[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2018-08-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org> and Fujii Hironori  <Hironori.Fujii@sony.com>

        [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
        https://bugs.webkit.org/show_bug.cgi?id=188589

        Reviewed by Mark Lam.
        And reviewed by Yusuke Suzuki for Hironori's change.

        Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
        UBSan dumps bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".

        - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
        - We make GPRReg and FPRReg int8_t enums.
        - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` to `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
        - We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
          if `enum : int8_t` is used instead of `enum`.

        * assembler/ARM64Assembler.h:
        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:
        * assembler/MIPSAssembler.h:
        * assembler/MacroAssembler.h:
        * assembler/X86Assembler.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::clampArrayToSize):
        * jit/FPRInfo.h:
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::JSValueRegs):
        (JSC::JSValueRegs::tagGPR const):
        (JSC::JSValueRegs::payloadGPR const):
        (JSC::JSValueSource::JSValueSource):
        (JSC::JSValueSource::unboxedCell):
        (JSC::JSValueSource::operator bool const):
        (JSC::JSValueSource::base const):
        (JSC::JSValueSource::tagGPR const):
        (JSC::JSValueSource::payloadGPR const):
        (JSC::JSValueSource::hasKnownTag const):

2018-08-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] alignas for RegisterState should respect alignof(RegisterState) too
        https://bugs.webkit.org/show_bug.cgi?id=188686

        Reviewed by Saam Barati.

        RegisterState would have larger alignment than `alignof(void*)`. We use the larger alignment value
        for `alignof` for RegisterState.

        * heap/RegisterState.h:

2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
        https://bugs.webkit.org/show_bug.cgi?id=188571

        Reviewed by Saam Barati.

        UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
        allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
        without considering alignment of them. This patch adds DisjunctionContext::allocationSize
        and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
        The size is always rounded to `sizeof(void*)` so that these classes are always allocated
        with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
        than or equal to `sizeof(void*)` by `static_assert`.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
        (JSC::Yarr::Interpreter::allocDisjunctionContext):
        (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
        (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
        (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
        (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
        (JSC::Yarr::Interpreter::Interpreter):
        (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.

2018-08-15  Keith Miller  <keith_miller@apple.com>

        Remove evernote hacks
        https://bugs.webkit.org/show_bug.cgi?id=188591

        Reviewed by Joseph Pecoraro.

        The hack was added in 2012 and the evernote app seems to work now.
        It's probably not needed anymore.

        * API/JSValueRef.cpp:
        (JSValueUnprotect):
        (evernoteHackNeeded): Deleted.

2018-08-14  Fujii Hironori  <Hironori.Fujii@sony.com>

        Unreviewed, rolling out r234874 and r234876.

        WinCairo port can't compile

        Reverted changesets:

        "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
        https://bugs.webkit.org/show_bug.cgi?id=188589
        https://trac.webkit.org/changeset/234874

        "Unreviewed, attempt to fix CLoop build"
        https://bugs.webkit.org/show_bug.cgi?id=188589
        https://trac.webkit.org/changeset/234876

2018-08-14  Saam barati  <sbarati@apple.com>

        HashMap<Ref<P>, V> asserts when V is not zero for its empty value
        https://bugs.webkit.org/show_bug.cgi?id=188582

        Reviewed by Sam Weinig.

        * runtime/SparseArrayValueMap.h:

2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, attempt to fix CLoop build
        https://bugs.webkit.org/show_bug.cgi?id=188589

        * assembler/MacroAssembler.h:

2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
        https://bugs.webkit.org/show_bug.cgi?id=188589

        Reviewed by Mark Lam.

        Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
        UBSan dumps bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".

        1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
        2. We make GPRReg and FPRReg int8_t enums.
        3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` to `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.

        * assembler/ARM64Assembler.h:
        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:
        * assembler/MIPSAssembler.h:
        * assembler/X86Assembler.h:
        * jit/FPRInfo.h:
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::JSValueRegs):
        (JSC::JSValueRegs::tagGPR const):
        (JSC::JSValueRegs::payloadGPR const):
        (JSC::JSValueSource::JSValueSource):
        (JSC::JSValueSource::unboxedCell):
        (JSC::JSValueSource::operator bool const):
        (JSC::JSValueSource::base const):
        (JSC::JSValueSource::tagGPR const):
        (JSC::JSValueSource::payloadGPR const):
        (JSC::JSValueSource::hasKnownTag const):

2018-08-14  Keith Miller  <keith_miller@apple.com>

        Add missing availability macro.
        https://bugs.webkit.org/show_bug.cgi?id=188563

        Reviewed by Mark Lam.

        * API/JSValueRef.h:

2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
        https://bugs.webkit.org/show_bug.cgi?id=188560

        Reviewed by Keith Miller.

        While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
        it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
        uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
        `m_wasSeenInJIT { false }`.

        * bytecode/GetByIdStatus.h:

2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
        https://bugs.webkit.org/show_bug.cgi?id=188557

        Reviewed by Mark Lam.

        DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
        processing for ArithRound etc.'s invariants requires `m_pass` load. This issue is found
        in UBSan's result.

        * dfg/DFGPredictionPropagationPhase.cpp:

2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Should not rotate constant with 64
        https://bugs.webkit.org/show_bug.cgi?id=188556

        Reviewed by Mark Lam.

        To defend against JIT splaying, we rotate a constant with a randomly generated seed.
        But if a seed becomes 64, the following code performs `value << 64` where value's type
        is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed in the
        range of [0, 64) not to generate code causing UBs. This is found by UBSan.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::generateRotationSeed):
        (JSC::MacroAssembler::rotationBlindConstant):

2018-08-12  Karo Gyoker  <karogyoker2+webkit@gmail.com>

        Disable JIT on IA-32 without SSE2
        https://bugs.webkit.org/show_bug.cgi?id=188476

        Reviewed by Michael Catanzaro.

        Including missing header (MacroAssembler.h) in case of other
        operating systems than Windows too.

        * runtime/Options.cpp:

2018-08-11  Karo Gyoker  <karogyoker2+webkit@gmail.com>

        Disable JIT on IA-32 without SSE2
        https://bugs.webkit.org/show_bug.cgi?id=188476

        Reviewed by Yusuke Suzuki.

        On IA-32 CPUs without SSE2 most of the webpages cannot load
        if the JIT is turned on.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2018-08-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: console.log fires getters for deep properties
        https://bugs.webkit.org/show_bug.cgi?id=187542
        <rdar://problem/42873158>

        Reviewed by Saam Barati.

        * inspector/InjectedScriptSource.js:
        (RemoteObject.prototype._isPreviewableObject):
        Avoid getters/setters when checking for simple properties to preview.
        Here we avoid invoking `object[property]` if it could be a user getter.

2018-08-10  Keith Miller  <keith_miller@apple.com>

        Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
        https://bugs.webkit.org/show_bug.cgi?id=185127

        Reviewed by Saam Barati.

        Previously, we would truncate the indicies passed to slice to an
        int. This meant that the value was not getting properly clamped
        later.

        This patch also removes a non-spec compliant check that slice was
        passed at least one argument.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::clampValue):
        (JSC::ArrayBuffer::clampIndex const):
        (JSC::ArrayBuffer::slice const):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::clampValue): Deleted.
        (JSC::ArrayBuffer::clampIndex const): Deleted.
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):

2018-08-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Date.UTC should not return NaN with only Year param
        https://bugs.webkit.org/show_bug.cgi?id=188378

        Reviewed by Keith Miller.

        Date.UTC requires one argument for |year|. But the other ones are optional.
        This patch fix this handling.

        * runtime/DateConstructor.cpp:
        (JSC::millisecondsFromComponents):

2018-08-08  Keith Miller  <keith_miller@apple.com>

        Array.prototype.sort should call @toLength instead of ">>> 0"
        https://bugs.webkit.org/show_bug.cgi?id=188430

        Reviewed by Saam Barati.

        Also add a new function to $vm that will fetch a private
        property. This can be useful for running builtin helper functions.

        * builtins/ArrayPrototype.js:
        (sort):
        * tools/JSDollarVM.cpp:
        (JSC::functionGetPrivateProperty):
        (JSC::JSDollarVM::finishCreation):

2018-08-08  Keith Miller  <keith_miller@apple.com>

        Array.prototype.sort should throw TypeError if param is a not callable object
        https://bugs.webkit.org/show_bug.cgi?id=188382

        Reviewed by Saam Barati.

        Improve spec compatability by checking if the Array.prototype.sort comparator is a function
        before doing anything else.

        Also, refactor the various helper functions to use let instead of var.

        * builtins/ArrayPrototype.js:
        (sort.stringComparator):
        (sort.compactSparse):
        (sort.compactSlow):
        (sort.compact):
        (sort.merge):
        (sort.mergeSort):
        (sort.bucketSort):
        (sort.comparatorSort):
        (sort.stringSort):
        (sort):

2018-08-08  Michael Saboff  <msaboff@apple.com>

        Yarr JIT should include annotations with dumpDisassembly=true
        https://bugs.webkit.org/show_bug.cgi?id=188415

        Reviewed by Yusuke Suzuki.

        Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
        Given that the Yarr creates matching code bu going through the YarrPattern ops forward and
        then the backtracking code through the YarrPattern ops in reverse order, the disassembler
        needs to do the same think.

        Restructured some of the logging code in YarrPattern to eliminate redundent code and factor
        out simple methods for what was needed by the YarrDisassembler.

        Here is abbreviated sample output after this change.

        Generated JIT code for 8-bit regular expression /ab*c/:
            Code at [0x469561c03720, 0x469561c03840):
                0x469561c03720: push %rbp
                0x469561c03721: mov %rsp, %rbp
                ...
                0x469561c03762: sub $0x40, %rsp
             == Matching ==
           0:OpBodyAlternativeBegin minimum size 2
                0x469561c03766: add $0x2, %esi
                0x469561c03769: cmp %edx, %esi
                0x469561c0376b: ja 0x469561c037fa
           1:OpTerm TypePatternCharacter 'a'
                0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
                0x469561c03776: cmp $0x61, %eax
                0x469561c03779: jnz 0x469561c037e9
           2:OpTerm TypePatternCharacter 'b' {0,...} greedy
                0x469561c0377f: xor %r9d, %r9d
                0x469561c03782: cmp %edx, %esi
                0x469561c03784: jz 0x469561c037a2
                ...
                0x469561c0379d: jmp 0x469561c03782
                0x469561c037a2: mov %r9, 0x8(%rsp)
           3:OpTerm TypePatternCharacter 'c'
                0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
                0x469561c037ac: cmp $0x63, %eax
                0x469561c037af: jnz 0x469561c037d1
           4:OpBodyAlternativeEnd
                0x469561c037b5: add $0x40, %rsp
                ...
                0x469561c037cf: pop %rbp
                0x469561c037d0: ret
             == Backtracking ==
           4:OpBodyAlternativeEnd
           3:OpTerm TypePatternCharacter 'c'
           2:OpTerm TypePatternCharacter 'b' {0,...} greedy
                0x469561c037d1: mov 0x8(%rsp), %r9
                ...
                0x469561c037e4: jmp 0x469561c037a2
           1:OpTerm TypePatternCharacter 'a'
           0:OpBodyAlternativeBegin minimum size 2
                0x469561c037e9: mov %rsi, %rax
                ...
                0x469561c0382f: pop %rbp
                0x469561c03830: ret

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * yarr/YarrDisassembler.cpp: Added.
        (JSC::Yarr::YarrDisassembler::indentString):
        (JSC::Yarr::YarrDisassembler::YarrDisassembler):
        (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
        (JSC::Yarr::YarrDisassembler::dump):
        (JSC::Yarr::YarrDisassembler::dumpHeader):
        (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
        (JSC::Yarr::YarrDisassembler::dumpForInstructions):
        (JSC::Yarr::YarrDisassembler::dumpDisassembly):
        * yarr/YarrDisassembler.h: Added.
        (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
        (JSC::Yarr::YarrDisassembler::setStartOfCode):
        (JSC::Yarr::YarrDisassembler::setForGenerate):
        (JSC::Yarr::YarrDisassembler::setForBacktrack):
        (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
        (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
        (JSC::Yarr::YarrDisassembler::setEndOfCode):
        (JSC::Yarr::YarrDisassembler::indentString):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):
        * yarr/YarrJIT.h:
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::dumpCharacterClass):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::YarrPattern::dumpPatternString):
        (JSC::Yarr::YarrPattern::dumpPattern):
        * yarr/YarrPattern.h:

2018-08-05  Darin Adler  <darin@apple.com>

        [Cocoa] More tweaks and refactoring to prepare for ARC
        https://bugs.webkit.org/show_bug.cgi?id=188245

        Reviewed by Dan Bernstein.

        * API/JSValue.mm: Use __unsafe_unretained.
        (JSContainerConvertor::convert): Use auto for compatibility with the above.
        * API/JSWrapperMap.mm:
        (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
        (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.

        * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.

2018-08-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
        https://bugs.webkit.org/show_bug.cgi?id=188328

        Reviewed by Saam Barati.

        Shrinking the size of PropertyCondition can improve memory consumption by a lot.
        For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
        and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
        as a member field.

        This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
        PropertyCondition::Kind into uint64_t data in 64bit architecture. Since our address
        are within 48bit, we can put PropertyCondition::Kind in this unused bits.
        To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
        folds a pointer and 1byte type into 64bit data.

        This change shrinks PropertyCondition from 24bytes to 16bytes.

