2018-10-01  Commit Queue

        Unreviewed, rolling out r236647.
        https://bugs.webkit.org/show_bug.cgi?id=190124

        Breaking test stress/big-int-to-string.js (Requested by caiolima_ on #webkit).

        Reverted changeset:

        "[BigInt] BigInt.prototype.toString is broken when radix is power of 2"
        https://bugs.webkit.org/show_bug.cgi?id=190033
        https://trac.webkit.org/changeset/236647

2018-10-01  Yusuke Suzuki

        [WebAssembly] Move type conversion code of JSToWasm return type to JS wasm wrapper
        https://bugs.webkit.org/show_bug.cgi?id=189498

        Reviewed by Saam Barati.

        To call JS-to-Wasm code we need to convert the result value from the wasm function to the JS type. Previously this was done by callWebAssemblyFunction by using a switch over signature.returnType(). But since we know the value of `signature.returnType()` at compiling phase, we can emit a small conversion code directly into the JSToWasm glue and remove this switch from callWebAssemblyFunction.

        In JSToWasm glue code, we do not have tag registers. So we use DoNotHaveTagRegisters in boxInt32 and boxDouble. Since boxDouble does not have a DoNotHaveTagRegisters version, we add an implementation for that.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::boxDouble):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2018-09-30  Caio Lima

        [BigInt] BigInt.prototype.toString is broken when radix is power of 2
        https://bugs.webkit.org/show_bug.cgi?id=190033

        Reviewed by Yusuke Suzuki.

        The implementation of JSBigInt::toStringToGeneric doesn't handle power of 2 radix when JSBigInt length is >= 2. To handle such cases, we implemented JSBigInt::toStringBasePowerOfTwo that follows the algorithm that groups bits using a mask of (2 ^ n) - 1 to extract every digit.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::toStringBasePowerOfTwo):
        * runtime/JSBigInt.h:

2018-09-28  Caio Lima

        [ESNext][BigInt] Implement support for "&"
        https://bugs.webkit.org/show_bug.cgi?id=186228

        Reviewed by Yusuke Suzuki.

        This patch introduces support of BigInt into the bitwise "&" operation. We are also introducing the ValueBitAnd DFG node, which is responsible for taking care of JIT for non-Int32 operands. With the introduction of this new node, we renamed the BitAnd node to ArithBitAnd. The ArithBitAnd follows the behavior of ArithAdd and other arithmetic nodes, where the Arith version always results in Number (in the case of ArithBitAnd, it is always an Int32).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitBinaryOp):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
        (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::bitOp):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitAnd):
        (JSC::FTL::DFG::LowerDFGToB3::compileBitAnd): Deleted.
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitBitBinaryOpFastPath):
        (JSC::JIT::emit_op_bitand):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::initialize):
        (JSC::JSBigInt::createZero):
        (JSC::JSBigInt::createFrom):
        (JSC::JSBigInt::bitwiseAnd):
        (JSC::JSBigInt::absoluteBitwiseOp):
        (JSC::JSBigInt::absoluteAnd):
        (JSC::JSBigInt::absoluteOr):
        (JSC::JSBigInt::absoluteAndNot):
        (JSC::JSBigInt::absoluteAddOne):
        (JSC::JSBigInt::absoluteSubOne):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toBigIntOrInt32 const):

2018-09-28  Mark Lam

        Gardening: speculative build fix.

        Not reviewed.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):

2018-09-28  Guillaume Emont

        [JSC] [Armv7] Add a copy function argument to MacroAssemblerARMv7::link() and pass it down to the assembler's linking functions.
        https://bugs.webkit.org/show_bug.cgi?id=190080

        Reviewed by Mark Lam.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::linkJumpT1):
        (JSC::ARMv7Assembler::linkJumpT2):
        (JSC::ARMv7Assembler::linkJumpT3):
        (JSC::ARMv7Assembler::linkJumpT4):
        (JSC::ARMv7Assembler::linkConditionalJumpT4):
        (JSC::ARMv7Assembler::linkBX):
        (JSC::ARMv7Assembler::linkConditionalBX):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::link):

2018-09-27  Saam Barati

        Verify the contents of AssemblerBuffer on arm64e
        https://bugs.webkit.org/show_bug.cgi?id=190057

        Reviewed by Mark Lam.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::ARM64Assembler):
        (JSC::ARM64Assembler::fillNops):
        (JSC::ARM64Assembler::link):
        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        (JSC::ARM64Assembler::unlinkedCode): Deleted.
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::fillNops):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::unlinkedCode): Deleted.
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::emitNops):
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        * assembler/AssemblerBuffer.h:
        (JSC::ARM64EHash::ARM64EHash):
        (JSC::ARM64EHash::update):
        (JSC::ARM64EHash::hash const):
        (JSC::ARM64EHash::randomSeed const):
        (JSC::AssemblerBuffer::AssemblerBuffer):
        (JSC::AssemblerBuffer::putShort):
        (JSC::AssemblerBuffer::putIntUnchecked):
        (JSC::AssemblerBuffer::putInt):
        (JSC::AssemblerBuffer::hash const):
        (JSC::AssemblerBuffer::data const):
        (JSC::AssemblerBuffer::putIntegralUnchecked):
        (JSC::AssemblerBuffer::append): Deleted.
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::fillNops):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::jumpsToLink):
        (JSC::MacroAssemblerARM64::link):
        (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::jumpsToLink):
        (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):

2018-09-27  Mark Lam

        ByValInfo should not use integer offsets.
        https://bugs.webkit.org/show_bug.cgi?id=190070

        Reviewed by Saam Barati.

        Also moved some fields around to allow the ByValInfo struct to be more densely packed.

        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):

2018-09-27  Saam Barati

        DFG::OSRExit::m_patchableCodeOffset should not be an int
        https://bugs.webkit.org/show_bug.cgi?id=190066

        Reviewed by Mark Lam.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::codeLocationForRepatch const):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
        (JSC::DFG::OSRExit::correctJump): Deleted.
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompilationInfo.h:

2018-09-27  Saam Barati

        Don't use int offsets in StructureStubInfo
        https://bugs.webkit.org/show_bug.cgi?id=190064

        Reviewed by Mark Lam.

