3f993f216f4e8cb7092076de57d4e77000302f54
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-09-13  Mark Lam  <mark.lam@apple.com>
2
3         We should assert $vm is enabled on entry and exit in its functions.
4         https://bugs.webkit.org/show_bug.cgi?id=201762
5         <rdar://problem/55338742>
6
7         Rubber-stamped by Michael Saboff.
8
9         1. Also do the same for FunctionOverrides.
10         2. Added the DollarVMAssertScope and FunctionOverridesAssertScope to achieve this.
11         3. Also added assertions to lambda functions in $vm.
12
13         * tools/FunctionOverrides.cpp:
14         (JSC::FunctionOverridesAssertScope::FunctionOverridesAssertScope):
15         (JSC::FunctionOverridesAssertScope::~FunctionOverridesAssertScope):
16         (JSC::FunctionOverrides::overrides):
17         (JSC::FunctionOverrides::FunctionOverrides):
18         (JSC::FunctionOverrides::reinstallOverrides):
19         (JSC::initializeOverrideInfo):
20         (JSC::FunctionOverrides::initializeOverrideFor):
21         (JSC::parseClause):
22         (JSC::FunctionOverrides::parseOverridesInFile):
23         * tools/JSDollarVM.cpp:
24         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
25         (JSC::JSDollarVMCallFrame::createStructure):
26         (JSC::JSDollarVMCallFrame::create):
27         (JSC::JSDollarVMCallFrame::finishCreation):
28         (JSC::JSDollarVMCallFrame::addProperty):
29         (JSC::Element::Element):
30         (JSC::Element::create):
31         (JSC::Element::visitChildren):
32         (JSC::Element::createStructure):
33         (JSC::Root::Root):
34         (JSC::Root::setElement):
35         (JSC::Root::create):
36         (JSC::Root::createStructure):
37         (JSC::Root::visitChildren):
38         (JSC::SimpleObject::SimpleObject):
39         (JSC::SimpleObject::create):
40         (JSC::SimpleObject::visitChildren):
41         (JSC::SimpleObject::createStructure):
42         (JSC::ImpureGetter::ImpureGetter):
43         (JSC::ImpureGetter::createStructure):
44         (JSC::ImpureGetter::create):
45         (JSC::ImpureGetter::finishCreation):
46         (JSC::ImpureGetter::getOwnPropertySlot):
47         (JSC::ImpureGetter::visitChildren):
48         (JSC::CustomGetter::CustomGetter):
49         (JSC::CustomGetter::createStructure):
50         (JSC::CustomGetter::create):
51         (JSC::CustomGetter::getOwnPropertySlot):
52         (JSC::CustomGetter::customGetter):
53         (JSC::CustomGetter::customGetterAcessor):
54         (JSC::RuntimeArray::create):
55         (JSC::RuntimeArray::destroy):
56         (JSC::RuntimeArray::getOwnPropertySlot):
57         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
58         (JSC::RuntimeArray::createPrototype):
59         (JSC::RuntimeArray::createStructure):
60         (JSC::RuntimeArray::finishCreation):
61         (JSC::RuntimeArray::RuntimeArray):
62         (JSC::RuntimeArray::lengthGetter):
63         (JSC::DOMJITNode::DOMJITNode):
64         (JSC::DOMJITNode::createStructure):
65         (JSC::DOMJITNode::checkSubClassSnippet):
66         (JSC::DOMJITNode::create):
67         (JSC::DOMJITGetter::DOMJITGetter):
68         (JSC::DOMJITGetter::createStructure):
69         (JSC::DOMJITGetter::create):
70         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
71         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
72         (JSC::DOMJITGetter::customGetter):
73         (JSC::DOMJITGetter::finishCreation):
74         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
75         (JSC::DOMJITGetterComplex::createStructure):
76         (JSC::DOMJITGetterComplex::create):
77         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
78         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
79         (JSC::DOMJITGetterComplex::functionEnableException):
80         (JSC::DOMJITGetterComplex::customGetter):
81         (JSC::DOMJITGetterComplex::finishCreation):
82         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
83         (JSC::DOMJITFunctionObject::createStructure):
84         (JSC::DOMJITFunctionObject::create):
85         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
86         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
87         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
88         (JSC::DOMJITFunctionObject::finishCreation):
89         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
90         (JSC::DOMJITCheckSubClassObject::createStructure):
91         (JSC::DOMJITCheckSubClassObject::create):
92         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
93         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
94         (JSC::DOMJITCheckSubClassObject::finishCreation):
95         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
96         (JSC::DOMJITGetterBaseJSObject::createStructure):
97         (JSC::DOMJITGetterBaseJSObject::create):
98         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
99         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
100         (JSC::DOMJITGetterBaseJSObject::customGetter):
101         (JSC::DOMJITGetterBaseJSObject::finishCreation):
102         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
103         (JSC::JSTestCustomGetterSetter::create):
104         (JSC::JSTestCustomGetterSetter::createStructure):
105         (JSC::customSetAccessor):
106         (JSC::customSetValue):
107         (JSC::JSTestCustomGetterSetter::finishCreation):
108         (JSC::Element::handleOwner):
109         (JSC::Element::finishCreation):
110         (JSC::WasmStreamingParser::WasmStreamingParser):
111         (JSC::WasmStreamingParser::create):
112         (JSC::WasmStreamingParser::createStructure):
113         (JSC::WasmStreamingParser::finishCreation):
114         (JSC::functionWasmStreamingParserAddBytes):
115         (JSC::functionWasmStreamingParserFinalize):
116         (JSC::functionCrash):
117         (JSC::functionBreakpoint):
118         (JSC::functionDFGTrue):
119         (JSC::functionFTLTrue):
120         (JSC::functionCpuMfence):
121         (JSC::functionCpuRdtsc):
122         (JSC::functionCpuCpuid):
123         (JSC::functionCpuPause):
124         (JSC::functionCpuClflush):
125         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
126         (JSC::getExecutableForFunction):
127         (JSC::functionLLintTrue):
128         (JSC::functionJITTrue):
129         (JSC::functionNoInline):
130         (JSC::functionGC):
131         (JSC::functionEdenGC):
132         (JSC::functionDumpSubspaceHashes):
133         (JSC::functionCallFrame):
134         (JSC::functionCodeBlockForFrame):
135         (JSC::codeBlockFromArg):
136         (JSC::functionCodeBlockFor):
137         (JSC::functionDumpSourceFor):
138         (JSC::functionDumpBytecodeFor):
139         (JSC::doPrint):
140         (JSC::functionDataLog):
141         (JSC::functionPrint):
142         (JSC::functionDumpCallFrame):
143         (JSC::functionDumpStack):
144         (JSC::functionDumpRegisters):
145         (JSC::functionDumpCell):
146         (JSC::functionIndexingMode):
147         (JSC::functionInlineCapacity):
148         (JSC::functionValue):
149         (JSC::functionGetPID):
150         (JSC::functionHaveABadTime):
151         (JSC::functionIsHavingABadTime):
152         (JSC::functionCreateGlobalObject):
153         (JSC::functionCreateProxy):
154         (JSC::functionCreateRuntimeArray):
155         (JSC::functionCreateNullRopeString):
156         (JSC::functionCreateImpureGetter):
157         (JSC::functionCreateCustomGetterObject):
158         (JSC::functionCreateDOMJITNodeObject):
159         (JSC::functionCreateDOMJITGetterObject):
160         (JSC::functionCreateDOMJITGetterComplexObject):
161         (JSC::functionCreateDOMJITFunctionObject):
162         (JSC::functionCreateDOMJITCheckSubClassObject):
163         (JSC::functionCreateDOMJITGetterBaseJSObject):
164         (JSC::functionCreateWasmStreamingParser):
165         (JSC::functionSetImpureGetterDelegate):
166         (JSC::functionCreateBuiltin):
167         (JSC::functionGetPrivateProperty):
168         (JSC::functionCreateRoot):
169         (JSC::functionCreateElement):
170         (JSC::functionGetElement):
171         (JSC::functionCreateSimpleObject):
172         (JSC::functionGetHiddenValue):
173         (JSC::functionSetHiddenValue):
174         (JSC::functionShadowChickenFunctionsOnStack):
175         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
176         (JSC::functionFindTypeForExpression):
177         (JSC::functionReturnTypeFor):
178         (JSC::functionFlattenDictionaryObject):
179         (JSC::functionDumpBasicBlockExecutionRanges):
180         (JSC::functionHasBasicBlockExecuted):
181         (JSC::functionBasicBlockExecutionCount):
182         (JSC::functionEnableExceptionFuzz):
183         (JSC::changeDebuggerModeWhenIdle):
184         (JSC::functionEnableDebuggerModeWhenIdle):
185         (JSC::functionDisableDebuggerModeWhenIdle):
186         (JSC::functionDeleteAllCodeWhenIdle):
187         (JSC::functionGlobalObjectCount):
188         (JSC::functionGlobalObjectForObject):
189         (JSC::functionGetGetterSetter):
190         (JSC::functionLoadGetterFromGetterSetter):
191         (JSC::functionCreateCustomTestGetterSetter):
192         (JSC::functionDeltaBetweenButterflies):
193         (JSC::functionTotalGCTime):
194         (JSC::functionParseCount):
195         (JSC::functionIsWasmSupported):
196         (JSC::JSDollarVM::finishCreation):
197         (JSC::JSDollarVM::addFunction):
198         (JSC::JSDollarVM::addConstructibleFunction):
199         * tools/JSDollarVM.h:
200         (JSC::DollarVMAssertScope::DollarVMAssertScope):
201         (JSC::DollarVMAssertScope::~DollarVMAssertScope):
202
203 2019-09-13  Joseph Pecoraro  <pecoraro@apple.com>
204
205         Web Inspector: Formatter: Pretty Print HTML resources (including inline <script>/<style>)
206         https://bugs.webkit.org/show_bug.cgi?id=201535
207         <rdar://problem/29119232>
208
209         Reviewed by Devin Rousso.
210
211         * debugger/Debugger.cpp:
212         (JSC::Debugger::resolveBreakpoint):
213         When resolving a breakpoint inside of an inline <script> we need to adjust
214         based on the starting position of the <script> in the HTML resource.
215
216 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
217
218         [JSC] X86Registers.h callee-save register definition is wrong
219         https://bugs.webkit.org/show_bug.cgi?id=201756
220
221         Reviewed by Mark Lam.
222
223         I think nobody is using X86 JIT backend, but it is simply wrong.
224         edi and esi should be callee-save.
225
226         * assembler/X86Registers.h:
227
228 2019-09-12  Mark Lam  <mark.lam@apple.com>
229
230         Harden JSC against the abuse of runtime options.
231         https://bugs.webkit.org/show_bug.cgi?id=201597
232         <rdar://problem/55167068>
233
234         Reviewed by Filip Pizlo.
235
236         Linux parts contributed by Carlos Garcia Campos <cgarcia@igalia.com>.
237
238         1. Introduce a JSC::Config struct that will be protected as ReadOnly once the
239            first VM instance is constructed.  The end of the VM constructor calls
240            Config::permanentlyFreeze() which will make the Config ReadOnly.
241
242            Note: this is currently only supported for OS(DARWIN) and OS(LINUX).
243            OS(WINDOWS) will need to implement some missing pieces before it can enable
244            this hardening (see FIXME in JSCConfig.cpp).
245
246            The hardening strategy here is to put immutable global values into the Config.
247            Any modifications that need to be made to these values must be done before the
248            first VM instance is done instantiating.  This ensures that no script will
249            ever run while the Config is still writable.
250
251            Also, the policy for this hardening is that a process is opted in by default.
252            If there's a valid need to disable this hardening (e.g. for some test
253            environments), the relevant process will need to opt itself out by calling
254            Config::configureForTesting().
255
256            The jsc shell, WK2 UI and WebContent processes are opted in by default.
257            Only test processes may be opt out.
258
259         2. Put all JSC::Options in the Config.  This enforces the invariant that options
260            can only be changed before we instantiate a VM.  Once a VM is instantiated,
261            the options are immutable.
262
263         3. Remove functionForceGCSlowPaths() from the jsc shell.  Setting
264            Options::forceGCSlowPaths this way is no longer allowed.
265
266         4. Re-factored the Options code (Options.h) into:
267            - OptionEntry.h: the data structure that stores the option values.
268            - OptionsList.h: the list of options.
269            - Options.h: the Options singleton object which is the interface for accessing options.
270
271            Renamed the JSC_OPTIONS macro to FOR_EACH_JSC_OPTION, because
272            "FOR_EACH_JSC_OPTION(SET_OPTION_VALUE)" reads a lot better than
273            "JSC_OPTIONS(FOR_EACH_OPTION)".
274
275         5. Change testapi to call Config::configureForTesting().  Parts of testapi makes
276            use of setting options in its tests.  Hence, this hardening is disabled for
277            testapi.
278
279            Note: the jsc shell does enable this hardening.
280
281         6. Put ExecutableAllocator's immutable globals in the Config.
282
283         7. RELEASE_ASSERT that restrictedOptionsEnabled in order to use the
284            FunctionOverrides test utility.
285
286         8. RELEASE_ASSERT that Options::useDollarVM() is enabled in order to use the $vm.
287
288            We must RELEASE_ASSERT(Options::useDollarVM()) in all JSDollarVM functions
289            that are non-trivial at an eye's glance.  This includes (but is not limited to):
290                constructors
291                create() factory
292                createStructure() factory
293                finishCreation()
294                HOST_CALL or operation functions
295                Constructors and methods of utility and test classes
296
297            The only exception are some constexpr constructors used for instantiating
298            globals (since these must have trivial constructors) e.g. DOMJITAttribute.
299            Instead, these constructors should always be ALWAYS_INLINE.
300
301         * API/glib/JSCOptions.cpp:
302         (jscOptionsSetValue):
303         (jscOptionsGetValue):
304         (jsc_options_foreach):
305         (jsc_options_get_option_group):
306         * API/tests/testapi.c:
307         (main):
308         * API/tests/testapi.cpp:
309         (configureJSCForTesting):
310         * CMakeLists.txt:
311         * JavaScriptCore.xcodeproj/project.pbxproj:
312         * Sources.txt:
313         * jit/ExecutableAllocator.cpp:
314         (JSC::isJITEnabled):
315         (JSC::ExecutableAllocator::setJITEnabled):
316         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
317         (JSC::ExecutableAllocator::isValid const):
318         (JSC::ExecutableAllocator::underMemoryPressure):
319         (JSC::ExecutableAllocator::memoryPressureMultiplier):
320         (JSC::ExecutableAllocator::allocate):
321         (JSC::ExecutableAllocator::isValidExecutableMemory):
322         (JSC::ExecutableAllocator::getLock const):
323         (JSC::ExecutableAllocator::committedByteCount):
324         (JSC::ExecutableAllocator::dumpProfile):
325         (JSC::startOfFixedExecutableMemoryPoolImpl):
326         (JSC::endOfFixedExecutableMemoryPoolImpl):
327         (JSC::isJITPC):
328         (JSC::dumpJITMemory):
329         (JSC::ExecutableAllocator::initialize):
330         (JSC::ExecutableAllocator::singleton):
331         * jit/ExecutableAllocator.h:
332         (JSC::performJITMemcpy):
333         * jsc.cpp:
334         (GlobalObject::finishCreation):
335         (functionJSCOptions):
336         (jscmain):
337         (functionForceGCSlowPaths): Deleted.
338         * runtime/ConfigFile.cpp:
339         (JSC::ConfigFile::parse):
340         * runtime/InitializeThreading.cpp:
341         (JSC::initializeThreading):
342         * runtime/JSCConfig.cpp: Added.
343         (JSC::Config::disableFreezingForTesting):
344         (JSC::Config::enableRestrictedOptions):
345         (JSC::Config::permanentlyFreeze):
346         * runtime/JSCConfig.h: Added.
347         (JSC::Config::configureForTesting):
348         * runtime/JSGlobalObject.cpp:
349         (JSC::JSGlobalObject::exposeDollarVM):
350         * runtime/OptionEntry.h: Added.
351         (JSC::OptionRange::operator= ):
352         (JSC::OptionRange::rangeString const):
353         * runtime/Options.cpp:
354         (JSC::Options::isAvailable):
355         (JSC::scaleJITPolicy):
356         (JSC::Options::initialize):
357         (JSC::Options::setOptions):
358         (JSC::Options::setOptionWithoutAlias):
359         (JSC::Options::setAliasedOption):
360         (JSC::Option::dump const):
361         (JSC::Option::operator== const):
362         (): Deleted.
363         (JSC::Options::enableRestrictedOptions): Deleted.
364         * runtime/Options.h:
365         (JSC::Option::Option):
366         (JSC::Option::defaultOption const):
367         (JSC::Option::boolVal):
368         (JSC::Option::unsignedVal):
369         (JSC::Option::doubleVal):
370         (JSC::Option::int32Val):
371         (JSC::Option::optionRangeVal):
372         (JSC::Option::optionStringVal):
373         (JSC::Option::gcLogLevelVal):
374         (JSC::OptionRange::operator= ): Deleted.
375         (JSC::OptionRange::rangeString const): Deleted.
376         * runtime/OptionsList.h: Added.
