Bug 1709216: Add copyToScratchValueRegister to fix x86 r=jandem `useFixedValueRegister` was unused (since bug 1673553 part 94, I think), so I cannibalized it for spare parts. Differential Revision: https://phabricator.services.mozilla.com/D114769

Bug 1709216: Transpile SameValueResult r=jandem Depends on D114258 Differential Revision: https://phabricator.services.mozilla.com/D114259

Bug 1709216: Rename SameValue MIR op r=jandem Rename this to make room for the next patch to use that name when transpiling SameValueResult. Depends on D114257 Differential Revision: https://phabricator.services.mozilla.com/D114258

Bug 1709216: Optimize polymorphic Object.is in CacheIR r=jandem Differential Revision: https://phabricator.services.mozilla.com/D114257

Bug 1710140: Improve test coverage of inlined bailout code r=jandem While removing dead code I accidentally broke getters and setters, and noticed that only setters currently have coverage (ion/bug765454.js), so I'm adding a testcase for bailing out inlined getters as well. Driveby: I've had a local patch floating around for a while to tweak trial inlining jitspew, but I've been too lazy to open a bug and land it; this is just related enough to justify folding it in. Differential Revision: https://phabricator.services.mozilla.com/D114768

Bug 1710126 - Use the PropertyDescriptor constructors for NativeGetOwnPropertyDescriptor. r=jandem I am not sure if we should preserve parts of the accessor comment, because the constructor always create complete descriptor now. In the future switching GetPropertyAttributes to return JS::PropertyAttributes seems like a good idea. Depends on D114838 Differential Revision: https://phabricator.services.mozilla.com/D114839

Bug 1710126 - Create complete AccessorDescriptors. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D114838

Bug 1707792 - Store self-hosted canonical name in extended slot. r=jandem Now, when _SetCanonicalName is used, store the canonical name on the extended slot instead of clobbering the display name. This ensures the function names in the self-hosted realm match their binding names and the original source code for better clarity. Instead we apply the canonical name during function cloning where special cases already needed to exist to find the "original" name. The net result should be easier to understand. Differential Revision: https://phabricator.services.mozilla.com/D113455

Bug 1710126 - Make PropertyDescriptor getter and setter private. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D114637

Bug 1710126 - Make PropertyDescriptor attrs private. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D114636

Bug 1710126 - Remove setGetter/setSetter. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D114635

Bug 1709541 - Disable failing tests for wasi. r=jandem There are only two failing tests. First one bug908915.js failed because of the lack of OSObject.cpp::ResolvePath support for wasi. The second one is failed because it exceeds the recursion limit. Differential Revision: https://phabricator.services.mozilla.com/D114325

Bug 1709328: Fix baseline IC register assignment for GetElemSuper r=jandem When bug 1472211 reordered the operands of GetElemSuper, we got our register assignments out of sync. Our GetElemSuper baseline ICs have been silently failing ever since. This patch re-establishes a consistent assignment between BaselineCodeGen::emit_GetElemSuper, GetPropIRGenerator, and BaselineCacheIRCompiler::init: obj = input operand 0 = baseline frame slot 0 id/key = input operand 1 = R1 receiver = input operand 2 = R0 We have a testcase for megamorphic GetElemSuper, but it didn't catch this bug because our ICs just failed silently (either because a property name is not a valid receiver, or because the superbase object is not a valid property name) and let the fallback handle it. The testcase I've attached to this bug doesn't fail prior to bug 1661211 part 1, where we added support for non-object receivers for GetElemSuper, but I checked out old revisions immediately before and after bug 1472211 and verified in rr that GetNativeDataPropertyByValuePure was passed the correct id before, and the receiver object after. Drive-by: while investigating this bug, I realized that `attachMegamorphicNativeSlot` had an unused argument left over from TI removal. Differential Revision: https://phabricator.services.mozilla.com/D114513

Bug 1709216: Transpile SameValueResult r=jandem Depends on D114258 Differential Revision: https://phabricator.services.mozilla.com/D114259