        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::slowPathCallLocation):
        (JSC::StructureStubInfo::doneLocation):
        (JSC::StructureStubInfo::slowPathStartLocation):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITInlineCacheGenerator::finalize):

2018-09-27  Mark Lam

        DFG::OSREntry::m_machineCodeOffset should be a CodeLocation.
        https://bugs.webkit.org/show_bug.cgi?id=190054

        Reviewed by Saam Barati.

        * dfg/DFGJITCode.h:
        (JSC::DFG::JITCode::appendOSREntryData):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::OSREntryData::dumpInContext const):
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * runtime/JSCPtrTag.h:

2018-09-27  Mark Lam

        JITMathIC should not use integer offsets into machine code.
        https://bugs.webkit.org/show_bug.cgi?id=190030

        Reviewed by Saam Barati.

        We'll replace them with CodeLocation smart pointers instead.

        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):

2018-09-26  Mark Lam

        Options::useSeparatedWXHeap() should always be false when ENABLE(FAST_JIT_PERMISSIONS) && CPU(ARM64E).
        https://bugs.webkit.org/show_bug.cgi?id=190022

        Reviewed by Saam Barati.

        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2018-09-26  Mark Lam

        Assert that performJITMemcpy() is always called with instruction size aligned addresses on ARM64.
        https://bugs.webkit.org/show_bug.cgi?id=190016

        Reviewed by Saam Barati.

        Also assert in performJITMemcpy() that the entire buffer to be copied will fit in JIT memory.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::fillNops):
        (JSC::ARM64Assembler::replaceWithVMHalt):
        (JSC::ARM64Assembler::replaceWithJump):
        (JSC::ARM64Assembler::replaceWithLoad):
        (JSC::ARM64Assembler::replaceWithAddressComputation):
        (JSC::ARM64Assembler::setPointer):
        (JSC::ARM64Assembler::repatchInt32):
        (JSC::ARM64Assembler::repatchCompact):
        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):

2018-09-25  Keith Miller

        Move Symbol API to SPI
        https://bugs.webkit.org/show_bug.cgi?id=189946

        Reviewed by Michael Saboff.

        Some of the property access methods on JSValue needed to be moved to a category so that SPI overloads don't result in a compiler error for internal users. Additionally, this patch does not move the new enum entry for Symbols in the JSType enumeration.

        * API/JSObjectRef.h:
        * API/JSObjectRefPrivate.h:
        * API/JSValue.h:
        * API/JSValuePrivate.h:
        * API/JSValueRef.h:

2018-09-26  Keith Miller

        We should zero unused property storage when rebalancing array storage.
        https://bugs.webkit.org/show_bug.cgi?id=188151

        Reviewed by Michael Saboff.

        In unshiftCountSlowCase we sometimes will move property storage to the right even when net adding elements. This can happen because we "balance" the pre/post-capacity in that code, so we need to zero the unused property storage.

        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):

2018-09-26  Yusuke Suzuki

        Unreviewed, add scope verification handling
        https://bugs.webkit.org/show_bug.cgi?id=189780

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):

2018-09-26  Koby Boyango

        [JSC] offlineasm parser should handle CRLF in asm files
        https://bugs.webkit.org/show_bug.cgi?id=189949

        Reviewed by Mark Lam.

        * offlineasm/parser.rb:

2018-09-20  Yusuke Suzuki

        [JSC] Optimize Array#lastIndexOf
        https://bugs.webkit.org/show_bug.cgi?id=189780

        Reviewed by Saam Barati.

        Optimize Array#lastIndexOf in the same way as Array#indexOf. We add a fast path for JSArray with contiguous storage.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncLastIndexOf):

2018-09-25  Saam Barati

        Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=189940

        Reviewed by Mark Lam.

        We were calling baselineCodeBlockForOriginAndBaselineCodeBlock with the FTL CodeBlock. There is nothing semantically wrong with doing that (except for poor naming); however, the poor naming here led us to make a real semantic mistake. We wanted the baseline CodeBlock's constant pool, but we were accessing the FTL CodeBlock's constant pool accidentally. We need to access the baseline CodeBlock's constant pool when we update the NewArrayBuffer constant value.

        * bytecode/InlineCallFrame.h:
        (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):

2018-09-25  Joseph Pecoraro

        Web Inspector: Stricter block syntax in generated ObjC protocol interfaces
        https://bugs.webkit.org/show_bug.cgi?id=189962

        Reviewed by Brian Burg.

        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator._callback_block_for_command):
        If there are no return parameters include "void" in the block signature.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        Rebaseline test results.

2018-09-24  Joseph Pecoraro

        Remove AUTHORS and THANKS files which are stale
        https://bugs.webkit.org/show_bug.cgi?id=189941

        Reviewed by Darin Adler.

        Included mentions below so their names are still in ChangeLogs.

        * AUTHORS: Removed.
        Harri Porten (porten@kde.org) and Peter Kelly (pmk@post.com).
        These authors remain mentioned in copyrights in source files.

        * THANKS: Removed.
        Richard Moore - for filling the Math object with some life
        Daegeun Lee - for pointing out some bugs and providing much code for the String and Date object.
        Marco Pinelli - for his patches
        Christian Kirsch - for his contribution to the Date object

2018-09-24  Fujii Hironori

        Rename WTF_COMPILER_GCC_OR_CLANG to WTF_COMPILER_GCC_COMPATIBLE
        https://bugs.webkit.org/show_bug.cgi?id=189733

        Reviewed by Michael Catanzaro.

        * assembler/ARM64Assembler.h:
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::cacheFlush):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::isVFPPresent):
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerMIPS.cpp:
        * assembler/MacroAssemblerX86Common.cpp:
        * heap/HeapCell.cpp:
        * heap/HeapCell.h:
        * jit/HostCallReturnValue.h:
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/ThunkGenerators.cpp:
        * runtime/ArrayConventions.cpp:
        (JSC::clearArrayMemset):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::digitDiv):

2018-09-24  Saam Barati

        Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
        https://bugs.webkit.org/show_bug.cgi?id=189922

        Reviewed by Mark Lam.

