Flaky IntersectionObserver web platform tests involving style updates
1 2018-10-16  Mark Lam  <mark.lam@apple.com>
2
3         GetIndexedPropertyStorage can GC.
4         https://bugs.webkit.org/show_bug.cgi?id=190625
5         <rdar://problem/45309366>
6
7         Reviewed by Saam Barati.
8
9         This is because if the ArrayMode type is String, the DFG and FTL will be emitting
10         a call to operationResolveRope, and operationResolveRope can GC.  This patch
11         updates doesGC() to reflect this.
12
13         * dfg/DFGDoesGC.cpp:
14         (JSC::DFG::doesGC):
15
16 2018-10-16  Fujii Hironori  <Hironori.Fujii@sony.com>
17
18         Unreviewed, rolling out r237188, r237189, and r237197.
19
20         It breaks WinCairo Debug builds and Release LayoutTests
21
22         Reverted changesets:
23
24         https://bugs.webkit.org/show_bug.cgi?id=189708
25         https://trac.webkit.org/changeset/237188
26
27         "Unreviewed, forgot to add untracked files."
28         https://trac.webkit.org/changeset/237189
29
30         "isASTErroneous in offlineasm should de-macroify before
31         looking for Errors"
32         https://bugs.webkit.org/show_bug.cgi?id=190634
33         https://trac.webkit.org/changeset/237197
34
35 2018-10-16  Devin Rousso  <drousso@apple.com>
36
37         Web Inspector: Canvas: capture previously saved states and add them to the recording payload
38         https://bugs.webkit.org/show_bug.cgi?id=190473
39
40         Reviewed by Joseph Pecoraro.
41
42         * inspector/protocol/Recording.json:
43         Add `states` key to `InitialState` object.
44
45 2018-10-16  Keith Miller  <keith_miller@apple.com>
46
47         isASTErroneous in offlineasm should de-macroify before looking for Errors
48         https://bugs.webkit.org/show_bug.cgi?id=190634
49
50         Reviewed by Mark Lam.
51
52         If a macro isn't usable in a configuration, it might still cause us to
53         think the AST is invalid. This change runs the de-macroifier before
54         looking for errors.
55
56         Also, it adds a missing include to Printer.h.
57
58         * assembler/Printer.h:
59         * offlineasm/settings.rb:
60
61 2018-10-16  Justin Michaud  <justin_michaud@apple.com>
62
63         Implement feature flag and bindings for CSS Painting API
64         https://bugs.webkit.org/show_bug.cgi?id=190237
65
66         Reviewed by Ryosuke Niwa.
67
68         * Configurations/FeatureDefines.xcconfig:
69
70 2018-10-16  Keith Miller  <keith_miller@apple.com>
71
72         Unreviewed, forgot to add untracked files.
73
74         * llint/LLIntSettingsExtractor.cpp: Added.
75         (main):
76         * offlineasm/generate_settings_extractor.rb: Added.
77
78 2018-10-16  Keith Miller  <keith_miller@apple.com>
79
80         Unreviewed, reland https://bugs.webkit.org/show_bug.cgi?id=189708 with build fix.
81
82         * CMakeLists.txt:
83         * JavaScriptCore.xcodeproj/project.pbxproj:
84         * llint/LLIntOffsetsExtractor.cpp:
85         (JSC::LLIntOffsetsExtractor::dummy):
86         * offlineasm/generate_offset_extractor.rb:
87         * offlineasm/offsets.rb:
88         * offlineasm/settings.rb:
89
90 2018-10-16  Keith Miller  <keith_miller@apple.com>
91
92         Unreviewed, add missing include.
93
94         * runtime/BasicBlockLocation.h:
95
96 2018-10-15  Keith Miller  <keith_miller@apple.com>
97
98         Support arm64 CPUs with a 32-bit address space
99         https://bugs.webkit.org/show_bug.cgi?id=190273
100
101         Reviewed by Michael Saboff.
102
103         This patch adds support for arm64_32 in the LLInt. In order to
104         make this work we needed to add a new type that reflects the size
105         of a cpu register. This type is called CPURegister or UCPURegister
106         for the unsigned version. Most places that used void* or intptr_t
107         to refer to a register have been changed to use this new type.
108
109         * JavaScriptCore.xcodeproj/project.pbxproj:
110         * assembler/ARM64Assembler.h:
111         (JSC::isInt):
112         (JSC::is4ByteAligned):
113         (JSC::PairPostIndex::PairPostIndex):
114         (JSC::PairPreIndex::PairPreIndex):
115         (JSC::ARM64Assembler::readPointer):
116         (JSC::ARM64Assembler::readCallTarget):
117         (JSC::ARM64Assembler::computeJumpType):
118         (JSC::ARM64Assembler::linkCompareAndBranch):
119         (JSC::ARM64Assembler::linkConditionalBranch):
120         (JSC::ARM64Assembler::linkTestAndBranch):
121         (JSC::ARM64Assembler::loadRegisterLiteral):
122         (JSC::ARM64Assembler::loadStoreRegisterPairPostIndex):
123         (JSC::ARM64Assembler::loadStoreRegisterPairPreIndex):
124         (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
125         (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
126         (JSC::isInt7): Deleted.
127         (JSC::isInt11): Deleted.
128         * assembler/CPU.h:
129         (JSC::isAddress64Bit):
130         (JSC::isAddress32Bit):
131         * assembler/MacroAssembler.h:
132         (JSC::MacroAssembler::shouldBlind):
133         * assembler/MacroAssemblerARM64.cpp:
134         (JSC::MacroAssemblerARM64::collectCPUFeatures):
135         * assembler/MacroAssemblerARM64.h:
136         (JSC::MacroAssemblerARM64::load):
137         (JSC::MacroAssemblerARM64::store):
138         (JSC::MacroAssemblerARM64::isInIntRange): Deleted.
139         * assembler/Printer.h:
140         * assembler/ProbeContext.h:
141         (JSC::Probe::CPUState::gpr):
142         (JSC::Probe::CPUState::spr):
143         (JSC::Probe::Context::gpr):
144         (JSC::Probe::Context::spr):
145         * b3/B3ConstPtrValue.h:
146         * b3/B3StackmapSpecial.cpp:
147         (JSC::B3::StackmapSpecial::isArgValidForRep):
148         * b3/air/AirArg.h:
149         (JSC::B3::Air::Arg::stackSlot const):
150         (JSC::B3::Air::Arg::special const):
151         * b3/air/testair.cpp:
152         * b3/testb3.cpp:
153         (JSC::B3::testStoreConstantPtr):
154         (JSC::B3::testInterpreter):
155         (JSC::B3::testAddShl32):
156         (JSC::B3::testLoadBaseIndexShift32):
157         * bindings/ScriptFunctionCall.cpp:
158         (Deprecated::ScriptCallArgumentHandler::appendArgument):
159         * bindings/ScriptFunctionCall.h:
160         * bytecode/CodeBlock.cpp:
161         (JSC::roundCalleeSaveSpaceAsVirtualRegisters):
162         * dfg/DFGOSRExit.cpp:
163         (JSC::DFG::restoreCalleeSavesFor):
164         (JSC::DFG::saveCalleeSavesFor):
165         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
166         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
167         * dfg/DFGOSRExitCompilerCommon.cpp:
168         (JSC::DFG::reifyInlinedCallFrames):
169         * dfg/DFGSpeculativeJIT64.cpp:
170         (JSC::DFG::SpeculativeJIT::compile):
171         * disassembler/UDis86Disassembler.cpp:
172         (JSC::tryToDisassembleWithUDis86):
173         * ftl/FTLLowerDFGToB3.cpp:
174         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
175         * heap/MachineStackMarker.cpp:
176         (JSC::copyMemory):
177         * interpreter/CallFrame.h:
178         (JSC::ExecState::returnPC const):
179         (JSC::ExecState::hasReturnPC const):
180         (JSC::ExecState::clearReturnPC):
181         (JSC::ExecState::returnPCOffset):
182         (JSC::ExecState::isGlobalExec const):
183         (JSC::ExecState::setReturnPC):
184         * interpreter/CalleeBits.h:
185         (JSC::CalleeBits::boxWasm):
186         (JSC::CalleeBits::isWasm const):
187         (JSC::CalleeBits::asWasmCallee const):
188         * interpreter/Interpreter.cpp:
189         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
190         * interpreter/VMEntryRecord.h:
191         * jit/AssemblyHelpers.h:
192         (JSC::AssemblyHelpers::clearStackFrame):
193         * jit/RegisterAtOffset.h:
194         (JSC::RegisterAtOffset::offsetAsIndex const):
195         * jit/RegisterAtOffsetList.cpp:
196         (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
197         * llint/LLIntData.cpp:
198         (JSC::LLInt::Data::performAssertions):
199         * llint/LLIntOfflineAsmConfig.h:
200         * llint/LowLevelInterpreter.asm:
201         * llint/LowLevelInterpreter64.asm:
202         * offlineasm/arm64.rb:
203         * offlineasm/asm.rb:
204         * offlineasm/ast.rb:
205         * offlineasm/backends.rb:
206         * offlineasm/parser.rb:
207         * offlineasm/x86.rb:
208         * runtime/BasicBlockLocation.cpp:
209         (JSC::BasicBlockLocation::dumpData const):
210         (JSC::BasicBlockLocation::emitExecuteCode const):
211         * runtime/BasicBlockLocation.h:
212         * runtime/HasOwnPropertyCache.h:
213         * runtime/JSBigInt.cpp:
214         (JSC::JSBigInt::inplaceMultiplyAdd):
215         (JSC::JSBigInt::digitDiv):
216         * runtime/JSBigInt.h:
217         * runtime/JSObject.h:
218         * runtime/Options.cpp:
219         (JSC::jitEnabledByDefault):
220         * runtime/Options.h:
221         * runtime/RegExp.cpp:
222         (JSC::RegExp::printTraceData):
223         * runtime/SamplingProfiler.cpp:
224         (JSC::CFrameWalker::walk):
225         * runtime/SlowPathReturnType.h:
226         (JSC::encodeResult):
227         (JSC::decodeResult):
228         * tools/SigillCrashAnalyzer.cpp:
229         (JSC::SigillCrashAnalyzer::dumpCodeBlock):
230
231 2018-10-15  Justin Fan  <justin_fan@apple.com>
232
233         Add WebGPU 2018 feature flag and experimental feature flag
234         https://bugs.webkit.org/show_bug.cgi?id=190509
235
236         Reviewed by Dean Jackson.
237
238         Re-add ENABLE_WEBGPU, an experimental feature flag, and a RuntimeEnabledFeature
239         for the 2018 WebGPU prototype.
240
241         * Configurations/FeatureDefines.xcconfig:
242
243 2018-10-15  Timothy Hatcher  <timothy@apple.com>
244
245         Add support for prefers-color-scheme media query
246         https://bugs.webkit.org/show_bug.cgi?id=190499
247         rdar://problem/45212025
248
249         Reviewed by Dean Jackson.
250
251         * Configurations/FeatureDefines.xcconfig: Added ENABLE_DARK_MODE_CSS.
252
253 2018-10-15  Commit Queue  <commit-queue@webkit.org>
254
255         Unreviewed, rolling out r237084, r237088, r237098, and
256         r237114.
257         https://bugs.webkit.org/show_bug.cgi?id=190602
258
259         Breaks internal builds. (Requested by ryanhaddad on #webkit).
260
261         Reverted changesets:
262
263         "Separate configuration extraction from offset extraction"
264         https://bugs.webkit.org/show_bug.cgi?id=189708
265         https://trac.webkit.org/changeset/237084
266
267         "Gardening: Build fix after r237084."
268         https://bugs.webkit.org/show_bug.cgi?id=189708
269         https://trac.webkit.org/changeset/237088
270
271         "Gardening: Build fix after r237084."
272         https://bugs.webkit.org/show_bug.cgi?id=189708
273         https://trac.webkit.org/changeset/237098
274
275         "REGRESSION (r237084): JavaScriptCore fails to build on Linux"
276         https://trac.webkit.org/changeset/237114
277
278 2018-10-15  Keith Miller  <keith_miller@apple.com>
279
280         BytecodeDumper should print all switch labels
281         https://bugs.webkit.org/show_bug.cgi?id=190596
282
283         Reviewed by Saam Barati.
284
285         Right now the bytecode dumper only prints the default target not any of the
286         non-default targets.
287
288         * bytecode/BytecodeDumper.cpp:
289         (JSC::BytecodeDumper<Block>::dumpBytecode):
290
291 2018-10-15  Saam barati  <sbarati@apple.com>
292
293         Emit fjcvtzs on ARM64E on Darwin
294         https://bugs.webkit.org/show_bug.cgi?id=184023
295
296         Reviewed by Yusuke Suzuki and Filip Pizlo.
297
298         ARMv8.3 introduced the fjcvtzs instruction which does double->int32
299         conversion using the semantics defined by JavaScript:
300         http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0801g/hko1477562192868.html
301         This patch teaches JSC to use that instruction when possible.
302
303         * assembler/ARM64Assembler.h:
304         (JSC::ARM64Assembler::fjcvtzs):
305         (JSC::ARM64Assembler::fjcvtzsInsn):
306         * assembler/MacroAssemblerARM64.cpp:
307         (JSC::MacroAssemblerARM64::collectCPUFeatures):
308         * assembler/MacroAssemblerARM64.h:
309         (JSC::MacroAssemblerARM64::supportsDoubleToInt32ConversionUsingJavaScriptSemantics):
310         (JSC::MacroAssemblerARM64::convertDoubleToInt32UsingJavaScriptSemantics):
311         * dfg/DFGSpeculativeJIT.cpp:
312         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
313         * disassembler/ARM64/A64DOpcode.cpp:
314         * disassembler/ARM64/A64DOpcode.h:
315         (JSC::ARM64Disassembler::A64DOpcode::appendInstructionName):
316         * ftl/FTLLowerDFGToB3.cpp:
317         (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
318         * jit/JITRightShiftGenerator.cpp:
319         (JSC::JITRightShiftGenerator::generateFastPath):
320         * runtime/MathCommon.h:
321         (JSC::toInt32):
322
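The double-to-int32 semantics that fjcvtzs implements, as an added worked example that is not part of the WebKit change: ECMA-262 ToInt32 written out step by step and compared against the engine's native `x | 0` on edge-case inputs. `toInt32`, `mismatches` and the `SAMPLES` list are constructed for this example.

```javascript
// Added example (not WebKit code): ECMA-262 ToInt32, the double -> int32
// conversion that fjcvtzs performs in hardware, written out step by step.
// Names (toInt32, mismatches, SAMPLES) are constructed for this example.

const TWO_32 = 2 ** 32;
const TWO_31 = 2 ** 31;

function toInt32(d) {
  // Step 1: NaN, +0, -0, +Infinity and -Infinity all map to +0.
  if (d === 0 || !Number.isFinite(d)) return 0;
  // Step 2: truncate toward zero (so -1.9 -> -1, not -2).
  const truncated = Math.trunc(d);
  if (truncated === 0) return 0; // normalise -0 from inputs such as -0.5
  // Step 3: reduce modulo 2^32 into [0, 2^32). JS `%` on finite doubles is
  // exact, so this is correct even for magnitudes far beyond 2^53.
  let int32bit = truncated % TWO_32;
  if (int32bit < 0) int32bit += TWO_32;
  // Step 4: values at or above 2^31 wrap to the negative half.
  return int32bit >= TWO_31 ? int32bit - TWO_32 : int32bit;
}

// Inputs constructed to hit every step above: zeros, fractions, non-finite
// values, the int32 boundaries, and magnitudes that need the modulo step.
const SAMPLES = [
  0, -0, 1.9, -1.9, -0.5, NaN, Infinity, -Infinity,
  TWO_31 - 1, TWO_31, -TWO_31, -TWO_31 - 1,
  TWO_32 + 5, -TWO_32 - 5, 4294967295.999, 1e20, -1e20, 2 ** 53,
];

// Returns the samples on which the hand-written conversion disagrees with
// the engine's native ToInt32 (`x | 0`). Expected to be empty.
function mismatches() {
  return SAMPLES.filter((x) => toInt32(x) !== (x | 0));
}
```

The wrap-around in step 4 is the part that matters for JIT correctness: 2^31 becomes -2147483648 and 4294967295.999 becomes -1, so a code generator that used an ordinary saturating float-to-int instruction would produce different results from the interpreter.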
323 2018-10-15  Saam Barati  <sbarati@apple.com>
324
325         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
326         https://bugs.webkit.org/show_bug.cgi?id=190262
327         <rdar://problem/44986241>
328
329         Reviewed by Mark Lam.
330
331         We would take the fast path for shiftCountWithArrayStorage when the array
332         hasHoles(). However, the code for this was wrong. It'd incorrectly update
333         ArrayStorage::m_numValuesInVector. Since the hasHoles() for ArrayStorage
334         path is never taken in JetStream 2, this patch just removes that from
335         the fast path. Instead, we just fallback to the slow path when hasHoles().
336         If we find evidence that this matters for real use cases, we can
337         figure out a way to make the fast path work.
338
339         * runtime/JSArray.cpp:
340         (JSC::JSArray::shiftCountWithArrayStorage):
341
342 2018-10-15  Commit Queue  <commit-queue@webkit.org>
343
344         Unreviewed, rolling out r237054.
345         https://bugs.webkit.org/show_bug.cgi?id=190593
346
347         "this regressed JetStream 2 by 6% on iOS" (Requested by
348         saamyjoon on #webkit).
349
350         Reverted changeset:
351
352         "[JSC] JSC should have "parseFunction" to optimize Function
353         constructor"
354         https://bugs.webkit.org/show_bug.cgi?id=190340
355         https://trac.webkit.org/changeset/237054
356
357 2018-10-14  David Kilzer  <ddkilzer@apple.com>
358
359         REGRESSION (r237084): JavaScriptCore fails to build on Linux
360         <https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10949>
361
362         * llint/LLIntSettingsExtractor.cpp: Attempt to fix build by
363         including <stdio.h>.
364
365 2018-10-15  Alex Christensen  <achristensen@webkit.org>
366
367         Shrink more enum classes
368         https://bugs.webkit.org/show_bug.cgi?id=190540
369
370         Reviewed by Chris Dumez.
371
372         * runtime/ConsoleTypes.h:
373
374 2018-10-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
375
376         [JSC] Disable DOMJIT on 32bit architecture
377         https://bugs.webkit.org/show_bug.cgi?id=190387
378
379         Reviewed by Mark Lam.
380
381         We disable DOMJIT on 32bit architecture due to exhaustion of registers.
382
383         * runtime/Options.h:
384
385 2018-10-15  Alex Christensen  <achristensen@webkit.org>
386
387         Include EnumTraits.h less
388         https://bugs.webkit.org/show_bug.cgi?id=190535
389
390         Reviewed by Chris Dumez.
391
392         * runtime/ConsoleTypes.h:
393
394 2018-10-14  Mark Lam  <mark.lam@apple.com>
395
396         Gardening: Build fix after r237084.
397         https://bugs.webkit.org/show_bug.cgi?id=189708
398
399         Unreviewed.
400
401         * llint/LLIntOffsetsExtractor.cpp:
402
403 2018-10-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
404
405         [JSC] Remove Option::useAsyncIterator
406         https://bugs.webkit.org/show_bug.cgi?id=190567
407
408         Reviewed by Saam Barati.
409
410         Async iterator has been enabled by default since 2017-08-09. It has already shipped in several releases,
411         and we can consider it mature. Let's drop the option `Option::useAsyncIterator`.
412
413         * Configurations/FeatureDefines.xcconfig:
414         * bytecompiler/BytecodeGenerator.cpp:
415         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
416         (JSC::BytecodeGenerator::emitNewFunction):
417         * parser/ASTBuilder.h:
418         (JSC::ASTBuilder::createFunctionMetadata):
419         * parser/Parser.cpp:
420         (JSC::Parser<LexerType>::parseForStatement):
421         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
422         (JSC::Parser<LexerType>::parseClass):
423         (JSC::Parser<LexerType>::parseProperty):
424         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
425         * runtime/Options.h:
426
427 2018-10-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
428
429         [JSC] Remove Options::useObjectRestSpread
430         https://bugs.webkit.org/show_bug.cgi?id=190568
431
432         Reviewed by Saam Barati.
433
434         Options::useObjectRestSpread has been enabled by default since 2017-06-27. It has already shipped in several releases,
435         and we can consider it mature. Let's drop the Options::useObjectRestSpread() flag.
436
437         * parser/Parser.cpp:
438         (JSC::Parser<LexerType>::Parser):
439         (JSC::Parser<LexerType>::parseDestructuringPattern):
440         (JSC::Parser<LexerType>::parseProperty):
441         * parser/Parser.h:
442         * runtime/Options.h:
443
444 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
445
446         [JSC] JSON.stringify can accept call-with-no-arguments
447         https://bugs.webkit.org/show_bug.cgi?id=190343
448
449         Reviewed by Mark Lam.
450
451         JSON.stringify can accept a `JSON.stringify()` call (call-with-no-arguments) according to the spec [1].
452         Instead of throwing an error, we should treat the first argument as `undefined` if it is not given.
453
454         [1]: https://tc39.github.io/ecma262/#sec-json.stringify
455
456         * runtime/JSONObject.cpp:
457         (JSC::JSONProtoFuncStringify):
458
459 2018-10-12  Tadeu Zagallo  <tzagallo@apple.com>
460
461         Gardening: Build fix after r237084.
462         https://bugs.webkit.org/show_bug.cgi?id=189708
463
464         Unreviewed.
465
466         * JavaScriptCore.xcodeproj/project.pbxproj:
467
468 2018-10-12  Tadeu Zagallo  <tzagallo@apple.com>
469
470         Separate configuration extraction from offset extraction
471         https://bugs.webkit.org/show_bug.cgi?id=189708
472
473         Reviewed by Keith Miller.
474
475         Instead of generating a file with all offsets for every combination of
476         configurations, we first generate a file with only the configuration
477         indices and pass that to the offset extractor. The offset extractor then
478         only generates the offsets for valid configurations.
479
480         * CMakeLists.txt:
481         * JavaScriptCore.xcodeproj/project.pbxproj:
482         * llint/LLIntOffsetsExtractor.cpp:
483         (JSC::LLIntOffsetsExtractor::dummy):
484         * llint/LLIntSettingsExtractor.cpp: Added.
485         (main):
486         * offlineasm/generate_offset_extractor.rb:
487         * offlineasm/generate_settings_extractor.rb: Added.
488         * offlineasm/offsets.rb:
489         * offlineasm/settings.rb:
490
491 2018-10-12  Ryan Haddad  <ryanhaddad@apple.com>
492
493         Unreviewed, rolling out r237063.
494
495         Caused layout test fast/dom/Window/window-postmessage-clone-deep-array.html
496         to fail on macOS and iOS Debug bots.
497
498         Reverted changeset:
499
500         "[JSC] Remove gcc warnings on mips and armv7"
501         https://bugs.webkit.org/show_bug.cgi?id=188598
502         https://trac.webkit.org/changeset/237063
503
504 2018-10-11  Guillaume Emont  <guijemont@igalia.com>
505
506         [JSC] Remove gcc warnings on mips and armv7
507         https://bugs.webkit.org/show_bug.cgi?id=188598
508
509         Reviewed by Mark Lam.
510
511         Fix many gcc/clang warnings that are false positives, mostly alignment
512         issues.
513
514         * assembler/MacroAssemblerPrinter.cpp:
515         (JSC::Printer::printMemory):
516         Use bitwise_cast instead of reinterpret_cast.
517         * assembler/testmasm.cpp:
518         (JSC::floatOperands):
519         Marked as potentially unused, as it is not used on all platforms.
520         (JSC::testProbeModifiesStackValues):
521         modifiedFlags is not used on mips, so don't declare it.
522         * bytecode/CodeBlock.h:
523         Make ScriptExecutable::prepareForExecution() return an
524         std::optional<Exception*> instead of a JSObject*.
525         * interpreter/Interpreter.cpp:
526         (JSC::Interpreter::executeProgram):
527         (JSC::Interpreter::executeCall):
528         (JSC::Interpreter::executeConstruct):
529         (JSC::Interpreter::prepareForRepeatCall):
530         (JSC::Interpreter::execute):
531         (JSC::Interpreter::executeModuleProgram):
532         Update calling code for the prototype change of
533         ScriptExecutable::prepareForExecution().
534         * jit/JITOperations.cpp: Same as for Interpreter.cpp.
535         * llint/LLIntSlowPaths.cpp:
536         (JSC::LLInt::setUpCall): Same as for Interpreter.cpp.
537         * runtime/JSBigInt.cpp:
538         (JSC::JSBigInt::dataStorage):
539         Use bitwise_cast instead of reinterpret_cast.
540         * runtime/ScriptExecutable.cpp:
541         * runtime/ScriptExecutable.h:
542         Make ScriptExecutable::prepareForExecution() return an
543         std::optional<Exception*> instead of a JSObject*.
544         * tools/JSDollarVM.cpp:
545         (JSC::codeBlockFromArg): Use bitwise_cast instead of reinterpret_cast.
546
547 2018-10-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
548
549         Use currentStackPointer more
550         https://bugs.webkit.org/show_bug.cgi?id=190503
551
552         Reviewed by Saam Barati.
553
554         * runtime/VM.cpp:
555         (JSC::VM::committedStackByteCount):
556
557 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
558
559         [JSC] JSC should have "parseFunction" to optimize Function constructor
560         https://bugs.webkit.org/show_bug.cgi?id=190340
561
562         Reviewed by Mark Lam.
563
564         The current Function constructor is suboptimal. We parse the same piece of code three times to meet
565         the spec requirement: (1) check the parameter syntax, (2) check the body syntax, and (3) parse the entire function.
566         And to parse 1-3 correctly, we create two strings, the parameters and the entire function. This operation
567         is really costly, and ideally we should meet the above requirement with a single parse.
568
569         To meet the above requirement, we add a special function to the Parser, parseSingleFunction. This function
570         takes `std::optional<int> functionConstructorParametersEndPosition` and checks in the parser that this end position is correct.
571         For example, if we run the code,
572
573             Function('/*', '*/){')
574
575         According to the spec, this should produce the '/*' parameter string and the '*/){' body string. The parameter
576         string should be syntax-checked by the parser, which raises an error since it is incorrect. Instead of doing
577         that, in our implementation, we first create the entire string.
578
579             function anonymous(/*) {
580                 */){
581             }
582
583         And we parse it. At that time, we also pass the end position of the parameters to the parser. In the above case,
584         the position of the `function anonymous(/*)' <> is passed. And in the parser, we check that the last token
585         offset of the parameters is the given end position. This check allows us to raise the error correctly for the
586         above example while parsing the entire function only once. And we do not need to create two strings either.
587
588         This improves the performance of the Function constructor significantly, and web-tooling-benchmark/uglify-js is
589         significantly sped up (28.2%).
590
591         Before:
592             uglify-js:  2.94 runs/s
593         After:
594             uglify-js:  3.77 runs/s
595
596         * bytecode/UnlinkedFunctionExecutable.cpp:
597         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
598         * bytecode/UnlinkedFunctionExecutable.h:
599         * parser/Parser.cpp:
600         (JSC::Parser<LexerType>::parseInner):
601         (JSC::Parser<LexerType>::parseSingleFunction):
602         (JSC::Parser<LexerType>::parseFunctionInfo):
603         (JSC::Parser<LexerType>::parseFunctionDeclaration):
604         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
605         (JSC::Parser<LexerType>::parseClass):
606         (JSC::Parser<LexerType>::parsePropertyMethod):
607         (JSC::Parser<LexerType>::parseGetterSetter):
608         (JSC::Parser<LexerType>::parseFunctionExpression):
609         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
610         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
611         * parser/Parser.h:
612         (JSC::Parser<LexerType>::parse):
613         (JSC::parse):
614         (JSC::parseFunctionForFunctionConstructor):
615         * parser/ParserModes.h:
616         * parser/ParserTokens.h:
617         (JSC::JSTextPosition::JSTextPosition):
618         (JSC::JSTokenLocation::JSTokenLocation): Deleted.
619         * parser/SourceCodeKey.h:
620         (JSC::SourceCodeKey::SourceCodeKey):
621         (JSC::SourceCodeKey::operator== const):
622         * runtime/CodeCache.cpp:
623         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
624         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
625         * runtime/CodeCache.h:
626         * runtime/FunctionConstructor.cpp:
627         (JSC::constructFunctionSkippingEvalEnabledCheck):
628         * runtime/FunctionExecutable.cpp:
629         (JSC::FunctionExecutable::fromGlobalCode):
630         * runtime/FunctionExecutable.h:
631
632 2018-10-11  Ross Kirsling  <ross.kirsling@sony.com>
633
634         Fix non-existent define `CPU(JSVALUE64)`
635         https://bugs.webkit.org/show_bug.cgi?id=190479
636
637         Reviewed by Yusuke Suzuki.
638
639         * jit/CCallHelpers.h:
640         (JSC::CCallHelpers::setupArgumentsImpl):
641         Correct CPU(JSVALUE64) to USE(JSVALUE64).
642
643 2018-10-11  Keith Rollin  <krollin@apple.com>
644
645         CURRENT_ARCH should not be used in Run Script phase.
646         https://bugs.webkit.org/show_bug.cgi?id=190407
647         <rdar://problem/45133556>
648
649         Reviewed by Alexey Proskuryakov.
650
651         CURRENT_ARCH is used in a number of Xcode Run Script phases. However,
652         CURRENT_ARCH is not well-defined during this phase (and may even have
653         the value "undefined") since this phase is run just once per build
654         rather than once per supported architecture. Migrate away from
655         CURRENT_ARCH in favor of ARCHS, either by iterating over ARCHS and
656         performing an operation for each value, or by picking the first entry
657         in ARCHS and using that as a representative value.
658
659         * JavaScriptCore.xcodeproj/project.pbxproj: Store
660         LLIntDesiredOffsets.h into a directory with a name based on ARCHS
661         rather than CURRENT_ARCH.
662
663 2018-10-10  Mark Lam  <mark.lam@apple.com>
664
665         Changes towards allowing use of the ASAN detect_stack_use_after_return option.
666         https://bugs.webkit.org/show_bug.cgi?id=190405
667         <rdar://problem/45131464>
668
669         Reviewed by Michael Saboff.
670
671         The ASAN detect_stack_use_after_return option checks for use of stack variables
672         after they have been freed.  It does this by allocating relevant stack variables
673         in heap memory (instead of on the stack) if the code ever takes the address of
674         those stack variables.  Unfortunately, this is a common idiom that we use to
675         compute the approximate stack pointer value.  As a result, on such ASAN runs, the
676         computed approximate stack pointer value will point into the heap instead of the
677         stack.  This breaks the VM's expectations and wreaks havoc.
678
679         To fix this, we use the newly introduced WTF::currentStackPointer() instead of
680         taking the address of stack variables.
681
682         We also need to enhance ExceptionScopes to be able to work with ASAN
683         detect_stack_use_after_return, which will allocate the scope in the heap.  We
684         work around this by passing the current stack pointer of the instantiating calling
685         frame into the scope constructor, and using that for the position check in
686         ~ThrowScope() instead.
687
688         The above is only a start towards enabling ASAN detect_stack_use_after_return on
689         the VM.  There are still other issues to be resolved before we can run with this
690         ASAN option.
691
692         * runtime/CatchScope.h:
693         * runtime/ExceptionEventLocation.h:
694         (JSC::ExceptionEventLocation::ExceptionEventLocation):
695         * runtime/ExceptionScope.h:
696         (JSC::ExceptionScope::stackPosition const):
697         * runtime/JSLock.cpp:
698         (JSC::JSLock::didAcquireLock):
699         * runtime/ThrowScope.cpp:
700         (JSC::ThrowScope::~ThrowScope):
701         * runtime/ThrowScope.h:
702         * runtime/VM.h:
703         (JSC::VM::needExceptionCheck const):
704         (JSC::VM::isSafeToRecurse const):
705         * wasm/js/WebAssemblyFunction.cpp:
706         (JSC::callWebAssemblyFunction):
707         * yarr/YarrPattern.cpp:
708         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
709
710 2018-10-10  Devin Rousso  <drousso@apple.com>
711
712         Web Inspector: create special Network waterfall for media events
713         https://bugs.webkit.org/show_bug.cgi?id=189773
714         <rdar://problem/44626605>
715
716         Reviewed by Joseph Pecoraro.
717
718         * inspector/protocol/DOM.json:
719         Add `didFireEvent` event that is fired when specific event listeners added by
720         `InspectorInstrumentation::addEventListenersToNode` are fired.
721
722 2018-10-10  Michael Saboff  <msaboff@apple.com>
723
724         Increase executable memory pool from 64MB to 128MB for ARM64
725         https://bugs.webkit.org/show_bug.cgi?id=190453
726
727         Reviewed by Saam Barati.
728
729         * jit/ExecutableAllocator.cpp:
730
731 2018-10-10  Devin Rousso  <drousso@apple.com>
732
733         Web Inspector: notify the frontend when a canvas has started recording via console.record
734         https://bugs.webkit.org/show_bug.cgi?id=190306
735
736         Reviewed by Brian Burg.
737
738         * inspector/protocol/Canvas.json:
739         Add `recordingStarted` event.
740
741         * inspector/protocol/Recording.json:
742         Add `Initiator` enum for determining who started the recording.
743
744 2018-10-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
745
746         [JSC] Rename createXXX to tryCreateXXX if it can return RefPtr
747         https://bugs.webkit.org/show_bug.cgi?id=190429
748
749         Reviewed by Saam Barati.
750
751         Some createXXX functions can fail. But sometimes the caller does not perform error checking.
752         To make it explicit that these functions can fail, we rename these functions from createXXX
753         to tryCreateXXX. In this patch, we focus on non-JS-managed factory functions. If the factory
754         function does not fail, it should return Ref<>. Otherwise, it should be named as tryCreateXXX
755         and it should return RefPtr<>.
756
757         This patch mainly focuses on TypedArray factory functions. Previously, these functions were
758         `RefPtr<XXXArray> create(...)`. This patch changes them to `RefPtr<XXXArray> tryCreate(...)`.
759         And we also introduce `Ref<XXXArray> create(...)` function which internally performs
760         RELEASE_ASSERT on the result of `tryCreate(...)`.
761
762         And we also convert OpaqueJSString::create to OpaqueJSString::tryCreate since it can fail.
763
764         This change actually finds one place which does not perform any null checks while it uses
765         `RefPtr<> create(...)` function.
766
767         * API/JSCallbackObjectFunctions.h:
768         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
769         (JSC::JSCallbackObject<Parent>::put):
770         (JSC::JSCallbackObject<Parent>::putByIndex):
771         (JSC::JSCallbackObject<Parent>::deleteProperty):
772         (JSC::JSCallbackObject<Parent>::callbackGetter):
773         * API/JSClassRef.h:
774         (StaticValueEntry::StaticValueEntry):
775         * API/JSContext.mm:
776         (-[JSContext evaluateScript:withSourceURL:]):
777         (-[JSContext setName:]):
778         * API/JSContextRef.cpp:
779         (JSGlobalContextCopyName):
780         (JSContextCreateBacktrace):
781         * API/JSObjectRef.cpp:
782         (JSObjectCopyPropertyNames):
783         * API/JSScriptRef.cpp:
784         * API/JSStringRef.cpp:
785         (JSStringCreateWithCharactersNoCopy):
786         * API/JSValue.mm:
787         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
788         (+[JSValue valueWithNewErrorFromMessage:inContext:]):
789         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
790         (performPropertyOperation):
791         (-[JSValue invokeMethod:withArguments:]):
792         (containerValueToObject):
793         (objectToValueWithoutCopy):
794         (objectToValue):
795         * API/JSValueRef.cpp:
796         (JSValueCreateJSONString):
797         (JSValueToStringCopy):
798         * API/OpaqueJSString.cpp:
799         (OpaqueJSString::tryCreate):
800         (OpaqueJSString::create): Deleted.
801         * API/OpaqueJSString.h:
802         * API/glib/JSCContext.cpp:
803         (evaluateScriptInContext):
804         * API/glib/JSCValue.cpp:
805         (jsc_value_new_string_from_bytes):
806         * ftl/FTLLazySlowPath.h:
807         (JSC::FTL::LazySlowPath::createGenerator):
808         * ftl/FTLLazySlowPathCall.h:
809         (JSC::FTL::createLazyCallGenerator):
810         * ftl/FTLOSRExit.cpp:
811         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
812         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
813         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
814         * ftl/FTLOSRExit.h:
815         * ftl/FTLPatchpointExceptionHandle.cpp:
816         (JSC::FTL::PatchpointExceptionHandle::create):
817         (JSC::FTL::PatchpointExceptionHandle::createHandle):
818         * ftl/FTLPatchpointExceptionHandle.h:
819         * heap/EdenGCActivityCallback.h:
820         (JSC::GCActivityCallback::tryCreateEdenTimer):
821         (JSC::GCActivityCallback::createEdenTimer): Deleted.
822         * heap/FullGCActivityCallback.h:
823         (JSC::GCActivityCallback::tryCreateFullTimer):
824         (JSC::GCActivityCallback::createFullTimer): Deleted.
825         * heap/GCActivityCallback.h:
826         * heap/Heap.cpp:
827         (JSC::Heap::Heap):
828         * inspector/AsyncStackTrace.cpp:
829         (Inspector::AsyncStackTrace::create):
830         * inspector/AsyncStackTrace.h:
831         * jsc.cpp:
832         (fillBufferWithContentsOfFile):
833         * runtime/ArrayBuffer.h:
834         * runtime/GenericTypedArrayView.h:
835         * runtime/GenericTypedArrayViewInlines.h:
836         (JSC::GenericTypedArrayView<Adaptor>::create):
837         (JSC::GenericTypedArrayView<Adaptor>::tryCreate):
838         (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
839         (JSC::GenericTypedArrayView<Adaptor>::tryCreateUninitialized):
840         (JSC::GenericTypedArrayView<Adaptor>::subarray const):
841         * runtime/JSArrayBufferView.cpp:
842         (JSC::JSArrayBufferView::possiblySharedImpl):
843         * runtime/JSGenericTypedArrayViewInlines.h:
844         (JSC::JSGenericTypedArrayView<Adaptor>::possiblySharedTypedImpl):
845         (JSC::JSGenericTypedArrayView<Adaptor>::unsharedTypedImpl):
846         * wasm/WasmMemory.cpp:
847         (JSC::Wasm::Memory::create):
848         (JSC::Wasm::Memory::tryCreate):
849         * wasm/WasmMemory.h:
850         * wasm/WasmTable.cpp:
851         (JSC::Wasm::Table::tryCreate):
852         (JSC::Wasm::Table::create): Deleted.
853         * wasm/WasmTable.h:
854         * wasm/js/JSWebAssemblyInstance.cpp:
855         (JSC::JSWebAssemblyInstance::create):
856         * wasm/js/JSWebAssemblyMemory.cpp:
857         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
858         * wasm/js/WebAssemblyMemoryConstructor.cpp:
859         (JSC::constructJSWebAssemblyMemory):
860         * wasm/js/WebAssemblyModuleRecord.cpp:
861         (JSC::WebAssemblyModuleRecord::link):
862         * wasm/js/WebAssemblyTableConstructor.cpp:
863         (JSC::constructJSWebAssemblyTable):
864
865 2018-10-09  Devin Rousso  <drousso@apple.com>
866
867         Web Inspector: show redirect requests in Network and Timelines tabs
868         https://bugs.webkit.org/show_bug.cgi?id=150005
869         <rdar://problem/5378164>
870
871         Reviewed by Joseph Pecoraro.
872
873         * inspector/protocol/Network.json:
874         Add missing fields to `ResourceTiming`.
875
876 2018-10-09  Claudio Saavedra  <csaavedra@igalia.com>
877
878         [WPE] Explicitly link against gmodule where used
879         https://bugs.webkit.org/show_bug.cgi?id=190398
880
881         Reviewed by Michael Catanzaro.
882
883         * PlatformWPE.cmake:
884
885 2018-10-08  Justin Fan  <justin_fan@apple.com>
886
887         WebGPU: Rename old WebGPU prototype to WebMetal
888         https://bugs.webkit.org/show_bug.cgi?id=190325
889         <rdar://problem/44990443>
890
891         Reviewed by Dean Jackson.
892
893         Rename WebGPU prototype files to WebMetal in preparation for implementing the new (Oct 2018) WebGPU interface.
894
895         * Configurations/FeatureDefines.xcconfig:
896         * inspector/protocol/Canvas.json:
897         * inspector/scripts/codegen/generator.py:
898
899 2018-10-08  Aditya Keerthi  <akeerthi@apple.com>
900
901         Make <input type=color> a runtime enabled (on-by-default) feature
902         https://bugs.webkit.org/show_bug.cgi?id=189162
903
904         Reviewed by Wenson Hsieh and Tim Horton.
905
906         * Configurations/FeatureDefines.xcconfig:
907
908 2018-10-08  Devin Rousso  <drousso@apple.com>
909
910         Web Inspector: group media network entries by the node that triggered the request
911         https://bugs.webkit.org/show_bug.cgi?id=189606
912         <rdar://problem/44438527>
913
914         Reviewed by Brian Burg.
915
916         * inspector/protocol/Network.json:
917         Add an optional `nodeId` field to the `Initiator` object that is set if it is possible to
918         determine which ancestor node triggered the load. It may not correspond directly to the node
919         with the href/src, as that url may only be used by an ancestor for loading.
920
921 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
922
923         [JSC][Linux] Use non-truncated name for JIT workers in Linux
924         https://bugs.webkit.org/show_bug.cgi?id=190339
925
926         Reviewed by Mark Lam.
927
928         The current thread names are meaningless in the Linux environment. We do not want to
929         have truncated names in Linux: we want to have clear names in Linux. Instead, we
930         should have the name for Linux separately from the name used in the non-Linux
931         environments. This patch adds FTLWorker, DFGWorker, and JITWorker names for the
932         Linux environment.
933
934         * dfg/DFGWorklist.cpp:
935         (JSC::DFG::createWorklistName):
936         (JSC::DFG::Worklist::Worklist):
937         (JSC::DFG::Worklist::create):
938         (JSC::DFG::ensureGlobalDFGWorklist):
939         (JSC::DFG::ensureGlobalFTLWorklist):
940         * dfg/DFGWorklist.h:
941         * jit/JITWorklist.cpp:
942
943 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
944
945         Name Heap threads
946         https://bugs.webkit.org/show_bug.cgi?id=190337
947
948         Reviewed by Mark Lam.
949
950         Name heap threads as "Heap Helper Thread". In Linux, we name it "HeapHelper" since
951         Linux does not accept names longer than 15. We do not want to use the short name
952         for non-Linux environments. And we want to have clear names in Linux: a truncated name
953         is not good. So, having the two names is the only way.
954
955         * heap/HeapHelperPool.cpp:
956         (JSC::heapHelperPool):
957
958 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
959
960         [JSC] Avoid creating ProgramExecutable in checkSyntax
961         https://bugs.webkit.org/show_bug.cgi?id=190332
962
963         Reviewed by Mark Lam.
964
965         uglify-js in web-tooling-benchmark executes a massive number of Function constructor calls.
966         In Function constructor code, we perform checkSyntax for body and parameters. So fast checkSyntax
967         is important when the performance of Function constructor matters. Current checkSyntax code
968         unnecessarily allocates ProgramExecutable. This patch removes this allocation and improves
969         the benchmark score slightly.
970
971         Before:
972             uglify-js:  2.87 runs/s
973         After:
974             uglify-js:  2.94 runs/s
975
976         * runtime/Completion.cpp:
977         (JSC::checkSyntaxInternal):
978         (JSC::checkSyntax):
979         * runtime/ProgramExecutable.cpp:
980         (JSC::ProgramExecutable::checkSyntax): Deleted.
981         * runtime/ProgramExecutable.h:
982
983 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
984
985         [ESNext][BigInt] Implement support for "|"
986         https://bugs.webkit.org/show_bug.cgi?id=186229
987
988         Reviewed by Yusuke Suzuki.
989
990         This patch is introducing support for BigInt into the bitwise "or" operator.
991         In addition, we are also introducing 2 new DFG nodes, named "ArithBitOr" and
992         "ValueBitOr", to replace "BitOr" node. The idea is to follow the
993         difference that we make on Arith<op> and Value<op>, where ArithBitOr
994         handles cases when the operands are Int32 and ValueBitOr handles
995         the remaining cases.
996
997         We are also changing op_bitor to use ValueProfile. We are using
998         ValueProfile during DFG generation to emit "ArithBitOr" when
999         outcome prediction is Int32.
1000
1001         * bytecode/CodeBlock.cpp:
1002         (JSC::CodeBlock::finishCreation):
1003         (JSC::CodeBlock::arithProfileForPC):
1004         * bytecompiler/BytecodeGenerator.cpp:
1005         (JSC::BytecodeGenerator::emitBinaryOp):
1006         * dfg/DFGAbstractInterpreterInlines.h:
1007         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1008         * dfg/DFGBackwardsPropagationPhase.cpp:
1009         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
1010         (JSC::DFG::BackwardsPropagationPhase::propagate):
1011         * dfg/DFGByteCodeParser.cpp:
1012         (JSC::DFG::ByteCodeParser::parseBlock):
1013         * dfg/DFGClobberize.h:
1014         (JSC::DFG::clobberize):
1015         * dfg/DFGDoesGC.cpp:
1016         (JSC::DFG::doesGC):
1017         * dfg/DFGFixupPhase.cpp:
1018         (JSC::DFG::FixupPhase::fixupNode):
1019         * dfg/DFGNodeType.h:
1020         * dfg/DFGOperations.cpp:
1021         (JSC::DFG::bitwiseOp):
1022         * dfg/DFGOperations.h:
1023         * dfg/DFGPredictionPropagationPhase.cpp:
1024         * dfg/DFGSafeToExecute.h:
1025         (JSC::DFG::safeToExecute):
1026         * dfg/DFGSpeculativeJIT.cpp:
1027         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
1028         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
1029         * dfg/DFGSpeculativeJIT.h:
1030         (JSC::DFG::SpeculativeJIT::bitOp):
1031         * dfg/DFGSpeculativeJIT32_64.cpp:
1032         (JSC::DFG::SpeculativeJIT::compile):
1033         * dfg/DFGSpeculativeJIT64.cpp:
1034         (JSC::DFG::SpeculativeJIT::compile):
1035         * dfg/DFGStrengthReductionPhase.cpp:
1036         (JSC::DFG::StrengthReductionPhase::handleNode):
1037         * ftl/FTLCapabilities.cpp:
1038         (JSC::FTL::canCompile):
1039         * ftl/FTLLowerDFGToB3.cpp:
1040         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1041         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
1042         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitOr):
1043         (JSC::FTL::DFG::LowerDFGToB3::compileBitOr): Deleted.
1044         * jit/JITArithmetic.cpp:
1045         (JSC::JIT::emit_op_bitor):
1046         * llint/LowLevelInterpreter32_64.asm:
1047         * llint/LowLevelInterpreter64.asm:
1048         * runtime/CommonSlowPaths.cpp:
1049         (JSC::SLOW_PATH_DECL):
1050         * runtime/JSBigInt.cpp:
1051         (JSC::JSBigInt::bitwiseAnd):
1052         (JSC::JSBigInt::bitwiseOr):
1053         (JSC::JSBigInt::absoluteBitwiseOp):
1054         (JSC::JSBigInt::absoluteAddOne):
1055         * runtime/JSBigInt.h:
1056
1057 2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1058
1059         [JSC] Use new extra memory reporting in SparseArrayMap
1060         https://bugs.webkit.org/show_bug.cgi?id=190278
1061
1062         Reviewed by Keith Miller.
1063
1064         This patch switches the extra memory reporting mechanism from deprecatedReportExtraMemory
1065         to reportExtraMemoryAllocated & reportExtraMemoryVisited in SparseArrayMap.
1066
1067         * runtime/SparseArrayValueMap.cpp:
1068         (JSC::SparseArrayValueMap::add):
1069         (JSC::SparseArrayValueMap::visitChildren):
1070
1071 2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1072
1073         [JSC][Linux] Support Perf JITDump logging
1074         https://bugs.webkit.org/show_bug.cgi?id=189893
1075
1076         Reviewed by Mark Lam.
1077
1078         This patch adds Linux `perf` command's JIT Dump support. It allows JSC to tell perf about JIT code information.
1079         We add a command line option, `--logJITCodeForPerf`, which dumps `jit-%pid.dump` in the current directory.
1080         By using this dump and perf.data output, we can annotate JIT code with profiling information.
1081
1082             $ echo "(function f() { var s = 0; for (var i = 0; i < 1000000000; i++) { s += i; } return s; })();" > test.js
1083             $ perf record -k mono ../../WebKitBuild/perf/Release/bin/jsc test.js --logJITCodeForPerf=true
1084             [ perf record: Woken up 1 times to write data ]
1085             [ perf record: Captured and wrote 0.182 MB perf.data (4346 samples) ]
1086             $ perf inject --jit -i perf.data -o perf.jit.data
1087             $ perf report -i perf.jit.data
1088
1089         * Sources.txt:
1090         * assembler/LinkBuffer.cpp:
1091         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
1092         * assembler/LinkBuffer.h:
1093         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1094         * assembler/PerfLog.cpp: Added.
1095         (JSC::PerfLog::singleton):
1096         (JSC::generateTimestamp):
1097         (JSC::getCurrentThreadID):
1098         (JSC::PerfLog::PerfLog):
1099         (JSC::PerfLog::write):
1100         (JSC::PerfLog::flush):
1101         (JSC::PerfLog::log):
1102         * assembler/PerfLog.h: Added.
1103         * jit/ExecutableAllocator.cpp:
1104         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1105         * runtime/Options.cpp:
1106         (JSC::Options::isAvailable):
1107         * runtime/Options.h:
1108
1109 2018-10-05  Mark Lam  <mark.lam@apple.com>
1110
1111         Gardening: Build fix after r236880.
1112         https://bugs.webkit.org/show_bug.cgi?id=190317
1113
1114         Unreviewed.
1115
1116         * jit/ExecutableAllocator.h:
1117
1118 2018-10-05  Mark Lam  <mark.lam@apple.com>
1119
1120         performJITMemcpy() should handle the case when the executable allocator is not initialized yet.
1121         https://bugs.webkit.org/show_bug.cgi?id=190317
1122         <rdar://problem/45039398>
1123
1124         Reviewed by Saam Barati.
1125
1126         When SeparatedWXHeaps is in use, jitWriteThunkGenerator() will call performJITMemcpy()
1127         to copy memory before the JIT fixed memory pool is initialized.  Before r236864,
1128         performJITMemcpy() would just do a memcpy in that case.  We need to restore the
1129         equivalent behavior.
1130
1131         * jit/ExecutableAllocator.cpp:
1132         (JSC::isJITPC):
1133         * jit/ExecutableAllocator.h:
1134         (JSC::performJITMemcpy):
1135
1136 2018-10-05  Carlos Eduardo Ramalho  <cadubentzen@gmail.com>
1137
1138         [WPE][JSC] Use Unified Sources for Platform-specific sources
1139         https://bugs.webkit.org/show_bug.cgi?id=190300
1140
1141         Reviewed by Yusuke Suzuki.
1142
1143         Currently the GTK port already uses Unified Sources with the same source files.
1144         As WPE has conditional code using gmodule, we need to add GLIB_GMODULE_LIBRARIES
1145         to the list of libraries to link with.
1146
1147         * PlatformWPE.cmake:
1148         * SourcesWPE.txt: Added.
1149         * shell/PlatformWPE.cmake:
1150
1151 2018-10-05  Mike Gorse  <mgorse@alum.wpi.edu>
1152
1153         [GTK] build fails with python 3 if LANG and LC_TYPE are unset
1154         https://bugs.webkit.org/show_bug.cgi?id=190258
1155
1156         Reviewed by Konstantin Tokarev.
1157
1158         * Scripts/cssmin.py: Set stdout to UTF-8 on python 3.
1159         * Scripts/generateIntlCanonicalizeLanguage.py: Open files with
1160           encoding=UTF-8 on Python 3.
1161         * yarr/generateYarrCanonicalizeUnicode: Ditto.
1162         * yarr/generateYarrUnicodePropertyTables.py: Ditto.
1163
1164 2018-10-04  Mark Lam  <mark.lam@apple.com>
1165
1166         Move start/EndOfFixedExecutableMemoryPool pointers into the FixedVMPoolExecutableAllocator object.
1167         https://bugs.webkit.org/show_bug.cgi?id=190295
1168         <rdar://problem/19197193>
1169
1170         Reviewed by Saam Barati.
1171
1172         This allows us to use the tagging logic already baked into MacroAssemblerCodePtr
1173         instead of needing to use our own custom version here.
1174
1175         * jit/ExecutableAllocator.cpp:
1176         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1177         (JSC::FixedVMPoolExecutableAllocator::memoryStart):
1178         (JSC::FixedVMPoolExecutableAllocator::memoryEnd):
1179         (JSC::FixedVMPoolExecutableAllocator::isJITPC):
1180         (JSC::ExecutableAllocator::allocate):
1181         (JSC::startOfFixedExecutableMemoryPoolImpl):
1182         (JSC::endOfFixedExecutableMemoryPoolImpl):
1183         (JSC::isJITPC):
1184         * jit/ExecutableAllocator.h:
1185
1186 2018-10-04  Mark Lam  <mark.lam@apple.com>
1187
1188         Disable Options::useWebAssemblyFastMemory() on linux if ASAN signal handling is not disabled.
1189         https://bugs.webkit.org/show_bug.cgi?id=190283
1190         <rdar://problem/45015752>
1191
1192         Reviewed by Keith Miller.
1193
1194         * runtime/Options.cpp:
1195         (JSC::Options::initialize):
1196         * wasm/WasmFaultSignalHandler.cpp:
1197         (JSC::Wasm::enableFastMemory):
1198
1199 2018-10-03  Ross Kirsling  <ross.kirsling@sony.com>
1200
1201         [JSC] print() changes CRLF to CRCRLF on Windows
1202         https://bugs.webkit.org/show_bug.cgi?id=190228
1203
1204         Reviewed by Mark Lam.
1205
1206         * jsc.cpp:
1207         (main):
1208         Ultimately, this is just the normal behavior of printf in text mode on Windows.
1209         Since we're reading in files as binary, we need to be printing out as binary too
1210         (just as we do in DumpRenderTree and ImageDiff.)
1211
1212 2018-10-03  Saam barati  <sbarati@apple.com>
1213
1214         lowXYZ in FTLLower should always filter the type of the incoming edge
1215         https://bugs.webkit.org/show_bug.cgi?id=189939
1216         <rdar://problem/44407030>
1217
1218         Reviewed by Michael Saboff.
1219
1220         For example, the FTL may know more about data flow than AI in certain programs,
1221         and it needs to inform AI of these data flow properties to appease the assertion
1222         we have in AI that a node must perform type checks on its child nodes.
1223         
1224         For example, consider this program:
1225         
1226         ```
1227         bb#1
1228         a: Phi // Let's say it has an Int32 result, so it goes into the int32 hash table in FTLLower
1229         Branch(...,  #2, #3)
1230         
1231         bb#2
1232         ArrayifyToStructure(Cell:@a) // This modifies @a to have its previous type union the type of some structure set.
1233         Jump(#3)
1234         
1235         bb#3
1236         c: Add(Int32:@something, Int32:@a)
1237         ```
1238         
1239         When the Add node does lowInt32() for @a, FTL lower used to just grab it
1240         from the int32 hash table without filtering the AbstractValue. However,
1241         the parent node is asking for a type check to happen, so we must inform
1242         AI of this "type check" if we want to appease the assertion that all nodes
1243         perform type checks for their edges that semantically perform type checks.
1244         This patch makes it so we filter the AbstractValue in the lowXYZ even
1245         if FTLLower proved the value must be XYZ.
1246
1247         * ftl/FTLLowerDFGToB3.cpp:
1248         (JSC::FTL::DFG::LowerDFGToB3::compilePhi):
1249         (JSC::FTL::DFG::LowerDFGToB3::simulatedTypeCheck):
1250         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
1251         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
1252         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
1253
1254 2018-10-03  Michael Saboff  <msaboff@apple.com>
1255
1256         Command line jsc should report memory footprint in bytes
1257         https://bugs.webkit.org/show_bug.cgi?id=190267
1258
1259         Reviewed by Mark Lam.
1260
1261         Change to leave the footprint values from the system unmodified.
1262
1263         * jsc.cpp:
1264         (JSCMemoryFootprint::finishCreation):
1265
1266 2018-10-03  Mark Lam  <mark.lam@apple.com>
1267
1268         Suppress unreachable code warning for LLIntAssembly.h code.
1269         https://bugs.webkit.org/show_bug.cgi?id=190263
1270         <rdar://problem/44986532>
1271
1272         Reviewed by Saam Barati.
1273
1274         This is needed because LLIntAssembly.h is template generated from LowLevelInterpreter
1275         asm files, and may contain dead code which is harmless, but will trip up the warning.
1276         We should suppress the warning so that it doesn't break builds.
1277
1278         * llint/LowLevelInterpreter.cpp:
1279         (JSC::CLoop::execute):
1280
1281 2018-10-03  Dan Bernstein  <mitz@apple.com>
1282
1283         JavaScriptCore part of [Xcode] Update some build settings as recommended by Xcode 10
1284         https://bugs.webkit.org/show_bug.cgi?id=190250
1285
1286         Reviewed by Alex Christensen.
1287
1288         * API/tests/Regress141275.mm:
1289         (-[JSTEvaluator _sourcePerform]): Addressed newly-enabled CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF
1290           by making the self-retaining explicit.
1291
1292         * API/tests/testapi.cpp:
1293         (testCAPIViaCpp): Addressed newly-enabled CLANG_WARN_UNREACHABLE_CODE by breaking out of the
1294           loop instead of returning from the lambda.
1295
1296         * Configurations/Base.xcconfig: Enabled CLANG_WARN_COMMA, CLANG_WARN_UNREACHABLE_CODE,
1297           CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS, CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF, and
1298           CLANG_ANALYZER_LOCALIZABILITY_NONLOCALIZED.
1299
1300         * JavaScriptCore.xcodeproj/project.pbxproj: Removed a duplicate reference to
1301           UnlinkedFunctionExecutable.h, and let Xcode update the project file.
1302
1303         * assembler/MacroAssemblerPrinter.cpp:
1304         (JSC::Printer::printAllRegisters): Addressed newly-enabled CLANG_WARN_COMMA by replacing
1305           some commas with semicolons.
1306
1307 2018-10-03  Mark Lam  <mark.lam@apple.com>
1308
1309         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1310         https://bugs.webkit.org/show_bug.cgi?id=190187
1311         <rdar://problem/42512909>
1312
1313         Reviewed by Michael Saboff.
1314
1315         Allowing different max string lengths at each level opens up opportunities for
1316         bugs to creep in.  With 2 different max length values, it is more difficult to
1317         keep the story straight on how we do overflow / bounds checks at each place in
1318         the code.  It's also difficult to tell if a seemingly valid check at the WTF level
1319         will have bad ramifications at the JSC level.  It's also not meaningful to
1320         support a max length > INT_MAX.  To eliminate this class of bugs, we'll
1321         standardize on a MaxLength of INT_MAX at all levels.
1322
1323         We'll also standardize on using CheckedArithmetic for length overflow checks,
1324         and add some asserts to document the assumptions of the code.
1325
1326         * runtime/FunctionConstructor.cpp:
1327         (JSC::constructFunctionSkippingEvalEnabledCheck):
1328         - Fix OOM error handling which crashed a test after the new MaxLength was applied.
1329         * runtime/JSString.h:
1330         (JSC::JSString::finishCreation):
1331         (JSC::JSString::createHasOtherOwner):
1332         (JSC::JSString::setLength):
1333         * runtime/JSStringInlines.h:
1334         (JSC::jsMakeNontrivialString):
1335         * runtime/Operations.h:
1336         (JSC::jsString):
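
        As an added illustration (not WebKit's code) of why one MaxLength bound and
        checked arithmetic matter: the unchecked 32-bit sum of two lengths wraps and
        passes the bound comparison, while a checked accumulator refuses. `CheckedUint32`
        is a minimal stand-in for WTF's CheckedArithmetic, and `kMaxStringLength`,
        `LengthResult` and `checkedConcatLength` are the example's own names, not JSC's.

```cpp
// Added example (not WebKit's code): a single MaxLength bound checked with
// overflow-aware arithmetic, next to the unchecked pattern that wraps.
#include <climits>
#include <cstdint>
#include <vector>

// One bound for every layer, as the entry standardizes on: INT_MAX.
constexpr uint32_t kMaxStringLength = static_cast<uint32_t>(INT_MAX);

// Unchecked: the 32-bit sum wraps modulo 2^32, so two lengths that are each
// below the bound but together exceed it can pass the comparison.
bool uncheckedLengthFits(uint32_t a, uint32_t b) {
    uint32_t sum = a + b;   // wraps silently on overflow
    return sum <= kMaxStringLength;
}

// Minimal checked accumulator standing in for WTF's CheckedArithmetic
// (assumed shape, not WTF's API): an overflow poisons the value for good.
class CheckedUint32 {
public:
    explicit CheckedUint32(uint32_t v = 0) : m_value(v) {}
    CheckedUint32& operator+=(uint32_t rhs) {
        if (m_overflowed)
            return *this;
        if (rhs > UINT32_MAX - m_value)
            m_overflowed = true;    // remember it; never produce a wrapped value
        else
            m_value += rhs;
        return *this;
    }
    bool hasOverflowed() const { return m_overflowed; }
    uint32_t unsafeGet() const { return m_value; }
private:
    uint32_t m_value;
    bool m_overflowed = false;
};

struct LengthResult {
    bool ok;          // false if any partial sum overflowed or total > MaxLength
    uint32_t length;  // valid only when ok
};

// Checked: the total length of a concatenation, or failure. A caller would
// report the out-of-memory / invalid-length error instead of allocating.
LengthResult checkedConcatLength(const std::vector<uint32_t>& lengths) {
    CheckedUint32 total;
    for (uint32_t len : lengths)
        total += len;
    if (total.hasOverflowed() || total.unsafeGet() > kMaxStringLength)
        return { false, 0 };
    return { true, total.unsafeGet() };
}
```

        The point of the poisoned accumulator is that the bound check happens once, on a
        value that is known not to have wrapped, instead of being re-derived at each layer
        from partial sums that might already be wrong.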
1337
1338 2018-10-03  Koby Boyango  <koby.b@mce-sys.com>
1339
1340         [JSC] Add a C++ callable overload of objectConstructorSeal
1341         https://bugs.webkit.org/show_bug.cgi?id=190137
1342
1343         Reviewed by Yusuke Suzuki.
1344
1345         * runtime/ObjectConstructor.cpp:
1346         * runtime/ObjectConstructor.h:
1347
1348 2018-10-02  Dominik Infuehr  <dinfuehr@igalia.com>
1349
1350         Fix Disassembler-output on ARM Thumb2
1351         https://bugs.webkit.org/show_bug.cgi?id=190203
1352
1353         On ARMv7 with Thumb2, addresses have bit 0 set to 1 to force
1354         execution in thumb mode for jumps and calls. The actual machine
1355         instructions are still aligned to 2-bytes though. Use dataLocation() as
1356         start address for disassembling since it unsets the thumb bit.
1357         Until now the disassembler would start at the wrong address (off by 1),
1358         resulting in the wrong disassembled machine instructions.
1359
1360         Reviewed by Mark Lam.
1361
1362         * disassembler/CapstoneDisassembler.cpp:
1363         (JSC::tryToDisassemble):
1364
1365 2018-10-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1366
1367         [JSC] Add stub of ExecutableAllocator used when JIT is disabled
1368         https://bugs.webkit.org/show_bug.cgi?id=190215
1369
1370         Reviewed by Mark Lam.
1371
1372         When ENABLE(JIT) is disabled, we do not use JIT. But ExecutableAllocator is still available since
1373         it is guarded by ENABLE(ASSEMBLER). ENABLE(ASSEMBLER) is necessary for LLInt ASM interpreter since
1374         our MacroAssembler tells machine architecture information. Eventually, we would like to decouple
1375         this machine architecture information from MacroAssembler. But for now, we use ENABLE(ASSEMBLER)
1376         for LLInt ASM interpreter even if JIT is disabled by ENABLE(JIT).
1377
1378         To ensure any executable memory allocation is not done, we add a stub of ExecutableAllocator for
1379         non-JIT configurations. This does not have any functionality allocating executable memory, thus
1380         any accidental operation cannot attempt to allocate executable memory if ENABLE(JIT) = OFF.
1381
1382         * jit/ExecutableAllocator.cpp:
1383         (JSC::ExecutableAllocator::initializeAllocator):
1384         (JSC::ExecutableAllocator::singleton):
1385         * jit/ExecutableAllocator.h:
1386         (JSC::ExecutableAllocator::isValid const):
1387         (JSC::ExecutableAllocator::underMemoryPressure):
1388         (JSC::ExecutableAllocator::memoryPressureMultiplier):
1389         (JSC::ExecutableAllocator::dumpProfile):
1390         (JSC::ExecutableAllocator::allocate):
1391         (JSC::ExecutableAllocator::isValidExecutableMemory):
1392         (JSC::ExecutableAllocator::committedByteCount):
1393         (JSC::ExecutableAllocator::getLock const):
1394         (JSC::performJITMemcpy):
1395
1396 2018-10-01  Dean Jackson  <dino@apple.com>
1397
1398         Remove CSS Animation Triggers
1399         https://bugs.webkit.org/show_bug.cgi?id=190175
1400         <rdar://problem/44925626>
1401
1402         Reviewed by Simon Fraser.
1403
1404         * Configurations/FeatureDefines.xcconfig:
1405
1406 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1407
1408         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1409         https://bugs.webkit.org/show_bug.cgi?id=190033
1410
1411         Reviewed by Yusuke Suzuki.
1412
1413         The implementation of JSBigInt::toStringToGeneric doesn't handle power
1414         of 2 radix when JSBigInt length is >= 2. To handle such cases, we
1415         implemented JSBigInt::toStringBasePowerOfTwo that follows the
1416         algorithm that groups bits using a mask of (2 ^ n) - 1 to extract every
1417         digit.
1418
1419         * runtime/JSBigInt.cpp:
1420         (JSC::JSBigInt::toString):
1421         (JSC::JSBigInt::toStringBasePowerOfTwo):
1422         * runtime/JSBigInt.h:
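
        The bit-grouping algorithm described above, carried through as an added worked
        example (not JavaScriptCore's JSBigInt code): a little-endian multi-limb magnitude
        is converted to a power-of-two radix by pulling `log2(radix)`-bit groups through a
        small bit buffer, so groups that straddle a 32-bit limb boundary (the `length >= 2`
        case the entry fixes) come out right. The `BigUnsigned` type and the function names
        are the example's own assumptions.

```cpp
// Added example (not JavaScriptCore's code): string conversion of a
// multi-limb magnitude in a power-of-two radix by slicing fixed-width
// bit groups, including groups that straddle a 32-bit limb boundary.
#include <algorithm>
#include <cassert>
#include <cstdint>
#include <string>
#include <vector>

// Assumed representation: little-endian 32-bit limbs, digits[0] least
// significant. Only the magnitude is modelled; sign handling is omitted.
struct BigUnsigned {
    std::vector<uint32_t> digits;
};

// log2(radix) for a power-of-two radix in [2, 32]; 0 for any other radix.
static int bitsPerDigit(int radix) {
    if (radix < 2 || radix > 32 || (radix & (radix - 1)) != 0)
        return 0;
    int n = 0;
    while ((1 << n) < radix)
        ++n;
    return n;
}

std::string toStringBasePowerOfTwo(const BigUnsigned& value, int radix) {
    static const char* const kDigitChars = "0123456789abcdefghijklmnopqrstuv";
    const int bits = bitsPerDigit(radix);
    assert(bits > 0 && "radix must be a power of two in [2, 32]");

    // Ignore leading zero limbs so that zero prints as a single digit.
    size_t length = value.digits.size();
    while (length > 0 && value.digits[length - 1] == 0)
        --length;
    if (length == 0)
        return "0";

    const uint32_t mask = (1u << bits) - 1;   // the (2^n) - 1 group mask
    std::string out;                          // least significant digit first
    uint64_t acc = 0;                         // bits not yet emitted
    int accBits = 0;                          // number of valid bits in acc

    for (size_t i = 0; i < length; ++i) {
        // accBits < bits <= 5 here, so the shifted limb fits in 64 bits.
        acc |= static_cast<uint64_t>(value.digits[i]) << accBits;
        accBits += 32;
        // Emit every complete n-bit group; the remainder carries into the next limb.
        while (accBits >= bits) {
            out.push_back(kDigitChars[acc & mask]);
            acc >>= bits;
            accBits -= bits;
        }
    }
    // A partial group left over at the top becomes the most significant digit.
    if (accBits > 0)
        out.push_back(kDigitChars[acc & mask]);

    // Drop high-order zero digits, then order most significant digit first.
    while (out.size() > 1 && out.back() == '0')
        out.pop_back();
    std::reverse(out.begin(), out.end());
    return out;
}
```

        Radix 8 and radix 32 are the instructive cases: 32 is not a multiple of 3 or 5, so
        a digit's bits are split across two limbs and only the carried `acc`/`accBits`
        state produces the correct digit at the boundary.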
1423
1424 2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1425
1426         [JSC] Add branchIfNaN and branchIfNotNaN
1427         https://bugs.webkit.org/show_bug.cgi?id=190122
1428
1429         Reviewed by Mark Lam.
1430
1431         Add AssemblyHelpers::{branchIfNaN, branchIfNotNaN} to make code more readable.
1432
1433         * dfg/DFGSpeculativeJIT.cpp:
1434         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1435         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1436         (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
1437         (JSC::DFG::SpeculativeJIT::compileSpread):
1438         (JSC::DFG::SpeculativeJIT::compileNewArray):
1439         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
1440         (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal):
1441         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1442         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1443         * dfg/DFGSpeculativeJIT32_64.cpp:
1444         (JSC::DFG::SpeculativeJIT::compile):
1445         * dfg/DFGSpeculativeJIT64.cpp:
1446         (JSC::DFG::SpeculativeJIT::compile):
1447         * jit/AssemblyHelpers.cpp:
1448         (JSC::AssemblyHelpers::purifyNaN):
1449         * jit/AssemblyHelpers.h:
1450         (JSC::AssemblyHelpers::branchIfNaN):
1451         (JSC::AssemblyHelpers::branchIfNotNaN):
1452         * jit/JITPropertyAccess.cpp:
1453         (JSC::JIT::emitGenericContiguousPutByVal):
1454         (JSC::JIT::emitDoubleLoad):
1455         (JSC::JIT::emitFloatTypedArrayGetByVal):
1456         * jit/JITPropertyAccess32_64.cpp:
1457         (JSC::JIT::emitGenericContiguousPutByVal):
1458         * wasm/js/JSToWasm.cpp:
1459         (JSC::Wasm::createJSToWasmWrapper):
1460
1461 2018-10-01  Mark Lam  <mark.lam@apple.com>
1462
1463         Function.toString() should also copy the source code Functions that are class definitions.
1464         https://bugs.webkit.org/show_bug.cgi?id=190186
1465         <rdar://problem/44733360>
1466
1467         Reviewed by Saam Barati.
1468
1469         Previously, if the Function is a class definition, functionProtoFuncToString()
1470         would create a String using StringView::toStringWithoutCopying(), and use that
1471         String to make a JSString.  This is not a problem if the underlying SourceProvider
1472         (that backs the characters in that StringView) is immortal.  However, this is
1473         not always the case in practice.
1474
1475         This patch fixes this issue by changing functionProtoFuncToString() to create the
1476         String using StringView::toString() instead, which makes a copy of the underlying
1477         characters buffer.  This detaches the resultant JSString from the SourceProvider
1478         characters buffer that it was created from, and ensures that the underlying
1479         characters buffer of the string will be alive for the entire lifetime of the
1480         JSString.
1481
1482         * runtime/FunctionPrototype.cpp:
1483         (JSC::functionProtoFuncToString):
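
The lifetime problem described in this entry, shown as an added example that is not code from the WebKit ChangeLog or from JSC itself. `SourceProvider`, `classSourceWithoutCopying` and `classSourceCopied` are hypothetical stand-ins for JSC's SourceProvider, `StringView::toStringWithoutCopying()` and `StringView::toString()`; the script text and the offsets are constructed for the example.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <string_view>

// Hypothetical stand-in for JSC's SourceProvider: the object that owns a script's characters.
struct SourceProvider {
    std::string source;
};

// Models StringView::toStringWithoutCopying(): the result only aliases the provider's buffer
// and is valid solely while the provider is alive.
std::string_view classSourceWithoutCopying(const SourceProvider& provider, size_t start, size_t end)
{
    return std::string_view(provider.source).substr(start, end - start);
}

// Models StringView::toString(): the characters are copied, so the result owns its storage
// and does not depend on the provider's lifetime.
std::string classSourceCopied(const SourceProvider& provider, size_t start, size_t end)
{
    return std::string(classSourceWithoutCopying(provider, start, end));
}

// Simulates the situation the patch fixes: the provider is destroyed while the string
// produced for Function.prototype.toString() is still held. Only the copying variant
// may outlive the provider.
std::string toStringOutlivingProvider()
{
    auto provider = std::make_unique<SourceProvider>();
    provider->source = "var a = 1;\nclass Foo { bar() { return a; } }\nnew Foo().bar();"; // constructed
    const size_t start = provider->source.find("class");
    const size_t end = provider->source.find("\nnew");
    std::string copied = classSourceCopied(*provider, start, end);
    // A std::string_view taken above would be left dangling by the next line; handing it
    // out to a caller would read freed memory, which is the bug this entry describes.
    provider.reset();
    return copied;
}
```

Running a build of such code under AddressSanitizer is the practical way to confirm the non-copying variant is never read after the provider has been released.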
1484
1485 2018-10-01  Keith Miller  <keith_miller@apple.com>
1486
1487         Create a RELEASE_AND_RETURN macro for ExceptionScopes
1488         https://bugs.webkit.org/show_bug.cgi?id=190163
1489
1490         Reviewed by Mark Lam.
1491
1492         The new RELEASE_AND_RETURN does all the work for cases
1493         where you want to return the result of some expression
1494         without explicitly checking for an exception. This is
1495         much like the existing RETURN_IF_EXCEPTION macro.
1496
1497         * dfg/DFGOperations.cpp:
1498         (JSC::DFG::newTypedArrayWithSize):
1499         * interpreter/Interpreter.cpp:
1500         (JSC::eval):
1501         * jit/JITOperations.cpp:
1502         (JSC::getByVal):
1503         * jsc.cpp:
1504         (functionDollarAgentReceiveBroadcast):
1505         * llint/LLIntSlowPaths.cpp:
1506         (JSC::LLInt::setUpCall):
1507         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1508         (JSC::LLInt::varargsSetup):
1509         * profiler/ProfilerDatabase.cpp:
1510         (JSC::Profiler::Database::toJSON const):
1511         * runtime/AbstractModuleRecord.cpp:
1512         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1513         * runtime/ArrayConstructor.cpp:
1514         (JSC::constructArrayWithSizeQuirk):
1515         * runtime/ArrayPrototype.cpp:
1516         (JSC::getProperty):
1517         (JSC::fastJoin):
1518         (JSC::arrayProtoFuncToString):
1519         (JSC::arrayProtoFuncToLocaleString):
1520         (JSC::arrayProtoFuncJoin):
1521         (JSC::arrayProtoFuncPop):
1522         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1523         * runtime/BigIntConstructor.cpp:
1524         (JSC::toBigInt):
1525         * runtime/CommonSlowPaths.h:
1526         (JSC::CommonSlowPaths::opInByVal):
1527         * runtime/ConstructData.cpp:
1528         (JSC::construct):
1529         * runtime/DateConstructor.cpp:
1530         (JSC::dateParse):
1531         * runtime/DatePrototype.cpp:
1532         (JSC::dateProtoFuncToPrimitiveSymbol):
1533         * runtime/DirectArguments.h:
1534         * runtime/ErrorConstructor.cpp:
1535         (JSC::Interpreter::constructWithErrorConstructor):
1536         * runtime/ErrorPrototype.cpp:
1537         (JSC::errorProtoFuncToString):
1538         * runtime/ExceptionScope.h:
1539         * runtime/FunctionConstructor.cpp:
1540         (JSC::constructFunction):
1541         * runtime/FunctionPrototype.cpp:
1542         (JSC::functionProtoFuncToString):
1543         * runtime/GenericArgumentsInlines.h:
1544         (JSC::GenericArguments<Type>::defineOwnProperty):
1545         * runtime/GetterSetter.cpp:
1546         (JSC::callGetter):
1547         * runtime/IntlCollatorConstructor.cpp:
1548         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1549         * runtime/IntlCollatorPrototype.cpp:
1550         (JSC::IntlCollatorFuncCompare):
1551         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1552         * runtime/IntlDateTimeFormatConstructor.cpp:
1553         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1554         * runtime/IntlDateTimeFormatPrototype.cpp:
1555         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1556         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
1557         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1558         * runtime/IntlNumberFormatConstructor.cpp:
1559         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1560         * runtime/IntlNumberFormatPrototype.cpp:
1561         (JSC::IntlNumberFormatFuncFormatNumber):
1562         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
1563         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1564         * runtime/IntlObject.cpp:
1565         (JSC::intlNumberOption):
1566         * runtime/IntlObjectInlines.h:
1567         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1568         * runtime/IntlPluralRules.cpp:
1569         (JSC::IntlPluralRules::resolvedOptions):
1570         * runtime/IntlPluralRulesConstructor.cpp:
1571         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
1572         * runtime/IntlPluralRulesPrototype.cpp:
1573         (JSC::IntlPluralRulesPrototypeFuncSelect):
1574         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
1575         * runtime/JSArray.cpp:
1576         (JSC::JSArray::defineOwnProperty):
1577         (JSC::JSArray::put):
1578         (JSC::JSArray::setLength):
1579         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1580         * runtime/JSArrayBufferPrototype.cpp:
1581         (JSC::arrayBufferProtoGetterFuncByteLength):
1582         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
1583         * runtime/JSArrayInlines.h:
1584         (JSC::toLength):
1585         * runtime/JSBoundFunction.cpp:
1586         (JSC::boundFunctionCall):
1587         (JSC::boundFunctionConstruct):
1588         * runtime/JSCJSValue.cpp:
1589         (JSC::JSValue::putToPrimitive):
1590         * runtime/JSCJSValueInlines.h:
1591         (JSC::JSValue::toIndex const):
1592         (JSC::JSValue::toPropertyKey const):
1593         (JSC::JSValue::get const):
1594         (JSC::JSValue::getPropertySlot const):
1595         (JSC::JSValue::getOwnPropertySlot const):
1596         (JSC::JSValue::equalSlowCaseInline):
1597         * runtime/JSDataView.cpp:
1598         (JSC::JSDataView::put):
1599         (JSC::JSDataView::defineOwnProperty):
1600         * runtime/JSFunction.cpp:
1601         (JSC::JSFunction::put):
1602         (JSC::JSFunction::defineOwnProperty):
1603         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1604         (JSC::constructGenericTypedArrayViewWithArguments):
1605         (JSC::constructGenericTypedArrayView):
1606         * runtime/JSGenericTypedArrayViewInlines.h:
1607         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1608         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1609         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1610         (JSC::speciesConstruct):
1611         (JSC::genericTypedArrayViewProtoFuncJoin):
1612         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1613         * runtime/JSGlobalObject.cpp:
1614         (JSC::JSGlobalObject::put):
1615         * runtime/JSGlobalObjectFunctions.cpp:
1616         (JSC::decode):
1617         (JSC::globalFuncEval):
1618         (JSC::globalFuncProtoGetter):
1619         * runtime/JSInternalPromise.cpp:
1620         (JSC::JSInternalPromise::then):
1621         * runtime/JSModuleEnvironment.cpp:
1622         (JSC::JSModuleEnvironment::put):
1623         * runtime/JSModuleLoader.cpp:
1624         (JSC::JSModuleLoader::provideFetch):
1625         (JSC::JSModuleLoader::loadAndEvaluateModule):
1626         (JSC::JSModuleLoader::loadModule):
1627         (JSC::JSModuleLoader::linkAndEvaluateModule):
1628         (JSC::JSModuleLoader::requestImportModule):
1629         (JSC::JSModuleLoader::getModuleNamespaceObject):
1630         (JSC::moduleLoaderRequestedModules):
1631         * runtime/JSONObject.cpp:
1632         (JSC::Stringifier::stringify):
1633         (JSC::Stringifier::toJSON):
1634         (JSC::Walker::walk):
1635         (JSC::JSONProtoFuncStringify):
1636         * runtime/JSObject.cpp:
1637         (JSC::ordinarySetSlow):
1638         (JSC::JSObject::putInlineSlow):
1639         (JSC::JSObject::toPrimitive const):
1640         (JSC::JSObject::hasInstance):
1641         (JSC::JSObject::toNumber const):
1642         (JSC::JSObject::defineOwnIndexedProperty):
1643         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1644         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1645         (JSC::JSObject::defineOwnNonIndexProperty):
1646         * runtime/JSObject.h:
1647         (JSC::JSObject::get const):
1648         * runtime/JSObjectInlines.h:
1649         (JSC::JSObject::getPropertySlot const):
1650         (JSC::JSObject::putInlineForJSObject):
1651         * runtime/MapConstructor.cpp:
1652         (JSC::constructMap):
1653         * runtime/NativeErrorConstructor.cpp:
1654         (JSC::Interpreter::constructWithNativeErrorConstructor):
1655         * runtime/ObjectConstructor.cpp:
1656         (JSC::constructObject):
1657         (JSC::objectConstructorGetPrototypeOf):
1658         (JSC::objectConstructorGetOwnPropertyDescriptor):
1659         (JSC::objectConstructorGetOwnPropertyDescriptors):
1660         (JSC::objectConstructorGetOwnPropertyNames):
1661         (JSC::objectConstructorGetOwnPropertySymbols):
1662         (JSC::objectConstructorKeys):
1663         (JSC::objectConstructorDefineProperty):
1664         (JSC::objectConstructorDefineProperties):
1665         (JSC::objectConstructorCreate):
1666         * runtime/ObjectPrototype.cpp:
1667         (JSC::objectProtoFuncToLocaleString):
1668         (JSC::objectProtoFuncToString):
1669         * runtime/Operations.cpp:
1670         (JSC::jsAddSlowCase):
1671         * runtime/Operations.h:
1672         (JSC::jsString):
1673         (JSC::jsLess):
1674         (JSC::jsLessEq):
1675         * runtime/ParseInt.h:
1676         (JSC::toStringView):
1677         * runtime/ProxyConstructor.cpp:
1678         (JSC::constructProxyObject):
1679         * runtime/ProxyObject.cpp:
1680         (JSC::ProxyObject::toStringName):
1681         (JSC::performProxyGet):
1682         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1683         (JSC::ProxyObject::performHasProperty):
1684         (JSC::ProxyObject::getOwnPropertySlotCommon):
1685         (JSC::ProxyObject::performPut):
1686         (JSC::ProxyObject::putByIndexCommon):
1687         (JSC::performProxyCall):
1688         (JSC::performProxyConstruct):
1689         (JSC::ProxyObject::performDelete):
1690         (JSC::ProxyObject::performPreventExtensions):
1691         (JSC::ProxyObject::performIsExtensible):
1692         (JSC::ProxyObject::performDefineOwnProperty):
1693         (JSC::ProxyObject::performSetPrototype):
1694         (JSC::ProxyObject::performGetPrototype):
1695         * runtime/ReflectObject.cpp:
1696         (JSC::reflectObjectConstruct):
1697         (JSC::reflectObjectDefineProperty):
1698         (JSC::reflectObjectGet):
1699         (JSC::reflectObjectGetOwnPropertyDescriptor):
1700         (JSC::reflectObjectGetPrototypeOf):
1701         (JSC::reflectObjectOwnKeys):
1702         (JSC::reflectObjectSet):
1703         * runtime/RegExpConstructor.cpp:
1704         (JSC::constructRegExp):
1705         * runtime/RegExpObject.cpp:
1706         (JSC::RegExpObject::defineOwnProperty):
1707         (JSC::RegExpObject::matchGlobal):
1708         * runtime/RegExpPrototype.cpp:
1709         (JSC::regExpProtoFuncTestFast):
1710         (JSC::regExpProtoFuncExec):
1711         (JSC::regExpProtoFuncToString):
1712         * runtime/ScriptExecutable.cpp:
1713         (JSC::ScriptExecutable::newCodeBlockFor):
1714         * runtime/SetConstructor.cpp:
1715         (JSC::constructSet):
1716         * runtime/SparseArrayValueMap.cpp:
1717         (JSC::SparseArrayValueMap::putEntry):
1718         (JSC::SparseArrayEntry::put):
1719         * runtime/StringConstructor.cpp:
1720         (JSC::stringFromCharCode):
1721         (JSC::stringFromCodePoint):
1722         * runtime/StringObject.cpp:
1723         (JSC::StringObject::put):
1724         (JSC::StringObject::putByIndex):
1725         (JSC::StringObject::defineOwnProperty):
1726         * runtime/StringPrototype.cpp:
1727         (JSC::jsSpliceSubstrings):
1728         (JSC::jsSpliceSubstringsWithSeparators):
1729         (JSC::removeUsingRegExpSearch):
1730         (JSC::replaceUsingRegExpSearch):
1731         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1732         (JSC::replaceUsingStringSearch):
1733         (JSC::repeatCharacter):
1734         (JSC::replace):
1735         (JSC::stringProtoFuncReplaceUsingRegExp):
1736         (JSC::stringProtoFuncReplaceUsingStringSearch):
1737         (JSC::stringProtoFuncSplitFast):
1738         (JSC::stringProtoFuncToLowerCase):
1739         (JSC::stringProtoFuncToUpperCase):
1740         (JSC::toLocaleCase):
1741         (JSC::trimString):
1742         (JSC::stringProtoFuncIncludes):
1743         (JSC::builtinStringIncludesInternal):
1744         (JSC::normalize):
1745         (JSC::stringProtoFuncNormalize):
1746         * runtime/SymbolPrototype.cpp:
1747         (JSC::symbolProtoFuncToString):
1748         (JSC::symbolProtoFuncValueOf):
1749         * tools/JSDollarVM.cpp:
1750         (WTF::functionWasmStreamingParserAddBytes):
1751         (JSC::functionGetPrivateProperty):
1752         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1753         (JSC::constructJSWebAssemblyCompileError):
1754         * wasm/js/WebAssemblyModuleConstructor.cpp:
1755         (JSC::constructJSWebAssemblyModule):
1756         (JSC::WebAssemblyModuleConstructor::createModule):
1757         * wasm/js/WebAssemblyTableConstructor.cpp:
1758         (JSC::constructJSWebAssemblyTable):
1759         * wasm/js/WebAssemblyWrapperFunction.cpp:
1760         (JSC::callWebAssemblyWrapperFunction):
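
How the new macro changes exception-scope verification, as an added example that is not code from the WebKit ChangeLog or from JSC itself. `VM`, `ThrowScope` and the two macros are hypothetical teaching stand-ins for JSC's classes (the real ThrowScope asserts in debug builds instead of counting), and `mayThrow` and the three callers are constructed for the example.

```cpp
// Hypothetical model of the VM's exception state. A scope that exits while an exception is
// pending, without anyone having checked it or handed it to the caller, is counted here.
struct VM {
    bool hasPendingException = false;
    int unverifiedScopeExits = 0;
};

class ThrowScope {
public:
    explicit ThrowScope(VM& vm) : m_vm(vm) { }
    ~ThrowScope()
    {
        // Scope verification: a pending exception must either have been checked in this
        // scope or explicitly delegated to the caller via release().
        if (m_vm.hasPendingException && !m_released && !m_checked)
            ++m_vm.unverifiedScopeExits;
    }
    void throwException() { m_vm.hasPendingException = true; m_checked = true; }
    bool exception() { m_checked = true; return m_vm.hasPendingException; }
    void release() { m_released = true; }
private:
    VM& m_vm;
    bool m_checked = false;
    bool m_released = false;
};

// Model of the existing macro: check, and bail out with a value if an exception is pending.
#define RETURN_IF_EXCEPTION(scope__, value__) do { \
        if (scope__.exception()) \
            return value__; \
    } while (false)

// Model of the macro this entry introduces: release the scope first, then return the
// expression's value, so the caller becomes responsible for checking the exception.
#define RELEASE_AND_RETURN(scope__, expression__) do { \
        scope__.release(); \
        return expression__; \
    } while (false)

int mayThrow(VM& vm, bool shouldThrow)
{
    ThrowScope scope(vm);
    if (shouldThrow) {
        scope.throwException();
        return 0;
    }
    return 42;
}

// Before: the return expression runs before the scope is destroyed, so a pending exception
// reaches the destructor unchecked and the verifier flags it.
int callerWithoutRelease(VM& vm, bool shouldThrow)
{
    ThrowScope scope(vm);
    return mayThrow(vm, shouldThrow);
}

// After: RELEASE_AND_RETURN makes the hand-off to the caller explicit in one line.
int callerWithRelease(VM& vm, bool shouldThrow)
{
    ThrowScope scope(vm);
    RELEASE_AND_RETURN(scope, mayThrow(vm, shouldThrow));
}

// The equivalent long form with the existing RETURN_IF_EXCEPTION.
int callerWithExplicitCheck(VM& vm, bool shouldThrow)
{
    ThrowScope scope(vm);
    int result = mayThrow(vm, shouldThrow);
    RETURN_IF_EXCEPTION(scope, 0);
    return result;
}

// Runs one caller on a fresh VM and reports how many scopes exited unverified.
int unverifiedExitsFor(int (*caller)(VM&, bool), bool shouldThrow)
{
    VM vm;
    caller(vm, shouldThrow);
    return vm.unverifiedScopeExits;
}
```

Releasing before evaluating the expression is the point: the callee may throw while computing the return value, and the caller's scope is the next place an unchecked exception would otherwise be caught by the verifier.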
1761
1762 2018-10-01  Koby Boyango  <koby.b@mce-sys.com>
1763
1764         [JSC] Add a JSONStringify overload that receives a JSValue space
1765         https://bugs.webkit.org/show_bug.cgi?id=190131
1766
1767         Reviewed by Yusuke Suzuki.
1768
1769         * runtime/JSONObject.cpp:
1770         * runtime/JSONObject.h:
1771
1772 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1773
1774         Unreviewed, rolling out r236647.
1775         https://bugs.webkit.org/show_bug.cgi?id=190124
1776
1777         Breaking test stress/big-int-to-string.js (Requested by
1778         caiolima_ on #webkit).
1779
1780         Reverted changeset:
1781
1782         "[BigInt] BigInt.prototype.toString is broken when radix is
1783         power of 2"
1784         https://bugs.webkit.org/show_bug.cgi?id=190033
1785         https://trac.webkit.org/changeset/236647
1786
1787 2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1788
1789         [WebAssembly] Move type conversion code of JSToWasm return type to JS wasm wrapper
1790         https://bugs.webkit.org/show_bug.cgi?id=189498
1791
1792         Reviewed by Saam Barati.
1793
1794         To call JS-to-Wasm code we need to convert the result value from wasm function to
1795         the JS type. Previously this was done by callWebAssemblyFunction by using a switch
1796         over signature.returnType(). But since we know the value of `signature.returnType()`
1797         at compile time, we can emit a small conversion code directly to JSToWasm glue
1798         and remove this switch from callWebAssemblyFunction.
1799
1800         In JSToWasm glue code, we do not have tag registers. So we use DoNotHaveTagRegisters
1801         in boxInt32 and boxDouble. Since boxDouble does not have DoNotHaveTagRegisters version,
1802         we add an implementation for that.
1803
1804         * jit/AssemblyHelpers.h:
1805         (JSC::AssemblyHelpers::boxDouble):
1806         * wasm/js/JSToWasm.cpp:
1807         (JSC::Wasm::createJSToWasmWrapper):
1808         * wasm/js/WebAssemblyFunction.cpp:
1809         (JSC::callWebAssemblyFunction):
1810
1811 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1812
1813         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1814         https://bugs.webkit.org/show_bug.cgi?id=190033
1815
1816         Reviewed by Yusuke Suzuki.
1817
1818         The implementation of JSBigInt::toStringToGeneric doesn't handle power
1819         of 2 radix when JSBigInt length is >= 2. To handle such cases, we
1820         implemented JSBigInt::toStringBasePowerOfTwo that follows the
1821         algorithm that groups bits using mask of (2 ^ n) - 1 to extract every
1822         digit.
1823
1824         * runtime/JSBigInt.cpp:
1825         (JSC::JSBigInt::toString):
1826         (JSC::JSBigInt::toStringBasePowerOfTwo):
1827         * runtime/JSBigInt.h:
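
The bit-grouping algorithm this entry (and its earlier, rolled-out landing above) describes, as an added example that is not code from the WebKit ChangeLog or from JSC's JSBigInt. Assumptions: the magnitude is a little-endian vector of 32-bit digits with no leading zero digit (JSC uses machine-word digits; 32 bits keeps the shifts easy to follow), and an empty vector is zero. The example handles any number of digits, so it covers the length >= 2 case the entry says the generic path got wrong, plus the sign prefix.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

using Digit = uint32_t;
constexpr int kDigitBits = 32;

static int leadingZeros(Digit d)
{
    int n = 0;
    for (Digit mask = Digit(1) << (kDigitBits - 1); mask && !(d & mask); mask >>= 1)
        ++n;
    return n;
}

// log2(radix) for radix in {2, 4, 8, 16, 32}; 0 if the radix is not a power of two.
int bitsPerCharForRadix(int radix)
{
    if (radix < 2 || radix > 36 || (radix & (radix - 1)))
        return 0;
    int bits = 0;
    while ((1 << bits) < radix)
        ++bits;
    return bits;
}

// Each output character is one group of bitsPerChar bits, extracted with the mask
// (2^n) - 1; groups that straddle a digit boundary are assembled from the leftover bits.
std::string toStringBasePowerOfTwo(const std::vector<Digit>& digits, int radix, bool negative = false)
{
    static const char conversionChars[] = "0123456789abcdefghijklmnopqrstuvwxyz";
    const int bitsPerChar = bitsPerCharForRadix(radix);
    if (!bitsPerChar)
        return std::string(); // not a power of two: the generic division-based path applies
    if (digits.empty())
        return "0";

    const Digit charMask = Digit(radix - 1);
    const size_t length = digits.size();
    const Digit msd = digits[length - 1];
    const size_t bitLength = length * kDigitBits - leadingZeros(msd);
    const size_t charsRequired = (bitLength + bitsPerChar - 1) / bitsPerChar;

    std::string result(charsRequired + (negative ? 1 : 0), '0');
    size_t pos = result.size();

    Digit digit = 0;       // bits carried over from the previous digit
    int availableBits = 0; // how many of those carried bits are unconsumed (< bitsPerChar)

    for (size_t i = 0; i < length - 1; ++i) {
        const Digit newDigit = digits[i];
        // The first character of this digit may borrow leftover bits from the last one.
        const Digit current = (newDigit << availableBits) | digit;
        result[--pos] = conversionChars[current & charMask];
        const int consumedBits = bitsPerChar - availableBits;
        digit = newDigit >> consumedBits;
        availableBits = kDigitBits - consumedBits;
        while (availableBits >= bitsPerChar) {
            result[--pos] = conversionChars[digit & charMask];
            digit >>= bitsPerChar;
            availableBits -= bitsPerChar;
        }
    }

    // Most significant digit: emit until exhausted, so no leading zeros are produced.
    const Digit current = (msd << availableBits) | digit;
    result[--pos] = conversionChars[current & charMask];
    digit = msd >> (bitsPerChar - availableBits);
    while (digit) {
        result[--pos] = conversionChars[digit & charMask];
        digit >>= bitsPerChar;
    }
    if (negative)
        result[--pos] = '-';
    return result;
}
```

The shift `msd >> (bitsPerChar - availableBits)` is what recovers the high bits that `msd << availableBits` pushed out of the 32-bit digit; dropping that step is exactly the kind of boundary error that shows up only once a value needs two or more digits.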
1828
1829 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1830
1831         [ESNext][BigInt] Implement support for "&"
1832         https://bugs.webkit.org/show_bug.cgi?id=186228
1833
1834         Reviewed by Yusuke Suzuki.
1835
1836         This patch introduces support of BigInt into bitwise "&" operation.
1837         We are also introducing the ValueBitAnd DFG node, which is responsible
1838         for taking care of JIT for non-Int32 operands. With the introduction of this
1839         new node, we renamed the BitAnd node to ArithBitAnd. The ArithBitAnd
1840         follows the behavior of ArithAdd and other arithmetic nodes, where
1841         the Arith<op> version always results in Number (in the case of
1842         ArithBitAnd, it is always an Int32).
1843
1844         * bytecode/CodeBlock.cpp:
1845         (JSC::CodeBlock::finishCreation):
1846         * bytecompiler/BytecodeGenerator.cpp:
1847         (JSC::BytecodeGenerator::emitBinaryOp):
1848         * dfg/DFGAbstractInterpreterInlines.h:
1849         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1850         * dfg/DFGBackwardsPropagationPhase.cpp:
1851         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
1852         (JSC::DFG::BackwardsPropagationPhase::propagate):
1853         * dfg/DFGByteCodeParser.cpp:
1854         (JSC::DFG::ByteCodeParser::parseBlock):
1855         * dfg/DFGClobberize.h:
1856         (JSC::DFG::clobberize):
1857         * dfg/DFGDoesGC.cpp:
1858         (JSC::DFG::doesGC):
1859         * dfg/DFGFixupPhase.cpp:
1860         (JSC::DFG::FixupPhase::fixupNode):
1861         * dfg/DFGNodeType.h:
1862         * dfg/DFGOperations.cpp:
1863         * dfg/DFGOperations.h:
1864         * dfg/DFGPredictionPropagationPhase.cpp:
1865         * dfg/DFGSafeToExecute.h:
1866         (JSC::DFG::safeToExecute):
1867         * dfg/DFGSpeculativeJIT.cpp:
1868         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
1869         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
1870         * dfg/DFGSpeculativeJIT.h:
1871         (JSC::DFG::SpeculativeJIT::bitOp):
1872         * dfg/DFGSpeculativeJIT32_64.cpp:
1873         (JSC::DFG::SpeculativeJIT::compile):
1874         * dfg/DFGSpeculativeJIT64.cpp:
1875         (JSC::DFG::SpeculativeJIT::compile):
1876         * dfg/DFGStrengthReductionPhase.cpp:
1877         (JSC::DFG::StrengthReductionPhase::handleNode):
1878         * ftl/FTLCapabilities.cpp:
1879         (JSC::FTL::canCompile):
1880         * ftl/FTLLowerDFGToB3.cpp:
1881         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1882         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
1883         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitAnd):
1884         (JSC::FTL::DFG::LowerDFGToB3::compileBitAnd): Deleted.
1885         * jit/JIT.h:
1886         * jit/JITArithmetic.cpp:
1887         (JSC::JIT::emitBitBinaryOpFastPath):
1888         (JSC::JIT::emit_op_bitand):
1889         * llint/LowLevelInterpreter32_64.asm:
1890         * llint/LowLevelInterpreter64.asm:
1891         * runtime/CommonSlowPaths.cpp:
1892         (JSC::SLOW_PATH_DECL):
1893         * runtime/JSBigInt.cpp:
1894         (JSC::JSBigInt::JSBigInt):
1895         (JSC::JSBigInt::initialize):
1896         (JSC::JSBigInt::createZero):
1897         (JSC::JSBigInt::createFrom):
1898         (JSC::JSBigInt::bitwiseAnd):
1899         (JSC::JSBigInt::absoluteBitwiseOp):
1900         (JSC::JSBigInt::absoluteAnd):
1901         (JSC::JSBigInt::absoluteOr):
1902         (JSC::JSBigInt::absoluteAndNot):
1903         (JSC::JSBigInt::absoluteAddOne):
1904         (JSC::JSBigInt::absoluteSubOne):
1905         * runtime/JSBigInt.h:
1906         * runtime/JSCJSValue.h:
1907         * runtime/JSCJSValueInlines.h:
1908         (JSC::JSValue::toBigIntOrInt32 const):
1909
1910 2018-09-28  Mark Lam  <mark.lam@apple.com>
1911
1912         Gardening: speculative build fix.
1913         <rdar://problem/44869924>
1914
1915         Not reviewed.
1916
1917         * assembler/LinkBuffer.cpp:
1918         (JSC::LinkBuffer::copyCompactAndLinkCode):
1919
1920 2018-09-28  Guillaume Emont  <guijemont@igalia.com>
1921
1922         [JSC] [Armv7] Add a copy function argument to MacroAssemblerARMv7::link() and pass it down to the assembler's linking functions.
1923         https://bugs.webkit.org/show_bug.cgi?id=190080
1924
1925         Reviewed by Mark Lam.
1926
1927         * assembler/ARMv7Assembler.h:
1928         (JSC::ARMv7Assembler::link):
1929         (JSC::ARMv7Assembler::linkJumpT1):
1930         (JSC::ARMv7Assembler::linkJumpT2):
1931         (JSC::ARMv7Assembler::linkJumpT3):
1932         (JSC::ARMv7Assembler::linkJumpT4):
1933         (JSC::ARMv7Assembler::linkConditionalJumpT4):
1934         (JSC::ARMv7Assembler::linkBX):
1935         (JSC::ARMv7Assembler::linkConditionalBX):
1936         * assembler/MacroAssemblerARMv7.h:
1937         (JSC::MacroAssemblerARMv7::link):
1938
1939 2018-09-27  Saam barati  <sbarati@apple.com>
1940
1941         Verify the contents of AssemblerBuffer on arm64e
1942         https://bugs.webkit.org/show_bug.cgi?id=190057
1943         <rdar://problem/38916630>
1944
1945         Reviewed by Mark Lam.
1946
1947         * assembler/ARM64Assembler.h:
1948         (JSC::ARM64Assembler::ARM64Assembler):
1949         (JSC::ARM64Assembler::fillNops):
1950         (JSC::ARM64Assembler::link):
1951         (JSC::ARM64Assembler::linkJumpOrCall):
1952         (JSC::ARM64Assembler::linkCompareAndBranch):
1953         (JSC::ARM64Assembler::linkConditionalBranch):
1954         (JSC::ARM64Assembler::linkTestAndBranch):
1955         (JSC::ARM64Assembler::unlinkedCode): Deleted.
1956         * assembler/ARMAssembler.h:
1957         (JSC::ARMAssembler::fillNops):
1958         * assembler/ARMv7Assembler.h:
1959         (JSC::ARMv7Assembler::unlinkedCode): Deleted.
1960         * assembler/AbstractMacroAssembler.h:
1961         (JSC::AbstractMacroAssembler::emitNops):
1962         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
1963         * assembler/AssemblerBuffer.h:
1964         (JSC::ARM64EHash::ARM64EHash):
1965         (JSC::ARM64EHash::update):
1966         (JSC::ARM64EHash::hash const):
1967         (JSC::ARM64EHash::randomSeed const):
1968         (JSC::AssemblerBuffer::AssemblerBuffer):
1969         (JSC::AssemblerBuffer::putShort):
1970         (JSC::AssemblerBuffer::putIntUnchecked):
1971         (JSC::AssemblerBuffer::putInt):
1972         (JSC::AssemblerBuffer::hash const):
1973         (JSC::AssemblerBuffer::data const):
1974         (JSC::AssemblerBuffer::putIntegralUnchecked):
1975         (JSC::AssemblerBuffer::append): Deleted.
1976         * assembler/LinkBuffer.cpp:
1977         (JSC::LinkBuffer::copyCompactAndLinkCode):
1978         * assembler/MIPSAssembler.h:
1979         (JSC::MIPSAssembler::fillNops):
1980         * assembler/MacroAssemblerARM64.h:
1981         (JSC::MacroAssemblerARM64::jumpsToLink):
1982         (JSC::MacroAssemblerARM64::link):
1983         (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
1984         * assembler/MacroAssemblerARMv7.h:
1985         (JSC::MacroAssemblerARMv7::jumpsToLink):
1986         (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
1987         * assembler/X86Assembler.h:
1988         (JSC::X86Assembler::fillNops):
1989
1990 2018-09-27  Mark Lam  <mark.lam@apple.com>
1991
1992         ByValInfo should not use integer offsets.
1993         https://bugs.webkit.org/show_bug.cgi?id=190070
1994         <rdar://problem/44803430>
1995
1996         Reviewed by Saam Barati.
1997
1998         Also moved some fields around to allow the ByValInfo struct to be more densely packed.
1999
2000         * bytecode/ByValInfo.h:
2001         (JSC::ByValInfo::ByValInfo):
2002         * jit/JIT.cpp:
2003         (JSC::JIT::link):
2004         * jit/JITOpcodes.cpp:
2005         (JSC::JIT::privateCompileHasIndexedProperty):
2006         * jit/JITOpcodes32_64.cpp:
2007         (JSC::JIT::privateCompileHasIndexedProperty):
2008         * jit/JITPropertyAccess.cpp:
2009         (JSC::JIT::privateCompileGetByVal):
2010         (JSC::JIT::privateCompileGetByValWithCachedId):
2011         (JSC::JIT::privateCompilePutByVal):
2012         (JSC::JIT::privateCompilePutByValWithCachedId):
2013
2014 2018-09-27  Saam barati  <sbarati@apple.com>
2015
2016         DFG::OSRExit::m_patchableCodeOffset should not be an int
2017         https://bugs.webkit.org/show_bug.cgi?id=190066
2018         <rdar://problem/39498244>
2019
2020         Reviewed by Mark Lam.
2021
2022         * dfg/DFGJITCompiler.cpp:
2023         (JSC::DFG::JITCompiler::linkOSRExits):
2024         (JSC::DFG::JITCompiler::link):
2025         * dfg/DFGOSRExit.cpp:
2026         (JSC::DFG::OSRExit::codeLocationForRepatch const):
2027         (JSC::DFG::OSRExit::compileOSRExit):
2028         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
2029         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
2030         (JSC::DFG::OSRExit::correctJump): Deleted.
2031         * dfg/DFGOSRExit.h:
2032         * dfg/DFGOSRExitCompilationInfo.h:
2033
2034 2018-09-27  Saam barati  <sbarati@apple.com>
2035
2036         Don't use int offsets in StructureStubInfo
2037         https://bugs.webkit.org/show_bug.cgi?id=190064
2038         <rdar://problem/44784719>
2039
2040         Reviewed by Mark Lam.
2041
2042         * bytecode/InlineAccess.cpp:
2043         (JSC::linkCodeInline):
2044         * bytecode/StructureStubInfo.h:
2045         (JSC::StructureStubInfo::slowPathCallLocation):
2046         (JSC::StructureStubInfo::doneLocation):
2047         (JSC::StructureStubInfo::slowPathStartLocation):
2048         * jit/JITInlineCacheGenerator.cpp:
2049         (JSC::JITInlineCacheGenerator::finalize):
2050
2051 2018-09-27  Mark Lam  <mark.lam@apple.com>
2052
2053         DFG::OSREntry::m_machineCodeOffset should be a CodeLocation.
2054         https://bugs.webkit.org/show_bug.cgi?id=190054
2055         <rdar://problem/44803543>
2056
2057         Reviewed by Saam Barati.
2058
2059         * dfg/DFGJITCode.h:
2060         (JSC::DFG::JITCode::appendOSREntryData):
2061         * dfg/DFGJITCompiler.cpp:
2062         (JSC::DFG::JITCompiler::noticeOSREntry):
2063         * dfg/DFGOSREntry.cpp:
2064         (JSC::DFG::OSREntryData::dumpInContext const):
2065         (JSC::DFG::prepareOSREntry):
2066         * dfg/DFGOSREntry.h:
2067         * runtime/JSCPtrTag.h:
2068
2069 2018-09-27  Mark Lam  <mark.lam@apple.com>
2070
2071         JITMathIC should not use integer offsets into machine code.
2072         https://bugs.webkit.org/show_bug.cgi?id=190030
2073         <rdar://problem/44803307>
2074
2075         Reviewed by Saam Barati.
2076
2077         We'll replace them with CodeLocation smart pointers instead.
2078
2079         * jit/JITMathIC.h:
2080         (JSC::isProfileEmpty):
2081
2082 2018-09-26  Mark Lam  <mark.lam@apple.com>
2083
2084         Options::useSeparatedWXHeap() should always be false when ENABLE(FAST_JIT_PERMISSIONS) && CPU(ARM64E).
2085         https://bugs.webkit.org/show_bug.cgi?id=190022
2086         <rdar://problem/44800928>
2087
2088         Reviewed by Saam Barati.
2089
2090         * jit/ExecutableAllocator.cpp:
2091         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2092         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2093         * jit/ExecutableAllocator.h:
2094         (JSC::performJITMemcpy):
2095         * runtime/Options.cpp:
2096         (JSC::recomputeDependentOptions):
2097
2098 2018-09-26  Mark Lam  <mark.lam@apple.com>
2099
2100         Assert that performJITMemcpy() is always called with instruction size aligned addresses on ARM64.
2101         https://bugs.webkit.org/show_bug.cgi?id=190016
2102         <rdar://problem/44802875>
2103
2104         Reviewed by Saam Barati.
2105
2106         Also assert in performJITMemcpy() that the entire buffer to be copied will fit in
2107         JIT memory.
2108
2109         * assembler/ARM64Assembler.h:
2110         (JSC::ARM64Assembler::fillNops):
2111         (JSC::ARM64Assembler::replaceWithVMHalt):
2112         (JSC::ARM64Assembler::replaceWithJump):
2113         (JSC::ARM64Assembler::replaceWithLoad):
2114         (JSC::ARM64Assembler::replaceWithAddressComputation):
2115         (JSC::ARM64Assembler::setPointer):
2116         (JSC::ARM64Assembler::repatchInt32):
2117         (JSC::ARM64Assembler::repatchCompact):
2118         (JSC::ARM64Assembler::linkJumpOrCall):
2119         (JSC::ARM64Assembler::linkCompareAndBranch):
2120         (JSC::ARM64Assembler::linkConditionalBranch):
2121         (JSC::ARM64Assembler::linkTestAndBranch):
2122         * assembler/LinkBuffer.cpp:
2123         (JSC::LinkBuffer::copyCompactAndLinkCode):
2124         (JSC::LinkBuffer::linkCode):
2125         * jit/ExecutableAllocator.h:
2126         (JSC::performJITMemcpy):
2127
2128 2018-09-25  Keith Miller  <keith_miller@apple.com>
2129
2130         Move Symbol API to SPI
2131         https://bugs.webkit.org/show_bug.cgi?id=189946
2132
2133         Reviewed by Michael Saboff.
2134
2135         Some of the property access methods on JSValue needed to be moved
2136         to a category so that SPI overloads don't result in a compiler
2137         error for internal users.
2138
2139         Additionally, this patch does not move the new enum entry for
2140         Symbols in the JSType enumeration.
2141
2142         * API/JSObjectRef.h:
2143         * API/JSObjectRefPrivate.h:
2144         * API/JSValue.h:
2145         * API/JSValuePrivate.h:
2146         * API/JSValueRef.h:
2147
2148 2018-09-26  Keith Miller  <keith_miller@apple.com>
2149
2150         We should zero unused property storage when rebalancing array storage.
2151         https://bugs.webkit.org/show_bug.cgi?id=188151
2152
2153         Reviewed by Michael Saboff.
2154
2155         In unshiftCountSlowCase we sometimes will move property storage to the right even when net adding elements.
2156         This can happen because we "balance" the pre/post-capacity in that code so we need to zero the unused
2157         property storage.
2158
2159         * runtime/JSArray.cpp:
2160         (JSC::JSArray::unshiftCountSlowCase):
2161
2162 2018-09-26  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2163
2164         Unreviewed, add scope verification handling
2165         https://bugs.webkit.org/show_bug.cgi?id=189780
2166
2167         * runtime/ArrayPrototype.cpp:
2168         (JSC::arrayProtoFuncIndexOf):
2169         (JSC::arrayProtoFuncLastIndexOf):
2170
2171 2018-09-26  Koby Boyango  <koby.b@mce.systems>
2172
2173         [JSC] offlineasm parser should handle CRLF in asm files
2174         https://bugs.webkit.org/show_bug.cgi?id=189949
2175
2176         Reviewed by Mark Lam.
2177
2178         * offlineasm/parser.rb:
2179
2180 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2181
2182         [JSC] Optimize Array#lastIndexOf
2183         https://bugs.webkit.org/show_bug.cgi?id=189780
2184
2185         Reviewed by Saam Barati.
2186
2187         Optimize Array#lastIndexOf in the same way as Array#indexOf. We add a fast path
2188         for JSArray with contiguous storage.
2189
2190         * runtime/ArrayPrototype.cpp:
2191         (JSC::arrayProtoFuncLastIndexOf):
2192
2193 2018-09-25  Saam Barati  <sbarati@apple.com>
2194
2195         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2196         https://bugs.webkit.org/show_bug.cgi?id=189940
2197         <rdar://problem/43640987>
2198
2199         Reviewed by Mark Lam.
2200
2201         We were calling baselineCodeBlockForOriginAndBaselineCodeBlock with the FTL
2202         CodeBlock. There is nothing semantically wrong with doing that (except for
2203         poor naming), however, the poor naming here led us to make a real semantic
2204         mistake. We wanted the baseline CodeBlock's constant pool, but we were
2205         accessing the FTL CodeBlock's constant pool accidentally. We need to
2206         access the baseline CodeBlock's constant pool when we update the NewArrayBuffer
2207         constant value.
2208
2209         * bytecode/InlineCallFrame.h:
2210         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
2211         * ftl/FTLOperations.cpp:
2212         (JSC::FTL::operationMaterializeObjectInOSR):
2213
2214 2018-09-25  Joseph Pecoraro  <pecoraro@apple.com>
2215
2216         Web Inspector: Stricter block syntax in generated ObjC protocol interfaces
2217         https://bugs.webkit.org/show_bug.cgi?id=189962
2218         <rdar://problem/44648287>
2219
2220         Reviewed by Brian Burg.
2221
2222         * inspector/scripts/codegen/generate_objc_header.py:
2223         (ObjCHeaderGenerator._callback_block_for_command):
2224         If there are no return parameters include "void" in the block signature.
2225
2226         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2227         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2228         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2229         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2230         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2231         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2232         Rebaseline test results.
2233
2234 2018-09-24  Joseph Pecoraro  <pecoraro@apple.com>
2235
2236         Remove AUTHORS and THANKS files which are stale
2237         https://bugs.webkit.org/show_bug.cgi?id=189941
2238
2239         Reviewed by Darin Adler.
2240
2241         Included mentions below so their names are still in ChangeLogs.
2242
2243         * AUTHORS: Removed.
2244         Harri Porten (porten@kde.org) and Peter Kelly (pmk@post.com).
2245         These authors remain mentioned in copyrights in source files.
2246
2247         * THANKS: Removed.
2248         Richard Moore <rich@kde.org> - for filling the Math object with some life
2249         Daegeun Lee <realking@mizi.com> - for pointing out some bugs and providing much code for the String and Date object.
2250         Marco Pinelli <pinmc@libero.it> - for his patches
2251         Christian Kirsch <ck@held.mind.de> - for his contribution to the Date object
2252         
2253 2018-09-24  Fujii Hironori  <Hironori.Fujii@sony.com>
2254
2255         Rename WTF_COMPILER_GCC_OR_CLANG to WTF_COMPILER_GCC_COMPATIBLE
2256         https://bugs.webkit.org/show_bug.cgi?id=189733
2257
2258         Reviewed by Michael Catanzaro.
2259
2260         * assembler/ARM64Assembler.h:
2261         * assembler/ARMAssembler.h:
2262         (JSC::ARMAssembler::cacheFlush):
2263         * assembler/MacroAssemblerARM.cpp:
2264         (JSC::isVFPPresent):
2265         * assembler/MacroAssemblerARM64.cpp:
2266         * assembler/MacroAssemblerARMv7.cpp:
2267         * assembler/MacroAssemblerMIPS.cpp:
2268         * assembler/MacroAssemblerX86Common.cpp:
2269         * heap/HeapCell.cpp:
2270         * heap/HeapCell.h:
2271         * jit/HostCallReturnValue.h:
2272         * jit/JIT.h:
2273         * jit/JITOperations.cpp:
2274         * jit/ThunkGenerators.cpp:
2275         * runtime/ArrayConventions.cpp:
2276         (JSC::clearArrayMemset):
2277         * runtime/JSBigInt.cpp:
2278         (JSC::JSBigInt::digitDiv):
2279
2280 2018-09-24  Saam Barati  <sbarati@apple.com>
2281
2282         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2283         https://bugs.webkit.org/show_bug.cgi?id=189922
2284         <rdar://problem/44651275>
2285
2286         Reviewed by Mark Lam.
2287
2288         The implementation was first getting the length to iterate up to,
2289         then getting the starting index. However, getting the starting
2290         index may perform effects, e.g., it could change the length of the
2291         array. This changes it so we verify the length is still valid.
2292
2293         * runtime/ArrayPrototype.cpp:
2294         (JSC::arrayProtoFuncIndexOf):
2295
2296 2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>
2297
2298         offlineasm: fix macro scoping
2299         https://bugs.webkit.org/show_bug.cgi?id=189902
2300
2301         Reviewed by Mark Lam.
2302
2303         In the code below, the reference to `f` in `g`, which should refer to
2304         the outer macro definition, will instead refer to the f argument of the
2305         anonymous macro passed to `g`. That leads to this code failing to
2306         compile (f expected 0 args but got 1).
2307         
2308         ```
2309         macro f(x)
2310             move x, t0
2311         end
2312         
2313         macro g(fn)
2314             fn(macro () f(42) end)
2315         end
2316         
2317         g(macro(f) f() end)
2318         ```
2319
2320         * offlineasm/ast.rb:
2321         * offlineasm/transform.rb:
2322
2323 2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>
2324
2325         Add forEach method for iterating CodeBlock's ValueProfiles
2326         https://bugs.webkit.org/show_bug.cgi?id=189897
2327
2328         Reviewed by Mark Lam.
2329
2330         Add method to abstract how we find ValueProfiles in a CodeBlock in
2331         preparation for https://bugs.webkit.org/show_bug.cgi?id=189785, when
2332         ValueProfiles will be stored in the MetadataTable.
2333
2334         * bytecode/CodeBlock.cpp:
2335         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2336         (JSC::CodeBlock::updateAllValueProfilePredictions):
2337         (JSC::CodeBlock::shouldOptimizeNow):
2338         (JSC::CodeBlock::dumpValueProfiles):
2339         * bytecode/CodeBlock.h:
2340         (JSC::CodeBlock::forEachValueProfile):
2341         (JSC::CodeBlock::numberOfArgumentValueProfiles):
2342         (JSC::CodeBlock::valueProfileForArgument):
2343         (JSC::CodeBlock::numberOfValueProfiles):
2344         (JSC::CodeBlock::valueProfile):
2345         (JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
2346         (JSC::CodeBlock::getFromAllValueProfiles): Deleted.
2347         * tools/HeapVerifier.cpp:
2348         (JSC::HeapVerifier::validateJSCell):
2349
2350 2018-09-24  Saam Barati  <sbarati@apple.com>
2351
2352         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2353         https://bugs.webkit.org/show_bug.cgi?id=189682
2354         <rdar://problem/43557315>
2355
2356         Reviewed by Mark Lam.
2357
2358         Otherwise, if we have code like this:
2359         ```
2360         a: Arguments
2361         b: GetButterfly(@a)
2362         c: ForceExit
2363         d: GetArrayLength(@a, @b)
2364         ```
2365         it will get transformed into this invalid DFG IR:
2366         ```
2367         a: PhantomArguments
2368         b: Check(@a)
2369         c: ForceExit
2370         d: GetArrayLength(@a, @b)
2371         ```
2372         
2373         And we will fail DFG validation since @b does not have a result.
2374         
2375         The fix is to just remove all nodes after the ForceExit and plant an
2376         Unreachable after it. So the above code program will now turn into this:
2377         ```
2378         a: PhantomArguments
2379         b: Check(@a)
2380         c: ForceExit
2381         e: Unreachable
2382         ```
2383
2384         * dfg/DFGArgumentsEliminationPhase.cpp:
2385
2386 2018-09-22  Saam Barati  <sbarati@apple.com>
2387
2388         The sampling should not use Strong<CodeBlock> in its machineLocation field
2389         https://bugs.webkit.org/show_bug.cgi?id=189319
2390
2391         Reviewed by Filip Pizlo.
2392
2393         The sampling profiler has a CLI mode where we gather information about inline
2394         call frames. That data structure was using a Strong<CodeBlock>. We were
2395         constructing this Strong<CodeBlock> during GC concurrently to processing all
2396         the Strong handles. This is a bug since we end up corrupting that data
2397         structure. This patch fixes this by just making this data structure use the
2398         sampling profiler's mechanism for holding onto and properly visiting heap pointers.
2399
2400         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2401         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2402         * runtime/SamplingProfiler.cpp:
2403         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2404
2405         (JSC::SamplingProfiler::reportTopFunctions):
2406         (JSC::SamplingProfiler::reportTopBytecodes):
2407         These CLI helpers needed a DeferGC otherwise we may end up deadlocking when we
2408         cause a GC to happen while already holding the sampling profiler's
2409         lock.
2410
2411 2018-09-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2412
2413         [JSC] Enable LLInt ASM interpreter on X64 and ARM64 in non JIT configuration
2414         https://bugs.webkit.org/show_bug.cgi?id=189778
2415
2416         Reviewed by Keith Miller.
2417
2418         LLInt ASM interpreter is 2x and 15% faster than CLoop interpreter on
2419         Linux and macOS respectively. We would like to enable it for non JIT
2420         configurations in X86_64 and ARM64.
2421
2422         This patch enables LLInt for non JIT builds in X86_64 and ARM64 architectures.
2423         Previously, we switched between the LLInt ASM interpreter and CLoop by using the ENABLE(JIT)
2424         configuration. But that is wrong in the new scenario since we have a build
2425         configuration that uses the LLInt ASM interpreter while JIT is disabled. We introduce
2426         the ENABLE(C_LOOP) option, which indicates that we use CLoop. And we replace
2427         ENABLE(JIT) with ENABLE(C_LOOP) where the previous ENABLE(JIT) is essentially just
2428         related to the LLInt ASM interpreter and not related to JIT.
2429
2430         We also replace some ENABLE(JIT) configurations with ENABLE(ASSEMBLER).
2431         ENABLE(ASSEMBLER) is now enabled even if we disable JIT since MacroAssembler
2432         has machine register information that is used in LLInt ASM interpreter.
2433
2434         * API/tests/PingPongStackOverflowTest.cpp:
2435         (testPingPongStackOverflow):
2436         * CMakeLists.txt:
2437         * JavaScriptCore.xcodeproj/project.pbxproj:
2438         * assembler/MaxFrameExtentForSlowPathCall.h:
2439         * bytecode/CallReturnOffsetToBytecodeOffset.h: Removed. It is no longer used.
2440         * bytecode/CodeBlock.cpp:
2441         (JSC::CodeBlock::finishCreation):
2442         * bytecode/CodeBlock.h:
2443         (JSC::CodeBlock::calleeSaveRegisters const):
2444         (JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters):
2445         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
2446         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
2447         * bytecode/Opcode.h:
2448         (JSC::padOpcodeName):
2449         * heap/Heap.cpp:
2450         (JSC::Heap::gatherJSStackRoots):
2451         (JSC::Heap::stopThePeriphery):
2452         * interpreter/CLoopStack.cpp:
2453         * interpreter/CLoopStack.h:
2454         * interpreter/CLoopStackInlines.h:
2455         * interpreter/EntryFrame.h:
2456         * interpreter/Interpreter.cpp:
2457         (JSC::Interpreter::Interpreter):
2458         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2459         * interpreter/Interpreter.h:
2460         * interpreter/StackVisitor.cpp:
2461         (JSC::StackVisitor::Frame::calleeSaveRegisters):
2462         * interpreter/VMEntryRecord.h:
2463         * jit/ExecutableAllocator.h:
2464         * jit/FPRInfo.h:
2465         (WTF::printInternal):
2466         * jit/GPRInfo.cpp:
2467         * jit/GPRInfo.h:
2468         (WTF::printInternal):
2469         * jit/HostCallReturnValue.cpp:
2470         (JSC::getHostCallReturnValueWithExecState): Moved. They are used in LLInt ASM interpreter too.
2471         * jit/HostCallReturnValue.h:
2472         * jit/JITOperations.cpp:
2473         (JSC::getHostCallReturnValueWithExecState): Deleted.
2474         * jit/JITOperationsMSVC64.cpp:
2475         * jit/Reg.cpp:
2476         * jit/Reg.h:
2477         * jit/RegisterAtOffset.cpp:
2478         * jit/RegisterAtOffset.h:
2479         * jit/RegisterAtOffsetList.cpp:
2480         * jit/RegisterAtOffsetList.h:
2481         * jit/RegisterMap.h:
2482         * jit/RegisterSet.cpp:
2483         * jit/RegisterSet.h:
2484         * jit/TempRegisterSet.cpp:
2485         * jit/TempRegisterSet.h:
2486         * llint/LLIntCLoop.cpp:
2487         * llint/LLIntCLoop.h:
2488         * llint/LLIntData.cpp:
2489         (JSC::LLInt::initialize):
2490         (JSC::LLInt::Data::performAssertions):
2491         * llint/LLIntData.h:
2492         * llint/LLIntOfflineAsmConfig.h:
2493         * llint/LLIntOpcode.h:
2494         * llint/LLIntPCRanges.h:
2495         * llint/LLIntSlowPaths.cpp:
2496         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2497         * llint/LLIntSlowPaths.h:
2498         * llint/LLIntThunks.cpp:
2499         * llint/LowLevelInterpreter.cpp:
2500         * llint/LowLevelInterpreter.h:
2501         * runtime/JSCJSValue.h:
2502         * runtime/MachineContext.h:
2503         * runtime/SamplingProfiler.cpp:
2504         (JSC::SamplingProfiler::processUnverifiedStackTraces): Enable SamplingProfiler
2505         for LLInt ASM interpreter with non JIT configuration.
2506         * runtime/TestRunnerUtils.cpp:
2507         (JSC::optimizeNextInvocation):
2508         * runtime/VM.cpp:
2509         (JSC::VM::VM):
2510         (JSC::VM::getHostFunction):
2511         (JSC::VM::updateSoftReservedZoneSize):
2512         (JSC::sanitizeStackForVM):
2513         (JSC::VM::committedStackByteCount):
2514         * runtime/VM.h:
2515         * runtime/VMInlines.h:
2516         (JSC::VM::ensureStackCapacityFor):
2517         (JSC::VM::isSafeToRecurseSoft const):
2518
2519 2018-09-21  Keith Miller  <keith_miller@apple.com>
2520
2521         Add Promise SPI
2522         https://bugs.webkit.org/show_bug.cgi?id=189809
2523
2524         Reviewed by Saam Barati.
2525
2526         This patch adds new SPI to create promises. It's mostly SPI because
2527         I want to see how internal users react to it before we make it
2528         public.
2529
2530         This patch adds a couple of new Obj-C SPI methods. The first
2531         creates a new promise using the same API that JS does where the
2532         user provides an executor callback. If an exception is raised
2533         in/to that callback the promise is automagically rejected. The
2534         other methods create a pre-resolved or rejected promise as this
2535         appears to be a common way to initialize a promise.
2536
2537         I was also considering adding a second version of executor API
2538         where it would catch specific Obj-C exceptions. This would work by
2539         taking a Class parameter and checking isKindOfClass: on the
2540         exception. I decided against this as nothing else in our API
2541         handles Obj-C exceptions. I'm pretty sure the VM will end up in a
2542         corrupt state if an Obj-C exception unwinds through JS frames.
2543
2544         This patch adds a new C function that will create a "deferred"
2545         promise. A deferred promise is a style of creating promise/futures
2546         where the resolve and reject functions are passed as outputs of a
2547         function. I went with this style for the C SPI because we don't have
2548         any concept of forwarding exceptions in the C API.
2549
2550         In order to make the C API work I refactored a bit of the promise code
2551         so that we can call a static method on JSDeferredPromise and just get
2552         the components without allocating an extra cell wrapper.
2553
2554         * API/JSContext.mm:
2555         (+[JSContext currentCallee]):
2556         * API/JSObjectRef.cpp:
2557         (JSObjectMakeDeferredPromise):
2558         * API/JSObjectRefPrivate.h:
2559         * API/JSValue.mm:
2560         (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
2561         (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
2562         (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
2563         * API/JSValuePrivate.h: Added.
2564         * API/JSVirtualMachine.mm:
2565         * API/JSVirtualMachinePrivate.h:
2566         * API/tests/testapi.c:
2567         (main):
2568         * API/tests/testapi.cpp:
2569         (APIContext::operator JSC::ExecState*):
2570         (TestAPI::failed const):
2571         (TestAPI::check):
2572         (TestAPI::basicSymbol):
2573         (TestAPI::symbolsTypeof):
2574         (TestAPI::symbolsGetPropertyForKey):
2575         (TestAPI::symbolsSetPropertyForKey):
2576         (TestAPI::symbolsHasPropertyForKey):
2577         (TestAPI::symbolsDeletePropertyForKey):
2578         (TestAPI::promiseResolveTrue):
2579         (TestAPI::promiseRejectTrue):
2580         (testCAPIViaCpp):
2581         (TestAPI::run): Deleted.
2582         * API/tests/testapi.mm:
2583         (testObjectiveCAPIMain):
2584         (promiseWithExecutor):
2585         (promiseRejectOnJSException):
2586         (promiseCreateResolved):
2587         (promiseCreateRejected):
2588         (parallelPromiseResolveTest):
2589         (testObjectiveCAPI):
2590         * JavaScriptCore.xcodeproj/project.pbxproj:
2591         * runtime/JSInternalPromiseDeferred.cpp:
2592         (JSC::JSInternalPromiseDeferred::create):
2593         * runtime/JSPromise.h:
2594         * runtime/JSPromiseConstructor.cpp:
2595         (JSC::constructPromise):
2596         * runtime/JSPromiseDeferred.cpp:
2597         (JSC::JSPromiseDeferred::createDeferredData):
2598         (JSC::JSPromiseDeferred::create):
2599         (JSC::JSPromiseDeferred::finishCreation):
2600         (JSC::newPromiseCapability): Deleted.
2601         * runtime/JSPromiseDeferred.h:
2602         (JSC::JSPromiseDeferred::promise const):
2603         (JSC::JSPromiseDeferred::resolve const):
2604         (JSC::JSPromiseDeferred::reject const):
2605
2606 2018-09-21  Ryan Haddad  <ryanhaddad@apple.com>
2607
2608         Unreviewed, rolling out r236359.
2609
2610         Broke the Windows build.
2611
2612         Reverted changeset:
2613
2614         "Add Promise SPI"
2615         https://bugs.webkit.org/show_bug.cgi?id=189809
2616         https://trac.webkit.org/changeset/236359
2617
2618 2018-09-21  Mark Lam  <mark.lam@apple.com>
2619
2620         JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState.
2621         https://bugs.webkit.org/show_bug.cgi?id=189855
2622         <rdar://problem/44680181>
2623
2624         Reviewed by Filip Pizlo.
2625
2626         tryGetValue() always passes a nullptr to JSRopeString::resolveRope() for the
2627         ExecState* argument.  This is intentional so that resolveRope() does not throw
2628         in the event of an OutOfMemory error.  Hence, JSRopeString::resolveRope() should
2629         get the VM from the cell instead of via the ExecState.
2630
2631         Also removed an obsolete and unused field in JSString.
2632
2633         * runtime/JSString.cpp:
2634         (JSC::JSRopeString::resolveRope const):
2635         (JSC::JSRopeString::outOfMemory const):
2636         * runtime/JSString.h:
2637         (JSC::JSString::tryGetValue const):
2638
2639 2018-09-21  Michael Saboff  <msaboff@apple.com>
2640
2641         Add functions to measure memory footprint to JSC
2642         https://bugs.webkit.org/show_bug.cgi?id=189768
2643
2644         Reviewed by Saam Barati.
2645
2646         Rolling this back in again.
2647
2648         Provide system memory metrics for the current process to aid in memory reduction measurement and
2649         tuning using native JS tests.
2650
2651         * jsc.cpp:
2652         (MemoryFootprint::now):
2653         (MemoryFootprint::resetPeak):
2654         (GlobalObject::finishCreation):
2655         (JSCMemoryFootprint::JSCMemoryFootprint):
2656         (JSCMemoryFootprint::createStructure):
2657         (JSCMemoryFootprint::create):
2658         (JSCMemoryFootprint::finishCreation):
2659         (JSCMemoryFootprint::addProperty):
2660         (functionResetMemoryPeak):
2661
2662 2018-09-21  Keith Miller  <keith_miller@apple.com>
2663
2664         Add Promise SPI
2665         https://bugs.webkit.org/show_bug.cgi?id=189809
2666
2667         Reviewed by Saam Barati.
2668
2669         This patch adds new SPI to create promises. It's mostly SPI because
2670         I want to see how internal users react to it before we make it
2671         public.
2672
2673         This patch adds a couple of new Obj-C SPI methods. The first
2674         creates a new promise using the same API that JS does where the
2675         user provides an executor callback. If an exception is raised
2676         in/to that callback the promise is automagically rejected. The
2677         other methods create a pre-resolved or rejected promise as this
2678         appears to be a common way to initialize a promise.
2679
2680         I was also considering adding a second version of executor API
2681         where it would catch specific Obj-C exceptions. This would work by
2682         taking a Class parameter and checking isKindOfClass: on the
2683         exception. I decided against this as nothing else in our API
2684         handles Obj-C exceptions. I'm pretty sure the VM will end up in a
2685         corrupt state if an Obj-C exception unwinds through JS frames.
2686
2687         This patch adds a new C function that will create a "deferred"
2688         promise. A deferred promise is a style of creating promise/futures
2689         where the resolve and reject functions are passed as outputs of a
2690         function. I went with this style for the C SPI because we don't have
2691         any concept of forwarding exceptions in the C API.
2692
2693         In order to make the C API work I refactored a bit of the promise code
2694         so that we can call a static method on JSDeferredPromise and just get
2695         the components without allocating an extra cell wrapper.
2696
2697         * API/JSContext.mm:
2698         (+[JSContext currentCallee]):
2699         * API/JSObjectRef.cpp:
2700         (JSObjectMakeDeferredPromise):
2701         * API/JSObjectRefPrivate.h:
2702         * API/JSValue.mm:
2703         (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
2704         (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
2705         (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
2706         * API/JSValuePrivate.h: Added.
2707         * API/JSVirtualMachine.mm:
2708         * API/JSVirtualMachinePrivate.h:
2709         * API/tests/testapi.c:
2710         (main):
2711         * API/tests/testapi.cpp:
2712         (APIContext::operator JSC::ExecState*):
2713         (TestAPI::failed const):
2714         (TestAPI::check):
2715         (TestAPI::basicSymbol):
2716         (TestAPI::symbolsTypeof):
2717         (TestAPI::symbolsGetPropertyForKey):
2718         (TestAPI::symbolsSetPropertyForKey):
2719         (TestAPI::symbolsHasPropertyForKey):
2720         (TestAPI::symbolsDeletePropertyForKey):
2721         (TestAPI::promiseResolveTrue):
2722         (TestAPI::promiseRejectTrue):
2723         (testCAPIViaCpp):
2724         (TestAPI::run): Deleted.
2725         * API/tests/testapi.mm:
2726         (testObjectiveCAPIMain):
2727         (promiseWithExecutor):
2728         (promiseRejectOnJSException):
2729         (promiseCreateResolved):
2730         (promiseCreateRejected):
2731         (parallelPromiseResolveTest):
2732         (testObjectiveCAPI):
2733         * JavaScriptCore.xcodeproj/project.pbxproj:
2734         * runtime/JSInternalPromiseDeferred.cpp:
2735         (JSC::JSInternalPromiseDeferred::create):
2736         * runtime/JSPromise.h:
2737         * runtime/JSPromiseConstructor.cpp:
2738         (JSC::constructPromise):
2739         * runtime/JSPromiseDeferred.cpp:
2740         (JSC::JSPromiseDeferred::createDeferredData):
2741         (JSC::JSPromiseDeferred::create):
2742         (JSC::JSPromiseDeferred::finishCreation):
2743         (JSC::newPromiseCapability): Deleted.
2744         * runtime/JSPromiseDeferred.h:
2745         (JSC::JSPromiseDeferred::promise const):
2746         (JSC::JSPromiseDeferred::resolve const):
2747         (JSC::JSPromiseDeferred::reject const):
2748
2749 2018-09-21  Truitt Savell  <tsavell@apple.com>
2750
2751         Rebaseline tests after changes in https://trac.webkit.org/changeset/236321/webkit
2752         https://bugs.webkit.org/show_bug.cgi?id=156674
2753
2754         Unreviewed Test Gardening
2755
2756         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2757         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2758
2759 2018-09-21  Mike Gorse  <mgorse@suse.com>
2760
2761         Build tools should work when the /usr/bin/python is python3
2762         https://bugs.webkit.org/show_bug.cgi?id=156674
2763
2764         Reviewed by Michael Catanzaro.
2765
2766         * Scripts/cssmin.py:
2767         * Scripts/generate-js-builtins.py:
2768         (do_open):
2769         (generate_bindings_for_builtins_files):
2770         * Scripts/generateIntlCanonicalizeLanguage.py:
2771         * Scripts/jsmin.py:
2772         (JavascriptMinify.minify.write):
2773         (JavascriptMinify):
2774         (JavascriptMinify.minify):
2775         * Scripts/make-js-file-arrays.py:
2776         (chunk):
2777         (main):
2778         * Scripts/wkbuiltins/__init__.py:
2779         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2780         (generate_section_for_global_private_code_name_macro):
2781         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_header.py:
2782         (BuiltinsInternalsWrapperHeaderGenerator.__init__):
2783         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:
2784         (BuiltinsInternalsWrapperImplementationGenerator.__init__):
2785         * Scripts/wkbuiltins/builtins_model.py:
2786         (BuiltinFunction.__lt__):
2787         (BuiltinsCollection.copyrights):
2788         (BuiltinsCollection._parse_functions):
2789         * disassembler/udis86/ud_opcode.py:
2790         (UdOpcodeTables.pprint.printWalk):
2791         * generate-bytecode-files:
2792         * inspector/scripts/codegen/__init__.py:
2793         * inspector/scripts/codegen/cpp_generator.py:
2794         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2795         (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
2796         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2797         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
2798         (CppBackendDispatcherHeaderGenerator.generate_output):
2799         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2800         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2801         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
2802         (CppBackendDispatcherImplementationGenerator.generate_output):
2803         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2804         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
2805         (CppFrontendDispatcherHeaderGenerator.generate_output):
2806         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2807         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
2808         (CppFrontendDispatcherImplementationGenerator.generate_output):
2809         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2810         (CppProtocolTypesHeaderGenerator.generate_output):
2811         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
2812         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2813         (CppProtocolTypesImplementationGenerator.generate_output):
2814         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
2815         (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods):
2816         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2817         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
2818         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
2819         * inspector/scripts/codegen/generate_js_backend_commands.py:
2820         (JSBackendCommandsGenerator.should_generate_domain):
2821         (JSBackendCommandsGenerator.domains_to_generate):
2822         (JSBackendCommandsGenerator.generate_output):
2823         (JSBackendCommandsGenerator.generate_domain):
2824         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2825         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
2826         (ObjCBackendDispatcherHeaderGenerator.generate_output):
2827         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2828         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
2829         (ObjCBackendDispatcherImplementationGenerator.generate_output):
2830         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
2831         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2832         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2833         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2834         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
2835         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2836         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2837         * inspector/scripts/codegen/generate_objc_header.py:
2838         (ObjCHeaderGenerator.generate_output):
2839         (ObjCHeaderGenerator._generate_type_interface):
2840         * inspector/scripts/codegen/generate_objc_internal_header.py:
2841         (ObjCInternalHeaderGenerator.generate_output):
2842         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2843         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
2844         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
2845         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2846         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
2847         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2848         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
2849         (ObjCProtocolTypesImplementationGenerator.generate_output):
2850         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
2851         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
2852         * inspector/scripts/codegen/generator.py:
2853         (Generator.non_supplemental_domains):
2854         (Generator.open_fields):
2855         (Generator.calculate_types_requiring_shape_assertions):
2856         (Generator._traverse_and_assign_enum_values):
2857         (Generator.stylized_name_for_enum_value):
2858         * inspector/scripts/codegen/models.py:
2859         (find_duplicates):
2860         * inspector/scripts/codegen/objc_generator.py:
2861         * wasm/generateWasm.py:
2862         (opcodeIterator):
2863         * yarr/generateYarrCanonicalizeUnicode:
2864         * yarr/generateYarrUnicodePropertyTables.py:
2865         * yarr/hasher.py:
2866         (stringHash):
2867
2868 2018-09-21  Tomas Popela  <tpopela@redhat.com>
2869
2870         [ARM] Build broken on armv7hl after r235517
2871         https://bugs.webkit.org/show_bug.cgi?id=189831
2872
2873         Reviewed by Yusuke Suzuki.
2874
2875         Add missing implementation of patchableBranch8() for traditional ARM.
2876
2877         * assembler/MacroAssemblerARM.h:
2878         (JSC::MacroAssemblerARM::patchableBranch8):
2879
2880 2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>
2881
2882         Unreviewed, rolling out r236293.
2883
2884         Internal build still broken.
2885
2886         Reverted changeset:
2887
2888         "Add functions to measure memory footprint to JSC"
2889         https://bugs.webkit.org/show_bug.cgi?id=189768
2890         https://trac.webkit.org/changeset/236293
2891
2892 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2893
2894         [JSC] Heap::reportExtraMemoryVisited shows contention if we have many JSString
2895         https://bugs.webkit.org/show_bug.cgi?id=189558
2896
2897         Reviewed by Mark Lam.
2898
2899         When running the web-tooling-benchmark postcss test on the Linux JSCOnly port, we get the following result in `perf report`.
2900
2901             10.95%  AutomaticThread  libJavaScriptCore.so.1.0.0  [.] JSC::Heap::reportExtraMemoryVisited
2902
2903         This is because postcss produces a bunch of JSStrings, which require reportExtraMemoryVisited calls in JSString::visitChildren.
2904         And since reportExtraMemoryVisited attempts to update an atomic counter, if we have a bunch of marking threads, it becomes super contended.
2905
2906         This patch reduces the frequency of updating the atomic counter. Each SlotVisitor has a per-SlotVisitor m_extraMemorySize counter.
2907         And we propagate this value to the global atomic counter when a rebalance happens.
2908
2909         We also reduce HeapCell::heap() access by using `vm.heap`.
2910
2911         * heap/SlotVisitor.cpp:
2912         (JSC::SlotVisitor::didStartMarking):
2913         (JSC::SlotVisitor::propagateExternalMemoryVisitedIfNecessary):
2914         (JSC::SlotVisitor::drain):
2915         (JSC::SlotVisitor::performIncrementOfDraining):
2916         * heap/SlotVisitor.h:
2917         * heap/SlotVisitorInlines.h:
2918         (JSC::SlotVisitor::reportExtraMemoryVisited):
2919         * runtime/JSString.cpp:
2920         (JSC::JSRopeString::resolveRopeToAtomicString const):
2921         (JSC::JSRopeString::resolveRope const):
2922         * runtime/JSString.h:
2923         (JSC::JSString::finishCreation):
2924         * wasm/js/JSWebAssemblyInstance.cpp:
2925         (JSC::JSWebAssemblyInstance::finishCreation):
2926         * wasm/js/JSWebAssemblyMemory.cpp:
2927         (JSC::JSWebAssemblyMemory::finishCreation):
2928
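As an added illustration of the batching described in the entry above (a constructed example, not JSC's SlotVisitor or Heap code; the `Visitor`, `SharedHeapCounters`, `runUnbatched` and `runBatched` names are hypothetical), the following C++ compares one shared-atomic update per string against per-visitor accumulation that is folded into the shared counter only at rebalance points and at the end of draining:

```cpp
#include <atomic>
#include <cstddef>
#include <cstdio>

// Constructed sketch of the technique: not JSC's code, names illustrative only.
struct SharedHeapCounters {
    std::atomic<std::size_t> extraMemoryVisited { 0 };
    // Instrumentation: how many read-modify-write operations hit the shared
    // counter. With many marking threads, this is what produces contention.
    std::atomic<std::size_t> atomicUpdates { 0 };
};

class Visitor {
public:
    explicit Visitor(SharedHeapCounters& heap) : m_heap(heap) { }

    // Hot path, called once per string visited: touches only visitor-local state.
    void reportExtraMemoryVisited(std::size_t bytes) { m_extraMemorySize += bytes; }

    // Called at a rebalance point or at the end of draining: one RMW for the
    // whole batch instead of one per string.
    void propagateExtraMemoryVisitedIfNecessary()
    {
        if (!m_extraMemorySize)
            return;
        m_heap.extraMemoryVisited.fetch_add(m_extraMemorySize, std::memory_order_relaxed);
        m_heap.atomicUpdates.fetch_add(1, std::memory_order_relaxed);
        m_extraMemorySize = 0;
    }

private:
    SharedHeapCounters& m_heap;
    std::size_t m_extraMemorySize { 0 };
};

struct Result {
    std::size_t total;         // bytes that reached the shared counter
    std::size_t atomicUpdates; // RMW operations performed on the shared counter
};

// Baseline: every report goes straight to the shared atomic.
Result runUnbatched(std::size_t visitors, std::size_t stringsPerVisitor, std::size_t bytesPerString)
{
    SharedHeapCounters heap;
    for (std::size_t v = 0; v < visitors; ++v) {
        for (std::size_t i = 0; i < stringsPerVisitor; ++i) {
            heap.extraMemoryVisited.fetch_add(bytesPerString, std::memory_order_relaxed);
            heap.atomicUpdates.fetch_add(1, std::memory_order_relaxed);
        }
    }
    return { heap.extraMemoryVisited.load(), heap.atomicUpdates.load() };
}

// Batched: each visitor accumulates locally, propagates every `rebalanceEvery`
// strings (modelling a rebalance), and flushes once more when it finishes
// draining so that no bytes are left unreported.
Result runBatched(std::size_t visitors, std::size_t stringsPerVisitor, std::size_t bytesPerString, std::size_t rebalanceEvery)
{
    SharedHeapCounters heap;
    for (std::size_t v = 0; v < visitors; ++v) {
        Visitor visitor(heap);
        for (std::size_t i = 1; i <= stringsPerVisitor; ++i) {
            visitor.reportExtraMemoryVisited(bytesPerString);
            if (i % rebalanceEvery == 0)
                visitor.propagateExtraMemoryVisitedIfNecessary();
        }
        visitor.propagateExtraMemoryVisitedIfNecessary();
    }
    return { heap.extraMemoryVisited.load(), heap.atomicUpdates.load() };
}

int main()
{
    Result a = runUnbatched(4, 1000, 16);
    Result b = runBatched(4, 1000, 16, 100);
    std::printf("unbatched: %zu bytes, %zu atomic updates\n", a.total, a.atomicUpdates);
    std::printf("batched:   %zu bytes, %zu atomic updates\n", b.total, b.atomicUpdates);
    return 0;
}
```

Both runs report the same byte total; the batched run performs two orders of magnitude fewer operations on the shared cache line. The price is that the shared counter lags until the next propagation, which is why the end of draining must also flush.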
2929 2018-09-20  Michael Saboff  <msaboff@apple.com>
2930
2931         Add functions to measure memory footprint to JSC
2932         https://bugs.webkit.org/show_bug.cgi?id=189768
2933
2934         Reviewed by Saam Barati.
2935
2936         Rolling this back in.
2937
2938         Provide system memory metrics for the current process to aid in memory reduction measurement and
2939         tuning using native JS tests.
2940
2941         * jsc.cpp:
2942         (MemoryFootprint::now):
2943         (MemoryFootprint::resetPeak):
2944         (GlobalObject::finishCreation):
2945         (JSCMemoryFootprint::JSCMemoryFootprint):
2946         (JSCMemoryFootprint::createStructure):
2947         (JSCMemoryFootprint::create):
2948         (JSCMemoryFootprint::finishCreation):
2949         (JSCMemoryFootprint::addProperty):
2950         (functionResetMemoryPeak):
2951
2952 2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>
2953
2954         Unreviewed, rolling out r236235.
2955
2956         Breaks internal builds.
2957
2958         Reverted changeset:
2959
2960         "Add functions to measure memory footprint to JSC"
2961         https://bugs.webkit.org/show_bug.cgi?id=189768
2962         https://trac.webkit.org/changeset/236235
2963
2964 2018-09-20  Fujii Hironori  <Hironori.Fujii@sony.com>
2965
2966         [Win][Clang] JITMathIC.h: error: missing 'template' keyword prior to dependent template name 'retagged'
2967         https://bugs.webkit.org/show_bug.cgi?id=189730
2968
2969         Reviewed by Saam Barati.
2970
2971         Clang for Windows can't compile the workaround for the MSVC quirk in generateOutOfLine.
2972
2973         * jit/JITMathIC.h:
2974         (generateOutOfLine): Append "&& !COMPILER(CLANG)" to "#if COMPILER(MSVC)".
2975
2976 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2977
2978         [JSC] Optimize Array#indexOf in C++ runtime
2979         https://bugs.webkit.org/show_bug.cgi?id=189507
2980
2981         Reviewed by Saam Barati.
2982
2983         The C++ Array#indexOf runtime function takes so much time in the babylon benchmark in
2984         web-tooling-benchmark. While our DFG and FTL have an Array#indexOf optimization
2985         and it actually works well, C++ Array#indexOf is called a significant number of
2986         times before tiering up, and it takes 6.74% of jsc main thread samples according
2987         to the perf command on Linux. This is because C++ Array#indexOf is too generic and
2988         misses the chance to optimize JSArray cases.
2989
2990         This patch adds a JSArray fast path for Array#indexOf. If we know that indexed
2991         access to the given JSArray is non-observable and the indexing type is good for the fast
2992         path, we go to the fast path. This makes sampling of Array#indexOf 3.83% in
2993         babylon web-tooling-benchmark.
2994
2995         * runtime/ArrayPrototype.cpp:
2996         (JSC::arrayProtoFuncIndexOf):
2997         * runtime/JSArray.h:
2998         * runtime/JSArrayInlines.h:
2999         (JSC::JSArray::canDoFastIndexedAccess):
3000         (JSC::toLength):
3001         * runtime/JSCJSValueInlines.h:
3002         (JSC::JSValue::JSValue):
3003         * runtime/JSGlobalObject.h:
3004         * runtime/JSGlobalObjectInlines.h:
3005         (JSC::JSGlobalObject::isArrayPrototypeIndexedAccessFastAndNonObservable):
3006         (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
3007         * runtime/MathCommon.h:
3008         (JSC::canBeStrictInt32):
3009         (JSC::canBeInt32):
3010
3011 2018-09-19  Michael Saboff  <msaboff@apple.com>
3012
3013         Add functions to measure memory footprint to JSC
3014         https://bugs.webkit.org/show_bug.cgi?id=189768
3015
3016         Reviewed by Saam Barati.
3017
3018         Provide system memory metrics for the current process to aid in memory reduction measurement and
3019         tuning using native JS tests.
3020
3021         * jsc.cpp:
3022         (MemoryFootprint::now):
3023         (MemoryFootprint::resetPeak):
3024         (GlobalObject::finishCreation):
3025         (JSCMemoryFootprint::JSCMemoryFootprint):
3026         (JSCMemoryFootprint::createStructure):
3027         (JSCMemoryFootprint::create):
3028         (JSCMemoryFootprint::finishCreation):
3029         (JSCMemoryFootprint::addProperty):
3030         (functionResetMemoryPeak):
3031
3032 2018-09-19  Saam barati  <sbarati@apple.com>
3033
3034         CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code
3035         https://bugs.webkit.org/show_bug.cgi?id=189703
3036
3037         Reviewed by Mark Lam.
3038
3039         This fixes a crash that a TypeProfiler change revealed.
3040
3041         * dfg/DFGSpeculativeJIT64.cpp:
3042         (JSC::DFG::SpeculativeJIT::compile):
3043
3044 2018-09-19  Saam barati  <sbarati@apple.com>
3045
3046         AI rule for MultiPutByOffset executes its effects in the wrong order
3047         https://bugs.webkit.org/show_bug.cgi?id=189757
3048         <rdar://problem/43535257>
3049
3050         Reviewed by Michael Saboff.
3051
3052         The AI rule for MultiPutByOffset was executing effects in the wrong order.
3053         It first executed the transition effects and the effects on the base, and
3054         then executed the filtering effects on the value being stored. However, you
3055         can end up with the wrong type when the base and the value being stored
3056         are the same. E.g., in a program like `o.f = o`. These effects need to happen
3057         in the opposite order, modeling what happens in the runtime execution of
3058         MultiPutByOffset.
3059
3060         * dfg/DFGAbstractInterpreterInlines.h:
3061         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3062
3063 2018-09-18  Mark Lam  <mark.lam@apple.com>
3064
3065         Ensure that ForInContexts are invalidated if their loop local is over-written.
3066         https://bugs.webkit.org/show_bug.cgi?id=189571
3067         <rdar://problem/44402277>
3068
3069         Reviewed by Saam Barati.
3070
3071         Instead of hunting down every place in the BytecodeGenerator that potentially
3072         needs to invalidate an enclosing ForInContext (if one exists), we simply iterate
3073         the bytecode range of the loop body when the ForInContext is popped, and
3074         invalidate the context if we ever find the loop temp variable over-written.
3075
3076         This has 2 benefits:
3077         1. It ensures that every type of opcode that can write to the loop temp will be
3078            handled appropriately, not just the op_mov that we've hunted down.
3079         2. It avoids us having to check the BytecodeGenerator's m_forInContextStack
3080            every time we emit an op_mov (or other opcodes that can write to a local)
3081            even when we're not inside a for-in loop.
3082
3083         JSC benchmarks show that this change is performance neutral.
3084
3085         * bytecompiler/BytecodeGenerator.cpp:
3086         (JSC::BytecodeGenerator::pushIndexedForInScope):
3087         (JSC::BytecodeGenerator::popIndexedForInScope):
3088         (JSC::BytecodeGenerator::pushStructureForInScope):
3089         (JSC::BytecodeGenerator::popStructureForInScope):
3090         (JSC::ForInContext::finalize):
3091         (JSC::StructureForInContext::finalize):
3092         (JSC::IndexedForInContext::finalize):
3093         (JSC::BytecodeGenerator::invalidateForInContextForLocal): Deleted.
3094         * bytecompiler/BytecodeGenerator.h:
3095         (JSC::ForInContext::ForInContext):
3096         (JSC::ForInContext::bodyBytecodeStartOffset const):
3097         (JSC::StructureForInContext::StructureForInContext):
3098         (JSC::IndexedForInContext::IndexedForInContext):
3099         * bytecompiler/NodesCodegen.cpp:
3100         (JSC::PostfixNode::emitResolve):
3101         (JSC::PrefixNode::emitResolve):
3102         (JSC::ReadModifyResolveNode::emitBytecode):
3103         (JSC::AssignResolveNode::emitBytecode):
3104         (JSC::EmptyLetExpression::emitBytecode):
3105         (JSC::ForInNode::emitLoopHeader):
3106         (JSC::ForOfNode::emitBytecode):
3107         (JSC::BindingNode::bindValue const):
3108         (JSC::AssignmentElementNode::bindValue const):
3109         * runtime/CommonSlowPaths.cpp:
3110         (JSC::SLOW_PATH_DECL):
3111
3112 2018-09-17  Devin Rousso  <drousso@apple.com>
3113
3114         Web Inspector: generate CSSKeywordCompletions from backend values
3115         https://bugs.webkit.org/show_bug.cgi?id=189041
3116
3117         Reviewed by Joseph Pecoraro.
3118
3119         * inspector/protocol/CSS.json:
3120         Include an optional `aliases` array and `inherited` boolean for `CSSPropertyInfo`.
3121
3122 2018-09-17  Saam barati  <sbarati@apple.com>
3123
3124         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3125         https://bugs.webkit.org/show_bug.cgi?id=189676
3126         <rdar://problem/39682897>
3127
3128         Reviewed by Michael Saboff.
3129
3130         Because the incoming value may be TDZ, CheckStructure may end up crashing.
3131         Since the Type Profile does not currently record TDZ values in any of its
3132         data structures, this is not a semantic change in how it will show you data.
3133         It just fixes crashes when we emit a CheckStructure and the incoming value
3134         is TDZ.
3135
3136         * dfg/DFGFixupPhase.cpp:
3137         (JSC::DFG::FixupPhase::fixupNode):
3138         * dfg/DFGNode.h:
3139         (JSC::DFG::Node::convertToCheckStructureOrEmpty):
3140
3141 2018-09-17  Darin Adler  <darin@apple.com>
3142
3143         Use OpaqueJSString rather than JSRetainPtr inside WebKit
3144         https://bugs.webkit.org/show_bug.cgi?id=189652
3145
3146         Reviewed by Saam Barati.
3147
3148         * API/JSCallbackObjectFunctions.h: Removed an unneeded include of
3149         JSStringRef.h.
3150
3151         * API/JSContext.mm:
3152         (-[JSContext evaluateScript:withSourceURL:]): Use OpaqueJSString::create rather
3153         than JSStringCreateWithCFString, simplifying the code and also obviating the
3154         need for explicit JSStringRelease.
3155         (-[JSContext setName:]): Ditto.
3156
3157         * API/JSStringRef.cpp:
3158         (JSStringIsEqualToUTF8CString): Use adoptRef rather than explicit JSStringRelease.
3159         It seems that additional optimization is possible, obviating the need to allocate
3160         an OpaqueJSString, but that's true almost everywhere else in this patch, too.
3161
3162         * API/JSValue.mm:
3163         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Use
3164         OpaqueJSString::create and adoptRef as appropriate.
3165         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
3166         (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Ditto.
3167         (performPropertyOperation): Ditto.
3168         (-[JSValue invokeMethod:withArguments:]): Ditto.
3169         (valueToObjectWithoutCopy): Ditto.
3170         (containerValueToObject): Ditto.
3171         (valueToString): Ditto.
3172         (objectToValueWithoutCopy): Ditto.
3173         (objectToValue): Ditto.
3174
3175 2018-09-08  Darin Adler  <darin@apple.com>
3176
3177         Streamline JSRetainPtr, fix leaks of JSString and JSGlobalContext
3178         https://bugs.webkit.org/show_bug.cgi?id=189455
3179
3180         Reviewed by Keith Miller.
3181
3182         * API/JSObjectRef.cpp:
3183         (OpaqueJSPropertyNameArray): Use Ref<OpaqueJSString> instead of
3184         JSRetainPtr<JSStringRef>.
3185         (JSObjectCopyPropertyNames): Remove now-unneeded use of leakRef and
3186         adopt constructor.
3187         (JSPropertyNameArrayGetNameAtIndex): Use ptr() instead of get() since
3188         the array elements are now Ref.
3189
3190         * API/JSRetainPtr.h: While JSRetainPtr is written as a template,
3191         it only works for two specific unrelated types, JSStringRef and
3192         JSGlobalContextRef. Simplified the default constructor using data
3193         member initialization. Prepared to make the adopt constructor private
3194         (got everything compiling that way, then made it public again so that
3195         Apple internal software will still build). Got rid of the unneeded
3196         templated constructor and assignment operator, since they are not relevant:
3197         there is no inheritance between JSRetainPtr template types.
3198         Added WARN_UNUSED_RETURN to leakRef as in RefPtr and RetainPtr.
3199         Added move constructor and move assignment operator for slightly better
3200         performance. Simplified implementations of various member functions
3201         so they are more obviously correct, by using leakPtr in more of them
3202         and using std::exchange to make the flow of values more obvious.
3203
3204         * API/JSValue.mm:
3205         (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Added a
3206         missing JSStringRelease to fix a leak.
3207
3208         * API/tests/CustomGlobalObjectClassTest.c:
3209         (customGlobalObjectClassTest): Added a JSGlobalContextRelease to fix a leak.
3210         (globalObjectSetPrototypeTest): Ditto.
3211         (globalObjectPrivatePropertyTest): Ditto.
3212
3213         * API/tests/ExecutionTimeLimitTest.cpp:
3214         (testResetAfterTimeout): Added a call to JSStringRelease to fix a leak.
3215         (testExecutionTimeLimit): Ditto, lots more.
3216
3217         * API/tests/FunctionOverridesTest.cpp:
3218         (testFunctionOverrides): Added a call to JSStringRelease to fix a leak.
3219
3220         * API/tests/JSObjectGetProxyTargetTest.cpp:
3221         (testJSObjectGetProxyTarget): Added a call to JSGlobalContextRelease to fix
3222         a leak.
3223
3224         * API/tests/PingPongStackOverflowTest.cpp:
3225         (testPingPongStackOverflow): Added calls to JSGlobalContextRelease and
3226         JSStringRelease to fix leaks.
3227
3228         * API/tests/testapi.c:
3229         (throwException): Added. Helper function for repeated idiom where we want
3230         to throw an exception, but with additional JSStringRelease calls so we don't
3231         have to leak just to keep the code simpler to read.
3232         (MyObject_getProperty): Use throwException.
3233         (MyObject_setProperty): Ditto.
3234         (MyObject_deleteProperty): Ditto.
3235         (isValueEqualToString): Added. Helper function for an idiom where we check
3236         if something is a string and then if it's equal to a particular string
3237         constant, but a version that has an additional JSStringRelease call so we
3238         don't have to leak just to keep the code simpler to read.
3239         (MyObject_callAsFunction): Use isValueEqualToString and throwException.
3240         (MyObject_callAsConstructor): Ditto.
3241         (MyObject_hasInstance): Ditto.
3242         (globalContextNameTest): Added a JSGlobalContextRelease to fix a leak.
3243         (testMarkingConstraintsAndHeapFinalizers): Ditto.
3244
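As an added example of the ownership idioms this entry describes (an adopt constructor that takes over a +1 reference, a `leakRef()` that hands it back, move operations written with `std::exchange`, and the early-return leak that such a wrapper prevents), the following C++ is constructed for illustration and is not JSC's JSRetainPtr or the JSStringRef API; `OpaqueHandle`, `HandleCreate`/`HandleRetain`/`HandleRelease` and `HandlePtr` are hypothetical stand-ins:

```cpp
#include <cstddef>
#include <cstdio>
#include <utility>

// Constructed stand-in for a C API handle with manual retain/release semantics.
struct OpaqueHandle { int refCount = 1; };
static std::size_t g_liveHandles = 0; // instrumentation: handles not yet freed

static OpaqueHandle* HandleCreate() { ++g_liveHandles; return new OpaqueHandle; }
static OpaqueHandle* HandleRetain(OpaqueHandle* h) { if (h) ++h->refCount; return h; }
static void HandleRelease(OpaqueHandle* h)
{
    if (h && --h->refCount == 0) {
        delete h;
        --g_liveHandles;
    }
}

struct AdoptTag { };

// Minimal smart pointer in the style the entry describes.
class HandlePtr {
public:
    HandlePtr() = default;
    HandlePtr(AdoptTag, OpaqueHandle* h) : m_ptr(h) { }              // takes ownership of an existing +1 ref
    explicit HandlePtr(OpaqueHandle* h) : m_ptr(HandleRetain(h)) { } // shares: adds its own ref
    HandlePtr(const HandlePtr& o) : m_ptr(HandleRetain(o.m_ptr)) { }
    HandlePtr(HandlePtr&& o) noexcept : m_ptr(std::exchange(o.m_ptr, nullptr)) { }
    ~HandlePtr() { HandleRelease(m_ptr); }

    HandlePtr& operator=(const HandlePtr& o) { HandlePtr copy(o); swap(copy); return *this; }
    HandlePtr& operator=(HandlePtr&& o) noexcept { HandlePtr moved(std::move(o)); swap(moved); return *this; }

    void swap(HandlePtr& o) noexcept { std::swap(m_ptr, o.m_ptr); }
    OpaqueHandle* get() const { return m_ptr; }
    // Gives the +1 reference back to manual management; the caller must release it.
    [[nodiscard]] OpaqueHandle* leakRef() { return std::exchange(m_ptr, nullptr); }

private:
    OpaqueHandle* m_ptr = nullptr;
};

static HandlePtr adopt(OpaqueHandle* h) { return HandlePtr(AdoptTag(), h); }

// The bug pattern the entry fixes: manual release plus an early return that
// skips it. Returns how many handles the call left alive.
static std::size_t leakedByEarlyReturn(bool failEarly)
{
    std::size_t before = g_liveHandles;
    auto body = [&]() {
        OpaqueHandle* h = HandleCreate();
        if (failEarly)
            return false; // BUG: returns without HandleRelease(h)
        HandleRelease(h);
        return true;
    };
    (void)body();
    return g_liveHandles - before;
}

// Same control flow with the RAII wrapper: the destructor runs on every path.
static std::size_t leakedWithHandlePtr(bool failEarly)
{
    std::size_t before = g_liveHandles;
    auto body = [&]() {
        HandlePtr h = adopt(HandleCreate());
        if (failEarly)
            return false; // h is released here as well
        return true;
    };
    (void)body();
    return g_liveHandles - before;
}

// Moving transfers the single reference; leakRef() then hands it back to the
// C API caller without a second release happening in the destructor.
static bool moveAndLeakRefKeepOneReference()
{
    std::size_t before = g_liveHandles;
    HandlePtr a = adopt(HandleCreate());
    HandlePtr b = std::move(a);
    bool movedFromIsEmpty = a.get() == nullptr;
    OpaqueHandle* raw = b.leakRef();
    bool exactlyOneRef = (g_liveHandles - before == 1) && raw->refCount == 1;
    HandleRelease(raw);
    return movedFromIsEmpty && exactlyOneRef && g_liveHandles == before;
}

int main()
{
    std::printf("manual, early return: %zu leaked\n", leakedByEarlyReturn(true));
    std::printf("RAII, early return:   %zu leaked\n", leakedWithHandlePtr(true));
    return 0;
}
```

The `[[nodiscard]]` on `leakRef()` plays the role of WARN_UNUSED_RETURN: dropping the returned pointer would be exactly the kind of leak the test fixes in this entry are about.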
3245 2018-09-14  Saam barati  <sbarati@apple.com>
3246
3247         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3248         https://bugs.webkit.org/show_bug.cgi?id=189628
3249         <rdar://problem/39481690>
3250
3251         Reviewed by Mark Lam.
3252
3253         An Availability may point to a Node. And that Node may be removed from
3254         the graph, e.g., it's freed and its memory is no longer owned by Graph.
3255         This patch makes it so we no longer dump this metadata by default. If
3256         this metadata is interesting to you, you'll need to go in and change
3257         Graph::dump to dump the needed metadata.
3258
3259         * dfg/DFGGraph.cpp:
3260         (JSC::DFG::Graph::dump):
3261
3262 2018-09-14  Mark Lam  <mark.lam@apple.com>
3263
3264         Refactor some ForInContext code for better encapsulation.
3265         https://bugs.webkit.org/show_bug.cgi?id=189626
3266         <rdar://problem/44466415>
3267
3268         Reviewed by Keith Miller.
3269
3270         1. Add a ForInContext::m_type field to store the context type.  This does not
3271            increase the class size, but eliminates the need for a virtual call to get the
3272            type.
3273
3274            Note: we still need a virtual destructor because we'll be mingling
3275            IndexedForInContexts and StructureForInContexts in the BytecodeGenerator::m_forInContextStack.
3276
3277         2. Add ForInContext::isIndexedForInContext() and ForInContext::isStructureForInContext()
3278            convenience methods.
3279
3280         3. Add ForInContext::asIndexedForInContext() and ForInContext::asStructureForInContext()
3281            to do the casting to the subclass types.  This ensures that we'll properly
3282            assert that the casting is legal.
3283
3284         * bytecompiler/BytecodeGenerator.cpp:
3285         (JSC::BytecodeGenerator::emitGetByVal):
3286         (JSC::BytecodeGenerator::popIndexedForInScope):
3287         (JSC::BytecodeGenerator::popStructureForInScope):
3288         * bytecompiler/BytecodeGenerator.h:
3289         (JSC::ForInContext::type const):
3290         (JSC::ForInContext::isIndexedForInContext const):
3291         (JSC::ForInContext::isStructureForInContext const):
3292         (JSC::ForInContext::asIndexedForInContext):
3293         (JSC::ForInContext::asStructureForInContext):
3294         (JSC::ForInContext::ForInContext):
3295         (JSC::StructureForInContext::StructureForInContext):
3296         (JSC::IndexedForInContext::IndexedForInContext):
3297         (JSC::ForInContext::~ForInContext): Deleted.
3298
3299 2018-09-14  Devin Rousso  <webkit@devinrousso.com>
3300
3301         Web Inspector: Record actions performed on ImageBitmapRenderingContext
3302         https://bugs.webkit.org/show_bug.cgi?id=181341
3303
3304         Reviewed by Joseph Pecoraro.
3305
3306         * inspector/protocol/Recording.json:
3307         * inspector/scripts/codegen/generator.py:
3308
3309 2018-09-14  Mike Gorse  <mgorse@suse.com>
3310
3311         builtins directory causes name conflict on Python 3
3312         https://bugs.webkit.org/show_bug.cgi?id=189552
3313
3314         Reviewed by Michael Catanzaro.
3315
3316         * CMakeLists.txt: builtins -> wkbuiltins.
3317         * DerivedSources.make: builtins -> wkbuiltins.
3318         * Scripts/generate-js-builtins.py: import wkbuiltins, rather than
3319           builtins.
3320         * Scripts/wkbuiltins/__init__.py: Renamed from Source/JavaScriptCore/Scripts/builtins/__init__.py.
3321         * Scripts/wkbuiltins/builtins_generate_combined_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_combined_header.py.
3322         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_internals_wrapper_implementation.py.
3323         * Scripts/wkbuiltins/builtins_generate_separate_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_header.py.
3324         * Scripts/wkbuiltins/builtins_generate_separate_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_implementation.py.
3325         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_header.py.
3326         * Scripts/wkbuiltins/builtins_generate_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_implementation.py.
3327         * Scripts/wkbuiltins/builtins_generator.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generator.py.
3328         * Scripts/wkbuiltins/builtins_model.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_model.py.
3329         * Scripts/wkbuiltins/builtins_templates.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_templates.py.
3330         * Scripts/wkbuiltins/wkbuiltins.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins.py.
3331         * JavaScriptCore.xcodeproj/project.pbxproj: Update for the renaming.
3332
3333 2018-09-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3334
3335         [WebAssembly] Inline WasmContext accessor functions
3336         https://bugs.webkit.org/show_bug.cgi?id=189416
3337
3338         Reviewed by Saam Barati.
3339
3340         WasmContext accessor functions are very small, while they reside in the critical path of
3341         the JS to Wasm function call. This patch makes them inline to improve performance.
3342         This change improves a small benchmark (calling JS to Wasm function 1e7 times) from 320ms to 270ms.
3343
3344         * JavaScriptCore.xcodeproj/project.pbxproj:
3345         * Sources.txt:
3346         * interpreter/CallFrame.cpp:
3347         * jit/AssemblyHelpers.cpp:
3348         * wasm/WasmB3IRGenerator.cpp:
3349         * wasm/WasmContextInlines.h: Renamed from Source/JavaScriptCore/wasm/WasmContext.cpp.
3350         (JSC::Wasm::Context::useFastTLS):
3351         (JSC::Wasm::Context::load const):
3352         (JSC::Wasm::Context::store):
3353         * wasm/WasmMemoryInformation.cpp:
3354         * wasm/WasmModuleParser.cpp: Include <wtf/SHA1.h> due to changes of unified source combinations.
3355         * wasm/js/JSToWasm.cpp:
3356         * wasm/js/WebAssemblyFunction.cpp:
3357
3358 2018-09-12  David Kilzer  <ddkilzer@apple.com>
3359
3360         Move JavaScriptCore files to match Xcode project hierarchy
3361         <https://webkit.org/b/189574>
3362
3363         Reviewed by Filip Pizlo.
3364
3365         * API/JSAPIValueWrapper.cpp: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.cpp.
3366         * API/JSAPIValueWrapper.h: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.h.
3367         * CMakeLists.txt: Update for new path to
3368         generateYarrUnicodePropertyTables.py, hasher.py and
3369         JSAPIValueWrapper.h.
3370         * DerivedSources.make: Ditto. Add missing dependency on
3371         hasher.py captured by CMakeLists.txt.
3372         * JavaScriptCore.xcodeproj/project.pbxproj: Update for new file
3373         reference paths. Add hasher.py library to project.
3374         * Sources.txt: Update for new path to
3375         JSAPIValueWrapper.cpp.
3376         * runtime/JSImmutableButterfly.h: Add missing includes
3377         after changes to Sources.txt and regenerating unified
3378         sources.
3379         * runtime/RuntimeType.h: Ditto.
3380         * yarr/generateYarrUnicodePropertyTables.py: Rename from Source/JavaScriptCore/Scripts/generateYarrUnicodePropertyTables.py.
3381         * yarr/hasher.py: Rename from Source/JavaScriptCore/Scripts/hasher.py.
3382
3383 2018-09-12  David Kilzer  <ddkilzer@apple.com>
3384
3385         Let Xcode have its way with the JavaScriptCore project
3386
3387         * JavaScriptCore.xcodeproj/project.pbxproj:
3388
3389 2018-09-12  Guillaume Emont  <guijemont@igalia.com>
3390
3391         Add IGNORE_WARNING_.* macros
3392         https://bugs.webkit.org/show_bug.cgi?id=188996
3393
3394         Reviewed by Michael Catanzaro.
3395
3396         * API/JSCallbackObject.h:
3397         * API/tests/testapi.c:
3398         * assembler/LinkBuffer.h:
3399         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3400         * b3/B3LowerToAir.cpp:
3401         * b3/B3Opcode.cpp:
3402         * b3/B3Type.h:
3403         * b3/B3TypeMap.h:
3404         * b3/B3Width.h:
3405         * b3/air/AirArg.cpp:
3406         * b3/air/AirArg.h: