Bug 1642593 - Transpile GuardAnyClass. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D77793

Bug 1642593 - Support GuardToClass in CacheIR. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D77792

Bug 1642593 - Create a InlinableNativeGuardToClass function to allow for more code sharing. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D77791

Bug 1642593 - Transpile GuardAnyClass. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D77793

Bug 1642593 - Support GuardToClass in CacheIR. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D77792

Bug 1642593 - Create a InlinableNativeGuardToClass function to allow for more code sharing. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D77791

Bug 1596691 - Add a JSParser target to fuzz-tests. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D77006

Bug 1612636: Add test r=jandem Differential Revision: https://phabricator.services.mozilla.com/D61795

Bug 1596691 - Add a JSParser target to fuzz-tests. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D77006

Bug 1641708 - Transpile IsCallable/IsConstructor r=jandem Differential Revision: https://phabricator.services.mozilla.com/D77383

Bug 1641708 - Support IsConstructor in CacheIR r=jandem Differential Revision: https://phabricator.services.mozilla.com/D77382

Bug 1641708 - Support IsCallable in CacheIR r=jandem Differential Revision: https://phabricator.services.mozilla.com/D77381

Bug 1641708 - Move isCallableOrConstructor to the MacroAssembler r=jandem Differential Revision: https://phabricator.services.mozilla.com/D77380

Bug 1640476 - Warp: Transpile Function.prototype.call. r=jandem I changed the CacheIR code to specialize on the actual call target. I think polymorphic targets are actually not totally common, GDocs for example uses hasOwnProperty.call() a lot. When we start supporting guardNotClassConstructor etc. this should just start working as well though. Differential Revision: https://phabricator.services.mozilla.com/D76620

Bug 1640300 - Transpile scripted calls r=jandem Differential Revision: https://phabricator.services.mozilla.com/D76559

Bug 1640300 - Factor out WarpCacheIRTranspiler::emitCallFunction r=jandem Differential Revision: https://phabricator.services.mozilla.com/D76558

Bug 1640300 - Construct WrappedFunction based on new function metadata stored in CacheIR r=jandem Differential Revision: https://phabricator.services.mozilla.com/D76557

Bug 1640748 - Warp: Fix LoadArgumentSlot transpilation. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D76758

Bug 1630607: arm64: check that upper high bits are zero'd when boxing a 32-bit value; r=jandem Differential Revision: https://phabricator.services.mozilla.com/D71175

Bug 1639991: Use offsetOf accessors for match result object slots r=jandem Also did a drive-by comment clean-up I missed when adding dotAll. Differential Revision: https://phabricator.services.mozilla.com/D76391

Bug 1362154: Part 6: Fall back to OOL call for named captures in Ion r=jandem Named captures add a `groups` property to the match result. The shape of that group depends on the regexp. Allocating an object in masm requires monomorphizing on a particular template object, but all of our existing Ion regexp code is designed to handle arbitrary regexps. This means we can't allocate the `groups` object in jitcode without a lot of work. Given that we have to call into C++ to allocate, we might as well just use the existing OOL fallback. This performs a VM call to RegExpMatcherRaw, which will simply call CreateRegExpMatchResult. Differential Revision: https://phabricator.services.mozilla.com/D76038

Bug 1639839 - Warp: Transpile JSOp::New. r=jandem We also need to ignore the template metadata for things like `new Array`. In the future of course we should actually use that for optimizations. Differential Revision: https://phabricator.services.mozilla.com/D76303

Bug 1639159 - Transpile ArrayPush. r=jandem I tried to compare BaselineCacheIRCompiler::emitArrayPush and CodeGenerator::emitArrayPush to make sure I didn't miss any implicit guards. It seems like the Ion inline path is actually more limited though. MArrayPush is typed in Ion to return Int32, that is however not really true, because array.length can overflow INT32_MAX. Ion currently handles this via TI invalidation. For simplicity I decided to instead add a bailout before we even try to push. In the future we should look into some approach that doesn't require invalidation to handle this. Differential Revision: https://phabricator.services.mozilla.com/D75926

