[JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
4         https://bugs.webkit.org/show_bug.cgi?id=201664
5         <rdar://problem/52126927>
6
7         Reviewed by Tadeu Zagallo.
8
9         We are hitting the crash accessing invalid-pointer as CodeBlock::calleeSaveRegisters result.
10         This is because concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters.
11         Since m_jitData can be initialized in the main thread while calling CodeBlock::calleeSaveRegisters from concurrent Baseline JIT compiler thread,
12         we can see half-baked JITData structure which holds garbage pointers.
13
14         But we do not want to make CodeBlock::calleeSaveRegisters() call with CodeBlock::m_lock due to several reasons.
15
16         1. This function is very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are
17            called while taking this exact same lock, so dead-lock can happen.
18         2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlock. And DFG and FTL code accesses these field after initializing properly. For Baseline JIT
19            compiler case, only thing we should do is that JITData should say m_calleeSaveRegisters is nullptr and it won't be filled for this CodeBlock.
20
21         Instead of guarding CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts WTF::storeStoreFence when filling m_jitData. This ensures that
22         JITData::m_calleeSaveRegisters is initialized with nullptr when this JITData pointer is exposed to concurrent Baseline JIT compiler thread.
23
24         * bytecode/CodeBlock.cpp:
25         (JSC::CodeBlock::ensureJITDataSlow):
26
27 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
28
29         [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
30         https://bugs.webkit.org/show_bug.cgi?id=198253
31
32         Reviewed by Mark Lam.
33
34         ResultType of bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like a int32.
35         When it is specified, TypeMaybeNumber must exist too. This issue compiles op_div in JetStream2/async-fs slow-path. And eventually DFG first mis-compiles
36         it with Int32 ArithDiv while that div always produces double. And unnecessary OSR exit happens.
37
38         In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.
39
40         * parser/ResultType.h:
41         (JSC::ResultType::bigIntOrInt32Type):
42
43 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
44
45         [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
46         https://bugs.webkit.org/show_bug.cgi?id=201634
47
48         Reviewed by Mark Lam.
49
50         Accidentally, the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
51         For example, in BitAnd strength reduction,
52
53             1034             // Turn this: BitAnd(value, all-ones)
54             1035             // Into this: value.
55             1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
56             1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
57             1038                 replaceWithIdentity(m_value->child(0));
58             1039                 break;
59             1040             }
60
61         We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
62
63             262 inline bool Value::isInt(int64_t value) const
64             263 {
65             264     return hasInt() && asInt() == value;
66             265 }
67
68         So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX can be representable in int64_t. And Value::asInt implementation is,
69
70             257 inline int64_t Value::asInt() const
71             258 {
72             259     return hasInt32() ? asInt32() : asInt64();
73             260 }
74
75         So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
76         We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).
77
78         We also fix the following optimization.
79
80             // Turn this: BitAnd(Op(value, constant1), constant2)
81             //     where !(constant1 & constant2)
82             //       and Op is BitOr or BitXor
83             // into this: BitAnd(value, constant2)
84
85         Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
86
87             // Turn this: BitAnd(BitXor(x, allOnes), c)
88             // Into this: BitXor(BitOr(x, ~c), allOnes)
89
90         We add 32bit version of B3 tests for these optimizations.
91
92         * b3/B3LowerToAir.cpp:
93         * b3/B3ReduceStrength.cpp:
94         * b3/testb3.h:
95         * b3/testb3_2.cpp:
96         (testBitAndNotNot32):
97         (testBitAndNotImm):
98         (testBitAndNotImm32):
99         (testBitOrAndAndArgs32):
100         (testBitOrAndSameArgs32):
101         (testBitOrNotNot32):
102         (testBitOrNotImm32):
103         (addBitTests):
104         * b3/testb3_3.cpp:
105         (testBitXorAndAndArgs32):
106         (testBitXorAndSameArgs32):
107
108 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
109
110         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
111         https://bugs.webkit.org/show_bug.cgi?id=189043
112
113         Reviewed by Keith Miller.
114
115         This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan.
116         And remove Wasm::ModuleParser. This patch paves the way to implementing Wasm streaming features by
117         using Wasm::StreamingParser.
118
119         Currently, we are not using streaming feature of StreamingParser. In a subsequent patch, we will
120         create a mechanism to pipe a chunk of data to streaming parser to enable WebAssembly.compileStreaming
121         and instantiateStreaming.
122
123         * JavaScriptCore.xcodeproj/project.pbxproj:
124         * Sources.txt:
125         * tools/JSDollarVM.cpp:
126         (JSC::WasmStreamingParser::WasmStreamingParser):
127         * wasm/WasmAirIRGenerator.cpp:
128         (JSC::Wasm::parseAndCompileAir):
129         * wasm/WasmAirIRGenerator.h:
130         * wasm/WasmB3IRGenerator.cpp:
131         (JSC::Wasm::parseAndCompile): Use FunctionData, it is good since it is more strongly typed.
132         * wasm/WasmB3IRGenerator.h:
133         * wasm/WasmBBQPlan.cpp:
134         (JSC::Wasm::BBQPlan::BBQPlan):
135         (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation.
136         (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser.
137         (JSC::Wasm::BBQPlan::compileFunctions):
138         (JSC::Wasm::BBQPlan::complete):
139         * wasm/WasmBBQPlan.h:
140         * wasm/WasmModuleParser.cpp: Removed.
141         * wasm/WasmModuleParser.h: Removed.
142         * wasm/WasmOMGForOSREntryPlan.cpp:
143         (JSC::Wasm::OMGForOSREntryPlan::work):
144         * wasm/WasmOMGPlan.cpp:
145         (JSC::Wasm::OMGPlan::work):
146         * wasm/WasmPlan.cpp:
147         (JSC::Wasm::Plan::fail): Make fail function callable multiple times. The first error will be used.
148         * wasm/WasmSectionParser.cpp:
149         (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used.
150         * wasm/WasmStreamingParser.cpp:
151         (JSC::Wasm::StreamingParser::StreamingParser):
152         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
153         (JSC::Wasm::StreamingParser::parseFunctionPayload):
154         (JSC::Wasm::StreamingParser::parseSectionPayload):
155         (JSC::Wasm::StreamingParser::finalize): Call client's callbacks at appropriate timings.
156         * wasm/WasmStreamingParser.h:
157         (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
158         (JSC::Wasm::StreamingParserClient::didReceiveFunctionData):
159         (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient,
160         which has 3 callbacks right now. StreamingParser gets this client and call these callbacks
161         at appropriate timings.
162         * wasm/WasmValidate.cpp:
163         (JSC::Wasm::validateFunction):
164         * wasm/WasmValidate.h: Use FunctionData, it is good since it is more strongly typed.
165
166 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
167
168         [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory
169         https://bugs.webkit.org/show_bug.cgi?id=201622
170
171         Reviewed by Mark Lam.
172
173         CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, some of the places reallocate
174         this Vector without taking a lock. If a Vector memory is reallocated while iterating it in concurrent collector,
175         the concurrent collector can see a garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock.
176
177         * bytecode/CodeBlock.cpp:
178         (JSC::CodeBlock::finishCreation):
179         (JSC::CodeBlock::setConstantRegisters):
180         * bytecode/CodeBlock.h:
181         (JSC::CodeBlock::addConstant):
182         (JSC::CodeBlock::addConstantLazily):
183         * dfg/DFGDesiredWatchpoints.cpp:
184         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
185         (JSC::DFG::SymbolTableAdaptor::add):
186         (JSC::DFG::FunctionExecutableAdaptor::add):
187         * dfg/DFGGraph.cpp:
188         (JSC::DFG::Graph::registerFrozenValues):
189         * dfg/DFGJITFinalizer.cpp:
190         (JSC::DFG::JITFinalizer::finalizeCommon):
191         * dfg/DFGLazyJSValue.cpp:
192         (JSC::DFG::LazyJSValue::emit const):
193
194 2019-09-09  Robin Morisset  <rmorisset@apple.com>
195
196         [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array
197         https://bugs.webkit.org/show_bug.cgi?id=197305
198
199         Reviewed by Keith Miller.
200
201         Currently it is a HashSet, but it only ever holds at most registerCount() items. And linear search tends to be faster on such a small collection than hashing + searching in a HashSet.
202         Further benefits include avoiding the allocation of the HashSet, not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists).
203
204         This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly.
205         Apart from that, the patch got some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (that for example was only logging the number of iterations for FP registers, and not the more interesting number for GP registers).
206
207         The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms.
208         So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall.
209
210         No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2.
211
212         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
213
214 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
215
216         [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector
217         https://bugs.webkit.org/show_bug.cgi?id=201613
218
219         Reviewed by Mark Lam.
220
221         We do not need to maintain propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode
222         since we have MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the
223         issue that `op_create_promise` missed propertyAccessInstructions registration (a name "propertyAccessInstructions" is
224         misleading, it is like "instructions-requires-llint-finalize").
225
226         * bytecode/CodeBlock.cpp:
227         (JSC::CodeBlock::propagateTransitions):
228         (JSC::CodeBlock::finalizeLLIntInlineCaches):
229         * bytecode/UnlinkedCodeBlock.cpp:
230         (JSC::UnlinkedCodeBlock::applyModification):
231         (JSC::UnlinkedCodeBlock::shrinkToFit):
232         * bytecode/UnlinkedCodeBlock.h:
233         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
234         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted.
235         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted.
236         * bytecompiler/BytecodeGenerator.cpp:
237         (JSC::BytecodeGenerator::emitResolveScope):
238         (JSC::BytecodeGenerator::emitGetFromScope):
239         (JSC::BytecodeGenerator::emitPutToScope):
240         (JSC::BytecodeGenerator::emitGetById):
241         (JSC::BytecodeGenerator::emitDirectGetById):
242         (JSC::BytecodeGenerator::emitPutById):
243         (JSC::BytecodeGenerator::emitDirectPutById):
244         (JSC::BytecodeGenerator::emitCreateThis):
245         (JSC::BytecodeGenerator::emitToThis):
246         * runtime/CachedTypes.cpp:
247         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
248         (JSC::CachedCodeBlock<CodeBlockType>::encode):
249
250 2019-09-07  Keith Miller  <keith_miller@apple.com>
251
252         OSR entry into wasm misses some contexts
253         https://bugs.webkit.org/show_bug.cgi?id=201569
254
255         Reviewed by Yusuke Suzuki.
256
257         This patch fixes an issue where we could fail to capture some of
258         our contexts when OSR entering into wasm code. Before we would
259         only capture the state of the block immediately surrounding the
260         entrance loop block header. We actually need to capture all
261         enclosed stacks.
262
263         Additionally, we don't need to use variables for all the captured
264         values. We can use a Phi and insert an upsilon just below the
265         captured value.
266
267         * interpreter/CallFrame.h:
268         * jsc.cpp:
269         (GlobalObject::finishCreation):
270         (functionCallerIsOMGCompiled):
271         * wasm/WasmAirIRGenerator.cpp:
272         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
273         (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
274         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
275         (JSC::Wasm::AirIRGenerator::addLoop):
276         * wasm/WasmB3IRGenerator.cpp:
277         (JSC::Wasm::B3IRGenerator::createStack):
278         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
279         (JSC::Wasm::B3IRGenerator::addConstant):
280         (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
281         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
282         (JSC::Wasm::B3IRGenerator::addLoop):
283         (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
284         (JSC::Wasm::dumpExpressionStack):
285         (JSC::Wasm::B3IRGenerator::dump):
286         (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
287         (JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
288         (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
289         (JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
290         (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
291         (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
292         (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
293         (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
294         (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
295         (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
296         (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
297         (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.
298         * wasm/WasmFunctionParser.h:
299         (JSC::Wasm::FunctionParser::controlStack):
300
301 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
302
303         [JSC] Promise resolve/reject functions should be created more efficiently
304         https://bugs.webkit.org/show_bug.cgi?id=201488
305
306         Reviewed by Mark Lam.
307
308         While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it enforces FunctionRareData allocations.
309         Unfortunately, anonymous-builtin-function function can be created frequently since this type of function is used
310         for `resolve` and `reject` arguments of Promise's executor (e.g. `new Promise((resolve, reject) => ...)`'s resolve and reject).
311         Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower.
312
313         In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information
314         to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes
315         anonymous-builtin-function creation faster.
316
317         We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test.
318         The simple microbenchmark shows 1.7x improvement.
319
320                                               ToT                     Patched
321
322             promise-creation-many       45.6701+-0.1488     ^     26.8663+-1.8336        ^ definitely 1.6999x faster
323
324         * dfg/DFGSpeculativeJIT.cpp:
325         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
326         * ftl/FTLLowerDFGToB3.cpp:
327         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
328         * runtime/FunctionRareData.cpp:
329         (JSC::FunctionRareData::create):
330         (JSC::FunctionRareData::FunctionRareData):
331         * runtime/FunctionRareData.h:
332         * runtime/JSFunction.cpp:
333         (JSC::JSFunction::finishCreation):
334         (JSC::JSFunction::allocateRareData):
335         (JSC::JSFunction::allocateAndInitializeRareData):
336         * runtime/JSFunctionInlines.h:
337         (JSC::JSFunction::hasReifiedName const):
338
339 2019-09-07  Mark Lam  <mark.lam@apple.com>
340
341         performJITMemcpy() source buffer should not be in the Gigacage.
342         https://bugs.webkit.org/show_bug.cgi?id=201577
343         <rdar://problem/55142606>
344
345         Reviewed by Michael Saboff.
346
347         Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
348         buffer is not in the Gigacage.
349
350         * jit/ExecutableAllocator.h:
351         (JSC::performJITMemcpy):
352
353 2019-09-07  Mark Lam  <mark.lam@apple.com>
354
355         The jsc shell should allow disabling of the Gigacage for testing purposes.
356         https://bugs.webkit.org/show_bug.cgi?id=201579
357
358         Reviewed by Michael Saboff.
359
360         Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code.  If
361         this env var is present and it has a falsy value, then do not
362         forbidDisablingPrimitiveGigacage() in the jsc shell.
363
364         * jsc.cpp:
365         (jscmain):
366
367 2019-09-06  Mark Lam  <mark.lam@apple.com>
368
369         Harden protection of the Gigacage Config parameters.
370         https://bugs.webkit.org/show_bug.cgi?id=201570
371         <rdar://problem/55134229>
372
373         Reviewed by Saam Barati.
374
375         Just renaming some function names here.
376
377         * assembler/testmasm.cpp:
378         (JSC::testCagePreservesPACFailureBit):
379         * jit/AssemblyHelpers.h:
380         (JSC::AssemblyHelpers::cageConditionally):
381         * jsc.cpp:
382         (jscmain):
383
384 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
385
386         Math.round() produces wrong result for value prior to 0.5
387         https://bugs.webkit.org/show_bug.cgi?id=185115
388
389         Reviewed by Saam Barati.
390
391         Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994.
392         This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite.
393
394         Specifically:
395           - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5),
396             so taking the difference between ceil(value)` and `value` is problematic.
397           - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones
398             (by falling back to jsRound). This patch gives baseline a legitimate implementation too.
399
400         * dfg/DFGSpeculativeJIT.cpp:
401         (JSC::DFG::SpeculativeJIT::compileArithRounding):
402         * ftl/FTLLowerDFGToB3.cpp:
403         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
404         * jit/ThunkGenerators.cpp:
405         (JSC::roundThunkGenerator):
406         * runtime/MathCommon.cpp:
407
408 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
409
410         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
411         https://bugs.webkit.org/show_bug.cgi?id=201366
412
413         Reviewed by Saam Barati.
414
415         It is possible for the log buffer to be full right as someone is trying to
416         log a function prologue. In such a case the machine stack has already been
417         updated to include the new JavaScript call frame, but the prologue packet
418         cannot be included in the update because the log is full. This would mean
419         that the update fails to rationalize the machine stack with the shadow
420         log / stack. Namely, the current JavaScript call frame is unable to
421         find a matching prologue (the one we are holding to include after the update)
422         and inserts a questionable value into the stack; and in the process
423         missing and removing real potential tail calls.
424
425         For example:
426         
427             "use strict";
428             function third() { return 1; }
429             function second() { return third(); }
430             function first() { return second(); }
431             function start() { return first(); }
432
433         If the the log fills up just as we are entering `b` then we may have a list
434         full log of packets looking like:
435
436           Shadow Log:
437             ...
438             { prologue-packet: entering `start` ... }
439             { prologue-packet: entering `first` ... }
440             { tail-packet: leaving `first` with a tail call }
441
442           Incoming Packet:
443             { prologue-packet: entering `second` ... }
444
445           Current JS Stack:
446             second
447             start
448
449         Since the Current JavaScript stack already has `second`, if we process the
450         log without the prologue for `second` then we push a confused entry on the
451         shadow stack and clear the log such that we eventually lose the tail-call
452         information for `first` to `second`.
453
454         This patch solves this issue by providing enough extra space in the log
455         to always process the incoming packet when that forces an update. This way
456         clients can continue to behave exactly as they are.
457
458         --
459
460         We also document a corner case in some circumstances where the shadow
461         log may currently be insufficient to know how to reconcile:
462         
463         For example:
464
465             "use strict";
466             function third() { return 1; }
467             function second() { return third(); }
468             function first() { return second(); }
469             function doNothingTail() { return Math.random() }
470             function start() {
471                 for (i=0;i<1000;++i) doNothingTail();
472                 return first();
473             }
474
475         In this case the ShadowChicken log may be processed multiple times due
476         to the many calls to `doNothingTail` / `Math.random()`. When calling the
477         Native function no prologue packet is emitted, so it is unclear that we
478         temporarly go deeper and come back out on the stack, so the log appears
479         to have lots of doNothingTail calls reusing the same frame:
480
481           Shadow Log:
482             ...
483             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
484             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
485             , [125] tail-packet:{frame = 0x7ffeef8971f0}
486             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
487             , [127] tail-packet:{frame = 0x7ffeef8971f0}
488             ...
489             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
490             , [141] tail-packet:{frame = 0x7ffeef8971f0}
491             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
492             , [143] tail-packet:{frame = 0x7ffeef8971f0}
493             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
494             , [145] tail-packet:{frame = 0x7ffeef8971f0}
495             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
496             ...