377         (JSC::countNumberOfJSCOptions):
378         * runtime/VM.cpp:
379         (JSC::VM::VM):
380         * tools/FunctionOverrides.cpp:
381         (JSC::FunctionOverrides::FunctionOverrides):
382         (JSC::FunctionOverrides::reinstallOverrides):
383         (JSC::FunctionOverrides::initializeOverrideFor):
384         (JSC::FunctionOverrides::parseOverridesInFile):
385         * tools/JSDollarVM.cpp:
386         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
387         (JSC::JSDollarVMCallFrame::createStructure):
388         (JSC::JSDollarVMCallFrame::create):
389         (JSC::JSDollarVMCallFrame::finishCreation):
390         (JSC::JSDollarVMCallFrame::addProperty):
391         (JSC::Element::Element):
392         (JSC::Element::create):
393         (JSC::Element::createStructure):
394         (JSC::Root::Root):
395         (JSC::Root::create):
396         (JSC::Root::createStructure):
397         (JSC::SimpleObject::SimpleObject):
398         (JSC::SimpleObject::create):
399         (JSC::SimpleObject::createStructure):
400         (JSC::ImpureGetter::ImpureGetter):
401         (JSC::ImpureGetter::createStructure):
402         (JSC::ImpureGetter::create):
403         (JSC::ImpureGetter::finishCreation):
404         (JSC::ImpureGetter::getOwnPropertySlot):
405         (JSC::CustomGetter::CustomGetter):
406         (JSC::CustomGetter::createStructure):
407         (JSC::CustomGetter::create):
408         (JSC::CustomGetter::getOwnPropertySlot):
409         (JSC::CustomGetter::customGetter):
410         (JSC::CustomGetter::customGetterAcessor):
411         (JSC::RuntimeArray::create):
412         (JSC::RuntimeArray::destroy):
413         (JSC::RuntimeArray::getOwnPropertySlot):
414         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
415         (JSC::RuntimeArray::createPrototype):
416         (JSC::RuntimeArray::createStructure):
417         (JSC::RuntimeArray::finishCreation):
418         (JSC::RuntimeArray::RuntimeArray):
419         (JSC::RuntimeArray::lengthGetter):
420         (JSC::DOMJITNode::DOMJITNode):
421         (JSC::DOMJITNode::createStructure):
422         (JSC::DOMJITNode::checkSubClassSnippet):
423         (JSC::DOMJITNode::create):
424         (JSC::DOMJITGetter::DOMJITGetter):
425         (JSC::DOMJITGetter::createStructure):
426         (JSC::DOMJITGetter::create):
427         (JSC::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
428         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
429         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
430         (JSC::DOMJITGetter::customGetter):
431         (JSC::DOMJITGetter::finishCreation):
432         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
433         (JSC::DOMJITGetterComplex::createStructure):
434         (JSC::DOMJITGetterComplex::create):
435         (JSC::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
436         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
437         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
438         (JSC::DOMJITGetterComplex::functionEnableException):
439         (JSC::DOMJITGetterComplex::customGetter):
440         (JSC::DOMJITGetterComplex::finishCreation):
441         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
442         (JSC::DOMJITFunctionObject::createStructure):
443         (JSC::DOMJITFunctionObject::create):
444         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
445         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
446         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
447         (JSC::DOMJITFunctionObject::finishCreation):
448         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
449         (JSC::DOMJITCheckSubClassObject::createStructure):
450         (JSC::DOMJITCheckSubClassObject::create):
451         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
452         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
453         (JSC::DOMJITCheckSubClassObject::finishCreation):
454         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
455         (JSC::DOMJITGetterBaseJSObject::createStructure):
456         (JSC::DOMJITGetterBaseJSObject::create):
457         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
458         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
459         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
460         (JSC::DOMJITGetterBaseJSObject::customGetter):
461         (JSC::DOMJITGetterBaseJSObject::finishCreation):
462         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
463         (JSC::JSTestCustomGetterSetter::create):
464         (JSC::JSTestCustomGetterSetter::createStructure):
465         (JSC::customSetAccessor):
466         (JSC::customSetValue):
467         (JSC::JSTestCustomGetterSetter::finishCreation):
468         (JSC::Element::handleOwner):
469         (JSC::Element::finishCreation):
470         (JSC::WasmStreamingParser::WasmStreamingParser):
471         (JSC::WasmStreamingParser::create):
472         (JSC::WasmStreamingParser::createStructure):
473         (JSC::WasmStreamingParser::finishCreation):
474         (JSC::functionWasmStreamingParserAddBytes):
475         (JSC::functionWasmStreamingParserFinalize):
476         (JSC::functionCrash):
477         (JSC::functionBreakpoint):
478         (JSC::functionDFGTrue):
479         (JSC::functionFTLTrue):
480         (JSC::functionCpuMfence):
481         (JSC::functionCpuRdtsc):
482         (JSC::functionCpuCpuid):
483         (JSC::functionCpuPause):
484         (JSC::functionCpuClflush):
485         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
486         (JSC::getExecutableForFunction):
487         (JSC::functionLLintTrue):
488         (JSC::functionJITTrue):
489         (JSC::functionNoInline):
490         (JSC::functionGC):
491         (JSC::functionEdenGC):
492         (JSC::functionDumpSubspaceHashes):
493         (JSC::functionCallFrame):
494         (JSC::functionCodeBlockForFrame):
495         (JSC::codeBlockFromArg):
496         (JSC::functionCodeBlockFor):
497         (JSC::functionDumpSourceFor):
498         (JSC::functionDumpBytecodeFor):
499         (JSC::doPrint):
500         (JSC::functionDataLog):
501         (JSC::functionPrint):
502         (JSC::functionDumpCallFrame):
503         (JSC::functionDumpStack):
504         (JSC::functionDumpRegisters):
505         (JSC::functionDumpCell):
506         (JSC::functionIndexingMode):
507         (JSC::functionInlineCapacity):
508         (JSC::functionValue):
509         (JSC::functionGetPID):
510         (JSC::functionHaveABadTime):
511         (JSC::functionIsHavingABadTime):
512         (JSC::functionCreateGlobalObject):
513         (JSC::functionCreateProxy):
514         (JSC::functionCreateRuntimeArray):
515         (JSC::functionCreateNullRopeString):
516         (JSC::functionCreateImpureGetter):
517         (JSC::functionCreateCustomGetterObject):
518         (JSC::functionCreateDOMJITNodeObject):
519         (JSC::functionCreateDOMJITGetterObject):
520         (JSC::functionCreateDOMJITGetterComplexObject):
521         (JSC::functionCreateDOMJITFunctionObject):
522         (JSC::functionCreateDOMJITCheckSubClassObject):
523         (JSC::functionCreateDOMJITGetterBaseJSObject):
524         (JSC::functionCreateWasmStreamingParser):
525         (JSC::functionSetImpureGetterDelegate):
526         (JSC::functionCreateBuiltin):
527         (JSC::functionGetPrivateProperty):
528         (JSC::functionCreateRoot):
529         (JSC::functionCreateElement):
530         (JSC::functionGetElement):
531         (JSC::functionCreateSimpleObject):
532         (JSC::functionGetHiddenValue):
533         (JSC::functionSetHiddenValue):
534         (JSC::functionShadowChickenFunctionsOnStack):
535         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
536         (JSC::functionFindTypeForExpression):
537         (JSC::functionReturnTypeFor):
538         (JSC::functionFlattenDictionaryObject):
539         (JSC::functionDumpBasicBlockExecutionRanges):
540         (JSC::functionHasBasicBlockExecuted):
541         (JSC::functionBasicBlockExecutionCount):
542         (JSC::functionEnableExceptionFuzz):
543         (JSC::changeDebuggerModeWhenIdle):
544         (JSC::functionEnableDebuggerModeWhenIdle):
545         (JSC::functionDisableDebuggerModeWhenIdle):
546         (JSC::functionDeleteAllCodeWhenIdle):
547         (JSC::functionGlobalObjectCount):
548         (JSC::functionGlobalObjectForObject):
549         (JSC::functionGetGetterSetter):
550         (JSC::functionLoadGetterFromGetterSetter):
551         (JSC::functionCreateCustomTestGetterSetter):
552         (JSC::functionDeltaBetweenButterflies):
553         (JSC::functionTotalGCTime):
554         (JSC::functionParseCount):
555         (JSC::functionIsWasmSupported):
556         (JSC::JSDollarVM::finishCreation):
557         (JSC::JSDollarVM::addFunction):
558         (JSC::JSDollarVM::addConstructibleFunction):
559         * tools/JSDollarVM.h:
560
561 2019-09-11  Devin Rousso  <drousso@apple.com>
562
563         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
564         https://bugs.webkit.org/show_bug.cgi?id=201650
565
566         Reviewed by Joseph Pecoraro.
567
568         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
569
570         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
571         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
572         `-webkit-canvas` client of a `WebGPUDevice`.
573
574         * inspector/protocol/Canvas.json:
575          - Add `powerPreference` key to `ContextAttributes` type.
576          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
577          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
578          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
579            really a "canvas".
580
581 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
582
583         [JSC] Add StringCodePointAt intrinsic
584         https://bugs.webkit.org/show_bug.cgi?id=201673
585
586         Reviewed by Michael Saboff.
587
588         JetStream2/UniPoker executes String#codePointAt frequently. We should handle it in ThunkGenerator, DFG, and FTL like we are doing so for String#charCodeAt.
589         This patch adds these supports for String#codePointAt to get ~10% score improvement in JetStream2/UniPoker.
590
591         In ThunkGenerator, we add a thunk for String#codePointAt, which accelerates LLInt and Baseline. In DFG, we handle this as StringCodePointAt node, and emit
592         inlined code in DFG and FTL. The characteristics of StringCodePointAt node is basically the same to StringCharAt. It has String array-mode, so it emits
593         preceding CheckArray. This ensures that (1) StringCodePointAt node itself does not do GC since the string is always resolved, and (2) we can skip the rope
594         check. This thing is just the same to the existing StringCharCodeAt mechanism.
595
596         * dfg/DFGAbstractInterpreterInlines.h:
597         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
598         * dfg/DFGBackwardsPropagationPhase.cpp:
599         (JSC::DFG::BackwardsPropagationPhase::propagate):
600         * dfg/DFGByteCodeParser.cpp:
601         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
602         * dfg/DFGClobberize.h:
603         (JSC::DFG::clobberize):
604         * dfg/DFGDoesGC.cpp:
605         (JSC::DFG::doesGC):
606         * dfg/DFGFixupPhase.cpp:
607         (JSC::DFG::FixupPhase::fixupNode):
608         * dfg/DFGNode.h:
609         (JSC::DFG::Node::hasArrayMode):
610         * dfg/DFGNodeType.h:
611         * dfg/DFGPredictionPropagationPhase.cpp:
612         * dfg/DFGSafeToExecute.h:
613         (JSC::DFG::safeToExecute):
614         * dfg/DFGSpeculativeJIT.h:
615         * dfg/DFGSpeculativeJIT32_64.cpp:
616         (JSC::DFG::SpeculativeJIT::compile):
617         * dfg/DFGSpeculativeJIT64.cpp:
618         (JSC::DFG::SpeculativeJIT::compile):
619         (JSC::DFG::SpeculativeJIT::compileStringCodePointAt):
620         * ftl/FTLCapabilities.cpp:
621         (JSC::FTL::canCompile):
622         * ftl/FTLLowerDFGToB3.cpp:
623         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
624         (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt):
625         * jit/JITInlines.h:
626         (JSC::JIT::emitLoadCharacterString):
627         * jit/ThunkGenerators.cpp:
628         (JSC::stringGetByValGenerator):
629         (JSC::stringCharLoad):
630         (JSC::stringPrototypeCodePointAtThunkGenerator):
631         * jit/ThunkGenerators.h:
632         * runtime/Intrinsic.cpp:
633         (JSC::intrinsicName):
634         * runtime/Intrinsic.h:
635         * runtime/StringPrototype.cpp:
636         (JSC::StringPrototype::finishCreation):
637         * runtime/VM.cpp:
638         (JSC::thunkGeneratorForIntrinsic):
639
640 2019-09-11  Michael Saboff  <msaboff@apple.com>
641
642         JSC crashes due to stack overflow while building RegExp
643         https://bugs.webkit.org/show_bug.cgi?id=201649
644
645         Reviewed by Yusuke Suzuki.
646
647         Check for running out of stack when we are optimizing RegExp containing BOL terms or
648         other deep copying of disjunctions.
649
650         * yarr/YarrPattern.cpp:
651         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
652         (JSC::Yarr::YarrPatternConstructor::copyTerm):
653         (JSC::Yarr::YarrPatternConstructor::error):
654         (JSC::Yarr::YarrPattern::compile):
655
656 2019-09-11  Truitt Savell  <tsavell@apple.com>
657
658         Unreviewed, rolling out r249753.
659
660         caused inspector/canvas/shaderProgram-add-remove-webgl.html to
661         crash on all Mac platforms.
662
663         Reverted changeset:
664
665         "Web Inspector: Canvas: instrument WebGPUDevice instead of
666         GPUCanvasContext"
667         https://bugs.webkit.org/show_bug.cgi?id=201650
668         https://trac.webkit.org/changeset/249753
669
670 2019-09-10  Devin Rousso  <drousso@apple.com>
671
672         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
673         https://bugs.webkit.org/show_bug.cgi?id=201650
674
675         Reviewed by Joseph Pecoraro.
676
677         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
678
679         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
680         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
681         `-webkit-canvas` client of a `WebGPUDevice`.
682
683         * inspector/protocol/Canvas.json:
684          - Add `powerPreference` key to `ContextAttributes` type.
685          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
686          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
687          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
688            really a "canvas".
689
690 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
691
692         [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
693         https://bugs.webkit.org/show_bug.cgi?id=201634
694
695         Reviewed by Mark Lam and Robin Morisset.
696
697         This patch includes two things. One is fixing 32bit bitwise operation with allOne constants. Another is fixing the existing bug in BitAnd strength reduction.
698
699         1. 32bit bitwise operation with allOne constants
700
701             Accidentally, the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
702             For example, in BitAnd strength reduction,
703
704                 1034             // Turn this: BitAnd(value, all-ones)
705                 1035             // Into this: value.
706                 1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
707                 1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
708                 1038                 replaceWithIdentity(m_value->child(0));
709                 1039                 break;
710                 1040             }
711
712             We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
713
714                 262 inline bool Value::isInt(int64_t value) const
715                 263 {
716                 264     return hasInt() && asInt() == value;
717                 265 }
718
719             So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX can be representable in int64_t. And Value::asInt implementation is,
720
721                 257 inline int64_t Value::asInt() const
722                 258 {
723                 259     return hasInt32() ? asInt32() : asInt64();
724                 260 }
725
726             So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
727             We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).
728
729         2. BitAnd and BitOr strength reduction bug
730
731             We also fix the following optimization.
732
733                 // Turn this: BitAnd(Op(value, constant1), constant2)
734                 //     where !(constant1 & constant2)
735                 //       and Op is BitOr or BitXor
736                 // into this: BitAnd(value, constant2)
737
738             Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
739
740                 // Turn this: BitAnd(BitXor(x, allOnes), c)
741                 // Into this: BitXor(BitOr(x, ~c), allOnes)
742
743             And we also found that this not-used optimization has a bug not inserting a newly produced constant B3::Value. This patch also fixes it.
744
745         For both, this patch adds tests. And (2) fix can be ensured that the testb3 does not crash with validate-graph option.
746
747         * b3/B3LowerToAir.cpp:
748         * b3/B3ReduceStrength.cpp:
749         * b3/testb3.h:
750         * b3/testb3_2.cpp:
751         (testBitAndNotNot32):
752         (testBitAndNotImm):
753         (testBitAndNotImm32):
754         (testBitOrAndAndArgs32):
755         (testBitOrAndSameArgs32):
756         (testBitOrNotNot32):
757         (testBitOrNotImm32):
758         (addBitTests):
759         * b3/testb3_3.cpp:
760         (testBitXorAndAndArgs32):
761         (testBitXorAndSameArgs32):
762
763 2019-09-10  Commit Queue  <commit-queue@webkit.org>
764
765         Unreviewed, rolling out r249721.
766         https://bugs.webkit.org/show_bug.cgi?id=201667
767
768         Discovering existing bug (Requested by yusukesuzuki on
769         #webkit).
770
771         Reverted changeset:
772
773         "[JSC] 32bit bitwide operation with all-one (-1) is wrong in
774         B3"
775         https://bugs.webkit.org/show_bug.cgi?id=201634
776         https://trac.webkit.org/changeset/249721
777
778 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
779
780         [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
781         https://bugs.webkit.org/show_bug.cgi?id=201664
782         <rdar://problem/52126927>
783
784         Reviewed by Tadeu Zagallo.
785
786         We are hitting the crash accessing invalid-pointer as CodeBlock::calleeSaveRegisters result.
787         This is because concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters.
788         Since m_jitData can be initialized in the main thread while calling CodeBlock::calleeSaveRegisters from concurrent Baseline JIT compiler thread,
789         we can see half-baked JITData structure which holds garbage pointers.
790
791         But we do not want to make CodeBlock::calleeSaveRegisters() call with CodeBlock::m_lock due to several reasons.
792
793         1. This function is very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are
794            called while taking this exact same lock, so dead-lock can happen.
795         2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlock. And DFG and FTL code accesses these field after initializing properly. For Baseline JIT
796            compiler case, only thing we should do is that JITData should say m_calleeSaveRegisters is nullptr and it won't be filled for this CodeBlock.
797
798         Instead of guarding CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts WTF::storeStoreFence when filling m_jitData. This ensures that
799         JITData::m_calleeSaveRegisters is initialized with nullptr when this JITData pointer is exposed to concurrent Baseline JIT compiler thread.
800
801         * bytecode/CodeBlock.cpp:
802         (JSC::CodeBlock::ensureJITDataSlow):
803
804 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
805
806         [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
807         https://bugs.webkit.org/show_bug.cgi?id=198253
808
809         Reviewed by Mark Lam.
810
811         ResultType of bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like a int32.
812         When it is specified, TypeMaybeNumber must exist too. This issue compiles op_div in JetStream2/async-fs slow-path. And eventually DFG first mis-compiles
813         it with Int32 ArithDiv while that div always produces double. And unnecessary OSR exit happens.
814
815         In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.
816
817         * parser/ResultType.h:
818         (JSC::ResultType::bigIntOrInt32Type):
819
820 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
821
822         [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
823         https://bugs.webkit.org/show_bug.cgi?id=201634
824
825         Reviewed by Mark Lam.
826
827         Accidentally, the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
828         For example, in BitAnd strength reduction,
829
830             1034             // Turn this: BitAnd(value, all-ones)
831             1035             // Into this: value.
832             1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
833             1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
834             1038                 replaceWithIdentity(m_value->child(0));
835             1039                 break;
836             1040             }
837
838         We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
839
840             262 inline bool Value::isInt(int64_t value) const
841             263 {
842             264     return hasInt() && asInt() == value;
843             265 }
844
845         So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX can be representable in int64_t. And Value::asInt implementation is,
846
847             257 inline int64_t Value::asInt() const
848             258 {
849             259     return hasInt32() ? asInt32() : asInt64();
850             260 }
851
852         So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
853         We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).
854
855         We also fix the following optimization.
856
857             // Turn this: BitAnd(Op(value, constant1), constant2)
858             //     where !(constant1 & constant2)
859             //       and Op is BitOr or BitXor
860             // into this: BitAnd(value, constant2)
861
862         Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
863
864             // Turn this: BitAnd(BitXor(x, allOnes), c)
865             // Into this: BitXor(BitOr(x, ~c), allOnes)
866
867         We add 32bit version of B3 tests for these optimizations.
868
869         * b3/B3LowerToAir.cpp:
870         * b3/B3ReduceStrength.cpp:
871         * b3/testb3.h:
872         * b3/testb3_2.cpp:
873         (testBitAndNotNot32):
874         (testBitAndNotImm):
875         (testBitAndNotImm32):
876         (testBitOrAndAndArgs32):
877         (testBitOrAndSameArgs32):
878         (testBitOrNotNot32):
879         (testBitOrNotImm32):
880         (addBitTests):
881         * b3/testb3_3.cpp:
882         (testBitXorAndAndArgs32):
883         (testBitXorAndSameArgs32):
884
885 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
886
887         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
888         https://bugs.webkit.org/show_bug.cgi?id=189043
889
890         Reviewed by Keith Miller.
891
892         This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan.
893         And remove Wasm::ModuleParser. This patch paves the way to implementing Wasm streaming features by
894         using Wasm::StreamingParser.
895
896         Currently, we are not using streaming feature of StreamingParser. In a subsequent patch, we will
897         create a mechanism to pipe a chunk of data to streaming parser to enable WebAssembly.compileStreaming
898         and instantiateStreaming.
899
900         * JavaScriptCore.xcodeproj/project.pbxproj:
901         * Sources.txt:
902         * tools/JSDollarVM.cpp:
903         (JSC::WasmStreamingParser::WasmStreamingParser):
904         * wasm/WasmAirIRGenerator.cpp:
905         (JSC::Wasm::parseAndCompileAir):
906         * wasm/WasmAirIRGenerator.h:
907         * wasm/WasmB3IRGenerator.cpp:
908         (JSC::Wasm::parseAndCompile): Use FunctionData, it is good since it is more strongly typed.
909         * wasm/WasmB3IRGenerator.h:
910         * wasm/WasmBBQPlan.cpp:
911         (JSC::Wasm::BBQPlan::BBQPlan):
912         (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation.
913         (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser.
914         (JSC::Wasm::BBQPlan::compileFunctions):
915         (JSC::Wasm::BBQPlan::complete):
916         * wasm/WasmBBQPlan.h:
917         * wasm/WasmModuleParser.cpp: Removed.
918         * wasm/WasmModuleParser.h: Removed.
919         * wasm/WasmOMGForOSREntryPlan.cpp:
920         (JSC::Wasm::OMGForOSREntryPlan::work):
921         * wasm/WasmOMGPlan.cpp:
922         (JSC::Wasm::OMGPlan::work):
923         * wasm/WasmPlan.cpp:
924         (JSC::Wasm::Plan::fail): Make fail function callable multiple times. The first error will be used.
925         * wasm/WasmSectionParser.cpp:
926         (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used.
927         * wasm/WasmStreamingParser.cpp:
928         (JSC::Wasm::StreamingParser::StreamingParser):
929         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
930         (JSC::Wasm::StreamingParser::parseFunctionPayload):
931         (JSC::Wasm::StreamingParser::parseSectionPayload):
932         (JSC::Wasm::StreamingParser::finalize): Call client's callbacks at appropriate timings.
933         * wasm/WasmStreamingParser.h:
934         (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
935         (JSC::Wasm::StreamingParserClient::didReceiveFunctionData):
936         (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient,
937         which has 3 callbacks right now. StreamingParser gets this client and call these callbacks
938         at appropriate timings.
939         * wasm/WasmValidate.cpp:
940         (JSC::Wasm::validateFunction):
941         * wasm/WasmValidate.h: Use FunctionData, it is good since it is more strongly typed.
942
943 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
944
945         [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory
946         https://bugs.webkit.org/show_bug.cgi?id=201622
947
948         Reviewed by Mark Lam.
949
950         CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, some of the places reallocate
951         this Vector without taking a lock. If a Vector memory is reallocated while iterating it in concurrent collector,
952         the concurrent collector can see a garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock.
953
954         * bytecode/CodeBlock.cpp:
955         (JSC::CodeBlock::finishCreation):
956         (JSC::CodeBlock::setConstantRegisters):
957         * bytecode/CodeBlock.h:
958         (JSC::CodeBlock::addConstant):
959         (JSC::CodeBlock::addConstantLazily):
960         * dfg/DFGDesiredWatchpoints.cpp:
961         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
962         (JSC::DFG::SymbolTableAdaptor::add):
963         (JSC::DFG::FunctionExecutableAdaptor::add):
964         * dfg/DFGGraph.cpp:
965         (JSC::DFG::Graph::registerFrozenValues):
966         * dfg/DFGJITFinalizer.cpp:
967         (JSC::DFG::JITFinalizer::finalizeCommon):
968         * dfg/DFGLazyJSValue.cpp:
969         (JSC::DFG::LazyJSValue::emit const):
970
971 2019-09-09  Robin Morisset  <rmorisset@apple.com>
972
973         [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array
974         https://bugs.webkit.org/show_bug.cgi?id=197305
975
976         Reviewed by Keith Miller.
977
978         Currently it is a HashSet, but it only ever holds at most registerCount() items. And linear search tends to be faster on such a small collection than hashing + searching in a HashSet.
979         Further benefits include avoiding the allocation of the HashSet, not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists).
980
981         This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly.
982         Apart from that, the patch got some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (that for example was only logging the number of iterations for FP registers, and not the more interesting number for GP registers).
983
984         The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms.
985         So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall.
986
987         No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2.
988
989         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
990
991 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
992
993         [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector
994         https://bugs.webkit.org/show_bug.cgi?id=201613
995
996         Reviewed by Mark Lam.
997
998         We do not need to maintain propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode
999         since we have MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the
1000         issue that `op_create_promise` missed propertyAccessInstructions registration (a name "propertyAccessInstructions" is
1001         misleading, it is like "instructions-requires-llint-finalize").
1002
1003         * bytecode/CodeBlock.cpp:
1004         (JSC::CodeBlock::propagateTransitions):
1005         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1006         * bytecode/UnlinkedCodeBlock.cpp:
1007         (JSC::UnlinkedCodeBlock::applyModification):
1008         (JSC::UnlinkedCodeBlock::shrinkToFit):
1009         * bytecode/UnlinkedCodeBlock.h:
1010         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
1011         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted.
