Don't OSR enter into an FTL CodeBlock that has been jettisoned
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-05-07  Saam Barati  <sbarati@apple.com>
2
3         Don't OSR enter into an FTL CodeBlock that has been jettisoned
4         https://bugs.webkit.org/show_bug.cgi?id=197531
5         <rdar://problem/50162379>
6
7         Reviewed by Yusuke Suzuki.
8
9         Sometimes we make silly mistakes. This is one of those times. It's invalid to OSR
10         enter into an FTL OSR entry code block that has been jettisoned already.
11
12         * dfg/DFGJITCode.cpp:
13         (JSC::DFG::JITCode::clearOSREntryBlockAndResetThresholds):
14         * dfg/DFGJITCode.h:
15         (JSC::DFG::JITCode::clearOSREntryBlock): Deleted.
16         * dfg/DFGOSREntry.cpp:
17         (JSC::DFG::prepareOSREntry):
18         (JSC::DFG::prepareCatchOSREntry):
19         * dfg/DFGOperations.cpp:
20         * ftl/FTLOSREntry.cpp:
21         (JSC::FTL::prepareOSREntry):
22
23 2019-05-06  Keith Miller  <keith_miller@apple.com>
24
25         JSWrapperMap should check if existing prototype properties are wrappers when copying exported methods.
26         https://bugs.webkit.org/show_bug.cgi?id=197324
27         <rdar://problem/50253144>
28
29         Reviewed by Saam Barati.
30
31         The current implementation prevents using JSExport to shadow a
32         method from a super class. This was because we would only add a
33         method if the prototype didn't already claim to have the
34         property. Normally this would only happen if an Objective-C super
35         class already exported an ObjCCallbackFunction for the method;
36         however, if the user exports a property that is already on
37         Object.prototype the overridden method won't be exported.
38
39         This patch fixes the object prototype issue by checking if the
40         property on the prototype chain is an ObjCCallbackFunction, if
41         it's not then it adds an override.
42
43         * API/JSWrapperMap.mm:
44         (copyMethodsToObject):
45         * API/tests/testapi.mm:
46         (-[ToStringClass toString]):
47         (-[ToStringClass other]):
48         (-[ToStringSubclass toString]):
49         (-[ToStringSubclassNoProtocol toString]):
50         (testToString):
51         (testObjectiveCAPI):
52
53 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
54
55         [JSC] We should check OOM for description string of Symbol
56         https://bugs.webkit.org/show_bug.cgi?id=197634
57
58         Reviewed by Keith Miller.
59
60         When resolving the JSString for the description of a Symbol, we should check for an OOM error.
61         We also change JSValueMakeSymbol(..., nullptr) to return a symbol value
62         without a description, (1) to simplify the code and (2) to give the JSC API a way
63         to create a symbol value without a description.
64
65         * API/JSValueRef.cpp:
66         (JSValueMakeSymbol):
67         * API/tests/testapi.cpp:
68         (TestAPI::symbolsTypeof):
69         (TestAPI::symbolsDescription):
70         (testCAPIViaCpp):
71         * dfg/DFGOperations.cpp:
72         * runtime/Symbol.cpp:
73         (JSC::Symbol::createWithDescription):
74         * runtime/Symbol.h:
75         * runtime/SymbolConstructor.cpp:
76         (JSC::callSymbol):
77
78 2019-05-06  Keith Rollin  <krollin@apple.com>
79
80         Temporarily disable generate-xcfilelists
81         https://bugs.webkit.org/show_bug.cgi?id=197619
82         <rdar://problem/50507392>
83
84         Reviewed by Alex Christensen.
85
86         We need to perform a significant update to the generate-xcfilelist
87         scripts. This work involves coordinated work with another facility. If
88         the work does not occur in tandem, the build will be broken. To avoid
89         this, disable the invoking of the scripts during the transition. The
90         checking will be restored once the new scripts are in place.
91
92         * Scripts/check-xcfilelists.sh:
93
94 2019-05-06  Basuke Suzuki  <Basuke.Suzuki@sony.com>
95
96         [PlayStation] Fix build break since r244919
97         https://bugs.webkit.org/show_bug.cgi?id=197627
98
99         Reviewed by Ross Kirsling.
100
101         Bugfix for the POSIX socket implementation and suppress warnings.
102
103         * inspector/remote/socket/RemoteInspectorConnectionClient.h:
104         (Inspector::RemoteInspectorConnectionClient::didAccept):
105         * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp:
106         (Inspector::Socket::getPort):
107
108 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
109
110         TemplateObject passed to template literal tags are not always identical for the same source location.
111         https://bugs.webkit.org/show_bug.cgi?id=190756
112
113         Reviewed by Saam Barati.
114
115         Tagged template literals require that the site object is allocated per source location. Previously, we created the site object
116         when linking the CodeBlock and cached it in the CodeBlock. But this is wrong because,
117
118         1. A CodeBlock can be jettisoned and regenerated. So every time the CodeBlock is regenerated, we get a different site object.
119         2. Call and Construct can have different CodeBlocks. Whether the function is called in call-form or construct-form, we should return the same site object.
120
121         In this patch, we start caching these site objects in the top-level ScriptExecutable. This matches the spec's per-source-location requirement, since only one top-level
122         ScriptExecutable is created for the given script code. Each ScriptExecutable of a JSFunction can be created multiple times because the CodeBlock creates it.
123         But the top-level one is not created by a CodeBlock. This top-level ScriptExecutable is well-aligned with the Script itself. The top-level ScriptExecutable now has a HashMap,
124         which maps source locations to cached site objects.
125
126         1. This patch threads the top-level ScriptExecutable through each FunctionExecutable creation. Each FunctionExecutable has a reference to the top-level ScriptExecutable.
127         2. We put a TemplateObjectMap in ScriptExecutable, which manages cached template objects.
128         3. We move FunctionExecutable::m_cachedPolyProtoStructure to FunctionExecutable::RareData to keep FunctionExecutable at 128 bytes.
129
130         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
131         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
132         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
133         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
134         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
135         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
136         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
137         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
138         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
139         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
140         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
141         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
142         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
143         * Scripts/wkbuiltins/builtins_templates.py:
144         * bytecode/CodeBlock.cpp:
145         (JSC::CodeBlock::finishCreation):
146         (JSC::CodeBlock::setConstantRegisters):
147         * bytecode/CodeBlock.h:
148         * bytecode/UnlinkedFunctionExecutable.cpp:
149         (JSC::UnlinkedFunctionExecutable::link):
150         * bytecode/UnlinkedFunctionExecutable.h:
151         * bytecompiler/BytecodeGenerator.cpp:
152         (JSC::BytecodeGenerator::addTemplateObjectConstant):
153         (JSC::BytecodeGenerator::emitGetTemplateObject):
154         * bytecompiler/BytecodeGenerator.h:
155         * runtime/CachedTypes.cpp:
156         (JSC::CachedTemplateObjectDescriptor::encode):
157         (JSC::CachedTemplateObjectDescriptor::decode const):
158         (JSC::CachedJSValue::encode):
159         (JSC::CachedJSValue::decode const):
160         * runtime/EvalExecutable.cpp:
161         (JSC::EvalExecutable::ensureTemplateObjectMap):
162         (JSC::EvalExecutable::visitChildren):
163         * runtime/EvalExecutable.h:
164         * runtime/FunctionExecutable.cpp:
165         (JSC::FunctionExecutable::finishCreation):
166         (JSC::FunctionExecutable::visitChildren):
167         (JSC::FunctionExecutable::fromGlobalCode):
168         (JSC::FunctionExecutable::ensureRareDataSlow):
169         (JSC::FunctionExecutable::ensureTemplateObjectMap):
170         * runtime/FunctionExecutable.h:
171         * runtime/JSModuleRecord.cpp:
172         (JSC::JSModuleRecord::instantiateDeclarations):
173         * runtime/JSTemplateObjectDescriptor.cpp:
174         (JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
175         (JSC::JSTemplateObjectDescriptor::create):
176         * runtime/JSTemplateObjectDescriptor.h:
177         * runtime/ModuleProgramExecutable.cpp:
178         (JSC::ModuleProgramExecutable::ensureTemplateObjectMap):
179         (JSC::ModuleProgramExecutable::visitChildren):
180         * runtime/ModuleProgramExecutable.h:
181         * runtime/ProgramExecutable.cpp:
182         (JSC::ProgramExecutable::ensureTemplateObjectMap):
183         (JSC::ProgramExecutable::visitChildren):
184         * runtime/ProgramExecutable.h:
185         * runtime/ScriptExecutable.cpp:
186         (JSC::ScriptExecutable::topLevelExecutable):
187         (JSC::ScriptExecutable::createTemplateObject):
188         (JSC::ScriptExecutable::ensureTemplateObjectMap):
189         * runtime/ScriptExecutable.h:
190         * tools/JSDollarVM.cpp:
191         (JSC::functionCreateBuiltin):
192         (JSC::functionDeleteAllCodeWhenIdle):
193         (JSC::JSDollarVM::finishCreation):
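
The per-source-location contract described in the entry above, written out as an added JavaScript example (not WebKit or JSC code) that can be run on any spec-conforming engine such as Node. The tag function `identityTag` and the three call sites are constructed for this example; they assume only the ECMAScript tagged-template semantics the entry cites.

```javascript
// Added example, not WebKit/JSC code: the observable contract the entry
// above restores, checked from plain JavaScript on a spec-conforming engine.

// A tag that hands back the template (site) object it receives.
function identityTag(strings) {
  return strings;
}

// One call site: every evaluation must yield the very same object, no matter
// how many times the enclosing function runs (the engine may have jettisoned
// and regenerated its compiled code in between).
function oneSite() {
  return identityTag`a${1}b`;
}

// Identical source text at a different source location: a distinct site object.
function otherSite() {
  return identityTag`a${1}b`;
}

// A body that returns an object makes `new F()` return that object, so the
// call-form and construct-form of the same site must hand out one object.
function SiteConstructor() {
  return identityTag`call or construct`;
}

// Repeated calls to the same site, enough to let a JIT tier up in between,
// must keep returning the first object.
function sameSiteIsIdentical() {
  const first = oneSite();
  for (let i = 0; i < 1000; i++) {
    if (oneSite() !== first) return false;
  }
  return true;
}

function differentSitesAreDistinct() {
  return oneSite() !== otherSite();
}

function callAndConstructShareSite() {
  return SiteConstructor() === new SiteConstructor();
}

// The site object is frozen and exposes both cooked and raw strings.
function siteObjectShape(site = oneSite()) {
  return {
    frozen: Object.isFrozen(site) && Object.isFrozen(site.raw),
    cooked: Array.from(site),
    raw: Array.from(site.raw),
  };
}
```

The two failure modes the entry lists map onto `sameSiteIsIdentical` (a regenerated CodeBlock must not mint a fresh object) and `callAndConstructShareSite` (call and construct CodeBlocks must share one cache); `differentSitesAreDistinct` is the other half of "per source location", showing that identical text elsewhere is a separate site.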
194
195 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
196
197         TypedArrays should not store properties that are canonical numeric indices
198         https://bugs.webkit.org/show_bug.cgi?id=197228
199         <rdar://problem/49557381>
200
201         Reviewed by Saam Barati.
202
203         According to the spec[1]:
204         - TypedArrays should not perform an ordinary GetOwnProperty/SetOwnProperty if the index is a
205         CanonicalNumericIndexString, but invalid according to IntegerIndexedElementGet and similar
206         functions. I.e., there are a few properties that should not be set in a TypedArray, like NaN,
207         Infinity and -0.
208         - On DefineOwnProperty, the out-of-bounds check should be performed before validating the property
209         descriptor.
210         - On GetOwnProperty, the returned descriptor for numeric properties should have writable set to true.
211
212         [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-integer-indexed-exotic-objects-defineownproperty-p-desc
213
214         * CMakeLists.txt:
215         * JavaScriptCore.xcodeproj/project.pbxproj:
216         * runtime/JSGenericTypedArrayViewInlines.h:
217         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
218         (JSC::JSGenericTypedArrayView<Adaptor>::put):
219         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
220         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
221         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
222         * runtime/PropertyName.h:
223         (JSC::isCanonicalNumericIndexString):
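
The three rules the entry above lists, checked from JavaScript as an added example (not WebKit or JSC code). `isCanonicalNumericIndexString` below is an illustrative JavaScript rendering of the spec's CanonicalNumericIndexString abstract operation, not the C++ helper of the same name the patch adds to PropertyName.h; the `Uint8Array` inputs are constructed for the example. Only `writable` and `enumerable` are asserted on the descriptor, since `configurable` changed between spec editions.

```javascript
// Added example, not WebKit/JSC code: integer-indexed exotic object rules
// from the ECMAScript spec, exercised on a plain Uint8Array.

// CanonicalNumericIndexString: "-0", or a string that round-trips through
// ToNumber and ToString unchanged. Illustrative JS version of the spec op.
function isCanonicalNumericIndexString(key) {
  if (key === '-0') return true;
  return String(Number(key)) === key;
}

// Keys that are canonical numeric strings but not valid integer indices
// (NaN, Infinity, -0, non-integers, negatives, out of bounds) are neither
// stored nor reported as own properties. Reflect.set is used so the
// result is the same in strict and sloppy code: no store, no exception.
function invalidIndicesAreDropped() {
  const ta = new Uint8Array(2);
  for (const key of ['NaN', 'Infinity', '-Infinity', '-0', '1.5', '-1', '2']) {
    if (!isCanonicalNumericIndexString(key)) throw new Error('example setup: ' + key);
    Reflect.set(ta, key, 7);
    if (ta[key] !== undefined) return false;
    if (Object.prototype.hasOwnProperty.call(ta, key)) return false;
  }
  return Object.keys(ta).join(',') === '0,1' && ta[0] === 0 && ta[1] === 0;
}

// A string that is numeric but not canonical ("1.0" !== String(Number("1.0")))
// is an ordinary named property and must not alias element 1.
function nonCanonicalStringsAreOrdinaryProperties() {
  const ta = new Uint8Array(2);
  Reflect.set(ta, '1.0', 5);
  return !isCanonicalNumericIndexString('1.0') && ta['1.0'] === 5 && ta[1] === 0;
}

// DefineOwnProperty: out-of-bounds indices and accessor descriptors are
// rejected (false); a plain data value in bounds is stored.
function defineOwnPropertyRules() {
  const ta = new Uint8Array(2);
  const outOfBounds = Reflect.defineProperty(ta, 10, { value: 1 });
  const accessor = Reflect.defineProperty(ta, 0, { get() { return 1; } });
  const plainValue = Reflect.defineProperty(ta, 1, { value: 9 });
  return { outOfBounds, accessor, plainValue, stored: ta[1] };
}

// GetOwnProperty on a numeric index reports a writable, enumerable data property.
function numericDescriptorIsWritable() {
  const desc = Object.getOwnPropertyDescriptor(new Uint8Array([3]), 0);
  return desc.value === 3 && desc.writable === true && desc.enumerable === true;
}
```

Note that the ordering point in the entry (out-of-bounds check before descriptor validation) is not observable from script: `Reflect.defineProperty` returns `false` for an out-of-bounds accessor descriptor whichever check runs first, so the example only pins down the visible results.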
224
225 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
226
227         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
228         https://bugs.webkit.org/show_bug.cgi?id=197584
229
230         Reviewed by Saam Barati.
231
232         In r244864, we emit MovHint for ad-hoc created GetterCall/SetterCall frame locals on the callee side to make OSR availability analysis's pruning correct.
233         However, we only emit MovHint, and we do not emit SetLocal, since we ensured that these locals were already flushed in the same place before. However, MovHint
234         and SetLocal need to be a pair in DFGByteCodeParser because we rely on this assumption in the SSA conversion phase. The SSA conversion phase always emits KillStack
235         just before MovHint's target location even if the MovHint's target is the same as the previously emitted MovHint and SetLocal.
236         This patch emits SetLocal too when emitting MovHint for GetterCall/SetterCall frame locals.
237
238         The example is like this.
239
240             a:  SomeValueNode
241              :  MovHint(@a, loc10)
242             b:  SetLocal(@a, loc10)
243                 ...
244             c:  MovHint(@a, loc10)
245
246         Then, this will be converted to the style in SSA conversion.
247
248             a:  SomeValueNode
249              :  KillStack(loc10)
250             b:  PutStack(@a, loc10)
251                 ...
252             c:  KillStack(loc10)
253
254         Then, @b will be removed later since @c kills it.
255
256         * dfg/DFGByteCodeParser.cpp:
257         (JSC::DFG::ByteCodeParser::inlineCall):
258         * heap/MarkedBlock.cpp:
259         (JSC::MarkedBlock::MarkedBlock):
260         (JSC::MarkedBlock::Handle::stopAllocating):
261         (JSC::MarkedBlock::Handle::resumeAllocating):
262         (JSC::MarkedBlock::aboutToMarkSlow):
263         (JSC::MarkedBlock::Handle::didConsumeFreeList):
264
265 2019-05-03  Devin Rousso  <drousso@apple.com>
266
267         Web Inspector: DOM: rename "low power" to "display composited"
268         https://bugs.webkit.org/show_bug.cgi?id=197296
269
270         Reviewed by Joseph Pecoraro.
271
272         Removed specific ChangeLog entries since it is almost entirely mechanical changes.
273
274         * inspector/protocol/DOM.json:
275
276 2019-05-03  Basuke Suzuki  <Basuke.Suzuki@sony.com>
277
278         [WinCairo] Implement and enable RemoteInspector Server.
279         https://bugs.webkit.org/show_bug.cgi?id=197432
280
281         Reviewed by Ross Kirsling.
282
283         Implement the Windows implementation of the socket backend of RemoteInspector and enable it on WinCairo
284         as an experimental feature.
285 
286         Also add a listener interface for the connection between RemoteInspector and RemoteInspectorServer
287         for flexible configuration.
288
289         * PlatformWin.cmake:
290         * inspector/remote/RemoteInspector.h:
291         * inspector/remote/socket/RemoteInspectorConnectionClient.h:
292         (Inspector::RemoteInspectorConnectionClient::didAccept):
293         * inspector/remote/socket/RemoteInspectorServer.cpp:
294         (Inspector::RemoteInspectorServer::connect):
295         (Inspector::RemoteInspectorServer::listenForTargets):
296         (Inspector::RemoteInspectorServer::didAccept):
297         (Inspector::RemoteInspectorServer::dispatchMap):
298         (Inspector::RemoteInspectorServer::start):
299         (Inspector::RemoteInspectorServer::addServerConnection): Deleted.
300         * inspector/remote/socket/RemoteInspectorServer.h:
301         (Inspector::RemoteInspectorServer::RemoteInspectorServer):
302         * inspector/remote/socket/RemoteInspectorSocket.cpp:
303         (Inspector::RemoteInspector::RemoteInspector):
304         (Inspector::RemoteInspector::dispatchMap):
305         (Inspector::RemoteInspector::start):
306         (Inspector::RemoteInspector::stopInternal):
307         (Inspector::RemoteInspector::setServerPort):
308         * inspector/remote/socket/RemoteInspectorSocket.h:
309         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
310         (Inspector::RemoteInspectorSocketEndpoint::listenInet):
311         (Inspector::RemoteInspectorSocketEndpoint::getPort const):
312         (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
313         * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
314         * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp:
315         (Inspector::Socket::init): Added.
316         (Inspector::Socket::listen): Signature changed.
317         (Inspector::Socket::getPort): Added.
318         * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp: Added.
319         (Inspector::Socket::init):
320         (Inspector::Socket::Socket::Socket):
321         (Inspector::Socket::Socket::~Socket):
322         (Inspector::Socket::Socket::close):
323         (Inspector::Socket::Socket::operator PlatformSocketType const):
324         (Inspector::Socket::Socket::operator bool const):
325         (Inspector::Socket::Socket::leak):
326         (Inspector::Socket::Socket::create):
327         (Inspector::Socket::setOpt):
328         (Inspector::Socket::setOptEnabled):
329         (Inspector::Socket::enableOpt):
330         (Inspector::Socket::connectTo):
331         (Inspector::Socket::bindAndListen):
332         (Inspector::Socket::connect):
333         (Inspector::Socket::listen):
334         (Inspector::Socket::accept):
335         (Inspector::Socket::createPair):
336         (Inspector::Socket::setup):
337         (Inspector::Socket::isValid):
338         (Inspector::Socket::isListening):
339         (Inspector::Socket::getPort):
340         (Inspector::Socket::read):
341         (Inspector::Socket::write):
342         (Inspector::Socket::close):
343         (Inspector::Socket::preparePolling):
344         (Inspector::Socket::poll):
345         (Inspector::Socket::isReadable):
346         (Inspector::Socket::isWritable):
347         (Inspector::Socket::markWaitingWritable):
348         (Inspector::Socket::clearWaitingWritable):
349
350 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
351
352         [JSC] Generator CodeBlock generation should be idempotent
353         https://bugs.webkit.org/show_bug.cgi?id=197552
354
355         Reviewed by Keith Miller.
356
357         An ES6 generator saves and resumes the current execution state. Since an ES6 generator can save the execution state at expression
358         granularity (not statement granularity), the saved state involves locals. But if the underlying CodeBlock is jettisoned and
359         recompiled with different code generation options (like debugger, type profiler, etc.), the generated instructions can be largely
360         different and will not have the same state that was previously used. If we resume the previously created generator with the newly
361         generated generator function, resuming is messed up.
362
363             function* gen () { ... }
364             var g = gen();
365             g.next();
366
367             // CodeBlock is destroyed & Debugger is enabled.
368
369             g.next();
370
371         In this patch,
372
373         1. In generatorification, we use an index Identifier (localN => Identifier("N")) instead of private symbols to generate the same
374            instructions every time we regenerate the CodeBlock.
375 
376         2. We decouple the options which can affect the generated code (Debugger, TypeProfiler, ControlFlowProfiler) from the BytecodeGenerator,
377            and pass them as a parameter, OptionSet<CodeGeneratorMode>.
378 
379         3. The generator's ScriptExecutable remembers the previous CodeGeneratorMode and reuses this parameter to regenerate the CodeBlock. This means that,
380            even if the debugger is enabled, previously created generators are not debuggable. But newly created generators are debuggable.
381
382         * bytecode/BytecodeGeneratorification.cpp:
383         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
384         (JSC::BytecodeGeneratorification::run):
385         * bytecode/CodeBlock.cpp:
386         (JSC::CodeBlock::finishCreation):
387         (JSC::CodeBlock::setConstantRegisters):
388         * bytecode/UnlinkedCodeBlock.cpp:
389         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
390         * bytecode/UnlinkedCodeBlock.h:
391         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes const):
392         (JSC::UnlinkedCodeBlock::wasCompiledWithTypeProfilerOpcodes const):
393         (JSC::UnlinkedCodeBlock::wasCompiledWithControlFlowProfilerOpcodes const):
394         (JSC::UnlinkedCodeBlock::codeGenerationMode const):
395         * bytecode/UnlinkedEvalCodeBlock.h:
396         * bytecode/UnlinkedFunctionCodeBlock.h:
397         * bytecode/UnlinkedFunctionExecutable.cpp:
398         (JSC::generateUnlinkedFunctionCodeBlock):
399         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
400         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
401         * bytecode/UnlinkedFunctionExecutable.h:
402         * bytecode/UnlinkedGlobalCodeBlock.h:
403         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
404         * bytecode/UnlinkedModuleProgramCodeBlock.h:
405         * bytecode/UnlinkedProgramCodeBlock.h:
406         * bytecompiler/BytecodeGenerator.cpp:
407         (JSC::BytecodeGenerator::BytecodeGenerator):
408         (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
409         (JSC::BytecodeGenerator::emitProfileType):
410         (JSC::BytecodeGenerator::emitProfileControlFlow):
411         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
412         (JSC::BytecodeGenerator::popLexicalScopeInternal):
413         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
414         (JSC::BytecodeGenerator::emitCall):
415         (JSC::BytecodeGenerator::emitCallVarargs):
416         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
417         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
418         (JSC::BytecodeGenerator::emitDebugHook):
419         * bytecompiler/BytecodeGenerator.h:
420         (JSC::BytecodeGenerator::generate):
421         (JSC::BytecodeGenerator::shouldEmitDebugHooks const):
422         (JSC::BytecodeGenerator::shouldEmitTypeProfilerHooks const):
423         (JSC::BytecodeGenerator::shouldEmitControlFlowProfilerHooks const):
424         * bytecompiler/NodesCodegen.cpp:
425         (JSC::PrefixNode::emitResolve):
426         (JSC::EmptyVarExpression::emitBytecode):
427         (JSC::ReturnNode::emitBytecode):
428         (JSC::FunctionNode::emitBytecode):
429         * parser/ParserModes.h:
430         (): Deleted.
431         * parser/SourceCodeKey.h:
432         (JSC::SourceCodeFlags::SourceCodeFlags):
433         (JSC::SourceCodeKey::SourceCodeKey):
434         * runtime/CachedTypes.cpp:
435         (JSC::CachedCodeBlock::isClassContext const):
436         (JSC::CachedCodeBlock::codeGenerationMode const):
437         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
438         (JSC::CachedCodeBlock<CodeBlockType>::encode):
439         (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const): Deleted.
440         * runtime/CodeCache.cpp:
441         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
442         (JSC::CodeCache::getUnlinkedProgramCodeBlock):
443         (JSC::CodeCache::getUnlinkedEvalCodeBlock):
444         (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
445         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
446         (JSC::generateUnlinkedCodeBlockForFunctions):
447         (JSC::sourceCodeKeyForSerializedBytecode):
448         (JSC::sourceCodeKeyForSerializedProgram):
449         (JSC::sourceCodeKeyForSerializedModule):
450         (JSC::serializeBytecode):
451         * runtime/CodeCache.h:
452         (JSC::generateUnlinkedCodeBlockImpl):
453         (JSC::generateUnlinkedCodeBlock):
454         * runtime/Completion.cpp:
455         (JSC::generateProgramBytecode):
456         (JSC::generateModuleBytecode):
457         * runtime/DirectEvalExecutable.cpp:
458         (JSC::DirectEvalExecutable::create):
459         * runtime/IndirectEvalExecutable.cpp:
460         (JSC::IndirectEvalExecutable::create):
461         * runtime/JSGlobalObject.h:
462         (JSC::JSGlobalObject::defaultCodeGenerationMode const):
463         * runtime/ModuleProgramExecutable.cpp:
464         (JSC::ModuleProgramExecutable::create):
465         * runtime/ProgramExecutable.cpp:
466         (JSC::ProgramExecutable::initializeGlobalProperties):
467         * runtime/ScriptExecutable.cpp:
468         (JSC::ScriptExecutable::ScriptExecutable):
469         (JSC::ScriptExecutable::newCodeBlockFor):
470         * runtime/ScriptExecutable.h:
471         * tools/JSDollarVM.cpp:
472         (JSC::changeDebuggerModeWhenIdle):
473         (JSC::functionEnableDebuggerModeWhenIdle):
474         (JSC::functionDisableDebuggerModeWhenIdle):
475
476 2019-05-03  Devin Rousso  <drousso@apple.com>
477
478         Web Inspector: Record actions performed on WebGL2RenderingContext
479         https://bugs.webkit.org/show_bug.cgi?id=176008
480         <rdar://problem/34213884>
481
482         Reviewed by Joseph Pecoraro.
483
484         * inspector/protocol/Recording.json:
485         * inspector/scripts/codegen/generator.py:
486         Add `canvas-webgl2` as a `Type`.
487
488 2019-05-03  Commit Queue  <commit-queue@webkit.org>
489
490         Unreviewed, rolling out r244881.
491         https://bugs.webkit.org/show_bug.cgi?id=197559
492
493         Breaks compilation of jsconly on linux, breaking compilation
494         for jsc-i386-ews, jsc-mips-ews and jsc-armv7-ews (Requested by
495         guijemont on #webkit).
496
497         Reverted changeset:
498
499         "[CMake] Refactor WEBKIT_MAKE_FORWARDING_HEADERS into
500         WEBKIT_COPY_FILES"
501         https://bugs.webkit.org/show_bug.cgi?id=197174
502         https://trac.webkit.org/changeset/244881
503
504 2019-05-02  Don Olmstead  <don.olmstead@sony.com>
505
506         [CMake] Refactor WEBKIT_MAKE_FORWARDING_HEADERS into WEBKIT_COPY_FILES
507         https://bugs.webkit.org/show_bug.cgi?id=197174
508
509         Reviewed by Alex Christensen.
510
511         Replace WEBKIT_MAKE_FORWARDING_HEADERS with WEBKIT_COPY_FILES and make dependencies
512         for framework headers explicit.
513
514         * CMakeLists.txt:
515
516 2019-05-02  Michael Saboff  <msaboff@apple.com>
517
518         Unreviewed rollout of r244862.
519
520         * runtime/JSObject.cpp:
521         (JSC::JSObject::getOwnPropertyDescriptor):
522
523 2019-05-01  Saam barati  <sbarati@apple.com>
524
525         Baseline JIT should do argument value profiling after checking for stack overflow
526         https://bugs.webkit.org/show_bug.cgi?id=197052
527         <rdar://problem/50009602>
528
529         Reviewed by Yusuke Suzuki.
530
531         Otherwise, we may do value profiling without running a write barrier, which
532         is against the rules of how we do value profiling.
533
534         * jit/JIT.cpp:
535         (JSC::JIT::compileWithoutLinking):
536
537 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
538
539         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
540         https://bugs.webkit.org/show_bug.cgi?id=197405
541
542         Reviewed by Saam Barati.
543
544         When inlining getter and setter calls, we set up a stack frame which does not appear in the bytecode.
545         Because inlining can switch on the executable, we could have a graph like this.
546
547         BB#0
548             ...
549             30: GetSetter
550             31: MovHint(loc10)
551             32: SetLocal(loc10)
552             33: MovHint(loc9)
553             34: SetLocal(loc9)
554             ...
555             37: GetExecutable(@30)
556             ...
557             41: Switch(@37)
558
559         BB#2
560             42: GetLocal(loc12, bc#7 of caller)
561             ...
562             --> callee: loc9 and loc10 are arguments of callee.
563               ...
564               <HERE, exit to callee, loc9 and loc10 are required in the bytecode>
565
566         When we prune OSR availability at the beginning of BB#2 (bc#7 in the caller), we prune loc9 and loc10's liveness because the caller does not actually have loc9 and loc10.
567         However, when we begin executing the callee, we need OSR exit to be aware of where it can recover the arguments to the setter, loc9 and loc10.
568
569         This patch inserts MovHint at the beginning of the callee for a getter / setter stack frame to make the arguments (loc9 and loc10 in the above example) recoverable from OSR exit.
570         We also move the arity fixup DFG nodes from the caller to the callee, since the moved arguments are not live in the caller either.
571
572         Interestingly, this fix also reveals an existing issue in LiveCatchVariablePreservationPhase. We emitted Flush for |this| of an InlineCallFrame blindly if we saw the InlineCallFrame
573         inside a block which is covered by a catch handler. But this is wrong because an inlined function can finish its execution within the block, and |this| is completely unrelated to
574         the catch handler if the catch handler is in the outer callee. We already collect all the live locals at the catch handler. And these locals must include arguments too if the
575         catch handler is in an inlined function. So, we should not emit Flush for each |this| of the seen InlineCallFrames. This emitted Flush may connect unrelated locals in the catch handler
576         to locals that are only defined and used in the inlined function, and it leads to results like DFG saying the local is live while the bytecode says the local is dead.
577         This results in reading and using garbage in OSR entry because DFG OSR entry needs to fill live DFG values from the stack.
578
579         * dfg/DFGByteCodeParser.cpp:
580         (JSC::DFG::ByteCodeParser::inlineCall):
581         (JSC::DFG::ByteCodeParser::handleGetById):
582         (JSC::DFG::ByteCodeParser::handlePutById):
583         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
584         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
585
586 2019-05-01  Michael Saboff  <msaboff@apple.com>
587
588         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
589         https://bugs.webkit.org/show_bug.cgi?id=197485
590
591         Reviewed by Saam Barati.
592
593         Added an EXCEPTION_ASSERT after call to getOwnPropertySlot().
594
595         * runtime/JSObject.cpp:
596         (JSC::JSObject::getOwnPropertyDescriptor):
597
598 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
599
600         RemoteInspector::updateAutomaticInspectionCandidate should have a default implementation.
601         https://bugs.webkit.org/show_bug.cgi?id=197439
602
603         Reviewed by Devin Rousso.
604
605         On non-Cocoa platforms, automatic inspection is not currently implemented,
606         so updateAutomaticInspectionCandidate falls back to the logic of updateTarget.
607         This logic already existed in three places, so refactor it into a common private method
608         and allow our websocket-based RWI implementation to make use of it too.
609
610         * inspector/remote/RemoteInspector.cpp:
611         (Inspector::RemoteInspector::updateTarget):
612         (Inspector::RemoteInspector::updateTargetMap):
613         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
614         * inspector/remote/RemoteInspector.h:
615         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
616         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
617         * inspector/remote/glib/RemoteInspectorGlib.cpp:
618         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate): Deleted.
619         * inspector/remote/socket/RemoteInspectorSocket.cpp:
620         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate): Deleted.
621
622 2019-05-01  Darin Adler  <darin@apple.com>
623
624         WebKit has too much of its own UTF-8 code and should rely more on ICU's UTF-8 support
625         https://bugs.webkit.org/show_bug.cgi?id=195535
626
627         Reviewed by Alexey Proskuryakov.
628
629         * API/JSClassRef.cpp: Removed unneeded include of UTF8Conversion.h.
630
631         * API/JSStringRef.cpp:
632         (JSStringCreateWithUTF8CString): Updated for changes to convertUTF8ToUTF16.
633         (JSStringGetUTF8CString): Updated for changes to convertLatin1ToUTF8.
634         Removed unneeded "true" to get the strict version of convertUTF16ToUTF8,
635         since that is the default. Also updated for changes to CompletionResult.
636
637         * runtime/JSGlobalObjectFunctions.cpp:
638         (JSC::decode): Stop using UTF8SequenceLength, and instead use U8_COUNT_TRAIL_BYTES
639         and U8_MAX_LENGTH. Instead of decodeUTF8Sequence, use U8_NEXT. Also use U_IS_BMP,
640         U_IS_SUPPLEMENTARY, U16_LEAD, U16_TRAIL, and U_IS_SURROGATE instead of our own
641         equivalents, since these macros from ICU are correct and efficient.
642
643         * wasm/WasmParser.h:
644         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String): Updated for changes to
645         convertUTF8ToUTF16.
646
647 2019-05-01  Shawn Roberts  <sroberts@apple.com>
648
649         Unreviewed, rolling out r244821.
650
651         Causing
652
653         Reverted changeset:
654
655         "WebKit has too much of its own UTF-8 code and should rely
656         more on ICU's UTF-8 support"
657         https://bugs.webkit.org/show_bug.cgi?id=195535
658         https://trac.webkit.org/changeset/244821
659
660 2019-04-29  Darin Adler  <darin@apple.com>
661
662         WebKit has too much of its own UTF-8 code and should rely more on ICU's UTF-8 support
663         https://bugs.webkit.org/show_bug.cgi?id=195535
664
665         Reviewed by Alexey Proskuryakov.
666
667         * API/JSClassRef.cpp: Removed unneeded include of UTF8Conversion.h.
668
669         * API/JSStringRef.cpp:
670         (JSStringCreateWithUTF8CString): Updated for changes to convertUTF8ToUTF16.
671         (JSStringGetUTF8CString): Updated for changes to convertLatin1ToUTF8.
672         Removed unneeded "true" to get the strict version of convertUTF16ToUTF8,
673         since that is the default. Also updated for changes to CompletionResult.
674
675         * runtime/JSGlobalObjectFunctions.cpp:
676         (JSC::decode): Stop using UTF8SequenceLength, and instead use U8_COUNT_TRAIL_BYTES
677         and U8_MAX_LENGTH. Instead of decodeUTF8Sequence, use U8_NEXT. Also use U_IS_BMP,
678         U_IS_SUPPLEMENTARY, U16_LEAD, U16_TRAIL, and U_IS_SURROGATE instead of our own
679         equivalents, since these macros from ICU are correct and efficient.
680
681         * wasm/WasmParser.h:
682         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String): Updated for changes to
683         convertUTF8ToUTF16.
684
685 2019-04-30  Commit Queue  <commit-queue@webkit.org>
686
687         Unreviewed, rolling out r244806.
688         https://bugs.webkit.org/show_bug.cgi?id=197446
689
690         Causing Test262 and JSC test failures on multiple builds
691         (Requested by ShawnRoberts on #webkit).
692
693         Reverted changeset:
694
695         "TypeArrays should not store properties that are canonical
696         numeric indices"
697         https://bugs.webkit.org/show_bug.cgi?id=197228
698         https://trac.webkit.org/changeset/244806
699
700 2019-04-30  Saam Barati  <sbarati@apple.com>
701
702         CodeBlock::m_instructionCount is wrong
703         https://bugs.webkit.org/show_bug.cgi?id=197304
704
705         Reviewed by Yusuke Suzuki.
706
707         What we were calling instructionCount() was wrong, as evidenced by
708         us using it incorrectly both in the sampling profiler and when we
709         dumped bytecode for a given CodeBlock. Prior to the bytecode rewrite,
710         instructionCount() was probably valid to do bounds checks against.
711         However, this is no longer the case. This patch renames what we called
712         instructionCount() to bytecodeCost(). It is now only used to make decisions
713         about inlining and tier up heuristics. I've also named options related to
714         this appropriately.
715         
716         This patch also introduces instructionsSize(). The result of this method
717         is valid to do bounds checks against.
718
719         * bytecode/CodeBlock.cpp:
720         (JSC::CodeBlock::dumpAssumingJITType const):
721         (JSC::CodeBlock::CodeBlock):
722         (JSC::CodeBlock::finishCreation):
723         (JSC::CodeBlock::optimizationThresholdScalingFactor):
724         (JSC::CodeBlock::predictedMachineCodeSize):
725         * bytecode/CodeBlock.h:
726         (JSC::CodeBlock::instructionsSize const):
727         (JSC::CodeBlock::bytecodeCost const):
728         (JSC::CodeBlock::instructionCount const): Deleted.
729         * dfg/DFGByteCodeParser.cpp:
730         (JSC::DFG::ByteCodeParser::inliningCost):
731         (JSC::DFG::ByteCodeParser::getInliningBalance):
732         * dfg/DFGCapabilities.cpp:
733         (JSC::DFG::mightCompileEval):
734         (JSC::DFG::mightCompileProgram):
735         (JSC::DFG::mightCompileFunctionForCall):
736         (JSC::DFG::mightCompileFunctionForConstruct):
737         (JSC::DFG::mightInlineFunctionForCall):
738         (JSC::DFG::mightInlineFunctionForClosureCall):
739         (JSC::DFG::mightInlineFunctionForConstruct):
740         * dfg/DFGCapabilities.h:
741         (JSC::DFG::isSmallEnoughToInlineCodeInto):
742         * dfg/DFGDisassembler.cpp:
743         (JSC::DFG::Disassembler::dumpHeader):
744         * dfg/DFGDriver.cpp:
745         (JSC::DFG::compileImpl):
746         * dfg/DFGPlan.cpp:
747         (JSC::DFG::Plan::compileInThread):
748         * dfg/DFGTierUpCheckInjectionPhase.cpp:
749         (JSC::DFG::TierUpCheckInjectionPhase::run):
750         * ftl/FTLCapabilities.cpp:
751         (JSC::FTL::canCompile):
752         * ftl/FTLCompile.cpp:
753         (JSC::FTL::compile):
754         * ftl/FTLLink.cpp:
755         (JSC::FTL::link):
756         * jit/JIT.cpp:
757         (JSC::JIT::link):
758         * jit/JITDisassembler.cpp:
759         (JSC::JITDisassembler::dumpHeader):
760         * llint/LLIntSlowPaths.cpp:
761         (JSC::LLInt::shouldJIT):
762         * profiler/ProfilerBytecodes.cpp:
763         (JSC::Profiler::Bytecodes::Bytecodes):
764         * runtime/Options.h:
765         * runtime/SamplingProfiler.cpp:
766         (JSC::tryGetBytecodeIndex):
767         (JSC::SamplingProfiler::processUnverifiedStackTraces):
768
769 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
770
771         TypeArrays should not store properties that are canonical numeric indices
772         https://bugs.webkit.org/show_bug.cgi?id=197228
773         <rdar://problem/49557381>
774
775         Reviewed by Darin Adler.
776
777         According to the spec[1], TypedArrays should not perform an ordinary GetOwnProperty/SetOwnProperty
778         if the index is a CanonicalNumericIndexString, but invalid according to IntegerIndexedElementGet
779         and similar functions. I.e., there are a few properties that should not be set in a TypedArray,
780         like NaN, Infinity and -0.
781
782         [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-integer-indexed-exotic-objects-defineownproperty-p-desc
783
784         * CMakeLists.txt:
785         * JavaScriptCore.xcodeproj/project.pbxproj:
786         * runtime/JSGenericTypedArrayViewInlines.h:
787         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
788         (JSC::JSGenericTypedArrayView<Adaptor>::put):
789         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
790         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
791         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
792         * runtime/JSTypedArrays.cpp:
793         * runtime/PropertyName.h:
794         (JSC::canonicalNumericIndexString):
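
        The rule this entry implements, as an added example that is not part of this ChangeLog or of
        JavaScriptCore's own code: a spec-compliant engine must not create an own property on a TypedArray
        when the key is a CanonicalNumericIndexString that is not a valid integer index (NaN, Infinity, -0,
        fractional or negative values, or an index past the end), while keys that are not canonical (such
        as "01" or "1e3") fall through to ordinary property handling. The block below models that rule and
        compares it against the engine it runs in; every helper name and the sample keys are my own.

```javascript
// Added example (not JavaScriptCore code): probes how a TypedArray handles
// string keys under the Integer-Indexed exotic object rules this entry
// refers to. All helper names are invented for this example.

// Mirrors the spec's CanonicalNumericIndexString: "-0" is canonical, and any
// other key is canonical only if ToString(ToNumber(key)) gives the key back.
function canonicalNumericIndex(key) {
  if (key === "-0") return -0;
  const n = Number(key);
  return String(n) === key ? n : undefined;
}

// A canonical numeric key is a usable element index only when it is an
// integer (not -0) inside [0, length).
function isValidIntegerIndex(n, length) {
  return Number.isInteger(n) && !Object.is(n, -0) && n >= 0 && n < length;
}

// Spec model: should `ta[key] = v` leave an own property behind?
//  - non-canonical key       -> ordinary property, stored
//  - canonical, valid index  -> element write, stored
//  - canonical, invalid      -> silently dropped (NaN, Infinity, -0, 1.5, -1, out of bounds)
function expectedToStore(key, length = 4) {
  const n = canonicalNumericIndex(key);
  if (n === undefined) return true;
  return isValidIntegerIndex(n, length);
}

// Engine behaviour: assign through the view and see whether the key became
// an own property (element or ordinary).
function storesOwnProperty(key, length = 4) {
  const ta = new Uint8Array(length);
  try {
    ta[key] = 1;
  } catch (e) {
    // Older spec text let a strict-mode write to an invalid index throw a
    // TypeError; newer text ignores it. Either way nothing may be stored.
  }
  return Object.prototype.hasOwnProperty.call(ta, key);
}

// Runs engine and model over a set of keys and returns the disagreements.
function probe(keys, length = 4) {
  const mismatches = [];
  for (const key of keys) {
    const engine = storesOwnProperty(key, length);
    const model = expectedToStore(key, length);
    if (engine !== model) mismatches.push({ key, engine, model });
  }
  return mismatches;
}

// Constructed sample keys covering all three outcomes.
const SAMPLE_KEYS = [
  "NaN", "Infinity", "-Infinity", "-0", "1.5", "-1", "4", // canonical, invalid: dropped
  "0", "3",                                              // canonical, valid: elements
  "01", "1e3", "foo",                                    // not canonical: ordinary properties
];
```

        probe(SAMPLE_KEYS) returns an empty list on an engine that follows the rule; any entry it returns
        names a key on which the engine and the spec model disagree.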
795
796 2019-04-30  Brian Burg  <bburg@apple.com>
797
798         Web Automation: use a more informative key to indicate automation availability
799         https://bugs.webkit.org/show_bug.cgi?id=197377
800         <rdar://problem/50258069>
801
802         Reviewed by Devin Rousso.
803
804         The existing WIRAutomationEnabledKey does not encode uncertainty.
805         Add a new key that provides an 'Unknown' state, and prefer to use it.
806
807         Since an application's initial listing is sent from a background dispatch queue
808         on Cocoa platforms, this can race with main thread initialization that sets up
809         RemoteInspector::Client. Therefore, the initial listing may not properly represent
810         the client's capabilities because the client is not yet available. Allowing for
811         an "Unknown" state that is later upgraded to Available or Not Available makes it
812         possible to work around this potential race.
813
814         * inspector/remote/RemoteInspectorConstants.h:
815         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
816         (Inspector::RemoteInspector::pushListingsNow):
817
818 2019-04-30  Keith Miller  <keith_miller@apple.com>
819
820         Fix failing ARM64E wasm tests
821         https://bugs.webkit.org/show_bug.cgi?id=197420
822
823         Reviewed by Saam Barati.
824
825         This patch fixes a bug in the slow path of our JS->Wasm IC bridge
826         where we wouldn't untag the link register before tail calling.
827
828         Additionally, this patch fixes a broken assert when setting
829         Options::useTailCalls=false.
830
831         * bytecompiler/BytecodeGenerator.cpp:
832         (JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition):
833         * wasm/js/WebAssemblyFunction.cpp:
834         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
835
836 2019-04-29  Saam Barati  <sbarati@apple.com>
837
838         Make JITType an enum class
839         https://bugs.webkit.org/show_bug.cgi?id=197394
840
841         Reviewed by Yusuke Suzuki.
842
843         This makes the code more easily searchable.
844
845         * bytecode/CallLinkStatus.cpp:
846         (JSC::CallLinkStatus::computeFor):
847         * bytecode/CodeBlock.cpp:
848         (JSC::CodeBlock::dumpAssumingJITType const):
849         (JSC::CodeBlock::specialOSREntryBlockOrNull):
850         (JSC::timeToLive):
851         (JSC::CodeBlock::propagateTransitions):
852         (JSC::CodeBlock::baselineAlternative):
853         (JSC::CodeBlock::baselineVersion):
854         (JSC::CodeBlock::hasOptimizedReplacement):
855         (JSC::CodeBlock::noticeIncomingCall):
856         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
857         (JSC::CodeBlock::tallyFrequentExitSites):
858         (JSC::CodeBlock::frameRegisterCount):
859         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
860         * bytecode/CodeBlock.h:
861         (JSC::CodeBlock::jitType const):
862         (JSC::CodeBlock::hasBaselineJITProfiling const):
863         * bytecode/CodeBlockWithJITType.h:
864         (JSC::CodeBlockWithJITType::CodeBlockWithJITType):
865         * bytecode/DeferredSourceDump.cpp:
866         (JSC::DeferredSourceDump::DeferredSourceDump):
867         * bytecode/DeferredSourceDump.h:
868         * bytecode/ExitingJITType.h:
869         (JSC::exitingJITTypeFor):
870         * bytecode/InlineCallFrame.h:
871         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
872         * dfg/DFGByteCodeParser.cpp:
873         (JSC::DFG::ByteCodeParser::parseCodeBlock):
874         * dfg/DFGDisassembler.cpp:
875         (JSC::DFG::Disassembler::dumpHeader):
876         * dfg/DFGDriver.cpp:
877         (JSC::DFG::compileImpl):
878         * dfg/DFGGraph.cpp:
879         (JSC::DFG::Graph::dump):
880         * dfg/DFGJITCode.cpp:
881         (JSC::DFG::JITCode::JITCode):
882         (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
883         (JSC::DFG::JITCode::optimizeNextInvocation):
884         (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
885         (JSC::DFG::JITCode::optimizeAfterWarmUp):
886         (JSC::DFG::JITCode::optimizeSoon):
887         (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
888         (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
889         * dfg/DFGJITFinalizer.cpp:
890         (JSC::DFG::JITFinalizer::finalize):
891         (JSC::DFG::JITFinalizer::finalizeFunction):
892         * dfg/DFGOSREntry.cpp:
893         (JSC::DFG::prepareOSREntry):
894         (JSC::DFG::prepareCatchOSREntry):
895         * dfg/DFGOSRExit.cpp:
896         (JSC::DFG::OSRExit::executeOSRExit):
897         (JSC::DFG::reifyInlinedCallFrames):
898         (JSC::DFG::OSRExit::compileOSRExit):
899         * dfg/DFGOSRExitCompilerCommon.cpp:
900         (JSC::DFG::handleExitCounts):
901         (JSC::DFG::reifyInlinedCallFrames):
902         (JSC::DFG::adjustAndJumpToTarget):
903         * dfg/DFGOSRExitCompilerCommon.h:
904         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
905         * dfg/DFGOperations.cpp:
906         * dfg/DFGThunks.cpp:
907         (JSC::DFG::osrExitGenerationThunkGenerator):
908         * dfg/DFGVariableEventStream.cpp:
909         (JSC::DFG::VariableEventStream::reconstruct const):
910         * ftl/FTLCompile.cpp:
911         (JSC::FTL::compile):
912         * ftl/FTLJITCode.cpp:
913         (JSC::FTL::JITCode::JITCode):
914         * ftl/FTLJITFinalizer.cpp:
915         (JSC::FTL::JITFinalizer::finalizeCommon):
916         * ftl/FTLLink.cpp:
917         (JSC::FTL::link):
918         * ftl/FTLOSRExitCompiler.cpp:
919         (JSC::FTL::compileFTLOSRExit):
920         * ftl/FTLThunks.cpp:
921         (JSC::FTL::genericGenerationThunkGenerator):
922         * interpreter/CallFrame.cpp:
923         (JSC::CallFrame::callSiteBitsAreBytecodeOffset const):
924         (JSC::CallFrame::callSiteBitsAreCodeOriginIndex const):
925         * interpreter/StackVisitor.cpp:
926         (JSC::StackVisitor::Frame::dump const):
927         * jit/AssemblyHelpers.h:
928         (JSC::AssemblyHelpers::AssemblyHelpers):
929         * jit/JIT.cpp:
930         (JSC::JIT::link):
931         * jit/JITCode.cpp:
932         (JSC::JITCode::typeName):
933         (WTF::printInternal):
934         * jit/JITCode.h:
935         (JSC::JITCode::bottomTierJIT):
936         (JSC::JITCode::topTierJIT):
937         (JSC::JITCode::nextTierJIT):
938         (JSC::JITCode::isExecutableScript):
939         (JSC::JITCode::couldBeInterpreted):
940         (JSC::JITCode::isJIT):
941         (JSC::JITCode::isOptimizingJIT):
942         (JSC::JITCode::isBaselineCode):
943         (JSC::JITCode::jitTypeFor):
944         * jit/JITDisassembler.cpp:
945         (JSC::JITDisassembler::dumpHeader):
946         * jit/JITOperations.cpp:
947         * jit/JITThunks.cpp:
948         (JSC::JITThunks::hostFunctionStub):
949         * jit/JITToDFGDeferredCompilationCallback.cpp:
950         (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
951         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
952         * jit/JITWorklist.cpp:
953         (JSC::JITWorklist::compileLater):
954         (JSC::JITWorklist::compileNow):
955         * jit/Repatch.cpp:
956         (JSC::readPutICCallTarget):
957         (JSC::ftlThunkAwareRepatchCall):
958         * llint/LLIntEntrypoint.cpp:
959         (JSC::LLInt::setFunctionEntrypoint):
960         (JSC::LLInt::setEvalEntrypoint):
961         (JSC::LLInt::setProgramEntrypoint):
962         (JSC::LLInt::setModuleProgramEntrypoint):
963         * llint/LLIntSlowPaths.cpp:
964         (JSC::LLInt::jitCompileAndSetHeuristics):
965         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
966         * runtime/SamplingProfiler.cpp:
967         (JSC::SamplingProfiler::processUnverifiedStackTraces):
968         * runtime/SamplingProfiler.h:
969         * runtime/VM.cpp:
970         (JSC::jitCodeForCallTrampoline):
971         (JSC::jitCodeForConstructTrampoline):
972         * tools/CodeProfile.cpp:
973         (JSC::CodeProfile::sample):
974         * tools/JSDollarVM.cpp:
975         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
976         (JSC::CallerFrameJITTypeFunctor::jitType):
977         (JSC::functionLLintTrue):
978         (JSC::functionJITTrue):
979
980 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
981
982         Unreviewed, fix FTL implementation of r244760
983         https://bugs.webkit.org/show_bug.cgi?id=197362
984
985         Reviewed by Saam Barati.
986
987         Looked at this with Saam. The ValueFromBlock from the double case block was now being overridden by the NaN one.
988
989         * ftl/FTLLowerDFGToB3.cpp:
990         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
991
992 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
993
994         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
995         https://bugs.webkit.org/show_bug.cgi?id=197362
996
997         Reviewed by Saam Barati.
998
999         Our Map/Set's hash algorithm relies on the bit pattern of JSValue. So our Map/Set has
1000         normalization of the key, which normalizes Int32 / Double etc. But we did not normalize
1001         pure NaNs into one canonicalized pure NaN. So we end up having multiple different pure NaNs
1002         in one Map/Set. This patch normalizes NaN into one jsNaN(), which uses PNaN for the representation.
1003
1004         * dfg/DFGSpeculativeJIT.cpp:
1005         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1006         * ftl/FTLLowerDFGToB3.cpp:
1007         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
1008         * runtime/HashMapImpl.h:
1009         (JSC::normalizeMapKey):
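
        What the normalization guarantees at the language level, as an added example that is not part of
        this ChangeLog or of JavaScriptCore's code: NaN values with different payload bits must act as one
        Map/Set key. A hash keyed on the raw JSValue bit pattern without normalization would instead hand
        back several entries for "the same" NaN. The helper names and the constructed payloads are my own.

```javascript
// Added example (not JavaScriptCore code): builds NaNs with different
// payload bits and checks that Map/Set treat them as a single key, which is
// the observable guarantee behind normalizing NaN keys to one bit pattern.
// Helper names are invented for this example.

// Builds a quiet NaN whose low 32 payload bits are `payloadLow32`.
function makeNaNWithPayload(payloadLow32) {
  const view = new DataView(new ArrayBuffer(8));
  view.setUint32(0, 0x7ff80000);          // sign 0, exponent all ones, quiet bit set
  view.setUint32(4, payloadLow32 >>> 0);  // arbitrary payload bits
  return view.getFloat64(0);
}

// Raw IEEE-754 bits of a double as a 16-digit hex string, so the caller can
// see whether the engine preserved the payload it was given.
function doubleBits(x) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, x);
  return view.getUint32(0).toString(16).padStart(8, "0")
       + view.getUint32(4).toString(16).padStart(8, "0");
}

// Inserts several distinct-looking NaNs as keys and reports what the
// collections did with them.
function nanKeyBehaviour() {
  const a = makeNaNWithPayload(0x00000001);
  const b = makeNaNWithPayload(0xdeadbeef);
  const c = 0 / 0;

  const m = new Map();
  m.set(a, "a");
  m.set(b, "b");   // must overwrite "a", not add a second entry
  m.set(c, "c");   // likewise

  const s = new Set([a, b, c, NaN]);

  return {
    allNaN: [a, b, c].every(Number.isNaN),
    // May be false on an engine that canonicalizes NaN when loading it;
    // reported, not relied upon.
    bitsDiffer: doubleBits(a) !== doubleBits(b),
    mapSize: m.size,
    lookup: m.get(NaN),
    setSize: s.size,
    // Array.prototype.includes uses the same SameValueZero comparison.
    sameValueZero: [NaN].includes(a) && [a].includes(b),
  };
}
```

        On a conforming engine nanKeyBehaviour() reports mapSize 1, setSize 1 and lookup "c": the last
        write wins because all three NaNs are the same key.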
1010
1011 2019-04-29  Alex Christensen  <achristensen@webkit.org>
1012
1013         <rdar://problem/50299396> Fix internal High Sierra build
1014         https://bugs.webkit.org/show_bug.cgi?id=197388
1015
1016         * Configurations/Base.xcconfig:
1017
1018 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
1019
1020         JITStubRoutineSet wastes 180KB of HashTable capacity on can.com
1021         https://bugs.webkit.org/show_bug.cgi?id=186732
1022
1023         Reviewed by Saam Barati.
1024
1025         Our current JITStubRoutineSet mechanism consumes more memory than needed. Basically we have a HashMap<uintptr_t, StubRoutine*> and register
1026         every 16 bytes of executable address range as an entry in it. So if your StubRoutine has 128 bytes, it adds 8 entries to this hash table.
1027         In Gmail, we see a ~2MB table size.
1028
1029         Instead, this patch uses a Vector<pair<uintptr_t, StubRoutine*>> and performs a binary search on this sorted vector. Before conservative
1030         scanning, we sort this vector, and then do a binary search on the sorted vector to find executing stub routines from the conservative roots.
1031         This vector includes the uintptr_t startAddress to make binary searching fast.
1032
1033         A large amount of the conservative scan should be filtered by the range check, so I think a binary search here is OK, but we can decide based on what the
1034         performance bots say.
1035
1036         * heap/Heap.cpp:
1037         (JSC::Heap::addCoreConstraints):
1038         * heap/JITStubRoutineSet.cpp:
1039         (JSC::JITStubRoutineSet::~JITStubRoutineSet):
1040         (JSC::JITStubRoutineSet::add):
1041         (JSC::JITStubRoutineSet::prepareForConservativeScan):
1042         (JSC::JITStubRoutineSet::clearMarks):
1043         (JSC::JITStubRoutineSet::markSlow):
1044         (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
1045         (JSC::JITStubRoutineSet::traceMarkedStubRoutines):
1046         * heap/JITStubRoutineSet.h:
1047         (JSC::JITStubRoutineSet::mark):
1048         (JSC::JITStubRoutineSet::prepareForConservativeScan):
1049         (JSC::JITStubRoutineSet::size const): Deleted.
1050         (JSC::JITStubRoutineSet::at const): Deleted.
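
        The lookup structure this entry describes, as an added example that is not JavaScriptCore's code:
        a vector of (start address, end address, routine) sorted once before the conservative scan, a cheap
        range check that rejects most candidate pointers, and a binary search for the rest. Using plain
        numbers for addresses, string labels for routines, and the class and method names are my own
        simplifications.

```javascript
// Added example (not JavaScriptCore code): a sorted-vector replacement for a
// per-16-byte hash table, as sketched in the entry above. Addresses are plain
// numbers and routines are labels; all names are invented for the example.

class StubRoutineSet {
  constructor() {
    this.entries = [];        // { start, end, routine }, sorted by start once prepared
    this.prepared = false;
    this.lowest = Infinity;   // bounds for the cheap range check
    this.highest = -Infinity;
  }

  // Registration happens while the JIT is running; no sorting yet.
  add(start, size, routine) {
    if (!(size > 0)) throw new RangeError("stub routine must have a non-zero size");
    this.entries.push({ start, end: start + size, routine });
    this.prepared = false;
  }

  // Called once before a conservative scan: sort by start address and cache
  // the overall bounds so most candidate pointers are rejected without a search.
  prepareForConservativeScan() {
    this.entries.sort((a, b) => a.start - b.start);
    for (let i = 1; i < this.entries.length; i++) {
      if (this.entries[i].start < this.entries[i - 1].end)
        throw new Error("stub routines must not overlap");
    }
    const n = this.entries.length;
    this.lowest = n ? this.entries[0].start : Infinity;
    this.highest = n ? this.entries[n - 1].end : -Infinity;  // valid because entries do not overlap
    this.prepared = true;
  }

  // Returns the routine whose [start, end) range contains `address`, or null.
  find(address) {
    if (!this.prepared) throw new Error("call prepareForConservativeScan() first");
    if (address < this.lowest || address >= this.highest) return null;  // range check
    // Binary search for the last entry whose start <= address.
    let lo = 0, hi = this.entries.length - 1;
    while (lo < hi) {
      const mid = (lo + hi + 1) >>> 1;
      if (this.entries[mid].start <= address) lo = mid; else hi = mid - 1;
    }
    const e = this.entries[lo];
    return address < e.end ? e.routine : null;
  }

  // Marks every routine that some candidate pointer (a conservative root) points into.
  markFromConservativeRoots(roots) {
    const marked = new Set();
    for (const r of roots) {
      const routine = this.find(r);
      if (routine !== null) marked.add(routine);
    }
    return marked;
  }
}

// Constructed sample: three routines registered out of address order.
function exampleSet() {
  const set = new StubRoutineSet();
  set.add(0x2000, 0x40, "B");
  set.add(0x1000, 0x80, "A");
  set.add(0x0800, 0x10, "C");
  set.prepareForConservativeScan();
  return set;
}
```

        Compared with the hash table, the set costs one entry per routine instead of one per 16 bytes,
        and a scan pays a sort once plus a logarithmic search only for pointers that survive the range check.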
1051
1052 2019-04-29  Basuke Suzuki  <Basuke.Suzuki@sony.com>
1053
1054         [Win] Add flag to enable version information stamping and disable by default.
1055         https://bugs.webkit.org/show_bug.cgi?id=197249
1056         <rdar://problem/50224412>
1057
1058         Reviewed by Ross Kirsling.
1059
1060         This feature is only used in the AppleWin port. Add flag for this task and make it OFF by default.
1061         Then enable it by default on AppleWin.
1062
1063         * CMakeLists.txt:
1064
1065 2019-04-26  Keith Rollin  <krollin@apple.com>
1066
1067         Enable new build rule for post-processing headers when using XCBuild
1068         https://bugs.webkit.org/show_bug.cgi?id=197340
1069         <rdar://problem/50226685>
1070
1071         Reviewed by Brent Fulgham.
1072
1073         In Bug 197116, we conditionally disabled the old method for
1074         post-processing header files when we are using the new XCBuild build
1075         system. This check-in conditionally enables the new post-processing
1076         facility. Note that the old system is disabled and the new system
1077         enabled only when the USE_NEW_BUILD_SYSTEM environment variable is set
1078         to YES.
1079
1080         * Configurations/JavaScriptCore.xcconfig:
1081
1082 2019-04-26  Jessie Berlin  <jberlin@webkit.org>
1083
1084         Add new mac target numbers
1085         https://bugs.webkit.org/show_bug.cgi?id=197313
1086
1087         Reviewed by Alex Christensen.
1088
1089         * Configurations/Version.xcconfig:
1090         * Configurations/WebKitTargetConditionals.xcconfig:
1091
1092 2019-04-26  Commit Queue  <commit-queue@webkit.org>
1093
1094         Unreviewed, rolling out r244708.
1095         https://bugs.webkit.org/show_bug.cgi?id=197334
1096
1097         "Broke the debug build" (Requested by rmorisset on #webkit).
1098
1099         Reverted changeset:
1100
1101         "All prototypes should call didBecomePrototype()"
1102         https://bugs.webkit.org/show_bug.cgi?id=196315
1103         https://trac.webkit.org/changeset/244708
1104
1105 2019-04-26  Don Olmstead  <don.olmstead@sony.com>
1106
1107         [CMake] Add WEBKIT_EXECUTABLE macro
1108         https://bugs.webkit.org/show_bug.cgi?id=197206
1109
1110         Reviewed by Konstantin Tokarev.
1111
1112         Migrate to WEBKIT_EXECUTABLE for the jsc and test targets.
1113
1114         * b3/air/testair.cpp:
1115         * b3/testb3.cpp:
1116         * dfg/testdfg.cpp:
1117         * shell/CMakeLists.txt:
1118         * shell/PlatformGTK.cmake:
1119         * shell/PlatformJSCOnly.cmake: Removed.
1120         * shell/PlatformMac.cmake:
1121         * shell/PlatformPlayStation.cmake:
1122         * shell/PlatformWPE.cmake:
1123         * shell/PlatformWin.cmake:
1124
1125 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
1126
1127         [JSC] linkPolymorphicCall now does GC
1128         https://bugs.webkit.org/show_bug.cgi?id=197306
1129
1130         Reviewed by Saam Barati.
1131
1132         Previously, we assumed that linkPolymorphicCall does not perform allocations. So we put CallVariant into a Vector<>.
1133         But now, WebAssemblyFunction's entrypoint generation can allocate JSToWasmICCallee and cause GC. Since CallLinkInfo
1134         does not hold these cells, they can be collected, and we will see dead cells in the middle of linkPolymorphicCall.
1135         We should defer GC for a while in linkPolymorphicCall. We use DeferGCForAWhile instead of DeferGC because the
1136         caller "operationLinkPolymorphicCall" assumes that this function does not cause GC.
1137
1138         * jit/Repatch.cpp:
1139         (JSC::linkPolymorphicCall):
1140
1141 2019-04-26  Robin Morisset  <rmorisset@apple.com>
1142
1143         All prototypes should call didBecomePrototype()
1144         https://bugs.webkit.org/show_bug.cgi?id=196315
1145
1146         Reviewed by Saam Barati.
1147
1148         Otherwise we won't remember to run haveABadTime() when someone adds an indexed accessor to them.
1149
1150         I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't
1151         create structures with invalid prototypes.
1152         It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation().
1153         Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype.
1154
1155         * runtime/BigIntPrototype.cpp:
1156         (JSC::BigIntPrototype::finishCreation):
1157         * runtime/BooleanPrototype.cpp:
1158         (JSC::BooleanPrototype::finishCreation):
1159         * runtime/DatePrototype.cpp:
1160         (JSC::DatePrototype::finishCreation):
1161         * runtime/ErrorConstructor.cpp:
1162         (JSC::ErrorConstructor::finishCreation):
1163         * runtime/ErrorPrototype.cpp:
1164         (JSC::ErrorPrototype::finishCreation):
1165         * runtime/FunctionConstructor.cpp:
1166         (JSC::FunctionConstructor::finishCreation):
1167         * runtime/FunctionPrototype.cpp:
1168         (JSC::FunctionPrototype::finishCreation):
1169         * runtime/IntlCollatorPrototype.cpp:
1170         (JSC::IntlCollatorPrototype::finishCreation):
1171         * runtime/IntlDateTimeFormatPrototype.cpp:
1172         (JSC::IntlDateTimeFormatPrototype::finishCreation):
1173         * runtime/IntlNumberFormatPrototype.cpp:
1174         (JSC::IntlNumberFormatPrototype::finishCreation):
1175         * runtime/IntlPluralRulesPrototype.cpp:
1176         (JSC::IntlPluralRulesPrototype::finishCreation):
1177         * runtime/JSArrayBufferPrototype.cpp:
1178         (JSC::JSArrayBufferPrototype::finishCreation):
1179         * runtime/JSDataViewPrototype.cpp:
1180         (JSC::JSDataViewPrototype::finishCreation):
1181         * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
1182         (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
1183         * runtime/JSGlobalObject.cpp:
1184         (JSC::createConsoleProperty):
1185         * runtime/JSPromisePrototype.cpp:
1186         (JSC::JSPromisePrototype::finishCreation):
1187         * runtime/JSTypedArrayViewConstructor.cpp:
1188         (JSC::JSTypedArrayViewConstructor::finishCreation):
1189         * runtime/JSTypedArrayViewPrototype.cpp:
1190         (JSC::JSTypedArrayViewPrototype::finishCreation):
1191         * runtime/NumberPrototype.cpp:
1192         (JSC::NumberPrototype::finishCreation):
1193         * runtime/RegExpPrototype.cpp:
1194         (JSC::RegExpPrototype::finishCreation):
1195         * runtime/StringPrototype.cpp:
1196         (JSC::StringPrototype::finishCreation):
1197         * runtime/Structure.cpp:
1198         (JSC::Structure::isValidPrototype):
1199         (JSC::Structure::changePrototypeTransition):
1200         * runtime/Structure.h:
1201         * runtime/SymbolPrototype.cpp:
1202         (JSC::SymbolPrototype::finishCreation):
1203         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
1204         (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
1205         * wasm/js/WebAssemblyInstancePrototype.cpp:
1206         (JSC::WebAssemblyInstancePrototype::finishCreation):
1207         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
1208         (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
1209         * wasm/js/WebAssemblyMemoryPrototype.cpp:
1210         (JSC::WebAssemblyMemoryPrototype::finishCreation):
1211         * wasm/js/WebAssemblyModulePrototype.cpp:
1212         (JSC::WebAssemblyModulePrototype::finishCreation):
1213         * wasm/js/WebAssemblyPrototype.cpp:
1214         (JSC::WebAssemblyPrototype::finishCreation):
1215         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
1216         (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
1217         * wasm/js/WebAssemblyTablePrototype.cpp:
1218         (JSC::WebAssemblyTablePrototype::finishCreation):
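
        Why an indexed accessor on a prototype matters to the engine, as an added example that is not
        code from this ChangeLog or from JavaScriptCore: a read from a hole in an array falls through to
        the prototype chain, so an accessor installed there runs on a plain element read (and inside
        built-ins such as slice), which is the situation the entry says haveABadTime() exists for. The
        helper names are my own.

```javascript
// Added example (not JavaScriptCore code): an indexed accessor placed on a
// prototype is observed by plain element reads of holey arrays, which is why
// an engine must be able to notice it on every object that has become a
// prototype. Helper names are invented for this example.

// Temporarily installs a getter for `index` on `proto`, runs `read()`, and
// always removes the getter again so later code is unaffected.
function withIndexedAccessor(proto, label, index, read) {
  let getterCalls = 0;
  Object.defineProperty(proto, String(index), {
    configurable: true,
    get() { getterCalls += 1; return `from ${label}`; },
  });
  try {
    return { value: read(), getterCalls };
  } finally {
    delete proto[String(index)];
  }
}

// [0, , 2] has a hole at index 1; reading it consults the prototype chain.
function holeyReadThroughArrayPrototype() {
  const holey = [0, , 2];
  return withIndexedAccessor(Array.prototype, "Array.prototype", 1, () => holey[1]);
}

// The accessor can sit further up the chain, on Object.prototype.
function holeyReadThroughObjectPrototype() {
  const holey = [0, , 2];
  return withIndexedAccessor(Object.prototype, "Object.prototype", 1, () => holey[1]);
}

// A dense array owns its element, so the getter must not run.
function denseReadIsUnaffected() {
  const dense = [0, 1, 2];
  return withIndexedAccessor(Array.prototype, "Array.prototype", 1, () => dense[1]);
}

// Built-ins that walk holes (here slice) copy the prototype's value too.
function sliceCopiesPrototypeValue() {
  const holey = [0, , 2];
  return withIndexedAccessor(Array.prototype, "Array.prototype", 1, () => holey.slice()[1]);
}
```

        Each helper reports the value the read produced and how many times the getter ran; only the
        dense read leaves the getter untouched.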
1219
1220 2019-04-26  Don Olmstead  <don.olmstead@sony.com>
1221
1222         Add WTF::findIgnoringASCIICaseWithoutLength to replace strcasestr
1223         https://bugs.webkit.org/show_bug.cgi?id=197291
1224
1225         Reviewed by Konstantin Tokarev.
1226
1227         Replace uses of strcasestr with WTF::findIgnoringASCIICaseWithoutLength.
1228
1229         * API/tests/testapi.cpp:
1230         * assembler/testmasm.cpp:
1231         * b3/air/testair.cpp:
1232         * b3/testb3.cpp:
1233         * dfg/testdfg.cpp:
1234         * dynbench.cpp:
1235
1236 2019-04-25  Fujii Hironori  <Hironori.Fujii@sony.com>
1237
1238         Unreviewed, rolling out r244669.
1239
1240         Windows ports can't clean build.
1241
1242         Reverted changeset:
1243
1244         "[Win] Add flag to enable version information stamping and
1245         disable by default."
1246         https://bugs.webkit.org/show_bug.cgi?id=197249
1247         https://trac.webkit.org/changeset/244669
1248
1249 2019-04-25  Basuke Suzuki  <Basuke.Suzuki@sony.com>
1250
1251         [Win] Add flag to enable version information stamping and disable by default.
1252         https://bugs.webkit.org/show_bug.cgi?id=197249
1253
1254         Reviewed by Ross Kirsling.
1255
1256         This feature is only used in the AppleWin port. Add flag for this task and make it OFF by default.
1257         Then enable it by default on AppleWin.
1258
1259         * CMakeLists.txt:
1260
1261 2019-04-25  Timothy Hatcher  <timothy@apple.com>
1262
1263         Disable date and time inputs on iOSMac.
1264         https://bugs.webkit.org/show_bug.cgi?id=197287
1265         rdar://problem/46794376
1266
1267         Reviewed by Wenson Hsieh.
1268
1269         * Configurations/FeatureDefines.xcconfig:
1270
1271 2019-04-25  Alex Christensen  <achristensen@webkit.org>
1272
1273         Fix more builds after r244653
1274         https://bugs.webkit.org/show_bug.cgi?id=197131
1275
1276         * b3/B3Value.h:
1277         There is an older system with libc++ headers that don't have std::conjunction.  Just use constexpr and && instead for the one use of it in WebKit.
1278
1279 2019-04-25  Basuke Suzuki  <Basuke.Suzuki@sony.com>
1280
1281         [RemoteInspector] Fix connection and target identifier types.
1282         https://bugs.webkit.org/show_bug.cgi?id=197243
1283
1284         Reviewed by Ross Kirsling.
1285
1286         Give a dedicated type for RemoteControllableTarget's identifier as Inspector::TargetID.
1287
1288         Also rename the ClientID type used in the Socket backend to ConnectionID because this is the identifier
1289         the socket endpoint assigns to the newly created connection. The size was changed to uint32_t,
1290         which is enough for managing connections.
1291
1292         * inspector/remote/RemoteConnectionToTarget.cpp:
1293         (Inspector::RemoteConnectionToTarget::setup):
1294         (Inspector::RemoteConnectionToTarget::close):
1295         (Inspector::RemoteConnectionToTarget::targetIdentifier const):
1296         * inspector/remote/RemoteConnectionToTarget.h:
1297         * inspector/remote/RemoteControllableTarget.h:
1298         * inspector/remote/RemoteInspector.cpp:
1299         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
1300         (Inspector::RemoteInspector::registerTarget):
1301         (Inspector::RemoteInspector::unregisterTarget):
1302         (Inspector::RemoteInspector::updateTarget):
1303         (Inspector::RemoteInspector::setupFailed):
1304         (Inspector::RemoteInspector::setupCompleted):
1305         (Inspector::RemoteInspector::waitingForAutomaticInspection):
1306         (Inspector::RemoteInspector::updateTargetListing):
1307         * inspector/remote/RemoteInspector.h:
1308         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
1309         (Inspector::RemoteConnectionToTarget::targetIdentifier const):
1310         (Inspector::RemoteConnectionToTarget::setup):
1311         (Inspector::RemoteConnectionToTarget::close):
1312         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1313         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
1314         (Inspector::RemoteInspector::sendMessageToRemote):
1315         (Inspector::RemoteInspector::receivedSetupMessage):
1316         (Inspector::RemoteInspector::receivedDataMessage):
1317         (Inspector::RemoteInspector::receivedDidCloseMessage):
1318         (Inspector::RemoteInspector::receivedIndicateMessage):
1319         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
1320         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1321         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
1322         (Inspector::RemoteInspector::sendMessageToRemote):
1323         (Inspector::RemoteInspector::receivedSetupMessage):
1324         (Inspector::RemoteInspector::receivedDataMessage):
1325         (Inspector::RemoteInspector::receivedCloseMessage):
1326         (Inspector::RemoteInspector::setup):
1327         (Inspector::RemoteInspector::sendMessageToTarget):
1328         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
1329         (Inspector::RemoteInspectorConnectionClient::didReceiveWebInspectorEvent):
1330         * inspector/remote/socket/RemoteInspectorConnectionClient.h:
1331         (Inspector::RemoteInspectorConnectionClient::didAccept):
1332         * inspector/remote/socket/RemoteInspectorMessageParser.cpp:
1333         (Inspector::MessageParser::MessageParser):
1334         (Inspector::MessageParser::parse):
1335         * inspector/remote/socket/RemoteInspectorMessageParser.h:
1336         (Inspector::MessageParser::setDidParseMessageListener):
1337         * inspector/remote/socket/RemoteInspectorServer.cpp:
1338         (Inspector::RemoteInspectorServer::didAccept):
1339         (Inspector::RemoteInspectorServer::didClose):
1340         (Inspector::RemoteInspectorServer::dispatchMap):
1341         (Inspector::RemoteInspectorServer::sendWebInspectorEvent):
1342         (Inspector::RemoteInspectorServer::sendCloseEvent):
1343         (Inspector::RemoteInspectorServer::connectionClosed):
1344         * inspector/remote/socket/RemoteInspectorServer.h:
1345         * inspector/remote/socket/RemoteInspectorSocket.cpp:
1346         (Inspector::RemoteInspector::didClose):
1347         (Inspector::RemoteInspector::sendMessageToRemote):
1348         (Inspector::RemoteInspector::setup):
1349         (Inspector::RemoteInspector::sendMessageToTarget):
1350         * inspector/remote/socket/RemoteInspectorSocket.h:
1351         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
1352         (Inspector::RemoteInspectorSocketEndpoint::connectInet):
1353         (Inspector::RemoteInspectorSocketEndpoint::isListening):
1354         (Inspector::RemoteInspectorSocketEndpoint::workerThread):
1355         (Inspector::RemoteInspectorSocketEndpoint::createClient):
1356         (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
1357         (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
1358         (Inspector::RemoteInspectorSocketEndpoint::send):
1359         (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
1360         * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
1361
1362 2019-04-25  Alex Christensen  <achristensen@webkit.org>
1363
1364         Start using C++17
1365         https://bugs.webkit.org/show_bug.cgi?id=197131
1366
1367         Reviewed by Darin Adler.
1368
1369         * Configurations/Base.xcconfig:
1370
1371 2019-04-25  Alex Christensen  <achristensen@webkit.org>
1372
1373         Remove DeprecatedOptional
1374         https://bugs.webkit.org/show_bug.cgi?id=197161
1375
1376         Reviewed by Darin Adler.
1377
1378         We need to keep a symbol exported from JavaScriptCore for binary compatibility with iOS12.
1379         We need this symbol to be in a file that doesn't include anything because libcxx's implementation of
1380         std::optional is actually std::__1::optional, which has a different mangled name.  This change will
1381         prevent protocol errors from being reported if you are running the iOS12 simulator with a custom build of WebKit
1382         and using the web inspector with it, but it's necessary to allow us to start using C++17 in WebKit.
1383
1384         * JavaScriptCore.xcodeproj/project.pbxproj:
1385         * inspector/InspectorBackendDispatcher.cpp:
1386         * inspector/InspectorBackendDispatcher.h:
1387         * inspector/InspectorBackendDispatcherCompatibility.cpp: Added.
1388         (Inspector::BackendDispatcher::reportProtocolError):
1389         * inspector/InspectorBackendDispatcherCompatibility.h: Added.
1390
1391 2019-04-24  Saam Barati  <sbarati@apple.com>
1392
1393         Add SPI callbacks for before and after module execution
1394         https://bugs.webkit.org/show_bug.cgi?id=197244
1395         <rdar://problem/50180511>
1396
1397         Reviewed by Yusuke Suzuki.
1398
1399         This is helpful for clients that want to profile execution of modules
1400         in some way. E.g., if they want to time module execution time.
1401
1402         * API/JSAPIGlobalObject.h:
1403         * API/JSAPIGlobalObject.mm:
1404         (JSC::JSAPIGlobalObject::moduleLoaderEvaluate):
1405         * API/JSContextPrivate.h:
1406         * API/tests/testapi.mm:
1407         (+[JSContextFetchDelegate contextWithBlockForFetch:]):
1408         (-[JSContextFetchDelegate willEvaluateModule:]):
1409         (-[JSContextFetchDelegate didEvaluateModule:]):
1410         (testFetch):
1411         (testFetchWithTwoCycle):
1412         (testFetchWithThreeCycle):
1413         (testLoaderResolvesAbsoluteScriptURL):
1414         (testLoaderRejectsNilScriptURL):
1415         * runtime/JSModuleLoader.cpp:
1416         (JSC::JSModuleLoader::evaluate):
1417         (JSC::JSModuleLoader::evaluateNonVirtual):
1418         * runtime/JSModuleLoader.h:
1419
1420 2019-04-23  Yusuke Suzuki  <ysuzuki@apple.com>
1421
1422         [JSC] Shrink DFG::MinifiedNode
1423         https://bugs.webkit.org/show_bug.cgi?id=197224
1424
1425         Reviewed by Filip Pizlo.
1426
1427         Since it is kept alive with compiled DFG code, we should shrink it to save memory.
1428         If it is effective, we should consider minimizing these OSR exit data more aggressively.
1429
1430         * dfg/DFGMinifiedNode.h:
1431
1432 2019-04-23  Saam Barati  <sbarati@apple.com>
1433
1434         LICM incorrectly assumes it'll never insert a node which provably OSR exits
1435         https://bugs.webkit.org/show_bug.cgi?id=196721
1436         <rdar://problem/49556479>
1437
1438         Reviewed by Filip Pizlo.
1439
1440         Previously, we assumed LICM could never hoist code that caused us
1441         to provably OSR exit. This is a bad assumption, as we may very well
1442         hoist such code. Obviously hoisting such code is not ideal. We shouldn't
1443         hoist something we provably know will OSR exit. However, this is super rare,
1444         and the phase is written in such a way where it's easier to gracefully
1445         handle this case than to prevent us from hoisting such code.
1446         
1447         If we wanted to ensure we never hoisted code that would provably exit, we'd
1448         have to teach the phase to know when it inserted code that provably exits. I
1449         saw two ways to do that:
1450         1: Save and restore the AI state before actually hoisting.
1451         2: Write an analysis that can determine if such a node would exit.
1452         
1453         (1) is bad because it costs in memory and compile time. (2) will inevitably
1454         have bugs as running into this condition is rare.
1455         
1456         So instead of (1) or (2), I opted to have LICM gracefully handle when
1457         it causes a provable exit. When we encounter this, we mark all blocks
1458         in the loop as !cfaHasVisited and !cfaDidFinish.
1459
1460         * dfg/DFGLICMPhase.cpp:
1461         (JSC::DFG::LICMPhase::attemptHoist):
1462
1463 2019-04-23  Yusuke Suzuki  <ysuzuki@apple.com>
1464
1465         [JSC] Use node index as DFG::MinifiedID
1466         https://bugs.webkit.org/show_bug.cgi?id=197186
1467
1468         Reviewed by Saam Barati.
1469
1470         DFG Nodes can be identified by index if the graph is given. We should use an unsigned index as a DFG::MinifiedID's underlying
1471         source instead of Node* to reduce the size of VariableEvent from 16 to 12. Vector<VariableEvent> is the main data in DFG's OSR
1472         tracking. It is kept after DFG compilation is done to make OSR work. We saw that this is allocated with large size in GMail.
1473
1474         * JavaScriptCore.xcodeproj/project.pbxproj:
1475         * bytecode/DataFormat.h:
1476         * bytecode/ValueRecovery.h:
1477         * dfg/DFGGenerationInfo.h:
1478         * dfg/DFGMinifiedID.h:
1479         (JSC::DFG::MinifiedID::MinifiedID):
1480         (JSC::DFG::MinifiedID::operator! const):
1481         (JSC::DFG::MinifiedID::operator== const):
1482         (JSC::DFG::MinifiedID::operator!= const):
1483         (JSC::DFG::MinifiedID::operator< const):
1484         (JSC::DFG::MinifiedID::operator> const):
1485         (JSC::DFG::MinifiedID::operator<= const):
1486         (JSC::DFG::MinifiedID::operator>= const):
1487         (JSC::DFG::MinifiedID::hash const):
1488         (JSC::DFG::MinifiedID::dump const):
1489         (JSC::DFG::MinifiedID::isHashTableDeletedValue const):
1490         (JSC::DFG::MinifiedID::fromBits):
1491         (JSC::DFG::MinifiedID::bits const):
1492         (JSC::DFG::MinifiedID::invalidIndex):
1493         (JSC::DFG::MinifiedID::otherInvalidIndex):
1494         (JSC::DFG::MinifiedID::node const): Deleted.
1495         (JSC::DFG::MinifiedID::invalidID): Deleted.
1496         (JSC::DFG::MinifiedID::otherInvalidID): Deleted.
1497         * dfg/DFGMinifiedIDInlines.h: Copied from Source/JavaScriptCore/dfg/DFGMinifiedNode.cpp.
1498         (JSC::DFG::MinifiedID::MinifiedID):
1499         * dfg/DFGMinifiedNode.cpp:
1500         * dfg/DFGValueSource.h:
1501         (JSC::DFG::ValueSource::ValueSource):
1502         * dfg/DFGVariableEvent.h:
1503         (JSC::DFG::VariableEvent::dataFormat const):
1504
1505 2019-04-23  Keith Rollin  <krollin@apple.com>
1506
1507         Add Xcode version check for Header post-processing scripts
1508         https://bugs.webkit.org/show_bug.cgi?id=197116
1509         <rdar://problem/50058968>
1510
1511         Reviewed by Brent Fulgham.
1512
1513         There are several places in our Xcode projects that post-process
1514         header files after they've been exported. Because of XCBuild, we're
1515         moving to a model where the post-processing is performed at the same
1516         time the header files are exported, rather than as a distinct
1517         post-processing step. This patch disables the distinct step when the
1518         inline processing is available.
1519
1520         In practice, this means prefixing appropriate post-processing Custom
1521         Build phases with:
1522
1523         if [ "${XCODE_VERSION_MAJOR}" -ge "1100" -a "${USE_NEW_BUILD_SYSTEM}" = "YES" ]; then
1524             # In this configuration, post-processing is performed at the same time as copying in the postprocess-header-rule script, so there's no need for this separate step.
1525             exit 0
1526         fi
1527
1528         * JavaScriptCore.xcodeproj/project.pbxproj:
1529
1530 2019-04-23  Commit Queue  <commit-queue@webkit.org>
1531
1532         Unreviewed, rolling out r244558.
1533         https://bugs.webkit.org/show_bug.cgi?id=197219
1534
1535         Causing crashes on iOS Sim Release and Debug (Requested by
1536         ShawnRoberts on #webkit).
1537
1538         Reverted changeset:
1539
1540         "Remove DeprecatedOptional"
1541         https://bugs.webkit.org/show_bug.cgi?id=197161
1542         https://trac.webkit.org/changeset/244558
1543
1544 2019-04-23  Devin Rousso  <drousso@apple.com>
1545
1546         Web Inspector: Uncaught Exception: null is not an object (evaluating 'this.ownerDocument.frameIdentifier')
1547         https://bugs.webkit.org/show_bug.cgi?id=196420
1548         <rdar://problem/49444205>
1549
1550         Reviewed by Timothy Hatcher.
1551
1552         * inspector/protocol/DOM.json:
1553         Modify the existing `frameId` to represent the owner frame of the node, rather than the
1554         frame it holds (in the case of an `<iframe>`).
1555
1556 2019-04-23  Alex Christensen  <achristensen@webkit.org>
1557
1558         Remove DeprecatedOptional
1559         https://bugs.webkit.org/show_bug.cgi?id=197161
1560
1561         Reviewed by Darin Adler.
1562
1563         * inspector/InspectorBackendDispatcher.cpp:
1564         * inspector/InspectorBackendDispatcher.h:
1565
1566 2019-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
1567
1568         [JSC] Use volatile load to populate backing page in MarkedBlock::Footer instead of using holdLock
1569         https://bugs.webkit.org/show_bug.cgi?id=197152
1570
1571         Reviewed by Saam Barati.
1572
1573         Emit volatile load instead of using holdLock to populate backing page in MarkedBlock::Footer.
1574
1575         * heap/BlockDirectory.cpp:
1576         (JSC::BlockDirectory::isPagedOut):
1577         * heap/MarkedBlock.h:
1578         (JSC::MarkedBlock::populatePage const):
1579
1580 2019-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
1581
1582         [JSC] useJIT should subsume useRegExpJIT
1583         https://bugs.webkit.org/show_bug.cgi?id=197153
1584
1585         Reviewed by Alex Christensen.
1586
1587         useJIT should subsume useRegExpJIT. We should immediately disable JIT feature if useJIT = false,
1588         even if useRegExpJIT is true.
1589
1590         * dfg/DFGCapabilities.cpp:
1591         (JSC::DFG::isSupported):
1592         * runtime/Options.cpp:
1593         (JSC::recomputeDependentOptions):
1594         * runtime/RegExp.cpp:
1595         (JSC::RegExp::compile):
1596         (JSC::RegExp::compileMatchOnly):
1597         * runtime/VM.cpp:
1598         (JSC::enableAssembler):
1599         (JSC::VM::canUseRegExpJIT): Deleted.
1600         * runtime/VM.h:
1601
1602 2019-04-22  Basuke Suzuki  <basuke.suzuki@sony.com>
1603
1604         [PlayStation] Restructuring Remote Inspector classes to support multiple platforms.
1605         https://bugs.webkit.org/show_bug.cgi?id=197030
1606
1607         Reviewed by Don Olmstead.
1608
1609         Restructuring the PlayStation's RemoteInspector backend, which uses native sockets for communication, to be ready for WinCairo.
1610
1611         What we did is basically:
1612         - Renamed `remote/playstation/` to `remote/socket/`. This directory is now a platform-independent implementation of the socket backend.
1613         - Renamed the `RemoteInspectorSocket` class to `RemoteInspectorSocketEndpoint`. This class is platform independent and the core of the backend.
1614         - Merged the `RemoteInspectorSocket{Client|Server}` classes into the `RemoteInspectorSocketEndpoint` class because the differences are small.
1615         - Defined new interface functions in the `Inspector::Socket` (new) namespace.
1616         - Moved the POSIX socket implementation into `posix\RemoteInspectorSocketPOSIX.{h|cpp}`.
1617
1618         * PlatformPlayStation.cmake:
1619         * inspector/remote/RemoteInspector.h:
1620         * inspector/remote/playstation/RemoteInspectorSocketClient.h: Merged into RemoteInspectorSocketEndpoint.
1621         * inspector/remote/playstation/RemoteInspectorSocketClientPlayStation.cpp: Merged into RemoteInspectorSocketEndpoint.
1622         * inspector/remote/playstation/RemoteInspectorSocketPlayStation.cpp: Removed.
1623         * inspector/remote/playstation/RemoteInspectorSocketServer.h: Merged into RemoteInspectorSocketEndpoint.
1624         * inspector/remote/playstation/RemoteInspectorSocketServerPlayStation.cpp: Merged into RemoteInspectorSocketEndpoint.
1625         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp: Renamed from inspector\remote\playstation\RemoteInspectorConnectionClientPlayStation.cpp.
1626         * inspector/remote/socket/RemoteInspectorConnectionClient.h: Renamed from inspector\remote\playstation\RemoteInspectorConnectionClient.h.
1627         (Inspector::RemoteInspectorConnectionClient::didAccept):
1628         * inspector/remote/socket/RemoteInspectorMessageParser.cpp: Renamed from inspector\remote\playstation\RemoteInspectorMessageParserPlayStation.cpp.
1629         * inspector/remote/socket/RemoteInspectorMessageParser.h: Renamed from inspector\remote\playstation\RemoteInspectorMessageParser.h.
1630         * inspector/remote/socket/RemoteInspectorServer.cpp: Renamed from inspector\remote\playstation\RemoteInspectorServerPlayStation.cpp.
1631         (Inspector::RemoteInspectorServer::didAccept):
1632         (Inspector::RemoteInspectorServer::start):
1633         * inspector/remote/socket/RemoteInspectorServer.h: Renamed from inspector\remote\playstation\RemoteInspectorServer.h.
1634         * inspector/remote/socket/RemoteInspectorSocket.cpp: Renamed from inspector\remote\playstation\RemoteInspectorPlayStation.cpp.
1635         (Inspector::RemoteInspector::start):
1636         * inspector/remote/socket/RemoteInspectorSocket.h: Copied from inspector\remote\playstation\RemoteInspectorSocket.h.
1637         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: Added.
1638         (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint):
1639         (Inspector::RemoteInspectorSocketEndpoint::~RemoteInspectorSocketEndpoint):
1640         (Inspector::RemoteInspectorSocketEndpoint::wakeupWorkerThread):
1641         (Inspector::RemoteInspectorSocketEndpoint::connectInet):
1642         (Inspector::RemoteInspectorSocketEndpoint::listenInet):
1643         (Inspector::RemoteInspectorSocketEndpoint::isListening):
1644         (Inspector::RemoteInspectorSocketEndpoint::workerThread):
1645         (Inspector::RemoteInspectorSocketEndpoint::createClient):
1646         (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
1647         (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
1648         (Inspector::RemoteInspectorSocketEndpoint::send):
1649         (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
1650         * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: Renamed from inspector\remote\playstation\RemoteInspectorSocket.h.
1651         * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: Added.
1652         (Inspector::Socket::connect):
1653         (Inspector::Socket::listen):
1654         (Inspector::Socket::accept):
1655         (Inspector::Socket::createPair):
1656         (Inspector::Socket::setup):
1657         (Inspector::Socket::isValid):
1658         (Inspector::Socket::isListening):
1659         (Inspector::Socket::read):
1660         (Inspector::Socket::write):
1661         (Inspector::Socket::close):
1662         (Inspector::Socket::preparePolling):
1663         (Inspector::Socket::poll):
1664         (Inspector::Socket::isReadable):
1665         (Inspector::Socket::isWritable):
1666         (Inspector::Socket::markWaitingWritable):
1667         (Inspector::Socket::clearWaitingWritable):
1668
1669 2019-04-20  Yusuke Suzuki  <ysuzuki@apple.com>
1670
1671         Unreviewed, suppress warnings in non Darwin environments
1672
1673         * jit/ExecutableAllocator.cpp:
1674         (JSC::dumpJITMemory):
1675
1676 2019-04-19  Saam Barati  <sbarati@apple.com>
1677
1678         AbstractValue can represent more than int52
1679         https://bugs.webkit.org/show_bug.cgi?id=197118
1680         <rdar://problem/49969960>
1681
1682         Reviewed by Michael Saboff.
1683
1684         Let's analyze this control flow diamond:
1685         
1686         #0
1687         branch #1, #2
1688         
1689         #1:
1690         PutStack(JSValue, loc42)
1691         Jump #3
1692         
1693         #2:
1694         PutStack(Int52, loc42)
1695         Jump #3
1696         
1697         #3:
1698         ...
1699         
1700         Our abstract value for loc42 at the head of #3 will contain an abstract
1701         value that is the union of Int52 with other things. Obviously in the
1702         above program, a GetStack for loc42 would be invalid, since it might
1703         be loading either JSValue or Int52. However, the abstract interpreter
1704         just tracks what the value could be, and it could be Int52 or JSValue.
1705         
1706         When I did the Int52 refactoring, I expected such things to never happen,
1707         but it turns out it does. We should just allow for this instead of asserting
1708         against it since it's valid IR to do the above.
1709
1710         * bytecode/SpeculatedType.cpp:
1711         (JSC::dumpSpeculation):
1712         * dfg/DFGAbstractValue.cpp:
1713         (JSC::DFG::AbstractValue::checkConsistency const):
1714         * dfg/DFGAbstractValue.h:
1715         (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
1716
1717 2019-04-19  Tadeu Zagallo  <tzagallo@apple.com>
1718
1719         Add option to dump JIT memory
1720         https://bugs.webkit.org/show_bug.cgi?id=197062
1721         <rdar://problem/49744332>
1722
1723         Reviewed by Saam Barati.
1724
1725         Dump all writes into JIT memory to the specified file. The format is:
1726         - 64-bit destination address for the write
1727         - 64-bit size of the content written
1728         - Copy of the data that was written to JIT memory
1729
1730         * assembler/LinkBuffer.cpp:
1731         (JSC::LinkBuffer::copyCompactAndLinkCode):
1732         * jit/ExecutableAllocator.cpp:
1733         (JSC::dumpJITMemory):
1734         * jit/ExecutableAllocator.h:
1735         (JSC::performJITMemcpy):
1736         * runtime/Options.h:
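The dump layout described above is simple enough to read back with a few lines of code. The following reader is an added example, not JavaScriptCore's own tooling; it assumes native little-endian fields packed back to back with no file header, and the sample dump bytes are constructed, not a real capture.

```javascript
// Added example, not code from JavaScriptCore: a reader for the JIT memory
// dump format described in the entry above. Each record is
//   u64 destination address | u64 size | `size` bytes that were written.
// Assumptions not stated in the entry: fields are native little-endian,
// records are packed back to back, and there is no file header.
const RECORD_HEADER_BYTES = 16;

// Parse a whole dump into an array of { dst: BigInt, size: number, data: Buffer }.
// A truncated header or a size that runs past the end of the file is an error
// rather than a silently shortened record.
function parseJITMemoryDump(buf) {
  const writes = [];
  let off = 0;
  while (off < buf.length) {
    if (buf.length - off < RECORD_HEADER_BYTES) {
      throw new Error(`truncated record header at offset ${off}`);
    }
    const dst = buf.readBigUInt64LE(off);
    const size = buf.readBigUInt64LE(off + 8);
    off += RECORD_HEADER_BYTES;
    if (size > BigInt(buf.length - off)) {
      throw new Error(`record at offset ${off - RECORD_HEADER_BYTES} claims ${size} bytes, ` +
                      `only ${buf.length - off} remain`);
    }
    const n = Number(size);
    writes.push({ dst, size: n, data: buf.subarray(off, off + n) });
    off += n;
  }
  return writes;
}

// Encode one record in the same layout; used only to build the constructed sample.
function encodeWrite(dst, data) {
  const header = Buffer.alloc(RECORD_HEADER_BYTES);
  header.writeBigUInt64LE(BigInt(dst), 0);
  header.writeBigUInt64LE(BigInt(data.length), 8);
  return Buffer.concat([header, data]);
}

// Report pairs of writes whose destination ranges overlap. A region of JIT
// memory being written more than once is the first thing to look at when
// auditing a dump, since it means already-emitted code was replaced.
function findOverlappingWrites(writes) {
  const sorted = [...writes].sort((a, b) => (a.dst < b.dst ? -1 : a.dst > b.dst ? 1 : 0));
  const overlaps = [];
  for (let i = 1; i < sorted.length; i++) {
    const prev = sorted[i - 1];
    const cur = sorted[i];
    if (cur.dst < prev.dst + BigInt(prev.size)) {
      overlaps.push({ first: prev, second: cur });
    }
  }
  return overlaps;
}

// Constructed sample dump (addresses and bytes are made up, not a real capture):
// a 4-byte write, a 1-byte write right after it, and a 2-byte write that
// lands inside the first one.
const sampleDump = Buffer.concat([
  encodeWrite(0x7f0000001000n, Buffer.from([0x55, 0x48, 0x89, 0xe5])),
  encodeWrite(0x7f0000001004n, Buffer.from([0xc3])),
  encodeWrite(0x7f0000001002n, Buffer.from([0x90, 0x90])),
]);

for (const w of parseJITMemoryDump(sampleDump)) {
  console.log(`write of ${w.size} byte(s) to 0x${w.dst.toString(16)}: ${w.data.toString('hex')}`);
}
for (const { first, second } of findOverlappingWrites(parseJITMemoryDump(sampleDump))) {
  console.log(`overlap: 0x${second.dst.toString(16)} falls inside the write at 0x${first.dst.toString(16)}`);
}
```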
1737
1738 2019-04-19  Keith Rollin  <krollin@apple.com>
1739
1740         Add postprocess-header-rule scripts
1741         https://bugs.webkit.org/show_bug.cgi?id=197072
1742         <rdar://problem/50027299>
1743
1744         Reviewed by Brent Fulgham.
1745
1746         Several projects have post-processing build phases where exported
1747         headers are tweaked after they've been copied. This post-processing is
1748         performed via scripts called postprocess-headers.sh. For reasons
1749         related to XCBuild, we are now transitioning to a build process where
1750         the post-processing is performed at the same time as the
1751         exporting/copying. To support this process, add similar scripts named
1752         postprocess-header-rule, which are geared towards processing a single
1753         file at a time rather than all exported files at once. Also add a
1754         build rule that makes use of these scripts. These scripts and build
1755         rules are not used at the moment; they will come into use in an
1756         imminent patch.
1757
1758         Note that I've named these postprocess-header-rule rather than
1759         postprocess-header-rule.sh. Scripts in Tools/Scripts do not have
1760         suffixes indicating how the tool is implemented. Scripts in
1761         per-project Scripts folders appear to be mixed regarding the use of
1762         suffixes. I'm opting here to follow the Tools/Scripts convention, with
1763         the expectation that over time we completely standardize on that.
1764
1765         * JavaScriptCore.xcodeproj/project.pbxproj:
1766         * Scripts/postprocess-header-rule: Added.
1767
1768 2019-04-18  Saam Barati  <sbarati@apple.com>
1769
1770         Remove useConcurrentBarriers option
1771         https://bugs.webkit.org/show_bug.cgi?id=197066
1772
1773         Reviewed by Michael Saboff.
1774
1775         This isn't a helpful option as it will lead us to crash when using the
1776         concurrent GC.
1777
1778         * dfg/DFGStoreBarrierClusteringPhase.cpp:
1779         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1780         * jit/AssemblyHelpers.h:
1781         (JSC::AssemblyHelpers::barrierStoreLoadFence):
1782         * runtime/Options.h:
1783
1784 2019-04-17  Saam Barati  <sbarati@apple.com>
1785
1786         Remove deprecated JSScript SPI
1787         https://bugs.webkit.org/show_bug.cgi?id=194909
1788         <rdar://problem/48283499>
1789
1790         Reviewed by Keith Miller.
1791
1792         * API/JSAPIGlobalObject.mm:
1793         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
1794         * API/JSScript.h:
1795         * API/JSScript.mm:
1796         (+[JSScript scriptWithSource:inVirtualMachine:]): Deleted.
1797         (fillBufferWithContentsOfFile): Deleted.
1798         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]): Deleted.
1799         (+[JSScript scriptFromUTF8File:inVirtualMachine:withCodeSigning:andBytecodeCache:]): Deleted.
1800         (-[JSScript setSourceURL:]): Deleted.
1801         * API/JSScriptInternal.h:
1802         * API/tests/testapi.mm:
1803         (testFetch):
1804         (testFetchWithTwoCycle):
1805         (testFetchWithThreeCycle):
1806         (testLoaderResolvesAbsoluteScriptURL):
1807         (testImportModuleTwice):
1808         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
1809
1810 2019-04-17  Keith Rollin  <krollin@apple.com>
1811
1812         Remove JSCBuiltins.cpp from Copy Headers phase
1813         https://bugs.webkit.org/show_bug.cgi?id=196981
1814         <rdar://problem/49952133>
1815
1816         Reviewed by Alex Christensen.
1817
1818         JSCBuiltins.cpp is not a header and so doesn't need to be in the Copy
1819         Headers phase. Checking its history, it seems to have been added
1820         accidentally at the same time that JSCBuiltins.h was added.
1821
1822         * JavaScriptCore.xcodeproj/project.pbxproj:
1823
1824 2019-04-16  Stephan Szabo  <stephan.szabo@sony.com>
1825
1826         [PlayStation] Update port for system library changes
1827         https://bugs.webkit.org/show_bug.cgi?id=196978
1828
1829         Reviewed by Ross Kirsling.
1830
1831         * shell/playstation/Initializer.cpp:
1832         Add reference to new posix compatibility library.
1833
1834 2019-04-16  Robin Morisset  <rmorisset@apple.com>
1835
1836         [WTF] holdLock should be marked WARN_UNUSED_RETURN
1837         https://bugs.webkit.org/show_bug.cgi?id=196922
1838
1839         Reviewed by Keith Miller.
1840
1841         There was one case where holdLock was used and the result ignored.
1842         From a comment that was deleted in https://bugs.webkit.org/attachment.cgi?id=328438&action=prettypatch, I believe that it is on purpose.
1843         So I brought back a variant of the comment, and made the ignoring of the return explicit.
1844
1845         * heap/BlockDirectory.cpp:
1846         (JSC::BlockDirectory::isPagedOut):
1847
1848 2019-04-16  Caitlin Potter  <caitp@igalia.com>
1849
1850         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1851         https://bugs.webkit.org/show_bug.cgi?id=176810
1852
1853         Reviewed by Saam Barati.
1854
1855         This adds conditional logic following the invariant checks, to perform
1856         filtering in common uses of getOwnPropertyNames.
1857
1858         While this would ideally only be done in JSPropertyNameEnumerator, adding
1859         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
1860         invariant that the EnumerationMode is properly followed.
1861
1862         This was originally rolled out in r244020, as DontEnum filtering code
1863         in ObjectConstructor.cpp's ownPropertyKeys() had not been removed. It's
1864         now redundant due to being handled in ProxyObject::getOwnPropertyNames().
1865
1866         * runtime/PropertyNameArray.h:
1867         (JSC::PropertyNameArray::reset):
1868         * runtime/ProxyObject.cpp:
1869         (JSC::ProxyObject::performGetOwnPropertyNames):
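What the DontEnum filtering means from script, as an added example (not JavaScriptCore's own code or tests): the proxy, its traps and the property names below are constructed for illustration.

```javascript
// Added example, not JavaScriptCore code: the observable effect of DontEnum
// filtering on a Proxy. The ownKeys trap reports every key, and the
// getOwnPropertyDescriptor trap marks one of them non-enumerable (DontEnum).
// Enumerating operations must drop that key; getOwnPropertyNames must keep it.
function makeFilteredProxy() {
  // Descriptors live in a prototype-less object so prototype keys such as
  // "toString" are never mistaken for own properties of the proxy.
  const descriptors = Object.assign(Object.create(null), {
    visible: { value: 1, writable: true, enumerable: true, configurable: true },
    hidden: { value: 2, writable: true, enumerable: false, configurable: true },
  });
  // The target is an empty, extensible object, so reporting properties that
  // do not exist on it satisfies the Proxy invariants as long as they are
  // reported as configurable.
  return new Proxy({}, {
    ownKeys() { return Object.keys(descriptors); },
    getOwnPropertyDescriptor(_target, key) { return descriptors[key]; },
    has(_target, key) { return key in descriptors; },
    get(_target, key) { return key in descriptors ? descriptors[key].value : undefined; },
  });
}

// Each of these goes through [[OwnPropertyKeys]] and then filters on the
// enumerable bit, so "hidden" must not appear in any of them.
function enumerableKeys(proxy) { return Object.keys(proxy); }
function forInKeys(proxy) { const keys = []; for (const k in proxy) keys.push(k); return keys; }
function serialized(proxy) { return JSON.stringify(proxy); }
function spreadCopy(proxy) { return { ...proxy }; }

// No enumerability filtering here: every own key the proxy reports comes back.
function allOwnKeys(proxy) { return Object.getOwnPropertyNames(proxy); }

const demo = makeFilteredProxy();
console.log('Object.keys            ', enumerableKeys(demo));
console.log('for-in                 ', forInKeys(demo));
console.log('JSON.stringify         ', serialized(demo));
console.log('getOwnPropertyNames    ', allOwnKeys(demo));
```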
1870
1871 2019-04-15  Saam Barati  <sbarati@apple.com>
1872
1873         Modify how we do SetArgument when we inline varargs calls
1874         https://bugs.webkit.org/show_bug.cgi?id=196712
1875         <rdar://problem/49605012>
1876
1877         Reviewed by Michael Saboff.
1878
1879         When we inline varargs calls, we guarantee that the number of arguments that
1880         go on the stack is somewhere between the "mandatoryMinimum" and the "limit - 1".
1881         However, we can't statically guarantee that the arguments between these two
1882         ranges were filled out by Load/ForwardVarargs. This is because in the general
1883         case we don't know the argument count statically.
1884         
1885         However, we used to always emit SetArgumentDefinitely up to "limit - 1" for
1886         all arguments, even when some arguments aren't guaranteed to be in a valid
1887         state. Emitting these SetArgumentDefinitely nodes was helpful because they let us
1888         handle variable liveness and OSR exit metadata. However, when we converted
1889         to SSA, we ended up emitting a GetStack for each such SetArgumentDefinitely.
1890         
1891         This is wrong, as we can't guarantee such SetArgumentDefinitely nodes are
1892         actually looking at a range of the stack that is guaranteed to be initialized.
1893         This patch introduces a new form of SetArgument node: SetArgumentMaybe. In terms
1894         of OSR exit metadata and variable liveness tracking, it behaves like SetArgumentDefinitely.
1895         
1896         However, it differs in a couple key ways:
1897         1. In ThreadedCPS, GetLocal(@SetArgumentMaybe) is invalid IR, as this implies
1898         you might be loading uninitialized stack. (This same rule applies when you do
1899         the full data flow reachability analysis over CPS Phis.) If someone logically
1900         wanted to emit code like this, the correct node to emit would be GetArgument,
1901         not GetLocal. For similar reasons, PhantomLocal(@SetArgumentMaybe) is also
1902         invalid IR.
1903         2. To track liveness, Flush(@SetArgumentMaybe) is valid, and is the main user
1904         of SetArgumentMaybe.
1905         3. In SSA conversion, we don't lower SetArgumentMaybe to GetStack, as there
1906         should be no data flow user of SetArgumentMaybe.
1907         
1908         SetArgumentDefinitely guarantees that the stack slot is initialized.
1909         SetArgumentMaybe makes no such guarantee.
1910
1911         * dfg/DFGAbstractInterpreterInlines.h:
1912         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1913         * dfg/DFGByteCodeParser.cpp:
1914         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1915         * dfg/DFGCPSRethreadingPhase.cpp:
1916         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1917         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1918         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1919         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1920         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1921         (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
1922         * dfg/DFGClobberize.h:
1923         (JSC::DFG::clobberize):
1924         * dfg/DFGCommon.h:
1925         * dfg/DFGDoesGC.cpp:
1926         (JSC::DFG::doesGC):
1927         * dfg/DFGFixupPhase.cpp:
1928         (JSC::DFG::FixupPhase::fixupNode):
1929         * dfg/DFGInPlaceAbstractState.cpp:
1930         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1931         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1932         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1933         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1934         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1935         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1936         * dfg/DFGMayExit.cpp:
1937         * dfg/DFGNode.cpp:
1938         (JSC::DFG::Node::hasVariableAccessData):
1939         * dfg/DFGNodeType.h:
1940         * dfg/DFGPhantomInsertionPhase.cpp:
1941         * dfg/DFGPredictionPropagationPhase.cpp:
1942         * dfg/DFGSSAConversionPhase.cpp:
1943         (JSC::DFG::SSAConversionPhase::run):
1944         * dfg/DFGSafeToExecute.h:
1945         (JSC::DFG::safeToExecute):
1946         * dfg/DFGSpeculativeJIT32_64.cpp:
1947         (JSC::DFG::SpeculativeJIT::compile):
1948         * dfg/DFGSpeculativeJIT64.cpp:
1949         (JSC::DFG::SpeculativeJIT::compile):
1950         * dfg/DFGValidate.cpp:
1951         * ftl/FTLCapabilities.cpp:
1952         (JSC::FTL::canCompile):
1953
1954 2019-04-15  Commit Queue  <commit-queue@webkit.org>
1955
1956         Unreviewed, rolling out r243672.
1957         https://bugs.webkit.org/show_bug.cgi?id=196952
1958
1959         [JSValue release] should be thread-safe (Requested by
1960         yusukesuzuki on #webkit).
1961
1962         Reverted changeset:
1963
1964         "[JSC] JSWrapperMap should not use Objective-C Weak map
1965         (NSMapTable with NSPointerFunctionsWeakMemory) for
1966         m_cachedObjCWrappers"
1967         https://bugs.webkit.org/show_bug.cgi?id=196392
1968         https://trac.webkit.org/changeset/243672
1969
1970 2019-04-15  Saam barati  <sbarati@apple.com>
1971
1972         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
1973         https://bugs.webkit.org/show_bug.cgi?id=196945
1974         <rdar://problem/49802750>
1975
1976         Reviewed by Filip Pizlo.
1977
1978         * dfg/DFGSafeToExecute.h:
1979         (JSC::DFG::safeToExecute):
1980
1981 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1982
1983         DFG should be able to constant fold Object.create() with a constant prototype operand
1984         https://bugs.webkit.org/show_bug.cgi?id=196886
1985
1986         Reviewed by Yusuke Suzuki.
1987
1988
1989         It is a fairly simple and limited patch, as it only works when the DFG can prove the exact object used as prototype.
1990         But when it applies it can be a significant win:
1991                                                         Baseline                   Optim                                       
1992         object-create-constant-prototype              3.6082+-0.0979     ^      1.6947+-0.0756        ^ definitely 2.1292x faster
1993         object-create-null                           11.4492+-0.2510     ?     11.5030+-0.2402        ?
1994         object-create-unknown-object-prototype       15.6067+-0.1851     ?     15.7500+-0.2322        ?
1995         object-create-untyped-prototype               8.8873+-0.1240     ?      8.9806+-0.1202        ? might be 1.0105x slower
1996         <geometric>                                   8.6967+-0.1208     ^      7.2408+-0.1367        ^ definitely 1.2011x faster
1997
1998         The only subtlety is that we need to access the StructureCache concurrently from the compiler thread (see https://bugs.webkit.org/show_bug.cgi?id=186199)
1999         I solved this with a simple lock, taken when the compiler thread tries to read it, and when the main thread tries to modify it.
2000         I expect it to be extremely low contention, but will watch the bots just in case.
2001         The lock is taken neither when the main thread is only reading the cache (it has no-one to race with), nor when the GC purges it of dead entries (it does not free anything while a compiler thread is in the middle of a phase).
2002
2003         * dfg/DFGAbstractInterpreterInlines.h:
2004         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2005         * dfg/DFGConstantFoldingPhase.cpp:
2006         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2007         * runtime/StructureCache.cpp:
2008         (JSC::StructureCache::createEmptyStructure):
2009         (JSC::StructureCache::tryEmptyObjectStructureForPrototypeFromCompilerThread):
2010         * runtime/StructureCache.h:
2011
2012 2019-04-15  Devin Rousso  <drousso@apple.com>
2013
2014         Web Inspector: fake value descriptors for promises add a catch handler, preventing "rejectionhandled" events from being fired
2015         https://bugs.webkit.org/show_bug.cgi?id=196484
2016         <rdar://problem/49114725>
2017
2018         Reviewed by Joseph Pecoraro.
2019
2020         Only add a catch handler when the promise is reachable via a native getter and is known to
2021         have rejected. A non-rejected promise doesn't need a catch handler, and any promise that
2022         isn't reachable via a getter won't actually be reached, as `InjectedScript` doesn't call any
2023         functions, instead only getting the function object itself.
2024
2025         * inspector/InjectedScriptSource.js:
2026         (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor):
2027
2028         * inspector/JSInjectedScriptHost.h:
2029         * inspector/JSInjectedScriptHost.cpp:
2030         (Inspector::JSInjectedScriptHost::isPromiseRejectedWithNativeGetterTypeError): Added.
2031         * inspector/JSInjectedScriptHostPrototype.cpp:
2032         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
2033         (Inspector::jsInjectedScriptHostPrototypeFunctionIsPromiseRejectedWithNativeGetterTypeError): Added.
2034
2035         * runtime/ErrorInstance.h:
2036         (JSC::ErrorInstance::setNativeGetterTypeError): Added.
2037         (JSC::ErrorInstance::isNativeGetterTypeError const): Added.
2038
2039         * runtime/Error.h:
2040         (JSC::throwVMGetterTypeError): Added.
2041         * runtime/Error.cpp:
2042         (JSC::createGetterTypeError): Added.
2043         (JSC::throwGetterTypeError): Added.
2044         (JSC::throwDOMAttributeGetterTypeError):
2045
2046 2019-04-15  Robin Morisset  <rmorisset@apple.com>
2047
2048         B3::Value should have different kinds of adjacency lists
2049         https://bugs.webkit.org/show_bug.cgi?id=196091
2050
2051         Reviewed by Filip Pizlo.
2052
2053         The key idea of this optimization is to replace the Vector<Value*, 3> m_children in B3::Value (40 bytes on 64-bit platforms) by one of the following:
2054         - Nothing (0 bytes)
2055         - 1 Value* (8 bytes)
2056         - 2 Value* (16 bytes)
2057         - 3 Value* (24 bytes)
2058         - A Vector<Value*, 3>
2059         after the end of the Value object, depending on the kind of the Value.
2060         So for example, when allocating an Add, we would allocate an extra 16 bytes into which to store 2 Values.
2061         This would halve the memory consumption of Const64/Const32/Nop/Identity and a bunch more kinds of values, and reduce by a more moderate amount the memory consumption of the rest of non-varargs values (e.g. Add would go from 72 to 48 bytes).
2062
2063         A few implementation points:
2064         - Even if there are no children, we must remember to allocate at least enough space for replaceWithIdentity to work later. It needs sizeof(Value) (for the object itself) + sizeof(Value*) (for the pointer to its child)
2065         - We must make sure to destroy the vector whenever we destroy a Value which is VarArgs
2066         - We must remember how many elements there are in the case where we did not allocate a Vector. We cannot do it purely by relying on the kind, both for speed reasons and because Return can have either 0 or 1 argument in B3
2067           Thankfully, we have an extra byte of padding to use in the middle of B3::Value
2068         - In order to support clone(), we must have a separate version of allocate, which extracts the opcode from the to-be-cloned object instead of from the call to the constructor
2069         - Speaking of which, we need a special templated function opcodeFromConstructor, because some of the constructors of subclasses of Value don't take an explicit Opcode as argument, typically because they match a single one.
2070         - To maximize performance, we provide specialized versions of child/lastChild/numChildren/children in the subclasses of Value, skipping checks when the actual type of the Value is already known.
2071           This is done through the B3_SPECIALIZE_VALUE_FOR_... defined at the bottom of B3Value.h
2072         - In the constructors of Value, we convert all extra children arguments to Value* eagerly. It is not required for correctness (they will be converted when put into a Vector<Value*> or a Value* in the end), but it helps limit an explosion in the number of template instantiations.
2073         - I moved DeepValueDump::dump from the .h to the .cpp, as there is no good reason to inline it, and recompiling JSC is already slow enough
2074
2075         * JavaScriptCore.xcodeproj/project.pbxproj:
2076         * b3/B3ArgumentRegValue.cpp:
2077         (JSC::B3::ArgumentRegValue::cloneImpl const): Deleted.
2078         * b3/B3ArgumentRegValue.h:
2079         * b3/B3AtomicValue.cpp:
2080         (JSC::B3::AtomicValue::AtomicValue):
2081         (JSC::B3::AtomicValue::cloneImpl const): Deleted.
2082         * b3/B3AtomicValue.h:
2083         * b3/B3BasicBlock.h:
2084         * b3/B3BasicBlockInlines.h:
2085         (JSC::B3::BasicBlock::appendNewNonTerminal): Deleted.
2086         * b3/B3CCallValue.cpp:
2087         (JSC::B3::CCallValue::appendArgs):
2088         (JSC::B3::CCallValue::cloneImpl const): Deleted.
2089         * b3/B3CCallValue.h:
2090         * b3/B3CheckValue.cpp:
2091         (JSC::B3::CheckValue::cloneImpl const): Deleted.
2092         * b3/B3CheckValue.h:
2093         * b3/B3Const32Value.cpp:
2094         (JSC::B3::Const32Value::cloneImpl const): Deleted.
2095         * b3/B3Const32Value.h:
2096         * b3/B3Const64Value.cpp:
2097         (JSC::B3::Const64Value::cloneImpl const): Deleted.
2098         * b3/B3Const64Value.h:
2099         * b3/B3ConstDoubleValue.cpp:
2100         (JSC::B3::ConstDoubleValue::cloneImpl const): Deleted.
2101         * b3/B3ConstDoubleValue.h:
2102         * b3/B3ConstFloatValue.cpp:
2103         (JSC::B3::ConstFloatValue::cloneImpl const): Deleted.
2104         * b3/B3ConstFloatValue.h:
2105         * b3/B3ConstPtrValue.h:
2106         (JSC::B3::ConstPtrValue::opcodeFromConstructor):
2107         * b3/B3FenceValue.cpp:
2108         (JSC::B3::FenceValue::FenceValue):
2109         (JSC::B3::FenceValue::cloneImpl const): Deleted.
2110         * b3/B3FenceValue.h:
2111         * b3/B3MemoryValue.cpp:
2112         (JSC::B3::MemoryValue::MemoryValue):
2113         (JSC::B3::MemoryValue::cloneImpl const): Deleted.
2114         * b3/B3MemoryValue.h:
2115         * b3/B3MoveConstants.cpp:
2116         * b3/B3PatchpointValue.cpp:
2117         (JSC::B3::PatchpointValue::cloneImpl const): Deleted.
2118         * b3/B3PatchpointValue.h:
2119         (JSC::B3::PatchpointValue::opcodeFromConstructor):
2120         * b3/B3Procedure.cpp:
2121         * b3/B3Procedure.h:
2122         * b3/B3ProcedureInlines.h:
2123         (JSC::B3::Procedure::add):
2124         * b3/B3SlotBaseValue.cpp:
2125         (JSC::B3::SlotBaseValue::cloneImpl const): Deleted.
2126         * b3/B3SlotBaseValue.h:
2127         * b3/B3StackmapSpecial.cpp:
2128         (JSC::B3::StackmapSpecial::forEachArgImpl):
2129         (JSC::B3::StackmapSpecial::isValidImpl):
2130         * b3/B3StackmapValue.cpp:
2131         (JSC::B3::StackmapValue::append):
2132         (JSC::B3::StackmapValue::StackmapValue):
2133         * b3/B3StackmapValue.h:
2134         * b3/B3SwitchValue.cpp:
2135         (JSC::B3::SwitchValue::SwitchValue):
2136         (JSC::B3::SwitchValue::cloneImpl const): Deleted.
2137         * b3/B3SwitchValue.h:
2138         (JSC::B3::SwitchValue::opcodeFromConstructor):
2139         * b3/B3UpsilonValue.cpp:
2140         (JSC::B3::UpsilonValue::cloneImpl const): Deleted.
2141         * b3/B3UpsilonValue.h:
2142         * b3/B3Value.cpp:
2143         (JSC::B3::DeepValueDump::dump const):
2144         (JSC::B3::Value::~Value):
2145         (JSC::B3::Value::replaceWithIdentity):
2146         (JSC::B3::Value::replaceWithNopIgnoringType):
2147         (JSC::B3::Value::replaceWithPhi):
2148         (JSC::B3::Value::replaceWithJump):
2149         (JSC::B3::Value::replaceWithOops):
2150         (JSC::B3::Value::replaceWith):
2151         (JSC::B3::Value::invertedCompare const):
2152         (JSC::B3::Value::returnsBool const):
2153         (JSC::B3::Value::cloneImpl const): Deleted.
2154         * b3/B3Value.h:
2155         (JSC::B3::DeepValueDump::dump const): Deleted.
2156         * b3/B3ValueInlines.h:
2157         (JSC::B3::Value::adjacencyListOffset const):
2158         (JSC::B3::Value::cloneImpl const):
2159         * b3/B3VariableValue.cpp:
2160         (JSC::B3::VariableValue::VariableValue):
2161         (JSC::B3::VariableValue::cloneImpl const): Deleted.
2162         * b3/B3VariableValue.h:
2163         * b3/B3WasmAddressValue.cpp:
2164         (JSC::B3::WasmAddressValue::WasmAddressValue):
2165         (JSC::B3::WasmAddressValue::cloneImpl const): Deleted.
2166         * b3/B3WasmAddressValue.h:
2167         * b3/B3WasmBoundsCheckValue.cpp:
2168         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
2169         (JSC::B3::WasmBoundsCheckValue::cloneImpl const): Deleted.
2170         * b3/B3WasmBoundsCheckValue.h:
2171         (JSC::B3::WasmBoundsCheckValue::accepts):
2172         (JSC::B3::WasmBoundsCheckValue::opcodeFromConstructor):
2173         * b3/testb3.cpp:
2174         (JSC::B3::testCallFunctionWithHellaArguments):
2175         (JSC::B3::testCallFunctionWithHellaArguments2):
2176         (JSC::B3::testCallFunctionWithHellaArguments3):
2177         (JSC::B3::testCallFunctionWithHellaDoubleArguments):
2178         (JSC::B3::testCallFunctionWithHellaFloatArguments):
2179         * ftl/FTLOutput.h:
2180         (JSC::FTL::Output::call):
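
The trailing-storage layout this entry describes, as a constructed C++ sketch added here (it is not WebKit's B3::Value; the opcode names, the ChildrenKind byte and the rule that CCall always uses the vector form are this example's assumptions):

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <new>
#include <vector>

// Constructed sketch, not WebKit's B3::Value. Children live directly after the
// object, and how many there are is kept in a byte that would otherwise be padding
// rather than derived from the opcode (Return, for instance, takes 0 or 1 child).
struct alignas(alignof(void*)) Value {
    enum Opcode : uint8_t { Const32, Identity, Add, Return, CCall };
    enum ChildrenKind : uint8_t { Zero = 0, One = 1, Two = 2, Three = 3, VarArgs = 0xff };
    using ChildVector = std::vector<Value*>;

    Opcode opcode;
    ChildrenKind kind; // fits in the padding after opcode

    // Bytes reserved after the object: N pointer slots for fixed arity (never fewer
    // than one, so replaceWithIdentity can be applied later), or a whole vector.
    static size_t trailingSize(ChildrenKind kind)
    {
        if (kind == VarArgs)
            return sizeof(ChildVector);
        return (kind ? static_cast<size_t>(kind) : 1) * sizeof(Value*);
    }
    static size_t allocationSize(ChildrenKind kind) { return sizeof(Value) + trailingSize(kind); }

    static Value* create(Opcode opcode, std::initializer_list<Value*> children)
    {
        // Calls are open-ended, so they always get the vector representation.
        ChildrenKind kind = (opcode == CCall || children.size() > 3)
            ? VarArgs : static_cast<ChildrenKind>(children.size());
        void* memory = ::operator new(allocationSize(kind));
        Value* value = new (memory) Value(opcode, kind);
        if (kind == VarArgs)
            new (value->trailing()) ChildVector(children);
        else {
            Value** slots = static_cast<Value**>(value->trailing());
            size_t i = 0;
            for (Value* child : children)
                slots[i++] = child;
        }
        return value;
    }

    // Tears down the vector when, and only when, the children are VarArgs.
    static void destroy(Value* value)
    {
        value->~Value();
        ::operator delete(value);
    }

    size_t numChildren() const { return kind == VarArgs ? vector().size() : static_cast<size_t>(kind); }
    Value* child(size_t index) const
    {
        assert(index < numChildren());
        return kind == VarArgs ? vector()[index] : static_cast<Value* const*>(trailing())[index];
    }

    // Rewrite this node in place as Identity(replacement). A VarArgs node has to
    // destroy its vector first; the space it occupied is at least one slot wide.
    void replaceWithIdentity(Value* replacement)
    {
        if (kind == VarArgs)
            vector().~ChildVector();
        opcode = Identity;
        kind = One;
        static_cast<Value**>(trailing())[0] = replacement;
    }

private:
    Value(Opcode opcode, ChildrenKind kind) : opcode(opcode), kind(kind) { }
    ~Value() { if (kind == VarArgs) vector().~ChildVector(); }
    void* trailing() { return reinterpret_cast<char*>(this) + sizeof(Value); }
    const void* trailing() const { return reinterpret_cast<const char*>(this) + sizeof(Value); }
    ChildVector& vector() { return *static_cast<ChildVector*>(trailing()); }
    const ChildVector& vector() const { return *static_cast<const ChildVector*>(trailing()); }
};

// Builds a five-argument call, rewrites it as Identity(add), and checks that the
// node now reports exactly one child pointing at the Add. Returns true on success.
bool demoReplaceCallWithIdentity()
{
    Value* a = Value::create(Value::Const32, {});
    Value* b = Value::create(Value::Const32, {});
    Value* add = Value::create(Value::Add, { a, b });
    Value* call = Value::create(Value::CCall, { a, b, add, a, b });
    bool ok = call->numChildren() == 5 && add->numChildren() == 2 && add->child(1) == b;
    call->replaceWithIdentity(add);
    ok = ok && call->opcode == Value::Identity && call->numChildren() == 1 && call->child(0) == add;
    for (Value* value : { call, add, b, a })
        Value::destroy(value);
    return ok;
}
```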
2181
2182 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
2183
2184         Bytecode cache should not encode the SourceProvider for UnlinkedFunctionExecutable's classSource
2185         https://bugs.webkit.org/show_bug.cgi?id=196878
2186
2187         Reviewed by Saam Barati.
2188
2189         Every time we encode an (Unlinked)SourceCode, we encode its SourceProvider,
2190         including the full source if it's a StringSourceProvider. This wasn't an issue,
2191         since the SourceCode contains a RefPtr to the SourceProvider, and the Encoder
2192         would avoid encoding the provider multiple times. With the addition of the
2193         incremental cache, each UnlinkedFunctionCodeBlock is encoded in isolation, which
2194         means we can no longer deduplicate it and the full program text was being encoded
2195         multiple times in the cache.
2196         As a workaround, this patch adds a custom cached type for encoding the SourceCode
2197         without its provider, and later injects the SourceProvider through the Decoder.
2198
2199         * parser/SourceCode.h:
2200         * parser/UnlinkedSourceCode.h:
2201         (JSC::UnlinkedSourceCode::provider const):
2202         * runtime/CachedTypes.cpp:
2203         (JSC::Decoder::Decoder):
2204         (JSC::Decoder::create):
2205         (JSC::Decoder::provider const):
2206         (JSC::CachedSourceCodeWithoutProvider::encode):
2207         (JSC::CachedSourceCodeWithoutProvider::decode const):
2208         (JSC::decodeCodeBlockImpl):
2209         * runtime/CachedTypes.h:
2210
2211 2019-04-15  Robin Morisset  <rmorisset@apple.com>
2212
2213         MarkedSpace.cpp is not in the Xcode workspace
2214         https://bugs.webkit.org/show_bug.cgi?id=196928
2215
2216         Reviewed by Saam Barati.
2217
2218         * JavaScriptCore.xcodeproj/project.pbxproj:
2219
2220 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
2221
2222         Incremental bytecode cache should not append function updates when loaded from memory
2223         https://bugs.webkit.org/show_bug.cgi?id=196865
2224
2225         Reviewed by Filip Pizlo.
2226
2227         Function updates hold the assumption that a function can only be executed/cached
2228         after its containing code block has already been cached. This assumption does
2229         not hold if the UnlinkedCodeBlock is loaded from memory by the CodeCache, since
2230         we might have two independent SourceProviders executing different paths of the
2231         code and causing the same UnlinkedCodeBlock to be modified in memory.
2232         Use a RefPtr instead of Ref for m_cachedBytecode in ShellSourceProvider to distinguish
2233         between a new, empty cache and a cache that was not loaded and therefore cannot be updated.
2234
2235         * jsc.cpp:
2236         (ShellSourceProvider::ShellSourceProvider):
2237
2238 2019-04-15  Saam barati  <sbarati@apple.com>
2239
2240         mergeOSREntryValue is wrong when the incoming value does not match up with the flush format
2241         https://bugs.webkit.org/show_bug.cgi?id=196918
2242
2243         Reviewed by Yusuke Suzuki.
2244
2245         r244238 led to some debug failures because we were calling checkConsistency()
2246         before doing fixTypeForRepresentation when merging in must handle values in
2247         CFA. This patch fixes that.
2248         
2249         However, as I was reading over mergeOSREntryValue, I realized it was wrong. It
2250         was possible it could merge in a value/type outside of the variable's flushed type.
2251         Once the flush format types are locked in, we can't introduce a type out of
2252         that range. This probably never led to any crashes as our profiling injection
2253         and speculation decision code is solid. However, what we were doing is clearly
2254         wrong, and something a fuzzer could have found if we fuzzed the must handle
2255         values inside prediction injection. We should do that fuzzing:
2256         https://bugs.webkit.org/show_bug.cgi?id=196924
2257
2258         * dfg/DFGAbstractValue.cpp:
2259         (JSC::DFG::AbstractValue::mergeOSREntryValue):
2260         * dfg/DFGAbstractValue.h:
2261         * dfg/DFGCFAPhase.cpp:
2262         (JSC::DFG::CFAPhase::injectOSR):
2263
2264 2019-04-15  Robin Morisset  <rmorisset@apple.com>
2265
2266         Several structures and enums in the Yarr interpreter can be shrunk
2267         https://bugs.webkit.org/show_bug.cgi?id=196923
2268
2269         Reviewed by Saam Barati.
2270
2271         YarrOp: 88 -> 80
2272         RegularExpression: 40 -> 32
2273         ByteTerm: 56 -> 48
2274         PatternTerm: 56 -> 48
2275
2276         * yarr/RegularExpression.cpp:
2277         * yarr/YarrInterpreter.h:
2278         * yarr/YarrJIT.cpp:
2279         (JSC::Yarr::YarrGenerator::YarrOp::YarrOp):
2280         * yarr/YarrParser.h:
2281         * yarr/YarrPattern.h:
2282
2283 2019-04-15  Devin Rousso  <drousso@apple.com>
2284
2285         Web Inspector: REGRESSION(r244172): crash when trying to add extra domain while inspecting JSContext
2286         https://bugs.webkit.org/show_bug.cgi?id=196925
2287         <rdar://problem/49873994>
2288
2289         Reviewed by Joseph Pecoraro.
2290
2291         Move the logic for creating the `InspectorAgent` and `InspectorDebuggerAgent` into separate
2292         functions so that callers can be guaranteed to have a valid instance of the agent.
2293
2294         * inspector/JSGlobalObjectInspectorController.h:
2295         * inspector/JSGlobalObjectInspectorController.cpp:
2296         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2297         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
2298         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
2299         (Inspector::JSGlobalObjectInspectorController::ensureInspectorAgent): Added.
2300         (Inspector::JSGlobalObjectInspectorController::ensureDebuggerAgent): Added.
2301         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
2302
2303 2019-04-14  Don Olmstead  <don.olmstead@sony.com>
2304
2305         [CMake] JavaScriptCore derived sources should only be referenced inside JavaScriptCore
2306         https://bugs.webkit.org/show_bug.cgi?id=196742
2307
2308         Reviewed by Konstantin Tokarev.
2309
2310         Migrate to using JavaScriptCore_DERIVED_SOURCES_DIR instead of DERIVED_SOURCES_JAVASCRIPTCORE_DIR
2311         to support moving the JavaScriptCore derived sources outside of a shared directory.
2312
2313         Also use JavaScriptCore_DERIVED_SOURCES_DIR instead of DERIVED_SOUCES_DIR.
2314
2315         * CMakeLists.txt:
2316
2317 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
2318
2319         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
2320         https://bugs.webkit.org/show_bug.cgi?id=196880
2321
2322         Reviewed by Yusuke Suzuki.
2323
2324         CodeCache should not tell the SourceProvider to cache the bytecode if it failed
2325         to create the UnlinkedCodeBlock.
2326
2327         * runtime/CodeCache.cpp:
2328         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2329
2330 2019-04-12  Saam barati  <sbarati@apple.com>
2331
2332         r244079 logically broke shouldSpeculateInt52
2333         https://bugs.webkit.org/show_bug.cgi?id=196884
2334
2335         Reviewed by Yusuke Suzuki.
2336
2337         In r244079, I changed shouldSpeculateInt52 to only return true
2338         when the prediction is isAnyInt52Speculation(). However, it was
2339         wrong not to include SpecInt32 in this for two reasons:
2340
2341         1. We diligently write code that first checks if we should speculate Int32.
2342         For example:
2343         if (shouldSpeculateInt32()) ... 
2344         else if (shouldSpeculateInt52()) ...
2345
2346         It would be wrong not to fall back to Int52 if we're dealing with the union of
2347         Int32 and Int52.
2348
2349         It would be a performance mistake to not include Int32 here because
2350         data flow can easily tell us that we have variables that are the union
2351         of Int32 and Int52 values. It's better to speculate Int52 than Double
2352         in that situation.
2353
2354         2. We also write code where we ask if the inputs can be Int52, e.g., if
2355         we know via profiling that an Add overflows, we may not emit an Int32 add.
2356         However, we only emit such an add if both inputs can be Int52, and Int32
2357         can trivially become Int52.
2358
2359         This patch recovers the 0.5-1% regression r244079 caused on JetStream 2.
2360
2361         * bytecode/SpeculatedType.h:
2362         (JSC::isInt32SpeculationForArithmetic):
2363         (JSC::isInt32OrBooleanSpeculationForArithmetic):
2364         (JSC::isInt32OrInt52Speculation):
2365         * dfg/DFGFixupPhase.cpp:
2366         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2367         * dfg/DFGNode.h:
2368         (JSC::DFG::Node::shouldSpeculateInt52):
2369         * dfg/DFGPredictionPropagationPhase.cpp:
2370         * dfg/DFGVariableAccessData.cpp:
2371         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
2372
2373 2019-04-12  Saam barati  <sbarati@apple.com>
2374
2375         Unreviewed. Build fix after r244233.
2376
2377         * assembler/CPU.cpp:
2378
2379 2019-04-12  Saam barati  <sbarati@apple.com>
2380
2381         Sometimes we need to use fewer CPUs in our threading calculations
2382         https://bugs.webkit.org/show_bug.cgi?id=196794
2383         <rdar://problem/49389497>
2384
2385         Reviewed by Yusuke Suzuki.
2386
2387         * JavaScriptCore.xcodeproj/project.pbxproj:
2388         * Sources.txt:
2389         * assembler/CPU.cpp: Added.
2390         (JSC::isKernTCSMAvailable):
2391         (JSC::enableKernTCSM):
2392         (JSC::kernTCSMAwareNumberOfProcessorCores):
2393         * assembler/CPU.h:
2394         (JSC::isKernTCSMAvailable):
2395         (JSC::enableKernTCSM):
2396         (JSC::kernTCSMAwareNumberOfProcessorCores):
2397         * heap/MachineStackMarker.h:
2398         (JSC::MachineThreads::addCurrentThread):
2399         * runtime/JSLock.cpp:
2400         (JSC::JSLock::didAcquireLock):
2401         * runtime/Options.cpp:
2402         (JSC::computeNumberOfWorkerThreads):
2403         (JSC::computePriorityDeltaOfWorkerThreads):
2404         * wasm/WasmWorklist.cpp:
2405         (JSC::Wasm::Worklist::Worklist):
2406
2407 2019-04-12  Robin Morisset  <rmorisset@apple.com>
2408
2409         Use padding at end of ArrayBuffer
2410         https://bugs.webkit.org/show_bug.cgi?id=196823
2411
2412         Reviewed by Filip Pizlo.
2413
2414         * runtime/ArrayBuffer.h:
2415
2416 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
2417
2418         [JSC] op_has_indexed_property should not assume subscript part is Uint32
2419         https://bugs.webkit.org/show_bug.cgi?id=196850
2420
2421         Reviewed by Saam Barati.
2422
2423         op_has_indexed_property assumed that the subscript part is always Uint32. However, this is just a load from a non-constant RegisterID;
2424         the DFG can store it in double format and can perform OSR exit. op_has_indexed_property should not assume that.
2425         In this patch, instead, we check it with isAnyInt and get uint32_t from AnyInt.
2426
2427         * jit/JITOpcodes.cpp:
2428         (JSC::JIT::emit_op_has_indexed_property):
2429         * jit/JITOpcodes32_64.cpp:
2430         (JSC::JIT::emit_op_has_indexed_property):
2431         * jit/JITOperations.cpp:
2432         * runtime/CommonSlowPaths.cpp:
2433         (JSC::SLOW_PATH_DECL):
2434
2435 2019-04-11  Saam barati  <sbarati@apple.com>
2436
2437         Remove invalid assertion in operationInstanceOfCustom
2438         https://bugs.webkit.org/show_bug.cgi?id=196842
2439         <rdar://problem/49725493>
2440
2441         Reviewed by Michael Saboff.
2442
2443         In the generated JIT code, we go to the slow path when the incoming function
2444         isn't the Node's CodeOrigin's functionProtoHasInstanceSymbolFunction. However,
2445         in the JIT operation, we were asserting against exec->lexicalGlobalObject()'s
2446         functionProtoHasInstanceSymbolFunction. That assertion might be wrong when
2447         inlining across global objects as exec->lexicalGlobalObject() uses the machine
2448         frame for procuring the global object. There is no harm when this assertion fails
2449         as we just execute the slow path. This patch removes the assertion. (However, this
2450         does shed light on the deficiency in our exec->lexicalGlobalObject() function with
2451         respect to inlining. However, this isn't new -- we've known about this for a while.)
2452
2453         * jit/JITOperations.cpp:
2454
2455 2019-04-11  Michael Saboff  <msaboff@apple.com>
2456
2457         Improve the Inline Cache Stats code
2458         https://bugs.webkit.org/show_bug.cgi?id=196836
2459
2460         Reviewed by Saam Barati.
2461
2462         Needed to handle the case where the Identifier could be null, for example with InstanceOfAddAccessCase
2463         and InstanceOfReplaceWithJump.
2464
2465         Added the ability to log the location of a GetBy and PutBy property as either on self or up the
2466         protocol chain.
2467
2468         * jit/ICStats.cpp:
2469         (JSC::ICEvent::operator< const):
2470         (JSC::ICEvent::dump const):
2471         * jit/ICStats.h:
2472         (JSC::ICEvent::ICEvent):
2473         (JSC::ICEvent::hash const):
2474         * jit/JITOperations.cpp:
2475         * jit/Repatch.cpp:
2476         (JSC::tryCacheGetByID):
2477         (JSC::tryCachePutByID):
2478         (JSC::tryCacheInByID):
2479
2480 2019-04-11  Devin Rousso  <drousso@apple.com>
2481
2482         Web Inspector: Timelines: can't reliably stop/start a recording
2483         https://bugs.webkit.org/show_bug.cgi?id=196778
2484         <rdar://problem/47606798>
2485
2486         Reviewed by Timothy Hatcher.
2487
2488         * inspector/protocol/ScriptProfiler.json:
2489         * inspector/protocol/Timeline.json:
2490         It is possible to determine when programmatic capturing starts/stops in the frontend based
2491         on the state when the backend causes the state to change, such as if the state is "inactive"
2492         when the frontend is told that the backend has started capturing.
2493
2494         * inspector/protocol/CPUProfiler.json:
2495         * inspector/protocol/Memory.json:
2496         Send an end timestamp to match other instruments.
2497
2498         * inspector/JSGlobalObjectConsoleClient.cpp:
2499         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
2500         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
2501
2502         * inspector/agents/InspectorScriptProfilerAgent.h:
2503         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2504         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2505         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
2506         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
2507
2508 2019-04-11  Saam barati  <sbarati@apple.com>
2509
2510         Rename SetArgument to SetArgumentDefinitely
2511         https://bugs.webkit.org/show_bug.cgi?id=196828
2512
2513         Reviewed by Yusuke Suzuki.
2514
2515         This is in preparation for https://bugs.webkit.org/show_bug.cgi?id=196712
2516         where we will introduce a node named SetArgumentMaybe. Doing this refactoring
2517         first will make reviewing that other patch easier.
2518
2519         * dfg/DFGAbstractInterpreterInlines.h:
2520         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2521         * dfg/DFGByteCodeParser.cpp:
2522         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
2523         (JSC::DFG::ByteCodeParser::parseBlock):
2524         * dfg/DFGCPSRethreadingPhase.cpp:
2525         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2526         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
2527         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
2528         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
2529         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
2530         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
2531         (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
2532         * dfg/DFGClobberize.h:
2533         (JSC::DFG::clobberize):
2534         * dfg/DFGCommon.h:
2535         * dfg/DFGDoesGC.cpp:
2536         (JSC::DFG::doesGC):
2537         * dfg/DFGFixupPhase.cpp:
2538         (JSC::DFG::FixupPhase::fixupNode):
2539         * dfg/DFGGraph.cpp:
2540         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2541         * dfg/DFGGraph.h:
2542         * dfg/DFGInPlaceAbstractState.cpp:
2543         (JSC::DFG::InPlaceAbstractState::initialize):
2544         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2545         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
2546         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
2547         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2548         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2549         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
2550         * dfg/DFGMayExit.cpp:
2551         * dfg/DFGNode.cpp:
2552         (JSC::DFG::Node::hasVariableAccessData):
2553         * dfg/DFGNode.h:
2554         (JSC::DFG::Node::convertPhantomToPhantomLocal):
2555         * dfg/DFGNodeType.h:
2556         * dfg/DFGOSREntrypointCreationPhase.cpp:
2557         (JSC::DFG::OSREntrypointCreationPhase::run):
2558         * dfg/DFGPhantomInsertionPhase.cpp:
2559         * dfg/DFGPredictionPropagationPhase.cpp:
2560         * dfg/DFGSSAConversionPhase.cpp:
2561         (JSC::DFG::SSAConversionPhase::run):
2562         * dfg/DFGSafeToExecute.h:
2563         (JSC::DFG::safeToExecute):
2564         * dfg/DFGSpeculativeJIT.cpp:
2565         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2566         * dfg/DFGSpeculativeJIT32_64.cpp:
2567         (JSC::DFG::SpeculativeJIT::compile):
2568         * dfg/DFGSpeculativeJIT64.cpp:
2569         (JSC::DFG::SpeculativeJIT::compile):
2570         * dfg/DFGTypeCheckHoistingPhase.cpp:
2571         (JSC::DFG::TypeCheckHoistingPhase::run):
2572         * dfg/DFGValidate.cpp:
2573         * ftl/FTLCapabilities.cpp:
2574         (JSC::FTL::canCompile):
2575
2576 2019-04-11  Truitt Savell  <tsavell@apple.com>
2577
2578         Unreviewed, rolling out r244158.
2579
2580         Caused 8 inspector/timeline/ test failures.
2581
2582         Reverted changeset:
2583
2584         "Web Inspector: Timelines: can't reliably stop/start a
2585         recording"
2586         https://bugs.webkit.org/show_bug.cgi?id=196778
2587         https://trac.webkit.org/changeset/244158
2588
2589 2019-04-10  Saam Barati  <sbarati@apple.com>
2590
2591         AbstractValue::validateOSREntryValue is wrong for Int52 constants
2592         https://bugs.webkit.org/show_bug.cgi?id=196801
2593         <rdar://problem/49771122>
2594
2595         Reviewed by Yusuke Suzuki.
2596
2597         validateOSREntryValue should not care about the format of the incoming
2598         value for Int52s. This patch normalizes the format of m_value and
2599         the incoming value when comparing them.
2600
2601         * dfg/DFGAbstractValue.h:
2602         (JSC::DFG::AbstractValue::validateOSREntryValue const):
2603
2604 2019-04-10  Saam Barati  <sbarati@apple.com>
2605
2606         ArithSub over Int52 has shouldCheckOverflow as always true
2607         https://bugs.webkit.org/show_bug.cgi?id=196796
2608
2609         Reviewed by Yusuke Suzuki.
2610
2611         AI was checking for ArithSub over Int52 if !shouldCheckOverflow. However,
2612         shouldCheckOverflow is always true, so !shouldCheckOverflow is always
2613         false. We shouldn't check something we assert against.
2614
2615         * dfg/DFGAbstractInterpreterInlines.h:
2616         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2617
2618 2019-04-10  Basuke Suzuki  <basuke.suzuki@sony.com>
2619
2620         [PlayStation] Specify byte order clearly on Remote Inspector Protocol
2621         https://bugs.webkit.org/show_bug.cgi?id=196790
2622
2623         Reviewed by Ross Kirsling.
2624
2625         The original implementation lacks a byte order specification. Network byte order is a
2626         good candidate if there's no strong reason to choose another.
2627         Currently no client exists for the PlayStation remote inspector protocol, so we can
2628         change the byte order without care.
2629
2630         * inspector/remote/playstation/RemoteInspectorMessageParserPlayStation.cpp:
2631         (Inspector::MessageParser::createMessage):
2632         (Inspector::MessageParser::parse):
2633
2634 2019-04-10  Devin Rousso  <drousso@apple.com>
2635
2636         Web Inspector: Inspector: lazily create the agent
2637         https://bugs.webkit.org/show_bug.cgi?id=195971
2638         <rdar://problem/49039645>
2639
2640         Reviewed by Joseph Pecoraro.
2641
2642         * inspector/JSGlobalObjectInspectorController.cpp:
2643         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2644         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2645         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
2646         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
2647
2648         * inspector/agents/InspectorAgent.h:
2649         * inspector/agents/InspectorAgent.cpp:
2650
2651 2019-04-10  Saam Barati  <sbarati@apple.com>
2652
2653         Work around an arm64_32 LLVM miscompile bug
2654         https://bugs.webkit.org/show_bug.cgi?id=196788
2655
2656         Reviewed by Yusuke Suzuki.
2657
2658         * runtime/CachedTypes.cpp:
2659
2660 2019-04-10  Devin Rousso  <drousso@apple.com>
2661
2662         Web Inspector: Timelines: can't reliably stop/start a recording
2663         https://bugs.webkit.org/show_bug.cgi?id=196778
2664         <rdar://problem/47606798>
2665
2666         Reviewed by Timothy Hatcher.
2667
2668         * inspector/protocol/ScriptProfiler.json:
2669         * inspector/protocol/Timeline.json:
2670         It is possible to determine when programmatic capturing starts/stops in the frontend based
2671         on the state when the backend causes the state to change, such as if the state is "inactive"
2672         when the frontend is told that the backend has started capturing.
2673
2674         * inspector/protocol/CPUProfiler.json:
2675         * inspector/protocol/Memory.json:
2676         Send an end timestamp to match other instruments.
2677
2678         * inspector/JSGlobalObjectConsoleClient.cpp:
2679         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
2680         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
2681
2682         * inspector/agents/InspectorScriptProfilerAgent.h:
2683         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2684         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2685         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
2686         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
2687
2688 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
2689
2690         Unreviewed, fix watch build after r244143
2691         https://bugs.webkit.org/show_bug.cgi?id=195000
2692
2693         The result of `lseek` should be `off_t` rather than `int`.
2694
2695         * jsc.cpp:
2696
2697 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
2698
2699         Add support for incremental bytecode cache updates
2700         https://bugs.webkit.org/show_bug.cgi?id=195000
2701
2702         Reviewed by Filip Pizlo.
2703
2704         Add support for incremental updates to the bytecode cache. The cache
2705         is constructed as follows:
2706         - When the cache is empty, the initial payload can be added to the BytecodeCache
2707         by calling BytecodeCache::addGlobalUpdate. This represents the encoded
2708         top-level UnlinkedCodeBlock.
2709         - Afterwards, updates can be added by calling BytecodeCache::addFunctionUpdate.
2710         The update is applied by appending the encoded UnlinkedFunctionCodeBlock
2711         to the existing cache and updating the CachedFunctionExecutableMetadata
2712         and the offset of the new CachedFunctionCodeBlock in the owner CachedFunctionExecutable.
2713
2714         * API/JSScript.mm:
2715         (-[JSScript readCache]):
2716         (-[JSScript isUsingBytecodeCache]):
2717         (-[JSScript init]):
2718         (-[JSScript cachedBytecode]):
2719         (-[JSScript writeCache:]):
2720         * API/JSScriptInternal.h:
2721         * API/JSScriptSourceProvider.h:
2722         * API/JSScriptSourceProvider.mm:
2723         (JSScriptSourceProvider::cachedBytecode const):
2724         * CMakeLists.txt:
2725         * JavaScriptCore.xcodeproj/project.pbxproj:
2726         * Sources.txt:
2727         * bytecode/UnlinkedFunctionExecutable.cpp:
2728         (JSC::generateUnlinkedFunctionCodeBlock):
2729         * jsc.cpp:
2730         (ShellSourceProvider::~ShellSourceProvider):
2731         (ShellSourceProvider::cachePath const):
2732         (ShellSourceProvider::loadBytecode const):
2733         (ShellSourceProvider::ShellSourceProvider):
2734         (ShellSourceProvider::cacheEnabled):
2735         * parser/SourceProvider.h:
2736         (JSC::SourceProvider::cachedBytecode const):
2737         (JSC::SourceProvider::updateCache const):
2738         (JSC::SourceProvider::commitCachedBytecode const):
2739         * runtime/CachePayload.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
2740         (JSC::CachePayload::makeMappedPayload):
2741         (JSC::CachePayload::makeMallocPayload):
2742         (JSC::CachePayload::makeEmptyPayload):
2743         (JSC::CachePayload::CachePayload):
2744         (JSC::CachePayload::~CachePayload):
2745         (JSC::CachePayload::operator=):
2746         (JSC::CachePayload::freeData):
2747         * runtime/CachePayload.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
2748         (JSC::CachePayload::data const):
2749         (JSC::CachePayload::size const):
2750         (JSC::CachePayload::CachePayload):
2751         * runtime/CacheUpdate.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
2752         (JSC::CacheUpdate::CacheUpdate):
2753         (JSC::CacheUpdate::operator=):
2754         (JSC::CacheUpdate::isGlobal const):
2755         (JSC::CacheUpdate::asGlobal const):
2756         (JSC::CacheUpdate::asFunction const):
2757         * runtime/CacheUpdate.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
2758         * runtime/CachedBytecode.cpp: Added.
2759         (JSC::CachedBytecode::addGlobalUpdate):
2760         (JSC::CachedBytecode::addFunctionUpdate):
2761         (JSC::CachedBytecode::copyLeafExecutables):
2762         (JSC::CachedBytecode::commitUpdates const):
2763         * runtime/CachedBytecode.h: Added.
2764         (JSC::CachedBytecode::create):
2765         (JSC::CachedBytecode::leafExecutables):
2766         (JSC::CachedBytecode::data const):
2767         (JSC::CachedBytecode::size const):
2768         (JSC::CachedBytecode::hasUpdates const):
2769         (JSC::CachedBytecode::sizeForUpdate const):
2770         (JSC::CachedBytecode::CachedBytecode):
2771         * runtime/CachedTypes.cpp:
2772         (JSC::Encoder::addLeafExecutable):
2773         (JSC::Encoder::release):
2774         (JSC::Decoder::Decoder):
2775         (JSC::Decoder::create):
2776         (JSC::Decoder::size const):
2777         (JSC::Decoder::offsetOf):
2778         (JSC::Decoder::ptrForOffsetFromBase):
2779         (JSC::Decoder::addLeafExecutable):
2780         (JSC::VariableLengthObject::VariableLengthObject):
2781         (JSC::VariableLengthObject::buffer const):
2782         (JSC::CachedPtrOffsets::offsetOffset):
2783         (JSC::CachedWriteBarrierOffsets::ptrOffset):
2784         (JSC::CachedFunctionExecutable::features const):
2785         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
2786         (JSC::CachedFunctionExecutableOffsets::codeBlockForCallOffset):
2787         (JSC::CachedFunctionExecutableOffsets::codeBlockForConstructOffset):
2788         (JSC::CachedFunctionExecutableOffsets::metadataOffset):
2789         (JSC::CachedFunctionExecutable::encode):
2790         (JSC::CachedFunctionExecutable::decode const):
2791         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2792         (JSC::encodeCodeBlock):
2793         (JSC::encodeFunctionCodeBlock):
2794         (JSC::decodeCodeBlockImpl):
2795         (JSC::isCachedBytecodeStillValid):
2796         * runtime/CachedTypes.h:
2797         (JSC::VariableLengthObjectBase::VariableLengthObjectBase):
2798         (JSC::decodeCodeBlock):
2799         * runtime/CodeCache.cpp:
2800         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2801         (JSC::CodeCache::updateCache):
2802         (JSC::CodeCache::write):
2803         (JSC::writeCodeBlock):
2804         (JSC::serializeBytecode):
2805         * runtime/CodeCache.h:
2806         (JSC::SourceCodeValue::SourceCodeValue):
2807         (JSC::CodeCacheMap::findCacheAndUpdateAge):
2808         (JSC::CodeCacheMap::fetchFromDiskImpl):
2809         * runtime/Completion.cpp:
2810         (JSC::generateProgramBytecode):
2811         (JSC::generateModuleBytecode):
2812         * runtime/Completion.h:
2813         * runtime/LeafExecutable.cpp: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
2814         (JSC::LeafExecutable::operator+ const):
2815         * runtime/LeafExecutable.h: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
2816         (JSC::LeafExecutable::LeafExecutable):
2817         (JSC::LeafExecutable::base const):
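
The two-step construction described in the entry above, as an added model that is not JSC's code: the class name and the two update methods follow the entry, but the byte layout (little-endian u32 fields, owner records carrying a codeBlockOffset), the in-memory slot table and the bounds-checked reader are this example's own assumptions.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed append-only layout (not JSC's CachedTypes format):
//   global block  : u32 count, then count owner records { u32 nameLen, name bytes, u32 codeBlockOffset }
//   function block: u32 len, then len bytes of encoded code block
// codeBlockOffset == 0 means "not cached yet"; offset 0 is the global block, never a function block.
class CachedBytecode {
public:
    // Initial payload for an empty cache: the top-level block, with one owner record per function.
    void addGlobalUpdate(const std::vector<std::string>& functionNames)
    {
        if (!m_bytes.empty())
            throw std::logic_error("global update is only valid for an empty cache");
        putU32(static_cast<uint32_t>(functionNames.size()));
        for (const std::string& name : functionNames) {
            putU32(static_cast<uint32_t>(name.size()));
            m_bytes.insert(m_bytes.end(), name.begin(), name.end());
            m_offsetSlots.push_back(m_bytes.size()); // where this owner's offset field lives
            putU32(0);
        }
    }

    // Later update: append the encoded function code block, then patch the owner's offset field.
    void addFunctionUpdate(size_t functionIndex, const std::vector<uint8_t>& encodedCodeBlock)
    {
        if (functionIndex >= m_offsetSlots.size())
            throw std::out_of_range("no owner record for this function");
        uint32_t offset = static_cast<uint32_t>(m_bytes.size());
        putU32(static_cast<uint32_t>(encodedCodeBlock.size()));
        m_bytes.insert(m_bytes.end(), encodedCodeBlock.begin(), encodedCodeBlock.end());
        patchU32(m_offsetSlots[functionIndex], offset);
    }

    bool hasCodeBlock(size_t functionIndex) const { return readU32(m_offsetSlots.at(functionIndex)) != 0; }

    // Reader side: follow the owner's offset, bounds-checking it and the length it points at,
    // because a cache file is untrusted input to the decoder.
    std::vector<uint8_t> codeBlockFor(size_t functionIndex) const
    {
        size_t offset = readU32(m_offsetSlots.at(functionIndex));
        if (offset == 0 || offset >= m_bytes.size() || m_bytes.size() - offset < 4)
            throw std::runtime_error("owner offset outside cache");
        size_t len = readU32(offset);
        if (len > m_bytes.size() - offset - 4)
            throw std::runtime_error("code block length outside cache");
        return std::vector<uint8_t>(m_bytes.begin() + offset + 4, m_bytes.begin() + offset + 4 + len);
    }

    size_t size() const { return m_bytes.size(); }

private:
    void putU32(uint32_t v)
    {
        for (int i = 0; i < 4; ++i)
            m_bytes.push_back(static_cast<uint8_t>(v >> (8 * i)));
    }
    void patchU32(size_t at, uint32_t v)
    {
        for (int i = 0; i < 4; ++i)
            m_bytes[at + i] = static_cast<uint8_t>(v >> (8 * i));
    }
    uint32_t readU32(size_t at) const
    {
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i)
            v |= static_cast<uint32_t>(m_bytes[at + i]) << (8 * i);
        return v;
    }

    std::vector<uint8_t> m_bytes;      // the whole cache, global block first
    std::vector<size_t> m_offsetSlots; // byte position of each owner's codeBlockOffset field
};
```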
2818
2819 2019-04-10  Michael Catanzaro  <mcatanzaro@igalia.com>
2820
2821         Unreviewed, rolling out r243989.
2822
2823         Broke i686 builds
2824
2825         Reverted changeset:
2826
2827         "[CMake] Detect SSE2 at compile time"
2828         https://bugs.webkit.org/show_bug.cgi?id=196488
2829         https://trac.webkit.org/changeset/243989
2830
2831 2019-04-10  Robin Morisset  <rmorisset@apple.com>
2832
2833         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
2834         https://bugs.webkit.org/show_bug.cgi?id=196746
2835
2836         Reviewed by Yusuke Suzuki.
2837
2838         It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.
2839
2840         * runtime/ObjectConstructor.cpp:
2841         (JSC::defineProperties):
2842
2843 2019-04-10  Antoine Quint  <graouts@apple.com>
2844
2845         Enable Pointer Events on watchOS
2846         https://bugs.webkit.org/show_bug.cgi?id=196771
2847         <rdar://problem/49040909>
2848
2849         Reviewed by Dean Jackson.
2850
2851         * Configurations/FeatureDefines.xcconfig:
2852
2853 2019-04-09  Keith Rollin  <krollin@apple.com>
2854
2855         Unreviewed build maintenance -- update .xcfilelists.
2856
2857         * DerivedSources-input.xcfilelist:
2858
2859 2019-04-09  Ross Kirsling  <ross.kirsling@sony.com>
2860
2861         JSC should build successfully even with -DENABLE_UNIFIED_BUILDS=OFF
2862         https://bugs.webkit.org/show_bug.cgi?id=193073
2863
2864         Reviewed by Keith Miller.
2865
2866         * bytecompiler/BytecodeGenerator.cpp:
2867         (JSC::BytecodeGenerator::emitEqualityOpImpl):
2868         (JSC::BytecodeGenerator::emitEqualityOp): Deleted.
2869         * bytecompiler/BytecodeGenerator.h:
2870         (JSC::BytecodeGenerator::emitEqualityOp):
2871         Factor out the logic that uses the template parameter and keep it in the header.
2872
2873         * jit/JITPropertyAccess.cpp:
2874         List off the template specializations needed by JITOperations.cpp.
2875         This is unfortunate but at least there are only two (x2) by definition?
2876         Trying to do away with this incurs a severe domino effect...
2877
2878         * API/JSValueRef.cpp:
2879         * b3/B3OptimizeAssociativeExpressionTrees.cpp:
2880         * b3/air/AirHandleCalleeSaves.cpp:
2881         * builtins/BuiltinNames.cpp:
2882         * bytecode/AccessCase.cpp:
2883         * bytecode/BytecodeIntrinsicRegistry.cpp:
2884         * bytecode/BytecodeIntrinsicRegistry.h:
2885         * bytecode/BytecodeRewriter.cpp:
2886         * bytecode/BytecodeUseDef.h:
2887         * bytecode/CodeBlock.cpp:
2888         * bytecode/InstanceOfAccessCase.cpp:
2889         * bytecode/MetadataTable.cpp:
2890         * bytecode/PolyProtoAccessChain.cpp:
2891         * bytecode/StructureSet.cpp:
2892         * bytecompiler/NodesCodegen.cpp:
2893         * dfg/DFGCFAPhase.cpp:
2894         * dfg/DFGPureValue.cpp:
2895         * heap/GCSegmentedArray.h:
2896         * heap/HeapInlines.h:
2897         * heap/IsoSubspace.cpp:
2898         * heap/LocalAllocator.cpp:
2899         * heap/LocalAllocator.h:
2900         * heap/LocalAllocatorInlines.h:
2901         * heap/MarkingConstraintSolver.cpp:
2902         * inspector/ScriptArguments.cpp:
2903         (Inspector::ScriptArguments::isEqual const):
2904         * inspector/ScriptCallStackFactory.cpp:
2905         * interpreter/CallFrame.h:
2906         * interpreter/Interpreter.cpp:
2907         * interpreter/StackVisitor.cpp:
2908         * llint/LLIntEntrypoint.cpp:
2909         * runtime/ArrayIteratorPrototype.cpp:
2910         * runtime/BigIntPrototype.cpp:
2911         * runtime/CachedTypes.cpp:
2912         * runtime/ErrorType.cpp:
2913         * runtime/IndexingType.cpp:
2914         * runtime/JSCellInlines.h:
2915         * runtime/JSImmutableButterfly.h:
2916         * runtime/Operations.h:
2917         * runtime/RegExpCachedResult.cpp:
2918         * runtime/RegExpConstructor.cpp:
2919         * runtime/RegExpGlobalData.cpp:
2920         * runtime/StackFrame.h:
2921         * wasm/WasmSignature.cpp:
2922         * wasm/js/JSToWasm.cpp:
2923         * wasm/js/JSToWasmICCallee.cpp:
2924         * wasm/js/WebAssemblyFunction.h:
2925         Fix includes / forward declarations (and a couple of nearby clang warnings).
2926
2927 2019-04-09  Don Olmstead  <don.olmstead@sony.com>
2928
2929         [CMake] Apple builds should use ICU_INCLUDE_DIRS
2930         https://bugs.webkit.org/show_bug.cgi?id=196720
2931
2932         Reviewed by Konstantin Tokarev.
2933
2934         * PlatformMac.cmake:
2935
2936 2019-04-09  Saam Barati  <sbarati@apple.com>
2937
2938         Clean up Int52 code and some bugs in it
2939         https://bugs.webkit.org/show_bug.cgi?id=196639
2940         <rdar://problem/49515757>
2941
2942         Reviewed by Yusuke Suzuki.
2943
2944         This patch fixes bugs in our Int52 code. The primary change in this patch is
2945         adopting a segregated type lattice for Int52. Previously, for Int52 values,
2946         we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
2947         SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
2948         that the value is outside of the int32 range.
2949         
2950         However, this got confusing because we reused SpecInt32Only both for JSValue
2951         representations and Int52 representations. This actually led to some bugs.
2952         
2953         1. It's possible that roundtripping through Int52 representation would say
2954         it produces the wrong type. For example, consider this program and how we
2955         used to annotate types in AI:
2956         a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
2957         b: Int52Rep(@a) => m_type is SpecInt52Only
2958         c: ValueRep(@b) => m_type is SpecAnyIntAsDouble
2959         
2960         In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
2961         However, the execution semantics are such that it'd actually produce a boxed
2962         Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
2963         would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
2964         mean an int value in either int32 or int52 range.
2965         
2966         2. AbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it
2967         accepted Int52 values. It was wrong in two different ways:
2968         a: If the AbstractValue's type was SpecInt52Only, and the incoming value
2969         was a boxed double, but represented a value in int32 range, the incoming
2970         value would incorrectly validate as being acceptable. However, we should
2971         have rejected this value.
2972         b: If the AbstractValue's type was SpecInt32Only, and the incoming value
2973         was an Int32 boxed in a double, this would not validate, even though
2974         it should have validated.
2975         
2976         Solving 2 was easiest if we segregated out the Int52 type into its own
2977         lattice. This patch makes a new Int52 lattice, which is composed of
2978         SpecInt32AsInt52 and SpecNonInt32AsInt52.
2979         
2980         The conversion rules are now really simple.
2981         
2982         Int52 rep => JSValue rep
2983         SpecInt32AsInt52 => SpecInt32Only
2984         SpecNonInt32AsInt52 => SpecAnyIntAsDouble
2985         
2986         JSValue rep => Int52 rep
2987         SpecInt32Only => SpecInt32AsInt52
2988         SpecAnyIntAsDouble => SpecInt52Any
2989         
2990         With these rules, the program in (1) will now correctly report that @c
2991         returns SpecInt32Only | SpecAnyIntAsDouble.
2992
2993         * bytecode/SpeculatedType.cpp:
2994         (JSC::dumpSpeculation):
2995         (JSC::speculationToAbbreviatedString):
2996         (JSC::int52AwareSpeculationFromValue):
2997         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
2998         (JSC::speculationFromString):
2999         * bytecode/SpeculatedType.h:
3000         (JSC::isInt32SpeculationForArithmetic):
3001         (JSC::isInt32OrBooleanSpeculationForArithmetic):
3002         (JSC::isAnyInt52Speculation):
3003         (JSC::isIntAnyFormat):
3004         (JSC::isInt52Speculation): Deleted.
3005         (JSC::isAnyIntSpeculation): Deleted.
3006         * dfg/DFGAbstractInterpreterInlines.h:
3007         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3008         * dfg/DFGAbstractValue.cpp:
3009         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
3010         (JSC::DFG::AbstractValue::checkConsistency const):
3011         * dfg/DFGAbstractValue.h:
3012         (JSC::DFG::AbstractValue::isInt52Any const):
3013         (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
3014         * dfg/DFGFixupPhase.cpp:
3015         (JSC::DFG::FixupPhase::fixupArithMul):
3016         (JSC::DFG::FixupPhase::fixupNode):
3017         (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
3018         (JSC::DFG::FixupPhase::fixupToThis):
3019         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
3020         (JSC::DFG::FixupPhase::observeUseKindOnNode):
3021         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
3022         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
3023         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
3024         (JSC::DFG::FixupPhase::fixupChecksInBlock):
3025         * dfg/DFGGraph.h:
3026         (JSC::DFG::Graph::addShouldSpeculateInt52):
3027         (JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
3028         (JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
3029         (JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
3030         (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
3031         (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.
3032         * dfg/DFGNode.h:
3033         (JSC::DFG::Node::shouldSpeculateInt52):
3034         (JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.
3035         * dfg/DFGPredictionPropagationPhase.cpp:
3036         * dfg/DFGSpeculativeJIT.cpp:
3037         (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
3038         (JSC::DFG::SpeculativeJIT::compileArithAdd):
3039         (JSC::DFG::SpeculativeJIT::compileArithSub):
3040         (JSC::DFG::SpeculativeJIT::compileArithNegate):
3041         * dfg/DFGSpeculativeJIT64.cpp:
3042         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3043         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3044         * dfg/DFGUseKind.h:
3045         (JSC::DFG::typeFilterFor):
3046         * dfg/DFGVariableAccessData.cpp:
3047         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
3048         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
3049         * ftl/FTLLowerDFGToB3.cpp:
3050         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
3051         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
3052         (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):
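
The conversion rules and the two validation cases from the entry above, as an added model that is not JSC's code: the SpecXxx names are the entry's, but the bit values, the BoxedValue struct and the assumed Int52 range of [-2^51, 2^51 - 1] are this example's own.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Constructed model of the type bits named in the entry. The bit values are arbitrary
// and are not JSC's real SpeculatedType constants.
using SpeculatedType = uint32_t;
constexpr SpeculatedType SpecNone            = 0;
constexpr SpeculatedType SpecInt32Only       = 1u << 0; // JSValue rep: boxed int32
constexpr SpeculatedType SpecAnyIntAsDouble  = 1u << 1; // JSValue rep: integral double, int32 or int52 range
constexpr SpeculatedType SpecInt32AsInt52    = 1u << 2; // Int52 rep: value fits in int32
constexpr SpeculatedType SpecNonInt32AsInt52 = 1u << 3; // Int52 rep: value outside int32 range
constexpr SpeculatedType SpecInt52Any        = SpecInt32AsInt52 | SpecNonInt32AsInt52;
constexpr SpeculatedType SpecInt52Only       = 1u << 4; // the pre-patch Int52 bit, kept only for contrast

// New rules, JSValue rep => Int52 rep (the type Int52Rep produces).
SpeculatedType int52RepFromJSValueRep(SpeculatedType t)
{
    SpeculatedType result = SpecNone;
    if (t & SpecInt32Only)
        result |= SpecInt32AsInt52;
    if (t & SpecAnyIntAsDouble)
        result |= SpecInt52Any; // an integral double may be in either range
    return result;
}

// New rules, Int52 rep => JSValue rep (the type ValueRep produces).
SpeculatedType jsValueRepFromInt52Rep(SpeculatedType t)
{
    SpeculatedType result = SpecNone;
    if (t & SpecInt32AsInt52)
        result |= SpecInt32Only;
    if (t & SpecNonInt32AsInt52)
        result |= SpecAnyIntAsDouble;
    return result;
}

// The program from point (1): a = JSConstant(10.0), b = Int52Rep(@a), c = ValueRep(@b).
SpeculatedType roundTripThroughInt52(SpeculatedType constantType)
{
    return jsValueRepFromInt52Rep(int52RepFromJSValueRep(constantType));
}

// The old rules as the entry describes them: Int52Rep over SpecAnyIntAsDouble gave
// SpecInt52Only, which ValueRep mapped back to SpecAnyIntAsDouble alone, so the
// possibility of a boxed Int32 was lost.
SpeculatedType oldRoundTripThroughInt52(SpeculatedType constantType)
{
    SpeculatedType b = SpecNone;
    if (constantType & SpecInt32Only)
        b |= SpecInt32Only; // SpecInt32Only was reused to mean "in int32 range"
    if (constantType & SpecAnyIntAsDouble)
        b |= SpecInt52Only;
    SpeculatedType c = SpecNone;
    if (b & SpecInt32Only)
        c |= SpecInt32Only;
    if (b & SpecInt52Only)
        c |= SpecAnyIntAsDouble;
    return c;
}

// A boxed JSValue as seen by validateTypeAcceptingBoxedInt52: either an int32 or a double.
struct BoxedValue {
    bool isInt32;
    int32_t asInt32;
    double asDouble;
    static BoxedValue fromInt32(int32_t i) { return { true, i, 0.0 }; }
    static BoxedValue fromDouble(double d) { return { false, 0, d }; }
};

// Assumed Int52 range [-2^51, 2^51 - 1]; -0.0 and NaN are doubles, not integers.
bool isIntegralInInt52Range(double d)
{
    if (std::trunc(d) != d || (d == 0.0 && std::signbit(d)))
        return false;
    return d >= -2251799813685248.0 && d <= 2251799813685247.0;
}

bool isInt32Range(double d)
{
    return d >= std::numeric_limits<int32_t>::min() && d <= std::numeric_limits<int32_t>::max();
}

// Validation against an AbstractValue typed in the Int52 lattice. Both cases from point (2)
// fall out of one range check: an int32-range value, however it is boxed, is accepted only
// by SpecInt32AsInt52, and a value outside int32 range only by SpecNonInt32AsInt52.
bool validateTypeAcceptingBoxedInt52(SpeculatedType int52Type, const BoxedValue& value)
{
    if (value.isInt32)
        return (int52Type & SpecInt32AsInt52) != 0;
    double d = value.asDouble;
    if (!isIntegralInInt52Range(d))
        return false;
    if (isInt32Range(d))
        return (int52Type & SpecInt32AsInt52) != 0;
    return (int52Type & SpecNonInt32AsInt52) != 0;
}
```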
3053
3054 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
3055
3056         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
3057         https://bugs.webkit.org/show_bug.cgi?id=196708
3058         <rdar://problem/49556803>
3059
3060         Reviewed by Yusuke Suzuki.
3061
3062         `operationPutToScope` needs to return early if an exception is thrown while
3063         checking if `hasProperty`.
3064
3065         * jit/JITOperations.cpp:
3066
3067 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3068
3069         [JSC] DFG should respect node's strict flag
3070         https://bugs.webkit.org/show_bug.cgi?id=196617
3071
3072         Reviewed by Saam Barati.
3073
3074         We accidentally use codeBlock->isStrictMode() directly in DFG and FTL. But this is wrong since this CodeBlock is the top level DFG/FTL CodeBlock,
3075         and this code does not respect the isStrictMode flag for the inlined CodeBlocks. In this patch, we start using isStrictModeFor(CodeOrigin) consistently
3076         in DFG and FTL to get the right isStrictMode flag for the DFG node.
3077         And we also split compilePutDynamicVar into compilePutDynamicVarStrict and compilePutDynamicVarNonStrict since (1) it is cleaner than accessing inlined
3078         callframe in the operation function, and (2) it is aligned to the other functions like operationPutByValDirectNonStrict etc.
3079         This bug was discovered by RandomizingFuzzerAgent by expanding the DFG coverage.
3080
3081         * dfg/DFGAbstractInterpreterInlines.h:
3082         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3083         * dfg/DFGConstantFoldingPhase.cpp:
3084         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3085         * dfg/DFGFixupPhase.cpp:
3086         (JSC::DFG::FixupPhase::fixupToThis):
3087         * dfg/DFGOperations.cpp:
3088         * dfg/DFGOperations.h:
3089         * dfg/DFGPredictionPropagationPhase.cpp:
3090         * dfg/DFGSpeculativeJIT.cpp:
3091         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
3092         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3093         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
3094         (JSC::DFG::SpeculativeJIT::compileToThis):
3095         * dfg/DFGSpeculativeJIT32_64.cpp:
3096         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
3097         (JSC::DFG::SpeculativeJIT::compile):
3098         * dfg/DFGSpeculativeJIT64.cpp:
3099         (JSC::DFG::SpeculativeJIT::compile):
3100         * ftl/FTLLowerDFGToB3.cpp:
3101         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
3102         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
3103
3104 2019-04-08  Don Olmstead  <don.olmstead@sony.com>
3105
3106         [CMake][WinCairo] Separate copied headers into different directories
3107         https://bugs.webkit.org/show_bug.cgi?id=196655
3108
3109         Reviewed by Michael Catanzaro.
3110
3111         * CMakeLists.txt:
3112         * shell/PlatformWin.cmake:
3113
3114 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3115
3116         [JSC] isRope jump in StringSlice should not jump over register allocations
3117         https://bugs.webkit.org/show_bug.cgi?id=196716
3118
3119         Reviewed by Saam Barati.
3120
3121         Jumping over the register allocation code in DFG (like the following) is wrong.
3122
3123             auto jump = m_jit.branchXXX();
3124             {
3125                 GPRTemporary reg(this);
3126                 GPRReg regGPR = reg.gpr();
3127                 ...
3128             }
3129             jump.link(&m_jit);
3130
3131         When GPRTemporary::gpr allocates a new register, it can flush the previous register value into the stack and make the register usable.
3132         Jumping over this register allocation code skips the flushing code, and makes the DFG's stack and register content tracking inconsistent:
3133         DFG thinks that the content is flushed and stored in a particular stack slot even while this flushing code is skipped.
3134         In this patch, we perform register allocations before jumping to the slow path based on `isRope` condition in StringSlice.
3135
3136         * dfg/DFGSpeculativeJIT.cpp:
3137         (JSC::DFG::SpeculativeJIT::compileStringSlice):
3138
3139 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3140
3141         [JSC] to_index_string should not assume incoming value is Uint32
3142         https://bugs.webkit.org/show_bug.cgi?id=196713
3143
3144         Reviewed by Saam Barati.
3145
3146         The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
3147         this assumption since DFG may decide it should be in double format. This patch removes this
3148         assumption; instead, we should assume that the incoming value is AnyInt and that its value
3149         is within the Uint32 range.
3150
3151         * runtime/CommonSlowPaths.cpp:
3152         (JSC::SLOW_PATH_DECL):
3153
3154 2019-04-08  Justin Fan  <justin_fan@apple.com>
3155
3156         [Web GPU] Fix Web GPU experimental feature on iOS
3157         https://bugs.webkit.org/show_bug.cgi?id=196632
3158
3159         Reviewed by Myles C. Maxfield.
3160
3161         Properly make Web GPU available on iOS 11+.
3162
3163         * Configurations/FeatureDefines.xcconfig:
3164         * Configurations/WebKitTargetConditionals.xcconfig:
3165
3166 2019-04-08  Ross Kirsling  <ross.kirsling@sony.com>
3167
3168         -f[no-]var-tracking-assignments is GCC-only
3169         https://bugs.webkit.org/show_bug.cgi?id=196699
3170
3171         Reviewed by Don Olmstead.
3172
3173         * CMakeLists.txt:
3174         Just remove the build flag altogether -- it supposedly doesn't solve the problem it was meant to
3175         and said problem evidently no longer occurs as of GCC 9.
3176
3177 2019-04-08  Saam Barati  <sbarati@apple.com>
3178
3179         WebAssembly.RuntimeError missing exception check
3180         https://bugs.webkit.org/show_bug.cgi?id=196700
3181         <rdar://problem/49693932>
3182
3183         Reviewed by Yusuke Suzuki.
3184
3185         * wasm/js/JSWebAssemblyRuntimeError.h:
3186         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3187         (JSC::constructJSWebAssemblyRuntimeError):
3188
3189 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3190
3191         Unreviewed, rolling in r243948 with test fix
3192         https://bugs.webkit.org/show_bug.cgi?id=196486
3193
3194         * parser/ASTBuilder.h:
3195         (JSC::ASTBuilder::createString):
3196         * parser/Lexer.cpp:
3197         (JSC::Lexer<T>::parseMultilineComment):
3198         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
3199         (JSC::Lexer<T>::lex): Deleted.
3200         * parser/Lexer.h:
3201         (JSC::Lexer::hasLineTerminatorBeforeToken const):
3202         (JSC::Lexer::setHasLineTerminatorBeforeToken):
3203         (JSC::Lexer<T>::lex):
3204         (JSC::Lexer::prevTerminator const): Deleted.
3205         (JSC::Lexer::setTerminator): Deleted.
3206         * parser/Parser.cpp:
3207         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
3208         (JSC::Parser<LexerType>::parseSingleFunction):
3209         (JSC::Parser<LexerType>::parseStatementListItem):
3210         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
3211         (JSC::Parser<LexerType>::parseFunctionInfo):
3212         (JSC::Parser<LexerType>::parseClass):
3213         (JSC::Parser<LexerType>::parseExportDeclaration):
3214         (JSC::Parser<LexerType>::parseAssignmentExpression):
3215         (JSC::Parser<LexerType>::parseYieldExpression):
3216         (JSC::Parser<LexerType>::parseProperty):
3217         (JSC::Parser<LexerType>::parsePrimaryExpression):
3218         (JSC::Parser<LexerType>::parseMemberExpression):
3219         * parser/Parser.h:
3220         (JSC::Parser::nextWithoutClearingLineTerminator):
3221         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
3222         (JSC::Parser::internalSaveLexerState):
3223         (JSC::Parser::restoreLexerState):
3224
3225 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
3226
3227         Unreviewed, rolling out r243948.
3228
3229         Caused inspector/runtime/parse.html to fail
3230
3231         Reverted changeset:
3232
3233         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
3234         https://bugs.webkit.org/show_bug.cgi?id=196486
3235         https://trac.webkit.org/changeset/243948
3236
3237 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
3238
3239         Unreviewed, rolling out r243943.
3240
3241         Caused test262 failures.
3242
3243         Reverted changeset:
3244
3245         "[JSC] Filter DontEnum properties in
3246         ProxyObject::getOwnPropertyNames()"
3247         https://bugs.webkit.org/show_bug.cgi?id=176810
3248         https://trac.webkit.org/changeset/243943
3249
3250 2019-04-08  Claudio Saavedra  <csaavedra@igalia.com>
3251
3252         [JSC] Partially fix the build with unified builds disabled
3253         https://bugs.webkit.org/show_bug.cgi?id=196647
3254
3255         Reviewed by Konstantin Tokarev.
3256
3257         If you disable unified builds you find all kinds of build
3258         errors. This partially tries to fix them but there's a lot
3259         more.
3260
3261         * API/JSBaseInternal.h:
3262         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
3263         * b3/air/AirHandleCalleeSaves.h:
3264         * bytecode/ExecutableToCodeBlockEdge.cpp:
3265         * bytecode/ExitFlag.h:
3266         * bytecode/ICStatusUtils.h:
3267         * bytecode/UnlinkedMetadataTable.h:
3268         * dfg/DFGPureValue.h:
3269         * heap/IsoAlignedMemoryAllocator.cpp:
3270         * heap/IsoAlignedMemoryAllocator.h:
3271
3272 2019-04-08  Guillaume Emont  <guijemont@igalia.com>
3273
3274         Enable DFG on MIPS
3275         https://bugs.webkit.org/show_bug.cgi?id=196689
3276
3277         Reviewed by Žan Doberšek.
3278
3279         Since the bytecode change, we enabled the baseline JIT on mips in
3280         r240432, but DFG is still missing. With this change, all tests are
3281         passing on a ci20 board.
3282
3283         * jit/RegisterSet.cpp:
3284         (JSC::RegisterSet::calleeSaveRegisters):
3285         Added s0, which is used in llint.
3286
3287 2019-04-08  Xan Lopez  <xan@igalia.com>
3288
3289         [CMake] Detect SSE2 at compile time
3290         https://bugs.webkit.org/show_bug.cgi?id=196488
3291
3292         Reviewed by Carlos Garcia Campos.
3293
3294         * assembler/MacroAssemblerX86Common.cpp: Remove unnecessary (and
3295         incorrect) static_assert.
3296
3297 2019-04-07  Michael Saboff  <msaboff@apple.com>
3298
3299         REGRESSION (r243642): Crash in reddit.com page
3300         https://bugs.webkit.org/show_bug.cgi?id=196684
3301
3302         Reviewed by Geoffrey Garen.
3303
3304         In r243642, the code that saves and restores the count for non-greedy character classes
3305         was inadvertently put inside an if statement.  This code should be generated for all
3306         non-greedy character classes.
3307
3308         * yarr/YarrJIT.cpp:
3309         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
3310         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
3311
3312 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
3313
3314         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
3315         https://bugs.webkit.org/show_bug.cgi?id=196683
3316
3317         Reviewed by Saam Barati.
3318
3319         In r243626, we stop repatching CallLinkInfo when the CallLinkInfo is held by a jettisoned CodeBlock.
3320         But we still need to clear the Callee or CodeBlock since they are now dead. Otherwise, CodeBlock's
3321         visitWeak eventually accesses these dead cells and crashes because the owner CodeBlock of CallLinkInfo
3322         can still be live.
3323
3324         We also move all repatching operations from CallLinkInfo.cpp to Repatch.cpp for consistency because the
3325         other repatching operations in CallLinkInfo are implemented in Repatch.cpp side.
3326
3327         * bytecode/CallLinkInfo.cpp:
3328         (JSC::CallLinkInfo::setCallee):
3329         (JSC::CallLinkInfo::clearCallee):
3330         * jit/Repatch.cpp:
3331         (JSC::linkFor):
3332         (JSC::revertCall):
3333
3334 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
3335
3336         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
3337         https://bugs.webkit.org/show_bug.cgi?id=196582
3338
3339         Reviewed by Saam Barati.
3340
3341         In DFG, our ArithAdd with overflow is executed speculatively, and we recover the value when the overflow flag is set.
3342         The recovery is subtracting the operand from the destination to get the original two operands. Our recovery code
3343         handles the A + B = A and A + B = B cases. But it misses the A + A = A case (here, A and B are GPRReg). Our recovery code
3344         attempts to produce the original operand by performing A - A, and it always produces zero accidentally.
3345
3346         This patch adds the recovery code for the A + A = A case. Because we know that this ArithAdd overflows, and the operands were
3347         the same values, we can calculate the original operand from the destination value by `((int32_t)value >> 1) ^ 0x80000000`.
3348
3349         We also found that FTL recovery code is dead. We remove them in this patch.
3350
3351         * dfg/DFGOSRExit.cpp:
3352         (JSC::DFG::OSRExit::executeOSRExit):
3353         (JSC::DFG::OSRExit::compileExit):
3354         * dfg/DFGOSRExit.h:
3355         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
3356         * dfg/DFGSpeculativeJIT.cpp:
3357         (JSC::DFG::SpeculativeJIT::compileArithAdd):
3358         * ftl/FTLExitValue.cpp:
3359         (JSC::FTL::ExitValue::dataFormat const):
3360         (JSC::FTL::ExitValue::dumpInContext const):
3361         * ftl/FTLExitValue.h:
3362         (JSC::FTL::ExitValue::isArgument const):
3363         (JSC::FTL::ExitValue::hasIndexInStackmapLocations const):
3364         (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset):
3365         (JSC::FTL::ExitValue::recovery): Deleted.
3366         (JSC::FTL::ExitValue::isRecovery const): Deleted.
3367         (JSC::FTL::ExitValue::leftRecoveryArgument const): Deleted.
3368         (JSC::FTL::ExitValue::rightRecoveryArgument const): Deleted.
3369         (JSC::FTL::ExitValue::recoveryFormat const): Deleted.
3370         (JSC::FTL::ExitValue::recoveryOpcode const): Deleted.
3371         * ftl/FTLLowerDFGToB3.cpp:
3372         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3373         (JSC::FTL::DFG::LowerDFGToB3::preparePatchpointForExceptions):
3374         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
3375         (JSC::FTL::DFG::LowerDFGToB3::exitValueForNode):
3376         (JSC::FTL::DFG::LowerDFGToB3::addAvailableRecovery): Deleted.
3377         * ftl/FTLOSRExitCompiler.cpp:
3378         (JSC::FTL::compileRecovery):
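
        Added example (C++, not JavaScriptCore's own code; all function names are hypothetical): it models the
        speculative 32-bit add and the recovery patterns named above, including why the subtraction trick
        degenerates to zero for A + A = A and why the shift-and-XOR formula from the entry restores the operand.
        It also covers the general A + B = A pattern, of which the entry describes one instance.

```cpp
#include <cstdint>
#include <cstdio>

// Added example (not JavaScriptCore code): the DFG emits a plain 32-bit add
// and only takes an OSR exit when the CPU overflow flag is set. At that
// point the destination register has already been clobbered with the
// wrapped sum, and the exit must rebuild the original operands. Which
// register was overwritten decides the recovery pattern.

// Wrapping 32-bit add; returns true when signed overflow occurred, which is
// the condition under which the speculation fails and the exit is taken.
static bool speculativeAdd(int32_t a, int32_t b, int32_t& dest)
{
    int64_t wide = static_cast<int64_t>(a) + static_cast<int64_t>(b);
    dest = static_cast<int32_t>(static_cast<uint32_t>(wide)); // two's-complement wrap
    return wide != static_cast<int64_t>(dest);
}

// Pattern "A + B = A": the destination aliased the left operand, so the
// original A is recovered by undoing the add with the surviving operand B.
// Pattern "A + B = B" is the mirror image with the roles swapped.
static int32_t recoverAliasedOperand(int32_t dest, int32_t survivingOperand)
{
    return static_cast<int32_t>(static_cast<uint32_t>(dest) - static_cast<uint32_t>(survivingOperand));
}

// Pattern "A + A = A": both operands were the same register, so nothing
// survives and the subtraction above degenerates to dest - dest == 0.
// Because the add overflowed, the true sum 2A lies outside the int32 range,
// so the wrapped value's sign bit is the inverse of A's sign bit. An
// arithmetic shift halves the wrapped sum and the XOR restores the sign.
static int32_t recoverDoubledOperand(int32_t dest)
{
    // Relies on arithmetic right shift of negative int32 (guaranteed since
    // C++20 and the behaviour of every mainstream compiler before that).
    return static_cast<int32_t>((dest >> 1) ^ 0x80000000u);
}

// True when either no exit would be taken (no overflow) or the A + A = A
// recovery reproduces the original operand.
static bool doubledRecoveryRoundTrips(int32_t a)
{
    int32_t dest;
    if (!speculativeAdd(a, a, dest))
        return true;
    return recoverDoubledOperand(dest) == a;
}

// Same check for the A + B = A pattern with distinct registers.
static bool aliasedRecoveryRoundTrips(int32_t a, int32_t b)
{
    int32_t dest;
    if (!speculativeAdd(a, b, dest))
        return true;
    return recoverAliasedOperand(dest, b) == a;
}

int main()
{
    const int32_t samples[] = { 1, INT32_MAX, INT32_MIN, 0x40000000, -0x40000001 };
    for (int32_t a : samples) {
        int32_t dest;
        bool overflowed = speculativeAdd(a, a, dest);
        std::printf("a=%d overflow=%d naive(dest-dest)=%d recovered=%d\n", a, overflowed,
            recoverAliasedOperand(dest, dest), overflowed ? recoverDoubledOperand(dest) : a);
    }
    return 0;
}
```

        The naive column is always 0 whenever the two source registers coincide, which is exactly the
        symptom the entry describes; the recovered column matches the input for every overflowing sample.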
3379
3380 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
3381
3382         Unreviewed, rolling out r243665.
3383
3384         Caused iOS JSC tests to exit with an exception.
3385
3386         Reverted changeset:
3387
3388         "Assertion failed in JSC::createError"
3389         https://bugs.webkit.org/show_bug.cgi?id=196305
3390         https://trac.webkit.org/changeset/243665
3391
3392 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
3393
3394         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
3395         https://bugs.webkit.org/show_bug.cgi?id=196486
3396
3397         Reviewed by Saam Barati.
3398
3399         When parsing a FunctionExpression / FunctionDeclaration etc., we use SyntaxChecker for the body of the function because we do not have any interest in the nodes of the body at that time.
3400         The nodes will be parsed with the ASTBuilder when the function itself is parsed for code generation. This worked well previously because all functions ended with "}".
3401         SyntaxChecker lexes this "}" token, and the parser restores the context back to ASTBuilder and continues parsing.
3402
3403         But now, we have ArrowFunctionExpression without braces `arrow => expr`. Let's consider the following code.
3404
3405                 arrow => expr
3406                 "string!"
3407
3408         We parse the arrow function's body with SyntaxChecker. At that time, we lex the "string!" token under the SyntaxChecker context. But this means that we may not build string content for this token
3409         since SyntaxChecker may not have interest in string content itself in certain cases. After the parser is back to ASTBuilder, we parse "string!" as an ExpressionStatement with a string constant,
3410         generate a StringNode with a non-built identifier (nullptr), and we accidentally create a StringNode with nullptr.
3411
3412         This patch fixes this problem. The root cause of this problem is that the last token lexed in the previous context is used. We add lexCurrentTokenAgainUnderCurrentContext which will re-lex
3413         the current token under the current context (may be ASTBuilder). This should be done only when the caller's context is different from SyntaxChecker, which avoids unnecessary lexing.
3414         We leverage existing SavePoint mechanism to implement lexCurrentTokenAgainUnderCurrentContext cleanly.
3415
3416         And we also fix the bug in the existing SavePoint mechanism, which is shown in the attached test script. When we save LexerState, we do not save line terminator status. This patch also introduces
3417         lexWithoutClearingLineTerminator, which lexes the token without clearing line terminator status.
3418
3419         * parser/ASTBuilder.h:
3420         (JSC::ASTBuilder::createString):
3421         * parser/Lexer.cpp:
3422         (JSC::Lexer<T>::parseMultilineComment):
3423         (JSC::Lexer<T>::lexWithoutClearingLineTerminator): EOF token also should record offset information. This offset information is correctly handled in Lexer::setOffset too.
3424         (JSC::Lexer<T>::lex): Deleted.
3425         * parser/Lexer.h:
3426         (JSC::Lexer::hasLineTerminatorBeforeToken const):
3427         (JSC::Lexer::setHasLineTerminatorBeforeToken):
3428         (JSC::Lexer<T>::lex):
3429         (JSC::Lexer::prevTerminator const): Deleted.
3430         (JSC::Lexer::setTerminator): Deleted.
3431         * parser/Parser.cpp:
3432         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
3433         (JSC::Parser<LexerType>::parseSingleFunction):
3434         (JSC::Parser<LexerType>::parseStatementListItem):
3435         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
3436         (JSC::Parser<LexerType>::parseFunctionInfo):
3437         (JSC::Parser<LexerType>::parseClass):
3438         (JSC::Parser<LexerType>::parseExportDeclaration):
3439         (JSC::Parser<LexerType>::parseAssignmentExpression):
3440         (JSC::Parser<LexerType>::parseYieldExpression):
3441         (JSC::Parser<LexerType>::parseProperty):
3442         (JSC::Parser<LexerType>::parsePrimaryExpression):
3443         (JSC::Parser<LexerType>::parseMemberExpression):
3444         * parser/Parser.h:
3445         (JSC::Parser::nextWithoutClearingLineTerminator):
3446         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
3447         (JSC::Parser::internalSaveLexerState):
3448         (JSC::Parser::restoreLexerState):
3449
3450 2019-04-05  Caitlin Potter  <caitp@igalia.com>
3451
3452         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3453         https://bugs.webkit.org/show_bug.cgi?id=176810
3454
3455         Reviewed by Saam Barati.
3456
3457         This adds conditional logic following the invariant checks, to perform
3458         filtering in common uses of getOwnPropertyNames.
3459
3460         While this would ideally only be done in JSPropertyNameEnumerator, adding
3461         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
3462         invariant that the EnumerationMode is properly followed.
3463
3464         * runtime/PropertyNameArray.h:
3465         (JSC::PropertyNameArray::reset):
3466         * runtime/ProxyObject.cpp:
3467         (JSC::ProxyObject::performGetOwnPropertyNames):
3468
3469 2019-04-05  Commit Queue  <commit-queue@webkit.org>
3470
3471         Unreviewed, rolling out r243833.
3472         https://bugs.webkit.org/show_bug.cgi?id=196645
3473
3474         This change breaks the build of the WPE and GTK ports (Requested by
3475         annulen on #webkit).
3476
3477         Reverted changeset:
3478
3479         "[CMake][WTF] Mirror XCode header directories"
3480         https://bugs.webkit.org/show_bug.cgi?id=191662
3481         https://trac.webkit.org/changeset/243833
3482
3483 2019-04-05  Caitlin Potter  <caitp@igalia.com>
3484
3485         [JSC] throw if ownKeys Proxy trap result contains duplicate keys
3486         https://bugs.webkit.org/show_bug.cgi?id=185211
3487
3488         Reviewed by Saam Barati.
3489
3490         Implements the normative spec change in https://github.com/tc39/ecma262/pull/833
3491
3492         This involves tracking duplicate keys returned from the ownKeys trap in yet
3493         another HashTable, and may incur a minor performance penalty in some cases. This
3494         is not expected to significantly affect web performance.
3495
3496         * runtime/ProxyObject.cpp:
3497         (JSC::ProxyObject::performGetOwnPropertyNames):
3498
3499 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
3500
3501         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
3502         https://bugs.webkit.org/show_bug.cgi?id=196631
3503
3504         Reviewed by Saam Barati.
3505
3506         makeBoundFunction assumes that the "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
3507         DFG may store this value in Double format, so we should not rely on this value being Int32. This patch fixes the makeBoundFunction function to perform
3508         a toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
3509
3510         * JavaScriptCore.xcodeproj/project.pbxproj:
3511         * Sources.txt:
3512         * interpreter/CallFrameInlines.h:
3513         * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
3514         (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
3515         (JSC::DoublePredictionFuzzerAgent::getPrediction):
3516         * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
3517         * runtime/JSGlobalObject.cpp:
3518         (JSC::makeBoundFunction):
3519         * runtime/Options.h:
3520         * runtime/VM.cpp:
3521         (JSC::VM::VM):
3522
3523 2019-04-04  Robin Morisset  <rmorisset@apple.com>
3524
3525         B3ReduceStrength should know that Mul distributes over Add and Sub
3526         https://bugs.webkit.org/show_bug.cgi?id=196325
3527         <rdar://problem/49441650>
3528
3529         Reviewed by Saam Barati.
3530
3531         Fix some obviously wrong code that was due to an accidental copy-paste.
3532         It made the entire optimization dead code that never ran.
3533
3534         * b3/B3ReduceStrength.cpp:
3535
3536 2019-04-04  Saam Barati  <sbarati@apple.com>
3537
3538         Unreviewed, build fix for CLoop after r243886
3539
3540         * interpreter/Interpreter.cpp:
3541         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
3542         * interpreter/StackVisitor.cpp:
3543         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
3544         * interpreter/StackVisitor.h:
3545
3546 2019-04-04  Commit Queue  <commit-queue@webkit.org>
3547
3548         Unreviewed, rolling out r243898.
3549         https://bugs.webkit.org/show_bug.cgi?id=196624
3550
3551         `#if !ENABLE(C_LOOP) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0`
3552         does not work well (Requested by yusukesuzuki on #webkit).
3553
3554         Reverted changeset:
3555
3556         "Unreviewed, build fix for CLoop and Windows after r243886"
3557         https://bugs.webkit.org/show_bug.cgi?id=196387
3558         https://trac.webkit.org/changeset/243898
3559
3560 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
3561
3562         Unreviewed, build fix for CLoop and Windows after r243886
3563         https://bugs.webkit.org/show_bug.cgi?id=196387
3564
3565         RegisterAtOffsetList does not exist if ENABLE(ASSEMBLER) is false.
3566
3567         * interpreter/StackVisitor.cpp:
3568         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
3569         * interpreter/StackVisitor.h:
3570
3571 2019-04-04  Saam Barati  <sbarati@apple.com>
3572
3573         Teach Call ICs how to call Wasm
3574         https://bugs.webkit.org/show_bug.cgi?id=196387
3575
3576         Reviewed by Filip Pizlo.
3577
3578         This patch teaches JS to call Wasm without going through the native thunk.
3579         Currently, we emit a JIT "JS" callee stub which marshals arguments from
3580         JS to Wasm. Like the native version of this, this thunk is responsible
3581         for saving and restoring the VM's current Wasm context. Instead of emitting
3582         an exception handler, we also teach the unwinder how to read the previous
3583         wasm context to restore it as it unwinds past this frame.
3584         
3585         This patch is straight forward, and leaves some areas for perf improvement:
3586         - We can teach the DFG/FTL to directly use the Wasm calling convention when
3587           it knows it's calling a single Wasm function. This way we don't shuffle
3588           registers to the stack and then back into registers.
3589         - We bail out to the slow path for mismatched arity. I opened a bug to
3590           optimize arity check failures: https://bugs.webkit.org/show_bug.cgi?id=196564
3591         - We bail out to the slow path for Double JSValues flowing into i32 arguments.
3592           We should teach this thunk how to do that conversion directly.
3593         
3594         This patch also refactors the code to explicitly have a single pinned size register.
3595         We used to pretend in some places that we could have more than one pinned size register.
3596         However, there was other code that just asserted the size was one. This patch just rips
3597         out this code since we never moved to having more than one pinned size register. Doing
3598         this refactoring cleans up the various places where we set up the size register.
3599         
3600         This patch is a 50-60% progression on JetStream 2's richards-wasm.
3601
3602         * JavaScriptCore.xcodeproj/project.pbxproj:
3603         * Sources.txt:
3604         * assembler/MacroAssemblerCodeRef.h:
3605         (JSC::MacroAssemblerCodeRef::operator=):
3606         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
3607         * interpreter/Interpreter.cpp:
3608         (JSC::UnwindFunctor::operator() const):
3609         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
3610         * interpreter/StackVisitor.cpp:
3611         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
3612         (JSC::StackVisitor::Frame::calleeSaveRegisters): Deleted.
3613         * interpreter/StackVisitor.h:
3614         * jit/JITOperations.cpp:
3615         * jit/RegisterSet.cpp:
3616         (JSC::RegisterSet::runtimeTagRegisters):
3617         (JSC::RegisterSet::specialRegisters):
3618         (JSC::RegisterSet::runtimeRegisters): Deleted.
3619         * jit/RegisterSet.h:
3620         * jit/Repatch.cpp:
3621         (JSC::linkPolymorphicCall):
3622         * runtime/JSFunction.cpp:
3623         (JSC::getCalculatedDisplayName):
3624         * runtime/JSGlobalObject.cpp:
3625         (JSC::JSGlobalObject::init):
3626         (JSC::JSGlobalObject::visitChildren):
3627         * runtime/JSGlobalObject.h:
3628         (JSC::JSGlobalObject::jsToWasmICCalleeStructure const):
3629         * runtime/VM.cpp:
3630         (JSC::VM::VM):
3631         * runtime/VM.h:
3632         * wasm/WasmAirIRGenerator.cpp:
3633         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
3634         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
3635         (JSC::Wasm::AirIRGenerator::addCallIndirect):
3636         * wasm/WasmB3IRGenerator.cpp:
3637         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3638         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
3639         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3640         * wasm/WasmBinding.cpp:
3641         (JSC::Wasm::wasmToWasm):
3642         * wasm/WasmContext.h:
3643         (JSC::Wasm::Context::pointerToInstance):
3644         * wasm/WasmContextInlines.h:
3645         (JSC::Wasm::Context::store):
3646         * wasm/WasmMemoryInformation.cpp:
3647         (JSC::Wasm::getPinnedRegisters):
3648         (JSC::Wasm::PinnedRegisterInfo::get):
3649         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
3650         * wasm/WasmMemoryInformation.h:
3651         (JSC::Wasm::PinnedRegisterInfo::toSave const):
3652         * wasm/WasmOMGPlan.cpp:
3653         (JSC::Wasm::OMGPlan::work):
3654         * wasm/js/JSToWasm.cpp:
3655         (JSC::Wasm::createJSToWasmWrapper):
3656         * wasm/js/JSToWasmICCallee.cpp: Added.
3657         (JSC::JSToWasmICCallee::create):
3658         (JSC::JSToWasmICCallee::createStructure):
3659         (JSC::JSToWasmICCallee::visitChildren):
3660         * wasm/js/JSToWasmICCallee.h: Added.
3661         (JSC::JSToWasmICCallee::function):
3662         (JSC::JSToWasmICCallee::JSToWasmICCallee):
3663         * wasm/js/WebAssemblyFunction.cpp:
3664         (JSC::WebAssemblyFunction::useTagRegisters const):
3665         (JSC::WebAssemblyFunction::calleeSaves const):
3666         (JSC::WebAssemblyFunction::usedCalleeSaveRegisters const):
3667         (JSC::WebAssemblyFunction::previousInstanceOffset const):
3668         (JSC::WebAssemblyFunction::previousInstance):
3669         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
3670         (JSC::WebAssemblyFunction::visitChildren):
3671         (JSC::WebAssemblyFunction::destroy):
3672         * wasm/js/WebAssemblyFunction.h:
3673         * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Added.
3674         (JSC::WebAssemblyFunctionDestroyFunc::operator() const):
3675         (JSC::WebAssemblyFunctionHeapCellType::WebAssemblyFunctionHeapCellType):
3676         (JSC::WebAssemblyFunctionHeapCellType::~WebAssemblyFunctionHeapCellType):
3677         (JSC::WebAssemblyFunctionHeapCellType::finishSweep):
3678         (JSC::WebAssemblyFunctionHeapCellType::destroy):
3679         * wasm/js/WebAssemblyFunctionHeapCellType.h: Added.
3680         * wasm/js/WebAssemblyPrototype.h:
3681
3682 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
3683
3684         [JSC] Pass CodeOrigin to FuzzerAgent
3685         https://bugs.webkit.org/show_bug.cgi?id=196590
3686
3687         Reviewed by Saam Barati.
3688
3689         Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
3690         We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
3691         but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
3692
3693         * dfg/DFGByteCodeParser.cpp:
3694         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3695         * runtime/FuzzerAgent.cpp:
3696         (JSC::FuzzerAgent::getPrediction):
3697         * runtime/FuzzerAgent.h:
3698         * runtime/RandomizingFuzzerAgent.cpp:
3699         (JSC::RandomizingFuzzerAgent::getPrediction):
3700         * runtime/RandomizingFuzzerAgent.h:
3701
3702 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
3703
3704         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
3705         https://bugs.webkit.org/show_bug.cgi?id=194944
3706
3707         Reviewed by Keith Miller.
3708
3709         Based on profile data collected on JetStream2, Speedometer 2 and
3710         other benchmarks, it is very rare to have a non-empty
3711         UnlinkedFunctionExecutable::m_parentScopeTDZVariables.
3712
3713         - Data collected from Speedometer2
3714             Total number of UnlinkedFunctionExecutable: 39463
3715             Total number of non-empty parentScopeTDZVars: 428 (~1%)
3716
3717         - Data collected from JetStream2
3718             Total number of UnlinkedFunctionExecutable: 83715
3719             Total number of non-empty parentScopeTDZVars: 5285 (~6%)
3720
3721         We also collected numbers on 6 of the top 10 Alexa sites.
3722
3723         - Data collected from youtube.com
3724             Total number of UnlinkedFunctionExecutable: 29599
3725             Total number of non-empty parentScopeTDZVars: 97 (~0.3%)
3726
3727         - Data collected from twitter.com
3728             Total number of UnlinkedFunctionExecutable: 23774
3729             Total number of non-empty parentScopeTDZVars: 172 (~0.7%)
3730
3731         - Data collected from google.com
3732             Total number of UnlinkedFunctionExecutable: 33209
3733             Total number of non-empty parentScopeTDZVars: 174 (~0.5%)
3734
3735         - Data collected from amazon.com:
3736             Total number of UnlinkedFunctionExecutable: 15182
3737             Total number of non-empty parentScopeTDZVars: 166 (~1%)
3738
3739         - Data collected from facebook.com:
3740             Total number of UnlinkedFunctionExecutable: 54443
3741             Total number of non-empty parentScopeTDZVars: 269 (~0.4%)
3742
3743         - Data collected from netflix.com:
3744             Total number of UnlinkedFunctionExecutable: 39266
3745             Total number of non-empty parentScopeTDZVars: 97 (~0.2%)
3746
3747         Considering such numbers, this patch is moving `m_parentScopeTDZVariables`
3748         to RareData. This decreases sizeof(UnlinkedFunctionExecutable) by
3749         16 bytes. With this change, the UnlinkedFunctionExecutable constructors now
3750         receive an `Optional<VariableEnvironmentMap::Handle>` and only store
3751         it when `value != WTF::nullopt`. We also changed
3752         UnlinkedFunctionExecutable::parentScopeTDZVariables() and it returns
3753         `VariableEnvironment()` whenever the Executable doesn't have RareData,
3754         or VariableEnvironmentMap::Handle is uninitialized. This is required
3755         because RareData is instantiated when any of its fields is stored and
3756         we can have an uninitialized `Handle` even in cases when parentScopeTDZVariables
3757         is `WTF::nullopt`.
3758
3759         Results on memory usage on JetStream2 are neutral.
3760
3761             Mean of memory peak on ToT: 4258633728 bytes (confidence interval: 249720072.95)
3762             Mean of memory peak on Changes: 4367325184 bytes (confidence interval: 321285583.61)
3763
3764         * builtins/BuiltinExecutables.cpp:
3765         (JSC::BuiltinExecutables::createExecutable):
3766         * bytecode/UnlinkedFunctionExecutable.cpp:
3767         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3768         * bytecode/UnlinkedFunctionExecutable.h:
3769         * bytecompiler/BytecodeGenerator.cpp:
3770         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
3771
3772         BytecodeGenerator::getVariablesUnderTDZ now also caches if m_cachedVariablesUnderTDZ
3773         is empty, so we can properly return `WTF::nullopt` without the
3774         reconstruction of a VariableEnvironment to check if it is empty.
3775
3776         * bytecompiler/BytecodeGenerator.h:
3777         (JSC::BytecodeGenerator::makeFunction):
3778         * parser/VariableEnvironment.h:
3779         (JSC::VariableEnvironment::isEmpty const):
3780         * runtime/CachedTypes.cpp:
3781         (JSC::CachedCompactVariableMapHandle::decode const):
3782
3783         It returns an uninitialized Handle when there is no
3784         CompactVariableEnvironment. This can happen when RareData is ensured
3785         because of another field.
3786
3787         (JSC::CachedFunctionExecutableRareData::encode):
3788         (JSC::CachedFunctionExecutableRareData::decode const):
3789         (JSC::CachedFunctionExecutable::encode):
3790         (JSC::CachedFunctionExecutable::decode const):
3791         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3792         * runtime/CodeCache.cpp:
3793
3794         Instead of creating a dummyVariablesUnderTDZ, we simply pass
3795         WTF::nullopt.
3796
3797         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
3798
3799 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
3800
3801         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
3802         https://bugs.webkit.org/show_bug.cgi?id=196409
3803
3804         Reviewed by Saam Barati.
3805
3806         Some of the helpers in jsc.cpp, such as `functionRunString`, were still using
3807         `makeSource` instead of `jscSource`, which does not use the ShellSourceProvider
3808         and therefore does not write the bytecode cache to disk.
3809
3810         Changing that revealed a bug in the bytecode cache. The Encoder keeps a mapping
3811         of pointers to offsets of already cached objects, in order to avoid caching
3812         the same object twice. Similarly, the Decoder keeps a mapping from offsets
3813         to pointers, in order to avoid creating multiple objects in memory for the
3814         same cached object. The following was happening:
3815         1) A StringImpl* S was cached as CachedPtr<CachedStringImpl> at offset O. We add
3816         an entry in the Encoder mapping that S has already been encoded at O.
3817         2) We cache StringImpl* S again, but now as CachedPtr<CachedUniquedStringImpl>.
3818         We find an entry in the Encoder mapping for S, and return the offset O. However,
3819         the object cached at O is a CachedPtr<CachedStringImpl> (i.e. not Uniqued).
3820
3821         3) When decoding, there are 2 possibilities:
3822         3.1) We find S for the first time through a CachedPtr<CachedStringImpl>. In
3823         this case, everything works as expected since we add an entry in the decoder
3824         mapping from the offset O to the decoded StringImpl* S. The next time we find
3825         S through the uniqued version, we'll return the already decoded S.
3826         3.2) We find S through a CachedPtr<CachedUniquedStringImpl>. Now we have a
3827         problem, since the CachedPtr has the offset of a CachedStringImpl (not uniqued),
3828         which has a different shape and we crash.
3829
3830         We fix this by making CachedStringImpl and CachedUniquedStringImpl share the
3831         same implementation. Since it doesn't matter whether a string is uniqued for
3832         encoding, and we always decode strings as uniqued either way, they can be used
3833         interchangeably.
3834
3835         * jsc.cpp:
3836         (functionRunString):
3837         (functionLoadString):
3838         (functionDollarAgentStart):
3839         (functionCheckModuleSyntax):
3840         (runInteractive):
3841         * runtime/CachedTypes.cpp:
3842         (JSC::CachedUniquedStringImplBase::decode const):
3843         (JSC::CachedFunctionExecutable::rareData const):
3844         (JSC::CachedCodeBlock::rareData const):
3845         (JSC::CachedFunctionExecutable::encode):
3846         (JSC::CachedCodeBlock<CodeBlockType>::encode):
3847         (JSC::CachedUniquedStringImpl::encode): Deleted.
3848         (JSC::CachedUniquedStringImpl::decode const): Deleted.
3849         (JSC::CachedStringImpl::encode): Deleted.
3850         (JSC::CachedStringImpl::decode const): Deleted.
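
        Added example (C++, not JSC's CachedTypes; the record layouts, names and sample string are constructed):
        a toy cache encoder whose dedup map is keyed by the source pointer alone, reproducing steps 1, 2 and 3.2
        above, next to the fix the entry chose of giving both string kinds one shared layout. The decoder
        validates the record tag and bounds and reports the shape mismatch instead of reading past it.

```cpp
#include <cstdint>
#include <cstring>
#include <map>
#include <string>
#include <vector>

// Added example (not JSC's CachedTypes): a toy bytecode-cache encoder and
// decoder that reproduce the dedup confusion described in the entry, beside
// the fix the entry chose (one shared record layout for both kinds).

enum Kind : uint8_t { PlainString = 1, UniquedString = 2 };

// Constructed record layouts: Plain is [kind][len:4][bytes]; Uniqued adds a
// trailing 4-byte hash, so the two shapes differ in length and meaning.
static uint32_t fnv1a(const std::string& s)
{
    uint32_t h = 2166136261u;
    for (unsigned char c : s) { h ^= c; h *= 16777619u; }
    return h;
}

class Encoder {
public:
    // sharedLayout=false models the bug; true models the fix.
    explicit Encoder(bool sharedLayout) : m_sharedLayout(sharedLayout) {}

    size_t encode(const std::string* s, Kind requested)
    {
        // Dedup keyed by the source pointer alone: a second request for the
        // same string returns the first offset regardless of the Kind asked for.
        auto it = m_offsets.find(s);
        if (it != m_offsets.end())
            return it->second;
        // With a shared layout every string is written in the uniqued shape,
        // so whichever reader follows the offset finds what it expects.
        Kind written = m_sharedLayout ? UniquedString : requested;
        size_t offset = m_blob.size();
        m_blob.push_back(written);
        uint32_t len = static_cast<uint32_t>(s->size());
        appendBytes(&len, sizeof len);
        m_blob.insert(m_blob.end(), s->begin(), s->end());
        if (written == UniquedString) {
            uint32_t h = fnv1a(*s);
            appendBytes(&h, sizeof h);
        }
        m_offsets[s] = offset;
        return offset;
    }
    const std::vector<uint8_t>& blob() const { return m_blob; }

private:
    void appendBytes(const void* p, size_t n)
    {
        const uint8_t* b = static_cast<const uint8_t*>(p);
        m_blob.insert(m_blob.end(), b, b + n);
    }
    bool m_sharedLayout;
    std::map<const std::string*, size_t> m_offsets;
    std::vector<uint8_t> m_blob;
};

// Reader for the uniqued shape. The real cache crashed on the shape
// mismatch; this decoder checks the tag and the bounds and fails cleanly.
static bool decodeUniqued(const std::vector<uint8_t>& blob, size_t offset, std::string& out)
{
    if (offset + 5 > blob.size() || blob[offset] != UniquedString)
        return false;
    uint32_t len;
    std::memcpy(&len, &blob[offset + 1], sizeof len);
    if (offset + 5 + len + sizeof(uint32_t) > blob.size())
        return false;
    out.assign(blob.begin() + offset + 5, blob.begin() + offset + 5 + len);
    uint32_t h;
    std::memcpy(&h, &blob[offset + 5 + len], sizeof h);
    return h == fnv1a(out);
}

// Steps 1, 2 and 3.2 from the entry: encode S as plain, then as uniqued,
// then decode through the uniqued reference. True when that round-trips.
static bool roundTripsThroughUniquedReference(bool sharedLayout)
{
    const std::string S = "constructed sample string";
    Encoder enc(sharedLayout);
    size_t first = enc.encode(&S, PlainString);    // step 1: cached at offset O
    size_t second = enc.encode(&S, UniquedString); // step 2: dedup answers O again
    std::string decoded;
    return first == second && decodeUniqued(enc.blob(), second, decoded) && decoded == S;
}
```

        With the pointer-only dedup and distinct layouts the uniqued reader lands on a plain record and the
        decode fails; with the shared layout the same dedup is harmless because there is only one shape to find.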
3851
3852 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
3853
3854         UnlinkedCodeBlock constructor from cache should initialize m_didOptimize
3855         https://bugs.webkit.org/show_bug.cgi?id=196396
3856
3857         Reviewed by Saam Barati.
3858
3859         The UnlinkedCodeBlock constructor in CachedTypes was missing the initialization
3860         for m_didOptimize, which leads to crashes in CodeBlock::thresholdForJIT.
3861
3862         * runtime/CachedTypes.cpp:
3863         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3864
3865 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3866