        The implementation was first getting the length to iterate up to, then getting the starting index. However, getting the starting index may perform effects, e.g., it could change the length of the array. This changes it so we verify the length is still valid.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncIndexOf):

2018-09-24  Tadeu Zagallo

        offlineasm: fix macro scoping
        https://bugs.webkit.org/show_bug.cgi?id=189902

        Reviewed by Mark Lam.

        In the code below, the reference to `f` in `g`, which should refer to the outer macro definition, will instead refer to the f argument of the anonymous macro passed to `g`. That leads to this code failing to compile (f expected 0 args but got 1).

        ```
        macro f(x)
            move x, t0
        end

        macro g(fn)
            fn(macro () f(42) end)
        end

        g(macro(f) f() end)
        ```

        * offlineasm/ast.rb:
        * offlineasm/transform.rb:

2018-09-24  Tadeu Zagallo

        Add forEach method for iterating CodeBlock's ValueProfiles
        https://bugs.webkit.org/show_bug.cgi?id=189897

        Reviewed by Mark Lam.

        Add a method to abstract how we find ValueProfiles in a CodeBlock in preparation for https://bugs.webkit.org/show_bug.cgi?id=189785, when ValueProfiles will be stored in the MetadataTable.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::updateAllValueProfilePredictions):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::forEachValueProfile):
        (JSC::CodeBlock::numberOfArgumentValueProfiles):
        (JSC::CodeBlock::valueProfileForArgument):
        (JSC::CodeBlock::numberOfValueProfiles):
        (JSC::CodeBlock::valueProfile):
        (JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
        (JSC::CodeBlock::getFromAllValueProfiles): Deleted.
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::validateJSCell):

2018-09-24  Saam Barati

        ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
        https://bugs.webkit.org/show_bug.cgi?id=189682

        Reviewed by Mark Lam.

        Otherwise, if we have code like this:

        ```
        a: Arguments
        b: GetButterfly(@a)
        c: ForceExit
        d: GetArrayLength(@a, @b)
        ```

        it will get transformed into this invalid DFG IR:

        ```
        a: PhantomArguments
        b: Check(@a)
        c: ForceExit
        d: GetArrayLength(@a, @b)
        ```

        And we will fail DFG validation since @b does not have a result. The fix is to just remove all nodes after the ForceExit and plant an Unreachable after it. So the above code program will now turn into this:

        ```
        a: PhantomArguments
        b: Check(@a)
        c: ForceExit
        e: Unreachable
        ```

        * dfg/DFGArgumentsEliminationPhase.cpp:

2018-09-22  Saam Barati

        The sampling should not use Strong in its machineLocation field
        https://bugs.webkit.org/show_bug.cgi?id=189319

        Reviewed by Filip Pizlo.

        The sampling profiler has a CLI mode where we gather information about inline call frames. That data structure was using a Strong. We were constructing this Strong during GC concurrently to processing all the Strong handles. This is a bug since we end up corrupting that data structure. This patch fixes this by just making this data structure use the sampling profiler's mechanism for holding onto and properly visiting heap pointers.

        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::reportTopFunctions):
        (JSC::SamplingProfiler::reportTopBytecodes):
        These CLI helpers needed a DeferGC; otherwise we may end up deadlocking when we cause a GC to happen while already holding the sampling profiler's lock.

2018-09-21  Yusuke Suzuki

        [JSC] Enable LLInt ASM interpreter on X64 and ARM64 in non JIT configuration
        https://bugs.webkit.org/show_bug.cgi?id=189778

        Reviewed by Keith Miller.

        LLInt ASM interpreter is 2x and 15% faster than CLoop interpreter on Linux and macOS respectively. We would like to enable it for non JIT configurations in X86_64 and ARM64.

        This patch enables LLInt for non JIT builds in X86_64 and ARM64 architectures. Previously, we switched between the LLInt ASM interpreter and CLoop by using the ENABLE(JIT) configuration. But it is wrong in the new scenario since we have a build configuration that uses the LLInt ASM interpreter while JIT is disabled. We introduce the ENABLE(C_LOOP) option, which represents that we use CLoop. And we replace ENABLE(JIT) with ENABLE(C_LOOP) if the previous ENABLE(JIT) is essentially just related to the LLInt ASM interpreter and not related to JIT.

        We also replace some ENABLE(JIT) configurations with ENABLE(ASSEMBLER). ENABLE(ASSEMBLER) is now enabled even if we disable JIT since MacroAssembler has machine register information that is used in the LLInt ASM interpreter.

        * API/tests/PingPongStackOverflowTest.cpp:
        (testPingPongStackOverflow):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallReturnOffsetToBytecodeOffset.h: Removed. It is no longer used.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::calleeSaveRegisters const):
        (JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters):
        (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
        (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * heap/Heap.cpp:
        (JSC::Heap::gatherJSStackRoots):
        (JSC::Heap::stopThePeriphery):
        * interpreter/CLoopStack.cpp:
        * interpreter/CLoopStack.h:
        * interpreter/CLoopStackInlines.h:
        * interpreter/EntryFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::calleeSaveRegisters):
        * interpreter/VMEntryRecord.h:
        * jit/ExecutableAllocator.h:
        * jit/FPRInfo.h:
        (WTF::printInternal):
        * jit/GPRInfo.cpp:
        * jit/GPRInfo.h:
        (WTF::printInternal):
        * jit/HostCallReturnValue.cpp:
        (JSC::getHostCallReturnValueWithExecState): Moved. They are used in LLInt ASM interpreter too.
        * jit/HostCallReturnValue.h:
        * jit/JITOperations.cpp:
        (JSC::getHostCallReturnValueWithExecState): Deleted.
        * jit/JITOperationsMSVC64.cpp:
        * jit/Reg.cpp:
        * jit/Reg.h:
        * jit/RegisterAtOffset.cpp:
        * jit/RegisterAtOffset.h:
        * jit/RegisterAtOffsetList.cpp:
        * jit/RegisterAtOffsetList.h:
        * jit/RegisterMap.h:
        * jit/RegisterSet.cpp:
        * jit/RegisterSet.h:
        * jit/TempRegisterSet.cpp:
        * jit/TempRegisterSet.h:
        * llint/LLIntCLoop.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntData.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOpcode.h:
        * llint/LLIntPCRanges.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.cpp:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * runtime/JSCJSValue.h:
        * runtime/MachineContext.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        Enable SamplingProfiler for LLInt ASM interpreter with non JIT configuration.
        * runtime/TestRunnerUtils.cpp:
        (JSC::optimizeNextInvocation):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::getHostFunction):
        (JSC::VM::updateSoftReservedZoneSize):
        (JSC::sanitizeStackForVM):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        (JSC::VM::isSafeToRecurseSoft const):

2018-09-21  Keith Miller

        Add Promise SPI
        https://bugs.webkit.org/show_bug.cgi?id=189809

        Reviewed by Saam Barati.