Bug 1639159 - Transpile LoadProto. r=jandem Due to the previous guards emitted by CacheIR we know that this is always going to load a static prototype. For example using MGetPrototypeOf would also try to handle dynamic prototypes. I added a JIT assertion to make sure this assumption holds. Differential Revision: https://phabricator.services.mozilla.com/D75925

Bug 1639503 - Add folding for MGuardObjectIdentity. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D76109

Bug 1638470 - Move script atoms from RuntimeScriptData to PrivateScriptData. r=mgaudet,jandem In practice there is not much saved by sharing these atoms in the runtime these days. Moving this simplifies the script data structures and simplies the Stencil code. Depends on D75643 Differential Revision: https://phabricator.services.mozilla.com/D75644

Bug 1638460 - Warp: Support transpiling Calls to known natives. r=jandem Depends on D75701 Differential Revision: https://phabricator.services.mozilla.com/D75633

Bug 1638460 - Factor out the MCall creation logic to makeCall. r=jandem Depends on D75700 Differential Revision: https://phabricator.services.mozilla.com/D75701

Bug 1638460 - Create a WarpBuilderShared base class. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D75700

Bug 1638460 - Warp: Support transpiling Calls to known natives. r=jandem Depends on D75701 Differential Revision: https://phabricator.services.mozilla.com/D75633

Bug 1638460 - Factor out the MCall creation logic to makeCall. r=jandem Depends on D75700 Differential Revision: https://phabricator.services.mozilla.com/D75701

Bug 1638460 - Create a WarpBuilderShared base class. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D75700

Bug 1638787 - Support return values and timeouts in JSRT fuzzing interface. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D75773

Bug 1638586 - Introduce and use branchNeg32. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D75690

Bug 1638586 - Cleanup and share more code for double abs in Ion. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D75689

Bug 1065894 - Part 8: Add test cases. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D74627

Bug 1065894 - Part 7: Inline 'byteLength' and 'byteOffset' getters for DataViews. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D74625

Bug 1065894 - Part 6: Inline DataView setter functions. r=jandem Similar to the previous part, inline the setter functions based on the current `StoreUnboxedScalar` support. Differential Revision: https://phabricator.services.mozilla.com/D74624

Bug 1065894 - Part 5: Inline DataView getter functions. r=jandem The implementation of `LoadDataViewElement` follows `LoadUnboxedScalar`, therefore most `LoadDataViewElement` functions were placed next to their counterparts from `LoadUnboxedScalar`. MCallOptimize: - The two single-byte getters `getInt8` and `getUint8` are directly inlined through `LoadUnboxedScalar`. - This let's us avoid duplicating the single byte extra cases in Lowering. - And `MLoadDataViewElement` doesn't need to save the otherwise unused `littleEndian` parameter. Lowering: - Optimises the case when `littleEndian` is a constant value, so we can avoid branching around the byte swap instructions in most cases. - As usual, x86 needs special-casing because there are too few registers available. I didn't bother to implement the following two optimisations for `LoadUnboxedScalar` to `LoadDataViewElement`: - `AnalyzeLoadUnboxedScalar` from EffectiveAddressAnalysis - Constant index optimisation in lowering/codegen Both optimisations are currently unavailable due to Spectre index masking, so it didn't seem worthwhile to spend time to support them for `LoadDataViewElement`. Differential Revision: https://phabricator.services.mozilla.com/D74623

Bug 1065894 - Part 4: Add LInt64Definition::BogusTemp. r=jandem Change LInt64Definition to a proper class and add a `BogusTemp` method to it. This will be used in the next patches. Differential Revision: https://phabricator.services.mozilla.com/D74622

Bug 1065894 - Part 3: Add unaligned load and store functions to the assemblers. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D74621

Bug 1065894 - Part 2: Add byte swap instructions to the assemblers. r=jandem x86/x64: - Implement the 2-byte swap instructions using `rol`, matching the output of Clang for the `__builtin_bswap16` built-in. - 4-byte and 8-byte swaps are implemented through `bswap`. - The actual `rol` and `bswap` functions are derived from upstream. arm32: - Implement 2-byte swap with sign extend using `revsh`. - Implement 2-byte swap with zero extend using `rev16` followed by `uxth`. - 4-byte and 8-byte swaps are implemented through `rev`. arm64: - Implement 2-byte swap using `rev16` followed by either `sxth` or `uxth`. - 4-byte and 8-byte swaps are implemented through `rev`. Differential Revision: https://phabricator.services.mozilla.com/D74620

Bug 1065894 - Part 1: Rename TypedArray mir nodes to mention ArrayBufferView. r=jandem Following bug 1496378, update MIR nodes to mention ArrayBufferView instead of TypedArray. Later patches in this stack will make use of them for DataView objects. Differential Revision: https://phabricator.services.mozilla.com/D74619

Bug 1637755 - Support transpiling simple (optimized) native calls. r=jandem,iain I changed GuardSpecificNativeFunction to GuardSpecificFunction (aka Object), which is easier to optimize. With this patch we can transpile calls to str.charCodeAt and str.charAt. Differential Revision: https://phabricator.services.mozilla.com/D75200

Bug 1637529 - Rewrite the shell module loader in C++ r=jandem Sorry for the big patch. This is a straight rewrite of shell/ModuleLoader.js in C++. It's mostly straigtforward but there were a couple of clunky parts: using promises/closures from C++ was rather verbose and I had to write some string utilities. Differential Revision: https://phabricator.services.mozilla.com/D75271

Bug 1637529 - Rewrite the shell module loader in C++ r=jandem Sorry for the big patch. This is a straight rewrite of shell/ModuleLoader.js in C++. It's mostly straigtforward but there were a couple of clunky parts: using promises/closures from C++ was rather verbose and I had to write some string utilities. Differential Revision: https://phabricator.services.mozilla.com/D75271

Bug 1638246 - [MIPS] Add branchTestGCThing, unboxGCThingForGCBarrier and fix branchValueIsNurseryCell. r=jandem Differential Revision: https://phabricator.services.mozilla.com/D75479

Bug 1634135: Fix look-behind back-references r=jandem If a look-behind back-reference succeeds, we have to subtract the length of the capture from the current position (so that the current position points to the beginning of the capture). We don't have the length in a register, so we have to read it from the capture registers, which are stored on the stack. However, we pushed the initial value of the current position, so the stack pointer is offset by one word from where we expect. The fix is to pop the saved value *before* subtracting the length. With this fix, we pass all the test262 tests for look-behind assertions, dotAll, and unicode property escapes. (I will turn them on in a separate bug.) Differential Revision: https://phabricator.services.mozilla.com/D73113

Bug 1637189: Add test case r=jandem We don't have great test coverage for two-byte strings. This testcase triggers the bug, but at some point I think we should do something more systematic (like a mode where we force two-byte strings everywhere). Depends on D74900 Differential Revision: https://phabricator.services.mozilla.com/D74901

Bug 1637189: Don't clobber current_position_ when it's non-volatile r=jandem Unicode case-insensitive backreferences crash on 32-bit x86, but not on 64-bit. The problem is in the code deciding which registers to save before calling CaseInsensitiveCompareUCStrings. We save all the volatile registers, except for a couple that we know we won't need. After we do that, we modify current_position_, with the implicit expectation that it was saved. That's true on x86-64, but not true on x86-32. The old version of this code used the same approach, but assigned its registers in a different order in the NativeRegExpMacroAssembler constructor, so we got away with it. The fix is to ensure we always save/restore current_position, even if it's not volatile. Differential Revision: https://phabricator.services.mozilla.com/D74900