ebfb56aea7253db176cae49566cf78ec0765bbee
[WebKit.git] / Source / JavaScriptCore / ChangeLog
2020-05-04  Devin Rousso  <drousso@apple.com>

        Web Inspector: Worker: should use the name of the worker if it exists
        https://bugs.webkit.org/show_bug.cgi?id=211244

        Reviewed by Brian Burg.

        * inspector/protocol/Worker.json:
        Include the `name` in `Worker.workerCreated`.

2020-05-04  Devin Rousso  <drousso@apple.com>

        Web Inspector: provide a way for inspector to turn on/off ITP debug mode and AdClickAttribution debug mode
        https://bugs.webkit.org/show_bug.cgi?id=209763

        Reviewed by Brian Burg.

        * inspector/protocol/Page.json:
        Add new enum values to `Page.Setting`:
         - `AdClickAttributionDebugModeEnabled`
         - `ITPDebugModeEnabled`

2020-05-03  Maciej Stachowiak  <mjs@apple.com>

        Remove no longer needed WebKitAdditions include for JavaScriptCorePrefix.h
        https://bugs.webkit.org/show_bug.cgi?id=211357

        Reviewed by Mark Lam.

        * JavaScriptCorePrefix.h:

2020-05-02  Mark Lam  <mark.lam@apple.com>

        Gardening: rolling out r261050 and r261051.
        https://bugs.webkit.org/show_bug.cgi?id=211328
        <rdar://problem/62755865>

        Not reviewed.

        * assembler/CPU.h:

2020-05-01  Mark Lam  <mark.lam@apple.com>

        Allow Bitmap to use up to a UCPURegister word size for internal bit storage.
        https://bugs.webkit.org/show_bug.cgi?id=211328
        <rdar://problem/62755865>

        Reviewed by Yusuke Suzuki.

        * assembler/CPU.h:

2020-05-01  Saam Barati  <sbarati@apple.com>

        Have a thread local cache for the Wasm LLInt bytecode buffer
        https://bugs.webkit.org/show_bug.cgi?id=211317

        Reviewed by Filip Pizlo and Mark Lam.

        One of the main things slowing down Wasm compile times is the banging
        on bmalloc's global heap lock. This patch makes it so that for the bytecode
        instruction buffer, we keep a thread local cache with the latest capacity
        the thread needed to compile. This makes it so that in the average case,
        we only do one malloc at the end of a compile to memcpy the final result.

        We clear these thread local caches when the WasmWorklist's automatic threads'
        underlying machine thread is destroyed.

        This is a 15% speedup in zen garden compile times on a 16-core Mac Pro.
        This is a 4-5% speedup in zen garden compile times on a 6-core MBP.

        * bytecode/InstructionStream.h:
        (JSC::InstructionStreamWriter::setInstructionBuffer):
        (JSC::InstructionStreamWriter::finalize):
        * wasm/WasmLLIntGenerator.cpp:
        (JSC::Wasm::threadSpecificBuffer):
        (JSC::Wasm::clearLLIntThreadSpecificCache):
        (JSC::Wasm::LLIntGenerator::LLIntGenerator):
        (JSC::Wasm::LLIntGenerator::finalize):
        * wasm/WasmLLIntGenerator.h:
        * wasm/WasmWorklist.cpp:

2020-05-01  Per Arne Vollan  <pvollan@apple.com>

        [Win] Fix AppleWin build
        https://bugs.webkit.org/show_bug.cgi?id=211324

        Reviewed by Don Olmstead.

        Check if target WTF_CopyHeaders exists before using it.

        * CMakeLists.txt:

2020-05-01  Don Olmstead  <don.olmstead@sony.com>

        [GTK] Add additional exports to support hidden visibility
        https://bugs.webkit.org/show_bug.cgi?id=211246

        Reviewed by Michael Catanzaro.

        * API/glib/JSCContextPrivate.h:
        * API/glib/JSCValuePrivate.h:
        * inspector/remote/glib/RemoteInspectorServer.h:
        * inspector/remote/glib/RemoteInspectorUtils.h:

2020-05-01  Don Olmstead  <don.olmstead@sony.com>

        Use export macros on all platforms
        https://bugs.webkit.org/show_bug.cgi?id=211293

        Reviewed by Michael Catanzaro.

        Allow overriding of JS_EXPORT_PRIVATE if desired; otherwise use the defaults.

        * runtime/JSExportMacros.h:

2020-05-01  Saam Barati  <sbarati@apple.com>

        Unreviewed. Non-speculative build fix for watchOS build.

        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):

2020-05-01  Saam Barati  <sbarati@apple.com>

        Unreviewed. Speculative build fix for watchOS build.

        * runtime/ArrayPrototype.cpp:
        (JSC::shift):

2020-05-01  Alexey Shvayka  <shvaikalesh@gmail.com>

        [WebIDL] Interface prototype objects should define @@toStringTag
        https://bugs.webkit.org/show_bug.cgi?id=211020

        Unreviewed follow-up to r260992.

        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation): Revert change in an attempt to fix the ARMv7 test.

2020-05-01  David Kilzer  <ddkilzer@apple.com>

        JSC::PropertySlot::m_attributes is uninitialized in constructor
        <https://webkit.org/b/211267>

        Reviewed by Mark Lam.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        - Initialize m_attributes and m_additionalData, and make use of
          default initializers.

2020-05-01  Alexey Shvayka  <shvaikalesh@gmail.com>

        [WebIDL] Interface prototype objects should define @@toStringTag
        https://bugs.webkit.org/show_bug.cgi?id=211020

        Reviewed by Darin Adler.

        The WebIDL spec was recently updated [1] to define @@toStringTag on interface prototype objects.
        This change aligns WebIDL with ECMA-262 built-ins and Blink's behavior. Gecko has also
        expressed implementation commitment.

        This patch implements the spec change, making `X.prototype.toString()` return "[object X]"
        instead of "[object XPrototype]", where X is a WebIDL interface. This behavior is proven to
        be web compatible (shipping in Chrome since Q2 2016) and matches the class strings of iterator
        prototype objects [2] introduced in r253855.

        We define @@toStringTag for all WebAssembly interfaces but Error subclasses since they
        are not defined using WebIDL [3].

        This change also introduces the JSC_TO_STRING_TAG_WITHOUT_TRANSITION() macro that sets up
        @@toStringTag using ClassInfo to avoid extra string creation, ensuring `className` equality
        between prototype and instance classes (fixing a few discrepancies), as well as correct
        descriptors. It also ensures use of the faster jsNontrivialString() and relieves us from putting
        more code into CodeGeneratorJS.pm.

        [1]: https://github.com/heycam/webidl/pull/357
        [2]: https://heycam.github.io/webidl/#es-iterator-prototype-object
        [3]: https://webassembly.github.io/spec/js-api/#error-objects

        Tests: imported/w3c/web-platform-tests/wasm/jsapi/instance/toString.any.js
               imported/w3c/web-platform-tests/wasm/jsapi/memory/toString.any.js
               imported/w3c/web-platform-tests/wasm/jsapi/module/toString.any.js
               imported/w3c/web-platform-tests/wasm/jsapi/table/toString.any.js

        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/AsyncFunctionPrototype.cpp:
        (JSC::AsyncFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorFunctionPrototype.cpp:
        (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorPrototype.cpp:
        (JSC::AsyncGeneratorPrototype::finishCreation):
        * runtime/BigIntPrototype.cpp:
        (JSC::BigIntPrototype::finishCreation):
        * runtime/GeneratorFunctionPrototype.cpp:
        (JSC::GeneratorFunctionPrototype::finishCreation):
        * runtime/GeneratorPrototype.cpp:
        (JSC::GeneratorPrototype::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        * runtime/IntlPluralRulesPrototype.cpp:
        (JSC::IntlPluralRulesPrototype::finishCreation):
        * runtime/IntlRelativeTimeFormatPrototype.cpp:
        (JSC::IntlRelativeTimeFormatPrototype::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::finishCreation):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        * runtime/JSObject.h:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::finishCreation):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/RegExpStringIteratorPrototype.cpp:
        (JSC::RegExpStringIteratorPrototype::finishCreation):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        * runtime/WeakObjectRefPrototype.cpp:
        (JSC::WeakObjectRefPrototype::finishCreation):
        * runtime/WeakSetPrototype.cpp:
        (JSC::WeakSetPrototype::finishCreation):
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        (JSC::WebAssemblyInstancePrototype::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::WebAssemblyMemoryPrototype::finishCreation):
        * wasm/js/WebAssemblyModulePrototype.cpp:
        (JSC::WebAssemblyModulePrototype::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::WebAssemblyTablePrototype::finishCreation):

2020-05-01  Saam Barati  <sbarati@apple.com>

        We can't cast toLength result to unsigned
        https://bugs.webkit.org/show_bug.cgi?id=211205
        <rdar://problem/62625562>

        Reviewed by Yusuke Suzuki.

        toLength, according to the spec, returns a 53-bit integer. In our
        implementation, we return a double. However, there were many callsites
        that did something like:
        ```
        unsigned length = toLength(obj);
        ```

        This is bad for a few reasons:
        - Casting to unsigned from double is undefined behavior when the integer
        is greater than UINT_MAX. In practice, this means that we'd have different
        engine behavior depending on what architecture we'd be running on. For
        example, if the length were UINT_MAX + 1, on x86, we'd treat the
        length as zero. On arm64, we'd treat it as UINT_MAX. Both are wrong.
        - We weren't spec compliant. We were just ignoring that these numbers could
        be 53-bit integers.

        This patch addresses each bad use of the undefined behavior, and by doing so,
        makes us more spec compliant.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::setLength):
        (JSC::argumentClampedIndexFromStartOrEnd):
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::fastIndexOf):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        * runtime/Identifier.h:
        (JSC::Identifier::from):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty const):
        * runtime/JSObject.h:
        (JSC::JSObject::putByIndexInline):
        (JSC::JSObject::putDirectIndex):
        (JSC::JSObject::canGetIndexQuickly const):
        (JSC::JSObject::tryGetIndexQuickly const):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::get const):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::getValue const):
        * tools/JSDollarVM.cpp:
        (JSC::functionSetUserPreferredLanguages):
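
        Added illustration of the problem in the entry above (not JavaScriptCore's own code): the spec's ToLength carried as a 64-bit integer, and the `unsigned length = toLength(obj);` pattern replaced by a range check that happens before any narrowing. Names (`toLength`, `toUnsignedLengthChecked`, `indexInBounds`) are hypothetical.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// ES "safe integer" bound: 2^53 - 1, the largest value ToLength can produce.
constexpr double kMaxSafeInteger = 9007199254740991.0;

// ES ToLength(argument): NaN or negative -> 0, clamp at 2^53 - 1, truncate.
// The result needs 53 bits, so it is carried as uint64_t, never as unsigned.
uint64_t toLength(double number)
{
    if (std::isnan(number) || number <= 0)
        return 0;
    if (number >= kMaxSafeInteger)             // also catches +infinity
        return static_cast<uint64_t>(kMaxSafeInteger);
    return static_cast<uint64_t>(std::trunc(number));
}

// Result of narrowing a 53-bit length to unsigned: `fits` is false when the
// caller must fall back to a path that works on the full 64-bit length.
struct NarrowedLength {
    bool fits;
    unsigned value;
};

// Replacement for the `unsigned length = toLength(obj);` pattern: the
// double -> unsigned conversion is undefined behaviour above UINT_MAX, so the
// range is checked on the integer value before any narrowing happens.
NarrowedLength toUnsignedLengthChecked(double number)
{
    uint64_t length = toLength(number);
    if (length > std::numeric_limits<unsigned>::max())
        return { false, 0 };
    return { true, static_cast<unsigned>(length) };
}

// A bounds check against the 64-bit length. For a length of UINT_MAX + 1 this
// is neither "empty" (what the entry reports for x86) nor "UINT_MAX" (arm64):
// index UINT_MAX is in bounds, index UINT_MAX + 1 is not.
bool indexInBounds(double lengthValue, uint64_t index)
{
    return index < toLength(lengthValue);
}
```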

2020-04-30  Ross Kirsling  <ross.kirsling@sony.com>

        TriState should be an enum class and use "Indeterminate" instead of "Mixed"
        https://bugs.webkit.org/show_bug.cgi?id=211268

        Reviewed by Mark Lam.

        * b3/B3Const32Value.cpp:
        (JSC::B3::Const32Value::equalConstant const):
        (JSC::B3::Const32Value::notEqualConstant const):
        (JSC::B3::Const32Value::lessThanConstant const):
        (JSC::B3::Const32Value::greaterThanConstant const):
        (JSC::B3::Const32Value::lessEqualConstant const):
        (JSC::B3::Const32Value::greaterEqualConstant const):
        (JSC::B3::Const32Value::aboveConstant const):
        (JSC::B3::Const32Value::belowConstant const):
        (JSC::B3::Const32Value::aboveEqualConstant const):
        (JSC::B3::Const32Value::belowEqualConstant const):
        * b3/B3Const64Value.cpp:
        (JSC::B3::Const64Value::equalConstant const):
        (JSC::B3::Const64Value::notEqualConstant const):
        (JSC::B3::Const64Value::lessThanConstant const):
        (JSC::B3::Const64Value::greaterThanConstant const):
        (JSC::B3::Const64Value::lessEqualConstant const):
        (JSC::B3::Const64Value::greaterEqualConstant const):
        (JSC::B3::Const64Value::aboveConstant const):
        (JSC::B3::Const64Value::belowConstant const):
        (JSC::B3::Const64Value::aboveEqualConstant const):
        (JSC::B3::Const64Value::belowEqualConstant const):
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::equalConstant const):
        (JSC::B3::ConstDoubleValue::notEqualConstant const):
        (JSC::B3::ConstDoubleValue::lessThanConstant const):
        (JSC::B3::ConstDoubleValue::greaterThanConstant const):
        (JSC::B3::ConstDoubleValue::lessEqualConstant const):
        (JSC::B3::ConstDoubleValue::greaterEqualConstant const):
        (JSC::B3::ConstDoubleValue::equalOrUnorderedConstant const):
        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::equalConstant const):
        (JSC::B3::ConstFloatValue::notEqualConstant const):
        (JSC::B3::ConstFloatValue::lessThanConstant const):
        (JSC::B3::ConstFloatValue::greaterThanConstant const):
        (JSC::B3::ConstFloatValue::lessEqualConstant const):
        (JSC::B3::ConstFloatValue::greaterEqualConstant const):
        (JSC::B3::ConstFloatValue::equalOrUnorderedConstant const):
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::addBoolConstant):
        * b3/B3Procedure.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::equalConstant const):
        (JSC::B3::Value::notEqualConstant const):
        (JSC::B3::Value::lessThanConstant const):
        (JSC::B3::Value::greaterThanConstant const):
        (JSC::B3::Value::lessEqualConstant const):
        (JSC::B3::Value::greaterEqualConstant const):
        (JSC::B3::Value::aboveConstant const):
        (JSC::B3::Value::belowConstant const):
        (JSC::B3::Value::aboveEqualConstant const):
        (JSC::B3::Value::belowEqualConstant const):
        (JSC::B3::Value::equalOrUnorderedConstant const):
        (JSC::B3::Value::asTriState const):
        * b3/B3Value.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::thresholdForJIT):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstantNode::emitBytecodeInConditionContext):
        (JSC::BinaryOpNode::emitBytecodeInConditionContext):
        (JSC::BinaryOpNode::tryFoldToBranch):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::equalToSingleCharacter):
        (JSC::DFG::equalToStringImpl):
        (JSC::DFG::LazyJSValue::strictEqual const):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
        (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::equal):
        (JSC::FTL::Output::notEqual):
        (JSC::FTL::Output::above):
        (JSC::FTL::Output::aboveOrEqual):
        (JSC::FTL::Output::below):
        (JSC::FTL::Output::belowOrEqual):
        (JSC::FTL::Output::greaterThan):
        (JSC::FTL::Output::greaterThanOrEqual):
        (JSC::FTL::Output::lessThan):
        (JSC::FTL::Output::lessThanOrEqual):
        * jit/JITOperations.cpp:
        * runtime/CachedTypes.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * runtime/DefinePropertyAttributes.h:
        (JSC::DefinePropertyAttributes::DefinePropertyAttributes):
        (JSC::DefinePropertyAttributes::hasWritable const):
        (JSC::DefinePropertyAttributes::writable const):
        (JSC::DefinePropertyAttributes::hasConfigurable const):
        (JSC::DefinePropertyAttributes::configurable const):
        (JSC::DefinePropertyAttributes::hasEnumerable const):
        (JSC::DefinePropertyAttributes::enumerable const):
        (JSC::DefinePropertyAttributes::setWritable):
        (JSC::DefinePropertyAttributes::setConfigurable):
        (JSC::DefinePropertyAttributes::setEnumerable):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/IntlObject.cpp:
        (JSC::intlBooleanOption):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::pureStrictEqual):
        (JSC::JSValue::pureToBoolean const):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::pureToBoolean const):

2020-04-30  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] intlBooleanOption should return TriState instead of taking an out param
        https://bugs.webkit.org/show_bug.cgi?id=211256

        Reviewed by Darin Adler and Mark Lam.

        Boolean options for Intl constructors can have default values of true, false, or undefined.
        To handle the undefined case, intlBooleanOption currently has a `bool& usesFallback` param;
        we should have the return type simply be a TriState instead.

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/IntlObject.cpp:
        (JSC::intlBooleanOption):
        * runtime/IntlObject.h:

2020-04-30  Devin Rousso  <drousso@apple.com>

        WebKit.WebContent process crashes when web developer tools are opened in Safari
        https://bugs.webkit.org/show_bug.cgi?id=210794
        <rdar://problem/62214651>

        Reviewed by Brian Burg.

        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptFor):
        Don't crash if a `TerminatedExecutionError` is thrown.

        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        Report the actual error message. Check that the result has a value before attempting to make
        a `JSON::Value` out of it.

2020-04-29  Ross Kirsling  <ross.kirsling@sony.com>

        Ensure Intl classes don't have naming conflicts with unified builds
        https://bugs.webkit.org/show_bug.cgi?id=211213

        Reviewed by Yusuke Suzuki.

        Each Intl class usually has an array named relevantExtensionsKeys and a function named localeData.
        This can result in redefinition errors when unified builds put two of them into the same translation unit.
        Some are already guarding against this with an internal namespace while others are not.

        As a uniform approach, this patch makes each localeData function a static method and
        puts each relevantExtensionsKeys array (as well as any constants for its indices) into an internal namespace.

        Furthermore, since three different classes are defining an identical UFieldPositionIteratorDeleter,
        this patch consolidates them into one definition in IntlObject.

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::sortLocaleData): Renamed from JSC::sortLocaleData.
        (JSC::IntlCollator::searchLocaleData): Renamed from JSC::searchLocaleData.
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlCollator.h:
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::localeData): Renamed from JSC::IntlDTFInternal::localeData.
        (JSC::toDateTimeOptionsAnyDate): Renamed from JSC::IntlDTFInternal::toDateTimeOptionsAnyDate.
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted.
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::localeData): Renamed from JSC::IntlNFInternal::localeData.
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted.
        * runtime/IntlNumberFormat.h:
        * runtime/IntlObject.cpp:
        (JSC::UFieldPositionIteratorDeleter::operator() const): Added.
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::localeData): Renamed from JSC::localeData.
        * runtime/IntlPluralRules.h:
        * runtime/IntlRelativeTimeFormat.cpp:
        (JSC::IntlRelativeTimeFormat::localeData): Renamed from JSC::localeData.
        (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
        (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted.
        * runtime/IntlRelativeTimeFormat.h:

2020-04-29  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed follow-up to r260848.
        LowerDFGToB3 has its own isFunction which should NOT have been renamed.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
        (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::isFunction): Renamed from isCallable.

2020-04-29  Alexey Shvayka  <shvaikalesh@gmail.com>

        AsyncFromSyncIterator methods should not pass absent values
        https://bugs.webkit.org/show_bug.cgi?id=211147

        Reviewed by Ross Kirsling.

        This patch implements a minor spec change [1] to match async and sync iteration
        from the perspective of userland `next` and `return` iterator methods.
        The `throw` method always receives an argument, yet we align it with the others to be
        consistent and future-proof.

        This change is already implemented in SpiderMonkey.

        [1]: https://github.com/tc39/ecma262/pull/1776

        * builtins/AsyncFromSyncIteratorPrototype.js:

2020-04-29  Mark Lam  <mark.lam@apple.com>

        Freezing of Gigacage and JSC Configs should be thread safe.
        https://bugs.webkit.org/show_bug.cgi?id=211201
        <rdar://problem/62597619>

        Reviewed by Yusuke Suzuki.

        If a client creates multiple VM instances in different threads concurrently, the
        following race can occur:

        Config::permanentlyFreeze() contains the following code:

            if (!g_jscConfig.isPermanentlyFrozen)         // Point P1
                g_jscConfig.isPermanentlyFrozen = true;   // Point P2

        Let's say there are 2 threads T1 and T2.

        1. T1 creates a VM and gets to point P1, and sees that g_jscConfig.isPermanentlyFrozen is not set.
           T1 is about to execute P2 when it gets pre-empted.

        2. T2 creates a VM and gets to point P1, and sees that g_jscConfig.isPermanentlyFrozen is not set.
           T2 proceeds to point P2 and sets g_jscConfig.isPermanentlyFrozen to true.
           T2 goes on to freeze the Config and makes it not writable.

        3. T1 gets to run again, and proceeds to point P2.
           T1 tries to set g_jscConfig.isPermanentlyFrozen to true.
           But because the Config has been frozen against writes, the write to
           g_jscConfig.isPermanentlyFrozen results in a crash.

        This is a classic TOCTOU bug.  The fix is simply to ensure that only one thread
        can enter Config::permanentlyFreeze() at a time.

        Ditto for Gigacage::permanentlyFreezeGigacageConfig().

        * runtime/JSCConfig.cpp:
        (JSC::Config::permanentlyFreeze):
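
        Added model of the race in the entry above (not JavaScriptCore's code): the Config, the two threads and the scheduler are simulated in a single thread so the exact T1/T2 interleaving from the entry can be replayed deterministically, once without and once with the "one thread at a time" fix. All names (`Config`, `Thread`, `Simulation`, `runChangeLogInterleaving`) are hypothetical.

```cpp
// Stand-in for g_jscConfig: the flag, plus whether the memory holding it is
// still writable (false once the Config has been frozen against writes).
struct Config {
    bool isPermanentlyFrozen = false;
    bool writable = true;
};

// A write to frozen memory crashes in JSC; the model counts it instead.
struct Outcome {
    int freezes = 0;          // threads that performed the freeze (should be 1)
    int crashes = 0;          // writes attempted after the Config was frozen
};

// One thread stepping through Config::permanentlyFreeze() one point at a time.
struct Thread {
    enum Point { P1, P2, Done };
    Point next = P1;
    bool holdsLock = false;
};

struct Simulation {
    Config config;
    Outcome outcome;
    bool useLock;             // true: the fix, check-and-set under a mutex
    bool lockHeld = false;

    explicit Simulation(bool lock) : useLock(lock) { }

    // Advances `t` by one point. Returns false if `t` had to wait for the lock.
    bool step(Thread& t)
    {
        if (t.next == Thread::Done)
            return true;
        if (useLock && !t.holdsLock) {
            if (lockHeld)
                return false;                       // blocked behind the other thread
            lockHeld = t.holdsLock = true;
        }
        if (t.next == Thread::P1) {
            // Point P1: the check. A frozen Config means nothing left to do.
            t.next = config.isPermanentlyFrozen ? Thread::Done : Thread::P2;
        } else {
            // Point P2: the write, then freezing the Config against writes.
            if (!config.writable)
                ++outcome.crashes;                  // this write crashes in JSC
            config.isPermanentlyFrozen = true;
            config.writable = false;
            ++outcome.freezes;
            t.next = Thread::Done;
        }
        if (t.next == Thread::Done && t.holdsLock)
            lockHeld = t.holdsLock = false;         // leaving permanentlyFreeze()
        return true;
    }
};

// Replays the entry's schedule: T1 reaches P1 and is pre-empted, T2 runs P1
// and P2 to completion, then T1 resumes at P2. A thread blocked on the lock
// simply retries on its next turn; rounds repeat until both threads finish.
Outcome runChangeLogInterleaving(bool useLock)
{
    Simulation sim(useLock);
    Thread t1, t2;
    Thread* schedule[] = { &t1, &t2, &t2, &t1 };
    for (int round = 0; round < 4; ++round) {
        if (t1.next == Thread::Done && t2.next == Thread::Done)
            break;
        for (Thread* t : schedule)
            sim.step(*t);
    }
    return sim.outcome;
}
```

Without the lock both threads pass P1 and both freeze, and T1's late write lands on frozen memory; with the lock T2 waits, then sees the flag already set and does nothing.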

2020-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSStringJoiner is missing BigInt handling
        https://bugs.webkit.org/show_bug.cgi?id=211174

        Reviewed by Mark Lam.

        JSStringJoiner was missing handling for BigInt (specifically BigInt32) and appended the empty string incorrectly.
        In debug builds, an assertion hits. We should support BigInt in JSStringJoiner.

        * runtime/JSStringJoiner.h:
        (JSC::JSStringJoiner::appendWithoutSideEffects):

2020-04-29  Saam Barati  <sbarati@apple.com>

        ICU's U_STRING_NOT_TERMINATED_WARNING must be handled when using the output buffer as a C string
        https://bugs.webkit.org/show_bug.cgi?id=211142
        <rdar://problem/62530860>

        Reviewed by Darin Adler.

        * runtime/IntlDateTimeFormat.cpp:
        (JSC::defaultTimeZone):
        (JSC::canonicalizeTimeZoneName):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::format):
        (JSC::IntlDateTimeFormat::formatToParts):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::format):
        (JSC::IntlNumberFormat::formatToParts):
        * runtime/IntlObject.cpp:
        (JSC::convertICULocaleToBCP47LanguageTag):
        (JSC::canonicalizeLanguageTag):
        * runtime/IntlRelativeTimeFormat.cpp:
        (JSC::IntlRelativeTimeFormat::formatInternal):
        (JSC::IntlRelativeTimeFormat::formatToParts):
        * runtime/StringPrototype.cpp:
        (JSC::toLocaleCase):
        (JSC::normalize):

2020-04-28  Saam Barati  <sbarati@apple.com>

        Unreviewed. Fix 32-bit build.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createFrom):
        (JSC::Int32BigIntImpl::digit):

2020-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, reverting r260876 and r260877.
        https://bugs.webkit.org/show_bug.cgi?id=211165

        Broke build (Requested by yusukesuzuki on #webkit).

        Reverted changesets:

        "Unreviewed, build fix on watchOS"
        https://bugs.webkit.org/show_bug.cgi?id=210978
        https://trac.webkit.org/changeset/260876

        "Unreviewed, speculative build fix on watchOS part 2"
        https://bugs.webkit.org/show_bug.cgi?id=210978
        https://trac.webkit.org/changeset/260877

2020-04-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, speculative build fix on watchOS part 2
        https://bugs.webkit.org/show_bug.cgi?id=210978

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createFrom):
        (JSC::Int32BigIntImpl::digit):
        * runtime/JSBigInt.h:

2020-04-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, build fix on watchOS
        https://bugs.webkit.org/show_bug.cgi?id=210978

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createFrom):
        (JSC::Int32BigIntImpl::digit):
        * runtime/JSBigInt.h:

2020-04-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] BigInt constructor should accept larger integers than safe-integers
        https://bugs.webkit.org/show_bug.cgi?id=210755

        Reviewed by Darin Adler.

        While our implementation of the BigInt constructor only accepts safe integers, it should accept all integers.
        This patch implements it by creating JSBigInt::createFrom(double). We port the double bit-processing part from
        V8, in the same way as the other parts of JSBigInt.

        * runtime/BigIntConstructor.cpp:
        (JSC::callBigIntConstructor):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createFrom):
        * runtime/JSBigInt.h:
        * runtime/MathCommon.h:
        (JSC::isInteger):
        (JSC::isSafeInteger):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorFuncIsSafeInteger):
        * runtime/NumberConstructor.h:
714
715 2020-04-28  Ross Kirsling  <ross.kirsling@sony.com>
716
717         [JSC] Align upon the name isCallable instead of isFunction
718         https://bugs.webkit.org/show_bug.cgi?id=211140
719
720         Reviewed by Darin Adler.
721
722         Follow-up to r260722. Usage is now cleanly separated between isFunction / getCallData,
723         but the name isCallable is still clearer than isFunction so let's flip that after all.
724
725         * API/JSContextRef.cpp:
726         (JSGlobalContextSetUnhandledRejectionCallback):
727         * API/JSObjectRef.cpp:
728         (JSObjectIsFunction):
729         * dfg/DFGOperations.cpp:
730         * ftl/FTLLowerDFGToB3.cpp:
731         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
732         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
733         (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
734         (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
735         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
736         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
737         (JSC::FTL::DFG::LowerDFGToB3::isCallable):
738         (JSC::FTL::DFG::LowerDFGToB3::isFunction): Deleted.
739         * ftl/FTLOperations.cpp:
740         (JSC::FTL::operationTypeOfObjectAsTypeofType):
741         * jsc.cpp:
742         (functionSetUnhandledRejectionCallback):
743         * runtime/CommonSlowPaths.cpp:
744         (JSC::SLOW_PATH_DECL):
745         * runtime/ExceptionHelpers.cpp:
746         (JSC::errorDescriptionForValue):
747         * runtime/FunctionPrototype.cpp:
748         (JSC::functionProtoFuncToString):
749         * runtime/InternalFunction.cpp:
750         (JSC::getFunctionRealm):
751         * runtime/JSCJSValue.h:
752         * runtime/JSCJSValueInlines.h:
753         (JSC::JSValue::isCallable const):
754         (JSC::JSValue::isFunction const): Deleted.
755         * runtime/JSCell.h:
756         * runtime/JSCellInlines.h:
757         (JSC::JSCell::isCallable):
758         (JSC::JSCell::isFunction): Deleted.
759         * runtime/JSONObject.cpp:
760         (JSC::Stringifier::appendStringifiedValue):
761         * runtime/ObjectConstructor.cpp:
762         (JSC::toPropertyDescriptor):
763         * runtime/ObjectPrototype.cpp:
764         (JSC::objectProtoFuncDefineGetter):
765         (JSC::objectProtoFuncDefineSetter):
766         * runtime/Operations.cpp:
767         (JSC::jsTypeStringForValue):
768         (JSC::jsIsObjectTypeOrNull):
769         * runtime/ProxyObject.cpp:
770         (JSC::ProxyObject::structureForTarget):
771         (JSC::ProxyObject::finishCreation):
772         * runtime/RuntimeType.cpp:
773         (JSC::runtimeTypeForValue):
774         * tools/JSDollarVM.cpp:
775         (JSC::functionCallWithStackSize):
776         (JSC::functionFindTypeForExpression):
777         (JSC::functionReturnTypeFor):
778         (JSC::functionHasBasicBlockExecuted):
779         (JSC::functionBasicBlockExecutionCount):
780         * wasm/WasmInstance.cpp:
781         (JSC::Wasm::Instance::setFunctionWrapper):
782         * wasm/WasmOperations.cpp:
783         (JSC::Wasm::operationIterateResults):
784         (JSC::Wasm::operationWasmRefFunc):
785         * wasm/js/WebAssemblyModuleRecord.cpp:
786         (JSC::WebAssemblyModuleRecord::link):
787         * wasm/js/WebAssemblyWrapperFunction.cpp:
788         (JSC::WebAssemblyWrapperFunction::finishCreation):
789
790 2020-04-28  Yusuke Suzuki  <ysuzuki@apple.com>
791
792         [JSC] NumberConstructor should accept BigInt
793         https://bugs.webkit.org/show_bug.cgi?id=210835
794
795         Reviewed by Mark Lam.
796
797         This patch fixes our Number constructor behavior to accept BigInt. According to the spec[1],
798         Number constructor should accept BigInt and should generate numbers from that.
799
800         We port V8's BigInt to double conversion code as we did for the other HeapBigInt runtime functions.
801
802         And we introduce CallNumberConstructor DFG node and handle Number constructor call with BigInt correctly
803         in DFG and FTL. Previously we were emitting ToNumber DFG node for Number constructor. But this is wrong
804         now since ToNumber does not accept BigInt and throws an error, and Number constructor should not use
805         ToNumber to implement its implementation. So we should introduce slightly different semantics: CallNumberConstructor
806         as we introduced CallStringConstructor in addition to ToString DFG node. And we add appropriate BigInt32 path
807         to emit efficient CallNumberConstructor machine code.
808
809         [1]: https://tc39.es/ecma262/#sec-number-constructor-number-value
810
811         * dfg/DFGAbstractInterpreterInlines.h:
812         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
813         * dfg/DFGBackwardsPropagationPhase.cpp:
814         (JSC::DFG::BackwardsPropagationPhase::propagate):
815         * dfg/DFGByteCodeParser.cpp:
816         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
817         * dfg/DFGClobberize.h:
818         (JSC::DFG::clobberize):
819         * dfg/DFGConstantFoldingPhase.cpp:
820         (JSC::DFG::ConstantFoldingPhase::foldConstants):
821         * dfg/DFGDoesGC.cpp:
822         (JSC::DFG::doesGC):
823         * dfg/DFGFixupPhase.cpp:
824         (JSC::DFG::FixupPhase::fixupNode):
825         (JSC::DFG::FixupPhase::fixupToNumberOrToNumericOrCallNumberConstructor):
826         (JSC::DFG::FixupPhase::fixupToNumeric): Deleted.
827         (JSC::DFG::FixupPhase::fixupToNumber): Deleted.
828         * dfg/DFGNode.h:
829         (JSC::DFG::Node::hasHeapPrediction):
830         * dfg/DFGNodeType.h:
831         * dfg/DFGOperations.cpp:
832         * dfg/DFGOperations.h:
833         * dfg/DFGPredictionPropagationPhase.cpp:
834         * dfg/DFGSafeToExecute.h:
835         (JSC::DFG::safeToExecute):
836         * dfg/DFGSpeculativeJIT.cpp:
837         (JSC::DFG::SpeculativeJIT::compileToNumeric):
838         (JSC::DFG::SpeculativeJIT::compileCallNumberConstructor):
839         * dfg/DFGSpeculativeJIT.h:
840         * dfg/DFGSpeculativeJIT32_64.cpp:
841         (JSC::DFG::SpeculativeJIT::compile):
842         * dfg/DFGSpeculativeJIT64.cpp:
843         (JSC::DFG::SpeculativeJIT::compile):
844         * ftl/FTLCapabilities.cpp:
845         (JSC::FTL::canCompile):
846         * ftl/FTLLowerDFGToB3.cpp:
847         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
848         (JSC::FTL::DFG::LowerDFGToB3::compileCallNumberConstructor):
849         * runtime/JSBigInt.cpp:
850         (JSC::JSBigInt::decideRounding):
851         (JSC::JSBigInt::toNumberHeap):
852         * runtime/JSBigInt.h:
853         * runtime/NumberConstructor.cpp:
854         (JSC::constructNumberConstructor):
855         (JSC::callNumberConstructor):
856
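Added example, not JavaScriptCore code: the two conversions described in the BigInt-constructor and Number-constructor entries above, rebuilt in script from the IEEE-754 bit layout so the integer check, the range handling and the round-half-to-even step are explicit, and checked against the engine's own BigInt() and Number(). Function names and the sample values are this example's own.

```javascript
// Added example (not JSC code). doubleToBigInt mirrors what BigInt(double) must
// do once it accepts every integral double rather than only safe integers;
// bigIntToDouble mirrors Number(bigint), including the rounding decision.

const MANTISSA_BITS = 52n;
const MANTISSA_MASK = (1n << MANTISSA_BITS) - 1n;

// BigInt(double): every integral double converts exactly; NaN, +/-Infinity and
// fractional values are a RangeError, as in the built-in.
function doubleToBigInt(x) {
  if (!Number.isInteger(x)) {
    throw new RangeError(`${x} cannot be converted to a BigInt: not an integer`);
  }
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, x);
  const bits = view.getBigUint64(0);
  const biasedExponent = Number((bits >> MANTISSA_BITS) & 0x7ffn);
  if (biasedExponent === 0) {
    return 0n; // +0 and -0; subnormals are never integers
  }
  const negative = (bits >> 63n) === 1n;
  // Restore the implicit leading 1; the mantissa is then an integer scaled by
  // 2^(biasedExponent - 1023 - 52). For an integral value a negative shift only
  // drops zero bits, so the result is exact.
  const mantissa = (bits & MANTISSA_MASK) | (1n << MANTISSA_BITS);
  const shift = biasedExponent - 1075;
  const magnitude = shift >= 0 ? mantissa << BigInt(shift) : mantissa >> BigInt(-shift);
  return negative ? -magnitude : magnitude;
}

// Number(bigint): keep the top 53 significant bits, round half to even on the
// discarded bits, carry if rounding overflowed the window, then scale.
function bigIntToDouble(b) {
  if (b === 0n) return 0;
  const negative = b < 0n;
  const magnitude = negative ? -b : b;
  const bitLength = magnitude.toString(2).length;
  let top = magnitude;
  let shift = bitLength - 53;
  if (shift > 0) {
    const dropped = magnitude & ((1n << BigInt(shift)) - 1n);
    const half = 1n << BigInt(shift - 1);
    top = magnitude >> BigInt(shift);
    // Round up when the remainder is above half, or exactly half and the kept
    // value is odd (ties to even).
    if (dropped > half || (dropped === half && (top & 1n) === 1n)) {
      top += 1n;
      if (top === 1n << 53n) { // carry out of the 53-bit window
        top >>= 1n;
        shift += 1;
      }
    }
  }
  // top < 2^53, so Number(top) is exact; 2**shift is an exact power of two and
  // the product overflows to Infinity exactly where the built-in does.
  const result = shift > 0 ? Number(top) * 2 ** shift : Number(top);
  return negative ? -result : result;
}

// Constructed sample values covering zero, signs, the 2^53 boundary, values
// beyond the safe-integer range, and overflow. Returns true when both
// reimplementations agree with the engine on every one of them.
function agreesWithBuiltins() {
  const doubles = [0, -0, 1, -1, 2 ** 53, 2 ** 53 + 2, 2 ** 60, -(2 ** 64), 2 ** 1023];
  const bigints = [1n, -1n, 2n ** 53n + 1n, 2n ** 53n + 3n, 2n ** 64n, -(2n ** 100n) + 7n, 2n ** 1024n];
  return doubles.every((x) => doubleToBigInt(x) === BigInt(x))
    && bigints.every((v) => Object.is(bigIntToDouble(v), Number(v)));
}
```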
857 2020-04-27  Yusuke Suzuki  <ysuzuki@apple.com>
858
859         [JSC] Throw OutOfMemoryError instead of RangeError if BigInt is too big
860         https://bugs.webkit.org/show_bug.cgi?id=211111
861
862         Reviewed by Saam Barati.
863
864         Currently, we are throwing a RangeError if we detect that JSBigInt becomes too large. But this is not consistent with our JSString's policy.
865         We should throw OutOfMemoryError in this case. This also makes DFG simple since DFG allows throwing OutOfMemoryError in any places which node
866         is even removed.
867
868         * dfg/DFGFixupPhase.cpp:
869         (JSC::DFG::FixupPhase::fixupNode):
870         * runtime/ExceptionHelpers.cpp:
871         (JSC::throwOutOfMemoryError):
872         * runtime/ExceptionHelpers.h:
873         * runtime/JSBigInt.cpp:
874         (JSC::JSBigInt::tryCreateWithLength):
875         (JSC::JSBigInt::exponentiateHeap):
876         (JSC::JSBigInt::leftShiftByAbsolute):
877         (JSC::JSBigInt::allocateFor):
878
879 2020-04-27  Saam Barati  <sbarati@apple.com>
880
881         BigInt math runtime shouldn't convert BigInt32 input operands to a heap cell when doing math
882         https://bugs.webkit.org/show_bug.cgi?id=210978
883
884         Reviewed by Yusuke Suzuki.
885
886         This patch adds support in the runtime for doing almost all BigInt math
887         operations on the inputs either being Int32, HeapBigInt, or a mixing
888         of both. Before, if we detected a binary operation on an Int32 and a
889         HeapBigInt, this would lead us to convert the Int32 operand into a HeapBigInt.
890         
891         This is especially bad because we'd repeat this for all math ops. For example,
892         if x is a BigInt32, and all rhs are a HeapBigInt, we'd repeatedly convert x
893         to a HeapBigInt for each operation:
894         ```
895         x + y
896         x * y
897         x - y
898         x >> y
899         x << y
900         etc
901         ```
902         
903         To teach the runtime how to operate both over a BigInt32 and a HeapBigInt, I
904         templatized the runtime math operations to work both over BigInt32 and
905         HeapBigInt wrapper classes that expose the same interface.
906         
907         This is a ~28% speedup on microbenchmarks/sunspider-sha1-big-int.js
908
909         * ftl/FTLLowerDFGToB3.cpp:
910         (JSC::FTL::DFG::LowerDFGToB3::compare):
911         * jit/JITOperations.cpp:
912         * runtime/CommonSlowPaths.cpp:
913         (JSC::SLOW_PATH_DECL):
914         * runtime/JSBigInt.cpp:
915         (JSC::HeapBigIntImpl::HeapBigIntImpl):
916         (JSC::HeapBigIntImpl::isZero):
917         (JSC::HeapBigIntImpl::sign):
918         (JSC::HeapBigIntImpl::length):
919         (JSC::HeapBigIntImpl::digit):
920         (JSC::HeapBigIntImpl::toHeapBigInt):
921         (JSC::Int32BigIntImpl::Int32BigIntImpl):
922         (JSC::Int32BigIntImpl::isZero):
923         (JSC::Int32BigIntImpl::sign):
924         (JSC::Int32BigIntImpl::length):
925         (JSC::Int32BigIntImpl::digit):
926         (JSC::Int32BigIntImpl::toHeapBigInt):
927         (JSC::JSBigInt::ImplResult::ImplResult):
928         (JSC::tryConvertToBigInt32):
929         (JSC::JSBigInt::inplaceMultiplyAdd):
930         (JSC::JSBigInt::exponentiateImpl):
931         (JSC::JSBigInt::exponentiate):
932         (JSC::JSBigInt::multiplyImpl):
933         (JSC::JSBigInt::multiply):
934         (JSC::JSBigInt::divideImpl):
935         (JSC::JSBigInt::divide):
936         (JSC::JSBigInt::copy):
937         (JSC::JSBigInt::unaryMinusImpl):
938         (JSC::JSBigInt::unaryMinus):
939         (JSC::JSBigInt::remainderImpl):
940         (JSC::JSBigInt::remainder):
941         (JSC::JSBigInt::incImpl):
942         (JSC::JSBigInt::inc):
943         (JSC::JSBigInt::decImpl):
944         (JSC::JSBigInt::dec):
945         (JSC::JSBigInt::addImpl):
946         (JSC::JSBigInt::add):
947         (JSC::JSBigInt::subImpl):
948         (JSC::JSBigInt::sub):
949         (JSC::JSBigInt::bitwiseAndImpl):
950         (JSC::JSBigInt::bitwiseAnd):
951         (JSC::JSBigInt::bitwiseOrImpl):
952         (JSC::JSBigInt::bitwiseOr):
953         (JSC::JSBigInt::bitwiseXorImpl):
954         (JSC::JSBigInt::bitwiseXor):
955         (JSC::JSBigInt::leftShiftImpl):
956         (JSC::JSBigInt::leftShift):
957         (JSC::JSBigInt::leftShiftSlow):
958         (JSC::JSBigInt::signedRightShiftImpl):
959         (JSC::JSBigInt::signedRightShift):
960         (JSC::JSBigInt::bitwiseNotImpl):
961         (JSC::JSBigInt::bitwiseNot):
962         (JSC::JSBigInt::internalMultiplyAdd):
963         (JSC::JSBigInt::multiplyAccumulate):
964         (JSC::JSBigInt::absoluteCompare):
965         (JSC::JSBigInt::compareImpl):
966         (JSC::JSBigInt::compare):
967         (JSC::JSBigInt::absoluteAdd):
968         (JSC::JSBigInt::absoluteSub):
969         (JSC::JSBigInt::absoluteDivWithDigitDivisor):
970         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
971         (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
972         (JSC::JSBigInt::absoluteBitwiseOp):
973         (JSC::JSBigInt::absoluteAnd):
974         (JSC::JSBigInt::absoluteOr):
975         (JSC::JSBigInt::absoluteAndNot):
976         (JSC::JSBigInt::absoluteXor):
977         (JSC::JSBigInt::absoluteAddOne):
978         (JSC::JSBigInt::absoluteSubOne):
979         (JSC::JSBigInt::leftShiftByAbsolute):
980         (JSC::JSBigInt::rightShiftByAbsolute):
981         (JSC::JSBigInt::rightShiftByMaximum):
982         (JSC::JSBigInt::toStringGeneric):
983         (JSC::JSBigInt::toShiftAmount):
984         (JSC::JSBigInt::exponentiateHeap): Deleted.
985         (JSC::JSBigInt::multiplyHeap): Deleted.
986         (JSC::JSBigInt::divideHeap): Deleted.
987         (JSC::JSBigInt::unaryMinusHeap): Deleted.
988         (JSC::JSBigInt::remainderHeap): Deleted.
989         (JSC::JSBigInt::incHeap): Deleted.
990         (JSC::JSBigInt::decHeap): Deleted.
991         (JSC::JSBigInt::addHeap): Deleted.
992         (JSC::JSBigInt::subHeap): Deleted.
993         (JSC::JSBigInt::bitwiseAndHeap): Deleted.
994         (JSC::JSBigInt::bitwiseOrHeap): Deleted.
995         (JSC::JSBigInt::bitwiseXorHeap): Deleted.
996         (JSC::JSBigInt::leftShiftHeap): Deleted.
997         (JSC::JSBigInt::signedRightShiftHeap): Deleted.
998         (JSC::JSBigInt::bitwiseNotHeap): Deleted.
999         (JSC::JSBigInt::compareToInt32): Deleted.
1000         * runtime/JSBigInt.h:
1001         * runtime/Operations.cpp:
1002         (JSC::jsAddSlowCase):
1003         * runtime/Operations.h:
1004         (JSC::compareBigInt):
1005         (JSC::compareBigInt32ToOtherPrimitive):
1006         (JSC::arithmeticBinaryOp):
1007         (JSC::jsSub):
1008         (JSC::jsMul):
1009         (JSC::jsDiv):
1010         (JSC::jsRemainder):
1011         (JSC::jsPow):
1012         (JSC::jsInc):
1013         (JSC::jsDec):
1014         (JSC::jsBitwiseNot):
1015         (JSC::shift):
1016         (JSC::jsLShift):
1017         (JSC::jsRShift):
1018         (JSC::bitwiseBinaryOp):
1019         (JSC::jsBitwiseAnd):
1020         (JSC::jsBitwiseOr):
1021         (JSC::jsBitwiseXor):
1022
1023 2020-04-27  Yusuke Suzuki  <ysuzuki@apple.com>
1024
1025         [JSC] >>> should call ToNumeric
1026         https://bugs.webkit.org/show_bug.cgi?id=211065
1027
1028         Reviewed by Ross Kirsling.
1029
1030         While BigInt does not support the >>> operator, the >>> operator should call ToNumeric (in this case, toBigIntOrInt32) for both operands before throwing an error.
1031         We call toBigIntOrInt32 for both operands, and throw an error. After that, we cast int32_t to uint32_t to perform the >>> operator. This is correct
1032         since the only difference between toUint32 and toInt32 is casting the int32_t result to uint32_t.
1033
1034         * dfg/DFGOperations.cpp:
1035         * runtime/CommonSlowPaths.cpp:
1036         (JSC::SLOW_PATH_DECL):
1037         * runtime/Operations.h:
1038         (JSC::shift):
1039         (JSC::jsURShift):
1040
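Added example, not JavaScriptCore code: the operand handling the entry above describes, observed from script. valueOf traces show that both operands go through ToNumeric before the BigInt TypeError is raised, and toUint32ViaInt32 checks the claim that ToUint32 is ToInt32 followed by a reinterpreting cast. Function names are this example's own.

```javascript
// Added example (not JSC code). Wraps each operand so that ToNumeric (reached
// through valueOf) records when it runs, then applies >>> and reports the call
// order together with the result or the error.
function traceUnsignedRightShift(lhs, rhs) {
  const calls = [];
  const observed = (name, value) => ({
    valueOf() {
      calls.push(name);
      return value;
    },
  });
  let result;
  let error = null;
  try {
    // Both valueOf calls happen before the operator decides whether the
    // operand types are acceptable, so 'lhs' and 'rhs' are recorded even when
    // the shift then throws for BigInt or mixed operands.
    result = observed('lhs', lhs) >>> observed('rhs', rhs);
  } catch (e) {
    error = e;
  }
  return { calls, result, error };
}

// ToUint32 computed the way the entry describes: take the ToInt32 result and
// reinterpret it as an unsigned 32-bit value instead of converting again.
function toUint32ViaInt32(value) {
  const int32 = value | 0; // ToInt32
  return int32 < 0 ? int32 + 2 ** 32 : int32;
}
```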
1041 2020-04-27  Keith Miller  <keith_miller@apple.com>
1042
1043         OSR Exit compiler should know and print the exiting DFG node's index
1044         https://bugs.webkit.org/show_bug.cgi?id=210998
1045
1046         Reviewed by Mark Lam.
1047
1048         The only interesting thing here is that we set the node to index 0 if there is no node.
1049         AFAICT, we only don't have a node when we are checking arguments.
1050
1051         * dfg/DFGOSRExit.cpp:
1052         (JSC::DFG::OSRExit::OSRExit):
1053         (JSC::DFG::operationCompileOSRExit):
1054         * dfg/DFGOSRExitBase.h:
1055         (JSC::DFG::OSRExitBase::OSRExitBase):
1056         * ftl/FTLLowerDFGToB3.cpp:
1057         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
1058         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1059         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
1060         * ftl/FTLOSRExit.cpp:
1061         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
1062         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
1063         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
1064         (JSC::FTL::OSRExit::OSRExit):
1065         * ftl/FTLOSRExit.h:
1066         * ftl/FTLOSRExitCompiler.cpp:
1067         (JSC::FTL::compileStub):
1068
1069 2020-04-27  Saam Barati  <sbarati@apple.com>
1070
1071         compilePeepHoleBigInt32Branch needs to handle all conditions
1072         https://bugs.webkit.org/show_bug.cgi?id=211096
1073         <rdar://problem/62469971>
1074
1075         Reviewed by Yusuke Suzuki.
1076
1077         We were falling through to the generic path for all conditions which
1078         weren't Equal/NotEqual. The generic path does not do speculation, so
1079         it was leading to potential miscompiles because we omitted a type check.
1080         Defining compilePeepHoleBigInt32Branch for other conditions is trivial,
1081         so this patch just implements that.
1082
1083         This failure is caught by microbenchmarks/sunspider-sha1-big-int.js
1084
1085         * dfg/DFGSpeculativeJIT.cpp:
1086         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1087         * dfg/DFGSpeculativeJIT64.cpp:
1088         (JSC::DFG::SpeculativeJIT::compilePeepHoleBigInt32Branch):
1089
1090 2020-04-27  Jason Lawrence  <lawrence.j@apple.com>
1091
1092         Unreviewed, reverting r260772.
1093
1094         This commit caused tests to start failing internally.
1095
1096         Reverted changeset:
1097
1098         "OSR Exit compiler should know and print the exiting DFG
1099         node's index"
1100         https://bugs.webkit.org/show_bug.cgi?id=210998
1101         https://trac.webkit.org/changeset/260772
1102
1103 2020-04-27  Yusuke Suzuki  <ysuzuki@apple.com>
1104
1105         [JSC] Add $vm.assertEnabled() to suppress Debug crash expected tests in release+assert build
1106         https://bugs.webkit.org/show_bug.cgi?id=211089
1107
1108         Reviewed by Keith Miller.
1109
1110         Expose ASSERT_ENABLED condition to the shell to control crash expected tests.
1111
1112         * tools/JSDollarVM.cpp:
1113         (JSC::functionAssertEnabled):
1114         (JSC::JSDollarVM::finishCreation):
1115
1116 2020-04-27  Keith Miller  <keith_miller@apple.com>
1117
1118         OSR Exit compiler should know and print the exiting DFG node's index
1119         https://bugs.webkit.org/show_bug.cgi?id=210998
1120
1121         Reviewed by Mark Lam.
1122
1123         The only interesting thing here is that we set the node to index 0 if there is no node.
1124         AFAICT, we only don't have a node when we are checking arguments.
1125
1126         * dfg/DFGOSRExit.cpp:
1127         (JSC::DFG::OSRExit::OSRExit):
1128         (JSC::DFG::operationCompileOSRExit):
1129         * dfg/DFGOSRExitBase.h:
1130         (JSC::DFG::OSRExitBase::OSRExitBase):
1131         * ftl/FTLLowerDFGToB3.cpp:
1132         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
1133         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1134         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
1135         * ftl/FTLOSRExit.cpp:
1136         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
1137         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
1138         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
1139         (JSC::FTL::OSRExit::OSRExit):
1140         * ftl/FTLOSRExit.h:
1141         * ftl/FTLOSRExitCompiler.cpp:
1142         (JSC::FTL::compileStub):
1143
1144 2020-04-27  Ross Kirsling  <ross.kirsling@sony.com>
1145
1146         [JSC] CallData/ConstructData should include CallType/ConstructType
1147         https://bugs.webkit.org/show_bug.cgi?id=211059
1148
1149         Reviewed by Darin Adler.
1150
1151         getCallData/getConstructData return a CallType/ConstructType and have a CallData/ConstructData out param,
1152         and then *both* of these are passed side-by-side to `call`/`construct`, which all seems a bit silly.
1153
1154         This patch merges CallType/ConstructType into CallData/ConstructData such that getCallData/getConstructData
1155         no longer need an out param and `call`/`construct` require one less overt parameter.
1156
1157         In so doing, it also:
1158         - removes ConstructData entirely as it's an exact duplicate of CallData
1159         - renames enum value Host to Native in alignment with CallData's union
1160
1161         * API/JSCallbackConstructor.cpp:
1162         (JSC::JSCallbackConstructor::getConstructData):
1163         * API/JSCallbackConstructor.h:
1164         * API/JSCallbackObject.h:
1165         * API/JSCallbackObjectFunctions.h:
1166         (JSC::JSCallbackObject<Parent>::getConstructData):
1167         (JSC::JSCallbackObject<Parent>::getCallData):
1168         * API/JSObjectRef.cpp:
1169         (JSObjectCallAsFunction):
1170         (JSObjectCallAsConstructor):
1171         * bindings/ScriptFunctionCall.cpp:
1172         (Deprecated::ScriptFunctionCall::call):
1173         * bindings/ScriptFunctionCall.h:
1174         * dfg/DFGOperations.cpp:
1175         * inspector/InjectedScriptManager.cpp:
1176         (Inspector::InjectedScriptManager::createInjectedScript):
1177         * inspector/InspectorEnvironment.h:
1178         * interpreter/Interpreter.cpp:
1179         (JSC::Interpreter::executeProgram):
1180         (JSC::Interpreter::executeCall):
1181         (JSC::Interpreter::executeConstruct):
1182         * interpreter/Interpreter.h:
1183         * jit/JITOperations.cpp:
1184         * jsc.cpp:
1185         (functionDollarAgentReceiveBroadcast):
1186         * llint/LLIntSlowPaths.cpp:
1187         (JSC::LLInt::handleHostCall):
1188         * runtime/ArrayPrototype.cpp:
1189         (JSC::arrayProtoFuncToString):
1190         (JSC::arrayProtoFuncToLocaleString):
1191         * runtime/CallData.cpp:
1192         (JSC::call):
1193         (JSC::profiledCall):
1194         * runtime/CallData.h:
1195         * runtime/ClassInfo.h:
1196         * runtime/CommonSlowPaths.cpp:
1197         (JSC::SLOW_PATH_DECL):
1198         * runtime/ConstructData.cpp:
1199         (JSC::construct):
1200         (JSC::profiledConstruct):
1201         * runtime/ConstructData.h:
1202         (JSC::construct):
1203         (JSC::profiledConstruct):
1204         (): Deleted.
1205         * runtime/DatePrototype.cpp:
1206         (JSC::dateProtoFuncToJSON):
1207         * runtime/GetterSetter.cpp:
1208         (JSC::callGetter):
1209         (JSC::callSetter):
1210         * runtime/InternalFunction.cpp:
1211         (JSC::InternalFunction::getCallData):
1212         (JSC::InternalFunction::getConstructData):
1213         * runtime/InternalFunction.h:
1214         * runtime/IteratorOperations.cpp:
1215         (JSC::iteratorNext):
1216         (JSC::iteratorClose):
1217         (JSC::hasIteratorMethod):
1218         (JSC::iteratorMethod):
1219         (JSC::iteratorForIterable):
1220         * runtime/JSBoundFunction.cpp:
1221         (JSC::boundThisNoArgsFunctionCall):
1222         (JSC::boundFunctionCall):
1223         (JSC::boundThisNoArgsFunctionConstruct):
1224         (JSC::boundFunctionConstruct):
1225         * runtime/JSCJSValue.h:
1226         * runtime/JSCell.cpp:
1227         (JSC::JSCell::getCallData):
1228         (JSC::JSCell::getConstructData):
1229         * runtime/JSCell.h:
1230         * runtime/JSCellInlines.h:
1231         (JSC::JSCell::isFunction):
1232         (JSC::JSCell::isConstructor):
1233         * runtime/JSFunction.cpp:
1234         (JSC::JSFunction::getCallData):
1235         (JSC::JSFunction::getConstructData):
1236         * runtime/JSFunction.h:
1237         * runtime/JSInternalPromise.cpp:
1238         (JSC::JSInternalPromise::then):
1239         * runtime/JSMicrotask.cpp:
1240         (JSC::JSMicrotask::run):
1241         * runtime/JSModuleLoader.cpp:
1242         (JSC::JSModuleLoader::dependencyKeysIfEvaluated):
1243         (JSC::JSModuleLoader::provideFetch):
1244         (JSC::JSModuleLoader::loadAndEvaluateModule):
1245         (JSC::JSModuleLoader::loadModule):
1246         (JSC::JSModuleLoader::linkAndEvaluateModule):
1247         (JSC::JSModuleLoader::requestImportModule):
1248         * runtime/JSONObject.cpp:
1249         (JSC::Stringifier::isCallableReplacer const):
1250         (JSC::Stringifier::Stringifier):
1251         (JSC::Stringifier::toJSON):
1252         (JSC::Stringifier::appendStringifiedValue):
1253         (JSC::Walker::Walker):
1254         (JSC::Walker::callReviver):
1255         (JSC::JSONProtoFuncParse):
1256         * runtime/JSObject.cpp:
1257         (JSC::ordinarySetSlow):
1258         (JSC::callToPrimitiveFunction):
1259         (JSC::JSObject::hasInstance):
1260         (JSC::JSObject::getMethod):
1261         * runtime/JSObject.h:
1262         * runtime/JSObjectInlines.h:
1263         (JSC::getCallData):
1264         (JSC::getConstructData):
1265         * runtime/JSPromise.cpp:
1266         (JSC::JSPromise::createDeferredData):
1267         (JSC::JSPromise::resolvedPromise):
1268         (JSC::callFunction):
1269         * runtime/MapConstructor.cpp:
1270         (JSC::constructMap):
1271         * runtime/ObjectPrototype.cpp:
1272         (JSC::objectProtoFuncToLocaleString):
1273         * runtime/ProxyObject.cpp:
1274         (JSC::performProxyGet):
1275         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1276         (JSC::ProxyObject::performHasProperty):
1277         (JSC::ProxyObject::performPut):
1278         (JSC::performProxyCall):
1279         (JSC::ProxyObject::getCallData):
1280         (JSC::performProxyConstruct):
1281         (JSC::ProxyObject::getConstructData):
1282         (JSC::ProxyObject::performDelete):
1283         (JSC::ProxyObject::performPreventExtensions):
1284         (JSC::ProxyObject::performIsExtensible):
1285         (JSC::ProxyObject::performDefineOwnProperty):
1286         (JSC::ProxyObject::performGetOwnPropertyNames):
1287         (JSC::ProxyObject::performSetPrototype):
1288         (JSC::ProxyObject::performGetPrototype):
1289         * runtime/ProxyObject.h:
1290         * runtime/ReflectObject.cpp:
1291         (JSC::reflectObjectConstruct):
1292         * runtime/SamplingProfiler.cpp:
1293         (JSC::SamplingProfiler::processUnverifiedStackTraces):
1294         * runtime/SetConstructor.cpp:
1295         (JSC::constructSet):
1296         * runtime/StringPrototype.cpp:
1297         (JSC::replaceUsingRegExpSearch):
1298         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1299         (JSC::operationStringProtoFuncReplaceRegExpString):
1300         (JSC::replaceUsingStringSearch):
1301         * runtime/VM.cpp:
1302         (JSC::VM::callPromiseRejectionCallback):
1303         * runtime/WeakMapConstructor.cpp:
1304         (JSC::constructWeakMap):
1305         * runtime/WeakSetConstructor.cpp:
1306         (JSC::constructWeakSet):
1307         * tools/JSDollarVM.cpp:
1308         (JSC::callWithStackSizeProbeFunction):
1309         * wasm/js/WebAssemblyModuleRecord.cpp:
1310         (JSC::WebAssemblyModuleRecord::evaluate):
1311         * wasm/js/WebAssemblyWrapperFunction.cpp:
1312         (JSC::callWebAssemblyWrapperFunction):
1313
1314 2020-04-26  Ross Kirsling  <ross.kirsling@sony.com>
1315
1316         [JSC] Clearly distinguish isConstructor from getConstructData
1317         https://bugs.webkit.org/show_bug.cgi?id=211053
1318
1319         Reviewed by Sam Weinig.
1320
1321         Follow-up to r260722. Remove the isConstructor overload that duplicates getConstructData
1322         and clearly distinguish the usage of these two functions.
1323
1324         * runtime/JSCJSValue.h:
1325         * runtime/JSCJSValueInlines.h:
1326         * runtime/JSCell.h:
1327         * runtime/JSCellInlines.h:
1328         (JSC::JSCell::isConstructor):
1329         Remove isConstructor overload.
1330
1331         * runtime/JSBoundFunction.cpp:
1332         (JSC::JSBoundFunction::create):
1333         Don't use getConstructData if you don't need ConstructData.
1334
1335         * runtime/ReflectObject.cpp:
1336         (JSC::reflectObjectConstruct):
1337         Use getConstructData if you need ConstructData.
1338
1339         * API/JSObjectRef.cpp:
1340         (JSObjectIsFunction):
1341         Use isFunction (leftover spot from last patch).
1342
1343 2020-04-26  Alexey Shvayka  <shvaikalesh@gmail.com>
1344
1345         Symbol should have [[Construct]] internal method
1346         https://bugs.webkit.org/show_bug.cgi?id=211050
1347
1348         Reviewed by Yusuke Suzuki.
1349
1350         This change introduces constructSymbol() method, which unconditionally throws
1351         a TypeError, since its presence is observable when, for example, Symbol is a
1352         [[ProxyTarget]] itself [1]. Aligns JSC with the spec [2], V8, and SpiderMonkey.
1353
1354         [1]: https://tc39.es/ecma262/#sec-proxycreate (step 7.b)
1355         [2]: https://tc39.es/ecma262/#constructor
1356
1357         * runtime/SymbolConstructor.cpp:
1358         (JSC::SymbolConstructor::SymbolConstructor):
1359         (JSC::constructSymbol):
1360
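Added example, not JavaScriptCore code: why a [[Construct]] slot that only throws is still observable, as the entry above says. Symbol's slot makes IsConstructor(Symbol) true, so a Proxy over it is constructible and Reflect.construct accepts it as newTarget, even though `new Symbol()` itself always throws. Function names are this example's own.

```javascript
// Added example (not JSC code). IsConstructor probe: Reflect.construct rejects a
// newTarget without [[Construct]] before running anything, so the try/catch
// answers the question without side effects on the probed value.
function isConstructor(value) {
  try {
    Reflect.construct(function () {}, [], value);
    return true;
  } catch (e) {
    return false;
  }
}

function symbolConstructBehaviour() {
  let directNew;
  try {
    new Symbol();
    directNew = 'constructed';
  } catch (e) {
    directNew = e.constructor.name; // the slot exists but always throws TypeError
  }

  // ProxyCreate gives the proxy a [[Construct]] only if the target has one, so
  // a construct trap runs here instead of Symbol's throwing [[Construct]].
  const proxied = new Proxy(Symbol, {
    construct() {
      return { builtByTrap: true };
    },
  });
  let viaProxy;
  try {
    viaProxy = new proxied().builtByTrap ? 'trap-ran' : 'unexpected';
  } catch (e) {
    viaProxy = e.constructor.name;
  }

  // As newTarget, Symbol is accepted and supplies Symbol.prototype through
  // GetPrototypeFromConstructor without its own [[Construct]] ever running.
  const created = Reflect.construct(Object, [], Symbol);

  return {
    directNew,
    viaProxy,
    symbolIsConstructor: isConstructor(Symbol),
    mathMaxIsConstructor: isConstructor(Math.max), // ordinary built-in function, no slot
    newTargetPrototypeIsSymbolPrototype: Object.getPrototypeOf(created) === Symbol.prototype,
  };
}
```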
1361 2020-04-26  Alexey Shvayka  <shvaikalesh@gmail.com>
1362
1363         InternalFunction::createSubclassStructure should use newTarget's globalObject
1364         https://bugs.webkit.org/show_bug.cgi?id=202599
1365
1366         Reviewed by Yusuke Suzuki.
1367
1368         If "prototype" of NewTarget is not an object, built-in constructors [1] should acquire
1369         default [[Prototype]] from realm of NewTarget, utilizing GetFunctionRealm helper [2].
1370         Before this change, realm of active constructor was used instead. This patch introduces
1371         GetFunctionRealm and aligns all subclassable constructors with the spec, V8, and SpiderMonkey.
1372
1373         This change inlines fast paths checks of InternalFunction::createSubclassStructure() and
1374         simplifies its signature; getFunctionRealm() is invoked in slow paths only.
1375
1376         While a dynamically created function uses NewTarget's realm for its default [[Prototype]]
1377         similar to other built-ins, its "prototype" object inherits from ObjectPrototype
1378         of active constructor's realm [3] (just like their scope), making it retain references
1379         to 2 different global objects. To accommodate this behavior, this change introduces
1380         `scopeGlobalObject` in JSFunction.cpp methods.
1381
1382         Above-mentioned behavior also simplifies creation of JSGenerator and JSAsyncGenerator
1383         instances since NewTarget's realm is irrelevant to them.
1384
1385         IntlCollatorConstructor::collatorStructure() and 6 similar methods are removed:
1386         a) to impose good practice of using newTarget's globalObject;
1387         b) with this change, each of them has 1 call site max;
1388         c) other JSC constructors have no methods alike.
1389
1390         [1]: https://tc39.es/ecma262/#sec-map-constructor (step 2)
1391         [2]: https://tc39.es/ecma262/#sec-getfunctionrealm
1392         [3]: https://tc39.es/ecma262/#sec-createdynamicfunction (steps 23-25)
1393
1394         * dfg/DFGOperations.cpp:
1395         * runtime/AggregateErrorConstructor.cpp:
1396         (JSC::callAggregateErrorConstructor):
1397         (JSC::constructAggregateErrorConstructor):
1398         * runtime/AggregateErrorConstructor.h:
1399         * runtime/AsyncFunctionConstructor.cpp:
1400         (JSC::constructAsyncFunctionConstructor):
1401         * runtime/AsyncGeneratorFunctionConstructor.cpp:
1402         (JSC::constructAsyncGeneratorFunctionConstructor):
1403         * runtime/BooleanConstructor.cpp:
1404         (JSC::constructWithBooleanConstructor):
1405         * runtime/CommonSlowPaths.cpp:
1406         (JSC::SLOW_PATH_DECL):
1407         (JSC::createInternalFieldObject):
1408         * runtime/DateConstructor.cpp:
1409         (JSC::constructDate):
1410         * runtime/ErrorConstructor.cpp:
1411         (JSC::constructErrorConstructor):
1412         * runtime/FunctionConstructor.cpp:
1413         (JSC::constructFunctionSkippingEvalEnabledCheck):
1414         * runtime/InternalFunction.cpp:
1415         (JSC::InternalFunction::createSubclassStructure):
1416         (JSC::getFunctionRealm):
1417         (JSC::InternalFunction::createSubclassStructureSlow): Deleted.
1418         * runtime/InternalFunction.h:
1419         (JSC::InternalFunction::createSubclassStructure): Deleted.
1420         * runtime/IntlCollatorConstructor.cpp:
1421         (JSC::constructIntlCollator):
1422         (JSC::callIntlCollator):
1423         * runtime/IntlCollatorConstructor.h:
1424         * runtime/IntlDateTimeFormatConstructor.cpp:
1425         (JSC::constructIntlDateTimeFormat):
1426         (JSC::callIntlDateTimeFormat):
1427         * runtime/IntlDateTimeFormatConstructor.h:
1428         * runtime/IntlNumberFormatConstructor.cpp:
1429         (JSC::constructIntlNumberFormat):
1430         (JSC::callIntlNumberFormat):
1431         * runtime/IntlNumberFormatConstructor.h:
1432         * runtime/IntlPluralRulesConstructor.cpp:
1433         (JSC::constructIntlPluralRules):
1434         * runtime/IntlPluralRulesConstructor.h:
1435         * runtime/IntlRelativeTimeFormatConstructor.cpp:
1436         (JSC::constructIntlRelativeTimeFormat):
1437         * runtime/IntlRelativeTimeFormatConstructor.h:
1438         * runtime/JSArrayBufferConstructor.cpp:
1439         (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
1440         * runtime/JSFunction.cpp:
1441         (JSC::JSFunction::prototypeForConstruction):
1442         (JSC::JSFunction::getOwnPropertySlot):
1443         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1444         (JSC::constructGenericTypedArrayView):
1445         * runtime/JSGlobalObjectInlines.h:
1446         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
1447         * runtime/MapConstructor.cpp:
1448         (JSC::constructMap):
1449         * runtime/NativeErrorConstructor.cpp:
1450         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
1451         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
1452         * runtime/NativeErrorConstructor.h:
1453         * runtime/NumberConstructor.cpp:
1454         (JSC::constructNumberConstructor):
1455         * runtime/ObjectConstructor.cpp:
1456         (JSC::constructObjectWithNewTarget):
1457         * runtime/RegExpConstructor.cpp:
1458         (JSC::getRegExpStructure):
1459         (JSC::constructRegExp):
1460         (JSC::esSpecRegExpCreate):
1461         * runtime/RegExpConstructor.h:
1462         * runtime/SetConstructor.cpp:
1463         (JSC::constructSet):
1464         * runtime/StringConstructor.cpp:
1465         (JSC::constructWithStringConstructor):
1466         * runtime/WeakMapConstructor.cpp:
1467         (JSC::constructWeakMap):
1468         * runtime/WeakObjectRefConstructor.cpp:
1469         (JSC::constructWeakRef):
1470         * runtime/WeakSetConstructor.cpp:
1471         (JSC::constructWeakSet):
1472         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1473         (JSC::constructJSWebAssemblyCompileError):
1474         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1475         (JSC::constructJSWebAssemblyInstance):
1476         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1477         (JSC::constructJSWebAssemblyLinkError):
1478         * wasm/js/WebAssemblyModuleConstructor.cpp:
1479         (JSC::WebAssemblyModuleConstructor::createModule):
1480         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1481         (JSC::constructJSWebAssemblyRuntimeError):
1482
1483 2020-04-26  Yusuke Suzuki  <ysuzuki@apple.com>
1484
1485         [JSC] ValueAdd, ValueSub, ValueMul, Inc, Dec should say SpecBigInt32 prediction based on ArithProfile
1486         https://bugs.webkit.org/show_bug.cgi?id=211038
1487
1488         Reviewed by Filip Pizlo.
1489
1490         This patch adds profile feedback to ValueAdd, ValueSub, ValueMul, Inc, Dec to say SpecBigInt32 prediction.
1491
1492         Our HeapBigInt v.s. BigInt32 strategy is simpler than Double v.s. Int32 strategy: we always
1493         prefer BigInt32 over HeapBigInt. This is because HeapBigInt calculation and conversion require
1494         much higher cost than BigInt32. This tradeoff is largely different from Double v.s. Int32.
1495         So keeping HeapBigInt is simply inefficient when we can use BigInt32.
1496
1497         This means that ArithProfile's feedback is also very simple. If we see HeapBigInt, this means
1498         overflow happens. In DFG, we propagate this information to ValueAdd, ValueSub, and ValueMul nodes
1499         and record it in DFGNodeFlags. And based on this information, we change the prediction and
1500         speculation in prediction propagation and fixup phase.
1501
1502         We change exit reason from Overflow to BigInt32Overflow since Overflow is solely used for Int32 case,
1503         and we have Int52Overflow for Int52 case. We should have BigInt32Overflow for BigInt32 to precisely
1504         record and tell about what happens in DFG as a feedback for the next compilation.
1505
1506         We add BigInt32 speculation for ValueSub. Previously, we missed that in fixup phase and we always
1507         speculated ValueSub with AnyBigIntUse or HeapBigIntUse. Now it can use BigInt32Use.
1508
1509         We also fix Inc / Dec's fixup phase to use BigInt path. Previously, it was always using UntypedUse since
1510         `node->child1()->shouldSpeculateUntypedForArithmetic()` returns true for BigInt. We fix the ordering of
1511         speculation attempts as it is done in the other places in fixup phase.
1512
1513         This patch offers 7.9% performance improvement in sunspider-sha1-big-int.
1514
1515                                                ToT                     Patched
1516
1517             sunspider-sha1-big-int      134.5668+-2.8695     ^    124.6743+-0.7541        ^ definitely 1.0793x faster
1518
1519         * bytecode/ExitKind.cpp:
1520         (JSC::exitKindToString):
1521         * bytecode/ExitKind.h:
1522         * bytecode/SpeculatedType.h:
1523         * dfg/DFGAbstractInterpreterInlines.h:
1524         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1525         * dfg/DFGByteCodeParser.cpp:
1526         (JSC::DFG::ByteCodeParser::makeSafe):
1527         (JSC::DFG::ByteCodeParser::makeDivSafe):
1528         * dfg/DFGFixupPhase.cpp:
1529         (JSC::DFG::FixupPhase::fixupNode):
1530         * dfg/DFGGraph.h:
1531         (JSC::DFG::Graph::binaryArithShouldSpeculateBigInt32):
1532         (JSC::DFG::Graph::unaryArithShouldSpeculateBigInt32):
1533         * dfg/DFGNode.h:
1534         (JSC::DFG::Node::mayHaveBigInt32Result):
1535         (JSC::DFG::Node::mayHaveHeapBigIntResult):
1536         (JSC::DFG::Node::mayHaveBigIntResult):
1537         (JSC::DFG::Node::canSpeculateBigInt32):
1538         (JSC::DFG::Node::canSpeculateInt52):
1539         * dfg/DFGNodeFlags.cpp:
1540         (JSC::DFG::dumpNodeFlags):
1541         * dfg/DFGNodeFlags.h:
1542         (JSC::DFG::nodeMayHaveHeapBigInt):
1543         (JSC::DFG::nodeCanSpeculateBigInt32):
1544         * dfg/DFGPredictionPropagationPhase.cpp:
1545         * dfg/DFGSpeculativeJIT.cpp:
1546         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1547         (JSC::DFG::SpeculativeJIT::compileValueSub):
1548         (JSC::DFG::SpeculativeJIT::compileValueMul):
1549         (JSC::DFG::SpeculativeJIT::compileValueDiv):
1550         (JSC::DFG::SpeculativeJIT::speculateHeapBigInt):
1551         * ftl/FTLLowerDFGToB3.cpp:
1552         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
1553         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
1554         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
1555         (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv):
1556
1557 2020-04-25  Ross Kirsling  <ross.kirsling@sony.com>
1558
1559         [JSC] isCallable is redundant with isFunction
1560         https://bugs.webkit.org/show_bug.cgi?id=211037
1561
1562         Reviewed by Yusuke Suzuki.
1563
1564         isCallable is only being used in two places and has the same definition as isFunction (aside from out params).
1565         Where CallData is needed, getCallData should be used; where CallData is not needed, isFunction should be used.
1566
1567         * runtime/JSCJSValue.h:
1568         * runtime/JSCJSValueInlines.h:
1569         (JSC::JSValue::isCallable const): Deleted.
1570         * runtime/JSCell.h:
1571         * runtime/JSCellInlines.h:
1572         (JSC::JSCell::isCallable): Deleted.
1573         Remove isCallable.
1574
1575         * runtime/JSONObject.cpp:
1576         (JSC::Stringifier::Stringifier):
1577         (JSC::Stringifier::toJSON):
1578         Use getCallData if you need CallData.
1579
1580         * runtime/ExceptionHelpers.cpp:
1581         (JSC::errorDescriptionForValue):
1582         * runtime/ObjectConstructor.cpp:
1583         (JSC::toPropertyDescriptor):
1584         * runtime/ObjectPrototype.cpp:
1585         (JSC::objectProtoFuncDefineGetter):
1586         (JSC::objectProtoFuncDefineSetter):
1587         Don't use getCallData if you don't need CallData.
1588
1589 2020-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
1590
1591         [JSC] Handle BigInt32 INT32_MIN shift amount
1592         https://bugs.webkit.org/show_bug.cgi?id=211030
1593
1594         Reviewed by Darin Adler.
1595
1596         Our BigInt shift-operation does not correctly handle INT32_MIN shift amount, producing a wrong result.
1597         This patch fixes it.
1598
1599         * runtime/Operations.h:
1600         (JSC::shift):
1601
1602 2020-04-25  Darin Adler  <darin@apple.com>
1603
1604         [Cocoa] Deal with another round of Xcode upgrade checks
1605         https://bugs.webkit.org/show_bug.cgi?id=211027
1606
1607         Reviewed by Alexey Proskuryakov.
1608
1609         * JavaScriptCore.xcodeproj/project.pbxproj: Bump the upgrade check version.
1610         Add a harmless base localization; this project contains nothing localized.
1611
1612 2020-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
1613
1614         [JSC] Add fast path for BigInt32 left-shift
1615         https://bugs.webkit.org/show_bug.cgi?id=211029
1616
1617         Reviewed by Saam Barati.
1618
1619         Currently, the left-shift operation misses the fast path for BigInt32 <> BigInt32 case. This patch adds it. We also fix
1620         prediction-propagation for left/right shift to use existing heap prediction instead of polluting the result with SpecBigInt.
1621         This offers 4.5% improvement in microbenchmarks/sunspider-sha1-big-int.js.
1622
1623         * dfg/DFGPredictionPropagationPhase.cpp:
1624         * runtime/Operations.h:
1625         (JSC::shift):
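The INT32_MIN fix above and this BigInt32 left-shift fast path share one hazard: a small-integer shift must decide when its result still fits in 32 bits, and negating an int32 shift amount of INT32_MIN overflows. The block below is an added example, not JSC code; it models an int32 fast path in JavaScript (whose `<<` and `>>` operate on int32) and cross-checks it against BigInt arithmetic as the arbitrary-precision oracle. All function names are assumed for this illustration.

```javascript
const INT32_MIN = -(2 ** 31);
const INT32_MAX = 2 ** 31 - 1;

function isInt32(n) {
  return Number.isInteger(n) && n >= INT32_MIN && n <= INT32_MAX;
}

// Model of a BigInt32 << BigInt32 fast path. Returns the int32 result, using
// BigInt semantics (a negative amount is an arithmetic right shift), or null
// when the result does not fit in int32 and a heap BigInt would be required.
function int32LeftShiftFast(value, amount) {
  if (!isInt32(value) || !isInt32(amount))
    throw new RangeError('inputs must be int32');
  if (amount < 0) {
    // -INT32_MIN is not representable in int32: ((-amount) | 0) === INT32_MIN.
    // A right shift by 31 or more leaves only the sign of an int32, so clamp
    // the magnitude to 31 instead of negating the amount.
    const magnitude = amount === INT32_MIN ? 31 : Math.min(-amount, 31);
    return value >> magnitude;
  }
  if (amount >= 32)
    return value === 0 ? 0 : null;      // only zero survives a shift that wide
  const shifted = (value << amount) | 0; // JS << is an int32 operation
  // Round trip: if shifting back does not restore the value, bits were lost.
  return (shifted >> amount) === value ? shifted : null;
}

// Oracle: the same operation in arbitrary precision.
function leftShiftBigInt(value, amount) {
  return BigInt(value) << BigInt(amount);
}

// True when the fast path either matches the oracle or correctly declines
// because the exact result lies outside int32.
function fastPathAgrees(value, amount) {
  const fast = int32LeftShiftFast(value, amount);
  const exact = leftShiftBigInt(value, amount);
  if (fast === null)
    return exact < BigInt(INT32_MIN) || exact > BigInt(INT32_MAX);
  return BigInt(fast) === exact;
}
```

The `((-amount) | 0) === INT32_MIN` identity in the comment is the whole bug class: code that flips the sign of the shift amount in 32-bit arithmetic and then shifts the other way silently shifts by a negative count.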
1626
1627 2020-04-25  Ross Kirsling  <ross.kirsling@sony.com>
1628
1629         Unreviewed fix for JSC Debug tests following r210853.
1630
1631         * runtime/IntlObject.cpp:
1632         (JSC::canonicalizeLanguageTag):
1633         (JSC::canonicalizeLocaleList):
1634         (JSC::defaultLocale):
1635         Deal with unchecked exception by moving tryGetUtf8 call out of canonicalizeLanguageTag; it's meant to
1636         verify the user input from canonicalizeLocaleList and needn't change the noexcept-ness of defaultLocale.
1637
1638 2020-04-25  Alex Christensen  <achristensen@webkit.org>
1639
1640         Prepare to remove automatic URL->String conversion operators
1641         https://bugs.webkit.org/show_bug.cgi?id=211007
1642
1643         Reviewed by Darin Adler.
1644
1645         * API/JSAPIGlobalObject.mm:
1646         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
1647         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1648         * API/JSScript.mm:
1649         (validateBytecodeCachePath):
1650         (+[JSScript scriptOfType:memoryMappedFromASCIIFile:withSourceURL:andBytecodeCache:inVirtualMachine:error:]):
1651         * inspector/ScriptDebugServer.cpp:
1652         (Inspector::ScriptDebugServer::sourceParsed):
1653         * parser/Nodes.h:
1654         (JSC::ScopeNode::sourceURL const):
1655         * runtime/CachedTypes.cpp:
1656         (JSC::CachedSourceProviderShape::encode):
1657         * runtime/Error.cpp:
1658         (JSC::addErrorInfo):
1659         * runtime/ScriptExecutable.h:
1660         (JSC::ScriptExecutable::sourceURL const):
1661
1662 2020-04-25  Ross Kirsling  <ross.kirsling@sony.com>
1663
1664         [Intl] Locale validation/canonicalization should defer to ICU
1665         https://bugs.webkit.org/show_bug.cgi?id=210853
1666
1667         Reviewed by Darin Adler.
1668
1669         The mappings for locale canonicalization in latest CLDR are sufficiently complex
1670         that it really no longer makes sense not to have ICU do this work for us.
1671
1672         This means the UTS 35 canonicalization desired by ECMA-402 will not be fully achievable until ICU ~67,
1673         but it's better than reaching right into CLDR and pretending that we *are* ICU.
1674         (On this point, we thus align with V8 and diverge from SM.)
1675
1676         Of course, we can still add our own pre-validations / post-canonicalizations if desired.
1677
1678         * CMakeLists.txt:
1679         * DerivedSources-input.xcfilelist:
1680         * DerivedSources-output.xcfilelist:
1681         * DerivedSources.make:
1682         * JavaScriptCore.xcodeproj/project.pbxproj:
1683         * Scripts/generateIntlCanonicalizeLanguage.py: Removed.
1684         * runtime/IntlObject.cpp:
1685         (JSC::intlAvailableLocales):
1686         (JSC::intlCollatorAvailableLocales):
1687         (JSC::canonicalizeLanguageTag):
1688         (JSC::canonicalizeLocaleList):
1689         (JSC::defaultLocale):
1690         (JSC::removeUnicodeLocaleExtension):
1691         (JSC::addMissingScriptLocales): Deleted. This one was ostensibly a fix for an old ICU bug.
1692         (JSC::privateUseLangTag): Deleted.
1693         (JSC::preferredLanguage): Deleted.
1694         (JSC::preferredRegion): Deleted.
1695         (JSC::canonicalLangTag): Deleted.
1696         * ucd/language-subtag-registry.txt: Removed.
1697
1698 2020-04-24  Yusuke Suzuki  <ysuzuki@apple.com>
1699
1700         Fix internal build by using strcmp instead of using string literal comparison
1701         https://bugs.webkit.org/show_bug.cgi?id=211011
1702
1703         Reviewed by Keith Miller.
1704
1705         Use strcmp for string literal comparison to expect that this is fully handled by the compiler and converted into constant at compile time.
1706
1707         * runtime/JSGlobalObject.cpp:
1708         (JSC::JSGlobalObject::init):
1709
1710 2020-04-24  Mark Lam  <mark.lam@apple.com>
1711
1712         Suppress ASan on DFG::clobberize() to work around an ASan bug.
1713         https://bugs.webkit.org/show_bug.cgi?id=211012
1714         <rdar://problem/62275430>
1715
1716         Reviewed by Yusuke Suzuki.
1717
1718         ASan was incorrectly thinking that we're accessing invalid stack memory when we're not.
1719
1720         * dfg/DFGClobberize.h:
1721         (JSC::DFG::clobberize):
1722
1723 2020-04-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1724
1725         Fix WASM Error classes and re-sync wpt/wasm/jsapi from upstream
1726         https://bugs.webkit.org/show_bug.cgi?id=210980
1727
1728         Reviewed by Keith Miller.
1729
1730         assert_throws_js() harness, which is extensively used by wpt/wasm/jsapi tests,
1731         was recently updated to assert that passed constructors subclass Error in
1732         spec-perfect way.
1733
1734         With this patch, WebAssembly errors have Error as [[Prototype]] of their constructors
1735         and define correct "name" and "message" properties on their prototypes, aligning JSC
1736         with the spec [1], V8 and SpiderMonkey.
1737
1738         [1]: https://webassembly.github.io/spec/js-api/#error-objects
1739
1740         * runtime/JSGlobalObject.cpp:
1741         (JSC::JSGlobalObject::init):
1742         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
1743         (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
1744         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
1745         (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
1746         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
1747         (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
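The shape that assert_throws_js() checks for can be verified directly from script. The following is an added example, not JSC or WPT code; the helper names are assumed, and it checks the three properties the entry lists (Error as [[Prototype]] of the constructor, and own "name" and "message" data properties on the prototype) for each WebAssembly error class per the JS API spec cited as [1].

```javascript
// The three error classes the JS API spec defines on the WebAssembly namespace.
const WASM_ERROR_CLASSES = ['CompileError', 'LinkError', 'RuntimeError'];

// True when `ctor` subclasses Error the way the spec requires: Error is the
// [[Prototype]] of the constructor, Error.prototype is the [[Prototype]] of
// ctor.prototype, and ctor.prototype carries own non-enumerable "name" and
// "message" data properties (the name, and the empty string).
function isSpecShapedErrorSubclass(ctor, expectedName) {
  const proto = ctor.prototype;
  const nameDesc = Object.getOwnPropertyDescriptor(proto, 'name');
  const messageDesc = Object.getOwnPropertyDescriptor(proto, 'message');
  const instance = new ctor('boom');
  return Object.getPrototypeOf(ctor) === Error
    && Object.getPrototypeOf(proto) === Error.prototype
    && nameDesc !== undefined && nameDesc.value === expectedName && nameDesc.enumerable === false
    && messageDesc !== undefined && messageDesc.value === '' && messageDesc.enumerable === false
    && instance instanceof Error
    && instance.message === 'boom'
    && String(instance) === `${expectedName}: boom`;
}

// Runs the check for every WebAssembly error class and reports per class.
function checkWebAssemblyErrors() {
  const result = {};
  for (const name of WASM_ERROR_CLASSES)
    result[name] = isSpecShapedErrorSubclass(WebAssembly[name], name);
  return result;
}
```

A plain `class X extends Error {}` passes the two [[Prototype]] checks but fails the own-"name" check, which is exactly the difference between "behaves like an Error" and the spec-perfect subclassing the updated harness insists on.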
1748
1749 2020-04-24  Saam Barati  <sbarati@apple.com>
1750
1751         Return BigInt32 whenever we can
1752         https://bugs.webkit.org/show_bug.cgi?id=210922
1753
1754         Reviewed by Yusuke Suzuki.
1755
1756         This patch makes it so our runtime functions for big int math on heap
1757         big ints convert the result to a big int 32 when possible.
1758         
1759         The inspiration for this patch came from converting SunSpider's sha1 benchmark to
1760         using big ints. I found that the original implementation of big int 32
1761         was a ~35% slowdown here. This patch speeds it up by 86% from ToT, and
1762         36% faster than before big int 32 was introduced.
1763         
1764         To make this sound in the DFG/FTL, we are currently reporting that all
1765         HeapBigInt math ops return SpecBigInt, instead of SpecHeapBigInt.
1766         However, we want to do better in a follow up. We need some kind of profiling
1767         system where we determine if we should speculate if the result is big int
1768         32, a heap big int, or both:
1769         https://bugs.webkit.org/show_bug.cgi?id=210982
1770
1771         * dfg/DFGAbstractInterpreterInlines.h:
1772         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1773         * dfg/DFGFixupPhase.cpp:
1774         (JSC::DFG::FixupPhase::fixupNode):
1775         * dfg/DFGOperations.cpp:
1776         * dfg/DFGOperations.h:
1777         * dfg/DFGSpeculativeJIT.cpp:
1778         (JSC::DFG::SpeculativeJIT::compileValueBitNot):
1779         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
1780         (JSC::DFG::SpeculativeJIT::compileValueLShiftOp):
1781         (JSC::DFG::SpeculativeJIT::compileValueBitRShift):
1782         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1783         (JSC::DFG::SpeculativeJIT::compileValueSub):
1784         (JSC::DFG::SpeculativeJIT::compileValueMul):
1785         (JSC::DFG::SpeculativeJIT::compileValueDiv):
1786         (JSC::DFG::SpeculativeJIT::compileValueMod):
1787         (JSC::DFG::SpeculativeJIT::compileValuePow):
1788         * jit/JITOperations.cpp:
1789         * jsc.cpp:
1790         (functionCreateBigInt32):
1791         * runtime/BigIntConstructor.cpp:
1792         (JSC::toBigInt):
1793         (JSC::callBigIntConstructor):
1794         * runtime/CommonSlowPaths.cpp:
1795         (JSC::SLOW_PATH_DECL):
1796         * runtime/JSBigInt.cpp:
1797         (JSC::JSBigInt::exponentiateHeap):
1798         (JSC::JSBigInt::multiplyHeap):
1799         (JSC::JSBigInt::divideHeap):
1800         (JSC::JSBigInt::unaryMinusHeap):
1801         (JSC::JSBigInt::remainderHeap):
1802         (JSC::JSBigInt::incHeap):
1803         (JSC::JSBigInt::decHeap):
1804         (JSC::JSBigInt::addHeap):
1805         (JSC::JSBigInt::subHeap):
1806         (JSC::JSBigInt::bitwiseAndHeap):
1807         (JSC::JSBigInt::bitwiseOrHeap):
1808         (JSC::JSBigInt::bitwiseXorHeap):
1809         (JSC::JSBigInt::leftShiftHeap):
1810         (JSC::JSBigInt::signedRightShiftHeap):
1811         (JSC::JSBigInt::bitwiseNotHeap):
1812         (JSC::JSBigInt::absoluteAdd):
1813         (JSC::JSBigInt::absoluteSub):
1814         (JSC::JSBigInt::parseInt):
1815         (JSC::JSBigInt::exponentiate): Deleted.
1816         (JSC::JSBigInt::multiply): Deleted.
1817         (JSC::JSBigInt::divide): Deleted.
1818         (JSC::JSBigInt::unaryMinus): Deleted.
1819         (JSC::JSBigInt::remainder): Deleted.
1820         (JSC::JSBigInt::inc): Deleted.
1821         (JSC::JSBigInt::dec): Deleted.
1822         (JSC::JSBigInt::add): Deleted.
1823         (JSC::JSBigInt::sub): Deleted.
1824         (JSC::JSBigInt::bitwiseAnd): Deleted.
1825         (JSC::JSBigInt::bitwiseOr): Deleted.
1826         (JSC::JSBigInt::bitwiseXor): Deleted.
1827         (JSC::JSBigInt::leftShift): Deleted.
1828         (JSC::JSBigInt::signedRightShift): Deleted.
1829         (JSC::JSBigInt::bitwiseNot): Deleted.
1830         * runtime/JSBigInt.h:
1831         * runtime/JSCJSValue.h:
1832         (JSC::jsBigInt32):
1833         * runtime/JSCJSValueInlines.h:
1834         (JSC::JSValue::JSValue):
1835         * runtime/Operations.cpp:
1836         (JSC::jsAddSlowCase):
1837         * runtime/Operations.h:
1838         (JSC::jsSub):
1839         (JSC::jsMul):
1840         (JSC::jsDiv):
1841         (JSC::jsInc):
1842         (JSC::jsDec):
1843         (JSC::jsBitwiseNot):
1844         (JSC::shift):
1845         (JSC::bitwiseBinaryOp):
1846
1847 2020-04-24  Michael Catanzaro  <mcatanzaro@gnome.org>
1848
1849         [GTK][WPE][JSCOnly] compile error when -DWTF_CPU_ARM64_CORTEXA53=ON set for arm64
1850         https://bugs.webkit.org/show_bug.cgi?id=197192
1851
1852         Reviewed by Yusuke Suzuki.
1853
1854         This workaround is supposed to fix WebKit on old Cortex A53 CPUs, but it has been broken
1855         since 2018, and people would like to use WebKit on modern Cortex A53. If anyone using WebKit
1856         on the original hardware wants to fix and reimplement the workaround, feel free.
1857
1858         * assembler/ARM64Assembler.h:
1859         (JSC::ARM64Assembler::adrp):
1860         (JSC::ARM64Assembler::madd):
1861         (JSC::ARM64Assembler::msub):
1862         (JSC::ARM64Assembler::smaddl):
1863         (JSC::ARM64Assembler::smsubl):
1864         (JSC::ARM64Assembler::umaddl):
1865         (JSC::ARM64Assembler::umsubl):
1866         (JSC::ARM64Assembler::nopCortexA53Fix835769): Deleted.
1867         (JSC::ARM64Assembler::nopCortexA53Fix843419): Deleted.
1868         * offlineasm/arm64.rb:
1869         * offlineasm/instructions.rb:
1870
1871 2020-04-24  Yusuke Suzuki  <ysuzuki@apple.com>
1872
1873         [JSC] Fix DataFormatJSBigInt32 missing part
1874         https://bugs.webkit.org/show_bug.cgi?id=210986
1875
1876         Reviewed by Mark Lam.
1877
1878         Add missing part of DataFormatJSBigInt32 implementation.
1879
1880         * bytecode/DataFormat.h:
1881         (JSC::dataFormatToString):
1882         * dfg/DFGSpeculativeJIT.cpp:
1883         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
1884
1885 2020-04-24  Yusuke Suzuki  <ysuzuki@apple.com>
1886
1887         Unreviewed, build fix in Windows
1888         https://bugs.webkit.org/show_bug.cgi?id=210892
1889
1890         Windows MSVC does not have proper understanding of IGNORE_RETURN_TYPE_WARNINGS_BEGIN.
1891
1892         * runtime/JSBigInt.h:
1893         (JSC::invertBigIntCompareResult):
1894
1895 2020-04-24  Yusuke Suzuki  <ysuzuki@apple.com>
1896
1897         [JSC] DFG compare should speculate BigInt well
1898         https://bugs.webkit.org/show_bug.cgi?id=210892
1899
1900         Reviewed by Saam Barati.
1901
1902         Compare operations in DFG do not support BigInt related speculations. As a result, DFG fixup phase emits DoubleRep for operands, and
1903         causes OSR exit. This patch adds BigInt32, HeapBigInt, and AnyBigIntUse support to DFG compare operations to avoid OSR exits.
1904         We also introduce JSBigInt::compareToInt32 to avoid allocating JSBigInt only for comparison, and optimize C++ runtime for JSBigInt comparison.
1905
1906         * dfg/DFGAbstractInterpreterInlines.h:
1907         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1908         * dfg/DFGDoesGC.cpp:
1909         (JSC::DFG::doesGC):
1910         * dfg/DFGFixupPhase.cpp:
1911         (JSC::DFG::FixupPhase::fixupNode):
1912         * dfg/DFGSpeculativeJIT.cpp:
1913         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1914         (JSC::DFG::SpeculativeJIT::compileValueSub):
1915         (JSC::DFG::SpeculativeJIT::compileValueMul):
1916         (JSC::DFG::SpeculativeJIT::compare):
1917         (JSC::DFG::SpeculativeJIT::genericJSValueNonPeepholeCompare):
1918         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
1919         * dfg/DFGSpeculativeJIT.h:
1920         * dfg/DFGSpeculativeJIT64.cpp:
1921         (JSC::DFG::SpeculativeJIT::compileBigInt32Compare):
1922         * ftl/FTLLowerDFGToB3.cpp:
1923         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
1924         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
1925         (JSC::FTL::DFG::LowerDFGToB3::compare):
1926         (JSC::FTL::DFG::LowerDFGToB3::genericJSValueCompare):
1927         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare): Deleted.
1928         * jit/AssemblyHelpers.h:
1929         (JSC::AssemblyHelpers::unboxBigInt32):
1930         * runtime/JSBigInt.cpp:
1931         (JSC::JSBigInt::compareToInt32):
1932         * runtime/JSBigInt.h:
1933         (JSC::swapBigIntCompareResult):
1934         * runtime/Operations.h:
1935         (JSC::compareBigInt):
1936         (JSC::compareBigInt32ToOtherPrimitive):
1937         (JSC::bigIntCompare):
1938
1939 2020-04-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1940
1941         Proxy.revocable should not have [[Construct]] slot
1942         https://bugs.webkit.org/show_bug.cgi?id=210959
1943
1944         Reviewed by Darin Adler.
1945
1946         This change removes proxyRevocableConstructorThrowError() since its presence is
1947         observable when, for example, Proxy.revocable is a [[ProxyTarget]] itself [1].
1948         Also removes unnecessary newTarget() check in constructProxyObject() and
1949         2 extra ArgList instances.
1950
1951         This patch aligns JSC with the spec [2], V8 and SpiderMonkey.
1952
1953         [1]: https://tc39.es/ecma262/#sec-proxycreate (step 7.b)
1954         [2]: https://tc39.es/ecma262/#sec-ecmascript-standard-built-in-objects
1955
1956         * runtime/ProxyConstructor.cpp:
1957         (JSC::makeRevocableProxy):
1958         (JSC::ProxyConstructor::finishCreation):
1959         (JSC::constructProxyObject):
1960         (JSC::proxyRevocableConstructorThrowError): Deleted.
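The observable consequence of Proxy.revocable having no [[Construct]] slot can be checked from script, including the case the entry mentions where Proxy.revocable is itself the [[ProxyTarget]] of a Proxy. This is an added example, not JSC code; the helper names are assumed.

```javascript
// IsConstructor, observed from script: only a constructor may serve as
// new.target. A non-constructor makes Reflect.construct throw a TypeError.
function isConstructor(fn) {
  try {
    Reflect.construct(function () {}, [], fn);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Runs `thunk` and reports 'constructed' or the name of the error class thrown.
function outcome(thunk) {
  try { thunk(); return 'constructed'; }
  catch (e) { return e.constructor.name; }
}

function proxyRevocableConstructBehaviour() {
  // A Proxy exotic object has a [[Construct]] internal method only if its
  // [[ProxyTarget]] has one, so wrapping Proxy.revocable does not make it
  // constructible either (ProxyCreate step 7.b, cited as [1] above).
  const wrapped = new Proxy(Proxy.revocable, {});
  return {
    callable: typeof Proxy.revocable === 'function',
    revocableIsConstructor: isConstructor(Proxy.revocable),
    newRevocable: outcome(() => new Proxy.revocable({}, {})),
    wrappedIsConstructor: isConstructor(wrapped),
    newWrapped: outcome(() => new wrapped({}, {})),
    // Proxy itself is a constructor that cannot be called without `new`.
    proxyIsConstructor: isConstructor(Proxy),
    proxyWithoutNew: outcome(() => Proxy({}, {})),
    // Calling Proxy.revocable normally still yields a working proxy/revoke pair.
    revocableCallWorks: typeof Proxy.revocable({}, {}).revoke === 'function',
  };
}
```

Before this change, `new wrapped()` would have reached proxyRevocableConstructorThrowError() and produced a different error than the generic TypeError for a non-constructor, which is how the extra [[Construct]] slot leaked into observable behaviour.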
1961
1962 2020-04-24  Yusuke Suzuki  <ysuzuki@apple.com>
1963
1964         [JSC] DFG AI for some bitops + BigInt32 should be precise
1965         https://bugs.webkit.org/show_bug.cgi?id=210956
1966
1967         Reviewed by Keith Miller.
1968
1969         Use SpecBigInt32 for ValueBitXor, ValueBitAnd, and ValueBitOr since they are always producing BigInt32 and they have inlined implementations in DFG / FTL.
1970
1971         * dfg/DFGAbstractInterpreterInlines.h:
1972         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1973
1974 2020-04-23  Alexey Shvayka  <shvaikalesh@gmail.com>
1975
1976         Remove revoked Proxy checks from ProxyCreate
1977         https://bugs.webkit.org/show_bug.cgi?id=210862
1978
1979         Reviewed by Ross Kirsling.
1980
1981         This change removes revoked Proxy checks from ProxyCreate [1], implementing
1982         https://github.com/tc39/ecma262/pull/1814 and aligning JSC with SpiderMonkey.
1983         Also cleans up ProxyObject creation by using isFunction() instead of
1984         isCallable(), which are identical.
1985
1986         [1]: https://tc39.es/ecma262/#sec-proxycreate (steps 2, 4)
1987
1988         * runtime/ProxyObject.cpp:
1989         (JSC::ProxyObject::structureForTarget):
1990         (JSC::ProxyObject::finishCreation):
1991
1992 2020-04-22  Keith Miller  <keith_miller@apple.com>
1993
1994         Fix OSR exiting/iterator object checks in for-of bytecodes
1995         https://bugs.webkit.org/show_bug.cgi?id=210882
1996
1997         Reviewed by Saam Barati.
1998
1999         This patch fixes some bugs in the DFGBytecodeParser where we would
2000         set the exit origin for the SetLocal following the iterator_open/next
2001         first call to the next bytecode. This meant that if out-of-line
2002         Symbol.iterator or next functions returned an unexpected non-cell
2003         we would OSR past the rest of the next bytecode rather than to the
2004         first checkpoint.
2005
2006         This patch also makes sure we properly throw for non-objects returned
2007         from either of the above functions in all tiers (and adds tests).
2008
2009         Finally, this patch makes a small optimization where we just ArithBitOr the
2010         iterator's closed state (index == -1) and index is out of bounds. We can't
2011         do a CompareBelow check because the index is effectively an int33_t.
2012
2013         * bytecode/BytecodeIndex.h:
2014         (JSC::BytecodeIndex::withCheckpoint const):
2015         * dfg/DFGByteCodeParser.cpp:
2016         (JSC::DFG::ByteCodeParser::nextOpcodeIndex const):
2017         (JSC::DFG::ByteCodeParser::nextCheckpoint const):
2018         (JSC::DFG::ByteCodeParser::progressToNextCheckpoint):
2019         (JSC::DFG::ByteCodeParser::handleCall):
2020         (JSC::DFG::ByteCodeParser::handleCallVariant):
2021         (JSC::DFG::ByteCodeParser::handleInlining):
2022         (JSC::DFG::ByteCodeParser::handleGetById):
2023         (JSC::DFG::ByteCodeParser::handlePutById):
2024         (JSC::DFG::ByteCodeParser::parseGetById):
2025         (JSC::DFG::ByteCodeParser::parseBlock):
2026         (JSC::DFG::ByteCodeParser::handlePutByVal):
2027         * jit/JITCall.cpp:
2028         (JSC::JIT::emitSlow_op_iterator_open):
2029         * llint/LLIntSlowPaths.cpp:
2030         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2031         (JSC::LLInt::handleIteratorNextCheckpoint):
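The two checks this entry makes consistent across tiers, that Symbol.iterator must return an object and that next() must return an object, can be exercised from script without touching the engine. The following is an added example, not JSC code or its tests; the sample iterables are constructed here and the function name is assumed.

```javascript
// Runs one for-of loop over `iterable` and reports whether it threw (and
// which error class), together with the values consumed before it stopped.
function classifyForOf(iterable) {
  const seen = [];
  try {
    for (const v of iterable) seen.push(v);
    return { threw: null, seen };
  } catch (e) {
    return { threw: e.constructor.name, seen };
  }
}

// Constructed sample 1: Symbol.iterator returns a primitive, so GetIterator
// must throw a TypeError before any value is produced.
const primitiveIterator = {
  [Symbol.iterator]() { return 42; },
};

// Constructed sample 2: next() returns a primitive on its second call, so
// the loop must throw a TypeError after consuming exactly one value.
const primitiveResult = {
  [Symbol.iterator]() {
    let calls = 0;
    return {
      next() {
        calls += 1;
        return calls === 1 ? { value: 'first', done: false } : 7;
      },
    };
  },
};

// Constructed sample 3: a well-formed iterator, for comparison.
const wellFormed = {
  [Symbol.iterator]() {
    let i = 0;
    return {
      next: () => (i < 2 ? { value: i++, done: false } : { value: undefined, done: true }),
    };
  },
};
```

Because the bytecode parser bug described above concerned which checkpoint an OSR exit lands on, a useful regression check is that the second sample throws with exactly one value already observed in every tier, which is what the `seen` array records.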
2032
2033 2020-04-22  Darin Adler  <darin@apple.com>
2034
2035         [Cocoa] Build with UChar as char16_t even in builds that use Apple's internal SDK
2036         https://bugs.webkit.org/show_bug.cgi?id=210845
2037
2038         Reviewed by Anders Carlsson.
2039
2040         * Configurations/Base.xcconfig: Move ICU-configuring macros to Platform.h.
2041
2042 2020-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
2043
2044         [JSC] branchIfBigInt32 can use BigInt32Mask and remove branchIfNumber filter
2045         https://bugs.webkit.org/show_bug.cgi?id=210870
2046
2047         Reviewed by Saam Barati.
2048
2049         By using BigInt32Mask, we can detect BigInt32 without filtering Numbers. In this patch,
2050
2051         1. Remove branchIfBigInt32KnownNotNumber and branchIfNotBigInt32KnownNotNumber. And always use branchBigInt32 and branchNotBigInt32 instead.
2052         2. Remove branchIfNumber type filtering in DFG.
2053         3. Use BigInt32Mask based scheme in FTL.
2054         4. Add and64(TrustedImm64, RegisterID) implementations in MacroAssembler.
2055         5. Add TagRegistersMode version in branchIfBigInt. We use numberTagRegister to produce really efficient code[1] by avoiding large constant materialization.
2056
2057         [1]: From
2058                 mov %rax, %rdx
2059                 mov $0xfffe000000000012, %r11
2060                 and %r11, %rdx
2061                 cmp $0x12, %rdx
2062              To
2063                 lea 0x12(%r14), %rdx
2064                 and %rax, %rdx
2065                 cmp $0x12, %rdx
2066
2067         * assembler/MacroAssemblerARM64.h:
2068         (JSC::MacroAssemblerARM64::and64):
2069         * assembler/MacroAssemblerX86_64.h:
2070         (JSC::MacroAssemblerX86_64::and64):
2071         * bytecode/ArithProfile.cpp:
2072         (JSC::ArithProfile<BitfieldType>::emitObserveResult):
2073         * dfg/DFGSpeculativeJIT64.cpp:
2074         (JSC::DFG::SpeculativeJIT::fillSpeculateBigInt32):
2075         * ftl/FTLLowerDFGToB3.cpp:
2076         (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric):
2077         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2078         (JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt):
2079         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2080         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
2081         (JSC::FTL::DFG::LowerDFGToB3::lowBigInt32):
2082         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32):
2083         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32):
2084         (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt):
2085         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32):
2086         (JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt):
2087         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotCell): Deleted.
2088         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotNumber): Deleted.
2089         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32KnownNotNumber): Deleted.
2090         (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigIntKnownNotNumber): Deleted.
2091         * jit/AssemblyHelpers.cpp:
2092         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
2093         (JSC::AssemblyHelpers::branchIfValue):
2094         * jit/AssemblyHelpers.h:
2095         (JSC::AssemblyHelpers::branchIfBigInt32):
2096         (JSC::AssemblyHelpers::branchIfNotBigInt32):
2097         (JSC::AssemblyHelpers::emitTypeOf):
2098         (JSC::AssemblyHelpers::branchIfBigInt32KnownNotNumber): Deleted.
2099         (JSC::AssemblyHelpers::branchIfNotBigInt32KnownNotNumber): Deleted.
2100
2101 2020-04-22  Saam Barati  <sbarati@apple.com>
2102
2103         BigInt32 parsing should be precise
2104         https://bugs.webkit.org/show_bug.cgi?id=210869
2105
2106         Reviewed by Robin Morisset.
2107
2108         Our algorithm before was conservative, and might produce a heap big int even
2109         if the value could be an int32. This patch makes the algorithm precise on
2110         64-bit, always producing a bigint32 if the number is indeed an int32.
2111
2112         * jsc.cpp:
2113         (functionUseBigInt32):
2114         (functionIsBigInt32):
2115         (functionIsHeapBigInt):
2116         * runtime/JSBigInt.cpp:
2117         (JSC::JSBigInt::parseInt):
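
        The masked BigInt32 test described in the preceding entry and the precise BigInt32 literal classification from the
        entry directly above, worked through in one added model that is not JavaScriptCore's code. NumberTag, BigInt32Tag and
        the 0xfffe000000000012 mask are the values quoted in the entries; the double offset, the null/boolean/undefined
        immediates, the BigInt32 payload placement (bits 16..47) and the tag-only "old" test are assumptions about JSC's
        encoding made for this illustration.

```cpp
// Added model of the checks discussed in the two entries above; not JavaScriptCore's own code.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

namespace model {

// Constants quoted in the BigInt32Mask entry (64-bit JSValue encoding).
constexpr uint64_t NumberTag    = 0xfffe000000000000ull;  // set on every Int32; every double overlaps it too
constexpr uint64_t BigInt32Tag  = 0x12ull;
constexpr uint64_t BigInt32Mask = 0xfffe000000000012ull;  // the constant materialised in the "From" listing
// NumberTag and BigInt32Tag share no bits, so `lea 0x12(%r14)` with %r14 == NumberTag forms the mask.
static_assert(BigInt32Mask == NumberTag + BigInt32Tag, "mask is NumberTag plus the tag");

// Assumptions about the rest of the encoding, made for this model only.
constexpr uint64_t DoubleEncodeOffset = 1ull << 49;  // doubles stored as IEEE bits + 2^49
constexpr uint64_t ValueNull = 0x2, ValueFalse = 0x6, ValueTrue = 0x7, ValueUndefined = 0xa;

inline uint64_t encodeInt32(int32_t v)       { return NumberTag | static_cast<uint32_t>(v); }
inline uint64_t encodeDoubleBits(uint64_t b) { return b + DoubleEncodeOffset; }
inline uint64_t encodeDouble(double d)       { uint64_t b; std::memcpy(&b, &d, sizeof b); return encodeDoubleBits(b); }
// BigInt32: int32 payload in bits 16..47, tag in the low 16 bits, top 16 bits clear.
inline uint64_t encodeBigInt32(int32_t v)    { return (static_cast<uint64_t>(static_cast<uint32_t>(v)) << 16) | BigInt32Tag; }
inline int32_t  bigInt32Payload(uint64_t v)  { return static_cast<int32_t>(static_cast<uint32_t>(v >> 16)); }

inline bool isNumber(uint64_t v) { return (v & NumberTag) != 0; }  // Int32 or double

// A tag-only test trusts the low bits alone: an Int32 or a double whose encoded low 16 bits
// happen to be 0x0012 passes it. That is why a Number filter had to run before it.
inline bool lowBitsLookLikeBigInt32(uint64_t v) { return (v & 0xffff) == BigInt32Tag; }
inline bool isBigInt32Filtered(uint64_t v)      { return !isNumber(v) && lowBitsLookLikeBigInt32(v); }

// The masked test from the entry: one AND, one compare. Any Number keeps at least one
// NumberTag bit after the AND, so it can never compare equal to 0x12.
inline bool isBigInt32Masked(uint64_t v) { return (v & BigInt32Mask) == BigInt32Tag; }

} // namespace model

// Runs both predicates over constructed encodings of every value kind, including the
// patterns that fool the tag-only test, and reports whether they always agree.
bool checksAgreeOnSamples() {
    alignas(16) static char fakeCell[16];  // stands in for a 16-byte-aligned JSCell
    const std::vector<uint64_t> samples = {
        model::encodeInt32(0x12), model::encodeInt32(-1), model::encodeInt32(0),
        model::encodeDouble(1.5), model::encodeDouble(-0.0), model::encodeDoubleBits(0x3ff0000000000012ull),
        model::encodeBigInt32(0), model::encodeBigInt32(-1), model::encodeBigInt32(INT32_MIN),
        model::ValueNull, model::ValueFalse, model::ValueTrue, model::ValueUndefined,
        static_cast<uint64_t>(reinterpret_cast<uintptr_t>(&fakeCell[0])),
    };
    for (uint64_t v : samples)
        if (model::isBigInt32Filtered(v) != model::isBigInt32Masked(v)) return false;
    return true;
}

// Precise classification of a decimal BigInt literal, in the spirit of the parsing entry:
// the result is a BigInt32 exactly when the value fits int32. The magnitude is accumulated
// with an early-out, so leading zeros cost nothing and the INT32_MIN edge is exact, two
// cases a coarser rule such as a digit count would misclassify.
struct Parsed { bool bigInt32; uint64_t encoded; };  // encoded is valid only when bigInt32

std::optional<Parsed> parseDecimalBigInt(const std::string& text) {
    size_t i = 0;
    bool negative = false;
    if (i < text.size() && (text[i] == '-' || text[i] == '+')) { negative = text[i] == '-'; ++i; }
    if (i == text.size()) return std::nullopt;  // empty, or a sign with no digits
    uint64_t magnitude = 0;
    bool tooBig = false;
    for (; i < text.size(); ++i) {
        if (text[i] < '0' || text[i] > '9') return std::nullopt;  // malformed literal
        if (tooBig) continue;  // keep validating the syntax only
        magnitude = magnitude * 10 + static_cast<uint64_t>(text[i] - '0');
        if (magnitude > (1ull << 31)) tooBig = true;  // beyond |INT32_MIN|, cannot fit
    }
    const uint64_t limit = negative ? (1ull << 31) : (1ull << 31) - 1;
    if (tooBig || magnitude > limit) return Parsed{false, 0};  // needs a heap BigInt
    const int64_t value = negative ? -static_cast<int64_t>(magnitude) : static_cast<int64_t>(magnitude);
    return Parsed{true, model::encodeBigInt32(static_cast<int32_t>(value))};
}

int main() {
    const uint64_t suspicious = model::encodeDoubleBits(0x3ff0000000000012ull);
    std::printf("double with low bits 0x12: tag-only=%d masked=%d\n",
                model::lowBitsLookLikeBigInt32(suspicious), model::isBigInt32Masked(suspicious));
    for (const char* literal : {"2147483647", "2147483648", "-2147483648", "000000000042"}) {
        const auto parsed = parseDecimalBigInt(literal);
        std::printf("%s -> %s\n", literal, parsed && parsed->bigInt32 ? "BigInt32" : "HeapBigInt");
    }
    return checksAgreeOnSamples() ? 0 : 1;
}
```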
2118
2119 2020-04-22  Saam Barati  <sbarati@apple.com>
2120
2121         Edge use kind asserts are wrong for BigInt32 on ValueBitLShift
2122         https://bugs.webkit.org/show_bug.cgi?id=210872
2123
2124         Reviewed by Yusuke Suzuki, Mark Lam, and Robin Morisset.
2125
2126         This is already covered by the v8 tests Yusuke checked in.
2127
2128         * dfg/DFGSpeculativeJIT.cpp:
2129         (JSC::DFG::SpeculativeJIT::emitUntypedOrAnyBigIntBitOp):
2130         * ftl/FTLLowerDFGToB3.cpp:
2131         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
2132         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
2133
2134 2020-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
2135
2136         [JSC] JSBigInt inc operation does not produce right HeapBigInt zero
2137         https://bugs.webkit.org/show_bug.cgi?id=210860
2138
2139         Reviewed by Mark Lam.
2140
2141         JSBigInt::inc can produce a signed HeapBigInt zero, which does not meet the invariant of JSBigInt.
2142         This patch fixes it by checking zero status before setting `setSign(true)`.
2143
2144         * runtime/JSBigInt.cpp:
2145         (JSC::JSBigInt::inc):
2146         * runtime/JSCJSValue.cpp:
2147         (JSC::JSValue::dumpInContextAssumingStructure const):
2148
2149 2020-04-22  Devin Rousso  <drousso@apple.com>
2150
2151         Web Inspector: Debugger: Step Over should only step through comma expressions if they are comma statements
2152         https://bugs.webkit.org/show_bug.cgi?id=210588
2153
2154         Reviewed by Brian Burg.
2155
2156         * parser/Nodes.h:
2157         (JSC::ExpressionNode::isStatement const): Added.
2158         (JSC::ExpressionNode::setIsStatement): Added.
2159         * parser/NodeConstructors.h:
2160         (JSC::ExprStatementNode::ExprStatementNode):
2161         (JSC::DeclarationStatement::DeclarationStatement):
2162         (JSC::ReturnNode::ReturnNode):
2163         (JSC::ThrowNode::ThrowNode):
2164         * bytecompiler/NodesCodegen.cpp:
2165         (JSC::CommaNode::emitBytecode):
2166         Only emit `WillExecuteStatement` debug hooks inside `CommaNode` if it's the only child of a
2167         statement parent node (e.g. `a(), b(), c()` vs `true && (a(), b(), c()) && true`).
2168
2169         * parser/Parser.h:
2170         * parser/Parser.cpp:
2171         (JSC::Parser<LexerType>::parseReturnStatement):
2172         (JSC::Parser<LexerType>::parseThrowStatement):
2173         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
2174         (JSC::Parser<LexerType>::parseExpressionStatement):
2175         (JSC::Parser<LexerType>::parseExpression):
2176         Only record a pause location for each sub-expression in a comma separated expression if it's
2177         the only child of a statement (e.g. `a(), b(), c()` vs `true && (a(), b(), c()) && true`).
2178
2179 2020-04-22  Saam Barati  <sbarati@apple.com>
2180
2181         ValueBitNot is wrong in FTL with AnyBigIntUse
2182         https://bugs.webkit.org/show_bug.cgi?id=210846
2183
2184         Reviewed by Yusuke Suzuki.
2185
2186         We forgot to speculate.
2187
2188         * ftl/FTLLowerDFGToB3.cpp:
2189         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
2190
2191 2020-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
2192
2193         [JSC] AI results of BigInt32 bitwise shift operations do not match runtime results
2194         https://bugs.webkit.org/show_bug.cgi?id=210839
2195
2196         Reviewed by Saam Barati.
2197
2198         While the runtime function for bitwise ops with BigInt32 sometimes returns a HeapBigInt, DFG AI sets SpecBigInt32
2199         as the result value. This leads to miscompilation, particularly in FTL, since FTL uses this information to remove
2200         a lot of branches.
2201
2202         We also found that the FTL BigInt32 predicate is not correctly checking the state. This patch fixes it too.
2203
2204         Added the test case that found this (v8-bigint32-sar.js).
2205
2206         * dfg/DFGAbstractInterpreterInlines.h:
2207         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2208         * ftl/FTLLowerDFGToB3.cpp:
2209         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
2210         (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric):
2211         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2212         (JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt):
2213         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2214         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
2215         (JSC::FTL::DFG::LowerDFGToB3::lowBigInt32):
2216         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotCell):
2217         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotNumber):
2218         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32KnownNotNumber):
2219         (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigIntKnownNotNumber):
2220         (JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigIntUnknownWhetherCell):
2221         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32):
2222         (JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt):
2223         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32): Deleted.
2224         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32): Deleted.
2225         (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt): Deleted.
2226
2227 2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
2228
2229         Unreviewed, build fix for watchOS
2230         https://bugs.webkit.org/show_bug.cgi?id=210832
2231
2232         If the function is not defined, the static declaration should not be declared; otherwise, an unused-function error happens.
2233
2234         * jsc.cpp:
2235
2236 2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
2237
2238         Unreviewed, speculative Windows build fix part 2
2239         https://bugs.webkit.org/show_bug.cgi?id=210834
2240
2241         * runtime/Options.cpp:
2242         (JSC::strncasecmp):
2243
2244 2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
2245
2246         Unreviewed, fix windows build failure
2247         https://bugs.webkit.org/show_bug.cgi?id=210834
2248
2249         * runtime/Options.cpp:
2250         (JSC::strncasecmp):
2251
2252 2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
2253
2254         [JSC] SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq should expect AnyBigIntUse
2255         https://bugs.webkit.org/show_bug.cgi?id=210832
2256
2257         Reviewed by Mark Lam.
2258
2259         SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq will get AnyBigIntUse now. We should use ManualOperandSpeculation
2260         and the speculate function to perform the speculation check.
2261
2262         * dfg/DFGSpeculativeJIT32_64.cpp:
2263         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2264         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2265         * dfg/DFGSpeculativeJIT64.cpp:
2266         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2267         * jsc.cpp:
2268         (functionCreateHeapBigInt):
2269         (functionCreateBigInt32):
2270         * runtime/BigIntConstructor.cpp:
2271         (JSC::toBigInt):
2272         (JSC::callBigIntConstructor):
2273         * runtime/BigIntConstructor.h:
2274         * runtime/JSBigInt.h:
2275
2276 2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
2277
2278         Canonicalize JSBigInt generated by structured-cloning by calling rightTrim
2279         https://bugs.webkit.org/show_bug.cgi?id=210816
2280
2281         Reviewed by Keith Miller and Darin Adler.
2282
2283         * runtime/JSBigInt.h:
2284
2285 2020-04-21  Peng Liu  <peng.liu6@apple.com>
2286
2287         Fix MACCATALYST build failures
2288         https://bugs.webkit.org/show_bug.cgi?id=210815
2289
2290         Reviewed by Tim Horton.
2291
2292         * Configurations/FeatureDefines.xcconfig:
2293
2294 2020-04-21  Keith Miller  <keith_miller@apple.com>
2295
2296         JSC's options should be case insensitive
2297         https://bugs.webkit.org/show_bug.cgi?id=210834
2298
2299         Reviewed by Yusuke Suzuki.
2300
2301         * runtime/Options.cpp:
2302         (JSC::Options::setOptionWithoutAlias):
2303         (JSC::Options::setAliasedOption):
2304         * runtime/OptionsList.h:
2305
2306 2020-04-21  Alexey Shvayka  <shvaikalesh@gmail.com>
2307
2308         constructObjectFromPropertyDescriptor() is incorrect with partial descriptors
2309         https://bugs.webkit.org/show_bug.cgi?id=184629
2310
2311         Reviewed by Ross Kirsling.
2312
2313         Before this change, constructObjectFromPropertyDescriptor() serialized a value-only descriptor
2314         with nullish m_seenAttributes to {value, writable: false, enumerable: false, configurable: false}
2315         instead of just {value}. This was observable when ordinarySetSlow() was called on a Proxy
2316         `receiver` with a "defineProperty" trap.
2317
2318         This patch makes constructObjectFromPropertyDescriptor() 1:1 with the spec [2], aligning JSC
2319         with V8 and SpiderMonkey, and also cleans up its call sites from handling exceptions and
2320         `undefined` value returns.
2321
2322         [1]: https://tc39.es/ecma262/#sec-ordinarysetwithowndescriptor (step 3.d.iv)
2323         [2]: https://tc39.es/ecma262/#sec-frompropertydescriptor
2324
2325         * runtime/ObjectConstructor.cpp:
2326         (JSC::objectConstructorGetOwnPropertyDescriptor):
2327         (JSC::objectConstructorGetOwnPropertyDescriptors):
2328         * runtime/ObjectConstructor.h:
2329         (JSC::constructObjectFromPropertyDescriptor):
2330         * runtime/ProxyObject.cpp:
2331         (JSC::ProxyObject::performDefineOwnProperty):
2332
2333 2020-04-20  Yusuke Suzuki  <ysuzuki@apple.com>
2334
2335         Check Structure attributes in Object.assign exhaustively
2336         https://bugs.webkit.org/show_bug.cgi?id=210782
2337         <rdar://problem/62065853>
2338
2339         Reviewed by Mark Lam.
2340
2341         * runtime/ObjectConstructor.cpp:
2342         (JSC::objectConstructorAssign):
2343
2344 2020-04-21  Adrian Perez de Castro  <aperez@igalia.com>
2345
2346         Non-unified build fixes late February 2020 edition
2347         https://bugs.webkit.org/show_bug.cgi?id=210767
2348
2349         Unreviewed build fix.
2350
2351         * dfg/DFGValueRepReductionPhase.cpp: Add missing JSCJSValueInlines.h header.
2352         * jit/JITCall.cpp: Add missing SlowPathCall.h header.
2353         * runtime/AggregateError.cpp: Add missing JSCJSValueInlines.h, JSCellInlines.h, and
2354         JSGlobalObjectInlines.h headers.
2355         * runtime/AggregateErrorConstructor.cpp: Added missing JSCJSValueInlines.h, JSCellInlines.h,
2356         and VMInlines.h headers.
2357         * runtime/AggregateErrorPrototype.cpp: Added missing AggregateError.h, IdentifierInlines.h,
2358         JSCJSValueInlines.h, JSCellInlines.h, JSGlobalObjectInlines.h, and VMInlines.h headers.
2359         * runtime/Intrinsic.h: Added missing wtf/Optional.h header.
2360
2361 2020-04-20  Ross Kirsling  <ross.kirsling@sony.com>
2362
2363         Classes marked final should not use protected access specifier
2364         https://bugs.webkit.org/show_bug.cgi?id=210775
2365
2366         Reviewed by Daniel Bates.
2367
2368         * API/JSAPIValueWrapper.h:
2369         * API/JSCallbackConstructor.h:
2370         * API/JSCallbackObject.h:
2371         * b3/B3ExtractValue.h:
2372         * bytecode/UnlinkedFunctionExecutable.h:
2373         * inspector/JSGlobalObjectConsoleClient.h:
2374         * inspector/JSInjectedScriptHost.h:
2375         * inspector/JSJavaScriptCallFrame.h:
2376         * jsc.cpp:
2377         * runtime/AggregateError.h:
2378         * runtime/AggregateErrorPrototype.h:
2379         * runtime/ArrayConstructor.h:
2380         * runtime/ArrayPrototype.h:
2381         * runtime/AsyncFunctionPrototype.h:
2382         * runtime/AsyncGeneratorFunctionPrototype.h:
2383         * runtime/AtomicsObject.h:
2384         * runtime/BigIntConstructor.h:
2385         * runtime/BigIntObject.h:
2386         * runtime/BigIntPrototype.h:
2387         * runtime/BooleanConstructor.h:
2388         * runtime/BooleanPrototype.h:
2389         * runtime/ConsoleObject.h:
2390         * runtime/DateConstructor.h:
2391         * runtime/DatePrototype.h:
2392         * runtime/ErrorConstructor.h:
2393         * runtime/ErrorPrototype.h:
2394         * runtime/FileBasedFuzzerAgent.h:
2395         * runtime/FunctionPrototype.h:
2396         * runtime/FunctionRareData.h:
2397         * runtime/GeneratorFunctionPrototype.h:
2398         * runtime/GenericTypedArrayView.h:
2399         * runtime/InspectorInstrumentationObject.h:
2400         * runtime/IntlCollator.h:
2401         * runtime/IntlCollatorConstructor.h:
2402         * runtime/IntlCollatorPrototype.h:
2403         * runtime/IntlDateTimeFormat.h:
2404         * runtime/IntlDateTimeFormatConstructor.h:
2405         * runtime/IntlDateTimeFormatPrototype.h:
2406         * runtime/IntlNumberFormat.h:
2407         * runtime/IntlNumberFormatConstructor.h:
2408         * runtime/IntlNumberFormatPrototype.h:
2409         * runtime/IntlPluralRules.h:
2410         * runtime/IntlPluralRulesConstructor.h:
2411         * runtime/IntlPluralRulesPrototype.h:
2412         * runtime/IntlRelativeTimeFormatConstructor.h:
2413         * runtime/IntlRelativeTimeFormatPrototype.h:
2414         * runtime/JSArrayBuffer.h:
2415         * runtime/JSArrayBufferConstructor.h:
2416         * runtime/JSArrayBufferPrototype.h:
2417         * runtime/JSAsyncGenerator.h:
2418         * runtime/JSBoundFunction.h:
2419         * runtime/JSCustomGetterSetterFunction.h:
2420         * runtime/JSDataView.h:
2421         * runtime/JSDataViewPrototype.h:
2422         * runtime/JSGenerator.h:
2423         * runtime/JSGenericTypedArrayView.h:
2424         * runtime/JSGenericTypedArrayViewConstructor.h:
2425         * runtime/JSGenericTypedArrayViewPrototype.h:
2426         * runtime/JSGlobalLexicalEnvironment.h:
2427         * runtime/JSModuleLoader.h:
2428         * runtime/JSModuleNamespaceObject.h:
2429         * runtime/JSNativeStdFunction.h:
2430         * runtime/JSONObject.h:
2431         * runtime/JSObject.h:
2432         * runtime/JSTemplateObjectDescriptor.h:
2433         * runtime/JSTypedArrayViewConstructor.h:
2434         * runtime/JSTypedArrayViewPrototype.h:
2435         * runtime/MathObject.h:
2436         * runtime/NativeExecutable.h:
2437         * runtime/NumberConstructor.h:
2438         * runtime/NumberPrototype.h:
2439         * runtime/ObjectConstructor.h:
2440         * runtime/ObjectPrototype.h:
2441         * runtime/PredictionFileCreatingFuzzerAgent.h:
2442         * runtime/ReflectObject.h:
2443         * runtime/RegExp.h:
2444         * runtime/RegExpConstructor.h:
2445         * runtime/RegExpObject.h:
2446         * runtime/RegExpPrototype.h:
2447         * runtime/StringPrototype.h:
2448         * runtime/Structure.h:
2449         * runtime/Symbol.h:
2450         * runtime/SymbolConstructor.h:
2451         * runtime/SymbolObject.h:
2452         * runtime/SymbolPrototype.h:
2453         * runtime/VMTraps.cpp:
2454         * testRegExp.cpp:
2455         * wasm/WasmBBQPlan.h:
2456         * wasm/WasmLLIntPlan.h:
2457         * wasm/WasmWorklist.cpp:
2458         * wasm/js/JSWebAssembly.h:
2459         * wasm/js/JSWebAssemblyCompileError.h:
2460         * wasm/js/JSWebAssemblyInstance.h:
2461         * wasm/js/JSWebAssemblyLinkError.h:
2462         * wasm/js/JSWebAssemblyRuntimeError.h:
2463         * wasm/js/WebAssemblyCompileErrorConstructor.h:
2464         * wasm/js/WebAssemblyCompileErrorPrototype.h:
2465         * wasm/js/WebAssemblyGlobalConstructor.h:
2466         * wasm/js/WebAssemblyGlobalPrototype.h:
2467         * wasm/js/WebAssemblyInstanceConstructor.h:
2468         * wasm/js/WebAssemblyInstancePrototype.h:
2469         * wasm/js/WebAssemblyLinkErrorConstructor.h:
2470         * wasm/js/WebAssemblyLinkErrorPrototype.h:
2471         * wasm/js/WebAssemblyMemoryConstructor.h:
2472         * wasm/js/WebAssemblyMemoryPrototype.h:
2473         * wasm/js/WebAssemblyModuleConstructor.h:
2474         * wasm/js/WebAssemblyModulePrototype.h:
2475         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
2476         * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
2477         * wasm/js/WebAssemblyTableConstructor.h:
2478         * wasm/js/WebAssemblyTablePrototype.h:
2479         * wasm/js/WebAssemblyWrapperFunction.h:
2480
2481 2020-04-20  Peng Liu  <peng.liu6@apple.com>
2482
2483         Fix build failures when video fullscreen and picture-in-picture is disabled
2484         https://bugs.webkit.org/show_bug.cgi?id=210777
2485
2486         Reviewed by Eric Carlson.
2487
2488         * Configurations/FeatureDefines.xcconfig:
2489
2490 2020-04-20  Ross Kirsling  <ross.kirsling@sony.com>
2491
2492         Intl classes shouldn't need an m_initialized* field
2493         https://bugs.webkit.org/show_bug.cgi?id=210764
2494
2495         Reviewed by Darin Adler.
2496
2497         Existing Intl classes each have a field like m_initializedNumberFormat, but this is unnecessary on two levels:
2498           1. The thing that gets initialized is a unique pointer to an ICU struct, so we can check it directly.
2499           2. Everywhere we're checking this is redundant since we've already done the same check on the prototype side,
2500              therefore we can just ASSERT before using said ICU struct.
2501
2502         While we're at it, clean up other stuff like:
2503           - Move stuff that doesn't need to be part of the class to the CPP file (e.g. UFieldPositionIteratorDeleter).
2504           - Merge createCollator into initializeCollator (seems like this is probably the oldest code in this space).
2505
2506         * runtime/IntlCollator.cpp:
2507         (JSC::IntlCollator::initializeCollator):
2508         (JSC::IntlCollator::compareStrings):
2509         (JSC::IntlCollator::resolvedOptions):
2510         (JSC::IntlCollator::createCollator): Deleted.
2511         * runtime/IntlCollator.h:
2512         * runtime/IntlDateTimeFormat.cpp:
2513         (JSC::UFieldPositionIteratorDeleter::operator() const):
2514         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2515         (JSC::IntlDateTimeFormat::resolvedOptions):
2516         (JSC::IntlDateTimeFormat::format):
2517         (JSC::partTypeString):
2518         (JSC::IntlDateTimeFormat::formatToParts):
2519         (JSC::IntlDateTimeFormat::UFieldPositionIteratorDeleter::operator() const): Deleted.
2520         (JSC::IntlDateTimeFormat::partTypeString): Deleted.
2521         * runtime/IntlDateTimeFormat.h:
2522         * runtime/IntlNumberFormat.cpp:
2523         (JSC::UFieldPositionIteratorDeleter::operator() const):
2524         (JSC::IntlNumberFormatField::IntlNumberFormatField):
2525         (JSC::IntlNumberFormat::initializeNumberFormat):
2526         (JSC::IntlNumberFormat::format):
2527         (JSC::IntlNumberFormat::resolvedOptions):
2528         (JSC::partTypeString):
2529         (JSC::IntlNumberFormat::formatToParts):
2530         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const): Deleted.
2531         (JSC::IntlNumberFormat::partTypeString): Deleted.
2532         * runtime/IntlNumberFormat.h:
2533         * runtime/IntlPluralRules.cpp:
2534         (JSC::localeData):
2535         (JSC::IntlPluralRules::initializePluralRules):
2536         (JSC::IntlPluralRules::resolvedOptions):
2537         (JSC::IntlPluralRules::select):
2538         (JSC::IntlPRInternal::localeData): Deleted.
2539         * runtime/IntlPluralRules.h:
2540
2541 2020-04-20  Keith Miller  <keith_miller@apple.com>
2542
2543         FTL doesn't observe the use kind of CheckIsConstant's child1
2544         https://bugs.webkit.org/show_bug.cgi?id=210763
2545
2546         Reviewed by Yusuke Suzuki.
2547
2548         Somehow, this didn't get added when I changed CheckIsConstant and didn't show up
2549         when I tested r260377 because I tested in release. Fortunately, the produced
2550         DFG IR will be the same.
2551
2552         * ftl/FTLLowerDFGToB3.cpp:
2553         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIsConstant):
2554
2555 2020-04-20  Yusuke Suzuki  <ysuzuki@apple.com>
2556
2557         [JSC] Skip test262 for non-safe-integer range BigIntConstructor
2558         https://bugs.webkit.org/show_bug.cgi?id=210749
2559
2560         Reviewed by Keith Miller.
2561
2562         * runtime/BigIntConstructor.cpp:
2563         (JSC::callBigIntConstructor):
2564
2565 2020-04-20  Keith Miller  <keith_miller@apple.com>
2566
2567         Fix CheckIsConstant for non-constant values and checking for empty
2568         https://bugs.webkit.org/show_bug.cgi?id=210752
2569
2570         Reviewed by Saam Barati.
2571
2572         We need to make sure that we only have one speculated type if our value
2573         is empty.
2574
2575         * dfg/DFGAbstractInterpreterInlines.h:
2576         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2577
2578 2020-04-20  Darin Adler  <darin@apple.com>
2579
2580         Use #import instead of #include in Objective-C and don't use #pragma once
2581         https://bugs.webkit.org/show_bug.cgi?id=210724
2582
2583         Reviewed by David Kilzer.
2584
2585         * API/JSAPIWrapperObject.mm:
2586         * API/JSContext.h:
2587         * API/JSContext.mm:
2588         * API/JSScriptInternal.h:
2589         * API/JSValue.mm:
2590         * API/JSVirtualMachine.mm:
2591         * API/JSVirtualMachinePrivate.h:
2592         * API/JSWrapperMap.mm:
2593         * API/ObjCCallbackFunction.mm:
2594         * API/tests/CurrentThisInsideBlockGetterTest.mm:
2595         More #import, less #pragma once.
2596
2597 2020-04-20  Yusuke Suzuki  <ysuzuki@apple.com>
2598
2599         StructuredClone algorithm should be aware of BigInt
2600         https://bugs.webkit.org/show_bug.cgi?id=210728
2601
2602         Reviewed by Mark Lam.
2603
2604         * CMakeLists.txt:
2605         * runtime/BigIntObject.h:
2606         * runtime/JSBigInt.cpp:
2607         (JSC::JSBigInt::digit): Deleted.
2608         (JSC::JSBigInt::setDigit): Deleted.
2609         * runtime/JSBigInt.h:
2610         (JSC::JSBigInt::digit):
2611         (JSC::JSBigInt::setDigit):
2612
2613 2020-04-19  Ross Kirsling  <ross.kirsling@sony.com>
2614
2615         [ECMA-402] Intl.RelativeTimeFormat missing in WebKit
2616         https://bugs.webkit.org/show_bug.cgi?id=209770
2617
2618         Reviewed by Darin Adler.
2619
2620         This patch implements the recent ECMA-402 feature Intl.RelativeTimeFormat.
2621
2622         RelativeTimeFormat has format / formatToParts functions like NumberFormat / DateTimeFormat
2623         and is used to turn a number and unit into a formatted relative time string, e.g.:
2624
2625           new Intl.RelativeTimeFormat('en').format(10, 'day')
2626           > 'in 10 days'
2627
2628           new Intl.RelativeTimeFormat('en', { numeric: 'auto' }).format(0, 'day')
2629           > 'today'
2630
2631         Implementation of RelativeTimeFormat#formatToParts makes direct use of NumberFormat#formatToParts,
2632         as the relative time string consists of at most one formatted number with optional literal text on either side.
2633
2634         This feature is runtime-guarded by the `useIntlRelativeTimeFormat` option.
2635
2636         * CMakeLists.txt:
2637         * DerivedSources-input.xcfilelist:
2638         * DerivedSources-output.xcfilelist:
2639         * DerivedSources.make:
2640         * JavaScriptCore.xcodeproj/project.pbxproj:
2641         * Sources.txt:
2642         * runtime/CommonIdentifiers.h:
2643         * runtime/IntlRelativeTimeFormat.cpp: Added.
2644         * runtime/IntlRelativeTimeFormat.h: Added.
2645         * runtime/IntlRelativeTimeFormatConstructor.cpp: Added.
2646         * runtime/IntlRelativeTimeFormatConstructor.h: Added.
2647         * runtime/IntlRelativeTimeFormatPrototype.cpp: Added.
2648         * runtime/IntlRelativeTimeFormatPrototype.h: Added.
2649         * runtime/JSGlobalObject.cpp:
2650         (JSC::JSGlobalObject::init):
2651         (JSC::JSGlobalObject::visitChildren):
2652         * runtime/JSGlobalObject.h:
2653         (JSC::JSGlobalObject::relativeTimeFormatStructure):
2654         * runtime/OptionsList.h:
2655         * runtime/VM.cpp:
2656         (JSC::VM::VM):
2657         * runtime/VM.h:
2658         Add feature and runtime option.
2659
2660         * runtime/IntlDateTimeFormat.cpp:
2661         (JSC::IntlDateTimeFormat::formatToParts):
2662         * runtime/IntlPluralRules.cpp:
2663         (JSC::IntlPluralRules::initializePluralRules):
2664         (JSC::IntlPluralRules::resolvedOptions):
2665         Make "type" a property name.
2666
2667         * runtime/IntlNumberFormat.cpp:
2668         (JSC::IntlNumberFormat::initializeNumberFormat):
2669         (JSC::IntlNumberFormat::resolvedOptions):
2670         (JSC::IntlNumberFormat::formatToPartsInternal):
2671         (JSC::IntlNumberFormat::formatToParts):
2672         * runtime/IntlNumberFormat.h:
2673         Factor out formatToPartsInternal so that RelativeTimeFormat can use it with its own UNumberFormat.
2674         (This logic is too complicated to duplicate; it's because ICU won't split, e.g., "10,000" into parts for us.)
2675
2676         * runtime/IntlObject.cpp:
2677         (JSC::IntlObject::IntlObject):
2678         (JSC::IntlObject::create):
2679         (JSC::IntlObject::finishCreation):
2680         (JSC::intlAvailableLocales):
2681         (JSC::intlCollatorAvailableLocales):
2682         (JSC::isUnicodeLocaleIdentifierType):
2683         (JSC::supportedLocales):
2684         (JSC::intlDateTimeFormatAvailableLocales): Deleted.
2685         (JSC::intlNumberFormatAvailableLocales): Deleted.
2686         * runtime/IntlObject.h:
2687         (JSC::intlDateTimeFormatAvailableLocales):
2688         (JSC::intlNumberFormatAvailableLocales):
2689         (JSC::intlPluralRulesAvailableLocales):
2690         (JSC::intlRelativeTimeFormatAvailableLocales):
2691         Perform three corrections for Intl classes:
2692           1. Collator should be the only class with unique "available locales".
2693              [unum|udat]_getAvailable exist but they've deferred to uloc_getAvailable for 20 years.
2694           2. isUnicodeLocaleIdentifierType isn't just `alphanum{3,8}` but rather `alphanum{3,8} (sep alphanum{3,8})*`.
2695              This is my own mistake from r239941.
2696           3. supportedLocalesOf entries should not be frozen.
2697              Changed in https://github.com/tc39/ecma402/pull/278.
2698
2699         * tools/JSDollarVM.cpp:
2700         (JSC::functionICUVersion):
2701         (JSC::JSDollarVM::finishCreation):
2702         Add $vm.icuVersion so that we can add per-line skips to stress tests.
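
        The grammar correction in item 2 of the entry above, as an added illustration that is not JavaScriptCore's code:
        the single-subtag shape beside the corrected `alphanum{3,8} (sep alphanum{3,8})*` shape, with `sep` taken as '-'
        (the BCP 47 form ECMA-402 deals in; an assumption of this illustration). A CLDR calendar type such as
        `islamic-civil` is accepted only by the corrected form.

```cpp
// Added illustration of the Unicode locale identifier "type" grammar; not JavaScriptCore's code.
#include <string>

namespace {
// True when s[begin, end) is 3 to 8 ASCII letters or digits (UTS #35 "alphanum{3,8}").
bool isAlphanumSubtag(const std::string& s, size_t begin, size_t end) {
    const size_t length = end - begin;
    if (length < 3 || length > 8) return false;
    for (size_t i = begin; i < end; ++i) {
        const char c = s[i];
        const bool alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
        if (!alnum) return false;
    }
    return true;
}
} // namespace

// The shape the entry attributes to r239941: a single alphanum{3,8} subtag, so a
// multi-subtag type such as "islamic-civil" is wrongly rejected.
bool isSingleSubtagType(const std::string& s) { return isAlphanumSubtag(s, 0, s.size()); }

// The corrected grammar: alphanum{3,8} (sep alphanum{3,8})*. The separator is assumed to
// be '-' here. Every subtag, including the last, must independently satisfy the length
// and character rules, so "", "ab", "abcdefghi", "-civil" and "islamic-" are all rejected.
bool isUnicodeLocaleIdentifierType(const std::string& s) {
    size_t start = 0;
    for (;;) {
        const size_t sep = s.find('-', start);
        const size_t end = sep == std::string::npos ? s.size() : sep;
        if (!isAlphanumSubtag(s, start, end)) return false;
        if (sep == std::string::npos) return true;
        start = sep + 1;
    }
}
```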
2703
2704 2020-04-19  Yusuke Suzuki  <ysuzuki@apple.com>
2705
2706         [JSC] SlowPathCall is not supported by callOperation in Windows
2707         https://bugs.webkit.org/show_bug.cgi?id=210727
2708
2709         Reviewed by Ross Kirsling.
2710
2711         On Windows, SlowPathCall should be handled by JITSlowPathCall; otherwise, the stack is not correctly allocated.
2712
2713         * jit/JITCall.cpp:
2714         (JSC::JIT::emit_op_iterator_open):
2715         (JSC::JIT::emit_op_iterator_next):
2716         * jit/SlowPathCall.h:
2717         (JSC::JITSlowPathCall::call):
2718
2719 2020-04-19  Yusuke Suzuki  <ysuzuki@apple.com>
2720
2721         [JSC] Enable BigInt
2722         https://bugs.webkit.org/show_bug.cgi?id=210726
2723
2724         Reviewed by Mark Lam.
2725
2726         * runtime/OptionsList.h:
2727
2728 2020-04-19  Yusuke Suzuki  <ysuzuki@apple.com>
2729
2730         [JSC] LLInt slow path call should not have third argument
2731         https://bugs.webkit.org/show_bug.cgi?id=210721
2732
2733         Reviewed by Mark Lam.
2734
2735         LLInt callSlowPath does not work with a third argument on Windows, CLoop, etc. The LLInt slow path should not take a third argument;
2736         instead, use `bytecode.metadata(...)` to get the metadata.
2737
2738         * jit/JITCall.cpp:
2739         (JSC::JIT::emit_op_iterator_open):
2740         (JSC::JIT::emit_op_iterator_next):
2741         * llint/LowLevelInterpreter64.asm:
2742         * runtime/CommonSlowPaths.cpp:
2743         (JSC::iterator_open_try_fast):
2744         (JSC::SLOW_PATH_DECL):
2745         (JSC::iterator_next_try_fast):
2746         (JSC::iterator_open_try_fast_narrow): Deleted.
2747         (JSC::iterator_open_try_fast_wide16): Deleted.
2748         (JSC::iterator_open_try_fast_wide32): Deleted.
2749         (JSC::iterator_next_try_fast_narrow): Deleted.
2750         (JSC::iterator_next_try_fast_wide16): Deleted.
2751         (JSC::iterator_next_try_fast_wide32): Deleted.
2752         * runtime/CommonSlowPaths.h:
2753
2754 2020-04-19  Mark Lam  <mark.lam@apple.com>
2755
2756         Fix missing exception checks and handling in JSC APIs.
2757         https://bugs.webkit.org/show_bug.cgi?id=210715
2758         <rdar://problem/61599658>
2759
2760         Reviewed by Saam Barati.
2761
2762         * API/APICallbackFunction.h:
2763         (JSC::APICallbackFunction::call):
2764         - We should return early if an exception was thrown.  We should not be using the
2765           result in any way since we cannot rely on it having any sane value.
2766         (JSC::APICallbackFunction::construct):
2767         - For consistency, also return an undefined here when an exception was thrown.
2768
2769         * API/JSCallbackObjectFunctions.h:
2770         (JSC::JSCallbackObject<Parent>::construct):
2771         (JSC::JSCallbackObject<Parent>::call):
2772         - Return an undefined if an exception was thrown.  Don't return the potentially
2773           garbage result value.  Who knows what the client code will do with it.  Returning
2774           an undefined here makes the code more robust.
2775
2776         * API/JSObjectRef.cpp:
2777         (JSObjectGetProperty):
2778         (JSObjectHasPropertyForKey):
2779         (JSObjectGetPropertyForKey):
2780         (JSObjectDeletePropertyForKey):
2781         (JSObjectGetPropertyAtIndex):
2782         (JSObjectDeleteProperty):
2783         - Explicitly return a nullptr if an exception was thrown.  The toRef() on the
2784           result that follows the exception check may or may not return a nullptr
2785           (also see toRef(JSC::VM& vm, JSC::JSValue v) for !CPU(ADDRESS64)).
2786
2787         * API/JSValueRef.cpp:
2788         (JSValueIsEqual):
2789         (JSValueIsInstanceOfConstructor):
2790         - For consistency, make these return false if an exception is thrown.
2791
2792         * API/ObjCCallbackFunction.mm:
2793         (JSC::objCCallbackFunctionCallAsFunction):
2794         (JSC::objCCallbackFunctionCallAsConstructor):
2795         (JSC::ObjCCallbackFunctionImpl::call):
2796         - Add some assertions and return early if an exception was thrown.
2797
2798 2020-04-18  Keith Miller  <keith_miller@apple.com>
2799
2800         Fix CLoop build for iterator opcodes
2801         https://bugs.webkit.org/show_bug.cgi?id=210709
2802
2803         Reviewed by Robin Morisset.
2804
2805         We need to add a default parameter for the metadata pointer
2806         in the CLoop build. Additionally, the helper declarations need
2807         to be in the various slow path header files. Lastly we need
2808         opcode labels for our new JS call return points.
2809
2810         * bytecode/BytecodeList.rb:
2811         * llint/LLIntSlowPaths.cpp:
2812         * llint/LLIntSlowPaths.h:
2813         * runtime/CommonSlowPaths.h:
2814
2815 2020-04-18  Robin Morisset  <rmorisset@apple.com>
2816
2817         Support an inlined representation in JSValue of small BigInts ("BigInt32")
2818         https://bugs.webkit.org/show_bug.cgi?id=206182
2819
2820         Reviewed by Yusuke Suzuki.
2821
2822         This patch attempts to optimize the performance of BigInts when they are small (32 bits or less).
2823         It works by inlining them into JSValue on 64-bit platforms, avoiding the allocation of a JSBigInt.
2824         The bit pattern we use is 0000:XXXX:XXXX:0012.
2825         This representation works because of the following things:
2826         - It cannot be confused with a Double or Integer thanks to the top bits
2827         - It cannot be confused with a pointer to a Cell, thanks to bit 1 which is set to true
2828         - It cannot be confused with a pointer to wasm thanks to bit 0 which is set to false
2829         - It cannot be confused with true/false because bit 2 is set to false
2830         - It cannot be confused for null/undefined because bit 4 is set to true
2831
2832         This entire change is gated by USE(BIGINT32), to make it easier to disable if it turns out to have bugs.
2833         It should also make it much easier to verify if a given bug comes from it or from something else.
2834
2835         Note that in this patch we create BigInt32s when parsing small BigInt constants, and most operations (e.g. Add or BitOr) produce a BigInt32 if both of their operands are BigInt32,
2836         but we don't produce a BigInt32 from, for example, the subtraction/division of two large heap-allocated JSBigInts, even if the result fits in 32 bits.
2837         As a result, small BigInts can now either be heap-allocated or inlined in the JSValue.
2838
2839         This patch includes a significant refactor of various slow paths, which are now grouped together in Operations.h.
2840         Because this increased the size of Operations.h significantly, I split the parts of Operations.h which are only used by the GC into Scribble.h, to avoid bloating compile times.
2841
2842         In the DFG and FTL we now have 3 UseKinds for BigInts: HeapBigIntUse, BigInt32Use and AnyBigIntUse.
2843         The latter is useful when we know that we are receiving BigInts, but speculation indicates a mix of heap-allocated and small (inlined) big-ints.
2844
2845         Unfortunately, a naive implementation of this patch significantly regresses the performance of StrictEq (and its variants), as it is no longer true that a cell and a non-cell cannot be equal.
2846         Before this patch, the code was jumping to a slow path if either:
2847         - at least one operand is a double
2848         - or both operands are cells
2849         Now, it also needs to jump to the slow path if at least one is a cell.
2850         To recover this performance cost, I significantly rewrote this code, from
2851           if (left is Cell && right is Cell) {
2852             if (left == right)
2853               return true;
2854             goto slowPath;
2855           }
2856           if (!(left is Int32)) {
2857             if (left is Number)
2858               goto slowPath;
2859           }
2860           if (!(right is Int32)) {
2861             if (right is Number)
2862               goto slowPath;
2863           }
2864           return left == right;
2865         To the following:
2866           if (left is Double || right is Double)
2867             goto slowPath;
2868           if (left == right)
2869             return true;
2870           if (left is Cell || right is Cell)
2871             goto slowPath;
2872           return false;
2873         I believe this to be faster than just replacing (left is Cell && right is Cell) by an ||, because I found a bit-trick to check (left is Double || right is Double) which should help reduce the pressure on the branch predictor.
2874         Early JetStream2 tests appear to confirm that this patch is roughly neutral (it was a 0.5% regression before I used this trick), but the numbers are still too noisy, so I plan to do more measurements before landing this patch.
2875
2876         I don't yet have performance numbers for this patch on a BigInt benchmark; I will get such numbers before trying to land it, but I'd like some review in the meantime.
2877
2878         * JavaScriptCore.xcodeproj/project.pbxproj:
2879         * assembler/X86Assembler.h:
2880         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2881         * bytecode/ArithProfile.cpp:
2882         (JSC::ArithProfile<BitfieldType>::emitObserveResult):
2883         (JSC::ArithProfile<BitfieldType>::shouldEmitSetBigInt32 const):
2884         (JSC::ArithProfile<BitfieldType>::shouldEmitSetHeapBigInt const):
2885         (JSC::ArithProfile<BitfieldType>::emitSetHeapBigInt const):
2886         (JSC::ArithProfile<BitfieldType>::emitSetBigInt32 const):
2887         (WTF::printInternal):
2888         * bytecode/ArithProfile.h:
2889         (JSC::ObservedResults::didObserveNonInt32):
2890         (JSC::ObservedResults::didObserveBigInt):
2891         (JSC::ObservedResults::didObserveHeapBigInt):
2892         (JSC::ObservedResults::didObserveBigInt32):
2893         (JSC::ArithProfile::didObserveHeapBigInt const):
2894         (JSC::ArithProfile::didObserveBigInt32 const):
2895         (JSC::ArithProfile::setObservedHeapBigInt):
2896         (JSC::ArithProfile::setObservedBigInt32):
2897         (JSC::ArithProfile::observeResult):
2898         * bytecode/BytecodeList.rb:
2899         * bytecode/BytecodeLivenessAnalysisInlines.h:
2900         * bytecode/BytecodeUseDef.cpp:
2901         (JSC::computeUsesForBytecodeIndexImpl):
2902         (JSC::computeDefsForBytecodeIndexImpl):
2903         * bytecode/CodeBlock.cpp:
2904         * bytecode/DataFormat.h:
2905         * bytecode/MethodOfGettingAValueProfile.cpp:
2906         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2907         * bytecode/MethodOfGettingAValueProfile.h:
2908         * bytecode/SpeculatedType.cpp:
2909         (JSC::dumpSpeculation):
2910         (JSC::speculationFromClassInfo):
2911         (JSC::speculationFromStructure):
2912         (JSC::speculationFromValue):
2913         (JSC::speculationFromJSType):
2914         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
2915         * bytecode/SpeculatedType.h:
2916         (JSC::isBigInt32Speculation):
2917         (JSC::isHeapBigIntSpeculation):
2918         (JSC::isBigIntSpeculation):
2919         * bytecompiler/BytecodeGenerator.cpp:
2920         (JSC::BytecodeGenerator::emitEqualityOpImpl):
2921         (JSC::BytecodeGenerator::addBigIntConstant):
2922         * bytecompiler/BytecodeGenerator.h:
2923         * dfg/DFGAbstractInterpreterInlines.h:
2924         (JSC::DFG::isToThisAnIdentity):
2925         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2926         * dfg/DFGByteCodeParser.cpp:
2927         (JSC::DFG::ByteCodeParser::parseBlock):
2928         * dfg/DFGCapabilities.cpp:
2929         (JSC::DFG::capabilityLevel):
2930         * dfg/DFGClobberize.h:
2931         (JSC::DFG::clobberize):
2932         * dfg/DFGConstantFoldingPhase.cpp:
2933         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2934         * dfg/DFGDoesGC.cpp:
2935         (JSC::DFG::doesGC):
2936         * dfg/DFGFixupPhase.cpp:
2937         (JSC::DFG::FixupPhase::fixupNode):
2938         (JSC::DFG::FixupPhase::fixupToThis):
2939         (JSC::DFG::FixupPhase::fixupToNumeric):
2940         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2941         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2942         * dfg/DFGMayExit.cpp:
2943         * dfg/DFGNode.h:
2944         (JSC::DFG::Node::shouldSpeculateBigInt32):
2945         (JSC::DFG::Node::shouldSpeculateHeapBigInt):
2946         * dfg/DFGNodeType.h:
2947         * dfg/DFGOSRExit.cpp:
2948         (JSC::DFG::OSRExit::compileExit):
2949         * dfg/DFGOSRExit.h:
2950         * dfg/DFGOperations.cpp:
2951         * dfg/DFGOperations.h:
2952         * dfg/DFGPredictionPropagationPhase.cpp:
2953         * dfg/DFGSafeToExecute.h:
2954         (JSC::DFG::SafeToExecuteEdge::operator()):
2955         (JSC::DFG::safeToExecute):
2956         * dfg/DFGSpeculativeJIT.cpp:
2957         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2958         (JSC::DFG::SpeculativeJIT::compileValueBitNot):
2959         (JSC::DFG::SpeculativeJIT::emitUntypedOrAnyBigIntBitOp):
2960         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
2961         (JSC::DFG::SpeculativeJIT::emitUntypedOrBigIntRightShiftBitOp):
2962         (JSC::DFG::SpeculativeJIT::compileValueLShiftOp):
2963         (JSC::DFG::SpeculativeJIT::compileValueBitRShift):
2964         (JSC::DFG::SpeculativeJIT::compileShiftOp):
2965         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2966         (JSC::DFG::SpeculativeJIT::compileValueSub):
2967         (JSC::DFG::SpeculativeJIT::compileIncOrDec):
2968         (JSC::DFG::SpeculativeJIT::compileValueNegate):
2969         (JSC::DFG::SpeculativeJIT::compileValueMul):
2970         (JSC::DFG::SpeculativeJIT::compileValueDiv):
2971         (JSC::DFG::SpeculativeJIT::compileValueMod):
2972         (JSC::DFG::SpeculativeJIT::compileValuePow):
2973         (JSC::DFG::SpeculativeJIT::compare):
2974         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2975         (JSC::DFG::SpeculativeJIT::speculateHeapBigInt):
2976         (JSC::DFG::SpeculativeJIT::speculate):
2977         (JSC::DFG::SpeculativeJIT::compileToNumeric):
2978         (JSC::DFG::SpeculativeJIT::compileHeapBigIntEquality):
2979         * dfg/DFGSpeculativeJIT.h:
2980         (JSC::DFG::SpeculateBigInt32Operand::SpeculateBigInt32Operand):
2981         (JSC::DFG::SpeculateBigInt32Operand::~SpeculateBigInt32Operand):
2982         (JSC::DFG::SpeculateBigInt32Operand::edge const):
2983         (JSC::DFG::SpeculateBigInt32Operand::node const):
2984         (JSC::DFG::SpeculateBigInt32Operand::gpr):
2985         (JSC::DFG::SpeculateBigInt32Operand::use):
2986         * dfg/DFGSpeculativeJIT32_64.cpp:
2987         (JSC::DFG::SpeculativeJIT::compile):
2988         * dfg/DFGSpeculativeJIT64.cpp:
2989         (JSC::DFG::SpeculativeJIT::fillJSValue):
2990         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2991         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2992         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2993         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2994         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2995         (JSC::DFG::SpeculativeJIT::speculateBigInt32):
2996         (JSC::DFG::SpeculativeJIT::speculateAnyBigInt):
2997         (JSC::DFG::SpeculativeJIT::fillSpeculateBigInt32):
2998         (JSC::DFG::SpeculativeJIT::compileBigInt32Compare):
2999         (JSC::DFG::SpeculativeJIT::compilePeepHoleBigInt32Branch):
3000         (JSC::DFG::SpeculativeJIT::compile):
3001         * dfg/DFGStrengthReductionPhase.cpp:
3002         (JSC::DFG::StrengthReductionPhase::handleNode):
3003         * dfg/DFGUseKind.cpp:
3004         (WTF::printInternal):
3005         * dfg/DFGUseKind.h:
3006         (JSC::DFG::typeFilterFor):
3007         (JSC::DFG::isCell):
3008         * ftl/FTLCapabilities.cpp:
3009         (JSC::FTL::canCompile):
3010         * ftl/FTLCommonValues.cpp:
3011         (JSC::FTL::CommonValues::initializeConstants):
3012         * ftl/FTLCommonValues.h:
3013         * ftl/FTLLowerDFGToB3.cpp:
3014         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3015         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3016         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
3017         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
3018         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
3019         (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv):
3020         (JSC::FTL::DFG::LowerDFGToB3::compileValueMod):
3021         (JSC::FTL::DFG::LowerDFGToB3::compileValuePow):
3022         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
3023         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
3024         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
3025         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
3026         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
3027         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitRShift):
3028         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitLShift):
3029         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
3030         (JSC::FTL::DFG::LowerDFGToB3::compileBitURShift):
3031         (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric):
3032         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
3033         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
3034         (JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt):
3035         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
3036         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
3037         (JSC::FTL::DFG::LowerDFGToB3::boolify):
3038         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
3039         (JSC::FTL::DFG::LowerDFGToB3::lowHeapBigInt):
3040         (JSC::FTL::DFG::LowerDFGToB3::lowBigInt32):
3041         (JSC::FTL::DFG::LowerDFGToB3::isBigInt32):
3042         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32):
3043         (JSC::FTL::DFG::LowerDFGToB3::unboxBigInt32):
3044         (JSC::FTL::DFG::LowerDFGToB3::boxBigInt32):
3045         (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt):
3046         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3047         (JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigIntUnknownWhetherCell):
3048         (JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigInt):
3049         (JSC::FTL::DFG::LowerDFGToB3::isHeapBigInt):
3050         (JSC::FTL::DFG::LowerDFGToB3::speculateHeapBigInt):
3051         (JSC::FTL::DFG::LowerDFGToB3::speculateHeapBigIntUnknownWhetherCell):
3052         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32):
3053         (JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt):
3054         * ftl/FTLOSRExitCompiler.cpp:
3055         (JSC::FTL::compileStub):
3056         * heap/HeapSnapshotBuilder.cpp:
3057         (JSC::HeapSnapshotBuilder::json):
3058         * heap/MarkedBlockInlines.h:
3059         * heap/PreciseAllocation.cpp:
3060         * inspector/agents/InspectorHeapAgent.cpp:
3061         (Inspector::InspectorHeapAgent::getPreview):
3062         * interpreter/Interpreter.cpp:
3063         (JSC::sizeOfVarargs):
3064         * jit/AssemblyHelpers.cpp:
3065         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
3066         (JSC::AssemblyHelpers::branchIfValue):
3067         * jit/AssemblyHelpers.h:
3068         (JSC::AssemblyHelpers::branchIfBigInt32):
3069         (JSC::AssemblyHelpers::branchIfBigInt32KnownNotNumber):
3070         (JSC::AssemblyHelpers::branchIfNotBigInt32KnownNotNumber):
3071         (JSC::AssemblyHelpers::branchIfHeapBigInt):
3072         (JSC::AssemblyHelpers::branchIfNotHeapBigInt):
3073         (JSC::AssemblyHelpers::unboxBigInt32):
3074         (JSC::AssemblyHelpers::boxBigInt32):
3075         (JSC::AssemblyHelpers::emitTypeOf):
3076         * jit/JIT.cpp:
3077         (JSC::JIT::privateCompileMainPass):
3078         * jit/JIT.h:
3079         * jit/JITArithmetic.cpp:
3080         (JSC::JIT::emit_op_negate):
3081         (JSC::JIT::emitSlow_op_negate):
3082         * jit/JITOpcodes.cpp:
3083         (JSC::JIT::emit_op_is_big_int):
3084         (JSC::JIT::compileOpStrictEq):
3085         (JSC::JIT::compileOpStrictEqJump):
3086         (JSC::JIT::emit_op_to_numeric):
3087         * jit/JITOpcodes32_64.cpp:
3088         (JSC::JIT::emit_op_is_big_int):
3089         (JSC::JIT::emit_op_to_numeric):
3090         * jit/JITOperations.cpp:
3091         * jit/JITOperations.h:
3092         * llint/LLIntOfflineAsmConfig.h:
3093         * llint/LowLevelInterpreter.asm:
3094         * llint/LowLevelInterpreter64.asm:
3095         * parser/ParserArena.cpp:
3096         (JSC::IdentifierArena::makeBigIntDecimalIdentifier):
3097         * runtime/ArrayPrototype.cpp:
3098         * runtime/BigIntConstructor.cpp:
3099         (JSC::toBigInt):
3100         (JSC::callBigIntConstructor):
3101         * runtime/BigIntObject.cpp:
3102         (JSC::BigIntObject::create):
3103         (JSC::BigIntObject::finishCreation):
3104         * runtime/BigIntObject.h:
3105         * runtime/BigIntPrototype.cpp:
3106         (JSC::toThisBigIntValue):
3107         (JSC::bigIntProtoFuncToStringImpl):
3108         * runtime/CommonSlowPaths.cpp:
3109         (JSC::SLOW_PATH_DECL):
3110         (JSC::updateArithProfileForUnaryArithOp):
3111         (JSC::updateArithProfileForBinaryArithOp):
3112         * runtime/JSBigInt.cpp:
3113         (JSC::JSBigInt::createStructure):
3114         (JSC::JSBigInt::parseInt):
3115         (JSC::JSBigInt::stringToBigInt):
3116         (JSC::JSBigInt::inc):
3117         (JSC::JSBigInt::dec):
3118         (JSC::JSBigInt::bitwiseAnd):
3119         (JSC::JSBigInt::toStringGeneric):
3120         (JSC::JSBigInt::equalsToNumber):
3121         (JSC::JSBigInt::equalsToInt32):
3122         * runtime/JSBigInt.h:
3123         (JSC::asHeapBigInt):
3124         * runtime/JSCJSValue.cpp:
3125         (JSC::JSValue::toNumberSlowCase const):
3126         (JSC::JSValue::toObjectSlowCase const):
3127         (JSC::JSValue::toThisSlowCase const):
3128         (JSC::JSValue::synthesizePrototype const):
3129         (JSC::JSValue::dumpInContextAssumingStructure const):
3130         (JSC::JSValue::dumpForBacktrace const):
3131         (JSC::JSValue::toStringSlowCase const):
3132         * runtime/JSCJSValue.h:
3133         * runtime/JSCJSValueInlines.h:
3134         (JSC::JSValue::JSValue):
3135         (JSC::JSValue::asHeapBigInt const):
3136         (JSC::JSValue::isBigInt const):
3137         (JSC::JSValue::isHeapBigInt const):
3138         (JSC::JSValue::isBigInt32 const):
3139         (JSC::JSValue::bigInt32AsInt32 const):
3140         (JSC::JSValue::isPrimitive const):
3141         (JSC::JSValue::getPrimitiveNumber):
3142         (JSC::JSValue::toNumeric const):
3143         (JSC::JSValue::toBigIntOrInt32 const):
3144         (JSC::JSValue::equalSlowCaseInline):
3145         (JSC::JSValue::strictEqualForCells):
3146         (JSC::JSValue::strictEqual):
3147         (JSC::JSValue::pureStrictEqual):
3148         (JSC::JSValue::pureToBoolean const):
3149         * runtime/JSCell.cpp:
3150         (JSC::JSCell::put):
3151         (JSC::JSCell::putByIndex):
3152         (JSC::JSCell::toPrimitive const):
3153         (JSC::JSCell::getPrimitiveNumber const):
3154         (JSC::JSCell::toNumber const):
3155         (JSC::JSCell::toObjectSlow const):
3156         * runtime/JSCell.h:
3157         * runtime/JSCellInlines.h:
3158         (JSC::JSCell::isHeapBigInt const):
3159         (JSC::JSCell::toBoolean const):
3160         (JSC::JSCell::pureToBoolean const):
3161         * runtime/JSString.h:
3162         (JSC::JSValue::toBoolean const):
3163         * runtime/JSType.cpp:
3164         (WTF::printInternal):
3165         * runtime/JSType.h:
3166         * runtime/JSTypeInfo.h:
3167         * runtime/ObjectInitializationScope.cpp:
3168         * runtime/Operations.cpp:
3169         (JSC::jsAddSlowCase):
3170         (JSC::jsIsObjectTypeOrNull):
3171         * runtime/Operations.h:
3172         (JSC::compareBigIntToOtherPrimitive):
3173         (JSC::bigIntCompare):
3174         (JSC::jsLess):
3175         (JSC::jsLessEq):
3176         (JSC::arithmeticBinaryOp):
3177         (JSC::jsSub):
3178         (JSC::jsMul):
3179         (JSC::jsDiv):
3180         (JSC::jsRemainder):
3181         (JSC::jsPow):
3182         (JSC::jsInc):
3183         (JSC::jsDec):
3184         (JSC::jsBitwiseNot):
3185         (JSC::shift):
3186         (JSC::jsLShift):
3187         (JSC::jsRShift):
3188         (JSC::bitwiseBinaryOp):
3189         (JSC::jsBitwiseAnd):
3190         (JSC::jsBitwiseOr):
3191         (JSC::jsBitwiseXor):
3192         * runtime/Scribble.h: Copied from Source/JavaScriptCore/runtime/BigIntObject.h.
3193         (JSC::scribbleFreeCells):
3194         (JSC::isScribbledValue):
3195         (JSC::scribble):
3196         * runtime/StructureInlines.h:
3197         (JSC::prototypeForLookupPrimitiveImpl):
3198
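The BigInt32 encoding and the rewritten StrictEq fast path from the entry above, as an added C++ model that is not JSC's code. The BigInt32 pattern is the one the entry gives; the other tag constants are taken from my reading of JSC's runtime/JSCJSValue.h and are this example's assumptions, and the fake cell address and sample inputs are constructed. The model checks the five disjointness properties bit by bit and shows why the pre-patch fast path becomes unsound once a heap BigInt cell can equal an inlined BigInt32.

```cpp
#include <cstdint>
#include <cstring>

// Tag constants as I read them in JSC's runtime/JSCJSValue.h (64-bit build); they are
// this example's assumptions, not text from the ChangeLog entry above.
constexpr uint64_t NumberTag          = 0xfffe000000000000ull; // Int32 looks like FFFE:0000:IIII:IIII
constexpr uint64_t DoubleEncodeOffset = 1ull << 49;            // a double is stored as its bits + 2^49
constexpr uint64_t OtherTag           = 0x2;                   // bit 1: set on every immediate, clear on cells
constexpr uint64_t BoolTag            = 0x4;                   // bit 2: true/false
constexpr uint64_t UndefinedTag       = 0x8;                   // bit 3: undefined vs. null
constexpr uint64_t WasmTag            = 0x1;                   // bit 0: marks a wasm callee pointer
constexpr uint64_t ValueNull          = OtherTag;                   // 0x02
constexpr uint64_t ValueFalse         = OtherTag | BoolTag;         // 0x06
constexpr uint64_t ValueTrue          = OtherTag | BoolTag | 0x1;   // 0x07
constexpr uint64_t ValueUndefined     = OtherTag | UndefinedTag;    // 0x0a
constexpr uint64_t NotCellMask        = NumberTag | OtherTag;
// The pattern the entry describes: 0000:XXXX:XXXX:0012 (bits 1 and 4 set; bits 0, 2, 3 clear).
constexpr uint64_t BigInt32Tag        = 0x12;
constexpr uint64_t BigInt32Mask       = NumberTag | BigInt32Tag;

uint64_t encodeInt32(int32_t i)  { return NumberTag | static_cast<uint32_t>(i); }
uint64_t encodeDouble(double d)  { uint64_t b; std::memcpy(&b, &d, sizeof b); return b + DoubleEncodeOffset; }
// Zero-extend the payload so the top 16 bits stay 0000 for negative values too.
uint64_t encodeBigInt32(int32_t i) { return (static_cast<uint64_t>(static_cast<uint32_t>(i)) << 16) | BigInt32Tag; }
int32_t decodeBigInt32(uint64_t v) { return static_cast<int32_t>(static_cast<uint32_t>(v >> 16)); }

// Predicates in the style of JSValue::is*().
bool isInt32(uint64_t v)           { return (v & NumberTag) == NumberTag; }
bool isNumber(uint64_t v)          { return (v & NumberTag) != 0; }
bool isDouble(uint64_t v)          { return isNumber(v) && !isInt32(v); }
bool isBigInt32(uint64_t v)        { return (v & BigInt32Mask) == BigInt32Tag; }
bool isBoolean(uint64_t v)         { return (v & ~1ull) == ValueFalse; }
bool isUndefinedOrNull(uint64_t v) { return (v & ~UndefinedTag) == ValueNull; }
bool isCell(uint64_t v)            { return (v & NotCellMask) == 0; }

enum class Kind { Int32, Double, BigInt32, Boolean, UndefinedOrNull, Cell, Ambiguous };

// Exactly one predicate must claim an encoding; Ambiguous means none or several did,
// which is the type-confusion case a new tag must not introduce.
Kind classify(uint64_t v) {
    int hits = isInt32(v) + isDouble(v) + isBigInt32(v) + isBoolean(v) + isUndefinedOrNull(v) + isCell(v);
    if (hits != 1) return Kind::Ambiguous;
    if (isInt32(v)) return Kind::Int32;
    if (isDouble(v)) return Kind::Double;
    if (isBigInt32(v)) return Kind::BigInt32;
    if (isBoolean(v)) return Kind::Boolean;
    if (isUndefinedOrNull(v)) return Kind::UndefinedOrNull;
    return Kind::Cell;
}

// The five properties the entry lists, checked bit by bit on a real encoding, plus a round trip.
bool bigInt32IsUnambiguous(int32_t i) {
    uint64_t v = encodeBigInt32(i);
    return !isNumber(v)          // top bits: neither Double nor Int32
        && !isCell(v)            // bit 1 set: not a cell pointer
        && !(v & WasmTag)        // bit 0 clear: not a wasm callee pointer
        && !(v & BoolTag)        // bit 2 clear: not true/false
        && (v & 0x10) != 0       // bit 4 set: not null/undefined
        && isBigInt32(v) && decodeBigInt32(v) == i;
}

enum class Outcome { True, False, Slow };

// Fast path before the patch (the entry's first pseudocode). Once a heap JSBigInt cell and an
// inlined BigInt32 can be strictly equal, "cell vs. non-cell" no longer implies "not equal".
Outcome strictEqBefore(uint64_t l, uint64_t r) {
    if (isCell(l) && isCell(r)) return l == r ? Outcome::True : Outcome::Slow;
    if (!isInt32(l) && isNumber(l)) return Outcome::Slow;
    if (!isInt32(r) && isNumber(r)) return Outcome::Slow;
    return l == r ? Outcome::True : Outcome::False;
}

// Fast path after the patch (the entry's second pseudocode). The double test is written
// plainly; the entry's branch-predictor-friendly bit trick is not reproduced here.
Outcome strictEqAfter(uint64_t l, uint64_t r) {
    if (isDouble(l) || isDouble(r)) return Outcome::Slow;
    if (l == r) return Outcome::True;
    if (isCell(l) || isCell(r)) return Outcome::Slow;  // the cell may be a heap BigInt equal to the other side
    return Outcome::False;
}

// Constructed stand-in for a 16-byte-aligned heap JSBigInt pointer (not a real address).
constexpr uint64_t kFakeHeapBigInt = 0x00007f0000001000ull;
```

With the fake heap BigInt on one side and an inlined 5n on the other, `strictEqBefore` answers False without consulting the slow path, while `strictEqAfter` defers to it.
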
3199 2020-04-18  Keith Miller  <keith_miller@apple.com>
3200
3201         Unreviewed, remove commented out/dead code that failed to
3202         get removed when landing r260323.
3203
3204         * llint/LLIntSlowPaths.cpp:
3205         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3206         * runtime/CommonSlowPaths.cpp:
3207         (JSC::iterator_next_try_fast):
3208
3209 2020-04-18  Keith Miller  <keith_miller@apple.com>
3210
3211         Redesign how we do for-of iteration for JSArrays
3212         https://bugs.webkit.org/show_bug.cgi?id=175454
3213
3214         Reviewed by Filip Pizlo and Saam Barati.
3215
3216         This patch intrinsifies for-of iteration for JSArrays when they are
3217         being iterated with the built-in Symbol.iterator. We do this by
3218         adding two new bytecodes, op_iterator_open and
3219         op_iterator_next. These bytecodes are essentially a fused set of
3220         existing bytecodes with a special case for our intrinsified JSArray
3221         case. This patch only adds support for these instructions on
3222         64-bit.
3223
3224
3225         The op_iterator_open bytecode is semantically the same as:
3226         iterator = symbolIterator.@call(iterable);
3227         next = iterator.next;
3228
3229         where iterable is the rhs of the for-of and symbolIterator is the
3230         result of running iterable.symbolIterator;
3231
3232
3233         The op_iterator_next bytecode is semantically the same as:
3234         nextResult = next.@call(iterator);
3235         done = nextResult.done;
3236         value = done ? (undefined / bottom) : nextResult.value;
3237
3238         where nextResult is a temporary (the value VirtualRegister in the
3239         LLInt/Baseline and a tmp in the DFG).
3240
3241         In order to make sure these bytecodes have the same performance as
3242         the existing bytecode sequence, we need to make sure we have the
3243         same profiling data and inline caching. Most of the existing
3244         get_by_id code assumed a particular bytecode member name was the
3245         same in each flavor get_by_id access. This patch adds template
3246         specialized functions that vend the correct
3247         Profile/VirtualRegister for the current bytecode/checkpoint. This
3248         means we can have meaningful names for our Bytecode structs and
3249         still use the generic functions.
3250
3251         In the LLInt most of the logic for calls/get_by_id had to be
3252         factored into helper macros, so we could have bytecodes that are
3253         some combination of those.
3254
3255         The trickiest part of this patch was getting the hand rolled DFG
3256         IR to work correctly. This is because we don't have a great way to
3257         express large chunks of DFG graph that doesn't involve manually
3258         tracking all the DFG's invariants. Such as:
3259
3260         1) Flushing/Phantoming values at the end of each block.
3261         2) Rolling forwards and backwards the BytecodeIndex when switching
3262            blocks.
3263         3) Remembering to GetLocal each variable at the top of every block.
3264         4) Ensuring that the JSValue stored to the op_iterator_next.m_value
3265            local does not cause us to OSR exit at the set local.
3266
3267         (4) is handled by a new function, bottomValueMatchingSpeculation,
3268         on DFGGraph that produces a FrozenValue that is roughly the bottom
3269         for a given speculated type. In a future patch we should make this
3270         more complete, probably by adding a VM::bottomCellForSetLocal that
3271         prediction propagation and AI know how to treat as a true bottom
3272         value. See: https://bugs.webkit.org/show_bug.cgi?id=210694
3273
3274         Lastly, this patch changes the DFG NodeType, CheckCell to be
3275         CheckIsConstant.  CheckIsConstant is equivalent to the == operator
3276         on JSValue where it just checks the register values are the
3277         same. In order to keep the same perf that we had for CheckCell,
3278         CheckIsConstant supports CellUse.
3279
3280         * CMakeLists.txt:
3281         * JavaScriptCore.xcodeproj/project.pbxproj:
3282         * assembler/MacroAssemblerARM64.h:
3283         (JSC::MacroAssemblerARM64::or8):
3284         (JSC::MacroAssemblerARM64::store8):
3285         * assembler/MacroAssemblerX86_64.h:
3286         (JSC::MacroAssemblerX86_64::or8):
3287         * bytecode/ArrayProfile.h:
3288         (JSC::ArrayProfile::observeStructureID):
3289         (JSC::ArrayProfile::observeStructure):
3290         * bytecode/BytecodeList.rb:
3291         * bytecode/BytecodeLivenessAnalysis.cpp:
3292         (JSC::tmpLivenessForCheckpoint):
3293         * bytecode/BytecodeOperandsForCheckpoint.h: Added.
3294         (JSC::arrayProfileForImpl):
3295         (JSC::hasArrayProfileFor):
3296         (JSC::arrayProfileFor):
3297         (JSC::valueProfileForImpl):
3298         (JSC::hasValueProfileFor):
3299         (JSC::valueProfileFor):
3300         (JSC::destinationFor):
3301         (JSC::calleeFor):
3302         (JSC::argumentCountIncludingThisFor):
3303         (JSC::stackOffsetInRegistersForCall):
3304         (JSC::callLinkInfoFor):
3305         * bytecode/BytecodeUseDef.cpp:
3306         (JSC::computeUsesForBytecodeIndexImpl):
3307         (JSC::computeDefsForBytecodeIndexImpl):
3308         * bytecode/CallLinkInfo.cpp:
3309         (JSC::CallLinkInfo::callTypeFor):
3310         * bytecode/CallLinkStatus.cpp:
3311         (JSC::CallLinkStatus::computeFromLLInt):
3312         * bytecode/CodeBlock.cpp:
3313         (JSC::CodeBlock::finishCreation):
3314         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3315         (JSC::CodeBlock::tryGetValueProfileForBytecodeIndex):
3316         * bytecode/CodeBlock.h:
3317         (JSC::CodeBlock::instructionAt const):
3318         * bytecode/CodeBlockInlines.h:
3319         (JSC::CodeBlock::forEachValueProfile):
3320         (JSC::CodeBlock::forEachArrayProfile):
3321         * bytecode/GetByStatus.cpp:
3322         (JSC::GetByStatus::computeFromLLInt):
3323         * bytecode/Instruction.h:
3324         (JSC::BaseInstruction::width const):
3325         (JSC::BaseInstruction::hasCheckpoints const):
3326         (JSC::BaseInstruction::asKnownWidth const):
3327         (JSC::BaseInstruction::wide16 const):
3328         (JSC::BaseInstruction::wide32 const):
3329         * bytecode/InstructionStream.h:
3330         * bytecode/IterationModeMetadata.h: Copied from Source/JavaScriptCore/bytecode/SuperSampler.h.
3331         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3332         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3333         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
3334         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3335         * bytecode/Opcode.h:
3336         * bytecode/SpeculatedType.h:
3337         (JSC::isSubtypeSpeculation):
3338         (JSC::speculationContains):
3339         * bytecode/SuperSampler.h:
3340         (JSC::SuperSamplerScope::release):
3341         * bytecompiler/BytecodeGenerator.cpp:
3342         (JSC::BytecodeGenerator::emitGenericEnumeration):
3343         (JSC::BytecodeGenerator::emitEnumeration):
3344         (JSC::BytecodeGenerator::emitIsEmpty):
3345         (JSC::BytecodeGenerator::emitIteratorOpen):
3346         (JSC::BytecodeGenerator::emitIteratorNext):
3347         (JSC::BytecodeGenerator::emitGetGenericIterator):
3348         (JSC::BytecodeGenerator::emitIteratorGenericNext):
3349         (JSC::BytecodeGenerator::emitIteratorGenericNextWithValue):
3350         (JSC::BytecodeGenerator::emitIteratorGenericClose):
3351         (JSC::BytecodeGenerator::emitGetAsyncIterator):
3352         (JSC::BytecodeGenerator::emitDelegateYield):
3353         (JSC::BytecodeGenerator::emitIteratorNextWithValue): Deleted.
3354         (JSC::BytecodeGenerator::emitIteratorClose): Deleted.
3355         (JSC::BytecodeGenerator::emitGetIterator): Deleted.
3356         * bytecompiler/BytecodeGenerator.h:
3357         * bytecompiler/NodesCodegen.cpp:
3358         (JSC::ArrayPatternNode::bindValue const):
3359         * dfg/DFGAbstractInterpreterInlines.h:
3360         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3361         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
3362         * dfg/DFGAtTailAbstractState.h:
3363         (JSC::DFG::AtTailAbstractState::size const):
3364         (JSC::DFG::AtTailAbstractState::numberOfTmps const):
3365         (JSC::DFG::AtTailAbstractState::atIndex):
3366         (JSC::DFG::AtTailAbstractState::tmp):
3367         * dfg/DFGByteCodeParser.cpp:
3368         (JSC::DFG::ByteCodeParser::progressToNextCheckpoint):
3369         (JSC::DFG::ByteCodeParser::get):
3370         (JSC::DFG::ByteCodeParser::set):
3371         (JSC::DFG::ByteCodeParser::jsConstant):
3372         (JSC::DFG::ByteCodeParser::weakJSConstant):
3373         (JSC::DFG::ByteCodeParser::addCall):
3374         (JSC::DFG::ByteCodeParser::allocateUntargetableBlock):
3375         (JSC::DFG::ByteCodeParser::handleCall):
3376         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
3377         (JSC::DFG::ByteCodeParser::inlineCall):
3378         (JSC::DFG::ByteCodeParser::handleCallVariant):
3379         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
3380         (JSC::DFG::ByteCodeParser::handleInlining):
3381         (JSC::DFG::ByteCodeParser::handleMinMax):
3382         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3383         (JSC::DFG::ByteCodeParser::handleDOMJITCall):
3384         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
3385         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3386         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
3387         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
3388         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3389         (JSC::DFG::ByteCodeParser::handleGetById):
3390         (JSC::DFG::ByteCodeParser::parseBlock):
3391         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3392         (JSC::DFG::ByteCodeParser::handlePutByVal):
3393         (JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject):
3394         (JSC::DFG::ByteCodeParser::parse):
3395         * dfg/DFGCFGSimplificationPhase.cpp:
3396         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
3397         (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
3398         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
3399         * dfg/DFGCapabilities.cpp:
3400         (JSC::DFG::capabilityLevel):
3401         * dfg/DFGClobberize.h:
3402         (JSC::DFG::clobberize):
3403         * dfg/DFGConstantFoldingPhase.cpp:
3404         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3405         * dfg/DFGDoesGC.cpp:
3406         (JSC::DFG::doesGC):
3407         * dfg/DFGFixupPhase.cpp:
3408         (JSC::DFG::FixupPhase::fixupNode):
3409         (JSC::DFG::FixupPhase::addStringReplacePrimordialChecks):
3410         * dfg/DFGForAllKills.h:
3411         (JSC::DFG::forAllKilledOperands):
3412         * dfg/DFGGraph.cpp:
3413         (JSC::DFG::Graph::bottomValueMatchingSpeculation):
3414         * dfg/DFGGraph.h:
3415         * dfg/DFGInPlaceAbstractState.cpp:
3416         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
3417         (JSC::DFG::InPlaceAbstractState::initialize):
3418         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3419         (JSC::DFG::InPlaceAbstractState::merge):
3420         * dfg/DFGInPlaceAbstractState.h:
3421         (JSC::DFG::InPlaceAbstractState::size const):
3422         (JSC::DFG::InPlaceAbstractState::numberOfTmps const):
3423         (JSC::DFG::InPlaceAbstractState::atIndex):
3424         (JSC::DFG::InPlaceAbstractState::operand):
3425         (JSC::DFG::InPlaceAbstractState::local):
3426         (JSC::DFG::InPlaceAbstractState::argument):
3427         (JSC::DFG::InPlaceAbstractState::variableAt): Deleted.
3428         * dfg/DFGLazyJSValue.h:
3429         (JSC::DFG::LazyJSValue::speculatedType const):
3430         * dfg/DFGNode.h:
3431         (JSC::DFG::Node::hasConstant):
3432         (JSC::DFG::Node::hasCellOperand):
3433         * dfg/DFGNodeType.h:
3434         * dfg/DFGOSRExitCompilerCommon.cpp:
3435         (JSC::DFG::callerReturnPC):
3436         * dfg/DFGPredictionPropagationPhase.cpp:
3437         * dfg/DFGSafeToExecute.h:
3438         (JSC::DFG::safeToExecute):
3439         * dfg/DFGSpeculativeJIT.cpp:
3440         (JSC::DFG::SpeculativeJIT::compileCheckIsConstant):
3441         (JSC::DFG::SpeculativeJIT::compileCheckCell): Deleted.
3442         * dfg/DFGSpeculativeJIT.h:
3443         * dfg/DFGSpeculativeJIT32_64.cpp:
3444         (JSC::DFG::SpeculativeJIT::compile):
3445         * dfg/DFGSpeculativeJIT64.cpp:
3446         (JSC::DFG::SpeculativeJIT::compile):
3447         * dfg/DFGValidate.cpp:
3448         * ftl/FTLCapabilities.cpp:
3449         (JSC::FTL::canCompile):
3450         * ftl/FTLLowerDFGToB3.cpp:
3451         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3452         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIsConstant):
3453         (JSC::FTL::DFG::LowerDFGToB3::compileCheckCell): Deleted.
3454         * generator/DSL.rb:
3455         * generator/Metadata.rb:
3456         * generator/Section.rb:
3457         * jit/JIT.cpp:
3458         (JSC::JIT::privateCompileMainPass):
3459         (JSC::JIT::privateCompileSlowCases):
3460         * jit/JIT.h:
3461         * jit/JITCall.cpp:
3462         (JSC::JIT::emitPutCallResult):
3463         (JSC::JIT::compileSetupFrame):
3464         (JSC::JIT::compileOpCall):
3465         (JSC::JIT::emit_op_iterator_open):
3466         (JSC::JIT::emitSlow_op_iterator_open):
3467         (JSC::JIT::emit_op_iterator_next):
3468         (JSC::JIT::emitSlow_op_iterator_next):
3469         * jit/JITCall32_64.cpp:
3470         (JSC::JIT::emit_op_iterator_open):
3471         (JSC::JIT::emitSlow_op_iterator_open):
3472         (JSC::JIT::emit_op_iterator_next):
3473         (JSC::JIT::emitSlow_op_iterator_next):
3474         * jit/JITInlines.h:
3475         (JSC::JIT::updateTopCallFrame):
3476         (JSC::JIT::advanceToNextCheckpoint):
3477         (JSC::JIT::emitJumpSlowToHotForCheckpoint):
3478         (JSC::JIT::emitValueProfilingSite):
3479         * jit/JITOperations.cpp:
3480         * jit/JITOperations.h:
3481         * llint/LLIntSlowPaths.cpp:
3482         (JSC::LLInt::setupGetByIdPrototypeCache):
3483         (JSC::LLInt::performLLIntGetByID):
3484         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3485         (JSC::LLInt::genericCall):
3486         (JSC::LLInt::handleIteratorOpenCheckpoint):
3487         (JSC::LLInt::handleIteratorNextCheckpoint):
3488         (JSC::LLInt::slow_path_checkpoint_osr_exit):
3489         (JSC::LLInt::llint_dump_value):
3490         * llint/LowLevelInterpreter.asm:
3491         * llint/LowLevelInterpreter32_64.asm:
3492         * llint/LowLevelInterpreter64.asm:
3493         * offlineasm/transform.rb:
3494         * runtime/CommonSlowPaths.cpp:
3495         (JSC::iterator_open_try_fast):
3496         (JSC::iterator_open_try_fast_narrow):
3497         (JSC::iterator_open_try_fast_wide16):
3498         (JSC::iterator_open_try_fast_wide32):
3499         (JSC::iterator_next_try_fast):
3500         (JSC::iterator_next_try_fast_narrow):
3501         (JSC::iterator_next_try_fast_wide16):
3502         (JSC::iterator_next_try_fast_wide32):
3503         * runtime/CommonSlowPaths.h:
3504         * runtime/Intrinsic.cpp:
3505         (JSC::interationKindForIntrinsic):
3506         * runtime/Intrinsic.h:
3507         * runtime/JSArrayIterator.h:
3508         * runtime/JSCJSValue.h:
3509         * runtime/JSCJSValueInlines.h:
3510         (JSC::JSValue::isCallable const):
3511         * runtime/JSCast.h:
3512         * runtime/JSGlobalObject.h:
3513         (JSC::JSGlobalObject::arrayProtoValuesFunctionConcurrently const):
3514         * runtime/OptionsList.h:
3515         * runtime/Structure.cpp:
3516         (JSC::Structure::dumpBrief const):
3517
3518 2020-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
3519
3520         [JSC] Replace DFG NewPromise with NewInternalFieldObject
3521         https://bugs.webkit.org/show_bug.cgi?id=210687
3522
3523         Reviewed by Saam Barati.
3524
3525         The feature of DFG::NewPromise can be implemented completely with DFG::NewInternalFieldObject. This reduces code duplication, and furthermore,
3526         this offers Object Allocation Sinking support for free. This patch replaces DFG::NewPromise with DFG::NewInternalFieldObject and removes DFG::NewPromise
3527         completely.
3528
3529         * dfg/DFGAbstractInterpreterInlines.h:
3530         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3531         * dfg/DFGByteCodeParser.cpp:
3532         (JSC::DFG::ByteCodeParser::parseBlock):
3533         * dfg/DFGClobberize.h:
3534         (JSC::DFG::clobberize):
3535         * dfg/DFGClobbersExitState.cpp:
3536         (JSC::DFG::clobbersExitState):
3537         * dfg/DFGConstantFoldingPhase.cpp:
3538         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3539         * dfg/DFGDoesGC.cpp:
3540         (JSC::DFG::doesGC):
3541         * dfg/DFGFixupPhase.cpp:
3542         (JSC::DFG::FixupPhase::fixupNode):
3543         * dfg/DFGNode.h:
3544         (JSC::DFG::Node::convertToNewInternalFieldObject):
3545         (JSC::DFG::Node::convertToNewInternalFieldObjectWithInlineFields):
3546         (JSC::DFG::Node::hasIsInternalPromise):
3547         (JSC::DFG::Node::hasStructure):
3548         (JSC::DFG::Node::convertToNewPromise): Deleted.
3549         * dfg/DFGNodeType.h:
3550         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3551         * dfg/DFGPredictionPropagationPhase.cpp:
3552         * dfg/DFGSafeToExecute.h:
3553         (JSC::DFG::safeToExecute):
3554         * dfg/DFGSpeculativeJIT.cpp:
3555         (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject):
3556         (JSC::DFG::SpeculativeJIT::compileNewPromise): Deleted.
3557         * dfg/DFGSpeculativeJIT.h:
3558         * dfg/DFGSpeculativeJIT32_64.cpp:
3559         (JSC::DFG::SpeculativeJIT::compile):
3560         * dfg/DFGSpeculativeJIT64.cpp:
3561         (JSC::DFG::SpeculativeJIT::compile):
3562         * dfg/DFGStoreBarrierInsertionPhase.cpp:
3563         * ftl/FTLCapabilities.cpp:
3564         (JSC::FTL::canCompile):
3565         * ftl/FTLLowerDFGToB3.cpp:
3566         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3567         (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject):
3568         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewInternalFieldObject):
3569         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise): Deleted.
3570         * ftl/FTLOperations.cpp:
3571         (JSC::FTL::operationPopulateObjectInOSR):
3572         (JSC::FTL::operationMaterializeObjectInOSR):
3573         * runtime/JSInternalPromise.cpp:
3574         (JSC::JSInternalPromise::createWithInitialValues):
3575         * runtime/JSInternalPromise.h:
3576         * runtime/JSPromise.cpp:
3577         (JSC::JSPromise::createWithInitialValues):
3578         (JSC::JSPromise::finishCreation):
3579         (JSC::JSPromise::status const):
3580         (JSC::JSPromise::result const):
3581         (JSC::JSPromise::flags const):
3582         (JSC::JSPromise::resolve):
3583         (JSC::JSPromise::reject):
3584         (JSC::JSPromise::rejectAsHandled):
3585         * runtime/JSPromise.h:
3586         (JSC::JSPromise::initialValues):
3587         (JSC::JSPromise::internalField const):
3588         (JSC::JSPromise::internalField):
3589
3590 2020-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
3591
3592         Unreviewed, build fix for ARM64E after r260310
3593         https://bugs.webkit.org/show_bug.cgi?id=207330
3594
3595         r260310 uses the undefined function Instruction.cloneWithNewOperands in arm64e.rb and throws an error.
3596         This patch calls `node.cloneWithNewOperands`.
3597
3598         * offlineasm/arm64e.rb:
3599
3600 2020-04-18  Alexey Shvayka  <shvaikalesh@gmail.com>
3601
3602         RegExp.prototype[@@search] should use SameValue
3603         https://bugs.webkit.org/show_bug.cgi?id=173226
3604
3605         Reviewed by Yusuke Suzuki.
3606
3607         This change exposes Object.is implementation as link-time-constant @sameValue and utilizes
3608         it in RegExp.prototype[@@search] per spec [1], aligning JSC with V8 and SpiderMonkey.
3609
3610         [1]: https://tc39.es/ecma262/#sec-regexp.prototype-@@search (steps 5, 8)
3611
3612         * builtins/BuiltinNames.h:
3613         * builtins/RegExpPrototype.js:
3614         (Symbol.search):
3615         * bytecode/LinkTimeConstant.h:
3616         * runtime/JSGlobalObject.cpp:
3617         (JSC::JSGlobalObject::init):
3618         * runtime/ObjectConstructor.cpp:
3619         * runtime/ObjectConstructor.h:
3620
3621 2020-04-18  Angelos Oikonomopoulos  <angelos@igalia.com>
3622
3623         Fix code origin when lowering offlineasm instructions on MIPS/ARM64E
3624         https://bugs.webkit.org/show_bug.cgi?id=207330
3625
3626         Reviewed by Mark Lam.
3627
3628         Instruction operands are mapped to RegisterID in RegisterID.forName
3629         and the operation is memoized. Therefore, we can't use the codeOrigin
3630         of the operand at that point. Use the codeOrigin of the original
3631         instruction instead.
3632
3633         * offlineasm/arm64e.rb:
3634         * offlineasm/ast.rb:
3635         * offlineasm/mips.rb:
3636         * offlineasm/risc.rb:
3637
3638 2020-04-18  Angelos Oikonomopoulos  <angelos@igalia.com>
3639
3640         REGRESSION(r260246): It broke the build on MIPS32
3641         https://bugs.webkit.org/show_bug.cgi?id=210665
3642
3643         Reviewed by Aakash Jain.
3644
3645         The mnemonic for 'store halfword' is 'sh', not 'shv'. This appears to
3646         be a typo in a path that was never exercised.
3647
3648         Exposed by r260246; riscLowerMisplacedAddresses now calls into
3649         riscAsRegisters with an 'h' suffix, which results in a 'storeh'
3650         instruction. The storeh is then lowered to the non-existent 'shv'.
3651
3652         * offlineasm/mips.rb:
3653
3654 2020-04-17  Commit Queue  <commit-queue@webkit.org>
3655
3656         Unreviewed, reverting r260279.
3657         https://bugs.webkit.org/show_bug.cgi?id=210678
3658
3659         Throwing an error would be more efficient; having generic code
3660         is still worth doing (Requested by yusukesuzuki on #webkit).
3661
3662         Reverted changeset:
3663
3664         "[JSC] We do not need to have exit-check for Map/Set iterator
3665         functions"
3666         https://bugs.webkit.org/show_bug.cgi?id=210667
3667         https://trac.webkit.org/changeset/260279
3668
3669 2020-04-17  Saam Barati  <sbarati@apple.com>
3670
3671         GetTypedArrayByteOffset is broken on arm64e
3672         https://bugs.webkit.org/show_bug.cgi?id=210631
3673
3674         Reviewed by Mark Lam.
3675
3676         The vector of JSArrayBufferView is signed even when null on arm64e.  However, we were
3677         comparing against zero, which is wrong. This patch changes it so we do the right thing
3678         and instead compare against whatever constant (ptr=nullptr,size=0) signs as.
3679
3680         * dfg/DFGSpeculativeJIT.cpp:
3681         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3682         * ftl/FTLLowerDFGToB3.cpp:
3683         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
3684         * runtime/CagedBarrierPtr.h:
3685         (JSC::CagedBarrierPtr::rawBits const):
3686         * runtime/JSArrayBufferView.h:
3687         (JSC::JSArrayBufferView::nullVectorPtr):
3688
3689 2020-04-17  Yusuke Suzuki  <ysuzuki@apple.com>
3690
3691         [JSC] We do not need to have exit-check for Map/Set iterator functions
3692         https://bugs.webkit.org/show_bug.cgi?id=210667
3693
3694         Reviewed by Michael Saboff.
3695
3696         If the intrinsic's DFG node does not support general cases, we should check exit-frequency to avoid an exit-recompile loop.
3697         However, Map/Set iterator creation functions (values, keys, entries) always require Map / Set types, and throw an error
3698         when this is not met. So, the current DFG nodes for these intrinsics support all the cases except for the case throwing an
3699         error, and an error will exit anyway. So we do not need to have this exit-frequency guard here.
3700
3701         This path is already tested by map-iterator-check-before-fail.js / set-iterator-check-before-fail.js.
3702
3703         * dfg/DFGByteCodeParser.cpp:
3704         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3705
3706 2020-04-17  Devin Rousso  <drousso@apple.com>
3707
3708         Rename NullishEq / NULLISHEQUAL to CoalesceEq / COALESCEEQUAL to match the spec
3709         https://bugs.webkit.org/show_bug.cgi?id=210663
3710
3711         Reviewed by Ross Kirsling.
3712
3713         * bytecompiler/NodesCodegen.cpp:
3714         (JSC::emitShortCircuitAssignment):
3715         * parser/ASTBuilder.h:
3716         (JSC::ASTBuilder::makeAssignNode):
3717         * parser/Lexer.cpp:
3718         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
3719         * parser/Nodes.h:
3720         * parser/Parser.cpp:
3721         (JSC::Parser<LexerType>::parseAssignmentExpression):
3722         * parser/ParserTokens.h:
3723
3724 2020-04-17  Devin Rousso  <drousso@apple.com>
3725
3726         Implement Promise.any and AggregateError
3727         https://bugs.webkit.org/show_bug.cgi?id=202566
3728
3729         Reviewed by Yusuke Suzuki.
3730
3731         `Promise.any` resolves when any of the given `promises` resolve, but only rejects if _all_
3732         of the given `promises` reject. In order to support aggregating all of the `reason` values
3733         for all of the rejections, a new error type `AggregateError` is introduced which has an
3734         `get errors` that returns an aggregated array of the `reason` values.
3735
3736         * builtins/PromiseConstructor.js:
3737         (all.newResolveElement):
3738         (allSettled.newResolveRejectElements):
3739         (any): Added.
3740         (any.newRejectElement): Added.
3741         * runtime/JSPromiseConstructor.cpp:
3742
3743         * builtins/BuiltinNames.h:
3744         * bytecode/LinkTimeConstant.h:
3745         * runtime/JSGlobalObject.h:
3746         (JSC::JSGlobalObject::errorStructure const):
3747         * runtime/JSGlobalObject.cpp:
3748         (JSC::JSGlobalObject::initializeAggregateErrorConstructor): Added.
3749         (JSC::JSGlobalObject::init):
3750         (JSC::JSGlobalObject::visitChildren):
3751         Expose `@AggregateError` for builtins.
3752
3753         * runtime/AggregateError.h: Added.
3754         (JSC::AggregateError::destroy):
3755         (JSC::AggregateError::subspaceFor):
3756         (JSC::AggregateError::createStructure):
3757         (JSC::AggregateError::create):
3758         (JSC::AggregateError::errors const):
3759         * runtime/AggregateError.cpp: Added.
3760         (JSC::AggregateError::AggregateError):
3761         (JSC::AggregateError::visitChildren):
3762         (JSC::AggregateError::create):
3763         (JSC::AggregateError::finishCreation):
3764         * runtime/AggregateErrorPrototype.h: Added.
3765         * runtime/AggregateErrorPrototype.cpp: Added.
3766         (JSC::AggregateErrorPrototype::AggregateErrorPrototype):
3767         (JSC::AggregateErrorPrototype::finishCreation):
3768         (JSC::aggregateErrorPrototypeAccessorErrors):
3769         * runtime/AggregateErrorConstructor.h: Added.
3770         * runtime/AggregateErrorConstructor.cpp: Added.
3771         (JSC::callAggregateErrorConstructor):
3772         (JSC::constructAggregateErrorConstructor):
3773         (JSC::AggregateErrorConstructor::AggregateErrorConstructor):
3774         (JSC::AggregateErrorConstructor::finishCreation):
3775         * runtime/ErrorType.h:
3776         * runtime/ErrorType.cpp:
3777         (JSC::errorTypeName):
3778
3779         * runtime/VM.h:
3780         * runtime/VM.cpp:
3781         (JSC::VM::VM):
3782         Make an `IsoSubspace` for `AggregateError` as it has a different size than `ErrorInstance`.
3783
3784         * runtime/ErrorInstance.h:
3785         (JSC::ErrorInstance::create):
3786         * runtime/ErrorInstance.cpp:
3787         (JSC::ErrorInstance::finishCreation):
3788         * wasm/js/JSWebAssemblyCompileError.cpp:
3789         (JSC::JSWebAssemblyCompileError::create):
3790         * wasm/js/JSWebAssemblyLinkError.cpp:
3791         (JSC::JSWebAssemblyLinkError::create):
3792         * wasm/js/JSWebAssemblyRuntimeError.cpp:
3793         (JSC::JSWebAssemblyRuntimeError::create):
3794         Assign to `ErrorInstance` member variables inside `ErrorInstance::finishCreation` instead of
3795         inside `ErrorInstance::create` so that subclasses don't have to do the work as well.
3796
3797         * runtime/Error.cpp:
3798         (JSC::createError):
3799
3800         * runtime/ErrorPrototype.h:
3801         (JSC::ErrorPrototype::createStructure):
3802         * runtime/NativeErrorPrototype.h:
3803         (JSC::NativeErrorPrototype::createStructure):
3804         Drive-by: fix incorrect usage of `ErrorInstanceType` since `ErrorPrototype` does not inherit
3805                   from `ErrorInstance` (and therefore neither does `NativeErrorPrototype`).
3806
3807         * runtime/ArgList.h:
3808         Add `WTF_MAKE_NONMOVABLE` to `MarkedArgumentBuffer`.
3809
3810         * Sources.txt:
3811         * JavaScriptCore.xcodeproj/project.pbxproj:
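
        An added example, not code from the WebKit patch: a reference implementation of the `Promise.any` aggregation described above, written in the spirit of the spec's per-element "reject element" closures. The names `AnyAggregator`, `promiseAny` and the `AggregateError` fallback are assumptions of this example, not names from the patch.

```javascript
"use strict";

// Fallback for runtimes that predate AggregateError (assumed shape; Node 15+ has the real one).
const AggregateErrorCtor = typeof AggregateError === "function"
    ? AggregateError
    : class AggregateErrorPolyfill extends Error {
        constructor(errors, message) {
            super(message);
            this.name = "AggregateError";
            this.errors = Array.from(errors);
        }
    };

// State shared by all reject-element closures of one Promise.any call (hypothetical helper):
// the errors array is ordered by input position, not by rejection order; `remaining` counts
// inputs that have not rejected yet; each closure guards against being invoked twice.
class AnyAggregator {
    constructor(onSettle = () => {}) {
        this.onSettle = onSettle;
        this.errors = [];
        this.remaining = 1;   // extra count held until iteration of the inputs finishes
        this.settled = false; // set once the outer promise has been fulfilled or rejected
        this.outcome = null;  // { status: "fulfilled", value } or { status: "rejected", reason }
    }

    // Reserve slot #index and return the rejection handler for that input.
    newRejectElement(index) {
        this.errors[index] = undefined;
        this.remaining += 1;
        let alreadyCalled = false;
        return (reason) => {
            if (alreadyCalled) return; // a second call for the same input must not be counted
            alreadyCalled = true;
            this.errors[index] = reason;
            this.remaining -= 1;
            if (this.remaining === 0) this.rejectAll();
        };
    }

    // The first fulfillment wins; everything that settles afterwards is ignored.
    fulfill(value) {
        this.settle({ status: "fulfilled", value });
    }

    // Only when every input has rejected do we reject, with all reasons aggregated.
    rejectAll() {
        this.settle({
            status: "rejected",
            reason: new AggregateErrorCtor(this.errors, "All promises were rejected"),
        });
    }

    // Release the initial count once all inputs have been registered (handles empty input).
    finishIteration() {
        this.remaining -= 1;
        if (this.remaining === 0) this.rejectAll();
    }

    settle(outcome) {
        if (this.settled) return;
        this.settled = true;
        this.outcome = outcome;
        this.onSettle(outcome);
    }
}

// Promise.any built on the aggregator: each input's then() is wired to the closures above.
function promiseAny(iterable) {
    return new Promise((resolve, reject) => {
        const agg = new AnyAggregator((outcome) => {
            if (outcome.status === "fulfilled") resolve(outcome.value);
            else reject(outcome.reason);
        });
        let index = 0;
        for (const item of iterable) {
            const rejectElement = agg.newRejectElement(index++);
            Promise.resolve(item).then((value) => agg.fulfill(value), rejectElement);
        }
        agg.finishIteration();
    });
}
```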
3812
3813 2020-04-17  Ross Kirsling  <ross.kirsling@sony.com>
3814
3815         Clean up some Intl classes following the ICU upgrade
3816         https://bugs.webkit.org/show_bug.cgi?id=210637
3817
3818         Reviewed by Yusuke Suzuki.
3819
3820         In r259606, I removed the compile-time guards for {DateTimeFormat, NumberFormat}.prototype.formatToParts,
3821         but I forgot to move the method setup back to the lookup table.
3822
3823         This patch addresses that and prunes various other unnecessary includes and forward declarations.
3824
3825         * runtime/IntlCollator.h:
3826         * runtime/IntlCollatorConstructor.h:
3827         * runtime/IntlDateTimeFormat.h:
3828         * runtime/IntlDateTimeFormatConstructor.h:
3829         * runtime/IntlDateTimeFormatPrototype.cpp:
3830         (JSC::IntlDateTimeFormatPrototype::create):
3831         (JSC::IntlDateTimeFormatPrototype::finishCreation):
3832         * runtime/IntlDateTimeFormatPrototype.h:
3833         * runtime/IntlNumberFormat.h:
3834         * runtime/IntlNumberFormatConstructor.h:
3835         * runtime/IntlNumberFormatPrototype.cpp:
3836         (JSC::IntlNumberFormatPrototype::create):
3837         (JSC::IntlNumberFormatPrototype::finishCreation):
3838         * runtime/IntlNumberFormatPrototype.h:
3839         * runtime/IntlObject.h:
3840         * runtime/IntlPluralRules.h:
3841         * runtime/IntlPluralRulesConstructor.h:
3842         * runtime/IntlPluralRulesPrototype.cpp:
3843         (JSC::IntlPluralRulesPrototype::create):
3844         (JSC::IntlPluralRulesPrototype::finishCreation):
3845         * runtime/IntlPluralRulesPrototype.h:
3846
3847 2020-04-17  Yusuke Suzuki  <ysuzuki@apple.com>
3848
3849         [JSC] Map/Set iterator creation functions should fail with BadType etc. before executing insertChecks
3850         https://bugs.webkit.org/show_bug.cgi?id=210649
3851         <rdar://problem/61925452>
3852
3853         Reviewed by Mark Lam.
3854
3855         Since insertChecks adds some DFG nodes, we should determine whether this intrinsic handling is OK or not before executing insertChecks.
3856         Otherwise, we will hit an assertion with `!didInsertChecks`.
3857
3858         * dfg/DFGByteCodeParser.cpp:
3859         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3860
3861 2020-04-17  Mark Lam  <mark.lam@apple.com>
3862
3863         offlineasm is generating the wrong load/store for the "orh" instruction.
3864         https://bugs.webkit.org/show_bug.cgi?id=210639
3865         <rdar://problem/21501876>
3866
3867         Reviewed by Robin Morisset.
3868
3869         For example, on ARM64E, the "orh" instruction was generating the following:
3870
3871             "\tldr w17, [x1, #0]\n"     // JavaScriptCore/llint/LowLevelInterpreter64.asm:919
3872             "\torr w17, w17, #64\n"     // JavaScriptCore/llint/LowLevelInterpreter64.asm:919
3873             "\tstr w17, [x1, #0]\n"     // JavaScriptCore/llint/LowLevelInterpreter64.asm:919
3874
3875         i.e. a 32-bit load, followed by a 32-bit OR, followed by a 32-bit store.
3876
3877         Instead, it should be generating the following:
3878
3879             "\tldrh w17, [x1, #0]\n"    // JavaScriptCore/llint/LowLevelInterpreter64.asm:919
3880             "\torr w17, w17, #64\n"     // JavaScriptCore/llint/LowLevelInterpreter64.asm:919
3881             "\tstrh w17, [x1, #0]\n"    // JavaScriptCore/llint/LowLevelInterpreter64.asm:919
3882
3883         i.e. a 16-bit load, followed by a 32-bit OR, followed by a 16-bit store.
3884
3885         This bug also affects ARM64, ARMv7, and MIPS (basically any backend that uses
3886         riscLowerMisplacedAddresses() from risc.rb).  It does not affect x86, x86_64, and
3887         C_LOOP (which was written based on x86).
3888
3889         * offlineasm/risc.rb:
3890
3891 2020-04-16  Ross Kirsling  <ross.kirsling@sony.com>
3892
3893         REGRESSION(r259480): Two new failing i18n tests
3894         https://bugs.webkit.org/show_bug.cgi?id=210605
3895
3896         Reviewed by Darin Adler.
3897
3898         * runtime/IntlDateTimeFormat.cpp:
3899         (JSC::isUTCEquivalent):
3900         (JSC::defaultTimeZone):
3901         (JSC::canonicalizeTimeZoneName):
3902         The default time zone needs to be canonicalized too.
3903
3904         * runtime/IntlObject.cpp:
3905         (JSC::canonicalLangTag):
3906         (JSC::resolveLocale):
3907         Deal with some odd ""_s cases from my previous patch.
3908         (Drive-by fix inspired by Darin's comments on this one.)
3909
3910 2020-04-16  Sergio Villar Senin  <svillar@igalia.com>
3911
3912         Unreviewed build fix for non-unified builds.
3913
3914         * dfg/DFGOperations.cpp: Added missing includes.
3915
3916 2020-04-16  Mark Lam  <mark.lam@apple.com>
3917
3918         [Re-landing] Use more PAC diversity for JIT probe code.
3919         https://bugs.webkit.org/show_bug.cgi?id=210252
3920         <rdar://problem/54490367>
3921
3922         Reviewed by Keith Miller.
3923
3924         Introducing new PtrTags:
3925             JITProbePtrTag - for the client probe function.
3926             JITProbeTrampolinePtrTag - for calling the ctiMasmProbeTrampoline.
3927             JITProbeExecutorPtrTag - for calling the probe executor.
3928                 Currently, this is only the Probe::executeProbe().
3929             JITProbeStackInitializationFunctionPtrTag - for calling the optional stack
3930                 initialization function that the client probe function may set.
3931
3932         We'll now use these in the JIT probe mechanism instead of adopting the default
3933         CFunctionPtrTag.
3934
3935         Fixed an assert in MacroAssemblerARM64.cpp which does not apply to non-ARM64E
3936         builds.
3937
3938         * assembler/MacroAssembler.cpp:
3939         (JSC::MacroAssembler::probe):
3940         * assembler/MacroAssemblerARM64.cpp:
3941         (JSC::MacroAssembler::probe):
3942         * assembler/MacroAssemblerPrinter.h:
3943         (JSC::MacroAssembler::print):
3944         * assembler/ProbeContext.h:
3945         * runtime/JSCPtrTag.h:
3946         * tools/JSDollarVM.cpp:
3947         (JSC::callWithStackSizeProbeFunction):
3948         * wasm/WasmAirIRGenerator.cpp:
3949         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
3950         * wasm/WasmB3IRGenerator.cpp:
3951         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
3952
3953 2020-04-16  Mark Lam  <mark.lam@apple.com>
3954
3955         Rolling out r259897: Causing crashes on iOS.
3956         https://bugs.webkit.org/show_bug.cgi?id=210252
3957
3958         Not reviewed.
3959
3960         * assembler/MacroAssembler.cpp:
3961         (JSC::MacroAssembler::probe):
3962         * assembler/MacroAssemblerARM64.cpp:
3963         (JSC::MacroAssembler::probe):
3964         * assembler/MacroAssemblerPrinter.h:
3965         (JSC::MacroAssembler::print):
3966         * assembler/ProbeContext.h:
3967         * runtime/JSCPtrTag.h:
3968         * tools/JSDollarVM.cpp:
3969         (JSC::callWithStackSizeProbeFunction):
3970         * wasm/WasmAirIRGenerator.cpp:
3971         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
3972         * wasm/WasmB3IRGenerator.cpp:
3973         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
3974
3975 2020-04-16  Yusuke Suzuki  <ysuzuki@apple.com>
3976
3977         [JSC] Implement JSMapIterator/JSSetIterator with JSInternalFieldObjectImpl
3978         https://bugs.webkit.org/show_bug.cgi?id=210023
3979
3980         Reviewed by Keith Miller.
3981
3982         This patch reimplements JSMapIterator/JSSetIterator with JSInternalFieldObjectImpl.
3983         This makes current JSFinalObject-based Map/SetIterator simple and small.
3984         We generalize NewArrayIterator/PhantomNewArrayIterator to convert them to NewInternalFieldObject/PhantomNewInternalFieldObject
3985         to support JSMapIterator/JSSetIterator too in DFG / FTL. This makes allocation efficient and object-allocation-sinking aware.
3986
3987         * builtins/BuiltinNames.h:
3988         * builtins/MapIteratorPrototype.js:
3989         (globalPrivate.mapIteratorNext):
3990         (next):
3991         * builtins/MapPrototype.js:
3992         (globalPrivate.MapIterator): Deleted.
3993         (values): Deleted.
3994         (keys): Deleted.
3995         (entries): Deleted.
3996         * builtins/SetIteratorPrototype.js:
3997         (globalPrivate.setIteratorNext):
3998         (next):
3999         * builtins/SetPrototype.js:
4000         (globalPrivate.SetIterator): Deleted.
4001         (values): Deleted.
4002         (entries): Deleted.
4003         * bytecode/BytecodeIntrinsicRegistry.cpp:
4004         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
4005         * bytecode/BytecodeIntrinsicRegistry.h:
4006         * bytecompiler/BytecodeGenerator.h:
4007         (JSC::BytecodeGenerator::emitIsMapIterator):
4008         (JSC::BytecodeGenerator::emitIsSetIterator):
4009         * bytecompiler/NodesCodegen.cpp:
4010         (JSC::mapIteratorInternalFieldIndex):
4011         (JSC::setIteratorInternalFieldIndex):
4012         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getMapIteratorInternalField):
4013         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getSetIteratorInternalField):
4014         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putMapIteratorInternalField):
4015         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putSetIteratorInternalField):
4016         * dfg/DFGAbstractInterpreterInlines.h:
4017         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
4018         * dfg/DFGByteCodeParser.cpp:
4019         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
4020         * dfg/DFGClobberize.h:
4021         (JSC::DFG::clobberize):
4022         * dfg/DFGClobbersExitState.cpp:
4023         (JSC::DFG::clobbersExitState):
4024         * dfg/DFGConstantFoldingPhase.cpp:
4025         (JSC::DFG::ConstantFoldingPhase::foldConstants):
4026         * dfg/DFGDoesGC.cpp:
4027         (JSC::DFG::doesGC):
4028         * dfg/DFGFixupPhase.cpp:
4029         (JSC::DFG::FixupPhase::fixupNode):
4030         * dfg/DFGMayExit.cpp:
4031         * dfg/DFGNode.h:
4032         (JSC::DFG::Node::convertToPhantomNewInternalFieldObject):
4033         (JSC::DFG::Node::hasStructure):
4034         (JSC::DFG::Node::isPhantomAllocation):
4035         (JSC::DFG::Node::convertToPhantomNewArrayIterator): Deleted.
4036         * dfg/DFGNodeType.h:
4037         * dfg/DFGObjectAllocationSinkingPhase.cpp:
4038         * dfg/DFGOperations.cpp:
4039         * dfg/DFGOperations.h:
4040         * dfg/DFGPredictionPropagationPhase.cpp:
4041         * dfg/DFGSafeToExecute.h:
4042         (JSC::DFG::safeToExecute):
4043         * dfg/DFGSpeculativeJIT.cpp:
4044         (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObjectImpl):
4045         (JSC::DFG::SpeculativeJIT::compileNewGenerator):