Bug 1709216: Rename SameValue MIR op r=jandem Rename this to make room for the next patch to use that name when transpiling SameValueResult. Depends on D114257 Differential Revision: https://phabricator.services.mozilla.com/D114258

Bug 1709216: Optimize polymorphic Object.is in CacheIR r=jandem Differential Revision: https://phabricator.services.mozilla.com/D114257

Bug 1708698 - Remove object from PropertyDescriptor in js/src. r=jandem Some of this code could be updated later to use PropertyDescriptor::Data. Differential Revision: https://phabricator.services.mozilla.com/D113977

Bug 1709288 - Remove unused input for NewArray cache kind r=jandem Differential Revision: https://phabricator.services.mozilla.com/D114213

Bug 1700443: Remove JS_OPTIMIZED_ARGUMENTS r=jandem Differential Revision: https://phabricator.services.mozilla.com/D114175

Bug 1700443: Remove AnalysisMode r=jandem Depends on D114173 Differential Revision: https://phabricator.services.mozilla.com/D114174

Bug 1700443: Clean up SetFrameArgumentsObject r=jandem The only remaining caller of SetFrameArgumentsObject is FinishBailoutToBaseline. Depends on D114172 Differential Revision: https://phabricator.services.mozilla.com/D114173

Bug 1700443: Clean up EnvironmentObject and Debugger r=jandem There's a separate usecase here that overloaded JS_OPTIMIZED_ARGUMENTS. getMissingArgumentsMaybeSentinelValue returns JS_OPTIMIZED_ARGUMENTS if it can't recreate the arguments object. The comment on createMissingArguments explains that this occurs if the environment is dead; see `tests/debug/Frame-eval-12.js`, where we return an inner function that subsequently tries to access its parent's arguments. There's a bunch of code on the devtools side of the wall to handle this case, and we have test coverage, so instead of ripping this out I'm just rewriting it to use a different magic value. Depends on D114171 Differential Revision: https://phabricator.services.mozilla.com/D114172

Bug 1700443: Remove MIRType::MagicOptimizedArguments r=jandem Differential Revision: https://phabricator.services.mozilla.com/D114171

Bug 1700443: Remove FunApplyMagicArgs r=jandem Depends on D114169 Differential Revision: https://phabricator.services.mozilla.com/D114170

Bug 1700443: Remove dead CacheIR ops r=jandem The next patch removes CallFlags::FunApplyMagicArgs. Depends on D114036 Differential Revision: https://phabricator.services.mozilla.com/D114169

Bug 1700443: Clean up CompileInfo r=jandem Differential Revision: https://phabricator.services.mozilla.com/D114036

Bug 1700443: Simplify JSScript flags for arguments r=jandem After the previous patches, JSScript still has three flags related to arguments analysis. Two of them are immutable (`argumentsHasVarBinding` and `alwaysNeedsArgsObj`), and one is mutable (`needsArgsObj`). We can simplify this down to just `needsArgsObj`, which is now immutable. After the simplification, there's no longer any difference between `argsObjAliasesFormals` and `argumentsAliasesFormals`. Depends on D114034 Differential Revision: https://phabricator.services.mozilla.com/D114035

Bug 1700443: Clean up BaselineCodeGen r=jandem The `HAS_ARGS_OBJ` flag in BaselineFrame needs to stick around for the baseline interpreter, but it's immutable for the baseline compiler. (The next patch will move `needsArgsObj` from MutableFlags to ImmutableFlags.) Depends on D114033 Differential Revision: https://phabricator.services.mozilla.com/D114034

Bug 1700443: Remove argumentsOptimizationFailed r=jandem Depends on D114032 Differential Revision: https://phabricator.services.mozilla.com/D114033

Bug 1700443: Remove AnalyzeArgumentsUsage r=jandem This patch removes the `needsArgsAnalysis` flag. Other flags will be cleaned up in a later patch. Differential Revision: https://phabricator.services.mozilla.com/D114032

Bug 1708839: Add implicit use after folding away fallible unbox r=jandem Differential Revision: https://phabricator.services.mozilla.com/D114165

Bug 1708722 - Move error reporting APIs to a new public header r=jandem Differential Revision: https://phabricator.services.mozilla.com/D113993

