Add Xcode version check for Header post-processing scripts
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-04-23  Keith Rollin  <krollin@apple.com>

        Add Xcode version check for Header post-processing scripts
        https://bugs.webkit.org/show_bug.cgi?id=197116
        <rdar://problem/50058968>

        Reviewed by Brent Fulgham.

        There are several places in our Xcode projects that post-process
        header files after they've been exported. Because of XCBuild, we're
        moving to a model where the post-processing is performed at the same
        time the header files are exported, rather than as a distinct
        post-processing step. This patch disables the distinct step when the
        inline processing is available.

        In practice, this means prefixing appropriate post-processing Custom
        Build phases with:

        if [ "${XCODE_VERSION_MAJOR}" -ge "1100" -a "${USE_NEW_BUILD_SYSTEM}" = "YES" ]; then
            # In this configuration, post-processing is performed at the same time as copying in the postprocess-header-rule script, so there's no need for this separate step.
            exit 0
        fi

        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-04-23  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r244558.
        https://bugs.webkit.org/show_bug.cgi?id=197219

        Causing crashes on iOS Sim Release and Debug (Requested by
        ShawnRoberts on #webkit).

        Reverted changeset:

        "Remove DeprecatedOptional"
        https://bugs.webkit.org/show_bug.cgi?id=197161
        https://trac.webkit.org/changeset/244558

2019-04-23  Devin Rousso  <drousso@apple.com>

        Web Inspector: Uncaught Exception: null is not an object (evaluating 'this.ownerDocument.frameIdentifier')
        https://bugs.webkit.org/show_bug.cgi?id=196420
        <rdar://problem/49444205>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/DOM.json:
        Modify the existing `frameId` to represent the owner frame of the node, rather than the
        frame it holds (in the case of an `<iframe>`).

2019-04-23  Alex Christensen  <achristensen@webkit.org>

        Remove DeprecatedOptional
        https://bugs.webkit.org/show_bug.cgi?id=197161

        Reviewed by Darin Adler.

        * inspector/InspectorBackendDispatcher.cpp:
        * inspector/InspectorBackendDispatcher.h:

2019-04-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use volatile load to populate backing page in MarkedBlock::Footer instead of using holdLock
        https://bugs.webkit.org/show_bug.cgi?id=197152

        Reviewed by Saam Barati.

        Emit volatile load instead of using holdLock to populate backing page in MarkedBlock::Footer.

        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::isPagedOut):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::populatePage const):

2019-04-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] useJIT should subsume useRegExpJIT
        https://bugs.webkit.org/show_bug.cgi?id=197153

        Reviewed by Alex Christensen.

        useJIT should subsume useRegExpJIT. We should immediately disable the JIT feature if useJIT = false,
        even if useRegExpJIT is true.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::canUseRegExpJIT): Deleted.
        * runtime/VM.h:

2019-04-22  Basuke Suzuki  <basuke.suzuki@sony.com>

        [PlayStation] Restructuring Remote Inspector classes to support multiple platforms.
        https://bugs.webkit.org/show_bug.cgi?id=197030

        Reviewed by Don Olmstead.

        Restructuring the PlayStation RemoteInspector backend, which uses native sockets for communication, to be ready for WinCairo.

        What we did is basically:
        - Renamed `remote/playstation/` to `remote/socket/`. This directory is now a platform-independent implementation of the socket backend.
        - Renamed `RemoteInspectorSocket` class to `RemoteInspectorSocketEndpoint`. This class is platform independent and is the core of the backend.
        - Merged `RemoteInspectorSocket{Client|Server}` classes into `RemoteInspectorSocketEndpoint` class because the differences are small.
        - Defined new interface functions in the `Inspector::Socket` (new) namespace.
        - Moved POSIX socket implementation into `posix\RemoteInspectorSocketPOSIX.{h|cpp}`.

        * PlatformPlayStation.cmake:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/playstation/RemoteInspectorSocketClient.h: Merged into RemoteInspectorSocketEndpoint.
        * inspector/remote/playstation/RemoteInspectorSocketClientPlayStation.cpp: Merged into RemoteInspectorSocketEndpoint.
        * inspector/remote/playstation/RemoteInspectorSocketPlayStation.cpp: Removed.
        * inspector/remote/playstation/RemoteInspectorSocketServer.h: Merged into RemoteInspectorSocketEndpoint.
        * inspector/remote/playstation/RemoteInspectorSocketServerPlayStation.cpp: Merged into RemoteInspectorSocketEndpoint.
        * inspector/remote/socket/RemoteInspectorConnectionClient.cpp: Renamed from inspector\remote\playstation\RemoteInspectorConnectionClientPlayStation.cpp.
        * inspector/remote/socket/RemoteInspectorConnectionClient.h: Renamed from inspector\remote\playstation\RemoteInspectorConnectionClient.h.
        (Inspector::RemoteInspectorConnectionClient::didAccept):
        * inspector/remote/socket/RemoteInspectorMessageParser.cpp: Renamed from inspector\remote\playstation\RemoteInspectorMessageParserPlayStation.cpp.
        * inspector/remote/socket/RemoteInspectorMessageParser.h: Renamed from inspector\remote\playstation\RemoteInspectorMessageParser.h.
        * inspector/remote/socket/RemoteInspectorServer.cpp: Renamed from inspector\remote\playstation\RemoteInspectorServerPlayStation.cpp.
        (Inspector::RemoteInspectorServer::didAccept):
        (Inspector::RemoteInspectorServer::start):
        * inspector/remote/socket/RemoteInspectorServer.h: Renamed from inspector\remote\playstation\RemoteInspectorServer.h.
        * inspector/remote/socket/RemoteInspectorSocket.cpp: Renamed from inspector\remote\playstation\RemoteInspectorPlayStation.cpp.
        (Inspector::RemoteInspector::start):
        * inspector/remote/socket/RemoteInspectorSocket.h: Copied from inspector\remote\playstation\RemoteInspectorSocket.h.
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: Added.
        (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint):
        (Inspector::RemoteInspectorSocketEndpoint::~RemoteInspectorSocketEndpoint):
        (Inspector::RemoteInspectorSocketEndpoint::wakeupWorkerThread):
        (Inspector::RemoteInspectorSocketEndpoint::connectInet):
        (Inspector::RemoteInspectorSocketEndpoint::listenInet):
        (Inspector::RemoteInspectorSocketEndpoint::isListening):
        (Inspector::RemoteInspectorSocketEndpoint::workerThread):
        (Inspector::RemoteInspectorSocketEndpoint::createClient):
        (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
        (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
        (Inspector::RemoteInspectorSocketEndpoint::send):
        (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: Renamed from inspector\remote\playstation\RemoteInspectorSocket.h.
        * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: Added.
        (Inspector::Socket::connect):
        (Inspector::Socket::listen):
        (Inspector::Socket::accept):
        (Inspector::Socket::createPair):
        (Inspector::Socket::setup):
        (Inspector::Socket::isValid):
        (Inspector::Socket::isListening):
        (Inspector::Socket::read):
        (Inspector::Socket::write):
        (Inspector::Socket::close):
        (Inspector::Socket::preparePolling):
        (Inspector::Socket::poll):
        (Inspector::Socket::isReadable):
        (Inspector::Socket::isWritable):
        (Inspector::Socket::markWaitingWritable):
        (Inspector::Socket::clearWaitingWritable):

2019-04-20  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, suppress warnings in non-Darwin environments

        * jit/ExecutableAllocator.cpp:
        (JSC::dumpJITMemory):

2019-04-19  Saam Barati  <sbarati@apple.com>

        AbstractValue can represent more than int52
        https://bugs.webkit.org/show_bug.cgi?id=197118
        <rdar://problem/49969960>

        Reviewed by Michael Saboff.

        Let's analyze this control flow diamond:

        #0
        branch #1, #2

        #1:
        PutStack(JSValue, loc42)
        Jump #3

        #2:
        PutStack(Int52, loc42)
        Jump #3

        #3:
        ...

        Our abstract value for loc42 at the head of #3 will contain an abstract
        value that is the union of Int52 with other things. Obviously in the
        above program, a GetStack for loc42 would be invalid, since it might
        be loading either JSValue or Int52. However, the abstract interpreter
        just tracks what the value could be, and it could be Int52 or JSValue.

        When I did the Int52 refactoring, I expected such things to never happen,
        but it turns out it does. We should just allow for this instead of asserting
        against it since it's valid IR to do the above.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::checkConsistency const):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):

2019-04-19  Tadeu Zagallo  <tzagallo@apple.com>

        Add option to dump JIT memory
        https://bugs.webkit.org/show_bug.cgi?id=197062
        <rdar://problem/49744332>

        Reviewed by Saam Barati.

        Dump all writes into JIT memory to the specified file. The format is:
        - 64-bit destination address for the write
        - 64-bit size of the content written
        - Copy of the data that was written to JIT memory

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        * jit/ExecutableAllocator.cpp:
        (JSC::dumpJITMemory):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * runtime/Options.h:
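
        Editor's note, added here and not part of the ChangeLog or of WebKit's code: the entry
        above gives the record layout of the JIT memory dump (8-byte destination address, 8-byte
        size, then the bytes written) but no tool for reading it. The JavaScript below is an
        added example of a parser for that layout, runnable under node against a dump file or,
        as written, against a constructed sample buffer. Little-endian field order, the function
        names and the sample addresses are assumptions, not taken from the entry. Beyond walking
        the records it reports writes whose address ranges overlap, which is the first thing a
        reviewer of JIT memory activity looks for: each range that became executable is accounted
        for by a record, and a second record landing inside an earlier range marks a rewrite.

```javascript
// Added example (not JavaScriptCore code): parse a JIT memory dump whose records
// are laid out as the ChangeLog entry describes:
//   8 bytes  destination address of the write
//   8 bytes  size of the content written
//   N bytes  copy of the bytes written
// Little-endian field order is an assumption; the entry does not state it.

function parseJITMemoryDump(buf) {
  const records = [];
  let offset = 0;
  while (offset < buf.length) {
    if (buf.length - offset < 16) {
      throw new Error(`truncated record header at offset ${offset}`);
    }
    const address = buf.readBigUInt64LE(offset);
    const size = buf.readBigUInt64LE(offset + 8);
    offset += 16;
    // Check the claimed size against what is left before converting it to a
    // Number: Buffer.subarray clamps silently, so a corrupt header would
    // otherwise yield a short record instead of an error.
    if (size > BigInt(buf.length - offset)) {
      throw new Error(`record at ${offset - 16} claims ${size} bytes, only ${buf.length - offset} remain`);
    }
    const len = Number(size);
    records.push({ address, size: len, data: buf.subarray(offset, offset + len) });
    offset += len;
  }
  return records;
}

// Pairs of record indices whose [address, address + size) ranges intersect.
// A later write inside an earlier range is a rewrite of JIT code (for example
// a relink) and is what an auditor of the dump wants surfaced.
function findOverlappingWrites(records) {
  const overlaps = [];
  for (let i = 0; i < records.length; i++) {
    const a = records[i];
    const aEnd = a.address + BigInt(a.size);
    for (let j = i + 1; j < records.length; j++) {
      const b = records[j];
      const bEnd = b.address + BigInt(b.size);
      if (b.address < aEnd && a.address < bEnd) overlaps.push([i, j]);
    }
  }
  return overlaps;
}

// Encoder used only to build the constructed sample below.
function encodeRecord(address, data) {
  const header = Buffer.alloc(16);
  header.writeBigUInt64LE(BigInt(address), 0);
  header.writeBigUInt64LE(BigInt(data.length), 8);
  return Buffer.concat([header, data]);
}

// Constructed sample (assumed addresses and bytes): a 4-byte write followed by
// a 1-byte write that lands inside the first range.
const SAMPLE_DUMP = Buffer.concat([
  encodeRecord(0x100000000n, Buffer.from([0x55, 0x48, 0x89, 0xe5])),
  encodeRecord(0x100000002n, Buffer.from([0xc3])),
]);

function summarize(buf) {
  const records = parseJITMemoryDump(buf);
  return {
    count: records.length,
    totalBytes: records.reduce((n, r) => n + r.size, 0),
    overlaps: findOverlappingWrites(records),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of parseJITMemoryDump(SAMPLE_DUMP)) {
    console.log(`0x${r.address.toString(16)} ${r.size} bytes ${r.data.toString('hex')}`);
  }
  console.log(summarize(SAMPLE_DUMP));
}
```

        To run it on a real dump, replace SAMPLE_DUMP with the result of fs.readFileSync on the
        file the option wrote; the size check before Number(size) is what turns a truncated or
        tampered file into an error rather than a silently short record.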

2019-04-19  Keith Rollin  <krollin@apple.com>

        Add postprocess-header-rule scripts
        https://bugs.webkit.org/show_bug.cgi?id=197072
        <rdar://problem/50027299>

        Reviewed by Brent Fulgham.

        Several projects have post-processing build phases where exported
        headers are tweaked after they've been copied. This post-processing is
        performed via scripts called postprocess-headers.sh. For reasons
        related to XCBuild, we are now transitioning to a build process where
        the post-processing is performed at the same time as the
        exporting/copying. To support this process, add similar scripts named
        postprocess-header-rule, which are geared towards processing a single
        file at a time rather than all exported files at once. Also add a
        build rule that makes use of these scripts. These scripts and build
        rules are not used at the moment; they will come into use in an
        imminent patch.

        Note that I've named these postprocess-header-rule rather than
        postprocess-header-rule.sh. Scripts in Tools/Scripts do not have
        suffixes indicating how the tool is implemented. Scripts in
        per-project Scripts folders appear to be mixed regarding the use of
        suffixes. I'm opting here to follow the Tools/Scripts convention, with
        the expectation that over time we completely standardize on that.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/postprocess-header-rule: Added.

2019-04-18  Saam barati  <sbarati@apple.com>

        Remove useConcurrentBarriers option
        https://bugs.webkit.org/show_bug.cgi?id=197066

        Reviewed by Michael Saboff.

        This isn't a helpful option as it will lead us to crash when using the
        concurrent GC.

        * dfg/DFGStoreBarrierClusteringPhase.cpp:
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::barrierStoreLoadFence):
        * runtime/Options.h:

2019-04-17  Saam Barati  <sbarati@apple.com>

        Remove deprecated JSScript SPI
        https://bugs.webkit.org/show_bug.cgi?id=194909
        <rdar://problem/48283499>

        Reviewed by Keith Miller.

        * API/JSAPIGlobalObject.mm:
        (JSC::JSAPIGlobalObject::moduleLoaderFetch):
        * API/JSScript.h:
        * API/JSScript.mm:
        (+[JSScript scriptWithSource:inVirtualMachine:]): Deleted.
        (fillBufferWithContentsOfFile): Deleted.
        (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]): Deleted.
        (+[JSScript scriptFromUTF8File:inVirtualMachine:withCodeSigning:andBytecodeCache:]): Deleted.
        (-[JSScript setSourceURL:]): Deleted.
        * API/JSScriptInternal.h:
        * API/tests/testapi.mm:
        (testFetch):
        (testFetchWithTwoCycle):
        (testFetchWithThreeCycle):
        (testLoaderResolvesAbsoluteScriptURL):
        (testImportModuleTwice):
        (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):

2019-04-17  Keith Rollin  <krollin@apple.com>

        Remove JSCBuiltins.cpp from Copy Headers phase
        https://bugs.webkit.org/show_bug.cgi?id=196981
        <rdar://problem/49952133>

        Reviewed by Alex Christensen.

        JSCBuiltins.cpp is not a header and so doesn't need to be in the Copy
        Headers phase. Checking its history, it seems to have been added
        accidentally at the same time that JSCBuiltins.h was added.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-04-16  Stephan Szabo  <stephan.szabo@sony.com>

        [PlayStation] Update port for system library changes
        https://bugs.webkit.org/show_bug.cgi?id=196978

        Reviewed by Ross Kirsling.

        * shell/playstation/Initializer.cpp:
        Add reference to new posix compatibility library.

2019-04-16  Robin Morisset  <rmorisset@apple.com>

        [WTF] holdLock should be marked WARN_UNUSED_RETURN
        https://bugs.webkit.org/show_bug.cgi?id=196922

        Reviewed by Keith Miller.

        There was one case where holdLock was used and the result ignored.
        From a comment that was deleted in https://bugs.webkit.org/attachment.cgi?id=328438&action=prettypatch, I believe that it is on purpose.
        So I brought back a variant of the comment, and made the ignoring of the return explicit.

        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::isPagedOut):

2019-04-16  Caitlin Potter  <caitp@igalia.com>

        [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
        https://bugs.webkit.org/show_bug.cgi?id=176810

        Reviewed by Saam Barati.

        This adds conditional logic following the invariant checks, to perform
        filtering in common uses of getOwnPropertyNames.

        While this would ideally only be done in JSPropertyNameEnumerator, adding
        the filtering to ProxyObject::performGetOwnPropertyNames maintains the
        invariant that the EnumerationMode is properly followed.

        This was originally rolled out in r244020, as DontEnum filtering code
        in ObjectConstructor.cpp's ownPropertyKeys() had not been removed. It's
        now redundant due to being handled in ProxyObject::getOwnPropertyNames().

        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::reset):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performGetOwnPropertyNames):
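
        Editor's note, added here and not part of the ChangeLog or of JavaScriptCore's code: the
        entry above describes where the engine filters DontEnum keys for proxies; the JavaScript
        below is an added example showing the behaviour that is observable from script. A Proxy
        whose ownKeys trap reports three keys and whose getOwnPropertyDescriptor trap marks one
        of them non-enumerable is enumerated three ways: Reflect.ownKeys returns every key the
        trap reported, while Object.keys and for...in see only the enumerable one. A second
        function exercises the invariant check that runs before the filtering: an ownKeys result
        that omits a non-configurable key of the target is rejected with a TypeError. Property
        names, values and the function names are constructed for the example.

```javascript
// Added example (not JavaScriptCore code): enumeration of a Proxy whose traps
// report keys with mixed enumerability. Which keys each API returns depends on
// the DontEnum filtering applied after the proxy invariant checks.

function makeFilteringProxy() {
  const target = {};
  // A non-configurable key on the target: the ownKeys trap is obliged to
  // report it, which the invariant check enforces.
  Object.defineProperty(target, 'fixed', { value: 1, enumerable: false, configurable: false });
  // Constructed descriptors for keys that exist only in the proxy's traps.
  const descriptors = {
    visible: { value: 'a', enumerable: true, configurable: true },
    hidden: { value: 'b', enumerable: false, configurable: true },
  };
  return new Proxy(target, {
    ownKeys() {
      return ['visible', 'hidden', 'fixed'];
    },
    getOwnPropertyDescriptor(t, key) {
      // Fall back to the target for keys the trap does not synthesize, so the
      // descriptor reported for 'fixed' matches the real one.
      return descriptors[key] || Reflect.getOwnPropertyDescriptor(t, key);
    },
  });
}

// Returns the same proxy as seen by the unfiltered and the DontEnum-filtered
// enumeration APIs.
function enumerationView(obj) {
  const forIn = [];
  for (const k in obj) forIn.push(k);
  return {
    ownKeys: Reflect.ownKeys(obj),
    names: Object.getOwnPropertyNames(obj),
    keys: Object.keys(obj),
    forIn,
  };
}

// Failure mode: an ownKeys trap that drops a non-configurable target key.
// The invariant check rejects the trap result before any filtering happens.
// Returns the thrown error's constructor name, or null if nothing was thrown.
function ownKeysInvariantViolation() {
  const target = {};
  Object.defineProperty(target, 'fixed', { value: 1, configurable: false });
  const p = new Proxy(target, { ownKeys() { return []; } });
  try {
    Object.keys(p);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(enumerationView(makeFilteringProxy()));
  console.log('dropping a non-configurable key throws:', ownKeysInvariantViolation());
}
```

        Object.getOwnPropertyNames is unfiltered like Reflect.ownKeys (minus symbols): the
        DontEnum filtering the entry talks about applies to the EnumerationMode that Object.keys,
        for...in and JSON.stringify use, not to every caller of getOwnPropertyNames.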

2019-04-15  Saam barati  <sbarati@apple.com>

        Modify how we do SetArgument when we inline varargs calls
        https://bugs.webkit.org/show_bug.cgi?id=196712
        <rdar://problem/49605012>

        Reviewed by Michael Saboff.

        When we inline varargs calls, we guarantee that the number of arguments that
        go on the stack is somewhere between the "mandatoryMinimum" and the "limit - 1".
        However, we can't statically guarantee that the arguments between these two
        ranges were filled out by Load/ForwardVarargs. This is because in the general
        case we don't know the argument count statically.

        However, we used to always emit SetArgumentDefinitely up to "limit - 1" for
        all arguments, even when some arguments aren't guaranteed to be in a valid
        state. Emitting these SetArgumentDefinitely was helpful because they let us
        handle variable liveness and OSR exit metadata. However, when we converted
        to SSA, we ended up emitting a GetStack for each such SetArgumentDefinitely.

        This is wrong, as we can't guarantee such SetArgumentDefinitely nodes are
        actually looking at a range of the stack that is guaranteed to be initialized.
        This patch introduces a new form of SetArgument node: SetArgumentMaybe. In terms
        of OSR exit metadata and variable liveness tracking, it behaves like SetArgumentDefinitely.

        However, it differs in a couple key ways:
        1. In ThreadedCPS, GetLocal(@SetArgumentMaybe) is invalid IR, as this implies
        you might be loading uninitialized stack. (This same rule applies when you do
        the full data flow reachability analysis over CPS Phis.) If someone logically
        wanted to emit code like this, the correct node to emit would be GetArgument,
        not GetLocal. For similar reasons, PhantomLocal(@SetArgumentMaybe) is also
        invalid IR.
        2. To track liveness, Flush(@SetArgumentMaybe) is valid, and is the main user
        of SetArgumentMaybe.
        3. In SSA conversion, we don't lower SetArgumentMaybe to GetStack, as there
        should be no data flow user of SetArgumentMaybe.

        SetArgumentDefinitely guarantees that the stack slot is initialized.
        SetArgumentMaybe makes no such guarantee.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        (JSC::DFG::CPSRethreadingPhase::propagatePhis):
        (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNodeType.h:
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):

2019-04-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r243672.
        https://bugs.webkit.org/show_bug.cgi?id=196952

        [JSValue release] should be thread-safe (Requested by
        yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] JSWrapperMap should not use Objective-C Weak map
        (NSMapTable with NSPointerFunctionsWeakMemory) for
        m_cachedObjCWrappers"
        https://bugs.webkit.org/show_bug.cgi?id=196392
        https://trac.webkit.org/changeset/243672

2019-04-15  Saam barati  <sbarati@apple.com>

        SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
        https://bugs.webkit.org/show_bug.cgi?id=196945
        <rdar://problem/49802750>

        Reviewed by Filip Pizlo.

        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):

2019-04-15  Robin Morisset  <rmorisset@apple.com>

        DFG should be able to constant fold Object.create() with a constant prototype operand
        https://bugs.webkit.org/show_bug.cgi?id=196886

        Reviewed by Yusuke Suzuki.

        It is a fairly simple and limited patch, as it only works when the DFG can prove the exact object used as prototype.
        But when it applies it can be a significant win:
                                                        Baseline                   Optim
        object-create-constant-prototype              3.6082+-0.0979     ^      1.6947+-0.0756        ^ definitely 2.1292x faster
        object-create-null                           11.4492+-0.2510     ?     11.5030+-0.2402        ?
        object-create-unknown-object-prototype       15.6067+-0.1851     ?     15.7500+-0.2322        ?
        object-create-untyped-prototype               8.8873+-0.1240     ?      8.9806+-0.1202        ? might be 1.0105x slower
        <geometric>                                   8.6967+-0.1208     ^      7.2408+-0.1367        ^ definitely 1.2011x faster

        The only subtlety is that we need to access the StructureCache concurrently from the compiler thread (see https://bugs.webkit.org/show_bug.cgi?id=186199)
        I solved this with a simple lock, taken when the compiler thread tries to read it, and when the main thread tries to modify it.
        I expect it to be extremely low contention, but will watch the bots just in case.
        The lock is taken neither when the main thread is only reading the cache (it has no-one to race with), nor when the GC purges it of dead entries (it does not free anything while a compiler thread is in the middle of a phase).

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * runtime/StructureCache.cpp:
        (JSC::StructureCache::createEmptyStructure):
        (JSC::StructureCache::tryEmptyObjectStructureForPrototypeFromCompilerThread):
        * runtime/StructureCache.h:

2019-04-15  Devin Rousso  <drousso@apple.com>

        Web Inspector: fake value descriptors for promises add a catch handler, preventing "rejectionhandled" events from being fired
        https://bugs.webkit.org/show_bug.cgi?id=196484
        <rdar://problem/49114725>

        Reviewed by Joseph Pecoraro.

        Only add a catch handler when the promise is reachable via a native getter and is known to
        have rejected. A non-rejected promise doesn't need a catch handler, and any promise that
        isn't reachable via a getter won't actually be reached, as `InjectedScript` doesn't call any
        functions, instead only getting the function object itself.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor):

        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::isPromiseRejectedWithNativeGetterTypeError): Added.
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIsPromiseRejectedWithNativeGetterTypeError): Added.

        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::setNativeGetterTypeError): Added.
        (JSC::ErrorInstance::isNativeGetterTypeError const): Added.

        * runtime/Error.h:
        (JSC::throwVMGetterTypeError): Added.
        * runtime/Error.cpp:
        (JSC::createGetterTypeError): Added.
        (JSC::throwGetterTypeError): Added.
        (JSC::throwDOMAttributeGetterTypeError):

2019-04-15  Robin Morisset  <rmorisset@apple.com>

        B3::Value should have different kinds of adjacency lists
        https://bugs.webkit.org/show_bug.cgi?id=196091

        Reviewed by Filip Pizlo.

        The key idea of this optimization is to replace the Vector<Value*, 3> m_children in B3::Value (40 bytes on 64-bits platform) by one of the following:
        - Nothing (0 bytes)
        - 1 Value* (8 bytes)
        - 2 Value* (16 bytes)
        - 3 Value* (24 bytes)
        - A Vector<Value*, 3>
        after the end of the Value object, depending on the kind of the Value.
        So for example, when allocating an Add, we would allocate an extra 16 bytes into which to store 2 Values.
        This would halve the memory consumption of Const64/Const32/Nop/Identity and a bunch more kinds of values, and reduce by a more moderate amount the memory consumption of the rest of non-varargs values (e.g. Add would go from 72 to 48 bytes).

        A few implementation points:
        - Even if there are no children, we must remember to allocate at least enough space for replaceWithIdentity to work later. It needs sizeof(Value) (for the object itself) + sizeof(Value*) (for the pointer to its child)
        - We must make sure to destroy the vector whenever we destroy a Value which is VarArgs
        - We must remember how many elements there are in the case where we did not allocate a Vector. We cannot do it purely by relying on the kind, both for speed reasons and because Return can have either 0 or 1 argument in B3
          Thankfully, we have an extra byte of padding to use in the middle of B3::Value
        - In order to support clone(), we must have a separate version of allocate, which extracts the opcode from the to-be-cloned object instead of from the call to the constructor
        - Speaking of which, we need a special templated function opcodeFromConstructor, because some of the constructors of subclasses of Value don't take an explicit Opcode as argument, typically because they match a single one.
        - To maximize performance, we provide specialized versions of child/lastChild/numChildren/children in the subclasses of Value, skipping checks when the actual type of the Value is already known.
          This is done through the B3_SPECIALIZE_VALUE_FOR_... defined at the bottom of B3Value.h
        - In the constructors of Value, we convert all extra children arguments to Value* eagerly. It is not required for correctness (they will be converted when put into a Vector<Value*> or a Value* in the end), but it helps limit an explosion in the number of template instantiations.
        - I moved DeepValueDump::dump from the .h to the .cpp, as there is no good reason to inline it, and recompiling JSC is already slow enough

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3ArgumentRegValue.cpp:
        (JSC::B3::ArgumentRegValue::cloneImpl const): Deleted.
        * b3/B3ArgumentRegValue.h:
        * b3/B3AtomicValue.cpp:
        (JSC::B3::AtomicValue::AtomicValue):
        (JSC::B3::AtomicValue::cloneImpl const): Deleted.
        * b3/B3AtomicValue.h:
        * b3/B3BasicBlock.h:
        * b3/B3BasicBlockInlines.h:
        (JSC::B3::BasicBlock::appendNewNonTerminal): Deleted.
        * b3/B3CCallValue.cpp:
        (JSC::B3::CCallValue::appendArgs):
        (JSC::B3::CCallValue::cloneImpl const): Deleted.
        * b3/B3CCallValue.h:
        * b3/B3CheckValue.cpp:
        (JSC::B3::CheckValue::cloneImpl const): Deleted.
        * b3/B3CheckValue.h:
        * b3/B3Const32Value.cpp:
        (JSC::B3::Const32Value::cloneImpl const): Deleted.
        * b3/B3Const32Value.h:
        * b3/B3Const64Value.cpp:
        (JSC::B3::Const64Value::cloneImpl const): Deleted.
        * b3/B3Const64Value.h:
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::cloneImpl const): Deleted.
        * b3/B3ConstDoubleValue.h:
        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::cloneImpl const): Deleted.
        * b3/B3ConstFloatValue.h:
        * b3/B3ConstPtrValue.h:
        (JSC::B3::ConstPtrValue::opcodeFromConstructor):
        * b3/B3FenceValue.cpp:
        (JSC::B3::FenceValue::FenceValue):
        (JSC::B3::FenceValue::cloneImpl const): Deleted.
        * b3/B3FenceValue.h:
        * b3/B3MemoryValue.cpp:
        (JSC::B3::MemoryValue::MemoryValue):
        (JSC::B3::MemoryValue::cloneImpl const): Deleted.
        * b3/B3MemoryValue.h:
        * b3/B3MoveConstants.cpp:
        * b3/B3PatchpointValue.cpp:
        (JSC::B3::PatchpointValue::cloneImpl const): Deleted.
        * b3/B3PatchpointValue.h:
        (JSC::B3::PatchpointValue::opcodeFromConstructor):
        * b3/B3Procedure.cpp:
        * b3/B3Procedure.h:
        * b3/B3ProcedureInlines.h:
        (JSC::B3::Procedure::add):
        * b3/B3SlotBaseValue.cpp:
        (JSC::B3::SlotBaseValue::cloneImpl const): Deleted.
        * b3/B3SlotBaseValue.h:
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        (JSC::B3::StackmapSpecial::isValidImpl):
        * b3/B3StackmapValue.cpp:
        (JSC::B3::StackmapValue::append):
        (JSC::B3::StackmapValue::StackmapValue):
        * b3/B3StackmapValue.h:
        * b3/B3SwitchValue.cpp:
        (JSC::B3::SwitchValue::SwitchValue):
        (JSC::B3::SwitchValue::cloneImpl const): Deleted.
        * b3/B3SwitchValue.h:
        (JSC::B3::SwitchValue::opcodeFromConstructor):
        * b3/B3UpsilonValue.cpp:
        (JSC::B3::UpsilonValue::cloneImpl const): Deleted.
        * b3/B3UpsilonValue.h:
        * b3/B3Value.cpp:
        (JSC::B3::DeepValueDump::dump const):
        (JSC::B3::Value::~Value):
        (JSC::B3::Value::replaceWithIdentity):
        (JSC::B3::Value::replaceWithNopIgnoringType):
        (JSC::B3::Value::replaceWithPhi):
        (JSC::B3::Value::replaceWithJump):
        (JSC::B3::Value::replaceWithOops):
        (JSC::B3::Value::replaceWith):
        (JSC::B3::Value::invertedCompare const):
        (JSC::B3::Value::returnsBool const):
        (JSC::B3::Value::cloneImpl const): Deleted.
        * b3/B3Value.h:
        (JSC::B3::DeepValueDump::dump const): Deleted.
        * b3/B3ValueInlines.h:
        (JSC::B3::Value::adjacencyListOffset const):
        (JSC::B3::Value::cloneImpl const):
        * b3/B3VariableValue.cpp:
        (JSC::B3::VariableValue::VariableValue):
        (JSC::B3::VariableValue::cloneImpl const): Deleted.
658         * b3/B3VariableValue.h:
659         * b3/B3WasmAddressValue.cpp:
660         (JSC::B3::WasmAddressValue::WasmAddressValue):
661         (JSC::B3::WasmAddressValue::cloneImpl const): Deleted.
662         * b3/B3WasmAddressValue.h:
663         * b3/B3WasmBoundsCheckValue.cpp:
664         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
665         (JSC::B3::WasmBoundsCheckValue::cloneImpl const): Deleted.
666         * b3/B3WasmBoundsCheckValue.h:
667         (JSC::B3::WasmBoundsCheckValue::accepts):
668         (JSC::B3::WasmBoundsCheckValue::opcodeFromConstructor):
669         * b3/testb3.cpp:
670         (JSC::B3::testCallFunctionWithHellaArguments):
671         (JSC::B3::testCallFunctionWithHellaArguments2):
672         (JSC::B3::testCallFunctionWithHellaArguments3):
673         (JSC::B3::testCallFunctionWithHellaDoubleArguments):
674         (JSC::B3::testCallFunctionWithHellaFloatArguments):
675         * ftl/FTLOutput.h:
676         (JSC::FTL::Output::call):
677
678 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
679
680         Bytecode cache should not encode the SourceProvider for UnlinkedFunctionExecutable's classSource
681         https://bugs.webkit.org/show_bug.cgi?id=196878
682
683         Reviewed by Saam Barati.
684
685         Every time we encode an (Unlinked)SourceCode, we encode its SourceProvider,
686         including the full source if it's a StringSourceProvider. This wasn't an issue,
687         since the SourceCode contains a RefPtr to the SourceProvider, and the Encoder
688         would avoid encoding the provider multiple times. With the addition of the
689         incremental cache, each UnlinkedFunctionCodeBlock is encoded in isolation, which
690         means we can no longer deduplicate it and the full program text was being encoded
691         multiple times in the cache.
692         As a workaround, this patch adds a custom cached type for encoding the SourceCode
693         without its provider, and later injects the SourceProvider through the Decoder.
694
695         * parser/SourceCode.h:
696         * parser/UnlinkedSourceCode.h:
697         (JSC::UnlinkedSourceCode::provider const):
698         * runtime/CachedTypes.cpp:
699         (JSC::Decoder::Decoder):
700         (JSC::Decoder::create):
701         (JSC::Decoder::provider const):
702         (JSC::CachedSourceCodeWithoutProvider::encode):
703         (JSC::CachedSourceCodeWithoutProvider::decode const):
704         (JSC::decodeCodeBlockImpl):
705         * runtime/CachedTypes.h:
706
707 2019-04-15  Robin Morisset  <rmorisset@apple.com>
708
709         MarkedSpace.cpp is not in the Xcode workspace
710         https://bugs.webkit.org/show_bug.cgi?id=196928
711
712         Reviewed by Saam Barati.
713
714         * JavaScriptCore.xcodeproj/project.pbxproj:
715
716 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
717
718         Incremental bytecode cache should not append function updates when loaded from memory
719         https://bugs.webkit.org/show_bug.cgi?id=196865
720
721         Reviewed by Filip Pizlo.
722
723         Function updates hold the assumption that a function can only be executed/cached
724         after its containing code block has already been cached. This assumption does
725         not hold if the UnlinkedCodeBlock is loaded from memory by the CodeCache, since
726         we might have two independent SourceProviders executing different paths of the
727         code and causing the same UnlinkedCodeBlock to be modified in memory.
728         Use a RefPtr instead of Ref for m_cachedBytecode in ShellSourceProvider to distinguish
729         between a new, empty cache and a cache that was not loaded and therefore cannot be updated.
730
731         * jsc.cpp:
732         (ShellSourceProvider::ShellSourceProvider):
733
734 2019-04-15  Saam barati  <sbarati@apple.com>
735
736         mergeOSREntryValue is wrong when the incoming value does not match up with the flush format
737         https://bugs.webkit.org/show_bug.cgi?id=196918
738
739         Reviewed by Yusuke Suzuki.
740
741         r244238 led to some debug failures because we were calling checkConsistency()
742         before doing fixTypeForRepresentation when merging in must handle values in
743         CFA. This patch fixes that.
744         
745         However, as I was reading over mergeOSREntryValue, I realized it was wrong. It
746         was possible it could merge in a value/type outside of the variable's flushed type.
747         Once the flush format types are locked in, we can't introduce a type out of
748         that range. This probably never led to any crashes as our profiling injection
749         and speculation decision code is solid. However, what we were doing is clearly
750         wrong, and something a fuzzer could have found if we fuzzed the must handle
751         values inside prediction injection. We should do that fuzzing:
752         https://bugs.webkit.org/show_bug.cgi?id=196924
753
754         * dfg/DFGAbstractValue.cpp:
755         (JSC::DFG::AbstractValue::mergeOSREntryValue):
756         * dfg/DFGAbstractValue.h:
757         * dfg/DFGCFAPhase.cpp:
758         (JSC::DFG::CFAPhase::injectOSR):
759
760 2019-04-15  Robin Morisset  <rmorisset@apple.com>
761
762         Several structures and enums in the Yarr interpreter can be shrunk
763         https://bugs.webkit.org/show_bug.cgi?id=196923
764
765         Reviewed by Saam Barati.
766
767         YarrOp: 88 -> 80
768         RegularExpression: 40 -> 32
769         ByteTerm: 56 -> 48
770         PatternTerm: 56 -> 48
771
772         * yarr/RegularExpression.cpp:
773         * yarr/YarrInterpreter.h:
774         * yarr/YarrJIT.cpp:
775         (JSC::Yarr::YarrGenerator::YarrOp::YarrOp):
776         * yarr/YarrParser.h:
777         * yarr/YarrPattern.h:
778
779 2019-04-15  Devin Rousso  <drousso@apple.com>
780
781         Web Inspector: REGRESSION(r244172): crash when trying to add extra domain while inspecting JSContext
782         https://bugs.webkit.org/show_bug.cgi?id=196925
783         <rdar://problem/49873994>
784
785         Reviewed by Joseph Pecoraro.
786
787         Move the logic for creating the `InspectorAgent` and `InspectorDebuggerAgent` into separate
788         functions so that callers can be guaranteed to have a valid instance of the agent.
789
790         * inspector/JSGlobalObjectInspectorController.h:
791         * inspector/JSGlobalObjectInspectorController.cpp:
792         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
793         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
794         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
795         (Inspector::JSGlobalObjectInspectorController::ensureInspectorAgent): Added.
796         (Inspector::JSGlobalObjectInspectorController::ensureDebuggerAgent): Added.
797         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
798
799 2019-04-14  Don Olmstead  <don.olmstead@sony.com>
800
801         [CMake] JavaScriptCore derived sources should only be referenced inside JavaScriptCore
802         https://bugs.webkit.org/show_bug.cgi?id=196742
803
804         Reviewed by Konstantin Tokarev.
805
806         Migrate to using JavaScriptCore_DERIVED_SOURCES_DIR instead of DERIVED_SOURCES_JAVASCRIPTCORE_DIR
807         to support moving the JavaScriptCore derived sources outside of a shared directory.
808
809         Also use JavaScriptCore_DERIVED_SOURCES_DIR instead of DERIVED_SOURCES_DIR.
810
811         * CMakeLists.txt:
812
813 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
814
815         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
816         https://bugs.webkit.org/show_bug.cgi?id=196880
817
818         Reviewed by Yusuke Suzuki.
819
820         CodeCache should not tell the SourceProvider to cache the bytecode if it failed
821         to create the UnlinkedCodeBlock.
822
823         * runtime/CodeCache.cpp:
824         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
825
826 2019-04-12  Saam barati  <sbarati@apple.com>
827
828         r244079 logically broke shouldSpeculateInt52
829         https://bugs.webkit.org/show_bug.cgi?id=196884
830
831         Reviewed by Yusuke Suzuki.
832
833         In r244079, I changed shouldSpeculateInt52 to only return true
834         when the prediction is isAnyInt52Speculation(). However, it was
835         wrong not to include SpecInt32 in this for two reasons:
836
837         1. We diligently write code that first checks if we should speculate Int32.
838         For example:
839         if (shouldSpeculateInt32()) ... 
840         else if (shouldSpeculateInt52()) ...
841
842         It would be wrong not to fall back to Int52 if we're dealing with the union of
843         Int32 and Int52.
844
845         It would be a performance mistake to not include Int32 here because
846         data flow can easily tell us that we have variables that are the union
847         of Int32 and Int52 values. It's better to speculate Int52 than Double
848         in that situation.
849
850         2. We also write code where we ask if the inputs can be Int52, e.g, if
851         we know via profiling that an Add overflows, we may not emit an Int32 add.
852         However, we only emit such an add if both inputs can be Int52, and Int32
853         can trivially become Int52.
854
855         This patch recovers the 0.5-1% regression r244079 caused on JetStream 2.
856
857         * bytecode/SpeculatedType.h:
858         (JSC::isInt32SpeculationForArithmetic):
859         (JSC::isInt32OrBooleanSpeculationForArithmetic):
860         (JSC::isInt32OrInt52Speculation):
861         * dfg/DFGFixupPhase.cpp:
862         (JSC::DFG::FixupPhase::observeUseKindOnNode):
863         * dfg/DFGNode.h:
864         (JSC::DFG::Node::shouldSpeculateInt52):
865         * dfg/DFGPredictionPropagationPhase.cpp:
866         * dfg/DFGVariableAccessData.cpp:
867         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
868
869 2019-04-12  Saam barati  <sbarati@apple.com>
870
871         Unreviewed. Build fix after r244233.
872
873         * assembler/CPU.cpp:
874
875 2019-04-12  Saam barati  <sbarati@apple.com>
876
877         Sometimes we need to use fewer CPUs in our threading calculations
878         https://bugs.webkit.org/show_bug.cgi?id=196794
879         <rdar://problem/49389497>
880
881         Reviewed by Yusuke Suzuki.
882
883         * JavaScriptCore.xcodeproj/project.pbxproj:
884         * Sources.txt:
885         * assembler/CPU.cpp: Added.
886         (JSC::isKernTCSMAvailable):
887         (JSC::enableKernTCSM):
888         (JSC::kernTCSMAwareNumberOfProcessorCores):
889         * assembler/CPU.h:
890         (JSC::isKernTCSMAvailable):
891         (JSC::enableKernTCSM):
892         (JSC::kernTCSMAwareNumberOfProcessorCores):
893         * heap/MachineStackMarker.h:
894         (JSC::MachineThreads::addCurrentThread):
895         * runtime/JSLock.cpp:
896         (JSC::JSLock::didAcquireLock):
897         * runtime/Options.cpp:
898         (JSC::computeNumberOfWorkerThreads):
899         (JSC::computePriorityDeltaOfWorkerThreads):
900         * wasm/WasmWorklist.cpp:
901         (JSC::Wasm::Worklist::Worklist):
902
903 2019-04-12  Robin Morisset  <rmorisset@apple.com>
904
905         Use padding at end of ArrayBuffer
906         https://bugs.webkit.org/show_bug.cgi?id=196823
907
908         Reviewed by Filip Pizlo.
909
910         * runtime/ArrayBuffer.h:
911
912 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
913
914         [JSC] op_has_indexed_property should not assume subscript part is Uint32
915         https://bugs.webkit.org/show_bug.cgi?id=196850
916
917         Reviewed by Saam Barati.
918
919         op_has_indexed_property assumed that the subscript part is always Uint32. However, this is just a load from a non-constant RegisterID;
920         the DFG can store it in double format and can perform OSR exit. op_has_indexed_property should not assume that.
921         In this patch, instead, we check it with isAnyInt and get uint32_t from AnyInt.
922
923         * jit/JITOpcodes.cpp:
924         (JSC::JIT::emit_op_has_indexed_property):
925         * jit/JITOpcodes32_64.cpp:
926         (JSC::JIT::emit_op_has_indexed_property):
927         * jit/JITOperations.cpp:
928         * runtime/CommonSlowPaths.cpp:
929         (JSC::SLOW_PATH_DECL):
930
931 2019-04-11  Saam barati  <sbarati@apple.com>
932
933         Remove invalid assertion in operationInstanceOfCustom
934         https://bugs.webkit.org/show_bug.cgi?id=196842
935         <rdar://problem/49725493>
936
937         Reviewed by Michael Saboff.
938
939         In the generated JIT code, we go to the slow path when the incoming function
940         isn't the Node's CodeOrigin's functionProtoHasInstanceSymbolFunction. However,
941         in the JIT operation, we were asserting against exec->lexicalGlobalObject()'s
942         functionProtoHasInstanceSymbolFunction. That assertion might be wrong when
943         inlining across global objects as exec->lexicalGlobalObject() uses the machine
944         frame for procuring the global object. There is no harm when this assertion fails
945         as we just execute the slow path. This patch removes the assertion. (However, this
946         does shed light on the deficiency in our exec->lexicalGlobalObject() function with
947         respect to inlining. However, this isn't new -- we've known about this for a while.)
948
949         * jit/JITOperations.cpp:
950
951 2019-04-11  Michael Saboff  <msaboff@apple.com>
952
953         Improve the Inline Cache Stats code
954         https://bugs.webkit.org/show_bug.cgi?id=196836
955
956         Reviewed by Saam Barati.
957
958         Needed to handle the case where the Identifier could be null, for example with InstanceOfAddAccessCase
959         and InstanceOfReplaceWithJump.
960
961         Added the ability to log the location of a GetBy and PutBy property as either on self or up the
962         protocol chain.
963
964         * jit/ICStats.cpp:
965         (JSC::ICEvent::operator< const):
966         (JSC::ICEvent::dump const):
967         * jit/ICStats.h:
968         (JSC::ICEvent::ICEvent):
969         (JSC::ICEvent::hash const):
970         * jit/JITOperations.cpp:
971         * jit/Repatch.cpp:
972         (JSC::tryCacheGetByID):
973         (JSC::tryCachePutByID):
974         (JSC::tryCacheInByID):
975
976 2019-04-11  Devin Rousso  <drousso@apple.com>
977
978         Web Inspector: Timelines: can't reliably stop/start a recording
979         https://bugs.webkit.org/show_bug.cgi?id=196778
980         <rdar://problem/47606798>
981
982         Reviewed by Timothy Hatcher.
983
984         * inspector/protocol/ScriptProfiler.json:
985         * inspector/protocol/Timeline.json:
986         It is possible to determine when programmatic capturing starts/stops in the frontend based
987         on the state when the backend causes the state to change, such as if the state is "inactive"
988         when the frontend is told that the backend has started capturing.
989
990         * inspector/protocol/CPUProfiler.json:
991         * inspector/protocol/Memory.json:
992         Send an end timestamp to match other instruments.
993
994         * inspector/JSGlobalObjectConsoleClient.cpp:
995         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
996         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
997
998         * inspector/agents/InspectorScriptProfilerAgent.h:
999         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1000         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1001         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
1002         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
1003
1004 2019-04-11  Saam barati  <sbarati@apple.com>
1005
1006         Rename SetArgument to SetArgumentDefinitely
1007         https://bugs.webkit.org/show_bug.cgi?id=196828
1008
1009         Reviewed by Yusuke Suzuki.
1010
1011         This is in preparation for https://bugs.webkit.org/show_bug.cgi?id=196712
1012         where we will introduce a node named SetArgumentMaybe. Doing this refactoring
1013         first will make reviewing that other patch easier.
1014
1015         * dfg/DFGAbstractInterpreterInlines.h:
1016         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1017         * dfg/DFGByteCodeParser.cpp:
1018         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1019         (JSC::DFG::ByteCodeParser::parseBlock):
1020         * dfg/DFGCPSRethreadingPhase.cpp:
1021         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1022         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1023         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1024         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1025         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
1026         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1027         (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
1028         * dfg/DFGClobberize.h:
1029         (JSC::DFG::clobberize):
1030         * dfg/DFGCommon.h:
1031         * dfg/DFGDoesGC.cpp:
1032         (JSC::DFG::doesGC):
1033         * dfg/DFGFixupPhase.cpp:
1034         (JSC::DFG::FixupPhase::fixupNode):
1035         * dfg/DFGGraph.cpp:
1036         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1037         * dfg/DFGGraph.h:
1038         * dfg/DFGInPlaceAbstractState.cpp:
1039         (JSC::DFG::InPlaceAbstractState::initialize):
1040         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1041         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1042         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1043         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1044         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1045         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1046         * dfg/DFGMayExit.cpp:
1047         * dfg/DFGNode.cpp:
1048         (JSC::DFG::Node::hasVariableAccessData):
1049         * dfg/DFGNode.h:
1050         (JSC::DFG::Node::convertPhantomToPhantomLocal):
1051         * dfg/DFGNodeType.h:
1052         * dfg/DFGOSREntrypointCreationPhase.cpp:
1053         (JSC::DFG::OSREntrypointCreationPhase::run):
1054         * dfg/DFGPhantomInsertionPhase.cpp:
1055         * dfg/DFGPredictionPropagationPhase.cpp:
1056         * dfg/DFGSSAConversionPhase.cpp:
1057         (JSC::DFG::SSAConversionPhase::run):
1058         * dfg/DFGSafeToExecute.h:
1059         (JSC::DFG::safeToExecute):
1060         * dfg/DFGSpeculativeJIT.cpp:
1061         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1062         * dfg/DFGSpeculativeJIT32_64.cpp:
1063         (JSC::DFG::SpeculativeJIT::compile):
1064         * dfg/DFGSpeculativeJIT64.cpp:
1065         (JSC::DFG::SpeculativeJIT::compile):
1066         * dfg/DFGTypeCheckHoistingPhase.cpp:
1067         (JSC::DFG::TypeCheckHoistingPhase::run):
1068         * dfg/DFGValidate.cpp:
1069         * ftl/FTLCapabilities.cpp:
1070         (JSC::FTL::canCompile):
1071
1072 2019-04-11  Truitt Savell  <tsavell@apple.com>
1073
1074         Unreviewed, rolling out r244158.
1075
1076         Caused 8 inspector/timeline/ test failures.
1077
1078         Reverted changeset:
1079
1080         "Web Inspector: Timelines: can't reliably stop/start a
1081         recording"
1082         https://bugs.webkit.org/show_bug.cgi?id=196778
1083         https://trac.webkit.org/changeset/244158
1084
1085 2019-04-10  Saam Barati  <sbarati@apple.com>
1086
1087         AbstractValue::validateOSREntryValue is wrong for Int52 constants
1088         https://bugs.webkit.org/show_bug.cgi?id=196801
1089         <rdar://problem/49771122>
1090
1091         Reviewed by Yusuke Suzuki.
1092
1093         validateOSREntryValue should not care about the format of the incoming
1094         value for Int52s. This patch normalizes the format of m_value and
1095         the incoming value when comparing them.
1096
1097         * dfg/DFGAbstractValue.h:
1098         (JSC::DFG::AbstractValue::validateOSREntryValue const):
1099
1100 2019-04-10  Saam Barati  <sbarati@apple.com>
1101
1102         ArithSub over Int52 has shouldCheckOverflow as always true
1103         https://bugs.webkit.org/show_bug.cgi?id=196796
1104
1105         Reviewed by Yusuke Suzuki.
1106
1107         AI was checking for ArithSub over Int52 if !shouldCheckOverflow. However,
1108         shouldCheckOverflow is always true, so !shouldCheckOverflow is always
1109         false. We shouldn't check something we assert against.
1110
1111         * dfg/DFGAbstractInterpreterInlines.h:
1112         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1113
1114 2019-04-10  Basuke Suzuki  <basuke.suzuki@sony.com>
1115
1116         [PlayStation] Specify byte order clearly on Remote Inspector Protocol
1117         https://bugs.webkit.org/show_bug.cgi?id=196790
1118
1119         Reviewed by Ross Kirsling.
1120
1121         The original implementation lacks a byte order specification. Network byte order is a
1122         good candidate if there's no strong reason to choose another.
1123         Currently no client exists for the PlayStation remote inspector protocol, so we can
1124         change the byte order without care.
1125
1126         * inspector/remote/playstation/RemoteInspectorMessageParserPlayStation.cpp:
1127         (Inspector::MessageParser::createMessage):
1128         (Inspector::MessageParser::parse):
1129
1130 2019-04-10  Devin Rousso  <drousso@apple.com>
1131
1132         Web Inspector: Inspector: lazily create the agent
1133         https://bugs.webkit.org/show_bug.cgi?id=195971
1134         <rdar://problem/49039645>
1135
1136         Reviewed by Joseph Pecoraro.
1137
1138         * inspector/JSGlobalObjectInspectorController.cpp:
1139         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1140         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1141         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
1142         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
1143
1144         * inspector/agents/InspectorAgent.h:
1145         * inspector/agents/InspectorAgent.cpp:
1146
1147 2019-04-10  Saam Barati  <sbarati@apple.com>
1148
1149         Work around an arm64_32 LLVM miscompile bug
1150         https://bugs.webkit.org/show_bug.cgi?id=196788
1151
1152         Reviewed by Yusuke Suzuki.
1153
1154         * runtime/CachedTypes.cpp:
1155
1156 2019-04-10  Devin Rousso  <drousso@apple.com>
1157
1158         Web Inspector: Timelines: can't reliably stop/start a recording
1159         https://bugs.webkit.org/show_bug.cgi?id=196778
1160         <rdar://problem/47606798>
1161
1162         Reviewed by Timothy Hatcher.
1163
1164         * inspector/protocol/ScriptProfiler.json:
1165         * inspector/protocol/Timeline.json:
1166         It is possible to determine when programmatic capturing starts/stops in the frontend based
1167         on the state when the backend causes the state to change, such as if the state is "inactive"
1168         when the frontend is told that the backend has started capturing.
1169
1170         * inspector/protocol/CPUProfiler.json:
1171         * inspector/protocol/Memory.json:
1172         Send an end timestamp to match other instruments.
1173
1174         * inspector/JSGlobalObjectConsoleClient.cpp:
1175         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
1176         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
1177
1178         * inspector/agents/InspectorScriptProfilerAgent.h:
1179         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1180         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1181         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
1182         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
1183
1184 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
1185
1186         Unreviewed, fix watch build after r244143
1187         https://bugs.webkit.org/show_bug.cgi?id=195000
1188
1189         The result of `lseek` should be `off_t` rather than `int`.
1190
1191         * jsc.cpp:
1192
1193 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
1194
1195         Add support for incremental bytecode cache updates
1196         https://bugs.webkit.org/show_bug.cgi?id=195000
1197
1198         Reviewed by Filip Pizlo.
1199
1200         Add support for incremental updates to the bytecode cache. The cache
1201         is constructed as follows:
1202         - When the cache is empty, the initial payload can be added to the BytecodeCache
1203         by calling BytecodeCache::addGlobalUpdate. This represents the encoded
1204         top-level UnlinkedCodeBlock.
1205         - Afterwards, updates can be added by calling BytecodeCache::addFunctionUpdate.
1206         The update is applied by appending the encoded UnlinkedFunctionCodeBlock
1207         to the existing cache and updating the CachedFunctionExecutableMetadata
1208         and the offset of the new CachedFunctionCodeBlock in the owner CachedFunctionExecutable.
1209
1210         * API/JSScript.mm:
1211         (-[JSScript readCache]):
1212         (-[JSScript isUsingBytecodeCache]):
1213         (-[JSScript init]):
1214         (-[JSScript cachedBytecode]):
1215         (-[JSScript writeCache:]):
1216         * API/JSScriptInternal.h:
1217         * API/JSScriptSourceProvider.h:
1218         * API/JSScriptSourceProvider.mm:
1219         (JSScriptSourceProvider::cachedBytecode const):
1220         * CMakeLists.txt:
1221         * JavaScriptCore.xcodeproj/project.pbxproj:
1222         * Sources.txt:
1223         * bytecode/UnlinkedFunctionExecutable.cpp:
1224         (JSC::generateUnlinkedFunctionCodeBlock):
1225         * jsc.cpp:
1226         (ShellSourceProvider::~ShellSourceProvider):
1227         (ShellSourceProvider::cachePath const):
1228         (ShellSourceProvider::loadBytecode const):
1229         (ShellSourceProvider::ShellSourceProvider):
1230         (ShellSourceProvider::cacheEnabled):
1231         * parser/SourceProvider.h:
1232         (JSC::SourceProvider::cachedBytecode const):
1233         (JSC::SourceProvider::updateCache const):
1234         (JSC::SourceProvider::commitCachedBytecode const):
1235         * runtime/CachePayload.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
1236         (JSC::CachePayload::makeMappedPayload):
1237         (JSC::CachePayload::makeMallocPayload):
1238         (JSC::CachePayload::makeEmptyPayload):
1239         (JSC::CachePayload::CachePayload):
1240         (JSC::CachePayload::~CachePayload):
1241         (JSC::CachePayload::operator=):
1242         (JSC::CachePayload::freeData):
1243         * runtime/CachePayload.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
1244         (JSC::CachePayload::data const):
1245         (JSC::CachePayload::size const):
1246         (JSC::CachePayload::CachePayload):
1247         * runtime/CacheUpdate.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
1248         (JSC::CacheUpdate::CacheUpdate):
1249         (JSC::CacheUpdate::operator=):
1250         (JSC::CacheUpdate::isGlobal const):
1251         (JSC::CacheUpdate::asGlobal const):
1252         (JSC::CacheUpdate::asFunction const):
1253         * runtime/CacheUpdate.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
1254         * runtime/CachedBytecode.cpp: Added.
1255         (JSC::CachedBytecode::addGlobalUpdate):
1256         (JSC::CachedBytecode::addFunctionUpdate):
1257         (JSC::CachedBytecode::copyLeafExecutables):
1258         (JSC::CachedBytecode::commitUpdates const):
1259         * runtime/CachedBytecode.h: Added.
1260         (JSC::CachedBytecode::create):
1261         (JSC::CachedBytecode::leafExecutables):
1262         (JSC::CachedBytecode::data const):
1263         (JSC::CachedBytecode::size const):
1264         (JSC::CachedBytecode::hasUpdates const):
1265         (JSC::CachedBytecode::sizeForUpdate const):
1266         (JSC::CachedBytecode::CachedBytecode):
1267         * runtime/CachedTypes.cpp:
1268         (JSC::Encoder::addLeafExecutable):
1269         (JSC::Encoder::release):
1270         (JSC::Decoder::Decoder):
1271         (JSC::Decoder::create):
1272         (JSC::Decoder::size const):
1273         (JSC::Decoder::offsetOf):
1274         (JSC::Decoder::ptrForOffsetFromBase):
1275         (JSC::Decoder::addLeafExecutable):
1276         (JSC::VariableLengthObject::VariableLengthObject):
1277         (JSC::VariableLengthObject::buffer const):
1278         (JSC::CachedPtrOffsets::offsetOffset):
1279         (JSC::CachedWriteBarrierOffsets::ptrOffset):
1280         (JSC::CachedFunctionExecutable::features const):
1281         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
1282         (JSC::CachedFunctionExecutableOffsets::codeBlockForCallOffset):
1283         (JSC::CachedFunctionExecutableOffsets::codeBlockForConstructOffset):
1284         (JSC::CachedFunctionExecutableOffsets::metadataOffset):
1285         (JSC::CachedFunctionExecutable::encode):
1286         (JSC::CachedFunctionExecutable::decode const):
1287         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1288         (JSC::encodeCodeBlock):
1289         (JSC::encodeFunctionCodeBlock):
1290         (JSC::decodeCodeBlockImpl):
1291         (JSC::isCachedBytecodeStillValid):
1292         * runtime/CachedTypes.h:
1293         (JSC::VariableLengthObjectBase::VariableLengthObjectBase):
1294         (JSC::decodeCodeBlock):
1295         * runtime/CodeCache.cpp:
1296         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1297         (JSC::CodeCache::updateCache):
1298         (JSC::CodeCache::write):
1299         (JSC::writeCodeBlock):
1300         (JSC::serializeBytecode):
1301         * runtime/CodeCache.h:
1302         (JSC::SourceCodeValue::SourceCodeValue):
1303         (JSC::CodeCacheMap::findCacheAndUpdateAge):
1304         (JSC::CodeCacheMap::fetchFromDiskImpl):
1305         * runtime/Completion.cpp:
1306         (JSC::generateProgramBytecode):
1307         (JSC::generateModuleBytecode):
1308         * runtime/Completion.h:
1309         * runtime/LeafExecutable.cpp: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
1310         (JSC::LeafExecutable::operator+ const):
1311         * runtime/LeafExecutable.h: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
1312         (JSC::LeafExecutable::LeafExecutable):
1313         (JSC::LeafExecutable::base const):
1314
1315 2019-04-10  Michael Catanzaro  <mcatanzaro@igalia.com>
1316
1317         Unreviewed, rolling out r243989.
1318
1319         Broke i686 builds
1320
1321         Reverted changeset:
1322
1323         "[CMake] Detect SSE2 at compile time"
1324         https://bugs.webkit.org/show_bug.cgi?id=196488
1325         https://trac.webkit.org/changeset/243989
1326
1327 2019-04-10  Robin Morisset  <rmorisset@apple.com>
1328
1329         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
1330         https://bugs.webkit.org/show_bug.cgi?id=196746
1331
1332         Reviewed by Yusuke Suzuki.
1333
1334         It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.
1335
1336         * runtime/ObjectConstructor.cpp:
1337         (JSC::defineProperties):
1338
1339 2019-04-10  Antoine Quint  <graouts@apple.com>
1340
1341         Enable Pointer Events on watchOS
1342         https://bugs.webkit.org/show_bug.cgi?id=196771
1343         <rdar://problem/49040909>
1344
1345         Reviewed by Dean Jackson.
1346
1347         * Configurations/FeatureDefines.xcconfig:
1348
1349 2019-04-09  Keith Rollin  <krollin@apple.com>
1350
1351         Unreviewed build maintenance -- update .xcfilelists.
1352
1353         * DerivedSources-input.xcfilelist:
1354
1355 2019-04-09  Ross Kirsling  <ross.kirsling@sony.com>
1356
1357         JSC should build successfully even with -DENABLE_UNIFIED_BUILDS=OFF
1358         https://bugs.webkit.org/show_bug.cgi?id=193073
1359
1360         Reviewed by Keith Miller.
1361
1362         * bytecompiler/BytecodeGenerator.cpp:
1363         (JSC::BytecodeGenerator::emitEqualityOpImpl):
1364         (JSC::BytecodeGenerator::emitEqualityOp): Deleted.
1365         * bytecompiler/BytecodeGenerator.h:
1366         (JSC::BytecodeGenerator::emitEqualityOp):
1367         Factor out the logic that uses the template parameter and keep it in the header.
1368
1369         * jit/JITPropertyAccess.cpp:
1370         List off the template specializations needed by JITOperations.cpp.
1371         This is unfortunate but at least there are only two (x2) by definition?
1372         Trying to do away with this incurs a severe domino effect...
1373
1374         * API/JSValueRef.cpp:
1375         * b3/B3OptimizeAssociativeExpressionTrees.cpp:
1376         * b3/air/AirHandleCalleeSaves.cpp:
1377         * builtins/BuiltinNames.cpp:
1378         * bytecode/AccessCase.cpp:
1379         * bytecode/BytecodeIntrinsicRegistry.cpp:
1380         * bytecode/BytecodeIntrinsicRegistry.h:
1381         * bytecode/BytecodeRewriter.cpp:
1382         * bytecode/BytecodeUseDef.h:
1383         * bytecode/CodeBlock.cpp:
1384         * bytecode/InstanceOfAccessCase.cpp:
1385         * bytecode/MetadataTable.cpp:
1386         * bytecode/PolyProtoAccessChain.cpp:
1387         * bytecode/StructureSet.cpp:
1388         * bytecompiler/NodesCodegen.cpp:
1389         * dfg/DFGCFAPhase.cpp:
1390         * dfg/DFGPureValue.cpp:
1391         * heap/GCSegmentedArray.h:
1392         * heap/HeapInlines.h:
1393         * heap/IsoSubspace.cpp:
1394         * heap/LocalAllocator.cpp:
1395         * heap/LocalAllocator.h:
1396         * heap/LocalAllocatorInlines.h:
1397         * heap/MarkingConstraintSolver.cpp:
1398         * inspector/ScriptArguments.cpp:
1399         (Inspector::ScriptArguments::isEqual const):
1400         * inspector/ScriptCallStackFactory.cpp:
1401         * interpreter/CallFrame.h:
1402         * interpreter/Interpreter.cpp:
1403         * interpreter/StackVisitor.cpp:
1404         * llint/LLIntEntrypoint.cpp:
1405         * runtime/ArrayIteratorPrototype.cpp:
1406         * runtime/BigIntPrototype.cpp:
1407         * runtime/CachedTypes.cpp:
1408         * runtime/ErrorType.cpp:
1409         * runtime/IndexingType.cpp:
1410         * runtime/JSCellInlines.h:
1411         * runtime/JSImmutableButterfly.h:
1412         * runtime/Operations.h:
1413         * runtime/RegExpCachedResult.cpp:
1414         * runtime/RegExpConstructor.cpp:
1415         * runtime/RegExpGlobalData.cpp:
1416         * runtime/StackFrame.h:
1417         * wasm/WasmSignature.cpp:
1418         * wasm/js/JSToWasm.cpp:
1419         * wasm/js/JSToWasmICCallee.cpp:
1420         * wasm/js/WebAssemblyFunction.h:
1421         Fix includes / forward declarations (and a couple of nearby clang warnings).
1422
1423 2019-04-09  Don Olmstead  <don.olmstead@sony.com>
1424
1425         [CMake] Apple builds should use ICU_INCLUDE_DIRS
1426         https://bugs.webkit.org/show_bug.cgi?id=196720
1427
1428         Reviewed by Konstantin Tokarev.
1429
1430         * PlatformMac.cmake:
1431
1432 2019-04-09  Saam barati  <sbarati@apple.com>
1433
1434         Clean up Int52 code and some bugs in it
1435         https://bugs.webkit.org/show_bug.cgi?id=196639
1436         <rdar://problem/49515757>
1437
1438         Reviewed by Yusuke Suzuki.
1439
1440         This patch fixes bugs in our Int52 code. The primary change in this patch is
1441         adopting a segregated type lattice for Int52. Previously, for Int52 values,
1442         we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
1443         SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
1444         that the value is outside of the int32 range.
1445         
1446         However, this got confusing because we reused SpecInt32Only both for JSValue
1447         representations and Int52 representations. This actually led to some bugs.
1448         
1449         1. It's possible that roundtripping through Int52 representation would say
1450         it produces the wrong type. For example, consider this program and how we
1451         used to annotate types in AI:
1452         a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
1453         b: Int52Rep(@a) => m_type is SpecInt52Only
1454         c: ValueRep(@b) => m_type is SpecAnyIntAsDouble
1455         
1456         In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
1457         However, the execution semantics are such that it'd actually produce a boxed
1458         Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
1459         would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
1460         mean an int value in either int32 or int52 range.
1461         
1462         2. AbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it
1463         accepted Int52 values. It was wrong in two different ways:
1464         a: If the AbstractValue's type was SpecInt52Only, and the incoming value
1465         was a boxed double, but represented a value in int32 range, the incoming
1466         value would incorrectly validate as being acceptable. However, we should
1467         have rejected this value.
1468         b: If the AbstractValue's type was SpecInt32Only, and the incoming value
1469         was an Int32 boxed in a double, this would not validate, even though
1470         it should have validated.
1471         
1472         Solving 2 was easiest if we segregated out the Int52 type into its own
1473         lattice. This patch makes a new Int52 lattice, which is composed of
1474         SpecInt32AsInt52 and SpecNonInt32AsInt52.
1475         
1476         The conversion rules are now really simple.
1477         
1478         Int52 rep => JSValue rep
1479         SpecInt32AsInt52 => SpecInt32Only
1480         SpecNonInt32AsInt52 => SpecAnyIntAsDouble
1481         
1482         JSValue rep => Int52 rep
1483         SpecInt32Only => SpecInt32AsInt52
1484         SpecAnyIntAsDouble => SpecInt52Any
1485         
1486         With these rules, the program in (1) will now correctly report that @c
1487         returns SpecInt32Only | SpecAnyIntAsDouble.
1488
1489         * bytecode/SpeculatedType.cpp:
1490         (JSC::dumpSpeculation):
1491         (JSC::speculationToAbbreviatedString):
1492         (JSC::int52AwareSpeculationFromValue):
1493         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
1494         (JSC::speculationFromString):
1495         * bytecode/SpeculatedType.h:
1496         (JSC::isInt32SpeculationForArithmetic):
1497         (JSC::isInt32OrBooleanSpeculationForArithmetic):
1498         (JSC::isAnyInt52Speculation):
1499         (JSC::isIntAnyFormat):
1500         (JSC::isInt52Speculation): Deleted.
1501         (JSC::isAnyIntSpeculation): Deleted.
1502         * dfg/DFGAbstractInterpreterInlines.h:
1503         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1504         * dfg/DFGAbstractValue.cpp:
1505         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
1506         (JSC::DFG::AbstractValue::checkConsistency const):
1507         * dfg/DFGAbstractValue.h:
1508         (JSC::DFG::AbstractValue::isInt52Any const):
1509         (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
1510         * dfg/DFGFixupPhase.cpp:
1511         (JSC::DFG::FixupPhase::fixupArithMul):
1512         (JSC::DFG::FixupPhase::fixupNode):
1513         (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
1514         (JSC::DFG::FixupPhase::fixupToThis):
1515         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
1516         (JSC::DFG::FixupPhase::observeUseKindOnNode):
1517         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
1518         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
1519         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
1520         (JSC::DFG::FixupPhase::fixupChecksInBlock):
1521         * dfg/DFGGraph.h:
1522         (JSC::DFG::Graph::addShouldSpeculateInt52):
1523         (JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
1524         (JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
1525         (JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
1526         (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
1527         (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.
1528         * dfg/DFGNode.h:
1529         (JSC::DFG::Node::shouldSpeculateInt52):
1530         (JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.
1531         * dfg/DFGPredictionPropagationPhase.cpp:
1532         * dfg/DFGSpeculativeJIT.cpp:
1533         (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
1534         (JSC::DFG::SpeculativeJIT::compileArithAdd):
1535         (JSC::DFG::SpeculativeJIT::compileArithSub):
1536         (JSC::DFG::SpeculativeJIT::compileArithNegate):
1537         * dfg/DFGSpeculativeJIT64.cpp:
1538         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1539         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1540         * dfg/DFGUseKind.h:
1541         (JSC::DFG::typeFilterFor):
1542         * dfg/DFGVariableAccessData.cpp:
1543         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
1544         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
1545         * ftl/FTLLowerDFGToB3.cpp:
1546         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
1547         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
1548         (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):
1549
1550 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
1551
1552         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
1553         https://bugs.webkit.org/show_bug.cgi?id=196708
1554         <rdar://problem/49556803>
1555
1556         Reviewed by Yusuke Suzuki.
1557
1558         `operationPutToScope` needs to return early if an exception is thrown while
1559         checking if `hasProperty`.
1560
1561         * jit/JITOperations.cpp:
1562
1563 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1564
1565         [JSC] DFG should respect node's strict flag
1566         https://bugs.webkit.org/show_bug.cgi?id=196617
1567
1568         Reviewed by Saam Barati.
1569
1570         We accidentally use codeBlock->isStrictMode() directly in DFG and FTL. But this is wrong since this CodeBlock is the top level DFG/FTL CodeBlock,
1571         and this code does not respect the isStrictMode flag for the inlined CodeBlocks. In this patch, we start using isStrictModeFor(CodeOrigin) consistently
1572         in DFG and FTL to get the right isStrictMode flag for the DFG node.
1573         And we also split compilePutDynamicVar into compilePutDynamicVarStrict and compilePutDynamicVarNonStrict since (1) it is cleaner than accessing inlined
1574         callframe in the operation function, and (2) it is aligned to the other functions like operationPutByValDirectNonStrict etc.
1575         This bug is discovered by RandomizingFuzzerAgent by expanding the DFG coverage.
1576
1577         * dfg/DFGAbstractInterpreterInlines.h:
1578         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1579         * dfg/DFGConstantFoldingPhase.cpp:
1580         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1581         * dfg/DFGFixupPhase.cpp:
1582         (JSC::DFG::FixupPhase::fixupToThis):
1583         * dfg/DFGOperations.cpp:
1584         * dfg/DFGOperations.h:
1585         * dfg/DFGPredictionPropagationPhase.cpp:
1586         * dfg/DFGSpeculativeJIT.cpp:
1587         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1588         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1589         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
1590         (JSC::DFG::SpeculativeJIT::compileToThis):
1591         * dfg/DFGSpeculativeJIT32_64.cpp:
1592         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
1593         (JSC::DFG::SpeculativeJIT::compile):
1594         * dfg/DFGSpeculativeJIT64.cpp:
1595         (JSC::DFG::SpeculativeJIT::compile):
1596         * ftl/FTLLowerDFGToB3.cpp:
1597         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1598         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
1599
1600 2019-04-08  Don Olmstead  <don.olmstead@sony.com>
1601
1602         [CMake][WinCairo] Separate copied headers into different directories
1603         https://bugs.webkit.org/show_bug.cgi?id=196655
1604
1605         Reviewed by Michael Catanzaro.
1606
1607         * CMakeLists.txt:
1608         * shell/PlatformWin.cmake:
1609
1610 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1611
1612         [JSC] isRope jump in StringSlice should not jump over register allocations
1613         https://bugs.webkit.org/show_bug.cgi?id=196716
1614
1615         Reviewed by Saam Barati.
1616
1617         Jumping over the register allocation code in DFG (like the following) is wrong.
1618
1619             auto jump = m_jit.branchXXX();
1620             {
1621                 GPRTemporary reg(this);
1622                 GPRReg regGPR = reg.gpr();
1623                 ...
1624             }
1625             jump.link(&m_jit);
1626
1627         When GPRTemporary::gpr allocates a new register, it can flush the previous register value into the stack and make the register usable.
1628         Jumping over this register allocation code skips the flushing code, and makes the DFG's stack and register content tracking inconsistent:
1629         DFG thinks that the content is flushed and stored in particular stack slot even while this flushing code is skipped.
1630         In this patch, we perform register allocations before jumping to the slow path based on `isRope` condition in StringSlice.
1631
1632         * dfg/DFGSpeculativeJIT.cpp:
1633         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1634
1635 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1636
1637         [JSC] to_index_string should not assume incoming value is Uint32
1638         https://bugs.webkit.org/show_bug.cgi?id=196713
1639
1640         Reviewed by Saam Barati.
1641
1642         The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
1643         this assumption since DFG may decide we should have it in double format. This patch removes this
1644         assumption, and instead, we should assume that the incoming value is AnyInt and that its range
1645         is within Uint32.
1646
1647         * runtime/CommonSlowPaths.cpp:
1648         (JSC::SLOW_PATH_DECL):
1649
1650 2019-04-08  Justin Fan  <justin_fan@apple.com>
1651
1652         [Web GPU] Fix Web GPU experimental feature on iOS
1653         https://bugs.webkit.org/show_bug.cgi?id=196632
1654
1655         Reviewed by Myles C. Maxfield.
1656
1657         Properly make Web GPU available on iOS 11+.
1658
1659         * Configurations/FeatureDefines.xcconfig:
1660         * Configurations/WebKitTargetConditionals.xcconfig:
1661
1662 2019-04-08  Ross Kirsling  <ross.kirsling@sony.com>
1663
1664         -f[no-]var-tracking-assignments is GCC-only
1665         https://bugs.webkit.org/show_bug.cgi?id=196699
1666
1667         Reviewed by Don Olmstead.
1668
1669         * CMakeLists.txt:
1670         Just remove the build flag altogether -- it supposedly doesn't solve the problem it was meant to
1671         and said problem evidently no longer occurs as of GCC 9.
1672
1673 2019-04-08  Saam Barati  <sbarati@apple.com>
1674
1675         WebAssembly.RuntimeError missing exception check
1676         https://bugs.webkit.org/show_bug.cgi?id=196700
1677         <rdar://problem/49693932>
1678
1679         Reviewed by Yusuke Suzuki.
1680
1681         * wasm/js/JSWebAssemblyRuntimeError.h:
1682         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1683         (JSC::constructJSWebAssemblyRuntimeError):
1684
1685 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
1686
1687         Unreviewed, rolling in r243948 with test fix
1688         https://bugs.webkit.org/show_bug.cgi?id=196486
1689
1690         * parser/ASTBuilder.h:
1691         (JSC::ASTBuilder::createString):
1692         * parser/Lexer.cpp:
1693         (JSC::Lexer<T>::parseMultilineComment):
1694         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
1695         (JSC::Lexer<T>::lex): Deleted.
1696         * parser/Lexer.h:
1697         (JSC::Lexer::hasLineTerminatorBeforeToken const):
1698         (JSC::Lexer::setHasLineTerminatorBeforeToken):
1699         (JSC::Lexer<T>::lex):
1700         (JSC::Lexer::prevTerminator const): Deleted.
1701         (JSC::Lexer::setTerminator): Deleted.
1702         * parser/Parser.cpp:
1703         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
1704         (JSC::Parser<LexerType>::parseSingleFunction):
1705         (JSC::Parser<LexerType>::parseStatementListItem):
1706         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
1707         (JSC::Parser<LexerType>::parseFunctionInfo):
1708         (JSC::Parser<LexerType>::parseClass):
1709         (JSC::Parser<LexerType>::parseExportDeclaration):
1710         (JSC::Parser<LexerType>::parseAssignmentExpression):
1711         (JSC::Parser<LexerType>::parseYieldExpression):
1712         (JSC::Parser<LexerType>::parseProperty):
1713         (JSC::Parser<LexerType>::parsePrimaryExpression):
1714         (JSC::Parser<LexerType>::parseMemberExpression):
1715         * parser/Parser.h:
1716         (JSC::Parser::nextWithoutClearingLineTerminator):
1717         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
1718         (JSC::Parser::internalSaveLexerState):
1719         (JSC::Parser::restoreLexerState):
1720
1721 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
1722
1723         Unreviewed, rolling out r243948.
1724
1725         Caused inspector/runtime/parse.html to fail
1726
1727         Reverted changeset:
1728
1729         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
1730         https://bugs.webkit.org/show_bug.cgi?id=196486
1731         https://trac.webkit.org/changeset/243948
1732
1733 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
1734
1735         Unreviewed, rolling out r243943.
1736
1737         Caused test262 failures.
1738
1739         Reverted changeset:
1740
1741         "[JSC] Filter DontEnum properties in
1742         ProxyObject::getOwnPropertyNames()"
1743         https://bugs.webkit.org/show_bug.cgi?id=176810
1744         https://trac.webkit.org/changeset/243943
1745
1746 2019-04-08  Claudio Saavedra  <csaavedra@igalia.com>
1747
1748         [JSC] Partially fix the build with unified builds disabled
1749         https://bugs.webkit.org/show_bug.cgi?id=196647
1750
1751         Reviewed by Konstantin Tokarev.
1752
1753         If you disable unified builds you find all kinds of build
1754         errors. This partially tries to fix them but there's a lot
1755         more.
1756
1757         * API/JSBaseInternal.h:
1758         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
1759         * b3/air/AirHandleCalleeSaves.h:
1760         * bytecode/ExecutableToCodeBlockEdge.cpp:
1761         * bytecode/ExitFlag.h:
1762         * bytecode/ICStatusUtils.h:
1763         * bytecode/UnlinkedMetadataTable.h:
1764         * dfg/DFGPureValue.h:
1765         * heap/IsoAlignedMemoryAllocator.cpp:
1766         * heap/IsoAlignedMemoryAllocator.h:
1767
1768 2019-04-08  Guillaume Emont  <guijemont@igalia.com>
1769
1770         Enable DFG on MIPS
1771         https://bugs.webkit.org/show_bug.cgi?id=196689
1772
1773         Reviewed by Žan Doberšek.
1774
1775         Since the bytecode change, we enabled the baseline JIT on mips in
1776         r240432, but DFG is still missing. With this change, all tests are
1777         passing on a ci20 board.
1778
1779         * jit/RegisterSet.cpp:
1780         (JSC::RegisterSet::calleeSaveRegisters):
1781         Added s0, which is used in llint.
1782
1783 2019-04-08  Xan Lopez  <xan@igalia.com>
1784
1785         [CMake] Detect SSE2 at compile time
1786         https://bugs.webkit.org/show_bug.cgi?id=196488
1787
1788         Reviewed by Carlos Garcia Campos.
1789
1790         * assembler/MacroAssemblerX86Common.cpp: Remove unnecessary (and
1791         incorrect) static_assert.
1792
1793 2019-04-07  Michael Saboff  <msaboff@apple.com>
1794
1795         REGRESSION (r243642): Crash in reddit.com page
1796         https://bugs.webkit.org/show_bug.cgi?id=196684
1797
1798         Reviewed by Geoffrey Garen.
1799
1800         In r243642, the code that saves and restores the count for non-greedy character classes
1801         was inadvertently put inside an if statement.  This code should be generated for all
1802         non-greedy character classes.
1803
1804         * yarr/YarrJIT.cpp:
1805         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
1806         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1807
1808 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
1809
1810         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
1811         https://bugs.webkit.org/show_bug.cgi?id=196683
1812
1813         Reviewed by Saam Barati.
1814
1815         In r243626, we stop repatching CallLinkInfo when the CallLinkInfo is held by jettisoned CodeBlock.
1816         But we still need to clear the Callee or CodeBlock since they are now dead. Otherwise, CodeBlock's
1817         visitWeak eventually accesses these dead cells and crashes because the owner CodeBlock of CallLinkInfo
1818         can be still live.
1819
1820         We also move all repatching operations from CallLinkInfo.cpp to Repatch.cpp for consistency because the
1821         other repatching operations in CallLinkInfo are implemented in Repatch.cpp side.
1822
1823         * bytecode/CallLinkInfo.cpp:
1824         (JSC::CallLinkInfo::setCallee):
1825         (JSC::CallLinkInfo::clearCallee):
1826         * jit/Repatch.cpp:
1827         (JSC::linkFor):
1828         (JSC::revertCall):
1829
1830 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
1831
1832         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
1833         https://bugs.webkit.org/show_bug.cgi?id=196582
1834
1835         Reviewed by Saam Barati.
1836
1837         In DFG, our ArithAdd with overflow is executed speculatively, and we recover the value when overflow flag is set.
1838         The recovery is subtracting the operand from the destination to get the original two operands. Our recovery code
1839         handles A + B = A, A + B = B cases. But it misses A + A = A case (here, A and B are GPRReg). Our recovery code
1840         attempts to produce the original operand by performing A - A, and it always produces zero accidentally.
1841
1842         This patch adds the recovery code for the A + A = A case. Because we know that this ArithAdd overflows, and the operands were
1843         the same value, we can calculate the original operand from the destination value by `((int32_t)value >> 1) ^ 0x80000000`.
1844
1845         We also found that FTL recovery code is dead. We remove them in this patch.
1846
1847         * dfg/DFGOSRExit.cpp:
1848         (JSC::DFG::OSRExit::executeOSRExit):
1849         (JSC::DFG::OSRExit::compileExit):
1850         * dfg/DFGOSRExit.h:
1851         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
1852         * dfg/DFGSpeculativeJIT.cpp:
1853         (JSC::DFG::SpeculativeJIT::compileArithAdd):
1854         * ftl/FTLExitValue.cpp:
1855         (JSC::FTL::ExitValue::dataFormat const):
1856         (JSC::FTL::ExitValue::dumpInContext const):
1857         * ftl/FTLExitValue.h:
1858         (JSC::FTL::ExitValue::isArgument const):
1859         (JSC::FTL::ExitValue::hasIndexInStackmapLocations const):
1860         (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset):
1861         (JSC::FTL::ExitValue::recovery): Deleted.
1862         (JSC::FTL::ExitValue::isRecovery const): Deleted.
1863         (JSC::FTL::ExitValue::leftRecoveryArgument const): Deleted.
1864         (JSC::FTL::ExitValue::rightRecoveryArgument const): Deleted.
1865         (JSC::FTL::ExitValue::recoveryFormat const): Deleted.
1866         (JSC::FTL::ExitValue::recoveryOpcode const): Deleted.
1867         * ftl/FTLLowerDFGToB3.cpp:
1868         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1869         (JSC::FTL::DFG::LowerDFGToB3::preparePatchpointForExceptions):
1870         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
1871         (JSC::FTL::DFG::LowerDFGToB3::exitValueForNode):
1872         (JSC::FTL::DFG::LowerDFGToB3::addAvailableRecovery): Deleted.
1873         * ftl/FTLOSRExitCompiler.cpp:
1874         (JSC::FTL::compileRecovery):
1875
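        The recovery arithmetic described in the entry above, as an added worked example that is not JSC's own code: a 32-bit add that wraps and reports overflow the way the speculative ArithAdd does, the subtract-based recovery for the A + B = A and A + B = B cases, the `((int32_t)value >> 1) ^ 0x80000000` recovery for A + A = A, and the old A - A recovery that always yields zero. The function names and the simulated overflow flag are assumptions made for this example; the formula itself comes from the entry.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Simulated 32-bit speculative add (stands in for the DFG's ArithAdd): the
 * destination receives the wrapped low 32 bits and the return value plays the
 * role of the CPU overflow flag. Hypothetical helper for this example. */
static bool add32_with_overflow(int32_t a, int32_t b, int32_t *dest)
{
    uint32_t sum = (uint32_t)a + (uint32_t)b;   /* wrapping, never UB */
    *dest = (int32_t)sum;
    /* Signed overflow iff both operands have one sign and the result the other. */
    return ((a ^ *dest) & (b ^ *dest)) < 0;
}

/* Recovery for A + B = A or A + B = B: subtract the operand that survived. */
static int32_t recover_sub(int32_t dest, int32_t survivor)
{
    return (int32_t)((uint32_t)dest - (uint32_t)survivor);
}

/* Recovery for A + A = A, the case the entry adds. After overflow the
 * destination holds 2A wrapped modulo 2^32, i.e. 2A - 2^32 or 2A + 2^32.
 * An arithmetic shift right by one gives A - 2^31 or A + 2^31, and flipping
 * the sign bit adds 2^31 modulo 2^32, which restores A in both cases.
 * (Right-shifting a negative int32_t is arithmetic on every mainstream
 * compiler, which is what the JIT relies on as well.) */
static int32_t recover_double(int32_t dest)
{
    return (int32_t)((uint32_t)(dest >> 1) ^ 0x80000000u);
}

/* The behaviour before the fix: A + A = A was handled as A + B = A with
 * B == dest, so the recovery computed dest - dest and always produced zero. */
static int32_t recover_double_buggy(int32_t dest)
{
    return recover_sub(dest, dest);
}

/* Round trip for the A + A = A pattern: add speculatively, and if the add
 * overflowed (the OSR exit case), reconstruct A from the clobbered register. */
static int32_t roundtrip_double(int32_t a)
{
    int32_t dest;
    if (!add32_with_overflow(a, a, &dest))
        return a;              /* no overflow, no exit, nothing to recover */
    return recover_double(dest);
}

int main(void)
{
    /* Constructed operands chosen so that A + A overflows in both directions. */
    const int32_t samples[] = { 0x60000000, -0x60000000, 0x7FFFFFFF, -0x40000000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t dest;
        bool overflowed = add32_with_overflow(samples[i], samples[i], &dest);
        printf("A=%11d dest=%11d overflow=%d fixed=%11d buggy=%d\n",
               samples[i], dest, overflowed, roundtrip_double(samples[i]),
               overflowed ? recover_double_buggy(dest) : samples[i]);
    }
    return 0;
}
```

Running it shows the fixed recovery returning the original operand for every overflowing input while the old path returns 0, which is exactly the wrong value the entry says the previous code produced.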
1876 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
1877
1878         Unreviewed, rolling out r243665.
1879
1880         Caused iOS JSC tests to exit with an exception.
1881
1882         Reverted changeset:
1883
1884         "Assertion failed in JSC::createError"
1885         https://bugs.webkit.org/show_bug.cgi?id=196305
1886         https://trac.webkit.org/changeset/243665
1887
1888 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
1889
1890         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
1891         https://bugs.webkit.org/show_bug.cgi?id=196486
1892
1893         Reviewed by Saam Barati.
1894
1895         When parsing a FunctionExpression / FunctionDeclaration etc., we use SyntaxChecker for the body of the function because we do not have any interest in the nodes of the body at that time.
1896         The nodes will be parsed with the ASTBuilder when the function itself is parsed for code generation. This worked well previously because all functions ended with "}" previously.
1897         SyntaxChecker lexes this "}" token, and parser restores the context back to ASTBuilder and continues parsing.
1898
1899         But now, we have ArrowFunctionExpression without braces `arrow => expr`. Let's consider the following code.
1900
1901                 arrow => expr
1902                 "string!"
1903
1904         We parse the arrow function's body with SyntaxChecker. At that time, we lex the "string!" token under the SyntaxChecker context. But this means that we may not build string content for this token
1905         since SyntaxChecker may not have interest in string content itself in certain cases. After the parser is back to ASTBuilder, we parse "string!" as ExpressionStatement with string constant,
1906         generate StringNode with non-built identifier (nullptr), and we accidentally create StringNode with nullptr.
1907
1908         This patch fixes this problem. The root cause of this problem is that the last token lexed in the previous context is used. We add lexCurrentTokenAgainUnderCurrentContext which will re-lex
1909         the current token under the current context (may be ASTBuilder). This should be done only when the caller's context is different from SyntaxChecker, which avoids unnecessary lexing.
1910         We leverage existing SavePoint mechanism to implement lexCurrentTokenAgainUnderCurrentContext cleanly.
1911
1912         And we also fix the bug in the existing SavePoint mechanism, which is shown in the attached test script. When we save LexerState, we do not save line terminator status. This patch also introduces
1913         lexWithoutClearingLineTerminator, which lexes the token without clearing line terminator status.
1914
1915         * parser/ASTBuilder.h:
1916         (JSC::ASTBuilder::createString):
1917         * parser/Lexer.cpp:
1918         (JSC::Lexer<T>::parseMultilineComment):
1919         (JSC::Lexer<T>::lexWithoutClearingLineTerminator): EOF token also should record offset information. This offset information is correctly handled in Lexer::setOffset too.
1920         (JSC::Lexer<T>::lex): Deleted.
1921         * parser/Lexer.h:
1922         (JSC::Lexer::hasLineTerminatorBeforeToken const):
1923         (JSC::Lexer::setHasLineTerminatorBeforeToken):
1924         (JSC::Lexer<T>::lex):
1925         (JSC::Lexer::prevTerminator const): Deleted.
1926         (JSC::Lexer::setTerminator): Deleted.
1927         * parser/Parser.cpp:
1928         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
1929         (JSC::Parser<LexerType>::parseSingleFunction):
1930         (JSC::Parser<LexerType>::parseStatementListItem):
1931         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
1932         (JSC::Parser<LexerType>::parseFunctionInfo):
1933         (JSC::Parser<LexerType>::parseClass):
1934         (JSC::Parser<LexerType>::parseExportDeclaration):
1935         (JSC::Parser<LexerType>::parseAssignmentExpression):
1936         (JSC::Parser<LexerType>::parseYieldExpression):
1937         (JSC::Parser<LexerType>::parseProperty):
1938         (JSC::Parser<LexerType>::parsePrimaryExpression):
1939         (JSC::Parser<LexerType>::parseMemberExpression):
1940         * parser/Parser.h:
1941         (JSC::Parser::nextWithoutClearingLineTerminator):
1942         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
1943         (JSC::Parser::internalSaveLexerState):
1944         (JSC::Parser::restoreLexerState):
1945
1946 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1947
1948         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1949         https://bugs.webkit.org/show_bug.cgi?id=176810
1950
1951         Reviewed by Saam Barati.
1952
1953         This adds conditional logic following the invariant checks, to perform
1954         filtering in common uses of getOwnPropertyNames.
1955
1956         While this would ideally only be done in JSPropertyNameEnumerator, adding
1957         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
1958         invariant that the EnumerationMode is properly followed.
1959
1960         * runtime/PropertyNameArray.h:
1961         (JSC::PropertyNameArray::reset):
1962         * runtime/ProxyObject.cpp:
1963         (JSC::ProxyObject::performGetOwnPropertyNames):
1964
1965 2019-04-05  Commit Queue  <commit-queue@webkit.org>
1966
1967         Unreviewed, rolling out r243833.
1968         https://bugs.webkit.org/show_bug.cgi?id=196645
1969
1970         This change breaks the build of the WPE and GTK ports (Requested by
1971         annulen on #webkit).
1972
1973         Reverted changeset:
1974
1975         "[CMake][WTF] Mirror XCode header directories"
1976         https://bugs.webkit.org/show_bug.cgi?id=191662
1977         https://trac.webkit.org/changeset/243833
1978
1979 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1980
1981         [JSC] throw if ownKeys Proxy trap result contains duplicate keys
1982         https://bugs.webkit.org/show_bug.cgi?id=185211
1983
1984         Reviewed by Saam Barati.
1985
1986         Implements the normative spec change in https://github.com/tc39/ecma262/pull/833
1987
1988         This involves tracking duplicate keys returned from the ownKeys trap in yet
1989         another HashTable, and may incur a minor performance penalty in some cases. This
1990         is not expected to significantly affect web performance.
1991
1992         * runtime/ProxyObject.cpp:
1993         (JSC::ProxyObject::performGetOwnPropertyNames):
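
The two Proxy [[OwnPropertyKeys]] rules from the entries above (DontEnum filtering and rejection of duplicate ownKeys results), observed from JavaScript as an added example; this is not WebKit code, and the handlers and key names are constructed for the example.

```javascript
// Added example (not WebKit code): the two Proxy [[OwnPropertyKeys]] rules
// from the entries above, observed from JavaScript. Handlers are constructed.

// Reports one key that is not on the target and describes it as non-enumerable
// (DontEnum). Reporting a configurable key that an extensible target lacks
// satisfies the Proxy invariants, so only the enumerability differs.
function makeFilteringProxy() {
  const target = { visible: 1 };
  return new Proxy(target, {
    ownKeys() {
      return ["visible", "hidden"];
    },
    getOwnPropertyDescriptor(t, key) {
      if (key === "hidden")
        return { value: 2, writable: true, enumerable: false, configurable: true };
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
  });
}

// Reflect.ownKeys hands back every key the trap returned; Object.keys and
// JSON.stringify must drop the non-enumerable one, which is the filtering the
// DontEnum entry adds to ProxyObject::performGetOwnPropertyNames.
function keysSeenThroughProxy() {
  const proxy = makeFilteringProxy();
  return {
    all: Reflect.ownKeys(proxy),
    enumerable: Object.keys(proxy),
    serialized: JSON.stringify(proxy),
  };
}

// tc39/ecma262#833: an ownKeys trap result with duplicate entries is a
// TypeError. Returns true when the engine rejects it, false if it let the
// duplicate through (the pre-fix behaviour).
function duplicateOwnKeysRejected() {
  const proxy = new Proxy({}, {
    ownKeys() {
      return ["dup", "dup"];
    },
  });
  try {
    Reflect.ownKeys(proxy);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```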
1994
1995 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1996
1997         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
1998         https://bugs.webkit.org/show_bug.cgi?id=196631
1999
2000         Reviewed by Saam Barati.
2001
2002         makeBoundFunction assumes that the "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
2003         DFG may store this value in Double format, so we should not rely on this value being Int32. This patch fixes the makeBoundFunction function to perform
2004         a toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
2005
2006         * JavaScriptCore.xcodeproj/project.pbxproj:
2007         * Sources.txt:
2008         * interpreter/CallFrameInlines.h:
2009         * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
2010         (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
2011         (JSC::DoublePredictionFuzzerAgent::getPrediction):
2012         * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
2013         * runtime/JSGlobalObject.cpp:
2014         (JSC::makeBoundFunction):
2015         * runtime/Options.h:
2016         * runtime/VM.cpp:
2017         (JSC::VM::VM):
2018
2019 2019-04-04  Robin Morisset  <rmorisset@apple.com>
2020
2021         B3ReduceStrength should know that Mul distributes over Add and Sub
2022         https://bugs.webkit.org/show_bug.cgi?id=196325
2023         <rdar://problem/49441650>
2024
2025         Reviewed by Saam Barati.
2026
2027         Fix some obviously wrong code that was due to an accidental copy-paste.
2028         It made the entire optimization dead code that never ran.
2029
2030         * b3/B3ReduceStrength.cpp:
2031
2032 2019-04-04  Saam Barati  <sbarati@apple.com>
2033
2034         Unreviewed, build fix for CLoop after r243886
2035
2036         * interpreter/Interpreter.cpp:
2037         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2038         * interpreter/StackVisitor.cpp:
2039         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
2040         * interpreter/StackVisitor.h:
2041
2042 2019-04-04  Commit Queue  <commit-queue@webkit.org>
2043
2044         Unreviewed, rolling out r243898.
2045         https://bugs.webkit.org/show_bug.cgi?id=196624
2046
2047         `#if !ENABLE(C_LOOP) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0`
2048         does not work well (Requested by yusukesuzuki on #webkit).
2049
2050         Reverted changeset:
2051
2052         "Unreviewed, build fix for CLoop and Windows after r243886"
2053         https://bugs.webkit.org/show_bug.cgi?id=196387
2054         https://trac.webkit.org/changeset/243898
2055
2056 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
2057
2058         Unreviewed, build fix for CLoop and Windows after r243886
2059         https://bugs.webkit.org/show_bug.cgi?id=196387
2060
2061         RegisterAtOffsetList does not exist if ENABLE(ASSEMBLER) is false.
2062
2063         * interpreter/StackVisitor.cpp:
2064         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
2065         * interpreter/StackVisitor.h:
2066
2067 2019-04-04  Saam barati  <sbarati@apple.com>
2068
2069         Teach Call ICs how to call Wasm
2070         https://bugs.webkit.org/show_bug.cgi?id=196387
2071
2072         Reviewed by Filip Pizlo.
2073
2074         This patch teaches JS to call Wasm without going through the native thunk.
2075         Currently, we emit a JIT "JS" callee stub which marshals arguments from
2076         JS to Wasm. Like the native version of this, this thunk is responsible
2077         for saving and restoring the VM's current Wasm context. Instead of emitting
2078         an exception handler, we also teach the unwinder how to read the previous
2079         wasm context to restore it as it unwinds past this frame.
2080         
2081         This patch is straightforward, and leaves some areas for perf improvement:
2082         - We can teach the DFG/FTL to directly use the Wasm calling convention when
2083           it knows it's calling a single Wasm function. This way we don't shuffle
2084           registers to the stack and then back into registers.
2085         - We bail out to the slow path for mismatched arity. I opened a bug to
2086           optimize arity check failures: https://bugs.webkit.org/show_bug.cgi?id=196564
2087         - We bail out to the slow path for Double JSValues flowing into i32 arguments.
2088           We should teach this thunk how to do that conversion directly.
2089         
2090         This patch also refactors the code to explicitly have a single pinned size register.
2091         We used to pretend in some places that we could have more than one pinned size register.
2092         However, there was other code that just asserted the size was one. This patch just rips
2093         out this code since we never moved to having more than one pinned size register. Doing
2094         this refactoring cleans up the various places where we set up the size register.
2095         
2096         This patch is a 50-60% progression on JetStream 2's richards-wasm.
2097
2098         * JavaScriptCore.xcodeproj/project.pbxproj:
2099         * Sources.txt:
2100         * assembler/MacroAssemblerCodeRef.h:
2101         (JSC::MacroAssemblerCodeRef::operator=):
2102         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
2103         * interpreter/Interpreter.cpp:
2104         (JSC::UnwindFunctor::operator() const):
2105         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2106         * interpreter/StackVisitor.cpp:
2107         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
2108         (JSC::StackVisitor::Frame::calleeSaveRegisters): Deleted.
2109         * interpreter/StackVisitor.h:
2110         * jit/JITOperations.cpp:
2111         * jit/RegisterSet.cpp:
2112         (JSC::RegisterSet::runtimeTagRegisters):
2113         (JSC::RegisterSet::specialRegisters):
2114         (JSC::RegisterSet::runtimeRegisters): Deleted.
2115         * jit/RegisterSet.h:
2116         * jit/Repatch.cpp:
2117         (JSC::linkPolymorphicCall):
2118         * runtime/JSFunction.cpp:
2119         (JSC::getCalculatedDisplayName):
2120         * runtime/JSGlobalObject.cpp:
2121         (JSC::JSGlobalObject::init):
2122         (JSC::JSGlobalObject::visitChildren):
2123         * runtime/JSGlobalObject.h:
2124         (JSC::JSGlobalObject::jsToWasmICCalleeStructure const):
2125         * runtime/VM.cpp:
2126         (JSC::VM::VM):
2127         * runtime/VM.h:
2128         * wasm/WasmAirIRGenerator.cpp:
2129         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2130         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2131         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2132         * wasm/WasmB3IRGenerator.cpp:
2133         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2134         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2135         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2136         * wasm/WasmBinding.cpp:
2137         (JSC::Wasm::wasmToWasm):
2138         * wasm/WasmContext.h:
2139         (JSC::Wasm::Context::pointerToInstance):
2140         * wasm/WasmContextInlines.h:
2141         (JSC::Wasm::Context::store):
2142         * wasm/WasmMemoryInformation.cpp:
2143         (JSC::Wasm::getPinnedRegisters):
2144         (JSC::Wasm::PinnedRegisterInfo::get):
2145         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
2146         * wasm/WasmMemoryInformation.h:
2147         (JSC::Wasm::PinnedRegisterInfo::toSave const):
2148         * wasm/WasmOMGPlan.cpp:
2149         (JSC::Wasm::OMGPlan::work):
2150         * wasm/js/JSToWasm.cpp:
2151         (JSC::Wasm::createJSToWasmWrapper):
2152         * wasm/js/JSToWasmICCallee.cpp: Added.
2153         (JSC::JSToWasmICCallee::create):
2154         (JSC::JSToWasmICCallee::createStructure):
2155         (JSC::JSToWasmICCallee::visitChildren):
2156         * wasm/js/JSToWasmICCallee.h: Added.
2157         (JSC::JSToWasmICCallee::function):
2158         (JSC::JSToWasmICCallee::JSToWasmICCallee):
2159         * wasm/js/WebAssemblyFunction.cpp:
2160         (JSC::WebAssemblyFunction::useTagRegisters const):
2161         (JSC::WebAssemblyFunction::calleeSaves const):
2162         (JSC::WebAssemblyFunction::usedCalleeSaveRegisters const):
2163         (JSC::WebAssemblyFunction::previousInstanceOffset const):
2164         (JSC::WebAssemblyFunction::previousInstance):
2165         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2166         (JSC::WebAssemblyFunction::visitChildren):
2167         (JSC::WebAssemblyFunction::destroy):
2168         * wasm/js/WebAssemblyFunction.h:
2169         * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Added.
2170         (JSC::WebAssemblyFunctionDestroyFunc::operator() const):
2171         (JSC::WebAssemblyFunctionHeapCellType::WebAssemblyFunctionHeapCellType):
2172         (JSC::WebAssemblyFunctionHeapCellType::~WebAssemblyFunctionHeapCellType):
2173         (JSC::WebAssemblyFunctionHeapCellType::finishSweep):
2174         (JSC::WebAssemblyFunctionHeapCellType::destroy):
2175         * wasm/js/WebAssemblyFunctionHeapCellType.h: Added.
2176         * wasm/js/WebAssemblyPrototype.h:
2177
2178 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
2179
2180         [JSC] Pass CodeOrigin to FuzzerAgent
2181         https://bugs.webkit.org/show_bug.cgi?id=196590
2182
2183         Reviewed by Saam Barati.
2184
2185         Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
2186         We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
2187         but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
2188
2189         * dfg/DFGByteCodeParser.cpp:
2190         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2191         * runtime/FuzzerAgent.cpp:
2192         (JSC::FuzzerAgent::getPrediction):
2193         * runtime/FuzzerAgent.h:
2194         * runtime/RandomizingFuzzerAgent.cpp:
2195         (JSC::RandomizingFuzzerAgent::getPrediction):
2196         * runtime/RandomizingFuzzerAgent.h:
2197
2198 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
2199
2200         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
2201         https://bugs.webkit.org/show_bug.cgi?id=194944
2202
2203         Reviewed by Keith Miller.
2204
2205         Based on profile data collected on JetStream2, Speedometer 2 and
2206         other benchmarks, it is very rare to have a non-empty
2207         UnlinkedFunctionExecutable::m_parentScopeTDZVariables.
2208
2209         - Data collected from Speedometer2
2210             Total number of UnlinkedFunctionExecutable: 39463
2211             Total number of non-empty parentScopeTDZVars: 428 (~1%)
2212
2213         - Data collected from JetStream2
2214             Total number of UnlinkedFunctionExecutable: 83715
2215             Total number of non-empty parentScopeTDZVars: 5285 (~6%)
2216
2217         We also collected numbers on 6 of the top 10 Alexa sites.
2218
2219         - Data collected from youtube.com
2220             Total number of UnlinkedFunctionExecutable: 29599
2221             Total number of non-empty parentScopeTDZVars: 97 (~0.3%)
2222
2223         - Data collected from twitter.com
2224             Total number of UnlinkedFunctionExecutable: 23774
2225             Total number of non-empty parentScopeTDZVars: 172 (~0.7%)
2226
2227         - Data collected from google.com
2228             Total number of UnlinkedFunctionExecutable: 33209
2229             Total number of non-empty parentScopeTDZVars: 174 (~0.5%)
2230
2231         - Data collected from amazon.com:
2232             Total number of UnlinkedFunctionExecutable: 15182
2233             Total number of non-empty parentScopeTDZVars: 166 (~1%)
2234
2235         - Data collected from facebook.com:
2236             Total number of UnlinkedFunctionExecutable: 54443
2237             Total number of non-empty parentScopeTDZVars: 269 (~0.4%)
2238
2239         - Data collected from netflix.com:
2240             Total number of UnlinkedFunctionExecutable: 39266
2241             Total number of non-empty parentScopeTDZVars: 97 (~0.2%)
2242
2243         Considering such numbers, this patch is moving `m_parentScopeTDZVariables`
2244         to RareData. This decreases sizeof(UnlinkedFunctionExecutable) by
2245         16 bytes. With this change, UnlinkedFunctionExecutable constructors now
2246         receive an `Optional<VariableEnvironmentMap::Handle>` and only store
2247         it when `value != WTF::nullopt`. We also changed
2248         UnlinkedFunctionExecutable::parentScopeTDZVariables() so that it returns
2249         `VariableEnvironment()` whenever the Executable doesn't have RareData,
2250         or the VariableEnvironmentMap::Handle is uninitialized. This is required
2251         because RareData is instantiated when any of its fields is stored and
2252         we can have an uninitialized `Handle` even in cases when parentScopeTDZVariables
2253         is `WTF::nullopt`.
2254
2255         Results on memory usage on JetStream2 are neutral.
2256
2257             Mean of memory peak on ToT: 4258633728 bytes (confidence interval: 249720072.95)
2258             Mean of memory peak on Changes: 4367325184 bytes (confidence interval: 321285583.61)
2259
2260         * builtins/BuiltinExecutables.cpp:
2261         (JSC::BuiltinExecutables::createExecutable):
2262         * bytecode/UnlinkedFunctionExecutable.cpp:
2263         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2264         * bytecode/UnlinkedFunctionExecutable.h:
2265         * bytecompiler/BytecodeGenerator.cpp:
2266         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
2267
2268         BytecodeGenerator::getVariablesUnderTDZ now also caches if m_cachedVariablesUnderTDZ
2269         is empty, so we can properly return `WTF::nullopt` without the
2270         reconstruction of a VariableEnvironment to check if it is empty.
2271
2272         * bytecompiler/BytecodeGenerator.h:
2273         (JSC::BytecodeGenerator::makeFunction):
2274         * parser/VariableEnvironment.h:
2275         (JSC::VariableEnvironment::isEmpty const):
2276         * runtime/CachedTypes.cpp:
2277         (JSC::CachedCompactVariableMapHandle::decode const):
2278
2279         It returns an uninitialized Handle when there is no
2280         CompactVariableEnvironment. This can happen when RareData is ensured
2281         because of another field.
2282
2283         (JSC::CachedFunctionExecutableRareData::encode):
2284         (JSC::CachedFunctionExecutableRareData::decode const):
2285         (JSC::CachedFunctionExecutable::encode):
2286         (JSC::CachedFunctionExecutable::decode const):
2287         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2288         * runtime/CodeCache.cpp:
2289
2290         Instead of creating a dummyVariablesUnderTDZ, we simply pass
2291         WTF::nullopt.
2292
2293         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2294
2295 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
2296
2297         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
2298         https://bugs.webkit.org/show_bug.cgi?id=196409
2299
2300         Reviewed by Saam Barati.
2301
2302         Some of the helpers in jsc.cpp, such as `functionRunString`, were still using
2303         `makeSource` instead of `jscSource`, which does not use the ShellSourceProvider
2304         and therefore does not write the bytecode cache to disk.
2305
2306         Changing that revealed a bug in the bytecode cache. The Encoder keeps a mapping
2307         of pointers to offsets of already cached objects, in order to avoid caching
2308         the same object twice. Similarly, the Decoder keeps a mapping from offsets
2309         to pointers, in order to avoid creating multiple objects in memory for the
2310         same cached object. The following was happening:
2311         1) A StringImpl* S was cached as CachedPtr<CachedStringImpl> at offset O. We add
2312         an entry in the Encoder mapping that S has already been encoded at O.
2313         2) We cache StringImpl* S again, but now as CachedPtr<CachedUniquedStringImpl>.
2314         We find an entry in the Encoder mapping for S, and return the offset O. However,
2315         the object cached at O is a CachedPtr<CachedStringImpl> (i.e. not Uniqued).
2316
2317         3) When decoding, there are 2 possibilities:
2318         3.1) We find S for the first time through a CachedPtr<CachedStringImpl>. In
2319         this case, everything works as expected since we add an entry in the decoder
2320         mapping from the offset O to the decoded StringImpl* S. The next time we find
2321         S through the uniqued version, we'll return the already decoded S.
2322         3.2) We find S through a CachedPtr<CachedUniquedStringImpl>. Now we have a
2323         problem, since the CachedPtr has the offset of a CachedStringImpl (not uniqued),
2324         which has a different shape and we crash.
2325
2326         We fix this by making CachedStringImpl and CachedUniquedStringImpl share the
2327         same implementation. Since it doesn't matter whether a string is uniqued for
2328         encoding, and we always decode strings as uniqued either way, they can be used
2329         interchangeably.
2330
2331         * jsc.cpp:
2332         (functionRunString):
2333         (functionLoadString):
2334         (functionDollarAgentStart):
2335         (functionCheckModuleSyntax):
2336         (runInteractive):
2337         * runtime/CachedTypes.cpp:
2338         (JSC::CachedUniquedStringImplBase::decode const):
2339         (JSC::CachedFunctionExecutable::rareData const):
2340         (JSC::CachedCodeBlock::rareData const):
2341         (JSC::CachedFunctionExecutable::encode):
2342         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2343         (JSC::CachedUniquedStringImpl::encode): Deleted.
2344         (JSC::CachedUniquedStringImpl::decode const): Deleted.
2345         (JSC::CachedStringImpl::encode): Deleted.
2346         (JSC::CachedStringImpl::decode const): Deleted.
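
A toy encoder/decoder that reproduces the identity-keyed dedup bug described above (steps 1 to 3.2) and the fix of sharing one layout, added here as an example; it is not WebKit's CachedTypes code, and the cell layouts, `toyHash` and the `shareLayout` switch are constructed for the example.

```javascript
// Added example (not WebKit's CachedTypes code): a toy encoder/decoder that
// reproduces the dedup bug described in the entry above and shows the fix.
// Records are arrays of cells. Constructed layouts: a "plain" string is
// [tag, length, ...chars]; a "uniqued" string is [tag, hash, length, ...chars].
const PLAIN = "S";
const UNIQUED = "U";

// Stand-in for StringImpl's hash (constructed, not WTF's hash function).
function toyHash(str) {
  let h = 0;
  for (let i = 0; i < str.length; i++) h = (Math.imul(h, 31) + str.charCodeAt(i)) >>> 0;
  return h;
}

class Encoder {
  // shareLayout=false models the buggy build; true models the fix, where
  // CachedStringImpl and CachedUniquedStringImpl share one implementation.
  constructor(shareLayout) {
    this.shareLayout = shareLayout;
    this.cells = [];
    this.offsets = new Map(); // object identity -> offset, keyed like the real Encoder
  }
  encode(stringImpl, asUniqued) {
    // Step 2 of the entry: the identity-keyed lookup ignores which cached
    // type is being requested, so the second encoding returns the first offset.
    if (this.offsets.has(stringImpl)) return this.offsets.get(stringImpl);
    const offset = this.cells.length;
    this.offsets.set(stringImpl, offset);
    const tag = asUniqued || this.shareLayout ? UNIQUED : PLAIN;
    const s = stringImpl.value;
    this.cells.push(tag);
    if (tag === UNIQUED) this.cells.push(toyHash(s));
    this.cells.push(s.length, ...s);
    return offset;
  }
}

class Decoder {
  constructor(cells) {
    this.cells = cells;
    this.decoded = new Map(); // offset -> decoded object, as in the real Decoder
  }
  decode(offset, asUniqued) {
    if (this.decoded.has(offset)) return this.decoded.get(offset);
    let i = offset;
    const tag = this.cells[i++];
    // Case 3.2 of the entry: a uniqued reference pointing at a plain record.
    // The real code reads the wrong shape and crashes; here we fail loudly.
    if (asUniqued && tag !== UNIQUED)
      throw new Error(`shape mismatch at offset ${offset}: expected uniqued, found plain`);
    const hash = tag === UNIQUED ? this.cells[i++] : null;
    const length = this.cells[i++];
    const value = this.cells.slice(i, i + length).join("");
    const obj = { value, hash: hash === null ? toyHash(value) : hash }; // always decoded as uniqued
    this.decoded.set(offset, obj);
    return obj;
  }
}

// Encode S plain first, then again as uniqued, and decode through the
// uniqued reference first (the crashing order). Returns what happened.
function roundTrip(shareLayout) {
  const S = { value: "hello" }; // stand-in for one StringImpl*
  const enc = new Encoder(shareLayout);
  const plainOffset = enc.encode(S, false);
  const uniquedOffset = enc.encode(S, true);
  const dec = new Decoder(enc.cells);
  try {
    const viaUniqued = dec.decode(uniquedOffset, true);
    const viaPlain = dec.decode(plainOffset, false);
    return { sameOffset: plainOffset === uniquedOffset, crashed: false,
             sameObject: viaUniqued === viaPlain, value: viaUniqued.value };
  } catch (e) {
    return { sameOffset: plainOffset === uniquedOffset, crashed: true, error: e.message };
  }
}
```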
2347
2348 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
2349
2350         UnlinkedCodeBlock constructor from cache should initialize m_didOptimize
2351         https://bugs.webkit.org/show_bug.cgi?id=196396
2352
2353         Reviewed by Saam Barati.
2354
2355         The UnlinkedCodeBlock constructor in CachedTypes was missing the initialization
2356         for m_didOptimize, which leads to crashes in CodeBlock::thresholdForJIT.
2357
2358         * runtime/CachedTypes.cpp:
2359         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2360
2361 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
2362
2363         Unreviewed, rolling in r243843 with the build fix
2364         https://bugs.webkit.org/show_bug.cgi?id=196586
2365
2366         * runtime/Options.cpp:
2367         (JSC::recomputeDependentOptions):
2368         * runtime/Options.h:
2369         * runtime/RandomizingFuzzerAgent.cpp:
2370         (JSC::RandomizingFuzzerAgent::getPrediction):
2371
2372 2019-04-03  Ryan Haddad  <ryanhaddad@apple.com>
2373
2374         Unreviewed, rolling out r243843.
2375
2376         Broke CLoop and Windows builds.
2377
2378         Reverted changeset:
2379
2380         "[JSC] Add dump feature for RandomizingFuzzerAgent"
2381         https://bugs.webkit.org/show_bug.cgi?id=196586
2382         https://trac.webkit.org/changeset/243843
2383
2384 2019-04-03  Robin Morisset  <rmorisset@apple.com>
2385
2386         B3 should use associativity to optimize expression trees
2387         https://bugs.webkit.org/show_bug.cgi?id=194081
2388
2389         Reviewed by Filip Pizlo.
2390
2391         This patch adds a new B3 pass, that tries to find and optimize expression trees made purely of any one associative and commutative operator (Add/Mul/BitOr/BitAnd/BitXor).
2392         The pass only runs in O2, and runs once, after lowerMacros and just before a run of B3ReduceStrength (which helps clean up the dead code it tends to leave behind).
2393         I had to separate killDeadCode out of B3ReduceStrength (as a new B3EliminateDeadCode pass) to run it before B3OptimizeAssociativeExpressionTrees, as otherwise it is stopped by high use counts
2394         inherited from CSE.
2395         This extra run of DCE is by itself a win, most notably on microbenchmarks/instanceof-always-hit-two (1.5x faster), and on microbenchmarks/licm-dragons(-out-of-bounds) (both get 1.16x speedup).
2396         I suspect it is because it runs between CSE and tail-dedup, and as a result allows a lot more tail-dedup to occur.
2397
2398         The pass is currently extremely conservative, not trying anything if it would cause _any_ code duplication.
2399         For this purpose, it starts by computing use counts for the potentially interesting nodes (those with the right opcodes), and segregates them into expression trees.
2400         The root of an expression tree is a node that is either used in multiple places, or is used by a value with a different opcode.
2401         The leaves of an expression tree are nodes that are either used in multiple places, or have a different opcode.
2402         All constant leaves of a tree are combined, as well as all leaves that are identical. What remains is then laid out into a balanced binary tree, hopefully maximizing ILP.
2403
2404         This optimization was implemented as a stand-alone pass and not as part of B3ReduceStrength mostly because it needs use counts to avoid code duplication.
2405         It also benefits from finding all tree roots first, and not trying to repeatedly optimize subtrees.
2406
2407         I added several tests to testB3 with varying patterns of trees. It is also tested in a less focused way by lots of older tests.
2408
2409         In the future this pass could be expanded to allow some bounded amount of code duplication, and merging more leaves (e.g. Mul(a, 3) and a in an Add tree, into Mul(a, 4)).
2410         The latter will need exposing the peephole optimizations out of B3ReduceStrength to avoid duplicating code.
2411
2412         * JavaScriptCore.xcodeproj/project.pbxproj:
2413         * Sources.txt:
2414         * b3/B3Common.cpp:
2415         (JSC::B3::shouldDumpIR):
2416         (JSC::B3::shouldDumpIRAtEachPhase):
2417         * b3/B3Common.h:
2418         * b3/B3EliminateDeadCode.cpp: Added.
2419         (JSC::B3::EliminateDeadCode::run):
2420         (JSC::B3::eliminateDeadCode):
2421         * b3/B3EliminateDeadCode.h: Added.
2422         (JSC::B3::EliminateDeadCode::EliminateDeadCode):
2423         * b3/B3Generate.cpp:
2424         (JSC::B3::generateToAir):
2425         * b3/B3OptimizeAssociativeExpressionTrees.cpp: Added.
2426         (JSC::B3::OptimizeAssociativeExpressionTrees::OptimizeAssociativeExpressionTrees):
2427         (JSC::B3::OptimizeAssociativeExpressionTrees::neutralElement):
2428         (JSC::B3::OptimizeAssociativeExpressionTrees::isAbsorbingElement):
2429         (JSC::B3::OptimizeAssociativeExpressionTrees::combineConstants):
2430         (JSC::B3::OptimizeAssociativeExpressionTrees::emitValue):
2431         (JSC::B3::OptimizeAssociativeExpressionTrees::optimizeRootedTree):
2432         (JSC::B3::OptimizeAssociativeExpressionTrees::run):
2433         (JSC::B3::optimizeAssociativeExpressionTrees):
2434         * b3/B3OptimizeAssociativeExpressionTrees.h: Added.
2435         * b3/B3ReduceStrength.cpp:
2436         * b3/B3Value.cpp:
2437         (JSC::B3::Value::replaceWithIdentity):
2438         * b3/testb3.cpp:
2439         (JSC::B3::testBitXorTreeArgs):
2440         (JSC::B3::testBitXorTreeArgsEven):
2441         (JSC::B3::testBitXorTreeArgImm):
2442         (JSC::B3::testAddTreeArg32):
2443         (JSC::B3::testMulTreeArg32):
2444         (JSC::B3::testBitAndTreeArg32):
2445         (JSC::B3::testBitOrTreeArg32):
2446         (JSC::B3::run):
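
A toy version of the re-association this entry describes (collect the leaves of a single-operator tree, fold constants and absorbing elements, merge identical leaves, lay the rest out as a balanced tree), added here as an example and not the B3 pass itself; the node shapes, the `ASSOCIATIVE` table, the single-use assumption and the 32-bit integer semantics are constructed for the example.

```javascript
// Added example (not the B3 pass): re-associating expression trees built from
// one associative and commutative operator. Constructed node shapes:
// { op: "Const", value }, { op: "Arg", name },
// { op: "Add" | "Mul" | "BitAnd" | "BitOr" | "BitXor", left, right }.
const ASSOCIATIVE = {
  Add:    { neutral: 0,  absorbing: null, apply: (a, b) => (a + b) | 0 },
  Mul:    { neutral: 1,  absorbing: 0,    apply: (a, b) => Math.imul(a, b) },
  BitAnd: { neutral: -1, absorbing: 0,    apply: (a, b) => a & b },
  BitOr:  { neutral: 0,  absorbing: -1,   apply: (a, b) => a | b },
  BitXor: { neutral: 0,  absorbing: null, apply: (a, b) => a ^ b },
};

const Const = (value) => ({ op: "Const", value: value | 0 });
const Arg = (name) => ({ op: "Arg", name });
const Bin = (op, left, right) => ({ op, left, right });

// Leaves of a tree made purely of `op`: any node with another opcode stops
// the walk. Every node is assumed single-use here; the real pass checks use
// counts first so that it never duplicates code.
function collectLeaves(node, op, out) {
  if (node.op === op) {
    collectLeaves(node.left, op, out);
    collectLeaves(node.right, op, out);
  } else {
    out.push(node);
  }
  return out;
}

// Merge identical non-constant leaves according to the operator's algebra.
function combineIdentical(op, leaves) {
  const counts = new Map(); // key -> { leaf, count }; Args by name, other leaves by identity
  for (const leaf of leaves) {
    const key = leaf.op === "Arg" ? `Arg:${leaf.name}` : leaf;
    const entry = counts.get(key) || { leaf, count: 0 };
    entry.count += 1;
    counts.set(key, entry);
  }
  const result = [];
  for (const { leaf, count } of counts.values()) {
    if (op === "BitAnd" || op === "BitOr") result.push(leaf);             // x op x == x
    else if (op === "BitXor") { if (count % 2 === 1) result.push(leaf); }  // x ^ x == 0
    else if (op === "Add") result.push(count === 1 ? leaf : Bin("Mul", leaf, Const(count)));
    else for (let k = 0; k < count; k++) result.push(leaf);               // Mul: left alone
  }
  return result;
}

// Lay leaves out as a balanced binary tree to shorten the dependency chain.
function balancedTree(op, leaves) {
  if (leaves.length === 1) return leaves[0];
  const mid = leaves.length >> 1;
  return Bin(op, balancedTree(op, leaves.slice(0, mid)), balancedTree(op, leaves.slice(mid)));
}

function optimizeRootedTree(root) {
  const info = ASSOCIATIVE[root.op];
  if (!info) return root;
  const leaves = collectLeaves(root, root.op, []);
  let folded = info.neutral; // all constant leaves fold into one
  const others = [];
  for (const leaf of leaves) {
    if (leaf.op === "Const") folded = info.apply(folded, leaf.value);
    else others.push(leaf);
  }
  if (folded === info.absorbing) return Const(folded); // e.g. Mul(..., 0)
  const remaining = combineIdentical(root.op, others);
  if (folded !== info.neutral) remaining.push(Const(folded));
  if (remaining.length === 0) return Const(info.neutral);
  return balancedTree(root.op, remaining);
}

// Reference interpreter, used to check that a rewrite preserves semantics.
function evaluate(node, env) {
  if (node.op === "Const") return node.value;
  if (node.op === "Arg") return env[node.name] | 0;
  return ASSOCIATIVE[node.op].apply(evaluate(node.left, env), evaluate(node.right, env));
}

function depth(node) {
  if (node.op === "Const" || node.op === "Arg") return 0;
  return 1 + Math.max(depth(node.left), depth(node.right));
}
```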
2447
2448 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
2449
2450         [JSC] Add dump feature for RandomizingFuzzerAgent
2451         https://bugs.webkit.org/show_bug.cgi?id=196586
2452
2453         Reviewed by Saam Barati.
2454
2455         Towards deterministic tests for the results from randomizing fuzzer agent, this patch adds Options::dumpRandomizingFuzzerAgentPredictions, which dumps the generated types.
2456         The results look like this.
2457
2458             getPrediction name:(#C2q9xD),bytecodeIndex:(22),original:(Array),generated:(OtherObj|Array|Float64Array|BigInt|NonIntAsDouble)
2459             getPrediction name:(makeUnwriteableUnconfigurableObject#AiEJv1),bytecodeIndex:(14),original:(OtherObj),generated:(Final|Uint8Array|Float64Array|SetObject|WeakSetObject|BigInt|NonIntAsDouble)
2460
2461         * runtime/Options.cpp:
2462         (JSC::recomputeDependentOptions):
2463         * runtime/Options.h:
2464         * runtime/RandomizingFuzzerAgent.cpp:
2465         (JSC::RandomizingFuzzerAgent::getPrediction):
2466
2467 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
2468
2469         -apple-trailing-word is needed for browser detection
2470         https://bugs.webkit.org/show_bug.cgi?id=196575
2471
2472         Unreviewed.
2473
2474         * Configurations/FeatureDefines.xcconfig:
2475
2476 2019-04-03  Michael Saboff  <msaboff@apple.com>
2477
2478         REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
2479         https://bugs.webkit.org/show_bug.cgi?id=196477
2480
2481         Reviewed by Keith Miller.
2482
2483         The problem here is that when we advance the index by 2 for a character class that only
2484         has non-BMP characters, we might go past the end of the string.  This can happen for
2485         greedy counted character classes that are part of an alternative where there is one
2486         character to match after the greedy non-BMP character class.
2487
2488         The "do we have string left to match" check at the top of the JIT loop for the counted
2489         character class checks to see if index is not equal to the string length.  For non-BMP
2490         character classes, we need to check to see if there are at least 2 characters left.
2491         Therefore we now temporarily add 1 to the current index before comparing.  This checks
2492         to see if there are at least 2 characters left to match, instead of 1.
2493
2494         * yarr/YarrJIT.cpp:
2495         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2496         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2497
2498 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
2499
2500         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
2501         https://bugs.webkit.org/show_bug.cgi?id=196574
2502
2503         Reviewed by Saam Barati.
2504
2505         This patch adds a missing exception check in operationArrayIndexOfValueInt32OrContiguous.
2506
2507         * dfg/DFGOperations.cpp:
2508
2509 2019-04-03  Don Olmstead  <don.olmstead@sony.com>
2510
2511         [CMake][WTF] Mirror XCode header directories
2512         https://bugs.webkit.org/show_bug.cgi?id=191662
2513
2514         Reviewed by Konstantin Tokarev.
2515
2516         Use WTFFramework as a dependency and include frameworks/WTF.cmake for AppleWin internal
2517         builds.
2518
2519         * CMakeLists.txt:
2520         * shell/CMakeLists.txt:
2521
2522 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
2523
2524         [JSC] Add FuzzerAgent, which has hooks to get feedback & inject fuzz data into JSC
2525         https://bugs.webkit.org/show_bug.cgi?id=196530
2526
2527         Reviewed by Saam Barati.
2528
2529         This patch adds FuzzerAgent interface and simple RandomizingFuzzerAgent to JSC.
2530         This RandomizingFuzzerAgent returns random SpeculatedType for value profiling to find
2531         the issues in JSC. The seed for randomization can be specified by seedOfRandomizingFuzzerAgent.
2532
2533         I ran this with seedOfRandomizingFuzzerAgent=1 last night and it found 3 failures in the current JSC tests;
2534         they should be fixed in subsequent patches.
2535
2536         * CMakeLists.txt:
2537         * JavaScriptCore.xcodeproj/project.pbxproj:
2538         * Sources.txt:
2539         * dfg/DFGByteCodeParser.cpp:
2540         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2541         * runtime/FuzzerAgent.cpp: Added.
2542         (JSC::FuzzerAgent::~FuzzerAgent):
2543         (JSC::FuzzerAgent::getPrediction):
2544         * runtime/FuzzerAgent.h: Added.
2545         * runtime/JSGlobalObjectFunctions.cpp:
2546         * runtime/Options.h:
2547         * runtime/RandomizingFuzzerAgent.cpp: Added.
2548         (JSC::RandomizingFuzzerAgent::RandomizingFuzzerAgent):
2549         (JSC::RandomizingFuzzerAgent::getPrediction):
2550         * runtime/RandomizingFuzzerAgent.h: Added.
2551         * runtime/RegExpCachedResult.h:
2552         * runtime/RegExpGlobalData.cpp:
2553         * runtime/VM.cpp:
2554         (JSC::VM::VM):
2555         * runtime/VM.h:
2556         (JSC::VM::fuzzerAgent const):
2557         (JSC::VM::setFuzzerAgent):
2558
2559 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
2560
2561         Remove support for -apple-trailing-word
2562         https://bugs.webkit.org/show_bug.cgi?id=196525
2563
2564         Reviewed by Zalan Bujtas.
2565
2566         This CSS property is nonstandard and not used.
2567
2568         * Configurations/FeatureDefines.xcconfig:
2569
2570 2019-04-03  Joseph Pecoraro  <pecoraro@apple.com>
2571
2572         Web Inspector: Remote Inspector indicate callback should always happen on the main thread
2573         https://bugs.webkit.org/show_bug.cgi?id=196513
2574         <rdar://problem/49498284>
2575
2576         Reviewed by Devin Rousso.
2577
2578         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2579         (Inspector::RemoteInspector::receivedIndicateMessage):
2580         When we have a WebThread, don't just run on the WebThread,
2581         run on the MainThread with the WebThreadLock.
2582
2583 2019-04-02  Michael Saboff  <msaboff@apple.com>
2584
2585         Crash in Options::setOptions() using --configFile option and libgmalloc
2586         https://bugs.webkit.org/show_bug.cgi?id=196506
2587
2588         Reviewed by Keith Miller.
2589
2590         Changed to call CString::data() while making the call to Options::setOptions().  This keeps
2591         the implicit CString temporary alive until after setOptions() returns.
2592
2593         * runtime/ConfigFile.cpp:
2594         (JSC::ConfigFile::parse):
2595
2596 2019-04-02  Fujii Hironori  <Hironori.Fujii@sony.com>
2597
2598         [CMake] WEBKIT_MAKE_FORWARDING_HEADERS shouldn't use POST_BUILD to copy generated headers
2599         https://bugs.webkit.org/show_bug.cgi?id=182757
2600
2601         Reviewed by Don Olmstead.
2602
2603         * CMakeLists.txt: Do not use DERIVED_SOURCE_DIRECTORIES parameter
2604         of WEBKIT_MAKE_FORWARDING_HEADERS. Added generated headers to
2605         JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS.
2606
2607 2019-04-02  Saam barati  <sbarati@apple.com>
2608
2609         Add a ValueRepReduction phase
2610         https://bugs.webkit.org/show_bug.cgi?id=196234
2611
2612         Reviewed by Filip Pizlo.
2613
2614         This patch adds a ValueRepReduction phase. The main idea here is
2615         to try to reduce DoubleRep(RealNumberUse:ValueRep(DoubleRepUse:@x))
2616         to just be @x. This patch handles the above strength reduction rules
2617         as long as we prove that all users of the ValueRep can be converted
2618         to using the incoming double value. That way we prevent introducing
2619         a parallel live range for the double value.
2620         
2621         This patch tracks the uses of the ValueRep through Phi variables,
2622         so we can convert entire Phi variables to being Double instead
2623         of JSValue if the Phi also has only double uses.
2624         
2625         This is implemented through a simple escape analysis. DoubleRep(RealNumberUse:)
2626         and OSR exit hints are not counted as escapes. All other uses are counted
2627         as escapes. Connected Phi graphs are converted to being Double only if the
2628         entire graph is ok with the result being Double.
2629         
2630         Some ways we could extend this phase in the future:
2631         - There are a lot of DoubleRep(NumberUse:@ValueRep(@x)) uses. This ensures
2632           that the result of the DoubleRep of @x is not impure NaN. We could
2633           handle this case if we introduced a PurifyNaN node and replace the DoubleRep
2634           with PurifyNaN(@x). Alternatively, we could see if certain users of this
2635           DoubleRep are okay with impure NaN flowing into them and we'd need to ensure
2636           their output type is always treated as if the input is impure NaN.
2637         - We could do sinking of ValueRep where we think it's profitable. So instead
2638           of an escape making it so we never represent the variable as a Double, we
2639           could make the escape reconstruct the JSValueRep where profitable.
2640         - We can extend this phase to handle Int52Rep if it's profitable.
2641         - We can opt other nodes into accepting incoming Doubles so we no longer
2642           treat them as escapes.
2643         
2644         This patch is somewhere between neutral and a 1% progression on JetStream 2.
2645
2646         * JavaScriptCore.xcodeproj/project.pbxproj:
2647         * Sources.txt:
2648         * dfg/DFGPlan.cpp:
2649         (JSC::DFG::Plan::compileInThreadImpl):
2650         * dfg/DFGValueRepReductionPhase.cpp: Added.
2651         (JSC::DFG::ValueRepReductionPhase::ValueRepReductionPhase):
2652         (JSC::DFG::ValueRepReductionPhase::run):
2653         (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble):
2654         (JSC::DFG::performValueRepReduction):
2655         * dfg/DFGValueRepReductionPhase.h: Added.
2656         * runtime/Options.h:
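
        As an added illustration of the escape analysis this entry describes (example code, not JSC's
        DFGValueRepReductionPhase; the Op and UseKind names are a hypothetical, simplified subset of the
        DFG's, MovHint stands in for the OSR exit hints the entry mentions, and PutByVal stands in for any
        escaping use), a toy pass that converts a connected ValueRep/Phi group to doubles only when no
        member escapes:

```cpp
#include <cstddef>
#include <map>
#include <set>
#include <utility>
#include <vector>

namespace valuerep {

enum class Op { DoubleConst, ValueRep, DoubleRep, Phi, MovHint, PutByVal, Return, Identity };
enum class UseKind { None, DoubleRepUse, RealNumberUse, NumberUse, UntypedUse };

struct Node {
    Op op;
    UseKind useKind;
    std::vector<int> children;
};

struct Graph {
    std::vector<Node> nodes;
    int add(Op op, UseKind useKind, std::vector<int> children = {})
    {
        nodes.push_back(Node { op, useKind, std::move(children) });
        return static_cast<int>(nodes.size()) - 1;
    }
};

// Reverse edges: for each node, the nodes that use it.
static std::map<int, std::vector<int>> usersOf(const Graph& graph)
{
    std::map<int, std::vector<int>> users;
    for (size_t i = 0; i < graph.nodes.size(); ++i)
        for (int child : graph.nodes[i].children)
            users[child].push_back(static_cast<int>(i));
    return users;
}

static bool isCandidate(const Node& node) { return node.op == Op::ValueRep || node.op == Op::Phi; }

// Returns how many ValueRep/Phi nodes were switched to the double representation.
// A connected group of ValueReps and Phis is converted only if every use of every
// member is DoubleRep(RealNumberUse:) or an exit hint, and every Phi input is a member.
int performValueRepReduction(Graph& graph)
{
    std::map<int, std::vector<int>> users = usersOf(graph);
    std::set<int> visited;
    int converted = 0;
    for (size_t root = 0; root < graph.nodes.size(); ++root) {
        if (graph.nodes[root].op != Op::ValueRep || visited.count(static_cast<int>(root)))
            continue;
        std::vector<int> group;
        std::vector<int> worklist { static_cast<int>(root) };
        bool escapes = false;
        while (!worklist.empty()) {        // flood-fill the Phi graph in both directions
            int id = worklist.back();
            worklist.pop_back();
            if (!visited.insert(id).second)
                continue;
            group.push_back(id);
            const Node& node = graph.nodes[id];
            if (node.op == Op::Phi) {
                for (int input : node.children) {
                    if (isCandidate(graph.nodes[input]))
                        worklist.push_back(input);
                    else
                        escapes = true;    // the Phi merges a JSValue we cannot prove is a double
                }
            }
            for (int user : users[id]) {
                const Node& use = graph.nodes[user];
                if (use.op == Op::DoubleRep && use.useKind == UseKind::RealNumberUse)
                    continue;              // DoubleRep(NumberUse:) is NOT accepted: impure NaN concern
                if (use.op == Op::MovHint)
                    continue;              // exit hints do not count as escapes
                if (use.op == Op::Phi) {
                    worklist.push_back(user);
                    continue;
                }
                escapes = true;            // every other use needs the boxed JSValue
            }
        }
        if (escapes)
            continue;
        for (int id : group) {             // rewrite: ValueRep -> Identity of its double input,
            Node& node = graph.nodes[id];  // the Phi stays a Phi but now carries doubles,
            if (node.op == Op::ValueRep) { // DoubleRep(RealNumberUse: member) -> Identity(member)
                node.op = Op::Identity;
                node.useKind = UseKind::DoubleRepUse;
            }
            for (int user : users[id]) {
                Node& use = graph.nodes[user];
                if (use.op == Op::DoubleRep) {
                    use.op = Op::Identity;
                    use.useKind = UseKind::DoubleRepUse;
                }
            }
            ++converted;
        }
    }
    return converted;
}

// Constructed IR: two ValueReps of double constants merged by a Phi, an exit hint on the
// Phi, and the Phi read back through DoubleRep(RealNumberUse:).
static void buildDiamond(Graph& g, int& phi, int& v2)
{
    int d1 = g.add(Op::DoubleConst, UseKind::None);
    int d2 = g.add(Op::DoubleConst, UseKind::None);
    int v1 = g.add(Op::ValueRep, UseKind::DoubleRepUse, { d1 });
    v2 = g.add(Op::ValueRep, UseKind::DoubleRepUse, { d2 });
    phi = g.add(Op::Phi, UseKind::None, { v1, v2 });
    g.add(Op::MovHint, UseKind::None, { phi });
    int dr = g.add(Op::DoubleRep, UseKind::RealNumberUse, { phi });
    g.add(Op::Return, UseKind::None, { dr });
}

int reducibleExample() { Graph g; int phi, v2; buildDiamond(g, phi, v2); return performValueRepReduction(g); }   // 3
int escapingExample()  { Graph g; int phi, v2; buildDiamond(g, phi, v2); g.add(Op::PutByVal, UseKind::UntypedUse, { v2 }); return performValueRepReduction(g); } // 0
int numberUseExample() { Graph g; int phi, v2; buildDiamond(g, phi, v2); g.add(Op::DoubleRep, UseKind::NumberUse, { phi }); return performValueRepReduction(g); } // 0

} // namespace valuerep
```

        The second and third scenarios show the two ways a group is kept as JSValue: a store of one
        ValueRep to the heap, and a DoubleRep(NumberUse:) user, which the entry lists as future work
        because the reduced double could carry an impure NaN.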
2657
2658 2019-04-01  Yusuke Suzuki  <ysuzuki@apple.com>
2659
2660         [JSC] JSRunLoopTimer::Manager should be small
2661         https://bugs.webkit.org/show_bug.cgi?id=196425
2662
2663         Reviewed by Darin Adler.
2664
2665         Using a very large Key or Value in HashMap potentially bloats memory since HashMap pre-allocates a large block of
2666         memory ((sizeof(Key) + sizeof(Value)) * N) for its backing storage's array. Use std::unique_ptr<> for JSRunLoopTimer's
2667         PerVMData to keep HashMap's backing store size small.
2668
2669         * runtime/JSRunLoopTimer.cpp:
2670         (JSC::JSRunLoopTimer::Manager::timerDidFire):
2671         (JSC::JSRunLoopTimer::Manager::registerVM):
2672         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
2673         (JSC::JSRunLoopTimer::Manager::cancelTimer):
2674         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
2675         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
2676         * runtime/JSRunLoopTimer.h:
2677
2678 2019-04-01  Stephan Szabo  <stephan.szabo@sony.com>
2679
2680         [PlayStation] Add initialization for JSC shell for PlayStation port
2681         https://bugs.webkit.org/show_bug.cgi?id=195411
2682
2683         Reviewed by Ross Kirsling.
2684
2685         Add ps options
2686
2687         * shell/PlatformPlayStation.cmake: Added.
2688         * shell/playstation/Initializer.cpp: Added.
2689         (initializer):
2690
2691 2019-04-01  Michael Catanzaro  <mcatanzaro@igalia.com>
2692
2693         Stop trying to support building JSC with clang 3.8
2694         https://bugs.webkit.org/show_bug.cgi?id=195947
2695         <rdar://problem/49069219>
2696
2697         Reviewed by Darin Adler.
2698
2699         It seems WebKit hasn't built with clang 3.8 in a while, no devs are using this compiler, we
2700         don't know how much effort it would be to make JSC work again, and it's making the code
2701         worse. Remove my hacks to support clang 3.8 from JSC.
2702
2703         * bindings/ScriptValue.cpp:
2704         (Inspector::jsToInspectorValue):
2705         * bytecode/GetterSetterAccessCase.cpp:
2706         (JSC::GetterSetterAccessCase::create):
2707         (JSC::GetterSetterAccessCase::clone const):
2708         * bytecode/InstanceOfAccessCase.cpp:
2709         (JSC::InstanceOfAccessCase::clone const):
2710         * bytecode/IntrinsicGetterAccessCase.cpp:
2711         (JSC::IntrinsicGetterAccessCase::clone const):
2712         * bytecode/ModuleNamespaceAccessCase.cpp:
2713         (JSC::ModuleNamespaceAccessCase::clone const):
2714         * bytecode/ProxyableAccessCase.cpp:
2715         (JSC::ProxyableAccessCase::clone const):
2716
2717 2019-03-31  Yusuke Suzuki  <ysuzuki@apple.com>
2718
2719         [JSC] Butterfly allocation from LargeAllocation should try "realloc" behavior if collector thread is not active
2720         https://bugs.webkit.org/show_bug.cgi?id=196160
2721
2722         Reviewed by Saam Barati.
2723
2724         "realloc" can be effective in terms of peak/current memory footprint when realloc succeeds because,
2725
2726         1. It does not allocate additional memory while expanding a vector
2727         2. It does not deallocate the old memory; it just reuses the current memory by expanding it, so that the memory footprint is tight even before scavenging
2728
2729         We found that we can "realloc" large butterflies when certain conditions are met because,
2730
2731         1. If it goes to LargeAllocation, this memory region is never reused until GC sweeps it.
2732         2. Butterflies are owned by owner JSObjects, so we know the lifetime of Butterflies.
2733
2734         This patch attempts to use "realloc" onto butterflies if,
2735
2736         1. Butterflies are allocated in LargeAllocation kind
2737         2. Concurrent collector is not active
2738         3. Butterflies do not have property storage
2739
2740         The condition (2) is required to avoid deallocating butterflies while the concurrent collector looks into it. The condition (3) is
2741         also required to avoid deallocating butterflies while the concurrent compiler looks into it.
2742
2743         We also change the LargeAllocation mechanism to use "malloc" and "free" instead of "posix_memalign". This allows us to use "realloc"
2744         safely on all platforms. Since LargeAllocation uses alignment to distinguish LargeAllocation from MarkedBlock, we manually adjust to
2745         16B alignment by allocating 8B more memory in "malloc".
2746
2747         Speedometer2 and JetStream2 are neutral. RAMification shows about 1% progression (even in some of JIT tests).
2748
2749         * heap/AlignedMemoryAllocator.h:
2750         * heap/CompleteSubspace.cpp:
2751         (JSC::CompleteSubspace::tryAllocateSlow):
2752         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
2753         * heap/CompleteSubspace.h:
2754         * heap/FastMallocAlignedMemoryAllocator.cpp:
2755         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateMemory):
2756         (JSC::FastMallocAlignedMemoryAllocator::freeMemory):
2757         (JSC::FastMallocAlignedMemoryAllocator::tryReallocateMemory):
2758         * heap/FastMallocAlignedMemoryAllocator.h:
2759         * heap/GigacageAlignedMemoryAllocator.cpp:
2760         (JSC::GigacageAlignedMemoryAllocator::tryAllocateMemory):
2761         (JSC::GigacageAlignedMemoryAllocator::freeMemory):
2762         (JSC::GigacageAlignedMemoryAllocator::tryReallocateMemory):
2763         * heap/GigacageAlignedMemoryAllocator.h:
2764         * heap/IsoAlignedMemoryAllocator.cpp:
2765         (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory):
2766         (JSC::IsoAlignedMemoryAllocator::freeMemory):
2767         (JSC::IsoAlignedMemoryAllocator::tryReallocateMemory):
2768         * heap/IsoAlignedMemoryAllocator.h:
2769         * heap/LargeAllocation.cpp:
2770         (JSC::isAlignedForLargeAllocation):
2771         (JSC::LargeAllocation::tryCreate):
2772         (JSC::LargeAllocation::tryReallocate):
2773         (JSC::LargeAllocation::LargeAllocation):
2774         (JSC::LargeAllocation::destroy):
2775         * heap/LargeAllocation.h:
2776         (JSC::LargeAllocation::indexInSpace):
2777         (JSC::LargeAllocation::setIndexInSpace):
2778         (JSC::LargeAllocation::basePointer const):
2779         * heap/MarkedSpace.cpp:
2780         (JSC::MarkedSpace::sweepLargeAllocations):
2781         (JSC::MarkedSpace::prepareForConservativeScan):
2782         * heap/WeakSet.h:
2783         (JSC::WeakSet::isTriviallyDestructible const):
2784         * runtime/Butterfly.h:
2785         * runtime/ButterflyInlines.h:
2786         (JSC::Butterfly::reallocArrayRightIfPossible):
2787         * runtime/JSObject.cpp:
2788         (JSC::JSObject::ensureLengthSlow):
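
        As an added illustration of the malloc-based alignment this entry describes (example code, not
        JSC's LargeAllocation; LargeBlock, tryCreate, tryReallocate and roundTrip are hypothetical names,
        and the 8-byte slack assumes malloc returns at least 8-byte aligned memory), a block header kept
        16-byte aligned on top of malloc/realloc, including the slide that a realloc can force when the
        new address has a different residue mod 16:

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>

namespace largealloc {

constexpr size_t kAlignment = 16;          // the alignment that marks a large allocation
constexpr size_t kHeaderSize = 16;         // header size; keeps the payload aligned as well
constexpr size_t kSlack = kAlignment / 2;  // extra bytes so an 8-aligned malloc result can be slid
                                           // forward (assumption: malloc is at least 8-byte aligned)

struct LargeBlock {
    size_t payloadSize;  // bytes usable by the caller after the header
    uint8_t adjustment;  // 0 or 8: distance from the malloc pointer to this header

    void* basePointer() { return reinterpret_cast<char*>(this) - adjustment; }
    void* payload() { return reinterpret_cast<char*>(this) + kHeaderSize; }

    static uint8_t adjustmentFor(const void* base)
    {
        uintptr_t addr = reinterpret_cast<uintptr_t>(base);
        return static_cast<uint8_t>((kAlignment - addr % kAlignment) % kAlignment);
    }

    static LargeBlock* tryCreate(size_t payloadSize)
    {
        void* base = std::malloc(kHeaderSize + payloadSize + kSlack);
        if (!base)
            return nullptr;
        uint8_t adjustment = adjustmentFor(base);
        return new (static_cast<char*>(base) + adjustment) LargeBlock { payloadSize, adjustment };
    }

    // realloc may return memory whose address has a different residue mod 16, so the
    // header and payload may have to move by 8 bytes; memmove handles the overlap.
    static LargeBlock* tryReallocate(LargeBlock* block, size_t newPayloadSize)
    {
        size_t oldPayloadSize = block->payloadSize;
        uint8_t oldAdjustment = block->adjustment;
        void* newBase = std::realloc(block->basePointer(), kHeaderSize + newPayloadSize + kSlack);
        if (!newBase)
            return nullptr;  // the old block is untouched and still owned by the caller
        uint8_t newAdjustment = adjustmentFor(newBase);
        char* bytes = static_cast<char*>(newBase);
        if (newAdjustment != oldAdjustment)
            std::memmove(bytes + newAdjustment, bytes + oldAdjustment, kHeaderSize + std::min(oldPayloadSize, newPayloadSize));
        return new (bytes + newAdjustment) LargeBlock { newPayloadSize, newAdjustment };
    }

    static void destroy(LargeBlock* block) { std::free(block->basePointer()); }
};
static_assert(sizeof(LargeBlock) == kHeaderSize, "header must stay 16 bytes");

bool isAlignedForLargeAllocation(const void* p)
{
    return reinterpret_cast<uintptr_t>(p) % kAlignment == 0;
}

// Allocates, fills the payload with a pattern, resizes, and reports whether both
// headers were aligned and the surviving payload bytes came through intact.
bool roundTrip(size_t initialSize, size_t newSize)
{
    LargeBlock* block = LargeBlock::tryCreate(initialSize);
    if (!block || !isAlignedForLargeAllocation(block))
        return false;
    unsigned char* bytes = static_cast<unsigned char*>(block->payload());
    for (size_t i = 0; i < initialSize; ++i)
        bytes[i] = static_cast<unsigned char>(i * 7 + 3);

    LargeBlock* resized = LargeBlock::tryReallocate(block, newSize);
    if (!resized) {
        LargeBlock::destroy(block);
        return false;
    }
    bool ok = isAlignedForLargeAllocation(resized) && resized->payloadSize == newSize;
    unsigned char* newBytes = static_cast<unsigned char*>(resized->payload());
    for (size_t i = 0, n = std::min(initialSize, newSize); ok && i < n; ++i)
        ok = newBytes[i] == static_cast<unsigned char>(i * 7 + 3);
    LargeBlock::destroy(resized);
    return ok;
}

} // namespace largealloc
```

        The point of recording the adjustment in the header is that free() and realloc() must receive
        the pointer malloc handed out, not the aligned header address; with posix_memalign there is no
        portable realloc at all, which is why the entry switches to plain malloc.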
2789
2790 2019-03-31  Sam Weinig  <weinig@apple.com>
2791
2792         Remove more i386 specific configurations
2793         https://bugs.webkit.org/show_bug.cgi?id=196430
2794
2795         Reviewed by Alexey Proskuryakov.
2796
2797         * Configurations/FeatureDefines.xcconfig:
2798         ENABLE_WEB_AUTHN_macosx can now be enabled unconditionally on macOS.
2799
2800         * Configurations/ToolExecutable.xcconfig:
2801         ARC can be enabled unconditionally now.
2802
2803 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
2804
2805         [JSC] JSWrapperMap should not use Objective-C Weak map (NSMapTable with NSPointerFunctionsWeakMemory) for m_cachedObjCWrappers
2806         https://bugs.webkit.org/show_bug.cgi?id=196392
2807
2808         Reviewed by Saam Barati.
2809
2810         Weak representation in Objective-C is surprisingly costly in terms of memory. We can see that a very simple program shows 10KB of memory consumption due to
2811         this weak wrapper map in JavaScriptCore.framework. But we do not need this weak map since Objective-C JSValue has a dealloc. It can unregister itself
2812         from the map when it is deallocated without using the Objective-C weak mechanism. And since Objective-C JSValue is tightly coupled to a specific JSContext,
2813         and the wrapper map is created per JSContext, the JSValue wrapper and the actual JavaScriptCore value are one-to-one, and [JSValue dealloc] knows which JSContext's
2814         wrapper map holds it.
2815
2816         1. We do not use the Objective-C weak mechanism. We use WTF::HashSet instead. When a JSValue is allocated, we register it in JSWrapperMap's HashSet, and unregister
2817            the JSValue from this map when it is deallocated.
2818         2. We use HashSet<JSValue> (logically) instead of HashMap<JSValueRef, JSValue> to keep JSValueRef and JSValue relationship. We can achieve it because JSValue
2819            holds JSValueRef inside it.
2820
2821         * API/JSContext.mm:
2822         (-[JSContext removeWrapper:]):
2823         * API/JSContextInternal.h:
2824         * API/JSValue.mm:
2825         (-[JSValue dealloc]):
2826         (-[JSValue initWithValue:inContext:]):
2827         * API/JSWrapperMap.h:
2828         * API/JSWrapperMap.mm:
2829         (WrapperKey::hashTableDeletedValue):
2830         (WrapperKey::WrapperKey):
2831         (WrapperKey::isHashTableDeletedValue const):
2832         (WrapperKey::Hash::hash):
2833         (WrapperKey::Hash::equal):
2834         (WrapperKey::Traits::isEmptyValue):
2835         (WrapperKey::Translator::hash):
2836         (WrapperKey::Translator::equal):
2837         (WrapperKey::Translator::translate):
2838         (-[JSWrapperMap initWithGlobalContextRef:]):
2839         (-[JSWrapperMap dealloc]):
2840         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
2841         (-[JSWrapperMap removeWrapper:]):
2842         * API/tests/testapi.mm:
2843         (testObjectiveCAPIMain):
2844
2845 2019-03-29  Robin Morisset  <rmorisset@apple.com>
2846
2847         B3ReduceStrength should know that Mul distributes over Add and Sub
2848         https://bugs.webkit.org/show_bug.cgi?id=196325
2849
2850         Reviewed by Michael Saboff.
2851
2852         In this patch I add the following patterns to B3ReduceStrength:
2853         - Turn this: Integer Neg(Mul(value, c))
2854           Into this: Mul(value, -c), as long as -c does not overflow
2855         - Turn these: Integer Mul(value, Neg(otherValue)) and Integer Mul(Neg(value), otherValue)
2856           Into this: Neg(Mul(value, otherValue))
2857         - For Op==Add or Sub, turn any of these:
2858              Op(Mul(x1, x2), Mul(x1, x3))
2859              Op(Mul(x2, x1), Mul(x1, x3))
2860              Op(Mul(x1, x2), Mul(x3, x1))
2861              Op(Mul(x2, x1), Mul(x3, x1))
2862           Into this: Mul(x1, Op(x2, x3))
2863
2864         Also includes a trivial change: a similar reduction for the distributivity of BitAnd over BitOr/BitXor now
2865         emits the arguments to BitAnd in the other order, to minimize the probability that we'll spend a full fixpoint step just to flip them.
2866
2867         * b3/B3ReduceStrength.cpp:
2868         * b3/testb3.cpp:
2869         (JSC::B3::testAddMulMulArgs):
2870         (JSC::B3::testMulArgNegArg):
2871         (JSC::B3::testMulNegArgArg):
2872         (JSC::B3::testNegMulArgImm):
2873         (JSC::B3::testSubMulMulArgs):
2874         (JSC::B3::run):
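
        As an added illustration of these rewrites (example code, not B3's; Const/Arg/Neg/Mul/Add/Sub,
        reduceStrength, evaluate and dump are hypothetical stand-ins for B3 values, and a Mul's constant
        operand is assumed to sit on the right, as B3 canonicalizes it), a bottom-up pass over a toy
        expression tree with the -c overflow guard, plus a 32-bit wrapping evaluator to confirm each
        rewrite preserves results:

```cpp
#include <cstdint>
#include <limits>
#include <memory>
#include <string>

namespace reduce {

enum class Op { Const, Arg, Neg, Mul, Add, Sub };

struct Value;
using ValuePtr = std::shared_ptr<const Value>;

struct Value {
    Op op;
    int32_t constant = 0;  // Const
    int arg = 0;           // Arg index
    ValuePtr lhs, rhs;     // Neg uses lhs only
};

ValuePtr constant(int32_t c) { return std::make_shared<Value>(Value { Op::Const, c }); }
ValuePtr arg(int i) { return std::make_shared<Value>(Value { Op::Arg, 0, i }); }
ValuePtr unary(Op op, ValuePtr a) { return std::make_shared<Value>(Value { op, 0, 0, a, nullptr }); }
ValuePtr binary(Op op, ValuePtr a, ValuePtr b) { return std::make_shared<Value>(Value { op, 0, 0, a, b }); }

static bool isMul(const ValuePtr& v) { return v->op == Op::Mul; }
static bool isNeg(const ValuePtr& v) { return v->op == Op::Neg; }
// B3 values are SSA nodes, so "same value" is node identity; leaves (Args) keep their identity here.
static bool same(const ValuePtr& a, const ValuePtr& b) { return a == b; }

// Op(Mul(x1, x2), Mul(x1, x3)) in any of the four argument orders listed in the entry.
static bool matchDistributive(const ValuePtr& l, const ValuePtr& r, ValuePtr& x1, ValuePtr& x2, ValuePtr& x3)
{
    if (!isMul(l) || !isMul(r))
        return false;
    ValuePtr cands[2][2] = { { l->lhs, l->rhs }, { r->lhs, r->rhs } };
    for (int i = 0; i < 2; ++i)
        for (int j = 0; j < 2; ++j)
            if (same(cands[0][i], cands[1][j])) {
                x1 = cands[0][i]; x2 = cands[0][1 - i]; x3 = cands[1][1 - j];
                return true;
            }
    return false;
}

ValuePtr reduceStrength(ValuePtr v)
{
    if (v->op == Op::Const || v->op == Op::Arg)
        return v;
    ValuePtr a = reduceStrength(v->lhs);
    ValuePtr b = v->rhs ? reduceStrength(v->rhs) : ValuePtr();
    switch (v->op) {
    case Op::Neg:
        // Neg(Mul(value, c)) -> Mul(value, -c), declined when -c overflows: negating
        // INT32_MIN wraps back to INT32_MIN, so the folded constant would be wrong.
        if (isMul(a) && a->rhs->op == Op::Const && a->rhs->constant != std::numeric_limits<int32_t>::min())
            return binary(Op::Mul, a->lhs, constant(-a->rhs->constant));
        return unary(Op::Neg, a);
    case Op::Mul:
        // Mul(value, Neg(other)) and Mul(Neg(value), other) -> Neg(Mul(value, other))
        if (isNeg(b))
            return unary(Op::Neg, binary(Op::Mul, a, b->lhs));
        if (isNeg(a))
            return unary(Op::Neg, binary(Op::Mul, a->lhs, b));
        return binary(Op::Mul, a, b);
    case Op::Add:
    case Op::Sub: {
        ValuePtr x1, x2, x3;
        if (matchDistributive(a, b, x1, x2, x3))
            return binary(Op::Mul, x1, binary(v->op, x2, x3));  // Mul(x1, Op(x2, x3))
        return binary(v->op, a, b);
    }
    default:
        return v;
    }
}

// Wrapping 32-bit evaluation, as B3 Int32 arithmetic behaves.
int32_t evaluate(const ValuePtr& v, const int32_t* args)
{
    auto wrap = [](uint32_t u) { return static_cast<int32_t>(u); };
    switch (v->op) {
    case Op::Const: return v->constant;
    case Op::Arg: return args[v->arg];
    case Op::Neg: return wrap(0u - static_cast<uint32_t>(evaluate(v->lhs, args)));
    case Op::Mul: return wrap(static_cast<uint32_t>(evaluate(v->lhs, args)) * static_cast<uint32_t>(evaluate(v->rhs, args)));
    case Op::Add: return wrap(static_cast<uint32_t>(evaluate(v->lhs, args)) + static_cast<uint32_t>(evaluate(v->rhs, args)));
    case Op::Sub: return wrap(static_cast<uint32_t>(evaluate(v->lhs, args)) - static_cast<uint32_t>(evaluate(v->rhs, args)));
    }
    return 0;
}

std::string dump(const ValuePtr& v)
{
    switch (v->op) {
    case Op::Const: return std::to_string(v->constant);
    case Op::Arg: return "a" + std::to_string(v->arg);
    case Op::Neg: return "Neg(" + dump(v->lhs) + ")";
    case Op::Mul: return "Mul(" + dump(v->lhs) + ", " + dump(v->rhs) + ")";
    case Op::Add: return "Add(" + dump(v->lhs) + ", " + dump(v->rhs) + ")";
    case Op::Sub: return "Sub(" + dump(v->lhs) + ", " + dump(v->rhs) + ")";
    }
    return "?";
}

} // namespace reduce
```

        The evaluator is there to make the safety argument checkable: every rewrite must agree with the
        original tree for all inputs, and the INT32_MIN case is the one where a naive "-c" does not.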
2875
2876 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
2877
2878         [JSC] Remove distancing for LargeAllocation
2879         https://bugs.webkit.org/show_bug.cgi?id=196335
2880
2881         Reviewed by Saam Barati.
2882
2883         In r230226, we removed the distancing feature from our GC. This patch removes the remaining distancing code in LargeAllocation.
2884
2885         * heap/HeapCell.h:
2886         * heap/LargeAllocation.cpp:
2887         (JSC::LargeAllocation::tryCreate):
2888         * heap/MarkedBlock.h:
2889
2890 2019-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2891
2892         Delete WebMetal implementation in favor of WebGPU
2893         https://bugs.webkit.org/show_bug.cgi?id=195418
2894
2895         Reviewed by Dean Jackson.
2896
2897         * Configurations/FeatureDefines.xcconfig:
2898         * inspector/protocol/Canvas.json:
2899         * inspector/scripts/codegen/generator.py:
2900
2901 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
2902
2903         Assertion failed in JSC::createError
2904         https://bugs.webkit.org/show_bug.cgi?id=196305
2905         <rdar://problem/49387382>
2906
2907         Reviewed by Saam Barati.
2908
2909         JSC::createError assumes that `errorDescriptionForValue` will either
2910         throw an exception or return a valid description string. However, that
2911         is not true if the value is a rope string and we successfully resolve it,
2912         but later fail to wrap the string in quotes with `tryMakeString`.
2913
2914         * runtime/ExceptionHelpers.cpp:
2915         (JSC::createError):
2916
2917 2019-03-29  Devin Rousso  <drousso@apple.com>
2918
2919         Web Inspector: add fast returns for instrumentation hooks that have no effect before a frontend is connected
2920         https://bugs.webkit.org/show_bug.cgi?id=196382
2921         <rdar://problem/49403417>
2922
2923         Reviewed by Joseph Pecoraro.
2924
2925         Ensure that all instrumentation hooks use `FAST_RETURN_IF_NO_FRONTENDS` or check that
2926         `developerExtrasEnabled`. There should be no activity to/from any inspector objects until
2927         developer extras are enabled.
2928
2929         * inspector/agents/InspectorConsoleAgent.cpp:
2930         (Inspector::InspectorConsoleAgent::startTiming):
2931         (Inspector::InspectorConsoleAgent::stopTiming):
2932         (Inspector::InspectorConsoleAgent::count):
2933         (Inspector::InspectorConsoleAgent::addConsoleMessage):
2934
2935 2019-03-29  Cathie Chen  <cathiechen@igalia.com>
2936
2937         Implement ResizeObserver.
2938         https://bugs.webkit.org/show_bug.cgi?id=157743
2939
2940         Reviewed by Simon Fraser.
2941
2942         Add ENABLE_RESIZE_OBSERVER.
2943
2944         * Configurations/FeatureDefines.xcconfig:
2945
2946 2019-03-28  Michael Saboff  <msaboff@apple.com>
2947
2948         [YARR] Precompute BMP / non-BMP status when constructing character classes
2949         https://bugs.webkit.org/show_bug.cgi?id=196296
2950
2951         Reviewed by Keith Miller.
2952
2953         Changed CharacterClass::m_hasNonBMPCharacters into a character width bit field which
2954         indicates if the class includes characters from either BMP, non-BMP or both ranges.
2955         This allows the recognizing code to eliminate checks for the width of a matched
2956         character when the class has only one width.  The character width is needed to
2957         determine if we advance 1 or 2 characters.  Also, the pre-computed width of character
2958         classes that contain either all BMP or all non-BMP characters allows the parser to
2959         use fixed widths for terms using those character classes.  Changed both the code gen
2960         scripts and Yarr compiler to compute this bit field during the construction of
2961         character classes.
2962
2963         For JIT'ed code of character classes that contain either all BMP or all non-BMP
2964         characters, we can eliminate the generic check we were doing to compute how much
2965         to advance after successfully matching a character in the class.
2966
2967                 Generic isBMP check      BMP only            non-BMP only
2968                 --------------           --------------      --------------
2969                 inc %r9d                 inc %r9d            add $0x2, %r9d
2970                 cmp $0x10000, %eax
2971                 jl isBMP
2972                 cmp %edx, %esi
2973                 jz atEndOfString
2974                 inc %r9d
2975                 inc %esi
2976          isBMP:
2977
2978         For character classes that contained non-BMP characters, we were always generating
2979         the code in the left column.  The middle column is the code we generate for character
2980         classes that contain only BMP characters.  The right column is the code we now
2981         generate if the character class has only non-BMP characters.  In the fixed width cases,
2982         we can eliminate both the isBMP check as well as the atEndOfString check.  The
2983         atEndOfString check is eliminated since we know how many characters this character
2984         class requires and that check can be factored out to the beginning of the current
2985         alternative.  For character classes that contain both BMP and non-BMP characters,
2986         we still generate the generic left column.
2987
2988         This change is a ~8% perf progression on UniPoker and a ~2% improvement on RexBench
2989         as a whole.
2990
2991         * runtime/RegExp.cpp:
2992         (JSC::RegExp::matchCompareWithInterpreter):
2993         * runtime/RegExpInlines.h:
2994         (JSC::RegExp::matchInline):
2995         * yarr/YarrInterpreter.cpp:
2996         (JSC::Yarr::Interpreter::checkCharacterClassDontAdvanceInputForNonBMP):
2997         (JSC::Yarr::Interpreter::matchCharacterClass):
2998         * yarr/YarrJIT.cpp:
2999         (JSC::Yarr::YarrGenerator::optimizeAlternative):
3000         (JSC::Yarr::YarrGenerator::matchCharacterClass):
3001         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
3002         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
3003         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
3004         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
3005         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
3006         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
3007         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
3008         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
3009         (JSC::Yarr::YarrGenerator::generateEnter):
3010         (JSC::Yarr::YarrGenerator::YarrGenerator):
3011         (JSC::Yarr::YarrGenerator::compile):
3012         * yarr/YarrPattern.cpp:
3013         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
3014         (JSC::Yarr::CharacterClassConstructor::reset):
3015         (JSC::Yarr::CharacterClassConstructor::charClass):
3016         (JSC::Yarr::CharacterClassConstructor::addSorted):
3017         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
3018         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
3019         (JSC::Yarr::CharacterClassConstructor::characterWidths):
3020         (JSC::Yarr::PatternTerm::dump):
3021         (JSC::Yarr::anycharCreate):
3022         * yarr/YarrPattern.h:
3023         (JSC::Yarr::operator|):
3024         (JSC::Yarr::operator&):
3025         (JSC::Yarr::operator|=):
3026         (JSC::Yarr::CharacterClass::CharacterClass):
3027         (JSC::Yarr::CharacterClass::hasNonBMPCharacters):
3028         (JSC::Yarr::CharacterClass::hasOneCharacterSize):
3029         (JSC::Yarr::CharacterClass::hasOnlyNonBMPCharacters):
3030         (JSC::Yarr::PatternTerm::invert const):
3031         (JSC::Yarr::PatternTerm::invert): Deleted.
3032         * yarr/create_regex_tables:
3033         * yarr/generateYarrUnicodePropertyTables.py:
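
        As an added illustration of the fixed-width fast paths this entry describes (example code, not
        Yarr's interpreter or JIT; CharacterWidths, makeCharacterClass, matchCharacterClass and
        countLeadingMatches are hypothetical stand-ins for the Yarr structures named above), a UTF-16
        matcher that precomputes the class width and skips the isBMP and surrogate-pair checks when the
        class has a single width:

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

namespace yarr_example {

enum CharacterWidths : uint8_t { NoWidth = 0, HasBMPChars = 1, HasNonBMPChars = 2, HasBothWidths = 3 };

struct CharacterClass {
    std::vector<std::pair<uint32_t, uint32_t>> ranges;  // inclusive code point ranges
    uint8_t widths = NoWidth;
    bool hasOneCharacterSize() const { return widths == HasBMPChars || widths == HasNonBMPChars; }
    bool hasOnlyNonBMPCharacters() const { return widths == HasNonBMPChars; }
    bool contains(uint32_t cp) const
    {
        for (const auto& r : ranges)
            if (cp >= r.first && cp <= r.second)
                return true;
        return false;
    }
};

// Computes the width bit field at construction time, as the entry moves Yarr to do.
CharacterClass makeCharacterClass(std::vector<std::pair<uint32_t, uint32_t>> ranges)
{
    CharacterClass cc;
    cc.ranges = std::move(ranges);
    for (const auto& r : cc.ranges) {
        if (r.first <= 0xFFFF)
            cc.widths |= HasBMPChars;
        if (r.second > 0xFFFF)
            cc.widths |= HasNonBMPChars;
    }
    return cc;
}

static bool isHighSurrogate(char16_t u) { return u >= 0xD800 && u <= 0xDBFF; }
static bool isLowSurrogate(char16_t u) { return u >= 0xDC00 && u <= 0xDFFF; }
static uint32_t decodePair(char16_t hi, char16_t lo)
{
    return 0x10000 + ((static_cast<uint32_t>(hi) - 0xD800) << 10) + (static_cast<uint32_t>(lo) - 0xDC00);
}

// Tries to match one character of `cc` at `index` in a UTF-16 subject. On success
// advances `index` by 1 or 2 code units and returns true.
bool matchCharacterClass(const CharacterClass& cc, const char16_t* subject, size_t length, size_t& index)
{
    if (index >= length)
        return false;
    if (cc.hasOnlyNonBMPCharacters()) {
        // Fixed width 2 ("add $0x2" column): the only possible match is a surrogate pair.
        if (index + 1 >= length || !isHighSurrogate(subject[index]) || !isLowSurrogate(subject[index + 1]))
            return false;
        if (!cc.contains(decodePair(subject[index], subject[index + 1])))
            return false;
        index += 2;
        return true;
    }
    if (cc.widths == HasBMPChars) {
        // Fixed width 1 ("inc" column): a surrogate pair decodes to a non-BMP code point,
        // which cannot be in a BMP-only class, so there is no isBMP check to do.
        if (isHighSurrogate(subject[index]) && index + 1 < length && isLowSurrogate(subject[index + 1]))
            return false;
        if (!cc.contains(subject[index]))
            return false;
        index += 1;
        return true;
    }
    // Generic path (both widths): decode, match, then advance by the decoded width.
    uint32_t cp = subject[index];
    size_t width = 1;
    if (isHighSurrogate(subject[index]) && index + 1 < length && isLowSurrogate(subject[index + 1])) {
        cp = decodePair(subject[index], subject[index + 1]);
        width = 2;
    }
    if (!cc.contains(cp))
        return false;
    index += width;
    return true;
}

// Counts how many consecutive characters from the start of `subject` match `cc`.
size_t countLeadingMatches(const CharacterClass& cc, const std::u16string& subject)
{
    size_t index = 0, count = 0;
    while (matchCharacterClass(cc, subject.data(), subject.size(), index))
        ++count;
    return count;
}

} // namespace yarr_example
```

        The bounds check that remains in the non-BMP path is the one the entry says the JIT hoists to
        the start of the alternative once the term's width is known to be fixed.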
3034
3035 2019-03-28  Saam Barati  <sbarati@apple.com>
3036
3037         BackwardsGraph needs to consider back edges as the backward's root successor
3038         https://bugs.webkit.org/show_bug.cgi?id=195991
3039
3040         Reviewed by Filip Pizlo.
3041
3042         * b3/testb3.cpp:
3043         (JSC::B3::testInfiniteLoopDoesntCauseBadHoisting):
3044         (JSC::B3::run):
3045
3046 2019-03-28  Fujii Hironori  <Hironori.Fujii@sony.com>
3047
3048         Opcode.h(159,27): warning: adding 'unsigned int' to a string does not append to the string [-Wstring-plus-int]
3049         https://bugs.webkit.org/show_bug.cgi?id=196343
3050
3051         Reviewed by Saam Barati.
3052
3053         Clang reports a compilation warning and recommends '&PADDING_STRING[PADDING_STRING_LENGTH]'
3054         instead of 'PADDING_STRING + PADDING_STRING_LENGTH'.
3055
3056         * bytecode/Opcode.cpp:
3057         (JSC::padOpcodeName): Moved padOpcodeName from Opcode.h because
3058         this function is used only in Opcode.cpp. Changed macros
3059         PADDING_STRING and PADDING_STRING_LENGTH to simple variables.
3060         (JSC::compareOpcodePairIndices): Replaced pair with std::pair.
3061         * bytecode/Opcode.h:
3062         (JSC::padOpcodeName): Moved.
3063
3064 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
3065
3066         CodeBlock::jettison() should disallow repatching its own calls
3067         https://bugs.webkit.org/show_bug.cgi?id=196359
3068         <rdar://problem/48973663>
3069
3070         Reviewed by Saam Barati.
3071
3072         CodeBlock::jettison() calls CommonData::invalidate, which replaces the `hlt`
3073         instruction with the jump to OSR exit. However, if the `hlt` was immediately
3074         followed by a call to the CodeBlock being jettisoned, we would write over the
3075         OSR exit address while unlinking all the incoming CallLinkInfos later in
3076         CodeBlock::jettison().
3077
3078         Change it so that we set a flag, `clearedByJettison`, in all the CallLinkInfos
3079         owned by the CodeBlock being jettisoned. If the flag is set, we will avoid
3080         repatching the call during unlinking. This is safe because this call will never
3081         be reachable again after the CodeBlock is jettisoned.
3082
3083         * bytecode/CallLinkInfo.cpp:
3084         (JSC::CallLinkInfo::CallLinkInfo):
3085         (JSC::CallLinkInfo::setCallee):
3086         (JSC::CallLinkInfo::clearCallee):
3087         (JSC::CallLinkInfo::setCodeBlock):
3088         (JSC::CallLinkInfo::clearCodeBlock):
3089         * bytecode/CallLinkInfo.h:
3090         (JSC::CallLinkInfo::clearedByJettison):
3091         (JSC::CallLinkInfo::setClearedByJettison):
3092         * bytecode/CodeBlock.cpp:
3093         (JSC::CodeBlock::jettison):
3094         * jit/Repatch.cpp:
3095         (JSC::revertCall):
3096
3097 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
3098
3099         [JSC] Drop VM and Context cache map in JavaScriptCore.framework
3100         https://bugs.webkit.org/show_bug.cgi?id=196341
3101
3102         Reviewed by Saam Barati.
3103
3104         Previously, we created Objective-C weak maps to maintain the JSVirtualMachine and JSContext wrappers corresponding to VM and JSGlobalObject.
3105         But an Objective-C weak map is really memory costly. Even if there is only one entry, it consumes 2.5KB per weak map. Since we can modify
3106         JSC intrusively for JavaScriptCore.framework (and we already did it, like, holding JSWrapperMap in JSGlobalObject), we can just hold
3107         a pointer to a wrapper in VM and JSGlobalObject.
3108
3109         This patch adds void* members to VM and JSGlobalObject, which hold a non-strong reference to a wrapper. When a wrapper is gone, we
3110         clear this pointer too. This removes two unnecessary Objective-C weak maps, and saves 5KB.
3111
3112         * API/JSContext.mm:
3113         (-[JSContext initWithVirtualMachine:]):
3114         (-[JSContext dealloc]):
3115         (-[JSContext initWithGlobalContextRef:]):
3116         (-[JSContext wrapperMap]):
3117         (+[JSContext contextWithJSGlobalContextRef:]):
3118         * API/JSVirtualMachine.mm:
3119         (-[JSVirtualMachine initWithContextGroupRef:]):
3120         (-[JSVirtualMachine dealloc]):
3121         (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
3122         (scanExternalObjectGraph):
3123         (scanExternalRememberedSet):
3124         (initWrapperCache): Deleted.
3125         (wrapperCache): Deleted.
3126         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Deleted.
3127         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Deleted.
3128         (-[JSVirtualMachine contextForGlobalContextRef:]): Deleted.
3129         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Deleted.
3130         * API/JSVirtualMachineInternal.h:
3131         * runtime/JSGlobalObject.h:
3132         (JSC::JSGlobalObject::setAPIWrapper):
3133         (JSC::JSGlobalObject::apiWrapper const):
3134         * runtime/VM.h:
3135
3136 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
3137
3138         In-memory code cache should not share bytecode across domains
3139         https://bugs.webkit.org/show_bug.cgi?id=196321
3140
3141         Reviewed by Geoffrey Garen.
3142
3143         Use the SourceProvider's URL to make sure that the hosts match for the
3144         two SourceCodeKeys in operator==.
3145
3146         * parser/SourceCodeKey.h:
3147         (JSC::SourceCodeKey::host const):
3148         (JSC::SourceCodeKey::operator== const):
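
        As an added illustration of keying the cache on the provider's host (example code, not JSC's
        SourceCodeKey; hostOf, CodeCache and countCompilations are hypothetical, and the real key also
        carries parser flags and offsets this example omits), a key whose equality requires matching
        hosts and a toy in-memory cache showing that the same script text loaded from two hosts is
        compiled twice rather than shared:

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <string_view>
#include <vector>

namespace codecache {

// Returns the lowercased host of an absolute URL (scheme://[userinfo@]host[:port]/...),
// keeping IPv6 literals in their brackets; returns "" for anything it cannot parse.
std::string hostOf(std::string_view url)
{
    constexpr auto npos = std::string_view::npos;
    size_t schemeEnd = url.find("://");
    if (schemeEnd == npos)
        return {};
    std::string_view authority = url.substr(schemeEnd + 3);
    authority = authority.substr(0, authority.find_first_of("/?#"));  // authority ends at path/query/fragment
    size_t at = authority.rfind('@');
    if (at != npos)
        authority = authority.substr(at + 1);                          // drop userinfo
    std::string host;
    if (!authority.empty() && authority.front() == '[') {
        size_t close = authority.find(']');
        if (close == npos)
            return {};
        host = std::string(authority.substr(0, close + 1));
    } else
        host = std::string(authority.substr(0, authority.find(':')));  // drop port
    for (char& c : host)                                               // hosts compare case-insensitively
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return host;
}

struct SourceCodeKey {
    std::string source;  // the script text
    std::string url;     // the SourceProvider's URL
    std::string host() const { return hostOf(url); }
    bool operator==(const SourceCodeKey& other) const
    {
        // Identical text from a different host must not share bytecode.
        return source == other.source && host() == other.host();
    }
};

class CodeCache {
public:
    // Returns true on a cache hit; on a miss records the key as newly compiled.
    bool fetchOrCompile(const SourceCodeKey& key)
    {
        for (const SourceCodeKey& entry : m_entries)
            if (entry == key)
                return true;
        m_entries.push_back(key);
        return false;
    }
private:
    std::vector<SourceCodeKey> m_entries;
};

// Number of distinct compilations a sequence of script loads causes.
size_t countCompilations(const std::vector<SourceCodeKey>& loads)
{
    CodeCache cache;
    size_t compilations = 0;
    for (const SourceCodeKey& key : loads)
        if (!cache.fetchOrCompile(key))
            ++compilations;
    return compilations;
}

} // namespace codecache
```

        Without the host comparison the cache below would compile the constructed script once and hand
        the same bytecode to both hosts; with it, a.example and B.example each get their own entry while
        different paths on a.example still share.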
3149
3150 2019-03-28  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
3151
3152         Silence a lot of warnings when compiling with clang
3153         https://bugs.webkit.org/show_bug.cgi?id=196310
3154
3155         Reviewed by Michael Catanzaro.
3156
3157         Initialize variable with default constructor.
3158
3159         * API/glib/JSCOptions.cpp:
3160         (jsc_options_foreach):
3161
3162 2019-03-27  Saam Barati  <sbarati@apple.com>
3163
3164         validateOSREntryValue with Int52 should box the value being checked into double format
3165         https://bugs.webkit.org/show_bug.cgi?id=196313
3166         <rdar://problem/49306703>
3167
3168         Reviewed by Yusuke Suzuki.
3169
3170         * dfg/DFGOSREntry.cpp:
3171         (JSC::DFG::prepareOSREntry):
3172         * ftl/FTLLowerDFGToB3.cpp:
3173         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
3174
3175 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
3176
3177         [JSC] Owner of watchpoints should validate at GC finalizing phase
3178         https://bugs.webkit.org/show_bug.cgi?id=195827
3179
3180         Reviewed by Filip Pizlo.
3181
3182         This patch fixes JSC's watchpoint liveness issue by the following two policies.
3183
3184         1. Watchpoints should have an owner cell, and the "fire" operation should be guarded with the owner cell's isLive check.
3185
3186         Watchpoints should hold their owner cell, and the fire procedure should be guarded by `owner->isLive()`.
3187         When the owner cell is destroyed, these watchpoints are destroyed too. But this destruction can
3188         be delayed due to the incremental sweeper. So the following condition can happen.
3189
3190         When we have a watchpoint like the following.
3191
3192             class XXXWatchpoint {
3193                 ObjectPropertyCondition m_key;
3194                 JSCell* m_owner;
3195             };
3196
3197         Both m_key's cell and m_owner are now unreachable from the root. So eventually, m_owner cell's destructor
3198         is called and this watchpoint will be destroyed. But before that, m_key's cell can be destroyed. And this
3199         watchpoint's fire procedure can be called since m_owner's destructor has not been called yet. In this situation,
3200         we encounter the destroyed cell held in m_key. This problem can be avoided if we guard the fire procedure with
3201         `m_owner->isLive()`. Until the owner cell is destroyed, this guard avoids executing the "fire" procedure. And
3202         once the destructor of m_owner is called, this watchpoint will be destroyed too.
3203
3204         2. Watchpoint liveness should be maintained by owner cell's unconditional finalizer
3205
3206         Watchpoints often hold weak references to other cells (like m_key in the above example). If we do not
3207         delete watchpoints with dead cells when these weak cells become dead, these watchpoints continue holding dead cells,
3208         and the watchpoint's fire operation can use these dead cells accidentally. isLive / isStillLive checks for these weak cells
3209         in the fire operation are not useful, because these dead cells can eventually be reused for other live cells, and
3210         these isLive / isStillLive checks then wrongly see the reused cells as live. The appropriate way is to delete watchpoints
3211         with dead cells when finalizing GC. In this patch, we do this in the unconditional finalizers of the owner cells of watchpoints.
3212         We already did this in CodeBlock etc. We add the same thing to StructureRareData, which owns watchpoints for toString operations.
3213
3214         * JavaScriptCore.xcodeproj/project.pbxproj:
3215         * Sources.txt:
3216         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
3217         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::StructureWatchpoint): Deleted.
3218         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::PropertyWatchpoint): Deleted.
3219         * bytecode/CodeBlockJettisoningWatchpoint.h:
3220         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): Deleted.
3221         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3222         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
3223         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3224         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3225         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): Deleted.
3226         * bytecode/StructureStubClearingWatchpoint.cpp:
3227         (JSC::StructureStubClearingWatchpoint::fireInternal):
3228         (JSC::WatchpointsOnStructureStubInfo::isValid const):
3229         * bytecode/StructureStubClearingWatchpoint.h:
3230         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): Deleted.
3231         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
3232         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::isValid const):
3233         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
3234         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
3235         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
3236         * dfg/DFGAdaptiveStructureWatchpoint.h:
3237         (JSC::DFG::AdaptiveStructureWatchpoint::key const): Deleted.
3238         * dfg/DFGDesiredWatchpoints.cpp:
3239         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
3240         * heap/Heap.cpp:
3241         (JSC::Heap::finalizeUnconditionalFinalizers):
3242         * llint/LLIntSlowPaths.cpp:
3243         (JSC::LLInt::setupGetByIdPrototypeCache):
3244         * runtime/ArrayBuffer.cpp:
3245         (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
3246         * runtime/ArrayBufferNeuteringWatchpointSet.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp.
3247         (JSC::ArrayBufferNeuteringWatchpointSet::ArrayBufferNeuteringWatchpointSet):
3248         (JSC::ArrayBufferNeuteringWatchpointSet::destroy):
3249         (JSC::ArrayBufferNeuteringWatchpointSet::create):
3250         (JSC::ArrayBufferNeuteringWatchpointSet::createStructure):
3251         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
3252         * runtime/ArrayBufferNeuteringWatchpointSet.h: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h.
3253         * runtime/FunctionRareData.h:
3254         * runtime/JSGlobalObject.cpp:
3255         (JSC::JSGlobalObject::init):
3256         (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
3257         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
3258         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint): Deleted.
3259         * runtime/StructureRareData.cpp:
3260         (JSC::StructureRareData::finalizeUnconditionally):
3261         * runtime/StructureRareData.h:
3262         * runtime/VM.cpp:
3263         (JSC::VM::VM):
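
        The two policies above, as an added toy model in C++ (this is not JSC's code): a Cell, Watchpoint and Heap with mark, unconditional-finalize and incremental-sweep steps are constructed here so the two failure modes can be reproduced. policy1UnsafeReads shows what the `owner->isLive()` guard prevents; staleWatchpointsLookingLive shows why the finalizer, and not an isLive check on the key, is what has to remove watchpoints whose weak key died.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

struct Cell;
static int g_useAfterFree = 0;  // toy sanitizer: counts reads of destroyed cells

// Like XXXWatchpoint above: owner keeps us alive, key is only a weak reference.
struct Watchpoint {
    Cell* owner;
    Cell* key;
    Watchpoint(Cell* o, Cell* k) : owner(o), key(k) {}
    bool fire(bool guarded);
};

// A toy GC cell. An unmarked cell counts as dead as soon as marking finishes,
// even though the incremental sweeper may not have destroyed it yet.
struct Cell {
    std::vector<std::unique_ptr<Watchpoint>> owned;  // watchpoints this cell owns
    bool marked = true;                              // fresh cells start out live
    bool destroyed = false;
    bool isLive() const { return marked && !destroyed; }
};

// Policy 1: refuse to run the fire procedure unless the owner is still live.
bool Watchpoint::fire(bool guarded) {
    if (guarded && !owner->isLive()) return false;
    if (key->destroyed) ++g_useAfterFree;  // in a real heap this read is a UAF
    return true;
}

struct Heap {
    std::vector<std::unique_ptr<Cell>> cells;
    std::vector<Cell*> roots;

    Cell* allocate() {
        cells.push_back(std::make_unique<Cell>());
        return cells.back().get();
    }
    Watchpoint* addWatchpoint(Cell* owner, Cell* key) {
        owner->owned.push_back(std::make_unique<Watchpoint>(owner, key));
        return owner->owned.back().get();
    }
    // Mark phase (roots only, for brevity). Keys are weak: no watchpoint marks its key.
    void mark() {
        for (auto& c : cells) c->marked = false;
        for (Cell* r : roots) r->marked = true;
    }
    // Policy 2: each live owner drops the watchpoints whose weak key just died,
    // before the sweeper frees that key and hands its memory to a new cell.
    void finalizeUnconditionally() {
        for (auto& c : cells) {
            if (!c->isLive()) continue;
            auto& wps = c->owned;
            wps.erase(std::remove_if(wps.begin(), wps.end(),
                          [](const std::unique_ptr<Watchpoint>& w) { return !w->key->marked; }),
                      wps.end());
        }
    }
    // Incremental sweeper: destroys one dead cell (a real heap would free it).
    void sweepOne(Cell* c) {
        c->destroyed = true;
        c->owned.clear();  // an owner's destructor destroys its watchpoints
    }
};

// Owner and key both unreachable; the sweeper reaches the key first, and the
// watchpoint fires before the owner is swept. Returns the number of UAF reads.
int policy1UnsafeReads(bool guarded) {
    g_useAfterFree = 0;
    Heap heap;
    Cell* owner = heap.allocate();
    Cell* key = heap.allocate();
    Watchpoint* wp = heap.addWatchpoint(owner, key);
    heap.mark();                     // no roots: both cells are now dead
    heap.finalizeUnconditionally();  // owner is dead, so it is not finalized
    heap.sweepOne(key);              // key destroyed, owner not yet
    wp->fire(guarded);
    return g_useAfterFree;
}

// Owner stays live, key dies and its slot is reused by a new cell. Without the
// finalizer the stale watchpoint now points at a cell whose isLive() is true.
int staleWatchpointsLookingLive(bool runFinalizer) {
    Heap heap;
    Cell* owner = heap.allocate();
    Cell* key = heap.allocate();
    heap.addWatchpoint(owner, key);
    heap.roots = {owner};
    heap.mark();
    if (runFinalizer) heap.finalizeUnconditionally();
    heap.sweepOne(key);
    key->destroyed = false; key->marked = true;  // slot reused by a new, live cell
    int stale = 0;
    for (auto& w : owner->owned) if (w->key->isLive()) ++stale;
    return stale;
}
```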
3264
3265 2019-03-26  Saam Barati  <sbarati@apple.com>
3266
3267         FTL: Emit code to validate AI's state when running the compiled code
3268         https://bugs.webkit.org/show_bug.cgi?id=195924
3269         <rdar://problem/49003422>
3270
3271         Reviewed by Filip Pizlo.
3272
3273         This patch adds code that, between the execution of each node, validates
3274         the types that AI proves. This option is too expensive to turn on for our
3275         regression testing, but we think it will be valuable in other types of running
3276         modes, such as when running with a fuzzer.
3277         
3278         This patch also adds options to only probabilistically run this validation
3279         after the execution of each node. As the probability is lowered, there is
3280         less of a perf hit.
3281         
3282         This patch just adds this validation in the FTL. A follow-up patch will land
3283         it in the DFG too: https://bugs.webkit.org/show_bug.cgi?id=196219
3284
3285         * ftl/FTLLowerDFGToB3.cpp:
3286         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
3287         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
3288         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
3289         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3290         (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
3291         * runtime/Options.h:
3292
3293 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
3294
3295         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
3296         https://bugs.webkit.org/show_bug.cgi?id=196217
3297
3298         Reviewed by Saam Barati.
3299
3300         Generalize the fix for f32.max from r243446, which properly handles NaN by doing an extra GreaterThan
3301         comparison, to all min and max float operations.
3302
3303         * wasm/WasmAirIRGenerator.cpp:
3304         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
3305         (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax):
3306         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
3307         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
3308         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
3309         * wasm/wasm.json:
3310
3311 2019-03-26  Andy VanWagoner  <andy@vanwagoner.family>
3312
3313         Intl.DateTimeFormat should obey 2-digit hour
3314         https://bugs.webkit.org/show_bug.cgi?id=195974
3315
3316         Reviewed by Keith Miller.
3317
3318         * runtime/IntlDateTimeFormat.cpp:
3319         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3320
3321 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
3322
3323         Heap::isMarked and friends should be instance methods
3324         https://bugs.webkit.org/show_bug.cgi?id=179988
3325
3326         Reviewed by Saam Barati.
3327
3328         Almost all the callers of Heap::isMarked have a VM& reference. We should make Heap::isMarked an instance function instead of a static function
3329         so that we do not need to look up the Heap from the cell.
3330
3331         * API/JSAPIWrapperObject.mm:
3332         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
3333         * API/JSMarkingConstraintPrivate.cpp:
3334         (JSC::isMarked):
3335         * API/glib/JSAPIWrapperObjectGLib.cpp:
3336         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
3337         * builtins/BuiltinExecutables.cpp:
3338         (JSC::BuiltinExecutables::finalizeUnconditionally):
3339         * bytecode/AccessCase.cpp:
3340         (JSC::AccessCase::visitWeak const):
3341         (JSC::AccessCase::propagateTransitions const):
3342         * bytecode/CallLinkInfo.cpp:
3343         (JSC::CallLinkInfo::visitWeak):
3344         * bytecode/CallLinkStatus.cpp:
3345         (JSC::CallLinkStatus::finalize):
3346         * bytecode/CallLinkStatus.h:
3347         * bytecode/CallVariant.cpp:
3348         (JSC::CallVariant::finalize):
3349         * bytecode/CallVariant.h:
3350         * bytecode/CodeBlock.cpp:
3351         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
3352         (JSC::CodeBlock::shouldJettisonDueToOldAge):
3353         (JSC::shouldMarkTransition):
3354         (JSC::CodeBlock::propagateTransitions):
3355         (JSC::CodeBlock::determineLiveness):
3356         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3357         (JSC::CodeBlock::finalizeUnconditionally):
3358         (JSC::CodeBlock::jettison):
3359         * bytecode/CodeBlock.h:
3360         * bytecode/ExecutableToCodeBlockEdge.cpp:
3361         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3362         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
3363         (JSC::ExecutableToCodeBlockEdge::runConstraint):
3364         * bytecode/GetByIdStatus.cpp:
3365         (JSC::GetByIdStatus::finalize):
3366         * bytecode/GetByIdStatus.h:
3367         * bytecode/GetByIdVariant.cpp:
3368         (JSC::GetByIdVariant::finalize):
3369         * bytecode/GetByIdVariant.h:
3370         * bytecode/InByIdStatus.cpp:
3371         (JSC::InByIdStatus::finalize):
3372         * bytecode/InByIdStatus.h:
3373         * bytecode/InByIdVariant.cpp:
3374         (JSC::InByIdVariant::finalize):
3375         * bytecode/InByIdVariant.h:
3376         * bytecode/ObjectPropertyCondition.cpp:
3377         (JSC::ObjectPropertyCondition::isStillLive const):
3378         * bytecode/ObjectPropertyCondition.h:
3379         * bytecode/ObjectPropertyConditionSet.cpp:
3380         (JSC::ObjectPropertyConditionSet::areStillLive const):
3381         * bytecode/ObjectPropertyConditionSet.h:
3382         * bytecode/PolymorphicAccess.cpp:
3383         (JSC::PolymorphicAccess::visitWeak const):
3384         * bytecode/PropertyCondition.cpp:
3385         (JSC::PropertyCondition::isStillLive const):
3386         * bytecode/PropertyCondition.h:
3387         * bytecode/PutByIdStatus.cpp:
3388         (JSC::PutByIdStatus::finalize):
3389         * bytecode/PutByIdStatus.h:
3390         * bytecode/PutByIdVariant.cpp:
3391         (JSC::PutByIdVariant::finalize):
3392         * bytecode/PutByIdVariant.h:
3393         * bytecode/RecordedStatuses.cpp:
3394         (JSC::RecordedStatuses::finalizeWithoutDeleting):
3395         (JSC::RecordedStatuses::finalize):
3396         * bytecode/RecordedStatuses.h:
3397         * bytecode/StructureSet.cpp:
3398         (JSC::StructureSet::isStillAlive const):
3399         * bytecode/StructureSet.h:
3400         * bytecode/StructureStubInfo.cpp:
3401         (JSC::StructureStubInfo::visitWeakReferences):
3402         * dfg/DFGPlan.cpp:
3403         (JSC::DFG::Plan::finalizeInGC):
3404         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
3405         * heap/GCIncomingRefCounted.h:
3406         * heap/GCIncomingRefCountedInlines.h:
3407         (JSC::GCIncomingRefCounted<T>::filterIncomingReferences):
3408         * heap/GCIncomingRefCountedSet.h:
3409         * heap/GCIncomingRefCountedSetInlines.h:
3410         (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
3411         (JSC::GCIncomingRefCountedSet<T>::sweep):
3412         (JSC::GCIncomingRefCountedSet<T>::removeAll): Deleted.
3413         (JSC::GCIncomingRefCountedSet<T>::removeDead): Deleted.
3414         * heap/Heap.cpp:
3415         (JSC::Heap::addToRememberedSet):
3416         (JSC::Heap::runEndPhase):
3417         (JSC::Heap::sweepArrayBuffers):
3418         (JSC::Heap::addCoreConstraints):
3419         * heap/Heap.h:
3420         * heap/HeapInlines.h:
3421         (JSC::Heap::isMarked):
3422         * heap/HeapSnapshotBuilder.cpp:
3423         (JSC::HeapSnapshotBuilder::appendNode):
3424         * heap/SlotVisitor.cpp:
3425         (JSC::SlotVisitor::appendToMarkStack):
3426         (JSC::SlotVisitor::visitChildren):
3427         * jit/PolymorphicCallStubRoutine.cpp:
3428         (JSC::PolymorphicCallStubRoutine::visitWeak):
3429         * runtime/ErrorInstance.cpp:
3430         (JSC::ErrorInstance::finalizeUnconditionally):
3431         * runtime/InferredValueInlines.h:
3432         (JSC::InferredValue::finalizeUnconditionally):
3433         * runtime/StackFrame.h:
3434         (JSC::StackFrame::isMarked const):
3435         * runtime/Structure.cpp:
3436         (JSC::Structure::isCheapDuringGC):
3437         (JSC::Structure::markIfCheap):
3438         * runtime/Structure.h:
3439         * runtime/TypeProfiler.cpp:
3440         (JSC::TypeProfiler::invalidateTypeSetCache):
3441         * runtime/TypeProfiler.h:
3442         * runtime/TypeSet.cpp:
3443         (JSC::TypeSet::invalidateCache):
3444         * runtime/TypeSet.h:
3445         * runtime/WeakMapImpl.cpp:
3446         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
3447         * runtime/WeakMapImplInlines.h:
3448         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
3449
3450 2019-03-25  Keith Miller  <keith_miller@apple.com>
3451
3452         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
3453         https://bugs.webkit.org/show_bug.cgi?id=196176
3454
3455         Reviewed by Saam Barati.
3456
3457         convertToCompareEqPtr should allow for either CompareStrictEq or
3458         the SameValue DFG node. This fixes the old assertion that only
3459         allowed CompareStrictEq.
3460
3461         * dfg/DFGNode.h:
3462         (JSC::DFG::Node::convertToCompareEqPtr):
3463
3464 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
3465
3466         WebAssembly: f32.max with NaN generates incorrect result
3467         https://bugs.webkit.org/show_bug.cgi?id=175691
3468         <rdar://problem/33952228>
3469
3470         Reviewed by Saam Barati.
3471
3472         Fix the B3 and Air compilation for f32.max. In order to handle the NaN
3473         case, we need an extra GreaterThan comparison on top of the existing
3474         Equal and LessThan ones.
3475
3476         * wasm/WasmAirIRGenerator.cpp:
3477         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
3478         * wasm/wasm.json:
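
        The comparison sequence described in this entry and in the 2019-03-26 f32.min/f64.min/f64.max entry above, as an added C++ example (not the project's lowering code): one minOrMax routine for all four operations, beside a reconstruction of the Equal-then-LessThan version that mishandles NaN. How the unordered and equal cases are resolved here (summing the operands to produce a NaN, bitwise AND/OR to pick the signed zero) is this example's choice, consistent with Wasm semantics.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// When a == b the only remaining question is the sign of zero: Wasm wants
// fmax(+0, -0) = +0 and fmin(+0, -0) = -0, which bitwise AND / OR of the
// representations produce (for equal non-zero values both give that value).
template <typename F, typename U>
static F pickSignedZero(F a, F b, bool isMax) {
    static_assert(sizeof(F) == sizeof(U), "bit pattern type must match the float type");
    U ua, ub;
    std::memcpy(&ua, &a, sizeof ua);
    std::memcpy(&ub, &b, sizeof ub);
    U ur = isMax ? (ua & ub) : (ua | ub);
    F r;
    std::memcpy(&r, &ur, sizeof r);
    return r;
}

// Reconstruction of the f32.max lowering before the fix: Equal, then LessThan.
// Every comparison involving a NaN is false, so the fall-through returns `a`
// even when `b` is the NaN.
float f32MaxBeforeFix(float a, float b) {
    if (a == b) return pickSignedZero<float, uint32_t>(a, b, true);
    if (a < b) return b;
    return a;  // meant for a > b, but also reached in the unordered (NaN) case
}

// Shared lowering for all four operations, in the spirit of
// addFloatingPointMinOrMax: Equal, LessThan, then the extra GreaterThan that
// isolates the unordered case, where summing the operands yields a NaN.
template <typename F, typename U>
static F minOrMax(F a, F b, bool isMax) {
    if (a == b) return pickSignedZero<F, U>(a, b, isMax);
    if (a < b) return isMax ? b : a;
    if (a > b) return isMax ? a : b;
    return a + b;  // at least one operand is NaN, and NaN + x is NaN
}

float f32Min(float a, float b) { return minOrMax<float, uint32_t>(a, b, false); }
float f32Max(float a, float b) { return minOrMax<float, uint32_t>(a, b, true); }
double f64Min(double a, double b) { return minOrMax<double, uint64_t>(a, b, false); }
double f64Max(double a, double b) { return minOrMax<double, uint64_t>(a, b, true); }

int main() {
    std::printf("f32.max(1, NaN): before fix = %g, fixed = %g\n",
                f32MaxBeforeFix(1.0f, NAN), f32Max(1.0f, NAN));
    std::printf("f32.max(+0, -0) = %g, f32.min(+0, -0) = %g\n",
                f32Max(0.0f, -0.0f), f32Min(0.0f, -0.0f));
    return 0;
}
```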
3479
3480 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
3481
3482         Unreviewed, speculative fix for CLoop build on CPU(UNKNOWN)
3483         https://bugs.webkit.org/show_bug.cgi?id=195982
3484
3485         * jit/ExecutableAllocator.h:
3486         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
3487
3488 2019-03-25  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
3489
3490         Remove NavigatorContentUtils in WebCore/Modules
3491         https://bugs.webkit.org/show_bug.cgi?id=196070
3492
3493         Reviewed by Alex Christensen.
3494
3495         NavigatorContentUtils was there to support the custom scheme spec [1].
3496         However, on the WebKit side, no port has supported the feature in the
3497         WebKit layer since the EFL port was removed. So there has been only
3498         the IDL implementation of NavigatorContentUtils in WebCore, and
3499         we don't need to keep the implementation in WebCore anymore.
3500
3501         [1] https://html.spec.whatwg.org/multipage/system-state.html#custom-handlers
3502
3503         * Configurations/FeatureDefines.xcconfig:
3504
3505 2019-03-23  Mark Lam  <mark.lam@apple.com>
3506
3507         Rolling out r243032 and r243071 because the fix is incorrect.
3508         https://bugs.webkit.org/show_bug.cgi?id=195892
3509         <rdar://problem/48981239>
3510
3511         Not reviewed.
3512
3513         The fix is incorrect: it relies on being able to determine liveness of an object
3514         in an ObjectPropertyCondition based on the state of the object's MarkedBit.
3515         However, there's no guarantee that GC has run and that the MarkedBit is already
3516         set even if the object is live.  As a result, we may not re-install adaptive
3517         watchpoints based on presumed dead objects which are actually live.
3518
3519         I'm rolling this out, and will implement a more comprehensive fix to handle
3520         watchpoint liveness later.
3521
3522         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
3523         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
3524         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3525         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3526         * bytecode/ObjectPropertyCondition.cpp:
3527         (JSC::ObjectPropertyCondition::dumpInContext const):
3528         * bytecode/StructureStubClearingWatchpoint.cpp:
3529         (JSC::StructureStubClearingWatchpoint::fireInternal):
3530         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
3531         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
3532         * runtime/StructureRareData.cpp:
3533         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3534
3535 2019-03-23  Keith Miller  <keith_miller@apple.com>
3536
3537         Refactor clz/ctz and fix getLSBSet.
3538         https://bugs.webkit.org/show_bug.cgi?id=196162
3539
3540         Reviewed by Saam Barati.
3541
3542         Refactor references of clz32/64 and ctz32 to use clz and ctz,
3543         respectively.
3544
3545         * dfg/DFGAbstractInterpreterInlines.h:
3546         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3547         * dfg/DFGOperations.cpp:
3548         * runtime/JSBigInt.cpp:
3549         (JSC::JSBigInt::digitDiv):
3550         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
3551         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3552         (JSC::JSBigInt::toStringBasePowerOfTwo):
3553         (JSC::JSBigInt::compareToDouble):
3554         * runtime/MathObject.cpp:
3555         (JSC::mathProtoFuncClz32):
3556
3557 2019-03-23  Yusuke Suzuki  <ysuzuki@apple.com>
3558
3559         [JSC] Shrink sizeof(RegExp)
3560         https://bugs.webkit.org/show_bug.cgi?id=196133
3561
3562         Reviewed by Mark Lam.
3563
3564         Some applications have many RegExp cells, but RegExp cells are very large (144B).
3565         This patch reduces the size from 144B to 48B by:
3566
3567         1. Allocating Yarr::YarrCodeBlock in the non-GC heap. We can avoid this allocation if the JIT is disabled.
3568         2. Moving m_captureGroupNames and m_namedGroupToParenIndex to RareData. They are only used when the RegExp has named capture groups.
3569
3570         * runtime/RegExp.cpp:
3571         (JSC::RegExp::finishCreation):
3572         (JSC::RegExp::estimatedSize):
3573         (JSC::RegExp::compile):
3574         (JSC::RegExp::matchConcurrently):
3575         (JSC::RegExp::compileMatchOnly):
3576         (JSC::RegExp::deleteCode):
3577         (JSC::RegExp::printTraceData):
3578         * runtime/RegExp.h:
3579         * runtime/RegExpInlines.h:
3580         (JSC::RegExp::hasCodeFor):
3581         (JSC::RegExp::matchInline):
3582         (JSC::RegExp::hasMatchOnlyCodeFor):
3583
3584 2019-03-22  Keith Rollin  <krollin@apple.com>
3585
3586         Enable ThinLTO support in Production builds
3587         https://bugs.webkit.org/show_bug.cgi?id=190758
3588         <rdar://problem/45413233>
3589
3590         Reviewed by Daniel Bates.
3591
3592         Tweak JavaScriptCore's Base.xcconfig to be more in-line with other
3593         .xcconfig files with regards to LTO settings. However, don't actually
3594         enable LTO for JavaScriptCore. LTO is not enabled for JavaScriptCore
3595         due to <rdar://problem/24543547>.
3596
3597         * Configurations/Base.xcconfig:
3598
3599 2019-03-22  Mark Lam  <mark.lam@apple.com>
3600
3601         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
3602         https://bugs.webkit.org/show_bug.cgi?id=196154
3603         <rdar://problem/49145307>
3604
3605         Reviewed by Filip Pizlo.
3606
3607         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3608         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
3609
3610 2019-03-22  Mark Lam  <mark.lam@apple.com>
3611
3612         Placate exception check validation in constructJSWebAssemblyLinkError().
3613         https://bugs.webkit.org/show_bug.cgi?id=196152
3614         <rdar://problem/49145257>
3615
3616         Reviewed by Michael Saboff.
3617
3618         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3619         (JSC::constructJSWebAssemblyLinkError):
3620
3621 2019-03-22  Timothy Hatcher  <timothy@apple.com>
3622
3623         Change macosx() to macos() in WK_API... and JSC_API... macros.
3624         https://bugs.webkit.org/show_bug.cgi?id=196106
3625
3626         Reviewed by Brian Burg.
3627
3628         * API/JSBasePrivate.h:
3629         * API/JSContext.h:
3630         * API/JSContextPrivate.h:
3631         * API/JSContextRef.h:
3632         * API/JSContextRefInternal.h:
3633         * API/JSContextRefPrivate.h:
3634         * API/JSManagedValue.h:
3635         * API/JSObjectRef.h:
3636         * API/JSObjectRefPrivate.h:
3637         * API/JSRemoteInspector.h:
3638         * API/JSScript.h:
3639         * API/JSTypedArray.h:
3640         * API/JSValue.h:
3641         * API/JSValuePrivate.h:
3642         * API/JSValueRef.h:
3643         * API/JSVirtualMachinePrivate.h:
3644
3645 2019-03-22  Yusuke Suzuki  <ysuzuki@apple.com>
3646
3647         Unreviewed, build fix for Windows
3648         https://bugs.webkit.org/show_bug.cgi?id=196122
3649
3650         * runtime/FunctionExecutable.cpp:
3651
3652 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
3653
3654         [JSC] Shrink sizeof(FunctionExecutable) by 16 bytes
3655         https://bugs.webkit.org/show_bug.cgi?id=196122
3656
3657         Reviewed by Saam Barati.
3658
3659         This patch reduces sizeof(FunctionExecutable) by 16 bytes.
3660
3661         1. ScriptExecutable::m_numParametersForCall and ScriptExecutable::m_numParametersForConstruct are not used in a meaningful way. Removed them.
3662         2. ScriptExecutable::m_lastLine and ScriptExecutable::m_endColumn can be calculated from UnlinkedFunctionExecutable, so FunctionExecutable does not need to hold them.
3663            This patch adds GlobalExecutable, the class for non-function ScriptExecutables, and moves m_lastLine and m_endColumn to this class.
3664         3. FunctionExecutable still needs the ability to override m_lastLine and m_endColumn. We move the overridden data into FunctionExecutable::RareData.
3665
3666         * CMakeLists.txt:
3667         * JavaScriptCore.xcodeproj/project.pbxproj:
3668         * Sources.txt:
3669         * bytecode/UnlinkedFunctionExecutable.cpp:
3670         (JSC::UnlinkedFunctionExecutable::link):
3671         * runtime/EvalExecutable.cpp:
3672         (JSC::EvalExecutable::EvalExecutable):
3673         * runtime/EvalExecutable.h:
3674         * runtime/FunctionExecutable.cpp:
3675         (JSC::FunctionExecutable::FunctionExecutable):
3676         (JSC::FunctionExecutable::ensureRareDataSlow):
3677         (JSC::FunctionExecutable::overrideInfo):
3678         * runtime/FunctionExecutable.h:
3679         * runtime/GlobalExecutable.cpp: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
3680         * runtime/GlobalExecutable.h: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
3681         (JSC::GlobalExecutable::lastLine const):
3682         (JSC::GlobalExecutable::endColumn const):
3683         (JSC::GlobalExecutable::recordParse):
3684         (JSC::GlobalExecutable::GlobalExecutable):
3685         * runtime/ModuleProgramExecutable.cpp:
3686         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
3687         * runtime/ModuleProgramExecutable.h:
3688         * runtime/ProgramExecutable.cpp:
3689         (JSC::ProgramExecutable::ProgramExecutable):
3690         * runtime/ProgramExecutable.h:
3691         * runtime/ScriptExecutable.cpp:
3692         (JSC::ScriptExecutable::clearCode):
3693         (JSC::ScriptExecutable::installCode):
3694         (JSC::ScriptExecutable::hasClearableCode const):
3695         (JSC::ScriptExecutable::newCodeBlockFor):
3696         (JSC::ScriptExecutable::typeProfilingEndOffset const):
3697         (JSC::ScriptExecutable::recordParse):
3698         (JSC::ScriptExecutable::lastLine const):
3699         (JSC::ScriptExecutable::endColumn const):
3700         * runtime/ScriptExecutable.h:
3701         (JSC::ScriptExecutable::hasJITCodeForCall const):
3702         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
3703         (JSC::ScriptExecutable::recordParse):
3704         (JSC::ScriptExecutable::lastLine const): Deleted.
3705         (JSC::ScriptExecutable::endColumn const): Deleted.
3706         * tools/FunctionOverrides.h:
3707
3708 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
3709
3710         [JSC] Shrink sizeof(RegExpObject)
3711         https://bugs.webkit.org/show_bug.cgi?id=196130
3712
3713         Reviewed by Saam Barati.
3714
3715         sizeof(RegExpObject) is 48B due to one bool flag. We should compress this flag into the lower bit of the RegExp* field so that we can make RegExpObject 32B.
3716         It saves 1.3% of memory footprint in RAMification's regexp.
3717
3718         * dfg/DFGSpeculativeJIT.cpp:
3719         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
3720         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
3721         * ftl/FTLAbstractHeapRepository.h:
3722         * ftl/FTLLowerDFGToB3.cpp:
3723         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
3724         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
3725         * runtime/RegExpObject.cpp:
3726         (JSC::RegExpObject::RegExpObject):
3727         (JSC::RegExpObject::visitChildren):
3728         (JSC::RegExpObject::getOwnPropertySlot):
3729         (JSC::RegExpObject::defineOwnProperty):
3730         * runtime/RegExpObject.h:
3731
3732 2019-03-21  Tomas Popela  <tpopela@redhat.com>
3733
3734         [JSC] Fix build after r243232 on unsupported 64-bit architectures
3735         https://bugs.webkit.org/show_bug.cgi?id=196072
3736
3737         Reviewed by Keith Miller.
3738
3739         As Keith suggested, we already expect 16 free bits at the top of any
3740         pointer for JSValue, even on the unsupported 64-bit arches.
3741
3742         * bytecode/CodeOrigin.h:
3743
3744 2019-03-21  Mark Lam  <mark.lam@apple.com>
3745
3746         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
3747         https://bugs.webkit.org/show_bug.cgi?id=196116
3748         <rdar://problem/48976951>
3749
3750         Reviewed by Filip Pizlo.
3751
3752         The DFG backend should not make assumptions about what optimizations the front end
3753         will or will not do.  The assertion asserts that the operand cannot be known to be
3754         a cell.  However, it is not guaranteed that the front end will fold away this case.
3755         Also, the DFG backend is perfectly capable of generating code to handle the case
3756         where the operand is a cell.
3757
3758         The attached test case demonstrates a case where the operand can be a known cell.
3759         The test needs to be run with the concurrent JIT and GC, and is racy.  It used to
3760         trip up this assertion about once every 10 runs or so.
3761
3762         * dfg/DFGSpeculativeJIT64.cpp:
3763         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
3764
3765 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
3766
3767         JSC::createError should clear exception thrown by errorDescriptionForValue
3768         https://bugs.webkit.org/show_bug.cgi?id=196089
3769
3770         Reviewed by Mark Lam.
3771
3772         errorDescriptionForValue returns a nullString in case of failure, but it
3773         might also throw an OOM exception when resolving a rope string. We need
3774         to clear any potential exceptions thrown by errorDescriptionForValue
3775         before returning the OOM from JSC::createError.
3776
3777         * runtime/ExceptionHelpers.cpp:
3778         (JSC::createError):
3779
3780 2019-03-21  Robin Morisset  <rmorisset@apple.com>
3781
3782         B3::Opcode can fit in a single byte, shrinking B3Value by 8 bytes
3783         https://bugs.webkit.org/show_bug.cgi?id=196014
3784
3785         Reviewed by Keith Miller.
3786
3787         B3::Opcode has fewer than one hundred cases, so it can easily fit in one byte (down from two currently).
3788         This shrinks B3::Kind from 4 bytes to 2 (by removing the byte of padding at the end).
3789         This in turn eliminates padding from B3::Value, shrinking it by 8 bytes (out of 80).
3790
3791         * b3/B3Opcode.h:
3792
3793 2019-03-21  Michael Catanzaro  <mcatanzaro@igalia.com>
3794
3795         Unreviewed, more clang 3.8 build fixes
3796         https://bugs.webkit.org/show_bug.cgi?id=195947
3797         <rdar://problem/49069219>
3798
3799         In the spirit of making our code worse to please old compilers...
3800
3801         * bindings/ScriptValue.cpp:
3802         (Inspector::jsToInspectorValue):
3803         * bytecode/GetterSetterAccessCase.cpp:
3804         (JSC::GetterSetterAccessCase::create):
3805         (JSC::GetterSetterAccessCase::clone const):
3806         * bytecode/InstanceOfAccessCase.cpp:
3807         (JSC::InstanceOfAccessCase::clone const):
3808         * bytecode/IntrinsicGetterAccessCase.cpp:
3809         (JSC::IntrinsicGetterAccessCase::clone const):
3810         * bytecode/ModuleNamespaceAccessCase.cpp:
3811         (JSC::ModuleNamespaceAccessCase::clone const):
3812         * bytecode/ProxyableAccessCase.cpp:
3813         (JSC::ProxyableAccessCase::clone const):
3814
3815 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
3816
3817         [JSC] Do not create JIT related data under non-JIT mode
3818         https://bugs.webkit.org/show_bug.cgi?id=195982
3819
3820         Reviewed by Mark Lam.
3821
3822         We avoid creating JIT-related data structures under non-JIT mode.
3823         This patch removes the following allocations.
3824
3825         1. JITThunks
3826         2. FTLThunks
3827         3. FixedVMPoolExecutableAllocator
3828         4. noJITValueProfileSingleton, since it is no longer used
3829         5. The ARM disassembler should be initialized when it is used
3830         6. Wasm-related data structures are accidentally allocated if VM::canUseJIT() == false &&
3831            Options::useWebAssembly() == true. Add a Wasm::isSupported() function to check both conditions.
3832
3833         * CMakeLists.txt:
3834         * JavaScriptCore.xcodeproj/project.pbxproj:
3835         * heap/Heap.cpp:
3836         (JSC::Heap::runEndPhase):
3837         * jit/ExecutableAllocator.cpp:
3838         (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
3839         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
3840         (JSC::ExecutableAllocator::isValid const):
3841         (JSC::ExecutableAllocator::underMemoryPressure):
3842         (JSC::ExecutableAllocator::memoryPressureMultiplier):
3843         (JSC::ExecutableAllocator::allocate):
3844         (JSC::ExecutableAllocator::isValidExecutableMemory):
3845         (JSC::ExecutableAllocator::getLock const):
3846         (JSC::ExecutableAllocator::committedByteCount):
3847         (JSC::ExecutableAllocator::dumpProfile):
3848         (JSC::startOfFixedExecutableMemoryPoolImpl):
3849         (JSC::endOfFixedExecutableMemoryPoolImpl):
3850         (JSC::ExecutableAllocator::initialize):
3851         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
3852         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
3853         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
3854         * jit/ExecutableAllocator.h:
3855         (JSC::ExecutableAllocatorBase::isValid const):
3856         (JSC::ExecutableAllocatorBase::underMemoryPressure):
3857         (JSC::ExecutableAllocatorBase::memoryPressureMultiplier):