1012         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted.
1013         * bytecompiler/BytecodeGenerator.cpp:
1014         (JSC::BytecodeGenerator::emitResolveScope):
1015         (JSC::BytecodeGenerator::emitGetFromScope):
1016         (JSC::BytecodeGenerator::emitPutToScope):
1017         (JSC::BytecodeGenerator::emitGetById):
1018         (JSC::BytecodeGenerator::emitDirectGetById):
1019         (JSC::BytecodeGenerator::emitPutById):
1020         (JSC::BytecodeGenerator::emitDirectPutById):
1021         (JSC::BytecodeGenerator::emitCreateThis):
1022         (JSC::BytecodeGenerator::emitToThis):
1023         * runtime/CachedTypes.cpp:
1024         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1025         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1026
1027 2019-09-07  Keith Miller  <keith_miller@apple.com>
1028
1029         OSR entry into wasm misses some contexts
1030         https://bugs.webkit.org/show_bug.cgi?id=201569
1031
1032         Reviewed by Yusuke Suzuki.
1033
1034         This patch fixes an issue where we could fail to capture some of
1035         our contexts when OSR entering into wasm code. Before we would
1036         only capture the state of the block immediately surrounding the
1037         entrance loop block header. We actually need to capture all
1038         enclosed stacks.
1039
1040         Additionally, we don't need to use variables for all the captured
1041         values. We can use a Phi and insert an upsilon just below the
1042         captured value.
1043
1044         * interpreter/CallFrame.h:
1045         * jsc.cpp:
1046         (GlobalObject::finishCreation):
1047         (functionCallerIsOMGCompiled):
1048         * wasm/WasmAirIRGenerator.cpp:
1049         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
1050         (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
1051         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
1052         (JSC::Wasm::AirIRGenerator::addLoop):
1053         * wasm/WasmB3IRGenerator.cpp:
1054         (JSC::Wasm::B3IRGenerator::createStack):
1055         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1056         (JSC::Wasm::B3IRGenerator::addConstant):
1057         (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
1058         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
1059         (JSC::Wasm::B3IRGenerator::addLoop):
1060         (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
1061         (JSC::Wasm::dumpExpressionStack):
1062         (JSC::Wasm::B3IRGenerator::dump):
1063         (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
1064         (JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
1065         (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
1066         (JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
1067         (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
1068         (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
1069         (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
1070         (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
1071         (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
1072         (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
1073         (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
1074         (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.
1075         * wasm/WasmFunctionParser.h:
1076         (JSC::Wasm::FunctionParser::controlStack):
1077
1078 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
1079
1080         [JSC] Promise resolve/reject functions should be created more efficiently
1081         https://bugs.webkit.org/show_bug.cgi?id=201488
1082
1083         Reviewed by Mark Lam.
1084
1085         While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it enforces FunctionRareData allocations.
1086         Unfortunately, anonymous-builtin-function function can be created frequently since this type of function is used
1087         for `resolve` and `reject` arguments of Promise's executor (e.g. `new Promise((resolve, reject) => ...)`'s resolve and reject).
1088         Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower.
1089
1090         In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information
1091         to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes
1092         anonymous-builtin-function creation faster.
1093
1094         We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test.
1095         The simple microbenchmark shows 1.7x improvement.
1096
1097                                               ToT                     Patched
1098
1099             promise-creation-many       45.6701+-0.1488     ^     26.8663+-1.8336        ^ definitely 1.6999x faster
1100
1101         * dfg/DFGSpeculativeJIT.cpp:
1102         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1103         * ftl/FTLLowerDFGToB3.cpp:
1104         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1105         * runtime/FunctionRareData.cpp:
1106         (JSC::FunctionRareData::create):
1107         (JSC::FunctionRareData::FunctionRareData):
1108         * runtime/FunctionRareData.h:
1109         * runtime/JSFunction.cpp:
1110         (JSC::JSFunction::finishCreation):
1111         (JSC::JSFunction::allocateRareData):
1112         (JSC::JSFunction::allocateAndInitializeRareData):
1113         * runtime/JSFunctionInlines.h:
1114         (JSC::JSFunction::hasReifiedName const):
1115
1116 2019-09-07  Mark Lam  <mark.lam@apple.com>
1117
1118         performJITMemcpy() source buffer should not be in the Gigacage.
1119         https://bugs.webkit.org/show_bug.cgi?id=201577
1120         <rdar://problem/55142606>
1121
1122         Reviewed by Michael Saboff.
1123
1124         Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
1125         buffer is not in the Gigacage.
1126
1127         * jit/ExecutableAllocator.h:
1128         (JSC::performJITMemcpy):
1129
1130 2019-09-07  Mark Lam  <mark.lam@apple.com>
1131
1132         The jsc shell should allow disabling of the Gigacage for testing purposes.
1133         https://bugs.webkit.org/show_bug.cgi?id=201579
1134
1135         Reviewed by Michael Saboff.
1136
1137         Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code.  If
1138         this env var is present and it has a falsy value, then do not
1139         forbidDisablingPrimitiveGigacage() in the jsc shell.
1140
1141         * jsc.cpp:
1142         (jscmain):
1143
1144 2019-09-06  Mark Lam  <mark.lam@apple.com>
1145
1146         Harden protection of the Gigacage Config parameters.
1147         https://bugs.webkit.org/show_bug.cgi?id=201570
1148         <rdar://problem/55134229>
1149
1150         Reviewed by Saam Barati.
1151
1152         Just renaming some function names here.
1153
1154         * assembler/testmasm.cpp:
1155         (JSC::testCagePreservesPACFailureBit):
1156         * jit/AssemblyHelpers.h:
1157         (JSC::AssemblyHelpers::cageConditionally):
1158         * jsc.cpp:
1159         (jscmain):
1160
1161 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
1162
1163         Math.round() produces wrong result for value prior to 0.5
1164         https://bugs.webkit.org/show_bug.cgi?id=185115
1165
1166         Reviewed by Saam Barati.
1167
1168         Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994.
1169         This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite.
1170
1171         Specifically:
1172           - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5),
1173             so taking the difference between ceil(value)` and `value` is problematic.
1174           - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones
1175             (by falling back to jsRound). This patch gives baseline a legitimate implementation too.
1176
1177         * dfg/DFGSpeculativeJIT.cpp:
1178         (JSC::DFG::SpeculativeJIT::compileArithRounding):
1179         * ftl/FTLLowerDFGToB3.cpp:
1180         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
1181         * jit/ThunkGenerators.cpp:
1182         (JSC::roundThunkGenerator):
1183         * runtime/MathCommon.cpp:
1184
1185 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
1186
1187         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
1188         https://bugs.webkit.org/show_bug.cgi?id=201366
1189
1190         Reviewed by Saam Barati.
1191
1192         It is possible for the log buffer to be full right as someone is trying to
1193         log a function prologue. In such a case the machine stack has already been
1194         updated to include the new JavaScript call frame, but the prologue packet
1195         cannot be included in the update because the log is full. This would mean
1196         that the update fails to rationalize the machine stack with the shadow
1197         log / stack. Namely, the current JavaScript call frame is unable to
1198         find a matching prologue (the one we are holding to include after the update)
1199         and inserts a questionable value into the stack; and in the process
1200         missing and removing real potential tail calls.
1201
1202         For example:
1203         
1204             "use strict";
1205             function third() { return 1; }
1206             function second() { return third(); }
1207             function first() { return second(); }
1208             function start() { return first(); }
1209
1210         If the the log fills up just as we are entering `b` then we may have a list
1211         full log of packets looking like:
1212
1213           Shadow Log:
1214             ...
1215             { prologue-packet: entering `start` ... }
1216             { prologue-packet: entering `first` ... }
1217             { tail-packet: leaving `first` with a tail call }
1218
1219           Incoming Packet:
1220             { prologue-packet: entering `second` ... }
1221
1222           Current JS Stack:
1223             second
1224             start
1225
1226         Since the Current JavaScript stack already has `second`, if we process the
1227         log without the prologue for `second` then we push a confused entry on the
1228         shadow stack and clear the log such that we eventually lose the tail-call
1229         information for `first` to `second`.
1230
1231         This patch solves this issue by providing enough extra space in the log
1232         to always process the incoming packet when that forces an update. This way
1233         clients can continue to behave exactly as they are.
1234
1235         --
1236
1237         We also document a corner case in some circumstances where the shadow
1238         log may currently be insufficient to know how to reconcile:
1239         
1240         For example:
1241
1242             "use strict";
1243             function third() { return 1; }
1244             function second() { return third(); }
1245             function first() { return second(); }
1246             function doNothingTail() { return Math.random() }
1247             function start() {
1248                 for (i=0;i<1000;++i) doNothingTail();
1249                 return first();
1250             }
1251
1252         In this case the ShadowChicken log may be processed multiple times due
1253         to the many calls to `doNothingTail` / `Math.random()`. When calling the
1254         Native function no prologue packet is emitted, so it is unclear that we
1255         temporarly go deeper and come back out on the stack, so the log appears
1256         to have lots of doNothingTail calls reusing the same frame:
1257
1258           Shadow Log:
1259             ...
1260             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
1261             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1262             , [125] tail-packet:{frame = 0x7ffeef8971f0}
1263             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1264             , [127] tail-packet:{frame = 0x7ffeef8971f0}
1265             ...
1266             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1267             , [141] tail-packet:{frame = 0x7ffeef8971f0}
1268             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1269             , [143] tail-packet:{frame = 0x7ffeef8971f0}
1270             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
1271             , [145] tail-packet:{frame = 0x7ffeef8971f0}
1272             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
1273             ...
1274
1275         This log would seem to be indistinguishable from real tail recursion, such as:
1276
1277             "use strict";
1278             function third() { return 1; }
1279             function second() { return third(); }
1280             function first() { return second(); }
1281             function doNothingTail(n) {
1282                 return n ? doNothingTail(n-1) : first();
1283             }
1284             function start() {
1285                 return doNothingTail(1000);
1286             }
1287
1288         Likewise there are more cases where the shadow log appears to be ambiguous with determining
1289         the appropriate parent call frame with intermediate function calls. In practice this may
1290         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
1291         It seems likely we would only show additional frames that did in fact happen serially
1292         between JavaScript call frames, but may not actually be the proper parent frames
1293         heirachy in the stack.
1294
1295         * interpreter/ShadowChicken.cpp:
1296         (JSC::ShadowChicken::Packet::dump const):
1297         (JSC::ShadowChicken::Frame::dump const):
1298         (JSC::ShadowChicken::dump const):
1299         Improved debugging output. Especially for functions.
1300
1301         (JSC::ShadowChicken::ShadowChicken):
1302         Make space in the log for 1 additional packet to process when we slow log.
1303
1304         (JSC::ShadowChicken::log):
1305         Include this packet in our update.
1306
1307         (JSC::ShadowChicken::update):
1308         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
1309
1310 2019-09-06  Ryan Haddad  <ryanhaddad@apple.com>
1311
1312         Unreviewed, rolling out r249566.
1313
1314         Causes inspector layout test crashes under GuardMalloc
1315
1316         Reverted changeset:
1317
1318         "Tail Deleted Frames shown in Web Inspector are sometimes
1319         incorrect (Shadow Chicken)"
1320         https://bugs.webkit.org/show_bug.cgi?id=201366
1321         https://trac.webkit.org/changeset/249566
1322
1323 2019-09-06  Guillaume Emont  <guijemont@igalia.com>
1324
1325         testmasm: save r6 in JIT'ed code on ARM_THUMB2
1326         https://bugs.webkit.org/show_bug.cgi?id=201138
1327
1328         Reviewed by Mark Lam.
1329
1330         MacroAssemblerArmv7 uses r6 as a temporary register, and it is a
1331         callee-saved register. The JITs use
1332         AssemblyHelpers::emitSaveCalleeSaves() and friends to save
1333         callee-saved registers, but there is no such mechanism in testmasm,
1334         which seems to make the assumption that the macroassembler does not
1335         use callee-saved registers (which I guess is true for all other
1336         architectures, but not for Armv7).
1337
1338         This issue means that testmasm crashes on Armv7 since code generated
1339         by gcc uses r6, and it gets modified by JIT'ed code.
1340
1341         This change makes sure that we save and restore r6 for all code
1342         compiled by testmasm on Armv7.
1343
1344         * assembler/testmasm.cpp:
1345         (JSC::emitFunctionPrologue):
1346         (JSC::emitFunctionEpilogue):
1347         (JSC::testSimple):
1348         (JSC::testGetEffectiveAddress):
1349         (JSC::testBranchTruncateDoubleToInt32):
1350         (JSC::testBranchTestBit32RegReg):
1351         (JSC::testBranchTestBit32RegImm):
1352         (JSC::testBranchTestBit32AddrImm):
1353         (JSC::testBranchTestBit64RegReg):
1354         (JSC::testBranchTestBit64RegImm):
1355         (JSC::testBranchTestBit64AddrImm):
1356         (JSC::testCompareDouble):
1357         (JSC::testMul32WithImmediates):
1358         (JSC::testMul32SignExtend):
1359         (JSC::testCompareFloat):
1360         (JSC::testProbeReadsArgumentRegisters):
1361         (JSC::testProbeWritesArgumentRegisters):
1362         (JSC::testProbePreservesGPRS):
1363         (JSC::testProbeModifiesStackPointer):
1364         (JSC::testProbeModifiesProgramCounter):
1365         (JSC::testProbeModifiesStackValues):
1366         (JSC::testByteSwap):
1367         (JSC::testMoveDoubleConditionally32):
1368         (JSC::testMoveDoubleConditionally64):
1369         (JSC::testCagePreservesPACFailureBit):
1370
1371 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
1372
1373         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
1374         https://bugs.webkit.org/show_bug.cgi?id=201366
1375
1376         Reviewed by Saam Barati.
1377
1378         It is possible for the log buffer to be full right as someone is trying to
1379         log a function prologue. In such a case the machine stack has already been
1380         updated to include the new JavaScript call frame, but the prologue packet
1381         cannot be included in the update because the log is full. This would mean
1382         that the update fails to rationalize the machine stack with the shadow
1383         log / stack. Namely, the current JavaScript call frame is unable to
1384         find a matching prologue (the one we are holding to include after the update)
1385         and inserts a questionable value into the stack; and in the process
1386         missing and removing real potential tail calls.
1387
1388         For example:
1389         
1390             "use strict";
1391             function third() { return 1; }
1392             function second() { return third(); }
1393             function first() { return second(); }
1394             function start() { return first(); }
1395
1396         If the the log fills up just as we are entering `b` then we may have a list
1397         full log of packets looking like:
1398
1399           Shadow Log:
1400             ...
1401             { prologue-packet: entering `start` ... }
1402             { prologue-packet: entering `first` ... }
1403             { tail-packet: leaving `first` with a tail call }
1404
1405           Incoming Packet:
1406             { prologue-packet: entering `second` ... }
1407
1408           Current JS Stack:
1409             second
1410             start
1411
1412         Since the Current JavaScript stack already has `second`, if we process the
1413         log without the prologue for `second` then we push a confused entry on the
1414         shadow stack and clear the log such that we eventually lose the tail-call
1415         information for `first` to `second`.
1416
1417         This patch solves this issue by providing enough extra space in the log
1418         to always process the incoming packet when that forces an update. This way
1419         clients can continue to behave exactly as they are.
1420
1421         --
1422
1423         We also document a corner case in some circumstances where the shadow
1424         log may currently be insufficient to know how to reconcile:
1425         
1426         For example:
1427
1428             "use strict";
1429             function third() { return 1; }
1430             function second() { return third(); }
1431             function first() { return second(); }
1432             function doNothingTail() { return Math.random() }
1433             function start() {
1434                 for (i=0;i<1000;++i) doNothingTail();
1435                 return first();
1436             }
1437
1438         In this case the ShadowChicken log may be processed multiple times due
1439         to the many calls to `doNothingTail` / `Math.random()`. When calling the
1440         Native function no prologue packet is emitted, so it is unclear that we
1441         temporarly go deeper and come back out on the stack, so the log appears
1442         to have lots of doNothingTail calls reusing the same frame:
1443
1444           Shadow Log:
1445             ...
1446             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
1447             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1448             , [125] tail-packet:{frame = 0x7ffeef8971f0}
1449             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1450             , [127] tail-packet:{frame = 0x7ffeef8971f0}
1451             ...
1452             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1453             , [141] tail-packet:{frame = 0x7ffeef8971f0}
1454             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1455             , [143] tail-packet:{frame = 0x7ffeef8971f0}
1456             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
1457             , [145] tail-packet:{frame = 0x7ffeef8971f0}
1458             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
1459             ...
1460
1461         This log would seem to be indistinguishable from real tail recursion, such as:
1462
1463             "use strict";
1464             function third() { return 1; }
1465             function second() { return third(); }
1466             function first() { return second(); }
1467             function doNothingTail(n) {
1468                 return n ? doNothingTail(n-1) : first();
1469             }
1470             function start() {
1471                 return doNothingTail(1000);
1472             }
1473
1474         Likewise there are more cases where the shadow log appears to be ambiguous with determining
1475         the appropriate parent call frame with intermediate function calls. In practice this may
1476         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
1477         It seems likely we would only show additional frames that did in fact happen serially
1478         between JavaScript call frames, but may not actually be the proper parent frames
1479         heirachy in the stack.
1480
1481         * interpreter/ShadowChicken.cpp:
1482         (JSC::ShadowChicken::Packet::dump const):
1483         (JSC::ShadowChicken::Frame::dump const):
1484         (JSC::ShadowChicken::dump const):
1485         Improved debugging output. Especially for functions.
1486
1487         (JSC::ShadowChicken::ShadowChicken):
1488         Make space in the log for 1 additional packet to process when we slow log.
1489
1490         (JSC::ShadowChicken::log):
1491         Include this packet in our update.
1492
1493         (JSC::ShadowChicken::update):
1494         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
1495
1496 2019-09-05  Mark Lam  <mark.lam@apple.com>
1497
1498         Refactor the Gigacage code to require less pointer casting.
1499         https://bugs.webkit.org/show_bug.cgi?id=201521
1500
1501         Reviewed by Saam Barati.
1502
1503         Change LLInt's loadCagedJSValue() to skip the caging if Gigacage is not enabled
1504         in the build.  This allows us to remove the unneeded stubs in WTF Gigacage.h.
1505
1506         * jit/AssemblyHelpers.h:
1507         (JSC::AssemblyHelpers::cageConditionally):
1508         * llint/LowLevelInterpreter.asm:
1509         * llint/LowLevelInterpreter64.asm:
1510         * runtime/VM.h:
1511         (JSC::VM::gigacageAuxiliarySpace):
1512
1513 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
1514
1515         Unreviewed, follow-up after r249530 and r249509
1516         https://bugs.webkit.org/show_bug.cgi?id=201495
1517
1518         Rename FTLOutput::weakPointer to alreadyRegisteredWeakPointer and alreadyRegisteredFrozenPointer.
1519
1520         * builtins/PromiseConstructor.js:
1521         (nakedConstructor.Promise.resolve):
1522         (nakedConstructor.Promise.reject):
1523         (nakedConstructor.Promise):
1524         (nakedConstructor.InternalPromise.resolve):
1525         (nakedConstructor.InternalPromise.reject):
1526         (nakedConstructor.InternalPromise):
1527         * ftl/FTLLowerDFGToB3.cpp:
1528         (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
1529         (JSC::FTL::DFG::LowerDFGToB3::frozenPointer):
1530         (JSC::FTL::DFG::LowerDFGToB3::weakStructure):
1531         * ftl/FTLOutput.h:
1532         (JSC::FTL::Output::alreadyRegisteredWeakPointer):
1533         (JSC::FTL::Output::alreadyRegisteredFrozenPointer):
1534         (JSC::FTL::Output::weakPointer): Deleted.
1535
1536 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
1537
1538         [JSC] Generalize Get/PutPromiseInternalField for InternalFieldObjectImpl
1539         https://bugs.webkit.org/show_bug.cgi?id=201513
1540
1541         Reviewed by Ross Kirsling.
1542
1543         This patch extracts JSPromise's internal fields mechanism as JSInternalFieldsObjectImpl, and make it reusable for the other objects.
1544         It is preparation for using this internal fields mechanism for generators, async functions, async generators, array iterators and so on.
1545
1546         The profiler is telling many recompilation of Generator's resume function (including async generator's one). We are using properties
1547         with private-symbols as a storage for internal state of generators. However, the spec defines that each generator from different generator-functions
1548         has different [[Prototype]]. While we need to share one Generator.prototype.next function, generators tend to have different Structures due to
1549         different [[Prototype]] and accessing internal fields with `get_by_id_direct` sadly becomes super megamorphic while it is not necessary.
1550         And every time new Structure for new generator pops up, DFG/FTL code for generator resume function gets OSR exit or eventually this function gets
1551         emits super generic code unfortunately. By using internal fields for storing these state, we can avoid this performance problem.
1552
1553         Bytecodes and corresponding DFG nodes are just renamed. JSPromise is now inheriting JSInternalFieldsObjectImpl, which can holds specified
1554         number of internal fields. And op_get_internal_field / op_put_internal_field can access these internal fields.
