CodeCache should check that the UnlinkedCodeBlock was successfully created before...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog-2018-09-11
1 2018-09-10  Michael Saboff  <msaboff@apple.com>
2
3         Test262 failure with Named Capture Groups - using a reference before the group is defined
4         https://bugs.webkit.org/show_bug.cgi?id=189407
5
6         Reviewed by Alex Christensen.
7
8         Added code to save the named forward references we see during parsing and validating that
9         they are all present when parsing the RegExp is complete.  If there are unnamed references,
10         we reparse with some variation of behavior.  Just like for numeric references, the
11         behavior is different depending on whether or not the unicode (u flag) is present.  
12         For non-unicode patterns, we treat the \k<...> as a literal pattern.  For a unicode 
13         pattern we throw an exception.
14
15         Did some refactoring, renaming YarrPattern::reset() and YarrPatternConstructor::reset()
16         resetForReparsing() as that is the only use for those methods.  Also changed
17         all the delegate methods that take a String to take a const String& to eliminate
18         copy churn.
19
20         * yarr/YarrParser.h:
21         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
22         (JSC::Yarr::Parser::CharacterClassParserDelegate::isValidNamedForwardReference):
23         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedForwardReference):
24         (JSC::Yarr::Parser::parseEscape):
25         * yarr/YarrPattern.cpp:
26         (JSC::Yarr::YarrPatternConstructor::resetForReparsing):
27         (JSC::Yarr::YarrPatternConstructor::saveUnmatchedNamedForwardReferences):
28         (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
29         (JSC::Yarr::YarrPatternConstructor::isValidNamedForwardReference):
30         (JSC::Yarr::YarrPatternConstructor::atomNamedForwardReference):
31         (JSC::Yarr::YarrPattern::compile):
32         (JSC::Yarr::YarrPatternConstructor::reset): Deleted.
33         * yarr/YarrPattern.h:
34         (JSC::Yarr::YarrPattern::resetForReparsing):
35         (JSC::Yarr::YarrPattern::containsIllegalNamedForwardReferences):
36         (JSC::Yarr::YarrPattern::reset): Deleted.
37         * yarr/YarrSyntaxChecker.cpp:
38         (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
39         (JSC::Yarr::SyntaxChecker::isValidNamedForwardReference):
40         (JSC::Yarr::SyntaxChecker::atomNamedForwardReference):
41
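The entry above describes the two behaviours a conforming engine must implement for a named backreference whose group is not yet (or never) defined. The following is an added example, not WebKit or test262 code, that exercises those rules from script; the pattern strings, the input "abc" and the helper names classifyNamedReference and namedReferenceBehaviour are constructed here for illustration.

```javascript
// Added example, not WebKit code: the ECMAScript rules for a named
// backreference \k<name> that the ChangeLog entry above describes.
// Pattern strings and inputs are constructed here for illustration.

// Build a RegExp and report whether construction threw a SyntaxError.
function classifyNamedReference(pattern, flags = "") {
  try {
    return { kind: "ok", re: new RegExp(pattern, flags) };
  } catch (e) {
    if (e instanceof SyntaxError) return { kind: "syntax-error" };
    throw e;
  }
}

function namedReferenceBehaviour() {
  // 1. Forward reference: \k<word> appears before (?<word>...) is defined.
  //    Legal; the group has not captured yet, so the backreference matches
  //    the empty string and the group then captures "abc".
  const forward = /\k<word>(?<word>[a-z]+)/.exec("abc");

  // 2. Non-unicode pattern with no named groups at all: Annex B treats \k as
  //    an identity escape, so the pattern is the literal text "k<word>".
  const literal = classifyNamedReference("\\k<word>");
  const literalMatches = literal.kind === "ok" && literal.re.test("k<word>");

  // 3. The same pattern with the u flag must be a SyntaxError.
  const unicode = classifyNamedReference("\\k<word>", "u");

  // 4. A named group is present but \k refers to a name that is never
  //    defined: SyntaxError even without the u flag.
  const dangling = classifyNamedReference("(?<other>x)\\k<word>");

  return {
    forwardMatch: forward ? forward[0] : null,
    forwardGroup: forward ? forward.groups.word : null,
    literalMatches,
    unicodeIsSyntaxError: unicode.kind === "syntax-error",
    danglingIsSyntaxError: dangling.kind === "syntax-error",
  };
}
```

Case 4 is the one most often missed when hand-rolling a regex validator: the literal fallback for `\k` only applies when the pattern contains no named groups at all, so a single `(?<name>...)` anywhere in the pattern turns every dangling `\k<...>` into a syntax error.
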
42 2018-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
43
44         [JSC] Remove loadModule function in jsc.cpp
45         https://bugs.webkit.org/show_bug.cgi?id=184808
46
47         Reviewed by Darin Adler.
48
49         Since we have `import`, we do not need to have `loadModule` function for testing purpose.
50
51         * jsc.cpp:
52         (GlobalObject::finishCreation):
53         (functionLoadModule): Deleted.
54
55 2018-09-07  Mark Lam  <mark.lam@apple.com>
56
57         Ensure that handleIntrinsicCall() is only applied on op_call shaped instructions.
58         https://bugs.webkit.org/show_bug.cgi?id=189317
59         <rdar://problem/44152198>
60
61         Reviewed by Filip Pizlo.
62
63         handleIntrinsicCall() is normally used for checking if an op_call is a call to
64         an intrinsic function, and inlining it if it's a match.
65
66         However, getter and setter functions also do calls, and use handleCall()
67         to implement the call.  handleCall() eventually calls handleIntrinsicCall() to
68         check for intrinsics.  This results in a bug because handleIntrinsicCall()
69         sometimes relies on the ArrayProfile* of the instruction, and is always assuming
70         that the instruction is op_call shaped.  This turns out to be not true: getters
71         and setters can get there with op_get_by_val and op_put_by_val instead.
72
73         Since the intrinsic functions handled by handleIntrinsicCall() are never
74         intended to be used as getter / setter functions anyway, we can prevent this
75         whole class of bugs by having handleIntrinsicCall() fail early if the
76         instruction is not op_call shaped.
77
78         To implement this fix, we did the following:
79
80         1. Introduced the OpcodeShape enum.
81         2. Introduced isOpcodeShape<OpcodeShape>() for testing if an instruction is of the
82            shape of the specified OpcodeShape.
83         3. Introduced arrayProfileFor<OpcodeShape>() for fetching the ArrayProfile* from
84            the instruction given the OpcodeShape.
85
86            Using this arrayProfileFor template has the following benefits:
87            1. Centralizes the definition of which instructions have an ArrayProfile* operand.
88            2. Centralizes the definition of which operand is the ArrayProfile*.
89            3. Asserts that the instruction is of the expected shape when retrieving the
90               ArrayProfile*.
91
92         4. Added ArrayProfile::m_typeName and ArrayProfile::s_typeName which are used
93            in ArrayProfile::isValid() as a sanity check that a retrieved ArrayProfile*
94            indeed does point to an ArrayProfile.
95
96         * JavaScriptCore.xcodeproj/project.pbxproj:
97         * bytecode/ArrayProfile.cpp:
98         * bytecode/ArrayProfile.h:
99         (JSC::ArrayProfile::isValid const):
100         * bytecode/OpcodeInlines.h: Added.
101         (JSC::isOpcodeShape):
102         (JSC::arrayProfileFor):
103         * dfg/DFGByteCodeParser.cpp:
104         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
105         (JSC::DFG::ByteCodeParser::parseBlock):
106         * jit/JITCall.cpp:
107         (JSC::JIT::compileOpCall):
108         * jit/JITCall32_64.cpp:
109         (JSC::JIT::compileOpCall):
110         * jit/JITOpcodes.cpp:
111         (JSC::JIT::emit_op_has_indexed_property):
112         * jit/JITOpcodes32_64.cpp:
113         (JSC::JIT::emit_op_has_indexed_property):
114         * jit/JITPropertyAccess.cpp:
115         (JSC::JIT::emit_op_get_by_val):
116         (JSC::JIT::emit_op_put_by_val):
117         (JSC::JIT::emitGenericContiguousPutByVal):
118         (JSC::JIT::emitArrayStoragePutByVal):
119         (JSC::JIT::emitIntTypedArrayPutByVal):
120         (JSC::JIT::emitFloatTypedArrayPutByVal):
121         * jit/JITPropertyAccess32_64.cpp:
122         (JSC::JIT::emit_op_get_by_val):
123         (JSC::JIT::emit_op_put_by_val):
124         (JSC::JIT::emitGenericContiguousPutByVal):
125         (JSC::JIT::emitArrayStoragePutByVal):
126         * llint/LLIntSlowPaths.cpp:
127         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
128         (JSC::LLInt::getByVal):
129         * runtime/CommonSlowPaths.cpp:
130         (JSC::SLOW_PATH_DECL):
131
132 2018-09-06  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
133
134         [DFG] DFG should handle String#toString
135         https://bugs.webkit.org/show_bug.cgi?id=189151
136
137         Reviewed by Saam Barati.
138
139         We handle String#toString and String#valueOf in DFG by introducing StringValueOf node.
140         In the fixup phase, we attempt to lower StringValueOf to the existing ToString or Identity
141         nodes. If we fail to lower it, we have StringValueOf(UntypedUse), which may raise an error
142         if an argument is neither String nor StringObject. The error message in String#toString and
143         String#valueOf is poor, which will be handled in a separate bug[1].
144
145         It improves simple microbenchmarks by 53.4 - 67.6%.
146
147                                               baseline                  patched
148
149             string-object-to-string       21.7308+-3.3147     ^     12.9655+-0.0527        ^ definitely 1.6760x faster
150             string-object-value-of        20.1122+-0.0691     ^     13.1134+-0.2482        ^ definitely 1.5337x faster
151
152         [1]: https://bugs.webkit.org/show_bug.cgi?id=189357
153
154         * dfg/DFGAbstractInterpreterInlines.h:
155         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
156         * dfg/DFGByteCodeParser.cpp:
157         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
158         * dfg/DFGClobberize.h:
159         (JSC::DFG::clobberize):
160         * dfg/DFGDoesGC.cpp:
161         (JSC::DFG::doesGC):
162         * dfg/DFGFixupPhase.cpp:
163         (JSC::DFG::FixupPhase::fixupNode):
164         (JSC::DFG::FixupPhase::fixupStringValueOf):
165         * dfg/DFGNode.h:
166         (JSC::DFG::Node::convertToToString):
167         * dfg/DFGNodeType.h:
168         * dfg/DFGOperations.cpp:
169         * dfg/DFGOperations.h:
170         * dfg/DFGPredictionPropagationPhase.cpp:
171         * dfg/DFGSafeToExecute.h:
172         (JSC::DFG::safeToExecute):
173         * dfg/DFGSpeculativeJIT.cpp:
174         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf):
175         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor): Deleted.
176         * dfg/DFGSpeculativeJIT.h:
177         * dfg/DFGSpeculativeJIT32_64.cpp:
178         (JSC::DFG::SpeculativeJIT::compile):
179         * dfg/DFGSpeculativeJIT64.cpp:
180         (JSC::DFG::SpeculativeJIT::compile):
181         * ftl/FTLCapabilities.cpp:
182         (JSC::FTL::canCompile):
183         * ftl/FTLLowerDFGToB3.cpp:
184         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
185         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
186         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor): Deleted.
187
188 2018-09-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
189
190         [WebAssembly] Optimize JS to Wasm call by using pointer of Signature as SignatureIndex
191         https://bugs.webkit.org/show_bug.cgi?id=189401
192
193         Reviewed by Mark Lam.
194
195         SignatureInformation is a global repository for Signature to make Signature atomic.
196         It takes Ref<Signature>&& and generates SignatureIndex. And we get const Signature&
197         by using this SignatureIndex. However, converting SignatureIndex to const Signature&
198         always looks up a hash table. This is costly since JS to Wasm calls always use
199         Signature& to check types of arguments.
200
201         Instead of using this hash table, this patch uses a pointer of Signature as SignatureIndex.
202         This allows us to convert SignatureIndex to Signature by just casting it.
203
204         We also optimize SignatureInformation::singleton by making an accessor function inlined.
205         And we move ProtoCallFrame::init to the header since it's just setting values.
206
207         This change significantly optimizes JS to wasm calls (1e7 times) from 600ms to 320ms.
208
209         In the future, we can remove SignatureIndex by directly handling Ref<Signature>: adding
210         deref() of Signature which unregisters itself from SignatureInformation carefully. Or we can
211         make SignatureIndex uint32_t by introducing a mechanism similar to StructureID.
212
213         * JavaScriptCore.xcodeproj/project.pbxproj:
214         * Sources.txt:
215         * interpreter/ProtoCallFrame.h:
216         (JSC::ProtoCallFrame::init):
217         * wasm/WasmB3IRGenerator.cpp:
218         (JSC::Wasm::B3IRGenerator::addCallIndirect):
219         * wasm/WasmBBQPlan.cpp:
220         * wasm/WasmFormat.h:
221         (JSC::Wasm::WasmToWasmImportableFunction::offsetOfSignatureIndex):
222         * wasm/WasmFunctionParser.h:
223         * wasm/WasmModule.h:
224         * wasm/WasmOMGPlan.cpp:
225         * wasm/WasmSectionParser.cpp:
226         (JSC::Wasm::SectionParser::parseType):
227         * wasm/WasmSignature.cpp:
228         (JSC::Wasm::SignatureInformation::adopt):
229         (JSC::Wasm::SignatureInformation::tryCleanup):
230         (JSC::Wasm::SignatureInformation::singleton): Deleted.
231         (JSC::Wasm::SignatureInformation::get): Deleted.
232         * wasm/WasmSignature.h:
233         (JSC::Wasm::Signature::index const):
234         (JSC::Wasm::SignatureHash::SignatureHash):
235         (JSC::Wasm::SignatureHash::hash):
236         (JSC::Wasm::SignatureHash::isHashTableDeletedValue const):
237         (JSC::Wasm::SignatureHash::empty): Deleted.
238         (JSC::Wasm::SignatureHash::deleted): Deleted.
239         * wasm/WasmSignatureInlines.h: Renamed from Source/JavaScriptCore/interpreter/ProtoCallFrame.cpp.
240         (JSC::Wasm::SignatureInformation::singleton):
241         (JSC::Wasm::SignatureInformation::get):
242         * wasm/js/JSToWasm.cpp:
243         * wasm/js/JSWebAssemblyModule.h:
244         * wasm/js/WasmToJS.cpp:
245         (JSC::Wasm::wasmToJS):
246         * wasm/js/WebAssemblyFunction.cpp:
247         * wasm/js/WebAssemblyModuleRecord.cpp:
248         * wasm/js/WebAssemblyWrapperFunction.cpp:
249
250 2018-09-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
251
252         [JSC] Put .throwStackOverflow code after the fast path in LLInt doVMEntry
253         https://bugs.webkit.org/show_bug.cgi?id=189410
254
255         Reviewed by Mark Lam.
256
257         Put .throwStackOverflow code after the fast path in LLInt doVMEntry to
258         make doVMEntry code tight.
259
260         * llint/LLIntThunks.cpp:
261         (JSC::vmEntryToWasm): Deleted.
262         * llint/LLIntThunks.h:
263         (JSC::vmEntryToWasm):
264         * llint/LowLevelInterpreter32_64.asm:
265         * llint/LowLevelInterpreter64.asm:
266
267 2018-09-06  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
268
269         [WebAssembly] Optimize JS to Wasm call by removing Vector allocation
270         https://bugs.webkit.org/show_bug.cgi?id=189353
271
272         Reviewed by Mark Lam.
273
274         JS to Wasm call always allocates Vector for the arguments. This is really costly if the wasm function is small.
275         This patch adds an initial size parameter to the Vector to avoid allocations for small sized arguments.
276
277         * runtime/ArgList.h:
278         * wasm/js/WebAssemblyFunction.cpp:
279         (JSC::callWebAssemblyFunction):
280
281 2018-08-31  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
282
283         [JSC] Clean up StructureStubClearingWatchpoint
284         https://bugs.webkit.org/show_bug.cgi?id=189156
285
286         Reviewed by Saam Barati.
287
288         Cleaning up StructureStubClearingWatchpoint by holding StructureStubClearingWatchpoint in Bag
289         in WatchpointsOnStructureStubInfo. This removes hacky linked list code for StructureStubClearingWatchpoint.
290
291         * bytecode/StructureStubClearingWatchpoint.cpp:
292         (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
293         (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint): Deleted.
294         (JSC::StructureStubClearingWatchpoint::push): Deleted.
295         (JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo): Deleted.
296         * bytecode/StructureStubClearingWatchpoint.h:
297         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
298
299 2018-09-06  Michael Saboff  <msaboff@apple.com>
300
301         Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
302         https://bugs.webkit.org/show_bug.cgi?id=189380
303
304         Reviewed by Saam Barati.
305
306         Account for the case in Math.pow(NaN, y) where y could be 0.
307
308         * bytecode/SpeculatedType.cpp:
309         (JSC::typeOfDoublePow):
310
311 2018-09-06  Mark Lam  <mark.lam@apple.com>
312
313         Gardening: only visit m_cachedStructureID if it's not null.
314         https://bugs.webkit.org/show_bug.cgi?id=189124
315         <rdar://problem/43863605>
316
317         Not reviewed.
318
319         * runtime/JSPropertyNameEnumerator.cpp:
320         (JSC::JSPropertyNameEnumerator::visitChildren):
321
322 2018-09-06  Tomas Popela  <tpopela@redhat.com>
323
324         [JSC] Build broken after r234975 on s390x, ppc64le, armv7hl
325         https://bugs.webkit.org/show_bug.cgi?id=189078
326
327         Reviewed by Mark Lam.
328
329         Caused by the GCC bug - https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70124.
330         Using the ternary operator instead of std::max() fixes it.
331
332         * heap/RegisterState.h:
333
334 2018-09-05  Mark Lam  <mark.lam@apple.com>
335
336         JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
337         https://bugs.webkit.org/show_bug.cgi?id=189124
338         <rdar://problem/43863605>
339
340         Reviewed by Filip Pizlo.
341
342         It is assumed that the Structure for the m_cachedStructureID will remain alive
343         while the m_cachedStructureID is in use.  This prevents the structureID from being
344         re-used for a different Structure.
345
346         * runtime/JSPropertyNameEnumerator.cpp:
347         (JSC::JSPropertyNameEnumerator::visitChildren):
348
349 2018-09-05  Ross Kirsling  <ross.kirsling@sony.com>
350
351         [ESNext] Symbol.prototype.description
352         https://bugs.webkit.org/show_bug.cgi?id=186686
353
354         Reviewed by Keith Miller.
355
356         Symbol.prototype.description was implemented in r232404, but has one small bug:
357         It should return undefined for a null symbol.
358
359         * runtime/Symbol.cpp:
360         (JSC::Symbol::description const):
361         * runtime/SymbolPrototype.cpp:
362         (JSC::symbolProtoGetterDescription):
363         Address the null symbol case.
364
365 2018-09-04  Keith Miller  <keith_miller@apple.com>
366
367         RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83
368         https://bugs.webkit.org/show_bug.cgi?id=188917
369
370         Reviewed by Mark Lam.
371
372         Our allocators should be able to handle allocating a zero-sized object.
373         Zero-sized objects will be allocated into the smallest size class.
374
375         * dfg/DFGSpeculativeJIT.cpp:
376         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
377         * ftl/FTLLowerDFGToB3.cpp:
378         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
379         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
380         * heap/MarkedSpace.h:
381         (JSC::MarkedSpace::sizeClassToIndex):
382         (JSC::MarkedSpace::indexToSizeClass):
383         * jit/AssemblyHelpers.cpp:
384         (JSC::AssemblyHelpers::emitAllocateVariableSized):
385         * runtime/JSArrayBufferView.cpp:
386         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
387
388 2018-09-05  Mark Lam  <mark.lam@apple.com>
389
390         Fix DeferredSourceDump to capture the caller bytecodeIndex instead of CodeOrigin.
391         https://bugs.webkit.org/show_bug.cgi?id=189300
392         <rdar://problem/39681779>
393
394         Reviewed by Saam Barati.
395
396         At the time a DeferredSourceDump is instantiated, it captures a CodeOrigin value
397         which points to a InlineCallFrame in the DFG::Plan's m_inlineCallFrames set.  The
398         DeferredSourceDump is later used to dump source even if the compilation fails.
399         This is intentional so that we can use this tool to see what source fails to
400         compile as well.
401
402         The DFG::Plan may have been destructed by then, and since the compilation failed,
403         the InlineCallFrame is also destructed.  This means DeferredSourceDump::dump()
404         may be end up accessing freed memory.
405
406         DeferredSourceDump doesn't really need a CodeOrigin.  All it wants is the caller
407         bytecodeIndex for the call to an inlined function.  Hence, we can fix this issue
408         by changing DeferredSourceDump to capture the caller bytecodeIndex instead.
409
410         In this patch, we also change DeferredSourceDump's m_codeBlock and m_rootCodeBlock
411         to be Strong references to ensure that the CodeBlocks are kept alive until they
412         can be dumped.
413
414         * bytecode/DeferredCompilationCallback.cpp:
415         (JSC::DeferredCompilationCallback::dumpCompiledSourcesIfNeeded):
416         * bytecode/DeferredSourceDump.cpp:
417         (JSC::DeferredSourceDump::DeferredSourceDump):
418         (JSC::DeferredSourceDump::dump):
419         * bytecode/DeferredSourceDump.h:
420         * dfg/DFGByteCodeParser.cpp:
421         (JSC::DFG::ByteCodeParser::parseCodeBlock):
422
423 2018-09-05  David Kilzer  <ddkilzer@apple.com>
424
425         REGRESSION (r235419): DFGCFG.h is missing from JavaScriptCore Xcode project
426
427         Found using `tidy-Xcode-project-file --missing` (see Bug
428         188754).  Fix was made manually.
429
430         * JavaScriptCore.xcodeproj/project.pbxproj:
431         (dfg/DFGCFG.h): Revert accidental change in r235419 by restoring
432         `name` and `path` values to file reference.
433
434 2018-09-05  Mark Lam  <mark.lam@apple.com>
435
436         isAsyncGeneratorMethodParseMode() should check for SourceParseMode::AsyncGeneratorWrapperMethodMode.
437         https://bugs.webkit.org/show_bug.cgi?id=189292
438         <rdar://problem/38907433>
439
440         Reviewed by Saam Barati.
441
442         Previously, isAsyncGeneratorMethodParseMode() was checking for AsyncGeneratorWrapperFunctionMode
443         instead of AsyncGeneratorWrapperMethodMode.  This patch fixes it
444         to check for AsyncGeneratorWrapperMethodMode (to match what is expected as indicated
445         in the name isAsyncGeneratorMethodParseMode).
446
447         * parser/ParserModes.h:
448         (JSC::isAsyncGeneratorMethodParseMode):
449
450 2018-09-04  Michael Saboff  <msaboff@apple.com>
451
452         Unreviewed indentations change.
453
454         * yarr/YarrJIT.cpp:
455         (JSC::Yarr::YarrGenerator::matchBackreference):
456
457 2018-09-04  Michael Saboff  <msaboff@apple.com>
458
459         JSC Build error when changing CPU type: offlineasm: No magic values found. Skipping assembly file generation
460         https://bugs.webkit.org/show_bug.cgi?id=189274
461
462         Reviewed by Saam Barati.
463
464         Put the derived file LLIntDesiredOffsets.h in an architecture specific subdirectory to make them unique.
465
466         Somehow I got this change mixed up with the change for r235636.  The changes to JavaScriptCore.xcodeproj/project.pbxproj
467         were landed there.
468
469         * JavaScriptCore.xcodeproj/project.pbxproj:
470
471 2018-09-04  Michael Saboff  <msaboff@apple.com>
472
473         YARR: JIT RegExps with back references
474         https://bugs.webkit.org/show_bug.cgi?id=180874
475
476         Reviewed by Filip Pizlo.
477
478         Implemented JIT'ed back references for all counted types.  The only type of back references
479         not handled in the JIT are 16bit matches that ignore case.  Such support would require the
480         canonicalization that is currently handled in the Yarr interpreter via a C function call.
481         The back reference processing for surrogate pairs is implemented by individually comparing
482         each surrogate a la memcmp.
483
484         Added a generated canonicalization table for the LChar (8bit) domain to process case
485         ignored back references.
486
487         Added macro assembler load16(ExtendedAddress) for indexed access to the canonicalization table.
488
489         Added a new JIT failure reason for forward references as the check to JIT expressions with
490         forward references were handled synonymously with those containing back references.
491
492         This change is only enabled for 64 bit platforms.
493
494         * assembler/MacroAssemblerARM64.h:
495         (JSC::MacroAssemblerARM64::load16):
496         * assembler/MacroAssemblerX86_64.h:
497         (JSC::MacroAssemblerX86_64::load16):
498         * runtime/RegExp.cpp:
499         (JSC::RegExp::compile):
500         (JSC::RegExp::compileMatchOnly):
501         * yarr/YarrCanonicalize.h:
502         * yarr/YarrCanonicalizeUCS2.cpp:
503         * yarr/YarrCanonicalizeUCS2.js:
504         (set characters.hex.set string_appeared_here):
505         * yarr/YarrJIT.cpp:
506         (JSC::Yarr::YarrGenerator::checkNotEnoughInput):
507         (JSC::Yarr::YarrGenerator::readCharacterDontDecodeSurrogates):
508         (JSC::Yarr::YarrGenerator::matchBackreference):
509         (JSC::Yarr::YarrGenerator::generateBackReference):
510         (JSC::Yarr::YarrGenerator::backtrackBackReference):
511         (JSC::Yarr::YarrGenerator::generateTerm):
512         (JSC::Yarr::YarrGenerator::backtrackTerm):
513         (JSC::Yarr::YarrGenerator::compile):
514         (JSC::Yarr::dumpCompileFailure):
515         * yarr/YarrJIT.h:
516         * yarr/YarrPattern.h:
517         (JSC::Yarr::BackTrackInfoBackReference::beginIndex):
518         (JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex):
519
520 2018-09-04  Mark Lam  <mark.lam@apple.com>
521
522         Make the jsc shell print, printErr, and debug functions more robust.
523         https://bugs.webkit.org/show_bug.cgi?id=189268
524         <rdar://problem/41192690>
525
526         Reviewed by Keith Miller.
527
528         We'll now check for UTF8 conversion errors.
529
530         * jsc.cpp:
531         (cStringFromViewWithString):
532         (printInternal):
533         (functionDebug):
534
535 2018-09-04  Michael Catanzaro  <mcatanzaro@igalia.com>
536
537         [WPE][GTK] Add more unused result warnings to JSC API
538         https://bugs.webkit.org/show_bug.cgi?id=189243
539
540         Reviewed by Carlos Garcia Campos.
541
542         The jsc_context_evaluate() family of functions has a (transfer full) return value, but the
543         caller may be tempted to not inspect it if uninterested in the return value. This would be
544         an error, because it must be freed.
545
546         * API/glib/JSCContext.h:
547
548 2018-09-03  Mark Lam  <mark.lam@apple.com>
549
550         The watchdog sometimes fails to terminate a script.
551         https://bugs.webkit.org/show_bug.cgi?id=189227
552         <rdar://problem/39932857>
553
554         Reviewed by Saam Barati.
555
556         Consider the following scenario:
557
558         1. We have an infinite loop bytecode sequence as follows:
559
560             [  13] loop_hint
561             [  14] check_traps
562             [  15] jmp               -2(->13)
563
564         2. The VM tiers up from LLInt -> BaselineJIT -> DFG -> FTL.
565
566            Note that op_check_traps is represented as a CheckTraps node in the DFG and FTL.
567            When we're not using pollingTraps (JSC_usePollingTraps is false by default),
568            we emit no code for CheckTraps, but only record an InvalidationPoint there.
569
570         3. The watchdog fires, and invalidates all InvalidationPoints in the FTL CodeBlock.
571
572            InvalidationPoints OSR exits to the next instruction by design.  In this case,
573         that means the VM will resume executing at the op_jmp, which jumps to the
574            op_loop_hint opcode.  At the loop_hint, the VM discovers that the function is
575            already hot, and attempts to tier up.  It immediately discovers that a replacement
576            CodeBlock is available because we still haven't jettisoned the DFG CodeBlock
577            nor the FTL CodeBlock that was previously compiled for this function.
578
579            Note that jettisoning a CodeBlock necessarily means the VM will invalidate
580            its InvalidationPoints (if the CodeBlock is DFG/FTL).  However, the reverse
581            is not true: merely invalidating the InvalidationPoints does not necessarily
582            mean that the CodeBlock is jettisoned.
583
584            VMTraps::tryInstallTrapBreakpoints() runs from a separate thread.  Hence,
585            it is only safe for it to invalidate a CodeBlock's InvalidationPoints.  It
586            is not safe for the CodeBlock to be jettisoned from another thread.  Instead,
587            the VMTraps mechanism relies on the script thread running to an op_check_traps
588            in the baseline JIT code where it will do the necessary jettisoning of optimized
589            CodeBlocks.
590
591         Since the op_check_traps never get executed, the VM will perpetually tier up in
592         the op_loop_hint, OSR exit to the op_jmp, jump to the op_loop_hint, and repeat.
593         Consequently, the watchdog fails to terminate this script.
594
595         In this patch, we fix this by making the DFG BytecodeParser emit an InvalidationPoint
596         node directly (when the VM is not configured to use polling traps).  This ensures
597         that the check traps invalidation point will OSR exit to the op_check_traps opcode
598         in the baseline JIT.
599
600         In this patch, we also change VMTraps::tryInstallTrapBreakpoints() to use
601         CallFrame::unsafeCodeBlock() instead of CallFrame::codeBlock().  This is because
602         we don't really know if the frame is properly set up.  We're just conservatively
603         probing the stack.  ASAN does not like this probing.  Using unsafeCodeBlock() here
604         will suppress the false positive ASAN complaint.
605
606         * dfg/DFGByteCodeParser.cpp:
607         (JSC::DFG::ByteCodeParser::parseBlock):
608         * dfg/DFGClobberize.h:
609         (JSC::DFG::clobberize):
610         * dfg/DFGFixupPhase.cpp:
611         (JSC::DFG::FixupPhase::fixupNode):
612         * dfg/DFGPredictionPropagationPhase.cpp:
613         * dfg/DFGSpeculativeJIT.cpp:
614         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
615         * dfg/DFGSpeculativeJIT32_64.cpp:
616         (JSC::DFG::SpeculativeJIT::compile):
617         * dfg/DFGSpeculativeJIT64.cpp:
618         (JSC::DFG::SpeculativeJIT::compile):
619         * ftl/FTLLowerDFGToB3.cpp:
620         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
621         * runtime/VMTraps.cpp:
622         (JSC::VMTraps::tryInstallTrapBreakpoints):
623
624 2018-09-03  Mark Lam  <mark.lam@apple.com>
625
626         CallFrame::unsafeCallee() should use an ASAN suppressed Register::asanUnsafePointer().
627         https://bugs.webkit.org/show_bug.cgi?id=189247
628
629         Reviewed by Saam Barati.
630
631         * interpreter/CallFrame.h:
632         (JSC::ExecState::unsafeCallee const):
633         * interpreter/Register.h:
634         (JSC::Register::asanUnsafePointer const):
635         (JSC::Register::unsafePayload const):
636
637 2018-09-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
638
639         Implement Object.fromEntries
640         https://bugs.webkit.org/show_bug.cgi?id=188481
641
642         Reviewed by Darin Adler.
643
644         Object.fromEntries becomes stage 3[1]. This patch implements it by using builtin JS.
645
646         [1]: https://tc39.github.io/proposal-object-from-entries/
647
648         * builtins/ObjectConstructor.js:
649         (fromEntries):
650         * runtime/ObjectConstructor.cpp:
651
652 2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
653
654         Function object should convert params to string before throwing a parsing error
655         https://bugs.webkit.org/show_bug.cgi?id=188874
656
657         Reviewed by Darin Adler.
658
659         ToString operation onto the `body` of the Function constructor should be performed
660         before checking syntax correctness of the parameters.
661
662         * runtime/FunctionConstructor.cpp:
663         (JSC::constructFunctionSkippingEvalEnabledCheck):
664
665 2018-08-31  Mark Lam  <mark.lam@apple.com>
666
667         Fix exception check accounting in constructJSWebAssemblyCompileError().
668         https://bugs.webkit.org/show_bug.cgi?id=189185
669         <rdar://problem/39786007>
670
671         Reviewed by Michael Saboff.
672
673         Also add an exception check in JSWebAssemblyModule::createStub() so that we don't
674         inadvertently overwrite a pre-existing exception (if present).
675
676         * wasm/js/JSWebAssemblyModule.cpp:
677         (JSC::JSWebAssemblyModule::createStub):
678         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
679         (JSC::constructJSWebAssemblyCompileError):
680
681 2018-08-31  Mark Lam  <mark.lam@apple.com>
682
683         Gardening: ARMv7 build fix.
684         https://bugs.webkit.org/show_bug.cgi?id=158911
685
686         Not reviewed.
687
688         * assembler/MacroAssemblerARMv7.h:
689         (JSC::MacroAssemblerARMv7::patchableBranch8):
690
691 2018-08-31  Mark Lam  <mark.lam@apple.com>
692
693         Fix exception check accounting in JSDataView::defineOwnProperty().
694         https://bugs.webkit.org/show_bug.cgi?id=189186
695         <rdar://problem/39786049>
696
697         Reviewed by Michael Saboff.
698
699         * runtime/JSDataView.cpp:
700         (JSC::JSDataView::defineOwnProperty):
701
702 2018-08-31  Mark Lam  <mark.lam@apple.com>
703
704         Add missing exception check in arrayProtoFuncLastIndexOf().
705         https://bugs.webkit.org/show_bug.cgi?id=189184
706         <rdar://problem/39785959>
707
708         Reviewed by Yusuke Suzuki.
709
710         * runtime/ArrayPrototype.cpp:
711         (JSC::arrayProtoFuncLastIndexOf):
712
713 2018-08-31  Saam barati  <sbarati@apple.com>
714
715         convertToRegExpMatchFastGlobal must use KnownString as the child use kind
716         https://bugs.webkit.org/show_bug.cgi?id=189173
717         <rdar://problem/43501645>
718
719         Reviewed by Michael Saboff.
720
721         We were crashing during validation because mayExit returned true
722         at a point in the program when we weren't allowed to exit.
723         
724         The issue is in StrengthReduction: we end up emitting code that
725         had a StringUse on an edge after a node that did side effects and before
726         an ExitOK/bytecode number transition. However, StrengthReduction did the
727         right thing here and also emitted the type checks before the node with
728         side effects. It just did bad bookkeeping. The node we convert to needs
729         to use KnownStringUse instead of StringUse for the child edge.
730
731         * dfg/DFGNode.cpp:
732         (JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
733         (JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
734         (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
735         (JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
736         * dfg/DFGNode.h:
737         * dfg/DFGStrengthReductionPhase.cpp:
738         (JSC::DFG::StrengthReductionPhase::handleNode):
739
740 2018-08-30  Saam barati  <sbarati@apple.com>
741
742         Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
743         https://bugs.webkit.org/show_bug.cgi?id=189166
744
745         Reviewed by Mark Lam.
746
747         * bytecode/AccessCase.cpp:
748         (JSC::AccessCase::generateImpl):
749         * bytecode/GetterSetterAccessCase.cpp:
750         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
751         * bytecode/InlineAccess.cpp:
752         (JSC::getScratchRegister):
753         * bytecode/PolymorphicAccess.cpp:
754         (JSC::PolymorphicAccess::regenerate):
755         * bytecode/StructureStubInfo.h:
756         (JSC::StructureStubInfo::valueRegs const):
757         * jit/JITInlineCacheGenerator.cpp:
758         (JSC::JITByIdGenerator::JITByIdGenerator):
759         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
760         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
761
762 2018-08-30  Saam barati  <sbarati@apple.com>
763
764         InlineAccess should do StringLength
765         https://bugs.webkit.org/show_bug.cgi?id=158911
766
767         Reviewed by Yusuke Suzuki.
768
769         This patch extends InlineAccess to support StringLength. This patch also
770         fixes AccessCase::fromStructureStubInfo to support ArrayLength and StringLength.
771         I forgot to implement this for ArrayLength in the initial InlineAccess
772         implementation.  Supporting StringLength is a natural extension of the
773         InlineAccess machinery.
774
775         * assembler/MacroAssembler.h:
776         (JSC::MacroAssembler::patchableBranch8):
777         * assembler/MacroAssemblerARM64.h:
778         (JSC::MacroAssemblerARM64::patchableBranch8):
779         * bytecode/AccessCase.cpp:
780         (JSC::AccessCase::fromStructureStubInfo):
781         * bytecode/BytecodeDumper.cpp:
782         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
783         * bytecode/InlineAccess.cpp:
784         (JSC::InlineAccess::dumpCacheSizesAndCrash):
785         (JSC::InlineAccess::generateSelfPropertyAccess):
786         (JSC::getScratchRegister):
787         (JSC::InlineAccess::generateSelfPropertyReplace):
788         (JSC::InlineAccess::generateArrayLength):
789         (JSC::InlineAccess::generateSelfInAccess):
790         (JSC::InlineAccess::generateStringLength):
791         * bytecode/InlineAccess.h:
792         * bytecode/PolymorphicAccess.cpp:
793         (JSC::PolymorphicAccess::regenerate):
794         * bytecode/StructureStubInfo.cpp:
795         (JSC::StructureStubInfo::initStringLength):
796         (JSC::StructureStubInfo::deref):
797         (JSC::StructureStubInfo::aboutToDie):
798         (JSC::StructureStubInfo::propagateTransitions):
799         * bytecode/StructureStubInfo.h:
800         (JSC::StructureStubInfo::baseGPR const):
801         * jit/Repatch.cpp:
802         (JSC::tryCacheGetByID):
803
804 2018-08-30  Saam barati  <sbarati@apple.com>
805
806         CSE DataViewGet* DFG nodes
807         https://bugs.webkit.org/show_bug.cgi?id=188768
808
809         Reviewed by Yusuke Suzuki.
810
811         This patch makes it so that we CSE DataViewGet* accesses. To do this,
812         I needed to add a third descriptor to HeapLocation to represent the
813         isLittleEndian child. This patch is neutral on compile time benchmarks,
814         and is a 50% speedup on a trivial CSE microbenchmark that I added.
815
816         * dfg/DFGClobberize.h:
817         (JSC::DFG::clobberize):
818         * dfg/DFGFixupPhase.cpp:
819         (JSC::DFG::FixupPhase::fixupNode):
820         * dfg/DFGHeapLocation.cpp:
821         (WTF::printInternal):
822         * dfg/DFGHeapLocation.h:
823         (JSC::DFG::HeapLocation::HeapLocation):
824         (JSC::DFG::HeapLocation::hash const):
825         (JSC::DFG::HeapLocation::operator== const):
826         (JSC::DFG::indexedPropertyLocForResultType):
827
828 2018-08-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
829
830         output of toString() of Generator is wrong
831         https://bugs.webkit.org/show_bug.cgi?id=188952
832
833         Reviewed by Saam Barati.
834
835         Function#toString does not respect generators and async generators.
836         This patch fixes them and supports all the function types.
837
838         * runtime/FunctionPrototype.cpp:
839         (JSC::functionProtoFuncToString):
840
841 2018-08-29  Mark Lam  <mark.lam@apple.com>
842
843         Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
844         https://bugs.webkit.org/show_bug.cgi?id=189132
845         <rdar://problem/42513068>
846
847         Reviewed by Saam Barati.
848
849         * runtime/JSCJSValueInlines.h:
850         (JSC::JSValue::toPropertyKey const):
851         * runtime/JSString.cpp:
852         (JSC::JSRopeString::resolveRopeToAtomicString const):
853
854 2018-08-29  Commit Queue  <commit-queue@webkit.org>
855
856         Unreviewed, rolling out r235432 and r235436.
857         https://bugs.webkit.org/show_bug.cgi?id=189086
858
859         Is a Swift source breaking change. (Requested by keith_miller
860         on #webkit).
861
862         Reverted changesets:
863
864         "Add nullability attributes to JSValue"
865         https://bugs.webkit.org/show_bug.cgi?id=189047
866         https://trac.webkit.org/changeset/235432
867
868         "Add nullability attributes to JSValue"
869         https://bugs.webkit.org/show_bug.cgi?id=189047
870         https://trac.webkit.org/changeset/235436
871
872 2018-08-28  Mark Lam  <mark.lam@apple.com>
873
874         Fix bit-rotted Interpreter::dumpRegisters() and move it to the VMInspector.
875         https://bugs.webkit.org/show_bug.cgi?id=189059
876         <rdar://problem/40335354>
877
878         Reviewed by Saam Barati.
879
880         1. Moved Interpreter::dumpRegisters() to VMInspector::dumpRegisters().
881         2. Added $vm.dumpRegisters().
882
883             Usage: $vm.dumpRegisters(N) // dump the registers of the Nth CallFrame.
884             Usage: $vm.dumpRegisters() // dump the registers of the current CallFrame.
885
886            Note: Currently, $vm.dumpRegisters() only dumps registers in the physical frame.
887            It will treat inlined frames' content as registers in the bounding physical frame.
888
889            Here's an example of such a dump on a DFG frame:
890
891                 Register frame: 
892
893                 -----------------------------------------------------------------------------
894                             use            |   address  |                value               
895                 -----------------------------------------------------------------------------
896                 [r 12 arguments[  7]]      | 0x7ffeefbfd330 | 0xa                Undefined
897                 [r 11 arguments[  6]]      | 0x7ffeefbfd328 | 0x10bbb3e80        Object: 0x10bbb3e80 with butterfly 0x0 (Structure 0x10bbf20d0:[Object, {}, NonArray, Proto:0x10bbb4000]), StructureID: 76
898                 [r 10 arguments[  5]]      | 0x7ffeefbfd320 | 0xa                Undefined
899                 [r  9 arguments[  4]]      | 0x7ffeefbfd318 | 0xa                Undefined
900                 [r  8 arguments[  3]]      | 0x7ffeefbfd310 | 0xa                Undefined
901                 [r  7 arguments[  2]]      | 0x7ffeefbfd308 | 0xffff0000000a5eaa Int32: 679594
902                 [r  6 arguments[  1]]      | 0x7ffeefbfd300 | 0x10bbd00f0        Object: 0x10bbd00f0 with butterfly 0x8000f8248 (Structure 0x10bba4700:[Function, {name:100, prototype:101, length:102, Symbol.species:103, isArray:104}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 160
903                 [r  5           this]      | 0x7ffeefbfd2f8 | 0x10bbe0000        Object: 0x10bbe0000 with butterfly 0x8000d8808 (Structure 0x10bb35340:[global, {parseInt:100, parseFloat:101, Object:102, Function:103, Array:104, RegExp:105, RangeError:106, TypeError:107, PrivateSymbol.Object:108, PrivateSymbol.Array:109, ArrayBuffer:110, String:111, Symbol:112, Number:113, Boolean:114, Error:115, Map:116, Set:117, Promise:118, eval:119, Reflect:121, $vm:122, WebAssembly:123, debug:124, describe:125, describeArray:126, print:127, printErr:128, quit:129, gc:130, fullGC:131, edenGC:132, forceGCSlowPaths:133, gcHeapSize:134, addressOf:135, version:136, run:137, runString:138, load:139, loadString:140, readFile:141, read:142, checkSyntax:143, sleepSeconds:144, jscStack:145, readline:146, preciseTime:147, neverInlineFunction:148, noInline:149, noDFG:150, noFTL:151, numberOfDFGCompiles:153, jscOptions:154, optimizeNextInvocation:155, reoptimizationRetryCount:156, transferArrayBuffer:157, failNextNewCodeBlock:158, OSRExit:159, isFinalTier:160, predictInt32:161, isInt32:162, isPureNaN:163, fiatInt52:164, effectful42:165, makeMasquerader:166, hasCustomProperties:167, createGlobalObject:168, dumpTypesForAllVariables:169, drainMicrotasks:170, getRandomSeed:171, setRandomSeed:172, isRope:173, callerSourceOrigin:174, is32BitPlatform:175, loadModule:176, checkModuleSyntax:177, platformSupportsSamplingProfiler:178, generateHeapSnapshot:179, resetSuperSamplerState:180, ensureArrayStorage:181, startSamplingProfiler:182, samplingProfilerStackTraces:183, maxArguments:184, asyncTestStart:185, asyncTestPassed:186, WebAssemblyMemoryMode:187, console:188, $:189, $262:190, waitForReport:191, heapCapacity:192, flashHeapAccess:193, disableRichSourceInfo:194, mallocInALoop:195, totalCompileTime:196, Proxy:197, uneval:198, WScript:199, failWithMessage:200, triggerAssertFalse:201, isNaN:202, isFinite:203, escape:204, unescape:205, decodeURI:206, decodeURIComponent:207, encodeURI:208, encodeURIComponent:209, EvalError:210, ReferenceError:211, SyntaxError:212, URIError:213, JSON:214, Math:215, Int8Array:216, PrivateSymbol.Int8Array:217, Int16Array:218, PrivateSymbol.Int16Array:219, Int32Array:220, PrivateSymbol.Int32Array:221, Uint8Array:222, PrivateSymbol.Uint8Array:223, Uint8ClampedArray:224, PrivateSymbol.Uint8ClampedArray:225, Uint16Array:226, PrivateSymbol.Uint16Array:227, Uint32Array:228, PrivateSymbol.Uint32Array:229, Float32Array:230, PrivateSymbol.Float32Array:231, Float64Array:232, PrivateSymbol.Float64Array:233, DataView:234, Date:235, WeakMap:236, WeakSet:237, Intl:120, desc:238}, NonArray, Proto:0x10bbb4000, UncacheableDictionary, Leaf]), StructureID: 474
904                 -----------------------------------------------------------------------------
905                 [ArgumentCount]            | 0x7ffeefbfd2f0 | 7 
906                 [ReturnVPC]                | 0x7ffeefbfd2f0 | 164 (line 57)
907                 [Callee]                   | 0x7ffeefbfd2e8 | 0x10bb68db0        Object: 0x10bb68db0 with butterfly 0x0 (Structure 0x10bbf1c00:[Function, {}, NonArray, Proto:0x10bbd0000, Shady leaf]), StructureID: 65
908                 [CodeBlock]                | 0x7ffeefbfd2e0 | 0x10bb2f8e0        __callRandomFunction#DmVXnv:[0x10bb2f8e0->0x10bbfd1e0, LLIntFunctionCall, 253]
909                 [ReturnPC]                 | 0x7ffeefbfd2d8 | 0x10064d14c 
910                 [CallerFrame]              | 0x7ffeefbfd2d0 | 0x7ffeefbfd380 
911                 -----------------------------------------------------------------------------
912                 [r -1  CalleeSaveReg]      | 0x7ffeefbfd2c8 | 0xffff000000000002 Int32: 2
913                 [r -2  CalleeSaveReg]      | 0x7ffeefbfd2c0 | 0xffff000000000000 Int32: 0
914                 [r -3  CalleeSaveReg]      | 0x7ffeefbfd2b8 | 0x10baf1608        
915                 [r -4               ]      | 0x7ffeefbfd2b0 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
916                 [r -5               ]      | 0x7ffeefbfd2a8 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
917                 [r -6               ]      | 0x7ffeefbfd2a0 | 0xa                Undefined
918                 -----------------------------------------------------------------------------
919                 [r -7]                     | 0x7ffeefbfd298 | 0x10bb6fdc0        String (atomic) (identifier): length, StructureID: 4
920                 [r -8]                     | 0x7ffeefbfd290 | 0x10bbb7ec0        Object: 0x10bbb7ec0 with butterfly 0x8000e0008 (Structure 0x10bbf2ae0:[Array, {}, ArrayWithContiguous, Proto:0x10bbc8080]), StructureID: 99
921                 [r -9]                     | 0x7ffeefbfd288 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
922                 [r-10]                     | 0x7ffeefbfd280 | 0xffff000000000004 Int32: 4
923                 [r-11]                     | 0x7ffeefbfd278 | 0x10bbb4290        Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306
924                 [r-12]                     | 0x7ffeefbfd270 | 0x100000001        
925                 [r-13]                     | 0x7ffeefbfd268 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
926                 [r-14]                     | 0x7ffeefbfd260 | 0x0                
927                 [r-15]                     | 0x7ffeefbfd258 | 0x10064d14c        
928                 [r-16]                     | 0x7ffeefbfd250 | 0x7ffeefbfd2d0     
929                 [r-17]                     | 0x7ffeefbfd248 | 0x67ec87ee177      INVALID
930                 [r-18]                     | 0x7ffeefbfd240 | 0x7ffeefbfd250     
931                 -----------------------------------------------------------------------------
932
933         3. Removed dumpCallFrame() from the jsc shell.  We have the following tools that
934            we can use in its place:
935
936             $vm.dumpCallFrame()
937             $vm.dumpBytecodeFor()
938             $vm.dumpRegisters()     // Just added in this patch.
939
940         4. Also fixed a bug in BytecodeDumper: it should only access
941            CallLinkInfo::haveLastSeenCallee() if CallLinkInfo::isDirect() is false.
942
943         * bytecode/BytecodeDumper.cpp:
944         (JSC::BytecodeDumper<Block>::printCallOp):
945         * interpreter/Interpreter.cpp:
946         (JSC::Interpreter::dumpCallFrame): Deleted.
947         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): Deleted.
948         (JSC::DumpReturnVirtualPCFunctor::operator() const): Deleted.
949         (JSC::Interpreter::dumpRegisters): Deleted.
950         * interpreter/Interpreter.h:
951         * jsc.cpp:
952         (GlobalObject::finishCreation):
953         (functionDumpCallFrame): Deleted.
954         * tools/JSDollarVM.cpp:
955         (JSC::functionDumpRegisters):
956         (JSC::JSDollarVM::finishCreation):
957         * tools/VMInspector.cpp:
958         (JSC::VMInspector::dumpRegisters):
959         * tools/VMInspector.h:
960
961 2018-08-28  Keith Miller  <keith_miller@apple.com>
962
963         Add nullability attributes to JSValue
964         https://bugs.webkit.org/show_bug.cgi?id=189047
965
966         Reviewed by Dan Bernstein.
967
968         Switch to using NS_ASSUME_NONNULL_BEGIN/END.
969
970         * API/JSValue.h:
971
972 2018-08-28  Keith Miller  <keith_miller@apple.com>
973
974         Add nullability attributes to JSValue
975         https://bugs.webkit.org/show_bug.cgi?id=189047
976
977         Reviewed by Geoffrey Garen.
978
979         * API/JSValue.h:
980
981 2018-08-27  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
982
983         [WebAssembly] Parse wasm modules in a streaming fashion
984         https://bugs.webkit.org/show_bug.cgi?id=188943
985
986         Reviewed by Mark Lam.
987
988         This patch adds Wasm::StreamingParser, which parses wasm binary in a streaming fashion.
989         Currently, this StreamingParser is not enabled and integrated. In subsequent patches,
990         we start integrating it into BBQPlan and dropping the old ModuleParser.
991
992         * JavaScriptCore.xcodeproj/project.pbxproj:
993         * Sources.txt:
994         * tools/JSDollarVM.cpp:
995         (WTF::WasmStreamingParser::WasmStreamingParser):
996         (WTF::WasmStreamingParser::create):
997         (WTF::WasmStreamingParser::createStructure):
998         (WTF::WasmStreamingParser::streamingParser):
999         (WTF::WasmStreamingParser::finishCreation):
1000         (WTF::functionWasmStreamingParserAddBytes):
1001         (WTF::functionWasmStreamingParserFinalize):
1002         (JSC::functionCreateWasmStreamingParser):
1003         (JSC::JSDollarVM::finishCreation):
1004         The $vm Wasm::StreamingParser object is introduced for testing purposes. The added stress test uses
1005         this interface to test the streaming parser in the JSC shell.
1006
1007         * wasm/WasmBBQPlan.cpp:
1008         (JSC::Wasm::BBQPlan::BBQPlan):
1009         (JSC::Wasm::BBQPlan::parseAndValidateModule):
1010         (JSC::Wasm::BBQPlan::prepare):
1011         (JSC::Wasm::BBQPlan::compileFunctions):
1012         (JSC::Wasm::BBQPlan::complete):
1013         (JSC::Wasm::BBQPlan::work):
1014         * wasm/WasmBBQPlan.h:
1015         BBQPlan has m_source, but once ModuleInformation is parsed, it is no longer necessary.
1016         In subsequent patches, we will remove this, and stream the data into the BBQPlan.
1017
1018         * wasm/WasmFormat.h:
1019         * wasm/WasmModuleInformation.cpp:
1020         (JSC::Wasm::ModuleInformation::ModuleInformation):
1021         * wasm/WasmModuleInformation.h:
1022         One of the largest changes in this patch is that ModuleInformation no longer holds source bytes,
1023         since source bytes can be added in a streaming fashion. Instead of holding all the source bytes
1024         in ModuleInformation, each function (ModuleInformation::functions, FunctionData) should have
1025         Vector<uint8_t> for its data. This data is eventually filled by StreamingParser, and compiling
1026         a function with this data can be done concurrently with StreamingParser.
1027
1028         (JSC::Wasm::ModuleInformation::create):
1029         (JSC::Wasm::ModuleInformation::memoryCount const):
1030         (JSC::Wasm::ModuleInformation::tableCount const):
1031         memoryCount and tableCount should be recorded in ModuleInformation.
1032
1033         * wasm/WasmModuleParser.cpp:
1034         (JSC::Wasm::ModuleParser::parse):
1035         (JSC::Wasm::makeI32InitExpr): Deleted.
1036         (JSC::Wasm::ModuleParser::parseType): Deleted.
1037         (JSC::Wasm::ModuleParser::parseImport): Deleted.
1038         (JSC::Wasm::ModuleParser::parseFunction): Deleted.
1039         (JSC::Wasm::ModuleParser::parseResizableLimits): Deleted.
1040         (JSC::Wasm::ModuleParser::parseTableHelper): Deleted.
1041         (JSC::Wasm::ModuleParser::parseTable): Deleted.
1042         (JSC::Wasm::ModuleParser::parseMemoryHelper): Deleted.
1043         (JSC::Wasm::ModuleParser::parseMemory): Deleted.
1044         (JSC::Wasm::ModuleParser::parseGlobal): Deleted.
1045         (JSC::Wasm::ModuleParser::parseExport): Deleted.
1046         (JSC::Wasm::ModuleParser::parseStart): Deleted.
1047         (JSC::Wasm::ModuleParser::parseElement): Deleted.
1048         (JSC::Wasm::ModuleParser::parseCode): Deleted.
1049         (JSC::Wasm::ModuleParser::parseInitExpr): Deleted.
1050         (JSC::Wasm::ModuleParser::parseGlobalType): Deleted.
1051         (JSC::Wasm::ModuleParser::parseData): Deleted.
1052         (JSC::Wasm::ModuleParser::parseCustom): Deleted.
1053         Extract section parsing code out from ModuleParser. We create SectionParser and ModuleParser uses it.
1054         SectionParser is also used by StreamingParser.
1055
1056         * wasm/WasmModuleParser.h:
1057         (): Deleted.
1058         * wasm/WasmNameSection.h:
1059         (JSC::Wasm::NameSection::NameSection):
1060         (JSC::Wasm::NameSection::create):
1061         (JSC::Wasm::NameSection::setHash):
1062         Hash calculation is deferred since not all of the source is available in streaming parsing.
1063
1064         * wasm/WasmNameSectionParser.cpp:
1065         (JSC::Wasm::NameSectionParser::parse):
1066         * wasm/WasmNameSectionParser.h:
1067         Use Ref<NameSection>.
1068
1069         * wasm/WasmOMGPlan.cpp:
1070         (JSC::Wasm::OMGPlan::work):
1071         Wasm::Plan no longer has m_source since data will eventually be filled in a streaming fashion.
1072         OMGPlan can get data of the function by using ModuleInformation::functions.
1073
1074         * wasm/WasmParser.h:
1075         (JSC::Wasm::Parser::source const):
1076         (JSC::Wasm::Parser::length const):
1077         (JSC::Wasm::Parser::offset const):
1078         (JSC::Wasm::Parser::fail const):
1079         (JSC::Wasm::makeI32InitExpr):
1080         * wasm/WasmPlan.cpp:
1081         (JSC::Wasm::Plan::Plan):
1082         Wasm::Plan should not have all the source a priori. Streamed data will be pumped from the provider.
1083
1084         * wasm/WasmPlan.h:
1085         * wasm/WasmSectionParser.cpp: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.cpp.
1086         SectionParser is extracted from ModuleParser. And it is used by both the old (currently working)
1087         ModuleParser and the new StreamingParser.
1088
1089         (JSC::Wasm::SectionParser::parseType):
1090         (JSC::Wasm::SectionParser::parseImport):
1091         (JSC::Wasm::SectionParser::parseFunction):
1092         (JSC::Wasm::SectionParser::parseResizableLimits):
1093         (JSC::Wasm::SectionParser::parseTableHelper):
1094         (JSC::Wasm::SectionParser::parseTable):
1095         (JSC::Wasm::SectionParser::parseMemoryHelper):
1096         (JSC::Wasm::SectionParser::parseMemory):
1097         (JSC::Wasm::SectionParser::parseGlobal):
1098         (JSC::Wasm::SectionParser::parseExport):
1099         (JSC::Wasm::SectionParser::parseStart):
1100         (JSC::Wasm::SectionParser::parseElement):
1101         (JSC::Wasm::SectionParser::parseCode):
1102         (JSC::Wasm::SectionParser::parseInitExpr):
1103         (JSC::Wasm::SectionParser::parseGlobalType):
1104         (JSC::Wasm::SectionParser::parseData):
1105         (JSC::Wasm::SectionParser::parseCustom):
1106         * wasm/WasmSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.h.
1107         * wasm/WasmStreamingParser.cpp: Added.
1108         (JSC::Wasm::parseUInt7):
1109         (JSC::Wasm::StreamingParser::fail):
1110         (JSC::Wasm::StreamingParser::StreamingParser):
1111         (JSC::Wasm::StreamingParser::parseModuleHeader):
1112         (JSC::Wasm::StreamingParser::parseSectionID):
1113         (JSC::Wasm::StreamingParser::parseSectionSize):
1114         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
1115         The code section in a Wasm binary is handled specially compared with the other sections since it includes
1116         a bunch of functions. StreamingParser extracts each function in a streaming fashion and enables
1117         streaming validation / compilation of Wasm functions.
1118
1119         (JSC::Wasm::StreamingParser::parseFunctionSize):
1120         (JSC::Wasm::StreamingParser::parseFunctionPayload):
1121         (JSC::Wasm::StreamingParser::parseSectionPayload):
1122         (JSC::Wasm::StreamingParser::consume):
1123         (JSC::Wasm::StreamingParser::consumeVarUInt32):
1124         (JSC::Wasm::StreamingParser::addBytes):
1125         (JSC::Wasm::StreamingParser::failOnState):
1126         (JSC::Wasm::StreamingParser::finalize):
1127         * wasm/WasmStreamingParser.h: Added.
1128         (JSC::Wasm::StreamingParser::addBytes):
1129         (JSC::Wasm::StreamingParser::errorMessage const):
1130         This is our new StreamingParser implementation. StreamingParser::consumeXXX functions get data, and
1131         StreamingParser::parseXXX functions parse consumed data. The user of StreamingParser calls
1132         StreamingParser::addBytes() to pump the byte stream into the parser. And once all the data is pumped,
1133         the user calls StreamingParser::finalize. StreamingParser is a state machine which feeds on the
1134         incoming byte stream.
1135
1136         * wasm/js/JSWebAssemblyModule.cpp:
1137         (JSC::JSWebAssemblyModule::source const): Deleted.
1138         All the source should not be held.
1139
1140         * wasm/js/JSWebAssemblyModule.h:
1141         * wasm/js/WebAssemblyPrototype.cpp:
1142         (JSC::webAssemblyValidateFunc):
1143
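The entry above describes StreamingParser as a state machine fed through addBytes(), with consume* functions taking bytes and parse* functions acting on them, the code section split per function so that each body can be validated or compiled as soon as it arrives, and finalize() called once the stream ends. The block below is an added example, not JSC's Wasm::StreamingParser, that builds a minimal parser of that shape for the wasm binary format; every class, method and state name in it is my own, and the sample module bytes are constructed for the example.

```javascript
// Added example, not JSC's Wasm::StreamingParser (names here are my own): a minimal streaming
// parser for the wasm binary format, with consume* methods taking bytes and step() parsing them.
const CODE_SECTION_ID = 10;
const HEADER = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // "\0asm" magic, version 1
class StreamingParser {
  constructor() {
    Object.assign(this, { state: 'ModuleHeader', buffer: [], offset: 0, sectionId: 0, sectionEnd: 0,
      functionsRemaining: 0, functionSize: 0, sections: [], functions: [], error: null });
  }
  fail(message) { throw new Error(message); }
  get sectionRemaining() { return this.sectionEnd - this.offset; } // unconsumed bytes of this section
  // Next n bytes, or null when the caller has to wait for more input.
  consume(n) {
    if (this.buffer.length < n) return null;
    this.offset += n;
    return Uint8Array.from(this.buffer.splice(0, n));
  }
  // Unsigned LEB128 of at most 5 bytes; null until its terminating byte has arrived.
  consumeVarUInt32() {
    let result = 0;
    for (let i = 0; i < this.buffer.length && i < 5; i++) {
      result |= (this.buffer[i] & 0x7f) << (7 * i);
      if ((this.buffer[i] & 0x80) === 0) { this.buffer.splice(0, i + 1); this.offset += i + 1; return result >>> 0; }
    }
    if (this.buffer.length >= 5) this.fail('LEB128 value longer than 5 bytes');
    return null;
  }
  // One state transition; returns false when more bytes are needed.
  step() {
    switch (this.state) {
      case 'ModuleHeader': {
        const header = this.consume(8); if (!header) return false;
        if (HEADER.some((v, i) => header[i] !== v)) this.fail('bad magic or unsupported version');
        this.state = 'SectionID'; return true;
      }
      case 'SectionID': {
        const id = this.consume(1); if (!id) return false;
        if (id[0] > 12) this.fail(`unknown section id ${id[0]}`);
        this.sectionId = id[0]; this.state = 'SectionSize'; return true;
      }
      case 'SectionSize': {
        const size = this.consumeVarUInt32(); if (size === null) return false;
        this.sectionEnd = this.offset + size; this.sections.push({ id: this.sectionId, size });
        // Code is split per function so each body can be validated/compiled as soon as it is complete.
        this.state = this.sectionId === CODE_SECTION_ID ? 'CodeSectionSize' : 'SectionPayload';
        return true;
      }
      case 'SectionPayload': {
        if (!this.consume(this.sectionRemaining)) return false; // a SectionParser would run here
        this.state = 'SectionID'; return true;
      }
      case 'CodeSectionSize': {
        const count = this.consumeVarUInt32(); if (count === null) return false;
        if (count === 0 && this.sectionRemaining !== 0) this.fail('code section size mismatch');
        this.functionsRemaining = count; this.state = count === 0 ? 'SectionID' : 'FunctionSize';
        return true;
      }
      case 'FunctionSize': {
        const size = this.consumeVarUInt32(); if (size === null) return false;
        if (size > this.sectionRemaining) this.fail('function body overruns its code section');
        this.functionSize = size; this.state = 'FunctionPayload'; return true;
      }
      case 'FunctionPayload': {
        const body = this.consume(this.functionSize); if (!body) return false;
        this.functions.push(body); // in the engine, FunctionData would receive these bytes
        if (--this.functionsRemaining > 0) { this.state = 'FunctionSize'; return true; }
        if (this.sectionRemaining !== 0) this.fail('code section size mismatch');
        this.state = 'SectionID'; return true;
      }
    }
    return false; // Finished or Failed: nothing left to do
  }
  // Pump a chunk of the byte stream in; parsing advances as far as the data allows.
  addBytes(chunk) {
    if (this.state === 'Failed' || this.state === 'Finished') return this.state;
    for (const byte of chunk) this.buffer.push(byte);
    try { while (this.step()) { /* keep stepping */ } }
    catch (e) { this.state = 'Failed'; this.error = e.message; }
    return this.state;
  }
  // End of stream: a whole module stops on a section boundary with nothing left over.
  finalize() {
    if (this.state !== 'Failed' && (this.state !== 'SectionID' || this.buffer.length)) this.error = 'truncated module';
    return (this.state = this.error ? 'Failed' : 'Finished');
  }
}
// Constructed sample: a valid module with one function of type () -> () whose body is just `end`.
const SAMPLE_MODULE = Uint8Array.from([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic, version 1
  0x01, 0x04, 0x01, 0x60, 0x00, 0x00,             // type section: one functype, no params/results
  0x03, 0x02, 0x01, 0x00,                         // function section: one function using type 0
  0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b,             // code section: one body of size 2 (no locals, end)
]);
// Feed bytes in fixed-size chunks, as a network stream would, and report what was parsed.
function parseInChunks(bytes, chunkSize) {
  const parser = new StreamingParser();
  for (let i = 0; i < bytes.length; i += chunkSize) parser.addBytes(bytes.subarray(i, i + chunkSize));
  return { state: parser.finalize(), error: parser.error, sectionIds: parser.sections.map(s => s.id),
    functionCount: parser.functions.length };
}
```

Feeding SAMPLE_MODULE one byte at a time, five at a time, or all at once ends in the same Finished state with sections 1, 3 and 10 and one function body; cutting the stream inside the code section fails at finalize() with "truncated module", and a function whose declared size exceeds what is left of its code section is rejected as soon as its size is read, before any of its bytes arrive. The section size accounting (sectionEnd against a running offset) is what lets the parser hand off each function body without ever holding the whole module.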
1144 2018-08-27  Mark Lam  <mark.lam@apple.com>
1145
1146         Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names.
1147         https://bugs.webkit.org/show_bug.cgi?id=188577
1148         <rdar://problem/42985684>
1149
1150         Reviewed by Saam Barati.
1151
1152         1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current
1153            (top) CallFrame (which may not have a valid callee) into a StackOverflowFrame.
1154
1155            The StackOverflowFrame is a sentinel frame that the low level code (exception
1156            throwing code, stack visitor, and stack unwinding code) will know to skip
1157            over.  The StackOverflowFrame will also have a valid JSCallee so that client
1158            code can compute the globalObject or VM from this frame.
1159
1160            As a result, client code that throws StackOverflowErrors no longer needs to
1161            compute the caller frame to throw from: it just converts the top frame into
1162            a StackOverflowFrame and everything should *Just Work*.
1163
1164         2. NativeCallFrameTracerWithRestore is now obsolete.
1165
1166            Instead, client code should always call convertToStackOverflowFrame() on the
1167            frame before instantiating a NativeCallFrameTracer with it.
1168
1169            This means that topCallFrame will always point to the top CallFrame (which
1170            may be a StackOverflowFrame), and topEntryFrame will always point to the top
1171            EntryFrame.  We'll never temporarily point them to the previous EntryFrame
1172            (which we used to do with NativeCallFrameTracerWithRestore).
1173
1174         3. genericUnwind() and Interpreter::unwind() will now always unwind from the top
1175            CallFrame, and will know how to handle a StackOverflowFrame if they see one.
1176
1177            This obsoletes the UnwindStart flag.
1178
1179         * CMakeLists.txt:
1180         * JavaScriptCore.xcodeproj/project.pbxproj:
1181         * Sources.txt:
1182         * debugger/Debugger.cpp:
1183         (JSC::Debugger::pauseIfNeeded):
1184         * interpreter/CallFrame.cpp:
1185         (JSC::CallFrame::callerFrame const):
1186         (JSC::CallFrame::unsafeCallerFrame const):
1187         (JSC::CallFrame::convertToStackOverflowFrame):
1188         (JSC::CallFrame::callerFrame): Deleted.
1189         (JSC::CallFrame::unsafeCallerFrame): Deleted.
1190         * interpreter/CallFrame.h:
1191         (JSC::ExecState::iterate):
1192         * interpreter/CallFrameInlines.h: Added.
1193         (JSC::CallFrame::isStackOverflowFrame const):
1194         (JSC::CallFrame::isWasmFrame const):
1195         * interpreter/EntryFrame.h: Added.
1196         (JSC::EntryFrame::vmEntryRecordOffset):
1197         (JSC::EntryFrame::calleeSaveRegistersBufferOffset):
1198         * interpreter/FrameTracers.h:
1199         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted.
1200         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted.
1201         * interpreter/Interpreter.cpp:
1202         (JSC::Interpreter::unwind):
1203         * interpreter/Interpreter.h:
1204         * interpreter/StackVisitor.cpp:
1205         (JSC::StackVisitor::StackVisitor):
1206         * interpreter/StackVisitor.h:
1207         (JSC::StackVisitor::visit):
1208         (JSC::StackVisitor::topEntryFrameIsEmpty const):
1209         * interpreter/VMEntryRecord.h:
1210         (JSC::VMEntryRecord::callee const):
1211         (JSC::EntryFrame::vmEntryRecordOffset): Deleted.
1212         (JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted.
1213         * jit/AssemblyHelpers.h:
1214         * jit/JITExceptions.cpp:
1215         (JSC::genericUnwind):
1216         * jit/JITExceptions.h:
1217         * jit/JITOperations.cpp:
1218         * llint/LLIntOffsetsExtractor.cpp:
1219         * llint/LLIntSlowPaths.cpp:
1220         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1221         * llint/LowLevelInterpreter.asm:
1222         * llint/LowLevelInterpreter32_64.asm:
1223         * llint/LowLevelInterpreter64.asm:
1224         * runtime/CallData.cpp:
1225         * runtime/CommonSlowPaths.cpp:
1226         (JSC::throwArityCheckStackOverflowError):
1227         (JSC::SLOW_PATH_DECL):
1228         * runtime/CommonSlowPathsExceptions.cpp: Removed.
1229         * runtime/CommonSlowPathsExceptions.h: Removed.
1230         * runtime/Completion.cpp:
1231         (JSC::evaluateWithScopeExtension):
1232         * runtime/JSGeneratorFunction.h:
1233         * runtime/JSGlobalObject.cpp:
1234         (JSC::JSGlobalObject::init):
1235         (JSC::JSGlobalObject::visitChildren):
1236         * runtime/JSGlobalObject.h:
1237         (JSC::JSGlobalObject::stackOverflowFrameCallee const):
1238         * runtime/VM.cpp:
1239         (JSC::VM::throwException):
1240         * runtime/VM.h:
1241         * runtime/VMInlines.h:
1242         (JSC::VM::topJSCallFrame const):
1243
1244 2018-08-27  Keith Rollin  <krollin@apple.com>
1245
1246         Unreviewed build fix -- disable LTO for production builds
1247
1248         * Configurations/Base.xcconfig:
1249
1250 2018-08-27  Aditya Keerthi  <akeerthi@apple.com>
1251
1252         Consolidate ENABLE_INPUT_TYPE_COLOR and ENABLE_INPUT_TYPE_COLOR_POPOVER
1253         https://bugs.webkit.org/show_bug.cgi?id=188931
1254
1255         Reviewed by Wenson Hsieh.
1256
1257         * Configurations/FeatureDefines.xcconfig: Removed ENABLE_INPUT_TYPE_COLOR_POPOVER.
1258
1259 2018-08-27  Devin Rousso  <drousso@apple.com>
1260
1261         Web Inspector: provide autocompletion for event breakpoints
1262         https://bugs.webkit.org/show_bug.cgi?id=188717
1263
1264         Reviewed by Brian Burg.
1265
1266         * inspector/protocol/DOM.json:
1267         Add `getSupportedEventNames` command.
1268
1269 2018-08-27  Keith Rollin  <krollin@apple.com>
1270
1271         Build system support for LTO
1272         https://bugs.webkit.org/show_bug.cgi?id=187785
1273         <rdar://problem/42353132>
1274
1275         Reviewed by Dan Bernstein.
1276
1277         Update Base.xcconfig and DebugRelease.xcconfig to optionally enable
1278         LTO.
1279
1280         * Configurations/Base.xcconfig:
1281         * Configurations/DebugRelease.xcconfig:
1282
1283 2018-08-27  Patrick Griffis  <pgriffis@igalia.com>
1284
1285         [GTK][JSC] Add warn_unused_result attribute to some APIs
1286         https://bugs.webkit.org/show_bug.cgi?id=188983
1287
1288         Reviewed by Michael Catanzaro.
1289
1290         * API/glib/JSCValue.h:
1291
1292 2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1293
1294         [JSC] Array.prototype.reverse modifies JSImmutableButterfly
1295         https://bugs.webkit.org/show_bug.cgi?id=188794
1296
1297         Reviewed by Saam Barati.
1298
1299         While Array.prototype.reverse modifies the butterfly of the given Array,
1300         it does not account for the JSImmutableButterfly case. So it accidentally modifies
1301         the content of JSImmutableButterfly.
1302         This patch converts CoW arrays to writable arrays before reversing.
1303
1304         * runtime/ArrayPrototype.cpp:
1305         (JSC::arrayProtoFuncReverse):
1306         * runtime/JSObject.h:
1307         (JSC::JSObject::ensureWritable):
1308
1309 2018-08-24  Michael Saboff  <msaboff@apple.com>
1310
1311         YARR: Update UCS canonicalization tables for Unicode 11
1312         https://bugs.webkit.org/show_bug.cgi?id=188928
1313
1314         Reviewed by Mark Lam.
1315
1316         Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js.
1317
1318         This passes JavaScriptCore and test262 tests.
1319
1320         * yarr/YarrCanonicalizeUCS2.cpp:
1321         * yarr/YarrCanonicalizeUCS2.js:
1322         (printHeader):
1323
1324 2018-08-24  Michael Saboff  <msaboff@apple.com>
1325
1326         YARR: JIT RegExps with non-greedy parenthesized sub patterns
1327         https://bugs.webkit.org/show_bug.cgi?id=180876
1328
1329         Reviewed by Filip Pizlo.
1330
1331         Implemented the non-greedy nested parentheses based on the prior greedy nested parentheses work.
1332         For the matching code, the greedy path was correct except that we don't try matching for the
1333         non-greedy case.  Added a jump out to the term after the parenthesis and a label to perform the
1334         first / next match when we backtrack.  The backtracking code needs to check to see if we have
1335         tried the first match or if we can do another match.
1336
1337         Updated the disassembly annotations to include parenthesis capturing info, quantifier type and
1338         count.  Did other minor cleanup as well.
1339
1340         Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()".
1341
1342         Updated the text in some comments, both for this change as well as accuracy for existing code.
1343
1344         * yarr/YarrJIT.cpp:
1345         (JSC::Yarr::YarrGenerator::generate):
1346         (JSC::Yarr::YarrGenerator::backtrack):
1347         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1348         (JSC::Yarr::YarrGenerator::compile):
1349         (JSC::Yarr::dumpCompileFailure):
1350         (JSC::Yarr::jitCompile):
1351         * yarr/YarrJIT.h:
1352         (JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer):
1353         (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted.
1354
1355 2018-08-23  Simon Fraser  <simon.fraser@apple.com>
1356
1357         Add support for dumping GC heap snapshots, and a viewer
1358         https://bugs.webkit.org/show_bug.cgi?id=186416
1359
1360         Reviewed by Joseph Pecoraro.
1361
1362         Make a way to dump information about the GC heap that is useful for looking for leaked
1363         or abandoned objects. This dump is obtained (on Apple platforms) via:
1364             notifyutil -p com.apple.WebKit.dumpGCHeap
1365         which writes a JSON file to /tmp which can then be loaded into the viewer in Tools/GCHeapInspector.
1366         
1367         This leverages the heap snapshot used by Web Inspector, adding an alternate format for
1368         the snapshot JSON that adds additional data about objects and why they are GC roots.
1369
1370         SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows
1371         the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. For
1372         objects visited via opaque roots, we record the reason why via a new out param to
1373         isReachableFromOpaqueRoots().
1374
1375         HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains
1376         additional information including the address of the JSCell* and the wrapped object (for
1377         JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can
1378         be the document URL.
1379
1380         GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around).
1381
1382         * API/JSAPIWrapperObject.mm:
1383         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1384         * API/JSManagedValue.mm:
1385         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
1386         * API/glib/JSAPIWrapperObjectGLib.cpp:
1387         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1388         * CMakeLists.txt:
1389         * heap/ConservativeRoots.h:
1390         (JSC::ConservativeRoots::size const):
1391         (JSC::ConservativeRoots::size): Deleted.
1392         * heap/Heap.cpp:
1393         (JSC::Heap::addCoreConstraints):
1394         * heap/HeapSnapshotBuilder.cpp:
1395         (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
1396         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
1397         (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
1398         (JSC::HeapSnapshotBuilder::buildSnapshot):
1399         (JSC::HeapSnapshotBuilder::appendNode):
1400         (JSC::HeapSnapshotBuilder::appendEdge):
1401         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
1402         (JSC::HeapSnapshotBuilder::setWrappedObjectForCell):
1403         (JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell):
1404         (JSC::snapshotTypeToString):
1405         (JSC::rootTypeToString):
1406         (JSC::HeapSnapshotBuilder::setLabelForCell):
1407         (JSC::HeapSnapshotBuilder::descriptionForCell const):
1408         (JSC::HeapSnapshotBuilder::json):
1409         (JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted.
1410         * heap/HeapSnapshotBuilder.h:
1411         * heap/SlotVisitor.cpp:
1412         (JSC::SlotVisitor::appendSlow):
1413         * heap/SlotVisitor.h:
1414         (JSC::SlotVisitor::heapSnapshotBuilder const):
1415         (JSC::SlotVisitor::rootMarkReason const):
1416         (JSC::SlotVisitor::setRootMarkReason):
1417         (JSC::SetRootMarkReasonScope::SetRootMarkReasonScope):
1418         (JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope):
1419         * heap/WeakBlock.cpp:
1420         (JSC::WeakBlock::specializedVisit):
1421         * heap/WeakHandleOwner.cpp:
1422         (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
1423         * heap/WeakHandleOwner.h:
1424         * runtime/SimpleTypedArrayController.cpp:
1425         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
1426         * runtime/SimpleTypedArrayController.h:
1427         * tools/JSDollarVM.cpp:
1428
1429 2018-08-23  Saam barati  <sbarati@apple.com>
1430
1431         JSRunLoopTimer may run part of a member function after it's destroyed
1432         https://bugs.webkit.org/show_bug.cgi?id=188426
1433
1434         Reviewed by Mark Lam.
1435
1436         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1437         to end up running timer code after the class had been destroyed.
1438         
1439         The issue I spotted was in this function:
1440         ```
1441         void JSRunLoopTimer::timerDidFire()
1442         {
1443             JSLock* apiLock = m_apiLock.get();
1444             if (!apiLock) {
1445                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1446                 return;
1447             }
1448             // HERE
1449             std::lock_guard<JSLock> lock(*apiLock);
1450             RefPtr<VM> vm = apiLock->vm();
1451             if (!vm) {
1452                 // The VM has been destroyed, so we should just give up.
1453                 return;
1454             }
1455         
1456             doWork();
1457         }
1458         ```
1459         
1460         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1461         switched before grabbing the API lock. Then, some other thread destroys the VM.
1462         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1463         timer would run code and access member variables after it was destroyed.
1464         
1465         This patch fixes this issue by introducing a new timer manager class. 
1466         This class manages timers on a per VM basis. When a timer is scheduled,
1467         this class refs the timer. It also calls the timer callback while actively
1468         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1469         callback after the timer has been destroyed. However, calling a timer callback
1470         can still race with the VM being destroyed. We continue to detect this case and
1471         bail out of the callback early.
1472         
1473         This patch also removes a lot of duplicate code between GCActivityCallback
1474         and JSRunLoopTimer.
1475
1476         * heap/EdenGCActivityCallback.cpp:
1477         (JSC::EdenGCActivityCallback::doCollection):
1478         (JSC::EdenGCActivityCallback::lastGCLength):
1479         (JSC::EdenGCActivityCallback::deathRate):
1480         * heap/EdenGCActivityCallback.h:
1481         * heap/FullGCActivityCallback.cpp:
1482         (JSC::FullGCActivityCallback::doCollection):
1483         (JSC::FullGCActivityCallback::lastGCLength):
1484         (JSC::FullGCActivityCallback::deathRate):
1485         * heap/FullGCActivityCallback.h:
1486         * heap/GCActivityCallback.cpp:
1487         (JSC::GCActivityCallback::doWork):
1488         (JSC::GCActivityCallback::scheduleTimer):
1489         (JSC::GCActivityCallback::didAllocate):
1490         (JSC::GCActivityCallback::willCollect):
1491         (JSC::GCActivityCallback::cancel):
1492         (JSC::GCActivityCallback::cancelTimer): Deleted.
1493         (JSC::GCActivityCallback::nextFireTime): Deleted.
1494         * heap/GCActivityCallback.h:
1495         * heap/Heap.cpp:
1496         (JSC::Heap::reportAbandonedObjectGraph):
1497         (JSC::Heap::notifyIncrementalSweeper):
1498         (JSC::Heap::updateAllocationLimits):
1499         (JSC::Heap::didAllocate):
1500         * heap/IncrementalSweeper.cpp:
1501         (JSC::IncrementalSweeper::scheduleTimer):
1502         (JSC::IncrementalSweeper::doWork):
1503         (JSC::IncrementalSweeper::doSweep):
1504         (JSC::IncrementalSweeper::sweepNextBlock):
1505         (JSC::IncrementalSweeper::startSweeping):
1506         (JSC::IncrementalSweeper::stopSweeping):
1507         * heap/IncrementalSweeper.h:
1508         * heap/StopIfNecessaryTimer.cpp:
1509         (JSC::StopIfNecessaryTimer::doWork):
1510         (JSC::StopIfNecessaryTimer::scheduleSoon):
1511         * heap/StopIfNecessaryTimer.h:
1512         * runtime/JSRunLoopTimer.cpp:
1513         (JSC::epochTime):
1514         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1515         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1516         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1517         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1518         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1519         (JSC::JSRunLoopTimer::Manager::shared):
1520         (JSC::JSRunLoopTimer::Manager::registerVM):
1521         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1522         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1523         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1524         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1525         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1526         (JSC::JSRunLoopTimer::timerDidFire):
1527         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1528         (JSC::JSRunLoopTimer::timeUntilFire):
1529         (JSC::JSRunLoopTimer::setTimeUntilFire):
1530         (JSC::JSRunLoopTimer::cancelTimer):
1531         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1532         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1533         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1534         * runtime/JSRunLoopTimer.h:
1535         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1536         * runtime/PromiseDeferredTimer.cpp:
1537         (JSC::PromiseDeferredTimer::doWork):
1538         (JSC::PromiseDeferredTimer::runRunLoop):
1539         (JSC::PromiseDeferredTimer::addPendingPromise):
1540         (JSC::PromiseDeferredTimer::hasPendingPromise):
1541         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1542         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1543         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1544         * runtime/PromiseDeferredTimer.h:
1545         * runtime/VM.cpp:
1546         (JSC::VM::VM):
1547         (JSC::VM::~VM):
1548         (JSC::VM::setRunLoop):
1549         (JSC::VM::registerRunLoopTimer): Deleted.
1550         (JSC::VM::unregisterRunLoopTimer): Deleted.
1551         * runtime/VM.h:
1552         (JSC::VM::runLoop const):
1553         * wasm/js/WebAssemblyPrototype.cpp:
1554         (JSC::webAssemblyModuleValidateAsyncInternal):
1555         (JSC::instantiate):
1556         (JSC::compileAndInstantiate):
1557         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1558         (JSC::webAssemblyCompileStreamingInternal):
1559         (JSC::webAssemblyInstantiateStreamingInternal):
1560
1561 2018-08-23  Mark Lam  <mark.lam@apple.com>
1562
1563         Move vmEntryGlobalObject() to VM from CallFrame.
1564         https://bugs.webkit.org/show_bug.cgi?id=188900
1565         <rdar://problem/43655753>
1566
1567         Reviewed by Michael Saboff.
1568
1569         Also introduced CallFrame::isGlobalExec() which makes use of one property of
1570         GlobalExecs to identify them, i.e. GlobalExecs have null callerFrames and returnPCs.
1571         CallFrame::initGlobalExec() ensures this.
1572
1573         In contrast, normal CallFrames always have a callerFrame (because they must at
1574         least be preceded by a VM EntryFrame) and a returnPC (at least return to the
1575         VM entry glue).
1576
1577         * API/APIUtils.h:
1578         (handleExceptionIfNeeded):
1579         (setException):
1580         * API/JSBase.cpp:
1581         (JSEvaluateScript):
1582         (JSCheckScriptSyntax):
1583         * API/JSContextRef.cpp:
1584         (JSGlobalContextRetain):
1585         (JSGlobalContextRelease):
1586         (JSGlobalContextCopyName):
1587         (JSGlobalContextSetName):
1588         (JSGlobalContextGetRemoteInspectionEnabled):
1589         (JSGlobalContextSetRemoteInspectionEnabled):
1590         (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
1591         (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
1592         (JSGlobalContextGetDebuggerRunLoop):
1593         (JSGlobalContextSetDebuggerRunLoop):
1594         (JSGlobalContextGetAugmentableInspectorController):
1595         * API/JSValue.mm:
1596         (reportExceptionToInspector):
1597         * API/glib/JSCClass.cpp:
1598         (jscContextForObject):
1599         * API/glib/JSCContext.cpp:
1600         (jsc_context_evaluate_in_object):
1601         * debugger/Debugger.cpp:
1602         (JSC::Debugger::pauseIfNeeded):
1603         * debugger/DebuggerCallFrame.cpp:
1604         (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
1605         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1606         * interpreter/CallFrame.cpp:
1607         (JSC::CallFrame::vmEntryGlobalObject): Deleted.
1608         * interpreter/CallFrame.h:
1609         (JSC::ExecState::scope const):
1610         (JSC::ExecState::noCaller):
1611         (JSC::ExecState::isGlobalExec const):
1612         * interpreter/Interpreter.cpp:
1613         (JSC::notifyDebuggerOfUnwinding):
1614         (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
1615         (JSC::Interpreter::debug):
1616         * runtime/CallData.cpp:
1617         (JSC::profiledCall):
1618         * runtime/Completion.cpp:
1619         (JSC::evaluate):
1620         (JSC::profiledEvaluate):
1621         (JSC::evaluateWithScopeExtension):
1622         (JSC::loadAndEvaluateModule):
1623         (JSC::loadModule):
1624         (JSC::linkAndEvaluateModule):
1625         (JSC::importModule):
1626         * runtime/ConstructData.cpp:
1627         (JSC::profiledConstruct):
1628         * runtime/Error.cpp:
1629         (JSC::getStackTrace):
1630         * runtime/VM.cpp:
1631         (JSC::VM::throwException):
1632         (JSC::VM::vmEntryGlobalObject const):
1633         * runtime/VM.h:
1634
1635 2018-08-23  Andy Estes  <aestes@apple.com>
1636
1637         [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
1638         https://bugs.webkit.org/show_bug.cgi?id=188829
1639
1640         Reviewed by Tim Horton.
1641
1642         * Configurations/FeatureDefines.xcconfig:
1643
1644 2018-08-23  Devin Rousso  <drousso@apple.com>
1645
1646         Web Inspector: support breakpoints for timers and animation-frame events
1647         https://bugs.webkit.org/show_bug.cgi?id=188778
1648
1649         Reviewed by Brian Burg.
1650
1651         * inspector/protocol/Debugger.json:
1652         Add `AnimationFrame` and `Timer` types to the list of pause reasons.
1653
1654         * inspector/protocol/DOMDebugger.json:
1655         Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
1656          - `setEventListenerBreakpoint`
1657          - `removeEventListenerBreakpoint`
1658          - `setInstrumentationBreakpoint`
1659          - `removeInstrumentationBreakpoint`
1660         Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
1661
1662         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1663         (CppProtocolTypesHeaderGenerator.generate_output):
1664         (CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
1665         (CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
1666         (CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
1667         Generate `DefaultHash` for all `enum class` used by inspector protocols.
1668
1669         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1670         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1671         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1672         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1673         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1674         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1675         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1676
1677 2018-08-23  Michael Saboff  <msaboff@apple.com>
1678
1679         YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
1680         https://bugs.webkit.org/show_bug.cgi?id=188895
1681
1682         Reviewed by Mark Lam.
1683
1684         Found while working on another change.  This will allow processing of nested
1685         parentheses that require saved ParenContext structures.
1686
1687         * yarr/YarrJIT.cpp:
1688         (JSC::Yarr::YarrGenerator::compile):
1689
1690 2018-08-22  Michael Saboff  <msaboff@apple.com>
1691
1692         https://bugs.webkit.org/show_bug.cgi?id=188859
1693         Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
1694
1695         Rubber-stamped by Saam Barati.
1696
1697         Deleted these two functions.
1698
1699         * jit/JITOperations.cpp:
1700         * jit/JITOperations.h:
1701
1702 2018-08-22  Mark Lam  <mark.lam@apple.com>
1703
1704         The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
1705         https://bugs.webkit.org/show_bug.cgi?id=188298
1706         <rdar://problem/42888427>
1707
1708         Reviewed by Saam Barati.
1709
1710         In the event that both targets of a Branch are the same block, then even if we'll
1711         always take one path of the branch, the other target is not unreachable because
1712         it is the same target as the one in the taken path.  Hence, it should not be
1713         jettisoned.
1714
1715         * JavaScriptCore.xcodeproj/project.pbxproj:
1716         - Added DFGCFG.h which is in use and should have been added to the project.
1717         * dfg/DFGCFGSimplificationPhase.cpp:
1718         (JSC::DFG::CFGSimplificationPhase::run):
1719
1720 2018-08-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1721
1722         [JSC] HeapUtil should care about pointer overflow
1723         https://bugs.webkit.org/show_bug.cgi?id=188740
1724
1725         Reviewed by Saam Barati.
1726
1727         `pointer - sizeof(IndexingHeader) - 1` causes undefined behavior if a pointer overflows.
1728         For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
1729         with a `char*` pointer, we cast it to `uintptr_t` temporarily. This issue was found by UBSan.
1730
1731         * heap/HeapUtil.h:
1732         (JSC::HeapUtil::findGCObjectPointersForMarking):
1733
1734 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1735
1736         [JSC] Should not rotate constant with 64
1737         https://bugs.webkit.org/show_bug.cgi?id=188556
1738
1739         Reviewed by Saam Barati.
1740
1741         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
1742         But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
1743         where value's type is uint64_t, and they cause undefined behaviors (UBs). This patch limits
1744         the seed to the range [1, 63] so as not to generate code causing UBs. This was found by UBSan.
1745
1746         * assembler/MacroAssembler.h:
1747         (JSC::MacroAssembler::generateRotationSeed):
1748         (JSC::MacroAssembler::rotationBlindConstant):
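
        Added example (not JavaScriptCore's MacroAssembler code) of rotation-based constant blinding with the seed clamped to [1, 63], as the entry above describes. The blind/unblind direction and the `rotationSeedFromRandom()` helper are assumptions made for the example; the point is that neither shift amount can ever be 0 or 64.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// Constant blinding by rotation, modelled on the change described in the
// ChangeLog entry. Example code, not JavaScriptCore's implementation: the
// direction (rotate left to blind, rotate right to recover) is an assumption.
// What matters is that the shift amounts never reach 0 or 64, since
// `x << 64` and `x >> 64` on a uint64_t are undefined behaviour in C++.

constexpr unsigned kMinRotation = 1;
constexpr unsigned kMaxRotation = 63;

// Reject seeds outside [1, 63] rather than let them reach the shift operators.
inline void checkRotationSeed(unsigned seed)
{
    if (seed < kMinRotation || seed > kMaxRotation)
        throw std::invalid_argument("rotation seed must be in [1, 63]");
}

inline uint64_t rotateLeft64(uint64_t value, unsigned seed)
{
    checkRotationSeed(seed);
    return (value << seed) | (value >> (64 - seed));  // both shift counts are in [1, 63]
}

inline uint64_t rotateRight64(uint64_t value, unsigned seed)
{
    checkRotationSeed(seed);
    return (value >> seed) | (value << (64 - seed));
}

// Map an arbitrary random word onto [1, 63]: `random % 63` is 0..62, plus 1.
// Hypothetical helper; the real generateRotationSeed() draws from the VM's RNG.
inline unsigned rotationSeedFromRandom(uint32_t random)
{
    return static_cast<unsigned>(random % kMaxRotation) + kMinRotation;
}

struct BlindedConstant {
    uint64_t rotated;  // what gets embedded in the generated code
    unsigned seed;     // the rotation the generated code undoes at run time
};

inline BlindedConstant blindConstant(uint64_t value, uint32_t random)
{
    unsigned seed = rotationSeedFromRandom(random);
    return { rotateLeft64(value, seed), seed };
}

inline uint64_t unblindConstant(const BlindedConstant& c)
{
    return rotateRight64(c.rotated, c.seed);
}

// Every legal seed must round-trip; this is the property the [1, 63] clamp protects.
inline bool roundTripsForAllSeeds(uint64_t value)
{
    for (unsigned seed = kMinRotation; seed <= kMaxRotation; ++seed) {
        if (rotateRight64(rotateLeft64(value, seed), seed) != value)
            return false;
    }
    return true;
}

int main()
{
    uint64_t scriptSuppliedImmediate = 0x9090909090909090ULL;  // constructed sample value
    BlindedConstant c = blindConstant(scriptSuppliedImmediate, 0x1234);
    std::printf("seed=%u blinded=%016llx recovered=%016llx\n", c.seed,
                static_cast<unsigned long long>(c.rotated),
                static_cast<unsigned long long>(unblindConstant(c)));
    return roundTripsForAllSeeds(scriptSuppliedImmediate) ? 0 : 1;
}
```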
1749
1750 2018-08-21  Commit Queue  <commit-queue@webkit.org>
1751
1752         Unreviewed, rolling out r235107.
1753         https://bugs.webkit.org/show_bug.cgi?id=188832
1754
1755         "It revealed bugs in Blob code as well as regressed JS
1756         performance tests" (Requested by saamyjoon on #webkit).
1757
1758         Reverted changeset:
1759
1760         "JSRunLoopTimer may run part of a member function after it's
1761         destroyed"
1762         https://bugs.webkit.org/show_bug.cgi?id=188426
1763         https://trac.webkit.org/changeset/235107
1764
1765 2018-08-21  Saam barati  <sbarati@apple.com>
1766
1767         JSRunLoopTimer may run part of a member function after it's destroyed
1768         https://bugs.webkit.org/show_bug.cgi?id=188426
1769
1770         Reviewed by Mark Lam.
1771
1772         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1773         to end up running timer code after the class had been destroyed.
1774         
1775         The issue I spotted was in this function:
1776         ```
1777         void JSRunLoopTimer::timerDidFire()
1778         {
1779             JSLock* apiLock = m_apiLock.get();
1780             if (!apiLock) {
1781                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1782                 return;
1783             }
1784             // HERE
1785             std::lock_guard<JSLock> lock(*apiLock);
1786             RefPtr<VM> vm = apiLock->vm();
1787             if (!vm) {
1788                 // The VM has been destroyed, so we should just give up.
1789                 return;
1790             }
1791         
1792             doWork();
1793         }
1794         ```
1795         
1796         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1797         switched before grabbing the API lock. Then, some other thread destroys the VM.
1798         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1799         timer would run code and access member variables after it was destroyed.
1800         
1801         This patch fixes this issue by introducing a new timer manager class. 
1802         This class manages timers on a per VM basis. When a timer is scheduled,
1803         this class refs the timer. It also calls the timer callback while actively
1804         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1805         callback after the timer has been destroyed. However, calling a timer callback
1806         can still race with the VM being destroyed. We continue to detect this case and
1807         bail out of the callback early.
1808         
1809         This patch also removes a lot of duplicate code between GCActivityCallback
1810         and JSRunLoopTimer.
1811
1812         * heap/EdenGCActivityCallback.cpp:
1813         (JSC::EdenGCActivityCallback::doCollection):
1814         (JSC::EdenGCActivityCallback::lastGCLength):
1815         (JSC::EdenGCActivityCallback::deathRate):
1816         * heap/EdenGCActivityCallback.h:
1817         * heap/FullGCActivityCallback.cpp:
1818         (JSC::FullGCActivityCallback::doCollection):
1819         (JSC::FullGCActivityCallback::lastGCLength):
1820         (JSC::FullGCActivityCallback::deathRate):
1821         * heap/FullGCActivityCallback.h:
1822         * heap/GCActivityCallback.cpp:
1823         (JSC::GCActivityCallback::doWork):
1824         (JSC::GCActivityCallback::scheduleTimer):
1825         (JSC::GCActivityCallback::didAllocate):
1826         (JSC::GCActivityCallback::willCollect):
1827         (JSC::GCActivityCallback::cancel):
1828         (JSC::GCActivityCallback::cancelTimer): Deleted.
1829         (JSC::GCActivityCallback::nextFireTime): Deleted.
1830         * heap/GCActivityCallback.h:
1831         * heap/Heap.cpp:
1832         (JSC::Heap::reportAbandonedObjectGraph):
1833         (JSC::Heap::notifyIncrementalSweeper):
1834         (JSC::Heap::updateAllocationLimits):
1835         (JSC::Heap::didAllocate):
1836         * heap/IncrementalSweeper.cpp:
1837         (JSC::IncrementalSweeper::scheduleTimer):
1838         (JSC::IncrementalSweeper::doWork):
1839         (JSC::IncrementalSweeper::doSweep):
1840         (JSC::IncrementalSweeper::sweepNextBlock):
1841         (JSC::IncrementalSweeper::startSweeping):
1842         (JSC::IncrementalSweeper::stopSweeping):
1843         * heap/IncrementalSweeper.h:
1844         * heap/StopIfNecessaryTimer.cpp:
1845         (JSC::StopIfNecessaryTimer::doWork):
1846         (JSC::StopIfNecessaryTimer::scheduleSoon):
1847         * heap/StopIfNecessaryTimer.h:
1848         * runtime/JSRunLoopTimer.cpp:
1849         (JSC::epochTime):
1850         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1851         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1852         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1853         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1854         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1855         (JSC::JSRunLoopTimer::Manager::shared):
1856         (JSC::JSRunLoopTimer::Manager::registerVM):
1857         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1858         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1859         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1860         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1861         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1862         (JSC::JSRunLoopTimer::timerDidFire):
1863         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1864         (JSC::JSRunLoopTimer::timeUntilFire):
1865         (JSC::JSRunLoopTimer::setTimeUntilFire):
1866         (JSC::JSRunLoopTimer::cancelTimer):
1867         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1868         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1869         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1870         * runtime/JSRunLoopTimer.h:
1871         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1872         * runtime/PromiseDeferredTimer.cpp:
1873         (JSC::PromiseDeferredTimer::doWork):
1874         (JSC::PromiseDeferredTimer::runRunLoop):
1875         (JSC::PromiseDeferredTimer::addPendingPromise):
1876         (JSC::PromiseDeferredTimer::hasPendingPromise):
1877         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1878         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1879         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1880         * runtime/PromiseDeferredTimer.h:
1881         * runtime/VM.cpp:
1882         (JSC::VM::VM):
1883         (JSC::VM::~VM):
1884         (JSC::VM::setRunLoop):
1885         (JSC::VM::registerRunLoopTimer): Deleted.
1886         (JSC::VM::unregisterRunLoopTimer): Deleted.
1887         * runtime/VM.h:
1888         (JSC::VM::runLoop const):
1889         * wasm/js/WebAssemblyPrototype.cpp:
1890         (JSC::webAssemblyModuleValidateAsyncInternal):
1891         (JSC::instantiate):
1892         (JSC::compileAndInstantiate):
1893         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1894         (JSC::webAssemblyCompileStreamingInternal):
1895         (JSC::webAssemblyInstantiateStreamingInternal):
1896
1897 2018-08-20  Saam barati  <sbarati@apple.com>
1898
1899         Inline DataView accesses into DFG/FTL
1900         https://bugs.webkit.org/show_bug.cgi?id=188573
1901         <rdar://problem/43286746>
1902
1903         Reviewed by Michael Saboff.
1904
1905         This patch teaches the DFG/FTL to inline DataView accesses. The approach is
1906         straightforward. We inline the various get*/set* operations as intrinsics.
1907         
1908         This patch takes the most obvious approach for now. We OSR exit when:
1909         - An isLittleEndian argument is provided, and is not a boolean.
1910         - The index isn't an integer.
1911         - The |this| isn't a DataView.
1912         - We do an OOB access (or see a neutered array)
1913         
1914         To implement this change in a performant way, this patch teaches the macro
1915         assembler how to emit byte swap operations. The semantics of the added functions
1916         are byteSwap + zero extend. This means for the 16-bit byte swaps, we need
1917         to actually emit zero extend instructions. For the 32/64-bit byte swaps,
1918         the instructions already have these semantics.
1919         
1920         This patch is just a lightweight initial implementation. There are some easy
1921         extensions we can do in future changes:
1922         - Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
1923         - CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
1924
1925         * assembler/MacroAssemblerARM64.h:
1926         (JSC::MacroAssemblerARM64::byteSwap16):
1927         (JSC::MacroAssemblerARM64::byteSwap32):
1928         (JSC::MacroAssemblerARM64::byteSwap64):
1929         * assembler/MacroAssemblerX86Common.h:
1930         (JSC::MacroAssemblerX86Common::byteSwap32):
1931         (JSC::MacroAssemblerX86Common::byteSwap16):
1932         (JSC::MacroAssemblerX86Common::byteSwap64):
1933         * assembler/X86Assembler.h:
1934         (JSC::X86Assembler::bswapl_r):
1935         (JSC::X86Assembler::bswapq_r):
1936         (JSC::X86Assembler::shiftInstruction16):
1937         (JSC::X86Assembler::rolw_i8r):
1938         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1939         * assembler/testmasm.cpp:
1940         (JSC::testByteSwap):
1941         (JSC::run):
1942         * bytecode/DataFormat.h:
1943         * bytecode/SpeculatedType.cpp:
1944         (JSC::dumpSpeculation):
1945         (JSC::speculationFromClassInfo):
1946         (JSC::speculationFromJSType):
1947         (JSC::speculationFromString):
1948         * bytecode/SpeculatedType.h:
1949         * dfg/DFGAbstractInterpreterInlines.h:
1950         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1951         * dfg/DFGByteCodeParser.cpp:
1952         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1953         * dfg/DFGClobberize.h:
1954         (JSC::DFG::clobberize):
1955         * dfg/DFGDoesGC.cpp:
1956         (JSC::DFG::doesGC):
1957         * dfg/DFGFixupPhase.cpp:
1958         (JSC::DFG::FixupPhase::fixupNode):
1959         * dfg/DFGNode.h:
1960         (JSC::DFG::Node::hasHeapPrediction):
1961         (JSC::DFG::Node::dataViewData):
1962         * dfg/DFGNodeType.h:
1963         * dfg/DFGPredictionPropagationPhase.cpp:
1964         * dfg/DFGSafeToExecute.h:
1965         (JSC::DFG::SafeToExecuteEdge::operator()):
1966         (JSC::DFG::safeToExecute):
1967         * dfg/DFGSpeculativeJIT.cpp:
1968         (JSC::DFG::SpeculativeJIT::speculateDataViewObject):
1969         (JSC::DFG::SpeculativeJIT::speculate):
1970         * dfg/DFGSpeculativeJIT.h:
1971         * dfg/DFGSpeculativeJIT32_64.cpp:
1972         (JSC::DFG::SpeculativeJIT::compile):
1973         * dfg/DFGSpeculativeJIT64.cpp:
1974         (JSC::DFG::SpeculativeJIT::compile):
1975         * dfg/DFGUseKind.cpp:
1976         (WTF::printInternal):
1977         * dfg/DFGUseKind.h:
1978         (JSC::DFG::typeFilterFor):
1979         (JSC::DFG::isCell):
1980         * ftl/FTLCapabilities.cpp:
1981         (JSC::FTL::canCompile):
1982         * ftl/FTLLowerDFGToB3.cpp:
1983         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1984         (JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
1985         (JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
1986         (JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
1987         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
1988         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
1989         (JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
1990         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1991         (JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
1992         * runtime/Intrinsic.cpp:
1993         (JSC::intrinsicName):
1994         * runtime/Intrinsic.h:
1995         * runtime/JSDataViewPrototype.cpp:
1996
1997 2018-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1998
1999         [YARR] Extend size of fixed characters bulk matching in 64bit platform
2000         https://bugs.webkit.org/show_bug.cgi?id=181989
2001
2002         Reviewed by Michael Saboff.
2003
2004         This patch extends bulk matching style for fixed-sized characters.
2005         In a 64-bit environment, a GPR can hold up to 8 characters. This change
2006         reduces the code size since we can fuse multiple `mov` operations into one.
2007
2008         * assembler/LinkBuffer.h:
2009         * runtime/Options.h:
2010         * yarr/YarrJIT.cpp:
2011         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
2012         (JSC::Yarr::YarrGenerator::compile):
2013
2014 2018-08-20  Devin Rousso  <drousso@apple.com>
2015
2016         Web Inspector: allow breakpoints to be set for specific event listeners
2017         https://bugs.webkit.org/show_bug.cgi?id=183138
2018
2019         Reviewed by Joseph Pecoraro.
2020
2021         * inspector/protocol/DOM.json:
2022         Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
2023         takes an `eventListenerId` and toggles whether that specific usage of that event listener
2024         should have a breakpoint and pause before running.
2025
2026 2018-08-20  Mark Lam  <mark.lam@apple.com>
2027
2028         Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
2029         https://bugs.webkit.org/show_bug.cgi?id=188769
2030
2031         Reviewed by Michael Saboff.
2032
2033         * llint/LowLevelInterpreter.asm:
2034         - Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
2035           so that libunwind doesn't get confused by the 2 labels pointing to the same
2036           code address.
2037
2038 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
2039
2040         [GLIB] Add API to throw exceptions using printf formatted strings
2041         https://bugs.webkit.org/show_bug.cgi?id=188698
2042
2043         Reviewed by Michael Catanzaro.
2044
2045         Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
2046         JSCException using printf formatted string.
2047
2048         * API/glib/JSCContext.cpp:
2049         (jsc_context_throw_printf):
2050         (jsc_context_throw_with_name_printf):
2051         * API/glib/JSCContext.h:
2052         * API/glib/JSCException.cpp:
2053         (jsc_exception_new_printf):
2054         (jsc_exception_new_vprintf):
2055         (jsc_exception_new_with_name_printf):
2056         (jsc_exception_new_with_name_vprintf):
2057         * API/glib/JSCException.h:
2058         * API/glib/docs/jsc-glib-4.0-sections.txt:
2059
2060 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
2061
2062         [GLIB] Complete the JSCException API
2063         https://bugs.webkit.org/show_bug.cgi?id=188695
2064
2065         Reviewed by Michael Catanzaro.
2066
2067         Add more API to JSCException:
2068          - New function to get the column number
2069          - New function to get the exception as a string (toString())
2070          - Add the possibility to create exceptions with a custom error name.
2071          - New function to get the exception error name
2072          - New function to get the exception backtrace.
2073          - New convenience function to report an exception by returning a formatted string with all the exception
2074            details, to be shown as a user error message.
2075
2076         * API/glib/JSCContext.cpp:
2077         (jsc_context_throw_with_name):
2078         * API/glib/JSCContext.h:
2079         * API/glib/JSCException.cpp:
2080         (jscExceptionEnsureProperties):
2081         (jsc_exception_new):
2082         (jsc_exception_new_with_name):
2083         (jsc_exception_get_name):
2084         (jsc_exception_get_column_number):
2085         (jsc_exception_get_back_trace_string):
2086         (jsc_exception_to_string):
2087         (jsc_exception_report):
2088         * API/glib/JSCException.h:
2089         * API/glib/docs/jsc-glib-4.0-sections.txt:
2090
2091 2018-08-19  Commit Queue  <commit-queue@webkit.org>
2092
2093         Unreviewed, rolling out r234852.
2094         https://bugs.webkit.org/show_bug.cgi?id=188736
2095
2096         Workaround is not correct (Requested by yusukesuzuki on
2097         #webkit).
2098
2099         Reverted changeset:
2100
2101         "[JSC] Should not rotate constant with 64"
2102         https://bugs.webkit.org/show_bug.cgi?id=188556
2103         https://trac.webkit.org/changeset/234852
2104
2105 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2106
2107         [WTF] Add WTF::unalignedLoad and WTF::unalignedStore
2108         https://bugs.webkit.org/show_bug.cgi?id=188716
2109
2110         Reviewed by Darin Adler.
2111
2112         Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
2113         The compiler can emit appropriate mov operations in x86 even if we use these
2114         helper functions.
2115
2116         * assembler/AssemblerBuffer.h:
2117         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
2118         (JSC::AssemblerBuffer::putIntegral):
2119         (JSC::AssemblerBuffer::putIntegralUnchecked):
2120         * assembler/MacroAssemblerX86.h:
2121         (JSC::MacroAssemblerX86::readCallTarget):
2122         * assembler/X86Assembler.h:
2123         (JSC::X86Assembler::linkJump):
2124         (JSC::X86Assembler::readPointer):
2125         (JSC::X86Assembler::replaceWithHlt):
2126         (JSC::X86Assembler::replaceWithJump):
2127         (JSC::X86Assembler::setPointer):
2128         (JSC::X86Assembler::setInt32):
2129         (JSC::X86Assembler::setInt8):
2130         * interpreter/InterpreterInlines.h:
2131         (JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
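
        Added example (editorial, not WTF's or JSC's code and not part of this entry): memcpy-based
        unalignedLoad/unalignedStore helpers, with the bodies assumed rather than copied from WTF,
        applied to a constructed five-byte instruction whose 32-bit immediate sits at offset 1. That
        mirrors, in miniature, the misaligned embedded opcode and the patched call targets listed
        above. Instruction, encode, decode, patchImmediate and unalignedRoundTrip are illustration
        names only.

```cpp
#include <cstdint>
#include <cstring>
#include <type_traits>
#include <vector>

// Added example, not WTF's code: unaligned loads and stores expressed through memcpy,
// which is defined for any address, instead of dereferencing a misaligned pointer
// (undefined behaviour, and what UBSan reported). Bodies are assumed.
template<typename T>
static inline T unalignedLoad(const void* pointer)
{
    static_assert(std::is_trivially_copyable<T>::value, "memcpy needs a trivially copyable type");
    T result;
    std::memcpy(&result, pointer, sizeof(T));
    return result;
}

template<typename T>
static inline void unalignedStore(void* pointer, T value)
{
    static_assert(std::is_trivially_copyable<T>::value, "memcpy needs a trivially copyable type");
    std::memcpy(pointer, &value, sizeof(T));
}

// Constructed sample format: a one-byte opcode followed by a 32-bit immediate, so the
// immediate lives at offset 1 and is never 4-byte aligned.
struct Instruction {
    uint8_t opcode;
    uint32_t immediate;
};

static std::vector<uint8_t> encode(const Instruction& insn)
{
    std::vector<uint8_t> bytes(1 + sizeof(uint32_t));
    bytes[0] = insn.opcode;
    unalignedStore<uint32_t>(bytes.data() + 1, insn.immediate);
    return bytes;
}

static Instruction decode(const uint8_t* bytes)
{
    return { bytes[0], unalignedLoad<uint32_t>(bytes + 1) };
}

// In-place patching of the immediate, the same shape as setInt32/replaceWithJump
// rewriting an operand inside already-emitted code.
static void patchImmediate(uint8_t* bytes, uint32_t newImmediate)
{
    unalignedStore<uint32_t>(bytes + 1, newImmediate);
}

// Encode, decode, patch, decode again; true when every step agrees.
static bool unalignedRoundTrip()
{
    std::vector<uint8_t> bytes = encode({ 0xE9, 0x12345678u });
    if (decode(bytes.data()).opcode != 0xE9 || decode(bytes.data()).immediate != 0x12345678u)
        return false;
    patchImmediate(bytes.data(), 0xDEADBEEFu);
    return decode(bytes.data()).immediate == 0xDEADBEEFu;
}
```

        On x86 and ARM64 the compiler lowers a fixed-size memcpy to a single mov/ldr, as the entry
        notes; on strict-alignment targets it emits byte accesses instead. Either way the program
        has no undefined behaviour to be miscompiled around.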
2132
2133 2018-08-17  Saam barati  <sbarati@apple.com>
2134
2135         intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
2136         https://bugs.webkit.org/show_bug.cgi?id=188707
2137         <rdar://problem/43015442>
2138
2139         Reviewed by Mark Lam.
2140
2141         We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
2142         OSR enter at the head of a block. We verify it's safe to OSR enter by checking
2143         that each incoming value is compatible with its corresponding AbstractValue.
2144         
2145         The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
2146         with abstract values that were clobbered. This meant that the value we're
2147         verifying with at OSR entry effectively has an infinite structure set because
2148         it's clobbered. So, imagine we have code like this:
2149         ```
2150         ---> We OSR enter here, and we're clobbered here
2151         InvalidationPoint
2152         GetByOffset(@base)
2153         ```
2154         
2155         The abstract value for @base inside intersectionOfPastValuesAtHead has a
2156         clobbered structure set, so we'd allow an incoming object with any
2157         structure. However, this is wrong because the invalidation point is no
2158         longer fulfilling its promise that it filters the structure that @base has.
2159         
2160         We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
2161         as if the incoming value may be live past an InvalidationPoint.
2162         This places a stricter requirement that to safely OSR enter at any basic
2163         block, all incoming values must be compatible as if they lived past
2164         the execution of an invalidation point.
2165
2166         * dfg/DFGCFAPhase.cpp:
2167         (JSC::DFG::CFAPhase::run):
2168
2169 2018-08-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org> and Fujii Hironori  <Hironori.Fujii@sony.com>
2170
2171         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
2172         https://bugs.webkit.org/show_bug.cgi?id=188589
2173
2174         Reviewed by Mark Lam.
2175         And reviewed by Yusuke Suzuki for Hironori's change.
2176
2177         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
2178         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
2179
2180         - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
2181         - We make GPRReg and FPRReg int8_t enums.
2182         - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
2183         - We add operator+/- definitions for RegisterIDs as an MSVC workaround. MSVC fails to resolve operator+ and operator-
2184           if `enum : int8_t` is used instead of `enum`.
2185
2186         * assembler/ARM64Assembler.h:
2187         * assembler/ARMAssembler.h:
2188         * assembler/ARMv7Assembler.h:
2189         * assembler/MIPSAssembler.h:
2190         * assembler/MacroAssembler.h:
2191         * assembler/X86Assembler.h:
2192         * jit/CCallHelpers.h:
2193         (JSC::CCallHelpers::clampArrayToSize):
2194         * jit/FPRInfo.h:
2195         * jit/GPRInfo.h:
2196         (JSC::JSValueRegs::JSValueRegs):
2197         (JSC::JSValueRegs::tagGPR const):
2198         (JSC::JSValueRegs::payloadGPR const):
2199         (JSC::JSValueSource::JSValueSource):
2200         (JSC::JSValueSource::unboxedCell):
2201         (JSC::JSValueSource::operator bool const):
2202         (JSC::JSValueSource::base const):
2203         (JSC::JSValueSource::tagGPR const):
2204         (JSC::JSValueSource::payloadGPR const):
2205         (JSC::JSValueSource::hasKnownTag const):
2206
2207 2018-08-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2208
2209         [JSC] alignas for RegisterState should respect alignof(RegisterState) too
2210         https://bugs.webkit.org/show_bug.cgi?id=188686
2211
2212         Reviewed by Saam Barati.
2213
2214         RegisterState may have a larger alignment than `alignof(void*)`. We use the larger of the two
2215         as the `alignas` value for RegisterState.
2216
2217         * heap/RegisterState.h:
2218
2219 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2220
2221         [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
2222         https://bugs.webkit.org/show_bug.cgi?id=188571
2223
2224         Reviewed by Saam Barati.
2225
2226         UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
2227         allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
2228         without considering alignment of them. This patch adds DisjunctionContext::allocationSize
2229         and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
2230         The size is always rounded to `sizeof(void*)` so that these classes are always allocated
2231         with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
2232         than or equal to `sizeof(void*)` by `static_assert`.
2233
2234         * yarr/YarrInterpreter.cpp:
2235         (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
2236         (JSC::Yarr::Interpreter::allocDisjunctionContext):
2237         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
2238         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
2239         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
2240         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
2241         (JSC::Yarr::Interpreter::Interpreter):
2242         (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
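
        Added example (editorial, not Yarr's code and not part of this entry): a DisjunctionContext-like
        header followed by inline frame slots, an allocationSize() that rounds up to sizeof(void*), the
        static_assert that the type needs no stronger alignment, and a small bump-pointer arena that
        shows why the rounding matters. The context layout, BumpPointerArena, roundUpToMultipleOf,
        allocDisjunctionContext, isPointerAligned and secondContextIsAligned are assumptions made for
        illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>
#include <vector>

// Added example, not Yarr's code: rounding a variable-sized context's allocation size up
// to sizeof(void*) so that a bump-pointer allocator keeps handing out aligned objects.

constexpr size_t roundUpToMultipleOf(size_t divisor, size_t x)
{
    return (x + divisor - 1) / divisor * divisor;
}

// Pointer-aligned header followed inline by `frameSize` 32-bit slots.
struct DisjunctionContext {
    DisjunctionContext* previous; // assumed link to the enclosing context
    uint32_t term;
    uint32_t frameSize;

    uint32_t* frame() { return reinterpret_cast<uint32_t*>(this + 1); }

    // Raw byte count: header plus inline slots. An odd slot count gives a size that is
    // not a multiple of sizeof(void*), so whatever is allocated next is misaligned.
    static constexpr size_t unalignedAllocationSize(unsigned frameSize)
    {
        return sizeof(DisjunctionContext) + frameSize * sizeof(uint32_t);
    }

    // The fix: always a multiple of sizeof(void*).
    static constexpr size_t allocationSize(unsigned frameSize)
    {
        return roundUpToMultipleOf(sizeof(void*), unalignedAllocationSize(frameSize));
    }
};
// Rounding only guarantees sizeof(void*) alignment, so the type must not require more.
static_assert(alignof(DisjunctionContext) <= sizeof(void*), "context alignment exceeds allocator alignment");

// Minimal bump-pointer arena over a pointer-aligned buffer.
class BumpPointerArena {
public:
    explicit BumpPointerArena(size_t capacityInBytes)
        : m_storage((capacityInBytes + sizeof(void*) - 1) / sizeof(void*)), m_used(0) { }

    void* allocate(size_t bytes)
    {
        if (m_used + bytes > m_storage.size() * sizeof(void*))
            return nullptr;
        void* result = reinterpret_cast<uint8_t*>(m_storage.data()) + m_used;
        m_used += bytes;
        return result;
    }

private:
    std::vector<void*> m_storage; // void* elements, so data() is pointer-aligned
    size_t m_used;
};

static bool isPointerAligned(const void* p)
{
    return reinterpret_cast<uintptr_t>(p) % sizeof(void*) == 0;
}

// `rounded == false` reproduces the pre-fix sizing for comparison.
static DisjunctionContext* allocDisjunctionContext(BumpPointerArena& arena, unsigned frameSize, bool rounded)
{
    size_t size = rounded ? DisjunctionContext::allocationSize(frameSize)
                          : DisjunctionContext::unalignedAllocationSize(frameSize);
    void* memory = arena.allocate(size);
    if (!memory)
        return nullptr;
    DisjunctionContext* context = new (memory) DisjunctionContext();
    context->previous = nullptr;
    context->term = 0;
    context->frameSize = frameSize;
    for (unsigned i = 0; i < frameSize; ++i)
        context->frame()[i] = 0;
    return context;
}

// Allocate two contexts back to back and report whether the second one is aligned.
// Unrounded, frameSize 1 on a 64-bit target is 16 + 4 = 20 bytes, so the second
// context lands at offset 20: the misaligned access UBSan reported.
static bool secondContextIsAligned(unsigned frameSize, bool rounded)
{
    BumpPointerArena arena(256);
    allocDisjunctionContext(arena, frameSize, rounded);
    DisjunctionContext* second = allocDisjunctionContext(arena, frameSize, rounded);
    return second && isPointerAligned(second);
}
```

        Rounding the size, rather than aligning the bump pointer on each allocation, keeps the
        allocator's fast path a single add; the static_assert is what makes that sufficient.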
2243
2244 2018-08-15  Keith Miller  <keith_miller@apple.com>
2245
2246         Remove evernote hacks
2247         https://bugs.webkit.org/show_bug.cgi?id=188591
2248
2249         Reviewed by Joseph Pecoraro.
2250
2251         The hack was added in 2012 and the evernote app seems to work now.
2252         It's probably not needed anymore.
2253
2254         * API/JSValueRef.cpp:
2255         (JSValueUnprotect):
2256         (evernoteHackNeeded): Deleted.
2257
2258 2018-08-14  Fujii Hironori  <Hironori.Fujii@sony.com>
2259
2260         Unreviewed, rolling out r234874 and r234876.
2261
2262         WinCairo port can't compile
2263
2264         Reverted changesets:
2265
2266         "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
2267         https://bugs.webkit.org/show_bug.cgi?id=188589
2268         https://trac.webkit.org/changeset/234874
2269
2270         "Unreviewed, attempt to fix CLoop build"
2271         https://bugs.webkit.org/show_bug.cgi?id=188589
2272         https://trac.webkit.org/changeset/234876
2273
2274 2018-08-14  Saam barati  <sbarati@apple.com>
2275
2276         HashMap<Ref<P>, V> asserts when V is not zero for its empty value
2277         https://bugs.webkit.org/show_bug.cgi?id=188582
2278
2279         Reviewed by Sam Weinig.
2280
2281         * runtime/SparseArrayValueMap.h:
2282
2283 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2284
2285         Unreviewed, attempt to fix CLoop build
2286         https://bugs.webkit.org/show_bug.cgi?id=188589
2287
2288         * assembler/MacroAssembler.h:
2289
2290 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2291
2292         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
2293         https://bugs.webkit.org/show_bug.cgi?id=188589
2294
2295         Reviewed by Mark Lam.
2296
2297         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
2298         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
2299
2300         1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
2301         2. We make GPRReg and FPRReg int8_t enums.
2302         3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
2303
2304         * assembler/ARM64Assembler.h:
2305         * assembler/ARMAssembler.h:
2306         * assembler/ARMv7Assembler.h:
2307         * assembler/MIPSAssembler.h:
2308         * assembler/X86Assembler.h:
2309         * jit/FPRInfo.h:
2310         * jit/GPRInfo.h:
2311         (JSC::JSValueRegs::JSValueRegs):
2312         (JSC::JSValueRegs::tagGPR const):
2313         (JSC::JSValueRegs::payloadGPR const):
2314         (JSC::JSValueSource::JSValueSource):
2315         (JSC::JSValueSource::unboxedCell):
2316         (JSC::JSValueSource::operator bool const):
2317         (JSC::JSValueSource::base const):
2318         (JSC::JSValueSource::tagGPR const):
2319         (JSC::JSValueSource::payloadGPR const):
2320         (JSC::JSValueSource::hasKnownTag const):
2321
2322 2018-08-14  Keith Miller  <keith_miller@apple.com>
2323
2324         Add missing availability macro.
2325         https://bugs.webkit.org/show_bug.cgi?id=188563
2326
2327         Reviewed by Mark Lam.
2328
2329         * API/JSValueRef.h:
2330
2331 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2332
2333         [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
2334         https://bugs.webkit.org/show_bug.cgi?id=188560
2335
2336         Reviewed by Keith Miller.
2337
2338         While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
2339         it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
2340         uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
2341         `m_wasSeenInJIT { false }`.
2342
2343         * bytecode/GetByIdStatus.h:
2344
2345 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2346
2347         [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
2348         https://bugs.webkit.org/show_bug.cgi?id=188557
2349
2350         Reviewed by Mark Lam.
2351
2352         DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
2353         processing the invariants of ArithRound etc. requires loading `m_pass`. This issue was found
2354         by UBSan.
2355
2356         * dfg/DFGPredictionPropagationPhase.cpp:
2357
2358 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2359
2360         [JSC] Should not rotate constant with 64
2361         https://bugs.webkit.org/show_bug.cgi?id=188556
2362
2363         Reviewed by Mark Lam.
2364
2365         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
2366         But if the seed becomes 64, the following code performs `value << 64` where value's type
2367         is uint64_t, which is undefined behavior (UB). This patch limits the seed to the
2368         range [0, 64) so as not to generate code causing UB. This was found by UBSan.
2369
2370         * assembler/MacroAssembler.h:
2371         (JSC::MacroAssembler::generateRotationSeed):
2372         (JSC::MacroAssembler::rotationBlindConstant):
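
        Added example (editorial, not JSC's code and not part of this entry): constant blinding by
        rotation with the seed confined to [0, 64), so that no shift by the full operand width can
        occur. rotateLeft64, rotateRight64, generateRotationSeed, blindConstant, unblindConstant and
        the BlindedConstant struct are assumed names and layout, not the MacroAssembler's. The
        rollout entry earlier on this page records r234852 as reverted, so this models the principle
        rather than the shipped code.

```cpp
#include <cstdint>

// Added example, not JSC's code: blinding a 64-bit immediate with a secret rotation.
// Shift counts equal to the operand width are undefined behaviour in C and C++, which
// is exactly what a seed of 64 triggered; every shift count below is masked to [0, 64).

static inline uint64_t rotateLeft64(uint64_t value, unsigned n)
{
    n &= 63;
    // Masking the second count keeps n == 0 from producing a shift by 64.
    return (value << n) | (value >> ((64 - n) & 63));
}

static inline uint64_t rotateRight64(uint64_t value, unsigned n)
{
    n &= 63;
    return (value >> n) | (value << ((64 - n) & 63));
}

// Reduce random bits to a rotation count in [0, 64). The defect described above was a
// generator whose range also included 64.
static inline unsigned generateRotationSeed(uint64_t randomBits)
{
    return static_cast<unsigned>(randomBits % 64);
}

struct BlindedConstant {
    uint64_t rotated; // the immediate that actually lands in the code stream
    unsigned seed;    // the rotate count emitted alongside it to undo the blinding
};

// JIT time: the attacker-chosen bytes of `value` no longer appear verbatim in the
// emitted immediate, because where they end up depends on a seed the attacker
// cannot predict.
static inline BlindedConstant blindConstant(uint64_t value, uint64_t randomBits)
{
    unsigned seed = generateRotationSeed(randomBits);
    return { rotateRight64(value, seed), seed };
}

// Run time: the generated code rotates the immediate back before using it.
static inline uint64_t unblindConstant(const BlindedConstant& blinded)
{
    return rotateLeft64(blinded.rotated, blinded.seed);
}
```

        One caveat a reviewer would raise on this model: a seed of 0 is in range but leaves the
        constant unrotated, so the attacker-chosen bytes are emitted verbatim. A production
        generator should exclude 0 as well as the operand width.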
2373
2374 2018-08-12  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2375
2376         Disable JIT on IA-32 without SSE2
2377         https://bugs.webkit.org/show_bug.cgi?id=188476
2378
2379         Reviewed by Michael Catanzaro.
2380
2381         Include the missing header (MacroAssembler.h) on operating systems
2382         other than Windows too.
2383
2384         * runtime/Options.cpp:
2385
2386 2018-08-11  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2387
2388         Disable JIT on IA-32 without SSE2
2389         https://bugs.webkit.org/show_bug.cgi?id=188476
2390
2391         Reviewed by Yusuke Suzuki.
2392
2393         On IA-32 CPUs without SSE2 most of the webpages cannot load
2394         if the JIT is turned on.
2395
2396         * runtime/Options.cpp:
2397         (JSC::recomputeDependentOptions):
2398
2399 2018-08-10  Joseph Pecoraro  <pecoraro@apple.com>
2400
2401         Web Inspector: console.log fires getters for deep properties
2402         https://bugs.webkit.org/show_bug.cgi?id=187542
2403         <rdar://problem/42873158>
2404
2405         Reviewed by Saam Barati.
2406
2407         * inspector/InjectedScriptSource.js:
2408         (RemoteObject.prototype._isPreviewableObject):
2409         Avoid getters/setters when checking for simple properties to preview.
2410         Here we avoid invoking `object[property]` if it could be a user getter.
2411
2412 2018-08-10  Keith Miller  <keith_miller@apple.com>
2413
2414         Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
2415         https://bugs.webkit.org/show_bug.cgi?id=185127
2416
2417         Reviewed by Saam Barati.
2418
2419         Previously, we would truncate the indices passed to slice to an
2420         int. This meant that the value was not getting properly clamped
2421         later.
2422
2423         This patch also removes a non-spec compliant check that slice was
2424         passed at least one argument.
2425
2426         * runtime/ArrayBuffer.cpp:
2427         (JSC::ArrayBuffer::clampValue):
2428         (JSC::ArrayBuffer::clampIndex const):
2429         (JSC::ArrayBuffer::slice const):
2430         * runtime/ArrayBuffer.h:
2431         (JSC::ArrayBuffer::clampValue): Deleted.
2432         (JSC::ArrayBuffer::clampIndex const): Deleted.
2433         * runtime/JSArrayBufferPrototype.cpp:
2434         (JSC::arrayBufferProtoFuncSlice):
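
        Added example (editorial, not JSC's code and not part of this entry): clampIndex and
        sliceByteLength apply ToInteger and then clamp in double precision, so a large index is
        clamped to the byte length instead of being truncated to a 32-bit int first; a truncating
        variant reproduces the pre-fix behaviour for comparison. The function names, and modelling
        a missing `begin` as NaN and a missing `end` as the byte length, are assumptions.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>

// Added example, not JSC's code: index clamping for ArrayBuffer.prototype.slice that keeps
// the argument as a double until after it has been clamped to [0, byteLength].

// ECMAScript ToInteger on a Number: NaN becomes 0, everything else truncates toward
// zero; +/-Infinity survive so the clamp below can handle them.
static double toInteger(double value)
{
    if (std::isnan(value))
        return 0;
    return std::trunc(value);
}

// relative < 0 ? max(len + relative, 0) : min(relative, len)
static size_t clampIndex(double value, size_t byteLength)
{
    double relative = toInteger(value);
    double length = static_cast<double>(byteLength);
    double clamped = relative < 0 ? std::fmax(length + relative, 0.0) : std::fmin(relative, length);
    return static_cast<size_t>(clamped); // now within [0, byteLength], so exact
}

// byteLength of buffer.slice(begin, end) for a buffer of `byteLength` bytes. A missing
// `begin` is modelled as NaN (ToInteger(undefined) is 0) and a missing `end` as
// byteLength, which is why no check on the argument count is needed.
static size_t sliceByteLength(size_t byteLength, double begin, double end)
{
    size_t first = clampIndex(begin, byteLength);
    size_t last = clampIndex(end, byteLength);
    return last > first ? last - first : 0;
}

// Pre-fix behaviour for comparison: converting to int32 before clamping wraps 2^32 to 0
// and 2^32 + 4 to 4. Inputs are assumed to fit in int64 so the first conversion is
// defined; the uint32 step is what performs the wrap.
static size_t sliceByteLengthTruncating(size_t byteLength, double begin, double end)
{
    auto truncateToInt32 = [](double value) -> double {
        if (std::isnan(value))
            return 0;
        return static_cast<int32_t>(static_cast<uint32_t>(static_cast<int64_t>(value)));
    };
    return sliceByteLength(byteLength, truncateToInt32(begin), truncateToInt32(end));
}
```

        The security-relevant point is that the clamp must see the full value: a view whose
        length is derived from a wrapped index is an off-by-2^32 in the accounting, even if
        the resulting buffer here was merely empty rather than oversized.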
2435
2436 2018-08-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2437
2438         Date.UTC should not return NaN with only Year param
2439         https://bugs.webkit.org/show_bug.cgi?id=188378
2440
2441         Reviewed by Keith Miller.
2442
2443         Date.UTC requires one argument, |year|, but the other ones are optional.
2444         This patch fixes this handling.
2445
2446         * runtime/DateConstructor.cpp:
2447         (JSC::millisecondsFromComponents):
2448
2449 2018-08-08  Keith Miller  <keith_miller@apple.com>
2450
2451         Array.prototype.sort should call @toLength instead of ">>> 0"
2452         https://bugs.webkit.org/show_bug.cgi?id=188430
2453
2454         Reviewed by Saam Barati.
2455
2456         Also add a new function to $vm that will fetch a private
2457         property. This can be useful for running builtin helper functions.
2458
2459         * builtins/ArrayPrototype.js:
2460         (sort):
2461         * tools/JSDollarVM.cpp:
2462         (JSC::functionGetPrivateProperty):
2463         (JSC::JSDollarVM::finishCreation):
2464
2465 2018-08-08  Keith Miller  <keith_miller@apple.com>
2466
2467         Array.prototype.sort should throw TypeError if param is a not callable object
2468         https://bugs.webkit.org/show_bug.cgi?id=188382
2469
2470         Reviewed by Saam Barati.
2471
2472         Improve spec compatibility by checking if the Array.prototype.sort comparator is a function
2473         before doing anything else.
2474
2475         Also, refactor the various helper functions to use let instead of var.
2476
2477         * builtins/ArrayPrototype.js:
2478         (sort.stringComparator):
2479         (sort.compactSparse):
2480         (sort.compactSlow):
2481         (sort.compact):
2482         (sort.merge):
2483         (sort.mergeSort):
2484         (sort.bucketSort):
2485         (sort.comparatorSort):
2486         (sort.stringSort):
2487         (sort):
2488
2489 2018-08-08  Michael Saboff  <msaboff@apple.com>
2490
2491         Yarr JIT should include annotations with dumpDisassembly=true
2492         https://bugs.webkit.org/show_bug.cgi?id=188415
2493
2494         Reviewed by Yusuke Suzuki.
2495
2496         Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
2497         Given that the Yarr creates matching code by going through the YarrPattern ops forward and
2498         then the backtracking code through the YarrPattern ops in reverse order, the disassembler
2499         needs to do the same thing.
2500
2501         Restructured some of the logging code in YarrPattern to eliminate redundant code and factor
2502         out simple methods for what was needed by the YarrDisassembler.
2503
2504         Here is an abbreviated sample of the output after this change.
2505
2506         Generated JIT code for 8-bit regular expression /ab*c/:
2507             Code at [0x469561c03720, 0x469561c03840):
2508                 0x469561c03720: push %rbp
2509                 0x469561c03721: mov %rsp, %rbp
2510                 ...
2511                 0x469561c03762: sub $0x40, %rsp
2512              == Matching ==
2513            0:OpBodyAlternativeBegin minimum size 2
2514                 0x469561c03766: add $0x2, %esi
2515                 0x469561c03769: cmp %edx, %esi
2516                 0x469561c0376b: ja 0x469561c037fa
2517            1:OpTerm TypePatternCharacter 'a'
2518                 0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
2519                 0x469561c03776: cmp $0x61, %eax
2520                 0x469561c03779: jnz 0x469561c037e9
2521            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
2522                 0x469561c0377f: xor %r9d, %r9d
2523                 0x469561c03782: cmp %edx, %esi
2524                 0x469561c03784: jz 0x469561c037a2
2525                 ...
2526                 0x469561c0379d: jmp 0x469561c03782
2527                 0x469561c037a2: mov %r9, 0x8(%rsp)
2528            3:OpTerm TypePatternCharacter 'c'
2529                 0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
2530                 0x469561c037ac: cmp $0x63, %eax
2531                 0x469561c037af: jnz 0x469561c037d1
2532            4:OpBodyAlternativeEnd
2533                 0x469561c037b5: add $0x40, %rsp
2534                 ...
2535                 0x469561c037cf: pop %rbp
2536                 0x469561c037d0: ret
2537              == Backtracking ==
2538            4:OpBodyAlternativeEnd
2539            3:OpTerm TypePatternCharacter 'c'
2540            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
2541                 0x469561c037d1: mov 0x8(%rsp), %r9
2542                 ...
2543                 0x469561c037e4: jmp 0x469561c037a2
2544            1:OpTerm TypePatternCharacter 'a'
2545            0:OpBodyAlternativeBegin minimum size 2
2546                 0x469561c037e9: mov %rsi, %rax
2547                 ...
2548                 0x469561c0382f: pop %rbp
2549                 0x469561c03830: ret
2550
2551         * JavaScriptCore.xcodeproj/project.pbxproj:
2552         * Sources.txt:
2553         * runtime/RegExp.cpp:
2554         (JSC::RegExp::compile):
2555         (JSC::RegExp::compileMatchOnly):
2556         * yarr/YarrDisassembler.cpp: Added.
2557         (JSC::Yarr::YarrDisassembler::indentString):
2558         (JSC::Yarr::YarrDisassembler::YarrDisassembler):
2559         (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
2560         (JSC::Yarr::YarrDisassembler::dump):
2561         (JSC::Yarr::YarrDisassembler::dumpHeader):
2562         (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
2563         (JSC::Yarr::YarrDisassembler::dumpForInstructions):
2564         (JSC::Yarr::YarrDisassembler::dumpDisassembly):
2565         * yarr/YarrDisassembler.h: Added.
2566         (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
2567         (JSC::Yarr::YarrDisassembler::setStartOfCode):
2568         (JSC::Yarr::YarrDisassembler::setForGenerate):
2569         (JSC::Yarr::YarrDisassembler::setForBacktrack):
2570         (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
2571         (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
2572         (JSC::Yarr::YarrDisassembler::setEndOfCode):
2573         (JSC::Yarr::YarrDisassembler::indentString):
2574         * yarr/YarrJIT.cpp:
2575         (JSC::Yarr::YarrGenerator::generate):
2576         (JSC::Yarr::YarrGenerator::backtrack):
2577         (JSC::Yarr::YarrGenerator::YarrGenerator):
2578         (JSC::Yarr::YarrGenerator::compile):
2579         (JSC::Yarr::jitCompile):
2580         * yarr/YarrJIT.h:
2581         * yarr/YarrPattern.cpp:
2582         (JSC::Yarr::dumpCharacterClass):
2583         (JSC::Yarr::PatternTerm::dump):
2584         (JSC::Yarr::YarrPattern::dumpPatternString):
2585         (JSC::Yarr::YarrPattern::dumpPattern):
2586         * yarr/YarrPattern.h:
2587
2588 2018-08-05  Darin Adler  <darin@apple.com>
2589
2590         [Cocoa] More tweaks and refactoring to prepare for ARC
2591         https://bugs.webkit.org/show_bug.cgi?id=188245
2592
2593         Reviewed by Dan Bernstein.
2594
2595         * API/JSValue.mm: Use __unsafe_unretained.
2596         (JSContainerConvertor::convert): Use auto for compatibility with the above.
2597         * API/JSWrapperMap.mm:
2598         (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
2599         (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.
2600
2601         * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.
2602
2603 2018-08-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2604
2605         Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
2606         https://bugs.webkit.org/show_bug.cgi?id=188328
2607
2608         Reviewed by Saam Barati.
2609
2610         Shrinking the size of PropertyCondition can improve memory consumption by a lot.
2611         For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
2612         and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
2613         as a member field.
2614
2615         This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
2616         PropertyCondition::Kind into uint64_t data on 64-bit architectures. Since our addresses
2617         are within 48 bits, we can put PropertyCondition::Kind in these unused bits.
2618         To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
2619         folds a pointer and a 1-byte type into 64-bit data.
2620
2621         This change shrinks PropertyCondition from 24 bytes to 16 bytes.
2622
2623         * bytecode/PropertyCondition.cpp:
2624         (JSC::PropertyCondition::dumpInContext const):
2625         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2626         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
2627         (JSC::PropertyCondition::isStillValid const):
2628         (JSC::PropertyCondition::isWatchableWhenValid const):
2629         * bytecode/PropertyCondition.h:
2630         (JSC::PropertyCondition::PropertyCondition):
2631         (JSC::PropertyCondition::presenceWithoutBarrier):
2632         (JSC::PropertyCondition::absenceWithoutBarrier):
2633         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
2634         (JSC::PropertyCondition::equivalenceWithoutBarrier):
2635         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
2636         (JSC::PropertyCondition::operator bool const):
2637         (JSC::PropertyCondition::kind const):
2638         (JSC::PropertyCondition::uid const):
2639         (JSC::PropertyCondition::hasOffset const):
2640         (JSC::PropertyCondition::hasAttributes const):
2641         (JSC::PropertyCondition::hasPrototype const):
2642         (JSC::PropertyCondition::hasRequiredValue const):
2643         (JSC::PropertyCondition::hash const):
2644         (JSC::PropertyCondition::operator== const):
2645         (JSC::PropertyCondition::isHashTableDeletedValue const):
2646         (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
2647
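A worked illustration of the packing this entry describes, added here as an example; it is not WTF::CompactPointerTuple or JSC's PropertyCondition code. It assumes a layout with the pointer in the low 48 bits and the one-byte kind in the top byte (where the real implementation places the byte is not stated above), a hypothetical Kind enum, and hypothetical struct shapes for the before and after layouts. The constructor refuses any pointer that does not fit in 48 bits, which is the check a reviewer wants whenever high pointer bits are borrowed for tags.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <stdexcept>

// Assumed layout for this example (not WTF::CompactPointerTuple itself): the
// low 48 bits carry the pointer, the top 8 bits carry the one-byte kind, and
// bits 48..55 stay zero. A pointer that needs more than 48 bits is rejected
// rather than silently corrupted.
template<typename PointerType, typename Type>
class PackedPointerAndKind {
    static_assert(sizeof(PointerType) == 8, "this packing needs 64-bit pointers");
    static_assert(sizeof(Type) == 1, "the packed type must fit in one byte");
    static constexpr uint64_t pointerMask = (uint64_t(1) << 48) - 1;
    static constexpr unsigned typeShift = 56;

public:
    PackedPointerAndKind() = default;

    PackedPointerAndKind(PointerType pointer, Type type)
    {
        uint64_t bits = reinterpret_cast<uintptr_t>(pointer);
        if (bits & ~pointerMask)
            throw std::invalid_argument("pointer does not fit in 48 bits");
        m_data = bits | (uint64_t(static_cast<uint8_t>(type)) << typeShift);
    }

    PointerType pointer() const
    {
        return reinterpret_cast<PointerType>(static_cast<uintptr_t>(m_data & pointerMask));
    }

    Type type() const { return static_cast<Type>(static_cast<uint8_t>(m_data >> typeShift)); }

    void setType(Type type)
    {
        m_data = (m_data & pointerMask) | (uint64_t(static_cast<uint8_t>(type)) << typeShift);
    }

private:
    uint64_t m_data { 0 };
};

// Hypothetical kinds; the real PropertyCondition::Kind enumerators are not listed above.
enum class Kind : uint8_t { Presence = 0, Absence = 1, Equivalence = 2 };

// Before: the kind has its own byte, which alignment padding rounds up to a full word.
struct UnpackedCondition {
    const char* uid;
    Kind kind;
    uint64_t payload;
};

// After: the kind lives in the top byte of the uid pointer's word.
struct PackedCondition {
    PackedPointerAndKind<const char*, Kind> uidAndKind;
    uint64_t payload;
};

size_t unpackedConditionSize() { return sizeof(UnpackedCondition); } // 24 on LP64
size_t packedConditionSize() { return sizeof(PackedCondition); } // 16 on LP64

// Constructed sample uid with static storage (a normal user-space address).
const char* sampleUid()
{
    static const char name[] = "constructedPropertyName";
    return name;
}

// Packing and unpacking must be lossless for an ordinary user-space pointer.
bool roundTrips(const char* uid, Kind kind)
{
    PackedPointerAndKind<const char*, Kind> packed(uid, kind);
    return packed.pointer() == uid && packed.type() == kind;
}

// A pointer with bits above 47 set (a kernel or non-canonical address, or a
// wider address space) would be corrupted by the packing, so it must be refused.
bool rejectsWidePointer()
{
    const char* wide = reinterpret_cast<const char*>(uintptr_t(1) << 50);
    try {
        PackedPointerAndKind<const char*, Kind> packed(wide, Kind::Presence);
        (void)packed;
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}
```

The size figures hold on the usual LP64 ABIs (x86-64 and arm64). The 48-bit check is what keeps a borrowed-bits scheme honest: on a platform that hands out wider addresses (x86-64 with 5-level paging, or kernel-space pointers with the high bits sign-extended) the pointer would otherwise be silently truncated and the kind byte overwritten.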
2648 2018-08-07  Mark Lam  <mark.lam@apple.com>
2649
2650         Use a more specific PtrTag for PlatformRegisters PC and LR.
2651         https://bugs.webkit.org/show_bug.cgi?id=188366
2652         <rdar://problem/42984123>
2653
2654         Reviewed by Keith Miller.
2655
2656         Also fixed a bug in linkRegister(), which was previously returning the PC instead
2657         of LR.  It now returns LR.
2658
2659         * runtime/JSCPtrTag.h:
2660         * runtime/MachineContext.h:
2661         (JSC::MachineContext::instructionPointer):
2662         (JSC::MachineContext::linkRegister):
2663         * runtime/VMTraps.cpp:
2664         (JSC::SignalContext::SignalContext):
2665         * tools/SigillCrashAnalyzer.cpp:
2666         (JSC::SignalContext::SignalContext):
2667
2668 2018-08-07  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2669
2670         Hardcoded LFENCE instruction
2671         https://bugs.webkit.org/show_bug.cgi?id=188145
2672
2673         Reviewed by Filip Pizlo.
2674
2675         Remove the lfence instruction because it crashes systems without SSE2 and
2676         this is not how WebKit mitigates Spectre.
2677
2678         * runtime/JSLock.cpp:
2679         (JSC::JSLock::didAcquireLock):
2680         (JSC::JSLock::willReleaseLock):
2681
2682 2018-08-04  David Kilzer  <ddkilzer@apple.com>
2683
2684         REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
2685         <https://webkit.org/b/188331>
2686
2687         Reviewed by Yusuke Suzuki.
2688
2689         * runtime/TemplateObjectDescriptor.h:
2690         (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
2691         Use `m_rawstrings` instead of `rawStrings` to calculate hash.
2692
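An added illustration of the use-after-move pattern this entry fixes, written against std::vector and std::string rather than the actual TemplateObjectDescriptor, WTF::Vector or StringHasher code; the class names, the FNV-1a hash and the sample inputs are all hypothetical and constructed for the example.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Hypothetical hash over the raw strings (not WTF's StringHasher): FNV-1a with a
// separator step so that ["ab","c"] and ["a","bc"] do not hash alike.
uint64_t hashRawStrings(const std::vector<std::string>& rawStrings)
{
    uint64_t hash = 1469598103934665603ULL;
    for (const std::string& string : rawStrings) {
        for (unsigned char c : string) {
            hash ^= c;
            hash *= 1099511628211ULL;
        }
        hash ^= 0xff;
        hash *= 1099511628211ULL;
    }
    return hash;
}

// The "before" shape the entry describes: the member initialiser moves the
// parameter into m_rawStrings, then the hash is computed from the parameter.
// std::vector guarantees the moved-from vector is empty, so every descriptor
// gets the same hash and anything keyed on it can no longer tell them apart.
class DescriptorBeforeFix {
public:
    explicit DescriptorBeforeFix(std::vector<std::string>&& rawStrings)
        : m_rawStrings(std::move(rawStrings))
        , m_hash(hashRawStrings(rawStrings)) // bug: rawStrings was just moved from
    { }
    uint64_t hash() const { return m_hash; }
    const std::vector<std::string>& rawStrings() const { return m_rawStrings; }

private:
    std::vector<std::string> m_rawStrings; // declared first, so initialised first
    uint64_t m_hash;
};

// The fix: hash the member that now owns the strings.
class DescriptorAfterFix {
public:
    explicit DescriptorAfterFix(std::vector<std::string>&& rawStrings)
        : m_rawStrings(std::move(rawStrings))
        , m_hash(hashRawStrings(m_rawStrings))
    { }
    uint64_t hash() const { return m_hash; }
    const std::vector<std::string>& rawStrings() const { return m_rawStrings; }

private:
    std::vector<std::string> m_rawStrings;
    uint64_t m_hash;
};

// Two descriptors built from different raw strings: the buggy version hashes
// both as if they were empty.
bool buggyVersionCollides()
{
    DescriptorBeforeFix a({ "a", "b" });
    DescriptorBeforeFix b({ "x", "y", "z" });
    return a.hash() == b.hash() && a.hash() == hashRawStrings({});
}

// The fixed version distinguishes them and matches a hash of the original input.
bool fixedVersionDistinguishes()
{
    std::vector<std::string> input { "a", "b" };
    uint64_t expected = hashRawStrings(input);
    DescriptorAfterFix a(std::move(input));
    DescriptorAfterFix b({ "x", "y", "z" });
    return a.hash() == expected && a.hash() != b.hash() && a.rawStrings().size() == 2;
}
```

Member initialisers run in declaration order, not in the order they are written, so the moved-from parameter is the one thing the second initialiser must not read; hashing the member instead is the minimal fix.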
2693 2018-08-03  Saam Barati  <sbarati@apple.com>
2694
2695         Give the `jsc` shell the JIT entitlement
2696         https://bugs.webkit.org/show_bug.cgi?id=188324
2697         <rdar://problem/42885806>
2698
2699         Reviewed by Dan Bernstein.
2700
2701         This should help us in ensuring the system jsc is able to JIT.
2702
2703         * Configurations/JSC.xcconfig:
2704         * JavaScriptCore.xcodeproj/project.pbxproj:
2705         * allow-jit-macOS.entitlements: Added.
2706
2707 2018-08-03  Alex Christensen  <achristensen@webkit.org>
2708
2709         Fix spelling of "overridden"
2710         https://bugs.webkit.org/show_bug.cgi?id=188315
2711
2712         Reviewed by Darin Adler.
2713
2714         * API/JSExport.h:
2715         * inspector/InjectedScriptSource.js:
2716
2717 2018-08-02  Saam Barati  <sbarati@apple.com>
2718
2719         Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
2720         https://bugs.webkit.org/show_bug.cgi?id=188271
2721         <rdar://problem/42850884>
2722
2723         Reviewed by Michael Saboff.
2724
2725         This patch defends against the instructionPointer containing garbage bits.
2726         See radar for details.
2727
2728         * runtime/MachineContext.h:
2729         (JSC::MachineContext::instructionPointer):
2730         * runtime/SamplingProfiler.cpp:
2731         (JSC::SamplingProfiler::takeSample):
2732         * runtime/VMTraps.cpp:
2733         (JSC::SignalContext::SignalContext):
2734         (JSC::SignalContext::tryCreate):
2735         * tools/CodeProfiling.cpp:
2736         (JSC::profilingTimer):
2737         * tools/SigillCrashAnalyzer.cpp:
2738         (JSC::SignalContext::SignalContext):
2739         (JSC::SignalContext::tryCreate):
2740         (JSC::SignalContext::dump):
2741         (JSC::installCrashHandler):
2742         * wasm/WasmFaultSignalHandler.cpp:
2743         (JSC::Wasm::trapHandler):
2744
2745 2018-08-02  David Fenton  <david_fenton@apple.com>
2746
2747         Unreviewed, rolling out r234489.
2748
2749         Caused 50+ crashes and 60+ API failures on iOS
2750
2751         Reverted changeset:
2752
2753         "[WTF] Rename String::format to String::deprecatedFormat"
2754         https://bugs.webkit.org/show_bug.cgi?id=188191
2755         https://trac.webkit.org/changeset/234489
2756
2757 2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2758
2759         Add self.queueMicrotask(f) on DOMWindow
2760         https://bugs.webkit.org/show_bug.cgi?id=188212
2761
2762         Reviewed by Ryosuke Niwa.
2763
2764         * CMakeLists.txt:
2765         * JavaScriptCore.xcodeproj/project.pbxproj:
2766         * Sources.txt:
2767         * runtime/JSGlobalObject.cpp:
2768         (JSC::enqueueJob):
2769         * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
2770         (JSC::createJSMicrotask):
2771         Export them to WebCore.
2772
2773         (JSC::JSMicrotask::run):
2774         * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
2775         Add another version of JSMicrotask which does not have arguments.
2776
2777 2018-08-01  Tomas Popela  <tpopela@redhat.com>
2778
2779         [WTF] Rename String::format to String::deprecatedFormat
2780         https://bugs.webkit.org/show_bug.cgi?id=188191
2781
2782         Reviewed by Darin Adler.
2783
2784         It should be replaced with string concatenation.
2785
2786         * bytecode/CodeBlock.cpp:
2787         (JSC::CodeBlock::nameForRegister):
2788         * inspector/InjectedScriptBase.cpp:
2789         (Inspector::InjectedScriptBase::makeCall):
2790         * inspector/InspectorBackendDispatcher.cpp:
2791         (Inspector::BackendDispatcher::getPropertyValue):
2792         * inspector/agents/InspectorConsoleAgent.cpp:
2793         (Inspector::InspectorConsoleAgent::enable):
2794         (Inspector::InspectorConsoleAgent::stopTiming):
2795         * jsc.cpp:
2796         (FunctionJSCStackFunctor::operator() const):
2797         * parser/Lexer.cpp:
2798         (JSC::Lexer<T>::invalidCharacterMessage const):
2799         * runtime/IntlDateTimeFormat.cpp:
2800         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2801         * runtime/IntlObject.cpp:
2802         (JSC::canonicalizeLocaleList):
2803         * runtime/LiteralParser.cpp:
2804         (JSC::LiteralParser<CharType>::Lexer::lex):
2805         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2806         (JSC::LiteralParser<CharType>::parse):
2807         * runtime/LiteralParser.h:
2808         (JSC::LiteralParser::getErrorMessage):
2809
2810 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2811
2812         [INTL] Allow "unknown" formatToParts types
2813         https://bugs.webkit.org/show_bug.cgi?id=188176
2814
2815         Reviewed by Darin Adler.
2816
2817         Originally extra unexpected field types were marked as "literal", since
2818         the spec did not account for these. The ECMA 402 spec has since been updated
2819         to specify "unknown" should be used in these cases.
2820
2821         Currently there is no known way to reach these cases, so no tests can
2822         account for them. Theoretically they shouldn't exist, but they are specified,
2823         just to be safe. Marking them as "unknown" instead of "literal" hopefully
2824         will make such cases easy to identify if they ever happen.
2825
2826         * runtime/IntlDateTimeFormat.cpp:
2827         (JSC::IntlDateTimeFormat::partTypeString):
2828         * runtime/IntlNumberFormat.cpp:
2829         (JSC::IntlNumberFormat::partTypeString):
2830
2831 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2832
2833         [INTL] Implement hourCycle in DateTimeFormat
2834         https://bugs.webkit.org/show_bug.cgi?id=188006
2835
2836         Reviewed by Darin Adler.
2837
2838         Implemented hourCycle, updating both the skeleton and the final pattern.
2839         Changed resolveLocale to assume undefined options are not given and null
2840         strings actually mean null, which removes the tag extension.
2841
2842         * runtime/CommonIdentifiers.h:
2843         * runtime/IntlCollator.cpp:
2844         (JSC::IntlCollator::initializeCollator):
2845         * runtime/IntlDateTimeFormat.cpp:
2846         (JSC::IntlDTFInternal::localeData):
2847         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2848         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2849         (JSC::IntlDateTimeFormat::resolvedOptions):
2850         * runtime/IntlDateTimeFormat.h:
2851         * runtime/IntlObject.cpp:
2852         (JSC::resolveLocale):
2853
2854 2018-08-01  Keith Miller  <keith_miller@apple.com>
2855
2856         JSArrayBuffer should have its own JSType
2857         https://bugs.webkit.org/show_bug.cgi?id=188231
2858
2859         Reviewed by Saam Barati.
2860
2861         * runtime/JSArrayBuffer.cpp:
2862         (JSC::JSArrayBuffer::createStructure):
2863         * runtime/JSCast.h:
2864         * runtime/JSType.h:
2865
2866 2018-07-31  Keith Miller  <keith_miller@apple.com>
2867
2868         Unreviewed 32-bit build fix...
2869
2870         * dfg/DFGSpeculativeJIT32_64.cpp:
2871
2872 2018-07-31  Keith Miller  <keith_miller@apple.com>
2873
2874         Long compiling JSC files should not be unified
2875         https://bugs.webkit.org/show_bug.cgi?id=188205
2876
2877         Reviewed by Saam Barati.
2878
2879         The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
2880         to compile. Unifying them means touching anything in the same
2881         bundle as those files takes a long time to incrementally build.
2882         This patch separates those files so they build standalone.
2883
2884         * JavaScriptCore.xcodeproj/project.pbxproj:
2885         * Sources.txt:
2886         * dfg/DFGSpeculativeJIT64.cpp:
2887
2888 2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2889
2890         [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
2891         https://bugs.webkit.org/show_bug.cgi?id=188201
2892
2893         Reviewed by Keith Miller.
2894
2895         We do not reuse the existing butterfly with Contiguous shape for new ArrayStorage butterfly.
2896         When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
2897         new one. So this cellLock() is unnecessary for contiguous shape since a contiguous-shaped butterfly
2898         never reaches a broken state. This patch removes unnecessary locking.
2899
2900         * runtime/JSObject.cpp:
2901         (JSC::JSObject::visitButterflyImpl):
2902
2903 2018-07-31  Guillaume Emont  <guijemont@igalia.com>
2904
2905         [JSC] Remove gcc warnings for 32-bit platforms
2906         https://bugs.webkit.org/show_bug.cgi?id=187803
2907
2908         Reviewed by Yusuke Suzuki.
2909
2910         * assembler/MacroAssemblerPrinter.cpp:
2911         (JSC::Printer::printPCRegister):
2912         (JSC::Printer::printRegisterID):
2913         (JSC::Printer::printAddress):
2914         * dfg/DFGSpeculativeJIT.cpp:
2915         (JSC::DFG::SpeculativeJIT::speculateNumber):
2916         (JSC::DFG::SpeculativeJIT::speculateMisc):
2917         * jit/CCallHelpers.h:
2918         (JSC::CCallHelpers::calculatePokeOffset):
2919         * runtime/Options.cpp:
2920         (JSC::parse):
2921
2922 2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>
2923
2924         watchOS engineering build is broken after r234227
2925         https://bugs.webkit.org/show_bug.cgi?id=188180
2926
2927         Reviewed by Keith Miller.
2928
2929         In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
2930         postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
2931         `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
2932         `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
2933
2934         To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
2935         entirely, since there's no relevant version to replace them with.
2936
2937         * postprocess-headers.sh:
2938
2939 2018-07-30  Keith Miller  <keith_miller@apple.com>
2940
2941         Clarify conversion rules for JSValue property access API
2942         https://bugs.webkit.org/show_bug.cgi?id=188179
2943
2944         Reviewed by Geoffrey Garen.
2945
2946         * API/JSValue.h:
2947
2948 2018-07-30  Keith Miller  <keith_miller@apple.com>
2949
2950         Rename some JSC API functions/types.
2951         https://bugs.webkit.org/show_bug.cgi?id=188173
2952
2953         Reviewed by Saam Barati.
2954
2955         * API/JSObjectRef.cpp:
2956         (JSObjectHasPropertyForKey):
2957         (JSObjectGetPropertyForKey):
2958         (JSObjectSetPropertyForKey):
2959         (JSObjectDeletePropertyForKey):
2960         (JSObjectHasPropertyKey): Deleted.
2961         (JSObjectGetPropertyKey): Deleted.
2962         (JSObjectSetPropertyKey): Deleted.
2963         (JSObjectDeletePropertyKey): Deleted.
2964         * API/JSObjectRef.h:
2965         * API/JSValue.h:
2966         * API/JSValue.mm:
2967         (-[JSValue valueForProperty:]):
2968         (-[JSValue setValue:forProperty:]):
2969         (-[JSValue deleteProperty:]):
2970         (-[JSValue hasProperty:]):
2971         (-[JSValue defineProperty:descriptor:]):
2972         * API/tests/testapi.cpp:
2973         (TestAPI::run):
2974
2975 2018-07-30  Mark Lam  <mark.lam@apple.com>
2976
2977         Add a debugging utility to dump the memory layout of a JSCell.
2978         https://bugs.webkit.org/show_bug.cgi?id=188157
2979
2980         Reviewed by Yusuke Suzuki.
2981
2982         This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
2983         dump the memory contents of a cell and if present, its butterfly for debugging
2984         purposes.
2985
2986         Example usage for JS code when JSC_useDollarVM=true:
2987
2988             $vm.dumpCell(obj);
2989
2990         Example usage from C++ code or from lldb: 
2991
2992             (lldb) p JSC::VMInspector::dumpCellMemory(obj)
2993
2994         Some examples of dumps:
2995
2996             <0x104bc8260, Object>
2997               [0] 0x104bc8260 : 0x010016000000016c header
2998                 structureID 364 0x16c structure 0x104b721b0
2999                 indexingTypeAndMisc 0 0x0 NonArray
3000                 type 22 0x16
3001                 flags 0 0x0
3002                 cellState 1
3003               [1] 0x104bc8268 : 0x0000000000000000 butterfly
3004               [2] 0x104bc8270 : 0xffff000000000007
3005               [3] 0x104bc8278 : 0xffff000000000008
3006
3007             <0x104bb4360, Array>
3008               [0] 0x104bb4360 : 0x0108210b00000171 header
3009                 structureID 369 0x171 structure 0x104b723e0
3010                 indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
3011                 type 33 0x21
3012                 flags 8 0x8
3013                 cellState 1
3014               [1] 0x104bb4368 : 0x00000008000f4718 butterfly
3015                 base 0x8000f46e0
3016                 hasIndexingHeader YES hasAnyArrayStorage YES
3017                 publicLength 4 vectorLength 7 indexBias 2
3018                 preCapacity 2 propertyCapacity 4
3019                   <--- preCapacity
3020                   [0] 0x8000f46e0 : 0x0000000000000000
3021                   [1] 0x8000f46e8 : 0x0000000000000000
3022                   <--- propertyCapacity
3023                   [2] 0x8000f46f0 : 0x0000000000000000
3024                   [3] 0x8000f46f8 : 0x0000000000000000
3025                   [4] 0x8000f4700 : 0xffff00000000000d
3026                   [5] 0x8000f4708 : 0xffff00000000000c
3027                   <--- indexingHeader
3028                   [6] 0x8000f4710 : 0x0000000700000004
3029                   <--- butterfly
3030                   <--- arrayStorage
3031                   [7] 0x8000f4718 : 0x0000000000000000
3032                   [8] 0x8000f4720 : 0x0000000400000002
3033                   <--- indexedProperties
3034                   [9] 0x8000f4728 : 0xffff000000000008
3035                   [10] 0x8000f4730 : 0xffff000000000009
3036                   [11] 0x8000f4738 : 0xffff000000000005
3037                   [12] 0x8000f4740 : 0xffff000000000006
3038                   [13] 0x8000f4748 : 0x0000000000000000
3039                   [14] 0x8000f4750 : 0x0000000000000000
3040                   [15] 0x8000f4758 : 0x0000000000000000
3041                   <--- unallocated capacity
3042                   [16] 0x8000f4760 : 0x0000000000000000
3043                   [17] 0x8000f4768 : 0x0000000000000000
3044                   [18] 0x8000f4770 : 0x0000000000000000
3045                   [19] 0x8000f4778 : 0x0000000000000000
3046
3047         * runtime/JSObject.h:
3048         * tools/JSDollarVM.cpp:
3049         (JSC::functionDumpCell):
3050         (JSC::JSDollarVM::finishCreation):
3051         * tools/VMInspector.cpp:
3052         (JSC::VMInspector::dumpCellMemory):
3053         (JSC::IndentationScope::IndentationScope):
3054         (JSC::IndentationScope::~IndentationScope):
3055         (JSC::VMInspector::dumpCellMemoryToStream):
3056         * tools/VMInspector.h:
3057
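To make the dump format above concrete, here is an added example (not part of JSDollarVM or VMInspector) that decodes the header and indexing-header words quoted in this entry. The bit positions are inferred from the two dumps rather than taken from JSCell.h, and the butterfly base arithmetic reproduces the numbers shown for the Array case. Decoding a header this way is the first step when checking whether a cell found in a crash dump still has a plausible structureID, type and cellState.

```cpp
#include <cstdint>

// Field layout inferred from the two dumps (low bits first), not copied from
// JSCell.h: structureID in bits 0..31, then one byte each for
// indexingTypeAndMisc, type, flags and cellState.
struct CellHeader {
    uint32_t structureID;
    uint8_t indexingTypeAndMisc;
    uint8_t type;
    uint8_t flags;
    uint8_t cellState;
};

CellHeader decodeCellHeader(uint64_t word)
{
    CellHeader header;
    header.structureID = static_cast<uint32_t>(word & 0xffffffffULL);
    header.indexingTypeAndMisc = static_cast<uint8_t>(word >> 32);
    header.type = static_cast<uint8_t>(word >> 40);
    header.flags = static_cast<uint8_t>(word >> 48);
    header.cellState = static_cast<uint8_t>(word >> 56);
    return header;
}

// The indexing header is the word just before the butterfly pointer target:
// publicLength in the low half, vectorLength in the high half. From the Array
// dump, 0x0000000700000004 reads as publicLength 4, vectorLength 7.
struct IndexingHeader {
    uint32_t publicLength;
    uint32_t vectorLength;
};

IndexingHeader decodeIndexingHeader(uint64_t word)
{
    return { static_cast<uint32_t>(word & 0xffffffffULL), static_cast<uint32_t>(word >> 32) };
}

// Where the butterfly allocation starts: preCapacity and propertyCapacity slots
// of 8 bytes each plus the 8-byte indexing header all precede the butterfly
// pointer. The dump shows butterfly 0x8000f4718 with base 0x8000f46e0.
uint64_t butterflyBase(uint64_t butterfly, uint32_t preCapacity, uint32_t propertyCapacity)
{
    const uint64_t slotSize = 8;
    return butterfly - slotSize * (uint64_t(preCapacity) + propertyCapacity) - slotSize;
}

// Re-derive every labelled value in the two dumps from the raw words, which
// confirms the inferred layout against the tool's own output.
bool dumpsAreConsistent()
{
    CellHeader object = decodeCellHeader(0x010016000000016cULL);
    CellHeader array = decodeCellHeader(0x0108210b00000171ULL);
    IndexingHeader indexing = decodeIndexingHeader(0x0000000700000004ULL);
    return object.structureID == 0x16c && object.indexingTypeAndMisc == 0
        && object.type == 0x16 && object.flags == 0 && object.cellState == 1
        && array.structureID == 0x171 && array.indexingTypeAndMisc == 0xb
        && array.type == 0x21 && array.flags == 8 && array.cellState == 1
        && indexing.publicLength == 4 && indexing.vectorLength == 7
        && butterflyBase(0x8000f4718ULL, 2, 4) == 0x8000f46e0ULL;
}
```

Pass a header word from a real dump to decodeCellHeader and compare the type byte and structureID against what the surrounding dump claims; a mismatch between the decoded fields and the object the pointer was supposed to reference is the usual first sign of a corrupted or freed cell.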
3058 2018-07-27  Mark Lam  <mark.lam@apple.com>
3059
3060         Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
3061         https://bugs.webkit.org/show_bug.cgi?id=188123
3062         <rdar://problem/42672268>
3063
3064         Reviewed by Keith Miller.
3065
3066         1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
3067            padding space in VM and Heap, and should not cost any measurable perf to
3068            initialize and update.
3069
3070         2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
3071
3072            worldState tells us the value we failed the assertion on.
3073
3074            m_lastPhase, m_currentPhase, and m_nextPhase tell us the GC phase transition
3075            that led us here.
3076
3077            VM::id() and VM::numberOfIDs() tell us how many VMs may be in play.
3078
3079            VM::isEntered() tells us if the current VM is currently executing JS code.
3080
3081            Some of this data may be redundant, but the redundancy is intentional so that
3082            we can double check what is really happening at the time of crash.
3083
3084         * heap/Heap.cpp:
3085         (JSC::asInt):
3086         (JSC::Heap::checkConn):
3087         (JSC::Heap::changePhase):
3088         * heap/Heap.h:
3089         * runtime/VM.cpp:
3090         (JSC::VM::nextID):
3091         (JSC::VM::VM):
3092         * runtime/VM.h:
3093         (JSC::VM::numberOfIDs):
3094         (JSC::VM::id const):
3095         (JSC::VM::isEntered const):
3096
3097 2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3098
3099         [JSC] Record CoW status in ArrayProfile correctly
3100         https://bugs.webkit.org/show_bug.cgi?id=187949
3101
3102         Reviewed by Saam Barati.
3103
3104         In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
3105         This is important since our OSR exit compiler records m_observedArrayModes by calculating
3106         ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
3107         our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
3108         Array::Generic DFG nodes.
3109
3110         * bytecode/ArrayProfile.h:
3111         (JSC::asArrayModes):
3112         (JSC::ArrayProfile::ArrayProfile):
3113         * dfg/DFGOSRExit.cpp:
3114         (JSC::DFG::OSRExit::compileExit):
3115         * ftl/FTLOSRExitCompiler.cpp:
3116         (JSC::FTL::compileStub):
3117         * runtime/IndexingType.h:
3118
3119 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
3120
3121         [INTL] Remove INTL sub-feature compile flags
3122         https://bugs.webkit.org/show_bug.cgi?id=188081
3123
3124         Reviewed by Michael Catanzaro.
3125
3126         Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
3127         The runtime flags are still present, and should be relied on instead.
3128         The defines for ICU features have also been updated to match HAVE() style.
3129
3130         * Configurations/FeatureDefines.xcconfig:
3131         * runtime/IntlPluralRules.cpp:
3132         (JSC::IntlPluralRules::resolvedOptions):
3133         (JSC::IntlPluralRules::select):
3134         * runtime/IntlPluralRules.h:
3135         * runtime/Options.h:
3136
3137 2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3138
3139         [JSC] Dump IndexingMode in Structure
3140         https://bugs.webkit.org/show_bug.cgi?id=188085
3141
3142         Reviewed by Keith Miller.
3143
3144         Dump IndexingMode instead of IndexingType.
3145
3146         * runtime/Structure.cpp:
3147         (JSC::Structure::dump const):
3148
3149 2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>
3150
3151         String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
3152         https://bugs.webkit.org/show_bug.cgi?id=187963
3153
3154         Reviewed by Alex Christensen.
3155
3156         * inspector/InspectorBackendDispatcher.cpp:
3157         (Inspector::BackendDispatcher::dispatch):
3158         * jsc.cpp:
3159         (ModuleName::ModuleName):
3160         (resolvePath):
3161         * runtime/IntlObject.cpp:
3162         (JSC::canonicalizeLanguageTag):
3163         (JSC::removeUnicodeLocaleExtension):
3164         Update split/splitAllowingEmptyEntries usage.
3165
3166 2018-07-26  Commit Queue  <commit-queue@webkit.org>
3167
3168         Unreviewed, rolling out r234181 and r234189.
3169         https://bugs.webkit.org/show_bug.cgi?id=188075
3170
3171         These are not needed right now (Requested by thorton on
3172         #webkit).
3173
3174         Reverted changesets:
3175
3176         "Enable Web Content Filtering on watchOS"
3177         https://bugs.webkit.org/show_bug.cgi?id=187979
3178         https://trac.webkit.org/changeset/234181
3179
3180         "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
3181         https://bugs.webkit.org/show_bug.cgi?id=187985
3182         https://trac.webkit.org/changeset/234189
3183
3184 2018-07-26  Mark Lam  <mark.lam@apple.com>
3185
3186         arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
3187         https://bugs.webkit.org/show_bug.cgi?id=188065
3188         <rdar://problem/42515726>
3189
3190         Reviewed by Saam Barati.
3191
3192         * runtime/ArrayPrototype.cpp:
3193         (JSC::clearElement):
3194         (JSC::copyElements):
3195         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3196
3197 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
3198
3199         JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
3200         https://bugs.webkit.org/show_bug.cgi?id=167991
3201
3202         Reviewed by Michael Catanzaro.
3203
3204         Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
3205         Checked locale.isEmpty() before returning it from defaultLocale, so there should be
3206         no more cases where you might have an invalid locale come back from resolveLocale.
3207
3208         * runtime/IntlObject.cpp:
3209         (JSC::convertICULocaleToBCP47LanguageTag):
3210         (JSC::defaultLocale):
3211         (JSC::lookupMatcher):
3212         * runtime/IntlObject.h:
3213         * runtime/JSGlobalObject.cpp:
3214         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
3215         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
3216         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
3217         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
3218
3219 2018-07-26  Fujii Hironori &n