2020-11-03 Alan Coon <alancoon@apple.com> Cherry-pick r269338. rdar://problem/71014532 Don't assert there is no checkpoint side state when dropping the JSLock https://bugs.webkit.org/show_bug.cgi?id=218537 Reviewed by Filip Pizlo. You may have multiple OSR exit sidestate data on the stack, and then call into API code, which might DropAllLocks. Hence, this assert is wrong. Working on a test. Will land in a followup. * runtime/JSLock.cpp: (JSC::JSLock::willReleaseLock): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@269338 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-11-03 Saam Barati <sbarati@apple.com> Don't assert there is no checkpoint side state when dropping the JSLock https://bugs.webkit.org/show_bug.cgi?id=218537 Reviewed by Filip Pizlo. You may have multiple OSR exit sidestate data on the stack, and then call into API code, which might DropAllLocks. Hence, this assert is wrong. Working on a test. Will land in a followup. * runtime/JSLock.cpp: (JSC::JSLock::willReleaseLock): 2020-10-12 Babak Shafiei <bshafiei@apple.com> Cherry-pick r268330. rdar://problem/70189394 Strip patch version from TARGET_MAC_OS_X_VERSION_MAJOR when building for macOS Big Sur or later https://bugs.webkit.org/show_bug.cgi?id=217594 rdar://70188497 Patch by Luming Yin <luming_yin@apple.com> on 2020-10-11 Reviewed by Darin Adler. To ensure successful Mac Catalyst WebKit builds, strip the patch version from TARGET_MAC_OS_X_VERSION_MAJOR by using two `base:`s on MACOSX_DEPLOYMENT_TARGET. * Configurations/Base.xcconfig: git-svn-id: https://svn.webkit.org/repository/webkit/trunk@268330 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-10-11 Luming Yin <luming_yin@apple.com> Strip patch version from TARGET_MAC_OS_X_VERSION_MAJOR when building for macOS Big Sur or later https://bugs.webkit.org/show_bug.cgi?id=217594 rdar://70188497 Reviewed by Darin Adler. To ensure successful Mac Catalyst WebKit builds, strip the patch version from TARGET_MAC_OS_X_VERSION_MAJOR by using two `base:`s on MACOSX_DEPLOYMENT_TARGET. * Configurations/Base.xcconfig: 2020-10-12 Babak Shafiei <bshafiei@apple.com> Cherry-pick r268327. rdar://problem/70189401 Ignore deployment suffix and identifier when computing major OS version for macOS Big Sur and newer https://bugs.webkit.org/show_bug.cgi?id=217584 rdar://70168426 Patch by Luming Yin <luming_yin@apple.com> on 2020-10-11 Reviewed by Darin Adler. Stop using MACOSX_DEPLOYMENT_TARGET:suffix:identifier to compute major OS versions. Only use the deployment target base for macOS Big Sur and newer. Keep the manual definitions for legacy versions of macOS. * Configurations/Base.xcconfig: git-svn-id: https://svn.webkit.org/repository/webkit/trunk@268327 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-10-11 Luming Yin <luming_yin@apple.com> Ignore deployment suffix and identifier when computing major OS version for macOS Big Sur and newer https://bugs.webkit.org/show_bug.cgi?id=217584 rdar://70168426 Reviewed by Darin Adler. Stop using MACOSX_DEPLOYMENT_TARGET:suffix:identifier to compute major OS versions. Only use the deployment target base for macOS Big Sur and newer. Keep the manual definitions for legacy versions of macOS. * Configurations/Base.xcconfig: 2020-09-27 Alan Coon <alancoon@apple.com> Cherry-pick r267304. rdar://problem/69594380 [JSC] PreciseAllocation's isNewlyAllocated flag should be propagated from isMarked at GC begin phase to make isLive correct https://bugs.webkit.org/show_bug.cgi?id=216717 Reviewed by Mark Lam. When starting full GC, at beginMarking, PreciseAllocation's mark bit is cleared to be usable for upcoming marking. However, this means that HeapCell::isLive will see this object as dead until it is marked. Let's consider that this object is not newly allocated one. Then, its isNewlyAllocated is false. And now mark bit is also cleared. Since PreciseAllocation::isLive is isNewlyAllocated || isMarked, then it looks dead, while it is live. This confuses HeapCell:isLive function and makes some of watchpoints perform wrong decisions (e.g. this condition is no longer valid, let's just discard it). At the beginning of full collection, we should propagate the old mark bit to isNewlyAllocated so that it looks live during marking. This is similar trick to MarkedBlock::aboutToMark. * heap/PreciseAllocation.cpp: (JSC::PreciseAllocation::flip): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@267304 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-09-18 Yusuke Suzuki <ysuzuki@apple.com> [JSC] PreciseAllocation's isNewlyAllocated flag should be propagated from isMarked at GC begin phase to make isLive correct https://bugs.webkit.org/show_bug.cgi?id=216717 Reviewed by Mark Lam. When starting full GC, at beginMarking, PreciseAllocation's mark bit is cleared to be usable for upcoming marking. However, this means that HeapCell::isLive will see this object as dead until it is marked. Let's consider that this object is not newly allocated one. Then, its isNewlyAllocated is false. And now mark bit is also cleared. Since PreciseAllocation::isLive is isNewlyAllocated || isMarked, then it looks dead, while it is live. This confuses HeapCell:isLive function and makes some of watchpoints perform wrong decisions (e.g. this condition is no longer valid, let's just discard it). At the beginning of full collection, we should propagate the old mark bit to isNewlyAllocated so that it looks live during marking. This is similar trick to MarkedBlock::aboutToMark. * heap/PreciseAllocation.cpp: (JSC::PreciseAllocation::flip): 2020-09-25 Alan Coon <alancoon@apple.com> Cherry-pick r267135. rdar://problem/69586651 JSImmutableButterfly::get needs to return jsDoubleNumber for double arrays https://bugs.webkit.org/show_bug.cgi?id=216589 <rdar://problem/68061245> Reviewed by Yusuke Suzuki. JSTests: * stress/jsimmutablebutterfly-get-must-return-double-boxed-value.js: Added. Source/JavaScriptCore: We are using JSImmutableButterfly::get in AI to constant fold GetByVal, but we were failing to always return a boxed double value for double loads. We were calling jsNumber instead of jsDooubleNumber. This is in contrast to the runtime, which always returns a double boxed value. This would lead AI to disagree with the runtime, and miscompile code. * runtime/JSImmutableButterfly.h: (JSC::JSImmutableButterfly::get const): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@267135 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-09-15 Saam Barati <sbarati@apple.com> JSImmutableButterfly::get needs to return jsDoubleNumber for double arrays https://bugs.webkit.org/show_bug.cgi?id=216589 <rdar://problem/68061245> Reviewed by Yusuke Suzuki. We are using JSImmutableButterfly::get in AI to constant fold GetByVal, but we were failing to always return a boxed double value for double loads. We were calling jsNumber instead of jsDooubleNumber. This is in contrast to the runtime, which always returns a double boxed value. This would lead AI to disagree with the runtime, and miscompile code. * runtime/JSImmutableButterfly.h: (JSC::JSImmutableButterfly::get const): 2020-09-25 Alan Coon <alancoon@apple.com> Cherry-pick r267113. rdar://problem/69586723 CustomFunctionEquivalence PropertyCondition needs to check if the structure has the property https://bugs.webkit.org/show_bug.cgi?id=216575 <rdar://problem/68286930> Reviewed by Yusuke Suzuki. JSTests: * stress/has-static-property-property-condition-needs-to-check-if-structure-has-property.js: Added. (foo): Source/JavaScriptCore: The CustomFunctionEquivalence PropertyCondition would only return false to isStillValidAssumingImpurePropertyWatchpoint if the Structure's static property table was reified or if the static property table did not contain the property. However, this missed the obvious case of where we store to this property in normal object storage without reifying the static property table. The fix here is simple: we first check if the Structure's property table has this property, and if so, return false. This patch also renames CustomFunctionEquivalence to HasStaticProperty to better capture what we're doing. * bytecode/ObjectPropertyCondition.h: (JSC::ObjectPropertyCondition::hasStaticProperty): (JSC::ObjectPropertyCondition::customFunctionEquivalence): Deleted. * bytecode/ObjectPropertyConditionSet.cpp: (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition const): (JSC::ObjectPropertyConditionSet::slotBaseCondition const): (JSC::generateConditionsForPrototypePropertyHitCustom): * bytecode/PropertyCondition.cpp: (JSC::PropertyCondition::dumpInContext const): (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const): (JSC::PropertyCondition::isStillValid const): (JSC::PropertyCondition::isWatchableWhenValid const): (WTF::printInternal): * bytecode/PropertyCondition.h: (JSC::PropertyCondition::hasStaticProperty): (JSC::PropertyCondition::hash const): (JSC::PropertyCondition::operator== const): (JSC::PropertyCondition::customFunctionEquivalence): Deleted. * tools/JSDollarVM.cpp: (JSC::functionCreateStaticCustomValue): (JSC::JSDollarVM::finishCreation): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@267113 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-09-15 Saam Barati <sbarati@apple.com> CustomFunctionEquivalence PropertyCondition needs to check if the structure has the property https://bugs.webkit.org/show_bug.cgi?id=216575 <rdar://problem/68286930> Reviewed by Yusuke Suzuki. The CustomFunctionEquivalence PropertyCondition would only return false to isStillValidAssumingImpurePropertyWatchpoint if the Structure's static property table was reified or if the static property table did not contain the property. However, this missed the obvious case of where we store to this property in normal object storage without reifying the static property table. The fix here is simple: we first check if the Structure's property table has this property, and if so, return false. This patch also renames CustomFunctionEquivalence to HasStaticProperty to better capture what we're doing. * bytecode/ObjectPropertyCondition.h: (JSC::ObjectPropertyCondition::hasStaticProperty): (JSC::ObjectPropertyCondition::customFunctionEquivalence): Deleted. * bytecode/ObjectPropertyConditionSet.cpp: (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition const): (JSC::ObjectPropertyConditionSet::slotBaseCondition const): (JSC::generateConditionsForPrototypePropertyHitCustom): * bytecode/PropertyCondition.cpp: (JSC::PropertyCondition::dumpInContext const): (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const): (JSC::PropertyCondition::isStillValid const): (JSC::PropertyCondition::isWatchableWhenValid const): (WTF::printInternal): * bytecode/PropertyCondition.h: (JSC::PropertyCondition::hasStaticProperty): (JSC::PropertyCondition::hash const): (JSC::PropertyCondition::operator== const): (JSC::PropertyCondition::customFunctionEquivalence): Deleted. * tools/JSDollarVM.cpp: (JSC::functionCreateStaticCustomValue): (JSC::JSDollarVM::finishCreation): 2020-09-25 Alan Coon <alancoon@apple.com> Cherry-pick r266813. rdar://problem/69582551 OutOfBoundsSaneChain operations should use their own heap locations https://bugs.webkit.org/show_bug.cgi?id=216328 <rdar://problem/68568039> Reviewed by Keith Miller. JSTests: * stress/out-of-bounds-sane-chain-need-their-own-heap-location.js: Added. (foo): Source/JavaScriptCore: There is code in local CSE that does some basic bounds check elimination for PutByVal. It does this analysis by seeing if a particular heap location is already defined, and if so, it eliminates the bounds check for the PutByVal. This doesn't work for OutOfBoundsSaneChain for the obvious reason that these GetByVals are not proven to be in bounds. So GetByVal's in the OutOfBoundsSaneChain mode reusing non OutOfBoundsSaneChain heap locations can lead to a bug where we mistakenly remove a bounds check. The fix is to have all OutOfBoundsSaneChain operations use distinct heaps, and for CSE to not query those heaps. * dfg/DFGArrayMode.h: (JSC::DFG::ArrayMode::isAnySaneChain const): Deleted. * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGHeapLocation.cpp: (WTF::printInternal): * dfg/DFGHeapLocation.h: git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266813 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-09-09 Saam Barati <sbarati@apple.com> OutOfBoundsSaneChain operations should use their own heap locations https://bugs.webkit.org/show_bug.cgi?id=216328 <rdar://problem/68568039> Reviewed by Keith Miller. There is code in local CSE that does some basic bounds check elimination for PutByVal. It does this analysis by seeing if a particular heap location is already defined, and if so, it eliminates the bounds check for the PutByVal. This doesn't work for OutOfBoundsSaneChain for the obvious reason that these GetByVals are not proven to be in bounds. So GetByVal's in the OutOfBoundsSaneChain mode reusing non OutOfBoundsSaneChain heap locations can lead to a bug where we mistakenly remove a bounds check. The fix is to have all OutOfBoundsSaneChain operations use distinct heaps, and for CSE to not query those heaps. * dfg/DFGArrayMode.h: (JSC::DFG::ArrayMode::isAnySaneChain const): Deleted. * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGHeapLocation.cpp: (WTF::printInternal): * dfg/DFGHeapLocation.h: 2020-09-18 Alan Coon <alancoon@apple.com> Cherry-pick r266907. rdar://problem/69178126 [JSC] unshift / shift should take structure lock https://bugs.webkit.org/show_bug.cgi?id=216378 <rdar://problem/68496096> Reviewed by Mark Lam. JSTests: * stress/unshift-and-concurrent-access.js: Added. Source/JavaScriptCore: When unshifting / shifting butterfly, we need to move property storage values too. If property storage values are moved while concurrent JIT compiler is accessing it, it could include garbage value. For example, concurrent JIT compiler is accessing [2] property storage. 1 2 3 [ JSValue ][ JSValue ][ Header ] But unshift moved it like this. 1 2 3 [ JSValue ][ JSValue ][ Header ] Since butterfly pointer held by JSObject is not updated yet, concurrent JIT compiler will read [ Header ] as JSValue and crash. In this patch, we take structure lock when shifting existing butterfly since this affect on property storage. Since JSObject::getDirectConcurrently takes a structure lock, this locking prevents concurrent compilers from getting an invalid value. * runtime/JSArray.cpp: (JSC::JSArray::unshiftCountSlowCase): (JSC::JSArray::shiftCountWithArrayStorage): (JSC::JSArray::unshiftCountWithArrayStorage): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266907 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-09-10 Yusuke Suzuki <ysuzuki@apple.com> [JSC] unshift / shift should take structure lock https://bugs.webkit.org/show_bug.cgi?id=216378 <rdar://problem/68496096> Reviewed by Mark Lam. When unshifting / shifting butterfly, we need to move property storage values too. If property storage values are moved while concurrent JIT compiler is accessing it, it could include garbage value. For example, concurrent JIT compiler is accessing [2] property storage. 1 2 3 [ JSValue ][ JSValue ][ Header ] But unshift moved it like this. 1 2 3 [ JSValue ][ JSValue ][ Header ] Since butterfly pointer held by JSObject is not updated yet, concurrent JIT compiler will read [ Header ] as JSValue and crash. In this patch, we take structure lock when shifting existing butterfly since this affect on property storage. Since JSObject::getDirectConcurrently takes a structure lock, this locking prevents concurrent compilers from getting an invalid value. * runtime/JSArray.cpp: (JSC::JSArray::unshiftCountSlowCase): (JSC::JSArray::shiftCountWithArrayStorage): (JSC::JSArray::unshiftCountWithArrayStorage): 2020-09-17 Alan Coon <alancoon@apple.com> Cherry-pick r267017. rdar://problem/69100994 Don't assume byte code operands are uint32 JSValues https://bugs.webkit.org/show_bug.cgi?id=216386 Reviewed by Yusuke Suzuki. JSTests: * stress/dont-assume-bytecode-operand-is-uint32.js: Added. (async foo): Source/JavaScriptCore: The slow path for enumerator_generic_pname was assuming that its input index operand would always be a UInt32 JSValue boxed as int32. However, this assumption isn't true because that value can have double format in the DFG, and remain in that format when we exit from the DFG to baseline/LLInt code. This was found via the widening number fuzzing agent. I also audited two more places that seem like they suffer from the same issue, and also switched them to using the asUInt32AsAnyInt function: - enumerator_structure_pname - create_rest * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@267017 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-09-14 Saam Barati <sbarati@apple.com> Don't assume byte code operands are uint32 JSValues https://bugs.webkit.org/show_bug.cgi?id=216386 Reviewed by Yusuke Suzuki. The slow path for enumerator_generic_pname was assuming that its input index operand would always be a UInt32 JSValue boxed as int32. However, this assumption isn't true because that value can have double format in the DFG, and remain in that format when we exit from the DFG to baseline/LLInt code. This was found via the widening number fuzzing agent. I also audited two more places that seem like they suffer from the same issue, and also switched them to using the asUInt32AsAnyInt function: - enumerator_structure_pname - create_rest * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): 2020-09-17 Alan Coon <alancoon@apple.com> Cherry-pick r266747. rdar://problem/69101160 re-enable TCSM on all OSs https://bugs.webkit.org/show_bug.cgi?id=216281 Reviewed by Tadeu Zagallo. * runtime/Options.cpp: (JSC::defaultTCSMValue): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266747 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-09-08 Saam Barati <sbarati@apple.com> re-enable TCSM on all OSs https://bugs.webkit.org/show_bug.cgi?id=216281 Reviewed by Tadeu Zagallo. * runtime/Options.cpp: (JSC::defaultTCSMValue): 2020-09-10 Alan Coon <alancoon@apple.com> Cherry-pick r266715. rdar://problem/68652550 [JSC] Special property caching should check Structure's cacheability https://bugs.webkit.org/show_bug.cgi?id=216222 Reviewed by Saam Barati. JSTests: * stress/module-namespace-object-caching.js: Added. (shouldBe): (async fn): * stress/not-cache-over-uncacheable-dictionary.js: Added. (shouldBe): * stress/resources/to-string-module.js: Added. (export.toString): * stress/resources/value-of-module.js: Added. (export.valueOf): Source/JavaScriptCore: While StructureRareData::cacheSpecialPropertySlow caches properties, the way it takes is incomplete. It is not checking Structure's cacheability. We were caching miss condition even if structure is !propertyAccessesAreCacheableForAbsence. We should perform the same check done in IC case. Strictly speaking, we can cache value for uncacheable-dictionary because we are setting property change watchpoint (which will fire). But it sounds not so profitable if this structure is uncacheable. * runtime/JSObject.cpp: (JSC::JSObject::convertToUncacheableDictionary): * runtime/JSObject.h: * runtime/StructureRareData.cpp: (JSC::StructureRareData::cacheSpecialPropertySlow): * tools/JSDollarVM.cpp: (JSC::functionToUncacheableDictionary): (JSC::JSDollarVM::finishCreation): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266715 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-09-08 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Special property caching should check Structure's cacheability https://bugs.webkit.org/show_bug.cgi?id=216222 Reviewed by Saam Barati. While StructureRareData::cacheSpecialPropertySlow caches properties, the way it takes is incomplete. It is not checking Structure's cacheability. We were caching miss condition even if structure is !propertyAccessesAreCacheableForAbsence. We should perform the same check done in IC case. Strictly speaking, we can cache value for uncacheable-dictionary because we are setting property change watchpoint (which will fire). But it sounds not so profitable if this structure is uncacheable. * runtime/JSObject.cpp: (JSC::JSObject::convertToUncacheableDictionary): * runtime/JSObject.h: * runtime/StructureRareData.cpp: (JSC::StructureRareData::cacheSpecialPropertySlow): * tools/JSDollarVM.cpp: (JSC::functionToUncacheableDictionary): (JSC::JSDollarVM::finishCreation): 2020-09-10 Alan Coon <alancoon@apple.com> Cherry-pick r266567. rdar://problem/68652653 [JSC] Cache toString / valueOf / @@toPrimitive for major cases https://bugs.webkit.org/show_bug.cgi?id=216061 Reviewed by Saam Barati. JSTests: * stress/delete-cached-to-primitive-property.js: Added. (shouldBe): (object.__proto__.Symbol.toPrimitive): * stress/delete-cached-to-string-property.js: Added. (shouldBe): (object.__proto__.toString): * stress/delete-cached-value-of-property.js: Added. (shouldBe): (shouldThrow): (object.__proto__.valueOf): * stress/hide-cached-to-primitive-property.js: Added. (shouldBe): (object.__proto__.Symbol.toPrimitive): * stress/hide-cached-to-string-property.js: Added. (shouldBe): (object.__proto__.toString): * stress/hide-cached-value-of-property.js: Added. (shouldBe): (object.__proto__.valueOf): * stress/replace-cached-to-primitive-property.js: Added. (shouldBe): (object.__proto__.Symbol.toPrimitive): * stress/replace-cached-to-string-property.js: Added. (shouldBe): (object.__proto__.toString): * stress/replace-cached-value-of-property.js: Added. (shouldBe): (object.__proto__.valueOf): Source/JavaScriptCore: When toPrimitive is called, we need to look-up three properties at most to perform operation. And these special properties do not have caching mechanism at all. We found that Speedometer2/EmberJS-Debug-TodoMVC is using very much time for this property look-up. We should have caching mechanism in StructureRareData, which should be similar to @@toStringTag & Object#toString caching mechanism. This patch generalizes @@toStringTag & Object#toString caching mechanism as SpecialPropertyCache. And we accelerate toString / valueOf / @@toPrimitive look-ups in toPrimitive with this caching mechanism. This patch improved Speedometer2/EmberJS-Debug-TodoMVC by 10%. * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * bytecode/Watchpoint.cpp: * bytecode/Watchpoint.h: * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.cpp. (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::CachedSpecialPropertyAdaptiveStructureWatchpoint): (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::install): (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::fireInternal): * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.h. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::objectProtoToStringFunction const): * runtime/JSObject.cpp: (JSC::callToPrimitiveFunction): (JSC::JSObject::ordinaryToPrimitive const): (JSC::JSObject::toPrimitive const): * runtime/ObjectPrototype.cpp: (JSC::ObjectPrototype::finishCreation): (JSC::objectProtoFuncToString): * runtime/Structure.h: * runtime/StructureInlines.h: (JSC::Structure::cacheSpecialProperty): (JSC::Structure::setObjectToStringValue): Deleted. * runtime/StructureRareData.cpp: (JSC::StructureRareData::visitChildren): (JSC::StructureRareData::ensureSpecialPropertyCacheSlow): (JSC::StructureRareData::giveUpOnSpecialPropertyCache): (JSC::StructureRareData::cacheSpecialPropertySlow): (JSC::StructureRareData::clearCachedSpecialProperty): (JSC::StructureRareData::finalizeUnconditionally): (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint): (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::isValid const): (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::handleFire): (JSC::StructureRareData::setObjectToStringValue): Deleted. (JSC::StructureRareData::clearObjectToStringValue): Deleted. (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::ObjectToStringAdaptiveInferredPropertyValueWatchpoint): Deleted. (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid const): Deleted. (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire): Deleted. * runtime/StructureRareData.h: * runtime/StructureRareDataInlines.h: (JSC::StructureRareData::cachedSpecialProperty const): (JSC::StructureRareData::canCacheSpecialProperty): (JSC::StructureRareData::ensureSpecialPropertyCache): (JSC::StructureRareData::cacheSpecialProperty): (JSC::StructureRareData::objectToStringValue const): Deleted. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266567 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-09-02 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Cache toString / valueOf / @@toPrimitive for major cases https://bugs.webkit.org/show_bug.cgi?id=216061 Reviewed by Saam Barati. When toPrimitive is called, we need to look-up three properties at most to perform operation. And these special properties do not have caching mechanism at all. We found that Speedometer2/EmberJS-Debug-TodoMVC is using very much time for this property look-up. We should have caching mechanism in StructureRareData, which should be similar to @@toStringTag & Object#toString caching mechanism. This patch generalizes @@toStringTag & Object#toString caching mechanism as SpecialPropertyCache. And we accelerate toString / valueOf / @@toPrimitive look-ups in toPrimitive with this caching mechanism. This patch improved Speedometer2/EmberJS-Debug-TodoMVC by 10%. * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * bytecode/Watchpoint.cpp: * bytecode/Watchpoint.h: * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.cpp. (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::CachedSpecialPropertyAdaptiveStructureWatchpoint): (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::install): (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::fireInternal): * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.h. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::objectProtoToStringFunction const): * runtime/JSObject.cpp: (JSC::callToPrimitiveFunction): (JSC::JSObject::ordinaryToPrimitive const): (JSC::JSObject::toPrimitive const): * runtime/ObjectPrototype.cpp: (JSC::ObjectPrototype::finishCreation): (JSC::objectProtoFuncToString): * runtime/Structure.h: * runtime/StructureInlines.h: (JSC::Structure::cacheSpecialProperty): (JSC::Structure::setObjectToStringValue): Deleted. * runtime/StructureRareData.cpp: (JSC::StructureRareData::visitChildren): (JSC::StructureRareData::ensureSpecialPropertyCacheSlow): (JSC::StructureRareData::giveUpOnSpecialPropertyCache): (JSC::StructureRareData::cacheSpecialPropertySlow): (JSC::StructureRareData::clearCachedSpecialProperty): (JSC::StructureRareData::finalizeUnconditionally): (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint): (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::isValid const): (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::handleFire): (JSC::StructureRareData::setObjectToStringValue): Deleted. (JSC::StructureRareData::clearObjectToStringValue): Deleted. (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::ObjectToStringAdaptiveInferredPropertyValueWatchpoint): Deleted. (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid const): Deleted. (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire): Deleted. * runtime/StructureRareData.h: * runtime/StructureRareDataInlines.h: (JSC::StructureRareData::cachedSpecialProperty const): (JSC::StructureRareData::canCacheSpecialProperty): (JSC::StructureRareData::ensureSpecialPropertyCache): (JSC::StructureRareData::cacheSpecialProperty): (JSC::StructureRareData::objectToStringValue const): Deleted. 2020-09-10 Alan Coon <alancoon@apple.com> Cherry-pick r266496. rdar://problem/68652591 ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType ./bytecode/ObjectPropertyConditionSet.cpp https://bugs.webkit.org/show_bug.cgi?id=216103 Reviewed by Saam Barati. JSTests: New teset. * stress/custom-get-set-override.js: Added. (overrideFunction.o.customFunction): (overrideFunction): Source/JavaScriptCore: Changed the ASSERT to an if statement. This checks to see if, the likely newly changed, property is still a custom getter setter before caching its access as such. * bytecode/ObjectPropertyConditionSet.cpp: (JSC::generateConditionsForPrototypePropertyHitCustom): * tools/JSDollarVM.cpp: Added test helper function. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266496 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-09-02 Michael Saboff <msaboff@apple.com> ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType ./bytecode/ObjectPropertyConditionSet.cpp https://bugs.webkit.org/show_bug.cgi?id=216103 Reviewed by Saam Barati. Changed the ASSERT to an if statement. This checks to see if, the likely newly changed, property is still a custom getter setter before caching its access as such. * bytecode/ObjectPropertyConditionSet.cpp: (JSC::generateConditionsForPrototypePropertyHitCustom): * tools/JSDollarVM.cpp: Added test helper function. 2020-09-10 Alan Coon <alancoon@apple.com> Cherry-pick r266406. rdar://problem/68652786 Remove some PtrTag debugging code from release builds. https://bugs.webkit.org/show_bug.cgi?id=216025 <rdar://problem/68098263> Reviewed by Saam Barati. Source/JavaScriptCore: Removed PtrTag name lookup debugging utility from release builds. * runtime/JSCPtrTag.cpp: * runtime/JSCPtrTag.h: Source/WTF: Converted uses of PtrTagAction::ReleaseAssert to PtrTagAction::DebugAssert. These assertions serve a purpose during development (hence, PtrTagAction::DebugAssert), but is no longer needed for release builds. Previously, we use these assertions to verify that pointers are tagged correctly in release build. Clang takes care of that automatically now. Also removed PtrTag name lookup debugging utility from release builds. * wtf/PtrTag.cpp: * wtf/PtrTag.h: (WTF::untagCodePtr): (WTF::retagCodePtrImpl): (WTF::assertIsCFunctionPtr): (WTF::assertIsNotTagged): (WTF::assertIsTagged): (WTF::assertIsTaggedWith): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266406 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-08-31 Mark Lam <mark.lam@apple.com> Remove some PtrTag debugging code from release builds. https://bugs.webkit.org/show_bug.cgi?id=216025 <rdar://problem/68098263> Reviewed by Saam Barati. Removed PtrTag name lookup debugging utility from release builds. * runtime/JSCPtrTag.cpp: * runtime/JSCPtrTag.h: 2020-09-10 Alan Coon <alancoon@apple.com> Cherry-pick r266359. rdar://problem/68652634 [JSC] StructureStubInfo / CallLinkInfo / ByValInfo should set CodeOrigin or BytecodeIndex at construction https://bugs.webkit.org/show_bug.cgi?id=215987 <rdar://problem/66370323> Reviewed by Mark Lam. We had race condition during construction of StructureStubInfo and CodeOrigin field setting. 1. The thread creates StructureStubInfo by calling CodeBlock::addStubInfo. This is guarded by the lock. But at this point we are not setting StructureStubInfo::codeOrigin. 2. Then (1)'s thread attempts to set StructureStubInfo::codeOrigin. But at this point, it is not guarded by the lock. 3. Before (2) is executed, DFG ByteCodeParser calls CodeBlock::getICStatusMap. It creates HashMap<CodeOrigin, StructureStubInfo*>. 4. Since StructureStubInfo*'s codeOrigin is not configured yet, (3) sees invalid CodeOrigin. And storing invalid CodeOrigin as a HashMap key is not correct. We should configure CodeOrigin at construction of StructureStubInfo, which is guarded by the lock. We have the same problem for CallLinkInfo and ByValInfo. This patch fixes them. To reproduce this, we need to execute a script 2~ days repeatedly. So it is difficult to add a test. * bytecode/AccessCase.cpp: (JSC::AccessCase::generateImpl): * bytecode/ByValInfo.h: (JSC::ByValInfo::ByValInfo): (JSC::ByValInfo::setUp): * bytecode/CallLinkInfo.cpp: (JSC::CallLinkInfo::CallLinkInfo): * bytecode/CallLinkInfo.h: (JSC::CallLinkInfo::setUpCall): (JSC::CallLinkInfo::setCodeOrigin): Deleted. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::addStubInfo): (JSC::CodeBlock::addByValInfo): (JSC::CodeBlock::addCallLinkInfo): * bytecode/CodeBlock.h: * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::StructureStubInfo): * bytecode/StructureStubInfo.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): * jit/JIT.cpp: (JSC::JIT::link): * jit/JITCall.cpp: (JSC::JIT::compileCallEvalSlowCase): (JSC::JIT::compileOpCall): * jit/JITCall32_64.cpp: (JSC::JIT::compileCallEvalSlowCase): (JSC::JIT::compileOpCall): * jit/JITInlineCacheGenerator.cpp: (JSC::garbageStubInfo): (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_has_indexed_property): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_has_indexed_property): * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_put_by_val): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_put_by_val): * wasm/js/WasmToJS.cpp: (JSC::Wasm::wasmToJS): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266359 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-08-31 Yusuke Suzuki <ysuzuki@apple.com> [JSC] StructureStubInfo / CallLinkInfo / ByValInfo should set CodeOrigin or BytecodeIndex at construction https://bugs.webkit.org/show_bug.cgi?id=215987 <rdar://problem/66370323> Reviewed by Mark Lam. We had race condition during construction of StructureStubInfo and CodeOrigin field setting. 1. The thread creates StructureStubInfo by calling CodeBlock::addStubInfo. This is guarded by the lock. But at this point we are not setting StructureStubInfo::codeOrigin. 2. Then (1)'s thread attempts to set StructureStubInfo::codeOrigin. But at this point, it is not guarded by the lock. 3. Before (2) is executed, DFG ByteCodeParser calls CodeBlock::getICStatusMap. It creates HashMap<CodeOrigin, StructureStubInfo*>. 4. Since StructureStubInfo*'s codeOrigin is not configured yet, (3) sees invalid CodeOrigin. And storing invalid CodeOrigin as a HashMap key is not correct. We should configure CodeOrigin at construction of StructureStubInfo, which is guarded by the lock. We have the same problem for CallLinkInfo and ByValInfo. This patch fixes them. To reproduce this, we need to execute a script 2~ days repeatedly. So it is difficult to add a test. * bytecode/AccessCase.cpp: (JSC::AccessCase::generateImpl): * bytecode/ByValInfo.h: (JSC::ByValInfo::ByValInfo): (JSC::ByValInfo::setUp): * bytecode/CallLinkInfo.cpp: (JSC::CallLinkInfo::CallLinkInfo): * bytecode/CallLinkInfo.h: (JSC::CallLinkInfo::setUpCall): (JSC::CallLinkInfo::setCodeOrigin): Deleted. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::addStubInfo): (JSC::CodeBlock::addByValInfo): (JSC::CodeBlock::addCallLinkInfo): * bytecode/CodeBlock.h: * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::StructureStubInfo): * bytecode/StructureStubInfo.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): * jit/JIT.cpp: (JSC::JIT::link): * jit/JITCall.cpp: (JSC::JIT::compileCallEvalSlowCase): (JSC::JIT::compileOpCall): * jit/JITCall32_64.cpp: (JSC::JIT::compileCallEvalSlowCase): (JSC::JIT::compileOpCall): * jit/JITInlineCacheGenerator.cpp: (JSC::garbageStubInfo): (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_has_indexed_property): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_has_indexed_property): * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_put_by_val): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_put_by_val): * wasm/js/WasmToJS.cpp: (JSC::Wasm::wasmToJS): 2020-09-03 Alan Coon <alancoon@apple.com> Cherry-pick r266159. rdar://problem/67951883 [JSC] FTL should use m_origin instead of m_node->origin since m_node can be nullptr https://bugs.webkit.org/show_bug.cgi?id=215833 Reviewed by Mark Lam. JSTests: * stress/ftl-entry-osr-exit-has-nullptr-node.js: Added. (foo): Source/JavaScriptCore: While we are using m_node->origin, m_node can be nullptr (at the entry of the FTL function). m_origin is always pointing appropriate origin. We should use it instead. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor): (JSC::FTL::DFG::LowerDFGToB3::compileToThis): (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): (JSC::FTL::DFG::LowerDFGToB3::compileStrCat): (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub): (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32): (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv): (JSC::FTL::DFG::LowerDFGToB3::compileValueMod): (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs): (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary): (JSC::FTL::DFG::LowerDFGToB3::compileValuePow): (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom): (JSC::FTL::DFG::LowerDFGToB3::compileArithRound): (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor): (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil): (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc): (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt): (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound): (JSC::FTL::DFG::LowerDFGToB3::compileIncOrDec): (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): (JSC::FTL::DFG::LowerDFGToB3::compileGetById): (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis): (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis): (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis): (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis): (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree): (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty): (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty): (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf): (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById): (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById): (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal): (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal): (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush): (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice): (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop): (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope): (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation): (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments): (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments): (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments): (JSC::FTL::DFG::LowerDFGToB3::compileCreateArgumentsButterfly): (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest): (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeysOrObjectGetOwnPropertyNames): (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate): (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol): (JSC::FTL::DFG::LowerDFGToB3::compileNewArray): (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread): (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis): (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): (JSC::FTL::DFG::LowerDFGToB3::compileSpread): (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer): (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize): (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): (JSC::FTL::DFG::LowerDFGToB3::compileToNumber): (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric): (JSC::FTL::DFG::LowerDFGToB3::compileCallNumberConstructor): (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf): (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive): (JSC::FTL::DFG::LowerDFGToB3::compileToPropertyKey): (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope): (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode): (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset): (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis): (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument): (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): (JSC::FTL::DFG::LowerDFGToB3::compileSameValue): (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): (JSC::FTL::DFG::LowerDFGToB3::compileVarargsLength): (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs): (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs): (JSC::FTL::DFG::LowerDFGToB3::compileSwitch): (JSC::FTL::DFG::LowerDFGToB3::compileThrow): (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError): (JSC::FTL::DFG::LowerDFGToB3::mapHashString): (JSC::FTL::DFG::LowerDFGToB3::compileMapHash): (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket): (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd): (JSC::FTL::DFG::LowerDFGToB3::compileMapSet): (JSC::FTL::DFG::LowerDFGToB3::compileTypeOfIsObject): (JSC::FTL::DFG::LowerDFGToB3::compileIsCallable): (JSC::FTL::DFG::LowerDFGToB3::compileIsConstructor): (JSC::FTL::DFG::LowerDFGToB3::compileInByVal): (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty): (JSC::FTL::DFG::LowerDFGToB3::compileParseInt): (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom): (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty): (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty): (JSC::FTL::DFG::LowerDFGToB3::compileHasStructurePropertyImpl): (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname): (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator): (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString): (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation): (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps): (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp): (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName): (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace): (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail): (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength): (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee): (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart): (JSC::FTL::DFG::LowerDFGToB3::compare): (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice): (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase): (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix): (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant): (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval): (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope): (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar): (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar): (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM): (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint): (JSC::FTL::DFG::LowerDFGToB3::genericJSValueCompare): (JSC::FTL::DFG::LowerDFGToB3::stringsEqual): (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray): (JSC::FTL::DFG::LowerDFGToB3::boolify): (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined): (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds): (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow): (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath): (JSC::FTL::DFG::LowerDFGToB3::masqueradesAsUndefinedWatchpointIsStillValid): (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const): (JSC::FTL::DFG::LowerDFGToB3::callCheck): (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit): * jsc.cpp: (runJSC): * runtime/OptionsList.h: git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266159 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-08-25 Yusuke Suzuki <ysuzuki@apple.com> [JSC] FTL should use m_origin instead of m_node->origin since m_node can be nullptr https://bugs.webkit.org/show_bug.cgi?id=215833 Reviewed by Mark Lam. While we are using m_node->origin, m_node can be nullptr (at the entry of the FTL function). m_origin is always pointing appropriate origin. We should use it instead. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor): (JSC::FTL::DFG::LowerDFGToB3::compileToThis): (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): (JSC::FTL::DFG::LowerDFGToB3::compileStrCat): (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub): (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32): (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv): (JSC::FTL::DFG::LowerDFGToB3::compileValueMod): (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs): (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary): (JSC::FTL::DFG::LowerDFGToB3::compileValuePow): (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom): (JSC::FTL::DFG::LowerDFGToB3::compileArithRound): (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor): (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil): (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc): (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt): (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound): (JSC::FTL::DFG::LowerDFGToB3::compileIncOrDec): (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): (JSC::FTL::DFG::LowerDFGToB3::compileGetById): (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis): (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis): (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis): (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis): (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree): (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty): (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty): (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf): (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById): (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById): (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal): (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal): (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush): (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice): (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop): (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope): (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation): (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments): (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments): (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments): (JSC::FTL::DFG::LowerDFGToB3::compileCreateArgumentsButterfly): (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest): (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeysOrObjectGetOwnPropertyNames): (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate): (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol): (JSC::FTL::DFG::LowerDFGToB3::compileNewArray): (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread): (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis): (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): (JSC::FTL::DFG::LowerDFGToB3::compileSpread): (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer): (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize): (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): (JSC::FTL::DFG::LowerDFGToB3::compileToNumber): (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric): (JSC::FTL::DFG::LowerDFGToB3::compileCallNumberConstructor): (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf): (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive): (JSC::FTL::DFG::LowerDFGToB3::compileToPropertyKey): (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope): (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode): (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset): (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis): (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument): (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): (JSC::FTL::DFG::LowerDFGToB3::compileSameValue): (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): (JSC::FTL::DFG::LowerDFGToB3::compileVarargsLength): (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs): (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs): (JSC::FTL::DFG::LowerDFGToB3::compileSwitch): (JSC::FTL::DFG::LowerDFGToB3::compileThrow): (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError): (JSC::FTL::DFG::LowerDFGToB3::mapHashString): (JSC::FTL::DFG::LowerDFGToB3::compileMapHash): (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket): (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd): (JSC::FTL::DFG::LowerDFGToB3::compileMapSet): (JSC::FTL::DFG::LowerDFGToB3::compileTypeOfIsObject): (JSC::FTL::DFG::LowerDFGToB3::compileIsCallable): (JSC::FTL::DFG::LowerDFGToB3::compileIsConstructor): (JSC::FTL::DFG::LowerDFGToB3::compileInByVal): (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty): (JSC::FTL::DFG::LowerDFGToB3::compileParseInt): (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom): (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty): (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty): (JSC::FTL::DFG::LowerDFGToB3::compileHasStructurePropertyImpl): (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname): (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator): (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString): (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation): (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps): (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp): (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName): (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace): (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail): (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength): (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee): (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart): (JSC::FTL::DFG::LowerDFGToB3::compare): (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice): (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase): (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix): (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant): (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval): (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope): (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar): (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar): (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM): (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint): (JSC::FTL::DFG::LowerDFGToB3::genericJSValueCompare): (JSC::FTL::DFG::LowerDFGToB3::stringsEqual): (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray): (JSC::FTL::DFG::LowerDFGToB3::boolify): (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined): (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds): (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow): (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath): (JSC::FTL::DFG::LowerDFGToB3::masqueradesAsUndefinedWatchpointIsStillValid): (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const): (JSC::FTL::DFG::LowerDFGToB3::callCheck): (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit): * jsc.cpp: (runJSC): * runtime/OptionsList.h: 2020-09-01 Alan Coon <alancoon@apple.com> Cherry-pick r266178. rdar://problem/68164567 [JSC] Add ASCII comparison fast path for IntlCollator https://bugs.webkit.org/show_bug.cgi?id=215798 Reviewed by Darin Adler, Ross Kirsling, and Saam Barati. JSTests: * stress/string-locale-compare-uca-ducet.js: Added. (shouldBe): * stress/string-localeCompare.js: (data.sort): Source/JavaScriptCore: The idea behind this change is the following: ICU Collator's comparison is too slow. We should have fast path for ASCII strings when we know this equals to ICU Collator's result. The problem is that even for ASCII strings, collation is super complicated! 1. Unicode defines Unicode Collation Algorithm (UCA). To perform collation, it uses collation element tables which defines weights on various levels per code point. UCA also offers the Default Unicode Collation Element Table (DUCET). This UCA with DUCET is used when using ICU Root Collator. 2. UCA collation consists of rules, which defines how collation works. And ICU locales define customized collations by adding special rules to that. 3. UCA behaves differently by using different options. Based on that, our observation is that some of major locales are not defining additional rules in (2). This means that they behaves the same to UCA with DUCET. This patch implements a simplified version of comparison which generates the same results for ASCII strings (excluding control characters) to UCA with DUCET. This fast path can be usable only when the following conditions are met. 1. The collator does not have additional rules to ICU Root Colator. 2. The collator is using default options. These checks are very important since there are a lot of edge-case locales. For example, 1. th (Thai language) ignores punctuations (even including ASCII punctuations) by default. This is defined as ignore-punctuations option is enabled by default, so without (2)'s check, th comparison becomes wrong. 2. There are contraction concept (multiple letters behave as a single letter). "ch" letters are ordered interestingly in Czech language. So even in ASCII, Czech shows very interesting collation behavior. So we cannot safely take this fast path without carefully querying the information to ICU. This shows 37% improvement in JetStream2/cdjs in en-US environment. * runtime/IntlCollator.cpp: (JSC::IntlCollator::initializeCollator): (JSC::IntlCollator::compareStrings const): (JSC::canDoASCIIUCADUCETComparisonWithUCollator): (JSC::IntlCollator::updateCanDoASCIIUCADUCETComparison const): (JSC::IntlCollator::checkICULocaleInvariants): * runtime/IntlCollator.h: * runtime/IntlObject.cpp: (JSC::intlCollatorAvailableLocales): * runtime/IntlObject.h: * runtime/IntlObjectInlines.h: (JSC::canUseASCIIUCADUCETComparison): (JSC::compareASCIIWithUCADUCET): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266178 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-08-26 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Add ASCII comparison fast path for IntlCollator https://bugs.webkit.org/show_bug.cgi?id=215798 Reviewed by Darin Adler, Ross Kirsling, and Saam Barati. The idea behind this change is the following: ICU Collator's comparison is too slow. We should have fast path for ASCII strings when we know this equals to ICU Collator's result. The problem is that even for ASCII strings, collation is super complicated! 1. Unicode defines Unicode Collation Algorithm (UCA). To perform collation, it uses collation element tables which defines weights on various levels per code point. UCA also offers the Default Unicode Collation Element Table (DUCET). This UCA with DUCET is used when using ICU Root Collator. 2. UCA collation consists of rules, which defines how collation works. And ICU locales define customized collations by adding special rules to that. 3. UCA behaves differently by using different options. Based on that, our observation is that some of major locales are not defining additional rules in (2). This means that they behaves the same to UCA with DUCET. This patch implements a simplified version of comparison which generates the same results for ASCII strings (excluding control characters) to UCA with DUCET. This fast path can be usable only when the following conditions are met. 1. The collator does not have additional rules to ICU Root Colator. 2. The collator is using default options. These checks are very important since there are a lot of edge-case locales. For example, 1. th (Thai language) ignores punctuations (even including ASCII punctuations) by default. This is defined as ignore-punctuations option is enabled by default, so without (2)'s check, th comparison becomes wrong. 2. There are contraction concept (multiple letters behave as a single letter). "ch" letters are ordered interestingly in Czech language. So even in ASCII, Czech shows very interesting collation behavior. So we cannot safely take this fast path without carefully querying the information to ICU. This shows 37% improvement in JetStream2/cdjs in en-US environment. * runtime/IntlCollator.cpp: (JSC::IntlCollator::initializeCollator): (JSC::IntlCollator::compareStrings const): (JSC::canDoASCIIUCADUCETComparisonWithUCollator): (JSC::IntlCollator::updateCanDoASCIIUCADUCETComparison const): (JSC::IntlCollator::checkICULocaleInvariants): * runtime/IntlCollator.h: * runtime/IntlObject.cpp: (JSC::intlCollatorAvailableLocales): * runtime/IntlObject.h: * runtime/IntlObjectInlines.h: (JSC::canUseASCIIUCADUCETComparison): (JSC::compareASCIIWithUCADUCET): 2020-08-28 Alan Coon <alancoon@apple.com> Cherry-pick r266254. rdar://problem/67949890 GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined https://bugs.webkit.org/show_bug.cgi?id=215894 <rdar://problem/67669696> Reviewed by Michael Saboff and Keith Miller. JSTests: * stress/oob-sane-chain-double-constant-fold-to-PNaN.js: Added. Source/JavaScriptCore: GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined(). The constant folding for this though was folding to jsUndefined(). I forgot to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain implementation. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266254 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-08-27 Saam Barati <sbarati@apple.com> GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined https://bugs.webkit.org/show_bug.cgi?id=215894 <rdar://problem/67669696> Reviewed by Michael Saboff and Keith Miller. GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined(). The constant folding for this though was folding to jsUndefined(). I forgot to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain implementation. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 2020-08-21 Alexey Shvayka <shvaikalesh@gmail.com> StrictEq should not care about masqueradesAsUndefinedWatchpoint https://bugs.webkit.org/show_bug.cgi?id=215743 Reviewed by Yusuke Suzuki. This patch removes masqueradesAsUndefinedWatchpoint handling for StrictEq from fixupCompareStrictEqAndSameValue(), aligning it with SameValue. According to the spec [1], only a few language constructs special-case [[IsHTMLDDA]] objects: ToBoolean, abstract equality, and `typeof`. No behavior change. [1]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue): 2020-08-21 Commit Queue <commit-queue@webkit.org> Unreviewed, reverting r265965. https://bugs.webkit.org/show_bug.cgi?id=215744 getCallData can be called from DFG concurrent compiler, but it is not safe in DOM PluginObject Reverted changeset: "Use jsTypeofIsObject() in DFG AI and operationTypeOfIsObject()" https://bugs.webkit.org/show_bug.cgi?id=144457 https://trac.webkit.org/changeset/265965 2020-08-21 Alexey Shvayka <shvaikalesh@gmail.com> Align "length" properties of function prototypes with the spec https://bugs.webkit.org/show_bug.cgi?id=215716 Reviewed by Ross Kirsling. This change defines Function.prototype.length [1] as [[Configurable]] and removes "length" properties from other (async/generator) function prototypes that are ordinary non-callable objects [2], aligning JSC with V8 and SpiderMonkey. Also, adds inherits() ASSERT in FunctionPrototype::finishCreation() to match (most of) the other built-ins. [1]: https://tc39.es/ecma262/#sec-properties-of-the-function-prototype-object [2]: https://tc39.es/ecma262/#sec-async-function-prototype-properties * runtime/AsyncFunctionPrototype.cpp: (JSC::AsyncFunctionPrototype::finishCreation): * runtime/AsyncGeneratorFunctionPrototype.cpp: (JSC::AsyncGeneratorFunctionPrototype::finishCreation): * runtime/FunctionPrototype.cpp: (JSC::FunctionPrototype::finishCreation): * runtime/GeneratorFunctionPrototype.cpp: (JSC::GeneratorFunctionPrototype::finishCreation): 2020-08-21 Alexey Shvayka <shvaikalesh@gmail.com> Define Intl[Symbol.toStringTag] https://bugs.webkit.org/show_bug.cgi?id=215715 Reviewed by Ross Kirsling. This patch utilizes JSC_TO_STRING_TAG_WITHOUT_TRANSITION() to define Symbol.toStringTag on Intl namespace object, implementing the recent spec change [1] and aligning JSC with V8. Also, adds inherits() ASSERT to match (most of) the other built-ins. [1]: https://github.com/tc39/ecma402/pull/487 * runtime/IntlObject.cpp: (JSC::IntlObject::finishCreation): 2020-08-21 Alexey Shvayka <shvaikalesh@gmail.com> Function.prototype.bind should not clamp "length" to int32 https://bugs.webkit.org/show_bug.cgi?id=215733 Reviewed by Darin Adler. This patch fixes to integer conversion of target function's "length" values beyond UINT_MAX, aligning JSC with the spec [1], V8 and SpiderMonkey. `double` is used instead of `uint64_t` to retain semantics of JS Number type [2] and hold Infinity values. To avoid spreading `double length` over JSFunction::create() and its subclasses, JSBoundFunction is modified to use JSFunction::finishCreation(VM&) overload, removing 2 unused arguments and speeding up bound function creation by ~9%. [1]: https://tc39.es/ecma262/#sec-function.prototype.bind (step 6.c.i) [2]: https://tc39.es/ecma262/#sec-ecmascript-language-types-number-type * builtins/FunctionPrototype.js: (bind): * runtime/JSBoundFunction.cpp: (JSC::JSBoundFunction::create): (JSC::JSBoundFunction::JSBoundFunction): (JSC::JSBoundFunction::finishCreation): * runtime/JSBoundFunction.h: * runtime/JSFunction.cpp: (JSC::JSFunction::finishCreation): (JSC::JSFunction::reifyLength): * runtime/JSGlobalObject.cpp: (JSC::makeBoundFunction): 2020-08-20 Saam Barati <sbarati@apple.com> Replace IC on Proxy must write barrier Proxy's target https://bugs.webkit.org/show_bug.cgi?id=215720 Reviewed by Yusuke Suzuki. The put_by_id opcode in the baseline and the DFG/FTl will emit a writeBarrier after the operation is complete. But it does this to the base object. In the case of an IC with the base as a Proxy, we're not actually storing to the Proxy, but instead, the Proxy's target. This patch makes it so our IC code writeBarriers the Proxy's target. This fixed a crash when running Speedometer2. * bytecode/AccessCase.cpp: (JSC::AccessCase::canReplace const): (JSC::AccessCase::generateImpl): * bytecode/PolymorphicAccess.cpp: (JSC::AccessGenerationState::preserveLiveRegistersToStackForCallWithoutExceptions): * bytecode/PolymorphicAccess.h: 2020-08-20 Alexey Shvayka <shvaikalesh@gmail.com> Invalid early errors for class methods named "constructor" and "prototype" https://bugs.webkit.org/show_bug.cgi?id=215413 Reviewed by Darin Adler. This change removes invalid early syntax errors, allowing static async/generator methods named "constructor" and instance async/generator methods named "prototype", which aligns JSC with the spec [1], V8, and SpiderMonkey. Also, removes a FIXME related to super() calls outside constructor that was resolved in r181404 and is covered by test262 suite. [1]: https://tc39.es/ecma262/#sec-class-definitions-static-semantics-early-errors * parser/Parser.cpp: (JSC::Parser<LexerType>::parseClass): 2020-08-20 Alexey Shvayka <shvaikalesh@gmail.com> Use jsTypeofIsObject() in DFG AI and operationTypeOfIsObject() https://bugs.webkit.org/show_bug.cgi?id=144457 Reviewed by Saam Barati. This patch: 1. Refactors jsTypeofIsObject(), leveraging fast path of isCallable(), moves it to the header, and utilizes it in DFG AI and operationTypeOfIsObject() to eliminate code duplication. 2. Splits jsTypeofIsFunction() into 2 methods to accomodate operationTypeOfIsFunction() calling it with JSObject* argument. 3. Removes orphaned slow_path_is_object declaration. No behavior change, `typeof` microbenchmarks are neutral. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGOperations.cpp: * runtime/CommonSlowPaths.h: * runtime/Operations.cpp: (JSC::jsTypeofIsObject): Deleted. * runtime/Operations.h: (JSC::jsTypeofIsObject): (JSC::jsTypeofIsFunction): 2020-08-19 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Add Object.getOwnPropertyNames caching as it is done for Object.keys, and accelerate Object.getOwnPropertyDescriptor https://bugs.webkit.org/show_bug.cgi?id=215666 Reviewed by Saam Barati. Object.getOwnPropertyNames is immutable for Structure if structure meets some conditions. And we have optimization for Object.keys. This patch wires existing caching mechanism for Object.keys to Object.getOwnPropertyNames so that Object.getOwnPropertyNames has full support of caching & inlined code in DFG / FTL. We also pre-bake structure for the result of Object.getOwnPropertyDescriptor so that we do not need to perform hash table lookup every time we create an object for Object.getOwnPropertyDescriptor. This makes Object.getOwnPropertyDescriptor 2x faster from the microbenchmark. The above two optimization makes Speedometer2/Inferno-TodoMVC 7% faster, and it also optimizes Speedometer2/EmberJS-Debug by 5%. In total, we can get 0.7 - 1.0% progression in Speedometer2. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsicCall): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileObjectKeysOrObjectGetOwnPropertyNames): (JSC::DFG::SpeculativeJIT::compileObjectKeys): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLAbstractHeapRepository.h: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeysOrObjectGetOwnPropertyNames): (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys): Deleted. * runtime/Intrinsic.cpp: (JSC::intrinsicName): * runtime/Intrinsic.h: * runtime/IteratorOperations.cpp: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::dataPropertyDescriptorObjectStructure const): (JSC::JSGlobalObject::accessorPropertyDescriptorObjectStructure const): * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncOwnKeys): * runtime/ObjectConstructor.cpp: (JSC::objectConstructorGetOwnPropertyNames): (JSC::objectConstructorGetOwnPropertySymbols): (JSC::objectConstructorKeys): (JSC::ownPropertyKeys): (JSC::constructObjectFromPropertyDescriptorSlow): * runtime/ObjectConstructor.h: (JSC::createDataPropertyDescriptorObjectStructure): (JSC::createAccessorPropertyDescriptorObjectStructure): (JSC::constructObjectFromPropertyDescriptor): * runtime/ReflectObject.cpp: (JSC::reflectObjectOwnKeys): * runtime/Structure.cpp: (JSC::Structure::canCachePropertyNameEnumerator const): * runtime/Structure.h: * runtime/StructureInlines.h: (JSC::Structure::setCachedPropertyNames): (JSC::Structure::cachedPropertyNames const): (JSC::Structure::cachedPropertyNamesIgnoringSentinel const): (JSC::Structure::canCacheOwnPropertyNames const): (JSC::Structure::setCachedOwnKeys): Deleted. (JSC::Structure::cachedOwnKeys const): Deleted. (JSC::Structure::cachedOwnKeysIgnoringSentinel const): Deleted. (JSC::Structure::canCacheOwnKeys const): Deleted. * runtime/StructureRareData.cpp: (JSC::StructureRareData::visitChildren): * runtime/StructureRareData.h: * runtime/StructureRareDataInlines.h: (JSC::StructureRareData::cachedPropertyNames const): (JSC::StructureRareData::cachedPropertyNamesIgnoringSentinel const): (JSC::StructureRareData::cachedPropertyNamesConcurrently const): (JSC::StructureRareData::setCachedPropertyNames): (JSC::StructureRareData::cachedOwnKeys const): Deleted. (JSC::StructureRareData::cachedOwnKeysIgnoringSentinel const): Deleted. (JSC::StructureRareData::cachedOwnKeysConcurrently const): Deleted. (JSC::StructureRareData::setCachedOwnKeys): Deleted. 2020-08-19 Alexey Shvayka <shvaikalesh@gmail.com> Introduce OpIsCallable bytecode and intrinsic https://bugs.webkit.org/show_bug.cgi?id=215572 Reviewed by Ross Kirsling and Saam Barati. This patch: 1. Aligns slow_path_is_function with DFG/FTL implementations by introducing jsTypeofIsFunction() helper. This fixes `typeof document.all === "function"` to return `false` instead of `true`. 2. Renames is_function bytecode op to typeof_is_function, aligning it with typeof_is_undefined and typeof_is_object. New name offers better semantics and clearly communicates the op should be avoided when implementing new features because of `typeof` behavior with [[IsHTMLDDA]] objects [1]. 3. Adds is_callable bytecode op and utilizes it in built-ins via intrinsic, removing `typeof callback === "function"` checks. This prevents [[IsHTMLDDA]] objects from being considered non-callable [2]. To preserve the fast path for JSFunctionType, createFunctionThatMasqueradesAsUndefined() is relocated to InternalFunction. `typeof` microbenchmarks are neutral. [1]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot-typeof [2]: https://tc39.es/ecma262/#sec-array.prototype.map (step 3) * builtins/ArrayConstructor.js: * builtins/ArrayPrototype.js: (reduce): (reduceRight): (every): (forEach): (filter): (map): (some): (find): (findIndex): (sort): (flatMap): * builtins/FunctionPrototype.js: (overriddenName.string_appeared_here.symbolHasInstance): (bind): * builtins/MapPrototype.js: (forEach): * builtins/PromiseConstructor.js: (all): (allSettled): (any): (race): (nakedConstructor.Promise): (nakedConstructor.InternalPromise): * builtins/PromiseOperations.js: (globalPrivate.newPromiseCapabilitySlow): (globalPrivate.resolvePromise): (globalPrivate.resolveWithoutPromise): * builtins/PromisePrototype.js: (finally): (globalPrivate.getThenFinally): (globalPrivate.getCatchFinally): * builtins/ReflectObject.js: (apply): * builtins/RegExpPrototype.js: (globalPrivate.regExpExec): (overriddenName.string_appeared_here.replace): * builtins/SetPrototype.js: (forEach): * builtins/TypedArrayConstructor.js: * builtins/TypedArrayPrototype.js: (every): (find): (findIndex): (forEach): (some): (sort): (reduce): (reduceRight): (map): (filter): * bytecode/BytecodeIntrinsicRegistry.h: * bytecode/BytecodeList.rb: * bytecode/BytecodeUseDef.cpp: (JSC::computeUsesForBytecodeIndexImpl): (JSC::computeDefsForBytecodeIndexImpl): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitEqualityOpImpl): (JSC::BytecodeGenerator::emitIsCallable): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGHeapLocation.cpp: (WTF::printInternal): * dfg/DFGHeapLocation.h: * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileIsCallable): (JSC::DFG::SpeculativeJIT::compileIsFunction): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileIsCallable): (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction): Deleted. * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): * jit/JITOperations.h: * jsc.cpp: (functionMakeMasquerader): * llint/LowLevelInterpreter.asm: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/CommonSlowPaths.h: * runtime/InternalFunction.cpp: (JSC::InternalFunction::createFunctionThatMasqueradesAsUndefined): * runtime/InternalFunction.h: * runtime/JSFunction.cpp: (JSC::JSFunction::createFunctionThatMasqueradesAsUndefined): Deleted. * runtime/JSFunction.h: * runtime/Operations.h: (JSC::jsTypeofIsFunction): 2020-08-19 Saam Barati <sbarati@apple.com> REGRESSION (r265775): DFG ASSERTION FAILED: AI-clobberize disagreement; AI says FoldedClobber while clobberize says (Direct:[], Super:[]) https://bugs.webkit.org/show_bug.cgi?id=215639 <rdar://problem/67376432> Reviewed by Robin Morisset. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 2020-08-19 Tadeu Zagallo <tzagallo@apple.com> B3 IntRange is incorrect for negative masks https://bugs.webkit.org/show_bug.cgi?id=215536 <rdar://problem/67130430> Reviewed by Michael Saboff and Robin Morisset. In the B3 ReduceStrength phase, we compute rangeForMask as (0, mask). This is correct for positive values, but incorrect when negative. To fix it, we use `(INT_MIN & mask, INT_MAX & mask)` as the range for negative masks. * b3/B3ReduceStrength.cpp: * b3/testb3.h: * b3/testb3_1.cpp: (run): * b3/testb3_5.cpp: (testCheckSubBitAnd): 2020-08-18 Saam Barati <sbarati@apple.com> Update byte offsets in JSString.h comment https://bugs.webkit.org/show_bug.cgi?id=215621 Reviewed by Yusuke Suzuki. * runtime/JSString.h: 2020-08-17 Saam Barati <sbarati@apple.com> Have an OOB+SaneChain Array::Speculation https://bugs.webkit.org/show_bug.cgi?id=215487 Reviewed by Yusuke Suzuki. This patch adds a new ArrayMode speculation in the DFG/FTL called OutOfBoundsSaneChain. It allows us to do fast things when we go OOB, like simply return undefined. This is because we install watchpoints on the prototype chain to ensure they have no indexed properties. This patch implements OutOfBoundsSaneChain on GetByVal over Int32/Double/Contiguous original JS arrays. We can extend it in the future to non original JS arrays if we prove their prototype is Array.prototype. To implement this properly, we also need to ensure that the index isn't negative, as Array.prototype/Object.prototype may have negative indexed accessors. We do this via speculation, and if we ever recompile, and see an exit because of this, we will stop speculating OutOfBoundsSaneChain. This is about 20% faster on crypto-md5-SP. And ~3-4x faster on the microbenchmarks I created. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGArrayMode.cpp: (JSC::DFG::ArrayMode::refine const): (JSC::DFG::arraySpeculationToString): * dfg/DFGArrayMode.h: (JSC::DFG::ArrayMode::isInBoundsSaneChain const): (JSC::DFG::ArrayMode::isOutOfBoundsSaneChain const): (JSC::DFG::ArrayMode::isOutOfBounds const): (JSC::DFG::ArrayMode::isEffectfulOutOfBounds const): (JSC::DFG::ArrayMode::isInBounds const): (JSC::DFG::ArrayMode::isSaneChain const): Deleted. * dfg/DFGCSEPhase.cpp: * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::checkArray): (JSC::DFG::FixupPhase::setSaneChainIfPossible): (JSC::DFG::FixupPhase::convertToHasIndexedProperty): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetByValOnString): (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGValidate.cpp: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty): 2020-08-16 Alexey Shvayka <shvaikalesh@gmail.com> Remove OpIsObjectOrNull from ClassExprNode::emitBytecode() https://bugs.webkit.org/show_bug.cgi?id=214525 Reviewed by Keith Miller. This patch: 1. Replaces OpIsObjectOrNull in ClassExprNode::emitBytecode() [1] with emitIsObject() + emitIsNull(), preventing DFG/FTL from throwing a TypeError if `document.all` is the value of superclass "prototype" property, which aligns JSC with V8 and SpiderMonkey. Also, tweaks error message to reflect that `null` is allowed. 2. Renames is_object_or_null bytecode op to typeof_is_object, fixing the confusing operationObjectIsObject() name, and aligns it with typeof_is_undefined. New name offers better semantics and clearly communicates the op should be avoided when implementing new features because of `typeof` behavior with [[IsHTMLDDA]] objects [2]. [1]: https://tc39.es/ecma262/#sec-runtime-semantics-classdefinitionevaluation (step 5.g.ii) [2]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot-typeof * bytecode/BytecodeList.rb: * bytecode/BytecodeUseDef.cpp: (JSC::computeUsesForBytecodeIndexImpl): (JSC::computeDefsForBytecodeIndexImpl): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitEqualityOpImpl): * bytecompiler/NodesCodegen.cpp: (JSC::ClassExprNode::emitBytecode): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGHeapLocation.cpp: (WTF::printInternal): * dfg/DFGHeapLocation.h: * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileTypeOfIsObject): (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileTypeOfIsObject): (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull): Deleted. * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): * llint/LowLevelInterpreter.asm: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/CommonSlowPaths.h: * runtime/Operations.cpp: (JSC::jsTypeofIsObject): (JSC::jsIsObjectTypeOrNull): Deleted. * runtime/Operations.h: 2020-08-15 Adrian Perez de Castro <aperez@igalia.com> Unreviewed non-unified source build fix * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Add missing OperandsInlines.h header. 2020-08-14 Caio Lima <ticaiolima@gmail.com> [ARMv7][JSC] Conservative GC is not considering `r7` as a root https://bugs.webkit.org/show_bug.cgi?id=215512 Reviewed by Yusuke Suzuki. Since `r7` is a callee-saved register on ARMv7 we need to consider it as a conservative root. See the statement "A subroutine must preserve the contents of the registers r4-r8, r10, r11 and SP (and r9 in PCS variants that designate r9 as v6) form page 15 of https://developer.arm.com/documentation/ihi0042/f/. * heap/RegisterState.h: 2020-08-12 Keith Miller <keith_miller@apple.com> OSRAvailabilityAnalysis shouldn't mark GetStack nodes directly as valid places for recovery https://bugs.webkit.org/show_bug.cgi?id=215434 Reviewed by Saam Barati. It's somewhat subtle why we cannot use the node for the GetStack itself in the Availability's node field. The reason is that if we did we would need to make any phase that converts nodes to GetStack availability aware. For instance, a place where this could come up is in constant folding if you had a graph like the following, which could arise from PutStack sinking: BB#1: @1: NewObject() @2: MovHint(@1, inline-arg1) @3: Jump(#2, #3) BB#2: @4: PutStack(@1, inline-arg1) @5: GetMyArgumentByVal(inline-arg1) @6: Jump(#3) BB#3: @7: InvalidationPoint() If constant folding converts @5 to a GetStack then at @7 inline-arg1 won't be available since at the end of BB#1 our availability is (@1, DeadFlush) and (@5, FlushedAt(inline-arg1)). When that gets merged at BB#3 then the availability will be (nullptr, ConflictingFlush). This patch also makes validation check that availability is sane at each pontential exit site if Options::validateFTLOSRExitLiveness() is set. Since this is actually a Phase we also need to make sure that we don't infinite loop, so there is now a m_isValidating field on m_graph. The validateOSRExitAvailability phase is also careful not to modify the Graph, in order to avoid masking bugs when validating. In a followup patch I intend to look into why MovHint elimination will convert: @2: MovHint(@0, loc1, bc#1, ExitInvalid) @3: KillStack(loc1, bc#2, ExitValid) @4: MovHint(@1 loc1, bc#2, ExitInvalid) into @2: ZombieHint(@0, loc1, bc#1, ExitInvalid) @3: KillStack(loc1, bc#2, ExitValid) @4: MovHint(@1 loc1, bc#2, ExitInvalid) when loc1 is live in the bytecode at bc#2. But for now, the validation rule works around this by only checking when mayExit and the nodes exitOK agree exiting is possible. * dfg/DFGGraph.h: * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: (JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase): (JSC::DFG::OSRAvailabilityAnalysisPhase::run): (JSC::DFG::performOSRAvailabilityAnalysis): (JSC::DFG::validateOSRExitAvailability): (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode): * dfg/DFGOSRAvailabilityAnalysisPhase.h: * dfg/DFGPhase.h: (JSC::DFG::runPhase): * dfg/DFGValidate.cpp: 2020-08-13 Alexey Shvayka <shvaikalesh@gmail.com> Cache Structure::attributeChangeTransition() https://bugs.webkit.org/show_bug.cgi?id=214890 Reviewed by Yusuke Suzuki. With this change, a non-dictionary structure adds attribute-change transitions to transition table, making redefinition to previous atttributes a fast path. After too many transitions, the structure becomes a dictionary, firing the transition watchpoint. Attribute-change transitions pin their property tables, preventing forEachPropertyConcurrently() traversal. This patch advances provided microbenchmark by ~90% and progresses Speedometer2/EmberJS-Debug-TodoMVC by ~12% (~5% over r264573). No behavior change. * dfg/DFGGraph.cpp: (JSC::DFG::Graph::getRegExpPrototypeProperty): * runtime/JSObjectInlines.h: (JSC::JSObject::putDirectInternal): * runtime/Structure.cpp: (JSC::Structure::materializePropertyTable): (JSC::Structure::removeNewPropertyTransition): (JSC::Structure::attributeChangeTransition): * runtime/Structure.h: 2020-08-13 Alexey Shvayka <shvaikalesh@gmail.com> Rework StructureTransitionTable::Hash::Key encoding https://bugs.webkit.org/show_bug.cgi?id=215483 Reviewed by Yusuke Suzuki. This patch implements new encoding of StructureTransitionTable::Hash::Key to enable storing attribute change transitions in a transition table. Since PropertyMapEntry attributes are always uint8_t, the remaining 8 bits are used for TransitionKind, which also accommodates non-property transitions, removing a bit hacky toAttributes() and utilization of unused pointer bits. This change also introduces TransitionKind::Unknown we can validate against, preventing addition transition from being a default, which could be unsafe. No behavior change. * runtime/JSObject.cpp: (JSC::JSObject::notifyPresenceOfIndexedAccessors): (JSC::JSObject::createInitialUndecided): (JSC::JSObject::createInitialInt32): (JSC::JSObject::createInitialDouble): (JSC::JSObject::createInitialContiguous): (JSC::JSObject::convertUndecidedToInt32): (JSC::JSObject::convertUndecidedToDouble): (JSC::JSObject::convertUndecidedToContiguous): (JSC::JSObject::convertUndecidedToArrayStorage): (JSC::JSObject::convertInt32ToDouble): (JSC::JSObject::convertInt32ToContiguous): (JSC::JSObject::convertInt32ToArrayStorage): (JSC::JSObject::convertDoubleToContiguous): (JSC::JSObject::convertDoubleToArrayStorage): (JSC::JSObject::convertContiguousToArrayStorage): (JSC::JSObject::convertFromCopyOnWrite): (JSC::JSObject::switchToSlowPutArrayStorage): (JSC::JSObject::suggestedArrayStorageTransition const): * runtime/JSObject.h: * runtime/Structure.cpp: (JSC::StructureTransitionTable::contains const): (JSC::StructureTransitionTable::get const): (JSC::StructureTransitionTable::add): (JSC::Structure::Structure): (JSC::Structure::addPropertyTransitionToExistingStructureImpl): (JSC::Structure::addNewPropertyTransition): (JSC::Structure::removePropertyTransitionFromExistingStructureImpl): (JSC::Structure::removeNewPropertyTransition): (JSC::Structure::sealTransition): (JSC::Structure::freezeTransition): (JSC::Structure::preventExtensionsTransition): (JSC::Structure::nonPropertyTransitionSlow): * runtime/Structure.h: * runtime/StructureInlines.h: (JSC::Structure::nonPropertyTransition): * runtime/StructureTransitionTable.h: (JSC::changesIndexingType): (JSC::newIndexingType): (JSC::preventsExtensions): (JSC::setsDontDeleteOnAllProperties): (JSC::setsReadOnlyOnNonAccessorProperties): (JSC::StructureTransitionTable::Hash::Key::Key): (JSC::StructureTransitionTable::Hash::Key::attributes const): (JSC::StructureTransitionTable::Hash::Key::transitionKind const): (JSC::StructureTransitionTable::Hash::hash): (JSC::toAttributes): Deleted. (JSC::StructureTransitionTable::Hash::Key::isAddition const): Deleted. 