        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext const):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::isStillValid const):
        (JSC::PropertyCondition::isWatchableWhenValid const):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::PropertyCondition):
        (JSC::PropertyCondition::presenceWithoutBarrier):
        (JSC::PropertyCondition::absenceWithoutBarrier):
        (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::PropertyCondition::equivalenceWithoutBarrier):
        (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::PropertyCondition::operator bool const):
        (JSC::PropertyCondition::kind const):
        (JSC::PropertyCondition::uid const):
        (JSC::PropertyCondition::hasOffset const):
        (JSC::PropertyCondition::hasAttributes const):
        (JSC::PropertyCondition::hasPrototype const):
        (JSC::PropertyCondition::hasRequiredValue const):
        (JSC::PropertyCondition::hash const):
        (JSC::PropertyCondition::operator== const):
        (JSC::PropertyCondition::isHashTableDeletedValue const):
        (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):

2018-08-07  Mark Lam  <mark.lam@apple.com>

        Use a more specific PtrTag for PlatformRegisters PC and LR.
        https://bugs.webkit.org/show_bug.cgi?id=188366
        <rdar://problem/42984123>

        Reviewed by Keith Miller.

        Also fixed a bug in linkRegister(), which was previously returning the PC instead
        of LR.  It now returns LR.

        * runtime/JSCPtrTag.h:
        * runtime/MachineContext.h:
        (JSC::MachineContext::instructionPointer):
        (JSC::MachineContext::linkRegister):
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::SignalContext):

2018-08-07  Karo Gyoker  <karogyoker2+webkit@gmail.com>

        Hardcoded LFENCE instruction
        https://bugs.webkit.org/show_bug.cgi?id=188145

        Reviewed by Filip Pizlo.

        Remove lfence instruction because it is crashing systems without SSE2 and
        this is not the way how WebKit mitigates Spectre.

        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):

2018-08-04  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
        <https://webkit.org/b/188331>

        Reviewed by Yusuke Suzuki.

        * runtime/TemplateObjectDescriptor.h:
        (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
        Use `m_rawstrings` instead of `rawStrings` to calculate hash.

2018-08-03  Saam Barati  <sbarati@apple.com>

        Give the `jsc` shell the JIT entitlement
        https://bugs.webkit.org/show_bug.cgi?id=188324
        <rdar://problem/42885806>

        Reviewed by Dan Bernstein.

        This should help us in ensuring the system jsc is able to JIT.

        * Configurations/JSC.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * allow-jit-macOS.entitlements: Added.

2018-08-03  Alex Christensen  <achristensen@webkit.org>

        Fix spelling of "overridden"
        https://bugs.webkit.org/show_bug.cgi?id=188315

        Reviewed by Darin Adler.

        * API/JSExport.h:
        * inspector/InjectedScriptSource.js:

2018-08-02  Saam Barati  <sbarati@apple.com>

        Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
        https://bugs.webkit.org/show_bug.cgi?id=188271
        <rdar://problem/42850884>

        Reviewed by Michael Saboff.

        This patch defends against the instructionPointer containing garbage bits.
        See radar for details.

        * runtime/MachineContext.h:
        (JSC::MachineContext::instructionPointer):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::takeSample):
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::tryCreate):
        * tools/CodeProfiling.cpp:
        (JSC::profilingTimer):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::tryCreate):
        (JSC::SignalContext::dump):
        (JSC::installCrashHandler):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-08-02  David Fenton  <david_fenton@apple.com>

        Unreviewed, rolling out r234489.

        Caused 50+ crashes and 60+ API failures on iOS

        Reverted changeset:

        "[WTF] Rename String::format to String::deprecatedFormat"
        https://bugs.webkit.org/show_bug.cgi?id=188191
        https://trac.webkit.org/changeset/234489

2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add self.queueMicrotask(f) on DOMWindow
        https://bugs.webkit.org/show_bug.cgi?id=188212

        Reviewed by Ryosuke Niwa.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/JSGlobalObject.cpp:
        (JSC::enqueueJob):
        * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
        (JSC::createJSMicrotask):
        Export them to WebCore.

        (JSC::JSMicrotask::run):
        * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
        Add another version of JSMicrotask which does not have arguments.

2018-08-01  Tomas Popela  <tpopela@redhat.com>

        [WTF] Rename String::format to String::deprecatedFormat
        https://bugs.webkit.org/show_bug.cgi?id=188191

        Reviewed by Darin Adler.

        It should be replaced with string concatenation.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::nameForRegister):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::getPropertyValue):
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::stopTiming):
        * jsc.cpp:
        (FunctionJSCStackFunctor::operator() const):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage const):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex):
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        (JSC::LiteralParser<CharType>::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::getErrorMessage):

2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Allow "unknown" formatToParts types
        https://bugs.webkit.org/show_bug.cgi?id=188176

        Reviewed by Darin Adler.

        Originally extra unexpected field types were marked as "literal", since
        the spec did not account for these. The ECMA 402 spec has since been updated
        to specify "unknown" should be used in these cases.

        Currently there is no known way to reach these cases, so no tests can
        account for them. Theoretically they shoudn't exist, but they are specified,
        just to be safe. Marking them as "unknown" instead of "literal" hopefully
        will make such cases easy to identify if they ever happen.

        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::partTypeString):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::partTypeString):

2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Implement hourCycle in DateTimeFormat
        https://bugs.webkit.org/show_bug.cgi?id=188006

        Reviewed by Darin Adler.

        Implemented hourCycle, updating both the skeleton and the final pattern.
        Changed resolveLocale to assume undefined options are not given and null
        strings actually mean null, which removes the tag extension.

        * runtime/CommonIdentifiers.h:
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDTFInternal::localeData):
        (JSC::IntlDateTimeFormat::setFormatsFromPattern):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::resolvedOptions):
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlObject.cpp:
        (JSC::resolveLocale):

2018-08-01  Keith Miller  <keith_miller@apple.com>

        JSArrayBuffer should have its own JSType
        https://bugs.webkit.org/show_bug.cgi?id=188231

        Reviewed by Saam Barati.

        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::createStructure):
        * runtime/JSCast.h:
        * runtime/JSType.h:

2018-07-31  Keith Miller  <keith_miller@apple.com>

        Unreviewed 32-bit build fix...

        * dfg/DFGSpeculativeJIT32_64.cpp:

2018-07-31  Keith Miller  <keith_miller@apple.com>

        Long compiling JSC files should not be unified
        https://bugs.webkit.org/show_bug.cgi?id=188205

        Reviewed by Saam Barati.

        The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
        to compile. Unifying them means touching anything in the same
        bundle as those files takes a long time to incrementally build.
        This patch separates those files so they build standalone.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGSpeculativeJIT64.cpp:

2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
        https://bugs.webkit.org/show_bug.cgi?id=188201

        Reviewed by Keith Miller.

        We do not reuse the existing butterfly with Contiguous shape for new ArrayStorage butterfly.
        When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
        new one. So this cellLock() is unnecessary for contiguous shape since contigous shaped butterfly
        never becomes broken state. This patch removes unnecessary locking.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterflyImpl):

2018-07-31  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Remove gcc warnings for 32-bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=187803

        Reviewed by Yusuke Suzuki.

        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printPCRegister):
        (JSC::Printer::printRegisterID):
        (JSC::Printer::printAddress):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::calculatePokeOffset):
        * runtime/Options.cpp:
        (JSC::parse):

2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>

        watchOS engineering build is broken after r234227
        https://bugs.webkit.org/show_bug.cgi?id=188180

        Reviewed by Keith Miller.

        In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
        postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
        `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
        `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.

        To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
        entirely, since there's no relevant version to replace them with.

        * postprocess-headers.sh:

2018-07-30  Keith Miller  <keith_miller@apple.com>

        Clarify conversion rules for JSValue property access API
        https://bugs.webkit.org/show_bug.cgi?id=188179

        Reviewed by Geoffrey Garen.

        * API/JSValue.h:

2018-07-30  Keith Miller  <keith_miller@apple.com>

        Rename some JSC API functions/types.
        https://bugs.webkit.org/show_bug.cgi?id=188173

        Reviewed by Saam Barati.

        * API/JSObjectRef.cpp:
        (JSObjectHasPropertyForKey):
        (JSObjectGetPropertyForKey):
        (JSObjectSetPropertyForKey):
        (JSObjectDeletePropertyForKey):
        (JSObjectHasPropertyKey): Deleted.
        (JSObjectGetPropertyKey): Deleted.
        (JSObjectSetPropertyKey): Deleted.
        (JSObjectDeletePropertyKey): Deleted.
        * API/JSObjectRef.h:
        * API/JSValue.h:
        * API/JSValue.mm:
        (-[JSValue valueForProperty:]):
        (-[JSValue setValue:forProperty:]):
        (-[JSValue deleteProperty:]):
        (-[JSValue hasProperty:]):
        (-[JSValue defineProperty:descriptor:]):
        * API/tests/testapi.cpp:
        (TestAPI::run):

2018-07-30  Mark Lam  <mark.lam@apple.com>

        Add a debugging utility to dump the memory layout of a JSCell.
        https://bugs.webkit.org/show_bug.cgi?id=188157

        Reviewed by Yusuke Suzuki.

        This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
        dump the memory contents of a cell and if present, its butterfly for debugging
        purposes.

        Example usage for JS code when JSC_useDollarVM=true:

            $vm.dumpCell(obj);

        Example usage from C++ code or from lldb: 

            (lldb) p JSC::VMInspector::dumpCellMemory(obj)

        Some examples of dumps:

            <0x104bc8260, Object>
              [0] 0x104bc8260 : 0x010016000000016c header
                structureID 364 0x16c structure 0x104b721b0
                indexingTypeAndMisc 0 0x0 NonArray
                type 22 0x16
                flags 0 0x0
                cellState 1
              [1] 0x104bc8268 : 0x0000000000000000 butterfly
              [2] 0x104bc8270 : 0xffff000000000007
              [3] 0x104bc8278 : 0xffff000000000008

            <0x104bb4360, Array>
              [0] 0x104bb4360 : 0x0108210b00000171 header
                structureID 369 0x171 structure 0x104b723e0
                indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
                type 33 0x21
                flags 8 0x8
                cellState 1
              [1] 0x104bb4368 : 0x00000008000f4718 butterfly
                base 0x8000f46e0
                hasIndexingHeader YES hasAnyArrayStorage YES
                publicLength 4 vectorLength 7 indexBias 2
                preCapacity 2 propertyCapacity 4
                  <--- preCapacity
                  [0] 0x8000f46e0 : 0x0000000000000000
                  [1] 0x8000f46e8 : 0x0000000000000000
                  <--- propertyCapacity
                  [2] 0x8000f46f0 : 0x0000000000000000
                  [3] 0x8000f46f8 : 0x0000000000000000
                  [4] 0x8000f4700 : 0xffff00000000000d
                  [5] 0x8000f4708 : 0xffff00000000000c
                  <--- indexingHeader
                  [6] 0x8000f4710 : 0x0000000700000004
                  <--- butterfly
                  <--- arrayStorage
                  [7] 0x8000f4718 : 0x0000000000000000
                  [8] 0x8000f4720 : 0x0000000400000002
                  <--- indexedProperties
                  [9] 0x8000f4728 : 0xffff000000000008
                  [10] 0x8000f4730 : 0xffff000000000009
                  [11] 0x8000f4738 : 0xffff000000000005
                  [12] 0x8000f4740 : 0xffff000000000006
                  [13] 0x8000f4748 : 0x0000000000000000
                  [14] 0x8000f4750 : 0x0000000000000000
                  [15] 0x8000f4758 : 0x0000000000000000
                  <--- unallocated capacity
                  [16] 0x8000f4760 : 0x0000000000000000
                  [17] 0x8000f4768 : 0x0000000000000000
                  [18] 0x8000f4770 : 0x0000000000000000
                  [19] 0x8000f4778 : 0x0000000000000000

        * runtime/JSObject.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionDumpCell):
        (JSC::JSDollarVM::finishCreation):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpCellMemory):
        (JSC::IndentationScope::IndentationScope):
        (JSC::IndentationScope::~IndentationScope):
        (JSC::VMInspector::dumpCellMemoryToStream):
        * tools/VMInspector.h:

2018-07-27  Mark Lam  <mark.lam@apple.com>

        Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
        https://bugs.webkit.org/show_bug.cgi?id=188123
        <rdar://problem/42672268>

        Reviewed by Keith Miller.

        1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
           padding space in VM and Heap, and should not cost any measurable perf to
           initialize and update.

        2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():

           worldState tells us the value we failed the assertion on.

           m_lastPhase, m_currentPhase, and m_nextPhase tells us the GC phase transition
           that led us here.

           VM::id(), and VM::numberOfIDs() tells us how many VMs may be in play.

           VM::isEntered() tells us if the current VM is currently executing JS code.

           Some of this data may be redundant, but the redundancy is intentional so that
           we can double check what is really happening at the time of crash.

        * heap/Heap.cpp:
        (JSC::asInt):
        (JSC::Heap::checkConn):
        (JSC::Heap::changePhase):
        * heap/Heap.h:
        * runtime/VM.cpp:
        (JSC::VM::nextID):
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::numberOfIDs):
        (JSC::VM::id const):
        (JSC::VM::isEntered const):

2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Record CoW status in ArrayProfile correctly
        https://bugs.webkit.org/show_bug.cgi?id=187949

        Reviewed by Saam Barati.