1555
1556         * CMakeLists.txt:
1557         * JavaScriptCore.xcodeproj/project.pbxproj:
1558         * bytecode/BytecodeList.rb:
1559         * bytecode/BytecodeUseDef.h:
1560         (JSC::computeUsesForBytecodeOffset):
1561         (JSC::computeDefsForBytecodeOffset):
1562         * bytecode/CodeBlock.cpp:
1563         (JSC::CodeBlock::finishCreation):
1564         * bytecode/Opcode.h:
1565         * bytecompiler/BytecodeGenerator.cpp:
1566         (JSC::BytecodeGenerator::emitGetInternalField):
1567         (JSC::BytecodeGenerator::emitPutInternalField):
1568         (JSC::BytecodeGenerator::emitGetPromiseInternalField): Deleted.
1569         (JSC::BytecodeGenerator::emitPutPromiseInternalField): Deleted.
1570         * bytecompiler/BytecodeGenerator.h:
1571         * bytecompiler/NodesCodegen.cpp:
1572         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
1573         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
1574         * dfg/DFGAbstractInterpreterInlines.h:
1575         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1576         * dfg/DFGByteCodeParser.cpp:
1577         (JSC::DFG::ByteCodeParser::parseBlock):
1578         * dfg/DFGCapabilities.cpp:
1579         (JSC::DFG::capabilityLevel):
1580         * dfg/DFGClobberize.h:
1581         (JSC::DFG::clobberize):
1582         * dfg/DFGDoesGC.cpp:
1583         (JSC::DFG::doesGC):
1584         * dfg/DFGFixupPhase.cpp:
1585         (JSC::DFG::FixupPhase::fixupNode):
1586         * dfg/DFGMayExit.cpp:
1587         * dfg/DFGNode.h:
1588         (JSC::DFG::Node::hasInternalFieldIndex):
1589         (JSC::DFG::Node::hasHeapPrediction):
1590         * dfg/DFGNodeType.h:
1591         * dfg/DFGPredictionPropagationPhase.cpp:
1592         * dfg/DFGSafeToExecute.h:
1593         (JSC::DFG::safeToExecute):
1594         * dfg/DFGSpeculativeJIT.cpp:
1595         (JSC::DFG::SpeculativeJIT::compileGetInternalField):
1596         (JSC::DFG::SpeculativeJIT::compilePutInternalField):
1597         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
1598         (JSC::DFG::SpeculativeJIT::compileNewPromise):
1599         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField): Deleted.
1600         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField): Deleted.
1601         * dfg/DFGSpeculativeJIT.h:
1602         * dfg/DFGSpeculativeJIT32_64.cpp:
1603         (JSC::DFG::SpeculativeJIT::compile):
1604         * dfg/DFGSpeculativeJIT64.cpp:
1605         (JSC::DFG::SpeculativeJIT::compile):
1606         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1607         * ftl/FTLAbstractHeapRepository.h:
1608         * ftl/FTLCapabilities.cpp:
1609         (JSC::FTL::canCompile):
1610         * ftl/FTLLowerDFGToB3.cpp:
1611         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1612         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
1613         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1614         (JSC::FTL::DFG::LowerDFGToB3::compileGetInternalField):
1615         (JSC::FTL::DFG::LowerDFGToB3::compilePutInternalField):
1616         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField): Deleted.
1617         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField): Deleted.
1618         * jit/JIT.cpp:
1619         (JSC::JIT::privateCompileMainPass):
1620         * jit/JIT.h:
1621         * jit/JITPropertyAccess.cpp:
1622         (JSC::JIT::emit_op_get_internal_field):
1623         (JSC::JIT::emit_op_put_internal_field):
1624         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
1625         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
1626         * jit/JITPropertyAccess32_64.cpp:
1627         (JSC::JIT::emit_op_get_internal_field):
1628         (JSC::JIT::emit_op_put_internal_field):
1629         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
1630         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
1631         * llint/LLIntOffsetsExtractor.cpp:
1632         * llint/LowLevelInterpreter.asm:
1633         * llint/LowLevelInterpreter32_64.asm:
1634         * llint/LowLevelInterpreter64.asm:
1635         * runtime/JSInternalFieldObjectImpl.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
1636         (JSC::JSInternalFieldObjectImpl::allocationSize):
1637         (JSC::JSInternalFieldObjectImpl::internalField const):
1638         (JSC::JSInternalFieldObjectImpl::internalField):
1639         (JSC::JSInternalFieldObjectImpl::offsetOfInternalFields):
1640         (JSC::JSInternalFieldObjectImpl::offsetOfInternalField):
1641         (JSC::JSInternalFieldObjectImpl::JSInternalFieldObjectImpl):
1642         * runtime/JSInternalFieldObjectImplInlines.h: Added.
1643         (JSC::JSInternalFieldObjectImpl<passedNumberOfInternalFields>::visitChildren):
1644         * runtime/JSPromise.cpp:
1645         (JSC::JSPromise::finishCreation):
1646         (JSC::JSPromise::visitChildren):
1647         (JSC::JSPromise::status const):
1648         (JSC::JSPromise::result const):
1649         (JSC::JSPromise::isHandled const):
1650         * runtime/JSPromise.h:
1651         (JSC::JSPromise::allocationSize): Deleted.
1652         (JSC::JSPromise::offsetOfInternalFields): Deleted.
1653         (JSC::JSPromise::offsetOfInternalField): Deleted.
1654         (): Deleted.
1655
1656 2019-09-05  Commit Queue  <commit-queue@webkit.org>
1657
1658         Unreviewed, rolling out r247463.
1659         https://bugs.webkit.org/show_bug.cgi?id=201515
1660
1661         JetStream2 code-load related regression (Requested by
1662         yusukesuzuki on #webkit).
1663
1664         Reverted changeset:
1665
1666         "Keyword lookup can use memcmp to get around unaligned load
1667         undefined behavior"
1668         https://bugs.webkit.org/show_bug.cgi?id=199650
1669         https://trac.webkit.org/changeset/247463
1670
1671 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
1672
1673         LazyClassStructure::setConstructor should not store the constructor to the global object
1674         https://bugs.webkit.org/show_bug.cgi?id=201484
1675         <rdar://problem/50400451>
1676
1677         Reviewed by Yusuke Suzuki.
1678
1679         LazyClassStructure::setConstructor sets the constructor as a property of the global object.
1680         This became a problem when it started being used for WebAssembly constructors, such as Module
1681         and Instance, since they are properties of the WebAssembly object, not the global object. That
1682         resulted in properties of the global object replaced whenever a lazy WebAssembly constructor
1683         was first accessed. e.g.
1684
1685         globalThis.Module = x;
1686         WebAssembly.Module;
1687         globalThis.Module === WebAssembly.Module;
1688
1689         * runtime/LazyClassStructure.cpp:
1690         (JSC::LazyClassStructure::Initializer::setConstructor):
1691         * runtime/LazyClassStructure.h:
1692         * runtime/Lookup.h:
1693         (JSC::reifyStaticProperty):
1694
1695 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
1696
1697         [JSC] Do not use FTLOutput::weakPointer directly
1698         https://bugs.webkit.org/show_bug.cgi?id=201495
1699
1700         Reviewed by Filip Pizlo.
1701
1702         FTLOutput::weakPointer does not register the cell as a weak pointer.
1703         CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion.
1704         While the current implementation is not posing correctness issue since these cells are live so long as JSGlobalObject is live,
1705         and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function.
1706         For FrozenValue, we should use frozenPointer helper function.
1707
1708         * ftl/FTLLowerDFGToB3.cpp:
1709         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1710         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1711
1712 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1713
1714         Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression
1715         https://bugs.webkit.org/show_bug.cgi?id=201373
1716
1717         * bytecode/BytecodeList.rb:
1718         * bytecode/BytecodeUseDef.h:
1719         (JSC::computeUsesForBytecodeOffset):
1720         (JSC::computeDefsForBytecodeOffset):
1721         * bytecompiler/BytecodeGenerator.cpp:
1722         (JSC::BytecodeGenerator::BytecodeGenerator):
1723         (JSC::BytecodeGenerator::emitLoopHint):
1724         (JSC::BytecodeGenerator::emitCheckTraps):
1725         * bytecompiler/BytecodeGenerator.h:
1726         * dfg/DFGByteCodeParser.cpp:
1727         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1728         (JSC::DFG::ByteCodeParser::parseBlock):
1729         * dfg/DFGCapabilities.cpp:
1730         (JSC::DFG::capabilityLevel):
1731         * jit/JIT.cpp:
1732         (JSC::JIT::emitEnterOptimizationCheck):
1733         (JSC::JIT::privateCompileMainPass):
1734         (JSC::JIT::privateCompileSlowCases):
1735         * jit/JIT.h:
1736         * jit/JITOpcodes.cpp:
1737         (JSC::JIT::emit_op_enter):
1738         (JSC::JIT::emit_op_loop_hint):
1739         (JSC::JIT::emitSlow_op_loop_hint):
1740         (JSC::JIT::emit_op_check_traps):
1741         (JSC::JIT::emitSlow_op_check_traps):
1742         (JSC::JIT::emitSlow_op_enter): Deleted.
1743         * jit/JITOpcodes32_64.cpp:
1744         (JSC::JIT::emit_op_enter):
1745         * llint/LowLevelInterpreter.asm:
1746         * llint/LowLevelInterpreter32_64.asm:
1747         * llint/LowLevelInterpreter64.asm:
1748         * runtime/CommonSlowPaths.cpp:
1749         (JSC::SLOW_PATH_DECL):
1750         * runtime/CommonSlowPaths.h:
1751
1752 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1753
1754         Unreviewed, rebaseline builtin generator test results
1755         https://bugs.webkit.org/show_bug.cgi?id=200898
1756
1757         Rebaseline the result files.
1758
1759         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1760         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
1761         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1762         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1763         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1764         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1765         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1766         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1767         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1768         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1769         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1770         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1771         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1772
1773 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1774
1775         [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen
1776         https://bugs.webkit.org/show_bug.cgi?id=201485
1777
1778         Reviewed by Tadeu Zagallo.
1779
1780         FunctionOverrides is a per-process singleton for registering overrides information. But we are accessing
1781         it without taking a lock. If multiple threads with multiple VMs are accessing this concurrently, we have
1782         a race issue like,
1783
1784         1. While one thread is adding overrides information,
1785         2. Another thread is accessing this hash table.
1786
1787         This patch adds a lock to make sure that only one thread can access this registry.
1788
1789         * tools/FunctionOverrides.cpp:
1790         (JSC::FunctionOverrides::FunctionOverrides):
1791         (JSC::FunctionOverrides::reinstallOverrides):
1792         (JSC::FunctionOverrides::initializeOverrideFor):
1793         (JSC::FunctionOverrides::parseOverridesInFile):
1794         * tools/FunctionOverrides.h:
1795         (JSC::FunctionOverrides::clear):
1796
1797 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1798
1799         [JSC] Make Promise implementation faster
1800         https://bugs.webkit.org/show_bug.cgi?id=200898
1801
1802         Reviewed by Saam Barati.
1803
1804         This is the major change of the Promise implementation and it improves JetStream2/async-fs by 62%.
1805
1806         1. Make JSPromise C++ friendly
1807
1808             Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise.
1809             This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these
1810             fields from C++ easy. Moreover, this patch reduces # of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal
1811             fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL
1812             supports. They are similar to GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand
1813             this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1].
1814
1815             We also add JSPromiseType as JSType. And structures for JSPromise should have that. So that now `@isPromise` is efficiently implemented.
1816             This also requires adding SpecPromiseObject and PromiseObjectUse to DFG.
1817
1818             Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension
1819             is filed in [2].
1820
1821         2. Make JSPromise constructor JS friendly
1822
1823             The old JSPromise constructor was very inefficient: JSPromise constructor is InternalFunction in C++, and in it, it
1824             calls `initializePromise` JS function. And this `initializePromise` function invokes `executor` function passed by user program.
1825             If we can implement JSPromise constructor fully in JS, we can recognize `executor` and we have a chance to fully inline them.
1826             Unfortunately, we cannot inline JSPromise constructor for now since it takes 120 bytecode cost while our inlining threshold for
1827             construct is 100. We might want to investigate getting it inlined in the future[3].
1828
1829             We can avoid C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces @nakedConstructor
1830             annotation to builtin JS. And this is propagated as `ConstructorKind::Naked`. If this kind is attached, the bytecode generator
1831             do not emit `op_create_this` implicitly and the constructor does not return `this` object implicitly. The naked constructor allows
1832             us to emit bare-metal bytecode, specifically necessary to allocate non-final JSObject from JS constructor. We introduce op_create_promise,
1833             which is similar to op_create_this, but it allocates JSPromise. And by using @createPromise bytecode intrinsic, we implement
1834             JSPromise constructor fully in JS.
1835             With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4].
1836
1837         3. DFG supports for JSPromise operations
1838
1839             This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis,
1840             and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate
1841             promises. CreatePromise and NewPromise have `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG.
1842             When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism
1843             used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile
1844             can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable
1845             in DFG, we connect watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's
1846             structure is invalidated: `callee.prototype` is replaced.
1847
1848         4. Avoid creating unnecessary promises
1849
1850             Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. And some of promise creation can be avoided.
1851             For example, when resolving a value with `Promise.resolve`, if a value is promise and if it's `then` method is the builtin `then`, we can avoid creating
1852             intermediate promise. To handle these things well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They
1853             take `onFulfilled` and `onRejected` handlers and they do not need an intermediate promise for resolving. This removes internal promise allocations
1854             in major cases and makes promise / async-functions efficient. And we also expose builtin `then` function as `@then`, and insert `@isPromise(xxx) && then === @then`
1855             check to take a fast path. We introduced four types of promise reactions to avoid some of object allocations. And microtask reaction is handling these four types.
1856
1857         5. Avoid creating resolving-functions and promise capabilities
1858
1859             Resolving functions have `alreadyResolved` flag to prevent calling `resolve` and `reject` multiple times. For the first resolving function creation, this
1860             patch embeds one bit flag to JSPromise itself which indicates `alreadyResolved` in the first created resolving functions (resolving functions can be later
1861             created again for the same promise. In that case, we just create a usual resolving functions). By doing so, we avoid unnecessary resolving functions
1862             and promise capability allocations. We introduce a wrapper function `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`.
1863             The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with the calls to these functions, e.g. replacing
1864             `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`.
1865             This mechanism will be used to drop JSPromiseDeferred in a separate patch.
1866
1867         JetStream2/async-fs results.
1868             ToT:
1869                 Running async-fs:
1870                     Startup: 116.279
1871                     Worst Case: 151.515
1872                     Average: 176.630
1873                     Score: 145.996
1874                     Wall time: 0:01.149
1875
1876             Patched:
1877                 Running async-fs:
1878                     Startup: 166.667
1879                     Worst Case: 267.857
1880                     Average: 299.080
1881                     Score: 237.235
1882                     Wall time: 0:00.683
1883
1884         [1]: https://bugs.webkit.org/show_bug.cgi?id=201159
1885         [2]: https://bugs.webkit.org/show_bug.cgi?id=201160
1886         [3]: https://bugs.webkit.org/show_bug.cgi?id=201452
1887         [4]: https://bugs.webkit.org/show_bug.cgi?id=201158
1888
1889         * CMakeLists.txt:
1890         * JavaScriptCore.xcodeproj/project.pbxproj:
1891         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
1892         (ConstructAbility):
1893         (ConstructorKind):
1894         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
1895         * Scripts/wkbuiltins/builtins_generator.py:
1896         (BuiltinsGenerator.generate_embedded_code_data_for_function):
1897         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
1898         * Scripts/wkbuiltins/builtins_model.py:
1899         (BuiltinFunction.__init__):
1900         (BuiltinFunction.fromString):
1901         * Scripts/wkbuiltins/builtins_templates.py:
1902         * builtins/AsyncFromSyncIteratorPrototype.js:
1903         (next.try):
1904         (next):
1905         (return.try):
1906         (return):
1907         (throw.try):
1908         (throw):
1909         * builtins/AsyncFunctionPrototype.js:
1910         (globalPrivate.asyncFunctionResume):
1911         * builtins/AsyncGeneratorPrototype.js:
1912         (globalPrivate.asyncGeneratorQueueIsEmpty):
1913         (globalPrivate.asyncGeneratorQueueEnqueue):
1914         (globalPrivate.asyncGeneratorQueueDequeue):
1915         (globalPrivate.asyncGeneratorReject):
1916         (globalPrivate.asyncGeneratorResolve):
1917         (globalPrivate.asyncGeneratorYield):
1918         (onRejected):
1919         (globalPrivate.awaitValue):
1920         (onFulfilled):
1921         (globalPrivate.doAsyncGeneratorBodyCall):
1922         (globalPrivate.asyncGeneratorResumeNext):
1923         (globalPrivate.asyncGeneratorEnqueue):
1924         (globalPrivate.asyncGeneratorDequeue): Deleted.
1925         (const.onRejected): Deleted.
1926         (const.onFulfilled): Deleted.
1927         (globalPrivate.asyncGeneratorResumeNext.): Deleted.
1928         * builtins/BuiltinExecutableCreator.h:
1929         * builtins/BuiltinExecutables.cpp:
1930         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1931         (JSC::BuiltinExecutables::createDefaultConstructor):
1932         (JSC::BuiltinExecutables::createBuiltinExecutable):
1933         (JSC::BuiltinExecutables::createExecutable):
1934         (JSC::createBuiltinExecutable): Deleted.
1935         * builtins/BuiltinExecutables.h:
1936         * builtins/BuiltinNames.h:
1937         * builtins/BuiltinUtils.h:
1938         * builtins/ModuleLoader.js:
1939         (forceFulfillPromise):
1940         * builtins/PromiseConstructor.js:
1941         (nakedConstructor.Promise.resolve):
1942         (nakedConstructor.Promise.reject):
1943         (nakedConstructor.Promise):
1944         (nakedConstructor.InternalPromise.resolve):
1945         (nakedConstructor.InternalPromise.reject):
1946         (nakedConstructor.InternalPromise):
1947         * builtins/PromiseOperations.js:
1948         (globalPrivate.newPromiseReaction):
1949         (globalPrivate.newPromiseCapability):
1950         (globalPrivate.newHandledRejectedPromise):
1951         (globalPrivate.triggerPromiseReactions):
1952         (globalPrivate.resolvePromise):
1953         (globalPrivate.rejectPromise):
1954         (globalPrivate.fulfillPromise):
1955         (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck):
1956         (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck):
1957         (globalPrivate.createResolvingFunctions.resolve):
1958         (globalPrivate.createResolvingFunctions.reject):
1959         (globalPrivate.createResolvingFunctions):
1960         (globalPrivate.promiseReactionJobWithoutPromise):
1961         (globalPrivate.resolveWithoutPromise):
1962         (globalPrivate.rejectWithoutPromise):
1963         (globalPrivate.fulfillWithoutPromise):
1964         (resolve):
1965         (reject):
1966         (globalPrivate.createResolvingFunctionsWithoutPromise):
1967         (globalPrivate.promiseReactionJob):
1968         (globalPrivate.promiseResolveThenableJobFast):
1969         (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
1970         (globalPrivate.promiseResolveThenableJob):
1971         (globalPrivate.isPromise): Deleted.
1972         (globalPrivate.newPromiseCapability.executor): Deleted.
1973         (globalPrivate.initializePromise): Deleted.
1974         * builtins/PromisePrototype.js:
1975         (then):
1976         * bytecode/BytecodeIntrinsicRegistry.cpp:
1977         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1978         * bytecode/BytecodeIntrinsicRegistry.h:
1979         * bytecode/BytecodeList.rb:
1980         * bytecode/BytecodeUseDef.h:
1981         (JSC::computeUsesForBytecodeOffset):
1982         (JSC::computeDefsForBytecodeOffset):
1983         * bytecode/CodeBlock.cpp:
1984         (JSC::CodeBlock::finishCreation):
1985         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1986         * bytecode/Opcode.h:
1987         * bytecode/SpeculatedType.cpp:
1988         (JSC::dumpSpeculation):
1989         (JSC::speculationFromClassInfo):
1990         (JSC::speculationFromJSType):
1991         (JSC::speculationFromString):
1992         * bytecode/SpeculatedType.h:
1993         * bytecode/UnlinkedFunctionExecutable.h:
1994         * bytecompiler/BytecodeGenerator.cpp:
1995         (JSC::BytecodeGenerator::generate):
1996         (JSC::BytecodeGenerator::BytecodeGenerator):
1997         (JSC::BytecodeGenerator::emitGetPromiseInternalField):
1998         (JSC::BytecodeGenerator::emitPutPromiseInternalField):
1999         (JSC::BytecodeGenerator::emitCreatePromise):
2000         (JSC::BytecodeGenerator::emitNewPromise):
2001         (JSC::BytecodeGenerator::emitReturn):
2002         * bytecompiler/BytecodeGenerator.h:
2003         (JSC::BytecodeGenerator::promiseRegister):
2004         (JSC::BytecodeGenerator::emitIsPromise):
2005         (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted.