2020-08-12 Keith Rollin <krollin@apple.com> Remove the need for defining USE_NEW_BUILD_SYSTEM https://bugs.webkit.org/show_bug.cgi?id=215439 Reviewed by Darin Adler. When building WebKit for XCBuild, we currently require that the external build system (such as the Makefile, build-webkit, etc.) defines the USE_NEW_BUILD_SYSTEM=YES build setting. This build setting controls parts of our build instructions that are sensitive to when XCBuild or the Legacy build system are being used. Notably, we need to know when to use our custom “copy and modify” scripts with copying certain header files (used with the Legacy build system) vs. using the enhanced Copy Headers build phase that’s enabled with APPLY_RULES_IN_COPY_HEADERS=YES (introduced with and used by XCBuild). The choice of which method to copy headers is used is controlled by USE_NEW_BUILD_SYSTEM. There is no built-in build setting that we can probe to help us determine which approach to take when copying and modifying headers, which is why we need to define USE_NEW_BUILD_SYSTEM ourselves. But it turns out that we can *detect* which build system is being used by taking advantage of a subtle difference between the two systems. As noted in: https://developer.apple.com/documentation/xcode-release-notes/build-system-release-notes-for-xcode-10 “When an .xcconfig file contains multiple assignments of the same build setting, later assignments using $(inherited) or $(<setting_name>) will inherit from earlier assignments in the .xcconfig. The legacy build system caused every use of $(inherited) or $(<setting_name>) skip any other values defined within the .xcconfig.” This difference can be exploited as follows: WK_WHICH_BUILD_SYSTEM = not_ WK_WHICH_BUILD_SYSTEM = $(inherited)legacy WK_USE_NEW_BUILD_SYSTEM = $(WK_USE_NEW_BUILD_SYSTEM_$(WK_WHICH_BUILD_SYSTEM)) WK_USE_NEW_BUILD_SYSTEM_legacy = NO WK_USE_NEW_BUILD_SYSTEM_not_legacy = YES We can then use WK_USE_NEW_BUILD_SYSTEM where we used to use the externally-defined USE_NEW_BUILD_SYSTEM. * Configurations/Base.xcconfig: * Configurations/JavaScriptCore.xcconfig: * JavaScriptCore.xcodeproj/project.pbxproj: 2020-08-12 Saam Barati <sbarati@apple.com> Inline cache Replace and Setters on PureForwardingProxy https://bugs.webkit.org/show_bug.cgi?id=215250 Reviewed by Yusuke Suzuki. We didn't used to cache any Puts on PureForwardingProxy. This patch implements Replace and JS/Custom Setters on PureForwardingProxy. We don't support Transition puts because in our current implementation different global objects will never share the same structure. This patch also aligns how our runtime and the ICs invoke Customs when the passed in |this| value is a JSProxy. For custom accessors, our runtime passes in the JSProxy, where our ICs used to pass in the target of the JSProxy, for the receiver value. For custom values, the IC behavior and the runtime were already aligned in passing in the property owner, which is the JSProxy's target. This patch aligns our IC behavior to match our runtime behavior. This patch also renames some of the registers in the IC code to clear up what they're used for. This is a 2.5x speedup on the microbenchmark I've added, and a 15-20% speedup on JetStream2's 3d-cube-SP. * bytecode/AccessCase.cpp: (JSC::AccessCase::generateWithGuard): (JSC::AccessCase::generateImpl): * bytecode/GetterSetterAccessCase.cpp: (JSC::GetterSetterAccessCase::create): * bytecode/GetterSetterAccessCase.h: * jit/JITOperations.cpp: * jit/Repatch.cpp: (JSC::tryCachePutByID): * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::originalStructureBeforePut): (JSC::CommonSlowPaths::putDirectWithReify): 2020-08-11 Mark Lam <mark.lam@apple.com> ScriptExecutable::newCodeBlockFor() neglected to set the exception pointer result in one case. https://bugs.webkit.org/show_bug.cgi?id=215357 <rdar://problem/57675112> Reviewed by Yusuke Suzuki. At the bottom of ScriptExecutable::newCodeBlockFor(), it calls: RELEASE_AND_RETURN(throwScope, FunctionCodeBlock::create(vm, executable, unlinkedCodeBlock, scope)); However, ScriptExecutable::newCodeBlockFor() has 2 return values: a CodeBlock*, and a passed in Exception*& that needs to be set if there's an exception. FunctionCodeBlock::create() is capable of returning a null CodeBlock* because CodeBlock::finishCreation() can throw exceptions. As a result, we have a scenario here where ScriptExecutable::newCodeBlockFor() can return a null CodeBlock* without setting the Exception*& result. Consequently, Interpreter::executeCall() is relying on this and can end up crashing while dereferencing a null CodeBlock* because the exception result was not set. This patch fixes ScriptExecutable::newCodeBlockFor() to set the exception result. * runtime/ScriptExecutable.cpp: (JSC::ScriptExecutable::newCodeBlockFor): 2020-08-10 Lauro Moura <lmoura@igalia.com> [CMake][JSC] Fix testapiScripts copy location https://bugs.webkit.org/show_bug.cgi?id=215338 file(COPY src/dir DESTINATION target/dir) copies the entire `dir` inside target/dir instead of only the contents. Reviewed by Alex Christensen. * shell/CMakeLists.txt: 2020-08-10 Alex Christensen <achristensen@webkit.org> REGRESSION(r261159) PokerBros only shows black screen https://bugs.webkit.org/show_bug.cgi?id=215293 <rdar://problem/66073740> Reviewed by Keith Miller. The PokerBros app has some logic that was broken by the change in behavior of r261159. It caused the app do do nothing except show a black screen upon opening. Revert to the old behavior for this app until they update to iOS14. * runtime/JSObject.cpp: (JSC::needsOldStringName): (JSC::JSObject::toStringName): 2020-08-10 Yusuke Suzuki <ysuzuki@apple.com> [JSC] JSFinalObject::finishCreation's ASSERT has stale condition https://bugs.webkit.org/show_bug.cgi?id=215317 Reviewed by Mark Lam. JSFinalObject::finishCreation assumes that there is no out-of-line property storage (inline storage capacity == total storage capacity). But this is wrong when passing Butterfly* parameter to JSFinalObject. Previously, this feature is not used and we instead used JSObject::createRawObject, which bypasses this assertion. But now, we start using this when creating an object for MaterializeNewObject in DFG and FTL, and then we hit the crash because this assertion does not consider about non-nullptr butterfly. This patch makes create function explicit by introducing `JSFinalObject::createWithButterfly`, which is similar to JSArray::createWithButterfly. And we fix the assertion by checking butterfly existence. By renaming JSFinalObject::create to JSFinalObject::createWithButterfly when getting butterfly, this patch also clarifies that only MaterializeNewObject related functions, which were using JSObject::createRawObject to bypass this assertion, is passing butterfly. * dfg/DFGOperations.cpp: * runtime/JSObject.h: (JSC::JSFinalObject::createWithButterfly): (JSC::JSFinalObject::create): 2020-08-09 Commit Queue <commit-queue@webkit.org> Unreviewed, reverting r265392. https://bugs.webkit.org/show_bug.cgi?id=215316 Crash ARM64 / ARM64E JSC tests Reverted changeset: "REGRESSION(r261159) PokerBros only shows black screen" https://bugs.webkit.org/show_bug.cgi?id=215293 https://trac.webkit.org/changeset/265392 2020-08-09 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Make CommandLine on Worker agent (JSC shell feature for testing) work on iOS https://bugs.webkit.org/show_bug.cgi?id=215311 <rdar://problem/66660053> Reviewed by Mark Lam. We should not reconfigure Options since this is once initialized. Since Options are frozen, this results in crash. * jsc.cpp: (CommandLine::CommandLine): (functionDollarAgentStart): 2020-08-09 Commit Queue <commit-queue@webkit.org> Unreviewed, reverting r263195, r263252, and r265394. https://bugs.webkit.org/show_bug.cgi?id=215312 Revert all related GC Bitmap changes because some of perf is not fully recovered Reverted changesets: "Replace JSC::FreeList linked list with a Bitmap." https://bugs.webkit.org/show_bug.cgi?id=213071 https://trac.webkit.org/changeset/263195 "Unify Bitmap math loops in MarkedBlock::Handle::specializedSweep()." https://bugs.webkit.org/show_bug.cgi?id=213345 https://trac.webkit.org/changeset/263252 "[JSC] Disable ENABLE_BITMAP_FREELIST" https://bugs.webkit.org/show_bug.cgi?id=215285 https://trac.webkit.org/changeset/265394 2020-08-08 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Speculate children first in DFG NewArray https://bugs.webkit.org/show_bug.cgi?id=215308 <rdar://problem/64749263> Reviewed by Mark Lam. SpeculativeJIT::emitAllocateRawObject can create uninitialized butterfly since we later fill them. However, DFG NewArray node has speculation after that. So if speculation failure happens, we release half-baked butterfly. Let's see the example. 8459 emitAllocateRawObject(resultGPR, structure, storageGPR, numElements, vectorLengthHint); ... 8482 case ALL_INT32_INDEXING_TYPES: 8483 case ALL_CONTIGUOUS_INDEXING_TYPES: { 8484 JSValueOperand operand(this, use, ManualOperandSpeculation); 8485 JSValueRegs operandRegs = operand.jsValueRegs(); 8486 if (hasInt32(node->indexingType())) { 8487 DFG_TYPE_CHECK( 8488 operandRegs, use, SpecInt32Only, 8489 m_jit.branchIfNotInt32(operandRegs)); 8490 } 8491 m_jit.storeValue(operandRegs, MacroAssembler::Address(storageGPR, sizeof(JSValue) * operandIdx)); 8492 break; 8493 } L8487-L8489 is doing speculation check. If it failed, the rest of the butterfly can be filled with garbage. This looks OK since it is Int32 butterfly so GC never scans it. However, if have-a-bad-time happens and the array is reachable from the conservative root, this half-baked array is converted from Int32 array to ArrayStorage. At that time, since Int32 butterfly should hold JSInt32, we store this garbage to ArrayStorage. Later, if conservative root still holds this array, and GC scans this garbage as as JSValue, this value confuses GC. In this patch, we first perform speculation before creating uninitialized JSArray so that we can ensure that we never exit after creating this array until we fill it. This strategy is the same to FTL's NewArray implementation. And we also found that emitAllocateRawObject is allocating an object from JSFinalObject space while we use it for JSArray too. We should get per-type allocator to ensure JSArray is allocated in its IsoSubspace. * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): (JSC::DFG::SpeculativeJIT::compileNewArray): (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNewArray): (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject): * runtime/JSObject.h: (JSC::JSObject::createRawObject): Deleted. 2020-08-07 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Disable ENABLE_BITMAP_FREELIST https://bugs.webkit.org/show_bug.cgi?id=215285 Reviewed by Mark Lam. From performance bots, we observed that, 1. MBP11,4 shows 1% regression in Speedometer2. 2. The other MBP / iMac / MBA bots show neutral or slight regression in Speedometer2. Based on the above result, for now, we disable this feature. * heap/FreeList.h: 2020-08-07 Alex Christensen <achristensen@webkit.org> REGRESSION(r261159) PokerBros only shows black screen https://bugs.webkit.org/show_bug.cgi?id=215293 Reviewed by Keith Miller. The PokerBros app has some logic that was broken by the change in behavior of r261159. It caused the app do do nothing except show a black screen upon opening. Revert to the old behavior for this app until they update to iOS14. * runtime/JSObject.cpp: (JSC::needsOldStringName): (JSC::JSObject::toStringName): 2020-08-07 Michael Saboff <msaboff@apple.com> RegExp sticky not matching alternates correctly, ignoring lastIndex requirement https://bugs.webkit.org/show_bug.cgi?id=214181 Reviewed by Yusuke Suzuki. In the YARR JIT, we need to check for sticky patterns before checking for fixed character terms when backtracking. The YARR interpreter doesn't have this issue. * yarr/YarrJIT.cpp: 2020-08-05 Tim Horton <timothy_horton@apple.com> Remove all references to non-existent 10.16 https://bugs.webkit.org/show_bug.cgi?id=215202 Reviewed by Wenson Hsieh. * Configurations/Base.xcconfig: * Configurations/DebugRelease.xcconfig: * Configurations/Version.xcconfig: * Configurations/WebKitTargetConditionals.xcconfig: 2020-08-05 Saam Barati <sbarati@apple.com> Fix returnEarlyFromInfiniteLoopsForFuzzing in DFG and validateDoesGC https://bugs.webkit.org/show_bug.cgi?id=215194 <rdar://problem/66158641> Reviewed by Mark Lam. I already fixed this same issue in the FTL in r264330, but I forgot to do it in the DFG. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2020-08-05 Keith Miller <keith_miller@apple.com> The various AllowList options should be able to take the function name inline https://bugs.webkit.org/show_bug.cgi?id=215184 Reviewed by Saam Barati. Right now when I use the various AllowList JSC options I almost always only care about a single function. Right now you need to create a file with that single name in it. That is inconvenient, so this patch changes the behavior to treat the string as the function name if no file at that path exists. I'm also speculatively assuming fopen doesn't return ENOENT when it fails due to sandboxing... I didn't feel like testing it because this is a debug option. * runtime/OptionsList.h: * tools/FunctionAllowlist.cpp: (JSC::FunctionAllowlist::FunctionAllowlist): 2020-08-05 Keith Miller <keith_miller@apple.com> Add assertions / inline capacity to checkpoint side state stacks https://bugs.webkit.org/show_bug.cgi?id=215175 Reviewed by Saam Barati. The inline capacity should hopefully avoid unneeded mallocs close to 100% of the time during our OSR exit ramp. * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::compileExit): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): * runtime/VM.cpp: (JSC::VM::pushCheckpointOSRSideState): * runtime/VM.h: 2020-08-04 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Use LazyNeverDestroyed & std::call_once for complex singletons https://bugs.webkit.org/show_bug.cgi?id=215153 <rdar://problem/65718983> Reviewed by Mark Lam. We are getting some crashes in RemoteInspector and this speculatively fixes the crash. My guess is that NeverDestroyed<RemoteInspector> calls constructor twice in heavily contended situation: WebKit's static does not have thread-safety. If two threads come here at the same time, it is possible that constructor is invoked twice. In that case, later constructor will clear members, which involves clearing Lock m_mutex field. This makes Lock's invariant broken. This patch uses LazyNeverDestroyed and std::call_once to ensure invoking constructor only once. * API/glib/JSCVirtualMachine.cpp: * dfg/DFGCommonData.cpp: * disassembler/Disassembler.cpp: * inspector/remote/RemoteInspector.h: * inspector/remote/cocoa/RemoteInspectorCocoa.mm: (Inspector::RemoteInspector::singleton): * inspector/remote/glib/RemoteInspectorGlib.cpp: (Inspector::RemoteInspector::singleton): * inspector/remote/socket/RemoteInspectorServer.cpp: (Inspector::RemoteInspectorServer::singleton): * inspector/remote/socket/RemoteInspectorServer.h: * inspector/remote/socket/RemoteInspectorSocket.cpp: (Inspector::RemoteInspector::singleton): * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: (Inspector::RemoteInspectorSocketEndpoint::singleton): * interpreter/Interpreter.cpp: (JSC::Interpreter::opcodeIDTable): * runtime/IntlObject.cpp: (JSC::intlAvailableLocales): (JSC::intlCollatorAvailableLocales): (JSC::defaultLocale): (JSC::numberingSystemsForLocale): 2020-08-04 Keith Miller <keith_miller@apple.com> CheckpointSideState shoud play nicely with StackOverflowException unwinding. https://bugs.webkit.org/show_bug.cgi?id=215114 Reviewed by Saam Barati. This patch fixes an issue where we the StackVisitor would automatically unwind into the first frame before calling into the provided functor. As a note, we do this because the first frame is not fully initialized at the time we check for stack overflow. When this happened we would fail to clear the side state causing a memory leak. To fix this the unwind function now clears every checkpoint up to and including the call frame containing our handler. Some care needs to be taken that we don't clear checkpoint side state for other threads, which could happen if there are no checkpoints on the current thread and an API miggrated us from another thread below the current thread. This patch also makes two refacorings. The first is to make the checkpoint side state into a stack, which is how we used it anyway. The second is that CallFrame::dump and everything associated with it is now marked const so we can PointerDump a CallFrame*. * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::compileExit): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): * interpreter/CallFrame.cpp: (JSC::CallFrame::bytecodeIndex const): (JSC::CallFrame::codeOrigin const): (JSC::CallFrame::dump const): (JSC::CallFrame::bytecodeIndex): Deleted. (JSC::CallFrame::codeOrigin): Deleted. (JSC::CallFrame::dump): Deleted. * interpreter/CallFrame.h: (JSC::CallFrame::argument const): (JSC::CallFrame::uncheckedArgument const): (JSC::CallFrame::getArgumentUnsafe const): (JSC::CallFrame::thisValue const): (JSC::CallFrame::newTarget const): (JSC::CallFrame::argument): Deleted. (JSC::CallFrame::uncheckedArgument): Deleted. (JSC::CallFrame::getArgumentUnsafe): Deleted. (JSC::CallFrame::thisValue): Deleted. (JSC::CallFrame::newTarget): Deleted. * interpreter/CheckpointOSRExitSideState.h: (JSC::CheckpointOSRExitSideState::CheckpointOSRExitSideState): * interpreter/Interpreter.cpp: (JSC::UnwindFunctor::operator() const): (JSC::Interpreter::unwind): (): Deleted. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call): (JSC::LLInt::slow_path_checkpoint_osr_exit): * runtime/VM.cpp: (JSC::VM::scanSideState const): (JSC::VM::pushCheckpointOSRSideState): (JSC::VM::popCheckpointOSRSideState): (JSC::VM::popAllCheckpointOSRSideStateUntil): (JSC::VM::addCheckpointOSRSideState): Deleted. (JSC::VM::findCheckpointOSRSideState): Deleted. * runtime/VM.h: 2020-08-03 Alberto Garcia <berto@igalia.com> [GTK] 2.29.4 fails to build in armhf https://bugs.webkit.org/show_bug.cgi?id=214966 Reviewed by Michael Catanzaro. SP register cannot be used as a destination register of SUB or ADD on Thumb mode. * llint/LowLevelInterpreter32_64.asm: 2020-08-03 Adrian Perez de Castro <aperez@igalia.com> Non-unified build fixes, early August 20202 edition https://bugs.webkit.org/show_bug.cgi?id=215082 Unreviewed build fix. * dfg/DFGOSREntry.h: Add missing inclusion of CodeLocation.h * ftl/FTLGeneratedFunction.h: Ditto. * jit/CallFrameShuffler.h: Forward-declare CCallHelpers. 2020-08-02 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, fix CLoop build https://bugs.webkit.org/show_bug.cgi?id=215010 * tools/SigillCrashAnalyzer.cpp: 2020-08-02 Commit Queue <commit-queue@webkit.org> Unreviewed, reverting r265151. https://bugs.webkit.org/show_bug.cgi?id=215074 Broke ARM64E JSC tests Reverted changeset: "validate untagArrayPtr" https://bugs.webkit.org/show_bug.cgi?id=214953 https://trac.webkit.org/changeset/265151 2020-08-01 Commit Queue <commit-queue@webkit.org> Unreviewed, reverting r265097, r265113, and r265122. https://bugs.webkit.org/show_bug.cgi?id=215065 Broke AppleSilicon Big Sur Reverted changesets: "Strip pointers instead of authing for byteOffset to not allow for a possible way to guess data pac" https://bugs.webkit.org/show_bug.cgi?id=214952 https://trac.webkit.org/changeset/265097 "Compute number of PAC bits from what the OS says its address space is" https://bugs.webkit.org/show_bug.cgi?id=214986 https://trac.webkit.org/changeset/265113 "Remove UB from nonPACBitsMask computation" https://bugs.webkit.org/show_bug.cgi?id=214996 https://trac.webkit.org/changeset/265122 2020-07-31 Keith Miller <keith_miller@apple.com> Move Options setter to where we allow access to the Options object https://bugs.webkit.org/show_bug.cgi?id=215028 Reviewed by Saam Barati. Right now jsc CLI crashes when assertions are enabled on iOS. * jsc.cpp: (main): (CommandLine::parseArguments): 2020-07-31 Saam Barati <sbarati@apple.com> Re-enable NO_SMT on Catalina https://bugs.webkit.org/show_bug.cgi?id=215024 Reviewed by Alexey Proskuryakov. * runtime/Options.cpp: (JSC::defaultTCSMValue): * runtime/OptionsList.h: 2020-07-31 Saam Barati <sbarati@apple.com> validate untagArrayPtr https://bugs.webkit.org/show_bug.cgi?id=214953 Reviewed by Keith Miller. This patch adds validation to untagArrayPtr along paths where we don't immediately store/load from the result. This patch also changes the removeArrayPtrTag macro assembler function to use shifts instead of xpacd to strip the tag, because it's faster. * assembler/MacroAssemblerARM64E.h: (JSC::MacroAssemblerARM64E::untagArrayPtr): (JSC::MacroAssemblerARM64E::removeArrayPtrTag): * assembler/testmasm.cpp: (JSC::testCagePreservesPACFailureBit): * bytecode/AccessCase.cpp: (JSC::AccessCase::generateWithGuard): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): (JSC::FTL::DFG::LowerDFGToB3::caged): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::cageWithoutUntagging): (JSC::AssemblyHelpers::cageConditionallyAndUntag): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::cageWithoutUntagging): Deleted. (JSC::AssemblyHelpers::cageConditionally): Deleted. * jit/JITPropertyAccess.cpp: (JSC::JIT::emitIntTypedArrayPutByVal): (JSC::JIT::emitFloatTypedArrayPutByVal): * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): (JSC::Wasm::AirIRGenerator::addCallIndirect): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): (JSC::Wasm::B3IRGenerator::addCallIndirect): * wasm/WasmBinding.cpp: (JSC::Wasm::wasmToWasm): * wasm/js/JSToWasm.cpp: (JSC::Wasm::createJSToWasmWrapper): * wasm/js/WebAssemblyFunction.cpp: (JSC::WebAssemblyFunction::jsCallEntrypointSlow): 2020-07-31 Keith Miller <keith_miller@apple.com> Reduce over include usage in JSC https://bugs.webkit.org/show_bug.cgi?id=215010 Reviewed by Mark Lam. My first attempt to fix https://bugs.webkit.org/show_bug.cgi?id=215009 by making it so we don't include FastJITPermissions.h in TestWebKitAPI, was unsuccessful. Mostly because I gave up after several hours of building... I figure it's still worth it to land the last working version I was able to get building. * assembler/MacroAssemblerCodeRef.h: * bytecode/CodeBlock.cpp: * bytecode/PolymorphicAccess.h: * inspector/agents/InspectorRuntimeAgent.cpp: * interpreter/CallFrame.h: * jit/ThunkGenerators.cpp: * llint/LLIntOffsetsExtractor.cpp: * runtime/TypeLocationCache.cpp: * runtime/VM.cpp: (JSC::VM::getCTIStub): * runtime/VM.h: (JSC::VM::getCTIStub): Deleted. * tools/JSDollarVM.cpp: 2020-07-31 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Follow-up changes after r265036 https://bugs.webkit.org/show_bug.cgi?id=214982 Reviewed by Darin Adler. * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::compileExit): Remove dupe definitions in OSRExit. * jit/JITCall32_64.cpp: (JSC::JIT::emit_op_iterator_open): We should use emitJumpSlowCaseIfNotJSCell(regT1). 2020-07-30 Keith Miller <keith_miller@apple.com> Remove UB from nonPACBitsMask computation https://bugs.webkit.org/show_bug.cgi?id=214996 Reviewed by Tadeu Zagallo. For non-ARM64E we now set numberOfPACBits to zero, which was causing UB in our computation of the nonPACBitsMask. * assembler/MacroAssemblerARM64E.h: 2020-07-30 Keith Miller <keith_miller@apple.com> Compute number of PAC bits from what the OS says its address space is https://bugs.webkit.org/show_bug.cgi?id=214986 Reviewed by Saam Barati. * assembler/MacroAssemblerARM64E.h: 2020-07-30 Caio Lima <ticaiolima@gmail.com> [JSC][32-bits] interator_next should check for EmptyValue instead of undefined to execute LLInt fast path https://bugs.webkit.org/show_bug.cgi?id=214963 Reviewed by Yusuke Suzuki. There was a bug in previous implementation that allows execution of `interator_next` fast path if we set ArrayIterator.prototype.next to 0. This happened because we were not properly checking `ValueEmpty` from `m_next`. This patch is fixing such issue and doing the proper verification. * llint/LowLevelInterpreter32_64.asm: 2020-07-30 Saam Barati <sbarati@apple.com> Strip pointers instead of authing for byteOffset to not allow for a possible way to guess data pac https://bugs.webkit.org/show_bug.cgi?id=214952 Reviewed by Keith Miller. In the old way of doing things, we would auth the vector pointer before subtracting the base from it. Since we never validated the auth, this allowed for a potential data-PAC bypass by just repeatedly calling byteOffset in a loop and observing the integer result of the operation. Since byteOffset does no loads/stores, it suffices to just strip the PAC bits before doing the subtraction. This eliminates any such attacks like the above because the PAC bits are ignored. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): 2020-07-29 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Add B3::BottomTupleValue node https://bugs.webkit.org/show_bug.cgi?id=214956 <rdar://problem/65192877> Reviewed by Keith Miller. In B3 strength reduction, we convert B3 values to bottom value based on type after Oops kind, and then they are *typically* removed later. While we support bottom values for usual types, we do not have a bottom value for tuple type. So when replaceWithBottom is called, we fail to replace Patchpoints producing tuples with bottom values. This patch newly adds B3 BottomTupleValue, which is just a BottomValue for tuple. We can extend it to generate arbitrary constant tuple values, but for now, we just support bottom tuple values. We add a new node instead of generating patchpoint which generates bottom values since BottomTupleValues implementation is simpler: BottomTupleValue just emits bunch of zero clear for Air tmps and Air does everything automatically. On the other hand, implementing a patchpoint needs to add code which clears things with zero while checking the ValueRep. And since we have Const32, Const64, etc. values, having this kind of value for tuple too is natural. Plus, this design allows us to remove bunch of unnecessary instructions after lowering this to Air since Air knows what instructions will be emitted by this BottomTupleValue, and Air can remove a lot of zero clear instructions if they are not read later by Extract. * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * b3/B3BottomTupleValue.cpp: Copied from Source/JavaScriptCore/b3/B3InsertionSet.cpp. (JSC::B3::BottomTupleValue::dumpMeta const): * b3/B3BottomTupleValue.h: Copied from Source/JavaScriptCore/b3/B3InsertionSet.cpp. * b3/B3InsertionSet.cpp: (JSC::B3::InsertionSet::insertBottom): * b3/B3LowerToAir.cpp: * b3/B3Opcode.cpp: (WTF::printInternal): * b3/B3Opcode.h: * b3/B3Procedure.cpp: (JSC::B3::Procedure::addBottom): * b3/B3TypeMap.h: (JSC::B3::TypeMap::TypeMap): Deleted. * b3/B3Validate.cpp: * b3/B3Value.cpp: (JSC::B3::Value::effects const): (JSC::B3::Value::key const): * b3/B3Value.h: * b3/B3ValueInlines.h: * b3/B3ValueKey.cpp: (JSC::B3::ValueKey::materialize const): * b3/testb3_7.cpp: (testBottomTupleValue): (addTupleTests): 2020-07-29 Tadeu Zagallo <tzagallo@apple.com> WebAssembly validation for call_indirect is incorrect https://bugs.webkit.org/show_bug.cgi?id=214901 <rdar://problem/65189677> Reviewed by Saam Barati. There was an incorrect condition when validating call_indirect's arguments, which often resulted in skipping this validation. * wasm/WasmFunctionParser.h: (JSC::Wasm::FunctionParser<Context>::parseExpression): 2020-07-29 Mark Lam <mark.lam@apple.com> Update some JSArrayBufferView comments and add some assertions. https://bugs.webkit.org/show_bug.cgi?id=214914 Reviewed by Darin Adler. * runtime/ArrayBuffer.cpp: (JSC::ArrayBuffer::createAdopted): * runtime/JSArrayBufferView.cpp: (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): (JSC::JSArrayBufferView::finalize): * runtime/JSArrayBufferView.h: 2020-07-29 Paulo Matos <pmatos@igalia.com> for..of intrinsics implementation for 32bits https://bugs.webkit.org/show_bug.cgi?id=214737 Reviewed by Yusuke Suzuki. Joint work with Caio Lima <ticaiolima@gmail.com>. Implements for..of intrinsics for 32bits. Adds or8 instruction to ARMv7 and MIPS Macro Assembler. Adds intrinsic operations to LLInt and Baseline for 32bits. Fixes DFG OSR Exit bug, where checkpoint temporary value is incorrectly recreated for Baseline. Refactors code in DFG OSR Exit to be easier to modify and maintain by separating the switch cases for 32 and 64bits. * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::or8): Adds or8(TrustedImm, AbsoluteAddress) (JSC::MacroAssemblerARMv7::or32): (JSC::MacroAssemblerARMv7::store8): * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::or8): Adds or8(TrustedImm, AbsoluteAddress) (JSC::MacroAssemblerMIPS::store8): * assembler/testmasm.cpp: (JSC::testOrImmMem): Tests or8 * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitEnumeration): * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::compileExit): Fixes DFG OSR Exit bug, where checkpoint temporary value is incorrectly recreated for Baseline. Refactors code in DFG OSR Exit to be easier to modify and maintain by separating the switch cases for 32 and 64bits. * jit/JIT.h: * jit/JITCall32_64.cpp: (JSC::JIT::emitPutCallResult): (JSC::JIT::compileSetupFrame): (JSC::JIT::compileOpCall): (JSC::JIT::emit_op_iterator_open): (JSC::JIT::emitSlow_op_iterator_open): (JSC::JIT::emit_op_iterator_next): (JSC::JIT::emitSlow_op_iterator_next): * jit/JITInlines.h: (JSC::JIT::emitJumpSlowCaseIfNotJSCell): * llint/LowLevelInterpreter32_64.asm: 2020-07-29 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Reflect object should have toStringTag with "Reflect" https://bugs.webkit.org/show_bug.cgi?id=214909 Reviewed by Mark Lam. We call JSC_TO_STRING_TAG_WITHOUT_TRANSITION in ReflectObject to set "Reflect" @@toStringTag, which fixes one test262 failure. * runtime/ReflectObject.cpp: (JSC::ReflectObject::finishCreation): 2020-07-28 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Add hasCustomGetterSetterProperties to canAccessPropertiesQuicklyForEnumeration https://bugs.webkit.org/show_bug.cgi?id=214908 <rdar://problem/65883816> Reviewed by Mark Lam. canAccessPropertiesQuicklyForEnumeration should filter out hasCustomGetterSetterProperties too. * runtime/Structure.cpp: (JSC::Structure::canAccessPropertiesQuicklyForEnumeration const): 2020-07-28 Caitlin Potter <caitp@igalia.com> [JSC] add IC support for op_get_private_name https://bugs.webkit.org/show_bug.cgi?id=213545 Reviewed by Saam Barati. The baseline JIT now supports a fast path for op_private_name, using a variant of GetByVal IC. The generated AccessCase has the following qualities: - Always "direct", relying only on the current structure for cachebility - Never impure (DOM properties are not supported at this time, ProxyObjects are treated as JSObjects) Based on the microbenchmark reviewed on https://bugs.webkit.org/show_bug.cgi?id=213544, this sees an improvement of roughly 50% on average. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::reset): * bytecode/StructureStubInfo.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): * jit/ICStats.h: * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * jit/JIT.h: * jit/JITInlineCacheGenerator.cpp: (JSC::JITGetByValGenerator::JITGetByValGenerator): * jit/JITInlineCacheGenerator.h: * jit/JITOperations.cpp: (JSC::getPrivateName): * jit/JITOperations.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_get_by_val): (JSC::JIT::emit_op_get_private_name): (JSC::JIT::emitSlow_op_get_private_name): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_get_by_val): (JSC::JIT::emit_op_get_private_name): (JSC::JIT::emitSlow_op_get_private_name): * jit/Repatch.cpp: (JSC::appropriateOptimizingGetByFunction): (JSC::appropriateGetByFunction): (JSC::tryCacheGetBy): * jit/Repatch.h: 2020-07-27 Yusuke Suzuki <ysuzuki@apple.com> [JSC][wasm] Truncating slightly less than INT32_MIN is incorrect https://bugs.webkit.org/show_bug.cgi?id=214834 Reviewed by Darin Adler. Wasm trunc_f64_s should handle (INT32_MIN - 1.0, INT32_MIN) range too. * llint/WebAssembly.asm: * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::addOp<OpType::I32TruncSF64>): 2020-07-28 Mark Lam <mark.lam@apple.com> ASSERTION FAILED: isSymbol() in Source/JavaScriptCore/runtime/JSCell.cpp(188) https://bugs.webkit.org/show_bug.cgi?id=214837 Reviewed by Darin Adler. The issue found by this bug was that jsc shell test properties were enumerable. These properties are only meant for test development use. They will never be present in a productized JavaScript environment. This patch helps reduce the change of users of the jsc shell tripping up on these test properties when enumerating the global object. * jsc.cpp: 2020-07-28 Yusuke Suzuki <ysuzuki@apple.com> IndexedDB binding utilities miss exception checks https://bugs.webkit.org/show_bug.cgi?id=214820 <rdar://problem/66152374> Reviewed by Mark Lam. jsStringWithCache does not need to take JSGlobalObject*. * runtime/JSString.h: (JSC::jsStringWithCache): 2020-07-27 Mark Lam <mark.lam@apple.com> DisallowVMEntry needs a copy assignment operator, detected by gcc's -Wdeprecated-copy warning https://bugs.webkit.org/show_bug.cgi?id=214809 Reviewed by Yusuke Suzuki. According to https://en.cppreference.com/w/cpp/language/copy_assignment, "The generation of the implicitly-defined copy assignment operator is deprecated (since C++11) if T has a user-declared destructor or user-declared copy constructor." DisallowVMEntry has both a user-declared destructor and a user-declared copy constructor. Hence, it needs to define its own copy assignment operator to placate the compiler. This patch also adds back WTF_FORBID_HEAP_ALLOCATION to DisallowVMEntry. DisallowVMEntry should always have forbid heap allocation. It was accidentally removed in a prior patch. * runtime/DisallowVMEntry.h: (JSC::DisallowVMEntryImpl::operator=): 2020-07-27 Caio Lima <ticaiolima@gmail.com> DoesGC failures in debug mode in 32bits https://bugs.webkit.org/show_bug.cgi?id=214449 Reviewed by Mark Lam. Adding the DoesGC update code into OSRExit::compileExit for 32-bits. * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::compileExit): 2020-07-24 Mark Lam <mark.lam@apple.com> pluginElementCustomGetOwnPropertySlot() should support VMInquiry requests. https://bugs.webkit.org/show_bug.cgi?id=214555 <rdar://problem/65855400> Reviewed by Yusuke Suzuki. 1. Add handling for VMInquiry failure in JSObject::getPropertySlot() and JSObject::getNonIndexPropertySlot(). Basically, if the query isTaintedByOpaqueObject, then we should treat the false result as a failed VMInquiry. 2. Fix JSModuleNamespaceObject::getOwnPropertySlotCommon() and ProxyObject::getOwnPropertySlotCommon() to initialize the PropertySlot to a jsUndefined() value if we have a failed VMInquiry. The client shouldn't be reading the value if the VMInquiry failed, but as a defensive action, we'll initialize the slot to effectively return an undefined value. * runtime/JSModuleNamespaceObject.cpp: (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon): * runtime/JSObjectInlines.h: (JSC::JSObject::getPropertySlot): (JSC::JSObject::getNonIndexPropertySlot): * runtime/ProxyObject.cpp: (JSC::ProxyObject::getOwnPropertySlotCommon): 2020-07-24 Dean Jackson <dino@apple.com> JavaScriptCore Xcode project has some errors https://bugs.webkit.org/show_bug.cgi?id=214775 Reviewed by Yusuke Suzuki. When looking at the build output for JavaScriptCore I noticed two weird errors in the Xcode project file. Firstly, there was a broken group called "runtime" that was causing some files to appear duplicated. Secondly, there was a generated file WebAssemblyCompileErrorConstructor.lut.h whose location was incorrectly identified as being part of the project source. Xcode moved a bunch of other things around, but it seems to compile fine. Weirdly, the diff shows that the project file had unusual whitespace. I wonder if it had been edited by hand. * JavaScriptCore.xcodeproj/project.pbxproj: 2020-07-24 Yusuke Suzuki <ysuzuki@apple.com> [JSC] DFG::AbstractValue::filterByValue should re-filter configured m_value via m_type https://bugs.webkit.org/show_bug.cgi?id=214721 <rdar://problem/65882837> Reviewed by Mark Lam. Let's consider the following case. 1. Input AbstractValue is saying SpecObjectOther. 2. We have CheckIsConstant with StringPrototype (which is SpecObjectOther | SpecStringObject in the current SpeculatedType). 3. We call filterByValue, which filters m_type by SpecObjectOther | SpecStringObject. But the filtered m_type is SpecObjectOther since (2)'s SpeculatedType is broader. 4. We store the given constant (StringPrototype) to m_value. 5. This AbstractValue's m_type is SpecObjectOther while its m_value's SpeculatedType is SpecObjectOther | SpecStringObject. Contradiction! When setting m_value by filterByValue, we should filter m_value with m_type to ensure that m_value is the expected one. This patch also avoid using SpecObjectOther | SpecStringObject for StringPrototype since we can return narrower type for that. * bytecode/SpeculatedType.cpp: (JSC::speculationFromStructure): * dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::filterByValue): (JSC::DFG::AbstractValue::filter): * dfg/DFGPredictionPropagationPhase.cpp: * runtime/StringObject.cpp: (JSC::StringObject::finishCreation): 2020-07-24 Alexey Shvayka <shvaikalesh@gmail.com> JSON.parse should not modify non-configurable properties. https://bugs.webkit.org/show_bug.cgi?id=163446 Reviewed by Darin Adler. This change implements step 2.c.ii.3 of InternalizeJSONProperty [1], replacing put() with defineOwnProperty(). Using the latter fixes JSON.parse() with non-configurable (failures are silently ignored; see note in the spec), non-writable, and accessor properties, aligning JSC with V8 and SpiderMonkey. Since it's extremely unlikely for userland `reviver` to remove or redefine the next property, a fast path for PropertyAttribute::None attributes is introduced. It advances microbenchmarks/json-parse-object-*.js by ~13%. [1]: https://tc39.es/ecma262/#sec-internalizejsonproperty * runtime/JSONObject.cpp: (JSC::Walker::walk): 2020-07-24 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Do not use hardened Array for Intl supportedLocalesOf https://bugs.webkit.org/show_bug.cgi?id=214676 Reviewed by Mark Lam. We do not need to call getOwnPropertyNames & defineOwnProperty because hardening array of Intl.XXX.supportedLocalesOf is removed from the spec. We should just return an array from bestFitSupportedLocales or lookupSupportedLocales, while this change is not observable to users (but it is better for performance). This fully fixes https://github.com/tc39/ecma402/pull/278. * runtime/IntlObject.cpp: (JSC::supportedLocales): 2020-07-23 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Arrow function |this| resolution should not be trapped by with-scope https://bugs.webkit.org/show_bug.cgi?id=214716 <rdar://problem/65980639> Reviewed by Darin Adler. We were using usual "this" named variable in lexical-environment to load and store arrow-function's |this|. But since this looks normal variable, it can be trapped by "with" scope's object while it should not be. We use thisPrivateName instead to avoid this behavior since Proxy does not trap private names. * builtins/BuiltinNames.h: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded): (JSC::BytecodeGenerator::variable): (JSC::BytecodeGenerator::createVariable): (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment): (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope): * bytecompiler/NodesCodegen.cpp: (JSC::HasOwnPropertyFunctionCallDotNode::emitBytecode): (JSC::ForInNode::emitBytecode): * runtime/CommonIdentifiers.cpp: (JSC::CommonIdentifiers::CommonIdentifiers): * runtime/CommonIdentifiers.h: 2020-07-23 Yusuke Suzuki <ysuzuki@apple.com> [JSC] FTL OSR entry should store boxed |this| https://bugs.webkit.org/show_bug.cgi?id=214675 <rdar://problem/65474072> Reviewed by Michael Saboff and Mark Lam. In this patch, after ensuring that we will go to FTL OSR entry, we store boxed |this| instead of the unboxed value to agree to the FTL assumption that all arguments should be boxed. * dfg/DFGOperations.cpp: * ftl/FTLOSREntry.cpp: (JSC::FTL::prepareOSREntry): 2020-07-23 Yusuke Suzuki <ysuzuki@apple.com> [JSC] BigInt can be `false` in boolean context in DFG AI https://bugs.webkit.org/show_bug.cgi?id=214678 <rdar://problem/65894751> Reviewed by Mark Lam. DFG::AbstractInterpreter::booleanResult returns wrong result if finite structure includes HeapBigInt structure since HeapBigInt 0n can be evaluated `false` in boolean context while this function does not care it. This patch fixes it and cleans up code by using WTF/TriState. * dfg/DFGAbstractInterpreter.h: (): Deleted. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult): (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 2020-07-23 Caio Lima <ticaiolima@gmail.com> [32-bits] Fixing the return of doVMEntry into LowLevelInterpreter32_64.asm https://bugs.webkit.org/show_bug.cgi?id=214641 Reviewed by Mark Lam. Adjusting the return of `doVMEntry` for 32-bits LLInt to proper set `EncodedJSValue` return in little-endian architectures. It is expected that tag is stored in `r1` and payload is stored in `r0`. * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: 2020-07-23 Alexey Shvayka <shvaikalesh@gmail.com> Remove ArrayNode::m_optional https://bugs.webkit.org/show_bug.cgi?id=214294 Reviewed by Darin Adler. m_optional, which dates back to KJS era, means "is this an array with optional trailing comma, with elision, or an empty array". It was used by ArrayNode::streamTo() to preserve a trailing comma when converting array node to source string, as well as in few other places, before ECMA-262 clarified trailing comma in array literals [1]. Currently, m_optional is used only by ArrayNode::isSimpleArray(), along with m_elision. Checking m_elision is enough since trailing comma doesn't add extra `undefined` element. This patch completely removes m_optional, speeding up destructuring and function.apply() with empty arrays and arrays with trailing commas by ~55% and a factor of 11 respectively. Reflect.apply() optimization (https://webkit.org/b/190668) will also benefit from this change. Also, this change converts isSpreadExpression() check to an ASSERT (was enabled by r196323). [1]: https://tc39.es/ecma262/#sec-array-initializer * bytecompiler/NodesCodegen.cpp: (JSC::ArrayNode::isSimpleArray const): (JSC::ArrayNode::toArgumentList const): (JSC::ArrayNode::emitDirectBinding): * parser/NodeConstructors.h: (JSC::ArrayNode::ArrayNode): * parser/Nodes.h: 2020-07-23 Alexey Shvayka <shvaikalesh@gmail.com> Remove emitIsUndefined() from ClassExprNode::emitBytecode() https://bugs.webkit.org/show_bug.cgi?id=214645 Reviewed by Darin Adler. This change removes `superclass === undefined` check because it's missing from the spec [1] and isn't a common case. No behavior change: values except `null` are passed to OpIsConstructor, resulting in the same error being thrown for `undefined`. Test: LayoutTests/js/class-syntax-extends.html [1]: https://tc39.es/ecma262/#sec-runtime-semantics-classdefinitionevaluation (step 5.e) * bytecompiler/NodesCodegen.cpp: (JSC::ClassExprNode::emitBytecode): 2020-07-22 Conrad Shultz <conrad_shultz@apple.com> Update macOS Version macros https://bugs.webkit.org/show_bug.cgi?id=214653 Reviewed by Tim Horton. * Configurations/Base.xcconfig: * Configurations/DebugRelease.xcconfig: * Configurations/Version.xcconfig: * Configurations/WebKitTargetConditionals.xcconfig: 2020-07-22 Geoffrey Garen <ggaren@apple.com> WTF::Function adoption should be explicit instead of implicit https://bugs.webkit.org/show_bug.cgi?id=214654 Reviewed by Darin Adler. * heap/Heap.cpp: (JSC::Heap::LambdaFinalizerOwner::finalize): Use new adopt function. 2020-07-22 Mark Lam <mark.lam@apple.com> Disallow VM entry when doing a VMInquiry. https://bugs.webkit.org/show_bug.cgi?id=214624 <rdar://problem/65915314> Reviewed by Saam Barati. 1. In PropertySlot's constructor, automatically install a DisallowVMEntry scope if the passed in internal method type is VMInquiry. This ensures that we won't be able to enter the VM to call JS code while doing the inquiry. As a result, the PropertySlot constructor will now take an optional VM pointer, which is must be passed in in when the internal method type is VMInquiry. Note that the handling of attempts to enter the VM depends on Options::crashOnDisallowedVMEntry(). On Debug build (due to ASSERT_ENABLED), Options::crashOnDisallowedVMEntry() defaults to true and the VM will crash on disallowed entry. On Release build, Options::crashOnDisallowedVMEntry() defaults to false and disallow entry attempts into the VM will be treated like calling an empty function that returns undefined. This is not new behavior in this patch, but I just want to have a reminder here of how DisallowVMEntry will be enforcing no entry into the VM while doing a VMInquiry. 2. After VMInquiry gets, sometimes the client code wants to do other work that do entails entering the VM. In such cases, we need to reset the PropertySlot's disallowVMEntry scope. Fixed up a few places in client code to do this reset. 3. Make the DisableVMEntry scope copyable. At least one place wants to copy PropertySlot, and as a result, will need to copy its embedded DisableVMEntry scope as well if installed. For DisableVMEntry, we'll handle copying semantics as follows: copying a DisableVMEntry will ref the VM::disallowVMEntryCount. The count will be decremented when both instances are destructed. As a result, VM entry will be disallowed as long as one of the copies are still alive. 4. For the setObjectToStringValue() method of Structure and StructureRareData, we were previously passing a PropertySlot by copy. We don't really need to do this. Ultimately, only StructureRareData::setObjectToStringValue() needs to access a few of the PropertySlot query methods. So, we changed these methods to pass a `const PropertySlot&` instead to void the needless copying. * API/JSCallbackObjectFunctions.h: (JSC::JSCallbackObject<Parent>::put): (JSC::JSCallbackObject<Parent>::staticFunctionGetter): * heap/HeapSnapshotBuilder.cpp: (JSC::HeapSnapshotBuilder::json): * inspector/JSInjectedScriptHost.cpp: (Inspector::JSInjectedScriptHost::queryInstances): * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): * jit/JITOperations.cpp: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/DisallowVMEntry.h: (JSC::DisallowVMEntryImpl::DisallowVMEntryImpl): * runtime/ErrorInstance.cpp: (JSC::ErrorInstance::sanitizedToString): * runtime/JSFunction.cpp: (JSC::JSFunction::getOwnNonIndexPropertyNames): (JSC::JSFunction::put): (JSC::JSFunction::defineOwnProperty): * runtime/JSGenericTypedArrayViewConstructorInlines.h: (JSC::constructGenericTypedArrayViewWithArguments): * runtime/JSGlobalObject.cpp: (JSC::getGetterById): (JSC::JSGlobalObject::defineOwnProperty): (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint): * runtime/JSObject.cpp: (JSC::JSObject::calculatedClassName): * runtime/JSObjectInlines.h: (JSC::JSObject::getPrivateFieldSlot): * runtime/JSScope.cpp: (JSC::abstractAccess): * runtime/PropertySlot.h: (JSC::PropertySlot::PropertySlot): * runtime/SamplingProfiler.cpp: (JSC::SamplingProfiler::StackFrame::nameFromCallee): * runtime/Structure.h: * runtime/StructureInlines.h: (JSC::Structure::setObjectToStringValue): * runtime/StructureRareData.cpp: (JSC::StructureRareData::setObjectToStringValue): * runtime/StructureRareData.h: * tools/JSDollarVM.cpp: (JSC::functionGetGetterSetter): 2020-07-22 Geoffrey Garen <ggaren@apple.com> JSRunLoopTimer should use WTF::RunLoop rather than custom CF code https://bugs.webkit.org/show_bug.cgi?id=214102 Unreviewed, re-landing r264242 with crash fixed. We needed to synchronize timer destruction with timer firing. * runtime/DeferredWorkTimer.cpp: (JSC::DeferredWorkTimer::doWork): (JSC::DeferredWorkTimer::runRunLoop): * runtime/JSRunLoopTimer.cpp: (JSC::epochTime): (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): (JSC::JSRunLoopTimer::Manager::timerDidFireCallback): (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData): (JSC::JSRunLoopTimer::Manager::timerDidFire): (JSC::JSRunLoopTimer::Manager::registerVM): (JSC::JSRunLoopTimer::Manager::scheduleTimer): (JSC::JSRunLoopTimer::Manager::cancelTimer): (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop): Deleted. (JSC::JSRunLoopTimer::Manager::didChangeRunLoop): Deleted. * runtime/JSRunLoopTimer.h: (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): Deleted. * runtime/VM.cpp: (JSC::VM::VM): (JSC::VM::create): (JSC::VM::tryCreate): (JSC::VM::setRunLoop): Deleted. * runtime/VM.h: (JSC::VM::runLoop const): 2020-07-21 Mark Lam <mark.lam@apple.com> Simplify DisallowScope, DisallowGC, and DisallowVMReentry implementations. https://bugs.webkit.org/show_bug.cgi?id=214539 <rdar://problem/65795729> Reviewed by Keith Miller. Previously, DisallowScope needed to support enabling and disabling. This was only needed to enable the implementation of ObjectInitializationScope. Now, we can make the DisallowGC and DisallowVMReentry inside ObjectInitializationScope optional with WTF::Optional. With that we can simplify these scopes and make them true RAII scope objects. This patch also does the following: 1. Renamed DisallowVMReentry to DisallowVMEntry. The scope can be used to disable VM entry completely. There's no need to restrict it to only re-entries. 2. Enforcement of DisallowVMReentry is now done in the LLInt's doVMEntry() instead of the VMEntryScope's constructor. This is a stronger guarantee. If Options::crashOnDisallowedVMEntry() is true, the VM will crash if it sees an attempt to enter the VM while disallowed. If Options::crashOnDisallowedVMEntry() is false, an attempt to call into the VM while disallowed will return immediately with an undefined result without invoking any script. By default, Options::crashOnDisallowedVMEntry() is true if ASSERT_ENABLED is true. 3. Change DisallowScope and DisallowGC to be based on ASSERT_ENABLED instead of NEBUG. 4. Make DisallowVMEntry always enforceable, not just when ASSERT_ENABLED. It's enforcement action depends on Options::crashOnDisallowedVMEntry() as described above. * CMakeLists.txt: * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * heap/DeferGC.cpp: * heap/DeferGC.h: (JSC::DisallowGC::DisallowGC): (JSC::DisallowGC::initialize): * interpreter/Interpreter.cpp: (JSC::Interpreter::executeProgram): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): (JSC::Interpreter::execute): (JSC::Interpreter::executeModuleProgram): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::llint_check_vm_entry_permission): * llint/LLIntSlowPaths.h: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * runtime/DisallowScope.h: (JSC::DisallowScope::DisallowScope): (JSC::DisallowScope::~DisallowScope): (JSC::DisallowScope::isInEffectOnCurrentThread): (JSC::DisallowScope::enable): Deleted. (JSC::DisallowScope::disable): Deleted. (JSC::DisallowScope::enterScope): Deleted. (JSC::DisallowScope::exitScope): Deleted. * runtime/DisallowVMEntry.h: Copied from Source/JavaScriptCore/runtime/DisallowVMReentry.h. (JSC::DisallowVMEntryImpl::DisallowVMEntryImpl): (JSC::DisallowVMEntryImpl::~DisallowVMEntryImpl): (JSC::DisallowVMEntryImpl::isEngaged const): (JSC::DisallowVMEntryImpl::release): (JSC::DisallowVMReentry::DisallowVMReentry): Deleted. (JSC::DisallowVMReentry::initialize): Deleted. (JSC::DisallowVMReentry::scopeReentryCount): Deleted. (JSC::DisallowVMReentry::setScopeReentryCount): Deleted. * runtime/DisallowVMReentry.cpp: Removed. * runtime/DisallowVMReentry.h: Removed. * runtime/InitializeThreading.cpp: (JSC::initialize): * runtime/JSArray.cpp: (JSC::JSArray::tryCreateUninitializedRestricted): * runtime/ObjectInitializationScope.cpp: (JSC::ObjectInitializationScope::ObjectInitializationScope): (JSC::ObjectInitializationScope::notifyAllocated): (JSC::ObjectInitializationScope::notifyInitialized): * runtime/ObjectInitializationScope.h: (JSC::ObjectInitializationScope::vm const): (JSC::ObjectInitializationScope::ObjectInitializationScope): (JSC::ObjectInitializationScope::~ObjectInitializationScope): (JSC::ObjectInitializationScope::notifyAllocated): (JSC::ObjectInitializationScope::notifyInitialized): * runtime/OptionsList.h: * runtime/RegExpMatchesArray.h: (JSC::tryCreateUninitializedRegExpMatchesArray): * runtime/VM.h: * runtime/VMEntryScope.cpp: (JSC::VMEntryScope::VMEntryScope): 2020-07-21 Mark Lam <mark.lam@apple.com> llint_slow_path_get_private_name() should not be using PropertySlot::InternalMethodType::VMInquiry. https://bugs.webkit.org/show_bug.cgi?id=214603 Reviewed by Yusuke Suzuki. VMInquiry means (1) the get operation should not call back into JS, (2) it should not throw any exceptions (except for OutOfMemoryError or StackOverflowError which can be thrown at any time), or have any side effects that is observable from JS code. In this case, llint_slow_path_get_private_name() is just implementating PrivateFieldGet (https://tc39.es/proposal-class-fields/#sec-privatefieldget) and should actually be using PropertySlot::InternalMethodType::GetOwnProperty (according to https://tc39.es/proposal-class-fields/#sec-privatefieldfind). This patch makes the above change, and also adds an assert in JSObject::getPrivateField to ensure that no one calls it for a VMInquiry since it is not supported. Also added a PropertySlot::isVMInquiry() convenience query method. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/JSObjectInlines.h: (JSC::JSObject::getPrivateField): * runtime/PropertySlot.h: (JSC::PropertySlot::isVMInquiry const): 2020-07-21 Keith Miller <keith_miller@apple.com> Fix FinalizationRegistry GC finalizer interation https://bugs.webkit.org/show_bug.cgi?id=214586 <rdar://65854264> Reviewed by Mark Lam and Yusuke Suzuki. Turns out when you remove the ith element from a Vector and you increment the index anyway you skip things... Use the helper functions instead. This fixes an ASAN crash on our FinalizationRegistry tests. * heap/Heap.cpp: (JSC::Heap::finalizeUnconditionalFinalizers): * runtime/DeferredWorkTimer.cpp: (JSC::DeferredWorkTimer::addPendingWork): (JSC::DeferredWorkTimer::hasPendingWork): (JSC::DeferredWorkTimer::hasDependancyInPendingWork): (JSC::DeferredWorkTimer::cancelPendingWork): * runtime/JSFinalizationRegistry.cpp: (JSC::JSFinalizationRegistry::finalizeUnconditionally): (JSC::JSFinalizationRegistry::takeDeadHoldingsValue): 2020-07-21 Saam Barati <sbarati@apple.com> Disable NO_SMT by default https://bugs.webkit.org/show_bug.cgi?id=214607 Reviewed by Filip Pizlo. * runtime/OptionsList.h: 2020-07-21 Caio Lima <ticaiolima@gmail.com> Debug build is failing after r264537 on Linux https://bugs.webkit.org/show_bug.cgi?id=214596 Reviewed by Yusuke Suzuki. Removing `ASSERT_UNDER_CONTEXPR_CONTEXT(0)` to avoid compilation failure of Debug builds on Linux. * runtime/IntlObject.cpp: (JSC::relevantExtensionKeyString): 2020-07-21 Adrian Perez de Castro <aperez@igalia.com> Unreview non-unified source build fix * runtime/IntlDisplayNames.cpp: Add missing <unicode/ucurr.h> header. 2020-07-20 Mark Lam <mark.lam@apple.com> TryGetById clobberize rules are wrong. https://bugs.webkit.org/show_bug.cgi?id=163834 <rdar://problem/65625807> Reviewed by Keith Miller. Theoretically, TryGetById can do the same things GetById does i.e. reify lazy properties, read the stack, etc. Hence, its clobberize rule should be clobberTop just like GetById. However, in practice, we don't currently use @tryGetById to access anything on the stack (and probably never will). But as a conservative measure, we'll just treat TryGetById like it can. In clobberize terms, this means we declare TryGetById as doing read(World) (just like GetById) instead of read(Heap). * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGClobbersExitState.cpp: (JSC::DFG::clobbersExitState): 2020-07-20 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, fix duplicate forward declaration introduced by merge conflict https://bugs.webkit.org/show_bug.cgi?id=209779 * runtime/IntlRelativeTimeFormat.h: 2020-07-20 Yusuke Suzuki <ysuzuki@apple.com> [ECMA-402] Implement Intl.DisplayNames https://bugs.webkit.org/show_bug.cgi?id=209779 Reviewed by Ross Kirsling. This patch implements Intl.DisplayNames behind useIntlDisplayNames=1 flag. Intl.DisplayNames can offer readable "display-name" for ICU language, script, region, currency codes. For example, it can offer "United States" string for "US" region code. We use ICU ULocaleDisplayNames to implement it, except for currency since ULocaleDisplayNames is not supporting currency correctly: it ignores "long", "short", and "narrow" style configurations. We need to call ucurr_getName directly. This patch appropriately adds unicode-language-id parsing in IntlLocale.cpp so that we can validate language id when it is passed to `Intl.DisplayNames#of` as defined in the spec. * CMakeLists.txt: * DerivedSources-input.xcfilelist: * DerivedSources-output.xcfilelist: * DerivedSources.make: * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * runtime/CommonIdentifiers.h: * runtime/IntlDisplayNames.cpp: Added. (JSC::IntlDisplayNames::create): (JSC::IntlDisplayNames::createStructure): (JSC::IntlDisplayNames::IntlDisplayNames): (JSC::IntlDisplayNames::finishCreation): (JSC::IntlDisplayNames::initializeDisplayNames): (JSC::IntlDisplayNames::of const): (JSC::IntlDisplayNames::resolvedOptions const): (JSC::IntlDisplayNames::styleString): (JSC::IntlDisplayNames::typeString): (JSC::IntlDisplayNames::fallbackString): * runtime/IntlDisplayNames.h: Copied from Source/JavaScriptCore/runtime/IntlRelativeTimeFormat.h. * runtime/IntlDisplayNamesConstructor.cpp: Added. (JSC::IntlDisplayNamesConstructor::create): (JSC::IntlDisplayNamesConstructor::createStructure): (JSC::IntlDisplayNamesConstructor::IntlDisplayNamesConstructor): (JSC::IntlDisplayNamesConstructor::finishCreation): (JSC::constructIntlDisplayNames): (JSC::callIntlDisplayNames): (JSC::IntlDisplayNamesConstructorSupportedLocalesOf): * runtime/IntlDisplayNamesConstructor.h: Added. * runtime/IntlDisplayNamesPrototype.cpp: Added. (JSC::IntlDisplayNamesPrototype::create): (JSC::IntlDisplayNamesPrototype::createStructure): (JSC::IntlDisplayNamesPrototype::IntlDisplayNamesPrototype): (JSC::IntlDisplayNamesPrototype::finishCreation): (JSC::IntlDisplayNamesPrototypeFuncOf): (JSC::IntlDisplayNamesPrototypeFuncResolvedOptions): * runtime/IntlDisplayNamesPrototype.h: Added. * runtime/IntlLocale.cpp: (JSC::isUnicodeLanguageSubtag): Deleted. (JSC::isUnicodeScriptSubtag): Deleted. (JSC::isUnicodeRegionSubtag): Deleted. * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::initializeNumberFormat): * runtime/IntlObject.cpp: (JSC::createDisplayNamesConstructor): (JSC::IntlObject::finishCreation): (JSC::isUnicodeLanguageSubtag): (JSC::isUnicodeScriptSubtag): (JSC::isUnicodeRegionSubtag): (JSC::isUnicodeVariantSubtag): (JSC::isUnicodeLanguageId): (JSC::isWellFormedCurrencyCode): * runtime/IntlObject.h: (JSC::intlDisplayNamesAvailableLocales): * runtime/IntlRelativeTimeFormat.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::displayNamesStructure): * runtime/OptionsList.h: * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: 2020-07-20 Geoffrey Garen <ggaren@apple.com> REGRESSION (r264242): [ macOS ] imported/w3c/web-platform-tests/wasm/jsapi/constructor/instantiate.any.html is a flaky crash https://bugs.webkit.org/show_bug.cgi?id=214572 Unreviewed, reverting r264242. * runtime/JSRunLoopTimer.cpp: (JSC::epochTime): (JSC::JSRunLoopTimer::Manager::timerDidFireCallback): (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop): (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData): (JSC::JSRunLoopTimer::Manager::timerDidFire): (JSC::JSRunLoopTimer::Manager::registerVM): (JSC::JSRunLoopTimer::Manager::scheduleTimer): (JSC::JSRunLoopTimer::Manager::cancelTimer): (JSC::JSRunLoopTimer::Manager::didChangeRunLoop): * runtime/JSRunLoopTimer.h: (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): * runtime/PromiseTimer.cpp: (JSC::PromiseTimer::doWork): (JSC::PromiseTimer::runRunLoop): * runtime/VM.cpp: (JSC::VM::VM): (JSC::VM::create): (JSC::VM::tryCreate): (JSC::VM::setRunLoop): * runtime/VM.h: (JSC::VM::runLoop const): 2020-07-20 Ross Kirsling <ross.kirsling@sony.com> [JSC] eval?.() should be indirect eval https://bugs.webkit.org/show_bug.cgi?id=214568 Reviewed by Keith Miller. eval?.() is specified as indirect eval, but (virtually) all implementations assumed it should be direct eval. I raised this topic in today's TC39 meeting and we've decided to keep the spec as it is. * parser/ASTBuilder.h: (JSC::ASTBuilder::makeFunctionCallNode): Don't use EvalFunctionCallNode for optional call of eval. 2020-07-20 Adrian Perez de Castro <aperez@igalia.com> Non unified build fixes, midsummer 2020 edition https://bugs.webkit.org/show_bug.cgi?id=213616 Unreviewed build fix. * b3/air/AirTmpInlines.h: (JSC::B3::Air::TmpWidth::widths): Moved from AirTmpWidth.h * b3/air/AirTmpWidth.cpp: Included AirTmpInlines.h * b3/air/AirTmpWidth.h: TmpWidth::widths() moved out from here. * runtime/ExceptionFuzz.cpp: Add missing inclusion of JSCJSValueInlines.h * runtime/StructureIDTable.cpp: Add missing inclusions of wtf/DataLog.h and wtf/RawPointer.h * runtime/VMTraps.cpp: Ditto. 2020-07-20 Keith Miller <keith_miller@apple.com> Add support for FinalizationRegistries https://bugs.webkit.org/show_bug.cgi?id=199888 Reviewed by Yusuke Suzuki. This patch adds support for FinalizationRegistries. There are two main parts to this patch, the first is refactoring PromiseTimer a more general into DeferredWorkTimer. This allows us to finally have a "real" setTimeout on the jsc command line. The second part is adding all the new classes needed for FinalizationRegistries. The refactoring is mostly a rename but does two main new things. The first is that it now notifies the VM we have finished a synchronuous JS execution, so that WeakRefs can be collected. The second is that it now catches any exceptions and forwards the to a new method on the global object method table. For WebCore, this reports the exception to the console. For API users, this calls their exceptionHandler block. For the CLI, it exits with exit status 3 (our general exception exit status). Unfortunately, there's not currently an ergonomic way to pass the expected exception from the CLI arguments to this handler so that's not supported here. In order to support FinalizationRegistry this patch adds a "new" class JSDestructibleInternalFieldObjectImpl, which allows us to have a destructible object with internal fields. Since the order of collection doesn't matter we currently use C++ HashTables on the FinalizationRegistry. Since users can unregister objects while the callback is pending we have a hash table for the live entries and a second hash table for the dead ones. Lastly, because users are not requred to provide a token for unregistration we have two extra Vectors containing the live/dead objects that are not unregisterible. * API/JSAPIGlobalObject.cpp: * API/JSAPIGlobalObject.mm: * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * heap/Heap.cpp: (JSC::Heap::finalizeUnconditionalFinalizers): * jsc.cpp: (functionSetTimeout): (functionFinalizationRegistryLiveCount): (functionFinalizationRegistryDeadCount): (main): (checkUncaughtException): (checkException): (GlobalObject::reportUncaughtExceptionAtEventLoop): (runJSC): * runtime/ArrayIteratorPrototype.cpp: * runtime/CommonIdentifiers.h: * runtime/DeferredWorkTimer.cpp: Renamed from Source/JavaScriptCore/runtime/PromiseTimer.cpp. (JSC::DeferredWorkTimer::DeferredWorkTimer): (JSC::DeferredWorkTimer::doWork): (JSC::DeferredWorkTimer::runRunLoop): (JSC::DeferredWorkTimer::addPendingWork): (JSC::DeferredWorkTimer::hasPendingWork): (JSC::DeferredWorkTimer::hasDependancyInPendingWork): (JSC::DeferredWorkTimer::cancelPendingWork): (JSC::DeferredWorkTimer::scheduleWorkSoon): * runtime/DeferredWorkTimer.h: Renamed from Source/JavaScriptCore/runtime/PromiseTimer.h. * runtime/FinalizationRegistryConstructor.cpp: Added. (JSC::FinalizationRegistryConstructor::finishCreation): (JSC::FinalizationRegistryConstructor::FinalizationRegistryConstructor): (JSC::callFinalizationRegistry): (JSC::constructFinalizationRegistry): * runtime/FinalizationRegistryConstructor.h: Copied from Source/JavaScriptCore/API/JSAPIGlobalObject.cpp. * runtime/FinalizationRegistryPrototype.cpp: Added. (JSC::FinalizationRegistryPrototype::finishCreation): (JSC::getFinalizationRegistry): (JSC::protoFuncFinalizationRegistryRegister): (JSC::protoFuncFinalizationRegistryUnregister): * runtime/FinalizationRegistryPrototype.h: Copied from Source/JavaScriptCore/API/JSAPIGlobalObject.cpp. * runtime/IdentifierInlines.h: (JSC::Identifier::Identifier): * runtime/JSFinalizationRegistry.cpp: Added. (JSC::JSFinalizationRegistry::createStructure): (JSC::JSFinalizationRegistry::create): (JSC::JSFinalizationRegistry::finishCreation): (JSC::JSFinalizationRegistry::visitChildren): (JSC::JSFinalizationRegistry::destroy): (JSC::JSFinalizationRegistry::finalizeUnconditionally): (JSC::JSFinalizationRegistry::runFinalizationCleanup): (JSC::JSFinalizationRegistry::takeDeadHoldingsValue): (JSC::JSFinalizationRegistry::registerTarget): (JSC::JSFinalizationRegistry::unregister): (JSC::JSFinalizationRegistry::liveCount): (JSC::JSFinalizationRegistry::deadCount): (JSC::JSFinalizationRegistry::toStringName): * runtime/JSFinalizationRegistry.h: Added. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::reportUncaughtExceptionAtEventLoop): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::stackOverflowFrameCallee const): (JSC::JSGlobalObject::arrayIteratorProtocolWatchpointSet): (JSC::JSGlobalObject::mapIteratorProtocolWatchpointSet): (JSC::JSGlobalObject::setIteratorProtocolWatchpointSet): (JSC::JSGlobalObject::stringIteratorProtocolWatchpointSet): (JSC::JSGlobalObject::mapSetWatchpointSet): (JSC::JSGlobalObject::setAddWatchpointSet): (JSC::JSGlobalObject::arraySpeciesWatchpointSet): (JSC::JSGlobalObject::arrayJoinWatchpointSet): (JSC::JSGlobalObject::numberToStringWatchpointSet): * runtime/JSInternalFieldObjectImpl.h: * runtime/JSInternalFieldObjectImplInlines.h: (JSC::Base>::visitChildren): (JSC::JSInternalFieldObjectImpl<passedNumberOfInternalFields>::visitChildren): Deleted. * runtime/JSPromise.cpp: (JSC::JSPromise::resolve): (JSC::JSPromise::reject): * runtime/StructureIDTable.cpp: (JSC::StructureIDTable::allocateID): (JSC::StructureIDTable::deallocateID): * runtime/VM.cpp: (JSC::VM::VM): (JSC::VM::~VM): * runtime/VM.h: * wasm/js/JSWebAssembly.cpp: (JSC::webAssemblyModuleValidateAsyncInternal): (JSC::instantiate): (JSC::compileAndInstantiate): (JSC::webAssemblyModuleInstantinateAsyncInternal): (JSC::webAssemblyCompileStreamingInternal): (JSC::webAssemblyInstantiateStreamingInternal): * wasm/js/JSWebAssemblyCodeBlock.h: 2020-07-20 Michael Catanzaro <mcatanzaro@gnome.org> JSC build scripts should be quiet by default https://bugs.webkit.org/show_bug.cgi?id=214535 Reviewed by Saam Barati. There's no need for these scripts to print "Nothing changed" when they don't do anything. * offlineasm/asm.rb: * offlineasm/generate_offset_extractor.rb: * offlineasm/generate_settings_extractor.rb: 2020-07-19 Fujii Hironori <Hironori.Fujii@sony.com> Unreviewed non-unified source build fix * runtime/IntlDateTimeFormat.cpp: * runtime/IntlRelativeTimeFormat.h: 2020-07-19 Michael Catanzaro <mcatanzaro@gnome.org> -Warray-bounds warnings in testb3 and testair https://bugs.webkit.org/show_bug.cgi?id=214533 Reviewed by Darin Adler. Suppress these warnings when building testb3 and testair. * shell/CMakeLists.txt: 2020-07-19 Michael Catanzaro <mcatanzaro@gnome.org> cpp_generator.py:134: SyntaxWarning: "is" with a literal. Did you mean "=="? https://bugs.webkit.org/show_bug.cgi?id=214530 Reviewed by Philippe Normand. * inspector/scripts/codegen/cpp_generator.py: (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): 2020-07-18 Mark Lam <mark.lam@apple.com> Fixed regression due to r264507: Math.{min|max} inequality test should use DoubleNotEqualOrUnordered instead DoubleNotEqualAndOrdered. https://bugs.webkit.org/show_bug.cgi?id=214526 <rdar://problem/65778061> Reviewed by Yusuke Suzuki. This bug resulted in NaNs being handled by the "equal" case in some scenarios, which resulted in an assertion failure in a ValueRep on an internal test. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileArithMinMax): 2020-07-18 Alexey Shvayka <shvaikalesh@gmail.com> Redefining a property should not change its insertion index (Object.keys order) https://bugs.webkit.org/show_bug.cgi?id=142933 Reviewed by Saam Barati. Before this change, JSC used to delete & put back a non-indexed property just to update attributes, which was less efficient and corrupted observable property order. This patch: 1. Rewrites validateAndApplyPropertyDescriptor() to closely resemble the spec [1]. 2. Drops property deletion, inlines putDescriptor(), and sets necessary Structure flags in attributeChangeTransition(). 3. Simplifies validateAndApplyPropertyDescriptor() a bit by obtaining GetterSetter instance from current descriptor rather then calling getDirect(). This change aligns property order with V8 and SpiderMonkey, advancing provided microbenchmarks by 5-85% (especially for objects in dictionary mode). SixSpeed, SunSpider, and ARES-6 are all neutral. [1]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor * runtime/JSObject.cpp: (JSC::validateAndApplyPropertyDescriptor): (JSC::JSObject::defineOwnNonIndexProperty): (JSC::putDescriptor): Deleted. * runtime/JSObjectInlines.h: (JSC::JSObject::putDirectInternal): * runtime/PropertyDescriptor.cpp: (JSC::PropertyDescriptor::slowGetterSetter const): (JSC::PropertyDescriptor::slowGetterSetter): Deleted. * runtime/PropertyDescriptor.h: * runtime/Structure.cpp: (JSC::Structure::attributeChangeTransition): 2020-07-17 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Clean up resolveLocale https://bugs.webkit.org/show_bug.cgi?id=214446 Reviewed by Darin Adler. Introduce RelevantExtensionKey and optimize resolveLocale implementation which avoids using HashMap for input and output. We instead use std::array<T, numberOfRelevantExtensionKeys> since # of RelevantExtensionKeys is only 6. For input option, we use std::array<Optional<String>, numberOfRelevantExtensionKeys> since this distinguish non-set-option and null String(). For output extension values, we simply use std::array<String, numberOfRelevantExtensionKeys>. * runtime/IntlCollator.cpp: (JSC::IntlCollator::sortLocaleData): (JSC::IntlCollator::searchLocaleData): (JSC::IntlCollator::initializeCollator): * runtime/IntlCollator.h: * runtime/IntlDateTimeFormat.cpp: (JSC::IntlDateTimeFormat::localeData): (JSC::IntlDateTimeFormat::initializeDateTimeFormat): * runtime/IntlDateTimeFormat.h: * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::localeData): (JSC::IntlNumberFormat::initializeNumberFormat): * runtime/IntlNumberFormat.h: * runtime/IntlObject.cpp: (JSC::relevantExtensionKeyString): (JSC::resolveLocale): * runtime/IntlObject.h: * runtime/IntlPluralRules.cpp: (JSC::IntlPluralRules::localeData): (JSC::IntlPluralRules::initializePluralRules): * runtime/IntlPluralRules.h: * runtime/IntlRelativeTimeFormat.cpp: (JSC::IntlRelativeTimeFormat::localeData): (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat): * runtime/IntlRelativeTimeFormat.h: 2020-07-17 Xan López <xan@igalia.com> Math.max() can yield the wrong result for max(0, -0). https://bugs.webkit.org/show_bug.cgi?id=204457 Reviewed by Mark Lam. The implementations for Math.{max,min} in both DFG and FTL are not considering the fact that according to the spec -0.0 < 0.0 (which is not true for normal double arithmetic). See: https://tc39.es/ecma262/#sec-math.max and https://tc39.es/ecma262/#sec-math.min Beyond tweaking the algorithms used in DFG and FTL we must implement the and/or operations on double in MIPS and ARMv7, since these are used in the DFG JIT to distinguish between -0.0 and 0.0. * assembler/ARMv7Assembler.h: (JSC::ARMv7Assembler::vand): (JSC::ARMv7Assembler::vorr): * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::andDouble): (JSC::MacroAssemblerARMv7::orDouble): * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::andDouble): (JSC::MacroAssemblerMIPS::orDouble): * assembler/testmasm.cpp: (JSC::testAndOrDouble): (JSC::run): * dfg/DFGAbstractInterpreterInlines.h: consider that -0.0 < 0.0 per the ECMAScript spec. (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGSpeculativeJIT.cpp: ditto. (JSC::DFG::SpeculativeJIT::compileArithMinMax): * ftl/FTLLowerDFGToB3.cpp: ditto. (JSC::FTL::DFG::LowerDFGToB3::compileArithMinOrMax): 2020-07-17 Alexey Shvayka <shvaikalesh@gmail.com> emitIsUndefined() should not special-case [[IsHTMLDDA]] objects https://bugs.webkit.org/show_bug.cgi?id=214443 Reviewed by Yusuke Suzuki. According to Annex B [1], there is only a handful of language constructs that handle [[IsHTMLDDA]] objects: ToBoolean, abstract equality with `null` or `undefined`, and `typeof`. Currently, op_is_undefined does special-case masquarader objects, even though it is used beyond `typeof`. With this change, emitIsUndefined() produces `=== undefined`, which meets developer expectations and the spec for all its usages, while op_is_undefined is renamed to op_typeof_is_undefined. New name offers better semantics and clearly communicates the op should be avoided when implementing new features. Apart from fixing default values with [[IsHTMLDDA]] objects [2], this change brings significant speed-up: +50% for function parameters and +20% for object destructuring (masqueradesAsUndefinedWatchpoint is not fired). This patch also introduces similar emitIsNull() method to avoid breaking masquarader object as superclass test262 case. [1]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot [2]: https://tc39.es/ecma262/#sec-runtime-semantics-keyedbindinginitialization (step 2) * bytecode/BytecodeList.rb: * bytecode/BytecodeUseDef.cpp: (JSC::computeUsesForBytecodeIndexImpl): (JSC::computeDefsForBytecodeIndexImpl): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitEqualityOpImpl): (JSC::BytecodeGenerator::emitIsUndefined): Deleted. * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::emitIsNull): (JSC::BytecodeGenerator::emitIsUndefined): * bytecompiler/NodesCodegen.cpp: (JSC::ForInNode::emitBytecode): (JSC::ClassExprNode::emitBytecode): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGWatchpointCollectionPhase.cpp: (JSC::DFG::WatchpointCollectionPhase::handle): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileTypeOfIsUndefined): (JSC::FTL::DFG::LowerDFGToB3::compileIsUndefined): Deleted. * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): * jit/JIT.h: * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_typeof_is_undefined): (JSC::JIT::emit_op_is_undefined): Deleted. * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_typeof_is_undefined): (JSC::JIT::emit_op_is_undefined): Deleted. * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: 2020-07-16 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Clean up Intl option parsing code by introducing intlOption<> https://bugs.webkit.org/show_bug.cgi?id=214437 Reviewed by Ross Kirsling. This patch introduces intlOption<>(...) function and remove redundant string comparisons. This makes option handling efficient, and it makes code clean. * runtime/IntlCollator.cpp: (JSC::IntlCollator::initializeCollator): * runtime/IntlDateTimeFormat.cpp: (JSC::IntlDateTimeFormat::initializeDateTimeFormat): * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::initializeNumberFormat): * runtime/IntlObject.cpp: (JSC::resolveLocale): (JSC::supportedLocales): * runtime/IntlObject.h: * runtime/IntlObjectInlines.h: (JSC::intlOption): * runtime/IntlPluralRules.cpp: (JSC::IntlPluralRules::initializePluralRules): * runtime/IntlRelativeTimeFormat.cpp: (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat): 2020-07-16 Fujii Hironori <Hironori.Fujii@sony.com> [WTF] Remove the unnecessary inner class DefaultHash<T>::Hash https://bugs.webkit.org/show_bug.cgi?id=214389 Reviewed by Darin Adler. * assembler/MacroAssemblerCodeRef.h: * b3/B3CheckSpecial.h: * b3/B3Kind.h: * b3/B3ValueKey.h: * b3/air/AirAllocateRegistersByGraphColoring.cpp: * b3/air/AirArg.h: * b3/air/AirTmp.h: * bytecode/BytecodeIndex.h: * bytecode/CallVariant.h: * bytecode/CodeOrigin.h: * bytecode/DFGExitProfile.h: * bytecode/LazyOperandValueProfile.h: * bytecode/ObjectPropertyCondition.h: * bytecode/PropertyCondition.h: * dfg/DFGAbstractHeap.h: * dfg/DFGArgumentsEliminationPhase.cpp: * dfg/DFGByteCodeParser.cpp: * dfg/DFGCSEPhase.cpp: * dfg/DFGCompilationKey.h: * dfg/DFGDesiredGlobalProperty.h: * dfg/DFGHeapLocation.h: * dfg/DFGLivenessAnalysisPhase.cpp: * dfg/DFGMinifiedID.h: * dfg/DFGNodeFlowProjection.h: * dfg/DFGPromotedHeapLocation.h: * dfg/DFGPropertyTypeKey.h: * dfg/DFGPureValue.h: * ftl/FTLLocation.h: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread): (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject): * ftl/FTLSlowPathCallKey.h: * heap/MarkedBlock.h: * heap/VisitRaceKey.h: * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: * inspector/scripts/tests/expected/enum-values.json-result: * inspector/scripts/tests/expected/type-declaration-array-type.json-result: * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: * inspector/scripts/tests/expected/type-declaration-object-type.json-result: * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: * jit/ICStats.h: * jit/JITThunks.h: * jit/Reg.h: * jit/RegisterSet.h: * parser/VariableEnvironment.h: * profiler/ProfilerOrigin.h: * profiler/ProfilerOriginStack.h: * profiler/ProfilerUID.h: * runtime/CachedTypes.cpp: * runtime/ControlFlowProfiler.h: * runtime/NativeFunction.h: * runtime/PrototypeKey.h: * runtime/RegExpKey.h: * runtime/TemplateObjectDescriptor.h: * runtime/TypeProfiler.h: * runtime/VarOffset.h: * runtime/WeakGCMap.h: * wasm/WasmBBQPlan.h: * wasm/WasmCodeBlock.h: * wasm/WasmEntryPlan.h: * wasm/WasmLLIntPlan.h: * wasm/WasmSignature.h: 2020-07-16 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Use unvalidatedGet instead of get to access UnlinkedCodeBlock from CodeBlock destructor https://bugs.webkit.org/show_bug.cgi?id=214403 <rdar://problem/65527229> Reviewed by Mark Lam. WriteBarrier<>::get has a check whether this is not executed when sweeping cells. This is good assertion since destruction order of cells are not defined in general, so member cell access from a destructor is almost always wrong. But in CodeBlock case, this is OK because (1) CodeBlock destructor accesses UnlinkedCodeBlock and (2) GC ensures that CodeBlock gets destroyed before UnlinkedCodeBlock gets destroyed. So this assertion is hit incorrectly. In this patch, we use WriteBarrier<>::unvalidatedGet in CodeBlock destructor to bypass the above assertion explicitly. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::~CodeBlock): * heap/Heap.cpp: (JSC::Heap::deleteUnmarkedCompiledCode): 2020-07-15 Fujii Hironori <Hironori.Fujii@sony.com> [CMake][WebDriver] Generating WebDriverAtoms.cpp is rarely failing as "ImportError: No module named jsmin" https://bugs.webkit.org/show_bug.cgi?id=214339 Reviewed by Don Olmstead. * CMakeLists.txt: Renamed stageSharedScripts to JavaScriptCoreSharedScripts. 2020-07-15 Mark Lam <mark.lam@apple.com> Add handling of out of memory handling while adding a worklet module. https://bugs.webkit.org/show_bug.cgi?id=214354 <rdar://problem/65271931> Reviewed by Yusuke Suzuki and Keith Miller. Add VM::tryCreate() that can fail if we encounter an out of memory issue. As always, we're taking a best effort approach to handling out of memory errors. Hence, we will not attempt to exhaustively handle every OOME scenario. This patch only checks for failure to allocate a BigInt due to Gigacage exhaustion. While it doesn't handle other allocation errors, it does enable us to add handling of other cases in the future as needed. * runtime/VM.cpp: (JSC::VM::VM): (JSC::VM::tryCreate): * runtime/VM.h: 2020-07-15 Jim Mason <jmason@ibinx.com> [WTF] Fix PackedAlignedPtr for X86_64 canonical addresses https://bugs.webkit.org/show_bug.cgi?id=214142 Reviewed by Mark Lam Fixed pointer test to use unsigned in place of signed. * wasm/js/WebAssemblyFunction.cpp: (JSC::callWebAssemblyFunction): 2020-07-15 Alexey Shvayka <shvaikalesh@gmail.com> Emit HasOwnPropertyFunctionCallDotNode for "Reflect" identifiers https://bugs.webkit.org/show_bug.cgi?id=214325 Reviewed by Darin Adler and Saam Barati. Currently, HasOwnPropertyFunctionCallDotNode is emitted for all ResolveNodes except ones with "Reflect" identifier. This exception doesn't seem necessary as ReflectObject inherits ordinary `Object.prototype.hasOwnProperty` method. This patch removes the exception, advancing provided "Reflect" microbenchmark by 20%. No behavior change. * parser/ASTBuilder.h: (JSC::ASTBuilder::makeFunctionCallNode): 2020-07-15 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Introduce JSCTEST_hardTimeout https://bugs.webkit.org/show_bug.cgi?id=214343 Reviewed by Mark Lam. JSC Debug tests are failing consistently these days, https://build.webkit.org/builders/Apple-Catalina-Debug-JSC-Tests/. My guess is that some tests get stuck inside JSC even if timeout occurs. Let's consider the following case. 1. The test is having `JSC_useConcurrentJIT=0`. 2. The test is building super heavy FTL code in the main thread. 3. The timeout thread notifies the VM about the timeout. 4. But VM does not stop since it is running super heavy FTL compilation. 5. After 1200 seconds, buildbot terminates the entire test. In the above case, JSC gets stuck, and eventually buildbot terminates. In this patch, we introduce JSCTEST_hardTimeout. After soft-timeout (usual timeout) happens, we wait another JSCTEST_hardTimeout seconds. And if the JSC shell is not finished, we forcefully terminates the JSC shell via exit(EXIT_FAILURE), to avoid entire JSC test termination in buildbot. We pick 300 seconds. This means, after soft-timeout occurs, we wait for 5 mins, and if the JSC shell is still active, kill it. 5 mins sounds reasonable amount of time. And this should fit within buildbot's hard timeout (1200 seconds). * jsc.cpp: (startTimeoutTimer): 2020-07-14 Saam Barati <sbarati@apple.com> We must hold the CodeBlock lock when calling StructureStubInfo::reset https://bugs.webkit.org/show_bug.cgi?id=214332 <rdar://problem/64940787> Reviewed by Yusuke Suzuki. There was a race between resetting the StructureStubInfo, and reading from it from the compiler thread. There was one place inside Repatch where we didn't hold the CodeBlock's lock when calling StructureStubInfo::reset. To make it clear which functions require the CodeBlock's lock to be held when called, I've changed all such functions to take the LockHolder as a parameter. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finalizeBaselineJITInlineCaches): * bytecode/StructureStubClearingWatchpoint.cpp: (JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal): (JSC::AdaptiveValueStructureStubClearingWatchpoint::handleFire): * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::initGetByIdSelf): (JSC::StructureStubInfo::initArrayLength): (JSC::StructureStubInfo::initStringLength): (JSC::StructureStubInfo::initPutByIdReplace): (JSC::StructureStubInfo::initInByIdSelf): (JSC::StructureStubInfo::addAccessCase): (JSC::StructureStubInfo::reset): (JSC::StructureStubInfo::visitWeakReferences): (JSC::StructureStubInfo::setCacheType): * bytecode/StructureStubInfo.h: * jit/Repatch.cpp: (JSC::fireWatchpointsAndClearStubIfNeeded): (JSC::tryCacheGetBy): (JSC::tryCachePutByID): (JSC::tryCacheInByID): 2020-07-14 Mark Lam <mark.lam@apple.com> Handle out of memory error while creating an error message in the literal parser. https://bugs.webkit.org/show_bug.cgi?id=214313 <rdar://problem/65031745> Reviewed by Saam Barati. * runtime/LiteralParser.cpp: (JSC::LiteralParser<CharType>::parse): 2020-07-14 Caitlin Potter <caitp@igalia.com> [JSC] fixup LLInt fast path in op_get_private_name https://bugs.webkit.org/show_bug.cgi?id=214311 Reviewed by Tadeu Zagallo. The LLInt slow path would previously always be taken in op_get_private_name, due to not comparing the operand field name's JSValue payload with the cached field name, but the register index itself. This fixup can't really be verified by tests, as it is primarily a minor performance improvement. * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: 2020-07-14 Xan Lopez <xan@igalia.com> [JSC] Remove compiler warning in JSBigInt https://bugs.webkit.org/show_bug.cgi?id=214298 Reviewed by Sam Weinig. * runtime/JSBigInt.cpp: (JSC::JSBigInt::parseInt): no need to ASSERT >= 0 with an unsigned int. 2020-07-14 Fujii Hironori <Hironori.Fujii@sony.com> Unreviewed non-unified build fixes * runtime/IntlObject.cpp: 2020-07-13 Fujii Hironori <Hironori.Fujii@sony.com> Unreviewed non-unified build fixes * dfg/DFGCodeOriginPool.h: 2020-07-13 Saam Barati <sbarati@apple.com> returnEarlyFromInfiniteLoopsForFuzzing and validateDoesGC may fail when used together in the FTL https://bugs.webkit.org/show_bug.cgi?id=214289 <rdar://problem/65272138> Reviewed by Keith Miller. Because the patchpoint we use for returnEarlyFromInfiniteLoopsForFuzzing doesn't read or write any heap ranges, B3 move memory ops around it. In particular, it might move the validate DoesGC store above it. In the FTL, we should make returnEarlyFromInfiniteLoopsForFuzzing mimic what Return does for validating DoesGC. * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint): 2020-07-13 Yusuke Suzuki <ysuzuki@apple.com> [JSC] IntlLocale::initializeLocale should have scope.release https://bugs.webkit.org/show_bug.cgi?id=214271 <rdar://problem/65467314> Reviewed by Darin Adler. Add missing scope.release() to suppress validateExceptionChecks crash. * runtime/IntlLocale.cpp: (JSC::IntlLocale::initializeLocale): 2020-07-13 Yusuke Suzuki <ysuzuki@apple.com> [JSC] FTL isCellOrMisc should be isCellOrMiscOrBigInt32 https://bugs.webkit.org/show_bug.cgi?id=214269 <rdar://problem/65475129> Reviewed by Mark Lam. FTL isCellOrMisc's check can accept BigInt32 too. So it should be isCellOrMiscOrBigInt32. Since our proven type filter does not include SpecBigInt32, isCellOrMisc can be folded into false for BigInt32 AbstractValue. This patch fixes that filter. And we also reviewed places using isCellOrMisc / isNotCellOrMisc. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileSwitch): (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellNorBigIntToInt32): (JSC::FTL::DFG::LowerDFGToB3::isCellOrMiscOrBigInt32): (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMiscOrBigInt32): (JSC::FTL::DFG::LowerDFGToB3::isNumber): (JSC::FTL::DFG::LowerDFGToB3::isNotNumber): (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc): Deleted. (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc): Deleted. 2020-07-13 Geoffrey Garen <ggaren@apple.com> Unreviewed, re-landing r264242 with crash fixed. Re-landed changeset: "JSRunLoopTimer should use WTF::RunLoop rather than custom CF code" https://bugs.webkit.org/show_bug.cgi?id=214102 https://trac.webkit.org/changeset/264242 * runtime/JSRunLoopTimer.cpp: (JSC::epochTime): (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): (JSC::JSRunLoopTimer::Manager::timerDidFireCallback): (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData): (JSC::JSRunLoopTimer::Manager::timerDidFire): (JSC::JSRunLoopTimer::Manager::registerVM): (JSC::JSRunLoopTimer::Manager::scheduleTimer): (JSC::JSRunLoopTimer::Manager::cancelTimer): (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop): Deleted. (JSC::JSRunLoopTimer::Manager::didChangeRunLoop): Deleted. * runtime/JSRunLoopTimer.h: (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): Deleted. * runtime/PromiseTimer.cpp: (JSC::PromiseTimer::doWork): (JSC::PromiseTimer::runRunLoop): * runtime/VM.cpp: (JSC::VM::VM): (JSC::VM::create): (JSC::VM::setRunLoop): Deleted. * runtime/VM.h: (JSC::VM::runLoop const): 2020-07-13 Keith Miller <keith_miller@apple.com> Clean up SourceProvider and add caller relative load script to jsc.cpp https://bugs.webkit.org/show_bug.cgi?id=214205 Reviewed by Yusuke Suzuki. This patch originally was just to add an optional parameter to our load function so that any relative path is computed with respect to calling script. Rather than computing the path relative to the current working directory. The main advantage of this is now you can run all the JSTests/stress scripts from anywhere rather than only from the stress directory. This also matches jsc.cpp's module loader implementation. To make this possible a surprising number of changes were needed. Specifically, it was much easier to get this to work if we converted SourceOrigin's url to a WTF::URL rather than just a WTF::String. At the same time it became clear that SourceProvider's m_sourceURL is really not a URL but more of a file name, which can sometimes be a URL. It's possible that we don't need m_sourceURL at all but we should do that in a different patch. Additionally, jsc.cpp now uses WTF::URL for handling file paths. This is cleaner than managing trying to do it ourselves and should work across all the ports. Lastly, the JSC CLI no longer accepts "bare-name" specifiers. i.e. all specifiers must start with "/", "./", or "../". This matches what we do in our Obj-C API and in WebCore. While fixing tests I also noticed that the error message was almost useless since it didn't tell you what the specifier or referrer in question so that information is now part of the user visible error. * API/JSAPIGlobalObject.mm: (JSC::computeValidImportSpecifier): (JSC::JSAPIGlobalObject::moduleLoaderImportModule): * API/JSBase.cpp: (JSEvaluateScript): (JSCheckScriptSyntax): * API/JSObjectRef.cpp: (JSObjectMakeFunction): * API/JSScript.mm: (-[JSScript sourceCode]): * API/JSScriptRef.cpp: * API/glib/JSCContext.cpp: (jsc_context_check_syntax): * builtins/BuiltinExecutables.cpp: (JSC::BuiltinExecutables::BuiltinExecutables): * debugger/DebuggerLocation.cpp: (JSC::DebuggerLocation::DebuggerLocation): * debugger/DebuggerLocation.h: (JSC::DebuggerLocation::DebuggerLocation): * inspector/ScriptDebugServer.cpp: (Inspector::ScriptDebugServer::sourceParsed): * jsc.cpp: (currentWorkingDirectory): (absolutePath): (GlobalObject::moduleLoaderImportModule): (GlobalObject::moduleLoaderResolve): (jscSource): (fetchModuleFromLocalFileSystem): (GlobalObject::moduleLoaderFetch): (functionLoad): (functionCallerSourceOrigin): (functionDollarAgentStart): (functionCheckModuleSyntax): (runWithOptions): (runInteractive): (ModuleName::startsWithRoot const): Deleted. (ModuleName::ModuleName): Deleted. (extractDirectoryName): Deleted. (resolvePath): Deleted. * parser/Nodes.h: (JSC::ScopeNode::source const): (JSC::ScopeNode::sourceURL const): Deleted. * parser/SourceCode.h: (JSC::makeSource): * parser/SourceCodeKey.h: (JSC::SourceCodeKey::host const): * parser/SourceProvider.cpp: (JSC::SourceProvider::SourceProvider): * parser/SourceProvider.h: (JSC::SourceProvider::sourceURL const): (JSC::StringSourceProvider::create): (JSC::StringSourceProvider::StringSourceProvider): (JSC::SourceProvider::url const): Deleted. * runtime/CachedTypes.cpp: (JSC::CachedSourceOrigin::encode): (JSC::CachedSourceOrigin::decode const): (JSC::CachedSourceProviderShape::encode): (JSC::CachedStringSourceProvider::decode const): (JSC::CachedWebAssemblySourceProvider::decode const): * runtime/Error.cpp: (JSC::addErrorInfo): * runtime/FunctionConstructor.cpp: (JSC::constructFunctionSkippingEvalEnabledCheck): * runtime/ScriptExecutable.h: (JSC::ScriptExecutable::sourceURL const): * runtime/SourceOrigin.h: (JSC::SourceOrigin::SourceOrigin): (JSC::SourceOrigin::url const): (JSC::SourceOrigin::string const): (JSC::SourceOrigin::isNull const): * runtime/ThrowScope.cpp: (JSC::ThrowScope::throwException): * runtime/ThrowScope.h: (JSC::ThrowScope::throwException): (JSC::throwVMException): * tools/FunctionOverrides.cpp: (JSC::initializeOverrideInfo): * tools/JSDollarVM.cpp: (JSC::doPrint): (JSC::functionCrash): 2020-07-12 Yusuke Suzuki <ysuzuki@apple.com> [JSC] String.protoytpe.toLocaleLowerCase's availableLocales HashSet is inefficient https://bugs.webkit.org/show_bug.cgi?id=213158 Reviewed by Darin Adler. Currently, we are always creating the same HashSet every time String.protoytpe.toLocaleLowerCase is called. We changed bestAvailableLocale to take predicate function. And we pass a predicate which returns true for case-sensitive locales. * runtime/IntlObject.cpp: (JSC::bestAvailableLocale): * runtime/IntlObject.h: * runtime/IntlObjectInlines.h: (JSC::bestAvailableLocale): * runtime/StringPrototype.cpp: (JSC::computeTwoCharacters16Code): (JSC::toLocaleCase): 2020-07-12 Yusuke Suzuki <ysuzuki@apple.com> [JSC] We should keep unaligned access feature in certain architectures in macro-assembler https://bugs.webkit.org/show_bug.cgi?id=214243 Reviewed by Darin Adler. We introduced the assertion in r263049, but this assertion crashes in testb3 Debug build. testb3 actually tests unaligned access feature since ARM64 and x64 allow it. And unaligned access is useful for Yarr etc., so we want to keep unaligned access feature if architecture allows it. We should make this assertion effective only if CPU(NEEDS_ALIGNED_ACCESS) is true. * assembler/MacroAssembler.h: (JSC::MacroAssembler::loadPtr): 2020-07-12 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Avoid JSString creation in Intl.Locale#{minimize,maximize} https://bugs.webkit.org/show_bug.cgi?id=214231 Reviewed by Darin Adler. Add initializeLocale function taking String to avoid unnecessary JSString creation in Intl.Locale#{maximize,minimize}. * runtime/IntlLocale.cpp: (JSC::IntlLocale::initializeLocale): * runtime/IntlLocale.h: * runtime/IntlLocalePrototype.cpp: (JSC::IntlLocalePrototypeFuncMaximize): (JSC::IntlLocalePrototypeFuncMinimize): 2020-07-11 Yusuke Suzuki <ysuzuki@apple.com> Intl.Locale maximize, minimize should return Intl.Locale instead of String https://bugs.webkit.org/show_bug.cgi?id=214223 <rdar://problem/65413620> Reviewed by Ross Kirsling. Intl.Locale#{maximize,minimize} should return Intl.Locale object instead of generated locale string. We also add some protection and use jsString instead of jsNontrivialString because it would be still possible that ICU's locale recognition and our locale interpretation do not agree each other and ICU failed to produce locale, and then the string becomes empty. Since this is a boundary between third-party library and JSC, and we are not ensuring our invariant inside third-party library, taking safer path makes it better. We also change IntlLocale#{maximize,minimize} C++ function names to maximal and minimal to align them to the sepc's definitions. * runtime/IntlLocale.cpp: (JSC::IntlLocale::maximal): (JSC::IntlLocale::minimal): (JSC::IntlLocale::maximize): Deleted. (JSC::IntlLocale::minimize): Deleted. * runtime/IntlLocale.h: * runtime/IntlLocalePrototype.cpp: (JSC::IntlLocalePrototypeFuncMaximize): (JSC::IntlLocalePrototypeFuncMinimize): (JSC::IntlLocalePrototypeFuncToString): (JSC::IntlLocalePrototypeGetterBaseName): (JSC::IntlLocalePrototypeGetterCalendar): (JSC::IntlLocalePrototypeGetterCaseFirst): (JSC::IntlLocalePrototypeGetterCollation): (JSC::IntlLocalePrototypeGetterHourCycle): (JSC::IntlLocalePrototypeGetterNumberingSystem): (JSC::IntlLocalePrototypeGetterLanguage): (JSC::IntlLocalePrototypeGetterScript): (JSC::IntlLocalePrototypeGetterRegion): 2020-07-10 Chris Dumez <cdumez@apple.com> Unreviewed, reverting r264242. Caused many crashes on iOS bots Reverted changeset: "JSRunLoopTimer should use WTF::RunLoop rather than custom CF code" https://bugs.webkit.org/show_bug.cgi?id=214102 https://trac.webkit.org/changeset/264242 2020-07-10 Geoffrey Garen <ggaren@apple.com> JSRunLoopTimer should use WTF::RunLoop rather than custom CF code https://bugs.webkit.org/show_bug.cgi?id=214102 Reviewed by Darin Adler. The generic RunLoop codepath was already mostly right. Just needed to clarify the API to demonstrate that VMs do not hop from one RunLoop to another. * runtime/JSRunLoopTimer.cpp: (JSC::epochTime): Removed the CF path. (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): Include a RunLoop as a constructor argument so that the web thread can override it. (JSC::JSRunLoopTimer::Manager::timerDidFireCallback): Removed the CF path. (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData): No need to explicitly clear our RunLoop -- the RunLoop::Timer destructor will do the job. (JSC::JSRunLoopTimer::Manager::timerDidFire): (JSC::JSRunLoopTimer::Manager::registerVM): (JSC::JSRunLoopTimer::Manager::scheduleTimer): (JSC::JSRunLoopTimer::Manager::cancelTimer): Removed the CF path. (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop): Deleted. (JSC::JSRunLoopTimer::Manager::didChangeRunLoop): Deleted. Changing RunLoops is not actually a feature we use. * runtime/JSRunLoopTimer.h: (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): Deleted. * runtime/PromiseTimer.cpp: (JSC::PromiseTimer::doWork): (JSC::PromiseTimer::runRunLoop): Removed the CF path. * runtime/VM.cpp: (JSC::VM::VM): (JSC::VM::create): (JSC::VM::setRunLoop): Deleted. * runtime/VM.h: (JSC::VM::runLoop const): Require a RunLoop in the VM constructor in order to clarify that we always know our RunLoop and never change it. 2020-07-09 Brian Burg <bburg@apple.com> REGRESSION(r262302): ITMLKit debuggables in listings are missing a title, use UUID instead https://bugs.webkit.org/show_bug.cgi?id=214153 Reviewed by Devin Rousso. * inspector/remote/cocoa/RemoteInspectorCocoa.mm: (Inspector::RemoteInspector::listingForInspectionTarget const): Looks like this is due to copypasta. 2020-07-09 Alexey Shvayka <shvaikalesh@gmail.com> ErrorInstance::finishCreation() puts "message" twice, with different attributes https://bugs.webkit.org/show_bug.cgi?id=214089 Reviewed by Yusuke Suzuki. This change refactors appendSourceToError() to return new message, making it almost pure and eliminating extra JSString -> String -> JSString conversion and {get,put}Direct() calls from ErrorInstance::finishCreation(). Also, moves null message check as early as possible. Removed putDirect() call didn't pass PropertyAttribute::DontEnum. An implementation detail, that is about to change in https://webkit.org/b/142933, prevented "message" property from beind redefined with PropertyAttribute::None. No behavior change. Advances provided microbenchmark by 5%. * runtime/ErrorInstance.cpp: (JSC::appendSourceToErrorMessage): (JSC::ErrorInstance::finishCreation): (JSC::appendSourceToError): Deleted. 2020-07-08 Yusuke Suzuki <ysuzuki@apple.com> [JSC] B3 PureCSE should ignore values which are moved to new BasicBlock https://bugs.webkit.org/show_bug.cgi?id=214115 <rdar://problem/65189470> Reviewed by Saam Barati. We are performing "Select" specialization like this. BB#target ... @a = Select(@p, @x, 42) @b = Add(@a, 35) Check(@b) @c = ... becomes this: BB#predecessor ... Branch(@p, #truecase, #falsecase) BB#truecase: @b_truecase = Add(@x, 35) Check(@b_truecase) Upsilon(@x, ^a) Upsilon(@b_truecase, ^b) Jump(#continuation) BB#falsecase: @b_falsecase = Add(42, 35) Check(@b_falsecase) Upsilon(42, ^a) Upsilon(@b_falsecase, ^b) Jump(#continuation) BB#continuation: @a = Phi() @b = Phi() Jump(#target) BB#target @c = ... In the above transformation, we create a new BasicBlock and move @a and @b to that one. This is good since we do not need to rewrite all the use of @a and @b. However, this confuses PureCSE since @a and @b point to a BasicBlock (BB#continuation) which is not inserted into the graph yet. This patch changes PureCSE so that it ignores values which owners are not inserted yet. * b3/B3BasicBlock.h: (JSC::B3::BasicBlock::isInserted const): * b3/B3GenericBlockInsertionSet.h: (JSC::B3::GenericBlockInsertionSet::insert): * b3/B3PureCSE.cpp: (JSC::B3::PureCSE::findMatch): (JSC::B3::PureCSE::process): * b3/air/AirBasicBlock.h: 2020-07-08 Saam Barati <sbarati@apple.com> Add a fuzzing toggle for LICM https://bugs.webkit.org/show_bug.cgi?id=214093 Reviewed by Yusuke Suzuki. We have an AI based safety checker for LICM, to determine if it's safe to hoist nodes. Historically, we've had bugs here, where we allow unsafe hoisting. In practice, we've been saved by safety checks also being hoisted at the same time as the operation they're protecting, so even if we have bugs in AI-based safeToExecute, things usually just work. Since we've had security bugs here before, where the safety checks don't get hoisted, leading to issues, it's helpful if we can fuzz this area. This patch implements a way to says we won't hoist a node based on some probability, allowing us to play with what does and doesn't get hoisted. * dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::run): * runtime/OptionsList.h: 2020-07-08 Saam Barati <sbarati@apple.com> Add a way to return early from detected infinite loops to aid the fuzzer https://bugs.webkit.org/show_bug.cgi?id=214067 Reviewed by Yusuke Suzuki. It's useful for the fuzzer to not get stuck in infinite loops so its test cases can make forward progress trying to find bugs. This patch adds a new mechanism where we can early return if we've exceeded a total execution count for a static loop in bytecode. Note: this is not on a per-frame basis, but it's a way to implement this in a non-invasive way which is also practical for the fuzzer to use. * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: (JSC::B3::Air::GenerateAndAllocateRegisters::generate): * b3/air/AirCode.cpp: (JSC::B3::Air::Code::emitEpilogue): * b3/air/AirCode.h: * b3/air/AirGenerate.cpp: (JSC::B3::Air::generateWithAlreadyAllocatedRegisters): * bytecode/BytecodeList.rb: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): (JSC::CodeBlock::~CodeBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_loop_hint): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * offlineasm/mips.rb: * runtime/OptionsList.h: * runtime/VM.cpp: (JSC::VM::addLoopHintExecutionCounter): (JSC::VM::getLoopHintExecutionCounter): (JSC::VM::removeLoopHintExecutionCounter): * runtime/VM.h: 2020-07-07 Yusuke Suzuki <ysuzuki@apple.com> [JSC] BytecodeGenerator should be robust against failed constant generation https://bugs.webkit.org/show_bug.cgi?id=214062 <rdar://problem/65117916> Reviewed by Saam Barati. Some code in NodesCodegen.cpp assumes `jsValue(generator)` call for constant nodes must succeed. But this can fail when BigInt in source code is too large and becomes OOM. BytecodeGenerator should be robust against BigInt OOM. * bytecompiler/NodesCodegen.cpp: (JSC::ConstantNode::emitBytecodeInConditionContext): (JSC::ArrayNode::emitBytecode): (JSC::BinaryOpNode::tryFoldToBranch): 2020-07-07 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Should not pass Exception to JSPromise::reject https://bugs.webkit.org/show_bug.cgi?id=214061 <rdar://problem/65134450> Reviewed by Mark Lam. In some places, we are passing Exception* as JSValue instead of Exception::value()'s JSValue. Error and Exception are different, and Exception is not an object. We should pass Exception::value()'s thrown value instead. I checked `reject(` call sites and ensure error is passed. * API/JSAPIGlobalObject.mm: (JSC::JSAPIGlobalObject::moduleLoaderImportModule): (JSC::JSAPIGlobalObject::moduleLoaderFetch): * jsc.cpp: (GlobalObject::moduleLoaderImportModule): (GlobalObject::moduleLoaderFetch): * runtime/JSModuleLoader.cpp: (JSC::JSModuleLoader::importModule): (JSC::JSModuleLoader::resolve): (JSC::JSModuleLoader::fetch): (JSC::moduleLoaderParseModule): * runtime/JSPromise.cpp: (JSC::JSPromise::resolve): (JSC::JSPromise::reject): 2020-07-07 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Fix btjs by recovering CallFrame::describeFrame https://bugs.webkit.org/show_bug.cgi?id=214055 Reviewed by Mark Lam. While CallFrame::describeFrame is not used in WebKit tree, it is used in LLDB btjs which is invoked from python. So we need to keep it. We also use std::call_once based buffer allocation instead of `static char buffer[...]` to avoid spreading debug-use-only buffer in BSS segment. * interpreter/CallFrame.cpp: (JSC::CallFrame::describeFrame): * interpreter/CallFrame.h: 2020-07-07 Keith Miller <keith_miller@apple.com> Bytecode UseDef should be aware of checkpoints https://bugs.webkit.org/show_bug.cgi?id=213566 Reviewed by Saam Barati. Previously, we tried to solve teaching DFG about uses and defs of locals across checkpoints by asking what locals were def'd at some checkpoint. However, this was subtly wrong because we couldn't report any uses at subsequent checkpoints so DFG thought the local was dead immediately after its birth. This patch reverts that change and instead teaches BytecodeUseDef about checkpoints. Right now, BytecodeUseDef only knows about locals at checkpoints but in the future we may teach it about tmps at well. Since the vectors containing our liveness bitmaps were already sparse (they are indexed by the bytecode offset) we can reuse the gaps to hold our checkpoint liveness information. To make sure we don't overlap between the next bytecode and a checkpoint for the current bytecode there is now a static assert that the length of the bytecode is greater than the number of checkpoints. This assumption is already true for existing bytecodes with checkpoints (and likely to be true for future ones anyway). Many of the BytecodeLivenessPropegation functions have been renamed to reflect that they operate over the full instruction, including checkpoints, rather than just the BytecodeIndex passed. Lastly, this patch makes a speculative fix to forAllKilledOperands where we wouldn't report that all tmps die at the end of each bytecode. I can't think of a case where this would break things but it's probably good hygiene. * bytecode/BytecodeGeneratorification.cpp: (JSC::GeneratorLivenessAnalysis::run): * bytecode/BytecodeIndex.h: (JSC::BytecodeIndex::BytecodeIndex): (JSC::BytecodeIndex::checkpoint const): (JSC::BytecodeIndex::withCheckpoint const): (JSC::BytecodeIndex::pack): * bytecode/BytecodeLivenessAnalysis.cpp: (JSC::BytecodeLivenessAnalysis::computeFullLiveness): (JSC::BytecodeLivenessAnalysis::dumpResults): (JSC::tmpLivenessForCheckpoint): (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeIndex): Deleted. (JSC::livenessForCheckpoint): Deleted. * bytecode/BytecodeLivenessAnalysis.h: (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtInstruction): * bytecode/BytecodeLivenessAnalysisInlines.h: (JSC::BytecodeLivenessPropagation::stepOverBytecodeIndexDef): (JSC::BytecodeLivenessPropagation::stepOverBytecodeIndexUse): (JSC::BytecodeLivenessPropagation::stepOverBytecodeIndexUseInExceptionHandler): (JSC::BytecodeLivenessPropagation::stepOverBytecodeIndex): (JSC::BytecodeLivenessPropagation::stepOverInstruction): (JSC::BytecodeLivenessPropagation::computeLocalLivenessForInstruction): (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock): (JSC::BytecodeLivenessPropagation::getLivenessInfoAtInstruction): (JSC::BytecodeLivenessPropagation::stepOverInstructionDef): Deleted. (JSC::BytecodeLivenessPropagation::stepOverInstructionUse): Deleted. (JSC::BytecodeLivenessPropagation::stepOverInstructionUseInExceptionHandler): Deleted. (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeIndex): Deleted. (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeIndex): Deleted. * bytecode/BytecodeUseDef.cpp: (JSC::computeUsesForBytecodeIndexImpl): (JSC::computeDefsForBytecodeIndexImpl): * bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeIndex): (JSC::computeDefsForBytecodeIndex): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow): (JSC::CodeBlock::validate): * bytecode/FullBytecodeLiveness.h: (JSC::FullBytecodeLiveness::getLiveness const): (JSC::FullBytecodeLiveness::toIndex): * bytecode/Instruction.h: (JSC::BaseInstruction::numberOfCheckpoints const): * bytecompiler/BytecodeGenerator.cpp: (JSC::ForInContext::finalize): * dfg/DFGForAllKills.h: (JSC::DFG::forAllKilledOperands): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::isLiveInBytecode): * dfg/DFGGraph.h: * dfg/DFGMovHintRemovalPhase.cpp: * dfg/DFGPlan.cpp: (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary): * generator/Opcode.rb: * generator/Section.rb: 2020-07-06 Geoffrey Garen <ggaren@apple.com> callOnMainThread should use the same queue as RunLoop::dispatch https://bugs.webkit.org/show_bug.cgi?id=213830 Reviewed by Brady Eidson. * JavaScriptCore.order: 2020-07-05 Commit Queue <commit-queue@webkit.org> Unreviewed, reverting r263960. https://bugs.webkit.org/show_bug.cgi?id=213980 Re-land, because r263959 somehow fixed the build issue caused by r263953 Reverted changeset: "Unreviewed, reverting r263953 and r263959." https://bugs.webkit.org/show_bug.cgi?id=213979 https://trac.webkit.org/changeset/263960 2020-07-05 Commit Queue <commit-queue@webkit.org> Unreviewed, reverting r263953 and r263959. https://bugs.webkit.org/show_bug.cgi?id=213979 Broke internal build Reverted changesets: "[Cocoa] Move almost all features from FeatureDefines.xcconfig to PlatformEnableCocoa.h" https://bugs.webkit.org/show_bug.cgi?id=212542 https://trac.webkit.org/changeset/263953 "[Cocoa] Remove FEATURE_DEFINES from the Cocoa/Xcode build system" https://bugs.webkit.org/show_bug.cgi?id=213976 https://trac.webkit.org/changeset/263959 2020-07-05 Darin Adler <darin@apple.com> [Cocoa] Remove FEATURE_DEFINES from the Cocoa/Xcode build system https://bugs.webkit.org/show_bug.cgi?id=213976 Reviewed by Sam Weinig. * Configurations/Base.xcconfig: Removed FEATURE_DEFINES. * Configurations/FeatureDefines.xcconfig: Removed. * Configurations/JSC.xcconfig: Removed include of FeatureDefines.xcconfig. * Configurations/JavaScriptCore.xcconfig: Ditto. * Configurations/ToolExecutable.xcconfig: Ditto. * DerivedSources-input.xcfilelist: Removed FeatureDefines.xcconfig. * DerivedSources.make: Removed FEATURE_DEFINES and FEATURE_DEFINE_FLAGS. * JavaScriptCore.xcodeproj/project.pbxproj: Removed FeatureDefines.xcconfig. 2020-07-05 Darin Adler <darin@apple.com> [Cocoa] Move almost all features from FeatureDefines.xcconfig to PlatformEnableCocoa.h https://bugs.webkit.org/show_bug.cgi?id=212542 Reviewed by Sam Weinig. * Configurations/FeatureDefines.xcconfig: Delete everything except ENABLE_EXPERIMENTAL_FEATURES and ENABLE_WEBRTC. 2020-07-05 Philippe Normand <pnormand@igalia.com> Web Inspector: Fix python3 build warnings https://bugs.webkit.org/show_bug.cgi?id=213971 Reviewed by Sam Weinig. Fix Python3 syntax warnings. Using 'is' with string literals triggers those. Adopt the == operator instead, which is more idiomatic anyway. * inspector/scripts/codegen/cpp_generator.py: (CppGenerator.cpp_getter_method_for_type): (CppGenerator.cpp_setter_method_for_type): * inspector/scripts/codegen/objc_generator.py: (ObjCTypeCategory.category_for_type): (ObjCGenerator.objc_type_for_raw_name): (ObjCGenerator.objc_class_for_raw_name): (ObjCGenerator.protocol_type_for_raw_name): (ObjCGenerator.objc_protocol_export_expression_for_variable): (ObjCGenerator.objc_protocol_import_expression_for_variable): (ObjCGenerator.objc_to_protocol_expression_for_member): (ObjCGenerator.protocol_to_objc_expression_for_member): (ObjCGenerator.payload_to_objc_expression_for_member): (ObjCGenerator.objc_setter_method_for_member_internal): (ObjCGenerator.objc_getter_method_for_member_internal): (ObjCGenerator.objc_protocol_export_expression_for_variable.is): Deleted. (ObjCGenerator.objc_protocol_import_expression_for_variable.is): Deleted. (ObjCGenerator.objc_to_protocol_expression_for_member.is): Deleted. (ObjCGenerator.protocol_to_objc_expression_for_member.is): Deleted. 2020-07-04 Darin Adler <darin@apple.com> [Cocoa] Remove all features from FeatureDefines.xcconfig that are already mentioned in PlatformEnableCocoa.h https://bugs.webkit.org/show_bug.cgi?id=213962 Reviewed by Sam Weinig. * Configurations/FeatureDefines.xcconfig: Removed all features that were mentioned in PlatformEnableCocoa.h; the rules in that file now define whether they are enabled. 2020-07-04 Alexey Shvayka <shvaikalesh@gmail.com> %TypedArray%.prototype.{indexOf,lastIndexOf} are not spec-perfect https://bugs.webkit.org/show_bug.cgi?id=213715 Reviewed by Yusuke Suzuki. This patch: 1. Implements step 3 of {Array,%TypedArray%}.prototype.indexOf [1] and %TypedArray%.prototype.lastIndexOf [2] since it is observable when second argument is an object with userland toString() or valueOf() method. Advances provided microbenchmark by 100% for Array and by 25% for %TypedArray%. 2. Removes argument count check from %TypedArray%.prototype.{indexOf,lastIndexOf}, allowing these methods to be invoked w/o arguments. The spec treats missing arguments as `undefined`, always returning -1 for typed arrays. Both changes align JSC with V8 and SpiderMonkey. [1]: https://tc39.es/ecma262/#sec-array.prototype.indexof [2]: https://tc39.es/ecma262/#sec-%typedarray%.prototype.lastindexof * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncIndexOf): (JSC::arrayProtoFuncLastIndexOf): * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: (JSC::genericTypedArrayViewProtoFuncIndexOf): (JSC::genericTypedArrayViewProtoFuncLastIndexOf): 2020-07-04 Darin Adler <darin@apple.com> [Cocoa] Remove unconditional features from FeatureDefines.xcconfig, making sure they are covered in PlatformEnableCocoa.h https://bugs.webkit.org/show_bug.cgi?id=212418 Reviewed by Sam Weinig. * Configurations/FeatureDefines.xcconfig: Removed features that are either unconditionally not enabled, or unconditionally enabled. Double checked that all the enabled ones are either in PlatformEnable.h or PlatformEnableCocoa.h. 2020-07-03 Darin Adler <darin@apple.com> Make generate-unified-sources.sh not depend on features being listed in FEATURE_DEFINES environment variable https://bugs.webkit.org/show_bug.cgi?id=212420 Reviewed by Don Olmstead. * Scripts/generate-unified-sources.sh: Removed many unneeded quote marks from the invocation of generate-unified-source-bundles.rb. 2020-07-04 Darin Adler <darin@apple.com> Update comment in FeatureDefines.xcconfig since PlatformEnableCocoa.h should be used instead https://bugs.webkit.org/show_bug.cgi?id=213952 Reviewed by Sam Weinig. * Configurations/FeatureDefines.xcconfig: Updated comment. 2020-07-03 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Promise should check whether a user-provided function is set by using `@isUndefinedOrNull` https://bugs.webkit.org/show_bug.cgi?id=213951 Reviewed by Ross Kirsling. If a user-provided function is masquerade-as-undefined value, `if (!xxx.@onRejected)` returns wrong value since this function object is considered as undefined in this context. We should use `@isUndefinedOrNull` here instead since this if-branch is checking whether this property is null/undefined actually. And `if (@isUndefinedOrNull(...))` is efficient since we have `jundefined_or_null` / `jnundefined_or_null` bytecodes. * builtins/PromiseOperations.js: (globalPrivate.promiseReactionJob): 2020-07-03 Sam Weinig <weinig@apple.com> Remove support for ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE https://bugs.webkit.org/show_bug.cgi?id=213932 Reviewed by Darin Adler. Removes support for non-standard <input type="datetime">, currently being guarded by the macro ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE. This macro, was added back in 2013 as a temporary measure to support some engines who shipped support for <input type="datetime">. It is currently not enabled for any ports so now seems like as good a time as any to remove it. * Configurations/FeatureDefines.xcconfig: 2020-07-03 Sam Weinig <weinig@apple.com> Add "-Wliteral-conversion" warning to Xcode based builds and fix the issues it finds https://bugs.webkit.org/show_bug.cgi?id=213931 Reviewed by Darin Adler. * Configurations/Base.xcconfig: Add -Wliteral-conversion. 2020-07-03 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Add exception checks before and after viewWithUnderlyingString https://bugs.webkit.org/show_bug.cgi?id=213923 <rdar://problem/65068473> Reviewed by Sam Weinig. This patch inserts missing exception checks before and after viewWithUnderlyingString. * jsc.cpp: (printInternal): (functionDebug): * runtime/FunctionConstructor.cpp: (JSC::constructFunctionSkippingEvalEnabledCheck): * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncParseFloat): * runtime/JSONObject.cpp: (JSC::JSONProtoFuncParse): * runtime/StringPrototype.cpp: (JSC::stringProtoFuncCharAt): (JSC::stringProtoFuncCharCodeAt): 2020-07-03 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Add exception checks in JSStringBuilder and Array#join https://bugs.webkit.org/show_bug.cgi?id=213915 <rdar://problem/64878225> Reviewed by Saam Barati and Mark Lam. This patch adds missing exception checks into Array#join's certain place and JSStringBuilder. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): * runtime/JSStringJoiner.h: (JSC::JSStringJoiner::append): 2020-07-03 Fujii Hironori <Hironori.Fujii@sony.com> Builtin internal wrapper implementation files wrap static global initialization code with incorrect guards https://bugs.webkit.org/show_bug.cgi?id=213792 Reviewed by Youenn Fablet. Streams API hadn't worked since r263700 for AppleWin and WinCairo ports. r263700 removed the unused ENABLE_STREAMS_API. Before r263700, the static global initialization code was wrapped by "ENABLE(WEB_RTC) || ENABLE(STREAMS_API)". After r263700, it was wrapped by "ENABLE(WEB_RTC)". AppleWin and WinCairo doesn't turn on ENABLE_WEB_RTC. So, builtins for Streams API weren't properly initialized for them. * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result: Rebaselined. * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py: (BuiltinsInternalsWrapperImplementationGenerator.generate_initialize_method): Removed calling wrap_with_guard for the value of _generate_initialize_static_globals(). 2020-07-02 Alex Christensen <achristensen@webkit.org> Update Mac CMake build * PlatformMac.cmake: 2020-07-02 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Configure option-offered numberingSystem in Intl.NumberFormat through locale https://bugs.webkit.org/show_bug.cgi?id=213872 Reviewed by Ross Kirsling. We need to pass numberingSystem option to ICU through locale when constructing UNumberFormat. We are passing it when we get "en-US-u-nu-hanidec" locale, but we are not passing it when we are getting `new Intl.NumberFormat("en-US", { numberingSystem: "hanidec" })`. * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::initializeNumberFormat): 2020-07-01 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Intl.Collator should set usage:"search" option through ICU locale https://bugs.webkit.org/show_bug.cgi?id=213869 Reviewed by Ross Kirsling. Intl.Collator has usage:"search" option, and it affects on collation. However, UCollator does not have an interface to set this collation option, and only way to configure UCollator is setting "-u-co-search" unicode extension to passed locale string. This patch adds "-u-co-search" unicode extension if Usage::Search is specified. * runtime/IntlCollator.cpp: (JSC::IntlCollator::initializeCollator): 2020-07-01 Keith Miller <keith_miller@apple.com> Rename zeroExtend32ToPtr to zeroExtend32ToWord https://bugs.webkit.org/show_bug.cgi?id=213866 Reviewed by Saam Barati. The old name no longer makes sense now that we have configurations where sizeof(void*) != sizeof(CPURegister). * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32): (JSC::MacroAssemblerARM64::zeroExtend32ToWord): (JSC::MacroAssemblerARM64::branchMul32): (JSC::MacroAssemblerARM64::zeroExtend32ToPtr): Deleted. * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::zeroExtend32ToWord): (JSC::MacroAssemblerARMv7::zeroExtend32ToPtr): Deleted. * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::zeroExtend32ToWord): (JSC::MacroAssemblerMIPS::zeroExtend32ToPtr): Deleted. * assembler/MacroAssemblerX86Common.h: (JSC::MacroAssemblerX86Common::add32): (JSC::MacroAssemblerX86Common::and32): (JSC::MacroAssemblerX86Common::mul32): (JSC::MacroAssemblerX86Common::or32): (JSC::MacroAssemblerX86Common::xor32): (JSC::MacroAssemblerX86Common::zeroExtend32ToWord): (JSC::MacroAssemblerX86Common::branchAdd32): (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr): Deleted. * b3/air/AirOpcode.opcodes: * bytecode/AccessCase.cpp: (JSC::AccessCase::generateWithGuard): * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::compileExit): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileStringSlice): (JSC::DFG::SpeculativeJIT::compileValueToInt32): (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber): (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult): (JSC::DFG::SpeculativeJIT::compileArithDiv): (JSC::DFG::SpeculativeJIT::compileCreateRest): (JSC::DFG::SpeculativeJIT::compileArraySlice): (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): (JSC::DFG::SpeculativeJIT::emitAllocateButterfly): (JSC::DFG::SpeculativeJIT::compileWeakMapGet): (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::reboxAccordingToFormat): * jit/CallFrameShuffler64.cpp: (JSC::CallFrameShuffler::emitBox): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_has_indexed_property): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_has_indexed_property): * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_put_by_val): * jit/JSInterfaceJIT.h: (JSC::JSInterfaceJIT::emitLoadInt32): * wasm/js/JSToWasm.cpp: (JSC::Wasm::boxWasmResult): * wasm/js/WasmToJS.cpp: (JSC::Wasm::wasmToJS): * wasm/js/WebAssemblyFunction.cpp: (JSC::WebAssemblyFunction::jsCallEntrypointSlow): * yarr/YarrJIT.cpp: 2020-07-01 Saam Barati <sbarati@apple.com> Script to copy over testapi.js is redundant in xcodebuild https://bugs.webkit.org/show_bug.cgi?id=213824 Reviewed by Keith Miller. We're already copying over the entire testapiScripts directory. No need to manually copy just one file from it, too. * JavaScriptCore.xcodeproj/project.pbxproj: 2020-07-01 Tetsuharu Ohzeki <tetsuharu.ohzeki@gmail.com> Use properly flag names for tests of Tools/Scripts/run-builtins-generator-tests https://bugs.webkit.org/show_bug.cgi?id=213733 Reviewed by Youenn Fablet. Test cases under Source/JavaScriptCore/Scripts/tests/builtins/ uses exist compilation flags. But they can take an arbitary flag name and don't have to use an exist flag. I think it's better to rename them to more proper ones. * Scripts/tests/builtins/WebCore-ArbitraryConditionalGuard-Separate.js: * Scripts/tests/builtins/WebCore-DuplicateKeyValueAnnotation-Separate.js: * Scripts/tests/builtins/WebCore-GuardedBuiltin-Separate.js: * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js: * Scripts/tests/builtins/WebCore-xmlCasingTest-Separate.js: * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result: 2020-06-30 Peng Liu <peng.liu6@apple.com> Enable the support of FULLSCREEN_API in WebKitTestRunner https://bugs.webkit.org/show_bug.cgi?id=213774 Reviewed by Youenn Fablet. Replace the definition of ENABLE_FULLSCREEN_API in FeatureDefines.xcconfig with the one in PlatformEnableCocoa.h. We have to do that because WebKitTestRunner does not have a FeatureDefines.xcconfig but it uses "ENABLE(FULLSCREEN_API)" to conditionally compile code to test the element fullscreen API. WebKitTestRunner can use the macro defined in PlatformEnableCocoa.h. * Configurations/FeatureDefines.xcconfig: 2020-06-30 Andy Estes <aestes@apple.com> [Xcode] Enable the "My Mac (Mac Catalyst)" destination in WebKit Xcode projects https://bugs.webkit.org/show_bug.cgi?id=213740 Reviewed by Darin Adler. * Configurations/Base.xcconfig: Set SUPPORTS_MACCATALYST to YES to tell Xcode that this project supports building for Mac Catalyst. 2020-06-29 Tetsuharu Ohzeki <tetsuharu.ohzeki@gmail.com> Remove ENABLE_STREAMS_API compilation flag https://bugs.webkit.org/show_bug.cgi?id=213728 Reviewed by Sam Weinig. test cases under Scripts/tests/builtins/ does not uses this removed compilation flag. So we don't have to touch them in this change. But they are confusable so I plan to fix them in bug 213733. * Configurations/FeatureDefines.xcconfig: 2020-06-29 Keith Miller <keith_miller@apple.com> ConservativeRoots should mark any cell it finds an interior pointer to https://bugs.webkit.org/show_bug.cgi?id=213686 Reviewed by Yusuke Suzuki. Currently, if ConserativeRoots finds an interior pointer to a cell it will only mark that cell if it's a butterfly of some kind. However, this can cause problems if the C++ or B3 compilers pre-compute the offset of some cell member they want to load from after a call. If this happens and that interior pointer is the only reference to the cell it can get collected while it is still "alive". A naive patch that doesn't return from findGCObjectPointersForMarking after finding a live non-interior, non-butterfly cell was a 2% regression on Speedometer2 and JetStream2. So, this patch immediately returns after marking some non-butterfly cell, which appears to have fixed the regression locally. Given this was such a big regression (likely from running MarkedBlock::isLive) more than once there's possibly an optimization opportunity here. I filed https://bugs.webkit.org/show_bug.cgi?id=213687 to investigate further. * heap/HeapCell.cpp: (WTF::printInternal): * heap/HeapCell.h: (JSC::isJSCellKind): (JSC::mayHaveIndexingHeader): (JSC::hasInteriorPointers): Deleted. * heap/HeapUtil.h: (JSC::HeapUtil::findGCObjectPointersForMarking): * heap/SlotVisitor.cpp: (JSC::SlotVisitor::appendJSCellOrAuxiliary): * runtime/VM.cpp: (JSC::VM::VM): 2020-06-28 Geoffrey Garen <ggaren@apple.com> Rename initializeThreading to initialize https://bugs.webkit.org/show_bug.cgi?id=213674 Reviewed by Mark Lam. * API/JSClassRef.cpp: * API/JSContextRef.cpp: (JSContextGroupCreate): (JSGlobalContextCreate): (JSGlobalContextCreateInGroup): * API/JSObjectRef.cpp: (JSClassCreate): * API/JSStringRef.cpp: (JSStringCreateWithCharacters): (JSStringCreateWithUTF8CString): (JSStringCreateWithCharactersNoCopy): * API/JSStringRefCF.cpp: (JSStringCreateWithCFString): * API/tests/CompareAndSwapTest.cpp: (testCompareAndSwap): * API/tests/ExecutionTimeLimitTest.cpp: (testExecutionTimeLimit): * API/tests/FunctionOverridesTest.cpp: (testFunctionOverrides): * API/tests/MultithreadedMultiVMExecutionTest.cpp: (startMultithreadedMultiVMExecutionTest): * API/tests/PingPongStackOverflowTest.cpp: (testPingPongStackOverflow): * JavaScriptCore.order: * assembler/testmasm.cpp: (JSC::run): * b3/air/testair.cpp: (main): * b3/testb3_1.cpp: (main): * dfg/testdfg.cpp: (main): * dynbench.cpp: (main): * inspector/remote/cocoa/RemoteInspectorCocoa.mm: (Inspector::RemoteInspector::singleton): * jsc.cpp: (main): (jscmain): * runtime/InitializeThreading.cpp: (JSC::initialize): (JSC::initializeThreading): Deleted. * runtime/InitializeThreading.h: * runtime/JSCConfig.h: * shell/playstation/TestShell.cpp: (setupTestRun): * testRegExp.cpp: (main): 2020-06-27 Saam Barati <sbarati@apple.com> BytecodeBasicBlock::addSuccessor should check if the successor already exists https://bugs.webkit.org/show_bug.cgi?id=213670 Reviewed by Yusuke Suzuki. It makes it nicer for algorithms using BytecodeGraph to not have to consider whether or not there are duplicates in the successor list. Also, because of this, bytecode liveness was doing extra work since it walked the successor list, including any duplicates in it. * bytecode/BytecodeBasicBlock.h: (JSC::BytecodeBasicBlock::addSuccessor): 2020-06-27 Saam Barati <sbarati@apple.com> Change bytecode dumping to dump the bytecode control flow graph https://bugs.webkit.org/show_bug.cgi?id=213669 Reviewed by Yusuke Suzuki. This makes the bytecode control flow graphs much easier to understand, and puts bytecode dumping in more in line with how we dump other IRs. The new dumps look like this: ``` foo#Ahf63N:[0x1035bc120->0x1035e5100, NoneFunctionCall, 36]: 13 instructions (0 16-bit instructions, 0 32-bit instructions, 1 instructions with metadata); 156 bytes (120 metadata bytes); 2 parameter(s); 8 callee register(s); 6 variable(s); scope at loc4 bb#1 [ 0] enter [ 1] get_scope loc4 [ 3] mov loc5, loc4 [ 6] check_traps [ 7] mov loc6, <JSValue()>(const0) [ 10] mov loc6, Undefined(const1) [ 13] mod loc7, arg1, Int32: 2(const2) [ 17] jfalse loc7, 8(->25) Successors: [ #3 #2 ] bb#2 [ 20] mov loc6, Int32: 42(const3) [ 23] jmp 5(->28) Successors: [ #4 ] bb#3 [ 25] mov loc6, Int32: 77(const4) Successors: [ #4 ] bb#4 [ 28] add loc7, arg1, loc6, OperandTypes(126, 126) [ 34] ret loc7 Successors: [ ] ``` * bytecode/BytecodeDumper.cpp: (JSC::dumpHeader): (JSC::dumpFooter): (JSC::CodeBlockBytecodeDumper<Block>::dumpBlock): (JSC::CodeBlockBytecodeDumper<Block>::dumpGraph): * bytecode/BytecodeDumper.h: * bytecode/BytecodeGraph.h: (JSC::BytecodeGraph::dump): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): 2020-06-27 Stephan Szabo <stephan.szabo@sony.com> [PlayStation] Update test runner for changes to Options and signing https://bugs.webkit.org/show_bug.cgi?id=213650 Reviewed by Don Olmstead. * shell/playstation/Initializer.cpp: Load ICU library * shell/playstation/TestShell.cpp: Update between test options reset 2020-06-26 Geoffrey Garen <ggaren@apple.com> Initializing the main thread should initialize the main run loop https://bugs.webkit.org/show_bug.cgi?id=213637 Reviewed by Anders Carlsson. * JavaScriptCore.order: Removed some defunct stuff. * shell/playstation/TestShell.cpp: (setupTestRun): Merged initializeThreading call with initializeMainThread call because initializeMainThread is a superset. 2020-06-25 Yusuke Suzuki <ysuzuki@apple.com> REGRESSION(r263035): stress/get-prototype-of.js broken on s390x https://bugs.webkit.org/show_bug.cgi?id=213307 Reviewed by Ross Kirsling. Structure::m_outOfLineTypeFlags is uint16_t. If we access this field as 32bit field, we have different value in big endian architectures. Since we do not have half-size-load branch instructions, we should load this uint16_t value via `loadh` (which zero-extends the loaded value) and perform branch onto that value. * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitLoadPrototype): * llint/LowLevelInterpreter64.asm: 2020-06-25 Mark Lam <mark.lam@apple.com> JSCell constructor needs to ensure that the passed in structure is still alive. https://bugs.webkit.org/show_bug.cgi?id=213593 <rdar://problem/64597573> Reviewed by Yusuke Suzuki. Note that in the initializer list of the `JSCell(VM&, Structure*)` constructor, we are only using values inside the passed in structure but not necessarily the structure pointer itself. All these values are contained inside Structure::m_blob. Note also that this constructor is an inline function. Hence, the compiler may choose to pre-compute the address of structure->m_blob and discard the structure pointer itself. Here's an example: 0x10317a21e <+1054>: movq 0x18(%rsp), %rdx // rdx:vm = &vm 0x10317a223 <+1059>: addq $0x8, %r13 // r13 = &structure.m_blob <== pre-compute address of m_blob !!! // r13 previously contained the structure pointer. // Now, there's no more references to the structure base address. 0x10317a227 <+1063>: leaq 0x48(%rdx), %rdi // arg0:heap = &vm.heap 0x10317a22b <+1067>: movl $0x10, %edx // arg2:size = 16. 0x10317a230 <+1072>: movq %rdi, 0x28(%rsp) 0x10317a235 <+1077>: xorl %esi, %esi // arg1:deferralContext = 0 0x10317a237 <+1079>: callq 0x10317ae60 // call JSC::allocateCell<JSC::JSArray> <== Can GC here !!! 0x10317a23c <+1084>: movq %rax, %rbx // rbx:cell = rax:allocation result. ... 0x10317a253 <+1107>: movl (%r13), %eax // eax = m_blob.structureID <== Use pre-computed m_blob address here. There's a chance that the GC may run while allocating this cell. In the event that the structure is newly instantiated just before calling this constructor, there may not be any other references to it. As a result, the structure may get collected before the cell is even constructed. To avoid this possibility, we need to ensure that the structure pointer is still alive by the time this constructor is called. I am not committing any tests for this issue because the test cases relies on: 1. Manually forcing an O3 ASan Release build. 2. Not running jsc with --useDollarVM=1. Note: the JSC test harness automatically adds --useDollarVM=1 for all test runs. 3. Memory being allocated in a specific order. The recent Bitmap FreeList change enabled this issue to manifest. The old linked list FreeList implementation would have hidden the issue. 4. Adding some logging code can also make the issue stop manifesting. In short, the test cases will not detect any regression even if we commit them because the existing automatic regression test runs will not have the necessary conditions for reproducing the issue. The tests are also somewhat fragile where any changes in memory layout may stop the issue from manifesting in an observable way. * runtime/JSCellInlines.h: (JSC::JSCell::JSCell): 2020-06-24 Ross Kirsling <ross.kirsling@sony.com> [Intl] Disprefer using ICU enums directly as instance variables https://bugs.webkit.org/show_bug.cgi?id=213587 Reviewed by Yusuke Suzuki. * runtime/IntlPluralRules.cpp: (JSC::IntlPluralRules::initializePluralRules): (JSC::IntlPluralRules::resolvedOptions const): * runtime/IntlPluralRules.h: * runtime/IntlRelativeTimeFormat.cpp: (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat): (JSC::IntlRelativeTimeFormat::styleString): Renamed from JSC::styleString. (JSC::IntlRelativeTimeFormat::resolvedOptions const): (JSC::numericString): Deleted. * runtime/IntlRelativeTimeFormat.h: 2020-06-24 Caitlin Potter <caitp@igalia.com> [JSC] handle Put/DefinePrivateField in resetPutByID https://bugs.webkit.org/show_bug.cgi?id=213583 Reviewed by Yusuke Suzuki. r262613 extends and uses PutByValDirect to support updating and defining private fields, in order to reuse the IC machinery. The necessary resetPutByID change was erroneously omitted, and is presented here. * jit/Repatch.cpp: (JSC::resetPutByID): 2020-06-24 Yusuke Suzuki <ysuzuki@apple.com> [JSC] llintTrue / jitTrue can encounter native functions https://bugs.webkit.org/show_bug.cgi?id=213442 <rdar://problem/64257914> Reviewed by Mark Lam. If the CallFrame is for native function, associated CodeBlock is nullptr. This patch fixes this case to handle it gracefully. * tools/JSDollarVM.cpp: (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor): (JSC::CallerFrameJITTypeFunctor::operator() const): (JSC::functionBaselineJITTrue): (JSC::JSDollarVM::finishCreation): (JSC::functionJITTrue): Deleted. 2020-06-24 Umar Iqbal <uiqbal@apple.com> We should resurrect the older patch that collects some statistics of web API calls https://bugs.webkit.org/show_bug.cgi?id=213319 Reviewed by Brent Fulgham. + Enabled ENABLE_WEB_API_STATISTICS flag * Configurations/FeatureDefines.xcconfig: 2020-06-24 Alexey Shvayka <shvaikalesh@gmail.com> Add DFG/FTL fast path for GetPrototypeOf based on OverridesGetPrototype flag https://bugs.webkit.org/show_bug.cgi?id=213191 Reviewed by Yusuke Suzuki. This patch: 1. Introduces `loadInlineOffset` LLInt macro (64-bit only) and utilizes it in `get_prototype_of` since we assert that `knownPolyProtoOffset` is an inline offset. 2. Brings baseline JIT fast path to 32-bit builds, progressing `super-getter.js` microbenchmark by a factor of 10 (w/o DFG). 3. Adds GetPrototypeOf DFG/FTL fast paths that leverage OverridesGetPrototype type info flag, advancing provided rare objects microbenchmark by ~46% (~37% w/o FTL). Also, cleans up existing DFG fast path by using AssemblyHelpers::loadValue(). 4. Extracts AssemblyHelpers::emitLoadPrototype() and uses it in baseline JIT, DFG, and InstanceOfGeneric access case. With this change, `instanceof` access case handles all [[GetPrototypeOf]] overrides (before: only Proxy objects), which is more correct, yet not observable enough to provide a test case. `instanceof` microbenchmarks are neutral. * bytecode/AccessCase.cpp: (JSC::AccessCase::generateWithGuard): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf): * ftl/FTLAbstractHeapRepository.h: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitLoadPrototype): * jit/AssemblyHelpers.h: * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_get_prototype_of): * llint/LowLevelInterpreter64.asm: 2020-06-24 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Clobberize misses `write(Heap)` report in some nodes https://bugs.webkit.org/show_bug.cgi?id=213525 <rdar://problem/64642067> Reviewed by Mark Lam. In some DFG nodes, clobberize phase misses `clobberTopFunctor` call while it is `write(Heap)`, which confuses clobberizing validation. * dfg/DFGClobberize.h: (JSC::DFG::clobberize): 2020-06-23 Mark Lam <mark.lam@apple.com> Handle string overflow in DFG graph dump while validating AI. https://bugs.webkit.org/show_bug.cgi?id=213524 <rdar://problem/64635620> Not reviewed. Applying refinement suggested by Darin in https://bugs.webkit.org/show_bug.cgi?id=213524#c3. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::validateAIState): 2020-06-23 Mark Lam <mark.lam@apple.com> Handle string overflow in DFG graph dump while validating AI. https://bugs.webkit.org/show_bug.cgi?id=213524 <rdar://problem/64635620> Reviewed by Saam Barati. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::validateAIState): 2020-06-23 Devin Rousso <drousso@apple.com> Keyframe animation doesn't 't show up in the Animations timeline https://bugs.webkit.org/show_bug.cgi?id=213441 Reviewed by Brian Burg. * inspector/protocol/Animation.json: An `interationCount` of `Infinity` is not JSON serializable, so represent it as `-1` instead. 2020-06-22 Saam Barati <sbarati@apple.com> Attempt to fix watchOS simulator build. * assembler/FastJITPermissions.h: (threadSelfRestrictRWXToRW): (threadSelfRestrictRWXToRX): 2020-06-22 Saam Barati <sbarati@apple.com> Allow building JavaScriptCore Mac+arm64 in public SDK build https://bugs.webkit.org/show_bug.cgi?id=213472 Reviewed by Sam Weinig. We used to only builld code for fast permission switching when using the Apple internal SDK. However, with arm64 on macOS, this is no longer a viable implementation strategy. This patch makes it so we can build JSC on macOS+arm64 using the public Xcode SDK. - ENABLE_FAST_JIT_PERMISSIONS is removed. We now use runtime checks instead. - In the new suite of OS betas, pthreads has added API for fast permissions switching. We now use this API instead of using the non-public SDK found in the kernel headers. - We fall back to the separated W/X heaps when fast permissions checking is not supported. This all happens at runtime. * CMakeLists.txt: * JavaScriptCore.xcodeproj/project.pbxproj: * assembler/ARM64Assembler.h: (JSC::ARM64Assembler::fillNops): * assembler/ARMv7Assembler.h: (JSC::ARMv7Assembler::fillNops): * assembler/FastJITPermissions.h: Added. (useFastJITPermissions): (threadSelfRestrictRWXToRW): (threadSelfRestrictRWXToRX): (fastJITPermissionsIsSupported): * assembler/LinkBuffer.cpp: (JSC::memcpyWrapper): (JSC::LinkBuffer::copyCompactAndLinkCode): * assembler/MIPSAssembler.h: (JSC::MIPSAssembler::fillNops): * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::link): * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::link): * jit/ExecutableAllocator.cpp: (JSC::initializeJITPageReservation): * jit/ExecutableAllocator.h: (JSC::performJITMemcpy): (JSC::useFastJITPermissions): Deleted. * runtime/JSCConfig.h: * runtime/Options.cpp: (JSC::Options::recomputeDependentOptions): * runtime/OptionsList.h: 2020-06-22 Tim Horton <timothy_horton@apple.com> Disable the JS JIT when running in a translated process https://bugs.webkit.org/show_bug.cgi?id=213478 Reviewed by Saam Barati. * runtime/Options.cpp: (JSC::Options::recomputeDependentOptions): Based on our performance experiements, disable the JavaScript JIT (but not the regular expression, DOM, or Wasm JIT) when running in a translated process. 2020-06-22 Tim Horton <timothy_horton@apple.com> Update macOS version macros https://bugs.webkit.org/show_bug.cgi?id=213484 Reviewed by Alexey Proskuryakov. * Configurations/Base.xcconfig: * Configurations/DebugRelease.xcconfig: * Configurations/Version.xcconfig: * Configurations/WebKitTargetConditionals.xcconfig: 2020-06-19 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Check Gigacage usage before launching VM https://bugs.webkit.org/show_bug.cgi?id=213410 Reviewed by Mark Lam. Since VM allocates JSBigInt from Gigacage, it is possible that VM creation fails when Gigacage is exhausted. As a work-around for internal testing, we insert ad-hoc Gigacage usage check before launching a new agent. If 80% of Gigacage is used, we fail to launch a new VM gracefully. * assembler/testmasm.cpp: (JSC::testCagePreservesPACFailureBit): * jsc.cpp: (functionDollarAgentStart): 2020-06-19 James Darpinian <jdarpinian@chromium.org> Typed array constructor behaves differently when length is not passed or when undefined is passed https://bugs.webkit.org/show_bug.cgi?id=184232 Reviewed by Yusuke Suzuki. Passing undefined for length should have the same effect as omitting the argument. It was being treated as 0 instead. * runtime/JSGenericTypedArrayViewConstructorInlines.h: (JSC::constructGenericTypedArrayView): 2020-06-19 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Attempt to reduce timeout failures on Apple Watch Series 3 https://bugs.webkit.org/show_bug.cgi?id=213419 Reviewed by Mark Lam. * tools/JSDollarVM.cpp: (JSC::functionUseJIT): (JSC::JSDollarVM::finishCreation): 2020-06-19 Mark Lam <mark.lam@apple.com> toString of String doesn't check integrity of structureID in one path. https://bugs.webkit.org/show_bug.cgi?id=213338 Reviewed by Saam Barati. * runtime/StringPrototype.cpp: (JSC::stringProtoFuncToString): 2020-06-19 Saam Barati <sbarati@apple.com> Have a memory monitor thread in jsc shell when running tests using --memory-limited https://bugs.webkit.org/show_bug.cgi?id=213389 Reviewed by Mark Lam. When testing on iOS, there are times high memory usage from a JSC test will jetsam our entire test runner. This makes it so we don't get any test results from that test run, which can make it difficult to track testing results. This patch introduces an optional memory monitoring thread to the JSC shell. It's a best effort approach. If memory usage exceeds the passed in threshold, we crash the process. Similar to how the timeout mechanism works. On Cocoa platforms, we also perform this check in the low memory warning handler. Currently, we use this feature when running JSC stress tests in "--memory-limited" mode. * jsc.cpp: (crashIfExceedingMemoryLimit): (startMemoryMonitoringThreadIfNeeded): (jscmain): 2020-06-19 Mark Lam <mark.lam@apple.com> Make $vm properties non-configurable, non-enumerable, and non-writable. https://bugs.webkit.org/show_bug.cgi?id=213395 Reviewed by Saam Barati and Yusuke Suzuki. $vm provides functions for test development and VM debugging. There's no reason for them to be configurable, enumerable, and writable. We particularly don't want them to be enumerable as this can trip up some fuzzers. Fuzzers should not be fuzzing the $vm object which doesn't exist in real world uses of JavaScriptCore. * tools/JSDollarVM.cpp: (JSC::JSDollarVM::finishCreation): (JSC::JSDollarVM::addFunction): (JSC::JSDollarVM::addConstructibleFunction): 2020-06-19 Tuomas Karkkainen <tuomas.webkit@apple.com> functionCpuClflush checks that the second argument is Int32 but it actually expects it to be UInt32 https://bugs.webkit.org/show_bug.cgi?id=213388 Reviewed by Saam Barati. This changes the check from isInt32() to isUInt32() so that the logic is consistent. * tools/JSDollarVM.cpp: 2020-06-18 Mark Lam <mark.lam@apple.com> Unify Bitmap math loops in MarkedBlock::Handle::specializedSweep(). https://bugs.webkit.org/show_bug.cgi?id=213345 Reviewed by Robin Morisset and Saam Barati. This change appears to be performance neutral. However, we'll take the change because we know that it does less work, and the new way of expressing the Bitmap math in MarkedBlock::Handle::specializedSweep() does appear to be easier to understand than the old code. Also addressed feedback from Robin and Saam in https://bugs.webkit.org/show_bug.cgi?id=213071. Changes made: 1. Use the new Bitmap::words() API to get direct access to the underlying bits storage. With this, we can do the merging of the marked and newlyAllocated bits with a single pass looping thru the bitmap words. 2. In MarkedBlock::Handle::specializedSweep()'s Bitmap free list code, moved the implementation of handleDeadCells lambda down to the call to freeAtoms.forEachSetBit() because this is the only place it is used. 3. Fixed MarkedBlock::Handle::specializedSweep()'s Bitmap free list code to handle the dead cells unconditionally. This condition check was wrongly adapted from the linked list implementation where handleDeadCell() was called in 2 places depending on the destruction mode. With the Bitmap free list, there is only once place to handle the dead cells, and it should be executed unconditionally. This fixes a bug where the FreeList::originalSize() never gets computed if the cells in the block does not need destruction. 4. Renamed FreeList::bitmapRows() to FreeList::bitmapRowsMinusOne(). Renamed FreeList::offsetOfBitmapRows() to FreeList::offsetOfBitmapRowsMinusOne(). 5. Also fixed some typos in comments. * heap/FreeList.h: (JSC::FreeList::bitmapIsEmpty const): (JSC::FreeList::offsetOfBitmapRowsMinusOne): (JSC::FreeList::bitmapRowsMinusOne const): (JSC::FreeList::offsetOfBitmapRows): Deleted. (JSC::FreeList::bitmapRows const): Deleted. * heap/FreeListInlines.h: (JSC::FreeList::allocate): (JSC::FreeList::forEach const): * heap/MarkedBlockInlines.h: (JSC::MarkedBlock::Handle::specializedSweep): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): 2020-06-18 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Remove dead non-ICU locale Date code since we are always using ICU version https://bugs.webkit.org/show_bug.cgi?id=213362 Reviewed by Ross Kirsling. There are old non-ICU version of Date locale code. But this is now dead code since we are always using ICU version, which is invoked from builtin JS DatePrototype.js. We should remove these dead code. * runtime/DatePrototype.cpp: (JSC::DatePrototype::finishCreation): (): Deleted. (JSC::styleFromArgString): Deleted. (JSC::formatLocaleDate): Deleted. (JSC::dateProtoFuncToLocaleString): Deleted. (JSC::dateProtoFuncToLocaleDateString): Deleted. (JSC::dateProtoFuncToLocaleTimeString): Deleted. 2020-06-18 Ross Kirsling <ross.kirsling@sony.com> Unreviewed, address Darin's feedback on r263227. * runtime/IntlRelativeTimeFormat.cpp: (JSC::IntlRelativeTimeFormat::UNumberFormatDeleter::operator() const): (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat): (JSC::IntlRelativeTimeFormat::formatToParts const): * runtime/IntlRelativeTimeFormat.h: Keep ownership over our UNumberFormat instance after all, to avoid relying on behavior ICU isn't explicitly guaranteeing. 2020-06-18 Ross Kirsling <ross.kirsling@sony.com> [Intl] Enable RelativeTimeFormat and Locale by default https://bugs.webkit.org/show_bug.cgi?id=213324 Reviewed by Yusuke Suzuki. * runtime/IntlObject.cpp: (JSC::createDateTimeFormatConstructor): (JSC::createLocaleConstructor): (JSC::createNumberFormatConstructor): (JSC::createRelativeTimeFormatConstructor): (JSC::IntlObject::finishCreation): Unconditionalize creation of RelativeTimeFormat and Locale constructors. * runtime/IntlRelativeTimeFormat.cpp: (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat): (JSC::IntlRelativeTimeFormat::formatToParts const): (JSC::IntlRelativeTimeFormat::UNumberFormatDeleter::operator() const): Deleted. * runtime/IntlRelativeTimeFormat.h: Fix an actual bug -- URelativeDateTimeFormatter *adopts* the UNumberFormat it's instantiated with, so we can't keep a unique_ptr to it. * runtime/OptionsList.h: Remove feature flags. 2020-06-18 Alexey Shvayka <shvaikalesh@gmail.com> Promise built-in functions should be anonymous non-constructors https://bugs.webkit.org/show_bug.cgi?id=213317 Reviewed by Darin Adler. This patch makes userland-exposed Promise built-in functions non-constructors and sets their "name" properties to empty strings as per spec [1], aligning JSC with V8 and SpiderMonkey. @createResolvingFunctionsWithoutPromise change is covered by test262's async-generator/yield-thenable-create-resolving-functions-*.js cases. Promise microbenchmarks are neutral. Promise constructors bytecode is unchanged, while @createResolvingFunctions* bytecode is reduced by 2 instructions. [1]: https://tc39.es/ecma262/#sec-ecmascript-standard-built-in-objects * builtins/PromiseConstructor.js: (nakedConstructor.Promise): (nakedConstructor.InternalPromise): * builtins/PromiseOperations.js: (globalPrivate.newPromiseCapabilitySlow): (globalPrivate.createResolvingFunctions): (globalPrivate.createResolvingFunctionsWithoutPromise): (globalPrivate.createResolvingFunctions.resolve): Deleted. (globalPrivate.createResolvingFunctions.reject): Deleted. (resolve): Deleted. (reject): Deleted. * builtins/PromisePrototype.js: (globalPrivate.getThenFinally): (globalPrivate.getCatchFinally): (valueThunk): Deleted. (thrower): Deleted. 2020-06-18 Alexey Shvayka <shvaikalesh@gmail.com> TypedArray.prototype.set is incorrect with primitives https://bugs.webkit.org/show_bug.cgi?id=212730 Reviewed by Yusuke Suzuki. This change implements step 14 of %TypedArray%.prototype.set [1], which coerces primitives to objects instead of throwing an error, aligning JSC with V8 and SpiderMonkey. [1]: https://tc39.es/ecma262/#sec-%typedarray%.prototype.set-array-offset * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: (JSC::genericTypedArrayViewProtoFuncSet): 2020-06-17 Mark Lam <mark.lam@apple.com> Replace JSC::FreeList linked list with a Bitmap. https://bugs.webkit.org/show_bug.cgi?id=213071 Reviewed by Filip Pizlo. Implement an alternative to the linked list FreeList. This alternative uses a Bitmap to record which atom in the block is available for allocation. The intuition here is that allocation using the Bitmap implementation will do: 2 loads - m_currentRowBitmap, m_currentMarkedBlockRowAddress 1 store - m_currentRowBitmap whereas the linked list implementation will do: 3 loads - m_scrambledHead, m_secret, result->scrambledNext 1 store - m_scrambledHead and result->scrambledNext is from a different region of code and therefore not in the same cache line. The downside of the Bitmap implementation is that it uses more instructions. This change is currently only enabled for x86_64, which shows about a 0.8% progression on Speedometer 2. It appears to be about a 1% regression on ARM64E. Hence, for now, we keep the linked list implementation for ARM64 builds. This is how the Bitmap FreeList works: 1. The Bitmap implementation only replaces the linked list implementation. It does not replace the bump allocator. 2. The Bitmap allocator keeps a m_bitmap that is initialized in MarkedBlock::Handle::specializedSweep() to have a bit set for each atom location that is available for allocation (i.e. is free). Note that a cell is usually allocated using more than 1 atom. Only the bit corresponding to the first atom (in that cell length range of free atoms) will be set. This is consistent with how bits in MarkedBlock::Footer::m_marks and MarkedBlock::Footer::m_newlyAllocated are set i.e. only the bit for the first atom in the cell can be set. 3. The allocation algorithm thinks of the MarkedBlock as consisting of rows of atoms, where the number of atoms in a row equals the number of bits in a AtomsBitmap::Word. On 64-bit CPUs, this would be 64. We will start allocating from the last (highest numbered) row down to the first (row 0). As we allocate, we will only update m_currentRowIndex and m_currentRowBitmap. m_bitmap will not be updated. This is so in order to reduce the number of instructions executed during an allocation. When m_currentRowIndex points to N, the AtomsBitmap::Word for row N in m_bitmap will have been copied into m_currentRowBitmap. This is the row that we will be allocating from until the row is exhausted. This is how we know whether an atom is available for allocation or not: i. Atoms in any rows above m_currentRowIndex are guaranteed to be allocated already (because we allocate downwards), and hence, are not available. ii. For row m_currentRowIndex, m_currentRowBitmap is the source of truth on which atoms in the row are available for allocation. iii. For rows below m_currentRowIndex, m_bitmap is the source of truth on which atoms are available for allocation. When m_currentRowIndex reaches 0, the info in m_bitmap is completely obsoleted, and m_currentRowBitmap holds the availability info for row 0. When both m_currentRowIndex and m_currentRowBitmap are 0, then we have completely exhausted the block and no more atoms are available for allocation. 4. Allocation happens in 3 paths: fast, middle, slow. The fast path checks m_currentRowBitmap. If it's not 0, then we compute the bit number of the lowest set bit in it. That bit number will be used together with m_currentMarkedBlockRowAddress to compute the address of the atom location available for allocation. m_currentRowBitmap will be updated to clear the bit for the atom that has just ben allocated. If m_currentRowBitmap is 0, then we'll go to the middle path. The middle path checks m_currentRowIndex to see if we have more rows to allocate from. For each m_currentRowIndex, we check its corresponding AtomsBitmap::Word in m_bitmap. If the word is non-zero, we copy it to m_currentRowBitmap and jump to the fast path to do the allocation. The middle path will update m_currentRowIndex to point to the current row we're allocating from. If we have decremented m_currentRowIndex down to 0 but still can't find a non-zero AtomsBitmap::Word in m_bitmap, then the block has been exhausted, and we'll go to the slow path. The slow path is analogous to the old slow path i.e. we try to refill the LocalAllocator with a new MarkedBlock. 5. On the layout of fields in FreeList (see changes in FreeList.h), we try to preserve the positions of the bump allocator fields. The only change we made there is in the location of m_cellSize. It is now moved up next to m_remaining, and m_originalSize is moved down. This is because m_originalSize is only accessed in the slow path, and m_cellSize is accessed in the bump allocation path. Next, we try to put Bitmap allocation fields where the linked list fields would have been. The one bit of trickiness is that we'll put m_currentMarkedBlockRowAddress in a union with m_payloadEnd. This is because m_payloadEnd is only used in the bump allocation path. If m_remaining is 0, then we can reuse this location for m_currentMarkedBlockRowAddress. With this, we would have 4 bytes of padding after m_currentRowIndex. For compactness, we put m_originalSize there in that space. For builds that use the linked list implementation, m_originalSize will be located below after m_cellSize. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): * heap/FreeList.cpp: (JSC::FreeList::clear): (JSC::FreeList::initializeAtomsBitmap): (JSC::FreeList::initializeBump): (JSC::FreeList::contains const): (JSC::FreeList::dump const): * heap/FreeList.h: (JSC::FreeList::bitmapIsEmpty const): (JSC::FreeList::allocationWillFail const): (JSC::FreeList::offsetOfCurrentRowBitmap): (JSC::FreeList::offsetOfBitmapRows): (JSC::FreeList::offsetOfCurrentRowIndex): (JSC::FreeList::offsetOfCurrentMarkedBlockRowAddress): (JSC::FreeList::offsetOfRemaining): (JSC::FreeList::atomsBitmap): (JSC::FreeList::bitmapRows const): (JSC::FreeList::offsetOfOriginalSize): Deleted. * heap/FreeListInlines.h: (JSC::FreeList::allocate): (JSC::FreeList::forEach const): * heap/LocalAllocator.cpp: (JSC::LocalAllocator::isFreeListedCell const): * heap/MarkedBlock.h: (JSC::MarkedBlock::Handle::atomAt const): * heap/MarkedBlockInlines.h: (JSC::MarkedBlock::Handle::specializedSweep): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): 2020-06-17 Mark Lam <mark.lam@apple.com> StructureIDTable::validate() doesn't work when compiled with GCC. https://bugs.webkit.org/show_bug.cgi?id=213302 <rdar://problem/64452172> Reviewed by Yusuke Suzuki. I was previously using ensureStillAliveHere() to force the validation load to not be elided. However, this is not how ensureStillAliveHere() works. The proper way to force the load is to use a volatile pointer instead, which is applied in this patch. With Clang, the ensureStillAliveHere() happened to do what I expected, but with GCC it did not. The compiler is at liberty to elide the load because there is no memory clobbering operation between the load and the call to ensureStillAliveHere(). Switching to using the volatile pointer solution. * runtime/StructureIDTable.h: (JSC::StructureIDTable::validate): 2020-06-17 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Freeze JSBigInt when setting it as a constant in AI https://bugs.webkit.org/show_bug.cgi?id=213310 <rdar://problem/64450410> Reviewed by Mark Lam. JSCells should be explicitly frozen via DFG::Graph::freeze or DFG::Graph::freezeStrong. And heap JSBigInt is JSCell. We should freeze it before setting it as a parameter of setConstant in AI. We use DFG::Graph::freeze since we know that this is coming from somewhere in DFG graph: this ToNumeric node itself is not newly producing this JSBigInt. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 2020-06-17 Keith Miller <keith_miller@apple.com> $vm.haveABadTime/isHavingABadTime should work with non-globalObject parameters https://bugs.webkit.org/show_bug.cgi?id=213304 Reviewed by Mark Lam. Previously, $vm.haveABadTime would crash if passed a non-globalObject object as the first parameter because it was missing a `return` in front the error handling case. This patch resolves that issue but also extends the semantics of haveABadTime/isHavingABadTime to either use the global object of the first parameter even if it's not a JSGlobalObject. If no argument is passed, haveABadTime/isHavingABadTime instead use the global object of the callee. * tools/JSDollarVM.cpp: (JSC::functionHaveABadTime): (JSC::functionIsHavingABadTime): 2020-06-17 Mark Lam <mark.lam@apple.com> Gardening: move some unused data inside ENABLE(JIT) to unbreak the CLoop build. https://bugs.webkit.org/show_bug.cgi?id=213255 Not reviewed. * assembler/testmasm.cpp: 2020-06-17 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, avoid node access in link-task https://bugs.webkit.org/show_bug.cgi?id=213266 <rdar://problem/64453001> * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCheckJSCast): 2020-06-17 Mark Lam <mark.lam@apple.com> Add a shiftAndAdd() emitter in AssemblyHelpers. https://bugs.webkit.org/show_bug.cgi?id=213255 Reviewed by Michael Saboff. void shiftAndAdd(RegisterID base, RegisterID index, uint8_t shift, RegisterID dest, Optional<RegisterID> = { }); Emits code to compute: dest = base + index << shift. * assembler/testmasm.cpp: (doubleOperands): (floatOperands): (int32Operands): (int64Operands): (JSC::testShiftAndAdd): (JSC::run): (JSC::doubleOperands): Deleted. (JSC::floatOperands): Deleted. (JSC::int32Operands): Deleted. (JSC::int64Operands): Deleted. * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::shiftAndAdd): 2020-06-17 Michael Saboff <msaboff@apple.com> [Wasm] Reduce the amount of memory used by the Air register coloring allocator https://bugs.webkit.org/show_bug.cgi?id=212106 Reviewed by Yusuke Suzuki. Changed InterferenceEdge to be a templated class so we can instantiate an unsigned short version to cut memory in half for code that has less than 2^16 temps. Through instrumentation, my testing showed that almost all compilations use the 16bit implementation. Although this change is for all B3/Air compilations at O2, Wasm compilations are usally larger and therefore get the greatest benefit. This allowed increasing the default value for the option webAssemblyBBQFallbackSize, with a small increase in memory usage. * b3/air/AirAllocateRegistersByGraphColoring.cpp: * runtime/OptionsList.h: 2020-06-16 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Check NullSetterFunction under strict-mode context since structure / PropertyCondition are unaware of this https://bugs.webkit.org/show_bug.cgi?id=213266 Reviewed by Mark Lam. Our PropertyCondition is tracking the shape of Structure. This is enough for IC except for one case: throwing an error when invoking null setters in strict code. "use strict"; var object = { get value() { return 42; } } object.value = 42; In the above case, we need to throw an error. Let's consider the following scenario. 1. Object has valid setter. 2. IC is buffering OPC which includes (1)'s object in [[Prototype]] hit. 3. IC commits buffered AccessCase with OPC. And PropertyCondition says Object + setter-offset => Presence. 4. Object deletes its setter. 5. Just after (4), DFG concurrently reads buffered committed OPCs. 6. DFG see that PropertyCondition is valid even after (4) since accessor property does exist. 7. Set up DFG sequence `GetSetter, Call`. 8. DFG calls null-setter under strict code, which is not assumed to be called. In this patch, we insert NullSetterFunction check before setter invocation under strict mode. In IC, if we see NullSetterFunction, we replace the calling target with special function which throws an error. In DFG / FTL, we emit `CheckNotJSCast` DFG node which ensures that this setter is not null setter. In IC code, we already have null-setter checking code before. So this change does not have any impact in terms of performance. In DFG / FTL code, we only insert this check when we do not inline this setter. This is because inlining emits `CheckCell` anyway so we can know that this is not NullSetterFunction. And this means that DFG Call opcode exists after CheckNotJSCast. Since Call opcode loads the fields of call target anyway, this also does not affect on performance. * bytecode/AccessCase.cpp: (JSC::AccessCase::generateImpl): * bytecode/PolymorphicAccess.cpp: (JSC::PolymorphicAccess::regenerate): * bytecode/PolymorphicAccess.h: (JSC::AccessGenerationState::AccessGenerationState): * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::addAccessCase): * bytecode/StructureStubInfo.h: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleCall): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::handlePutById): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::hasClassInfo const): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCheckJSCast): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGStructureAbstractValue.cpp: (JSC::DFG::StructureAbstractValue::isNotSubClassOf const): * dfg/DFGStructureAbstractValue.h: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileCheckJSCast): * jit/Repatch.cpp: (JSC::tryCacheGetBy): (JSC::tryCacheArrayGetByVal): (JSC::tryCachePutByID): (JSC::tryCacheDeleteBy): (JSC::tryCacheInByID): (JSC::tryCacheInstanceOf): * jit/ThunkGenerators.cpp: (JSC::virtualThunkFor): * runtime/InternalFunction.cpp: (JSC::InternalFunction::finishCreation): * runtime/JSCast.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::nullSetterStrictFunction const): * runtime/JSType.cpp: (WTF::printInternal): * runtime/JSType.h: * runtime/NullSetterFunction.cpp: (JSC::NullSetterFunctionInternal::callThrowError): (JSC::NullSetterFunction::NullSetterFunction): * runtime/NullSetterFunction.h: 2020-06-16 Mark Lam <mark.lam@apple.com> Make Options::useJIT() be the canonical source of truth on whether we should use the JIT. https://bugs.webkit.org/show_bug.cgi?id=212556 <rdar://problem/63780436> Reviewed by Saam Barati. After r263055, Options::useJIT() always equals VM::canUseJIT() after canUseJIT() has been computed. This patch removes VM::canUseJIT(), and replaces all calls to it with calls to Options::useJIT(). In the old code, VM::canUseJIT() would assert s_canUseJITIsSet to ensure that its clients will not access s_canUseJIT before it is initialized. We not have an equivalent mechanism with Options. This is how it works: 1. There are 2 new Options flags in the g_jscConfig: g_jscConfig.options.isFinalized g_jscConfig.options.allowUnfinalizedAccess g_jscConfig.options.isFinalized means that all Options values are finalized i.e. initialization is complete and ready to be frozen in the Config. g_jscConfig.options.isFinalized is set by initializeThreading() by calling Options::finalize() once options initialization is complete. g_jscConfig.options.allowUnfinalizedAccess is an allowance for clients to access Options values before they are finalized. This is only needed in options initialization code where Options values are read and written to. g_jscConfig.options.allowUnfinalizedAccess is set and cleared using the Options::AllowUnfinalizedAccessScope RAII object. The few pieces of code that do options initialization will instantiate this scope object. 2. All Options accessors (e.g. Option::useJIT()) will now assert that either g_jscConfig.options.allowUnfinalizedAccess or g_jscConfig.options.isFinalized is set. 3. Since r263055, Options::recomputeDependentOptions() ensures that if useJIT() is false, all other JIT options (e.g. useBaselineJIT(), useDFTJIT(), useFTLJIT(), etc.) are also false. This patch also adds useBBQJIT() and useOMGJIT() to that list. With this, checks for useJIT() are now redundant if there's also another JIT option check, e.g. useRegExpJIT() or useDFGJIT(). When redundant, this patch elides the useJIT() check (which used to be a VM::canUseJIT() check). Ideally, we should also introduce a separate abstraction for requested option values before finalization than the finalized option values that will be adopted by the system. We'll do this as a separate exercise in a later patch. * API/tests/ExecutionTimeLimitTest.cpp: (testExecutionTimeLimit): * API/tests/FunctionOverridesTest.cpp: (testFunctionOverrides): * API/tests/PingPongStackOverflowTest.cpp: (testPingPongStackOverflow): - Removed redundant calls to Options::initialize(). * API/tests/testapi.c: (main): - move the call to testExecutionTimeLimit() to after finalizeMultithreadedMultiVMExecutionTest() returns. This is because testExecutionTimeLimit() modifies JIT options at runtime as part of its testing. This can wreak havoc on the rest of the system that expects the options to be frozen. Ideally, we'll find a way for testExecutionTimeLimit() to do its work without changing JIT options, but that is not easy to do. For now, we'll just run it at the end as a workaround. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::setNumParameters): * bytecode/CodeBlock.h: (JSC::CodeBlock::numberOfArgumentValueProfiles): (JSC::CodeBlock::valueProfileForArgument): * dfg/DFGCapabilities.cpp: (JSC::DFG::isSupported): * heap/Heap.cpp: (JSC::Heap::completeAllJITPlans): (JSC::Heap::iterateExecutingAndCompilingCodeBlocks): (JSC::Heap::gatherScratchBufferRoots): (JSC::Heap::removeDeadCompilerWorklistEntries): (JSC::Heap::stopThePeriphery): (JSC::Heap::suspendCompilerThreads): (JSC::Heap::resumeCompilerThreads): (JSC::Heap::addCoreConstraints): * interpreter/AbstractPC.cpp: (JSC::AbstractPC::AbstractPC): * jit/JITThunks.cpp: (JSC::JITThunks::ctiNativeCall): (JSC::JITThunks::ctiNativeConstruct): (JSC::JITThunks::ctiNativeTailCall): (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags): (JSC::JITThunks::ctiInternalFunctionCall): (JSC::JITThunks::ctiInternalFunctionConstruct): (JSC::JITThunks::hostFunctionStub): * jsc.cpp: (CommandLine::parseArguments): (jscmain): * llint/LLIntEntrypoint.cpp: (JSC::LLInt::setFunctionEntrypoint): (JSC::LLInt::setEvalEntrypoint): (JSC::LLInt::setProgramEntrypoint): (JSC::LLInt::setModuleProgramEntrypoint): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::shouldJIT): (JSC::LLInt::jitCompileAndSetHeuristics): * runtime/InitializeThreading.cpp: (JSC::initializeThreading): * runtime/JSCConfig.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::numberToStringWatchpointSet): * runtime/Options.cpp: (JSC::jitEnabledByDefault): (JSC::disableAllJITOptions): (JSC::Options::initialize): - Move the calls to dumpOptionsIfNeeded() and ensureOptionsAreCoherent() to the end after all the options have been initialized because this where they belong. (JSC::Options::finalize): (JSC::Options::setOptions): (JSC::Options::setOption): (JSC::Options::dumpAllOptions): (JSC::Options::ensureOptionsAreCoherent): * runtime/Options.h: (JSC::Options::AllowUnfinalizedAccessScope::AllowUnfinalizedAccessScope): (JSC::Options::AllowUnfinalizedAccessScope::~AllowUnfinalizedAccessScope): * runtime/OptionsList.h: * runtime/RegExp.cpp: (JSC::RegExp::compile): (JSC::RegExp::compileMatchOnly): * runtime/SymbolTable.h: (JSC::SymbolTableEntry::isWatchable const): * runtime/VM.cpp: (JSC::VM::computeCanUseJIT): (JSC::VM::VM): (JSC::VM::getHostFunction): (JSC::VM::getCTIInternalFunctionTrampolineFor): * runtime/VM.h: (JSC::VM::isInMiniMode): (JSC::VM::canUseJIT): Deleted. * wasm/WasmCapabilities.h: (JSC::Wasm::isSupported): * wasm/WasmOperations.cpp: (JSC::Wasm::shouldJIT): * wasm/WasmSlowPaths.cpp: (JSC::LLInt::shouldJIT): 2020-06-16 Robin Morisset <rmorisset@apple.com> Optimize Air::TmpWidth analysis in IRC https://bugs.webkit.org/show_bug.cgi?id=152478 Reviewed by Filip Pizlo. AirTmpWidth currently uses a HashMap to map tmps to their width. Since tmps have consecutive indices, we can instead use vectors (one for GP and one for FP tmps). As a bonus, we can just compute the width of the tmps of the bank the register allocator is currently looking at. This cuts the time spent in the register allocator in JetStream2 by about 100ms out of 3.4s (or sometimes 80ms out of 2.4, the bimodality of the time spent is due to a huge function in tagcloud-SP which usually but not always reach the FTL, I'll check later if it can be fixed by tweaking the inliner). * b3/air/AirAllocateRegistersByGraphColoring.cpp: (JSC::B3::Air::allocateRegistersByGraphColoring): * b3/air/AirTmpWidth.cpp: (JSC::B3::Air::TmpWidth::TmpWidth): (JSC::B3::Air::TmpWidth::recompute): * b3/air/AirTmpWidth.h: (JSC::B3::Air::TmpWidth::width const): (JSC::B3::Air::TmpWidth::requiredWidth): (JSC::B3::Air::TmpWidth::defWidth const): (JSC::B3::Air::TmpWidth::useWidth const): (JSC::B3::Air::TmpWidth::Widths::Widths): (JSC::B3::Air::TmpWidth::widths): (JSC::B3::Air::TmpWidth::widths const): (JSC::B3::Air::TmpWidth::addWidths): (JSC::B3::Air::TmpWidth::widthsVector): 2020-06-16 Fujii Hironori <Hironori.Fujii@sony.com> [CMake][Visual Studio] CombinedDomains.json is generated twice in JavaScriptCore.vcxproj and InspectorBackendCommands.vcxproj https://bugs.webkit.org/show_bug.cgi?id=213225 Reviewed by Don Olmstead. Since r262203 (Bug 210014) added a new target InspectorBackendCommands, CombinedDomains.json is generated twice in JavaScriptCore.vcxproj and InspectorBackendCommands.vcxproj. This caused unnecessary incremental builds. The fundamental issue of this issue was fixed in CMake side. <https://gitlab.kitware.com/cmake/cmake/issues/16767> However, JavaScriptCore target needs to have a direct or indirect dependency of InspectorBackendCommands target for CMake Visual Studio generator to eliminate duplicated custom commands. * CMakeLists.txt: Added add_dependencies(JavaScriptCore InspectorBackendCommands). 2020-06-16 Mark Lam <mark.lam@apple.com> Add SIGABRT handler for non OS(DARWIN) builds to the jsc shell with the -s option. https://bugs.webkit.org/show_bug.cgi?id=213200 Reviewed by Michael Catanzaro. This is needed because non OS(DARWIN) builds uses abort as their "CRASH"ing mechanism. * jsc.cpp: (CommandLine::parseArguments): 2020-06-15 Michael Catanzaro <mcatanzaro@gnome.org> WTF signal machinery is guarded by #if USE(PTHREADS) && HAVE(MACHINE_CONTEXT) but does not use pthreads or machine context https://bugs.webkit.org/show_bug.cgi?id=213223 Reviewed by Mark Lam. Use #if OS(UNIX) here too. This should fix stress/ensure-crash.js when HAVE(MACHINE_CONTEXT) is false. * jsc.cpp: (printUsageStatement): (CommandLine::parseArguments): 2020-06-15 Pavel Feldman <pavel.feldman@gmail.com> Web Inspector: introduce request interception https://bugs.webkit.org/show_bug.cgi?id=207446 Reviewed by Devin Rousso. This change introduces network request interception to the Network protocol domain. It adds Network.interceptWithRequest notification that can be continued, modified or fulfilled. NetworkStage enum can now have 'request' and 'response' values. * inspector/protocol/Network.json: 2020-06-15 Tadeu Zagallo <tzagallo@apple.com> op_iterator_open getNext checkpoint needs to declare it uses m_iterator https://bugs.webkit.org/show_bug.cgi?id=213106 <rdar://problem/63416838> Reviewed by Keith Miller. Currently, we have no way of specifying that a checkpoint uses an operand defined at an earlier point in the same bytecode, which is the case for op_iterator_open: we assume that it will have already allocated the iterator and stored it in m_iterator by the time we get to the getNext checkpoint. In order to support that, we change tmpLivenessForCheckpoint to livenessForCheckpoint and allow it to also declare the use of the operands defined within the bytecode. * bytecode/BytecodeLivenessAnalysis.cpp: (JSC::livenessForCheckpoint): (JSC::tmpLivenessForCheckpoint): Deleted. * bytecode/BytecodeLivenessAnalysis.h: * bytecode/FullBytecodeLiveness.h: * dfg/DFGForAllKills.h: (JSC::DFG::forAllKilledOperands): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::isLiveInBytecode): * dfg/DFGGraph.h: 2020-06-15 Alexey Shvayka <shvaikalesh@gmail.com> Expand JSObject::defineOwnIndexedProperty() fast path for existing properties https://bugs.webkit.org/show_bug.cgi?id=213133 Reviewed by Yusuke Suzuki. This patch expands fast path of JSObject::defineOwnIndexedProperty() to cover existing properties if given data descriptor has no falsy attributes, preventing the object from entering SparseMode. The optimization is possible due to this invariant: indexed properties of non-SparseMode objects have attributes of PropertyAttribute::None (except for typed arrays; added assert covers it). PropertyDescriptor::attributesOverridingCurrent() with PropertyAttribute::None descriptor is used to support partial descriptors like {value: 1, writable: true}. This change advances Object.defineProperty microbenchmark by 35%; array read/write benchmark following property redefinition is progressed by a factor of 16 due to avoiding SparseMode. * runtime/JSObject.cpp: (JSC::JSObject::defineOwnIndexedProperty): 2020-06-15 Robin Morisset <rmorisset@apple.com> testB3::testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead() has a validation failure in debug mode https://bugs.webkit.org/show_bug.cgi?id=196103 <rdar://problem/57808549> Reviewed by Keith Miller. The problem was trivial: patchpoints were referring to constants that were defined after them. Just exchanging the order of the definition was enough to make this test pass. * b3/testb3_1.cpp: (shouldRun): * b3/testb3_7.cpp: (testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead): 2020-06-15 Mark Lam <mark.lam@apple.com> Do not install the VMTraps signal handler if Options::useJIT=false. https://bugs.webkit.org/show_bug.cgi?id=212543 <rdar://problem/63772519> Reviewed by Keith Miller. VMTraps is only needed for JITted code. Hence, if the JIT is disabled, we should set Options::usePollingTraps() to true to indicate that we won't be using VMTraps. With this change, we no longer install any signal handling machinery if Options::useJIT() is false. Because we may still disable the JIT even if useJIT() is true (due to failure to allocate JIT memory or a number of other factors), we will also add a check of VM::canUseJIT() in initializeThreading(), and disable useJIT() if needed. Of course, this also means we need to call Options::recomputeDependentOptions() to make other options consistent with useJIT() being false. * runtime/InitializeThreading.cpp: (JSC::initializeThreading): * runtime/Options.cpp: (JSC::disableAllJITOptions): (JSC::Options::recomputeDependentOptions): (JSC::recomputeDependentOptions): Deleted. * runtime/Options.h: * runtime/VMTraps.cpp: (JSC::VMTraps::initializeSignals): * tools/SigillCrashAnalyzer.cpp: (JSC::SigillCrashAnalyzer::instance): 2020-06-15 Keith Miller <keith_miller@apple.com> CheckIsConstant should not use BadCache exit kind https://bugs.webkit.org/show_bug.cgi?id=213141 Reviewed by Yusuke Suzuki. The BadCache exit kind causes the OSR exit compilers to try to update ArrayProfiles. This is just incorrect for CheckIsConstant since the node's origin may not even have an ArrayProfile... BadCache also strongly assumes the value it's profiling is a cell, which is clearly not always the case for CheckIsConstant. CheckIsConstant now uses the BadConstantValue (BadValue conflicts with macros exported by X11 on GTK) exit kind for all use kinds, which is just a rename of BadCell. All existing places where we can emit a CheckIsConstant already have a story for BadConstantValue. * bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::computeFromLLInt): (JSC::CallLinkStatus::computeExitSiteData): * bytecode/ExitKind.cpp: (JSC::exitKindToString): * bytecode/ExitKind.h: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::handleIntrinsicCall): (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::handlePutByVal): (JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::isPseudoTerminal): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCheckIsConstant): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileCheckIsConstant): (JSC::FTL::DFG::LowerDFGToB3::compileCheckBadValue): (JSC::FTL::DFG::LowerDFGToB3::compileCheckBadCell): Deleted. 2020-06-15 Yusuke Suzuki <ysuzuki@apple.com> Webkit Feature BigInt on webkit.org https://bugs.webkit.org/show_bug.cgi?id=197546 Reviewed by Sam Weinig. Add BigInt entry to JSC features.json. * features.json: 2020-06-15 Keith Miller <keith_miller@apple.com> JIT thunks should work on arm64_32 https://bugs.webkit.org/show_bug.cgi?id=213103 Reviewed by Saam Barati. This patch fixes various issues when running JSC on arm64_32 with useJIT=1 and useBaselineJIT=0. In particular this patch makes the following changes: 1) ScalePtr is now just part of the Scale enum and is set based on the size of the address space. 2) MacroAssembler::*Ptr functions call 32/64 bit variants based on Address space size rather than cpu architecture. Vetting of callsites using Ptr as 64 will happen in future patches since it's hard to comprehensively vet. 3) Add some missing variants of functions for when pointers are 32-bit. 4) Add a load/storeReg function that stores a full register regardless of pointer size for storing/loading callee saves. 5) numberOfDFGCompiles should report a big number for useBaselineJIT=0 as some tests fail by default if useBaselineJIT=0 but useJIT=1. 6) Assert BaseIndex has a scale of PtrSize or TimesOne (for pre-scaled values) when passed to a load/storePtr function. * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::timesPtr): Deleted. * assembler/MacroAssembler.h: (JSC::MacroAssembler::rotateRightPtr): (JSC::MacroAssembler::loadPtr): (JSC::MacroAssembler::loadPtrWithCompactAddressOffsetPatch): (JSC::MacroAssembler::branchPtr): (JSC::MacroAssembler::storePtr): (JSC::MacroAssembler::shouldBlindDouble): (JSC::MacroAssembler::moveDouble): (JSC::MacroAssembler::store64): * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::add32): (JSC::MacroAssemblerARM64::signExtend32ToPtr): (JSC::MacroAssemblerARM64::loadPtr): (JSC::MacroAssemblerARM64::call): (JSC::MacroAssemblerARM64::farJump): * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::rotateRight32): * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::rotateRight32): * assembler/MacroAssemblerX86.h: * assembler/MacroAssemblerX86_64.h: * b3/B3LowerMacros.cpp: * b3/testb3_6.cpp: (testInterpreter): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitLoadStructure): (JSC::AssemblyHelpers::emitAllocateVariableSized): (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer): (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::storeReg): (JSC::AssemblyHelpers::loadReg): (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters): (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr): (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32): (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64): (JSC::AssemblyHelpers::emitPutToCallFrameHeader): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_enumerator_structure_pname): (JSC::JIT::emit_op_enumerator_generic_pname): * jit/ThunkGenerators.cpp: (JSC::nativeForGenerator): * runtime/TestRunnerUtils.cpp: (JSC::numberOfDFGCompiles): 2020-06-15 Caitlin Potter <caitp@igalia.com> [JSC] add machinery to disable JIT tiers when experimental features are enabled https://bugs.webkit.org/show_bug.cgi?id=213193 Reviewed by Mark Lam. A new macro FOR_EACH_JSC_EXPERIMENTAL_OPTION() supplies flags indicating the supported JIT tiers (or, in the future, other options) of a particular feature, in an easy to understand format. These flags are then used to recompute dependent feature flags. This should simplify the incremental development of language features. * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * runtime/Options.cpp: (JSC::recomputeDependentOptions): * runtime/OptionsList.h: 2020-06-15 Keith Miller <keith_miller@apple.com> Signal handlers should have a two phase installation. https://bugs.webkit.org/show_bug.cgi?id=213160 Reviewed by Mark Lam. * jsc.cpp: (CommandLine::parseArguments): (jscmain): * runtime/InitializeThreading.cpp: (JSC::initializeThreading): * runtime/VMTraps.cpp: * tools/SigillCrashAnalyzer.cpp: (JSC::installCrashHandler): * wasm/WasmFaultSignalHandler.cpp: (JSC::Wasm::enableFastMemory): (JSC::Wasm::prepareFastMemory): * wasm/WasmFaultSignalHandler.h: 2020-06-15 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, fix LLInt https://bugs.webkit.org/show_bug.cgi?id=157972 loadi only takes address. * llint/LowLevelInterpreter64.asm: 2020-06-15 Alexey Shvayka <shvaikalesh@gmail.com> super should not depend on __proto__ https://bugs.webkit.org/show_bug.cgi?id=157972 Reviewed by Saam Barati. Before this change, both super() call [1] and super.property [2] relied on Object.prototype.__proto__ to acquire super base, which was observable and incorrect if __proto__ gets removed. This patch introduces get_prototype_of bytecode, ensuring returned values are profiled so the op can be wired to existing DFG and FTL implementations. In order to avoid performance regression w/o DFG (__proto__ is optimized via IntrinsicGetterAccessCase), fast paths for LLInt and baseline JIT are added (64-bit only), utilizing OverridesGetPrototypeOutOfLine type info flag. This change aligns JSC with V8 and SpiderMonkey, progressing microbenchmarks/ super-get-by-{id,val}-with-this-monomorphic.js by 7-10%. SixSpeed is neutral. Also, extracts JSValue::getPrototype() method to avoid code duplication and utilizes it in objectConstructorGetPrototypeOf(), advancing provided microbenchmark by 40%. [1]: https://tc39.es/ecma262/#sec-getsuperconstructor (step 5) [2]: https://tc39.es/ecma262/#sec-getsuperbase (step 5) * builtins/BuiltinNames.h: * bytecode/BytecodeIntrinsicRegistry.h: * bytecode/BytecodeList.rb: * bytecode/BytecodeUseDef.cpp: (JSC::computeUsesForBytecodeIndexImpl): (JSC::computeDefsForBytecodeIndexImpl): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): * bytecode/Opcode.h: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitGetPrototypeOf): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::emitSuperBaseForCallee): (JSC::emitGetSuperFunctionForConstruct): (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPrototypeOf): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsicGetter): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGOperations.cpp: * jit/IntrinsicEmitter.cpp: (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * jit/JIT.h: * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_get_prototype_of): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter64.asm: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/CommonSlowPaths.h: * runtime/JSCJSValue.h: * runtime/JSCJSValueInlines.h: (JSC::JSValue::getPrototype const): * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncProtoGetter): * runtime/JSObject.cpp: (JSC::JSObject::calculatedClassName): * runtime/JSObject.h: (JSC::JSObject::getPrototype): * runtime/JSObjectInlines.h: (JSC::JSObject::canPerformFastPutInlineExcludingProto): (JSC::JSObject::getPropertySlot): (JSC::JSObject::getNonIndexPropertySlot): * runtime/JSProxy.h: * runtime/JSTypeInfo.h: (JSC::TypeInfo::overridesGetPrototype const): * runtime/ObjectConstructor.cpp: (JSC::objectConstructorGetPrototypeOf): * runtime/ProxyObject.h: * runtime/Structure.h: * runtime/Structure.cpp: (JSC::Structure::validateFlags): 2020-06-13 Devin Rousso <drousso@apple.com> Make `errors` an own property of `AggregateError` instead of a prototype accessor https://bugs.webkit.org/show_bug.cgi?id=212677 Reviewed by Yusuke Suzuki. * runtime/AggregateError.h: (JSC::AggregateError::destroy): Deleted. (JSC::AggregateError::subspaceFor): Deleted. (JSC::AggregateError::errors): Deleted. * runtime/AggregateError.cpp: (JSC::AggregateError::AggregateError): (JSC::AggregateError::finishCreation): Added. (JSC::AggregateError::visitChildren): Deleted. * runtime/AggregateErrorPrototype.h: * runtime/AggregateErrorPrototype.cpp: (JSC::AggregateErrorPrototype::finishCreation): (JSC::aggregateErrorPrototypeAccessorErrors): Deleted. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::initializeAggregateErrorConstructor): * runtime/VM.h: * runtime/VM.cpp: (JSC::VM::VM): * heap/Heap.cpp: (JSC::Heap::finalizeUnconditionalFinalizers): Remove `aggregateErrorSpace` since `AggregateError` doesn't add any new member variables. Ensure that it can share an `IsoSubspace` with `ErrorInstance`. * runtime/CommonIdentifiers.h: Add `errors`. 2020-06-12 Robin Morisset <rmorisset@apple.com> The ||= operator (and similar ones) should produce valid bytecode even if the right side is a static error https://bugs.webkit.org/show_bug.cgi?id=213154 Reviewed by Devin Rousso. There were two minor issues here that interacted: - emitThrowReferenceError did not take an optional `dst` argument like everything else, and instead always returned a new temporary. As a result, the various functions that sometimes did "return emitThrowReferenceError(..);" could return a different RegisterID than the one provided to them through `dst`, breaking the invariant stated at the top of the file. - ShortCircuitReadModifyResolveNode::emitBytecode used the result of such a function, unnecessarily, and (correctly) relied on the invariant being upheld. The combination of these led to the bytecode trying to do a move of a temporary that was only defined in one of the predecessors of the basic block it was on, which was caught by validateBytecode. I fixed both issues, and verified that either fix is enough to stop the bug. I fixed the first because other code may depend on that invariant in more subtle ways. I fixed the second because it was just unnecessary complexity and made the code misleading. I also reworded the comment at the top of NodesCodegen.cpp based on Keith's explanation and Mark's advice to make it less cryptic. * bytecompiler/NodesCodegen.cpp: (JSC::ThrowableExpressionData::emitThrowReferenceError): (JSC::PostfixNode::emitBytecode): (JSC::DeleteBracketNode::emitBytecode): (JSC::DeleteDotNode::emitBytecode): (JSC::PrefixNode::emitBytecode): (JSC::ShortCircuitReadModifyResolveNode::emitBytecode): (JSC::AssignErrorNode::emitBytecode): * parser/Nodes.h: 2020-06-12 Yusuke Suzuki <ysuzuki@apple.com> [JSC] el(Greek) characters' upper-case conversion is locale-sensitive https://bugs.webkit.org/show_bug.cgi?id=213155 <rdar://problem/55018467> Reviewed by Darin Adler. CLDR defines 4 locales which has language-sensitive case conversions. "az", "el", "lt", and "tr", where, az = Azerbaijani el = Greek lt = Lithuanian tr = Turkish We can ensure it easily like this. 1. Download CLDR data 2. `ls common/transforms/*Upper.xml` common/transforms/az-Upper.xml common/transforms/el-Upper.xml common/transforms/lt-Upper.xml common/transforms/tr-Upper.xml And ECMA-402 String.prototype.{toLocaleLowerCase,toLocaleUpperCase} requires these locales are listed as `availableLocales`. > 7. Let availableLocales be a List with language tags that includes the languages for which the Unicode Character > Database contains language sensitive case mappings. Implementations may add additional language tags if they > support case mapping for additional locales. https://tc39.es/ecma402/#sup-string.prototype.tolocalelowercase This patch adds "el" to our maintained availableLocales list. Previously we only had "az", "lt", and "tr". * runtime/StringPrototype.cpp: (JSC::toLocaleCase): (JSC::stringProtoFuncToLocaleUpperCase): 2020-06-12 Keith Miller <keith_miller@apple.com> Tests expecting a crash should use a signal handler in the JSC CLI process https://bugs.webkit.org/show_bug.cgi?id=212479 Reviewed by Yusuke Suzuki. Have the -s option use WTF::Signals and make sure it adds breakpoint catching as well. * jsc.cpp: (printUsageStatement): (CommandLine::parseArguments): * tools/SigillCrashAnalyzer.cpp: (JSC::installCrashHandler): 2020-06-12 Alexey Shvayka <shvaikalesh@gmail.com> AsyncGenerator should await "return" completions https://bugs.webkit.org/show_bug.cgi?id=212774 Reviewed by Ross Kirsling. This patch fixes 2 spec discrepancies, observable with async generators if the value of "return" completion is a Promise, aligning JSC with V8 and SpiderMonkey. * builtins/AsyncGeneratorPrototype.js: (onFulfilled): This change implements step 8 of AsyncGeneratorYield [1], that is executed after step 15 of AsyncGeneratorResumeNext [2] (implemented as @doAsyncGeneratorBodyCall). We are safe to rely on [[AsyncGeneratorState]] being "suspendedYield" (set in step 6 of AsyncGeneratorYield [1]) instead of adding extra field to AsyncGenerator: AsyncGeneratorResumeNext [2] does not overwrite "suspendedYield" state. This change fixes most of test262 cases. [1]: https://tc39.es/ecma262/#sec-asyncgeneratoryield [2]: https://tc39.es/ecma262/#sec-asyncgeneratorresumenext * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitDelegateYield): This change implements step 7.c.iii.1 of yield* runtime semantics [3], that is observable only if [[Value]] has userland "then" getter. Awaited result is discarded. This change fixes async-generator/yield-star-return-then-getter-ticks.js test262 case. [3]: https://tc39.es/ecma262/#sec-generator-function-definitions-runtime-semantics-evaluation 2020-06-12 Ross Kirsling <ross.kirsling@sony.com> Unreviewed, address Darin's feedback on r262890. * runtime/IntlObject.cpp: (JSC::addScriptlessLocaleIfNeeded): Use != instead of < for clarity. 2020-06-12 Adrian Perez de Castro <aperez@igalia.com> Build is broken with EVENT_LOOP_TYPE=GLib https://bugs.webkit.org/show_bug.cgi?id=212987 Reviewed by Konstantin Tokarev. * PlatformJSCOnly.cmake: Add sources needed to support the remote inspector to JavaScriptCore_SOURCES. 2020-06-11 Saam Barati <sbarati@apple.com> Linear Scan uses the wrong Interval for spills for tmps with roles of early def or late use https://bugs.webkit.org/show_bug.cgi?id=213055 <rdar://problem/59874018> Reviewed by Yusuke Suzuki. There was a bug in linear scan when computing the live range interval for spill tmps that had early defs or late uses. When linear scan spills a tmp, it creates a new tmp that it loads to and stores from, and replaces the old tmp with the new tmp, and emits stores/loads around pertinent instructions. The live interval for such tmps is small by nature, it's contained in the interval for the instruction itself. However, we'd build this interval purely based off the original tmp's arg timing. So, for example, let's consider a program like this: RandoInsn: LateUse:Tmp1, Use:Tmp2, [early = N, late = N+1] Let's say that Tmp1's last use is RandoInsn, and it had a def before RandoInsn, therefore, its live range will be something like: [J where J < N, N+1] and now imagine we spilled Tmp1 for some reason, and rewrote the program to be: Move Addr(spill for Tmp1), TmpSpill RandoInsn: LateUse:TmpSpill, Use:Tmp2, [early = N, late = N+1] We used to incorrectly mark the live range for TmpSpill to just be [N+1, N+2). However, the bug here is that we neglected that TmpSpill actually had an earlier def at [N, N+1). So, the live range for TmpSpill was wrong. This could incorrectly lead us to allocate Tmp2 and TmpSpill to the same register, since their live ranges may not intersect if Tmp2 dies at RandoInsn. We also had the symmetric bug for EarlyDefs: we wouldn't account for the store-spill that'd happen after something like RandoInsn. The fix is to account for the loads/stores of spill tmps when assigning them a live range. This patch contains a standalone test in testair. It also fixes crashes we had when running B3O1 tests using typed arrays on arm64e since we had patchpoints that utilized LateUse for signing and auth. * b3/B3Procedure.h: * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: * b3/air/testair.cpp: 2020-06-11 Saam Barati <sbarati@apple.com> Replace uses of black/white list with block/allow list https://bugs.webkit.org/show_bug.cgi?id=213084 Reviewed by Keith Miller. We should be using racially neutral names in our code. From Chromium style guide: "Terms such as 'blacklist' and 'whitelist' reinforce the notion that black==bad and white==good." * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * b3/air/AirLowerAfterRegAlloc.cpp: (JSC::B3::Air::lowerAfterRegAlloc): * dfg/DFGDriver.cpp: (JSC::DFG::ensureGlobalDFGAllowlist): (JSC::DFG::compileImpl): (JSC::DFG::ensureGlobalDFGWhitelist): Deleted. * dfg/DFGTierUpCheckInjectionPhase.cpp: (JSC::DFG::ensureGlobalFTLAllowlist): (JSC::DFG::TierUpCheckInjectionPhase::run): (JSC::DFG::ensureGlobalFTLWhitelist): Deleted. * heap/MachineStackMarker.cpp: * inspector/scripts/codegen/objc_generator.py: (ObjCGenerator.should_generate_types_for_domain): (ObjCGenerator.should_generate_commands_for_domain): (ObjCGenerator.should_generate_events_for_domain): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::ensureGlobalJITAllowlist): (JSC::LLInt::shouldJIT): (JSC::LLInt::ensureGlobalJITWhitelist): Deleted. * runtime/OptionsList.h: * tools/FunctionAllowlist.cpp: Copied from Source/JavaScriptCore/tools/FunctionWhitelist.cpp. (JSC::FunctionAllowlist::FunctionAllowlist): (JSC::FunctionAllowlist::contains const): (JSC::FunctionWhitelist::FunctionWhitelist): Deleted. (JSC::FunctionWhitelist::contains const): Deleted. * tools/FunctionAllowlist.h: Copied from Source/JavaScriptCore/tools/FunctionWhitelist.h. * tools/FunctionWhitelist.cpp: Removed. * tools/FunctionWhitelist.h: Removed. 2020-06-11 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Return DisposableCallSiteIndex when destroying GCAwareJITStubRoutineWithExceptionHandler https://bugs.webkit.org/show_bug.cgi?id=213069 <rdar://problem/64205186> Reviewed by Saam Barati. Inside GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount, we are returning DisposableCallSiteIndex to freelist. However, GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount can be called even if the code of GCAwareJITStubRoutineWithExceptionHandler is on the stack. Let's consider the following scenario. 1. Execute GCAwareJITStubRoutineWithExceptionHandler's code. Set CallSiteIndex to the stack. 2. Execute more code. (1)'s GCAwareJITStubRoutineWithExceptionHandler's code is on the stack. 3. (1)'s GCAwareJITStubRoutineWithExceptionHandler's refcount becomes zero. 4. CallSiteIndex of GCAwareJITStubRoutineWithExceptionHandler is returned. 5. Execute StackVisitor to construct frames. But we cannot find CodeOrigin corresponding to CallSiteIndex stored in (1) since it is already returned. DisposableCallSiteIndex should be returned after ensuring that GCAwareJITStubRoutineWithExceptionHandler's code is not on the stack. Detecting this is the functionality what GCAwareJITStubRoutineWithExceptionHandler can offer. It is destroyed after ensuring that GCAwareJITStubRoutineWithExceptionHandler's code is not on the stack. This patch delays DisposableCallSiteIndex returning until we destroy owner GCAwareJITStubRoutineWithExceptionHandler. But it is possible that CodeBlock* corresponding to GCAwareJITStubRoutineWithExceptionHandler is already destroyed. To avoid this condition, we extract CodeOrigins vector as Ref<DFG::CodeOriginPool> and keep it alive from GCAwareJITStubRoutineWithExceptionHandler too. And since CodeOrigin addition / removal happens only from the main thread after finishing the compilation, and GCAwareJITStubRoutineWithExceptionHandler's destructor is called from the Heap's finalizer, which must be executed from the main thread, we can just modify it without a lock. * CMakeLists.txt: * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::newExceptionHandlingCallSiteIndex): (JSC::CodeBlock::codeOrigins): * bytecode/CodeBlock.h: (JSC::CodeBlock::codeOrigin): * dfg/DFGCodeOriginPool.cpp: Added. (JSC::DFG::CodeOriginPool::addCodeOrigin): (JSC::DFG::CodeOriginPool::addUniqueCallSiteIndex): (JSC::DFG::CodeOriginPool::lastCallSite const): (JSC::DFG::CodeOriginPool::addDisposableCallSiteIndex): (JSC::DFG::CodeOriginPool::removeDisposableCallSiteIndex): (JSC::DFG::CodeOriginPool::shrinkToFit): * dfg/DFGCodeOriginPool.h: Added. (JSC::DFG::CodeOriginPool::create): (JSC::DFG::CodeOriginPool::get): (JSC::DFG::CodeOriginPool::size const): * dfg/DFGCommonData.cpp: (JSC::DFG::CommonData::shrinkToFit): (JSC::DFG::CommonData::addCodeOrigin): Deleted. (JSC::DFG::CommonData::addUniqueCallSiteIndex): Deleted. (JSC::DFG::CommonData::lastCallSite const): Deleted. (JSC::DFG::CommonData::addDisposableCallSiteIndex): Deleted. (JSC::DFG::CommonData::removeDisposableCallSiteIndex): Deleted. * dfg/DFGCommonData.h: (JSC::DFG::CommonData::CommonData): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::exceptionCheck): * dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::addCallSite): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compilePutById): (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): (JSC::FTL::DFG::LowerDFGToB3::compileDelBy): (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): (JSC::FTL::DFG::LowerDFGToB3::compileInById): (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf): (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail): (JSC::FTL::DFG::LowerDFGToB3::getById): (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis): (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath): (JSC::FTL::DFG::LowerDFGToB3::callPreflight): * ftl/FTLSlowPathCall.cpp: (JSC::FTL::callSiteIndexForCodeOrigin): * jit/GCAwareJITStubRoutine.cpp: (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler): (JSC::GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler): (JSC::GCAwareJITStubRoutineWithExceptionHandler::aboutToDie): (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount): * jit/GCAwareJITStubRoutine.h: 2020-06-11 Alexey Shvayka <shvaikalesh@gmail.com> RegExp.prototype getters should throw on cross-realm access https://bugs.webkit.org/show_bug.cgi?id=213075 Reviewed by Saam Barati. This patch makes RegExp.prototype getters throw TypeError when called on RegExp.prototype object from another realm, aligning JSC with V8 and SpiderMonkey. The spec [1] allows same-realm access to avoid breaking the web, while makes RegExp.prototype an ordinary object (rather than RegExp instance) where possible. [1]: https://tc39.es/ecma262/#sec-get-regexp.prototype.global (step 3.a) * runtime/RegExpPrototype.cpp: (JSC::regExpProtoGetterGlobal): (JSC::regExpProtoGetterIgnoreCase): (JSC::regExpProtoGetterMultiline): (JSC::regExpProtoGetterDotAll): (JSC::regExpProtoGetterSticky): (JSC::regExpProtoGetterUnicode): (JSC::regExpProtoGetterSource): 2020-06-11 Paulo Matos <pmatos@igalia.com> Add missing include to JSONObject.cpp - non-unified build https://bugs.webkit.org/show_bug.cgi?id=213073 Reviewed by Adrian Perez de Castro. * runtime/JSONObject.cpp: 2020-06-10 Ross Kirsling <ross.kirsling@sony.com> REGRESSION(r260697): [Intl] "missing script" locales like zh-TW are no longer mapped https://bugs.webkit.org/show_bug.cgi?id=213007 Reviewed by Darin Adler. addMissingScriptLocales was removed from IntlObject when changing our locale resolution to depend more directly on ICU, but apparently even latest ICU won't perform this legacy "region implies script" mapping for us. ICU 65+ does have uloc_openAvailableByType which will do the trick, so perhaps we should use this in the future, but it still doesn't seem to help us with Collator, which has its own separate set of "available locales". The exact set of locales which should be mapped is currently under discussion here: https://github.com/tc39/ecma402/issues/159 But the crux seems to be that we should ensure we have an xx-ZZ alias for all available xx-Yyyy-ZZ locales. * runtime/IntlObject.cpp: (JSC::addScriptlessLocaleIfNeeded): (JSC::intlAvailableLocales): (JSC::intlCollatorAvailableLocales): 2020-06-10 Yusuke Suzuki <ysuzuki@apple.com> [JSC] JSCallbackObject::deleteProperty should redirect to Parent::deletePropertyByIndex if propertyName is index https://bugs.webkit.org/show_bug.cgi?id=213041 <rdar://problem/64204300> Reviewed by Darin Adler. We have an infinite recursion here. -> JSCallbackObject::deletePropertyByIndex -> JSCell::deleteProperty -> JSCallbackObject::deleteProperty -> JSObject::deleteProperty -> JSCallbackObject::deletePropertyByIndex When propertyName in JSCallbackObject::deleteProperty is an index, we should go to JSObject::deletePropertyByIndex instead of JSObject::deleteProperty. * API/JSCallbackObjectFunctions.h: (JSC::JSCallbackObject<Parent>::deleteProperty): 2020-06-09 Mark Lam <mark.lam@apple.com> Stringifier::appendStringifiedValue() should not assume it is always safe to recurse. https://bugs.webkit.org/show_bug.cgi?id=213006 <rdar://problem/64154840> Reviewed by Keith Miller. In r262727, I suggested that Alexey Shvayka add an assertion in Stringifier::appendStringifiedValue() to assert that it is safe to recurse because we don't expect it to recurse into itself. Turns out this is a bad idea because a client may be doing the recursing before calling Stringifier::appendStringifiedValue(). As a result, Stringifier::appendStringifiedValue() ends up being executed with the stack pointer already in the reserved zone. This is legal, and is what the reserved zone is intended for as long as we don't recurse from here. However, this also means that asserting vm.isSafeToRecurseSoft() here will surely fail because we are already in the reserved zone area. The fix is simply to remove this faulty assertion. * runtime/JSONObject.cpp: (JSC::Stringifier::appendStringifiedValue): 2020-06-09 Mark Lam <mark.lam@apple.com> Disambiguate the OverridesGetPropertyNames structure flag https://bugs.webkit.org/show_bug.cgi?id=212909 <rdar://problem/63823557> Reviewed by Saam Barati. Previously, the OverridesGetPropertyNames structure flag could mean 2 different things: 1. the getPropertyNames() method is overridden, or 2. any of the forms of getPropertyName() is overridden: getPropertyName, getOwnPropertyNames, getOwnNonIndexPropertyNames Some parts of the code expects one definition while other parts expect the other. This patch disambiguates between the 2 by introducing OverridesAnyFormOfGetPropertyNames for definition (2). OverridesGetPropertyNames now only means definition (1). Note: we could have implemented overridesGetPropertyNames() by doing a comparison of the getPropertyNames pointer in the MethodTable. This is a little slower than checking a TypeInfo flag, but probably doesn't matter a lot in the code paths where overridesGetPropertyNames() is called. However, we have bits in TypeInfo left. So, we'll might as well use it. This ambiguity resulted in JSObject::getPropertyNames() recursing infinitely when it didn't think it could recurse. This is demonstrated in JSTests/stress/unexpected-stack-overflow-below-JSObject-getPropertyNames.js as follows: 1. The test case invokes JSObject::getPropertyNames on a JSArray. 2. In the while loop at the bottom of JSObject::getPropertynames(), we check `if (prototype->structure(vm)->typeInfo().overridesGetPropertyNames()) {`. 3. The test overrides proto as follows: `arg0.__proto__ = arr1` where both arg0 and arr1 are JArrays. 4. In the old code, JSArray sets OverridesGetPropertyNames but does not override getPropertyNames(). It actually meant to set OverridesAnyFormOfGetPropertyNames (after we disambiguated it) because JSArray overrides getOwnNonIndexPropertyNames(). 5. When we get to the check at (2), we ask if the prototype overridesGetPropertyNames(). Since JSArray sets OverridesGetPropertyNames, the answer is yes / true. JSObject::getPropertynames() then proceeds to invoke `prototype->methodTable(vm)->getPropertyNames(prototype, globalObject, propertyNames, mode);` But because JSArray does not actually overrides getPropertyNames(), we're actually invoking JSObject::getPropertyNames() here. Viola! Infinite loop. With this patch, JSArray is disambiguated to set OverridesAnyFormOfGetPropertyNames instead of OverridesGetPropertyNames, and this infinite loop no longer exists. This patch also made the following changes: 1. Templatized TypeInfo::isSetOnFlags1() and TypeInfo::isSetOnFlags2() so that we can used static_asserts instead of a debug ASSERT to verify the integrity of the flag we're checking against. 2. Added a Structure::validateFlags() called from the Structure constructor. validateFlags() will verify the following: a. OverridesGetOwnPropertySlot must be set in the flags if getOwnPropertySlot is overridden in the MethodTable. b. InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero must be set in the flags if getOwnPropertySlotByIndex is overridden in the MethodTable. c. HasPutPropertySecurityCheck must be set in the flags if doPutPropertySecurityCheck is overridden in the MethodTable. d. OverridesGetPropertyNames must be set in the flags if getPropertyNames is overridden in the MethodTable. e. OverridesAnyFormOfGetPropertyNames must be set in the flags if any of getPropertyNames, getOwnPropertyNames, or getOwnNonIndexPropertyNames are overridden in the MethodTable. An alternate solution would be to automatically set these flags if we detect their corresponding methods are overridden. However, this alternate solution requires this laundry list to be checked every time a structure is constructed. The current implementation of having the required flags already pre-determined as a constant is more efficient in terms of performance and code space. Also, it only takes one instantiation of the structure to verify that the flags are valid. Since we only write JSCell / JSObject classes when we need them and we always write tests to exercise new code (especially such classes), we're guaranteed the flags validation will be exercised. 3. Made JSObject::getOwnPropertySlot() and JSObject::doPutPropertySecurityCheck() not inlined when ASSERT_ENABLED. This is needed in order for Structure::validateFlags() to do its checks using function pointer comparisons. Otherwise, the inline functions can result in multiple instantiations of these functions. For example, WebCore can get its own copy of JSObject::getOwnPropertySlot() and the comparisons will think the function is overridden even when it's not. 4. Structure::validateFlags() found the following problems which are now fixed: GetterSetter was not using its StructureFlags. As a result, it was missing the OverridesGetOwnPropertySlot flag. JSDataView did not define its StructureFlags. It was missing the OverridesGetOwnPropertySlot and OverridesAnyFormOfGetPropertyNames flags. 5. Changed a TypeInfo constructor to not have a default argument for the flags value. Also grepped for all uses of this constructor to make sure that it is passed the StructureFlags field. This exercise found the following issue: JSAPIValueWrapper was not using its StructureFlags when creating its structure. Previously, it was just ignoring the StructureIsImmortal flag in StructureFlags. 6. Hardened the assertions for hasReadOnlyOrGetterSetterPropertiesExcludingProto() and hasGetterSetterProperties() in the Structure constructor. Previously, if the flag is set, it verifies that the ClassInfo has the appropriate data expected by the flag. However, it does not assert the reverse i.e. that if the ClassInfo data exists, then the flag must also be set. The new assertions now checks both. Moved the overridesGetCallData() assertion into Structure::validateFlags() because it concerns the OverridesGetCallData flag. This assertion has also ben hardened. * API/JSAPIValueWrapper.h: * API/JSCallbackObject.h: * debugger/DebuggerScope.h: * inspector/JSInjectedScriptHostPrototype.h: * inspector/JSJavaScriptCallFramePrototype.h: * runtime/ClonedArguments.h: * runtime/ErrorInstance.h: * runtime/GenericArguments.h: * runtime/GetterSetter.h: * runtime/JSArray.h: * runtime/JSDataView.h: * runtime/JSFunction.h: * runtime/JSGenericTypedArrayView.h: * runtime/JSGlobalObject.h: * runtime/JSLexicalEnvironment.h: * runtime/JSModuleEnvironment.h: * runtime/JSModuleNamespaceObject.h: * runtime/JSObject.cpp: (JSC::JSObject::doPutPropertySecurityCheck): (JSC::JSObject::getOwnPropertySlot): * runtime/JSObject.h: (JSC::JSObject::getOwnPropertySlotImpl): (JSC::JSObject::getOwnPropertySlot): * runtime/JSProxy.h: * runtime/JSString.h: * runtime/JSSymbolTableObject.h: * runtime/JSTypeInfo.h: (JSC::TypeInfo::TypeInfo): (JSC::TypeInfo::masqueradesAsUndefined const): (JSC::TypeInfo::implementsHasInstance const): (JSC::TypeInfo::implementsDefaultHasInstance const): (JSC::TypeInfo::overridesGetCallData const): (JSC::TypeInfo::overridesToThis const): (JSC::TypeInfo::structureIsImmortal const): (JSC::TypeInfo::overridesGetPropertyNames const): (JSC::TypeInfo::overridesAnyFormOfGetPropertyNames const): (JSC::TypeInfo::prohibitsPropertyCaching const): (JSC::TypeInfo::getOwnPropertySlotIsImpure const): (JSC::TypeInfo::getOwnPropertySlotIsImpureForPropertyAbsence const): (JSC::TypeInfo::hasPutPropertySecurityCheck const): (JSC::TypeInfo::newImpurePropertyFiresWatchpoints const): (JSC::TypeInfo::isImmutablePrototypeExoticObject const): (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero const): (JSC::TypeInfo::isSetOnFlags1 const): (JSC::TypeInfo::isSetOnFlags2 const): * runtime/ObjectConstructor.cpp: (JSC::objectConstructorAssign): * runtime/ProxyObject.h: * runtime/RegExpObject.h: * runtime/StringObject.h: * runtime/Structure.cpp: (JSC::Structure::validateFlags): (JSC::Structure::Structure): * runtime/Structure.h: * runtime/StructureInlines.h: (JSC::Structure::canCacheOwnKeys const): * tools/JSDollarVM.cpp: 2020-06-09 Jonathan Bedard <jbedard@apple.com> JavaScriptCore: Support tvOS and watchOS builds with the public SDK https://bugs.webkit.org/show_bug.cgi?id=212788 <rdar://problem/64000087> Reviewed by Tim Horton. * Configurations/Base.xcconfig: Link to tvOS and watchOS framework stubs. * Configurations/JavaScriptCore.xcconfig: Use iOS flags for all embedded platforms. 2020-06-09 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Shrink __DATA,(__data,__bss,__common) more https://bugs.webkit.org/show_bug.cgi?id=212863 Reviewed by Sam Weinig. 1. Use `unsigned` instead of `size_t` in GC size-class array. We know that this number never exceeds largeCutoff, which must be much maller than UINT32_MAX. 2. Add missing const to various variables to put them DATA,__const instead of DATA,__data etc. * heap/MarkedSpace.cpp: (JSC::MarkedSpace::initializeSizeClassForStepSize): * heap/MarkedSpace.h: * heap/VisitRaceKey.cpp: * heap/VisitRaceKey.h: * inspector/agents/InspectorDebuggerAgent.cpp: * inspector/agents/InspectorDebuggerAgent.h: * runtime/PropertyDescriptor.cpp: * runtime/PropertyDescriptor.h: 2020-06-08 Keith Miller <keith_miller@apple.com> Removed unneeded POINTER_WIDTH macro from b3 https://bugs.webkit.org/show_bug.cgi?id=212927 Reviewed by Yusuke Suzuki. C++20 has real constexpr functions so we don't need the POINTER_WIDTH macro anymore. * b3/B3Width.h: (JSC::B3::pointerWidth): * b3/air/opcode_generator.rb: 2020-06-08 Alexey Shvayka <shvaikalesh@gmail.com> JSON.stringify should throw stack overflow error https://bugs.webkit.org/show_bug.cgi?id=143511 Reviewed by Ross Kirsling and Mark Lam. This change adds m_holderStack.size() check, reusing the limit of JSON.parse, and throws StackOverflowError if exceeded, aligning JSC with V8 and SpiderMonkey. Even with all the cyclic structure checks in place, excess is possible due to very deeply nested object, user-provided "toJSON" method or functional replacer. While Stringifier::appendStringifiedValue() and Holder::appendNextProperty() mutually call each other, recursion is avoided by !holderStackWasEmpty check and do/while loop at the end of appendStringifiedValue(), as well as cyclic structure check as per spec [1]. [1]: https://tc39.es/ecma262/#sec-serializejsonobject (step 1) * runtime/JSONObject.cpp: (JSC::Stringifier::appendStringifiedValue): (JSC::Walker::walk): 2020-06-08 Jonathan Bedard <jbedard@apple.com> JavaScriptCore: Fix PLATFORM(TVOS) macro https://bugs.webkit.org/show_bug.cgi?id=212900 <rdar://problem/64118879> Unreviewed build fix. * tools/JSDollarVM.cpp: (JSC::functionIsMemoryLimited): PLATFORM(TVOS) should be PLATFORM(APPLETV). 2020-06-07 Philippe Normand <pnormand@igalia.com> Remove ENABLE_VIDEO_TRACK ifdef guards https://bugs.webkit.org/show_bug.cgi?id=212568 Reviewed by Youenn Fablet. * Configurations/FeatureDefines.xcconfig: Remove ENABLE_VIDEO_TRACK, which is now enabled by default under the ENABLE_VIDEO guard. 2020-06-07 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Checksum for generated files should be emitted at the end of the files https://bugs.webkit.org/show_bug.cgi?id=212875 Reviewed by Mark Lam. If the offlineasm file generation is interrupted in the middle of the generation, it already emitted checksum. So next file generation can accept this broken file as a result of offlineasm and skip file generation. We should emit checksum at the end of files. For now, this patch takes a quick way: just iterating lines, getting a last line and use it for checksum comparison. * generator/GeneratedFile.rb: * offlineasm/asm.rb: 2020-06-06 Mark Lam <mark.lam@apple.com> Make CodeBlockHash robust against unreasonably long source code. https://bugs.webkit.org/show_bug.cgi?id=212847 <rdar://problem/64024279> Reviewed by Saam Barati. This patch adds a heuristic to avoid trying to compute the CodeBlockHash on unreasonably long source code strings. This is done by first applying a length check and, if needed, computing the hash with an alternate method. This is OK to do because: 1. CodeBlockHash is not a critical hash. 2. In practice, reasonable source code are not that long. 3. And if they are that long, then we are still diversifying the hash on their length. But if they do collide, it's OK. The only invariant here is that we should always produce the same hash for the same source string. Since the algorithm is deterministic, this invariant is not violated. * bytecode/CodeBlockHash.cpp: (JSC::CodeBlockHash::CodeBlockHash): 2020-06-06 Devin Rousso <drousso@apple.com> Web Inspector: unify the naming scheme for agents used by instrumentation https://bugs.webkit.org/show_bug.cgi?id=212859 Reviewed by Timothy Hatcher. Inspector agents fall into one of three categories: - "persistent" when Web Inspector is connected - "enabled" when that agent is `enable`d, such as if the corresponding tab is visible - "tracking" when that agent is part of a timeline recording. The only exception to this is the Console agent, as that exists regardless of whether Web Inspector is connected as it needs to preserve messages logged before Web Inspector connects. Also remove the "Inspector" prefix from getter/setter methods as it adds confusion if that agent also has subclasses (e.g. `InspectorRuntimeAgent` and `PageRuntimeAgent`). * inspector/JSGlobalObjectConsoleClient.h: * inspector/JSGlobalObjectInspectorController.cpp: * inspector/agents/InspectorConsoleAgent.h: 2020-06-05 Michael Saboff <msaboff@apple.com> Make FAST_JIT_PERMISSIONS check in LinkBuffer::copyCompactAndLinkCode a runtime check https://bugs.webkit.org/show_bug.cgi?id=212825 Reviewed by Saam Barati. Added useFastJITPermissions() for runtime checks of FAST_JIT_PERMISSIONS including the cases where it is conditional on OS settings. This is now used in a few places to declutter the code. When using the fast JIT permissions path, the JIT memory is the direct output of the linking. Modified BranchCompactionLinkBuffer to hold a pointer to that output "buffer" or a temporarily allocated buffer depending on if fast JIT permissions are enabled. Broke out the "verify hash" conditionally compiled code with a file local ENABLE_VERIFY_JIT_HASH macro for readability. * assembler/LinkBuffer.cpp: (JSC::BranchCompactionLinkBuffer::BranchCompactionLinkBuffer): (JSC::BranchCompactionLinkBuffer::~BranchCompactionLinkBuffer): Changed this to use a provided buffer or a malloc'ed buffer. When using a malloc'ed buffer, we put it in a thread local cache. (JSC::LinkBuffer::copyCompactAndLinkCode): * jit/ExecutableAllocator.h: (JSC::useFastJITPermissions): (JSC::performJITMemcpy): 2020-06-05 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Put dfgOpNames in __DATA,__const section instead of __DATA,__data https://bugs.webkit.org/show_bug.cgi?id=212840 Reviewed by Saam Barati. dfgOpNames array itself is not const annotated, and the compiler makes it __DATA,__data instead of __DATA,__const. We should annotate it with const to ensure that this is compiled into __DATA,__const. We also remove unused CallFrame::describeFrame since it allocates some bss memory, while we have more sophisticated mechanism (VMInspector) for this functionality and this function is no longer used. * dfg/DFGDoesGCCheck.cpp: (JSC::DFG::DoesGCCheck::verifyCanGC): * dfg/DFGGraph.cpp: * dfg/DFGGraph.h: * interpreter/CallFrame.cpp: (JSC::CallFrame::describeFrame): Deleted. * interpreter/CallFrame.h: 2020-06-05 Tadeu Zagallo <tzagallo@apple.com> REGRESSION(r262523): Fix testb3 https://bugs.webkit.org/show_bug.cgi?id=212791 Reviewed by Mark Lam. * b3/testb3_1.cpp: (run): (main): 2020-06-05 Paulo Matos <pmatos@igalia.com> Add missing ECMAMode header to fix NonUnified Build https://bugs.webkit.org/show_bug.cgi?id=212838 Reviewed by Darin Adler. * bytecode/PutByValFlags.h: 2020-06-05 Saam Barati <sbarati@apple.com> Audit safe to execute https://bugs.webkit.org/show_bug.cgi?id=207075 <rdar://problem/59085094> Reviewed by Yusuke Suzuki. This audit found one interesting case for DOMJIT nodes. We emit safety checks for CallDOM/CallDOMGetter inside fixup phase and the bytecode parser. When determining if these nodes are safe to execute, we need to also ensure that these checks hold. I've also added a helper to JSDollarVM to ensure that this patch doesn't break LICM of DOMJIT. This patch also moves some nodes we will never hoist to return false. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleDOMJITGetter): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::attemptToMakeCallDOM): * dfg/DFGNode.h: (JSC::DFG::Node::classInfo): (JSC::DFG::Node::requiredDOMJITClassInfo): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * tools/JSDollarVM.cpp: (JSC::functionCreateDOMJITGetterNoEffectsObject): (JSC::JSDollarVM::finishCreation): 2020-06-05 Devin Rousso <drousso@apple.com> Logical Assignment: perform NamedEvaluation of anonymous functions https://bugs.webkit.org/show_bug.cgi?id=212679 Reviewed by Ross Kirsling. * parser/ASTBuilder.h: (JSC::ASTBuilder::makeAssignNode): 2020-06-05 Yusuke Suzuki <ysuzuki@apple.com> DOM constructor should only accept Ref<> / ExceptionOr<Ref<>> for creation to ensure toJSNewlyCreated is always returning object https://bugs.webkit.org/show_bug.cgi?id=212767 Reviewed by Darin Adler. * runtime/JSObject.h: (JSC::asObject): 2020-06-05 Andy Estes <aestes@apple.com> [Apple Pay] Remove conditionals for ENABLE_APPLE_PAY_SESSION_V(3|4) https://bugs.webkit.org/show_bug.cgi?id=212541 <rdar://problem/63781452> Reviewed by Darin Adler. APPLE_PAY_SESSION_V(3|4) is now enabled whenever APPLE_PAY itself is enabled. * Configurations/FeatureDefines.xcconfig: 2020-06-05 Caitlin Potter <caitp@igalia.com> [JSC] Add support for private class fields https://bugs.webkit.org/show_bug.cgi?id=206431 Reviewed by Saam Barati. Expanding upon the earlier public class fields patch, we implement the remaining (and significant parts) of the instance fields (https://tc39.es/proposal-class-fields/). There are a variety of key changes here: - Parser now understands the concept of private names (Token PRIVATENAME). - 1 new opcode (op_get_private_name), one changed opcode (op_put_by_val_direct). - A method for creating Symbol objects with a null PrivateSymbolImpl is exposed as a LinkTimeConstant (@createPrivateSymbol). - Null Private Symbols are stored by name (not a valid identifier) in a JSScope, and are loaded from the outer scope whenever they are used by the modified opcodes. The changes to op_put_by_val_direct include a new bytecode operand (PutByValFlags) which are used to distinguish between overwriting or defining a new private field. Specifically, when it comes to private field accesses, it's necessary to throw an exception when accessing a field which does not exist, or when attempting to define a private field which has already been defined. During the evaluation of a class expression, before the class element list is evaluated (in case any computed property names expressions refer to a new private field), a new PrivateSymbol is created for each individual private field name, and stored in the class lexical scope. Private field names are loaded from scope before their use. This prevents multiple evaluations of the same class source from accessing each other's private fields, because the values of the symbols loaded from the class scope would be distinct. This is required by the proposal text, and is the key reason why we use ByVal lookups rather than ById lookups. To illustrate, typical private field access will look like: <Field Reads> resolve_scope <scope=>, <currentScope>, "#x", GlobalProperty, 0 get_from_scope <symbol=>, <scope>, "#x", 1050624<DoNotThrowIfNotFound|GlobalProperty|NotInitialization>, 0, 0 get_private_name <value=>, <receiver --- probably 'this'>, <symbol> <Field Writes> resolve_scope <scope=>, <currentScope>, "#x", GlobalProperty, 0 get_from_scope <symbol=>, <scope>, "#x", 1050624<DoNotThrowIfNotFound|GlobalProperty|NotInitialization>, 0, 0 put_by_val_direct <receiver, probably 'this'>, <symbol>, <value>, <PutByValPrivateName> <Field Definition> resolve_scope <scope=>, <currentScope>, "#x", GlobalProperty, 0 get_from_scope <symbol=>, <scope>, "#x", 1050624<DoNotThrowIfNotFound|GlobalProperty|NotInitialization>, 0, 0 put_by_val_direct <receiver, probably 'this'>, <symbol>, <value>, <PutByValPrivateName|PutByValThrowIfExists> The feature is currently hidden behind the feature flag JSC::Options::usePrivateClassFields. * CMakeLists.txt: * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * builtins/BuiltinNames.h: * bytecode/BytecodeList.rb: * bytecode/BytecodeUseDef.cpp: (JSC::computeUsesForBytecodeIndexImpl): (JSC::computeDefsForBytecodeIndexImpl): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finalizeLLIntInlineCaches): * bytecode/Fits.h: * bytecode/LinkTimeConstant.h: * bytecode/PutByValFlags.cpp: Copied from Source/JavaScriptCore/bytecode/PutKind.h. (WTF::printInternal): * bytecode/PutByValFlags.h: Added. (JSC::PutByValFlags::create): (JSC::PutByValFlags::createDirect): (JSC::PutByValFlags::createDefinePrivateField): (JSC::PutByValFlags::createPutPrivateField): (JSC::PutByValFlags::isDirect const): (JSC::PutByValFlags::ecmaMode const): (JSC::PutByValFlags::privateFieldAccessKind const): (JSC::PutByValFlags::isPrivateFieldAccess const): (JSC::PutByValFlags::isPrivateFieldPut const): (JSC::PutByValFlags::isPrivateFieldAdd const): (JSC::PutByValFlags::PutByValFlags): * bytecode/PutKind.h: * bytecode/UnlinkedFunctionExecutable.cpp: (JSC::generateUnlinkedFunctionCodeBlock): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::instantiateLexicalVariables): (JSC::BytecodeGenerator::emitDirectGetByVal): (JSC::BytecodeGenerator::emitDirectPutByVal): (JSC::BytecodeGenerator::emitDefinePrivateField): (JSC::BytecodeGenerator::emitPrivateFieldPut): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::PropertyListNode::emitDeclarePrivateFieldNames): (JSC::PropertyListNode::emitBytecode): (JSC::PropertyListNode::emitPutConstantProperty): (JSC::DotAccessorNode::emitBytecode): (JSC::BaseDotNode::emitGetPropertyValue): (JSC::BaseDotNode::emitPutProperty): (JSC::FunctionCallDotNode::emitBytecode): (JSC::PostfixNode::emitDot): (JSC::PrefixNode::emitDot): (JSC::AssignDotNode::emitBytecode): (JSC::ReadModifyDotNode::emitBytecode): (JSC::DefineFieldNode::emitBytecode): (JSC::ClassExprNode::emitBytecode): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ecmaMode): (JSC::DFG::ecmaMode<OpPutByValDirect>): (JSC::DFG::ByteCodeParser::handlePutByVal): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::cachedPutById): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compilePutById): * generator/DSL.rb: * jit/ICStats.h: * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): * jit/JIT.h: * jit/JITInlineCacheGenerator.cpp: (JSC::JITPutByIdGenerator::JITPutByIdGenerator): (JSC::JITPutByIdGenerator::slowPathFunction): * jit/JITInlineCacheGenerator.h: (JSC::JITPutByIdGenerator::JITPutByIdGenerator): * jit/JITInlines.h: (JSC::JIT::ecmaMode): (JSC::JIT::ecmaMode<OpPutById>): (JSC::JIT::ecmaMode<OpPutByValDirect>): (JSC::JIT::privateFieldAccessKind): (JSC::JIT::privateFieldAccessKind<OpPutByValDirect>): * jit/JITOperations.cpp: (JSC::putPrivateField): (JSC::definePrivateField): * jit/JITOperations.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emitPutByValWithCachedId): (JSC::JIT::emitSlow_op_put_by_val): (JSC::JIT::emit_op_put_by_id): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emitSlow_op_put_by_val): (JSC::JIT::emit_op_put_by_id): * jit/Repatch.cpp: (JSC::appropriateGenericPutByIdFunction): (JSC::appropriateOptimizingPutByIdFunction): (JSC::tryCachePutByID): * llint/LLIntOffsetsExtractor.cpp: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LLIntSlowPaths.h: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * parser/ASTBuilder.h: (JSC::ASTBuilder::createDotAccess): (JSC::ASTBuilder::isPrivateLocation): (JSC::ASTBuilder::makeFunctionCallNode): (JSC::ASTBuilder::makeAssignNode): * parser/Lexer.cpp: (JSC::Lexer<LChar>::parseIdentifier): (JSC::Lexer<UChar>::parseIdentifier): (JSC::Lexer<CharacterType>::parseIdentifierSlowCase): (JSC::Lexer<T>::lexWithoutClearingLineTerminator): * parser/NodeConstructors.h: (JSC::BaseDotNode::BaseDotNode): (JSC::DotAccessorNode::DotAccessorNode): (JSC::FunctionCallDotNode::FunctionCallDotNode): (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode): (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode): (JSC::HasOwnPropertyFunctionCallDotNode::HasOwnPropertyFunctionCallDotNode): (JSC::AssignDotNode::AssignDotNode): (JSC::ReadModifyDotNode::ReadModifyDotNode): * parser/Nodes.cpp: (JSC::PropertyListNode::shouldCreateLexicalScopeForClass): * parser/Nodes.h: (JSC::ExpressionNode::isPrivateLocation const): (JSC::BaseDotNode::base const): (JSC::BaseDotNode::identifier const): (JSC::BaseDotNode::type const): (JSC::BaseDotNode::isPrivateField const): * parser/Parser.cpp: (JSC::Parser<LexerType>::parseVariableDeclarationList): (JSC::Parser<LexerType>::parseDestructuringPattern): (JSC::Parser<LexerType>::parseClass): (JSC::Parser<LexerType>::parseInstanceFieldInitializerSourceElements): (JSC::Parser<LexerType>::usePrivateName): (JSC::Parser<LexerType>::parseMemberExpression): (JSC::Parser<LexerType>::parseUnaryExpression): (JSC::Parser<LexerType>::printUnexpectedTokenText): * parser/Parser.h: (JSC::Scope::isPrivateNameScope const): (JSC::Scope::setIsPrivateNameScope): (JSC::Scope::hasPrivateName): (JSC::Scope::copyUndeclaredPrivateNamesTo): (JSC::Scope::hasUsedButUndeclaredPrivateNames const): (JSC::Scope::usePrivateName): (JSC::Scope::declarePrivateName): (JSC::Parser::findPrivateNameScope): (JSC::Parser::privateNameScope): (JSC::Parser::copyUndeclaredPrivateNamesToOuterScope): (JSC::Parser::matchAndUpdate): (JSC::Parser<LexerType>::parse): (JSC::parse): * parser/ParserTokens.h: * parser/SyntaxChecker.h: (JSC::SyntaxChecker::createDotAccess): (JSC::SyntaxChecker::operatorStackPop): * parser/VariableEnvironment.cpp: (JSC::VariableEnvironment::operator=): (JSC::VariableEnvironment::swap): (JSC::CompactVariableEnvironment::CompactVariableEnvironment): * parser/VariableEnvironment.h: (JSC::VariableEnvironmentEntry::isPrivateName const): (JSC::VariableEnvironmentEntry::setIsPrivateName): (JSC::PrivateNameEntry::PrivateNameEntry): (JSC::PrivateNameEntry::isUsed const): (JSC::PrivateNameEntry::isDeclared const): (JSC::PrivateNameEntry::setIsUsed): (JSC::PrivateNameEntry::setIsDeclared): (JSC::PrivateNameEntry::bits const): (JSC::PrivateNameEntry::operator== const): (JSC::VariableEnvironment::VariableEnvironment): (JSC::VariableEnvironment::size const): (JSC::VariableEnvironment::mapSize const): (JSC::VariableEnvironment::declarePrivateName): (JSC::VariableEnvironment::usePrivateName): (JSC::VariableEnvironment::privateNames const): (JSC::VariableEnvironment::privateNamesSize const): (JSC::VariableEnvironment::hasPrivateName): (JSC::VariableEnvironment::copyPrivateNamesTo const): (JSC::VariableEnvironment::copyUndeclaredPrivateNamesTo const): (JSC::VariableEnvironment::RareData::RareData): (JSC::VariableEnvironment::getOrAddPrivateName): * runtime/CachedTypes.cpp: (JSC::CachedOptional::decodeAsPtr const): (JSC::CachedVariableEnvironmentRareData::encode): (JSC::CachedVariableEnvironmentRareData::decode const): (JSC::CachedVariableEnvironment::encode): (JSC::CachedVariableEnvironment::decode const): (JSC::CachedSymbolTableRareData::encode): (JSC::CachedSymbolTableRareData::decode const): (JSC::CachedSymbolTable::encode): (JSC::CachedSymbolTable::decode const): * runtime/CodeCache.cpp: (JSC::generateUnlinkedCodeBlockImpl): * runtime/CommonIdentifiers.cpp: (JSC::CommonIdentifiers::CommonIdentifiers): * runtime/CommonIdentifiers.h: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/CommonSlowPaths.h: * runtime/ExceptionHelpers.cpp: (JSC::createInvalidPrivateNameError): (JSC::createRedefinedPrivateNameError): * runtime/ExceptionHelpers.h: * runtime/JSGlobalObject.cpp: (JSC::createPrivateSymbol): (JSC::JSGlobalObject::init): * runtime/JSObject.h: * runtime/JSObjectInlines.h: (JSC::JSObject::getPrivateFieldSlot): (JSC::JSObject::getPrivateField): (JSC::JSObject::putPrivateField): (JSC::JSObject::definePrivateField): * runtime/JSScope.cpp: (JSC::JSScope::collectClosureVariablesUnderTDZ): * runtime/OptionsList.h: * runtime/SymbolTable.cpp: (JSC::SymbolTable::cloneScopePart): * runtime/SymbolTable.h: 2020-06-05 Paulo Matos <pmatos@igalia.com> Fix includes to fix latest non-unified builds breakages https://bugs.webkit.org/show_bug.cgi?id=212802 Reviewed by Adrian Perez de Castro. * dfg/DFGDoesGCCheck.cpp: * runtime/JSDateMath.h: 2020-06-04 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Report extra memory allocation from PropertyTable https://bugs.webkit.org/show_bug.cgi?id=212793 Reviewed by Saam Barati. This patch adds extra memory reporting from PropertyTable to make GC responsive to the increase of memory in PropertyTable. * runtime/PropertyMapHashTable.h: (JSC::PropertyTable::add): (JSC::PropertyTable::remove): (JSC::PropertyTable::rehash): (JSC::PropertyTable::dataSize): * runtime/PropertyTable.cpp: (JSC::PropertyTable::finishCreation): (JSC::PropertyTable::visitChildren): * runtime/Structure.cpp: (JSC::Structure::materializePropertyTable): * runtime/StructureInlines.h: (JSC::Structure::add): (JSC::Structure::remove): 2020-06-04 Commit Queue <commit-queue@webkit.org> Unreviewed, reverting r262583. https://bugs.webkit.org/show_bug.cgi?id=212799 Internal source code has the same bug, needs to be landed after fixing internal source Reverted changeset: "DOM constructor should only accept Ref<> / ExceptionOr<Ref<>> for creation to ensure toJSNewlyCreated is always returning object" https://bugs.webkit.org/show_bug.cgi?id=212767 https://trac.webkit.org/changeset/262583 2020-06-04 Michael Saboff <msaboff@apple.com> Add a Thread Specific Cache for LinkBuffer::CompactAndLinkCode() https://bugs.webkit.org/show_bug.cgi?id=212765 Reviewed by Saam Barati. Added a thread local buffer for CPU types that use a second buffer when compacting. This is very similary to the work done in https://bugs.webkit.org/show_bug.cgi?id=212562. * assembler/LinkBuffer.cpp: (JSC::threadSpecificBranchCompactionLinkBuffer): (JSC::BranchCompactionLinkBuffer::BranchCompactionLinkBuffer): (JSC::BranchCompactionLinkBuffer::~BranchCompactionLinkBuffer): (JSC::BranchCompactionLinkBuffer::data): (JSC::BranchCompactionLinkBuffer::takeBufferIfLarger): (JSC::BranchCompactionLinkBuffer::size): (JSC::LinkBuffer::copyCompactAndLinkCode): 2020-06-04 Mark Lam <mark.lam@apple.com> Add Options::validateDoesGC() for turning DoesGC validation on/off. https://bugs.webkit.org/show_bug.cgi?id=212773 Reviewed by Saam Barati. It will default to on if ASSERT_ENABLED because we want testing to be done with the validation on. When needed, we can turn it off if we need to e.g. to de-clutter disassembly dumps while debugging. If Options::validateDoesGC() is false, we turn off JIT code emission for this check, as well as skip the validation checks. There are still places in C++ code that store to DoesGC::m_value without checking Options::validateDoesGC(). It doesn't hurt to just let these stores proceed, and performance-wise, it's probably cheaper to just do the store unconditionally than to gate it on a load of Options::validateDoesGC() first. Also made it explicit that the check on validateDFGDoesGC is a constexpr check. * dfg/DFGDoesGCCheck.cpp: (JSC::DFG::DoesGCCheck::verifyCanGC): * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::compileExit): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): * runtime/OptionsList.h: 2020-06-04 Ross Kirsling <ross.kirsling@sony.com> Intl classes should have meaningful @@toStringTag values https://bugs.webkit.org/show_bug.cgi?id=212769 Reviewed by Yusuke Suzuki. Implementation of https://github.com/tc39/ecma402/pull/430, which achieved consensus this week. This ensures we get "[object Intl.Collator]" (etc.) instead "[object Object]" for older Intl classes. * runtime/IntlCollatorPrototype.cpp: * runtime/IntlDateTimeFormatPrototype.cpp: * runtime/IntlNumberFormatPrototype.cpp: * runtime/IntlPluralRulesPrototype.cpp: 2020-06-04 Alexey Shvayka <shvaikalesh@gmail.com> GetMethod isn't performed properly on iterators https://bugs.webkit.org/show_bug.cgi?id=212771 Reviewed by Saam Barati. Before this change, iterator's "return" and "throw" methods with value of `null` were considered incorrect rather than missing, causing TypeError to be thrown. This patch aligns method lookup of iterators with the spec [1], V8, and SpiderMonkey by utilizing isUndefinedOrNull(), which doesn't special-case [[IsHTMLDDA]] objects [2], fixing a few Annex B tests. for/of microbenchmarks are neutral. [1]: https://tc39.es/ecma262/#sec-getmethod (step 3) [2]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot * builtins/AsyncFromSyncIteratorPrototype.js: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitIteratorGenericClose): (JSC::BytecodeGenerator::emitGetAsyncIterator): (JSC::BytecodeGenerator::emitDelegateYield): * runtime/IteratorOperations.cpp: (JSC::iteratorClose): * runtime/JSGenericTypedArrayViewConstructorInlines.h: (JSC::constructGenericTypedArrayViewWithArguments): 2020-06-04 Mark Lam <mark.lam@apple.com> Reduce DFGDoesGCCheck to only storing a uint32_t. https://bugs.webkit.org/show_bug.cgi?id=212734 Reviewed by Saam Barati and Caio Lima. This patch changes the encoding of DoesGCCheck so that it will fit better in a uint32_t. This has the following benefits: 1. speed improvement for debug builds because it now takes less instructions (especially in JITted code) to store to DoesGCCheck::m_value. 2. enables this check for 32-bit platforms as well. Fun fact: we currently have 373 DFG::NodeTypes. Hence, 9 bits for nodeOp. The new encoding provides 21 bis for the nodeIndex. This gives us up to 2097152 node indexes. In my experience, I've never seen more than 3 decimal digits for the nodeIndex so far. If we ever find that we need more than 21 bits of nodeIndex, we have 2 options to deal with it: 1. We can just ignore the high bits. After all, it is the nodeOp that is the most interesting piece of data we need to debug doesGC issues. 2. We can make DoesGCCheck use uint64_t for storage. This encoding automatically scales to 64-bit, while still allowing the more efficient form of storing a 32-bit immediate to be used for the common cases. This patch also makes ENABLE_DFG_DOES_GC_VALIDATION dependent on ENABLE(DFG_JIT). DoesGC is only relevant for the DFG and FTL JITs. * dfg/DFGDoesGCCheck.cpp: (JSC::DFG::DoesGCCheck::verifyCanGC): * dfg/DFGDoesGCCheck.h: (JSC::DFG::DoesGCCheck::encode): (JSC::DFG::DoesGCCheck::expectDoesGC const): (JSC::DFG::DoesGCCheck::isSpecial const): (JSC::DFG::DoesGCCheck::special): (JSC::DFG::DoesGCCheck::nodeOp): (JSC::DFG::DoesGCCheck::nodeIndex): (JSC::DFG::DoesGCCheck::expectDoesGC): Deleted. (JSC::DFG::DoesGCCheck::isSpecial): Deleted. (JSC::DFG::DoesGCCheck::specialIndex): Deleted. (JSC::DFG::DoesGCCheck::bits): Deleted. * dfg/DFGNodeType.h: * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::compileExit): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): * heap/Heap.h: 2020-06-04 Tim Horton <timothy_horton@apple.com> Work around broken system version macro https://bugs.webkit.org/show_bug.cgi?id=212726 Reviewed by Dan Bernstein. * Configurations/DebugRelease.xcconfig: 2020-06-04 Andy Estes <aestes@apple.com> [watchOS] Re-enable content filtering in the simulator build https://bugs.webkit.org/show_bug.cgi?id=212711 <rdar://problem/63938350> Reviewed by Wenson Hsieh. * Configurations/FeatureDefines.xcconfig: 2020-06-04 Mark Lam <mark.lam@apple.com> SpeculativeJIT::compileDateGet()'s slow path does not need an exception check. https://bugs.webkit.org/show_bug.cgi?id=212645 Reviewed by Yusuke Suzuki. SpeculativeJIT::compileDateGet() implements a bunch of Date intrinsics which call into a C++ operation function do their work. However, the call to these operation functions were done using a slow path generator configured to automatically emit exception checks after the call. These exception checks are unneeded because those functions will not throw any exceptions. This issue was found with JSC stress test runs on a debug build. The doesGC verifier was failing on the exceptionFuzz/date-format-xparb.js test. The reason is because doesGC does not expect any these Date intrinsics to throw any exceptions, but SpeculativeJIT was emitting the unneeded exception checks there. These exception check sites get turned into throw sites by the exceptionFuzzer, and they allocate an Error object there. This allocation made the doesGC verifier not happy. This patch fixes this issue by changing SpeculativeJIT::compileDateGet() to pass ExceptionCheckRequirement::CheckNotNeeded to the slow path generator. The patch also proves that all the operation functions cannot throw any exceptions. Previously, the operations passes a VM& to the Date functions. The purpose for doing this is so that the Date functions can work with a few date cache data structures stored as VM fields. This patch refactors those VM fields into a VM::DateCache struct, and changed all those Date functions to take a VM::DateCache& instead of a VM&. Since the Date functions no longer take a VM&, this proves that they cannot throw because they would need a VM& to make a ThrowScope in order to throw. Update: Yusuke pointed out that the lack of a JSGlobalObject* argument is sufficient to guarantee that the Date functions cannot throw. However, we'll keep this DateCache refactoring since it provides additional info that the Date functions only operate on the DateCache fields and nothing else in VM. Also removed DFG::JITCompile's fastExceptionCheck() which is unused. * dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::fastExceptionCheck): Deleted. * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compileDateGet): * runtime/DateConstructor.cpp: (JSC::millisecondsFromComponents): (JSC::callDate): * runtime/DateInstance.cpp: (JSC::DateInstance::calculateGregorianDateTime const): (JSC::DateInstance::calculateGregorianDateTimeUTC const): * runtime/DateInstance.h: * runtime/DatePrototype.cpp: (JSC::formatLocaleDate): (JSC::formateDateInstance): (JSC::dateProtoFuncToISOString): (JSC::dateProtoFuncGetFullYear): (JSC::dateProtoFuncGetUTCFullYear): (JSC::dateProtoFuncGetMonth): (JSC::dateProtoFuncGetUTCMonth): (JSC::dateProtoFuncGetDate): (JSC::dateProtoFuncGetUTCDate): (JSC::dateProtoFuncGetDay): (JSC::dateProtoFuncGetUTCDay): (JSC::dateProtoFuncGetHours): (JSC::dateProtoFuncGetUTCHours): (JSC::dateProtoFuncGetMinutes): (JSC::dateProtoFuncGetUTCMinutes): (JSC::dateProtoFuncGetSeconds): (JSC::dateProtoFuncGetUTCSeconds): (JSC::dateProtoFuncGetTimezoneOffset): (JSC::setNewValueFromTimeArgs): (JSC::setNewValueFromDateArgs): (JSC::dateProtoFuncSetYear): (JSC::dateProtoFuncGetYear): * runtime/JSDateMath.cpp: (JSC::localTimeOffset): (JSC::gregorianDateTimeToMS): (JSC::msToGregorianDateTime): (JSC::parseDate): * runtime/JSDateMath.h: * runtime/VM.cpp: (JSC::VM::resetDateCache): * runtime/VM.h: 2020-06-04 Paulo Matos <pmatos@igalia.com> Fix 32bit build broken at r262513 https://bugs.webkit.org/show_bug.cgi?id=212735 Unreviewed Gardening. Proper fix is being worked out under https://bugs.webkit.org/show_bug.cgi?id=212734 * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::compileExit): 2020-06-03 Tadeu Zagallo <tzagallo@apple.com> Disable B3 hoistLoopInvariantValues by default https://bugs.webkit.org/show_bug.cgi?id=212511 <rdar://problem/63813245> Reviewed by Mark Lam. The hoistLoopInvariantValues optimization in B3 does not calculate the cost of hoisting the candidates. For example, in the test case provided with the bug, a switch inside a loop can lead to hoisting the body of several switch cases which would never be executed. Other than leading to worse runtime, this also increases the pressure in the register allocate, leading to worse compile times (~10x worse in this case). I have added a FIXME to consider adding cost calculation and re-enabling this pass, but given that we already have LICM in DFG, it should be ok to disable it for now. * b3/B3Generate.cpp: (JSC::B3::generateToAir): * runtime/OptionsList.h: 2020-06-03 Mark Lam <mark.lam@apple.com> Gardening: fix broken Windows debug build. https://bugs.webkit.org/show_bug.cgi?id=212680 Not reviewed. * dfg/DFGDoesGCCheck.cpp: (JSC::DFG::DoesGCCheck::verifyCanGC): * dfg/DFGDoesGCCheck.h: 2020-06-03 Mark Lam <mark.lam@apple.com> [Re-landing] Enhance DoesGC verification to print more useful info when verification fails. https://bugs.webkit.org/show_bug.cgi?id=212680 Reviewed by Yusuke Susuki. When DoesGC verification fails, the first step of debugging it would be to find out what and which DFG node resulted in the failed verification. In pre-existing code, all we get is an assertion failure. This patch makes it so that the verifier will dump useful info. Here's an example: Error: DoesGC failed @ D@34 DateGetInt32OrNaN in #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)] [0] frame 0x7ffee8285660 { name: sourceURL: isInlinedFrame: false callee: 0x1135f6820 returnPC: 0x50ce61248ae6 callerFrame: 0x7ffee82856f0 rawLocationBits: 5 0x5 codeBlock: 0x1135bd1d0 #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)] hasCodeOrigins: true callSiteIndex: 5 of 13 jitCode: 0x113020200 start 0x50ce61214c60 end 0x50ce61219b00 line: 1 column: 60 EntryFrame: 0x7ffee8285860 } [1] frame 0x7ffee82856f0 { name: sourceURL: date-format-xparb.js isInlinedFrame: false callee: 0x1135f65a0 returnPC: 0x50ce61227e99 callerFrame: 0x7ffee8285770 rawLocationBits: 4 0x4 codeBlock: 0x1135bd0a0 #BU6Zcd:[0x1135bd0a0->0x1135bc260->0x1135e5180, DFGFunctionCall, 112 (DidTryToEnterInLoop)] hasCodeOrigins: true callSiteIndex: 4 of 12 jitCode: 0x113004000 start 0x50ce61212c60 end 0x50ce61214960 line: 26 column: 22 EntryFrame: 0x7ffee8285860 } [2] frame 0x7ffee8285770 { name: sourceURL: date-format-xparb.js isInlinedFrame: false callee: 0x1135f64e0 returnPC: 0x108058eb1 callerFrame: 0x7ffee82857e0 rawLocationBits: 1001 0x3e9 codeBlock: 0x1135bc130 #DAS9xe:[0x1135bc130->0x1135e5100, BaselineFunctionCall, 1149] bc#1001 of 1149 line: 417 column: 38 EntryFrame: 0x7ffee8285860 } [3] frame 0x7ffee82857e0 { name: global code sourceURL: date-format-xparb.js isInlinedFrame: false callee: 0x1130f97b8 returnPC: 0x108039043 callerFrame: 0x0 rawLocationBits: 23 0x17 codeBlock: 0x1135bc000 <global>#CukXvt:[0x1135bc000->0x1130cd768, LLIntGlobal, 81] bc#23 of 81 line: 425 column: 3 EntryFrame: 0x7ffee8285860 } ASSERTION FAILED: expectDoesGC() The error message now comes with the node index, NodeType, codeBlock which this failure was found in, and the JS call stack that led to the failure. Changes made: 1. Introduced a DoesGCCheck value that is used to encode some of the above data. Previously, we only recorded whether doesGC() returns true or false for the Node. Now, we record the nodeIndex and nodeOp as well. Note that we also set DoesGC expectations for OSR exits. So, DoesGCCheck includes Special cases for those. 2. Added store64(TrustedImm64 imm, const void* address) emitters for X86_64 and ARM64. Also added a test for this new emitter in testmasm. * CMakeLists.txt: * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::store64): * assembler/MacroAssemblerX86_64.h: (JSC::MacroAssemblerX86_64::store64): * assembler/testmasm.cpp: (JSC::testStore64Imm64AddressPointer): (JSC::run): * dfg/DFGDoesGCCheck.cpp: Copied from Source/JavaScriptCore/dfg/DFGDoesGCCheck.cpp. * dfg/DFGDoesGCCheck.h: Copied from Source/JavaScriptCore/dfg/DFGDoesGCCheck.h. * dfg/DFGGraph.cpp: * dfg/DFGOSRExit.cpp: (JSC::DFG::operationCompileOSRExit): (JSC::DFG::OSRExit::compileExit): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): (JSC::FTL::operationCompileFTLOSRExit): * heap/CompleteSubspace.cpp: (JSC::CompleteSubspace::tryAllocateSlow): (JSC::CompleteSubspace::reallocatePreciseAllocationNonVirtual): * heap/CompleteSubspaceInlines.h: (JSC::CompleteSubspace::allocateNonVirtual): * heap/DeferGC.h: (JSC::DeferGC::~DeferGC): * heap/GCDeferralContextInlines.h: (JSC::GCDeferralContext::~GCDeferralContext): * heap/Heap.cpp: (JSC::Heap::collectNow): (JSC::Heap::collectAsync): (JSC::Heap::collectSync): (JSC::Heap::stopIfNecessarySlow): (JSC::Heap::collectIfNecessaryOrDefer): * heap/Heap.h: (JSC::Heap::addressOfDoesGC): (JSC::Heap::setDoesGCExpectation): (JSC::Heap::verifyCanGC): (JSC::Heap::expectDoesGC const): Deleted. (JSC::Heap::setExpectDoesGC): Deleted. (JSC::Heap::addressOfExpectDoesGC): Deleted. * heap/HeapInlines.h: (JSC::Heap::acquireAccess): (JSC::Heap::stopIfNecessary): * heap/LocalAllocatorInlines.h: (JSC::LocalAllocator::allocate): * heap/PreciseAllocation.cpp: (JSC::PreciseAllocation::tryCreate): (JSC::PreciseAllocation::createForLowerTier): * runtime/JSString.h: (JSC::jsSingleCharacterString): (JSC::JSString::toAtomString const): (JSC::JSString::toExistingAtomString const): (JSC::JSString::value const): (JSC::JSString::tryGetValue const): (JSC::JSRopeString::unsafeView const): (JSC::JSRopeString::viewWithUnderlyingString const): (JSC::JSString::unsafeView const): * runtime/RegExpMatchesArray.h: (JSC::createRegExpMatchesArray): 2020-06-03 Mark Lam <mark.lam@apple.com> DFGSSAConversionPhase.cpp needs to #include OperandsInlines.h. https://bugs.webkit.org/show_bug.cgi?id=212687 Reviewed by Keith Miller. Without this, strange build failures can happen with unified builds. For example, the Windows build started failing due a linkage error in this file when the patch from https://bugs.webkit.org/show_bug.cgi?id=212680 landed. 212680 introduced a new .cpp file, and that probably bumped DFGSSAConversionPhase.cpp into another unified unit, thereby depriving it from seeing the OperandsInlines.h #include'd by another .cpp. * dfg/DFGSSAConversionPhase.cpp: 2020-06-03 Mark Lam <mark.lam@apple.com> Fix non-unified --jsc-only build. https://bugs.webkit.org/show_bug.cgi?id=212707 Reviewed by Yusuke Suzuki. These files need JSGlobalObjectInlines.h. But rather than adding yet another #include, we'll just remove many individual ones and just #include JSCInlines.h instead. * wasm/js/JSToWasmICCallee.cpp: * wasm/js/WebAssemblyCompileErrorConstructor.cpp: * wasm/js/WebAssemblyCompileErrorPrototype.cpp: * wasm/js/WebAssemblyGlobalPrototype.cpp: * wasm/js/WebAssemblyInstanceConstructor.cpp: * wasm/js/WebAssemblyInstancePrototype.cpp: * wasm/js/WebAssemblyLinkErrorConstructor.cpp: * wasm/js/WebAssemblyLinkErrorPrototype.cpp: * wasm/js/WebAssemblyModulePrototype.cpp: * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: 2020-06-03 Rob Buis <rbuis@igalia.com> Make generated C++ code use modern C++ https://bugs.webkit.org/show_bug.cgi?id=190714 Reviewed by Jonathan Bedard. Update inspector protocol generator and rebaseline the tests. * inspector/scripts/codegen/cpp_generator_templates.py: * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: * inspector/scripts/tests/expected/enum-values.json-result: * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: * inspector/scripts/tests/expected/type-declaration-array-type.json-result: * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: * inspector/scripts/tests/expected/type-declaration-object-type.json-result: * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: * yarr/generateYarrUnicodePropertyTables.py: 2020-06-02 Mark Lam <mark.lam@apple.com> Rolling out r262475 to unbreak Windows bot. https://bugs.webkit.org/show_bug.cgi?id=212680 Not reviewed. * CMakeLists.txt: * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * assembler/MacroAssemblerARM64.h: * assembler/MacroAssemblerX86_64.h: * assembler/testmasm.cpp: (JSC::testCountTrailingZeros64WithoutNullCheck): (JSC::run): (JSC::testStore64Imm64AddressPointer): Deleted. * dfg/DFGDoesGCCheck.cpp: Removed. * dfg/DFGDoesGCCheck.h: Removed. * dfg/DFGGraph.cpp: * dfg/DFGOSRExit.cpp: (JSC::DFG::operationCompileOSRExit): (JSC::DFG::OSRExit::compileExit): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): (JSC::FTL::operationCompileFTLOSRExit): * heap/CompleteSubspace.cpp: (JSC::CompleteSubspace::tryAllocateSlow): (JSC::CompleteSubspace::reallocatePreciseAllocationNonVirtual): * heap/CompleteSubspaceInlines.h: (JSC::CompleteSubspace::allocateNonVirtual): * heap/DeferGC.h: (JSC::DeferGC::~DeferGC): * heap/GCDeferralContextInlines.h: (JSC::GCDeferralContext::~GCDeferralContext): * heap/Heap.cpp: (JSC::Heap::collectNow): (JSC::Heap::collectAsync): (JSC::Heap::collectSync): (JSC::Heap::stopIfNecessarySlow): (JSC::Heap::collectIfNecessaryOrDefer): * heap/Heap.h: (JSC::Heap::expectDoesGC const): (JSC::Heap::setExpectDoesGC): (JSC::Heap::addressOfExpectDoesGC): (JSC::Heap::addressOfDoesGC): Deleted. (JSC::Heap::setDoesGCExpectation): Deleted. (JSC::Heap::verifyCanGC): Deleted. * heap/HeapInlines.h: (JSC::Heap::acquireAccess): (JSC::Heap::stopIfNecessary): * heap/LocalAllocatorInlines.h: (JSC::LocalAllocator::allocate): * heap/PreciseAllocation.cpp: (JSC::PreciseAllocation::tryCreate): (JSC::PreciseAllocation::createForLowerTier): * runtime/JSString.h: (JSC::jsSingleCharacterString): (JSC::JSString::toAtomString const): (JSC::JSString::toExistingAtomString const): (JSC::JSString::value const): (JSC::JSString::tryGetValue const): (JSC::JSRopeString::unsafeView const): (JSC::JSRopeString::viewWithUnderlyingString const): (JSC::JSString::unsafeView const): * runtime/RegExpMatchesArray.h: (JSC::createRegExpMatchesArray): 2020-06-02 Mark Lam <mark.lam@apple.com> Enhance DoesGC verification to print more useful info when verification fails. https://bugs.webkit.org/show_bug.cgi?id=212680 Reviewed by Yusuke Suzuki. When DoesGC verification fails, the first step of debugging it would be to find out what and which DFG node resulted in the failed verification. In pre-existing code, all we get is an assertion failure. This patch makes it so that the verifier will dump useful info. Here's an example: Error: DoesGC failed @ D@34 DateGetInt32OrNaN in #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)] [0] frame 0x7ffee8285660 { name: sourceURL: isInlinedFrame: false callee: 0x1135f6820 returnPC: 0x50ce61248ae6 callerFrame: 0x7ffee82856f0 rawLocationBits: 5 0x5 codeBlock: 0x1135bd1d0 #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)] hasCodeOrigins: true callSiteIndex: 5 of 13 jitCode: 0x113020200 start 0x50ce61214c60 end 0x50ce61219b00 line: 1 column: 60 EntryFrame: 0x7ffee8285860 } [1] frame 0x7ffee82856f0 { name: sourceURL: date-format-xparb.js isInlinedFrame: false callee: 0x1135f65a0 returnPC: 0x50ce61227e99 callerFrame: 0x7ffee8285770 rawLocationBits: 4 0x4 codeBlock: 0x1135bd0a0 #BU6Zcd:[0x1135bd0a0->0x1135bc260->0x1135e5180, DFGFunctionCall, 112 (DidTryToEnterInLoop)] hasCodeOrigins: true callSiteIndex: 4 of 12 jitCode: 0x113004000 start 0x50ce61212c60 end 0x50ce61214960 line: 26 column: 22 EntryFrame: 0x7ffee8285860 } [2] frame 0x7ffee8285770 { name: sourceURL: date-format-xparb.js isInlinedFrame: false callee: 0x1135f64e0 returnPC: 0x108058eb1 callerFrame: 0x7ffee82857e0 rawLocationBits: 1001 0x3e9 codeBlock: 0x1135bc130 #DAS9xe:[0x1135bc130->0x1135e5100, BaselineFunctionCall, 1149] bc#1001 of 1149 line: 417 column: 38 EntryFrame: 0x7ffee8285860 } [3] frame 0x7ffee82857e0 { name: global code sourceURL: date-format-xparb.js isInlinedFrame: false callee: 0x1130f97b8 returnPC: 0x108039043 callerFrame: 0x0 rawLocationBits: 23 0x17 codeBlock: 0x1135bc000 <global>#CukXvt:[0x1135bc000->0x1130cd768, LLIntGlobal, 81] bc#23 of 81 line: 425 column: 3 EntryFrame: 0x7ffee8285860 } ASSERTION FAILED: expectDoesGC() The error message now comes with the node index, NodeType, codeBlock which this failure was found in, and the JS call stack that led to the failure. Changes made: 1. Introduced a DoesGCCheck value that is used to encode some of the above data. Previously, we only recorded whether doesGC() returns true or false for the Node. Now, we record the nodeIndex and nodeOp as well. Note that we also set DoesGC expectations for OSR exits. So, DoesGCCheck includes Special cases for those. 2. Added store64(TrustedImm64 imm, const void* address) emitters for X86_64 and ARM64. Also added a test for this new emitter in testmasm. * CMakeLists.txt: * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::store64): * assembler/MacroAssemblerX86_64.h: (JSC::MacroAssemblerX86_64::store64): * assembler/testmasm.cpp: (JSC::testStore64Imm64AddressPointer): (JSC::run): * dfg/DFGDoesGCCheck.cpp: Added. (JSC::DFG::DoesGCCheck::verifyCanGC): * dfg/DFGDoesGCCheck.h: Added. (JSC::DFG::DoesGCCheck::DoesGCCheck): (JSC::DFG::DoesGCCheck::encode): (JSC::DFG::DoesGCCheck::set): (JSC::DFG::DoesGCCheck::expectDoesGC): (JSC::DFG::DoesGCCheck::special): (JSC::DFG::DoesGCCheck::nodeIndex): (JSC::DFG::DoesGCCheck::nodeOp): (JSC::DFG::DoesGCCheck::isSpecial): (JSC::DFG::DoesGCCheck::specialIndex): (JSC::DFG::DoesGCCheck::bits): * dfg/DFGGraph.cpp: * dfg/DFGOSRExit.cpp: (JSC::DFG::operationCompileOSRExit): (JSC::DFG::OSRExit::compileExit): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): (JSC::FTL::operationCompileFTLOSRExit): * heap/CompleteSubspace.cpp: (JSC::CompleteSubspace::tryAllocateSlow): (JSC::CompleteSubspace::reallocatePreciseAllocationNonVirtual): * heap/CompleteSubspaceInlines.h: (JSC::CompleteSubspace::allocateNonVirtual): * heap/DeferGC.h: (JSC::DeferGC::~DeferGC): * heap/GCDeferralContextInlines.h: (JSC::GCDeferralContext::~GCDeferralContext): * heap/Heap.cpp: (JSC::Heap::collectNow): (JSC::Heap::collectAsync): (JSC::Heap::collectSync): (JSC::Heap::stopIfNecessarySlow): (JSC::Heap::collectIfNecessaryOrDefer): * heap/Heap.h: (JSC::Heap::addressOfDoesGC): (JSC::Heap::setDoesGCExpectation): (JSC::Heap::verifyCanGC): (JSC::Heap::expectDoesGC const): Deleted. (JSC::Heap::setExpectDoesGC): Deleted. (JSC::Heap::addressOfExpectDoesGC): Deleted. * heap/HeapInlines.h: (JSC::Heap::acquireAccess): (JSC::Heap::stopIfNecessary): * heap/LocalAllocatorInlines.h: (JSC::LocalAllocator::allocate): * heap/PreciseAllocation.cpp: (JSC::PreciseAllocation::tryCreate): (JSC::PreciseAllocation::createForLowerTier): * runtime/JSString.h: (JSC::jsSingleCharacterString): (JSC::JSString::toAtomString const): (JSC::JSString::toExistingAtomString const): (JSC::JSString::value const): (JSC::JSString::tryGetValue const): (JSC::JSRopeString::unsafeView const): (JSC::JSRopeString::viewWithUnderlyingString const): (JSC::JSString::unsafeView const): * runtime/RegExpMatchesArray.h: (JSC::createRegExpMatchesArray): 2020-06-02 Mark Lam <mark.lam@apple.com> VMInspector APIs should be taking a VM* instead of a JSGlobalObject*. https://bugs.webkit.org/show_bug.cgi?id=212676 Reviewed by Saam Barati and Robin Morisset. This because: 1. None of the functions currently taking a JSGlobalObject* actually need the globalObject. All of them need the VM. 2. The role of the VMInspector is to enable inspection of the VM. By requiring that it be passed a JSGlobalObject*, we were actually preventing the VMInspector from being used in code that have a VM to inspect but don't have a JSGlobalObject to use. The reason I'm choosing to pass VM* instead of VM& is because it makes these functions trivial to call using lldb interactively. The VMInspector functions are also intentionally designed so that they can be used for this purpose. On occasion, I may have to cast literal numbers (addresses) to VM*. Technically, I could cast a number to VM* and dereference it to get a VM& too. However, at present, lldb is often buggy and not always reliable with casts. I would like to lessen the chance that lldb fails on me when I'm deep in the middle of a debugging session, and have a need to call one of these functions. * tools/JSDollarVM.cpp: (JSC::functionGC): (JSC::functionEdenGC): (JSC::functionCodeBlockForFrame): (JSC::codeBlockFromArg): (JSC::functionDumpCallFrame): (JSC::functionDumpStack): * tools/VMInspector.cpp: (JSC::VMInspector::currentThreadOwnsJSLock): (JSC::ensureCurrentThreadOwnsJSLock): (JSC::VMInspector::gc): (JSC::VMInspector::edenGC): (JSC::VMInspector::isValidCodeBlock): (JSC::VMInspector::codeBlockForFrame): (JSC::VMInspector::dumpCallFrame): (JSC::VMInspector::dumpStack): * tools/VMInspector.h: 2020-06-02 Keith Rollin <krollin@apple.com> Revert FEATURES_DEFINES related changes https://bugs.webkit.org/show_bug.cgi?id=212664 <rdar://problem/63893033> Reviewed by Andy Estes. Bug 262310, Bug 262311, Bug 262318, and Bug 262331 involve changes to FEATURE_DEFINES and how the values there relate to those found in the Platform*.h files. Those changes break XCBuild (by removing the .xcfilelist related to UnifiedSources and the process for generating them), and so are being reverted. * Configurations/FeatureDefines.xcconfig: 2020-06-02 Ryan Haddad <ryanhaddad@apple.com> Unreviewed, reverting r262424. Caused webkitpy test failure Reverted changeset: "Make generated C++ code use modern C++" https://bugs.webkit.org/show_bug.cgi?id=190714 https://trac.webkit.org/changeset/262424 2020-06-02 Mark Lam <mark.lam@apple.com> Change Gigacage::Config to use storage in WebConfig::g_config instead of its own. https://bugs.webkit.org/show_bug.cgi?id=212585 <rdar://problem/63812487> Reviewed by Yusuke Suzuki. * assembler/testmasm.cpp: (JSC::testCagePreservesPACFailureBit): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::caged): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::cageConditionally): * llint/LowLevelInterpreter64.asm: * runtime/JSCConfig.h: (JSC::Config::isPermanentlyFrozen): 2020-06-02 Saam Barati <sbarati@apple.com> MultiDeleteByOffset should not always def https://bugs.webkit.org/show_bug.cgi?id=212621 <rdar://problem/63824182> Reviewed by Yusuke Suzuki. Clobberize used to claim that MultiDeleteByOffset always defd a value. That's an incorrect modeling of MultiDeleteByOffset though, since it might have delete misses in its variant list. This would lead us to incorrectly CSE when we shouldn't. This patch fixes this by saying MultiDeleteByOffset only defs when all its cases write out a value (are hits). * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGNode.cpp: (JSC::DFG::MultiDeleteByOffsetData::allVariantsStoreEmpty const): * dfg/DFGNode.h: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileMultiDeleteByOffset): 2020-06-02 Rob Buis <rbuis@igalia.com> Make generated C++ code use modern C++ https://bugs.webkit.org/show_bug.cgi?id=190714 Reviewed by Sam Weinig. Update inspector protocol generator and rebaseline the tests. * inspector/scripts/codegen/cpp_generator_templates.py: * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: * inspector/scripts/tests/expected/enum-values.json-result: * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: * inspector/scripts/tests/expected/type-declaration-array-type.json-result: * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: * inspector/scripts/tests/expected/type-declaration-object-type.json-result: * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: * yarr/generateYarrUnicodePropertyTables.py: 2020-06-02 Paulo Matos <pmatos@igalia.com> Fix assert message formatting https://bugs.webkit.org/show_bug.cgi?id=212591 Reviewed by Adrian Perez de Castro. Fixes warning by gcc - lineParts.size() is size_t, %zu should be used. * runtime/FuzzerPredictions.cpp: (JSC::FuzzerPredictions::FuzzerPredictions): 2020-06-01 Devin Rousso <drousso@apple.com> Web Inspector: Graphics: should use the `id` (name) of the animation if it exists https://bugs.webkit.org/show_bug.cgi?id=212618 Reviewed by Timothy Hatcher. * inspector/protocol/Animation.json: - added an optional `name` property to the `Animation.Animation` type - created a new `Animation.nameChanged` event 2020-06-01 Saam Barati <sbarati@apple.com> Correct misunderstandings on how ThreadSpecific work https://bugs.webkit.org/show_bug.cgi?id=212616 Reviewed by Michael Saboff. There were two misunderstandings I had when writing code using ThreadSpecific when doing LLInt bytecode buffer caching in Wasm. 1. For ThreadSpecific<Vector>, I was calling Vector's constructor twice unnecessarily, and incorrectly, since we ended up constructing over an already constructed Vector for the second call. When doing operator* or operator-> on a ThreadSpecific<T>, T() is called if it has not been initialized yet. So there is no need to do manually call the constructor the second time. 2. There is no need to try to destroy entries for ThreadSpecific manually since we already run destructors when the thread goes away. This patch removes code for (1) and (2) both from the Wasm bytecode buffer and from AssemblerData. * assembler/AssemblerBuffer.cpp: (JSC::clearAssembleDataThreadSpecificCache): Deleted. * assembler/AssemblerBuffer.h: (JSC::AssemblerBuffer::AssemblerBuffer): (JSC::AssemblerBuffer::~AssemblerBuffer): (JSC::AssemblerBuffer::getThreadSpecificAssemblerData): Deleted. * dfg/DFGWorklist.cpp: * jit/JITWorklist.cpp: * wasm/WasmLLIntGenerator.cpp: (JSC::Wasm::LLIntGenerator::LLIntGenerator): (JSC::Wasm::clearLLIntThreadSpecificCache): Deleted. * wasm/WasmLLIntGenerator.h: * wasm/WasmWorklist.cpp: 2020-06-01 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, fix build failure in ARMv7k https://bugs.webkit.org/show_bug.cgi?id=212595 * runtime/JSCJSValue.cpp: (JSC::JSValue::toThisSlowCase const): 2020-06-01 Yusuke Suzuki <ysuzuki@apple.com> [JSC] JSBigInt::rightTrim can miss |this| pointer and leads to incorrect GC collection https://bugs.webkit.org/show_bug.cgi?id=212601 Reviewed by Saam Barati. This is pretty rare case. But in some optimization level, JSBigInt::rightTrim could store |this| + offset pointer into the stack instead of |this| and make conservative GC think that |this| JSBigInt is unreachable. We put ensureStillAliveHere(this) to ensure that this is alive. * runtime/JSBigInt.cpp: (JSC::JSBigInt::rightTrim): 2020-06-01 Mark Lam <mark.lam@apple.com> x86.rb's LabelReference.x86LoadOperand()'s address operand should be a pointer type. https://bugs.webkit.org/show_bug.cgi?id=212603 Reviewed by Saam Barati. The current implementation mistakenly sets the address type to that of the value being loaded. I encountered this issue when I was trying to do a loadb from a global address. Because of this bug, the emitted code was trying do a load using %al (8 byte register) as the pointer to load from. With this fix, it now loads from %rax. * offlineasm/x86.rb: 2020-06-01 Yusuke Suzuki <ysuzuki@apple.com> [JSC] JSValue::toThis should not throw exception https://bugs.webkit.org/show_bug.cgi?id=212595 Reviewed by Mark Lam. Including WebCore code, there are a lot of code which assume JSValue::toThis should not throw an exception. This assumption was now broken after making JSBigInt allocation graceful for OOM. But for this particular JSValue::toThis case, we can make it non-throwing code. This patch makes JSValue::toThis non-throwing code to fix exception-missing debug assertions. We ensure that BigIntObject can hold BigInt32 (actually, it can already if toObjectSlowCase path is taken). * runtime/BigIntObject.cpp: (JSC::BigIntObject::create): * runtime/JSCJSValue.cpp: (JSC::JSValue::toThisSlowCase const): 2020-06-01 Yusuke Suzuki <ysuzuki@apple.com> [JSC] BigInt operations should handle exception correctly https://bugs.webkit.org/show_bug.cgi?id=212596 Reviewed by Mark Lam. Some places miss exception check / explicit scope-release while BigInt operations can now throw an exception. This patch adds them. They are covered by existing stress tests with Debug build. * runtime/Operations.h: (JSC::compareBigIntToOtherPrimitive): (JSC::compareBigInt32ToOtherPrimitive): (JSC::jsInc): (JSC::jsDec): (JSC::jsBitwiseNot): 2020-05-31 Michael Saboff <msaboff@apple.com> Consider a Thread Specific Cache for AssemblerBuffers https://bugs.webkit.org/show_bug.cgi?id=212562 Reviewed by Filip Pizlo. This patch creates a thread local cache of AssemblerData in the hopes that it will reduce memory allocation churn. The cache is cleared when a thread is destroyed. If an AssemblerData is destroyed in another thread, its storage is cached by the destroying thread. Made a few changes described below to facilite the swap as well as returning a clear()'ed AssemblerData back to its original state. Reviewed by Filip Pizlo. * assembler/AssemblerBuffer.cpp: (JSC::threadSpecificAssemblerData): (JSC::clearAssembleDataThreadSpecificCache): * assembler/AssemblerBuffer.h: (JSC::AssemblerData::AssemblerData): (JSC::AssemblerData::operator=): The copy constructor and assignment operator now perform complete AssemblerBuffer swaps. (JSC::AssemblerData::takeBufferIfLarger): A new method that will conditionally copy the enclosed buffer of the argument to "this" if the argument's buffer is larger than the current buffer of "this". (JSC::AssemblerData::~AssemblerData): (JSC::AssemblerData::clear): The destructor now calls clear which has been changed to reset the buffer to one with inline capacity. (JSC::AssemblerBuffer::AssemblerBuffer): Take the cached out of line buffer if there is one. (JSC::AssemblerBuffer::~AssemblerBuffer): Cache the enclosed out of line buffer if it is larger than the currently cached one. (JSC::AssemblerBuffer::getThreadSpecificAssemblerData): * dfg/DFGWorklist.cpp: * jit/JITWorklist.cpp: * wasm/WasmWorklist.cpp: 2020-05-31 Mark Lam <mark.lam@apple.com> Change JSC::Config to use storage in WTF::Config instead of its own. https://bugs.webkit.org/show_bug.cgi?id=212575 <rdar://problem/63796584> Reviewed by Yusuke Suzuki. Since Configs must be rounded up to CeilingOnPageSize, this will save us some memory since the contents of both Configs do not add up to CeilingOnPageSize. g_jscConfig is now located at g_wtfConfig.spaceForExtensions. * runtime/JSCConfig.cpp: (JSC::Config::disableFreezingForTesting): (JSC::Config::enableRestrictedOptions): (JSC::Config::permanentlyFreeze): Deleted. * runtime/JSCConfig.h: (JSC::Config::permanentlyFreeze): (JSC::Config::isPermanentlyFrozen): (): Deleted. * runtime/Options.cpp: (JSC::Options::setOptions): * tools/JSDollarVM.cpp: (JSC::functionCallWithStackSize): 2020-05-30 Mark Lam <mark.lam@apple.com> Rename Signal::BadAccess to Signal::AccessFault. https://bugs.webkit.org/show_bug.cgi?id=212577 Reviewed by Yusuke Suzuki. * runtime/VMTraps.cpp: * wasm/WasmFaultSignalHandler.cpp: (JSC::Wasm::enableFastMemory): 2020-05-30 Yusuke Suzuki <ysuzuki@apple.com> [JSC] for-in should allocate new temporary register for base https://bugs.webkit.org/show_bug.cgi?id=212519 <rdar://problem/63722044> Reviewed by Saam Barati. While r262233 keeps for-in's enumerated object in variable register if possible to use this register for heuristics driving an optimization, for-in body can replace the content of this register during enumeration and confuse enumerator. Instead, we record Variable information in StructureForInContext. This allows us to detect patterns using heap-variables too. Further, this patch extends pattern-matching code to support ThisNode too. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::pushStructureForInScope): * bytecompiler/BytecodeGenerator.h: (JSC::Variable::Variable): (JSC::Variable::isResolved const): (JSC::Variable::symbolTableConstantIndex const): (JSC::Variable::ident const): (JSC::Variable::offset const): (JSC::Variable::isLocal const): (JSC::Variable::local const): (JSC::Variable::isReadOnly const): (JSC::Variable::isSpecial const): (JSC::Variable::isConst const): (JSC::Variable::setIsReadOnly): (JSC::Variable::operator== const): (JSC::StructureForInContext::StructureForInContext): (JSC::StructureForInContext::baseVariable const): (JSC::StructureForInContext::base const): Deleted. * bytecompiler/NodesCodegen.cpp: (JSC::HasOwnPropertyFunctionCallDotNode::emitBytecode): (JSC::ForInNode::emitBytecode): * parser/ASTBuilder.h: (JSC::ASTBuilder::makeFunctionCallNode): * parser/Nodes.h: (JSC::ExpressionNode::isThisNode const): 2020-05-30 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, fix JSC debug tests' exception checking https://bugs.webkit.org/show_bug.cgi?id=212512 * runtime/JSBigInt.cpp: (JSC::JSBigInt::createWithLength): (JSC::JSBigInt::allocateFor): 2020-05-30 Mark Lam <mark.lam@apple.com> AssemblyHelpers::callExceptionFuzz() is passing a wrong argument to operationExceptionFuzz(). https://bugs.webkit.org/show_bug.cgi?id=212561 Reviewed by Yusuke Suzuki. There's 2 possible solution to this issue: 1. Thread the globalObject from all the way up the clients calling into callExceptionFuzz(), or 2. Introduce a operationExceptionFuzzWithCallFrame() wrapper take receives a VM* and CallFrame*, and use these to get the lexicalGlobalObject. This patch applies solution 2. Solution 1 is too unwieldy because it will cause the threading of the globalObject argument to fan out to many clients, and almost all of those clients currently do not need the globalObject. Hence, implementing this solution may incur some performance penalty in normal code, for the sole benefit of this one fuzzing tool. Secondly, the exception fuzzer doesn't really care which globalObject is used. It only cares that an exception is thrown, and we need a globalObject in order to throw that exception. Hence, there is no benefit to threading the globalObject down from all the clients. * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::callExceptionFuzz): * jit/JITOperations.cpp: * jit/JITOperations.h: 2020-05-29 Yusuke Suzuki <ysuzuki@apple.com> [JSC] JSBigInt allocation should be graceful for OOM https://bugs.webkit.org/show_bug.cgi?id=212512 Reviewed by Mark Lam. This patch allows JSBigInt's storage allocation to fail gracefully if OOM condition happens. We thread JSGlobalObject* instead of VM& and throw OOM error if storage allocation failed. We also rename `JSGlobalObject* globalObject` parameter to `JSGlobalObject* nullOrGlobalObjectForOOM` if it can be nullptr. * jit/JITOperations.cpp: * jsc.cpp: (functionCreateHeapBigInt): * parser/ParserArena.cpp: (JSC::IdentifierArena::makeBigIntDecimalIdentifier): * runtime/BigIntConstructor.cpp: (JSC::toBigInt): (JSC::callBigIntConstructor): * runtime/BigIntPrototype.cpp: (JSC::toThisBigIntValue): (JSC::bigIntProtoFuncToString): (JSC::bigIntProtoFuncToLocaleString): (JSC::bigIntProtoFuncValueOf): * runtime/CachedTypes.cpp: (JSC::CachedBigInt::decode const): * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/IntlNumberFormatPrototype.cpp: (JSC::IntlNumberFormatFuncFormat): * runtime/JSBigInt.cpp: (JSC::JSBigInt::createZero): (JSC::JSBigInt::tryCreateZero): (JSC::JSBigInt::createWithLength): (JSC::JSBigInt::tryCreateWithLength): (JSC::JSBigInt::createFrom): (JSC::JSBigInt::tryCreateFrom): (JSC::JSBigInt::createFromImpl): (JSC::JSBigInt::parseInt): (JSC::HeapBigIntImpl::toHeapBigInt): (JSC::Int32BigIntImpl::toHeapBigInt): (JSC::zeroImpl): (JSC::JSBigInt::exponentiateImpl): (JSC::JSBigInt::multiplyImpl): (JSC::JSBigInt::divideImpl): (JSC::JSBigInt::copy): (JSC::JSBigInt::unaryMinusImpl): (JSC::JSBigInt::unaryMinus): (JSC::JSBigInt::remainderImpl): (JSC::JSBigInt::incImpl): (JSC::JSBigInt::decImpl): (JSC::JSBigInt::addImpl): (JSC::JSBigInt::subImpl): (JSC::JSBigInt::bitwiseAndImpl): (JSC::JSBigInt::bitwiseOrImpl): (JSC::JSBigInt::bitwiseXorImpl): (JSC::JSBigInt::absoluteAdd): (JSC::JSBigInt::absoluteSub): (JSC::JSBigInt::absoluteDivWithDigitDivisor): (JSC::JSBigInt::absoluteDivWithBigIntDivisor): (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy): (JSC::JSBigInt::absoluteBitwiseOp): (JSC::JSBigInt::absoluteAnd): (JSC::JSBigInt::absoluteOr): (JSC::JSBigInt::absoluteAndNot): (JSC::JSBigInt::absoluteXor): (JSC::JSBigInt::absoluteAddOne): (JSC::JSBigInt::absoluteSubOne): (JSC::JSBigInt::leftShiftByAbsolute): (JSC::JSBigInt::rightShiftByAbsolute): (JSC::JSBigInt::rightShiftByMaximum): (JSC::JSBigInt::toStringBasePowerOfTwo): (JSC::JSBigInt::toStringGeneric): (JSC::JSBigInt::rightTrim): (JSC::JSBigInt::tryRightTrim): (JSC::JSBigInt::allocateFor): (JSC::JSBigInt::asIntNImpl): (JSC::JSBigInt::asUintNImpl): (JSC::JSBigInt::truncateToNBits): (JSC::JSBigInt::truncateAndSubFromPowerOfTwo): (JSC::JSBigInt::createWithLengthUnchecked): Deleted. * runtime/JSBigInt.h: * runtime/JSCJSValue.cpp: (JSC::JSValue::toThisSlowCase const): * runtime/VM.cpp: (JSC::VM::VM): 2020-05-29 Saam Barati <sbarati@apple.com> We need to properly model heap ranges of Delete in DFG/B3 https://bugs.webkit.org/show_bug.cgi?id=212538 <rdar://problem/63670964> Reviewed by Filip Pizlo. We need to properly model the aliasing dependencies of an inlined delete operation. We had a bug in the B3 IR we generated from code like this for a delete followed by a property addition: ``` const o = { y: 0 }; delete o.y; o.z = 0; ``` generated: ``` note: bb#5 dominates bb#10, bb#10 dominates bb#15 bb#5 Void b@125 = Store($-562949953421312(b@282), b@112, offset = 16, ControlDependent|Writes:129, D@30) bb#10 Void b@171 = Store($0(b@2), b@112, offset = 16, ControlDependent|Writes:129, D@37) bb#15 Void b@217 = Store($-562949953421312(b@282), b@112, offset = 16, ControlDependent|Writes:130, D@44) ``` Notice that "y" and "z" ended up at the same property offset. In the above program, B3 proves the pointer we're storing to is the same value in all three stores (b@112). However, because of how it does store forwarding, it determined it could eliminate b@217 because b@125 already stored the same value to the same pointer. It didn't know that b@171 was a write because its heap range is different than @217. Generally, when using two heap ranges, it's telling B3 that two pointers don't alias. ``` @A, Heap_H @B, Heap_H ``` In the above program, - If @B reads H and @A writes H, then @B is dependent on @A. - If @B writes H, then @B is dependent on @A if @A reads or writes H. So for delete, we need to model the deletion of a property as actually writing to all named properties that may exist at that slot given a series of structure transitions. We model this by saying the PutStructure for an inlined delete, or MultiDeleteByOffset, writes to all named properties (which is a superset of all named properties that may exist at that slot through a series of transitions). * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * ftl/FTLAbstractHeap.cpp: (JSC::FTL::IndexedAbstractHeap::dump): (JSC::FTL::NumberedAbstractHeap::dump): (JSC::FTL::AbsoluteAbstractHeap::dump): (JSC::FTL::IndexedAbstractHeap::dump const): Deleted. (JSC::FTL::NumberedAbstractHeap::dump const): Deleted. (JSC::FTL::AbsoluteAbstractHeap::dump const): Deleted. * ftl/FTLAbstractHeap.h: (JSC::FTL::IndexedAbstractHeap::atAnyIndex): (JSC::FTL::NumberedAbstractHeap::atAnyNumber): (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress): (JSC::FTL::IndexedAbstractHeap::atAnyIndex const): Deleted. (JSC::FTL::NumberedAbstractHeap::atAnyNumber const): Deleted. (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress const): Deleted. * ftl/FTLAbstractHeapRepository.cpp: (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): * ftl/FTLAbstractHeapRepository.h: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure): (JSC::FTL::DFG::LowerDFGToB3::compileMultiDeleteByOffset): 2020-05-29 Andy Estes <aestes@apple.com> [Apple Pay] Remove conditionals for ENABLE_APPLE_PAY_SESSION_V(3|4) https://bugs.webkit.org/show_bug.cgi?id=212541 Reviewed by Darin Adler. APPLE_PAY_SESSION_V(3|4) is now enabled whenever APPLE_PAY itself is enabled. * Configurations/FeatureDefines.xcconfig: 2020-05-29 Darin Adler <darin@apple.com> Remove things from FeatureDefines.xcconfig that are covered by PlatformEnableCocoa.h https://bugs.webkit.org/show_bug.cgi?id=212418 Rubber-stamped by Simon Fraser. * Configurations/FeatureDefines.xcconfig: Add back ENABLE_CSS_CONIC_GRADIENTS, removed by accident. 2020-05-27 Darin Adler <darin@apple.com> Remove things from FeatureDefines.xcconfig that are covered by PlatformEnableCocoa.h https://bugs.webkit.org/show_bug.cgi?id=212418 Reviewed by Andy Estes. * Configurations/FeatureDefines.xcconfig: Removed 83 of the 119 things defined in this file. There are 36 more that are slightly more complex that we can remove carefully later. 2020-05-29 Darin Adler <darin@apple.com> [Cocoa] Pass all defines from Platform.h to various scripts, not just the ones from .xcconfig https://bugs.webkit.org/show_bug.cgi?id=212451 Reviewed by Sam Weinig. * DerivedSources.make: Run the preprocessor on Platform.h and parse the output into FEATURE_AND_PLATFORM_DEFINES. Use that and FEATURE_AND_PLATFORM_DEFINE_DEPENDENCIES whenever we need a list of defines. Also took out some Windows-specific stuff since this is now only used on Mac platforms. Use ":=" when calling $(shell) to make sure the same shell command is not invoked over and over again. 2020-05-29 Keith Rollin <krollin@apple.com> Revert switch to XCBuild https://bugs.webkit.org/show_bug.cgi?id=212530 <rdar://problem/63764632> Unreviewed build fix. Bug 209890 enabled the use of XCBuild by default. Since then, some build issues have shown up. While addressing them, temporarily turn off the use of XCBuild by default. * Configurations/JavaScriptCore.xcconfig: * JavaScriptCore.xcodeproj/project.pbxproj: 2020-05-29 Commit Queue <commit-queue@webkit.org> Unreviewed, reverting r262245. https://bugs.webkit.org/show_bug.cgi?id=212531 "Caused WebCore's 'Check .xcfilelists' build phase to be ~100x slower" Reverted changeset: "[Cocoa] Pass all defines from Platform.h to various scripts, not just the ones from .xcconfig" https://bugs.webkit.org/show_bug.cgi?id=212451 https://trac.webkit.org/changeset/262245 2020-05-29 Devin Rousso <drousso@apple.com> Web Inspector: add ITML debuggable/target type https://bugs.webkit.org/show_bug.cgi?id=203300 <rdar://problem/56545896> Reviewed by Joseph Pecoraro and Brian Burg. * API/JSContextPrivate.h: * API/JSContext.mm: (-[JSContext _setITMLDebuggableType]): Added. * runtime/JSGlobalObject.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::setIsITML): Added. Create an SPI for marking a `JSContext` as an ITML context for Web Inspector. * runtime/JSGlobalObjectDebuggable.h: (isType): * inspector/remote/RemoteControllableTarget.h: * inspector/remote/RemoteInspectionTarget.h: * inspector/remote/RemoteInspectorConstants.h: * inspector/JSGlobalObjectInspectorController.cpp: (Inspector::JSGlobalObjectInspectorController::connectFrontend): Don't dispatch `Inspector.activateExtraDomains` unless we're a basic `JavaScript` debuggable. * inspector/remote/cocoa/RemoteInspectorCocoa.mm: (Inspector::RemoteInspector::listingForInspectionTarget const): * inspector/scripts/codegen/models.py: (validate_target_types): * inspector/scripts/codegen/objc_generator.py: (ObjCGenerator): * inspector/scripts/tests/expected/fail-on-command-targetTypes-value.json-error: * inspector/scripts/tests/expected/fail-on-domain-debuggableTypes-value.json-error: * inspector/scripts/tests/expected/fail-on-domain-targetTypes-value.json-error: * inspector/scripts/tests/expected/fail-on-event-targetTypes-value.json-error: * inspector/protocol/Audit.json: * inspector/protocol/CSS.json: * inspector/protocol/Console.json: * inspector/protocol/DOM.json: * inspector/protocol/DOMStorage.json: * inspector/protocol/Database.json: * inspector/protocol/Debugger.json: * inspector/protocol/Heap.json: * inspector/protocol/Inspector.json: * inspector/protocol/Network.json: * inspector/protocol/Page.json: * inspector/protocol/Runtime.json: * inspector/protocol/Security.json: Add support for `itml` debuggables and targets, marking non-ITML commands/events with `page`. 2020-05-29 Mark Lam <mark.lam@apple.com> Add a check for errors when computing a utf string in jsc shell's runInteractive(). https://bugs.webkit.org/show_bug.cgi?id=212526 <rdar://problem/63757892> Reviewed by Michael Saboff. * jsc.cpp: (runInteractive): 2020-05-28 Devin Rousso <drousso@apple.com> Web Inspector: add missing condition guards when generating objc protocol files https://bugs.webkit.org/show_bug.cgi?id=212494 Reviewed by Timothy Hatcher. * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py: (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations): * inspector/scripts/codegen/generate_objc_configuration_header.py: (ObjCConfigurationHeaderGenerator._generate_properties_for_domain): * inspector/scripts/codegen/generate_objc_configuration_implementation.py: (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains): (ObjCConfigurationImplementationGenerator._generate_ivars): (ObjCConfigurationImplementationGenerator._generate_dealloc): (ObjCConfigurationImplementationGenerator._generate_event_dispatcher_getter_for_domain): (ObjCConfigurationImplementationGenerator._variable_name_prefix_for_domain): Deleted. * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py: (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations): (ObjCFrontendDispatcherImplementationGenerator._generate_event): * inspector/scripts/codegen/generate_objc_header.py: (ObjCHeaderGenerator._generate_forward_declarations): (ObjCHeaderGenerator._generate_enums): (ObjCHeaderGenerator._generate_types): (ObjCHeaderGenerator._generate_command_protocols): (ObjCHeaderGenerator._generate_event_interfaces): (ObjCHeaderGenerator._generate_single_event_interface): * inspector/scripts/codegen/generate_objc_internal_header.py: (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces): * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py: (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions): * inspector/scripts/tests/definitions-with-mac-platform.json: * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result: 2020-05-27 Keith Miller <keith_miller@apple.com> for-of should check the iterable is a JSArray for FastArray in DFG iterator_open https://bugs.webkit.org/show_bug.cgi?id=212383 Reviewed by Saam Barati. This patch fixes an issue where we didn't check that the iterable operand to iterator_open was a JSArray when lowering the FastArray only variant of the bytecode to the DFG. This meant we would OSR exit at the iterator_next's lowering then assertion failure in the checkpoint OSR exit helper. To make this work, this patch extends (and renames from CheckSubClass) CheckJSCast to use the same JSType information that we use for the jsCast function. In order to get the JSType range from a ClassInfo* the macro that autogenerates MethodTable now also fills a Optional<JSTypeRange> into the ClassInfo as well. Lastly, speculationFromClassInfo was misused by AI. This patch renames it to speculationFromClassInfoInheritance to better reflect how AI was using it. The only other user of speculationFromClassInfo was speculationFromStructure. Any case where speculationFromClassInfoInteritance would differ from what a Structure would tell you has been hoisted to speculationFromStructure. * assembler/testmasm.cpp: (JSC::testBranchIfType): (JSC::testBranchIfNotType): * bytecode/SpeculatedType.cpp: (JSC::speculationFromClassInfoInheritance): (JSC::speculationFromStructure): (JSC::speculationFromClassInfo): Deleted. * bytecode/SpeculatedType.h: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::filterClassInfo): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleDOMJITGetter): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::attemptToMakeCallDOM): (JSC::DFG::FixupPhase::fixupCheckJSCast): (JSC::DFG::FixupPhase::fixupCheckSubClass): Deleted. * dfg/DFGNode.h: (JSC::DFG::Node::hasClassInfo const): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::checkArray): (JSC::DFG::SpeculativeJIT::compileCheckJSCast): (JSC::DFG::SpeculativeJIT::compileCheckSubClass): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileCheckJSCast): (JSC::FTL::DFG::LowerDFGToB3::isCellWithType): (JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView): (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): Deleted. * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::branchIfType): (JSC::AssemblyHelpers::branchIfNotType): * runtime/ClassInfo.h: * runtime/JSCast.h: (JSC::JSTypeRange::contains const): (JSC::JSCastingHelpers::inheritsJSTypeImpl): * runtime/JSFunction.cpp: (JSC::JSFunction::assertTypeInfoFlagInvariants): * tools/JSDollarVM.cpp: (JSC::functionCreateDOMJITCheckJSCastObject): (JSC::JSDollarVM::finishCreation): (JSC::functionCreateDOMJITCheckSubClassObject): Deleted. 2020-05-27 Darin Adler <darin@apple.com> [Cocoa] Pass all defines from Platform.h to various scripts, not just the ones from .xcconfig https://bugs.webkit.org/show_bug.cgi?id=212451 Reviewed by Sam Weinig. * DerivedSources.make: Run the preprocessor on Platform.h and parse the output into FEATURE_AND_PLATFORM_DEFINES. Use that and FEATURE_AND_PLATFORM_DEFINE_DEPENDENCIES whenever we need a list of defines. Also took out some Windows-specific stuff since this is now only used on Mac platforms. 2020-05-28 Michael Catanzaro <mcatanzaro@gnome.org> Web Inspector: generate_cpp_protocol_types_header.py:294: SyntaxWarning: "is" with a literal. Did you mean "=="? https://bugs.webkit.org/show_bug.cgi?id=212468 Reviewed by Timothy Hatcher. Use "==" instead of "is" to compare against 0. * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: 2020-05-28 Mark Lam <mark.lam@apple.com> Gardening: Add an assertNoException() to placate the exception checker and green the bots. https://bugs.webkit.org/show_bug.cgi?id=212248 Not reviewed. This solution was pointed out by Caio Lima in https://bugs.webkit.org/show_bug.cgi?id=212248#c10. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): 2020-05-27 Saam Barati <sbarati@apple.com> hasOwnProperty inside structure property for-in loop should use an opcode like has_structure_property but for hasOwnProperty https://bugs.webkit.org/show_bug.cgi?id=212248 Reviewed by Keith Miller. This patch applies the same principles from r262083 but to hasOwnProperty. In this patch, we have a fast path for this syntactic pattern when iterating structure properties: for (let <p> in <o>) if (<o>.hasOwnProperty(<p>)) We look for both <p> and <o> as resolve nodes, and we look for them being the same values both in the header and inside the body. Using a simple static analysis, when we detect this pattern, we compare the result of `<o>.hasOwnProperty` to the original hasOwnProperty function. If it's the same, we execute the fast path new bytecode has_own_structure_property, which on the fast path is two loads, a compare and branch, and a materialization of the boolean constant true. On the slow path, has_own_structure_property just executes the runtime code for hasOwnProperty. In my testing, this seems like it might be 3-5% faster on Speedometer 2's react subtests. I was getting some noise when running the tests locally, so I can't say for certain it's a definite speedup. But the data implies it has a good chance at being a speedup. * builtins/BuiltinNames.h: * bytecode/BytecodeList.rb: * bytecode/BytecodeUseDef.cpp: (JSC::computeUsesForBytecodeIndexImpl): (JSC::computeDefsForBytecodeIndexImpl): * bytecode/LinkTimeConstant.h: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitWideJumpIfNotFunctionHasOwnProperty): (JSC::BytecodeGenerator::recordHasOwnStructurePropertyInForInLoop): (JSC::BytecodeGenerator::emitHasOwnStructureProperty): (JSC::BytecodeGenerator::pushStructureForInScope): (JSC::StructureForInContext::finalize): (JSC::BytecodeGenerator::findStructureForInContext): * bytecompiler/BytecodeGenerator.h: (JSC::StructureForInContext::StructureForInContext): (JSC::StructureForInContext::base const): (JSC::StructureForInContext::addHasOwnPropertyJump): * bytecompiler/Label.h: (JSC::GenericBoundLabel::GenericBoundLabel): * bytecompiler/NodesCodegen.cpp: (JSC::HasOwnPropertyFunctionCallDotNode::emitBytecode): (JSC::ForInNode::emitBytecode): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileHasStructureProperty): (JSC::DFG::SpeculativeJIT::compileHasOwnStructurePropertyImpl): (JSC::DFG::SpeculativeJIT::compileHasOwnStructureProperty): (JSC::DFG::SpeculativeJIT::compileInStructureProperty): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnStructureProperty): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * jit/JIT.h: * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_has_structure_propertyImpl): (JSC::JIT::emit_op_has_structure_property): (JSC::JIT::emit_op_has_own_structure_property): (JSC::JIT::emit_op_in_structure_property): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_has_structure_propertyImpl): (JSC::JIT::emit_op_has_structure_property): (JSC::JIT::emit_op_has_own_structure_property): (JSC::JIT::emit_op_in_structure_property): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter64.asm: * parser/ASTBuilder.h: (JSC::ASTBuilder::makeFunctionCallNode): * parser/NodeConstructors.h: (JSC::HasOwnPropertyFunctionCallDotNode::HasOwnPropertyFunctionCallDotNode): * parser/Nodes.h: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/CommonSlowPaths.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/ObjectPrototype.cpp: (JSC::objectPrototypeHasOwnProperty): (JSC::objectProtoFuncHasOwnProperty): * runtime/ObjectPrototype.h: 2020-05-27 Yusuke Suzuki <ysuzuki@apple.com> [ macOS iOS ] REGRESSION(r261600?): imported/w3c/web-platform-tests/html/dom/reflection-embedded.html & imported/w3c/web-platform-tests/html/dom/reflection-forms.html are flaky failures https://bugs.webkit.org/show_bug.cgi?id=212430 Reviewed by Saam Barati. r261600 added IsConstructor rule to DFG AI. That rule is saying that if the object is not JSFunction and not ProxyObject, then it must not be a constructor. But this is wrong since any objects can implement getConstructData and DOM constructors are actually implementing it while it is not JSFunction and it is not ProxyObject. This patch removes that rule. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * tools/JSDollarVM.cpp: 2020-05-27 Saam Barati <sbarati@apple.com> Limit memory used by wasm/references/multitable.js on memory limited devices https://bugs.webkit.org/show_bug.cgi?id=212437 Reviewed by Keith Miller. * tools/JSDollarVM.cpp: (JSC::functionIsMemoryLimited): (JSC::JSDollarVM::finishCreation): 2020-05-27 David Kilzer <ddkilzer@apple.com> REGRESSION: Build errors during JavaScriptCore "Generate Derived Sources" about missing Availability.h header and invalid SDKROOT [-Wmissing-sysroot] <https://webkit.org/b/212436> Unreviewed build fix. * Scripts/generate-derived-sources.sh: Pass SDKROOT to `make` command from the current environment. 2020-05-27 Mark Lam <mark.lam@apple.com> Add missing #include for when LLINT_TRACING is enabled. https://bugs.webkit.org/show_bug.cgi?id=212433 Reviewed by Tadeu Zagallo. * llint/LLIntExceptions.cpp: 2020-05-27 Devin Rousso <drousso@apple.com> Web Inspector: replace `featureGuard` and `availability` with a combined `condition` that accepts any macro https://bugs.webkit.org/show_bug.cgi?id=210014 Reviewed by Brian Burg. Previously, the generated InspectorBackendCommands.js would include code for things that the backend doesn't actually support. By using actual macros and preprocessing that file, we can ensure that the frontend doesn't incorrectly think that something is supported by the page being inspected: - the `Canvas` commands and events related to shader programs/pipelines should only exist when the corresponding context type exists, namely `ENABLE(WEBGL)` and `ENABLE(WEBGPU)`. - iOS doesn't support showing rulers, so create a variant of `DOM.setInspectModeEnabled` that only exists for `PLATFORM(IOS_FAMILY)` that doesn't have the `showRulers` optional parameter, as well as removing `Page.setShowRulers` entirely. - setting the forced appearance should only be possible if dark mode is supported. - web archives only exist if CF is used. * inspector/protocol/CPUProfiler.json: * inspector/protocol/Canvas.json: * inspector/protocol/DOM.json: * inspector/protocol/IndexedDB.json: * inspector/protocol/Inspector.json: * inspector/protocol/Memory.json: * inspector/protocol/Page.json: * inspector/protocol/ServiceWorker.json: * Scripts/generate-derived-sources.sh: Set `CC` if it hasn't already been set. * DerivedSources.make: * DerivedSources-input.xcfilelist: Preprocess `InspectorBackendCommands.js.in` to get an accurate `InspectorBackendCommands.js` that follows the logic/description above. * CMakeLists.txt: Create a new `InspectorBackendCommands` target now that `InspectorBackendCommands.js` is generated seprately from the rest of the protocol files. * Configurations/FeatureDefines.xcconfig: Add `ENABLE_WEB_ARCHIVE` since it's always enabled in wtf/PlatformEnableCocoa.h. * inspector/scripts/generate-inspector-protocol-bindings.py: (generate_from_specification): (generate_from_specification.load_specification): * inspector/scripts/codegen/generator.py: (Generator.__init__): (Generator.model): (Generator.set_generator_setting): (Generator.type_declarations_for_domain): (Generator.commands_for_domain): (Generator.events_for_domain): (Generator.wrap_with_guard_for_condition): Added. (Generator.platform): Deleted. (Generator.can_generate_platform): Deleted. (Generator.wrap_with_guard_for_domain): Deleted. (Generator.wrap_with_guard): Deleted. * inspector/scripts/codegen/models.py: (Frameworks): (Protocol.parse_domain): (Protocol.parse_type_declaration): (Protocol.parse_command): (Protocol.parse_event): (Domain.__init__): (TypeDeclaration.__init__): (Command.__init__): (Event.__init__): (Platform): Deleted. (Platform.__init__): Deleted. (Platform.fromString): Deleted. (Platforms): Deleted. (Platforms.__metaclass__): Deleted. (Platforms.__metaclass__.__iter__): Deleted. * inspector/scripts/codegen/generator_templates.py: Remove `platform` as it is handled by `condition`. * inspector/scripts/codegen/preprocess.pl: Copied from Source/WebCore/bindings/scripts/preprocessor.pm. * inspector/scripts/codegen/generate_js_backend_commands.py: (JSBackendCommandsGenerator.output_filename): (JSBackendCommandsGenerator.generate_domain): Output to `InspectorBackendCommands.js.in` that includes `#if` for preprocessing. * inspector/scripts/codegen/cpp_generator_templates.py: * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py: (CppAlternateBackendDispatcherHeaderGenerator.generate_output): (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain): (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command): * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate): (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain): (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command): (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command): (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain): (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command): * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py: (CppBackendDispatcherImplementationGenerator.generate_output): (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain): (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain): (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain): (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain): (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain): (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py: (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain): (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event): * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py: (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain): (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: (CppProtocolTypesHeaderGenerator._generate_versions): * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py: (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body): (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain): (CppProtocolTypesImplementationGenerator._generate_open_field_names): (CppProtocolTypesImplementationGenerator._generate_builders_for_domain): * inspector/scripts/codegen/objc_generator_templates.py: * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py: (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain): (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command): * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py: (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain): (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_command): * inspector/scripts/codegen/generate_objc_header.py: (add_newline): (ObjCHeaderGenerator.generate_output): (ObjCHeaderGenerator._generate_forward_declarations): (ObjCHeaderGenerator._generate_enums): (ObjCHeaderGenerator._generate_types): (ObjCHeaderGenerator._generate_type_interface): (ObjCHeaderGenerator._generate_command_protocols): (ObjCHeaderGenerator._generate_single_command_protocol): (ObjCHeaderGenerator._generate_event_interfaces): (ObjCHeaderGenerator._generate_single_event_interface): (ObjCHeaderGenerator._generate_enum_for_platforms): Deleted. * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py: (add_newline): (ObjCProtocolTypeConversionsHeaderGenerator.generate_output): (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions): (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_for_platforms): Deleted. * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py: (add_newline): (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface): (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_method_declaration): (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation): (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_method_implementation): * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py: (add_newline): (ObjCProtocolTypesImplementationGenerator.generate_type_implementations): (ObjCProtocolTypesImplementationGenerator.generate_type_implementation): Wrap each domain, type, command, and event with the associated `condition` (if it exists). * inspector/scripts/tests/command-targetType-matching-domain-debuggableType.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/command-targetType-matching-domain-debuggableType.json. * inspector/scripts/tests/commands-with-async-attribute.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/commands-with-async-attribute.json. * inspector/scripts/tests/commands-with-optional-call-return-parameters.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/commands-with-optional-call-return-parameters.json. * inspector/scripts/tests/definitions-with-mac-platform.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/mac/definitions-with-mac-platform.json. * inspector/scripts/tests/domain-debuggableTypes.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/domain-debuggableTypes.json. * inspector/scripts/tests/domain-targetType-matching-domain-debuggableType.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/domain-targetType-matching-domain-debuggableType.json. * inspector/scripts/tests/domain-targetTypes.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/domain-targetTypes.json. * inspector/scripts/tests/domains-with-varying-command-sizes.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/domains-with-varying-command-sizes.json. * inspector/scripts/tests/enum-values.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/enum-values.json. * inspector/scripts/tests/event-targetType-matching-domain-debuggableType.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/event-targetType-matching-domain-debuggableType.json. * inspector/scripts/tests/events-with-optional-parameters.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/events-with-optional-parameters.json. * inspector/scripts/tests/expected/command-targetType-matching-domain-debuggableType.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/command-targetType-matching-domain-debuggableType.json-result. * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result. * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result. * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result. * inspector/scripts/tests/expected/domain-debuggableTypes.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/domain-debuggableTypes.json-result. * inspector/scripts/tests/expected/domain-targetType-matching-domain-debuggableType.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/domain-targetType-matching-domain-debuggableType.json-result. * inspector/scripts/tests/expected/domain-targetTypes.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/domain-targetTypes.json-result. * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result. * inspector/scripts/tests/expected/enum-values.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/enum-values.json-result. * inspector/scripts/tests/expected/event-targetType-matching-domain-debuggableType.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/event-targetType-matching-domain-debuggableType.json-result. * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result. * inspector/scripts/tests/expected/fail-on-command-targetType-matching-domain-debuggableType.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-command-targetType-matching-domain-debuggableType.json-error. * inspector/scripts/tests/expected/fail-on-command-targetTypes-type.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-command-targetTypes-type.json-error. * inspector/scripts/tests/expected/fail-on-command-targetTypes-value.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-command-targetTypes-value.json-error. * inspector/scripts/tests/expected/fail-on-domain-debuggableTypes-type.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-domain-debuggableTypes-type.json-error. * inspector/scripts/tests/expected/fail-on-domain-debuggableTypes-value.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-domain-debuggableTypes-value.json-error. * inspector/scripts/tests/expected/fail-on-domain-targetType-matching-domain-debuggableType.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-domain-targetType-matching-domain-debuggableType.json-error. * inspector/scripts/tests/expected/fail-on-domain-targetTypes-type.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-domain-targetTypes-type.json-error. * inspector/scripts/tests/expected/fail-on-domain-targetTypes-value.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-domain-targetTypes-value.json-error. * inspector/scripts/tests/expected/fail-on-duplicate-command-call-parameter-names.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-duplicate-command-call-parameter-names.json-error. * inspector/scripts/tests/expected/fail-on-duplicate-command-return-parameter-names.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-duplicate-command-return-parameter-names.json-error. * inspector/scripts/tests/expected/fail-on-duplicate-event-parameter-names.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-duplicate-event-parameter-names.json-error. * inspector/scripts/tests/expected/fail-on-duplicate-type-declarations.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-duplicate-type-declarations.json-error. * inspector/scripts/tests/expected/fail-on-duplicate-type-member-names.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-duplicate-type-member-names.json-error. * inspector/scripts/tests/expected/fail-on-enum-with-no-values.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-enum-with-no-values.json-error. * inspector/scripts/tests/expected/fail-on-event-targetType-matching-domain-debuggableType.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-event-targetType-matching-domain-debuggableType.json-error. * inspector/scripts/tests/expected/fail-on-event-targetTypes-type.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-event-targetTypes-type.json-error. * inspector/scripts/tests/expected/fail-on-event-targetTypes-value.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-event-targetTypes-value.json-error. * inspector/scripts/tests/expected/fail-on-number-typed-optional-parameter-flag.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-number-typed-optional-parameter-flag.json-error. * inspector/scripts/tests/expected/fail-on-number-typed-optional-type-member.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-number-typed-optional-type-member.json-error. * inspector/scripts/tests/expected/fail-on-string-typed-optional-parameter-flag.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-string-typed-optional-parameter-flag.json-error. * inspector/scripts/tests/expected/fail-on-string-typed-optional-type-member.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-string-typed-optional-type-member.json-error. * inspector/scripts/tests/expected/fail-on-type-declaration-using-type-reference.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-type-declaration-using-type-reference.json-error. * inspector/scripts/tests/expected/fail-on-type-reference-as-primitive-type.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-type-reference-as-primitive-type.json-error. * inspector/scripts/tests/expected/fail-on-type-with-lowercase-name.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-type-with-lowercase-name.json-error. * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-declaration.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-unknown-type-reference-in-type-declaration.json-error. * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-member.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-unknown-type-reference-in-type-member.json-error. * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result. * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result. * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result. * inspector/scripts/tests/expected/should-strip-comments.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/should-strip-comments.json-result. * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result. * inspector/scripts/tests/expected/type-declaration-array-type.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result. * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result. * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result. * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result. * inspector/scripts/tests/expected/type-with-open-parameters.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result. * inspector/scripts/tests/expected/version.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/version.json-result. * inspector/scripts/tests/fail-on-command-targetType-matching-domain-debuggableType.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-command-targetType-matching-domain-debuggableType.json. * inspector/scripts/tests/fail-on-command-targetTypes-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-command-targetTypes-type.json. * inspector/scripts/tests/fail-on-command-targetTypes-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-command-targetTypes-value.json. * inspector/scripts/tests/fail-on-domain-debuggableTypes-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-debuggableTypes-type.json. * inspector/scripts/tests/fail-on-domain-debuggableTypes-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-debuggableTypes-value.json. * inspector/scripts/tests/fail-on-domain-targetType-matching-domain-debuggableType.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-targetType-matching-domain-debuggableType.json. * inspector/scripts/tests/fail-on-domain-targetTypes-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-targetTypes-type.json. * inspector/scripts/tests/fail-on-domain-targetTypes-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-targetTypes-value.json. * inspector/scripts/tests/fail-on-duplicate-command-call-parameter-names.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-duplicate-command-call-parameter-names.json. * inspector/scripts/tests/fail-on-duplicate-command-return-parameter-names.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-duplicate-command-return-parameter-names.json. * inspector/scripts/tests/fail-on-duplicate-event-parameter-names.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-duplicate-event-parameter-names.json. * inspector/scripts/tests/fail-on-duplicate-type-declarations.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-duplicate-type-declarations.json. * inspector/scripts/tests/fail-on-duplicate-type-member-names.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-duplicate-type-member-names.json. * inspector/scripts/tests/fail-on-enum-with-no-values.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-enum-with-no-values.json. * inspector/scripts/tests/fail-on-event-targetType-matching-domain-debuggableType.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-event-targetType-matching-domain-debuggableType.json. * inspector/scripts/tests/fail-on-event-targetTypes-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-event-targetTypes-type.json. * inspector/scripts/tests/fail-on-event-targetTypes-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-event-targetTypes-value.json. * inspector/scripts/tests/fail-on-number-typed-optional-parameter-flag.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-number-typed-optional-parameter-flag.json. * inspector/scripts/tests/fail-on-number-typed-optional-type-member.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-number-typed-optional-type-member.json. * inspector/scripts/tests/fail-on-string-typed-optional-parameter-flag.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-string-typed-optional-parameter-flag.json. * inspector/scripts/tests/fail-on-string-typed-optional-type-member.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-string-typed-optional-type-member.json. * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-type-declaration-using-type-reference.json. * inspector/scripts/tests/fail-on-type-reference-as-primitive-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-type-reference-as-primitive-type.json. * inspector/scripts/tests/fail-on-type-with-lowercase-name.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-type-with-lowercase-name.json. * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-unknown-type-reference-in-type-declaration.json. * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-unknown-type-reference-in-type-member.json. * inspector/scripts/tests/generate-domains-with-feature-guards.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/generate-domains-with-feature-guards.json. * inspector/scripts/tests/same-type-id-different-domain.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/same-type-id-different-domain.json. * inspector/scripts/tests/shadowed-optional-type-setters.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/shadowed-optional-type-setters.json. * inspector/scripts/tests/should-strip-comments.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/should-strip-comments.json. * inspector/scripts/tests/type-declaration-aliased-primitive-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/type-declaration-aliased-primitive-type.json. * inspector/scripts/tests/type-declaration-array-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/type-declaration-array-type.json. * inspector/scripts/tests/type-declaration-enum-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/type-declaration-enum-type.json. * inspector/scripts/tests/type-declaration-object-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/type-declaration-object-type.json. * inspector/scripts/tests/type-requiring-runtime-casts.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/type-requiring-runtime-casts.json. * inspector/scripts/tests/type-with-open-parameters.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/type-with-open-parameters.json. * inspector/scripts/tests/version.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/version.json. * inspector/scripts/tests/generic/definitions-with-mac-platform.json: Removed. * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result: Removed. * inspector/scripts/tests/generic/fail-on-command-with-invalid-platform.json: Removed. * inspector/scripts/tests/generic/expected/fail-on-command-with-invalid-platform.json-error: Removed. * inspector/scripts/tests/generic/fail-on-type-with-invalid-platform.json: Removed. * inspector/scripts/tests/generic/expected/fail-on-type-with-invalid-platform.json-error: Removed. * inspector/scripts/tests/ios/definitions-with-mac-platform.json: Removed. * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result: Removed. * inspector/scripts/tests/all/definitions-with-mac-platform.json: Removed. * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: Removed. Don't separate the inspector generator tests by platform. 