        In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
        This is important since our OSR exit compiler records m_observedArrayModes by calculating
        ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
        our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
        Array::Generic DFG nodes.

        * bytecode/ArrayProfile.h:
        (JSC::asArrayModes):
        (JSC::ArrayProfile::ArrayProfile):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileExit):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * runtime/IndexingType.h:

2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Remove INTL sub-feature compile flags
        https://bugs.webkit.org/show_bug.cgi?id=188081

        Reviewed by Michael Catanzaro.

        Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
        The runtime flags are still present, and should be relied on instead.
        The defines for ICU features have also been updated to match HAVE() style.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRules.h:
        * runtime/Options.h:

2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Dump IndexingMode in Structure
        https://bugs.webkit.org/show_bug.cgi?id=188085

        Reviewed by Keith Miller.

        Dump IndexingMode instead of IndexingType.

        * runtime/Structure.cpp:
        (JSC::Structure::dump const):

2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>

        String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
        https://bugs.webkit.org/show_bug.cgi?id=187963

        Reviewed by Alex Christensen.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):
        * jsc.cpp:
        (ModuleName::ModuleName):
        (resolvePath):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLanguageTag):
        (JSC::removeUnicodeLocaleExtension):
        Update split/splitAllowingEmptyEntries usage.

2018-07-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r234181 and r234189.
        https://bugs.webkit.org/show_bug.cgi?id=188075

        These are not needed right now (Requested by thorton on
        #webkit).

        Reverted changesets:

        "Enable Web Content Filtering on watchOS"
        https://bugs.webkit.org/show_bug.cgi?id=187979
        https://trac.webkit.org/changeset/234181

        "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
        https://bugs.webkit.org/show_bug.cgi?id=187985
        https://trac.webkit.org/changeset/234189

2018-07-26  Mark Lam  <mark.lam@apple.com>

        arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
        https://bugs.webkit.org/show_bug.cgi?id=188065
        <rdar://problem/42515726>

        Reviewed by Saam Barati.

        * runtime/ArrayPrototype.cpp:
        (JSC::clearElement):
        (JSC::copyElements):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):

2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>

        JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
        https://bugs.webkit.org/show_bug.cgi?id=167991

        Reviewed by Michael Catanzaro.

        Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
        Checked locale.isEmpty() before returning it from defaultLocale, so there should be
        no more cases where you might have an invalid locale come back from resolveLocale.

        * runtime/IntlObject.cpp:
        (JSC::convertICULocaleToBCP47LanguageTag):
        (JSC::defaultLocale):
        (JSC::lookupMatcher):
        * runtime/IntlObject.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::intlCollatorAvailableLocales):
        (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
        (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):

2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>

        REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
        https://bugs.webkit.org/show_bug.cgi?id=188040

        Unreviewed build fix for AppleWin port.

        * API/tests/testapi.c: Disabled warning C4204.
        (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.

2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>

        [JSC API] We should support the symbol type in our C/Obj-C API
        https://bugs.webkit.org/show_bug.cgi?id=175836

        Unreviewed build fix for Windows port.

        r234227 introduced a compilation error unresolved external symbol
        "int __cdecl testCAPIViaCpp(void)" in testapi for Windows ports.

        Windows ports are compiling testapi.c as C++ by using /TP switch.

        * API/tests/testapi.c:
        (main): Removed `::` prefix of ::SetErrorMode Windows API.
        (dllLauncherEntryPoint): Converted into C style.
        * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c

2018-07-25  Keith Miller  <keith_miller@apple.com>

        [JSC API] We should support the symbol type in our C/Obj-C API
        https://bugs.webkit.org/show_bug.cgi?id=175836

        Reviewed by Filip Pizlo.

        This patch makes the following API additions:
        1) Test if a JSValue/JSValueRef is a symbol via any of the methods API are able to test for the types of other JSValues.
        2) Create a symbol on both APIs.
        3) Get/Set/Delete/Define property now take ids in the Obj-C API.
        4) Add Get/Set/Delete in the C API.

        We can do 3 because it is both binary and source compatable with
        the existing API. I added (4) because the current property access
        APIs only have the ability to get Strings. It was possible to
        merge symbols into JSStringRef but that felt confusing and exposes
        implementation details of our engine. The new functions match the
        same meaning that they have in JS, thus should be forward
        compatible with any future language extensions.

        Lastly, this patch adds the same availability preproccessing phase
        in WebCore to JavaScriptCore, which enables TBA features for
        testing on previous releases.

        * API/APICast.h:
        * API/JSBasePrivate.h:
        * API/JSContext.h:
        * API/JSContextPrivate.h:
        * API/JSContextRef.h:
        * API/JSContextRefInternal.h:
        * API/JSContextRefPrivate.h:
        * API/JSManagedValue.h:
        * API/JSObjectRef.cpp:
        (JSObjectHasPropertyKey):
        (JSObjectGetPropertyKey):
        (JSObjectSetPropertyKey):
        (JSObjectDeletePropertyKey):
        * API/JSObjectRef.h:
        * API/JSRemoteInspector.h:
        * API/JSTypedArray.h:
        * API/JSValue.h:
        * API/JSValue.mm:
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
        (performPropertyOperation):
        (-[JSValue valueForProperty:valueForProperty:]):
        (-[JSValue setValue:forProperty:setValue:forProperty:]):
        (-[JSValue deleteProperty:deleteProperty:]):
        (-[JSValue hasProperty:hasProperty:]):
        (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
        (-[JSValue isSymbol]):
        (-[JSValue objectForKeyedSubscript:]):
        (-[JSValue setObject:forKeyedSubscript:]):
        (-[JSValue valueForProperty:]): Deleted.
        (-[JSValue setValue:forProperty:]): Deleted.
        (-[JSValue deleteProperty:]): Deleted.
        (-[JSValue hasProperty:]): Deleted.
        (-[JSValue defineProperty:descriptor:]): Deleted.
        * API/JSValueRef.cpp:
        (JSValueGetType):
        (JSValueIsSymbol):
        (JSValueMakeSymbol):
        * API/JSValueRef.h:
        * API/WebKitAvailability.h:
        * API/tests/CurrentThisInsideBlockGetterTest.mm:
        * API/tests/CustomGlobalObjectClassTest.c:
        * API/tests/DateTests.mm:
        * API/tests/JSExportTests.mm:
        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * API/tests/Node.c:
        * API/tests/NodeList.c:
        * API/tests/minidom.c:
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.cpp: Added.
        (APIString::APIString):
        (APIString::~APIString):
        (APIString::operator JSStringRef):
        (APIContext::APIContext):
        (APIContext::~APIContext):
        (APIContext::operator JSGlobalContextRef):
        (APIVector::APIVector):
        (APIVector::~APIVector):
        (APIVector::append):
        (testCAPIViaCpp):
        (TestAPI::evaluateScript):
        (TestAPI::callFunction):
        (TestAPI::functionReturnsTrue):
        (TestAPI::check):
        (TestAPI::checkJSAndAPIMatch):
        (TestAPI::interestingObjects):
        (TestAPI::interestingKeys):
        (TestAPI::run):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * config.h:
        * postprocess-headers.sh:
        * shell/CMakeLists.txt:
        * testmem/testmem.mm:

2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Call Typed Array elements toLocaleString with locale and options
        https://bugs.webkit.org/show_bug.cgi?id=185796

        Reviewed by Keith Miller.

        Improve ECMA 402 compliance of typed array toLocaleString, passing along
        the locale and options to element toLocaleString calls.

        * builtins/TypedArrayPrototype.js:
        (toLocaleString):

2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Intl constructor lengths should be configurable
        https://bugs.webkit.org/show_bug.cgi?id=187960

        Reviewed by Saam Barati.

        Removed DontDelete from Intl constructor lengths.
        Fixed DateTimeFormat formatToParts length.

        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::finishCreation):

2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>

        runJITThreadLimitTests is failing
        https://bugs.webkit.org/show_bug.cgi?id=187886
        <rdar://problem/42561966>

        Unreviewed build fix for MSVC.

        MSVC doen't support ternary operator without second operand.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::getNumberOfDFGCompilerThreads):
        (JSC::DFG::getNumberOfFTLCompilerThreads):

2018-07-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r234183.
        https://bugs.webkit.org/show_bug.cgi?id=187983

        cause regression in Kraken gaussian blur and desaturate
        (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] Record CoW status in ArrayProfile"
        https://bugs.webkit.org/show_bug.cgi?id=187949
        https://trac.webkit.org/changeset/234183

2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Record CoW status in ArrayProfile
        https://bugs.webkit.org/show_bug.cgi?id=187949

        Reviewed by Saam Barati.

        Once CoW array is converted to non-CoW array, subsequent operations are done for this non-CoW array.
        Even though these operations are performed onto both CoW and non-CoW arrays in the code, array profiles
        in these code typically record only non-CoW arrays since array profiles hold only one StructureID recently
        seen. This results emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
        CoW arrays.

        In this patch, we record CoW status in ArrayProfile separately to construct more appropriate DFG::ArrayMode
        speculation. To do so efficiently, we store union of seen IndexingMode in ArrayProfile.

        This patch removes one of Kraken/stanford-crypto-aes's OSR exit reason, and improves the performance by 6-7%.

                                      baseline                  patched

        stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
        stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
        * bytecode/ArrayProfile.h:
        (JSC::asArrayModes):
        We simplify asArrayModes instead of giving up Int8ArrayMode - Float64ArrayMode contiguous sequence.

        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfObservedIndexingModes):
        (JSC::ArrayProfile::observedIndexingModes const):
        Currently, our macro assembler and offlineasm only support `or32` / `ori` operation onto addresses.
        So storing the union of seen IndexingMode in `unsigned` instead.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withProfile const):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-07-24  Tim Horton  <timothy_horton@apple.com>

        Enable Web Content Filtering on watchOS
        https://bugs.webkit.org/show_bug.cgi?id=187979
        <rdar://problem/42559346>

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:

2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>

        Don't modify Options when setting JIT thread limits
        https://bugs.webkit.org/show_bug.cgi?id=187886

        Reviewed by Filip Pizlo.

        Previously, when setting the JIT thread limit prior to the worklist
        initialization, it'd be set via Options, which didn't work if Options
        hadn't been initialized yet. Change it to use a static variable in the
        Worklist instead.

        * API/JSVirtualMachine.mm:
        (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
        (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::getNumberOfDFGCompilerThreads):
        (JSC::DFG::getNumberOfFTLCompilerThreads):
        (JSC::DFG::setNumberOfDFGCompilerThreads):
        (JSC::DFG::setNumberOfFTLCompilerThreads):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:

2018-07-24  Mark Lam  <mark.lam@apple.com>

        Refactoring: make DFG::Plan a class.
        https://bugs.webkit.org/show_bug.cgi?id=187968

        Reviewed by Saam Barati.

        This patch makes all the DFG::Plan fields private, and provide accessor methods
        for them.  This makes it easier to reason about how these fields are used and
        modified.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::injectOSR):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGCommonData.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFinalizer.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::watchCondition):
        (JSC::DFG::Graph::inferredTypeFor):
        (JSC::DFG::Graph::requiredRegisterCountForExit):
        (JSC::DFG::Graph::registerFrozenValues):
        (JSC::DFG::Graph::registerStructure):
        (JSC::DFG::Graph::registerAndWatchStructureTransition):
        (JSC::DFG::Graph::assertIsRegistered):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::compilation):
        (JSC::DFG::Graph::identifiers):
        (JSC::DFG::Graph::watchpoints):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::disassemble):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReference):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::computeCompileTimes const):
        (JSC::DFG::Plan::reportCompileTimes const):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::isStillValid):
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        (JSC::DFG::Plan::key):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::finalizeInGC):
        (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
        * dfg/DFGPlan.h:
        (JSC::DFG::Plan::canTierUpAndOSREnter const):
        (JSC::DFG::Plan::vm const):
        (JSC::DFG::Plan::codeBlock):
        (JSC::DFG::Plan::mode const):
        (JSC::DFG::Plan::osrEntryBytecodeIndex const):
        (JSC::DFG::Plan::mustHandleValues const):
        (JSC::DFG::Plan::threadData const):
        (JSC::DFG::Plan::compilation const):
        (JSC::DFG::Plan::finalizer const):
        (JSC::DFG::Plan::setFinalizer):
        (JSC::DFG::Plan::inlineCallFrames const):
        (JSC::DFG::Plan::watchpoints):
        (JSC::DFG::Plan::identifiers):
        (JSC::DFG::Plan::weakReferences):
        (JSC::DFG::Plan::transitions):
        (JSC::DFG::Plan::recordedStatuses):
        (JSC::DFG::Plan::willTryToTierUp const):
        (JSC::DFG::Plan::setWillTryToTierUp):
        (JSC::DFG::Plan::tierUpInLoopHierarchy):
        (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
        (JSC::DFG::Plan::stage const):
        (JSC::DFG::Plan::callback const):
        (JSC::DFG::Plan::setCallback):
        * dfg/DFGPlanInlines.h:
        (JSC::DFG::Plan::iterateCodeBlocksForGC):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::begin):
        * dfg/DFGSafepoint.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM const):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
        * dfg/DFGWorklistInlines.h:
        (JSC::DFG::Worklist::iterateCodeBlocksForGC):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
        (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):

2018-07-24  Saam Barati  <sbarati@apple.com>

        Make VM::canUseJIT an inlined function
        https://bugs.webkit.org/show_bug.cgi?id=187583

        Reviewed by Mark Lam.

