Source/JavaScriptCore/ChangeLog (WebKit-https.git)

2019-04-12  Saam Barati  <sbarati@apple.com>

        Unreviewed. Build fix after r244233.

        * assembler/CPU.cpp:

2019-04-12  Saam Barati  <sbarati@apple.com>

        Sometimes we need to use fewer CPUs in our threading calculations
        https://bugs.webkit.org/show_bug.cgi?id=196794
        <rdar://problem/49389497>

        Reviewed by Yusuke Suzuki.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/CPU.cpp: Added.
        (JSC::isKernTCSMAvailable):
        (JSC::enableKernTCSM):
        (JSC::kernTCSMAwareNumberOfProcessorCores):
        * assembler/CPU.h:
        (JSC::isKernTCSMAvailable):
        (JSC::enableKernTCSM):
        (JSC::kernTCSMAwareNumberOfProcessorCores):
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/Options.cpp:
        (JSC::computeNumberOfWorkerThreads):
        (JSC::computePriorityDeltaOfWorkerThreads):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::Worklist::Worklist):

2019-04-12  Robin Morisset  <rmorisset@apple.com>

        Use padding at end of ArrayBuffer
        https://bugs.webkit.org/show_bug.cgi?id=196823

        Reviewed by Filip Pizlo.

        * runtime/ArrayBuffer.h:

2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] op_has_indexed_property should not assume subscript part is Uint32
        https://bugs.webkit.org/show_bug.cgi?id=196850

        Reviewed by Saam Barati.

        op_has_indexed_property assumed that the subscript part is always Uint32. However, this is just a load from a non-constant RegisterID;
        the DFG can store it in double format and can perform OSR exit. op_has_indexed_property should not assume that.
        In this patch, instead, we check it with isAnyInt and get a uint32_t from the AnyInt.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2019-04-11  Saam Barati  <sbarati@apple.com>

        Remove invalid assertion in operationInstanceOfCustom
        https://bugs.webkit.org/show_bug.cgi?id=196842
        <rdar://problem/49725493>

        Reviewed by Michael Saboff.

        In the generated JIT code, we go to the slow path when the incoming function
        isn't the Node's CodeOrigin's functionProtoHasInstanceSymbolFunction. However,
        in the JIT operation, we were asserting against exec->lexicalGlobalObject()'s
        functionProtoHasInstanceSymbolFunction. That assertion might be wrong when
        inlining across global objects as exec->lexicalGlobalObject() uses the machine
        frame for procuring the global object. There is no harm when this assertion fails
        as we just execute the slow path. This patch removes the assertion. (However, this
        does shed light on the deficiency in our exec->lexicalGlobalObject() function with
        respect to inlining. However, this isn't new -- we've known about this for a while.)

        * jit/JITOperations.cpp:

2019-04-11  Michael Saboff  <msaboff@apple.com>

        Improve the Inline Cache Stats code
        https://bugs.webkit.org/show_bug.cgi?id=196836

        Reviewed by Saam Barati.

        Needed to handle the case where the Identifier could be null, for example with InstanceOfAddAccessCase
        and InstanceOfReplaceWithJump.

        Added the ability to log the location of a GetBy and PutBy property as either on self or up the
        prototype chain.

        * jit/ICStats.cpp:
        (JSC::ICEvent::operator< const):
        (JSC::ICEvent::dump const):
        * jit/ICStats.h:
        (JSC::ICEvent::ICEvent):
        (JSC::ICEvent::hash const):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryCacheInByID):

2019-04-11  Devin Rousso  <drousso@apple.com>

        Web Inspector: Timelines: can't reliably stop/start a recording
        https://bugs.webkit.org/show_bug.cgi?id=196778
        <rdar://problem/47606798>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/ScriptProfiler.json:
        * inspector/protocol/Timeline.json:
        It is possible to determine when programmatic capturing starts/stops in the frontend based
        on the state when the backend causes the state to change, such as if the state is "inactive"
        when the frontend is told that the backend has started capturing.

        * inspector/protocol/CPUProfiler.json:
        * inspector/protocol/Memory.json:
        Send an end timestamp to match other instruments.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
        (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):

        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.

2019-04-11  Saam Barati  <sbarati@apple.com>

        Rename SetArgument to SetArgumentDefinitely
        https://bugs.webkit.org/show_bug.cgi?id=196828

        Reviewed by Yusuke Suzuki.

        This is in preparation for https://bugs.webkit.org/show_bug.cgi?id=196712
        where we will introduce a node named SetArgumentMaybe. Doing this refactoring
        first will make reviewing that other patch easier.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
        (JSC::DFG::CPSRethreadingPhase::propagatePhis):
        (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertPhantomToPhantomLocal):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):

2019-04-11  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r244158.

        Caused 8 inspector/timeline/ test failures.

        Reverted changeset:

        "Web Inspector: Timelines: can't reliably stop/start a
        recording"
        https://bugs.webkit.org/show_bug.cgi?id=196778
        https://trac.webkit.org/changeset/244158

2019-04-10  Saam Barati  <sbarati@apple.com>

        AbstractValue::validateOSREntryValue is wrong for Int52 constants
        https://bugs.webkit.org/show_bug.cgi?id=196801
        <rdar://problem/49771122>

        Reviewed by Yusuke Suzuki.

        validateOSREntryValue should not care about the format of the incoming
        value for Int52s. This patch normalizes the format of m_value and
        the incoming value when comparing them.

        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::validateOSREntryValue const):

2019-04-10  Saam Barati  <sbarati@apple.com>

        ArithSub over Int52 has shouldCheckOverflow as always true
        https://bugs.webkit.org/show_bug.cgi?id=196796

        Reviewed by Yusuke Suzuki.

        AI was checking for ArithSub over Int52 if !shouldCheckOverflow. However,
        shouldCheckOverflow is always true, so !shouldCheckOverflow is always
        false. We shouldn't check something we assert against.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2019-04-10  Basuke Suzuki  <basuke.suzuki@sony.com>

        [PlayStation] Specify byte order clearly on Remote Inspector Protocol
        https://bugs.webkit.org/show_bug.cgi?id=196790

        Reviewed by Ross Kirsling.

        The original implementation lacked a byte order specification. Network byte order is a
        good candidate if there's no strong reason to choose another.
        Currently no client exists for the PlayStation remote inspector protocol, so we can
        change the byte order without concern.

        * inspector/remote/playstation/RemoteInspectorMessageParserPlayStation.cpp:
        (Inspector::MessageParser::createMessage):
        (Inspector::MessageParser::parse):

2019-04-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: Inspector: lazily create the agent
        https://bugs.webkit.org/show_bug.cgi?id=195971
        <rdar://problem/49039645>

        Reviewed by Joseph Pecoraro.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
        (Inspector::JSGlobalObjectInspectorController::createLazyAgents):

        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorAgent.cpp:

2019-04-10  Saam Barati  <sbarati@apple.com>

        Work around an arm64_32 LLVM miscompile bug
        https://bugs.webkit.org/show_bug.cgi?id=196788

        Reviewed by Yusuke Suzuki.

        * runtime/CachedTypes.cpp:

2019-04-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: Timelines: can't reliably stop/start a recording
        https://bugs.webkit.org/show_bug.cgi?id=196778
        <rdar://problem/47606798>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/ScriptProfiler.json:
        * inspector/protocol/Timeline.json:
        It is possible to determine when programmatic capturing starts/stops in the frontend based
        on the state when the backend causes the state to change, such as if the state is "inactive"
        when the frontend is told that the backend has started capturing.

        * inspector/protocol/CPUProfiler.json:
        * inspector/protocol/Memory.json:
        Send an end timestamp to match other instruments.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
        (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):

        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.

2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>

        Unreviewed, fix watch build after r244143
        https://bugs.webkit.org/show_bug.cgi?id=195000

        The result of `lseek` should be `off_t` rather than `int`.

        * jsc.cpp:

2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>

        Add support for incremental bytecode cache updates
        https://bugs.webkit.org/show_bug.cgi?id=195000

        Reviewed by Filip Pizlo.

        Add support for incremental updates to the bytecode cache. The cache
        is constructed as follows:
        - When the cache is empty, the initial payload can be added to the BytecodeCache
        by calling BytecodeCache::addGlobalUpdate. This represents the encoded
        top-level UnlinkedCodeBlock.
        - Afterwards, updates can be added by calling BytecodeCache::addFunctionUpdate.
        The update is applied by appending the encoded UnlinkedFunctionCodeBlock
        to the existing cache and updating the CachedFunctionExecutableMetadata
        and the offset of the new CachedFunctionCodeBlock in the owner CachedFunctionExecutable.

        * API/JSScript.mm:
        (-[JSScript readCache]):
        (-[JSScript isUsingBytecodeCache]):
        (-[JSScript init]):
        (-[JSScript cachedBytecode]):
        (-[JSScript writeCache:]):
        * API/JSScriptInternal.h:
        * API/JSScriptSourceProvider.h:
        * API/JSScriptSourceProvider.mm:
        (JSScriptSourceProvider::cachedBytecode const):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        * jsc.cpp:
        (ShellSourceProvider::~ShellSourceProvider):
        (ShellSourceProvider::cachePath const):
        (ShellSourceProvider::loadBytecode const):
        (ShellSourceProvider::ShellSourceProvider):
        (ShellSourceProvider::cacheEnabled):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cachedBytecode const):
        (JSC::SourceProvider::updateCache const):
        (JSC::SourceProvider::commitCachedBytecode const):
        * runtime/CachePayload.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSC::CachePayload::makeMappedPayload):
        (JSC::CachePayload::makeMallocPayload):
        (JSC::CachePayload::makeEmptyPayload):
        (JSC::CachePayload::CachePayload):
        (JSC::CachePayload::~CachePayload):
        (JSC::CachePayload::operator=):
        (JSC::CachePayload::freeData):
        * runtime/CachePayload.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSC::CachePayload::data const):
        (JSC::CachePayload::size const):
        (JSC::CachePayload::CachePayload):
        * runtime/CacheUpdate.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSC::CacheUpdate::CacheUpdate):
        (JSC::CacheUpdate::operator=):
        (JSC::CacheUpdate::isGlobal const):
        (JSC::CacheUpdate::asGlobal const):
        (JSC::CacheUpdate::asFunction const):
        * runtime/CacheUpdate.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        * runtime/CachedBytecode.cpp: Added.
        (JSC::CachedBytecode::addGlobalUpdate):
        (JSC::CachedBytecode::addFunctionUpdate):
        (JSC::CachedBytecode::copyLeafExecutables):
        (JSC::CachedBytecode::commitUpdates const):
        * runtime/CachedBytecode.h: Added.
        (JSC::CachedBytecode::create):
        (JSC::CachedBytecode::leafExecutables):
        (JSC::CachedBytecode::data const):
        (JSC::CachedBytecode::size const):
        (JSC::CachedBytecode::hasUpdates const):
        (JSC::CachedBytecode::sizeForUpdate const):
        (JSC::CachedBytecode::CachedBytecode):
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::addLeafExecutable):
        (JSC::Encoder::release):
        (JSC::Decoder::Decoder):
        (JSC::Decoder::create):
        (JSC::Decoder::size const):
        (JSC::Decoder::offsetOf):
        (JSC::Decoder::ptrForOffsetFromBase):
        (JSC::Decoder::addLeafExecutable):
        (JSC::VariableLengthObject::VariableLengthObject):
        (JSC::VariableLengthObject::buffer const):
        (JSC::CachedPtrOffsets::offsetOffset):
        (JSC::CachedWriteBarrierOffsets::ptrOffset):
        (JSC::CachedFunctionExecutable::features const):
        (JSC::CachedFunctionExecutable::hasCapturedVariables const):
        (JSC::CachedFunctionExecutableOffsets::codeBlockForCallOffset):
        (JSC::CachedFunctionExecutableOffsets::codeBlockForConstructOffset):
        (JSC::CachedFunctionExecutableOffsets::metadataOffset):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::encodeCodeBlock):
        (JSC::encodeFunctionCodeBlock):
        (JSC::decodeCodeBlockImpl):
        (JSC::isCachedBytecodeStillValid):
        * runtime/CachedTypes.h:
        (JSC::VariableLengthObjectBase::VariableLengthObjectBase):
        (JSC::decodeCodeBlock):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::updateCache):
        (JSC::CodeCache::write):
        (JSC::writeCodeBlock):
        (JSC::serializeBytecode):
        * runtime/CodeCache.h:
        (JSC::SourceCodeValue::SourceCodeValue):
        (JSC::CodeCacheMap::findCacheAndUpdateAge):
        (JSC::CodeCacheMap::fetchFromDiskImpl):
        * runtime/Completion.cpp:
        (JSC::generateProgramBytecode):
        (JSC::generateModuleBytecode):
        * runtime/Completion.h:
        * runtime/LeafExecutable.cpp: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
        (JSC::LeafExecutable::operator+ const):
        * runtime/LeafExecutable.h: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
        (JSC::LeafExecutable::LeafExecutable):
        (JSC::LeafExecutable::base const):

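        Added example, not part of the WebKit change above: a small C++ model of the append-and-patch scheme the entry describes (a global update first, then function updates appended to the payload with the owner's code-block offset rewritten on commit). The byte layout, the zero-offset-means-uncached convention and the class and method names are assumptions of this model, not JSC's CachedTypes encoding.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model of the incremental bytecode cache. Layout assumptions (not JSC's):
// a flat byte buffer; each function executable in the top-level payload holds a
// little-endian u32 offset to its code block, 0 until a function update has been committed.
using Bytes = std::vector<uint8_t>;

void writeU32(Bytes& b, size_t at, uint32_t v) {
    for (int i = 0; i < 4; ++i) b[at + i] = static_cast<uint8_t>(v >> (8 * i));
}
uint32_t readU32(const Bytes& b, size_t at) {
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) v |= static_cast<uint32_t>(b[at + i]) << (8 * i);
    return v;
}

// One pending function update: the encoded code block plus the position of the
// offset field inside the owner CachedFunctionExecutable that must point at it.
struct FunctionUpdate {
    size_t ownerOffsetField;
    Bytes encodedCodeBlock;
};

class CachedBytecode {
public:
    // Initial payload: the encoded top-level code block. Only valid on an empty cache.
    bool addGlobalUpdate(const Bytes& encodedTopLevel) {
        if (!m_payload.empty() || hasUpdates()) return false;
        m_payload = encodedTopLevel;
        return true;
    }
    // Queue an update for a function whose owner already lives in the committed payload.
    bool addFunctionUpdate(size_t ownerOffsetField, const Bytes& encodedCodeBlock) {
        if (m_payload.empty() || ownerOffsetField + 4 > m_payload.size()) return false;
        if (readU32(m_payload, ownerOffsetField) != 0) return false; // already cached
        m_updates.push_back({ownerOffsetField, encodedCodeBlock});
        m_sizeForUpdate += encodedCodeBlock.size();
        return true;
    }
    bool hasUpdates() const { return !m_updates.empty(); }
    size_t sizeForUpdate() const { return m_sizeForUpdate; }
    // Apply the queued updates: append each code block, then patch the owner's offset.
    void commitUpdates() {
        for (const FunctionUpdate& u : m_updates) {
            uint32_t offset = static_cast<uint32_t>(m_payload.size());
            m_payload.insert(m_payload.end(), u.encodedCodeBlock.begin(), u.encodedCodeBlock.end());
            writeU32(m_payload, u.ownerOffsetField, offset);
        }
        m_updates.clear();
        m_sizeForUpdate = 0;
    }
    const Bytes& data() const { return m_payload; }
    size_t size() const { return m_payload.size(); }
    // Decoder side: the committed code block for an owner, or empty if none was written.
    Bytes codeBlockFor(size_t ownerOffsetField, size_t codeBlockSize) const {
        uint32_t offset = readU32(m_payload, ownerOffsetField);
        if (offset == 0 || offset + codeBlockSize > m_payload.size()) return {};
        return Bytes(m_payload.begin() + offset, m_payload.begin() + offset + codeBlockSize);
    }
private:
    Bytes m_payload;
    std::vector<FunctionUpdate> m_updates;
    size_t m_sizeForUpdate = 0;
};

// Worked scenario: a top-level block owning two function executables, cached one run at a
// time. Returns the committed payload size (constructed bytes, not real bytecode).
size_t runScenario(CachedBytecode& cache) {
    Bytes topLevel = {0x7E, 0x01, 0x02, 0x03,   // pretend header / top-level code
                      0, 0, 0, 0,               // function 0: code block offset (unset)
                      0, 0, 0, 0};              // function 1: code block offset (unset)
    cache.addGlobalUpdate(topLevel);
    cache.addFunctionUpdate(4, {0xAA, 0xBB});       // first run caches function 0
    cache.commitUpdates();
    cache.addFunctionUpdate(8, {0xCC, 0xDD, 0xEE}); // a later run caches function 1
    cache.commitUpdates();
    return cache.size();
}
```
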
2019-04-10  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, rolling out r243989.

        Broke i686 builds

        Reverted changeset:

        "[CMake] Detect SSE2 at compile time"
        https://bugs.webkit.org/show_bug.cgi?id=196488
        https://trac.webkit.org/changeset/243989

2019-04-10  Robin Morisset  <rmorisset@apple.com>

        We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
        https://bugs.webkit.org/show_bug.cgi?id=196746

        Reviewed by Yusuke Suzuki.

        It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.

        * runtime/ObjectConstructor.cpp:
        (JSC::defineProperties):

2019-04-10  Antoine Quint  <graouts@apple.com>

        Enable Pointer Events on watchOS
        https://bugs.webkit.org/show_bug.cgi?id=196771
        <rdar://problem/49040909>

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2019-04-09  Keith Rollin  <krollin@apple.com>

        Unreviewed build maintenance -- update .xcfilelists.

        * DerivedSources-input.xcfilelist:

2019-04-09  Ross Kirsling  <ross.kirsling@sony.com>

        JSC should build successfully even with -DENABLE_UNIFIED_BUILDS=OFF
        https://bugs.webkit.org/show_bug.cgi?id=193073

        Reviewed by Keith Miller.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOpImpl):
        (JSC::BytecodeGenerator::emitEqualityOp): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitEqualityOp):
        Factor out the logic that uses the template parameter and keep it in the header.

        * jit/JITPropertyAccess.cpp:
        List off the template specializations needed by JITOperations.cpp.
        This is unfortunate but at least there are only two (x2) by definition?
        Trying to do away with this incurs a severe domino effect...

        * API/JSValueRef.cpp:
        * b3/B3OptimizeAssociativeExpressionTrees.cpp:
        * b3/air/AirHandleCalleeSaves.cpp:
        * builtins/BuiltinNames.cpp:
        * bytecode/AccessCase.cpp:
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeRewriter.cpp:
        * bytecode/BytecodeUseDef.h:
        * bytecode/CodeBlock.cpp:
        * bytecode/InstanceOfAccessCase.cpp:
        * bytecode/MetadataTable.cpp:
        * bytecode/PolyProtoAccessChain.cpp:
        * bytecode/StructureSet.cpp:
        * bytecompiler/NodesCodegen.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGPureValue.cpp:
        * heap/GCSegmentedArray.h:
        * heap/HeapInlines.h:
        * heap/IsoSubspace.cpp:
        * heap/LocalAllocator.cpp:
        * heap/LocalAllocator.h:
        * heap/LocalAllocatorInlines.h:
        * heap/MarkingConstraintSolver.cpp:
        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::isEqual const):
        * inspector/ScriptCallStackFactory.cpp:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        * interpreter/StackVisitor.cpp:
        * llint/LLIntEntrypoint.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/BigIntPrototype.cpp:
        * runtime/CachedTypes.cpp:
        * runtime/ErrorType.cpp:
        * runtime/IndexingType.cpp:
        * runtime/JSCellInlines.h:
        * runtime/JSImmutableButterfly.h:
        * runtime/Operations.h:
        * runtime/RegExpCachedResult.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpGlobalData.cpp:
        * runtime/StackFrame.h:
        * wasm/WasmSignature.cpp:
        * wasm/js/JSToWasm.cpp:
        * wasm/js/JSToWasmICCallee.cpp:
        * wasm/js/WebAssemblyFunction.h:
        Fix includes / forward declarations (and a couple of nearby clang warnings).

2019-04-09  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Apple builds should use ICU_INCLUDE_DIRS
        https://bugs.webkit.org/show_bug.cgi?id=196720

        Reviewed by Konstantin Tokarev.

        * PlatformMac.cmake:

2019-04-09  Saam Barati  <sbarati@apple.com>

        Clean up Int52 code and some bugs in it
        https://bugs.webkit.org/show_bug.cgi?id=196639
        <rdar://problem/49515757>

        Reviewed by Yusuke Suzuki.

        This patch fixes bugs in our Int52 code. The primary change in this patch is
        adopting a segregated type lattice for Int52. Previously, for Int52 values,
        we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
        SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
        that the value is outside of the int32 range.

        However, this got confusing because we reused SpecInt32Only both for JSValue
        representations and Int52 representations. This actually led to some bugs.

        1. It's possible that roundtripping through Int52 representation would say
        it produces the wrong type. For example, consider this program and how we
        used to annotate types in AI:
        a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
        b: Int52Rep(@a) => m_type is SpecInt52Only
        c: ValueRep(@b) => m_type is SpecAnyIntAsDouble

        In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
        However, the execution semantics are such that it'd actually produce a boxed
        Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
        would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
        mean an int value in either int32 or int52 range.

        2. AbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it
        accepted Int52 values. It was wrong in two different ways:
        a: If the AbstractValue's type was SpecInt52Only, and the incoming value
        was a boxed double, but represented a value in int32 range, the incoming
        value would incorrectly validate as being acceptable. However, we should
        have rejected this value.
        b: If the AbstractValue's type was SpecInt32Only, and the incoming value
        was an Int32 boxed in a double, this would not validate, even though
        it should have validated.

        Solving 2 was easiest if we segregated out the Int52 type into its own
        lattice. This patch makes a new Int52 lattice, which is composed of
        SpecInt32AsInt52 and SpecNonInt32AsInt52.

        The conversion rules are now really simple.

        Int52 rep => JSValue rep
        SpecInt32AsInt52 => SpecInt32Only
        SpecNonInt32AsInt52 => SpecAnyIntAsDouble

        JSValue rep => Int52 rep
        SpecInt32Only => SpecInt32AsInt52
        SpecAnyIntAsDouble => SpecInt52Any

        With these rules, the program in (1) will now correctly report that @c
        returns SpecInt32Only | SpecAnyIntAsDouble.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::int52AwareSpeculationFromValue):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isAnyInt52Speculation):
        (JSC::isIntAnyFormat):
        (JSC::isInt52Speculation): Deleted.
        (JSC::isAnyIntSpeculation): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        (JSC::DFG::AbstractValue::checkConsistency const):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::isInt52Any const):
        (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupArithMul):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
        (JSC::DFG::FixupPhase::fixupToThis):
        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInt52):
        (JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
        (JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
        (JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
        (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
        (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt52):
        (JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):

680         (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):
681
682 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
683
684         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
685         https://bugs.webkit.org/show_bug.cgi?id=196708
686         <rdar://problem/49556803>
687
688         Reviewed by Yusuke Suzuki.
689
690         `operationPutToScope` needs to return early if an exception is thrown while
691         checking if `hasProperty`.
692
693         * jit/JITOperations.cpp:
694
695 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
696
697         [JSC] DFG should respect node's strict flag
698         https://bugs.webkit.org/show_bug.cgi?id=196617
699
700         Reviewed by Saam Barati.
701
702         We accidentally use codeBlock->isStrictMode() directly in DFG and FTL. But this is wrong since this CodeBlock is the top level DFG/FTL CodeBlock,
703         and this code does not respect the isStrictMode flag of the inlined CodeBlocks. In this patch, we start using isStrictModeFor(CodeOrigin) consistently
704         in DFG and FTL to get the right isStrictMode flag for the DFG node.
705         We also split compilePutDynamicVar into compilePutDynamicVarStrict and compilePutDynamicVarNonStrict since (1) it is cleaner than accessing the inlined
706         call frame in the operation function, and (2) it is aligned with the other functions like operationPutByValDirectNonStrict etc.
707         This bug was discovered by RandomizingFuzzerAgent by expanding the DFG coverage.
708
709         * dfg/DFGAbstractInterpreterInlines.h:
710         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
711         * dfg/DFGConstantFoldingPhase.cpp:
712         (JSC::DFG::ConstantFoldingPhase::foldConstants):
713         * dfg/DFGFixupPhase.cpp:
714         (JSC::DFG::FixupPhase::fixupToThis):
715         * dfg/DFGOperations.cpp:
716         * dfg/DFGOperations.h:
717         * dfg/DFGPredictionPropagationPhase.cpp:
718         * dfg/DFGSpeculativeJIT.cpp:
719         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
720         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
721         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
722         (JSC::DFG::SpeculativeJIT::compileToThis):
723         * dfg/DFGSpeculativeJIT32_64.cpp:
724         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
725         (JSC::DFG::SpeculativeJIT::compile):
726         * dfg/DFGSpeculativeJIT64.cpp:
727         (JSC::DFG::SpeculativeJIT::compile):
728         * ftl/FTLLowerDFGToB3.cpp:
729         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
730         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
731
732 2019-04-08  Don Olmstead  <don.olmstead@sony.com>
733
734         [CMake][WinCairo] Separate copied headers into different directories
735         https://bugs.webkit.org/show_bug.cgi?id=196655
736
737         Reviewed by Michael Catanzaro.
738
739         * CMakeLists.txt:
740         * shell/PlatformWin.cmake:
741
742 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
743
744         [JSC] isRope jump in StringSlice should not jump over register allocations
745         https://bugs.webkit.org/show_bug.cgi?id=196716
746
747         Reviewed by Saam Barati.
748
749         Jumping over the register allocation code in DFG (like the following) is wrong.
750
751             auto jump = m_jit.branchXXX();
752             {
753                 GPRTemporary reg(this);
754                 GPRReg regGPR = reg.gpr();
755                 ...
756             }
757             jump.link(&m_jit);
758
759         When GPRTemporary::gpr allocates a new register, it can flush the previous register value into the stack and make the register usable.
760         Jumping over this register allocation code skips the flushing code, and makes the DFG's stack and register content tracking inconsistent:
761         DFG thinks that the content is flushed and stored in a particular stack slot even while this flushing code is skipped.
762         In this patch, we perform register allocations before jumping to the slow path based on the `isRope` condition in StringSlice.
763
764         * dfg/DFGSpeculativeJIT.cpp:
765         (JSC::DFG::SpeculativeJIT::compileStringSlice):
766
767 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
768
769         [JSC] to_index_string should not assume incoming value is Uint32
770         https://bugs.webkit.org/show_bug.cgi?id=196713
771
772         Reviewed by Saam Barati.
773
774         The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
775         this assumption since DFG may decide we should have it in double format. This patch removes this
776         assumption; instead, we assume that the incoming value is AnyInt and that its range
777         is within Uint32.
778
779         * runtime/CommonSlowPaths.cpp:
780         (JSC::SLOW_PATH_DECL):
781
782 2019-04-08  Justin Fan  <justin_fan@apple.com>
783
784         [Web GPU] Fix Web GPU experimental feature on iOS
785         https://bugs.webkit.org/show_bug.cgi?id=196632
786
787         Reviewed by Myles C. Maxfield.
788
789         Properly make Web GPU available on iOS 11+.
790
791         * Configurations/FeatureDefines.xcconfig:
792         * Configurations/WebKitTargetConditionals.xcconfig:
793
794 2019-04-08  Ross Kirsling  <ross.kirsling@sony.com>
795
796         -f[no-]var-tracking-assignments is GCC-only
797         https://bugs.webkit.org/show_bug.cgi?id=196699
798
799         Reviewed by Don Olmstead.
800
801         * CMakeLists.txt:
802         Just remove the build flag altogether -- it supposedly doesn't solve the problem it was meant to
803         and said problem evidently no longer occurs as of GCC 9.
804
805 2019-04-08  Saam Barati  <sbarati@apple.com>
806
807         WebAssembly.RuntimeError missing exception check
808         https://bugs.webkit.org/show_bug.cgi?id=196700
809         <rdar://problem/49693932>
810
811         Reviewed by Yusuke Suzuki.
812
813         * wasm/js/JSWebAssemblyRuntimeError.h:
814         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
815         (JSC::constructJSWebAssemblyRuntimeError):
816
817 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
818
819         Unreviewed, rolling in r243948 with test fix
820         https://bugs.webkit.org/show_bug.cgi?id=196486
821
822         * parser/ASTBuilder.h:
823         (JSC::ASTBuilder::createString):
824         * parser/Lexer.cpp:
825         (JSC::Lexer<T>::parseMultilineComment):
826         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
827         (JSC::Lexer<T>::lex): Deleted.
828         * parser/Lexer.h:
829         (JSC::Lexer::hasLineTerminatorBeforeToken const):
830         (JSC::Lexer::setHasLineTerminatorBeforeToken):
831         (JSC::Lexer<T>::lex):
832         (JSC::Lexer::prevTerminator const): Deleted.
833         (JSC::Lexer::setTerminator): Deleted.
834         * parser/Parser.cpp:
835         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
836         (JSC::Parser<LexerType>::parseSingleFunction):
837         (JSC::Parser<LexerType>::parseStatementListItem):
838         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
839         (JSC::Parser<LexerType>::parseFunctionInfo):
840         (JSC::Parser<LexerType>::parseClass):
841         (JSC::Parser<LexerType>::parseExportDeclaration):
842         (JSC::Parser<LexerType>::parseAssignmentExpression):
843         (JSC::Parser<LexerType>::parseYieldExpression):
844         (JSC::Parser<LexerType>::parseProperty):
845         (JSC::Parser<LexerType>::parsePrimaryExpression):
846         (JSC::Parser<LexerType>::parseMemberExpression):
847         * parser/Parser.h:
848         (JSC::Parser::nextWithoutClearingLineTerminator):
849         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
850         (JSC::Parser::internalSaveLexerState):
851         (JSC::Parser::restoreLexerState):
852
853 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
854
855         Unreviewed, rolling out r243948.
856
857         Caused inspector/runtime/parse.html to fail
858
859         Reverted changeset:
860
861         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
862         https://bugs.webkit.org/show_bug.cgi?id=196486
863         https://trac.webkit.org/changeset/243948
864
865 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
866
867         Unreviewed, rolling out r243943.
868
869         Caused test262 failures.
870
871         Reverted changeset:
872
873         "[JSC] Filter DontEnum properties in
874         ProxyObject::getOwnPropertyNames()"
875         https://bugs.webkit.org/show_bug.cgi?id=176810
876         https://trac.webkit.org/changeset/243943
877
878 2019-04-08  Claudio Saavedra  <csaavedra@igalia.com>
879
880         [JSC] Partially fix the build with unified builds disabled
881         https://bugs.webkit.org/show_bug.cgi?id=196647
882
883         Reviewed by Konstantin Tokarev.
884
885         If you disable unified builds you find all kinds of build
886         errors. This partially tries to fix them, but there's a lot
887         more.
888
889         * API/JSBaseInternal.h:
890         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
891         * b3/air/AirHandleCalleeSaves.h:
892         * bytecode/ExecutableToCodeBlockEdge.cpp:
893         * bytecode/ExitFlag.h:
894         * bytecode/ICStatusUtils.h:
895         * bytecode/UnlinkedMetadataTable.h:
896         * dfg/DFGPureValue.h:
897         * heap/IsoAlignedMemoryAllocator.cpp:
898         * heap/IsoAlignedMemoryAllocator.h:
899
900 2019-04-08  Guillaume Emont  <guijemont@igalia.com>
901
902         Enable DFG on MIPS
903         https://bugs.webkit.org/show_bug.cgi?id=196689
904
905         Reviewed by Žan Doberšek.
906
907         Since the bytecode change, we enabled the baseline JIT on MIPS in
908         r240432, but DFG is still missing. With this change, all tests are
909         passing on a ci20 board.
910
911         * jit/RegisterSet.cpp:
912         (JSC::RegisterSet::calleeSaveRegisters):
913         Added s0, which is used in llint.
914
915 2019-04-08  Xan Lopez  <xan@igalia.com>
916
917         [CMake] Detect SSE2 at compile time
918         https://bugs.webkit.org/show_bug.cgi?id=196488
919
920         Reviewed by Carlos Garcia Campos.
921
922         * assembler/MacroAssemblerX86Common.cpp: Remove unnecessary (and
923         incorrect) static_assert.
924
925 2019-04-07  Michael Saboff  <msaboff@apple.com>
926
927         REGRESSION (r243642): Crash in reddit.com page
928         https://bugs.webkit.org/show_bug.cgi?id=196684
929
930         Reviewed by Geoffrey Garen.
931
932         In r243642, the code that saves and restores the count for non-greedy character classes
933         was inadvertently put inside an if statement.  This code should be generated for all
934         non-greedy character classes.
935
936         * yarr/YarrJIT.cpp:
937         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
938         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
939
940 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
941
942         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
943         https://bugs.webkit.org/show_bug.cgi?id=196683
944
945         Reviewed by Saam Barati.
946
947         In r243626, we stopped repatching CallLinkInfo when the CallLinkInfo is held by a jettisoned CodeBlock.
948         But we still need to clear the Callee or CodeBlock since they are now dead. Otherwise, CodeBlock's
949         visitWeak eventually accesses these dead cells and crashes because the owner CodeBlock of the CallLinkInfo
950         can still be live.
951
952         We also move all repatching operations from CallLinkInfo.cpp to Repatch.cpp for consistency because the
953         other repatching operations in CallLinkInfo are implemented in Repatch.cpp side.
954
955         * bytecode/CallLinkInfo.cpp:
956         (JSC::CallLinkInfo::setCallee):
957         (JSC::CallLinkInfo::clearCallee):
958         * jit/Repatch.cpp:
959         (JSC::linkFor):
960         (JSC::revertCall):
961
962 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
963
964         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
965         https://bugs.webkit.org/show_bug.cgi?id=196582
966
967         Reviewed by Saam Barati.
968
969         In DFG, our ArithAdd with overflow is executed speculatively, and we recover the value when the overflow flag is set.
970         The recovery is subtracting the operand from the destination to get the original two operands. Our recovery code
971         handles the A + B = A and A + B = B cases. But it misses the A + A = A case (here, A and B are GPRReg). Our recovery code
972         attempts to produce the original operand by performing A - A, and it always produces zero accidentally.
973
974         This patch adds the recovery code for the A + A = A case. Because we know that this ArithAdd overflows, and the operands were
975         the same value, we can calculate the original operand from the destination value by `((int32_t)value >> 1) ^ 0x80000000`.
976
977         We also found that the FTL recovery code is dead. We remove it in this patch.
978
979         * dfg/DFGOSRExit.cpp:
980         (JSC::DFG::OSRExit::executeOSRExit):
981         (JSC::DFG::OSRExit::compileExit):
982         * dfg/DFGOSRExit.h:
983         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
984         * dfg/DFGSpeculativeJIT.cpp:
985         (JSC::DFG::SpeculativeJIT::compileArithAdd):
986         * ftl/FTLExitValue.cpp:
987         (JSC::FTL::ExitValue::dataFormat const):
988         (JSC::FTL::ExitValue::dumpInContext const):
989         * ftl/FTLExitValue.h:
990         (JSC::FTL::ExitValue::isArgument const):
991         (JSC::FTL::ExitValue::hasIndexInStackmapLocations const):
992         (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset):
993         (JSC::FTL::ExitValue::recovery): Deleted.
994         (JSC::FTL::ExitValue::isRecovery const): Deleted.
995         (JSC::FTL::ExitValue::leftRecoveryArgument const): Deleted.
996         (JSC::FTL::ExitValue::rightRecoveryArgument const): Deleted.
997         (JSC::FTL::ExitValue::recoveryFormat const): Deleted.
998         (JSC::FTL::ExitValue::recoveryOpcode const): Deleted.
999         * ftl/FTLLowerDFGToB3.cpp:
1000         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1001         (JSC::FTL::DFG::LowerDFGToB3::preparePatchpointForExceptions):
1002         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
1003         (JSC::FTL::DFG::LowerDFGToB3::exitValueForNode):
1004         (JSC::FTL::DFG::LowerDFGToB3::addAvailableRecovery): Deleted.
1005         * ftl/FTLOSRExitCompiler.cpp:
1006         (JSC::FTL::compileRecovery):
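
        Added example, not code from the WebKit tree: the three speculative-add recovery cases from this entry (A + B = A,
        A + B = B and A + A = A), modelled with JavaScript's own int32 operators (`| 0` wraps like the machine add, `>>` is an
        arithmetic shift, `^` yields a signed int32). The function names, the overflow emulation and the constructed samples
        are this example's own, not names from DFGOSRExit.cpp. It goes slightly beyond the entry by checking the A + A = A
        identity over a sweep of overflowing int32 values and by showing why the old A - A recovery always produced zero.

```javascript
// Added example (not JSC code): DFG speculative-add recovery, modelled with
// JavaScript int32 operators. All helper names are this example's own.

const SIGN_BIT = 0x80000000;

// The speculative add: a and b are int32. The JIT's add sets the overflow flag
// when the true sum does not fit in int32; emulated here with exact doubles
// (a + b is exact for int32 inputs) compared against the wrapped register value.
function speculativeAdd(a, b) {
  const exact = a + b;
  const dest = exact | 0;                 // what the destination register holds
  return { dest, overflowed: exact !== dest };
}

// Recovery when the destination aliased one operand (A + B = A or A + B = B):
// subtract the surviving operand from the destination, wrapping like the JIT.
function recoverAliasedOperand(dest, survivingOperand) {
  return (dest - survivingOperand) | 0;
}

// The pre-patch behaviour for A + A = A: both "operands" are the destination
// register, so dest - dest is computed and the recovered value is always zero.
function naiveSelfAddRecovery(dest) {
  return (dest - dest) | 0;
}

// Recovery for A + A = A after an overflow. The true sum 2A has a zero low bit
// and the wrapped value differs from 2A only in bit 31. An arithmetic shift
// right by one restores bits 0..30 of A; bit 31 of the shifted value is a copy
// of bit 30, which on overflow is the complement of A's real sign bit, so the
// xor flips it back. Only valid when the add overflowed (without overflow,
// dest >> 1 alone is A and the xor would corrupt the sign).
function recoverSelfAdd(dest) {
  return (dest >> 1) ^ SIGN_BIT;
}

// OSR-exit style dispatch: given which operand the destination aliased,
// return the original value of that operand.
function recoverOperand(dest, { a, b }, kind) {
  switch (kind) {
    case 'A+B=A': return recoverAliasedOperand(dest, b);
    case 'A+B=B': return recoverAliasedOperand(dest, a);
    case 'A+A=A': return recoverSelfAdd(dest);
  }
  throw new Error('unknown recovery kind ' + kind);
}

// Count values in `samples` for which the self-add identity fails; 0 means
// it held for every sample whose doubling overflowed.
function countSelfAddMismatches(samples) {
  let mismatches = 0;
  for (const a of samples) {
    const { dest, overflowed } = speculativeAdd(a, a);
    if (!overflowed) continue;            // the formula only applies on overflow
    if (recoverSelfAdd(dest) !== a) mismatches++;
  }
  return mismatches;
}

// Constructed sample set: the int32 boundaries plus a sparse sweep of the
// whole range, keeping only values whose doubling overflows int32.
function overflowingSelfAddSamples() {
  const out = [-2147483648, -1073741825, 1073741824, 2147483647];
  for (let a = -2147483648; a < 2147483648; a += 999983) out.push(a | 0);
  return out.filter(a => speculativeAdd(a, a).overflowed);
}

// Stand-alone demonstration of the A + A = A case on one value.
function demo() {
  const a = 1073741824;                   // 2^30: doubling it overflows int32
  const { dest, overflowed } = speculativeAdd(a, a);
  return { a, dest, overflowed, naive: naiveSelfAddRecovery(dest), recovered: recoverSelfAdd(dest) };
}
console.log(demo());
```

        Run with node; demo() shows dest = -2147483648 (the wrapped 2^31), the naive recovery 0, and the
        recovered operand 1073741824.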
1007
1008 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
1009
1010         Unreviewed, rolling out r243665.
1011
1012         Caused iOS JSC tests to exit with an exception.
1013
1014         Reverted changeset:
1015
1016         "Assertion failed in JSC::createError"
1017         https://bugs.webkit.org/show_bug.cgi?id=196305
1018         https://trac.webkit.org/changeset/243665
1019
1020 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
1021
1022         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
1023         https://bugs.webkit.org/show_bug.cgi?id=196486
1024
1025         Reviewed by Saam Barati.
1026
1027         When parsing a FunctionExpression / FunctionDeclaration etc., we use SyntaxChecker for the body of the function because we do not have any interest in the nodes of the body at that time.
1028         The nodes will be parsed with the ASTBuilder when the function itself is parsed for code generation. This worked well previously because all functions ended with "}".
1029         SyntaxChecker lexes this "}" token, and the parser restores the context back to ASTBuilder and continues parsing.
1030
1031         But now, we have ArrowFunctionExpression without braces `arrow => expr`. Let's consider the following code.
1032
1033                 arrow => expr
1034                 "string!"
1035
1036         We parse the arrow function's body with SyntaxChecker. At that time, we lex the "string!" token under the SyntaxChecker context. But this means that we may not build string content for this token
1037         since SyntaxChecker may not have interest in the string content itself in certain cases. After the parser is back to ASTBuilder, we parse "string!" as an ExpressionStatement with a string constant,
1038         generate a StringNode with a non-built identifier (nullptr), and we accidentally create a StringNode with nullptr.
1039
1040         This patch fixes this problem. The root cause of this problem is that the last token lexed in the previous context is used. We add lexCurrentTokenAgainUnderCurrentContext which will re-lex
1041         the current token under the current context (may be ASTBuilder). This should be done only when the caller's context is different from SyntaxChecker, which avoids unnecessary lexing.
1042         We leverage existing SavePoint mechanism to implement lexCurrentTokenAgainUnderCurrentContext cleanly.
1043
1044         And we also fix the bug in the existing SavePoint mechanism, which is shown in the attached test script. When we save LexerState, we do not save the line terminator status. This patch also introduces
1045         lexWithoutClearingLineTerminator, which lexes the token without clearing the line terminator status.
1046
1047         * parser/ASTBuilder.h:
1048         (JSC::ASTBuilder::createString):
1049         * parser/Lexer.cpp:
1050         (JSC::Lexer<T>::parseMultilineComment):
1051         (JSC::Lexer<T>::lexWithoutClearingLineTerminator): EOF token also should record offset information. This offset information is correctly handled in Lexer::setOffset too.
1052         (JSC::Lexer<T>::lex): Deleted.
1053         * parser/Lexer.h:
1054         (JSC::Lexer::hasLineTerminatorBeforeToken const):
1055         (JSC::Lexer::setHasLineTerminatorBeforeToken):
1056         (JSC::Lexer<T>::lex):
1057         (JSC::Lexer::prevTerminator const): Deleted.
1058         (JSC::Lexer::setTerminator): Deleted.
1059         * parser/Parser.cpp:
1060         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
1061         (JSC::Parser<LexerType>::parseSingleFunction):
1062         (JSC::Parser<LexerType>::parseStatementListItem):
1063         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
1064         (JSC::Parser<LexerType>::parseFunctionInfo):
1065         (JSC::Parser<LexerType>::parseClass):
1066         (JSC::Parser<LexerType>::parseExportDeclaration):
1067         (JSC::Parser<LexerType>::parseAssignmentExpression):
1068         (JSC::Parser<LexerType>::parseYieldExpression):
1069         (JSC::Parser<LexerType>::parseProperty):
1070         (JSC::Parser<LexerType>::parsePrimaryExpression):
1071         (JSC::Parser<LexerType>::parseMemberExpression):
1072         * parser/Parser.h:
1073         (JSC::Parser::nextWithoutClearingLineTerminator):
1074         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
1075         (JSC::Parser::internalSaveLexerState):
1076         (JSC::Parser::restoreLexerState):
1077
1078 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1079
1080         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1081         https://bugs.webkit.org/show_bug.cgi?id=176810
1082
1083         Reviewed by Saam Barati.
1084
1085         This adds conditional logic following the invariant checks, to perform
1086         filtering in common uses of getOwnPropertyNames.
1087
1088         While this would ideally only be done in JSPropertyNameEnumerator, adding
1089         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
1090         invariant that the EnumerationMode is properly followed.
1091
1092         * runtime/PropertyNameArray.h:
1093         (JSC::PropertyNameArray::reset):
1094         * runtime/ProxyObject.cpp:
1095         (JSC::ProxyObject::performGetOwnPropertyNames):
1096
1097 2019-04-05  Commit Queue  <commit-queue@webkit.org>
1098
1099         Unreviewed, rolling out r243833.
1100         https://bugs.webkit.org/show_bug.cgi?id=196645
1101
1102         This change breaks build of WPE and GTK ports (Requested by
1103         annulen on #webkit).
1104
1105         Reverted changeset:
1106
1107         "[CMake][WTF] Mirror XCode header directories"
1108         https://bugs.webkit.org/show_bug.cgi?id=191662
1109         https://trac.webkit.org/changeset/243833
1110
1111 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1112
1113         [JSC] throw if ownKeys Proxy trap result contains duplicate keys
1114         https://bugs.webkit.org/show_bug.cgi?id=185211
1115
1116         Reviewed by Saam Barati.
1117
1118         Implements the normative spec change in https://github.com/tc39/ecma262/pull/833
1119
1120         This involves tracking duplicate keys returned from the ownKeys trap in yet
1121         another HashTable, and may incur a minor performance penalty in some cases. This
1122         is not expected to significantly affect web performance.
1123
1124         * runtime/ProxyObject.cpp:
1125         (JSC::ProxyObject::performGetOwnPropertyNames):
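
        Added example, not part of this ChangeLog or of JSC's sources: script-level checks for the two ProxyObject changes
        above, the DontEnum filtering from the "[JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()" entry
        and the duplicate-key rejection in this entry. The proxies, helper names and key names are constructed for the
        example; what it asserts is the ECMAScript behaviour (Object.keys drops keys the proxy reports as non-enumerable,
        Reflect.ownKeys keeps them, and a duplicate in the ownKeys trap result throws a TypeError per tc39/ecma262 PR 833).

```javascript
// Added example (not JSC code): observable behaviour of the two Proxy ownKeys
// changes, checked from script. Helper and key names are constructed.

// Proxy whose ownKeys trap reports 'visible' and 'hidden'; the descriptor trap
// marks 'hidden' non-enumerable. The target is extensible and has no
// non-configurable own keys, so every Proxy invariant check passes and the
// only thing left to observe is the DontEnum filtering.
function makeFilteringProxy() {
  return new Proxy({}, {
    ownKeys() { return ['visible', 'hidden']; },
    getOwnPropertyDescriptor(target, key) {
      if (key === 'visible' || key === 'hidden') {
        return { value: key, writable: true, configurable: true, enumerable: key === 'visible' };
      }
      return undefined;
    },
  });
}

// The keys each enumeration path sees. Object.keys excludes DontEnum
// properties (the EnumerationMode the patch filters for); Reflect.ownKeys
// includes them.
function enumerateProxyKeys() {
  const proxy = makeFilteringProxy();
  return {
    all: Reflect.ownKeys(proxy),
    enumerableOnly: Object.keys(proxy),
  };
}

// Proxy whose ownKeys trap violates the PR 833 rule by returning 'dup' twice.
function makeDuplicateKeysProxy() {
  return new Proxy({}, {
    ownKeys() { return ['dup', 'other', 'dup']; },
  });
}

// Name of the error class thrown for the duplicate-key trap result, or null
// if the engine accepted it (an engine predating the spec change would).
function duplicateOwnKeysOutcome() {
  try {
    Reflect.ownKeys(makeDuplicateKeysProxy());
    return null;
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : e.constructor.name;
  }
}

console.log(enumerateProxyKeys(), duplicateOwnKeysOutcome());
```

        Run with node; the first value should list both keys under `all` and only 'visible' under `enumerableOnly`,
        and the second should be 'TypeError'.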
1126
1127 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1128
1129         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
1130         https://bugs.webkit.org/show_bug.cgi?id=196631
1131
1132         Reviewed by Saam Barati.
1133
1134         makeBoundFunction assumes that the "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
1135         DFG may store this value in Double format, so we should not rely on this value being Int32. This patch fixes the makeBoundFunction function to perform
1136         a toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
1137
1138         * JavaScriptCore.xcodeproj/project.pbxproj:
1139         * Sources.txt:
1140         * interpreter/CallFrameInlines.h:
1141         * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
1142         (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
1143         (JSC::DoublePredictionFuzzerAgent::getPrediction):
1144         * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
1145         * runtime/JSGlobalObject.cpp:
1146         (JSC::makeBoundFunction):
1147         * runtime/Options.h:
1148         * runtime/VM.cpp:
1149         (JSC::VM::VM):
1150
1151 2019-04-04  Robin Morisset  <rmorisset@apple.com>
1152
1153         B3ReduceStrength should know that Mul distributes over Add and Sub
1154         https://bugs.webkit.org/show_bug.cgi?id=196325
1155         <rdar://problem/49441650>
1156
1157         Reviewed by Saam Barati.
1158
1159         Fix some obviously wrong code that was due to an accidental copy-paste.
1160         It made the entire optimization dead code that never ran.
1161
1162         * b3/B3ReduceStrength.cpp:
1163
1164 2019-04-04  Saam Barati  <sbarati@apple.com>
1165
1166         Unreviewed, build fix for CLoop after r243886
1167
1168         * interpreter/Interpreter.cpp:
1169         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1170         * interpreter/StackVisitor.cpp:
1171         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1172         * interpreter/StackVisitor.h:
1173
1174 2019-04-04  Commit Queue  <commit-queue@webkit.org>
1175
1176         Unreviewed, rolling out r243898.
1177         https://bugs.webkit.org/show_bug.cgi?id=196624
1178
1179         `#if !ENABLE(C_LOOP) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0`
1180         does not work well (Requested by yusukesuzuki on #webkit).
1181
1182         Reverted changeset:
1183
1184         "Unreviewed, build fix for CLoop and Windows after r243886"
1185         https://bugs.webkit.org/show_bug.cgi?id=196387
1186         https://trac.webkit.org/changeset/243898
1187
1188 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1189
1190         Unreviewed, build fix for CLoop and Windows after r243886
1191         https://bugs.webkit.org/show_bug.cgi?id=196387
1192
1193         RegisterAtOffsetList does not exist if ENABLE(ASSEMBLER) is false.
1194
1195         * interpreter/StackVisitor.cpp:
1196         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1197         * interpreter/StackVisitor.h:
1198
1199 2019-04-04  Saam barati  <sbarati@apple.com>
1200
1201         Teach Call ICs how to call Wasm
1202         https://bugs.webkit.org/show_bug.cgi?id=196387
1203
1204         Reviewed by Filip Pizlo.
1205
1206         This patch teaches JS to call Wasm without going through the native thunk.
1207         Currently, we emit a JIT "JS" callee stub which marshals arguments from
1208         JS to Wasm. Like the native version of this, this thunk is responsible
1209         for saving and restoring the VM's current Wasm context. Instead of emitting
1210         an exception handler, we also teach the unwinder how to read the previous
1211         wasm context to restore it as it unwinds past this frame.
1212         
1213         This patch is straight forward, and leaves some areas for perf improvement:
1214         - We can teach the DFG/FTL to directly use the Wasm calling convention when
1215           it knows it's calling a single Wasm function. This way we don't shuffle
1216           registers to the stack and then back into registers.
1217         - We bail out to the slow path for mismatched arity. I opened a bug to
1218           optimize arity check failures: https://bugs.webkit.org/show_bug.cgi?id=196564
1219         - We bail out to the slow path for Double JSValues flowing into i32 arguments.
1220           We should teach this thunk how to do that conversion directly.
1221         
1222         This patch also refactors the code to explicitly have a single pinned size register.
1223         We used to pretend in some places that we could have more than one pinned size register.
1224         However, there was other code that just asserted the size was one. This patch just rips
1225         out this code since we never moved to having more than one pinned size register. Doing
1226         this refactoring cleans up the various places where we set up the size register.
1227         
1228         This patch is a 50-60% progression on JetStream 2's richards-wasm.
1229
1230         * JavaScriptCore.xcodeproj/project.pbxproj:
1231         * Sources.txt:
1232         * assembler/MacroAssemblerCodeRef.h:
1233         (JSC::MacroAssemblerCodeRef::operator=):
1234         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1235         * interpreter/Interpreter.cpp:
1236         (JSC::UnwindFunctor::operator() const):
1237         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1238         * interpreter/StackVisitor.cpp:
1239         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1240         (JSC::StackVisitor::Frame::calleeSaveRegisters): Deleted.
1241         * interpreter/StackVisitor.h:
1242         * jit/JITOperations.cpp:
1243         * jit/RegisterSet.cpp:
1244         (JSC::RegisterSet::runtimeTagRegisters):
1245         (JSC::RegisterSet::specialRegisters):
1246         (JSC::RegisterSet::runtimeRegisters): Deleted.
1247         * jit/RegisterSet.h:
1248         * jit/Repatch.cpp:
1249         (JSC::linkPolymorphicCall):
1250         * runtime/JSFunction.cpp:
1251         (JSC::getCalculatedDisplayName):
1252         * runtime/JSGlobalObject.cpp:
1253         (JSC::JSGlobalObject::init):
1254         (JSC::JSGlobalObject::visitChildren):
1255         * runtime/JSGlobalObject.h:
1256         (JSC::JSGlobalObject::jsToWasmICCalleeStructure const):
1257         * runtime/VM.cpp:
1258         (JSC::VM::VM):
1259         * runtime/VM.h:
1260         * wasm/WasmAirIRGenerator.cpp:
1261         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
1262         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
1263         (JSC::Wasm::AirIRGenerator::addCallIndirect):
1264         * wasm/WasmB3IRGenerator.cpp:
1265         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1266         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1267         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1268         * wasm/WasmBinding.cpp:
1269         (JSC::Wasm::wasmToWasm):
1270         * wasm/WasmContext.h:
1271         (JSC::Wasm::Context::pointerToInstance):
1272         * wasm/WasmContextInlines.h:
1273         (JSC::Wasm::Context::store):
1274         * wasm/WasmMemoryInformation.cpp:
1275         (JSC::Wasm::getPinnedRegisters):
1276         (JSC::Wasm::PinnedRegisterInfo::get):
1277         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1278         * wasm/WasmMemoryInformation.h:
1279         (JSC::Wasm::PinnedRegisterInfo::toSave const):
1280         * wasm/WasmOMGPlan.cpp:
1281         (JSC::Wasm::OMGPlan::work):
1282         * wasm/js/JSToWasm.cpp:
1283         (JSC::Wasm::createJSToWasmWrapper):
1284         * wasm/js/JSToWasmICCallee.cpp: Added.
1285         (JSC::JSToWasmICCallee::create):
1286         (JSC::JSToWasmICCallee::createStructure):
1287         (JSC::JSToWasmICCallee::visitChildren):
1288         * wasm/js/JSToWasmICCallee.h: Added.
1289         (JSC::JSToWasmICCallee::function):
1290         (JSC::JSToWasmICCallee::JSToWasmICCallee):
1291         * wasm/js/WebAssemblyFunction.cpp:
1292         (JSC::WebAssemblyFunction::useTagRegisters const):
1293         (JSC::WebAssemblyFunction::calleeSaves const):
1294         (JSC::WebAssemblyFunction::usedCalleeSaveRegisters const):
1295         (JSC::WebAssemblyFunction::previousInstanceOffset const):
1296         (JSC::WebAssemblyFunction::previousInstance):
1297         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1298         (JSC::WebAssemblyFunction::visitChildren):
1299         (JSC::WebAssemblyFunction::destroy):
1300         * wasm/js/WebAssemblyFunction.h:
1301         * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Added.
1302         (JSC::WebAssemblyFunctionDestroyFunc::operator() const):
1303         (JSC::WebAssemblyFunctionHeapCellType::WebAssemblyFunctionHeapCellType):
1304         (JSC::WebAssemblyFunctionHeapCellType::~WebAssemblyFunctionHeapCellType):
1305         (JSC::WebAssemblyFunctionHeapCellType::finishSweep):
1306         (JSC::WebAssemblyFunctionHeapCellType::destroy):
1307         * wasm/js/WebAssemblyFunctionHeapCellType.h: Added.
1308         * wasm/js/WebAssemblyPrototype.h:
1309
1310 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1311
1312         [JSC] Pass CodeOrigin to FuzzerAgent
1313         https://bugs.webkit.org/show_bug.cgi?id=196590
1314
1315         Reviewed by Saam Barati.
1316
1317         Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
1318         We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
1319         but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
1320
1321         * dfg/DFGByteCodeParser.cpp:
1322         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1323         * runtime/FuzzerAgent.cpp:
1324         (JSC::FuzzerAgent::getPrediction):
1325         * runtime/FuzzerAgent.h:
1326         * runtime/RandomizingFuzzerAgent.cpp:
1327         (JSC::RandomizingFuzzerAgent::getPrediction):
1328         * runtime/RandomizingFuzzerAgent.h:
1329
1330 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
1331
1332         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
1333         https://bugs.webkit.org/show_bug.cgi?id=194944
1334
1335         Reviewed by Keith Miller.
1336
1337         Based on profile data collected on JetStream2, Speedometer 2 and
1338         other benchmarks, it is very rare to have a non-empty
1339         UnlinkedFunctionExecutable::m_parentScopeTDZVariables.
1340
1341         - Data collected from Speedometer2
1342             Total number of UnlinkedFunctionExecutable: 39463
1343             Total number of non-empty parentScopeTDZVars: 428 (~1%)
1344
1345         - Data collected from JetStream2
1346             Total number of UnlinkedFunctionExecutable: 83715
1347             Total number of non-empty parentScopeTDZVars: 5285 (~6%)
1348
1349         We also collected numbers on 6 of the top 10 Alexa sites.
1350
1351         - Data collected from youtube.com
1352             Total number of UnlinkedFunctionExecutable: 29599
1353             Total number of non-empty parentScopeTDZVars: 97 (~0.3%)
1354
1355         - Data collected from twitter.com
1356             Total number of UnlinkedFunctionExecutable: 23774
1357             Total number of non-empty parentScopeTDZVars: 172 (~0.7%)
1358
1359         - Data collected from google.com
1360             Total number of UnlinkedFunctionExecutable: 33209
1361             Total number of non-empty parentScopeTDZVars: 174 (~0.5%)
1362
1363         - Data collected from amazon.com:
1364             Total number of UnlinkedFunctionExecutable: 15182
1365             Total number of non-empty parentScopeTDZVars: 166 (~1%)
1366
1367         - Data collected from facebook.com:
1368             Total number of UnlinkedFunctionExecutable: 54443
1369             Total number of non-empty parentScopeTDZVars: 269 (~0.4%)
1370
1371         - Data collected from netflix.com:
1372             Total number of UnlinkedFunctionExecutable: 39266
1373             Total number of non-empty parentScopeTDZVars: 97 (~0.2%)
1374
1375         Considering such numbers, this patch moves `m_parentScopeTDZVariables`
1376         to RareData. This decreases sizeof(UnlinkedFunctionExecutable) by
1377         16 bytes. With this change, the UnlinkedFunctionExecutable constructors
1378         now receive an `Optional<VariableEnvironmentMap::Handle>` and only store
1379         it when `value != WTF::nullopt`. We also changed
1380         UnlinkedFunctionExecutable::parentScopeTDZVariables() so that it returns
1381         `VariableEnvironment()` whenever the Executable doesn't have RareData,
1382         or VariableEnvironmentMap::Handle is uninitialized. This is required
1383         because RareData is instantiated when any of its fields is stored and
1384         we can have an uninitialized `Handle` even in cases when parentScopeTDZVariables
1385         is `WTF::nullopt`.
1386
1387         Results on memory usage on JetStream2 are neutral.
1388
1389             Mean of memory peak on ToT: 4258633728 bytes (confidence interval: 249720072.95)
1390             Mean of memory peak on Changes: 4367325184 bytes (confidence interval: 321285583.61)
1391
1392         * builtins/BuiltinExecutables.cpp:
1393         (JSC::BuiltinExecutables::createExecutable):
1394         * bytecode/UnlinkedFunctionExecutable.cpp:
1395         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1396         * bytecode/UnlinkedFunctionExecutable.h:
1397         * bytecompiler/BytecodeGenerator.cpp:
1398         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1399
1400         BytecodeGenerator::getVariablesUnderTDZ now also caches if m_cachedVariablesUnderTDZ
1401         is empty, so we can properly return `WTF::nullopt` without the
1402         reconstruction of a VariableEnvironment to check if it is empty.
1403
1404         * bytecompiler/BytecodeGenerator.h:
1405         (JSC::BytecodeGenerator::makeFunction):
1406         * parser/VariableEnvironment.h:
1407         (JSC::VariableEnvironment::isEmpty const):
1408         * runtime/CachedTypes.cpp:
1409         (JSC::CachedCompactVariableMapHandle::decode const):
1410
1411         It returns an uninitialized Handle when there is no
1412         CompactVariableEnvironment. This can happen when RareData is ensured
1413         because of another field.
1414
1415         (JSC::CachedFunctionExecutableRareData::encode):
1416         (JSC::CachedFunctionExecutableRareData::decode const):
1417         (JSC::CachedFunctionExecutable::encode):
1418         (JSC::CachedFunctionExecutable::decode const):
1419         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1420         * runtime/CodeCache.cpp:
1421
1422         Instead of creating a dummyVariablesUnderTDZ, we simply pass
1423         WTF::nullopt.
1424
1425         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1426
1427 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1428
1429         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
1430         https://bugs.webkit.org/show_bug.cgi?id=196409
1431
1432         Reviewed by Saam Barati.
1433
1434         Some of the helpers in jsc.cpp, such as `functionRunString`, were still using
1435         `makeSource` instead of `jscSource`, which does not use the ShellSourceProvider
1436         and therefore does not write the bytecode cache to disk.
1437
1438         Changing that revealed a bug in the bytecode cache. The Encoder keeps a mapping
1439         of pointers to offsets of already cached objects, in order to avoid caching
1440         the same object twice. Similarly, the Decoder keeps a mapping from offsets
1441         to pointers, in order to avoid creating multiple objects in memory for the
1442         same cached object. The following was happening:
1443         1) A StringImpl* S was cached as CachedPtr<CachedStringImpl> at offset O. We add
1444         an entry in the Encoder mapping that S has already been encoded at O.
1445         2) We cache StringImpl* S again, but now as CachedPtr<CachedUniquedStringImpl>.
1446         We find an entry in the Encoder mapping for S, and return the offset O. However,
1447         the object cached at O is a CachedPtr<CachedStringImpl> (i.e. not Uniqued).
1448
1449         3) When decoding, there are 2 possibilities:
1450         3.1) We find S for the first time through a CachedPtr<CachedStringImpl>. In
1451         this case, everything works as expected since we add an entry in the decoder
1452         mapping from the offset O to the decoded StringImpl* S. The next time we find
1453         S through the uniqued version, we'll return the already decoded S.
1454         3.2) We find S through a CachedPtr<CachedUniquedStringImpl>. Now we have a
1455         problem, since the CachedPtr has the offset of a CachedStringImpl (not uniqued),
1456         which has a different shape and we crash.
1457
1458         We fix this by making CachedStringImpl and CachedUniquedStringImpl share the
1459         same implementation. Since it doesn't matter whether a string is uniqued for
1460         encoding, and we always decode strings as uniqued either way, they can be used
1461         interchangeably.
1462
1463         * jsc.cpp:
1464         (functionRunString):
1465         (functionLoadString):
1466         (functionDollarAgentStart):
1467         (functionCheckModuleSyntax):
1468         (runInteractive):
1469         * runtime/CachedTypes.cpp:
1470         (JSC::CachedUniquedStringImplBase::decode const):
1471         (JSC::CachedFunctionExecutable::rareData const):
1472         (JSC::CachedCodeBlock::rareData const):
1473         (JSC::CachedFunctionExecutable::encode):
1474         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1475         (JSC::CachedUniquedStringImpl::encode): Deleted.
1476         (JSC::CachedUniquedStringImpl::decode const): Deleted.
1477         (JSC::CachedStringImpl::encode): Deleted.
1478         (JSC::CachedStringImpl::decode const): Deleted.
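
        The encoder/decoder mismatch walked through in this entry (steps 1 to 3.2), as an added example that is not WebKit's CachedTypes code: a toy cache whose deduplication map is keyed by pointer only, decoded first through the "uniqued" pointer kind, and the fix of letting both kinds share one record layout. The record layouts, the hash function and the sample string are this example's own.

```cpp
// Added example, not WebKit's CachedTypes code: a toy cache encoder/decoder that reproduces
// the pointer-keyed deduplication problem described above (steps 1 to 3.2) and the fix of
// giving both string kinds one shared encoding. Record layouts and the hash are made up here.
#include <cstdint>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

enum Shape : uint8_t { PlainString = 1, UniquedString = 2 };

// Constructed stand-in for the hash a uniqued string record carries.
static uint32_t hashOf(const std::string& s) { uint32_t h = 0; for (unsigned char c : s) h = h * 31 + c; return h; }

class Encoder {
public:
    explicit Encoder(bool sharedImpl) : m_sharedImpl(sharedImpl) { }
    // Analogues of CachedPtr<CachedStringImpl> and CachedPtr<CachedUniquedStringImpl>.
    size_t encodeString(const std::string* s) { return encode(s, PlainString); }
    size_t encodeUniqued(const std::string* s) { return encode(s, UniquedString); }
    const std::vector<uint8_t>& bytes() const { return m_bytes; }
private:
    size_t encode(const std::string* s, Shape requested)
    {
        // The dedup map is keyed by pointer only: a hit returns offset O regardless of which
        // shape was written there. That is the defect.
        auto it = m_offsets.find(s);
        if (it != m_offsets.end())
            return it->second;
        // Fix: both kinds write one shared (uniqued) layout, so the record at O cannot mismatch.
        const Shape shape = m_sharedImpl ? UniquedString : requested;
        const size_t offset = m_bytes.size();
        m_bytes.push_back(shape);
        if (shape == UniquedString)
            writeU32(hashOf(*s));
        writeU32(static_cast<uint32_t>(s->size()));
        m_bytes.insert(m_bytes.end(), s->begin(), s->end());
        m_offsets[s] = offset;
        return offset;
    }
    void writeU32(uint32_t v) { for (int i = 0; i < 4; ++i) m_bytes.push_back(uint8_t(v >> (8 * i))); }

    bool m_sharedImpl;
    std::vector<uint8_t> m_bytes;
    std::map<const std::string*, size_t> m_offsets;
};

class Decoder {
public:
    explicit Decoder(const std::vector<uint8_t>& bytes) : m_bytes(bytes) { }
    // Decodes the record at `offset`, expecting layout `expected`. Throws where the real
    // decoder would walk a differently shaped record and crash.
    const std::string& decodeAs(size_t offset, Shape expected)
    {
        auto it = m_decoded.find(offset);
        if (it != m_decoded.end())
            return it->second; // offset -> object map: one decoded object per cached record
        if (m_bytes.at(offset) != expected)
            throw std::runtime_error("shape mismatch");
        size_t pos = offset + 1; uint32_t hash = 0;
        if (expected == UniquedString) { hash = readU32(pos); pos += 4; }
        const uint32_t length = readU32(pos); pos += 4;
        if (pos + length > m_bytes.size())
            throw std::runtime_error("truncated record");
        std::string value(m_bytes.begin() + pos, m_bytes.begin() + pos + length);
        if (expected == UniquedString && hashOf(value) != hash)
            throw std::runtime_error("hash mismatch");
        return m_decoded.emplace(offset, std::move(value)).first->second;
    }
private:
    uint32_t readU32(size_t pos) const
    {
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v |= uint32_t(m_bytes.at(pos + i)) << (8 * i);
        return v;
    }
    const std::vector<uint8_t>& m_bytes;
    std::map<size_t, std::string> m_decoded;
};

// Encodes S as plain, then as uniqued (dedup returns the same offset O), then decodes O through
// the uniqued pointer kind first (case 3.2) or the plain one first (case 3.1). True if both succeed.
bool roundTrip(bool sharedImpl, bool uniquedFirst)
{
    const std::string S = "constructed sample string";
    Encoder enc(sharedImpl);
    const size_t O = enc.encodeString(&S);
    if (enc.encodeUniqued(&S) != O)
        return false; // dedup should have hit
    const Shape plainExpects = sharedImpl ? UniquedString : PlainString; // shared impl: one layout
    const Shape first = uniquedFirst ? UniquedString : plainExpects;
    const Shape second = uniquedFirst ? plainExpects : UniquedString;
    Decoder dec(enc.bytes());
    try {
        return dec.decodeAs(O, first) == S && dec.decodeAs(O, second) == S;
    } catch (const std::runtime_error&) { return false; }
}
```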
1479
1480 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1481
1482         UnlinkedCodeBlock constructor from cache should initialize m_didOptimize
1483         https://bugs.webkit.org/show_bug.cgi?id=196396
1484
1485         Reviewed by Saam Barati.
1486
1487         The UnlinkedCodeBlock constructor in CachedTypes was missing the initialization
1488         for m_didOptimize, which leads to crashes in CodeBlock::thresholdForJIT.
1489
1490         * runtime/CachedTypes.cpp:
1491         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1492
1493 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1494
1495         Unreviewed, rolling in r243843 with the build fix
1496         https://bugs.webkit.org/show_bug.cgi?id=196586
1497
1498         * runtime/Options.cpp:
1499         (JSC::recomputeDependentOptions):
1500         * runtime/Options.h:
1501         * runtime/RandomizingFuzzerAgent.cpp:
1502         (JSC::RandomizingFuzzerAgent::getPrediction):
1503
1504 2019-04-03  Ryan Haddad  <ryanhaddad@apple.com>
1505
1506         Unreviewed, rolling out r243843.
1507
1508         Broke CLoop and Windows builds.
1509
1510         Reverted changeset:
1511
1512         "[JSC] Add dump feature for RandomizingFuzzerAgent"
1513         https://bugs.webkit.org/show_bug.cgi?id=196586
1514         https://trac.webkit.org/changeset/243843
1515
1516 2019-04-03  Robin Morisset  <rmorisset@apple.com>
1517
1518         B3 should use associativity to optimize expression trees
1519         https://bugs.webkit.org/show_bug.cgi?id=194081
1520
1521         Reviewed by Filip Pizlo.
1522
1523         This patch adds a new B3 pass that tries to find and optimize expression trees made purely of any one associative and commutative operator (Add/Mul/BitOr/BitAnd/BitXor).
1524         The pass only runs in O2, and runs once, after lowerMacros and just before a run of B3ReduceStrength (which helps clean up the dead code it tends to leave behind).
1525         I had to separate killDeadCode out of B3ReduceStrength (as a new B3EliminateDeadCode pass) to run it before B3OptimizeAssociativeExpressionTrees, as otherwise it is stopped by high use counts
1526         inherited from CSE.
1527         This extra run of DCE is by itself a win, most notably on microbenchmarks/instanceof-always-hit-two (1.5x faster), and on microbenchmarks/licm-dragons(-out-of-bounds) (both get 1.16x speedup).
1528         I suspect it is because it runs between CSE and tail-dedup, and as a result allows a lot more tail-dedup to occur.
1529
1530         The pass is currently extremely conservative, not trying anything if it would cause _any_ code duplication.
1531         For this purpose, it starts by computing use counts for the potentially interesting nodes (those with the right opcodes), and segregates them into expression trees.
1532         The root of an expression tree is a node that is either used in multiple places, or is used by a value with a different opcode.
1533         The leaves of an expression tree are nodes that are either used in multiple places, or have a different opcode.
1534         All constant leaves of a tree are combined, as well as all leaves that are identical. What remains is then laid out into a balanced binary tree, hopefully maximizing ILP.
1535
1536         This optimization was implemented as a stand-alone pass and not as part of B3ReduceStrength mostly because it needs use counts to avoid code duplication.
1537         It also benefits from finding all tree roots first, and not trying to repeatedly optimize subtrees.
1538
1539         I added several tests to testB3 with varying patterns of trees. It is also tested in a less focused way by lots of older tests.
1540
1541         In the future this pass could be expanded to allow some bounded amount of code duplication, and merging more leaves (e.g. Mul(a, 3) and a in an Add tree, into Mul(a, 4)).
1542         The latter will need exposing the peephole optimizations out of B3ReduceStrength to avoid duplicating code.
1543
1544         * JavaScriptCore.xcodeproj/project.pbxproj:
1545         * Sources.txt:
1546         * b3/B3Common.cpp:
1547         (JSC::B3::shouldDumpIR):
1548         (JSC::B3::shouldDumpIRAtEachPhase):
1549         * b3/B3Common.h:
1550         * b3/B3EliminateDeadCode.cpp: Added.
1551         (JSC::B3::EliminateDeadCode::run):
1552         (JSC::B3::eliminateDeadCode):
1553         * b3/B3EliminateDeadCode.h: Added.
1554         (JSC::B3::EliminateDeadCode::EliminateDeadCode):
1555         * b3/B3Generate.cpp:
1556         (JSC::B3::generateToAir):
1557         * b3/B3OptimizeAssociativeExpressionTrees.cpp: Added.
1558         (JSC::B3::OptimizeAssociativeExpressionTrees::OptimizeAssociativeExpressionTrees):
1559         (JSC::B3::OptimizeAssociativeExpressionTrees::neutralElement):
1560         (JSC::B3::OptimizeAssociativeExpressionTrees::isAbsorbingElement):
1561         (JSC::B3::OptimizeAssociativeExpressionTrees::combineConstants):
1562         (JSC::B3::OptimizeAssociativeExpressionTrees::emitValue):
1563         (JSC::B3::OptimizeAssociativeExpressionTrees::optimizeRootedTree):
1564         (JSC::B3::OptimizeAssociativeExpressionTrees::run):
1565         (JSC::B3::optimizeAssociativeExpressionTrees):
1566         * b3/B3OptimizeAssociativeExpressionTrees.h: Added.
1567         * b3/B3ReduceStrength.cpp:
1568         * b3/B3Value.cpp:
1569         (JSC::B3::Value::replaceWithIdentity):
1570         * b3/testb3.cpp:
1571         (JSC::B3::testBitXorTreeArgs):
1572         (JSC::B3::testBitXorTreeArgsEven):
1573         (JSC::B3::testBitXorTreeArgImm):
1574         (JSC::B3::testAddTreeArg32):
1575         (JSC::B3::testMulTreeArg32):
1576         (JSC::B3::testBitAndTreeArg32):
1577         (JSC::B3::testBitOrTreeArg32):
1578         (JSC::B3::run):
1579
1580 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1581
1582         [JSC] Add dump feature for RandomizingFuzzerAgent
1583         https://bugs.webkit.org/show_bug.cgi?id=196586
1584
1585         Reviewed by Saam Barati.
1586
1587         Towards deterministic tests for the results from the randomizing fuzzer agent, this patch adds Options::dumpRandomizingFuzzerAgentPredictions, which dumps the generated types.
1588         The results look like this.
1589
1590             getPrediction name:(#C2q9xD),bytecodeIndex:(22),original:(Array),generated:(OtherObj|Array|Float64Array|BigInt|NonIntAsDouble)
1591             getPrediction name:(makeUnwriteableUnconfigurableObject#AiEJv1),bytecodeIndex:(14),original:(OtherObj),generated:(Final|Uint8Array|Float64Array|SetObject|WeakSetObject|BigInt|NonIntAsDouble)
1592
1593         * runtime/Options.cpp:
1594         (JSC::recomputeDependentOptions):
1595         * runtime/Options.h:
1596         * runtime/RandomizingFuzzerAgent.cpp:
1597         (JSC::RandomizingFuzzerAgent::getPrediction):
1598
1599 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
1600
1601         -apple-trailing-word is needed for browser detection
1602         https://bugs.webkit.org/show_bug.cgi?id=196575
1603
1604         Unreviewed.
1605
1606         * Configurations/FeatureDefines.xcconfig:
1607
1608 2019-04-03  Michael Saboff  <msaboff@apple.com>
1609
1610         REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
1611         https://bugs.webkit.org/show_bug.cgi?id=196477
1612
1613         Reviewed by Keith Miller.
1614
1615         The problem here is that when we advance the index by 2 for a character class that only
1616         has non-BMP characters, we might go past the end of the string.  This can happen for
1617         greedy counted character classes that are part of an alternative where there is one
1618         character to match after the greedy non-BMP character class.
1619
1620         The "do we have string left to match" check at the top of the JIT loop for the counted
1621         character class checks to see if index is not equal to the string length.  For non-BMP
1622         character classes, we need to check to see if there are at least 2 characters left.
1623         Therefore we now temporarily add 1 to the current index before comparing.  This checks
1624         to see if there are at least 2 characters left to match, instead of 1.
1625
1626         * yarr/YarrJIT.cpp:
1627         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1628         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
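
        The bounds check described in this entry, as an added example that is not WebKit's Yarr JIT code: a C++ model of a greedy counted non-BMP character class loop with the original one-unit check beside the corrected two-unit check, plus the "class followed by one character" alternative that exposed the problem. The character class, the sample inputs and the comparison form (`index + 1 < length`) are this example's own; the JIT compares differently but with the same intent.

```cpp
// Added example, not WebKit's Yarr JIT code: models the "do we have string left to match"
// check for a greedy counted character class that only matches non-BMP characters, which
// consumes two UTF-16 code units (a surrogate pair) per iteration.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

using Char16 = uint16_t;

static bool isHighSurrogate(Char16 c) { return (c & 0xFC00) == 0xD800; }
static bool isLowSurrogate(Char16 c) { return (c & 0xFC00) == 0xDC00; }

// Hypothetical character class standing in for something like [\u{10000}-\u{10FFFF}] with
// the u flag: matches any supplementary-plane code point, i.e. any valid surrogate pair.
static bool classMatchesNonBMP(Char16 high, Char16 low)
{
    return isHighSurrogate(high) && isLowSurrogate(low);
}

enum class BoundsCheck { Buggy, Fixed };

// Greedily consumes class matches starting at `index`. Returns the index after the last
// match, or nullopt when the loop would have read past the end of the string (the
// out-of-bounds read is detected here rather than performed).
std::optional<size_t> greedyNonBMPClass(const std::vector<Char16>& str, size_t index, BoundsCheck check)
{
    const size_t length = str.size();
    for (;;) {
        // Buggy: only verifies that one code unit is left (index != length).
        // Fixed: verifies that at least two are left, the "index + 1" comparison from the entry.
        const bool haveInput = (check == BoundsCheck::Buggy) ? (index != length) : (index + 1 < length);
        if (!haveInput)
            return index;
        if (index + 1 >= length)
            return std::nullopt; // str[index + 1] would be read past the end
        if (!classMatchesNonBMP(str[index], str[index + 1]))
            return index;
        index += 2; // a non-BMP match advances by two code units
    }
}

// The shape that triggered the crash: an alternative of the greedy non-BMP class followed by
// exactly one literal character, e.g. /[\u{10000}-\u{10FFFF}]+a/u. Returns true/false for
// match/no match, or nullopt if the greedy loop went out of bounds. No backtracking is
// modelled: giving back a pair cannot make a BMP literal match a surrogate anyway.
std::optional<bool> matchClassPlusThenChar(const std::vector<Char16>& str, Char16 trailing, BoundsCheck check)
{
    std::optional<size_t> afterClass = greedyNonBMPClass(str, 0, check);
    if (!afterClass)
        return std::nullopt;
    const size_t index = *afterClass;
    if (index == 0)
        return false; // "+" requires at least one match
    return index < str.size() && str[index] == trailing;
}
```

With the one-unit check, input of one surrogate pair followed by a single BMP character passes the check with one unit left and the pair read runs past the end; the two-unit check stops the loop and leaves that character for the literal.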
1629
1630 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1631
1632         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
1633         https://bugs.webkit.org/show_bug.cgi?id=196574
1634
1635         Reviewed by Saam Barati.
1636
1637         This patch adds missing exception check in operationArrayIndexOfValueInt32OrContiguous.
1638
1639         * dfg/DFGOperations.cpp:
1640
1641 2019-04-03  Don Olmstead  <don.olmstead@sony.com>
1642
1643         [CMake][WTF] Mirror XCode header directories
1644         https://bugs.webkit.org/show_bug.cgi?id=191662
1645
1646         Reviewed by Konstantin Tokarev.
1647
1648         Use WTFFramework as a dependency and include frameworks/WTF.cmake for AppleWin internal
1649         builds.
1650
1651         * CMakeLists.txt:
1652         * shell/CMakeLists.txt:
1653
1654 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1655
1656         [JSC] Add FuzzerAgent, which has hooks to get feedback & inject fuzz data into JSC
1657         https://bugs.webkit.org/show_bug.cgi?id=196530
1658
1659         Reviewed by Saam Barati.
1660
1661         This patch adds FuzzerAgent interface and simple RandomizingFuzzerAgent to JSC.
1662         This RandomizingFuzzerAgent returns random SpeculatedType for value profiling to find
1663         the issues in JSC. The seed for randomization can be specified by seedOfRandomizingFuzzerAgent.
1664
1665         I ran this with seedOfRandomizingFuzzerAgent=1 last night and it found 3 failures in the current JSC tests;
1666         they should be fixed in subsequent patches.
1667
1668         * CMakeLists.txt:
1669         * JavaScriptCore.xcodeproj/project.pbxproj:
1670         * Sources.txt:
1671         * dfg/DFGByteCodeParser.cpp:
1672         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1673         * runtime/FuzzerAgent.cpp: Added.
1674         (JSC::FuzzerAgent::~FuzzerAgent):
1675         (JSC::FuzzerAgent::getPrediction):
1676         * runtime/FuzzerAgent.h: Added.
1677         * runtime/JSGlobalObjectFunctions.cpp:
1678         * runtime/Options.h:
1679         * runtime/RandomizingFuzzerAgent.cpp: Added.
1680         (JSC::RandomizingFuzzerAgent::RandomizingFuzzerAgent):
1681         (JSC::RandomizingFuzzerAgent::getPrediction):
1682         * runtime/RandomizingFuzzerAgent.h: Added.
1683         * runtime/RegExpCachedResult.h:
1684         * runtime/RegExpGlobalData.cpp:
1685         * runtime/VM.cpp:
1686         (JSC::VM::VM):
1687         * runtime/VM.h:
1688         (JSC::VM::fuzzerAgent const):
1689         (JSC::VM::setFuzzerAgent):
1690
1691 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
1692
1693         Remove support for -apple-trailing-word
1694         https://bugs.webkit.org/show_bug.cgi?id=196525
1695
1696         Reviewed by Zalan Bujtas.
1697
1698         This CSS property is nonstandard and not used.
1699
1700         * Configurations/FeatureDefines.xcconfig:
1701
1702 2019-04-03  Joseph Pecoraro  <pecoraro@apple.com>
1703
1704         Web Inspector: Remote Inspector indicate callback should always happen on the main thread
1705         https://bugs.webkit.org/show_bug.cgi?id=196513
1706         <rdar://problem/49498284>
1707
1708         Reviewed by Devin Rousso.
1709
1710         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1711         (Inspector::RemoteInspector::receivedIndicateMessage):
1712         When we have a WebThread, don't just run on the WebThread,
1713         run on the MainThread with the WebThreadLock.
1714
1715 2019-04-02  Michael Saboff  <msaboff@apple.com>
1716
1717         Crash in Options::setOptions() using --configFile option and libgmalloc
1718         https://bugs.webkit.org/show_bug.cgi?id=196506
1719
1720         Reviewed by Keith Miller.
1721
1722         Changed to call CString::data() while making the call to Options::setOptions().  This keeps
1723         the implicit CString temporary alive until after setOptions() returns.
1724
1725         * runtime/ConfigFile.cpp:
1726         (JSC::ConfigFile::parse):
1727
1728 2019-04-02  Fujii Hironori  <Hironori.Fujii@sony.com>
1729
1730         [CMake] WEBKIT_MAKE_FORWARDING_HEADERS shouldn't use POST_BUILD to copy generated headers
1731         https://bugs.webkit.org/show_bug.cgi?id=182757
1732
1733         Reviewed by Don Olmstead.
1734
1735         * CMakeLists.txt: Do not use DERIVED_SOURCE_DIRECTORIES parameter
1736         of WEBKIT_MAKE_FORWARDING_HEADERS. Added generated headers to
1737         JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS.
1738
1739 2019-04-02  Saam barati  <sbarati@apple.com>
1740
1741         Add a ValueRepReduction phase
1742         https://bugs.webkit.org/show_bug.cgi?id=196234
1743
1744         Reviewed by Filip Pizlo.
1745
1746         This patch adds a ValueRepReduction phase. The main idea here is
1747         to try to reduce DoubleRep(RealNumberUse:ValueRep(DoubleRepUse:@x))
1748         to just be @x. This patch handles the above strength reduction rules
1749         as long as we prove that all users of the ValueRep can be converted
1750         to using the incoming double value. That way we prevent introducing
1751         a parallel live range for the double value.
1752         
1753         This patch tracks the uses of the ValueRep through Phi variables,
1754         so we can convert entire Phi variables to being Double instead
1755         of JSValue if the Phi also has only double uses.
1756         
1757         This is implemented through a simple escape analysis. DoubleRep(RealNumberUse:)
1758         and OSR exit hints are not counted as escapes. All other uses are counted
1759         as escapes. Connected Phi graphs are converted to being Double only if the
1760         entire graph is ok with the result being Double.
1761         
1762         Some ways we could extend this phase in the future:
1763         - There are a lot of DoubleRep(NumberUse:@ValueRep(@x)) uses. This ensures
1764           that the result of the DoubleRep of @x is not impure NaN. We could
1765           handle this case if we introduced a PurifyNaN node and replace the DoubleRep
1766           with PurifyNaN(@x). Alternatively, we could see if certain users of this
1767           DoubleRep are okay with impure NaN flowing into them and we'd need to ensure
1768           their output type is always treated as if the input is impure NaN.
1769         - We could do sinking of ValueRep where we think it's profitable. So instead
1770           of an escape making it so we never represent the variable as a Double, we
1771           could make the escape reconstruct the JSValueRep where profitable.
1772         - We can extend this phase to handle Int52Rep if it's profitable.
1773         - We can opt other nodes into accepting incoming Doubles so we no longer
1774           treat them as escapes.
1775         
1776         This patch is somewhere between neutral and a 1% progression on JetStream 2.
1777
1778         * JavaScriptCore.xcodeproj/project.pbxproj:
1779         * Sources.txt:
1780         * dfg/DFGPlan.cpp:
1781         (JSC::DFG::Plan::compileInThreadImpl):
1782         * dfg/DFGValueRepReductionPhase.cpp: Added.
1783         (JSC::DFG::ValueRepReductionPhase::ValueRepReductionPhase):
1784         (JSC::DFG::ValueRepReductionPhase::run):
1785         (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble):
1786         (JSC::DFG::performValueRepReduction):
1787         * dfg/DFGValueRepReductionPhase.h: Added.
1788         * runtime/Options.h:
1789
1790 2019-04-01  Yusuke Suzuki  <ysuzuki@apple.com>
1791
1792         [JSC] JSRunLoopTimer::Manager should be small
1793         https://bugs.webkit.org/show_bug.cgi?id=196425
1794
1795         Reviewed by Darin Adler.
1796
1797         Using very large Key or Value types in HashMap potentially bloats memory since HashMap pre-allocates a large amount of
1798         memory ((sizeof(Key) + sizeof(Value)) * N) for its backing storage's array. We use std::unique_ptr<> for JSRunLoopTimer's
1799         PerVMData to keep HashMap's backing store size small.
1800
1801         * runtime/JSRunLoopTimer.cpp:
1802         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1803         (JSC::JSRunLoopTimer::Manager::registerVM):
1804         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1805         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1806         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1807         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1808         * runtime/JSRunLoopTimer.h:
1809
1810 2019-04-01  Stephan Szabo  <stephan.szabo@sony.com>
1811
1812         [PlayStation] Add initialization for JSC shell for PlayStation port
1813         https://bugs.webkit.org/show_bug.cgi?id=195411
1814
1815         Reviewed by Ross Kirsling.
1816
1817         Add ps options
1818
1819         * shell/PlatformPlayStation.cmake: Added.
1820         * shell/playstation/Initializer.cpp: Added.
1821         (initializer):
1822
1823 2019-04-01  Michael Catanzaro  <mcatanzaro@igalia.com>
1824
1825         Stop trying to support building JSC with clang 3.8
1826         https://bugs.webkit.org/show_bug.cgi?id=195947
1827         <rdar://problem/49069219>
1828
1829         Reviewed by Darin Adler.
1830
1831         It seems WebKit hasn't built with clang 3.8 in a while, no devs are using this compiler, we
1832         don't know how much effort it would be to make JSC work again, and it's making the code
1833         worse. Remove my hacks to support clang 3.8 from JSC.
1834
1835         * bindings/ScriptValue.cpp:
1836         (Inspector::jsToInspectorValue):
1837         * bytecode/GetterSetterAccessCase.cpp:
1838         (JSC::GetterSetterAccessCase::create):
1839         (JSC::GetterSetterAccessCase::clone const):
1840         * bytecode/InstanceOfAccessCase.cpp:
1841         (JSC::InstanceOfAccessCase::clone const):
1842         * bytecode/IntrinsicGetterAccessCase.cpp:
1843         (JSC::IntrinsicGetterAccessCase::clone const):
1844         * bytecode/ModuleNamespaceAccessCase.cpp:
1845         (JSC::ModuleNamespaceAccessCase::clone const):
1846         * bytecode/ProxyableAccessCase.cpp:
1847         (JSC::ProxyableAccessCase::clone const):
1848
1849 2019-03-31  Yusuke Suzuki  <ysuzuki@apple.com>
1850
1851         [JSC] Butterfly allocation from LargeAllocation should try "realloc" behavior if collector thread is not active
1852         https://bugs.webkit.org/show_bug.cgi?id=196160
1853
1854         Reviewed by Saam Barati.
1855
1856         "realloc" can be effective in terms of peak/current memory footprint when realloc succeeds, because:
1857
1858         1. It does not allocate additional memory while expanding a vector
1859         2. It does not deallocate the old memory; it just reuses the current memory by expanding it, so that the memory footprint is tight even before scavenging
1860
1861         We found that we can "realloc" large butterflies when certain conditions are met, because:
1862
1863         1. If it goes to LargeAllocation, this memory region is never reused until GC sweeps it.
1864         2. Butterflies are owned by owner JSObjects, so we know the lifetime of Butterflies.
1865
1866         This patch attempts to use "realloc" on butterflies if:
1867
1868         1. Butterflies are allocated in LargeAllocation kind
1869         2. Concurrent collector is not active
1870         3. Butterflies do not have property storage
1871
1872         The condition (2) is required to avoid deallocating butterflies while the concurrent collector looks into it. The condition (3) is
1873         also required to avoid deallocating butterflies while the concurrent compiler looks into it.
1874
1875         We also change the LargeAllocation mechanism to use "malloc" and "free" instead of "posix_memalign". This allows us to use "realloc"
1876         safely on all platforms. Since LargeAllocation uses alignment to distinguish LargeAllocation and MarkedBlock, we manually adjust
1877         16B alignment by allocating 8B more memory in "malloc".
1878
1879         Speedometer2 and JetStream2 are neutral. RAMification shows about 1% progression (even in some of JIT tests).
1880
1881         * heap/AlignedMemoryAllocator.h:
1882         * heap/CompleteSubspace.cpp:
1883         (JSC::CompleteSubspace::tryAllocateSlow):
1884         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
1885         * heap/CompleteSubspace.h:
1886         * heap/FastMallocAlignedMemoryAllocator.cpp:
1887         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateMemory):
1888         (JSC::FastMallocAlignedMemoryAllocator::freeMemory):
1889         (JSC::FastMallocAlignedMemoryAllocator::tryReallocateMemory):
1890         * heap/FastMallocAlignedMemoryAllocator.h:
1891         * heap/GigacageAlignedMemoryAllocator.cpp:
1892         (JSC::GigacageAlignedMemoryAllocator::tryAllocateMemory):
1893         (JSC::GigacageAlignedMemoryAllocator::freeMemory):
1894         (JSC::GigacageAlignedMemoryAllocator::tryReallocateMemory):
1895         * heap/GigacageAlignedMemoryAllocator.h:
1896         * heap/IsoAlignedMemoryAllocator.cpp:
1897         (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory):
1898         (JSC::IsoAlignedMemoryAllocator::freeMemory):
1899         (JSC::IsoAlignedMemoryAllocator::tryReallocateMemory):
1900         * heap/IsoAlignedMemoryAllocator.h:
1901         * heap/LargeAllocation.cpp:
1902         (JSC::isAlignedForLargeAllocation):
1903         (JSC::LargeAllocation::tryCreate):
1904         (JSC::LargeAllocation::tryReallocate):
1905         (JSC::LargeAllocation::LargeAllocation):
1906         (JSC::LargeAllocation::destroy):
1907         * heap/LargeAllocation.h:
1908         (JSC::LargeAllocation::indexInSpace):
1909         (JSC::LargeAllocation::setIndexInSpace):
1910         (JSC::LargeAllocation::basePointer const):
1911         * heap/MarkedSpace.cpp:
1912         (JSC::MarkedSpace::sweepLargeAllocations):
1913         (JSC::MarkedSpace::prepareForConservativeScan):
1914         * heap/WeakSet.h:
1915         (JSC::WeakSet::isTriviallyDestructible const):
1916         * runtime/Butterfly.h:
1917         * runtime/ButterflyInlines.h:
1918         (JSC::Butterfly::reallocArrayRightIfPossible):
1919         * runtime/JSObject.cpp:
1920         (JSC::JSObject::ensureLengthSlow):
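
        The alignment trick this entry describes (16B alignment on top of "malloc"/"realloc" by allocating 8B more), as an added example that is not WebKit's LargeAllocation code. The block bookkeeping, the memmove when realloc changes the 8-byte adjustment, and the test pattern are this example's own assumptions, not details taken from the entry.

```cpp
// Added example, not WebKit's LargeAllocation code: 16-byte alignment on top of malloc/realloc
// by over-allocating 8 bytes, as the entry describes. The memmove when realloc flips the
// 8-byte adjustment is this example's own handling, assumed rather than taken from the entry.
#include <algorithm>
#include <cstdint>
#include <cstdlib>
#include <cstring>

struct Aligned16Block {
    void* base = nullptr;    // what malloc/realloc returned; the only pointer free/realloc may see
    void* aligned = nullptr; // base, or base + 8 when base was only 8-byte aligned
    size_t size = 0;         // usable payload bytes starting at `aligned`
};

static bool isAligned16(const void* p) { return (reinterpret_cast<uintptr_t>(p) & 15) == 0; }

// Allocates `size` usable bytes whose start is 16-byte aligned. malloc itself only promises
// alignof(max_align_t) (8 on some platforms), so 8 extra bytes leave room to step forward.
bool aligned16Create(Aligned16Block& out, size_t size)
{
    void* base = std::malloc(size + 8);
    if (!base)
        return false;
    out.base = base;
    out.aligned = isAligned16(base) ? base : static_cast<char*>(base) + 8;
    out.size = size;
    return true;
}

// Grows or shrinks in place when the allocator can, otherwise realloc moves the block.
// realloc preserves bytes relative to `base`, so if the new base's alignment differs from
// the old one the payload must be shifted by 8 to land on the new aligned start.
bool aligned16Realloc(Aligned16Block& block, size_t newSize)
{
    const bool wasOffset = block.aligned != block.base;
    void* newBase = std::realloc(block.base, newSize + 8);
    if (!newBase)
        return false; // old block is untouched and still owned by `block`
    const bool nowOffset = !isAligned16(newBase);
    char* newAligned = static_cast<char*>(newBase) + (nowOffset ? 8 : 0);
    if (wasOffset != nowOffset) {
        char* payloadNow = static_cast<char*>(newBase) + (wasOffset ? 8 : 0);
        std::memmove(newAligned, payloadNow, std::min(block.size, newSize));
    }
    block.base = newBase;
    block.aligned = newAligned;
    block.size = newSize;
    return true;
}

void aligned16Free(Aligned16Block& block)
{
    std::free(block.base); // must be the base pointer, never the adjusted one
    block = Aligned16Block();
}

// Exercises create -> fill -> realloc -> verify -> free. Returns true when the payload survived
// the realloc intact and both allocations were 16-byte aligned.
bool reallocPreservesPayload(size_t initial, size_t resized)
{
    Aligned16Block block;
    if (!aligned16Create(block, initial) || !isAligned16(block.aligned))
        return false;
    unsigned char* p = static_cast<unsigned char*>(block.aligned);
    for (size_t i = 0; i < initial; ++i)
        p[i] = static_cast<unsigned char>(i * 7 + 3); // constructed pattern
    if (!aligned16Realloc(block, resized) || !isAligned16(block.aligned)) {
        aligned16Free(block);
        return false;
    }
    p = static_cast<unsigned char*>(block.aligned);
    bool ok = block.size == resized;
    for (size_t i = 0; ok && i < std::min(initial, resized); ++i)
        ok = p[i] == static_cast<unsigned char>(i * 7 + 3);
    aligned16Free(block);
    return ok;
}
```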
1921
1922 2019-03-31  Sam Weinig  <weinig@apple.com>
1923
1924         Remove more i386 specific configurations
1925         https://bugs.webkit.org/show_bug.cgi?id=196430
1926
1927         Reviewed by Alexey Proskuryakov.
1928
1929         * Configurations/FeatureDefines.xcconfig:
1930         ENABLE_WEB_AUTHN_macosx can now be enabled unconditionally on macOS.
1931
1932         * Configurations/ToolExecutable.xcconfig:
1933         ARC can be enabled unconditionally now.
1934
1935 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
1936
1937         [JSC] JSWrapperMap should not use Objective-C Weak map (NSMapTable with NSPointerFunctionsWeakMemory) for m_cachedObjCWrappers
1938         https://bugs.webkit.org/show_bug.cgi?id=196392
1939
1940         Reviewed by Saam Barati.
1941
1942         Weak representation in Objective-C is surprisingly costly in terms of memory. We can see that a very simple program shows 10KB memory consumption due to
1943         this weak wrapper map in JavaScriptCore.framework. But we do not need this weak map since Objective-C JSValue has a dealloc. It can unregister itself
1944         from the map when it is deallocated without using the Objective-C weak mechanism. And since Objective-C JSValue is tightly coupled to a specific JSContext,
1945         and the wrapper map is created per JSContext, the JSValue wrapper and the actual JavaScriptCore value are one-to-one, and [JSValue dealloc] knows which JSContext's
1946         wrapper map holds itself.
1947
1948         1. We do not use the Objective-C weak mechanism. We use WTF::HashSet instead. When JSValue is allocated, we register it to JSWrapperMap's HashSet, and unregister
1949            JSValue from this map when JSValue is deallocated.
1950         2. We use HashSet<JSValue> (logically) instead of HashMap<JSValueRef, JSValue> to keep the JSValueRef and JSValue relationship. We can achieve it because JSValue
1951            holds JSValueRef inside it.
1952
1953         * API/JSContext.mm:
1954         (-[JSContext removeWrapper:]):
1955         * API/JSContextInternal.h:
1956         * API/JSValue.mm:
1957         (-[JSValue dealloc]):
1958         (-[JSValue initWithValue:inContext:]):
1959         * API/JSWrapperMap.h:
1960         * API/JSWrapperMap.mm:
1961         (WrapperKey::hashTableDeletedValue):
1962         (WrapperKey::WrapperKey):
1963         (WrapperKey::isHashTableDeletedValue const):
1964         (WrapperKey::Hash::hash):
1965         (WrapperKey::Hash::equal):
1966         (WrapperKey::Traits::isEmptyValue):
1967         (WrapperKey::Translator::hash):
1968         (WrapperKey::Translator::equal):
1969         (WrapperKey::Translator::translate):
1970         (-[JSWrapperMap initWithGlobalContextRef:]):
1971         (-[JSWrapperMap dealloc]):
1972         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
1973         (-[JSWrapperMap removeWrapper:]):
1974         * API/tests/testapi.mm:
1975         (testObjectiveCAPIMain):
1976
1977 2019-03-29  Robin Morisset  <rmorisset@apple.com>
1978
1979         B3ReduceStrength should know that Mul distributes over Add and Sub
1980         https://bugs.webkit.org/show_bug.cgi?id=196325
1981
1982         Reviewed by Michael Saboff.
1983
1984         In this patch I add the following patterns to B3ReduceStrength:
1985         - Turn this: Integer Neg(Mul(value, c))
1986           Into this: Mul(value, -c), as long as -c does not overflow
1987         - Turn these: Integer Mul(value, Neg(otherValue)) and Integer Mul(Neg(value), otherValue)
1988           Into this: Neg(Mul(value, otherValue))
1989         - For Op==Add or Sub, turn any of these:
1990              Op(Mul(x1, x2), Mul(x1, x3))
1991              Op(Mul(x2, x1), Mul(x1, x3))
1992              Op(Mul(x1, x2), Mul(x3, x1))
1993              Op(Mul(x2, x1), Mul(x3, x1))
1994           Into this: Mul(x1, Op(x2, x3))
1995
1996         Also includes a trivial change: a similar reduction for the distributivity of BitAnd over BitOr/BitXor now
1997         emits the arguments to BitAnd in the other order, to minimize the probability that we'll spend a full fixpoint step just to flip them.
1998
1999         * b3/B3ReduceStrength.cpp:
2000         * b3/testb3.cpp:
2001         (JSC::B3::testAddMulMulArgs):
2002         (JSC::B3::testMulArgNegArg):
2003         (JSC::B3::testMulNegArgArg):
2004         (JSC::B3::testNegMulArgImm):
2005         (JSC::B3::testSubMulMulArgs):
2006         (JSC::B3::run):
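
The three reductions listed in this entry, as an added example in plain C++ rather than B3's own IR: a toy expression tree with wrapping int32 arithmetic (Opcode, Node, reduceStrength and friends are hypothetical names, not JSC's classes), the Neg/Mul and Mul/Neg rewrites, and the four-orientation distributivity match for Add and Sub, including the "-c must not overflow" guard.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <memory>

// Constructed toy of B3's integer IR, just enough to show the three new
// reductions. Hypothetical names; not JSC's B3 classes.
enum class Opcode { Const, Neg, Add, Sub, Mul };

struct Node;
using NodeRef = std::shared_ptr<Node>;

struct Node {
    Opcode op;
    int32_t constant = 0; // meaningful only when op == Const
    NodeRef a, b;         // operands; Neg uses only a
};

NodeRef makeConst(int32_t v) { auto n = std::make_shared<Node>(); n->op = Opcode::Const; n->constant = v; return n; }
NodeRef makeNeg(NodeRef a) { auto n = std::make_shared<Node>(); n->op = Opcode::Neg; n->a = std::move(a); return n; }
NodeRef makeBinary(Opcode op, NodeRef a, NodeRef b) {
    auto n = std::make_shared<Node>(); n->op = op; n->a = std::move(a); n->b = std::move(b); return n;
}

// B3 integer arithmetic wraps, so evaluate in unsigned and cast back.
int32_t evaluate(const NodeRef& n) {
    auto u = [](const NodeRef& m) { return static_cast<uint32_t>(evaluate(m)); };
    switch (n->op) {
    case Opcode::Const: return n->constant;
    case Opcode::Neg: return static_cast<int32_t>(0u - u(n->a));
    case Opcode::Add: return static_cast<int32_t>(u(n->a) + u(n->b));
    case Opcode::Sub: return static_cast<int32_t>(u(n->a) - u(n->b));
    case Opcode::Mul: return static_cast<int32_t>(u(n->a) * u(n->b));
    }
    return 0;
}

bool isConst(const NodeRef& n) { return n->op == Opcode::Const; }
bool isMul(const NodeRef& n) { return n->op == Opcode::Mul; }

// Pattern 1: Neg(Mul(value, c)) -> Mul(value, -c), only when -c does not overflow.
NodeRef reduceNegOfMulConst(const NodeRef& n) {
    if (n->op != Opcode::Neg || !isMul(n->a) || !isConst(n->a->b))
        return nullptr;
    int32_t c = n->a->b->constant;
    if (c == std::numeric_limits<int32_t>::min())
        return nullptr; // -INT32_MIN overflows; leave the Neg in place
    return makeBinary(Opcode::Mul, n->a->a, makeConst(-c));
}

// Pattern 2: Mul(value, Neg(other)) or Mul(Neg(value), other) -> Neg(Mul(value, other)).
NodeRef reduceMulOfNeg(const NodeRef& n) {
    if (!isMul(n)) return nullptr;
    if (n->b->op == Opcode::Neg) return makeNeg(makeBinary(Opcode::Mul, n->a, n->b->a));
    if (n->a->op == Opcode::Neg) return makeNeg(makeBinary(Opcode::Mul, n->a->a, n->b));
    return nullptr;
}

// Pattern 3: for Op in {Add, Sub}, Op(Mul(x1, x2), Mul(x1, x3)) in any of the four
// operand orders -> Mul(x1, Op(x2, x3)). Operands are compared by identity, as B3
// compares Values; distributivity is exact under wrapping arithmetic.
NodeRef reduceDistributiveMul(const NodeRef& n) {
    if ((n->op != Opcode::Add && n->op != Opcode::Sub) || !isMul(n->a) || !isMul(n->b))
        return nullptr;
    const NodeRef& l = n->a;
    const NodeRef& r = n->b;
    NodeRef x1, x2, x3;
    if (l->a == r->a)      { x1 = l->a; x2 = l->b; x3 = r->b; }
    else if (l->b == r->a) { x1 = l->b; x2 = l->a; x3 = r->b; }
    else if (l->a == r->b) { x1 = l->a; x2 = l->b; x3 = r->a; }
    else if (l->b == r->b) { x1 = l->b; x2 = l->a; x3 = r->a; }
    else return nullptr;
    return makeBinary(Opcode::Mul, x1, makeBinary(n->op, x2, x3));
}

using Reducer = NodeRef (*)(const NodeRef&);

// One bottom-up pass applying the three patterns (B3 iterates to a fixpoint).
NodeRef reduceStrength(NodeRef n) {
    if (n->a) n->a = reduceStrength(n->a);
    if (n->b) n->b = reduceStrength(n->b);
    static const Reducer reducers[] = { reduceNegOfMulConst, reduceMulOfNeg, reduceDistributiveMul };
    for (Reducer reducer : reducers) {
        if (NodeRef replacement = reducer(n))
            return replacement;
    }
    return n;
}

int main() {
    NodeRef x = makeConst(7), y = makeConst(3), z = makeConst(-5);
    NodeRef sum = makeBinary(Opcode::Add, makeBinary(Opcode::Mul, x, y), makeBinary(Opcode::Mul, z, x));
    int32_t before = evaluate(sum);
    NodeRef reduced = reduceStrength(sum);
    std::printf("Add(Mul(x,y), Mul(z,x)) -> %s; value %d before, %d after\n",
        reduced->op == Opcode::Mul ? "Mul(x, Add(y,z))" : "unchanged", before, evaluate(reduced));
    return 0;
}
```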
2007
2008 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
2009
2010         [JSC] Remove distancing for LargeAllocation
2011         https://bugs.webkit.org/show_bug.cgi?id=196335
2012
2013         Reviewed by Saam Barati.
2014
2015         In r230226, we removed the distancing feature from our GC. This patch removes the remaining distancing code in LargeAllocation.
2016
2017         * heap/HeapCell.h:
2018         * heap/LargeAllocation.cpp:
2019         (JSC::LargeAllocation::tryCreate):
2020         * heap/MarkedBlock.h:
2021
2022 2019-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2023
2024         Delete WebMetal implementation in favor of WebGPU
2025         https://bugs.webkit.org/show_bug.cgi?id=195418
2026
2027         Reviewed by Dean Jackson.
2028
2029         * Configurations/FeatureDefines.xcconfig:
2030         * inspector/protocol/Canvas.json:
2031         * inspector/scripts/codegen/generator.py:
2032
2033 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
2034
2035         Assertion failed in JSC::createError
2036         https://bugs.webkit.org/show_bug.cgi?id=196305
2037         <rdar://problem/49387382>
2038
2039         Reviewed by Saam Barati.
2040
2041         JSC::createError assumes that `errorDescriptionForValue` will either
2042         throw an exception or return a valid description string. However, that
2043         is not true if the value is a rope string and we successfully resolve it,
2044         but later fail to wrap the string in quotes with `tryMakeString`.
2045
2046         * runtime/ExceptionHelpers.cpp:
2047         (JSC::createError):
2048
2049 2019-03-29  Devin Rousso  <drousso@apple.com>
2050
2051         Web Inspector: add fast returns for instrumentation hooks that have no effect before a frontend is connected
2052         https://bugs.webkit.org/show_bug.cgi?id=196382
2053         <rdar://problem/49403417>
2054
2055         Reviewed by Joseph Pecoraro.
2056
2057         Ensure that all instrumentation hooks use `FAST_RETURN_IF_NO_FRONTENDS` or check that
2058         `developerExtrasEnabled`. There should be no activity to/from any inspector objects until
2059         developer extras are enabled.
2060
2061         * inspector/agents/InspectorConsoleAgent.cpp:
2062         (Inspector::InspectorConsoleAgent::startTiming):
2063         (Inspector::InspectorConsoleAgent::stopTiming):
2064         (Inspector::InspectorConsoleAgent::count):
2065         (Inspector::InspectorConsoleAgent::addConsoleMessage):
2066
2067 2019-03-29  Cathie Chen  <cathiechen@igalia.com>
2068
2069         Implement ResizeObserver.
2070         https://bugs.webkit.org/show_bug.cgi?id=157743
2071
2072         Reviewed by Simon Fraser.
2073
2074         Add ENABLE_RESIZE_OBSERVER.
2075
2076         * Configurations/FeatureDefines.xcconfig:
2077
2078 2019-03-28  Michael Saboff  <msaboff@apple.com>
2079
2080         [YARR] Precompute BMP / non-BMP status when constructing character classes
2081         https://bugs.webkit.org/show_bug.cgi?id=196296
2082
2083         Reviewed by Keith Miller.
2084
2085         Changed CharacterClass::m_hasNonBMPCharacters into a character width bit field which
2086         indicates if the class includes characters from either BMP, non-BMP or both ranges.
2087         This allows the recognizing code to eliminate checks for the width of a matched
2088         character when the class has only one width.  The character width is needed to
2089         determine if we advance 1 or 2 characters.  Also, the pre-computed width of character
2090         classes that contain either all BMP or all non-BMP characters allows the parser to
2091         use fixed widths for terms using those character classes.  Changed both the code gen
2092         scripts and Yarr compiler to compute this bit field during the construction of
2093         character classes.
2094
2095         For JIT'ed code of character classes that contain either all BMP or all non-BMP
2096         characters, we can eliminate the generic check we were doing to compute how much
2097         to advance after successfully matching a character in the class.
2098
2099                 Generic isBMP check      BMP only            non-BMP only
2100                 --------------           --------------      --------------
2101                 inc %r9d                 inc %r9d            add $0x2, %r9d
2102                 cmp $0x10000, %eax
2103                 jl isBMP
2104                 cmp %edx, %esi
2105                 jz atEndOfString
2106                 inc %r9d
2107                 inc %esi
2108          isBMP:
2109
2110         For character classes that contained non-BMP characters, we were always generating
2111         the code in the left column.  The middle column is the code we generate for character
2112         classes that contain only BMP characters.  The right column is the code we now
2113         generate if the character class has only non-BMP characters.  In the fixed width cases,
2114         we can eliminate both the isBMP check as well as the atEndOfString check.  The
2115         atEndOfString check is eliminated since we know how many characters this character
2116         class requires and that check can be factored out to the beginning of the current
2117         alternative.  For character classes that contain both BMP and non-BMP characters,
2118         we still generate the generic left column.
2119
2120         This change is a ~8% perf progression on UniPoker and a ~2% improvement on RexBench
2121         as a whole.
2122
2123         * runtime/RegExp.cpp:
2124         (JSC::RegExp::matchCompareWithInterpreter):
2125         * runtime/RegExpInlines.h:
2126         (JSC::RegExp::matchInline):
2127         * yarr/YarrInterpreter.cpp:
2128         (JSC::Yarr::Interpreter::checkCharacterClassDontAdvanceInputForNonBMP):
2129         (JSC::Yarr::Interpreter::matchCharacterClass):
2130         * yarr/YarrJIT.cpp:
2131         (JSC::Yarr::YarrGenerator::optimizeAlternative):
2132         (JSC::Yarr::YarrGenerator::matchCharacterClass):
2133         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
2134         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
2135         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2136         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
2137         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2138         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
2139         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
2140         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2141         (JSC::Yarr::YarrGenerator::generateEnter):
2142         (JSC::Yarr::YarrGenerator::YarrGenerator):
2143         (JSC::Yarr::YarrGenerator::compile):
2144         * yarr/YarrPattern.cpp:
2145         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2146         (JSC::Yarr::CharacterClassConstructor::reset):
2147         (JSC::Yarr::CharacterClassConstructor::charClass):
2148         (JSC::Yarr::CharacterClassConstructor::addSorted):
2149         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
2150         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
2151         (JSC::Yarr::CharacterClassConstructor::characterWidths):
2152         (JSC::Yarr::PatternTerm::dump):
2153         (JSC::Yarr::anycharCreate):
2154         * yarr/YarrPattern.h:
2155         (JSC::Yarr::operator|):
2156         (JSC::Yarr::operator&):
2157         (JSC::Yarr::operator|=):
2158         (JSC::Yarr::CharacterClass::CharacterClass):
2159         (JSC::Yarr::CharacterClass::hasNonBMPCharacters):
2160         (JSC::Yarr::CharacterClass::hasOneCharacterSize):
2161         (JSC::Yarr::CharacterClass::hasOnlyNonBMPCharacters):
2162         (JSC::Yarr::PatternTerm::invert const):
2163         (JSC::Yarr::PatternTerm::invert): Deleted.
2164         * yarr/create_regex_tables:
2165         * yarr/generateYarrUnicodePropertyTables.py:
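
The width precomputation and the two matching paths from this entry, as an added C++ sketch (not YARR's code; CharacterClass, matchCharacterClassFixed and the counters are hypothetical names): the width bits are set while ranges are added, a one-width class advances by a fixed 1 or 2 code units with a single hoisted length check, and only a mixed-width class pays the per-match isBMP test of the left column.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Constructed sketch of YARR's precomputed character-class widths; hypothetical
// names modelled on the ChangeLog entry above, not JSC's own code.
enum CharacterWidth : uint8_t {
    NoWidth = 0,
    HasBMPChars = 1 << 0,
    HasNonBMPChars = 1 << 1,
    HasBothWidths = HasBMPChars | HasNonBMPChars,
};

constexpr size_t kNoMatch = std::u16string::npos;

struct CharacterClass {
    std::vector<std::pair<char32_t, char32_t>> ranges; // inclusive code point ranges
    uint8_t widths = NoWidth;

    // Width is computed while the class is built, so matching never has to.
    void addRange(char32_t lo, char32_t hi) {
        ranges.emplace_back(lo, hi);
        if (lo <= 0xFFFF) widths |= HasBMPChars;
        if (hi > 0xFFFF) widths |= HasNonBMPChars;
    }
    bool hasOneCharacterSize() const { return widths == HasBMPChars || widths == HasNonBMPChars; }
    bool hasOnlyNonBMPCharacters() const { return widths == HasNonBMPChars; }
    bool contains(char32_t c) const {
        for (auto [lo, hi] : ranges)
            if (c >= lo && c <= hi) return true;
        return false;
    }
};

// Reads one code point from a UTF-16 subject (unicode mode); a lone surrogate
// is returned as itself. Returns the number of code units consumed.
size_t readCodePoint(const std::u16string& s, size_t index, char32_t& out) {
    char16_t lead = s[index];
    if (lead >= 0xD800 && lead <= 0xDBFF && index + 1 < s.size()) {
        char16_t trail = s[index + 1];
        if (trail >= 0xDC00 && trail <= 0xDFFF) {
            out = 0x10000 + ((char32_t(lead) - 0xD800) << 10) + (trail - 0xDC00);
            return 2;
        }
    }
    out = lead;
    return 1;
}

struct MatchStats { size_t matches = 0; size_t genericWidthChecks = 0; };

// Matches `count` consecutive occurrences of `cls` starting at `index` (a
// fixed-count term). Returns the index after the last match, or kNoMatch.
size_t matchCharacterClassFixed(const CharacterClass& cls, size_t count,
                                const std::u16string& s, size_t index, MatchStats& stats) {
    if (cls.hasOneCharacterSize()) {
        // Fixed width: one length check for the whole term (the hoisted
        // atEndOfString check) and no per-character isBMP test.
        size_t width = cls.hasOnlyNonBMPCharacters() ? 2 : 1;
        if (index + count * width > s.size()) return kNoMatch;
        for (size_t i = 0; i < count; ++i) {
            char32_t c;
            readCodePoint(s, index, c);
            if (!cls.contains(c)) return kNoMatch;
            index += width; // "inc %r9d" for BMP-only, "add $0x2, %r9d" for non-BMP-only
            ++stats.matches;
        }
        return index;
    }
    // Mixed widths: the generic left column, checking the width of each match.
    for (size_t i = 0; i < count; ++i) {
        if (index >= s.size()) return kNoMatch;
        char32_t c;
        readCodePoint(s, index, c);
        if (!cls.contains(c)) return kNoMatch;
        ++stats.genericWidthChecks;
        index += (c >= 0x10000) ? 2 : 1; // the "cmp $0x10000 / jl isBMP" decision
        ++stats.matches;
    }
    return index;
}

int main() {
    CharacterClass emoji;
    emoji.addRange(0x1F600, 0x1F64F);           // non-BMP only: fixed width 2
    const std::u16string subject = u"ab\U0001F600\U0001F601"; // constructed input
    MatchStats stats;
    size_t end = matchCharacterClassFixed(emoji, 2, subject, 2, stats);
    std::printf("matched up to index %zu with %zu generic width checks\n", end, stats.genericWidthChecks);
    return 0;
}
```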
2166
2167 2019-03-28  Saam Barati  <sbarati@apple.com>
2168
2169         BackwardsGraph needs to consider back edges as the backward's root successor
2170         https://bugs.webkit.org/show_bug.cgi?id=195991
2171
2172         Reviewed by Filip Pizlo.
2173
2174         * b3/testb3.cpp:
2175         (JSC::B3::testInfiniteLoopDoesntCauseBadHoisting):
2176         (JSC::B3::run):
2177
2178 2019-03-28  Fujii Hironori  <Hironori.Fujii@sony.com>
2179
2180         Opcode.h(159,27): warning: adding 'unsigned int' to a string does not append to the string [-Wstring-plus-int]
2181         https://bugs.webkit.org/show_bug.cgi?id=196343
2182
2183         Reviewed by Saam Barati.
2184
2185         Clang reports a compilation warning and recommends '&PADDING_STRING[PADDING_STRING_LENGTH]'
2186         instead of 'PADDING_STRING + PADDING_STRING_LENGTH'.
2187
2188         * bytecode/Opcode.cpp:
2189         (JSC::padOpcodeName): Moved padOpcodeName from Opcode.h because
2190         this function is used only in Opcode.cpp. Changed macros
2191         PADDING_STRING and PADDING_STRING_LENGTH to simple variables.
2192         (JSC::compareOpcodePairIndices): Replaced pair with std::pair.
2193         * bytecode/Opcode.h:
2194         (JSC::padOpcodeName): Moved.
2195
2196 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2197
2198         CodeBlock::jettison() should disallow repatching its own calls
2199         https://bugs.webkit.org/show_bug.cgi?id=196359
2200         <rdar://problem/48973663>
2201
2202         Reviewed by Saam Barati.
2203
2204         CodeBlock::jettison() calls CommonData::invalidate, which replaces the `hlt`
2205         instruction with the jump to OSR exit. However, if the `hlt` was immediately
2206         followed by a call to the CodeBlock being jettisoned, we would write over the
2207         OSR exit address while unlinking all the incoming CallLinkInfos later in
2208         CodeBlock::jettison().
2209
2210         Change it so that we set a flag, `clearedByJettison`, in all the CallLinkInfos
2211         owned by the CodeBlock being jettisoned. If the flag is set, we will avoid
2212         repatching the call during unlinking. This is safe because this call will never
2213         be reachable again after the CodeBlock is jettisoned.
2214
2215         * bytecode/CallLinkInfo.cpp:
2216         (JSC::CallLinkInfo::CallLinkInfo):
2217         (JSC::CallLinkInfo::setCallee):
2218         (JSC::CallLinkInfo::clearCallee):
2219         (JSC::CallLinkInfo::setCodeBlock):
2220         (JSC::CallLinkInfo::clearCodeBlock):
2221         * bytecode/CallLinkInfo.h:
2222         (JSC::CallLinkInfo::clearedByJettison):
2223         (JSC::CallLinkInfo::setClearedByJettison):
2224         * bytecode/CodeBlock.cpp:
2225         (JSC::CodeBlock::jettison):
2226         * jit/Repatch.cpp:
2227         (JSC::revertCall):
2228
2229 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2230
2231         [JSC] Drop VM and Context cache map in JavaScriptCore.framework
2232         https://bugs.webkit.org/show_bug.cgi?id=196341
2233
2234         Reviewed by Saam Barati.
2235
2236         Previously, we created an Objective-C weak map to maintain JSVirtualMachine and JSContext wrappers corresponding to VM and JSGlobalObject.
2237         But an Objective-C weak map is really memory costly. Even if there is only one entry, it consumes 2.5KB per weak map. Since we can modify
2238         JSC intrusively for JavaScriptCore.framework (and we already did it, like, holding JSWrapperMap in JSGlobalObject), we can just hold
2239         a pointer to a wrapper in VM and JSGlobalObject.
2240
2241         This patch adds void* members to VM and JSGlobalObject, which hold a non-strong reference to a wrapper. When a wrapper is gone, we
2242         clear this pointer too. This removes two unnecessary Objective-C weak maps, and saves 5KB.
2243
2244         * API/JSContext.mm:
2245         (-[JSContext initWithVirtualMachine:]):
2246         (-[JSContext dealloc]):
2247         (-[JSContext initWithGlobalContextRef:]):
2248         (-[JSContext wrapperMap]):
2249         (+[JSContext contextWithJSGlobalContextRef:]):
2250         * API/JSVirtualMachine.mm:
2251         (-[JSVirtualMachine initWithContextGroupRef:]):
2252         (-[JSVirtualMachine dealloc]):
2253         (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
2254         (scanExternalObjectGraph):
2255         (scanExternalRememberedSet):
2256         (initWrapperCache): Deleted.
2257         (wrapperCache): Deleted.
2258         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Deleted.
2259         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Deleted.
2260         (-[JSVirtualMachine contextForGlobalContextRef:]): Deleted.
2261         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Deleted.
2262         * API/JSVirtualMachineInternal.h:
2263         * runtime/JSGlobalObject.h:
2264         (JSC::JSGlobalObject::setAPIWrapper):
2265         (JSC::JSGlobalObject::apiWrapper const):
2266         * runtime/VM.h:
2267
2268 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2269
2270         In-memory code cache should not share bytecode across domains
2271         https://bugs.webkit.org/show_bug.cgi?id=196321
2272
2273         Reviewed by Geoffrey Garen.
2274
2275         Use the SourceProvider's URL to make sure that the hosts match for the
2276         two SourceCodeKeys in operator==.
2277
2278         * parser/SourceCodeKey.h:
2279         (JSC::SourceCodeKey::host const):
2280         (JSC::SourceCodeKey::operator== const):
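
An added C++ sketch of the cache-key rule in this entry (not JSC's SourceCodeKey or CodeCache; hostOfURL, SourceCodeKey, CodeCache and the sample URLs are hypothetical): the key's operator== compares the host taken from the provider URL as well as the source text, so identical script text served by two different hosts never resolves to the same cached bytecode, while the same host with a different path still does.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <string>
#include <string_view>
#include <unordered_map>

// Constructed sketch of a bytecode cache keyed on source text plus the host of
// the SourceProvider URL. Hypothetical names, not JSC's own classes.

// Extracts the host from "scheme://[userinfo@]host[:port]/...".
// Assumption: no IPv6 literals in the authority.
std::string_view hostOfURL(std::string_view url) {
    size_t schemeEnd = url.find("://");
    if (schemeEnd == std::string_view::npos) return {};
    std::string_view authority = url.substr(schemeEnd + 3);
    authority = authority.substr(0, authority.find_first_of("/?#"));
    size_t at = authority.rfind('@');        // drop userinfo
    if (at != std::string_view::npos) authority.remove_prefix(at + 1);
    size_t colon = authority.rfind(':');     // drop port
    if (colon != std::string_view::npos) authority.remove_suffix(authority.size() - colon);
    return authority;
}

struct SourceCodeKey {
    std::string source; // script text
    std::string url;    // SourceProvider URL
    std::string_view host() const { return hostOfURL(url); }
    // Identical text is not enough: the hosts must match too.
    bool operator==(const SourceCodeKey& other) const {
        return source == other.source && host() == other.host();
    }
};

struct SourceCodeKeyHash {
    size_t operator()(const SourceCodeKey& key) const {
        return std::hash<std::string>()(key.source) ^ (std::hash<std::string_view>()(key.host()) << 1);
    }
};

// Stands in for the in-memory code cache; the value is a placeholder for compiled bytecode.
class CodeCache {
public:
    const std::string* lookup(const SourceCodeKey& key) const {
        auto it = m_entries.find(key);
        return it == m_entries.end() ? nullptr : &it->second;
    }
    void insert(SourceCodeKey key, std::string bytecode) {
        m_entries.emplace(std::move(key), std::move(bytecode));
    }
    size_t size() const { return m_entries.size(); }
private:
    std::unordered_map<SourceCodeKey, std::string, SourceCodeKeyHash> m_entries;
};

int main() {
    CodeCache cache;
    // Constructed scenario: the same script text served by two hosts.
    cache.insert({ "x = 1;", "https://a.example/app.js" }, "bytecode-for-a");
    const std::string* crossHost = cache.lookup({ "x = 1;", "https://b.example/app.js" });
    const std::string* sameHost = cache.lookup({ "x = 1;", "https://a.example/other.js" });
    std::printf("other host hit: %s, same host hit: %s\n", crossHost ? "yes" : "no", sameHost ? "yes" : "no");
    return 0;
}
```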
2281
2282 2019-03-28  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2283
2284         Silence a lot of warnings when compiling with clang
2285         https://bugs.webkit.org/show_bug.cgi?id=196310
2286
2287         Reviewed by Michael Catanzaro.
2288
2289         Initialize the variable with the default constructor.
2290
2291         * API/glib/JSCOptions.cpp:
2292         (jsc_options_foreach):
2293
2294 2019-03-27  Saam Barati  <sbarati@apple.com>
2295
2296         validateOSREntryValue with Int52 should box the value being checked into double format
2297         https://bugs.webkit.org/show_bug.cgi?id=196313
2298         <rdar://problem/49306703>
2299
2300         Reviewed by Yusuke Suzuki.
2301
2302         * dfg/DFGOSREntry.cpp:
2303         (JSC::DFG::prepareOSREntry):
2304         * ftl/FTLLowerDFGToB3.cpp:
2305         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2306
2307 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2308
2309         [JSC] Owner of watchpoints should validate at GC finalizing phase
2310         https://bugs.webkit.org/show_bug.cgi?id=195827
2311
2312         Reviewed by Filip Pizlo.
2313
2314         This patch fixes JSC's watchpoint liveness issue with the following two policies.
2315
2316         1. Watchpoints should have an owner cell, and the "fire" operation should be guarded with the owner cell's isLive check.
2317
2318         Watchpoints should hold their owner cell, and the fire procedure should be guarded by `owner->isLive()`.
2319         When the owner cell is destroyed, these watchpoints are destroyed too. But this destruction can
2320         be delayed due to the incremental sweeper. So the following condition can happen.
2321
2322         When we have a watchpoint like the following.
2323
2324             class XXXWatchpoint {
2325                 ObjectPropertyCondition m_key;
2326                 JSCell* m_owner;
2327             };
2328
2329         Both m_key's cell and m_owner are now unreachable from the root. So eventually, m_owner cell's destructor
2330         is called and this watchpoint will be destroyed. But before that, m_key's cell can be destroyed. And this
2331         watchpoint's fire procedure can be called since m_owner's destructor is not called yet. In this situation,
2332         we encounter the destroyed cell held in m_key. This problem can be avoided if we guard the fire procedure with
2333         `m_owner->isLive()`. Until the owner cell is destroyed, this guard avoids "fire" procedure execution. And
2334         once the destructor of m_owner is called, this watchpoint will be destroyed too.
2335
2336         2. Watchpoint liveness should be maintained by the owner cell's unconditional finalizer
2337
2338         Watchpoints often hold weak references to other cells (like m_key in the above example). If we do not
2339         delete watchpoints with dead cells when these weak cells become dead, these watchpoints continue holding dead cells,
2340         and the watchpoint's fire operation can use these dead cells accidentally. An isLive / isStillLive check for these weak cells
2341         in the fire operation is not useful, because these dead cells can eventually be reused for other live cells, and these
2342         isLive / isStillLive checks fail to see whether these cells are live if they are reused. The appropriate way is deleting watchpoints
2343         with dead cells when finalizing GC. In this patch, we do this in the unconditional finalizers of the owner cells of watchpoints.
2344         We already did this in CodeBlock etc. We add the same thing to StructureRareData, which owns watchpoints for toString operations.
2345
2346         * JavaScriptCore.xcodeproj/project.pbxproj:
2347         * Sources.txt:
2348         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2349         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::StructureWatchpoint): Deleted.
2350         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::PropertyWatchpoint): Deleted.
2351         * bytecode/CodeBlockJettisoningWatchpoint.h:
2352         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): Deleted.
2353         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2354         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
2355         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2356         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2357         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): Deleted.
2358         * bytecode/StructureStubClearingWatchpoint.cpp:
2359         (JSC::StructureStubClearingWatchpoint::fireInternal):
2360         (JSC::WatchpointsOnStructureStubInfo::isValid const):
2361         * bytecode/StructureStubClearingWatchpoint.h:
2362         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): Deleted.
2363         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2364         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::isValid const):
2365         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
2366         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2367         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2368         * dfg/DFGAdaptiveStructureWatchpoint.h:
2369         (JSC::DFG::AdaptiveStructureWatchpoint::key const): Deleted.
2370         * dfg/DFGDesiredWatchpoints.cpp:
2371         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2372         * heap/Heap.cpp:
2373         (JSC::Heap::finalizeUnconditionalFinalizers):
2374         * llint/LLIntSlowPaths.cpp:
2375         (JSC::LLInt::setupGetByIdPrototypeCache):
2376         * runtime/ArrayBuffer.cpp:
2377         (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
2378         * runtime/ArrayBufferNeuteringWatchpointSet.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp.
2379         (JSC::ArrayBufferNeuteringWatchpointSet::ArrayBufferNeuteringWatchpointSet):
2380         (JSC::ArrayBufferNeuteringWatchpointSet::destroy):
2381         (JSC::ArrayBufferNeuteringWatchpointSet::create):
2382         (JSC::ArrayBufferNeuteringWatchpointSet::createStructure):
2383         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
2384         * runtime/ArrayBufferNeuteringWatchpointSet.h: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h.
2385         * runtime/FunctionRareData.h:
2386         * runtime/JSGlobalObject.cpp:
2387         (JSC::JSGlobalObject::init):
2388         (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
2389         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
2390         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint): Deleted.
2391         * runtime/StructureRareData.cpp:
2392         (JSC::StructureRareData::finalizeUnconditionally):
2393         * runtime/StructureRareData.h:
2394         * runtime/VM.cpp:
2395         (JSC::VM::VM):
2396
2397 2019-03-26  Saam Barati  <sbarati@apple.com>
2398
2399         FTL: Emit code to validate AI's state when running the compiled code
2400         https://bugs.webkit.org/show_bug.cgi?id=195924
2401         <rdar://problem/49003422>
2402
2403         Reviewed by Filip Pizlo.
2404
2405         This patch adds code between the execution of each node that validates
2406         the types that AI proves. This option is too expensive to turn on for our
2407         regression testing, but we think it will be valuable in other types of running
2408         modes, such as when running with a fuzzer.
2409         
2410         This patch also adds options to only probabilistically run this validation
2411         after the execution of each node. As the probability is lowered, there is
2412         less of a perf hit.
2413         
2414         This patch just adds this validation in the FTL. A follow-up patch will land
2415         it in the DFG too: https://bugs.webkit.org/show_bug.cgi?id=196219
2416
2417         * ftl/FTLLowerDFGToB3.cpp:
2418         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2419         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
2420         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2421         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2422         (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
2423         * runtime/Options.h:
2424
2425 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
2426
2427         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
2428         https://bugs.webkit.org/show_bug.cgi?id=196217
2429
2430         Reviewed by Saam Barati.
2431
2432         Generalize the fix for f32.max to properly handle NaN by doing an extra GreaterThan
2433         comparison in r243446 to all min and max float operations.
2434
2435         * wasm/WasmAirIRGenerator.cpp:
2436         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2437         (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax):
2438         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2439         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2440         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2441         * wasm/wasm.json:
2442
2443 2019-03-26  Andy VanWagoner  <andy@vanwagoner.family>
2444
2445         Intl.DateTimeFormat should obey 2-digit hour
2446         https://bugs.webkit.org/show_bug.cgi?id=195974
2447
2448         Reviewed by Keith Miller.
2449
2450         * runtime/IntlDateTimeFormat.cpp:
2451         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2452
2453 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2454
2455         Heap::isMarked and friends should be instance methods
2456         https://bugs.webkit.org/show_bug.cgi?id=179988
2457
2458         Reviewed by Saam Barati.
2459
2460         Almost all the callers of Heap::isMarked have a VM& reference. We should make Heap::isMarked an instance function instead of a static function
2461         so that we do not need to look up Heap from the cell.
2462
2463         * API/JSAPIWrapperObject.mm:
2464         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2465         * API/JSMarkingConstraintPrivate.cpp:
2466         (JSC::isMarked):
2467         * API/glib/JSAPIWrapperObjectGLib.cpp:
2468         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2469         * builtins/BuiltinExecutables.cpp:
2470         (JSC::BuiltinExecutables::finalizeUnconditionally):
2471         * bytecode/AccessCase.cpp:
2472         (JSC::AccessCase::visitWeak const):
2473         (JSC::AccessCase::propagateTransitions const):
2474         * bytecode/CallLinkInfo.cpp:
2475         (JSC::CallLinkInfo::visitWeak):
2476         * bytecode/CallLinkStatus.cpp:
2477         (JSC::CallLinkStatus::finalize):
2478         * bytecode/CallLinkStatus.h:
2479         * bytecode/CallVariant.cpp:
2480         (JSC::CallVariant::finalize):
2481         * bytecode/CallVariant.h:
2482         * bytecode/CodeBlock.cpp:
2483         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
2484         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2485         (JSC::shouldMarkTransition):
2486         (JSC::CodeBlock::propagateTransitions):
2487         (JSC::CodeBlock::determineLiveness):
2488         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2489         (JSC::CodeBlock::finalizeUnconditionally):
2490         (JSC::CodeBlock::jettison):
2491         * bytecode/CodeBlock.h:
2492         * bytecode/ExecutableToCodeBlockEdge.cpp:
2493         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2494         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
2495         (JSC::ExecutableToCodeBlockEdge::runConstraint):
2496         * bytecode/GetByIdStatus.cpp:
2497         (JSC::GetByIdStatus::finalize):
2498         * bytecode/GetByIdStatus.h:
2499         * bytecode/GetByIdVariant.cpp:
2500         (JSC::GetByIdVariant::finalize):
2501         * bytecode/GetByIdVariant.h:
2502         * bytecode/InByIdStatus.cpp:
2503         (JSC::InByIdStatus::finalize):
2504         * bytecode/InByIdStatus.h:
2505         * bytecode/InByIdVariant.cpp:
2506         (JSC::InByIdVariant::finalize):
2507         * bytecode/InByIdVariant.h:
2508         * bytecode/ObjectPropertyCondition.cpp:
2509         (JSC::ObjectPropertyCondition::isStillLive const):
2510         * bytecode/ObjectPropertyCondition.h:
2511         * bytecode/ObjectPropertyConditionSet.cpp:
2512         (JSC::ObjectPropertyConditionSet::areStillLive const):
2513         * bytecode/ObjectPropertyConditionSet.h:
2514         * bytecode/PolymorphicAccess.cpp:
2515         (JSC::PolymorphicAccess::visitWeak const):
2516         * bytecode/PropertyCondition.cpp:
2517         (JSC::PropertyCondition::isStillLive const):
2518         * bytecode/PropertyCondition.h:
2519         * bytecode/PutByIdStatus.cpp:
2520         (JSC::PutByIdStatus::finalize):
2521         * bytecode/PutByIdStatus.h:
2522         * bytecode/PutByIdVariant.cpp:
2523         (JSC::PutByIdVariant::finalize):
2524         * bytecode/PutByIdVariant.h:
2525         * bytecode/RecordedStatuses.cpp:
2526         (JSC::RecordedStatuses::finalizeWithoutDeleting):
2527         (JSC::RecordedStatuses::finalize):
2528         * bytecode/RecordedStatuses.h:
2529         * bytecode/StructureSet.cpp:
2530         (JSC::StructureSet::isStillAlive const):
2531         * bytecode/StructureSet.h:
2532         * bytecode/StructureStubInfo.cpp:
2533         (JSC::StructureStubInfo::visitWeakReferences):
2534         * dfg/DFGPlan.cpp:
2535         (JSC::DFG::Plan::finalizeInGC):
2536         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2537         * heap/GCIncomingRefCounted.h:
2538         * heap/GCIncomingRefCountedInlines.h:
2539         (JSC::GCIncomingRefCounted<T>::filterIncomingReferences):
2540         * heap/GCIncomingRefCountedSet.h:
2541         * heap/GCIncomingRefCountedSetInlines.h:
2542         (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
2543         (JSC::GCIncomingRefCountedSet<T>::sweep):
2544         (JSC::GCIncomingRefCountedSet<T>::removeAll): Deleted.
2545         (JSC::GCIncomingRefCountedSet<T>::removeDead): Deleted.
2546         * heap/Heap.cpp:
2547         (JSC::Heap::addToRememberedSet):
2548         (JSC::Heap::runEndPhase):
2549         (JSC::Heap::sweepArrayBuffers):
2550         (JSC::Heap::addCoreConstraints):
2551         * heap/Heap.h:
2552         * heap/HeapInlines.h:
2553         (JSC::Heap::isMarked):
2554         * heap/HeapSnapshotBuilder.cpp:
2555         (JSC::HeapSnapshotBuilder::appendNode):
2556         * heap/SlotVisitor.cpp:
2557         (JSC::SlotVisitor::appendToMarkStack):
2558         (JSC::SlotVisitor::visitChildren):
2559         * jit/PolymorphicCallStubRoutine.cpp:
2560         (JSC::PolymorphicCallStubRoutine::visitWeak):
2561         * runtime/ErrorInstance.cpp:
2562         (JSC::ErrorInstance::finalizeUnconditionally):
2563         * runtime/InferredValueInlines.h:
2564         (JSC::InferredValue::finalizeUnconditionally):
2565         * runtime/StackFrame.h:
2566         (JSC::StackFrame::isMarked const):
2567         * runtime/Structure.cpp:
2568         (JSC::Structure::isCheapDuringGC):
2569         (JSC::Structure::markIfCheap):
2570         * runtime/Structure.h:
2571         * runtime/TypeProfiler.cpp:
2572         (JSC::TypeProfiler::invalidateTypeSetCache):
2573         * runtime/TypeProfiler.h:
2574         * runtime/TypeSet.cpp:
2575         (JSC::TypeSet::invalidateCache):
2576         * runtime/TypeSet.h:
2577         * runtime/WeakMapImpl.cpp:
2578         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
2579         * runtime/WeakMapImplInlines.h:
2580         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
2581
2582 2019-03-25  Keith Miller  <keith_miller@apple.com>
2583
2584         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
2585         https://bugs.webkit.org/show_bug.cgi?id=196176
2586
2587         Reviewed by Saam Barati.
2588
2589         convertToCompareEqPtr should allow for either CompareStrictEq or
2590         the SameValue DFG node. This fixes the old assertion that only
2591         allowed CompareStrictEq.
2592
2593         * dfg/DFGNode.h:
2594         (JSC::DFG::Node::convertToCompareEqPtr):
2595
2596 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
2597
2598         WebAssembly: f32.max with NaN generates incorrect result
2599         https://bugs.webkit.org/show_bug.cgi?id=175691
2600         <rdar://problem/33952228>
2601
2602         Reviewed by Saam Barati.
2603
2604         Fix the B3 and Air compilation for f32.max. In order to handle the NaN
2605         case, we need an extra GreaterThan comparison on top of the existing
2606         Equal and LessThan ones.
2607
2608         * wasm/WasmAirIRGenerator.cpp:
2609         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2610         * wasm/wasm.json:
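
        The NaN case described above, as an added example in C that is not part of the original ChangeLog or of WebKit's B3/Air code: f32_max_two_compares models a lowering with only Equal and LessThan branches, f32_max_three_compares adds the GreaterThan branch so that the fall-through is reached only for unordered operands, and both are cross-checked against a spec-style reference. The function names and the bitwise-AND handling of the Equal case are this example's own choices, not the patch's.

```c
#include <math.h>
#include <stdint.h>
#include <string.h>

/* Bitwise AND of two floats via their IEEE-754 encodings. Used for the Equal
   case: for +0 vs -0 it clears the sign bit (giving +0, which is what max
   must return), and for any other pair of equal floats it is a no-op. */
static float f32_bitwise_and(float a, float b)
{
    uint32_t ua, ub, ur;
    float r;
    memcpy(&ua, &a, sizeof ua);
    memcpy(&ub, &b, sizeof ub);
    ur = ua & ub;
    memcpy(&r, &ur, sizeof r);
    return r;
}

/* Lowering with only Equal and LessThan branches. Every comparison involving
   a NaN is false, so control falls through to "return a". That is right when
   a is NaN but wrong when only b is NaN: a finite a is returned. */
static float f32_max_two_compares(float a, float b)
{
    if (a == b)
        return f32_bitwise_and(a, b);
    if (a < b)
        return b;
    return a;
}

/* Lowering with the extra GreaterThan branch. The fall-through is now reached
   only when the operands are unordered, i.e. at least one is NaN, and the
   addition propagates that NaN into the result. */
static float f32_max_three_compares(float a, float b)
{
    if (a == b)
        return f32_bitwise_and(a, b);
    if (a < b)
        return b;
    if (a > b)
        return a;
    return a + b; /* unordered: NaN in, NaN out */
}

/* Spec-style reference: NaN if either input is NaN, +0 beats -0, else the
   larger operand. Used only to cross-check the two lowerings. */
static float f32_max_reference(float a, float b)
{
    if (isnan(a) || isnan(b))
        return NAN;
    if (a == 0.0f && b == 0.0f)
        return (signbit(a) && signbit(b)) ? -0.0f : 0.0f;
    return a > b ? a : b;
}

/* Returns 1 when the given lowering agrees with the reference on every pair
   drawn from a constructed set of inputs (NaN, signed zeros, infinities,
   ordinary values), comparing sign as well as value. */
static int f32_max_matches_reference(float (*lowering)(float, float))
{
    const float inputs[] = { NAN, -0.0f, 0.0f, -1.5f, 2.0f, INFINITY, -INFINITY };
    const int n = (int)(sizeof inputs / sizeof inputs[0]);
    for (int i = 0; i < n; i++) {
        for (int j = 0; j < n; j++) {
            float got = lowering(inputs[i], inputs[j]);
            float want = f32_max_reference(inputs[i], inputs[j]);
            if (isnan(want)) {
                if (!isnan(got))
                    return 0;
            } else if (got != want || !!signbit(got) != !!signbit(want)) {
                return 0;
            }
        }
    }
    return 1;
}
```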
2611
2612 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2613
2614         Unreviewed, speculative fix for CLoop build on CPU(UNKNOWN)
2615         https://bugs.webkit.org/show_bug.cgi?id=195982
2616
2617         * jit/ExecutableAllocator.h:
2618         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2619
2620 2019-03-25  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2621
2622         Remove NavigatorContentUtils in WebCore/Modules
2623         https://bugs.webkit.org/show_bug.cgi?id=196070
2624
2625         Reviewed by Alex Christensen.
2626
2627         NavigatorContentUtils was to support the custom scheme spec [1].
2628         However, on the WebKit side, no port has supported the feature in
2629         the WebKit layer since the EFL port was removed. So there has been
2630         only the IDL implementation of NavigatorContentUtils in WebCore.
2631         So we don't need to keep the implementation in WebCore anymore.
2632
2633         [1] https://html.spec.whatwg.org/multipage/system-state.html#custom-handlers
2634
2635         * Configurations/FeatureDefines.xcconfig:
2636
2637 2019-03-23  Mark Lam  <mark.lam@apple.com>
2638
2639         Rolling out r243032 and r243071 because the fix is incorrect.
2640         https://bugs.webkit.org/show_bug.cgi?id=195892
2641         <rdar://problem/48981239>
2642
2643         Not reviewed.
2644
2645         The fix is incorrect: it relies on being able to determine liveness of an object
2646         in an ObjectPropertyCondition based on the state of the object's MarkedBit.
2647         However, there's no guarantee that GC has run and that the MarkedBit is already
2648         set even if the object is live.  As a result, we may not re-install adaptive
2649         watchpoints based on presumed dead objects which are actually live.
2650
2651         I'm rolling this out, and will implement a more comprehensive fix to handle
2652         watchpoint liveness later.
2653
2654         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2655         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2656         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2657         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2658         * bytecode/ObjectPropertyCondition.cpp:
2659         (JSC::ObjectPropertyCondition::dumpInContext const):
2660         * bytecode/StructureStubClearingWatchpoint.cpp:
2661         (JSC::StructureStubClearingWatchpoint::fireInternal):
2662         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2663         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2664         * runtime/StructureRareData.cpp:
2665         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2666
2667 2019-03-23  Keith Miller  <keith_miller@apple.com>
2668
2669         Refactor clz/ctz and fix getLSBSet.
2670         https://bugs.webkit.org/show_bug.cgi?id=196162
2671
2672         Reviewed by Saam Barati.
2673
2674         Refactor references of clz32/64 and ctz32 to use clz and ctz,
2675         respectively.
2676
2677         * dfg/DFGAbstractInterpreterInlines.h:
2678         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2679         * dfg/DFGOperations.cpp:
2680         * runtime/JSBigInt.cpp:
2681         (JSC::JSBigInt::digitDiv):
2682         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
2683         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2684         (JSC::JSBigInt::toStringBasePowerOfTwo):
2685         (JSC::JSBigInt::compareToDouble):
2686         * runtime/MathObject.cpp:
2687         (JSC::mathProtoFuncClz32):
2688
2689 2019-03-23  Yusuke Suzuki  <ysuzuki@apple.com>
2690
2691         [JSC] Shrink sizeof(RegExp)
2692         https://bugs.webkit.org/show_bug.cgi?id=196133
2693
2694         Reviewed by Mark Lam.
2695
2696         Some applications have many RegExp cells. But RegExp cells are very large (144B).
2697         This patch reduces the size from 144B to 48B by:
2698
2699         1. Allocate Yarr::YarrCodeBlock in non-GC heap. We can avoid this allocation if JIT is disabled.
2700         2. m_captureGroupNames and m_namedGroupToParenIndex are moved to RareData. They are only used when the RegExp has named capture groups.
2701
2702         * runtime/RegExp.cpp:
2703         (JSC::RegExp::finishCreation):
2704         (JSC::RegExp::estimatedSize):
2705         (JSC::RegExp::compile):
2706         (JSC::RegExp::matchConcurrently):
2707         (JSC::RegExp::compileMatchOnly):
2708         (JSC::RegExp::deleteCode):
2709         (JSC::RegExp::printTraceData):
2710         * runtime/RegExp.h:
2711         * runtime/RegExpInlines.h:
2712         (JSC::RegExp::hasCodeFor):
2713         (JSC::RegExp::matchInline):
2714         (JSC::RegExp::hasMatchOnlyCodeFor):
2715
2716 2019-03-22  Keith Rollin  <krollin@apple.com>
2717
2718         Enable ThinLTO support in Production builds
2719         https://bugs.webkit.org/show_bug.cgi?id=190758
2720         <rdar://problem/45413233>
2721
2722         Reviewed by Daniel Bates.
2723
2724         Tweak JavaScriptCore's Base.xcconfig to be more in-line with other
2725         .xcconfig files with regards to LTO settings. However, don't actually
2726         enable LTO for JavaScriptCore. LTO is not enabled for JavaScriptCore
2727         due to <rdar://problem/24543547>.
2728
2729         * Configurations/Base.xcconfig:
2730
2731 2019-03-22  Mark Lam  <mark.lam@apple.com>
2732
2733         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
2734         https://bugs.webkit.org/show_bug.cgi?id=196154
2735         <rdar://problem/49145307>
2736
2737         Reviewed by Filip Pizlo.
2738
2739         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2740         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2741
2742 2019-03-22  Mark Lam  <mark.lam@apple.com>
2743
2744         Placate exception check validation in constructJSWebAssemblyLinkError().
2745         https://bugs.webkit.org/show_bug.cgi?id=196152
2746         <rdar://problem/49145257>
2747
2748         Reviewed by Michael Saboff.
2749
2750         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2751         (JSC::constructJSWebAssemblyLinkError):
2752
2753 2019-03-22  Timothy Hatcher  <timothy@apple.com>
2754
2755         Change macosx() to macos() in WK_API... and JSC_API... macros.
2756         https://bugs.webkit.org/show_bug.cgi?id=196106
2757
2758         Reviewed by Brian Burg.
2759
2760         * API/JSBasePrivate.h:
2761         * API/JSContext.h:
2762         * API/JSContextPrivate.h:
2763         * API/JSContextRef.h:
2764         * API/JSContextRefInternal.h:
2765         * API/JSContextRefPrivate.h:
2766         * API/JSManagedValue.h:
2767         * API/JSObjectRef.h:
2768         * API/JSObjectRefPrivate.h:
2769         * API/JSRemoteInspector.h:
2770         * API/JSScript.h:
2771         * API/JSTypedArray.h:
2772         * API/JSValue.h:
2773         * API/JSValuePrivate.h:
2774         * API/JSValueRef.h:
2775         * API/JSVirtualMachinePrivate.h:
2776
2777 2019-03-22  Yusuke Suzuki  <ysuzuki@apple.com>
2778
2779         Unreviewed, build fix for Windows
2780         https://bugs.webkit.org/show_bug.cgi?id=196122
2781
2782         * runtime/FunctionExecutable.cpp:
2783
2784 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2785
2786         [JSC] Shrink sizeof(FunctionExecutable) by 16bytes
2787         https://bugs.webkit.org/show_bug.cgi?id=196122
2788
2789         Reviewed by Saam Barati.
2790
2791         This patch reduces sizeof(FunctionExecutable) by 16 bytes.
2792
2793         1. ScriptExecutable::m_numParametersForCall and ScriptExecutable::m_numParametersForConstruct are not used in a meaningful way. Removed them.
2794         2. ScriptExecutable::m_lastLine and ScriptExecutable::m_endColumn can be calculated from UnlinkedFunctionExecutable. So FunctionExecutable does not need to hold them.
2795            This patch adds GlobalExecutable, which covers the non-function ScriptExecutables, and moves m_lastLine and m_endColumn to this class.
2796         3. FunctionExecutable still needs to have the feature of overriding m_lastLine and m_endColumn. We move the overridden data into FunctionExecutable::RareData.
2797
2798         * CMakeLists.txt:
2799         * JavaScriptCore.xcodeproj/project.pbxproj:
2800         * Sources.txt:
2801         * bytecode/UnlinkedFunctionExecutable.cpp:
2802         (JSC::UnlinkedFunctionExecutable::link):
2803         * runtime/EvalExecutable.cpp:
2804         (JSC::EvalExecutable::EvalExecutable):
2805         * runtime/EvalExecutable.h:
2806         * runtime/FunctionExecutable.cpp:
2807         (JSC::FunctionExecutable::FunctionExecutable):
2808         (JSC::FunctionExecutable::ensureRareDataSlow):
2809         (JSC::FunctionExecutable::overrideInfo):
2810         * runtime/FunctionExecutable.h:
2811         * runtime/GlobalExecutable.cpp: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2812         * runtime/GlobalExecutable.h: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2813         (JSC::GlobalExecutable::lastLine const):
2814         (JSC::GlobalExecutable::endColumn const):
2815         (JSC::GlobalExecutable::recordParse):
2816         (JSC::GlobalExecutable::GlobalExecutable):
2817         * runtime/ModuleProgramExecutable.cpp:
2818         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2819         * runtime/ModuleProgramExecutable.h:
2820         * runtime/ProgramExecutable.cpp:
2821         (JSC::ProgramExecutable::ProgramExecutable):
2822         * runtime/ProgramExecutable.h:
2823         * runtime/ScriptExecutable.cpp:
2824         (JSC::ScriptExecutable::clearCode):
2825         (JSC::ScriptExecutable::installCode):
2826         (JSC::ScriptExecutable::hasClearableCode const):
2827         (JSC::ScriptExecutable::newCodeBlockFor):
2828         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2829         (JSC::ScriptExecutable::recordParse):
2830         (JSC::ScriptExecutable::lastLine const):
2831         (JSC::ScriptExecutable::endColumn const):
2832         * runtime/ScriptExecutable.h:
2833         (JSC::ScriptExecutable::hasJITCodeForCall const):
2834         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
2835         (JSC::ScriptExecutable::recordParse):
2836         (JSC::ScriptExecutable::lastLine const): Deleted.
2837         (JSC::ScriptExecutable::endColumn const): Deleted.
2838         * tools/FunctionOverrides.h:
2839
2840 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2841
2842         [JSC] Shrink sizeof(RegExpObject)
2843         https://bugs.webkit.org/show_bug.cgi?id=196130
2844
2845         Reviewed by Saam Barati.
2846
2847         sizeof(RegExpObject) is 48B due to one bool flag. We should compress this flag into the lower bit of the RegExp* field so that we can make RegExpObject 32B.
2848         It saves 1.3% of memory footprint in RAMification's regexp.
2849
2850         * dfg/DFGSpeculativeJIT.cpp:
2851         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2852         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
2853         * ftl/FTLAbstractHeapRepository.h:
2854         * ftl/FTLLowerDFGToB3.cpp:
2855         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2856         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2857         * runtime/RegExpObject.cpp:
2858         (JSC::RegExpObject::RegExpObject):
2859         (JSC::RegExpObject::visitChildren):
2860         (JSC::RegExpObject::getOwnPropertySlot):
2861         (JSC::RegExpObject::defineOwnProperty):
2862         * runtime/RegExpObject.h:
2863
2864 2019-03-21  Tomas Popela  <tpopela@redhat.com>
2865
2866         [JSC] Fix build after r243232 on unsupported 64bit architectures
2867         https://bugs.webkit.org/show_bug.cgi?id=196072
2868
2869         Reviewed by Keith Miller.
2870
2871         As Keith suggested, we already expect 16 free bits at the top of any
2872         pointer for JSValue even for the unsupported 64-bit arches.
2873
2874         * bytecode/CodeOrigin.h:
2875
2876 2019-03-21  Mark Lam  <mark.lam@apple.com>
2877
2878         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
2879         https://bugs.webkit.org/show_bug.cgi?id=196116
2880         <rdar://problem/48976951>
2881
2882         Reviewed by Filip Pizlo.
2883
2884         The DFG backend should not make assumptions about what optimizations the front end
2885         will or will not do.  The assertion asserts that the operand cannot be known to be
2886         a cell.  However, it is not guaranteed that the front end will fold away this case.
2887         Also, the DFG backend is perfectly capable of generating code to handle the case
2888         where the operand is a cell.
2889
2890         The attached test case demonstrates a case where the operand can be a known cell.
2891         The test needs to be run with the concurrent JIT and GC, and is racy.  It used to
2892         trip up this assertion about once every 10 runs or so.
2893
2894         * dfg/DFGSpeculativeJIT64.cpp:
2895         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2896
2897 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2898
2899         JSC::createError should clear exception thrown by errorDescriptionForValue
2900         https://bugs.webkit.org/show_bug.cgi?id=196089
2901
2902         Reviewed by Mark Lam.
2903
2904         errorDescriptionForValue returns a nullString in case of failure, but it
2905         might also throw an OOM exception when resolving a rope string. We need
2906         to clear any potential exceptions thrown by errorDescriptionForValue
2907         before returning the OOM from JSC::createError.
2908
2909         * runtime/ExceptionHelpers.cpp:
2910         (JSC::createError):
2911
2912 2019-03-21  Robin Morisset  <rmorisset@apple.com>
2913
2914         B3::Opcode can fit in a single byte, shrinking B3Value by 8 bytes
2915         https://bugs.webkit.org/show_bug.cgi?id=196014
2916
2917         Reviewed by Keith Miller.
2918
2919         B3::Opcode has fewer than one hundred cases, so it can easily fit in one byte (from two currently).
2920         This shrinks B3::Kind from 4 bytes to 2 (by removing the byte of padding at the end).
2921         This in turn eliminates padding from B3::Value, shrinking it by 8 bytes (out of 80).
2922
2923         * b3/B3Opcode.h:
2924
2925 2019-03-21  Michael Catanzaro  <mcatanzaro@igalia.com>
2926
2927         Unreviewed, more clang 3.8 build fixes
2928         https://bugs.webkit.org/show_bug.cgi?id=195947
2929         <rdar://problem/49069219>
2930
2931         In the spirit of making our code worse to please old compilers....
2932
2933         * bindings/ScriptValue.cpp:
2934         (Inspector::jsToInspectorValue):
2935         * bytecode/GetterSetterAccessCase.cpp:
2936         (JSC::GetterSetterAccessCase::create):
2937         (JSC::GetterSetterAccessCase::clone const):
2938         * bytecode/InstanceOfAccessCase.cpp:
2939         (JSC::InstanceOfAccessCase::clone const):
2940         * bytecode/IntrinsicGetterAccessCase.cpp:
2941         (JSC::IntrinsicGetterAccessCase::clone const):
2942         * bytecode/ModuleNamespaceAccessCase.cpp:
2943         (JSC::ModuleNamespaceAccessCase::clone const):
2944         * bytecode/ProxyableAccessCase.cpp:
2945         (JSC::ProxyableAccessCase::clone const):
2946
2947 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2948
2949         [JSC] Do not create JIT related data under non-JIT mode
2950         https://bugs.webkit.org/show_bug.cgi?id=195982
2951
2952         Reviewed by Mark Lam.
2953
2954         We avoid creating JIT-related data structures under non-JIT mode.
2955         This patch removes the following allocations.
2956
2957         1. JITThunks
2958         2. FTLThunks
2959         3. FixedVMPoolExecutableAllocator
2960         4. noJITValueProfileSingleton since it is no longer used
2961         5. ARM disassembler should be initialized when it is used
2962         6. Wasm related data structures are accidentally allocated if VM::canUseJIT() == false &&
2963            Options::useWebAssembly() == true. Add a Wasm::isSupported() function to check both conditions.
2964
2965         * CMakeLists.txt:
2966         * JavaScriptCore.xcodeproj/project.pbxproj:
2967         * heap/Heap.cpp:
2968         (JSC::Heap::runEndPhase):
2969         * jit/ExecutableAllocator.cpp:
2970         (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
2971         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2972         (JSC::ExecutableAllocator::isValid const):
2973         (JSC::ExecutableAllocator::underMemoryPressure):
2974         (JSC::ExecutableAllocator::memoryPressureMultiplier):
2975         (JSC::ExecutableAllocator::allocate):
2976         (JSC::ExecutableAllocator::isValidExecutableMemory):
2977         (JSC::ExecutableAllocator::getLock const):
2978         (JSC::ExecutableAllocator::committedByteCount):
2979         (JSC::ExecutableAllocator::dumpProfile):
2980         (JSC::startOfFixedExecutableMemoryPoolImpl):
2981         (JSC::endOfFixedExecutableMemoryPoolImpl):
2982         (JSC::ExecutableAllocator::initialize):
2983         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
2984         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
2985         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
2986         * jit/ExecutableAllocator.h:
2987         (JSC::ExecutableAllocatorBase::isValid const):
2988         (JSC::ExecutableAllocatorBase::underMemoryPressure):
2989         (JSC::ExecutableAllocatorBase::memoryPressureMultiplier):
2990         (JSC::ExecutableAllocatorBase::dumpProfile):
2991         (JSC::ExecutableAllocatorBase::allocate):
2992         (JSC::ExecutableAllocatorBase::setJITEnabled):
2993         (JSC::ExecutableAllocatorBase::isValidExecutableMemory):
2994         (JSC::ExecutableAllocatorBase::committedByteCount):
2995         (JSC::ExecutableAllocatorBase::getLock const):
2996         (JSC::ExecutableAllocator::isValid const): Deleted.
2997         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
2998         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
2999         (JSC::ExecutableAllocator::allocate): Deleted.
3000         (JSC::ExecutableAllocator::setJITEnabled): Deleted.
3001         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
3002         (JSC::ExecutableAllocator::committedByteCount): Deleted.
3003         (JSC::ExecutableAllocator::getLock const): Deleted.
3004         * jsc.cpp:
3005         (functionWebAssemblyMemoryMode):
3006         * runtime/InitializeThreading.cpp:
3007         (JSC::initializeThreading):
3008         * runtime/JSGlobalObject.cpp:
3009         (JSC::JSGlobalObject::init):
3010         * runtime/JSLock.cpp:
3011         (JSC::JSLock::didAcquireLock):
3012         * runtime/Options.cpp:
3013         (JSC::recomputeDependentOptions):
3014         * runtime/VM.cpp:
3015         (JSC::enableAssembler):
3016         (JSC::VM::canUseAssembler):
3017         (JSC::VM::VM):
3018         * runtime/VM.h:
3019         * wasm/WasmCapabilities.h: Added.
3020         (JSC::Wasm::isSupported):
3021         * wasm/WasmFaultSignalHandler.cpp:
3022         (JSC::Wasm::enableFastMemory):
3023
3024 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
3025
3026         [JSC] Fix JSC build with newer ICU
3027         https://bugs.webkit.org/show_bug.cgi?id=196098
3028
3029         Reviewed by Keith Miller.
3030
3031         IntlDateTimeFormat and IntlNumberFormat have switch statements over ICU's enums. However, they lack a "default" clause, so
3032         a compile error occurs when a new enum value is added on the ICU side. We should have a "default" clause which just falls back
3033         to the "unknown"_s case. The behavior is not changed since we already have a `return "unknown"_s;` statement anyway after the
3034         switch statement. This patch just suppresses a compile error.
3035
3036         * runtime/IntlDateTimeFormat.cpp:
3037         (JSC::IntlDateTimeFormat::partTypeString):
3038         * runtime/IntlNumberFormat.cpp:
3039         (JSC::IntlNumberFormat::partTypeString):
3040
3041 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
3042
3043         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
3044         https://bugs.webkit.org/show_bug.cgi?id=196078
3045         <rdar://problem/35925380>
3046
3047         Reviewed by Mark Lam.
3048
3049         Unlike the other variations of putByIndex, it only checked if the index
3050         was larger than MIN_SPARSE_ARRAY_INDEX when the indexingType was
3051         ALL_BLANK_INDEXING_TYPES. This resulted in a huge butterfly being
3052         allocated for object literals (e.g. `{[9e4]: ...}`) and objects parsed
3053         from JSON.
3054
3055         * runtime/JSObject.cpp:
3056         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3057
3058 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
3059
3060         CachedUnlinkedSourceCodeShape::m_provider should be a CachedRefPtr
3061         https://bugs.webkit.org/show_bug.cgi?id=196079
3062
3063         Reviewed by Saam Barati.
3064
3065         It was mistakenly cached as CachedPtr, which was leaking the decoded SourceProvider.
3066
3067         * runtime/CachedTypes.cpp:
3068         (JSC::CachedUnlinkedSourceCodeShape::encode):
3069
3070 2019-03-21  Mark Lam  <mark.lam@apple.com>
3071
3072         Placate exception check validation in operationArrayIndexOfString().
3073         https://bugs.webkit.org/show_bug.cgi?id=196067
3074         <rdar://problem/49056572>
3075
3076         Reviewed by Michael Saboff.
3077
3078         * dfg/DFGOperations.cpp:
3079
3080 2019-03-21  Xan Lopez  <xan@igalia.com>
3081
3082         [JSC][x86] Drop support for x87 floating point
3083         https://bugs.webkit.org/show_bug.cgi?id=194853
3084
3085         Reviewed by Don Olmstead.
3086
3087         Require SSE2 throughout the codebase, and remove x87 support where
3088         it was optionally available. SSE2 detection happens at compile
3089         time through a static_assert.
3090
3091         * assembler/MacroAssemblerX86.h:
3092         (JSC::MacroAssemblerX86::storeDouble):
3093         (JSC::MacroAssemblerX86::moveDoubleToInts):
3094         (JSC::MacroAssemblerX86::supportsFloatingPoint):
3095         (JSC::MacroAssemblerX86::supportsFloatingPointTruncate):
3096         (JSC::MacroAssemblerX86::supportsFloatingPointSqrt):
3097         (JSC::MacroAssemblerX86::supportsFloatingPointAbs):
3098         * assembler/MacroAssemblerX86Common.cpp:
3099         * assembler/MacroAssemblerX86Common.h:
3100         (JSC::MacroAssemblerX86Common::moveDouble):
3101         (JSC::MacroAssemblerX86Common::loadDouble):
3102         (JSC::MacroAssemblerX86Common::loadFloat):
3103         (JSC::MacroAssemblerX86Common::storeDouble):
3104         (JSC::MacroAssemblerX86Common::storeFloat):
3105         (JSC::MacroAssemblerX86Common::convertDoubleToFloat):
3106         (JSC::MacroAssemblerX86Common::convertFloatToDouble):
3107         (JSC::MacroAssemblerX86Common::addDouble):
3108         (JSC::MacroAssemblerX86Common::addFloat):
3109         (JSC::MacroAssemblerX86Common::divDouble):
3110         (JSC::MacroAssemblerX86Common::divFloat):
3111         (JSC::MacroAssemblerX86Common::subDouble):
3112         (JSC::MacroAssemblerX86Common::subFloat):
3113         (JSC::MacroAssemblerX86Common::mulDouble):
3114         (JSC::MacroAssemblerX86Common::mulFloat):
3115         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
3116         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
3117         (JSC::MacroAssemblerX86Common::branchDouble):
3118         (JSC::MacroAssemblerX86Common::branchFloat):
3119         (JSC::MacroAssemblerX86Common::compareDouble):
3120         (JSC::MacroAssemblerX86Common::compareFloat):
3121         (JSC::MacroAssemblerX86Common::branchTruncateDoubleToInt32):
3122         (JSC::MacroAssemblerX86Common::truncateDoubleToInt32):
3123         (JSC::MacroAssemblerX86Common::truncateFloatToInt32):
3124         (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
3125         (JSC::MacroAssemblerX86Common::branchDoubleNonZero):
3126         (JSC::MacroAssemblerX86Common::branchDoubleZeroOrNaN):
3127         (JSC::MacroAssemblerX86Common::lshiftPacked):
3128         (JSC::MacroAssemblerX86Common::rshiftPacked):
3129         (JSC::MacroAssemblerX86Common::orPacked):
3130         (JSC::MacroAssemblerX86Common::move32ToFloat):
3131         (JSC::MacroAssemblerX86Common::moveFloatTo32):
3132         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
3133         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
3134         * offlineasm/x86.rb:
3135         * runtime/MathCommon.cpp:
3136         (JSC::operationMathPow):
3137
3138 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
3139
3140         [GLIB] User data not correctly passed to callback of functions and constructors with no parameters
3141         https://bugs.webkit.org/show_bug.cgi?id=196073
3142
3143         Reviewed by Michael Catanzaro.
3144
3145         This is because GClosure always expects the first parameter to be the instance. In the case of functions or constructors with
3146         no parameters we insert a fake instance which is just a null pointer that is ignored by the callback. But
3147         if the function/constructor has user data, the callback will expect one parameter for the user data. In that case
3148         we can simply swap instance/user data so that the fake instance will be the second argument and the user data the
3149         first one.
3150
3151         * API/glib/JSCClass.cpp:
3152         (jscClassCreateConstructor): Use g_cclosure_new_swap() if parameters is empty and user data was provided.
3153         * API/glib/JSCValue.cpp:
3154         (jscValueFunctionCreate): Ditto.
3155
3156 2019-03-21  Pablo Saavedra  <psaavedra@igalia.com>
3157
3158         [JSC][32-bit] Build failure after r243232
3159         https://bugs.webkit.org/show_bug.cgi?id=196068
3160
3161         Reviewed by Mark Lam.
3162
3163         * dfg/DFGOSRExit.cpp:
3164         (JSC::DFG::reifyInlinedCallFrames):
3165         * dfg/DFGOSRExitCompilerCommon.cpp:
3166         (JSC::DFG::reifyInlinedCallFrames):
3167
3168 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
3169
3170         [GLib] Returning G_TYPE_OBJECT from a method does not work
3171         https://bugs.webkit.org/show_bug.cgi?id=195574
3172
3173         Reviewed by Michael Catanzaro.
3174
3175         Add more documentation to clarify the ownership of wrapped objects when created and when returned by functions.
3176
3177         * API/glib/JSCCallbackFunction.cpp:
3178         (JSC::JSCCallbackFunction::construct): Also allow to return boxed types from a constructor.
3179         * API/glib/JSCClass.cpp:
3180         * API/glib/JSCValue.cpp:
3181
3182 2019-03-21  Mark Lam  <mark.lam@apple.com>
3183
3184         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
3185         https://bugs.webkit.org/show_bug.cgi?id=196055
3186         <rdar://problem/49067448>
3187
3188         Reviewed by Yusuke Suzuki.
3189
3190         We are doing this because:
3191         1. We expect the array to be densely packed.
3192         2. SpeculativeJIT::compileAllocateNewArrayWithSize() (and the FTL equivalent)
3193            expects the array length to be less than MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH
3194            if we don't want to use an ArrayStorage shape.
3195         3. There's no reason why an array with spread needs to be that large anyway.
3196            MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH is plenty.
3197
3198         In this patch, we also add a debug assert in compileAllocateNewArrayWithSize() and
3199         emitAllocateButterfly() to check for overflows.
3200
3201         * assembler/AbortReason.h:
3202         * dfg/DFGOperations.cpp:
3203         * dfg/DFGSpeculativeJIT.cpp:
3204         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3205         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3206         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
3207         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3208         * ftl/FTLLowerDFGToB3.cpp:
3209         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3210         * runtime/ArrayConventions.h:
3211         * runtime/CommonSlowPaths.cpp:
3212         (JSC::SLOW_PATH_DECL):
3213
3214 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
3215
3216         [JSC] Use finalizer in JSGlobalLexicalEnvironment and JSGlobalObject
3217         https://bugs.webkit.org/show_bug.cgi?id=195992
3218
3219         Reviewed by Keith Miller and Mark Lam.
3220
3221         JSGlobalLexicalEnvironment and JSGlobalObject have their own CompleteSubspace to call destructors while not inheriting from JSDestructibleObject.
3222         But it is too costly since (1) it requires a CompleteSubspace in VM, (2) both objects allocate MarkedBlocks while the number of them is really small.
3223
3224         Instead of using CompleteSubspace, we just set finalizers for them. Since these objects are rarely allocated, setting finalizers does not show
3225         memory / performance problems (actually, we previously used a finalizer for ArrayPrototype for the same reason, and it does not show any problems).
3226
3227         And we also add the following two changes to JSSegmentedVariableObject.
3228
3229         1. Remove one boolean used for debugging in Release build. It enlarges sizeof(JSSegmentedVariableObject) and allocates one more MarkedBlock.
3230         2. Use cellLock() instead.
3231
3232         * CMakeLists.txt:
3233         * JavaScriptCore.xcodeproj/project.pbxproj:
3234         * Sources.txt:
3235         * runtime/JSSegmentedVariableObject.cpp:
3236         (JSC::JSSegmentedVariableObject::findVariableIndex):
3237         (JSC::JSSegmentedVariableObject::addVariables):
3238         (JSC::JSSegmentedVariableObject::visitChildren):
3239         (JSC::JSSegmentedVariableObject::~JSSegmentedVariableObject):
3240         (JSC::JSSegmentedVariableObject::finishCreation):
3241         * runtime/JSSegmentedVariableObject.h:
3242         (JSC::JSSegmentedVariableObject::subspaceFor): Deleted.
3243         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Removed.
3244         * runtime/JSSegmentedVariableObjectHeapCellType.h: Removed.
3245         * runtime/StringIteratorPrototype.cpp:
3246         * runtime/VM.cpp:
3247         (JSC::VM::VM):
3248         * runtime/VM.h:
3249
3250 2019-03-20  Saam Barati  <sbarati@apple.com>
3251
3252         DFG::AbstractValue::validateOSREntry is wrong when isHeapTop and the incoming value is Empty
3253         https://bugs.webkit.org/show_bug.cgi?id=195721
3254
3255         Reviewed by Filip Pizlo.
3256
3257         There was a check in AbstractValue::validateOSREntry where it checked
3258         if isHeapTop(), and if so, just returned true. However, this is wrong
3259         if the value we're checking against is the empty value, since HeapTop
3260         does not include the Empty value. Instead, this check should be
3261         isBytecodeTop(), which does account for the empty value.
3262         
3263         This patch also does a couple of other things:
3264         - For our OSR entry AbstractValues, we were using HeapTop to mark
3265          a dead value. That is now changed to BytecodeTop. (The idea here
3266          is just to have validateOSREntry return early.)
3267         - It wasn't obvious to me how I could make this fail in JS code.
3268          The symptom we'd end up seeing is something like a nullptr dereference
3269          from forgetting to do a TDZ check. Instead, I've added a unit test.
3270          This unit test lives in a new test file: testdfg. testdfg is similar
3271          to testb3/testair/testapi.
3272
3273         * JavaScriptCore.xcodeproj/project.pbxproj:
3274         * bytecode/SpeculatedType.h:
3275         * dfg/DFGAbstractValue.h:
3276         (JSC::DFG::AbstractValue::isBytecodeTop const):
3277         (JSC::DFG::AbstractValue::validateOSREntryValue const):
3278         * dfg/testdfg.cpp: Added.
3279         (hiddenTruthBecauseNoReturnIsStupid):
3280         (usage):
3281         (JSC::DFG::testEmptyValueDoesNotValidateWithHeapTop):
3282         (JSC::DFG::run):
3283         (run):
3284         (main):
3285         * shell/CMakeLists.txt:
3286
3287 2019-03-20  Saam Barati  <sbarati@apple.com>
3288
3289         typeOfDoubleSum is wrong for when NaN can be produced
3290         https://bugs.webkit.org/show_bug.cgi?id=196030
3291
3292         Reviewed by Filip Pizlo.
3293
3294         We were using typeOfDoubleSum(SpeculatedType, SpeculatedType) for add/sub/mul.
3295         It assumed that the only way the resulting type could be NaN is if one of
3296         the inputs was NaN. However, this is wrong. NaN can be produced in at least
3297         these cases:
3298           Infinity - Infinity
3299           Infinity + (-Infinity)
3300           Infinity * 0
3301
3302         * bytecode/SpeculatedType.cpp:
3303         (JSC::typeOfDoubleSumOrDifferenceOrProduct):
3304         (JSC::typeOfDoubleSum):
3305         (JSC::typeOfDoubleDifference):
3306         (JSC::typeOfDoubleProduct):
3307
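The two Saam Barati entries above (bugs 195721 and 196030) both come down to the same soundness question: does the SpeculatedType the abstract interpreter claims for a value actually admit every concrete value that can show up at runtime? The added example below, which is not JavaScriptCore's code, models a cut-down SpeculatedType bitset (the bit names are borrowed from the entries, the layout and helpers are hypothetical) and puts the buggy and fixed versions of both checks side by side: `typeOfDoubleSum` before and after real inputs are allowed to produce NaN, and `validateOSREntryValue` before and after the HeapTop short-circuit was replaced by BytecodeTop so that the Empty value is accounted for.

```cpp
#include <cmath>
#include <cstdint>

// Cut-down model of JSC's SpeculatedType bitset. The bit names follow the
// ChangeLog entries above, but the layout and every helper below are
// hypothetical and not JavaScriptCore's own code.
typedef uint64_t SpeculatedType;

constexpr SpeculatedType SpecEmpty         = 1ull << 0; // the Empty (TDZ / uninitialised) value
constexpr SpeculatedType SpecInt32Only     = 1ull << 1;
constexpr SpeculatedType SpecDoubleReal    = 1ull << 2; // any non-NaN double, +/-Infinity included
constexpr SpeculatedType SpecDoublePureNaN = 1ull << 3;
constexpr SpeculatedType SpecFunction      = 1ull << 4;
constexpr SpeculatedType SpecObjectOther   = 1ull << 5;

constexpr SpeculatedType SpecFullDouble  = SpecDoubleReal | SpecDoublePureNaN;
// HeapTop: every value that can live in the heap. It deliberately excludes Empty.
constexpr SpeculatedType SpecHeapTop     = SpecInt32Only | SpecFullDouble | SpecFunction | SpecObjectOther;
// BytecodeTop: everything a bytecode register can hold, Empty included.
constexpr SpeculatedType SpecBytecodeTop = SpecHeapTop | SpecEmpty;

// The speculation a concrete runtime double belongs to.
inline SpeculatedType speculationFromDouble(double d)
{
    return std::isnan(d) ? SpecDoublePureNaN : SpecDoubleReal;
}

// Before bug 196030: the result can be NaN only if an input can be NaN.
inline SpeculatedType typeOfDoubleSumBuggy(SpeculatedType a, SpeculatedType b)
{
    return (a | b) & SpecFullDouble;
}

// After the fix: a real input may be +/-Infinity, and Infinity - Infinity,
// Infinity + (-Infinity) and Infinity * 0 are all NaN, so any real input adds
// PureNaN to the result. Sum, difference and product share the rule.
inline SpeculatedType typeOfDoubleSumOrDifferenceOrProduct(SpeculatedType a, SpeculatedType b)
{
    SpeculatedType result = (a | b) & SpecFullDouble;
    if (result & SpecDoubleReal)
        result |= SpecDoublePureNaN;
    return result;
}

// Soundness check: does the abstract type admit the concrete value the
// operation actually produced? A `false` here means the AI lied to later phases.
inline bool typeCovers(SpeculatedType abstractType, double concrete)
{
    return (abstractType & speculationFromDouble(concrete)) != 0;
}

// DFG::AbstractValue reduced to its SpeculatedType component.
struct AbstractValue {
    SpeculatedType m_type;
    bool isHeapTop() const { return (m_type & SpecHeapTop) == SpecHeapTop; }
    bool isBytecodeTop() const { return (m_type & SpecBytecodeTop) == SpecBytecodeTop; }
};

// Before bug 195721: HeapTop short-circuits, so an incoming Empty value passes
// validation against a type that does not contain Empty at all.
inline bool validateOSREntryValueBuggy(const AbstractValue& value, SpeculatedType incoming)
{
    if (value.isHeapTop())
        return true;
    return (value.m_type & incoming) == incoming;
}

// After the fix: only BytecodeTop, which does include Empty, may short-circuit.
inline bool validateOSREntryValueFixed(const AbstractValue& value, SpeculatedType incoming)
{
    if (value.isBytecodeTop())
        return true;
    return (value.m_type & incoming) == incoming;
}

int main()
{
    bool sumSound = typeCovers(typeOfDoubleSumOrDifferenceOrProduct(SpecDoubleReal, SpecDoubleReal), INFINITY - INFINITY);
    bool entrySound = !validateOSREntryValueFixed(AbstractValue { SpecHeapTop }, SpecEmpty);
    return sumSound && entrySound ? 0 : 1;
}
```

The point of `typeCovers` is that an abstract type is a promise to every later phase; a value the type does not admit (a NaN from two "real" inputs, or an Empty slipping past a HeapTop check) is exactly the kind of gap that ends in a missed TDZ check or a bad speculation downstream.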
3308 2019-03-20  Simon Fraser  <simon.fraser@apple.com>
3309
3310         Rename ENABLE_ACCELERATED_OVERFLOW_SCROLLING macro to ENABLE_OVERFLOW_SCROLLING_TOUCH
3311         https://bugs.webkit.org/show_bug.cgi?id=196049
3312
3313         Reviewed by Tim Horton.
3314
3315         This macro is about the -webkit-overflow-scrolling CSS property, not accelerated
3316         overflow scrolling in general, so rename it.
3317
3318         * Configurations/FeatureDefines.xcconfig:
3319
3320 2019-03-20  Saam Barati  <sbarati@apple.com>
3321
3322         GetCallee does not report the correct type in AI
3323         https://bugs.webkit.org/show_bug.cgi?id=195981
3324
3325         Reviewed by Yusuke Suzuki.
3326
3327         I found this as part of my work in:
3328         https://bugs.webkit.org/show_bug.cgi?id=195924
3329         
3330         I'm not sure how to write a test for it.
3331         
3332         GetCallee was always reporting that the result is SpecFunction. However,
3333         for eval, it may result in just a JSCallee object, which is not a JSFunction.
3334
3335         * dfg/DFGAbstractInterpreterInlines.h:
3336         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3337
3338 2019-03-20  Mark Lam  <mark.lam@apple.com>
3339
3340         Open source arm64e code.
3341         https://bugs.webkit.org/show_bug.cgi?id=196012
3342         <rdar://problem/49066237>
3343
3344         Reviewed by Keith Miller.
3345
3346         * JavaScriptCore.xcodeproj/project.pbxproj:
3347         * Sources.txt:
3348         * assembler/ARM64EAssembler.h: Added.
3349         (JSC::ARM64EAssembler::encodeGroup1):
3350         (JSC::ARM64EAssembler::encodeGroup2):
3351         (JSC::ARM64EAssembler::encodeGroup4):
3352         (JSC::ARM64EAssembler::pacia1716):
3353         (JSC::ARM64EAssembler::pacib1716):
3354         (JSC::ARM64EAssembler::autia1716):
3355         (JSC::ARM64EAssembler::autib1716):
3356         (JSC::ARM64EAssembler::paciaz):
3357         (JSC::ARM64EAssembler::paciasp):
3358         (JSC::ARM64EAssembler::pacibz):
3359         (JSC::ARM64EAssembler::pacibsp):
3360         (JSC::ARM64EAssembler::autiaz):
3361         (JSC::ARM64EAssembler::autiasp):
3362         (JSC::ARM64EAssembler::autibz):
3363         (JSC::ARM64EAssembler::autibsp):
3364         (JSC::ARM64EAssembler::xpaclri):
3365         (JSC::ARM64EAssembler::pacia):
3366         (JSC::ARM64EAssembler::pacib):
3367         (JSC::ARM64EAssembler::pacda):
3368         (JSC::ARM64EAssembler::pacdb):
3369         (JSC::ARM64EAssembler::autia):
3370         (JSC::ARM64EAssembler::autib):
3371         (JSC::ARM64EAssembler::autda):
3372         (JSC::ARM64EAssembler::autdb):
3373         (JSC::ARM64EAssembler::paciza):
3374         (JSC::ARM64EAssembler::pacizb):
3375         (JSC::ARM64EAssembler::pacdza):
3376         (JSC::ARM64EAssembler::pacdzb):
3377         (JSC::ARM64EAssembler::autiza):
3378         (JSC::ARM64EAssembler::autizb):
3379         (JSC::ARM64EAssembler::autdza):
3380         (JSC::ARM64EAssembler::autdzb):
3381         (JSC::ARM64EAssembler::xpaci):
3382         (JSC::ARM64EAssembler::xpacd):
3383         (JSC::ARM64EAssembler::pacga):
3384         (JSC::ARM64EAssembler::braa):
3385         (JSC::ARM64EAssembler::brab):
3386         (JSC::ARM64EAssembler::blraa):
3387         (JSC::ARM64EAssembler::blrab):
3388         (JSC::ARM64EAssembler::braaz):
3389         (JSC::ARM64EAssembler::brabz):
3390         (JSC::ARM64EAssembler::blraaz):
3391         (JSC::ARM64EAssembler::blrabz):
3392         (JSC::ARM64EAssembler::retaa):
3393         (JSC::ARM64EAssembler::retab):
3394         (JSC::ARM64EAssembler::eretaa):
3395         (JSC::ARM64EAssembler::eretab):
3396         (JSC::ARM64EAssembler::linkPointer):
3397         (JSC::ARM64EAssembler::repatchPointer):
3398         (JSC::ARM64EAssembler::setPointer):
3399         (JSC::ARM64EAssembler::readPointer):
3400         (JSC::ARM64EAssembler::readCallTarget):
3401         (JSC::ARM64EAssembler::ret):
3402         * assembler/MacroAssembler.cpp:
3403         * assembler/MacroAssembler.h:
3404         * assembler/MacroAssemblerARM64.cpp:
3405         * assembler/MacroAssemblerARM64E.h: Added.
3406         (JSC::MacroAssemblerARM64E::tagReturnAddress):
3407         (JSC::MacroAssemblerARM64E::untagReturnAddress):
3408         (JSC::MacroAssemblerARM64E::tagPtr):
3409         (JSC::MacroAssemblerARM64E::untagPtr):
3410         (JSC::MacroAssemblerARM64E::removePtrTag):
3411         (JSC::MacroAssemblerARM64E::callTrustedPtr):
3412         (JSC::MacroAssemblerARM64E::call):
3413         (JSC::MacroAssemblerARM64E::callRegister):
3414         (JSC::MacroAssemblerARM64E::jump):
3415         * dfg/DFGOSRExit.cpp:
3416         (JSC::DFG::reifyInlinedCallFrames):
3417         * dfg/DFGOSRExitCompilerCommon.cpp:
3418         (JSC::DFG::reifyInlinedCallFrames):
3419         * ftl/FTLThunks.cpp:
3420         (JSC::FTL::genericGenerationThunkGenerator):
3421         * jit/CCallHelpers.h:
3422         (JSC::CCallHelpers::prepareForTailCallSlow):
3423         * jit/CallFrameShuffler.cpp:
3424         (JSC::CallFrameShuffler::prepareForTailCall):
3425         * jit/ExecutableAllocator.cpp:
3426         (JSC::ExecutableAllocator::allocate):
3427         * jit/ThunkGenerators.cpp:
3428         (JSC::arityFixupGenerator):
3429         * llint/LLIntOfflineAsmConfig.h:
3430         * llint/LowLevelInterpreter.asm:
3431         * llint/LowLevelInterpreter64.asm:
3432         * runtime/ClassInfo.h:
3433         * runtime/InitializeThreading.cpp:
3434         (JSC::initializeThreading):
3435         * runtime/JSCPtrTag.cpp: Added.
3436         (JSC::tagForPtr):
3437         (JSC::ptrTagName):
3438         (JSC::initializePtrTagLookup):
3439         * runtime/JSCPtrTag.h:
3440         (JSC::initializePtrTagLookup):
3441         * runtime/Options.cpp:
3442         (JSC::recomputeDependentOptions):
3443
3444 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
3445
3446         JSC::createError needs to check for OOM in errorDescriptionForValue
3447         https://bugs.webkit.org/show_bug.cgi?id=196032
3448         <rdar://problem/46842740>
3449
3450         Reviewed by Mark Lam.
3451
3452         We were missing exceptions checks at two levels:
3453         - In errorDescriptionForValue, when the value is a string, we should
3454           check that JSString::value returns a valid string, since we might run
3455           out of memory if it is a rope and we need to resolve it.
3456         - In createError, we should check for the result of errorDescriptionForValue
3457           before concatenating it with the message provided by the caller.
3458
3459         * runtime/ExceptionHelpers.cpp:
3460         (JSC::errorDescriptionForValue):
3461         (JSC::createError):
3462         * runtime/ExceptionHelpers.h:
3463
3464 2019-03-20  Devin Rousso  <drousso@apple.com>
3465
3466         Web Inspector: DOM: include window as part of any event listener chain
3467         https://bugs.webkit.org/show_bug.cgi?id=195730
3468         <rdar://problem/48916872>
3469
3470         Reviewed by Timothy Hatcher.
3471
3472         * inspector/protocol/DOM.json:
3473         Modify `DOM.getEventListenersForNode` to not save the handler object, as that was never
3474         used by the frontend. Add an `onWindow` optional property to `DOM.EventListener` that is set
3475         when the event listener was retrieved from the `window` object.
3476
3477 2019-03-20  Devin Rousso  <drousso@apple.com>
3478
3479         Web Inspector: Runtime: lazily create the agent
3480         https://bugs.webkit.org/show_bug.cgi?id=195972
3481         <rdar://problem/49039655>
3482
3483         Reviewed by Timothy Hatcher.
3484
3485         * inspector/JSGlobalObjectInspectorController.cpp:
3486         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3487         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3488
3489         * inspector/agents/InspectorRuntimeAgent.h:
3490         (Inspector::InspectorRuntimeAgent::enabled): Deleted.
3491         * inspector/agents/InspectorRuntimeAgent.cpp:
3492         (Inspector::InspectorRuntimeAgent::didCreateFrontendAndBackend): Added.
3493         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
3494
3495         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3496         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3497         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend): Deleted.
3498
3499 2019-03-20  Michael Saboff  <msaboff@apple.com>
3500
3501         JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default
3502         https://bugs.webkit.org/show_bug.cgi?id=195906
3503
3504         Reviewed by Mark Lam.
3505
3506         The problem here is that we may successfully parse a RegExp without running out of stack,
3507         but later run out of stack when trying to JIT compile the same expression.
3508
3509         Added a check for available stack space when we call into one of the parenthesis compilation
3510         functions that recurse.  When we don't have enough stack space to recurse, we fail the JIT
3511         compilation and let the interpreter handle the expression.
3512
3513         From code inspection of the YARR interpreter it has the same issue, but I couldn't cause a failure.
3514         Filed a new bug and added a FIXME comment for the Interpreter to have similar checks.
3515         Given that we can reproduce a failure, this is sufficient for now.
3516
3517         This change is covered by the previously added failing test,
3518         JSTests/stress/dont-strength-reduce-regexp-with-compile-error.js.
3519
3520         * yarr/YarrInterpreter.cpp:
3521         (JSC::Yarr::Interpreter::interpret):
3522         * yarr/YarrJIT.cpp:
3523         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
3524         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
3525         (JSC::Yarr::YarrGenerator::opCompileBody):
3526         (JSC::Yarr::dumpCompileFailure):
3527         * yarr/YarrJIT.h:
3528
3529 2019-03-20  Robin Morisset  <rmorisset@apple.com>
3530
3531         DFGNodeAllocator.h is dead code
3532         https://bugs.webkit.org/show_bug.cgi?id=196019
3533
3534         Reviewed by Yusuke Suzuki.
3535
3536         As explained by Yusuke on IRC, the comment on DFG::Node saying that it cannot have a destructor is obsolete since https://trac.webkit.org/changeset/216815/webkit.
3537         This patch removes both the comment and DFGNodeAllocator.h that that patch forgot to remove.
3538
3539         * dfg/DFGNode.h:
3540         (JSC::DFG::Node::dumpChildren):
3541         * dfg/DFGNodeAllocator.h: Removed.
3542
3543 2019-03-20  Robin Morisset  <rmorisset@apple.com>
3544
3545         Compress CodeOrigin into a single word in the common case
3546         https://bugs.webkit.org/show_bug.cgi?id=195928
3547
3548         Reviewed by Saam Barati.
3549
3550         The trick is that pointers only take 48 bits on x86_64 in practice (and we can even use the bottom three bits of that thanks to alignment), and even less on ARM64.
3551         So we can shove the bytecode index in the top bits almost all the time.
3552         If the bytecodeIndex is too ginormous (1<<16 in practice on x86_64), we just set one bit at the bottom and store a pointer to some out-of-line storage instead.
3553         Finally we represent an invalid bytecodeIndex (which used to be represented by UINT_MAX) by setting the second least significant bit.
3554
3555         The patch looks very long, but most of it is just replacing direct accesses to inlineCallFrame and bytecodeIndex by the relevant getters.
3556
3557         End result: CodeOrigin in the common case moves from 16 bytes (8 for InlineCallFrame*, 4 for unsigned bytecodeIndex, 4 of padding) to 8.
3558         As a reference, during running JetStream2 we allocate more than 35M CodeOrigins. While they won't all be alive at the same time, it is still quite a lot of objects, so I am hoping for some small
3559         improvement to RAMification from this work.
3560
3561         The one slightly tricky part is that we must implement copy and move assignment operators and constructors to make sure that any out-of-line storage belongs to a single CodeOrigin and is destroyed exactly once.
3562
3563         * bytecode/ByValInfo.h:
3564         * bytecode/CallLinkStatus.cpp:
3565         (JSC::CallLinkStatus::computeFor):
3566         * bytecode/CodeBlock.cpp:
3567         (JSC::CodeBlock::globalObjectFor):
3568         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
3569         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
3570         * bytecode/CodeOrigin.cpp:
3571         (JSC::CodeOrigin::inlineDepth const):
3572         (JSC::CodeOrigin::isApproximatelyEqualTo const):
3573         (JSC::CodeOrigin::approximateHash const):
3574         (JSC::CodeOrigin::inlineStack const):
3575         (JSC::CodeOrigin::codeOriginOwner const):
3576         (JSC::CodeOrigin::stackOffset const):
3577         (JSC::CodeOrigin::dump const):
3578         (JSC::CodeOrigin::inlineDepthForCallFrame): Deleted.
3579         * bytecode/CodeOrigin.h:
3580         (JSC::OutOfLineCodeOrigin::OutOfLineCodeOrigin):
3581         (JSC::CodeOrigin::CodeOrigin):
3582         (JSC::CodeOrigin::~CodeOrigin):
3583         (JSC::CodeOrigin::isSet const):
3584         (JSC::CodeOrigin::isHashTableDeletedValue const):
3585         (JSC::CodeOrigin::bytecodeIndex const):
3586         (JSC::CodeOrigin::inlineCallFrame const):
3587         (JSC::CodeOrigin::buildCompositeValue):
3588         (JSC::CodeOrigin::hash const):
3589         (JSC::CodeOrigin::operator== const):
3590         (JSC::CodeOrigin::exitingInlineKind const): Deleted.
3591         * bytecode/DeferredSourceDump.h:
3592         * bytecode/GetByIdStatus.cpp:
3593         (JSC::GetByIdStatus::computeForStubInfo):
3594         (JSC::GetByIdStatus::computeFor):
3595         * bytecode/ICStatusMap.cpp:
3596         (JSC::ICStatusContext::isInlined const):
3597         * bytecode/InByIdStatus.cpp:
3598         (JSC::InByIdStatus::computeFor):
3599         (JSC::InByIdStatus::computeForStubInfo):
3600         * bytecode/InlineCallFrame.cpp:
3601         (JSC::InlineCallFrame::dumpInContext const):
3602         * bytecode/InlineCallFrame.h:
3603         (JSC::InlineCallFrame::computeCallerSkippingTailCalls):
3604         (JSC::InlineCallFrame::getCallerInlineFrameSkippingTailCalls):
3605         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
3606         (JSC::CodeOrigin::walkUpInlineStack):
3607         * bytecode/InstanceOfStatus.h:
3608         * bytecode/PutByIdStatus.cpp:
3609         (JSC::PutByIdStatus::computeForStubInfo):
3610         (JSC::PutByIdStatus::computeFor):
3611         * dfg/DFGAbstractInterpreterInlines.h:
3612         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3613         * dfg/DFGArgumentsEliminationPhase.cpp:
3614         * dfg/DFGArgumentsUtilities.cpp:
3615         (JSC::DFG::argumentsInvolveStackSlot):
3616         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3617         * dfg/DFGArrayMode.h:
3618         * dfg/DFGByteCodeParser.cpp:
3619         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3620         (JSC::DFG::ByteCodeParser::setLocal):
3621         (JSC::DFG::ByteCodeParser::setArgument):
3622         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
3623         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3624         (JSC::DFG::ByteCodeParser::parseBlock):
3625         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3626         (JSC::DFG::ByteCodeParser::handlePutByVal):
3627         * dfg/DFGClobberize.h:
3628         (JSC::DFG::clobberize):
3629         * dfg/DFGConstantFoldingPhase.cpp:
3630         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3631         * dfg/DFGFixupPhase.cpp:
3632         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3633         * dfg/DFGForAllKills.h:
3634         (JSC::DFG::forAllKilledOperands):
3635         * dfg/DFGGraph.cpp:
3636         (JSC::DFG::Graph::dumpCodeOrigin):
3637         (JSC::DFG::Graph::dump):
3638         (JSC::DFG::Graph::isLiveInBytecode):
3639         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3640         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
3641         * dfg/DFGGraph.h:
3642         (JSC::DFG::Graph::executableFor):
3643         (JSC::DFG::Graph::isStrictModeFor):
3644         (JSC::DFG::Graph::hasExitSite):
3645         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
3646         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
3647         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
3648         * dfg/DFGMinifiedNode.cpp:
3649         (JSC::DFG::MinifiedNode::fromNode):
3650         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3651         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3652         * dfg/DFGOSRExit.cpp:
3653         (JSC::DFG::OSRExit::executeOSRExit):
3654         (JSC::DFG::reifyInlinedCallFrames):
3655         (JSC::DFG::adjustAndJumpToTarget):
3656         (JSC::DFG::printOSRExit):
3657         (JSC::DFG::OSRExit::compileExit):
3658         * dfg/DFGOSRExitBase.cpp:
3659         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
3660         * dfg/DFGOSRExitCompilerCommon.cpp:
3661         (JSC::DFG::handleExitCounts):
3662         (JSC::DFG::reifyInlinedCallFrames):
3663         (JSC::DFG::adjustAndJumpToTarget):
3664         * dfg/DFGOSRExitPreparation.cpp:
3665         (JSC::DFG::prepareCodeOriginForOSRExit):
3666         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3667         * dfg/DFGOperations.cpp:
3668         * dfg/DFGPreciseLocalClobberize.h:
3669         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3670         * dfg/DFGSpeculativeJIT.cpp:
3671         (JSC::DFG::SpeculativeJIT::emitGetLength):
3672         (JSC::DFG::SpeculativeJIT::emitGetCallee):
3673         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3674         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3675         (JSC::DFG::SpeculativeJIT::compileValueSub):
3676         (JSC::DFG::SpeculativeJIT::compileValueNegate):
3677         (JSC::DFG::SpeculativeJIT::compileValueMul):
3678         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
3679         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3680         * dfg/DFGSpeculativeJIT32_64.cpp:
3681         (JSC::DFG::SpeculativeJIT::emitCall):
3682         * dfg/DFGSpeculativeJIT64.cpp:
3683         (JSC::DFG::SpeculativeJIT::emitCall):
3684         (JSC::DFG::SpeculativeJIT::compile):
3685         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3686         (JSC::DFG::TierUpCheckInjectionPhase::run):
3687         (JSC::DFG::TierUpCheckInjectionPhase::canOSREnterAtLoopHint):
3688         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
3689         * dfg/DFGTypeCheckHoistingPhase.cpp:
3690         (JSC::DFG::TypeCheckHoistingPhase::run):
3691         * dfg/DFGVariableEventStream.cpp:
3692         (JSC::DFG::VariableEventStream::reconstruct const):
3693         * ftl/FTLLowerDFGToB3.cpp:
3694         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3695         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
3696         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
3697         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
3698         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
3699         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3700         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3701         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3702         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3703         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3704         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
3705         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
3706         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
3707         (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
3708         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
3709         (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const):
3710         * ftl/FTLOSRExitCompiler.cpp:
3711         (JSC::FTL::compileStub):
3712         * ftl/FTLOperations.cpp:
3713         (JSC::FTL::operationMaterializeObjectInOSR):
3714         * interpreter/CallFrame.cpp:
3715         (JSC::CallFrame::bytecodeOffset):
3716         * interpreter/StackVisitor.cpp:
3717         (JSC::StackVisitor::unwindToMachineCodeBlockFrame):
3718         (JSC::StackVisitor::readFrame):
3719         (JSC::StackVisitor::readNonInlinedFrame):
3720         (JSC::inlinedFrameOffset):
3721         (JSC::StackVisitor::readInlinedFrame):
3722         * interpreter/StackVisitor.h:
3723         * jit/AssemblyHelpers.cpp:
3724         (JSC::AssemblyHelpers::executableFor):
3725         * jit/AssemblyHelpers.h:
3726         (JSC::AssemblyHelpers::isStrictModeFor):
3727         (JSC::AssemblyHelpers::argumentsStart):
3728         (JSC::AssemblyHelpers::argumentCount):
3729         * jit/PCToCodeOriginMap.cpp:
3730         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
3731         (JSC::PCToCodeOriginMap::findPC const):
3732         * profiler/ProfilerOriginStack.cpp:
3733         (JSC::Profiler::OriginStack::OriginStack):
3734         * profiler/ProfilerOriginStack.h:
3735         * runtime/ErrorInstance.cpp:
3736         (JSC::appendSourceToError):
3737         * runtime/SamplingProfiler.cpp:
3738         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3739
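The layout Robin Morisset describes above is easy to get subtly wrong in two places: deciding when a value may stay inline, and keeping the out-of-line storage owned by exactly one object across copies and moves. The added example below is not JavaScriptCore's CodeOrigin; it is an illustration that follows the entry's recipe (index in the bits above a 48-bit pointer, lowest bit for "out of line", second-lowest bit for "invalid") with a hypothetical `InlineCallFrame` stand-in and a live-block counter so the ownership rule can be checked. It also refuses to go inline when the pointer itself does not fit in 48 bits, which the entry relies on as a platform property rather than checking.

```cpp
#include <cstdint>
#include <limits>
#include <utility>

static_assert(sizeof(uintptr_t) == 8, "this layout assumes a 64-bit pointer word");

// Hypothetical stand-in for JSC's InlineCallFrame; only its address is used here.
struct InlineCallFrame { int depth; };

// One-word CodeOrigin modelled on the entry above. Added illustration, not JSC's own class.
class CodeOrigin {
public:
    static constexpr unsigned invalidBytecodeIndex = std::numeric_limits<unsigned>::max();

    CodeOrigin() : m_composite(s_invalidBit) { }
    CodeOrigin(unsigned bytecodeIndex, InlineCallFrame* frame = nullptr)
        : m_composite(buildCompositeValue(bytecodeIndex, frame)) { }
    ~CodeOrigin() { release(); }

    // Copy duplicates any out-of-line storage so that each object owns exactly one block.
    CodeOrigin(const CodeOrigin& other) : m_composite(other.m_composite)
    {
        if (isOutOfLine())
            m_composite = reinterpret_cast<uintptr_t>(new OutOfLine(*other.outOfLine())) | s_outOfLineBit;
    }
    CodeOrigin& operator=(const CodeOrigin& other)
    {
        CodeOrigin copy(other);
        std::swap(m_composite, copy.m_composite); // our old storage, if any, dies with `copy`
        return *this;
    }
    // Move steals the storage and leaves the source unset, so the block is freed exactly once.
    CodeOrigin(CodeOrigin&& other) noexcept : m_composite(other.m_composite) { other.m_composite = s_invalidBit; }
    CodeOrigin& operator=(CodeOrigin&& other) noexcept
    {
        if (this != &other) {
            release();
            m_composite = other.m_composite;
            other.m_composite = s_invalidBit;
        }
        return *this;
    }

    bool isSet() const { return !(m_composite & s_invalidBit); }
    bool isOutOfLine() const { return m_composite & s_outOfLineBit; }
    unsigned bytecodeIndex() const
    {
        if (!isSet()) return invalidBytecodeIndex;
        return isOutOfLine() ? outOfLine()->bytecodeIndex : static_cast<unsigned>(m_composite >> s_shift);
    }
    InlineCallFrame* inlineCallFrame() const
    {
        if (!isSet()) return nullptr;
        return isOutOfLine() ? outOfLine()->frame : reinterpret_cast<InlineCallFrame*>(m_composite & s_pointerMask);
    }
    // Live out-of-line blocks; a leak or a double free shows up here.
    static int liveOutOfLineCount() { return OutOfLine::liveCount(); }

private:
    struct OutOfLine {
        OutOfLine(unsigned index, InlineCallFrame* f) : bytecodeIndex(index), frame(f) { ++liveCount(); }
        OutOfLine(const OutOfLine& o) : bytecodeIndex(o.bytecodeIndex), frame(o.frame) { ++liveCount(); }
        ~OutOfLine() { --liveCount(); }
        static int& liveCount() { static int count = 0; return count; }
        unsigned bytecodeIndex;
        InlineCallFrame* frame;
    };

    static constexpr uintptr_t s_outOfLineBit = 1;  // lowest bit: the word holds an OutOfLine*
    static constexpr uintptr_t s_invalidBit = 2;    // second-lowest bit: no bytecode index at all
    static constexpr unsigned s_shift = 48;         // user-space pointers occupy 48 bits on x86_64
    static constexpr uintptr_t s_pointerMask = (uintptr_t(1) << s_shift) - 1;
    static constexpr unsigned s_maxInlineIndex = (1u << 16) - 1; // what fits above bit 48

    static uintptr_t buildCompositeValue(unsigned bytecodeIndex, InlineCallFrame* frame)
    {
        if (bytecodeIndex == invalidBytecodeIndex)
            return s_invalidBit;
        uintptr_t raw = reinterpret_cast<uintptr_t>(frame);
        // Stay inline only when both the index and the pointer fit; otherwise go out of
        // line rather than silently truncating either of them.
        if (bytecodeIndex <= s_maxInlineIndex && !(raw & ~s_pointerMask))
            return raw | (uintptr_t(bytecodeIndex) << s_shift);
        return reinterpret_cast<uintptr_t>(new OutOfLine(bytecodeIndex, frame)) | s_outOfLineBit;
    }
    OutOfLine* outOfLine() const { return reinterpret_cast<OutOfLine*>(m_composite & ~s_outOfLineBit); }
    void release() { if (isOutOfLine()) delete outOfLine(); m_composite = s_invalidBit; }

    uintptr_t m_composite;
};

// Exercise copy and move across both representations and report whether every
// out-of-line block was released exactly once.
inline bool ownershipIsBalanced()
{
    InlineCallFrame frame { 1 };
    {
        CodeOrigin big(1u << 20, &frame);   // too large for the high bits: out of line
        CodeOrigin copy = big;              // second block
        CodeOrigin moved = std::move(copy); // block transferred, `copy` is now unset
        CodeOrigin small(7, &frame);        // inline
        small = big;                        // inline object acquires its own block
        if (CodeOrigin::liveOutOfLineCount() != 3 || copy.isSet() || small.bytecodeIndex() != (1u << 20))
            return false;
    }
    return CodeOrigin::liveOutOfLineCount() == 0;
}

int main() { return (sizeof(CodeOrigin) == sizeof(void*) && ownershipIsBalanced()) ? 0 : 1; }
```

`sizeof(CodeOrigin)` is one pointer, which is the whole point of the entry, and `ownershipIsBalanced` is the check worth keeping next to any such class: without the explicit copy and move members the compiler-generated ones would copy the raw word and two destructors would free the same block.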
3740 2019-03-20  Devin Rousso  <drousso@apple.com>
3741
3742         Web Inspector: Search: allow DOM searches to be case sensitive
3743         https://bugs.webkit.org/show_bug.cgi?id=194673
3744         <rdar://problem/48087577>
3745
3746         Reviewed by Timothy Hatcher.
3747
3748         Since `DOM.performSearch` also searches by selector and XPath, some results may appear
3749         unexpected. As an example, searching for "BoDy" will still return the <body> as a result,
3750         as although the literal node name ("BODY") didn't match, it did match via selector/XPath.
3751
3752         * inspector/protocol/DOM.json:
3753         Allow `DOM.performSearch` to be case sensitive.
3754
3755 2019-03-20  Saam Barati  <sbarati@apple.com>
3756
3757         AI rule for ValueBitNot/ValueBitXor/ValueBitAnd/ValueBitOr is wrong
3758         https://bugs.webkit.org/show_bug.cgi?id=195980
3759
3760         Reviewed by Yusuke Suzuki.
3761
3762         They were all saying they could be type: (SpecBoolInt32, SpecBigInt)
3763         However, they should have been type: (SpecInt32Only, SpecBigInt)
3764
3765         * dfg/DFGAbstractInterpreterInlines.h:
3766         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3767
3768 2019-03-20  Michael Catanzaro  <mcatanzaro@igalia.com>
3769
3770         Remove copyRef() calls added in r243163
3771         https://bugs.webkit.org/show_bug.cgi?id=195962
3772
3773         Reviewed by Chris Dumez.
3774
3775         As best I can tell, this may be a GCC 9 bug. It shouldn't warn about this case because the return
3776         value is noncopyable and the WTFMove() is absolutely required. We can avoid the warning
3777         without refcount churn by introducing an intermediate variable.
3778
3779         * inspector/scripts/codegen/cpp_generator_templates.py:
3780
3781 2019-03-20  Carlos Garcia Campos  <cgarcia@igalia.com>
3782
3783         [GLIB] Optimize jsc_value_object_define_property_data|accessor
3784         https://bugs.webkit.org/show_bug.cgi?id=195679
3785
3786         Reviewed by Saam Barati.
3787
3788         Use direct C++ call instead of using the JSC GLib API to create the descriptor object and invoke Object.defineProperty().
3789
3790         * API/glib/JSCValue.cpp:
3791         (jsc_value_object_define_property_data):
3792         (jsc_value_object_define_property_accessor):
3793
3794 2019-03-19  Devin Rousso  <drousso@apple.com>
3795
3796         Web Inspector: Debugger: lazily create the agent
3797         https://bugs.webkit.org/show_bug.cgi?id=195973
3798         <rdar://problem/49039674>
3799
3800         Reviewed by Joseph Pecoraro.
3801
3802         * inspector/JSGlobalObjectInspectorController.cpp:
3803         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3804         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
3805         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3806
3807         * inspector/JSGlobalObjectConsoleClient.h:
3808         (Inspector::JSGlobalObjectConsoleClient::setInspectorDebuggerAgent): Added.
3809         * inspector/JSGlobalObjectConsoleClient.cpp:
3810         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
3811         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
3812         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
3813
3814         * inspector/agents/InspectorDebuggerAgent.h:
3815         (Inspector::InspectorDebuggerAgent::addListener): Added.
3816         (Inspector::InspectorDebuggerAgent::removeListener): Added.
3817         (Inspector::InspectorDebuggerAgent::setListener): Deleted.
3818         * inspector/agents/InspectorDebuggerAgent.cpp:
3819         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
3820         (Inspector::InspectorDebuggerAgent::enable):
3821         (Inspector::InspectorDebuggerAgent::disable):
3822         (Inspector::InspectorDebuggerAgent::getScriptSource):
3823         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3824         (Inspector::InspectorDebuggerAgent::didPause):
3825         (Inspector::InspectorDebuggerAgent::breakProgram):
3826         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
3827         Drive-by: reorder some member variables for better sizing.
3828         Drive-by: rename some member variables for clarity.
3829
3830 2019-03-19  Saam barati  <sbarati@apple.com>
3831
3832         Prune code after ForceOSRExit
3833         https://bugs.webkit.org/show_bug.cgi?id=195913
3834
3835         Reviewed by Keith Miller.
3836
3837         I removed our original implementation of this in r242989 because
3838         it was not sound. It broke backwards propagation because it removed
3839         uses of a node that backwards propagation relied on to be sound.
3840         Essentially, backwards propagation relies on being able to see uses
3841         that would exist in bytecode to be sound.
3842         
3843         The rollout in r242989 was a 1% Speedometer2 regression. This patch
3844         rolls back in the optimization in a sound way.
3845         
3846         This patch augments the code we had prior to r242989 to be sound. In
3847         addition to preserving liveness, we now also convert all uses after
3848         the ForceOSRExit to be Phantom. This may pessimize the optimizations
3849         we do in backwards propagation, but it will prevent that phase from
3850         making unsound optimizations.
3851
3852         * dfg/DFGByteCodeParser.cpp:
3853         (JSC::DFG::ByteCodeParser::addToGraph):
3854         (JSC::DFG::ByteCodeParser::parse):
3855
3856 2019-03-19  Michael Catanzaro  <mcatanzaro@igalia.com>
3857
3858         Build cleanly with GCC 9
3859         https://bugs.webkit.org/show_bug.cgi?id=195920
3860
3861         Reviewed by Chris Dumez.
3862
3863         WebKit triggers three new GCC 9 warnings:
3864
3865         """
3866         -Wdeprecated-copy, implied by -Wextra, warns about the C++11 deprecation of implicitly
3867         declared copy constructor and assignment operator if one of them is user-provided.
3868         """
3869
3870         Solution is to either add a copy constructor or copy assignment operator, if required, or
3871         else remove one if it is redundant.
3872
3873         """
3874         -Wredundant-move, implied by -Wextra, warns about redundant calls to std::move.
3875         -Wpessimizing-move, implied by -Wall, warns when a call to std::move prevents copy elision.
3876         """
3877
3878         These account for most of this patch. Solution is to just remove the bad WTFMove().
3879
3880         Additionally, -Wclass-memaccess has been enhanced to catch a few cases that GCC 8 didn't.