2006         * bytecompiler/NodesCodegen.cpp:
2007         (JSC::promiseInternalFieldIndex):
2008         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
2009         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
2010         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise):
2011         (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise):
2012         (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise):
2013         (JSC::FunctionNode::emitBytecode):
2014         * dfg/DFGAbstractHeap.h:
2015         * dfg/DFGAbstractInterpreterInlines.h:
2016         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2017         * dfg/DFGByteCodeParser.cpp:
2018         (JSC::DFG::ByteCodeParser::parseBlock):
2019         * dfg/DFGCapabilities.cpp:
2020         (JSC::DFG::capabilityLevel):
2021         * dfg/DFGClobberize.h:
2022         (JSC::DFG::clobberize):
2023         * dfg/DFGClobbersExitState.cpp:
2024         (JSC::DFG::clobbersExitState):
2025         * dfg/DFGConstantFoldingPhase.cpp:
2026         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2027         * dfg/DFGDoesGC.cpp:
2028         (JSC::DFG::doesGC):
2029         * dfg/DFGFixupPhase.cpp:
2030         (JSC::DFG::FixupPhase::fixupNode):
2031         * dfg/DFGGraph.cpp:
2032         (JSC::DFG::Graph::dump):
2033         * dfg/DFGHeapLocation.cpp:
2034         (WTF::printInternal):
2035         * dfg/DFGHeapLocation.h:
2036         * dfg/DFGMayExit.cpp:
2037         * dfg/DFGNode.h:
2038         (JSC::DFG::Node::convertToNewPromise):
2039         (JSC::DFG::Node::hasIsInternalPromise):
2040         (JSC::DFG::Node::isInternalPromise):
2041         (JSC::DFG::Node::hasInternalFieldIndex):
2042         (JSC::DFG::Node::internalFieldIndex):
2043         (JSC::DFG::Node::hasHeapPrediction):
2044         (JSC::DFG::Node::hasStructure):
2045         * dfg/DFGNodeType.h:
2046         * dfg/DFGOperations.cpp:
2047         * dfg/DFGOperations.h:
2048         * dfg/DFGPredictionPropagationPhase.cpp:
2049         * dfg/DFGPromotedHeapLocation.cpp:
2050         (WTF::printInternal):
2051         * dfg/DFGPromotedHeapLocation.h:
2052         * dfg/DFGSafeToExecute.h:
2053         (JSC::DFG::SafeToExecuteEdge::operator()):
2054         (JSC::DFG::safeToExecute):
2055         * dfg/DFGSpeculativeJIT.cpp:
2056         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2057         (JSC::DFG::SpeculativeJIT::speculatePromiseObject):
2058         (JSC::DFG::SpeculativeJIT::speculate):
2059         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField):
2060         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField):
2061         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
2062         (JSC::DFG::SpeculativeJIT::compileNewPromise):
2063         * dfg/DFGSpeculativeJIT.h:
2064         * dfg/DFGSpeculativeJIT32_64.cpp:
2065         (JSC::DFG::SpeculativeJIT::compile):
2066         * dfg/DFGSpeculativeJIT64.cpp:
2067         (JSC::DFG::SpeculativeJIT::compile):
2068         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2069         * dfg/DFGUseKind.cpp:
2070         (WTF::printInternal):
2071         * dfg/DFGUseKind.h:
2072         (JSC::DFG::typeFilterFor):
2073         (JSC::DFG::isCell):
2074         * ftl/FTLAbstractHeapRepository.h:
2075         * ftl/FTLCapabilities.cpp:
2076         (JSC::FTL::canCompile):
2077         * ftl/FTLLowerDFGToB3.cpp:
2078         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2079         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2080         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
2081         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
2082         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField):
2083         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField):
2084         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2085         (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject):
2086         * jit/JIT.cpp:
2087         (JSC::JIT::privateCompileMainPass):
2088         (JSC::JIT::privateCompileSlowCases):
2089         * jit/JIT.h:
2090         * jit/JITOperations.cpp:
2091         * jit/JITOperations.h:
2092         * jit/JITPropertyAccess.cpp:
2093         (JSC::JIT::emit_op_get_promise_internal_field):
2094         (JSC::JIT::emit_op_put_promise_internal_field):
2095         * jit/JITPropertyAccess32_64.cpp:
2096         (JSC::JIT::emit_op_get_promise_internal_field):
2097         (JSC::JIT::emit_op_put_promise_internal_field):
2098         * llint/LowLevelInterpreter.asm:
2099         * llint/LowLevelInterpreter32_64.asm:
2100         * llint/LowLevelInterpreter64.asm:
2101         * parser/Parser.cpp:
2102         (JSC::Parser<LexerType>::Parser):
2103         (JSC::Parser<LexerType>::parseFunctionInfo):
2104         * parser/Parser.h:
2105         (JSC::parse):
2106         * parser/ParserModes.h:
2107         * runtime/CommonSlowPaths.cpp:
2108         (JSC::SLOW_PATH_DECL):
2109         * runtime/CommonSlowPaths.h:
2110         * runtime/ConstructAbility.h:
2111         * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h.
2112         * runtime/FunctionRareData.cpp:
2113         (JSC::FunctionRareData::FunctionRareData):
2114         (JSC::FunctionRareData::initializeObjectAllocationProfile):
2115         (JSC::FunctionRareData::clear):
2116         * runtime/FunctionRareData.h:
2117         * runtime/InternalFunction.cpp:
2118         (JSC::InternalFunction::createSubclassStructureSlow):
2119         * runtime/InternalFunction.h:
2120         (JSC::InternalFunction::createSubclassStructure):
2121         * runtime/JSCast.h:
2122         * runtime/JSGlobalObject.cpp:
2123         (JSC::enqueueJob):
2124         (JSC::JSGlobalObject::init):
2125         (JSC::JSGlobalObject::visitChildren):
2126         * runtime/JSGlobalObject.h:
2127         (JSC::JSGlobalObject::arrayProtoValuesFunction const):
2128         (JSC::JSGlobalObject::promiseProtoThenFunction const):
2129         (JSC::JSGlobalObject::initializePromiseFunction const): Deleted.
2130         * runtime/JSInternalPromise.cpp:
2131         (JSC::JSInternalPromise::createStructure):
2132         * runtime/JSInternalPromiseConstructor.cpp:
2133         (JSC::JSInternalPromiseConstructor::create):
2134         (JSC::JSInternalPromiseConstructor::createStructure):
2135         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
2136         (JSC::constructPromise): Deleted.
2137         * runtime/JSInternalPromiseConstructor.h:
2138         * runtime/JSInternalPromisePrototype.cpp:
2139         (JSC::JSInternalPromisePrototype::create):
2140         * runtime/JSMicrotask.cpp:
2141         (JSC::createJSMicrotask):
2142         (JSC::JSMicrotask::run):
2143         * runtime/JSMicrotask.h:
2144         * runtime/JSPromise.cpp:
2145         (JSC::JSPromise::createStructure):
2146         (JSC::JSPromise::finishCreation):
2147         (JSC::JSPromise::visitChildren):
2148         (JSC::JSPromise::status const):
2149         (JSC::JSPromise::result const):
2150         (JSC::JSPromise::isHandled const):
2151         (JSC::JSPromise::initialize): Deleted.
2152         * runtime/JSPromise.h:
2153         (JSC::JSPromise::allocationSize):
2154         (JSC::JSPromise::offsetOfInternalFields):
2155         (JSC::JSPromise::offsetOfInternalField):
2156         * runtime/JSPromiseConstructor.cpp:
2157         (JSC::JSPromiseConstructor::create):
2158         (JSC::JSPromiseConstructor::createStructure):
2159         (JSC::JSPromiseConstructor::JSPromiseConstructor):
2160         (JSC::JSPromiseConstructor::finishCreation):
2161         (JSC::constructPromise): Deleted.
2162         (JSC::callPromise): Deleted.
2163         * runtime/JSPromiseConstructor.h:
2164         * runtime/JSPromisePrototype.cpp:
2165         (JSC::JSPromisePrototype::create):
2166         (JSC::JSPromisePrototype::finishCreation):
2167         (JSC::JSPromisePrototype::addOwnInternalSlots):
2168         * runtime/JSPromisePrototype.h:
2169         * runtime/JSType.cpp:
2170         (WTF::printInternal):
2171         * runtime/JSType.h:
2172
2173 2019-09-04  Joseph Pecoraro  <pecoraro@apple.com>
2174
2175         Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based)
2176         https://bugs.webkit.org/show_bug.cgi?id=201262
2177         <rdar://problem/13108764>
2178
2179         Reviewed by Devin Rousso.
2180
2181         When interception is enabled, Network requests that match any of the configured
2182         interception patterns will be paused on the backend and allowed to be modified
2183         by the frontend.
2184
2185         Currently the only time a network request can be intercepted is during the
2186         HTTP response. However, this intercepting interface is mean to extend to
2187         HTTP requests as well.
2188
2189         When a response is to be intercepted a new event is sent to the frontend:
2190
2191           `Network.responseIntercepted` event
2192
2193         With a `requestId` to identify that network request. The frontend
2194         must respond with one of the following commands to continue:
2195
2196           `Network.interceptContinue`     - proceed with the response unmodified
2197           `Network.interceptWithResponse` - provide a response
2198
2199         The response is paused in the meantime.
2200
2201         * inspector/protocol/Network.json:
2202         New interfaces for intercepting network responses and suppling override content.
2203
2204         * Scripts/generate-combined-inspector-json.py:
2205         * inspector/scripts/generate-inspector-protocol-bindings.py:
2206         (generate_from_specification.load_specification):
2207         Complete allowing comments in JSON protocol files.
2208
2209         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2210         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
2211         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2212         Allow optional enums in ObjC interfaces.
2213
2214 2019-09-03  Mark Lam  <mark.lam@apple.com>
2215
2216         Structure::storedPrototype() and storedPrototypeObject() should assert with isCompilationThread(), not !isMainThread().
2217         https://bugs.webkit.org/show_bug.cgi?id=201449
2218
2219         Reviewed by Yusuke Suzuki.
2220
2221         Using !isMainThread() in the assertion also disables the assertion for the mutator
2222         of worker threads.  This is not what we intended.
2223
2224         * runtime/StructureInlines.h:
2225         (JSC::Structure::storedPrototype const):
2226         (JSC::Structure::storedPrototypeObject const):
2227
2228 2019-09-04  Mark Lam  <mark.lam@apple.com>
2229
2230         Disambiguate a symbol used in JSDollarVM.
2231         https://bugs.webkit.org/show_bug.cgi?id=201466
2232         <rdar://problem/51826672>
2233
2234         Reviewed by Tadeu Zagallo.
2235
2236         This was causing a build issue on some internal build.
2237
2238         * tools/JSDollarVM.cpp:
2239
2240 2019-09-03  Mark Lam  <mark.lam@apple.com>
2241
2242         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
2243         https://bugs.webkit.org/show_bug.cgi?id=201309
2244         <rdar://problem/54832121>
2245
2246         Reviewed by Yusuke Suzuki.
2247
2248         * dfg/DFGAbstractInterpreterInlines.h:
2249         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2250         * runtime/JSArrayBufferView.h:
2251         * runtime/JSArrayBufferViewInlines.h:
2252         (JSC::JSArrayBufferView::possiblySharedBufferImpl):
2253         (JSC::JSArrayBufferView::possiblySharedBuffer):
2254         (JSC::JSArrayBufferView::byteOffsetImpl):
2255         (JSC::JSArrayBufferView::byteOffset):
2256         (JSC::JSArrayBufferView::byteOffsetConcurrently):
2257
2258 2019-09-03  Devin Rousso  <drousso@apple.com>
2259
2260         Web Inspector: implement blackboxing of script resources
2261         https://bugs.webkit.org/show_bug.cgi?id=17240
2262         <rdar://problem/5732847>
2263
2264         Reviewed by Joseph Pecoraro.
2265
2266         When a script is blackboxed and the debugger attempts to pause in that script, the pause
2267         reason/data will be saved and execution will continue until it has left the blackboxed
2268         script. Once outside, execution is paused with the saved reason/data.
2269
2270         This is especially useful when debugging issues using libraries/frameworks, as it allows the
2271         developer to "skip" the internal logic of the library/framework and instead focus only on
2272         how they're using it.
2273
2274         * inspector/protocol/Debugger.json:
2275         Add `setShouldBlackboxURL` command.
2276
2277         * inspector/agents/InspectorDebuggerAgent.h:
2278         * inspector/agents/InspectorDebuggerAgent.cpp:
2279         (Inspector::InspectorDebuggerAgent):
2280         (Inspector::InspectorDebuggerAgent::enable):
2281         (Inspector::InspectorDebuggerAgent::updatePauseReasonAndData): Added.
2282         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2283         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
2284         (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): Added.
2285         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
2286         (Inspector::InspectorDebuggerAgent::didParseSource):
2287         (Inspector::InspectorDebuggerAgent::didPause):
2288         (Inspector::InspectorDebuggerAgent::didContinue):
2289         (Inspector::InspectorDebuggerAgent::breakProgram):
2290         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
2291         (Inspector::InspectorDebuggerAgent::clearPauseDetails): Added.
2292         (Inspector::InspectorDebuggerAgent::clearBreakDetails): Deleted.
2293         Renamed "break" to "pause" to match `Debugger` naming.
2294
2295         * debugger/Debugger.h:
2296         * debugger/Debugger.cpp:
2297         (JSC::Debugger::pauseIfNeeded):
2298         (JSC::Debugger::setBlackboxType): Added.
2299         (JSC::Debugger::clearBlackbox): Added.
2300         (JSC::Debugger::isBlacklisted const): Deleted.
2301         (JSC::Debugger::addToBlacklist): Deleted.
2302         (JSC::Debugger::clearBlacklist): Deleted.
2303
2304 2019-09-03  Mark Lam  <mark.lam@apple.com>
2305
2306         Remove the need to pass performJITMemcpy as a pointer.
2307         https://bugs.webkit.org/show_bug.cgi?id=201413
2308
2309         Reviewed by Michael Saboff.
2310
2311         We want performJITMemcpy to always be inlined.  In this patch, we also clean up
2312         some template parameters to use enums instead of booleans to better document the
2313         intent of the code.
2314
2315         * assembler/ARM64Assembler.h:
2316         (JSC::ARM64Assembler::fillNops):
2317         (JSC::ARM64Assembler::linkJump):
2318         (JSC::ARM64Assembler::linkCall):
2319         (JSC::ARM64Assembler::relinkJump):
2320         (JSC::ARM64Assembler::relinkCall):
2321         (JSC::ARM64Assembler::link):
2322         (JSC::ARM64Assembler::linkJumpOrCall):
2323         (JSC::ARM64Assembler::linkCompareAndBranch):
2324         (JSC::ARM64Assembler::linkConditionalBranch):
2325         (JSC::ARM64Assembler::linkTestAndBranch):
2326         (JSC::ARM64Assembler::relinkJumpOrCall):
2327         (JSC::ARM64Assembler::CopyFunction::CopyFunction): Deleted.
2328         (JSC::ARM64Assembler::CopyFunction::operator()): Deleted.
2329         * assembler/ARMv7Assembler.h:
2330         (JSC::ARMv7Assembler::fillNops):
2331         (JSC::ARMv7Assembler::link):
2332         (JSC::ARMv7Assembler::linkJumpT1):
2333         (JSC::ARMv7Assembler::linkJumpT2):
2334         (JSC::ARMv7Assembler::linkJumpT3):
2335         (JSC::ARMv7Assembler::linkJumpT4):
2336         (JSC::ARMv7Assembler::linkConditionalJumpT4):
2337         (JSC::ARMv7Assembler::linkBX):
2338         (JSC::ARMv7Assembler::linkConditionalBX):
2339         * assembler/AbstractMacroAssembler.h:
2340         (JSC::AbstractMacroAssembler::emitNops):
2341         * assembler/LinkBuffer.cpp:
2342         (JSC::LinkBuffer::copyCompactAndLinkCode):
2343         * assembler/MIPSAssembler.h:
2344         (JSC::MIPSAssembler::fillNops):
2345         * assembler/MacroAssemblerARM64.h:
2346         (JSC::MacroAssemblerARM64::link):
2347         * assembler/MacroAssemblerARMv7.h:
2348         (JSC::MacroAssemblerARMv7::link):
2349         * assembler/X86Assembler.h:
2350         (JSC::X86Assembler::fillNops):
2351         * jit/ExecutableAllocator.h:
2352         (JSC::performJITMemcpy):
2353         * runtime/JSCPtrTag.h:
2354
2355 2019-09-03  Devin Rousso  <drousso@apple.com>
2356
2357         REGRESSION (r249078): Flaky crash in com.apple.JavaScriptCore: Inspector::InjectedScriptModule::ensureInjected
2358         https://bugs.webkit.org/show_bug.cgi?id=201201
2359         <rdar://problem/54771560>
2360
2361         Reviewed by Joseph Pecoraro.
2362
2363         * inspector/InjectedScriptSource.js:
2364         (let.InjectedScript.prototype.injectModule):
2365         (let.InjectedScript.prototype._evaluateOn):
2366         (CommandLineAPI):
2367         (let.InjectedScript.prototype.setInspectObject): Deleted.
2368         (let.InjectedScript.prototype.addCommandLineAPIGetter): Deleted.
2369         (let.InjectedScript.prototype.addCommandLineAPIMethod.func.toString): Deleted.
2370         (let.InjectedScript.prototype.addCommandLineAPIMethod): Deleted.
2371         (InjectedScript.CommandLineAPI): Deleted.
2372         Allow injected script "extensions" (e.g. CommandLineAPIModuleSource.js) to modify objects
2373         directly, instead of having them call functions.
2374
2375         * inspector/InjectedScriptModule.cpp:
2376         (Inspector::InjectedScriptModule::ensureInjected):
2377         Make sure to reset `hadException` to `false` before making another call.
2378
2379 2019-09-03  Yusuke Suzuki  <ysuzuki@apple.com>
2380
2381         [JSC] Remove BytecodeGenerator::emitPopScope
2382         https://bugs.webkit.org/show_bug.cgi?id=201395
2383
2384         Reviewed by Saam Barati.
2385
2386         Use emitGetParentScope. And this patch also removes several unnecessary mov bytecode emissions.
2387
2388         * bytecompiler/BytecodeGenerator.cpp:
2389         (JSC::BytecodeGenerator::popLexicalScopeInternal):
2390         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
2391         (JSC::BytecodeGenerator::emitPopWithScope):
2392         (JSC::BytecodeGenerator::emitPopScope): Deleted.
2393         * bytecompiler/BytecodeGenerator.h:
2394
2395 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
2396
2397         [JSC] Merge op_check_traps into op_enter and op_loop_hint
2398         https://bugs.webkit.org/show_bug.cgi?id=201373
2399
2400         Reviewed by Mark Lam.
2401
2402         This patch removes op_check_traps. Previously we were conditionally emitting op_check_traps based on Options and Platform configurations.
2403         But now we are always emitting op_check_traps. So it is not necessary to have separate bytecode as op_check_traps. We can do checking in
2404         op_enter and op_loop_hint.
2405
2406         While this patch moves check_traps implementation to op_enter and op_loop_hint, we keep separate DFG nodes (CheckTraps or InvalidationPoint),
2407         since inserted nodes are different based on configurations and options. And emitting multiple DFG nodes from one bytecode is easy.
2408
2409         We also inline op_enter's slow path's write-barrier emission in LLInt.
2410
2411         * bytecode/BytecodeList.rb:
2412         * bytecode/BytecodeUseDef.h:
2413         (JSC::computeUsesForBytecodeOffset):
2414         (JSC::computeDefsForBytecodeOffset):
2415         * bytecompiler/BytecodeGenerator.cpp:
2416         (JSC::BytecodeGenerator::BytecodeGenerator):
2417         (JSC::BytecodeGenerator::emitLoopHint):
2418         (JSC::BytecodeGenerator::emitCheckTraps): Deleted.
2419         * bytecompiler/BytecodeGenerator.h:
2420         * dfg/DFGByteCodeParser.cpp:
2421         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2422         (JSC::DFG::ByteCodeParser::parseBlock):
2423         * dfg/DFGCapabilities.cpp:
2424         (JSC::DFG::capabilityLevel):
2425         * jit/JIT.cpp:
2426         (JSC::JIT::privateCompileMainPass):
2427         (JSC::JIT::privateCompileSlowCases):
2428         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
2429         * jit/JIT.h:
2430         * jit/JITOpcodes.cpp:
2431         (JSC::JIT::emit_op_loop_hint):
2432         (JSC::JIT::emitSlow_op_loop_hint):
2433         (JSC::JIT::emit_op_enter):
2434         (JSC::JIT::emitSlow_op_enter):
2435         (JSC::JIT::emit_op_check_traps): Deleted.
2436         (JSC::JIT::emitSlow_op_check_traps): Deleted.
2437         * jit/JITOpcodes32_64.cpp:
2438         (JSC::JIT::emit_op_enter): Deleted.
2439         * llint/LowLevelInterpreter.asm:
2440         * llint/LowLevelInterpreter32_64.asm:
2441         * llint/LowLevelInterpreter64.asm:
2442         * runtime/CommonSlowPaths.cpp:
2443         * runtime/CommonSlowPaths.h:
2444
2445 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
2446
2447         [JSC] Fix testb3 debug failures
2448         https://bugs.webkit.org/show_bug.cgi?id=201382
2449
2450         Reviewed by Mark Lam.
2451
2452         Fix testb3 debug failures due to incorrect types of operations like pointer + int32.
2453
2454         * b3/testb3_8.cpp:
2455         (testByteCopyLoop):
2456         (testByteCopyLoopStartIsLoopDependent):
2457         (testByteCopyLoopBoundIsLoopDependent):
2458
2459 2019-09-01  Mark Lam  <mark.lam@apple.com>
2460
2461         Speculative build fix for ARMv7 and MIPS.
2462         https://bugs.webkit.org/show_bug.cgi?id=201389
2463
2464         Not reviewed.
2465
2466         * bytecode/CodeBlock.cpp:
2467         (JSC::CodeBlock::jettison):
2468
2469 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2470
2471         [JSC] LLInt op should not emit the same code three times
2472         https://bugs.webkit.org/show_bug.cgi?id=201370
2473
2474         Reviewed by Mark Lam.
2475
2476         LLInt op macro (not llintOp macro) is used to generate some stub code like llint_program_prologue.
2477         But now it generates the same code three times for narrow, wide16, and wide32. We should emit code only once.