        We know the answer to this query in initializeThreading after initializing
        the executable allocator. This patch makes it so that we just hold this value
        in a static variable and have an inlined function that just returns the value
        of that static variable.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/VM.cpp:
        (JSC::VM::computeCanUseJIT):
        (JSC::VM::canUseJIT): Deleted.
        * runtime/VM.h:
        (JSC::VM::canUseJIT):

2018-07-24  Mark Lam  <mark.lam@apple.com>

        Placate exception check verification after recent changes.
        https://bugs.webkit.org/show_bug.cgi?id=187961
        <rdar://problem/42545394>

        Reviewed by Saam Barati.

        * runtime/IntlObject.cpp:
        (JSC::intlNumberOption):

2018-07-23  Saam Barati  <sbarati@apple.com>

        need to didFoldClobberWorld when we constant fold GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=187917
        <rdar://problem/42505095>

        Reviewed by Yusuke Suzuki.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Language tags are not canonicalized
        https://bugs.webkit.org/show_bug.cgi?id=185836

        Reviewed by Keith Miller.

        Canonicalize language tags, replacing deprecated tag parts with the
        preferred values. Remove broken support for algorithmic numbering systems,
        that can cause an error in icu, and are not supported in other engines.

        Generate the lookup functions from the language-subtag-registry.

        Also initialize the UNumberFormat in initializeNumberFormat so any
        failures are thrown immediately instead of failing to format later.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/generateIntlCanonicalizeLanguage.py: Added.
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatNumber):
        (JSC::IntlNumberFormat::formatToParts):
        (JSC::IntlNumberFormat::createNumberFormat): Deleted.
        * runtime/IntlNumberFormat.h:
        * runtime/IntlObject.cpp:
        (JSC::intlNumberOption):
        (JSC::intlDefaultNumberOption):
        (JSC::preferredLanguage):
        (JSC::preferredRegion):
        (JSC::canonicalLangTag):
        (JSC::canonicalizeLanguageTag):
        (JSC::defaultLocale):
        (JSC::removeUnicodeLocaleExtension):
        (JSC::numberingSystemsForLocale):
        (JSC::grandfatheredLangTag): Deleted.
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::initializePluralRules):
        * runtime/JSGlobalObject.cpp:
        (JSC::addMissingScriptLocales):
        (JSC::JSGlobalObject::intlCollatorAvailableLocales):
        (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
        (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
        * ucd/language-subtag-registry.txt: Added.

2018-07-23  Mark Lam  <mark.lam@apple.com>

        Add some asserts to help diagnose a crash.
        https://bugs.webkit.org/show_bug.cgi?id=187915
        <rdar://problem/42508166>

        Reviewed by Michael Saboff.

        Add some asserts to verify that an CodeBlock alternative should always have a
        non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
        CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
        so that we'll retain the state of the variables that failed the assertion (again
        to help with diagnosis).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setAlternative):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):

2018-07-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix no-JIT build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/InByIdStatus.cpp:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):

2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
        https://bugs.webkit.org/show_bug.cgi?id=187891

        Reviewed by Saam Barati.

        When merging GetByIdVariant and InByIdVariant, we accidentally make merging failed if
        two variants are mergeable but they have "Miss" status. We make merging failed if
        the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
        if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL,
        which patch have more chances to merge variants.

        This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
        is not related since it does not use this check in Transition case.

        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::attemptToMerge):
        * bytecode/InByIdVariant.cpp:
        (JSC::InByIdVariant::attemptToMerge):

2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Fold GetByVal if the indexed value is non configurable and non writable
        https://bugs.webkit.org/show_bug.cgi?id=186462

        Reviewed by Saam Barati.

        Non-special DontDelete | ReadOnly properties mean that it won't be changed. If DFG AI can retrieve this
        property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
        Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.

        This patch attempts to fold such properties into constant in DFG AI. The challenge is that DFG AI runs
        concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
        and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
        attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
        changed and we can safely use it. We arrange our existing code to use this protocol.

        Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled in x86 architecture
        since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only in x86.

        This patch improves SixSpeed/template_string_tag.es6.

                                          baseline                  patched

        template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        (JSC::JSObject::putIndexedDescriptor): Deleted.
        * runtime/JSObject.h:
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::SparseArrayValueMap):
        (JSC::SparseArrayValueMap::add):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::SparseArrayValueMap::getConcurrently):
        (JSC::SparseArrayEntry::get const):
        (JSC::SparseArrayEntry::getConcurrently const):
        (JSC::SparseArrayEntry::put):
        (JSC::SparseArrayEntry::getNonSparseMode const):
        (JSC::SparseArrayValueMap::visitChildren):
        (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
        * runtime/SparseArrayValueMap.h:
        (JSC::SparseArrayEntry::SparseArrayEntry):
        (JSC::SparseArrayEntry::attributes const):
        (JSC::SparseArrayEntry::forceSet):
        (JSC::SparseArrayEntry::asValue):

2018-06-02  Filip Pizlo  <fpizlo@apple.com>

        We should support CreateThis in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=164904

        Reviewed by Yusuke Suzuki.
        
        This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
        inference adventure.
        
        CreateThis in the FTL was a massive regression in raytrace because it disturbed that
        benchmark's extremely perverse way of winning at type inference:
        
        - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
          the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
          benchmark was falling back to other mechanisms...
        
        - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
          see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
          GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
          that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
          The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
          is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
          
          Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
          into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
          baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
          helper because it had a CreateThis.
        
        - Compilations that inlined the construction helper would have gotten super lucky with
          parse-time constant folding, so they knew what structure the input to the get_by_id would
          have at parse time. This is only profitable if the get_by_id parsing computed a
          GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
          the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
          cases, we would indeed get a finite number of cases. The parser would then prune those
          cases to just one - based on its knowledge of the structure - and that would result in that
          get_by_id being folded at parse time to a constant.
        
        - The subsequent op_call would inline based on parse-time knowledge of that constant.
        
        This patch comprehensively fixes these issues, as well as other issues that come up along the
        way. The short version is that raytrace was revealing sloppiness in our use of profiling for
        type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
        i.e. the profiling that considers call context. I was encouraged to do this by the fact that
        even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
        Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
        attack raytrace's problem as a shortcoming of polyvariant profiling.
        
        - Polyvariant profiling now consults every DFG or FTL code block that participated in any
          subset of the inline stack that includes the IC we're profiling. For example, if we have
          an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
          compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
          up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
          a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
          polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
          from polyvariant profling. Previously, the polyvariant profiler would only look at the
          previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
          had inlined bar and then baz. It may not have done that, because those calls could have
          required polyvariant profiling that was only available in the FTL.
          
        - A particularly interesting case is when some IC in foo-baseline is also available in
          foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
          In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
          the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
          find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
          merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
          because it warns us of historical polymorphism. Historical polymorphism usually means
          future polymorphism. IC status code already had some merging functionality, but I needed to
          beef it up a lot to make this work right.
        
        - Inlining an inline cache now preserves as much information as profiling. One challenge of
          polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
          inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
          (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
          say "I don't have such an IC". At this point the DFG compilation that included that IC that
          gave us the information that we used to inline the IC is no longer alive. To keep us from
          losing the information we learned about the IC, there is now a RecordedStatuses data
          structure that preserves the statuses we use for inlining ICs. We also filter those
          statuses according to things we learn from AI. This further reduces the risk of information
          about an IC being forgotten.
        
        - Exit profiling now considers whether or not an exit happened from inline code. This
          protects us in the case where the not-inlined version of an IC exited a lot because of
          polymorphism that doesn't exist in the inlined version. So, when using polyvariant
          profiling data, we consider only inlined exits.
        
        - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
          would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
          surprising that we've had this bug.
        
        Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
        microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
        Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
        prototype access folding in the bytecode parser and constant folder. That would require some
        significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
        have a test that captures raytrace's behavior in the case that the parser cannot fold the
        get_by_id.
        
        This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
        recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
        compile time regression anytime we fill in FTL coverage.
        
        This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
        speeds up and that raytrace slows down, but these changes balance out and don't affect the
        overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
        or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
        0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
        see a significant difference. In all three cases the difference is <0.5% with a high p value,
        with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
        an insignificant infinitesimal slow-down.
        
        Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
        eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
        flow in a polymorphic constructor while having a bad time, and we'll still compile it.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/ByValInfo.h:
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<Block>::printCallOp):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeDumper.h:
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeExitSiteData):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::accountForExits):
        (JSC::CallLinkStatus::finalize):
        (JSC::CallLinkStatus::filter):
        (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::operator bool const):
        (JSC::CallLinkStatus::operator! const): Deleted.
        * bytecode/CallVariant.cpp:
        (JSC::CallVariant::finalize):
        (JSC::CallVariant::filter):
        * bytecode/CallVariant.h:
        (JSC::CallVariant::operator bool const):
        (JSC::CallVariant::operator! const): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::getICStatusMap):
        (JSC::CodeBlock::resetJITData):
        (JSC::CodeBlock::getStubInfoMap): Deleted.
        (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
        (JSC::CodeBlock::getByValInfoMap): Deleted.
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::isApproximatelyEqualTo const):
        (JSC::CodeOrigin::approximateHash const):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::exitingInlineKind const):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::FrequentExitSite::dump const):
        (JSC::DFG::ExitProfile::add):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::FrequentExitSite::FrequentExitSite):
        (JSC::DFG::FrequentExitSite::operator== const):
        (JSC::DFG::FrequentExitSite::subsumes const):
        (JSC::DFG::FrequentExitSite::hash const):
        (JSC::DFG::FrequentExitSite::inlineKind const):
        (JSC::DFG::FrequentExitSite::withInlineKind const):
        (JSC::DFG::QueryableExitProfile::hasExitSite const):
        (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
        (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
        * bytecode/ExitFlag.cpp: Added.
        (JSC::ExitFlag::dump const):
        * bytecode/ExitFlag.h: Added.
        (JSC::ExitFlag::ExitFlag):
        (JSC::ExitFlag::operator| const):
        (JSC::ExitFlag::operator|=):
        (JSC::ExitFlag::operator& const):
        (JSC::ExitFlag::operator&=):
        (JSC::ExitFlag::operator bool const):
        (JSC::ExitFlag::isSet const):
        * bytecode/ExitingInlineKind.cpp: Added.
        (WTF::printInternal):
        * bytecode/ExitingInlineKind.h: Added.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::slowVersion const):
        (JSC::GetByIdStatus::markIfCheap):
        (JSC::GetByIdStatus::finalize):
        (JSC::GetByIdStatus::hasExitSite): Deleted.
        * bytecode/GetByIdStatus.h:
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::markIfCheap):
        (JSC::GetByIdVariant::finalize):
        * bytecode/GetByIdVariant.h:
        * bytecode/ICStatusMap.cpp: Added.
        (JSC::ICStatusContext::get const):
        (JSC::ICStatusContext::isInlined const):
        (JSC::ICStatusContext::inlineKind const):
        * bytecode/ICStatusMap.h: Added.
        * bytecode/ICStatusUtils.cpp: Added.
        (JSC::hasBadCacheExitSite):
        * bytecode/ICStatusUtils.h:
        * bytecode/InstanceOfStatus.cpp:
        (JSC::InstanceOfStatus::computeFor):
        * bytecode/InstanceOfStatus.h:
        * bytecode/PolyProtoAccessChain.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::hasExitSite):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::slowVersion const):
        (JSC::PutByIdStatus::markIfCheap):
        (JSC::PutByIdStatus::finalize):
        (JSC::PutByIdStatus::filter):
        * bytecode/PutByIdStatus.h:
        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::markIfCheap):
        (JSC::PutByIdVariant::finalize):
        * bytecode/PutByIdVariant.h:
        (JSC::PutByIdVariant::structureSet const):
        * bytecode/RecordedStatuses.cpp: Added.
        (JSC::RecordedStatuses::operator=):
        (JSC::RecordedStatuses::RecordedStatuses):
        (JSC::RecordedStatuses::addCallLinkStatus):
        (JSC::RecordedStatuses::addGetByIdStatus):
        (JSC::RecordedStatuses::addPutByIdStatus):
        (JSC::RecordedStatuses::markIfCheap):
        (JSC::RecordedStatuses::finalizeWithoutDeleting):
        (JSC::RecordedStatuses::finalize):
        (JSC::RecordedStatuses::shrinkToFit):
        * bytecode/RecordedStatuses.h: Added.
        (JSC::RecordedStatuses::RecordedStatuses):
        (JSC::RecordedStatuses::forEachVector):
        * bytecode/StructureSet.cpp:
        (JSC::StructureSet::markIfCheap const):
        (JSC::StructureSet::isStillAlive const):
        * bytecode/StructureSet.h:
        * bytecode/TerminatedCodeOrigin.h: Added.
        (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
        (JSC::TerminatedCodeOriginHashTranslator::hash):
        (JSC::TerminatedCodeOriginHashTranslator::equal):
        * bytecode/Watchpoint.cpp:
        (WTF::printInternal):
        * bytecode/Watchpoint.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGCommonData.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasCallLinkStatus):
        (JSC::DFG::Node::callLinkStatus):
        (JSC::DFG::Node::hasGetByIdStatus):
        (JSC::DFG::Node::getByIdStatus):
        (JSC::DFG::Node::hasPutByIdStatus):
        (JSC::DFG::Node::putByIdStatus):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::finalizeInGC):
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::removeDeadPlans):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus):
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallStubRoutine::hasEdges const):
        (JSC::PolymorphicCallStubRoutine::edges const):
        * jit/PolymorphicCallStubRoutine.h:
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        * runtime/Options.h:

2018-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function
        https://bugs.webkit.org/show_bug.cgi?id=187472

        Reviewed by Mark Lam.

        std::function allocates memory from standard malloc instead of bmalloc. Instead of
        using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}.

