[JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=186602

        Reviewed by Saam Barati.

        JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
        change the part of the butterfly, length etc. We prove that our procedure is safe, and
        drop the cellLock() here.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertContiguousToArrayStorage):

2018-07-20  Saam Barati  <sbarati@apple.com>

        CompareEq should be using KnownOtherUse instead of OtherUse
        https://bugs.webkit.org/show_bug.cgi?id=186814
        <rdar://problem/39720030>

        Reviewed by Filip Pizlo.

        CompareEq in fixup phase was doing this:
        insertCheck(child, OtherUse)
        setUseKind(child, OtherUse)
        And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
        lead to edge verification crashing because a phase may optimize the check out
        by removing the node. However, AI may not be privy to that optimization, and
        AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
        backend to actually emit a check here, but it does not.

        This exact pattern is why we have KnownXYZ use kinds. This patch introduces
        KnownOtherUse and changes the above pattern to be:
        insertCheck(child, OtherUse)
        setUseKind(child, KnownOtherUse)

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::shouldNotHaveTypeCheck):
        (JSC::DFG::checkMayCrashIfInputIsEmpty):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):

2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] A bit performance improvement for Object.assign by cleaning up code
        https://bugs.webkit.org/show_bug.cgi?id=187852

        Reviewed by Saam Barati.

        We clean up Object.assign code a bit.

        1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
        2. canDoFastPath is not necessary. Restructuring the code to clean up things.

        It improves the performance a bit.

                                    baseline                  patched

        object-assign.es6      237.7719+-5.5175          231.2856+-4.6907          might be 1.0280x faster

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):

2018-07-19  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
        https://bugs.webkit.org/show_bug.cgi?id=187798

        Reviewed by Michael Catanzaro.

        Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
        jsc_value_new_object() because indeed we are creating a new object. This makes the destroy function and vtable
        functions work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
        patch adds JSAPIWrapperGlobalObject for that.

        * API/glib/JSAPIWrapperGlobalObject.cpp: Added.
        (jsAPIWrapperGlobalObjectHandleOwner):
        (JSAPIWrapperGlobalObjectHandleOwner::finalize):
        (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
        (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
        (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
        (JSC::JSAPIWrapperGlobalObject::finishCreation):
        (JSC::JSAPIWrapperGlobalObject::visitChildren):
        * API/glib/JSAPIWrapperGlobalObject.h: Added.
        (JSC::JSAPIWrapperGlobalObject::wrappedObject const):
        (JSC::JSAPIWrapperGlobalObject::setWrappedObject):
        * API/glib/JSCClass.cpp:
        (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
        (wrappedObjectClass): Return the class of a wrapped object.
        (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
        scope extension global object is used instead.
        (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
        (setProperty): Ditto.
        (hasProperty): Ditto.
        (deleteProperty): Ditto.
        (getPropertyNames): Ditto.
        (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
        * API/glib/JSCClassPrivate.h:
        * API/glib/JSCContext.cpp:
        (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
        (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
        * API/glib/JSCContext.h:
        * API/glib/JSCContextPrivate.h:
        * API/glib/JSCWrapperMap.cpp:
        (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
        when a JSCClass is used to create the JSAPIWrapperGlobalObject.
        (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
        * API/glib/JSCWrapperMap.h:
        * GLib.cmake:

2018-07-19  Saam Barati  <sbarati@apple.com>

        Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
        https://bugs.webkit.org/show_bug.cgi?id=187836
        <rdar://problem/42409527>

        Reviewed by Mark Lam.

        We have crash reports that we're crashing on source->getDirect in Object.assign's
        fast path. Mark investigated this and determined we end up with a nullptr for
        butterfly. This is curious, because source's Structure indicated that it has
        out of line properties. My leading hypothesis for this at the moment is a bit
        handwavy, but it's essentially:
        - We end up firing a watchpoint when assigning to the target (this can happen
        if a watchpoint was set up for storing to that particular field)
        - When we fire that watchpoint, we end up doing some kind of work on the source,
        perhaps causing it to flattenDictionaryStructure. Therefore, we end up
        mutating source.

        I'm not super convinced this is what we're running into, but just by reading
        the code, I think it needs to be something similar to this. Seeing if this change
        fixes the crasher will give us good data to determine if something like this is
        happening or if the bug is something else entirely.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):

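The hazard the entry above describes, seen from script level: something runs in the middle of a property copy and mutates the source before the copy has finished reading it. The following is an added example, not code from the WebKit change. It only uses the spec-defined ordering of Object.assign (own keys are listed once, then each key is read from the source and written to the target in turn), and it models the "load everything, then store everything" shape of the fast path as a plain JavaScript function so the two orderings can be compared. The objects and the setter are constructed for the demonstration.

```javascript
// Added example (not WebKit code): a target setter that mutates the source while a
// copy is in progress, and how per-key interleaving differs from a two-phase
// load-then-store copy. Every object below is constructed for the demonstration.

function makeFixture() {
  const calls = [];
  const source = { a: 1, b: 2, c: 3 };
  const target = {};
  Object.defineProperty(target, 'a', {
    enumerable: true,
    configurable: true,
    set(v) {
      calls.push(`set a=${v}`);
      // Re-entrant mutation of the source while the copy is still running.
      delete source.b;
      source.c = 30;
    },
  });
  return { source, target, calls };
}

// Spec ordering: the key list is fixed up front, then each key is read from the
// source and written to the target in turn, so later keys observe the mutation:
// 'b' is gone by the time it is read, and 'c' is read as 30.
function interleavedAssign() {
  const f = makeFixture();
  Object.assign(f.target, f.source);
  return snapshot(f);
}

// Two-phase shape: read every value first, then write. The setter still runs on
// the first store, but the values written afterwards come from the snapshot, so
// the mutation has no effect on what the target ends up holding.
function twoPhaseAssign() {
  const f = makeFixture();
  const loaded = Object.keys(f.source).map((k) => [k, f.source[k]]);
  for (const [k, v] of loaded) f.target[k] = v;
  return snapshot(f);
}

function snapshot({ target, calls }) {
  return { keys: Object.keys(target), b: target.b, c: target.c, calls };
}

console.log('interleaved:', interleavedAssign());
console.log('two-phase:  ', twoPhaseAssign());
```

For JavaScript code itself the interleaved ordering is what the language guarantees; the two-phase function is there to make visible what a snapshot-first copy buys an implementation: nothing that happens during a store can change what is stored next. Note that `Object.keys` covers only string-keyed enumerable properties, so the model is narrower than Object.assign, which also copies symbol keys.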
2018-07-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r233998.
        https://bugs.webkit.org/show_bug.cgi?id=187815

        Not needed. (Requested by mlam|a on #webkit).

        Reverted changeset:

        "Temporarily mitigate a bug where a source provider is null
        when it shouldn't be."
        https://bugs.webkit.org/show_bug.cgi?id=187812
        https://trac.webkit.org/changeset/233998

2018-07-19  Mark Lam  <mark.lam@apple.com>

        Temporarily mitigate a bug where a source provider is null when it shouldn't be.
        https://bugs.webkit.org/show_bug.cgi?id=187812
        <rdar://problem/41192691>

        Reviewed by Michael Saboff.

        Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.

        * runtime/Error.cpp:
        (JSC::addErrorInfo):

2018-07-19  Keith Rollin  <krollin@apple.com>

        Adjust WEBCORE_EXPORT annotations for LTO
        https://bugs.webkit.org/show_bug.cgi?id=187781
        <rdar://problem/42351124>

        Reviewed by Alex Christensen.

        Continuation of Bug 186944. This bug addresses issues not caught
        during the first pass of adjustments. The initial work focussed on
        macOS; this one addresses issues found when building for iOS. From
        186944:

        Adjust a number of places that result in WebKit's
        'check-for-weak-vtables-and-externals' script reporting weak external
        symbols:

            ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
            ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
            ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
            ...

        These cases are caused by inline methods being marked with WTF_EXPORT
        (or related macro) or with an inline function being in a class marked
        as such, and when enabling LTO builds.

        For the most part, address these by removing the WEBCORE_EXPORT
        annotation from inline methods. In some cases, move the implementation
        out-of-line because it's the class that has the WEBCORE_EXPORT on it
        and removing the annotation from the class would be too disruptive.
        Finally, in other cases, move the implementation out-of-line because
        check-for-weak-vtables-and-externals still complains when keeping the
        implementation inline and removing the annotation; this seems to
        typically (but not always) happen with destructors.

        * inspector/remote/RemoteAutomationTarget.cpp:
        (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
        * inspector/remote/RemoteAutomationTarget.h:
        * inspector/remote/RemoteInspector.cpp:
        (Inspector::RemoteInspector::Client::~Client):
        * inspector/remote/RemoteInspector.h:

2018-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, check scope after performing getPropertySlot in JSON.stringify
        https://bugs.webkit.org/show_bug.cgi?id=187807

        Properly putting EXCEPTION_ASSERT to tell our exception checker mechanism
        that we know that exception occurrence and handle it well.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):

2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Reduce size of AST nodes
        https://bugs.webkit.org/show_bug.cgi?id=187689

        Reviewed by Mark Lam.

        We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
        of ParserArena at peak state.

        1. Annotate `final` to AST nodes to make them solid. And it allows the compiler to
        devirtualize calls to functions which are implemented in a final class.

        2. Use default member initializers more.

        3. And use `nullptr` instead of `0`.

        4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
        of classes in multiple inheritance. In particular, StatementNode is decreased from 48
        to 40. This decreases the sizes of all the derived Statement nodes.

        * parser/NodeConstructors.h:
        (JSC::Node::Node):
        (JSC::StatementNode::StatementNode):
        (JSC::ElementNode::ElementNode):
        (JSC::ArrayNode::ArrayNode):
        (JSC::PropertyListNode::PropertyListNode):
        (JSC::ObjectLiteralNode::ObjectLiteralNode):
        (JSC::ArgumentListNode::ArgumentListNode):
        (JSC::ArgumentsNode::ArgumentsNode):
        (JSC::NewExprNode::NewExprNode):
        (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
        (JSC::BinaryOpNode::BinaryOpNode):
        (JSC::LogicalOpNode::LogicalOpNode):
        (JSC::CommaNode::CommaNode):
        (JSC::SourceElements::SourceElements):
        (JSC::ClauseListNode::ClauseListNode):
        * parser/Nodes.cpp:
        (JSC::FunctionMetadataNode::FunctionMetadataNode):
        (JSC::FunctionMetadataNode::operator== const):
        (JSC::FunctionMetadataNode::dump const):
        * parser/Nodes.h:
        (JSC::BooleanNode::value): Deleted.
        (JSC::StringNode::value): Deleted.
        (JSC::TemplateExpressionListNode::value): Deleted.
        (JSC::TemplateExpressionListNode::next): Deleted.
        (JSC::TemplateStringNode::cooked): Deleted.
        (JSC::TemplateStringNode::raw): Deleted.
        (JSC::TemplateStringListNode::value): Deleted.
        (JSC::TemplateStringListNode::next): Deleted.
        (JSC::TemplateLiteralNode::templateStrings const): Deleted.
        (JSC::TemplateLiteralNode::templateExpressions const): Deleted.
        (JSC::TaggedTemplateNode::templateLiteral const): Deleted.
        (JSC::ResolveNode::identifier const): Deleted.
        (JSC::ElementNode::elision const): Deleted.
        (JSC::ElementNode::value): Deleted.
        (JSC::ElementNode::next): Deleted.
        (JSC::ArrayNode::elements const): Deleted.
        (JSC::PropertyNode::expressionName const): Deleted.
        (JSC::PropertyNode::name const): Deleted.
        (JSC::PropertyNode::type const): Deleted.
        (JSC::PropertyNode::needsSuperBinding const): Deleted.
        (JSC::PropertyNode::isClassProperty const): Deleted.
        (JSC::PropertyNode::isStaticClassProperty const): Deleted.
        (JSC::PropertyNode::isInstanceClassProperty const): Deleted.
        (JSC::PropertyNode::isOverriddenByDuplicate const): Deleted.
        (JSC::PropertyNode::setIsOverriddenByDuplicate): Deleted.
        (JSC::PropertyNode::putType const): Deleted.
        (JSC::BracketAccessorNode::base const): Deleted.
        (JSC::BracketAccessorNode::subscript const): Deleted.
        (JSC::BracketAccessorNode::subscriptHasAssignments const): Deleted.
        (JSC::DotAccessorNode::base const): Deleted.
        (JSC::DotAccessorNode::identifier const): Deleted.
        (JSC::SpreadExpressionNode::expression const): Deleted.
        (JSC::ObjectSpreadExpressionNode::expression const): Deleted.
        (JSC::BytecodeIntrinsicNode::type const): Deleted.
        (JSC::BytecodeIntrinsicNode::emitter const): Deleted.
        (JSC::BytecodeIntrinsicNode::identifier const): Deleted.
        (JSC::TypeOfResolveNode::identifier const): Deleted.
        (JSC::BitwiseNotNode::expr): Deleted.
        (JSC::BitwiseNotNode::expr const): Deleted.
        (JSC::AssignResolveNode::identifier const): Deleted.
        (JSC::ExprStatementNode::expr const): Deleted.
        (JSC::ForOfNode::isForAwait const): Deleted.
        (JSC::ReturnNode::value): Deleted.
        (JSC::ProgramNode::startColumn const): Deleted.
        (JSC::ProgramNode::endColumn const): Deleted.
        (JSC::EvalNode::startColumn const): Deleted.
        (JSC::EvalNode::endColumn const): Deleted.
        (JSC::ModuleProgramNode::startColumn const): Deleted.
        (JSC::ModuleProgramNode::endColumn const): Deleted.
        (JSC::ModuleProgramNode::moduleScopeData): Deleted.
        (JSC::ModuleNameNode::moduleName): Deleted.
        (JSC::ImportSpecifierNode::importedName): Deleted.
        (JSC::ImportSpecifierNode::localName): Deleted.
        (JSC::ImportSpecifierListNode::specifiers const): Deleted.
        (JSC::ImportSpecifierListNode::append): Deleted.
        (JSC::ImportDeclarationNode::specifierList const): Deleted.
        (JSC::ImportDeclarationNode::moduleName const): Deleted.
        (JSC::ExportAllDeclarationNode::moduleName const): Deleted.
        (JSC::ExportDefaultDeclarationNode::declaration const): Deleted.
        (JSC::ExportDefaultDeclarationNode::localName const): Deleted.
        (JSC::ExportLocalDeclarationNode::declaration const): Deleted.
        (JSC::ExportSpecifierNode::exportedName): Deleted.
        (JSC::ExportSpecifierNode::localName): Deleted.
        (JSC::ExportSpecifierListNode::specifiers const): Deleted.
        (JSC::ExportSpecifierListNode::append): Deleted.
        (JSC::ExportNamedDeclarationNode::specifierList const): Deleted.
        (JSC::ExportNamedDeclarationNode::moduleName const): Deleted.
        (JSC::ArrayPatternNode::appendIndex): Deleted.
        (JSC::ObjectPatternNode::appendEntry): Deleted.
        (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
        (JSC::ObjectPatternNode::setContainsComputedProperty): Deleted.
        (JSC::DestructuringAssignmentNode::bindings): Deleted.
        (JSC::FunctionParameters::size const): Deleted.
        (JSC::FunctionParameters::append): Deleted.
        (JSC::FunctionParameters::isSimpleParameterList const): Deleted.
        (JSC::FuncDeclNode::metadata): Deleted.
        (JSC::CaseClauseNode::expr const): Deleted.
        (JSC::CaseClauseNode::setStartOffset): Deleted.
        (JSC::ClauseListNode::getClause const): Deleted.
        (JSC::ClauseListNode::getNext const): Deleted.
        * runtime/ExceptionHelpers.cpp:
        * runtime/JSObject.cpp:

2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        JSON.stringify should emit non own properties if second array argument includes
        https://bugs.webkit.org/show_bug.cgi?id=187724

        Reviewed by Mark Lam.

        According to the spec[1], JSON.stringify needs to retrieve properties by using [[Get]],
        instead of [[GetOwnProperty]]. It means that we would look up properties defined
        in [[Prototype]] or upper objects in the prototype chain. While enumeration is done
        by using EnumerableOwnPropertyNames typically, we can pass a replacer array including
        property names which do not reside in the own properties. Or we can modify the
        own properties by deleting properties while JSON.stringify is calling a getter. So,
        using [[Get]] instead of [[GetOwnProperty]] is user-visible.

        This patch changes getOwnPropertySlot to getPropertySlot to align the behavior to the spec.
        The performance of Kraken/json-stringify-tinderbox is neutral.

        [1]: https://tc39.github.io/ecma262/#sec-serializejsonproperty

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::toJSONImpl):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Stringifier::Holder::appendNextProperty):

2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks
        https://bugs.webkit.org/show_bug.cgi?id=187755

        Reviewed by Mark Lam.

        JSON.stringify used `inherits<JSArray>(vm)` to determine whether the given replacer is an array replacer.
        But this is wrong. According to the spec, we should use `isArray`[1], which accepts Proxies. This difference
        makes one test262 test fail.

        This patch changes the code to use `isArray()`. And we reorder the evaluations of the replacer check and the indent space check
        to align these checks to the spec's order.

        [1]: https://tc39.github.io/ecma262/#sec-json.stringify

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):

2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable
        https://bugs.webkit.org/show_bug.cgi?id=187752

        Reviewed by Mark Lam.

        JSON.stringify has an implicit root wrapper object since we would like to call replacer
        with a wrapper object and a property name. While we always create this wrapper object,
        it is unnecessary if the given replacer is not callable.

        This patch removes wrapper object creation when a replacer is not callable to avoid unnecessary
        allocations. This change slightly improves the performance of Kraken/json-stringify-tinderbox.

                                           baseline                  patched

        json-stringify-tinderbox        39.730+-0.590      ^      38.853+-0.266         ^ definitely 1.0226x faster

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::isCallableReplacer const):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::appendStringifiedValue):

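The three JSON.stringify entries above (bugs 187724, 187755 and 187752) each describe a piece of spec-defined replacer behaviour that is observable from script: values are fetched with [[Get]], so a replacer array can pull in inherited names and a getter can remove siblings mid-serialization; array-ness of the replacer is decided by IsArray, which looks through Proxies; and a callable replacer is first invoked on an implicit root wrapper. The following is an added conformance check written for this page, not code from WebKit or from the entries' author. All inputs are constructed, and the expected strings follow from the spec steps the entries cite.

```javascript
// Added example (not WebKit code): observable JSON.stringify replacer semantics,
// checked from script. Every object, getter and Proxy below is constructed.

// 1. With a replacer array, each listed name is read with [[Get]], so a name that
//    lives on the prototype is serialized even though it is not an own property.
function inheritedViaReplacerArray() {
  const proto = { inherited: 1 };
  const obj = Object.create(proto);
  obj.own = 2;
  return {
    plain: JSON.stringify(obj),                        // own, enumerable keys only
    listed: JSON.stringify(obj, ['own', 'inherited']), // [[Get]] walks the chain
  };
}

// 2. The key list is fixed before any value is read, but values are read one at a
//    time, so a getter that deletes a sibling makes that sibling vanish from the
//    output: its [[Get]] now yields undefined, which the serializer skips.
function getterDeletesSibling() {
  const obj = {
    get x() { delete obj.y; return 1; },
    y: 2,
  };
  return JSON.stringify(obj, ['x', 'y']);
}

// 3. Whether the replacer is a property list is decided by IsArray, which sees
//    through a Proxy, so a Proxy wrapping an array acts as the list it wraps.
function proxyReplacerIsArray() {
  const list = new Proxy(['b'], {});
  return JSON.stringify({ a: 1, b: 2 }, list);
}

// 4. A callable replacer is first called with the empty key on a wrapper object
//    holding the root value, and only afterwards for the real properties.
function rootWrapperCalls() {
  const calls = [];
  JSON.stringify({ k: 1 }, function (key, value) {
    calls.push({ key, holderKeys: Object.keys(this) });
    return value;
  });
  return calls;
}

console.log(inheritedViaReplacerArray()); // { plain: '{"own":2}', listed: '{"own":2,"inherited":1}' }
console.log(getterDeletesSibling());      // '{"x":1}'
console.log(proxyReplacerIsArray());      // '{"b":2}'
console.log(rootWrapperCalls());          // [ { key: '', holderKeys: [''] }, { key: 'k', holderKeys: ['k'] } ]
```

The practical consequence of cases 1 and 2 is that JSON.stringify output is not a snapshot of an object's own data: getters on the object or its prototype chain run during serialization and can change what later keys produce, so code that serializes untrusted objects should not assume the result reflects only own properties.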
2018-07-18  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add jsc_context_check_syntax() to GLib API
        https://bugs.webkit.org/show_bug.cgi?id=187694

        Reviewed by Yusuke Suzuki.

        A new function to be able to check for syntax errors without actually evaluating the code.

        * API/glib/JSCContext.cpp:
        (jsc_context_check_syntax):
        * API/glib/JSCContext.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-17  Keith Miller  <keith_miller@apple.com>

        Revert r233630 since it broke internal wasm benchmarks
        https://bugs.webkit.org/show_bug.cgi?id=187746

        Unreviewed revert.

        This patch seems to have broken internal Wasm benchmarks. This
        issue is likely due to an underlying bug but let's roll out while
        we investigate.

        * bytecode/CodeType.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::codeType const):
        (JSC::UnlinkedCodeBlock::didOptimize const):
        (JSC::UnlinkedCodeBlock::setDidOptimize):
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::VirtualRegister):
        (): Deleted.

2018-07-17  Mark Lam  <mark.lam@apple.com>

        CodeBlock::baselineVersion() should account for executables with purged codeBlocks.
        https://bugs.webkit.org/show_bug.cgi?id=187736
        <rdar://problem/42114371>

        Reviewed by Michael Saboff.

        CodeBlock::baselineVersion() currently checks for a null replacement but does not
        account for the fact that the replacement can also be null due to the
        executable having been purged of its codeBlocks due to a memory event (see
        ExecutableBase::clearCode()).  This patch adds code to account for this.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::baselineVersion):

2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets
        https://bugs.webkit.org/show_bug.cgi?id=187709

        Reviewed by Mark Lam.

        UnlinkedCodeBlock::shrinkToFit accidentally misses m_constantIdentifierSets shrinking.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::shrinkToFit):

2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make SourceParseMode small
        https://bugs.webkit.org/show_bug.cgi?id=187705

        Reviewed by Mark Lam.

        Each SourceParseMode is distinct. So we do not need to make it a set-style (power of 2 style).
        Originally, this is done to make SourceParseModeSet faster because it is critical in our parser.
        But we can keep SourceParseModeSet fast by `1U << mode | set`. And we can make SourceParseMode
        within 5 bits. This reduces the size of UnlinkedCodeBlock from 288 to 280.

        * parser/ParserModes.h:
        (JSC::SourceParseModeSet::SourceParseModeSet):
        (JSC::SourceParseModeSet::contains):
        (JSC::SourceParseModeSet::mergeSourceParseModes):

2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Generator and AsyncGeneratorMethod's prototype is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=187585

        Reviewed by Darin Adler.

        This patch fixes Generator and AsyncGenerator's prototype issues.

        1. Generator's default prototype is incorrect when `generator.prototype = null` is performed.
        We fix this by changing JSFunction::prototypeForConstruction.

        2. AsyncGeneratorMethod is not handled. We change the name isAsyncGeneratorFunctionParseMode
        to isAsyncGeneratorWrapperParseMode since it is aligned to Generator's code. And use it well
        to fix `prototype` issues for AsyncGeneratorMethod.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
        (JSC::BytecodeGenerator::emitNewFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionMetadata):
        * parser/Parser.cpp:
        (JSC::getAsynFunctionBodyParseMode):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        * parser/ParserModes.h:
        (JSC::isAsyncGeneratorParseMode):
        (JSC::isAsyncGeneratorWrapperParseMode):
        (JSC::isAsyncGeneratorFunctionParseMode): Deleted.
        * runtime/FunctionExecutable.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::prototypeForConstruction):
        (JSC::JSFunction::getOwnPropertySlot):

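The behaviour the entry above fixes can be checked from script: when a generator function's `prototype` property is not an object, the generator object it produces must fall back to the realm's intrinsic %GeneratorPrototype% (the spec's GetPrototypeFromConstructor rule), and the same applies to async generator methods with %AsyncGeneratorPrototype%. The following is an added conformance check written for this page, not code from WebKit or the entry's author; the generator functions in it are constructed for the test.

```javascript
// Added example (not WebKit code): generator-object prototype rules, checked from
// script. The intrinsics are recovered from a throwaway generator of each kind.

const GeneratorPrototype = Object.getPrototypeOf(function* () {}).prototype;             // %GeneratorPrototype%
const AsyncGeneratorPrototype = Object.getPrototypeOf(async function* () {}).prototype; // %AsyncGeneratorPrototype%

// Normal case: the generator object's [[Prototype]] is the function's own .prototype.
function generatorUsesOwnPrototype() {
  function* gen() {}
  return Object.getPrototypeOf(gen()) === gen.prototype;
}

// Fallback case: once .prototype is replaced by a non-object, the realm's intrinsic
// %GeneratorPrototype% is used, so the object still has next/return/throw.
function generatorFallsBackToIntrinsic() {
  function* gen() {}
  gen.prototype = null;
  const g = gen();
  return Object.getPrototypeOf(g) === GeneratorPrototype && typeof g.next === 'function';
}

// The same rule applies to an async generator method, whose .prototype is also a
// plain writable property that script can replace.
function asyncGeneratorMethodFallsBack() {
  const o = { async *m() {} };
  const normal = Object.getPrototypeOf(o.m()) === o.m.prototype;
  o.m.prototype = null;
  const fallback = Object.getPrototypeOf(o.m()) === AsyncGeneratorPrototype;
  return normal && fallback;
}

console.log(generatorUsesOwnPrototype(), generatorFallsBackToIntrinsic(), asyncGeneratorMethodFallsBack());
```

An engine that gets the fallback wrong hands out a generator object whose prototype is something other than the intrinsic, which is exactly the kind of type confusion between what the parser/bytecode generator assumes and what the object really is that the entry's bytecompiler and JSFunction changes address.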
2018-07-16  Mark Lam  <mark.lam@apple.com>

        jsc shell's noFTL utility test function should be more robust.
        https://bugs.webkit.org/show_bug.cgi?id=187704
        <rdar://problem/42231988>

        Reviewed by Michael Saboff and Keith Miller.

        * jsc.cpp:
        (functionNoFTL):
        - only setNeverFTLOptimize() if the function is actually a JS function.

2018-07-15  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to evaluate code using a given object to store global symbols
        https://bugs.webkit.org/show_bug.cgi?id=187639

        Reviewed by Michael Catanzaro.

        Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the
        evaluated script are added as properties to the new object instead of to the context global object. This is
        similar to JS::Evaluate in SpiderMonkey when a scopeChain parameter is passed, but JSC doesn't support using a
        scope for assignments, so we have to create a new context and get its global object. This patch also updates
        jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new
        jsc_context_evaluate_in_object().

        * API/glib/JSCContext.cpp:
        (jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri().
        (evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef.
        (jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext().
        (jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension
        scope of it. Evaluate the script in the new context and get its global object to be returned as parameter.
        * API/glib/JSCContext.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [32bit JSC tests] stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing
        https://bugs.webkit.org/show_bug.cgi?id=187561

        Reviewed by Darin Adler.

        This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code.
        We clean up 32bit put_by_val code.

        1. We remove inline out-of-bounds recording code since it is done in C operation code. This change
        aligns 32bit implementation to 64bit implementation.

        2. We add CoW array checking, which is done in 64bit implementation.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):

2018-07-12  Mark Lam  <mark.lam@apple.com>

        Need to handle CodeBlock::replacement() being null.
        https://bugs.webkit.org/show_bug.cgi?id=187569
        <rdar://problem/41468692>

        Reviewed by Saam Barati.

        CodeBlock::replacement() may return a nullptr.  Some of our code already checks
        for this while others do not.  We should add null checks in all the places that
        need it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::numberOfDFGCompiles):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGOperations.cpp:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        * jit/JITOperations.cpp:

2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Thread VM& to JSCell::methodTable(VM&)
        https://bugs.webkit.org/show_bug.cgi?id=187548

        Reviewed by Saam Barati.

        This patch threads VM& to methodTable(VM&) and removes methodTable().
        We add a VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.

        * API/APICast.h:
        (toJS):
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::className):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::estimatedSize):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::estimatedSize):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::className):
        * debugger/DebuggerScope.h:
        * heap/Heap.cpp:
        (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
        (JSC::GatherHeapSnapshotData::operator() const):
        (JSC::Heap::gatherExtraHeapSnapshotData):
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        * runtime/ClassInfo.h:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::estimatedSize):
        * runtime/DirectArguments.h:
        * runtime/HashMapImpl.cpp:
        (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
        * runtime/HashMapImpl.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::estimatedSize):
        * runtime/JSArrayBuffer.h:
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::estimatedSize):
        * runtime/JSBigInt.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::dump const):
        (JSC::JSCell::estimatedSizeInBytes const):
        (JSC::JSCell::estimatedSize):
        (JSC::JSCell::className):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
        * runtime/JSObject.cpp:
        (JSC::JSObject::estimatedSize):
        (JSC::JSObject::className):
        (JSC::JSObject::toStringName):
        (JSC::JSObject::calculatedClassName):
        * runtime/JSObject.h:
684         * runtime/JSProxy.cpp:
685         (JSC::JSProxy::className):
686         * runtime/JSProxy.h:
687         * runtime/JSString.cpp:
688         (JSC::JSString::estimatedSize):
689         * runtime/JSString.h:
690         * runtime/RegExp.cpp:
691         (JSC::RegExp::estimatedSize):
692         * runtime/RegExp.h:
693         * runtime/WeakMapImpl.cpp:
694         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
695         * runtime/WeakMapImpl.h:
696
697 2018-07-11  Commit Queue  <commit-queue@webkit.org>
698
699         Unreviewed, rolling out r233714.
700         https://bugs.webkit.org/show_bug.cgi?id=187579
701
702         it made tests time out (Requested by pizlo on #webkit).
703
704         Reverted changeset:
705
706         "Change the reoptimization backoff base to 1.3 from 2"
707         https://bugs.webkit.org/show_bug.cgi?id=187540
708         https://trac.webkit.org/changeset/233714
709
710 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
711
712         [GLIB] Add API to allow creating variadic functions
713         https://bugs.webkit.org/show_bug.cgi?id=187517
714
715         Reviewed by Michael Catanzaro.
716
717         Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
718         jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.
719
720         * API/glib/JSCCallbackFunction.cpp:
721         (JSC::JSCCallbackFunction::create): Make the parameters optional.
722         (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
723         (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
724         JSCValue for the arguments.
725         (JSC::JSCCallbackFunction::construct): Ditto.
726         * API/glib/JSCCallbackFunction.h:
727         * API/glib/JSCClass.cpp:
728         (jscClassCreateConstructor): Make the parameters optional.
729         (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
730         (jscClassAddMethod): Make the parameters optional.
731         (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
732         * API/glib/JSCClass.h:
733         * API/glib/JSCValue.cpp:
734         (jsc_value_object_define_property_accessor): Update now that parameters are optional.
735         (jscValueFunctionCreate): Make the parameters optional.
736         (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
737         * API/glib/JSCValue.h:
738         * API/glib/docs/jsc-glib-4.0-sections.txt:
739
740 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
741
742         [GLIB] Add jsc_context_get_global_object() to GLib API
743         https://bugs.webkit.org/show_bug.cgi?id=187515
744
745         Reviewed by Michael Catanzaro.
746
747         This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
748         object. However, getting the global object could be useful in some cases, for example to give it a well known
749         name like 'window' in browsers and GJS.
750
751         * API/glib/JSCContext.cpp:
752         (jsc_context_get_global_object):
753         * API/glib/JSCContext.h:
754         * API/glib/docs/jsc-glib-4.0-sections.txt:
755
756 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
757
758         [GLIB] Handle G_TYPE_STRV in glib API
759         https://bugs.webkit.org/show_bug.cgi?id=187512
760
761         Reviewed by Michael Catanzaro.
762
763         Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.
764
765         * API/glib/JSCContext.cpp:
766         (jscContextGValueToJSValue):
767         (jscContextJSValueToGValue):
768         * API/glib/JSCValue.cpp:
769         (jsc_value_new_array_from_strv):
770         * API/glib/JSCValue.h:
771         * API/glib/docs/jsc-glib-4.0-sections.txt:
772
773 2018-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>
774
775         Iterator of Array.keys() returns object in wrong order
776         https://bugs.webkit.org/show_bug.cgi?id=185197
777
778         Reviewed by Keith Miller.
779
780         * builtins/ArrayIteratorPrototype.js:
781         (globalPrivate.arrayIteratorValueNext):
782         (globalPrivate.arrayIteratorKeyNext):
783         (globalPrivate.arrayIteratorKeyValueNext):
784         * builtins/AsyncFromSyncIteratorPrototype.js:
785         * builtins/AsyncGeneratorPrototype.js:
786         (globalPrivate.asyncGeneratorResolve):
787         * builtins/GeneratorPrototype.js:
788         (globalPrivate.generatorResume):
789         * builtins/MapIteratorPrototype.js:
790         (globalPrivate.mapIteratorNext):
791         * builtins/SetIteratorPrototype.js:
792         (globalPrivate.setIteratorNext):
793         * builtins/StringIteratorPrototype.js:
794         (next):
795         * runtime/IteratorOperations.cpp:
796         (JSC::createIteratorResultObjectStructure):
797         (JSC::createIteratorResultObject):
798
799 2018-07-10  Mark Lam  <mark.lam@apple.com>
800
801         constructArray() should always allocate the requested length.
802         https://bugs.webkit.org/show_bug.cgi?id=187543
803         <rdar://problem/41947884>
804
805         Reviewed by Saam Barati.
806
807         Currently, it does not when we're having a bad time.  We fix this by switching
808         back to using tryCreateUninitializedRestricted() exclusively in constructArray().
809         If we detect that a structure transition is possible before we can initialize
810         the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
811         We will introduce JSArray::eagerlyInitializeButterfly() to handle this.
812
813         Also enhanced the DisallowScope and ObjectInitializationScope to support this
814         eager initialization when needed.
815
816         * dfg/DFGOperations.cpp:
817         - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
818           the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
819           it clearer that we encountered an OutOfMemory condition instead of failing in FTL
820           generated code, which will appear as a generic null pointer dereference.
821
822         * runtime/ArrayPrototype.cpp:
823         (JSC::concatAppendOne):
824         - the code here clearly wants to check for an allocation failure.  Switched to
825           using JSArray::tryCreate() instead of JSArray::create().
826
827         * runtime/DisallowScope.h:
828         (JSC::DisallowScope::disable):
829         * runtime/JSArray.cpp:
830         (JSC::JSArray::tryCreateUninitializedRestricted):
831         (JSC::JSArray::eagerlyInitializeButterfly):
832         (JSC::constructArray):
833         * runtime/JSArray.h:
834         * runtime/ObjectInitializationScope.cpp:
835         (JSC::ObjectInitializationScope::notifyInitialized):
836         * runtime/ObjectInitializationScope.h:
837         (JSC::ObjectInitializationScope::notifyInitialized):
838
839 2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
840
841         [JSC] Remove getTypedArrayImpl
842         https://bugs.webkit.org/show_bug.cgi?id=187338
843
844         Reviewed by Mark Lam.
845
846         getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
847         is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
848         This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.
849
850         * runtime/ClassInfo.h:
851         * runtime/GenericTypedArrayView.h:
852         (JSC::GenericTypedArrayView::data const): Deleted.
853         (JSC::GenericTypedArrayView::set): Deleted.
854         (JSC::GenericTypedArrayView::setRange): Deleted.
855         (JSC::GenericTypedArrayView::zeroRange): Deleted.
856         (JSC::GenericTypedArrayView::zeroFill): Deleted.
857         (JSC::GenericTypedArrayView::length const): Deleted.
858         (JSC::GenericTypedArrayView::item const): Deleted.
859         (JSC::GenericTypedArrayView::set const): Deleted.
860         (JSC::GenericTypedArrayView::setNative const): Deleted.
861         (JSC::GenericTypedArrayView::getRange): Deleted.
862         (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
863         (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
864         * runtime/JSArrayBufferView.cpp:
865         (JSC::JSArrayBufferView::possiblySharedImpl):
866         * runtime/JSArrayBufferView.h:
867         * runtime/JSArrayBufferViewInlines.h:
868         (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
869         * runtime/JSCell.cpp:
870         (JSC::JSCell::getTypedArrayImpl): Deleted.
871         * runtime/JSCell.h:
872         * runtime/JSDataView.cpp:
873         (JSC::JSDataView::getTypedArrayImpl): Deleted.
874         * runtime/JSDataView.h:
875         * runtime/JSGenericTypedArrayView.h:
876         * runtime/JSGenericTypedArrayViewInlines.h:
877         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.
878
879 2018-07-10  Keith Miller  <keith_miller@apple.com>
880
881         hasOwnProperty returns true for out of bounds property index on TypedArray
882         https://bugs.webkit.org/show_bug.cgi?id=187520
883
884         Reviewed by Saam Barati.
885
886         * runtime/JSGenericTypedArrayViewInlines.h:
887         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
888
889 2018-07-10  Michael Saboff  <msaboff@apple.com>
890
891         DFG JIT: compileMathIC produces incorrect machine code
892         https://bugs.webkit.org/show_bug.cgi?id=187537
893
894         Reviewed by Saam Barati.
895
896         Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
897         fall back to the fast path generator which handles such cases.
898
899         * jit/JITMulGenerator.cpp:
900         (JSC::JITMulGenerator::generateInline):
901
902 2018-07-10  Filip Pizlo  <fpizlo@apple.com>
903
904         Change the reoptimization backoff base to 1.3 from 2
905         https://bugs.webkit.org/show_bug.cgi?id=187540
906
907         Reviewed by Saam Barati.
908         
909         I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
910         
911         I also have data that hints that a backoff base of 1 might be even better, but I think that
912         we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.
913
914         * bytecode/CodeBlock.cpp:
915         (JSC::CodeBlock::reoptimizationRetryCounter const):
916         (JSC::CodeBlock::countReoptimization):
917         (JSC::CodeBlock::adjustedCounterValue):
918         * runtime/Options.cpp:
919         (JSC::recomputeDependentOptions):
920         * runtime/Options.h:
921
922 2018-07-10  Mark Lam  <mark.lam@apple.com>
923
924         [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
925         https://bugs.webkit.org/show_bug.cgi?id=187362
926         <rdar://problem/42027210>
927
928         Reviewed by Saam Barati.
929
930         On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
931         value to use for initializing unused properties.  Updated an assertion to account
932         for this.
933
934         * runtime/ObjectInitializationScope.cpp:
935         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
936
937 2018-07-10  Michael Saboff  <msaboff@apple.com>
938
939         YARR: . doesn't match non-BMP Unicode characters in some cases
940         https://bugs.webkit.org/show_bug.cgi?id=187248
941
942         Reviewed by Geoffrey Garen.
943
944         The safety check in optimizeAlternative() for moving character classes that only consist of BMP
945         characters did not take into account that the character class is inverted.  In this case, we
946         represent '.' as "not a newline" using the newline character class with an inverted check.
947         Clearly that includes non-BMP characters.
948
949         The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
950         inverted use of that character class.
951
952         * yarr/YarrJIT.cpp:
953         (JSC::Yarr::YarrGenerator::optimizeAlternative):
954
955 2018-07-09  Mark Lam  <mark.lam@apple.com>
956
957         Add --traceLLIntExecution and --traceLLIntSlowPath options.
958         https://bugs.webkit.org/show_bug.cgi?id=187479
959
960         Reviewed by Yusuke Suzuki and Saam Barati.
961
962         These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.
963
964         The details:
965         1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
966         2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
967            This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
968            continually spammed with logging until we rebuild.
969         3. Fixed slow path LLINT tracing to work with exception check validation.
970
971         * llint/LLIntCommon.h:
972         * llint/LLIntExceptions.cpp:
973         (JSC::LLInt::returnToThrow):
974         (JSC::LLInt::callToThrow):
975         * llint/LLIntOfflineAsmConfig.h:
976         * llint/LLIntSlowPaths.cpp:
977         (JSC::LLInt::slowPathLog):
978         (JSC::LLInt::slowPathLn):
979         (JSC::LLInt::slowPathLogF):
980         (JSC::LLInt::slowPathLogLn):
981         (JSC::LLInt::llint_trace_operand):
982         (JSC::LLInt::llint_trace_value):
983         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
984         (JSC::LLInt::traceFunctionPrologue):
985         (JSC::LLInt::handleHostCall):
986         (JSC::LLInt::setUpCall):
987         * llint/LLIntSlowPaths.h:
988         * llint/LowLevelInterpreter.asm:
989         * runtime/CommonSlowPathsExceptions.cpp:
990         (JSC::CommonSlowPaths::interpreterThrowInCaller):
991         * runtime/Options.cpp:
992         (JSC::Options::isAvailable):
993         * runtime/Options.h:
994
995 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
996
997         [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
998         https://bugs.webkit.org/show_bug.cgi?id=187477
999
1000         Reviewed by Mark Lam.
1001
1002         Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
1003         However, it is not necessary since JSCells can reside in a constant buffer.
1004         This patch embeds RegExp* into a constant buffer in UnlinkedCodeBlock and CodeBlock, and removes the RegExp
1005         vector from RareData.
1006
1007         We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.
1008
1009         * bytecode/BytecodeDumper.cpp:
1010         (JSC::BytecodeDumper<Block>::dumpBytecode):
1011         (JSC::BytecodeDumper<Block>::dumpBlock):
1012         (JSC::regexpToSourceString): Deleted.
1013         (JSC::regexpName): Deleted.
1014         (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
1015         * bytecode/BytecodeDumper.h:
1016         * bytecode/CodeBlock.h:
1017         (JSC::CodeBlock::regexp const): Deleted.
1018         (JSC::CodeBlock::numberOfRegExps const): Deleted.
1019         * bytecode/UnlinkedCodeBlock.cpp:
1020         (JSC::UnlinkedCodeBlock::visitChildren):
1021         (JSC::UnlinkedCodeBlock::shrinkToFit):
1022         * bytecode/UnlinkedCodeBlock.h:
1023         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
1024         (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
1025         (JSC::UnlinkedCodeBlock::regexp const): Deleted.
1026         * bytecompiler/BytecodeGenerator.cpp:
1027         (JSC::BytecodeGenerator::emitNewRegExp):
1028         (JSC::BytecodeGenerator::addRegExp): Deleted.
1029         * bytecompiler/BytecodeGenerator.h:
1030         * dfg/DFGByteCodeParser.cpp:
1031         (JSC::DFG::ByteCodeParser::parseBlock):
1032         * jit/JITOpcodes.cpp:
1033         (JSC::JIT::emit_op_new_regexp):
1034         * llint/LLIntSlowPaths.cpp:
1035         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1036         * runtime/JSCJSValue.cpp:
1037         (JSC::JSValue::dumpInContextAssumingStructure const):
1038         * runtime/RegExp.cpp:
1039         (JSC::regexpToSourceString):
1040         (JSC::RegExp::dumpToStream):
1041         * runtime/RegExp.h:
1042
1043 2018-07-09  Brian Burg  <bburg@apple.com>
1044
1045         REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
1046         https://bugs.webkit.org/show_bug.cgi?id=187350
1047         <rdar://problem/41728249>
1048
1049         Reviewed by Matt Baker.
1050
1051         Add a new command that toggles whether or not to blackbox internal scripts.
1052         If blackboxed, the scripts will not be shown to the frontend and the debugger will
1053         not pause in source frames from blackboxed scripts. Sometimes we want to break into
1054         those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
1055         that injects scripts.
1056
1057         * inspector/agents/InspectorDebuggerAgent.cpp:
1058         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
1059         (Inspector::InspectorDebuggerAgent::didParseSource):
1060         * inspector/agents/InspectorDebuggerAgent.h:
1061         * inspector/protocol/Debugger.json:
1062
1063 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1064
1065         [JSC] Make some data members of UnlinkedCodeBlock private
1066         https://bugs.webkit.org/show_bug.cgi?id=187467
1067
1068         Reviewed by Mark Lam.
1069
1070         This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
1071         We also remove m_numCapturedVars since it is no longer used.
1072
1073         * bytecode/CodeBlock.cpp:
1074         (JSC::CodeBlock::CodeBlock):
1075         * bytecode/CodeBlock.h:
1076         * bytecode/UnlinkedCodeBlock.cpp:
1077         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1078         * bytecode/UnlinkedCodeBlock.h:
1079
1080 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1081
1082         [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
1083         https://bugs.webkit.org/show_bug.cgi?id=187465
1084
1085         Reviewed by Keith Miller.
1086
1087         ProxyableAccessCase is allocated so frequently and it persists so long. Reducing the size
1088         of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.
1089
1090         This patch uses a slightly complicated layout to reduce ProxyableAccessCase. We add an unused bool member
1091         in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
1092         of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
1093         from 104 to 96 since it inherits ProxyableAccessCase.
1094
1095         * bytecode/AccessCase.h:
1096         (JSC::AccessCase::viaProxy const):
1097         (JSC::AccessCase::AccessCase):
1098         * bytecode/ProxyableAccessCase.cpp:
1099         (JSC::ProxyableAccessCase::ProxyableAccessCase):
1100         * bytecode/ProxyableAccessCase.h:
1101
1102 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1103
1104         Unreviewed, build fix for debug builds after r233630
1105         https://bugs.webkit.org/show_bug.cgi?id=187441
1106
1107         * jit/JIT.cpp:
1108         (JSC::JIT::frameRegisterCountFor):
1109         * llint/LLIntEntrypoint.cpp:
1110         (JSC::LLInt::frameRegisterCountFor):
1111
1112 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1113
1114         [JSC] Optimize layout of CodeBlock to reduce padding
1115         https://bugs.webkit.org/show_bug.cgi?id=187441
1116
1117         Reviewed by Mark Lam.
1118
1119         Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
1120         We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
1121         Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.
1122
1123         We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.
1124
1125         * bytecode/BytecodeDumper.cpp:
1126         (JSC::BytecodeDumper<Block>::dumpBlock):
1127         * bytecode/BytecodeUseDef.h:
1128         (JSC::computeDefsForBytecodeOffset):
1129         * bytecode/CodeBlock.cpp:
1130         (JSC::CodeBlock::CodeBlock):
1131         * bytecode/CodeBlock.h:
1132         (JSC::CodeBlock::numVars const):
1133         * bytecode/UnlinkedCodeBlock.h:
1134         (JSC::UnlinkedCodeBlock::numVars const):
1135         * dfg/DFGByteCodeParser.cpp:
1136         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1137         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
1138         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1139         (JSC::DFG::ByteCodeParser::inlineCall):
1140         (JSC::DFG::ByteCodeParser::handleGetById):
1141         (JSC::DFG::ByteCodeParser::handlePutById):
1142         (JSC::DFG::ByteCodeParser::parseBlock):
1143         * dfg/DFGGraph.h:
1144         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
1145         * dfg/DFGOSREntrypointCreationPhase.cpp:
1146         (JSC::DFG::OSREntrypointCreationPhase::run):
1147         * dfg/DFGVariableEventStream.cpp:
1148         (JSC::DFG::VariableEventStream::reconstruct const):
1149         * ftl/FTLOSREntry.cpp:
1150         (JSC::FTL::prepareOSREntry):
1151         * ftl/FTLState.cpp:
1152         (JSC::FTL::State::State):
1153         * interpreter/Interpreter.cpp:
1154         (JSC::Interpreter::dumpRegisters):
1155         * jit/JIT.cpp:
1156         (JSC::JIT::frameRegisterCountFor):
1157         * jit/JITOpcodes.cpp:
1158         (JSC::JIT::emit_op_enter):
1159         * jit/JITOpcodes32_64.cpp:
1160         (JSC::JIT::emit_op_enter):
1161         * jit/JITOperations.cpp:
1162         * llint/LLIntEntrypoint.cpp:
1163         (JSC::LLInt::frameRegisterCountFor):
1164         * llint/LLIntSlowPaths.cpp:
1165         (JSC::LLInt::traceFunctionPrologue):
1166         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1167         * runtime/JSCJSValue.h:
1168
1169 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1170
1171         [JSC] Optimize padding of UnlinkedCodeBlock to shrink
1172         https://bugs.webkit.org/show_bug.cgi?id=187448
1173
1174         Reviewed by Saam Barati.
1175
1176         We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
1177         These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.
1178
1179         * bytecode/CodeType.h:
1180         * bytecode/UnlinkedCodeBlock.cpp:
1181         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1182         * bytecode/UnlinkedCodeBlock.h:
1183         (JSC::UnlinkedCodeBlock::codeType const):
1184         (JSC::UnlinkedCodeBlock::didOptimize const):
1185         (JSC::UnlinkedCodeBlock::setDidOptimize):
1186         * bytecode/VirtualRegister.h:
1187
1188 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1189
1190         [JSC] Optimize padding of InferredTypeTable by using cellLock
1191         https://bugs.webkit.org/show_bug.cgi?id=187447
1192
1193         Reviewed by Mark Lam.
1194
1195         Use cellLock() in InferredTypeTable to guard changes of internal structures.
1196         This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
1197         reduce the size of InferredTypeTable from 40 to 32.
1198
1199         * runtime/InferredTypeTable.cpp:
1200         (JSC::InferredTypeTable::visitChildren):
1201         (JSC::InferredTypeTable::get):
1202         (JSC::InferredTypeTable::willStoreValue):
1203         (JSC::InferredTypeTable::makeTop):
1204         * runtime/InferredTypeTable.h:
1205         Using enum class and using. And remove `isEmpty()` since it is not used.
1206
1207         * runtime/Structure.h:
1208
1209 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1210
1211         [JSC] Optimize layout of SourceProvider to reduce padding
1212         https://bugs.webkit.org/show_bug.cgi?id=187440
1213
1214         Reviewed by Mark Lam.
1215
1216         Arrange members of SourceProvider to reduce the size from 80 to 72.
1217
1218         * parser/SourceProvider.cpp:
1219         (JSC::SourceProvider::SourceProvider):
1220         * parser/SourceProvider.h:
1221
1222 2018-07-08  Mark Lam  <mark.lam@apple.com>
1223
1224         PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
1225         https://bugs.webkit.org/show_bug.cgi?id=187444
1226         <rdar://problem/41282849>
1227
1228         Reviewed by Saam Barati.
1229
1230         PropertyTable supports C++ iteration by offering begin() and end() methods, and
1231         an iterator class.  The begin() methods and the iterator operator++() method use
1232         PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
1233         However, PropertyTable::skipDeletedEntries() does not prevent the iteration
1234         pointer from being incremented past the end of the table.  As a result, we can
1235         iterate past the end of the table.  Note that the C++ iteration protocol tests
1236         for the iterator not being equal to the end() value.  It does not do a <= test.
1237         If the iterator ever shoots past end, the loop will effectively not terminate.
1238
1239         This issue can manifest if and only if the last entry in the table is a deleted
1240         one, and the key field of the PropertyMapEntry shaped space at the end of the
1241         table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
1242         value.
1243
1244         No test because manifesting this issue requires uncontrollable happenstance where
1245         memory just beyond the end of the table looks like a deleted entry.
1246
1247         * runtime/PropertyMapHashTable.h:
1248         (JSC::PropertyTable::begin):
1249         (JSC::PropertyTable::end):
1250         (JSC::PropertyTable::begin const):
1251         (JSC::PropertyTable::end const):
1252         (JSC::PropertyTable::skipDeletedEntries):
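
The failure mode described in the entry above (a skip-deleted-entries loop that is not bounded by end(), so a tombstone in the last slot plus a tombstone-looking word just past the table lets the iterator overshoot and the `!= end()` loop never terminate) is shown below in a simplified model. This is an added example, not JSC's PropertyTable code: the `Entry` struct, the `kDeletedKey` constant standing in for PROPERTY_MAP_DELETED_ENTRY_KEY, the `Fixture` and the two `skipDeletedEntries*` functions are all constructed for illustration. The unbounded variant is driven onto a controlled "beyond the table" slot with a stopper after it so the demonstration stays well-defined; in a real table that read would be out of bounds.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified model (added example, not JSC's PropertyTable).
// key == 1 marks a deleted slot, mirroring the PROPERTY_MAP_DELETED_ENTRY_KEY
// value mentioned in the ChangeLog entry; key == 0 is an unused slot.
struct Entry {
    uintptr_t key;   // 0 = unused, 1 = deleted tombstone, > 1 = live key
    int value;
};

static constexpr uintptr_t kDeletedKey = 1;

// The unbounded skip: stops only when a non-deleted key is found, so when the
// last slot is a tombstone and the word just beyond the table also holds 1 the
// returned pointer lies past end(), and a `!= end()` loop no longer terminates.
static Entry* skipDeletedEntriesUnbounded(Entry* p)
{
    while (p->key == kDeletedKey)
        ++p;
    return p;
}

// Hardened skip: bounded by `end`, so the iterator can never move past end()
// regardless of what the memory beyond the table happens to contain.
static Entry* skipDeletedEntriesBounded(Entry* p, Entry* end)
{
    while (p < end && p->key == kDeletedKey)
        ++p;
    return p;
}

// Constructed test data: a 4-slot table followed by two extra slots that stand
// in for "memory just beyond the end of the table".
struct Fixture {
    std::vector<Entry> storage;
    size_t tableSize;
    Entry* begin() { return storage.data(); }
    Entry* end() { return storage.data() + tableSize; }
};

static Fixture makeFixture()
{
    Fixture f;
    f.tableSize = 4;
    f.storage = {
        { 10, 100 },           // live
        { kDeletedKey, 0 },    // deleted
        { 20, 200 },           // live
        { kDeletedKey, 0 },    // deleted: the last entry is a tombstone
        { kDeletedKey, 0 },    // beyond the table, but looks like a tombstone
        { 0, 0 },              // stopper so this example stays well-defined
    };
    return f;
}

// Number of slots past end() that the unbounded skip lands on when started
// from the last (deleted) slot.
static long unboundedOvershoot()
{
    Fixture f = makeFixture();
    Entry* p = skipDeletedEntriesUnbounded(f.end() - 1);
    return p - f.end();
}

// The bounded skip stops exactly at end() from the same starting point.
static long boundedOvershoot()
{
    Fixture f = makeFixture();
    Entry* p = skipDeletedEntriesBounded(f.end() - 1, f.end());
    return p - f.end();
}

// A begin()/end() loop in the usual C++ iteration style, built on the bounded
// skip: it visits only the live entries and terminates.
static int sumLiveValues()
{
    Fixture f = makeFixture();
    int sum = 0;
    for (Entry* it = skipDeletedEntriesBounded(f.begin(), f.end()); it != f.end();
         it = skipDeletedEntriesBounded(it + 1, f.end()))
        sum += it->value;
    return sum;
}

int main()
{
    std::printf("unbounded overshoot: %ld slot(s)\n", unboundedOvershoot());
    std::printf("bounded overshoot:   %ld slot(s)\n", boundedOvershoot());
    std::printf("sum of live values:  %d\n", sumLiveValues());
    return 0;
}
```

The point for reviewers of any tombstone-skipping iterator is in the bounded loop condition: the end check has to come before the key compare, because the key compare is itself the out-of-bounds read. As the entry notes, the bug is hard to reproduce deliberately since it depends on what happens to sit after the allocation, which is exactly why the bound belongs in the code rather than in a test.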
1253
1254 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1255
1256         [JSC] Optimize layout of SymbolTable to reduce padding
1257         https://bugs.webkit.org/show_bug.cgi?id=187437
1258
1259         Reviewed by Mark Lam.
1260
1261         Arrange the layout of SymbolTable to reduce the size from 88 to 72.
1262
1263         * runtime/SymbolTable.h:
1264
1265 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1266
1267         [JSC] Optimize layout of RegExp to reduce padding
1268         https://bugs.webkit.org/show_bug.cgi?id=187438
1269
1270         Reviewed by Mark Lam.
1271
1272         Reduce the size of RegExp from 168 to 144.
1273
1274         * runtime/RegExp.cpp:
1275         (JSC::RegExp::RegExp):
1276         * runtime/RegExp.h:
1277         * runtime/RegExpKey.h:
1278         * yarr/YarrErrorCode.h:
1279
1280 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1281
1282         [JSC] Optimize layout of ValueProfile to reduce padding
1283         https://bugs.webkit.org/show_bug.cgi?id=187439
1284
1285         Reviewed by Mark Lam.
1286
1287         Reduce the size of ValueProfile from 40 to 32 by reordering members.
1288
1289         * bytecode/ValueProfile.h:
1290         (JSC::ValueProfileBase::ValueProfileBase):
1291
1292 2018-07-05  Saam Barati  <sbarati@apple.com>
1293
1294         ProgramExecutable may be collected as we checkSyntax on it
1295         https://bugs.webkit.org/show_bug.cgi?id=187359
1296         <rdar://problem/41832135>
1297
1298         Reviewed by Mark Lam.
1299
1300         The bug was that we were passing in a reference to the SourceCode field on ProgramExecutable as
1301         the ProgramExecutable itself may be collected. The fix here is to make a copy
1302         of the field instead of passing in a reference inside of ParserError::toErrorObject.
1303         
1304         No new tests here as this was already caught by our iOS JSC testers.
1305
1306         * parser/ParserError.h:
1307         (JSC::ParserError::toErrorObject):
1308
1309 2018-07-04  Tim Horton  <timothy_horton@apple.com>
1310
1311         Introduce PLATFORM(IOSMAC)
1312         https://bugs.webkit.org/show_bug.cgi?id=187315
1313
1314         Reviewed by Dan Bernstein.
1315
1316         * Configurations/Base.xcconfig:
1317         * Configurations/FeatureDefines.xcconfig:
1318
1319 2018-07-03  Mark Lam  <mark.lam@apple.com>
1320
1321         [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
1322         https://bugs.webkit.org/show_bug.cgi?id=187255
1323         <rdar://problem/41785257>
1324
1325         Reviewed by Saam Barati.
1326
1327         The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
1328         too: basically, do what the 64-bit code is doing.  At present, this change only
1329         serves to pacify an assertion.  It is not needed for correctness because the
1330         concurrent GC is not used on 32-bit builds.
1331
1332         This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
1333         test.
1334
1335         * jit/JITOpcodes32_64.cpp:
1336         (JSC::JIT::emit_op_create_this):
1337
1338 2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1339
1340         [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
1341         https://bugs.webkit.org/show_bug.cgi?id=187290
1342
1343         Reviewed by Saam Barati.
1344
1345         slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
1346         we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
1347         is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
1348         easily calculated from JSType.
1349         This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.
1350
1351         * runtime/ClassInfo.h:
1352         * runtime/JSArrayBufferView.cpp:
1353         (JSC::elementSize):
1354         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
1355         * runtime/JSArrayBufferView.h:
1356         * runtime/JSArrayBufferViewInlines.h:
1357         (JSC::JSArrayBufferView::possiblySharedBuffer):
1358         * runtime/JSCell.cpp:
1359         (JSC::JSCell::slowDownAndWasteMemory): Deleted.
1360         * runtime/JSCell.h:
1361         * runtime/JSDataView.cpp:
1362         (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
1363         * runtime/JSDataView.h:
1364         * runtime/JSGenericTypedArrayView.h:
1365         * runtime/JSGenericTypedArrayViewInlines.h:
1366         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.
1367
1368 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1369
1370         Regular expressions with ".?" expressions at the start and the end match the entire string
1371         https://bugs.webkit.org/show_bug.cgi?id=119191
1372
1373         Reviewed by Michael Saboff.
1374
1375         r90962 optimized regular expressions in the form of /.*abc.*/ by looking
1376         for "abc" first and then processing the leading and trailing dot stars
1377         to find the beginning and the end of the match. However, it erroneously
1378         enabled this optimization for regular expressions whose leading or
1379         trailing dots had quantifiers that were not of arbitrary length, e.g.,
1380         /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
1381         match the entire string when it shouldn't. This patch disables the
1382         optimization for those cases.
1383
1384         * yarr/YarrPattern.cpp:
1385         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
1386
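As an added illustration of the condition this entry describes (not code from Yarr or from the patch), the following constructed C++ model compares what the r90962 fast path assumes with what a bounded leading or trailing quantifier actually requires. The names (`dotStarWrappedFastPath`, `dotWrappedReferenceMatch`, `fastPathIsSafe`, `unbounded`) are ours; the model covers single-line input where `.` matches every character, greedy quantifiers, and a non-empty literal.

```cpp
#include <algorithm>
#include <cstddef>
#include <limits>
#include <string>

// Constructed model of a pattern of the form /.{0,leadMax}LITERAL.{0,trailMax}/ with greedy
// quantifiers, on single-line input. Names are ours, not Yarr's.
static const size_t unbounded = std::numeric_limits<size_t>::max();

struct Span { size_t start; size_t end; bool matched; };  // half-open [start, end)

// What the optimization assumed: both dot quantifiers are unbounded, so once the literal
// occurs anywhere the match is the entire input.
Span dotStarWrappedFastPath(const std::string& input, const std::string& literal) {
    if (input.find(literal) == std::string::npos) return { 0, 0, false };
    return { 0, input.size(), true };
}

// The semantics a backtracking engine honours when the quantifiers may be bounded.
Span dotWrappedReferenceMatch(const std::string& input, const std::string& literal,
                              size_t leadMax, size_t trailMax) {
    size_t firstPos = input.find(literal);
    if (firstPos == std::string::npos) return { 0, 0, false };
    // Leftmost start position from which the literal is reachable within leadMax characters.
    size_t start = (leadMax == unbounded || leadMax >= firstPos) ? 0 : firstPos - leadMax;
    // A greedy leading quantifier backtracks from the longest prefix, so it settles on the
    // last occurrence of the literal that is still reachable from start.
    size_t window = input.size() - start;
    size_t limit = (leadMax == unbounded || leadMax >= window) ? std::string::npos : start + leadMax;
    size_t usedPos = input.rfind(literal, limit);
    size_t afterLiteral = usedPos + literal.size();
    // The greedy trailing quantifier takes at most trailMax of the remaining characters.
    size_t end = afterLiteral + std::min(trailMax, input.size() - afterLiteral);
    return { start, end, true };
}

// The fast path agrees with the reference semantics for every input only when both
// quantifiers are of arbitrary length; that is the condition the patch now enforces.
bool fastPathIsSafe(size_t leadMax, size_t trailMax) {
    return leadMax == unbounded && trailMax == unbounded;
}
```

For `/.?abc.*/` on "xxabcyy" the reference match is "xabcyy" (start 1), while the fast path would report the whole string; for `/.*abc.*/` the two agree.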
1387 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1388
1389         RegExp.exec returns wrong value with a long integer quantifier
1390         https://bugs.webkit.org/show_bug.cgi?id=187042
1391
1392         Reviewed by Saam Barati.
1393
1394         Prior to this patch, the Yarr parser checked for integer overflow when
1395         parsing quantifiers in regular expressions by adding one digit at a time
1396         to a number and checking if the result got larger. This is wrong;
1397         the parser would fail to detect overflow when parsing, for example,
1398         10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.
1399
1400         Another issue was that once it detected overflow, it stopped consuming
1401         the remaining digits. Since it didn't find the closing bracket, it
1402         parsed the quantifier as a normal string instead.
1403
1404         This patch fixes these issues by reading all the digits and checking for
1405         overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
1406         returns the largest possible value (quantifyInfinite in this case). This
1407         matches Chrome [1], Firefox [2], and Edge [3].
1408
1409         [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
1410         [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
1411         [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149
1412
1413         * yarr/YarrParser.h:
1414         (JSC::Yarr::Parser::consumeNumber):
1415
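As an added example (not the Yarr parser's own code), here is a constructed C++ version of the two overflow-detection schemes this entry contrasts, plus a small brace-quantifier parser built on the corrected one. `quantifyInfinite` is the name the entry uses; its value being the maximum unsigned, and the names `consumeNumberOld`, `consumeNumberNew` and `parseBraceQuantifier`, are our assumptions. The exact overflow check stands in for `Checked<unsigned, RecordOverflow>`.

```cpp
#include <cstddef>
#include <limits>
#include <string>

// Sentinel for an unbounded quantifier; the name is from the entry, the value is assumed.
static const unsigned quantifyInfinite = std::numeric_limits<unsigned>::max();

struct OldResult { unsigned value; bool overflowed; size_t digitsConsumed; };

// Pre-patch scheme as the entry describes it: append one digit at a time and treat a
// decrease of the accumulator as overflow, stopping at that digit. A wrap-around that
// lands above the previous value goes undetected (e.g. 10000000003).
OldResult consumeNumberOld(const std::string& digits) {
    OldResult r { 0, false, 0 };
    for (char c : digits) {
        unsigned next = r.value * 10 + static_cast<unsigned>(c - '0');  // wraps modulo 2^32
        if (next < r.value) { r.overflowed = true; break; }
        r.value = next;
        ++r.digitsConsumed;
    }
    return r;
}

// Post-patch scheme: consume every digit, detect overflow exactly, saturate to quantifyInfinite.
unsigned consumeNumberNew(const std::string& digits) {
    unsigned n = 0;
    bool overflowed = false;
    for (char c : digits) {
        unsigned d = static_cast<unsigned>(c - '0');
        // n * 10 + d fits in unsigned iff n <= (UINT_MAX - d) / 10
        if (n > (std::numeric_limits<unsigned>::max() - d) / 10) overflowed = true;
        if (!overflowed) n = n * 10 + d;
    }
    return overflowed ? quantifyInfinite : n;
}

static bool allDigits(const std::string& s) {
    if (s.empty()) return false;
    for (char c : s) if (c < '0' || c > '9') return false;
    return true;
}

struct Quantifier { unsigned min; unsigned max; bool valid; };

// Parses "{min}", "{min,}" or "{min,max}". Because every digit is consumed, the closing
// brace is always reached and an oversized bound simply saturates; malformed text or
// min > max yields valid == false.
Quantifier parseBraceQuantifier(const std::string& text) {
    Quantifier q { 0, 0, false };
    if (text.size() < 3 || text.front() != '{' || text.back() != '}') return q;
    std::string body = text.substr(1, text.size() - 2);
    size_t comma = body.find(',');
    std::string minDigits = body.substr(0, comma);
    if (!allDigits(minDigits)) return q;
    q.min = consumeNumberNew(minDigits);
    if (comma == std::string::npos) {
        q.max = q.min;
    } else {
        std::string maxDigits = body.substr(comma + 1);
        if (maxDigits.empty()) q.max = quantifyInfinite;
        else if (!allDigits(maxDigits)) return q;
        else q.max = consumeNumberNew(maxDigits);
    }
    q.valid = q.min <= q.max;
    return q;
}
```

With the old scheme, "10000000003" yields 1410065411 with no overflow reported, exactly the arithmetic the entry gives; with the new scheme it saturates, so `{2,10000000003}` parses as min 2, max quantifyInfinite.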
1416 2018-07-02  Keith Miller  <keith_miller@apple.com>
1417
1418         InstanceOf IC should do generic if the prototype is not an object.
1419         https://bugs.webkit.org/show_bug.cgi?id=187250
1420
1421         Reviewed by Mark Lam.
1422
1423         The old code was wrong for two reasons. First, the AccessCase expected that
1424         the prototype value would be non-null. Second, we would end up returning
1425         false instead of throwing an exception.
1426
1427         * jit/Repatch.cpp:
1428         (JSC::tryCacheInstanceOf):
1429
1430 2018-07-01  Mark Lam  <mark.lam@apple.com>
1431
1432         Builtins and host functions should get their own structures.
1433         https://bugs.webkit.org/show_bug.cgi?id=187211
1434         <rdar://problem/41646336>
1435
1436         Reviewed by Saam Barati.
1437
1438         JSFunctions do lazy reification of properties, but ordinary functions apply
1439         different rules of property reification than builtin and host functions.  Hence,
1440         we should give builtins and host functions their own structures.
1441
1442         * runtime/JSFunction.cpp:
1443         (JSC::JSFunction::selectStructureForNewFuncExp):
1444         (JSC::JSFunction::create):
1445         (JSC::JSFunction::getOwnPropertySlot):
1446         * runtime/JSGlobalObject.cpp:
1447         (JSC::JSGlobalObject::init):
1448         (JSC::JSGlobalObject::visitChildren):
1449         * runtime/JSGlobalObject.h:
1450         (JSC::JSGlobalObject::hostFunctionStructure const):
1451         (JSC::JSGlobalObject::arrowFunctionStructure const):
1452         (JSC::JSGlobalObject::sloppyFunctionStructure const):
1453         (JSC::JSGlobalObject::strictFunctionStructure const):
1454
1455 2018-07-01  David Kilzer  <ddkilzer@apple.com>
1456
1457         JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
1458         <https://webkit.org/b/187233>
1459
1460         Reviewed by Mark Lam.
1461
1462         * b3/air/AirEliminateDeadCode.cpp:
1463         (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
1464         * parser/ParserTokens.h:
1465         (JSC::JSTextPosition::JSTextPosition): Add struct member
1466         initialization. Simplify default constructor.
1467         (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
1468         union to the beginning to make it easy to zero out all fields.
1469         (JSC::JSTokenLocation::JSTokenLocation): Add struct member
1470         initialization.  Simplify default constructor.  Note that
1471         `endOffset` was not being initialized previously.
1472         (JSC::JSTextPosition::JSToken): Add struct member initialization
1473         where necessary.
1474         * runtime/IntlObject.cpp:
1475         (JSC::MatcherResult): Add struct member initialization.
1476
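To make the fix pattern concrete, here is an added, constructed C++ example (not the project's own `JSTextPosition` or `JSTokenData`, whose field layouts are only loosely mirrored): a struct that relies on default member initialization so its defaulted constructor leaves nothing undefined, and a union whose largest member comes first so that empty-brace initialization zeroes every byte. The names `PositionAfter`, `TokenDataAfter`, `WidePayload` and the helper functions are ours.

```cpp
#include <cstddef>
#include <cstdint>

// Pre-patch shape: a user-written default constructor that sets nothing, so a default-
// constructed object carries indeterminate values (the analyzer's "garbage or undefined").
struct PositionBefore {
    int line;
    int offset;
    int lineStartOffset;
    PositionBefore() { }
};

// Post-patch shape: default member initializers apply to every constructor, including
// the defaulted one, so no path leaves a member unset.
struct PositionAfter {
    int line { 0 };
    int offset { 0 };
    int lineStartOffset { 0 };
    PositionAfter() = default;
    PositionAfter(int l, int o, int s) : line(l), offset(o), lineStartOffset(s) { }
};

// Empty-brace initialization of a union value-initializes only its first member. With the
// largest member placed first, that zeroes every byte the other members could alias.
struct WidePayload { uint64_t a; uint64_t b; uint64_t c; };

union TokenDataAfter {
    WidePayload wide;   // largest member first (constructed stand-in for the patch's reordering)
    double number;
    int32_t smallInt;
};

// Reads the object representation through unsigned char, which is well-defined for any object.
bool allBytesZero(const void* p, size_t n) {
    const unsigned char* bytes = static_cast<const unsigned char*>(p);
    for (size_t i = 0; i < n; ++i)
        if (bytes[i]) return false;
    return true;
}

bool positionAfterIsZeroInitialized() {
    PositionAfter p;
    return p.line == 0 && p.offset == 0 && p.lineStartOffset == 0;
}

bool unionIsFullyZeroed() {
    TokenDataAfter data { };
    // The first member must span the whole union for "{ }" to cover every byte.
    return sizeof(data.wide) == sizeof(data) && allBytesZero(&data, sizeof(data));
}
```

Had `smallInt` been listed first, `TokenDataAfter data { }` would zero only four bytes and the remaining twenty would be indeterminate, which is the situation the reordering in JSTokenData avoids.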
1477 2018-06-23  Darin Adler  <darin@apple.com>
1478
1479         [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
1480         https://bugs.webkit.org/show_bug.cgi?id=186973
1481
1482         Reviewed by Dan Bernstein.
1483
1484         * API/JSContext.mm:
1485         (WeakContextRef::WeakContextRef): Deleted.
1486         (WeakContextRef::~WeakContextRef): Deleted.
1487         (WeakContextRef::get): Deleted.
1488         (WeakContextRef::set): Deleted.
1489
1490         * API/JSContextInternal.h: Removed unneeded header guards since this is
1491         an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
1492         of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
1493         since neither is used outside the class implementation.
1494
1495         * API/JSManagedValue.mm:
1496         (-[JSManagedValue initWithValue:]): Use a bridging cast.
1497         (-[JSManagedValue dealloc]): Ditto.
1498         (-[JSManagedValue didAddOwner:]): Ditto.
1499         (-[JSManagedValue didRemoveOwner:]): Ditto.
1500         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
1501         (JSManagedValueHandleOwner::finalize): Ditto.
1502         * API/JSValue.mm:
1503         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
1504         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
1505         (-[JSValue valueForProperty:]): Ditto.
1506         (-[JSValue setValue:forProperty:]): Ditto.
1507         (-[JSValue deleteProperty:]): Ditto.
1508         (-[JSValue hasProperty:]): Ditto.
1509         (-[JSValue invokeMethod:withArguments:]): Ditto.
1510         (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
1511         (valueToArray): Ditto.
1512         (valueToDictionary): Ditto.
1513         (objectToValueWithoutCopy): Ditto.
1514         (objectToValue): Ditto.
1515         * API/JSVirtualMachine.mm:
1516         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
1517         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
1518         (-[JSVirtualMachine isOldExternalObject:]): Ditto.
1519         (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
1520         (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
1521         (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
1522         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
1523         (scanExternalObjectGraph): Ditto.
1524         (scanExternalRememberedSet): Ditto.
1525         * API/JSWrapperMap.mm:
1526         (makeWrapper): Ditto.
1527         (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
1528         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
1529         (tryUnwrapObjcObject): Ditto.
1530         * API/ObjCCallbackFunction.mm:
1531         (blockSignatureContainsClass): Ditto.
1532         (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
1533         sure we will be keeping this the same way under ARC.
1534         (objCCallbackFunctionForBlock): Use a bridging cast.
1535
1536         * API/ObjcRuntimeExtras.h:
1537         (protocolImplementsProtocol): Use a more specific type that includes the
1538         explicit __unsafe_unretained for copied protocol lists.
1539         (forEachProtocolImplementingProtocol): Ditto.
1540
1541         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1542         (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
1543         (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.
1544
1545         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
1546         CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
1547         (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
1548         (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
1549         (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.
1550
1551 2018-06-30  Adam Barth  <abarth@webkit.org>
1552
1553         Port JavaScriptCore to OS(FUCHSIA)
1554         https://bugs.webkit.org/show_bug.cgi?id=187223
1555
1556         Reviewed by Daniel Bates.
1557
1558         * assembler/ARM64Assembler.h:
1559         (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
1560         * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
1561         (JSC::MachineContext::stackPointerImpl):
1562         (JSC::MachineContext::framePointerImpl):
1563         (JSC::MachineContext::instructionPointerImpl):
1564         (JSC::MachineContext::argumentPointer<1>):
1565         (JSC::MachineContext::llintInstructionPointer):
1566
1567 2018-06-30  David Kilzer  <ddkilzer@apple.com>
1568
1569         Fix clang static analyzer warnings: Garbage return value
1570         <https://webkit.org/b/187224>
1571
1572         Reviewed by Eric Carlson.
1573
1574         * bytecode/UnlinkedCodeBlock.cpp:
1575         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
1576         - Use brace initialization for local variables.
1577         * debugger/DebuggerCallFrame.cpp:
1578         (class JSC::LineAndColumnFunctor):
1579         - Use class member initialization for member variables.
1580
1581 2018-06-29  Saam Barati  <sbarati@apple.com>
1582
1583         Unreviewed. Try to fix Windows build after r233377
1584
1585         * builtins/BuiltinExecutables.cpp:
1586         (JSC::BuiltinExecutables::createExecutable):
1587
1588 2018-06-29  Saam Barati  <sbarati@apple.com>
1589
1590         Don't use tracePoints in JS/Wasm entry
1591         https://bugs.webkit.org/show_bug.cgi?id=187196
1592
1593         Reviewed by Mark Lam.
1594
1595         This puts VM entry and Wasm entry tracePoints behind a runtime
1596         option. This is a ~4x speedup on a soon to be released Wasm
1597         benchmark. tracePoints should basically never run more than 50
1598         times a second. Entering the VM and entering Wasm are user controlled,
1599         and can happen hundreds of thousands of times in a second. Depending
1600         on how the Wasm/JS code is structured, this can be disastrous for
1601         performance.
1602
1603         * runtime/Options.h:
1604         * runtime/VMEntryScope.cpp:
1605         (JSC::VMEntryScope::VMEntryScope):
1606         (JSC::VMEntryScope::~VMEntryScope):
1607         * wasm/WasmBBQPlan.cpp:
1608         (JSC::Wasm::BBQPlan::compileFunctions):
1609         * wasm/js/WebAssemblyFunction.cpp:
1610         (JSC::callWebAssemblyFunction):
1611
1612 2018-06-29  Saam Barati  <sbarati@apple.com>
1613
1614         We shouldn't recurse into the parser when gathering metadata about various function offsets
1615         https://bugs.webkit.org/show_bug.cgi?id=184074
1616         <rdar://problem/37165897>
1617
1618         Reviewed by Mark Lam.
1619
1620         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
1621         for that builtin. This required calling into the parser. However, the parser
1622         may throw a stack overflow. We were not able to recover from that. The only
1623         reason we called into the parser here is that we were gathering text offsets
1624         and various metadata for things in the builtin function. This patch writes a
1625         mini parser that figures this information out without calling into the full
1626         parser. (I've also added a debug assert that verifies the mini parser stays in
1627         sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
1628         always succeeds.
1629
1630         * builtins/AsyncFromSyncIteratorPrototype.js:
1631         (globalPrivate.createAsyncFromSyncIterator):
1632         (globalPrivate.AsyncFromSyncIteratorConstructor):
1633         * builtins/BuiltinExecutables.cpp:
1634         (JSC::BuiltinExecutables::createExecutable):
1635         * builtins/GlobalOperations.js:
1636         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
1637         (globalPrivate.speciesConstructor):
1638         (globalPrivate.copyDataProperties):
1639         (globalPrivate.copyDataPropertiesNoExclusions):
1640         * builtins/PromiseOperations.js:
1641         (globalPrivate.newHandledRejectedPromise):
1642         * builtins/RegExpPrototype.js:
1643         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
1644         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
1645         * builtins/StringPrototype.js:
1646         (globalPrivate.hasObservableSideEffectsForStringReplace):
1647         (globalPrivate.getDefaultCollator):
1648         * parser/Nodes.cpp:
1649         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1650         (JSC::FunctionMetadataNode::operator== const):
1651         (JSC::FunctionMetadataNode::dump const):
1652         * parser/Nodes.h:
1653         * parser/Parser.h:
1654         (JSC::parse):
1655         * parser/ParserError.h:
1656         (JSC::ParserError::type const):
1657         * parser/ParserTokens.h:
1658         (JSC::JSTextPosition::operator== const):
1659         (JSC::JSTextPosition::operator!= const):
1660         * parser/SourceCode.h:
1661         (JSC::SourceCode::operator== const):
1662         (JSC::SourceCode::operator!= const):
1663         (JSC::SourceCode::subExpression const):
1664         (JSC::SourceCode::subExpression): Deleted.
1665
1666 2018-06-28  Michael Saboff  <msaboff@apple.com>
1667
1668         IsoCellSet::sweepToFreeList() not safe when Full GC in process
1669         https://bugs.webkit.org/show_bug.cgi?id=187157
1670
1671         Reviewed by Mark Lam.
1672
1673         * heap/IsoCellSet.cpp:
1674         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
1675         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
1676         or not we are in the process of marking during a full GC.
1677         * heap/MarkedBlock.h:
1678         * heap/MarkedBlockInlines.h:
1679         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
1680
1681 2018-06-27  Saam Barati  <sbarati@apple.com>
1682
1683         Add some more register state information when we crash in repatchPutById
1684         https://bugs.webkit.org/show_bug.cgi?id=187112
1685
1686         Reviewed by Mark Lam.
1687
1688         This will help us gather info when we end up seeing a ObjectPropertyConditionSet
1689         with an offset that is different than what the put tells us.
1690
1691         * jit/Repatch.cpp:
1692         (JSC::tryCachePutByID):
1693
1694 2018-06-27  Mark Lam  <mark.lam@apple.com>
1695
1696         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
1697         https://bugs.webkit.org/show_bug.cgi?id=187119
1698
1699         Reviewed by Keith Miller.
1700
1701         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
1702         should be checking for codeBlock instead of !codeBlock
1703         before using the codeBlock.
1704
1705         I also renamed some other "print" functions to use "dump" instead
1706         to match their underlying C++ code that they will call e.g.
1707         CodeBlock::dumpSource().
1708
1709         * tools/JSDollarVM.cpp:
1710         (WTF::JSDollarVMCallFrame::finishCreation):
1711         (JSC::functionDumpSourceFor):
1712         (JSC::functionDumpBytecodeFor):
1713         (JSC::doPrint):
1714         (JSC::functionDataLog):
1715         (JSC::functionPrint):
1716         (JSC::functionDumpCallFrame):
1717         (JSC::functionDumpStack):
1718         (JSC::JSDollarVM::finishCreation):
1719         (JSC::functionPrintSourceFor): Deleted.
1720         (JSC::functionPrintBytecodeFor): Deleted.
1721         (JSC::doPrintln): Deleted.
1722         (JSC::functionPrintln): Deleted.
1723         (JSC::functionPrintCallFrame): Deleted.
1724         (JSC::functionPrintStack): Deleted.
1725         * tools/VMInspector.cpp:
1726         (JSC::DumpFrameFunctor::DumpFrameFunctor):
1727         (JSC::DumpFrameFunctor::operator() const):
1728         (JSC::VMInspector::dumpCallFrame):
1729         (JSC::VMInspector::dumpStack):
1730         (JSC::VMInspector::dumpValue):
1731         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
1732         (JSC::PrintFrameFunctor::operator() const): Deleted.
1733         (JSC::VMInspector::printCallFrame): Deleted.
1734         (JSC::VMInspector::printStack): Deleted.
1735         (JSC::VMInspector::printValue): Deleted.
1736         * tools/VMInspector.h:
1737
1738 2018-06-27  Keith Miller  <keith_miller@apple.com>
1739
1740         Add logging to try to diagnose where we get a null structure.
1741         https://bugs.webkit.org/show_bug.cgi?id=187106
1742
1743         Reviewed by Mark Lam.
1744
1745         Add logging to JSObject::toPrimitive to help diagnose a nullptr
1746         structure crash.
1747
1748         This code should be removed when we fix <rdar://problem/33451840>
1749
1750         * runtime/JSObject.cpp:
1751         (JSC::callToPrimitiveFunction):
1752         * runtime/JSObject.h:
1753         (JSC::JSObject::getPropertySlot):
1754
1755 2018-06-27  Mark Lam  <mark.lam@apple.com>
1756
1757         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
1758         https://bugs.webkit.org/show_bug.cgi?id=187091
1759         <rdar://problem/41395624>
1760
1761         Reviewed by Yusuke Suzuki.
1762
1763         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
1764         take their slow paths, the slow path would jump back to the fast path right after
1765         the emitted code which clears the unused property values.  As a result, the
1766         unused properties are not initialized.  We've fixed this by adding the slow path
1767         generators before we emit the code to clear the unused properties.
1768
1769         * dfg/DFGSpeculativeJIT.cpp:
1770         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1771         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1772
1773 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1774
1775         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
1776         https://bugs.webkit.org/show_bug.cgi?id=185943
1777
1778         Reviewed by Mark Lam.
1779
1780         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
1781         the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
1782         the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
1783         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
1784
1785         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
1786         but it should be done in a separate patch since it would be performance sensitive.
1787
1788         * bytecompiler/NodesCodegen.cpp:
1789         (JSC::ArrayPatternNode::emitDirectBinding):
1790
1791 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1792
1793         [JSC] Pass VM& to functions more
1794         https://bugs.webkit.org/show_bug.cgi?id=186241
1795
1796         Reviewed by Mark Lam.
1797
1798         This patch threads VM& to functions requiring VM& more.
1799
1800         * API/JSObjectRef.cpp:
1801         (JSObjectIsConstructor):
1802         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
1803         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
1804         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
1805         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
1806         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
1807         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
1808         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
1809         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
1810         * bytecode/CodeBlockJettisoningWatchpoint.h:
1811         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1812         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
1813         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1814         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
1815         * bytecode/StructureStubClearingWatchpoint.cpp:
1816         (JSC::StructureStubClearingWatchpoint::fireInternal):
1817         * bytecode/StructureStubClearingWatchpoint.h:
1818         * bytecode/Watchpoint.cpp:
1819         (JSC::Watchpoint::fire):
1820         (JSC::WatchpointSet::fireAllWatchpoints):
1821         * bytecode/Watchpoint.h:
1822         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
1823         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
1824         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
1825         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
1826         (JSC::DFG::AdaptiveStructureWatchpoint::install):
1827         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
1828         * dfg/DFGAdaptiveStructureWatchpoint.h:
1829         * dfg/DFGDesiredWatchpoints.cpp:
1830         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
1831         * llint/LLIntSlowPaths.cpp:
1832         (JSC::LLInt::setupGetByIdPrototypeCache):
1833         * runtime/ArrayPrototype.cpp:
1834         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1835         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1836         * runtime/ECMAScriptSpecInternalFunctions.cpp:
1837         (JSC::esSpecIsConstructor):
1838         * runtime/FunctionRareData.cpp:
1839         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
1840         * runtime/FunctionRareData.h:
1841         * runtime/InferredStructureWatchpoint.cpp:
1842         (JSC::InferredStructureWatchpoint::fireInternal):
1843         * runtime/InferredStructureWatchpoint.h:
1844         * runtime/InternalFunction.cpp:
1845         (JSC::InternalFunction::createSubclassStructureSlow):
1846         * runtime/InternalFunction.h:
1847         (JSC::InternalFunction::createSubclassStructure):
1848         * runtime/JSCJSValue.h:
1849         * runtime/JSCJSValueInlines.h:
1850         (JSC::JSValue::isConstructor const):
1851         * runtime/JSCell.h:
1852         * runtime/JSCellInlines.h:
1853         (JSC::JSCell::isConstructor):
1854         (JSC::JSCell::methodTable const):
1855         * runtime/JSGlobalObject.cpp:
1856         (JSC::JSGlobalObject::init):
1857         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
1858         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
1859         * runtime/ProxyObject.cpp:
1860         (JSC::ProxyObject::finishCreation):
1861         * runtime/ReflectObject.cpp:
1862         (JSC::reflectObjectConstruct):
1863         * runtime/StructureRareData.cpp:
1864         (JSC::StructureRareData::setObjectToStringValue):
1865         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
1866         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
1867         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
1868
1869 2018-06-26  Mark Lam  <mark.lam@apple.com>
1870
1871         eval() is wrong about the LiteralParser never throwing any exceptions.
1872         https://bugs.webkit.org/show_bug.cgi?id=187074
1873         <rdar://problem/41461099>
1874
1875         Reviewed by Saam Barati.
1876
1877         Added the missing exception check, and removed an erroneous assertion.
1878
1879         * interpreter/Interpreter.cpp:
1880         (JSC::eval):
1881
1882 2018-06-26  Saam Barati  <sbarati@apple.com>
1883
1884         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
1885         https://bugs.webkit.org/show_bug.cgi?id=186878
1886         <rdar://problem/40568659>
1887
1888         Reviewed by Filip Pizlo.
1889
1890         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
1891         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
1892         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
1893         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
1894         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
1895         conservative scan knows to treat it like a butterfly when we may be
1896         pointing into the middle of it.
1897
1898         The way we were crashing on the stress GC bots is that our conservative marking
1899         won't do cell visiting for things that are Auxiliary. This meant that if the
1900         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
1901         that JSImmutableButterfly would not be visited. This is now fixed.
1902
1903         * bytecompiler/NodesCodegen.cpp:
1904         (JSC::ArrayNode::emitBytecode):
1905         * debugger/Debugger.cpp:
1906         * heap/ConservativeRoots.cpp:
1907         (JSC::ConservativeRoots::genericAddPointer):
1908         * heap/Heap.cpp:
1909         (JSC::GatherHeapSnapshotData::operator() const):
1910         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
1911         (JSC::Heap::globalObjectCount):
1912         (JSC::Heap::objectTypeCounts):
1913         (JSC::Heap::deleteAllCodeBlocks):
1914         * heap/HeapCell.cpp:
1915         (WTF::printInternal):
1916         * heap/HeapCell.h:
1917         (JSC::isJSCellKind):
1918         (JSC::hasInteriorPointers):
1919         * heap/HeapUtil.h:
1920         (JSC::HeapUtil::findGCObjectPointersForMarking):
1921         (JSC::HeapUtil::isPointerGCObjectJSCell):
1922         * heap/MarkedBlock.cpp:
1923         (JSC::MarkedBlock::Handle::didAddToDirectory):
1924         * heap/SlotVisitor.cpp:
1925         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
1926         * runtime/JSGlobalObject.cpp:
1927         * runtime/JSImmutableButterfly.h:
1928         (JSC::JSImmutableButterfly::subspaceFor):
1929         * runtime/VM.cpp:
1930         (JSC::VM::VM):
1931         * runtime/VM.h:
1932         * tools/CellProfile.h:
1933         (JSC::CellProfile::CellProfile):
1934         (JSC::CellProfile::isJSCell const):
1935         * tools/HeapVerifier.cpp:
1936         (JSC::HeapVerifier::validateCell):
1937
1938 2018-06-26  Mark Lam  <mark.lam@apple.com>
1939
1940         Skip some unnecessary work in Interpreter::getStackTrace().
1941         https://bugs.webkit.org/show_bug.cgi?id=187070
1942
1943         Reviewed by Michael Saboff.
1944
1945         * interpreter/Interpreter.cpp:
1946         (JSC::Interpreter::getStackTrace):
1947
1948 2018-06-26  Mark Lam  <mark.lam@apple.com>
1949
1950         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
1951         https://bugs.webkit.org/show_bug.cgi?id=187060
1952         <rdar://problem/41452767>
1953
1954         Reviewed by Keith Miller.
1955
1956         JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
1957         write conversion.  Hence, we can return early after the conversion if the vector
1958         length is already sufficient to cover the requested length.
1959
1960         * runtime/JSObject.cpp:
1961         (JSC::JSObject::ensureLengthSlow):
1962
1963 2018-06-26  Commit Queue  <commit-queue@webkit.org>
1964
1965         Unreviewed, rolling out r233184.
1966         https://bugs.webkit.org/show_bug.cgi?id=187059
1967
1968         "It regressed JetStream between 5-8%" (Requested by saamyjoon
1969         on #webkit).
1970
1971         Reverted changeset:
1972
1973         "JSImmutableButterfly can't be allocated from a subspace with
1974         HeapCell::Kind::Auxiliary"
1975         https://bugs.webkit.org/show_bug.cgi?id=186878
1976         https://trac.webkit.org/changeset/233184
1977
1978 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
1979
1980         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
1981         https://bugs.webkit.org/show_bug.cgi?id=187051
1982
1983         Reviewed by Mark Lam.
1984
1985         Revert r233065 changes over UnlinkedCodeBlock.h to allow
1986         clang-3.8 to be able to compile this back (with libstdc++5).
1987
1988         * bytecode/UnlinkedCodeBlock.h:
1989         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
1990
1991 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
1992
1993         Fix testapi build when DFG_JIT is disabled
1994         https://bugs.webkit.org/show_bug.cgi?id=187038
1995
1996         Reviewed by Mark Lam.
1997
        r233158 added a new API and tests for configuring the number of JIT threads, but
        the API is only available when DFG_JIT is enabled, and so should the tests be.
2000
2001         * API/tests/testapi.mm:
2002         (runJITThreadLimitTests):
2003
2004 2018-06-25  Saam Barati  <sbarati@apple.com>
2005
2006         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
2007         https://bugs.webkit.org/show_bug.cgi?id=186878
2008         <rdar://problem/40568659>
2009
2010         Reviewed by Mark Lam.
2011
2012         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
2013         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
2014         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
2015         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
2016         bots is that our conservative marking won't do cell marking for things that
2017         are Auxiliary. This means that if the stack is the only thing pointing to a
2018         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
2019         not be visited. This patch fixes this bug. This patch also extends our conservative
2020         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
2021
2022         * bytecompiler/NodesCodegen.cpp:
2023         (JSC::ArrayNode::emitBytecode):
2024         * heap/HeapUtil.h:
2025         (JSC::HeapUtil::findGCObjectPointersForMarking):
2026         * runtime/JSImmutableButterfly.h:
2027         (JSC::JSImmutableButterfly::subspaceFor):
2028
2029 2018-06-25  Mark Lam  <mark.lam@apple.com>
2030
2031         constructArray() should set m_numValuesInVector to the specified length.
2032         https://bugs.webkit.org/show_bug.cgi?id=187010
2033         <rdar://problem/41392167>
2034
2035         Reviewed by Filip Pizlo.
2036
        Its client will fill in the storage vector with some values using initializeIndex()
        and expects m_numValuesInVector to be set to the length, i.e. the number of values
        to be initialized.
2040
2041         * runtime/JSArray.cpp:
2042         (JSC::constructArray):
2043
2044 2018-06-25  Mark Lam  <mark.lam@apple.com>
2045
2046         Add missing exception check in RegExpObjectInlines.h's collectMatches.
2047         https://bugs.webkit.org/show_bug.cgi?id=187006
2048         <rdar://problem/41418412>
2049
2050         Reviewed by Keith Miller.
2051
2052         * runtime/RegExpObjectInlines.h:
2053         (JSC::collectMatches):
2054
2055 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
2056
2057         Add API for configuring the number of threads used by DFG and FTL
2058         https://bugs.webkit.org/show_bug.cgi?id=186859
2059         <rdar://problem/41093519>
2060
2061         Reviewed by Filip Pizlo.
2062
2063         Add new private APIs for limiting the number of threads to be used by
2064         the DFG and FTL compilers. It was already possible to configure the
2065         limit through JSC Options, but now it can be changed at runtime, even
2066         in the case when the VM is already running.
2067
        Add a test for both cases: configuring the limit before the Worklist has been
        created and after. In order to simulate the first scenario, we must guarantee
        that the test runs at the very beginning, so I also added a check for that.
2072
2073         * API/JSVirtualMachine.mm:
2074         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
2075         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
2076         * API/JSVirtualMachinePrivate.h:
2077         * API/tests/testapi.mm:
2078         (runJITThreadLimitTests):
2079         (testObjectiveCAPIMain):
2080         * dfg/DFGWorklist.cpp:
2081         (JSC::DFG::Worklist::finishCreation):
2082         (JSC::DFG::Worklist::createNewThread):
2083         (JSC::DFG::Worklist::setNumberOfThreads):
2084         * dfg/DFGWorklist.h:
2085
2086 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2087
2088         [JSC] Remove unnecessary PLATFORM guards
2089         https://bugs.webkit.org/show_bug.cgi?id=186995
2090
2091         Reviewed by Mark Lam.
2092
2093         * assembler/AssemblerCommon.h:
2094         (JSC::isIOS):
2095         Add constexpr.
2096
2097         * inspector/JSGlobalObjectInspectorController.cpp:
2098         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        StackFrame works on all platforms. If StackFrame::demangle fails,
        it just returns std::nullopt, and that is correctly handled in this code.
2101
2102 2018-06-23  Mark Lam  <mark.lam@apple.com>
2103
2104         Add more debugging features to $vm.
2105         https://bugs.webkit.org/show_bug.cgi?id=186947
2106
2107         Reviewed by Keith Miller.
2108
2109         Adding the following features:
2110
2111             // We now have println in addition to print.
2112             // println automatically adds a '\n' at the end.
2113             $vm.println("Hello");
2114
2115             // We can now capture some info about a stack frame.
2116             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
2117             var callerCallerFrame = $vm.callFrame(2);
2118
2119             // We can inspect the following values associated with the frame:
2120             if (currentFrame.valid) {
                $vm.println("name is ", currentFrame.name);
2122
2123                 // Note: For a WASM frame, all of these will be undefined.
2124                 $vm.println("callee is ", $vm.value(currentFrame.callee));
2125                 $vm.println("codeBlock is ", currentFrame.codeBlock);
2126                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
2127                 $vm.println("executable is ", currentFrame.executable);
2128             }
2129
2130             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
2131             // to dataLog its JSValue instead of its toString() result.
2132
2133             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
2134             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
2135             // toString on a non-object.
2136
2137             // Does what it says about enabling/disabling debugger mode.
2138             $vm.enableDebuggerModeWhenIdle();
2139             $vm.disableDebuggerModeWhenIdle();
2140
2141         * tools/JSDollarVM.cpp:
2142         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
2143         (WTF::JSDollarVMCallFrame::createStructure):
2144         (WTF::JSDollarVMCallFrame::create):
2145         (WTF::JSDollarVMCallFrame::finishCreation):
2146         (WTF::JSDollarVMCallFrame::addProperty):
2147         (JSC::functionCallFrame):
2148         (JSC::functionCodeBlockForFrame):
2149         (JSC::codeBlockFromArg):
2150         (JSC::doPrintln):
2151         (JSC::functionPrint):
2152         (JSC::functionPrintln):
2153         (JSC::changeDebuggerModeWhenIdle):
2154         (JSC::functionEnableDebuggerModeWhenIdle):
2155         (JSC::functionDisableDebuggerModeWhenIdle):
2156         (JSC::JSDollarVM::finishCreation):
2157
2158 2018-06-22  Keith Miller  <keith_miller@apple.com>
2159
2160         We need to have a getDirectConcurrently for use in the compilers
2161         https://bugs.webkit.org/show_bug.cgi?id=186954
2162
2163         Reviewed by Mark Lam.
2164
        It used to be that the propertyStorage of an object never shrank,
        so if you called getDirect with some offset it would never be an
        OOB read. However, this property storage can shrink when calling
        flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
        holds the Structure's ConcurrentJSLock while shrinking. This patch
        adds a getDirectConcurrently that will safely try to load from the
        butterfly.
2172
2173         * bytecode/ObjectPropertyConditionSet.cpp:
2174         * bytecode/PropertyCondition.cpp:
2175         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2176         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
2177         * dfg/DFGGraph.cpp:
2178         (JSC::DFG::Graph::tryGetConstantProperty):
2179         * runtime/JSObject.h:
2180         (JSC::JSObject::getDirectConcurrently const):
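
        The following is an added illustration of the race the entry above describes; it
        is not JavaScriptCore code. PropertyStorage, shrinkUnderLock and readAfterShrink
        are invented names standing in for the object's butterfly, the Structure's
        ConcurrentJSLock held by flattenDictionaryStructure, and a compiler thread that
        cached a property offset before the storage shrank. A std::mutex with try_lock is
        used in place of the real lock.

```cpp
// Added illustration for the getDirectConcurrently entry above; this is not
// JavaScriptCore code. PropertyStorage, shrinkUnderLock and readAfterShrink
// are invented names standing in for JSObject's butterfly, Structure's
// ConcurrentJSLock and flattenDictionaryStructure.
#include <cstddef>
#include <cstdint>
#include <mutex>
#include <optional>
#include <utility>
#include <vector>

class PropertyStorage {
public:
    explicit PropertyStorage(std::vector<int64_t> values)
        : m_values(std::move(values)) { }

    // Mutator-thread read. It assumes storage only ever grows, so an offset
    // that was valid once stays valid. Once a shrink is possible, calling this
    // from a compiler thread with a cached offset is an out-of-bounds read.
    int64_t getDirect(size_t offset) const { return m_values[offset]; }

    // Compiler-thread read. Takes the same lock the shrinker holds, so the
    // bounds check and the load cannot interleave with a shrink. Returns
    // nullopt if the lock is contended or the offset is no longer in range;
    // the caller must then give up on the optimization it wanted to do
    // rather than trust a value it could not safely load.
    std::optional<int64_t> getDirectConcurrently(size_t offset) const
    {
        std::unique_lock<std::mutex> locker(m_lock, std::try_to_lock);
        if (!locker.owns_lock())
            return std::nullopt;
        if (offset >= m_values.size())
            return std::nullopt;
        return m_values[offset];
    }

    // Mutator-thread writer. Shrinks while holding the lock, which is the
    // property of flattenDictionaryStructure that makes the locked read safe.
    void shrinkUnderLock(size_t newSize)
    {
        std::lock_guard<std::mutex> locker(m_lock);
        if (newSize < m_values.size())
            m_values.resize(newSize);
    }

    size_t size() const { return m_values.size(); }

private:
    mutable std::mutex m_lock;
    std::vector<int64_t> m_values;
};

// Constructed scenario: a compiler thread cached `offset` while the object had
// eight properties, then the mutator shrank the storage to `shrinkTo` entries.
// With the unlocked getDirect() this would read past the end of the vector;
// the concurrent variant reports that the offset is no longer valid instead.
std::optional<int64_t> readAfterShrink(size_t offset, size_t shrinkTo)
{
    PropertyStorage storage({ 10, 11, 12, 13, 14, 15, 16, 17 });
    storage.shrinkUnderLock(shrinkTo);
    return storage.getDirectConcurrently(offset);
}
```

        The point of the example is the bail-out path: a compiler thread that cannot take
        the lock, or whose cached offset is out of range after the shrink, gets nullopt and
        must fall back to the slow path rather than fold in a value read past the end of
        the storage.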
2181
2182 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2183
2184         [WTF] Use Ref<> for the result type of non-failing factory functions
2185         https://bugs.webkit.org/show_bug.cgi?id=186920
2186
2187         Reviewed by Darin Adler.
2188
2189         * dfg/DFGWorklist.cpp:
2190         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
2191         (JSC::DFG::Worklist::finishCreation):
2192         * dfg/DFGWorklist.h:
2193         * heap/Heap.cpp:
2194         (JSC::Heap::Thread::Thread):
2195         * heap/Heap.h:
2196         * jit/JITWorklist.cpp:
2197         (JSC::JITWorklist::Thread::Thread):
2198         * jit/JITWorklist.h:
2199         * runtime/VMTraps.cpp:
2200         * runtime/VMTraps.h:
2201         * wasm/WasmWorklist.cpp:
2202         * wasm/WasmWorklist.h:
2203
2204 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2205
2206         [WTF] Add user-defined literal for ASCIILiteral
2207         https://bugs.webkit.org/show_bug.cgi?id=186839
2208
2209         Reviewed by Darin Adler.
2210
2211         * API/JSCallbackObjectFunctions.h:
2212         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2213         (JSC::JSCallbackObject<Parent>::callbackGetter):
2214         * API/JSObjectRef.cpp:
2215         (JSObjectMakeFunctionWithCallback):
2216         * API/JSTypedArray.cpp:
2217         (JSObjectGetArrayBufferBytesPtr):
2218         * API/JSValue.mm:
2219         (valueToArray):
2220         (valueToDictionary):
2221         * API/ObjCCallbackFunction.mm:
2222         (JSC::objCCallbackFunctionCallAsFunction):
2223         (JSC::objCCallbackFunctionCallAsConstructor):
2224         (JSC::ObjCCallbackFunctionImpl::call):
2225         * API/glib/JSCCallbackFunction.cpp:
2226         (JSC::JSCCallbackFunction::call):
2227         (JSC::JSCCallbackFunction::construct):
2228         * API/glib/JSCContext.cpp:
2229         (jscContextJSValueToGValue):
2230         * API/glib/JSCValue.cpp:
2231         (jsc_value_object_define_property_accessor):
2232         (jscValueFunctionCreate):
2233         * builtins/BuiltinUtils.h:
2234         * bytecode/CodeBlock.cpp:
2235         (JSC::CodeBlock::nameForRegister):
2236         * bytecompiler/BytecodeGenerator.cpp:
2237         (JSC::BytecodeGenerator::emitEnumeration):
2238         (JSC::BytecodeGenerator::emitIteratorNext):
2239         (JSC::BytecodeGenerator::emitIteratorClose):
2240         (JSC::BytecodeGenerator::emitDelegateYield):
2241         * bytecompiler/NodesCodegen.cpp:
2242         (JSC::FunctionCallValueNode::emitBytecode):
2243         (JSC::PostfixNode::emitBytecode):
2244         (JSC::PrefixNode::emitBytecode):
2245         (JSC::AssignErrorNode::emitBytecode):
2246         (JSC::ForInNode::emitBytecode):
2247         (JSC::ForOfNode::emitBytecode):
2248         (JSC::ClassExprNode::emitBytecode):
2249         (JSC::ObjectPatternNode::bindValue const):
2250         * dfg/DFGDriver.cpp:
2251         (JSC::DFG::compileImpl):
2252         * dfg/DFGOperations.cpp:
2253         (JSC::DFG::newTypedArrayWithSize):
2254         * dfg/DFGStrengthReductionPhase.cpp:
2255         (JSC::DFG::StrengthReductionPhase::handleNode):
2256         * inspector/ConsoleMessage.cpp:
2257         (Inspector::ConsoleMessage::addToFrontend):
2258         (Inspector::ConsoleMessage::clear):
2259         * inspector/ContentSearchUtilities.cpp:
2260         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
2261         * inspector/InjectedScript.cpp:
2262         (Inspector::InjectedScript::InjectedScript):
2263         (Inspector::InjectedScript::evaluate):
2264         (Inspector::InjectedScript::callFunctionOn):
2265         (Inspector::InjectedScript::evaluateOnCallFrame):
2266         (Inspector::InjectedScript::getFunctionDetails):
2267         (Inspector::InjectedScript::functionDetails):
2268         (Inspector::InjectedScript::getPreview):
2269         (Inspector::InjectedScript::getProperties):
2270         (Inspector::InjectedScript::getDisplayableProperties):
2271         (Inspector::InjectedScript::getInternalProperties):
2272         (Inspector::InjectedScript::getCollectionEntries):
2273         (Inspector::InjectedScript::saveResult):
2274         (Inspector::InjectedScript::wrapCallFrames const):
2275         (Inspector::InjectedScript::wrapObject const):
2276         (Inspector::InjectedScript::wrapJSONString const):
2277         (Inspector::InjectedScript::wrapTable const):
2278         (Inspector::InjectedScript::previewValue const):
2279         (Inspector::InjectedScript::setExceptionValue):
2280         (Inspector::InjectedScript::clearExceptionValue):
2281         (Inspector::InjectedScript::findObjectById const):
2282         (Inspector::InjectedScript::inspectObject):
2283         (Inspector::InjectedScript::releaseObject):
2284         (Inspector::InjectedScript::releaseObjectGroup):
2285         * inspector/InjectedScriptBase.cpp:
2286         (Inspector::InjectedScriptBase::makeEvalCall):
2287         * inspector/InjectedScriptManager.cpp:
2288         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
2289         * inspector/InjectedScriptModule.cpp:
2290         (Inspector::InjectedScriptModule::ensureInjected):
2291         * inspector/InspectorBackendDispatcher.cpp:
2292         (Inspector::BackendDispatcher::dispatch):
2293         (Inspector::BackendDispatcher::sendResponse):
2294         (Inspector::BackendDispatcher::sendPendingErrors):
2295         * inspector/JSGlobalObjectConsoleClient.cpp:
2296         (Inspector::JSGlobalObjectConsoleClient::profile):
2297         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
2298         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
2299         * inspector/JSGlobalObjectInspectorController.cpp:
2300         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2301         * inspector/JSInjectedScriptHost.cpp:
2302         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
2303         (Inspector::JSInjectedScriptHost::subtype):
2304         (Inspector::JSInjectedScriptHost::getInternalProperties):
2305         * inspector/JSJavaScriptCallFrame.cpp:
2306         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
2307         (Inspector::JSJavaScriptCallFrame::type const):
2308         * inspector/ScriptArguments.cpp:
2309         (Inspector::ScriptArguments::getFirstArgumentAsString):
2310         * inspector/ScriptCallStackFactory.cpp:
2311         (Inspector::extractSourceInformationFromException):
2312         * inspector/agents/InspectorAgent.cpp:
2313         (Inspector::InspectorAgent::InspectorAgent):
2314         * inspector/agents/InspectorConsoleAgent.cpp:
2315         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
2316         (Inspector::InspectorConsoleAgent::clearMessages):
2317         (Inspector::InspectorConsoleAgent::count):
2318         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
2319         * inspector/agents/InspectorDebuggerAgent.cpp:
2320         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
2321         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
2322         (Inspector::buildObjectForBreakpointCookie):
2323         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
2324         (Inspector::parseLocation):
2325         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2326         (Inspector::InspectorDebuggerAgent::setBreakpoint):
2327         (Inspector::InspectorDebuggerAgent::continueToLocation):
2328         (Inspector::InspectorDebuggerAgent::searchInContent):
2329         (Inspector::InspectorDebuggerAgent::getScriptSource):
2330         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
2331         (Inspector::InspectorDebuggerAgent::resume):
2332         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
2333         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
2334         (Inspector::InspectorDebuggerAgent::didParseSource):
2335         (Inspector::InspectorDebuggerAgent::assertPaused):
2336         * inspector/agents/InspectorHeapAgent.cpp:
2337         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
2338         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
2339         (Inspector::InspectorHeapAgent::getPreview):
2340         (Inspector::InspectorHeapAgent::getRemoteObject):
2341         * inspector/agents/InspectorRuntimeAgent.cpp:
2342         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
2343         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2344         (Inspector::InspectorRuntimeAgent::getPreview):
2345         (Inspector::InspectorRuntimeAgent::getProperties):
2346         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2347         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2348         (Inspector::InspectorRuntimeAgent::saveResult):
2349         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2350         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
2351         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2352         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
2353         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2354         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
2355         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2356         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
2357         * inspector/scripts/codegen/cpp_generator_templates.py:
2358         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2359         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
2360         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2361         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2362         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2363         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2364         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2365         (CppProtocolTypesImplementationGenerator):
2366         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2367         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
2368         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
2369         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2370         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2371         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
2372         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2373         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
2374         * inspector/scripts/codegen/objc_generator_templates.py:
2375         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2376         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2377         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2378         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2379         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2380         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2381         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2382         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2383         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2384         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2385         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2386         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2387         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2388         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2389         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2390         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2391         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2392         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2393         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2394         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2395         * interpreter/CallFrame.cpp:
2396         (JSC::CallFrame::friendlyFunctionName):
2397         * interpreter/Interpreter.cpp:
2398         (JSC::Interpreter::execute):
2399         * interpreter/StackVisitor.cpp:
2400         (JSC::StackVisitor::Frame::functionName const):
2401         (JSC::StackVisitor::Frame::sourceURL const):
2402         * jit/JIT.cpp:
2403         (JSC::JIT::doMainThreadPreparationBeforeCompile):
2404         * jit/JITOperations.cpp:
2405         * jsc.cpp:
2406         (resolvePath):
2407         (GlobalObject::moduleLoaderImportModule):
2408         (GlobalObject::moduleLoaderResolve):
2409         (functionDescribeArray):
2410         (functionRun):
2411         (functionLoad):
2412         (functionCheckSyntax):
2413         (functionDollarEvalScript):
2414         (functionDollarAgentStart):
2415         (functionDollarAgentReceiveBroadcast):
2416         (functionDollarAgentBroadcast):
2417         (functionTransferArrayBuffer):
2418         (functionLoadModule):
2419         (functionSamplingProfilerStackTraces):
2420         (functionAsyncTestStart):
2421         (functionWebAssemblyMemoryMode):
2422         (runWithOptions):
2423         * parser/Lexer.cpp:
2424         (JSC::Lexer<T>::invalidCharacterMessage const):
2425         (JSC::Lexer<T>::parseString):
2426         (JSC::Lexer<T>::parseComplexEscape):
2427         (JSC::Lexer<T>::parseStringSlowCase):
2428         (JSC::Lexer<T>::parseTemplateLiteral):
2429         (JSC::Lexer<T>::lex):
2430         * parser/Parser.cpp:
2431         (JSC::Parser<LexerType>::parseInner):
2432         * parser/Parser.h:
2433         (JSC::Parser::setErrorMessage):
2434         * runtime/AbstractModuleRecord.cpp:
2435         (JSC::AbstractModuleRecord::finishCreation):
2436         * runtime/ArrayBuffer.cpp:
2437         (JSC::errorMesasgeForTransfer):
2438         * runtime/ArrayBufferSharingMode.h:
2439         (JSC::arrayBufferSharingModeName):
2440         * runtime/ArrayConstructor.cpp:
2441         (JSC::constructArrayWithSizeQuirk):
2442         (JSC::isArraySlowInline):
2443         * runtime/ArrayPrototype.cpp:
2444         (JSC::setLength):
2445         (JSC::shift):
2446         (JSC::unshift):
2447         (JSC::arrayProtoFuncPop):
2448         (JSC::arrayProtoFuncReverse):
2449         (JSC::arrayProtoFuncUnShift):
2450         * runtime/AtomicsObject.cpp:
2451         (JSC::atomicsFuncWait):
2452         (JSC::atomicsFuncWake):
2453         * runtime/BigIntConstructor.cpp:
2454         (JSC::BigIntConstructor::finishCreation):
2455         (JSC::toBigInt):
2456         (JSC::callBigIntConstructor):
2457         * runtime/BigIntObject.cpp:
2458         (JSC::BigIntObject::toStringName):
2459         * runtime/BigIntPrototype.cpp:
2460         (JSC::bigIntProtoFuncToString):
2461         (JSC::bigIntProtoFuncValueOf):
2462         * runtime/CommonSlowPaths.cpp:
2463         (JSC::SLOW_PATH_DECL):
2464         * runtime/ConsoleClient.cpp:
2465         (JSC::ConsoleClient::printConsoleMessageWithArguments):
2466         * runtime/ConsoleObject.cpp:
2467         (JSC::valueOrDefaultLabelString):
2468         (JSC::consoleProtoFuncTime):
2469         (JSC::consoleProtoFuncTimeEnd):
2470         * runtime/DatePrototype.cpp:
2471         (JSC::formatLocaleDate):
2472         (JSC::formateDateInstance):
2473         (JSC::DatePrototype::finishCreation):
2474         (JSC::dateProtoFuncToISOString):
2475         (JSC::dateProtoFuncToJSON):
2476         * runtime/Error.cpp:
2477         (JSC::createNotEnoughArgumentsError):
2478         (JSC::throwSyntaxError):
2479         (JSC::createTypeError):
2480         (JSC::createOutOfMemoryError):
2481         * runtime/Error.h:
2482         (JSC::throwVMError):
2483         * runtime/ErrorConstructor.cpp:
2484         (JSC::ErrorConstructor::finishCreation):
2485         * runtime/ErrorInstance.cpp:
2486         (JSC::ErrorInstance::sanitizedToString):
2487         * runtime/ErrorPrototype.cpp:
2488         (JSC::ErrorPrototype::finishCreation):
2489         (JSC::errorProtoFuncToString):
2490         * runtime/ExceptionFuzz.cpp:
2491         (JSC::doExceptionFuzzing):
2492         * runtime/ExceptionHelpers.cpp:
2493         (JSC::TerminatedExecutionError::defaultValue):
2494         (JSC::createStackOverflowError):
2495         (JSC::createNotAConstructorError):
2496         (JSC::createNotAFunctionError):
2497         (JSC::createNotAnObjectError):
2498         * runtime/GetterSetter.cpp:
2499         (JSC::callSetter):
2500         * runtime/IntlCollator.cpp:
2501         (JSC::sortLocaleData):
2502         (JSC::searchLocaleData):
2503         (JSC::IntlCollator::initializeCollator):
2504         (JSC::IntlCollator::compareStrings):
2505         (JSC::IntlCollator::usageString):
2506         (JSC::IntlCollator::sensitivityString):
2507         (JSC::IntlCollator::caseFirstString):
2508         (JSC::IntlCollator::resolvedOptions):
2509         * runtime/IntlCollator.h:
2510         * runtime/IntlCollatorConstructor.cpp:
2511         (JSC::IntlCollatorConstructor::finishCreation):
2512         * runtime/IntlCollatorPrototype.cpp:
2513         (JSC::IntlCollatorPrototypeGetterCompare):
2514         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
2515         * runtime/IntlDateTimeFormat.cpp:
2516         (JSC::defaultTimeZone):
2517         (JSC::canonicalizeTimeZoneName):
2518         (JSC::IntlDTFInternal::localeData):
2519         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
2520         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2521         (JSC::IntlDateTimeFormat::weekdayString):
2522         (JSC::IntlDateTimeFormat::eraString):
2523         (JSC::IntlDateTimeFormat::yearString):
2524         (JSC::IntlDateTimeFormat::monthString):
2525         (JSC::IntlDateTimeFormat::dayString):
2526         (JSC::IntlDateTimeFormat::hourString):
2527         (JSC::IntlDateTimeFormat::minuteString):
2528         (JSC::IntlDateTimeFormat::secondString):
2529         (JSC::IntlDateTimeFormat::timeZoneNameString):
2530         (JSC::IntlDateTimeFormat::resolvedOptions):
2531         (JSC::IntlDateTimeFormat::format):
2532         (JSC::IntlDateTimeFormat::partTypeString):
2533         (JSC::IntlDateTimeFormat::formatToParts):
2534         * runtime/IntlDateTimeFormat.h:
2535         * runtime/IntlDateTimeFormatConstructor.cpp:
2536         (JSC::IntlDateTimeFormatConstructor::finishCreation):
2537         * runtime/IntlDateTimeFormatPrototype.cpp:
2538         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2539         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
2540         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
2541         * runtime/IntlNumberFormat.cpp:
2542         (JSC::IntlNumberFormat::initializeNumberFormat):
2543         (JSC::IntlNumberFormat::formatNumber):
2544         (JSC::IntlNumberFormat::styleString):
2545         (JSC::IntlNumberFormat::currencyDisplayString):
2546         (JSC::IntlNumberFormat::resolvedOptions):
2547         (JSC::IntlNumberFormat::partTypeString):
2548         (JSC::IntlNumberFormat::formatToParts):
2549         * runtime/IntlNumberFormat.h:
2550         * runtime/IntlNumberFormatConstructor.cpp:
2551         (JSC::IntlNumberFormatConstructor::finishCreation):
2552         * runtime/IntlNumberFormatPrototype.cpp:
2553         (JSC::IntlNumberFormatPrototypeGetterFormat):
2554         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
2555         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2556         * runtime/IntlObject.cpp:
2557         (JSC::grandfatheredLangTag):
2558         (JSC::canonicalizeLocaleList):
2559         (JSC::resolveLocale):
2560         (JSC::supportedLocales):
2561         * runtime/IntlPluralRules.cpp:
2562         (JSC::IntlPluralRules::initializePluralRules):
2563         (JSC::IntlPluralRules::resolvedOptions):
2564         (JSC::IntlPluralRules::select):
2565         * runtime/IntlPluralRulesConstructor.cpp:
2566         (JSC::IntlPluralRulesConstructor::finishCreation):
2567         * runtime/IntlPluralRulesPrototype.cpp:
2568         (JSC::IntlPluralRulesPrototypeFuncSelect):
2569         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
2570         * runtime/IteratorOperations.cpp:
2571         (JSC::iteratorNext):
2572         (JSC::iteratorClose):
2573         (JSC::hasIteratorMethod):
2574         (JSC::iteratorMethod):
2575         * runtime/JSArray.cpp:
2576         (JSC::JSArray::tryCreateUninitializedRestricted):
2577         (JSC::JSArray::defineOwnProperty):
2578         (JSC::JSArray::put):
2579         (JSC::JSArray::setLengthWithArrayStorage):
2580         (JSC::JSArray::appendMemcpy):
2581         (JSC::JSArray::pop):
2582         * runtime/JSArray.h:
2583         * runtime/JSArrayBufferConstructor.cpp:
2584         (JSC::JSArrayBufferConstructor::finishCreation):
2585         * runtime/JSArrayBufferPrototype.cpp:
2586         (JSC::arrayBufferProtoFuncSlice):
2587         (JSC::arrayBufferProtoGetterFuncByteLength):
2588         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
2589         * runtime/JSArrayBufferView.cpp:
2590         (JSC::JSArrayBufferView::toStringName):
2591         * runtime/JSArrayInlines.h:
2592         (JSC::JSArray::pushInline):
2593         * runtime/JSBigInt.cpp:
2594         (JSC::JSBigInt::divide):
2595         (JSC::JSBigInt::remainder):
2596         (JSC::JSBigInt::toNumber const):
2597         * runtime/JSCJSValue.cpp:
2598         (JSC::JSValue::putToPrimitive):
2599         (JSC::JSValue::putToPrimitiveByIndex):
2600         (JSC::JSValue::toStringSlowCase const):
2601         * runtime/JSCJSValueInlines.h:
2602         (JSC::toPreferredPrimitiveType):
2603         * runtime/JSDataView.cpp:
2604         (JSC::JSDataView::create):
2605         (JSC::JSDataView::put):
2606         (JSC::JSDataView::defineOwnProperty):
2607         * runtime/JSDataViewPrototype.cpp:
2608         (JSC::getData):
2609         (JSC::setData):
2610         * runtime/JSFunction.cpp:
2611         (JSC::JSFunction::callerGetter):
2612         (JSC::JSFunction::put):
2613         (JSC::JSFunction::defineOwnProperty):
2614         * runtime/JSGenericTypedArrayView.h:
2615         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2616         (JSC::constructGenericTypedArrayViewWithArguments):
2617         (JSC::constructGenericTypedArrayView):
2618         * runtime/JSGenericTypedArrayViewInlines.h:
2619         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
2620         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2621         (JSC::speciesConstruct):
2622         (JSC::genericTypedArrayViewProtoFuncSet):
2623         (JSC::genericTypedArrayViewProtoFuncIndexOf):
2624         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2625         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2626         * runtime/JSGlobalObject.cpp:
2627         (JSC::JSGlobalObject::init):
2628         * runtime/JSGlobalObjectDebuggable.cpp:
2629         (JSC::JSGlobalObjectDebuggable::name const):
2630         * runtime/JSGlobalObjectFunctions.cpp:
2631         (JSC::encode):
2632         (JSC::decode):
2633         (JSC::globalFuncProtoSetter):
2634         * runtime/JSGlobalObjectFunctions.h:
2635         * runtime/JSMap.cpp:
2636         (JSC::JSMap::toStringName):
2637         * runtime/JSModuleEnvironment.cpp:
2638         (JSC::JSModuleEnvironment::put):
2639         * runtime/JSModuleNamespaceObject.cpp:
2640         (JSC::JSModuleNamespaceObject::put):
2641         (JSC::JSModuleNamespaceObject::putByIndex):
2642         (JSC::JSModuleNamespaceObject::defineOwnProperty):
2643         * runtime/JSONObject.cpp:
2644         (JSC::Stringifier::appendStringifiedValue):
2645         (JSC::JSONProtoFuncParse):
2646         (JSC::JSONProtoFuncStringify):
2647         * runtime/JSObject.cpp:
2648         (JSC::getClassPropertyNames):
2649         (JSC::JSObject::calculatedClassName):
2650         (JSC::ordinarySetSlow):
2651         (JSC::JSObject::putInlineSlow):
2652         (JSC::JSObject::setPrototypeWithCycleCheck):
2653         (JSC::callToPrimitiveFunction):
2654         (JSC::JSObject::ordinaryToPrimitive const):
2655         (JSC::JSObject::defaultHasInstance):
2656         (JSC::JSObject::defineOwnIndexedProperty):
2657         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2658         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2659         (JSC::validateAndApplyPropertyDescriptor):
2660         * runtime/JSObject.h:
2661         * runtime/JSObjectInlines.h:
2662         (JSC::JSObject::putInlineForJSObject):
2663         * runtime/JSPromiseConstructor.cpp:
2664         (JSC::JSPromiseConstructor::finishCreation):
2665         * runtime/JSSet.cpp:
2666         (JSC::JSSet::toStringName):
2667         * runtime/JSSymbolTableObject.h:
2668         (JSC::symbolTablePut):
2669         * runtime/JSTypedArrayViewConstructor.cpp:
2670         (JSC::constructTypedArrayView):
2671         * runtime/JSTypedArrayViewPrototype.cpp:
2672         (JSC::typedArrayViewPrivateFuncLength):
2673         (JSC::typedArrayViewProtoFuncSet):
2674         (JSC::typedArrayViewProtoFuncCopyWithin):
2675         (JSC::typedArrayViewProtoFuncLastIndexOf):
2676         (JSC::typedArrayViewProtoFuncIndexOf):
2677         (JSC::typedArrayViewProtoFuncJoin):
2678         (JSC::typedArrayViewProtoGetterFuncBuffer):
2679         (JSC::typedArrayViewProtoGetterFuncLength):
2680         (JSC::typedArrayViewProtoGetterFuncByteLength):
2681         (JSC::typedArrayViewProtoGetterFuncByteOffset):
2682         (JSC::typedArrayViewProtoFuncReverse):
2683         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
2684         (JSC::typedArrayViewProtoFuncSlice):
2685         (JSC::JSTypedArrayViewPrototype::finishCreation):
2686         * runtime/JSWeakMap.cpp:
2687         (JSC::JSWeakMap::toStringName):
2688         * runtime/JSWeakSet.cpp:
2689         (JSC::JSWeakSet::toStringName):
2690         * runtime/LiteralParser.cpp:
2691         (JSC::LiteralParser<CharType>::Lexer::lex):
2692         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2693         (JSC::LiteralParser<CharType>::Lexer::lexNumber):
2694         (JSC::LiteralParser<CharType>::parse):
2695         * runtime/LiteralParser.h:
2696         (JSC::LiteralParser::getErrorMessage):
2697         * runtime/Lookup.cpp:
2698         (JSC::reifyStaticAccessor):
2699         * runtime/Lookup.h:
2700         (JSC::putEntry):
2701         * runtime/MapPrototype.cpp:
2702         (JSC::getMap):
2703         * runtime/NullSetterFunction.cpp:
2704         (JSC::NullSetterFunctionInternal::callReturnUndefined):
2705         * runtime/NumberPrototype.cpp:
2706         (JSC::numberProtoFuncToExponential):
2707         (JSC::numberProtoFuncToFixed):
2708         (JSC::numberProtoFuncToPrecision):
2709         (JSC::extractToStringRadixArgument):
2710         * runtime/ObjectConstructor.cpp:
2711         (JSC::objectConstructorSetPrototypeOf):
2712         (JSC::objectConstructorAssign):
2713         (JSC::objectConstructorValues):
2714         (JSC::toPropertyDescriptor):
2715         (JSC::objectConstructorDefineProperty):
2716         (JSC::objectConstructorDefineProperties):
2717         (JSC::objectConstructorCreate):
2718         (JSC::objectConstructorSeal):
2719         (JSC::objectConstructorFreeze):
2720         * runtime/ObjectPrototype.cpp:
2721         (JSC::objectProtoFuncDefineGetter):
2722         (JSC::objectProtoFuncDefineSetter):
2723         * runtime/Operations.cpp:
2724         (JSC::jsAddSlowCase):
2725         * runtime/Operations.h:
2726         (JSC::jsSub):
2727         (JSC::jsMul):
2728         * runtime/ProgramExecutable.cpp:
2729         (JSC::ProgramExecutable::initializeGlobalProperties):
2730         * runtime/ProxyConstructor.cpp:
2731         (JSC::makeRevocableProxy):
2732         (JSC::proxyRevocableConstructorThrowError):
2733         (JSC::ProxyConstructor::finishCreation):
2734         (JSC::constructProxyObject):
2735         * runtime/ProxyObject.cpp:
2736         (JSC::ProxyObject::toStringName):
2737         (JSC::ProxyObject::finishCreation):
2738         (JSC::performProxyGet):
2739         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2740         (JSC::ProxyObject::performHasProperty):
2741         (JSC::ProxyObject::performPut):
2742         (JSC::performProxyCall):
2743         (JSC::performProxyConstruct):
2744         (JSC::ProxyObject::performDelete):
2745         (JSC::ProxyObject::performPreventExtensions):
2746         (JSC::ProxyObject::performIsExtensible):
2747         (JSC::ProxyObject::performDefineOwnProperty):
2748         (JSC::ProxyObject::performGetOwnPropertyNames):
2749         (JSC::ProxyObject::performSetPrototype):
2750         (JSC::ProxyObject::performGetPrototype):
2751         * runtime/ReflectObject.cpp:
2752         (JSC::reflectObjectConstruct):
2753         (JSC::reflectObjectDefineProperty):
2754         (JSC::reflectObjectGet):
2755         (JSC::reflectObjectGetOwnPropertyDescriptor):
2756         (JSC::reflectObjectGetPrototypeOf):
2757         (JSC::reflectObjectIsExtensible):
2758         (JSC::reflectObjectOwnKeys):
2759         (JSC::reflectObjectPreventExtensions):
2760         (JSC::reflectObjectSet):
2761         (JSC::reflectObjectSetPrototypeOf):
2762         * runtime/RegExpConstructor.cpp:
2763         (JSC::RegExpConstructor::finishCreation):
2764         (JSC::toFlags):
2765         * runtime/RegExpObject.cpp:
2766         (JSC::RegExpObject::defineOwnProperty):
2767         * runtime/RegExpObject.h:
2768         * runtime/RegExpPrototype.cpp:
2769         (JSC::regExpProtoFuncCompile):
2770         (JSC::regExpProtoGetterGlobal):
2771         (JSC::regExpProtoGetterIgnoreCase):
2772         (JSC::regExpProtoGetterMultiline):
2773         (JSC::regExpProtoGetterDotAll):
2774         (JSC::regExpProtoGetterSticky):
2775         (JSC::regExpProtoGetterUnicode):
2776         (JSC::regExpProtoGetterFlags):
2777         (JSC::regExpProtoGetterSourceInternal):
2778         (JSC::regExpProtoGetterSource):
2779         * runtime/RuntimeType.cpp:
2780         (JSC::runtimeTypeAsString):
2781         * runtime/SamplingProfiler.cpp:
2782         (JSC::SamplingProfiler::StackFrame::displayName):
2783         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
2784         * runtime/ScriptExecutable.cpp:
2785         (JSC::ScriptExecutable::prepareForExecutionImpl):
2786         * runtime/SetPrototype.cpp:
2787         (JSC::getSet):
2788         * runtime/SparseArrayValueMap.cpp:
2789         (JSC::SparseArrayValueMap::putEntry):
2790         (JSC::SparseArrayValueMap::putDirect):
2791         (JSC::SparseArrayEntry::put):
2792         * runtime/StackFrame.cpp:
2793         (JSC::StackFrame::sourceURL const):
2794         (JSC::StackFrame::functionName const):
2795         * runtime/StringConstructor.cpp:
2796         (JSC::stringFromCodePoint):
2797         * runtime/StringObject.cpp:
2798         (JSC::StringObject::put):
2799         (JSC::StringObject::putByIndex):
2800         * runtime/StringPrototype.cpp:
2801         (JSC::StringPrototype::finishCreation):
2802         (JSC::toLocaleCase):
2803         (JSC::stringProtoFuncNormalize):
2804         * runtime/Symbol.cpp:
2805         (JSC::Symbol::toNumber const):
2806         * runtime/SymbolConstructor.cpp:
2807         (JSC::symbolConstructorKeyFor):
2808         * runtime/SymbolObject.cpp:
2809         (JSC::SymbolObject::toStringName):
2810         * runtime/SymbolPrototype.cpp:
2811         (JSC::SymbolPrototype::finishCreation):
2812         * runtime/TypeSet.cpp:
2813         (JSC::TypeSet::dumpTypes const):
2814         (JSC::TypeSet::displayName const):
2815         (JSC::StructureShape::leastCommonAncestor):
2816         * runtime/TypeSet.h:
2817         (JSC::StructureShape::setConstructorName):
2818         * runtime/VM.cpp:
2819         (JSC::VM::dumpTypeProfilerData):
2820         * runtime/WeakMapPrototype.cpp:
2821         (JSC::getWeakMap):
2822         (JSC::protoFuncWeakMapSet):
2823         * runtime/WeakSetPrototype.cpp:
2824         (JSC::getWeakSet):
2825         (JSC::protoFuncWeakSetAdd):
2826         * tools/JSDollarVM.cpp:
2827         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2828         (WTF::DOMJITGetterComplex::customGetter):
2829         (JSC::functionSetImpureGetterDelegate):
2830         (JSC::functionCreateElement):
2831         (JSC::functionGetHiddenValue):
2832         (JSC::functionSetHiddenValue):
2833         (JSC::functionFindTypeForExpression):
2834         (JSC::functionReturnTypeFor):
2835         (JSC::functionLoadGetterFromGetterSetter):
2836         * wasm/WasmB3IRGenerator.cpp:
2837         (JSC::Wasm::B3IRGenerator::fail const):
2838         * wasm/WasmIndexOrName.cpp:
2839         (JSC::Wasm::makeString):
2840         * wasm/WasmParser.h:
2841         (JSC::Wasm::FailureHelper::makeString):
2842         (JSC::Wasm::Parser::fail const):
2843         * wasm/WasmPlan.cpp:
2844         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
2845         * wasm/WasmValidate.cpp:
2846         (JSC::Wasm::Validate::fail const):
2847         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2848         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2849         * wasm/js/JSWebAssemblyHelpers.h:
2850         (JSC::toNonWrappingUint32):
2851         (JSC::getWasmBufferFromValue):
2852         * wasm/js/JSWebAssemblyInstance.cpp:
2853         (JSC::JSWebAssemblyInstance::create):
2854         * wasm/js/JSWebAssemblyMemory.cpp:
2855         (JSC::JSWebAssemblyMemory::grow):
2856         * wasm/js/WasmToJS.cpp:
2857         (JSC::Wasm::handleBadI64Use):
2858         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2859         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
2860         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2861         (JSC::constructJSWebAssemblyInstance):
2862         (JSC::WebAssemblyInstanceConstructor::finishCreation):
2863         * wasm/js/WebAssemblyInstancePrototype.cpp:
2864         (JSC::getInstance):
2865         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2866         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
2867         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2868         (JSC::constructJSWebAssemblyMemory):
2869         (JSC::WebAssemblyMemoryConstructor::finishCreation):
2870         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2871         (JSC::getMemory):
2872         * wasm/js/WebAssemblyModuleConstructor.cpp:
2873         (JSC::webAssemblyModuleCustomSections):
2874         (JSC::webAssemblyModuleImports):
2875         (JSC::webAssemblyModuleExports):
2876         (JSC::WebAssemblyModuleConstructor::finishCreation):
2877         * wasm/js/WebAssemblyModuleRecord.cpp:
2878         (JSC::WebAssemblyModuleRecord::link):
2879         (JSC::dataSegmentFail):
2880         (JSC::WebAssemblyModuleRecord::evaluate):
2881         * wasm/js/WebAssemblyPrototype.cpp:
2882         (JSC::resolve):
2883         (JSC::webAssemblyInstantiateFunc):
2884         (JSC::webAssemblyInstantiateStreamingInternal):
2885         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2886         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
2887         * wasm/js/WebAssemblyTableConstructor.cpp:
2888         (JSC::constructJSWebAssemblyTable):
2889         (JSC::WebAssemblyTableConstructor::finishCreation):
2890         * wasm/js/WebAssemblyTablePrototype.cpp:
2891         (JSC::getTable):
2892         (JSC::webAssemblyTableProtoFuncGrow):
2893         (JSC::webAssemblyTableProtoFuncGet):
2894         (JSC::webAssemblyTableProtoFuncSet):
2895
2896 2018-06-22  Keith Miller  <keith_miller@apple.com>
2897
2898         unshift should zero unused property storage
2899         https://bugs.webkit.org/show_bug.cgi?id=186960
2900
2901         Reviewed by Saam Barati.
2902
2903         Also, this patch adds the zeroed unused property storage assertion
2904         to one more place it was missing.
2905
2906         * runtime/JSArray.cpp:
2907         (JSC::JSArray::unshiftCountSlowCase):
2908         * runtime/JSObjectInlines.h:
2909         (JSC::JSObject::putDirectInternal):
2910
2911 2018-06-22  Mark Lam  <mark.lam@apple.com>
2912
2913         PropertyCondition::isValidValueForAttributes() should also consider deleted values.
2914         https://bugs.webkit.org/show_bug.cgi?id=186943
2915         <rdar://problem/41370337>
2916
2917         Reviewed by Saam Barati.
2918
2919         PropertyCondition::isValidValueForAttributes() should check if the passed in value
2920         is a deleted one before it does a jsDynamicCast on it.
2921
2922         * bytecode/PropertyCondition.cpp:
2923         (JSC::PropertyCondition::isValidValueForAttributes):
2924         * runtime/JSCJSValueInlines.h:
2925         - removed an unnecessary #if.
2926
2927 2018-06-22  Keith Miller  <keith_miller@apple.com>
2928
2929         performProxyCall should toThis the value passed to its handler
2930         https://bugs.webkit.org/show_bug.cgi?id=186951
2931
2932         Reviewed by Mark Lam.
2933
2934         * runtime/ProxyObject.cpp:
2935         (JSC::performProxyCall):
2936
2937 2018-06-22  Saam Barati  <sbarati@apple.com>
2938
2939         ensureWritableX should only convert away from CoW when it will succeed
2940         https://bugs.webkit.org/show_bug.cgi?id=186898
2941
2942         Reviewed by Keith Miller.
2943
2944         Otherwise, when we OSR exit, we'll end up profiling the array after
2945         it has been converted away from CoW. It's better for the ArrayProfile
2946         to see the array as it's still in CoW mode.
2947         
2948         This patch also renames ensureWritableX to tryMakeWritableX since these
2949         were never really "ensure" operations -- they may fail and return null.
2950
2951         * dfg/DFGOperations.cpp:
2952         * runtime/JSObject.cpp:
2953         (JSC::JSObject::tryMakeWritableInt32Slow):
2954         (JSC::JSObject::tryMakeWritableDoubleSlow):
2955         (JSC::JSObject::tryMakeWritableContiguousSlow):
2956         (JSC::JSObject::ensureWritableInt32Slow): Deleted.
2957         (JSC::JSObject::ensureWritableDoubleSlow): Deleted.
2958         (JSC::JSObject::ensureWritableContiguousSlow): Deleted.
2959         * runtime/JSObject.h:
2960         (JSC::JSObject::tryMakeWritableInt32):
2961         (JSC::JSObject::tryMakeWritableDouble):
2962         (JSC::JSObject::tryMakeWritableContiguous):
2963         (JSC::JSObject::ensureWritableInt32): Deleted.
2964         (JSC::JSObject::ensureWritableDouble): Deleted.
2965         (JSC::JSObject::ensureWritableContiguous): Deleted.
2966
2967 2018-06-22  Keith Miller  <keith_miller@apple.com>
2968
2969         We should call visitChildren on Base not the exact typename
2970         https://bugs.webkit.org/show_bug.cgi?id=186928
2971
2972         Reviewed by Mark Lam.
2973
2974         A lot of places were not properly calling visitChildren on their
2975         superclass. For most of them it didn't matter because they had
2976         immortal structures. If code changed in the future this might
2977         break things however.
2978
2979         Also, block off more of the MethodTable for GetterSetter objects.
2980
2981         * bytecode/CodeBlock.cpp:
2982         (JSC::CodeBlock::visitChildren):
2983         * bytecode/ExecutableToCodeBlockEdge.cpp:
2984         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2985         * debugger/DebuggerScope.cpp:
2986         (JSC::DebuggerScope::visitChildren):
2987         * runtime/EvalExecutable.cpp:
2988         (JSC::EvalExecutable::visitChildren):
2989         * runtime/FunctionExecutable.cpp:
2990         (JSC::FunctionExecutable::visitChildren):
2991         * runtime/FunctionRareData.cpp:
2992         (JSC::FunctionRareData::visitChildren):
2993         * runtime/GenericArgumentsInlines.h:
2994         (JSC::GenericArguments<Type>::visitChildren):
2995         * runtime/GetterSetter.cpp:
2996         (JSC::GetterSetter::visitChildren):
2997         * runtime/GetterSetter.h:
2998         * runtime/InferredType.cpp:
2999         (JSC::InferredType::visitChildren):
3000         * runtime/InferredTypeTable.cpp:
3001         (JSC::InferredTypeTable::visitChildren):
3002         * runtime/InferredValue.cpp:
3003         (JSC::InferredValue::visitChildren):
3004         * runtime/JSArrayBufferView.cpp:
3005         (JSC::JSArrayBufferView::visitChildren):
3006         * runtime/JSGenericTypedArrayViewInlines.h:
3007         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
3008         * runtime/ModuleProgramExecutable.cpp:
3009         (JSC::ModuleProgramExecutable::visitChildren):
3010         * runtime/ProgramExecutable.cpp:
3011         (JSC::ProgramExecutable::visitChildren):
3012         * runtime/ScopedArguments.cpp:
3013         (JSC::ScopedArguments::visitChildren):
3014         * runtime/ScopedArguments.h:
3015         * runtime/Structure.cpp:
3016         (JSC::Structure::visitChildren):
3017         * runtime/StructureRareData.cpp:
3018         (JSC::StructureRareData::visitChildren):
3019         * runtime/SymbolTable.cpp:
3020         (JSC::SymbolTable::visitChildren):
3021
3022 2018-06-20  Darin Adler  <darin@apple.com>
3023
3024         [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity
3025         https://bugs.webkit.org/show_bug.cgi?id=186875
3026
3027         Reviewed by Anders Carlsson.
3028
3029         * API/tests/testapi.mm:
3030         (testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file.
3031
3032 2018-06-22  Carlos Garcia Campos  <cgarcia@igalia.com>
3033
3034         [GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message
3035         https://bugs.webkit.org/show_bug.cgi?id=186915
3036
3037         Reviewed by Žan Doberšek.
3038
3039         Update StartAutomationSession message handling to receive a dictionary of session capabilities.
3040
3041         * inspector/remote/glib/RemoteInspectorServer.cpp:
3042         (Inspector::processSessionCapabilities): Helper method to process the session capabilities.
3043
3044 2018-06-21  Mark Lam  <mark.lam@apple.com>
3045
3046         WebKit (JavaScriptCore) compilation error with Clang ≥ 6.
3047         https://bugs.webkit.org/show_bug.cgi?id=185947
3048         <rdar://problem/40131933>
3049
3050         Reviewed by Saam Barati.
3051
3052         Newer Clang versions (due to C++17 support) are not happy with how I implemented
3053         conversions between CodeLocation types.  We'll fix this by adding a conversion
3054         operator for converting between CodeLocation types.
3055
3056         * assembler/CodeLocation.h:
3057         (JSC::CodeLocationCommon::operator T):
3058
3059 2018-06-21  Saam Barati  <sbarati@apple.com>
3060
3061         Do some CoW cleanup
3062         https://bugs.webkit.org/show_bug.cgi?id=186896
3063
3064         Reviewed by Mark Lam.
3065
3066         * bytecode/UnlinkedCodeBlock.h:
3067         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
3068         We don't need to WTFMove() ints
3069
3070         * dfg/DFGByteCodeParser.cpp:
3071         (JSC::DFG::ByteCodeParser::parseBlock):
3072         remove a TODO.
3073
3074         * runtime/JSObject.cpp:
3075         (JSC::JSObject::putByIndex):
3076         We were checking for isCopyOnWrite even after we converted away
3077         from CoW in above code.
3078         (JSC::JSObject::ensureWritableInt32Slow):
3079         Model this in the same way the other ensureWritableXSlow are modeled.
3080
3081 2018-06-20  Keith Miller  <keith_miller@apple.com>
3082
3083         flattenDictionaryStructure needs to zero inline storage.
3084         https://bugs.webkit.org/show_bug.cgi?id=186869
3085
3086         Reviewed by Saam Barati.
3087
3088         This patch also adds the assertion that unused property storage is
3089         zero or JSValue() to putDirectInternal. Additionally, functions
3090         have been added to $vm that flatten dictionary objects and return
3091         the inline capacity of an object.
3092
3093         * runtime/JSObjectInlines.h:
3094         (JSC::JSObject::putDirectInternal):
3095         * runtime/Structure.cpp:
3096         (JSC::Structure::flattenDictionaryStructure):
3097         * tools/JSDollarVM.cpp:
3098         (JSC::functionInlineCapacity):
3099         (JSC::functionFlattenDictionaryObject):
3100         (JSC::JSDollarVM::finishCreation):
3101
3102 2018-06-21  Mark Lam  <mark.lam@apple.com>
3103
3104         Use IsoCellSets to track Executables with clearable code.
3105         https://bugs.webkit.org/show_bug.cgi?id=186877
3106
3107         Reviewed by Filip Pizlo.
3108
3109         Here’s an example of the results that this fix may yield: 
3110         1. The workload: load cnn.com, wait for it to fully load, scroll down and up.
3111         2. Statistics on memory touched and memory freed by VM::deleteAllCode():
3112
3113            Visiting Executables:
3114                                                         Old             New
3115            Number of objects visited:                   70897           14264
3116            Number of objects with deletable code:       14264 (20.1%)   14264 (100%)
3117            Number of memory pages visited:              3224            1602
3118            Number of memory pages with deletable code:  1602 (49.7%)    1602 (100%)
3119
3120         Visiting UnlinkedFunctionExecutables:
3121                                                         Old             New
3122            Number of objects visited:                   105454          17231
3123            Number of objects with deletable code:       42319 (20.1%)   17231 (100%) **
3124            Number of memory pages visited:              4796            1349
3125            Number of memory pages with deletable code:  4013 (83.7%)    1349 (100%)
3126
3127         ** The number of objects differs because the old code only visited unlinked
3128            executables indirectly via linked executables, whereas the new behavior visits
3129            all unlinked executables with deletable code directly.  This means:
3130
3131            a. we used to not visit unlinked executables that have not been linked yet
3132               i.e. deleteAllCode() may not delete all code (especially code that is not
3133               used).
3134            b. we had to visit all linked executables to check if they are of type
3135               FunctionExecutable, before going on to visit their unlinked executable, and
3136               this includes the ones that do not have deletable code.  This means that we
3137               would touch more memory in the process.
3138
3139            Both of these issues are now fixed with the new code.
3140
3141         This code was tested with manually inserted instrumentation to track the above
3142         statistics.  It is not feasible to write an automated test for this without
3143         leaving a lot of invasive instrumentation in the code.
3144
3145         * bytecode/UnlinkedFunctionExecutable.cpp:
3146         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3147         * bytecode/UnlinkedFunctionExecutable.h:
3148         * heap/CodeBlockSetInlines.h:
3149         (JSC::CodeBlockSet::iterateViaSubspaces):
3150         * heap/Heap.cpp:
3151         (JSC::Heap::deleteAllCodeBlocks):
3152         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
3153         (JSC::Heap::deleteUnmarkedCompiledCode):
3154         (JSC::Heap::clearUnmarkedExecutables): Deleted.
3155         (JSC::Heap::addExecutable): Deleted.
3156         * heap/Heap.h:
3157         * runtime/DirectEvalExecutable.h:
3158
3159         * runtime/ExecutableBase.cpp:
3160         (JSC::ExecutableBase::hasClearableCode const):
3161         - this is written based on the implementation of ExecutableBase::clearCode().
3162
3163         * runtime/ExecutableBase.h:
3164         * runtime/FunctionExecutable.h:
3165         * runtime/IndirectEvalExecutable.h:
3166         * runtime/ModuleProgramExecutable.h:
3167         * runtime/ProgramExecutable.h:
3168         * runtime/ScriptExecutable.cpp:
3169         (JSC::ScriptExecutable::clearCode):
3170         (JSC::ScriptExecutable::installCode):
3171         * runtime/ScriptExecutable.h:
3172         (JSC::ScriptExecutable::finishCreation):
3173         * runtime/VM.cpp:
3174         (JSC::VM::VM):
3175         * runtime/VM.h:
3176         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
3177         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
3178         (JSC::VM::forEachScriptExecutableSpace):
3179         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet):
3180         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor):
3181
3182 2018-06-21  Zan Dobersek  <zdobersek@igalia.com>
3183
3184         [GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions
3185         https://bugs.webkit.org/show_bug.cgi?id=186884
3186
3187         Reviewed by Carlos Garcia Campos.
3188
3189         Add a tuple array input parameter to the StartAutomationSession DBus
3190         message, representing a list of host-and-certificate pairs that have to
3191         be allowed for a given session. This array is then unpacked and used to
3192         fill out the certificates Vector object in the SessionCapabilities
3193         struct.
3194
3195         * inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of
3196         String pairs representing hosts and the certificate file paths.
3197         * inspector/remote/glib/RemoteInspectorServer.cpp:
3198
3199 2018-06-20  Keith Miller  <keith_miller@apple.com>
3200
3201         Expand concurrent GC assertion to accept JSValue() or 0
3202         https://bugs.webkit.org/show_bug.cgi?id=186855
3203
3204         Reviewed by Mark Lam.
3205
3206         We tend to set unused property slots to either JSValue() or 0
3207         depending on the context. On 64-bit these are the same but on
3208         32-bit JSValue() has a NaN tag. This patch makes it so we
3209         accept either JSValue() or 0.
3210
3211         * runtime/JSObjectInlines.h:
3212         (JSC::JSObject::prepareToPutDirectWithoutTransition):
3213
3214 2018-06-20  Guillaume Emont  <guijemont@igalia.com>
3215
3216         [Armv7] Linkbuffer: executableOffsetFor() fails for location 2
3217         https://bugs.webkit.org/show_bug.cgi?id=186765
3218
3219         Reviewed by Michael Saboff.
3220
3221         This widens the check for 0 so that we handle that case more correctly.
3222
3223         * assembler/LinkBuffer.h:
3224         (JSC::LinkBuffer::executableOffsetFor):
3225
3226 2018-06-19  Keith Miller  <keith_miller@apple.com>
3227
3228         Fix broken assertion on 32-bit
3229         https://bugs.webkit.org/show_bug.cgi?id=186830
3230
3231         Reviewed by Mark Lam.
3232
3233         The assertion was intended to catch concurrent GC issues. We don't
3234         run them on 32-bit so we don't need this assertion there. The
3235         assertion was broken because zero is not JSValue() on 32-bit.
3236
3237         * runtime/JSObjectInlines.h:
3238         (JSC::JSObject::prepareToPutDirectWithoutTransition):
3239
3240 2018-06-19  Keith Miller  <keith_miller@apple.com>
3241
3242         flattenDictionaryStructure needs to zero properties that have been compressed away
3243         https://bugs.webkit.org/show_bug.cgi?id=186828
3244
3245         Reviewed by Mark Lam.
3246
3247         This patch fixes a bunch of crashing Mozilla tests on the bots.
3248
3249         * runtime/Structure.cpp:
3250         (JSC::Structure::flattenDictionaryStructure):
3251
3252 2018-06-19  Saam Barati  <sbarati@apple.com>
3253
3254         DirectArguments::create needs to initialize to undefined instead of the empty value
3255         https://bugs.webkit.org/show_bug.cgi?id=186818
3256         <rdar://problem/38415177>
3257
3258         Reviewed by Filip Pizlo.
3259
3260         The bug here is that we will emit code that just loads from DirectArguments as
3261         long as the index is within the known capacity of the arguments object (op_get_from_arguments).
3262         The arguments object has at least enough capacity to hold the declared parameters.
3263         When we materialized this object in OSR exit, we initialized up to the capacity
3264         with JSValue(). In OSR exit, though, we only filled up to the length of the
3265         object with actual values. So we'd end up with a DirectArguments object with
3266         capacity minus length slots of JSValue(). To fix this, we need to initialize up to
3267         capacity with jsUndefined during construction. The invariant of this object is
3268         that the capacity minus length slots at the end are filled in with jsUndefined.
3269
3270         * runtime/DirectArguments.cpp:
3271         (JSC::DirectArguments::create):
3272
3273 2018-06-19  Michael Saboff  <msaboff@apple.com>
3274
3275         Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
3276         https://bugs.webkit.org/show_bug.cgi?id=186827
3277
3278         Reviewed by Saam Barati.
3279
3280         Need to set VM::lastStackTop before any possible calls to sanitizeStack().
3281
3282         * runtime/JSLock.cpp:
3283         (JSC::JSLock::didAcquireLock):
3284
3285 2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>
3286
3287         ShadowChicken crashes with stack overflow in the LLInt
3288         https://bugs.webkit.org/show_bug.cgi?id=186540
3289         <rdar://problem/39682133>
3290
3291         Reviewed by Saam Barati.
3292
3293         Stack overflows in the LLInt were crashing in ShadowChicken when compiling
3294         with debug opcodes because it was accessing the scope of the incomplete top
3295         frame, which hadn't been set yet. Check that we have moved past the first
3296         opcode (enter) and that the scope is not undefined (enter will
3297         initialize it to undefined).
3298
3299         * interpreter/ShadowChicken.cpp:
3300         (JSC::ShadowChicken::update):
3301
3302 2018-06-19  Keith Miller  <keith_miller@apple.com>
3303
3304         constructArray variants should take the slow path for subclasses of Array
3305         https://bugs.webkit.org/show_bug.cgi?id=186812
3306
3307         Reviewed by Saam Barati and Mark Lam.
3308
3309         This patch fixes a crashing test in ObjectInitializationScope where we would
3310         allocate a new structure for an indexing type change while initializing
3311         a subclass of Array. Since the new array hasn't been fully initialized,
3312         if the GC ran it would see garbage and we might crash.
3313
3314         * runtime/JSArray.cpp:
3315         (JSC::constructArray):
3316         (JSC::constructArrayNegativeIndexed):
3317         * runtime/JSArray.h:
3318         (JSC::constructArray): Deleted.
3319         (JSC::constructArrayNegativeIndexed): Deleted.
3320
3321 2018-06-19  Saam Barati  <sbarati@apple.com>
3322
3323         Wasm: Any function argument of type Void should be a validation error
3324         https://bugs.webkit.org/show_bug.cgi?id=186794
3325         <rdar://problem/41140257>
3326
3327         Reviewed by Keith Miller.
3328
3329         * wasm/WasmModuleParser.cpp:
3330         (JSC::Wasm::ModuleParser::parseType):
3331
3332 2018-06-18  Keith Miller  <keith_miller@apple.com>
3333
3334         JSImmutableButterfly should assert m_header is adjacent to the data
3335         https://bugs.webkit.org/show_bug.cgi?id=186795
3336
3337         Reviewed by Saam Barati.
3338
3339         * runtime/JSImmutableButterfly.cpp:
3340         * runtime/JSImmutableButterfly.h:
3341
3342 2018-06-18  Keith Miller  <keith_miller@apple.com>
3343
3344         Unreviewed, fix the build...
3345
3346         * runtime/JSArray.cpp:
3347         (JSC::JSArray::tryCreateUninitializedRestricted):
3348
3349 2018-06-18  Keith Miller  <keith_miller@apple.com>
3350
3351         Unreviewed, remove bad assertion.
3352
3353         * runtime/JSArray.cpp:
3354         (JSC::JSArray::tryCreateUninitializedRestricted):
3355
3356 2018-06-18  Keith Miller  <keith_miller@apple.com>
3357
3358         Properly zero unused property storage offsets
3359         https://bugs.webkit.org/show_bug.cgi?id=186692
3360
3361         Reviewed by Filip Pizlo.
3362
3363         Since the concurrent GC might see a property slot before the mutator has actually