497
498         This log would seem to be indistinguishable from real tail recursion, such as:
499
500             "use strict";
501             function third() { return 1; }
502             function second() { return third(); }
503             function first() { return second(); }
504             function doNothingTail(n) {
505                 return n ? doNothingTail(n-1) : first();
506             }
507             function start() {
508                 return doNothingTail(1000);
509             }
510
511         Likewise there are more cases where the shadow log appears to be ambiguous with determining
512         the appropriate parent call frame with intermediate function calls. In practice this may
513         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
514         It seems likely we would only show additional frames that did in fact happen serially
515         between JavaScript call frames, but may not actually be the proper parent frames
516         heirachy in the stack.
517
518         * interpreter/ShadowChicken.cpp:
519         (JSC::ShadowChicken::Packet::dump const):
520         (JSC::ShadowChicken::Frame::dump const):
521         (JSC::ShadowChicken::dump const):
522         Improved debugging output. Especially for functions.
523
524         (JSC::ShadowChicken::ShadowChicken):
525         Make space in the log for 1 additional packet to process when we slow log.
526
527         (JSC::ShadowChicken::log):
528         Include this packet in our update.
529
530         (JSC::ShadowChicken::update):
531         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
532
533 2019-09-06  Ryan Haddad  <ryanhaddad@apple.com>
534
535         Unreviewed, rolling out r249566.
536
537         Causes inspector layout test crashes under GuardMalloc
538
539         Reverted changeset:
540
541         "Tail Deleted Frames shown in Web Inspector are sometimes
542         incorrect (Shadow Chicken)"
543         https://bugs.webkit.org/show_bug.cgi?id=201366
544         https://trac.webkit.org/changeset/249566
545
546 2019-09-06  Guillaume Emont  <guijemont@igalia.com>
547
548         testmasm: save r6 in JIT'ed code on ARM_THUMB2
549         https://bugs.webkit.org/show_bug.cgi?id=201138
550
551         Reviewed by Mark Lam.
552
553         MacroAssemblerArmv7 uses r6 as a temporary register, and it is a
554         callee-saved register. The JITs use
555         AssemblyHelpers::emitSaveCalleeSaves() and friends to save
556         callee-saved registers, but there is no such mechanism in testmasm,
557         which seems to make the assumption that the macroassembler does not
558         use callee-saved registers (which I guess is true for all other
559         architectures, but not for Armv7).
560
561         This issue means that testmasm crashes on Armv7 since code generated
562         by gcc uses r6, and it gets modified by JIT'ed code.
563
564         This change makes sure that we save and restore r6 for all code
565         compiled by testmasm on Armv7.
566
567         * assembler/testmasm.cpp:
568         (JSC::emitFunctionPrologue):
569         (JSC::emitFunctionEpilogue):
570         (JSC::testSimple):
571         (JSC::testGetEffectiveAddress):
572         (JSC::testBranchTruncateDoubleToInt32):
573         (JSC::testBranchTestBit32RegReg):
574         (JSC::testBranchTestBit32RegImm):
575         (JSC::testBranchTestBit32AddrImm):
576         (JSC::testBranchTestBit64RegReg):
577         (JSC::testBranchTestBit64RegImm):
578         (JSC::testBranchTestBit64AddrImm):
579         (JSC::testCompareDouble):
580         (JSC::testMul32WithImmediates):
581         (JSC::testMul32SignExtend):
582         (JSC::testCompareFloat):
583         (JSC::testProbeReadsArgumentRegisters):
584         (JSC::testProbeWritesArgumentRegisters):
585         (JSC::testProbePreservesGPRS):
586         (JSC::testProbeModifiesStackPointer):
587         (JSC::testProbeModifiesProgramCounter):
588         (JSC::testProbeModifiesStackValues):
589         (JSC::testByteSwap):
590         (JSC::testMoveDoubleConditionally32):
591         (JSC::testMoveDoubleConditionally64):
592         (JSC::testCagePreservesPACFailureBit):
593
594 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
595
596         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
597         https://bugs.webkit.org/show_bug.cgi?id=201366
598
599         Reviewed by Saam Barati.
600
601         It is possible for the log buffer to be full right as someone is trying to
602         log a function prologue. In such a case the machine stack has already been
603         updated to include the new JavaScript call frame, but the prologue packet
604         cannot be included in the update because the log is full. This would mean
605         that the update fails to rationalize the machine stack with the shadow
606         log / stack. Namely, the current JavaScript call frame is unable to
607         find a matching prologue (the one we are holding to include after the update)
608         and inserts a questionable value into the stack; and in the process
609         missing and removing real potential tail calls.
610
611         For example:
612         
613             "use strict";
614             function third() { return 1; }
615             function second() { return third(); }
616             function first() { return second(); }
617             function start() { return first(); }
618
619         If the the log fills up just as we are entering `b` then we may have a list
620         full log of packets looking like:
621
622           Shadow Log:
623             ...
624             { prologue-packet: entering `start` ... }
625             { prologue-packet: entering `first` ... }
626             { tail-packet: leaving `first` with a tail call }
627
628           Incoming Packet:
629             { prologue-packet: entering `second` ... }
630
631           Current JS Stack:
632             second
633             start
634
635         Since the Current JavaScript stack already has `second`, if we process the
636         log without the prologue for `second` then we push a confused entry on the
637         shadow stack and clear the log such that we eventually lose the tail-call
638         information for `first` to `second`.
639
640         This patch solves this issue by providing enough extra space in the log
641         to always process the incoming packet when that forces an update. This way
642         clients can continue to behave exactly as they are.
643
644         --
645
646         We also document a corner case in some circumstances where the shadow
647         log may currently be insufficient to know how to reconcile:
648         
649         For example:
650
651             "use strict";
652             function third() { return 1; }
653             function second() { return third(); }
654             function first() { return second(); }
655             function doNothingTail() { return Math.random() }
656             function start() {
657                 for (i=0;i<1000;++i) doNothingTail();
658                 return first();
659             }
660
661         In this case the ShadowChicken log may be processed multiple times due
662         to the many calls to `doNothingTail` / `Math.random()`. When calling the
663         Native function no prologue packet is emitted, so it is unclear that we
664         temporarly go deeper and come back out on the stack, so the log appears
665         to have lots of doNothingTail calls reusing the same frame:
666
667           Shadow Log:
668             ...
669             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
670             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
671             , [125] tail-packet:{frame = 0x7ffeef8971f0}
672             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
673             , [127] tail-packet:{frame = 0x7ffeef8971f0}
674             ...
675             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
676             , [141] tail-packet:{frame = 0x7ffeef8971f0}
677             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
678             , [143] tail-packet:{frame = 0x7ffeef8971f0}
679             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
680             , [145] tail-packet:{frame = 0x7ffeef8971f0}
681             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
682             ...
683
684         This log would seem to be indistinguishable from real tail recursion, such as:
685
686             "use strict";
687             function third() { return 1; }
688             function second() { return third(); }
689             function first() { return second(); }
690             function doNothingTail(n) {
691                 return n ? doNothingTail(n-1) : first();
692             }
693             function start() {
694                 return doNothingTail(1000);
695             }
696
697         Likewise there are more cases where the shadow log appears to be ambiguous with determining
698         the appropriate parent call frame with intermediate function calls. In practice this may
699         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
700         It seems likely we would only show additional frames that did in fact happen serially
701         between JavaScript call frames, but may not actually be the proper parent frames
702         heirachy in the stack.
703
704         * interpreter/ShadowChicken.cpp:
705         (JSC::ShadowChicken::Packet::dump const):
706         (JSC::ShadowChicken::Frame::dump const):
707         (JSC::ShadowChicken::dump const):
708         Improved debugging output. Especially for functions.
709
710         (JSC::ShadowChicken::ShadowChicken):
711         Make space in the log for 1 additional packet to process when we slow log.
712
713         (JSC::ShadowChicken::log):
714         Include this packet in our update.
715
716         (JSC::ShadowChicken::update):
717         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
718
719 2019-09-05  Mark Lam  <mark.lam@apple.com>
720
721         Refactor the Gigacage code to require less pointer casting.
722         https://bugs.webkit.org/show_bug.cgi?id=201521
723
724         Reviewed by Saam Barati.
725
726         Change LLInt's loadCagedJSValue() to skip the caging if Gigacage is not enabled
727         in the build.  This allows us to remove the unneeded stubs in WTF Gigacage.h.
728
729         * jit/AssemblyHelpers.h:
730         (JSC::AssemblyHelpers::cageConditionally):
731         * llint/LowLevelInterpreter.asm:
732         * llint/LowLevelInterpreter64.asm:
733         * runtime/VM.h:
734         (JSC::VM::gigacageAuxiliarySpace):
735
736 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
737
738         Unreviewed, follow-up after r249530 and r249509
739         https://bugs.webkit.org/show_bug.cgi?id=201495
740
741         Rename FTLOutput::weakPointer to alreadyRegisteredWeakPointer and alreadyRegisteredFrozenPointer.
742
743         * builtins/PromiseConstructor.js:
744         (nakedConstructor.Promise.resolve):
745         (nakedConstructor.Promise.reject):
746         (nakedConstructor.Promise):
747         (nakedConstructor.InternalPromise.resolve):
748         (nakedConstructor.InternalPromise.reject):
749         (nakedConstructor.InternalPromise):
750         * ftl/FTLLowerDFGToB3.cpp:
751         (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
752         (JSC::FTL::DFG::LowerDFGToB3::frozenPointer):
753         (JSC::FTL::DFG::LowerDFGToB3::weakStructure):
754         * ftl/FTLOutput.h:
755         (JSC::FTL::Output::alreadyRegisteredWeakPointer):
756         (JSC::FTL::Output::alreadyRegisteredFrozenPointer):
757         (JSC::FTL::Output::weakPointer): Deleted.
758
759 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
760
761         [JSC] Generalize Get/PutPromiseInternalField for InternalFieldObjectImpl
762         https://bugs.webkit.org/show_bug.cgi?id=201513
763
764         Reviewed by Ross Kirsling.
765
766         This patch extracts JSPromise's internal fields mechanism as JSInternalFieldsObjectImpl, and make it reusable for the other objects.
767         It is preparation for using this internal fields mechanism for generators, async functions, async generators, array iterators and so on.
768
769         The profiler is telling many recompilation of Generator's resume function (including async generator's one). We are using properties
770         with private-symbols as a storage for internal state of generators. However, the spec defines that each generator from different generator-functions
771         has different [[Prototype]]. While we need to share one Generator.prototype.next function, generators tend to have different Structures due to
772         different [[Prototype]] and accessing internal fields with `get_by_id_direct` sadly becomes super megamorphic while it is not necessary.
773         And every time new Structure for new generator pops up, DFG/FTL code for generator resume function gets OSR exit or eventually this function gets
774         emits super generic code unfortunately. By using internal fields for storing these state, we can avoid this performance problem.
775
776         Bytecodes and corresponding DFG nodes are just renamed. JSPromise is now inheriting JSInternalFieldsObjectImpl, which can holds specified
777         number of internal fields. And op_get_internal_field / op_put_internal_field can access these internal fields.
778
779         * CMakeLists.txt:
780         * JavaScriptCore.xcodeproj/project.pbxproj:
781         * bytecode/BytecodeList.rb:
782         * bytecode/BytecodeUseDef.h:
783         (JSC::computeUsesForBytecodeOffset):
784         (JSC::computeDefsForBytecodeOffset):
785         * bytecode/CodeBlock.cpp:
786         (JSC::CodeBlock::finishCreation):
787         * bytecode/Opcode.h:
788         * bytecompiler/BytecodeGenerator.cpp:
789         (JSC::BytecodeGenerator::emitGetInternalField):
790         (JSC::BytecodeGenerator::emitPutInternalField):
791         (JSC::BytecodeGenerator::emitGetPromiseInternalField): Deleted.
792         (JSC::BytecodeGenerator::emitPutPromiseInternalField): Deleted.
793         * bytecompiler/BytecodeGenerator.h:
794         * bytecompiler/NodesCodegen.cpp:
795         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
796         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
797         * dfg/DFGAbstractInterpreterInlines.h:
798         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
799         * dfg/DFGByteCodeParser.cpp:
800         (JSC::DFG::ByteCodeParser::parseBlock):
801         * dfg/DFGCapabilities.cpp:
802         (JSC::DFG::capabilityLevel):
803         * dfg/DFGClobberize.h:
804         (JSC::DFG::clobberize):
805         * dfg/DFGDoesGC.cpp:
806         (JSC::DFG::doesGC):
807         * dfg/DFGFixupPhase.cpp:
808         (JSC::DFG::FixupPhase::fixupNode):
809         * dfg/DFGMayExit.cpp:
810         * dfg/DFGNode.h:
811         (JSC::DFG::Node::hasInternalFieldIndex):
812         (JSC::DFG::Node::hasHeapPrediction):
813         * dfg/DFGNodeType.h:
814         * dfg/DFGPredictionPropagationPhase.cpp:
815         * dfg/DFGSafeToExecute.h:
816         (JSC::DFG::safeToExecute):
817         * dfg/DFGSpeculativeJIT.cpp:
818         (JSC::DFG::SpeculativeJIT::compileGetInternalField):
819         (JSC::DFG::SpeculativeJIT::compilePutInternalField):
820         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
821         (JSC::DFG::SpeculativeJIT::compileNewPromise):
822         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField): Deleted.
823         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField): Deleted.
824         * dfg/DFGSpeculativeJIT.h:
825         * dfg/DFGSpeculativeJIT32_64.cpp:
826         (JSC::DFG::SpeculativeJIT::compile):
827         * dfg/DFGSpeculativeJIT64.cpp:
828         (JSC::DFG::SpeculativeJIT::compile):
829         * dfg/DFGStoreBarrierInsertionPhase.cpp:
830         * ftl/FTLAbstractHeapRepository.h:
831         * ftl/FTLCapabilities.cpp:
832         (JSC::FTL::canCompile):
833         * ftl/FTLLowerDFGToB3.cpp:
834         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
835         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
836         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
837         (JSC::FTL::DFG::LowerDFGToB3::compileGetInternalField):
838         (JSC::FTL::DFG::LowerDFGToB3::compilePutInternalField):
839         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField): Deleted.
840         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField): Deleted.
841         * jit/JIT.cpp:
842         (JSC::JIT::privateCompileMainPass):
843         * jit/JIT.h:
844         * jit/JITPropertyAccess.cpp:
845         (JSC::JIT::emit_op_get_internal_field):
846         (JSC::JIT::emit_op_put_internal_field):
847         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
848         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
849         * jit/JITPropertyAccess32_64.cpp:
850         (JSC::JIT::emit_op_get_internal_field):
851         (JSC::JIT::emit_op_put_internal_field):
852         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
853         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
854         * llint/LLIntOffsetsExtractor.cpp:
855         * llint/LowLevelInterpreter.asm:
856         * llint/LowLevelInterpreter32_64.asm:
857         * llint/LowLevelInterpreter64.asm:
858         * runtime/JSInternalFieldObjectImpl.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
859         (JSC::JSInternalFieldObjectImpl::allocationSize):
860         (JSC::JSInternalFieldObjectImpl::internalField const):
861         (JSC::JSInternalFieldObjectImpl::internalField):
862         (JSC::JSInternalFieldObjectImpl::offsetOfInternalFields):
863         (JSC::JSInternalFieldObjectImpl::offsetOfInternalField):
864         (JSC::JSInternalFieldObjectImpl::JSInternalFieldObjectImpl):
865         * runtime/JSInternalFieldObjectImplInlines.h: Added.
866         (JSC::JSInternalFieldObjectImpl<passedNumberOfInternalFields>::visitChildren):
867         * runtime/JSPromise.cpp:
868         (JSC::JSPromise::finishCreation):
869         (JSC::JSPromise::visitChildren):
870         (JSC::JSPromise::status const):
871         (JSC::JSPromise::result const):
872         (JSC::JSPromise::isHandled const):
873         * runtime/JSPromise.h:
874         (JSC::JSPromise::allocationSize): Deleted.
875         (JSC::JSPromise::offsetOfInternalFields): Deleted.
876         (JSC::JSPromise::offsetOfInternalField): Deleted.
877         (): Deleted.
878
879 2019-09-05  Commit Queue  <commit-queue@webkit.org>
880
881         Unreviewed, rolling out r247463.
882         https://bugs.webkit.org/show_bug.cgi?id=201515
883
884         JetStream2 code-load related regression (Requested by
885         yusukesuzuki on #webkit).
886
887         Reverted changeset:
888
889         "Keyword lookup can use memcmp to get around unaligned load
890         undefined behavior"
891         https://bugs.webkit.org/show_bug.cgi?id=199650
892         https://trac.webkit.org/changeset/247463
893
894 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
895
896         LazyClassStructure::setConstructor should not store the constructor to the global object
897         https://bugs.webkit.org/show_bug.cgi?id=201484
898         <rdar://problem/50400451>
899
900         Reviewed by Yusuke Suzuki.
901
902         LazyClassStructure::setConstructor sets the constructor as a property of the global object.
903         This became a problem when it started being used for WebAssembly constructors, such as Module
904         and Instance, since they are properties of the WebAssembly object, not the global object. That
905         resulted in properties of the global object replaced whenever a lazy WebAssembly constructor
906         was first accessed. e.g.
907
908         globalThis.Module = x;
909         WebAssembly.Module;
910         globalThis.Module === WebAssembly.Module;
911
912         * runtime/LazyClassStructure.cpp:
913         (JSC::LazyClassStructure::Initializer::setConstructor):
914         * runtime/LazyClassStructure.h:
915         * runtime/Lookup.h:
916         (JSC::reifyStaticProperty):
917
918 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
919
920         [JSC] Do not use FTLOutput::weakPointer directly
921         https://bugs.webkit.org/show_bug.cgi?id=201495
922
923         Reviewed by Filip Pizlo.
924
925         FTLOutput::weakPointer does not register the cell as a weak pointer.
926         CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion.
927         While the current implementation is not posing correctness issue since these cells are live so long as JSGlobalObject is live,
928         and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function.