        This patch attempts to replace std::function with the above WTF function types.
        If the function's lifetime can be the same to the stack, we can use ScopedLambda, which
        is really efficient. Otherwise, we should use WTF::Function.
        For recurring use cases, we can use RecursableLambda.

        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        * b3/air/AirDisassembler.cpp:
        (JSC::B3::Air::Disassembler::dump):
        * b3/air/AirDisassembler.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json):
        * heap/HeapSnapshotBuilder.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::dump const):
        * interpreter/StackVisitor.h:
        * runtime/PromiseDeferredTimer.h:
        * runtime/VM.cpp:
        (JSC::VM::whenIdle):
        (JSC::enableProfilerWithRespectToCount):
        (JSC::disableProfilerWithRespectToCount):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::addDidPopListener):
        * runtime/VMEntryScope.h:
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::verifyCellList):
        (JSC::HeapVerifier::validateCell):
        (JSC::HeapVerifier::validateJSCell):
        * tools/HeapVerifier.h:

2018-07-20  Michael Saboff  <msaboff@apple.com>

        DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
        https://bugs.webkit.org/show_bug.cgi?id=187827
        rdar://problem/42146858

        Reviewed by Saam Barati.

        When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
        that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
        We can't end up with other shapes, Int32, Double, etc because GenericArguments sets 
        InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
        putByIndex() path that doesn't change the shape.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):

2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Fold GetByVal if Array is CoW
        https://bugs.webkit.org/show_bug.cgi?id=186459

        Reviewed by Saam Barati.

        CoW indexing type means that we now tracks the changes in CoW Array by structure. So DFG has a chance to
        fold GetByVal if the given array is CoW. This patch folds GetByVal onto the CoW Array. If the structure
        is watched and the butterfly is JSImmutableButterfly, we can load the value from this butterfly.

        This can be useful since these CoW arrays are used for a storage for constants. Constant-indexed access
        to these constant arrays can be folded into an actual constant by this patch.

                                           baseline                  patched

        template_string.es6          4993.9853+-147.5308   ^    824.1685+-44.1839       ^ definitely 6.0594x faster
        template_string_tag.es5        67.0822+-2.0100     ^      9.3540+-0.5376        ^ definitely 7.1715x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=186602

        Reviewed by Saam Barati.

        JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
        change the part of the butterfly, length etc. We prove that our procedure is safe, and
        drop the cellLock() here.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertContiguousToArrayStorage):

2018-07-20  Saam Barati  <sbarati@apple.com>

        CompareEq should be using KnownOtherUse instead of OtherUse
        https://bugs.webkit.org/show_bug.cgi?id=186814
        <rdar://problem/39720030>

        Reviewed by Filip Pizlo.

        CompareEq in fixup phase was doing this:
        insertCheck(child, OtherUse)
        setUseKind(child, OtherUse)
        And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
        lead to edge verification crashing because a phase may optimize the check out
        by removing the node. However, AI may not be privy to that optimization, and
        AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
        backend to actually emit a check here, but it does not.
        
        This exact pattern is why we have KnownXYZ use kinds. This patch introduces
        KnownOtherUse and changes the above pattern to be:
        insertCheck(child, OtherUse)
        setUseKind(child, KnownOtherUse)

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::shouldNotHaveTypeCheck):
        (JSC::DFG::checkMayCrashIfInputIsEmpty):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):

2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] A bit performance improvement for Object.assign by cleaning up code
        https://bugs.webkit.org/show_bug.cgi?id=187852

        Reviewed by Saam Barati.

        We clean up Object.assign code a bit.

        1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
        2. canDoFastPath is not necessary. Restructuring the code to clean up things.

        It improves the performance a bit.

                                    baseline                  patched

        object-assign.es6      237.7719+-5.5175          231.2856+-4.6907          might be 1.0280x faster

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):

2018-07-19  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
        https://bugs.webkit.org/show_bug.cgi?id=187798

        Reviewed by Michael Catanzaro.

        Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
        jsc_value_new_object() because indeed we are creating a new object. This makes destroy function and vtable
        functions to work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
        patch adds JSAPIWrapperGlobalObject or that.

        * API/glib/JSAPIWrapperGlobalObject.cpp: Added.
        (jsAPIWrapperGlobalObjectHandleOwner):
        (JSAPIWrapperGlobalObjectHandleOwner::finalize):
        (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
        (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
        (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
        (JSC::JSAPIWrapperGlobalObject::finishCreation):
        (JSC::JSAPIWrapperGlobalObject::visitChildren):
        * API/glib/JSAPIWrapperGlobalObject.h: Added.
        (JSC::JSAPIWrapperGlobalObject::wrappedObject const):
        (JSC::JSAPIWrapperGlobalObject::setWrappedObject):
        * API/glib/JSCClass.cpp:
        (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
        (wrappedObjectClass): Return the class of a wrapped object.
        (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
        scope extension global object is used instead.
        (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
        (setProperty): Ditto.
        (hasProperty): Ditto.
        (deleteProperty): Ditto.
        (getPropertyNames): Ditto.
        (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
        * API/glib/JSCClassPrivate.h:
        * API/glib/JSCContext.cpp:
        (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
        (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
        * API/glib/JSCContext.h:
        * API/glib/JSCContextPrivate.h:
        * API/glib/JSCWrapperMap.cpp:
        (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
        when a JSCClass is used to create the JSAPIWrapperGlobalObject.
        (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
        * API/glib/JSCWrapperMap.h:
        * GLib.cmake:

2018-07-19  Saam Barati  <sbarati@apple.com>

        Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
        https://bugs.webkit.org/show_bug.cgi?id=187836
        <rdar://problem/42409527>

        Reviewed by Mark Lam.

        We have crash reports that we're crashing on source->getDirect in Object.assign's
        fast path. Mark investigated this and determined we end up with a nullptr for
        butterfly. This is curious, because source's Structure indicated that it has
        out of line properties. My leading hypothesis for this at the moment is a bit
        handwavy, but it's essentially:
        - We end up firing a watchpoint when assigning to the target (this can happen
        if a watchpoint was set up for storing to that particular field)
        - When we fire that watchpoint, we end up doing some kind work on the source,
        perhaps causing it to flattenDictionaryStructure. Therefore, we end up
        mutating source.
        
        I'm not super convinced this is what we're running into, but just by reading
        the code, I think it needs to be something similar to this. Seeing if this change
        fixes the crasher will give us good data to determine if something like this is
        happening or if the bug is something else entirely.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):

2018-07-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r233998.
        https://bugs.webkit.org/show_bug.cgi?id=187815

        Not needed. (Requested by mlam|a on #webkit).

        Reverted changeset:

        "Temporarily mitigate a bug where a source provider is null
        when it shouldn't be."
        https://bugs.webkit.org/show_bug.cgi?id=187812
        https://trac.webkit.org/changeset/233998

2018-07-19  Mark Lam  <mark.lam@apple.com>

        Temporarily mitigate a bug where a source provider is null when it shouldn't be.
        https://bugs.webkit.org/show_bug.cgi?id=187812
        <rdar://problem/41192691>

        Reviewed by Michael Saboff.

        Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.

        * runtime/Error.cpp:
        (JSC::addErrorInfo):

2018-07-19  Keith Rollin  <krollin@apple.com>

        Adjust WEBCORE_EXPORT annotations for LTO
        https://bugs.webkit.org/show_bug.cgi?id=187781
        <rdar://problem/42351124>

        Reviewed by Alex Christensen.

        Continuation of Bug 186944. This bug addresses issues not caught
        during the first pass of adjustments. The initial work focussed on
        macOS; this one addresses issues found when building for iOS. From
        186944:

        Adjust a number of places that result in WebKit's
        'check-for-weak-vtables-and-externals' script reporting weak external
        symbols:

            ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
            ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
            ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
            ...

        These cases are caused by inline methods being marked with WTF_EXPORT
        (or related macro) or with an inline function being in a class marked
        as such, and when enabling LTO builds.

        For the most part, address these by removing the WEBCORE_EXPORT
        annotation from inline methods. In some cases, move the implementation
        out-of-line because it's the class that has the WEBCORE_EXPORT on it
        and removing the annotation from the class would be too disruptive.
        Finally, in other cases, move the implementation out-of-line because
        check-for-weak-vtables-and-externals still complains when keeping the
        implementation inline and removing the annotation; this seems to
        typically (but not always) happen with destructors.

        * inspector/remote/RemoteAutomationTarget.cpp:
        (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
        * inspector/remote/RemoteAutomationTarget.h:
        * inspector/remote/RemoteInspector.cpp:
        (Inspector::RemoteInspector::Client::~Client):
        * inspector/remote/RemoteInspector.h:

2018-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, check scope after performing getPropertySlot in JSON.stringify
        https://bugs.webkit.org/show_bug.cgi?id=187807

        Properly putting EXCEPTION_ASSERT to tell our exception checker mechanism
        that we know that exception occurrence and handle it well.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):

2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Reduce size of AST nodes
        https://bugs.webkit.org/show_bug.cgi?id=187689

        Reviewed by Mark Lam.

        We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
        of ParserArena at peak state.

        1. Annotate `final` to AST nodes to make them solid. And it allows the compiler to
        devirtualize a call to the function which are implemented in a final class.

        2. Use default member initializers more.

        3. And use `nullptr` instead of `0`.

        4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
        of classes in multiple inheritance. In particular, StatementNode is decreased from 48
        to 40. This decreases the sizes of all the derived Statement nodes.

        * parser/NodeConstructors.h:
        (JSC::Node::Node):
        (JSC::StatementNode::StatementNode):
        (JSC::ElementNode::ElementNode):
        (JSC::ArrayNode::ArrayNode):
        (JSC::PropertyListNode::PropertyListNode):
        (JSC::ObjectLiteralNode::ObjectLiteralNode):
        (JSC::ArgumentListNode::ArgumentListNode):
        (JSC::ArgumentsNode::ArgumentsNode):
        (JSC::NewExprNode::NewExprNode):
        (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
        (JSC::BinaryOpNode::BinaryOpNode):
        (JSC::LogicalOpNode::LogicalOpNode):
        (JSC::CommaNode::CommaNode):
        (JSC::SourceElements::SourceElements):
        (JSC::ClauseListNode::ClauseListNode):
        * parser/Nodes.cpp:
        (JSC::FunctionMetadataNode::FunctionMetadataNode):
        (JSC::FunctionMetadataNode::operator== const):
        (JSC::FunctionMetadataNode::dump const):
        * parser/Nodes.h:
        (JSC::BooleanNode::value): Deleted.
        (JSC::StringNode::value): Deleted.
        (JSC::TemplateExpressionListNode::value): Deleted.
        (JSC::TemplateExpressionListNode::next): Deleted.
        (JSC::TemplateStringNode::cooked): Deleted.
        (JSC::TemplateStringNode::raw): Deleted.
        (JSC::TemplateStringListNode::value): Deleted.
        (JSC::TemplateStringListNode::next): Deleted.
        (JSC::TemplateLiteralNode::templateStrings const): Deleted.
        (JSC::TemplateLiteralNode::templateExpressions const): Deleted.
        (JSC::TaggedTemplateNode::templateLiteral const): Deleted.
        (JSC::ResolveNode::identifier const): Deleted.
        (JSC::ElementNode::elision const): Deleted.
        (JSC::ElementNode::value): Deleted.
        (JSC::ElementNode::next): Deleted.
        (JSC::ArrayNode::elements const): Deleted.
        (JSC::PropertyNode::expressionName const): Deleted.
        (JSC::PropertyNode::name const): Deleted.
        (JSC::PropertyNode::type const): Deleted.
        (JSC::PropertyNode::needsSuperBinding const): Deleted.
        (JSC::PropertyNode::isClassProperty const): Deleted.
        (JSC::PropertyNode::isStaticClassProperty const): Deleted.
        (JSC::PropertyNode::isInstanceClassProperty const): Deleted.
        (JSC::PropertyNode::isOverriddenByDuplicate const): Deleted.
        (JSC::PropertyNode::setIsOverriddenByDuplicate): Deleted.
        (JSC::PropertyNode::putType const): Deleted.
        (JSC::BracketAccessorNode::base const): Deleted.
        (JSC::BracketAccessorNode::subscript const): Deleted.
        (JSC::BracketAccessorNode::subscriptHasAssignments const): Deleted.
        (JSC::DotAccessorNode::base const): Deleted.
        (JSC::DotAccessorNode::identifier const): Deleted.
        (JSC::SpreadExpressionNode::expression const): Deleted.
        (JSC::ObjectSpreadExpressionNode::expression const): Deleted.
        (JSC::BytecodeIntrinsicNode::type const): Deleted.
        (JSC::BytecodeIntrinsicNode::emitter const): Deleted.
        (JSC::BytecodeIntrinsicNode::identifier const): Deleted.
        (JSC::TypeOfResolveNode::identifier const): Deleted.
        (JSC::BitwiseNotNode::expr): Deleted.
        (JSC::BitwiseNotNode::expr const): Deleted.
        (JSC::AssignResolveNode::identifier const): Deleted.
        (JSC::ExprStatementNode::expr const): Deleted.
        (JSC::ForOfNode::isForAwait const): Deleted.
        (JSC::ReturnNode::value): Deleted.
        (JSC::ProgramNode::startColumn const): Deleted.
        (JSC::ProgramNode::endColumn const): Deleted.
        (JSC::EvalNode::startColumn const): Deleted.
        (JSC::EvalNode::endColumn const): Deleted.
        (JSC::ModuleProgramNode::startColumn const): Deleted.
        (JSC::ModuleProgramNode::endColumn const): Deleted.
        (JSC::ModuleProgramNode::moduleScopeData): Deleted.
        (JSC::ModuleNameNode::moduleName): Deleted.
        (JSC::ImportSpecifierNode::importedName): Deleted.
        (JSC::ImportSpecifierNode::localName): Deleted.
        (JSC::ImportSpecifierListNode::specifiers const): Deleted.
        (JSC::ImportSpecifierListNode::append): Deleted.
        (JSC::ImportDeclarationNode::specifierList const): Deleted.
        (JSC::ImportDeclarationNode::moduleName const): Deleted.
        (JSC::ExportAllDeclarationNode::moduleName const): Deleted.
        (JSC::ExportDefaultDeclarationNode::declaration const): Deleted.
        (JSC::ExportDefaultDeclarationNode::localName const): Deleted.
        (JSC::ExportLocalDeclarationNode::declaration const): Deleted.
        (JSC::ExportSpecifierNode::exportedName): Deleted.
        (JSC::ExportSpecifierNode::localName): Deleted.
        (JSC::ExportSpecifierListNode::specifiers const): Deleted.
        (JSC::ExportSpecifierListNode::append): Deleted.
        (JSC::ExportNamedDeclarationNode::specifierList const): Deleted.
        (JSC::ExportNamedDeclarationNode::moduleName const): Deleted.
        (JSC::ArrayPatternNode::appendIndex): Deleted.
        (JSC::ObjectPatternNode::appendEntry): Deleted.
        (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
        (JSC::ObjectPatternNode::setContainsComputedProperty): Deleted.
        (JSC::DestructuringAssignmentNode::bindings): Deleted.
        (JSC::FunctionParameters::size const): Deleted.
        (JSC::FunctionParameters::append): Deleted.
        (JSC::FunctionParameters::isSimpleParameterList const): Deleted.
        (JSC::FuncDeclNode::metadata): Deleted.
        (JSC::CaseClauseNode::expr const): Deleted.
        (JSC::CaseClauseNode::setStartOffset): Deleted.
        (JSC::ClauseListNode::getClause const): Deleted.
        (JSC::ClauseListNode::getNext const): Deleted.
        * runtime/ExceptionHelpers.cpp:
        * runtime/JSObject.cpp:

2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        JSON.stringify should emit non own properties if second array argument includes
        https://bugs.webkit.org/show_bug.cgi?id=187724

        Reviewed by Mark Lam.

        According to the spec[1], JSON.stringify needs to retrieve properties by using [[Get]],
        instead of [[GetOwnProperty]]. It means that we would look up a properties defined
        in [[Prototype]] or upper objects in the prototype chain. While enumeration is done
        by using EnumerableOwnPropertyNames typically, we can pass replacer array including
        property names which does not reside in the own properties. Or we can modify the
        own properties by deleting properties while JSON.stringify is calling a getter. So,
        using [[Get]] instead of [[GetOwnProperty]] is user-visible.

        This patch changes getOwnPropertySlot to getPropertySlot to align the behavior to the spec.
        The performance of Kraken/json-stringify-tinderbox is neutral.

        [1]: https://tc39.github.io/ecma262/#sec-serializejsonproperty

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::toJSONImpl):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Stringifier::Holder::appendNextProperty):

2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks
        https://bugs.webkit.org/show_bug.cgi?id=187755

        Reviewed by Mark Lam.

        JSON.stringify used `inherits<JSArray>(vm)` to determine whether the given replacer is an array replacer.
        But this is wrong. According to the spec, we should use `isArray`[1], which accepts Proxies. This difference
        makes one test262 test failed.

        This patch changes the code to using `isArray()`. And we reorder the evaluations of replacer check and ident space check
        to align these checks to the spec's order.

        [1]: https://tc39.github.io/ecma262/#sec-json.stringify

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):

2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable
        https://bugs.webkit.org/show_bug.cgi?id=187752

        Reviewed by Mark Lam.

        JSON.stringify has an implicit root wrapper object since we would like to call replacer
        with a wrapper object and a property name. While we always create this wrapper object,
        it is unnecessary if the given replacer is not callable.

        This patch removes wrapper object creation when a replacer is not callable to avoid unnecessary
        allocations. This change slightly improves the performance of Kraken/json-stringify-tinderbox.

                                           baseline                  patched

        json-stringify-tinderbox        39.730+-0.590      ^      38.853+-0.266         ^ definitely 1.0226x faster

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::isCallableReplacer const):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::appendStringifiedValue):

2018-07-18  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add jsc_context_check_syntax() to GLib API
        https://bugs.webkit.org/show_bug.cgi?id=187694

        Reviewed by Yusuke Suzuki.

        A new function to be able to check for syntax errors without actually evaluating the code.

        * API/glib/JSCContext.cpp:
        (jsc_context_check_syntax):
        * API/glib/JSCContext.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-17  Keith Miller  <keith_miller@apple.com>

        Revert r233630 since it broke internal wasm benchmarks
        https://bugs.webkit.org/show_bug.cgi?id=187746

        Unreviewed revert.

        This patch seems to have broken internal Wasm benchmarks. This
        issue is likely due to an underlying bug but let's rollout while
        we investigate.

        * bytecode/CodeType.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::codeType const):
        (JSC::UnlinkedCodeBlock::didOptimize const):
        (JSC::UnlinkedCodeBlock::setDidOptimize):
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::VirtualRegister):
        (): Deleted.

2018-07-17  Mark Lam  <mark.lam@apple.com>

        CodeBlock::baselineVersion() should account for executables with purged codeBlocks.
        https://bugs.webkit.org/show_bug.cgi?id=187736
        <rdar://problem/42114371>

        Reviewed by Michael Saboff.

        CodeBlock::baselineVersion() currently checks for a null replacement but does not
        account for the fact that that the replacement can also be null due to the
        executable having being purged of its codeBlocks due to a memory event (see
        ExecutableBase::clearCode()).  This patch adds code to account for this.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::baselineVersion):

2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets
        https://bugs.webkit.org/show_bug.cgi?id=187709

        Reviewed by Mark Lam.

        UnlinkedCodeBlock::shrinkToFit accidentally misses m_constantIdentifierSets shrinking.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::shrinkToFit):

2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make SourceParseMode small
        https://bugs.webkit.org/show_bug.cgi?id=187705

        Reviewed by Mark Lam.

        Each SourceParseMode is distinct. So we do not need to make it a set-style (power of 2 style).
        Originally, this is done to make SourceParseModeSet faster because it is critical in our parser.
        But we can keep SourceParseModeSet fast by `1U << mode | set`. And we can make SourceParseMode
        within 5 bits. This reduces the size of UnlinkedCodeBlock from 288 to 280.

        * parser/ParserModes.h:
        (JSC::SourceParseModeSet::SourceParseModeSet):
        (JSC::SourceParseModeSet::contains):
        (JSC::SourceParseModeSet::mergeSourceParseModes):

2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Generator and AsyncGeneratorMethod's prototype is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=187585

        Reviewed by Darin Adler.

        This patch fixes Generator and AsyncGenerator's prototype issues.

        1. Generator's default prototype is incorrect when `generator.prototype = null` is performed.
        We fix this by changing JSFunction::prototypeForConstruction.

        2. AsyncGeneratorMethod is not handled. We change the name isAsyncGeneratorFunctionParseMode
        to isAsyncGeneratorWrapperParseMode since it is aligned to Generator's code. And use it well
        to fix `prototype` issues for AsyncGeneratorMethod.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
        (JSC::BytecodeGenerator::emitNewFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionMetadata):
        * parser/Parser.cpp:
        (JSC::getAsynFunctionBodyParseMode):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        * parser/ParserModes.h:
        (JSC::isAsyncGeneratorParseMode):
        (JSC::isAsyncGeneratorWrapperParseMode):
        (JSC::isAsyncGeneratorFunctionParseMode): Deleted.
        * runtime/FunctionExecutable.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::prototypeForConstruction):
        (JSC::JSFunction::getOwnPropertySlot):

2018-07-16  Mark Lam  <mark.lam@apple.com>

        jsc shell's noFTL utility test function should be more robust.
        https://bugs.webkit.org/show_bug.cgi?id=187704
        <rdar://problem/42231988>

        Reviewed by Michael Saboff and Keith Miller.

        * jsc.cpp:
        (functionNoFTL):
        - only setNeverFTLOptimize() if the function is actually a JS function.

2018-07-15  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to evaluate code using a given object to store global symbols
        https://bugs.webkit.org/show_bug.cgi?id=187639

        Reviewed by Michael Catanzaro.

        Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the
        evaluated script are added as properties to the new object instead of to the context global object. This is
        similar to JS::Evaluate in spider monkey when a scopeChain parameter is passed, but JSC doesn't support using a
        scope for assignments, so we have to create a new context and get its global object. This patch also updates
        jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new
        jsc_context_evaluate_in_object().

        * API/glib/JSCContext.cpp:
        (jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri().
        (evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef.
        (jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext().
        (jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension
        scope of it. Evaluate the script in the new context and get its global object to be returned as parameter.
        * API/glib/JSCContext.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [32bit JSC tests]  stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing
        https://bugs.webkit.org/show_bug.cgi?id=187561

        Reviewed by Darin Adler.

        This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code.
        We clean up 32bit put_by_val code.

        1. We remove inline out-of-bounds recording code since it is done in C operation code. This change
        aligns 32bit implementation to 64bit implementation.

        2. We add CoW array checking, which is done in 64bit implementation.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):

2018-07-12  Mark Lam  <mark.lam@apple.com>

        Need to handle CodeBlock::replacement() being null.
        https://bugs.webkit.org/show_bug.cgi?id=187569
        <rdar://problem/41468692>

        Reviewed by Saam Barati.

        CodeBlock::replacement() may return a nullptr.  Some of our code already checks
        for this while others do not.  We should add null checks in all the places that
        need it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::numberOfDFGCompiles):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGOperations.cpp:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        * jit/JITOperations.cpp:

2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Thread VM& to JSCell::methodTable(VM&)
        https://bugs.webkit.org/show_bug.cgi?id=187548

        Reviewed by Saam Barati.

        This patch threads VM& to methodTable(VM&) and remove methodTable().
        We add VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.

        * API/APICast.h:
        (toJS):
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::className):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::estimatedSize):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::estimatedSize):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::className):
        * debugger/DebuggerScope.h:
        * heap/Heap.cpp:
        (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
        (JSC::GatherHeapSnapshotData::operator() const):
        (JSC::Heap::gatherExtraHeapSnapshotData):
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        * runtime/ClassInfo.h:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::estimatedSize):
        * runtime/DirectArguments.h:
        * runtime/HashMapImpl.cpp:
        (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
        * runtime/HashMapImpl.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::estimatedSize):
        * runtime/JSArrayBuffer.h:
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::estimatedSize):
        * runtime/JSBigInt.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::dump const):
        (JSC::JSCell::estimatedSizeInBytes const):
        (JSC::JSCell::estimatedSize):
        (JSC::JSCell::className):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
        * runtime/JSObject.cpp:
        (JSC::JSObject::estimatedSize):
        (JSC::JSObject::className):
        (JSC::JSObject::toStringName):
        (JSC::JSObject::calculatedClassName):
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::className):
        * runtime/JSProxy.h:
        * runtime/JSString.cpp:
        (JSC::JSString::estimatedSize):
        * runtime/JSString.h:
        * runtime/RegExp.cpp:
        (JSC::RegExp::estimatedSize):
        * runtime/RegExp.h:
        * runtime/WeakMapImpl.cpp:
        (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
        * runtime/WeakMapImpl.h:

2018-07-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r233714.
        https://bugs.webkit.org/show_bug.cgi?id=187579

        it made tests time out (Requested by pizlo on #webkit).

        Reverted changeset:

        "Change the reoptimization backoff base to 1.3 from 2"
        https://bugs.webkit.org/show_bug.cgi?id=187540
        https://trac.webkit.org/changeset/233714

2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to allow creating variadic functions
        https://bugs.webkit.org/show_bug.cgi?id=187517

        Reviewed by Michael Catanzaro.

        Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
        jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.

        * API/glib/JSCCallbackFunction.cpp:
        (JSC::JSCCallbackFunction::create): Make the parameters optional.
        (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
        (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
        JSCValue for the arguments.
        (JSC::JSCCallbackFunction::construct): Ditto.
        * API/glib/JSCCallbackFunction.h:
        * API/glib/JSCClass.cpp:
        (jscClassCreateConstructor): Make the parameters optional.
        (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
        (jscClassAddMethod): Make the parameters optional.
        (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
        * API/glib/JSCClass.h:
        * API/glib/JSCValue.cpp:
        (jsc_value_object_define_property_accessor): Update now that parameters are optional.
        (jscValueFunctionCreate): Make the parameters optional.
        (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add jsc_context_get_global_object() to GLib API
        https://bugs.webkit.org/show_bug.cgi?id=187515

        Reviewed by Michael Catanzaro.