2020-05-27 Keith Miller <keith_miller@apple.com> in_structure_property needs to handle constants on the RHS of the "in" https://bugs.webkit.org/show_bug.cgi?id=212399 Reviewed by Saam Barati. * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): 2020-05-27 Keith Rollin <krollin@apple.com> Enable the use of XCBuild by default in Apple builds https://bugs.webkit.org/show_bug.cgi?id=209890 <rdar://problem/44182078> Unreviewed build fix. Check the value of XCODE_VERSION_ACTUAL rather than XCODE_VERSION_MAJOR when determining whether to use the XCBuild or non-XCBuild method of running header post-processing scripts. * JavaScriptCore.xcodeproj/project.pbxproj: 2020-05-26 Mark Lam <mark.lam@apple.com> Add some new emitters to the X86_64 and ARM64 MacroAssemblers. https://bugs.webkit.org/show_bug.cgi?id=212385 Reviewed by Robin Morisset. This patch adds these MacroAssembler emitters: clearBit64 clearBits64WithMask countTrailingZeros64WithoutNullCheck clearBit64 clears a bit. clearBits64WithMask does the equivalent of and64 with the 1's complement of the provided mask. countTrailingZeros64WithoutNullCheck does the same thing as countTrailingZeros64, except that it assumes that the word in the register it is processing will never be null, and therefore skips the null check. This is useful in code generation that already does a null check ahead of time. So, there's no need to do a redundant null check. Also added testmasm tests for these emitters. * assembler/AbortReason.h: * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::clearBit64): (JSC::MacroAssemblerARM64::clearBits64WithMask): (JSC::MacroAssemblerARM64::countTrailingZeros64WithoutNullCheck): * assembler/MacroAssemblerX86_64.h: (JSC::MacroAssemblerX86_64::countTrailingZeros64WithoutNullCheck): (JSC::MacroAssemblerX86_64::clearBit64): (JSC::MacroAssemblerX86_64::clearBits64WithMask): * assembler/X86Assembler.h: (JSC::X86Assembler::btrq_rr): * assembler/testmasm.cpp: (JSC::testClearBit64): (JSC::testClearBits64WithMask): (JSC::testClearBits64WithMaskTernary): (JSC::testCountTrailingZeros64Impl): (JSC::testCountTrailingZeros64): (JSC::testCountTrailingZeros64WithoutNullCheck): (JSC::run): 2020-05-26 Yoshiaki JITSUKAWA <yoshiaki.jitsukawa@sony.com> [PlayStation] Enable RemoteWebInspector https://bugs.webkit.org/show_bug.cgi?id=212312 Reviewed by Don Olmstead. * API/JSRemoteInspectorServer.cpp: Fix compile error. * PlatformPlayStation.cmake: Add JSRemoteInspectorServer.h to the public header list. * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: Set PlayStation specific socket option. 2020-05-26 Alexey Shvayka <shvaikalesh@gmail.com> IteratorClose should suppress GetMethod errors https://bugs.webkit.org/show_bug.cgi?id=212378 Reviewed by Keith Miller. This patch implements recent spec change [1] that prevents "return" method lookup error from overriding outer exception, aligning JSC with V8 and SpiderMonkey. It is accomplished by moving pushTry() before emitGetById() in BytecodeGenerator.cpp (covered by test262 suite) and removal of RETURN_IF_EXCEPTION in IteratorOperations.cpp (added a stress test). Before this patch, JSC partly implemented the spec change [1] by suppressing TypeError if "return" method of iterator was not callable. BytecodeGenerator::emitDelegateYield() is intentionally left unchanged. Also, this patch utilizes emitIteratorGenericClose() to avoid code duplication. for/of microbenchmarks are neutral. [1]: https://github.com/tc39/ecma262/pull/1408 * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitGenericEnumeration): (JSC::BytecodeGenerator::emitEnumeration): * runtime/IteratorOperations.cpp: (JSC::iteratorClose): 2020-05-26 Mark Lam <mark.lam@apple.com> SamplingProfiler::takeSample() should not assume that ENABLE(WEBASSEMBLY) means Wasm is enabled. https://bugs.webkit.org/show_bug.cgi?id=212382 Reviewed by Saam Barati. Wasm can still be disabled at runtime with JSC options. Fixing this will allow sampling profiler tests to run with JSC_useJIT=0 without crashing. * runtime/SamplingProfiler.cpp: (JSC::FrameWalker::FrameWalker): (JSC::FrameWalker::recordJITFrame): (JSC::CFrameWalker::CFrameWalker): (JSC::SamplingProfiler::takeSample): 2020-05-26 Keith Rollin <krollin@apple.com> Enable the use of XCBuild by default in Apple builds https://bugs.webkit.org/show_bug.cgi?id=209890 <rdar://problem/44182078> Reviewed by Darin Adler. Switch from the "legacy" Xcode build system to the "new" build system (also known as "XCBuild"). Switching to the new system speeds up builds by a small percentage, better validates projects for build-related issues (such as dependency cycles), lets WebKit benefit from future improvements in XCBuild such as those coming from the underlying llbuild open source project, and prepares us for any other tools built for this new ecosystem. Specific changes: - Remove Xcode project and workspace settings that selected the Build system, allowing the default to take hold (which is currently the New build system). - Updated webkitdirs.pm with a terser check for Xcode version. - Update build-webkit and Makefile.shared to be explicit when using the old build system (no longer treat it as a default or fall-back configuration). - Update various xcconfig files similarly to treat the default as using the new build system. - Update various post-processing build steps to check for Xcode 11.4 and to no longer treat the default as using the old build system. * Configurations/JavaScriptCore.xcconfig: * JavaScriptCore.xcodeproj/project.pbxproj: 2020-05-23 Paulo Matos <pmatos@igalia.com> Fix non-unified builds for x86_64 https://bugs.webkit.org/show_bug.cgi?id=212297 Reviewed by Adrian Perez de Castro. * b3/B3BasicBlock.cpp: * b3/B3CaseCollection.cpp: * b3/B3DuplicateTails.cpp: * b3/B3EnsureLoopPreHeaders.cpp: * b3/B3FenceValue.cpp: * b3/B3HoistLoopInvariantValues.cpp: * b3/B3LegalizeMemoryOffsets.cpp: * b3/B3LowerMacrosAfterOptimizations.cpp: * b3/B3LowerToAir.cpp: * b3/B3MathExtras.cpp: * b3/B3MemoryValue.cpp: * b3/B3Procedure.cpp: * b3/B3StackmapValue.cpp: * b3/B3SwitchValue.cpp: * b3/B3UseCounts.cpp: * b3/B3Validate.cpp: * b3/B3VariableValue.cpp: * b3/B3WasmAddressValue.cpp: * b3/B3WasmBoundsCheckValue.cpp: * ftl/FTLCommonValues.cpp: * ftl/FTLCompile.cpp: * ftl/FTLOSREntry.cpp: * ftl/FTLOSRExitCompiler.cpp: * wasm/WasmInstance.cpp: * wasm/WasmStreamingParser.cpp: * wasm/js/JSToWasm.cpp: * wasm/js/JSToWasmICCallee.cpp: * wasm/js/JSWebAssembly.cpp: * wasm/js/JSWebAssemblyCodeBlock.cpp: * wasm/js/WebAssemblyCompileErrorConstructor.cpp: * wasm/js/WebAssemblyCompileErrorPrototype.cpp: * wasm/js/WebAssemblyFunction.cpp: * wasm/js/WebAssemblyFunctionBase.cpp: * wasm/js/WebAssemblyGlobalPrototype.cpp: * wasm/js/WebAssemblyInstanceConstructor.cpp: * wasm/js/WebAssemblyInstancePrototype.cpp: * wasm/js/WebAssemblyLinkErrorConstructor.cpp: * wasm/js/WebAssemblyLinkErrorPrototype.cpp: * wasm/js/WebAssemblyMemoryConstructor.cpp: * wasm/js/WebAssemblyMemoryPrototype.cpp: * wasm/js/WebAssemblyModuleConstructor.cpp: * wasm/js/WebAssemblyModulePrototype.cpp: * wasm/js/WebAssemblyModuleRecord.cpp: * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: * wasm/js/WebAssemblyTableConstructor.cpp: * wasm/js/WebAssemblyTablePrototype.cpp: 2020-05-22 Yoshiaki JITSUKAWA <yoshiaki.jitsukawa@sony.com> [PlayStation] Enable JSC shell to run https://bugs.webkit.org/show_bug.cgi?id=212294 Reviewed by Ross Kirsling. * shell/PlatformPlayStation.cmake: Set working directory for Visual Studio * shell/playstation/Initializer.cpp: Load libJavaScriptCore as we now build it as SHARED. 2020-05-22 Alexey Shvayka <shvaikalesh@gmail.com> Array.prototype.splice doesn't set "length" of returned object https://bugs.webkit.org/show_bug.cgi?id=212285 Reviewed by Darin Adler. This change implements step 12 of Array.prototype.splice [1], which is observable if result object is not JSArray, aligning JSC with V8 and SpiderMonkey. Only slow path of splice() is affected by this patch; zero-argument case already performs setLength(). Microbenchmarks are neutral. [1]: https://tc39.es/ecma262/#sec-array.prototype.splice * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncSplice): 2020-05-22 Saam Barati <sbarati@apple.com> in_by_val inside structure property for-in loop should use an opcode like has_structure_property but for "in" https://bugs.webkit.org/show_bug.cgi?id=212239 Reviewed by Tadeu Zagallo. There is code inside Speedometer 2 that is like: ``` for (let p in o) { if (p in o2) ... } ``` Where o and o2 frequently share the same structure. Elm does this when it's diffing two objects. We already optimize o2[p] (get_by_val) in the above loop for structure properties. This patch adds that same optimization for in_by_val. Because we already emit a "structure" loop for for-in, where we iterate structure properties, the fast path for the above, where o and o2 have the same structure is simply a structure check followed by return true. This patch introduces the new opcode: op_in_structure_property. Its fast path is identical to op_has_structure_property. Its slow path, however, behaves like "in", which uses the HasProperty internal method, unlike op_has_structure_property, which uses the GetOwnProperty internal method. This behavior difference is observable using Proxy. This a 5% perf improvement in the Elm subtest in Speedometer 2. * bytecode/BytecodeList.rb: * bytecode/BytecodeUseDef.cpp: (JSC::computeUsesForBytecodeIndexImpl): (JSC::computeDefsForBytecodeIndexImpl): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitInByVal): (JSC::rewriteOp): (JSC::StructureForInContext::finalize): * bytecompiler/BytecodeGenerator.h: (JSC::StructureForInContext::addInInst): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileInStructureProperty): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileHasStructurePropertyImpl): (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty): (JSC::FTL::DFG::LowerDFGToB3::compileInStructureProperty): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * jit/JIT.h: * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_in_structure_property): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_in_structure_property): * llint/LLIntOffsetsExtractor.cpp: * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter64.asm: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/CommonSlowPaths.h: * runtime/JSObject.cpp: (JSC::JSObject::hasPropertyGeneric const): * runtime/JSPropertyNameEnumerator.h: 2020-05-22 Keith Miller <keith_miller@apple.com> Checkpoint inlined call return handler needs an exception check when dispatching https://bugs.webkit.org/show_bug.cgi?id=212104 Reviewed by Yusuke Suzuki. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::dispatchToNextInstruction): (JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call): (JSC::LLInt::slow_path_checkpoint_osr_exit): 2020-05-22 Paulo Matos <pmatos@igalia.com> Fix non-unified builds for i386 build https://bugs.webkit.org/show_bug.cgi?id=212258 Reviewed by Adrian Perez de Castro. * API/JSContextRef.cpp: * bytecode/IntrinsicGetterAccessCase.cpp: * inspector/InjectedScriptHost.cpp: * llint/LLIntData.cpp: * llint/LLIntThunks.cpp: * runtime/Exception.cpp: * runtime/ExecutableBase.cpp: * runtime/JSBigInt.cpp: * runtime/JSInternalPromiseConstructor.cpp: * runtime/JSString.cpp: * runtime/ScopedArgumentsTable.cpp: * runtime/ScriptExecutable.cpp: * runtime/SparseArrayValueMap.cpp: * runtime/StructureRareData.cpp: 2020-05-22 Paulo Matos <pmatos@igalia.com> Fix typo in JSCVirtualMachine documentation Unreviewed Typo Fix. * API/glib/JSCVirtualMachine.cpp: 2020-05-21 Robin Morisset <rmorisset@apple.com> Various compile-time boolean flags could/should be marked constexpr https://bugs.webkit.org/show_bug.cgi?id=212244 Reviewed by Mark Lam. This trivial patch saves roughly 16kB from the JavaScriptCore binary in release mode. * b3/B3OptimizeAssociativeExpressionTrees.cpp: * b3/air/AirAllocateRegistersByGraphColoring.cpp: * b3/air/AirSimplifyCFG.cpp: (JSC::B3::Air::simplifyCFG): * b3/air/AirTmpWidth.cpp: (JSC::B3::Air::TmpWidth::recompute): * dfg/DFGPredictionPropagationPhase.cpp: * heap/GCIncomingRefCountedInlines.h: (JSC::GCIncomingRefCounted<T>::filterIncomingReferences): * heap/Heap.cpp: (JSC::Heap::updateAllocationLimits): * wasm/WasmEntryPlan.cpp: 2020-05-21 Robin Morisset <rmorisset@apple.com> Remove AssemblerBufferWithConstantPool.h (as it has been dead for years) https://bugs.webkit.org/show_bug.cgi?id=212241 Reviewed by Yusuke Suzuki. * CMakeLists.txt: * JavaScriptCore.xcodeproj/project.pbxproj: * assembler/AssemblerBufferWithConstantPool.h: Removed. 2020-05-21 Alexey Shvayka <shvaikalesh@gmail.com> Use @isUndefinedOrNull instead of abstract equality with null https://bugs.webkit.org/show_bug.cgi?id=210954 Reviewed by Yusuke Suzuki. This patch: a) Replaces 2 `!== @undefined` comparisons in String.prototype.{replace,replaceAll} with @isUndefinedOrNull() as per spec [1], aligning JSC with V8 and SpiderMonkey. b) Replaces 3 `!= @undefined` and 7 `!= null` comparisons with @isUndefinedOrNull() as only the latter is correct with [[IsHTMLDDA]] aka MasqueradesAsUndefined objects [2]. c) Removes @isDictionary() since it is unused, easy to inline and its name is quite misleading: one might expect it to perform Structure::isDictionary(). [1]: https://tc39.es/ecma262/#sec-getmethod (step 3) [2]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot * builtins/ArrayConstructor.js: * builtins/GlobalOperations.js: (globalPrivate.isDictionary): Deleted. * builtins/RegExpPrototype.js: (Symbol.split): Unobservable as there is `=== null` check in @regExpExec. * builtins/StringPrototype.js: (match): (replace): (replaceAll): (search): (split): * builtins/TypedArrayConstructor.js: 2020-05-21 Saam Barati <sbarati@apple.com> Add an option that exposes functions on the global object to turn on and off the sampling profiler and the super sampler https://bugs.webkit.org/show_bug.cgi?id=212178 Reviewed by Yusuke Suzuki. When profiling things like Speedometer inside the browser, it's important to to only enable the super sampler and the sampling profiler around the code that you want profiled. Otherwise, you will be profiling things that aren't relevant to the benchmark score. This patch adds a new option, exposeProfilersOnGlobalObject, which when true, will expose JS functions on the global object that allow enabling/disabling the super sampler and the sampling profiler. This way, we can change the Speedometer source code locally such that these profilers are only sampling code accounted for in the benchmark score. * bytecode/SuperSampler.cpp: (JSC::initializeSuperSampler): (JSC::enableSuperSampler): (JSC::disableSuperSampler): * bytecode/SuperSampler.h: * jsc.cpp: (jscmain): * runtime/JSGlobalObject.cpp: (JSC::enableSamplingProfiler): (JSC::disableSamplingProfiler): (JSC::enableSuperSampler): (JSC::disableSuperSampler): (JSC::JSGlobalObject::init): * runtime/OptionsList.h: 2020-05-21 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Fix 32bit JSBigInt with INT32_MAX < x <= UINT32_MAX https://bugs.webkit.org/show_bug.cgi?id=212193 Reviewed by Mark Lam. In 32bit architecture, we are creating one-length JSBigInt for INT32_MIN <= x <= INT32_MAX, and two-length JSBigInt otherwise. This is wrong since one-length JSBigInt should cover from -UINT32_MAX <= x <= UINT32_MAX. This patch fixes the bug and cleans up createFrom(VM&, int64_t). And it also adds JSBigInt::createFrom(VM&, uint64_t) in preparation for [1] Currently, this path is not used while it was used previously because BigIntConstructor starts using JSBigInt::createFrom(VM&, double). But this will be used in [1], and simply the existing implementation is wrong. [1]: https://bugs.webkit.org/show_bug.cgi?id=190800 * runtime/JSBigInt.cpp: (JSC::JSBigInt::createFromImpl): (JSC::JSBigInt::createFrom): * runtime/JSBigInt.h: 2020-05-21 Paulo Matos <pmatos@igalia.com> Further non-unified build fixes https://bugs.webkit.org/show_bug.cgi?id=212195 Reviewed by Adrian Perez de Castro. * bytecode/InstanceOfStatus.cpp: * heap/MarkedSpace.cpp: * runtime/ObjectInitializationScope.cpp: * runtime/ThrowScope.cpp: 2020-05-21 Alexey Shvayka <shvaikalesh@gmail.com> Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1 https://bugs.webkit.org/show_bug.cgi?id=212167 Reviewed by Saam Barati. This patch increases "length" limit of Array.prototype.concat result to @MAX_SAFE_INTEGER and changes thrown error to TypeError, aligning JSC with the spec [1], V8, and SpiderMonkey. Also, adds missing @MAX_SAFE_INTEGER overflow check in Array.from [2] (we implement similar checks in other methods). SunSpider and microbenchmarks/concat-append-one.js are both neutral. [1]: https://tc39.es/ecma262/#sec-array.prototype.concat (steps 5.c.iii, 5.d.ii) [2]: https://tc39.es/ecma262/#sec-array.from (step 5.e.i) * builtins/ArrayConstructor.js: (from): * builtins/ArrayPrototype.js: (globalPrivate.concatSlowPath): 2020-05-20 Michael Saboff <msaboff@apple.com> [Wasm] Limit the size of Wasm function we optimize in OMG mode https://bugs.webkit.org/show_bug.cgi?id=212105 Reviewed by Filip Pizlo. Given that memory grows O(N^2) compiling Wasm code through the OMG path, we can run out of memory when compiling large Wasm functions. This change adds a limit option, webAssemblyBBQFallbackSize, When the Wasm function size is equal to or greater than this limit we always compile using BBQ optimization parameters. As part of this change, we still go through the OMG loop entry OSR code generation path for functions that are at or above the threshold, but we compile such functions with BBQ compilation optimization levels. Also for Wasm functions at or above the threashold, we don't tier up to an OMG compiled normal entry function. Instead we stay with the BBQ compiled version. * runtime/OptionsList.h: * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::AirIRGenerator): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::B3IRGenerator): (JSC::Wasm::parseAndCompile): * wasm/WasmCompilationMode.cpp: (JSC::Wasm::wasmFunctionSizeCanBeOMGCompiled): * wasm/WasmCompilationMode.h: * wasm/WasmOperations.cpp: (JSC::Wasm::operationWasmTriggerOSREntryNow): 2020-05-19 Ross Kirsling <ross.kirsling@sony.com> REGRESSION(r261755): Win/Linux non-unified builds have hundreds of link failures https://bugs.webkit.org/show_bug.cgi?id=212111 Unreviewed build fix. * API/: * bindings/: * bytecode/: * bytecompiler/NodesCodegen.cpp: * debugger/: * dfg/: * heap/: * inspector/: * interpreter/: * jit/: * llint/LLIntEntrypoint.cpp: * parser/: * profiler/: * runtime/: Restore *Inlines.h includes for >300 files, but try to preserve the spirit of the original patch by pruning redundancies along the way. 2020-05-19 Mark Lam <mark.lam@apple.com> Put PtrTagLookup data structures in Configs for freezing. https://bugs.webkit.org/show_bug.cgi?id=212089 <rdar://problem/63401487> Reviewed by Robin Morisset. PtrTagLookup data structures were always meant to only be initialized once at initialization time and never modified thereafter. This patch puts them in the Configs for freezing to document and enforce this invariant. * runtime/JSCConfig.h: * runtime/JSCPtrTag.cpp: (JSC::initializePtrTagLookup): 2020-05-19 Youenn Fablet <youenn@apple.com> [ Mac wk1 Debug ] imported/w3c/web-platform-tests/fetch/api/basic/stream-safe-creation.any.html is flaky crashing with alerts - WTFCrashWithInfo - SC::JSObject::get(JSC::JSGlobalObject*, JSC::PropertyName) https://bugs.webkit.org/show_bug.cgi?id=211923 <rdar://problem/63244249> Reviewed by Mark Lam. * runtime/JSObject.h: (JSC::JSObject::get const): When calling get, a terminate exception might happen if running in workers. Return early in that case. Add an ASSERT that only terminated exceptions can actually happen. 2020-05-18 Andy Estes <aestes@apple.com> http/tests/ssl/applepay/ApplePayInstallmentConfiguration.https.html fails in public SDK builds https://bugs.webkit.org/show_bug.cgi?id=212000 <rdar://problem/63323082> Reviewed by Youenn Fablet. * Configurations/FeatureDefines.xcconfig: 2020-05-18 Saam Barati <sbarati@apple.com> Do more speculation that a GetByVal/PutByVal will have an int32 index based on data from ArrayProfile https://bugs.webkit.org/show_bug.cgi?id=211877 Reviewed by Yusuke Suzuki. Before this patch, when a GetByVal or PutByVal had a non int32 prediction for their incoming index, they'd fall completely off the fast path. However, there are programs where an int32 is boxed inside a double, but our notion of predicted types don't fully capture this fact. For example, if we have a double Add to produce an array index, that double Add will predict a full double result, not a SpecAnyIntAsDouble. However, for GetByVal and PutByVal, there is information from ArrayProfile we can use to determine if the incoming value is expected to be in int32 range. The heuristic this patch introduces is: isFullNumberSpeculation(indexSpeculation) && node->arrayMode().isSpecific() && node->arrayMode().isInBounds() && !m_graph.hasExitSite(node->origin.semantic, Overflow) // DoubleAsInt32 will exit with Overflow on failure If these conditions are met, we'll now emit a DoubleAsInt32 conversion node for the index. This puts along the fast path for GetByVal and PutByVal on array accesses where the incoming index is an int32 boxed in a double. To make the above isFullNumberSpeculation check more robust, this patch also makes it so non index double accesses result in marking the array profile as out of bounds. So this means indices greater than max safe index, and also, fractional doubles. This is a 3.75x speedup on microbenchmarks/get-and-put-by-val-double-index-dont-fall-off-a-cliff.js * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * jit/JITOperations.cpp: (JSC::getByVal): 2020-05-18 Yusuke Suzuki <ysuzuki@apple.com> [JSC] BigInt peephole compare should speculate appropriately https://bugs.webkit.org/show_bug.cgi?id=212037 <rdar://problem/63346966> Reviewed by Saam Barati. SpeculativeJIT::nonSpeculativePeepholeBranch missed BigInt speculation. This patch renames it to SpeculativeJIT::genericJSValuePeepholeBranch and adds speculation checks appropriately. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): (JSC::DFG::SpeculativeJIT::genericJSValuePeepholeBranch): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted. * dfg/DFGSpeculativeJIT.h: 2020-05-18 Keith Miller <keith_miller@apple.com> OSR loop entry to iterator_next generic needs to CheckNotEmpty on m_next https://bugs.webkit.org/show_bug.cgi?id=212001 Reviewed by Saam Barati. If we happen to OSR enter into iterator_next during a for-of loop that has only profiled a generic iterator but is actually running a fast iterator we will incorrectly perform the Call node This could happen if we loop_hint OSR enter the first time have seen a fast iterator. If this happens right now, we generate the following code: D@113:<!2:loc15> GetLocal(Check:Untyped:D@198, JS|MustGen|UseAsOther, Function|Empty, loc13(W~/FlushedJSValue), machine:loc10, R:Stack(loc13),Stack(loc5), bc#46, ExitValid) predicting Function|Empty 0x4913f1806151: mov -0x58(%rbp), %rsi D@114:<!0:-> FilterCallLinkStatus(Check:Untyped:D@113, MustGen, (Function: Object: 0x1053f47e0 with butterfly 0x0 (Structure 0x1053f9260:[0x6dad, Function, {}, NonArray, Proto:0x1050fc248]), StructureID: 28077; Executable: next#Ddkruz:[0x1053c0480->0x1053e4a80, BaselineFunctionCall, 54 (StrictMode)]), R:Stack(loc5), W:SideState, bc#46, ExitValid) D@115:<!6:loc15> Call(Check:Untyped:D@113, Check:Untyped:D@110, JS|MustGen|VarArgs|UseAsOther, Final, R:World,Stack(loc5), W:Heap, ExitsForExceptions, ClobbersExit, bc#46, ExitValid) predicting Final 0x4913f1806155: mov $0x1, 0x10(%rsp) 0x4913f180615d: mov %rax, 0x18(%rsp) 0x4913f1806162: mov %rsi, 0x8(%rsp) 0x4913f1806167: mov %rax, -0xa0(%rbp) 0x4913f180616e: mov $0x0, 0x24(%rbp) 0x4913f1806175: mov $0x0, %r11 0x4913f180617f: cmp %r11, %rsi 0x4913f1806182: jnz 0x4913f1806192 0x4913f1806188: call 0x4913f180618d 0x4913f180618d: jmp 0x4913f18061ae 0x4913f1806192: mov %rsi, %rax 0x4913f1806195: mov $0x1050cfcb0, %rdx 0x4913f180619f: mov $0x1052fab68, %rcx 0x4913f18061a9: call 0x4913f1801680 0x4913f18061ae: lea -0xd0(%rbp), %rsp D@116:<!0:-> MovHint(Check:Untyped:D@115, MustGen, tmp0, R:Stack(loc5), W:SideState, ClobbersExit, bc#46, ExitInvalid) D@332:<!0:-> InvalidationPoint(MustGen, R:Stack(loc5), W:SideState, Exits, bc#46, exit: bc#46cp#1, ExitValid) D@335:<!0:-> CheckStructure(Check:Cell:D@115, MustGen, [%B2:Object], R:Stack(loc5),JSCell_structureID, Exits, bc#46, exit: bc#46cp#1, ExitValid) 0x4913f18061b5: test %rax, %r15 0x4913f18061b8: jnz 0x4913f18068db 0x4913f18061be: cmp $0xcaae, (%rax) 0x4913f18061c4: jnz 0x4913f18068f1 Loc13 in this IR is the location of the next function. Since it's nullptr, we will pass the initial fast-path value of 0 and make a garbage call. This is because Call does not know how to handle empty values. Subsequently, we will fail a structure check for the Call's result and OSR exit to the getDone checkpoint. The fix for this is to simply put a CheckNotEmpty at the top of the generic case. 99.9% of the time this check will be eliminated so it doesn't really cost anything. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): 2020-05-17 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, link fix for our internal Debug build * heap/AlignedMemoryAllocator.cpp: 2020-05-17 Lauro Moura <lmoura@igalia.com> [JSC] Silence unused-but-set-parameter warnings for older compilers https://bugs.webkit.org/show_bug.cgi?id=212006 Reviewed by Mark Lam. GCC up to 9.x will emit unused-but-set-parameter for the sources parameter when NumberOfRegisters is zero (the if block is eliminated) and for destinations when also ASSERT_ENABLED is false. * jit/CCallHelpers.h: (JSC::CCallHelpers::setupStubArgs): 2020-05-16 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Make OutOfMemory error as instance of RangeError https://bugs.webkit.org/show_bug.cgi?id=211952 Reviewed by Mark Lam. The spec sometimes requires "check parameters and throw RangeError" before allocating an object. But we are just allocating an object and throwing an out-of-memory error since wrong parameter will cause out-of-memory. If out-of-memory error is RangeError, then we can keep our current behavior while we can make us spec compliant. And note that out-of-memory error is RangeError in SpiderMonkey and V8. This patch makes out-of-memory error as RangeError instead of Error. We also fix @throwOutOfMemoryError in builtin code: the previous thrown errors are not marked as out-of-memory error. * bytecode/BytecodeList.rb: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitThrowStaticError): (JSC::BytecodeGenerator::emitThrowReferenceError): (JSC::BytecodeGenerator::emitThrowTypeError): (JSC::BytecodeGenerator::emitThrowRangeError): (JSC::BytecodeGenerator::emitThrowOutOfMemoryError): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::RegExpNode::emitBytecode): (JSC::BytecodeIntrinsicNode::emit_intrinsic_throwTypeError): (JSC::BytecodeIntrinsicNode::emit_intrinsic_throwRangeError): * dfg/DFGOperations.cpp: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/Error.cpp: (JSC::createError): (JSC::createOutOfMemoryError): * runtime/Error.h: * runtime/ErrorType.cpp: (JSC::errorTypeName): (WTF::printInternal): * runtime/ErrorType.h: We introduced ErrorTypeWithExtension separately from ErrorType to keep ErrorType one-on-one to spec-specified error types. 2020-05-15 Yusuke Suzuki <ysuzuki@apple.com> [JSC] getFunctionRealm should not use recursion https://bugs.webkit.org/show_bug.cgi?id=211965 <rdar://problem/63268287> Reviewed by Saam Barati. This patch avoids using recursion in getFunctionRealm to avoid stack-overflow. * runtime/InternalFunction.cpp: (JSC::getFunctionRealm): 2020-05-15 Keith Miller <keith_miller@apple.com> Unreviewed, fix internal arm64e build. * dfg/DFGSpeculativeJIT.cpp: 2020-05-15 Keith Miller <keith_miller@apple.com> Unreviewed, fix internal fast tls build. * jit/AssemblyHelpers.cpp: 2020-05-15 Ross Kirsling <ross.kirsling@sony.com> [IWYU] Remove unnecessary includes from JSC implementation files https://bugs.webkit.org/show_bug.cgi?id=211867 Reviewed by Keith Miller. * API/: * assembler/: * b3/: * bindings/: * builtins/BuiltinExecutables.cpp: * bytecode/: * bytecompiler/: * debugger/: * dfg/: * disassembler/: * ftl/: * heap/: * inspector/: * interpreter/: * jit/: * jsc.cpp: * llint/: * parser/: * profiler/: * runtime/: * testRegExp.cpp: * tools/: * wasm/: * yarr/: 2020-05-15 Michael Catanzaro <mcatanzaro@gnome.org> -Wtype-limits warning spam from CCallHelpers.h https://bugs.webkit.org/show_bug.cgi?id=211701 Reviewed by Darin Adler. Skip the problematic loops when TargetSize or NumberOfRegisters is 0 using constexpr if. Solution suggested by Mark Lam. * jit/CCallHelpers.h: (JSC::CCallHelpers::setupStubArgs): (JSC::CCallHelpers::clampArrayToSize): 2020-05-15 Mark Lam <mark.lam@apple.com> Remove debugging dataLogs in LinkBuffer::copyCompactAndLinkCode() for release builds. https://bugs.webkit.org/show_bug.cgi?id=211961 <rdar://problem/63264848> Reviewed by Keith Miller. * assembler/LinkBuffer.cpp: (JSC::LinkBuffer::copyCompactAndLinkCode): 2020-05-15 Paulo Matos <pmatos@igalia.com> Fix ARM NEON only assert https://bugs.webkit.org/show_bug.cgi?id=211889 Reviewed by Mark Lam. Fix assert that breaks if ARM does not contain NEON extensions - the register d16 is only defined if NEON exists. * assembler/ARMv7Assembler.h: (JSC::RegisterNames::asSingle): (JSC::RegisterNames::asSingleUpper): 2020-05-14 Saam Barati <sbarati@apple.com> GetByVal and PutByVal runtime operations shouldn't fall off a performance cliff when the property is an integer boxed as a double https://bugs.webkit.org/show_bug.cgi?id=211935 Reviewed by Yusuke Suzuki and Mark Lam. There were parts in the runtime for get_by_val that weren't properly handling ints boxed as doubles along the fast path. This could lead to terrible performance as we could go from double -> string -> int while converting the subscript into a property to access. This patch fixes that, and removes the duplicate code we had throughout the codebase that does this conversion. I'm adding a new functions tryGetAsUint32Index and tryGetAsInt32 which will handle the double to int conversion. This is a 10x speedup on the microbenchmark get-and-put-by-val-double-index-dont-fall-off-a-cliff.js * dfg/DFGOperations.cpp: (JSC::DFG::putByValInternal): * jit/JITOperations.cpp: (JSC::getByVal): * jsc.cpp: (functionAsDoubleNumber): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::getByVal): (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/JSCJSValue.h: * runtime/JSCJSValueInlines.h: (JSC::JSValue::tryGetAsUint32Index): (JSC::JSValue::tryGetAsInt32): 2020-05-14 Devin Rousso <drousso@apple.com> [ESNext] enable logical assignment operators by default https://bugs.webkit.org/show_bug.cgi?id=211921 Reviewed by Yusuke Suzuki. * runtime/OptionsList.h: * parser/Lexer.cpp: (JSC::Lexer<T>::lexWithoutClearingLineTerminator): Remove `useLogicalAssignmentOperators` option. 2020-05-14 Keith Miller <keith_miller@apple.com> Undecided Arrays shouldn't need to be OriginalArray to covert to GetArrayLength https://bugs.webkit.org/show_bug.cgi?id=211914 Reviewed by Saam Barati. Also, fix a bug that arrayModesThatPassFiltering() can't handle Undecided arrays. Because we can now emit a CheckArray on Undecided AI will try to figure out what types flow out of the check. Since Undecided was unhandled by filtering, AI will assume bottom is the only possible value and the DFG/FTL will insert a breakpoint, causing a crash. * dfg/DFGArrayMode.cpp: (JSC::DFG::ArrayMode::refine const): * dfg/DFGArrayMode.h: (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const): 2020-05-14 Keith Miller <keith_miller@apple.com> GetArrayLength should be "blessed" during Fixup phase in the DFG https://bugs.webkit.org/show_bug.cgi?id=211540 Reviewed by Saam Barati. If we got an ArrayMode during bytecode parsing for-of that expects to be configured during Fixup, then right now we will crash on GetArrayLength. This fixes GetArrayLength to properly call blessArrayOperation and fixes clobberize to know that GetArrayLength could have a ForceExit ArrayMode briefly before being cleaned up. When blessing GetArrayLength we can now produce CheckArrays that have an AnyTypedArray ArrayMode::Type. So this patch expands CheckArray to properly handle that. To help with this we expand branchIfType to have a starting JSType and an optional ending JSType. Additionally, to prevent extra checks AI has been taught to fold more ArrayModes so we should almost always avoid new runtime checks. Lastly, make sure that Undecided Arrays don't fall back to generic because GetArrayLength can't be converted to... GetArrayLenth. Also, GetArrayLength would previously pass it's own speculation for the speculation of the index, which logically doesn't make sense. So this patch adds a new constant, which is SpecInt32Only, that can be passed if a DFG node doesn't have an index. * assembler/testmasm.cpp: (JSC::testBranchIfType): (JSC::testBranchIfNotType): (JSC::run): * dfg/DFGArrayMode.cpp: (JSC::DFG::canBecomeGetArrayLength): * dfg/DFGArrayMode.h: * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::blessArrayOperation): (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::checkArray): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForCheckArray): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::branchIfType): (JSC::AssemblyHelpers::branchIfNotType): * runtime/JSType.h: 2020-05-13 Keith Miller <keith_miller@apple.com> iteration bytecodes need to handle osr exiting from inlined getter frames https://bugs.webkit.org/show_bug.cgi?id=211873 Reviewed by Saam Barati. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call): 2020-05-13 Devin Rousso <drousso@apple.com> Web Inspector: rename CSS.StyleSheetOrigin.Regular to CSS.StyleSheetOrigin.Author to match the spec https://bugs.webkit.org/show_bug.cgi?id=211827 Reviewed by Timothy Hatcher. * inspector/protocol/CSS.json: 2020-05-13 Yusuke Suzuki <ysuzuki@apple.com> JSDOMWindowBase m_windowCloseWatchpoints must be Ref<> https://bugs.webkit.org/show_bug.cgi?id=211844 Reviewed by Mark Lam. * bytecode/Watchpoint.cpp: (JSC::InlineWatchpointSet::inflateSlow): * bytecode/Watchpoint.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::JSGlobalObject): * runtime/Structure.cpp: (JSC::Structure::ensurePropertyReplacementWatchpointSet): * runtime/SymbolTable.cpp: (JSC::SymbolTableEntry::prepareToWatch): * runtime/VM.cpp: (JSC::VM::ensureWatchpointSetForImpureProperty): 2020-05-13 Caio Lima <ticaiolima@gmail.com> Making 32-bits JIT build without Unified Build system https://bugs.webkit.org/show_bug.cgi?id=211853 Reviewed by Adrian Perez de Castro. This patch is moving some templates to allow non-unified builds on 32-bits JIT configurations. Those templates were from JITArithmetic32_64 and JITPropertyAccess32_64. * jit/JITArithmetic.cpp: (JSC::JIT::emit_compareAndJump): (JSC::JIT::emit_compareUnsignedAndJump): (JSC::JIT::emit_compareUnsigned): (JSC::JIT::emit_compareAndJumpSlow): (JSC::JIT::emitBinaryDoubleOp): * jit/JITArithmetic32_64.cpp: (JSC::JIT::emit_compareAndJump): Deleted. (JSC::JIT::emit_compareUnsignedAndJump): Deleted. (JSC::JIT::emit_compareUnsigned): Deleted. (JSC::JIT::emit_compareAndJumpSlow): Deleted. (JSC::JIT::emitBinaryDoubleOp): Deleted. * jit/JITOpcodes32_64.cpp: * jit/JITPropertyAccess.cpp: (JSC::JIT::emitPutByValWithCachedId): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emitPutByValWithCachedId): Deleted. 2020-05-13 Caio Lima <ticaiolima@gmail.com> [JSC] Support delete by val/id IC on 32-bits https://bugs.webkit.org/show_bug.cgi?id=208207 Reviewed by Saam Barati. This patch implements DeleteById and DeleteByVal IC on 32-bits JIT. It includes both Baseline and DFG changes. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileDeleteById): (JSC::DFG::SpeculativeJIT::compileDeleteByVal): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compileDeleteById): Deleted. (JSC::DFG::SpeculativeJIT::compileDeleteByVal): Deleted. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compileDeleteById): Deleted. (JSC::DFG::SpeculativeJIT::compileDeleteByVal): Deleted. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileDelBy): * jit/JITInlineCacheGenerator.cpp: (JSC::JITDelByValGenerator::JITDelByValGenerator): (JSC::JITDelByIdGenerator::JITDelByIdGenerator): * jit/JITInlineCacheGenerator.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_del_by_id): (JSC::JIT::emit_op_del_by_val): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_del_by_id): (JSC::JIT::emit_op_del_by_val): (JSC::JIT::emitSlow_op_del_by_val): (JSC::JIT::emitSlow_op_del_by_id): 2020-05-13 Saam Barati <sbarati@apple.com> MovHint can see an arguments object be MovHinted to a Tmp https://bugs.webkit.org/show_bug.cgi?id=211820 <rdar://problem/62882158> Reviewed by Keith Miller. We had an assert that it wasn't possible to have a MovHint from an arguments object to a Tmp. However, this is possible with for-of. There is nothing about the current algorithm that is specific to only VirtualRegisters. The algorithm also works over Tmps. So I've generalized the algorithm to just work over Operand. * dfg/DFGVarargsForwardingPhase.cpp: 2020-05-13 Alexey Shvayka <shvaikalesh@gmail.com> Move @isConstructor checks from fast paths of Array.from and Array.of https://bugs.webkit.org/show_bug.cgi?id=211805 Reviewed by Keith Miller. This semantically equivalent change advances provided Array.{from,of} microbenchmarks by ~60%. Also, this patch removes @isConstructor check from @newPromiseCapabilitySlow (that is heavily used by Promise subclasses) since it comes right before [[Construct]], its message doesn't add more clarity, and constructability of its argument was likely checked by @speciesConstructor. * builtins/ArrayConstructor.js: (of): (from): * builtins/PromiseOperations.js: (globalPrivate.newPromiseCapabilitySlow): 2020-05-12 Alexey Shvayka <shvaikalesh@gmail.com> Implement @isConstructor bytecode intrinsic and bytecode for that https://bugs.webkit.org/show_bug.cgi?id=144093 Reviewed by Keith Miller. This change replaces @isConstructor link-time-constant with bytecode intrinsic and utilizes it in ClassExprNode::emitBytecode() according to the spec [1], aligning JSC with V8 and SpiderMonkey. Before this patch, we checked if "prototype" of superclass is an object, which is incorrect for generators and bound non-constructor functions with own "prototype". OpIsConstructor's fast path can't be easily compiled, and it's not a hot code anyway, so instead we reduce code bloat by just calling slow ops from DFG and FTL (if we bail out, we slow down all @isConstructor call sites). This advances microbenchmarks/is-constructor.js by ~35%. [1]: https://tc39.es/ecma262/#sec-runtime-semantics-classdefinitionevaluation (step 5.f) * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * builtins/BuiltinNames.h: * bytecode/BytecodeIntrinsicRegistry.h: * bytecode/BytecodeList.rb: * bytecode/BytecodeUseDef.cpp: (JSC::computeUsesForBytecodeIndexImpl): (JSC::computeDefsForBytecodeIndexImpl): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitIsConstructor): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::ClassExprNode::emitBytecode): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGHeapLocation.cpp: (WTF::printInternal): * dfg/DFGHeapLocation.h: * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileIsConstructor): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileIsConstructor): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): * llint/LowLevelInterpreter.asm: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/CommonSlowPaths.h: * runtime/ECMAScriptSpecInternalFunctions.cpp: Removed. * runtime/ECMAScriptSpecInternalFunctions.h: Removed. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): 2020-05-12 Robin Morisset <rmorisset@apple.com> Exception check for OOM is a bit too late in JSBigInt::exponentiate. https://bugs.webkit.org/show_bug.cgi?id=211823 Reviewed by Mark Lam. We were doing multiplyImpl(...).payload.asHeapBigInt(), but multiplyImpl can return a null payload if it causes an exception. So we must first check whether an exception was raised, and only if not can we do asHeapBigInt. * runtime/JSBigInt.cpp: (JSC::JSBigInt::exponentiateImpl): 2020-05-12 Saam Barati <sbarati@apple.com> handling of Check in VarargsForwardingPhase is too pessimistic https://bugs.webkit.org/show_bug.cgi?id=211810 Reviewed by Keith Miller and Filip Pizlo. We were treating a check, even if it wasn't on the sink candidate, as if it could escape the candidate. That's wrong. Only checks on the candidate have the escaping ability. * dfg/DFGVarargsForwardingPhase.cpp: 2020-05-12 Keith Miller <keith_miller@apple.com> The bottom value set for m_value in iterator_next should be materialized after a done getter https://bugs.webkit.org/show_bug.cgi?id=211811 Reviewed by Saam Barati. Right now, if the done getter contains control flow, then we will have the bottom value in a different block from the MovHint/SetLocal and we will fail to validate. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): 2020-05-12 Ross Kirsling <ross.kirsling@sony.com> Fix existing usage of final/override/virtual in JSC and WTF https://bugs.webkit.org/show_bug.cgi?id=211772 Reviewed by Darin Adler. * API/JSAPIWrapperObject.mm: * API/JSManagedValue.mm: * API/JSScriptSourceProvider.h: * API/ObjCCallbackFunction.mm: * API/glib/JSAPIWrapperGlobalObject.cpp: * API/glib/JSAPIWrapperObjectGLib.cpp: * API/glib/JSCWeakValue.cpp: * bytecode/AccessCaseSnippetParams.cpp: * bytecode/AccessCaseSnippetParams.h: * bytecode/CodeBlock.cpp: * bytecode/StructureStubClearingWatchpoint.h: * bytecode/VariableWriteFireDetail.h: * bytecode/Watchpoint.h: * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h: * dfg/DFGArrayifySlowPathGenerator.h: * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: * dfg/DFGSaneStringGetByValSlowPathGenerator.h: * dfg/DFGSlowPathGenerator.h: * dfg/DFGSnippetParams.h: * dfg/DFGWorklist.cpp: * ftl/FTLSnippetParams.h: * heap/BlockDirectory.cpp: * heap/EdenGCActivityCallback.h: * heap/FullGCActivityCallback.h: * heap/Heap.cpp: * heap/Heap.h: * heap/IncrementalSweeper.h: * heap/IsoCellSet.cpp: * heap/IsoCellSetInlines.h: * heap/IsoHeapCellType.h: * heap/IsoInlinedHeapCellType.h: * heap/ParallelSourceAdapter.h: * heap/StopIfNecessaryTimer.h: * heap/Subspace.cpp: * heap/SubspaceInlines.h: * inspector/InjectedScript.h: * inspector/JSGlobalObjectConsoleClient.h: * inspector/JSGlobalObjectInspectorController.h: * inspector/JSGlobalObjectScriptDebugServer.h: * inspector/JSInjectedScriptHost.cpp: * inspector/agents/InspectorAgent.h: * inspector/agents/InspectorScriptProfilerAgent.h: * inspector/agents/InspectorTargetAgent.h: * inspector/agents/JSGlobalObjectAuditAgent.h: * inspector/agents/JSGlobalObjectDebuggerAgent.h: * inspector/agents/JSGlobalObjectRuntimeAgent.h: * inspector/augmentable/AlternateDispatchableAgent.h: * inspector/remote/RemoteConnectionToTarget.h: * inspector/remote/RemoteInspector.h: * inspector/remote/socket/RemoteInspectorServer.h: * inspector/scripts/codegen/cpp_generator_templates.py: * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py: * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: * inspector/scripts/tests/generic/expected/command-targetType-matching-domain-debuggableType.json-result: * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: * inspector/scripts/tests/generic/expected/domain-debuggableTypes.json-result: * inspector/scripts/tests/generic/expected/domain-targetType-matching-domain-debuggableType.json-result: * inspector/scripts/tests/generic/expected/domain-targetTypes.json-result: * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result: * inspector/scripts/tests/generic/expected/enum-values.json-result: * inspector/scripts/tests/generic/expected/event-targetType-matching-domain-debuggableType.json-result: * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: * jit/JITWorklist.cpp: * parser/Nodes.h: * parser/SourceProvider.h: * runtime/DataView.h: * runtime/DoublePredictionFuzzerAgent.h: * runtime/FileBasedFuzzerAgent.h: * runtime/GenericTypedArrayView.h: * runtime/JSMicrotask.cpp: * runtime/NarrowingNumberPredictionFuzzerAgent.h: * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: * runtime/PredictionFileCreatingFuzzerAgent.h: * runtime/PromiseTimer.h: * runtime/RandomizingFuzzerAgent.h: * runtime/RegExpCache.h: * runtime/Structure.cpp: * runtime/StructureRareData.cpp: * runtime/VMTraps.cpp: * runtime/WideningNumberPredictionFuzzerAgent.h: * tools/JSDollarVM.cpp: * wasm/WasmBBQPlan.h: * wasm/WasmCallee.h: * wasm/WasmLLIntPlan.h: * wasm/WasmOMGForOSREntryPlan.h: * wasm/WasmOMGPlan.h: * wasm/WasmWorklist.cpp: * yarr/YarrJIT.cpp: 2020-05-12 Ross Kirsling <ross.kirsling@sony.com> [clang-tidy] Run modernize-use-override over JSC, then ensure as much as possible is final https://bugs.webkit.org/show_bug.cgi?id=211743 Reviewed by Saam Barati. * API/JSScriptRef.cpp: * b3/B3ArgumentRegValue.h: * b3/B3AtomicValue.h: * b3/B3CCallValue.h: * b3/B3CheckSpecial.h: * b3/B3CheckValue.h: * b3/B3Const32Value.h: * b3/B3Const64Value.h: * b3/B3ConstDoubleValue.h: * b3/B3ConstFloatValue.h: * b3/B3DataSection.h: * b3/B3ExtractValue.h: * b3/B3FenceValue.h: * b3/B3MemoryValue.h: * b3/B3PatchpointSpecial.h: * b3/B3PatchpointValue.h: * b3/B3SlotBaseValue.h: * b3/B3StackmapSpecial.h: * b3/B3StackmapValue.h: * b3/B3SwitchValue.h: * b3/B3UpsilonValue.h: * b3/B3VariableValue.h: * b3/B3WasmAddressValue.h: * b3/B3WasmBoundsCheckValue.h: * b3/air/AirCCallSpecial.h: * b3/air/AirPrintSpecial.h: * bytecode/BytecodeDumper.h: * bytecode/GetterSetterAccessCase.h: * bytecode/InstanceOfAccessCase.h: * bytecode/IntrinsicGetterAccessCase.h: * bytecode/ModuleNamespaceAccessCase.h: * bytecode/ProxyableAccessCase.h: * bytecode/Watchpoint.h: * dfg/DFGFailedFinalizer.h: * dfg/DFGGraph.h: * dfg/DFGJITCode.h: * dfg/DFGJITFinalizer.h: * dfg/DFGToFTLDeferredCompilationCallback.h: * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: * ftl/FTLForOSREntryJITCode.h: * ftl/FTLJITCode.h: * ftl/FTLJITFinalizer.h: * heap/CompleteSubspace.h: * heap/FastMallocAlignedMemoryAllocator.h: * heap/GigacageAlignedMemoryAllocator.h: * heap/HeapSnapshotBuilder.h: * heap/IsoAlignedMemoryAllocator.h: * heap/IsoSubspace.h: * heap/IsoSubspacePerVM.cpp: * heap/IsoSubspacePerVM.h: * heap/MarkStackMergingConstraint.h: * heap/SimpleMarkingConstraint.h: * heap/SpaceTimeMutatorScheduler.h: * heap/StochasticSpaceTimeMutatorScheduler.h: * heap/SynchronousStopTheWorldMutatorScheduler.h: * jit/GCAwareJITStubRoutine.h: * jit/JITCode.h: * jit/JITThunks.h: * jit/JITToDFGDeferredCompilationCallback.h: * jit/PolymorphicCallStubRoutine.h: * jsc.cpp: * parser/Lexer.cpp: Address warning. * runtime/JSDestructibleObjectHeapCellType.h: * runtime/SimpleTypedArrayController.h: * runtime/Structure.h: * runtime/WeakGCMap.h: * wasm/WasmEntryPlan.h: 2020-05-12 Michael Catanzaro <mcatanzaro@gnome.org> -Wsign-compare warnings in FTLLowerDFGToB3.cpp and DFGSpeculativeJIT.cpp https://bugs.webkit.org/show_bug.cgi?id=211783 Reviewed by Darin Adler. This fixes -Wsign-compare warnings introduced in r260331. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileValueBitNot): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot): 2020-05-12 Truitt Savell <tsavell@apple.com> Unreviewed, reverting r261542. Broke internal builds Reverted changeset: "[clang-tidy] Run modernize-use-override over JSC, then ensure as much as possible is final" https://bugs.webkit.org/show_bug.cgi?id=211743 https://trac.webkit.org/changeset/261542 2020-05-12 Mark Lam <mark.lam@apple.com> Wasm::enableFastMemory() was called too late. https://bugs.webkit.org/show_bug.cgi?id=211773 Reviewed by Yusuke Suzuki. If Wasm fast memory is to be enabled, we should just do it in initializeThreading() just like for all the other signal handlers that need to be initialized for JSC. This simplifies its initialization and ensures that it is done in a timely manner before Configs are frozen. * jsc.cpp: (jscmain): * runtime/InitializeThreading.cpp: (JSC::initializeThreading): 2020-05-11 Darin Adler <darin@apple.com> Fix problems caught by replacing WTF::Optional with std::optional https://bugs.webkit.org/show_bug.cgi?id=211703 Reviewed by Chris Dumez. * runtime/MachineContext.h: (JSC::MachineContext::instructionPointer): Use explcit makeOptional here, to work around the fact that MacroAssemblerCodePtr uses an unusual technique to disable conversions to everything except bool. 2020-05-11 Yoshiaki JITSUKAWA <yoshiaki.jitsukawa@sony.com> Fix build errors after r260992 https://bugs.webkit.org/show_bug.cgi?id=211756 Reviewed by Darin Adler. Add JSC namespace specifier to NonIntrinsic and PropertyAttribute in the macros in JSObject.h since those can be used outside of or without introducing JSC namespace. * runtime/JSObject.h: 2020-05-11 Ross Kirsling <ross.kirsling@sony.com> [clang-tidy] Run modernize-use-override over JSC, then ensure as much as possible is final https://bugs.webkit.org/show_bug.cgi?id=211743 Reviewed by Saam Barati. * API/JSScriptRef.cpp: * b3/B3ArgumentRegValue.h: * b3/B3AtomicValue.h: * b3/B3CCallValue.h: * b3/B3CheckSpecial.h: * b3/B3CheckValue.h: * b3/B3Const32Value.h: * b3/B3Const64Value.h: * b3/B3ConstDoubleValue.h: * b3/B3ConstFloatValue.h: * b3/B3DataSection.h: * b3/B3ExtractValue.h: * b3/B3FenceValue.h: * b3/B3MemoryValue.h: * b3/B3PatchpointSpecial.h: * b3/B3PatchpointValue.h: * b3/B3SlotBaseValue.h: * b3/B3StackmapSpecial.h: * b3/B3StackmapValue.h: * b3/B3SwitchValue.h: * b3/B3UpsilonValue.h: * b3/B3VariableValue.h: * b3/B3WasmAddressValue.h: * b3/B3WasmBoundsCheckValue.h: * b3/air/AirCCallSpecial.h: * b3/air/AirPrintSpecial.h: * bytecode/BytecodeDumper.h: * bytecode/GetterSetterAccessCase.h: * bytecode/InstanceOfAccessCase.h: * bytecode/IntrinsicGetterAccessCase.h: * bytecode/ModuleNamespaceAccessCase.h: * bytecode/ProxyableAccessCase.h: * bytecode/Watchpoint.h: * dfg/DFGFailedFinalizer.h: * dfg/DFGGraph.h: * dfg/DFGJITCode.h: * dfg/DFGJITFinalizer.h: * dfg/DFGToFTLDeferredCompilationCallback.h: * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: * ftl/FTLForOSREntryJITCode.h: * ftl/FTLJITCode.h: * ftl/FTLJITFinalizer.h: * heap/CompleteSubspace.h: * heap/FastMallocAlignedMemoryAllocator.h: * heap/GigacageAlignedMemoryAllocator.h: * heap/HeapSnapshotBuilder.h: * heap/IsoAlignedMemoryAllocator.h: * heap/IsoSubspace.h: * heap/IsoSubspacePerVM.cpp: * heap/IsoSubspacePerVM.h: * heap/MarkStackMergingConstraint.h: * heap/SimpleMarkingConstraint.h: * heap/SpaceTimeMutatorScheduler.h: * heap/StochasticSpaceTimeMutatorScheduler.h: * heap/SynchronousStopTheWorldMutatorScheduler.h: * jit/GCAwareJITStubRoutine.h: * jit/JITCode.h: * jit/JITThunks.h: * jit/JITToDFGDeferredCompilationCallback.h: * jit/PolymorphicCallStubRoutine.h: * jsc.cpp: * parser/Lexer.cpp: Address warning. * runtime/JSDestructibleObjectHeapCellType.h: * runtime/SimpleTypedArrayController.h: * runtime/Structure.h: * runtime/WeakGCMap.h: * wasm/WasmEntryPlan.h: 2020-05-11 Mark Lam <mark.lam@apple.com> Introduce WTF::Config and put Signal.cpp's init-once globals in it. https://bugs.webkit.org/show_bug.cgi?id=211729 <rdar://problem/62938878> Reviewed by Keith Miller and Saam Barati. 1. Initialize VMTraps' signals early now that we'll be freezing signals at the end of the first VM initialization. 2. Move the !initializeThreadingHasBeenCalled RELEASE_ASSERT in initializeThreading() to the bottom of the function. This way, we'll also catch bugs which may cause us to jump into the middle of the function. Added a compilerFence there to ensure that the RELEASE_ASSERT is only executed after all initialization is done. This guarantees that it will only be executed at the end. 3. Call WTF::Config::permanentlyFreeze() from JSC::Config::permanentlyFreeze() for obvious reasons: freezing one should freeze the other. * runtime/InitializeThreading.cpp: (JSC::initializeThreading): * runtime/JSCConfig.cpp: (JSC::Config::permanentlyFreeze): * runtime/VMTraps.cpp: (JSC::VMTraps::initializeSignals): * runtime/VMTraps.h: 2020-05-11 Keith Miller <keith_miller@apple.com> Remove unused BytecodeKills.h https://bugs.webkit.org/show_bug.cgi?id=211753 Reviewed by Yusuke Suzuki. No one uses this class anymore, we should get rid of it. * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/BytecodeKills.h: Removed. * bytecode/BytecodeLivenessAnalysis.cpp: (JSC::BytecodeLivenessAnalysis::computeKills): Deleted. * bytecode/BytecodeLivenessAnalysis.h: * dfg/DFGGraph.cpp: (JSC::DFG::Graph::killsFor): Deleted. * dfg/DFGGraph.h: 2020-05-10 Ross Kirsling <ross.kirsling@sony.com> [clang-tidy] Run modernize-use-nullptr over JSC https://bugs.webkit.org/show_bug.cgi?id=211706 Reviewed by Darin Adler. * API/APICallbackFunction.h: * API/JSAPIGlobalObject.h: * API/JSBase.cpp: * API/JSCallbackObjectFunctions.h: * API/JSClassRef.cpp: * API/JSContextRef.cpp: * API/JSObjectRef.cpp: * API/JSScriptRef.cpp: * API/JSValueRef.cpp: * API/JSWeakObjectMapRefPrivate.cpp: * API/tests/ExecutionTimeLimitTest.cpp: * API/tests/PingPongStackOverflowTest.cpp: * assembler/AbstractMacroAssembler.h: * assembler/CPU.cpp: * bytecode/CodeBlock.cpp: * bytecode/DeleteByIdVariant.cpp: * bytecode/GetByIdVariant.cpp: * bytecode/InByIdVariant.cpp: * bytecode/InlineCallFrame.cpp: * bytecode/LazyOperandValueProfile.cpp: * bytecode/PutByIdVariant.cpp: * bytecode/ValueProfile.h: * bytecode/ValueRecovery.cpp: * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: * debugger/DebuggerScope.h: * dfg/DFGAbstractValue.cpp: * dfg/DFGAdjacencyList.h: * dfg/DFGArgumentPosition.h: * dfg/DFGArrayifySlowPathGenerator.h: * dfg/DFGAvailability.h: * dfg/DFGByteCodeParser.cpp: * dfg/DFGCFGSimplificationPhase.cpp: * dfg/DFGCPSRethreadingPhase.cpp: * dfg/DFGCompilationKey.h: * dfg/DFGConstantFoldingPhase.cpp: * dfg/DFGDisassembler.cpp: * dfg/DFGDoubleFormatState.h: * dfg/DFGEdge.h: * dfg/DFGFixupPhase.cpp: * dfg/DFGFrozenValue.cpp: * dfg/DFGGenerationInfo.h: * dfg/DFGGraph.h: * dfg/DFGInPlaceAbstractState.cpp: * dfg/DFGIntegerCheckCombiningPhase.cpp: * dfg/DFGLazyJSValue.cpp: * dfg/DFGNode.h: * dfg/DFGOSREntrypointCreationPhase.cpp: * dfg/DFGOSRExit.cpp: * dfg/DFGOperations.cpp: * dfg/DFGSilentRegisterSavePlan.h: * dfg/DFGSpeculativeJIT.cpp: * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT64.cpp: * dfg/DFGStructureAbstractValue.cpp: * dfg/DFGTransition.cpp: * dfg/DFGTypeCheckHoistingPhase.cpp: * dfg/DFGWorklist.cpp: * ftl/FTLAbstractHeapRepository.h: * ftl/FTLAvailableRecovery.h: * ftl/FTLExitValue.cpp: * ftl/FTLFormattedValue.h: * ftl/FTLJITCode.cpp: * ftl/FTLLink.cpp: * ftl/FTLLowerDFGToB3.cpp: * ftl/FTLLoweredNodeValue.h: * ftl/FTLOSREntry.cpp: * ftl/FTLOSRExitCompiler.cpp: * ftl/FTLTypedPointer.h: * ftl/FTLValueFromBlock.h: * ftl/FTLValueRange.h: * heap/GCSegmentedArray.h: * heap/Handle.h: * heap/HandleSet.h: * heap/HandleTypes.h: * heap/HeapSnapshotBuilder.cpp: * heap/MarkedBlockInlines.h: * heap/Strong.h: * heap/WeakImpl.h: * heap/WeakInlines.h: * heap/WeakSet.cpp: * heap/WeakSet.h: * interpreter/CallFrame.cpp: * interpreter/CallFrame.h: * interpreter/Interpreter.cpp: * interpreter/ProtoCallFrame.h: * interpreter/StackVisitor.cpp: * interpreter/StackVisitor.h: * jit/AssemblyHelpers.h: * jit/CCallHelpers.h: * jit/JITCode.cpp: * jit/JITOperations.cpp: * jit/Repatch.cpp: * jit/ThunkGenerators.cpp: * jsc.cpp: * llint/LLIntSlowPaths.cpp: * parser/ASTBuilder.h: * parser/Lexer.cpp: * parser/Lexer.h: * parser/Nodes.cpp: * parser/Nodes.h: * parser/Parser.cpp: * parser/Parser.h: * parser/ParserArena.cpp: * parser/ParserArena.h: * parser/ParserFunctionInfo.h: * parser/SyntaxChecker.h: * parser/UnlinkedSourceCode.h: * profiler/ProfilerBytecodeSequence.cpp: * profiler/ProfilerCompilation.cpp: * profiler/ProfilerDatabase.cpp: * profiler/ProfilerOSRExitSite.cpp: * profiler/ProfilerOriginStack.cpp: * runtime/ArgList.h: * runtime/ArrayPrototype.cpp: * runtime/ClonedArguments.cpp: * runtime/CommonSlowPaths.cpp: * runtime/Completion.h: * runtime/DataView.h: * runtime/DatePrototype.cpp: * runtime/DirectEvalExecutable.cpp: * runtime/DumpContext.cpp: * runtime/FunctionExecutable.cpp: * runtime/IndirectEvalExecutable.cpp: * runtime/JSArray.cpp: * runtime/JSArrayBufferView.cpp: * runtime/JSCJSValue.cpp: * runtime/JSCJSValueInlines.h: * runtime/JSCell.cpp: * runtime/JSDataView.cpp: * runtime/JSDestructibleObject.h: * runtime/JSFunction.cpp: * runtime/JSGlobalObject.cpp: * runtime/JSGlobalObject.h: * runtime/JSONObject.cpp: * runtime/JSObject.cpp: * runtime/JSObject.h: * runtime/JSScope.cpp: * runtime/JSScope.h: * runtime/LiteralParser.cpp: * runtime/OptionsList.h: * runtime/PropertyDescriptor.cpp: * runtime/PropertyMapHashTable.h: * runtime/PropertySlot.h: * runtime/PutPropertySlot.h: * runtime/RegExpMatchesArray.h: * runtime/RegExpPrototype.cpp: * runtime/StringPrototype.cpp: * runtime/Structure.cpp: * runtime/Structure.h: * runtime/TestRunnerUtils.cpp: * runtime/TypedArrayType.cpp: * runtime/VM.cpp: * runtime/Watchdog.cpp: * runtime/Watchdog.h: * runtime/WriteBarrier.h: * testRegExp.cpp: * tools/JSDollarVM.cpp: * wasm/WasmSlowPaths.cpp: * yarr/RegularExpression.h: * yarr/YarrInterpreter.cpp: * yarr/YarrJIT.cpp: * yarr/YarrJIT.h: * yarr/YarrPattern.cpp: * yarr/YarrPattern.h: 2020-05-09 Ross Kirsling <ross.kirsling@sony.com> Fix build errors and warnings for non-unified JSCOnly https://bugs.webkit.org/show_bug.cgi?id=211655 Reviewed by Darin Adler and Yusuke Suzuki. * bytecode/BytecodeDumper.cpp: (JSC::isConstantRegisterIndex): Deleted. Remove unused function. * llint/LLIntEntrypoint.cpp: * llint/LLIntThunks.cpp: * llint/LLIntThunks.h: * runtime/AggregateErrorConstructor.cpp: * runtime/AggregateErrorPrototype.cpp: * wasm/js/WebAssemblyFunction.cpp: Fix includes. * tools/JSDollarVM.cpp: Deal with "unused constant" warnings for needsDestruction. * wasm/WasmLLIntPlan.cpp: * wasm/WasmSignature.cpp: Remove unused constants. 2020-05-08 Darin Adler <darin@apple.com> Streamline MarkupAccumulator to improve efficiency a bit https://bugs.webkit.org/show_bug.cgi?id=211656 Reviewed by Anders Carlsson. * b3/air/AirFixPartialRegisterStalls.h: Fix spelling of "explicitly". 2020-05-08 Alexey Shvayka <shvaikalesh@gmail.com> Array.prototype.concat fast path checks should not be observable https://bugs.webkit.org/show_bug.cgi?id=211643 Reviewed by Ross Kirsling. This change utilizes @tryGetByIdWithWellKnownSymbol intrinsic to make off the spec Symbol.isConcatSpreadable lookups unobservable to userland code, aligning JSC with V8 and SpiderMonkey. Since @tryGetById uses PropertySlot::getPureResult(), which returns `null` for Proxy [[Get]] traps and JS getters (covered by stress/try-get-by-id.js), we can safely compare its result `undefined`. Also, this allows us to remove @isProxyObject check as Proxy argument is never a fast path anyway. This patch is neutral on microbenchmarks/concat-append-one.js. * builtins/ArrayPrototype.js: (concat): 2020-05-07 Michael Catanzaro <mcatanzaro@gnome.org> Simplify preprocessor guards in GCMemoryOperations.h https://bugs.webkit.org/show_bug.cgi?id=211588 Reviewed by Darin Adler. If we adjust the guards a bit, then we don't need to repeat the fallback path. * heap/GCMemoryOperations.h: (JSC::gcSafeMemmove): (JSC::gcSafeZeroMemory): 2020-05-07 Mark Lam <mark.lam@apple.com> Give the DFG and FTL WorkList threads more stack space on ASAN builds. https://bugs.webkit.org/show_bug.cgi?id=211535 <rdar://problem/62947884> Reviewed by Geoffrey Garen. * dfg/DFGWorklist.cpp: (JSC::DFG::Worklist::ThreadBody::ThreadBody): - Mark the AutomaticThread as ThreadType::Compiler. 2020-05-07 Daniel Kolesa <daniel@octaforge.org> REGRESSION(r251875): Crash in JSC::StructureIDTable::get on ppc64le: gcSafeMemcpy broken on JSVALUE64 platforms other than x86_64 and aarch64 https://bugs.webkit.org/show_bug.cgi?id=210685 Reviewed by Michael Catanzaro. Fix gcSafeMemcpy on non-x86_64/aarch64 64-bit architectures. We were hitting an incorrect x86_64 assertion on values larger than mediumCutoff on JSVALUE64 architectures other than x86_64 and aarch64, as the control flow is wrong. * heap/GCMemoryOperations.h: (JSC::gcSafeMemcpy): 2020-05-07 Mark Lam <mark.lam@apple.com> Add stack checks to the DFG and FTL bytecode parser. https://bugs.webkit.org/show_bug.cgi?id=211547 <rdar://problem/62958880> Reviewed by Yusuke Suzuki. Inlining can cause some level of recursion of the DFG bytecode parser. We should do a stack check at each inlining check before recursing. If a stack overflow appears to be imminent, then just refuse to inline, and therefore, don't recurse deeper into the parser. This issue is more noticeable on ASan debug builds where stack frames can be humongous. Removed the SUPPRESS_ASAN on cloberrize() and the associated comment from r260692. It was a mis-diagnosis. The stack checks are what we need. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleVarargsInlining): (JSC::DFG::ByteCodeParser::handleInlining): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGGraph.h: 2020-05-07 Darin Adler <darin@apple.com> REGRESSION (r261257): Lifetime problem with upconverted characters in toLocaleCase https://bugs.webkit.org/show_bug.cgi?id=211580 rdar://62980449 Reviewed by Yusuke Suzuki. The problem comes from the fact that callBufferProducingFunction is moving the same arguments multiple times. At the moment, this works around the only practical problem with that, but later it should be fixed in callBufferProducingFunction. * runtime/IntlDateTimeFormat.cpp: (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Work around mistakes in how callBufferProducingFunction works with arguments by calling get() explicitly on the result of upconvertedCharacters. Later we could fix callBufferProducingFunction to be safer, but for now this solves the problem. * runtime/StringPrototype.cpp: (JSC::toLocaleCase): Ditto. 2020-05-07 Keith Miller <keith_miller@apple.com> Fix ArrayMode nodes after r261260 https://bugs.webkit.org/show_bug.cgi?id=211543 Reviewed by Yusuke Suzuki. I accidentally ran tests with a release build rather than release+assert when uploading r261260. This patch skips the CheckArray node in the ArrayMode clobbersTop() logic before Fixup. And also marks a GetArrayLength in the TypedArray intrsinics as ExitOK. This patch also relands r261260. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsicGetter): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): 2020-05-07 Ryan Haddad <ryanhaddad@apple.com> Unreviewed, reverting r261260. Caused 26 JSC test failures Reverted changeset: "DFG ByVal nodes with ArrayModes should clobberTop until Fixup phase runs." https://bugs.webkit.org/show_bug.cgi?id=211531 https://trac.webkit.org/changeset/261260 2020-05-07 Mark Lam <mark.lam@apple.com> Fix broken exceptionFuzz tests. https://bugs.webkit.org/show_bug.cgi?id=211550 Reviewed by Yusuke Suzuki. Remove the bad and now unused utility function to set Options::useExceptionFuzz(). * tools/JSDollarVM.cpp: (JSC::JSDollarVM::finishCreation): (JSC::functionEnableExceptionFuzz): Deleted. 2020-05-06 Keith Miller <keith_miller@apple.com> DFG ByVal nodes with ArrayModes should clobberTop until Fixup phase runs. https://bugs.webkit.org/show_bug.cgi?id=211531 Reviewed by Yusuke Suzuki. When parsing bytecode we may pick a relatively constrained ArrayMode based on our profiling. Some of these modes may not clobber exit state. However, Fixup sometimes wants to widen this to a more generic mode based on other data. This causes us to think it was valid to exit immediately after the GetByVal/HasIndexedProperty, which would be wrong with the wider ArrayMode. We may also incorrectly insert invalidition points if clobberize gives us the wrong data. To fix this clobberize should say All ByVal nodes clobberTop() until after fixup. Additionally, this patch adds an assertion that nodes don't go from not clobbering exit state to clobbering exit state during fixup. * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::performFixup): * dfg/DFGGraph.h: 2020-05-06 Darin Adler <darin@apple.com> Make a helper for the pattern of ICU functions that may need to be called twice to populate a buffer https://bugs.webkit.org/show_bug.cgi?id=211499 Reviewed by Ross Kirsling. * runtime/IntlDateTimeFormat.cpp: (JSC::defaultTimeZone): Use callBufferProducingFunction. (JSC::canonicalizeTimeZoneName): Ditto. (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Ditto. (JSC::IntlDateTimeFormat::format const): Ditto. (JSC::IntlDateTimeFormat::formatToParts const): Ditto. * runtime/IntlLocale.cpp: (JSC::LocaleIDBuilder::toCanonical): Ditto. (JSC::IntlLocale::language): Ditto. (JSC::IntlLocale::script): Ditto. (JSC::IntlLocale::region): Ditto. * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::format const): Ditto. (JSC::IntlNumberFormat::formatToParts const): Ditto. * runtime/IntlObject.cpp: (JSC::languageTagForLocaleID): Ditto. * runtime/IntlRelativeTimeFormat.cpp: (JSC::IntlRelativeTimeFormat::formatInternal const): Ditto. (JSC::IntlRelativeTimeFormat::formatToParts const): Ditto. * runtime/StringPrototype.cpp: (JSC::toLocaleCase): Ditto. 2020-05-06 Devin Rousso <drousso@apple.com> ASSERT_WITH_MESSAGE(m_isOwnedByMainThread == isMainThread()) when web inspecting https://bugs.webkit.org/show_bug.cgi?id=203638 <rdar://problem/56761893> Reviewed by Brian Burg. Mark the `InspectorEnvironment::executionStopwatch` abstract function as `const` and have it return a `Stopwatch&` instead of a `RefPtr<Stopwatch>&` as callers assume that it exists. By not using a `RefPtr`, an additional `copyRef` can be avoided. * inspector/InspectorEnvironment.h: * inspector/JSGlobalObjectInspectorController.h: * inspector/JSGlobalObjectInspectorController.cpp: (Inspector::JSGlobalObjectInspectorController::executionStopwatch const): Added. (Inspector::JSGlobalObjectInspectorController::executionStopwatch): Deleted. * inspector/agents/InspectorDebuggerAgent.cpp: (Inspector::InspectorDebuggerAgent::didPause): (Inspector::InspectorDebuggerAgent::breakpointActionProbe): (Inspector::InspectorDebuggerAgent::didContinue): * inspector/agents/InspectorHeapAgent.cpp: (Inspector::InspectorHeapAgent::snapshot): (Inspector::InspectorHeapAgent::willGarbageCollect): (Inspector::InspectorHeapAgent::didGarbageCollect): * inspector/agents/InspectorScriptProfilerAgent.cpp: (Inspector::InspectorScriptProfilerAgent::startTracking): (Inspector::InspectorScriptProfilerAgent::willEvaluateScript): (Inspector::InspectorScriptProfilerAgent::didEvaluateScript): (Inspector::InspectorScriptProfilerAgent::trackingComplete): * runtime/SamplingProfiler.h: * runtime/SamplingProfiler.cpp: (JSC::SamplingProfiler::SamplingProfiler): * runtime/VM.h: * runtime/VM.cpp: (JSC::VM::ensureSamplingProfiler): 2020-05-05 Ross Kirsling <ross.kirsling@sony.com> [ECMA-402] Implement Intl.Locale https://bugs.webkit.org/show_bug.cgi?id=209772 Reviewed by Darin Adler and Saam Barati. This patch implements the recent ECMA-402 feature Intl.Locale. This is effectively a wrapper class for all the pieces of uloc.h that ECMA-402 cares about. (If we used the C++ API, there's a LocaleBuilder that would make this much easier, but in sticking to the C API, it's basically an object that has an ICU localeID as data and uloc_* functions as methods / getters. Furthermore, there's no way to modify said data, so every method / getter can be lazy and cache its result.) Usage example: >>> locale = new Intl.Locale('ja', { region: 'JP', calendar: 'japanese', numeric: false }) "ja-JP-u-ca-japanese-kn-false" >>> locale.baseName "ja-JP" Intl.Locale can be used anywhere that Intl APIs accept locale strings as input parameters, and is moreover hoped to be the class by which future Web APIs will handle the current locale. This feature is runtime-guarded by the `useIntlLocale` option. * CMakeLists.txt: * DerivedSources-input.xcfilelist: * DerivedSources-output.xcfilelist: * DerivedSources.make: * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * runtime/CommonIdentifiers.h: * runtime/IntlLocale.cpp: Added. * runtime/IntlLocale.h: Added. * runtime/IntlLocaleConstructor.cpp: Added. * runtime/IntlLocaleConstructor.h: Added. * runtime/IntlLocalePrototype.cpp: Added. * runtime/IntlLocalePrototype.h: Added. * runtime/IntlObject.cpp: (JSC::IntlObject::finishCreation): (JSC::localeIDBufferForLanguageTag): Added. (JSC::languageTagForLocaleID): Renamed from JSC::convertICULocaleToBCP47LanguageTag. (JSC::intlAvailableLocales): (JSC::intlCollatorAvailableLocales): (JSC::canonicalizeLanguageTag): (JSC::canonicalizeLocaleList): (JSC::defaultLocale): * runtime/IntlObject.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::collatorStructure): (JSC::JSGlobalObject::numberFormatStructure): (JSC::JSGlobalObject::localeStructure): * runtime/OptionsList.h: * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: 2020-05-05 Keith Miller <keith_miller@apple.com> clobberize validator should use branchTest8 directly. https://bugs.webkit.org/show_bug.cgi?id=211469 Reviewed by Yusuke Suzuki. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCurrentBlock): 2020-05-05 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Implement BigInt.asIntN and BigInt.asUintN https://bugs.webkit.org/show_bug.cgi?id=181144 Reviewed by Darin Adler. This patch implements BigInt.asIntN[1] and BigInt.asUintN[2] features. As the same to the other BigInt runtime C++ code, we port V8 code to JSC to implement both. BigInt.asIntN is `static_cast<intN_t>(BigInt value)` and BigInt.asUintN is `static_cast<uintN_t>(BigInt value)`. They are getting slice of N bits from two's complement representation of the given BigInt. The difference between asIntN and asUintN is asIntN renders MSB as a sign. This patch is once rolled out due to ARM64_32 build failure, which is caused by the existing bug[3]. Relanding it since it is now fixed. [1]: https://tc39.es/ecma262/#sec-bigint.asintn [2]: https://tc39.es/ecma262/#sec-bigint.asuintn [3]: https://trac.webkit.org/changeset/261174/webkit * runtime/BigIntConstructor.cpp: (JSC::toBigInt): (JSC::bigIntConstructorFuncAsUintN): (JSC::bigIntConstructorFuncAsIntN): * runtime/JSBigInt.cpp: (JSC::zeroImpl): (JSC::JSBigInt::divideImpl): (JSC::JSBigInt::unaryMinusImpl): (JSC::JSBigInt::remainderImpl): (JSC::JSBigInt::digitDiv): (JSC::JSBigInt::absoluteSub): (JSC::JSBigInt::asIntNImpl): (JSC::JSBigInt::asUintNImpl): (JSC::JSBigInt::truncateToNBits): (JSC::JSBigInt::truncateAndSubFromPowerOfTwo): (JSC::JSBigInt::asIntN): (JSC::JSBigInt::asUintN): * runtime/JSBigInt.h: 2020-05-05 Ross Kirsling <ross.kirsling@sony.com> [Intl] Alphabetize extension keys and correctly mark const methods https://bugs.webkit.org/show_bug.cgi?id=211359 Reviewed by Darin Adler. Two cleanup items for Intl classes: 1. Ensure `resolvedOptions().locale` returns relevant extension keys in alphabetical order. ICU does this for us via Intl.getCanonicalLocales / Intl.*.supportedLocalesOf but not via ResolveLocale. However, we don't need to do any sorting in ResolveLocale; we can just pre-alphabetize relevantExtensionKeys. (See also https://github.com/tc39/ecma402/pull/433.) 2. Ensure Intl classes are marking const methods correctly. * runtime/IntlCollator.cpp: (JSC::IntlCollator::sortLocaleData): (JSC::IntlCollator::searchLocaleData): (JSC::IntlCollator::compareStrings const): Add const specifier. (JSC::IntlCollator::resolvedOptions const): Add const specifier. * runtime/IntlCollator.h: * runtime/IntlDateTimeFormat.cpp: (JSC::IntlDateTimeFormat::localeData): (JSC::IntlDateTimeFormat::resolvedOptions const): Add const specifier. (JSC::IntlDateTimeFormat::format const): Add const specifier. (JSC::IntlDateTimeFormat::formatToParts const): Add const specifier. * runtime/IntlDateTimeFormat.h: * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::format const): Add const specifier. (JSC::IntlNumberFormat::resolvedOptions const): Add const specifier. (JSC::IntlNumberFormat::formatToParts const): Add const specifier. * runtime/IntlNumberFormat.h: * runtime/IntlPluralRules.cpp: (JSC::IntlPluralRules::resolvedOptions const): Add const specifier. (JSC::IntlPluralRules::select const): Add const specifier. * runtime/IntlPluralRules.h: * runtime/IntlRelativeTimeFormat.cpp: (JSC::IntlRelativeTimeFormat::resolvedOptions const): Add const specifier. (JSC::IntlRelativeTimeFormat::formatInternal const): Add const specifier. (JSC::IntlRelativeTimeFormat::format const): Add const specifier. (JSC::IntlRelativeTimeFormat::formatToParts const): Add const specifier. * runtime/IntlRelativeTimeFormat.h: 2020-05-05 Keith Miller <keith_miller@apple.com> Add Clobberize validator for clobber top. https://bugs.webkit.org/show_bug.cgi?id=209432 Reviewed by Yusuke Suzuki. * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::scratchRegister): * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::scratchRegister): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCurrentBlock): * dfg/DFGSpeculativeJIT64.cpp: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::lower): (JSC::FTL::DFG::LowerDFGToB3::compileBlock): (JSC::FTL::DFG::LowerDFGToB3::compileNode): * interpreter/Interpreter.cpp: (JSC::eval): (JSC::Interpreter::executeProgram): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): (JSC::Interpreter::execute): (JSC::Interpreter::executeModuleProgram): * jit/JITCodeInlines.h: (JSC::JITCode::execute): * llint/LLIntThunks.h: (JSC::vmEntryToWasm): * runtime/OptionsList.h: * runtime/VM.h: 2020-05-05 Mark Lam <mark.lam@apple.com> Allow Bitmap to use up to a UCPURegister word size for internal bit storage. https://bugs.webkit.org/show_bug.cgi?id=211328 <rdar://problem/62755865> Reviewed by Yusuke Suzuki. * assembler/CPU.h: 2020-05-05 Keith Miller <keith_miller@apple.com> iterator_open should remap the symbolIterator argument correctly when inlined. https://bugs.webkit.org/show_bug.cgi?id=211308 <rdar://problem/62287877> Reviewed by Mark Lam. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): 2020-05-05 Yusuke Suzuki <ysuzuki@apple.com> [JSC] JSBigInt::maxLengthBits and JSBigInt::maxLength are wrong https://bugs.webkit.org/show_bug.cgi?id=211445 Reviewed by Mark Lam. JSBigInt::maxLengthBits and JSBigInt::maxLength definitions are wrong. 1. We are defining maxLength and maxLengthBits as an unrelated value to each other. This is wrong. maxLength should be defined as maxLengthBits / (sizeof(Digit) * bitsPerByte). 2. We use `sizeof(void*)` and assume that `sizeof(Digit) == sizeof(void*)`. This is wrong in ARM64_32 environment where Digit size is sizeof(uint64_t) while the pointer size is sizeof(uint32_t). This causes compile errors in ARM64_32 when the code is using these values with static_assert. * runtime/JSBigInt.h: 2020-05-05 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, reverting r261156. Break ARM64_32 build due to existing bug Reverted changeset: "[JSC] Implement BigInt.asIntN and BigInt.asUintN" https://bugs.webkit.org/show_bug.cgi?id=181144 https://trac.webkit.org/changeset/261156 2020-05-05 Alexey Shvayka <shvaikalesh@gmail.com> Object.prototype.toString is not spec-perfect https://bugs.webkit.org/show_bug.cgi?id=199138 Reviewed by Darin Adler and Keith Miller. Before ES6, Object.prototype.toString relied only on internal [[Class]] slot. Starting with ES6, Object.prototype.toString checks for a handful of internal slots, mimicing [[Class]], to ensure backwards compatibility for pre-ES6 instances. Newly-added built-ins provide @@toStringTag for the method to use. Before this change, Object.prototype.toString in JSC relied on className() a.k.a [[Class]] for all instances. For (almost all) new built-ins, it was overriden by toStringName() returning "Object", while @@toStringTag was set to correct value. This is quite an error-prone approach and observable spec discrepancy if @@toStringTag is deleted or set to a non-string. This change eliminates the above-mentioned discrepancy and fixes Object.prototype.toString to return "[object Function]" for callable Proxy objects, aligning JSC with the spec [1], V8, and SpiderMonkey. For Object.prototype.toString to work through DebuggerScope and JSProxy, we perform all checks in JSObject::toStringName(). Given that isArray() may throw a TypeError [2], we invoke toStringName() before @@toStringTag lookup to accomodate revoked Proxy case. Also, this patch defines @@toStringTag for WebAssembly namespace object (to match Chrome), JSC shell, and ConsoleObject. [1]: https://tc39.es/ecma262/#sec-object.prototype.tostring [2]: https://tc39.es/ecma262/#sec-isarray (step 3.a) * jsc.cpp: * runtime/BigIntObject.cpp: (JSC::BigIntObject::toStringName): Deleted. * runtime/BigIntObject.h: * runtime/BooleanObject.cpp: (JSC::BooleanObject::toStringName): * runtime/BooleanObject.h: * runtime/ConsoleObject.cpp: (JSC::ConsoleObject::finishCreation): * runtime/DateInstance.cpp: (JSC::DateInstance::toStringName): * runtime/DateInstance.h: * runtime/ErrorInstance.cpp: (JSC::ErrorInstance::toStringName): * runtime/ErrorInstance.h: * runtime/JSArrayBufferView.cpp: (JSC::JSArrayBufferView::toStringName): Deleted. * runtime/JSArrayBufferView.h: * runtime/JSMap.cpp: (JSC::JSMap::toStringName): Deleted. * runtime/JSMap.h: * runtime/JSObject.cpp: (JSC::JSObject::toStringName): * runtime/JSSet.cpp: (JSC::JSSet::toStringName): Deleted. * runtime/JSSet.h: * runtime/JSWeakMap.cpp: (JSC::JSWeakMap::toStringName): Deleted. * runtime/JSWeakMap.h: * runtime/JSWeakObjectRef.cpp: (JSC::JSWeakObjectRef::toStringName): Deleted. * runtime/JSWeakObjectRef.h: * runtime/JSWeakSet.cpp: (JSC::JSWeakSet::toStringName): Deleted. * runtime/JSWeakSet.h: * runtime/NumberObject.cpp: (JSC::NumberObject::toStringName): * runtime/NumberObject.h: * runtime/ObjectPrototype.cpp: (JSC::objectProtoFuncToString): * runtime/ProxyObject.cpp: (JSC::ProxyObject::toStringName): Deleted. * runtime/ProxyObject.h: * runtime/RegExpObject.cpp: (JSC::RegExpObject::toStringName): * runtime/RegExpObject.h: * runtime/StringObject.cpp: (JSC::StringObject::toStringName): * runtime/StringObject.h: * runtime/SymbolObject.cpp: (JSC::SymbolObject::toStringName): Deleted. * runtime/SymbolObject.h: * wasm/js/JSWebAssembly.cpp: (JSC::JSWebAssembly::finishCreation): 2020-05-04 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Implement BigInt.asIntN and BigInt.asUintN https://bugs.webkit.org/show_bug.cgi?id=181144 Reviewed by Darin Adler. This patch implements BigInt.asIntN[1] and BigInt.asUintN[2] features. As the same to the other BigInt runtime C++ code, we port V8 code to JSC to implement both. BigInt.asIntN is `static_cast<intN_t>(BigInt value)` and BigInt.asUintN is `static_cast<uintN_t>(BigInt value)`. They are getting slice of N bits from two's complement representation of the given BigInt. The difference between asIntN and asUintN is asIntN renders MSB as a sign. [1]: https://tc39.es/ecma262/#sec-bigint.asintn [2]: https://tc39.es/ecma262/#sec-bigint.asuintn * runtime/BigIntConstructor.cpp: (JSC::toBigInt): (JSC::bigIntConstructorFuncAsUintN): (JSC::bigIntConstructorFuncAsIntN): * runtime/JSBigInt.cpp: (JSC::JSBigInt::zeroImpl): (JSC::JSBigInt::divideImpl): (JSC::JSBigInt::unaryMinusImpl): (JSC::JSBigInt::remainderImpl): (JSC::JSBigInt::digitDiv): (JSC::JSBigInt::asIntNImpl): (JSC::JSBigInt::asUintNImpl): (JSC::JSBigInt::truncateToNBits): (JSC::JSBigInt::truncateAndSubFromPowerOfTwo): (JSC::JSBigInt::asIntN): (JSC::JSBigInt::asUintN): * runtime/JSBigInt.h: 2020-05-04 Yusuke Suzuki <ysuzuki@apple.com> [JSC] DFG NotCellUse is used without considering about BigInt32 https://bugs.webkit.org/show_bug.cgi?id=211395 Reviewed by Saam Barati. When we see CompareXXX(BigInt32, Double), we are emitting CompareXXX(DoubleRep(BigInt:NotCellUse), Double). But this has two problems. 