        The Patch adds new SPI to create promises. It's mostly SPI because I want to see how internal users react to it before we make it public.

        This patch adds a couple of new Obj-C SPI methods. The first creates a new promise using the same API that JS does where the user provides an executor callback. If an exception is raised in/to that callback the promise is automagically rejected. The other methods create a pre-resolved or rejected promise as this appears to be a common way to initialize a promise.

        I was also considering adding a second version of executor API where it would catch specific Obj-C exceptions.
        This would work by taking a Class parameter and checking isKindOfClass: on the exception. I decided against this as nothing else in our API handles Obj-C exceptions. I'm pretty sure the VM will end up in a corrupt state if an Obj-C exception unwinds through JS frames.

        This patch adds a new C function that will create a "deferred" promise. A deferred promise is a style of creating promise/futures where the resolve and reject functions are passed as outputs of a function. I went with this style for the C SPI because we don't have any concept of forwarding exceptions in the C API.

        In order to make the C API work I refactored a bit of the promise code so that we can call a static method on JSDeferredPromise and just get the components without allocating an extra cell wrapper.

        * API/JSContext.mm:
        (+[JSContext currentCallee]):
        * API/JSObjectRef.cpp:
        (JSObjectMakeDeferredPromise):
        * API/JSObjectRefPrivate.h:
        * API/JSValue.mm:
        (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
        (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
        (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
        * API/JSValuePrivate.h: Added.
        * API/JSVirtualMachine.mm:
        * API/JSVirtualMachinePrivate.h:
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.cpp:
        (APIContext::operator JSC::ExecState*):
        (TestAPI::failed const):
        (TestAPI::check):
        (TestAPI::basicSymbol):
        (TestAPI::symbolsTypeof):
        (TestAPI::symbolsGetPropertyForKey):
        (TestAPI::symbolsSetPropertyForKey):
        (TestAPI::symbolsHasPropertyForKey):
        (TestAPI::symbolsDeletePropertyForKey):
        (TestAPI::promiseResolveTrue):
        (TestAPI::promiseRejectTrue):
        (testCAPIViaCpp):
        (TestAPI::run): Deleted.
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        (promiseWithExecutor):
        (promiseRejectOnJSException):
        (promiseCreateResolved):
        (promiseCreateRejected):
        (parallelPromiseResolveTest):
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSInternalPromiseDeferred.cpp:
        (JSC::JSInternalPromiseDeferred::create):
        * runtime/JSPromise.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::createDeferredData):
        (JSC::JSPromiseDeferred::create):
        (JSC::JSPromiseDeferred::finishCreation):
        (JSC::newPromiseCapability): Deleted.
        * runtime/JSPromiseDeferred.h:
        (JSC::JSPromiseDeferred::promise const):
        (JSC::JSPromiseDeferred::resolve const):
        (JSC::JSPromiseDeferred::reject const):

2018-09-21  Ryan Haddad

        Unreviewed, rolling out r236359.

        Broke the Windows build.

        Reverted changeset:

        "Add Promise SPI"
        https://bugs.webkit.org/show_bug.cgi?id=189809
        https://trac.webkit.org/changeset/236359

2018-09-21  Mark Lam

        JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState.
        https://bugs.webkit.org/show_bug.cgi?id=189855

        Reviewed by Filip Pizlo.

        tryGetValue() always passes a nullptr to JSRopeString::resolveRope() for the ExecState* argument. This is intentional so that resolveRope() does not throw in the event of an OutOfMemory error. Hence, JSRopeString::resolveRope() should get the VM from the cell instead of via the ExecState.

        Also removed an obsolete and unused field in JSString.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRope const):
        (JSC::JSRopeString::outOfMemory const):
        * runtime/JSString.h:
        (JSC::JSString::tryGetValue const):

2018-09-21  Michael Saboff

        Add functions to measure memory footprint to JSC
        https://bugs.webkit.org/show_bug.cgi?id=189768

        Reviewed by Saam Barati.

        Rolling this back in again.

        Provide system memory metrics for the current process to aid in memory reduction measurement and tuning using native JS tests.

        * jsc.cpp:
        (MemoryFootprint::now):
        (MemoryFootprint::resetPeak):
        (GlobalObject::finishCreation):
        (JSCMemoryFootprint::JSCMemoryFootprint):
        (JSCMemoryFootprint::createStructure):
        (JSCMemoryFootprint::create):
        (JSCMemoryFootprint::finishCreation):
        (JSCMemoryFootprint::addProperty):
        (functionResetMemoryPeak):

2018-09-21  Keith Miller

        Add Promise SPI
        https://bugs.webkit.org/show_bug.cgi?id=189809

        Reviewed by Saam Barati.

        The Patch adds new SPI to create promises. It's mostly SPI because I want to see how internal users react to it before we make it public.

        This patch adds a couple of new Obj-C SPI methods. The first creates a new promise using the same API that JS does where the user provides an executor callback. If an exception is raised in/to that callback the promise is automagically rejected. The other methods create a pre-resolved or rejected promise as this appears to be a common way to initialize a promise.

        I was also considering adding a second version of executor API where it would catch specific Obj-C exceptions. This would work by taking a Class parameter and checking isKindOfClass: on the exception. I decided against this as nothing else in our API handles Obj-C exceptions. I'm pretty sure the VM will end up in a corrupt state if an Obj-C exception unwinds through JS frames.

        This patch adds a new C function that will create a "deferred" promise. A deferred promise is a style of creating promise/futures where the resolve and reject functions are passed as outputs of a function. I went with this style for the C SPI because we don't have any concept of forwarding exceptions in the C API.

        In order to make the C API work I refactored a bit of the promise code so that we can call a static method on JSDeferredPromise and just get the components without allocating an extra cell wrapper.

        * API/JSContext.mm:
        (+[JSContext currentCallee]):
        * API/JSObjectRef.cpp:
        (JSObjectMakeDeferredPromise):
        * API/JSObjectRefPrivate.h:
        * API/JSValue.mm:
        (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
        (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
        (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
        * API/JSValuePrivate.h: Added.
        * API/JSVirtualMachine.mm:
        * API/JSVirtualMachinePrivate.h:
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.cpp:
        (APIContext::operator JSC::ExecState*):
        (TestAPI::failed const):
        (TestAPI::check):
        (TestAPI::basicSymbol):
        (TestAPI::symbolsTypeof):
        (TestAPI::symbolsGetPropertyForKey):
        (TestAPI::symbolsSetPropertyForKey):
        (TestAPI::symbolsHasPropertyForKey):
        (TestAPI::symbolsDeletePropertyForKey):
        (TestAPI::promiseResolveTrue):
        (TestAPI::promiseRejectTrue):
        (testCAPIViaCpp):
        (TestAPI::run): Deleted.
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        (promiseWithExecutor):
        (promiseRejectOnJSException):
        (promiseCreateResolved):
        (promiseCreateRejected):
        (parallelPromiseResolveTest):
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSInternalPromiseDeferred.cpp:
        (JSC::JSInternalPromiseDeferred::create):
        * runtime/JSPromise.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::createDeferredData):
        (JSC::JSPromiseDeferred::create):
        (JSC::JSPromiseDeferred::finishCreation):
        (JSC::newPromiseCapability): Deleted.
        * runtime/JSPromiseDeferred.h:
        (JSC::JSPromiseDeferred::promise const):
        (JSC::JSPromiseDeferred::resolve const):
        (JSC::JSPromiseDeferred::reject const):

2018-09-21  Truitt Savell

        Rebaseline tests after changes in https://trac.webkit.org/changeset/236321/webkit
        https://bugs.webkit.org/show_bug.cgi?id=156674

        Unreviewed Test Gardening

        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:

2018-09-21  Mike Gorse

        Build tools should work when the /usr/bin/python is python3
        https://bugs.webkit.org/show_bug.cgi?id=156674

        Reviewed by Michael Catanzaro.

        * Scripts/cssmin.py:
        * Scripts/generate-js-builtins.py:
        (do_open):
        (generate_bindings_for_builtins_files):
        * Scripts/generateIntlCanonicalizeLanguage.py:
        * Scripts/jsmin.py:
        (JavascriptMinify.minify.write):
        (JavascriptMinify):
        (JavascriptMinify.minify):
        * Scripts/make-js-file-arrays.py:
        (chunk):
        (main):
        * Scripts/wkbuiltins/__init__.py:
        * Scripts/wkbuiltins/builtins_generate_combined_header.py:
        (generate_section_for_global_private_code_name_macro):
        * Scripts/wkbuiltins/builtins_generate_internals_wrapper_header.py:
        (BuiltinsInternalsWrapperHeaderGenerator.__init__):
        * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:
        (BuiltinsInternalsWrapperImplementationGenerator.__init__):
        * Scripts/wkbuiltins/builtins_model.py:
        (BuiltinFunction.__lt__):
        (BuiltinsCollection.copyrights):
        (BuiltinsCollection._parse_functions):
        * disassembler/udis86/ud_opcode.py:
        (UdOpcodeTables.pprint.printWalk):
        * generate-bytecode-files:
        * inspector/scripts/codegen/__init__.py:
        * inspector/scripts/codegen/cpp_generator.py:
        * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
        (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator.domains_to_generate):
        (CppBackendDispatcherHeaderGenerator.generate_output):
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.domains_to_generate):
        (CppBackendDispatcherImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
        (CppFrontendDispatcherImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.generate_output):
        (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator.generate_output):
        (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
        (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods):
        (CppProtocolTypesImplementationGenerator._generate_open_field_names):
        (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
        (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
        * inspector/scripts/codegen/generate_js_backend_commands.py:
        (JSBackendCommandsGenerator.should_generate_domain):
        (JSBackendCommandsGenerator.domains_to_generate):
        (JSBackendCommandsGenerator.generate_output):
        (JSBackendCommandsGenerator.generate_domain):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
        (ObjCBackendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_configuration_header.py:
        * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator.generate_output):
        (ObjCHeaderGenerator._generate_type_interface):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
        (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
        (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
        (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
        * inspector/scripts/codegen/generator.py:
        (Generator.non_supplemental_domains):
        (Generator.open_fields):
        (Generator.calculate_types_requiring_shape_assertions):
        (Generator._traverse_and_assign_enum_values):
        (Generator.stylized_name_for_enum_value):
        * inspector/scripts/codegen/models.py:
        (find_duplicates):
        * inspector/scripts/codegen/objc_generator.py:
        * wasm/generateWasm.py:
        (opcodeIterator):
        * yarr/generateYarrCanonicalizeUnicode:
        * yarr/generateYarrUnicodePropertyTables.py:
        * yarr/hasher.py:
        (stringHash):

2018-09-21  Tomas Popela

        [ARM] Build broken on armv7hl after r235517
        https://bugs.webkit.org/show_bug.cgi?id=189831

        Reviewed by Yusuke Suzuki.

        Add missing implementation of patchableBranch8() for traditional ARM.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::patchableBranch8):

2018-09-20  Ryan Haddad

        Unreviewed, rolling out r236293.

        Internal build still broken.

        Reverted changeset:

        "Add functions to measure memory footprint to JSC"
        https://bugs.webkit.org/show_bug.cgi?id=189768
        https://trac.webkit.org/changeset/236293

2018-09-20  Yusuke Suzuki

        [JSC] Heap::reportExtraMemoryVisited shows contention if we have many JSString
        https://bugs.webkit.org/show_bug.cgi?id=189558

        Reviewed by Mark Lam.

        When running the web-tooling-benchmark postcss test on the Linux JSCOnly port, we get the following
        result in `perf report`.