2478
2479         * llint/LowLevelInterpreter.asm:
2480
2481 2019-08-30  Mark Lam  <mark.lam@apple.com>
2482
2483         Remove some obsolete statements that have no effect.
2484         https://bugs.webkit.org/show_bug.cgi?id=201357
2485
2486         Reviewed by Saam Barati.
2487
2488         This patch removes 3 statements that look like this:
2489
2490             result->butterfly(); // Ensure that the butterfly is in to-space.
2491
2492         The statement just reads a field and does nothing with it.  This is a no-op
2493         logic-wise, and the comment that accompanies it is obsolete.
2494
2495         * dfg/DFGOperations.cpp:
2496
2497 2019-08-30  Mark Lam  <mark.lam@apple.com>
2498
2499         Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
2500         https://bugs.webkit.org/show_bug.cgi?id=201345
2501
2502         Reviewed by Yusuke Suzuki.
2503
2504         This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
2505         the wrong pointer for capture the cell headerWord and zapReason.  As a result,
2506         we get junk for those 2 values.
2507
2508         Previously, we were only capturing the upper 32-bits of the cell header slot,
2509         and the lower 32-bit of the next slot in the zapped cell.  We now capture the
2510         full 64-bits of both slots.  If the second slot did not contain a zapReason as we
2511         expect, the upper 32-bits might give us a clue as to what type of value the slot
2512         contains.
2513
2514         This patch also adds capturing of the found MarkedBlock address for the zapped
2515         cell, as well as some state bit values.
2516
2517         * heap/SlotVisitor.cpp:
2518         (JSC::SlotVisitor::reportZappedCellAndCrash):
2519
2520 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2521
2522         [JSC] Generate new.target register only when it is used
2523         https://bugs.webkit.org/show_bug.cgi?id=201335
2524
2525         Reviewed by Mark Lam.
2526
2527         Since bytecode generator knows whether new.target register can be used, we should emit and use new.target register
2528         only when it is actually required.
2529
2530         * bytecompiler/BytecodeGenerator.cpp:
2531         (JSC::BytecodeGenerator::BytecodeGenerator):
2532         * bytecompiler/BytecodeGenerator.h:
2533         (JSC::BytecodeGenerator::newTarget):
2534         * parser/Nodes.h:
2535         (JSC::ScopeNode::needsNewTargetRegisterForThisScope const):
2536
2537 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2538
2539         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
2540         https://bugs.webkit.org/show_bug.cgi?id=201331
2541
2542         Reviewed by Mark Lam.
2543
2544         SimpleJumpTable's non-JIT part is not changed after CodeBlock is finalized well. On the other hand, JIT related part is allocated on-demand.
2545         For example, ctiOffsets can be grown by Baseline JIT compiler. There is race condition as follows.
2546
2547             1. DFG ByteCodeParser is inlining and copying SimpleJumpTable
2548             2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable
2549
2550         Then, (1) reads the broken Vector, and crashes. Since JIT-related part is unnecessary in (1), we should not clone that.
2551         This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which only copies non JIT-related part of the given SimpleJumpTable offered
2552         by profiled CodeBlock.
2553
2554         * bytecode/CodeBlock.h:
2555         (JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock):
2556         * bytecode/JumpTable.h:
2557         (JSC::SimpleJumpTable::cloneNonJITPart const):
2558         (JSC::SimpleJumpTable::clear):
2559         * dfg/DFGByteCodeParser.cpp:
2560         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2561
2562 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2563
2564         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
2565         https://bugs.webkit.org/show_bug.cgi?id=201332
2566
2567         Reviewed by Mark Lam.
2568
2569         When inlining setter calls in DFG, result VirtualRegister becomes invalid one. While other call-related DFG code correctly assumes
2570         that `result` may be invalid, only CheckBadCell slow path missed this case. Since this is OSR exit path and VirtualRegister result
2571         does not exist, set BottomValue only when "result" is valid as the other DFG code is doing.
2572
2573         * dfg/DFGByteCodeParser.cpp:
2574         (JSC::DFG::ByteCodeParser::handleInlining):
2575
2576 2019-08-29  Devin Rousso  <drousso@apple.com>
2577
2578         Web Inspector: Debugger: async event listener stack traces should be available in Workers
2579         https://bugs.webkit.org/show_bug.cgi?id=200903
2580
2581         Reviewed by Joseph Pecoraro.
2582
2583         * inspector/agents/InspectorDebuggerAgent.h:
2584         (Inspector::InspectorDebuggerAgent::enabled): Added.
2585         * inspector/agents/InspectorDebuggerAgent.cpp:
2586         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
2587         (Inspector::InspectorDebuggerAgent::enable):
2588         (Inspector::InspectorDebuggerAgent::disable):
2589         Allow subclasses to extend what it means for the `InspectorDebuggerAgent` to be `enabled`.
2590
2591 2019-08-29  Keith Rollin  <krollin@apple.com>
2592
2593         Update .xcconfig symbols to reflect the current set of past and future product versions.
2594         https://bugs.webkit.org/show_bug.cgi?id=200720
2595         <rdar://problem/54305032>
2596
2597         Reviewed by Alex Christensen.
2598
2599         Remove version symbols related to old OS's we no longer support,
2600         ensure that version symbols are defined for OS's we do support.
2601
2602         * Configurations/Base.xcconfig:
2603         * Configurations/DebugRelease.xcconfig:
2604         * Configurations/Version.xcconfig:
2605
2606 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
2607
2608         [JSC] Repatch should construct CallCases and CasesValue at the same time
2609         https://bugs.webkit.org/show_bug.cgi?id=201325
2610
2611         Reviewed by Saam Barati.
2612
2613         In linkPolymorphicCall, we should create callCases and casesValue at the same time to assert `callCases.size() == casesValue.size()`.
2614         If the call variant is isClosureCall and InternalFunction, we skip adding it to casesValue. So we should not add this variant to callCases too.
2615
2616         * jit/Repatch.cpp:
2617         (JSC::linkPolymorphicCall):
2618
2619 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
2620
2621         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
2622         https://bugs.webkit.org/show_bug.cgi?id=198650
2623
2624         Reviewed by Saam Barati.
2625
2626         Object Allocation Sinking phase has a lightweight abstract interpreter which interprets DFG nodes related to allocations and properties.
2627         This interpreter is lightweight since it does not track abstract values and conditions as deeply as AI does. It can happen that this
2628         interpreter interpret the control-flow edge that AI proved that is never taken.
2629         AI already knows some control-flow edges are never taken, and based on this information, AI can remove CheckStructure nodes. But
2630         ObjectAllocationSinking phase can trace this never-taken edges and propagate structure information that contradicts to the analysis
2631         done in ObjectAllocationSinking.
2632
2633         Let's see the example.
2634
2635             BB#0
2636                 35: NewObject([%AM:Object])
2637                 ...
2638                 47: Branch(ConstantTrue, T:#1, F:#2)
2639
2640             BB#1 // This basic block is never taken due to @47's jump.
2641                 ...
2642                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
2643                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
2644                 ...
2645                 XX: Jump(#2)
2646
2647             BB#2
2648                 ...
2649                 92: CheckStructure(@35, [%Dx:Object])
2650                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
2651                 ...
2652
2653         AI removes @92 because AI knows BB#0 only takes BB#1 branch. @35's Structure is always %Dx so @92 is redundant.
2654         AI proved that @71 and @72 are always executed while BB#0 -> BB#2 edge is never taken so that @35 object's structure is proven at @92.
2655         After AI removes @92, ObjectAllocationSinking starts looking into this graph.
2656
2657             BB#0
2658                 35: NewObject([%AM:Object])
2659                 ...
2660                 47: Branch(ConstantTrue, T:#1, F:#2)
2661
2662             BB#1 // This basic block is never taken due to @47's jump.
2663                 ...
2664                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
2665                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
2666                 ...
2667                 XX: Jump(#2)
2668
2669             BB#2
2670                 ...
2671                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
2672                 ...
2673                 YY: Jump(#3)
2674
2675             BB#3
2676                 ...
2677                 ZZ: <HERE> want to materialize @35's sunk object.
2678
2679         Since AI does not change the @47 Branch to Jump (it is OK anyway), BB#0 -> BB#2 edge remains and ObjectAllocationSinking phase propagates information in
2680         BB#0's %AM structure information to BB#2. ObjectAllocationSinking phase converts @35 to PhantomNewObject, removes PutByOffset and PutStructure, and
2681         insert MaterializeNewObject in @ZZ. At this point, ObjectAllocationSinking lightweight interpreter gets two structures while AI gets one: @35's original
2682         one (%AM) and @72's replaced one (%Dx). Since AI already proved @ZZ only gets %Dx, AI removed @92 CheckStructure. But this is not known to ObjectAllocationSinking
2683         phase's interpretation. So when creating recovery data, MultiPutByOffset includes two structures, %AM and %Dx. This is OK since MultiPutByOffset takes
2684         conservative set of structures and performs switching. But the problem here is that %AM's id2{a} offset is -1 since %AM does not have such a property.
2685         So when creating MultiPutByOffset in ObjectAllocationSinking, we accidentally create MultiPutByOffset with -1 offset data, and lowering phase hits the debug
2686         assertion.
2687
2688             187: MultiPutByOffset(@138, @138, id2{a}, <Replace: [%AM:Object], offset = -1, >, <Replace: [%Dx:Object], offset = 0, >)
2689
2690         This bug is harmless since %AM structure comparison never meets at runtime. But we are not considering the case including `-1` offset property in MultiPutByOffset data.
2691         In this patch, we just filter out apparently wrong structures when creating MultiPutByOffset in ObjectAllocationSinking. This is OK since it never comes at runtime.
2692
2693         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2694
2695 2019-08-29  Devin Rousso  <drousso@apple.com>
2696
2697         Web Inspector: DOMDebugger: support event breakpoints in Worker contexts
2698         https://bugs.webkit.org/show_bug.cgi?id=200651
2699
2700         Reviewed by Joseph Pecoraro.
2701
2702         * inspector/protocol/DOMDebugger.json:
2703         Make the domain available in "worker" contexts as well.
2704
2705 2019-08-29  Keith Rollin  <krollin@apple.com>
2706
2707         Remove 32-bit macOS support
2708         https://bugs.webkit.org/show_bug.cgi?id=201282
2709         <rdar://problem/54821667>
2710
2711         Reviewed by Anders Carlsson.
2712
2713         WebKit doesn’t support 32-bit Mac any more, so remove checks and code
2714         for that platform.
2715
2716         * API/JSBase.h:
2717         * runtime/VM.h:
2718
2719 2019-08-29  Keith Rollin  <krollin@apple.com>
2720
2721         Remove support for macOS < 10.13 (part 3)
2722         https://bugs.webkit.org/show_bug.cgi?id=201224
2723         <rdar://problem/54795934>
2724
2725         Reviewed by Darin Adler.
2726
2727         Remove symbols in WebKitTargetConditionals.xcconfig related to macOS
2728         10.13, including WK_MACOS_1013 and WK_MACOS_BEFORE_1013, and suffixes
2729         like _MACOS_SINCE_1013.
2730
2731         * Configurations/WebKitTargetConditionals.xcconfig:
2732
2733 2019-08-29  Mark Lam  <mark.lam@apple.com>
2734
2735         Remove a bad assertion in ByteCodeParser::inlineCall().
2736         https://bugs.webkit.org/show_bug.cgi?id=201292
2737         <rdar://problem/54121659>
2738
2739         Reviewed by Michael Saboff.
2740
2741         In the DFG bytecode parser, we've already computed the inlining cost of a candidate
2742         inlining target, and determine that it is worth inlining before invoking
2743         ByteCodeParser::inlineCall().  However, in ByteCodeParser::inlineCall(), it
2744         recomputes the inlining cost again only for the purpose of asserting that it isn't
2745         too high.
2746
2747         Not consider a badly written test that does the following:
2748
2749             function bar() {
2750                 ...
2751                 foo(); // Call in a hot loop here.
2752                 ...
2753             }
2754
2755             bar(); // <===== foo is inlineable into bar here.
2756             noInline(foo); // <===== Change mind, and make foo not inlineable.
2757             bar();
2758
2759         With this bad test, the following racy scenario can occur:
2760
2761         1. the first invocation of bar() gets hot, and a concurrent compile is kicked off.
2762         2. the compiler thread computes foo()'s inliningCost() and determines that it is
2763            worthy to be inlined, and will imminently call inlineCall().
2764         3. the mutator calls the noInline() test utility on foo(), thereby making it NOT
2765            inlineable.
2766         4. the compiler thread calls inlineCall().  In inlineCall(), it re-computes the
2767            inliningCost for foo() and now finds that it is not inlineable.  An assertion
2768            failure follows.
2769
2770         Technically, the test is in error because noInline() shouldn't be used that way.
2771         However, fuzzers that are not clued into noInline()'s proper usage may generate
2772         code like this.
2773
2774         On the other hand, ByteCodeParser::inlineCall() should not be recomputing that the
2775         inlining cost and asserting on it.  The only reason inlineCall() is invoked is
2776         because it was already previously determined that a target function is inlineable
2777         based on its inlining cost.  Today, in practice, I don't think we have any real
2778         world condition where the mutator can affect the inlining cost of a target
2779         function midway through execution.  So, this assertion isn't a problem if no one
2780         writes a test that abuses noInline().  However, should things change such that the
2781         mutator is able to affect the inlining cost of a target function, then it is
2782         incorrect for the compiler to assume that the inlining cost is immutable.  Once
2783         the compiler decides to inline a function, it should just follow through.
2784
2785         This patch removes this assertion in ByteCodeParser::inlineCall().  It is an
2786         annoyance at best (for fuzzers), and at worst, incorrect if the mutator gains the
2787         ability to affect the inlining cost of a target function.
2788
2789         * dfg/DFGByteCodeParser.cpp:
2790         (JSC::DFG::ByteCodeParser::inlineCall):
2791
2792 2019-08-28  Mark Lam  <mark.lam@apple.com>
2793
2794         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
2795         https://bugs.webkit.org/show_bug.cgi?id=201281
2796         <rdar://problem/54028228>
2797
2798         Reviewed by Yusuke Suzuki and Saam Barati.
2799
2800         This (see title above) is already the preferred idiom used in most places in our
2801         compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
2802         compileStringCharAt().  Consider the following:
2803
2804             bool prototypeChainIsSane = false;
2805             if (globalObject->stringPrototypeChainIsSane()) {
2806                 ...
2807                 m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm()));
2808                 m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm()));
2809
2810                 prototypeChainIsSane = globalObject->stringPrototypeChainIsSane();
2811             }
2812
2813         What's essential for correctness here is that the stringPrototype and objectPrototype
2814         structures be loaded before the loads in the second stringPrototypeChainIsSane()
2815         check.  Without a loadLoadFence before the second stringPrototypeChainIsSane()
2816         check, we can't guarantee that.  Elsewhere in the compiler, the preferred idiom
2817         for doing this right is to pre-load the structures first, do a loadLoadFence, and
2818         then do the IsSane check just once after e.g.
2819
2820             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm);
2821             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm);
2822
2823             if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2824                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2825                 && globalObject->arrayPrototypeChainIsSane()) {
2826
2827                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
2828                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
2829                 ...
2830             }
2831
2832         This patch changes DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
2833         compileStringCharAt() to follow the same idiom.
2834
2835         We also fix a bad assertion in Structure::storedPrototype() and
2836         Structure::storedPrototypeObject().  The assertion is only correct when those
2837         methods are called from the mutator thread.  The assertion has been updated to
2838         only check its test condition if the current thread is the mutator thread.
2839
2840         * dfg/DFGSpeculativeJIT.cpp:
2841         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2842         * ftl/FTLLowerDFGToB3.cpp:
2843         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2844         * runtime/StructureInlines.h:
2845         (JSC::Structure::storedPrototype const):
2846         (JSC::Structure::storedPrototypeObject const):
2847
2848 2019-08-28  Mark Lam  <mark.lam@apple.com>
2849
2850         Placate exception check validation in DFG's operationHasGenericProperty().
2851         https://bugs.webkit.org/show_bug.cgi?id=201245
2852         <rdar://problem/54777512>
2853
2854         Reviewed by Robin Morisset.
2855
2856         * dfg/DFGOperations.cpp:
2857
2858 2019-08-28  Ross Kirsling  <ross.kirsling@sony.com>
2859
2860         Unreviewed. Restabilize non-unified build.
2861
2862         * runtime/PropertySlot.h:
2863
2864 2019-08-28  Mark Lam  <mark.lam@apple.com>
2865
2866         Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks.
2867         https://bugs.webkit.org/show_bug.cgi?id=201006
2868         <rdar://problem/52053991>
2869
2870         Reviewed by Yusuke Suzuki.
2871
2872         We already ensured that it is not possible to overflow in Wasm::FunctionParser's
2873         parse().  It is unnecessary and misleading to do those overflow checks in
2874         AirIRGenerator and B3IRGenerator.  The only check that is necessary is that
2875         m_locals.tryReserveCapacity() is successful, otherwise, we have an out of memory
2876         situation.
2877
2878         This patch changes these unnecessary checks to assertions instead.
2879
2880         * wasm/WasmAirIRGenerator.cpp:
2881         (JSC::Wasm::AirIRGenerator::addLocal):
2882         * wasm/WasmB3IRGenerator.cpp:
2883         (JSC::Wasm::B3IRGenerator::addLocal):
2884         * wasm/WasmValidate.cpp:
2885         (JSC::Wasm::Validate::addLocal):
2886
2887 2019-08-28  Keith Rollin  <krollin@apple.com>
2888
2889         Remove support for macOS < 10.13 (part 2)
2890         https://bugs.webkit.org/show_bug.cgi?id=201197
2891         <rdar://problem/54759985>
2892
2893         Update conditionals that reference WK_MACOS_1013 and suffixes like
2894         _MACOS_SINCE_1013, assuming that we're always building on 10.13 or
2895         later and that these conditionals are always True or False.
2896
2897         See Bug 200694 for earlier changes in this area.
2898
2899         Reviewed by Darin Adler.
2900
2901         * Configurations/FeatureDefines.xcconfig:
2902
2903 2019-08-28  Mark Lam  <mark.lam@apple.com>
2904
2905         Gardening: Rebase test results after r249175.
2906         https://bugs.webkit.org/show_bug.cgi?id=201172
2907
2908         Not reviewed.
2909
2910         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2911         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2912         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2913         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2914         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2915         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2916         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2917
2918 2019-08-27  Michael Saboff  <msaboff@apple.com>
2919
2920         Update PACCage changes for builds without Gigacage, but with signed pointers
2921         https://bugs.webkit.org/show_bug.cgi?id=201202
2922
2923         Reviewed by Saam Barati.
2924
2925         Factored out the untagging of pointers and added that to both the Gigacage enabled
2926         and disabled code paths.  Did this for the LLInt as well as the JITs.
2927
2928         * JavaScriptCore.xcodeproj/project.pbxproj: Added arm64e.rb to offlineasm file list.
2929         * dfg/DFGSpeculativeJIT.cpp:
2930         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
2931         * ftl/FTLLowerDFGToB3.cpp:
2932         (JSC::FTL::DFG::LowerDFGToB3::caged):
2933         * llint/LowLevelInterpreter64.asm:
2934
2935 2019-08-27  Mark Lam  <mark.lam@apple.com>
2936
2937         Refactor to use VM& instead of VM* at as many places as possible.
2938         https://bugs.webkit.org/show_bug.cgi?id=201172
2939
2940         Reviewed by Yusuke Suzuki.
2941
2942         Using VM& documents more clearly that the VM pointer is expected to never be null
2943         in most cases.  There are a few places where it can be null (e.g JSLock, and
2944         DFG::Plan).  Those will be left using a VM*.
2945
2946         Also converted some uses of ExecState* to using VM& instead since the ExecState*
2947         is only there to fetch the VM pointer.  Doing this also reduces the number of
2948         times we have to compute VM* from ExecState*.
2949
2950         This patch is not exhaustive in converting to use VM&, but applies the change to
2951         many commonly used pieces of code for a start.