1. We should emit CompareXXX(UntypedUse, UntypedUse) in this case. 2. DoubleRep(NotCellUse) does not support converting BigInt32 to double. Since DoubleRep's semantics is for ToNumber, it should not accept BigInt32 since it should throw an error. However, DoubleRep currently assumes that NotCellUse value can be converted to double without any errors. To keep DoubleRep's semantics ToNumber, we replace NotCellUse with NotCellNorBigIntUse, which rejects BigInt32. This patch also uses NotCellNorBigIntUse for ValueToInt32 because of the same reason. For CompareXXX and CompareEq nodes, we can optimize it if we introduce new DoubleRepAcceptingBigInt32 DFG node which can convert BigInt32 to Double, since CompareXXX and CompareEq are not requiring toNumber semantics. This should be done in a separate bug https://bugs.webkit.org/show_bug.cgi?id=211407. * bytecode/SpeculatedType.h: (JSC::isNotCellNorBigIntSpeculation): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixIntConvertingEdge): (JSC::DFG::FixupPhase::fixupChecksInBlock): * dfg/DFGNode.h: (JSC::DFG::Node::shouldSpeculateNotCellNorBigInt): * dfg/DFGSafeToExecute.h: (JSC::DFG::SafeToExecuteEdge::operator()): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileValueToInt32): (JSC::DFG::SpeculativeJIT::compileDoubleRep): (JSC::DFG::SpeculativeJIT::speculateNotCellNorBigInt): (JSC::DFG::SpeculativeJIT::speculate): * dfg/DFGSpeculativeJIT.h: * dfg/DFGUseKind.cpp: (WTF::printInternal): * dfg/DFGUseKind.h: (JSC::DFG::typeFilterFor): (JSC::DFG::checkMayCrashIfInputIsEmpty): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep): (JSC::FTL::DFG::LowerDFGToB3::compileValueToInt32): (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellNorBigIntToInt32): (JSC::FTL::DFG::LowerDFGToB3::speculate): (JSC::FTL::DFG::LowerDFGToB3::speculateNotCellNorBigInt): (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32): Deleted. 2020-05-04 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Add @@toStringTag to WebAssembly.Global https://bugs.webkit.org/show_bug.cgi?id=211372 Reviewed by Sam Weinig. As r260992 did for the other wasm prototypes, we should put @@toStringTag to WebAssembly.Global's prototype too. * wasm/js/WebAssemblyGlobalPrototype.cpp: (JSC::WebAssemblyGlobalPrototype::finishCreation): 2020-05-04 Devin Rousso <drousso@apple.com> Web Inspector: Worker: should use the name of the worker if it exists https://bugs.webkit.org/show_bug.cgi?id=211244 Reviewed by Brian Burg. * inspector/protocol/Worker.json: Include the `name` in `Worker.workerCreated`. 2020-05-04 Devin Rousso <drousso@apple.com> Web Inspector: provide a way for inspector to turn on/off ITP debug mode and AdClickAttribution debug mode https://bugs.webkit.org/show_bug.cgi?id=209763 Reviewed by Brian Burg. * inspector/protocol/Page.json: Add new enum values to `Page.Setting`: - `AdClickAttributionDebugModeEnabled` - `ITPDebugModeEnabled` 2020-05-03 Maciej Stachowiak <mjs@apple.com> Remove no longer needed WebKitAdditions include for JavaScriptCorePrefix.h https://bugs.webkit.org/show_bug.cgi?id=211357 Reviewed by Mark Lam. * JavaScriptCorePrefix.h: 2020-05-02 Mark Lam <mark.lam@apple.com> Gardening: rolling out r261050 and r261051. https://bugs.webkit.org/show_bug.cgi?id=211328 <rdar://problem/62755865> Not reviewed. * assembler/CPU.h: 2020-05-01 Mark Lam <mark.lam@apple.com> Allow Bitmap to use up to a UCPURegister word size for internal bit storage. https://bugs.webkit.org/show_bug.cgi?id=211328 <rdar://problem/62755865> Reviewed by Yusuke Suzuki. * assembler/CPU.h: 2020-05-01 Saam Barati <sbarati@apple.com> Have a thread local cache for the Wasm LLInt bytecode buffer https://bugs.webkit.org/show_bug.cgi?id=211317 Reviewed by Filip Pizlo and Mark Lam. One of the main things slowing down Wasm compile times is the banging on bmalloc's global heap lock. This patch makes it so for the bytecode instruction buffer, we keep a thread local cache with latest capacity the thread needed to compile. This makes it so that in the average case, we only do one malloc at the end of a compile to memcpy the final result. We clear these thread local caches when the WasmWorklist's automatic threads underlying machine thread is destroyed. This is a 15% speedup in zen garden compile times on a 16-core Mac Pro. This is a 4-5% speedup in zen garden compile times on a 6-core MBP. * bytecode/InstructionStream.h: (JSC::InstructionStreamWriter::setInstructionBuffer): (JSC::InstructionStreamWriter::finalize): * wasm/WasmLLIntGenerator.cpp: (JSC::Wasm::threadSpecificBuffer): (JSC::Wasm::clearLLIntThreadSpecificCache): (JSC::Wasm::LLIntGenerator::LLIntGenerator): (JSC::Wasm::LLIntGenerator::finalize): * wasm/WasmLLIntGenerator.h: * wasm/WasmWorklist.cpp: 2020-05-01 Per Arne Vollan <pvollan@apple.com> [Win] Fix AppleWin build https://bugs.webkit.org/show_bug.cgi?id=211324 Reviewed by Don Olmstead. Check if target WTF_CopyHeaders exists before using it. * CMakeLists.txt: 2020-05-01 Don Olmstead <don.olmstead@sony.com> [GTK] Add additional exports to support hidden visibility https://bugs.webkit.org/show_bug.cgi?id=211246 Reviewed by Michael Catanzaro. * API/glib/JSCContextPrivate.h: * API/glib/JSCValuePrivate.h: * inspector/remote/glib/RemoteInspectorServer.h: * inspector/remote/glib/RemoteInspectorUtils.h: 2020-05-01 Don Olmstead <don.olmstead@sony.com> Use export macros on all platforms https://bugs.webkit.org/show_bug.cgi?id=211293 Reviewed by Michael Catanzaro. Allow overriding of JS_EXPORT_PRIVATE if desired otherwise use the defaults. * runtime/JSExportMacros.h: 2020-05-01 Saam Barati <sbarati@apple.com> Unreviewed. Non-speculative build fix for watchOS build. * runtime/ArrayPrototype.cpp: (JSC::shift): (JSC::unshift): (JSC::arrayProtoFuncToLocaleString): (JSC::arrayProtoFuncReverse): (JSC::arrayProtoFuncSlice): (JSC::arrayProtoFuncSplice): * runtime/JSONObject.cpp: (JSC::Stringifier::Stringifier): 2020-05-01 Saam Barati <sbarati@apple.com> Unreviewed. Speculative build fix for watchOS build. * runtime/ArrayPrototype.cpp: (JSC::shift): 2020-05-01 Alexey Shvayka <shvaikalesh@gmail.com> [WebIDL] Interface prototype objects should define @@toStringTag https://bugs.webkit.org/show_bug.cgi?id=211020 Unreviewed follow-up to r260992. * runtime/JSArrayBufferPrototype.cpp: (JSC::JSArrayBufferPrototype::finishCreation): Revert change in attempt to fix ARMv7 test. 2020-05-01 David Kilzer <ddkilzer@apple.com> JSC::PropertySlot::m_attributes is uninitialized in constructor <https://webkit.org/b/211267> Reviewed by Mark Lam. * runtime/PropertySlot.h: (JSC::PropertySlot::PropertySlot): - Initialize m_attributes and m_additionalData, and make use of default initializers. 2020-05-01 Alexey Shvayka <shvaikalesh@gmail.com> [WebIDL] Interface prototype objects should define @@toStringTag https://bugs.webkit.org/show_bug.cgi?id=211020 Reviewed by Darin Adler. WebIDL spec was recently updated [1] to define @@toStringTag on interface prototype objects. This change aligns WebIDL with ECMA-262 built-ins and Blink's behavior. Gecko have also expressed implementation commitment. This patch implements the spec change, making `X.prototype.toString()` return "[object X]" instead of "[object XPrototype]", where X is WebIDL interface. This behavior is proven to be web compatible (shipping in Chrome since Q2 2016) and matches class strings of iterator prototype objects [2] introduced in r253855. We define @@toStringTag for all WebAssembly interfaces but Error subclasses since they are not defined using WebIDL [3]. This change also introduces JSC_TO_STRING_TAG_WITHOUT_TRANSITION() macro that sets up @@toStringTag using ClassInfo to avoid extra strings creation, ensuring `className` equality between prototype and instance classes (fixing a few discrepancies), as well as correct descriptors. It also ensures using faster jsNontrivialString() and relieves from putting more code into CodeGeneratorJS.pm. [1]: https://github.com/heycam/webidl/pull/357 [2]: https://heycam.github.io/webidl/#es-iterator-prototype-object [3]: https://webassembly.github.io/spec/js-api/#error-objects Tests: imported/w3c/web-platform-tests/wasm/jsapi/instance/toString.any.js imported/w3c/web-platform-tests/wasm/jsapi/memory/toString.any.js imported/w3c/web-platform-tests/wasm/jsapi/module/toString.any.js imported/w3c/web-platform-tests/wasm/jsapi/table/toString.any.js * runtime/ArrayIteratorPrototype.cpp: (JSC::ArrayIteratorPrototype::finishCreation): * runtime/AsyncFunctionPrototype.cpp: (JSC::AsyncFunctionPrototype::finishCreation): * runtime/AsyncGeneratorFunctionPrototype.cpp: (JSC::AsyncGeneratorFunctionPrototype::finishCreation): * runtime/AsyncGeneratorPrototype.cpp: (JSC::AsyncGeneratorPrototype::finishCreation): * runtime/BigIntPrototype.cpp: (JSC::BigIntPrototype::finishCreation): * runtime/GeneratorFunctionPrototype.cpp: (JSC::GeneratorFunctionPrototype::finishCreation): * runtime/GeneratorPrototype.cpp: (JSC::GeneratorPrototype::finishCreation): * runtime/IntlCollatorPrototype.cpp: (JSC::IntlCollatorPrototype::finishCreation): * runtime/IntlDateTimeFormatPrototype.cpp: (JSC::IntlDateTimeFormatPrototype::finishCreation): * runtime/IntlNumberFormatPrototype.cpp: (JSC::IntlNumberFormatPrototype::finishCreation): * runtime/IntlPluralRulesPrototype.cpp: (JSC::IntlPluralRulesPrototype::finishCreation): * runtime/IntlRelativeTimeFormatPrototype.cpp: (JSC::IntlRelativeTimeFormatPrototype::finishCreation): * runtime/JSArrayBufferPrototype.cpp: (JSC::JSArrayBufferPrototype::finishCreation): * runtime/JSDataViewPrototype.cpp: (JSC::JSDataViewPrototype::finishCreation): * runtime/JSONObject.cpp: (JSC::JSONObject::finishCreation): * runtime/JSObject.h: * runtime/JSPromisePrototype.cpp: (JSC::JSPromisePrototype::finishCreation): * runtime/MapIteratorPrototype.cpp: (JSC::MapIteratorPrototype::finishCreation): * runtime/MapPrototype.cpp: (JSC::MapPrototype::finishCreation): * runtime/MathObject.cpp: (JSC::MathObject::finishCreation): * runtime/RegExpStringIteratorPrototype.cpp: (JSC::RegExpStringIteratorPrototype::finishCreation): * runtime/SetIteratorPrototype.cpp: (JSC::SetIteratorPrototype::finishCreation): * runtime/SetPrototype.cpp: (JSC::SetPrototype::finishCreation): * runtime/StringIteratorPrototype.cpp: (JSC::StringIteratorPrototype::finishCreation): * runtime/SymbolPrototype.cpp: (JSC::SymbolPrototype::finishCreation): * runtime/WeakMapPrototype.cpp: (JSC::WeakMapPrototype::finishCreation): * runtime/WeakObjectRefPrototype.cpp: (JSC::WeakObjectRefPrototype::finishCreation): * runtime/WeakSetPrototype.cpp: (JSC::WeakSetPrototype::finishCreation): * wasm/js/WebAssemblyInstancePrototype.cpp: (JSC::WebAssemblyInstancePrototype::finishCreation): * wasm/js/WebAssemblyMemoryPrototype.cpp: (JSC::WebAssemblyMemoryPrototype::finishCreation): * wasm/js/WebAssemblyModulePrototype.cpp: (JSC::WebAssemblyModulePrototype::finishCreation): * wasm/js/WebAssemblyTablePrototype.cpp: (JSC::WebAssemblyTablePrototype::finishCreation): 2020-05-01 Saam Barati <sbarati@apple.com> We can't cast toLength result to unsigned https://bugs.webkit.org/show_bug.cgi?id=211205 <rdar://problem/62625562> Reviewed by Yusuke Suzuki. toLength, according to the spec, returns a 53-bit integer. In our implementation, we return a double. However, there were many callsites that did something like: ``` unsigned length = toLength(obj); ``` This is bad for a few reasons: - Casting to unsigned from double is undefined behavior when the integer is greater than UINT_MAX. In practice, this means that we'd have different engine behavior depending on what architecture we'd be running on. For example, if the length were UINT_MAX + 1, on x86, we'd treat the length as zero. On arm64, we'd treat it as UINT_MAX. Both are wrong. - We weren't spec compliant. We were just ignoring that these numbers could be 53-bit integers. This patch addresses each bad use of the undefined behavior, and by doing so, makes us more spec compliant. * dfg/DFGOperations.cpp: * jit/JITOperations.cpp: (JSC::getByVal): * runtime/ArrayPrototype.cpp: (JSC::getProperty): (JSC::setLength): (JSC::argumentClampedIndexFromStartOrEnd): (JSC::shift): (JSC::unshift): (JSC::arrayProtoFuncToLocaleString): (JSC::arrayProtoFuncPop): (JSC::arrayProtoFuncPush): (JSC::arrayProtoFuncReverse): (JSC::arrayProtoFuncShift): (JSC::arrayProtoFuncSlice): (JSC::arrayProtoFuncSplice): (JSC::arrayProtoFuncUnShift): (JSC::fastIndexOf): (JSC::arrayProtoFuncIndexOf): (JSC::arrayProtoFuncLastIndexOf): * runtime/Identifier.h: (JSC::Identifier::from): * runtime/IntlObject.cpp: (JSC::canonicalizeLocaleList): * runtime/JSONObject.cpp: (JSC::Stringifier::Stringifier): (JSC::Stringifier::Holder::appendNextProperty): (JSC::Walker::walk): * runtime/JSObject.cpp: (JSC::JSObject::hasProperty const): * runtime/JSObject.h: (JSC::JSObject::putByIndexInline): (JSC::JSObject::putDirectIndex): (JSC::JSObject::canGetIndexQuickly const): (JSC::JSObject::tryGetIndexQuickly const): * runtime/JSObjectInlines.h: (JSC::JSObject::getPropertySlot): (JSC::JSObject::deleteProperty): (JSC::JSObject::get const): * runtime/PropertySlot.h: (JSC::PropertySlot::getValue const): * tools/JSDollarVM.cpp: (JSC::functionSetUserPreferredLanguages): 2020-04-30 Ross Kirsling <ross.kirsling@sony.com> TriState should be an enum class and use "Indeterminate" instead of "Mixed" https://bugs.webkit.org/show_bug.cgi?id=211268 Reviewed by Mark Lam. * b3/B3Const32Value.cpp: (JSC::B3::Const32Value::equalConstant const): (JSC::B3::Const32Value::notEqualConstant const): (JSC::B3::Const32Value::lessThanConstant const): (JSC::B3::Const32Value::greaterThanConstant const): (JSC::B3::Const32Value::lessEqualConstant const): (JSC::B3::Const32Value::greaterEqualConstant const): (JSC::B3::Const32Value::aboveConstant const): (JSC::B3::Const32Value::belowConstant const): (JSC::B3::Const32Value::aboveEqualConstant const): (JSC::B3::Const32Value::belowEqualConstant const): * b3/B3Const64Value.cpp: (JSC::B3::Const64Value::equalConstant const): (JSC::B3::Const64Value::notEqualConstant const): (JSC::B3::Const64Value::lessThanConstant const): (JSC::B3::Const64Value::greaterThanConstant const): (JSC::B3::Const64Value::lessEqualConstant const): (JSC::B3::Const64Value::greaterEqualConstant const): (JSC::B3::Const64Value::aboveConstant const): (JSC::B3::Const64Value::belowConstant const): (JSC::B3::Const64Value::aboveEqualConstant const): (JSC::B3::Const64Value::belowEqualConstant const): * b3/B3ConstDoubleValue.cpp: (JSC::B3::ConstDoubleValue::equalConstant const): (JSC::B3::ConstDoubleValue::notEqualConstant const): (JSC::B3::ConstDoubleValue::lessThanConstant const): (JSC::B3::ConstDoubleValue::greaterThanConstant const): (JSC::B3::ConstDoubleValue::lessEqualConstant const): (JSC::B3::ConstDoubleValue::greaterEqualConstant const): (JSC::B3::ConstDoubleValue::equalOrUnorderedConstant const): * b3/B3ConstFloatValue.cpp: (JSC::B3::ConstFloatValue::equalConstant const): (JSC::B3::ConstFloatValue::notEqualConstant const): (JSC::B3::ConstFloatValue::lessThanConstant const): (JSC::B3::ConstFloatValue::greaterThanConstant const): (JSC::B3::ConstFloatValue::lessEqualConstant const): (JSC::B3::ConstFloatValue::greaterEqualConstant const): (JSC::B3::ConstFloatValue::equalOrUnorderedConstant const): * b3/B3Procedure.cpp: (JSC::B3::Procedure::addBoolConstant): * b3/B3Procedure.h: * b3/B3ReduceStrength.cpp: * b3/B3Value.cpp: (JSC::B3::Value::equalConstant const): (JSC::B3::Value::notEqualConstant const): (JSC::B3::Value::lessThanConstant const): (JSC::B3::Value::greaterThanConstant const): (JSC::B3::Value::lessEqualConstant const): (JSC::B3::Value::greaterEqualConstant const): (JSC::B3::Value::aboveConstant const): (JSC::B3::Value::belowConstant const): (JSC::B3::Value::aboveEqualConstant const): (JSC::B3::Value::belowEqualConstant const): (JSC::B3::Value::equalOrUnorderedConstant const): (JSC::B3::Value::asTriState const): * b3/B3Value.h: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::~CodeBlock): (JSC::CodeBlock::thresholdForJIT): * bytecode/UnlinkedCodeBlock.cpp: (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): * bytecode/UnlinkedFunctionExecutable.cpp: (JSC::UnlinkedFunctionExecutable::visitChildren): * bytecompiler/NodesCodegen.cpp: (JSC::ConstantNode::emitBytecodeInConditionContext): (JSC::BinaryOpNode::emitBytecodeInConditionContext): (JSC::BinaryOpNode::tryFoldToBranch): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsicCall): * dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::run): * dfg/DFGLazyJSValue.cpp: (JSC::DFG::equalToSingleCharacter): (JSC::DFG::equalToStringImpl): (JSC::DFG::LazyJSValue::strictEqual const): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet): (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet): * ftl/FTLOutput.cpp: (JSC::FTL::Output::equal): (JSC::FTL::Output::notEqual): (JSC::FTL::Output::above): (JSC::FTL::Output::aboveOrEqual): (JSC::FTL::Output::below): (JSC::FTL::Output::belowOrEqual): (JSC::FTL::Output::greaterThan): (JSC::FTL::Output::greaterThanOrEqual): (JSC::FTL::Output::lessThan): (JSC::FTL::Output::lessThanOrEqual): * jit/JITOperations.cpp: * runtime/CachedTypes.cpp: (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): * runtime/DefinePropertyAttributes.h: (JSC::DefinePropertyAttributes::DefinePropertyAttributes): (JSC::DefinePropertyAttributes::hasWritable const): (JSC::DefinePropertyAttributes::writable const): (JSC::DefinePropertyAttributes::hasConfigurable const): (JSC::DefinePropertyAttributes::configurable const): (JSC::DefinePropertyAttributes::hasEnumerable const): (JSC::DefinePropertyAttributes::enumerable const): (JSC::DefinePropertyAttributes::setWritable): (JSC::DefinePropertyAttributes::setConfigurable): (JSC::DefinePropertyAttributes::setEnumerable): * runtime/IntlCollator.cpp: (JSC::IntlCollator::initializeCollator): * runtime/IntlDateTimeFormat.cpp: (JSC::IntlDateTimeFormat::initializeDateTimeFormat): * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::initializeNumberFormat): * runtime/IntlObject.cpp: (JSC::intlBooleanOption): * runtime/JSCJSValueInlines.h: (JSC::JSValue::pureStrictEqual): (JSC::JSValue::pureToBoolean const): * runtime/JSCellInlines.h: (JSC::JSCell::pureToBoolean const): 2020-04-30 Ross Kirsling <ross.kirsling@sony.com> [JSC] intlBooleanOption should return TriState instead of taking an out param https://bugs.webkit.org/show_bug.cgi?id=211256 Reviewed by Darin Adler and Mark Lam. Boolean options for Intl constructors can have default values of true, false, or undefined. To handle the undefined case, intlBooleanOption currently has a `bool& usesFallback` param; we should have the return type simply be a TriState instead. * runtime/IntlCollator.cpp: (JSC::IntlCollator::initializeCollator): * runtime/IntlDateTimeFormat.cpp: (JSC::IntlDateTimeFormat::initializeDateTimeFormat): * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::initializeNumberFormat): * runtime/IntlObject.cpp: (JSC::intlBooleanOption): * runtime/IntlObject.h: 2020-04-30 Devin Rousso <drousso@apple.com> WebKit.WebContent process crashes when web developer tools are opened in Safari https://bugs.webkit.org/show_bug.cgi?id=210794 <rdar://problem/62214651> Reviewed by Brian Burg. * inspector/InjectedScriptManager.cpp: (Inspector::InjectedScriptManager::injectedScriptFor): Don't crash if a `TerminatedExecutionError` is thrown. * inspector/InjectedScriptBase.cpp: (Inspector::InjectedScriptBase::makeCall): Report the actual error message. Check that the result has a value before attempting to make a `JSON::Value` out of it. 2020-04-29 Ross Kirsling <ross.kirsling@sony.com> Ensure Intl classes don't have naming conflicts with unified builds https://bugs.webkit.org/show_bug.cgi?id=211213 Reviewed by Yusuke Suzuki. Each Intl class usually has an array named relevantExtensionsKeys and a function named localeData. This can result in redefinition errors when unified builds put two of them into the same translation unit. Some are already guarding against this with an internal namespace while others are not. As a uniform approach, this patch makes each localeData function a static method and puts each relevantExtensionsKeys array (as well as any constants for its indices) into an internal namespace. Furthermore, since three different classes are defining an identical UFieldPositionIteratorDeleter, this patch consolidates them into one definition in IntlObject. * runtime/IntlCollator.cpp: (JSC::IntlCollator::sortLocaleData): Renamed from JSC::sortLocaleData. (JSC::IntlCollator::searchLocaleData): Renamed from JSC::searchLocaleData. (JSC::IntlCollator::initializeCollator): * runtime/IntlCollator.h: * runtime/IntlDateTimeFormat.cpp: (JSC::IntlDateTimeFormat::localeData): Renamed from JSC::IntlDTFInternal::localeData. (JSC::toDateTimeOptionsAnyDate): Renamed from JSC::IntlDTFInternal::toDateTimeOptionsAnyDate. (JSC::IntlDateTimeFormat::initializeDateTimeFormat): (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted. * runtime/IntlDateTimeFormat.h: * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::localeData): Renamed from JSC::IntlNFInternal::localeData. (JSC::IntlNumberFormat::initializeNumberFormat): (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted. * runtime/IntlNumberFormat.h: * runtime/IntlObject.cpp: (JSC::UFieldPositionIteratorDeleter::operator() const): Added. * runtime/IntlObject.h: * runtime/IntlPluralRules.cpp: (JSC::IntlPluralRules::localeData): Renamed from JSC::localeData. * runtime/IntlPluralRules.h: * runtime/IntlRelativeTimeFormat.cpp: (JSC::IntlRelativeTimeFormat::localeData): Renamed from JSC::localeData. (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat): (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted. * runtime/IntlRelativeTimeFormat.h: 2020-04-29 Ross Kirsling <ross.kirsling@sony.com> Unreviewed follow-up to r260848. LowerDFGToB3 has its own isFunction which should NOT have been renamed. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis): (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull): (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction): (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): (JSC::FTL::DFG::LowerDFGToB3::isFunction): Renamed from isCallable. 2020-04-29 Alexey Shvayka <shvaikalesh@gmail.com> AsyncFromSyncIterator methods should not pass absent values https://bugs.webkit.org/show_bug.cgi?id=211147 Reviewed by Ross Kirsling. This patch implements minor spec change [1] to match async and sync iteration from the perspective of userland `next` and `return` iterator methods. `throw` method always receives an argument, yet we align with others to be consistent and future-proof. This change is already implemented in SpiderMonkey. [1]: https://github.com/tc39/ecma262/pull/1776 * builtins/AsyncFromSyncIteratorPrototype.js: 2020-04-29 Mark Lam <mark.lam@apple.com> Freezing of Gigacage and JSC Configs should be thread safe. https://bugs.webkit.org/show_bug.cgi?id=211201 <rdar://problem/62597619> Reviewed by Yusuke Suzuki. If a client creates multiple VM instances in different threads concurrently, the following race can occur: Config::permanentlyFreeze() contains the following code: if (!g_jscConfig.isPermanentlyFrozen) // Point P1 g_jscConfig.isPermanentlyFrozen = true; // Point P2 Let's say there are 2 threads T1 and T2. 1. T1 creates a VM and gets to point P1, and sees that g_jscConfig.isPermanentlyFrozen is not set. T1 is about to execute P2 when it gets pre-empted. 2. T2 creates a VM and gets to point P1, and sees that g_jscConfig.isPermanentlyFrozen is not set. T2 proceeds to point P2 and sets g_jscConfig.isPermanentlyFrozen to true. T2 goes on to freeze the Config and makes it not writable. 3. T1 gets to run again, and proceeds to point P2. T1 tries to set g_jscConfig.isPermanentlyFrozen to true. But because the Config has been frozen against writes, the write to g_jscConfig.isPermanentlyFrozen results in a crash. This is a classic TOCTOU bug. The fix is simply to ensure that only one thread can enter Config::permanentlyFreeze() at a time. Ditto for Gigacage::permanentlyFreezeGigacageConfig(). * runtime/JSCConfig.cpp: (JSC::Config::permanentlyFreeze): 2020-04-29 Yusuke Suzuki <ysuzuki@apple.com> [JSC] JSStringJoiner is missing BigInt handling https://bugs.webkit.org/show_bug.cgi?id=211174 Reviewed by Mark Lam. JSStringJoiner missed handling of BigInt (specifically BigInt32) and appending empty string incorrectly. In debug build, assertion hits. We should support BigInt in JSStringJoiner. * runtime/JSStringJoiner.h: (JSC::JSStringJoiner::appendWithoutSideEffects): 2020-04-29 Saam Barati <sbarati@apple.com> U_STRING_NOT_TERMINATED_WARNING ICU must be handled when using the output buffer as a C string https://bugs.webkit.org/show_bug.cgi?id=211142 <rdar://problem/62530860> Reviewed by Darin Adler. * runtime/IntlDateTimeFormat.cpp: (JSC::defaultTimeZone): (JSC::canonicalizeTimeZoneName): (JSC::IntlDateTimeFormat::initializeDateTimeFormat): (JSC::IntlDateTimeFormat::format): (JSC::IntlDateTimeFormat::formatToParts): * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::format): (JSC::IntlNumberFormat::formatToParts): * runtime/IntlObject.cpp: (JSC::convertICULocaleToBCP47LanguageTag): (JSC::canonicalizeLanguageTag): * runtime/IntlRelativeTimeFormat.cpp: (JSC::IntlRelativeTimeFormat::formatInternal): (JSC::IntlRelativeTimeFormat::formatToParts): * runtime/StringPrototype.cpp: (JSC::toLocaleCase): (JSC::normalize): 2020-04-28 Saam Barati <sbarati@apple.com> Unreviewed. Fix 32-bit build. * runtime/JSBigInt.cpp: (JSC::JSBigInt::createFrom): (JSC::Int32BigIntImpl::digit): 2020-04-28 Commit Queue <commit-queue@webkit.org> Unreviewed, reverting r260876 and r260877. https://bugs.webkit.org/show_bug.cgi?id=211165 Broke build (Requested by yusukesuzuki on #webkit). Reverted changesets: "Unreviewed, build fix on watchOS" https://bugs.webkit.org/show_bug.cgi?id=210978 https://trac.webkit.org/changeset/260876 "Unreviewed, speculative build fix on watchOS part 2" https://bugs.webkit.org/show_bug.cgi?id=210978 https://trac.webkit.org/changeset/260877 2020-04-28 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, speculative build fix on watchOS part 2 https://bugs.webkit.org/show_bug.cgi?id=210978 * runtime/JSBigInt.cpp: (JSC::JSBigInt::createFrom): (JSC::Int32BigIntImpl::digit): * runtime/JSBigInt.h: 2020-04-28 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, build fix on watchOS https://bugs.webkit.org/show_bug.cgi?id=210978 * runtime/JSBigInt.cpp: (JSC::JSBigInt::createFrom): (JSC::Int32BigIntImpl::digit): * runtime/JSBigInt.h: 2020-04-28 Yusuke Suzuki <ysuzuki@apple.com> [JSC] BigInt constructor should accept larger integers than safe-integers https://bugs.webkit.org/show_bug.cgi?id=210755 Reviewed by Darin Adler. While our implementation of BigInt constructor only accepts safe integers, it should accept all integers. This patch implements it by creating JSBigInt::createFrom(double). We port double bit processing part from V8 as the same to the other part of JSBigInt. * runtime/BigIntConstructor.cpp: (JSC::callBigIntConstructor): * runtime/JSBigInt.cpp: (JSC::JSBigInt::createFrom): * runtime/JSBigInt.h: * runtime/MathCommon.h: (JSC::isInteger): (JSC::isSafeInteger): * runtime/NumberConstructor.cpp: (JSC::numberConstructorFuncIsSafeInteger): * runtime/NumberConstructor.h: 2020-04-28 Ross Kirsling <ross.kirsling@sony.com> [JSC] Align upon the name isCallable instead of isFunction https://bugs.webkit.org/show_bug.cgi?id=211140 Reviewed by Darin Adler. Follow-up to r260722. Usage is now cleanly separated between isFunction / getCallData, but the name isCallable is still clearer than isFunction so let's flip that after all. * API/JSContextRef.cpp: (JSGlobalContextSetUnhandledRejectionCallback): * API/JSObjectRef.cpp: (JSObjectIsFunction): * dfg/DFGOperations.cpp: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis): (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull): (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction): (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): (JSC::FTL::DFG::LowerDFGToB3::isCallable): (JSC::FTL::DFG::LowerDFGToB3::isFunction): Deleted. * ftl/FTLOperations.cpp: (JSC::FTL::operationTypeOfObjectAsTypeofType): * jsc.cpp: (functionSetUnhandledRejectionCallback): * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/ExceptionHelpers.cpp: (JSC::errorDescriptionForValue): * runtime/FunctionPrototype.cpp: (JSC::functionProtoFuncToString): * runtime/InternalFunction.cpp: (JSC::getFunctionRealm): * runtime/JSCJSValue.h: * runtime/JSCJSValueInlines.h: (JSC::JSValue::isCallable const): (JSC::JSValue::isFunction const): Deleted. * runtime/JSCell.h: * runtime/JSCellInlines.h: (JSC::JSCell::isCallable): (JSC::JSCell::isFunction): Deleted. * runtime/JSONObject.cpp: (JSC::Stringifier::appendStringifiedValue): * runtime/ObjectConstructor.cpp: (JSC::toPropertyDescriptor): * runtime/ObjectPrototype.cpp: (JSC::objectProtoFuncDefineGetter): (JSC::objectProtoFuncDefineSetter): * runtime/Operations.cpp: (JSC::jsTypeStringForValue): (JSC::jsIsObjectTypeOrNull): * runtime/ProxyObject.cpp: (JSC::ProxyObject::structureForTarget): (JSC::ProxyObject::finishCreation): * runtime/RuntimeType.cpp: (JSC::runtimeTypeForValue): * tools/JSDollarVM.cpp: (JSC::functionCallWithStackSize): (JSC::functionFindTypeForExpression): (JSC::functionReturnTypeFor): (JSC::functionHasBasicBlockExecuted): (JSC::functionBasicBlockExecutionCount): * wasm/WasmInstance.cpp: (JSC::Wasm::Instance::setFunctionWrapper): * wasm/WasmOperations.cpp: (JSC::Wasm::operationIterateResults): (JSC::Wasm::operationWasmRefFunc): * wasm/js/WebAssemblyModuleRecord.cpp: (JSC::WebAssemblyModuleRecord::link): * wasm/js/WebAssemblyWrapperFunction.cpp: (JSC::WebAssemblyWrapperFunction::finishCreation): 2020-04-28 Yusuke Suzuki <ysuzuki@apple.com> [JSC] NumberConstructor should accept BigInt https://bugs.webkit.org/show_bug.cgi?id=210835 Reviewed by Mark Lam. This patch fixes our Number constructor behavior to accept BigInt. According to the spec[1], Number constructor should accept BigInt and should generate numbers from that. We port V8's BigInt to double conversion code as we did for the other HeapBigInt runtime functions. And we introduce CallNumberConstructor DFG node and handle Number constructor call with BigInt correctly in DFG and FTL. Previously we were emitting ToNumber DFG node for Number constructor. But this is wrong now since ToNumber does not accept BigInt and throws an error, and Number constructor should not use ToNumber to implement its implementation. So we should introduce slightly different semantics: CallNumberConstructor as we introduced CallStringConstructor in addition to ToString DFG node. And we add appropriate BigInt32 path to emit efficient CallNumberConstructor machine code. [1]: https://tc39.es/ecma262/#sec-number-constructor-number-value * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::propagate): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixupToNumberOrToNumericOrCallNumberConstructor): (JSC::DFG::FixupPhase::fixupToNumeric): Deleted. (JSC::DFG::FixupPhase::fixupToNumber): Deleted. * dfg/DFGNode.h: (JSC::DFG::Node::hasHeapPrediction): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileToNumeric): (JSC::DFG::SpeculativeJIT::compileCallNumberConstructor): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileCallNumberConstructor): * runtime/JSBigInt.cpp: (JSC::JSBigInt::decideRounding): (JSC::JSBigInt::toNumberHeap): * runtime/JSBigInt.h: * runtime/NumberConstructor.cpp: (JSC::constructNumberConstructor): (JSC::callNumberConstructor): 2020-04-27 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Throw OutOfMemoryError instead of RangeError if BigInt is too big https://bugs.webkit.org/show_bug.cgi?id=211111 Reviewed by Saam Barati. Currently, we are throwing a RangeError if we detect that JSBigInt becomes too large. But this is not consistent with our JSString's policy. We should throw OutOfMemoryError in this case. This also makes DFG simple since DFG allows throwing OutOfMemoryError in any places which node is even removed. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * runtime/ExceptionHelpers.cpp: (JSC::throwOutOfMemoryError): * runtime/ExceptionHelpers.h: * runtime/JSBigInt.cpp: (JSC::JSBigInt::tryCreateWithLength): (JSC::JSBigInt::exponentiateHeap): (JSC::JSBigInt::leftShiftByAbsolute): (JSC::JSBigInt::allocateFor): 2020-04-27 Saam Barati <sbarati@apple.com> BigInt math runtime shouldn't convert BigInt32 input operands to a heap cell when doing math https://bugs.webkit.org/show_bug.cgi?id=210978 Reviewed by Yusuke Suzuki. This patch adds support in the runtime for doing alomst all BigInt math operations on the inputs either being Int32, HeapBigInt, or a mixing of both. Before, if we detected a binary operation on an Int32 and a HeapBigInt, this would lead us to convert the Int32 operand into a HeapBigInt. This is especially bad because we'd repeat this for all math ops. For example, if x is a BigInt32, and all rhs are a HeapBigInt, we'd repeatedly convert x to a HeapBigInt for each operation: ``` x + y x * y x - y x >> y x << y etc ``` To teach the runtime how to operate both over a BigInt32 and a HeapBigInt, I templatized the runtime math operations to work both over BigInt32 and HeapBigInt wrapper classes that expose the same interface. This is a ~28% speedup on microbenchmarks/sunspider-sha1-big-int.js * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compare): * jit/JITOperations.cpp: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/JSBigInt.cpp: (JSC::HeapBigIntImpl::HeapBigIntImpl): (JSC::HeapBigIntImpl::isZero): (JSC::HeapBigIntImpl::sign): (JSC::HeapBigIntImpl::length): (JSC::HeapBigIntImpl::digit): (JSC::HeapBigIntImpl::toHeapBigInt): (JSC::Int32BigIntImpl::Int32BigIntImpl): (JSC::Int32BigIntImpl::isZero): (JSC::Int32BigIntImpl::sign): (JSC::Int32BigIntImpl::length): (JSC::Int32BigIntImpl::digit): (JSC::Int32BigIntImpl::toHeapBigInt): (JSC::JSBigInt::ImplResult::ImplResult): (JSC::tryConvertToBigInt32): (JSC::JSBigInt::inplaceMultiplyAdd): (JSC::JSBigInt::exponentiateImpl): (JSC::JSBigInt::exponentiate): (JSC::JSBigInt::multiplyImpl): (JSC::JSBigInt::multiply): (JSC::JSBigInt::divideImpl): (JSC::JSBigInt::divide): (JSC::JSBigInt::copy): (JSC::JSBigInt::unaryMinusImpl): (JSC::JSBigInt::unaryMinus): (JSC::JSBigInt::remainderImpl): (JSC::JSBigInt::remainder): (JSC::JSBigInt::incImpl): (JSC::JSBigInt::inc): (JSC::JSBigInt::decImpl): (JSC::JSBigInt::dec): (JSC::JSBigInt::addImpl): (JSC::JSBigInt::add): (JSC::JSBigInt::subImpl): (JSC::JSBigInt::sub): (JSC::JSBigInt::bitwiseAndImpl): (JSC::JSBigInt::bitwiseAnd): (JSC::JSBigInt::bitwiseOrImpl): (JSC::JSBigInt::bitwiseOr): (JSC::JSBigInt::bitwiseXorImpl): (JSC::JSBigInt::bitwiseXor): (JSC::JSBigInt::leftShiftImpl): (JSC::JSBigInt::leftShift): (JSC::JSBigInt::leftShiftSlow): (JSC::JSBigInt::signedRightShiftImpl): (JSC::JSBigInt::signedRightShift): (JSC::JSBigInt::bitwiseNotImpl): (JSC::JSBigInt::bitwiseNot): (JSC::JSBigInt::internalMultiplyAdd): (JSC::JSBigInt::multiplyAccumulate): (JSC::JSBigInt::absoluteCompare): (JSC::JSBigInt::compareImpl): (JSC::JSBigInt::compare): (JSC::JSBigInt::absoluteAdd): (JSC::JSBigInt::absoluteSub): (JSC::JSBigInt::absoluteDivWithDigitDivisor): (JSC::JSBigInt::absoluteDivWithBigIntDivisor): (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy): (JSC::JSBigInt::absoluteBitwiseOp): (JSC::JSBigInt::absoluteAnd): (JSC::JSBigInt::absoluteOr): (JSC::JSBigInt::absoluteAndNot): (JSC::JSBigInt::absoluteXor): (JSC::JSBigInt::absoluteAddOne): (JSC::JSBigInt::absoluteSubOne): (JSC::JSBigInt::leftShiftByAbsolute): (JSC::JSBigInt::rightShiftByAbsolute): (JSC::JSBigInt::rightShiftByMaximum): (JSC::JSBigInt::toStringGeneric): (JSC::JSBigInt::toShiftAmount): (JSC::JSBigInt::exponentiateHeap): Deleted. (JSC::JSBigInt::multiplyHeap): Deleted. (JSC::JSBigInt::divideHeap): Deleted. (JSC::JSBigInt::unaryMinusHeap): Deleted. (JSC::JSBigInt::remainderHeap): Deleted. (JSC::JSBigInt::incHeap): Deleted. (JSC::JSBigInt::decHeap): Deleted. (JSC::JSBigInt::addHeap): Deleted. (JSC::JSBigInt::subHeap): Deleted. (JSC::JSBigInt::bitwiseAndHeap): Deleted. (JSC::JSBigInt::bitwiseOrHeap): Deleted. (JSC::JSBigInt::bitwiseXorHeap): Deleted. (JSC::JSBigInt::leftShiftHeap): Deleted. (JSC::JSBigInt::signedRightShiftHeap): Deleted. (JSC::JSBigInt::bitwiseNotHeap): Deleted. (JSC::JSBigInt::compareToInt32): Deleted. * runtime/JSBigInt.h: * runtime/Operations.cpp: (JSC::jsAddSlowCase): * runtime/Operations.h: (JSC::compareBigInt): (JSC::compareBigInt32ToOtherPrimitive): (JSC::arithmeticBinaryOp): (JSC::jsSub): (JSC::jsMul): (JSC::jsDiv): (JSC::jsRemainder): (JSC::jsPow): (JSC::jsInc): (JSC::jsDec): (JSC::jsBitwiseNot): (JSC::shift): (JSC::jsLShift): (JSC::jsRShift): (JSC::bitwiseBinaryOp): (JSC::jsBitwiseAnd): (JSC::jsBitwiseOr): (JSC::jsBitwiseXor): 2020-04-27 Yusuke Suzuki <ysuzuki@apple.com> [JSC] >>> should call ToNumeric https://bugs.webkit.org/show_bug.cgi?id=211065 Reviewed by Ross Kirsling. While BigInt does not support >>> operator, >>> operator should call ToNumeric (in this case, toBigIntOrInt32) for both before throwing an error. We call toBigIntOrInt32 for both operands, and throw an error. And after that, casting int32_t to uint32_t to perform >>> operator. This is correct since the only difference between toUint32 and toInt32 is casting int32_t result to uint32_t. * dfg/DFGOperations.cpp: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/Operations.h: (JSC::shift): (JSC::jsURShift): 2020-04-27 Keith Miller <keith_miller@apple.com> OSR Exit compiler should know and print the exiting DFG node's index https://bugs.webkit.org/show_bug.cgi?id=210998 Reviewed by Mark Lam. The only interesting thing here is that we set the node to index 0 if there is no node. AFAICT, we only don't have a node when we are checking arguments. * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::OSRExit): (JSC::DFG::operationCompileOSRExit): * dfg/DFGOSRExitBase.h: (JSC::DFG::OSRExitBase::OSRExitBase): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint): (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation): * ftl/FTLOSRExit.cpp: (JSC::FTL::OSRExitDescriptor::emitOSRExit): (JSC::FTL::OSRExitDescriptor::emitOSRExitLater): (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle): (JSC::FTL::OSRExit::OSRExit): * ftl/FTLOSRExit.h: * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): 2020-04-27 Saam Barati <sbarati@apple.com> compilePeepHoleBigInt32Branch needs to handle all conditions https://bugs.webkit.org/show_bug.cgi?id=211096 <rdar://problem/62469971> Reviewed by Yusuke Suzuki. We were falling through to the generic path for all conditions which weren't Equal/NotEqual. The generic path does not do speculation, so it was leading to potential miscompiles because we omitted a type check. Defining compilePeepHoleBigInt32Branch for other conditions is trivial, so this patch just implements that. This failure is caught by microbenchmarks/sunspider-sha1-big-int.js * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compilePeepHoleBigInt32Branch): 2020-04-27 Jason Lawrence <lawrence.j@apple.com> Unreviewed, reverting r260772. This commit caused tests to start failing internally. Reverted changeset: "OSR Exit compiler should know and print the exiting DFG node's index" https://bugs.webkit.org/show_bug.cgi?id=210998 https://trac.webkit.org/changeset/260772 2020-04-27 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Add $vm.assertEnabled() to suppress Debug crash expected tests in release+assert build https://bugs.webkit.org/show_bug.cgi?id=211089 Reviewed by Keith Miller. Expose ASSERT_ENABLED condition to the shell to control crash expected tests. * tools/JSDollarVM.cpp: (JSC::functionAssertEnabled): (JSC::JSDollarVM::finishCreation): 2020-04-27 Keith Miller <keith_miller@apple.com> OSR Exit compiler should know and print the exiting DFG node's index https://bugs.webkit.org/show_bug.cgi?id=210998 Reviewed by Mark Lam. The only interesting thing here is that we set the node to index 0 if there is no node. AFAICT, we only don't have a node when we are checking arguments. * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::OSRExit): (JSC::DFG::operationCompileOSRExit): * dfg/DFGOSRExitBase.h: (JSC::DFG::OSRExitBase::OSRExitBase): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint): (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation): * ftl/FTLOSRExit.cpp: (JSC::FTL::OSRExitDescriptor::emitOSRExit): (JSC::FTL::OSRExitDescriptor::emitOSRExitLater): (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle): (JSC::FTL::OSRExit::OSRExit): * ftl/FTLOSRExit.h: * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): 2020-04-27 Ross Kirsling <ross.kirsling@sony.com> [JSC] CallData/ConstructData should include CallType/ConstructType https://bugs.webkit.org/show_bug.cgi?id=211059 Reviewed by Darin Adler. getCallData/getConstructData return a CallType/ConstructType and have a CallData/ConstructData out param, and then *both* of these are passed side-by-side to `call`/`construct`, which all seems a bit silly. This patch merges CallType/ConstructType into CallData/ConstructData such that getCallData/getConstructData no longer need an out param and `call`/`construct` require one less overt parameter. In so doing, it also: - removes ConstructData entirely as it's an exact duplicate of CallData - renames enum value Host to Native in alignment with CallData's union * API/JSCallbackConstructor.cpp: (JSC::JSCallbackConstructor::getConstructData): * API/JSCallbackConstructor.h: * API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: (JSC::JSCallbackObject<Parent>::getConstructData): (JSC::JSCallbackObject<Parent>::getCallData): * API/JSObjectRef.cpp: (JSObjectCallAsFunction): (JSObjectCallAsConstructor): * bindings/ScriptFunctionCall.cpp: (Deprecated::ScriptFunctionCall::call): * bindings/ScriptFunctionCall.h: * dfg/DFGOperations.cpp: * inspector/InjectedScriptManager.cpp: (Inspector::InjectedScriptManager::createInjectedScript): * inspector/InspectorEnvironment.h: * interpreter/Interpreter.cpp: (JSC::Interpreter::executeProgram): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): * interpreter/Interpreter.h: * jit/JITOperations.cpp: * jsc.cpp: (functionDollarAgentReceiveBroadcast): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::handleHostCall): * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): (JSC::arrayProtoFuncToLocaleString): * runtime/CallData.cpp: (JSC::call): (JSC::profiledCall): * runtime/CallData.h: * runtime/ClassInfo.h: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/ConstructData.cpp: (JSC::construct): (JSC::profiledConstruct): * runtime/ConstructData.h: (JSC::construct): (JSC::profiledConstruct): (): Deleted. * runtime/DatePrototype.cpp: (JSC::dateProtoFuncToJSON): * runtime/GetterSetter.cpp: (JSC::callGetter): (JSC::callSetter): * runtime/InternalFunction.cpp: (JSC::InternalFunction::getCallData): (JSC::InternalFunction::getConstructData): * runtime/InternalFunction.h: * runtime/IteratorOperations.cpp: (JSC::iteratorNext): (JSC::iteratorClose): (JSC::hasIteratorMethod): (JSC::iteratorMethod): (JSC::iteratorForIterable): * runtime/JSBoundFunction.cpp: (JSC::boundThisNoArgsFunctionCall): (JSC::boundFunctionCall): (JSC::boundThisNoArgsFunctionConstruct): (JSC::boundFunctionConstruct): * runtime/JSCJSValue.h: * runtime/JSCell.cpp: (JSC::JSCell::getCallData): (JSC::JSCell::getConstructData): * runtime/JSCell.h: * runtime/JSCellInlines.h: (JSC::JSCell::isFunction): (JSC::JSCell::isConstructor): * runtime/JSFunction.cpp: (JSC::JSFunction::getCallData): (JSC::JSFunction::getConstructData): * runtime/JSFunction.h: * runtime/JSInternalPromise.cpp: (JSC::JSInternalPromise::then): * runtime/JSMicrotask.cpp: (JSC::JSMicrotask::run): * runtime/JSModuleLoader.cpp: (JSC::JSModuleLoader::dependencyKeysIfEvaluated): (JSC::JSModuleLoader::provideFetch): (JSC::JSModuleLoader::loadAndEvaluateModule): (JSC::JSModuleLoader::loadModule): (JSC::JSModuleLoader::linkAndEvaluateModule): (JSC::JSModuleLoader::requestImportModule): * runtime/JSONObject.cpp: (JSC::Stringifier::isCallableReplacer const): (JSC::Stringifier::Stringifier): (JSC::Stringifier::toJSON): (JSC::Stringifier::appendStringifiedValue): (JSC::Walker::Walker): (JSC::Walker::callReviver): (JSC::JSONProtoFuncParse): * runtime/JSObject.cpp: (JSC::ordinarySetSlow): (JSC::callToPrimitiveFunction): (JSC::JSObject::hasInstance): (JSC::JSObject::getMethod): * runtime/JSObject.h: * runtime/JSObjectInlines.h: (JSC::getCallData): (JSC::getConstructData): * runtime/JSPromise.cpp: (JSC::JSPromise::createDeferredData): (JSC::JSPromise::resolvedPromise): (JSC::callFunction): * runtime/MapConstructor.cpp: (JSC::constructMap): * runtime/ObjectPrototype.cpp: (JSC::objectProtoFuncToLocaleString): * runtime/ProxyObject.cpp: (JSC::performProxyGet): (JSC::ProxyObject::performInternalMethodGetOwnProperty): (JSC::ProxyObject::performHasProperty): (JSC::ProxyObject::performPut): (JSC::performProxyCall): (JSC::ProxyObject::getCallData): (JSC::performProxyConstruct): (JSC::ProxyObject::getConstructData): (JSC::ProxyObject::performDelete): (JSC::ProxyObject::performPreventExtensions): (JSC::ProxyObject::performIsExtensible): (JSC::ProxyObject::performDefineOwnProperty): (JSC::ProxyObject::performGetOwnPropertyNames): (JSC::ProxyObject::performSetPrototype): (JSC::ProxyObject::performGetPrototype): * runtime/ProxyObject.h: * runtime/ReflectObject.cpp: (JSC::reflectObjectConstruct): * runtime/SamplingProfiler.cpp: (JSC::SamplingProfiler::processUnverifiedStackTraces): * runtime/SetConstructor.cpp: (JSC::constructSet): * runtime/StringPrototype.cpp: (JSC::replaceUsingRegExpSearch): (JSC::operationStringProtoFuncReplaceRegExpEmptyStr): (JSC::operationStringProtoFuncReplaceRegExpString): (JSC::replaceUsingStringSearch): * runtime/VM.cpp: (JSC::VM::callPromiseRejectionCallback): * runtime/WeakMapConstructor.cpp: (JSC::constructWeakMap): * runtime/WeakSetConstructor.cpp: (JSC::constructWeakSet): * tools/JSDollarVM.cpp: (JSC::callWithStackSizeProbeFunction): * wasm/js/WebAssemblyModuleRecord.cpp: (JSC::WebAssemblyModuleRecord::evaluate): * wasm/js/WebAssemblyWrapperFunction.cpp: (JSC::callWebAssemblyWrapperFunction): 2020-04-26 Ross Kirsling <ross.kirsling@sony.com> [JSC] Clearly distinguish isConstructor from getConstructData https://bugs.webkit.org/show_bug.cgi?id=211053 Reviewed by Sam Weinig. Follow-up to r260722. Remove the isConstructor overload that duplicates getConstructData and clearly distinguish the usage of these two functions. * runtime/JSCJSValue.h: * runtime/JSCJSValueInlines.h: * runtime/JSCell.h: * runtime/JSCellInlines.h: (JSC::JSCell::isConstructor): Remove isConstructor overload. * runtime/JSBoundFunction.cpp: (JSC::JSBoundFunction::create): Don't use getConstructData if you don't need ConstructData. * runtime/ReflectObject.cpp: (JSC::reflectObjectConstruct): Use getConstructData if you need ConstructData. * API/JSObjectRef.cpp: (JSObjectIsFunction): Use isFunction (leftover spot from last patch). 2020-04-26 Alexey Shvayka <shvaikalesh@gmail.com> Symbol should have [[Construct]] internal method https://bugs.webkit.org/show_bug.cgi?id=211050 Reviewed by Yusuke Suzuki. This change introduces constructSymbol() method, which unconditionally throws a TypeError, since its presence is observable when, for example, Symbol is a [[ProxyTarget]] itself [1]. Aligns JSC with the spec [2], V8, and SpiderMonkey. [1]: https://tc39.es/ecma262/#sec-proxycreate (step 7.b) [2]: https://tc39.es/ecma262/#constructor * runtime/SymbolConstructor.cpp: (JSC::SymbolConstructor::SymbolConstructor): (JSC::constructSymbol): 2020-04-26 Alexey Shvayka <shvaikalesh@gmail.com> InternalFunction::createSubclassStructure should use newTarget's globalObject https://bugs.webkit.org/show_bug.cgi?id=202599 Reviewed by Yusuke Suzuki. If "prototype" of NewTarget is not an object, built-in constructors [1] should acquire default [[Prototype]] from realm of NewTarget, utilizing GetFunctionRealm helper [2]. Before this change, realm of active constructor was used instead. This patch introduces GetFunctionRealm and aligns all subclassable constructors with the spec, V8, and SpiderMonkey. This change inlines fast paths checks of InternalFunction::createSubclassStructure() and simplifies its signature; getFunctionRealm() is invoked in slow paths only. While a dynamically created function uses NewTarget's realm for its default [[Prototype]] similar to other built-ins, its "prototype" object inherit from ObjectPrototype of active constructor's realm [3] (just like their scope), making it retain references to 2 different global objects. To accomodate this behavior, this change introduces `scopeGlobalObject` in JSFunction.cpp methods. Above-mentioned behavior also simplifies creation of JSGenerator and JSAsyncGenerator instances since NewTarget's realm is irrelevant to them. IntlCollatorConstructor::collatorStructure() and 6 similar methods are removed: a) to impose good practice of using newTarget's globalObject; b) with this change, each of them have 1 call site max; c) other JSC constructors have no methods alike. [1]: https://tc39.es/ecma262/#sec-map-constructor (step 2) [2]: https://tc39.es/ecma262/#sec-getfunctionrealm [3]: https://tc39.es/ecma262/#sec-createdynamicfunction (steps 23-25) * dfg/DFGOperations.cpp: * runtime/AggregateErrorConstructor.cpp: (JSC::callAggregateErrorConstructor): (JSC::constructAggregateErrorConstructor): * runtime/AggregateErrorConstructor.h: * runtime/AsyncFunctionConstructor.cpp: (JSC::constructAsyncFunctionConstructor): * runtime/AsyncGeneratorFunctionConstructor.cpp: (JSC::constructAsyncGeneratorFunctionConstructor): * runtime/BooleanConstructor.cpp: (JSC::constructWithBooleanConstructor): * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): (JSC::createInternalFieldObject): * runtime/DateConstructor.cpp: (JSC::constructDate): * runtime/ErrorConstructor.cpp: (JSC::constructErrorConstructor): * runtime/FunctionConstructor.cpp: (JSC::constructFunctionSkippingEvalEnabledCheck): * runtime/InternalFunction.cpp: (JSC::InternalFunction::createSubclassStructure): (JSC::getFunctionRealm): (JSC::InternalFunction::createSubclassStructureSlow): Deleted. * runtime/InternalFunction.h: (JSC::InternalFunction::createSubclassStructure): Deleted. * runtime/IntlCollatorConstructor.cpp: (JSC::constructIntlCollator): (JSC::callIntlCollator): * runtime/IntlCollatorConstructor.h: * runtime/IntlDateTimeFormatConstructor.cpp: (JSC::constructIntlDateTimeFormat): (JSC::callIntlDateTimeFormat): * runtime/IntlDateTimeFormatConstructor.h: * runtime/IntlNumberFormatConstructor.cpp: (JSC::constructIntlNumberFormat): (JSC::callIntlNumberFormat): * runtime/IntlNumberFormatConstructor.h: * runtime/IntlPluralRulesConstructor.cpp: (JSC::constructIntlPluralRules): * runtime/IntlPluralRulesConstructor.h: * runtime/IntlRelativeTimeFormatConstructor.cpp: (JSC::constructIntlRelativeTimeFormat): * runtime/IntlRelativeTimeFormatConstructor.h: * runtime/JSArrayBufferConstructor.cpp: (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer): * runtime/JSFunction.cpp: (JSC::JSFunction::prototypeForConstruction): (JSC::JSFunction::getOwnPropertySlot): * runtime/JSGenericTypedArrayViewConstructorInlines.h: (JSC::constructGenericTypedArrayView): * runtime/JSGlobalObjectInlines.h: (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const): * runtime/MapConstructor.cpp: (JSC::constructMap): * runtime/NativeErrorConstructor.cpp: (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor): (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor): * runtime/NativeErrorConstructor.h: * runtime/NumberConstructor.cpp: (JSC::constructNumberConstructor): * runtime/ObjectConstructor.cpp: (JSC::constructObjectWithNewTarget): * runtime/RegExpConstructor.cpp: (JSC::getRegExpStructure): (JSC::constructRegExp): (JSC::esSpecRegExpCreate): * runtime/RegExpConstructor.h: * runtime/SetConstructor.cpp: (JSC::constructSet): * runtime/StringConstructor.cpp: (JSC::constructWithStringConstructor): * runtime/WeakMapConstructor.cpp: (JSC::constructWeakMap): * runtime/WeakObjectRefConstructor.cpp: (JSC::constructWeakRef): * runtime/WeakSetConstructor.cpp: (JSC::constructWeakSet): * wasm/js/WebAssemblyCompileErrorConstructor.cpp: (JSC::constructJSWebAssemblyCompileError): * wasm/js/WebAssemblyInstanceConstructor.cpp: (JSC::constructJSWebAssemblyInstance): * wasm/js/WebAssemblyLinkErrorConstructor.cpp: (JSC::constructJSWebAssemblyLinkError): * wasm/js/WebAssemblyModuleConstructor.cpp: (JSC::WebAssemblyModuleConstructor::createModule): * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: (JSC::constructJSWebAssemblyRuntimeError): 2020-04-26 Yusuke Suzuki <ysuzuki@apple.com> [JSC] ValueAdd, VaueSub, ValueMul, Inc, Dec should say SpecBigInt32 prediction based on ArithProfile https://bugs.webkit.org/show_bug.cgi?id=211038 Reviewed by Filip Pizlo. This patch adds profile feedback to ValueAdd, ValueSub, ValueMul, Inc, Dec to say SpecBigInt32 prediction. Our HeapBigInt v.s. BigInt32 strategy is simpler than Double v.s. Int32 strategy: we always prefer BigInt32 over HeapBigInt. This is because HeapBigInt calculation and conversion require much higher cost than BigInt32. This tradeoff is largely different from Double v.s. Int32. So keeping HeapBigInt is simply inefficient when we can use BigInt32. This means that ArithProfile's feedback is also very simple. If we see HeapBigInt, this means overflow happens. In DFG, we propagate this information to ValueAdd, ValueSub, and ValueMul nodes and record it in DFGNodeFlags. And based on this information, we change the prediction and speculation in prediction propagation and fixup phase. We change exit reason from Overflow to BigInt32Overflow since Overflow is solely used for Int32 case, and we have Int52Overflow for Int52 case. We should have BigInt32Overflow for BigInt32 to precisely record and tell about what happens in DFG as a feedback for the next compilation. We add BigInt32 speculation for ValueSub. Previously, we missed that in fixup phase and we always speculate ValueSub with AnyBigIntUse or HeapBigIntUse. Now it can use BigInt32Use. We also fix Inc / Dec's fixup phase to use BigInt path. Previously, it was always using UntypedUse since `node->child1()->shouldSpeculateUntypedForArithmetic()` returns true for BigInt. We fix the ordering of speculation attempts as it is done in the other places in fixup phase. This patch offers 7.9% performance improvement in sunspider-sha1-big-int. ToT Patched sunspider-sha1-big-int 134.5668+-2.8695 ^ 124.6743+-0.7541 ^ definitely 1.0793x faster * bytecode/ExitKind.cpp: (JSC::exitKindToString): * bytecode/ExitKind.h: * bytecode/SpeculatedType.h: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::makeSafe): (JSC::DFG::ByteCodeParser::makeDivSafe): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGGraph.h: (JSC::DFG::Graph::binaryArithShouldSpeculateBigInt32): (JSC::DFG::Graph::unaryArithShouldSpeculateBigInt32): * dfg/DFGNode.h: (JSC::DFG::Node::mayHaveBigInt32Result): (JSC::DFG::Node::mayHaveHeapBigIntResult): (JSC::DFG::Node::mayHaveBigIntResult): (JSC::DFG::Node::canSpeculateBigInt32): (JSC::DFG::Node::canSpeculateInt52): * dfg/DFGNodeFlags.cpp: (JSC::DFG::dumpNodeFlags): * dfg/DFGNodeFlags.h: (JSC::DFG::nodeMayHaveHeapBigInt): (JSC::DFG::nodeCanSpeculateBigInt32): * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileValueAdd): (JSC::DFG::SpeculativeJIT::compileValueSub): (JSC::DFG::SpeculativeJIT::compileValueMul): (JSC::DFG::SpeculativeJIT::compileValueDiv): (JSC::DFG::SpeculativeJIT::speculateHeapBigInt): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv): 2020-04-25 Ross Kirsling <ross.kirsling@sony.com> [JSC] isCallable is redundant with isFunction https://bugs.webkit.org/show_bug.cgi?id=211037 Reviewed by Yusuke Suzuki. isCallable is only being used in two places and has the same definition as isFunction (aside from out params). Where CallData is needed, getCallData should be used; where CallData is not needed, isFunction should be used. * runtime/JSCJSValue.h: * runtime/JSCJSValueInlines.h: (JSC::JSValue::isCallable const): Deleted. * runtime/JSCell.h: * runtime/JSCellInlines.h: (JSC::JSCell::isCallable): Deleted. Remove isCallable. * runtime/JSONObject.cpp: (JSC::Stringifier::Stringifier): (JSC::Stringifier::toJSON): Use getCallData if you need CallData. * runtime/ExceptionHelpers.cpp: (JSC::errorDescriptionForValue): * runtime/ObjectConstructor.cpp: (JSC::toPropertyDescriptor): * runtime/ObjectPrototype.cpp: (JSC::objectProtoFuncDefineGetter): (JSC::objectProtoFuncDefineSetter): Don't use getCallData if you don't need CallData. 2020-04-25 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Handle BigInt32 INT32_MIN shift amount https://bugs.webkit.org/show_bug.cgi?id=211030 Reviewed by Darin Adler. Our BigInt shift-operation does not correctly handle INT32_MIN shift amount, and producing a wrong result. This patch fixes it. * runtime/Operations.h: (JSC::shift): 2020-04-25 Darin Adler <darin@apple.com> [Cocoa] Deal with another round of Xcode upgrade checks https://bugs.webkit.org/show_bug.cgi?id=211027 Reviewed by Alexey Proskuryakov. * JavaScriptCore.xcodeproj/project.pbxproj: Bump the upgrade check version. Add a harmless base localization; this project contains nothing localized. 2020-04-25 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Add fast path for BigInt32 left-shift https://bugs.webkit.org/show_bug.cgi?id=211029 Reviewed by Saam Barati. Currently, the left-shift operation misses the fast path for BigInt32 <> BigInt32 case. This patch adds it. We also fixes prediction-propagation for left/right shift to use existing heap prediction instead of polluting the result with SpecBigInt. This offer 4.5% improvement in microbenchmarks/sunspider-sha1-big-int.js. * dfg/DFGPredictionPropagationPhase.cpp: * runtime/Operations.h: (JSC::shift): 2020-04-25 Ross Kirsling <ross.kirsling@sony.com> Unreviewed fix for JSC Debug tests following r210853. * runtime/IntlObject.cpp: (JSC::canonicalizeLanguageTag): (JSC::canonicalizeLocaleList): (JSC::defaultLocale): Deal with unchecked exception by moving tryGetUtf8 call out of canonicalizeLanguageTag; it's meant to verify the user input from canonicalizeLocaleList and needn't change the noexcept-ness of defaultLocale. 2020-04-25 Alex Christensen <achristensen@webkit.org> Prepare to remove automatic URL->String conversion operators https://bugs.webkit.org/show_bug.cgi?id=211007 Reviewed by Darin Adler. * API/JSAPIGlobalObject.mm: (JSC::JSAPIGlobalObject::moduleLoaderResolve): (JSC::JSAPIGlobalObject::moduleLoaderImportModule): * API/JSScript.mm: (validateBytecodeCachePath): (+[JSScript scriptOfType:memoryMappedFromASCIIFile:withSourceURL:andBytecodeCache:inVirtualMachine:error:]): * inspector/ScriptDebugServer.cpp: (Inspector::ScriptDebugServer::sourceParsed): * parser/Nodes.h: (JSC::ScopeNode::sourceURL const): * runtime/CachedTypes.cpp: (JSC::CachedSourceProviderShape::encode): * runtime/Error.cpp: (JSC::addErrorInfo): * runtime/ScriptExecutable.h: (JSC::ScriptExecutable::sourceURL const): 2020-04-25 Ross Kirsling <ross.kirsling@sony.com> [Intl] Locale validation/canonicalization should defer to ICU https://bugs.webkit.org/show_bug.cgi?id=210853 Reviewed by Darin Adler. The mappings for locale canonicalization in latest CLDR are sufficiently complex that it really no longer makes sense not to have ICU do this work for us. This means the UTS 35 canonicalization desired by ECMA-402 will not be fully achievable until ICU ~67, but it's better than reaching right into CLDR and pretending that we *are* ICU. (On this point, we thus align with V8 and diverge from SM.) Of course, we can still add our own pre-validations / post-canonicalizations if desired. * CMakeLists.txt: * DerivedSources-input.xcfilelist: * DerivedSources-output.xcfilelist: * DerivedSources.make: * JavaScriptCore.xcodeproj/project.pbxproj: * Scripts/generateIntlCanonicalizeLanguage.py: Removed. * runtime/IntlObject.cpp: (JSC::intlAvailableLocales): (JSC::intlCollatorAvailableLocales): (JSC::canonicalizeLanguageTag): (JSC::canonicalizeLocaleList): (JSC::defaultLocale): (JSC::removeUnicodeLocaleExtension): (JSC::addMissingScriptLocales): Deleted. This one was ostensibly a fix for an old ICU bug. (JSC::privateUseLangTag): Deleted. (JSC::preferredLanguage): Deleted. (JSC::preferredRegion): Deleted. (JSC::canonicalLangTag): Deleted. * ucd/language-subtag-registry.txt: Removed. 2020-04-24 Yusuke Suzuki <ysuzuki@apple.com> Fix internal build by using strcmp instead of using string literal comparison https://bugs.webkit.org/show_bug.cgi?id=211011 Reviewed by Keith Miller. Use strcmp for string literal comparison to expect that this is fully handled by compiler and converted into constant at compile time. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): 2020-04-24 Mark Lam <mark.lam@apple.com> Suppress ASan on DFG::clobberize() to work around an ASan bug. https://bugs.webkit.org/show_bug.cgi?id=211012 <rdar://problem/62275430> Reviewed by Yusuke Suzuki. ASan was incorrectly thinking that we're accessing invalid stack memory when we're not. * dfg/DFGClobberize.h: (JSC::DFG::clobberize): 2020-04-24 Alexey Shvayka <shvaikalesh@gmail.com> Fix WASM Error classes and re-sync wpt/wasm/jsapi from upstream https://bugs.webkit.org/show_bug.cgi?id=210980 Reviewed by Keith Miller. assert_throws_js() harness, which is extensively used by wpt/wasm/jsapi tests, was recently updated to assert that passed constructors subclass Error in spec-perfect way. With this patch, WebAssembly errors have Error as [[Prototype]] of their constructors and define correct "name" and "message" properties on their prototypes, aligning JSC with the spec [1], V8 and SpiderMonkey. [1]: https://webassembly.github.io/spec/js-api/#error-objects * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * wasm/js/WebAssemblyCompileErrorPrototype.cpp: (JSC::WebAssemblyCompileErrorPrototype::finishCreation): * wasm/js/WebAssemblyLinkErrorPrototype.cpp: (JSC::WebAssemblyLinkErrorPrototype::finishCreation): * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation): 2020-04-24 Saam Barati <sbarati@apple.com> Return BigInt32 whenever we can https://bugs.webkit.org/show_bug.cgi?id=210922 Reviewed by Yusuke Suzuki. This patch makes it so our runtime functions for big int math on heap big ints converts the result to a big int 32 when possible. The inspiration for this patch came from converting SunSpider's sha1 benchmark to using big ints. I found that that original implementation of big int 32 was a ~35% slowdown here. This patch speeds it up by 86% from ToT, and 36% faster than before big int 32 was introduced. To make this sound in the DFG/FTL, we are currently reporting that all HeapBigInt math ops return SpecBigInt, instead of SpecHeapBigInt. However, we want to do better in a follow up. We need some kind of profiling system where we determine if we should speculate if the result is big int 32, a heap big int, or both: https://bugs.webkit.org/show_bug.cgi?id=210982 * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileValueBitNot): (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp): (JSC::DFG::SpeculativeJIT::compileValueLShiftOp): (JSC::DFG::SpeculativeJIT::compileValueBitRShift): (JSC::DFG::SpeculativeJIT::compileValueAdd): (JSC::DFG::SpeculativeJIT::compileValueSub): (JSC::DFG::SpeculativeJIT::compileValueMul): (JSC::DFG::SpeculativeJIT::compileValueDiv): (JSC::DFG::SpeculativeJIT::compileValueMod): (JSC::DFG::SpeculativeJIT::compileValuePow): * jit/JITOperations.cpp: * jsc.cpp: (functionCreateBigInt32): * runtime/BigIntConstructor.cpp: (JSC::toBigInt): (JSC::callBigIntConstructor): * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/JSBigInt.cpp: (JSC::JSBigInt::exponentiateHeap): (JSC::JSBigInt::multiplyHeap): (JSC::JSBigInt::divideHeap): (JSC::JSBigInt::unaryMinusHeap): (JSC::JSBigInt::remainderHeap): (JSC::JSBigInt::incHeap): (JSC::JSBigInt::decHeap): (JSC::JSBigInt::addHeap): (JSC::JSBigInt::subHeap): (JSC::JSBigInt::bitwiseAndHeap): (JSC::JSBigInt::bitwiseOrHeap): (JSC::JSBigInt::bitwiseXorHeap): (JSC::JSBigInt::leftShiftHeap): (JSC::JSBigInt::signedRightShiftHeap): (JSC::JSBigInt::bitwiseNotHeap): (JSC::JSBigInt::absoluteAdd): (JSC::JSBigInt::absoluteSub): (JSC::JSBigInt::parseInt): (JSC::JSBigInt::exponentiate): Deleted. (JSC::JSBigInt::multiply): Deleted. (JSC::JSBigInt::divide): Deleted. (JSC::JSBigInt::unaryMinus): Deleted. (JSC::JSBigInt::remainder): Deleted. (JSC::JSBigInt::inc): Deleted. (JSC::JSBigInt::dec): Deleted. (JSC::JSBigInt::add): Deleted. (JSC::JSBigInt::sub): Deleted. (JSC::JSBigInt::bitwiseAnd): Deleted. (JSC::JSBigInt::bitwiseOr): Deleted. (JSC::JSBigInt::bitwiseXor): Deleted. (JSC::JSBigInt::leftShift): Deleted. (JSC::JSBigInt::signedRightShift): Deleted. (JSC::JSBigInt::bitwiseNot): Deleted. * runtime/JSBigInt.h: * runtime/JSCJSValue.h: (JSC::jsBigInt32): * runtime/JSCJSValueInlines.h: (JSC::JSValue::JSValue): * runtime/Operations.cpp: (JSC::jsAddSlowCase): * runtime/Operations.h: (JSC::jsSub): (JSC::jsMul): (JSC::jsDiv): (JSC::jsInc): (JSC::jsDec): (JSC::jsBitwiseNot): (JSC::shift): (JSC::bitwiseBinaryOp): 2020-04-24 Michael Catanzaro <mcatanzaro@gnome.org> [GTK][WPE][JSCOnly] compile error when -DWTF_CPU_ARM64_CORTEXA53=ON set for arm64 https://bugs.webkit.org/show_bug.cgi?id=197192 Reviewed by Yusuke Suzuki. This workaround is supposed to fix WebKit on old Cortex A53 CPUs, but it has been broken since 2018, and people would like to use WebKit on modern Cortex A53. If anyone using WebKit on the original hardware wants to fix and reimplement the workaround, feel free. * assembler/ARM64Assembler.h: (JSC::ARM64Assembler::adrp): (JSC::ARM64Assembler::madd): (JSC::ARM64Assembler::msub): (JSC::ARM64Assembler::smaddl): (JSC::ARM64Assembler::smsubl): (JSC::ARM64Assembler::umaddl): (JSC::ARM64Assembler::umsubl): (JSC::ARM64Assembler::nopCortexA53Fix835769): Deleted. (JSC::ARM64Assembler::nopCortexA53Fix843419): Deleted. * offlineasm/arm64.rb: * offlineasm/instructions.rb: 2020-04-24 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Fix DataFormatJSBigInt32 missing part https://bugs.webkit.org/show_bug.cgi?id=210986 Reviewed by Mark Lam. Add missing part of DataFormatJSBigInt32 implementation. * bytecode/DataFormat.h: (JSC::dataFormatToString): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32): 2020-04-24 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, build fix in Windows https://bugs.webkit.org/show_bug.cgi?id=210892 Windows MSVC does not have proper understanding of IGNORE_RETURN_TYPE_WARNINGS_BEGIN. * runtime/JSBigInt.h: (JSC::invertBigIntCompareResult): 2020-04-24 Yusuke Suzuki <ysuzuki@apple.com> [JSC] DFG compare should speculate BigInt well https://bugs.webkit.org/show_bug.cgi?id=210892 Reviewed by Saam Barati. Compare operations in DFG does not support BigInt related speculations. As a result, DFG fixup phase emits DoubleRep for operands, and causes OSR exit. This patch adds BigInt32, HeapBigInt, and AnyBigIntUse support to DFG compare operations to avoid OSR exits. We also introduce JSBigInt::compareToInt32 to avoid allocating JSBigInt only for comparison, and optimize C++ runtime for JSBigInt comparison. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileValueAdd): (JSC::DFG::SpeculativeJIT::compileValueSub): (JSC::DFG::SpeculativeJIT::compileValueMul): (JSC::DFG::SpeculativeJIT::compare): (JSC::DFG::SpeculativeJIT::genericJSValueNonPeepholeCompare): (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compileBigInt32Compare): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq): (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): (JSC::FTL::DFG::LowerDFGToB3::compare): (JSC::FTL::DFG::LowerDFGToB3::genericJSValueCompare): (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare): Deleted. * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::unboxBigInt32): * runtime/JSBigInt.cpp: (JSC::JSBigInt::compareToInt32): * runtime/JSBigInt.h: (JSC::swapBigIntCompareResult): * runtime/Operations.h: (JSC::compareBigInt): (JSC::compareBigInt32ToOtherPrimitive): (JSC::bigIntCompare): 2020-04-24 Alexey Shvayka <shvaikalesh@gmail.com> Proxy.revocable should not have [[Construct]] slot https://bugs.webkit.org/show_bug.cgi?id=210959 Reviewed by Darin Adler. This change removes proxyRevocableConstructorThrowError() since its presence is observable when, for example, Proxy.revocable is a [[ProxyTarget]] itself [1]. Also removes unnecessary newTarget() check in constructProxyObject() and 2 extra ArgList instances. This patch aligns JSC with the spec [2], V8 and SpiderMonkey. [1]: https://tc39.es/ecma262/#sec-proxycreate (step 7.b) [2]: https://tc39.es/ecma262/#sec-ecmascript-standard-built-in-objects * runtime/ProxyConstructor.cpp: (JSC::makeRevocableProxy): (JSC::ProxyConstructor::finishCreation): (JSC::constructProxyObject): (JSC::proxyRevocableConstructorThrowError): Deleted. 2020-04-24 Yusuke Suzuki <ysuzuki@apple.com> [JSC] DFG AI for some bitops + BigInt32 should be precise https://bugs.webkit.org/show_bug.cgi?id=210956 Reviewed by Keith Miller. Use SpecBigInt32 for ValueBitXor, ValueBitAnd, and ValueBitOr since they are always producing BigInt32 and they have inlined implementations in DFG / FTL. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 2020-04-23 Alexey Shvayka <shvaikalesh@gmail.com> Remove revoked Proxy checks from ProxyCreate https://bugs.webkit.org/show_bug.cgi?id=210862 Reviewed by Ross Kirsling. This change removes revoked Proxy checks from ProxyCreate [1], implementing https://github.com/tc39/ecma262/pull/1814 and aligning JSC with SpiderMonkey. Also cleans up ProxyObject creation by using isFunction() instead of isCallable(), which are identical. [1]: https://tc39.es/ecma262/#sec-proxycreate (steps 2, 4) * runtime/ProxyObject.cpp: (JSC::ProxyObject::structureForTarget): (JSC::ProxyObject::finishCreation): 2020-04-22 Keith Miller <keith_miller@apple.com> Fix OSR exiting/iterator object checks in for-of bytecodes https://bugs.webkit.org/show_bug.cgi?id=210882 Reviewed by Saam Barati. This patch fixes some bugs in the DFGBytecodeParser where we would set the exit origin for the SetLocal following the iterator_open/next first call to the next bytecode. This meant that if out-of-line Symbol.iterator or next functions returned an unexpected non-cell we would OSR past the rest of the next bytecode rather than to the first checkpoint. This patch also makes sure we properly throw for non-objects returned from either of the above functions in all tiers (and adds tests). Finally, this patch makes a small optimization where we just ArithBitOr the iterator's closed state (index == -1) and index is out of bounds. We can't do a CompareBelow check because the index is effectively an int33_t. * bytecode/BytecodeIndex.h: (JSC::BytecodeIndex::withCheckpoint const): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::nextOpcodeIndex const): (JSC::DFG::ByteCodeParser::nextCheckpoint const): (JSC::DFG::ByteCodeParser::progressToNextCheckpoint): (JSC::DFG::ByteCodeParser::handleCall): (JSC::DFG::ByteCodeParser::handleCallVariant): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::handlePutById): (JSC::DFG::ByteCodeParser::parseGetById): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::handlePutByVal): * jit/JITCall.cpp: (JSC::JIT::emitSlow_op_iterator_open): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::handleIteratorNextCheckpoint): 2020-04-22 Darin Adler <darin@apple.com> [Cocoa] Build with UChar as char16_t even in builds that use Apple's internal SDK https://bugs.webkit.org/show_bug.cgi?id=210845 Reviewed by Anders Carlsson. * Configurations/Base.xcconfig: Move ICU-configuring macros to Platform.h. 2020-04-22 Yusuke Suzuki <ysuzuki@apple.com> [JSC] branchIfBigInt32 can use BigInt32Mask and remove branchIfNumber filter https://bugs.webkit.org/show_bug.cgi?id=210870 Reviewed by Saam Barati. By using BigInt32Mask, we can detect BigInt32 without filtering Numbers. In this patch, 1. Remove branchIfBigInt32KnownNotNumber and branchIfNotBigInt32KnownNotNumber. And always use branchBigInt32 and branchNotBigInt32 instead. 2. Remove branchIfNumber type filtering in DFG. 3. Use BigInt32Mask based scheme in FTL. 4. Add and64(TrustedImm64, RegisterID) implementations in MacroAssembler. 5. Add TagRegistersMode version in branchIfBigInt. We use numberTagRegister to produce really efficient code[1] by avoiding large constant materialization. [1]: From mov %rax, %rdx mov $0xfffe000000000012, %r11 and %r11, %rdx cmp $0x12, %rdx To lea 0x12(%r14), %rdx and %rax, %rdx cmp $0x12, %rdx * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::and64): * assembler/MacroAssemblerX86_64.h: (JSC::MacroAssemblerX86_64::and64): * bytecode/ArithProfile.cpp: (JSC::ArithProfile<BitfieldType>::emitObserveResult): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateBigInt32): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric): (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): (JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt): (JSC::FTL::DFG::LowerDFGToB3::boolify): (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): (JSC::FTL::DFG::LowerDFGToB3::lowBigInt32): (JSC::FTL::DFG::LowerDFGToB3::isBigInt32): (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32): (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt): (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32): (JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt): (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotCell): Deleted. (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotNumber): Deleted. (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32KnownNotNumber): Deleted. (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigIntKnownNotNumber): Deleted. * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitConvertValueToBoolean): (JSC::AssemblyHelpers::branchIfValue): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::branchIfBigInt32): (JSC::AssemblyHelpers::branchIfNotBigInt32): (JSC::AssemblyHelpers::emitTypeOf): (JSC::AssemblyHelpers::branchIfBigInt32KnownNotNumber): Deleted. (JSC::AssemblyHelpers::branchIfNotBigInt32KnownNotNumber): Deleted. 2020-04-22 Saam Barati <sbarati@apple.com> BigInt32 parsing should be precise https://bugs.webkit.org/show_bug.cgi?id=210869 Reviewed by Robin Morisset. Our algorithm before was conservative, and might produce a heap big int even if the value could be an int32. This patch makes the algorithm precise on 64-bit, always producing a bigint32 if the number is indeed an int32. * jsc.cpp: (functionUseBigInt32): (functionIsBigInt32): (functionIsHeapBigInt): * runtime/JSBigInt.cpp: (JSC::JSBigInt::parseInt): 2020-04-22 Saam Barati <sbarati@apple.com> Edge use kind asserts are wrong for BigInt32 on ValueBitLShift https://bugs.webkit.org/show_bug.cgi?id=210872 Reviewed by Yusuke Suzuki, Mark Lam, and Robin Morisset. This is already covered by the v8 tests Yusuke checked in. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::emitUntypedOrAnyBigIntBitOp): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet): 2020-04-22 Yusuke Suzuki <ysuzuki@apple.com> [JSC] JSBigInt inc operation does not produce right HeapBigInt zero https://bugs.webkit.org/show_bug.cgi?id=210860 Reviewed by Mark Lam. JSBigInt::inc can produce signed HeapBigInt zero, which is not meeting the invariant of JSBigInt. This patch fixes it by checking zero status before setting `setSign(true)`. * runtime/JSBigInt.cpp: (JSC::JSBigInt::inc): * runtime/JSCJSValue.cpp: (JSC::JSValue::dumpInContextAssumingStructure const): 2020-04-22 Devin Rousso <drousso@apple.com> Web Inspector: Debugger: Step Over should only step through comma expressions if they are comma statements https://bugs.webkit.org/show_bug.cgi?id=210588 Reviewed by Brian Burg. * parser/Nodes.h: (JSC::ExpressionNode::isStatement const): Added. (JSC::ExpressionNode::setIsStatement): Added. * parser/NodeConstructors.h: (JSC::ExprStatementNode::ExprStatementNode): (JSC::DeclarationStatement::DeclarationStatement): (JSC::ReturnNode::ReturnNode): (JSC::ThrowNode::ThrowNode): * bytecompiler/NodesCodegen.cpp: (JSC::CommaNode::emitBytecode): Only emit `WillExecuteStatement` debug hooks inside `CommaNode` if it's the only child of a statement parent node (e.g. `a(), b(), c()` vs `true && (a(), b(), c()) && true`). * parser/Parser.h: * parser/Parser.cpp: (JSC::Parser<LexerType>::parseReturnStatement): (JSC::Parser<LexerType>::parseThrowStatement): (JSC::Parser<LexerType>::parseExpressionOrLabelStatement): (JSC::Parser<LexerType>::parseExpressionStatement): (JSC::Parser<LexerType>::parseExpression): Only record a pause location for each sub-expression in a comma separated expression if it's the only child of a statement (e.g. `a(), b(), c()` vs `true && (a(), b(), c()) && true`). 2020-04-22 Saam Barati <sbarati@apple.com> ValueBitNot is wrong in FTL with AnyBigIntUse https://bugs.webkit.org/show_bug.cgi?id=210846 Reviewed by Yusuke Suzuki. We forgot to speculate. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot): 2020-04-22 Yusuke Suzuki <ysuzuki@apple.com> [JSC] AI results of BigInt32 Bitwise shift operation does not match to runtime results https://bugs.webkit.org/show_bug.cgi?id=210839 Reviewed by Saam Barati. While runtime function of bitwise ops with BigInt32 sometimes returns HeapBigInt, DFG AI is setting SpecBigInt32 as a result value. This leads to miscompilation particularly in FTL since FTL uses this information to remove a lot of branches. And we found that FTL BigInt32 predicate is not correctly checking state. This patch fixes it too. Added test case found this (v8-bigint32-sar.js). * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift): (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric): (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): (JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt): (JSC::FTL::DFG::LowerDFGToB3::boolify): (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): (JSC::FTL::DFG::LowerDFGToB3::lowBigInt32): (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotCell): (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotNumber): (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32KnownNotNumber): (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigIntKnownNotNumber): (JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigIntUnknownWhetherCell): (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32): (JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt): (JSC::FTL::DFG::LowerDFGToB3::isBigInt32): Deleted. (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32): Deleted. (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt): Deleted. 