[JSC] Add @@toStringTag to WebAssembly.Global
[WebKit.git] / Source / JavaScriptCore / ChangeLog
2020-05-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add @@toStringTag to WebAssembly.Global
        https://bugs.webkit.org/show_bug.cgi?id=211372

        Reviewed by Sam Weinig.

        As r260992 did for the other wasm prototypes, we should put @@toStringTag on WebAssembly.Global's prototype too.

        * wasm/js/WebAssemblyGlobalPrototype.cpp:
        (JSC::WebAssemblyGlobalPrototype::finishCreation):

2020-05-04  Devin Rousso  <drousso@apple.com>

        Web Inspector: Worker: should use the name of the worker if it exists
        https://bugs.webkit.org/show_bug.cgi?id=211244

        Reviewed by Brian Burg.

        * inspector/protocol/Worker.json:
        Include the `name` in `Worker.workerCreated`.

2020-05-04  Devin Rousso  <drousso@apple.com>

        Web Inspector: provide a way for inspector to turn on/off ITP debug mode and AdClickAttribution debug mode
        https://bugs.webkit.org/show_bug.cgi?id=209763

        Reviewed by Brian Burg.

        * inspector/protocol/Page.json:
        Add new enum values to `Page.Setting`:
         - `AdClickAttributionDebugModeEnabled`
         - `ITPDebugModeEnabled`

2020-05-03  Maciej Stachowiak  <mjs@apple.com>

        Remove no longer needed WebKitAdditions include for JavaScriptCorePrefix.h
        https://bugs.webkit.org/show_bug.cgi?id=211357

        Reviewed by Mark Lam.

        * JavaScriptCorePrefix.h:

2020-05-02  Mark Lam  <mark.lam@apple.com>

        Gardening: rolling out r261050 and r261051.
        https://bugs.webkit.org/show_bug.cgi?id=211328
        <rdar://problem/62755865>

        Not reviewed.

        * assembler/CPU.h:

2020-05-01  Mark Lam  <mark.lam@apple.com>

        Allow Bitmap to use up to a UCPURegister word size for internal bit storage.
        https://bugs.webkit.org/show_bug.cgi?id=211328
        <rdar://problem/62755865>

        Reviewed by Yusuke Suzuki.

        * assembler/CPU.h:

2020-05-01  Saam Barati  <sbarati@apple.com>

        Have a thread local cache for the Wasm LLInt bytecode buffer
        https://bugs.webkit.org/show_bug.cgi?id=211317

        Reviewed by Filip Pizlo and Mark Lam.

        One of the main things slowing down Wasm compile times is the banging
        on bmalloc's global heap lock. This patch makes it so for the bytecode
        instruction buffer, we keep a thread-local cache with the latest capacity
        the thread needed to compile. This makes it so that in the average case,
        we only do one malloc at the end of a compile to memcpy the final result.

        We clear these thread-local caches when the WasmWorklist's automatic thread's
        underlying machine thread is destroyed.

        This is a 15% speedup in zen garden compile times on a 16-core Mac Pro.
        This is a 4-5% speedup in zen garden compile times on a 6-core MBP.

        * bytecode/InstructionStream.h:
        (JSC::InstructionStreamWriter::setInstructionBuffer):
        (JSC::InstructionStreamWriter::finalize):
        * wasm/WasmLLIntGenerator.cpp:
        (JSC::Wasm::threadSpecificBuffer):
        (JSC::Wasm::clearLLIntThreadSpecificCache):
        (JSC::Wasm::LLIntGenerator::LLIntGenerator):
        (JSC::Wasm::LLIntGenerator::finalize):
        * wasm/WasmLLIntGenerator.h:
        * wasm/WasmWorklist.cpp:
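
An added illustration of the per-thread buffer pattern the entry above describes; it is not WebKit code. The names InstructionStreamWriter, threadSpecificBuffer and clearThreadSpecificCache are taken from the file list only as labels: the std::vector-backed buffer, the growth counter (standing in for the heap-lock round trips the patch avoids) and the constructed bytecode bytes are this example's own assumptions.

```cpp
// Added example (not WebKit code): a per-thread scratch buffer whose capacity survives
// across compiles, so the steady state is one exact-size allocation in finalize()
// instead of repeated growth through the global heap lock.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Per-thread cache; the capacity it holds is whatever the last compile on this thread needed.
inline std::vector<uint8_t>& threadSpecificBuffer()
{
    static thread_local std::vector<uint8_t> buffer;
    return buffer;
}

// Called when the worklist thread's underlying machine thread goes away, so the cached
// capacity does not outlive the thread that needed it.
inline void clearThreadSpecificCache()
{
    std::vector<uint8_t>().swap(threadSpecificBuffer()); // swap-with-empty really releases the memory
}

class InstructionStreamWriter {
public:
    InstructionStreamWriter()
    {
        m_buffer.swap(threadSpecificBuffer()); // borrow the cached capacity for this compile
        m_buffer.clear();                      // length 0, capacity retained
    }

    void write(const uint8_t* bytes, size_t count)
    {
        size_t capacityBefore = m_buffer.capacity();
        m_buffer.insert(m_buffer.end(), bytes, bytes + count);
        if (m_buffer.capacity() != capacityBefore)
            ++m_growths; // each growth is a heap round trip we want to avoid in steady state
    }

    // One exact-size allocation for the final stream; the grown scratch buffer returns to the cache.
    std::vector<uint8_t> finalize()
    {
        std::vector<uint8_t> result(m_buffer.begin(), m_buffer.end());
        threadSpecificBuffer().swap(m_buffer);
        return result;
    }

    size_t growths() const { return m_growths; }

private:
    std::vector<uint8_t> m_buffer;
    size_t m_growths = 0;
};

// Stand-in for compiling one function: emits `byteCount` bytes of constructed bytecode and
// returns how many times the scratch buffer had to grow while doing so.
inline size_t compileFunction(size_t byteCount, std::vector<uint8_t>* out = nullptr)
{
    InstructionStreamWriter writer;
    // Constructed sample: local.get 0; i32.const 42; i32.add; end, zero-padded to 64 bytes.
    const uint8_t chunk[64] = { 0x20, 0x00, 0x41, 0x2a, 0x6a, 0x0b };
    for (size_t emitted = 0; emitted < byteCount; emitted += sizeof(chunk))
        writer.write(chunk, std::min(sizeof(chunk), byteCount - emitted));
    std::vector<uint8_t> stream = writer.finalize();
    if (out)
        *out = std::move(stream);
    return writer.growths();
}

int main()
{
    clearThreadSpecificCache();
    std::printf("first compile on a cold cache: %zu growths\n", compileFunction(4096));
    std::printf("second, smaller compile:       %zu growths\n", compileFunction(2048));
    return 0;
}
```

The second compile reports zero growths because the capacity the first compile built up was handed back to the thread-local cache rather than freed; only the exact-size copy in finalize() touches the heap.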

2020-05-01  Per Arne Vollan  <pvollan@apple.com>

        [Win] Fix AppleWin build
        https://bugs.webkit.org/show_bug.cgi?id=211324

        Reviewed by Don Olmstead.

        Check if target WTF_CopyHeaders exists before using it.

        * CMakeLists.txt:

2020-05-01  Don Olmstead  <don.olmstead@sony.com>

        [GTK] Add additional exports to support hidden visibility
        https://bugs.webkit.org/show_bug.cgi?id=211246

        Reviewed by Michael Catanzaro.

        * API/glib/JSCContextPrivate.h:
        * API/glib/JSCValuePrivate.h:
        * inspector/remote/glib/RemoteInspectorServer.h:
        * inspector/remote/glib/RemoteInspectorUtils.h:

2020-05-01  Don Olmstead  <don.olmstead@sony.com>

        Use export macros on all platforms
        https://bugs.webkit.org/show_bug.cgi?id=211293

        Reviewed by Michael Catanzaro.

        Allow overriding of JS_EXPORT_PRIVATE if desired; otherwise use the defaults.

        * runtime/JSExportMacros.h:

2020-05-01  Saam Barati  <sbarati@apple.com>

        Unreviewed. Non-speculative build fix for watchOS build.

        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):

2020-05-01  Saam Barati  <sbarati@apple.com>

        Unreviewed. Speculative build fix for watchOS build.

        * runtime/ArrayPrototype.cpp:
        (JSC::shift):

2020-05-01  Alexey Shvayka  <shvaikalesh@gmail.com>

        [WebIDL] Interface prototype objects should define @@toStringTag
        https://bugs.webkit.org/show_bug.cgi?id=211020

        Unreviewed follow-up to r260992.

        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation): Revert change in an attempt to fix ARMv7 test.

2020-05-01  David Kilzer  <ddkilzer@apple.com>

        JSC::PropertySlot::m_attributes is uninitialized in constructor
        <https://webkit.org/b/211267>

        Reviewed by Mark Lam.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        - Initialize m_attributes and m_additionalData, and make use of
          default initializers.

2020-05-01  Alexey Shvayka  <shvaikalesh@gmail.com>

        [WebIDL] Interface prototype objects should define @@toStringTag
        https://bugs.webkit.org/show_bug.cgi?id=211020

        Reviewed by Darin Adler.

        WebIDL spec was recently updated [1] to define @@toStringTag on interface prototype objects.
        This change aligns WebIDL with ECMA-262 built-ins and Blink's behavior. Gecko has also
        expressed implementation commitment.

        This patch implements the spec change, making `X.prototype.toString()` return "[object X]"
        instead of "[object XPrototype]", where X is a WebIDL interface. This behavior is proven to
        be web compatible (shipping in Chrome since Q2 2016) and matches class strings of iterator
        prototype objects [2] introduced in r253855.

        We define @@toStringTag for all WebAssembly interfaces but Error subclasses since they
        are not defined using WebIDL [3].

        This change also introduces the JSC_TO_STRING_TAG_WITHOUT_TRANSITION() macro that sets up
        @@toStringTag using ClassInfo to avoid creating extra strings, ensuring `className` equality
        between prototype and instance classes (fixing a few discrepancies), as well as correct
        descriptors. It also ensures using the faster jsNontrivialString() and relieves us from putting
        more code into CodeGeneratorJS.pm.

        [1]: https://github.com/heycam/webidl/pull/357
        [2]: https://heycam.github.io/webidl/#es-iterator-prototype-object
        [3]: https://webassembly.github.io/spec/js-api/#error-objects

        Tests: imported/w3c/web-platform-tests/wasm/jsapi/instance/toString.any.js
               imported/w3c/web-platform-tests/wasm/jsapi/memory/toString.any.js
               imported/w3c/web-platform-tests/wasm/jsapi/module/toString.any.js
               imported/w3c/web-platform-tests/wasm/jsapi/table/toString.any.js

        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/AsyncFunctionPrototype.cpp:
        (JSC::AsyncFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorFunctionPrototype.cpp:
        (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorPrototype.cpp:
        (JSC::AsyncGeneratorPrototype::finishCreation):
        * runtime/BigIntPrototype.cpp:
        (JSC::BigIntPrototype::finishCreation):
        * runtime/GeneratorFunctionPrototype.cpp:
        (JSC::GeneratorFunctionPrototype::finishCreation):
        * runtime/GeneratorPrototype.cpp:
        (JSC::GeneratorPrototype::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        * runtime/IntlPluralRulesPrototype.cpp:
        (JSC::IntlPluralRulesPrototype::finishCreation):
        * runtime/IntlRelativeTimeFormatPrototype.cpp:
        (JSC::IntlRelativeTimeFormatPrototype::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::finishCreation):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        * runtime/JSObject.h:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::finishCreation):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/RegExpStringIteratorPrototype.cpp:
        (JSC::RegExpStringIteratorPrototype::finishCreation):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        * runtime/WeakObjectRefPrototype.cpp:
        (JSC::WeakObjectRefPrototype::finishCreation):
        * runtime/WeakSetPrototype.cpp:
        (JSC::WeakSetPrototype::finishCreation):
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        (JSC::WebAssemblyInstancePrototype::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::WebAssemblyMemoryPrototype::finishCreation):
        * wasm/js/WebAssemblyModulePrototype.cpp:
        (JSC::WebAssemblyModulePrototype::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::WebAssemblyTablePrototype::finishCreation):

2020-05-01  Saam Barati  <sbarati@apple.com>

        We can't cast toLength result to unsigned
        https://bugs.webkit.org/show_bug.cgi?id=211205
        <rdar://problem/62625562>

        Reviewed by Yusuke Suzuki.

        toLength, according to the spec, returns a 53-bit integer. In our
        implementation, we return a double. However, there were many callsites
        that did something like:
        ```
        unsigned length = toLength(obj);
        ```

        This is bad for a few reasons:
        - Casting to unsigned from double is undefined behavior when the integer
        is greater than UINT_MAX. In practice, this means that we'd have different
        engine behavior depending on what architecture we'd be running on. For
        example, if the length were UINT_MAX + 1, on x86, we'd treat the
        length as zero. On arm64, we'd treat it as UINT_MAX. Both are wrong.
        - We weren't spec compliant. We were just ignoring that these numbers could
        be 53-bit integers.

        This patch addresses each bad use of the undefined behavior, and by doing so,
        makes us more spec compliant.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::setLength):
        (JSC::argumentClampedIndexFromStartOrEnd):
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::fastIndexOf):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        * runtime/Identifier.h:
        (JSC::Identifier::from):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty const):
        * runtime/JSObject.h:
        (JSC::JSObject::putByIndexInline):
        (JSC::JSObject::putDirectIndex):
        (JSC::JSObject::canGetIndexQuickly const):
        (JSC::JSObject::tryGetIndexQuickly const):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::get const):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::getValue const):
        * tools/JSDollarVM.cpp:
        (JSC::functionSetUserPreferredLanguages):
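
An added example, not JSC code, of the double-to-unsigned hazard the entry above describes and of a conversion that avoids it. `toLength` here implements the spec clamp (NaN and negatives to 0, truncation, cap at 2^53 - 1) and returns a double like JSC does; `lengthAsUInt64` and `lengthFitsUnsigned` are this example's own helper names, not JSC's. JSC fixed each call site individually; the two helpers show the general shape of a safe call site.

```cpp
// Added example (not JSC code): why `unsigned length = toLength(x)` is unsafe, and how to
// convert a ToLength result without undefined behaviour.
#include <climits>
#include <cmath>
#include <cstdint>
#include <cstdio>

// Spec ToLength: NaN and negatives become 0; otherwise truncate and clamp to 2^53 - 1.
// Mirrors the convention described above of returning the result as a double.
inline double toLength(double value)
{
    constexpr double maxSafeInteger = 9007199254740991.0; // 2^53 - 1
    if (std::isnan(value) || value <= 0)
        return 0;
    value = std::trunc(value);
    return value > maxSafeInteger ? maxSafeInteger : value;
}

// The "before" pattern from the ChangeLog was:
//     unsigned length = toLength(obj);
// For any result above UINT_MAX that floating-to-integral conversion is undefined behaviour
// ([conv.fpint]); x86 and arm64 merely happen to yield 0 and UINT_MAX. It is deliberately
// not reproduced as a callable function here.

// Safe step 1: every ToLength result is a non-negative integer below 2^53, so a uint64_t
// holds it exactly and the conversion is fully defined.
inline uint64_t lengthAsUInt64(double value)
{
    return static_cast<uint64_t>(toLength(value));
}

// Safe step 2: a caller that really needs a 32-bit index tests the range itself and takes
// the generic (slow) path, or throws a RangeError, when the length does not fit.
inline bool lengthFitsUnsigned(double value, unsigned& out)
{
    uint64_t length = lengthAsUInt64(value);
    if (length > UINT_MAX)
        return false;
    out = static_cast<unsigned>(length);
    return true;
}

int main()
{
    unsigned index = 0;
    double length = 4294967296.0; // UINT_MAX + 1, the case called out in the ChangeLog
    bool fits = lengthFitsUnsigned(length, index);
    std::printf("ToLength as uint64_t: %llu, fits unsigned: %s\n",
        static_cast<unsigned long long>(lengthAsUInt64(length)), fits ? "yes" : "no");
    return 0;
}
```

The important property is that the only narrowing to 32 bits happens after an explicit range check, so a length of UINT_MAX + 1 is reported as "does not fit" on every architecture instead of silently becoming 0 on one and UINT_MAX on another.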

2020-04-30  Ross Kirsling  <ross.kirsling@sony.com>

        TriState should be an enum class and use "Indeterminate" instead of "Mixed"
        https://bugs.webkit.org/show_bug.cgi?id=211268

        Reviewed by Mark Lam.

        * b3/B3Const32Value.cpp:
        (JSC::B3::Const32Value::equalConstant const):
        (JSC::B3::Const32Value::notEqualConstant const):
        (JSC::B3::Const32Value::lessThanConstant const):
        (JSC::B3::Const32Value::greaterThanConstant const):
        (JSC::B3::Const32Value::lessEqualConstant const):
        (JSC::B3::Const32Value::greaterEqualConstant const):
        (JSC::B3::Const32Value::aboveConstant const):
        (JSC::B3::Const32Value::belowConstant const):
        (JSC::B3::Const32Value::aboveEqualConstant const):
        (JSC::B3::Const32Value::belowEqualConstant const):
        * b3/B3Const64Value.cpp:
        (JSC::B3::Const64Value::equalConstant const):
        (JSC::B3::Const64Value::notEqualConstant const):
        (JSC::B3::Const64Value::lessThanConstant const):
        (JSC::B3::Const64Value::greaterThanConstant const):
        (JSC::B3::Const64Value::lessEqualConstant const):
        (JSC::B3::Const64Value::greaterEqualConstant const):
        (JSC::B3::Const64Value::aboveConstant const):
        (JSC::B3::Const64Value::belowConstant const):
        (JSC::B3::Const64Value::aboveEqualConstant const):
        (JSC::B3::Const64Value::belowEqualConstant const):
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::equalConstant const):
        (JSC::B3::ConstDoubleValue::notEqualConstant const):
        (JSC::B3::ConstDoubleValue::lessThanConstant const):
        (JSC::B3::ConstDoubleValue::greaterThanConstant const):
        (JSC::B3::ConstDoubleValue::lessEqualConstant const):
        (JSC::B3::ConstDoubleValue::greaterEqualConstant const):
        (JSC::B3::ConstDoubleValue::equalOrUnorderedConstant const):
        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::equalConstant const):
        (JSC::B3::ConstFloatValue::notEqualConstant const):
        (JSC::B3::ConstFloatValue::lessThanConstant const):
        (JSC::B3::ConstFloatValue::greaterThanConstant const):
        (JSC::B3::ConstFloatValue::lessEqualConstant const):
        (JSC::B3::ConstFloatValue::greaterEqualConstant const):
        (JSC::B3::ConstFloatValue::equalOrUnorderedConstant const):
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::addBoolConstant):
        * b3/B3Procedure.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::equalConstant const):
        (JSC::B3::Value::notEqualConstant const):
        (JSC::B3::Value::lessThanConstant const):
        (JSC::B3::Value::greaterThanConstant const):
        (JSC::B3::Value::lessEqualConstant const):
        (JSC::B3::Value::greaterEqualConstant const):
        (JSC::B3::Value::aboveConstant const):
        (JSC::B3::Value::belowConstant const):
        (JSC::B3::Value::aboveEqualConstant const):
        (JSC::B3::Value::belowEqualConstant const):
        (JSC::B3::Value::equalOrUnorderedConstant const):
        (JSC::B3::Value::asTriState const):
        * b3/B3Value.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::thresholdForJIT):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstantNode::emitBytecodeInConditionContext):
        (JSC::BinaryOpNode::emitBytecodeInConditionContext):
        (JSC::BinaryOpNode::tryFoldToBranch):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::equalToSingleCharacter):
        (JSC::DFG::equalToStringImpl):
        (JSC::DFG::LazyJSValue::strictEqual const):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
        (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::equal):
        (JSC::FTL::Output::notEqual):
        (JSC::FTL::Output::above):
        (JSC::FTL::Output::aboveOrEqual):
        (JSC::FTL::Output::below):
        (JSC::FTL::Output::belowOrEqual):
        (JSC::FTL::Output::greaterThan):
        (JSC::FTL::Output::greaterThanOrEqual):
        (JSC::FTL::Output::lessThan):
        (JSC::FTL::Output::lessThanOrEqual):
        * jit/JITOperations.cpp:
        * runtime/CachedTypes.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * runtime/DefinePropertyAttributes.h:
        (JSC::DefinePropertyAttributes::DefinePropertyAttributes):
        (JSC::DefinePropertyAttributes::hasWritable const):
        (JSC::DefinePropertyAttributes::writable const):
        (JSC::DefinePropertyAttributes::hasConfigurable const):
        (JSC::DefinePropertyAttributes::configurable const):
        (JSC::DefinePropertyAttributes::hasEnumerable const):
        (JSC::DefinePropertyAttributes::enumerable const):
        (JSC::DefinePropertyAttributes::setWritable):
        (JSC::DefinePropertyAttributes::setConfigurable):
        (JSC::DefinePropertyAttributes::setEnumerable):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/IntlObject.cpp:
        (JSC::intlBooleanOption):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::pureStrictEqual):
        (JSC::JSValue::pureToBoolean const):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::pureToBoolean const):

2020-04-30  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] intlBooleanOption should return TriState instead of taking an out param
        https://bugs.webkit.org/show_bug.cgi?id=211256

        Reviewed by Darin Adler and Mark Lam.

        Boolean options for Intl constructors can have default values of true, false, or undefined.
        To handle the undefined case, intlBooleanOption currently has a `bool& usesFallback` param;
        we should have the return type simply be a TriState instead.

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/IntlObject.cpp:
        (JSC::intlBooleanOption):
        * runtime/IntlObject.h:

2020-04-30  Devin Rousso  <drousso@apple.com>

        WebKit.WebContent process crashes when web developer tools are opened in Safari
        https://bugs.webkit.org/show_bug.cgi?id=210794
        <rdar://problem/62214651>

        Reviewed by Brian Burg.

        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptFor):
        Don't crash if a `TerminatedExecutionError` is thrown.

        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        Report the actual error message. Check that the result has a value before attempting to make
        a `JSON::Value` out of it.

2020-04-29  Ross Kirsling  <ross.kirsling@sony.com>

        Ensure Intl classes don't have naming conflicts with unified builds
        https://bugs.webkit.org/show_bug.cgi?id=211213

        Reviewed by Yusuke Suzuki.

        Each Intl class usually has an array named relevantExtensionsKeys and a function named localeData.
        This can result in redefinition errors when unified builds put two of them into the same translation unit.
        Some are already guarding against this with an internal namespace while others are not.

        As a uniform approach, this patch makes each localeData function a static method and
        puts each relevantExtensionsKeys array (as well as any constants for its indices) into an internal namespace.

        Furthermore, since three different classes are defining an identical UFieldPositionIteratorDeleter,
        this patch consolidates them into one definition in IntlObject.

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::sortLocaleData): Renamed from JSC::sortLocaleData.
        (JSC::IntlCollator::searchLocaleData): Renamed from JSC::searchLocaleData.
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlCollator.h:
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::localeData): Renamed from JSC::IntlDTFInternal::localeData.
        (JSC::toDateTimeOptionsAnyDate): Renamed from JSC::IntlDTFInternal::toDateTimeOptionsAnyDate.
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted.
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::localeData): Renamed from JSC::IntlNFInternal::localeData.
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted.
        * runtime/IntlNumberFormat.h:
        * runtime/IntlObject.cpp:
        (JSC::UFieldPositionIteratorDeleter::operator() const): Added.
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::localeData): Renamed from JSC::localeData.
        * runtime/IntlPluralRules.h:
        * runtime/IntlRelativeTimeFormat.cpp:
        (JSC::IntlRelativeTimeFormat::localeData): Renamed from JSC::localeData.
        (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
        (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted.
        * runtime/IntlRelativeTimeFormat.h:

2020-04-29  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed follow-up to r260848.
        LowerDFGToB3 has its own isFunction which should NOT have been renamed.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
        (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::isFunction): Renamed from isCallable.

2020-04-29  Alexey Shvayka  <shvaikalesh@gmail.com>

        AsyncFromSyncIterator methods should not pass absent values
        https://bugs.webkit.org/show_bug.cgi?id=211147

        Reviewed by Ross Kirsling.

        This patch implements a minor spec change [1] to match async and sync iteration
        from the perspective of userland `next` and `return` iterator methods.
        The `throw` method always receives an argument, yet we align with others to be
        consistent and future-proof.

        This change is already implemented in SpiderMonkey.

        [1]: https://github.com/tc39/ecma262/pull/1776

        * builtins/AsyncFromSyncIteratorPrototype.js:

2020-04-29  Mark Lam  <mark.lam@apple.com>

        Freezing of Gigacage and JSC Configs should be thread safe.
        https://bugs.webkit.org/show_bug.cgi?id=211201
        <rdar://problem/62597619>

        Reviewed by Yusuke Suzuki.

        If a client creates multiple VM instances in different threads concurrently, the
        following race can occur:

        Config::permanentlyFreeze() contains the following code:

            if (!g_jscConfig.isPermanentlyFrozen)         // Point P1
                g_jscConfig.isPermanentlyFrozen = true;   // Point P2

        Let's say there are 2 threads T1 and T2.

        1. T1 creates a VM and gets to point P1, and sees that g_jscConfig.isPermanentlyFrozen is not set.
           T1 is about to execute P2 when it gets pre-empted.

        2. T2 creates a VM and gets to point P1, and sees that g_jscConfig.isPermanentlyFrozen is not set.
           T2 proceeds to point P2 and sets g_jscConfig.isPermanentlyFrozen to true.
           T2 goes on to freeze the Config and makes it not writable.

        3. T1 gets to run again, and proceeds to point P2.
           T1 tries to set g_jscConfig.isPermanentlyFrozen to true.
           But because the Config has been frozen against writes, the write to
           g_jscConfig.isPermanentlyFrozen results in a crash.

        This is a classic TOCTOU bug.  The fix is simply to ensure that only one thread
        can enter Config::permanentlyFreeze() at a time.

        Ditto for Gigacage::permanentlyFreezeGigacageConfig().

        * runtime/JSCConfig.cpp:
        (JSC::Config::permanentlyFreeze):
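
An added, self-contained model of the race the entry above describes, not WebKit's JSCConfig.cpp. The `Config` struct, the `pagesReadOnly` flag (standing in for the page protection the real freeze applies) and the exception that stands in for the crash are this example's assumptions; the racy path is split at the pre-emption point so steps 1 to 3 can be replayed deterministically, and the fixed path performs the check and the write under one std::mutex, which is the serialization the entry calls for.

```cpp
// Added example (not WebKit code): replaying the Config::permanentlyFreeze() TOCTOU race
// from the ChangeLog, next to a freeze whose check and commit happen under one lock.
#include <cstdio>
#include <mutex>
#include <stdexcept>

struct Config {
    bool isPermanentlyFrozen = false;
    bool pagesReadOnly = false; // stands in for the page protection applied by the real freeze
};

// Every store to the flag goes through here; a store to a read-only page is a fault.
inline void storeIsPermanentlyFrozen(Config& config, bool value)
{
    if (config.pagesReadOnly)
        throw std::runtime_error("write to frozen Config (would be a crash)");
    config.isPermanentlyFrozen = value;
}

// Racy version, split at the pre-emption point so the interleaving can be replayed in order.
inline bool racyCheck(const Config& config) { return !config.isPermanentlyFrozen; } // point P1
inline void racyCommit(Config& config)                                               // point P2
{
    storeIsPermanentlyFrozen(config, true);
    config.pagesReadOnly = true; // the freeze proper
}

// Steps 1-3 of the ChangeLog: T1 and T2 both pass P1 before either reaches P2.
// Returns true when T1's late write lands on the already frozen Config.
inline bool replayRace(Config& config)
{
    bool t1SawUnfrozen = racyCheck(config); // step 1: T1 at P1, then pre-empted
    bool t2SawUnfrozen = racyCheck(config); // step 2: T2 at P1 ...
    if (t2SawUnfrozen)
        racyCommit(config);                 // ... and on through P2; Config is now frozen
    try {
        if (t1SawUnfrozen)
            racyCommit(config);             // step 3: T1 resumes at P2
    } catch (const std::runtime_error&) {
        return true;
    }
    return false;
}

// Fixed version: check and commit are one critical section, so a second thread can only
// observe the flag after the first thread's freeze has completed, and then writes nothing.
class SafeFreezer {
public:
    bool permanentlyFreeze(Config& config)
    {
        std::lock_guard<std::mutex> holder(m_lock);
        if (config.isPermanentlyFrozen)
            return false; // already frozen by another thread; nothing to write
        storeIsPermanentlyFrozen(config, true);
        config.pagesReadOnly = true;
        return true;
    }

private:
    std::mutex m_lock;
};

int main()
{
    Config racy;
    std::printf("racy replay reproduced the crash: %s\n", replayRace(racy) ? "yes" : "no");

    Config safe;
    SafeFreezer freezer;
    bool first = freezer.permanentlyFreeze(safe);
    bool second = freezer.permanentlyFreeze(safe);
    std::printf("locked freeze: first call froze=%d, second call froze=%d\n", first, second);
    return 0;
}
```

The replay has no real threads; it simply executes the two P1 checks before either P2 commit, which is exactly the ordering the scheduler produced in the field. With the lock, the second caller re-reads the flag after acquiring the mutex and never attempts the store, so the read-only page is never written.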
618
619 2020-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
620
621         [JSC] JSStringJoiner is missing BigInt handling
622         https://bugs.webkit.org/show_bug.cgi?id=211174
623
624         Reviewed by Mark Lam.
625
626         JSStringJoiner missed handling of BigInt (specifically BigInt32) and appending empty string incorrectly.
627         In debug build, assertion hits. We should support BigInt in JSStringJoiner.
628
629         * runtime/JSStringJoiner.h:
630         (JSC::JSStringJoiner::appendWithoutSideEffects):
631
632 2020-04-29  Saam Barati  <sbarati@apple.com>
633
634         U_STRING_NOT_TERMINATED_WARNING ICU must be handled when using the output buffer as a C string
635         https://bugs.webkit.org/show_bug.cgi?id=211142
636         <rdar://problem/62530860>
637
638         Reviewed by Darin Adler.
639
640         * runtime/IntlDateTimeFormat.cpp:
641         (JSC::defaultTimeZone):
642         (JSC::canonicalizeTimeZoneName):
643         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
644         (JSC::IntlDateTimeFormat::format):
645         (JSC::IntlDateTimeFormat::formatToParts):
646         * runtime/IntlNumberFormat.cpp:
647         (JSC::IntlNumberFormat::format):
648         (JSC::IntlNumberFormat::formatToParts):
649         * runtime/IntlObject.cpp:
650         (JSC::convertICULocaleToBCP47LanguageTag):
651         (JSC::canonicalizeLanguageTag):
652         * runtime/IntlRelativeTimeFormat.cpp:
653         (JSC::IntlRelativeTimeFormat::formatInternal):
654         (JSC::IntlRelativeTimeFormat::formatToParts):
655         * runtime/StringPrototype.cpp:
656         (JSC::toLocaleCase):
657         (JSC::normalize):
658
659 2020-04-28  Saam Barati  <sbarati@apple.com>
660
661         Unreviewed. Fix 32-bit build.
662
663         * runtime/JSBigInt.cpp:
664         (JSC::JSBigInt::createFrom):
665         (JSC::Int32BigIntImpl::digit):
666
667 2020-04-28  Commit Queue  <commit-queue@webkit.org>
668
669         Unreviewed, reverting r260876 and r260877.
670         https://bugs.webkit.org/show_bug.cgi?id=211165
671
672         Broke build (Requested by yusukesuzuki on #webkit).
673
674         Reverted changesets:
675
676         "Unreviewed, build fix on watchOS"
677         https://bugs.webkit.org/show_bug.cgi?id=210978
678         https://trac.webkit.org/changeset/260876
679
680         "Unreviewed, speculative build fix on watchOS part 2"
681         https://bugs.webkit.org/show_bug.cgi?id=210978
682         https://trac.webkit.org/changeset/260877
683
684 2020-04-28  Yusuke Suzuki  <ysuzuki@apple.com>
685
686         Unreviewed, speculative build fix on watchOS part 2
687         https://bugs.webkit.org/show_bug.cgi?id=210978
688
689         * runtime/JSBigInt.cpp:
690         (JSC::JSBigInt::createFrom):
691         (JSC::Int32BigIntImpl::digit):
692         * runtime/JSBigInt.h:
693
694 2020-04-28  Yusuke Suzuki  <ysuzuki@apple.com>
695
696         Unreviewed, build fix on watchOS
697         https://bugs.webkit.org/show_bug.cgi?id=210978
698
699         * runtime/JSBigInt.cpp:
700         (JSC::JSBigInt::createFrom):
701         (JSC::Int32BigIntImpl::digit):
702         * runtime/JSBigInt.h:
703
704 2020-04-28  Yusuke Suzuki  <ysuzuki@apple.com>
705
706         [JSC] BigInt constructor should accept larger integers than safe-integers
707         https://bugs.webkit.org/show_bug.cgi?id=210755
708
709         Reviewed by Darin Adler.
710
711         While our implementation of the BigInt constructor only accepts safe integers, it should accept all integers.
712         This patch implements it by creating JSBigInt::createFrom(double). We port the double bit processing part from
713         V8, the same as for the other parts of JSBigInt.
714
715         * runtime/BigIntConstructor.cpp:
716         (JSC::callBigIntConstructor):
717         * runtime/JSBigInt.cpp:
718         (JSC::JSBigInt::createFrom):
719         * runtime/JSBigInt.h:
720         * runtime/MathCommon.h:
721         (JSC::isInteger):
722         (JSC::isSafeInteger):
723         * runtime/NumberConstructor.cpp:
724         (JSC::numberConstructorFuncIsSafeInteger):
725         * runtime/NumberConstructor.h:
726
727 2020-04-28  Ross Kirsling  <ross.kirsling@sony.com>
728
729         [JSC] Align upon the name isCallable instead of isFunction
730         https://bugs.webkit.org/show_bug.cgi?id=211140
731
732         Reviewed by Darin Adler.
733
734         Follow-up to r260722. Usage is now cleanly separated between isFunction / getCallData,
735         but the name isCallable is still clearer than isFunction so let's flip that after all.
736
737         * API/JSContextRef.cpp:
738         (JSGlobalContextSetUnhandledRejectionCallback):
739         * API/JSObjectRef.cpp:
740         (JSObjectIsFunction):
741         * dfg/DFGOperations.cpp:
742         * ftl/FTLLowerDFGToB3.cpp:
743         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
744         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
745         (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
746         (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
747         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
748         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
749         (JSC::FTL::DFG::LowerDFGToB3::isCallable):
750         (JSC::FTL::DFG::LowerDFGToB3::isFunction): Deleted.
751         * ftl/FTLOperations.cpp:
752         (JSC::FTL::operationTypeOfObjectAsTypeofType):
753         * jsc.cpp:
754         (functionSetUnhandledRejectionCallback):
755         * runtime/CommonSlowPaths.cpp:
756         (JSC::SLOW_PATH_DECL):
757         * runtime/ExceptionHelpers.cpp:
758         (JSC::errorDescriptionForValue):
759         * runtime/FunctionPrototype.cpp:
760         (JSC::functionProtoFuncToString):
761         * runtime/InternalFunction.cpp:
762         (JSC::getFunctionRealm):
763         * runtime/JSCJSValue.h:
764         * runtime/JSCJSValueInlines.h:
765         (JSC::JSValue::isCallable const):
766         (JSC::JSValue::isFunction const): Deleted.
767         * runtime/JSCell.h:
768         * runtime/JSCellInlines.h:
769         (JSC::JSCell::isCallable):
770         (JSC::JSCell::isFunction): Deleted.
771         * runtime/JSONObject.cpp:
772         (JSC::Stringifier::appendStringifiedValue):
773         * runtime/ObjectConstructor.cpp:
774         (JSC::toPropertyDescriptor):
775         * runtime/ObjectPrototype.cpp:
776         (JSC::objectProtoFuncDefineGetter):
777         (JSC::objectProtoFuncDefineSetter):
778         * runtime/Operations.cpp:
779         (JSC::jsTypeStringForValue):
780         (JSC::jsIsObjectTypeOrNull):
781         * runtime/ProxyObject.cpp:
782         (JSC::ProxyObject::structureForTarget):
783         (JSC::ProxyObject::finishCreation):
784         * runtime/RuntimeType.cpp:
785         (JSC::runtimeTypeForValue):
786         * tools/JSDollarVM.cpp:
787         (JSC::functionCallWithStackSize):
788         (JSC::functionFindTypeForExpression):
789         (JSC::functionReturnTypeFor):
790         (JSC::functionHasBasicBlockExecuted):
791         (JSC::functionBasicBlockExecutionCount):
792         * wasm/WasmInstance.cpp:
793         (JSC::Wasm::Instance::setFunctionWrapper):
794         * wasm/WasmOperations.cpp:
795         (JSC::Wasm::operationIterateResults):
796         (JSC::Wasm::operationWasmRefFunc):
797         * wasm/js/WebAssemblyModuleRecord.cpp:
798         (JSC::WebAssemblyModuleRecord::link):
799         * wasm/js/WebAssemblyWrapperFunction.cpp:
800         (JSC::WebAssemblyWrapperFunction::finishCreation):
801
802 2020-04-28  Yusuke Suzuki  <ysuzuki@apple.com>
803
804         [JSC] NumberConstructor should accept BigInt
805         https://bugs.webkit.org/show_bug.cgi?id=210835
806
807         Reviewed by Mark Lam.
808
809         This patch fixes our Number constructor behavior to accept BigInt. According to the spec[1],
810         Number constructor should accept BigInt and should generate numbers from that.
811
812         We port V8's BigInt to double conversion code as we did for the other HeapBigInt runtime functions.
813
814         And we introduce CallNumberConstructor DFG node and handle Number constructor call with BigInt correctly
815         in DFG and FTL. Previously we were emitting ToNumber DFG node for Number constructor. But this is wrong
816         now since ToNumber does not accept BigInt and throws an error, and Number constructor should not use
817         ToNumber to implement its implementation. So we should introduce slightly different semantics: CallNumberConstructor
818         as we introduced CallStringConstructor in addition to ToString DFG node. And we add appropriate BigInt32 path
819         to emit efficient CallNumberConstructor machine code.
820
821         [1]: https://tc39.es/ecma262/#sec-number-constructor-number-value
822
823         * dfg/DFGAbstractInterpreterInlines.h:
824         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
825         * dfg/DFGBackwardsPropagationPhase.cpp:
826         (JSC::DFG::BackwardsPropagationPhase::propagate):
827         * dfg/DFGByteCodeParser.cpp:
828         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
829         * dfg/DFGClobberize.h:
830         (JSC::DFG::clobberize):
831         * dfg/DFGConstantFoldingPhase.cpp:
832         (JSC::DFG::ConstantFoldingPhase::foldConstants):
833         * dfg/DFGDoesGC.cpp:
834         (JSC::DFG::doesGC):
835         * dfg/DFGFixupPhase.cpp:
836         (JSC::DFG::FixupPhase::fixupNode):
837         (JSC::DFG::FixupPhase::fixupToNumberOrToNumericOrCallNumberConstructor):
838         (JSC::DFG::FixupPhase::fixupToNumeric): Deleted.
839         (JSC::DFG::FixupPhase::fixupToNumber): Deleted.
840         * dfg/DFGNode.h:
841         (JSC::DFG::Node::hasHeapPrediction):
842         * dfg/DFGNodeType.h:
843         * dfg/DFGOperations.cpp:
844         * dfg/DFGOperations.h:
845         * dfg/DFGPredictionPropagationPhase.cpp:
846         * dfg/DFGSafeToExecute.h:
847         (JSC::DFG::safeToExecute):
848         * dfg/DFGSpeculativeJIT.cpp:
849         (JSC::DFG::SpeculativeJIT::compileToNumeric):
850         (JSC::DFG::SpeculativeJIT::compileCallNumberConstructor):
851         * dfg/DFGSpeculativeJIT.h:
852         * dfg/DFGSpeculativeJIT32_64.cpp:
853         (JSC::DFG::SpeculativeJIT::compile):
854         * dfg/DFGSpeculativeJIT64.cpp:
855         (JSC::DFG::SpeculativeJIT::compile):
856         * ftl/FTLCapabilities.cpp:
857         (JSC::FTL::canCompile):
858         * ftl/FTLLowerDFGToB3.cpp:
859         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
860         (JSC::FTL::DFG::LowerDFGToB3::compileCallNumberConstructor):
861         * runtime/JSBigInt.cpp:
862         (JSC::JSBigInt::decideRounding):
863         (JSC::JSBigInt::toNumberHeap):
864         * runtime/JSBigInt.h:
865         * runtime/NumberConstructor.cpp:
866         (JSC::constructNumberConstructor):
867         (JSC::callNumberConstructor):
868
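Added example (not WebKit code): the two conversions described by this entry and by the "BigInt constructor should accept larger integers than safe-integers" entry above, written in JavaScript at the bit level so the rules are explicit: any integral double becomes an exact BigInt, and a BigInt becomes the nearest double with ties rounded to even, overflowing to Infinity. The function names are this example's own; it is written to be checked against the engine's native BigInt() and Number().

```javascript
// Added example, not WebKit code: the double -> BigInt and BigInt -> double
// conversions the entries above describe, done at the bit level so the rules
// (any integral double -> BigInt; BigInt -> nearest double, ties to even) are
// visible. Function names are this example's own.

// Raw IEEE-754 fields of a double: sign bit, 11-bit biased exponent, 52-bit mantissa.
function doubleBits(d) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, d);
  const hi = view.getUint32(0);
  const lo = view.getUint32(4);
  return {
    sign: hi >>> 31,
    biasedExp: (hi >>> 20) & 0x7ff,
    mantissa: (BigInt(hi & 0xfffff) << 32n) | BigInt(lo),
  };
}

// BigInt(d) for any integral double, not just safe integers.
// Non-integers (including NaN and +/-Infinity) are a RangeError, as in the spec.
function bigIntFromDouble(d) {
  if (!Number.isInteger(d)) throw new RangeError(`${d} is not an integer`);
  if (d === 0) return 0n;
  const { sign, biasedExp, mantissa } = doubleBits(d);
  const exponent = biasedExp - 1023;          // unbiased; >= 0 for |d| >= 1
  const significand = (1n << 52n) | mantissa; // restore the implicit leading 1
  // d = significand * 2^(exponent - 52). For an integer the bits shifted out
  // on the right are all zero, so both directions are exact.
  const shift = exponent - 52;
  const magnitude = shift >= 0 ? significand << BigInt(shift) : significand >> BigInt(-shift);
  return sign ? -magnitude : magnitude;
}

// Number(b) for any BigInt: exact below 2^53, otherwise round to nearest with
// ties to even, and Infinity once the rounded value needs more than 1024 bits.
function numberFromBigInt(b) {
  if (b === 0n) return 0;
  const negative = b < 0n;
  const magnitude = negative ? -b : b;
  const bitLength = magnitude.toString(2).length;
  if (bitLength > 1024) return negative ? -Infinity : Infinity;
  const shift = bitLength - 53;               // low bits that do not fit a double
  let result;
  if (shift <= 0) {
    result = Number(magnitude);               // fits in 53 bits: exact
  } else {
    let top = magnitude >> BigInt(shift);     // 53-bit truncated significand
    const dropped = magnitude & ((1n << BigInt(shift)) - 1n);
    const half = 1n << BigInt(shift - 1);
    // Round up when the dropped part is above one half, or exactly one half
    // and the kept significand is odd (ties to even).
    if (dropped > half || (dropped === half && (top & 1n) === 1n)) top += 1n;
    // top <= 2^53, so this product is exact unless it overflows to Infinity.
    result = Number(top) * 2 ** shift;
  }
  return negative ? -result : result;
}
```

Usage: numberFromBigInt(2n ** 53n + 1n) and numberFromBigInt(2n ** 53n + 3n) show the tie rule (down to 2^53, up to 2^53 + 4), numberFromBigInt(2n ** 1024n - 1n) shows rounding carrying into Infinity, and bigIntFromDouble(1.5) is the RangeError the BigInt constructor must raise for a non-integer.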
869 2020-04-27  Yusuke Suzuki  <ysuzuki@apple.com>
870
871         [JSC] Throw OutOfMemoryError instead of RangeError if BigInt is too big
872         https://bugs.webkit.org/show_bug.cgi?id=211111
873
874         Reviewed by Saam Barati.
875
876         Currently, we are throwing a RangeError if we detect that JSBigInt becomes too large. But this is not consistent with our JSString's policy.
877         We should throw OutOfMemoryError in this case. This also makes DFG simple since DFG allows throwing OutOfMemoryError in any places which node
878         is even removed.
879
880         * dfg/DFGFixupPhase.cpp:
881         (JSC::DFG::FixupPhase::fixupNode):
882         * runtime/ExceptionHelpers.cpp:
883         (JSC::throwOutOfMemoryError):
884         * runtime/ExceptionHelpers.h:
885         * runtime/JSBigInt.cpp:
886         (JSC::JSBigInt::tryCreateWithLength):
887         (JSC::JSBigInt::exponentiateHeap):
888         (JSC::JSBigInt::leftShiftByAbsolute):
889         (JSC::JSBigInt::allocateFor):
890
891 2020-04-27  Saam Barati  <sbarati@apple.com>
892
893         BigInt math runtime shouldn't convert BigInt32 input operands to a heap cell when doing math
894         https://bugs.webkit.org/show_bug.cgi?id=210978
895
896         Reviewed by Yusuke Suzuki.
897
898         This patch adds support in the runtime for doing almost all BigInt math
899         operations on inputs that are either Int32, HeapBigInt, or a mix
900         of both. Before, if we detected a binary operation on an Int32 and a
901         HeapBigInt, this would lead us to convert the Int32 operand into a HeapBigInt.
902         
903         This is especially bad because we'd repeat this for all math ops. For example,
904         if x is a BigInt32, and all rhs are a HeapBigInt, we'd repeatedly convert x
905         to a HeapBigInt for each operation:
906         ```
907         x + y
908         x * y
909         x - y
910         x >> y
911         x << y
912         etc
913         ```
914         
915         To teach the runtime how to operate both over a BigInt32 and a HeapBigInt, I
916         templatized the runtime math operations to work both over BigInt32 and
917         HeapBigInt wrapper classes that expose the same interface.
918         
919         This is a ~28% speedup on microbenchmarks/sunspider-sha1-big-int.js
920
921         * ftl/FTLLowerDFGToB3.cpp:
922         (JSC::FTL::DFG::LowerDFGToB3::compare):
923         * jit/JITOperations.cpp:
924         * runtime/CommonSlowPaths.cpp:
925         (JSC::SLOW_PATH_DECL):
926         * runtime/JSBigInt.cpp:
927         (JSC::HeapBigIntImpl::HeapBigIntImpl):
928         (JSC::HeapBigIntImpl::isZero):
929         (JSC::HeapBigIntImpl::sign):
930         (JSC::HeapBigIntImpl::length):
931         (JSC::HeapBigIntImpl::digit):
932         (JSC::HeapBigIntImpl::toHeapBigInt):
933         (JSC::Int32BigIntImpl::Int32BigIntImpl):
934         (JSC::Int32BigIntImpl::isZero):
935         (JSC::Int32BigIntImpl::sign):
936         (JSC::Int32BigIntImpl::length):
937         (JSC::Int32BigIntImpl::digit):
938         (JSC::Int32BigIntImpl::toHeapBigInt):
939         (JSC::JSBigInt::ImplResult::ImplResult):
940         (JSC::tryConvertToBigInt32):
941         (JSC::JSBigInt::inplaceMultiplyAdd):
942         (JSC::JSBigInt::exponentiateImpl):
943         (JSC::JSBigInt::exponentiate):
944         (JSC::JSBigInt::multiplyImpl):
945         (JSC::JSBigInt::multiply):
946         (JSC::JSBigInt::divideImpl):
947         (JSC::JSBigInt::divide):
948         (JSC::JSBigInt::copy):
949         (JSC::JSBigInt::unaryMinusImpl):
950         (JSC::JSBigInt::unaryMinus):
951         (JSC::JSBigInt::remainderImpl):
952         (JSC::JSBigInt::remainder):
953         (JSC::JSBigInt::incImpl):
954         (JSC::JSBigInt::inc):
955         (JSC::JSBigInt::decImpl):
956         (JSC::JSBigInt::dec):
957         (JSC::JSBigInt::addImpl):
958         (JSC::JSBigInt::add):
959         (JSC::JSBigInt::subImpl):
960         (JSC::JSBigInt::sub):
961         (JSC::JSBigInt::bitwiseAndImpl):
962         (JSC::JSBigInt::bitwiseAnd):
963         (JSC::JSBigInt::bitwiseOrImpl):
964         (JSC::JSBigInt::bitwiseOr):
965         (JSC::JSBigInt::bitwiseXorImpl):
966         (JSC::JSBigInt::bitwiseXor):
967         (JSC::JSBigInt::leftShiftImpl):
968         (JSC::JSBigInt::leftShift):
969         (JSC::JSBigInt::leftShiftSlow):
970         (JSC::JSBigInt::signedRightShiftImpl):
971         (JSC::JSBigInt::signedRightShift):
972         (JSC::JSBigInt::bitwiseNotImpl):
973         (JSC::JSBigInt::bitwiseNot):
974         (JSC::JSBigInt::internalMultiplyAdd):
975         (JSC::JSBigInt::multiplyAccumulate):
976         (JSC::JSBigInt::absoluteCompare):
977         (JSC::JSBigInt::compareImpl):
978         (JSC::JSBigInt::compare):
979         (JSC::JSBigInt::absoluteAdd):
980         (JSC::JSBigInt::absoluteSub):
981         (JSC::JSBigInt::absoluteDivWithDigitDivisor):
982         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
983         (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
984         (JSC::JSBigInt::absoluteBitwiseOp):
985         (JSC::JSBigInt::absoluteAnd):
986         (JSC::JSBigInt::absoluteOr):
987         (JSC::JSBigInt::absoluteAndNot):
988         (JSC::JSBigInt::absoluteXor):
989         (JSC::JSBigInt::absoluteAddOne):
990         (JSC::JSBigInt::absoluteSubOne):
991         (JSC::JSBigInt::leftShiftByAbsolute):
992         (JSC::JSBigInt::rightShiftByAbsolute):
993         (JSC::JSBigInt::rightShiftByMaximum):
994         (JSC::JSBigInt::toStringGeneric):
995         (JSC::JSBigInt::toShiftAmount):
996         (JSC::JSBigInt::exponentiateHeap): Deleted.
997         (JSC::JSBigInt::multiplyHeap): Deleted.
998         (JSC::JSBigInt::divideHeap): Deleted.
999         (JSC::JSBigInt::unaryMinusHeap): Deleted.
1000         (JSC::JSBigInt::remainderHeap): Deleted.
1001         (JSC::JSBigInt::incHeap): Deleted.
1002         (JSC::JSBigInt::decHeap): Deleted.
1003         (JSC::JSBigInt::addHeap): Deleted.
1004         (JSC::JSBigInt::subHeap): Deleted.
1005         (JSC::JSBigInt::bitwiseAndHeap): Deleted.
1006         (JSC::JSBigInt::bitwiseOrHeap): Deleted.
1007         (JSC::JSBigInt::bitwiseXorHeap): Deleted.
1008         (JSC::JSBigInt::leftShiftHeap): Deleted.
1009         (JSC::JSBigInt::signedRightShiftHeap): Deleted.
1010         (JSC::JSBigInt::bitwiseNotHeap): Deleted.
1011         (JSC::JSBigInt::compareToInt32): Deleted.
1012         * runtime/JSBigInt.h:
1013         * runtime/Operations.cpp:
1014         (JSC::jsAddSlowCase):
1015         * runtime/Operations.h:
1016         (JSC::compareBigInt):
1017         (JSC::compareBigInt32ToOtherPrimitive):
1018         (JSC::arithmeticBinaryOp):
1019         (JSC::jsSub):
1020         (JSC::jsMul):
1021         (JSC::jsDiv):
1022         (JSC::jsRemainder):
1023         (JSC::jsPow):
1024         (JSC::jsInc):
1025         (JSC::jsDec):
1026         (JSC::jsBitwiseNot):
1027         (JSC::shift):
1028         (JSC::jsLShift):
1029         (JSC::jsRShift):
1030         (JSC::bitwiseBinaryOp):
1031         (JSC::jsBitwiseAnd):
1032         (JSC::jsBitwiseOr):
1033         (JSC::jsBitwiseXor):
1034
1035 2020-04-27  Yusuke Suzuki  <ysuzuki@apple.com>
1036
1037         [JSC] >>> should call ToNumeric
1038         https://bugs.webkit.org/show_bug.cgi?id=211065
1039
1040         Reviewed by Ross Kirsling.
1041
1042         While BigInt does not support the >>> operator, >>> should call ToNumeric (in this case, toBigIntOrInt32) on both operands before throwing an error.
1043         We call toBigIntOrInt32 for both operands, and throw an error. After that, we cast int32_t to uint32_t to perform the >>> operator. This is correct
1044         since the only difference between toUint32 and toInt32 is casting the int32_t result to uint32_t.
1045
1046         * dfg/DFGOperations.cpp:
1047         * runtime/CommonSlowPaths.cpp:
1048         (JSC::SLOW_PATH_DECL):
1049         * runtime/Operations.h:
1050         (JSC::shift):
1051         (JSC::jsURShift):
1052
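Added example (not WebKit code): the `>>>` semantics this entry describes, written out in JavaScript so the observable order is explicit: ToNumeric runs on both operands first (so their side effects always happen, in order), the BigInt TypeError comes after that, and the shift itself is done on the ToInt32 result reinterpreted as uint32. Function names are this example's own, and @@toPrimitive is left out of the ToPrimitive step to keep it short.

```javascript
// Added example, not WebKit code: `lhs >>> rhs` as the runtime slow path
// described in the entry above performs it. Function names are this example's
// own; @@toPrimitive is omitted from ToPrimitive for brevity.

const isObject = (v) => (typeof v === 'object' && v !== null) || typeof v === 'function';

// OrdinaryToPrimitive with hint "number": valueOf first, then toString.
function toPrimitiveNumber(obj) {
  for (const name of ['valueOf', 'toString']) {
    const method = obj[name];
    if (typeof method === 'function') {
      const result = method.call(obj);
      if (!isObject(result)) return result;
    }
  }
  throw new TypeError('Cannot convert object to primitive value');
}

// ToNumeric: a BigInt primitive stays a BigInt, everything else goes through ToNumber.
function toNumeric(value) {
  const prim = isObject(value) ? toPrimitiveNumber(value) : value;
  return typeof prim === 'bigint' ? prim : Number(prim);
}

// lhs >>> rhs: ToNumeric on both operands first, the BigInt error after that,
// and the shift on ToInt32(lhs) cast to uint32 by a count of ToUint32(rhs) & 31.
function jsURShift(lhs, rhs) {
  const left = toNumeric(lhs);
  const right = toNumeric(rhs);
  if (typeof left === 'bigint' || typeof right === 'bigint') {
    throw new TypeError('BigInt has no unsigned right shift; use >> instead');
  }
  const leftInt32 = left | 0;            // ToInt32
  const leftUint32 = leftInt32 >>> 0;    // the int32_t -> uint32_t cast
  const shiftCount = (right | 0) & 31;   // ToUint32(rhs) & 0x1F (low 5 bits agree)
  return leftUint32 >>> shiftCount;
}

// Runs one BigInt-on-the-left shift through `shift` and reports which operand
// conversions happened before the TypeError. Pass jsURShift or nativeURShift
// to compare the emulation with the engine.
function conversionOrder(shift) {
  const log = [];
  const lhs = { valueOf() { log.push('lhs'); return 1n; } };
  const rhs = { valueOf() { log.push('rhs'); return 1; } };
  let threwTypeError = false;
  try {
    shift(lhs, rhs);
  } catch (e) {
    threwTypeError = e instanceof TypeError;
  }
  return { log, threwTypeError };
}

const nativeURShift = (a, b) => a >>> b;
```

Usage: conversionOrder(jsURShift) and conversionOrder(nativeURShift) both report `['lhs', 'rhs']` with a TypeError, which is the point of the entry: the right operand's valueOf still runs even though the left one already produced a BigInt.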
1053 2020-04-27  Keith Miller  <keith_miller@apple.com>
1054
1055         OSR Exit compiler should know and print the exiting DFG node's index
1056         https://bugs.webkit.org/show_bug.cgi?id=210998
1057
1058         Reviewed by Mark Lam.
1059
1060         The only interesting thing here is that we set the node to index 0 if there is no node.
1061         AFAICT, we only don't have a node when we are checking arguments.
1062
1063         * dfg/DFGOSRExit.cpp:
1064         (JSC::DFG::OSRExit::OSRExit):
1065         (JSC::DFG::operationCompileOSRExit):
1066         * dfg/DFGOSRExitBase.h:
1067         (JSC::DFG::OSRExitBase::OSRExitBase):
1068         * ftl/FTLLowerDFGToB3.cpp:
1069         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
1070         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1071         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
1072         * ftl/FTLOSRExit.cpp:
1073         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
1074         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
1075         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
1076         (JSC::FTL::OSRExit::OSRExit):
1077         * ftl/FTLOSRExit.h:
1078         * ftl/FTLOSRExitCompiler.cpp:
1079         (JSC::FTL::compileStub):
1080
1081 2020-04-27  Saam Barati  <sbarati@apple.com>
1082
1083         compilePeepHoleBigInt32Branch needs to handle all conditions
1084         https://bugs.webkit.org/show_bug.cgi?id=211096
1085         <rdar://problem/62469971>
1086
1087         Reviewed by Yusuke Suzuki.
1088
1089         We were falling through to the generic path for all conditions which
1090         weren't Equal/NotEqual. The generic path does not do speculation, so
1091         it was leading to potential miscompiles because we omitted a type check.
1092         Defining compilePeepHoleBigInt32Branch for other conditions is trivial,
1093         so this patch just implements that.
1094
1095         This failure is caught by microbenchmarks/sunspider-sha1-big-int.js
1096
1097         * dfg/DFGSpeculativeJIT.cpp:
1098         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1099         * dfg/DFGSpeculativeJIT64.cpp:
1100         (JSC::DFG::SpeculativeJIT::compilePeepHoleBigInt32Branch):
1101
1102 2020-04-27  Jason Lawrence  <lawrence.j@apple.com>
1103
1104         Unreviewed, reverting r260772.
1105
1106         This commit caused tests to start failing internally.
1107
1108         Reverted changeset:
1109
1110         "OSR Exit compiler should know and print the exiting DFG
1111         node's index"
1112         https://bugs.webkit.org/show_bug.cgi?id=210998
1113         https://trac.webkit.org/changeset/260772
1114
1115 2020-04-27  Yusuke Suzuki  <ysuzuki@apple.com>
1116
1117         [JSC] Add $vm.assertEnabled() to suppress Debug crash expected tests in release+assert build
1118         https://bugs.webkit.org/show_bug.cgi?id=211089
1119
1120         Reviewed by Keith Miller.
1121
1122         Expose ASSERT_ENABLED condition to the shell to control crash expected tests.
1123
1124         * tools/JSDollarVM.cpp:
1125         (JSC::functionAssertEnabled):
1126         (JSC::JSDollarVM::finishCreation):
1127
1128 2020-04-27  Keith Miller  <keith_miller@apple.com>
1129
1130         OSR Exit compiler should know and print the exiting DFG node's index
1131         https://bugs.webkit.org/show_bug.cgi?id=210998
1132
1133         Reviewed by Mark Lam.
1134
1135         The only interesting thing here is that we set the node to index 0 if there is no node.
1136         AFAICT, we only don't have a node when we are checking arguments.
1137
1138         * dfg/DFGOSRExit.cpp:
1139         (JSC::DFG::OSRExit::OSRExit):
1140         (JSC::DFG::operationCompileOSRExit):
1141         * dfg/DFGOSRExitBase.h:
1142         (JSC::DFG::OSRExitBase::OSRExitBase):
1143         * ftl/FTLLowerDFGToB3.cpp:
1144         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
1145         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1146         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
1147         * ftl/FTLOSRExit.cpp:
1148         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
1149         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
1150         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
1151         (JSC::FTL::OSRExit::OSRExit):
1152         * ftl/FTLOSRExit.h:
1153         * ftl/FTLOSRExitCompiler.cpp:
1154         (JSC::FTL::compileStub):
1155
1156 2020-04-27  Ross Kirsling  <ross.kirsling@sony.com>
1157
1158         [JSC] CallData/ConstructData should include CallType/ConstructType
1159         https://bugs.webkit.org/show_bug.cgi?id=211059
1160
1161         Reviewed by Darin Adler.
1162
1163         getCallData/getConstructData return a CallType/ConstructType and have a CallData/ConstructData out param,
1164         and then *both* of these are passed side-by-side to `call`/`construct`, which all seems a bit silly.
1165
1166         This patch merges CallType/ConstructType into CallData/ConstructData such that getCallData/getConstructData
1167         no longer need an out param and `call`/`construct` require one less overt parameter.
1168
1169         In so doing, it also:
1170         - removes ConstructData entirely as it's an exact duplicate of CallData
1171         - renames enum value Host to Native in alignment with CallData's union
1172
1173         * API/JSCallbackConstructor.cpp:
1174         (JSC::JSCallbackConstructor::getConstructData):
1175         * API/JSCallbackConstructor.h:
1176         * API/JSCallbackObject.h:
1177         * API/JSCallbackObjectFunctions.h:
1178         (JSC::JSCallbackObject<Parent>::getConstructData):
1179         (JSC::JSCallbackObject<Parent>::getCallData):
1180         * API/JSObjectRef.cpp:
1181         (JSObjectCallAsFunction):
1182         (JSObjectCallAsConstructor):
1183         * bindings/ScriptFunctionCall.cpp:
1184         (Deprecated::ScriptFunctionCall::call):
1185         * bindings/ScriptFunctionCall.h:
1186         * dfg/DFGOperations.cpp:
1187         * inspector/InjectedScriptManager.cpp:
1188         (Inspector::InjectedScriptManager::createInjectedScript):
1189         * inspector/InspectorEnvironment.h:
1190         * interpreter/Interpreter.cpp:
1191         (JSC::Interpreter::executeProgram):
1192         (JSC::Interpreter::executeCall):
1193         (JSC::Interpreter::executeConstruct):
1194         * interpreter/Interpreter.h:
1195         * jit/JITOperations.cpp:
1196         * jsc.cpp:
1197         (functionDollarAgentReceiveBroadcast):
1198         * llint/LLIntSlowPaths.cpp:
1199         (JSC::LLInt::handleHostCall):
1200         * runtime/ArrayPrototype.cpp:
1201         (JSC::arrayProtoFuncToString):
1202         (JSC::arrayProtoFuncToLocaleString):
1203         * runtime/CallData.cpp:
1204         (JSC::call):
1205         (JSC::profiledCall):
1206         * runtime/CallData.h:
1207         * runtime/ClassInfo.h:
1208         * runtime/CommonSlowPaths.cpp:
1209         (JSC::SLOW_PATH_DECL):
1210         * runtime/ConstructData.cpp:
1211         (JSC::construct):
1212         (JSC::profiledConstruct):
1213         * runtime/ConstructData.h:
1214         (JSC::construct):
1215         (JSC::profiledConstruct):
1216         (): Deleted.
1217         * runtime/DatePrototype.cpp:
1218         (JSC::dateProtoFuncToJSON):
1219         * runtime/GetterSetter.cpp:
1220         (JSC::callGetter):
1221         (JSC::callSetter):
1222         * runtime/InternalFunction.cpp:
1223         (JSC::InternalFunction::getCallData):
1224         (JSC::InternalFunction::getConstructData):
1225         * runtime/InternalFunction.h:
1226         * runtime/IteratorOperations.cpp:
1227         (JSC::iteratorNext):
1228         (JSC::iteratorClose):
1229         (JSC::hasIteratorMethod):
1230         (JSC::iteratorMethod):
1231         (JSC::iteratorForIterable):
1232         * runtime/JSBoundFunction.cpp:
1233         (JSC::boundThisNoArgsFunctionCall):
1234         (JSC::boundFunctionCall):
1235         (JSC::boundThisNoArgsFunctionConstruct):
1236         (JSC::boundFunctionConstruct):
1237         * runtime/JSCJSValue.h:
1238         * runtime/JSCell.cpp:
1239         (JSC::JSCell::getCallData):
1240         (JSC::JSCell::getConstructData):
1241         * runtime/JSCell.h:
1242         * runtime/JSCellInlines.h:
1243         (JSC::JSCell::isFunction):
1244         (JSC::JSCell::isConstructor):
1245         * runtime/JSFunction.cpp:
1246         (JSC::JSFunction::getCallData):
1247         (JSC::JSFunction::getConstructData):
1248         * runtime/JSFunction.h:
1249         * runtime/JSInternalPromise.cpp:
1250         (JSC::JSInternalPromise::then):
1251         * runtime/JSMicrotask.cpp:
1252         (JSC::JSMicrotask::run):
1253         * runtime/JSModuleLoader.cpp:
1254         (JSC::JSModuleLoader::dependencyKeysIfEvaluated):
1255         (JSC::JSModuleLoader::provideFetch):
1256         (JSC::JSModuleLoader::loadAndEvaluateModule):
1257         (JSC::JSModuleLoader::loadModule):
1258         (JSC::JSModuleLoader::linkAndEvaluateModule):
1259         (JSC::JSModuleLoader::requestImportModule):
1260         * runtime/JSONObject.cpp:
1261         (JSC::Stringifier::isCallableReplacer const):
1262         (JSC::Stringifier::Stringifier):
1263         (JSC::Stringifier::toJSON):
1264         (JSC::Stringifier::appendStringifiedValue):
1265         (JSC::Walker::Walker):
1266         (JSC::Walker::callReviver):
1267         (JSC::JSONProtoFuncParse):
1268         * runtime/JSObject.cpp:
1269         (JSC::ordinarySetSlow):
1270         (JSC::callToPrimitiveFunction):
1271         (JSC::JSObject::hasInstance):
1272         (JSC::JSObject::getMethod):
1273         * runtime/JSObject.h:
1274         * runtime/JSObjectInlines.h:
1275         (JSC::getCallData):
1276         (JSC::getConstructData):
1277         * runtime/JSPromise.cpp:
1278         (JSC::JSPromise::createDeferredData):
1279         (JSC::JSPromise::resolvedPromise):
1280         (JSC::callFunction):
1281         * runtime/MapConstructor.cpp:
1282         (JSC::constructMap):
1283         * runtime/ObjectPrototype.cpp:
1284         (JSC::objectProtoFuncToLocaleString):
1285         * runtime/ProxyObject.cpp:
1286         (JSC::performProxyGet):
1287         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1288         (JSC::ProxyObject::performHasProperty):
1289         (JSC::ProxyObject::performPut):
1290         (JSC::performProxyCall):
1291         (JSC::ProxyObject::getCallData):
1292         (JSC::performProxyConstruct):
1293         (JSC::ProxyObject::getConstructData):
1294         (JSC::ProxyObject::performDelete):
1295         (JSC::ProxyObject::performPreventExtensions):
1296         (JSC::ProxyObject::performIsExtensible):
1297         (JSC::ProxyObject::performDefineOwnProperty):
1298         (JSC::ProxyObject::performGetOwnPropertyNames):
1299         (JSC::ProxyObject::performSetPrototype):
1300         (JSC::ProxyObject::performGetPrototype):
1301         * runtime/ProxyObject.h:
1302         * runtime/ReflectObject.cpp:
1303         (JSC::reflectObjectConstruct):
1304         * runtime/SamplingProfiler.cpp:
1305         (JSC::SamplingProfiler::processUnverifiedStackTraces):
1306         * runtime/SetConstructor.cpp:
1307         (JSC::constructSet):
1308         * runtime/StringPrototype.cpp:
1309         (JSC::replaceUsingRegExpSearch):
1310         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1311         (JSC::operationStringProtoFuncReplaceRegExpString):
1312         (JSC::replaceUsingStringSearch):
1313         * runtime/VM.cpp:
1314         (JSC::VM::callPromiseRejectionCallback):
1315         * runtime/WeakMapConstructor.cpp:
1316         (JSC::constructWeakMap):
1317         * runtime/WeakSetConstructor.cpp:
1318         (JSC::constructWeakSet):
1319         * tools/JSDollarVM.cpp:
1320         (JSC::callWithStackSizeProbeFunction):
1321         * wasm/js/WebAssemblyModuleRecord.cpp:
1322         (JSC::WebAssemblyModuleRecord::evaluate):
1323         * wasm/js/WebAssemblyWrapperFunction.cpp:
1324         (JSC::callWebAssemblyWrapperFunction):
1325
1326 2020-04-26  Ross Kirsling  <ross.kirsling@sony.com>
1327
1328         [JSC] Clearly distinguish isConstructor from getConstructData
1329         https://bugs.webkit.org/show_bug.cgi?id=211053
1330
1331         Reviewed by Sam Weinig.
1332
1333         Follow-up to r260722. Remove the isConstructor overload that duplicates getConstructData
1334         and clearly distinguish the usage of these two functions.
1335
1336         * runtime/JSCJSValue.h:
1337         * runtime/JSCJSValueInlines.h:
1338         * runtime/JSCell.h:
1339         * runtime/JSCellInlines.h:
1340         (JSC::JSCell::isConstructor):
1341         Remove isConstructor overload.
1342
1343         * runtime/JSBoundFunction.cpp:
1344         (JSC::JSBoundFunction::create):
1345         Don't use getConstructData if you don't need ConstructData.
1346
1347         * runtime/ReflectObject.cpp:
1348         (JSC::reflectObjectConstruct):
1349         Use getConstructData if you need ConstructData.
1350
1351         * API/JSObjectRef.cpp:
1352         (JSObjectIsFunction):
1353         Use isFunction (leftover spot from last patch).
1354
1355 2020-04-26  Alexey Shvayka  <shvaikalesh@gmail.com>
1356
1357         Symbol should have [[Construct]] internal method
1358         https://bugs.webkit.org/show_bug.cgi?id=211050
1359
1360         Reviewed by Yusuke Suzuki.
1361
1362         This change introduces constructSymbol() method, which unconditionally throws
1363         a TypeError, since its presence is observable when, for example, Symbol is a
1364         [[ProxyTarget]] itself [1]. Aligns JSC with the spec [2], V8, and SpiderMonkey.
1365
1366         [1]: https://tc39.es/ecma262/#sec-proxycreate (step 7.b)
1367         [2]: https://tc39.es/ecma262/#constructor
1368
1369         * runtime/SymbolConstructor.cpp:
1370         (JSC::SymbolConstructor::SymbolConstructor):
1371         (JSC::constructSymbol):
1372
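Added example (not WebKit code): how the [[Construct]] on Symbol that this entry adds is observable even though it only ever throws. A Proxy only gets its own [[Construct]] when its target has one (ProxyCreate step 7.b, as cited above), so a `construct` trap is reached for Symbol but not for a plain non-constructor. Function names are this example's own.

```javascript
// Added example, not WebKit code: observing Symbol's [[Construct]] through a
// Proxy, as described in the entry above. Function names are this example's own.

// A Proxy has a [[Construct]] internal method only if its target has one.
// With a `construct` trap installed, `new proxy()` therefore reaches the trap
// for a constructor target and throws before the trap for a non-constructor.
function proxyConstructTrapReachable(target) {
  let trapRan = false;
  const proxy = new Proxy(target, {
    construct() {
      trapRan = true;
      return {};                 // the trap never consults the target
    },
  });
  try {
    new proxy();
  } catch (e) {
    // Only reached when the target, and so the proxy, has no [[Construct]].
  }
  return trapRan;
}

// Symbol itself must still refuse `new`: its [[Construct]] always throws.
function newSymbolThrowsTypeError() {
  try {
    new Symbol();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

Usage: proxyConstructTrapReachable(Symbol) is true, exactly as for Map, while an arrow function or Math.max (neither has [[Construct]]) gives false; newSymbolThrowsTypeError() stays true, since the added [[Construct]] unconditionally throws.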
1373 2020-04-26  Alexey Shvayka  <shvaikalesh@gmail.com>
1374
1375         InternalFunction::createSubclassStructure should use newTarget's globalObject
1376         https://bugs.webkit.org/show_bug.cgi?id=202599
1377
1378         Reviewed by Yusuke Suzuki.
1379
1380         If "prototype" of NewTarget is not an object, built-in constructors [1] should acquire the
1381         default [[Prototype]] from the realm of NewTarget, utilizing the GetFunctionRealm helper [2].
1382         Before this change, the realm of the active constructor was used instead. This patch introduces
1383         GetFunctionRealm and aligns all subclassable constructors with the spec, V8, and SpiderMonkey.
1384
1385         This change inlines fast paths checks of InternalFunction::createSubclassStructure() and
1386         simplifies its signature; getFunctionRealm() is invoked in slow paths only.
1387
1388         While a dynamically created function uses NewTarget's realm for its default [[Prototype]]
1389         similar to other built-ins, its "prototype" object inherits from the ObjectPrototype
1390         of the active constructor's realm [3] (just like its scope), making it retain references
1391         to 2 different global objects. To accommodate this behavior, this change introduces
1392         `scopeGlobalObject` in JSFunction.cpp methods.
1393
1394         Above-mentioned behavior also simplifies creation of JSGenerator and JSAsyncGenerator
1395         instances since NewTarget's realm is irrelevant to them.
1396
1397         IntlCollatorConstructor::collatorStructure() and 6 similar methods are removed:
1398         a) to impose good practice of using newTarget's globalObject;
1399         b) with this change, each of them has 1 call site max;
1400         c) other JSC constructors have no methods alike.
1401
1402         [1]: https://tc39.es/ecma262/#sec-map-constructor (step 2)
1403         [2]: https://tc39.es/ecma262/#sec-getfunctionrealm
1404         [3]: https://tc39.es/ecma262/#sec-createdynamicfunction (steps 23-25)
1405
1406         * dfg/DFGOperations.cpp:
1407         * runtime/AggregateErrorConstructor.cpp:
1408         (JSC::callAggregateErrorConstructor):
1409         (JSC::constructAggregateErrorConstructor):
1410         * runtime/AggregateErrorConstructor.h:
1411         * runtime/AsyncFunctionConstructor.cpp:
1412         (JSC::constructAsyncFunctionConstructor):
1413         * runtime/AsyncGeneratorFunctionConstructor.cpp:
1414         (JSC::constructAsyncGeneratorFunctionConstructor):
1415         * runtime/BooleanConstructor.cpp:
1416         (JSC::constructWithBooleanConstructor):
1417         * runtime/CommonSlowPaths.cpp:
1418         (JSC::SLOW_PATH_DECL):
1419         (JSC::createInternalFieldObject):
1420         * runtime/DateConstructor.cpp:
1421         (JSC::constructDate):
1422         * runtime/ErrorConstructor.cpp:
1423         (JSC::constructErrorConstructor):
1424         * runtime/FunctionConstructor.cpp:
1425         (JSC::constructFunctionSkippingEvalEnabledCheck):
1426         * runtime/InternalFunction.cpp:
1427         (JSC::InternalFunction::createSubclassStructure):
1428         (JSC::getFunctionRealm):
1429         (JSC::InternalFunction::createSubclassStructureSlow): Deleted.
1430         * runtime/InternalFunction.h:
1431         (JSC::InternalFunction::createSubclassStructure): Deleted.
1432         * runtime/IntlCollatorConstructor.cpp:
1433         (JSC::constructIntlCollator):
1434         (JSC::callIntlCollator):
1435         * runtime/IntlCollatorConstructor.h:
1436         * runtime/IntlDateTimeFormatConstructor.cpp:
1437         (JSC::constructIntlDateTimeFormat):
1438         (JSC::callIntlDateTimeFormat):
1439         * runtime/IntlDateTimeFormatConstructor.h:
1440         * runtime/IntlNumberFormatConstructor.cpp:
1441         (JSC::constructIntlNumberFormat):
1442         (JSC::callIntlNumberFormat):
1443         * runtime/IntlNumberFormatConstructor.h:
1444         * runtime/IntlPluralRulesConstructor.cpp:
1445         (JSC::constructIntlPluralRules):
1446         * runtime/IntlPluralRulesConstructor.h:
1447         * runtime/IntlRelativeTimeFormatConstructor.cpp:
1448         (JSC::constructIntlRelativeTimeFormat):
1449         * runtime/IntlRelativeTimeFormatConstructor.h:
1450         * runtime/JSArrayBufferConstructor.cpp:
1451         (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
1452         * runtime/JSFunction.cpp:
1453         (JSC::JSFunction::prototypeForConstruction):
1454         (JSC::JSFunction::getOwnPropertySlot):
1455         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1456         (JSC::constructGenericTypedArrayView):
1457         * runtime/JSGlobalObjectInlines.h:
1458         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
1459         * runtime/MapConstructor.cpp:
1460         (JSC::constructMap):
1461         * runtime/NativeErrorConstructor.cpp:
1462         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
1463         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
1464         * runtime/NativeErrorConstructor.h:
1465         * runtime/NumberConstructor.cpp:
1466         (JSC::constructNumberConstructor):
1467         * runtime/ObjectConstructor.cpp:
1468         (JSC::constructObjectWithNewTarget):
1469         * runtime/RegExpConstructor.cpp:
1470         (JSC::getRegExpStructure):
1471         (JSC::constructRegExp):
1472         (JSC::esSpecRegExpCreate):
1473         * runtime/RegExpConstructor.h:
1474         * runtime/SetConstructor.cpp:
1475         (JSC::constructSet):
1476         * runtime/StringConstructor.cpp:
1477         (JSC::constructWithStringConstructor):
1478         * runtime/WeakMapConstructor.cpp:
1479         (JSC::constructWeakMap):
1480         * runtime/WeakObjectRefConstructor.cpp:
1481         (JSC::constructWeakRef):
1482         * runtime/WeakSetConstructor.cpp:
1483         (JSC::constructWeakSet):
1484         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1485         (JSC::constructJSWebAssemblyCompileError):
1486         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1487         (JSC::constructJSWebAssemblyInstance):
1488         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1489         (JSC::constructJSWebAssemblyLinkError):
1490         * wasm/js/WebAssemblyModuleConstructor.cpp:
1491         (JSC::WebAssemblyModuleConstructor::createModule):
1492         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1493         (JSC::constructJSWebAssemblyRuntimeError):
1494
1495 2020-04-26  Yusuke Suzuki  <ysuzuki@apple.com>
1496
1497         [JSC] ValueAdd, ValueSub, ValueMul, Inc, Dec should say SpecBigInt32 prediction based on ArithProfile
1498         https://bugs.webkit.org/show_bug.cgi?id=211038
1499
1500         Reviewed by Filip Pizlo.
1501
1502         This patch adds profile feedback to ValueAdd, ValueSub, ValueMul, Inc, Dec to say SpecBigInt32 prediction.
1503
1504         Our HeapBigInt vs. BigInt32 strategy is simpler than Double vs. Int32 strategy: we always
1505         prefer BigInt32 over HeapBigInt. This is because HeapBigInt calculation and conversion require
1506         much higher cost than BigInt32. This tradeoff is largely different from Double vs. Int32.
1507         So keeping HeapBigInt is simply inefficient when we can use BigInt32.
1508
1509         This means that ArithProfile's feedback is also very simple. If we see HeapBigInt, this means
1510         overflow happens. In DFG, we propagate this information to ValueAdd, ValueSub, and ValueMul nodes
1511         and record it in DFGNodeFlags. And based on this information, we change the prediction and
1512         speculation in prediction propagation and fixup phase.
1513
1514         We change exit reason from Overflow to BigInt32Overflow since Overflow is solely used for Int32 case,
1515         and we have Int52Overflow for Int52 case. We should have BigInt32Overflow for BigInt32 to precisely
1516         record and tell about what happens in DFG as a feedback for the next compilation.
1517
1518         We add BigInt32 speculation for ValueSub. Previously, we missed that in fixup phase and we always
1519         speculate ValueSub with AnyBigIntUse or HeapBigIntUse. Now it can use BigInt32Use.
1520
1521         We also fix Inc / Dec's fixup phase to use BigInt path. Previously, it was always using UntypedUse since
1522         `node->child1()->shouldSpeculateUntypedForArithmetic()` returns true for BigInt. We fix the ordering of
1523         speculation attempts as it is done in the other places in fixup phase.
1524
1525         This patch offers 7.9% performance improvement in sunspider-sha1-big-int.
1526
1527                                                ToT                     Patched
1528
1529             sunspider-sha1-big-int      134.5668+-2.8695     ^    124.6743+-0.7541        ^ definitely 1.0793x faster
1530
1531         * bytecode/ExitKind.cpp:
1532         (JSC::exitKindToString):
1533         * bytecode/ExitKind.h:
1534         * bytecode/SpeculatedType.h:
1535         * dfg/DFGAbstractInterpreterInlines.h:
1536         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1537         * dfg/DFGByteCodeParser.cpp:
1538         (JSC::DFG::ByteCodeParser::makeSafe):
1539         (JSC::DFG::ByteCodeParser::makeDivSafe):
1540         * dfg/DFGFixupPhase.cpp:
1541         (JSC::DFG::FixupPhase::fixupNode):
1542         * dfg/DFGGraph.h:
1543         (JSC::DFG::Graph::binaryArithShouldSpeculateBigInt32):
1544         (JSC::DFG::Graph::unaryArithShouldSpeculateBigInt32):
1545         * dfg/DFGNode.h:
1546         (JSC::DFG::Node::mayHaveBigInt32Result):
1547         (JSC::DFG::Node::mayHaveHeapBigIntResult):
1548         (JSC::DFG::Node::mayHaveBigIntResult):
1549         (JSC::DFG::Node::canSpeculateBigInt32):
1550         (JSC::DFG::Node::canSpeculateInt52):
1551         * dfg/DFGNodeFlags.cpp:
1552         (JSC::DFG::dumpNodeFlags):
1553         * dfg/DFGNodeFlags.h:
1554         (JSC::DFG::nodeMayHaveHeapBigInt):
1555         (JSC::DFG::nodeCanSpeculateBigInt32):
1556         * dfg/DFGPredictionPropagationPhase.cpp:
1557         * dfg/DFGSpeculativeJIT.cpp:
1558         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1559         (JSC::DFG::SpeculativeJIT::compileValueSub):
1560         (JSC::DFG::SpeculativeJIT::compileValueMul):
1561         (JSC::DFG::SpeculativeJIT::compileValueDiv):
1562         (JSC::DFG::SpeculativeJIT::speculateHeapBigInt):
1563         * ftl/FTLLowerDFGToB3.cpp:
1564         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
1565         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
1566         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
1567         (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv):
1568
1569 2020-04-25  Ross Kirsling  <ross.kirsling@sony.com>
1570
1571         [JSC] isCallable is redundant with isFunction
1572         https://bugs.webkit.org/show_bug.cgi?id=211037
1573
1574         Reviewed by Yusuke Suzuki.
1575
1576         isCallable is only being used in two places and has the same definition as isFunction (aside from out params).
1577         Where CallData is needed, getCallData should be used; where CallData is not needed, isFunction should be used.
1578
1579         * runtime/JSCJSValue.h:
1580         * runtime/JSCJSValueInlines.h:
1581         (JSC::JSValue::isCallable const): Deleted.
1582         * runtime/JSCell.h:
1583         * runtime/JSCellInlines.h:
1584         (JSC::JSCell::isCallable): Deleted.
1585         Remove isCallable.
1586
1587         * runtime/JSONObject.cpp:
1588         (JSC::Stringifier::Stringifier):
1589         (JSC::Stringifier::toJSON):
1590         Use getCallData if you need CallData.
1591
1592         * runtime/ExceptionHelpers.cpp:
1593         (JSC::errorDescriptionForValue):
1594         * runtime/ObjectConstructor.cpp:
1595         (JSC::toPropertyDescriptor):
1596         * runtime/ObjectPrototype.cpp:
1597         (JSC::objectProtoFuncDefineGetter):
1598         (JSC::objectProtoFuncDefineSetter):
1599         Don't use getCallData if you don't need CallData. 
1600
1601 2020-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
1602
1603         [JSC] Handle BigInt32 INT32_MIN shift amount
1604         https://bugs.webkit.org/show_bug.cgi?id=211030
1605
1606         Reviewed by Darin Adler.
1607
1608         Our BigInt shift-operation does not correctly handle INT32_MIN shift amount, producing a wrong result.
1609         This patch fixes it.
1610
1611         * runtime/Operations.h:
1612         (JSC::shift):
1613
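The overflow class behind the INT32_MIN bug above, shown in JavaScript. This is an added example for this page, not JSC's Operations.h code: shiftLeftNaive models a fast path that turns a negative shift count into a right shift by negating it in fixed-width integer arithmetic (BigInt.asIntN stands in for C++ int32 wrap-around), shiftLeftSafe negates without a width limit, and engineShiftLeft is the engine's own BigInt operator for comparison. All function names are this example's own.

```javascript
const INT32_MIN = -(2 ** 31);

// Two's-complement negation at a given bit width, the way C++ fixed-width integer
// arithmetic behaves in practice: negating the minimum value wraps around to itself.
function negateWrapping(bits, n) {
  return BigInt.asIntN(bits, -BigInt(n));
}

// Buggy fast path: rewrites "x << n" with negative n as "x >> -n", but computes -n at a
// fixed width. For n === minimum value of that width the count stays negative, so the
// intended right shift by 2^(bits-1) silently becomes a left shift by 2^(bits-1).
function shiftLeftNaive(x, n, bits = 32) {
  if (n >= 0) return x << BigInt(n);
  return x >> negateWrapping(bits, n);
}

// Fixed version: compute the magnitude without a fixed-width negation.
// -BigInt(INT32_MIN) is 2147483648n, which cannot overflow.
function shiftLeftSafe(x, n) {
  if (n >= 0) return x << BigInt(n);
  return x >> -BigInt(n);
}

// Reference: the engine's own BigInt shift for the same count.
function engineShiftLeft(x, n) {
  return x << BigInt(n);
}

// What the naive path does at the real INT32_MIN: it asks for a left shift by 2^31 bits.
// Engines cap BigInt size, so V8 (Node) reports this as a RangeError rather than a value.
function naiveAtInt32MinOutcome() {
  try {
    return { value: shiftLeftNaive(1n, INT32_MIN), error: null };
  } catch (e) {
    return { value: null, error: e.constructor.name };
  }
}
```

The 8-bit width makes the wrong answer visible as a number: shiftLeftNaive(1n, -128, 8) yields 2^128 where a right shift by 128 should yield 0n. At 32 bits the same mistake asks for a 2^31-bit result, which is why the original bug surfaced as a wrong result rather than a crash only when the operand was small enough to fit.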
1614 2020-04-25  Darin Adler  <darin@apple.com>
1615
1616         [Cocoa] Deal with another round of Xcode upgrade checks
1617         https://bugs.webkit.org/show_bug.cgi?id=211027
1618
1619         Reviewed by Alexey Proskuryakov.
1620
1621         * JavaScriptCore.xcodeproj/project.pbxproj: Bump the upgrade check version.
1622         Add a harmless base localization; this project contains nothing localized.
1623
1624 2020-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
1625
1626         [JSC] Add fast path for BigInt32 left-shift
1627         https://bugs.webkit.org/show_bug.cgi?id=211029
1628
1629         Reviewed by Saam Barati.
1630
1631         Currently, the left-shift operation misses the fast path for BigInt32 <> BigInt32 case. This patch adds it. We also fix
1632         prediction-propagation for left/right shift to use existing heap prediction instead of polluting the result with SpecBigInt.
1633         This offers 4.5% improvement in microbenchmarks/sunspider-sha1-big-int.js.
1634
1635         * dfg/DFGPredictionPropagationPhase.cpp:
1636         * runtime/Operations.h:
1637         (JSC::shift):
1638
1639 2020-04-25  Ross Kirsling  <ross.kirsling@sony.com>
1640
1641         Unreviewed fix for JSC Debug tests following r210853.
1642
1643         * runtime/IntlObject.cpp:
1644         (JSC::canonicalizeLanguageTag):
1645         (JSC::canonicalizeLocaleList):
1646         (JSC::defaultLocale):
1647         Deal with unchecked exception by moving tryGetUtf8 call out of canonicalizeLanguageTag; it's meant to
1648         verify the user input from canonicalizeLocaleList and needn't change the noexcept-ness of defaultLocale.
1649
1650 2020-04-25  Alex Christensen  <achristensen@webkit.org>
1651
1652         Prepare to remove automatic URL->String conversion operators
1653         https://bugs.webkit.org/show_bug.cgi?id=211007
1654
1655         Reviewed by Darin Adler.
1656
1657         * API/JSAPIGlobalObject.mm:
1658         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
1659         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1660         * API/JSScript.mm:
1661         (validateBytecodeCachePath):
1662         (+[JSScript scriptOfType:memoryMappedFromASCIIFile:withSourceURL:andBytecodeCache:inVirtualMachine:error:]):
1663         * inspector/ScriptDebugServer.cpp:
1664         (Inspector::ScriptDebugServer::sourceParsed):
1665         * parser/Nodes.h:
1666         (JSC::ScopeNode::sourceURL const):
1667         * runtime/CachedTypes.cpp:
1668         (JSC::CachedSourceProviderShape::encode):
1669         * runtime/Error.cpp:
1670         (JSC::addErrorInfo):
1671         * runtime/ScriptExecutable.h:
1672         (JSC::ScriptExecutable::sourceURL const):
1673
1674 2020-04-25  Ross Kirsling  <ross.kirsling@sony.com>
1675
1676         [Intl] Locale validation/canonicalization should defer to ICU
1677         https://bugs.webkit.org/show_bug.cgi?id=210853
1678
1679         Reviewed by Darin Adler.
1680
1681         The mappings for locale canonicalization in latest CLDR are sufficiently complex
1682         that it really no longer makes sense not to have ICU do this work for us.
1683
1684         This means the UTS 35 canonicalization desired by ECMA-402 will not be fully achievable until ICU ~67,
1685         but it's better than reaching right into CLDR and pretending that we *are* ICU.
1686         (On this point, we thus align with V8 and diverge from SM.)
1687
1688         Of course, we can still add our own pre-validations / post-canonicalizations if desired.
1689
1690         * CMakeLists.txt:
1691         * DerivedSources-input.xcfilelist:
1692         * DerivedSources-output.xcfilelist:
1693         * DerivedSources.make:
1694         * JavaScriptCore.xcodeproj/project.pbxproj:
1695         * Scripts/generateIntlCanonicalizeLanguage.py: Removed.
1696         * runtime/IntlObject.cpp:
1697         (JSC::intlAvailableLocales):
1698         (JSC::intlCollatorAvailableLocales):
1699         (JSC::canonicalizeLanguageTag):
1700         (JSC::canonicalizeLocaleList):
1701         (JSC::defaultLocale):
1702         (JSC::removeUnicodeLocaleExtension):
1703         (JSC::addMissingScriptLocales): Deleted. This one was ostensibly a fix for an old ICU bug.
1704         (JSC::privateUseLangTag): Deleted.
1705         (JSC::preferredLanguage): Deleted.
1706         (JSC::preferredRegion): Deleted.
1707         (JSC::canonicalLangTag): Deleted.
1708         * ucd/language-subtag-registry.txt: Removed.
1709
1710 2020-04-24  Yusuke Suzuki  <ysuzuki@apple.com>
1711
1712         Fix internal build by using strcmp instead of using string literal comparison
1713         https://bugs.webkit.org/show_bug.cgi?id=211011
1714
1715         Reviewed by Keith Miller.
1716
1717         Use strcmp for string literal comparison to expect that this is fully handled by the compiler and converted into a constant at compile time.
1718
1719         * runtime/JSGlobalObject.cpp:
1720         (JSC::JSGlobalObject::init):
1721
1722 2020-04-24  Mark Lam  <mark.lam@apple.com>
1723
1724         Suppress ASan on DFG::clobberize() to work around an ASan bug.
1725         https://bugs.webkit.org/show_bug.cgi?id=211012
1726         <rdar://problem/62275430>
1727
1728         Reviewed by Yusuke Suzuki.
1729
1730         ASan was incorrectly thinking that we're accessing invalid stack memory when we're not.
1731
1732         * dfg/DFGClobberize.h:
1733         (JSC::DFG::clobberize):
1734
1735 2020-04-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1736
1737         Fix WASM Error classes and re-sync wpt/wasm/jsapi from upstream
1738         https://bugs.webkit.org/show_bug.cgi?id=210980
1739
1740         Reviewed by Keith Miller.
1741
1742         assert_throws_js() harness, which is extensively used by wpt/wasm/jsapi tests,
1743         was recently updated to assert that passed constructors subclass Error in
1744         spec-perfect way.
1745
1746         With this patch, WebAssembly errors have Error as [[Prototype]] of their constructors
1747         and define correct "name" and "message" properties on their prototypes, aligning JSC
1748         with the spec [1], V8 and SpiderMonkey.
1749
1750         [1]: https://webassembly.github.io/spec/js-api/#error-objects
1751
1752         * runtime/JSGlobalObject.cpp:
1753         (JSC::JSGlobalObject::init):
1754         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
1755         (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
1756         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
1757         (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
1758         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
1759         (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
1760
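A JavaScript check for the error-class shape the entry above fixes, in the spirit of the wpt assert_throws_js() harness it mentions. This is an added example for this page, not WebKit or wpt code: checkNativeErrorShape, isSpecShaped and compileErrorFromBadModule are this example's own names, and the invalid module bytes are constructed here (a valid "\0asm" magic followed by a bogus version field).

```javascript
// The properties ECMA-262 gives every NativeError constructor, which the WebAssembly
// JS API requires CompileError, LinkError and RuntimeError to share.
function checkNativeErrorShape(C, expectedName) {
  const proto = C.prototype;
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const instance = new C('x');
  return {
    // The constructor itself inherits from Error (Object.getPrototypeOf(TypeError) === Error).
    ctorInheritsFromError: Object.getPrototypeOf(C) === Error,
    // Its prototype inherits from Error.prototype.
    protoInheritsFromErrorPrototype: Object.getPrototypeOf(proto) === Error.prototype,
    // "name" is an own data property of the prototype, not inherited from Error.prototype.
    ownName: hasOwn(proto, 'name') && proto.name === expectedName,
    // "message" is an own property of the prototype with the empty string as value.
    ownEmptyMessage: hasOwn(proto, 'message') && proto.message === '',
    // Instances sit on the expected chain and are reported as Errors.
    instanceChain: instance instanceof Error && Object.getPrototypeOf(instance) === proto,
    instanceMessage: instance.message === 'x',
  };
}

function isSpecShaped(C, expectedName) {
  return Object.values(checkNativeErrorShape(C, expectedName)).every(Boolean);
}

// Provoke a real CompileError from the engine with a constructed, invalid module:
// correct magic "\0asm" but version 13 instead of 1.
function compileErrorFromBadModule() {
  const bad = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x0d, 0x00, 0x00, 0x00]);
  try {
    new WebAssembly.Module(bad);
  } catch (e) {
    return e;
  }
  return null;
}
```

checkNativeErrorShape returns one flag per requirement so a failing engine shows which part of the shape is off; isSpecShaped collapses them for a yes/no answer, and running it against TypeError first confirms the check itself matches the built-in NativeError layout.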
1761 2020-04-24  Saam Barati  <sbarati@apple.com>
1762
1763         Return BigInt32 whenever we can
1764         https://bugs.webkit.org/show_bug.cgi?id=210922
1765
1766         Reviewed by Yusuke Suzuki.
1767
1768         This patch makes it so our runtime functions for big int math on heap
1769         big ints converts the result to a big int 32 when possible.
1770         
1771         The inspiration for this patch came from converting SunSpider's sha1 benchmark to
1772         using big ints. I found that that original implementation of big int 32
1773         was a ~35% slowdown here. This patch speeds it up by 86% from ToT, and
1774         36% faster than before big int 32 was introduced.
1775         
1776         To make this sound in the DFG/FTL, we are currently reporting that all
1777         HeapBigInt math ops return SpecBigInt, instead of SpecHeapBigInt.
1778         However, we want to do better in a follow up. We need some kind of profiling
1779         system where we determine if we should speculate if the result is big int
1780         32, a heap big int, or both:
1781         https://bugs.webkit.org/show_bug.cgi?id=210982
1782
1783         * dfg/DFGAbstractInterpreterInlines.h:
1784         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1785         * dfg/DFGFixupPhase.cpp:
1786         (JSC::DFG::FixupPhase::fixupNode):
1787         * dfg/DFGOperations.cpp:
1788         * dfg/DFGOperations.h:
1789         * dfg/DFGSpeculativeJIT.cpp:
1790         (JSC::DFG::SpeculativeJIT::compileValueBitNot):
1791         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
1792         (JSC::DFG::SpeculativeJIT::compileValueLShiftOp):
1793         (JSC::DFG::SpeculativeJIT::compileValueBitRShift):
1794         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1795         (JSC::DFG::SpeculativeJIT::compileValueSub):
1796         (JSC::DFG::SpeculativeJIT::compileValueMul):
1797         (JSC::DFG::SpeculativeJIT::compileValueDiv):
1798         (JSC::DFG::SpeculativeJIT::compileValueMod):
1799         (JSC::DFG::SpeculativeJIT::compileValuePow):
1800         * jit/JITOperations.cpp:
1801         * jsc.cpp:
1802         (functionCreateBigInt32):
1803         * runtime/BigIntConstructor.cpp:
1804         (JSC::toBigInt):
1805         (JSC::callBigIntConstructor):
1806         * runtime/CommonSlowPaths.cpp:
1807         (JSC::SLOW_PATH_DECL):
1808         * runtime/JSBigInt.cpp:
1809         (JSC::JSBigInt::exponentiateHeap):
1810         (JSC::JSBigInt::multiplyHeap):
1811         (JSC::JSBigInt::divideHeap):
1812         (JSC::JSBigInt::unaryMinusHeap):
1813         (JSC::JSBigInt::remainderHeap):
1814         (JSC::JSBigInt::incHeap):
1815         (JSC::JSBigInt::decHeap):
1816         (JSC::JSBigInt::addHeap):
1817         (JSC::JSBigInt::subHeap):
1818         (JSC::JSBigInt::bitwiseAndHeap):
1819         (JSC::JSBigInt::bitwiseOrHeap):
1820         (JSC::JSBigInt::bitwiseXorHeap):
1821         (JSC::JSBigInt::leftShiftHeap):
1822         (JSC::JSBigInt::signedRightShiftHeap):
1823         (JSC::JSBigInt::bitwiseNotHeap):
1824         (JSC::JSBigInt::absoluteAdd):
1825         (JSC::JSBigInt::absoluteSub):
1826         (JSC::JSBigInt::parseInt):
1827         (JSC::JSBigInt::exponentiate): Deleted.
1828         (JSC::JSBigInt::multiply): Deleted.
1829         (JSC::JSBigInt::divide): Deleted.
1830         (JSC::JSBigInt::unaryMinus): Deleted.
1831         (JSC::JSBigInt::remainder): Deleted.
1832         (JSC::JSBigInt::inc): Deleted.
1833         (JSC::JSBigInt::dec): Deleted.
1834         (JSC::JSBigInt::add): Deleted.
1835         (JSC::JSBigInt::sub): Deleted.
1836         (JSC::JSBigInt::bitwiseAnd): Deleted.
1837         (JSC::JSBigInt::bitwiseOr): Deleted.
1838         (JSC::JSBigInt::bitwiseXor): Deleted.
1839         (JSC::JSBigInt::leftShift): Deleted.
1840         (JSC::JSBigInt::signedRightShift): Deleted.
1841         (JSC::JSBigInt::bitwiseNot): Deleted.
1842         * runtime/JSBigInt.h:
1843         * runtime/JSCJSValue.h:
1844         (JSC::jsBigInt32):
1845         * runtime/JSCJSValueInlines.h:
1846         (JSC::JSValue::JSValue):
1847         * runtime/Operations.cpp:
1848         (JSC::jsAddSlowCase):
1849         * runtime/Operations.h:
1850         (JSC::jsSub):
1851         (JSC::jsMul):
1852         (JSC::jsDiv):
1853         (JSC::jsInc):
1854         (JSC::jsDec):
1855         (JSC::jsBitwiseNot):
1856         (JSC::shift):
1857         (JSC::bitwiseBinaryOp):
1858
1859 2020-04-24  Michael Catanzaro  <mcatanzaro@gnome.org>
1860
1861         [GTK][WPE][JSCOnly] compile error when -DWTF_CPU_ARM64_CORTEXA53=ON set for arm64
1862         https://bugs.webkit.org/show_bug.cgi?id=197192
1863
1864         Reviewed by Yusuke Suzuki.
1865
1866         This workaround is supposed to fix WebKit on old Cortex A53 CPUs, but it has been broken
1867         since 2018, and people would like to use WebKit on modern Cortex A53. If anyone using WebKit
1868         on the original hardware wants to fix and reimplement the workaround, feel free.
1869
1870         * assembler/ARM64Assembler.h:
1871         (JSC::ARM64Assembler::adrp):
1872         (JSC::ARM64Assembler::madd):
1873         (JSC::ARM64Assembler::msub):
1874         (JSC::ARM64Assembler::smaddl):
1875         (JSC::ARM64Assembler::smsubl):
1876         (JSC::ARM64Assembler::umaddl):
1877         (JSC::ARM64Assembler::umsubl):
1878         (JSC::ARM64Assembler::nopCortexA53Fix835769): Deleted.
1879         (JSC::ARM64Assembler::nopCortexA53Fix843419): Deleted.
1880         * offlineasm/arm64.rb:
1881         * offlineasm/instructions.rb:
1882
1883 2020-04-24  Yusuke Suzuki  <ysuzuki@apple.com>
1884
1885         [JSC] Fix DataFormatJSBigInt32 missing part
1886         https://bugs.webkit.org/show_bug.cgi?id=210986
1887
1888         Reviewed by Mark Lam.
1889
1890         Add missing part of DataFormatJSBigInt32 implementation.
1891
1892         * bytecode/DataFormat.h:
1893         (JSC::dataFormatToString):
1894         * dfg/DFGSpeculativeJIT.cpp:
1895         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
1896
1897 2020-04-24  Yusuke Suzuki  <ysuzuki@apple.com>
1898
1899         Unreviewed, build fix in Windows
1900         https://bugs.webkit.org/show_bug.cgi?id=210892
1901
1902         Windows MSVC does not have proper understanding of IGNORE_RETURN_TYPE_WARNINGS_BEGIN.
1903
1904         * runtime/JSBigInt.h:
1905         (JSC::invertBigIntCompareResult):
1906
1907 2020-04-24  Yusuke Suzuki  <ysuzuki@apple.com>
1908
1909         [JSC] DFG compare should speculate BigInt well
1910         https://bugs.webkit.org/show_bug.cgi?id=210892
1911
1912         Reviewed by Saam Barati.
1913
1914         Compare operations in DFG do not support BigInt related speculations. As a result, DFG fixup phase emits DoubleRep for operands, and
1915         causes OSR exit. This patch adds BigInt32, HeapBigInt, and AnyBigIntUse support to DFG compare operations to avoid OSR exits.
1916         We also introduce JSBigInt::compareToInt32 to avoid allocating JSBigInt only for comparison, and optimize C++ runtime for JSBigInt comparison.
1917
1918         * dfg/DFGAbstractInterpreterInlines.h:
1919         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1920         * dfg/DFGDoesGC.cpp:
1921         (JSC::DFG::doesGC):
1922         * dfg/DFGFixupPhase.cpp:
1923         (JSC::DFG::FixupPhase::fixupNode):
1924         * dfg/DFGSpeculativeJIT.cpp:
1925         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1926         (JSC::DFG::SpeculativeJIT::compileValueSub):
1927         (JSC::DFG::SpeculativeJIT::compileValueMul):
1928         (JSC::DFG::SpeculativeJIT::compare):
1929         (JSC::DFG::SpeculativeJIT::genericJSValueNonPeepholeCompare):
1930         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
1931         * dfg/DFGSpeculativeJIT.h:
1932         * dfg/DFGSpeculativeJIT64.cpp:
1933         (JSC::DFG::SpeculativeJIT::compileBigInt32Compare):
1934         * ftl/FTLLowerDFGToB3.cpp:
1935         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
1936         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
1937         (JSC::FTL::DFG::LowerDFGToB3::compare):
1938         (JSC::FTL::DFG::LowerDFGToB3::genericJSValueCompare):
1939         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare): Deleted.
1940         * jit/AssemblyHelpers.h:
1941         (JSC::AssemblyHelpers::unboxBigInt32):
1942         * runtime/JSBigInt.cpp:
1943         (JSC::JSBigInt::compareToInt32):
1944         * runtime/JSBigInt.h:
1945         (JSC::swapBigIntCompareResult):
1946         * runtime/Operations.h:
1947         (JSC::compareBigInt):
1948         (JSC::compareBigInt32ToOtherPrimitive):
1949         (JSC::bigIntCompare):
1950
1951 2020-04-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1952
1953         Proxy.revocable should not have [[Construct]] slot
1954         https://bugs.webkit.org/show_bug.cgi?id=210959
1955
1956         Reviewed by Darin Adler.
1957
1958         This change removes proxyRevocableConstructorThrowError() since its presence is
1959         observable when, for example, Proxy.revocable is a [[ProxyTarget]] itself [1].
1960         Also removes unnecessary newTarget() check in constructProxyObject() and
1961         2 extra ArgList instances.
1962
1963         This patch aligns JSC with the spec [2], V8 and SpiderMonkey.
1964
1965         [1]: https://tc39.es/ecma262/#sec-proxycreate (step 7.b)
1966         [2]: https://tc39.es/ecma262/#sec-ecmascript-standard-built-in-objects
1967
1968         * runtime/ProxyConstructor.cpp:
1969         (JSC::makeRevocableProxy):
1970         (JSC::ProxyConstructor::finishCreation):
1971         (JSC::constructProxyObject):
1972         (JSC::proxyRevocableConstructorThrowError): Deleted.
1973
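A JavaScript check for the [[Construct]] point in the entry above, including the observable case it cites (Proxy.revocable used as a [[ProxyTarget]]). This is an added example for this page, not WebKit code: probe, isConstructor, newThrowsTypeError and proxyRevocableReport are this example's own names. The IsConstructor probe relies only on Reflect.construct validating its third argument before anything is called.

```javascript
// Probe whose [[Construct]] is a proxy trap that never reads newTarget.prototype, so
// the only thing Reflect.construct exercises on `value` is its IsConstructor check.
const probe = new Proxy(function () {}, { construct() { return {}; } });

// IsConstructor(value) without calling value or touching any of its properties.
function isConstructor(value) {
  try {
    Reflect.construct(probe, [], value);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Does `new value(...args)` fail with a TypeError, as it must for call-only built-ins?
function newThrowsTypeError(value, ...args) {
  try {
    new value(...args);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

function proxyRevocableReport() {
  const target = {};
  const proxyOverRevocable = new Proxy(Proxy.revocable, {});
  return {
    // Proxy itself is a constructor; Proxy.revocable is an ordinary built-in function.
    proxyIsConstructor: isConstructor(Proxy),
    revocableIsConstructor: isConstructor(Proxy.revocable),
    revocableNewThrows: newThrowsTypeError(Proxy.revocable, target, {}),
    revocableCallWorks: typeof Proxy.revocable(target, {}).revoke === 'function',
    // ProxyCreate step 7.b: a proxy gets a [[Construct]] slot only if its target has one,
    // so a proxy wrapping Proxy.revocable must not be constructible either. This is the
    // case where a throwing construct stub on Proxy.revocable would have been observable.
    proxyOverRevocableIsConstructor: isConstructor(proxyOverRevocable),
    proxyOverRevocableNewThrows: newThrowsTypeError(proxyOverRevocable, target, {}),
  };
}
```

The probe trick is the reason the check is side-effect free: Reflect.construct rejects a non-constructor newTarget before it ever invokes the target, and because the target's construct trap returns a fresh object without consulting newTarget, a constructor passed as `value` is neither called nor has its "prototype" read.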
1974 2020-04-24  Yusuke Suzuki  <ysuzuki@apple.com>
1975
1976         [JSC] DFG AI for some bitops + BigInt32 should be precise
1977         https://bugs.webkit.org/show_bug.cgi?id=210956
1978
1979         Reviewed by Keith Miller.
1980
1981         Use SpecBigInt32 for ValueBitXor, ValueBitAnd, and ValueBitOr since they are always producing BigInt32 and they have inlined implementations in DFG / FTL.
1982
1983         * dfg/DFGAbstractInterpreterInlines.h:
1984         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1985
1986 2020-04-23  Alexey Shvayka  <shvaikalesh@gmail.com>
1987
1988         Remove revoked Proxy checks from ProxyCreate
1989         https://bugs.webkit.org/show_bug.cgi?id=210862
1990
1991         Reviewed by Ross Kirsling.
1992
1993         This change removes revoked Proxy checks from ProxyCreate [1], implementing
1994         https://github.com/tc39/ecma262/pull/1814 and aligning JSC with SpiderMonkey.
1995         Also cleans up ProxyObject creation by using isFunction() instead of
1996         isCallable(), which are identical.
1997
1998         [1]: https://tc39.es/ecma262/#sec-proxycreate (steps 2, 4)
1999
2000         * runtime/ProxyObject.cpp:
2001         (JSC::ProxyObject::structureForTarget):
2002         (JSC::ProxyObject::finishCreation):
2003
2004 2020-04-22  Keith Miller  <keith_miller@apple.com>
2005
2006         Fix OSR exiting/iterator object checks in for-of bytecodes
2007         https://bugs.webkit.org/show_bug.cgi?id=210882
2008
2009         Reviewed by Saam Barati.
2010
2011         This patch fixes some bugs in the DFGBytecodeParser where we would
2012         set the exit origin for the SetLocal following the iterator_open/next
2013         first call to the next bytecode. This meant that if out-of-line
2014         Symbol.iterator or next functions returned an unexpected non-cell
2015         we would OSR past the rest of the next bytecode rather than to the
2016         first checkpoint.
2017
2018         This patch also makes sure we properly throw for non-objects returned
2019         from either of the above functions in all tiers (and adds tests).
2020
2021         Finally, this patch makes a small optimization where we just ArithBitOr the
2022         iterator's closed state (index == -1) and index is out of bounds. We can't
2023         do a CompareBelow check because the index is effectively an int33_t.
2024
2025         * bytecode/BytecodeIndex.h:
2026         (JSC::BytecodeIndex::withCheckpoint const):
2027         * dfg/DFGByteCodeParser.cpp:
2028         (JSC::DFG::ByteCodeParser::nextOpcodeIndex const):
2029         (JSC::DFG::ByteCodeParser::nextCheckpoint const):
2030         (JSC::DFG::ByteCodeParser::progressToNextCheckpoint):
2031         (JSC::DFG::ByteCodeParser::handleCall):
2032         (JSC::DFG::ByteCodeParser::handleCallVariant):
2033         (JSC::DFG::ByteCodeParser::handleInlining):
2034         (JSC::DFG::ByteCodeParser::handleGetById):
2035         (JSC::DFG::ByteCodeParser::handlePutById):
2036         (JSC::DFG::ByteCodeParser::parseGetById):
2037         (JSC::DFG::ByteCodeParser::parseBlock):
2038         (JSC::DFG::ByteCodeParser::handlePutByVal):
2039         * jit/JITCall.cpp:
2040         (JSC::JIT::emitSlow_op_iterator_open):
2041         * llint/LLIntSlowPaths.cpp:
2042         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2043         (JSC::LLInt::handleIteratorNextCheckpoint):
2044
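The two object checks the entry above says must hold in every tier, written out as a manual for-of loop beside the native one. This is an added example for this page, not JSC code: iterateManually, iterateNatively, errorClassOf and the three constructed iterables are this example's own names.

```javascript
// Manual for-of: the spec's GetIterator and IteratorStep, with the two checks made explicit.
// The value @@iterator returns and every result next() returns must be objects; anything
// else is a TypeError before the loop body ever runs.
function iterateManually(iterable) {
  const method = iterable[Symbol.iterator];
  if (typeof method !== 'function') throw new TypeError('value is not iterable');
  const iterator = method.call(iterable);
  if (Object(iterator) !== iterator) throw new TypeError('@@iterator returned a non-object');
  const out = [];
  for (;;) {
    const result = iterator.next();
    if (Object(result) !== result) throw new TypeError('next() returned a non-object');
    if (result.done) return out;
    out.push(result.value);
  }
}

// Native for-of over the same input; the interpreter and every JIT tier must agree with
// the manual version, including on which inputs throw.
function iterateNatively(iterable) {
  const out = [];
  for (const v of iterable) out.push(v);
  return out;
}

// Constructed misbehaving iterables: a primitive where the iterator object should be, and
// a primitive where an iterator result object should be.
const iteratorIsPrimitive = { [Symbol.iterator]() { return 42; } };
const nextResultIsPrimitive = { [Symbol.iterator]() { return { next() { return 'done'; } }; } };

// Constructed well-behaved iterable yielding 0, 1, 2.
const wellBehaved = {
  [Symbol.iterator]() {
    let i = 0;
    return { next: () => (i < 3 ? { value: i++, done: false } : { value: undefined, done: true }) };
  },
};

// Which error class (if any) a thunk throws; null when it returns normally.
function errorClassOf(fn) {
  try {
    fn();
    return null;
  } catch (e) {
    return e.constructor;
  }
}
```

Feeding each constructed iterable to both loops is the quickest way to see that the rejections come from the iteration protocol itself, not from the loop body: the primitive iterator and the primitive next() result are each refused with a TypeError by both versions, while the well-behaved one yields the same three values in both.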
2045 2020-04-22  Darin Adler  <darin@apple.com>
2046
2047         [Cocoa] Build with UChar as char16_t even in builds that use Apple's internal SDK
2048         https://bugs.webkit.org/show_bug.cgi?id=210845
2049
2050         Reviewed by Anders Carlsson.
2051
2052         * Configurations/Base.xcconfig: Move ICU-configuring macros to Platform.h.
2053
2054 2020-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
2055
2056         [JSC] branchIfBigInt32 can use BigInt32Mask and remove branchIfNumber filter
2057         https://bugs.webkit.org/show_bug.cgi?id=210870
2058
2059         Reviewed by Saam Barati.
2060
2061         By using BigInt32Mask, we can detect BigInt32 without filtering Numbers. In this patch,
2062
2063         1. Remove branchIfBigInt32KnownNotNumber and branchIfNotBigInt32KnownNotNumber. And always use branchBigInt32 and branchNotBigInt32 instead.
2064         2. Remove branchIfNumber type filtering in DFG.
2065         3. Use BigInt32Mask based scheme in FTL.
2066         4. Add and64(TrustedImm64, RegisterID) implementations in MacroAssembler.
2067         5. Add TagRegistersMode version in branchIfBigInt. We use numberTagRegister to produce really efficient code[1] by avoiding large constant materialization.
2068
2069         [1]: From
2070                 mov %rax, %rdx
2071                 mov $0xfffe000000000012, %r11
2072                 and %r11, %rdx
2073                 cmp $0x12, %rdx
2074              To
2075                 lea 0x12(%r14), %rdx
2076                 and %rax, %rdx
2077                 cmp $0x12, %rdx
2078
2079         * assembler/MacroAssemblerARM64.h:
2080         (JSC::MacroAssemblerARM64::and64):
2081         * assembler/MacroAssemblerX86_64.h:
2082         (JSC::MacroAssemblerX86_64::and64):
2083         * bytecode/ArithProfile.cpp:
2084         (JSC::ArithProfile<BitfieldType>::emitObserveResult):
2085         * dfg/DFGSpeculativeJIT64.cpp:
2086         (JSC::DFG::SpeculativeJIT::fillSpeculateBigInt32):
2087         * ftl/FTLLowerDFGToB3.cpp:
2088         (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric):
2089         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2090         (JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt):
2091         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2092         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
2093         (JSC::FTL::DFG::LowerDFGToB3::lowBigInt32):
2094         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32):
2095         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32):
2096         (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt):
2097         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32):
2098         (JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt):
2099         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotCell): Deleted.
2100         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotNumber): Deleted.
2101         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32KnownNotNumber): Deleted.
2102         (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigIntKnownNotNumber): Deleted.
2103         * jit/AssemblyHelpers.cpp:
2104         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
2105         (JSC::AssemblyHelpers::branchIfValue):
2106         * jit/AssemblyHelpers.h:
2107         (JSC::AssemblyHelpers::branchIfBigInt32):
2108         (JSC::AssemblyHelpers::branchIfNotBigInt32):
2109         (JSC::AssemblyHelpers::emitTypeOf):
2110         (JSC::AssemblyHelpers::branchIfBigInt32KnownNotNumber): Deleted.
2111         (JSC::AssemblyHelpers::branchIfNotBigInt32KnownNotNumber): Deleted.
2112
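As an added illustration of the BigInt32Mask scheme described in the entry above: this is example code written for this page, not JavaScriptCore's own, and it models the 64-bit JSValue encoding with BigInt so the mask arithmetic is exact. Only the 0x12 tag, the 0xfffe000000000012 mask and the fact that numberTagRegister (%r14) holds the number tag come from the listing; the bit layouts assumed for int32, double, cell and BigInt32 values are taken from JSC's JSCJSValue.h layout comment and are stated as assumptions in the code.

```javascript
// Added example, not JavaScriptCore code: a BigInt model of JSC's 64-bit
// JSValue tagging, so the mask arithmetic in the ChangeLog entry can be
// checked exactly. The encodings below are assumptions taken from the
// JSCJSValue.h layout diagram, not values read from this page.
const MASK64 = (1n << 64n) - 1n;
const NUMBER_TAG = 0xfffe000000000000n;          // held in numberTagRegister (%r14)
const DOUBLE_ENCODE_OFFSET = 1n << 49n;          // assumption: 0x0002000000000000
const BIGINT32_TAG = 0x12n;                      // the `cmp $0x12` in the listing
const BIGINT32_MASK = NUMBER_TAG | BIGINT32_TAG; // 0xfffe000000000012 in the listing

const u32 = (i) => BigInt(i >>> 0);

// int32 i      -> FFFE:0000:IIII:IIII
function encodeInt32(i) { return NUMBER_TAG | u32(i); }
// double d     -> raw IEEE bits + DoubleEncodeOffset; top 16 bits are never zero
function encodeDouble(d) {
  const bits = new BigUint64Array(new Float64Array([d]).buffer)[0];
  return (bits + DOUBLE_ENCODE_OFFSET) & MASK64;
}
// BigInt32 i   -> 0000:IIII:IIII:0012 (assumption: payload lives in bits 16..47)
function encodeBigInt32(i) { return (u32(i) << 16n) | BIGINT32_TAG; }
function decodeBigInt32(v) { return Number(BigInt.asIntN(32, v >> 16n)); }
// cell pointer -> 16-byte aligned address, so bit 1 (part of 0x12) is always clear
function encodeCell(addr) { return BigInt(addr) & ~0xfn & MASK64; }

// The check the patch emits everywhere: one AND against BigInt32Mask and no
// branchIfNumber beforehand. Numbers fail because their NumberTag bits survive
// the mask; cells and the other immediates fail because bit 1 is clear.
function isBigInt32(v) { return (v & BIGINT32_MASK) === BIGINT32_TAG; }

// Illustrative low-bits-only check (written for this example, not JSC's code)
// showing why a number filter would otherwise be needed: it wrongly accepts
// int32 18 (FFFE:0000:0000:0012) and any double whose encoded low 16 bits are
// 0x0012.
function isBigInt32LowBitsOnly(v) { return (v & 0xffffn) === BIGINT32_TAG; }

// The `lea 0x12(%r14), %rdx` trick: NumberTag and BigInt32Tag share no bits, so
// a single add from the tag register yields the full mask without materializing
// a 64-bit constant.
function maskFromNumberTagRegister() { return (NUMBER_TAG + BIGINT32_TAG) & MASK64; }

// Run both checks over a constructed set of encoded values.
function compareChecks() {
  // A double whose raw bit pattern ends in 0x0012 (just above 1.0).
  const doubleWithLowBits12 =
    new Float64Array(new BigUint64Array([0x3ff0000000000012n]).buffer)[0];
  const samples = {
    bigint32_5: encodeBigInt32(5),
    bigint32_neg5: encodeBigInt32(-5),
    int32_18: encodeInt32(18),
    int32_neg1: encodeInt32(-1),
    double_1_5: encodeDouble(1.5),
    double_low12: encodeDouble(doubleWithLowBits12),
    cell: encodeCell(0x7f0000001230),   // constructed, arbitrary aligned address
    undefined_: 0x0an,                  // assumption: ValueUndefined
    true_: 0x07n,                       // assumption: ValueTrue
  };
  const out = {};
  for (const [name, v] of Object.entries(samples)) {
    out[name] = { masked: isBigInt32(v), lowBitsOnly: isBigInt32LowBitsOnly(v) };
  }
  return out;
}
```

`compareChecks()` reports the masked check accepting exactly the two BigInt32 samples, while the low-bits-only check also accepts the int32 18 and the double with a 0x0012 tail, which is the false positive the number filter used to guard against.
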
2113 2020-04-22  Saam Barati  <sbarati@apple.com>
2114
2115         BigInt32 parsing should be precise
2116         https://bugs.webkit.org/show_bug.cgi?id=210869
2117
2118         Reviewed by Robin Morisset.
2119
2120         Our algorithm before was conservative, and might produce a heap big int even
2121         if the value could be an int32. This patch makes the algorithm precise on
2122         64-bit, always producing a bigint32 if the number is indeed an int32.
2123
2124         * jsc.cpp:
2125         (functionUseBigInt32):
2126         (functionIsBigInt32):
2127         (functionIsHeapBigInt):
2128         * runtime/JSBigInt.cpp:
2129         (JSC::JSBigInt::parseInt):
2130
2131 2020-04-22  Saam Barati  <sbarati@apple.com>
2132
2133         Edge use kind asserts are wrong for BigInt32 on ValueBitLShift
2134         https://bugs.webkit.org/show_bug.cgi?id=210872
2135
2136         Reviewed by Yusuke Suzuki, Mark Lam, and Robin Morisset.
2137
2138         This is already covered by the v8 tests Yusuke checked in.
2139
2140         * dfg/DFGSpeculativeJIT.cpp:
2141         (JSC::DFG::SpeculativeJIT::emitUntypedOrAnyBigIntBitOp):
2142         * ftl/FTLLowerDFGToB3.cpp:
2143         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
2144         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
2145
2146 2020-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
2147
2148         [JSC] JSBigInt inc operation does not produce right HeapBigInt zero
2149         https://bugs.webkit.org/show_bug.cgi?id=210860
2150
2151         Reviewed by Mark Lam.
2152
2153         JSBigInt::inc can produce a signed HeapBigInt zero, which does not meet the invariant of JSBigInt.
2154         This patch fixes it by checking the zero status before calling `setSign(true)`.
2155
2156         * runtime/JSBigInt.cpp:
2157         (JSC::JSBigInt::inc):
2158         * runtime/JSCJSValue.cpp:
2159         (JSC::JSValue::dumpInContextAssumingStructure const):
2160
2161 2020-04-22  Devin Rousso  <drousso@apple.com>
2162
2163         Web Inspector: Debugger: Step Over should only step through comma expressions if they are comma statements
2164         https://bugs.webkit.org/show_bug.cgi?id=210588
2165
2166         Reviewed by Brian Burg.
2167
2168         * parser/Nodes.h:
2169         (JSC::ExpressionNode::isStatement const): Added.
2170         (JSC::ExpressionNode::setIsStatement): Added.
2171         * parser/NodeConstructors.h:
2172         (JSC::ExprStatementNode::ExprStatementNode):
2173         (JSC::DeclarationStatement::DeclarationStatement):
2174         (JSC::ReturnNode::ReturnNode):
2175         (JSC::ThrowNode::ThrowNode):
2176         * bytecompiler/NodesCodegen.cpp:
2177         (JSC::CommaNode::emitBytecode):
2178         Only emit `WillExecuteStatement` debug hooks inside `CommaNode` if it's the only child of a
2179         statement parent node (e.g. `a(), b(), c()` vs `true && (a(), b(), c()) && true`).
2180
2181         * parser/Parser.h:
2182         * parser/Parser.cpp:
2183         (JSC::Parser<LexerType>::parseReturnStatement):
2184         (JSC::Parser<LexerType>::parseThrowStatement):
2185         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
2186         (JSC::Parser<LexerType>::parseExpressionStatement):
2187         (JSC::Parser<LexerType>::parseExpression):
2188         Only record a pause location for each sub-expression in a comma separated expression if it's
2189         the only child of a statement (e.g. `a(), b(), c()` vs `true && (a(), b(), c()) && true`).
2190
2191 2020-04-22  Saam Barati  <sbarati@apple.com>
2192
2193         ValueBitNot is wrong in FTL with AnyBigIntUse
2194         https://bugs.webkit.org/show_bug.cgi?id=210846
2195
2196         Reviewed by Yusuke Suzuki.
2197
2198         We forgot to speculate.
2199
2200         * ftl/FTLLowerDFGToB3.cpp:
2201         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
2202
2203 2020-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
2204
2205         [JSC] AI results of BigInt32 Bitwise shift operation does not match to runtime results
2206         https://bugs.webkit.org/show_bug.cgi?id=210839
2207
2208         Reviewed by Saam Barati.
2209
2210         While the runtime function for bitwise ops with BigInt32 sometimes returns a HeapBigInt, DFG AI was setting SpecBigInt32
2211         as the result value. This leads to miscompilation, particularly in FTL, since FTL uses this information to remove
2212         a lot of branches.
2213
2214         We also found that the FTL BigInt32 predicate was not correctly checking the state. This patch fixes it too.
2215
2216         Added the test case that found this (v8-bigint32-sar.js).
2217
2218         * dfg/DFGAbstractInterpreterInlines.h:
2219         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2220         * ftl/FTLLowerDFGToB3.cpp:
2221         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
2222         (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric):
2223         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2224         (JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt):
2225         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2226         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
2227         (JSC::FTL::DFG::LowerDFGToB3::lowBigInt32):
2228         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotCell):
2229         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotNumber):
2230         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32KnownNotNumber):
2231         (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigIntKnownNotNumber):
2232         (JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigIntUnknownWhetherCell):
2233         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32):
2234         (JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt):
2235         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32): Deleted.
2236         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32): Deleted.
2237         (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt): Deleted.
2238
2239 2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
2240
2241         Unreviewed, build fix for watchOS
2242         https://bugs.webkit.org/show_bug.cgi?id=210832
2243
2244         If the function is not defined, the static declaration should not be declared either; otherwise, an unused-function error happens.
2245
2246         * jsc.cpp:
2247
2248 2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
2249
2250         Unreviewed, speculative Windows build fix part 2
2251         https://bugs.webkit.org/show_bug.cgi?id=210834
2252
2253         * runtime/Options.cpp:
2254         (JSC::strncasecmp):
2255
2256 2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
2257
2258         Unreviewed, fix windows build failure
2259         https://bugs.webkit.org/show_bug.cgi?id=210834
2260
2261         * runtime/Options.cpp:
2262         (JSC::strncasecmp):
2263
2264 2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
2265
2266         [JSC] SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq should expect AnyBigIntUse
2267         https://bugs.webkit.org/show_bug.cgi?id=210832
2268
2269         Reviewed by Mark Lam.
2270
2271         SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq will get AnyBigIntUse now. We should use ManualOperandSpeculation
2272         and the speculate function to perform the speculation check.
2273
2274         * dfg/DFGSpeculativeJIT32_64.cpp:
2275         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2276         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2277         * dfg/DFGSpeculativeJIT64.cpp:
2278         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2279         * jsc.cpp:
2280         (functionCreateHeapBigInt):
2281         (functionCreateBigInt32):
2282         * runtime/BigIntConstructor.cpp:
2283         (JSC::toBigInt):
2284         (JSC::callBigIntConstructor):
2285         * runtime/BigIntConstructor.h:
2286         * runtime/JSBigInt.h:
2287
2288 2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
2289
2290         Canonicalize JSBigInt generated by structured-cloning by calling rightTrim
2291         https://bugs.webkit.org/show_bug.cgi?id=210816
2292
2293         Reviewed by Keith Miller and Darin Adler.
2294
2295         * runtime/JSBigInt.h:
2296
2297 2020-04-21  Peng Liu  <peng.liu6@apple.com>
2298
2299         Fix MACCATALYST build failures
2300         https://bugs.webkit.org/show_bug.cgi?id=210815
2301
2302         Reviewed by Tim Horton.
2303
2304         * Configurations/FeatureDefines.xcconfig:
2305
2306 2020-04-21  Keith Miller  <keith_miller@apple.com>
2307
2308         JSC's options should be case insensitive
2309         https://bugs.webkit.org/show_bug.cgi?id=210834
2310
2311         Reviewed by Yusuke Suzuki.
2312
2313         * runtime/Options.cpp:
2314         (JSC::Options::setOptionWithoutAlias):
2315         (JSC::Options::setAliasedOption):
2316         * runtime/OptionsList.h:
2317
2318 2020-04-21  Alexey Shvayka  <shvaikalesh@gmail.com>
2319
2320         constructObjectFromPropertyDescriptor() is incorrect with partial descriptors
2321         https://bugs.webkit.org/show_bug.cgi?id=184629
2322
2323         Reviewed by Ross Kirsling.
2324
2325         Before this change, constructObjectFromPropertyDescriptor() serialized a value-only descriptor
2326         with nullish m_seenAttributes to {value, writable: false, enumerable: false, configurable: false}
2327         instead of just {value}. This was observable when ordinarySetSlow() was called on a Proxy
2328         `receiver` with "defineProperty" trap.
2329
2330         This patch makes constructObjectFromPropertyDescriptor() 1:1 with the spec [2], aligning JSC
2331         with V8 and SpiderMonkey, and also cleans up its call sites from handling exceptions and
2332         `undefined` value returns.
2333
2334         [1]: https://tc39.es/ecma262/#sec-ordinarysetwithowndescriptor (step 3.d.iv)
2335         [2]: https://tc39.es/ecma262/#sec-frompropertydescriptor
2336
2337         * runtime/ObjectConstructor.cpp:
2338         (JSC::objectConstructorGetOwnPropertyDescriptor):
2339         (JSC::objectConstructorGetOwnPropertyDescriptors):
2340         * runtime/ObjectConstructor.h:
2341         (JSC::constructObjectFromPropertyDescriptor):
2342         * runtime/ProxyObject.cpp:
2343         (JSC::ProxyObject::performDefineOwnProperty):
2344
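The observable difference described in the entry above, as an added example that is not WebKit's code: a Proxy receiver with a `defineProperty` trap records the descriptor object the engine hands it. In a spec-conforming engine the trap sees `{value}` only when the receiver already owns a writable data property (OrdinarySetWithOwnDescriptor step 3.d.iv), and the four-field descriptor only on the CreateDataProperty path for a property the receiver does not have.

```javascript
// Added example, not WebKit code: observe the descriptor object a Proxy
// `defineProperty` trap receives when an ordinary [[Set]] reaches it.
function observeSetDescriptors() {
  const seen = [];
  const handler = {
    defineProperty(target, key, desc) {
      // Record exactly which fields the engine placed on the descriptor object.
      seen.push({ key, fields: Object.keys(desc).sort() });
      return Reflect.defineProperty(target, key, desc);
    },
  };

  // Case 1: the receiver already owns a writable data property 'x'.
  // OrdinarySetWithOwnDescriptor step 3.d.iv calls
  // Receiver.[[DefineOwnProperty]]('x', { [[Value]]: 2 }), so the trap must
  // see { value: 2 } with no writable/enumerable/configurable fields.
  const existing = new Proxy({ x: 1 }, handler);
  existing.x = 2;

  // Case 2: the receiver owns no 'y'. Step 3.e falls back to
  // CreateDataProperty, which passes a full four-field descriptor.
  const fresh = new Proxy({}, handler);
  fresh.y = 3;

  // Case 3: the same value-only path through Reflect.set with an explicit
  // receiver; the target is a plain object and the proxy is only the receiver,
  // so the write lands on the proxy's target and `target.z` stays 0.
  const target = { z: 0 };
  const receiverOnly = new Proxy({ z: 0 }, handler);
  Reflect.set(target, 'z', 9, receiverOnly);

  return { seen, values: [existing.x, fresh.y, receiverOnly.z, target.z] };
}
```

Before the fix, case 1 and case 3 would have shown all four fields with `writable`, `enumerable` and `configurable` set to false; a trap that forwards that descriptor to `Reflect.defineProperty` would then have silently frozen the property.
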
2345 2020-04-20  Yusuke Suzuki  <ysuzuki@apple.com>
2346
2347         Check Structure attributes in Object.assign exhaustively
2348         https://bugs.webkit.org/show_bug.cgi?id=210782
2349         <rdar://problem/62065853>
2350
2351         Reviewed by Mark Lam.
2352
2353         * runtime/ObjectConstructor.cpp:
2354         (JSC::objectConstructorAssign):
2355
2356 2020-04-21  Adrian Perez de Castro  <aperez@igalia.com>
2357
2358         Non-unified build fixes late February 2020 edition
2359         https://bugs.webkit.org/show_bug.cgi?id=210767
2360
2361         Unreviewed build fix.
2362
2363         * dfg/DFGValueRepReductionPhase.cpp: Add missing JSCJSValueInlines.h header.
2364         * jit/JITCall.cpp: Add missing SlowPathCall.h header.
2365         * runtime/AggregateError.cpp: Add missing JSCJSValueInlines.h, JSCellInlines.h, and
2366         JSGlobalObjectInlines.h headers.
2367         * runtime/AggregateErrorConstructor.cpp: Added missing JSCJSValueInlines.h, JSCellInlines.h,
2368         and VMInlines.h headers.
2369         * runtime/AggregateErrorPrototype.cpp: Added missing AggregateError.h, IdentifierInlines.h,
2370         JSCJSValueInlines.h, JSCellInlines.h, JSGlobalObjectInlines.h, and VMInlines.h headers.
2371         * runtime/Intrinsic.h: Added missing wtf/Optional.h header.
2372
2373 2020-04-20  Ross Kirsling  <ross.kirsling@sony.com>
2374
2375         Classes marked final should not use protected access specifier
2376         https://bugs.webkit.org/show_bug.cgi?id=210775
2377
2378         Reviewed by Daniel Bates.
2379
2380         * API/JSAPIValueWrapper.h:
2381         * API/JSCallbackConstructor.h:
2382         * API/JSCallbackObject.h:
2383         * b3/B3ExtractValue.h:
2384         * bytecode/UnlinkedFunctionExecutable.h:
2385         * inspector/JSGlobalObjectConsoleClient.h:
2386         * inspector/JSInjectedScriptHost.h:
2387         * inspector/JSJavaScriptCallFrame.h:
2388         * jsc.cpp:
2389         * runtime/AggregateError.h:
2390         * runtime/AggregateErrorPrototype.h:
2391         * runtime/ArrayConstructor.h:
2392         * runtime/ArrayPrototype.h:
2393         * runtime/AsyncFunctionPrototype.h:
2394         * runtime/AsyncGeneratorFunctionPrototype.h:
2395         * runtime/AtomicsObject.h:
2396         * runtime/BigIntConstructor.h:
2397         * runtime/BigIntObject.h:
2398         * runtime/BigIntPrototype.h:
2399         * runtime/BooleanConstructor.h:
2400         * runtime/BooleanPrototype.h:
2401         * runtime/ConsoleObject.h:
2402         * runtime/DateConstructor.h:
2403         * runtime/DatePrototype.h:
2404         * runtime/ErrorConstructor.h:
2405         * runtime/ErrorPrototype.h:
2406         * runtime/FileBasedFuzzerAgent.h:
2407         * runtime/FunctionPrototype.h:
2408         * runtime/FunctionRareData.h:
2409         * runtime/GeneratorFunctionPrototype.h:
2410         * runtime/GenericTypedArrayView.h:
2411         * runtime/InspectorInstrumentationObject.h:
2412         * runtime/IntlCollator.h:
2413         * runtime/IntlCollatorConstructor.h:
2414         * runtime/IntlCollatorPrototype.h:
2415         * runtime/IntlDateTimeFormat.h:
2416         * runtime/IntlDateTimeFormatConstructor.h:
2417         * runtime/IntlDateTimeFormatPrototype.h:
2418         * runtime/IntlNumberFormat.h:
2419         * runtime/IntlNumberFormatConstructor.h:
2420         * runtime/IntlNumberFormatPrototype.h:
2421         * runtime/IntlPluralRules.h:
2422         * runtime/IntlPluralRulesConstructor.h:
2423         * runtime/IntlPluralRulesPrototype.h:
2424         * runtime/IntlRelativeTimeFormatConstructor.h:
2425         * runtime/IntlRelativeTimeFormatPrototype.h:
2426         * runtime/JSArrayBuffer.h:
2427         * runtime/JSArrayBufferConstructor.h:
2428         * runtime/JSArrayBufferPrototype.h:
2429         * runtime/JSAsyncGenerator.h:
2430         * runtime/JSBoundFunction.h:
2431         * runtime/JSCustomGetterSetterFunction.h:
2432         * runtime/JSDataView.h:
2433         * runtime/JSDataViewPrototype.h:
2434         * runtime/JSGenerator.h:
2435         * runtime/JSGenericTypedArrayView.h:
2436         * runtime/JSGenericTypedArrayViewConstructor.h:
2437         * runtime/JSGenericTypedArrayViewPrototype.h:
2438         * runtime/JSGlobalLexicalEnvironment.h:
2439         * runtime/JSModuleLoader.h:
2440         * runtime/JSModuleNamespaceObject.h:
2441         * runtime/JSNativeStdFunction.h:
2442         * runtime/JSONObject.h:
2443         * runtime/JSObject.h:
2444         * runtime/JSTemplateObjectDescriptor.h:
2445         * runtime/JSTypedArrayViewConstructor.h:
2446         * runtime/JSTypedArrayViewPrototype.h:
2447         * runtime/MathObject.h:
2448         * runtime/NativeExecutable.h:
2449         * runtime/NumberConstructor.h:
2450         * runtime/NumberPrototype.h:
2451         * runtime/ObjectConstructor.h:
2452         * runtime/ObjectPrototype.h:
2453         * runtime/PredictionFileCreatingFuzzerAgent.h:
2454         * runtime/ReflectObject.h:
2455         * runtime/RegExp.h:
2456         * runtime/RegExpConstructor.h:
2457         * runtime/RegExpObject.h:
2458         * runtime/RegExpPrototype.h:
2459         * runtime/StringPrototype.h:
2460         * runtime/Structure.h:
2461         * runtime/Symbol.h:
2462         * runtime/SymbolConstructor.h:
2463         * runtime/SymbolObject.h:
2464         * runtime/SymbolPrototype.h:
2465         * runtime/VMTraps.cpp:
2466         * testRegExp.cpp:
2467         * wasm/WasmBBQPlan.h:
2468         * wasm/WasmLLIntPlan.h:
2469         * wasm/WasmWorklist.cpp:
2470         * wasm/js/JSWebAssembly.h:
2471         * wasm/js/JSWebAssemblyCompileError.h:
2472         * wasm/js/JSWebAssemblyInstance.h:
2473         * wasm/js/JSWebAssemblyLinkError.h:
2474         * wasm/js/JSWebAssemblyRuntimeError.h:
2475         * wasm/js/WebAssemblyCompileErrorConstructor.h:
2476         * wasm/js/WebAssemblyCompileErrorPrototype.h:
2477         * wasm/js/WebAssemblyGlobalConstructor.h:
2478         * wasm/js/WebAssemblyGlobalPrototype.h:
2479         * wasm/js/WebAssemblyInstanceConstructor.h:
2480         * wasm/js/WebAssemblyInstancePrototype.h:
2481         * wasm/js/WebAssemblyLinkErrorConstructor.h:
2482         * wasm/js/WebAssemblyLinkErrorPrototype.h:
2483         * wasm/js/WebAssemblyMemoryConstructor.h:
2484         * wasm/js/WebAssemblyMemoryPrototype.h:
2485         * wasm/js/WebAssemblyModuleConstructor.h:
2486         * wasm/js/WebAssemblyModulePrototype.h:
2487         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
2488         * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
2489         * wasm/js/WebAssemblyTableConstructor.h:
2490         * wasm/js/WebAssemblyTablePrototype.h:
2491         * wasm/js/WebAssemblyWrapperFunction.h:
2492
2493 2020-04-20  Peng Liu  <peng.liu6@apple.com>
2494
2495         Fix build failures when video fullscreen and picture-in-picture is disabled
2496         https://bugs.webkit.org/show_bug.cgi?id=210777
2497
2498         Reviewed by Eric Carlson.
2499
2500         * Configurations/FeatureDefines.xcconfig:
2501
2502 2020-04-20  Ross Kirsling  <ross.kirsling@sony.com>
2503
2504         Intl classes shouldn't need an m_initialized* field
2505         https://bugs.webkit.org/show_bug.cgi?id=210764
2506
2507         Reviewed by Darin Adler.
2508
2509         Existing Intl classes each have a field like m_initializedNumberFormat, but this is unnecessary on two levels:
2510           1. The thing that gets initialized is a unique pointer to an ICU struct, so we can check it directly.
2511           2. Everywhere we're checking this is redundant since we've already done the same check on the prototype side,
2512              therefore we can just ASSERT before using said ICU struct.
2513
2514         While we're at it, clean up other stuff like:
2515           - Move stuff that doesn't need to be part of the class to the CPP file (e.g. UFieldPositionIteratorDeleter).
2516           - Merge createCollator into initializeCollator (seems like this is probably the oldest code in this space).
2517
2518         * runtime/IntlCollator.cpp:
2519         (JSC::IntlCollator::initializeCollator):
2520         (JSC::IntlCollator::compareStrings):
2521         (JSC::IntlCollator::resolvedOptions):
2522         (JSC::IntlCollator::createCollator): Deleted.
2523         * runtime/IntlCollator.h:
2524         * runtime/IntlDateTimeFormat.cpp:
2525         (JSC::UFieldPositionIteratorDeleter::operator() const):
2526         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2527         (JSC::IntlDateTimeFormat::resolvedOptions):
2528         (JSC::IntlDateTimeFormat::format):
2529         (JSC::partTypeString):
2530         (JSC::IntlDateTimeFormat::formatToParts):
2531         (JSC::IntlDateTimeFormat::UFieldPositionIteratorDeleter::operator() const): Deleted.
2532         (JSC::IntlDateTimeFormat::partTypeString): Deleted.
2533         * runtime/IntlDateTimeFormat.h:
2534         * runtime/IntlNumberFormat.cpp:
2535         (JSC::UFieldPositionIteratorDeleter::operator() const):
2536         (JSC::IntlNumberFormatField::IntlNumberFormatField):
2537         (JSC::IntlNumberFormat::initializeNumberFormat):
2538         (JSC::IntlNumberFormat::format):
2539         (JSC::IntlNumberFormat::resolvedOptions):
2540         (JSC::partTypeString):
2541         (JSC::IntlNumberFormat::formatToParts):
2542         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const): Deleted.
2543         (JSC::IntlNumberFormat::partTypeString): Deleted.
2544         * runtime/IntlNumberFormat.h:
2545         * runtime/IntlPluralRules.cpp:
2546         (JSC::localeData):
2547         (JSC::IntlPluralRules::initializePluralRules):
2548         (JSC::IntlPluralRules::resolvedOptions):
2549         (JSC::IntlPluralRules::select):
2550         (JSC::IntlPRInternal::localeData): Deleted.
2551         * runtime/IntlPluralRules.h:
2552
2553 2020-04-20  Keith Miller  <keith_miller@apple.com>
2554
2555         FTL doesn't observe the use kind of CheckIsConstant's child1
2556         https://bugs.webkit.org/show_bug.cgi?id=210763
2557
2558         Reviewed by Yusuke Suzuki.
2559
2560         Somehow, this didn't get added when I changed CheckIsConstant and didn't show up
2561         when I tested r260377 because I tested in release. Fortunately, the produced
2562         DFG IR will be the same.
2563
2564         * ftl/FTLLowerDFGToB3.cpp:
2565         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIsConstant):
2566
2567 2020-04-20  Yusuke Suzuki  <ysuzuki@apple.com>
2568
2569         [JSC] Skip test262 for non-safe-integer range BigIntConstructor
2570         https://bugs.webkit.org/show_bug.cgi?id=210749
2571
2572         Reviewed by Keith Miller.
2573
2574         * runtime/BigIntConstructor.cpp:
2575         (JSC::callBigIntConstructor):
2576
2577 2020-04-20  Keith Miller  <keith_miller@apple.com>
2578
2579         Fix CheckIsConstant for non-constant values and checking for empty
2580         https://bugs.webkit.org/show_bug.cgi?id=210752
2581
2582         Reviewed by Saam Barati.
2583
2584         We need to make sure that we only have one speculated type if our value
2585         is empty.
2586
2587         * dfg/DFGAbstractInterpreterInlines.h:
2588         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2589
2590 2020-04-20  Darin Adler  <darin@apple.com>
2591
2592         Use #import instead of #include in Objective-C and don't use #pragma once
2593         https://bugs.webkit.org/show_bug.cgi?id=210724
2594
2595         Reviewed by David Kilzer.
2596
2597         * API/JSAPIWrapperObject.mm:
2598         * API/JSContext.h:
2599         * API/JSContext.mm:
2600         * API/JSScriptInternal.h:
2601         * API/JSValue.mm:
2602         * API/JSVirtualMachine.mm:
2603         * API/JSVirtualMachinePrivate.h:
2604         * API/JSWrapperMap.mm:
2605         * API/ObjCCallbackFunction.mm:
2606         * API/tests/CurrentThisInsideBlockGetterTest.mm:
2607         More #import, less #pragma once.
2608
2609 2020-04-20  Yusuke Suzuki  <ysuzuki@apple.com>
2610
2611         StructuredClone algorithm should be aware of BigInt
2612         https://bugs.webkit.org/show_bug.cgi?id=210728
2613
2614         Reviewed by Mark Lam.
2615
2616         * CMakeLists.txt:
2617         * runtime/BigIntObject.h:
2618         * runtime/JSBigInt.cpp:
2619         (JSC::JSBigInt::digit): Deleted.
2620         (JSC::JSBigInt::setDigit): Deleted.
2621         * runtime/JSBigInt.h:
2622         (JSC::JSBigInt::digit):
2623         (JSC::JSBigInt::setDigit):
2624
2625 2020-04-19  Ross Kirsling  <ross.kirsling@sony.com>
2626
2627         [ECMA-402] Intl.RelativeTimeFormat missing in WebKit
2628         https://bugs.webkit.org/show_bug.cgi?id=209770
2629
2630         Reviewed by Darin Adler.
2631
2632         This patch implements the recent ECMA-402 feature Intl.RelativeTimeFormat.
2633
2634         RelativeTimeFormat has format / formatToParts functions like NumberFormat / DateTimeFormat
2635         and is used to turn a number and unit into a formatted relative time string, e.g.:
2636
2637           new Intl.RelativeTimeFormat('en').format(10, 'day')
2638           > 'in 10 days'
2639
2640           new Intl.RelativeTimeFormat('en', { numeric: 'auto' }).format(0, 'day')
2641           > 'today'
2642
2643         Implementation of RelativeTimeFormat#formatToParts makes direct use of NumberFormat#formatToParts,
2644         as the relative time string consists of at most one formatted number with optional literal text on either side.
2645
2646         This feature is runtime-guarded by the `useIntlRelativeTimeFormat` option.
2647
2648         * CMakeLists.txt:
2649         * DerivedSources-input.xcfilelist:
2650         * DerivedSources-output.xcfilelist:
2651         * DerivedSources.make:
2652         * JavaScriptCore.xcodeproj/project.pbxproj:
2653         * Sources.txt:
2654         * runtime/CommonIdentifiers.h:
2655         * runtime/IntlRelativeTimeFormat.cpp: Added.
2656         * runtime/IntlRelativeTimeFormat.h: Added.
2657         * runtime/IntlRelativeTimeFormatConstructor.cpp: Added.
2658         * runtime/IntlRelativeTimeFormatConstructor.h: Added.
2659         * runtime/IntlRelativeTimeFormatPrototype.cpp: Added.
2660         * runtime/IntlRelativeTimeFormatPrototype.h: Added.
2661         * runtime/JSGlobalObject.cpp:
2662         (JSC::JSGlobalObject::init):
2663         (JSC::JSGlobalObject::visitChildren):
2664         * runtime/JSGlobalObject.h:
2665         (JSC::JSGlobalObject::relativeTimeFormatStructure):
2666         * runtime/OptionsList.h:
2667         * runtime/VM.cpp:
2668         (JSC::VM::VM):
2669         * runtime/VM.h:
2670         Add feature and runtime option.
2671
2672         * runtime/IntlDateTimeFormat.cpp:
2673         (JSC::IntlDateTimeFormat::formatToParts):
2674         * runtime/IntlPluralRules.cpp:
2675         (JSC::IntlPluralRules::initializePluralRules):
2676         (JSC::IntlPluralRules::resolvedOptions):
2677         Make "type" a property name.
2678
2679         * runtime/IntlNumberFormat.cpp:
2680         (JSC::IntlNumberFormat::initializeNumberFormat):
2681         (JSC::IntlNumberFormat::resolvedOptions):
2682         (JSC::IntlNumberFormat::formatToPartsInternal):
2683         (JSC::IntlNumberFormat::formatToParts):
2684         * runtime/IntlNumberFormat.h:
2685         Factor out formatToPartsInternal so that RelativeTimeFormat can use it with its own UNumberFormat.
2686         (This logic is too complicated to duplicate; it's because ICU won't split, e.g., "10,000" into parts for us.)
2687
2688         * runtime/IntlObject.cpp:
2689         (JSC::IntlObject::IntlObject):
2690         (JSC::IntlObject::create):
2691         (JSC::IntlObject::finishCreation):
2692         (JSC::intlAvailableLocales):
2693         (JSC::intlCollatorAvailableLocales):
2694         (JSC::isUnicodeLocaleIdentifierType):
2695         (JSC::supportedLocales):
2696         (JSC::intlDateTimeFormatAvailableLocales): Deleted.
2697         (JSC::intlNumberFormatAvailableLocales): Deleted.
2698         * runtime/IntlObject.h:
2699         (JSC::intlDateTimeFormatAvailableLocales):
2700         (JSC::intlNumberFormatAvailableLocales):
2701         (JSC::intlPluralRulesAvailableLocales):
2702         (JSC::intlRelativeTimeFormatAvailableLocales):
2703         Perform three corrections for Intl classes:
2704           1. Collator should be the only class with unique "available locales".
2705              [unum|udat]_getAvailable exist but they've deferred to uloc_getAvailable for 20 years.
2706           2. isUnicodeLocaleIdentifierType isn't just `alphanum{3,8}` but rather `alphanum{3,8} (sep alphanum{3,8})*`.
2707              This is my own mistake from r239941.
2708           3. supportedLocalesOf entries should not be frozen.
2709              Changed in https://github.com/tc39/ecma402/pull/278.
2710
2711         * tools/JSDollarVM.cpp:
2712         (JSC::functionICUVersion):
2713         (JSC::JSDollarVM::finishCreation):
2714         Add $vm.icuVersion so that we can add per-line skips to stress tests.
2715
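Two points from the entry above, checked by an added example that is not WebKit's code: that a relative time string is at most one formatted number with literal text on either side (which is what lets RelativeTimeFormat#formatToParts reuse NumberFormat's part splitting), and correction 2, that a Unicode locale identifier type is `alphanum{3,8} (sep alphanum{3,8})*` rather than a single segment. It runs in any engine that ships Intl.RelativeTimeFormat (in JSC, behind the `useIntlRelativeTimeFormat` option); the sample values and the `-` separator are the example's own choices.

```javascript
// Added example, not WebKit code: checks two points from the entry above in
// any engine that ships Intl.RelativeTimeFormat.

// 1. A relative time string is at most one formatted number (which ICU may
//    split into integer/group/fraction parts, each carrying `unit`) with
//    literal text on either side. Verify that shape and that the parts
//    reassemble to exactly what format() returns.
function checkRelativeTimeParts(locale, value, unit, options) {
  const rtf = new Intl.RelativeTimeFormat(locale, options);
  const parts = rtf.formatToParts(value, unit);
  let numberRuns = 0;
  let inNumber = false;
  for (const part of parts) {
    if (part.type === 'literal') { inNumber = false; continue; }
    // Every non-literal part belongs to the single formatted number and must
    // carry the unit it was formatted for.
    if (part.unit !== unit) {
      throw new Error(`number part without unit: ${JSON.stringify(part)}`);
    }
    if (!inNumber) { numberRuns += 1; inNumber = true; }
  }
  if (numberRuns > 1) throw new Error(`expected at most one number, got ${numberRuns}`);
  return {
    formatted: rtf.format(value, unit),
    reassembled: parts.map((p) => p.value).join(''),
    numberRuns,
    numberParts: parts.filter((p) => p.type !== 'literal').length,
  };
}

// 2. Correction 2 in the entry: a Unicode locale identifier "type" is
//    alphanum{3,8} (sep alphanum{3,8})*, so multi-segment values such as the
//    calendar name 'islamic-umalqura' are valid. '-' is the separator used in
//    BCP 47 tags; matching is case-insensitive per UTS 35.
const UNICODE_TYPE_RE = /^[a-z0-9]{3,8}(?:-[a-z0-9]{3,8})*$/i;
function isUnicodeLocaleIdentifierType(type) {
  return UNICODE_TYPE_RE.test(type);
}
```

With `numeric: 'auto'`, `format(0, 'day')` in English yields `'today'`, a single literal part and no number at all, which is why the structural check is "at most one" rather than "exactly one".
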
2716 2020-04-19  Yusuke Suzuki  <ysuzuki@apple.com>
2717
2718         [JSC] SlowPathCall is not supported by callOperation in Windows
2719         https://bugs.webkit.org/show_bug.cgi?id=210727
2720
2721         Reviewed by Ross Kirsling.
2722
2723         On Windows, SlowPathCall should be handled by JITSlowPathCall; otherwise, the stack is not correctly allocated.
2724
2725         * jit/JITCall.cpp:
2726         (JSC::JIT::emit_op_iterator_open):
2727         (JSC::JIT::emit_op_iterator_next):
2728         * jit/SlowPathCall.h:
2729         (JSC::JITSlowPathCall::call):
2730
2731 2020-04-19  Yusuke Suzuki  <ysuzuki@apple.com>
2732
2733         [JSC] Enable BigInt
2734         https://bugs.webkit.org/show_bug.cgi?id=210726
2735
2736         Reviewed by Mark Lam.
2737
2738         * runtime/OptionsList.h:
2739
2740 2020-04-19  Yusuke Suzuki  <ysuzuki@apple.com>
2741
2742         [JSC] LLInt slow path call should not have third argument
2743         https://bugs.webkit.org/show_bug.cgi?id=210721
2744
2745         Reviewed by Mark Lam.
2746
2747         LLInt callSlowPath does not work with a third argument on Windows, CLoop, etc. The LLInt slow path should not take a third argument;
2748         instead, use `bytecode.metadata(...)` to get the metadata.
2749
2750         * jit/JITCall.cpp:
2751         (JSC::JIT::emit_op_iterator_open):
2752         (JSC::JIT::emit_op_iterator_next):
2753         * llint/LowLevelInterpreter64.asm:
2754         * runtime/CommonSlowPaths.cpp:
2755         (JSC::iterator_open_try_fast):
2756         (JSC::SLOW_PATH_DECL):
2757         (JSC::iterator_next_try_fast):
2758         (JSC::iterator_open_try_fast_narrow): Deleted.
2759         (JSC::iterator_open_try_fast_wide16): Deleted.
2760         (JSC::iterator_open_try_fast_wide32): Deleted.
2761         (JSC::iterator_next_try_fast_narrow): Deleted.
2762         (JSC::iterator_next_try_fast_wide16): Deleted.
2763         (JSC::iterator_next_try_fast_wide32): Deleted.
2764         * runtime/CommonSlowPaths.h:
2765
2766 2020-04-19  Mark Lam  <mark.lam@apple.com>
2767
2768         Fix missing exception checks and handling in JSC APIs.
2769         https://bugs.webkit.org/show_bug.cgi?id=210715
2770         <rdar://problem/61599658>
2771
2772         Reviewed by Saam Barati.
2773
2774         * API/APICallbackFunction.h:
2775         (JSC::APICallbackFunction::call):
2776         - We should return early if an exception was thrown.  We should not be using the
2777           result in any way since we cannot rely on it having any sane value.
2778         (JSC::APICallbackFunction::construct):
2779         - For consistency, also return an undefined here when an exception was thrown.
2780
2781         * API/JSCallbackObjectFunctions.h:
2782         (JSC::JSCallbackObject<Parent>::construct):
2783         (JSC::JSCallbackObject<Parent>::call):
2784         - Return an undefined if an exception was thrown.  Don't return the potentially
2785           garbage result value.  Who knows what the client code will do with it.  Returning
2786           an undefined here makes the code more robust.
2787
2788         * API/JSObjectRef.cpp:
2789         (JSObjectGetProperty):
2790         (JSObjectHasPropertyForKey):
2791         (JSObjectGetPropertyForKey):
2792         (JSObjectDeletePropertyForKey):
2793         (JSObjectGetPropertyAtIndex):
2794         (JSObjectDeleteProperty):
2795         - Explicitly return a nullptr if an exception was thrown.  The toRef() on the
2796           result that follows the exception check may or may not return a nullptr
2797           (also see toRef(JSC::VM& vm, JSC::JSValue v) for !CPU(ADDRESS64)).
2798
2799         * API/JSValueRef.cpp:
2800         (JSValueIsEqual):
2801         (JSValueIsInstanceOfConstructor):
2802         - For consistency, make these return false if an exception is thrown.
2803
2804         * API/ObjCCallbackFunction.mm:
2805         (JSC::objCCallbackFunctionCallAsFunction):
2806         (JSC::objCCallbackFunctionCallAsConstructor):
2807         (JSC::ObjCCallbackFunctionImpl::call):
2808         - Add some assertions and return early if an exception was thrown.
2809
2810 2020-04-18  Keith Miller  <keith_miller@apple.com>
2811
2812         Fix CLoop build for iterator opcodes
2813         https://bugs.webkit.org/show_bug.cgi?id=210709
2814
2815         Reviewed by Robin Morisset.
2816
2817         We need to add a default parameter for the metadata pointer
2818         in the CLoop build. Additionally, the helper declarations need
2819         to be in the various slow path header files. Lastly we need
2820         opcode labels for our new JS call return points.
2821
2822         * bytecode/BytecodeList.rb:
2823         * llint/LLIntSlowPaths.cpp:
2824         * llint/LLIntSlowPaths.h:
2825         * runtime/CommonSlowPaths.h:
2826
2827 2020-04-18  Robin Morisset  <rmorisset@apple.com>
2828
2829         Support an inlined representation in JSValue of small BigInts ("BigInt32")
2830         https://bugs.webkit.org/show_bug.cgi?id=206182
2831
2832         Reviewed by Yusuke Suzuki.
2833
2834         This patch attempts to optimize the performance of BigInts, when they are small (32 bit or less).
2835         It works by inlining them into JSValue on 64-bit platforms, avoiding the allocation of a JSBigInt.
2836         The bit pattern we use is 0000:XXXX:XXXX:0012
2837         This representation works because of the following things:
2838         - It cannot be confused with a Double or Integer thanks to the top bits
2839         - It cannot be confused with a pointer to a Cell, thanks to bit 1 which is set to true
2840         - It cannot be confused with a pointer to wasm thanks to bit 0 which is set to false
2841         - It cannot be confused with true/false because bit 2 is set to false
2842         - It cannot be confused for null/undefined because bit 4 is set to true
2843
2844         This entire change is gated by USE(BIGINT32), to make it easier to disable if it turns out to have bugs.
2845         It should also make it much easier to verify if a given bug comes from it or from something else.
2846
2847         Note that in this patch we create BigInt32s when parsing small BigInt constants, and most operations (e.g. Add or BitOr) produce a BigInt32 if both of their operands are BigInt32,
2848         but we don't produce a BigInt32 from, for example, the subtraction/division of two large heap-allocated JSBigInts, even if the result fits in 32 bits.
2849         As a result, small BigInts can now either be heap-allocated or inlined in the JSValue.
2850
2851         This patch includes a significant refactor of various slow paths, which are now grouped together in Operations.h
2852         Because this increased the size of Operations.h significantly, I split the parts of Operations.h which are only used by the GC into Scribble.h, to avoid bloating compile times.
2853
2854         In the DFG and FTL we now have 3 UseKinds for BigInts: HeapBigIntUse, BigInt32Use and AnyBigIntUse.
2855         The latter is useful when we know that we are receiving BigInts, but speculation indicates a mix of heap-allocated and small (inlined) big-ints.
2856
2857         Unfortunately, a naive implementation of this patch significantly regresses the performance of StrictEq (and its variants), as it is no longer true that a cell and a non-cell cannot be equal.
2858         Before this patch, the code was jumping to a slow path if either:
2859         - at least one operand is a double
2860         - or both operands are cells
2861         Now, it also needs to jump to the slow path if at least one is a cell.
2862         To recover this performance cost, I significantly rewrote this code, from
2863           if (left is Cell && right is Cell) {
2864             if (left == right)
2865               return true;
2866             goto slowPath;
2867           }
2868           if (! left is Int32) {
2869             if (left is Number)
2870               goto slowPath
2871           }
2872           if (! right is Int32) {
2873             if (right is Number)
2874               goto slowPath
2875           }
2876           return left == right
2877         To the following:
2878           if (left is Double || right is Double)
2879             goto slowPath
2880           if (left == right)
2881             return true;
2882           if (left is Cell || right is Cell)
2883             goto slowPath
2884           return false;
2885         I believe this to be faster than just replacing (left is Cell && right is Cell) by an ||, because I found a bit-trick to check (left is Double || right is Double) which should help reduce the pressure on the branch predictor.
2886         Early JetStream2 tests appear to confirm that this patch is roughly neutral while it was a 0.5% regression before I used this trick, but the numbers are still too noisy, I plan to do more measurements before landing this patch.
2887
2888         I don't yet have performance numbers for this patch on a BigInt benchmark, I will get such numbers before trying to land it, but I'd like some review in the meantime.
2889
2890         * JavaScriptCore.xcodeproj/project.pbxproj:
2891         * assembler/X86Assembler.h:
2892         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2893         * bytecode/ArithProfile.cpp:
2894         (JSC::ArithProfile<BitfieldType>::emitObserveResult):
2895         (JSC::ArithProfile<BitfieldType>::shouldEmitSetBigInt32 const):
2896         (JSC::ArithProfile<BitfieldType>::shouldEmitSetHeapBigInt const):
2897         (JSC::ArithProfile<BitfieldType>::emitSetHeapBigInt const):
2898         (JSC::ArithProfile<BitfieldType>::emitSetBigInt32 const):
2899         (WTF::printInternal):
2900         * bytecode/ArithProfile.h:
2901         (JSC::ObservedResults::didObserveNonInt32):
2902         (JSC::ObservedResults::didObserveBigInt):
2903         (JSC::ObservedResults::didObserveHeapBigInt):
2904         (JSC::ObservedResults::didObserveBigInt32):
2905         (JSC::ArithProfile::didObserveHeapBigInt const):
2906         (JSC::ArithProfile::didObserveBigInt32 const):
2907         (JSC::ArithProfile::setObservedHeapBigInt):
2908         (JSC::ArithProfile::setObservedBigInt32):
2909         (JSC::ArithProfile::observeResult):
2910         * bytecode/BytecodeList.rb:
2911         * bytecode/BytecodeLivenessAnalysisInlines.h:
2912         * bytecode/BytecodeUseDef.cpp:
2913         (JSC::computeUsesForBytecodeIndexImpl):
2914         (JSC::computeDefsForBytecodeIndexImpl):
2915         * bytecode/CodeBlock.cpp:
2916         * bytecode/DataFormat.h:
2917         * bytecode/MethodOfGettingAValueProfile.cpp:
2918         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2919         * bytecode/MethodOfGettingAValueProfile.h:
2920         * bytecode/SpeculatedType.cpp:
2921         (JSC::dumpSpeculation):
2922         (JSC::speculationFromClassInfo):
2923         (JSC::speculationFromStructure):
2924         (JSC::speculationFromValue):
2925         (JSC::speculationFromJSType):
2926         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
2927         * bytecode/SpeculatedType.h:
2928         (JSC::isBigInt32Speculation):
2929         (JSC::isHeapBigIntSpeculation):
2930         (JSC::isBigIntSpeculation):
2931         * bytecompiler/BytecodeGenerator.cpp:
2932         (JSC::BytecodeGenerator::emitEqualityOpImpl):
2933         (JSC::BytecodeGenerator::addBigIntConstant):
2934         * bytecompiler/BytecodeGenerator.h:
2935         * dfg/DFGAbstractInterpreterInlines.h:
2936         (JSC::DFG::isToThisAnIdentity):
2937         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2938         * dfg/DFGByteCodeParser.cpp:
2939         (JSC::DFG::ByteCodeParser::parseBlock):
2940         * dfg/DFGCapabilities.cpp:
2941         (JSC::DFG::capabilityLevel):
2942         * dfg/DFGClobberize.h:
2943         (JSC::DFG::clobberize):
2944         * dfg/DFGConstantFoldingPhase.cpp:
2945         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2946         * dfg/DFGDoesGC.cpp:
2947         (JSC::DFG::doesGC):
2948         * dfg/DFGFixupPhase.cpp:
2949         (JSC::DFG::FixupPhase::fixupNode):
2950         (JSC::DFG::FixupPhase::fixupToThis):
2951         (JSC::DFG::FixupPhase::fixupToNumeric):
2952         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2953         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2954         * dfg/DFGMayExit.cpp:
2955         * dfg/DFGNode.h:
2956         (JSC::DFG::Node::shouldSpeculateBigInt32):
2957         (JSC::DFG::Node::shouldSpeculateHeapBigInt):
2958         * dfg/DFGNodeType.h:
2959         * dfg/DFGOSRExit.cpp:
2960         (JSC::DFG::OSRExit::compileExit):
2961         * dfg/DFGOSRExit.h:
2962         * dfg/DFGOperations.cpp:
2963         * dfg/DFGOperations.h:
2964         * dfg/DFGPredictionPropagationPhase.cpp:
2965         * dfg/DFGSafeToExecute.h:
2966         (JSC::DFG::SafeToExecuteEdge::operator()):
2967         (JSC::DFG::safeToExecute):
2968         * dfg/DFGSpeculativeJIT.cpp:
2969         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2970         (JSC::DFG::SpeculativeJIT::compileValueBitNot):
2971         (JSC::DFG::SpeculativeJIT::emitUntypedOrAnyBigIntBitOp):
2972         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
2973         (JSC::DFG::SpeculativeJIT::emitUntypedOrBigIntRightShiftBitOp):
2974         (JSC::DFG::SpeculativeJIT::compileValueLShiftOp):
2975         (JSC::DFG::SpeculativeJIT::compileValueBitRShift):
2976         (JSC::DFG::SpeculativeJIT::compileShiftOp):
2977         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2978         (JSC::DFG::SpeculativeJIT::compileValueSub):
2979         (JSC::DFG::SpeculativeJIT::compileIncOrDec):
2980         (JSC::DFG::SpeculativeJIT::compileValueNegate):
2981         (JSC::DFG::SpeculativeJIT::compileValueMul):
2982         (JSC::DFG::SpeculativeJIT::compileValueDiv):
2983         (JSC::DFG::SpeculativeJIT::compileValueMod):
2984         (JSC::DFG::SpeculativeJIT::compileValuePow):
2985         (JSC::DFG::SpeculativeJIT::compare):
2986         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2987         (JSC::DFG::SpeculativeJIT::speculateHeapBigInt):
2988         (JSC::DFG::SpeculativeJIT::speculate):
2989         (JSC::DFG::SpeculativeJIT::compileToNumeric):
2990         (JSC::DFG::SpeculativeJIT::compileHeapBigIntEquality):
2991         * dfg/DFGSpeculativeJIT.h:
2992         (JSC::DFG::SpeculateBigInt32Operand::SpeculateBigInt32Operand):
2993         (JSC::DFG::SpeculateBigInt32Operand::~SpeculateBigInt32Operand):
2994         (JSC::DFG::SpeculateBigInt32Operand::edge const):
2995         (JSC::DFG::SpeculateBigInt32Operand::node const):
2996         (JSC::DFG::SpeculateBigInt32Operand::gpr):
2997         (JSC::DFG::SpeculateBigInt32Operand::use):
2998         * dfg/DFGSpeculativeJIT32_64.cpp:
2999         (JSC::DFG::SpeculativeJIT::compile):
3000         * dfg/DFGSpeculativeJIT64.cpp:
3001         (JSC::DFG::SpeculativeJIT::fillJSValue):
3002         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
3003         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
3004         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3005         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3006         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3007         (JSC::DFG::SpeculativeJIT::speculateBigInt32):
3008         (JSC::DFG::SpeculativeJIT::speculateAnyBigInt):
3009         (JSC::DFG::SpeculativeJIT::fillSpeculateBigInt32):
3010         (JSC::DFG::SpeculativeJIT::compileBigInt32Compare):
3011         (JSC::DFG::SpeculativeJIT::compilePeepHoleBigInt32Branch):
3012         (JSC::DFG::SpeculativeJIT::compile):
3013         * dfg/DFGStrengthReductionPhase.cpp:
3014         (JSC::DFG::StrengthReductionPhase::handleNode):
3015         * dfg/DFGUseKind.cpp:
3016         (WTF::printInternal):
3017         * dfg/DFGUseKind.h:
3018         (JSC::DFG::typeFilterFor):
3019         (JSC::DFG::isCell):
3020         * ftl/FTLCapabilities.cpp:
3021         (JSC::FTL::canCompile):
3022         * ftl/FTLCommonValues.cpp:
3023         (JSC::FTL::CommonValues::initializeConstants):
3024         * ftl/FTLCommonValues.h:
3025         * ftl/FTLLowerDFGToB3.cpp:
3026         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3027         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3028         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
3029         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
3030         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
3031         (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv):
3032         (JSC::FTL::DFG::LowerDFGToB3::compileValueMod):
3033         (JSC::FTL::DFG::LowerDFGToB3::compileValuePow):
3034         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
3035         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
3036         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
3037         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
3038         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
3039         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitRShift):
3040         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitLShift):
3041         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
3042         (JSC::FTL::DFG::LowerDFGToB3::compileBitURShift):
3043         (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric):
3044         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
3045         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
3046         (JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt):
3047         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
3048         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
3049         (JSC::FTL::DFG::LowerDFGToB3::boolify):
3050         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
3051         (JSC::FTL::DFG::LowerDFGToB3::lowHeapBigInt):
3052         (JSC::FTL::DFG::LowerDFGToB3::lowBigInt32):
3053         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32):
3054         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32):
3055         (JSC::FTL::DFG::LowerDFGToB3::unboxBigInt32):
3056         (JSC::FTL::DFG::LowerDFGToB3::boxBigInt32):
3057         (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt):
3058         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3059         (JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigIntUnknownWhetherCell):
3060         (JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigInt):
3061         (JSC::FTL::DFG::LowerDFGToB3::isHeapBigInt):
3062         (JSC::FTL::DFG::LowerDFGToB3::speculateHeapBigInt):
3063         (JSC::FTL::DFG::LowerDFGToB3::speculateHeapBigIntUnknownWhetherCell):
3064         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32):
3065         (JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt):
3066         * ftl/FTLOSRExitCompiler.cpp:
3067         (JSC::FTL::compileStub):
3068         * heap/HeapSnapshotBuilder.cpp:
3069         (JSC::HeapSnapshotBuilder::json):
3070         * heap/MarkedBlockInlines.h:
3071         * heap/PreciseAllocation.cpp:
3072         * inspector/agents/InspectorHeapAgent.cpp:
3073         (Inspector::InspectorHeapAgent::getPreview):
3074         * interpreter/Interpreter.cpp:
3075         (JSC::sizeOfVarargs):
3076         * jit/AssemblyHelpers.cpp:
3077         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
3078         (JSC::AssemblyHelpers::branchIfValue):
3079         * jit/AssemblyHelpers.h:
3080         (JSC::AssemblyHelpers::branchIfBigInt32):
3081         (JSC::AssemblyHelpers::branchIfBigInt32KnownNotNumber):
3082         (JSC::AssemblyHelpers::branchIfNotBigInt32KnownNotNumber):
3083         (JSC::AssemblyHelpers::branchIfHeapBigInt):
3084         (JSC::AssemblyHelpers::branchIfNotHeapBigInt):
3085         (JSC::AssemblyHelpers::unboxBigInt32):
3086         (JSC::AssemblyHelpers::boxBigInt32):
3087         (JSC::AssemblyHelpers::emitTypeOf):
3088         * jit/JIT.cpp:
3089         (JSC::JIT::privateCompileMainPass):
3090         * jit/JIT.h:
3091         * jit/JITArithmetic.cpp:
3092         (JSC::JIT::emit_op_negate):
3093         (JSC::JIT::emitSlow_op_negate):
3094         * jit/JITOpcodes.cpp:
3095         (JSC::JIT::emit_op_is_big_int):
3096         (JSC::JIT::compileOpStrictEq):
3097         (JSC::JIT::compileOpStrictEqJump):
3098         (JSC::JIT::emit_op_to_numeric):
3099         * jit/JITOpcodes32_64.cpp:
3100         (JSC::JIT::emit_op_is_big_int):
3101         (JSC::JIT::emit_op_to_numeric):
3102         * jit/JITOperations.cpp:
3103         * jit/JITOperations.h:
3104         * llint/LLIntOfflineAsmConfig.h:
3105         * llint/LowLevelInterpreter.asm:
3106         * llint/LowLevelInterpreter64.asm:
3107         * parser/ParserArena.cpp:
3108         (JSC::IdentifierArena::makeBigIntDecimalIdentifier):
3109         * runtime/ArrayPrototype.cpp:
3110         * runtime/BigIntConstructor.cpp:
3111         (JSC::toBigInt):
3112         (JSC::callBigIntConstructor):
3113         * runtime/BigIntObject.cpp:
3114         (JSC::BigIntObject::create):
3115         (JSC::BigIntObject::finishCreation):
3116         * runtime/BigIntObject.h:
3117         * runtime/BigIntPrototype.cpp:
3118         (JSC::toThisBigIntValue):
3119         (JSC::bigIntProtoFuncToStringImpl):
3120         * runtime/CommonSlowPaths.cpp:
3121         (JSC::SLOW_PATH_DECL):
3122         (JSC::updateArithProfileForUnaryArithOp):
3123         (JSC::updateArithProfileForBinaryArithOp):
3124         * runtime/JSBigInt.cpp:
3125         (JSC::JSBigInt::createStructure):
3126         (JSC::JSBigInt::parseInt):
3127         (JSC::JSBigInt::stringToBigInt):
3128         (JSC::JSBigInt::inc):
3129         (JSC::JSBigInt::dec):
3130         (JSC::JSBigInt::bitwiseAnd):
3131         (JSC::JSBigInt::toStringGeneric):
3132         (JSC::JSBigInt::equalsToNumber):
3133         (JSC::JSBigInt::equalsToInt32):
3134         * runtime/JSBigInt.h:
3135         (JSC::asHeapBigInt):
3136         * runtime/JSCJSValue.cpp:
3137         (JSC::JSValue::toNumberSlowCase const):
3138         (JSC::JSValue::toObjectSlowCase const):
3139         (JSC::JSValue::toThisSlowCase const):
3140         (JSC::JSValue::synthesizePrototype const):
3141         (JSC::JSValue::dumpInContextAssumingStructure const):
3142         (JSC::JSValue::dumpForBacktrace const):
3143         (JSC::JSValue::toStringSlowCase const):
3144         * runtime/JSCJSValue.h:
3145         * runtime/JSCJSValueInlines.h:
3146         (JSC::JSValue::JSValue):
3147         (JSC::JSValue::asHeapBigInt const):
3148         (JSC::JSValue::isBigInt const):
3149         (JSC::JSValue::isHeapBigInt const):
3150         (JSC::JSValue::isBigInt32 const):
3151         (JSC::JSValue::bigInt32AsInt32 const):
3152         (JSC::JSValue::isPrimitive const):
3153         (JSC::JSValue::getPrimitiveNumber):
3154         (JSC::JSValue::toNumeric const):
3155         (JSC::JSValue::toBigIntOrInt32 const):
3156         (JSC::JSValue::equalSlowCaseInline):
3157         (JSC::JSValue::strictEqualForCells):
3158         (JSC::JSValue::strictEqual):
3159         (JSC::JSValue::pureStrictEqual):
3160         (JSC::JSValue::pureToBoolean const):
3161         * runtime/JSCell.cpp:
3162         (JSC::JSCell::put):
3163         (JSC::JSCell::putByIndex):
3164         (JSC::JSCell::toPrimitive const):
3165         (JSC::JSCell::getPrimitiveNumber const):
3166         (JSC::JSCell::toNumber const):
3167         (JSC::JSCell::toObjectSlow const):
3168         * runtime/JSCell.h:
3169         * runtime/JSCellInlines.h:
3170         (JSC::JSCell::isHeapBigInt const):
3171         (JSC::JSCell::toBoolean const):
3172         (JSC::JSCell::pureToBoolean const):
3173         * runtime/JSString.h:
3174         (JSC::JSValue::toBoolean const):
3175         * runtime/JSType.cpp:
3176         (WTF::printInternal):
3177         * runtime/JSType.h:
3178         * runtime/JSTypeInfo.h:
3179         * runtime/ObjectInitializationScope.cpp:
3180         * runtime/Operations.cpp:
3181         (JSC::jsAddSlowCase):
3182         (JSC::jsIsObjectTypeOrNull):
3183         * runtime/Operations.h:
3184         (JSC::compareBigIntToOtherPrimitive):
3185         (JSC::bigIntCompare):
3186         (JSC::jsLess):
3187         (JSC::jsLessEq):
3188         (JSC::arithmeticBinaryOp):
3189         (JSC::jsSub):
3190         (JSC::jsMul):
3191         (JSC::jsDiv):
3192         (JSC::jsRemainder):
3193         (JSC::jsPow):
3194         (JSC::jsInc):
3195         (JSC::jsDec):
3196         (JSC::jsBitwiseNot):
3197         (JSC::shift):
3198         (JSC::jsLShift):
3199         (JSC::jsRShift):
3200         (JSC::bitwiseBinaryOp):
3201         (JSC::jsBitwiseAnd):
3202         (JSC::jsBitwiseOr):
3203         (JSC::jsBitwiseXor):
3204         * runtime/Scribble.h: Copied from Source/JavaScriptCore/runtime/BigIntObject.h.
3205         (JSC::scribbleFreeCells):
3206         (JSC::isScribbledValue):
3207         (JSC::scribble):
3208         * runtime/StructureInlines.h:
3209         (JSC::prototypeForLookupPrimitiveImpl):
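
        The tagging rules and the rewritten StrictEq fast path described in this entry, as an added example that is not part of the patch or of JSC's own code. The constants for the other classes (int32 tag, double encode offset, true/false/null/undefined) are assumed from JSC's 64-bit JSValue layout and are not stated in the ChangeLog; the bit trick the author uses for the "either is a Double" test is not shown on the page, so the plain two-predicate check is used here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t EncodedJSValue;

/* Tag constants assumed from JSC's 64-bit JSValue layout (JSCJSValue.h); only the
   BigInt32 pattern 0000:XXXX:XXXX:0012 and its bit properties come from the ChangeLog. */
#define NUMBER_TAG           0xfffe000000000000ull /* int32:  0xFFFE:0000:IIII:IIII           */
#define DOUBLE_ENCODE_OFFSET (1ull << 49)          /* double: raw IEEE-754 bits + 2^49        */
#define OTHER_TAG            0x2ull                /* bit 1: set on every non-cell, non-number */
#define BOOL_TAG             0x4ull                /* bit 2: set on true/false only            */
#define UNDEFINED_TAG        0x8ull                /* bit 3: distinguishes undefined from null */
#define VALUE_NULL           (OTHER_TAG)
#define VALUE_UNDEFINED      (OTHER_TAG | UNDEFINED_TAG)
#define VALUE_FALSE          (OTHER_TAG | BOOL_TAG)
#define VALUE_TRUE           (OTHER_TAG | BOOL_TAG | 1ull)
#define BIGINT32_TAG         0x12ull               /* bits 1 and 4 set; bits 0 and 2 clear     */
#define BIGINT32_MASK        (NUMBER_TAG | 0xffffull)

/* Encoders: each class occupies a distinct region of the 64-bit space. */
static EncodedJSValue encodeInt32(int32_t i)    { return NUMBER_TAG | (uint64_t)(uint32_t)i; }
static EncodedJSValue encodeDouble(double d)    { uint64_t b; memcpy(&b, &d, sizeof b); return b + DOUBLE_ENCODE_OFFSET; }
static EncodedJSValue encodeCell(const void* p) { return (EncodedJSValue)(uintptr_t)p; } /* 16-byte aligned pointer */
static EncodedJSValue encodeBigInt32(int32_t i) { return ((uint64_t)(uint32_t)i << 16) | BIGINT32_TAG; }

/* Class predicates. A well-formed value satisfies exactly one of them. */
static bool isInt32(EncodedJSValue v)           { return (v & NUMBER_TAG) == NUMBER_TAG; }
static bool isNumber(EncodedJSValue v)          { return (v & NUMBER_TAG) != 0; }
static bool isDouble(EncodedJSValue v)          { return isNumber(v) && !isInt32(v); }
static bool isCell(EncodedJSValue v)            { return (v & (NUMBER_TAG | OTHER_TAG)) == 0; }
static bool isBigInt32(EncodedJSValue v)        { return (v & BIGINT32_MASK) == BIGINT32_TAG; }
static bool isBoolean(EncodedJSValue v)         { return (v & ~1ull) == VALUE_FALSE; }
static bool isUndefinedOrNull(EncodedJSValue v) { return (v & ~UNDEFINED_TAG) == VALUE_NULL; }
static int32_t bigInt32AsInt32(EncodedJSValue v){ return (int32_t)(uint32_t)(v >> 16); }

/* How many classes claim v. It must be 1 for every value: that is the no-confusion
   guarantee the ChangeLog argues bit by bit for the 0012 tag. */
static int classCount(EncodedJSValue v) {
    return isInt32(v) + isDouble(v) + isCell(v) + isBigInt32(v) + isBoolean(v) + isUndefinedOrNull(v);
}

typedef enum { STRICT_EQ_FALSE, STRICT_EQ_TRUE, STRICT_EQ_SLOW_PATH } StrictEqResult;

/* Pre-patch fast path from the ChangeLog: relies on "a cell and a non-cell are never ===". */
static StrictEqResult strictEqFastPathBefore(EncodedJSValue left, EncodedJSValue right) {
    if (isCell(left) && isCell(right))
        return left == right ? STRICT_EQ_TRUE : STRICT_EQ_SLOW_PATH;
    if (!isInt32(left) && isNumber(left))
        return STRICT_EQ_SLOW_PATH;
    if (!isInt32(right) && isNumber(right))
        return STRICT_EQ_SLOW_PATH;
    return left == right ? STRICT_EQ_TRUE : STRICT_EQ_FALSE;
}

/* Post-patch fast path from the ChangeLog: a non-identical cell/non-cell pair now goes slow,
   because a heap JSBigInt can be === to an inlined BigInt32 holding the same value. */
static StrictEqResult strictEqFastPathAfter(EncodedJSValue left, EncodedJSValue right) {
    if (isDouble(left) || isDouble(right))
        return STRICT_EQ_SLOW_PATH;
    if (left == right)
        return STRICT_EQ_TRUE;
    if (isCell(left) || isCell(right))
        return STRICT_EQ_SLOW_PATH;
    return STRICT_EQ_FALSE;
}

/* Constructed stand-in for a heap-allocated JSBigInt cell; only its (16-byte aligned) address matters. */
static uint64_t heapStorage[4];
static EncodedJSValue fakeHeapBigIntCell(void) {
    uintptr_t p = ((uintptr_t)heapStorage + 15) & ~(uintptr_t)15;
    return encodeCell((const void*)p);
}

int main(void) {
    EncodedJSValue heap = fakeHeapBigIntCell();
    EncodedJSValue small = encodeBigInt32(5);
    /* 5n (heap) === 5n (inline): the old fast path answers false outright; the new one defers. */
    printf("before: %d  after: %d\n", (int)strictEqFastPathBefore(heap, small), (int)strictEqFastPathAfter(heap, small));
    printf("BigInt32(-1) payload: %d, classCount: %d\n", bigInt32AsInt32(encodeBigInt32(-1)), classCount(encodeBigInt32(-1)));
    return 0;
}
```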
3210
3211 2020-04-18  Keith Miller  <keith_miller@apple.com>
3212
3213         Unreviewed, remove commented out/dead code that failed to
3214         get removed when landing r260323.
3215
3216         * llint/LLIntSlowPaths.cpp:
3217         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3218         * runtime/CommonSlowPaths.cpp:
3219         (JSC::iterator_next_try_fast):
3220
3221 2020-04-18  Keith Miller  <keith_miller@apple.com>
3222
3223         Redesign how we do for-of iteration for JSArrays
3224         https://bugs.webkit.org/show_bug.cgi?id=175454
3225
3226         Reviewed by Filip Pizlo and Saam Barati.
3227
3228         This patch intrinsifies for-of iteration for JSArrays when they are
3229         being iterated with the built-in Symbol.iterator. We do this by
3230         adding two new bytecodes op_iterator_open and
3231         op_iterator_next. These bytecodes are essentially a fused set of
3232         existing bytecodes with a special case for our intrinsified JSArray
3233         case. This patch only adds support for these instructions on
3234         64-bit.
3235
3237         The op_iterator_open bytecode is semantically the same as:
3238         iterator = symbolIterator.@call(iterable);
3239         next = iterator.next;
3240
3241         where iterable is the rhs of the for-of and symbolIterator is the
3242         result of running iterable.symbolIterator;
3243
3245         The op_iterator_next bytecode is semantically the same as:
3246         nextResult = next.@call(iterator);
3247         done = nextResult.done;
3248         value = done ? (undefined / bottom) : nextResult.value;
3249
3250         where nextResult is a temporary (the value VirtualRegister in the
3251         LLInt/Baseline and a tmp in the DFG).
3252
3253         In order to make sure these bytecodes have the same performance as
3254         the existing bytecode sequence, we need to make sure we have the
3255         same profiling data and inline caching. Most of the existing
3256         get_by_id code assumed a particular bytecode member name was the
3257         same in each flavor get_by_id access. This patch adds template
3258         specialized functions that vend the correct
3259         Profile/VirtualRegister for the current bytecode/checkpoint. This
3260         means we can have meaningful names for our Bytecode structs and
3261         still use the generic functions.
3262
3263         In the LLInt most of the logic for calls/get_by_id had to be
3264         factored into helper macros, so we could have bytecodes that are
3265         some combination of those.
3266
3267         The trickiest part of this patch was getting the hand rolled DFG
3268         IR to work correctly. This is because we don't have a great way to
3269         express large chunks of DFG graph that don't involve manually
3270         tracking all the DFG's invariants. Such as:
3271
3272         1) Flushing/Phantoming values at the end of each block.
3273         2) Rolling forwards and backwards the BytecodeIndex when switching
3274            blocks.
3275         3) Remembering to GetLocal each variable at the top of every block.
3276         4) Ensuring that the JSValue stored to the op_iterator_next.m_value
3277            local does not cause us to OSR exit at the set local.
3278
3279         (4) is handled by a new function, bottomValueMatchingSpeculation,
3280         on DFGGraph that produces a FrozenValue that is roughly the bottom
3281         for a given speculated type. In a future patch we should make this
3282         more complete, probably by adding a VM::bottomCellForSetLocal that
3283         prediction propagation and AI know how to treat as a true bottom
3284         value. See: https://bugs.webkit.org/show_bug.cgi?id=210694
3285
3286         Lastly, this patch changes the DFG NodeType, CheckCell to be
3287         CheckIsConstant.  CheckIsConstant is equivalent to the == operator
3288         on JSValue where it just checks the register values are the
3289         same. In order to keep the same perf that we had for CheckCell,
3290         CheckIsConstant supports CellUse.
3291
3292         * CMakeLists.txt:
3293         * JavaScriptCore.xcodeproj/project.pbxproj:
3294         * assembler/MacroAssemblerARM64.h:
3295         (JSC::MacroAssemblerARM64::or8):
3296         (JSC::MacroAssemblerARM64::store8):
3297         * assembler/MacroAssemblerX86_64.h:
3298         (JSC::MacroAssemblerX86_64::or8):
3299         * bytecode/ArrayProfile.h:
3300         (JSC::ArrayProfile::observeStructureID):
3301         (JSC::ArrayProfile::observeStructure):
3302         * bytecode/BytecodeList.rb:
3303         * bytecode/BytecodeLivenessAnalysis.cpp:
3304         (JSC::tmpLivenessForCheckpoint):
3305         * bytecode/BytecodeOperandsForCheckpoint.h: Added.
3306         (JSC::arrayProfileForImpl):
3307         (JSC::hasArrayProfileFor):
3308         (JSC::arrayProfileFor):
3309         (JSC::valueProfileForImpl):
3310         (JSC::hasValueProfileFor):
3311         (JSC::valueProfileFor):
3312         (JSC::destinationFor):
3313         (JSC::calleeFor):
3314         (JSC::argumentCountIncludingThisFor):
3315         (JSC::stackOffsetInRegistersForCall):
3316         (JSC::callLinkInfoFor):
3317         * bytecode/BytecodeUseDef.cpp:
3318         (JSC::computeUsesForBytecodeIndexImpl):
3319         (JSC::computeDefsForBytecodeIndexImpl):
3320         * bytecode/CallLinkInfo.cpp:
3321         (JSC::CallLinkInfo::callTypeFor):
3322         * bytecode/CallLinkStatus.cpp:
3323         (JSC::CallLinkStatus::computeFromLLInt):
3324         * bytecode/CodeBlock.cpp:
3325         (JSC::CodeBlock::finishCreation):
3326         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3327         (JSC::CodeBlock::tryGetValueProfileForBytecodeIndex):
3328         * bytecode/CodeBlock.h:
3329         (JSC::CodeBlock::instructionAt const):
3330         * bytecode/CodeBlockInlines.h:
3331         (JSC::CodeBlock::forEachValueProfile):
3332         (JSC::CodeBlock::forEachArrayProfile):
3333         * bytecode/GetByStatus.cpp:
3334         (JSC::GetByStatus::computeFromLLInt):
3335         * bytecode/Instruction.h:
3336         (JSC::BaseInstruction::width const):
3337         (JSC::BaseInstruction::hasCheckpoints const):
3338         (JSC::BaseInstruction::asKnownWidth const):
3339         (JSC::BaseInstruction::wide16 const):
3340         (JSC::BaseInstruction::wide32 const):
3341         * bytecode/InstructionStream.h:
3342         * bytecode/IterationModeMetadata.h: Copied from Source/JavaScriptCore/bytecode/SuperSampler.h.
3343         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3344         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3345         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
3346         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3347         * bytecode/Opcode.h:
3348         * bytecode/SpeculatedType.h:
3349         (JSC::isSubtypeSpeculation):
3350         (JSC::speculationContains):
3351         * bytecode/SuperSampler.h:
3352         (JSC::SuperSamplerScope::release):
3353         * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGenericEnumeration):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIsEmpty):
        (JSC::BytecodeGenerator::emitIteratorOpen):
        (JSC::BytecodeGenerator::emitIteratorNext):
        (JSC::BytecodeGenerator::emitGetGenericIterator):
        (JSC::BytecodeGenerator::emitIteratorGenericNext):
        (JSC::BytecodeGenerator::emitIteratorGenericNextWithValue):
        (JSC::BytecodeGenerator::emitIteratorGenericClose):
        (JSC::BytecodeGenerator::emitGetAsyncIterator):
        (JSC::BytecodeGenerator::emitDelegateYield):
        (JSC::BytecodeGenerator::emitIteratorNextWithValue): Deleted.
        (JSC::BytecodeGenerator::emitIteratorClose): Deleted.
        (JSC::BytecodeGenerator::emitGetIterator): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::bindValue const):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::size const):
        (JSC::DFG::AtTailAbstractState::numberOfTmps const):
        (JSC::DFG::AtTailAbstractState::atIndex):
        (JSC::DFG::AtTailAbstractState::tmp):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::progressToNextCheckpoint):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::jsConstant):
        (JSC::DFG::ByteCodeParser::weakJSConstant):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::allocateUntargetableBlock):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleCallVariant):
        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleDOMJITCall):
        (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::handlePutByVal):
        (JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::addStringReplacePrimordialChecks):
        * dfg/DFGForAllKills.h:
        (JSC::DFG::forAllKilledOperands):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::bottomValueMatchingSpeculation):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        (JSC::DFG::InPlaceAbstractState::merge):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::size const):
        (JSC::DFG::InPlaceAbstractState::numberOfTmps const):
        (JSC::DFG::InPlaceAbstractState::atIndex):
        (JSC::DFG::InPlaceAbstractState::operand):
        (JSC::DFG::InPlaceAbstractState::local):
        (JSC::DFG::InPlaceAbstractState::argument):
        (JSC::DFG::InPlaceAbstractState::variableAt): Deleted.
        * dfg/DFGLazyJSValue.h:
        (JSC::DFG::LazyJSValue::speculatedType const):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasConstant):
        (JSC::DFG::Node::hasCellOperand):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::callerReturnPC):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):