929         For FrozenValue, we should use frozenPointer helper function.
930
931         * ftl/FTLLowerDFGToB3.cpp:
932         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
933         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
934
935 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
936
937         Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression
938         https://bugs.webkit.org/show_bug.cgi?id=201373
939
940         * bytecode/BytecodeList.rb:
941         * bytecode/BytecodeUseDef.h:
942         (JSC::computeUsesForBytecodeOffset):
943         (JSC::computeDefsForBytecodeOffset):
944         * bytecompiler/BytecodeGenerator.cpp:
945         (JSC::BytecodeGenerator::BytecodeGenerator):
946         (JSC::BytecodeGenerator::emitLoopHint):
947         (JSC::BytecodeGenerator::emitCheckTraps):
948         * bytecompiler/BytecodeGenerator.h:
949         * dfg/DFGByteCodeParser.cpp:
950         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
951         (JSC::DFG::ByteCodeParser::parseBlock):
952         * dfg/DFGCapabilities.cpp:
953         (JSC::DFG::capabilityLevel):
954         * jit/JIT.cpp:
955         (JSC::JIT::emitEnterOptimizationCheck):
956         (JSC::JIT::privateCompileMainPass):
957         (JSC::JIT::privateCompileSlowCases):
958         * jit/JIT.h:
959         * jit/JITOpcodes.cpp:
960         (JSC::JIT::emit_op_enter):
961         (JSC::JIT::emit_op_loop_hint):
962         (JSC::JIT::emitSlow_op_loop_hint):
963         (JSC::JIT::emit_op_check_traps):
964         (JSC::JIT::emitSlow_op_check_traps):
965         (JSC::JIT::emitSlow_op_enter): Deleted.
966         * jit/JITOpcodes32_64.cpp:
967         (JSC::JIT::emit_op_enter):
968         * llint/LowLevelInterpreter.asm:
969         * llint/LowLevelInterpreter32_64.asm:
970         * llint/LowLevelInterpreter64.asm:
971         * runtime/CommonSlowPaths.cpp:
972         (JSC::SLOW_PATH_DECL):
973         * runtime/CommonSlowPaths.h:
974
975 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
976
977         Unreviewed, rebaseline builtin generator test results
978         https://bugs.webkit.org/show_bug.cgi?id=200898
979
980         Rebaseline the result files.
981
982         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
983         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
984         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
985         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
986         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
987         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
988         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
989         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
990         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
991         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
992         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
993         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
994         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
995
996 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
997
998         [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen
999         https://bugs.webkit.org/show_bug.cgi?id=201485
1000
1001         Reviewed by Tadeu Zagallo.
1002
1003         FunctionOverrides is a per-process singleton for registering overrides information. But we are accessing
1004         it without taking a lock. If multiple threads with multiple VMs are accessing this concurrently, we have
1005         a race issue like,
1006
1007         1. While one thread is adding overrides information,
1008         2. Another thread is accessing this hash table.
1009
1010         This patch adds a lock to make sure that only one thread can access this registry.
1011
1012         * tools/FunctionOverrides.cpp:
1013         (JSC::FunctionOverrides::FunctionOverrides):
1014         (JSC::FunctionOverrides::reinstallOverrides):
1015         (JSC::FunctionOverrides::initializeOverrideFor):
1016         (JSC::FunctionOverrides::parseOverridesInFile):
1017         * tools/FunctionOverrides.h:
1018         (JSC::FunctionOverrides::clear):
1019
1020 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1021
1022         [JSC] Make Promise implementation faster
1023         https://bugs.webkit.org/show_bug.cgi?id=200898
1024
1025         Reviewed by Saam Barati.
1026
1027         This is the major change of the Promise implementation and it improves JetStream2/async-fs by 62%.
1028
1029         1. Make JSPromise C++ friendly
1030
1031             Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise.
1032             This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these
1033             fields from C++ easy. Moreover, this patch reduces # of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal
1034             fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL
1035             supports. They are similar to GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand
1036             this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1].
1037
1038             We also add JSPromiseType as JSType. And structures for JSPromise should have that. So that now `@isPromise` is efficiently implemented.
1039             This also requires adding SpecPromiseObject and PromiseObjectUse to DFG.
1040
1041             Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension
1042             is filed in [2].
1043
1044         2. Make JSPromise constructor JS friendly
1045
1046             The old JSPromise constructor was very inefficient: JSPromise constructor is InternalFunction in C++, and in it, it
1047             calls `initializePromise` JS function. And this `initializePromise` function invokes `executor` function passed by user program.
1048             If we can implement JSPromise constructor fully in JS, we can recognize `executor` and we have a chance to fully inline them.
1049             Unfortunately, we cannot inline JSPromise constructor for now since it takes 120 bytecode cost while our inlining threshold for
1050             construct is 100. We might want to investigate getting it inlined in the future[3].
1051
1052             We can avoid C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces @nakedConstructor
1053             annotation to builtin JS. And this is propagated as `ConstructorKind::Naked`. If this kind is attached, the bytecode generator
1054             do not emit `op_create_this` implicitly and the constructor does not return `this` object implicitly. The naked constructor allows
1055             us to emit bare-metal bytecode, specifically necessary to allocate non-final JSObject from JS constructor. We introduce op_create_promise,
1056             which is similar to op_create_this, but it allocates JSPromise. And by using @createPromise bytecode intrinsic, we implement
1057             JSPromise constructor fully in JS.
1058             With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4].
1059
1060         3. DFG supports for JSPromise operations
1061
1062             This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis,
1063             and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate
1064             promises. CreatePromise and NewPromise have `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG.
1065             When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism
1066             used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile
1067             can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable
1068             in DFG, we connect watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's
1069             structure is invalidated: `callee.prototype` is replaced.
1070
1071         4. Avoid creating unnecessary promises
1072
1073             Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. And some of promise creation can be avoided.
1074             For example, when resolving a value with `Promise.resolve`, if a value is promise and if it's `then` method is the builtin `then`, we can avoid creating
1075             intermediate promise. To handle these things well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They
1076             take `onFulfilled` and `onRejected` handlers and they do not need an intermediate promise for resolving. This removes internal promise allocations
1077             in major cases and makes promise / async-functions efficient. And we also expose builtin `then` function as `@then`, and insert `@isPromise(xxx) && then === @then`
1078             check to take a fast path. We introduced four types of promise reactions to avoid some of object allocations. And microtask reaction is handling these four types.
1079
1080         5. Avoid creating resolving-functions and promise capabilities
1081
1082             Resolving functions have `alreadyResolved` flag to prevent calling `resolve` and `reject` multiple times. For the first resolving function creation, this
1083             patch embeds one bit flag to JSPromise itself which indicates `alreadyResolved` in the first created resolving functions (resolving functions can be later
1084             created again for the same promise. In that case, we just create a usual resolving functions). By doing so, we avoid unnecessary resolving functions
1085             and promise capability allocations. We introduce a wrapper function `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`.
1086             The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with the calls to these functions, e.g. replacing
1087             `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`.
1088             This mechanism will be used to drop JSPromiseDeferred in a separate patch.
1089
1090         JetStream2/async-fs results.
1091             ToT:
1092                 Running async-fs:
1093                     Startup: 116.279
1094                     Worst Case: 151.515
1095                     Average: 176.630
1096                     Score: 145.996
1097                     Wall time: 0:01.149
1098
1099             Patched:
1100                 Running async-fs:
1101                     Startup: 166.667
1102                     Worst Case: 267.857
1103                     Average: 299.080
1104                     Score: 237.235
1105                     Wall time: 0:00.683
1106
1107         [1]: https://bugs.webkit.org/show_bug.cgi?id=201159
1108         [2]: https://bugs.webkit.org/show_bug.cgi?id=201160
1109         [3]: https://bugs.webkit.org/show_bug.cgi?id=201452
1110         [4]: https://bugs.webkit.org/show_bug.cgi?id=201158
1111
1112         * CMakeLists.txt:
1113         * JavaScriptCore.xcodeproj/project.pbxproj:
1114         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
1115         (ConstructAbility):
1116         (ConstructorKind):
1117         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
1118         * Scripts/wkbuiltins/builtins_generator.py:
1119         (BuiltinsGenerator.generate_embedded_code_data_for_function):
1120         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
1121         * Scripts/wkbuiltins/builtins_model.py:
1122         (BuiltinFunction.__init__):
1123         (BuiltinFunction.fromString):
1124         * Scripts/wkbuiltins/builtins_templates.py:
1125         * builtins/AsyncFromSyncIteratorPrototype.js:
1126         (next.try):
1127         (next):
1128         (return.try):
1129         (return):
1130         (throw.try):
1131         (throw):
1132         * builtins/AsyncFunctionPrototype.js:
1133         (globalPrivate.asyncFunctionResume):
1134         * builtins/AsyncGeneratorPrototype.js:
1135         (globalPrivate.asyncGeneratorQueueIsEmpty):
1136         (globalPrivate.asyncGeneratorQueueEnqueue):
1137         (globalPrivate.asyncGeneratorQueueDequeue):
1138         (globalPrivate.asyncGeneratorReject):
1139         (globalPrivate.asyncGeneratorResolve):
1140         (globalPrivate.asyncGeneratorYield):
1141         (onRejected):
1142         (globalPrivate.awaitValue):
1143         (onFulfilled):
1144         (globalPrivate.doAsyncGeneratorBodyCall):
1145         (globalPrivate.asyncGeneratorResumeNext):
1146         (globalPrivate.asyncGeneratorEnqueue):
1147         (globalPrivate.asyncGeneratorDequeue): Deleted.
1148         (const.onRejected): Deleted.
1149         (const.onFulfilled): Deleted.
1150         (globalPrivate.asyncGeneratorResumeNext.): Deleted.
1151         * builtins/BuiltinExecutableCreator.h:
1152         * builtins/BuiltinExecutables.cpp:
1153         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1154         (JSC::BuiltinExecutables::createDefaultConstructor):
1155         (JSC::BuiltinExecutables::createBuiltinExecutable):
1156         (JSC::BuiltinExecutables::createExecutable):
1157         (JSC::createBuiltinExecutable): Deleted.
1158         * builtins/BuiltinExecutables.h:
1159         * builtins/BuiltinNames.h:
1160         * builtins/BuiltinUtils.h:
1161         * builtins/ModuleLoader.js:
1162         (forceFulfillPromise):
1163         * builtins/PromiseConstructor.js:
1164         (nakedConstructor.Promise.resolve):
1165         (nakedConstructor.Promise.reject):
1166         (nakedConstructor.Promise):
1167         (nakedConstructor.InternalPromise.resolve):
1168         (nakedConstructor.InternalPromise.reject):
1169         (nakedConstructor.InternalPromise):
1170         * builtins/PromiseOperations.js:
1171         (globalPrivate.newPromiseReaction):
1172         (globalPrivate.newPromiseCapability):
1173         (globalPrivate.newHandledRejectedPromise):
1174         (globalPrivate.triggerPromiseReactions):
1175         (globalPrivate.resolvePromise):
1176         (globalPrivate.rejectPromise):
1177         (globalPrivate.fulfillPromise):
1178         (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck):
1179         (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck):
1180         (globalPrivate.createResolvingFunctions.resolve):
1181         (globalPrivate.createResolvingFunctions.reject):
1182         (globalPrivate.createResolvingFunctions):
1183         (globalPrivate.promiseReactionJobWithoutPromise):
1184         (globalPrivate.resolveWithoutPromise):
1185         (globalPrivate.rejectWithoutPromise):
1186         (globalPrivate.fulfillWithoutPromise):
1187         (resolve):
1188         (reject):
1189         (globalPrivate.createResolvingFunctionsWithoutPromise):
1190         (globalPrivate.promiseReactionJob):
1191         (globalPrivate.promiseResolveThenableJobFast):
1192         (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
1193         (globalPrivate.promiseResolveThenableJob):
1194         (globalPrivate.isPromise): Deleted.
1195         (globalPrivate.newPromiseCapability.executor): Deleted.
1196         (globalPrivate.initializePromise): Deleted.
1197         * builtins/PromisePrototype.js:
1198         (then):
1199         * bytecode/BytecodeIntrinsicRegistry.cpp:
1200         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1201         * bytecode/BytecodeIntrinsicRegistry.h:
1202         * bytecode/BytecodeList.rb:
1203         * bytecode/BytecodeUseDef.h:
1204         (JSC::computeUsesForBytecodeOffset):
1205         (JSC::computeDefsForBytecodeOffset):
1206         * bytecode/CodeBlock.cpp:
1207         (JSC::CodeBlock::finishCreation):
1208         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1209         * bytecode/Opcode.h:
1210         * bytecode/SpeculatedType.cpp:
1211         (JSC::dumpSpeculation):
1212         (JSC::speculationFromClassInfo):
1213         (JSC::speculationFromJSType):
1214         (JSC::speculationFromString):
1215         * bytecode/SpeculatedType.h:
1216         * bytecode/UnlinkedFunctionExecutable.h:
1217         * bytecompiler/BytecodeGenerator.cpp:
1218         (JSC::BytecodeGenerator::generate):
1219         (JSC::BytecodeGenerator::BytecodeGenerator):
1220         (JSC::BytecodeGenerator::emitGetPromiseInternalField):
1221         (JSC::BytecodeGenerator::emitPutPromiseInternalField):
1222         (JSC::BytecodeGenerator::emitCreatePromise):
1223         (JSC::BytecodeGenerator::emitNewPromise):
1224         (JSC::BytecodeGenerator::emitReturn):
1225         * bytecompiler/BytecodeGenerator.h:
1226         (JSC::BytecodeGenerator::promiseRegister):
1227         (JSC::BytecodeGenerator::emitIsPromise):
1228         (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted.
1229         * bytecompiler/NodesCodegen.cpp:
1230         (JSC::promiseInternalFieldIndex):
1231         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
1232         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
1233         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise):
1234         (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise):
1235         (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise):
1236         (JSC::FunctionNode::emitBytecode):
1237         * dfg/DFGAbstractHeap.h:
1238         * dfg/DFGAbstractInterpreterInlines.h:
1239         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1240         * dfg/DFGByteCodeParser.cpp:
1241         (JSC::DFG::ByteCodeParser::parseBlock):
1242         * dfg/DFGCapabilities.cpp:
1243         (JSC::DFG::capabilityLevel):
1244         * dfg/DFGClobberize.h:
1245         (JSC::DFG::clobberize):
1246         * dfg/DFGClobbersExitState.cpp:
1247         (JSC::DFG::clobbersExitState):
1248         * dfg/DFGConstantFoldingPhase.cpp:
1249         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1250         * dfg/DFGDoesGC.cpp:
1251         (JSC::DFG::doesGC):
1252         * dfg/DFGFixupPhase.cpp:
1253         (JSC::DFG::FixupPhase::fixupNode):
1254         * dfg/DFGGraph.cpp:
1255         (JSC::DFG::Graph::dump):
1256         * dfg/DFGHeapLocation.cpp:
1257         (WTF::printInternal):
1258         * dfg/DFGHeapLocation.h:
1259         * dfg/DFGMayExit.cpp:
1260         * dfg/DFGNode.h:
1261         (JSC::DFG::Node::convertToNewPromise):
1262         (JSC::DFG::Node::hasIsInternalPromise):
1263         (JSC::DFG::Node::isInternalPromise):
1264         (JSC::DFG::Node::hasInternalFieldIndex):
1265         (JSC::DFG::Node::internalFieldIndex):
1266         (JSC::DFG::Node::hasHeapPrediction):
1267         (JSC::DFG::Node::hasStructure):
1268         * dfg/DFGNodeType.h:
1269         * dfg/DFGOperations.cpp:
1270         * dfg/DFGOperations.h:
1271         * dfg/DFGPredictionPropagationPhase.cpp:
1272         * dfg/DFGPromotedHeapLocation.cpp:
1273         (WTF::printInternal):
1274         * dfg/DFGPromotedHeapLocation.h:
1275         * dfg/DFGSafeToExecute.h:
1276         (JSC::DFG::SafeToExecuteEdge::operator()):
1277         (JSC::DFG::safeToExecute):
1278         * dfg/DFGSpeculativeJIT.cpp:
1279         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1280         (JSC::DFG::SpeculativeJIT::speculatePromiseObject):
1281         (JSC::DFG::SpeculativeJIT::speculate):
1282         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField):
1283         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField):
1284         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
1285         (JSC::DFG::SpeculativeJIT::compileNewPromise):
1286         * dfg/DFGSpeculativeJIT.h:
1287         * dfg/DFGSpeculativeJIT32_64.cpp:
1288         (JSC::DFG::SpeculativeJIT::compile):
1289         * dfg/DFGSpeculativeJIT64.cpp:
1290         (JSC::DFG::SpeculativeJIT::compile):
1291         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1292         * dfg/DFGUseKind.cpp:
1293         (WTF::printInternal):
1294         * dfg/DFGUseKind.h:
1295         (JSC::DFG::typeFilterFor):
1296         (JSC::DFG::isCell):
1297         * ftl/FTLAbstractHeapRepository.h:
1298         * ftl/FTLCapabilities.cpp:
1299         (JSC::FTL::canCompile):
1300         * ftl/FTLLowerDFGToB3.cpp:
1301         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1302         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1303         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
1304         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1305         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField):
1306         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField):
1307         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1308         (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject):
1309         * jit/JIT.cpp:
1310         (JSC::JIT::privateCompileMainPass):
1311         (JSC::JIT::privateCompileSlowCases):
1312         * jit/JIT.h:
1313         * jit/JITOperations.cpp:
1314         * jit/JITOperations.h:
1315         * jit/JITPropertyAccess.cpp:
1316         (JSC::JIT::emit_op_get_promise_internal_field):
1317         (JSC::JIT::emit_op_put_promise_internal_field):
1318         * jit/JITPropertyAccess32_64.cpp:
1319         (JSC::JIT::emit_op_get_promise_internal_field):
1320         (JSC::JIT::emit_op_put_promise_internal_field):
1321         * llint/LowLevelInterpreter.asm:
1322         * llint/LowLevelInterpreter32_64.asm:
1323         * llint/LowLevelInterpreter64.asm:
1324         * parser/Parser.cpp:
1325         (JSC::Parser<LexerType>::Parser):
1326         (JSC::Parser<LexerType>::parseFunctionInfo):
1327         * parser/Parser.h:
1328         (JSC::parse):
1329         * parser/ParserModes.h:
1330         * runtime/CommonSlowPaths.cpp:
1331         (JSC::SLOW_PATH_DECL):
1332         * runtime/CommonSlowPaths.h:
1333         * runtime/ConstructAbility.h:
1334         * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h.
1335         * runtime/FunctionRareData.cpp:
1336         (JSC::FunctionRareData::FunctionRareData):
1337         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1338         (JSC::FunctionRareData::clear):
1339         * runtime/FunctionRareData.h:
1340         * runtime/InternalFunction.cpp:
1341         (JSC::InternalFunction::createSubclassStructureSlow):
1342         * runtime/InternalFunction.h:
1343         (JSC::InternalFunction::createSubclassStructure):
1344         * runtime/JSCast.h:
1345         * runtime/JSGlobalObject.cpp:
1346         (JSC::enqueueJob):
1347         (JSC::JSGlobalObject::init):
1348         (JSC::JSGlobalObject::visitChildren):
1349         * runtime/JSGlobalObject.h:
1350         (JSC::JSGlobalObject::arrayProtoValuesFunction const):
1351         (JSC::JSGlobalObject::promiseProtoThenFunction const):
1352         (JSC::JSGlobalObject::initializePromiseFunction const): Deleted.