            10.95%  AutomaticThread  libJavaScriptCore.so.1.0.0  [.] JSC::Heap::reportExtraMemoryVisited

        This is because postcss produces a bunch of JSStrings, which require reportExtraMemoryVisited calls in
        JSString::visitChildren. And since reportExtraMemoryVisited attempts to update an atomic counter, if we
        have a bunch of marking threads, it becomes super contended.

        This patch reduces the frequency of updating the atomic counter. Each SlotVisitor has a per-SlotVisitor
        m_extraMemorySize counter. And we propagate this value to the global atomic counter when a rebalance
        happens. We also reduce HeapCell::heap() access by using `vm.heap`.

        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::propagateExternalMemoryVisitedIfNecessary):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::performIncrementOfDraining):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryVisited):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):
        (JSC::JSRopeString::resolveRope const):
        * runtime/JSString.h:
        (JSC::JSString::finishCreation):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finishCreation):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::finishCreation):

2018-09-20  Michael Saboff

        Add functions to measure memory footprint to JSC
        https://bugs.webkit.org/show_bug.cgi?id=189768

        Reviewed by Saam Barati.

        Rolling this back in.

        Provide system memory metrics for the current process to aid in memory reduction measurement and
        tuning using native JS tests.

        * jsc.cpp:
        (MemoryFootprint::now):
        (MemoryFootprint::resetPeak):
        (GlobalObject::finishCreation):
        (JSCMemoryFootprint::JSCMemoryFootprint):
        (JSCMemoryFootprint::createStructure):
        (JSCMemoryFootprint::create):
        (JSCMemoryFootprint::finishCreation):
        (JSCMemoryFootprint::addProperty):
        (functionResetMemoryPeak):

2018-09-20  Ryan Haddad

        Unreviewed, rolling out r236235.

        Breaks internal builds.

        Reverted changeset:

        "Add functions to measure memory footprint to JSC"
        https://bugs.webkit.org/show_bug.cgi?id=189768
        https://trac.webkit.org/changeset/236235

2018-09-20  Fujii Hironori

        [Win][Clang] JITMathIC.h: error: missing 'template' keyword prior to dependent template name 'retagged'
        https://bugs.webkit.org/show_bug.cgi?id=189730

        Reviewed by Saam Barati.

        Clang for Windows can't compile the workaround for the MSVC quirk in generateOutOfLine.

        * jit/JITMathIC.h:
        (generateOutOfLine): Append "&& !COMPILER(CLANG)" to "#if COMPILER(MSVC)".

2018-09-19  Yusuke Suzuki

        [JSC] Optimize Array#indexOf in C++ runtime
        https://bugs.webkit.org/show_bug.cgi?id=189507

        Reviewed by Saam Barati.

        The C++ Array#indexOf runtime function takes so much time in the babylon benchmark in
        web-tooling-benchmark. While our DFG and FTL have an Array#indexOf optimization and it is actually
        working well, C++ Array#indexOf is called a significant number of times before tiering up, and it
        takes 6.74% of jsc main thread samples according to the perf command on Linux. This is because C++
        Array#indexOf is too generic and misses the chance to optimize JSArray cases.

        This patch adds a JSArray fast path for Array#indexOf. If we know that indexed access to the given
        JSArray is non-observable and the indexing type is good for the fast path, we go to the fast path.
        This makes the sampling of Array#indexOf 3.83% in the babylon web-tooling-benchmark.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncIndexOf):
        * runtime/JSArray.h:
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::canDoFastIndexedAccess):
        (JSC::toLength):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::JSValue):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectInlines.h:
        (JSC::JSGlobalObject::isArrayPrototypeIndexedAccessFastAndNonObservable):
        (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
        * runtime/MathCommon.h:
        (JSC::canBeStrictInt32):
        (JSC::canBeInt32):

2018-09-19  Michael Saboff

        Add functions to measure memory footprint to JSC
        https://bugs.webkit.org/show_bug.cgi?id=189768

        Reviewed by Saam Barati.

        Provide system memory metrics for the current process to aid in memory reduction measurement and
        tuning using native JS tests.

        * jsc.cpp:
        (MemoryFootprint::now):
        (MemoryFootprint::resetPeak):
        (GlobalObject::finishCreation):
        (JSCMemoryFootprint::JSCMemoryFootprint):
        (JSCMemoryFootprint::createStructure):
        (JSCMemoryFootprint::create):
        (JSCMemoryFootprint::finishCreation):
        (JSCMemoryFootprint::addProperty):
        (functionResetMemoryPeak):

2018-09-19  Saam barati

        CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code
        https://bugs.webkit.org/show_bug.cgi?id=189703

        Reviewed by Mark Lam.

        This fixes a crash that a TypeProfiler change revealed.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2018-09-19  Saam barati

        AI rule for MultiPutByOffset executes its effects in the wrong order
        https://bugs.webkit.org/show_bug.cgi?id=189757

        Reviewed by Michael Saboff.

        The AI rule for MultiPutByOffset was executing effects in the wrong order. It first executed the
        transition effects and the effects on the base, and then executed the filtering effects on the value
        being stored. However, you can end up with the wrong type when the base and the value being stored
        are the same. E.g., in a program like `o.f = o`. These effects need to happen in the opposite order,
        modeling what happens in the runtime execution of MultiPutByOffset.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter::executeEffects):

2018-09-18  Mark Lam

        Ensure that ForInContexts are invalidated if their loop local is over-written.
        https://bugs.webkit.org/show_bug.cgi?id=189571

        Reviewed by Saam Barati.

        Instead of hunting down every place in the BytecodeGenerator that potentially needs to invalidate an
        enclosing ForInContext (if one exists), we simply iterate the bytecode range of the loop body when the
        ForInContext is popped, and invalidate the context if we ever find the loop temp variable over-written.

        This has 2 benefits:
        1. It ensures that every type of opcode that can write to the loop temp will be handled appropriately,
           not just the op_mov that we've hunted down.
        2. It avoids us having to check the BytecodeGenerator's m_forInContextStack every time we emit an
           op_mov (or other opcodes that can write to a local) even when we're not inside a for-in loop.

