8292609: Cherry-pick WebKit 614.1 stabilization fixes

Reviewed-by: kcr, arapte, jvos

Author: Hima Bindu Meda

modules/javafx.web/src/main/native/Source/JavaScriptCore/b3/B3Generate.cpp

@@ -118,6 +118,7 @@ void generateToAir(Procedure& procedure)
     lowerMacrosAfterOptimizations(procedure);
     legalizeMemoryOffsets(procedure);
     moveConstants(procedure);
+    legalizeMemoryOffsets(procedure);
     if (Options::useB3CanonicalizePrePostIncrements() && procedure.optLevel() >= 2)
         canonicalizePrePostIncrements(procedure);
     eliminateDeadCode(procedure);

modules/javafx.web/src/main/native/Source/JavaScriptCore/b3/B3ReduceStrength.cpp

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -388,6 +388,61 @@ class IntRange {
         }
     }
 
+    template<typename T>
+    IntRange sExt()
+    {
+        ASSERT(m_min >= INT32_MIN);
+        ASSERT(m_max <= INT32_MAX);
+        int64_t typeMin = std::numeric_limits<T>::min();
+        int64_t typeMax = std::numeric_limits<T>::max();
+        auto min = m_min;
+        auto max = m_max;
+
+        if (typeMin <= min && min <= typeMax
+            && typeMin <= max && max <= typeMax)
+            return IntRange(min, max);
+
+        // Given type T with N bits, signed extension will turn bit N-1 as
+        // a sign bit. If bits N-1 upwards are identical for both min and max,
+        // then we're guaranteed that even after the sign extension, min and
+        // max will still be in increasing order.
+        //
+        // For example, when T is int8_t, the space of numbers from highest to
+        // lowest are as follows (in binary bits):
+        //
+        //      highest     0 111 1111  ^
+        //                    ...       |
+        //            1     0 000 0001  |   top segment
+        //            0     0 000 0000  v
+        //
+        //           -1     1 111 1111  ^
+        //           -2     1 111 1110  |   bottom segment
+        //                    ...       |
+        //       lowest     1 000 0000  v
+        //
+        // Note that if we exclude the sign bit, the range is made up of 2 segments
+        // of contiguous increasing numbers. If min and max are both in the same
+        // segment before the sign extension, then min and max will continue to be
+        // in a contiguous segment after the sign extension. Only when min and max
+        // spans across more than 1 of these segments, will min and max no longer
+        // be guaranteed to be in a contiguous range after the sign extension.
+        //
+        // Hence, we can check if bits N-1 and up are identical for the range min
+        // and max. If so, then the new min and max can be be computed by simply
+        // applying sign extension to their original values.
+
+        constexpr unsigned numberOfBits = countOfBits<T>;
+        constexpr int64_t segmentMask = (1ll << (numberOfBits - 1)) - 1;
+        constexpr int64_t topBitsMask = ~segmentMask;
+        int64_t minTopBits = topBitsMask & min;
+        int64_t maxTopBits = topBitsMask & max;
+
+        if (minTopBits == maxTopBits)
+            return IntRange(static_cast<int64_t>(static_cast<T>(min)), static_cast<int64_t>(static_cast<T>(max)));
+
+        return top<T>();
+    }
+
     IntRange zExt32()
     {
         ASSERT(m_min >= INT32_MIN);
@@ -2765,9 +2820,11 @@ class ReduceStrength {
                 rangeFor(value->child(1), timeToLive - 1), value->type());
 
         case SExt8:
+            return rangeFor(value->child(0), timeToLive - 1).sExt<int8_t>();
         case SExt16:
+            return rangeFor(value->child(0), timeToLive - 1).sExt<int16_t>();
         case SExt32:
-            return rangeFor(value->child(0), timeToLive - 1);
+            return rangeFor(value->child(0), timeToLive - 1).sExt<int32_t>();
 
         case ZExt32:
             return rangeFor(value->child(0), timeToLive - 1).zExt32();

modules/javafx.web/src/main/native/Source/JavaScriptCore/b3/testb3.h

@@ -555,6 +555,7 @@ void testTrappingLoadAddStore();
 void testTrappingLoadDCE();
 void testTrappingStoreElimination();
 void testMoveConstants();
+void testMoveConstantsWithLargeOffsets();
 void testPCOriginMapDoesntInsertNops();
 void testBitOrBitOrArgImmImm32(int, int, int c);
 void testBitOrImmBitOrArgImm32(int, int, int c);

modules/javafx.web/src/main/native/Source/JavaScriptCore/b3/testb3_1.cpp

@@ -760,6 +760,7 @@ void run(const char* filter)
     RUN(testTrappingLoadDCE());
     RUN(testTrappingStoreElimination());
     RUN(testMoveConstants());
+    RUN(testMoveConstantsWithLargeOffsets());
     RUN(testPCOriginMapDoesntInsertNops());
     RUN(testPinRegisters());
     RUN(testReduceStrengthReassociation(true));

modules/javafx.web/src/main/native/Source/JavaScriptCore/b3/testb3_6.cpp

@@ -2839,6 +2839,32 @@ void testMoveConstants()
     }
 }
 
+extern "C" {
+static JSC_DECLARE_JIT_OPERATION_WITHOUT_WTF_INTERNAL(testMoveConstantsWithLargeOffsetsFunc, double, (double));
+}
+JSC_DEFINE_JIT_OPERATION(testMoveConstantsWithLargeOffsetsFunc, double, (double a))
+{
+    return a;
+}
+
+void testMoveConstantsWithLargeOffsets()
+{
+    Procedure proc;
+    BasicBlock* root = proc.addBlock();
+    Value* result = root->appendNew<ConstDoubleValue>(proc, Origin(), 0);
+    double rhs = 0;
+    for (size_t i = 0; i < 4100; i++) {
+        rhs += i;
+        Value* callResult = root->appendNew<CCallValue>(proc, Double, Origin(),
+            root->appendNew<ConstPtrValue>(proc, Origin(), tagCFunction<OperationPtrTag>(testMoveConstantsWithLargeOffsetsFunc)),
+            root->appendNew<ConstDoubleValue>(proc, Origin(), i));
+        result = root->appendNew<Value>(proc, Add, Origin(), result, callResult);
+    }
+    root->appendNewControlValue(proc, Return, Origin(), result);
+
+    CHECK_EQ(compileAndRun<double>(proc), rhs);
+}
+
 void testPCOriginMapDoesntInsertNops()
 {
     Procedure proc;

modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -4694,6 +4694,10 @@ void TryNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
         }
 
         generator.emitProfileControlFlow(m_tryBlock->endOffset() + 1);
+
+        if (generator.shouldBeConcernedWithCompletionValue())
+            generator.emitLoad(tryCatchDst.get(), jsUndefined());
+
         if (m_finallyBlock)
             generator.emitNode(tryCatchDst.get(), m_catchBlock);
         else

modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -4974,8 +4974,11 @@ void SpeculativeJIT::compile(Node* node)
         if (node->child2().useKind() != UntypedUse)
             speculate(node, node->child2());
 
-        m_jit.load32(MacroAssembler::Address(mapGPR, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfCapacity()), maskGPR);
+        CCallHelpers::JumpList notPresentInTable;
+
         m_jit.loadPtr(MacroAssembler::Address(mapGPR, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfBuffer()), bufferGPR);
+        notPresentInTable.append(m_jit.branchTestPtr(CCallHelpers::Zero, bufferGPR));
+        m_jit.load32(MacroAssembler::Address(mapGPR, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfCapacity()), maskGPR);
         m_jit.sub32(TrustedImm32(1), maskGPR);
         m_jit.move(hashGPR, indexGPR);
 
@@ -4987,8 +4990,8 @@ void SpeculativeJIT::compile(Node* node)
         m_jit.and32(maskGPR, indexGPR);
         m_jit.loadPtr(MacroAssembler::BaseIndex(bufferGPR, indexGPR, MacroAssembler::TimesEight), bucketGPR);
         m_jit.move(bucketGPR, resultGPR);
-        auto notPresentInTable = m_jit.branchPtr(MacroAssembler::Equal,
-            bucketGPR, TrustedImmPtr(bitwise_cast<size_t>(HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::emptyValue())));
+        notPresentInTable.append(m_jit.branchPtr(MacroAssembler::Equal,
+            bucketGPR, TrustedImmPtr(bitwise_cast<size_t>(HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::emptyValue()))));
         loopAround.append(m_jit.branchPtr(MacroAssembler::Equal,
             bucketGPR, TrustedImmPtr(bitwise_cast<size_t>(HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::deletedValue()))));
 

modules/javafx.web/src/main/native/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -12322,6 +12322,7 @@ IGNORE_CLANG_WARNINGS_END
     void compileGetMapBucket()
     {
         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
+        LBasicBlock indexSetUp = m_out.newBlock();
         LBasicBlock loopStart = m_out.newBlock();
         LBasicBlock loopAround = m_out.newBlock();
         LBasicBlock slowPath = m_out.newBlock();
@@ -12330,8 +12331,6 @@ IGNORE_CLANG_WARNINGS_END
         LBasicBlock notDeletedValue = m_out.newBlock();
         LBasicBlock continuation = m_out.newBlock();
 