1353         * runtime/JSInternalPromise.cpp:
1354         (JSC::JSInternalPromise::createStructure):
1355         * runtime/JSInternalPromiseConstructor.cpp:
1356         (JSC::JSInternalPromiseConstructor::create):
1357         (JSC::JSInternalPromiseConstructor::createStructure):
1358         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
1359         (JSC::constructPromise): Deleted.
1360         * runtime/JSInternalPromiseConstructor.h:
1361         * runtime/JSInternalPromisePrototype.cpp:
1362         (JSC::JSInternalPromisePrototype::create):
1363         * runtime/JSMicrotask.cpp:
1364         (JSC::createJSMicrotask):
1365         (JSC::JSMicrotask::run):
1366         * runtime/JSMicrotask.h:
1367         * runtime/JSPromise.cpp:
1368         (JSC::JSPromise::createStructure):
1369         (JSC::JSPromise::finishCreation):
1370         (JSC::JSPromise::visitChildren):
1371         (JSC::JSPromise::status const):
1372         (JSC::JSPromise::result const):
1373         (JSC::JSPromise::isHandled const):
1374         (JSC::JSPromise::initialize): Deleted.
1375         * runtime/JSPromise.h:
1376         (JSC::JSPromise::allocationSize):
1377         (JSC::JSPromise::offsetOfInternalFields):
1378         (JSC::JSPromise::offsetOfInternalField):
1379         * runtime/JSPromiseConstructor.cpp:
1380         (JSC::JSPromiseConstructor::create):
1381         (JSC::JSPromiseConstructor::createStructure):
1382         (JSC::JSPromiseConstructor::JSPromiseConstructor):
1383         (JSC::JSPromiseConstructor::finishCreation):
1384         (JSC::constructPromise): Deleted.
1385         (JSC::callPromise): Deleted.
1386         * runtime/JSPromiseConstructor.h:
1387         * runtime/JSPromisePrototype.cpp:
1388         (JSC::JSPromisePrototype::create):
1389         (JSC::JSPromisePrototype::finishCreation):
1390         (JSC::JSPromisePrototype::addOwnInternalSlots):
1391         * runtime/JSPromisePrototype.h:
1392         * runtime/JSType.cpp:
1393         (WTF::printInternal):
1394         * runtime/JSType.h:
1395
1396 2019-09-04  Joseph Pecoraro  <pecoraro@apple.com>
1397
1398         Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based)
1399         https://bugs.webkit.org/show_bug.cgi?id=201262
1400         <rdar://problem/13108764>
1401
1402         Reviewed by Devin Rousso.
1403
1404         When interception is enabled, Network requests that match any of the configured
1405         interception patterns will be paused on the backend and allowed to be modified
1406         by the frontend.
1407
1408         Currently the only time a network request can be intercepted is during the
1409         HTTP response. However, this intercepting interface is mean to extend to
1410         HTTP requests as well.
1411
1412         When a response is to be intercepted a new event is sent to the frontend:
1413
1414           `Network.responseIntercepted` event
1415
1416         With a `requestId` to identify that network request. The frontend
1417         must respond with one of the following commands to continue:
1418
1419           `Network.interceptContinue`     - proceed with the response unmodified
1420           `Network.interceptWithResponse` - provide a response
1421
1422         The response is paused in the meantime.
1423
1424         * inspector/protocol/Network.json:
1425         New interfaces for intercepting network responses and suppling override content.
1426
1427         * Scripts/generate-combined-inspector-json.py:
1428         * inspector/scripts/generate-inspector-protocol-bindings.py:
1429         (generate_from_specification.load_specification):
1430         Complete allowing comments in JSON protocol files.
1431
1432         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1433         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
1434         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1435         Allow optional enums in ObjC interfaces.
1436
1437 2019-09-03  Mark Lam  <mark.lam@apple.com>
1438
1439         Structure::storedPrototype() and storedPrototypeObject() should assert with isCompilationThread(), not !isMainThread().
1440         https://bugs.webkit.org/show_bug.cgi?id=201449
1441
1442         Reviewed by Yusuke Suzuki.
1443
1444         Using !isMainThread() in the assertion also disables the assertion for the mutator
1445         of worker threads.  This is not what we intended.
1446
1447         * runtime/StructureInlines.h:
1448         (JSC::Structure::storedPrototype const):
1449         (JSC::Structure::storedPrototypeObject const):
1450
1451 2019-09-04  Mark Lam  <mark.lam@apple.com>
1452
1453         Disambiguate a symbol used in JSDollarVM.
1454         https://bugs.webkit.org/show_bug.cgi?id=201466
1455         <rdar://problem/51826672>
1456
1457         Reviewed by Tadeu Zagallo.
1458
1459         This was causing a build issue on some internal build.
1460
1461         * tools/JSDollarVM.cpp:
1462
1463 2019-09-03  Mark Lam  <mark.lam@apple.com>
1464
1465         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
1466         https://bugs.webkit.org/show_bug.cgi?id=201309
1467         <rdar://problem/54832121>
1468
1469         Reviewed by Yusuke Suzuki.
1470
1471         * dfg/DFGAbstractInterpreterInlines.h:
1472         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1473         * runtime/JSArrayBufferView.h:
1474         * runtime/JSArrayBufferViewInlines.h:
1475         (JSC::JSArrayBufferView::possiblySharedBufferImpl):
1476         (JSC::JSArrayBufferView::possiblySharedBuffer):
1477         (JSC::JSArrayBufferView::byteOffsetImpl):
1478         (JSC::JSArrayBufferView::byteOffset):
1479         (JSC::JSArrayBufferView::byteOffsetConcurrently):
1480
1481 2019-09-03  Devin Rousso  <drousso@apple.com>
1482
1483         Web Inspector: implement blackboxing of script resources
1484         https://bugs.webkit.org/show_bug.cgi?id=17240
1485         <rdar://problem/5732847>
1486
1487         Reviewed by Joseph Pecoraro.
1488
1489         When a script is blackboxed and the debugger attempts to pause in that script, the pause
1490         reason/data will be saved and execution will continue until it has left the blackboxed
1491         script. Once outside, execution is paused with the saved reason/data.
1492
1493         This is especially useful when debugging issues using libraries/frameworks, as it allows the
1494         developer to "skip" the internal logic of the library/framework and instead focus only on
1495         how they're using it.
1496
1497         * inspector/protocol/Debugger.json:
1498         Add `setShouldBlackboxURL` command.
1499
1500         * inspector/agents/InspectorDebuggerAgent.h:
1501         * inspector/agents/InspectorDebuggerAgent.cpp:
1502         (Inspector::InspectorDebuggerAgent):
1503         (Inspector::InspectorDebuggerAgent::enable):
1504         (Inspector::InspectorDebuggerAgent::updatePauseReasonAndData): Added.
1505         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1506         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
1507         (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): Added.
1508         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
1509         (Inspector::InspectorDebuggerAgent::didParseSource):
1510         (Inspector::InspectorDebuggerAgent::didPause):
1511         (Inspector::InspectorDebuggerAgent::didContinue):
1512         (Inspector::InspectorDebuggerAgent::breakProgram):
1513         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
1514         (Inspector::InspectorDebuggerAgent::clearPauseDetails): Added.
1515         (Inspector::InspectorDebuggerAgent::clearBreakDetails): Deleted.
1516         Renamed "break" to "pause" to match `Debugger` naming.
1517
1518         * debugger/Debugger.h:
1519         * debugger/Debugger.cpp:
1520         (JSC::Debugger::pauseIfNeeded):
1521         (JSC::Debugger::setBlackboxType): Added.
1522         (JSC::Debugger::clearBlackbox): Added.
1523         (JSC::Debugger::isBlacklisted const): Deleted.
1524         (JSC::Debugger::addToBlacklist): Deleted.
1525         (JSC::Debugger::clearBlacklist): Deleted.
1526
1527 2019-09-03  Mark Lam  <mark.lam@apple.com>
1528
1529         Remove the need to pass performJITMemcpy as a pointer.
1530         https://bugs.webkit.org/show_bug.cgi?id=201413
1531
1532         Reviewed by Michael Saboff.
1533
1534         We want performJITMemcpy to always be inlined.  In this patch, we also clean up
1535         some template parameters to use enums instead of booleans to better document the
1536         intent of the code.
1537
1538         * assembler/ARM64Assembler.h:
1539         (JSC::ARM64Assembler::fillNops):
1540         (JSC::ARM64Assembler::linkJump):
1541         (JSC::ARM64Assembler::linkCall):
1542         (JSC::ARM64Assembler::relinkJump):
1543         (JSC::ARM64Assembler::relinkCall):
1544         (JSC::ARM64Assembler::link):
1545         (JSC::ARM64Assembler::linkJumpOrCall):
1546         (JSC::ARM64Assembler::linkCompareAndBranch):
1547         (JSC::ARM64Assembler::linkConditionalBranch):
1548         (JSC::ARM64Assembler::linkTestAndBranch):
1549         (JSC::ARM64Assembler::relinkJumpOrCall):
1550         (JSC::ARM64Assembler::CopyFunction::CopyFunction): Deleted.
1551         (JSC::ARM64Assembler::CopyFunction::operator()): Deleted.
1552         * assembler/ARMv7Assembler.h:
1553         (JSC::ARMv7Assembler::fillNops):
1554         (JSC::ARMv7Assembler::link):
1555         (JSC::ARMv7Assembler::linkJumpT1):
1556         (JSC::ARMv7Assembler::linkJumpT2):
1557         (JSC::ARMv7Assembler::linkJumpT3):
1558         (JSC::ARMv7Assembler::linkJumpT4):
1559         (JSC::ARMv7Assembler::linkConditionalJumpT4):
1560         (JSC::ARMv7Assembler::linkBX):
1561         (JSC::ARMv7Assembler::linkConditionalBX):
1562         * assembler/AbstractMacroAssembler.h:
1563         (JSC::AbstractMacroAssembler::emitNops):
1564         * assembler/LinkBuffer.cpp:
1565         (JSC::LinkBuffer::copyCompactAndLinkCode):
1566         * assembler/MIPSAssembler.h:
1567         (JSC::MIPSAssembler::fillNops):
1568         * assembler/MacroAssemblerARM64.h:
1569         (JSC::MacroAssemblerARM64::link):
1570         * assembler/MacroAssemblerARMv7.h:
1571         (JSC::MacroAssemblerARMv7::link):
1572         * assembler/X86Assembler.h:
1573         (JSC::X86Assembler::fillNops):
1574         * jit/ExecutableAllocator.h:
1575         (JSC::performJITMemcpy):
1576         * runtime/JSCPtrTag.h:
1577
1578 2019-09-03  Devin Rousso  <drousso@apple.com>
1579
1580         REGRESSION (r249078): Flaky crash in com.apple.JavaScriptCore: Inspector::InjectedScriptModule::ensureInjected
1581         https://bugs.webkit.org/show_bug.cgi?id=201201
1582         <rdar://problem/54771560>
1583
1584         Reviewed by Joseph Pecoraro.
1585
1586         * inspector/InjectedScriptSource.js:
1587         (let.InjectedScript.prototype.injectModule):
1588         (let.InjectedScript.prototype._evaluateOn):
1589         (CommandLineAPI):
1590         (let.InjectedScript.prototype.setInspectObject): Deleted.
1591         (let.InjectedScript.prototype.addCommandLineAPIGetter): Deleted.
1592         (let.InjectedScript.prototype.addCommandLineAPIMethod.func.toString): Deleted.
1593         (let.InjectedScript.prototype.addCommandLineAPIMethod): Deleted.
1594         (InjectedScript.CommandLineAPI): Deleted.
1595         Allow injected script "extensions" (e.g. CommandLineAPIModuleSource.js) to modify objects
1596         directly, instead of having them call functions.
1597
1598         * inspector/InjectedScriptModule.cpp:
1599         (Inspector::InjectedScriptModule::ensureInjected):
1600         Make sure to reset `hadException` to `false` before making another call.
1601
1602 2019-09-03  Yusuke Suzuki  <ysuzuki@apple.com>
1603
1604         [JSC] Remove BytecodeGenerator::emitPopScope
1605         https://bugs.webkit.org/show_bug.cgi?id=201395
1606
1607         Reviewed by Saam Barati.
1608
1609         Use emitGetParentScope. And this patch also removes several unnecessary mov bytecode emissions.
1610
1611         * bytecompiler/BytecodeGenerator.cpp:
1612         (JSC::BytecodeGenerator::popLexicalScopeInternal):
1613         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1614         (JSC::BytecodeGenerator::emitPopWithScope):
1615         (JSC::BytecodeGenerator::emitPopScope): Deleted.
1616         * bytecompiler/BytecodeGenerator.h:
1617
1618 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
1619
1620         [JSC] Merge op_check_traps into op_enter and op_loop_hint
1621         https://bugs.webkit.org/show_bug.cgi?id=201373
1622
1623         Reviewed by Mark Lam.
1624
1625         This patch removes op_check_traps. Previously we were conditionally emitting op_check_traps based on Options and Platform configurations.
1626         But now we are always emitting op_check_traps. So it is not necessary to have separate bytecode as op_check_traps. We can do checking in
1627         op_enter and op_loop_hint.
1628
1629         While this patch moves check_traps implementation to op_enter and op_loop_hint, we keep separate DFG nodes (CheckTraps or InvalidationPoint),
1630         since inserted nodes are different based on configurations and options. And emitting multiple DFG nodes from one bytecode is easy.
1631
1632         We also inline op_enter's slow path's write-barrier emission in LLInt.
1633
1634         * bytecode/BytecodeList.rb:
1635         * bytecode/BytecodeUseDef.h:
1636         (JSC::computeUsesForBytecodeOffset):
1637         (JSC::computeDefsForBytecodeOffset):
1638         * bytecompiler/BytecodeGenerator.cpp:
1639         (JSC::BytecodeGenerator::BytecodeGenerator):
1640         (JSC::BytecodeGenerator::emitLoopHint):
1641         (JSC::BytecodeGenerator::emitCheckTraps): Deleted.
1642         * bytecompiler/BytecodeGenerator.h:
1643         * dfg/DFGByteCodeParser.cpp:
1644         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1645         (JSC::DFG::ByteCodeParser::parseBlock):
1646         * dfg/DFGCapabilities.cpp:
1647         (JSC::DFG::capabilityLevel):
1648         * jit/JIT.cpp:
1649         (JSC::JIT::privateCompileMainPass):
1650         (JSC::JIT::privateCompileSlowCases):
1651         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
1652         * jit/JIT.h:
1653         * jit/JITOpcodes.cpp:
1654         (JSC::JIT::emit_op_loop_hint):
1655         (JSC::JIT::emitSlow_op_loop_hint):
1656         (JSC::JIT::emit_op_enter):
1657         (JSC::JIT::emitSlow_op_enter):
1658         (JSC::JIT::emit_op_check_traps): Deleted.
1659         (JSC::JIT::emitSlow_op_check_traps): Deleted.
1660         * jit/JITOpcodes32_64.cpp:
1661         (JSC::JIT::emit_op_enter): Deleted.
1662         * llint/LowLevelInterpreter.asm:
1663         * llint/LowLevelInterpreter32_64.asm:
1664         * llint/LowLevelInterpreter64.asm:
1665         * runtime/CommonSlowPaths.cpp:
1666         * runtime/CommonSlowPaths.h:
1667
1668 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
1669
1670         [JSC] Fix testb3 debug failures
1671         https://bugs.webkit.org/show_bug.cgi?id=201382
1672
1673         Reviewed by Mark Lam.
1674
1675         Fix testb3 debug failures due to incorrect types of operations like pointer + int32.
1676
1677         * b3/testb3_8.cpp:
1678         (testByteCopyLoop):
1679         (testByteCopyLoopStartIsLoopDependent):
1680         (testByteCopyLoopBoundIsLoopDependent):
1681
1682 2019-09-01  Mark Lam  <mark.lam@apple.com>
1683
1684         Speculative build fix for ARMv7 and MIPS.
1685         https://bugs.webkit.org/show_bug.cgi?id=201389
1686
1687         Not reviewed.
1688
1689         * bytecode/CodeBlock.cpp:
1690         (JSC::CodeBlock::jettison):
1691
1692 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1693
1694         [JSC] LLInt op should not emit the same code three times
1695         https://bugs.webkit.org/show_bug.cgi?id=201370
1696
1697         Reviewed by Mark Lam.
1698
1699         LLInt op macro (not llintOp macro) is used to generate some stub code like llint_program_prologue.
1700         But now it generates the same code three times for narrow, wide16, and wide32. We should emit code only once.
1701
1702         * llint/LowLevelInterpreter.asm:
1703
1704 2019-08-30  Mark Lam  <mark.lam@apple.com>
1705
1706         Remove some obsolete statements that have no effect.
1707         https://bugs.webkit.org/show_bug.cgi?id=201357
1708
1709         Reviewed by Saam Barati.
1710
1711         This patch removes 3 statements that look like this:
1712
1713             result->butterfly(); // Ensure that the butterfly is in to-space.
1714
1715         The statement just reads a field and does nothing with it.  This is a no-op
1716         logic-wise, and the comment that accompanies it is obsolete.
1717
1718         * dfg/DFGOperations.cpp:
1719
1720 2019-08-30  Mark Lam  <mark.lam@apple.com>
1721
1722         Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
1723         https://bugs.webkit.org/show_bug.cgi?id=201345
1724
1725         Reviewed by Yusuke Suzuki.
1726
1727         This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
1728         the wrong pointer for capture the cell headerWord and zapReason.  As a result,
1729         we get junk for those 2 values.
1730
1731         Previously, we were only capturing the upper 32-bits of the cell header slot,
1732         and the lower 32-bit of the next slot in the zapped cell.  We now capture the
1733         full 64-bits of both slots.  If the second slot did not contain a zapReason as we
1734         expect, the upper 32-bits might give us a clue as to what type of value the slot
1735         contains.
1736
1737         This patch also adds capturing of the found MarkedBlock address for the zapped
1738         cell, as well as some state bit values.