        JSC benchmarks show that this change is performance neutral.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::popIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        (JSC::BytecodeGenerator::popStructureForInScope):
        (JSC::ForInContext::finalize):
        (JSC::StructureForInContext::finalize):
        (JSC::IndexedForInContext::finalize):
        (JSC::BytecodeGenerator::invalidateForInContextForLocal): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::ForInContext::bodyBytecodeStartOffset const):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::EmptyLetExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::bindValue const):
        (JSC::AssignmentElementNode::bindValue const):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-09-17  Devin Rousso

        Web Inspector: generate CSSKeywordCompletions from backend values
        https://bugs.webkit.org/show_bug.cgi?id=189041

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/CSS.json:
        Include an optional `aliases` array and `inherited` boolean for `CSSPropertyInfo`.

2018-09-17  Saam barati

        We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
        https://bugs.webkit.org/show_bug.cgi?id=189676

        Reviewed by Michael Saboff.

        Because the incoming value may be TDZ, CheckStructure may end up crashing. Since the Type Profile does
        not currently record TDZ values in any of its data structures, this is not a semantic change in how it
        will show you data. It just fixes crashes when we emit a CheckStructure and the incoming value is TDZ.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToCheckStructureOrEmpty):

2018-09-17  Darin Adler

        Use OpaqueJSString rather than JSRetainPtr inside WebKit
        https://bugs.webkit.org/show_bug.cgi?id=189652

        Reviewed by Saam Barati.

        * API/JSCallbackObjectFunctions.h: Removed an unneeded include of JSStringRef.h.

        * API/JSContext.mm:
        (-[JSContext evaluateScript:withSourceURL:]): Use OpaqueJSString::create rather than
        JSStringCreateWithCFString, simplifying the code and also obviating the need for explicit
        JSStringRelease.
        (-[JSContext setName:]): Ditto.

        * API/JSStringRef.cpp:
        (JSStringIsEqualToUTF8CString): Use adoptRef rather than explicit JSStringRelease. It seems that
        additional optimization is possible, obviating the need to allocate an OpaqueJSString, but that's
        true almost everywhere else in this patch, too.

        * API/JSValue.mm:
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Use OpaqueJSString::create
        and adoptRef as appropriate.
        (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Ditto.
        (performPropertyOperation): Ditto.
        (-[JSValue invokeMethod:withArguments:]): Ditto.
        (valueToObjectWithoutCopy): Ditto.
        (containerValueToObject): Ditto.
        (valueToString): Ditto.
        (objectToValueWithoutCopy): Ditto.
        (objectToValue): Ditto.

2018-09-08  Darin Adler

        Streamline JSRetainPtr, fix leaks of JSString and JSGlobalContext
        https://bugs.webkit.org/show_bug.cgi?id=189455

        Reviewed by Keith Miller.

        * API/JSObjectRef.cpp:
        (OpaqueJSPropertyNameArray): Use Ref instead of JSRetainPtr.
        (JSObjectCopyPropertyNames): Remove now-unneeded use of leakRef and adopt constructor.
        (JSPropertyNameArrayGetNameAtIndex): Use ptr() instead of get() since the array elements are now Ref.

        * API/JSRetainPtr.h: While JSRetainPtr is written as a template, it only works for two specific
        unrelated types, JSStringRef and JSGlobalContextRef.
        Simplified the default constructor using data member initialization. Prepared to make the adopt
        constructor private (got everything compiling that way, then made it public again so that Apple
        internal software will still build). Got rid of unneeded templated constructor and assignment
        operator, since it's not relevant since there is no inheritance between JSRetainPtr template types.
        Added WARN_UNUSED_RETURN to leakRef as in RefPtr and RetainPtr. Added move constructor and move
        assignment operator for slightly better performance. Simplified implementations of various member
        functions so they are more obviously correct, by using leakPtr in more of them and using
        std::exchange to make the flow of values more obvious.

        * API/JSValue.mm:
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Added a missing JSStringRelease to fix
        a leak.

        * API/tests/CustomGlobalObjectClassTest.c:
        (customGlobalObjectClassTest): Added a JSGlobalContextRelease to fix a leak.
        (globalObjectSetPrototypeTest): Ditto.
        (globalObjectPrivatePropertyTest): Ditto.

        * API/tests/ExecutionTimeLimitTest.cpp:
        (testResetAfterTimeout): Added a call to JSStringRelease to fix a leak.
        (testExecutionTimeLimit): Ditto, lots more.

        * API/tests/FunctionOverridesTest.cpp:
        (testFunctionOverrides): Added a call to JSStringRelease to fix a leak.

        * API/tests/JSObjectGetProxyTargetTest.cpp:
        (testJSObjectGetProxyTarget): Added a call to JSGlobalContextRelease to fix a leak.

        * API/tests/PingPongStackOverflowTest.cpp:
        (testPingPongStackOverflow): Added calls to JSGlobalContextRelease and JSStringRelease to fix leaks.

        * API/tests/testapi.c:
        (throwException): Added. Helper function for repeated idiom where we want to throw an exception,
        but with additional JSStringRelease calls so we don't have to leak just to keep the code simpler
        to read.
        (MyObject_getProperty): Use throwException.
        (MyObject_setProperty): Ditto.
        (MyObject_deleteProperty): Ditto.
        (isValueEqualToString): Added.
        Helper function for an idiom where we check if something is a string and then if it's equal to a
        particular string constant, but a version that has an additional JSStringRelease call so we don't
        have to leak just to keep the code simpler to read.
        (MyObject_callAsFunction): Use isValueEqualToString and throwException.
        (MyObject_callAsConstructor): Ditto.
        (MyObject_hasInstance): Ditto.
        (globalContextNameTest): Added a JSGlobalContextRelease to fix a leak.
        (testMarkingConstraintsAndHeapFinalizers): Ditto.

2018-09-14  Saam barati

        Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that
        is already freed
        https://bugs.webkit.org/show_bug.cgi?id=189628

        Reviewed by Mark Lam.

        An Availability may point to a Node. And that Node may be removed from the graph, e.g., it's freed
        and its memory is no longer owned by Graph. This patch makes it so we no longer dump this metadata
        by default. If this metadata is interesting to you, you'll need to go in and change Graph::dump to
        dump the needed metadata.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2018-09-14  Mark Lam

        Refactor some ForInContext code for better encapsulation.
        https://bugs.webkit.org/show_bug.cgi?id=189626

        Reviewed by Keith Miller.