        This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
        object. However, getting the global object could be useful in some cases, for example to give it a well known
        name like 'window' in browsers and GJS.

        * API/glib/JSCContext.cpp:
        (jsc_context_get_global_object):
        * API/glib/JSCContext.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Handle G_TYPE_STRV in glib API
        https://bugs.webkit.org/show_bug.cgi?id=187512

        Reviewed by Michael Catanzaro.

        Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.

        * API/glib/JSCContext.cpp:
        (jscContextGValueToJSValue):
        (jscContextJSValueToGValue):
        * API/glib/JSCValue.cpp:
        (jsc_value_new_array_from_strv):
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Iterator of Array.keys() returns object in wrong order
        https://bugs.webkit.org/show_bug.cgi?id=185197

        Reviewed by Keith Miller.

        * builtins/ArrayIteratorPrototype.js:
        (globalPrivate.arrayIteratorValueNext):
        (globalPrivate.arrayIteratorKeyNext):
        (globalPrivate.arrayIteratorKeyValueNext):
        * builtins/AsyncFromSyncIteratorPrototype.js:
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorResolve):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        * builtins/MapIteratorPrototype.js:
        (globalPrivate.mapIteratorNext):
        * builtins/SetIteratorPrototype.js:
        (globalPrivate.setIteratorNext):
        * builtins/StringIteratorPrototype.js:
        (next):
        * runtime/IteratorOperations.cpp:
        (JSC::createIteratorResultObjectStructure):
        (JSC::createIteratorResultObject):

2018-07-10  Mark Lam  <mark.lam@apple.com>

        constructArray() should always allocate the requested length.
        https://bugs.webkit.org/show_bug.cgi?id=187543
        <rdar://problem/41947884>

        Reviewed by Saam Barati.

        Currently, it does not when we're having a bad time.  We fix this by switching
        back to using tryCreateUninitializedRestricted() exclusively in constructArray().
        If we detect that a structure transition is possible before we can initialize
        the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
        We will introduce JSArray::eagerlyInitializeButterfly() to handle this.

        Also enhanced the DisallowScope and ObjectInitializationScope to support this
        eager initialization when needed.

        * dfg/DFGOperations.cpp:
        - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
          the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
          it clearer that we encountered an OutOfMemory condition instead of failing in FTL
          generated code, which will appear as a generic null pointer dereference.

        * runtime/ArrayPrototype.cpp:
        (JSC::concatAppendOne):
        - the code here clearly wants to check for an allocation failure.  Switched to
          using JSArray::tryCreate() instead of JSArray::create().

        * runtime/DisallowScope.h:
        (JSC::DisallowScope::disable):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::eagerlyInitializeButterfly):
        (JSC::constructArray):
        * runtime/JSArray.h:
        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::notifyInitialized):
        * runtime/ObjectInitializationScope.h:
        (JSC::ObjectInitializationScope::notifyInitialized):

2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove getTypedArrayImpl
        https://bugs.webkit.org/show_bug.cgi?id=187338

        Reviewed by Mark Lam.

        getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
        are limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
        This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.

        * runtime/ClassInfo.h:
        * runtime/GenericTypedArrayView.h:
        (JSC::GenericTypedArrayView::data const): Deleted.
        (JSC::GenericTypedArrayView::set): Deleted.
        (JSC::GenericTypedArrayView::setRange): Deleted.
        (JSC::GenericTypedArrayView::zeroRange): Deleted.
        (JSC::GenericTypedArrayView::zeroFill): Deleted.
        (JSC::GenericTypedArrayView::length const): Deleted.
        (JSC::GenericTypedArrayView::item const): Deleted.
        (JSC::GenericTypedArrayView::set const): Deleted.
        (JSC::GenericTypedArrayView::setNative const): Deleted.
        (JSC::GenericTypedArrayView::getRange): Deleted.
        (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
        (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::possiblySharedImpl):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
        * runtime/JSCell.cpp:
        (JSC::JSCell::getTypedArrayImpl): Deleted.
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getTypedArrayImpl): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.

2018-07-10  Keith Miller  <keith_miller@apple.com>

        hasOwnProperty returns true for out of bounds property index on TypedArray
        https://bugs.webkit.org/show_bug.cgi?id=187520

        Reviewed by Saam Barati.

        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):

2018-07-10  Michael Saboff  <msaboff@apple.com>

        DFG JIT: compileMathIC produces incorrect machine code
        https://bugs.webkit.org/show_bug.cgi?id=187537

        Reviewed by Saam Barati.

        Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
        fall back to the fast path generator which handles such cases.

        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateInline):

2018-07-10  Filip Pizlo  <fpizlo@apple.com>

        Change the reoptimization backoff base to 1.3 from 2
        https://bugs.webkit.org/show_bug.cgi?id=187540

        Reviewed by Saam Barati.
        
        I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
        
        I also have data that hints that a backoff base of 1 might be even better, but I think that
        we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::reoptimizationRetryCounter const):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::adjustedCounterValue):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2018-07-10  Mark Lam  <mark.lam@apple.com>

        [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
        https://bugs.webkit.org/show_bug.cgi?id=187362
        <rdar://problem/42027210>

        Reviewed by Saam Barati.

        On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
        value to use for initializing unused properties.  Updated an assertion to account
        for this.

        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):

2018-07-10  Michael Saboff  <msaboff@apple.com>

        YARR: . doesn't match non-BMP Unicode characters in some cases
        https://bugs.webkit.org/show_bug.cgi?id=187248

        Reviewed by Geoffrey Garen.

        The safety check in optimizeAlternative() for moving character classes that only consist of BMP
        characters did not take into account that the character class is inverted.  In this case, we
        represent '.' as "not a newline" using the newline character class with an inverted check.
        Clearly that includes non-BMP characters.

        The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
        inverted use of that character class.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::optimizeAlternative):

2018-07-09  Mark Lam  <mark.lam@apple.com>

        Add --traceLLIntExecution and --traceLLIntSlowPath options.
        https://bugs.webkit.org/show_bug.cgi?id=187479

        Reviewed by Yusuke Suzuki and Saam Barati.

        These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.

        The details:
        1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
        2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
           This makes it such that enabling LLINT_TRACING doesn't means that we'll
           continually spammed with logging until we rebuild.
        3. Fixed slow path LLINT tracing to work with exception check validation.

        * llint/LLIntCommon.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::slowPathLog):
        (JSC::LLInt::slowPathLn):
        (JSC::LLInt::slowPathLogF):
        (JSC::LLInt::slowPathLogLn):
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        * runtime/Options.h:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=187477

        Reviewed by Mark Lam.

        Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
        However, it is not necessary since JSCells can be reside in a constant buffer.
        This patch embeds RegExp* to a constant buffer in UnlinkedCodeBlock and CodeBlock. And remove RegExp
        vector from RareData.

        We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        (JSC::regexpToSourceString): Deleted.
        (JSC::regexpName): Deleted.
        (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
        * bytecode/BytecodeDumper.h:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::regexp const): Deleted.
        (JSC::CodeBlock::numberOfRegExps const): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
        (JSC::UnlinkedCodeBlock::regexp const): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewRegExp):
        (JSC::BytecodeGenerator::addRegExp): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_regexp):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure const):
        * runtime/RegExp.cpp:
        (JSC::regexpToSourceString):
        (JSC::RegExp::dumpToStream):
        * runtime/RegExp.h:

2018-07-09  Brian Burg  <bburg@apple.com>

        REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
        https://bugs.webkit.org/show_bug.cgi?id=187350
        <rdar://problem/41728249>

        Reviewed by Matt Baker.

        Add a new command that toggles whether or not to blackbox internal scripts.
        If blackboxed, the scripts will not be shown to the frontend and the debugger will
        not pause in source frames from blackboxed scripts. Sometimes we want to break into
        those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
        that injects scripts.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/protocol/Debugger.json:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make some data members of UnlinkedCodeBlock private
        https://bugs.webkit.org/show_bug.cgi?id=187467

        Reviewed by Mark Lam.

        This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
        We also remove m_numCapturedVars since it is no longer used.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
        https://bugs.webkit.org/show_bug.cgi?id=187465

        Reviewed by Keith Miller.

        ProxyableAccessCase is allocated so frequently and it is persisted so long. Reducing the size
        of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.

        This patch uses a bit complicated layout to reduce ProxyableAccessCase. We add unused bool member
        in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
        of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
        from 104 to 96 since it inherits ProxyableAccessCase.

        * bytecode/AccessCase.h:
        (JSC::AccessCase::viaProxy const):
        (JSC::AccessCase::AccessCase):
        * bytecode/ProxyableAccessCase.cpp:
        (JSC::ProxyableAccessCase::ProxyableAccessCase):
        * bytecode/ProxyableAccessCase.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for debug builds after r233630
        https://bugs.webkit.org/show_bug.cgi?id=187441

        * jit/JIT.cpp:
        (JSC::JIT::frameRegisterCountFor):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of CodeBlock to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187441

        Reviewed by Mark Lam.

        Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
        We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
        Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.

        We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeUseDef.h:
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numVars const):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::numVars const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct const):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jit/JIT.cpp:
        (JSC::JIT::frameRegisterCountFor):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOperations.cpp:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCJSValue.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize padding of UnlinkedCodeBlock to shrink
        https://bugs.webkit.org/show_bug.cgi?id=187448

        Reviewed by Saam Barati.

        We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
        These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.

        * bytecode/CodeType.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::codeType const):
        (JSC::UnlinkedCodeBlock::didOptimize const):
        (JSC::UnlinkedCodeBlock::setDidOptimize):
        * bytecode/VirtualRegister.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize padding of InferredTypeTable by using cellLock
        https://bugs.webkit.org/show_bug.cgi?id=187447

        Reviewed by Mark Lam.

        Use cellLock() in InferredTypeTable to guard changes of internal structures.
        This is the same usage to SparseArrayValueMap. By using cellLock(), we can
        reduce the size of InferredTypeTable from 40 to 32.

        * runtime/InferredTypeTable.cpp:
        (JSC::InferredTypeTable::visitChildren):
        (JSC::InferredTypeTable::get):
        (JSC::InferredTypeTable::willStoreValue):
        (JSC::InferredTypeTable::makeTop):
        * runtime/InferredTypeTable.h:
        Using enum class and using. And remove `isEmpty()` since it is not used.

        * runtime/Structure.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of SourceProvider to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187440

        Reviewed by Mark Lam.

        Arrange members of SourceProvider to reduce the size from 80 to 72.

        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::SourceProvider):
        * parser/SourceProvider.h:

2018-07-08  Mark Lam  <mark.lam@apple.com>

        PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
        https://bugs.webkit.org/show_bug.cgi?id=187444
        <rdar://problem/41282849>

        Reviewed by Saam Barati.

        PropertyTable supports C++ iteration by offering begin() and end() methods, and
        an iterator class.  The begin() methods and the iterator operator++() method uses
        PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
        However, PropertyTable::skipDeletedEntries() does not prevent the iteration
        pointer from being incremented past the end of the table.  As a result, we can
        iterate past the end of the table.  Note that the C++ iteration protocol tests
        for the iterator not being equal to the end() value.  It does not do a <= test.
        If the iterator ever shoots past end, the loop will effectively not terminate.

        This issue can manifest if and only if the last entry in the table is a deleted
        one, and the key field of the PropertyMapEntry shaped space at the end of the
        table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
        value.

        No test because manifesting this issue requires uncontrollable happenstance where
        memory just beyond the end of the table looks like a deleted entry.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::begin):
        (JSC::PropertyTable::end):
        (JSC::PropertyTable::begin const):
        (JSC::PropertyTable::end const):
        (JSC::PropertyTable::skipDeletedEntries):

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of SymbolTable to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187437

        Reviewed by Mark Lam.

        Arrange the layout of SymbolTable to reduce the size from 88 to 72.

        * runtime/SymbolTable.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of RegExp to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187438

        Reviewed by Mark Lam.

        Reduce the size of RegExp from 168 to 144.

        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        * runtime/RegExp.h:
        * runtime/RegExpKey.h:
        * yarr/YarrErrorCode.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of ValueProfile to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187439

        Reviewed by Mark Lam.

        Reduce the size of ValueProfile from 40 to 32 by reordering members.

        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::ValueProfileBase):

2018-07-05  Saam Barati  <sbarati@apple.com>

        ProgramExecutable may be collected as we checkSyntax on it
        https://bugs.webkit.org/show_bug.cgi?id=187359
        <rdar://problem/41832135>

        Reviewed by Mark Lam.

        The bug was we were passing in a reference to the SourceCode field on ProgramExecutable as
        the ProgramExecutable itself may be collected. The fix here is to make a copy
        of the field instead of passing in a reference inside of ParserError::toErrorObject.
        
        No new tests here as this was already caught by our iOS JSC testers.

        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):

2018-07-04  Tim Horton  <timothy_horton@apple.com>

        Introduce PLATFORM(IOSMAC)
        https://bugs.webkit.org/show_bug.cgi?id=187315

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * Configurations/FeatureDefines.xcconfig:

2018-07-03  Mark Lam  <mark.lam@apple.com>

        [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
        https://bugs.webkit.org/show_bug.cgi?id=187255
        <rdar://problem/41785257>

        Reviewed by Saam Barati.