1739
1740         * heap/SlotVisitor.cpp:
1741         (JSC::SlotVisitor::reportZappedCellAndCrash):
1742
1743 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1744
1745         [JSC] Generate new.target register only when it is used
1746         https://bugs.webkit.org/show_bug.cgi?id=201335
1747
1748         Reviewed by Mark Lam.
1749
1750         Since bytecode generator knows whether new.target register can be used, we should emit and use new.target register
1751         only when it is actually required.
1752
1753         * bytecompiler/BytecodeGenerator.cpp:
1754         (JSC::BytecodeGenerator::BytecodeGenerator):
1755         * bytecompiler/BytecodeGenerator.h:
1756         (JSC::BytecodeGenerator::newTarget):
1757         * parser/Nodes.h:
1758         (JSC::ScopeNode::needsNewTargetRegisterForThisScope const):
1759
1760 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1761
1762         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
1763         https://bugs.webkit.org/show_bug.cgi?id=201331
1764
1765         Reviewed by Mark Lam.
1766
1767         SimpleJumpTable's non-JIT part is not changed after CodeBlock is finalized well. On the other hand, JIT related part is allocated on-demand.
1768         For example, ctiOffsets can be grown by Baseline JIT compiler. There is race condition as follows.
1769
1770             1. DFG ByteCodeParser is inlining and copying SimpleJumpTable
1771             2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable
1772
1773         Then, (1) reads the broken Vector, and crashes. Since JIT-related part is unnecessary in (1), we should not clone that.
1774         This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which only copies non JIT-related part of the given SimpleJumpTable offered
1775         by profiled CodeBlock.
1776
1777         * bytecode/CodeBlock.h:
1778         (JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock):
1779         * bytecode/JumpTable.h:
1780         (JSC::SimpleJumpTable::cloneNonJITPart const):
1781         (JSC::SimpleJumpTable::clear):
1782         * dfg/DFGByteCodeParser.cpp:
1783         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1784
1785 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1786
1787         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
1788         https://bugs.webkit.org/show_bug.cgi?id=201332
1789
1790         Reviewed by Mark Lam.
1791
1792         When inlining setter calls in DFG, result VirtualRegister becomes invalid one. While other call-related DFG code correctly assumes
1793         that `result` may be invalid, only CheckBadCell slow path missed this case. Since this is OSR exit path and VirtualRegister result
1794         does not exist, set BottomValue only when "result" is valid as the other DFG code is doing.
1795
1796         * dfg/DFGByteCodeParser.cpp:
1797         (JSC::DFG::ByteCodeParser::handleInlining):
1798
1799 2019-08-29  Devin Rousso  <drousso@apple.com>
1800
1801         Web Inspector: Debugger: async event listener stack traces should be available in Workers
1802         https://bugs.webkit.org/show_bug.cgi?id=200903
1803
1804         Reviewed by Joseph Pecoraro.
1805
1806         * inspector/agents/InspectorDebuggerAgent.h:
1807         (Inspector::InspectorDebuggerAgent::enabled): Added.
1808         * inspector/agents/InspectorDebuggerAgent.cpp:
1809         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
1810         (Inspector::InspectorDebuggerAgent::enable):
1811         (Inspector::InspectorDebuggerAgent::disable):
1812         Allow subclasses to extend what it means for the `InspectorDebuggerAgent` to be `enabled`.
1813
1814 2019-08-29  Keith Rollin  <krollin@apple.com>
1815
1816         Update .xcconfig symbols to reflect the current set of past and future product versions.
1817         https://bugs.webkit.org/show_bug.cgi?id=200720
1818         <rdar://problem/54305032>
1819
1820         Reviewed by Alex Christensen.
1821
1822         Remove version symbols related to old OS's we no longer support,
1823         ensure that version symbols are defined for OS's we do support.
1824
1825         * Configurations/Base.xcconfig:
1826         * Configurations/DebugRelease.xcconfig:
1827         * Configurations/Version.xcconfig:
1828
1829 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
1830
1831         [JSC] Repatch should construct CallCases and CasesValue at the same time
1832         https://bugs.webkit.org/show_bug.cgi?id=201325
1833
1834         Reviewed by Saam Barati.
1835
1836         In linkPolymorphicCall, we should create callCases and casesValue at the same time to assert `callCases.size() == casesValue.size()`.
1837         If the call variant is isClosureCall and InternalFunction, we skip adding it to casesValue. So we should not add this variant to callCases too.
1838
1839         * jit/Repatch.cpp:
1840         (JSC::linkPolymorphicCall):
1841
1842 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
1843
1844         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
1845         https://bugs.webkit.org/show_bug.cgi?id=198650
1846
1847         Reviewed by Saam Barati.
1848
1849         Object Allocation Sinking phase has a lightweight abstract interpreter which interprets DFG nodes related to allocations and properties.
1850         This interpreter is lightweight since it does not track abstract values and conditions as deeply as AI does. It can happen that this
1851         interpreter interpret the control-flow edge that AI proved that is never taken.
1852         AI already knows some control-flow edges are never taken, and based on this information, AI can remove CheckStructure nodes. But
1853         ObjectAllocationSinking phase can trace this never-taken edges and propagate structure information that contradicts to the analysis
1854         done in ObjectAllocationSinking.
1855
1856         Let's see the example.
1857
1858             BB#0
1859                 35: NewObject([%AM:Object])
1860                 ...
1861                 47: Branch(ConstantTrue, T:#1, F:#2)
1862
1863             BB#1 // This basic block is never taken due to @47's jump.
1864                 ...
1865                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
1866                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
1867                 ...
1868                 XX: Jump(#2)
1869
1870             BB#2
1871                 ...
1872                 92: CheckStructure(@35, [%Dx:Object])
1873                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
1874                 ...
1875
1876         AI removes @92 because AI knows BB#0 only takes BB#1 branch. @35's Structure is always %Dx so @92 is redundant.
1877         AI proved that @71 and @72 are always executed while BB#0 -> BB#2 edge is never taken so that @35 object's structure is proven at @92.
1878         After AI removes @92, ObjectAllocationSinking starts looking into this graph.
1879
1880             BB#0
1881                 35: NewObject([%AM:Object])
1882                 ...
1883                 47: Branch(ConstantTrue, T:#1, F:#2)
1884
1885             BB#1 // This basic block is never taken due to @47's jump.
1886                 ...
1887                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
1888                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
1889                 ...
1890                 XX: Jump(#2)
1891
1892             BB#2
1893                 ...
1894                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
1895                 ...
1896                 YY: Jump(#3)
1897
1898             BB#3
1899                 ...
1900                 ZZ: <HERE> want to materialize @35's sunk object.
1901
1902         Since AI does not change the @47 Branch to Jump (it is OK anyway), BB#0 -> BB#2 edge remains and ObjectAllocationSinking phase propagates information in
1903         BB#0's %AM structure information to BB#2. ObjectAllocationSinking phase converts @35 to PhantomNewObject, removes PutByOffset and PutStructure, and
1904         insert MaterializeNewObject in @ZZ. At this point, ObjectAllocationSinking lightweight interpreter gets two structures while AI gets one: @35's original
1905         one (%AM) and @72's replaced one (%Dx). Since AI already proved @ZZ only gets %Dx, AI removed @92 CheckStructure. But this is not known to ObjectAllocationSinking
1906         phase's interpretation. So when creating recovery data, MultiPutByOffset includes two structures, %AM and %Dx. This is OK since MultiPutByOffset takes
1907         conservative set of structures and performs switching. But the problem here is that %AM's id2{a} offset is -1 since %AM does not have such a property.
1908         So when creating MultiPutByOffset in ObjectAllocationSinking, we accidentally create MultiPutByOffset with -1 offset data, and lowering phase hits the debug
1909         assertion.
1910
1911             187: MultiPutByOffset(@138, @138, id2{a}, <Replace: [%AM:Object], offset = -1, >, <Replace: [%Dx:Object], offset = 0, >)
1912
1913         This bug is harmless since %AM structure comparison never meets at runtime. But we are not considering the case including `-1` offset property in MultiPutByOffset data.
1914         In this patch, we just filter out apparently wrong structures when creating MultiPutByOffset in ObjectAllocationSinking. This is OK since it never comes at runtime.
1915
1916         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1917
1918 2019-08-29  Devin Rousso  <drousso@apple.com>
1919
1920         Web Inspector: DOMDebugger: support event breakpoints in Worker contexts
1921         https://bugs.webkit.org/show_bug.cgi?id=200651
1922
1923         Reviewed by Joseph Pecoraro.
1924
1925         * inspector/protocol/DOMDebugger.json:
1926         Make the domain available in "worker" contexts as well.
1927
1928 2019-08-29  Keith Rollin  <krollin@apple.com>
1929
1930         Remove 32-bit macOS support
1931         https://bugs.webkit.org/show_bug.cgi?id=201282
1932         <rdar://problem/54821667>
1933
1934         Reviewed by Anders Carlsson.
1935
1936         WebKit doesn’t support 32-bit Mac any more, so remove checks and code
1937         for that platform.
1938
1939         * API/JSBase.h:
1940         * runtime/VM.h:
1941
1942 2019-08-29  Keith Rollin  <krollin@apple.com>
1943
1944         Remove support for macOS < 10.13 (part 3)
1945         https://bugs.webkit.org/show_bug.cgi?id=201224
1946         <rdar://problem/54795934>
1947
1948         Reviewed by Darin Adler.
1949
1950         Remove symbols in WebKitTargetConditionals.xcconfig related to macOS
1951         10.13, including WK_MACOS_1013 and WK_MACOS_BEFORE_1013, and suffixes
1952         like _MACOS_SINCE_1013.
1953
1954         * Configurations/WebKitTargetConditionals.xcconfig:
1955
1956 2019-08-29  Mark Lam  <mark.lam@apple.com>
1957
1958         Remove a bad assertion in ByteCodeParser::inlineCall().
1959         https://bugs.webkit.org/show_bug.cgi?id=201292
1960         <rdar://problem/54121659>
1961
1962         Reviewed by Michael Saboff.
1963
1964         In the DFG bytecode parser, we've already computed the inlining cost of a candidate
1965         inlining target, and determine that it is worth inlining before invoking
1966         ByteCodeParser::inlineCall().  However, in ByteCodeParser::inlineCall(), it
1967         recomputes the inlining cost again only for the purpose of asserting that it isn't
1968         too high.
1969
1970         Not consider a badly written test that does the following:
1971
1972             function bar() {
1973                 ...
1974                 foo(); // Call in a hot loop here.
1975                 ...
1976             }
1977
1978             bar(); // <===== foo is inlineable into bar here.
1979             noInline(foo); // <===== Change mind, and make foo not inlineable.
1980             bar();
1981
1982         With this bad test, the following racy scenario can occur:
1983
1984         1. the first invocation of bar() gets hot, and a concurrent compile is kicked off.
1985         2. the compiler thread computes foo()'s inliningCost() and determines that it is
1986            worthy to be inlined, and will imminently call inlineCall().
1987         3. the mutator calls the noInline() test utility on foo(), thereby making it NOT
1988            inlineable.
1989         4. the compiler thread calls inlineCall().  In inlineCall(), it re-computes the
1990            inliningCost for foo() and now finds that it is not inlineable.  An assertion
1991            failure follows.
1992
1993         Technically, the test is in error because noInline() shouldn't be used that way.
1994         However, fuzzers that are not clued into noInline()'s proper usage may generate
1995         code like this.
1996
1997         On the other hand, ByteCodeParser::inlineCall() should not be recomputing that the
1998         inlining cost and asserting on it.  The only reason inlineCall() is invoked is
1999         because it was already previously determined that a target function is inlineable
2000         based on its inlining cost.  Today, in practice, I don't think we have any real
2001         world condition where the mutator can affect the inlining cost of a target
2002         function midway through execution.  So, this assertion isn't a problem if no one
2003         writes a test that abuses noInline().  However, should things change such that the
2004         mutator is able to affect the inlining cost of a target function, then it is
2005         incorrect for the compiler to assume that the inlining cost is immutable.  Once
2006         the compiler decides to inline a function, it should just follow through.
2007
2008         This patch removes this assertion in ByteCodeParser::inlineCall().  It is an
2009         annoyance at best (for fuzzers), and at worst, incorrect if the mutator gains the
2010         ability to affect the inlining cost of a target function.
2011
2012         * dfg/DFGByteCodeParser.cpp:
2013         (JSC::DFG::ByteCodeParser::inlineCall):
2014
2015 2019-08-28  Mark Lam  <mark.lam@apple.com>
2016
2017         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
2018         https://bugs.webkit.org/show_bug.cgi?id=201281
2019         <rdar://problem/54028228>
2020
2021         Reviewed by Yusuke Suzuki and Saam Barati.
2022
2023         This (see title above) is already the preferred idiom used in most places in our
2024         compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
2025         compileStringCharAt().  Consider the following:
2026
2027             bool prototypeChainIsSane = false;
2028             if (globalObject->stringPrototypeChainIsSane()) {
2029                 ...
2030                 m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm()));
2031                 m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm()));
2032
2033                 prototypeChainIsSane = globalObject->stringPrototypeChainIsSane();
2034             }
2035
2036         What's essential for correctness here is that the stringPrototype and objectPrototype
2037         structures be loaded before the loads in the second stringPrototypeChainIsSane()
2038         check.  Without a loadLoadFence before the second stringPrototypeChainIsSane()
2039         check, we can't guarantee that.  Elsewhere in the compiler, the preferred idiom
2040         for doing this right is to pre-load the structures first, do a loadLoadFence, and
2041         then do the IsSane check just once after e.g.
2042
2043             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm);
2044             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm);
2045
2046             if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2047                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2048                 && globalObject->arrayPrototypeChainIsSane()) {
2049
2050                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
2051                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
2052                 ...
2053             }
2054
2055         This patch changes DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
2056         compileStringCharAt() to follow the same idiom.
2057
2058         We also fix a bad assertion in Structure::storedPrototype() and
2059         Structure::storedPrototypeObject().  The assertion is only correct when those
2060         methods are called from the mutator thread.  The assertion has been updated to
2061         only check its test condition if the current thread is the mutator thread.
2062
2063         * dfg/DFGSpeculativeJIT.cpp:
2064         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2065         * ftl/FTLLowerDFGToB3.cpp:
2066         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2067         * runtime/StructureInlines.h:
2068         (JSC::Structure::storedPrototype const):
2069         (JSC::Structure::storedPrototypeObject const):
2070
2071 2019-08-28  Mark Lam  <mark.lam@apple.com>
2072
2073         Placate exception check validation in DFG's operationHasGenericProperty().
2074         https://bugs.webkit.org/show_bug.cgi?id=201245
2075         <rdar://problem/54777512>
2076
2077         Reviewed by Robin Morisset.
2078
2079         * dfg/DFGOperations.cpp:
2080
2081 2019-08-28  Ross Kirsling  <ross.kirsling@sony.com>
2082
2083         Unreviewed. Restabilize non-unified build.
2084
2085         * runtime/PropertySlot.h:
2086
2087 2019-08-28  Mark Lam  <mark.lam@apple.com>
2088
2089         Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks.
2090         https://bugs.webkit.org/show_bug.cgi?id=201006
2091         <rdar://problem/52053991>
2092
2093         Reviewed by Yusuke Suzuki.
2094
2095         We already ensured that it is not possible to overflow in Wasm::FunctionParser's
2096         parse().  It is unnecessary and misleading to do those overflow checks in
2097         AirIRGenerator and B3IRGenerator.  The only check that is necessary is that
2098         m_locals.tryReserveCapacity() is successful, otherwise, we have an out of memory
2099         situation.
2100
2101         This patch changes these unnecessary checks to assertions instead.
2102
2103         * wasm/WasmAirIRGenerator.cpp:
2104         (JSC::Wasm::AirIRGenerator::addLocal):
2105         * wasm/WasmB3IRGenerator.cpp:
2106         (JSC::Wasm::B3IRGenerator::addLocal):
2107         * wasm/WasmValidate.cpp:
2108         (JSC::Wasm::Validate::addLocal):
2109
2110 2019-08-28  Keith Rollin  <krollin@apple.com>
2111
2112         Remove support for macOS < 10.13 (part 2)
2113         https://bugs.webkit.org/show_bug.cgi?id=201197
2114         <rdar://problem/54759985>
2115
2116         Update conditionals that reference WK_MACOS_1013 and suffixes like
2117         _MACOS_SINCE_1013, assuming that we're always building on 10.13 or
2118         later and that these conditionals are always True or False.
2119
2120         See Bug 200694 for earlier changes in this area.
2121
2122         Reviewed by Darin Adler.
2123
2124         * Configurations/FeatureDefines.xcconfig:
2125
2126 2019-08-28  Mark Lam  <mark.lam@apple.com>
2127
2128         Gardening: Rebase test results after r249175.
2129         https://bugs.webkit.org/show_bug.cgi?id=201172
2130
2131         Not reviewed.
2132
2133         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2134         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2135         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2136         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2137         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2138         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2139         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2140
2141 2019-08-27  Michael Saboff  <msaboff@apple.com>
2142
2143         Update PACCage changes for builds without Gigacage, but with signed pointers
2144         https://bugs.webkit.org/show_bug.cgi?id=201202
2145
2146         Reviewed by Saam Barati.
2147
2148         Factored out the untagging of pointers and added that to both the Gigacage enabled
2149         and disabled code paths.  Did this for the LLInt as well as the JITs.
2150
2151         * JavaScriptCore.xcodeproj/project.pbxproj: Added arm64e.rb to offlineasm file list.
2152         * dfg/DFGSpeculativeJIT.cpp:
2153         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
2154         * ftl/FTLLowerDFGToB3.cpp:
2155         (JSC::FTL::DFG::LowerDFGToB3::caged):
2156         * llint/LowLevelInterpreter64.asm:
2157
2158 2019-08-27  Mark Lam  <mark.lam@apple.com>
2159
2160         Refactor to use VM& instead of VM* at as many places as possible.
2161         https://bugs.webkit.org/show_bug.cgi?id=201172
2162
2163         Reviewed by Yusuke Suzuki.
2164
2165         Using VM& documents more clearly that the VM pointer is expected to never be null
2166         in most cases.  There are a few places where it can be null (e.g JSLock, and
2167         DFG::Plan).  Those will be left using a VM*.
2168
2169         Also converted some uses of ExecState* to using VM& instead since the ExecState*
2170         is only there to fetch the VM pointer.  Doing this also reduces the number of
2171         times we have to compute VM* from ExecState*.
2172
2173         This patch is not exhaustive in converting to use VM&, but applies the change to
2174         many commonly used pieces of code for a start.
