         (JSC::computeDefsForBytecodeIndexImpl):
3599         * bytecompiler/BytecodeGenerator.cpp:
3600         (JSC::BytecodeGenerator::emitEqualityOpImpl):
3601         (JSC::BytecodeGenerator::emitIsCallable):
3602         * bytecompiler/BytecodeGenerator.h:
3603         * bytecompiler/NodesCodegen.cpp:
3604         * dfg/DFGAbstractInterpreterInlines.h:
3605         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3606         * dfg/DFGByteCodeParser.cpp:
3607         (JSC::DFG::ByteCodeParser::parseBlock):
3608         * dfg/DFGCapabilities.cpp:
3609         (JSC::DFG::capabilityLevel):
3610         * dfg/DFGClobberize.h:
3611         (JSC::DFG::clobberize):
3612         * dfg/DFGDoesGC.cpp:
3613         (JSC::DFG::doesGC):
3614         * dfg/DFGFixupPhase.cpp:
3615         (JSC::DFG::FixupPhase::fixupNode):
3616         * dfg/DFGHeapLocation.cpp:
3617         (WTF::printInternal):
3618         * dfg/DFGHeapLocation.h:
3619         * dfg/DFGNodeType.h:
3620         * dfg/DFGOperations.cpp:
3621         * dfg/DFGOperations.h:
3622         * dfg/DFGPredictionPropagationPhase.cpp:
3623         * dfg/DFGSafeToExecute.h:
3624         (JSC::DFG::safeToExecute):
3625         * dfg/DFGSpeculativeJIT.cpp:
3626         (JSC::DFG::SpeculativeJIT::compileIsCallable):
3627         (JSC::DFG::SpeculativeJIT::compileIsFunction): Deleted.
3628         * dfg/DFGSpeculativeJIT.h:
3629         * dfg/DFGSpeculativeJIT32_64.cpp:
3630         (JSC::DFG::SpeculativeJIT::compile):
3631         * dfg/DFGSpeculativeJIT64.cpp:
3632         (JSC::DFG::SpeculativeJIT::compile):
3633         * ftl/FTLCapabilities.cpp:
3634         (JSC::FTL::canCompile):
3635         * ftl/FTLLowerDFGToB3.cpp:
3636         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3637         (JSC::FTL::DFG::LowerDFGToB3::compileIsCallable):
3638         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction): Deleted.
3639         * jit/JIT.cpp:
3640         (JSC::JIT::privateCompileMainPass):
3641         * jit/JITOperations.h:
3642         * jsc.cpp:
3643         (functionMakeMasquerader):
3644         * llint/LowLevelInterpreter.asm:
3645         * runtime/CommonSlowPaths.cpp:
3646         (JSC::SLOW_PATH_DECL):
3647         * runtime/CommonSlowPaths.h:
3648         * runtime/InternalFunction.cpp:
3649         (JSC::InternalFunction::createFunctionThatMasqueradesAsUndefined):
3650         * runtime/InternalFunction.h:
3651         * runtime/JSFunction.cpp:
3652         (JSC::JSFunction::createFunctionThatMasqueradesAsUndefined): Deleted.
3653         * runtime/JSFunction.h:
3654         * runtime/Operations.h:
3655         (JSC::jsTypeofIsFunction):
3656
3657 2020-08-19  Saam Barati  <sbarati@apple.com>
3658
3659         REGRESSION (r265775): DFG ASSERTION FAILED: AI-clobberize disagreement; AI says FoldedClobber while clobberize says (Direct:[], Super:[])
3660         https://bugs.webkit.org/show_bug.cgi?id=215639
3661         <rdar://problem/67376432>
3662
3663         Reviewed by Robin Morisset.
3664
3665         * dfg/DFGAbstractInterpreterInlines.h:
3666         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3667
3668 2020-08-19  Tadeu Zagallo  <tzagallo@apple.com>
3669
3670         B3 IntRange is incorrect for negative masks
3671         https://bugs.webkit.org/show_bug.cgi?id=215536
3672         <rdar://problem/67130430>
3673
3674         Reviewed by Michael Saboff and Robin Morisset.
3675
3676         In the B3 ReduceStrength phase, we compute rangeForMask as (0, mask).  This is correct for
3677         positive values, but incorrect when negative. To fix it, we use `(INT_MIN & mask, INT_MAX & mask)`
3678         as the range for negative masks.
3679
3680         * b3/B3ReduceStrength.cpp:
3681         * b3/testb3.h:
3682         * b3/testb3_1.cpp:
3683         (run):
3684         * b3/testb3_5.cpp:
3685         (testCheckSubBitAnd):
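
Added example (not JavaScriptCore or B3 code) that replays the rangeForMask reasoning from this entry on int32 values: the pre-fix (0, mask) rule beside the corrected (INT_MIN & mask, INT_MAX & mask) rule, each checked by brute force against constructed samples. JavaScript bitwise operators already work on int32, so `x & mask` here behaves like a B3 Int32 BitAnd.

```javascript
// Added example (not JavaScriptCore code): the rangeForMask reasoning from the
// entry above, checked on int32 values.
const INT_MIN = -2147483648;
const INT_MAX = 2147483647;

// The pre-fix rule: the result of `x & mask` lies in [0, mask]. For a negative
// mask this "range" has min > max and excludes every negative result.
function oldRangeForMask(mask) {
  return { min: 0, max: mask | 0 };
}

// The fixed rule: keep [0, mask] for non-negative masks and use
// [INT_MIN & mask, INT_MAX & mask] when the mask is negative.
function rangeForMask(mask) {
  mask |= 0;
  if (mask >= 0) return { min: 0, max: mask };
  return { min: (INT_MIN & mask) | 0, max: (INT_MAX & mask) | 0 };
}

// Brute-force check: does `x & mask` stay inside the claimed range for every
// sample? Returns the first counterexample, or { ok: true, range }.
function checkRange(mask, rangeFn, samples) {
  const range = rangeFn(mask);
  for (const x of samples) {
    const v = (x & mask) | 0;
    if (v < range.min || v > range.max) return { ok: false, x, value: v, range };
  }
  return { ok: true, range };
}

// Constructed sample inputs covering both sign extremes.
const SAMPLES = [INT_MIN, INT_MIN + 1, -0x7fff0000, -256, -2, -1, 0, 1, 255, 256,
                 0x7fff0000, INT_MAX - 1, INT_MAX];

// A wrong range is dangerous in an optimizing compiler: a later pass that trusts
// "x & -256 >= 0" could remove a bounds check the runtime actually needs.
console.log(checkRange(0xff, oldRangeForMask, SAMPLES)); // { ok: true, range: { min: 0, max: 255 } }
console.log(checkRange(-256, oldRangeForMask, SAMPLES)); // { ok: false, x: -2147483648, ... }
console.log(checkRange(-256, rangeForMask, SAMPLES));    // { ok: true, range: { min: -2147483648, max: 2147483392 } }
console.log(rangeForMask(INT_MIN));                      // { min: -2147483648, max: 0 }
```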
3686
3687 2020-08-18  Saam Barati  <sbarati@apple.com>
3688
3689         Update byte offsets in JSString.h comment
3690         https://bugs.webkit.org/show_bug.cgi?id=215621
3691
3692         Reviewed by Yusuke Suzuki.
3693
3694         * runtime/JSString.h:
3695
3696 2020-08-17  Saam Barati  <sbarati@apple.com>
3697
3698         Have an OOB+SaneChain Array::Speculation
3699         https://bugs.webkit.org/show_bug.cgi?id=215487
3700
3701         Reviewed by Yusuke Suzuki.
3702
3703         This patch adds a new ArrayMode speculation in the DFG/FTL called OutOfBoundsSaneChain.
3704         It allows us to do fast things when we go OOB, like simply return undefined.
3705         This is because we install watchpoints on the prototype chain to ensure they
3706         have no indexed properties. This patch implements OutOfBoundsSaneChain on
3707         GetByVal over Int32/Double/Contiguous original JS arrays. We can extend it in
3708         the future to non-original JS arrays if we prove their prototype is Array.prototype.
3709         To implement this properly, we also need to ensure that the index isn't negative,
3710         as Array.prototype/Object.prototype may have negative indexed accessors. We
3711         do this via speculation, and if we ever recompile, and see an exit because of
3712         this, we will stop speculating OutOfBoundsSaneChain.
3713
3714         This is about 20% faster on crypto-md5-SP. And ~3-4x faster on the
3715         microbenchmarks I created.
3716
3717         * dfg/DFGAbstractInterpreterInlines.h:
3718         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3719         * dfg/DFGArrayMode.cpp:
3720         (JSC::DFG::ArrayMode::refine const):
3721         (JSC::DFG::arraySpeculationToString):
3722         * dfg/DFGArrayMode.h:
3723         (JSC::DFG::ArrayMode::isInBoundsSaneChain const):
3724         (JSC::DFG::ArrayMode::isOutOfBoundsSaneChain const):
3725         (JSC::DFG::ArrayMode::isOutOfBounds const):
3726         (JSC::DFG::ArrayMode::isEffectfulOutOfBounds const):
3727         (JSC::DFG::ArrayMode::isInBounds const):
3728         (JSC::DFG::ArrayMode::isSaneChain const): Deleted.
3729         * dfg/DFGCSEPhase.cpp:
3730         * dfg/DFGClobberize.h:
3731         (JSC::DFG::clobberize):
3732         * dfg/DFGFixupPhase.cpp:
3733         (JSC::DFG::FixupPhase::fixupNode):
3734         (JSC::DFG::FixupPhase::checkArray):
3735         (JSC::DFG::FixupPhase::setSaneChainIfPossible):
3736         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
3737         * dfg/DFGSpeculativeJIT.cpp:
3738         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3739         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
3740         * dfg/DFGSpeculativeJIT32_64.cpp:
3741         (JSC::DFG::SpeculativeJIT::compile):
3742         * dfg/DFGSpeculativeJIT64.cpp:
3743         (JSC::DFG::SpeculativeJIT::compile):
3744         * dfg/DFGValidate.cpp:
3745         * ftl/FTLLowerDFGToB3.cpp:
3746         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3747         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
3748         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
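
The fast path described in this entry is only sound under two conditions: no object on the array's prototype chain has indexed properties, and the index is not negative. The JavaScript below, added here as an illustration and not part of the ChangeLog entry or of JSC itself, models those two conditions against the real semantics of `arr[index]`. The names `getByValModel`, `prototypeChainHasIndexedProperties` and `buildScenarios`, and the locally constructed prototypes, are hypothetical and not engine APIs.

```javascript
// Added illustration of the OutOfBoundsSaneChain assumption; this is not JSC
// code, and `getByValModel` is a hypothetical model of the speculation.
"use strict";

// True when `key` is an array index in the ECMAScript sense: a canonical
// numeric string in the range 0 .. 2^32 - 2.
function isArrayIndex(key) {
  if (typeof key !== "string") return false;
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && n < 4294967295 && String(n) === key;
}

// Walk the prototype chain and report whether any prototype carries an own
// indexed property. The engine guards this condition with watchpoints; once it
// becomes true, an out-of-bounds read can no longer be assumed to be undefined.
function prototypeChainHasIndexedProperties(obj) {
  for (let p = Object.getPrototypeOf(obj); p !== null; p = Object.getPrototypeOf(p)) {
    if (Reflect.ownKeys(p).some(isArrayIndex)) return true;
  }
  return false;
}

// Model of the speculative GetByVal: the fast path answers `undefined` for a
// non-negative out-of-bounds index only when the chain is sane. A negative
// index is an ordinary property lookup (the key "-1") that the indexed-property
// watchpoints do not cover, so it must take the generic path.
function getByValModel(arr, index) {
  if (index >= 0 && index < arr.length) {
    return { value: arr[index], path: "in-bounds" };
  }
  if (index >= 0 && !prototypeChainHasIndexedProperties(arr)) {
    return { value: undefined, path: "oob-sane-chain" };
  }
  return { value: arr[index], path: "generic" };
}

// Constructed scenarios: a plain array, one whose prototype defines index 5,
// and one whose prototype has a getter under the key "-1". The prototypes are
// built locally so Array.prototype itself is left untouched.
function buildScenarios() {
  const plain = [1, 2, 3];

  const protoWithIndex = Object.create(Array.prototype);
  protoWithIndex[5] = "from-proto";
  const shadowed = Object.setPrototypeOf([1, 2, 3], protoWithIndex);

  const protoWithNegative = Object.create(Array.prototype);
  Object.defineProperty(protoWithNegative, "-1", { get() { return "negative-accessor"; } });
  const negative = Object.setPrototypeOf([1, 2, 3], protoWithNegative);

  return { plain, shadowed, negative };
}

// The model must always agree with the real semantics of arr[index].
function modelAgreesWithRuntime(arr, index) {
  return getByValModel(arr, index).value === arr[index];
}

function main() {
  const scenarios = buildScenarios();
  for (const [name, arr] of Object.entries(scenarios)) {
    for (const i of [1, 5, -1]) {
      const r = getByValModel(arr, i);
      console.log(`${name}[${i}] -> ${String(r.value)} via ${r.path}`);
    }
  }
}

if (typeof require !== "undefined" && require.main === module) main();
```

Running it shows `plain[5]` answered by the fast path, `shadowed[5]` forced onto the generic path because a prototype owns index 5, and `negative[-1]` reaching the accessor even though `prototypeChainHasIndexedProperties` is false for that array, which is why the entry adds a separate non-negative-index speculation rather than relying on the chain watchpoints alone.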
3749
3750 2020-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
3751
3752         Remove OpIsObjectOrNull from ClassExprNode::emitBytecode()
3753         https://bugs.webkit.org/show_bug.cgi?id=214525
3754
3755         Reviewed by Keith Miller.
3756
3757         This patch:
3758
3759         1. Replaces OpIsObjectOrNull in ClassExprNode::emitBytecode() [1] with emitIsObject() +
3760            emitIsNull(), preventing DFG/FTL from throwing a TypeError if `document.all` is the
3761            value of superclass "prototype" property, which aligns JSC with V8 and SpiderMonkey.
3762            Also, tweaks error message to reflect that `null` is allowed.
3763
3764         2. Renames is_object_or_null bytecode op to typeof_is_object, fixing the confusing
3765            operationObjectIsObject() name, and aligns it with typeof_is_undefined.
3766            New name offers better semantics and clearly communicates the op should be avoided when
3767            implementing new features because of `typeof` behavior with [[IsHTMLDDA]] objects [2].
3768
3769         [1]: https://tc39.es/ecma262/#sec-runtime-semantics-classdefinitionevaluation (step 5.g.ii)
3770         [2]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot-typeof
3771
3772         * bytecode/BytecodeList.rb:
3773         * bytecode/BytecodeUseDef.cpp:
3774         (JSC::computeUsesForBytecodeIndexImpl):
3775         (JSC::computeDefsForBytecodeIndexImpl):
3776         * bytecompiler/BytecodeGenerator.cpp:
3777         (JSC::BytecodeGenerator::emitEqualityOpImpl):
3778         * bytecompiler/NodesCodegen.cpp:
3779         (JSC::ClassExprNode::emitBytecode):
3780         * dfg/DFGAbstractInterpreterInlines.h:
3781         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3782         * dfg/DFGByteCodeParser.cpp:
3783         (JSC::DFG::ByteCodeParser::parseBlock):
3784         * dfg/DFGCapabilities.cpp:
3785         (JSC::DFG::capabilityLevel):
3786         * dfg/DFGClobberize.h:
3787         (JSC::DFG::clobberize):
3788         * dfg/DFGDoesGC.cpp:
3789         (JSC::DFG::doesGC):
3790         * dfg/DFGFixupPhase.cpp:
3791         (JSC::DFG::FixupPhase::fixupNode):
3792         * dfg/DFGHeapLocation.cpp:
3793         (WTF::printInternal):
3794         * dfg/DFGHeapLocation.h:
3795         * dfg/DFGNodeType.h:
3796         * dfg/DFGOperations.cpp:
3797         * dfg/DFGOperations.h:
3798         * dfg/DFGPredictionPropagationPhase.cpp:
3799         * dfg/DFGSafeToExecute.h:
3800         (JSC::DFG::safeToExecute):
3801         * dfg/DFGSpeculativeJIT.cpp:
3802         (JSC::DFG::SpeculativeJIT::compileTypeOfIsObject):
3803         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull): Deleted.
3804         * dfg/DFGSpeculativeJIT.h:
3805         * dfg/DFGSpeculativeJIT32_64.cpp:
3806         (JSC::DFG::SpeculativeJIT::compile):
3807         * dfg/DFGSpeculativeJIT64.cpp:
3808         (JSC::DFG::SpeculativeJIT::compile):
3809         * ftl/FTLCapabilities.cpp:
3810         (JSC::FTL::canCompile):
3811         * ftl/FTLLowerDFGToB3.cpp:
3812         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3813         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOfIsObject):
3814         (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull): Deleted.
3815         * jit/JIT.cpp:
3816         (JSC::JIT::privateCompileMainPass):
3817         * llint/LowLevelInterpreter.asm:
3818         * runtime/CommonSlowPaths.cpp:
3819         (JSC::SLOW_PATH_DECL):
3820         * runtime/CommonSlowPaths.h:
3821         * runtime/Operations.cpp:
3822         (JSC::jsTypeofIsObject):
3823         (JSC::jsIsObjectTypeOrNull): Deleted.
3824         * runtime/Operations.h:
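
The check that this entry rewrites is the superclass "prototype" validation of ClassDefinitionEvaluation step 5.g.ii ([1] above): the value must be an object or null. The JavaScript below, added here as an illustration and not part of the ChangeLog entry or of JSC, gives a reference implementation of that step and compares it with what the engine actually does for `class C extends X {}`. It tests object-ness with `Object(v) === v` rather than `typeof`, since `typeof` misreports [[IsHTMLDDA]] objects such as `document.all` ([2] above). The names `protoParentOf`, `engineAccepts`, `referenceAccepts` and `candidates` are hypothetical.

```javascript
// Added illustration of the superclass "prototype" check (spec step 5.g.ii);
// not JSC code. `protoParentOf` is a hypothetical reference implementation.
"use strict";

// Type(v) is Object, tested without `typeof`. `typeof` is the wrong tool here:
// an [[IsHTMLDDA]] object such as document.all reports typeof "undefined" even
// though it is an object, so a typeof-based check would wrongly reject it.
function isObject(v) {
  return Object(v) === v;
}

// ClassDefinitionEvaluation, step 5.g.ii: the prototype parent of a class
// must be either an object or null; anything else is a TypeError.
function protoParentOf(superclass) {
  if (superclass === null) return null; // `class C extends null {}` is allowed
  const protoParent = superclass.prototype;
  if (!isObject(protoParent) && protoParent !== null) {
    throw new TypeError("The value of the superclass's prototype property is not an object or null.");
  }
  return protoParent;
}

// Runtime oracle: what does the engine itself do for `class C extends superclass {}`?
// Returns the resulting prototype parent, or the string "TypeError".
function engineAccepts(superclass) {
  try {
    class C extends superclass {}
    return Object.getPrototypeOf(C.prototype);
  } catch (e) {
    if (e instanceof TypeError) return "TypeError";
    throw e;
  }
}

// The same question asked of the reference implementation.
function referenceAccepts(superclass) {
  try {
    return protoParentOf(superclass);
  } catch (e) {
    if (e instanceof TypeError) return "TypeError";
    throw e;
  }
}

// Constructed candidates: an ordinary function, one whose prototype is null
// (legal), one whose prototype is a number (rejected), and `extends null`.
function candidates() {
  function Ordinary() {}
  function NullProto() {}
  NullProto.prototype = null;
  function NumberProto() {}
  NumberProto.prototype = 42;
  return { Ordinary, NullProto, NumberProto, extendsNull: null };
}

// True when engine and reference agree on every candidate.
function engineMatchesReference() {
  return Object.values(candidates()).every((sc) => engineAccepts(sc) === referenceAccepts(sc));
}
```

The `NullProto` case is the one the tweaked error message is about: a superclass whose `prototype` property is `null` is accepted, and the resulting class's prototype has no parent.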
3825
3826 2020-08-15  Adrian Perez de Castro  <aperez@igalia.com>
3827
3828         Unreviewed non-unified source build fix
3829
3830         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Add missing OperandsInlines.h header.
3831
3832 2020-08-14  Caio Lima  <ticaiolima@gmail.com>
3833
3834         [ARMv7][JSC] Conservative GC is not considering `r7` as a root
3835         https://bugs.webkit.org/show_bug.cgi?id=215512
3836
3837         Reviewed by Yusuke Suzuki.
3838
3839         Since `r7` is a callee-saved register on ARMv7
3840         we need to consider it as a conservative root.
3841
3842         See the statement "A subroutine must preserve
3843         the contents of the registers r4-r8, r10, r11
3844         and SP (and r9 in PCS variants that designate
3845         r9 as v6)" from page 15 of
3846         https://developer.arm.com/documentation/ihi0042/f/.
3847
3848         * heap/RegisterState.h:
3849
3850 2020-08-12  Keith Miller  <keith_miller@apple.com>
3851
3852         OSRAvailabilityAnalysis shouldn't mark GetStack nodes directly as valid places for recovery
3853         https://bugs.webkit.org/show_bug.cgi?id=215434
3854
3855         Reviewed by Saam Barati.
3856
3857         It's somewhat subtle why we cannot use the node for the GetStack
3858         itself in the Availability's node field. The reason is that if we
3859         did we would need to make any phase that converts nodes to
3860         GetStack availability aware. For instance, a place where this
3861         could come up is in constant folding if you had a graph like the
3862         following, which could arise from PutStack sinking:
3863
3864         BB#1:
3865         @1: NewObject()
3866         @2: MovHint(@1, inline-arg1)
3867         @3: Jump(#2, #3)
3868
3869         BB#2:
3870         @4: PutStack(@1, inline-arg1)
3871         @5: GetMyArgumentByVal(inline-arg1)
3872         @6: Jump(#3)
3873
3874         BB#3:
3875         @7: InvalidationPoint()
3876
3877         If constant folding converts @5 to a GetStack then at @7
3878         inline-arg1 won't be available since at the end of BB#1 our
3879         availability is (@1, DeadFlush) and (@5,
3880         FlushedAt(inline-arg1)). When that gets merged at BB#3 then the
3881         availability will be (nullptr, ConflictingFlush).
3882
3883         This patch also makes validation check that availability is sane
3884         at each potential exit site if
3885         Options::validateFTLOSRExitLiveness() is set. Since this is
3886         actually a Phase we also need to make sure that we don't infinite
3887         loop, so there is now a m_isValidating field on m_graph. The
3888         validateOSRExitAvailability phase is also careful not to modify
3889         the Graph, in order to avoid masking bugs when validating.
3890
3891         In a followup patch I intend to look into why MovHint elimination
3892         will convert:
3893
3894         @2: MovHint(@0, loc1, bc#1, ExitInvalid)
3895         @3: KillStack(loc1, bc#2, ExitValid)
3896         @4: MovHint(@1 loc1, bc#2, ExitInvalid)
3897
3898         into
3899
3900         @2: ZombieHint(@0, loc1, bc#1, ExitInvalid)
3901         @3: KillStack(loc1, bc#2, ExitValid)
3902         @4: MovHint(@1 loc1, bc#2, ExitInvalid)
3903
3904         when loc1 is live in the bytecode at bc#2. But for now, the
3905         validation rule works around this by only checking when mayExit
3906         and the nodes exitOK agree exiting is possible.
3907
3908         * dfg/DFGGraph.h:
3909         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3910         (JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase):
3911         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
3912         (JSC::DFG::performOSRAvailabilityAnalysis):
3913         (JSC::DFG::validateOSRExitAvailability):
3914         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3915         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
3916         * dfg/DFGPhase.h:
3917         (JSC::DFG::runPhase):
3918         * dfg/DFGValidate.cpp:
3919
3920 2020-08-13  Alexey Shvayka  <shvaikalesh@gmail.com>
3921
3922         Cache Structure::attributeChangeTransition()
3923         https://bugs.webkit.org/show_bug.cgi?id=214890
3924
3925         Reviewed by Yusuke Suzuki.
3926
3927         With this change, a non-dictionary structure adds attribute-change transitions
3928         to the transition table, making redefinition to previous attributes a fast path.
3929
3930         After too many transitions, the structure becomes a dictionary, firing the
3931         transition watchpoint. Attribute-change transitions pin their property tables,
3932         preventing forEachPropertyConcurrently() traversal.
3933
3934         This patch advances the provided microbenchmark by ~90% and progresses
3935         Speedometer2/EmberJS-Debug-TodoMVC by ~12% (~5% over r264573).
3936
3937         No behavior change.
3938
3939         * dfg/DFGGraph.cpp:
3940         (JSC::DFG::Graph::getRegExpPrototypeProperty):
3941         * runtime/JSObjectInlines.h:
3942         (JSC::JSObject::putDirectInternal):
3943         * runtime/Structure.cpp:
3944         (JSC::Structure::materializePropertyTable):
3945         (JSC::Structure::removeNewPropertyTransition):
3946         (JSC::Structure::attributeChangeTransition):
3947         * runtime/Structure.h:
3948
3949 2020-08-13  Alexey Shvayka  <shvaikalesh@gmail.com>
3950
3951         Rework StructureTransitionTable::Hash::Key encoding
3952         https://bugs.webkit.org/show_bug.cgi?id=215483
3953
3954         Reviewed by Yusuke Suzuki.
3955
3956         This patch implements new encoding of StructureTransitionTable::Hash::Key
3957         to enable storing attribute change transitions in a transition table.
3958
3959         Since PropertyMapEntry attributes are always uint8_t, the remaining 8 bits
3960         are used for TransitionKind, which also accommodates non-property transitions,
3961         removing the slightly hacky toAttributes() and the utilization of unused pointer bits.
3962
3963         This change also introduces TransitionKind::Unknown we can validate against,
3964         preventing the addition transition from being the default, which could be unsafe.
3965
3966         No behavior change.
3967
3968         * runtime/JSObject.cpp:
3969         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3970         (JSC::JSObject::createInitialUndecided):
3971         (JSC::JSObject::createInitialInt32):
3972         (JSC::JSObject::createInitialDouble):
3973         (JSC::JSObject::createInitialContiguous):
3974         (JSC::JSObject::convertUndecidedToInt32):
3975         (JSC::JSObject::convertUndecidedToDouble):
3976         (JSC::JSObject::convertUndecidedToContiguous):
3977         (JSC::JSObject::convertUndecidedToArrayStorage):
3978         (JSC::JSObject::convertInt32ToDouble):
3979         (JSC::JSObject::convertInt32ToContiguous):
3980         (JSC::JSObject::convertInt32ToArrayStorage):
3981         (JSC::JSObject::convertDoubleToContiguous):
3982         (JSC::JSObject::convertDoubleToArrayStorage):
3983         (JSC::JSObject::convertContiguousToArrayStorage):
3984         (JSC::JSObject::convertFromCopyOnWrite):
3985         (JSC::JSObject::switchToSlowPutArrayStorage):
3986         (JSC::JSObject::suggestedArrayStorageTransition const):
3987         * runtime/JSObject.h:
3988         * runtime/Structure.cpp:
3989         (JSC::StructureTransitionTable::contains const):
3990         (JSC::StructureTransitionTable::get const):
3991         (JSC::StructureTransitionTable::add):
3992         (JSC::Structure::Structure):
3993         (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
3994         (JSC::Structure::addNewPropertyTransition):
3995         (JSC::Structure::removePropertyTransitionFromExistingStructureImpl):
3996         (JSC::Structure::removeNewPropertyTransition):
3997         (JSC::Structure::sealTransition):
3998         (JSC::Structure::freezeTransition):
3999         (JSC::Structure::preventExtensionsTransition):
4000         (JSC::Structure::nonPropertyTransitionSlow):
4001         * runtime/Structure.h:
4002         * runtime/StructureInlines.h:
4003         (JSC::Structure::nonPropertyTransition):
4004         * runtime/StructureTransitionTable.h:
4005         (JSC::changesIndexingType):
4006         (JSC::newIndexingType):
4007         (JSC::preventsExtensions):
4008         (JSC::setsDontDeleteOnAllProperties):
4009         (JSC::setsReadOnlyOnNonAccessorProperties):
4010         (JSC::StructureTransitionTable::Hash::Key::Key):
4011         (JSC::StructureTransitionTable::Hash::Key::attributes const):
4012         (JSC::StructureTransitionTable::Hash::Key::transitionKind const):
4013         (JSC::StructureTransitionTable::Hash::hash):
4014         (JSC::toAttributes): Deleted.
4015         (JSC::StructureTransitionTable::Hash::Key::isAddition const): Deleted.
4016
4017 2020-08-12  Keith Rollin  <krollin@apple.com>
4018
4019         Remove the need for defining USE_NEW_BUILD_SYSTEM
4020         https://bugs.webkit.org/show_bug.cgi?id=215439
4021
4022         Reviewed by Darin Adler.
4023
4024         When building WebKit for XCBuild, we currently require that the
4025         external build system (such as the Makefile, build-webkit, etc.)
4026         defines the USE_NEW_BUILD_SYSTEM=YES build setting. This build setting
4027         controls parts of our build instructions that are sensitive to when
4028         XCBuild or the Legacy build system are being used. Notably, we need to
4029         know when to use our custom “copy and modify” scripts with copying
4030         certain header files (used with the Legacy build system) vs. using the
4031         enhanced Copy Headers build phase that’s enabled with
4032         APPLY_RULES_IN_COPY_HEADERS=YES (introduced with and used by XCBuild).
4033         The choice of which header-copying method is used is controlled by
4034         USE_NEW_BUILD_SYSTEM.
4035
4036         There is no built-in build setting that we can probe to help us
4037         determine which approach to take when copying and modifying headers,
4038         which is why we need to define USE_NEW_BUILD_SYSTEM ourselves. But it
4039         turns out that we can *detect* which build system is being used by
4040         taking advantage of a subtle difference between the two systems. As
4041         noted in:
4042
4043             https://developer.apple.com/documentation/xcode-release-notes/build-system-release-notes-for-xcode-10
4044
4045             “When an .xcconfig file contains multiple assignments of the same
4046              build setting, later assignments using $(inherited) or
4047              $(<setting_name>) will inherit from earlier assignments in the
4048              .xcconfig. The legacy build system caused every use of
4049              $(inherited) or $(<setting_name>) skip any other values defined
4050              within the .xcconfig.”
4051
4052         This difference can be exploited as follows:
4053
4054             WK_WHICH_BUILD_SYSTEM = not_
4055             WK_WHICH_BUILD_SYSTEM = $(inherited)legacy
4056             WK_USE_NEW_BUILD_SYSTEM = $(WK_USE_NEW_BUILD_SYSTEM_$(WK_WHICH_BUILD_SYSTEM))
4057             WK_USE_NEW_BUILD_SYSTEM_legacy = NO
4058             WK_USE_NEW_BUILD_SYSTEM_not_legacy = YES
4059
4060         We can then use WK_USE_NEW_BUILD_SYSTEM where we used to use the
4061         externally-defined USE_NEW_BUILD_SYSTEM.
4062
4063         * Configurations/Base.xcconfig:
4064         * Configurations/JavaScriptCore.xcconfig:
4065         * JavaScriptCore.xcodeproj/project.pbxproj:
4066
4067 2020-08-12  Saam Barati  <sbarati@apple.com>
4068
4069         Inline cache Replace and Setters on PureForwardingProxy
4070         https://bugs.webkit.org/show_bug.cgi?id=215250
4071
4072         Reviewed by Yusuke Suzuki.
4073
4074         We didn't use to cache any Puts on PureForwardingProxy. This patch
4075         implements Replace and JS/Custom Setters on PureForwardingProxy. We don't support
4076         Transition puts because in our current implementation different global objects
4077         will never share the same structure.
4078         
4079         This patch also aligns how our runtime and the ICs invoke Customs when the
4080         passed in |this| value is a JSProxy. For custom accessors, our runtime passes
4081         in the JSProxy, where our ICs used to pass in the target of the JSProxy, for
4082         the receiver value. For custom values, the IC behavior and the runtime were
4083         already aligned in passing in the property owner, which is the JSProxy's
4084         target. This patch aligns our IC behavior to match our runtime behavior.
4085         
4086         This patch also renames some of the registers in the IC code to clear
4087         up what they're used for.
4088         
4089         This is a 2.5x speedup on the microbenchmark I've added, and a 15-20% speedup
4090         on JetStream2's 3d-cube-SP.
4091
4092         * bytecode/AccessCase.cpp:
4093         (JSC::AccessCase::generateWithGuard):
4094         (JSC::AccessCase::generateImpl):
4095         * bytecode/GetterSetterAccessCase.cpp:
4096         (JSC::GetterSetterAccessCase::create):
4097         * bytecode/GetterSetterAccessCase.h:
4098         * jit/JITOperations.cpp:
4099         * jit/Repatch.cpp:
4100         (JSC::tryCachePutByID):
4101         * runtime/CommonSlowPaths.h:
4102         (JSC::CommonSlowPaths::originalStructureBeforePut):
4103         (JSC::CommonSlowPaths::putDirectWithReify):
4104
4105 2020-08-11  Mark Lam  <mark.lam@apple.com>
4106
4107         ScriptExecutable::newCodeBlockFor() neglected to set the exception pointer result in one case.
4108         https://bugs.webkit.org/show_bug.cgi?id=215357
4109         <rdar://problem/57675112>
4110
4111         Reviewed by Yusuke Suzuki.
4112
4113         At the bottom of ScriptExecutable::newCodeBlockFor(), it calls:
4114             RELEASE_AND_RETURN(throwScope, FunctionCodeBlock::create(vm, executable, unlinkedCodeBlock, scope));
4115
4116         However, ScriptExecutable::newCodeBlockFor() has 2 return values: a CodeBlock*,
4117         and a passed in Exception*& that needs to be set if there's an exception.
4118         FunctionCodeBlock::create() is capable of returning a null CodeBlock* because
4119         CodeBlock::finishCreation() can throw exceptions.  As a result, we have a scenario
4120         here where ScriptExecutable::newCodeBlockFor() can return a null CodeBlock* without
4121         setting the Exception*& result.
4122
4123         Consequently, Interpreter::executeCall() is relying on this and can end up
4124         crashing while dereferencing a null CodeBlock* because the exception result was
4125         not set.
4126
4127         This patch fixes ScriptExecutable::newCodeBlockFor() to set the exception result.
4128
4129         * runtime/ScriptExecutable.cpp:
4130         (JSC::ScriptExecutable::newCodeBlockFor):
4131
4132 2020-08-10  Lauro Moura  <lmoura@igalia.com>
4133
4134         [CMake][JSC] Fix testapiScripts copy location
4135         https://bugs.webkit.org/show_bug.cgi?id=215338
4136
4137         file(COPY src/dir DESTINATION target/dir) copies the entire `dir`
4138         inside target/dir instead of only the contents.
4139
4140         Reviewed by Alex Christensen.
4141
4142         * shell/CMakeLists.txt:
4143
4144 2020-08-10  Alex Christensen  <achristensen@webkit.org>
4145
4146         REGRESSION(r261159) PokerBros only shows black screen
4147         https://bugs.webkit.org/show_bug.cgi?id=215293
4148         <rdar://problem/66073740>
4149
4150         Reviewed by Keith Miller.
4151
4152         The PokerBros app has some logic that was broken by the change in behavior of r261159.
4153         It caused the app to do nothing except show a black screen upon opening.
4154         Revert to the old behavior for this app until they update to iOS14.
4155
4156         * runtime/JSObject.cpp:
4157         (JSC::needsOldStringName):
4158         (JSC::JSObject::toStringName):
4159
4160 2020-08-10  Yusuke Suzuki  <ysuzuki@apple.com>
4161
4162         [JSC] JSFinalObject::finishCreation's ASSERT has stale condition
4163         https://bugs.webkit.org/show_bug.cgi?id=215317
4164
4165         Reviewed by Mark Lam.
4166
4167         JSFinalObject::finishCreation assumes that there is no out-of-line property storage (inline storage capacity == total storage capacity).
4168         But this is wrong when passing a Butterfly* parameter to JSFinalObject. Previously, this feature was not used and we instead used JSObject::createRawObject,
4169         which bypasses this assertion. But now, we start using this when creating an object for MaterializeNewObject in DFG and FTL, and then we hit the crash
4170         because this assertion does not consider a non-nullptr butterfly.
4171
4172         This patch makes the create function explicit by introducing `JSFinalObject::createWithButterfly`, which is similar to JSArray::createWithButterfly.
4173         And we fix the assertion by checking butterfly existence. By renaming JSFinalObject::create to JSFinalObject::createWithButterfly when getting a butterfly,
4174         this patch also clarifies that only MaterializeNewObject related functions, which were using JSObject::createRawObject to bypass this assertion, are passing
4175         a butterfly.
4176
4177         * dfg/DFGOperations.cpp:
4178         * runtime/JSObject.h:
4179         (JSC::JSFinalObject::createWithButterfly):
4180         (JSC::JSFinalObject::create):
4181
4182 2020-08-09  Commit Queue  <commit-queue@webkit.org>
4183
4184         Unreviewed, reverting r265392.
4185         https://bugs.webkit.org/show_bug.cgi?id=215316
4186
4187         Crash ARM64 / ARM64E JSC tests
4188
4189         Reverted changeset:
4190
4191         "REGRESSION(r261159) PokerBros only shows black screen"
4192         https://bugs.webkit.org/show_bug.cgi?id=215293
4193         https://trac.webkit.org/changeset/265392
4194
4195 2020-08-09  Yusuke Suzuki  <ysuzuki@apple.com>
4196
4197         [JSC] Make CommandLine on Worker agent (JSC shell feature for testing) work on iOS
4198         https://bugs.webkit.org/show_bug.cgi?id=215311
4199         <rdar://problem/66660053>
4200
4201         Reviewed by Mark Lam.
4202
4203         We should not reconfigure Options since they are initialized only once. Since Options are frozen,
4204         this results in a crash.
4205
4206         * jsc.cpp:
4207         (CommandLine::CommandLine):
4208         (functionDollarAgentStart):
4209
4210 2020-08-09  Commit Queue  <commit-queue@webkit.org>
4211
4212         Unreviewed, reverting r263195, r263252, and r265394.
4213         https://bugs.webkit.org/show_bug.cgi?id=215312
4214
4215         Revert all related GC Bitmap changes because some of the perf is
4216         not fully recovered
4217
4218         Reverted changesets:
4219
4220         "Replace JSC::FreeList linked list with a Bitmap."
4221         https://bugs.webkit.org/show_bug.cgi?id=213071
4222         https://trac.webkit.org/changeset/263195
4223
4224         "Unify Bitmap math loops in
4225         MarkedBlock::Handle::specializedSweep()."
4226         https://bugs.webkit.org/show_bug.cgi?id=213345
4227         https://trac.webkit.org/changeset/263252
4228
4229         "[JSC] Disable ENABLE_BITMAP_FREELIST"
4230         https://bugs.webkit.org/show_bug.cgi?id=215285
4231         https://trac.webkit.org/changeset/265394
4232
4233 2020-08-08  Yusuke Suzuki  <ysuzuki@apple.com>
4234
4235         [JSC] Speculate children first in DFG NewArray
4236         https://bugs.webkit.org/show_bug.cgi?id=215308
4237         <rdar://problem/64749263>
4238
4239         Reviewed by Mark Lam.
4240
4241         SpeculativeJIT::emitAllocateRawObject can create an uninitialized butterfly since we later fill it.
4242         However, the DFG NewArray node has speculation after that. So if speculation failure happens, we release a
4243         half-baked butterfly.
4244
4245         Let's see the example.
4246
4247            8459         emitAllocateRawObject(resultGPR, structure, storageGPR, numElements, vectorLengthHint);
4248            ...
4249            8482             case ALL_INT32_INDEXING_TYPES:
4250            8483             case ALL_CONTIGUOUS_INDEXING_TYPES: {
4251            8484                 JSValueOperand operand(this, use, ManualOperandSpeculation);
4252            8485                 JSValueRegs operandRegs = operand.jsValueRegs();
4253            8486                 if (hasInt32(node->indexingType())) {
4254            8487                     DFG_TYPE_CHECK(
4255            8488                         operandRegs, use, SpecInt32Only,
4256            8489                         m_jit.branchIfNotInt32(operandRegs));
4257            8490                 }
4258            8491                 m_jit.storeValue(operandRegs, MacroAssembler::Address(storageGPR, sizeof(JSValue) * operandIdx));
4259            8492                 break;
4260            8493             }
4261
4262         L8487-L8489 are doing the speculation check. If it fails, the rest of the butterfly can be filled with garbage. This looks OK since
4263         it is an Int32 butterfly so GC never scans it. However, if have-a-bad-time happens and the array is reachable from the conservative root,
4264         this half-baked array is converted from an Int32 array to ArrayStorage. At that time, since an Int32 butterfly should hold JSInt32,
4265         we store this garbage to ArrayStorage. Later, if the conservative root still holds this array, and GC scans this garbage as a JSValue,
4266         this value confuses GC.
4267
4268         In this patch, we first perform speculation before creating the uninitialized JSArray so that we can ensure that we never exit after
4269         creating this array until we fill it. This strategy is the same as FTL's NewArray implementation.
4270
4271         And we also found that emitAllocateRawObject is allocating an object from JSFinalObject space while we use it for JSArray too.
4272         We should get per-type allocator to ensure JSArray is allocated in its IsoSubspace.
4273
4274         * dfg/DFGOperations.cpp:
4275         * dfg/DFGSpeculativeJIT.cpp:
4276         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
4277         (JSC::DFG::SpeculativeJIT::compileNewArray):
4278         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
4279         * ftl/FTLLowerDFGToB3.cpp:
4280         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
4281         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
4282         * runtime/JSObject.h:
4283         (JSC::JSObject::createRawObject): Deleted.
4284
4285 2020-08-07  Yusuke Suzuki  <ysuzuki@apple.com>
4286
4287         [JSC] Disable ENABLE_BITMAP_FREELIST
4288         https://bugs.webkit.org/show_bug.cgi?id=215285
4289
4290         Reviewed by Mark Lam.
4291
4292         From performance bots, we observed that,
4293
4294             1. MBP11,4 shows 1% regression in Speedometer2.
4295             2. The other MBP / iMac / MBA bots show neutral or slight regression in Speedometer2.
4296
4297         Based on the above result, for now, we disable this feature.
4298
4299         * heap/FreeList.h:
4300
4301 2020-08-07  Alex Christensen  <achristensen@webkit.org>
4302
4303         REGRESSION(r261159) PokerBros only shows black screen
4304         https://bugs.webkit.org/show_bug.cgi?id=215293
4305
4306         Reviewed by Keith Miller.
4307
4308         The PokerBros app has some logic that was broken by the change in behavior of r261159.
4309         It caused the app to do nothing except show a black screen upon opening.
4310         Revert to the old behavior for this app until they update to iOS14.
4311
4312         * runtime/JSObject.cpp:
4313         (JSC::needsOldStringName):
4314         (JSC::JSObject::toStringName):
4315
4316 2020-08-07  Michael Saboff  <msaboff@apple.com>
4317
4318         RegExp sticky not matching alternates correctly, ignoring lastIndex requirement
4319         https://bugs.webkit.org/show_bug.cgi?id=214181
4320
4321         Reviewed by Yusuke Suzuki.
4322
4323         In the YARR JIT, we need to check for sticky patterns before checking for fixed character
4324         terms when backtracking.  The YARR interpreter doesn't have this issue.
4325
4326         * yarr/YarrJIT.cpp:
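
The contract this entry's JIT fix restores is the sticky flag's: a `/y` pattern must match starting exactly at `lastIndex`, and while the matcher may backtrack from a failed alternate into the next one, it may never advance the start position. The JavaScript below, added here as an illustration and not part of the ChangeLog entry or of YARR, exercises that contract on a literal alternation and contrasts it with the `/g` flag, where `lastIndex` is only where scanning begins. The helper names `stickyMatchAt`, `globalMatchFrom`, `referenceStickyAlternation` and `runCases` are hypothetical.

```javascript
// Added illustration of the sticky-flag contract that the YARR JIT fix
// restores; not the engine change itself, and the helpers are hypothetical.
"use strict";

// Run a sticky regexp at `start` and describe the outcome, including where
// lastIndex ends up (reset to 0 on failure, advanced past the match on success).
function stickyMatchAt(re, input, start) {
  if (!re.sticky) throw new Error("stickyMatchAt expects a /y regexp");
  re.lastIndex = start;
  const m = re.exec(input);
  if (m === null) return { matched: false, lastIndexAfter: re.lastIndex };
  return { matched: true, text: m[0], index: m.index, lastIndexAfter: re.lastIndex };
}

// Non-sticky counterpart (/g): lastIndex is only where scanning begins, so the
// engine is free to find the match further to the right.
function globalMatchFrom(re, input, start) {
  if (!re.global || re.sticky) throw new Error("globalMatchFrom expects a /g, non-sticky regexp");
  re.lastIndex = start;
  const m = re.exec(input);
  if (m === null) return { matched: false };
  return { matched: true, text: m[0], index: m.index };
}

// Reference semantics for a literal alternation under /y: try each alternate
// at `start` only, in order. An alternate that would only match at some later
// position must fail; that is the lastIndex requirement the bug title names.
function referenceStickyAlternation(literals, input, start) {
  for (const lit of literals) {
    if (input.startsWith(lit, start)) return { matched: true, text: lit, index: start };
  }
  return { matched: false };
}

// Cases for /ab|b/ on the constructed input "xb": at index 0 the first
// alternate fails on 'x', and the second alternate must also be tried at
// index 0 (where it fails), not at index 1 where a 'b' happens to sit.
function runCases() {
  const sticky = /ab|b/y;
  const global = /ab|b/g;
  return {
    stickyAtZero: stickyMatchAt(sticky, "xb", 0),
    stickyAtOne: stickyMatchAt(sticky, "xb", 1),
    stickyFirstAlternate: stickyMatchAt(sticky, "ab", 0),
    globalFromZero: globalMatchFrom(global, "xb", 0),
    referenceAtZero: referenceStickyAlternation(["ab", "b"], "xb", 0),
    referenceAtOne: referenceStickyAlternation(["ab", "b"], "xb", 1),
  };
}

// True when the engine's sticky results agree with the reference semantics.
function stickyMatchesReference() {
  const r = runCases();
  return r.stickyAtZero.matched === r.referenceAtZero.matched
    && r.stickyAtOne.matched === r.referenceAtOne.matched
    && r.stickyAtOne.text === r.referenceAtOne.text
    && r.stickyAtOne.index === r.referenceAtOne.index;
}
```

A useful regression check for any regexp engine is exactly this pair: the `/y` form must fail at index 0 and reset `lastIndex` to 0, while the `/g` form on the same input slides forward and reports the `b` at index 1.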
4327
4328 2020-08-05  Tim Horton  <timothy_horton@apple.com>
4329
4330         Remove all references to non-existent 10.16
4331         https://bugs.webkit.org/show_bug.cgi?id=215202
4332
4333         Reviewed by Wenson Hsieh.
4334
4335         * Configurations/Base.xcconfig:
4336         * Configurations/DebugRelease.xcconfig:
4337         * Configurations/Version.xcconfig:
4338         * Configurations/WebKitTargetConditionals.xcconfig:
4339
4340 2020-08-05  Saam Barati  <sbarati@apple.com>
4341
4342         Fix returnEarlyFromInfiniteLoopsForFuzzing in DFG and validateDoesGC
4343         https://bugs.webkit.org/show_bug.cgi?id=215194
4344         <rdar://problem/66158641>
4345
4346         Reviewed by Mark Lam.
4347
4348         I already fixed this same issue in the FTL in r264330, but I forgot
4349         to do it in the DFG.
4350
4351         * dfg/DFGSpeculativeJIT64.cpp:
4352         (JSC::DFG::SpeculativeJIT::compile):
4353
4354 2020-08-05  Keith Miller  <keith_miller@apple.com>
4355
4356         The various AllowList options should be able to take the function name inline
4357         https://bugs.webkit.org/show_bug.cgi?id=215184
4358
4359         Reviewed by Saam Barati.
4360
4361         Right now when I use the various AllowList JSC options I almost
4362         always only care about a single function. Right now you need to
4363         create a file with that single name in it. That is inconvenient, so
4364         this patch changes the behavior to treat the string as the
4365         function name if no file at that path exists. I'm also
4366         speculatively assuming fopen doesn't return ENOENT when it fails
4367         due to sandboxing... I didn't feel like testing it because this is
4368         a debug option.
4369
4370         * runtime/OptionsList.h:
4371         * tools/FunctionAllowlist.cpp:
4372         (JSC::FunctionAllowlist::FunctionAllowlist):
4373
4374 2020-08-05  Keith Miller  <keith_miller@apple.com>
4375
4376         Add assertions / inline capacity to checkpoint side state stacks
4377         https://bugs.webkit.org/show_bug.cgi?id=215175
4378
4379         Reviewed by Saam Barati.
4380
4381         The inline capacity should hopefully avoid unneeded mallocs close to 100% of the time during our OSR exit ramp.
4382
4383         * dfg/DFGOSRExit.cpp:
4384         (JSC::DFG::OSRExit::compileExit):
4385         * ftl/FTLOSRExitCompiler.cpp:
4386         (JSC::FTL::compileStub):
4387         * runtime/VM.cpp:
4388         (JSC::VM::pushCheckpointOSRSideState):
4389         * runtime/VM.h:
4390
4391 2020-08-04  Yusuke Suzuki  <ysuzuki@apple.com>
4392
4393         [JSC] Use LazyNeverDestroyed & std::call_once for complex singletons
4394         https://bugs.webkit.org/show_bug.cgi?id=215153
4395         <rdar://problem/65718983>
4396
4397         Reviewed by Mark Lam.
4398
4399         We are getting some crashes in RemoteInspector and this speculatively fixes the crash.
4400         My guess is that NeverDestroyed<RemoteInspector> calls constructor twice in a heavily contended situation:
4401         WebKit's static does not have thread-safety. If two threads come here at the same time, it is possible that
4402         constructor is invoked twice. In that case, later constructor will clear members, which involves clearing
4403         Lock m_mutex field. This makes Lock's invariant broken.
4404         This patch uses LazyNeverDestroyed and std::call_once to ensure invoking constructor only once.
4405
4406         * API/glib/JSCVirtualMachine.cpp:
4407         * dfg/DFGCommonData.cpp:
4408         * disassembler/Disassembler.cpp:
4409         * inspector/remote/RemoteInspector.h:
4410         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
4411         (Inspector::RemoteInspector::singleton):
4412         * inspector/remote/glib/RemoteInspectorGlib.cpp:
4413         (Inspector::RemoteInspector::singleton):
4414         * inspector/remote/socket/RemoteInspectorServer.cpp:
4415         (Inspector::RemoteInspectorServer::singleton):
4416         * inspector/remote/socket/RemoteInspectorServer.h:
4417         * inspector/remote/socket/RemoteInspectorSocket.cpp:
4418         (Inspector::RemoteInspector::singleton):
4419         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
4420         (Inspector::RemoteInspectorSocketEndpoint::singleton):
4421         * interpreter/Interpreter.cpp:
4422         (JSC::Interpreter::opcodeIDTable):
4423         * runtime/IntlObject.cpp:
4424         (JSC::intlAvailableLocales):
4425         (JSC::intlCollatorAvailableLocales):
4426         (JSC::defaultLocale):
4427         (JSC::numberingSystemsForLocale):
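
        The one-time construction described in this entry, as an added illustration that is not WebKit's own code: a LazyNeverDestroyed-style holder whose constructor runs under std::call_once, so contended first use cannot run the constructor twice on the same storage. The names LazySingleton, RemoteInspectorLike and constructionsUnderContention are assumptions for this example.

```cpp
// Added example (not WebKit's code): a never-destroyed singleton whose
// single construction is guarded by std::call_once. Names are assumptions.
#include <atomic>
#include <mutex>
#include <new>
#include <thread>
#include <vector>

// Stand-in for RemoteInspector: owns a mutex whose invariants would be
// violated if the constructor ran a second time over the same object.
struct RemoteInspectorLike {
    static std::atomic<int> constructions;  // how many times the ctor ran
    std::mutex m_mutex;
    RemoteInspectorLike() { constructions.fetch_add(1, std::memory_order_relaxed); }
};
std::atomic<int> RemoteInspectorLike::constructions{0};

// Raw storage constructed exactly once and never destroyed (no destructor at
// exit), in the spirit of WTF::LazyNeverDestroyed combined with std::call_once.
template<typename T>
class LazySingleton {
public:
    T& get() {
        // call_once serialises the construction and publishes m_ptr to all
        // later callers, regardless of whether the compiler's function-local
        // statics are thread-safe.
        std::call_once(m_once, [this] { m_ptr = new (&m_storage) T(); });
        return *m_ptr;
    }
private:
    std::once_flag m_once;
    T* m_ptr = nullptr;
    alignas(T) unsigned char m_storage[sizeof(T)];
};

// Namespace-scope holder: its own initialisation happens before main(), so the
// only concurrent step is get(), which call_once protects.
static LazySingleton<RemoteInspectorLike> s_remoteInspector;

RemoteInspectorLike& remoteInspectorSingleton() { return s_remoteInspector.get(); }

// Hit the singleton from many threads at once and report how many times the
// constructor actually ran; the call_once guard keeps this at exactly 1.
int constructionsUnderContention(int threadCount) {
    std::vector<std::thread> threads;
    for (int i = 0; i < threadCount; ++i)
        threads.emplace_back([] { (void)remoteInspectorSingleton(); });
    for (auto& t : threads)
        t.join();
    return RemoteInspectorLike::constructions.load();
}
```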
4428
4429 2020-08-04  Keith Miller  <keith_miller@apple.com>
4430
4431         CheckpointSideState should play nicely with StackOverflowException unwinding.
4432         https://bugs.webkit.org/show_bug.cgi?id=215114
4433
4434         Reviewed by Saam Barati.
4435
4436         This patch fixes an issue where the StackVisitor would
4437         automatically unwind into the first frame before calling into the
4438         provided functor. As a note, we do this because the first frame is
4439         not fully initialized at the time we check for stack