Bug 1708472 - Part 4: Remove template object from NewArray fallback stub r=jandem Differential Revision: https://phabricator.services.mozilla.com/D113926

Bug 1708472 - Part 1: Transpile optimised NewArray stub along the same lines as for NewObject r=jandem Differential Revision: https://phabricator.services.mozilla.com/D113923

Bug 1708722 - Move error reporting APIs to a new public header r=jandem Differential Revision: https://phabricator.services.mozilla.com/D113993

Bug 1706937 - Cleanup JS source-element callback. r=jandem Rename the JSGetElementCallback hook to JSSourceElementCallback to avoid confusion with GetElement operations. Differential Revision: https://phabricator.services.mozilla.com/D113985

Bug 1706937 - Handle nuked CCWs in JS shell source element hook. r=jandem While the shell uses a private value on the ScriptSourceObject that always has an "element" property, due to CCW nuking we may wind up with a dead-proxy object instead. Handle this case explicitly to avoid failing asserts below. Differential Revision: https://phabricator.services.mozilla.com/D113876

Bug 1681371 - Ship the .at() proposal. r=jandem,jorendorff Differential Revision: https://phabricator.services.mozilla.com/D102453

Bug 1708698 - Add PropertyDescriptor::Data and Accessor. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D114004

Bug 1706404 - Use Maybe<PropertyDescriptor> for JS_GetPropertyDescriptor in js/. r=jandem Depends on D113660 Differential Revision: https://phabricator.services.mozilla.com/D113661

Bug 1706404 - Use Maybe<PropertyDescriptor> for JS_GetPropertyDescriptor in js/. r=jandem Depends on D113660 Differential Revision: https://phabricator.services.mozilla.com/D113661

Bug 1706309 - Part 4: Remove template object from NewObject fallback stub r=jandem Now this is no longer used we can remove the tempalte object from the fallback stub. Differential Revision: https://phabricator.services.mozilla.com/D113659

Bug 1706309 - Part 2: Transpile NewPlainObject stub in warp r=jandem This transpiles the optimized stub for NewObject operations and removes WarpNewObject. I'm not sure whether to suppress bailout generation or not in WarpScriptOracle::maybeInlineIC. Iain said this was important but it doesn't seem to make any difference. Differential Revision: https://phabricator.services.mozilla.com/D112723

Bug 1706309 - Part 1: Remove the limitation on number of dynamic slots when attaching plain object stub r=jandem Differential Revision: https://phabricator.services.mozilla.com/D113658

Bug 1706694 - Simplify use of Add/RemoveCellMemory r=jandem These already check whether the associated cell is tenured so we can remove the extra checks. Depends on D113317 Differential Revision: https://phabricator.services.mozilla.com/D113506

Bug 1706694 - Tidy string flattening to use JSRope* in a few more places r=jandem Differential Revision: https://phabricator.services.mozilla.com/D113317

Bug 1706694 - Don't overwrite leftmost rope's internals at the start when reusing the leftmost child buffer in string flattening r=jandem This is unnecessary and was causing problems. We can leave the leftmost rope to be handled in the same way as all the other ropes, and move the special case to just avoid copying the chars when reusing the leftmost buffer. The problem was that now we always barrier ropes, before overwriting the left child pointer with the parent pointer. If this happens during incremental GC we must ensure we haven't already overwritten this pointer we the buffer pointer. This patch also moves changing the leftmost string into a dependent string until the end. Depends on D113316 Differential Revision: https://phabricator.services.mozilla.com/D113503

Bug 1706694 - When flattening ropes, store the parent pointer in the left child field rather than overwriting the cell header r=jandem This moves the part that sets the charater data pointer to finish_node as this also shares this field. We pass the parent pointer (and flags) into first_visit_node and set these after we've extracted the left child pointer. Differential Revision: https://phabricator.services.mozilla.com/D113316

Bug 1706314: Add OSR guards for mismatched phis r=jandem Differential Revision: https://phabricator.services.mozilla.com/D113417

Bug 1706314: Back out previous fix r=jandem Differential Revision: https://phabricator.services.mozilla.com/D113416