2175
2176         Also fixed a missing exception check in JSString::toIdentifier() and
2177         JSValue::toPropertyKey() exposed by this patch.
2178
2179         * API/APICast.h:
2180         (toJS):
2181         * API/JSAPIGlobalObject.mm:
2182         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
2183         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
2184         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
2185         (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
2186         (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule):
2187         * API/JSCallbackConstructor.cpp:
2188         (JSC::JSCallbackConstructor::finishCreation):
2189         * API/JSCallbackObjectFunctions.h:
2190         (JSC::JSCallbackObject<Parent>::asCallbackObject):
2191         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
2192         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
2193         (JSC::JSCallbackObject<Parent>::putByIndex):
2194         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
2195         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2196         * API/JSContext.mm:
2197         (-[JSContext dependencyIdentifiersForModuleJSScript:]):
2198         * API/JSObjectRef.cpp:
2199         (JSObjectMakeFunction):
2200         (classInfoPrivate):
2201         (JSObjectGetPrivate):
2202         (JSObjectSetPrivate):
2203         (JSObjectCopyPropertyNames):
2204         (JSPropertyNameAccumulatorAddName):
2205         (JSObjectGetProxyTarget):
2206         * API/JSScriptRef.cpp:
2207         (parseScript):
2208         * API/JSValueRef.cpp:
2209         (JSValueMakeString):
2210         * API/OpaqueJSString.cpp:
2211         (OpaqueJSString::identifier const):
2212         * API/glib/JSCContext.cpp:
2213         (jsc_context_check_syntax):
2214         * KeywordLookupGenerator.py:
2215         (Trie.printSubTreeAsC):
2216         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py:
2217         (BuiltinsWrapperHeaderGenerator.generate_constructor):
2218         * Scripts/wkbuiltins/builtins_templates.py:
2219         * bindings/ScriptFunctionCall.cpp:
2220         (Deprecated::ScriptCallArgumentHandler::appendArgument):
2221         (Deprecated::ScriptFunctionCall::call):
2222         * bindings/ScriptValue.cpp:
2223         (Inspector::jsToInspectorValue):
2224         * builtins/BuiltinExecutables.cpp:
2225         (JSC::BuiltinExecutables::createExecutable):
2226         * builtins/BuiltinNames.cpp:
2227         (JSC::BuiltinNames::BuiltinNames):
2228         * builtins/BuiltinNames.h:
2229         (JSC::BuiltinNames::getPublicName const):
2230         * bytecode/BytecodeDumper.cpp:
2231         (JSC::BytecodeDumper<Block>::vm const):
2232         * bytecode/BytecodeDumper.h:
2233         * bytecode/BytecodeGeneratorification.cpp:
2234         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2235         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
2236         (JSC::BytecodeGeneratorification::run):
2237         * bytecode/BytecodeIntrinsicRegistry.cpp:
2238         (JSC::BytecodeIntrinsicRegistry::sentinelMapBucketValue):
2239         (JSC::BytecodeIntrinsicRegistry::sentinelSetBucketValue):
2240         * bytecode/CallVariant.h:
2241         (JSC::CallVariant::internalFunction const):
2242         (JSC::CallVariant::function const):
2243         (JSC::CallVariant::isClosureCall const):
2244         (JSC::CallVariant::executable const):
2245         (JSC::CallVariant::functionExecutable const):
2246         (JSC::CallVariant::nativeExecutable const):
2247         * bytecode/CodeBlock.cpp:
2248         (JSC::CodeBlock::dumpSource):
2249         (JSC::CodeBlock::CodeBlock):
2250         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
2251         (JSC::CodeBlock::setNumParameters):
2252         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2253         (JSC::CodeBlock::unlinkIncomingCalls):
2254         (JSC::CodeBlock::replacement):
2255         (JSC::CodeBlock::computeCapabilityLevel):
2256         (JSC::CodeBlock::noticeIncomingCall):
2257         (JSC::CodeBlock::nameForRegister):
2258         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2259         * bytecode/CodeBlock.h:
2260         (JSC::CodeBlock::vm const):
2261         (JSC::CodeBlock::numberOfArgumentValueProfiles):
2262         (JSC::CodeBlock::valueProfileForArgument):
2263         * bytecode/DeferredSourceDump.cpp:
2264         (JSC::DeferredSourceDump::DeferredSourceDump):
2265         * bytecode/EvalCodeBlock.h:
2266         * bytecode/FunctionCodeBlock.h:
2267         * bytecode/GetByIdStatus.cpp:
2268         (JSC::GetByIdStatus::computeFromLLInt):
2269         * bytecode/GlobalCodeBlock.h:
2270         (JSC::GlobalCodeBlock::GlobalCodeBlock):
2271         * bytecode/ModuleProgramCodeBlock.h:
2272         * bytecode/ObjectAllocationProfileInlines.h:
2273         (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount):
2274         * bytecode/PolyProtoAccessChain.cpp:
2275         (JSC::PolyProtoAccessChain::create):
2276         * bytecode/ProgramCodeBlock.h:
2277         * bytecode/PropertyCondition.cpp:
2278         (JSC::PropertyCondition::isWatchableWhenValid const):
2279         * bytecode/PutByIdStatus.cpp:
2280         (JSC::PutByIdStatus::computeFromLLInt):
2281         * bytecode/StructureStubInfo.cpp:
2282         (JSC::StructureStubInfo::initGetByIdSelf):
2283         (JSC::StructureStubInfo::initPutByIdReplace):
2284         (JSC::StructureStubInfo::initInByIdSelf):
2285         (JSC::StructureStubInfo::addAccessCase):
2286         (JSC::StructureStubInfo::visitWeakReferences):
2287         * bytecode/UnlinkedCodeBlock.cpp:
2288         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2289         * bytecode/UnlinkedCodeBlock.h:
2290         (JSC::UnlinkedCodeBlock::addSetConstant):
2291         (JSC::UnlinkedCodeBlock::addConstant):
2292         (JSC::UnlinkedCodeBlock::addFunctionDecl):
2293         (JSC::UnlinkedCodeBlock::addFunctionExpr):
2294         * bytecode/UnlinkedEvalCodeBlock.h:
2295         * bytecode/UnlinkedFunctionCodeBlock.h:
2296         * bytecode/UnlinkedFunctionExecutable.cpp:
2297         (JSC::generateUnlinkedFunctionCodeBlock):
2298         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2299         * bytecode/UnlinkedFunctionExecutable.h:
2300         * bytecode/UnlinkedGlobalCodeBlock.h:
2301         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
2302         * bytecode/UnlinkedModuleProgramCodeBlock.h:
2303         * bytecode/UnlinkedProgramCodeBlock.h:
2304         * bytecompiler/BytecodeGenerator.cpp:
2305         (JSC::BytecodeGenerator::BytecodeGenerator):
2306         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
2307         (JSC::BytecodeGenerator::emitDirectPutById):
2308         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
2309         (JSC::BytecodeGenerator::addBigIntConstant):
2310         (JSC::BytecodeGenerator::addTemplateObjectConstant):
2311         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
2312         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
2313         * bytecompiler/BytecodeGenerator.h:
2314         (JSC::BytecodeGenerator::vm const):
2315         (JSC::BytecodeGenerator::propertyNames const):
2316         (JSC::BytecodeGenerator::emitNodeInTailPosition):
2317         (JSC::BytecodeGenerator::emitDefineClassElements):
2318         (JSC::BytecodeGenerator::emitNodeInConditionContext):
2319         * bytecompiler/NodesCodegen.cpp:
2320         (JSC::RegExpNode::emitBytecode):
2321         (JSC::ArrayNode::emitBytecode):
2322         (JSC::FunctionCallResolveNode::emitBytecode):
2323         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
2324         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
2325         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
2326         (JSC::InstanceOfNode::emitBytecode):
2327         * debugger/Debugger.cpp:
2328         * debugger/DebuggerParseData.cpp:
2329         (JSC::gatherDebuggerParseData):
2330         * debugger/DebuggerScope.cpp:
2331         (JSC::DebuggerScope::next):
2332         (JSC::DebuggerScope::name const):
2333         (JSC::DebuggerScope::location const):
2334         * dfg/DFGDesiredIdentifiers.cpp:
2335         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2336         * dfg/DFGDesiredWatchpoints.cpp:
2337         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2338         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
2339         * dfg/DFGFrozenValue.h:
2340         (JSC::DFG::FrozenValue::FrozenValue):
2341         * dfg/DFGGraph.cpp:
2342         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
2343         * dfg/DFGJITCompiler.cpp:
2344         (JSC::DFG::JITCompiler::linkOSRExits):
2345         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2346         (JSC::DFG::JITCompiler::link):
2347         (JSC::DFG::emitStackOverflowCheck):
2348         (JSC::DFG::JITCompiler::compileFunction):
2349         (JSC::DFG::JITCompiler::exceptionCheck):
2350         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
2351         * dfg/DFGJITCompiler.h:
2352         (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
2353         (JSC::DFG::JITCompiler::fastExceptionCheck):
2354         (JSC::DFG::JITCompiler::vm):
2355         * dfg/DFGLazyJSValue.cpp:
2356         (JSC::DFG::LazyJSValue::getValue const):
2357         (JSC::DFG::LazyJSValue::emit const):
2358         * dfg/DFGOSREntry.cpp:
2359         (JSC::DFG::prepareOSREntry):
2360         * dfg/DFGOSRExit.cpp:
2361         (JSC::DFG::OSRExit::compileOSRExit):
2362         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2363         * dfg/DFGOSRExitCompilerCommon.h:
2364         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
2365         * dfg/DFGOperations.cpp:
2366         (JSC::DFG::newTypedArrayWithSize):
2367         (JSC::DFG::binaryOp):
2368         (JSC::DFG::bitwiseBinaryOp):
2369         * dfg/DFGPlan.cpp:
2370         (JSC::DFG::Plan::Plan):
2371         * dfg/DFGSpeculativeJIT.cpp:
2372         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2373         (JSC::DFG::SpeculativeJIT::compileStringSlice):
2374         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2375         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
2376         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2377         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2378         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
2379         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
2380         (JSC::DFG::SpeculativeJIT::emitStringBranch):
2381         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
2382         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
2383         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
2384         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2385         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2386         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2387         (JSC::DFG::SpeculativeJIT::compileSpread):
2388         (JSC::DFG::SpeculativeJIT::compileNewArray):
2389         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2390         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2391         (JSC::DFG::SpeculativeJIT::compileArrayPush):
2392         (JSC::DFG::SpeculativeJIT::compileTypeOf):
2393         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2394         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2395         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
2396         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2397         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2398         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2399         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
2400         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2401         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2402         (JSC::DFG::SpeculativeJIT::compileStringReplace):
2403         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
2404         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
2405         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
2406         (JSC::DFG::SpeculativeJIT::compileObjectKeys):
2407         (JSC::DFG::SpeculativeJIT::compileCreateThis):
2408         (JSC::DFG::SpeculativeJIT::compileNewObject):
2409         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
2410         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
2411         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
2412         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2413         (JSC::DFG::SpeculativeJIT::compileProfileType):
2414         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2415         * dfg/DFGSpeculativeJIT.h:
2416         (JSC::DFG::SpeculativeJIT::vm):
2417         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
2418         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
2419         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2420         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
2421         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
2422         * dfg/DFGSpeculativeJIT32_64.cpp:
2423         (JSC::DFG::SpeculativeJIT::emitCall):
2424         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2425         (JSC::DFG::SpeculativeJIT::emitBranch):
2426         (JSC::DFG::SpeculativeJIT::compile):
2427         * dfg/DFGSpeculativeJIT64.cpp:
2428         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2429         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2430         (JSC::DFG::SpeculativeJIT::emitCall):
2431         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2432         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2433         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2434         (JSC::DFG::SpeculativeJIT::emitBranch):
2435         (JSC::DFG::SpeculativeJIT::compile):
2436         * dfg/DFGThunks.cpp:
2437         (JSC::DFG::osrExitThunkGenerator):
2438         (JSC::DFG::osrExitGenerationThunkGenerator):
2439         (JSC::DFG::osrEntryThunkGenerator):
2440         * dfg/DFGThunks.h:
2441         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2442         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
2443         * dfg/DFGWorklist.cpp:
2444         (JSC::DFG::Worklist::visitWeakReferences):
2445         * dynbench.cpp:
2446         (main):
2447         * ftl/FTLLowerDFGToB3.cpp:
2448         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2449         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2450         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2451         * ftl/FTLThunks.cpp:
2452         (JSC::FTL::genericGenerationThunkGenerator):
2453         (JSC::FTL::osrExitGenerationThunkGenerator):
2454         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
2455         * ftl/FTLThunks.h:
2456         * heap/CellContainer.h:
2457         * heap/CellContainerInlines.h:
2458         (JSC::CellContainer::vm const):
2459         (JSC::CellContainer::heap const):
2460         * heap/CompleteSubspace.cpp:
2461         (JSC::CompleteSubspace::tryAllocateSlow):
2462         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
2463         * heap/GCActivityCallback.h:
2464         * heap/GCAssertions.h:
2465         * heap/HandleSet.cpp:
2466         (JSC::HandleSet::HandleSet):
2467         * heap/HandleSet.h:
2468         (JSC::HandleSet::vm):
2469         * heap/Heap.cpp:
2470         (JSC::Heap::Heap):
2471         (JSC::Heap::lastChanceToFinalize):
2472         (JSC::Heap::releaseDelayedReleasedObjects):
2473         (JSC::Heap::protect):
2474         (JSC::Heap::unprotect):
2475         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
2476         (JSC::Heap::finalizeUnconditionalFinalizers):
2477         (JSC::Heap::completeAllJITPlans):
2478         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
2479         (JSC::Heap::gatherJSStackRoots):
2480         (JSC::Heap::gatherScratchBufferRoots):
2481         (JSC::Heap::removeDeadCompilerWorklistEntries):
2482         (JSC::Heap::isAnalyzingHeap const):
2483         (JSC::Heap::gatherExtraHeapData):
2484         (JSC::Heap::protectedObjectTypeCounts):
2485         (JSC::Heap::objectTypeCounts):
2486         (JSC::Heap::deleteAllCodeBlocks):
2487         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2488         (JSC::Heap::deleteUnmarkedCompiledCode):
2489         (JSC::Heap::checkConn):
2490         (JSC::Heap::runEndPhase):
2491         (JSC::Heap::stopThePeriphery):
2492         (JSC::Heap::finalize):
2493         (JSC::Heap::requestCollection):
2494         (JSC::Heap::sweepInFinalize):
2495         (JSC::Heap::sweepArrayBuffers):
2496         (JSC::Heap::deleteSourceProviderCaches):
2497         (JSC::Heap::didFinishCollection):
2498         (JSC::Heap::addCoreConstraints):
2499         * heap/Heap.h:
2500         * heap/HeapCell.h:
2501         * heap/HeapCellInlines.h:
2502         (JSC::HeapCell::heap const):
2503         (JSC::HeapCell::vm const):
2504         * heap/HeapInlines.h:
2505         (JSC::Heap::vm const):
2506         * heap/IsoSubspacePerVM.cpp:
2507         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
2508         * heap/LargeAllocation.cpp:
2509         (JSC::LargeAllocation::sweep):
2510         (JSC::LargeAllocation::assertValidCell const):
2511         * heap/LargeAllocation.h:
2512         (JSC::LargeAllocation::vm const):
2513         * heap/LocalAllocator.cpp:
2514         (JSC::LocalAllocator::allocateSlowCase):
2515         * heap/MarkedBlock.cpp:
2516         (JSC::MarkedBlock::Handle::Handle):
2517         (JSC::MarkedBlock::aboutToMarkSlow):
2518         (JSC::MarkedBlock::assertMarksNotStale):
2519         (JSC::MarkedBlock::areMarksStale):
2520         (JSC::MarkedBlock::isMarked):
2521         (JSC::MarkedBlock::assertValidCell const):
2522         * heap/MarkedBlock.h:
2523         (JSC::MarkedBlock::Handle::vm const):
2524         (JSC::MarkedBlock::vm const):
2525         * heap/MarkedBlockInlines.h:
2526         (JSC::MarkedBlock::heap const):
2527         (JSC::MarkedBlock::Handle::specializedSweep):
2528         * heap/SlotVisitor.cpp:
2529         (JSC::validate):
2530         * heap/SlotVisitorInlines.h:
2531         (JSC::SlotVisitor::vm):
