[JSC] Clean up StructureStubClearingWatchpoint
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-08-31  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Clean up StructureStubClearingWatchpoint
        https://bugs.webkit.org/show_bug.cgi?id=189156

        Reviewed by Saam Barati.

        Cleaning up StructureStubClearingWatchpoint by holding StructureStubClearingWatchpoint in a Bag
        in WatchpointsOnStructureStubInfo. This removes hacky linked list code for StructureStubClearingWatchpoint.

        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
        (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint): Deleted.
        (JSC::StructureStubClearingWatchpoint::push): Deleted.
        (JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo): Deleted.
        * bytecode/StructureStubClearingWatchpoint.h:
        (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):

2018-09-06  Michael Saboff  <msaboff@apple.com>

        Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
        https://bugs.webkit.org/show_bug.cgi?id=189380

        Reviewed by Saam Barati.

        Account for the case in Math.pow(NaN, y) where y could be 0.

        * bytecode/SpeculatedType.cpp:
        (JSC::typeOfDoublePow):

2018-09-06  Mark Lam  <mark.lam@apple.com>

        Gardening: only visit m_cachedStructureID if it's not null.
        https://bugs.webkit.org/show_bug.cgi?id=189124
        <rdar://problem/43863605>

        Not reviewed.

        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::visitChildren):

2018-09-06  Tomas Popela  <tpopela@redhat.com>

        [JSC] Build broken after r234975 on s390x, ppc64le, armv7hl
        https://bugs.webkit.org/show_bug.cgi?id=189078

        Reviewed by Mark Lam.

        Caused by the GCC bug - https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70124.
        Using the ternary operator instead of std::max() fixes it.

        * heap/RegisterState.h:

2018-09-05  Mark Lam  <mark.lam@apple.com>

        JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
        https://bugs.webkit.org/show_bug.cgi?id=189124
        <rdar://problem/43863605>

        Reviewed by Filip Pizlo.

        It is assumed that the Structure for the m_cachedStructureID will remain alive
        while the m_cachedStructureID is in use.  This prevents the structureID from being
        re-used for a different Structure.

        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::visitChildren):

2018-09-05  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Symbol.prototype.description
        https://bugs.webkit.org/show_bug.cgi?id=186686

        Reviewed by Keith Miller.

        Symbol.prototype.description was implemented in r232404, but has one small bug:
        It should return undefined for a null symbol.

        * runtime/Symbol.cpp:
        (JSC::Symbol::description const):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoGetterDescription):
        Address the null symbol case.

2018-09-04  Keith Miller  <keith_miller@apple.com>

        RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83
        https://bugs.webkit.org/show_bug.cgi?id=188917

        Reviewed by Mark Lam.

        Our allocators should be able to handle allocating a zero-sized object.
        Zero-sized objects will be allocated into the smallest size class.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sizeClassToIndex):
        (JSC::MarkedSpace::indexToSizeClass):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):

2018-09-05  Mark Lam  <mark.lam@apple.com>

        Fix DeferredSourceDump to capture the caller bytecodeIndex instead of CodeOrigin.
        https://bugs.webkit.org/show_bug.cgi?id=189300
        <rdar://problem/39681779>

        Reviewed by Saam Barati.

        At the time a DeferredSourceDump is instantiated, it captures a CodeOrigin value
        which points to an InlineCallFrame in the DFG::Plan's m_inlineCallFrames set.  The
        DeferredSourceDump is later used to dump source even if the compilation fails.
        This is intentional so that we can use this tool to see what source fails to
        compile as well.

        The DFG::Plan may have been destructed by then, and since the compilation failed,
        the InlineCallFrame is also destructed.  This means DeferredSourceDump::dump()
        may end up accessing freed memory.

        DeferredSourceDump doesn't really need a CodeOrigin.  All it wants is the caller
        bytecodeIndex for the call to an inlined function.  Hence, we can fix this issue
        by changing DeferredSourceDump to capture the caller bytecodeIndex instead.

        In this patch, we also change DeferredSourceDump's m_codeBlock and m_rootCodeBlock
        to be Strong references to ensure that the CodeBlocks are kept alive until they
        can be dumped.

        * bytecode/DeferredCompilationCallback.cpp:
        (JSC::DeferredCompilationCallback::dumpCompiledSourcesIfNeeded):
        * bytecode/DeferredSourceDump.cpp:
        (JSC::DeferredSourceDump::DeferredSourceDump):
        (JSC::DeferredSourceDump::dump):
        * bytecode/DeferredSourceDump.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):

2018-09-05  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r235419): DFGCFG.h is missing from JavaScriptCore Xcode project

        Found using `tidy-Xcode-project-file --missing` (see Bug
        188754).  Fix was made manually.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        (dfg/DFGCFG.h): Revert accidental change in r235419 by restoring
        `name` and `path` values to file reference.

2018-09-05  Mark Lam  <mark.lam@apple.com>

        isAsyncGeneratorMethodParseMode() should check for SourceParseMode::AsyncGeneratorWrapperMethodMode.
        https://bugs.webkit.org/show_bug.cgi?id=189292
        <rdar://problem/38907433>

        Reviewed by Saam Barati.

        Previously, isAsyncGeneratorMethodParseMode() was checking for AsyncGeneratorWrapperFunctionMode
        instead of AsyncGeneratorWrapperMethodMode.  This patch fixes it
        to check for AsyncGeneratorWrapperMethodMode (to match what is expected as indicated
        in the name isAsyncGeneratorMethodParseMode).

        * parser/ParserModes.h:
        (JSC::isAsyncGeneratorMethodParseMode):

2018-09-04  Michael Saboff  <msaboff@apple.com>

        Unreviewed indentation change.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::matchBackreference):

2018-09-04  Michael Saboff  <msaboff@apple.com>

        JSC Build error when changing CPU type: offlineasm: No magic values found. Skipping assembly file generation
        https://bugs.webkit.org/show_bug.cgi?id=189274

        Reviewed by Saam Barati.

        Put the derived file LLIntDesiredOffsets.h in an architecture specific subdirectory to make them unique.

        Somehow I got this change mixed up with the change for r235636.  The changes to JavaScriptCore.xcodeproj/project.pbxproj
        were landed there.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-09-04  Michael Saboff  <msaboff@apple.com>

        YARR: JIT RegExps with back references
        https://bugs.webkit.org/show_bug.cgi?id=180874

        Reviewed by Filip Pizlo.

        Implemented JIT'ed back references for all counted types.  The only type of back references
        not handled in the JIT is 16-bit matches that ignore case.  Such support would require the
        canonicalization that is currently handled in the Yarr interpreter via a C function call.
        The back reference processing for surrogate pairs is implemented by individually comparing
        each surrogate a la memcmp.

        Added a generated canonicalization table for the LChar (8bit) domain to process case
        ignored back references.

        Added macro assembler load16(ExtendedAddress) for indexed access to the canonicalization table.

        Added a new JIT failure reason for forward references as the check to JIT expressions with
        forward references were handled synonymously with those containing back references.

        This change is only enabled for 64 bit platforms.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::load16):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * yarr/YarrCanonicalize.h:
        * yarr/YarrCanonicalizeUCS2.cpp:
        * yarr/YarrCanonicalizeUCS2.js:
        (set characters.hex.set string_appeared_here):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::checkNotEnoughInput):
        (JSC::Yarr::YarrGenerator::readCharacterDontDecodeSurrogates):
        (JSC::Yarr::YarrGenerator::matchBackreference):
        (JSC::Yarr::YarrGenerator::generateBackReference):
        (JSC::Yarr::YarrGenerator::backtrackBackReference):
        (JSC::Yarr::YarrGenerator::generateTerm):
        (JSC::Yarr::YarrGenerator::backtrackTerm):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::dumpCompileFailure):
        * yarr/YarrJIT.h:
        * yarr/YarrPattern.h:
        (JSC::Yarr::BackTrackInfoBackReference::beginIndex):
        (JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex):

2018-09-04  Mark Lam  <mark.lam@apple.com>

        Make the jsc shell print, printErr, and debug functions more robust.
        https://bugs.webkit.org/show_bug.cgi?id=189268
        <rdar://problem/41192690>

        Reviewed by Keith Miller.

        We'll now check for UTF8 conversion errors.

        * jsc.cpp:
        (cStringFromViewWithString):
        (printInternal):
        (functionDebug):

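        The failure mode behind the entry above is a JavaScript string that has no UTF-8 encoding:
        JS strings are UTF-16 code unit sequences and may contain unpaired surrogates, which a UTF-8
        converter either rejects or silently turns into U+FFFD. The following is an added example,
        not code from jsc.cpp or WebKit, showing how an output routine can detect the problem up
        front instead of emitting mangled bytes. The helper names (findUnpairedSurrogate,
        encodeUtf8Strict, printStrict) are illustrative; it relies only on the standard TextEncoder
        and TextDecoder globals.

```javascript
// Added example (not WebKit code): refuse to emit strings that cannot be
// converted to UTF-8. TextEncoder replaces unpaired surrogates with U+FFFD
// without reporting it, so the string is scanned for them first.

function findUnpairedSurrogate(str) {
  // Returns the index of the first unpaired surrogate code unit, or -1 if the
  // string is well formed (every high surrogate is followed by a low one).
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    if (cu >= 0xd800 && cu <= 0xdbff) {               // high surrogate
      const next = i + 1 < str.length ? str.charCodeAt(i + 1) : -1;
      if (next >= 0xdc00 && next <= 0xdfff) {
        i++;                                           // valid pair, skip the low half
      } else {
        return i;                                      // high surrogate with no partner
      }
    } else if (cu >= 0xdc00 && cu <= 0xdfff) {        // low surrogate with no partner
      return i;
    }
  }
  return -1;
}

function encodeUtf8Strict(str) {
  // Throws on conversion failure instead of producing replacement characters.
  const bad = findUnpairedSurrogate(str);
  if (bad !== -1) {
    throw new TypeError(
      "unpaired surrogate 0x" + str.charCodeAt(bad).toString(16) + " at index " + bad);
  }
  return new TextEncoder().encode(str);              // Uint8Array of UTF-8 bytes
}

function printStrict(str, sink = console.log) {
  // What a shell print function should do: convert first, and report a
  // conversion failure as an error result rather than writing garbage.
  try {
    const bytes = encodeUtf8Strict(str);
    sink(new TextDecoder().decode(bytes));
    return { ok: true, bytes: bytes.length };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

        Note that `"\uD800"` is a perfectly legal JavaScript string literal, so any sink that
        converts to UTF-8 has to be prepared for this case regardless of where the string came from.
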
2018-09-04  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE][GTK] Add more unused result warnings to JSC API
        https://bugs.webkit.org/show_bug.cgi?id=189243

        Reviewed by Carlos Garcia Campos.

        The jsc_context_evaluate() family of functions has a (transfer full) return value, but the
        caller may be tempted to not inspect it if uninterested in the return value. This would be
        an error, because it must be freed.

        * API/glib/JSCContext.h:

2018-09-03  Mark Lam  <mark.lam@apple.com>

        The watchdog sometimes fails to terminate a script.
        https://bugs.webkit.org/show_bug.cgi?id=189227
        <rdar://problem/39932857>

        Reviewed by Saam Barati.

        Consider the following scenario:

        1. We have an infinite loop bytecode sequence as follows:

            [  13] loop_hint
            [  14] check_traps
            [  15] jmp               -2(->13)

        2. The VM tiers up from LLInt -> BaselineJIT -> DFG -> FTL.

           Note that op_check_traps is represented as a CheckTraps node in the DFG and FTL.
           When we're not using pollingTraps (JSC_usePollingTraps is false by default),
           we emit no code for CheckTraps, but only record an InvalidationPoint there.

        3. The watchdog fires, and invalidates all InvalidationPoints in the FTL CodeBlock.

           InvalidationPoints OSR exits to the next instruction by design.  In this case,
           that means the VM will resume executing at the op_jmp, which jumps to the
           op_loop_hint opcode.  At the loop_hint, the VM discovers that the function is
           already hot, and attempts to tier up.  It immediately discovers that a replacement
           CodeBlock is available because we still haven't jettisoned the DFG CodeBlock
           nor the FTL CodeBlock that was previously compiled for this function.

           Note that jettisoning a CodeBlock necessarily means the VM will invalidate
           its InvalidationPoints (if the CodeBlock is DFG/FTL).  However, the reverse
           is not true: merely invalidating the InvalidationPoints does not necessarily
           mean that the CodeBlock is jettisoned.

           VMTraps::tryInstallTrapBreakpoints() runs from a separate thread.  Hence,
           it is only safe for it to invalidate a CodeBlock's InvalidationPoints.  It
           is not safe for the CodeBlock to be jettisoned from another thread.  Instead,
           the VMTraps mechanism relies on the script thread running to an op_check_traps
           in the baseline JIT code where it will do the necessary jettisoning of optimized
           CodeBlocks.

        Since the op_check_traps never gets executed, the VM will perpetually tier up in
        the op_loop_hint, OSR exit to the op_jmp, jump to the op_loop_hint, and repeat.
        Consequently, the watchdog fails to terminate this script.

        In this patch, we fix this by making the DFG BytecodeParser emit an InvalidationPoint
        node directly (when the VM is not configured to use polling traps).  This ensures
        that the check traps invalidation point will OSR exit to the op_check_traps opcode
        in the baseline JIT.

        In this patch, we also change VMTraps::tryInstallTrapBreakpoints() to use
        CallFrame::unsafeCodeBlock() instead of CallFrame::codeBlock().  This is because
        we don't really know if the frame is properly set up.  We're just conservatively
        probing the stack.  ASAN does not like this probing.  Using unsafeCodeBlock() here
        will suppress the false positive ASAN complaint.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckTraps):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        * runtime/VMTraps.cpp:
        (JSC::VMTraps::tryInstallTrapBreakpoints):

2018-09-03  Mark Lam  <mark.lam@apple.com>

        CallFrame::unsafeCallee() should use an ASAN suppressed Register::asanUnsafePointer().
        https://bugs.webkit.org/show_bug.cgi?id=189247

        Reviewed by Saam Barati.

        * interpreter/CallFrame.h:
        (JSC::ExecState::unsafeCallee const):
        * interpreter/Register.h:
        (JSC::Register::asanUnsafePointer const):
        (JSC::Register::unsafePayload const):

2018-09-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Implement Object.fromEntries
        https://bugs.webkit.org/show_bug.cgi?id=188481

        Reviewed by Darin Adler.

        Object.fromEntries became stage 3 [1]. This patch implements it by using builtin JS.

        [1]: https://tc39.github.io/proposal-object-from-entries/

        * builtins/ObjectConstructor.js:
        (fromEntries):
        * runtime/ObjectConstructor.cpp:

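        For readers who want to see what a "builtin JS" implementation of the proposal has to do,
        here is an added example written in plain JavaScript. It is not WebKit's
        builtins/ObjectConstructor.js and does not use the private builtin intrinsics that file
        has access to; it follows the proposal's steps with ordinary language features. The detail
        worth noticing is that entries are installed with CreateDataProperty semantics
        (Object.defineProperty on a fresh object), so a key such as "__proto__" becomes an own
        property rather than rewriting the prototype, and a bad entry closes the source iterator
        before the TypeError propagates.

```javascript
// Added example (not WebKit's builtin): Object.fromEntries written in plain
// JavaScript, following the proposal's steps so the observable behaviour
// (TypeErrors, property-key coercion, iterator closing) matches the spec.

function fromEntries(iterable) {
  // RequireObjectCoercible(iterable)
  if (iterable === null || iterable === undefined) {
    throw new TypeError("Object.fromEntries requires an iterable");
  }
  const iterFn = iterable[Symbol.iterator];
  if (typeof iterFn !== "function") {
    throw new TypeError("argument is not iterable");
  }
  const iterator = iterFn.call(iterable);
  const obj = {};                      // OrdinaryObjectCreate(%Object.prototype%)

  for (;;) {
    const step = iterator.next();
    if (step.done) return obj;
    const entry = step.value;
    try {
      // Each entry must itself be an Object (an array, a Map entry, ...).
      if (entry === null || (typeof entry !== "object" && typeof entry !== "function")) {
        throw new TypeError("iterator value " + String(entry) + " is not an entry object");
      }
      const key = entry[0];            // Get(entry, "0")
      const value = entry[1];          // Get(entry, "1")
      // ToPropertyKey: symbols are kept, anything else is converted to a string.
      const propertyKey = typeof key === "symbol" ? key : String(key);
      // CreateDataPropertyOrThrow: always defines an *own* data property, so a
      // key such as "__proto__" cannot redirect the prototype the way
      // obj[key] = value would.
      Object.defineProperty(obj, propertyKey,
        { value, writable: true, enumerable: true, configurable: true });
    } catch (e) {
      // IteratorClose: let the iterator release resources; the original
      // error takes precedence over anything return() throws.
      if (typeof iterator.return === "function") {
        try { iterator.return(); } catch (_) { /* ignored per spec */ }
      }
      throw e;
    }
  }
}
```

        The defineProperty step is the reason Object.fromEntries is a safer way to turn untrusted
        key/value pairs into an object than a loop doing `obj[key] = value`: the latter walks the
        prototype chain and hits the `__proto__` accessor on Object.prototype.
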
2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Function object should convert params to string before throwing a parsing error
        https://bugs.webkit.org/show_bug.cgi?id=188874

        Reviewed by Darin Adler.

        The ToString operation on the `body` of the Function constructor should be performed
        before checking syntax correctness of the parameters.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):

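        The ordering described above is observable from script, which is how a test for it can be
        written. The following added example (not WebKit code or a WebKit test) records the order
        in which the Function constructor converts its arguments under any engine that follows the
        CreateDynamicFunction steps: every parameter argument and the body are passed through
        ToString first, and only then are the parameters parsed. The helper names are illustrative.

```javascript
// Added example (not WebKit code): observe the argument-conversion order of
// the Function constructor. Because ToString runs on all arguments before
// anything is parsed, a body whose toString has side effects (or throws)
// runs even when the parameter list is syntactically invalid.

function observeDynamicFunctionOrder() {
  const events = [];
  // "(" is not a valid parameter list, so parsing must eventually fail.
  const param = { toString() { events.push("param:toString"); return "("; } };
  const body  = { toString() { events.push("body:toString");  return "return 1;"; } };
  try {
    Function(param, body);
    events.push("no error");
  } catch (e) {
    events.push(e.constructor.name);   // expected last: "SyntaxError"
  }
  return events;
}

function bodyErrorBeatsSyntaxError() {
  // If the body's ToString throws, that error must surface instead of the
  // SyntaxError the invalid parameter list would otherwise produce.
  const body = { toString() { throw new RangeError("body converted first"); } };
  try {
    Function("(", body);
    return "no error";
  } catch (e) {
    return e.constructor.name;         // expected: "RangeError"
  }
}
```

        The practical consequence for anyone feeding attacker-influenced objects to Function (or
        eval-like wrappers around it) is that those objects' toString methods execute before any
        syntax validation, so validation of the parameter list is not a barrier against them.
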
2018-08-31  Mark Lam  <mark.lam@apple.com>

        Fix exception check accounting in constructJSWebAssemblyCompileError().
        https://bugs.webkit.org/show_bug.cgi?id=189185
        <rdar://problem/39786007>

        Reviewed by Michael Saboff.

        Also add an exception check in JSWebAssemblyModule::createStub() so that we don't
        inadvertently overwrite a pre-existing exception (if present).

        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Gardening: ARMv7 build fix.
        https://bugs.webkit.org/show_bug.cgi?id=158911

        Not reviewed.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::patchableBranch8):

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Fix exception check accounting in JSDataView::defineOwnProperty().
        https://bugs.webkit.org/show_bug.cgi?id=189186
        <rdar://problem/39786049>

        Reviewed by Michael Saboff.

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::defineOwnProperty):

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Add missing exception check in arrayProtoFuncLastIndexOf().
        https://bugs.webkit.org/show_bug.cgi?id=189184
        <rdar://problem/39785959>

        Reviewed by Yusuke Suzuki.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncLastIndexOf):

2018-08-31  Saam barati  <sbarati@apple.com>

        convertToRegExpMatchFastGlobal must use KnownString as the child use kind
        https://bugs.webkit.org/show_bug.cgi?id=189173
        <rdar://problem/43501645>

        Reviewed by Michael Saboff.

        We were crashing during validation because mayExit returned true
        at a point in the program when we weren't allowed to exit.

        The issue is in StrengthReduction: we end up emitting code that
        had a StringUse on an edge after a node that did side effects and before
        an ExitOK/bytecode number transition. However, StrengthReduction did the
        right thing here and also emitted the type checks before the node with
        side effects. It just did bad bookkeeping. The node we convert to needs
        to use KnownStringUse instead of StringUse for the child edge.

        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
        (JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
        (JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
        * dfg/DFGNode.h:
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2018-08-30  Saam barati  <sbarati@apple.com>

        Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
        https://bugs.webkit.org/show_bug.cgi?id=189166

        Reviewed by Mark Lam.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
        * bytecode/InlineAccess.cpp:
        (JSC::getScratchRegister):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::valueRegs const):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):

2018-08-30  Saam barati  <sbarati@apple.com>

        InlineAccess should do StringLength
        https://bugs.webkit.org/show_bug.cgi?id=158911

        Reviewed by Yusuke Suzuki.

        This patch extends InlineAccess to support StringLength. This patch also
        fixes AccessCase::fromStructureStubInfo to support ArrayLength and StringLength.
        I forgot to implement this for ArrayLength in the initial InlineAccess
        implementation.  Supporting StringLength is a natural extension of the
        InlineAccess machinery.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch8):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::patchableBranch8):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::getScratchRegister):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):
        (JSC::InlineAccess::generateSelfInAccess):
        (JSC::InlineAccess::generateStringLength):
        * bytecode/InlineAccess.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initStringLength):
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::baseGPR const):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2018-08-30  Saam barati  <sbarati@apple.com>

        CSE DataViewGet* DFG nodes
        https://bugs.webkit.org/show_bug.cgi?id=188768

        Reviewed by Yusuke Suzuki.

        This patch makes it so that we CSE DataViewGet* accesses. To do this,
        I needed to add a third descriptor to HeapLocation to represent the
        isLittleEndian child. This patch is neutral on compile time benchmarks,
        and is a 50% speedup on a trivial CSE microbenchmark that I added.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        (JSC::DFG::HeapLocation::HeapLocation):
        (JSC::DFG::HeapLocation::hash const):
        (JSC::DFG::HeapLocation::operator== const):
        (JSC::DFG::indexedPropertyLocForResultType):

2018-08-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        output of toString() of Generator is wrong
        https://bugs.webkit.org/show_bug.cgi?id=188952

        Reviewed by Saam Barati.

        Function#toString does not respect generators and async generators.
        This patch fixes them and supports all the function types.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-08-29  Mark Lam  <mark.lam@apple.com>

        Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
        https://bugs.webkit.org/show_bug.cgi?id=189132
        <rdar://problem/42513068>

        Reviewed by Saam Barati.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey const):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):

2018-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r235432 and r235436.
        https://bugs.webkit.org/show_bug.cgi?id=189086

        Is a Swift source breaking change. (Requested by keith_miller
        on #webkit).

        Reverted changesets:

        "Add nullability attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235432

        "Add nullability attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235436

2018-08-28  Mark Lam  <mark.lam@apple.com>

        Fix bit-rotted Interpreter::dumpRegisters() and move it to the VMInspector.
        https://bugs.webkit.org/show_bug.cgi?id=189059
        <rdar://problem/40335354>

        Reviewed by Saam Barati.

        1. Moved Interpreter::dumpRegisters() to VMInspector::dumpRegisters().
        2. Added $vm.dumpRegisters().

            Usage: $vm.dumpRegisters(N) // dump the registers of the Nth CallFrame.
            Usage: $vm.dumpRegisters() // dump the registers of the current CallFrame.

           Note: Currently, $vm.dumpRegisters() only dumps registers in the physical frame.
           It will treat inlined frames' content as registers in the bounding physical frame.

           Here's an example of such a dump on a DFG frame:

                Register frame:

                -----------------------------------------------------------------------------
                            use            |   address  |                value
                -----------------------------------------------------------------------------
                [r 12 arguments[  7]]      | 0x7ffeefbfd330 | 0xa                Undefined
                [r 11 arguments[  6]]      | 0x7ffeefbfd328 | 0x10bbb3e80        Object: 0x10bbb3e80 with butterfly 0x0 (Structure 0x10bbf20d0:[Object, {}, NonArray, Proto:0x10bbb4000]), StructureID: 76
                [r 10 arguments[  5]]      | 0x7ffeefbfd320 | 0xa                Undefined
                [r  9 arguments[  4]]      | 0x7ffeefbfd318 | 0xa                Undefined
                [r  8 arguments[  3]]      | 0x7ffeefbfd310 | 0xa                Undefined
                [r  7 arguments[  2]]      | 0x7ffeefbfd308 | 0xffff0000000a5eaa Int32: 679594
                [r  6 arguments[  1]]      | 0x7ffeefbfd300 | 0x10bbd00f0        Object: 0x10bbd00f0 with butterfly 0x8000f8248 (Structure 0x10bba4700:[Function, {name:100, prototype:101, length:102, Symbol.species:103, isArray:104}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 160
                [r  5           this]      | 0x7ffeefbfd2f8 | 0x10bbe0000        Object: 0x10bbe0000 with butterfly 0x8000d8808 (Structure 0x10bb35340:[global, {parseInt:100, parseFloat:101, Object:102, Function:103, Array:104, RegExp:105, RangeError:106, TypeError:107, PrivateSymbol.Object:108, PrivateSymbol.Array:109, ArrayBuffer:110, String:111, Symbol:112, Number:113, Boolean:114, Error:115, Map:116, Set:117, Promise:118, eval:119, Reflect:121, $vm:122, WebAssembly:123, debug:124, describe:125, describeArray:126, print:127, printErr:128, quit:129, gc:130, fullGC:131, edenGC:132, forceGCSlowPaths:133, gcHeapSize:134, addressOf:135, version:136, run:137, runString:138, load:139, loadString:140, readFile:141, read:142, checkSyntax:143, sleepSeconds:144, jscStack:145, readline:146, preciseTime:147, neverInlineFunction:148, noInline:149, noDFG:150, noFTL:151, numberOfDFGCompiles:153, jscOptions:154, optimizeNextInvocation:155, reoptimizationRetryCount:156, transferArrayBuffer:157, failNextNewCodeBlock:158, OSRExit:159, isFinalTier:160, predictInt32:161, isInt32:162, isPureNaN:163, fiatInt52:164, effectful42:165, makeMasquerader:166, hasCustomProperties:167, createGlobalObject:168, dumpTypesForAllVariables:169, drainMicrotasks:170, getRandomSeed:171, setRandomSeed:172, isRope:173, callerSourceOrigin:174, is32BitPlatform:175, loadModule:176, checkModuleSyntax:177, platformSupportsSamplingProfiler:178, generateHeapSnapshot:179, resetSuperSamplerState:180, ensureArrayStorage:181, startSamplingProfiler:182, samplingProfilerStackTraces:183, maxArguments:184, asyncTestStart:185, asyncTestPassed:186, WebAssemblyMemoryMode:187, console:188, $:189, $262:190, waitForReport:191, heapCapacity:192, flashHeapAccess:193, disableRichSourceInfo:194, mallocInALoop:195, totalCompileTime:196, Proxy:197, uneval:198, WScript:199, failWithMessage:200, triggerAssertFalse:201, isNaN:202, isFinite:203, escape:204, unescape:205, decodeURI:206, decodeURIComponent:207, encodeURI:208, encodeURIComponent:209, EvalError:210, ReferenceError:211, SyntaxError:212, URIError:213, JSON:214, Math:215, Int8Array:216, PrivateSymbol.Int8Array:217, Int16Array:218, PrivateSymbol.Int16Array:219, Int32Array:220, PrivateSymbol.Int32Array:221, Uint8Array:222, PrivateSymbol.Uint8Array:223, Uint8ClampedArray:224, PrivateSymbol.Uint8ClampedArray:225, Uint16Array:226, PrivateSymbol.Uint16Array:227, Uint32Array:228, PrivateSymbol.Uint32Array:229, Float32Array:230, PrivateSymbol.Float32Array:231, Float64Array:232, PrivateSymbol.Float64Array:233, DataView:234, Date:235, WeakMap:236, WeakSet:237, Intl:120, desc:238}, NonArray, Proto:0x10bbb4000, UncacheableDictionary, Leaf]), StructureID: 474
                -----------------------------------------------------------------------------
                [ArgumentCount]            | 0x7ffeefbfd2f0 | 7
                [ReturnVPC]                | 0x7ffeefbfd2f0 | 164 (line 57)
                [Callee]                   | 0x7ffeefbfd2e8 | 0x10bb68db0        Object: 0x10bb68db0 with butterfly 0x0 (Structure 0x10bbf1c00:[Function, {}, NonArray, Proto:0x10bbd0000, Shady leaf]), StructureID: 65
                [CodeBlock]                | 0x7ffeefbfd2e0 | 0x10bb2f8e0        __callRandomFunction#DmVXnv:[0x10bb2f8e0->0x10bbfd1e0, LLIntFunctionCall, 253]
                [ReturnPC]                 | 0x7ffeefbfd2d8 | 0x10064d14c
                [CallerFrame]              | 0x7ffeefbfd2d0 | 0x7ffeefbfd380
                -----------------------------------------------------------------------------
                [r -1  CalleeSaveReg]      | 0x7ffeefbfd2c8 | 0xffff000000000002 Int32: 2
                [r -2  CalleeSaveReg]      | 0x7ffeefbfd2c0 | 0xffff000000000000 Int32: 0
                [r -3  CalleeSaveReg]      | 0x7ffeefbfd2b8 | 0x10baf1608
                [r -4               ]      | 0x7ffeefbfd2b0 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -5               ]      | 0x7ffeefbfd2a8 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -6               ]      | 0x7ffeefbfd2a0 | 0xa                Undefined
                -----------------------------------------------------------------------------
                [r -7]                     | 0x7ffeefbfd298 | 0x10bb6fdc0        String (atomic) (identifier): length, StructureID: 4
                [r -8]                     | 0x7ffeefbfd290 | 0x10bbb7ec0        Object: 0x10bbb7ec0 with butterfly 0x8000e0008 (Structure 0x10bbf2ae0:[Array, {}, ArrayWithContiguous, Proto:0x10bbc8080]), StructureID: 99
                [r -9]                     | 0x7ffeefbfd288 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
                [r-10]                     | 0x7ffeefbfd280 | 0xffff000000000004 Int32: 4
                [r-11]                     | 0x7ffeefbfd278 | 0x10bbb4290        Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306
643                 [r-11]                     | 0x7ffeefbfd278 | 0x10bbb4290        Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306
644                 [r-12]                     | 0x7ffeefbfd270 | 0x100000001        
645                 [r-13]                     | 0x7ffeefbfd268 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
646                 [r-14]                     | 0x7ffeefbfd260 | 0x0                
647                 [r-15]                     | 0x7ffeefbfd258 | 0x10064d14c        
648                 [r-16]                     | 0x7ffeefbfd250 | 0x7ffeefbfd2d0     
649                 [r-17]                     | 0x7ffeefbfd248 | 0x67ec87ee177      INVALID
650                 [r-18]                     | 0x7ffeefbfd240 | 0x7ffeefbfd250     
651                 -----------------------------------------------------------------------------
652
653         3. Removed dumpCallFrame() from the jsc shell.  We have the following tools that
654            we can use in its place:
655
656             $vm.dumpCallFrame()
657             $vm.dumpBytecodeFor()
658             $vm.dumpRegisters()     // Just added in this patch.
659
660         4. Also fixed a bug in BytecodeDumper: it should access
661            CallLinkInfo::haveLastSeenCallee() only if CallLinkInfo::isDirect() is false.
662
663         * bytecode/BytecodeDumper.cpp:
664         (JSC::BytecodeDumper<Block>::printCallOp):
665         * interpreter/Interpreter.cpp:
666         (JSC::Interpreter::dumpCallFrame): Deleted.
667         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): Deleted.
668         (JSC::DumpReturnVirtualPCFunctor::operator() const): Deleted.
669         (JSC::Interpreter::dumpRegisters): Deleted.
670         * interpreter/Interpreter.h:
671         * jsc.cpp:
672         (GlobalObject::finishCreation):
673         (functionDumpCallFrame): Deleted.
674         * tools/JSDollarVM.cpp:
675         (JSC::functionDumpRegisters):
676         (JSC::JSDollarVM::finishCreation):
677         * tools/VMInspector.cpp:
678         (JSC::VMInspector::dumpRegisters):
679         * tools/VMInspector.h:
680
681 2018-08-28  Keith Miller  <keith_miller@apple.com>
682
683         Add nullability attributes to JSValue
684         https://bugs.webkit.org/show_bug.cgi?id=189047
685
686         Reviewed by Dan Bernstein.
687
688         Switch to using NS_ASSUME_NONNULL_BEGIN/END.
689
690         * API/JSValue.h:
691
692 2018-08-28  Keith Miller  <keith_miller@apple.com>
693
694         Add nullability attributes to JSValue
695         https://bugs.webkit.org/show_bug.cgi?id=189047
696
697         Reviewed by Geoffrey Garen.
698
699         * API/JSValue.h:
700
701 2018-08-27  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
702
703         [WebAssembly] Parse wasm modules in a streaming fashion
704         https://bugs.webkit.org/show_bug.cgi?id=188943
705
706         Reviewed by Mark Lam.
707
708         This patch adds Wasm::StreamingParser, which parses wasm binary in a streaming fashion.
709         Currently, this StreamingParser is not enabled and integrated. In subsequent patches,
710         we start integrating it into BBQPlan and dropping the old ModuleParser.
711
712         * JavaScriptCore.xcodeproj/project.pbxproj:
713         * Sources.txt:
714         * tools/JSDollarVM.cpp:
715         (WTF::WasmStreamingParser::WasmStreamingParser):
716         (WTF::WasmStreamingParser::create):
717         (WTF::WasmStreamingParser::createStructure):
718         (WTF::WasmStreamingParser::streamingParser):
719         (WTF::WasmStreamingParser::finishCreation):
720         (WTF::functionWasmStreamingParserAddBytes):
721         (WTF::functionWasmStreamingParserFinalize):
722         (JSC::functionCreateWasmStreamingParser):
723         (JSC::JSDollarVM::finishCreation):
724         The $vm Wasm::StreamingParser object is introduced for testing purposes. The added stress test uses
725         this interface to test the streaming parser in the JSC shell.
726
727         * wasm/WasmBBQPlan.cpp:
728         (JSC::Wasm::BBQPlan::BBQPlan):
729         (JSC::Wasm::BBQPlan::parseAndValidateModule):
730         (JSC::Wasm::BBQPlan::prepare):
731         (JSC::Wasm::BBQPlan::compileFunctions):
732         (JSC::Wasm::BBQPlan::complete):
733         (JSC::Wasm::BBQPlan::work):
734         * wasm/WasmBBQPlan.h:
735         BBQPlan has m_source, but once ModuleInformation is parsed, it is no longer necessary.
736         In subsequent patches, we will remove this, and stream the data into the BBQPlan.
737
738         * wasm/WasmFormat.h:
739         * wasm/WasmModuleInformation.cpp:
740         (JSC::Wasm::ModuleInformation::ModuleInformation):
741         * wasm/WasmModuleInformation.h:
742         One of the largest changes in this patch is that ModuleInformation no longer holds source bytes,
743         since source bytes can be added in a streaming fashion. Instead of holding all the source bytes
744         in ModuleInformation, each function (ModuleInformation::functions, FunctionData) should have
745         Vector<uint8_t> for its data. This data is eventually filled by StreamingParser, and compiling
746         a function with this data can be done concurrently with StreamingParser.
747
748         (JSC::Wasm::ModuleInformation::create):
749         (JSC::Wasm::ModuleInformation::memoryCount const):
750         (JSC::Wasm::ModuleInformation::tableCount const):
751         memoryCount and tableCount should be recorded in ModuleInformation.
752
753         * wasm/WasmModuleParser.cpp:
754         (JSC::Wasm::ModuleParser::parse):
755         (JSC::Wasm::makeI32InitExpr): Deleted.
756         (JSC::Wasm::ModuleParser::parseType): Deleted.
757         (JSC::Wasm::ModuleParser::parseImport): Deleted.
758         (JSC::Wasm::ModuleParser::parseFunction): Deleted.
759         (JSC::Wasm::ModuleParser::parseResizableLimits): Deleted.
760         (JSC::Wasm::ModuleParser::parseTableHelper): Deleted.
761         (JSC::Wasm::ModuleParser::parseTable): Deleted.
762         (JSC::Wasm::ModuleParser::parseMemoryHelper): Deleted.
763         (JSC::Wasm::ModuleParser::parseMemory): Deleted.
764         (JSC::Wasm::ModuleParser::parseGlobal): Deleted.
765         (JSC::Wasm::ModuleParser::parseExport): Deleted.
766         (JSC::Wasm::ModuleParser::parseStart): Deleted.
767         (JSC::Wasm::ModuleParser::parseElement): Deleted.
768         (JSC::Wasm::ModuleParser::parseCode): Deleted.
769         (JSC::Wasm::ModuleParser::parseInitExpr): Deleted.
770         (JSC::Wasm::ModuleParser::parseGlobalType): Deleted.
771         (JSC::Wasm::ModuleParser::parseData): Deleted.
772         (JSC::Wasm::ModuleParser::parseCustom): Deleted.
773         Extract section parsing code out from ModuleParser. We create SectionParser and ModuleParser uses it.
774         SectionParser is also used by StreamingParser.
775
776         * wasm/WasmModuleParser.h:
777         (): Deleted.
778         * wasm/WasmNameSection.h:
779         (JSC::Wasm::NameSection::NameSection):
780         (JSC::Wasm::NameSection::create):
781         (JSC::Wasm::NameSection::setHash):
782         Hash calculation is deferred since all the source is not available in streaming parsing.
783
784         * wasm/WasmNameSectionParser.cpp:
785         (JSC::Wasm::NameSectionParser::parse):
786         * wasm/WasmNameSectionParser.h:
787         Use Ref<NameSection>.
788
789         * wasm/WasmOMGPlan.cpp:
790         (JSC::Wasm::OMGPlan::work):
791         Wasm::Plan no longer has m_source since data will eventually be filled in a streaming fashion.
792         OMGPlan can get data of the function by using ModuleInformation::functions.
793
794         * wasm/WasmParser.h:
795         (JSC::Wasm::Parser::source const):
796         (JSC::Wasm::Parser::length const):
797         (JSC::Wasm::Parser::offset const):
798         (JSC::Wasm::Parser::fail const):
799         (JSC::Wasm::makeI32InitExpr):
800         * wasm/WasmPlan.cpp:
801         (JSC::Wasm::Plan::Plan):
802         Wasm::Plan should not have all the source a priori. Streamed data will be pumped from the provider.
803
804         * wasm/WasmPlan.h:
805         * wasm/WasmSectionParser.cpp: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.cpp.
806         SectionParser is extracted from ModuleParser, and it is used by both the old (currently working)
807         ModuleParser and the new StreamingParser.
808
809         (JSC::Wasm::SectionParser::parseType):
810         (JSC::Wasm::SectionParser::parseImport):
811         (JSC::Wasm::SectionParser::parseFunction):
812         (JSC::Wasm::SectionParser::parseResizableLimits):
813         (JSC::Wasm::SectionParser::parseTableHelper):
814         (JSC::Wasm::SectionParser::parseTable):
815         (JSC::Wasm::SectionParser::parseMemoryHelper):
816         (JSC::Wasm::SectionParser::parseMemory):
817         (JSC::Wasm::SectionParser::parseGlobal):
818         (JSC::Wasm::SectionParser::parseExport):
819         (JSC::Wasm::SectionParser::parseStart):
820         (JSC::Wasm::SectionParser::parseElement):
821         (JSC::Wasm::SectionParser::parseCode):
822         (JSC::Wasm::SectionParser::parseInitExpr):
823         (JSC::Wasm::SectionParser::parseGlobalType):
824         (JSC::Wasm::SectionParser::parseData):
825         (JSC::Wasm::SectionParser::parseCustom):
826         * wasm/WasmSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.h.
827         * wasm/WasmStreamingParser.cpp: Added.
828         (JSC::Wasm::parseUInt7):
829         (JSC::Wasm::StreamingParser::fail):
830         (JSC::Wasm::StreamingParser::StreamingParser):
831         (JSC::Wasm::StreamingParser::parseModuleHeader):
832         (JSC::Wasm::StreamingParser::parseSectionID):
833         (JSC::Wasm::StreamingParser::parseSectionSize):
834         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
835         The code section in a Wasm binary is specially handled compared with the other sections since it includes
836         a bunch of functions. StreamingParser extracts each function in a streaming fashion and enables
837         streaming validation / compilation of Wasm functions.
838
839         (JSC::Wasm::StreamingParser::parseFunctionSize):
840         (JSC::Wasm::StreamingParser::parseFunctionPayload):
841         (JSC::Wasm::StreamingParser::parseSectionPayload):
842         (JSC::Wasm::StreamingParser::consume):
843         (JSC::Wasm::StreamingParser::consumeVarUInt32):
844         (JSC::Wasm::StreamingParser::addBytes):
845         (JSC::Wasm::StreamingParser::failOnState):
846         (JSC::Wasm::StreamingParser::finalize):
847         * wasm/WasmStreamingParser.h: Added.
848         (JSC::Wasm::StreamingParser::addBytes):
849         (JSC::Wasm::StreamingParser::errorMessage const):
850         This is our new StreamingParser implementation. StreamingParser::consumeXXX functions get data, and
851         StreamingParser::parseXXX functions parse consumed data. The user of StreamingParser calls
852         StreamingParser::addBytes() to pump the bytes stream into the parser. And once all the data is pumped,
853         the user calls StreamingParser::finalize. StreamingParser is a state machine which feeds on the
854         incoming byte stream.
855
856         * wasm/js/JSWebAssemblyModule.cpp:
857         (JSC::JSWebAssemblyModule::source const): Deleted.
858         All the source should not be held.
859
860         * wasm/js/JSWebAssemblyModule.h:
861         * wasm/js/WebAssemblyPrototype.cpp:
862         (JSC::webAssemblyValidateFunc):
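
The state machine this entry describes (consumeXXX gathers bytes, parseXXX interprets them, addBytes() pumps the stream in, finalize() closes it), as an added example: this is illustration code written for this page, not JSC's Wasm::StreamingParser. It frames the module header and the generic section id / size / payload layers only and does not split the code section into individual functions. MiniStreamingParser, parseInChunks, kMaxSectionSize and the sample module bytes are assumptions made here. A declared section size arrives before its bytes, so the parser bounds it before buffering anything; without that check a hostile stream could make the parser reserve memory for data it never delivers.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Illustration only (not JSC's Wasm::StreamingParser): frames a wasm module from a byte
// stream delivered in arbitrary chunks. consume* gathers bytes, parse* interprets them.
class MiniStreamingParser {
public:
    enum class State { ModuleHeader, SectionID, SectionSize, SectionPayload, Finished, Failed };
    struct Section { uint8_t id; std::vector<uint8_t> payload; };
    static constexpr uint32_t kMaxSectionSize = 1u << 20; // assumed bound on a declared section size
    // Pump one chunk into the state machine. A consume* call either takes everything it was given
    // (the loop ends; we wait for the next chunk) or completes its item, and parse* then advances.
    bool addBytes(const uint8_t* bytes, size_t length) {
        while (length && m_state != State::Failed) {
            switch (m_state) {
            case State::ModuleHeader:   if (consume(8, bytes, length)) parseModuleHeader(); break;
            case State::SectionID:      if (consume(1, bytes, length)) parseSectionID(); break;
            case State::SectionSize:    if (consumeVarUInt32(bytes, length)) parseSectionSize(); break;
            case State::SectionPayload: if (consume(m_sectionSize, bytes, length)) parseSectionPayload(); break;
            default:                    fail("bytes after finalize()");
            }
        }
        return m_state != State::Failed;
    }
    // Call once the whole stream has been delivered; a valid module ends on a section boundary.
    bool finalize() {
        if (m_state == State::SectionID && m_buffer.empty()) m_state = State::Finished;
        else if (m_state != State::Failed) fail("truncated module");
        return m_state == State::Finished;
    }
    State state() const { return m_state; }
    const char* errorMessage() const { return m_error; }   // nullptr unless state() is Failed
    const std::vector<Section>& sections() const { return m_sections; }
private:
    bool fail(const char* message) { m_state = State::Failed; m_error = message; return false; }
    // Buffer up to `needed` bytes; true once all of them are present.
    bool consume(size_t needed, const uint8_t*& bytes, size_t& length) {
        size_t take = std::min(needed - m_buffer.size(), length);
        m_buffer.insert(m_buffer.end(), bytes, bytes + take);
        bytes += take; length -= take;
        return m_buffer.size() == needed;
    }
    // Unsigned LEB128 decoded across chunk boundaries; true once the value is complete.
    bool consumeVarUInt32(const uint8_t*& bytes, size_t& length) {
        while (length) {
            uint8_t byte = *bytes++; --length;
            if (m_varShift > 28 || (m_varShift == 28 && (byte & 0x70)))   // over 5 bytes or 32 bits
                return fail("malformed varuint32");
            m_varValue |= uint32_t(byte & 0x7f) << m_varShift;
            m_varShift += 7;
            if (!(byte & 0x80)) return true;
        }
        return false;
    }
    void parseModuleHeader() {
        static const uint8_t expected[8] = { 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00 }; // "\0asm", version 1
        bool ok = std::equal(m_buffer.begin(), m_buffer.end(), expected);
        m_buffer.clear();
        if (ok) m_state = State::SectionID;
        else fail("bad magic number or version");
    }
    void parseSectionID() {
        m_sectionID = m_buffer[0]; m_buffer.clear();
        m_varValue = m_varShift = 0; m_state = State::SectionSize;
    }
    void parseSectionSize() {
        // The size arrives before its payload: bound it before buffering anything.
        if (m_varValue > kMaxSectionSize) { fail("section size exceeds limit"); return; }
        m_sectionSize = m_varValue; m_state = State::SectionPayload;
        if (!m_sectionSize) parseSectionPayload();         // empty section: nothing to wait for
    }
    void parseSectionPayload() {
        m_sections.push_back({ m_sectionID, m_buffer }); m_buffer.clear();
        m_state = State::SectionID;
    }

    State m_state = State::ModuleHeader; const char* m_error = nullptr;
    std::vector<uint8_t> m_buffer; std::vector<Section> m_sections;   // m_buffer: bytes gathered so far
    uint8_t m_sectionID = 0; uint32_t m_sectionSize = 0, m_varValue = 0, m_varShift = 0;
};

// Constructed sample module: one empty `() -> ()` function, nothing exported.
const std::vector<uint8_t> kSampleModule = {
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // header
    0x01, 0x04, 0x01, 0x60, 0x00, 0x00,             // type section: one signature
    0x03, 0x02, 0x01, 0x00,                         // function section: one function of type 0
    0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b,             // code section: one body, no locals, `end`
};

// Feed `module` through a fresh parser in `chunkSize`-byte pieces, then finalize.
MiniStreamingParser parseInChunks(const std::vector<uint8_t>& module, size_t chunkSize) {
    MiniStreamingParser parser;
    for (size_t offset = 0; offset < module.size(); offset += chunkSize)
        if (!parser.addBytes(module.data() + offset, std::min(chunkSize, module.size() - offset))) break;
    parser.finalize();
    return parser;
}
```

parseInChunks() delivers the same bytes in pieces of any size, so the module split one byte at a time must yield the same three sections as a single oversized chunk; a truncated stream, a wrong magic number or a section size above the bound end in State::Failed instead of being silently accepted.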
863
864 2018-08-27  Mark Lam  <mark.lam@apple.com>
865
866         Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names.
867         https://bugs.webkit.org/show_bug.cgi?id=188577
868         <rdar://problem/42985684>
869
870         Reviewed by Saam Barati.
871
872         1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current
873            (top) CallFrame (which may not have a valid callee) into a StackOverflowFrame.
874
875            The StackOverflowFrame is a sentinel frame that the low level code (exception
876            throwing code, stack visitor, and stack unwinding code) will know to skip
877            over.  The StackOverflowFrame will also have a valid JSCallee so that client
878            code can compute the globalObject or VM from this frame.
879
880            As a result, client code that throws StackOverflowErrors no longer needs to
881            compute the caller frame to throw from: it just converts the top frame into
882            a StackOverflowFrame and everything should *Just Work*.
883
884         2. NativeCallFrameTracerWithRestore is now obsolete.
885
886            Instead, client code should always call convertToStackOverflowFrame() on the
887            frame before instantiating a NativeCallFrameTracer with it.
888
889            This means that topCallFrame will always point to the top CallFrame (which
890            may be a StackOverflowFrame), and topEntryFrame will always point to the top
891            EntryFrame.  We'll never temporarily point them to the previous EntryFrame
892            (which we used to do with NativeCallFrameTracerWithRestore).
893
894         3. genericUnwind() and Interpreter::unwind() will now always unwind from the top
895            CallFrame, and will know how to handle a StackOverflowFrame if they see one.
896
897            This obsoletes the UnwindStart flag.
898
899         * CMakeLists.txt:
900         * JavaScriptCore.xcodeproj/project.pbxproj:
901         * Sources.txt:
902         * debugger/Debugger.cpp:
903         (JSC::Debugger::pauseIfNeeded):
904         * interpreter/CallFrame.cpp:
905         (JSC::CallFrame::callerFrame const):
906         (JSC::CallFrame::unsafeCallerFrame const):
907         (JSC::CallFrame::convertToStackOverflowFrame):
908         (JSC::CallFrame::callerFrame): Deleted.
909         (JSC::CallFrame::unsafeCallerFrame): Deleted.
910         * interpreter/CallFrame.h:
911         (JSC::ExecState::iterate):
912         * interpreter/CallFrameInlines.h: Added.
913         (JSC::CallFrame::isStackOverflowFrame const):
914         (JSC::CallFrame::isWasmFrame const):
915         * interpreter/EntryFrame.h: Added.
916         (JSC::EntryFrame::vmEntryRecordOffset):
917         (JSC::EntryFrame::calleeSaveRegistersBufferOffset):
918         * interpreter/FrameTracers.h:
919         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted.
920         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted.
921         * interpreter/Interpreter.cpp:
922         (JSC::Interpreter::unwind):
923         * interpreter/Interpreter.h:
924         * interpreter/StackVisitor.cpp:
925         (JSC::StackVisitor::StackVisitor):
926         * interpreter/StackVisitor.h:
927         (JSC::StackVisitor::visit):
928         (JSC::StackVisitor::topEntryFrameIsEmpty const):
929         * interpreter/VMEntryRecord.h:
930         (JSC::VMEntryRecord::callee const):
931         (JSC::EntryFrame::vmEntryRecordOffset): Deleted.
932         (JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted.
933         * jit/AssemblyHelpers.h:
934         * jit/JITExceptions.cpp:
935         (JSC::genericUnwind):
936         * jit/JITExceptions.h:
937         * jit/JITOperations.cpp:
938         * llint/LLIntOffsetsExtractor.cpp:
939         * llint/LLIntSlowPaths.cpp:
940         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
941         * llint/LowLevelInterpreter.asm:
942         * llint/LowLevelInterpreter32_64.asm:
943         * llint/LowLevelInterpreter64.asm:
944         * runtime/CallData.cpp:
945         * runtime/CommonSlowPaths.cpp:
946         (JSC::throwArityCheckStackOverflowError):
947         (JSC::SLOW_PATH_DECL):
948         * runtime/CommonSlowPathsExceptions.cpp: Removed.
949         * runtime/CommonSlowPathsExceptions.h: Removed.
950         * runtime/Completion.cpp:
951         (JSC::evaluateWithScopeExtension):
952         * runtime/JSGeneratorFunction.h:
953         * runtime/JSGlobalObject.cpp:
954         (JSC::JSGlobalObject::init):
955         (JSC::JSGlobalObject::visitChildren):
956         * runtime/JSGlobalObject.h:
957         (JSC::JSGlobalObject::stackOverflowFrameCallee const):
958         * runtime/VM.cpp:
959         (JSC::VM::throwException):
960         * runtime/VM.h:
961         * runtime/VMInlines.h:
962         (JSC::VM::topJSCallFrame const):
963
964 2018-08-27  Keith Rollin  <krollin@apple.com>
965
966         Unreviewed build fix -- disable LTO for production builds
967
968         * Configurations/Base.xcconfig:
969
970 2018-08-27  Aditya Keerthi  <akeerthi@apple.com>
971
972         Consolidate ENABLE_INPUT_TYPE_COLOR and ENABLE_INPUT_TYPE_COLOR_POPOVER
973         https://bugs.webkit.org/show_bug.cgi?id=188931
974
975         Reviewed by Wenson Hsieh.
976
977         * Configurations/FeatureDefines.xcconfig: Removed ENABLE_INPUT_TYPE_COLOR_POPOVER.
978
979 2018-08-27  Devin Rousso  <drousso@apple.com>
980
981         Web Inspector: provide autocompletion for event breakpoints
982         https://bugs.webkit.org/show_bug.cgi?id=188717
983
984         Reviewed by Brian Burg.
985
986         * inspector/protocol/DOM.json:
987         Add `getSupportedEventNames` command.
988
989 2018-08-27  Keith Rollin  <krollin@apple.com>
990
991         Build system support for LTO
992         https://bugs.webkit.org/show_bug.cgi?id=187785
993         <rdar://problem/42353132>
994
995         Reviewed by Dan Bernstein.
996
997         Update Base.xcconfig and DebugRelease.xcconfig to optionally enable
998         LTO.
999
1000         * Configurations/Base.xcconfig:
1001         * Configurations/DebugRelease.xcconfig:
1002
1003 2018-08-27  Patrick Griffis  <pgriffis@igalia.com>
1004
1005         [GTK][JSC] Add warn_unused_result attribute to some APIs
1006         https://bugs.webkit.org/show_bug.cgi?id=188983
1007
1008         Reviewed by Michael Catanzaro.
1009
1010         * API/glib/JSCValue.h:
1011
1012 2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1013
1014         [JSC] Array.prototype.reverse modifies JSImmutableButterfly
1015         https://bugs.webkit.org/show_bug.cgi?id=188794
1016
1017         Reviewed by Saam Barati.
1018
1019         While Array.prototype.reverse modifies the butterfly of the given Array,
1020         it does not account for the JSImmutableButterfly case. So it accidentally modifies
1021         the content of JSImmutableButterfly.
1022         This patch converts CoW arrays to writable arrays before reversing.
1023
1024         * runtime/ArrayPrototype.cpp:
1025         (JSC::arrayProtoFuncReverse):
1026         * runtime/JSObject.h:
1027         (JSC::JSObject::ensureWritable):
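
The copy-on-write hazard this entry describes, as an added example that is not JSC's code: CowArray models arrays that share one backing store (the role JSImmutableButterfly plays in JSC), and ensureWritable() is the step the fix adds before reversing in place. Sharing is detected here through the shared_ptr use count, whereas JSC decides by the array's indexing type; CowArray, reverseLeavesSiblingIntact and reversedValues are assumptions made for this illustration.

```cpp
#include <algorithm>
#include <memory>
#include <utility>
#include <vector>

// Illustration only (not JSC's JSArray / JSImmutableButterfly): arrays that share one
// backing store until one of them needs to write to it.
class CowArray {
public:
    explicit CowArray(std::vector<int> values)
        : m_storage(std::make_shared<std::vector<int>>(std::move(values))) { }

    // Copying shares the backing store, as array literals share a JSImmutableButterfly.
    CowArray(const CowArray&) = default;

    // Sharing is detected by reference count here; JSC decides by the array's indexing type.
    bool isShared() const { return m_storage.use_count() > 1; }
    const std::vector<int>& values() const { return *m_storage; }

    // The step the fix adds: give this array its own writable copy before mutating in place.
    void ensureWritable() {
        if (isShared())
            m_storage = std::make_shared<std::vector<int>>(*m_storage);
    }

    // Fixed behaviour: convert to writable storage, then reverse in place.
    void reverse() {
        ensureWritable();
        std::reverse(m_storage->begin(), m_storage->end());
    }

    // The defect described above, kept for comparison: reversing shared storage in place
    // silently changes every array that shares it.
    void reverseWithoutEnsureWritable() {
        std::reverse(m_storage->begin(), m_storage->end());
    }

private:
    std::shared_ptr<std::vector<int>> m_storage;
};

// Reverse `a` while `b` shares its storage; true if `b` still reads {1, 2, 3} afterwards.
bool reverseLeavesSiblingIntact(bool useFix) {
    CowArray a({ 1, 2, 3 });
    CowArray b = a;                           // shares a's backing store
    if (useFix) a.reverse(); else a.reverseWithoutEnsureWritable();
    return b.values() == std::vector<int>{ 1, 2, 3 };
}

// The fixed path must still reverse the array it was called on.
std::vector<int> reversedValues() {
    CowArray a({ 1, 2, 3 });
    CowArray b = a;                           // kept alive so the storage is shared during reverse()
    a.reverse();
    return a.values();
}
```

Only the writing side changes: readers keep sharing, and the copy is made at the last moment before the first in-place write, which is why the missing ensureWritable() call went unnoticed until a mutating path (reverse) ran on a literal-backed array.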
1028
1029 2018-08-24  Michael Saboff  <msaboff@apple.com>
1030
1031         YARR: Update UCS canonicalization tables for Unicode 11
1032         https://bugs.webkit.org/show_bug.cgi?id=188928
1033
1034         Reviewed by Mark Lam.
1035
1036         Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js.
1037
1038         This passes JavaScriptCore and test262 tests.
1039
1040         * yarr/YarrCanonicalizeUCS2.cpp:
1041         * yarr/YarrCanonicalizeUCS2.js:
1042         (printHeader):
1043
1044 2018-08-24  Michael Saboff  <msaboff@apple.com>
1045
1046         YARR: JIT RegExps with non-greedy parenthesized sub patterns
1047         https://bugs.webkit.org/show_bug.cgi?id=180876
1048
1049         Reviewed by Filip Pizlo.
1050
1051         Implemented the non-greedy nested parenthesis based on the prior greedy nested parenthesis work.
1052         For the matching code, the greedy path was correct except that we don't try matching for the
1053         non-greedy case.  Added a jump out to the term after the parenthesis and a label to perform the
1054         first / next match when we backtrack.  The backtracking code needs to check to see if we have
1055         tried the first match or if we can do another match.
1056
1057         Updated the disassembly annotations to include parenthesis capturing info, quantifier type and
1058         count.  Did other minor cleanup as well.
1059
1060         Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()".
1061
1062         Updated the text in some comments, both for this change as well as accuracy for existing code.
1063
1064         * yarr/YarrJIT.cpp:
1065         (JSC::Yarr::YarrGenerator::generate):
1066         (JSC::Yarr::YarrGenerator::backtrack):
1067         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1068         (JSC::Yarr::YarrGenerator::compile):
1069         (JSC::Yarr::dumpCompileFailure):
1070         (JSC::Yarr::jitCompile):
1071         * yarr/YarrJIT.h:
1072         (JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer):
1073         (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted.
1074
1075 2018-08-23  Simon Fraser  <simon.fraser@apple.com>
1076
1077         Add support for dumping GC heap snapshots, and a viewer
1078         https://bugs.webkit.org/show_bug.cgi?id=186416
1079
1080         Reviewed by Joseph Pecoraro.
1081
1082         Make a way to dump information about the GC heap that is useful for looking for leaked
1083         or abandoned objects. This dump is obtained (on Apple platforms) via:
1084             notifyutil -p com.apple.WebKit.dumpGCHeap
1085         which writes a JSON file to /tmp which can then be loaded into the viewer in Tools/GCHeapInspector.
1086         
1087         This leverages the heap snapshot used by Web Inspector, adding an alternate format for
1088         the snapshot JSON that adds additional data about objects and why they are GC roots.
1089
1090         SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows
1091         the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. For
1092         objects visited via opaque roots, we record the reason why via a new out param to
1093         isReachableFromOpaqueRoots().
1094
1095         HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains
1096         additional information including the address of the JSCell* and the wrapped object (for
1097         JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can
1098         be the document URL.
1099
1100         GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around).
1101
1102         * API/JSAPIWrapperObject.mm:
1103         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1104         * API/JSManagedValue.mm:
1105         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
1106         * API/glib/JSAPIWrapperObjectGLib.cpp:
1107         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1108         * CMakeLists.txt:
1109         * heap/ConservativeRoots.h:
1110         (JSC::ConservativeRoots::size const):
1111         (JSC::ConservativeRoots::size): Deleted.
1112         * heap/Heap.cpp:
1113         (JSC::Heap::addCoreConstraints):
1114         * heap/HeapSnapshotBuilder.cpp:
1115         (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
1116         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
1117         (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
1118         (JSC::HeapSnapshotBuilder::buildSnapshot):
1119         (JSC::HeapSnapshotBuilder::appendNode):
1120         (JSC::HeapSnapshotBuilder::appendEdge):
1121         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
1122         (JSC::HeapSnapshotBuilder::setWrappedObjectForCell):
1123         (JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell):
1124         (JSC::snapshotTypeToString):
1125         (JSC::rootTypeToString):
1126         (JSC::HeapSnapshotBuilder::setLabelForCell):
1127         (JSC::HeapSnapshotBuilder::descriptionForCell const):
1128         (JSC::HeapSnapshotBuilder::json):
1129         (JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted.
1130         * heap/HeapSnapshotBuilder.h:
1131         * heap/SlotVisitor.cpp:
1132         (JSC::SlotVisitor::appendSlow):
1133         * heap/SlotVisitor.h:
1134         (JSC::SlotVisitor::heapSnapshotBuilder const):
1135         (JSC::SlotVisitor::rootMarkReason const):
1136         (JSC::SlotVisitor::setRootMarkReason):
1137         (JSC::SetRootMarkReasonScope::SetRootMarkReasonScope):
1138         (JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope):
1139         * heap/WeakBlock.cpp:
1140         (JSC::WeakBlock::specializedVisit):
1141         * heap/WeakHandleOwner.cpp:
1142         (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
1143         * heap/WeakHandleOwner.h:
1144         * runtime/SimpleTypedArrayController.cpp:
1145         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
1146         * runtime/SimpleTypedArrayController.h:
1147         * tools/JSDollarVM.cpp:
1148
1149 2018-08-23  Saam barati  <sbarati@apple.com>
1150
1151         JSRunLoopTimer may run part of a member function after it's destroyed
1152         https://bugs.webkit.org/show_bug.cgi?id=188426
1153
1154         Reviewed by Mark Lam.
1155
1156         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1157         to end up running timer code after the class had been destroyed.
1158         
1159         The issue I spotted was in this function:
1160         ```
1161         void JSRunLoopTimer::timerDidFire()
1162         {
1163             JSLock* apiLock = m_apiLock.get();
1164             if (!apiLock) {
1165                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1166                 return;
1167             }
1168             // HERE
1169             std::lock_guard<JSLock> lock(*apiLock);
1170             RefPtr<VM> vm = apiLock->vm();
1171             if (!vm) {
1172                 // The VM has been destroyed, so we should just give up.
1173                 return;
1174             }
1175         
1176             doWork();
1177         }
1178         ```
1179         
1180         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1181         switched before grabbing the API lock. Then, some other thread destroys the VM.
1182         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1183         timer would run code and access member variables after it was destroyed.
1184         
1185         This patch fixes this issue by introducing a new timer manager class. 
1186         This class manages timers on a per VM basis. When a timer is scheduled,
1187         this class refs the timer. It also calls the timer callback while actively
1188         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1189         callback after the timer has been destroyed. However, calling a timer callback
1190         can still race with the VM being destroyed. We continue to detect this case and
1191         bail out of the callback early.
1192         
1193         This patch also removes a lot of duplicate code between GCActivityCallback
1194         and JSRunLoopTimer.
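
The fix this entry describes (the manager refs the timer while it is scheduled, invokes the callback holding its own +1 ref, and still bails out if the VM is already gone), as an added example in simplified form; this is not JSC's JSRunLoopTimer::Manager. VM, Timer, TimerManager and the two scenario functions are assumptions made for the illustration, and std::shared_ptr / std::weak_ptr stand in for JSC's Ref / RefPtr and VM lookup.

```cpp
#include <functional>
#include <memory>
#include <mutex>
#include <utility>
#include <vector>

// Simplified stand-ins (not JSC's VM, JSRunLoopTimer or JSRunLoopTimer::Manager).
struct VM { int id; };

struct Timer {
    std::function<void()> doWork;   // what the timer does when it fires
    std::weak_ptr<VM> vm;           // non-owning: the VM may be destroyed first
    static int destroyedCount;      // instrumentation for the scenarios below
    ~Timer() { ++destroyedCount; }
};
int Timer::destroyedCount = 0;

class TimerManager {
public:
    // Scheduling refs the timer, so it cannot be freed while it is pending.
    void scheduleTimer(std::shared_ptr<Timer> timer) {
        std::lock_guard<std::mutex> locker(m_lock);
        m_pending.push_back(std::move(timer));
    }

    // Stand-in for the run-loop callback. Returns how many callbacks actually ran.
    int fireDueTimers() {
        std::vector<std::shared_ptr<Timer>> due;
        {
            std::lock_guard<std::mutex> locker(m_lock);
            due.swap(m_pending);                 // take our refs out from under the lock
        }
        int fired = 0;
        for (const std::shared_ptr<Timer>& timer : due) {   // `timer` is the manager's +1 ref
            std::shared_ptr<VM> vm = timer->vm.lock();
            if (!vm) continue;                   // VM already destroyed: bail out early
            timer->doWork();                     // safe even if every other owner drops its ref now
            ++fired;
        }
        return fired;                            // `due` releases the +1 refs only here
    }

private:
    std::mutex m_lock;
    std::vector<std::shared_ptr<Timer>> m_pending;
};

// Scenario 1: the timer's only external owner drops it while its callback is running.
// True if the callback finished on a live object and the timer died only after fireDueTimers().
bool timerSurvivesOwnerDroppingItMidCallback() {
    TimerManager manager;
    auto vm = std::make_shared<VM>(VM{ 1 });
    auto owner = std::make_shared<Timer>();
    std::weak_ptr<Timer> observer = owner;
    owner->vm = vm;
    bool expiredDuringCallback = true;
    owner->doWork = [&] {
        owner.reset();                           // the "VM destroys the timer" step of the race
        expiredDuringCallback = observer.expired();
    };
    manager.scheduleTimer(owner);
    int before = Timer::destroyedCount;
    int fired = manager.fireDueTimers();
    return fired == 1 && !expiredDuringCallback && observer.expired()
        && Timer::destroyedCount == before + 1;
}

// Scenario 2: the VM dies before the timer fires; the callback must be skipped.
bool callbackSkippedWhenVMIsGone() {
    TimerManager manager;
    auto vm = std::make_shared<VM>(VM{ 2 });
    auto timer = std::make_shared<Timer>();
    bool ran = false;
    timer->vm = vm;
    timer->doWork = [&] { ran = true; };
    manager.scheduleTimer(timer);
    vm.reset();                                  // VM destroyed while the timer is still pending
    return manager.fireDueTimers() == 0 && !ran;
}
```

Both scenarios are deterministic: the interleaving the entry describes is reproduced by letting the callback itself drop the owner's reference, and the manager's copy in `due` is what keeps the object alive until the loop finishes. The refs are moved out from under the lock before any callback runs, so a callback that schedules or cancels a timer does not deadlock against the manager.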
1195
1196         * heap/EdenGCActivityCallback.cpp:
1197         (JSC::EdenGCActivityCallback::doCollection):
1198         (JSC::EdenGCActivityCallback::lastGCLength):
1199         (JSC::EdenGCActivityCallback::deathRate):
1200         * heap/EdenGCActivityCallback.h:
1201         * heap/FullGCActivityCallback.cpp:
1202         (JSC::FullGCActivityCallback::doCollection):
1203         (JSC::FullGCActivityCallback::lastGCLength):
1204         (JSC::FullGCActivityCallback::deathRate):
1205         * heap/FullGCActivityCallback.h:
1206         * heap/GCActivityCallback.cpp:
1207         (JSC::GCActivityCallback::doWork):
1208         (JSC::GCActivityCallback::scheduleTimer):
1209         (JSC::GCActivityCallback::didAllocate):
1210         (JSC::GCActivityCallback::willCollect):
1211         (JSC::GCActivityCallback::cancel):
1212         (JSC::GCActivityCallback::cancelTimer): Deleted.
1213         (JSC::GCActivityCallback::nextFireTime): Deleted.
1214         * heap/GCActivityCallback.h:
1215         * heap/Heap.cpp:
1216         (JSC::Heap::reportAbandonedObjectGraph):
1217         (JSC::Heap::notifyIncrementalSweeper):
1218         (JSC::Heap::updateAllocationLimits):
1219         (JSC::Heap::didAllocate):
1220         * heap/IncrementalSweeper.cpp:
1221         (JSC::IncrementalSweeper::scheduleTimer):
1222         (JSC::IncrementalSweeper::doWork):
1223         (JSC::IncrementalSweeper::doSweep):
1224         (JSC::IncrementalSweeper::sweepNextBlock):
1225         (JSC::IncrementalSweeper::startSweeping):
1226         (JSC::IncrementalSweeper::stopSweeping):
1227         * heap/IncrementalSweeper.h:
1228         * heap/StopIfNecessaryTimer.cpp:
1229         (JSC::StopIfNecessaryTimer::doWork):
1230         (JSC::StopIfNecessaryTimer::scheduleSoon):
1231         * heap/StopIfNecessaryTimer.h:
1232         * runtime/JSRunLoopTimer.cpp:
1233         (JSC::epochTime):
1234         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1235         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1236         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1237         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1238         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1239         (JSC::JSRunLoopTimer::Manager::shared):
1240         (JSC::JSRunLoopTimer::Manager::registerVM):
1241         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1242         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1243         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1244         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1245         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1246         (JSC::JSRunLoopTimer::timerDidFire):
1247         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1248         (JSC::JSRunLoopTimer::timeUntilFire):
1249         (JSC::JSRunLoopTimer::setTimeUntilFire):
1250         (JSC::JSRunLoopTimer::cancelTimer):
1251         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1252         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1253         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1254         * runtime/JSRunLoopTimer.h:
1255         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1256         * runtime/PromiseDeferredTimer.cpp:
1257         (JSC::PromiseDeferredTimer::doWork):
1258         (JSC::PromiseDeferredTimer::runRunLoop):
1259         (JSC::PromiseDeferredTimer::addPendingPromise):
1260         (JSC::PromiseDeferredTimer::hasPendingPromise):
1261         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1262         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1263         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1264         * runtime/PromiseDeferredTimer.h:
1265         * runtime/VM.cpp:
1266         (JSC::VM::VM):
1267         (JSC::VM::~VM):
1268         (JSC::VM::setRunLoop):
1269         (JSC::VM::registerRunLoopTimer): Deleted.
1270         (JSC::VM::unregisterRunLoopTimer): Deleted.
1271         * runtime/VM.h:
1272         (JSC::VM::runLoop const):
1273         * wasm/js/WebAssemblyPrototype.cpp:
1274         (JSC::webAssemblyModuleValidateAsyncInternal):
1275         (JSC::instantiate):
1276         (JSC::compileAndInstantiate):
1277         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1278         (JSC::webAssemblyCompileStreamingInternal):
1279         (JSC::webAssemblyInstantiateStreamingInternal):
1280
1281 2018-08-23  Mark Lam  <mark.lam@apple.com>
1282
1283         Move vmEntryGlobalObject() to VM from CallFrame.
1284         https://bugs.webkit.org/show_bug.cgi?id=188900
1285         <rdar://problem/43655753>
1286
1287         Reviewed by Michael Saboff.
1288
1289         Also introduced CallFrame::isGlobalExec() which makes use of one property of
1290         GlobalExecs to identify them i.e. GlobalExecs have null callerFrame and returnPCs.
1291         CallFrame::initGlobalExec() ensures this.
1292
1293         In contrast, normal CallFrames always have a callerFrame (because they must at
1294         least be preceded by a VM EntryFrame) and a returnPC (at least return to the
1295         VM entry glue).
1296
1297         * API/APIUtils.h:
1298         (handleExceptionIfNeeded):
1299         (setException):
1300         * API/JSBase.cpp:
1301         (JSEvaluateScript):
1302         (JSCheckScriptSyntax):
1303         * API/JSContextRef.cpp:
1304         (JSGlobalContextRetain):
1305         (JSGlobalContextRelease):
1306         (JSGlobalContextCopyName):
1307         (JSGlobalContextSetName):
1308         (JSGlobalContextGetRemoteInspectionEnabled):
1309         (JSGlobalContextSetRemoteInspectionEnabled):
1310         (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
1311         (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
1312         (JSGlobalContextGetDebuggerRunLoop):
1313         (JSGlobalContextSetDebuggerRunLoop):
1314         (JSGlobalContextGetAugmentableInspectorController):
1315         * API/JSValue.mm:
1316         (reportExceptionToInspector):
1317         * API/glib/JSCClass.cpp:
1318         (jscContextForObject):
1319         * API/glib/JSCContext.cpp:
1320         (jsc_context_evaluate_in_object):
1321         * debugger/Debugger.cpp:
1322         (JSC::Debugger::pauseIfNeeded):
1323         * debugger/DebuggerCallFrame.cpp:
1324         (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
1325         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1326         * interpreter/CallFrame.cpp:
1327         (JSC::CallFrame::vmEntryGlobalObject): Deleted.
1328         * interpreter/CallFrame.h:
1329         (JSC::ExecState::scope const):
1330         (JSC::ExecState::noCaller):
1331         (JSC::ExecState::isGlobalExec const):
1332         * interpreter/Interpreter.cpp:
1333         (JSC::notifyDebuggerOfUnwinding):
1334         (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
1335         (JSC::Interpreter::debug):
1336         * runtime/CallData.cpp:
1337         (JSC::profiledCall):
1338         * runtime/Completion.cpp:
1339         (JSC::evaluate):
1340         (JSC::profiledEvaluate):
1341         (JSC::evaluateWithScopeExtension):
1342         (JSC::loadAndEvaluateModule):
1343         (JSC::loadModule):
1344         (JSC::linkAndEvaluateModule):
1345         (JSC::importModule):
1346         * runtime/ConstructData.cpp:
1347         (JSC::profiledConstruct):
1348         * runtime/Error.cpp:
1349         (JSC::getStackTrace):
1350         * runtime/VM.cpp:
1351         (JSC::VM::throwException):
1352         (JSC::VM::vmEntryGlobalObject const):
1353         * runtime/VM.h:
1354
1355 2018-08-23  Andy Estes  <aestes@apple.com>
1356
1357         [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
1358         https://bugs.webkit.org/show_bug.cgi?id=188829
1359
1360         Reviewed by Tim Horton.
1361
1362         * Configurations/FeatureDefines.xcconfig:
1363
1364 2018-08-23  Devin Rousso  <drousso@apple.com>
1365
1366         Web Inspector: support breakpoints for timers and animation-frame events
1367         https://bugs.webkit.org/show_bug.cgi?id=188778
1368
1369         Reviewed by Brian Burg.
1370
1371         * inspector/protocol/Debugger.json:
1372         Add `AnimationFrame` and `Timer` types to the list of pause reasons.
1373
1374         * inspector/protocol/DOMDebugger.json:
1375         Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
1376          - `setEventListenerBreakpoint`
1377          - `removeEventListenerBreakpoint`
1378          - `setInstrumentationBreakpoint`
1379          - `removeInstrumentationBreakpoint`
1380         Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
1381
1382         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1383         (CppProtocolTypesHeaderGenerator.generate_output):
1384         (CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
1385         (CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
1386         (CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
1387         Generate `DefaultHash` for all `enum class` used by inspector protocols.
1388
1389         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1390         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1391         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1392         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1393         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1394         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1395         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1396
1397 2018-08-23  Michael Saboff  <msaboff@apple.com>
1398
1399         YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
1400         https://bugs.webkit.org/show_bug.cgi?id=188895
1401
1402         Reviewed by Mark Lam.
1403
1404         Found while working on another change.  This will allow processing of nested
1405         parenthesis that require saved ParenContext structures.
1406
1407         * yarr/YarrJIT.cpp:
1408         (JSC::Yarr::YarrGenerator::compile):
1409
1410 2018-08-22  Michael Saboff  <msaboff@apple.com>
1411
1412         https://bugs.webkit.org/show_bug.cgi?id=188859
1413         Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
1414
1415         Rubber-stamped by Saam Barati.
1416
1417         Deleted these two functions.
1418
1419         * jit/JITOperations.cpp:
1420         * jit/JITOperations.h:
1421
1422 2018-08-22  Mark Lam  <mark.lam@apple.com>
1423
1424         The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
1425         https://bugs.webkit.org/show_bug.cgi?id=188298
1426         <rdar://problem/42888427>
1427
1428         Reviewed by Saam Barati.
1429
1430         In the event that both targets of a Branch are the same block, then even if we'll
1431         always take one path of the branch, the other target is not unreachable because
1432         it is the same target as the one in the taken path.  Hence, it should not be
1433         jettisoned.
1434
1435         * JavaScriptCore.xcodeproj/project.pbxproj:
1436         - Added DFGCFG.h which is in use and should have been added to the project.
1437         * dfg/DFGCFGSimplificationPhase.cpp:
1438         (JSC::DFG::CFGSimplificationPhase::run):
1439
1440 2018-08-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1441
1442         [JSC] HeapUtil should care about pointer overflow
1443         https://bugs.webkit.org/show_bug.cgi?id=188740
1444
1445         Reviewed by Saam Barati.
1446
1447         `pointer - sizeof(IndexingHeader) - 1` causes undefined behavior if a pointer overflows.
1448         For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
1449         with `char*` pointer, we cast it to `uintptr_t` temporarily. This issue is found by UBSan.
1450
1451         * heap/HeapUtil.h:
1452         (JSC::HeapUtil::findGCObjectPointersForMarking):
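        The hazard this entry describes, as an added illustration. This is constructed example code, not JSC's HeapUtil; the IndexingHeader stand-in and the helper names are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-in for the header that precedes a butterfly payload; only
// its size matters for this example.
struct IndexingHeader {
    uint32_t publicLength;
    uint32_t vectorLength;
};

// The shape of the original defect, kept as a comment so it is never compiled:
//   const char* p = static_cast<const char*>(pointer) - sizeof(IndexingHeader) - 1;
// If `pointer` is nullptr (or lies within the first few bytes of the address
// space), this pointer arithmetic steps outside any object, which is undefined
// behaviour and is what UBSan's pointer-overflow check flags.

// Well-defined replacement: do the subtraction on uintptr_t, where unsigned
// arithmetic wraps modulo 2^N instead of being undefined.
inline uintptr_t candidateObjectEnd(const void* pointer)
{
    uintptr_t address = reinterpret_cast<uintptr_t>(pointer);
    return address - sizeof(IndexingHeader) - 1;
}

// Wrap-around is now defined, but a conservative scanner still has to reject
// it: no object can end at a higher address than the pointer it was derived
// from, so a wrapped candidate is simply not a heap pointer.
inline bool candidateIsPlausible(const void* pointer)
{
    uintptr_t address = reinterpret_cast<uintptr_t>(pointer);
    return candidateObjectEnd(pointer) < address;
}

// Constructed sample "heap" used to exercise the plausible case.
static unsigned char sampleHeap[64];

inline bool sampleInteriorPointerIsPlausible()
{
    return candidateIsPlausible(sampleHeap + 32);
}
```

        The second check matters as much as the cast: once the arithmetic is allowed to wrap, the scanner must treat a wrapped candidate as "not a pointer" rather than dereference whatever the wrapped value happens to address.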
1453
1454 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1455
1456         [JSC] Should not rotate constant with 64
1457         https://bugs.webkit.org/show_bug.cgi?id=188556
1458
1459         Reviewed by Saam Barati.
1460
1461         To defend against JIT splaying, we rotate a constant with a randomly generated seed.
1462         But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
1463         where value's type is uint64_t, and they cause undefined behaviors (UBs). This patch limits
1464         the seed to the range [1, 63] so as not to generate code causing UBs. This was found by UBSan.
1465
1466         * assembler/MacroAssembler.h:
1467         (JSC::MacroAssembler::generateRotationSeed):
1468         (JSC::MacroAssembler::rotationBlindConstant):
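        A constructed illustration of the seed range and of why it matters. This is added example code, not JSC's MacroAssembler; rotationSeedFromRandom, blindConstant and the BlindedConstant struct are names assumed for the example, and the raw random input is taken as a parameter rather than drawn from JSC's RNG.

```cpp
#include <cstdint>

// On a uint64_t, `value << 64` and `value >> 64` are undefined behaviour, so a
// rotation amount of 0 or 64 is unusable even though it would be a no-op
// mathematically. Constrain the seed to [1, 63] before it reaches any shift.
inline unsigned rotationSeedFromRandom(uint64_t rawRandom)
{
    return 1 + static_cast<unsigned>(rawRandom % 63); // 1 + [0, 62] == [1, 63]
}

inline bool isValidRotationSeed(unsigned seed)
{
    return seed >= 1 && seed <= 63;
}

// With seed in [1, 63], both `seed` and `64 - seed` are in [1, 63], so every
// shift below is well defined.
inline uint64_t rotateLeft64(uint64_t value, unsigned seed)
{
    return (value << seed) | (value >> (64 - seed));
}

inline uint64_t rotateRight64(uint64_t value, unsigned seed)
{
    return (value >> seed) | (value << (64 - seed));
}

// A blinded constant: the rotated value is what gets embedded in JIT output,
// and the seed is what the emitted code uses to rotate it back, so an
// attacker-chosen constant never appears verbatim in executable memory.
struct BlindedConstant {
    uint64_t rotated;
    unsigned seed;
};

inline BlindedConstant blindConstant(uint64_t value, uint64_t rawRandom)
{
    unsigned seed = rotationSeedFromRandom(rawRandom);
    return { rotateLeft64(value, seed), seed };
}

inline uint64_t unblindConstant(const BlindedConstant& blinded)
{
    return rotateRight64(blinded.rotated, blinded.seed);
}
```

        The modulo-then-offset mapping is the whole fix: whatever the random source produces, the seed can never be 0 or 64, so neither shift operand can reach the width of the type.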
1469
1470 2018-08-21  Commit Queue  <commit-queue@webkit.org>
1471
1472         Unreviewed, rolling out r235107.
1473         https://bugs.webkit.org/show_bug.cgi?id=188832
1474
1475         "It revealed bugs in Blob code as well as regressed JS
1476         performance tests" (Requested by saamyjoon on #webkit).
1477
1478         Reverted changeset:
1479
1480         "JSRunLoopTimer may run part of a member function after it's
1481         destroyed"
1482         https://bugs.webkit.org/show_bug.cgi?id=188426
1483         https://trac.webkit.org/changeset/235107
1484
1485 2018-08-21  Saam barati  <sbarati@apple.com>
1486
1487         JSRunLoopTimer may run part of a member function after it's destroyed
1488         https://bugs.webkit.org/show_bug.cgi?id=188426
1489
1490         Reviewed by Mark Lam.
1491
1492         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1493         to end up running timer code after the class had been destroyed.
1494         
1495         The issue I spotted was in this function:
1496         ```
1497         void JSRunLoopTimer::timerDidFire()
1498         {
1499             JSLock* apiLock = m_apiLock.get();
1500             if (!apiLock) {
1501                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1502                 return;
1503             }
1504             // HERE
1505             std::lock_guard<JSLock> lock(*apiLock);
1506             RefPtr<VM> vm = apiLock->vm();
1507             if (!vm) {
1508                 // The VM has been destroyed, so we should just give up.
1509                 return;
1510             }
1511         
1512             doWork();
1513         }
1514         ```
1515         
1516         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1517         switched before grabbing the API lock. Then, some other thread destroys the VM.
1518         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1519         timer would run code and access member variables after it was destroyed.
1520         
1521         This patch fixes this issue by introducing a new timer manager class. 
1522         This class manages timers on a per VM basis. When a timer is scheduled,
1523         this class refs the timer. It also calls the timer callback while actively
1524         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1525         callback after the timer has been destroyed. However, calling a timer callback
1526         can still race with the VM being destroyed. We continue to detect this case and
1527         bail out of the callback early.
1528         
1529         This patch also removes a lot of duplicate code between GCActivityCallback
1530         and JSRunLoopTimer.
1531
1532         * heap/EdenGCActivityCallback.cpp:
1533         (JSC::EdenGCActivityCallback::doCollection):
1534         (JSC::EdenGCActivityCallback::lastGCLength):
1535         (JSC::EdenGCActivityCallback::deathRate):
1536         * heap/EdenGCActivityCallback.h:
1537         * heap/FullGCActivityCallback.cpp:
1538         (JSC::FullGCActivityCallback::doCollection):
1539         (JSC::FullGCActivityCallback::lastGCLength):
1540         (JSC::FullGCActivityCallback::deathRate):
1541         * heap/FullGCActivityCallback.h:
1542         * heap/GCActivityCallback.cpp:
1543         (JSC::GCActivityCallback::doWork):
1544         (JSC::GCActivityCallback::scheduleTimer):
1545         (JSC::GCActivityCallback::didAllocate):
1546         (JSC::GCActivityCallback::willCollect):
1547         (JSC::GCActivityCallback::cancel):
1548         (JSC::GCActivityCallback::cancelTimer): Deleted.
1549         (JSC::GCActivityCallback::nextFireTime): Deleted.
1550         * heap/GCActivityCallback.h:
1551         * heap/Heap.cpp:
1552         (JSC::Heap::reportAbandonedObjectGraph):
1553         (JSC::Heap::notifyIncrementalSweeper):
1554         (JSC::Heap::updateAllocationLimits):
1555         (JSC::Heap::didAllocate):
1556         * heap/IncrementalSweeper.cpp:
1557         (JSC::IncrementalSweeper::scheduleTimer):
1558         (JSC::IncrementalSweeper::doWork):
1559         (JSC::IncrementalSweeper::doSweep):
1560         (JSC::IncrementalSweeper::sweepNextBlock):
1561         (JSC::IncrementalSweeper::startSweeping):
1562         (JSC::IncrementalSweeper::stopSweeping):
1563         * heap/IncrementalSweeper.h:
1564         * heap/StopIfNecessaryTimer.cpp:
1565         (JSC::StopIfNecessaryTimer::doWork):
1566         (JSC::StopIfNecessaryTimer::scheduleSoon):
1567         * heap/StopIfNecessaryTimer.h:
1568         * runtime/JSRunLoopTimer.cpp:
1569         (JSC::epochTime):
1570         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1571         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1572         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1573         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1574         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1575         (JSC::JSRunLoopTimer::Manager::shared):
1576         (JSC::JSRunLoopTimer::Manager::registerVM):
1577         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1578         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1579         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1580         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1581         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1582         (JSC::JSRunLoopTimer::timerDidFire):
1583         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1584         (JSC::JSRunLoopTimer::timeUntilFire):
1585         (JSC::JSRunLoopTimer::setTimeUntilFire):
1586         (JSC::JSRunLoopTimer::cancelTimer):
1587         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1588         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1589         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1590         * runtime/JSRunLoopTimer.h:
1591         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1592         * runtime/PromiseDeferredTimer.cpp:
1593         (JSC::PromiseDeferredTimer::doWork):
1594         (JSC::PromiseDeferredTimer::runRunLoop):
1595         (JSC::PromiseDeferredTimer::addPendingPromise):
1596         (JSC::PromiseDeferredTimer::hasPendingPromise):
1597         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1598         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1599         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1600         * runtime/PromiseDeferredTimer.h:
1601         * runtime/VM.cpp:
1602         (JSC::VM::VM):
1603         (JSC::VM::~VM):
1604         (JSC::VM::setRunLoop):
1605         (JSC::VM::registerRunLoopTimer): Deleted.
1606         (JSC::VM::unregisterRunLoopTimer): Deleted.
1607         * runtime/VM.h:
1608         (JSC::VM::runLoop const):
1609         * wasm/js/WebAssemblyPrototype.cpp:
1610         (JSC::webAssemblyModuleValidateAsyncInternal):
1611         (JSC::instantiate):
1612         (JSC::compileAndInstantiate):
1613         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1614         (JSC::webAssemblyCompileStreamingInternal):
1615         (JSC::webAssemblyInstantiateStreamingInternal):
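        The lifetime rule this entry introduces (the manager refs a scheduled timer and holds a +1 ref across the callback), shown as an added, single-threaded model; the same entry appears earlier in this log as a relanding. This is constructed example code, not JSC's JSRunLoopTimer or its Manager: the Timer and TimerManager classes, their shared_ptr-based ownership and the scenario function are all assumptions made for the example, and the real fix additionally takes the API lock, which the model omits.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// A timer whose callback can observe its own object. The live count lets the
// scenario below check when destruction actually happens.
class Timer {
public:
    explicit Timer(std::function<void(Timer&)> work) : m_work(std::move(work)) { ++s_live; }
    ~Timer() { --s_live; }
    void doWork() { ++m_fireCount; m_work(*this); }
    int fireCount() const { return m_fireCount; }
    static int liveCount() { return s_live; }
private:
    std::function<void(Timer&)> m_work;
    int m_fireCount = 0;
    static int s_live;
};
int Timer::s_live = 0;

class TimerManager {
public:
    // Scheduling takes a +1 ref: the manager, not only the owner, keeps the
    // timer alive once it is pending.
    void schedule(std::shared_ptr<Timer> timer) { m_pending.push_back(std::move(timer)); }

    // Fire every pending timer. `keepAlive` is the +1 ref held across the
    // callback: even if the owner releases the timer inside doWork(), the
    // object is destroyed only after this frame drops its reference.
    int fireAll()
    {
        std::vector<std::shared_ptr<Timer>> due;
        due.swap(m_pending); // one-shot timers: no longer pending once taken
        int fired = 0;
        for (auto& timer : due) {
            std::shared_ptr<Timer> keepAlive = timer;
            keepAlive->doWork();
            ++fired;
        }
        return fired;
    }

private:
    std::vector<std::shared_ptr<Timer>> m_pending;
};

// Scenario from the entry: the owner (standing in for the VM) drops the timer
// while the callback is still running. Without the manager's ref this would be
// a use-after-free inside doWork(); with it, the callback completes on a live
// object and destruction happens afterwards.
inline bool ownerDropsTimerDuringCallbackIsSafe()
{
    TimerManager manager;
    std::shared_ptr<Timer> owner;
    bool timerAliveAfterDrop = false;
    owner = std::make_shared<Timer>([&](Timer& self) {
        owner.reset(); // "some other thread destroys the VM" mid-callback
        timerAliveAfterDrop = Timer::liveCount() == 1 && self.fireCount() == 1;
    });
    manager.schedule(owner);
    int fired = manager.fireAll();
    return fired == 1 && timerAliveAfterDrop && !owner && Timer::liveCount() == 0;
}
```

        The detection of a destroyed VM is still needed (the real callback bails out early in that case); holding the ref only guarantees that the timer's own members are valid for the whole callback.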
1616
1617 2018-08-20  Saam barati  <sbarati@apple.com>
1618
1619         Inline DataView accesses into DFG/FTL
1620         https://bugs.webkit.org/show_bug.cgi?id=188573
1621         <rdar://problem/43286746>
1622
1623         Reviewed by Michael Saboff.
1624
1625         This patch teaches the DFG/FTL to inline DataView accesses. The approach is
1626         straightforward. We inline the various get*/set* operations as intrinsics.
1627         
1628         This patch takes the most obvious approach for now. We OSR exit when:
1629         - An isLittleEndian argument is provided, and is not a boolean.
1630         - The index isn't an integer.
1631         - The |this| isn't a DataView.
1632         - We do an OOB access (or see a neutered array)
1633         
1634         To implement this change in a performant way, this patch teaches the macro
1635         assembler how to emit byte swap operations. The semantics of the added functions
1636         are byteSwap + zero extend. This means for the 16bit byte swaps, we need
1637         to actually emit zero extend instructions. For the 32/64bit byte swaps,
1638         the instructions already have these semantics.
1639         
1640         This patch is just a lightweight initial implementation. There are some easy
1641         extensions we can do in future changes:
1642         - Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
1643         - CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
1644
1645         * assembler/MacroAssemblerARM64.h:
1646         (JSC::MacroAssemblerARM64::byteSwap16):
1647         (JSC::MacroAssemblerARM64::byteSwap32):
1648         (JSC::MacroAssemblerARM64::byteSwap64):
1649         * assembler/MacroAssemblerX86Common.h:
1650         (JSC::MacroAssemblerX86Common::byteSwap32):
1651         (JSC::MacroAssemblerX86Common::byteSwap16):
1652         (JSC::MacroAssemblerX86Common::byteSwap64):
1653         * assembler/X86Assembler.h:
1654         (JSC::X86Assembler::bswapl_r):
1655         (JSC::X86Assembler::bswapq_r):
1656         (JSC::X86Assembler::shiftInstruction16):
1657         (JSC::X86Assembler::rolw_i8r):
1658         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1659         * assembler/testmasm.cpp:
1660         (JSC::testByteSwap):
1661         (JSC::run):
1662         * bytecode/DataFormat.h:
1663         * bytecode/SpeculatedType.cpp:
1664         (JSC::dumpSpeculation):
1665         (JSC::speculationFromClassInfo):
1666         (JSC::speculationFromJSType):
1667         (JSC::speculationFromString):
1668         * bytecode/SpeculatedType.h:
1669         * dfg/DFGAbstractInterpreterInlines.h:
1670         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1671         * dfg/DFGByteCodeParser.cpp:
1672         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1673         * dfg/DFGClobberize.h:
1674         (JSC::DFG::clobberize):
1675         * dfg/DFGDoesGC.cpp:
1676         (JSC::DFG::doesGC):
1677         * dfg/DFGFixupPhase.cpp:
1678         (JSC::DFG::FixupPhase::fixupNode):
1679         * dfg/DFGNode.h:
1680         (JSC::DFG::Node::hasHeapPrediction):
1681         (JSC::DFG::Node::dataViewData):
1682         * dfg/DFGNodeType.h:
1683         * dfg/DFGPredictionPropagationPhase.cpp:
1684         * dfg/DFGSafeToExecute.h:
1685         (JSC::DFG::SafeToExecuteEdge::operator()):
1686         (JSC::DFG::safeToExecute):
1687         * dfg/DFGSpeculativeJIT.cpp:
1688         (JSC::DFG::SpeculativeJIT::speculateDataViewObject):
1689         (JSC::DFG::SpeculativeJIT::speculate):
1690         * dfg/DFGSpeculativeJIT.h:
1691         * dfg/DFGSpeculativeJIT32_64.cpp:
1692         (JSC::DFG::SpeculativeJIT::compile):
1693         * dfg/DFGSpeculativeJIT64.cpp:
1694         (JSC::DFG::SpeculativeJIT::compile):
1695         * dfg/DFGUseKind.cpp:
1696         (WTF::printInternal):
1697         * dfg/DFGUseKind.h:
1698         (JSC::DFG::typeFilterFor):
1699         (JSC::DFG::isCell):
1700         * ftl/FTLCapabilities.cpp:
1701         (JSC::FTL::canCompile):
1702         * ftl/FTLLowerDFGToB3.cpp:
1703         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1704         (JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
1705         (JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
1706         (JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
1707         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
1708         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
1709         (JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
1710         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1711         (JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
1712         * runtime/Intrinsic.cpp:
1713         (JSC::intrinsicName):
1714         * runtime/Intrinsic.h:
1715         * runtime/JSDataViewPrototype.cpp:
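        The byte-swap-plus-zero-extend semantics and the exit conditions listed in this entry, as an added example written against a plain byte buffer. This is constructed example code, not the DFG/FTL or macro assembler implementation: byteSwap16ZeroExtend, dataViewGetUint16 and the sample buffer are assumptions made for the example, and a detached buffer is modelled simply as a null data pointer.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Byte swap with zero extension: the result occupies only the low 16 bits of
// the 64-bit register, as the entry requires for the 16-bit case. Returning
// uint64_t makes the "upper bits must be clear" property visible and testable.
inline uint64_t byteSwap16ZeroExtend(uint64_t reg)
{
    uint16_t low = static_cast<uint16_t>(reg);
    return static_cast<uint16_t>((low << 8) | (low >> 8));
}

// For 32 bits the swap itself already clears the upper half of the register.
inline uint64_t byteSwap32ZeroExtend(uint64_t reg)
{
    uint32_t low = static_cast<uint32_t>(reg);
    return ((low & 0x000000FFu) << 24) | ((low & 0x0000FF00u) << 8)
         | ((low & 0x00FF0000u) >> 8)  | ((low & 0xFF000000u) >> 24);
}

inline bool hostIsLittleEndian()
{
    const uint16_t probe = 1;
    uint8_t firstByte;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 1;
}

// Runtime equivalent of the inlined DataView getter: each condition the
// DFG/FTL would OSR-exit on is an explicit check here. Returns false instead
// of reading when the access is out of bounds or the buffer is detached.
inline bool dataViewGetUint16(const uint8_t* data, size_t byteLength,
                              size_t index, bool littleEndian, uint16_t& out)
{
    if (!data || index > byteLength || byteLength - index < sizeof(uint16_t))
        return false; // OOB or neutered: bail out before touching memory
    uint16_t native;
    std::memcpy(&native, data + index, sizeof native); // unaligned-safe load
    out = (littleEndian == hostIsLittleEndian())
        ? native
        : static_cast<uint16_t>(byteSwap16ZeroExtend(native));
    return true;
}

// Constructed sample buffer and a wrapper that reports failure as -1.
static const uint8_t sampleBytes[4] = { 0x12, 0x34, 0x56, 0x78 };

inline int sampleGet(size_t index, bool littleEndian)
{
    uint16_t value = 0;
    if (!dataViewGetUint16(sampleBytes, sizeof sampleBytes, index, littleEndian, value))
        return -1; // the case that would have OSR exited
    return value;
}
```

        The bounds test is written as `byteLength - index < sizeof(uint16_t)` after checking `index > byteLength`, so it cannot overflow for any index; an `index + 2 <= byteLength` form would wrap for an index near SIZE_MAX.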
1716
1717 2018-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1718
1719         [YARR] Extend size of fixed characters bulk matching in 64bit platform
1720         https://bugs.webkit.org/show_bug.cgi?id=181989
1721
1722         Reviewed by Michael Saboff.
1723
1724         This patch extends bulk matching style for fixed-sized characters.
1725         In a 64-bit environment, a GPR can hold up to 8 characters. This change
1726         reduces the code size since we can fuse multiple `mov` operations into one.
1727
1728         * assembler/LinkBuffer.h:
1729         * runtime/Options.h:
1730         * yarr/YarrJIT.cpp:
1731         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1732         (JSC::Yarr::YarrGenerator::compile):
1733
1734 2018-08-20  Devin Rousso  <drousso@apple.com>
1735
1736         Web Inspector: allow breakpoints to be set for specific event listeners
1737         https://bugs.webkit.org/show_bug.cgi?id=183138
1738
1739         Reviewed by Joseph Pecoraro.
1740
1741         * inspector/protocol/DOM.json:
1742         Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
1743         takes an `eventListenerId` and toggles whether that specific usage of that event listener
1744         should have a breakpoint and pause before running.
1745
1746 2018-08-20  Mark Lam  <mark.lam@apple.com>
1747
1748         Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
1749         https://bugs.webkit.org/show_bug.cgi?id=188769
1750
1751         Reviewed by Michael Saboff.
1752
1753         * llint/LowLevelInterpreter.asm:
1754         - Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
1755           so that libunwind doesn't get confused by the 2 labels pointing to the same
1756           code address.
1757
1758 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1759
1760         [GLIB] Add API to throw exceptions using printf formatted strings
1761         https://bugs.webkit.org/show_bug.cgi?id=188698
1762
1763         Reviewed by Michael Catanzaro.
1764
1765         Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
1766         JSCException using printf formatted string.
1767
1768         * API/glib/JSCContext.cpp:
1769         (jsc_context_throw_printf):
1770         (jsc_context_throw_with_name_printf):
1771         * API/glib/JSCContext.h:
1772         * API/glib/JSCException.cpp:
1773         (jsc_exception_new_printf):
1774         (jsc_exception_new_vprintf):
1775         (jsc_exception_new_with_name_printf):
1776         (jsc_exception_new_with_name_vprintf):
1777         * API/glib/JSCException.h:
1778         * API/glib/docs/jsc-glib-4.0-sections.txt:
1779
1780 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1781
1782         [GLIB] Complete the JSCException API
1783         https://bugs.webkit.org/show_bug.cgi?id=188695
1784
1785         Reviewed by Michael Catanzaro.
1786
1787         Add more API to JSCException:
1788          - New function to get the column number
1789          - New function to get the exception as a string (toString())
1790          - Add the possibility to create exceptions with a custom error name.
1791          - New function to get the exception error name
1792          - New function to get the exception backtrace.
1793          - New convenience function to report an exception by returning a formatted string with all the exception
1794            details, to be shown as a user error message.
1795
1796         * API/glib/JSCContext.cpp:
1797         (jsc_context_throw_with_name):
1798         * API/glib/JSCContext.h:
1799         * API/glib/JSCException.cpp:
1800         (jscExceptionEnsureProperties):
1801         (jsc_exception_new):
1802         (jsc_exception_new_with_name):
1803         (jsc_exception_get_name):
1804         (jsc_exception_get_column_number):
1805         (jsc_exception_get_back_trace_string):
1806         (jsc_exception_to_string):
1807         (jsc_exception_report):
1808         * API/glib/JSCException.h:
1809         * API/glib/docs/jsc-glib-4.0-sections.txt:
1810
1811 2018-08-19  Commit Queue  <commit-queue@webkit.org>
1812
1813         Unreviewed, rolling out r234852.
1814         https://bugs.webkit.org/show_bug.cgi?id=188736
1815
1816         Workaround is not correct (Requested by yusukesuzuki on
1817         #webkit).
1818
1819         Reverted changeset:
1820
1821         "[JSC] Should not rotate constant with 64"
1822         https://bugs.webkit.org/show_bug.cgi?id=188556
1823         https://trac.webkit.org/changeset/234852
1824
1825 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1826
1827         [WTF] Add WTF::unalignedLoad and WTF::unalignedStore
1828         https://bugs.webkit.org/show_bug.cgi?id=188716
1829
1830         Reviewed by Darin Adler.
1831
1832         Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
1833         The compiler can emit appropriate mov operations in x86 even if we use these
1834         helper functions.
1835
1836         * assembler/AssemblerBuffer.h:
1837         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
1838         (JSC::AssemblerBuffer::putIntegral):
1839         (JSC::AssemblerBuffer::putIntegralUnchecked):
1840         * assembler/MacroAssemblerX86.h:
1841         (JSC::MacroAssemblerX86::readCallTarget):
1842         * assembler/X86Assembler.h:
1843         (JSC::X86Assembler::linkJump):
1844         (JSC::X86Assembler::readPointer):
1845         (JSC::X86Assembler::replaceWithHlt):
1846         (JSC::X86Assembler::replaceWithJump):
1847         (JSC::X86Assembler::setPointer):
1848         (JSC::X86Assembler::setInt32):
1849         (JSC::X86Assembler::setInt8):
1850         * interpreter/InterpreterInlines.h:
1851         (JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
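        The pattern behind the helpers named in this entry, as an added example. These are constructed equivalents written for illustration, not WTF's own unalignedLoad/unalignedStore; the sample byte stream and the round-trip functions are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstring>
#include <type_traits>

// memcpy is the portable way to express an unaligned access: the compiler
// lowers it to a plain mov on x86, whereas *reinterpret_cast<T*>(p) on a
// misaligned address is undefined behaviour and is what UBSan's alignment
// check reports.
template<typename T>
inline T unalignedLoad(const void* pointer)
{
    static_assert(std::is_trivially_copyable<T>::value, "memcpy requires a trivially copyable type");
    T value;
    std::memcpy(&value, pointer, sizeof(T));
    return value;
}

template<typename T>
inline void unalignedStore(void* pointer, T value)
{
    static_assert(std::is_trivially_copyable<T>::value, "memcpy requires a trivially copyable type");
    std::memcpy(pointer, &value, sizeof(T));
}

// Constructed byte stream with a 32-bit value at offset 1, i.e. misaligned for
// uint32_t. Bytes 1..4 are identical so the expected value does not depend on
// host endianness.
static const uint8_t sampleStream[8] = { 0x00, 0xAB, 0xAB, 0xAB, 0xAB, 0x00, 0x00, 0x00 };

inline uint32_t loadMisalignedSample()
{
    return unalignedLoad<uint32_t>(sampleStream + 1);
}

// Round trip through a misaligned slot of a writable buffer.
inline uint64_t storeThenLoadMisaligned(uint64_t value)
{
    alignas(8) uint8_t buffer[16] = {};
    unalignedStore<uint64_t>(buffer + 3, value); // offset 3: misaligned for uint64_t
    return unalignedLoad<uint64_t>(buffer + 3);
}

// The store must touch exactly the 8 bytes of its slot: buffer[0..2] and
// buffer[11..15] stay zero.
inline bool storeStaysWithinSlot()
{
    alignas(8) uint8_t buffer[16] = {};
    unalignedStore<uint64_t>(buffer + 3, 0xFFFFFFFFFFFFFFFFULL);
    for (int i = 0; i < 16; ++i) {
        bool inSlot = i >= 3 && i < 11;
        if (buffer[i] != (inSlot ? 0xFF : 0x00))
            return false;
    }
    return true;
}
```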
1852
1853 2018-08-17  Saam barati  <sbarati@apple.com>
1854
1855         intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
1856         https://bugs.webkit.org/show_bug.cgi?id=188707
1857         <rdar://problem/43015442>
1858
1859         Reviewed by Mark Lam.
1860
1861         We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
1862         OSR enter at the head of a block. We verify it's safe to OSR enter by checking
1863         that each incoming value is compatible with its corresponding AbstractValue.
1864         
1865         The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
1866         with abstract values that were clobbered. This meant that the value we're
1867         verifying with at OSR entry effectively has an infinite structure set because
1868         it's clobbered. So, imagine we have code like this:
1869         ```
1870         ---> We OSR enter here, and we're clobbered here
1871         InvalidationPoint
1872         GetByOffset(@base)
1873         ```
1874         
1875         The abstract value for @base inside intersectionOfPastValuesAtHead has a
1876         clobbered structure set, so we'd allow an incoming object with any
1877         structure. However, this is wrong because the invalidation point is no
1878         longer fulfilling its promise that it filters the structure that @base has.
1879         
1880         We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
1881         as if the incoming value may be live past an InvalidationPoint.
1882         This places a stricter requirement that to safely OSR enter at any basic
1883         block, all incoming values must be compatible as if they lived past
1884         the execution of an invalidation point.
1885
1886         * dfg/DFGCFAPhase.cpp:
1887         (JSC::DFG::CFAPhase::run):
1888
1889 2018-08-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org> and Fujii Hironori  <Hironori.Fujii@sony.com>
1890
1891         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1892         https://bugs.webkit.org/show_bug.cgi?id=188589
1893
1894         Reviewed by Mark Lam.
1895         And reviewed by Yusuke Suzuki for Hironori's change.
1896
1897         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1898         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1899
1900         - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1901         - We make GPRReg and FPRReg int8_t enums.
1902         - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1903         - We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
1904           if `enum : int8_t` is used instead of `enum`.
1905
1906         * assembler/ARM64Assembler.h:
1907         * assembler/ARMAssembler.h:
1908         * assembler/ARMv7Assembler.h:
1909         * assembler/MIPSAssembler.h:
1910         * assembler/MacroAssembler.h:
1911         * assembler/X86Assembler.h:
1912         * jit/CCallHelpers.h:
1913         (JSC::CCallHelpers::clampArrayToSize):
1914         * jit/FPRInfo.h:
1915         * jit/GPRInfo.h:
1916         (JSC::JSValueRegs::JSValueRegs):
1917         (JSC::JSValueRegs::tagGPR const):
1918         (JSC::JSValueRegs::payloadGPR const):
1919         (JSC::JSValueSource::JSValueSource):
1920         (JSC::JSValueSource::unboxedCell):
1921         (JSC::JSValueSource::operator bool const):
1922         (JSC::JSValueSource::base const):
1923         (JSC::JSValueSource::tagGPR const):
1924         (JSC::JSValueSource::payloadGPR const):
1925         (JSC::JSValueSource::hasKnownTag const):
1926
1927 2018-08-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1928
1929         [JSC] alignas for RegisterState should respect alignof(RegisterState) too
1930         https://bugs.webkit.org/show_bug.cgi?id=188686
1931
1932         Reviewed by Saam Barati.
1933
1934         RegisterState would have a larger alignment than `alignof(void*)`. We use the larger alignment value
1935         for `alignof` for RegisterState.
1936
1937         * heap/RegisterState.h:
1938
1939 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1940
1941         [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
1942         https://bugs.webkit.org/show_bug.cgi?id=188571
1943
1944         Reviewed by Saam Barati.
1945
1946         UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
1947         allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
1948         without considering their alignment. This patch adds DisjunctionContext::allocationSize
1949         and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
1950         The size is always rounded to `sizeof(void*)` so that these classes are always allocated
1951         with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
1952         than or equal to `sizeof(void*)` by `static_assert`.
1953
1954         * yarr/YarrInterpreter.cpp:
1955         (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
1956         (JSC::Yarr::Interpreter::allocDisjunctionContext):
1957         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
1958         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
1959         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
1960         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
1961         (JSC::Yarr::Interpreter::Interpreter):
1962         (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
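
The rounding scheme described in the entry above, as an added example that is not YarrInterpreter's or BumpPointerAllocator's code. BumpArena, Context and allocationSize are hypothetical stand-ins for the real classes; the only facts taken from the entry are that allocation sizes are rounded up to sizeof(void*) and that a static_assert bounds the types' alignment by sizeof(void*).

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration, not JSC's code. BumpArena, Context and allocationSize
// are hypothetical names standing in for BumpPointerAllocator and the
// DisjunctionContext classes named in the ChangeLog entry.

// Rounds a byte count up to the next multiple of sizeof(void*). The mask form
// is valid because sizeof(void*) is a power of two on every supported target.
constexpr size_t roundUpToPointerSize(size_t size)
{
    return (size + sizeof(void*) - 1) & ~(sizeof(void*) - 1);
}

// A variable-length record of the kind a bump allocator hands out: a small
// header followed by `frameCount` pointer-sized slots allocated inline.
struct Context {
    uint32_t matchBegin;
    uint32_t matchEnd;
    uintptr_t frame[1];   // really frameCount entries; see allocationSize()

    // The last slot is already counted by sizeof(Context), hence frameCount - 1.
    static constexpr size_t allocationSize(size_t frameCount)
    {
        return roundUpToPointerSize(sizeof(Context) + (frameCount ? frameCount - 1 : 0) * sizeof(uintptr_t));
    }
};

// The guarantee the entry mentions: rounding sizes to sizeof(void*) only yields
// correctly aligned objects if no object needs more than pointer alignment.
static_assert(alignof(Context) <= sizeof(void*), "Context must not need more than pointer alignment");

// A bump-pointer arena. With roundSizes == true every allocation is padded to
// a multiple of sizeof(void*), so the *next* object starts pointer aligned.
// With roundSizes == false it reproduces the misalignment UBSan reported: a
// 13-byte request leaves the following object at base + 13.
class BumpArena {
public:
    BumpArena(size_t capacity, bool roundSizes)
        : m_storage(capacity), m_offset(0), m_roundSizes(roundSizes) { }

    void* alloc(size_t size)
    {
        size_t bytes = m_roundSizes ? roundUpToPointerSize(size) : size;
        if (m_offset + bytes > m_storage.size())
            return nullptr;
        void* result = m_storage.data() + m_offset;
        m_offset += bytes;
        return result;
    }

    size_t bytesUsed() const { return m_offset; }

private:
    // operator new aligns the vector's buffer to at least alignof(max_align_t),
    // so the arena base is pointer aligned; the rounding keeps later
    // allocations that way.
    std::vector<uint8_t> m_storage;
    size_t m_offset;
    bool m_roundSizes;
};

// Returns true if a Context placed after an odd-sized allocation still lands
// on an address that satisfies alignof(Context).
inline bool contextStaysAligned(bool roundSizes)
{
    BumpArena arena(256, roundSizes);
    arena.alloc(13);                                   // odd-sized neighbour
    void* context = arena.alloc(Context::allocationSize(3));
    return context && reinterpret_cast<uintptr_t>(context) % alignof(Context) == 0;
}
```

contextStaysAligned(false) is the shape of the misaligned access UBSan flagged (an odd-sized object followed by a pointer-aligned one); contextStaysAligned(true) shows that rounding every request, not just the Context's own, is what keeps the arena aligned.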
1963
1964 2018-08-15  Keith Miller  <keith_miller@apple.com>
1965
1966         Remove evernote hacks
1967         https://bugs.webkit.org/show_bug.cgi?id=188591
1968
1969         Reviewed by Joseph Pecoraro.
1970
1971         The hack was added in 2012 and the evernote app seems to work now.
1972         It's probably not needed anymore.
1973
1974         * API/JSValueRef.cpp:
1975         (JSValueUnprotect):
1976         (evernoteHackNeeded): Deleted.
1977
1978 2018-08-14  Fujii Hironori  <Hironori.Fujii@sony.com>
1979
1980         Unreviewed, rolling out r234874 and r234876.
1981
1982         WinCairo port can't compile
1983
1984         Reverted changesets:
1985
1986         "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
1987         https://bugs.webkit.org/show_bug.cgi?id=188589
1988         https://trac.webkit.org/changeset/234874
1989
1990         "Unreviewed, attempt to fix CLoop build"
1991         https://bugs.webkit.org/show_bug.cgi?id=188589
1992         https://trac.webkit.org/changeset/234876
1993
1994 2018-08-14  Saam barati  <sbarati@apple.com>
1995
1996         HashMap<Ref<P>, V> asserts when V is not zero for its empty value
1997         https://bugs.webkit.org/show_bug.cgi?id=188582
1998
1999         Reviewed by Sam Weinig.
2000
2001         * runtime/SparseArrayValueMap.h:
2002
2003 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2004
2005         Unreviewed, attempt to fix CLoop build
2006         https://bugs.webkit.org/show_bug.cgi?id=188589
2007
2008         * assembler/MacroAssembler.h:
2009
2010 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2011
2012         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
2013         https://bugs.webkit.org/show_bug.cgi?id=188589
2014
2015         Reviewed by Mark Lam.
2016
2017         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
2018         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
2019
2020         1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
2021         2. We make GPRReg and FPRReg int8_t enums.
2022         3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
2023
2024         * assembler/ARM64Assembler.h:
2025         * assembler/ARMAssembler.h:
2026         * assembler/ARMv7Assembler.h:
2027         * assembler/MIPSAssembler.h:
2028         * assembler/X86Assembler.h:
2029         * jit/FPRInfo.h:
2030         * jit/GPRInfo.h:
2031         (JSC::JSValueRegs::JSValueRegs):
2032         (JSC::JSValueRegs::tagGPR const):
2033         (JSC::JSValueRegs::payloadGPR const):
2034         (JSC::JSValueSource::JSValueSource):
2035         (JSC::JSValueSource::unboxedCell):
2036         (JSC::JSValueSource::operator bool const):
2037         (JSC::JSValueSource::base const):
2038         (JSC::JSValueSource::tagGPR const):
2039         (JSC::JSValueSource::payloadGPR const):
2040         (JSC::JSValueSource::hasKnownTag const):
2041
2042 2018-08-14  Keith Miller  <keith_miller@apple.com>
2043
2044         Add missing availability macro.
2045         https://bugs.webkit.org/show_bug.cgi?id=188563
2046
2047         Reviewed by Mark Lam.
2048
2049         * API/JSValueRef.h:
2050
2051 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2052
2053         [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
2054         https://bugs.webkit.org/show_bug.cgi?id=188560
2055
2056         Reviewed by Keith Miller.
2057
2058         While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
2059         it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
2060         uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
2061         `m_wasSeenInJIT { false }`.
2062
2063         * bytecode/GetByIdStatus.h:
2064
2065 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2066
2067         [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
2068         https://bugs.webkit.org/show_bug.cgi?id=188557
2069
2070         Reviewed by Mark Lam.
2071
2072         DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
2073         processing for ArithRound etc.'s invariants requires loading `m_pass`. This issue is found
2074         in UBSan's result.
2075
2076         * dfg/DFGPredictionPropagationPhase.cpp:
2077
2078 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2079
2080         [JSC] Should not rotate constant with 64
2081         https://bugs.webkit.org/show_bug.cgi?id=188556
2082
2083         Reviewed by Mark Lam.
2084
2085         To defend against JIT splaying, we rotate a constant with a randomly generated seed.
2086         But if a seed becomes 64, the following code performs `value << 64` where value's type
2087         is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed in the
2088         range [0, 64) so as not to generate code causing UBs. This is found by UBSan.
2089
2090         * assembler/MacroAssembler.h:
2091         (JSC::MacroAssembler::generateRotationSeed):
2092         (JSC::MacroAssembler::rotationBlindConstant):
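
The seed-range constraint described in the entry above, as an added example that is not JSC's MacroAssembler code. generateRotationSeed, rotationBlind and rotationUnblind are hypothetical names standing in for the real helpers; what the example shows is that both the seed range and the complementary shift inside the rotate have to stay within [0, 64), since a shift count of 64 on a uint64_t is undefined whichever side it comes from.

```cpp
#include <cstdint>
#include <random>

// Added illustration, not JSC's implementation. generateRotationSeed,
// rotationBlind and rotationUnblind are hypothetical stand-ins.

// Rotate helpers that are well-defined for every count in [0, 64).
// Masking the complementary shift with 63 matters as much as bounding the
// seed: with seed == 0 the naive `value >> (64 - seed)` is `value >> 64`,
// undefined for a 64-bit type just like the `value << 64` in the entry.
inline uint64_t rotateLeft64(uint64_t value, unsigned seed)
{
    seed &= 63;
    return (value << seed) | (value >> ((64 - seed) & 63));
}

inline uint64_t rotateRight64(uint64_t value, unsigned seed)
{
    seed &= 63;
    return (value >> seed) | (value << ((64 - seed) & 63));
}

// Draws a seed strictly inside [0, 64). uniform_int_distribution's bounds are
// inclusive, so the upper bound must be 63; a bound of 64 reproduces the bug
// the entry describes, eventually handing a shift count of 64 to the rotate.
inline unsigned generateRotationSeed(std::mt19937_64& rng)
{
    std::uniform_int_distribution<unsigned> dist(0, 63);
    return dist(rng);
}

// Blinded form of a constant: generated code embeds the rotated value and the
// seed and restores the original at run time, so the immediate that script
// controls never appears verbatim in the instruction stream.
struct BlindedConstant {
    uint64_t rotatedValue;
    unsigned seed;
};

inline BlindedConstant rotationBlind(uint64_t value, std::mt19937_64& rng)
{
    unsigned seed = generateRotationSeed(rng);
    return { rotateRight64(value, seed), seed };
}

inline uint64_t rotationUnblind(const BlindedConstant& blinded)
{
    return rotateLeft64(blinded.rotatedValue, blinded.seed);
}

// Checks that blinding round-trips for every seed in the allowed range, which
// exercises both edge cases (0 and 63) deterministically.
inline bool roundTripsForAllSeeds(uint64_t value)
{
    for (unsigned seed = 0; seed < 64; ++seed) {
        if (rotateLeft64(rotateRight64(value, seed), seed) != value)
            return false;
    }
    return true;
}
```

Running the blinding under UBSan with roundTripsForAllSeeds is the cheap regression check for this class of bug: any shift count of 64 that slips through, from the seed or from the `64 - seed` term, is reported immediately.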
2093
2094 2018-08-12  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2095
2096         Disable JIT on IA-32 without SSE2
2097         https://bugs.webkit.org/show_bug.cgi?id=188476
2098
2099         Reviewed by Michael Catanzaro.
2100
2101         Including the missing header (MacroAssembler.h) in the case of operating
2102         systems other than Windows too.
2103
2104         * runtime/Options.cpp:
2105
2106 2018-08-11  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2107
2108         Disable JIT on IA-32 without SSE2
2109         https://bugs.webkit.org/show_bug.cgi?id=188476
2110
2111         Reviewed by Yusuke Suzuki.
2112
2113         On IA-32 CPUs without SSE2 most of the webpages cannot load
2114         if the JIT is turned on.
2115
2116         * runtime/Options.cpp:
2117         (JSC::recomputeDependentOptions):
2118
2119 2018-08-10  Joseph Pecoraro  <pecoraro@apple.com>
2120
2121         Web Inspector: console.log fires getters for deep properties
2122         https://bugs.webkit.org/show_bug.cgi?id=187542
2123         <rdar://problem/42873158>
2124
2125         Reviewed by Saam Barati.
2126
2127         * inspector/InjectedScriptSource.js:
2128         (RemoteObject.prototype._isPreviewableObject):
2129         Avoid getters/setters when checking for simple properties to preview.
2130         Here we avoid invoking `object[property]` if it could be a user getter.
2131
2132 2018-08-10  Keith Miller  <keith_miller@apple.com>
2133
2134         Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
2135         https://bugs.webkit.org/show_bug.cgi?id=185127
2136
2137         Reviewed by Saam Barati.
2138
2139         Previously, we would truncate the indices passed to slice to an
2140         int. This meant that the value was not getting properly clamped
2141         later.
2142
2143         This patch also removes a non-spec compliant check that slice was
2144         passed at least one argument.
2145
2146         * runtime/ArrayBuffer.cpp:
2147         (JSC::ArrayBuffer::clampValue):
2148         (JSC::ArrayBuffer::clampIndex const):
2149         (JSC::ArrayBuffer::slice const):
2150         * runtime/ArrayBuffer.h:
2151         (JSC::ArrayBuffer::clampValue): Deleted.
2152         (JSC::ArrayBuffer::clampIndex const): Deleted.
2153         * runtime/JSArrayBufferPrototype.cpp:
2154         (JSC::arrayBufferProtoFuncSlice):
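
The index handling the entry above describes, as an added example that is not JSC's ArrayBuffer code. toIntegerOrInfinity, clampIndex and sliceByteLength are hypothetical names; the argument handling follows the ECMAScript ArrayBuffer.prototype.slice steps (relative indices resolved against the length, then clamped to [0, length]) rather than any particular engine. The point it demonstrates is that the index must stay a double until after clamping: converting to int first is exactly what loses values outside the int range.

```cpp
#include <cmath>
#include <cstddef>

// Added illustration, not JSC's code. toIntegerOrInfinity, clampIndex and
// sliceByteLength are hypothetical names.

// NaN becomes 0, fractions truncate toward zero, and the infinities survive
// so they clamp to the ends of the buffer instead of being folded into an int.
inline double toIntegerOrInfinity(double value)
{
    if (std::isnan(value))
        return 0;
    if (std::isinf(value))
        return value;
    return std::trunc(value);
}

// Resolves one relative index against the buffer length. Everything happens in
// double: converting to int first is the defect the entry describes, because a
// value such as 2^32 + 5 or 1e10 is outside int range and that conversion is
// undefined behaviour rather than a clamp.
inline size_t clampIndex(double relative, size_t length)
{
    double index = toIntegerOrInfinity(relative);
    double len = static_cast<double>(length);
    if (index < 0) {
        double fromEnd = len + index;          // -Infinity stays negative here
        return fromEnd < 0 ? 0 : static_cast<size_t>(fromEnd);
    }
    return index > len ? length : static_cast<size_t>(index);
}

// Byte length of slice(start, end) on a buffer of `length` bytes.
inline size_t sliceByteLength(size_t length, double start, double end)
{
    size_t first = clampIndex(start, length);
    size_t last = clampIndex(end, length);
    return last > first ? last - first : 0;
}

// `end` omitted: it defaults to the buffer length.
inline size_t sliceByteLength(size_t length, double start)
{
    return sliceByteLength(length, start, static_cast<double>(length));
}

// No arguments at all: `start` is undefined, which ToIntegerOrInfinity maps to
// NaN and then 0, so the whole buffer is copied. This is the case the removed
// "at least one argument" check used to reject.
inline size_t sliceByteLength(size_t length)
{
    return sliceByteLength(length, NAN);
}
```

The interesting inputs are the ones a 32-bit truncation mishandles: an end of 2^32 + 5 on a 10-byte buffer must clamp to 10, and 1e10 must not turn into a garbage int that later clamps to zero.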
2155
2156 2018-08-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2157
2158         Date.UTC should not return NaN with only Year param
2159         https://bugs.webkit.org/show_bug.cgi?id=188378
2160
2161         Reviewed by Keith Miller.
2162
2163         Date.UTC requires one argument for |year|, but the other ones are optional.
2164         This patch fixes this handling.
2165
2166         * runtime/DateConstructor.cpp:
2167         (JSC::millisecondsFromComponents):
2168
2169 2018-08-08  Keith Miller  <keith_miller@apple.com>
2170
2171         Array.prototype.sort should call @toLength instead of ">>> 0"
2172         https://bugs.webkit.org/show_bug.cgi?id=188430
2173
2174         Reviewed by Saam Barati.
2175
2176         Also add a new function to $vm that will fetch a private
2177         property. This can be useful for running builtin helper functions.
2178
2179         * builtins/ArrayPrototype.js:
2180         (sort):
2181         * tools/JSDollarVM.cpp:
2182         (JSC::functionGetPrivateProperty):
2183         (JSC::JSDollarVM::finishCreation):
2184
2185 2018-08-08  Keith Miller  <keith_miller@apple.com>
2186
2187         Array.prototype.sort should throw TypeError if param is a not callable object
2188         https://bugs.webkit.org/show_bug.cgi?id=188382
2189
2190         Reviewed by Saam Barati.
2191
2192         Improve spec compatibility by checking if the Array.prototype.sort comparator is a function
2193         before doing anything else.
2194
2195         Also, refactor the various helper functions to use let instead of var.
2196
2197         * builtins/ArrayPrototype.js:
2198         (sort.stringComparator):
2199         (sort.compactSparse):
2200         (sort.compactSlow):
2201         (sort.compact):
2202         (sort.merge):
2203         (sort.mergeSort):
2204         (sort.bucketSort):
2205         (sort.comparatorSort):
2206         (sort.stringSort):
2207         (sort):
2208
2209 2018-08-08  Michael Saboff  <msaboff@apple.com>
2210
2211         Yarr JIT should include annotations with dumpDisassembly=true
2212         https://bugs.webkit.org/show_bug.cgi?id=188415
2213
2214         Reviewed by Yusuke Suzuki.
2215
2216         Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
2217         Given that the Yarr creates matching code by going through the YarrPattern ops forward and
2218         then the backtracking code through the YarrPattern ops in reverse order, the disassembler
2219         needs to do the same thing.
2220
2221         Restructured some of the logging code in YarrPattern to eliminate redundant code and factor
2222         out simple methods for what was needed by the YarrDisassembler.
2223
2224         Here is an abbreviated sample output after this change.
2225
2226         Generated JIT code for 8-bit regular expression /ab*c/:
2227             Code at [0x469561c03720, 0x469561c03840):
2228                 0x469561c03720: push %rbp
2229                 0x469561c03721: mov %rsp, %rbp
2230                 ...
2231                 0x469561c03762: sub $0x40, %rsp
2232              == Matching ==
2233            0:OpBodyAlternativeBegin minimum size 2
2234                 0x469561c03766: add $0x2, %esi
2235                 0x469561c03769: cmp %edx, %esi
2236                 0x469561c0376b: ja 0x469561c037fa
2237            1:OpTerm TypePatternCharacter 'a'
2238                 0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
2239                 0x469561c03776: cmp $0x61, %eax
2240                 0x469561c03779: jnz 0x469561c037e9
2241            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
2242                 0x469561c0377f: xor %r9d, %r9d
2243                 0x469561c03782: cmp %edx, %esi
2244                 0x469561c03784: jz 0x469561c037a2
2245                 ...
2246                 0x469561c0379d: jmp 0x469561c03782
2247                 0x469561c037a2: mov %r9, 0x8(%rsp)
2248            3:OpTerm TypePatternCharacter 'c'
2249                 0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
2250                 0x469561c037ac: cmp $0x63, %eax
2251                 0x469561c037af: jnz 0x469561c037d1
2252            4:OpBodyAlternativeEnd
2253                 0x469561c037b5: add $0x40, %rsp
2254                 ...
2255                 0x469561c037cf: pop %rbp
2256                 0x469561c037d0: ret
2257              == Backtracking ==
2258            4:OpBodyAlternativeEnd
2259            3:OpTerm TypePatternCharacter 'c'
2260            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
2261                 0x469561c037d1: mov 0x8(%rsp), %r9
2262                 ...
2263                 0x469561c037e4: jmp 0x469561c037a2
2264            1:OpTerm TypePatternCharacter 'a'
2265            0:OpBodyAlternativeBegin minimum size 2
2266                 0x469561c037e9: mov %rsi, %rax
2267                 ...
2268                 0x469561c0382f: pop %rbp
2269                 0x469561c03830: ret
2270
2271         * JavaScriptCore.xcodeproj/project.pbxproj:
2272         * Sources.txt:
2273         * runtime/RegExp.cpp:
2274         (JSC::RegExp::compile):
2275         (JSC::RegExp::compileMatchOnly):
2276         * yarr/YarrDisassembler.cpp: Added.
2277         (JSC::Yarr::YarrDisassembler::indentString):
2278         (JSC::Yarr::YarrDisassembler::YarrDisassembler):
2279         (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
2280         (JSC::Yarr::YarrDisassembler::dump):
2281         (JSC::Yarr::YarrDisassembler::dumpHeader):
2282         (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
2283         (JSC::Yarr::YarrDisassembler::dumpForInstructions):
2284         (JSC::Yarr::YarrDisassembler::dumpDisassembly):
2285         * yarr/YarrDisassembler.h: Added.
2286         (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
2287         (JSC::Yarr::YarrDisassembler::setStartOfCode):
2288         (JSC::Yarr::YarrDisassembler::setForGenerate):
2289         (JSC::Yarr::YarrDisassembler::setForBacktrack):
2290         (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
2291         (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
2292         (JSC::Yarr::YarrDisassembler::setEndOfCode):
2293         (JSC::Yarr::YarrDisassembler::indentString):
2294         * yarr/YarrJIT.cpp:
2295         (JSC::Yarr::YarrGenerator::generate):
2296         (JSC::Yarr::YarrGenerator::backtrack):
2297         (JSC::Yarr::YarrGenerator::YarrGenerator):
2298         (JSC::Yarr::YarrGenerator::compile):
2299         (JSC::Yarr::jitCompile):
2300         * yarr/YarrJIT.h:
2301         * yarr/YarrPattern.cpp:
2302         (JSC::Yarr::dumpCharacterClass):
2303         (JSC::Yarr::PatternTerm::dump):
2304         (JSC::Yarr::YarrPattern::dumpPatternString):
2305         (JSC::Yarr::YarrPattern::dumpPattern):
2306         * yarr/YarrPattern.h:
2307
2308 2018-08-05  Darin Adler  <darin@apple.com>
2309
2310         [Cocoa] More tweaks and refactoring to prepare for ARC
2311         https://bugs.webkit.org/show_bug.cgi?id=188245
2312
2313         Reviewed by Dan Bernstein.
2314
2315         * API/JSValue.mm: Use __unsafe_unretained.
2316         (JSContainerConvertor::convert): Use auto for compatibility with the above.
2317         * API/JSWrapperMap.mm:
2318         (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
2319         (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.
2320
2321         * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.
2322
2323 2018-08-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2324
2325         Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
2326         https://bugs.webkit.org/show_bug.cgi?id=188328
2327
2328         Reviewed by Saam Barati.
2329
2330         Shrinking the size of PropertyCondition can improve memory consumption by a lot.
2331         For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
2332         and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
2333         as a member field.
2334
2335         This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
2336         PropertyCondition::Kind into uint64_t data on 64-bit architectures. Since our addresses
2337         are within 48 bits, we can put PropertyCondition::Kind in these unused bits.
2338         To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
2339         folds a pointer and a 1-byte type into 64-bit data.
2340
2341         This change shrinks PropertyCondition from 24 bytes to 16 bytes.
2342
2343         * bytecode/PropertyCondition.cpp:
2344         (JSC::PropertyCondition::dumpInContext const):
2345         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2346         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
2347         (JSC::PropertyCondition::isStillValid const):
2348         (JSC::PropertyCondition::isWatchableWhenValid const):
2349         * bytecode/PropertyCondition.h:
2350         (JSC::PropertyCondition::PropertyCondition):
2351         (JSC::PropertyCondition::presenceWithoutBarrier):
2352         (JSC::PropertyCondition::absenceWithoutBarrier):
2353         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
2354         (JSC::PropertyCondition::equivalenceWithoutBarrier):
2355         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
2356         (JSC::PropertyCondition::operator bool const):
2357         (JSC::PropertyCondition::kind const):
2358         (JSC::PropertyCondition::uid const):
2359         (JSC::PropertyCondition::hasOffset const):
2360         (JSC::PropertyCondition::hasAttributes const):
2361         (JSC::PropertyCondition::hasPrototype const):
2362         (JSC::PropertyCondition::hasRequiredValue const):
2363         (JSC::PropertyCondition::hash const):
2364         (JSC::PropertyCondition::operator== const):
2365         (JSC::PropertyCondition::isHashTableDeletedValue const):
2366         (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
2367
2368 2018-08-07  Mark Lam  <mark.lam@apple.com>
2369
2370         Use a more specific PtrTag for PlatformRegisters PC and LR.
2371         https://bugs.webkit.org/show_bug.cgi?id=188366
2372         <rdar://problem/42984123>
2373
2374         Reviewed by Keith Miller.
2375
2376         Also fixed a bug in linkRegister(), which was previously returning the PC instead
2377         of LR.  It now returns LR.
2378
2379         * runtime/JSCPtrTag.h:
2380         * runtime/MachineContext.h:
2381         (JSC::MachineContext::instructionPointer):
2382         (JSC::MachineContext::linkRegister):
2383         * runtime/VMTraps.cpp:
2384         (JSC::SignalContext::SignalContext):
2385         * tools/SigillCrashAnalyzer.cpp:
2386         (JSC::SignalContext::SignalContext):
2387
2388 2018-08-07  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2389
2390         Hardcoded LFENCE instruction
2391         https://bugs.webkit.org/show_bug.cgi?id=188145
2392
2393         Reviewed by Filip Pizlo.
2394
2395         Remove the lfence instruction because it crashes systems without SSE2 and
2396         this is not how WebKit mitigates Spectre.
2397
2398         * runtime/JSLock.cpp:
2399         (JSC::JSLock::didAcquireLock):
2400         (JSC::JSLock::willReleaseLock):
2401
2402 2018-08-04  David Kilzer  <ddkilzer@apple.com>
2403
2404         REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
2405         <https://webkit.org/b/188331>
2406
2407         Reviewed by Yusuke Suzuki.
2408
2409         * runtime/TemplateObjectDescriptor.h:
2410         (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
2411         Use `m_rawstrings` instead of `rawStrings` to calculate hash.
2412
2413 2018-08-03  Saam Barati  <sbarati@apple.com>
2414
2415         Give the `jsc` shell the JIT entitlement
2416         https://bugs.webkit.org/show_bug.cgi?id=188324
2417         <rdar://problem/42885806>
2418
2419         Reviewed by Dan Bernstein.
2420
2421         This should help us in ensuring the system jsc is able to JIT.
2422
2423         * Configurations/JSC.xcconfig:
2424         * JavaScriptCore.xcodeproj/project.pbxproj:
2425         * allow-jit-macOS.entitlements: Added.
2426
2427 2018-08-03  Alex Christensen  <achristensen@webkit.org>
2428
2429         Fix spelling of "overridden"
2430         https://bugs.webkit.org/show_bug.cgi?id=188315
2431
2432         Reviewed by Darin Adler.
2433
2434         * API/JSExport.h:
2435         * inspector/InjectedScriptSource.js:
2436
2437 2018-08-02  Saam Barati  <sbarati@apple.com>
2438
2439         Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
2440         https://bugs.webkit.org/show_bug.cgi?id=188271
2441         <rdar://problem/42850884>
2442
2443         Reviewed by Michael Saboff.
2444
2445         This patch defends against the instructionPointer containing garbage bits.
2446         See radar for details.
2447
2448         * runtime/MachineContext.h:
2449         (JSC::MachineContext::instructionPointer):
2450         * runtime/SamplingProfiler.cpp:
2451         (JSC::SamplingProfiler::takeSample):
2452         * runtime/VMTraps.cpp:
2453         (JSC::SignalContext::SignalContext):
2454         (JSC::SignalContext::tryCreate):
2455         * tools/CodeProfiling.cpp:
2456         (JSC::profilingTimer):
2457         * tools/SigillCrashAnalyzer.cpp:
2458         (JSC::SignalContext::SignalContext):
2459         (JSC::SignalContext::tryCreate):
2460         (JSC::SignalContext::dump):
2461         (JSC::installCrashHandler):
2462         * wasm/WasmFaultSignalHandler.cpp:
2463         (JSC::Wasm::trapHandler):
2464
2465 2018-08-02  David Fenton  <david_fenton@apple.com>
2466
2467         Unreviewed, rolling out r234489.
2468
2469         Caused 50+ crashes and 60+ API failures on iOS
2470
2471         Reverted changeset:
2472
2473         "[WTF] Rename String::format to String::deprecatedFormat"
2474         https://bugs.webkit.org/show_bug.cgi?id=188191
2475         https://trac.webkit.org/changeset/234489
2476
2477 2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2478
2479         Add self.queueMicrotask(f) on DOMWindow
2480         https://bugs.webkit.org/show_bug.cgi?id=188212
2481
2482         Reviewed by Ryosuke Niwa.
2483
2484         * CMakeLists.txt:
2485         * JavaScriptCore.xcodeproj/project.pbxproj:
2486         * Sources.txt:
2487         * runtime/JSGlobalObject.cpp:
2488         (JSC::enqueueJob):
2489         * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
2490         (JSC::createJSMicrotask):
2491         Export them to WebCore.
2492
2493         (JSC::JSMicrotask::run):
2494         * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
2495         Add another version of JSMicrotask which does not have arguments.
2496
2497 2018-08-01  Tomas Popela  <tpopela@redhat.com>
2498
2499         [WTF] Rename String::format to String::deprecatedFormat
2500         https://bugs.webkit.org/show_bug.cgi?id=188191
2501
2502         Reviewed by Darin Adler.
2503
2504         It should be replaced with string concatenation.
2505
2506         * bytecode/CodeBlock.cpp:
2507         (JSC::CodeBlock::nameForRegister):
2508         * inspector/InjectedScriptBase.cpp:
2509         (Inspector::InjectedScriptBase::makeCall):
2510         * inspector/InspectorBackendDispatcher.cpp:
2511         (Inspector::BackendDispatcher::getPropertyValue):
2512         * inspector/agents/InspectorConsoleAgent.cpp:
2513         (Inspector::InspectorConsoleAgent::enable):
2514         (Inspector::InspectorConsoleAgent::stopTiming):
2515         * jsc.cpp:
2516         (FunctionJSCStackFunctor::operator() const):
2517         * parser/Lexer.cpp:
2518         (JSC::Lexer<T>::invalidCharacterMessage const):
2519         * runtime/IntlDateTimeFormat.cpp:
2520         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2521         * runtime/IntlObject.cpp:
2522         (JSC::canonicalizeLocaleList):
2523         * runtime/LiteralParser.cpp:
2524         (JSC::LiteralParser<CharType>::Lexer::lex):
2525         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2526         (JSC::LiteralParser<CharType>::parse):
2527         * runtime/LiteralParser.h:
2528         (JSC::LiteralParser::getErrorMessage):
2529
2530 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2531
2532         [INTL] Allow "unknown" formatToParts types
2533         https://bugs.webkit.org/show_bug.cgi?id=188176
2534
2535         Reviewed by Darin Adler.
2536
2537         Originally extra unexpected field types were marked as "literal", since
2538         the spec did not account for these. The ECMA 402 spec has since been updated
2539         to specify "unknown" should be used in these cases.
2540
2541         Currently there is no known way to reach these cases, so no tests can
2542         account for them. Theoretically they shouldn't exist, but they are specified,
2543         just to be safe. Marking them as "unknown" instead of "literal" hopefully
2544         will make such cases easy to identify if they ever happen.
2545
2546         * runtime/IntlDateTimeFormat.cpp:
2547         (JSC::IntlDateTimeFormat::partTypeString):
2548         * runtime/IntlNumberFormat.cpp:
2549         (JSC::IntlNumberFormat::partTypeString):
2550
2551 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2552
2553         [INTL] Implement hourCycle in DateTimeFormat
2554         https://bugs.webkit.org/show_bug.cgi?id=188006
2555
2556         Reviewed by Darin Adler.
2557
2558         Implemented hourCycle, updating both the skeleton and the final pattern.
2559         Changed resolveLocale to assume undefined options are not given and null
2560         strings actually mean null, which removes the tag extension.
2561
2562         * runtime/CommonIdentifiers.h:
2563         * runtime/IntlCollator.cpp:
2564         (JSC::IntlCollator::initializeCollator):
2565         * runtime/IntlDateTimeFormat.cpp:
2566         (JSC::IntlDTFInternal::localeData):
2567         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2568         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2569         (JSC::IntlDateTimeFormat::resolvedOptions):
2570         * runtime/IntlDateTimeFormat.h:
2571         * runtime/IntlObject.cpp:
2572         (JSC::resolveLocale):
2573
2574 2018-08-01  Keith Miller  <keith_miller@apple.com>
2575
2576         JSArrayBuffer should have its own JSType
2577         https://bugs.webkit.org/show_bug.cgi?id=188231
2578
2579         Reviewed by Saam Barati.
2580
2581         * runtime/JSArrayBuffer.cpp:
2582         (JSC::JSArrayBuffer::createStructure):
2583         * runtime/JSCast.h:
2584         * runtime/JSType.h:
2585
2586 2018-07-31  Keith Miller  <keith_miller@apple.com>
2587
2588         Unreviewed 32-bit build fix...
2589
2590         * dfg/DFGSpeculativeJIT32_64.cpp:
2591
2592 2018-07-31  Keith Miller  <keith_miller@apple.com>
2593
2594         Long compiling JSC files should not be unified
2595         https://bugs.webkit.org/show_bug.cgi?id=188205
2596
2597         Reviewed by Saam Barati.
2598
2599         The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
2600         to compile. Unifying them means touching anything in the same
2601         bundle as those files takes a long time to incrementally build.
2602         This patch separates those files so they build standalone.
2603
2604         * JavaScriptCore.xcodeproj/project.pbxproj:
2605         * Sources.txt:
2606         * dfg/DFGSpeculativeJIT64.cpp:
2607
2608 2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2609
2610         [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
2611         https://bugs.webkit.org/show_bug.cgi?id=188201
2612
2613         Reviewed by Keith Miller.
2614
2615         We do not reuse the existing butterfly with Contiguous shape for new ArrayStorage butterfly.
2616         When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
2617         new one. So this cellLock() is unnecessary for contiguous shape since contiguous shaped butterfly
2618         never becomes broken state. This patch removes unnecessary locking.
2619
2620         * runtime/JSObject.cpp:
2621         (JSC::JSObject::visitButterflyImpl):
2622
2623 2018-07-31  Guillaume Emont  <guijemont@igalia.com>
2624
2625         [JSC] Remove gcc warnings for 32-bit platforms
2626         https://bugs.webkit.org/show_bug.cgi?id=187803
2627
2628         Reviewed by Yusuke Suzuki.
2629
2630         * assembler/MacroAssemblerPrinter.cpp:
2631         (JSC::Printer::printPCRegister):
2632         (JSC::Printer::printRegisterID):
2633         (JSC::Printer::printAddress):
2634         * dfg/DFGSpeculativeJIT.cpp:
2635         (JSC::DFG::SpeculativeJIT::speculateNumber):
2636         (JSC::DFG::SpeculativeJIT::speculateMisc):
2637         * jit/CCallHelpers.h:
2638         (JSC::CCallHelpers::calculatePokeOffset):
2639         * runtime/Options.cpp:
2640         (JSC::parse):
2641
2642 2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>
2643
2644         watchOS engineering build is broken after r234227
2645         https://bugs.webkit.org/show_bug.cgi?id=188180
2646
2647         Reviewed by Keith Miller.
2648
2649         In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
2650         postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
2651         `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
2652         `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
2653
2654         To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
2655         entirely, since there's no relevant version to replace them with.
2656
2657         * postprocess-headers.sh:
2658
2659 2018-07-30  Keith Miller  <keith_miller@apple.com>
2660
2661         Clarify conversion rules for JSValue property access API
2662         https://bugs.webkit.org/show_bug.cgi?id=188179
2663
2664         Reviewed by Geoffrey Garen.
2665
2666         * API/JSValue.h:
2667
2668 2018-07-30  Keith Miller  <keith_miller@apple.com>
2669
2670         Rename some JSC API functions/types.
2671         https://bugs.webkit.org/show_bug.cgi?id=188173
2672
2673         Reviewed by Saam Barati.
2674
2675         * API/JSObjectRef.cpp:
2676         (JSObjectHasPropertyForKey):
2677         (JSObjectGetPropertyForKey):
2678         (JSObjectSetPropertyForKey):
2679         (JSObjectDeletePropertyForKey):
2680         (JSObjectHasPropertyKey): Deleted.
2681         (JSObjectGetPropertyKey): Deleted.
2682         (JSObjectSetPropertyKey): Deleted.
2683         (JSObjectDeletePropertyKey): Deleted.
2684         * API/JSObjectRef.h:
2685         * API/JSValue.h:
2686         * API/JSValue.mm:
2687         (-[JSValue valueForProperty:]):
2688         (-[JSValue setValue:forProperty:]):
2689         (-[JSValue deleteProperty:]):
2690         (-[JSValue hasProperty:]):
2691         (-[JSValue defineProperty:descriptor:]):
2692         * API/tests/testapi.cpp:
2693         (TestAPI::run):
2694
2695 2018-07-30  Mark Lam  <mark.lam@apple.com>
2696
2697         Add a debugging utility to dump the memory layout of a JSCell.
2698         https://bugs.webkit.org/show_bug.cgi?id=188157
2699
2700         Reviewed by Yusuke Suzuki.
2701
2702         This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
2703         dump the memory contents of a cell and, if present, its butterfly, for debugging
2704         purposes.
2705
2706         Example usage for JS code when JSC_useDollarVM=true:
2707
2708             $vm.dumpCell(obj);
2709
2710         Example usage from C++ code or from lldb: 
2711
2712             (lldb) p JSC::VMInspector::dumpCellMemory(obj)
2713
2714         Some examples of dumps:
2715
2716             <0x104bc8260, Object>
2717               [0] 0x104bc8260 : 0x010016000000016c header
2718                 structureID 364 0x16c structure 0x104b721b0
2719                 indexingTypeAndMisc 0 0x0 NonArray
2720                 type 22 0x16
2721                 flags 0 0x0
2722                 cellState 1
2723               [1] 0x104bc8268 : 0x0000000000000000 butterfly
2724               [2] 0x104bc8270 : 0xffff000000000007
2725               [3] 0x104bc8278 : 0xffff000000000008
2726
2727             <0x104bb4360, Array>
2728               [0] 0x104bb4360 : 0x0108210b00000171 header
2729                 structureID 369 0x171 structure 0x104b723e0
2730                 indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
2731                 type 33 0x21
2732                 flags 8 0x8
2733                 cellState 1
2734               [1] 0x104bb4368 : 0x00000008000f4718 butterfly
2735                 base 0x8000f46e0
2736                 hasIndexingHeader YES hasAnyArrayStorage YES
2737                 publicLength 4 vectorLength 7 indexBias 2
2738                 preCapacity 2 propertyCapacity 4
2739                   <--- preCapacity
2740                   [0] 0x8000f46e0 : 0x0000000000000000
2741                   [1] 0x8000f46e8 : 0x0000000000000000
2742                   <--- propertyCapacity
2743                   [2] 0x8000f46f0 : 0x0000000000000000
2744                   [3] 0x8000f46f8 : 0x0000000000000000
2745                   [4] 0x8000f4700 : 0xffff00000000000d
2746                   [5] 0x8000f4708 : 0xffff00000000000c
2747                   <--- indexingHeader
2748                   [6] 0x8000f4710 : 0x0000000700000004
2749                   <--- butterfly
2750                   <--- arrayStorage
2751                   [7] 0x8000f4718 : 0x0000000000000000
2752                   [8] 0x8000f4720 : 0x0000000400000002
2753                   <--- indexedProperties
2754                   [9] 0x8000f4728 : 0xffff000000000008
2755                   [10] 0x8000f4730 : 0xffff000000000009
2756                   [11] 0x8000f4738 : 0xffff000000000005
2757                   [12] 0x8000f4740 : 0xffff000000000006
2758                   [13] 0x8000f4748 : 0x0000000000000000
2759                   [14] 0x8000f4750 : 0x0000000000000000
2760                   [15] 0x8000f4758 : 0x0000000000000000
2761                   <--- unallocated capacity
2762                   [16] 0x8000f4760 : 0x0000000000000000
2763                   [17] 0x8000f4768 : 0x0000000000000000
2764                   [18] 0x8000f4770 : 0x0000000000000000
2765                   [19] 0x8000f4778 : 0x0000000000000000
2766
2767         * runtime/JSObject.h:
2768         * tools/JSDollarVM.cpp:
2769         (JSC::functionDumpCell):
2770         (JSC::JSDollarVM::finishCreation):
2771         * tools/VMInspector.cpp:
2772         (JSC::VMInspector::dumpCellMemory):
2773         (JSC::IndentationScope::IndentationScope):
2774         (JSC::IndentationScope::~IndentationScope):
2775         (JSC::VMInspector::dumpCellMemoryToStream):
2776         * tools/VMInspector.h:
2777
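        The dumps above are raw 64-bit words, so reading them means knowing the cell header
        layout and the JSValue tagging scheme. The following is an added example, not code
        from this patch or from JSC: a small decoder for the words a dump prints. The header
        and indexing-header field positions are read off the dumps above; the JSValue tag
        rules (int32 in 0xffff0000_xxxxxxxx, doubles stored as IEEE bits plus 2^49, small
        tags 0x0/0x2/0x4/0x6/0x7/0xa for empty/null/deleted/false/true/undefined, anything
        else with a zero top half being a cell pointer) are JSC's 64-bit encoding as I
        understand it and are an assumption here, not something the entry states. The sample
        words are copied from the Array dump above.

```javascript
// Added example: decode words printed by $vm.dumpCell() / VMInspector::dumpCellMemory().
// Not JSC code. Tag constants are an assumption about JSC's 64-bit JSValue encoding.
const MASK64 = (1n << 64n) - 1n;
const INT32_TAG = 0xffff000000000000n;            // top 16 bits all set: int32 payload
const NUMBER_TAG = 0xfffe000000000000n;           // any of these bits set: a number
const DOUBLE_ENCODE_OFFSET = 1n << 49n;           // doubles are stored as IEEE bits + 2^49

function decodeJSValue(word) {
  const bits = BigInt(word) & MASK64;
  if (bits === 0n) return { kind: 'empty' };
  if ((bits & INT32_TAG) === INT32_TAG)
    return { kind: 'int32', value: Number(BigInt.asIntN(32, bits)) }; // sign-extend low 32
  if ((bits & NUMBER_TAG) !== 0n) {
    const view = new DataView(new ArrayBuffer(8));
    view.setBigUint64(0, (bits - DOUBLE_ENCODE_OFFSET) & MASK64);
    return { kind: 'double', value: view.getFloat64(0) };
  }
  switch (bits) {                                  // small non-number, non-pointer tags
    case 0x2n: return { kind: 'null' };
    case 0x4n: return { kind: 'deleted' };
    case 0x6n: return { kind: 'boolean', value: false };
    case 0x7n: return { kind: 'boolean', value: true };
    case 0xan: return { kind: 'undefined' };
  }
  return { kind: 'cell', address: '0x' + bits.toString(16) };
}

// Header word, as laid out in the dump: structureID (low 32), then one byte each for
// indexingTypeAndMisc, type, flags and cellState.
function decodeCellHeader(word) {
  const bits = BigInt(word) & MASK64;
  return {
    structureID: Number(bits & 0xffffffffn),
    indexingTypeAndMisc: Number((bits >> 32n) & 0xffn),
    type: Number((bits >> 40n) & 0xffn),
    flags: Number((bits >> 48n) & 0xffn),
    cellState: Number((bits >> 56n) & 0xffn),
  };
}

// Indexing header word just before the butterfly pointer: publicLength (low 32),
// vectorLength (high 32), matching "publicLength 4 vectorLength 7" for 0x0000000700000004.
function decodeIndexingHeader(word) {
  const bits = BigInt(word) & MASK64;
  return { publicLength: Number(bits & 0xffffffffn), vectorLength: Number(bits >> 32n) };
}

function describeWord(word) {
  const v = decodeJSValue(word);
  switch (v.kind) {
    case 'int32': case 'double': case 'boolean': return `${v.kind} ${v.value}`;
    case 'cell': return `cell ${v.address}`;
    default: return v.kind;
  }
}

// Count value kinds over a run of value slots. Only pass slots that hold JSValues;
// bookkeeping words such as the ArrayStorage header would be misread as pointers.
function summarizeWords(words) {
  const counts = {};
  for (const w of words) {
    const k = decodeJSValue(w).kind;
    counts[k] = (counts[k] || 0) + 1;
  }
  return counts;
}

// Constructed sample: the two property slots, the four indexed slots and one hole
// from the Array dump above.
const SAMPLE_WORDS = [
  0xffff00000000000dn, 0xffff00000000000cn,
  0xffff000000000008n, 0xffff000000000009n, 0xffff000000000005n, 0xffff000000000006n,
  0x0000000000000000n,
];
```

        Usage: decodeCellHeader(0x0108210b00000171n) gives structureID 369, indexingTypeAndMisc 11,
        type 33, flags 8, cellState 1, the same fields the Array dump prints; describeWord on the
        indexed slots yields "int32 8", "int32 9" and so on.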
2778 2018-07-27  Mark Lam  <mark.lam@apple.com>
2779
2780         Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
2781         https://bugs.webkit.org/show_bug.cgi?id=188123
2782         <rdar://problem/42672268>
2783
2784         Reviewed by Keith Miller.
2785
2786         1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
2787            padding space in VM and Heap, and should not cost any measurable perf to
2788            initialize and update.
2789
2790         2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
2791
2792            worldState tells us the value we failed the assertion on.
2793
2794            m_lastPhase, m_currentPhase, and m_nextPhase tell us the GC phase transition
2795            that led us here.
2796
2797            VM::id(), and VM::numberOfIDs() tell us how many VMs may be in play.
2798
2799            VM::isEntered() tells us if the current VM is currently executing JS code.
2800
2801            Some of this data may be redundant, but the redundancy is intentional so that
2802            we can double check what is really happening at the time of crash.
2803
2804         * heap/Heap.cpp:
2805         (JSC::asInt):
2806         (JSC::Heap::checkConn):
2807         (JSC::Heap::changePhase):
2808         * heap/Heap.h:
2809         * runtime/VM.cpp:
2810         (JSC::VM::nextID):
2811         (JSC::VM::VM):
2812         * runtime/VM.h:
2813         (JSC::VM::numberOfIDs):
2814         (JSC::VM::id const):
2815         (JSC::VM::isEntered const):
2816
2817 2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2818
2819         [JSC] Record CoW status in ArrayProfile correctly
2820         https://bugs.webkit.org/show_bug.cgi?id=187949
2821
2822         Reviewed by Saam Barati.
2823
2824         In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
2825         This is important since our OSR exit compiler records m_observedArrayModes by calculating
2826         ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
2827         our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
2828         Array::Generic DFG nodes.
2829
2830         * bytecode/ArrayProfile.h:
2831         (JSC::asArrayModes):
2832         (JSC::ArrayProfile::ArrayProfile):
2833         * dfg/DFGOSRExit.cpp:
2834         (JSC::DFG::OSRExit::compileExit):
2835         * ftl/FTLOSRExitCompiler.cpp:
2836         (JSC::FTL::compileStub):
2837         * runtime/IndexingType.h:
2838
2839 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2840
2841         [INTL] Remove INTL sub-feature compile flags
2842         https://bugs.webkit.org/show_bug.cgi?id=188081
2843
2844         Reviewed by Michael Catanzaro.
2845
2846         Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
2847         The runtime flags are still present, and should be relied on instead.
2848         The defines for ICU features have also been updated to match HAVE() style.
2849
2850         * Configurations/FeatureDefines.xcconfig:
2851         * runtime/IntlPluralRules.cpp:
2852         (JSC::IntlPluralRules::resolvedOptions):
2853         (JSC::IntlPluralRules::select):
2854         * runtime/IntlPluralRules.h:
2855         * runtime/Options.h:
2856
2857 2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2858
2859         [JSC] Dump IndexingMode in Structure
2860         https://bugs.webkit.org/show_bug.cgi?id=188085
2861
2862         Reviewed by Keith Miller.
2863
2864         Dump IndexingMode instead of IndexingType.
2865
2866         * runtime/Structure.cpp:
2867         (JSC::Structure::dump const):
2868
2869 2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>
2870
2871         String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
2872         https://bugs.webkit.org/show_bug.cgi?id=187963
2873
2874         Reviewed by Alex Christensen.
2875
2876         * inspector/InspectorBackendDispatcher.cpp:
2877         (Inspector::BackendDispatcher::dispatch):
2878         * jsc.cpp:
2879         (ModuleName::ModuleName):
2880         (resolvePath):
2881         * runtime/IntlObject.cpp:
2882         (JSC::canonicalizeLanguageTag):
2883         (JSC::removeUnicodeLocaleExtension):
2884         Update split/splitAllowingEmptyEntries usage.
2885
2886 2018-07-26  Commit Queue  <commit-queue@webkit.org>
2887
2888         Unreviewed, rolling out r234181 and r234189.
2889         https://bugs.webkit.org/show_bug.cgi?id=188075
2890
2891         These are not needed right now (Requested by thorton on
2892         #webkit).
2893
2894         Reverted changesets:
2895
2896         "Enable Web Content Filtering on watchOS"
2897         https://bugs.webkit.org/show_bug.cgi?id=187979
2898         https://trac.webkit.org/changeset/234181
2899
2900         "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
2901         https://bugs.webkit.org/show_bug.cgi?id=187985
2902         https://trac.webkit.org/changeset/234189
2903
2904 2018-07-26  Mark Lam  <mark.lam@apple.com>
2905
2906         arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
2907         https://bugs.webkit.org/show_bug.cgi?id=188065
2908         <rdar://problem/42515726>
2909
2910         Reviewed by Saam Barati.
2911
2912         * runtime/ArrayPrototype.cpp:
2913         (JSC::clearElement):
2914         (JSC::copyElements):
2915         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2916
2917 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2918
2919         JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
2920         https://bugs.webkit.org/show_bug.cgi?id=167991
2921
2922         Reviewed by Michael Catanzaro.
2923
2924         Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
2925         Checked locale.isEmpty() before returning it from defaultLocale, so there should be
2926         no more cases where you might have an invalid locale come back from resolveLocale.
2927
2928         * runtime/IntlObject.cpp:
2929         (JSC::convertICULocaleToBCP47LanguageTag):
2930         (JSC::defaultLocale):
2931         (JSC::lookupMatcher):
2932         * runtime/IntlObject.h:
2933         * runtime/JSGlobalObject.cpp:
2934         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
2935         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
2936         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
2937         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2938
2939 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2940
2941         REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
2942         https://bugs.webkit.org/show_bug.cgi?id=188040
2943
2944         Unreviewed build fix for AppleWin port.
2945
2946         * API/tests/testapi.c: Disabled warning C4204.
2947         (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
2948
2949 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2950
2951         [JSC API] We should support the symbol type in our C/Obj-C API
2952         https://bugs.webkit.org/show_bug.cgi?id=175836
2953
2954         Unreviewed build fix for Windows port.
2955
2956         r234227 introduced a compilation error: unresolved external symbol
2957         "int __cdecl testCAPIViaCpp(void)" in testapi for Windows ports.
2958
2959         Windows ports are compiling testapi.c as C++ by using the /TP switch.
2960
2961         * API/tests/testapi.c:
2962         (main): Removed `::` prefix of ::SetErrorMode Windows API.
2963         (dllLauncherEntryPoint): Converted into C style.
2964         * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c
2965
2966 2018-07-25  Keith Miller  <keith_miller@apple.com>
2967
2968         [JSC API] We should support the symbol type in our C/Obj-C API
2969         https://bugs.webkit.org/show_bug.cgi?id=175836
2970
2971         Reviewed by Filip Pizlo.
2972
2973         This patch makes the following API additions:
2974         1) Test if a JSValue/JSValueRef is a symbol via any of the methods API are able to test for the types of other JSValues.
2975         2) Create a symbol on both APIs.
2976         3) Get/Set/Delete/Define property now take ids in the Obj-C API.
2977         4) Add Get/Set/Delete in the C API.
2978
2979         We can do 3 because it is both binary and source compatible with
2980         the existing API. I added (4) because the current property access
2981         APIs only have the ability to get Strings. It was possible to
2982         merge symbols into JSStringRef but that felt confusing and exposes
2983         implementation details of our engine. The new functions match the
2984         same meaning that they have in JS, thus should be forward
2985         compatible with any future language extensions.
2986
2987         Lastly, this patch adds the same availability preprocessing phase
2988         in WebCore to JavaScriptCore, which enables TBA features for
2989         testing on previous releases.
2990
2991         * API/APICast.h:
2992         * API/JSBasePrivate.h:
2993         * API/JSContext.h:
2994         * API/JSContextPrivate.h:
2995         * API/JSContextRef.h:
2996         * API/JSContextRefInternal.h:
2997         * API/JSContextRefPrivate.h:
2998         * API/JSManagedValue.h:
2999         * API/JSObjectRef.cpp:
3000         (JSObjectHasPropertyKey):
3001         (JSObjectGetPropertyKey):
3002         (JSObjectSetPropertyKey):
3003         (JSObjectDeletePropertyKey):
3004         * API/JSObjectRef.h:
3005         * API/JSRemoteInspector.h:
3006         * API/JSTypedArray.h:
3007         * API/JSValue.h:
3008         * API/JSValue.mm:
3009         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
3010         (performPropertyOperation):
3011         (-[JSValue valueForProperty:valueForProperty:]):
3012         (-[JSValue setValue:forProperty:setValue:forProperty:]):
3013         (-[JSValue deleteProperty:deleteProperty:]):
3014         (-[JSValue hasProperty:hasProperty:]):
3015         (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
3016         (-[JSValue isSymbol]):
3017         (-[JSValue objectForKeyedSubscript:]):
3018         (-[JSValue setObject:forKeyedSubscript:]):
3019         (-[JSValue valueForProperty:]): Deleted.
3020         (-[JSValue setValue:forProperty:]): Deleted.
3021         (-[JSValue deleteProperty:]): Deleted.
3022         (-[JSValue hasProperty:]): Deleted.
3023         (-[JSValue defineProperty:descriptor:]): Deleted.
3024         * API/JSValueRef.cpp:
3025         (JSValueGetType):
3026         (JSValueIsSymbol):
3027         (JSValueMakeSymbol):
3028         * API/JSValueRef.h:
3029         * API/WebKitAvailability.h:
3030         * API/tests/CurrentThisInsideBlockGetterTest.mm:
3031         * API/tests/CustomGlobalObjectClassTest.c:
3032         * API/tests/DateTests.mm:
3033         * API/tests/JSExportTests.mm:
3034         * API/tests/JSNode.c:
3035         * API/tests/JSNodeList.c:
3036         * API/tests/Node.c:
3037         * API/tests/NodeList.c:
3038         * API/tests/minidom.c:
3039         * API/tests/testapi.c:
3040         (main):
3041         * API/tests/testapi.cpp: Added.
3042         (APIString::APIString):
3043         (APIString::~APIString):
3044         (APIString::operator JSStringRef):
3045         (APIContext::APIContext):
3046         (APIContext::~APIContext):
3047         (APIContext::operator JSGlobalContextRef):
3048         (APIVector::APIVector):
3049         (APIVector::~APIVector):
3050         (APIVector::append):
3051         (testCAPIViaCpp):
3052         (TestAPI::evaluateScript):
3053         (TestAPI::callFunction):
3054         (TestAPI::functionReturnsTrue):
3055         (TestAPI::check):
3056         (TestAPI::checkJSAndAPIMatch):
3057         (TestAPI::interestingObjects):
3058         (TestAPI::interestingKeys):
3059         (TestAPI::run):
3060         * API/tests/testapi.mm:
3061         (testObjectiveCAPIMain):
3062         * JavaScriptCore.xcodeproj/project.pbxproj:
3063         * config.h:
3064         * postprocess-headers.sh:
3065         * shell/CMakeLists.txt:
3066         * testmem/testmem.mm:
3067
3068 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
3069
3070         [INTL] Call Typed Array elements toLocaleString with locale and options
3071         https://bugs.webkit.org/show_bug.cgi?id=185796
3072
3073         Reviewed by Keith Miller.
3074
3075         Improve ECMA 402 compliance of typed array toLocaleString, passing along
3076         the locale and options to element toLocaleString calls.
3077
3078         * builtins/TypedArrayPrototype.js:
3079         (toLocaleString):
3080
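        The change above is only observable through what each element's toLocaleString
        receives. The following is an added example, not code from this patch or from
        JavaScriptCore, that checks the forwarding directly: it temporarily replaces
        Number.prototype.toLocaleString with a recorder so the check does not depend on
        installed ICU locale data, then verifies that every element call received the
        same locales and options that were passed to the typed array. The typed array,
        locale and options values are constructed for the example.

```javascript
// Added example: verify that %TypedArray%.prototype.toLocaleString forwards
// (locales, options) to each element's toLocaleString, as ECMA-402 requires.
// Not JSC code; the recorder approach is my own.
function recordElementCalls(typedArray, locales, options) {
  const original = Number.prototype.toLocaleString;
  const calls = [];
  // Recorder: captures the receiver and the arguments of every element call.
  Number.prototype.toLocaleString = function (...args) {
    calls.push({ value: this.valueOf(), args });
    return String(this.valueOf());
  };
  try {
    const joined = typedArray.toLocaleString(locales, options);
    return { joined, calls };
  } finally {
    Number.prototype.toLocaleString = original;   // always restore the builtin
  }
}

// True when every element saw exactly the locales and options the caller passed.
function forwardsLocaleAndOptions(typedArray, locales, options) {
  const { calls } = recordElementCalls(typedArray, locales, options);
  return calls.length === typedArray.length
    && calls.every(c => c.args[0] === locales && c.args[1] === options);
}

// Constructed sample input.
const SAMPLE = new Float64Array([1.5, -2, 3e6]);
const SAMPLE_LOCALE = 'de-DE';
const SAMPLE_OPTIONS = { minimumFractionDigits: 2 };
```

        An engine that still called element toLocaleString with no arguments (the behaviour
        before this change) makes forwardsLocaleAndOptions return false, since args[0] would
        be undefined rather than the locale string.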
3081 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
3082
3083         [INTL] Intl constructor lengths should be configurable
3084         https://bugs.webkit.org/show_bug.cgi?id=187960
3085
3086         Reviewed by Saam Barati.
3087
3088         Removed DontDelete from Intl constructor lengths.
3089         Fixed DateTimeFormat formatToParts length.
3090
3091         * runtime/IntlCollatorConstructor.cpp:
3092         (JSC::IntlCollatorConstructor::finishCreation):
3093         * runtime/IntlDateTimeFormatConstructor.cpp:
3094         (JSC::IntlDateTimeFormatConstructor::finishCreation):
3095         * runtime/IntlDateTimeFormatPrototype.cpp:
3096         (JSC::IntlDateTimeFormatPrototype::finishCreation):
3097         * runtime/IntlNumberFormatConstructor.cpp:
3098         (JSC::IntlNumberFormatConstructor::finishCreation):
3099         * runtime/IntlPluralRulesConstructor.cpp:
3100         (JSC::IntlPluralRulesConstructor::finishCreation):
3101
3102 2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>
3103
3104         runJITThreadLimitTests is failing
3105         https://bugs.webkit.org/show_bug.cgi?id=187886
3106         <rdar://problem/42561966>
3107
3108         Unreviewed build fix for MSVC.
3109
3110         MSVC doesn't support the ternary operator without a second operand.
3111
3112         * dfg/DFGWorklist.cpp:
3113         (JSC::DFG::getNumberOfDFGCompilerThreads):
3114         (JSC::DFG::getNumberOfFTLCompilerThreads):
3115
3116 2018-07-24  Commit Queue  <commit-queue@webkit.org>
3117
3118         Unreviewed, rolling out r234183.
3119         https://bugs.webkit.org/show_bug.cgi?id=187983
3120
3121         cause regression in Kraken gaussian blur and desaturate
3122         (Requested by yusukesuzuki on #webkit).
3123
3124         Reverted changeset:
3125
3126         "[JSC] Record CoW status in ArrayProfile"
3127         https://bugs.webkit.org/show_bug.cgi?id=187949
3128         https://trac.webkit.org/changeset/234183
3129
3130 2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3131
3132         [JSC] Record CoW status in ArrayProfile
3133         https://bugs.webkit.org/show_bug.cgi?id=187949
3134
3135         Reviewed by Saam Barati.
3136
3137         Once a CoW array is converted to a non-CoW array, subsequent operations are done on this non-CoW array.
3138         Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
3139         in this code typically record only non-CoW arrays, since array profiles hold only one recently seen
3140         StructureID. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits
3141         due to CoW arrays.
3142
3143         In this patch, we record CoW status in ArrayProfile separately to construct more appropriate DFG::ArrayMode
3144         speculation. To do so efficiently, we store union of seen IndexingMode in ArrayProfile.
3145
3146         This patch removes one of Kraken/stanford-crypto-aes's OSR exit reasons, and improves the performance by 6-7%.
3147
3148                                       baseline                  patched
3149
3150         stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
3151         stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster
3152
3153         * bytecode/ArrayProfile.cpp:
3154         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3155         * bytecode/ArrayProfile.h:
3156         (JSC::asArrayModes):
3157         We simplify asArrayModes instead of giving up the Int8ArrayMode - Float64ArrayMode contiguous sequence.
3158
3159         (JSC::ArrayProfile::ArrayProfile):
3160         (JSC::ArrayProfile::addressOfObservedIndexingModes):
3161         (JSC::ArrayProfile::observedIndexingModes const):
3162         Currently, our macro assembler and offlineasm only support the `or32` / `ori` operation on addresses,
3163         so we store the union of seen IndexingMode in an `unsigned` instead.
3164
3165         * dfg/DFGArrayMode.cpp:
3166         (JSC::DFG::ArrayMode::fromObserved):
3167         * dfg/DFGArrayMode.h:
3168         (JSC::DFG::ArrayMode::withProfile const):
3169         * jit/JITCall.cpp:
3170         (JSC::JIT::compileOpCall):
3171         * jit/JITCall32_64.cpp:
3172         (JSC::JIT::compileOpCall):
3173         * jit/JITInlines.h:
3174         (JSC::JIT::emitArrayProfilingSiteWithCell):
3175         * llint/LowLevelInterpreter.asm:
3176         * llint/LowLevelInterpreter32_64.asm:
3177         * llint/LowLevelInterpreter64.asm:
3178
3179 2018-07-24  Tim Horton  <timothy_horton@apple.com>
3180
3181         Enable Web Content Filtering on watchOS
3182         https://bugs.webkit.org/show_bug.cgi?id=187979
3183         <rdar://problem/42559346>
3184
3185         Reviewed by Wenson Hsieh.
3186
3187         * Configurations/FeatureDefines.xcconfig:
3188
3189 2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>
3190
3191         Don't modify Options when setting JIT thread limits
3192         https://bugs.webkit.org/show_bug.cgi?id=187886
3193
3194         Reviewed by Filip Pizlo.
3195
3196         Previously, when setting the JIT thread limit prior to the worklist
3197         initialization, it'd be set via Options, which didn't work if Options
3198         hadn't been initialized yet. Change it to use a static variable in the
3199         Worklist instead.
3200
3201         * API/JSVirtualMachine.mm:
3202         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
3203         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
3204         * API/tests/testapi.mm:
3205         (testObjectiveCAPIMain):
3206         * dfg/DFGWorklist.cpp:
3207         (JSC::DFG::getNumberOfDFGCompilerThreads):
3208         (JSC::DFG::getNumberOfFTLCompilerThreads):
3209         (JSC::DFG::setNumberOfDFGCompilerThreads):
3210         (JSC::DFG::setNumberOfFTLCompilerThreads):
3211         (JSC::DFG::ensureGlobalDFGWorklist):
3212         (JSC::DFG::ensureGlobalFTLWorklist):
3213         * dfg/DFGWorklist.h:
3214
3215 2018-07-24  Mark Lam  <mark.lam@apple.com>
3216
3217         Refactoring: make DFG::Plan a class.
3218         https://bugs.webkit.org/show_bug.cgi?id=187968
3219
3220         Reviewed by Saam Barati.
3221
3222         This patch makes all the DFG::Plan fields private, and provides accessor methods
3223         for them.  This makes it easier to reason about how these fields are used and
3224         modified.
3225
3226         * dfg/DFGAbstractInterpreterInlines.h:
3227         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3228         * dfg/DFGByteCodeParser.cpp:
3229         (JSC::DFG::ByteCodeParser::handleCall):
3230         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3231         (JSC::DFG::ByteCodeParser::handleInlining):
3232         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3233         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3234         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
3235         (JSC::DFG::ByteCodeParser::handleGetById):
3236         (JSC::DFG::ByteCodeParser::handlePutById):
3237         (JSC::DFG::ByteCodeParser::parseBlock):
3238         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3239         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3240         (JSC::DFG::ByteCodeParser::parse):
3241         * dfg/DFGCFAPhase.cpp:
3242         (JSC::DFG::CFAPhase::run):
3243         (JSC::DFG::CFAPhase::injectOSR):
3244         * dfg/DFGClobberize.h:
3245         (JSC::DFG::clobberize):
3246         * dfg/DFGCommonData.cpp:
3247         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
3248         * dfg/DFGCommonData.h:
3249         * dfg/DFGConstantFoldingPhase.cpp:
3250         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3251         * dfg/DFGDriver.cpp:
3252         (JSC::DFG::compileImpl):
3253         * dfg/DFGFinalizer.h:
3254         * dfg/DFGFixupPhase.cpp:
3255         (JSC::DFG::FixupPhase::fixupNode):
3256         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
3257         * dfg/DFGGraph.cpp:
3258         (JSC::DFG::Graph::Graph):
3259         (JSC::DFG::Graph::watchCondition):
3260         (JSC::DFG::Graph::inferredTypeFor):
3261         (JSC::DFG::Graph::requiredRegisterCountForExit):
3262         (JSC::DFG::Graph::registerFrozenValues):
3263         (JSC::DFG::Graph::registerStructure):
3264         (JSC::DFG::Graph::registerAndWatchStructureTransition):
3265         (JSC::DFG::Graph::assertIsRegistered):
3266         * dfg/DFGGraph.h:
3267         (JSC::DFG::Graph::compilation):
3268         (JSC::DFG::Graph::identifiers):
3269         (JSC::DFG::Graph::watchpoints):
3270         * dfg/DFGJITCompiler.cpp:
3271         (JSC::DFG::JITCompiler::JITCompiler):
3272         (JSC::DFG::JITCompiler::link):
3273         (JSC::DFG::JITCompiler::compile):
3274         (JSC::DFG::JITCompiler::compileFunction):
3275         (JSC::DFG::JITCompiler::disassemble):
3276         * dfg/DFGJITCompiler.h:
3277         (JSC::DFG::JITCompiler::addWeakReference):
3278         * dfg/DFGJITFinalizer.cpp:
3279         (JSC::DFG::JITFinalizer::finalize):
3280         (JSC::DFG::JITFinalizer::finalizeFunction):
3281         (JSC::DFG::JITFinalizer::finalizeCommon):
3282         * dfg/DFGOSREntrypointCreationPhase.cpp:
3283         (JSC::DFG::OSREntrypointCreationPhase::run):
3284         * dfg/DFGPhase.cpp:
3285         (JSC::DFG::Phase::beginPhase):
3286         * dfg/DFGPhase.h:
3287         (JSC::DFG::runAndLog):
3288         * dfg/DFGPlan.cpp:
3289         (JSC::DFG::Plan::Plan):
3290         (JSC::DFG::Plan::computeCompileTimes const):
3291         (JSC::DFG::Plan::reportCompileTimes const):
3292         (JSC::DFG::Plan::compileInThread):
3293         (JSC::DFG::Plan::compileInThreadImpl):
3294         (JSC::DFG::Plan::isStillValid):
3295         (JSC::DFG::Plan::reallyAdd):
3296         (JSC::DFG::Plan::notifyCompiling):
3297         (JSC::DFG::Plan::notifyReady):
3298         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
3299         (JSC::DFG::Plan::finalizeAndNotifyCallback):
3300         (JSC::DFG::Plan::key):
3301         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
3302         (JSC::DFG::Plan::finalizeInGC):
3303         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
3304         (JSC::DFG::Plan::cancel):
3305         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
3306         * dfg/DFGPlan.h:
3307         (JSC::DFG::Plan::canTierUpAndOSREnter const):
3308         (JSC::DFG::Plan::vm const):
3309         (JSC::DFG::Plan::codeBlock):
3310         (JSC::DFG::Plan::mode const):
3311         (JSC::DFG::Plan::osrEntryBytecodeIndex const):
3312         (JSC::DFG::Plan::mustHandleValues const):
3313         (JSC::DFG::Plan::threadData const):
3314         (JSC::DFG::Plan::compilation const):
3315         (JSC::DFG::Plan::finalizer const):
3316         (JSC::DFG::Plan::setFinalizer):
3317         (JSC::DFG::Plan::inlineCallFrames const):
3318         (JSC::DFG::Plan::watchpoints):
3319         (JSC::DFG::Plan::identifiers):
3320         (JSC::DFG::Plan::weakReferences):
3321         (JSC::DFG::Plan::transitions):
3322         (JSC::DFG::Plan::recordedStatuses):
3323         (JSC::DFG::Plan::willTryToTierUp const):
3324         (JSC::DFG::Plan::setWillTryToTierUp):
3325         (JSC::DFG::Plan::tierUpInLoopHierarchy):
3326         (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
3327         (JSC::DFG::Plan::stage const):
3328         (JSC::DFG::Plan::callback const):
3329         (JSC::DFG::Plan::setCallback):
3330         * dfg/DFGPlanInlines.h:
3331         (JSC::DFG::Plan::iterateCodeBlocksForGC):
3332         * dfg/DFGPreciseLocalClobberize.h:
3333         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3334         * dfg/DFGPredictionInjectionPhase.cpp:
3335         (JSC::DFG::PredictionInjectionPhase::run):
3336         * dfg/DFGSafepoint.cpp:
3337         (JSC::DFG::Safepoint::Safepoint):
3338         (JSC::DFG::Safepoint::~Safepoint):
3339         (JSC::DFG::Safepoint::begin):
3340         * dfg/DFGSafepoint.h:
3341         * dfg/DFGSpeculativeJIT.h:
3342         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
3343         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
3344         * dfg/DFGStackLayoutPhase.cpp:
3345         (JSC::DFG::StackLayoutPh