2952
2953         Also fixed a missing exception check in JSString::toIdentifier() and
2954         JSValue::toPropertyKey() exposed by this patch.
2955
2956         * API/APICast.h:
2957         (toJS):
2958         * API/JSAPIGlobalObject.mm:
2959         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
2960         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
2961         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
2962         (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
2963         (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule):
2964         * API/JSCallbackConstructor.cpp:
2965         (JSC::JSCallbackConstructor::finishCreation):
2966         * API/JSCallbackObjectFunctions.h:
2967         (JSC::JSCallbackObject<Parent>::asCallbackObject):
2968         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
2969         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
2970         (JSC::JSCallbackObject<Parent>::putByIndex):
2971         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
2972         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2973         * API/JSContext.mm:
2974         (-[JSContext dependencyIdentifiersForModuleJSScript:]):
2975         * API/JSObjectRef.cpp:
2976         (JSObjectMakeFunction):
2977         (classInfoPrivate):
2978         (JSObjectGetPrivate):
2979         (JSObjectSetPrivate):
2980         (JSObjectCopyPropertyNames):
2981         (JSPropertyNameAccumulatorAddName):
2982         (JSObjectGetProxyTarget):
2983         * API/JSScriptRef.cpp:
2984         (parseScript):
2985         * API/JSValueRef.cpp:
2986         (JSValueMakeString):
2987         * API/OpaqueJSString.cpp:
2988         (OpaqueJSString::identifier const):
2989         * API/glib/JSCContext.cpp:
2990         (jsc_context_check_syntax):
2991         * KeywordLookupGenerator.py:
2992         (Trie.printSubTreeAsC):
2993         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py:
2994         (BuiltinsWrapperHeaderGenerator.generate_constructor):
2995         * Scripts/wkbuiltins/builtins_templates.py:
2996         * bindings/ScriptFunctionCall.cpp:
2997         (Deprecated::ScriptCallArgumentHandler::appendArgument):
2998         (Deprecated::ScriptFunctionCall::call):
2999         * bindings/ScriptValue.cpp:
3000         (Inspector::jsToInspectorValue):
3001         * builtins/BuiltinExecutables.cpp:
3002         (JSC::BuiltinExecutables::createExecutable):
3003         * builtins/BuiltinNames.cpp:
3004         (JSC::BuiltinNames::BuiltinNames):
3005         * builtins/BuiltinNames.h:
3006         (JSC::BuiltinNames::getPublicName const):
3007         * bytecode/BytecodeDumper.cpp:
3008         (JSC::BytecodeDumper<Block>::vm const):
3009         * bytecode/BytecodeDumper.h:
3010         * bytecode/BytecodeGeneratorification.cpp:
3011         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3012         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
3013         (JSC::BytecodeGeneratorification::run):
3014         * bytecode/BytecodeIntrinsicRegistry.cpp:
3015         (JSC::BytecodeIntrinsicRegistry::sentinelMapBucketValue):
3016         (JSC::BytecodeIntrinsicRegistry::sentinelSetBucketValue):
3017         * bytecode/CallVariant.h:
3018         (JSC::CallVariant::internalFunction const):
3019         (JSC::CallVariant::function const):
3020         (JSC::CallVariant::isClosureCall const):
3021         (JSC::CallVariant::executable const):
3022         (JSC::CallVariant::functionExecutable const):
3023         (JSC::CallVariant::nativeExecutable const):
3024         * bytecode/CodeBlock.cpp:
3025         (JSC::CodeBlock::dumpSource):
3026         (JSC::CodeBlock::CodeBlock):
3027         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
3028         (JSC::CodeBlock::setNumParameters):
3029         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
3030         (JSC::CodeBlock::unlinkIncomingCalls):
3031         (JSC::CodeBlock::replacement):
3032         (JSC::CodeBlock::computeCapabilityLevel):
3033         (JSC::CodeBlock::noticeIncomingCall):
3034         (JSC::CodeBlock::nameForRegister):
3035         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3036         * bytecode/CodeBlock.h:
3037         (JSC::CodeBlock::vm const):
3038         (JSC::CodeBlock::numberOfArgumentValueProfiles):
3039         (JSC::CodeBlock::valueProfileForArgument):
3040         * bytecode/DeferredSourceDump.cpp:
3041         (JSC::DeferredSourceDump::DeferredSourceDump):
3042         * bytecode/EvalCodeBlock.h:
3043         * bytecode/FunctionCodeBlock.h:
3044         * bytecode/GetByIdStatus.cpp:
3045         (JSC::GetByIdStatus::computeFromLLInt):
3046         * bytecode/GlobalCodeBlock.h:
3047         (JSC::GlobalCodeBlock::GlobalCodeBlock):
3048         * bytecode/ModuleProgramCodeBlock.h:
3049         * bytecode/ObjectAllocationProfileInlines.h:
3050         (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount):
3051         * bytecode/PolyProtoAccessChain.cpp:
3052         (JSC::PolyProtoAccessChain::create):
3053         * bytecode/ProgramCodeBlock.h:
3054         * bytecode/PropertyCondition.cpp:
3055         (JSC::PropertyCondition::isWatchableWhenValid const):
3056         * bytecode/PutByIdStatus.cpp:
3057         (JSC::PutByIdStatus::computeFromLLInt):
3058         * bytecode/StructureStubInfo.cpp:
3059         (JSC::StructureStubInfo::initGetByIdSelf):
3060         (JSC::StructureStubInfo::initPutByIdReplace):
3061         (JSC::StructureStubInfo::initInByIdSelf):
3062         (JSC::StructureStubInfo::addAccessCase):
3063         (JSC::StructureStubInfo::visitWeakReferences):
3064         * bytecode/UnlinkedCodeBlock.cpp:
3065         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3066         * bytecode/UnlinkedCodeBlock.h:
3067         (JSC::UnlinkedCodeBlock::addSetConstant):
3068         (JSC::UnlinkedCodeBlock::addConstant):
3069         (JSC::UnlinkedCodeBlock::addFunctionDecl):
3070         (JSC::UnlinkedCodeBlock::addFunctionExpr):
3071         * bytecode/UnlinkedEvalCodeBlock.h:
3072         * bytecode/UnlinkedFunctionCodeBlock.h:
3073         * bytecode/UnlinkedFunctionExecutable.cpp:
3074         (JSC::generateUnlinkedFunctionCodeBlock):
3075         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3076         * bytecode/UnlinkedFunctionExecutable.h:
3077         * bytecode/UnlinkedGlobalCodeBlock.h:
3078         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
3079         * bytecode/UnlinkedModuleProgramCodeBlock.h:
3080         * bytecode/UnlinkedProgramCodeBlock.h:
3081         * bytecompiler/BytecodeGenerator.cpp:
3082         (JSC::BytecodeGenerator::BytecodeGenerator):
3083         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
3084         (JSC::BytecodeGenerator::emitDirectPutById):
3085         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
3086         (JSC::BytecodeGenerator::addBigIntConstant):
3087         (JSC::BytecodeGenerator::addTemplateObjectConstant):
3088         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
3089         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
3090         * bytecompiler/BytecodeGenerator.h:
3091         (JSC::BytecodeGenerator::vm const):
3092         (JSC::BytecodeGenerator::propertyNames const):
3093         (JSC::BytecodeGenerator::emitNodeInTailPosition):
3094         (JSC::BytecodeGenerator::emitDefineClassElements):
3095         (JSC::BytecodeGenerator::emitNodeInConditionContext):
3096         * bytecompiler/NodesCodegen.cpp:
3097         (JSC::RegExpNode::emitBytecode):
3098         (JSC::ArrayNode::emitBytecode):
3099         (JSC::FunctionCallResolveNode::emitBytecode):
3100         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
3101         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
3102         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
3103         (JSC::InstanceOfNode::emitBytecode):
3104         * debugger/Debugger.cpp:
3105         * debugger/DebuggerParseData.cpp:
3106         (JSC::gatherDebuggerParseData):
3107         * debugger/DebuggerScope.cpp:
3108         (JSC::DebuggerScope::next):
3109         (JSC::DebuggerScope::name const):
3110         (JSC::DebuggerScope::location const):
3111         * dfg/DFGDesiredIdentifiers.cpp:
3112         (JSC::DFG::DesiredIdentifiers::reallyAdd):
3113         * dfg/DFGDesiredWatchpoints.cpp:
3114         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
3115         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
3116         * dfg/DFGFrozenValue.h:
3117         (JSC::DFG::FrozenValue::FrozenValue):
3118         * dfg/DFGGraph.cpp:
3119         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
3120         * dfg/DFGJITCompiler.cpp:
3121         (JSC::DFG::JITCompiler::linkOSRExits):
3122         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3123         (JSC::DFG::JITCompiler::link):
3124         (JSC::DFG::emitStackOverflowCheck):
3125         (JSC::DFG::JITCompiler::compileFunction):
3126         (JSC::DFG::JITCompiler::exceptionCheck):
3127         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
3128         * dfg/DFGJITCompiler.h:
3129         (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
3130         (JSC::DFG::JITCompiler::fastExceptionCheck):
3131         (JSC::DFG::JITCompiler::vm):
3132         * dfg/DFGLazyJSValue.cpp:
3133         (JSC::DFG::LazyJSValue::getValue const):
3134         (JSC::DFG::LazyJSValue::emit const):
3135         * dfg/DFGOSREntry.cpp:
3136         (JSC::DFG::prepareOSREntry):
3137         * dfg/DFGOSRExit.cpp:
3138         (JSC::DFG::OSRExit::compileOSRExit):
3139         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
3140         * dfg/DFGOSRExitCompilerCommon.h:
3141         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
3142         * dfg/DFGOperations.cpp:
3143         (JSC::DFG::newTypedArrayWithSize):
3144         (JSC::DFG::binaryOp):
3145         (JSC::DFG::bitwiseBinaryOp):
3146         * dfg/DFGPlan.cpp:
3147         (JSC::DFG::Plan::Plan):
3148         * dfg/DFGSpeculativeJIT.cpp:
3149         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3150         (JSC::DFG::SpeculativeJIT::compileStringSlice):
3151         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3152         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
3153         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3154         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
3155         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
3156         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
3157         (JSC::DFG::SpeculativeJIT::emitStringBranch):
3158         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
3159         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
3160         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
3161         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3162         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
3163         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3164         (JSC::DFG::SpeculativeJIT::compileSpread):
3165         (JSC::DFG::SpeculativeJIT::compileNewArray):
3166         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3167         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3168         (JSC::DFG::SpeculativeJIT::compileArrayPush):
3169         (JSC::DFG::SpeculativeJIT::compileTypeOf):
3170         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3171         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3172         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
3173         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3174         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
3175         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3176         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
3177         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
3178         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
3179         (JSC::DFG::SpeculativeJIT::compileStringReplace):
3180         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
3181         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
3182         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
3183         (JSC::DFG::SpeculativeJIT::compileObjectKeys):
3184         (JSC::DFG::SpeculativeJIT::compileCreateThis):
3185         (JSC::DFG::SpeculativeJIT::compileNewObject):
3186         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
3187         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
3188         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
3189         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3190         (JSC::DFG::SpeculativeJIT::compileProfileType):
3191         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3192         * dfg/DFGSpeculativeJIT.h:
3193         (JSC::DFG::SpeculativeJIT::vm):
3194         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
3195         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
3196         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3197         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
3198         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
3199         * dfg/DFGSpeculativeJIT32_64.cpp:
3200         (JSC::DFG::SpeculativeJIT::emitCall):
3201         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3202         (JSC::DFG::SpeculativeJIT::emitBranch):
3203         (JSC::DFG::SpeculativeJIT::compile):
3204         * dfg/DFGSpeculativeJIT64.cpp:
3205         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
3206         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
3207         (JSC::DFG::SpeculativeJIT::emitCall):
3208         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3209         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3210         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3211         (JSC::DFG::SpeculativeJIT::emitBranch):
3212         (JSC::DFG::SpeculativeJIT::compile):
3213         * dfg/DFGThunks.cpp:
3214         (JSC::DFG::osrExitThunkGenerator):
3215         (JSC::DFG::osrExitGenerationThunkGenerator):
3216         (JSC::DFG::osrEntryThunkGenerator):
3217         * dfg/DFGThunks.h:
3218         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
3219         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
3220         * dfg/DFGWorklist.cpp:
3221         (JSC::DFG::Worklist::visitWeakReferences):
3222         * dynbench.cpp:
3223         (main):
3224         * ftl/FTLLowerDFGToB3.cpp:
3225         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3226         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
3227         (JSC::FTL::DFG::LowerDFGToB3::boolify):
3228         * ftl/FTLThunks.cpp:
3229         (JSC::FTL::genericGenerationThunkGenerator):
3230         (JSC::FTL::osrExitGenerationThunkGenerator):
3231         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3232         * ftl/FTLThunks.h:
3233         * heap/CellContainer.h:
3234         * heap/CellContainerInlines.h:
3235         (JSC::CellContainer::vm const):
3236         (JSC::CellContainer::heap const):
3237         * heap/CompleteSubspace.cpp:
3238         (JSC::CompleteSubspace::tryAllocateSlow):
3239         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
3240         * heap/GCActivityCallback.h:
3241         * heap/GCAssertions.h:
3242         * heap/HandleSet.cpp:
3243         (JSC::HandleSet::HandleSet):
3244         * heap/HandleSet.h:
3245         (JSC::HandleSet::vm):
3246         * heap/Heap.cpp:
3247         (JSC::Heap::Heap):
3248         (JSC::Heap::lastChanceToFinalize):
3249         (JSC::Heap::releaseDelayedReleasedObjects):
3250         (JSC::Heap::protect):
3251         (JSC::Heap::unprotect):
3252         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
3253         (JSC::Heap::finalizeUnconditionalFinalizers):
3254         (JSC::Heap::completeAllJITPlans):
3255         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
3256         (JSC::Heap::gatherJSStackRoots):
3257         (JSC::Heap::gatherScratchBufferRoots):
3258         (JSC::Heap::removeDeadCompilerWorklistEntries):
3259         (JSC::Heap::isAnalyzingHeap const):
3260         (JSC::Heap::gatherExtraHeapData):
3261         (JSC::Heap::protectedObjectTypeCounts):
3262         (JSC::Heap::objectTypeCounts):
3263         (JSC::Heap::deleteAllCodeBlocks):
3264         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
3265         (JSC::Heap::deleteUnmarkedCompiledCode):
3266         (JSC::Heap::checkConn):
3267         (JSC::Heap::runEndPhase):
3268         (JSC::Heap::stopThePeriphery):
3269         (JSC::Heap::finalize):
3270         (JSC::Heap::requestCollection):
3271         (JSC::Heap::sweepInFinalize):
3272         (JSC::Heap::sweepArrayBuffers):
3273         (JSC::Heap::deleteSourceProviderCaches):
3274         (JSC::Heap::didFinishCollection):
3275         (JSC::Heap::addCoreConstraints):
3276         * heap/Heap.h:
3277         * heap/HeapCell.h:
3278         * heap/HeapCellInlines.h:
3279         (JSC::HeapCell::heap const):
3280         (JSC::HeapCell::vm const):
3281         * heap/HeapInlines.h:
3282         (JSC::Heap::vm const):
3283         * heap/IsoSubspacePerVM.cpp:
3284         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
3285         * heap/LargeAllocation.cpp:
3286         (JSC::LargeAllocation::sweep):
3287         (JSC::LargeAllocation::assertValidCell const):
3288         * heap/LargeAllocation.h:
3289         (JSC::LargeAllocation::vm const):
3290         * heap/LocalAllocator.cpp:
3291         (JSC::LocalAllocator::allocateSlowCase):
3292         * heap/MarkedBlock.cpp:
3293         (JSC::MarkedBlock::Handle::Handle):
3294         (JSC::MarkedBlock::aboutToMarkSlow):
3295         (JSC::MarkedBlock::assertMarksNotStale):
3296         (JSC::MarkedBlock::areMarksStale):
3297         (JSC::MarkedBlock::isMarked):
3298         (JSC::MarkedBlock::assertValidCell const):
3299         * heap/MarkedBlock.h:
3300         (JSC::MarkedBlock::Handle::vm const):
3301         (JSC::MarkedBlock::vm const):
3302         * heap/MarkedBlockInlines.h:
3303         (JSC::MarkedBlock::heap const):
3304         (JSC::MarkedBlock::Handle::specializedSweep):
3305         * heap/SlotVisitor.cpp:
3306         (JSC::validate):
3307         * heap/SlotVisitorInlines.h:
3308         (JSC::SlotVisitor::vm):
3309         (JSC::SlotVisitor::vm const):
3310         * heap/StopIfNecessaryTimer.cpp:
3311         (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer):
3312         * heap/StopIfNecessaryTimer.h:
3313         * heap/Strong.h:
3314         (JSC::Strong::operator=):
3315         * heap/WeakSet.h:
3316         (JSC::WeakSet::WeakSet):
3317         (JSC::WeakSet::vm const):
3318         * inspector/JSInjectedScriptHost.cpp:
3319         (Inspector::JSInjectedScriptHost::savedResultAlias const):
3320         (Inspector::JSInjectedScriptHost::internalConstructorName):
3321         (Inspector::JSInjectedScriptHost::subtype):
3322         (Inspector::JSInjectedScriptHost::functionDetails):
3323         (Inspector::constructInternalProperty):
3324         (Inspector::JSInjectedScriptHost::getInternalProperties):
3325         (Inspector::JSInjectedScriptHost::weakMapEntries):
3326         (Inspector::JSInjectedScriptHost::weakSetEntries):
3327         (Inspector::JSInjectedScriptHost::iteratorEntries):
3328         (Inspector::JSInjectedScriptHost::queryInstances):
3329         (Inspector::JSInjectedScriptHost::queryHolders):
3330         * inspector/JSJavaScriptCallFrame.cpp:
3331         (Inspector::valueForScopeLocation):
3332         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
3333         (Inspector::JSJavaScriptCallFrame::functionName const):
3334         (Inspector::JSJavaScriptCallFrame::type const):
3335         * inspector/ScriptCallStackFactory.cpp:
3336         (Inspector::extractSourceInformationFromException):
3337         * inspector/agents/InspectorAuditAgent.cpp:
3338         (Inspector::InspectorAuditAgent::populateAuditObject):
3339         * inspector/agents/InspectorHeapAgent.cpp:
3340         (Inspector::InspectorHeapAgent::gc):
3341         * interpreter/FrameTracers.h:
3342         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
3343         * interpreter/Interpreter.cpp:
3344         (JSC::Interpreter::executeProgram):
3345         (JSC::Interpreter::prepareForRepeatCall):
3346         (JSC::Interpreter::execute):
3347         (JSC::Interpreter::executeModuleProgram):
3348         * interpreter/StackVisitor.cpp:
3349         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
3350         (JSC::StackVisitor::Frame::computeLineAndColumn const):
3351         * jit/AssemblyHelpers.cpp:
3352         (JSC::AssemblyHelpers::emitDumbVirtualCall):
3353         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
3354         (JSC::AssemblyHelpers::branchIfValue):
3355         * jit/AssemblyHelpers.h:
3356         (JSC::AssemblyHelpers::vm):
3357         * jit/JIT.cpp:
3358         (JSC::JIT::JIT):
3359         (JSC::JIT::emitEnterOptimizationCheck):
3360         (JSC::JIT::privateCompileMainPass):
3361         (JSC::JIT::privateCompileExceptionHandlers):
3362         * jit/JIT.h:
3363         * jit/JITCall.cpp:
3364         (JSC::JIT::compileCallEvalSlowCase):
3365         * jit/JITCall32_64.cpp:
3366         (JSC::JIT::compileCallEvalSlowCase):
3367         * jit/JITExceptions.cpp:
3368         (JSC::genericUnwind):
3369         * jit/JITExceptions.h:
3370         * jit/JITInlineCacheGenerator.cpp:
3371         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3372         * jit/JITOpcodes.cpp:
3373         (JSC::JIT::emit_op_is_undefined):
3374         (JSC::JIT::emit_op_jfalse):
3375         (JSC::JIT::emit_op_jeq_null):
3376         (JSC::JIT::emit_op_jneq_null):
3377         (JSC::JIT::emit_op_jtrue):
3378         (JSC::JIT::emit_op_throw):
3379         (JSC::JIT::emit_op_catch):
3380         (JSC::JIT::emit_op_eq_null):
3381         (JSC::JIT::emit_op_neq_null):
3382         (JSC::JIT::emitSlow_op_loop_hint):
3383         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3384         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3385         * jit/JITOpcodes32_64.cpp:
3386         (JSC::JIT::emit_op_jfalse):
3387         (JSC::JIT::emit_op_jtrue):
3388         (JSC::JIT::emit_op_throw):
3389         (JSC::JIT::emit_op_catch):
3390         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3391         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3392         * jit/JITOperations.cpp:
3393         (JSC::operationNewFunctionCommon):
3394         (JSC::tryGetByValOptimize):
3395         * jit/JITPropertyAccess.cpp:
3396         (JSC::JIT::emitWriteBarrier):
3397         * jit/JITThunks.cpp:
3398         (JSC::JITThunks::ctiNativeCall):
3399         (JSC::JITThunks::ctiNativeConstruct):
3400         (JSC::JITThunks::ctiNativeTailCall):
3401         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
3402         (JSC::JITThunks::ctiInternalFunctionCall):
3403         (JSC::JITThunks::ctiInternalFunctionConstruct):
3404         (JSC::JITThunks::ctiStub):
3405         (JSC::JITThunks::hostFunctionStub):
3406         * jit/JITThunks.h:
3407         * jit/JITWorklist.cpp:
3408         (JSC::JITWorklist::Plan::vm):
3409         (JSC::JITWorklist::completeAllForVM):
3410         (JSC::JITWorklist::poll):
3411         (JSC::JITWorklist::compileLater):
3412         (JSC::JITWorklist::compileNow):
3413         * jit/Repatch.cpp:
3414         (JSC::readPutICCallTarget):
3415         (JSC::ftlThunkAwareRepatchCall):
3416         (JSC::linkSlowFor):
3417         (JSC::linkFor):
3418         (JSC::linkDirectFor):
3419         (JSC::revertCall):
3420         (JSC::unlinkFor):
3421         (JSC::linkVirtualFor):
3422         (JSC::linkPolymorphicCall):
3423         * jit/SpecializedThunkJIT.h:
3424         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
3425         * jit/ThunkGenerator.h:
3426         * jit/ThunkGenerators.cpp:
3427         (JSC::throwExceptionFromCallSlowPathGenerator):
3428         (JSC::slowPathFor):
3429         (JSC::linkCallThunkGenerator):
3430         (JSC::linkPolymorphicCallThunkGenerator):
3431         (JSC::virtualThunkFor):
3432         (JSC::nativeForGenerator):
3433         (JSC::nativeCallGenerator):
3434         (JSC::nativeTailCallGenerator):
3435         (JSC::nativeTailCallWithoutSavedTagsGenerator):
3436         (JSC::nativeConstructGenerator):
3437         (JSC::internalFunctionCallGenerator):
3438         (JSC::internalFunctionConstructGenerator):
3439         (JSC::arityFixupGenerator):
3440         (JSC::unreachableGenerator):
3441         (JSC::stringGetByValGenerator):
3442         (JSC::charToString):
3443         (JSC::charCodeAtThunkGenerator):
3444         (JSC::charAtThunkGenerator):
3445         (JSC::fromCharCodeThunkGenerator):
3446         (JSC::clz32ThunkGenerator):
3447         (JSC::sqrtThunkGenerator):
3448         (JSC::floorThunkGenerator):
3449         (JSC::ceilThunkGenerator):
3450         (JSC::truncThunkGenerator):
3451         (JSC::roundThunkGenerator):
3452         (JSC::expThunkGenerator):
3453         (JSC::logThunkGenerator):
3454         (JSC::absThunkGenerator):
3455         (JSC::imulThunkGenerator):
3456         (JSC::randomThunkGenerator):
3457         (JSC::boundThisNoArgsFunctionCallGenerator):
3458         * jit/ThunkGenerators.h:
3459         * jsc.cpp:
3460         (GlobalObject::finishCreation):
3461         (GlobalObject::addFunction):
3462         (GlobalObject::moduleLoaderImportModule):
3463         (GlobalObject::moduleLoaderResolve):
3464         (GlobalObject::moduleLoaderCreateImportMetaProperties):
3465         (functionDescribe):
3466         (functionDescribeArray):
3467         (JSCMemoryFootprint::addProperty):
3468         (functionRun):
3469         (functionRunString):
3470         (functionReadFile):
3471         (functionCallerSourceOrigin):
3472         (functionReadline):
3473         (functionDollarCreateRealm):
3474         (functionDollarEvalScript):
3475         (functionDollarAgentGetReport):
3476         (functionWaitForReport):
3477         (functionJSCOptions):
3478         (functionCheckModuleSyntax):
3479         (functionGenerateHeapSnapshotForGCDebugging):
3480         (functionWebAssemblyMemoryMode):
3481         (dumpException):
3482         (checkUncaughtException):
3483         * llint/LLIntSlowPaths.cpp:
3484         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3485         (JSC::LLInt::handleHostCall):
3486         * parser/ASTBuilder.h:
3487         (JSC::ASTBuilder::ASTBuilder):
3488         (JSC::ASTBuilder::createResolve):
3489         (JSC::ASTBuilder::createGetterOrSetterProperty):
3490         (JSC::ASTBuilder::createProperty):
3491         (JSC::ASTBuilder::createFuncDeclStatement):
3492         (JSC::ASTBuilder::makeFunctionCallNode):
3493         * parser/Lexer.cpp:
3494         (JSC::Lexer<T>::Lexer):
3495         (JSC::Lexer<LChar>::parseIdentifier):
3496         (JSC::Lexer<UChar>::parseIdentifier):
3497         * parser/Lexer.h:
3498         (JSC::Lexer<T>::lexExpectIdentifier):
3499         * parser/ModuleAnalyzer.cpp:
3500         (JSC::ModuleAnalyzer::ModuleAnalyzer):
3501         * parser/ModuleAnalyzer.h:
3502         (JSC::ModuleAnalyzer::vm):
3503         * parser/Parser.cpp:
3504         (JSC::Parser<LexerType>::Parser):
3505         (JSC::Parser<LexerType>::parseInner):
3506         (JSC::Parser<LexerType>::isArrowFunctionParameters):
3507         (JSC::Parser<LexerType>::parseSourceElements):
3508         (JSC::Parser<LexerType>::parseModuleSourceElements):
3509         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
3510         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
3511         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
3512         (JSC::Parser<LexerType>::parseSingleFunction):
3513         (JSC::Parser<LexerType>::parseStatementListItem):
3514         (JSC::Parser<LexerType>::parseObjectRestAssignmentElement):
3515         (JSC::Parser<LexerType>::parseAssignmentElement):
3516         (JSC::Parser<LexerType>::parseDestructuringPattern):
3517         (JSC::Parser<LexerType>::parseForStatement):
3518         (JSC::Parser<LexerType>::parseBreakStatement):
3519         (JSC::Parser<LexerType>::parseContinueStatement):
3520         (JSC::Parser<LexerType>::parseStatement):
3521         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
3522         (JSC::Parser<LexerType>::createGeneratorParameters):
3523         (JSC::Parser<LexerType>::parseFunctionInfo):
3524         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3525         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
3526         (JSC::Parser<LexerType>::parseClassDeclaration):
3527         (JSC::Parser<LexerType>::parseClass):
3528         (JSC::Parser<LexerType>::parseImportClauseItem):
3529         (JSC::Parser<LexerType>::parseImportDeclaration):
3530         (JSC::Parser<LexerType>::parseExportSpecifier):
3531         (JSC::Parser<LexerType>::parseExportDeclaration):
3532         (JSC::Parser<LexerType>::parseAssignmentExpression):
3533         (JSC::Parser<LexerType>::parseProperty):
3534         (JSC::Parser<LexerType>::parseGetterSetter):
3535         (JSC::Parser<LexerType>::parseObjectLiteral):
3536         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
3537         (JSC::Parser<LexerType>::parseClassExpression):
3538         (JSC::Parser<LexerType>::parseFunctionExpression):
3539         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
3540         (JSC::Parser<LexerType>::parsePrimaryExpression):
3541         (JSC::Parser<LexerType>::parseMemberExpression):
3542         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
3543         (JSC::Parser<LexerType>::parseUnaryExpression):
3544         * parser/Parser.h:
3545         (JSC::isArguments):
3546         (JSC::isEval):
3547         (JSC::isEvalOrArgumentsIdentifier):
3548         (JSC::Scope::Scope):
3549         (JSC::Scope::declareParameter):
3550         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
3551         (JSC::Scope::collectFreeVariables):
3552         (JSC::Parser::canRecurse):
3553         (JSC::parse):
3554         (JSC::parseFunctionForFunctionConstructor):
3555         * parser/ParserArena.h:
3556         (JSC::IdentifierArena::makeIdentifier):
3557         (JSC::IdentifierArena::makeEmptyIdentifier):
3558         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
3559         (JSC::IdentifierArena::makeNumericIdentifier):
3560         * parser/SyntaxChecker.h:
3561         (JSC::SyntaxChecker::SyntaxChecker):
3562         (JSC::SyntaxChecker::createProperty):
3563         (JSC::SyntaxChecker::createGetterOrSetterProperty):
3564         * profiler/ProfilerBytecode.cpp:
3565         (JSC::Profiler::Bytecode::toJS const):
3566         * profiler/ProfilerBytecodeSequence.cpp:
3567         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
3568         * profiler/ProfilerBytecodes.cpp:
3569         (JSC::Profiler::Bytecodes::toJS const):
3570         * profiler/ProfilerCompilation.cpp:
3571         (JSC::Profiler::Compilation::toJS const):
3572         * profiler/ProfilerCompiledBytecode.cpp:
3573         (JSC::Profiler::CompiledBytecode::toJS const):
3574         * profiler/ProfilerEvent.cpp:
3575         (JSC::Profiler::Event::toJS const):
3576         * profiler/ProfilerOSRExit.cpp:
3577         (JSC::Profiler::OSRExit::toJS const):
3578         * profiler/ProfilerOSRExitSite.cpp:
3579         (JSC::Profiler::OSRExitSite::toJS const):
3580         * profiler/ProfilerUID.cpp:
3581         (JSC::Profiler::UID::toJS const):
3582         * runtime/AbstractModuleRecord.cpp:
3583         (JSC::AbstractModuleRecord::finishCreation):
3584         (JSC::AbstractModuleRecord::hostResolveImportedModule):
3585         (JSC::AbstractModuleRecord::resolveExportImpl):
3586         (JSC::getExportedNames):
3587         (JSC::AbstractModuleRecord::getModuleNamespace):
3588         * runtime/ArrayBufferNeuteringWatchpointSet.cpp:
3589         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
3590         * runtime/ArrayIteratorPrototype.cpp:
3591         (JSC::ArrayIteratorPrototype::finishCreation):
3592         * runtime/ArrayPrototype.cpp:
3593         (JSC::fastJoin):
3594         (JSC::arrayProtoFuncToLocaleString):
3595         (JSC::slowJoin):
3596         (JSC::arrayProtoFuncJoin):
3597         (JSC::arrayProtoFuncPush):
3598         * runtime/AsyncFunctionPrototype.cpp:
3599         (JSC::AsyncFunctionPrototype::finishCreation):
3600         * runtime/AsyncGeneratorFunctionPrototype.cpp:
3601         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
3602         * runtime/AsyncGeneratorPrototype.cpp:
3603         (JSC::AsyncGeneratorPrototype::finishCreation):
3604         * runtime/AtomicsObject.cpp:
3605         (JSC::AtomicsObject::finishCreation):
3606         (JSC::atomicsFuncWait):
3607         (JSC::operationAtomicsAdd):
3608         (JSC::operationAtomicsAnd):
3609         (JSC::operationAtomicsCompareExchange):
3610         (JSC::operationAtomicsExchange):
3611         (JSC::operationAtomicsIsLockFree):
3612         (JSC::operationAtomicsLoad):
3613         (JSC::operationAtomicsOr):
3614         (JSC::operationAtomicsStore):
3615         (JSC::operationAtomicsSub):
3616         (JSC::operationAtomicsXor):
3617         * runtime/BigIntPrototype.cpp:
3618         (JSC::BigIntPrototype::finishCreation):
3619         (JSC::bigIntProtoFuncToString):
3620         * runtime/CachedTypes.cpp:
3621         (JSC::CachedUniquedStringImplBase::decode const):
3622         (JSC::CachedIdentifier::decode const):
3623         (JSC::CachedJSValue::decode const):
3624         * runtime/CodeCache.cpp:
3625         (JSC::CodeCacheMap::pruneSlowCase):
3626         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
3627         * runtime/CodeCache.h:
3628         (JSC::generateUnlinkedCodeBlockImpl):
3629         * runtime/CommonIdentifiers.cpp:
3630         (JSC::CommonIdentifiers::CommonIdentifiers):
3631         * runtime/CommonIdentifiers.h:
3632         * runtime/CommonSlowPaths.cpp:
3633         (JSC::SLOW_PATH_DECL):
3634         * runtime/Completion.cpp:
3635         (JSC::checkSyntaxInternal):
3636         (JSC::checkModuleSyntax):
3637         (JSC::loadAndEvaluateModule):
3638         (JSC::loadModule):
3639         * runtime/DateConstructor.cpp:
3640         (JSC::callDate):
3641         * runtime/DatePrototype.cpp:
3642         (JSC::formatLocaleDate):
3643         (JSC::formateDateInstance):
3644         (JSC::DatePrototype::finishCreation):
3645         (JSC::dateProtoFuncToISOString):
3646         * runtime/Error.cpp:
3647         (JSC::addErrorInfo):
3648         * runtime/ErrorInstance.cpp:
3649         (JSC::appendSourceToError):
3650         (JSC::ErrorInstance::finishCreation):
3651         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
3652         * runtime/ErrorPrototype.cpp:
3653         (JSC::ErrorPrototype::finishCreation):
3654         (JSC::errorProtoFuncToString):
3655         * runtime/ExceptionHelpers.cpp:
3656         (JSC::TerminatedExecutionError::defaultValue):
3657         * runtime/FunctionPrototype.cpp:
3658         (JSC::functionProtoFuncToString):
3659         * runtime/FunctionRareData.cpp:
3660         (JSC::FunctionRareData::clear):
3661         * runtime/GeneratorFunctionPrototype.cpp:
3662         (JSC::GeneratorFunctionPrototype::finishCreation):
3663         * runtime/GeneratorPrototype.cpp:
3664         (JSC::GeneratorPrototype::finishCreation):
3665         * runtime/GenericArgumentsInlines.h:
3666         (JSC::GenericArguments<Type>::getOwnPropertyNames):
3667         * runtime/GetterSetter.h:
3668         * runtime/Identifier.cpp:
3669         (JSC::Identifier::add):
3670         (JSC::Identifier::add8):
3671         (JSC::Identifier::from):
3672         (JSC::Identifier::checkCurrentAtomStringTable):
3673         * runtime/Identifier.h:
3674         (JSC::Identifier::fromString):
3675         (JSC::Identifier::createLCharFromUChar):
3676         (JSC::Identifier::Identifier):
3677         (JSC::Identifier::add):
3678         * runtime/IdentifierInlines.h:
3679         (JSC::Identifier::Identifier):
3680         (JSC::Identifier::add):
3681         (JSC::Identifier::fromUid):
3682         (JSC::Identifier::fromString):
3683         (JSC::identifierToJSValue):
3684         (JSC::identifierToSafePublicJSValue):
3685         * runtime/InternalFunction.cpp:
3686         (JSC::InternalFunction::finishCreation):
3687         * runtime/IntlCollator.cpp:
3688         (JSC::IntlCollator::resolvedOptions):
3689         * runtime/IntlCollatorPrototype.cpp:
3690         (JSC::IntlCollatorPrototype::finishCreation):
3691         * runtime/IntlDateTimeFormat.cpp:
3692         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
3693         (JSC::IntlDateTimeFormat::resolvedOptions):
3694         (JSC::IntlDateTimeFormat::format):
3695         (JSC::IntlDateTimeFormat::formatToParts):
3696         * runtime/IntlDateTimeFormatPrototype.cpp:
3697         (JSC::IntlDateTimeFormatPrototype::finishCreation):
3698         * runtime/IntlNumberFormat.cpp:
3699         (JSC::IntlNumberFormat::initializeNumberFormat):
3700         (JSC::IntlNumberFormat::formatNumber):
3701         (JSC::IntlNumberFormat::resolvedOptions):
3702         (JSC::IntlNumberFormat::formatToParts):
3703         * runtime/IntlNumberFormatPrototype.cpp:
3704         (JSC::IntlNumberFormatPrototype::finishCreation):
3705         * runtime/IntlObject.cpp:
3706         (JSC::lookupSupportedLocales):
3707         (JSC::supportedLocales):
3708         (JSC::intlObjectFuncGetCanonicalLocales):
3709         * runtime/IntlPluralRules.cpp:
3710         (JSC::IntlPluralRules::initializePluralRules):
3711         (JSC::IntlPluralRules::resolvedOptions):
3712         (JSC::IntlPluralRules::select):
3713         * runtime/IntlPluralRulesPrototype.cpp:
3714         (JSC::IntlPluralRulesPrototype::finishCreation):
3715         * runtime/JSArray.h:
3716         (JSC::asArray):
3717         (JSC::isJSArray):
3718         * runtime/JSArrayBufferPrototype.cpp:
3719         (JSC::JSArrayBufferPrototype::finishCreation):
3720         * runtime/JSArrayBufferView.cpp:
3721         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
3722         * runtime/JSCJSValue.cpp:
3723         (JSC::JSValue::putToPrimitiveByIndex):
3724         (JSC::JSValue::dumpForBacktrace const):
3725         (JSC::JSValue::toStringSlowCase const):
3726         * runtime/JSCJSValueInlines.h:
3727         (JSC::JSValue::toPropertyKey const):
3728         (JSC::JSValue::get const):
3729         * runtime/JSCast.h:
3730         (JSC::jsCast):
3731         * runtime/JSCell.cpp:
3732         (JSC::JSCell::dump const):
3733         (JSC::JSCell::dumpToStream):
3734         (JSC::JSCell::putByIndex):
3735         * runtime/JSCellInlines.h:
3736         (JSC::JSCell::structure const):
3737         (JSC::ExecState::vm const):
3738         (JSC::tryAllocateCellHelper):
3739         * runtime/JSDataViewPrototype.cpp:
3740         (JSC::JSDataViewPrototype::finishCreation):
3741         * runtime/JSFixedArray.cpp:
3742         (JSC::JSFixedArray::dumpToStream):
3743         * runtime/JSFunction.cpp:
3744         (JSC::JSFunction::finishCreation):
3745         (JSC::RetrieveCallerFunctionFunctor::operator() const):
3746         (JSC::JSFunction::reifyName):
3747         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
3748         (JSC::JSFunction::assertTypeInfoFlagInvariants):
3749         * runtime/JSGenericTypedArrayViewInlines.h:
3750         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
3751         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
3752         * runtime/JSGlobalObject.cpp:
3753         (JSC::JSGlobalObject::init):
3754         (JSC::JSGlobalObject::exposeDollarVM):
3755         * runtime/JSGlobalObjectFunctions.cpp:
3756         (JSC::encode):
3757         (JSC::decode):
3758         (JSC::globalFuncEscape):
3759         (JSC::globalFuncUnescape):
3760         (JSC::globalFuncBuiltinDescribe):
3761         * runtime/JSLexicalEnvironment.cpp:
3762         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
3763         * runtime/JSModuleEnvironment.cpp:
3764         (JSC::JSModuleEnvironment::getOwnPropertySlot):
3765         (JSC::JSModuleEnvironment::put):
3766         (JSC::JSModuleEnvironment::deleteProperty):
3767         * runtime/JSModuleLoader.cpp:
3768         (JSC::JSModuleLoader::finishCreation):
3769         (JSC::JSModuleLoader::requestImportModule):
3770         (JSC::moduleLoaderParseModule):
3771         (JSC::moduleLoaderRequestedModules):
3772         * runtime/JSModuleNamespaceObject.cpp:
3773         (JSC::JSModuleNamespaceObject::finishCreation):
3774         (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex):
3775         * runtime/JSModuleRecord.cpp:
3776         (JSC::JSModuleRecord::instantiateDeclarations):
3777         * runtime/JSONObject.cpp:
3778         (JSC::JSONObject::finishCreation):
3779         (JSC::PropertyNameForFunctionCall::value const):
3780         (JSC::Stringifier::Stringifier):
3781         (JSC::Stringifier::stringify):
3782         (JSC::Stringifier::Holder::appendNextProperty):
3783         (JSC::Walker::walk):
3784         * runtime/JSObject.cpp:
3785         (JSC::getClassPropertyNames):
3786         (JSC::JSObject::getOwnPropertySlotByIndex):
3787         (JSC::JSObject::putByIndex):
3788         (JSC::JSObject::deletePropertyByIndex):
3789         (JSC::JSObject::toString const):
3790         (JSC::JSObject::reifyAllStaticProperties):
3791         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3792         * runtime/JSObject.h:
3793         (JSC::JSObject::putByIndexInline):
3794         (JSC::JSObject::butterflyPreCapacity):
3795         (JSC::JSObject::butterflyTotalSize):
3796         (JSC::makeIdentifier):
3797         * runtime/JSPromisePrototype.cpp:
3798         (JSC::JSPromisePrototype::finishCreation):
3799         * runtime/JSPropertyNameEnumerator.cpp:
3800         (JSC::JSPropertyNameEnumerator::finishCreation):
3801         * runtime/JSPropertyNameEnumerator.h:
3802         (JSC::propertyNameEnumerator):
3803         * runtime/JSRunLoopTimer.cpp:
3804         (JSC::JSRunLoopTimer::JSRunLoopTimer):
3805         * runtime/JSRunLoopTimer.h:
3806         * runtime/JSString.cpp:
3807         (JSC::JSString::dumpToStream):
3808         (JSC::JSRopeString::resolveRopeWithFunction const):
3809         (JSC::jsStringWithCacheSlowCase):
3810         * runtime/JSString.h:
3811         (JSC::jsEmptyString):
3812         (JSC::jsSingleCharacterString):
3813         (JSC::jsNontrivialString):
3814         (JSC::JSString::toIdentifier const):
3815         (JSC::JSString::toAtomString const):
3816         (JSC::JSString::toExistingAtomString const):
3817         (JSC::JSString::value const):
3818         (JSC::JSString::tryGetValue const):
3819         (JSC::JSString::getIndex):
3820         (JSC::jsString):
3821         (JSC::jsSubstring):
3822         (JSC::jsOwnedString):
3823         (JSC::jsStringWithCache):
3824         (JSC::JSRopeString::unsafeView const):
3825         (JSC::JSRopeString::viewWithUnderlyingString const):
3826         (JSC::JSString::unsafeView const):
3827         * runtime/JSStringInlines.h:
3828         (JSC::jsMakeNontrivialString):
3829         (JSC::repeatCharacter):
3830         * runtime/JSStringJoiner.cpp:
3831         (JSC::JSStringJoiner::join):
3832         * runtime/JSSymbolTableObject.cpp:
3833         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):