4dcf16a4470fb9a46f998e5a3d8cbceb3dd4171e
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-08-24  Michael Saboff  <msaboff@apple.com>
2
3         YARR: Update UCS canonicalization tables for Unicode 11
4         https://bugs.webkit.org/show_bug.cgi?id=188928
5
6         Reviewed by Mark Lam.
7
8         Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js.
9
10         This passes JavaScriptCore and test262 tests.
11
12         * yarr/YarrCanonicalizeUCS2.cpp:
13         * yarr/YarrCanonicalizeUCS2.js:
14         (printHeader):
15
16 2018-08-24  Michael Saboff  <msaboff@apple.com>
17
18         YARR: JIT RegExps with non-greedy parenthesized sub patterns
19         https://bugs.webkit.org/show_bug.cgi?id=180876
20
21         Reviewed by Filip Pizlo.
22
23         Implemented the non-greedy nested parentheses based on the prior greedy nested parentheses work.
24         For the matching code, the greedy path was correct except that we don't try matching for the
25         non-greedy case.  Added a jump out to the term after the parenthesis and a label to perform the
26         first / next match when we backtrack.  The backtracking code needs to check to see if we have
27         tried the first match or if we can do another match.
28
29         Updated the disassembly annotations to include parenthesis capturing info, quantifier type and
30         count.  Did other minor cleanup as well.
31
32         Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()".
33
34         Updated the text in some comments, both for this change as well as accuracy for existing code.
35
36         * yarr/YarrJIT.cpp:
37         (JSC::Yarr::YarrGenerator::generate):
38         (JSC::Yarr::YarrGenerator::backtrack):
39         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
40         (JSC::Yarr::YarrGenerator::compile):
41         (JSC::Yarr::dumpCompileFailure):
42         (JSC::Yarr::jitCompile):
43         * yarr/YarrJIT.h:
44         (JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer):
45         (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted.
46
47 2018-08-23  Simon Fraser  <simon.fraser@apple.com>
48
49         Add support for dumping GC heap snapshots, and a viewer
50         https://bugs.webkit.org/show_bug.cgi?id=186416
51
52         Reviewed by Joseph Pecoraro.
53
54         Make a way to dump information about the GC heap that is useful for looking for leaked
55         or abandoned objects. This dump is obtained (on Apple platforms) via:
56             notifyutil -p com.apple.WebKit.dumpGCHeap
57         which writes a JSON file to /tmp that can then be loaded into the viewer in Tools/GCHeapInspector.
58         
59         This leverages the heap snapshot used by Web Inspector, adding an alternate format for
60         the snapshot JSON that adds additional data about objects and why they are GC roots.
61
62         SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows
63         the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. For
64         objects visited via opaque roots, we record the reason why via a new out param to
65         isReachableFromOpaqueRoots().
66
67         HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains
68         additional information including the address of the JSCell* and the wrapped object (for
69         JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can
70         be the document URL.
71
72         GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around).
73
74         * API/JSAPIWrapperObject.mm:
75         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
76         * API/JSManagedValue.mm:
77         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
78         * API/glib/JSAPIWrapperObjectGLib.cpp:
79         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
80         * CMakeLists.txt:
81         * heap/ConservativeRoots.h:
82         (JSC::ConservativeRoots::size const):
83         (JSC::ConservativeRoots::size): Deleted.
84         * heap/Heap.cpp:
85         (JSC::Heap::addCoreConstraints):
86         * heap/HeapSnapshotBuilder.cpp:
87         (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
88         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
89         (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
90         (JSC::HeapSnapshotBuilder::buildSnapshot):
91         (JSC::HeapSnapshotBuilder::appendNode):
92         (JSC::HeapSnapshotBuilder::appendEdge):
93         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
94         (JSC::HeapSnapshotBuilder::setWrappedObjectForCell):
95         (JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell):
96         (JSC::snapshotTypeToString):
97         (JSC::rootTypeToString):
98         (JSC::HeapSnapshotBuilder::setLabelForCell):
99         (JSC::HeapSnapshotBuilder::descriptionForCell const):
100         (JSC::HeapSnapshotBuilder::json):
101         (JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted.
102         * heap/HeapSnapshotBuilder.h:
103         * heap/SlotVisitor.cpp:
104         (JSC::SlotVisitor::appendSlow):
105         * heap/SlotVisitor.h:
106         (JSC::SlotVisitor::heapSnapshotBuilder const):
107         (JSC::SlotVisitor::rootMarkReason const):
108         (JSC::SlotVisitor::setRootMarkReason):
109         (JSC::SetRootMarkReasonScope::SetRootMarkReasonScope):
110         (JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope):
111         * heap/WeakBlock.cpp:
112         (JSC::WeakBlock::specializedVisit):
113         * heap/WeakHandleOwner.cpp:
114         (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
115         * heap/WeakHandleOwner.h:
116         * runtime/SimpleTypedArrayController.cpp:
117         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
118         * runtime/SimpleTypedArrayController.h:
119         * tools/JSDollarVM.cpp:
120
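The root-reason bookkeeping described in this entry, as an added example that is not WebKit code: a SlotVisitor-style object carries a current RootMarkReason, an RAII scope sets it for one marking phase and restores the previous value on exit, and a snapshot builder records the reason under which each cell was first reached. The enum members, CellId, and the builder's API are assumptions for the example; only the scope/restore pattern mirrors the entry.

```cpp
// Added example (not WebKit code): a SlotVisitor-style RAII scope that records why
// each cell was treated as a GC root while a snapshot is being built.
#include <cassert>
#include <cstdint>
#include <map>
#include <string>

using CellId = uintptr_t; // hypothetical stand-in for JSCell*

// Hypothetical reason set; the real RootMarkReason has other members.
enum class RootMarkReason { None, ConservativeScan, StrongReferences, OpaqueRoots, Weak };

const char* rootReasonToString(RootMarkReason reason) {
    switch (reason) {
    case RootMarkReason::None: return "None";
    case RootMarkReason::ConservativeScan: return "ConservativeScan";
    case RootMarkReason::StrongReferences: return "StrongReferences";
    case RootMarkReason::OpaqueRoots: return "OpaqueRoots";
    case RootMarkReason::Weak: return "Weak";
    }
    return "None";
}

// Hypothetical builder: remembers the first reason under which a cell became a root.
class HeapSnapshotBuilder {
public:
    void recordRoot(CellId cell, RootMarkReason reason) {
        reasons_.emplace(cell, reason); // emplace keeps the first reason recorded
    }
    RootMarkReason reasonFor(CellId cell) const {
        std::map<CellId, RootMarkReason>::const_iterator it = reasons_.find(cell);
        return it == reasons_.end() ? RootMarkReason::None : it->second;
    }
private:
    std::map<CellId, RootMarkReason> reasons_;
};

class SlotVisitor {
public:
    explicit SlotVisitor(HeapSnapshotBuilder* builder) : builder_(builder) {}
    RootMarkReason rootMarkReason() const { return reason_; }
    void setRootMarkReason(RootMarkReason reason) { reason_ = reason; }

    // Mark a root cell; while a snapshot is being built, record the active reason.
    void appendRoot(CellId cell) {
        if (builder_ && reason_ != RootMarkReason::None)
            builder_->recordRoot(cell, reason_);
    }
private:
    HeapSnapshotBuilder* builder_;
    RootMarkReason reason_ = RootMarkReason::None;
};

// RAII scope: sets the reason for its lifetime and restores the previous one, so a
// nested marking phase cannot leak its reason into the phase that encloses it.
class SetRootMarkReasonScope {
public:
    SetRootMarkReasonScope(SlotVisitor& visitor, RootMarkReason reason)
        : visitor_(visitor), previous_(visitor.rootMarkReason()) {
        visitor_.setRootMarkReason(reason);
    }
    ~SetRootMarkReasonScope() { visitor_.setRootMarkReason(previous_); }
    SetRootMarkReasonScope(const SetRootMarkReasonScope&) = delete;
    SetRootMarkReasonScope& operator=(const SetRootMarkReasonScope&) = delete;
private:
    SlotVisitor& visitor_;
    RootMarkReason previous_;
};

// Simulated marking phases over constructed cell ids.
HeapSnapshotBuilder buildSampleSnapshot() {
    HeapSnapshotBuilder builder;
    SlotVisitor visitor(&builder);
    {
        SetRootMarkReasonScope scope(visitor, RootMarkReason::ConservativeScan);
        visitor.appendRoot(0x1000);
        {
            SetRootMarkReasonScope inner(visitor, RootMarkReason::OpaqueRoots);
            visitor.appendRoot(0x2000);
        }
        visitor.appendRoot(0x3000); // ConservativeScan again once the inner scope ends
    }
    visitor.appendRoot(0x4000); // no scope active: not recorded as a root
    return builder;
}
```

The restore in the destructor is what makes nesting safe: a phase that forgets to reset the reason would otherwise mislabel every root visited after it, which is exactly the kind of noise that makes a leak hunt in the snapshot viewer harder.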
121 2018-08-23  Saam barati  <sbarati@apple.com>
122
123         JSRunLoopTimer may run part of a member function after it's destroyed
124         https://bugs.webkit.org/show_bug.cgi?id=188426
125
126         Reviewed by Mark Lam.
127
128         When I was reading the JSRunLoopTimer code, I noticed that it is possible
129         to end up running timer code after the class had been destroyed.
130         
131         The issue I spotted was in this function:
132         ```
133         void JSRunLoopTimer::timerDidFire()
134         {
135             JSLock* apiLock = m_apiLock.get();
136             if (!apiLock) {
137                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
138                 return;
139             }
140             // HERE
141             std::lock_guard<JSLock> lock(*apiLock);
142             RefPtr<VM> vm = apiLock->vm();
143             if (!vm) {
144                 // The VM has been destroyed, so we should just give up.
145                 return;
146             }
147         
148             doWork();
149         }
150         ```
151         
152         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
153         switched before grabbing the API lock. Then, some other thread destroys the VM.
154         And let's say that the VM owns (perhaps transitively) this timer. Then, the
155         timer would run code and access member variables after it was destroyed.
156         
157         This patch fixes this issue by introducing a new timer manager class. 
158         This class manages timers on a per-VM basis. When a timer is scheduled,
159         this class refs the timer. It also calls the timer callback while actively
160         maintaining a +1 ref to it. So, it's no longer possible to call the timer
161         callback after the timer has been destroyed. However, calling a timer callback
162         can still race with the VM being destroyed. We continue to detect this case and
163         bail out of the callback early.
164         
165         This patch also removes a lot of duplicate code between GCActivityCallback
166         and JSRunLoopTimer.
167
168         * heap/EdenGCActivityCallback.cpp:
169         (JSC::EdenGCActivityCallback::doCollection):
170         (JSC::EdenGCActivityCallback::lastGCLength):
171         (JSC::EdenGCActivityCallback::deathRate):
172         * heap/EdenGCActivityCallback.h:
173         * heap/FullGCActivityCallback.cpp:
174         (JSC::FullGCActivityCallback::doCollection):
175         (JSC::FullGCActivityCallback::lastGCLength):
176         (JSC::FullGCActivityCallback::deathRate):
177         * heap/FullGCActivityCallback.h:
178         * heap/GCActivityCallback.cpp:
179         (JSC::GCActivityCallback::doWork):
180         (JSC::GCActivityCallback::scheduleTimer):
181         (JSC::GCActivityCallback::didAllocate):
182         (JSC::GCActivityCallback::willCollect):
183         (JSC::GCActivityCallback::cancel):
184         (JSC::GCActivityCallback::cancelTimer): Deleted.
185         (JSC::GCActivityCallback::nextFireTime): Deleted.
186         * heap/GCActivityCallback.h:
187         * heap/Heap.cpp:
188         (JSC::Heap::reportAbandonedObjectGraph):
189         (JSC::Heap::notifyIncrementalSweeper):
190         (JSC::Heap::updateAllocationLimits):
191         (JSC::Heap::didAllocate):
192         * heap/IncrementalSweeper.cpp:
193         (JSC::IncrementalSweeper::scheduleTimer):
194         (JSC::IncrementalSweeper::doWork):
195         (JSC::IncrementalSweeper::doSweep):
196         (JSC::IncrementalSweeper::sweepNextBlock):
197         (JSC::IncrementalSweeper::startSweeping):
198         (JSC::IncrementalSweeper::stopSweeping):
199         * heap/IncrementalSweeper.h:
200         * heap/StopIfNecessaryTimer.cpp:
201         (JSC::StopIfNecessaryTimer::doWork):
202         (JSC::StopIfNecessaryTimer::scheduleSoon):
203         * heap/StopIfNecessaryTimer.h:
204         * runtime/JSRunLoopTimer.cpp:
205         (JSC::epochTime):
206         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
207         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
208         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
209         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
210         (JSC::JSRunLoopTimer::Manager::timerDidFire):
211         (JSC::JSRunLoopTimer::Manager::shared):
212         (JSC::JSRunLoopTimer::Manager::registerVM):
213         (JSC::JSRunLoopTimer::Manager::unregisterVM):
214         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
215         (JSC::JSRunLoopTimer::Manager::cancelTimer):
216         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
217         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
218         (JSC::JSRunLoopTimer::timerDidFire):
219         (JSC::JSRunLoopTimer::JSRunLoopTimer):
220         (JSC::JSRunLoopTimer::timeUntilFire):
221         (JSC::JSRunLoopTimer::setTimeUntilFire):
222         (JSC::JSRunLoopTimer::cancelTimer):
223         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
224         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
225         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
226         * runtime/JSRunLoopTimer.h:
227         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
228         * runtime/PromiseDeferredTimer.cpp:
229         (JSC::PromiseDeferredTimer::doWork):
230         (JSC::PromiseDeferredTimer::runRunLoop):
231         (JSC::PromiseDeferredTimer::addPendingPromise):
232         (JSC::PromiseDeferredTimer::hasPendingPromise):
233         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
234         (JSC::PromiseDeferredTimer::cancelPendingPromise):
235         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
236         * runtime/PromiseDeferredTimer.h:
237         * runtime/VM.cpp:
238         (JSC::VM::VM):
239         (JSC::VM::~VM):
240         (JSC::VM::setRunLoop):
241         (JSC::VM::registerRunLoopTimer): Deleted.
242         (JSC::VM::unregisterRunLoopTimer): Deleted.
243         * runtime/VM.h:
244         (JSC::VM::runLoop const):
245         * wasm/js/WebAssemblyPrototype.cpp:
246         (JSC::webAssemblyModuleValidateAsyncInternal):
247         (JSC::instantiate):
248         (JSC::compileAndInstantiate):
249         (JSC::webAssemblyModuleInstantinateAsyncInternal):
250         (JSC::webAssemblyCompileStreamingInternal):
251         (JSC::webAssemblyInstantiateStreamingInternal):
252
253 2018-08-23  Mark Lam  <mark.lam@apple.com>
254
255         Move vmEntryGlobalObject() to VM from CallFrame.
256         https://bugs.webkit.org/show_bug.cgi?id=188900
257         <rdar://problem/43655753>
258
259         Reviewed by Michael Saboff.
260
261         Also introduced CallFrame::isGlobalExec() which makes use of one property of
262         GlobalExecs to identify them, i.e. GlobalExecs have null callerFrame and returnPCs.
263         CallFrame::initGlobalExec() ensures this.
264
265         In contrast, normal CallFrames always have a callerFrame (because they must at
266         least be preceded by a VM EntryFrame) and a returnPC (at least return to the
267         VM entry glue).
268
269         * API/APIUtils.h:
270         (handleExceptionIfNeeded):
271         (setException):
272         * API/JSBase.cpp:
273         (JSEvaluateScript):
274         (JSCheckScriptSyntax):
275         * API/JSContextRef.cpp:
276         (JSGlobalContextRetain):
277         (JSGlobalContextRelease):
278         (JSGlobalContextCopyName):
279         (JSGlobalContextSetName):
280         (JSGlobalContextGetRemoteInspectionEnabled):
281         (JSGlobalContextSetRemoteInspectionEnabled):
282         (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
283         (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
284         (JSGlobalContextGetDebuggerRunLoop):
285         (JSGlobalContextSetDebuggerRunLoop):
286         (JSGlobalContextGetAugmentableInspectorController):
287         * API/JSValue.mm:
288         (reportExceptionToInspector):
289         * API/glib/JSCClass.cpp:
290         (jscContextForObject):
291         * API/glib/JSCContext.cpp:
292         (jsc_context_evaluate_in_object):
293         * debugger/Debugger.cpp:
294         (JSC::Debugger::pauseIfNeeded):
295         * debugger/DebuggerCallFrame.cpp:
296         (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
297         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
298         * interpreter/CallFrame.cpp:
299         (JSC::CallFrame::vmEntryGlobalObject): Deleted.
300         * interpreter/CallFrame.h:
301         (JSC::ExecState::scope const):
302         (JSC::ExecState::noCaller):
303         (JSC::ExecState::isGlobalExec const):
304         * interpreter/Interpreter.cpp:
305         (JSC::notifyDebuggerOfUnwinding):
306         (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
307         (JSC::Interpreter::debug):
308         * runtime/CallData.cpp:
309         (JSC::profiledCall):
310         * runtime/Completion.cpp:
311         (JSC::evaluate):
312         (JSC::profiledEvaluate):
313         (JSC::evaluateWithScopeExtension):
314         (JSC::loadAndEvaluateModule):
315         (JSC::loadModule):
316         (JSC::linkAndEvaluateModule):
317         (JSC::importModule):
318         * runtime/ConstructData.cpp:
319         (JSC::profiledConstruct):
320         * runtime/Error.cpp:
321         (JSC::getStackTrace):
322         * runtime/VM.cpp:
323         (JSC::VM::throwException):
324         (JSC::VM::vmEntryGlobalObject const):
325         * runtime/VM.h:
326
327 2018-08-23  Andy Estes  <aestes@apple.com>
328
329         [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
330         https://bugs.webkit.org/show_bug.cgi?id=188829
331
332         Reviewed by Tim Horton.
333
334         * Configurations/FeatureDefines.xcconfig:
335
336 2018-08-23  Devin Rousso  <drousso@apple.com>
337
338         Web Inspector: support breakpoints for timers and animation-frame events
339         https://bugs.webkit.org/show_bug.cgi?id=188778
340
341         Reviewed by Brian Burg.
342
343         * inspector/protocol/Debugger.json:
344         Add `AnimationFrame` and `Timer` types to the list of pause reasons.
345
346         * inspector/protocol/DOMDebugger.json:
347         Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
348          - `setEventListenerBreakpoint`
349          - `removeEventListenerBreakpoint`
350          - `setInstrumentationBreakpoint`
351          - `removeInstrumentationBreakpoint`
352         Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
353
354         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
355         (CppProtocolTypesHeaderGenerator.generate_output):
356         (CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
357         (CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
358         (CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
359         Generate `DefaultHash` for all `enum class` used by inspector protocols.
360
361         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
362         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
363         * inspector/scripts/tests/generic/expected/enum-values.json-result:
364         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
365         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
366         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
367         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
368
369 2018-08-23  Michael Saboff  <msaboff@apple.com>
370
371         YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
372         https://bugs.webkit.org/show_bug.cgi?id=188895
373
374         Reviewed by Mark Lam.
375
376         Found while working on another change.  This will allow processing of nested
377         parentheses that require saved ParenContext structures.
378
379         * yarr/YarrJIT.cpp:
380         (JSC::Yarr::YarrGenerator::compile):
381
382 2018-08-22  Michael Saboff  <msaboff@apple.com>
383
384         https://bugs.webkit.org/show_bug.cgi?id=188859
385         Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
386
387         Rubber-stamped by Saam Barati.
388
389         Deleted these two functions.
390
391         * jit/JITOperations.cpp:
392         * jit/JITOperations.h:
393
394 2018-08-22  Mark Lam  <mark.lam@apple.com>
395
396         The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
397         https://bugs.webkit.org/show_bug.cgi?id=188298
398         <rdar://problem/42888427>
399
400         Reviewed by Saam Barati.
401
402         In the event that both targets of a Branch are the same block, then even if we'll
403         always take one path of the branch, the other target is not unreachable because
404         it is the same target as the one in the taken path.  Hence, it should not be
405         jettisoned.
406
407         * JavaScriptCore.xcodeproj/project.pbxproj:
408         - Added DFGCFG.h which is in use and should have been added to the project.
409         * dfg/DFGCFGSimplificationPhase.cpp:
410         (JSC::DFG::CFGSimplificationPhase::run):
411
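The situation this entry describes, as an added example that is not WebKit code: a Branch whose condition is known is folded into a Jump, and the other successor is jettisoned only if it really lost its last incoming edge. Block, foldBranch and the reachable flag are hypothetical stand-ins for the DFG's BasicBlock, predecessor lists and the phase's jettison step.

```cpp
// Added example (not WebKit code): folding a Branch with a known condition into a
// Jump, and jettisoning the other target only when it really loses its last edge.
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <vector>

struct Block {
    explicit Block(int id_) : id(id_) {}
    int id;
    std::vector<Block*> successors;   // for a Branch: { taken, notTaken }
    std::vector<Block*> predecessors; // one entry per incoming edge
    bool reachable = true;
};

// Turn `block`'s Branch into a Jump to successors[takenIndex].
void foldBranch(Block& block, size_t takenIndex) {
    assert(block.successors.size() == 2 && takenIndex < 2);
    Block* taken = block.successors[takenIndex];
    Block* notTaken = block.successors[1 - takenIndex];
    block.successors.assign(1, taken);

    // The not-taken direction contributed one edge into notTaken; drop exactly one.
    std::vector<Block*>& preds = notTaken->predecessors;
    std::vector<Block*>::iterator it = std::find(preds.begin(), preds.end(), &block);
    if (it != preds.end())
        preds.erase(it);

    // If both directions pointed at the same block, that block is still the Jump
    // target: it is reachable and must not be jettisoned, whatever the predecessor
    // bookkeeping says. This is the case the entry describes.
    if (notTaken == taken)
        return;

    if (preds.empty())
        notTaken->reachable = false; // genuinely unreachable now: safe to jettison
}

// Branch whose two targets are the same block: folding keeps it alive.
bool sameTargetSurvives() {
    Block a(1), b(2);
    a.successors = { &b, &b };
    b.predecessors = { &a, &a };
    foldBranch(a, 0);
    return b.reachable && a.successors.size() == 1 && a.successors[0] == &b
        && b.predecessors.size() == 1;
}

// Control case: distinct targets, the not-taken block loses its only predecessor.
bool distinctTargetJettisoned() {
    Block a(1), b(2), c(3);
    a.successors = { &b, &c };
    b.predecessors = { &a };
    c.predecessors = { &a };
    foldBranch(a, 0);
    return b.reachable && !c.reachable && c.predecessors.empty();
}
```

The explicit `notTaken == taken` check matters even with per-edge predecessor lists: a phase that deduplicates predecessors, or that decides reachability from "the not-taken edge went away" rather than from the remaining edges, would jettison a block that the Jump it just emitted still targets, and later passes would then be compiling against a CFG that lies about what is live.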
412 2018-08-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
413
414         [JSC] HeapUtil should care about pointer overflow
415         https://bugs.webkit.org/show_bug.cgi?id=188740
416
417         Reviewed by Saam Barati.
418
419         `pointer - sizeof(IndexingHeader) - 1` causes undefined behavior if the pointer overflows.
420         For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
421         with a `char*` pointer, we cast it to `uintptr_t` temporarily. This issue was found by UBSan.
422
423         * heap/HeapUtil.h:
424         (JSC::HeapUtil::findGCObjectPointersForMarking):
425
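The overflow-safe form of the computation this entry describes, as an added example that is not WebKit code: the candidate addresses for a conservatively scanned word are derived with uintptr_t arithmetic and an explicit wrap check, so a null or near-null word can no longer produce the char* arithmetic UBSan flagged. The header size, the second-candidate rule and FakeHeapRange are assumptions for the example; why JSC probes that particular offset is a heap-layout detail the entry does not cover.

```cpp
// Added example (not WebKit code): conservative-scan candidate computation done on
// uintptr_t instead of char*, so a null or near-null word cannot overflow.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr uintptr_t kIndexingHeaderSize = 8; // assumed; sizeof(IndexingHeader) in the real code

// Constructed stand-in for "is this address inside a marked block".
struct FakeHeapRange {
    uintptr_t begin;
    uintptr_t end; // exclusive
    bool contains(uintptr_t address) const { return address >= begin && address < end; }
};

// Before: `static_cast<char*>(word) - kIndexingHeaderSize - 1` is undefined behaviour
// when `word` is null or within 9 bytes of address 0, even if the result is never
// dereferenced. After: unsigned arithmetic plus an explicit wrap check.
std::vector<uintptr_t> candidatePointers(const void* word) {
    std::vector<uintptr_t> candidates;
    uintptr_t address = reinterpret_cast<uintptr_t>(word);
    candidates.push_back(address); // the word itself may be a cell pointer

    // The entry's second candidate, `pointer - sizeof(IndexingHeader) - 1`, is only
    // worth probing when the subtraction cannot wrap below zero.
    constexpr uintptr_t interiorOffset = kIndexingHeaderSize + 1;
    if (address >= interiorOffset)
        candidates.push_back(address - interiorOffset);
    return candidates;
}

// How many of the candidates for `word` fall inside the (constructed) heap range.
size_t countCandidatesInHeap(const void* word, const FakeHeapRange& heap) {
    size_t count = 0;
    for (uintptr_t candidate : candidatePointers(word))
        if (heap.contains(candidate))
            ++count;
    return count;
}
```

Note that the wrap check is not only about UBSan noise: with optimisation on, a compiler is entitled to assume the char* subtraction did not wrap and fold away any later comparison that would only be true if it had, which is how an "obviously harmless" pointer computation on a null word turns into a bounds check that silently disappears.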
426 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
427
428         [JSC] Should not rotate constant with 64
429         https://bugs.webkit.org/show_bug.cgi?id=188556
430
431         Reviewed by Saam Barati.
432
433         To defend against JIT splaying, we rotate a constant with a randomly generated seed.
434         But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
435         where value's type is uint64_t, and these cause undefined behavior (UB). This patch limits
436         the seed to the range [1, 63] so as not to generate code causing UB. This was found by UBSan.
437
438         * assembler/MacroAssembler.h:
439         (JSC::MacroAssembler::generateRotationSeed):
440         (JSC::MacroAssembler::rotationBlindConstant):
441
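Constant blinding by rotation with the seed confined to [1, 63], as an added example that is not WebKit code. The rotate is written in the `(value << seed) | (value >> (64 - seed))` form the entry refers to, which is only defined when both shift counts lie in [1, 63]; the round-trip function checks every allowed seed. std::mt19937_64 stands in for the random source and is an assumption of the example: a real blinding implementation must draw the seed from a cryptographically secure generator, since the whole point is that an attacker cannot predict the bytes that land in the code stream.

```cpp
// Added example (not WebKit code): constant blinding by rotation with the seed kept in [1, 63].
#include <cassert>
#include <cstdint>
#include <random>

bool isValidRotationSeed(unsigned seed) { return seed >= 1 && seed <= 63; }

// Maps the generator output to [1, 63]. A seed of 0 or 64 would make the rotates
// below evaluate `value << 64` or `value >> 64` on a uint64_t, which is UB.
uint8_t generateRotationSeed(std::mt19937_64& rng) {
    return static_cast<uint8_t>(rng() % 63 + 1);
}

uint64_t rotateLeft64(uint64_t value, unsigned seed) {
    assert(isValidRotationSeed(seed)); // both shift counts are in [1, 63]
    return (value << seed) | (value >> (64 - seed));
}

uint64_t rotateRight64(uint64_t value, unsigned seed) {
    assert(isValidRotationSeed(seed));
    return (value >> seed) | (value << (64 - seed));
}

struct BlindedConstant { uint64_t rotated; uint8_t seed; };

// What the assembler embeds: the rotated value and the seed, never the raw constant.
BlindedConstant blindConstant(uint64_t value, uint8_t seed) {
    return { rotateLeft64(value, seed), seed };
}

// What the emitted instruction sequence does at run time to recover the constant.
uint64_t unblindConstant(const BlindedConstant& c) {
    return rotateRight64(c.rotated, c.seed);
}

bool roundTripsForAllSeeds(uint64_t value) {
    for (unsigned seed = 1; seed <= 63; ++seed)
        if (unblindConstant(blindConstant(value, static_cast<uint8_t>(seed))) != value)
            return false;
    return true;
}

bool seedsAlwaysInRange(unsigned trials) {
    std::mt19937_64 rng(0x5eedULL); // fixed seed: reproducible for the example only
    for (unsigned i = 0; i < trials; ++i)
        if (!isValidRotationSeed(generateRotationSeed(rng)))
            return false;
    return true;
}
```

A rotate by 0 or by 64 is also a no-op in practice, so even where the compiler happened to emit something sensible for the UB shift, such a seed would have embedded the attacker-chosen constant unrotated, defeating the blinding for that emission.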
442 2018-08-21  Commit Queue  <commit-queue@webkit.org>
443
444         Unreviewed, rolling out r235107.
445         https://bugs.webkit.org/show_bug.cgi?id=188832
446
447         "It revealed bugs in Blob code as well as regressed JS
448         performance tests" (Requested by saamyjoon on #webkit).
449
450         Reverted changeset:
451
452         "JSRunLoopTimer may run part of a member function after it's
453         destroyed"
454         https://bugs.webkit.org/show_bug.cgi?id=188426
455         https://trac.webkit.org/changeset/235107
456
457 2018-08-21  Saam barati  <sbarati@apple.com>
458
459         JSRunLoopTimer may run part of a member function after it's destroyed
460         https://bugs.webkit.org/show_bug.cgi?id=188426
461
462         Reviewed by Mark Lam.
463
464         When I was reading the JSRunLoopTimer code, I noticed that it is possible
465         to end up running timer code after the class had been destroyed.
466         
467         The issue I spotted was in this function:
468         ```
469         void JSRunLoopTimer::timerDidFire()
470         {
471             JSLock* apiLock = m_apiLock.get();
472             if (!apiLock) {
473                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
474                 return;
475             }
476             // HERE
477             std::lock_guard<JSLock> lock(*apiLock);
478             RefPtr<VM> vm = apiLock->vm();
479             if (!vm) {
480                 // The VM has been destroyed, so we should just give up.
481                 return;
482             }
483         
484             doWork();
485         }
486         ```
487         
488         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
489         switched before grabbing the API lock. Then, some other thread destroys the VM.
490         And let's say that the VM owns (perhaps transitively) this timer. Then, the
491         timer would run code and access member variables after it was destroyed.
492         
493         This patch fixes this issue by introducing a new timer manager class. 
494         This class manages timers on a per-VM basis. When a timer is scheduled,
495         this class refs the timer. It also calls the timer callback while actively
496         maintaining a +1 ref to it. So, it's no longer possible to call the timer
497         callback after the timer has been destroyed. However, calling a timer callback
498         can still race with the VM being destroyed. We continue to detect this case and
499         bail out of the callback early.
500         
501         This patch also removes a lot of duplicate code between GCActivityCallback
502         and JSRunLoopTimer.
503
504         * heap/EdenGCActivityCallback.cpp:
505         (JSC::EdenGCActivityCallback::doCollection):
506         (JSC::EdenGCActivityCallback::lastGCLength):
507         (JSC::EdenGCActivityCallback::deathRate):
508         * heap/EdenGCActivityCallback.h:
509         * heap/FullGCActivityCallback.cpp:
510         (JSC::FullGCActivityCallback::doCollection):
511         (JSC::FullGCActivityCallback::lastGCLength):
512         (JSC::FullGCActivityCallback::deathRate):
513         * heap/FullGCActivityCallback.h:
514         * heap/GCActivityCallback.cpp:
515         (JSC::GCActivityCallback::doWork):
516         (JSC::GCActivityCallback::scheduleTimer):
517         (JSC::GCActivityCallback::didAllocate):
518         (JSC::GCActivityCallback::willCollect):
519         (JSC::GCActivityCallback::cancel):
520         (JSC::GCActivityCallback::cancelTimer): Deleted.
521         (JSC::GCActivityCallback::nextFireTime): Deleted.
522         * heap/GCActivityCallback.h:
523         * heap/Heap.cpp:
524         (JSC::Heap::reportAbandonedObjectGraph):
525         (JSC::Heap::notifyIncrementalSweeper):
526         (JSC::Heap::updateAllocationLimits):
527         (JSC::Heap::didAllocate):
528         * heap/IncrementalSweeper.cpp:
529         (JSC::IncrementalSweeper::scheduleTimer):
530         (JSC::IncrementalSweeper::doWork):
531         (JSC::IncrementalSweeper::doSweep):
532         (JSC::IncrementalSweeper::sweepNextBlock):
533         (JSC::IncrementalSweeper::startSweeping):
534         (JSC::IncrementalSweeper::stopSweeping):
535         * heap/IncrementalSweeper.h:
536         * heap/StopIfNecessaryTimer.cpp:
537         (JSC::StopIfNecessaryTimer::doWork):
538         (JSC::StopIfNecessaryTimer::scheduleSoon):
539         * heap/StopIfNecessaryTimer.h:
540         * runtime/JSRunLoopTimer.cpp:
541         (JSC::epochTime):
542         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
543         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
544         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
545         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
546         (JSC::JSRunLoopTimer::Manager::timerDidFire):
547         (JSC::JSRunLoopTimer::Manager::shared):
548         (JSC::JSRunLoopTimer::Manager::registerVM):
549         (JSC::JSRunLoopTimer::Manager::unregisterVM):
550         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
551         (JSC::JSRunLoopTimer::Manager::cancelTimer):
552         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
553         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
554         (JSC::JSRunLoopTimer::timerDidFire):
555         (JSC::JSRunLoopTimer::JSRunLoopTimer):
556         (JSC::JSRunLoopTimer::timeUntilFire):
557         (JSC::JSRunLoopTimer::setTimeUntilFire):
558         (JSC::JSRunLoopTimer::cancelTimer):
559         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
560         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
561         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
562         * runtime/JSRunLoopTimer.h:
563         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
564         * runtime/PromiseDeferredTimer.cpp:
565         (JSC::PromiseDeferredTimer::doWork):
566         (JSC::PromiseDeferredTimer::runRunLoop):
567         (JSC::PromiseDeferredTimer::addPendingPromise):
568         (JSC::PromiseDeferredTimer::hasPendingPromise):
569         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
570         (JSC::PromiseDeferredTimer::cancelPendingPromise):
571         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
572         * runtime/PromiseDeferredTimer.h:
573         * runtime/VM.cpp:
574         (JSC::VM::VM):
575         (JSC::VM::~VM):
576         (JSC::VM::setRunLoop):
577         (JSC::VM::registerRunLoopTimer): Deleted.
578         (JSC::VM::unregisterRunLoopTimer): Deleted.
579         * runtime/VM.h:
580         (JSC::VM::runLoop const):
581         * wasm/js/WebAssemblyPrototype.cpp:
582         (JSC::webAssemblyModuleValidateAsyncInternal):
583         (JSC::instantiate):
584         (JSC::compileAndInstantiate):
585         (JSC::webAssemblyModuleInstantinateAsyncInternal):
586         (JSC::webAssemblyCompileStreamingInternal):
587         (JSC::webAssemblyInstantiateStreamingInternal):
588
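The lifetime fix described in the two "JSRunLoopTimer may run part of a member function after it's destroyed" entries above (the original landing and the relanding after the rollout of r235107), as an added example that is not WebKit code. It serialises the race on one thread: the owner drops its last reference to the timer while the callback is executing, and the manager's +1 ref is what keeps the object alive until the callback returns. std::shared_ptr and std::weak_ptr stand in for WTF's Ref/RefPtr and the API lock's VM pointer, and Timer, TimerManager and VM are hypothetical stand-ins; the cross-thread nature of the real race is not modelled.

```cpp
// Added example (not WebKit code): a timer manager that holds a +1 ref across the
// callback so it can never run on a destroyed timer. shared_ptr/weak_ptr stand in
// for WTF's RefPtr/Ref and for the VM pointer obtained through the API lock.
#include <cassert>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct VM { int workDone = 0; }; // hypothetical VM stand-in

class Timer {
public:
    Timer(std::weak_ptr<VM> vm, std::function<void(VM&)> work)
        : vm_(std::move(vm)), work_(std::move(work)) {}
    ~Timer() { ++destroyed; }

    // Called by the manager, never directly by the run loop. Safe only because the
    // manager holds its own reference to `this` for the duration of the call.
    void timerDidFire() {
        std::shared_ptr<VM> vm = vm_.lock(); // like RefPtr<VM> vm = apiLock->vm()
        if (!vm) {
            ++bailedOut; // VM already destroyed: still possible, detected, bail out early
            return;
        }
        work_(*vm);
    }

    static int destroyed;
    static int bailedOut;

private:
    std::weak_ptr<VM> vm_;
    std::function<void(VM&)> work_;
};
int Timer::destroyed = 0;
int Timer::bailedOut = 0;

// Hypothetical manager: refs every scheduled timer and keeps a +1 ref while calling it.
class TimerManager {
public:
    void scheduleTimer(const std::shared_ptr<Timer>& timer) { scheduled_.push_back(timer); }

    void fireAll() {
        std::vector<std::shared_ptr<Timer>> firing;
        firing.swap(scheduled_); // timers rescheduled from inside a callback land in scheduled_
        for (const std::shared_ptr<Timer>& timer : firing) {
            std::shared_ptr<Timer> protect = timer; // +1 ref held across the callback
            protect->timerDidFire();
        } // `protect` and `firing` die here: any destruction happens after the callback
    }

private:
    std::vector<std::shared_ptr<Timer>> scheduled_;
};

struct FireResult { bool aliveDuringCallback; int destroyedAfter; int workDone; };

// The race from the entry, serialised: the owner drops its last reference to the
// timer while the callback runs. With the manager's ref the body completes and the
// destructor runs only after timerDidFire() has returned.
FireResult ownerReleasesDuringCallback() {
    Timer::destroyed = 0;
    std::shared_ptr<VM> vm = std::make_shared<VM>();
    TimerManager manager;
    std::shared_ptr<Timer> ownerRef; // the owner's (e.g. the VM's) reference
    bool aliveDuring = false;
    ownerRef = std::make_shared<Timer>(vm, [&](VM& v) {
        ownerRef.reset();                      // owner lets go mid-callback
        aliveDuring = (Timer::destroyed == 0); // still alive thanks to `protect`
        ++v.workDone;
    });
    manager.scheduleTimer(ownerRef);
    manager.fireAll();
    return { aliveDuring, Timer::destroyed, vm->workDone };
}

// VM torn down before the timer fires: the callback detects it and does no work.
std::pair<int, int> vmDestroyedBeforeFire() {
    Timer::bailedOut = 0;
    std::shared_ptr<VM> vm = std::make_shared<VM>();
    TimerManager manager;
    int ran = 0;
    manager.scheduleTimer(std::make_shared<Timer>(vm, [&](VM&) { ++ran; }));
    vm.reset(); // VM destroyed; the timer only holds a weak reference to it
    manager.fireAll();
    return std::make_pair(ran, Timer::bailedOut);
}
```

The shape to notice is that the object whose method is running is protected by a reference the caller owns, not by one the object could drop on itself: an object cannot safely guard its own lifetime from inside a member function once the last external reference is gone, which is why the fix lives in the manager rather than in timerDidFire().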
589 2018-08-20  Saam barati  <sbarati@apple.com>
590
591         Inline DataView accesses into DFG/FTL
592         https://bugs.webkit.org/show_bug.cgi?id=188573
593         <rdar://problem/43286746>
594
595         Reviewed by Michael Saboff.
596
597         This patch teaches the DFG/FTL to inline DataView accesses. The approach is
598         straightforward. We inline the various get*/set* operations as intrinsics.
599         
600         This patch takes the most obvious approach for now. We OSR exit when:
601         - An isLittleEndian argument is provided, and is not a boolean.
602         - The index isn't an integer.
603         - The |this| isn't a DataView.
604         - We do an OOB access (or see a neutered array)
605         
606         To implement this change in a performant way, this patch teaches the macro
607         assembler how to emit byte swap operations. The semantics of the added functions
608         are byteSwap + zero extend. This means for the 16-bit byte swaps, we need
609         to actually emit zero extend instructions. For the 32/64-bit byte swaps,
610         the instructions already have these semantics.
611         
612         This patch is just a lightweight initial implementation. There are some easy
613         extensions we can do in future changes:
614         - Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
615         - CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
616
617         * assembler/MacroAssemblerARM64.h:
618         (JSC::MacroAssemblerARM64::byteSwap16):
619         (JSC::MacroAssemblerARM64::byteSwap32):
620         (JSC::MacroAssemblerARM64::byteSwap64):
621         * assembler/MacroAssemblerX86Common.h:
622         (JSC::MacroAssemblerX86Common::byteSwap32):
623         (JSC::MacroAssemblerX86Common::byteSwap16):
624         (JSC::MacroAssemblerX86Common::byteSwap64):
625         * assembler/X86Assembler.h:
626         (JSC::X86Assembler::bswapl_r):
627         (JSC::X86Assembler::bswapq_r):
628         (JSC::X86Assembler::shiftInstruction16):
629         (JSC::X86Assembler::rolw_i8r):
630         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
631         * assembler/testmasm.cpp:
632         (JSC::testByteSwap):
633         (JSC::run):
634         * bytecode/DataFormat.h:
635         * bytecode/SpeculatedType.cpp:
636         (JSC::dumpSpeculation):
637         (JSC::speculationFromClassInfo):
638         (JSC::speculationFromJSType):
639         (JSC::speculationFromString):
640         * bytecode/SpeculatedType.h:
641         * dfg/DFGAbstractInterpreterInlines.h:
642         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
643         * dfg/DFGByteCodeParser.cpp:
644         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
645         * dfg/DFGClobberize.h:
646         (JSC::DFG::clobberize):
647         * dfg/DFGDoesGC.cpp:
648         (JSC::DFG::doesGC):
649         * dfg/DFGFixupPhase.cpp:
650         (JSC::DFG::FixupPhase::fixupNode):
651         * dfg/DFGNode.h:
652         (JSC::DFG::Node::hasHeapPrediction):
653         (JSC::DFG::Node::dataViewData):
654         * dfg/DFGNodeType.h:
655         * dfg/DFGPredictionPropagationPhase.cpp:
656         * dfg/DFGSafeToExecute.h:
657         (JSC::DFG::SafeToExecuteEdge::operator()):
658         (JSC::DFG::safeToExecute):
659         * dfg/DFGSpeculativeJIT.cpp:
660         (JSC::DFG::SpeculativeJIT::speculateDataViewObject):
661         (JSC::DFG::SpeculativeJIT::speculate):
662         * dfg/DFGSpeculativeJIT.h:
663         * dfg/DFGSpeculativeJIT32_64.cpp:
664         (JSC::DFG::SpeculativeJIT::compile):
665         * dfg/DFGSpeculativeJIT64.cpp:
666         (JSC::DFG::SpeculativeJIT::compile):
667         * dfg/DFGUseKind.cpp:
668         (WTF::printInternal):
669         * dfg/DFGUseKind.h:
670         (JSC::DFG::typeFilterFor):
671         (JSC::DFG::isCell):
672         * ftl/FTLCapabilities.cpp:
673         (JSC::FTL::canCompile):
674         * ftl/FTLLowerDFGToB3.cpp:
675         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
676         (JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
677         (JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
678         (JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
679         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
680         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
681         (JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
682         (JSC::FTL::DFG::LowerDFGToB3::speculate):
683         (JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
684         * runtime/Intrinsic.cpp:
685         (JSC::intrinsicName):
686         * runtime/Intrinsic.h:
687         * runtime/JSDataViewPrototype.cpp:
688
689 2018-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
690
691         [YARR] Extend size of fixed characters bulk matching in 64bit platform
692         https://bugs.webkit.org/show_bug.cgi?id=181989
693
694         Reviewed by Michael Saboff.
695
696         This patch extends bulk matching style for fixed-sized characters.
697         In 64bit environment, the GPR can hold up to 8 characters. This change
698         reduces the code size since we can fuse multiple `mov` operations into one.
699
700         * assembler/LinkBuffer.h:
701         * runtime/Options.h:
702         * yarr/YarrJIT.cpp:
703         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
704         (JSC::Yarr::YarrGenerator::compile):
705
706 2018-08-20  Devin Rousso  <drousso@apple.com>
707
708         Web Inspector: allow breakpoints to be set for specific event listeners
709         https://bugs.webkit.org/show_bug.cgi?id=183138
710
711         Reviewed by Joseph Pecoraro.
712
713         * inspector/protocol/DOM.json:
714         Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
715         takes an `eventListenerId` and toggles whether that specific usage of that event listener
716         should have a breakpoint and pause before running.
717
718 2018-08-20  Mark Lam  <mark.lam@apple.com>
719
720         Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
721         https://bugs.webkit.org/show_bug.cgi?id=188769
722
723         Reviewed by Michael Saboff.
724
725         * llint/LowLevelInterpreter.asm:
726         - Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
727           so that libunwind doesn't get confused by the 2 labels pointing to the same
728           code address.
729
730 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
731
732         [GLIB] Add API to throw exceptions using printf formatted strings
733         https://bugs.webkit.org/show_bug.cgi?id=188698
734
735         Reviewed by Michael Catanzaro.
736
737         Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
738         JSCException using printf formatted string.
739
740         * API/glib/JSCContext.cpp:
741         (jsc_context_throw_printf):
742         (jsc_context_throw_with_name_printf):
743         * API/glib/JSCContext.h:
744         * API/glib/JSCException.cpp:
745         (jsc_exception_new_printf):
746         (jsc_exception_new_vprintf):
747         (jsc_exception_new_with_name_printf):
748         (jsc_exception_new_with_name_vprintf):
749         * API/glib/JSCException.h:
750         * API/glib/docs/jsc-glib-4.0-sections.txt:
751
752 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
753
754         [GLIB] Complete the JSCException API
755         https://bugs.webkit.org/show_bug.cgi?id=188695
756
757         Reviewed by Michael Catanzaro.
758
759         Add more API to JSCException:
760          - New function to get the column number
761          - New function get exception as string (toString())
762          - Add the possibility to create exceptions with a custom error name.
763          - New function to get the exception error name
764          - New function to get the exception backtrace.
765          - New convenience function to report an exception by returning a formatted string with all the exception
766            details, to be shown as a user error message.
767
768         * API/glib/JSCContext.cpp:
769         (jsc_context_throw_with_name):
770         * API/glib/JSCContext.h:
771         * API/glib/JSCException.cpp:
772         (jscExceptionEnsureProperties):
773         (jsc_exception_new):
774         (jsc_exception_new_with_name):
775         (jsc_exception_get_name):
776         (jsc_exception_get_column_number):
777         (jsc_exception_get_back_trace_string):
778         (jsc_exception_to_string):
779         (jsc_exception_report):
780         * API/glib/JSCException.h:
781         * API/glib/docs/jsc-glib-4.0-sections.txt:
782
783 2018-08-19  Commit Queue  <commit-queue@webkit.org>
784
785         Unreviewed, rolling out r234852.
786         https://bugs.webkit.org/show_bug.cgi?id=188736
787
788         Workaround is not correct (Requested by yusukesuzuki on
789         #webkit).
790
791         Reverted changeset:
792
793         "[JSC] Should not rotate constant with 64"
794         https://bugs.webkit.org/show_bug.cgi?id=188556
795         https://trac.webkit.org/changeset/234852
796
797 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
798
799         [WTF] Add WTF::unalignedLoad and WTF::unalignedStore
800         https://bugs.webkit.org/show_bug.cgi?id=188716
801
802         Reviewed by Darin Adler.
803
804         Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
805         The compiler can emit appropriate mov operations in x86 even if we use these
806         helper functions.
807
808         * assembler/AssemblerBuffer.h:
809         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
810         (JSC::AssemblerBuffer::putIntegral):
811         (JSC::AssemblerBuffer::putIntegralUnchecked):
812         * assembler/MacroAssemblerX86.h:
813         (JSC::MacroAssemblerX86::readCallTarget):
814         * assembler/X86Assembler.h:
815         (JSC::X86Assembler::linkJump):
816         (JSC::X86Assembler::readPointer):
817         (JSC::X86Assembler::replaceWithHlt):
818         (JSC::X86Assembler::replaceWithJump):
819         (JSC::X86Assembler::setPointer):
820         (JSC::X86Assembler::setInt32):
821         (JSC::X86Assembler::setInt8):
822         * interpreter/InterpreterInlines.h:
823         (JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
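
        Added example, not WTF's implementation: a memcpy-based unalignedLoad/unalignedStore pair, shown
        patching a 32-bit immediate that sits at an odd byte offset inside a constructed x86 `mov eax, imm32`
        encoding (the kind of access X86Assembler::setInt32 performs). The helper names, the sample bytes and
        `misalignment` are the example's own assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <type_traits>

// Hypothetical stand-ins for WTF::unalignedLoad / WTF::unalignedStore.
// memcpy from/to a possibly misaligned address is well-defined C++; the
// compiler lowers the fixed-size copy to an ordinary mov on x86-64.
template<typename T>
static inline T unalignedLoad(const void* pointer)
{
    static_assert(std::is_trivially_copyable<T>::value, "T must be trivially copyable");
    T value;
    std::memcpy(&value, pointer, sizeof(T));
    return value;
}

template<typename T>
static inline void unalignedStore(void* pointer, T value)
{
    static_assert(std::is_trivially_copyable<T>::value, "T must be trivially copyable");
    std::memcpy(pointer, &value, sizeof(T));
}

// Distance of `pointer` above the nearest lower multiple of `alignment`.
static inline size_t misalignment(const void* pointer, size_t alignment)
{
    return reinterpret_cast<uintptr_t>(pointer) % alignment;
}

// Constructed sample: a 5-byte x86 "mov eax, imm32" encoding (opcode 0xB8
// followed by a 4-byte immediate). The immediate starts at byte offset 1, so
// a plain *reinterpret_cast<uint32_t*>(code + 1) would be a misaligned access,
// which is exactly what UBSan reports.
static const size_t kImmediateOffset = 1;

static uint32_t readImmediate(const uint8_t* code)
{
    return unalignedLoad<uint32_t>(code + kImmediateOffset);
}

static void setImmediate(uint8_t* code, uint32_t immediate)
{
    unalignedStore<uint32_t>(code + kImmediateOffset, immediate);
}

// Patch the immediate twice and check that the opcode byte is untouched and
// each value reads back intact, independent of host endianness.
static bool patchRoundTrip()
{
    alignas(4) uint8_t code[5] = { 0xB8, 0, 0, 0, 0 };
    if (misalignment(code + kImmediateOffset, 4) != 1)
        return false; // sanity check: the immediate really is misaligned
    setImmediate(code, 0x11223344u);
    bool ok = code[0] == 0xB8 && readImmediate(code) == 0x11223344u;
    setImmediate(code, 0xDEADBEEFu);
    return ok && code[0] == 0xB8 && readImmediate(code) == 0xDEADBEEFu;
}

int main()
{
    bool ok = patchRoundTrip();
    std::printf("patch round trip: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

        The same memcpy form is what a compiler needs to see in order to keep the access defined; a cast
        through `uint32_t*` may happen to work on x86 but is the undefined behaviour the entry is removing.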
824
825 2018-08-17  Saam barati  <sbarati@apple.com>
826
827         intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
828         https://bugs.webkit.org/show_bug.cgi?id=188707
829         <rdar://problem/43015442>
830
831         Reviewed by Mark Lam.
832
833         We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
834         OSR enter at the head of a block. We verify it's safe to OSR enter by checking
835         that each incoming value is compatible with its corresponding AbstractValue.
836         
837         The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
838         with abstract values that were clobbered. This meant that the value we're
839         verifying with at OSR entry effectively has an infinite structure set because
840         it's clobbered. So, imagine we have code like this:
841         ```
842         ---> We OSR enter here, and we're clobbered here
843         InvalidationPoint
844         GetByOffset(@base)
845         ```
846         
847         The abstract value for @base inside intersectionOfPastValuesAtHead has a
848         clobbered structure set, so we'd allow an incoming object with any
849         structure. However, this is wrong because the invalidation point is no
850         longer fulfilling its promise that it filters the structure that @base has.
851         
852         We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
853         as if the incoming value may be live past an InvalidationPoint.
854         This places a stricter requirement that to safely OSR enter at any basic
855         block, all incoming values must be compatible as if they lived past
856         the execution of an invalidation point.
857
858         * dfg/DFGCFAPhase.cpp:
859         (JSC::DFG::CFAPhase::run):
860
861 2018-08-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org> and Fujii Hironori  <Hironori.Fujii@sony.com>
862
863         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
864         https://bugs.webkit.org/show_bug.cgi?id=188589
865
866         Reviewed by Mark Lam.
867         And reviewed by Yusuke Suzuki for Hironori's change.
868
869         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
870         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
871
872         - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
873         - We make GPRReg and FPRReg int8_t enums.
874         - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` to `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
875         - We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
876           if `enum : int8_t` is used instead of `enum`.
877
878         * assembler/ARM64Assembler.h:
879         * assembler/ARMAssembler.h:
880         * assembler/ARMv7Assembler.h:
881         * assembler/MIPSAssembler.h:
882         * assembler/MacroAssembler.h:
883         * assembler/X86Assembler.h:
884         * jit/CCallHelpers.h:
885         (JSC::CCallHelpers::clampArrayToSize):
886         * jit/FPRInfo.h:
887         * jit/GPRInfo.h:
888         (JSC::JSValueRegs::JSValueRegs):
889         (JSC::JSValueRegs::tagGPR const):
890         (JSC::JSValueRegs::payloadGPR const):
891         (JSC::JSValueSource::JSValueSource):
892         (JSC::JSValueSource::unboxedCell):
893         (JSC::JSValueSource::operator bool const):
894         (JSC::JSValueSource::base const):
895         (JSC::JSValueSource::tagGPR const):
896         (JSC::JSValueSource::payloadGPR const):
897         (JSC::JSValueSource::hasKnownTag const):
898
899 2018-08-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
900
901         [JSC] alignas for RegisterState should respect alignof(RegisterState) too
902         https://bugs.webkit.org/show_bug.cgi?id=188686
903
904         Reviewed by Saam Barati.
905
906         RegisterState would have larger alignment than `alignof(void*)`. We use the larger alignment value
907         for `alignof` for RegisterState.
908
909         * heap/RegisterState.h:
910
911 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
912
913         [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
914         https://bugs.webkit.org/show_bug.cgi?id=188571
915
916         Reviewed by Saam Barati.
917
918         UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
919         allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
920         without considering alignment of them. This patch adds DisjunctionContext::allocationSize
921         and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
922         The size is always rounded to `sizeof(void*)` so that these classes are always allocated
923         with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
924         than or equal to `sizeof(void*)` by `static_assert`.
925
926         * yarr/YarrInterpreter.cpp:
927         (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
928         (JSC::Yarr::Interpreter::allocDisjunctionContext):
929         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
930         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
931         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
932         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
933         (JSC::Yarr::Interpreter::Interpreter):
934         (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
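
        Added example, not the YarrInterpreter or BumpPointerAllocator code: a minimal bump arena with an
        unrounded and a rounded allocation path, plus two constructed context-like structs (a 12-byte header
        followed by a pointer-sized frame) that show how one odd-sized allocation misaligns the next one and
        how rounding every size to `sizeof(void*)` prevents it. The `static_assert`s restate the entry's
        precondition that no context is over-aligned. All names are the example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Round `size` up to a multiple of sizeof(void*). sizeof(void*) is a power of
// two, so the mask form is exact.
static constexpr size_t roundUpToPointerSize(size_t size)
{
    return (size + sizeof(void*) - 1) & ~(sizeof(void*) - 1);
}

static inline bool isAlignedTo(const void* pointer, size_t alignment)
{
    return reinterpret_cast<uintptr_t>(pointer) % alignment == 0;
}

// Minimal bump allocator over a pointer-aligned arena. Constructed stand-in
// for WTF::BumpPointerAllocator, present only to show the effect of rounding.
class BumpArena {
public:
    explicit BumpArena(size_t capacityBytes)
        : m_words(roundUpToPointerSize(capacityBytes) / sizeof(void*))
        , m_used(0)
    {
    }

    // Hands out exactly `size` bytes: the next allocation starts wherever this
    // one ended, so an odd-sized object misaligns everything after it.
    void* allocUnrounded(size_t size) { return take(size); }

    // Pads every allocation to a multiple of sizeof(void*), so every returned
    // pointer is pointer-aligned as long as the arena base is.
    void* allocRounded(size_t size) { return take(roundUpToPointerSize(size)); }

    size_t used() const { return m_used; }

private:
    void* take(size_t size)
    {
        if (m_used + size > m_words.size() * sizeof(void*))
            return nullptr;
        void* result = reinterpret_cast<uint8_t*>(m_words.data()) + m_used;
        m_used += size;
        return result;
    }

    std::vector<uintptr_t> m_words; // uintptr_t elements keep the base pointer-aligned
    size_t m_used;
};

// Constructed analogues of the interpreter contexts: a header whose size is
// not a multiple of sizeof(void*) on 64-bit, then a frame of pointer-sized
// slots that must be pointer-aligned.
struct ContextHeader {
    uint32_t term;
    uint32_t matchBegin;
    uint32_t matchEnd;
};
struct Frame {
    uintptr_t slots[2];
};

// Rounding to sizeof(void*) is only sufficient if nothing needs stricter alignment.
static_assert(alignof(ContextHeader) <= sizeof(void*), "ContextHeader is over-aligned");
static_assert(alignof(Frame) <= sizeof(void*), "Frame is over-aligned");

// Allocate a header, then a frame, and report whether the frame is aligned.
static bool frameAlignedAfterHeader(bool rounded)
{
    BumpArena arena(256);
    void* header = rounded ? arena.allocRounded(sizeof(ContextHeader))
                           : arena.allocUnrounded(sizeof(ContextHeader));
    void* frame = rounded ? arena.allocRounded(sizeof(Frame))
                          : arena.allocUnrounded(sizeof(Frame));
    return header && frame && isAlignedTo(frame, alignof(Frame));
}

int main()
{
    std::printf("sizeof(ContextHeader) = %zu, rounded = %zu\n",
        sizeof(ContextHeader), roundUpToPointerSize(sizeof(ContextHeader)));
    std::printf("frame aligned without rounding: %s\n", frameAlignedAfterHeader(false) ? "yes" : "no");
    std::printf("frame aligned with rounding:    %s\n", frameAlignedAfterHeader(true) ? "yes" : "no");
    return 0;
}
```

        On a 64-bit build the unrounded path places the frame at offset 12, which UBSan reports as a misaligned
        store of a pointer-sized value; the rounded path places it at offset 16.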
935
936 2018-08-15  Keith Miller  <keith_miller@apple.com>
937
938         Remove evernote hacks
939         https://bugs.webkit.org/show_bug.cgi?id=188591
940
941         Reviewed by Joseph Pecoraro.
942
943         The hack was added in 2012 and the evernote app seems to work now.
944         It's probably not needed anymore.
945
946         * API/JSValueRef.cpp:
947         (JSValueUnprotect):
948         (evernoteHackNeeded): Deleted.
949
950 2018-08-14  Fujii Hironori  <Hironori.Fujii@sony.com>
951
952         Unreviewed, rolling out r234874 and r234876.
953
954         WinCairo port can't compile
955
956         Reverted changesets:
957
958         "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
959         https://bugs.webkit.org/show_bug.cgi?id=188589
960         https://trac.webkit.org/changeset/234874
961
962         "Unreviewed, attempt to fix CLoop build"
963         https://bugs.webkit.org/show_bug.cgi?id=188589
964         https://trac.webkit.org/changeset/234876
965
966 2018-08-14  Saam barati  <sbarati@apple.com>
967
968         HashMap<Ref<P>, V> asserts when V is not zero for its empty value
969         https://bugs.webkit.org/show_bug.cgi?id=188582
970
971         Reviewed by Sam Weinig.
972
973         * runtime/SparseArrayValueMap.h:
974
975 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
976
977         Unreviewed, attempt to fix CLoop build
978         https://bugs.webkit.org/show_bug.cgi?id=188589
979
980         * assembler/MacroAssembler.h:
981
982 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
983
984         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
985         https://bugs.webkit.org/show_bug.cgi?id=188589
986
987         Reviewed by Mark Lam.
988
989         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
990         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
991
992         1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
993         2. We make GPRReg and FPRReg int8_t enums.
994         3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` to `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
995
996         * assembler/ARM64Assembler.h:
997         * assembler/ARMAssembler.h:
998         * assembler/ARMv7Assembler.h:
999         * assembler/MIPSAssembler.h:
1000         * assembler/X86Assembler.h:
1001         * jit/FPRInfo.h:
1002         * jit/GPRInfo.h:
1003         (JSC::JSValueRegs::JSValueRegs):
1004         (JSC::JSValueRegs::tagGPR const):
1005         (JSC::JSValueRegs::payloadGPR const):
1006         (JSC::JSValueSource::JSValueSource):
1007         (JSC::JSValueSource::unboxedCell):
1008         (JSC::JSValueSource::operator bool const):
1009         (JSC::JSValueSource::base const):
1010         (JSC::JSValueSource::tagGPR const):
1011         (JSC::JSValueSource::payloadGPR const):
1012         (JSC::JSValueSource::hasKnownTag const):
1013
1014 2018-08-14  Keith Miller  <keith_miller@apple.com>
1015
1016         Add missing availability macro.
1017         https://bugs.webkit.org/show_bug.cgi?id=188563
1018
1019         Reviewed by Mark Lam.
1020
1021         * API/JSValueRef.h:
1022
1023 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1024
1025         [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
1026         https://bugs.webkit.org/show_bug.cgi?id=188560
1027
1028         Reviewed by Keith Miller.
1029
1030         While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
1031         it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
1032         uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
1033         `m_wasSeenInJIT { false }`.
1034
1035         * bytecode/GetByIdStatus.h:
1036
1037 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1038
1039         [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
1040         https://bugs.webkit.org/show_bug.cgi?id=188557
1041
1042         Reviewed by Mark Lam.
1043
1044         DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
1045         processing for ArithRound etc.'s invariants requires `m_pass` load. This issue is found
1046         in UBSan's result.
1047
1048         * dfg/DFGPredictionPropagationPhase.cpp:
1049
1050 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1051
1052         [JSC] Should not rotate constant with 64
1053         https://bugs.webkit.org/show_bug.cgi?id=188556
1054
1055         Reviewed by Mark Lam.
1056
1057         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
1058         But if a seed becomes 64, the following code performs `value << 64` where value's type
1059         is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed in the
1060         range of [0, 64) not to generate code causing UBs. This is found by UBSan.
1061
1062         * assembler/MacroAssembler.h:
1063         (JSC::MacroAssembler::generateRotationSeed):
1064         (JSC::MacroAssembler::rotationBlindConstant):
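
        Added example, not the entry's MacroAssembler code: a 64-bit rotate whose shift count is reduced
        modulo 64 (so a count of 0 or 64 never evaluates `value << 64`), a seed drawn from [0, 64) and an
        exhaustive round-trip check over every legal seed. The entry for r234852 is rolled out above (bug
        188736), so this illustrates only the shift-width hazard in C++, not the shipped fix; all names and
        the seed source are the example's own.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

// Rotate left by `shift` bits. Reducing the count modulo 64 and special-casing
// zero keeps both `value << shift` and `value >> (64 - shift)` in range; a
// shift count equal to the width is undefined behaviour in C++.
static inline uint64_t rotateLeft64(uint64_t value, unsigned shift)
{
    shift &= 63;
    if (!shift)
        return value;
    return (value << shift) | (value >> (64 - shift));
}

static inline uint64_t rotateRight64(uint64_t value, unsigned shift)
{
    shift &= 63;
    if (!shift)
        return value;
    return (value >> shift) | (value << (64 - shift));
}

// The constant is stored rotated by a per-use random seed; the JIT emits the
// rotated form and an inverse rotate, so the literal in executable memory is
// not the value the program asked for.
struct BlindedConstant {
    uint64_t rotated;
    uint8_t seed; // always in [0, 64)
};

// Seed source is an assumption of this example; it masks to [0, 63] so the
// seed can never equal 64.
static BlindedConstant blindConstant(uint64_t value, std::mt19937_64& rng)
{
    uint8_t seed = static_cast<uint8_t>(rng() & 63);
    return { rotateRight64(value, seed), seed };
}

static uint64_t unblindConstant(const BlindedConstant& constant)
{
    return rotateLeft64(constant.rotated, constant.seed);
}

// Exhaustive check: every legal seed must round-trip the value.
static bool roundTripsForAllSeeds(uint64_t value)
{
    for (unsigned seed = 0; seed < 64; ++seed) {
        BlindedConstant constant { rotateRight64(value, seed), static_cast<uint8_t>(seed) };
        if (unblindConstant(constant) != value)
            return false;
    }
    return true;
}

// Randomised check: drawn seeds stay in range and round-trip.
static bool seedsInRangeAndRoundTrip(unsigned trials)
{
    std::mt19937_64 rng(0x5eed);
    for (unsigned i = 0; i < trials; ++i) {
        uint64_t value = rng();
        BlindedConstant constant = blindConstant(value, rng);
        if (constant.seed >= 64 || unblindConstant(constant) != value)
            return false;
    }
    return true;
}

int main()
{
    std::printf("all seeds round-trip: %s\n", roundTripsForAllSeeds(0xDEADBEEFCAFEBABEULL) ? "yes" : "no");
    std::printf("random seeds in range: %s\n", seedsInRangeAndRoundTrip(1000) ? "yes" : "no");
    return 0;
}
```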
1065
1066 2018-08-12  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1067
1068         Disable JIT on IA-32 without SSE2
1069         https://bugs.webkit.org/show_bug.cgi?id=188476
1070
1071         Reviewed by Michael Catanzaro.
1072
1073         Including missing header (MacroAssembler.h) in case of other
1074         operating systems than Windows too.
1075
1076         * runtime/Options.cpp:
1077
1078 2018-08-11  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1079
1080         Disable JIT on IA-32 without SSE2
1081         https://bugs.webkit.org/show_bug.cgi?id=188476
1082
1083         Reviewed by Yusuke Suzuki.
1084
1085         On IA-32 CPUs without SSE2 most of the webpages cannot load
1086         if the JIT is turned on.
1087
1088         * runtime/Options.cpp:
1089         (JSC::recomputeDependentOptions):
1090
1091 2018-08-10  Joseph Pecoraro  <pecoraro@apple.com>
1092
1093         Web Inspector: console.log fires getters for deep properties
1094         https://bugs.webkit.org/show_bug.cgi?id=187542
1095         <rdar://problem/42873158>
1096
1097         Reviewed by Saam Barati.
1098
1099         * inspector/InjectedScriptSource.js:
1100         (RemoteObject.prototype._isPreviewableObject):
1101         Avoid getters/setters when checking for simple properties to preview.
1102         Here we avoid invoking `object[property]` if it could be a user getter.
1103
1104 2018-08-10  Keith Miller  <keith_miller@apple.com>
1105
1106         Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
1107         https://bugs.webkit.org/show_bug.cgi?id=185127
1108
1109         Reviewed by Saam Barati.
1110
1111         Previously, we would truncate the indices passed to slice to an
1112         int. This meant that the value was not getting properly clamped
1113         later.
1114
1115         This patch also removes a non-spec compliant check that slice was
1116         passed at least one argument.
1117
1118         * runtime/ArrayBuffer.cpp:
1119         (JSC::ArrayBuffer::clampValue):
1120         (JSC::ArrayBuffer::clampIndex const):
1121         (JSC::ArrayBuffer::slice const):
1122         * runtime/ArrayBuffer.h:
1123         (JSC::ArrayBuffer::clampValue): Deleted.
1124         (JSC::ArrayBuffer::clampIndex const): Deleted.
1125         * runtime/JSArrayBufferPrototype.cpp:
1126         (JSC::arrayBufferProtoFuncSlice):
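
        Added example, not JSC's ArrayBuffer code: index clamping for slice(start, end) carried out in double
        space, after the spec's ToIntegerOrInfinity step, so a start or end far outside the int range is
        clamped to [0, byteLength] instead of being truncated first. Negative, NaN, fractional, infinite and
        omitted `end` cases are covered. Names and the `hasEnd` flag are the example's own.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// Clamp a relative index into [0, length]. `relative` is a double that may be
// fractional, negative, enormous or infinite. Doing the comparison before any
// integer conversion is the point: truncating 1e10 to an int first would lose
// the magnitude before the bounds check ever sees it.
static uint64_t clampIndex(double relative, uint64_t length)
{
    if (std::isnan(relative))
        relative = 0;
    relative = std::trunc(relative); // ToIntegerOrInfinity drops the fraction
    const double len = static_cast<double>(length);
    if (relative < 0) {
        double fromEnd = len + relative; // negative indices count from the end
        return fromEnd < 0 ? 0 : static_cast<uint64_t>(fromEnd);
    }
    return relative > len ? length : static_cast<uint64_t>(relative);
}

struct SliceRange {
    uint64_t begin;
    uint64_t length;
};

// The [begin, begin + length) byte range that slice(start, end) copies.
// hasEnd == false models an omitted `end`, which defaults to byteLength.
static SliceRange sliceRange(uint64_t byteLength, double start, bool hasEnd, double end)
{
    uint64_t first = clampIndex(start, byteLength);
    uint64_t last = hasEnd ? clampIndex(end, byteLength) : byteLength;
    return { first, last > first ? last - first : 0 };
}

int main()
{
    SliceRange whole = sliceRange(16, 0, true, 1e10);
    SliceRange tail = sliceRange(16, -4, false, 0);
    std::printf("slice(0, 1e10) on 16 bytes -> begin %llu, length %llu\n",
        (unsigned long long)whole.begin, (unsigned long long)whole.length);
    std::printf("slice(-4) on 16 bytes     -> begin %llu, length %llu\n",
        (unsigned long long)tail.begin, (unsigned long long)tail.length);
    return 0;
}
```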
1127
1128 2018-08-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1129
1130         Date.UTC should not return NaN with only Year param
1131         https://bugs.webkit.org/show_bug.cgi?id=188378
1132
1133         Reviewed by Keith Miller.
1134
1135         Date.UTC requires one argument for |year|. But the other ones are optional.
1136         This patch fixes this handling.
1137
1138         * runtime/DateConstructor.cpp:
1139         (JSC::millisecondsFromComponents):
1140
1141 2018-08-08  Keith Miller  <keith_miller@apple.com>
1142
1143         Array.prototype.sort should call @toLength instead of ">>> 0"
1144         https://bugs.webkit.org/show_bug.cgi?id=188430
1145
1146         Reviewed by Saam Barati.
1147
1148         Also add a new function to $vm that will fetch a private
1149         property. This can be useful for running builtin helper functions.
1150
1151         * builtins/ArrayPrototype.js:
1152         (sort):
1153         * tools/JSDollarVM.cpp:
1154         (JSC::functionGetPrivateProperty):
1155         (JSC::JSDollarVM::finishCreation):
1156
1157 2018-08-08  Keith Miller  <keith_miller@apple.com>
1158
1159         Array.prototype.sort should throw TypeError if param is not a callable object
1160         https://bugs.webkit.org/show_bug.cgi?id=188382
1161
1162         Reviewed by Saam Barati.
1163
1164         Improve spec compatibility by checking if the Array.prototype.sort comparator is a function
1165         before doing anything else.
1166
1167         Also, refactor the various helper functions to use let instead of var.
1168
1169         * builtins/ArrayPrototype.js:
1170         (sort.stringComparator):
1171         (sort.compactSparse):
1172         (sort.compactSlow):
1173         (sort.compact):
1174         (sort.merge):
1175         (sort.mergeSort):
1176         (sort.bucketSort):
1177         (sort.comparatorSort):
1178         (sort.stringSort):
1179         (sort):
1180
1181 2018-08-08  Michael Saboff  <msaboff@apple.com>
1182
1183         Yarr JIT should include annotations with dumpDisassembly=true
1184         https://bugs.webkit.org/show_bug.cgi?id=188415
1185
1186         Reviewed by Yusuke Suzuki.
1187
1188         Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
1189         Given that the Yarr creates matching code by going through the YarrPattern ops forward and
1190         then the backtracking code through the YarrPattern ops in reverse order, the disassembler
1191         needs to do the same thing.
1192
1193         Restructured some of the logging code in YarrPattern to eliminate redundant code and factor
1194         out simple methods for what was needed by the YarrDisassembler.
1195
1196         Here is an abbreviated sample output after this change.
1197
1198         Generated JIT code for 8-bit regular expression /ab*c/:
1199             Code at [0x469561c03720, 0x469561c03840):
1200                 0x469561c03720: push %rbp
1201                 0x469561c03721: mov %rsp, %rbp
1202                 ...
1203                 0x469561c03762: sub $0x40, %rsp
1204              == Matching ==
1205            0:OpBodyAlternativeBegin minimum size 2
1206                 0x469561c03766: add $0x2, %esi
1207                 0x469561c03769: cmp %edx, %esi
1208                 0x469561c0376b: ja 0x469561c037fa
1209            1:OpTerm TypePatternCharacter 'a'
1210                 0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
1211                 0x469561c03776: cmp $0x61, %eax
1212                 0x469561c03779: jnz 0x469561c037e9
1213            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1214                 0x469561c0377f: xor %r9d, %r9d
1215                 0x469561c03782: cmp %edx, %esi
1216                 0x469561c03784: jz 0x469561c037a2
1217                 ...
1218                 0x469561c0379d: jmp 0x469561c03782
1219                 0x469561c037a2: mov %r9, 0x8(%rsp)
1220            3:OpTerm TypePatternCharacter 'c'
1221                 0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
1222                 0x469561c037ac: cmp $0x63, %eax
1223                 0x469561c037af: jnz 0x469561c037d1
1224            4:OpBodyAlternativeEnd
1225                 0x469561c037b5: add $0x40, %rsp
1226                 ...
1227                 0x469561c037cf: pop %rbp
1228                 0x469561c037d0: ret
1229              == Backtracking ==
1230            4:OpBodyAlternativeEnd
1231            3:OpTerm TypePatternCharacter 'c'
1232            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1233                 0x469561c037d1: mov 0x8(%rsp), %r9
1234                 ...
1235                 0x469561c037e4: jmp 0x469561c037a2
1236            1:OpTerm TypePatternCharacter 'a'
1237            0:OpBodyAlternativeBegin minimum size 2
1238                 0x469561c037e9: mov %rsi, %rax
1239                 ...
1240                 0x469561c0382f: pop %rbp
1241                 0x469561c03830: ret
1242
1243         * JavaScriptCore.xcodeproj/project.pbxproj:
1244         * Sources.txt:
1245         * runtime/RegExp.cpp:
1246         (JSC::RegExp::compile):
1247         (JSC::RegExp::compileMatchOnly):
1248         * yarr/YarrDisassembler.cpp: Added.
1249         (JSC::Yarr::YarrDisassembler::indentString):
1250         (JSC::Yarr::YarrDisassembler::YarrDisassembler):
1251         (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
1252         (JSC::Yarr::YarrDisassembler::dump):
1253         (JSC::Yarr::YarrDisassembler::dumpHeader):
1254         (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
1255         (JSC::Yarr::YarrDisassembler::dumpForInstructions):
1256         (JSC::Yarr::YarrDisassembler::dumpDisassembly):
1257         * yarr/YarrDisassembler.h: Added.
1258         (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
1259         (JSC::Yarr::YarrDisassembler::setStartOfCode):
1260         (JSC::Yarr::YarrDisassembler::setForGenerate):
1261         (JSC::Yarr::YarrDisassembler::setForBacktrack):
1262         (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
1263         (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
1264         (JSC::Yarr::YarrDisassembler::setEndOfCode):
1265         (JSC::Yarr::YarrDisassembler::indentString):
1266         * yarr/YarrJIT.cpp:
1267         (JSC::Yarr::YarrGenerator::generate):
1268         (JSC::Yarr::YarrGenerator::backtrack):
1269         (JSC::Yarr::YarrGenerator::YarrGenerator):
1270         (JSC::Yarr::YarrGenerator::compile):
1271         (JSC::Yarr::jitCompile):
1272         * yarr/YarrJIT.h:
1273         * yarr/YarrPattern.cpp:
1274         (JSC::Yarr::dumpCharacterClass):
1275         (JSC::Yarr::PatternTerm::dump):
1276         (JSC::Yarr::YarrPattern::dumpPatternString):
1277         (JSC::Yarr::YarrPattern::dumpPattern):
1278         * yarr/YarrPattern.h:
1279
1280 2018-08-05  Darin Adler  <darin@apple.com>
1281
1282         [Cocoa] More tweaks and refactoring to prepare for ARC
1283         https://bugs.webkit.org/show_bug.cgi?id=188245
1284
1285         Reviewed by Dan Bernstein.
1286
1287         * API/JSValue.mm: Use __unsafe_unretained.
1288         (JSContainerConvertor::convert): Use auto for compatibility with the above.
1289         * API/JSWrapperMap.mm:
1290         (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
1291         (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.
1292
1293         * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.
1294
1295 2018-08-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1296
1297         Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
1298         https://bugs.webkit.org/show_bug.cgi?id=188328
1299
1300         Reviewed by Saam Barati.
1301
1302         Shrinking the size of PropertyCondition can improve memory consumption by a lot.
1303         For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
1304         and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
1305         as a member field.
1306
1307         This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
1308         PropertyCondition::Kind into uint64_t data in 64bit architecture. Since our addresses
1309         are within 48bit, we can put PropertyCondition::Kind in these unused bits.
1310         To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
1311         folds a pointer and 1byte type into 64bit data.
1312
1313         This change shrinks PropertyCondition from 24bytes to 16bytes.
1314
1315         * bytecode/PropertyCondition.cpp:
1316         (JSC::PropertyCondition::dumpInContext const):
1317         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1318         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
1319         (JSC::PropertyCondition::isStillValid const):
1320         (JSC::PropertyCondition::isWatchableWhenValid const):
1321         * bytecode/PropertyCondition.h:
1322         (JSC::PropertyCondition::PropertyCondition):
1323         (JSC::PropertyCondition::presenceWithoutBarrier):
1324         (JSC::PropertyCondition::absenceWithoutBarrier):
1325         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
1326         (JSC::PropertyCondition::equivalenceWithoutBarrier):
1327         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
1328         (JSC::PropertyCondition::operator bool const):
1329         (JSC::PropertyCondition::kind const):
1330         (JSC::PropertyCondition::uid const):
1331         (JSC::PropertyCondition::hasOffset const):
1332         (JSC::PropertyCondition::hasAttributes const):
1333         (JSC::PropertyCondition::hasPrototype const):
1334         (JSC::PropertyCondition::hasRequiredValue const):
1335         (JSC::PropertyCondition::hash const):
1336         (JSC::PropertyCondition::operator== const):
1337         (JSC::PropertyCondition::isHashTableDeletedValue const):
1338         (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
1339
1340 2018-08-07  Mark Lam  <mark.lam@apple.com>
1341
1342         Use a more specific PtrTag for PlatformRegisters PC and LR.
1343         https://bugs.webkit.org/show_bug.cgi?id=188366
1344         <rdar://problem/42984123>
1345
1346         Reviewed by Keith Miller.
1347
1348         Also fixed a bug in linkRegister(), which was previously returning the PC instead
1349         of LR.  It now returns LR.
1350
1351         * runtime/JSCPtrTag.h:
1352         * runtime/MachineContext.h:
1353         (JSC::MachineContext::instructionPointer):
1354         (JSC::MachineContext::linkRegister):
1355         * runtime/VMTraps.cpp:
1356         (JSC::SignalContext::SignalContext):
1357         * tools/SigillCrashAnalyzer.cpp:
1358         (JSC::SignalContext::SignalContext):
1359
1360 2018-08-07  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1361
1362         Hardcoded LFENCE instruction
1363         https://bugs.webkit.org/show_bug.cgi?id=188145
1364
1365         Reviewed by Filip Pizlo.
1366
1367         Remove lfence instruction because it is crashing systems without SSE2 and
1368         this is not the way WebKit mitigates Spectre.
1369
1370         * runtime/JSLock.cpp:
1371         (JSC::JSLock::didAcquireLock):
1372         (JSC::JSLock::willReleaseLock):
1373
1374 2018-08-04  David Kilzer  <ddkilzer@apple.com>
1375
1376         REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
1377         <https://webkit.org/b/188331>
1378
1379         Reviewed by Yusuke Suzuki.
1380
1381         * runtime/TemplateObjectDescriptor.h:
1382         (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
1383         Use `m_rawstrings` instead of `rawStrings` to calculate hash.
1384
1385 2018-08-03  Saam Barati  <sbarati@apple.com>
1386
1387         Give the `jsc` shell the JIT entitlement
1388         https://bugs.webkit.org/show_bug.cgi?id=188324
1389         <rdar://problem/42885806>
1390
1391         Reviewed by Dan Bernstein.
1392
1393         This should help us in ensuring the system jsc is able to JIT.
1394
1395         * Configurations/JSC.xcconfig:
1396         * JavaScriptCore.xcodeproj/project.pbxproj:
1397         * allow-jit-macOS.entitlements: Added.
1398
1399 2018-08-03  Alex Christensen  <achristensen@webkit.org>
1400
1401         Fix spelling of "overridden"
1402         https://bugs.webkit.org/show_bug.cgi?id=188315
1403
1404         Reviewed by Darin Adler.
1405
1406         * API/JSExport.h:
1407         * inspector/InjectedScriptSource.js:
1408
1409 2018-08-02  Saam Barati  <sbarati@apple.com>
1410
1411         Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
1412         https://bugs.webkit.org/show_bug.cgi?id=188271
1413         <rdar://problem/42850884>
1414
1415         Reviewed by Michael Saboff.
1416
1417         This patch defends against the instructionPointer containing garbage bits.
1418         See radar for details.
1419
1420         * runtime/MachineContext.h:
1421         (JSC::MachineContext::instructionPointer):
1422         * runtime/SamplingProfiler.cpp:
1423         (JSC::SamplingProfiler::takeSample):
1424         * runtime/VMTraps.cpp:
1425         (JSC::SignalContext::SignalContext):
1426         (JSC::SignalContext::tryCreate):
1427         * tools/CodeProfiling.cpp:
1428         (JSC::profilingTimer):
1429         * tools/SigillCrashAnalyzer.cpp:
1430         (JSC::SignalContext::SignalContext):
1431         (JSC::SignalContext::tryCreate):
1432         (JSC::SignalContext::dump):
1433         (JSC::installCrashHandler):
1434         * wasm/WasmFaultSignalHandler.cpp:
1435         (JSC::Wasm::trapHandler):
1436
1437 2018-08-02  David Fenton  <david_fenton@apple.com>
1438
1439         Unreviewed, rolling out r234489.
1440
1441         Caused 50+ crashes and 60+ API failures on iOS
1442
1443         Reverted changeset:
1444
1445         "[WTF] Rename String::format to String::deprecatedFormat"
1446         https://bugs.webkit.org/show_bug.cgi?id=188191
1447         https://trac.webkit.org/changeset/234489
1448
1449 2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1450
1451         Add self.queueMicrotask(f) on DOMWindow
1452         https://bugs.webkit.org/show_bug.cgi?id=188212
1453
1454         Reviewed by Ryosuke Niwa.
1455
1456         * CMakeLists.txt:
1457         * JavaScriptCore.xcodeproj/project.pbxproj:
1458         * Sources.txt:
1459         * runtime/JSGlobalObject.cpp:
1460         (JSC::enqueueJob):
1461         * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
1462         (JSC::createJSMicrotask):
1463         Export them to WebCore.
1464
1465         (JSC::JSMicrotask::run):
1466         * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
1467         Add another version of JSMicrotask which does not have arguments.
1468
1469 2018-08-01  Tomas Popela  <tpopela@redhat.com>
1470
1471         [WTF] Rename String::format to String::deprecatedFormat
1472         https://bugs.webkit.org/show_bug.cgi?id=188191
1473
1474         Reviewed by Darin Adler.
1475
1476         It should be replaced with string concatenation.
1477
1478         * bytecode/CodeBlock.cpp:
1479         (JSC::CodeBlock::nameForRegister):
1480         * inspector/InjectedScriptBase.cpp:
1481         (Inspector::InjectedScriptBase::makeCall):
1482         * inspector/InspectorBackendDispatcher.cpp:
1483         (Inspector::BackendDispatcher::getPropertyValue):
1484         * inspector/agents/InspectorConsoleAgent.cpp:
1485         (Inspector::InspectorConsoleAgent::enable):
1486         (Inspector::InspectorConsoleAgent::stopTiming):
1487         * jsc.cpp:
1488         (FunctionJSCStackFunctor::operator() const):
1489         * parser/Lexer.cpp:
1490         (JSC::Lexer<T>::invalidCharacterMessage const):
1491         * runtime/IntlDateTimeFormat.cpp:
1492         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1493         * runtime/IntlObject.cpp:
1494         (JSC::canonicalizeLocaleList):
1495         * runtime/LiteralParser.cpp:
1496         (JSC::LiteralParser<CharType>::Lexer::lex):
1497         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
1498         (JSC::LiteralParser<CharType>::parse):
1499         * runtime/LiteralParser.h:
1500         (JSC::LiteralParser::getErrorMessage):
1501
1502 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
1503
1504         [INTL] Allow "unknown" formatToParts types
1505         https://bugs.webkit.org/show_bug.cgi?id=188176
1506
1507         Reviewed by Darin Adler.
1508
1509         Originally extra unexpected field types were marked as "literal", since
1510         the spec did not account for these. The ECMA 402 spec has since been updated
1511         to specify "unknown" should be used in these cases.
1512
1513         Currently there is no known way to reach these cases, so no tests can
1514         account for them. Theoretically they shouldn't exist, but they are specified,
1515         just to be safe. Marking them as "unknown" instead of "literal" hopefully
1516         will make such cases easy to identify if they ever happen.
1517
1518         * runtime/IntlDateTimeFormat.cpp:
1519         (JSC::IntlDateTimeFormat::partTypeString):
1520         * runtime/IntlNumberFormat.cpp:
1521         (JSC::IntlNumberFormat::partTypeString):
1522
1523 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
1524
1525         [INTL] Implement hourCycle in DateTimeFormat
1526         https://bugs.webkit.org/show_bug.cgi?id=188006
1527
1528         Reviewed by Darin Adler.
1529
1530         Implemented hourCycle, updating both the skeleton and the final pattern.
1531         Changed resolveLocale to assume undefined options are not given and null
1532         strings actually mean null, which removes the tag extension.
1533
1534         * runtime/CommonIdentifiers.h:
1535         * runtime/IntlCollator.cpp:
1536         (JSC::IntlCollator::initializeCollator):
1537         * runtime/IntlDateTimeFormat.cpp:
1538         (JSC::IntlDTFInternal::localeData):
1539         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
1540         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1541         (JSC::IntlDateTimeFormat::resolvedOptions):
1542         * runtime/IntlDateTimeFormat.h:
1543         * runtime/IntlObject.cpp:
1544         (JSC::resolveLocale):
1545
1546 2018-08-01  Keith Miller  <keith_miller@apple.com>
1547
1548         JSArrayBuffer should have its own JSType
1549         https://bugs.webkit.org/show_bug.cgi?id=188231
1550
1551         Reviewed by Saam Barati.
1552
1553         * runtime/JSArrayBuffer.cpp:
1554         (JSC::JSArrayBuffer::createStructure):
1555         * runtime/JSCast.h:
1556         * runtime/JSType.h:
1557
1558 2018-07-31  Keith Miller  <keith_miller@apple.com>
1559
1560         Unreviewed 32-bit build fix...
1561
1562         * dfg/DFGSpeculativeJIT32_64.cpp:
1563
1564 2018-07-31  Keith Miller  <keith_miller@apple.com>
1565
1566         Long compiling JSC files should not be unified
1567         https://bugs.webkit.org/show_bug.cgi?id=188205
1568
1569         Reviewed by Saam Barati.
1570
1571         The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
1572         to compile. Unifying them means touching anything in the same
1573         bundle as those files takes a long time to incrementally build.
1574         This patch separates those files so they build standalone.
1575
1576         * JavaScriptCore.xcodeproj/project.pbxproj:
1577         * Sources.txt:
1578         * dfg/DFGSpeculativeJIT64.cpp:
1579
1580 2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1581
1582         [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
1583         https://bugs.webkit.org/show_bug.cgi?id=188201
1584
1585         Reviewed by Keith Miller.
1586
1587         We do not reuse the existing butterfly with Contiguous shape for new ArrayStorage butterfly.
1588         When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
1589         new one. So this cellLock() is unnecessary for contiguous shape since contiguous shaped butterfly
1590         never becomes broken state. This patch removes unnecessary locking.
1591
1592         * runtime/JSObject.cpp:
1593         (JSC::JSObject::visitButterflyImpl):
1594
1595 2018-07-31  Guillaume Emont  <guijemont@igalia.com>
1596
1597         [JSC] Remove gcc warnings for 32-bit platforms
1598         https://bugs.webkit.org/show_bug.cgi?id=187803
1599
1600         Reviewed by Yusuke Suzuki.
1601
1602         * assembler/MacroAssemblerPrinter.cpp:
1603         (JSC::Printer::printPCRegister):
1604         (JSC::Printer::printRegisterID):
1605         (JSC::Printer::printAddress):
1606         * dfg/DFGSpeculativeJIT.cpp:
1607         (JSC::DFG::SpeculativeJIT::speculateNumber):
1608         (JSC::DFG::SpeculativeJIT::speculateMisc):
1609         * jit/CCallHelpers.h:
1610         (JSC::CCallHelpers::calculatePokeOffset):
1611         * runtime/Options.cpp:
1612         (JSC::parse):
1613
1614 2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>
1615
1616         watchOS engineering build is broken after r234227
1617         https://bugs.webkit.org/show_bug.cgi?id=188180
1618
1619         Reviewed by Keith Miller.
1620
1621         In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
1622         postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
1623         `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
1624         `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
1625
1626         To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
1627         entirely, since there's no relevant version to replace them with.
1628
1629         * postprocess-headers.sh:
1630
1631 2018-07-30  Keith Miller  <keith_miller@apple.com>
1632
1633         Clarify conversion rules for JSValue property access API
1634         https://bugs.webkit.org/show_bug.cgi?id=188179
1635
1636         Reviewed by Geoffrey Garen.
1637
1638         * API/JSValue.h:
1639
1640 2018-07-30  Keith Miller  <keith_miller@apple.com>
1641
1642         Rename some JSC API functions/types.
1643         https://bugs.webkit.org/show_bug.cgi?id=188173
1644
1645         Reviewed by Saam Barati.
1646
1647         * API/JSObjectRef.cpp:
1648         (JSObjectHasPropertyForKey):
1649         (JSObjectGetPropertyForKey):
1650         (JSObjectSetPropertyForKey):
1651         (JSObjectDeletePropertyForKey):
1652         (JSObjectHasPropertyKey): Deleted.
1653         (JSObjectGetPropertyKey): Deleted.
1654         (JSObjectSetPropertyKey): Deleted.
1655         (JSObjectDeletePropertyKey): Deleted.
1656         * API/JSObjectRef.h:
1657         * API/JSValue.h:
1658         * API/JSValue.mm:
1659         (-[JSValue valueForProperty:]):
1660         (-[JSValue setValue:forProperty:]):
1661         (-[JSValue deleteProperty:]):
1662         (-[JSValue hasProperty:]):
1663         (-[JSValue defineProperty:descriptor:]):
1664         * API/tests/testapi.cpp:
1665         (TestAPI::run):
1666
1667 2018-07-30  Mark Lam  <mark.lam@apple.com>
1668
1669         Add a debugging utility to dump the memory layout of a JSCell.
1670         https://bugs.webkit.org/show_bug.cgi?id=188157
1671
1672         Reviewed by Yusuke Suzuki.
1673
1674         This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
1675         dump the memory contents of a cell and if present, its butterfly for debugging
1676         purposes.
1677
1678         Example usage for JS code when JSC_useDollarVM=true:
1679
1680             $vm.dumpCell(obj);
1681
1682         Example usage from C++ code or from lldb: 
1683
1684             (lldb) p JSC::VMInspector::dumpCellMemory(obj)
1685
1686         Some examples of dumps:
1687
1688             <0x104bc8260, Object>
1689               [0] 0x104bc8260 : 0x010016000000016c header
1690                 structureID 364 0x16c structure 0x104b721b0
1691                 indexingTypeAndMisc 0 0x0 NonArray
1692                 type 22 0x16
1693                 flags 0 0x0
1694                 cellState 1
1695               [1] 0x104bc8268 : 0x0000000000000000 butterfly
1696               [2] 0x104bc8270 : 0xffff000000000007
1697               [3] 0x104bc8278 : 0xffff000000000008
1698
1699             <0x104bb4360, Array>
1700               [0] 0x104bb4360 : 0x0108210b00000171 header
1701                 structureID 369 0x171 structure 0x104b723e0
1702                 indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
1703                 type 33 0x21
1704                 flags 8 0x8
1705                 cellState 1
1706               [1] 0x104bb4368 : 0x00000008000f4718 butterfly
1707                 base 0x8000f46e0
1708                 hasIndexingHeader YES hasAnyArrayStorage YES
1709                 publicLength 4 vectorLength 7 indexBias 2
1710                 preCapacity 2 propertyCapacity 4
1711                   <--- preCapacity
1712                   [0] 0x8000f46e0 : 0x0000000000000000
1713                   [1] 0x8000f46e8 : 0x0000000000000000
1714                   <--- propertyCapacity
1715                   [2] 0x8000f46f0 : 0x0000000000000000
1716                   [3] 0x8000f46f8 : 0x0000000000000000
1717                   [4] 0x8000f4700 : 0xffff00000000000d
1718                   [5] 0x8000f4708 : 0xffff00000000000c
1719                   <--- indexingHeader
1720                   [6] 0x8000f4710 : 0x0000000700000004
1721                   <--- butterfly
1722                   <--- arrayStorage
1723                   [7] 0x8000f4718 : 0x0000000000000000
1724                   [8] 0x8000f4720 : 0x0000000400000002
1725                   <--- indexedProperties
1726                   [9] 0x8000f4728 : 0xffff000000000008
1727                   [10] 0x8000f4730 : 0xffff000000000009
1728                   [11] 0x8000f4738 : 0xffff000000000005
1729                   [12] 0x8000f4740 : 0xffff000000000006
1730                   [13] 0x8000f4748 : 0x0000000000000000
1731                   [14] 0x8000f4750 : 0x0000000000000000
1732                   [15] 0x8000f4758 : 0x0000000000000000
1733                   <--- unallocated capacity
1734                   [16] 0x8000f4760 : 0x0000000000000000
1735                   [17] 0x8000f4768 : 0x0000000000000000
1736                   [18] 0x8000f4770 : 0x0000000000000000
1737                   [19] 0x8000f4778 : 0x0000000000000000
1738
1739         * runtime/JSObject.h:
1740         * tools/JSDollarVM.cpp:
1741         (JSC::functionDumpCell):
1742         (JSC::JSDollarVM::finishCreation):
1743         * tools/VMInspector.cpp:
1744         (JSC::VMInspector::dumpCellMemory):
1745         (JSC::IndentationScope::IndentationScope):
1746         (JSC::IndentationScope::~IndentationScope):
1747         (JSC::VMInspector::dumpCellMemoryToStream):
1748         * tools/VMInspector.h:
1749
1750 2018-07-27  Mark Lam  <mark.lam@apple.com>
1751
1752         Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
1753         https://bugs.webkit.org/show_bug.cgi?id=188123
1754         <rdar://problem/42672268>
1755
1756         Reviewed by Keith Miller.
1757
1758         1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
1759            padding space in VM and Heap, and should not cost any measurable perf to
1760            initialize and update.
1761
1762         2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
1763
1764            worldState tells us the value we failed the assertion on.
1765
1766            m_lastPhase, m_currentPhase, and m_nextPhase tells us the GC phase transition
1767            that led us here.
1768
1769            VM::id(), and VM::numberOfIDs() tells us how many VMs may be in play.
1770
1771            VM::isEntered() tells us if the current VM is currently executing JS code.
1772
1773            Some of this data may be redundant, but the redundancy is intentional so that
1774            we can double check what is really happening at the time of crash.
1775
1776         * heap/Heap.cpp:
1777         (JSC::asInt):
1778         (JSC::Heap::checkConn):
1779         (JSC::Heap::changePhase):
1780         * heap/Heap.h:
1781         * runtime/VM.cpp:
1782         (JSC::VM::nextID):
1783         (JSC::VM::VM):
1784         * runtime/VM.h:
1785         (JSC::VM::numberOfIDs):
1786         (JSC::VM::id const):
1787         (JSC::VM::isEntered const):
1788
1789 2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1790
1791         [JSC] Record CoW status in ArrayProfile correctly
1792         https://bugs.webkit.org/show_bug.cgi?id=187949
1793
1794         Reviewed by Saam Barati.
1795
1796         In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
1797         This is important since our OSR exit compiler records m_observedArrayModes by calculating
1798         ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
1799         our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
1800         Array::Generic DFG nodes.
1801
1802         * bytecode/ArrayProfile.h:
1803         (JSC::asArrayModes):
1804         (JSC::ArrayProfile::ArrayProfile):
1805         * dfg/DFGOSRExit.cpp:
1806         (JSC::DFG::OSRExit::compileExit):
1807         * ftl/FTLOSRExitCompiler.cpp:
1808         (JSC::FTL::compileStub):
1809         * runtime/IndexingType.h:
1810
1811 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
1812
1813         [INTL] Remove INTL sub-feature compile flags
1814         https://bugs.webkit.org/show_bug.cgi?id=188081
1815
1816         Reviewed by Michael Catanzaro.
1817
1818         Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
1819         The runtime flags are still present, and should be relied on instead.
1820         The defines for ICU features have also been updated to match HAVE() style.
1821
1822         * Configurations/FeatureDefines.xcconfig:
1823         * runtime/IntlPluralRules.cpp:
1824         (JSC::IntlPluralRules::resolvedOptions):
1825         (JSC::IntlPluralRules::select):
1826         * runtime/IntlPluralRules.h:
1827         * runtime/Options.h:
1828
1829 2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1830
1831         [JSC] Dump IndexingMode in Structure
1832         https://bugs.webkit.org/show_bug.cgi?id=188085
1833
1834         Reviewed by Keith Miller.
1835
1836         Dump IndexingMode instead of IndexingType.
1837
1838         * runtime/Structure.cpp:
1839         (JSC::Structure::dump const):
1840
1841 2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>
1842
1843         String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
1844         https://bugs.webkit.org/show_bug.cgi?id=187963
1845
1846         Reviewed by Alex Christensen.
1847
1848         * inspector/InspectorBackendDispatcher.cpp:
1849         (Inspector::BackendDispatcher::dispatch):
1850         * jsc.cpp:
1851         (ModuleName::ModuleName):
1852         (resolvePath):
1853         * runtime/IntlObject.cpp:
1854         (JSC::canonicalizeLanguageTag):
1855         (JSC::removeUnicodeLocaleExtension):
1856         Update split/splitAllowingEmptyEntries usage.
1857
1858 2018-07-26  Commit Queue  <commit-queue@webkit.org>
1859
1860         Unreviewed, rolling out r234181 and r234189.
1861         https://bugs.webkit.org/show_bug.cgi?id=188075
1862
1863         These are not needed right now (Requested by thorton on
1864         #webkit).
1865
1866         Reverted changesets:
1867
1868         "Enable Web Content Filtering on watchOS"
1869         https://bugs.webkit.org/show_bug.cgi?id=187979
1870         https://trac.webkit.org/changeset/234181
1871
1872         "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
1873         https://bugs.webkit.org/show_bug.cgi?id=187985
1874         https://trac.webkit.org/changeset/234189
1875
1876 2018-07-26  Mark Lam  <mark.lam@apple.com>
1877
1878         arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
1879         https://bugs.webkit.org/show_bug.cgi?id=188065
1880         <rdar://problem/42515726>
1881
1882         Reviewed by Saam Barati.
1883
1884         * runtime/ArrayPrototype.cpp:
1885         (JSC::clearElement):
1886         (JSC::copyElements):
1887         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1888
1889 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
1890
1891         JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
1892         https://bugs.webkit.org/show_bug.cgi?id=167991
1893
1894         Reviewed by Michael Catanzaro.
1895
1896         Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
1897         Checked locale.isEmpty() before returning it from defaultLocale, so there should be
1898         no more cases where you might have an invalid locale come back from resolveLocale.
1899
1900         * runtime/IntlObject.cpp:
1901         (JSC::convertICULocaleToBCP47LanguageTag):
1902         (JSC::defaultLocale):
1903         (JSC::lookupMatcher):
1904         * runtime/IntlObject.h:
1905         * runtime/JSGlobalObject.cpp:
1906         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
1907         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
1908         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
1909         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
1910
1911 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
1912
1913         REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
1914         https://bugs.webkit.org/show_bug.cgi?id=188040
1915
1916         Unreviewed build fix for AppleWin port.
1917
1918         * API/tests/testapi.c: Disabled warning C4204.
1919         (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
1920
1921 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
1922
1923         [JSC API] We should support the symbol type in our C/Obj-C API
1924         https://bugs.webkit.org/show_bug.cgi?id=175836
1925
1926         Unreviewed build fix for Windows port.
1927
1928         r234227 introduced a compilation error unresolved external symbol
1929         "int __cdecl testCAPIViaCpp(void)" in testapi for Windows ports.
1930
1931         Windows ports are compiling testapi.c as C++ by using /TP switch.
1932
1933         * API/tests/testapi.c:
1934         (main): Removed `::` prefix of ::SetErrorMode Windows API.
1935         (dllLauncherEntryPoint): Converted into C style.
1936         * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c
1937
1938 2018-07-25  Keith Miller  <keith_miller@apple.com>
1939
1940         [JSC API] We should support the symbol type in our C/Obj-C API
1941         https://bugs.webkit.org/show_bug.cgi?id=175836
1942
1943         Reviewed by Filip Pizlo.
1944
1945         This patch makes the following API additions:
1946         1) Test if a JSValue/JSValueRef is a symbol via any of the methods API are able to test for the types of other JSValues.
1947         2) Create a symbol on both APIs.
1948         3) Get/Set/Delete/Define property now take ids in the Obj-C API.
1949         4) Add Get/Set/Delete in the C API.
1950
1951         We can do 3 because it is both binary and source compatible with
1952         the existing API. I added (4) because the current property access
1953         APIs only have the ability to get Strings. It was possible to
1954         merge symbols into JSStringRef but that felt confusing and exposes
1955         implementation details of our engine. The new functions match the
1956         same meaning that they have in JS, thus should be forward
1957         compatible with any future language extensions.
1958
1959         Lastly, this patch adds the same availability preprocessing phase
1960         in WebCore to JavaScriptCore, which enables TBA features for
1961         testing on previous releases.
1962
1963         * API/APICast.h:
1964         * API/JSBasePrivate.h:
1965         * API/JSContext.h:
1966         * API/JSContextPrivate.h:
1967         * API/JSContextRef.h:
1968         * API/JSContextRefInternal.h:
1969         * API/JSContextRefPrivate.h:
1970         * API/JSManagedValue.h:
1971         * API/JSObjectRef.cpp:
1972         (JSObjectHasPropertyKey):
1973         (JSObjectGetPropertyKey):
1974         (JSObjectSetPropertyKey):
1975         (JSObjectDeletePropertyKey):
1976         * API/JSObjectRef.h:
1977         * API/JSRemoteInspector.h:
1978         * API/JSTypedArray.h:
1979         * API/JSValue.h:
1980         * API/JSValue.mm:
1981         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
1982         (performPropertyOperation):
1983         (-[JSValue valueForProperty:valueForProperty:]):
1984         (-[JSValue setValue:forProperty:setValue:forProperty:]):
1985         (-[JSValue deleteProperty:deleteProperty:]):
1986         (-[JSValue hasProperty:hasProperty:]):
1987         (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
1988         (-[JSValue isSymbol]):
1989         (-[JSValue objectForKeyedSubscript:]):
1990         (-[JSValue setObject:forKeyedSubscript:]):
1991         (-[JSValue valueForProperty:]): Deleted.
1992         (-[JSValue setValue:forProperty:]): Deleted.
1993         (-[JSValue deleteProperty:]): Deleted.
1994         (-[JSValue hasProperty:]): Deleted.
1995         (-[JSValue defineProperty:descriptor:]): Deleted.
1996         * API/JSValueRef.cpp:
1997         (JSValueGetType):
1998         (JSValueIsSymbol):
1999         (JSValueMakeSymbol):
2000         * API/JSValueRef.h:
2001         * API/WebKitAvailability.h:
2002         * API/tests/CurrentThisInsideBlockGetterTest.mm:
2003         * API/tests/CustomGlobalObjectClassTest.c:
2004         * API/tests/DateTests.mm:
2005         * API/tests/JSExportTests.mm:
2006         * API/tests/JSNode.c:
2007         * API/tests/JSNodeList.c:
2008         * API/tests/Node.c:
2009         * API/tests/NodeList.c:
2010         * API/tests/minidom.c:
2011         * API/tests/testapi.c:
2012         (main):
2013         * API/tests/testapi.cpp: Added.
2014         (APIString::APIString):
2015         (APIString::~APIString):
2016         (APIString::operator JSStringRef):
2017         (APIContext::APIContext):
2018         (APIContext::~APIContext):
2019         (APIContext::operator JSGlobalContextRef):
2020         (APIVector::APIVector):
2021         (APIVector::~APIVector):
2022         (APIVector::append):
2023         (testCAPIViaCpp):
2024         (TestAPI::evaluateScript):
2025         (TestAPI::callFunction):
2026         (TestAPI::functionReturnsTrue):
2027         (TestAPI::check):
2028         (TestAPI::checkJSAndAPIMatch):
2029         (TestAPI::interestingObjects):
2030         (TestAPI::interestingKeys):
2031         (TestAPI::run):
2032         * API/tests/testapi.mm:
2033         (testObjectiveCAPIMain):
2034         * JavaScriptCore.xcodeproj/project.pbxproj:
2035         * config.h:
2036         * postprocess-headers.sh:
2037         * shell/CMakeLists.txt:
2038         * testmem/testmem.mm:
2039
2040 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
2041
2042         [INTL] Call Typed Array elements toLocaleString with locale and options
2043         https://bugs.webkit.org/show_bug.cgi?id=185796
2044
2045         Reviewed by Keith Miller.
2046
2047         Improve ECMA 402 compliance of typed array toLocaleString, passing along
2048         the locale and options to element toLocaleString calls.
2049
2050         * builtins/TypedArrayPrototype.js:
2051         (toLocaleString):
2052
2053 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
2054
2055         [INTL] Intl constructor lengths should be configurable
2056         https://bugs.webkit.org/show_bug.cgi?id=187960
2057
2058         Reviewed by Saam Barati.
2059
2060         Removed DontDelete from Intl constructor lengths.
2061         Fixed DateTimeFormat formatToParts length.
2062
2063         * runtime/IntlCollatorConstructor.cpp:
2064         (JSC::IntlCollatorConstructor::finishCreation):
2065         * runtime/IntlDateTimeFormatConstructor.cpp:
2066         (JSC::IntlDateTimeFormatConstructor::finishCreation):
2067         * runtime/IntlDateTimeFormatPrototype.cpp:
2068         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2069         * runtime/IntlNumberFormatConstructor.cpp:
2070         (JSC::IntlNumberFormatConstructor::finishCreation):
2071         * runtime/IntlPluralRulesConstructor.cpp:
2072         (JSC::IntlPluralRulesConstructor::finishCreation):
2073
2074 2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>
2075
2076         runJITThreadLimitTests is failing
2077         https://bugs.webkit.org/show_bug.cgi?id=187886
2078         <rdar://problem/42561966>
2079
2080         Unreviewed build fix for MSVC.
2081
2082         MSVC doesn't support ternary operator without second operand.
2083
2084         * dfg/DFGWorklist.cpp:
2085         (JSC::DFG::getNumberOfDFGCompilerThreads):
2086         (JSC::DFG::getNumberOfFTLCompilerThreads):
2087
2088 2018-07-24  Commit Queue  <commit-queue@webkit.org>
2089
2090         Unreviewed, rolling out r234183.
2091         https://bugs.webkit.org/show_bug.cgi?id=187983
2092
2093         cause regression in Kraken gaussian blur and desaturate
2094         (Requested by yusukesuzuki on #webkit).
2095
2096         Reverted changeset:
2097
2098         "[JSC] Record CoW status in ArrayProfile"
2099         https://bugs.webkit.org/show_bug.cgi?id=187949
2100         https://trac.webkit.org/changeset/234183
2101
2102 2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2103
2104         [JSC] Record CoW status in ArrayProfile
2105         https://bugs.webkit.org/show_bug.cgi?id=187949
2106
2107         Reviewed by Saam Barati.
2108
2109         Once CoW array is converted to non-CoW array, subsequent operations are done for this non-CoW array.
2110         Even though these operations are performed onto both CoW and non-CoW arrays in the code, array profiles
2111         in this code typically record only non-CoW arrays since array profiles hold only one StructureID recently
2112         seen. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
2113         CoW arrays.
2114
2115         In this patch, we record CoW status in ArrayProfile separately to construct more appropriate DFG::ArrayMode
2116         speculation. To do so efficiently, we store union of seen IndexingMode in ArrayProfile.
2117
2118         This patch removes one of Kraken/stanford-crypto-aes's OSR exit reason, and improves the performance by 6-7%.
2119
2120                                       baseline                  patched
2121
2122         stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
2123         stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster
2124
2125         * bytecode/ArrayProfile.cpp:
2126         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2127         * bytecode/ArrayProfile.h:
2128         (JSC::asArrayModes):
2129         We simplify asArrayModes instead of giving up the Int8ArrayMode - Float64ArrayMode contiguous sequence.
2130
2131         (JSC::ArrayProfile::ArrayProfile):
2132         (JSC::ArrayProfile::addressOfObservedIndexingModes):
2133         (JSC::ArrayProfile::observedIndexingModes const):
2134         Currently, our macro assembler and offlineasm only support the `or32` / `ori` operation on addresses.
2135         So we store the union of seen IndexingModes in an `unsigned` instead.
2136
2137         * dfg/DFGArrayMode.cpp:
2138         (JSC::DFG::ArrayMode::fromObserved):
2139         * dfg/DFGArrayMode.h:
2140         (JSC::DFG::ArrayMode::withProfile const):
2141         * jit/JITCall.cpp:
2142         (JSC::JIT::compileOpCall):
2143         * jit/JITCall32_64.cpp:
2144         (JSC::JIT::compileOpCall):
2145         * jit/JITInlines.h:
2146         (JSC::JIT::emitArrayProfilingSiteWithCell):
2147         * llint/LowLevelInterpreter.asm:
2148         * llint/LowLevelInterpreter32_64.asm:
2149         * llint/LowLevelInterpreter64.asm:
2150
2151 2018-07-24  Tim Horton  <timothy_horton@apple.com>
2152
2153         Enable Web Content Filtering on watchOS
2154         https://bugs.webkit.org/show_bug.cgi?id=187979
2155         <rdar://problem/42559346>
2156
2157         Reviewed by Wenson Hsieh.
2158
2159         * Configurations/FeatureDefines.xcconfig:
2160
2161 2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>
2162
2163         Don't modify Options when setting JIT thread limits
2164         https://bugs.webkit.org/show_bug.cgi?id=187886
2165
2166         Reviewed by Filip Pizlo.
2167
2168         Previously, when setting the JIT thread limit prior to the worklist
2169         initialization, it'd be set via Options, which didn't work if Options
2170         hadn't been initialized yet. Change it to use a static variable in the
2171         Worklist instead.
2172
2173         * API/JSVirtualMachine.mm:
2174         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
2175         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
2176         * API/tests/testapi.mm:
2177         (testObjectiveCAPIMain):
2178         * dfg/DFGWorklist.cpp:
2179         (JSC::DFG::getNumberOfDFGCompilerThreads):
2180         (JSC::DFG::getNumberOfFTLCompilerThreads):
2181         (JSC::DFG::setNumberOfDFGCompilerThreads):
2182         (JSC::DFG::setNumberOfFTLCompilerThreads):
2183         (JSC::DFG::ensureGlobalDFGWorklist):
2184         (JSC::DFG::ensureGlobalFTLWorklist):
2185         * dfg/DFGWorklist.h:
2186
2187 2018-07-24  Mark Lam  <mark.lam@apple.com>
2188
2189         Refactoring: make DFG::Plan a class.
2190         https://bugs.webkit.org/show_bug.cgi?id=187968
2191
2192         Reviewed by Saam Barati.
2193
2194         This patch makes all the DFG::Plan fields private, and provides accessor methods
2195         for them.  This makes it easier to reason about how these fields are used and
2196         modified.
2197
2198         * dfg/DFGAbstractInterpreterInlines.h:
2199         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2200         * dfg/DFGByteCodeParser.cpp:
2201         (JSC::DFG::ByteCodeParser::handleCall):
2202         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2203         (JSC::DFG::ByteCodeParser::handleInlining):
2204         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2205         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2206         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
2207         (JSC::DFG::ByteCodeParser::handleGetById):
2208         (JSC::DFG::ByteCodeParser::handlePutById):
2209         (JSC::DFG::ByteCodeParser::parseBlock):
2210         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2211         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2212         (JSC::DFG::ByteCodeParser::parse):
2213         * dfg/DFGCFAPhase.cpp:
2214         (JSC::DFG::CFAPhase::run):
2215         (JSC::DFG::CFAPhase::injectOSR):
2216         * dfg/DFGClobberize.h:
2217         (JSC::DFG::clobberize):
2218         * dfg/DFGCommonData.cpp:
2219         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2220         * dfg/DFGCommonData.h:
2221         * dfg/DFGConstantFoldingPhase.cpp:
2222         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2223         * dfg/DFGDriver.cpp:
2224         (JSC::DFG::compileImpl):
2225         * dfg/DFGFinalizer.h:
2226         * dfg/DFGFixupPhase.cpp:
2227         (JSC::DFG::FixupPhase::fixupNode):
2228         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2229         * dfg/DFGGraph.cpp:
2230         (JSC::DFG::Graph::Graph):
2231         (JSC::DFG::Graph::watchCondition):
2232         (JSC::DFG::Graph::inferredTypeFor):
2233         (JSC::DFG::Graph::requiredRegisterCountForExit):
2234         (JSC::DFG::Graph::registerFrozenValues):
2235         (JSC::DFG::Graph::registerStructure):
2236         (JSC::DFG::Graph::registerAndWatchStructureTransition):
2237         (JSC::DFG::Graph::assertIsRegistered):
2238         * dfg/DFGGraph.h:
2239         (JSC::DFG::Graph::compilation):
2240         (JSC::DFG::Graph::identifiers):
2241         (JSC::DFG::Graph::watchpoints):
2242         * dfg/DFGJITCompiler.cpp:
2243         (JSC::DFG::JITCompiler::JITCompiler):
2244         (JSC::DFG::JITCompiler::link):
2245         (JSC::DFG::JITCompiler::compile):
2246         (JSC::DFG::JITCompiler::compileFunction):
2247         (JSC::DFG::JITCompiler::disassemble):
2248         * dfg/DFGJITCompiler.h:
2249         (JSC::DFG::JITCompiler::addWeakReference):
2250         * dfg/DFGJITFinalizer.cpp:
2251         (JSC::DFG::JITFinalizer::finalize):
2252         (JSC::DFG::JITFinalizer::finalizeFunction):
2253         (JSC::DFG::JITFinalizer::finalizeCommon):
2254         * dfg/DFGOSREntrypointCreationPhase.cpp:
2255         (JSC::DFG::OSREntrypointCreationPhase::run):
2256         * dfg/DFGPhase.cpp:
2257         (JSC::DFG::Phase::beginPhase):
2258         * dfg/DFGPhase.h:
2259         (JSC::DFG::runAndLog):
2260         * dfg/DFGPlan.cpp:
2261         (JSC::DFG::Plan::Plan):
2262         (JSC::DFG::Plan::computeCompileTimes const):
2263         (JSC::DFG::Plan::reportCompileTimes const):
2264         (JSC::DFG::Plan::compileInThread):
2265         (JSC::DFG::Plan::compileInThreadImpl):
2266         (JSC::DFG::Plan::isStillValid):
2267         (JSC::DFG::Plan::reallyAdd):
2268         (JSC::DFG::Plan::notifyCompiling):
2269         (JSC::DFG::Plan::notifyReady):
2270         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2271         (JSC::DFG::Plan::finalizeAndNotifyCallback):
2272         (JSC::DFG::Plan::key):
2273         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2274         (JSC::DFG::Plan::finalizeInGC):
2275         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2276         (JSC::DFG::Plan::cancel):
2277         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
2278         * dfg/DFGPlan.h:
2279         (JSC::DFG::Plan::canTierUpAndOSREnter const):
2280         (JSC::DFG::Plan::vm const):
2281         (JSC::DFG::Plan::codeBlock):
2282         (JSC::DFG::Plan::mode const):
2283         (JSC::DFG::Plan::osrEntryBytecodeIndex const):
2284         (JSC::DFG::Plan::mustHandleValues const):
2285         (JSC::DFG::Plan::threadData const):
2286         (JSC::DFG::Plan::compilation const):
2287         (JSC::DFG::Plan::finalizer const):
2288         (JSC::DFG::Plan::setFinalizer):
2289         (JSC::DFG::Plan::inlineCallFrames const):
2290         (JSC::DFG::Plan::watchpoints):
2291         (JSC::DFG::Plan::identifiers):
2292         (JSC::DFG::Plan::weakReferences):
2293         (JSC::DFG::Plan::transitions):
2294         (JSC::DFG::Plan::recordedStatuses):
2295         (JSC::DFG::Plan::willTryToTierUp const):
2296         (JSC::DFG::Plan::setWillTryToTierUp):
2297         (JSC::DFG::Plan::tierUpInLoopHierarchy):
2298         (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
2299         (JSC::DFG::Plan::stage const):
2300         (JSC::DFG::Plan::callback const):
2301         (JSC::DFG::Plan::setCallback):
2302         * dfg/DFGPlanInlines.h:
2303         (JSC::DFG::Plan::iterateCodeBlocksForGC):
2304         * dfg/DFGPreciseLocalClobberize.h:
2305         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2306         * dfg/DFGPredictionInjectionPhase.cpp:
2307         (JSC::DFG::PredictionInjectionPhase::run):
2308         * dfg/DFGSafepoint.cpp:
2309         (JSC::DFG::Safepoint::Safepoint):
2310         (JSC::DFG::Safepoint::~Safepoint):
2311         (JSC::DFG::Safepoint::begin):
2312         * dfg/DFGSafepoint.h:
2313         * dfg/DFGSpeculativeJIT.h:
2314         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
2315         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
2316         * dfg/DFGStackLayoutPhase.cpp:
2317         (JSC::DFG::StackLayoutPhase::run):
2318         * dfg/DFGStrengthReductionPhase.cpp:
2319         (JSC::DFG::StrengthReductionPhase::handleNode):
2320         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2321         (JSC::DFG::TierUpCheckInjectionPhase::run):
2322         * dfg/DFGTypeCheckHoistingPhase.cpp:
2323         (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
2324         * dfg/DFGWorklist.cpp:
2325         (JSC::DFG::Worklist::isActiveForVM const):
2326         (JSC::DFG::Worklist::compilationState):
2327         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2328         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2329         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
2330         (JSC::DFG::Worklist::visitWeakReferences):
2331         (JSC::DFG::Worklist::removeDeadPlans):
2332         (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
2333         * dfg/DFGWorklistInlines.h:
2334         (JSC::DFG::Worklist::iterateCodeBlocksForGC):
2335         * ftl/FTLCompile.cpp:
2336         (JSC::FTL::compile):
2337         * ftl/FTLFail.cpp:
2338         (JSC::FTL::fail):
2339         * ftl/FTLJITFinalizer.cpp:
2340         (JSC::FTL::JITFinalizer::finalizeCommon):
2341         * ftl/FTLLink.cpp:
2342         (JSC::FTL::link):
2343         * ftl/FTLLowerDFGToB3.cpp:
2344         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2345         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2346         (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
2347         * ftl/FTLState.cpp:
2348         (JSC::FTL::State::State):
2349
2350 2018-07-24  Saam Barati  <sbarati@apple.com>
2351
2352         Make VM::canUseJIT an inlined function
2353         https://bugs.webkit.org/show_bug.cgi?id=187583
2354
2355         Reviewed by Mark Lam.
2356
2357         We know the answer to this query in initializeThreading after initializing
2358         the executable allocator. This patch makes it so that we just hold this value
2359         in a static variable and have an inlined function that just returns the value
2360         of that static variable.
2361
2362         * runtime/InitializeThreading.cpp:
2363         (JSC::initializeThreading):
2364         * runtime/VM.cpp:
2365         (JSC::VM::computeCanUseJIT):
2366         (JSC::VM::canUseJIT): Deleted.
2367         * runtime/VM.h:
2368         (JSC::VM::canUseJIT):
2369
2370 2018-07-24  Mark Lam  <mark.lam@apple.com>
2371
2372         Placate exception check verification after recent changes.
2373         https://bugs.webkit.org/show_bug.cgi?id=187961
2374         <rdar://problem/42545394>
2375
2376         Reviewed by Saam Barati.
2377
2378         * runtime/IntlObject.cpp:
2379         (JSC::intlNumberOption):
2380
2381 2018-07-23  Saam Barati  <sbarati@apple.com>
2382
2383         need to didFoldClobberWorld when we constant fold GetByVal
2384         https://bugs.webkit.org/show_bug.cgi?id=187917
2385         <rdar://problem/42505095>
2386
2387         Reviewed by Yusuke Suzuki.
2388
2389         * dfg/DFGAbstractInterpreterInlines.h:
2390         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2391
2392 2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>
2393
2394         [INTL] Language tags are not canonicalized
2395         https://bugs.webkit.org/show_bug.cgi?id=185836
2396
2397         Reviewed by Keith Miller.
2398
2399         Canonicalize language tags, replacing deprecated tag parts with the
2400         preferred values. Remove broken support for algorithmic numbering systems,
2401         which can cause an error in ICU and are not supported in other engines.
2402
2403         Generate the lookup functions from the language-subtag-registry.
2404
2405         Also initialize the UNumberFormat in initializeNumberFormat so any
2406         failures are thrown immediately instead of failing to format later.
2407
2408         * CMakeLists.txt:
2409         * DerivedSources.make:
2410         * JavaScriptCore.xcodeproj/project.pbxproj:
2411         * Scripts/generateIntlCanonicalizeLanguage.py: Added.
2412         * runtime/IntlDateTimeFormat.cpp:
2413         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2414         * runtime/IntlNumberFormat.cpp:
2415         (JSC::IntlNumberFormat::initializeNumberFormat):
2416         (JSC::IntlNumberFormat::formatNumber):
2417         (JSC::IntlNumberFormat::formatToParts):
2418         (JSC::IntlNumberFormat::createNumberFormat): Deleted.
2419         * runtime/IntlNumberFormat.h:
2420         * runtime/IntlObject.cpp:
2421         (JSC::intlNumberOption):
2422         (JSC::intlDefaultNumberOption):
2423         (JSC::preferredLanguage):
2424         (JSC::preferredRegion):
2425         (JSC::canonicalLangTag):
2426         (JSC::canonicalizeLanguageTag):
2427         (JSC::defaultLocale):
2428         (JSC::removeUnicodeLocaleExtension):
2429         (JSC::numberingSystemsForLocale):
2430         (JSC::grandfatheredLangTag): Deleted.
2431         * runtime/IntlObject.h:
2432         * runtime/IntlPluralRules.cpp:
2433         (JSC::IntlPluralRules::initializePluralRules):
2434         * runtime/JSGlobalObject.cpp:
2435         (JSC::addMissingScriptLocales):
2436         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
2437         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
2438         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
2439         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2440         * ucd/language-subtag-registry.txt: Added.
2441
2442 2018-07-23  Mark Lam  <mark.lam@apple.com>
2443
2444         Add some asserts to help diagnose a crash.
2445         https://bugs.webkit.org/show_bug.cgi?id=187915
2446         <rdar://problem/42508166>
2447
2448         Reviewed by Michael Saboff.
2449
2450         Add some asserts to verify that a CodeBlock alternative should always have a
2451         non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
2452         CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
2453         so that we'll retain the state of the variables that failed the assertion (again
2454         to help with diagnosis).
2455
2456         * bytecode/CodeBlock.cpp:
2457         (JSC::CodeBlock::setAlternative):
2458         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
2459         * dfg/DFGPlan.cpp:
2460         (JSC::DFG::Plan::Plan):
2461
2462 2018-07-23  Filip Pizlo  <fpizlo@apple.com>
2463
2464         Unreviewed, fix no-JIT build.
2465
2466         * bytecode/CallLinkStatus.cpp:
2467         (JSC::CallLinkStatus::computeFor):
2468         * bytecode/CodeBlock.cpp:
2469         (JSC::CodeBlock::finalizeUnconditionally):
2470         * bytecode/GetByIdStatus.cpp:
2471         (JSC::GetByIdStatus::computeFor):
2472         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2473         * bytecode/InByIdStatus.cpp:
2474         * bytecode/PutByIdStatus.cpp:
2475         (JSC::PutByIdStatus::computeForStubInfo):
2476
2477 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2478
2479         [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
2480         https://bugs.webkit.org/show_bug.cgi?id=187891
2481
2482         Reviewed by Saam Barati.
2483
2484         When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
2485         two variants are mergeable but have "Miss" status. We make merging fail if
2486         the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
2487         if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in the FTL,
2488         as that patch has more chances to merge variants.
2489
2490         This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
2491         is not related since it does not use this check in the Transition case.
2492
2493         * bytecode/GetByIdVariant.cpp:
2494         (JSC::GetByIdVariant::attemptToMerge):
2495         * bytecode/InByIdVariant.cpp:
2496         (JSC::InByIdVariant::attemptToMerge):
2497
2498 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2499
2500         [DFG] Fold GetByVal if the indexed value is non configurable and non writable
2501         https://bugs.webkit.org/show_bug.cgi?id=186462
2502
2503         Reviewed by Saam Barati.
2504
2505         Non-special DontDelete | ReadOnly properties mean that they won't be changed. If DFG AI can retrieve this
2506         property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
2507         Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.
2508
2509         This patch attempts to fold such properties into constants in DFG AI. The challenge is that DFG AI runs
2510         concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
2511         and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
2512         attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
2513         changed and we can safely use it. We arrange our existing code to use this protocol.
2514
2515         Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled on the x86 architecture
2516         since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only on x86.
2517
2518         This patch improves SixSpeed/template_string_tag.es6.
2519
2520                                           baseline                  patched
2521
2522         template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster
2523
2524         * dfg/DFGAbstractInterpreterInlines.h:
2525         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2526         * runtime/JSArray.cpp:
2527         (JSC::JSArray::setLengthWithArrayStorage):
2528         * runtime/JSObject.cpp:
2529         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2530         (JSC::JSObject::deletePropertyByIndex):
2531         (JSC::JSObject::getOwnPropertyNames):
2532         (JSC::putIndexedDescriptor):
2533         (JSC::JSObject::defineOwnIndexedProperty):
2534         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
2535         (JSC::JSObject::putIndexedDescriptor): Deleted.
2536         * runtime/JSObject.h:
2537         * runtime/SparseArrayValueMap.cpp:
2538         (JSC::SparseArrayValueMap::SparseArrayValueMap):
2539         (JSC::SparseArrayValueMap::add):
2540         (JSC::SparseArrayValueMap::putDirect):
2541         (JSC::SparseArrayValueMap::getConcurrently):
2542         (JSC::SparseArrayEntry::get const):
2543         (JSC::SparseArrayEntry::getConcurrently const):
2544         (JSC::SparseArrayEntry::put):
2545         (JSC::SparseArrayEntry::getNonSparseMode const):
2546         (JSC::SparseArrayValueMap::visitChildren):
2547         (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
2548         * runtime/SparseArrayValueMap.h:
2549         (JSC::SparseArrayEntry::SparseArrayEntry):
2550         (JSC::SparseArrayEntry::attributes const):
2551         (JSC::SparseArrayEntry::forceSet):
2552         (JSC::SparseArrayEntry::asValue):
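
The value-then-attributes publication protocol that this entry describes (value store, store-store fence, attributes store on the mutator; attributes load, load-load fence, value load on the compiler thread), as an added illustration that is not JSC's code. WTF::storeStoreFence / WTF::loadLoadFence are stood in for by standard C++ fences, and the `Entry` and `CallSiteModel` types, the helper functions and the attribute bit values are constructed for this example.

```cpp
#include <atomic>
#include <cstdint>
#include <cstdio>

// Attribute bits modelled on JSC's DontDelete / ReadOnly / Accessor. The numeric values are
// constructed for this example; they are not JSC's real PropertyAttribute values.
enum PropertyAttribute : unsigned {
    None       = 0,
    ReadOnly   = 1u << 0,
    DontDelete = 1u << 1,
    Accessor   = 1u << 2, // a "special" property: never foldable
};

// A property is immutable only when it is non-writable, non-configurable and not an accessor.
static bool isFoldableAttributes(unsigned attributes)
{
    const unsigned required = DontDelete | ReadOnly;
    return (attributes & required) == required && !(attributes & Accessor);
}

// Hypothetical stand-in for a SparseArrayEntry: one indexed value plus its attributes. Fields are
// atomics accessed relaxed so the cross-thread reads are well-defined C++; the ordering that the
// protocol relies on comes from the fences, not from the atomics.
struct Entry {
    std::atomic<int64_t> value { 0 };
    std::atomic<unsigned> attributes { None };

    // Mutator side: store the value, fence, then store the attributes. The release fence plays
    // the role of WTF::storeStoreFence: the attribute store cannot become visible before the
    // value store, so a reader that observes DontDelete|ReadOnly also observes the final value.
    // Returns false when the entry is already frozen and a different value is requested, since
    // a non-configurable, non-writable property cannot be redefined to another value.
    bool put(int64_t newValue, unsigned newAttributes)
    {
        if (isFoldableAttributes(attributes.load(std::memory_order_relaxed)))
            return newValue == value.load(std::memory_order_relaxed);
        value.store(newValue, std::memory_order_relaxed);
        std::atomic_thread_fence(std::memory_order_release);
        attributes.store(newAttributes, std::memory_order_relaxed);
        return true;
    }

    // Compiler-thread side (DFG AI): load attributes, fence (the role of WTF::loadLoadFence),
    // then load the value. Only when the attributes say the property is immutable is the value
    // trustworthy; otherwise the mutator may still change it and folding would be unsound.
    bool getConcurrently(int64_t& out) const
    {
        unsigned observed = attributes.load(std::memory_order_relaxed);
        std::atomic_thread_fence(std::memory_order_acquire);
        if (!isFoldableAttributes(observed))
            return false;
        out = value.load(std::memory_order_relaxed);
        return true;
    }
};

// Tiny model of a tagged-template callsite array: indices 0 and 1 are DontDelete|ReadOnly as the
// entry describes, index 2 is a plain writable index (constructed sample data).
struct CallSiteModel {
    Entry entries[3];

    CallSiteModel()
    {
        entries[0].put(10, DontDelete | ReadOnly);
        entries[1].put(20, DontDelete | ReadOnly);
        entries[2].put(30, DontDelete);
    }

    // What the AI would do for GetByVal: true plus the constant when the index can be folded.
    bool tryFoldGetByVal(unsigned index, int64_t& out) const
    {
        if (index >= 3)
            return false;
        return entries[index].getConcurrently(out);
    }
};

// Folded constant at an index of a fresh CallSiteModel, or -1 when the index is not foldable.
int64_t foldedConstantAt(unsigned index)
{
    CallSiteModel site;
    int64_t v = 0;
    return site.tryFoldGetByVal(index, v) ? v : -1;
}

// Edge cases: an accessor with the immutable bits set is still not foldable, and a frozen entry
// only accepts a redefinition to the same value.
bool accessorEntryIsFoldable()
{
    Entry e;
    e.put(5, DontDelete | ReadOnly | Accessor);
    int64_t v = 0;
    return e.getConcurrently(v);
}

bool frozenEntryRejectsDifferentValue()
{
    Entry e;
    return e.put(42, DontDelete | ReadOnly) && !e.put(43, DontDelete | ReadOnly)
        && e.put(42, DontDelete | ReadOnly);
}

int main()
{
    for (unsigned i = 0; i < 3; ++i)
        std::printf("index %u -> %lld\n", i, static_cast<long long>(foldedConstantAt(i)));
    return 0;
}
```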
2553
2554 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
2555
2556         We should support CreateThis in the FTL
2557         https://bugs.webkit.org/show_bug.cgi?id=164904
2558
2559         Reviewed by Yusuke Suzuki.
2560         
2561         This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
2562         inference adventure.
2563         
2564         CreateThis in the FTL was a massive regression in raytrace because it disturbed that
2565         benchmark's extremely perverse way of winning at type inference:
2566         
2567         - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
2568           the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
2569           benchmark was falling back to other mechanisms...
2570         
2571         - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
2572           see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
2573           GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
2574           that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
2575           The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
2576           is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
2577           
2578           Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
2579           into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
2580           baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
2581           helper because it had a CreateThis.
2582         
2583         - Compilations that inlined the construction helper would have gotten super lucky with
2584           parse-time constant folding, so they knew what structure the input to the get_by_id would
2585           have at parse time. This is only profitable if the get_by_id parsing computed a
2586           GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
2587           the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
2588           cases, we would indeed get a finite number of cases. The parser would then prune those
2589           cases to just one - based on its knowledge of the structure - and that would result in that
2590           get_by_id being folded at parse time to a constant.
2591         
2592         - The subsequent op_call would inline based on parse-time knowledge of that constant.
2593         
2594         This patch comprehensively fixes these issues, as well as other issues that come up along the
2595         way. The short version is that raytrace was revealing sloppiness in our use of profiling for
2596         type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
2597         i.e. the profiling that considers call context. I was encouraged to do this by the fact that
2598         even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
2599         Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
2600         attack raytrace's problem as a shortcoming of polyvariant profiling.
2601         
2602         - Polyvariant profiling now consults every DFG or FTL code block that participated in any
2603           subset of the inline stack that includes the IC we're profiling. For example, if we have
2604           an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
2605           compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
2606           up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
2607           a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
2608           polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
2609           from polyvariant profiling. Previously, the polyvariant profiler would only look at the
2610           previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
2611           had inlined bar and then baz. It may not have done that, because those calls could have
2612           required polyvariant profiling that was only available in the FTL.
2613           
2614         - A particularly interesting case is when some IC in foo-baseline is also available in
2615           foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
2616           In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
2617           the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
2618           find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
2619           merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
2620           because it warns us of historical polymorphism. Historical polymorphism usually means
2621           future polymorphism. IC status code already had some merging functionality, but I needed to
2622           beef it up a lot to make this work right.
2623         
2624         - Inlining an inline cache now preserves as much information as profiling. One challenge of
2625           polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
2626           inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
2627           (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
2628           say "I don't have such an IC". At this point the DFG compilation that included that IC that
2629           gave us the information that we used to inline the IC is no longer alive. To keep us from
2630           losing the information we learned about the IC, there is now a RecordedStatuses data
2631           structure that preserves the statuses we use for inlining ICs. We also filter those
2632           statuses according to things we learn from AI. This further reduces the risk of information
2633           about an IC being forgotten.
2634         
2635         - Exit profiling now considers whether or not an exit happened from inline code. This
2636           protects us in the case where the not-inlined version of an IC exited a lot because of
2637           polymorphism that doesn't exist in the inlined version. So, when using polyvariant
2638           profiling data, we consider only inlined exits.
2639         
2640         - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
2641           would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
2642           surprising that we've had this bug.
2643         
2644         Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
2645         microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
2646         Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
2647         prototype access folding in the bytecode parser and constant folder. That would require some
2648         significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
2649         have a test that captures raytrace's behavior in the case that the parser cannot fold the
2650         get_by_id.
2651         
2652         This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
2653         recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
2654         compile time regression anytime we fill in FTL coverage.
2655         
2656         This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
2657         speeds up and that raytrace slows down, but these changes balance out and don't affect the
2658         overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
2659         or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
2660         0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
2661         see a significant difference. In all three cases the difference is <0.5% with a high p value,
2662         with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
2663         an insignificant infinitesimal slow-down.
2664         
2665         Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
2666         eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
2667         flow in a polymorphic constructor while having a bad time, and we'll still compile it.
2668
2669         * CMakeLists.txt:
2670         * JavaScriptCore.xcodeproj/project.pbxproj:
2671         * Sources.txt:
2672         * bytecode/ByValInfo.h:
2673         * bytecode/BytecodeDumper.cpp:
2674         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
2675         (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
2676         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
2677         (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
2678         (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
2679         (JSC::BytecodeDumper<Block>::printCallOp):
2680         (JSC::BytecodeDumper<Block>::dumpBytecode):
2681         (JSC::BytecodeDumper<Block>::dumpBlock):
2682         * bytecode/BytecodeDumper.h:
2683         * bytecode/CallLinkInfo.h:
2684         * bytecode/CallLinkStatus.cpp:
2685         (JSC::CallLinkStatus::computeFor):
2686         (JSC::CallLinkStatus::computeExitSiteData):
2687         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2688         (JSC::CallLinkStatus::accountForExits):
2689         (JSC::CallLinkStatus::finalize):
2690         (JSC::CallLinkStatus::filter):
2691         (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
2692         * bytecode/CallLinkStatus.h:
2693         (JSC::CallLinkStatus::operator bool const):
2694         (JSC::CallLinkStatus::operator! const): Deleted.
2695         * bytecode/CallVariant.cpp:
2696         (JSC::CallVariant::finalize):
2697         (JSC::CallVariant::filter):
2698         * bytecode/CallVariant.h:
2699         (JSC::CallVariant::operator bool const):
2700         (JSC::CallVariant::operator! const): Deleted.
2701         * bytecode/CodeBlock.cpp:
2702         (JSC::CodeBlock::dumpBytecode):
2703         (JSC::CodeBlock::propagateTransitions):
2704         (JSC::CodeBlock::finalizeUnconditionally):
2705         (JSC::CodeBlock::getICStatusMap):
2706         (JSC::CodeBlock::resetJITData):
2707         (JSC::CodeBlock::getStubInfoMap): Deleted.
2708         (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
2709         (JSC::CodeBlock::getByValInfoMap): Deleted.
2710         * bytecode/CodeBlock.h:
2711         * bytecode/CodeOrigin.cpp:
2712         (JSC::CodeOrigin::isApproximatelyEqualTo const):
2713         (JSC::CodeOrigin::approximateHash const):
2714         * bytecode/CodeOrigin.h:
2715         (JSC::CodeOrigin::exitingInlineKind const):
2716         * bytecode/DFGExitProfile.cpp:
2717         (JSC::DFG::FrequentExitSite::dump const):
2718         (JSC::DFG::ExitProfile::add):
2719         * bytecode/DFGExitProfile.h:
2720         (JSC::DFG::FrequentExitSite::FrequentExitSite):
2721         (JSC::DFG::FrequentExitSite::operator== const):
2722         (JSC::DFG::FrequentExitSite::subsumes const):
2723         (JSC::DFG::FrequentExitSite::hash const):
2724         (JSC::DFG::FrequentExitSite::inlineKind const):
2725         (JSC::DFG::FrequentExitSite::withInlineKind const):
2726         (JSC::DFG::QueryableExitProfile::hasExitSite const):
2727         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
2728         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
2729         * bytecode/ExitFlag.cpp: Added.
2730         (JSC::ExitFlag::dump const):
2731         * bytecode/ExitFlag.h: Added.
2732         (JSC::ExitFlag::ExitFlag):
2733         (JSC::ExitFlag::operator| const):
2734         (JSC::ExitFlag::operator|=):
2735         (JSC::ExitFlag::operator& const):
2736         (JSC::ExitFlag::operator&=):
2737         (JSC::ExitFlag::operator bool const):
2738         (JSC::ExitFlag::isSet const):
2739         * bytecode/ExitingInlineKind.cpp: Added.
2740         (WTF::printInternal):
2741         * bytecode/ExitingInlineKind.h: Added.
2742         * bytecode/GetByIdStatus.cpp:
2743         (JSC::GetByIdStatus::computeFor):
2744         (JSC::GetByIdStatus::computeForStubInfo):
2745         (JSC::GetByIdStatus::slowVersion const):
2746         (JSC::GetByIdStatus::markIfCheap):
2747         (JSC::GetByIdStatus::finalize):
2748         (JSC::GetByIdStatus::hasExitSite): Deleted.
2749         * bytecode/GetByIdStatus.h:
2750         * bytecode/GetByIdVariant.cpp:
2751         (JSC::GetByIdVariant::markIfCheap):
2752         (JSC::GetByIdVariant::finalize):
2753         * bytecode/GetByIdVariant.h:
2754         * bytecode/ICStatusMap.cpp: Added.
2755         (JSC::ICStatusContext::get const):
2756         (JSC::ICStatusContext::isInlined const):
2757         (JSC::ICStatusContext::inlineKind const):
2758         * bytecode/ICStatusMap.h: Added.
2759         * bytecode/ICStatusUtils.cpp: Added.
2760         (JSC::hasBadCacheExitSite):
2761         * bytecode/ICStatusUtils.h:
2762         * bytecode/InstanceOfStatus.cpp:
2763         (JSC::InstanceOfStatus::computeFor):
2764         * bytecode/InstanceOfStatus.h:
2765         * bytecode/PolyProtoAccessChain.h:
2766         * bytecode/PutByIdStatus.cpp:
2767         (JSC::PutByIdStatus::hasExitSite):
2768         (JSC::PutByIdStatus::computeFor):
2769         (JSC::PutByIdStatus::slowVersion const):
2770         (JSC::PutByIdStatus::markIfCheap):
2771         (JSC::PutByIdStatus::finalize):
2772         (JSC::PutByIdStatus::filter):
2773         * bytecode/PutByIdStatus.h:
2774         * bytecode/PutByIdVariant.cpp:
2775         (JSC::PutByIdVariant::markIfCheap):
2776         (JSC::PutByIdVariant::finalize):
2777         * bytecode/PutByIdVariant.h:
2778         (JSC::PutByIdVariant::structureSet const):
2779         * bytecode/RecordedStatuses.cpp: Added.
2780         (JSC::RecordedStatuses::operator=):
2781         (JSC::RecordedStatuses::RecordedStatuses):
2782         (JSC::RecordedStatuses::addCallLinkStatus):
2783         (JSC::RecordedStatuses::addGetByIdStatus):
2784         (JSC::RecordedStatuses::addPutByIdStatus):
2785         (JSC::RecordedStatuses::markIfCheap):
2786         (JSC::RecordedStatuses::finalizeWithoutDeleting):
2787         (JSC::RecordedStatuses::finalize):
2788         (JSC::RecordedStatuses::shrinkToFit):
2789         * bytecode/RecordedStatuses.h: Added.
2790         (JSC::RecordedStatuses::RecordedStatuses):
2791         (JSC::RecordedStatuses::forEachVector):
2792         * bytecode/StructureSet.cpp:
2793         (JSC::StructureSet::markIfCheap const):
2794         (JSC::StructureSet::isStillAlive const):
2795         * bytecode/StructureSet.h:
2796         * bytecode/TerminatedCodeOrigin.h: Added.
2797         (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
2798         (JSC::TerminatedCodeOriginHashTranslator::hash):
2799         (JSC::TerminatedCodeOriginHashTranslator::equal):
2800         * bytecode/Watchpoint.cpp:
2801         (WTF::printInternal):
2802         * bytecode/Watchpoint.h:
2803         * dfg/DFGAbstractInterpreter.h:
2804         * dfg/DFGAbstractInterpreterInlines.h:
2805         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2806         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
2807         * dfg/DFGByteCodeParser.cpp:
2808         (JSC::DFG::ByteCodeParser::handleCall):
2809         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2810         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2811         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
2812         (JSC::DFG::ByteCodeParser::handleGetById):
2813         (JSC::DFG::ByteCodeParser::handlePutById):
2814         (JSC::DFG::ByteCodeParser::parseBlock):
2815         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2816         (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
2817         (JSC::DFG::ByteCodeParser::parse):
2818         * dfg/DFGClobberize.h:
2819         (JSC::DFG::clobberize):
2820         * dfg/DFGClobbersExitState.cpp:
2821         (JSC::DFG::clobbersExitState):
2822         * dfg/DFGCommonData.h:
2823         * dfg/DFGConstantFoldingPhase.cpp:
2824         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2825         * dfg/DFGDesiredWatchpoints.h:
2826         (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
2827         * dfg/DFGDoesGC.cpp:
2828         (JSC::DFG::doesGC):
2829         * dfg/DFGFixupPhase.cpp:
2830         (JSC::DFG::FixupPhase::fixupNode):
2831         * dfg/DFGGraph.cpp:
2832         (JSC::DFG::Graph::dump):
2833         * dfg/DFGMayExit.cpp:
2834         * dfg/DFGNode.h:
2835         (JSC::DFG::Node::hasCallLinkStatus):
2836         (JSC::DFG::Node::callLinkStatus):
2837         (JSC::DFG::Node::hasGetByIdStatus):
2838         (JSC::DFG::Node::getByIdStatus):
2839         (JSC::DFG::Node::hasPutByIdStatus):
2840         (JSC::DFG::Node::putByIdStatus):
2841         * dfg/DFGNodeType.h:
2842         * dfg/DFGOSRExitBase.cpp:
2843         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2844         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2845         * dfg/DFGPlan.cpp:
2846         (JSC::DFG::Plan::reallyAdd):
2847         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2848         (JSC::DFG::Plan::finalizeInGC):
2849         * dfg/DFGPlan.h:
2850         * dfg/DFGPredictionPropagationPhase.cpp:
2851         * dfg/DFGSafeToExecute.h:
2852         (JSC::DFG::safeToExecute):
2853         * dfg/DFGSpeculativeJIT32_64.cpp:
2854         (JSC::DFG::SpeculativeJIT::compile):
2855         * dfg/DFGSpeculativeJIT64.cpp:
2856         (JSC::DFG::SpeculativeJIT::compile):
2857         * dfg/DFGStrengthReductionPhase.cpp:
2858         (JSC::DFG::StrengthReductionPhase::handleNode):
2859         * dfg/DFGWorklist.cpp:
2860         (JSC::DFG::Worklist::removeDeadPlans):
2861         * ftl/FTLAbstractHeapRepository.h:
2862         * ftl/FTLCapabilities.cpp:
2863         (JSC::FTL::canCompile):
2864         * ftl/FTLLowerDFGToB3.cpp:
2865         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2866         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
2867         (JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus):
2868         * jit/PolymorphicCallStubRoutine.cpp:
2869         (JSC::PolymorphicCallStubRoutine::hasEdges const):
2870         (JSC::PolymorphicCallStubRoutine::edges const):
2871         * jit/PolymorphicCallStubRoutine.h:
2872         * profiler/ProfilerBytecodeSequence.cpp:
2873         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
2874         * runtime/FunctionRareData.cpp:
2875         (JSC::FunctionRareData::initializeObjectAllocationProfile):
2876         * runtime/Options.h:
2877
2878 2018-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2879
2880         [JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function
2881         https://bugs.webkit.org/show_bug.cgi?id=187472
2882
2883         Reviewed by Mark Lam.
2884
2885         std::function allocates memory from standard malloc instead of bmalloc. Instead of
2886         using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}.
2887
2888         This patch attempts to replace std::function with the above WTF function types.
2889         If the function's lifetime can be the same as the stack's, we can use ScopedLambda, which
2890         is really efficient. Otherwise, we should use WTF::Function.
2891         For recurring use cases, we can use RecursableLambda.
2892
2893         * assembler/MacroAssembler.cpp:
2894         (JSC::stdFunctionCallback):
2895         (JSC::MacroAssembler::probe):
2896         * assembler/MacroAssembler.h:
2897         * b3/air/AirDisassembler.cpp:
2898         (JSC::B3::Air::Disassembler::dump):
2899         * b3/air/AirDisassembler.h:
2900         * bytecompiler/BytecodeGenerator.cpp:
2901         (JSC::BytecodeGenerator::BytecodeGenerator):
2902         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2903         (JSC::BytecodeGenerator::emitEnumeration):
2904         * bytecompiler/BytecodeGenerator.h:
2905         * bytecompiler/NodesCodegen.cpp:
2906         (JSC::ArrayNode::emitBytecode):
2907         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2908         (JSC::ForOfNode::emitBytecode):
2909         * dfg/DFGSpeculativeJIT.cpp:
2910         (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
2911         (JSC::DFG::SpeculativeJIT::compileMathIC):
2912         * dfg/DFGSpeculativeJIT.h:
2913         * dfg/DFGSpeculativeJIT64.cpp:
2914         (JSC::DFG::SpeculativeJIT::compile):
2915         * dfg/DFGValidate.cpp:
2916         * ftl/FTLCompile.cpp:
2917         (JSC::FTL::compile):
2918         * heap/HeapSnapshotBuilder.cpp:
2919         (JSC::HeapSnapshotBuilder::json):
2920         * heap/HeapSnapshotBuilder.h:
2921         * interpreter/StackVisitor.cpp:
2922         (JSC::StackVisitor::Frame::dump const):
2923         * interpreter/StackVisitor.h:
2924         * runtime/PromiseDeferredTimer.h:
2925         * runtime/VM.cpp:
2926         (JSC::VM::whenIdle):
2927         (JSC::enableProfilerWithRespectToCount):
2928         (JSC::disableProfilerWithRespectToCount):
2929         * runtime/VM.h:
2930         * runtime/VMEntryScope.cpp:
2931         (JSC::VMEntryScope::addDidPopListener):
2932         * runtime/VMEntryScope.h:
2933         * tools/HeapVerifier.cpp:
2934         (JSC::HeapVerifier::verifyCellList):
2935         (JSC::HeapVerifier::validateCell):
2936         (JSC::HeapVerifier::validateJSCell):
2937         * tools/HeapVerifier.h:
2938
2939 2018-07-20  Michael Saboff  <msaboff@apple.com>
2940
2941         DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
2942         https://bugs.webkit.org/show_bug.cgi?id=187827
2943         rdar://problem/42146858
2944
2945         Reviewed by Saam Barati.
2946
2947         When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
2948         that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
2949         We can't end up with other shapes (Int32, Double, etc.) because GenericArguments sets
2950         InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
2951         putByIndex() path that doesn't change the shape.
2952
2953         * dfg/DFGArrayMode.h:
2954         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
2955
2956 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2957
2958         [DFG] Fold GetByVal if Array is CoW
2959         https://bugs.webkit.org/show_bug.cgi?id=186459
2960
2961         Reviewed by Saam Barati.
2962
2963         CoW indexing type means that we now track the changes in CoW Array by structure. So DFG has a chance to
2964         fold GetByVal if the given array is CoW. This patch folds GetByVal onto the CoW Array. If the structure
2965         is watched and the butterfly is JSImmutableButterfly, we can load the value from this butterfly.
2966
2967         This can be useful since these CoW arrays are used for a storage for constants. Constant-indexed access
2968         to these constant arrays can be folded into an actual constant by this patch.
2969
2970                                            baseline                  patched
2971
2972         template_string.es6          4993.9853+-147.5308   ^    824.1685+-44.1839       ^ definitely 6.0594x faster
2973         template_string_tag.es5        67.0822+-2.0100     ^      9.3540+-0.5376        ^ definitely 7.1715x faster
2974
2975         * dfg/DFGAbstractInterpreterInlines.h:
2976         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2977
2978 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2979
2980         [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
2981         https://bugs.webkit.org/show_bug.cgi?id=186602
2982
2983         Reviewed by Saam Barati.
2984
2985         JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
2986         change the part of the butterfly, length etc. We prove that our procedure is safe, and
2987         drop the cellLock() here.
2988
2989         * runtime/JSObject.cpp:
2990         (JSC::JSObject::convertContiguousToArrayStorage):
2991
2992 2018-07-20  Saam Barati  <sbarati@apple.com>
2993
2994         CompareEq should be using KnownOtherUse instead of OtherUse
2995         https://bugs.webkit.org/show_bug.cgi?id=186814
2996         <rdar://problem/39720030>
2997
2998         Reviewed by Filip Pizlo.
2999
3000         CompareEq in fixup phase was doing this:
3001         insertCheck(child, OtherUse)
3002         setUseKind(child, OtherUse)
3003         And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
3004         lead to edge verification crashing because a phase may optimize the check out
3005         by removing the node. However, AI may not be privy to that optimization, and
3006         AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
3007         backend to actually emit a check here, but it does not.
3008
3009         This exact pattern is why we have KnownXYZ use kinds. This patch introduces
3010         KnownOtherUse and changes the above pattern to be:
3011         insertCheck(child, OtherUse)
3012         setUseKind(child, KnownOtherUse)
3013
3014         * dfg/DFGFixupPhase.cpp:
3015         (JSC::DFG::FixupPhase::fixupNode):
3016         * dfg/DFGSafeToExecute.h:
3017         (JSC::DFG::SafeToExecuteEdge::operator()):
3018         * dfg/DFGSpeculativeJIT.cpp:
3019         (JSC::DFG::SpeculativeJIT::speculate):
3020         * dfg/DFGUseKind.cpp:
3021         (WTF::printInternal):
3022         * dfg/DFGUseKind.h:
3023         (JSC::DFG::typeFilterFor):
3024         (JSC::DFG::shouldNotHaveTypeCheck):
3025         (JSC::DFG::checkMayCrashIfInputIsEmpty):
3026         * dfg/DFGWatchpointCollectionPhase.cpp:
3027         (JSC::DFG::WatchpointCollectionPhase::handle):
3028         * ftl/FTLCapabilities.cpp:
3029         (JSC::FTL::canCompile):
3030         * ftl/FTLLowerDFGToB3.cpp:
3031         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
3032         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3033
3034 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3035
3036         [JSC] A bit performance improvement for Object.assign by cleaning up code
3037         https://bugs.webkit.org/show_bug.cgi?id=187852
3038
3039         Reviewed by Saam Barati.
3040
3041         We clean up Object.assign code a bit.
3042
3043         1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
3044         2. canDoFastPath is not necessary. Restructuring the code to clean up things.
3045
3046         It improves the performance a bit.
3047
3048                                     baseline                  patched
3049
3050         object-assign.es6      237.7719+-5.5175          231.2856+-4.6907          might be 1.0280x faster
3051
3052         * runtime/ObjectConstructor.cpp:
3053         (JSC::objectConstructorAssign):
3054
3055 2018-07-19  Carlos Garcia Campos  <cgarcia@igalia.com>
3056
3057         [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
3058         https://bugs.webkit.org/show_bug.cgi?id=187798
3059
3060         Reviewed by Michael Catanzaro.
3061
3062         Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
3063         jsc_value_new_object() because indeed we are creating a new object. This makes the destroy function and vtable
3064         functions work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
3065         patch adds JSAPIWrapperGlobalObject for that.
3066
3067         * API/glib/JSAPIWrapperGlobalObject.cpp: Added.
3068         (jsAPIWrapperGlobalObjectHandleOwner):
3069         (JSAPIWrapperGlobalObjectHandleOwner::finalize):
3070         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
3071         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
3072         (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
3073         (JSC::JSAPIWrapperGlobalObject::finishCreation):
3074         (JSC::JSAPIWrapperGlobalObject::visitChildren):
3075         * API/glib/JSAPIWrapperGlobalObject.h: Added.
3076         (JSC::JSAPIWrapperGlobalObject::wrappedObject const):
3077         (JSC::JSAPIWrapperGlobalObject::setWrappedObject):
3078         * API/glib/JSCClass.cpp:
3079         (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
3080         (wrappedObjectClass): Return the class of a wrapped object.
3081         (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
3082         scope extension global object is used instead.
3083         (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
3084         (setProperty): Ditto.
3085         (hasProperty): Ditto.
3086         (deleteProperty): Ditto.
3087         (getPropertyNames): Ditto.
3088         (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
3089         * API/glib/JSCClassPrivate.h:
3090         * API/glib/JSCContext.cpp:
3091         (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
3092         (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
3093         * API/glib/JSCContext.h:
3094         * API/glib/JSCContextPrivate.h:
3095         * API/glib/JSCWrapperMap.cpp:
3096         (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
3097         when a JSCClass is used to create the JSAPIWrapperGlobalObject.
3098         (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
3099         * API/glib/JSCWrapperMap.h:
3100         * GLib.cmake:
3101
3102 2018-07-19  Saam Barati  <sbarati@apple.com>
3103
3104         Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
3105         https://bugs.webkit.org/show_bug.cgi?id=187836
3106         <rdar://problem/42409527>
3107
3108         Reviewed by Mark Lam.
3109
3110         We have crash reports that we're crashing on source->getDirect in Object.assign's
3111         fast path. Mark investigated this and determined we end up with a nullptr for
3112         butterfly. This is curious, because source's Structure indicated that it has
3113         out of line properties. My leading hypothesis for this at the moment is a bit
3114         handwavy, but it's essentially:
3115         - We end up firing a watchpoint when assigning to the target (this can happen
3116         if a watchpoint was set up for storing to that particular field)
3117         - When we fire that watchpoint, we end up doing some kind of work on the source,
3118         perhaps causing it to flattenDictionaryStructure. Therefore, we end up
3119         mutating source.
3120
3121         I'm not super convinced this is what we're running into, but just by reading
3122         the code, I think it needs to be something similar to this. Seeing if this change
3123         fixes the crasher will give us good data to determine if something like this is
3124         happening or if the bug is something else entirely.
3125
3126         * runtime/ObjectConstructor.cpp:
3127         (JSC::objectConstructorAssign):
3128
3129 2018-07-19  Commit Queue  <commit-queue@webkit.org>
3130
3131         Unreviewed, rolling out r233998.
3132         https://bugs.webkit.org/show_bug.cgi?id=187815
3133
3134         Not needed. (Requested by mlam|a on #webkit).
3135
3136         Reverted changeset:
3137
3138         "Temporarily mitigate a bug where a source provider is null
3139         when it shouldn't be."
3140         https://bugs.webkit.org/show_bug.cgi?id=187812
3141         https://trac.webkit.org/changeset/233998
3142
3143 2018-07-19  Mark Lam  <mark.lam@apple.com>
3144
3145         Temporarily mitigate a bug where a source provider is null when it shouldn't be.
3146         https://bugs.webkit.org/show_bug.cgi?id=187812
3147         <rdar://problem/41192691>
3148
3149         Reviewed by Michael Saboff.
3150
3151         Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.
3152
3153         * runtime/Error.cpp:
3154         (JSC::addErrorInfo):
3155
3156 2018-07-19  Keith Rollin  <krollin@apple.com>
3157
3158         Adjust WEBCORE_EXPORT annotations for LTO
3159         https://bugs.webkit.org/show_bug.cgi?id=187781
3160         <rdar://problem/42351124>
3161
3162         Reviewed by Alex Christensen.
3163
3164         Continuation of Bug 186944. This bug addresses issues not caught
3165         during the first pass of adjustments. The initial work focussed on
3166         macOS; this one addresses issues found when building for iOS. From
3167         186944:
3168
3169         Adjust a number of places that result in WebKit's
3170         'check-for-weak-vtables-and-externals' script reporting weak external
3171         symbols:
3172
3173             ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
3174             ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
3175             ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
3176             ...
3177
3178         These cases are caused by inline methods being marked with WTF_EXPORT
3179         (or related macro) or with an inline function being in a class marked
3180         as such, and when enabling LTO builds.
3181
3182         For the most part, address these by removing the WEBCORE_EXPORT
3183         annotation from inline methods. In some cases, move the implementation
3184         out-of-line because it's the class that has the WEBCORE_EXPORT on it
3185         and removing the annotation from the class would be too disruptive.
3186         Finally, in other cases, move the implementation out-of-line because
3187         check-for-weak-vtables-and-externals still complains when keeping the
3188         implementation inline and removing the annotation; this seems to
3189         typically (but not always) happen with destructors.
3190
3191         * inspector/remote/RemoteAutomationTarget.cpp:
3192         (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
3193         * inspector/remote/RemoteAutomationTarget.h:
3194         * inspector/remote/RemoteInspector.cpp:
3195         (Inspector::RemoteInspector::Client::~Client):
3196         * inspector/remote/RemoteInspector.h:
3197
3198 2018-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3199
3200         Unreviewed, check scope after performing getPropertySlot in JSON.stringify
3201         https://bugs.webkit.org/show_bug.cgi?id=187807
3202
3203         Properly putting EXCEPTION_ASSERT to tell our exception checker mechanism
3204         that we know about that exception occurrence and handle it well.
3205
3206         * runtime/JSONObject.cpp:
3207         (JSC::Stringifier::Holder::appendNextProperty):
3208
3209 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3210
3211         [JSC] Reduce size of AST nodes
3212         https://bugs.webkit.org/show_bug.cgi?id=187689
3213
3214         Reviewed by Mark Lam.
3215
3216         We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
3217         of ParserArena at peak state.
3218
3219         1. Annotate `final` to AST nodes to make them solid. And it allows the compiler to
3220         devirtualize calls to functions which are implemented in a final class.
3221
3222         2. Use default member initializers more.
3223
3224         3. And use `nullptr` instead of `0`.
3225
3226         4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
3227         of classes in multiple inheritance. In particular, StatementNode is decreased from 48
3228         to 40. This decreases the sizes of all the derived Statement nodes.
3229
3230         * parser/NodeConstructors.h:
3231         (JSC::Node::Node):
3232         (JSC::StatementNode::StatementNode):
3233         (JSC::ElementNode::ElementNode):
3234         (JSC::ArrayNode::ArrayNode):
3235         (JSC::PropertyListNode::PropertyListNode):
3236         (JSC::ObjectLiteralNode::ObjectLiteralNode):
3237         (JSC::ArgumentListNode::ArgumentListNode):
3238         (JSC::ArgumentsNode::ArgumentsNode):
3239         (JSC::NewExprNode::NewExprNode):
3240         (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
3241         (JSC::BinaryOpNode::BinaryOpNode):
3242         (JSC::LogicalOpNode::LogicalOpNode):
3243         (JSC::CommaNode::CommaNode):
3244         (JSC::SourceElements::SourceElements):
3245         (JSC::ClauseListNode::ClauseListNode):
3246         * parser/Nodes.cpp:
3247         (JSC::FunctionMetadataNode::FunctionMetadataNode):
3248         (JSC::FunctionMetadataNode::operator== const):
3249         (JSC::FunctionMetadataNode::dump const):
3250         * parser/Nodes.h:
3251         (JSC::BooleanNode::value): Deleted.
3252         (JSC::StringNode::value): Deleted.
3253         (JSC::TemplateExpressionListNode::value): Deleted.
3254         (JSC::TemplateExpressionListNode::next): Deleted.
3255         (JSC::TemplateStringNode::cooked): Deleted.
3256         (JSC::TemplateStringNode::raw): Deleted.
3257         (JSC::TemplateStringListNode::value): Deleted.
3258         (JSC::TemplateStringListNode::next): Deleted.
3259         (JSC::TemplateLiteralNode::templateStrings const): Deleted.
3260         (JSC::TemplateLiteralNode::templateExpressions const): Deleted.
3261         (JSC::TaggedTemplateNode::templateLiteral const): Deleted.
3262         (JSC::ResolveNode::identifier const): Deleted.
3263         (JSC::ElementNode::elision const): Deleted.
3264         (JSC::ElementNode::value): Deleted.
3265         (JSC::ElementNode::next): Deleted.
3266         (JSC::ArrayNode::elements const): Deleted.
3267         (JSC::PropertyNode::expressionName const): Deleted.
3268         (JSC::PropertyNode::name const): Deleted.
3269         (JSC::PropertyNode::type const): Deleted.
3270         (JSC::PropertyNode::needsSuperBinding const): Deleted.
3271         (JSC::PropertyNode::isClassProperty const): Deleted.
3272         (JSC::PropertyNode::isStaticClassProperty const): Deleted.
3273         (JSC::PropertyNode::isInstanceClassProperty const): Deleted.
3274         (JSC::PropertyNode::isOverriddenByDuplicate const): Deleted.
3275         (JSC::PropertyNode::setIsOverriddenByDuplicate): Deleted.
3276         (JSC::PropertyNode::putType const): Deleted.
3277         (JSC::BracketAccessorNode::base const): Deleted.
3278         (JSC::BracketAccessorNode::subscript const): Deleted.
3279         (JSC::BracketAccessorNode::subscriptHasAssignments const): Deleted.
3280         (JSC::DotAccessorNode::base const): Deleted.
3281         (JSC::DotAccessorNode::identifier const): Deleted.
3282         (JSC::SpreadExpressionNode::expression const): Deleted.
3283         (JSC::ObjectSpreadExpressionNode::expression const): Deleted.
3284         (JSC::BytecodeIntrinsicNode::type const): Deleted.
3285         (JSC::BytecodeIntrinsicNode::emitter const): Deleted.
3286         (JSC::BytecodeIntrinsicNode::identifier const): Deleted.
3287         (JSC::TypeOfResolveNode::identifier const): Deleted.
3288         (JSC::BitwiseNotNode::expr): Deleted.
3289         (JSC::BitwiseNotNode::expr const): Deleted.
3290         (JSC::AssignResolveNode::identifier const): Deleted.
3291         (JSC::ExprStatementNode::expr const): Deleted.
3292         (JSC::ForOfNode::isForAwait const): Deleted.
3293         (JSC::ReturnNode::value): Deleted.
3294         (JSC::ProgramNode::startColumn const): Deleted.
3295         (JSC::ProgramNode::endColumn const): Deleted.
3296         (JSC::EvalNode::startColumn const): Deleted.
3297         (JSC::EvalNode::endColumn const): Deleted.
3298         (JSC::ModuleProgramNode::startColumn const): Deleted.
3299         (JSC::ModuleProgramNode::endColumn const): Deleted.
3300         (JSC::ModuleProgramNode::moduleScopeData): Deleted.
3301         (JSC::ModuleNameNode::moduleName): Deleted.
3302         (JSC::ImportSpecifierNode::importedName): Deleted.
3303         (JSC::ImportSpecifierNode::localName): Deleted.
3304         (JSC::ImportSpecifierListNode::specifiers const): Deleted.
3305         (JSC::ImportSpecifierListNode::append): Deleted.
3306         (JSC::ImportDeclarationNode::specifierList const): Deleted.
3307         (JSC::ImportDeclarationNode::moduleName const): Deleted.
3308         (JSC::ExportAllDeclarationNode::moduleName const): Deleted.
3309         (JSC::ExportDefaultDeclarationNode::declaration const): Deleted.
3310         (JSC::ExportDefaultDeclarationNode::localName const): Deleted.
3311         (JSC::ExportLocalDeclarationNode::declaration const): Deleted.
3312         (JSC::ExportSpecifierNode::exportedName): Deleted.
3313         (JSC::ExportSpecifierNode::localName): Deleted.
3314         (JSC::ExportSpecifierListNode::specifiers const): Deleted.
3315         (JSC::ExportSpecifierListNode::append): Deleted.
3316         (JSC::ExportNamedDeclarationNode::specifierList const): Deleted.
3317         (JSC::ExportNamedDeclarationNode::moduleName const): Deleted.
3318         (JSC::ArrayPatternNode::appendIndex): Deleted.
3319         (JSC::ObjectPatternNode::appendEntry): Deleted.
3320         (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
3321         (JSC::ObjectPatternNode::setContainsComputedProperty): Deleted.
3322         (JSC::DestructuringAssignmentNode::bindings): Deleted.
3323         (JSC::FunctionParameters::size const): Deleted.
3324         (JSC::FunctionParameters::append): Deleted.
3325         (JSC::FunctionParameters::isSimpleParameterList const): Deleted.
3326         (JSC::FuncDeclNode::metadata): Deleted.
3327         (JSC::CaseClauseNode::expr const): Deleted.
3328         (JSC::CaseClauseNode::setStartOffset): Deleted.
3329         (JSC::ClauseListNode::getClause const): Deleted.
3330         (JSC::ClauseListNode::getNext const): Deleted.
3331         * runtime/ExceptionHelpers.cpp:
3332         * runtime/JSObject.cpp:
3333
3334 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3335
3336         JSON.stringify should emit non own properties if second array argument includes
3337         https://bugs.webkit.org/show_bug.cgi?id=187724
3338
3339         Reviewed by Mark Lam.
3340