2532         (JSC::SlotVisitor::vm const):
2533         * heap/StopIfNecessaryTimer.cpp:
2534         (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer):
2535         * heap/StopIfNecessaryTimer.h:
2536         * heap/Strong.h:
2537         (JSC::Strong::operator=):
2538         * heap/WeakSet.h:
2539         (JSC::WeakSet::WeakSet):
2540         (JSC::WeakSet::vm const):
2541         * inspector/JSInjectedScriptHost.cpp:
2542         (Inspector::JSInjectedScriptHost::savedResultAlias const):
2543         (Inspector::JSInjectedScriptHost::internalConstructorName):
2544         (Inspector::JSInjectedScriptHost::subtype):
2545         (Inspector::JSInjectedScriptHost::functionDetails):
2546         (Inspector::constructInternalProperty):
2547         (Inspector::JSInjectedScriptHost::getInternalProperties):
2548         (Inspector::JSInjectedScriptHost::weakMapEntries):
2549         (Inspector::JSInjectedScriptHost::weakSetEntries):
2550         (Inspector::JSInjectedScriptHost::iteratorEntries):
2551         (Inspector::JSInjectedScriptHost::queryInstances):
2552         (Inspector::JSInjectedScriptHost::queryHolders):
2553         * inspector/JSJavaScriptCallFrame.cpp:
2554         (Inspector::valueForScopeLocation):
2555         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2556         (Inspector::JSJavaScriptCallFrame::functionName const):
2557         (Inspector::JSJavaScriptCallFrame::type const):
2558         * inspector/ScriptCallStackFactory.cpp:
2559         (Inspector::extractSourceInformationFromException):
2560         * inspector/agents/InspectorAuditAgent.cpp:
2561         (Inspector::InspectorAuditAgent::populateAuditObject):
2562         * inspector/agents/InspectorHeapAgent.cpp:
2563         (Inspector::InspectorHeapAgent::gc):
2564         * interpreter/FrameTracers.h:
2565         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2566         * interpreter/Interpreter.cpp:
2567         (JSC::Interpreter::executeProgram):
2568         (JSC::Interpreter::prepareForRepeatCall):
2569         (JSC::Interpreter::execute):
2570         (JSC::Interpreter::executeModuleProgram):
2571         * interpreter/StackVisitor.cpp:
2572         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
2573         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2574         * jit/AssemblyHelpers.cpp:
2575         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2576         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
2577         (JSC::AssemblyHelpers::branchIfValue):
2578         * jit/AssemblyHelpers.h:
2579         (JSC::AssemblyHelpers::vm):
2580         * jit/JIT.cpp:
2581         (JSC::JIT::JIT):
2582         (JSC::JIT::emitEnterOptimizationCheck):
2583         (JSC::JIT::privateCompileMainPass):
2584         (JSC::JIT::privateCompileExceptionHandlers):
2585         * jit/JIT.h:
2586         * jit/JITCall.cpp:
2587         (JSC::JIT::compileCallEvalSlowCase):
2588         * jit/JITCall32_64.cpp:
2589         (JSC::JIT::compileCallEvalSlowCase):
2590         * jit/JITExceptions.cpp:
2591         (JSC::genericUnwind):
2592         * jit/JITExceptions.h:
2593         * jit/JITInlineCacheGenerator.cpp:
2594         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2595         * jit/JITOpcodes.cpp:
2596         (JSC::JIT::emit_op_is_undefined):
2597         (JSC::JIT::emit_op_jfalse):
2598         (JSC::JIT::emit_op_jeq_null):
2599         (JSC::JIT::emit_op_jneq_null):
2600         (JSC::JIT::emit_op_jtrue):
2601         (JSC::JIT::emit_op_throw):
2602         (JSC::JIT::emit_op_catch):
2603         (JSC::JIT::emit_op_eq_null):
2604         (JSC::JIT::emit_op_neq_null):
2605         (JSC::JIT::emitSlow_op_loop_hint):
2606         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2607         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2608         * jit/JITOpcodes32_64.cpp:
2609         (JSC::JIT::emit_op_jfalse):
2610         (JSC::JIT::emit_op_jtrue):
2611         (JSC::JIT::emit_op_throw):
2612         (JSC::JIT::emit_op_catch):
2613         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2614         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2615         * jit/JITOperations.cpp:
2616         (JSC::operationNewFunctionCommon):
2617         (JSC::tryGetByValOptimize):
2618         * jit/JITPropertyAccess.cpp:
2619         (JSC::JIT::emitWriteBarrier):
2620         * jit/JITThunks.cpp:
2621         (JSC::JITThunks::ctiNativeCall):
2622         (JSC::JITThunks::ctiNativeConstruct):
2623         (JSC::JITThunks::ctiNativeTailCall):
2624         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
2625         (JSC::JITThunks::ctiInternalFunctionCall):
2626         (JSC::JITThunks::ctiInternalFunctionConstruct):
2627         (JSC::JITThunks::ctiStub):
2628         (JSC::JITThunks::hostFunctionStub):
2629         * jit/JITThunks.h:
2630         * jit/JITWorklist.cpp:
2631         (JSC::JITWorklist::Plan::vm):
2632         (JSC::JITWorklist::completeAllForVM):
2633         (JSC::JITWorklist::poll):
2634         (JSC::JITWorklist::compileLater):
2635         (JSC::JITWorklist::compileNow):
2636         * jit/Repatch.cpp:
2637         (JSC::readPutICCallTarget):
2638         (JSC::ftlThunkAwareRepatchCall):
2639         (JSC::linkSlowFor):
2640         (JSC::linkFor):
2641         (JSC::linkDirectFor):
2642         (JSC::revertCall):
2643         (JSC::unlinkFor):
2644         (JSC::linkVirtualFor):
2645         (JSC::linkPolymorphicCall):
2646         * jit/SpecializedThunkJIT.h:
2647         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
2648         * jit/ThunkGenerator.h:
2649         * jit/ThunkGenerators.cpp:
2650         (JSC::throwExceptionFromCallSlowPathGenerator):
2651         (JSC::slowPathFor):
2652         (JSC::linkCallThunkGenerator):
2653         (JSC::linkPolymorphicCallThunkGenerator):
2654         (JSC::virtualThunkFor):
2655         (JSC::nativeForGenerator):
2656         (JSC::nativeCallGenerator):
2657         (JSC::nativeTailCallGenerator):
2658         (JSC::nativeTailCallWithoutSavedTagsGenerator):
2659         (JSC::nativeConstructGenerator):
2660         (JSC::internalFunctionCallGenerator):
2661         (JSC::internalFunctionConstructGenerator):
2662         (JSC::arityFixupGenerator):
2663         (JSC::unreachableGenerator):
2664         (JSC::stringGetByValGenerator):
2665         (JSC::charToString):
2666         (JSC::charCodeAtThunkGenerator):
2667         (JSC::charAtThunkGenerator):
2668         (JSC::fromCharCodeThunkGenerator):
2669         (JSC::clz32ThunkGenerator):
2670         (JSC::sqrtThunkGenerator):
2671         (JSC::floorThunkGenerator):
2672         (JSC::ceilThunkGenerator):
2673         (JSC::truncThunkGenerator):
2674         (JSC::roundThunkGenerator):
2675         (JSC::expThunkGenerator):
2676         (JSC::logThunkGenerator):
2677         (JSC::absThunkGenerator):
2678         (JSC::imulThunkGenerator):
2679         (JSC::randomThunkGenerator):
2680         (JSC::boundThisNoArgsFunctionCallGenerator):
2681         * jit/ThunkGenerators.h:
2682         * jsc.cpp:
2683         (GlobalObject::finishCreation):
2684         (GlobalObject::addFunction):
2685         (GlobalObject::moduleLoaderImportModule):
2686         (GlobalObject::moduleLoaderResolve):
2687         (GlobalObject::moduleLoaderCreateImportMetaProperties):
2688         (functionDescribe):
2689         (functionDescribeArray):
2690         (JSCMemoryFootprint::addProperty):
2691         (functionRun):
2692         (functionRunString):
2693         (functionReadFile):
2694         (functionCallerSourceOrigin):
2695         (functionReadline):
2696         (functionDollarCreateRealm):
2697         (functionDollarEvalScript):
2698         (functionDollarAgentGetReport):
2699         (functionWaitForReport):
2700         (functionJSCOptions):
2701         (functionCheckModuleSyntax):
2702         (functionGenerateHeapSnapshotForGCDebugging):
2703         (functionWebAssemblyMemoryMode):
2704         (dumpException):
2705         (checkUncaughtException):
2706         * llint/LLIntSlowPaths.cpp:
2707         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2708         (JSC::LLInt::handleHostCall):
2709         * parser/ASTBuilder.h:
2710         (JSC::ASTBuilder::ASTBuilder):
2711         (JSC::ASTBuilder::createResolve):
2712         (JSC::ASTBuilder::createGetterOrSetterProperty):
2713         (JSC::ASTBuilder::createProperty):
2714         (JSC::ASTBuilder::createFuncDeclStatement):
2715         (JSC::ASTBuilder::makeFunctionCallNode):
2716         * parser/Lexer.cpp:
2717         (JSC::Lexer<T>::Lexer):
2718         (JSC::Lexer<LChar>::parseIdentifier):
2719         (JSC::Lexer<UChar>::parseIdentifier):
2720         * parser/Lexer.h:
2721         (JSC::Lexer<T>::lexExpectIdentifier):
2722         * parser/ModuleAnalyzer.cpp:
2723         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2724         * parser/ModuleAnalyzer.h:
2725         (JSC::ModuleAnalyzer::vm):
2726         * parser/Parser.cpp:
2727         (JSC::Parser<LexerType>::Parser):
2728         (JSC::Parser<LexerType>::parseInner):
2729         (JSC::Parser<LexerType>::isArrowFunctionParameters):
2730         (JSC::Parser<LexerType>::parseSourceElements):
2731         (JSC::Parser<LexerType>::parseModuleSourceElements):
2732         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
2733         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2734         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2735         (JSC::Parser<LexerType>::parseSingleFunction):
2736         (JSC::Parser<LexerType>::parseStatementListItem):
2737         (JSC::Parser<LexerType>::parseObjectRestAssignmentElement):
2738         (JSC::Parser<LexerType>::parseAssignmentElement):
2739         (JSC::Parser<LexerType>::parseDestructuringPattern):
2740         (JSC::Parser<LexerType>::parseForStatement):
2741         (JSC::Parser<LexerType>::parseBreakStatement):
2742         (JSC::Parser<LexerType>::parseContinueStatement):
2743         (JSC::Parser<LexerType>::parseStatement):
2744         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
2745         (JSC::Parser<LexerType>::createGeneratorParameters):
2746         (JSC::Parser<LexerType>::parseFunctionInfo):
2747         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2748         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2749         (JSC::Parser<LexerType>::parseClassDeclaration):
2750         (JSC::Parser<LexerType>::parseClass):
2751         (JSC::Parser<LexerType>::parseImportClauseItem):
2752         (JSC::Parser<LexerType>::parseImportDeclaration):
2753         (JSC::Parser<LexerType>::parseExportSpecifier):
2754         (JSC::Parser<LexerType>::parseExportDeclaration):
2755         (JSC::Parser<LexerType>::parseAssignmentExpression):
2756         (JSC::Parser<LexerType>::parseProperty):
2757         (JSC::Parser<LexerType>::parseGetterSetter):
2758         (JSC::Parser<LexerType>::parseObjectLiteral):
2759         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
2760         (JSC::Parser<LexerType>::parseClassExpression):
2761         (JSC::Parser<LexerType>::parseFunctionExpression):
2762         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2763         (JSC::Parser<LexerType>::parsePrimaryExpression):
2764         (JSC::Parser<LexerType>::parseMemberExpression):
2765         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
2766         (JSC::Parser<LexerType>::parseUnaryExpression):
2767         * parser/Parser.h:
2768         (JSC::isArguments):
2769         (JSC::isEval):
2770         (JSC::isEvalOrArgumentsIdentifier):
2771         (JSC::Scope::Scope):
2772         (JSC::Scope::declareParameter):
2773         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
2774         (JSC::Scope::collectFreeVariables):
2775         (JSC::Parser::canRecurse):
2776         (JSC::parse):
2777         (JSC::parseFunctionForFunctionConstructor):
2778         * parser/ParserArena.h:
2779         (JSC::IdentifierArena::makeIdentifier):
2780         (JSC::IdentifierArena::makeEmptyIdentifier):
2781         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
2782         (JSC::IdentifierArena::makeNumericIdentifier):
2783         * parser/SyntaxChecker.h:
2784         (JSC::SyntaxChecker::SyntaxChecker):
2785         (JSC::SyntaxChecker::createProperty):
2786         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2787         * profiler/ProfilerBytecode.cpp:
2788         (JSC::Profiler::Bytecode::toJS const):
2789         * profiler/ProfilerBytecodeSequence.cpp:
2790         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
2791         * profiler/ProfilerBytecodes.cpp:
2792         (JSC::Profiler::Bytecodes::toJS const):
2793         * profiler/ProfilerCompilation.cpp:
2794         (JSC::Profiler::Compilation::toJS const):
2795         * profiler/ProfilerCompiledBytecode.cpp:
2796         (JSC::Profiler::CompiledBytecode::toJS const):
2797         * profiler/ProfilerEvent.cpp:
2798         (JSC::Profiler::Event::toJS const):
2799         * profiler/ProfilerOSRExit.cpp:
2800         (JSC::Profiler::OSRExit::toJS const):
2801         * profiler/ProfilerOSRExitSite.cpp:
2802         (JSC::Profiler::OSRExitSite::toJS const):
2803         * profiler/ProfilerUID.cpp:
2804         (JSC::Profiler::UID::toJS const):
2805         * runtime/AbstractModuleRecord.cpp:
2806         (JSC::AbstractModuleRecord::finishCreation):
2807         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2808         (JSC::AbstractModuleRecord::resolveExportImpl):
2809         (JSC::getExportedNames):
2810         (JSC::AbstractModuleRecord::getModuleNamespace):
2811         * runtime/ArrayBufferNeuteringWatchpointSet.cpp:
2812         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
2813         * runtime/ArrayIteratorPrototype.cpp:
2814         (JSC::ArrayIteratorPrototype::finishCreation):
2815         * runtime/ArrayPrototype.cpp:
2816         (JSC::fastJoin):
2817         (JSC::arrayProtoFuncToLocaleString):
2818         (JSC::slowJoin):
2819         (JSC::arrayProtoFuncJoin):
2820         (JSC::arrayProtoFuncPush):
2821         * runtime/AsyncFunctionPrototype.cpp:
2822         (JSC::AsyncFunctionPrototype::finishCreation):
2823         * runtime/AsyncGeneratorFunctionPrototype.cpp:
2824         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
2825         * runtime/AsyncGeneratorPrototype.cpp:
2826         (JSC::AsyncGeneratorPrototype::finishCreation):
2827         * runtime/AtomicsObject.cpp:
2828         (JSC::AtomicsObject::finishCreation):
2829         (JSC::atomicsFuncWait):
2830         (JSC::operationAtomicsAdd):
2831         (JSC::operationAtomicsAnd):
2832         (JSC::operationAtomicsCompareExchange):
2833         (JSC::operationAtomicsExchange):
2834         (JSC::operationAtomicsIsLockFree):
2835         (JSC::operationAtomicsLoad):
2836         (JSC::operationAtomicsOr):
2837         (JSC::operationAtomicsStore):
2838         (JSC::operationAtomicsSub):
2839         (JSC::operationAtomicsXor):
2840         * runtime/BigIntPrototype.cpp:
2841         (JSC::BigIntPrototype::finishCreation):
2842         (JSC::bigIntProtoFuncToString):
2843         * runtime/CachedTypes.cpp:
2844         (JSC::CachedUniquedStringImplBase::decode const):
2845         (JSC::CachedIdentifier::decode const):
2846         (JSC::CachedJSValue::decode const):
2847         * runtime/CodeCache.cpp:
2848         (JSC::CodeCacheMap::pruneSlowCase):
2849         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2850         * runtime/CodeCache.h:
2851         (JSC::generateUnlinkedCodeBlockImpl):
2852         * runtime/CommonIdentifiers.cpp:
2853         (JSC::CommonIdentifiers::CommonIdentifiers):
2854         * runtime/CommonIdentifiers.h:
2855         * runtime/CommonSlowPaths.cpp:
2856         (JSC::SLOW_PATH_DECL):
2857         * runtime/Completion.cpp:
2858         (JSC::checkSyntaxInternal):
2859         (JSC::checkModuleSyntax):
2860         (JSC::loadAndEvaluateModule):
2861         (JSC::loadModule):
2862         * runtime/DateConstructor.cpp:
2863         (JSC::callDate):
2864         * runtime/DatePrototype.cpp:
2865         (JSC::formatLocaleDate):
2866         (JSC::formateDateInstance):
2867         (JSC::DatePrototype::finishCreation):
2868         (JSC::dateProtoFuncToISOString):
2869         * runtime/Error.cpp:
2870         (JSC::addErrorInfo):
2871         * runtime/ErrorInstance.cpp:
2872         (JSC::appendSourceToError):
2873         (JSC::ErrorInstance::finishCreation):
2874         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2875         * runtime/ErrorPrototype.cpp:
2876         (JSC::ErrorPrototype::finishCreation):
2877         (JSC::errorProtoFuncToString):
2878         * runtime/ExceptionHelpers.cpp:
2879         (JSC::TerminatedExecutionError::defaultValue):
2880         * runtime/FunctionPrototype.cpp:
2881         (JSC::functionProtoFuncToString):
2882         * runtime/FunctionRareData.cpp:
2883         (JSC::FunctionRareData::clear):
2884         * runtime/GeneratorFunctionPrototype.cpp:
2885         (JSC::GeneratorFunctionPrototype::finishCreation):
2886         * runtime/GeneratorPrototype.cpp:
2887         (JSC::GeneratorPrototype::finishCreation):
2888         * runtime/GenericArgumentsInlines.h:
2889         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2890         * runtime/GetterSetter.h:
2891         * runtime/Identifier.cpp:
2892         (JSC::Identifier::add):
2893         (JSC::Identifier::add8):
2894         (JSC::Identifier::from):
2895         (JSC::Identifier::checkCurrentAtomStringTable):
2896         * runtime/Identifier.h:
2897         (JSC::Identifier::fromString):
2898         (JSC::Identifier::createLCharFromUChar):
2899         (JSC::Identifier::Identifier):
2900         (JSC::Identifier::add):
2901         * runtime/IdentifierInlines.h:
2902         (JSC::Identifier::Identifier):
2903         (JSC::Identifier::add):
2904         (JSC::Identifier::fromUid):
2905         (JSC::Identifier::fromString):
2906         (JSC::identifierToJSValue):
2907         (JSC::identifierToSafePublicJSValue):
2908         * runtime/InternalFunction.cpp:
2909         (JSC::InternalFunction::finishCreation):
2910         * runtime/IntlCollator.cpp:
2911         (JSC::IntlCollator::resolvedOptions):
2912         * runtime/IntlCollatorPrototype.cpp:
2913         (JSC::IntlCollatorPrototype::finishCreation):
2914         * runtime/IntlDateTimeFormat.cpp:
2915         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
2916         (JSC::IntlDateTimeFormat::resolvedOptions):
2917         (JSC::IntlDateTimeFormat::format):
2918         (JSC::IntlDateTimeFormat::formatToParts):
2919         * runtime/IntlDateTimeFormatPrototype.cpp:
2920         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2921         * runtime/IntlNumberFormat.cpp:
2922         (JSC::IntlNumberFormat::initializeNumberFormat):
2923         (JSC::IntlNumberFormat::formatNumber):
2924         (JSC::IntlNumberFormat::resolvedOptions):
2925         (JSC::IntlNumberFormat::formatToParts):
2926         * runtime/IntlNumberFormatPrototype.cpp:
2927         (JSC::IntlNumberFormatPrototype::finishCreation):
2928         * runtime/IntlObject.cpp:
2929         (JSC::lookupSupportedLocales):
2930         (JSC::supportedLocales):
2931         (JSC::intlObjectFuncGetCanonicalLocales):
2932         * runtime/IntlPluralRules.cpp:
2933         (JSC::IntlPluralRules::initializePluralRules):
2934         (JSC::IntlPluralRules::resolvedOptions):
2935         (JSC::IntlPluralRules::select):
2936         * runtime/IntlPluralRulesPrototype.cpp:
2937         (JSC::IntlPluralRulesPrototype::finishCreation):
2938         * runtime/JSArray.h:
2939         (JSC::asArray):
2940         (JSC::isJSArray):
2941         * runtime/JSArrayBufferPrototype.cpp:
2942         (JSC::JSArrayBufferPrototype::finishCreation):
2943         * runtime/JSArrayBufferView.cpp:
2944         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
2945         * runtime/JSCJSValue.cpp:
2946         (JSC::JSValue::putToPrimitiveByIndex):
2947         (JSC::JSValue::dumpForBacktrace const):
2948         (JSC::JSValue::toStringSlowCase const):
2949         * runtime/JSCJSValueInlines.h:
2950         (JSC::JSValue::toPropertyKey const):
2951         (JSC::JSValue::get const):
2952         * runtime/JSCast.h:
2953         (JSC::jsCast):
2954         * runtime/JSCell.cpp:
2955         (JSC::JSCell::dump const):
2956         (JSC::JSCell::dumpToStream):
2957         (JSC::JSCell::putByIndex):
2958         * runtime/JSCellInlines.h:
2959         (JSC::JSCell::structure const):
2960         (JSC::ExecState::vm const):
2961         (JSC::tryAllocateCellHelper):
2962         * runtime/JSDataViewPrototype.cpp:
2963         (JSC::JSDataViewPrototype::finishCreation):
2964         * runtime/JSFixedArray.cpp:
2965         (JSC::JSFixedArray::dumpToStream):
2966         * runtime/JSFunction.cpp:
2967         (JSC::JSFunction::finishCreation):
2968         (JSC::RetrieveCallerFunctionFunctor::operator() const):
2969         (JSC::JSFunction::reifyName):
2970         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2971         (JSC::JSFunction::assertTypeInfoFlagInvariants):
2972         * runtime/JSGenericTypedArrayViewInlines.h:
2973         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
2974         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
2975         * runtime/JSGlobalObject.cpp:
2976         (JSC::JSGlobalObject::init):
2977         (JSC::JSGlobalObject::exposeDollarVM):
2978         * runtime/JSGlobalObjectFunctions.cpp:
2979         (JSC::encode):
2980         (JSC::decode):
2981         (JSC::globalFuncEscape):
2982         (JSC::globalFuncUnescape):
2983         (JSC::globalFuncBuiltinDescribe):
2984         * runtime/JSLexicalEnvironment.cpp:
2985         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2986         * runtime/JSModuleEnvironment.cpp:
2987         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2988         (JSC::JSModuleEnvironment::put):
2989         (JSC::JSModuleEnvironment::deleteProperty):
2990         * runtime/JSModuleLoader.cpp:
2991         (JSC::JSModuleLoader::finishCreation):
2992         (JSC::JSModuleLoader::requestImportModule):
2993         (JSC::moduleLoaderParseModule):
2994         (JSC::moduleLoaderRequestedModules):
2995         * runtime/JSModuleNamespaceObject.cpp:
2996         (JSC::JSModuleNamespaceObject::finishCreation):
2997         (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex):
2998         * runtime/JSModuleRecord.cpp:
2999         (JSC::JSModuleRecord::instantiateDeclarations):
3000         * runtime/JSONObject.cpp:
3001         (JSC::JSONObject::finishCreation):
3002         (JSC::PropertyNameForFunctionCall::value const):
3003         (JSC::Stringifier::Stringifier):
3004         (JSC::Stringifier::stringify):
3005         (JSC::Stringifier::Holder::appendNextProperty):
3006         (JSC::Walker::walk):
3007         * runtime/JSObject.cpp:
3008         (JSC::getClassPropertyNames):
3009         (JSC::JSObject::getOwnPropertySlotByIndex):
3010         (JSC::JSObject::putByIndex):
3011         (JSC::JSObject::deletePropertyByIndex):
3012         (JSC::JSObject::toString const):
3013         (JSC::JSObject::reifyAllStaticProperties):
3014         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3015         * runtime/JSObject.h:
3016         (JSC::JSObject::putByIndexInline):
3017         (JSC::JSObject::butterflyPreCapacity):
3018         (JSC::JSObject::butterflyTotalSize):
3019         (JSC::makeIdentifier):
3020         * runtime/JSPromisePrototype.cpp:
3021         (JSC::JSPromisePrototype::finishCreation):
3022         * runtime/JSPropertyNameEnumerator.cpp:
3023         (JSC::JSPropertyNameEnumerator::finishCreation):
3024         * runtime/JSPropertyNameEnumerator.h:
3025         (JSC::propertyNameEnumerator):
3026         * runtime/JSRunLoopTimer.cpp:
3027         (JSC::JSRunLoopTimer::JSRunLoopTimer):
3028         * runtime/JSRunLoopTimer.h:
3029         * runtime/JSString.cpp:
3030         (JSC::JSString::dumpToStream):
3031         (JSC::JSRopeString::resolveRopeWithFunction const):
3032         (JSC::jsStringWithCacheSlowCase):
3033         * runtime/JSString.h:
3034         (JSC::jsEmptyString):
3035         (JSC::jsSingleCharacterString):
3036         (JSC::jsNontrivialString):
3037         (JSC::JSString::toIdentifier const):
3038         (JSC::JSString::toAtomString const):
3039         (JSC::JSString::toExistingAtomString const):
3040         (JSC::JSString::value const):
3041         (JSC::JSString::tryGetValue const):
3042         (JSC::JSString::getIndex):
3043         (JSC::jsString):
3044         (JSC::jsSubstring):
3045         (JSC::jsOwnedString):
3046         (JSC::jsStringWithCache):
3047         (JSC::JSRopeString::unsafeView const):
3048         (JSC::JSRopeString::viewWithUnderlyingString const):
3049         (JSC::JSString::unsafeView const):
3050         * runtime/JSStringInlines.h:
3051         (JSC::jsMakeNontrivialString):
3052         (JSC::repeatCharacter):
3053         * runtime/JSStringJoiner.cpp:
3054         (JSC::JSStringJoiner::join):
3055         * runtime/JSSymbolTableObject.cpp:
3056         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
3057         * runtime/JSTemplateObjectDescriptor.cpp:
3058         (JSC::JSTemplateObjectDescriptor::createTemplateObject):
3059         * runtime/JSTypedArrayViewPrototype.cpp:
3060         (JSC::typedArrayViewProtoGetterFuncToStringTag):
3061         * runtime/LazyClassStructure.cpp:
3062         (JSC::LazyClassStructure::Initializer::setConstructor):
3063         * runtime/LazyProperty.h:
3064         (JSC::LazyProperty::Initializer::Initializer):
3065         * runtime/LiteralParser.cpp:
3066         (JSC::LiteralParser<CharType>::tryJSONPParse):
3067         (JSC::LiteralParser<CharType>::makeIdentifier):
3068         (JSC::LiteralParser<CharType>::parse):
3069         * runtime/Lookup.h:
3070         (JSC::reifyStaticProperties):
3071         * runtime/MapIteratorPrototype.cpp:
3072         (JSC::MapIteratorPrototype::finishCreation):
3073         * runtime/MapPrototype.cpp:
3074         (JSC::MapPrototype::finishCreation):
3075         * runtime/MathObject.cpp:
3076         (JSC::MathObject::finishCreation):
3077         * runtime/NumberConstructor.cpp:
3078         (JSC::NumberConstructor::finishCreation):
3079         * runtime/NumberPrototype.cpp:
3080         (JSC::numberProtoFuncToExponential):
3081         (JSC::numberProtoFuncToFixed):
3082         (JSC::numberProtoFuncToPrecision):
3083         (JSC::int32ToStringInternal):
3084         (JSC::numberToStringInternal):
3085         (JSC::int52ToString):
3086         * runtime/ObjectConstructor.cpp:
3087         (JSC::objectConstructorGetOwnPropertyDescriptors):
3088         (JSC::objectConstructorAssign):
3089         (JSC::objectConstructorValues):
3090         (JSC::defineProperties):
3091         (JSC::setIntegrityLevel):
3092         (JSC::testIntegrityLevel):
3093         (JSC::ownPropertyKeys):
3094         * runtime/ObjectPrototype.cpp:
3095         (JSC::objectProtoFuncToString):
3096         * runtime/Operations.h:
3097         (JSC::jsString):
3098         (JSC::jsStringFromRegisterArray):
3099         (JSC::jsStringFromArguments):
3100         * runtime/ProgramExecutable.cpp:
3101         (JSC::ProgramExecutable::initializeGlobalProperties):
3102         * runtime/PromiseDeferredTimer.cpp:
3103         (JSC::PromiseDeferredTimer::PromiseDeferredTimer):
3104         (JSC::PromiseDeferredTimer::hasPendingPromise):
3105         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
3106         (JSC::PromiseDeferredTimer::cancelPendingPromise):
3107         * runtime/PropertyNameArray.h:
3108         (JSC::PropertyNameArray::PropertyNameArray):
3109         (JSC::PropertyNameArray::vm):
3110         * runtime/PropertySlot.h:
3111         (JSC::PropertySlot::getValue const):
3112         * runtime/ProxyObject.cpp:
3113         (JSC::performProxyGet):
3114         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3115         (JSC::ProxyObject::performHasProperty):
3116         (JSC::ProxyObject::getOwnPropertySlotByIndex):
3117         (JSC::ProxyObject::performPut):
3118         (JSC::ProxyObject::putByIndexCommon):
3119         (JSC::ProxyObject::performDelete):
3120         (JSC::ProxyObject::deletePropertyByIndex):
3121         (JSC::ProxyObject::performDefineOwnProperty):
3122         (JSC::ProxyObject::performGetOwnPropertyNames):
3123         * runtime/RegExpGlobalData.cpp:
3124         (JSC::RegExpGlobalData::getBackref):
3125         (JSC::RegExpGlobalData::getLastParen):
3126         * runtime/RegExpMatchesArray.cpp:
3127         (JSC::createEmptyRegExpMatchesArray):
3128         * runtime/RegExpMatchesArray.h:
3129         (JSC::createRegExpMatchesArray):
3130         * runtime/RegExpPrototype.cpp:
3131         (JSC::regExpProtoGetterFlags):
3132         (JSC::regExpProtoGetterSourceInternal):
3133         (JSC::regExpProtoGetterSource):
3134         * runtime/RegExpStringIteratorPrototype.cpp:
3135         (JSC::RegExpStringIteratorPrototype::finishCreation):
3136         * runtime/SamplingProfiler.cpp:
3137         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3138         * runtime/ScriptExecutable.cpp:
3139         (JSC::ScriptExecutable::installCode):
3140         (JSC::ScriptExecutable::newCodeBlockFor):
3141         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
3142         (JSC::setupJIT):
3143         * runtime/SetIteratorPrototype.cpp:
3144         (JSC::SetIteratorPrototype::finishCreation):
3145         * runtime/SetPrototype.cpp:
3146         (JSC::SetPrototype::finishCreation):
3147         * runtime/StackFrame.cpp:
3148         (JSC::StackFrame::computeLineAndColumn const):
3149         * runtime/StringConstructor.cpp:
3150         (JSC::stringFromCharCode):
3151         (JSC::stringFromCodePoint):
3152         (JSC::stringConstructor):
3153         (JSC::callStringConstructor):
3154         * runtime/StringIteratorPrototype.cpp:
3155         (JSC::StringIteratorPrototype::finishCreation):
3156         * runtime/StringObject.cpp:
3157         (JSC::StringObject::getOwnPropertySlotByIndex):
3158         (JSC::StringObject::getOwnPropertyNames):
3159         * runtime/StringObject.h:
3160         (JSC::StringObject::create):
3161         (JSC::jsStringWithReuse):
3162         (JSC::jsSubstring):
3163         * runtime/StringPrototype.cpp:
3164         (JSC::StringPrototype::finishCreation):
3165         (JSC::StringPrototype::create):
3166         (JSC::jsSpliceSubstrings):
3167         (JSC::jsSpliceSubstringsWithSeparators):
3168         (JSC::replaceUsingRegExpSearch):
3169         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
3170         (JSC::operationStringProtoFuncReplaceRegExpString):
3171         (JSC::replaceUsingStringSearch):
3172         (JSC::operationStringProtoFuncReplaceGeneric):
3173         (JSC::stringProtoFuncCharAt):
3174         (JSC::stringProtoFuncSplitFast):
3175         (JSC::stringProtoFuncSubstr):
3176         (JSC::stringProtoFuncToLowerCase):
3177         (JSC::stringProtoFuncToUpperCase):
3178         (JSC::toLocaleCase):
3179         (JSC::trimString):
3180         (JSC::normalize):
3181         * runtime/StringPrototypeInlines.h:
3182         (JSC::stringSlice):
3183         * runtime/StringRecursionChecker.cpp:
3184         (JSC::StringRecursionChecker::emptyString):
3185         * runtime/Structure.cpp:
3186         (JSC::Structure::didTransitionFromThisStructure const):
3187         * runtime/StructureInlines.h:
3188         (JSC::Structure::didReplaceProperty):
3189         (JSC::Structure::shouldConvertToPolyProto):
3190         * runtime/SymbolConstructor.cpp:
3191         (JSC::symbolConstructorKeyFor):
3192         * runtime/SymbolPrototype.cpp:
3193         (JSC::SymbolPrototype::finishCreation):
3194         (JSC::symbolProtoGetterDescription):
3195         (JSC::symbolProtoFuncToString):
3196         * runtime/SymbolTable.cpp:
3197         (JSC::SymbolTable::setRareDataCodeBlock):
3198         * runtime/TestRunnerUtils.cpp:
3199         (JSC::getExecutableForFunction):
3200         * runtime/VM.cpp:
3201         (JSC::VM::VM):
3202         (JSC::VM::getHostFunction):
3203         (JSC::VM::getCTIInternalFunctionTrampolineFor):
3204         (JSC::VM::shrinkFootprintWhenIdle):
3205         (JSC::logSanitizeStack):
3206         (JSC::sanitizeStackForVM):
3207         (JSC::VM::emptyPropertyNameEnumeratorSlow):
3208         * runtime/VM.h:
3209         (JSC::VM::getCTIStub):
3210         (JSC::WeakSet::heap const):
3211         * runtime/VMTraps.cpp:
3212         * runtime/WeakMapPrototype.cpp:
3213         (JSC::WeakMapPrototype::finishCreation):
3214         * runtime/WeakObjectRefPrototype.cpp:
3215         (JSC::WeakObjectRefPrototype::finishCreation):
3216         * runtime/WeakSetPrototype.cpp:
3217         (JSC::WeakSetPrototype::finishCreation):
3218         * tools/HeapVerifier.cpp:
3219         (JSC::HeapVerifier::printVerificationHeader):
3220         (JSC::HeapVerifier::verifyCellList):
3221         (JSC::HeapVerifier::validateJSCell):
3222         (JSC::HeapVerifier::reportCell):
3223         * tools/JSDollarVM.cpp:
3224         (JSC::JSDollarVMCallFrame::finishCreation):
3225         (JSC::JSDollarVMCallFrame::addProperty):
3226         (JSC::CustomGetter::getOwnPropertySlot):
3227         (JSC::CustomGetter::customGetter):
3228         (JSC::CustomGetter::customGetterAcessor):
3229         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
3230         (JSC::DOMJITGetter::finishCreation):
3231         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
3232         (JSC::DOMJITGetterComplex::finishCreation):
3233         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
3234         (JSC::DOMJITFunctionObject::finishCreation):
3235         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
3236         (JSC::DOMJITCheckSubClassObject::finishCreation):
3237         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
3238         (JSC::DOMJITGetterBaseJSObject::finishCreation):
3239         (JSC::customSetAccessor):
3240         (JSC::customSetValue):
3241         (JSC::JSTestCustomGetterSetter::finishCreation):
3242         (JSC::WasmStreamingParser::finishCreation):
3243         (JSC::getExecutableForFunction):
3244         (JSC::functionCodeBlockFor):
3245         (JSC::functionIndexingMode):
3246         (JSC::functionValue):
3247         (JSC::functionCreateBuiltin):
3248         (JSC::functionGetPrivateProperty):
3249         (JSC::JSDollarVM::finishCreation):
3250         (JSC::JSDollarVM::addFunction):
3251         (JSC::JSDollarVM::addConstructibleFunction):
3252         * tools/VMInspector.cpp:
3253         (JSC::VMInspector::dumpRegisters):
3254         (JSC::VMInspector::dumpCellMemoryToStream):
3255         * wasm/WasmInstance.cpp:
3256         (JSC::Wasm::Instance::setGlobal):
3257         (JSC::Wasm::Instance::setFunctionWrapper):
3258         (JSC::Wasm::setWasmTableElement):
3259         (JSC::Wasm::doWasmRefFunc):
3260         * wasm/WasmTable.cpp:
3261         (JSC::Wasm::Table::set):
3262         (JSC::Wasm::FuncRefTable::setFunction):
3263         * wasm/js/JSWebAssembly.cpp:
3264         (JSC::resolve):
3265         * wasm/js/JSWebAssemblyInstance.cpp:
3266         (JSC::JSWebAssemblyInstance::create):
3267         * wasm/js/WasmToJS.cpp:
3268         (JSC::Wasm::handleBadI64Use):
3269         (JSC::Wasm::wasmToJS):
3270         (JSC::Wasm::wasmToJSException):
3271         * wasm/js/WebAssemblyFunction.cpp:
3272         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
3273         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3274         (JSC::constructJSWebAssemblyMemory):
3275         * wasm/js/WebAssemblyModuleConstructor.cpp:
3276         (JSC::webAssemblyModuleImports):
3277         (JSC::webAssemblyModuleExports):
3278         * wasm/js/WebAssemblyModuleRecord.cpp:
3279         (JSC::WebAssemblyModuleRecord::finishCreation):
3280         (JSC::WebAssemblyModuleRecord::link):
3281         * wasm/js/WebAssemblyTableConstructor.cpp:
3282         (JSC::constructJSWebAssemblyTable):
3283
3284 2019-08-27  Devin Rousso  <drousso@apple.com>
3285
3286         Web Inspector: don't attach properties to `injectedScript` for the CommandLineAPI
3287         https://bugs.webkit.org/show_bug.cgi?id=201193
3288
3289         Reviewed by Joseph Pecoraro.
3290
3291         For some reason, adding `injectedScript._inspectObject` inside CommandLineAPIModuleSource.js
3292         causes inspector/debugger/tail-deleted-frames-this-value.html to fail.
3293
3294         We should have a similar approach to adding command line api getters and functions, in that
3295         the CommandLineAPIModuleSource.js calls a function with a callback.