2020-04-21 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, build fix for watchOS https://bugs.webkit.org/show_bug.cgi?id=210832 If function is not defined, static declaration should not be declared, otherwise, unused-function-error happens. * jsc.cpp: 2020-04-21 Yusuke Suzuki <ysuzuki@apple.com> Unreviewd, speculative Windows build fix part 2 https://bugs.webkit.org/show_bug.cgi?id=210834 * runtime/Options.cpp: (JSC::strncasecmp): 2020-04-21 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, fix windows build failure https://bugs.webkit.org/show_bug.cgi?id=210834 * runtime/Options.cpp: (JSC::strncasecmp): 2020-04-21 Yusuke Suzuki <ysuzuki@apple.com> [JSC] SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq should expect AnyBigIntUse https://bugs.webkit.org/show_bug.cgi?id=210832 Reviewed by Mark Lam. SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq will get AnyBigIntUse now. We should use ManualOperandSpeculation and speculate function to perform speculation check. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): * jsc.cpp: (functionCreateHeapBigInt): (functionCreateBigInt32): * runtime/BigIntConstructor.cpp: (JSC::toBigInt): (JSC::callBigIntConstructor): * runtime/BigIntConstructor.h: * runtime/JSBigInt.h: 2020-04-21 Yusuke Suzuki <ysuzuki@apple.com> Canonicalize JSBigInt generated by structured-cloning by calling rightTrim https://bugs.webkit.org/show_bug.cgi?id=210816 Reviewed by Keith Miller and Darin Adler. * runtime/JSBigInt.h: 2020-04-21 Peng Liu <peng.liu6@apple.com> Fix MACCATALYST build failures https://bugs.webkit.org/show_bug.cgi?id=210815 Reviewed by Tim Horton. * Configurations/FeatureDefines.xcconfig: 2020-04-21 Keith Miller <keith_miller@apple.com> JSC's options should be case insensitive https://bugs.webkit.org/show_bug.cgi?id=210834 Reviewed by Yusuke Suzuki. * runtime/Options.cpp: (JSC::Options::setOptionWithoutAlias): (JSC::Options::setAliasedOption): * runtime/OptionsList.h: 2020-04-21 Alexey Shvayka <shvaikalesh@gmail.com> constructObjectFromPropertyDescriptor() is incorrect with partial descriptors https://bugs.webkit.org/show_bug.cgi?id=184629 Reviewed by Ross Kirsling. Before this change, constructObjectFromPropertyDescriptor() serialized a value-only descriptor with nullish m_seenAttributes to {value, writable: false, enumerable: false, configurable: false} instead of just {value}. This was observable when ordinarySetSlow() was called on a Proxy `receiver` with "defineProperty" trap. This patch makes constructObjectFromPropertyDescriptor() 1:1 with the spec [2], aligning JSC with V8 and SpiderMonkey, and also cleans up its call sites from handling exceptions and `undefined` value returns. [1]: https://tc39.es/ecma262/#sec-ordinarysetwithowndescriptor (step 3.d.iv) [2]: https://tc39.es/ecma262/#sec-frompropertydescriptor * runtime/ObjectConstructor.cpp: (JSC::objectConstructorGetOwnPropertyDescriptor): (JSC::objectConstructorGetOwnPropertyDescriptors): * runtime/ObjectConstructor.h: (JSC::constructObjectFromPropertyDescriptor): * runtime/ProxyObject.cpp: (JSC::ProxyObject::performDefineOwnProperty): 2020-04-20 Yusuke Suzuki <ysuzuki@apple.com> Check Structure attributes in Object.assign exhaustively https://bugs.webkit.org/show_bug.cgi?id=210782 <rdar://problem/62065853> Reviewed by Mark Lam. * runtime/ObjectConstructor.cpp: (JSC::objectConstructorAssign): 2020-04-21 Adrian Perez de Castro <aperez@igalia.com> Non-unified build fixes late February 2020 edition https://bugs.webkit.org/show_bug.cgi?id=210767 Unreviewed build fix. * dfg/DFGValueRepReductionPhase.cpp: Add missing JSCJSValueInlines.h header. * jit/JITCall.cpp: Add missing SlowPathCall.h header. * runtime/AggregateError.cpp: Add missing JSCJSValueInlines.h, JSCellInlines.h, and JSGlobalObjectInlines.h headers. * runtime/AggregateErrorConstructor.cpp: Added missing JSCJSValueInlines.h, JSCellInlines.h, and VMInlines.h headers. * runtime/AggregateErrorPrototype.cpp: Added missing AggregateError.h, IdentifierInlines.h, JSCJSValueInlines.h, JSCellInlines.h, JSGlobalObjectInlines.h, and VMInlines.h headers. * runtime/Intrinsic.h: Added missing wtf/Optional.h header. 2020-04-20 Ross Kirsling <ross.kirsling@sony.com> Classes marked final should not use protected access specifier https://bugs.webkit.org/show_bug.cgi?id=210775 Reviewed by Daniel Bates. * API/JSAPIValueWrapper.h: * API/JSCallbackConstructor.h: * API/JSCallbackObject.h: * b3/B3ExtractValue.h: * bytecode/UnlinkedFunctionExecutable.h: * inspector/JSGlobalObjectConsoleClient.h: * inspector/JSInjectedScriptHost.h: * inspector/JSJavaScriptCallFrame.h: * jsc.cpp: * runtime/AggregateError.h: * runtime/AggregateErrorPrototype.h: * runtime/ArrayConstructor.h: * runtime/ArrayPrototype.h: * runtime/AsyncFunctionPrototype.h: * runtime/AsyncGeneratorFunctionPrototype.h: * runtime/AtomicsObject.h: * runtime/BigIntConstructor.h: * runtime/BigIntObject.h: * runtime/BigIntPrototype.h: * runtime/BooleanConstructor.h: * runtime/BooleanPrototype.h: * runtime/ConsoleObject.h: * runtime/DateConstructor.h: * runtime/DatePrototype.h: * runtime/ErrorConstructor.h: * runtime/ErrorPrototype.h: * runtime/FileBasedFuzzerAgent.h: * runtime/FunctionPrototype.h: * runtime/FunctionRareData.h: * runtime/GeneratorFunctionPrototype.h: * runtime/GenericTypedArrayView.h: * runtime/InspectorInstrumentationObject.h: * runtime/IntlCollator.h: * runtime/IntlCollatorConstructor.h: * runtime/IntlCollatorPrototype.h: * runtime/IntlDateTimeFormat.h: * runtime/IntlDateTimeFormatConstructor.h: * runtime/IntlDateTimeFormatPrototype.h: * runtime/IntlNumberFormat.h: * runtime/IntlNumberFormatConstructor.h: * runtime/IntlNumberFormatPrototype.h: * runtime/IntlPluralRules.h: * runtime/IntlPluralRulesConstructor.h: * runtime/IntlPluralRulesPrototype.h: * runtime/IntlRelativeTimeFormatConstructor.h: * runtime/IntlRelativeTimeFormatPrototype.h: * runtime/JSArrayBuffer.h: * runtime/JSArrayBufferConstructor.h: * runtime/JSArrayBufferPrototype.h: * runtime/JSAsyncGenerator.h: * runtime/JSBoundFunction.h: * runtime/JSCustomGetterSetterFunction.h: * runtime/JSDataView.h: * runtime/JSDataViewPrototype.h: * runtime/JSGenerator.h: * runtime/JSGenericTypedArrayView.h: * runtime/JSGenericTypedArrayViewConstructor.h: * runtime/JSGenericTypedArrayViewPrototype.h: * runtime/JSGlobalLexicalEnvironment.h: * runtime/JSModuleLoader.h: * runtime/JSModuleNamespaceObject.h: * runtime/JSNativeStdFunction.h: * runtime/JSONObject.h: * runtime/JSObject.h: * runtime/JSTemplateObjectDescriptor.h: * runtime/JSTypedArrayViewConstructor.h: * runtime/JSTypedArrayViewPrototype.h: * runtime/MathObject.h: * runtime/NativeExecutable.h: * runtime/NumberConstructor.h: * runtime/NumberPrototype.h: * runtime/ObjectConstructor.h: * runtime/ObjectPrototype.h: * runtime/PredictionFileCreatingFuzzerAgent.h: * runtime/ReflectObject.h: * runtime/RegExp.h: * runtime/RegExpConstructor.h: * runtime/RegExpObject.h: * runtime/RegExpPrototype.h: * runtime/StringPrototype.h: * runtime/Structure.h: * runtime/Symbol.h: * runtime/SymbolConstructor.h: * runtime/SymbolObject.h: * runtime/SymbolPrototype.h: * runtime/VMTraps.cpp: * testRegExp.cpp: * wasm/WasmBBQPlan.h: * wasm/WasmLLIntPlan.h: * wasm/WasmWorklist.cpp: * wasm/js/JSWebAssembly.h: * wasm/js/JSWebAssemblyCompileError.h: * wasm/js/JSWebAssemblyInstance.h: * wasm/js/JSWebAssemblyLinkError.h: * wasm/js/JSWebAssemblyRuntimeError.h: * wasm/js/WebAssemblyCompileErrorConstructor.h: * wasm/js/WebAssemblyCompileErrorPrototype.h: * wasm/js/WebAssemblyGlobalConstructor.h: * wasm/js/WebAssemblyGlobalPrototype.h: * wasm/js/WebAssemblyInstanceConstructor.h: * wasm/js/WebAssemblyInstancePrototype.h: * wasm/js/WebAssemblyLinkErrorConstructor.h: * wasm/js/WebAssemblyLinkErrorPrototype.h: * wasm/js/WebAssemblyMemoryConstructor.h: * wasm/js/WebAssemblyMemoryPrototype.h: * wasm/js/WebAssemblyModuleConstructor.h: * wasm/js/WebAssemblyModulePrototype.h: * wasm/js/WebAssemblyRuntimeErrorConstructor.h: * wasm/js/WebAssemblyRuntimeErrorPrototype.h: * wasm/js/WebAssemblyTableConstructor.h: * wasm/js/WebAssemblyTablePrototype.h: * wasm/js/WebAssemblyWrapperFunction.h: 2020-04-20 Peng Liu <peng.liu6@apple.com> Fix build failures when video fullscreen and picture-in-picture is disabled https://bugs.webkit.org/show_bug.cgi?id=210777 Reviewed by Eric Carlson. * Configurations/FeatureDefines.xcconfig: 2020-04-20 Ross Kirsling <ross.kirsling@sony.com> Intl classes shouldn't need an m_initialized* field https://bugs.webkit.org/show_bug.cgi?id=210764 Reviewed by Darin Adler. Existing Intl classes each have a field like m_initializedNumberFormat, but this is unnecessary on two levels: 1. The thing that gets initialized is a unique pointer to an ICU struct, so we can check it directly. 2. Everywhere we're checking this is redundant since we've already done the same check on the prototype side, therefore we can just ASSERT before using said ICU struct. While we're at it, clean up other stuff like: - Move stuff that doesn't need to be part of the class to the CPP file (e.g. UFieldPositionIteratorDeleter). - Merge createCollator into initializeCollator (seems like this is probably the oldest code in this space). * runtime/IntlCollator.cpp: (JSC::IntlCollator::initializeCollator): (JSC::IntlCollator::compareStrings): (JSC::IntlCollator::resolvedOptions): (JSC::IntlCollator::createCollator): Deleted. * runtime/IntlCollator.h: * runtime/IntlDateTimeFormat.cpp: (JSC::UFieldPositionIteratorDeleter::operator() const): (JSC::IntlDateTimeFormat::initializeDateTimeFormat): (JSC::IntlDateTimeFormat::resolvedOptions): (JSC::IntlDateTimeFormat::format): (JSC::partTypeString): (JSC::IntlDateTimeFormat::formatToParts): (JSC::IntlDateTimeFormat::UFieldPositionIteratorDeleter::operator() const): Deleted. (JSC::IntlDateTimeFormat::partTypeString): Deleted. * runtime/IntlDateTimeFormat.h: * runtime/IntlNumberFormat.cpp: (JSC::UFieldPositionIteratorDeleter::operator() const): (JSC::IntlNumberFormatField::IntlNumberFormatField): (JSC::IntlNumberFormat::initializeNumberFormat): (JSC::IntlNumberFormat::format): (JSC::IntlNumberFormat::resolvedOptions): (JSC::partTypeString): (JSC::IntlNumberFormat::formatToParts): (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const): Deleted. (JSC::IntlNumberFormat::partTypeString): Deleted. * runtime/IntlNumberFormat.h: * runtime/IntlPluralRules.cpp: (JSC::localeData): (JSC::IntlPluralRules::initializePluralRules): (JSC::IntlPluralRules::resolvedOptions): (JSC::IntlPluralRules::select): (JSC::IntlPRInternal::localeData): Deleted. * runtime/IntlPluralRules.h: 2020-04-20 Keith Miller <keith_miller@apple.com> FTL doesn't observe the use kind of CheckIsConstant's child1 https://bugs.webkit.org/show_bug.cgi?id=210763 Reviewed by Yusuke Suzuki. Somehow, this didn't get added when I changed CheckIsConstant and didn't show up when I tested r260377 because I tested in release. Fortunately, the produced DFG IR will be the same. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCheckIsConstant): 2020-04-20 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Skip test262 for non-safe-integer range BigIntConstructor https://bugs.webkit.org/show_bug.cgi?id=210749 Reviewed by Keith Miller. * runtime/BigIntConstructor.cpp: (JSC::callBigIntConstructor): 2020-04-20 Keith Miller <keith_miller@apple.com> Fix CheckIsConstant for non-constant values and checking for empty https://bugs.webkit.org/show_bug.cgi?id=210752 Reviewed by Saam Barati. We need to make sure that we only have one speculated type if our value is empty. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 2020-04-20 Darin Adler <darin@apple.com> Use #import instead of #include in Objective-C and don't use #pragma once https://bugs.webkit.org/show_bug.cgi?id=210724 Reviewed by David Kilzer. * API/JSAPIWrapperObject.mm: * API/JSContext.h: * API/JSContext.mm: * API/JSScriptInternal.h: * API/JSValue.mm: * API/JSVirtualMachine.mm: * API/JSVirtualMachinePrivate.h: * API/JSWrapperMap.mm: * API/ObjCCallbackFunction.mm: * API/tests/CurrentThisInsideBlockGetterTest.mm: More #import, less #pragma once. 2020-04-20 Yusuke Suzuki <ysuzuki@apple.com> StructuredClone algorithm should be aware of BigInt https://bugs.webkit.org/show_bug.cgi?id=210728 Reviewed by Mark Lam. * CMakeLists.txt: * runtime/BigIntObject.h: * runtime/JSBigInt.cpp: (JSC::JSBigInt::digit): Deleted. (JSC::JSBigInt::setDigit): Deleted. * runtime/JSBigInt.h: (JSC::JSBigInt::digit): (JSC::JSBigInt::setDigit): 2020-04-19 Ross Kirsling <ross.kirsling@sony.com> [ECMA-402] Intl.RelativeTimeFormat missing in WebKit https://bugs.webkit.org/show_bug.cgi?id=209770 Reviewed by Darin Adler. This patch implements the recent ECMA-402 feature Intl.RelativeTimeFormat. RelativeTimeFormat has format / formatToParts functions like NumberFormat / DateTimeFormat and is used to turn a number and unit into a formatted relative time string, e.g.: new Intl.RelativeTimeFormat('en').format(10, 'day') > 'in 10 days' new Intl.RelativeTimeFormat('en', { numeric: 'auto' }).format(0, 'day') > 'today' Implementation of RelativeTimeFormat#formatToParts makes direct use of NumberFormat#formatToParts, as the relative time string consists of at most one formatted number with optional literal text on either side. This feature is runtime-guarded by the `useIntlRelativeTimeFormat` option. * CMakeLists.txt: * DerivedSources-input.xcfilelist: * DerivedSources-output.xcfilelist: * DerivedSources.make: * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * runtime/CommonIdentifiers.h: * runtime/IntlRelativeTimeFormat.cpp: Added. * runtime/IntlRelativeTimeFormat.h: Added. * runtime/IntlRelativeTimeFormatConstructor.cpp: Added. * runtime/IntlRelativeTimeFormatConstructor.h: Added. * runtime/IntlRelativeTimeFormatPrototype.cpp: Added. * runtime/IntlRelativeTimeFormatPrototype.h: Added. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::relativeTimeFormatStructure): * runtime/OptionsList.h: * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: Add feature and runtime option. * runtime/IntlDateTimeFormat.cpp: (JSC::IntlDateTimeFormat::formatToParts): * runtime/IntlPluralRules.cpp: (JSC::IntlPluralRules::initializePluralRules): (JSC::IntlPluralRules::resolvedOptions): Make "type" a property name. * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::initializeNumberFormat): (JSC::IntlNumberFormat::resolvedOptions): (JSC::IntlNumberFormat::formatToPartsInternal): (JSC::IntlNumberFormat::formatToParts): * runtime/IntlNumberFormat.h: Factor out formatToPartsInternal so that RelativeTimeFormat can use it with its own UNumberFormat. (This logic is too complicated to duplicate; it's because ICU won't split, e.g., "10,000" into parts for us.) * runtime/IntlObject.cpp: (JSC::IntlObject::IntlObject): (JSC::IntlObject::create): (JSC::IntlObject::finishCreation): (JSC::intlAvailableLocales): (JSC::intlCollatorAvailableLocales): (JSC::isUnicodeLocaleIdentifierType): (JSC::supportedLocales): (JSC::intlDateTimeFormatAvailableLocales): Deleted. (JSC::intlNumberFormatAvailableLocales): Deleted. * runtime/IntlObject.h: (JSC::intlDateTimeFormatAvailableLocales): (JSC::intlNumberFormatAvailableLocales): (JSC::intlPluralRulesAvailableLocales): (JSC::intlRelativeTimeFormatAvailableLocales): Perform three corrections for Intl classes: 1. Collator should be the only class with unique "available locales". [unum|udat]_getAvailable exist but they've deferred to uloc_getAvailable for 20 years. 2. isUnicodeLocaleIdentifierType isn't just `alphanum{3,8}` but rather `alphanum{3,8} (sep alphanum{3,8})*`. This is my own mistake from r239941. 3. supportedLocalesOf entries should not be frozen. Changed in https://github.com/tc39/ecma402/pull/278. * tools/JSDollarVM.cpp: (JSC::functionICUVersion): (JSC::JSDollarVM::finishCreation): Add $vm.icuVersion so that we can add per-line skips to stress tests. 2020-04-19 Yusuke Suzuki <ysuzuki@apple.com> [JSC] SlowPathCall is not supported by callOperation in Windows https://bugs.webkit.org/show_bug.cgi?id=210727 Reviewed by Ross Kirsling. In Windows, SlowPathCall should be handled by JITSlowPathCall, otherwise, stack is not correctly allocated. * jit/JITCall.cpp: (JSC::JIT::emit_op_iterator_open): (JSC::JIT::emit_op_iterator_next): * jit/SlowPathCall.h: (JSC::JITSlowPathCall::call): 2020-04-19 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Enable BigInt https://bugs.webkit.org/show_bug.cgi?id=210726 Reviewed by Mark Lam. * runtime/OptionsList.h: 2020-04-19 Yusuke Suzuki <ysuzuki@apple.com> [JSC] LLInt slow path call should not have third argument https://bugs.webkit.org/show_bug.cgi?id=210721 Reviewed by Mark Lam. LLInt callSlowPath does not work with third argument in Windows, CLoop etc. LLInt slow-path should not take third argument, instead, use `bytecode.metadata(...)` to get metadata. * jit/JITCall.cpp: (JSC::JIT::emit_op_iterator_open): (JSC::JIT::emit_op_iterator_next): * llint/LowLevelInterpreter64.asm: * runtime/CommonSlowPaths.cpp: (JSC::iterator_open_try_fast): (JSC::SLOW_PATH_DECL): (JSC::iterator_next_try_fast): (JSC::iterator_open_try_fast_narrow): Deleted. (JSC::iterator_open_try_fast_wide16): Deleted. (JSC::iterator_open_try_fast_wide32): Deleted. (JSC::iterator_next_try_fast_narrow): Deleted. (JSC::iterator_next_try_fast_wide16): Deleted. (JSC::iterator_next_try_fast_wide32): Deleted. * runtime/CommonSlowPaths.h: 2020-04-19 Mark Lam <mark.lam@apple.com> Fix missing exception checks and handling in JSC APIs. https://bugs.webkit.org/show_bug.cgi?id=210715 <rdar://problem/61599658> Reviewed by Saam Barati. * API/APICallbackFunction.h: (JSC::APICallbackFunction::call): - We should return early if an exception was thrown. We should not be using the result in any way since we cannot rely on it having any sane value. (JSC::APICallbackFunction::construct): - For consistency, also return an undefined here when an exception was thrown. * API/JSCallbackObjectFunctions.h: (JSC::JSCallbackObject<Parent>::construct): (JSC::JSCallbackObject<Parent>::call): - Return an undefined if an exception was thrown. Don't return the potentially garbage result value. Who knows what the client code will do with it. Returning an undefined here makes the code more robust. * API/JSObjectRef.cpp: (JSObjectGetProperty): (JSObjectHasPropertyForKey): (JSObjectGetPropertyForKey): (JSObjectDeletePropertyForKey): (JSObjectGetPropertyAtIndex): (JSObjectDeleteProperty): - Explicitly return a nullptr if an exception was thrown. The toRef() on the result that follows the exception check may or may not return a nullptr (also see toRef(JSC::VM& vm, JSC::JSValue v) for !CPU(ADDRESS64)). * API/JSValueRef.cpp: (JSValueIsEqual): (JSValueIsInstanceOfConstructor): - For consistency, make these return false if an exception is thrown. * API/ObjCCallbackFunction.mm: (JSC::objCCallbackFunctionCallAsFunction): (JSC::objCCallbackFunctionCallAsConstructor): (JSC::ObjCCallbackFunctionImpl::call): - Add some assertions and return early if an exception was thrown. 2020-04-18 Keith Miller <keith_miller@apple.com> Fix CLoop build for iterator opcodes https://bugs.webkit.org/show_bug.cgi?id=210709 Reviewed by Robin Morisset. We need to add a default paramater for the metadata pointer in the CLoop build. Additionally, the helper declarations need to be in the various slow path header files. Lastly we need opcode labels for our new JS call return points. * bytecode/BytecodeList.rb: * llint/LLIntSlowPaths.cpp: * llint/LLIntSlowPaths.h: * runtime/CommonSlowPaths.h: 2020-04-18 Robin Morisset <rmorisset@apple.com> Support an inlined representation in JSValue of small BigInts ("BigInt32") https://bugs.webkit.org/show_bug.cgi?id=206182 Reviewed by Yusuke Suzuki. This patch attempts to optimize the performance of BigInts, when they are small (32 bit or less). It works by inlining them into JSValue on 64-bit platforms, avoiding the allocation of a JSBigInt. The bit pattern we use is 0000:XXXX:XXXX:0012 This representation works because of the following things: - It cannot be confused with a Double or Integer thanks to the top bits - It cannot be confused with a pointer to a Cell, thanks to bit 1 which is set to true - It cannot be confused with a pointer to wasm thanks to bit 0 which is set to false - It cannot be confused with true/false because bit 2 is set to false - It cannot be confused for null/undefined because bit 4 is set to true This entire change is gated by USE(BIGINT32), to make it easier to disable if it turns out to have bugs. It should also make it much easier to verify if a given bug comes from it or from something else. Note that in this patch we create BigInt32s when parsing small BigInt constants, and most operations (e.g. Add or BitOr) produce a BigInt32 if both of their operands are BigInt32, but we don't produce a BigInt32 from for example the substraction/division of two large heap-allocated JSBigInts, even if the result fits in 32-bits. As a result, small BigInts can now either be heap-allocated or inlined in the JSValue. This patch includes a significant refactor of various slow paths, which are now grouped together in Operations.h Because this increased the size of Operations.h significantly, I split the parts of Operations.h which are only used by the GC into Scribble.h, to avoid bloating compile times. In the DFG and FTL we now have 3 UseKinds for BigInts: HeapBigIntUse, BigInt32Use and AnyBigIntUse. The latter is useful when we know that we are receiving BigInts, but speculation indicates a mix of heap-allocated and small (inlined) big-ints. Unfortunately, a naive implementation of this patch significantly regresses the performance of StrictEq (and its variants), as it is no longer true that a cell and a non-cell cannot be equal. Before this patch, the code was jumping to a slow path if either: - at least one operand is a double - or both operands are cells Now, it also needs to jump to the slow path if at least one is a cell. To recover this performance cost, I significantly rewrote this code, from if (left is Cell && right is Cell) { if (left == right) return true; goto slowPath; } if (! left is Int32) { if (left is Number) goto slowPath } if (! right is Int32) { if (right is Number) goto slowPath } return left == right To the following: if (left is Double || right is Double) goto slowPath if (left == right) return true; if (left is Cell || right is Cell) goto slowPath return false; I believe this to be faster than just replacing (left is Cell && right is Cell) by an ||, because I found a bit-trick to check (left is Double || right is Double) which should help reduce the pressure on the branch predictor. Early JetStream2 tests appear to confirm that this patch is roughly neutral while it was a 0.5% regression before I used this trick, but the numbers are still too noisy, I plan to do more measurements before landing this patch. I don't yet have performance numbers for this patch on a BigInt benchmark, I will get such numbers before trying to land it, but I'd like some review in the meantime. * JavaScriptCore.xcodeproj/project.pbxproj: * assembler/X86Assembler.h: (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM): * bytecode/ArithProfile.cpp: (JSC::ArithProfile<BitfieldType>::emitObserveResult): (JSC::ArithProfile<BitfieldType>::shouldEmitSetBigInt32 const): (JSC::ArithProfile<BitfieldType>::shouldEmitSetHeapBigInt const): (JSC::ArithProfile<BitfieldType>::emitSetHeapBigInt const): (JSC::ArithProfile<BitfieldType>::emitSetBigInt32 const): (WTF::printInternal): * bytecode/ArithProfile.h: (JSC::ObservedResults::didObserveNonInt32): (JSC::ObservedResults::didObserveBigInt): (JSC::ObservedResults::didObserveHeapBigInt): (JSC::ObservedResults::didObserveBigInt32): (JSC::ArithProfile::didObserveHeapBigInt const): (JSC::ArithProfile::didObserveBigInt32 const): (JSC::ArithProfile::setObservedHeapBigInt): (JSC::ArithProfile::setObservedBigInt32): (JSC::ArithProfile::observeResult): * bytecode/BytecodeList.rb: * bytecode/BytecodeLivenessAnalysisInlines.h: * bytecode/BytecodeUseDef.cpp: (JSC::computeUsesForBytecodeIndexImpl): (JSC::computeDefsForBytecodeIndexImpl): * bytecode/CodeBlock.cpp: * bytecode/DataFormat.h: * bytecode/MethodOfGettingAValueProfile.cpp: (JSC::MethodOfGettingAValueProfile::emitReportValue const): * bytecode/MethodOfGettingAValueProfile.h: * bytecode/SpeculatedType.cpp: (JSC::dumpSpeculation): (JSC::speculationFromClassInfo): (JSC::speculationFromStructure): (JSC::speculationFromValue): (JSC::speculationFromJSType): (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations): * bytecode/SpeculatedType.h: (JSC::isBigInt32Speculation): (JSC::isHeapBigIntSpeculation): (JSC::isBigIntSpeculation): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitEqualityOpImpl): (JSC::BytecodeGenerator::addBigIntConstant): * bytecompiler/BytecodeGenerator.h: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::isToThisAnIdentity): (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixupToThis): (JSC::DFG::FixupPhase::fixupToNumeric): (JSC::DFG::FixupPhase::observeUseKindOnNode): (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue): * dfg/DFGMayExit.cpp: * dfg/DFGNode.h: (JSC::DFG::Node::shouldSpeculateBigInt32): (JSC::DFG::Node::shouldSpeculateHeapBigInt): * dfg/DFGNodeType.h: * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::compileExit): * dfg/DFGOSRExit.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::SafeToExecuteEdge::operator()): (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): (JSC::DFG::SpeculativeJIT::compileValueBitNot): (JSC::DFG::SpeculativeJIT::emitUntypedOrAnyBigIntBitOp): (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp): (JSC::DFG::SpeculativeJIT::emitUntypedOrBigIntRightShiftBitOp): (JSC::DFG::SpeculativeJIT::compileValueLShiftOp): (JSC::DFG::SpeculativeJIT::compileValueBitRShift): (JSC::DFG::SpeculativeJIT::compileShiftOp): (JSC::DFG::SpeculativeJIT::compileValueAdd): (JSC::DFG::SpeculativeJIT::compileValueSub): (JSC::DFG::SpeculativeJIT::compileIncOrDec): (JSC::DFG::SpeculativeJIT::compileValueNegate): (JSC::DFG::SpeculativeJIT::compileValueMul): (JSC::DFG::SpeculativeJIT::compileValueDiv): (JSC::DFG::SpeculativeJIT::compileValueMod): (JSC::DFG::SpeculativeJIT::compileValuePow): (JSC::DFG::SpeculativeJIT::compare): (JSC::DFG::SpeculativeJIT::compileStrictEq): (JSC::DFG::SpeculativeJIT::speculateHeapBigInt): (JSC::DFG::SpeculativeJIT::speculate): (JSC::DFG::SpeculativeJIT::compileToNumeric): (JSC::DFG::SpeculativeJIT::compileHeapBigIntEquality): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculateBigInt32Operand::SpeculateBigInt32Operand): (JSC::DFG::SpeculateBigInt32Operand::~SpeculateBigInt32Operand): (JSC::DFG::SpeculateBigInt32Operand::edge const): (JSC::DFG::SpeculateBigInt32Operand::node const): (JSC::DFG::SpeculateBigInt32Operand::gpr): (JSC::DFG::SpeculateBigInt32Operand::use): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::speculateBigInt32): (JSC::DFG::SpeculativeJIT::speculateAnyBigInt): (JSC::DFG::SpeculativeJIT::fillSpeculateBigInt32): (JSC::DFG::SpeculativeJIT::compileBigInt32Compare): (JSC::DFG::SpeculativeJIT::compilePeepHoleBigInt32Branch): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGStrengthReductionPhase.cpp: (JSC::DFG::StrengthReductionPhase::handleNode): * dfg/DFGUseKind.cpp: (WTF::printInternal): * dfg/DFGUseKind.h: (JSC::DFG::typeFilterFor): (JSC::DFG::isCell): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLCommonValues.cpp: (JSC::FTL::CommonValues::initializeConstants): * ftl/FTLCommonValues.h: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv): (JSC::FTL::DFG::LowerDFGToB3::compileValueMod): (JSC::FTL::DFG::LowerDFGToB3::compileValuePow): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift): (JSC::FTL::DFG::LowerDFGToB3::compileArithBitRShift): (JSC::FTL::DFG::LowerDFGToB3::compileArithBitLShift): (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): (JSC::FTL::DFG::LowerDFGToB3::compileBitURShift): (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric): (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq): (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): (JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt): (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet): (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet): (JSC::FTL::DFG::LowerDFGToB3::boolify): (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): (JSC::FTL::DFG::LowerDFGToB3::lowHeapBigInt): (JSC::FTL::DFG::LowerDFGToB3::lowBigInt32): (JSC::FTL::DFG::LowerDFGToB3::isBigInt32): (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32): (JSC::FTL::DFG::LowerDFGToB3::unboxBigInt32): (JSC::FTL::DFG::LowerDFGToB3::boxBigInt32): (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt): (JSC::FTL::DFG::LowerDFGToB3::speculate): (JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigIntUnknownWhetherCell): (JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigInt): (JSC::FTL::DFG::LowerDFGToB3::isHeapBigInt): (JSC::FTL::DFG::LowerDFGToB3::speculateHeapBigInt): (JSC::FTL::DFG::LowerDFGToB3::speculateHeapBigIntUnknownWhetherCell): (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32): (JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): * heap/HeapSnapshotBuilder.cpp: (JSC::HeapSnapshotBuilder::json): * heap/MarkedBlockInlines.h: * heap/PreciseAllocation.cpp: * inspector/agents/InspectorHeapAgent.cpp: (Inspector::InspectorHeapAgent::getPreview): * interpreter/Interpreter.cpp: (JSC::sizeOfVarargs): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitConvertValueToBoolean): (JSC::AssemblyHelpers::branchIfValue): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::branchIfBigInt32): (JSC::AssemblyHelpers::branchIfBigInt32KnownNotNumber): (JSC::AssemblyHelpers::branchIfNotBigInt32KnownNotNumber): (JSC::AssemblyHelpers::branchIfHeapBigInt): (JSC::AssemblyHelpers::branchIfNotHeapBigInt): (JSC::AssemblyHelpers::unboxBigInt32): (JSC::AssemblyHelpers::boxBigInt32): (JSC::AssemblyHelpers::emitTypeOf): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): * jit/JIT.h: * jit/JITArithmetic.cpp: (JSC::JIT::emit_op_negate): (JSC::JIT::emitSlow_op_negate): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_is_big_int): (JSC::JIT::compileOpStrictEq): (JSC::JIT::compileOpStrictEqJump): (JSC::JIT::emit_op_to_numeric): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_is_big_int): (JSC::JIT::emit_op_to_numeric): * jit/JITOperations.cpp: * jit/JITOperations.h: * llint/LLIntOfflineAsmConfig.h: * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter64.asm: * parser/ParserArena.cpp: (JSC::IdentifierArena::makeBigIntDecimalIdentifier): * runtime/ArrayPrototype.cpp: * runtime/BigIntConstructor.cpp: (JSC::toBigInt): (JSC::callBigIntConstructor): * runtime/BigIntObject.cpp: (JSC::BigIntObject::create): (JSC::BigIntObject::finishCreation): * runtime/BigIntObject.h: * runtime/BigIntPrototype.cpp: (JSC::toThisBigIntValue): (JSC::bigIntProtoFuncToStringImpl): * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): (JSC::updateArithProfileForUnaryArithOp): (JSC::updateArithProfileForBinaryArithOp): * runtime/JSBigInt.cpp: (JSC::JSBigInt::createStructure): (JSC::JSBigInt::parseInt): (JSC::JSBigInt::stringToBigInt): (JSC::JSBigInt::inc): (JSC::JSBigInt::dec): (JSC::JSBigInt::bitwiseAnd): (JSC::JSBigInt::toStringGeneric): (JSC::JSBigInt::equalsToNumber): (JSC::JSBigInt::equalsToInt32): * runtime/JSBigInt.h: (JSC::asHeapBigInt): * runtime/JSCJSValue.cpp: (JSC::JSValue::toNumberSlowCase const): (JSC::JSValue::toObjectSlowCase const): (JSC::JSValue::toThisSlowCase const): (JSC::JSValue::synthesizePrototype const): (JSC::JSValue::dumpInContextAssumingStructure const): (JSC::JSValue::dumpForBacktrace const): (JSC::JSValue::toStringSlowCase const): * runtime/JSCJSValue.h: * runtime/JSCJSValueInlines.h: (JSC::JSValue::JSValue): (JSC::JSValue::asHeapBigInt const): (JSC::JSValue::isBigInt const): (JSC::JSValue::isHeapBigInt const): (JSC::JSValue::isBigInt32 const): (JSC::JSValue::bigInt32AsInt32 const): (JSC::JSValue::isPrimitive const): (JSC::JSValue::getPrimitiveNumber): (JSC::JSValue::toNumeric const): (JSC::JSValue::toBigIntOrInt32 const): (JSC::JSValue::equalSlowCaseInline): (JSC::JSValue::strictEqualForCells): (JSC::JSValue::strictEqual): (JSC::JSValue::pureStrictEqual): (JSC::JSValue::pureToBoolean const): * runtime/JSCell.cpp: (JSC::JSCell::put): (JSC::JSCell::putByIndex): (JSC::JSCell::toPrimitive const): (JSC::JSCell::getPrimitiveNumber const): (JSC::JSCell::toNumber const): (JSC::JSCell::toObjectSlow const): * runtime/JSCell.h: * runtime/JSCellInlines.h: (JSC::JSCell::isHeapBigInt const): (JSC::JSCell::toBoolean const): (JSC::JSCell::pureToBoolean const): * runtime/JSString.h: (JSC::JSValue::toBoolean const): * runtime/JSType.cpp: (WTF::printInternal): * runtime/JSType.h: * runtime/JSTypeInfo.h: * runtime/ObjectInitializationScope.cpp: * runtime/Operations.cpp: (JSC::jsAddSlowCase): (JSC::jsIsObjectTypeOrNull): * runtime/Operations.h: (JSC::compareBigIntToOtherPrimitive): (JSC::bigIntCompare): (JSC::jsLess): (JSC::jsLessEq): (JSC::arithmeticBinaryOp): (JSC::jsSub): (JSC::jsMul): (JSC::jsDiv): (JSC::jsRemainder): (JSC::jsPow): (JSC::jsInc): (JSC::jsDec): (JSC::jsBitwiseNot): (JSC::shift): (JSC::jsLShift): (JSC::jsRShift): (JSC::bitwiseBinaryOp): (JSC::jsBitwiseAnd): (JSC::jsBitwiseOr): (JSC::jsBitwiseXor): * runtime/Scribble.h: Copied from Source/JavaScriptCore/runtime/BigIntObject.h. (JSC::scribbleFreeCells): (JSC::isScribbledValue): (JSC::scribble): * runtime/StructureInlines.h: (JSC::prototypeForLookupPrimitiveImpl): 2020-04-18 Keith Miller <keith_miller@apple.com> Unreviewed, remove commented out/dead code that didn't failed to get removed when landing r260323. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/CommonSlowPaths.cpp: (JSC::iterator_next_try_fast): 2020-04-18 Keith Miller <keith_miller@apple.com> Redesign how we do for-of iteration for JSArrays https://bugs.webkit.org/show_bug.cgi?id=175454 Reviewed by Filip Pizlo and Saam Barati. This patch intrinsics for-of iteration for JSArrays when they are being iterated with the built-in Symbol.iterator. We do this by adding two new bytecodes op_iterator_open and op_iterator_next. These bytecodes are essentially a fused set of existing bytecodes with a special case for our intrinsiced JSArray case. This patch only adds support for these instructions on 64-bit. The op_iterator_open bytecode is semantically the same as: iterator = symbolIterator.@call(iterable); next = iterator.next; where iterable is the rhs of the for-of and symbolIterator is the result of running iterable.symbolIterator; The op_iterator_next bytecode is semantically the same as: nextResult = next.@call(iterator); done = nextResult.done; value = done ? (undefined / bottom) : nextResult.value; where nextResult is a temporary (the value VirtualRegister in the LLInt/Baseline and a tmp in the DFG). In order to make sure these bytecodes have the same perfomance as the existing bytecode sequence, we need to make sure we have the same profiling data and inline caching. Most of the existing get_by_id code assumed a particular bytecode member name was the same in each flavor get_by_id access. This patch adds template specialized functions that vend the correct Profile/VirtualRegister for the current bytecode/checkpoint. This means we can have meaningful names for our Bytecode structs and still use the generic functions. In the LLInt most of the logic for calls/get_by_id had to be factored into helper macros, so we could have bytecodes that are some combination of those. The trickiest part of this patch was getting the hand rolled DFG IR to work correctly. This is because we don't have a great way to express large chucks of DFG graph that doesn't involve manually tracking all the DFG's invariants. Such as: 1) Flushing/Phantoming values at the end of each block. 2) Rolling forwards and backwards the BytecodeIndex when switching blocks. 3) Remembering to GetLocal each variable at the top of every block. 4) Ensuring that the JSValue stored to the op_iterator_next.m_value local does not cause us to OSR exit at the set local. (4) is handled by a new function, bottomValueMatchingSpeculation, on DFGGraph that produces a FrozenValue that is roughly the bottom for a given speculated type. In a future patch we should make this more complete, probably by adding a VM::bottomCellForSetLocal that prediction propagation and AI know how treat as a true bottom value. See: https://bugs.webkit.org/show_bug.cgi?id=210694 Lastly, this patch changes the DFG NodeType, CheckCell to be CheckIsConstant. CheckIsConstant is equivalent to the == operator on JSValue where it just checks the register values are the same. In order to keep the same perf that we had for CheckCell, CheckIsConstant supports CellUse. * CMakeLists.txt: * JavaScriptCore.xcodeproj/project.pbxproj: * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::or8): (JSC::MacroAssemblerARM64::store8): * assembler/MacroAssemblerX86_64.h: (JSC::MacroAssemblerX86_64::or8): * bytecode/ArrayProfile.h: (JSC::ArrayProfile::observeStructureID): (JSC::ArrayProfile::observeStructure): * bytecode/BytecodeList.rb: * bytecode/BytecodeLivenessAnalysis.cpp: (JSC::tmpLivenessForCheckpoint): * bytecode/BytecodeOperandsForCheckpoint.h: Added. (JSC::arrayProfileForImpl): (JSC::hasArrayProfileFor): (JSC::arrayProfileFor): (JSC::valueProfileForImpl): (JSC::hasValueProfileFor): (JSC::valueProfileFor): (JSC::destinationFor): (JSC::calleeFor): (JSC::argumentCountIncludingThisFor): (JSC::stackOffsetInRegistersForCall): (JSC::callLinkInfoFor): * bytecode/BytecodeUseDef.cpp: (JSC::computeUsesForBytecodeIndexImpl): (JSC::computeDefsForBytecodeIndexImpl): * bytecode/CallLinkInfo.cpp: (JSC::CallLinkInfo::callTypeFor): * bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::computeFromLLInt): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): (JSC::CodeBlock::finalizeLLIntInlineCaches): (JSC::CodeBlock::tryGetValueProfileForBytecodeIndex): * bytecode/CodeBlock.h: (JSC::CodeBlock::instructionAt const): * bytecode/CodeBlockInlines.h: (JSC::CodeBlock::forEachValueProfile): (JSC::CodeBlock::forEachArrayProfile): * bytecode/GetByStatus.cpp: (JSC::GetByStatus::computeFromLLInt): * bytecode/Instruction.h: (JSC::BaseInstruction::width const): (JSC::BaseInstruction::hasCheckpoints const): (JSC::BaseInstruction::asKnownWidth const): (JSC::BaseInstruction::wide16 const): (JSC::BaseInstruction::wide32 const): * bytecode/InstructionStream.h: * bytecode/IterationModeMetadata.h: Copied from Source/JavaScriptCore/bytecode/SuperSampler.h. * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal): (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache): * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: * bytecode/Opcode.h: * bytecode/SpeculatedType.h: (JSC::isSubtypeSpeculation): (JSC::speculationContains): * bytecode/SuperSampler.h: (JSC::SuperSamplerScope::release): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitGenericEnumeration): (JSC::BytecodeGenerator::emitEnumeration): (JSC::BytecodeGenerator::emitIsEmpty): (JSC::BytecodeGenerator::emitIteratorOpen): (JSC::BytecodeGenerator::emitIteratorNext): (JSC::BytecodeGenerator::emitGetGenericIterator): (JSC::BytecodeGenerator::emitIteratorGenericNext): (JSC::BytecodeGenerator::emitIteratorGenericNextWithValue): (JSC::BytecodeGenerator::emitIteratorGenericClose): (JSC::BytecodeGenerator::emitGetAsyncIterator): (JSC::BytecodeGenerator::emitDelegateYield): (JSC::BytecodeGenerator::emitIteratorNextWithValue): Deleted. (JSC::BytecodeGenerator::emitIteratorClose): Deleted. (JSC::BytecodeGenerator::emitGetIterator): Deleted. * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::ArrayPatternNode::bindValue const): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues): * dfg/DFGAtTailAbstractState.h: (JSC::DFG::AtTailAbstractState::size const): (JSC::DFG::AtTailAbstractState::numberOfTmps const): (JSC::DFG::AtTailAbstractState::atIndex): (JSC::DFG::AtTailAbstractState::tmp): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::progressToNextCheckpoint): (JSC::DFG::ByteCodeParser::get): (JSC::DFG::ByteCodeParser::set): (JSC::DFG::ByteCodeParser::jsConstant): (JSC::DFG::ByteCodeParser::weakJSConstant): (JSC::DFG::ByteCodeParser::addCall): (JSC::DFG::ByteCodeParser::allocateUntargetableBlock): (JSC::DFG::ByteCodeParser::handleCall): (JSC::DFG::ByteCodeParser::emitFunctionChecks): (JSC::DFG::ByteCodeParser::inlineCall): (JSC::DFG::ByteCodeParser::handleCallVariant): (JSC::DFG::ByteCodeParser::handleVarargsInlining): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::handleMinMax): (JSC::DFG::ByteCodeParser::handleIntrinsicCall): (JSC::DFG::ByteCodeParser::handleDOMJITCall): (JSC::DFG::ByteCodeParser::handleIntrinsicGetter): (JSC::DFG::ByteCodeParser::handleDOMJITGetter): (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad): (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor): (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): (JSC::DFG::ByteCodeParser::handlePutByVal): (JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject): (JSC::DFG::ByteCodeParser::parse): * dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::keepOperandAlive): (JSC::DFG::CFGSimplificationPhase::jettisonBlock): (JSC::DFG::CFGSimplificationPhase::mergeBlocks): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::addStringReplacePrimordialChecks): * dfg/DFGForAllKills.h: (JSC::DFG::forAllKilledOperands): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::bottomValueMatchingSpeculation): * dfg/DFGGraph.h: * dfg/DFGInPlaceAbstractState.cpp: (JSC::DFG::InPlaceAbstractState::beginBasicBlock): (JSC::DFG::InPlaceAbstractState::initialize): (JSC::DFG::InPlaceAbstractState::endBasicBlock): (JSC::DFG::InPlaceAbstractState::merge): * dfg/DFGInPlaceAbstractState.h: (JSC::DFG::InPlaceAbstractState::size const): (JSC::DFG::InPlaceAbstractState::numberOfTmps const): (JSC::DFG::InPlaceAbstractState::atIndex): (JSC::DFG::InPlaceAbstractState::operand): (JSC::DFG::InPlaceAbstractState::local): (JSC::DFG::InPlaceAbstractState::argument): (JSC::DFG::InPlaceAbstractState::variableAt): Deleted. * dfg/DFGLazyJSValue.h: (JSC::DFG::LazyJSValue::speculatedType const): * dfg/DFGNode.h: (JSC::DFG::Node::hasConstant): (JSC::DFG::Node::hasCellOperand): * dfg/DFGNodeType.h: * dfg/DFGOSRExitCompilerCommon.cpp: (JSC::DFG::callerReturnPC): * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCheckIsConstant): (JSC::DFG::SpeculativeJIT::compileCheckCell): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGValidate.cpp: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileCheckIsConstant): (JSC::FTL::DFG::LowerDFGToB3::compileCheckCell): Deleted. * generator/DSL.rb: * generator/Metadata.rb: * generator/Section.rb: * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * jit/JIT.h: * jit/JITCall.cpp: (JSC::JIT::emitPutCallResult): (JSC::JIT::compileSetupFrame): (JSC::JIT::compileOpCall): (JSC::JIT::emit_op_iterator_open): (JSC::JIT::emitSlow_op_iterator_open): (JSC::JIT::emit_op_iterator_next): (JSC::JIT::emitSlow_op_iterator_next): * jit/JITCall32_64.cpp: (JSC::JIT::emit_op_iterator_open): (JSC::JIT::emitSlow_op_iterator_open): (JSC::JIT::emit_op_iterator_next): (JSC::JIT::emitSlow_op_iterator_next): * jit/JITInlines.h: (JSC::JIT::updateTopCallFrame): (JSC::JIT::advanceToNextCheckpoint): (JSC::JIT::emitJumpSlowToHotForCheckpoint): (JSC::JIT::emitValueProfilingSite): * jit/JITOperations.cpp: * jit/JITOperations.h: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::setupGetByIdPrototypeCache): (JSC::LLInt::performLLIntGetByID): (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::genericCall): (JSC::LLInt::handleIteratorOpenCheckpoint): (JSC::LLInt::handleIteratorNextCheckpoint): (JSC::LLInt::slow_path_checkpoint_osr_exit): (JSC::LLInt::llint_dump_value): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * offlineasm/transform.rb: * runtime/CommonSlowPaths.cpp: (JSC::iterator_open_try_fast): (JSC::iterator_open_try_fast_narrow): (JSC::iterator_open_try_fast_wide16): (JSC::iterator_open_try_fast_wide32): (JSC::iterator_next_try_fast): (JSC::iterator_next_try_fast_narrow): (JSC::iterator_next_try_fast_wide16): (JSC::iterator_next_try_fast_wide32): * runtime/CommonSlowPaths.h: * runtime/Intrinsic.cpp: (JSC::interationKindForIntrinsic): * runtime/Intrinsic.h: * runtime/JSArrayIterator.h: * runtime/JSCJSValue.h: * runtime/JSCJSValueInlines.h: (JSC::JSValue::isCallable const): * runtime/JSCast.h: * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::arrayProtoValuesFunctionConcurrently const): * runtime/OptionsList.h: * runtime/Structure.cpp: (JSC::Structure::dumpBrief const): 2020-04-18 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Replace DFG NewPromise with NewInternalFieldObject https://bugs.webkit.org/show_bug.cgi?id=210687 Reviewed by Saam Barati. The feature of DFG::NewPromise can be implemented completely with DFG::NewInternalFieldObject. This reduces code duplication, and furthermore, this offers Object Allocation Sinking support for free. This patch replaces DFG::NewPromise with DFG::NewInternalFieldObject and remove DFG::NewPromise completely. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGClobbersExitState.cpp: (JSC::DFG::clobbersExitState): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::convertToNewInternalFieldObject): (JSC::DFG::Node::convertToNewInternalFieldObjectWithInlineFields): (JSC::DFG::Node::hasIsInternalPromise): (JSC::DFG::Node::hasStructure): (JSC::DFG::Node::convertToNewPromise): Deleted. * dfg/DFGNodeType.h: * dfg/DFGObjectAllocationSinkingPhase.cpp: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject): (JSC::DFG::SpeculativeJIT::compileNewPromise): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGStoreBarrierInsertionPhase.cpp: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject): (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewInternalFieldObject): (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise): Deleted. * ftl/FTLOperations.cpp: (JSC::FTL::operationPopulateObjectInOSR): (JSC::FTL::operationMaterializeObjectInOSR): * runtime/JSInternalPromise.cpp: (JSC::JSInternalPromise::createWithInitialValues): * runtime/JSInternalPromise.h: * runtime/JSPromise.cpp: (JSC::JSPromise::createWithInitialValues): (JSC::JSPromise::finishCreation): (JSC::JSPromise::status const): (JSC::JSPromise::result const): (JSC::JSPromise::flags const): (JSC::JSPromise::resolve): (JSC::JSPromise::reject): (JSC::JSPromise::rejectAsHandled): * runtime/JSPromise.h: (JSC::JSPromise::initialValues): (JSC::JSPromise::internalField const): (JSC::JSPromise::internalField): 2020-04-18 Yusuke Suzuki <ysuzuki@apple.com> Unreviewed, build fix for ARM64E after r260310 https://bugs.webkit.org/show_bug.cgi?id=207330 r260310 uses undefined function Instruction.cloneWithNewOperands in arm64e.rb and throws an error. This patch calls `node.cloneWithNewOperands`. * offlineasm/arm64e.rb: 2020-04-18 Alexey Shvayka <shvaikalesh@gmail.com> RegExp.prototype[@@search] should use SameValue https://bugs.webkit.org/show_bug.cgi?id=173226 Reviewed by Yusuke Suzuki. This change exposes Object.is implementation as link-time-constant @sameValue and utilizes it in RegExp.prototype[@@search] per spec [1], aligning JSC with V8 and SpiderMonkey. [1]: https://tc39.es/ecma262/#sec-regexp.prototype-@@search (steps 5, 8) * builtins/BuiltinNames.h: * builtins/RegExpPrototype.js: (Symbol.search): * bytecode/LinkTimeConstant.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/ObjectConstructor.cpp: * runtime/ObjectConstructor.h: 2020-04-18 Angelos Oikonomopoulos <angelos@igalia.com> Fix code origin when lowering offlineasm instructions on MIPS/ARM64E https://bugs.webkit.org/show_bug.cgi?id=207330 Reviewed by Mark Lam. Instruction operands are mapped to RegisterID in RegisterID.forName and the operation is memoized. Therefore, we can't use the codeOrigin of the operand at that point. Use the codeOrigin of the original instruction instead. * offlineasm/arm64e.rb: * offlineasm/ast.rb: * offlineasm/mips.rb: * offlineasm/risc.rb: 2020-04-18 Angelos Oikonomopoulos <angelos@igalia.com> REGRESSION(r260246): It broke build on MIPS32 https://bugs.webkit.org/show_bug.cgi?id=210665 Reviewed by Aakash Jain. The mnemonic for 'store halfword' is 'sh', not 'shv'. This appears to be a typo in a path that was never exercised. Exposed by r260246; riscLowerMisplacedAddresses now calls into riscAsRegisters with an 'h' suffix, which results in a 'storeh' instruction. The storeh is then lowered to the non-existent 'shv'. * offlineasm/mips.rb: 2020-04-17 Commit Queue <commit-queue@webkit.org> Unreviewed, reverting r260279. https://bugs.webkit.org/show_bug.cgi?id=210678 Throwing error would be more efficient, having a generic code is still worth doing (Requested by yusukesuzuki on #webkit). Reverted changeset: "[JSC] We do not need to have exit-check for Map/Set iterator functions" https://bugs.webkit.org/show_bug.cgi?id=210667 https://trac.webkit.org/changeset/260279 2020-04-17 Saam Barati <sbarati@apple.com> GetTypedArrayByteOffset is broken on arm64e https://bugs.webkit.org/show_bug.cgi?id=210631 Reviewed by Mark Lam. The vector of JSArrayBufferView is signed even when null on arm64e. However, we were comparing against zero, which is wrong. This patch changes it so we do the right thing and instead compare against whatever constant (ptr=nullptr,size=0) signs as. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): * runtime/CagedBarrierPtr.h: (JSC::CagedBarrierPtr::rawBits const): * runtime/JSArrayBufferView.h: (JSC::JSArrayBufferView::nullVectorPtr): 2020-04-17 Yusuke Suzuki <ysuzuki@apple.com> [JSC] We do not need to have exit-check for Map/Set iterator functions https://bugs.webkit.org/show_bug.cgi?id=210667 Reviewed by Michael Saboff. If the intrinsic's DFG node does not support general cases, we should check exit-frequency to avoid exit-recompile loop. However, Map/Set iterator creation functions (values, keys, entries) always require Map / Set types. And throwing an error when this is not met. So, the current DFG nodes for these intrinsic supports all the cases except for the case throwing an error, and error will exit anyway. So we do not need to have this exit-frequency guard here. This path is already tested by map-iterator-check-before-fail.js / set-iterator-check-before-fail.js. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsicCall): 2020-04-17 Devin Rousso <drousso@apple.com> Rename NullishEq / NULLISHEQUAL to CoalesceEq / COALESCEEQUAL to match the spec https://bugs.webkit.org/show_bug.cgi?id=210663 Reviewed by Ross Kirsling. * bytecompiler/NodesCodegen.cpp: (JSC::emitShortCircuitAssignment): * parser/ASTBuilder.h: (JSC::ASTBuilder::makeAssignNode): * parser/Lexer.cpp: (JSC::Lexer<T>::lexWithoutClearingLineTerminator): * parser/Nodes.h: * parser/Parser.cpp: (JSC::Parser<LexerType>::parseAssignmentExpression): * parser/ParserTokens.h: 2020-04-17 Devin Rousso <drousso@apple.com> Implement Promise.any and AggregateError https://bugs.webkit.org/show_bug.cgi?id=202566 Reviewed by Yusuke Suzuki. `Promise.any` resolves when any of the given `promises` resolve, but only rejects if _all_ of the given `promises` reject. In order to support aggregating all of the `reason` values for all of the rejections, a new error type `AggregateError` is introduced which has an `get errors` that returns an aggregated array of the `reason` values. * builtins/PromiseConstructor.js: (all.newResolveElement): (allSettled.newResolveRejectElements): (any): Added. (any.newRejectElement): Added. * runtime/JSPromiseConstructor.cpp: * builtins/BuiltinNames.h: * bytecode/LinkTimeConstant.h: * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::errorStructure const): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::initializeAggregateErrorConstructor): Added. (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): Expose `@AggregateError` for builtins. * runtime/AggregateError.h: Added. (JSC::AggregateError::destroy): (JSC::AggregateError::subspaceFor): (JSC::AggregateError::createStructure): (JSC::AggregateError::create): (JSC::AggregateError::errors const): * runtime/AggregateError.cpp: Added. (JSC::AggregateError::AggregateError): (JSC::AggregateError::visitChildren): (JSC::AggregateError::create): (JSC::AggregateError::finishCreation): * runtime/AggregateErrorPrototype.h: Added. * runtime/AggregateErrorPrototype.cpp: Added. (JSC::AggregateErrorPrototype::AggregateErrorPrototype): (JSC::AggregateErrorPrototype::finishCreation): (JSC::aggregateErrorPrototypeAccessorErrors): * runtime/AggregateErrorConstructor.h: Added. * runtime/AggregateErrorConstructor.cpp: Added. (JSC::callAggregateErrorConstructor): (JSC::constructAggregateErrorConstructor): (JSC::AggregateErrorConstructor::AggregateErrorConstructor): (JSC::AggregateErrorConstructor::finishCreation): * runtime/ErrorType.h: * runtime/ErrorType.cpp: (JSC::errorTypeName): * runtime/VM.h: * runtime/VM.cpp: (JSC::VM::VM): Make an `IsoSubspace` for `AggregateError` as it has a different size than `ErrorInstance`. * runtime/ErrorInstance.h: (JSC::ErrorInstance::create): * runtime/ErrorInstance.cpp: (JSC::ErrorInstance::finishCreation): * wasm/js/JSWebAssemblyCompileError.cpp: (JSC::JSWebAssemblyCompileError::create): * wasm/js/JSWebAssemblyLinkError.cpp: (JSC::JSWebAssemblyLinkError::create): * wasm/js/JSWebAssemblyRuntimeError.cpp: (JSC::JSWebAssemblyRuntimeError::create): Assign to `ErrorInstance` member variables inside `ErrorInstance::finishCreation` instead of inside `ErrorInstance::create` so that subclasses don't have to do the work as well. * runtime/Error.cpp: (JSC::createError): * runtime/ErrorPrototype.h: (JSC::ErrorPrototype::createStructure): * runtime/NativeErrorPrototype.h: (JSC::NativeErrorPrototype::createStructure): Drive-by: fix incorrect usage of `ErrorInstanceType` since `ErrorPrototype` does not inherit from `ErrorInstance` (and therefore neither does `NativeErrorPrototype`). * runtime/ArgList.h: Add `WTF_MAKE_NONMOVABLE` to `MarkedArgumentBuffer`. * Sources.txt: * JavaScriptCore.xcodeproj/project.pbxproj: 2020-04-17 Ross Kirsling <ross.kirsling@sony.com> Clean up some Intl classes following the ICU upgrade https://bugs.webkit.org/show_bug.cgi?id=210637 Reviewed by Yusuke Suzuki. In r259606, I removed the compile-time guards for {DateTimeFormat, NumberFormat}.prototype.formatToParts, but I forgot to move the method setup back to the lookup table. This patch addresses that and prunes various other unnecessary includes and forward declarations. * runtime/IntlCollator.h: * runtime/IntlCollatorConstructor.h: * runtime/IntlDateTimeFormat.h: * runtime/IntlDateTimeFormatConstructor.h: * runtime/IntlDateTimeFormatPrototype.cpp: (JSC::IntlDateTimeFormatPrototype::create): (JSC::IntlDateTimeFormatPrototype::finishCreation): * runtime/IntlDateTimeFormatPrototype.h: * runtime/IntlNumberFormat.h: * runtime/IntlNumberFormatConstructor.h: * runtime/IntlNumberFormatPrototype.cpp: (JSC::IntlNumberFormatPrototype::create): (JSC::IntlNumberFormatPrototype::finishCreation): * runtime/IntlNumberFormatPrototype.h: * runtime/IntlObject.h: * runtime/IntlPluralRules.h: * runtime/IntlPluralRulesConstructor.h: * runtime/IntlPluralRulesPrototype.cpp: (JSC::IntlPluralRulesPrototype::create): (JSC::IntlPluralRulesPrototype::finishCreation): * runtime/IntlPluralRulesPrototype.h: 2020-04-17 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Map/Set iterator creation functions should fail with BadType etc. before executing insertChecks https://bugs.webkit.org/show_bug.cgi?id=210649 <rdar://problem/61925452> Reviewed by Mark Lam. Since insertChecks adds some DFG nodes, we should determine whether this intrinsic handling is OK or not before executing insertChecks. Otherwise, we will hit an assertion with `!didInsertChecks`. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsicCall): 2020-04-17 Mark Lam <mark.lam@apple.com> offlineasm is generating the wrong load/store for the "orh" instruction. https://bugs.webkit.org/show_bug.cgi?id=210639 <rdar://problem/21501876> Reviewed by Robin Morisset. For example, on ARM64E, the "orh" instruction was generating the following: "\tldr w17, [x1, #0]\n" // JavaScriptCore/llint/LowLevelInterpreter64.asm:919 "\torr w17, w17, #64\n" // JavaScriptCore/llint/LowLevelInterpreter64.asm:919 "\tstr w17, [x1, #0]\n" // JavaScriptCore/llint/LowLevelInterpreter64.asm:919 i.e. a 32-bit load, followed by a 32-bit OR, followed by a 32-bit store. Instead, it should be generating the following: "\tldrh w17, [x1, #0]\n" // JavaScriptCore/llint/LowLevelInterpreter64.asm:919 "\torr w17, w17, #64\n" // JavaScriptCore/llint/LowLevelInterpreter64.asm:919 "\tstrh w17, [x1, #0]\n" // JavaScriptCore/llint/LowLevelInterpreter64.asm:919 i.e. a 16-bit load, followed by a 32-bit OR, followed by a 16-bit store. This bug also affects ARM64, ARMv7, and MIPS (basically any backend that uses riscLowerMisplacedAddresses() from rise.rb). It does not affect x86, x86_64, and C_LOOP (which was written based on x86). * offlineasm/risc.rb: 2020-04-16 Ross Kirsling <ross.kirsling@sony.com> REGRESSION(r259480): Two new failing i18n tests https://bugs.webkit.org/show_bug.cgi?id=210605 Reviewed by Darin Adler. * runtime/IntlDateTimeFormat.cpp: (JSC::isUTCEquivalent): (JSC::defaultTimeZone): (JSC::canonicalizeTimeZoneName): The default time zone needs to be canonicalized too. * runtime/IntlObject.cpp: (JSC::canonicalLangTag): (JSC::resolveLocale): Deal with some odd ""_s cases from my previous patch. (Drive-by fix inspired by Darin's comments on this one.) 2020-04-16 Sergio Villar Senin <svillar@igalia.com> Unreviewed build fix for non unified builds. * dfg/DFGOperations.cpp: Added missing includes. 2020-04-16 Mark Lam <mark.lam@apple.com> [Re-landing] Use more PAC diversity for JIT probe code. https://bugs.webkit.org/show_bug.cgi?id=210252 <rdar://problem/54490367> Reviewed by Keith Miller. Introducing new PtrTags: JITProbePtrTag - for the client probe function. JITProbeTrampolinePtrTag - for calling the ctiMasmProbeTrampoline. JITProbeExecutorPtrTag - for calling the probe executor. Currently, this is only the Probe::executeProbe(). JITProbeStackInitializationFunctionPtrTag - for calling the optional stack initialization function that the client probe function may set. We'll now use these in the JIT probe mechanism instead of adopting the default CFunctionPtrTag. Fixed an assert in MacroAssemblerARM64.cpp which does not apply to non ARM64E builds. * assembler/MacroAssembler.cpp: (JSC::MacroAssembler::probe): * assembler/MacroAssemblerARM64.cpp: (JSC::MacroAssembler::probe): * assembler/MacroAssemblerPrinter.h: (JSC::MacroAssembler::print): * assembler/ProbeContext.h: * runtime/JSCPtrTag.h: * tools/JSDollarVM.cpp: (JSC::callWithStackSizeProbeFunction): * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck): 2020-04-16 Mark Lam <mark.lam@apple.com> Rolling out r259897: Causing crashes on iOS. https://bugs.webkit.org/show_bug.cgi?id=210252 Not reviewed. * assembler/MacroAssembler.cpp: (JSC::MacroAssembler::probe): * assembler/MacroAssemblerARM64.cpp: (JSC::MacroAssembler::probe): * assembler/MacroAssemblerPrinter.h: (JSC::MacroAssembler::print): * assembler/ProbeContext.h: * runtime/JSCPtrTag.h: * tools/JSDollarVM.cpp: (JSC::callWithStackSizeProbeFunction): * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck): 2020-04-16 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Implement JSMapIterator/JSSetIterator with JSInternalFieldObjectImpl https://bugs.webkit.org/show_bug.cgi?id=210023 Reviewed by Keith Miller. This patch reimplement JSMapIterator/JSSetIterator with JSInternalFieldObjectImpl. This makes current JSFinalObject-based Map/SetIterator simple and small. We generalize NewArrayIterator/PhantomNewArrayIterator to convert them to NewInternalFieldObject/PhantomNewInternalFieldObject to support JSMapIterator/JSSetIterator too in DFG / FTL. This makes allocation efficient and object-allocation-sinking aware. * builtins/BuiltinNames.h: * builtins/MapIteratorPrototype.js: (globalPrivate.mapIteratorNext): (next): * builtins/MapPrototype.js: (globalPrivate.MapIterator): Deleted. (values): Deleted. (keys): Deleted. (entries): Deleted. * builtins/SetIteratorPrototype.js: (globalPrivate.setIteratorNext): (next): * builtins/SetPrototype.js: (globalPrivate.SetIterator): Deleted. (values): Deleted. (entries): Deleted. * bytecode/BytecodeIntrinsicRegistry.cpp: (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): * bytecode/BytecodeIntrinsicRegistry.h: * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::emitIsMapIterator): (JSC::BytecodeGenerator::emitIsSetIterator): * bytecompiler/NodesCodegen.cpp: (JSC::mapIteratorInternalFieldIndex): (JSC::setIteratorInternalFieldIndex): (JSC::BytecodeIntrinsicNode::emit_intrinsic_getMapIteratorInternalField): (JSC::BytecodeIntrinsicNode::emit_intrinsic_getSetIteratorInternalField): (JSC::BytecodeIntrinsicNode::emit_intrinsic_putMapIteratorInternalField): (JSC::BytecodeIntrinsicNode::emit_intrinsic_putSetIteratorInternalField): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsicCall): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGClobbersExitState.cpp: (JSC::DFG::clobbersExitState): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGMayExit.cpp: * dfg/DFGNode.h: (JSC::DFG::Node::convertToPhantomNewInternalFieldObject): (JSC::DFG::Node::hasStructure): (JSC::DFG::Node::isPhantomAllocation): (JSC::DFG::Node::convertToPhantomNewArrayIterator): Deleted. * dfg/DFGNodeType.h: * dfg/DFGObjectAllocationSinkingPhase.cpp: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObjectImpl): (JSC::DFG::SpeculativeJIT::compileNewGenerator): (JSC::DFG::SpeculativeJIT::compileNewAsyncGenerator): (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject): (JSC::DFG::SpeculativeJIT::compileNewArrayIterator): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGStoreBarrierInsertionPhase.cpp: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObjectImpl): (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator): (JSC::FTL::DFG::LowerDFGToB3::compileNewAsyncGenerator): (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject): (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewInternalFieldObject): (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayIterator): Deleted. * ftl/FTLOperations.cpp: (JSC::FTL::operationPopulateObjectInOSR): (JSC::FTL::operationMaterializeObjectInOSR): * inspector/JSInjectedScriptHost.cpp: (Inspector::JSInjectedScriptHost::subtype): (Inspector::JSInjectedScriptHost::getInternalProperties): (Inspector::cloneMapIteratorObject): (Inspector::cloneSetIteratorObject): (Inspector::JSInjectedScriptHost::iteratorEntries): * runtime/CommonIdentifiers.h: * runtime/Intrinsic.cpp: (JSC::intrinsicName): * runtime/Intrinsic.h: * runtime/JSArrayIterator.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::mapIteratorPrototype const): (JSC::JSGlobalObject::setIteratorPrototype const): (JSC::JSGlobalObject::mapIteratorStructure const): (JSC::JSGlobalObject::setIteratorStructure const): * runtime/JSMapIterator.cpp: (JSC::JSMapIterator::createWithInitialValues): (JSC::JSMapIterator::finishCreation): (JSC::JSMapIterator::visitChildren): * runtime/JSMapIterator.h: * runtime/JSSetIterator.cpp: (JSC::JSSetIterator::createWithInitialValues): (JSC::JSSetIterator::finishCreation): (JSC::JSSetIterator::visitChildren): * runtime/JSSetIterator.h: * runtime/JSType.cpp: (WTF::printInternal): * runtime/JSType.h: * runtime/JSTypedArrayViewPrototype.cpp: (JSC::JSTypedArrayViewPrototype::finishCreation): * runtime/MapPrototype.cpp: (JSC::MapPrototype::finishCreation): (JSC::createMapIteratorObject): (JSC::mapProtoFuncValues): (JSC::mapProtoFuncKeys): (JSC::mapProtoFuncEntries): * runtime/SetPrototype.cpp: (JSC::SetPrototype::finishCreation): (JSC::createSetIteratorObject): (JSC::setProtoFuncValues): (JSC::setProtoFuncEntries): * runtime/VM.cpp: (JSC::VM::setIteratorStructureSlow): Deleted. (JSC::VM::mapIteratorStructureSlow): Deleted. * runtime/VM.h: (JSC::VM::setIteratorStructure): Deleted. (JSC::VM::mapIteratorStructure): Deleted. 2020-04-15 Yusuke Suzuki <ysuzuki@apple.com> [JSC] Use ensureStillAliveHere in FTL when content of storage should be kept alive https://bugs.webkit.org/show_bug.cgi?id=210583 <rdar://problem/61831515> Reviewed by Mark Lam. The content of Butterfly / ArrayStorage is kept alive only when the owner JSCell is alive. This means that we should keep the owner JSCell alive if we are loading content of storage which includes JSCells. This patch inserts ensureStillAliveHere in FTL to ensure this invariant. * ftl/FTLJITCode.cpp: (JSC::FTL::JITCode::~JITCode): Found that we get crash with `dumpDisassembly` if FTL::JITCode is destroyed while it fails to generate code while testing this. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop): (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt): (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt): (JSC::FTL::DFG::LowerDFGToB3::compileGetByOffset): (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset): 2020-04-15 Keith Miller <keith_miller@apple.com> Disable Store-load pair auto-vectorization for JSC https://bugs.webkit.org/show_bug.cgi?id=210574 Reviewed by Geoffrey Garen. slp-vectorization appears to make our slow path code significantly slower. That's because when we materialize our constant bytecode structs into C++ we load all the fields at the same time then widen them to the struct's member C++ size. Since we have 3 different possible sizes Clang generates a total mess of code. Disabling this does not appear to be a regression on any platform I tested and improves the performance of slow path code significantly in micro benchmarks. * CMakeLists.txt: * Configurations/JavaScriptCore.xcconfig: 2020-04-15 Robin Morisset <rmorisset@apple.com> Flaky Test: fetch/fetch-worker-crash.html https://bugs.webkit.org/show_bug.cgi?id=187257 <rdar://problem/48527526> Reviewed by Yusuke Suzuki. The crash is coming from setExceptionPorts which is inlined in WTF::registerThreadForMachExceptionHandling. From the error message we know that the problem is an "invalid port right". http://web.mit.edu/darwin/src/modules/xnu/osfmk/man/thread_set_exception_ports.html tells us that the "port right" is the third parameter to thread_set_exception_ports, which is exceptionPort in our case. exceptionPort is a global variable defined at the top of Signals.cpp: static mach_port_t exceptionPort; It is set in exactly one place: kern_return_t kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &exceptionPort); in a std::call_once, in startMachExceptionHandlerThread(). Note that startMachExceptionHandlerThread() is called from the main thread just before the point where we are stuck.. and there is no synchronization to make sure it completed and its effect is visible to the worker thread before it uses exceptionPort. So I think the crash is due to this race between allocating exceptionPort and using it, resulting in an invalid exceptionPort being sometimes passed to the kernel. So this patch is a simple speculative fix, by running startMachExceptionHandlerThread() in initializeThreading(), before JSLock()::lock() can be run. * runtime/InitializeThreading.cpp: (JSC::initializeThreading): 2020-04-15 Ross Kirsling <ross.kirsling@sony.com> Unreviewed build fix for r260161. * runtime/IntlObject.cpp: (JSC::canonicalLangTag): 2020-04-15 Ross Kirsling <ross.kirsling@sony.com> Unreviewed, address Darin's feedback on r260151. * runtime/IntlObject.cpp: (JSC::canonicalLangTag): 2020-04-15 Ross Kirsling <ross.kirsling@sony.com> [ECMA-402] Extension values should default to true, canonicalize without "-true" https://bugs.webkit.org/show_bug.cgi?id=210457 Reviewed by Yusuke Suzuki. This patch implements two simple intertwining updates to ECMA-402: - Valueless extension keys should not be dropped when resolving locale https://tc39.es/ecma402/#sec-resolvelocale (9.h.4.b) - Following UTS 35, "-true" should not appear in canonicalized locale ids https://tc39.es/ecma402/#sec-canonicalizeunicodelocaleid https://unicode.org/reports/tr35/#Canonical_Unicode_Locale_Identifiers ('Any type or tfield value "true" is removed.') * runtime/IntlObject.cpp: (JSC::canonicalLangTag): (JSC::resolveLocale): 2020-04-15 Ross Kirsling <ross.kirsling@sony.com> [ECMA-402] Fix Intl.DateTimeFormat patterns and fields in WebKit https://bugs.webkit.org/show_bug.cgi?id=209783 Reviewed by Keith Miller. This patch implements two intertwining normative changes to Intl.DateTimeFormat: - Calendar setting must be taken into account when choosing a date-time pattern https://github.com/tc39/ecma402/pull/349 - formatToParts must recognize relatedYear and yearName parts https://github.com/tc39/ecma402/pull/349 * runtime/IntlDateTimeFormat.cpp: (JSC::IntlDateTimeFormat::initializeDateTimeFormat): (JSC::IntlDateTimeFormat::partTypeString): 2020-04-15 Devin Rousso <drousso@apple.com> [ESNext] Implement logical assignment operators https://bugs.webkit.org/show_bug.cgi?id=209716 Reviewed by Ross Kirsling. Implement the logical assignment operators proposal, which is now Stage 3. It introduces three new assignment operators which will only store the result of the rhs in the lhs if the lhs meets the given condition: - `??=`, for if the lhs is nullish (`null` or `undefined`) - `||=`, for if the lhs is falsy - `&&=`, for if the lhs is truthy This short circuiting can be beneficial as it can avoid a redundant store when used in the common JavaScript programming pattern of "defaulting" a parameter. ```js function foo(x) { x = x || 42; } ``` If `x` is a truthy value, it would result in the rhs `x` being stored back into the lhs `x`. In some situations, this can have negative unintended side-effects, such as for `innerHTML`. Logical assignment operators, however, are defined such that they only store if the rhs is to actually be needed/used, skipping the redundant store and simply returning lhs otherwise. In the case of readonly references, this means that an error is only thrown when the assignment occurs, meaning that if the lhs already satisfies the condition it will be used and returned with no error. * parser/ParserTokens.h: * parser/Lexer.cpp: (JSC::Lexer<T>::lexWithoutClearingLineTerminator): * parser/Parser.cpp: (JSC::Parser<LexerType>::parseAssignmentExpression): * parser/ASTBuilder.h: (JSC::ASTBuilder::makeAssignNode): * parser/Nodes.h: * parser/NodeConstructors.h: (JSC::ShortCircuitReadModifyResolveNode::ShortCircuitReadModifyResolveNode): Added. (JSC::ShortCircuitReadModifyBracketNode::ShortCircuitReadModifyBracketNode): Added. (JSC::ShortCircuitReadModifyDotNode::ShortCircuitReadModifyDotNode): Added. * bytecompiler/NodesCodegen.cpp: (JSC::emitShortCircuitAssignment): Added. (JSC::ShortCircuitReadModifyResolveNode::emitBytecode): Added. (JSC::ShortCircuitReadModifyDotNode::emitBytecode): Added. (JSC::ShortCircuitReadModifyBracketNode::emitBytecode): Added. * runtime/OptionsList.h: Add a `useLogicalAssignmentOperators` setting for controlling this feature. 2020-04-14 Devin Rousso <drousso@apple.com> Web Inspector: Debugger: add a Step next that steps by expression https://bugs.webkit.org/show_bug.cgi?id=210324 Reviewed by Timothy Hatcher. Step next is a hybrid of Step over and Step into which continues execution to the next pause opportunity within the current (or ancestor) call frame. It is especially useful when trying to debug minified code, such as trying to continue to `c()` in `a() && b() && c();`, where Step over would continue to the next statement (i.e. after the `;`) and Step in would continue to the first line inside `a()` (and would require a Step out to get back). * inspector/protocol/Debugger.json: * inspector/agents/InspectorDebuggerAgent.h: * inspector/agents/InspectorDebuggerAgent.cpp: (Inspector::InspectorDebuggerAgent::stepNext): Added. * debugger/Debugger.h: * debugger/Debugger.cpp: (JSC::Debugger::stepNextExpression): Added. (JSC::Debugger::atExpression): (JSC::Debugger::clearNextPauseState): 2020-04-13 Alexey Shvayka <shvaikalesh@gmail.com> REGRESSION (r259587): bterlson/eshost throws during init in strict mode https://bugs.webkit.org/show_bug.cgi?id=210470 Reviewed by Ross Kirsling. This change makes $262.IsHTMLDDA of JSC shell a CustomValue, allowing it to be reassigned and restoring compatibility with any version of https://github.com/bterlson/eshost. Since putDirectCustomAccessor() is now used instead of putGetter(), scope exception assert is no longer needed and can be safely removed, as well as JSObject::putGetter() export. * jsc.cpp: * runtime/JSObject.h: 2020-04-13 David Kilzer <ddkilzer@apple.com> Replace use of Checked<size_t, RecordOverflow> with CheckedSize <https://webkit.org/b/210461> Reviewed by Mark Lam. * heap/Heap.cpp: (JSC::Heap::deprecatedReportExtraMemorySlowCase): (JSC::Heap::extraMemorySize): (JSC::Heap::updateAllocationLimits): (JSC::Heap::reportExtraMemoryVisited): * heap/SlotVisitor.h: * runtime/ArgList.cpp: (JSC::MarkedArgumentBuffer::expandCapacity): 2020-04-10 Michael Saboff <msaboff@apple.com> [YARR] Allow for Unicode named capture group identifiers in non-Unicode regular expressions https://bugs.webkit.org/show_bug.cgi?id=210309 Reviewed by Ross Kirsling. Update YARR pattern processing to allow for non-BMP unicode identifier characters in named capture groups. This change was discussed and approved at the March/April 2020 TC-39 meeting. See https://github.com/tc39/ecma262/pull/1869 for the discussion and change. Updated tryConsumeUnicodeEscape() to allow for unicode escapes in non-unicode flagged regex's. Added the same support to consumePossibleSurrogatePair(). * yarr/YarrParser.h: (JSC::Yarr::Parser::consumePossibleSurrogatePair): (JSC::Yarr::Parser::parseCharacterClass): (JSC::Yarr::Parser::parseTokens): (JSC::Yarr::Parser::tryConsumeUnicodeEscape): (JSC::Yarr::Parser::tryConsumeIdentifierCharacter): 2020-04-13 Michael Catanzaro <mcatanzaro@gnome.org> Fix various build warnings https://bugs.webkit.org/show_bug.cgi?id=210429 Reviewed by Mark Lam. Fix -Wimplicit-fallthrough warning by adding a default case CRASH() to prevent the inner switch from falling through to the outer switch. * dfg/DFGArrayMode.cpp: (JSC::DFG::ArrayMode::alreadyChecked const): 2020-04-12 Mark Lam <mark.lam@apple.com> Enable the ability to build the ASM LLInt for ARMv7k. https://bugs.webkit.org/show_bug.cgi?id=210412 Reviewed by Sam Weinig. Fix the offlineasm so that it can build the ASM LLInt for ARMv7k. This patch does not actually enable the ASM LLInt. The ARMv7k port still build the C Loop LLInt. Also, the ARMv7k ASM LLInt is still broken and needs additional work before it can run. This patch only fixes things so that it will build. * JavaScriptCore.xcodeproj/project.pbxproj: - Added generate_settings_extractor.rb to the project so that we can view it from inside Xcode. * offlineasm/arm.rb: - Added support for the globaladdr LLInt instruction for ARMv7k. * offlineasm/backends.rb: - Fix the backend to enable ARMV7 also when building for ARMv7k. 2020-04-12 Darin Adler <darin@apple.com> Fix a few mispellings of descendant and propagation https://bugs.webkit.org/show_bug.cgi?id=210409 Reviewed by Mark Lam. * ftl/FTLAbstractHeap.h: "descendants" * offlineasm/ast.rb: "descendants" 2020-04-12 Ross Kirsling <ross.kirsling@sony.com> [ECMA-402] WebKit Intl does not allow calendar and numberingSystem options https://bugs.webkit.org/show_bug.cgi?id=209784 Reviewed by Myles C. Maxfield. As an alternative to using `ca` and `nu` extensions in the locale string: - the Intl.DateTimeFormat constructor needs to be able to take `calendar` and `numberingSystem` options https://tc39.es/ecma402/#sec-initializedatetimeformat - the Intl.NumberFormat needs to be able to take a `numberingSystem` option https://tc39.es/ecma402/#sec-initializenumberformat Since we already support `ca` and `nu`, this is a very simple addition. The only interesting part is that we must verify that values for these options are 3-8 alphanumeric characters. * runtime/IntlDateTimeFormat.cpp: (JSC::IntlDateTimeFormat::initializeDateTimeFormat): * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::initializeNumberFormat): (JSC::IntlNumberFormat::resolvedOptions): * runtime/IntlObject.cpp: (JSC::isUnicodeLocaleIdentifierType): * runtime/IntlObject.h: 2020-04-10 Ross Kirsling <ross.kirsling@sony.com> [ECMA-402] Properly implement BigInt.prototype.toLocaleString https://bugs.webkit.org/show_bug.cgi?id=209782 Reviewed by Darin Adler. Our BigInt's toLocaleString has been simply falling back to toString instead of following ECMA-402. (https://tc39.es/ecma402/#sup-bigint.prototype.tolocalestring) Since {Number, BigInt}.prototype.toLocaleString are internally the same as Intl.NumberFormat.prototype.format, this patch simultaneously lets the latter method take a BigInt argument. (https://tc39.es/ecma402/#sec-number-format-functions) This patch continues to use the old unum_* API instead of ICU 62's new unumf_* API, as the latter would require a large refactor as well as fallback paths. (This will, however, be a prerequisite for https://bugs.webkit.org/show_bug.cgi?id=209774.) * runtime/BigIntPrototype.cpp: (JSC::bigIntProtoFuncToString): (JSC::bigIntProtoFuncToLocaleString): (JSC::bigIntProtoFuncToStringImpl): Deleted. * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::format): (JSC::IntlNumberFormat::formatNumber): Deleted. * runtime/IntlNumberFormat.h: * runtime/IntlNumberFormatPrototype.cpp: (JSC::IntlNumberFormatFuncFormat): (JSC::IntlNumberFormatPrototypeGetterFormat): (JSC::IntlNumberFormatFuncFormatNumber): Deleted. * runtime/NumberPrototype.cpp: (JSC::numberProtoFuncToLocaleString): 2020-04-10 Devin Rousso <drousso@apple.com> The rhs in `ReadModifyResolveNode` should be evaluated before throwing an exception if the lhs is read-only https://bugs.webkit.org/show_bug.cgi?id=210317 Reviewed by Ross Kirsling. * bytecompiler/NodesCodegen.cpp: (JSC::emitReadModifyAssignment): (JSC::ReadModifyResolveNode::emitBytecode): If the corresponding `Variable` is read-only, pass it to `emitReadModifyAssignment` as an additional optionl argument, where it will be used to `emitReadOnlyExceptionIfNeeded` after the rhs is emitted. 2020-04-10 Mark Lam <mark.lam@apple.com> Use more PAC diversity for JIT probe code. https://bugs.webkit.org/show_bug.cgi?id=210252 <rdar://problem/54490367> Reviewed by Keith Miller. Introducing new PtrTags: JITProbePtrTag - for the client probe function. JITProbeTrampolinePtrTag - for calling the ctiMasmProbeTrampoline. JITProbeExecutorPtrTag - for calling the probe executor. Currently, this is only the Probe::executeProbe(). JITProbeStackInitializationFunctionPtrTag - for calling the optional stack initialization function that the client probe function may set. We'll now use these in the JIT probe mechanism instead of adopting the default CFunctionPtrTag. * assembler/MacroAssembler.cpp: (JSC::MacroAssembler::probe): * assembler/MacroAssemblerARM64.cpp: (JSC::MacroAssembler::probe): * assembler/MacroAssemblerPrinter.h: (JSC::MacroAssembler::print): * assembler/ProbeContext.h: * runtime/JSCPtrTag.h: * tools/JSDollarVM.cpp: (JSC::callWithStackSizeProbeFunction): * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck): 2020-04-10 Mark Lam <mark.lam@apple.com> [Follow up] Fix bad tests in testmasm's testCagePreservesPACFailureBit(). https://bugs.webkit.org/show_bug.cgi?id=210314 <rdar://problem/61556785> Not reviewed. Applying Keith's feedback in https://bugs.webkit.org/show_bug.cgi?id=210314#c5: added the stronger test but kept the weaker one as well. * assembler/testmasm.cpp: (JSC::testCagePreservesPACFailureBit): == Rolled over to ChangeLog-2020-04-10 ==