        The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
        too: basically, do what the 64-bit code is doing.  At present, this change only
        serves to pacify an assertion.  It is not needed for correctness because the
        concurrent GC is not used on 32-bit builds.

        This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
        test.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):

2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
        https://bugs.webkit.org/show_bug.cgi?id=187290

        Reviewed by Saam Barati.

        slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
        we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
        is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
        easily calculated from JSType.
        This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::elementSize):
        (JSC::JSArrayBufferView::slowDownAndWasteMemory):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedBuffer):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory): Deleted.
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.

2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Regular expressions with ".?" expressions at the start and the end match the entire string
        https://bugs.webkit.org/show_bug.cgi?id=119191

        Reviewed by Michael Saboff.

        r90962 optimized regular expressions in the form of /.*abc.*/ by looking
        for "abc" first and then processing the leading and trailing dot stars
        to find the beginning and the end of the match. However, it erroneously
        enabled this optimization for regular expressions whose leading or
        trailing dots had quantifiers that were not of arbitrary length, e.g.,
        /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
        match the entire string when it shouldn't. This patch disables the
        optimization for those cases.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):

2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        RegExp.exec returns wrong value with a long integer quantifier
        https://bugs.webkit.org/show_bug.cgi?id=187042

        Reviewed by Saam Barati.

        Prior to this patch, the Yarr parser checked for integer overflow when
        parsing quantifiers in regular expressions by adding one digit at a time
        to a number and checking if the result got larger. This is wrong;
        The parser would fail to detect overflow when parsing, for example,
        10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.

        Another issue was that once it detected overflow, it stopped consuming
        the remaining digits. Since it didn't find the closing bracket, it
        parsed the quantifier as a normal string instead.

        This patch fixes these issues by reading all the digits and checking for
        overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
        returns the largest possible value (quantifyInfinite in this case). This
        matches Chrome [1], Firefox [2], and Edge [3].

        [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
        [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
        [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::consumeNumber):

2018-07-02  Keith Miller  <keith_miller@apple.com>

        InstanceOf IC should do generic if the prototype is not an object.
        https://bugs.webkit.org/show_bug.cgi?id=187250

        Reviewed by Mark Lam.

        The old code was wrong for two reasons. First, the AccessCase expected that
        the prototype value would be non-null. Second, we would end up returning
        false instead of throwing an exception.

        * jit/Repatch.cpp:
        (JSC::tryCacheInstanceOf):

2018-07-01  Mark Lam  <mark.lam@apple.com>

        Builtins and host functions should get their own structures.
        https://bugs.webkit.org/show_bug.cgi?id=187211
        <rdar://problem/41646336>

        Reviewed by Saam Barati.

        JSFunctions do lazy reification of properties, but ordinary functions applies
        different rules of property reification than builtin and host functions.  Hence,
        we should give builtins and host functions their own structures.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::selectStructureForNewFuncExp):
        (JSC::JSFunction::create):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::hostFunctionStructure const):
        (JSC::JSGlobalObject::arrowFunctionStructure const):
        (JSC::JSGlobalObject::sloppyFunctionStructure const):
        (JSC::JSGlobalObject::strictFunctionStructure const):

2018-07-01  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
        <https://webkit.org/b/187233>

        Reviewed by Mark Lam.

        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition): Add struct member
        initialization. Simplify default constructor.
        (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
        union to the beginning to make it easy to zero out all fields.
        (JSC::JSTokenLocation::JSTokenLocation): Add struct member
        initialization.  Simplify default constructor.  Note that
        `endOffset` was not being initialized previously.
        (JSC::JSTextPosition::JSToken): Add struct member initialization
        where necessary.
        * runtime/IntlObject.cpp:
        (JSC::MatcherResult): Add struct member initialization.

2018-06-23  Darin Adler  <darin@apple.com>

        [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=186973

        Reviewed by Dan Bernstein.

        * API/JSContext.mm:
        (WeakContextRef::WeakContextRef): Deleted.
        (WeakContextRef::~WeakContextRef): Deleted.
        (WeakContextRef::get): Deleted.
        (WeakContextRef::set): Deleted.

        * API/JSContextInternal.h: Removed unneeded header guards since this is
        an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
        of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
        since neither is used outside the class implementation.

        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]): Use a bridging cast.
        (-[JSManagedValue dealloc]): Ditto.
        (-[JSManagedValue didAddOwner:]): Ditto.
        (-[JSManagedValue didRemoveOwner:]): Ditto.
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
        (JSManagedValueHandleOwner::finalize): Ditto.
        * API/JSValue.mm:
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
        (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
        (-[JSValue valueForProperty:]): Ditto.
        (-[JSValue setValue:forProperty:]): Ditto.
        (-[JSValue deleteProperty:]): Ditto.
        (-[JSValue hasProperty:]): Ditto.
        (-[JSValue invokeMethod:withArguments:]): Ditto.
        (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
        (valueToArray): Ditto.
        (valueToDictionary): Ditto.
        (objectToValueWithoutCopy): Ditto.
        (objectToValue): Ditto.
        * API/JSVirtualMachine.mm:
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
        (-[JSVirtualMachine isOldExternalObject:]): Ditto.
        (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
        (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
        (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
        (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
        (scanExternalObjectGraph): Ditto.
        (scanExternalRememberedSet): Ditto.
        * API/JSWrapperMap.mm:
        (makeWrapper): Ditto.
        (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
        (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
        (tryUnwrapObjcObject): Ditto.
        * API/ObjCCallbackFunction.mm:
        (blockSignatureContainsClass): Ditto.
        (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
        sure we will be keeping this the same way under ARC.
        (objCCallbackFunctionForBlock): Use a bridging cast.

        * API/ObjcRuntimeExtras.h:
        (protocolImplementsProtocol): Use a more specific type that includes the
        explicit __unsafe_unretained for copied protocol lists.
        (forEachProtocolImplementingProtocol): Ditto.

        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
        (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.

        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
        CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
        (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
        (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
        (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.

2018-06-30  Adam Barth  <abarth@webkit.org>

        Port JavaScriptCore to OS(FUCHSIA)
        https://bugs.webkit.org/show_bug.cgi?id=187223

        Reviewed by Daniel Bates.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
        * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
        (JSC::MachineContext::stackPointerImpl):
        (JSC::MachineContext::framePointerImpl):
        (JSC::MachineContext::instructionPointerImpl):
        (JSC::MachineContext::argumentPointer<1>):
        (JSC::MachineContext::llintInstructionPointer):

2018-06-30  David Kilzer  <ddkilzer@apple.com>

        Fix clang static analyzer warnings: Garbage return value
        <https://webkit.org/b/187224>

        Reviewed by Eric Carlson.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
        - Use brace initialization for local variables.
        * debugger/DebuggerCallFrame.cpp:
        (class JSC::LineAndColumnFunctor):
        - Use class member initialization for member variables.

2018-06-29  Saam Barati  <sbarati@apple.com>

        Unreviewed. Try to fix Windows build after r233377

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):

2018-06-29  Saam Barati  <sbarati@apple.com>

        Don't use tracePoints in JS/Wasm entry
        https://bugs.webkit.org/show_bug.cgi?id=187196

        Reviewed by Mark Lam.

        This puts VM entry and Wasm entry tracePoints behind a runtime
        option. This is a ~4x speedup on a soon to be released Wasm
        benchmark. tracePoints should basically never run more than 50
        times a second. Entering the VM and entering Wasm are user controlled,
        and can happen hundreds of thousands of times in a second. Depending
        on how the Wasm/JS code is structured, this can be disastrous for
        performance.

        * runtime/Options.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2018-06-29  Saam Barati  <sbarati@apple.com>

        We shouldn't recurse into the parser when gathering metadata about various function offsets
        https://bugs.webkit.org/show_bug.cgi?id=184074
        <rdar://problem/37165897>

        Reviewed by Mark Lam.

        Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
        for that builtin. This required calling into the parser. However, the parser
        may throw a stack overflow. We were not able to recover from that. The only
        reason we called into the parser here is that we were gathering text offsets
        and various metadata for things in the builtin function. This patch writes a
        mini parser that figures this information out without calling into the full
        parser. (I've also added a debug assert that verifies the mini parser stays in
        sync with the full parser.) The result of this is that BuiltinExecutbles::createExecutable
        always succeeds.

        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.createAsyncFromSyncIterator):
        (globalPrivate.AsyncFromSyncIteratorConstructor):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * builtins/GlobalOperations.js:
        (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
        (globalPrivate.speciesConstructor):
        (globalPrivate.copyDataProperties):
        (globalPrivate.copyDataPropertiesNoExclusions):
        * builtins/PromiseOperations.js:
        (globalPrivate.newHandledRejectedPromise):
        * builtins/RegExpPrototype.js:
        (globalPrivate.hasObservableSideEffectsForRegExpMatch):
        (globalPrivate.hasObservableSideEffectsForRegExpSplit):
        * builtins/StringPrototype.js:
        (globalPrivate.hasObservableSideEffectsForStringReplace):
        (globalPrivate.getDefaultCollator):
        * parser/Nodes.cpp:
        (JSC::FunctionMetadataNode::FunctionMetadataNode):
        (JSC::FunctionMetadataNode::operator== const):
        (JSC::FunctionMetadataNode::dump const):
        * parser/Nodes.h:
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserError.h:
        (JSC::ParserError::type const):
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::operator== const):
        (JSC::JSTextPosition::operator!= const):
        * parser/SourceCode.h:
        (JSC::SourceCode::operator== const):
        (JSC::SourceCode::operator!= const):
        (JSC::SourceCode::subExpression const):
        (JSC::SourceCode::subExpression): Deleted.

2018-06-28  Michael Saboff  <msaboff@apple.com>
  
        IsoCellSet::sweepToFreeList() not safe when Full GC in process
        https://bugs.webkit.org/show_bug.cgi?id=187157

        Reviewed by Mark Lam.

        * heap/IsoCellSet.cpp:
        (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
        is in MarkedBlock::Handle::specializedSweep where it takes into account whether
        or not we are in the process of marking during a full GC.
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.

2018-06-27  Saam Barati  <sbarati@apple.com>

        Add some more register state information when we crash in repatchPutById
        https://bugs.webkit.org/show_bug.cgi?id=187112

        Reviewed by Mark Lam.

        This will help us gather info when we end up seeing a ObjectPropertyConditionSet
        with an offset that is different than what the put tells us.

        * jit/Repatch.cpp:
        (JSC::tryCachePutByID):

2018-06-27  Mark Lam  <mark.lam@apple.com>

        Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
        https://bugs.webkit.org/show_bug.cgi?id=187119

        Reviewed by Keith Miller.

        $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
        should be checking for codeBlock instead of !codeBlock
        before using the codeBlock.

        I also renamed some other "print" functions to use "dump" instead
        to match their underlying C++ code that they will call e.g.
        CodeBlock::dumpSource().

        * tools/JSDollarVM.cpp:
        (WTF::JSDollarVMCallFrame::finishCreation):
        (JSC::functionDumpSourceFor):
        (JSC::functionDumpBytecodeFor):
        (JSC::doPrint):
        (JSC::functionDataLog):
        (JSC::functionPrint):
        (JSC::functionDumpCallFrame):
        (JSC::functionDumpStack):
        (JSC::JSDollarVM::finishCreation):
        (JSC::functionPrintSourceFor): Deleted.
        (JSC::functionPrintBytecodeFor): Deleted.
        (JSC::doPrintln): Deleted.
        (JSC::functionPrintln): Deleted.
        (JSC::functionPrintCallFrame): Deleted.
        (JSC::functionPrintStack): Deleted.
        * tools/VMInspector.cpp:
        (JSC::DumpFrameFunctor::DumpFrameFunctor):
        (JSC::DumpFrameFunctor::operator() const):
        (JSC::VMInspector::dumpCallFrame):
        (JSC::VMInspector::dumpStack):
        (JSC::VMInspector::dumpValue):
        (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
        (JSC::PrintFrameFunctor::operator() const): Deleted.
        (JSC::VMInspector::printCallFrame): Deleted.
        (JSC::VMInspector::printStack): Deleted.
        (JSC::VMInspector::printValue): Deleted.
        * tools/VMInspector.h:

2018-06-27  Keith Miller  <keith_miller@apple.com>

        Add logging to try to diagnose where we get a null structure.
        https://bugs.webkit.org/show_bug.cgi?id=187106

        Reviewed by Mark Lam.

        Add a logging to JSObject::toPrimitive to help diagnose a nullptr
        structure crash.

        This code should be removed when we fix <rdar://problem/33451840>

        * runtime/JSObject.cpp:
        (JSC::callToPrimitiveFunction):
        * runtime/JSObject.h:
        (JSC::JSObject::getPropertySlot):

2018-06-27  Mark Lam  <mark.lam@apple.com>

        DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
        https://bugs.webkit.org/show_bug.cgi?id=187091
        <rdar://problem/41395624>

        Reviewed by Yusuke Suzuki.

        Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
        take their slow paths, the slow path would jump back to the fast path right after
        the emitted code which clears the unused property values.  As a result, the
        unused properties are not initialized.  We've fixed this by adding the slow path
        generators before we emit the code to clear the unused properties.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):

2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
        https://bugs.webkit.org/show_bug.cgi?id=185943

        Reviewed by Mark Lam.

        ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
        the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
        the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated.".
        This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.

        ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
        but it should be done in a separate patch since it would be performance s