        1. Add a ForInContext::m_type field to store the context type. This does not increase the class
           size, but eliminates the need for a virtual call to get the type.

           Note: we still need a virtual destructor because we'll be mingling IndexedForInContexts and
           StructureForInContexts in the BytecodeGenerator::m_forInContextStack.

        2. Add ForInContext::isIndexedForInContext() and ForInContext::isStructureForInContext()
           convenience methods.

        3. Add ForInContext::asIndexedForInContext() and ForInContext::asStructureForInContext() to do the
           casting to the subclass types. This ensures that we'll properly assert that the casting is legal.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::popIndexedForInScope):
        (JSC::BytecodeGenerator::popStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::type const):
        (JSC::ForInContext::isIndexedForInContext const):
        (JSC::ForInContext::isStructureForInContext const):
        (JSC::ForInContext::asIndexedForInContext):
        (JSC::ForInContext::asStructureForInContext):
        (JSC::ForInContext::ForInContext):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        (JSC::ForInContext::~ForInContext): Deleted.

2018-09-14  Devin Rousso

        Web Inspector: Record actions performed on ImageBitmapRenderingContext
        https://bugs.webkit.org/show_bug.cgi?id=181341

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Recording.json:
        * inspector/scripts/codegen/generator.py:

2018-09-14  Mike Gorse

        builtins directory causes name conflict on Python 3
        https://bugs.webkit.org/show_bug.cgi?id=189552

        Reviewed by Michael Catanzaro.

        * CMakeLists.txt: builtins -> wkbuiltins.
        * DerivedSources.make: builtins -> wkbuiltins.
        * Scripts/generate-js-builtins.py: import wkbuiltins, rather than builtins.
        * Scripts/wkbuiltins/__init__.py: Renamed from Source/JavaScriptCore/Scripts/builtins/__init__.py.
        * Scripts/wkbuiltins/builtins_generate_combined_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_combined_header.py.
        * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_internals_wrapper_implementation.py.
        * Scripts/wkbuiltins/builtins_generate_separate_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_header.py.
        * Scripts/wkbuiltins/builtins_generate_separate_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_implementation.py.
        * Scripts/wkbuiltins/builtins_generate_wrapper_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_header.py.
        * Scripts/wkbuiltins/builtins_generate_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_implementation.py.
        * Scripts/wkbuiltins/builtins_generator.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generator.py.
        * Scripts/wkbuiltins/builtins_model.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_model.py.
        * Scripts/wkbuiltins/builtins_templates.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_templates.py.
        * Scripts/wkbuiltins/wkbuiltins.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins.py.
        * JavaScriptCore.xcodeproj/project.pbxproj: Update for the renaming.

2018-09-13  Yusuke Suzuki

        [WebAssembly] Inline WasmContext accessor functions
        https://bugs.webkit.org/show_bug.cgi?id=189416

        Reviewed by Saam Barati.

        WasmContext accessor functions are very small while they reside in the critical path of the JS to
        Wasm function call. This patch makes them inline to improve performance. This change improves a
        small benchmark (calling a JS to Wasm function 1e7 times) from 320ms to 270ms.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * interpreter/CallFrame.cpp:
        * jit/AssemblyHelpers.cpp:
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmContextInlines.h: Renamed from Source/JavaScriptCore/wasm/WasmContext.cpp.
        (JSC::Wasm::Context::useFastTLS):
        (JSC::Wasm::Context::load const):
        (JSC::Wasm::Context::store):
        * wasm/WasmMemoryInformation.cpp:
        * wasm/WasmModuleParser.cpp: Include due to changes of unified source combinations.
        * wasm/js/JSToWasm.cpp:
        * wasm/js/WebAssemblyFunction.cpp:

2018-09-12  David Kilzer

        Move JavaScriptCore files to match Xcode project hierarchy

        Reviewed by Filip Pizlo.

        * API/JSAPIValueWrapper.cpp: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.cpp.
        * API/JSAPIValueWrapper.h: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.h.
        * CMakeLists.txt: Update for new path to generateYarrUnicodePropertyTables.py, hasher.py and
        JSAPIValueWrapper.h.
        * DerivedSources.make: Ditto. Add missing dependency on hasher.py captured by CMakeLists.txt.
        * JavaScriptCore.xcodeproj/project.pbxproj: Update for new file reference paths. Add hasher.py
        library to project.
        * Sources.txt: Update for new path to JSAPIValueWrapper.cpp.
        * runtime/JSImmutableButterfly.h: Add missing includes after changes to Sources.txt and
        regenerating unified sources.
        * runtime/RuntimeType.h: Ditto.
        * yarr/generateYarrUnicodePropertyTables.py: Rename from Source/JavaScriptCore/Scripts/generateYarrUnicodePropertyTables.py.
        * yarr/hasher.py: Rename from Source/JavaScriptCore/Scripts/hasher.py.

2018-09-12  David Kilzer

        Let Xcode have its way with the JavaScriptCore project

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-09-12  Guillaume Emont

        Add IGNORE_WARNING_.* macros
        https://bugs.webkit.org/show_bug.cgi?id=188996

        Reviewed by Michael Catanzaro.

        * API/JSCallbackObject.h:
        * API/tests/testapi.c:
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * b3/B3LowerToAir.cpp:
        * b3/B3Opcode.cpp:
        * b3/B3Type.h:
        * b3/B3TypeMap.h:
        * b3/B3Width.h:
        * b3/air/AirArg.cpp:
        * b3/air/AirArg.h:
        * b3/air/AirCode.h:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * dfg/DFGSpeculativeJIT64.cpp:
        * ftl/FTLOutput.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::calculatePokeOffset):
        * llint/LLIntData.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::slowPathLogF):
        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::canonicalizePaths):
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSGenericTypedArrayViewConstructor.h:
        * runtime/JSGenericTypedArrayViewPrototype.h:
        * runtime/Options.cpp:
        (JSC::Options::setAliasedOption):
        * tools/CodeProfiling.cpp:
        * wasm/WasmSections.h:
        * wasm/generateWasmValidateInlinesHeader.py:

== Rolled over to ChangeLog-2018-09-11 ==