-        LBasicBlock lastNext = m_out.insertNewBlocksBefore(loopStart);
-
         LValue map;
         if (m_node->child1().useKind() == MapObjectUse)
             map = lowMapObject(m_node->child1());
@@ -12347,8 +12346,11 @@ IGNORE_CLANG_WARNINGS_END
         LValue hash = lowInt32(m_node->child3());
 
         LValue buffer = m_out.loadPtr(map, m_heaps.HashMapImpl_buffer);
-        LValue mask = m_out.sub(m_out.load32(map, m_heaps.HashMapImpl_capacity), m_out.int32One);
 
+        m_out.branch(m_out.isNull(buffer), unsure(notPresentInTable), unsure(indexSetUp));
+
+        LBasicBlock lastNext = m_out.appendTo(indexSetUp, loopStart);
+        LValue mask = m_out.sub(m_out.load32(map, m_heaps.HashMapImpl_capacity), m_out.int32One);
         ValueFromBlock indexStart = m_out.anchor(hash);
         m_out.jump(loopStart);
 

modules/javafx.web/src/main/native/Source/JavaScriptCore/inspector/remote/RemoteInspector.h

@@ -93,6 +93,7 @@ class JS_EXPORT_PRIVATE RemoteInspector final
             Vector<std::pair<String, String>> certificates;
             struct Proxy {
                 String type;
+                std::optional<String> autoconfigURL;
                 std::optional<String> ftpURL;
                 std::optional<String> httpURL;
                 std::optional<String> httpsURL;

modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp

@@ -51,9 +51,6 @@ AbstractModuleRecord::AbstractModuleRecord(VM& vm, Structure* structure, const I
 
 void AbstractModuleRecord::finishCreation(JSGlobalObject* globalObject, VM& vm)
 {
-    DeferTerminationForAWhile deferScope(vm);
-    auto scope = DECLARE_CATCH_SCOPE(vm);
-
     Base::finishCreation(vm);
     ASSERT(inherits(vm, info()));
 
@@ -62,8 +59,7 @@ void AbstractModuleRecord::finishCreation(JSGlobalObject* globalObject, VM& vm)
     for (unsigned index = 0; index < values.size(); ++index)
         Base::internalField(index).set(vm, this, values[index]);
 
-    JSMap* map = JSMap::create(globalObject, vm, globalObject->mapStructure());
-    scope.releaseAssertNoException();
+    JSMap* map = JSMap::create(vm, globalObject->mapStructure());
     m_dependenciesMap.set(vm, this, map);
     putDirect(vm, Identifier::fromString(vm, "dependenciesMap"_s), m_dependenciesMap.get());
 }

modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/HashMapImpl.h

@@ -209,7 +209,7 @@ class HashMapBuffer {
         return bitwise_cast<BucketType**>(this);
     }
 
-    static HashMapBuffer* create(JSGlobalObject* globalObject, VM& vm, JSCell*, uint32_t capacity)
+    static HashMapBuffer* tryCreate(JSGlobalObject* globalObject, VM& vm, uint32_t capacity)
     {
         auto scope = DECLARE_THROW_SCOPE(vm);
         size_t allocationSize = HashMapBuffer::allocationSize(capacity);
@@ -239,7 +239,7 @@ ALWAYS_INLINE uint32_t wangsInt64Hash(uint64_t key);
 ALWAYS_INLINE uint32_t jsMapHash(JSBigInt*);
 ALWAYS_INLINE uint32_t jsMapHash(JSGlobalObject*, VM&, JSValue);
 ALWAYS_INLINE uint32_t shouldShrink(uint32_t capacity, uint32_t keyCount);
-ALWAYS_INLINE uint32_t shouldRehashAfterAdd(uint32_t capacity, uint32_t keyCount, uint32_t deleteCount);
+ALWAYS_INLINE uint32_t shouldRehash(uint32_t capacity, uint32_t keyCount, uint32_t deleteCount);
 ALWAYS_INLINE uint32_t nextCapacity(uint32_t capacity, uint32_t keyCount);
 
 template <typename HashMapBucketType>
@@ -256,28 +256,15 @@ class HashMapImpl : public JSNonFinalObject {
 
     HashMapImpl(VM& vm, Structure* structure)
         : Base(vm, structure)
-        , m_keyCount(0)
-        , m_deleteCount(0)
-        , m_capacity(4)
     {
     }
 
-    HashMapImpl(VM& vm, Structure* structure, uint32_t sizeHint)
-        : Base(vm, structure)
-        , m_keyCount(0)
-        , m_deleteCount(0)
-    {
-        uint32_t capacity = (Checked<uint32_t>(sizeHint) * 2) + 1;
-        capacity = std::max<uint32_t>(WTF::roundUpToPowerOfTwo(capacity), 4U);
-        m_capacity = capacity;
-    }
-
     ALWAYS_INLINE HashMapBucketType** buffer() const
     {
         return m_buffer->buffer();
     }
 
-    void finishCreation(JSGlobalObject*, VM&);
+    void finishCreation(VM&);
     void finishCreation(JSGlobalObject*, VM&, HashMapImpl* base);
 
     static HashMapBucketType* emptyValue()
@@ -320,7 +307,7 @@ class HashMapImpl : public JSNonFinalObject {
         return m_keyCount;
     }
 
-    ALWAYS_INLINE void clear(JSGlobalObject*);
+    ALWAYS_INLINE void clear(VM&);
 
     ALWAYS_INLINE size_t bufferSizeInBytes() const
     {
@@ -355,42 +342,39 @@ class HashMapImpl : public JSNonFinalObject {
     }
 
 private:
-    ALWAYS_INLINE uint32_t shouldRehashAfterAdd() const
-    {
-        return JSC::shouldRehashAfterAdd(m_capacity, m_keyCount, m_deleteCount);
-    }
-
     ALWAYS_INLINE uint32_t shouldShrink() const
     {
         return JSC::shouldShrink(m_capacity, m_keyCount);
     }
 
-    ALWAYS_INLINE void setUpHeadAndTail(JSGlobalObject*, VM&);
+    ALWAYS_INLINE void setUpHeadAndTail(VM&);
 
     ALWAYS_INLINE void addNormalizedNonExistingForCloning(JSGlobalObject*, JSValue key, JSValue = JSValue());
+    ALWAYS_INLINE HashMapBucketType* addNormalizedNonExistingForCloningInternal(JSGlobalObject*, JSValue key, JSValue, uint32_t hash);
 
     template<typename CanUseBucket>
     ALWAYS_INLINE void addNormalizedInternal(JSGlobalObject*, JSValue key, JSValue, const CanUseBucket&);
 
     template<typename CanUseBucket>
-    ALWAYS_INLINE HashMapBucketType* addNormalizedInternal(VM&, JSValue key, JSValue, uint32_t hash, const CanUseBucket&);
+    ALWAYS_INLINE HashMapBucketType* addNormalizedInternal(JSGlobalObject*, JSValue key, JSValue, uint32_t hash, const CanUseBucket&);
 
     ALWAYS_INLINE HashMapBucketType** findBucketAlreadyHashedAndNormalized(JSGlobalObject*, JSValue key, uint32_t hash);
 
-    void rehash(JSGlobalObject*);
+    enum class RehashMode { BeforeAddition, AfterRemoval };
+    void rehash(JSGlobalObject*, RehashMode);
 
     ALWAYS_INLINE void checkConsistency() const;
 
-    void makeAndSetNewBuffer(JSGlobalObject*, VM&);
+    void makeAndSetNewBuffer(JSGlobalObject*, uint32_t newCapacity, VM&);
 
-    ALWAYS_INLINE void assertBufferIsEmpty() const;
+    ALWAYS_INLINE static void assertBufferIsEmpty(HashMapBucketType**, uint32_t capacity);
 
     WriteBarrier<HashMapBucketType> m_head;
     WriteBarrier<HashMapBucketType> m_tail;
     AuxiliaryBarrier<HashMapBufferType*> m_buffer;
-    uint32_t m_keyCount;
-    uint32_t m_deleteCount;
-    uint32_t m_capacity;
+    uint32_t m_keyCount { 0 };
+    uint32_t m_deleteCount { 0 };
+    uint32_t m_capacity { 0 };
 };
 
 } // namespace JSC