49cef2e2c7a86b44597532ad464a9e3ba0dd0db4
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-06-22  Keith Miller  <keith_miller@apple.com>

        We need to have a getDirectConcurrently for use in the compilers
        https://bugs.webkit.org/show_bug.cgi?id=186954

        Reviewed by Mark Lam.

        It used to be that the propertyStorage of an object never shrunk
        so if you called getDirect with some offset it would never be an
        OOB read. However, this property storage can shrink when calling
        flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
        holds the Structure's ConcurrentJSLock while shrinking. This patch
        adds a getDirectConcurrently that will safely try to load from the
        butterfly.

        * bytecode/ObjectPropertyConditionSet.cpp:
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetConstantProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getDirectConcurrently const):

2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Use Ref<> for the result type of non-failing factory functions
        https://bugs.webkit.org/show_bug.cgi?id=186920

        Reviewed by Darin Adler.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::ThreadBody::ThreadBody):
        (JSC::DFG::Worklist::finishCreation):
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::Thread::Thread):
        * heap/Heap.h:
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::Thread::Thread):
        * jit/JITWorklist.h:
        * runtime/VMTraps.cpp:
        * runtime/VMTraps.h:
        * wasm/WasmWorklist.cpp:
        * wasm/WasmWorklist.h:

2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Add user-defined literal for ASCIILiteral
        https://bugs.webkit.org/show_bug.cgi?id=186839

        Reviewed by Darin Adler.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunctionWithCallback):
        * API/JSTypedArray.cpp:
        (JSObjectGetArrayBufferBytesPtr):
        * API/JSValue.mm:
        (valueToArray):
        (valueToDictionary):
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsFunction):
        (JSC::objCCallbackFunctionCallAsConstructor):
        (JSC::ObjCCallbackFunctionImpl::call):
        * API/glib/JSCCallbackFunction.cpp:
        (JSC::JSCCallbackFunction::call):
        (JSC::JSCCallbackFunction::construct):
        * API/glib/JSCContext.cpp:
        (jscContextJSValueToGValue):
        * API/glib/JSCValue.cpp:
        (jsc_value_object_define_property_accessor):
        (jscValueFunctionCreate):
        * builtins/BuiltinUtils.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::nameForRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorNext):
        (JSC::BytecodeGenerator::emitIteratorClose):
        (JSC::BytecodeGenerator::emitDelegateYield):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::PostfixNode::emitBytecode):
        (JSC::PrefixNode::emitBytecode):
        (JSC::AssignErrorNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::ObjectPatternNode::bindValue const):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        (Inspector::ConsoleMessage::clear):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::InjectedScript):
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapJSONString const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::setExceptionValue):
        (Inspector::InjectedScript::clearExceptionValue):
        (Inspector::InjectedScript::findObjectById const):
        (Inspector::InjectedScript::inspectObject):
        (Inspector::InjectedScript::releaseObject):
        (Inspector::InjectedScript::releaseObjectGroup):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors):
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::profile):
        (Inspector::JSGlobalObjectConsoleClient::profileEnd):
        (Inspector::JSGlobalObjectConsoleClient::timeStamp):
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
        (Inspector::JSJavaScriptCallFrame::type const):
        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::getFirstArgumentAsString):
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::InspectorAgent):
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
        (Inspector::InspectorConsoleAgent::clearMessages):
        (Inspector::InspectorConsoleAgent::count):
        (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
        (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::getScriptSource):
        (Inspector::InspectorDebuggerAgent::getFunctionDetails):
        (Inspector::InspectorDebuggerAgent::resume):
        (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::assertPaused):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::InspectorHeapAgent):
        (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
        (Inspector::InspectorHeapAgent::getPreview):
        (Inspector::InspectorHeapAgent::getRemoteObject):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getPreview):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):
        (Inspector::InspectorRuntimeAgent::saveResult):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
        * inspector/scripts/codegen/cpp_generator_templates.py:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
        (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
        (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::friendlyFunctionName):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::functionName const):
        (JSC::StackVisitor::Frame::sourceURL const):
        * jit/JIT.cpp:
        (JSC::JIT::doMainThreadPreparationBeforeCompile):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (resolvePath):
        (GlobalObject::moduleLoaderImportModule):
        (GlobalObject::moduleLoaderResolve):
        (functionDescribeArray):
        (functionRun):
        (functionLoad):
        (functionCheckSyntax):
        (functionDollarEvalScript):
        (functionDollarAgentStart):
        (functionDollarAgentReceiveBroadcast):
        (functionDollarAgentBroadcast):
        (functionTransferArrayBuffer):
        (functionLoadModule):
        (functionSamplingProfilerStackTraces):
        (functionAsyncTestStart):
        (functionWebAssemblyMemoryMode):
        (runWithOptions):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage const):
        (JSC::Lexer<T>::parseString):
        (JSC::Lexer<T>::parseComplexEscape):
        (JSC::Lexer<T>::parseStringSlowCase):
        (JSC::Lexer<T>::parseTemplateLiteral):
        (JSC::Lexer<T>::lex):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::Parser::setErrorMessage):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::finishCreation):
        * runtime/ArrayBuffer.cpp:
        (JSC::errorMesasgeForTransfer):
        * runtime/ArrayBufferSharingMode.h:
        (JSC::arrayBufferSharingModeName):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        (JSC::isArraySlowInline):
        * runtime/ArrayPrototype.cpp:
        (JSC::setLength):
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncUnShift):
        * runtime/AtomicsObject.cpp:
        (JSC::atomicsFuncWait):
        (JSC::atomicsFuncWake):
        * runtime/BigIntConstructor.cpp:
        (JSC::BigIntConstructor::finishCreation):
        (JSC::toBigInt):
        (JSC::callBigIntConstructor):
        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::toStringName):
        * runtime/BigIntPrototype.cpp:
        (JSC::bigIntProtoFuncToString):
        (JSC::bigIntProtoFuncValueOf):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        * runtime/ConsoleObject.cpp:
        (JSC::valueOrDefaultLabelString):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate):
        (JSC::formateDateInstance):
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToJSON):
        * runtime/Error.cpp:
        (JSC::createNotEnoughArgumentsError):
        (JSC::throwSyntaxError):
        (JSC::createTypeError):
        (JSC::createOutOfMemoryError):
        * runtime/Error.h:
        (JSC::throwVMError):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::sanitizedToString):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionFuzz.cpp:
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionHelpers.cpp:
        (JSC::TerminatedExecutionError::defaultValue):
        (JSC::createStackOverflowError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        * runtime/GetterSetter.cpp:
        (JSC::callSetter):
        * runtime/IntlCollator.cpp:
        (JSC::sortLocaleData):
        (JSC::searchLocaleData):
        (JSC::IntlCollator::initializeCollator):
        (JSC::IntlCollator::compareStrings):
        (JSC::IntlCollator::usageString):
        (JSC::IntlCollator::sensitivityString):
        (JSC::IntlCollator::caseFirstString):
        (JSC::IntlCollator::resolvedOptions):
        * runtime/IntlCollator.h:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::defaultTimeZone):
        (JSC::canonicalizeTimeZoneName):
        (JSC::IntlDTFInternal::localeData):
        (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::weekdayString):
        (JSC::IntlDateTimeFormat::eraString):
        (JSC::IntlDateTimeFormat::yearString):
        (JSC::IntlDateTimeFormat::monthString):
        (JSC::IntlDateTimeFormat::dayString):
        (JSC::IntlDateTimeFormat::hourString):
        (JSC::IntlDateTimeFormat::minuteString):
        (JSC::IntlDateTimeFormat::secondString):
        (JSC::IntlDateTimeFormat::timeZoneNameString):
        (JSC::IntlDateTimeFormat::resolvedOptions):
        (JSC::IntlDateTimeFormat::format):
        (JSC::IntlDateTimeFormat::partTypeString):
        (JSC::IntlDateTimeFormat::formatToParts):
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatNumber):
        (JSC::IntlNumberFormat::styleString):
        (JSC::IntlNumberFormat::currencyDisplayString):
        (JSC::IntlNumberFormat::resolvedOptions):
        (JSC::IntlNumberFormat::partTypeString):
        (JSC::IntlNumberFormat::formatToParts):
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::grandfatheredLangTag):
        (JSC::canonicalizeLocaleList):
        (JSC::resolveLocale):
        (JSC::supportedLocales):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::finishCreation):
        * runtime/IntlPluralRulesPrototype.cpp:
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorClose):
        (JSC::hasIteratorMethod):
        (JSC::iteratorMethod):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        (JSC::JSArray::setLengthWithArrayStorage):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::pop):
        * runtime/JSArray.h:
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        (JSC::arrayBufferProtoGetterFuncByteLength):
        (JSC::sharedArrayBufferProtoGetterFuncByteLength):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::toStringName):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::toNumber const):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        (JSC::JSValue::putToPrimitiveByIndex):
        (JSC::JSValue::toStringSlowCase const):
        * runtime/JSCJSValueInlines.h:
        (JSC::toPreferredPrimitiveType):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::create):
        (JSC::JSDataView::put):
        (JSC::JSDataView::defineOwnProperty):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncIndexOf):
        (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::name const):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncProtoSetter):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSMap.cpp:
        (JSC::JSMap::toStringName):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::put):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::put):
        (JSC::JSModuleNamespaceObject::putByIndex):
        (JSC::JSModuleNamespaceObject::defineOwnProperty):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::calculatedClassName):
        (JSC::ordinarySetSlow):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::ordinaryToPrimitive const):
        (JSC::JSObject::defaultHasInstance):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::validateAndApplyPropertyDescriptor):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInlineForJSObject):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        * runtime/JSSet.cpp:
        (JSC::JSSet::toStringName):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::constructTypedArrayView):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncLength):
        (JSC::typedArrayViewProtoFuncSet):
        (JSC::typedArrayViewProtoFuncCopyWithin):
        (JSC::typedArrayViewProtoFuncLastIndexOf):
        (JSC::typedArrayViewProtoFuncIndexOf):
        (JSC::typedArrayViewProtoFuncJoin):
        (JSC::typedArrayViewProtoGetterFuncBuffer):
        (JSC::typedArrayViewProtoGetterFuncLength):
        (JSC::typedArrayViewProtoGetterFuncByteLength):
        (JSC::typedArrayViewProtoGetterFuncByteOffset):
        (JSC::typedArrayViewProtoFuncReverse):
        (JSC::typedArrayViewPrivateFuncSubarrayCreate):
        (JSC::typedArrayViewProtoFuncSlice):
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/JSWeakMap.cpp:
        (JSC::JSWeakMap::toStringName):
        * runtime/JSWeakSet.cpp:
        (JSC::JSWeakSet::toStringName):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex):
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        (JSC::LiteralParser<CharType>::Lexer::lexNumber):
        (JSC::LiteralParser<CharType>::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::getErrorMessage):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/MapPrototype.cpp:
        (JSC::getMap):
        * runtime/NullSetterFunction.cpp:
        (JSC::NullSetterFunctionInternal::callReturnUndefined):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::extractToStringRadixArgument):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::toPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        (JSC::objectConstructorDefineProperties):
        (JSC::objectConstructorCreate):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsSub):
        (JSC::jsMul):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/ProxyConstructor.cpp:
        (JSC::makeRevocableProxy):
        (JSC::proxyRevocableConstructorThrowError):
        (JSC::ProxyConstructor::finishCreation):
        (JSC::constructProxyObject):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::toStringName):
        (JSC::ProxyObject::finishCreation):
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        (JSC::reflectObjectDefineProperty):
        (JSC::reflectObjectGet):
        (JSC::reflectObjectGetOwnPropertyDescriptor):
        (JSC::reflectObjectGetPrototypeOf):
        (JSC::reflectObjectIsExtensible):
        (JSC::reflectObjectOwnKeys):
        (JSC::reflectObjectPreventExtensions):
        (JSC::reflectObjectSet):
        (JSC::reflectObjectSetPrototypeOf):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        (JSC::toFlags):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoGetterGlobal):
        (JSC::regExpProtoGetterIgnoreCase):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterDotAll):
        (JSC::regExpProtoGetterSticky):
        (JSC::regExpProtoGetterUnicode):
        (JSC::regExpProtoGetterFlags):
        (JSC::regExpProtoGetterSourceInternal):
        (JSC::regExpProtoGetterSource):
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeAsString):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::displayName):
        (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/SetPrototype.cpp:
        (JSC::getSet):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::SparseArrayEntry::put):
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::sourceURL const):
        (JSC::StackFrame::functionName const):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCodePoint):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::toLocaleCase):
        (JSC::stringProtoFuncNormalize):
        * runtime/Symbol.cpp:
        (JSC::Symbol::toNumber const):
        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::toStringName):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::dumpTypes const):
        (JSC::TypeSet::displayName const):
        (JSC::StructureShape::leastCommonAncestor):
        * runtime/TypeSet.h:
        (JSC::StructureShape::setConstructorName):
        * runtime/VM.cpp:
        (JSC::VM::dumpTypeProfilerData):
        * runtime/WeakMapPrototype.cpp:
        (JSC::getWeakMap):
        (JSC::protoFuncWeakMapSet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::getWeakSet):
        (JSC::protoFuncWeakSetAdd):
        * tools/JSDollarVM.cpp:
        (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
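
The race the first entry above describes, as an added illustration that is not JavaScriptCore's code: a compiler thread holding an offset it validated earlier, while the mutator shrinks the object's out-of-line property storage under the Structure's lock. The stand-in `StructureLock` is a constructed try-lockable spin lock in place of ConcurrentJSLock, the `Object`, `getDirect`, `getDirectConcurrently`, `flattenTo` and `whileShrinkInProgress` names are hypothetical, and the bounds re-check against the current storage size is this example's reading of "safely try to load", not a description of JSC's actual check. The unchecked `getDirect` is kept beside the concurrent variant to show what the compiler threads must no longer call.

```cpp
#include <atomic>
#include <cstddef>
#include <vector>

// Constructed try-lockable lock standing in for the Structure's ConcurrentJSLock.
// A plain spin lock is used so the same thread can demonstrate a failed tryLock.
class StructureLock {
public:
    bool tryLock() { return !m_held.exchange(true, std::memory_order_acquire); }
    void lock() { while (!tryLock()) { } }
    void unlock() { m_held.store(false, std::memory_order_release); }
private:
    std::atomic<bool> m_held { false };
};

// Hypothetical object whose out-of-line property storage ("butterfly") can shrink.
class Object {
public:
    explicit Object(std::size_t slotCount)
    {
        for (std::size_t i = 0; i < slotCount; ++i)
            m_butterfly.push_back(static_cast<int>(i * 10)); // constructed slot values
    }

    // Mutator-thread read: trusts the offset, as getDirect did before the patch.
    // Only safe on the thread that knows the storage cannot shrink underneath it.
    int getDirect(std::size_t offset) const { return m_butterfly[offset]; }

    // Compiler-thread read: tryLock so a compiler thread never blocks the mutator,
    // then re-validate the offset against the storage size that is current while
    // the lock is held. Returns false, loading nothing, if a shrink is in progress
    // or the offset no longer lies inside the storage.
    bool getDirectConcurrently(std::size_t offset, int& out) const
    {
        if (!m_structureLock.tryLock())
            return false;
        bool inBounds = offset < m_butterfly.size();
        if (inBounds)
            out = m_butterfly[offset];
        m_structureLock.unlock();
        return inBounds;
    }

    // Shrinks property storage under the lock, as the entry says
    // flattenDictionaryStructure does.
    void flattenTo(std::size_t newSlotCount)
    {
        m_structureLock.lock();
        if (newSlotCount < m_butterfly.size())
            m_butterfly.resize(newSlotCount);
        m_structureLock.unlock();
    }

    // Runs `work` with the lock held, simulating a shrink that another thread
    // has started but not finished when a concurrent read is attempted.
    template<typename Work>
    void whileShrinkInProgress(Work work)
    {
        m_structureLock.lock();
        work();
        m_structureLock.unlock();
    }

private:
    mutable StructureLock m_structureLock;
    std::vector<int> m_butterfly;
};

// Scenario 1: an offset that was valid is used again after the storage shrank.
// The concurrent accessor must refuse the stale offset but still serve valid ones.
bool staleOffsetIsRefused()
{
    Object object(8);
    int value = 0;
    bool before = object.getDirectConcurrently(5, value) && value == 50;
    object.flattenTo(2); // slot 5 is gone; getDirect(5) would now read past the storage
    bool after = !object.getDirectConcurrently(5, value);
    bool stillValid = object.getDirectConcurrently(1, value) && value == 10;
    return before && after && stillValid;
}

// Scenario 2: the shrink is in progress (lock held), so the read must back off
// without touching the storage at all.
bool inProgressShrinkIsRefused()
{
    Object object(4);
    int value = -1;
    bool loaded = true;
    object.whileShrinkInProgress([&] { loaded = object.getDirectConcurrently(1, value); });
    bool refused = !loaded && value == -1;
    bool afterwards = object.getDirectConcurrently(1, value) && value == 10;
    return refused && afterwards;
}
```

The two things a reviewer would look for in a real accessor of this shape are both here: the load happens only between a successful tryLock and the matching unlock, and the bounds decision is made from the size observed under that lock rather than from whatever the caller remembered.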
671         (WTF::DOMJITGetterComplex::customGetter):
672         (JSC::functionSetImpureGetterDelegate):
673         (JSC::functionCreateElement):
674         (JSC::functionGetHiddenValue):
675         (JSC::functionSetHiddenValue):
676         (JSC::functionFindTypeForExpression):
677         (JSC::functionReturnTypeFor):
678         (JSC::functionLoadGetterFromGetterSetter):
679         * wasm/WasmB3IRGenerator.cpp:
680         (JSC::Wasm::B3IRGenerator::fail const):
681         * wasm/WasmIndexOrName.cpp:
682         (JSC::Wasm::makeString):
683         * wasm/WasmParser.h:
684         (JSC::Wasm::FailureHelper::makeString):
685         (JSC::Wasm::Parser::fail const):
686         * wasm/WasmPlan.cpp:
687         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
688         * wasm/WasmValidate.cpp:
689         (JSC::Wasm::Validate::fail const):
690         * wasm/js/JSWebAssemblyCodeBlock.cpp:
691         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
692         * wasm/js/JSWebAssemblyHelpers.h:
693         (JSC::toNonWrappingUint32):
694         (JSC::getWasmBufferFromValue):
695         * wasm/js/JSWebAssemblyInstance.cpp:
696         (JSC::JSWebAssemblyInstance::create):
697         * wasm/js/JSWebAssemblyMemory.cpp:
698         (JSC::JSWebAssemblyMemory::grow):
699         * wasm/js/WasmToJS.cpp:
700         (JSC::Wasm::handleBadI64Use):
701         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
702         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
703         * wasm/js/WebAssemblyInstanceConstructor.cpp:
704         (JSC::constructJSWebAssemblyInstance):
705         (JSC::WebAssemblyInstanceConstructor::finishCreation):
706         * wasm/js/WebAssemblyInstancePrototype.cpp:
707         (JSC::getInstance):
708         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
709         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
710         * wasm/js/WebAssemblyMemoryConstructor.cpp:
711         (JSC::constructJSWebAssemblyMemory):
712         (JSC::WebAssemblyMemoryConstructor::finishCreation):
713         * wasm/js/WebAssemblyMemoryPrototype.cpp:
714         (JSC::getMemory):
715         * wasm/js/WebAssemblyModuleConstructor.cpp:
716         (JSC::webAssemblyModuleCustomSections):
717         (JSC::webAssemblyModuleImports):
718         (JSC::webAssemblyModuleExports):
719         (JSC::WebAssemblyModuleConstructor::finishCreation):
720         * wasm/js/WebAssemblyModuleRecord.cpp:
721         (JSC::WebAssemblyModuleRecord::link):
722         (JSC::dataSegmentFail):
723         (JSC::WebAssemblyModuleRecord::evaluate):
724         * wasm/js/WebAssemblyPrototype.cpp:
725         (JSC::resolve):
726         (JSC::webAssemblyInstantiateFunc):
727         (JSC::webAssemblyInstantiateStreamingInternal):
728         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
729         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
730         * wasm/js/WebAssemblyTableConstructor.cpp:
731         (JSC::constructJSWebAssemblyTable):
732         (JSC::WebAssemblyTableConstructor::finishCreation):
733         * wasm/js/WebAssemblyTablePrototype.cpp:
734         (JSC::getTable):
735         (JSC::webAssemblyTableProtoFuncGrow):
736         (JSC::webAssemblyTableProtoFuncGet):
737         (JSC::webAssemblyTableProtoFuncSet):
738
739 2018-06-22  Keith Miller  <keith_miller@apple.com>
740
741         unshift should zero unused property storage
742         https://bugs.webkit.org/show_bug.cgi?id=186960
743
744         Reviewed by Saam Barati.
745
746         Also, this patch adds the zeroed unused property storage assertion
747         to one more place it was missing.
748
749         * runtime/JSArray.cpp:
750         (JSC::JSArray::unshiftCountSlowCase):
751         * runtime/JSObjectInlines.h:
752         (JSC::JSObject::putDirectInternal):
753
754 2018-06-22  Mark Lam  <mark.lam@apple.com>
755
756         PropertyCondition::isValidValueForAttributes() should also consider deleted values.
757         https://bugs.webkit.org/show_bug.cgi?id=186943
758         <rdar://problem/41370337>
759
760         Reviewed by Saam Barati.
761
762         PropertyCondition::isValidValueForAttributes() should check if the passed in value
763         is a deleted one before it does a jsDynamicCast on it.
764
765         * bytecode/PropertyCondition.cpp:
766         (JSC::PropertyCondition::isValidValueForAttributes):
767         * runtime/JSCJSValueInlines.h:
768         - removed an unnecessary #if.
769
770 2018-06-22  Keith Miller  <keith_miller@apple.com>
771
772         performProxyCall should toThis the value passed to its handler
773         https://bugs.webkit.org/show_bug.cgi?id=186951
774
775         Reviewed by Mark Lam.
776
777         * runtime/ProxyObject.cpp:
778         (JSC::performProxyCall):
779
780 2018-06-22  Saam Barati  <sbarati@apple.com>
781
782         ensureWritableX should only convert away from CoW when it will succeed
783         https://bugs.webkit.org/show_bug.cgi?id=186898
784
785         Reviewed by Keith Miller.
786
787         Otherwise, when we OSR exit, we'll end up profiling the array after
788         it has been converted away from CoW. It's better for the ArrayProfile
789         to see the array as it's still in CoW mode.
790         
791         This patch also renames ensureWritableX to tryMakeWritableX since these
792         were never really "ensure" operations -- they may fail and return null.
793
794         * dfg/DFGOperations.cpp:
795         * runtime/JSObject.cpp:
796         (JSC::JSObject::tryMakeWritableInt32Slow):
797         (JSC::JSObject::tryMakeWritableDoubleSlow):
798         (JSC::JSObject::tryMakeWritableContiguousSlow):
799         (JSC::JSObject::ensureWritableInt32Slow): Deleted.
800         (JSC::JSObject::ensureWritableDoubleSlow): Deleted.
801         (JSC::JSObject::ensureWritableContiguousSlow): Deleted.
802         * runtime/JSObject.h:
803         (JSC::JSObject::tryMakeWritableInt32):
804         (JSC::JSObject::tryMakeWritableDouble):
805         (JSC::JSObject::tryMakeWritableContiguous):
806         (JSC::JSObject::ensureWritableInt32): Deleted.
807         (JSC::JSObject::ensureWritableDouble): Deleted.
808         (JSC::JSObject::ensureWritableContiguous): Deleted.
809
810 2018-06-22  Keith Miller  <keith_miller@apple.com>
811
812         We should call visitChildren on Base not the exact typename
813         https://bugs.webkit.org/show_bug.cgi?id=186928
814
815         Reviewed by Mark Lam.
816
817         A lot of places were not properly calling visitChildren on their
818         superclass. For most of them it didn't matter because they had
819         immortal structures. If code changed in the future this might
820         break things however.
821
822         Also, block off more of the MethodTable for GetterSetter objects.
823
824         * bytecode/CodeBlock.cpp:
825         (JSC::CodeBlock::visitChildren):
826         * bytecode/ExecutableToCodeBlockEdge.cpp:
827         (JSC::ExecutableToCodeBlockEdge::visitChildren):
828         * debugger/DebuggerScope.cpp:
829         (JSC::DebuggerScope::visitChildren):
830         * runtime/EvalExecutable.cpp:
831         (JSC::EvalExecutable::visitChildren):
832         * runtime/FunctionExecutable.cpp:
833         (JSC::FunctionExecutable::visitChildren):
834         * runtime/FunctionRareData.cpp:
835         (JSC::FunctionRareData::visitChildren):
836         * runtime/GenericArgumentsInlines.h:
837         (JSC::GenericArguments<Type>::visitChildren):
838         * runtime/GetterSetter.cpp:
839         (JSC::GetterSetter::visitChildren):
840         * runtime/GetterSetter.h:
841         * runtime/InferredType.cpp:
842         (JSC::InferredType::visitChildren):
843         * runtime/InferredTypeTable.cpp:
844         (JSC::InferredTypeTable::visitChildren):
845         * runtime/InferredValue.cpp:
846         (JSC::InferredValue::visitChildren):
847         * runtime/JSArrayBufferView.cpp:
848         (JSC::JSArrayBufferView::visitChildren):
849         * runtime/JSGenericTypedArrayViewInlines.h:
850         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
851         * runtime/ModuleProgramExecutable.cpp:
852         (JSC::ModuleProgramExecutable::visitChildren):
853         * runtime/ProgramExecutable.cpp:
854         (JSC::ProgramExecutable::visitChildren):
855         * runtime/ScopedArguments.cpp:
856         (JSC::ScopedArguments::visitChildren):
857         * runtime/ScopedArguments.h:
858         * runtime/Structure.cpp:
859         (JSC::Structure::visitChildren):
860         * runtime/StructureRareData.cpp:
861         (JSC::StructureRareData::visitChildren):
862         * runtime/SymbolTable.cpp:
863         (JSC::SymbolTable::visitChildren):
864
865 2018-06-20  Darin Adler  <darin@apple.com>
866
867         [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity
868         https://bugs.webkit.org/show_bug.cgi?id=186875
869
870         Reviewed by Anders Carlsson.
871
872         * API/tests/testapi.mm:
873         (testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file.
874
875 2018-06-22  Carlos Garcia Campos  <cgarcia@igalia.com>
876
877         [GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message
878         https://bugs.webkit.org/show_bug.cgi?id=186915
879
880         Reviewed by Žan Doberšek.
881
882         Update StartAutomationSession message handling to receive a dictionary of session capabilities.
883
884         * inspector/remote/glib/RemoteInspectorServer.cpp:
885         (Inspector::processSessionCapabilities): Helper method to process the session capabilities.
886
887 2018-06-21  Mark Lam  <mark.lam@apple.com>
888
889         WebKit (JavaScriptCore) compilation error with Clang ≥ 6.
890         https://bugs.webkit.org/show_bug.cgi?id=185947
891         <rdar://problem/40131933>
892
893         Reviewed by Saam Barati.
894
895         Newer Clang versions (due to C++17 support) are not happy with how I implemented
896         conversions between CodeLocation types.  We'll fix this by adding a conversion
897         operator for converting between CodeLocation types.
898
899         * assembler/CodeLocation.h:
900         (JSC::CodeLocationCommon::operator T):
901
902 2018-06-21  Saam Barati  <sbarati@apple.com>
903
904         Do some CoW cleanup
905         https://bugs.webkit.org/show_bug.cgi?id=186896
906
907         Reviewed by Mark Lam.
908
909         * bytecode/UnlinkedCodeBlock.h:
910         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
911         We don't need to WTFMove() ints.
912
913         * dfg/DFGByteCodeParser.cpp:
914         (JSC::DFG::ByteCodeParser::parseBlock):
915         remove a TODO.
916
917         * runtime/JSObject.cpp:
918         (JSC::JSObject::putByIndex):
919         We were checking for isCopyOnWrite even after we converted away
920         from CoW in above code.
921         (JSC::JSObject::ensureWritableInt32Slow):
922         Model this in the same way the other ensureWritableXSlow are modeled.
923
924 2018-06-20  Keith Miller  <keith_miller@apple.com>
925
926         flattenDictionaryStructure needs to zero inline storage.
927         https://bugs.webkit.org/show_bug.cgi?id=186869
928
929         Reviewed by Saam Barati.
930
931         This patch also adds the assertion that unused property storage is
932         zero or JSValue() to putDirectInternal. Additionally, functions
933         have been added to $vm that flatten dictionary objects and return
934         the inline capacity of an object.
935
936         * runtime/JSObjectInlines.h:
937         (JSC::JSObject::putDirectInternal):
938         * runtime/Structure.cpp:
939         (JSC::Structure::flattenDictionaryStructure):
940         * tools/JSDollarVM.cpp:
941         (JSC::functionInlineCapacity):
942         (JSC::functionFlattenDictionaryObject):
943         (JSC::JSDollarVM::finishCreation):
944
945 2018-06-21  Mark Lam  <mark.lam@apple.com>
946
947         Use IsoCellSets to track Executables with clearable code.
948         https://bugs.webkit.org/show_bug.cgi?id=186877
949
950         Reviewed by Filip Pizlo.
951
952         Here’s an example of the results that this fix may yield: 
953         1. The workload: load cnn.com, wait for it to fully load, scroll down and up.
954         2. Statistics on memory touched and memory freed by VM::deleteAllCode():
955
956            Visiting Executables:
957                                                         Old             New
958            Number of objects visited:                   70897           14264
959            Number of objects with deletable code:       14264 (20.1%)   14264 (100%)
960            Number of memory pages visited:              3224            1602
961            Number of memory pages with deletable code:  1602 (49.7%)    1602 (100%)
962
963            Visiting UnlinkedFunctionExecutables:
964                                                         Old             New
965            Number of objects visited:                   105454          17231
966            Number of objects with deletable code:       42319 (20.1%)   17231 (100%) **
967            Number of memory pages visited:              4796            1349
968            Number of memory pages with deletable code:  4013 (83.7%)    1349 (100%)
969
970         ** The number of objects differ because the old code only visits unlinked
971            executables indirectly via linked executables, whereas the new behavior visits
972            all unlinked executables with deletable code directly.  This means:
973
974            a. we used to not visit unlinked executables that have not been linked yet
975               i.e. deleteAllCode() may not delete all code (especially code that is not
976               used).
977            b. we had to visit all linked executables to check if they are of type
978               FunctionExecutable, before going on to visit their unlinked executable, and
979               this includes the ones that do not have deletable code.  This means that we
980               would touch more memory in the process.
981
982            Both of these issues are now fixed with the new code.
983
984         This code was tested with manually inserted instrumentation to track the above
985         statistics.  It is not feasible to write an automated test for this without
986         leaving a lot of invasive instrumentation in the code.
987
988         * bytecode/UnlinkedFunctionExecutable.cpp:
989         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
990         * bytecode/UnlinkedFunctionExecutable.h:
991         * heap/CodeBlockSetInlines.h:
992         (JSC::CodeBlockSet::iterateViaSubspaces):
993         * heap/Heap.cpp:
994         (JSC::Heap::deleteAllCodeBlocks):
995         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
996         (JSC::Heap::deleteUnmarkedCompiledCode):
997         (JSC::Heap::clearUnmarkedExecutables): Deleted.
998         (JSC::Heap::addExecutable): Deleted.
999         * heap/Heap.h:
1000         * runtime/DirectEvalExecutable.h:
1001
1002         * runtime/ExecutableBase.cpp:
1003         (JSC::ExecutableBase::hasClearableCode const):
1004         - this is written based on the implementation of ExecutableBase::clearCode().
1005
1006         * runtime/ExecutableBase.h:
1007         * runtime/FunctionExecutable.h:
1008         * runtime/IndirectEvalExecutable.h:
1009         * runtime/ModuleProgramExecutable.h:
1010         * runtime/ProgramExecutable.h:
1011         * runtime/ScriptExecutable.cpp:
1012         (JSC::ScriptExecutable::clearCode):
1013         (JSC::ScriptExecutable::installCode):
1014         * runtime/ScriptExecutable.h:
1015         (JSC::ScriptExecutable::finishCreation):
1016         * runtime/VM.cpp:
1017         (JSC::VM::VM):
1018         * runtime/VM.h:
1019         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
1020         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
1021         (JSC::VM::forEachScriptExecutableSpace):
1022         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet):
1023         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor):
1024
1025 2018-06-21  Zan Dobersek  <zdobersek@igalia.com>
1026
1027         [GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions
1028         https://bugs.webkit.org/show_bug.cgi?id=186884
1029
1030         Reviewed by Carlos Garcia Campos.
1031
1032         Add a tuple array input parameter to the StartAutomationSession DBus
1033         message, representing a list of host-and-certificate pairs that have to
1034         be allowed for a given session. This array is then unpacked and used to
1035         fill out the certificates Vector object in the SessionCapabilities
1036         struct.
1037
1038         * inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of
1039         String pairs representing hosts and the certificate file paths.
1040         * inspector/remote/glib/RemoteInspectorServer.cpp:
1041
1042 2018-06-20  Keith Miller  <keith_miller@apple.com>
1043
1044         Expand concurrent GC assertion to accept JSValue() or 0
1045         https://bugs.webkit.org/show_bug.cgi?id=186855
1046
1047         Reviewed by Mark Lam.
1048
1049         We tend to set unused property slots to either JSValue() or 0
1050         depending on the context. On 64-bit these are the same but on
1051         32-bit JSValue() has a NaN tag. This patch makes it so we
1052         accept either JSValue() or 0.
1053
1054         * runtime/JSObjectInlines.h:
1055         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1056
1057 2018-06-20  Guillaume Emont  <guijemont@igalia.com>
1058
1059         [Armv7] Linkbuffer: executableOffsetFor() fails for location 2
1060         https://bugs.webkit.org/show_bug.cgi?id=186765
1061
1062         Reviewed by Michael Saboff.
1063
1064         This widens the check for 0 so that we handle that case more correctly.
1065
1066         * assembler/LinkBuffer.h:
1067         (JSC::LinkBuffer::executableOffsetFor):
1068
1069 2018-06-19  Keith Miller  <keith_miller@apple.com>
1070
1071         Fix broken assertion on 32-bit
1072         https://bugs.webkit.org/show_bug.cgi?id=186830
1073
1074         Reviewed by Mark Lam.
1075
1076         The assertion was intended to catch concurrent GC issues. We don't
1077         run them on 32-bit so we don't need this assertion there. The
1078         assertion was broken because zero is not JSValue() on 32-bit.
1079
1080         * runtime/JSObjectInlines.h:
1081         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1082
1083 2018-06-19  Keith Miller  <keith_miller@apple.com>
1084
1085         flattenDictionaryStructure needs to zero properties that have been compressed away
1086         https://bugs.webkit.org/show_bug.cgi?id=186828
1087
1088         Reviewed by Mark Lam.
1089
1090         This patch fixes a bunch of crashing Mozilla tests on the bots.
1091
1092         * runtime/Structure.cpp:
1093         (JSC::Structure::flattenDictionaryStructure):
1094
1095 2018-06-19  Saam Barati  <sbarati@apple.com>
1096
1097         DirectArguments::create needs to initialize to undefined instead of the empty value
1098         https://bugs.webkit.org/show_bug.cgi?id=186818
1099         <rdar://problem/38415177>
1100
1101         Reviewed by Filip Pizlo.
1102
1103         The bug here is that we will emit code that just loads from DirectArguments as
1104         long as the index is within the known capacity of the arguments object (op_get_from_arguments).
1105         The arguments object has at least enough capacity to hold the declared parameters.
1106         When we materialized this object in OSR exit, we initialized up to the capacity
1107         with JSValue(). In OSR exit, though, we only filled up to the length of the
1108         object with actual values. So we'd end up with a DirectArguments object with
1109         capacity minus length slots of JSValue(). To fix this, we need to initialize up to
1110         capacity with jsUndefined during construction. The invariant of this object is
1111         that the capacity minus length slots at the end are filled in with jsUndefined.
1112
1113         * runtime/DirectArguments.cpp:
1114         (JSC::DirectArguments::create):
1115
1116 2018-06-19  Michael Saboff  <msaboff@apple.com>
1117
1118         Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
1119         https://bugs.webkit.org/show_bug.cgi?id=186827
1120
1121         Reviewed by Saam Barati.
1122
1123         Need to set VM::lastStackTop before any possible calls to sanitizeStack().
1124
1125         * runtime/JSLock.cpp:
1126         (JSC::JSLock::didAcquireLock):
1127
1128 2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>
1129
1130         ShadowChicken crashes with stack overflow in the LLInt
1131         https://bugs.webkit.org/show_bug.cgi?id=186540
1132         <rdar://problem/39682133>
1133
1134         Reviewed by Saam Barati.
1135
1136         Stack overflows in the LLInt were crashing in ShadowChicken when compiling
1137         with debug opcodes because it was accessing the scope of the incomplete top
1138         frame, which hadn't been set yet. Check that we have moved past the first
1139         opcode (enter) and that the scope is not undefined (enter will
1140         initialize it to undefined).
1141
1142         * interpreter/ShadowChicken.cpp:
1143         (JSC::ShadowChicken::update):
1144
1145 2018-06-19  Keith Miller  <keith_miller@apple.com>
1146
1147         constructArray variants should take the slow path for subclasses of Array
1148         https://bugs.webkit.org/show_bug.cgi?id=186812
1149
1150         Reviewed by Saam Barati and Mark Lam.
1151
1152         This patch fixes a crashing test in ObjectInitializationScope where we would
1153         allocate a new structure for an indexing type change while initializing
1154         a subclass of Array. Since the new array hasn't been fully initialized
1155         if the GC ran it would see garbage and we might crash.
1156
1157         * runtime/JSArray.cpp:
1158         (JSC::constructArray):
1159         (JSC::constructArrayNegativeIndexed):
1160         * runtime/JSArray.h:
1161         (JSC::constructArray): Deleted.
1162         (JSC::constructArrayNegativeIndexed): Deleted.
1163
1164 2018-06-19  Saam Barati  <sbarati@apple.com>
1165
1166         Wasm: Any function argument of type Void should be a validation error
1167         https://bugs.webkit.org/show_bug.cgi?id=186794
1168         <rdar://problem/41140257>
1169
1170         Reviewed by Keith Miller.
1171
1172         * wasm/WasmModuleParser.cpp:
1173         (JSC::Wasm::ModuleParser::parseType):
1174
1175 2018-06-18  Keith Miller  <keith_miller@apple.com>
1176
1177         JSImmutableButterfly should assert m_header is adjacent to the data
1178         https://bugs.webkit.org/show_bug.cgi?id=186795
1179
1180         Reviewed by Saam Barati.
1181
1182         * runtime/JSImmutableButterfly.cpp:
1183         * runtime/JSImmutableButterfly.h:
1184
1185 2018-06-18  Keith Miller  <keith_miller@apple.com>
1186
1187         Unreviewed, fix the build...
1188
1189         * runtime/JSArray.cpp:
1190         (JSC::JSArray::tryCreateUninitializedRestricted):
1191
1192 2018-06-18  Keith Miller  <keith_miller@apple.com>
1193
1194         Unreviewed, remove bad assertion.
1195
1196         * runtime/JSArray.cpp:
1197         (JSC::JSArray::tryCreateUninitializedRestricted):
1198
1199 2018-06-18  Keith Miller  <keith_miller@apple.com>
1200
1201         Properly zero unused property storage offsets
1202         https://bugs.webkit.org/show_bug.cgi?id=186692
1203
1204         Reviewed by Filip Pizlo.
1205
1206         Since the concurrent GC might see a property slot before the mutator has actually
1207         stored the value there, we need to ensure that slot doesn't have garbage in it.
1208
1209         Right now when calling constructConvertedArrayStorageWithoutCopyingElements
1210         or creating a RegExp matches array, we never cleared the unused
1211         property storage. ObjectInitializationScope has also been upgraded
1212         to look for our invariants around property storage. Additionally,
1213         a new assertion has been added to check for JSValue() when adding
1214         a new property.
1215
1216         We used to put undefined into deleted property offsets. To
1217         make things simpler, this patch causes us to store JSValue() there
1218         instead.
1219
1220         Lastly, this patch fixes an issue where we would initialize the
1221         array storage of RegExpMatchesArray twice. First with 0 and
1222         secondly with the actual result. Now we only zero memory between
1223         vector length and public length.
1224
1225         * runtime/Butterfly.h:
1226         (JSC::Butterfly::offsetOfVectorLength):
1227         * runtime/ButterflyInlines.h:
1228         (JSC::Butterfly::tryCreateUninitialized):
1229         (JSC::Butterfly::createUninitialized):
1230         (JSC::Butterfly::tryCreate):
1231         (JSC::Butterfly::create):
1232         (JSC::Butterfly::createOrGrowPropertyStorage):
1233         (JSC::Butterfly::createOrGrowArrayRight):
1234         (JSC::Butterfly::growArrayRight):
1235         (JSC::Butterfly::resizeArray):
1236         * runtime/JSArray.cpp:
1237         (JSC::JSArray::tryCreateUninitializedRestricted):
1238         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
1239         * runtime/JSArray.h:
1240         (JSC::tryCreateArrayButterfly):
1241         * runtime/JSObject.cpp:
1242         (JSC::JSObject::createArrayStorageButterfly):
1243         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1244         (JSC::JSObject::deleteProperty):
1245         (JSC::JSObject::shiftButterflyAfterFlattening):
1246         * runtime/JSObject.h:
1247         * runtime/JSObjectInlines.h:
1248         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1249         * runtime/ObjectInitializationScope.cpp:
1250         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
1251         * runtime/ObjectInitializationScope.h:
1252         (JSC::ObjectInitializationScope::release):
1253         * runtime/RegExpMatchesArray.h:
1254         (JSC::tryCreateUninitializedRegExpMatchesArray):
1255         (JSC::createRegExpMatchesArray):
1256
1257         * runtime/Butterfly.h:
1258         (JSC::Butterfly::offsetOfVectorLength):
1259         * runtime/ButterflyInlines.h:
1260         (JSC::Butterfly::tryCreateUninitialized):
1261         (JSC::Butterfly::createUninitialized):
1262         (JSC::Butterfly::tryCreate):
1263         (JSC::Butterfly::create):
1264         (JSC::Butterfly::createOrGrowPropertyStorage):
1265         (JSC::Butterfly::createOrGrowArrayRight):
1266         (JSC::Butterfly::growArrayRight):
1267         (JSC::Butterfly::resizeArray):
1268         * runtime/JSArray.cpp:
1269         (JSC::JSArray::tryCreateUninitializedRestricted):
1270         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
1271         * runtime/JSArray.h:
1272         (JSC::tryCreateArrayButterfly):
1273         * runtime/JSObject.cpp:
1274         (JSC::JSObject::createArrayStorageButterfly):
1275         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1276         (JSC::JSObject::deleteProperty):
1277         (JSC::JSObject::shiftButterflyAfterFlattening):
1278         * runtime/JSObject.h:
1279         * runtime/JSObjectInlines.h:
1280         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1281         * runtime/ObjectInitializationScope.cpp:
1282         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
1283         * runtime/RegExpMatchesArray.cpp:
1284         (JSC::createEmptyRegExpMatchesArray):
1285         * runtime/RegExpMatchesArray.h:
1286         (JSC::tryCreateUninitializedRegExpMatchesArray):
1287         (JSC::createRegExpMatchesArray):
1288
1289 2018-06-18  Tadeu Zagallo  <tzagallo@apple.com>
1290
1291         Share structure across instances of classes exported through the ObjC API
1292         https://bugs.webkit.org/show_bug.cgi?id=186579
1293         <rdar://problem/40969212>
1294
1295         Reviewed by Saam Barati.
1296
1297         A new structure was being created for each instance of exported ObjC
1298         classes due to setting the prototype in the structure for every object,
1299         since prototype transitions are not cached by the structure. Cache the
1300         Structure in the JSObjcClassInfo to avoid the transition.
1301
1302         * API/JSWrapperMap.mm:
1303         (-[JSObjCClassInfo wrapperForObject:inContext:]):
1304         (-[JSObjCClassInfo structureInContext:]):
1305         * API/tests/JSWrapperMapTests.h: Added.
1306         * API/tests/JSWrapperMapTests.mm: Added.
1307         (+[JSWrapperMapTests testStructureIdentity]):
1308         (runJSWrapperMapTests):
1309         * API/tests/testapi.mm:
1310         (testObjectiveCAPIMain):
1311         * JavaScriptCore.xcodeproj/project.pbxproj:
1312
1313 2018-06-18  Michael Saboff  <msaboff@apple.com>
1314
1315         Support Unicode 11 in RegExp
1316         https://bugs.webkit.org/show_bug.cgi?id=186685
1317
1318         Reviewed by Mark Lam.
1319
1320         Updated the UCD tables used to generate RegExp property tables to version 11.0.
1321
1322         * Scripts/generateYarrUnicodePropertyTables.py:
1323         * ucd/CaseFolding.txt:
1324         * ucd/DerivedBinaryProperties.txt:
1325         * ucd/DerivedCoreProperties.txt:
1326         * ucd/DerivedNormalizationProps.txt:
1327         * ucd/PropList.txt:
1328         * ucd/PropertyAliases.txt:
1329         * ucd/PropertyValueAliases.txt:
1330         * ucd/ScriptExtensions.txt:
1331         * ucd/Scripts.txt:
1332         * ucd/UnicodeData.txt:
1333         * ucd/emoji-data.txt:
1334
1335 2018-06-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>
1336
1337         [WTF] Remove workarounds needed to support libstdc++-4
1338         https://bugs.webkit.org/show_bug.cgi?id=186762
1339
1340         Reviewed by Michael Catanzaro.
1341
1342         Revert r226299, r226300, r226301 and r226302.
1343
1344         * API/tests/TypedArrayCTest.cpp:
1345         (assertEqualsAsNumber):
1346
1347 2018-06-16  Michael Catanzaro  <mcatanzaro@igalia.com>
1348
1349         REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
1350         https://bugs.webkit.org/show_bug.cgi?id=182923
1351
1352         Reviewed by Mark Lam.
1353
1354         The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
1355         Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.
1356
1357         * heap/MarkedBlock.h:
1358
1359 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1360
1361         [JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
1362         https://bugs.webkit.org/show_bug.cgi?id=186723
1363
1364         Reviewed by Mark Lam.
1365
1366         Now, the CoW -> non-CoW transition is a heavy path. We inline the part of Structure::nonPropertyTransition
1367         to catch the major path. And we also inline JSArray::pushInline to spread this in operationArrayPushMultiple.
1368
1369         This patch improves SixSpeed/spread-literal.es5.
1370
1371                                      baseline                  patched
1372
1373         spread-literal.es5      114.4140+-4.5146     ^    104.5475+-3.6157        ^ definitely 1.0944x faster
1374
1375         * runtime/JSArrayInlines.h:
1376         (JSC::JSArray::pushInline):
1377         * runtime/Structure.cpp:
1378         (JSC::Structure::nonPropertyTransitionSlow):
1379         (JSC::Structure::nonPropertyTransition): Deleted.
1380         * runtime/Structure.h:
1381         * runtime/StructureInlines.h:
1382         (JSC::Structure::nonPropertyTransition):
1383
1384 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1385
1386         [DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
1387         https://bugs.webkit.org/show_bug.cgi?id=186721
1388
1389         Reviewed by Keith Miller.
1390
1391         We still have several other OSRExits, but this patch reduces them.
1392
1393         1. While ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
1394         So DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.
1395
1396         2. The CoW patch removed ArrayAllocationProfile updates. This makes the allocated JSImmutableButterfly
1397         inappropriate.
1398
1399         These changes fix the Kraken/crypto-aes regression a bit.
1400
1401                                       baseline                  patched
1402
1403         stanford-crypto-aes        63.718+-2.312      ^      56.140+-0.966         ^ definitely 1.1350x faster
1404
1405
1406         * dfg/DFGByteCodeParser.cpp:
1407         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1408         * ftl/FTLOperations.cpp:
1409         (JSC::FTL::operationMaterializeObjectInOSR):
1410         * runtime/CommonSlowPaths.cpp:
1411         (JSC::SLOW_PATH_DECL):
1412
1413 2018-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1414
1415         [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
1416         https://bugs.webkit.org/show_bug.cgi?id=186460
1417
1418         Reviewed by Saam Barati.
1419
1420         Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
1421         We should return JSFixedArray for Spread. This patch adds code generating
1422         a JSFixedArray from JSImmutableButterfly.
1423
1424         Merging JSFixedArray into JSImmutableButterfly is a possible future extension.
1425
1426         * ftl/FTLLowerDFGToB3.cpp:
1427         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
1428         * runtime/JSFixedArray.h:
1429
1430 2018-06-15  Saam Barati  <sbarati@apple.com>
1431
1432         Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
1433         https://bugs.webkit.org/show_bug.cgi?id=186687
1434         <rdar://problem/40071332>
1435
1436         Reviewed by Keith Miller.
1437
1438         * API/JSVirtualMachinePrivate.h:
1439
1440 2018-06-15  Saam Barati  <sbarati@apple.com>
1441
1442         Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
1443         https://bugs.webkit.org/show_bug.cgi?id=186648
1444
1445         Reviewed by Michael Saboff.
1446
1447         This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
1448         regressed with my first version of ForceOSRExit CFG pruning. This patch makes
1449         ForceOSRExit CFG pruning more aggressive by not ignoring everything that
1450         can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
1451         if it's the plan's osr entry bytecode target. The goal is to get a speedometer
1452         2 speedup with this change on iOS.
1453
1454         * dfg/DFGByteCodeParser.cpp:
1455         (JSC::DFG::ByteCodeParser::parse):
1456
1457 2018-06-15  Michael Catanzaro  <mcatanzaro@igalia.com>
1458
1459         Unreviewed, rolling out r232816.
1460
1461         Suggested by Caitlin:
1462         "this patch clearly does get some things wrong, and it's not
1463         easy to find what those things are"
1464
1465         Reverted changeset:
1466
1467         "[LLInt] use loadp consistently for
1468         get_from_scope/put_to_scope"
1469         https://bugs.webkit.org/show_bug.cgi?id=132333
1470         https://trac.webkit.org/changeset/232816
1471
1472 2018-06-14  Michael Saboff  <msaboff@apple.com>
1473
1474         REGRESSION(232741): Crash running ARES-6
1475         https://bugs.webkit.org/show_bug.cgi?id=186630
1476
1477         Reviewed by Saam Barati.
1478
1479         The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
1480         treated edges between identical predecessor->successor pairs independently.
1481         This fixes the issue by handling such edges once, using the added intermediate
1482         pad for all instances of the edges between the same pairs.
1483
1484         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
1485         (JSC::DFG::CriticalEdgeBreakingPhase::run):
1486         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
1487
1488 2018-06-14  Carlos Garcia Campos  <cgarcia@igalia.com>
1489
1490         [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
1491         https://bugs.webkit.org/show_bug.cgi?id=186560
1492
1493         Reviewed by Brian Burg.
1494
1495         Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
1496         that always receives the session capabilities.
1497
1498         * inspector/remote/RemoteInspector.h:
1499         * inspector/remote/RemoteInspectorConstants.h:
1500         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1501         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
1502         WebKit here and fill the SessionCapabilities instead.
1503         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1504         (Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
1505         * inspector/remote/glib/RemoteInspectorServer.cpp:
1506         (Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
1507         * inspector/remote/glib/RemoteInspectorServer.h:
1508
1509 2018-06-13  Adrian Perez de Castro  <aperez@igalia.com>
1510
1511         [WPE] Trying to access the remote inspector hits an assertion in the UIProcess
1512         https://bugs.webkit.org/show_bug.cgi?id=186588
1513
1514         Reviewed by Carlos Garcia Campos.
1515
1516         Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
1517         for resource paths, which avoids needing a switcheroo depending on the port.
1518
1519         * inspector/remote/glib/RemoteInspectorUtils.cpp:
1520
1521 2018-06-13  Caitlin Potter  <caitp@igalia.com>
1522
1523         [LLInt] use loadp consistently for get_from_scope/put_to_scope
1524         https://bugs.webkit.org/show_bug.cgi?id=132333
1525
1526         Reviewed by Mark Lam.
1527
1528         Using `loadis` for register indexes and `loadp` for constant scopes /
1529         symbol tables makes sense, but is problematic for big-endian
1530         architectures.
1531
1532         Consistently treating the operand as a pointer simplifies determining
1533         how to access the operand, and helps avoid bad accesses and crashes on
1534         big-endian ports.
1535
1536         * bytecode/CodeBlock.cpp:
1537         (JSC::CodeBlock::finishCreation):
1538         * bytecode/Instruction.h:
1539         * jit/JITOperations.cpp:
1540         * llint/LLIntSlowPaths.cpp:
1541         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1542         * llint/LowLevelInterpreter32_64.asm:
1543         * llint/LowLevelInterpreter64.asm:
1544         * runtime/CommonSlowPaths.h:
1545         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1546         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1547
1548 2018-06-13  Keith Miller  <keith_miller@apple.com>
1549
1550         AutomaticThread should have a way to provide a thread name
1551         https://bugs.webkit.org/show_bug.cgi?id=186604
1552
1553         Reviewed by Filip Pizlo.
1554
1555         Add names for JSC's automatic threads.
1556
1557         * dfg/DFGWorklist.cpp:
1558         * heap/Heap.cpp:
1559         * jit/JITWorklist.cpp:
1560         * runtime/VMTraps.cpp:
1561         * wasm/WasmWorklist.cpp:
1562
1563 2018-06-13  Saam Barati  <sbarati@apple.com>
1564
1565         CFGSimplificationPhase should de-dupe jettisonedBlocks
1566         https://bugs.webkit.org/show_bug.cgi?id=186583
1567
1568         Reviewed by Filip Pizlo.
1569
1570         When making the predecessors list unique in r232741, it revealed a bug inside
1571         of CFG simplification, where we try to remove the same predecessor more than
1572         once from a block's predecessors list. We built the list of blocks to remove
1573         from the list of successors, which is not unique, causing us to try to remove
1574         the same predecessor more than once. The solution here is to just add to this
1575         list of blocks to remove only if the block is not already in the list.
1576
1577         * dfg/DFGCFGSimplificationPhase.cpp:
1578         (JSC::DFG::CFGSimplificationPhase::run):
1579
1580 2018-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1581
1582         [JSC] Always use Nuke & Set procedure for x86
1583         https://bugs.webkit.org/show_bug.cgi?id=186592
1584
1585         Reviewed by Keith Miller.
1586
1587         We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
1588         By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
1589         threads.
1590
1591         * runtime/JSObject.cpp:
1592         (JSC::JSObject::convertContiguousToArrayStorage):
1593
1594 2018-06-12  Saam Barati  <sbarati@apple.com>
1595
1596         Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
1597         https://bugs.webkit.org/show_bug.cgi?id=186071
1598
1599         Reviewed by Mark Lam.
1600
1601         * API/JSVirtualMachine.mm:
1602         (-[JSVirtualMachine shrinkFootprint]): Deleted.
1603         * API/JSVirtualMachinePrivate.h:
1604
1605 2018-06-11  Saam Barati  <sbarati@apple.com>
1606
1607         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
1608         https://bugs.webkit.org/show_bug.cgi?id=181409
1609         <rdar://problem/36383749>
1610
1611         Reviewed by Keith Miller.
1612
1613         This patch is me redoing r226655. This is a patch I wrote when
1614         profiling Speedometer. Fil rolled this change out in r230928. He
1615         showed this slowed down a SunSpider test by ~2x. This SunSpider
1616         regression revealed a real performance bug in the original change:
1617         we would kill blocks that reached OSR entry targets, sometimes leading
1618         us to not do OSR entry into the DFG, since we could end up deleting
1619         entire loops from the CFG. The reason for this is that code that has run
1620         ~once and that reaches loops often has ForceOSRExits inside of it. The
1621         solution to this is to not perform this optimization on blocks that can
1622         reach OSR entry targets.
1623         
1624         The reason I'm redoing this patch is that it turns out Fil rolling
1625         out the change was a Speedometer 2 regression.
1626         
1627         This is a modified version of the original ChangeLog I wrote in r226655:
1628         
1629         When I was looking at profiler data for Speedometer, I noticed that one of
1630         the hottest functions in Speedometer is around 1100 bytecode operations long.
1631         Only about 100 of those bytecode ops ever execute. However, we ended up
1632         spending a lot of time compiling basic blocks that never executed. We often
1633         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
1634         This is the case when such a node never executes.
1635         
1636         This patch makes it so that anytime a block has a ForceOSRExit, and that block
1637         can not reach an OSR entry target, we replace its terminal node with an Unreachable
1638         node, and remove all nodes after the ForceOSRExit. This cuts down the graph
1639         size since it removes control flow edges from the CFG. This allows us to get
1640         rid of huge chunks of the CFG in certain programs. When doing this transformation,
1641         we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
1642         live-in to the ForceOSRExit.
1643         
1644         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
1645         does not get rid of all the CFG that it could. If we decide it's worth
1646         it, we could use additional inputs into this mechanism. For example, we could
1647         profile if a basic block ever executes inside the LLInt/Baseline, and
1648         remove parts of the CFG based on that.
1649         
1650         When running Speedometer with the concurrent JIT turned off, this patch
1651         improves DFG/FTL compile times by around 5%.
1652
1653         * dfg/DFGByteCodeParser.cpp:
1654         (JSC::DFG::ByteCodeParser::addToGraph):
1655         (JSC::DFG::ByteCodeParser::inlineCall):
1656         (JSC::DFG::ByteCodeParser::parse):
1657         * dfg/DFGGraph.cpp:
1658         (JSC::DFG::Graph::blocksInPostOrder):
1659
1660 2018-06-11  Saam Barati  <sbarati@apple.com>
1661
1662         The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
1663         https://bugs.webkit.org/show_bug.cgi?id=184829
1664
1665         Reviewed by Michael Saboff.
1666
1667         This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
1668         In B3/Air, this just meant writing a validation rule. In DFG, this meant
1669         ensuring this property when building up the predecessors list, and also adding
1670         a validation rule. The NaturalLoops algorithm relies on this property.
1671
1672         * b3/B3Validate.cpp:
1673         * b3/air/AirValidate.cpp:
1674         * b3/testb3.cpp:
1675         (JSC::B3::testLoopWithMultipleHeaderEdges):
1676         (JSC::B3::run):
1677         * dfg/DFGGraph.cpp:
1678         (JSC::DFG::Graph::handleSuccessor):
1679         * dfg/DFGValidate.cpp:
1680
1681 2018-06-11  Keith Miller  <keith_miller@apple.com>
1682
1683         Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire which churns 65KB of memory
1684         https://bugs.webkit.org/show_bug.cgi?id=186467
1685
1686         Reviewed by Simon Fraser.
1687
1688         This patch adds a LazyFireDetail that wraps ScopedLambda so that
1689         we don't actually malloc any strings for firing unless those
1690         Strings are actually going to be printed.
1691
1692         * bytecode/Watchpoint.h:
1693         (JSC::LazyFireDetail::LazyFireDetail):
1694         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
1695         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
1696         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
1697         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
1698         * runtime/ArrayPrototype.cpp:
1699         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1700
1701 2018-06-11  Mark Lam  <mark.lam@apple.com>
1702
1703         Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
1704         https://bugs.webkit.org/show_bug.cgi?id=186451
1705         <rdar://problem/40875792>
1706
1707         Reviewed by Tim Horton.
1708
1709         Enhance setOptions() to be able to take a comma separated options string in
1710         addition to white space separated options strings.
1711
1712         * runtime/Options.cpp:
1713         (JSC::isSeparator):
1714         (JSC::Options::setOptions):
1715
1716 2018-06-11  Michael Saboff  <msaboff@apple.com>
1717
1718         JavaScriptCore: Disable 32-bit JIT on Windows
1719         https://bugs.webkit.org/show_bug.cgi?id=185989
1720
1721         Reviewed by Mark Lam.
1722
1723         Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.
1724
1725         * llint/LLIntData.h:
1726         (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
1727         * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
1728         have a case label because these aren't opcodes.
1729         * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
1730         on the JIT being enabled.
1731         (JSC::recomputeDependentOptions):
1732
1733 2018-06-11  Michael Saboff  <msaboff@apple.com>
1734
1735         Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
1736         https://bugs.webkit.org/show_bug.cgi?id=186477
1737
1738         Reviewed by Filip Pizlo.
1739
1740         Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
1741         YARR interpreter nodes.  This caused us to overwrite other frame information.
1742
1743         Added frame offset debugging code to YARR interpreter.
1744
1745         * yarr/YarrInterpreter.cpp:
1746         (JSC::Yarr::ByteCompiler::emitDisjunction):
1747         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1748
1749 2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1750
1751         [JSC] Array.prototype.sort should reject null comparator
1752         https://bugs.webkit.org/show_bug.cgi?id=186458
1753
1754         Reviewed by Keith Miller.
1755
1756         This relaxed behavior was once introduced in r216169 to fix some pages by aligning
1757         the behavior to Chrome and Firefox.
1758
1759         However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
1760         accepts it. This patch reverts r216169 to align JSC to the other engines and fix
1761         the spec issue.
1762
1763         * builtins/ArrayPrototype.js:
1764         (sort):
1765
1766 2018-06-09  Dan Bernstein  <mitz@apple.com>
1767
1768         [Xcode] Clean up and modernize some build setting definitions
1769         https://bugs.webkit.org/show_bug.cgi?id=186463
1770
1771         Reviewed by Sam Weinig.
1772
1773         * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
1774           definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
1775           is true for all supported Xcode versions.
1776         * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
1777         * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
1778           ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
1779         * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
1780         * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.
1781
1782 2018-06-09  Dan Bernstein  <mitz@apple.com>
1783
1784         Added missing file references to the Configuration group.
1785
1786         * JavaScriptCore.xcodeproj/project.pbxproj:
1787
1788 2018-06-08  Darin Adler  <darin@apple.com>
1789
1790         [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
1791         https://bugs.webkit.org/show_bug.cgi?id=186436
1792
1793         Reviewed by Anders Carlsson.
1794
1795         * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
1796         objc-internal.h and explicitly declaring the alternative.
1797
1798 2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>
1799
1800         [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
1801         https://bugs.webkit.org/show_bug.cgi?id=186442
1802         <rdar://problem/40879364>
1803
1804         Reviewed by Tim Horton.
1805
1806         * Configurations/FeatureDefines.xcconfig:
1807
1808 2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>
1809
1810         jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt 
1811         https://bugs.webkit.org/show_bug.cgi?id=186446
1812         <rdar://problem/40949995>
1813
1814         Reviewed by Mark Lam.
1815
1816         On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
1817         boolean literals, but it would only work for false. Change it so that it
1818         takes the fast path for true, false, null and undefined.
1819
1820         * llint/LowLevelInterpreter.asm:
1821         * llint/LowLevelInterpreter64.asm:
1822
1823 2018-06-08  Brian Burg  <bburg@apple.com>
1824
1825         [Cocoa] Web Automation: include browser name and version in listing for automation targets
1826         https://bugs.webkit.org/show_bug.cgi?id=186204
1827         <rdar://problem/36950423>
1828
1829         Reviewed by Darin Adler.
1830
1831         Ask the client what the reported browser name and version should be, then
1832         send this as part of the listing for an automation target.
1833
1834         * inspector/remote/RemoteInspectorConstants.h:
1835         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1836         (Inspector::RemoteInspector::listingForAutomationTarget const):
1837
1838 2018-06-07  Chris Dumez  <cdumez@apple.com>
1839
1840         Add base class to get WeakPtrFactory member and avoid some boilerplate code
1841         https://bugs.webkit.org/show_bug.cgi?id=186407
1842
1843         Reviewed by Brent Fulgham.
1844
1845         Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
1846         order to avoid some boilerplate code in every class needing a WeakPtrFactory.
1847         This also gets rid of old-style createWeakPtr() methods in favor of the newer
1848         makeWeakPtr().
1849
1850         * wasm/WasmInstance.h:
1851         * wasm/WasmMemory.cpp:
1852         (JSC::Wasm::Memory::registerInstance):
1853
1854 2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>
1855
1856         Don't try to allocate JIT memory if we don't have the JIT entitlement
1857         https://bugs.webkit.org/show_bug.cgi?id=182605
1858         <rdar://problem/38271229>
1859
1860         Reviewed by Mark Lam.
1861
1862         Check that the current process has the correct entitlements before
1863         trying to allocate JIT memory to silence warnings.
1864
1865         * jit/ExecutableAllocator.cpp:
1866         (JSC::allowJIT): Helper that checks entitlements on iOS and returns true on other platforms.
1867         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Check allowJIT before trying to allocate.
1868
1869 2018-06-07  Saam Barati  <sbarati@apple.com>
1870
1871         TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
1872         https://bugs.webkit.org/show_bug.cgi?id=186386
1873
1874         Reviewed by Filip Pizlo.
1875
1876         This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.
1877
1878         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1879         (JSC::DFG::TierUpCheckInjectionPhase::run):
1880
1881 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
1882
1883         FunctionRareData::m_objectAllocationProfileWatchpoint is racy
1884         https://bugs.webkit.org/show_bug.cgi?id=186237
1885
1886         Reviewed by Saam Barati.
1887
1888         We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
1889         that means that we never notice that it fired if it fires between when the DFG decides to
1890         watch it and when it actually adds the watchpoint.
1891         
1892         Most watchpoints are initialized watched for this purpose. This one had a somewhat good
1893         reason for being initialized blind: that's how we knew to ignore changes to the prototype
1894         before the first allocation. However, that functionality also arose out of the fact that the
1895         rare data is created lazily and usually won't exist until the first allocation.
1896         
1897         The fix here is to make the watchpoint go into watched mode as soon as we initialize the
1898         object allocation profile.
1899         
1900         It's hard to repro this race; however, it started causing spurious test failures for me after
1901         bug 164904.
1902
1903         * runtime/FunctionRareData.cpp:
1904         (JSC::FunctionRareData::FunctionRareData):
1905         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1906
1907 2018-06-07  Saam Barati  <sbarati@apple.com>
1908
1909         Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
1910         https://bugs.webkit.org/show_bug.cgi?id=186218
1911         <rdar://problem/38449540>
1912
1913         Reviewed by Filip Pizlo.
1914
1915         This patch makes tierUpCommon a tad bit more sane. There are a few things
1916         that I did:
1917         - There were a few release asserts that were crashing. Those release asserts
1918         were incorrect. They were making assumptions about how the code and data
1919         structures were ordered that were wrong. This patch removes them. The code
1920         was using the loop hierarchy vector to make assumptions about which loop we
1921         were currently executing in, which is incorrect. The only information that
1922         can be used about where we're currently executing is the bytecode index we're
1923         at.
1924         - This makes it so that we go back to trying to compile outer loops before
1925         inner loops. JF accidentally reverted this behavior that Ben implemented.
1926         JF made it so that we just compiled the innermost loop. I make this
1927         functionality work by first triggering a compile for the outermost loop
1928         that the code is currently executing in and that can perform OSR entry.
1929         However, some programs can get stuck in inner loops. The code works by
1930         progressively asking inner loops to compile if program execution has not
1931         yet reached an outer loop.
1932
1933         * dfg/DFGOperations.cpp:
1934
1935 2018-06-06  Guillaume Emont  <guijemont@igalia.com>
1936
1937         ArityFixup should adjust SP first on 32-bit platforms too
1938         https://bugs.webkit.org/show_bug.cgi?id=186351
1939
1940         Reviewed by Yusuke Suzuki.
1941
1942         * jit/ThunkGenerators.cpp:
1943         (JSC::arityFixupGenerator):
1944
1945 2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1946
1947         [DFG] Compare operations do not respect negative zeros
1948         https://bugs.webkit.org/show_bug.cgi?id=183729
1949
1950         Reviewed by Saam Barati.
1951
1952         Compare operations do not respect negative zeros. So propagating this can
1953         reduce the size of the produced code for the negative zero case. This pattern
1954         can be seen in Kraken stanford-crypto-aes.
1955
1956         This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsDouble) to false.
1957         However, NonIntAsDouble includes negative zero, which can be equal to Int32 positive zero.
1958         This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.
1959
1960         * bytecode/SpeculatedType.cpp:
1961         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
1962         SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
1963         To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
1964         SpecDoubleReal.
1965
1966         * dfg/DFGBackwardsPropagationPhase.cpp:
1967         (JSC::DFG::BackwardsPropagationPhase::propagate):
1968
1969 2018-06-06  Saam Barati  <sbarati@apple.com>
1970
1971         generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
1972         https://bugs.webkit.org/show_bug.cgi?id=186363
1973
1974         Rubber-stamped by Filip Pizlo.
1975
1976         The code was assuming that the object it was creating an OPC for always
1977         had a non-poly-proto structure. However, this assumption was wrong. For
1978         example, an object in the prototype chain could be poly proto. That type 
1979         of object graph would cause a crash in this code. This patch makes it so
1980         that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
1981         object as we traverse the prototype chain.
1982
1983         * bytecode/ObjectPropertyConditionSet.cpp:
1984         (JSC::generateConditionsForInstanceOf):
1985
1986 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
1987
1988         Adjust compile and runtime flags to match shippable state of features
1989         https://bugs.webkit.org/show_bug.cgi?id=186319
1990         <rdar://problem/40352045>
1991
1992         Reviewed by Maciej Stachowiak, Jon Lee, and others.
1993
1994         This patch revises the compile time and runtime state for various features to match their
1995         suitability for end-user releases.
1996
1997         * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
1998         WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
1999         Cocoa builds.
2000         * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
2001         or ENABLE_INPUT_TYPE_COLOR_POPOVER.
2002         * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
2003         at runtime for non-production builds.
2004
2005 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
2006
2007         Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
2008         https://bugs.webkit.org/show_bug.cgi?id=186286
2009         <rdar://problem/40782992>
2010
2011         Reviewed by Dan Bernstein.
2012
2013         Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
2014         to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
2015         change this flag when preparing for a production release.
2016
2017         * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
2018         whether experimental features should be enabled, and use it to properly define the
2019         feature flag.
2020
2021 2018-06-05  Darin Adler  <darin@apple.com>
2022
2023         [Cocoa] Update some JavaScriptCore code to be more ready for ARC
2024         https://bugs.webkit.org/show_bug.cgi?id=186301
2025
2026         Reviewed by Anders Carlsson.
2027
2028         * API/JSContext.mm:
2029         (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
2030         (-[JSContext setName:]): Removed unnecessary call to copy, since the
2031         JSStringCreateWithCFString function already reads the characters out
2032         of the string and does not retain the string, so there is no need to
2033         make an immutable copy. And used __bridge for typecast.
2034         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2035         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2036         Ditto.
2037
2038         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
2039         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
2040         Use CFBridgingRelease instead of autorelease for a CF dictionary that
2041         we return as an NSDictionary.
2042
2043 2018-06-04  Keith Miller  <keith_miller@apple.com>
2044
2045         Remove missing files from JavaScriptCore Xcode project
2046         https://bugs.webkit.org/show_bug.cgi?id=186297
2047
2048         Reviewed by Saam Barati.
2049
2050         * JavaScriptCore.xcodeproj/project.pbxproj:
2051
2052 2018-06-04  Keith Miller  <keith_miller@apple.com>
2053
2054         Add test for CoW conversions in the DFG/FTL
2055         https://bugs.webkit.org/show_bug.cgi?id=186295
2056
2057         Reviewed by Saam Barati.
2058
2059         Add a function to $vm that returns a JSString containing the
2060         dataLog dump of the indexingMode of an Object.
2061
2062         * tools/JSDollarVM.cpp:
2063         (JSC::functionIndexingMode):
2064         (JSC::JSDollarVM::finishCreation):
2065
2066 2018-06-04  Saam Barati  <sbarati@apple.com>
2067
2068         Set the activeLength of all ScratchBuffers to zero when exiting the VM
2069         https://bugs.webkit.org/show_bug.cgi?id=186284
2070         <rdar://problem/40780738>
2071
2072         Reviewed by Keith Miller.
2073
2074         Simon recently found instances where we leak global objects from the
2075         ScratchBuffer. Yusuke found that we forgot to set the active length
2076         back to zero when doing catch OSR entry in the DFG/FTL. His solution
2077         to this was adding a node that cleared the active length. This is
2078         a good node to have, but it's not a complete solution: the DFG/FTL
2079         could OSR exit before that node executes, which would cause us to leak
2080         the data in it.
2081         
2082         This patch makes it so that we set each scratch buffer's active length
2083         to zero on VM exit. This helps prevent leaks for JS code that eventually
2084         exits the VM (which is essentially all code on the web and all API users).
2085
2086         * runtime/VM.cpp:
2087         (JSC::VM::clearScratchBuffers):
2088         * runtime/VM.h:
2089         * runtime/VMEntryScope.cpp:
2090         (JSC::VMEntryScope::~VMEntryScope):
2091
2092 2018-06-04  Keith Miller  <keith_miller@apple.com>
2093
2094         JSLock should clear last exception when releasing the lock
2095         https://bugs.webkit.org/show_bug.cgi?id=186277
2096
2097         Reviewed by Mark Lam.
2098
2099         If we don't clear the last exception we essentially leak the
2100         object and everything referenced by it until another exception is
2101         thrown.
2102
2103         * runtime/JSLock.cpp:
2104         (JSC::JSLock::willReleaseLock):
2105
2106 2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2107
2108         Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
2109         https://bugs.webkit.org/show_bug.cgi?id=180248
2110
2111         Reviewed by Sam Weinig.
2112
2113         As a final step, this patch removes ListableHandler from JSC.
2114         Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.
2115
2116         * CMakeLists.txt:
2117         * JavaScriptCore.xcodeproj/project.pbxproj:
2118         * heap/Heap.h:
2119         * heap/ListableHandler.h: Removed.
2120
2121 2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2122
2123         LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
2124         https://bugs.webkit.org/show_bug.cgi?id=186223
2125
2126         Reviewed by Keith Miller.
2127
2128         After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
2129         It makes this buffer a conservative GC root, and allows it to hold GC objects unnecessarily long.
2130
2131         This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
2132         We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
2133         this ClearCatchLocals valid.
2134
2135         The existing tests for ExtractCatchLocal just pass.
2136
2137         * dfg/DFGAbstractHeap.h:
2138         * dfg/DFGAbstractInterpreterInlines.h:
2139         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2140         * dfg/DFGByteCodeParser.cpp:
2141         (JSC::DFG::ByteCodeParser::parseBlock):
2142         * dfg/DFGClobberize.h:
2143         (JSC::DFG::clobberize):
2144         * dfg/DFGDoesGC.cpp:
2145         (JSC::DFG::doesGC):
2146         * dfg/DFGFixupPhase.cpp:
2147         (JSC::DFG::FixupPhase::fixupNode):
2148         * dfg/DFGMayExit.cpp:
2149         * dfg/DFGNodeType.h:
2150         * dfg/DFGOSREntry.cpp:
2151         (JSC::DFG::prepareCatchOSREntry):
2152         * dfg/DFGPredictionPropagationPhase.cpp:
2153         * dfg/DFGSafeToExecute.h:
2154         (JSC::DFG::safeToExecute):
2155         * dfg/DFGSpeculativeJIT.cpp:
2156         (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
2157         * dfg/DFGSpeculativeJIT.h:
2158         * dfg/DFGSpeculativeJIT32_64.cpp:
2159         (JSC::DFG::SpeculativeJIT::compile):
2160         * dfg/DFGSpeculativeJIT64.cpp:
2161         (JSC::DFG::SpeculativeJIT::compile):
2162         * ftl/FTLCapabilities.cpp:
2163         (JSC::FTL::canCompile):
2164         * ftl/FTLLowerDFGToB3.cpp:
2165         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2166         (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):
2167
2168 2018-06-02  Darin Adler  <darin@apple.com>
2169
2170         [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
2171         https://bugs.webkit.org/show_bug.cgi?id=186227
2172
2173         Reviewed by Dan Bernstein.
2174
2175         * API/JSContext.mm:
2176         (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
2177         * API/JSValue.mm:
2178         (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
2179         (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
2180         ARC-compatible, but more efficient.
2181         (valueToString): Use CFBridgingRelease instead of autorelease.
2182
2183 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
2184
2185         [ESNext][BigInt] Implement support for addition operations
2186         https://bugs.webkit.org/show_bug.cgi?id=179002
2187
2188         Reviewed by Yusuke Suzuki.
2189
2190         This patch implements support for BigInt operands in the binary "+"
2191         and binary "-" operators. Right now, we have limited support in the DFG
2192         and FTL JIT layers, but we plan to fix this support in future
2193         patches.
2194
2195         * jit/JITOperations.cpp:
2196         * runtime/CommonSlowPaths.cpp:
2197         (JSC::SLOW_PATH_DECL):
2198         * runtime/JSBigInt.cpp:
2199         (JSC::JSBigInt::parseInt):
2200         (JSC::JSBigInt::stringToBigInt):
2201         (JSC::JSBigInt::toString):
2202         (JSC::JSBigInt::multiply):
2203         (JSC::JSBigInt::divide):
2204         (JSC::JSBigInt::remainder):
2205         (JSC::JSBigInt::add):
2206         (JSC::JSBigInt::sub):
2207         (JSC::JSBigInt::absoluteAdd):
2208         (JSC::JSBigInt::absoluteSub):
2209         (JSC::JSBigInt::toStringGeneric):
2210         (JSC::JSBigInt::allocateFor):
2211         (JSC::JSBigInt::toNumber const):
2212         (JSC::JSBigInt::getPrimitiveNumber const):
2213         * runtime/JSBigInt.h:
2214         * runtime/JSCJSValueInlines.h:
2215         * runtime/Operations.cpp:
2216         (JSC::jsAddSlowCase):
2217         * runtime/Operations.h:
2218         (JSC::jsSub):
2219
2220 2018-06-02  Commit Queue  <commit-queue@webkit.org>
2221
2222         Unreviewed, rolling out r232439.
2223         https://bugs.webkit.org/show_bug.cgi?id=186238
2224
2225         It breaks gtk-linux-32-release (Requested by caiolima on
2226         #webkit).
2227
2228         Reverted changeset:
2229
2230         "[ESNext][BigInt] Implement support for addition operations"
2231         https://bugs.webkit.org/show_bug.cgi?id=179002
2232         https://trac.webkit.org/changeset/232439
2233
2234 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2235
2236         Baseline op_jtrue emits an insane amount of code
2237         https://bugs.webkit.org/show_bug.cgi?id=185708
2238
2239         Reviewed by Filip Pizlo.
2240
2241         op_jtrue / op_jfalse bloat a massive amount of code. This patch attempts to reduce the size of this code by:
2242
2243         1. op_jtrue / op_jfalse immediately jump if the condition is met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
2244            to jump directly. This tightens the code.
2245
2246         2. Align our emitConvertValueToBoolean implementation to FTL's boolify function. It emits less code.
2247
2248         This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.
2249
2250         [  12] jtrue             arg1, 6(->18)
2251               0x7f233170162c: mov 0x30(%rbp), %rax
2252               0x7f2331701630: mov %rax, %rsi
2253               0x7f2331701633: xor $0x6, %rsi
2254               0x7f2331701637: test $0xfffffffffffffffe, %rsi
2255               0x7f233170163e: jnz 0x7f2331701654
2256               0x7f2331701644: cmp $0x7, %eax
2257               0x7f2331701647: setz %sil
2258               0x7f233170164b: movzx %sil, %esi
2259               0x7f233170164f: jmp 0x7f2331701705
2260               0x7f2331701654: test %rax, %r14
2261               0x7f2331701657: jz 0x7f233170169c
2262               0x7f233170165d: cmp %r14, %rax
2263               0x7f2331701660: jb 0x7f2331701675
2264               0x7f2331701666: test %eax, %eax
2265               0x7f2331701668: setnz %sil
2266               0x7f233170166c: movzx %sil, %esi
2267               0x7f2331701670: jmp 0x7f2331701705
2268               0x7f2331701675: lea (%r14,%rax), %rsi
2269               0x7f2331701679: movq %rsi, %xmm0
2270               0x7f233170167e: xorps %xmm1, %xmm1
2271               0x7f2331701681: ucomisd %xmm1, %xmm0
2272               0x7f2331701685: jz 0x7f2331701695
2273               0x7f233170168b: mov $0x1, %esi
2274               0x7f2331701690: jmp 0x7f2331701705
2275               0x7f2331701695: xor %esi, %esi
2276               0x7f2331701697: jmp 0x7f2331701705
2277               0x7f233170169c: test %rax, %r15
2278               0x7f233170169f: jnz 0x7f2331701703
2279               0x7f23317016a5: cmp $0x1, 0x5(%rax)
2280               0x7f23317016a9: jnz 0x7f23317016c1
2281               0x7f23317016af: mov 0x8(%rax), %esi
2282               0x7f23317016b2: test %esi, %esi
2283               0x7f23317016b4: setnz %sil
2284               0x7f23317016b8: movzx %sil, %esi
2285               0x7f23317016bc: jmp 0x7f2331701705
2286               0x7f23317016c1: test $0x1, 0x6(%rax)
2287               0x7f23317016c5: jz 0x7f23317016f9
2288               0x7f23317016cb: mov (%rax), %esi
2289               0x7f23317016cd: mov $0x7f23315000c8, %rdx
2290               0x7f23317016d7: mov (%rdx), %rdx
2291               0x7f23317016da: mov (%rdx,%rsi,8), %rsi
2292               0x7f23317016de: mov $0x7f2330de0000, %rdx
2293               0x7f23317016e8: cmp %rdx, 0x18(%rsi)
2294               0x7f23317016ec: jnz 0x7f23317016f9
2295               0x7f23317016f2: xor %esi, %esi
2296               0x7f23317016f4: jmp 0x7f2331701705
2297               0x7f23317016f9: mov $0x1, %esi
2298               0x7f23317016fe: jmp 0x7f2331701705
2299               0x7f2331701703: xor %esi, %esi
2300               0x7f2331701705: test %esi, %esi
2301               0x7f2331701707: jnz 0x7f233170171b
2302
2303         [  12] jtrue             arg1, 6(->18)
2304               0x7f6c8710156c: mov 0x30(%rbp), %rax
2305               0x7f6c87101570: test %rax, %r15
2306               0x7f6c87101573: jnz 0x7f6c871015c8
2307               0x7f6c87101579: cmp $0x1, 0x5(%rax)
2308               0x7f6c8710157d: jnz 0x7f6c87101592
2309               0x7f6c87101583: cmp $0x0, 0x8(%rax)
2310               0x7f6c87101587: jnz 0x7f6c87101623
2311               0x7f6c8710158d: jmp 0x7f6c87101615
2312               0x7f6c87101592: test $0x1, 0x6(%rax)
2313               0x7f6c87101596: jz 0x7f6c87101623
2314               0x7f6c8710159c: mov (%rax), %esi
2315               0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
2316               0x7f6c871015a8: mov (%rdx), %rdx
2317               0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
2318               0x7f6c871015af: mov $0x7f6c867e0000, %rdx
2319               0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
2320               0x7f6c871015bd: jnz 0x7f6c87101623
2321               0x7f6c871015c3: jmp 0x7f6c87101615
2322               0x7f6c871015c8: cmp %r14, %rax
2323               0x7f6c871015cb: jb 0x7f6c871015de
2324               0x7f6c871015d1: test %eax, %eax
2325               0x7f6c871015d3: jnz 0x7f6c87101623
2326               0x7f6c871015d9: jmp 0x7f6c87101615
2327               0x7f6c871015de: test %rax, %r14
2328               0x7f6c871015e1: jz 0x7f6c87101602
2329               0x7f6c871015e7: lea (%r14,%rax), %rsi
2330               0x7f6c871015eb: movq %rsi, %xmm0
2331               0x7f6c871015f0: xorps %xmm1, %xmm1
2332               0x7f6c871015f3: ucomisd %xmm1, %xmm0
2333               0x7f6c871015f7: jz 0x7f6c87101615
2334               0x7f6c871015fd: jmp 0x7f6c87101623
2335               0x7f6c87101602: mov $0x7, %r11
2336               0x7f6c8710160c: cmp %r11, %rax
2337               0x7f6c8710160f: jz 0x7f6c87101623
2338
2339         * dfg/DFGSpeculativeJIT32_64.cpp:
2340         (JSC::DFG::SpeculativeJIT::emitBranch):
2341         * dfg/DFGSpeculativeJIT64.cpp:
2342         (JSC::DFG::SpeculativeJIT::emitBranch):
2343         * jit/AssemblyHelpers.cpp:
2344         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
2345         (JSC::AssemblyHelpers::branchIfValue):
2346         * jit/AssemblyHelpers.h:
2347         (JSC::AssemblyHelpers::branchIfTruthy):
2348         (JSC::AssemblyHelpers::branchIfFalsey):
2349         * jit/JIT.h:
2350         * jit/JITInlines.h:
2351         (JSC::JIT::addJump):
2352         * jit/JITOpcodes.cpp:
2353         (JSC::JIT::emit_op_jfalse):
2354         (JSC::JIT::emit_op_jtrue):
2355         * jit/JITOpcodes32_64.cpp:
2356         (JSC::JIT::emit_op_jfalse):
2357         (JSC::JIT::emit_op_jtrue):
2358
2359 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2360
2361         [JSC] Remove WeakReferenceHarvester
2362         https://bugs.webkit.org/show_bug.cgi?id=186102
2363
2364         Reviewed by Filip Pizlo.
2365
2366         After several cleanups, JSWeakMap is now the last user of WeakReferenceHarvester.
2367         Since JSWeakMap is already managed in IsoSubspace, we can iterate marked JSWeakMap
2368         by using output constraints & Subspace iteration.
2369
2370         This patch removes WeakReferenceHarvester. Instead of managing this linked-list, our
2371         output constraint set iterates marked JSWeakMap by using Subspace.
2372
2373         And we also add locking for JSWeakMap's rehash and output constraint visiting.
2374
2375         The attached microbenchmark does not show any regression.
2376
2377         * API/JSAPIWrapperObject.h:
2378         * CMakeLists.txt:
2379         * JavaScriptCore.xcodeproj/project.pbxproj:
2380         * heap/Heap.cpp:
2381         (JSC::Heap::endMarking):
2382         (JSC::Heap::addCoreConstraints):
2383         * heap/Heap.h:
2384         * heap/SlotVisitor.cpp:
2385         (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
2386         * heap/SlotVisitor.h:
2387         * heap/WeakReferenceHarvester.h: Removed.
2388         * runtime/WeakMapImpl.cpp:
2389         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
2390         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitOutputConstraints):
2391         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
2392         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences): Deleted.
2393         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences): Deleted.
2394         * runtime/WeakMapImpl.h:
2395         (JSC::WeakMapImpl::WeakMapImpl):
2396         (JSC::WeakMapImpl::finishCreation):
2397         (JSC::WeakMapImpl::rehash):
2398         (JSC::WeakMapImpl::makeAndSetNewBuffer):
2399         (JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.
2400
2401 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2402
2403         [JSC] Object.create should have intrinsic
2404         https://bugs.webkit.org/show_bug.cgi?id=186200
2405
2406         Reviewed by Filip Pizlo.
2407
2408         Object.create is used in various JS code. `Object.create(null)` is particularly used
2409         to create an empty plain object with a null [[Prototype]]. We can find `Object.create(null)`
2410         calls in ARES-6/Babylon code.
2411
2412         This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces an ObjectCreate
2413         DFG node. DFG AI and constant folding attempt to convert it to NewObject when the prototype
2414         object is null. It offers a significant performance boost for `Object.create(null)`.
2415
2416                                                          baseline                  patched
2417
2418         object-create-null                           53.7940+-1.5297     ^     19.8846+-0.6584        ^ definitely 2.7053x faster
2419         object-create-unknown-object-prototype       38.9977+-1.1364     ^     37.2207+-0.6143        ^ definitely 1.0477x faster
2420         object-create-untyped-prototype              22.5632+-0.6917           22.2539+-0.6876          might be 1.0139x faster
2421
2422         * dfg/DFGAbstractInterpreterInlines.h:
2423         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2424         * dfg/DFGByteCodeParser.cpp:
2425         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2426         * dfg/DFGClobberize.h:
2427         (JSC::DFG::clobberize):
2428         * dfg/DFGConstantFoldingPhase.cpp:
2429         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2430         * dfg/DFGDoesGC.cpp:
2431         (JSC::DFG::doesGC):
2432         * dfg/DFGFixupPhase.cpp:
2433         (JSC::DFG::FixupPhase::fixupNode):
2434         * dfg/DFGNode.h:
2435         (JSC::DFG::Node::convertToNewObject):
2436         * dfg/DFGNodeType.h:
2437         * dfg/DFGOperations.cpp:
2438         * dfg/DFGOperations.h:
2439         * dfg/DFGPredictionPropagationPhase.cpp:
2440         * dfg/DFGSafeToExecute.h:
2441         (JSC::DFG::safeToExecute):
2442         * dfg/DFGSpeculativeJIT.cpp:
2443         (JSC::DFG::SpeculativeJIT::compileObjectCreate):
2444         * dfg/DFGSpeculativeJIT.h:
2445         * dfg/DFGSpeculativeJIT32_64.cpp:
2446         (JSC::DFG::SpeculativeJIT::compile):
2447         * dfg/DFGSpeculativeJIT64.cpp:
2448         (JSC::DFG::SpeculativeJIT::compile):
2449         * ftl/FTLCapabilities.cpp:
2450         (JSC::FTL::canCompile):
2451         * ftl/FTLLowerDFGToB3.cpp:
2452         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2453         (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
2454         * runtime/Intrinsic.cpp:
2455         (JSC::intrinsicName):
2456         * runtime/Intrinsic.h:
2457         * runtime/JSGlobalObject.cpp:
2458         (JSC::JSGlobalObject::init):
2459         (JSC::JSGlobalObject::visitChildren):
2460         * runtime/JSGlobalObject.h:
2461         (JSC::JSGlobalObject::nullPrototypeObjectStructure const):
2462         * runtime/ObjectConstructor.cpp:
2463
2464 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
2465
2466         [ESNext][BigInt] Implement support for addition operations
2467         https://bugs.webkit.org/show_bug.cgi?id=179002
2468
2469         Reviewed by Yusuke Suzuki.
2470
2471         This patch implements support for BigInt operands in the binary "+"
2472         and binary "-" operators. Right now, we have limited support in the DFG
2473         and FTL JIT layers, but we plan to fix this support in future
2474         patches.
2475
2476         * jit/JITOperations.cpp:
2477         * runtime/CommonSlowPaths.cpp:
2478         (JSC::SLOW_PATH_DECL):
2479         * runtime/JSBigInt.cpp:
2480         (JSC::JSBigInt::parseInt):
2481         (JSC::JSBigInt::stringToBigInt):
2482         (JSC::JSBigInt::toString):
2483         (JSC::JSBigInt::multiply):
2484         (JSC::JSBigInt::divide):
2485         (JSC::JSBigInt::remainder):
2486         (JSC::JSBigInt::add):
2487         (JSC::JSBigInt::sub):
2488         (JSC::JSBigInt::absoluteAdd):
2489         (JSC::JSBigInt::absoluteSub):
2490         (JSC::JSBigInt::toStringGeneric):
2491         (JSC::JSBigInt::allocateFor):
2492         (JSC::JSBigInt::toNumber const):
2493         (JSC::JSBigInt::getPrimitiveNumber const):
2494         * runtime/JSBigInt.h:
2495         * runtime/JSCJSValueInlines.h:
2496         * runtime/Operations.cpp:
2497         (JSC::jsAddSlowCase):
2498         * runtime/Operations.h:
2499         (JSC::jsSub):
2500
2501 2018-06-01  Wenson Hsieh  <wenson_hsieh@apple.com>
2502
2503         Fix the watchOS build after r232385
2504         https://bugs.webkit.org/show_bug.cgi?id=186203
2505
2506         Reviewed by Keith Miller.
2507
2508         Add a missing header include for JSImmutableButterfly.
2509
2510         * runtime/ArrayPrototype.cpp:
2511
2512 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2513
2514         [JSC] Add Symbol.prototype.description getter
2515         https://bugs.webkit.org/show_bug.cgi?id=186053
2516
2517         Reviewed by Keith Miller.
2518
2519         The Symbol.prototype.description accessor is now stage 3[1].
2520         This adds a getter to retrieve the [[Description]] value from a Symbol.
2521         Previously, Symbol#toString() returned the `Symbol(${description})` value,
2522         so users needed to extract the `description` part if they wanted it.
2523
2524         [1]: https://tc39.github.io/proposal-Symbol-description/
2525
2526         * runtime/Symbol.cpp:
2527         (JSC::Symbol::description const):
2528         * runtime/Symbol.h:
2529         * runtime/SymbolPrototype.cpp:
2530         (JSC::tryExtractSymbol):
2531         (JSC::symbolProtoGetterDescription):
2532         (JSC::symbolProtoFuncToString):
2533         (JSC::symbolProtoFuncValueOf):
2534
2535 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2536
2537         [JSC] Correct values and members of JSBigInt appropriately
2538         https://bugs.webkit.org/show_bug.cgi?id=186196
2539
2540         Reviewed by Darin Adler.
2541
2542         This patch cleans up a bit to select more appropriate values and members of JSBigInt.
2543
2544         1. JSBigInt's structure should be StructureIsImmortal.
2545         2. JSBigInt::allocationSize should be annotated with `inline`.
2546         3. Remove JSBigInt::visitChildren since it is completely the same as JSCell::visitChildren.
2547         4. Remove JSBigInt::finishCreation since it is completely the same as JSCell::finishCreation.
2548
2549         * runtime/JSBigInt.cpp:
2550         (JSC::JSBigInt::allocationSize):
2551         (JSC::JSBigInt::allocateFor):
2552         (JSC::JSBigInt::compareToDouble):
2553         (JSC::JSBigInt::visitChildren): Deleted.
2554         (JSC::JSBigInt::finishCreation): Deleted.
2555         * runtime/JSBigInt.h:
2556
2557 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2558
2559         [DFG] InById should be converted to MatchStructure
2560         https://bugs.webkit.org/show_bug.cgi?id=185803
2561
2562         Reviewed by Keith Miller.
2563
2564         MatchStructure was introduced for instanceof optimization. But this node
2565         is also useful for the InById node. This patch converts InById to a MatchStructure
2566         node with CheckStructures if possible by using InByIdStatus.
2567
2568         Added microbenchmarks show improvements.
2569
2570                                    baseline                  patched
2571
2572         in-by-id-removed       18.1196+-0.8108     ^     16.1702+-0.9773        ^ definitely 1.1206x faster
2573         in-by-id-match         16.3912+-0.2608     ^     15.2736+-0.8173        ^ definitely 1.0732x faster
2574
2575         * JavaScriptCore.xcodeproj/project.pbxproj:
2576         * Sources.txt:
2577         * bytecode/InByIdStatus.cpp: Added.
2578         (JSC::InByIdStatus::appendVariant):
2579         (JSC::InByIdStatus::computeFor):
2580         (JSC::InByIdStatus::hasExitSite):
2581         (JSC::InByIdStatus::computeForStubInfo):
2582         (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2583         (JSC::InByIdStatus::filter):
2584         (JSC::InByIdStatus::dump const):
2585         * bytecode/InByIdStatus.h: Added.
2586         (JSC::InByIdStatus::InByIdStatus):
2587         (JSC::InByIdStatus::state const):
2588         (JSC::InByIdStatus::isSet const):
2589         (JSC::InByIdStatus::operator bool const):
2590         (JSC::InByIdStatus::isSimple const):
2591         (JSC::InByIdStatus::numVariants const):
2592         (JSC::InByIdStatus::variants const):
2593         (JSC::InByIdStatus::at const):
2594         (JSC::InByIdStatus::operator[] const):
2595         (JSC::InByIdStatus::takesSlowPath const):
2596         * bytecode/InByIdVariant.cpp: Added.
2597         (JSC::InByIdVariant::InByIdVariant):
2598         (JSC::InByIdVariant::attemptToMerge):
2599         (JSC::InByIdVariant::dump const):
2600         (JSC::InByIdVariant::dumpInContext const):
2601         * bytecode/InByIdVariant.h: Added.
2602         (JSC::InByIdVariant::isSet const):
2603         (JSC::InByIdVariant::operator bool const):
2604         (JSC::InByIdVariant::structureSet const):
2605         (JSC::InByIdVariant::structureSet):
2606         (JSC::InByIdVariant::conditionSet const):
2607         (JSC::InByIdVariant::offset const):
2608         (JSC::InByIdVariant::isHit const):
2609         * bytecode/PolyProtoAccessChain.h:
2610         * dfg/DFGByteCodeParser.cpp:
2611         (JSC::DFG::ByteCodeParser::parseBlock):
2612
2613 2018-06-01  Keith Miller  <keith_miller@apple.com>
2614
2615         move should only emit the move if it's actually needed
2616         https://bugs.webkit.org/show_bug.cgi?id=186123
2617
2618         Reviewed by Saam Barati.
2619
2620         This patch replaces move with moveToDestinationIfNeeded. This
2621         will prevent us from emitting moves to the same location. The old
2622         move has been renamed to emitMove and made private.
2623
2624         * bytecompiler/BytecodeGenerator.cpp:
2625         (JSC::BytecodeGenerator::BytecodeGenerator):
2626         (JSC::BytecodeGenerator::emitMove):
2627         (JSC::BytecodeGenerator::emitGetGlobalPrivate):
2628         (JSC::BytecodeGenerator::emitGetAsyncIterator):
2629         (JSC::BytecodeGenerator::move): Deleted.
2630         * bytecompiler/BytecodeGenerator.h:
2631         (JSC::BytecodeGenerator::move):
2632         (JSC::BytecodeGenerator::moveToDestinationIfNeeded): Deleted.
2633         * bytecompiler/NodesCodegen.cpp:
2634         (JSC::ThisNode::emitBytecode):
2635         (JSC::SuperNode::emitBytecode):
2636         (JSC::NewTargetNode::emitBytecode):
2637         (JSC::ResolveNode::emitBytecode):
2638         (JSC::TaggedTemplateNode::emitBytecode):
2639         (JSC::ArrayNode::emitBytecode):
2640         (JSC::ObjectLiteralNode::emitBytecode):
2641         (JSC::EvalFunctionCallNode::emitBytecode):
2642         (JSC::FunctionCallResolveNode::emitBytecode):
2643         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
2644         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
2645         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
2646         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
2647         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
2648         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
2649         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
2650         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
2651         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
2652         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
2653         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
2654         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
2655         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
2656         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
2657         (JSC::CallFunctionCallDotNode::emitBytecode):
2658         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2659         (JSC::emitPostIncOrDec):
2660         (JSC::PostfixNode::emitBracket):
2661         (JSC::PostfixNode::emitDot):
2662         (JSC::PrefixNode::emitResolve):
2663         (JSC::PrefixNode::emitBracket):
2664         (JSC::PrefixNode::emitDot):
2665         (JSC::LogicalOpNode::emitBytecode):
2666         (JSC::ReadModifyResolveNode::emitBytecode):
2667         (JSC::AssignResolveNode::emitBytecode):
2668         (JSC::AssignDotNode::emitBytecode):
2669         (JSC::AssignBracketNode::emitBytecode):
2670         (JSC::FunctionNode::emitBytecode):
2671         (JSC::ClassExprNode::emitBytecode):
2672         (JSC::DestructuringAssignmentNode::emitBytecode):
2673         (JSC::ArrayPatternNode::emitDirectBinding):
2674         (JSC::ObjectPatternNode::bindValue const):
2675         (JSC::AssignmentElementNode::bindValue const):
2676         (JSC::ObjectSpreadExpressionNode::emitBytecode):
2677
2678 2018-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2679
2680         [Baseline] Store constant directly in emit_op_mov
2681         https://bugs.webkit.org/show_bug.cgi?id=186182
2682
2683         Reviewed by Saam Barati.
2684
2685         In the old code, we first move a constant to a register and store it to the specified address.
2686         But in 64-bit JSC, we can directly store a constant to the specified address. This reduces the
2687         generated code size. Since the old code was emitting a constant in a code anyway, this change
2688         never increases the size of the generated code.
2689
2690         * jit/JITInlines.h:
2691         (JSC::JIT::emitGetVirtualRegister):
2692         We remove this obsolete comment. Our OSR relies on the fact that values are stored and loaded
2693         from the stack. If we transfer values in registers without loading values from the stack, it
2694         breaks this assumption.
2695
2696         * jit/JITOpcodes.cpp:
2697         (JSC::JIT::emit_op_mov):
2698
2699 2018-05-31  Caio Lima  <ticaiolima@gmail.com>
2700
2701         [ESNext][BigInt] Implement support for "=<" and ">=" relational operation
2702         https://bugs.webkit.org/show_bug.cgi?id=185929
2703
2704         Reviewed by Yusuke Suzuki.
2705
2706         This patch introduces support for BigInt operands in the ">=" and
2707         "<=" operators.
2708         Here we introduce bigIntCompareResult, a helper function used
2709         to reuse code between the "less than" and "less than or equal" operators.
2710
2711         * runtime/JSBigInt.h:
2712         * runtime/Operations.h:
2713         (JSC::bigIntCompareResult):
2714         (JSC::bigIntCompare):
2715         (JSC::jsLess):
2716         (JSC::jsLessEq):
2717         (JSC::bigIntCompareLess): Deleted.
2718
2719 2018-05-31  Saam Barati  <sbarati@apple.com>
2720
2721         Cache toString results for CoW arrays
2722         https://bugs.webkit.org/show_bug.cgi?id=186160
2723
2724         Reviewed by Keith Miller.
2725
2726         This patch makes it so that we cache the result of toString on
2727         arrays with a CoW butterfly. This cache lives on Heap and is
2728         cleared after every GC. We only cache the toString result when
2729         the CoW butterfly doesn't have a hole (currently, all CoW arrays
2730         have a hole, but this isn't an invariant we want to rely on). The
2731         reason for this is that if there is a hole, the value may be loaded
2732         from the prototype, and the cache may produce a stale result.
2733         
2734         This is a ~4% speedup on the ML subtest in ARES, and a ~1% overall
2735         progression on ARES.
2736
2737         * heap/Heap.cpp:
2738         (JSC::Heap::finalize):
2739         (JSC::Heap::addCoreConstraints):
2740         * heap/Heap.h:
2741         * runtime/ArrayPrototype.cpp:
2742         (JSC::canUseFastJoin):
2743         (JSC::holesMustForwardToPrototype):
2744         (JSC::isHole):
2745         (JSC::containsHole):
2746         (JSC::fastJoin):
2747         (JSC::arrayProtoFuncToString):
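        The hole caveat from this entry, as an added illustration in plain JavaScript (not code from the
        WebKit ChangeLog or from JavaScriptCore): a hole is resolved through the prototype chain, so a holey
        array's toString result can change without the array being written to, which is why only hole-free
        arrays are safe to cache. The helper names and sample arrays below are constructed for this example.

```javascript
// Added example; not code from the WebKit ChangeLog or from JavaScriptCore.
// Demonstrates why a cached toString result is only safe for hole-free arrays.

// True if any index below length is missing from the array itself.
function hasHole(arr) {
  for (let i = 0; i < arr.length; i++) {
    if (!(i in arr)) return true;
  }
  return false;
}

// Policy mirrored from the ChangeLog text: cache only when there is no hole.
function isSafeToCacheToString(arr) {
  return !hasHole(arr);
}

// Stringify `arr`, temporarily install `protoValue` at `index` on
// Array.prototype, stringify again, then restore Array.prototype exactly
// (including its length, which `delete` alone would not shrink).
function toStringBeforeAndAfterProtoWrite(arr, index, protoValue) {
  const before = arr.toString();
  const hadOwn = Object.prototype.hasOwnProperty.call(Array.prototype, index);
  const saved = Array.prototype[index];
  const savedLength = Array.prototype.length;
  Array.prototype[index] = protoValue;
  try {
    const after = arr.toString();
    return { before, after, stable: before === after };
  } finally {
    if (hadOwn) Array.prototype[index] = saved;
    else delete Array.prototype[index];
    Array.prototype.length = savedLength;
  }
}

// Constructed sample inputs: a dense array and one with a hole at index 1.
const dense = [1, 2, 3];
const holey = [1, , 3];

// Runs both arrays through the prototype-write experiment and reports
// which of them the hole rule would allow to be cached.
function demo() {
  return {
    dense: toStringBeforeAndAfterProtoWrite(dense, 1, "fromProto"),
    holey: toStringBeforeAndAfterProtoWrite(holey, 1, "fromProto"),
    denseCacheable: isSafeToCacheToString(dense),
    holeyCacheable: isSafeToCacheToString(holey),
  };
}
```

        The dense array stringifies identically before and after the prototype write; the holey array
        changes from "1,,3" to "1,fromProto,3", so a cached value for it would be stale.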
2748
2749 2018-05-31  Saam Barati  <sbarati@apple.com>
2750
2751         PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
2752         https://bugs.webkit.org/show_bug.cgi?id=186169
2753
2754         Reviewed by Mark Lam.
2755
2756         If we don't do this, the CFA validation rule about StructureID being
2757         clobbered but AI not clobbering or folding a clobber will cause us
2758         to crash. Simon was running into this yesterday on arstechnica.com.
2759         I couldn't come up with a test case for this, but it's obvious
2760         what the issue is by looking at the IR dump at the time of the crash.
2761
2762         * dfg/DFGAbstractInterpreterInlines.h:
2763         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2764
2765 2018-05-31  Saam Barati  <sbarati@apple.com>
2766
2767         JSImmutableButterfly should align its variable storage
2768         https://bugs.webkit.org/show_bug.cgi?id=186159
2769
2770         Reviewed by Mark Lam.
2771
2772         I'm also making the use of reinterpret_cast and bitwise_cast consistent
2773         inside of JSImmutableButterfly. I switched everything to use bitwise_cast.
2774
2775         * runtime/JSImmutableButterfly.h:
2776         (JSC::JSImmutableButterfly::toButterfly const):
2777         (JSC::JSImmutableButterfly::fromButterfly):
2778         (JSC::JSImmutableButterfly::offsetOfData):
2779         (JSC::JSImmutableButterfly::allocationSize):
2780
2781 2018-05-31  Keith Miller  <keith_miller@apple.com>
2782
2783         DFGArrayModes needs to know more about CoW arrays
2784         https://bugs.webkit.org/show_bug.cgi?id=186162
2785
2786         Reviewed by Filip Pizlo.
2787
2788         This patch fixes two issues in DFGArrayMode.
2789
2790         1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
2791         2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
2792         to vend an accurate original structure.
2793
2794         Additionally, this patch fixes some places in Bytecode parsing where we told the array mode
2795         we were doing a read but were actually doing a write. Also, DFGArrayMode will now print the
2796         action it is expecting when being dumped.
2797
2798         * bytecode/ArrayProfile.h:
2799         (JSC::hasSeenWritableArray):
2800         * dfg/DFGArrayMode.cpp:
2801         (JSC::DFG::ArrayMode::fromObserved):
2802         (JSC::DFG::ArrayMode::refine const):
2803         (JSC::DFG::ArrayMode::originalArrayStructure const):
2804         (JSC::DFG::arrayActionToString):
2805         (JSC::DFG::arrayClassToString):
2806         (JSC::DFG::ArrayMode::dump const):
2807         (WTF::printInternal):
2808         * dfg/DFGArrayMode.h:
2809         (JSC::DFG::ArrayMode::withProfile const):
2810         (JSC::DFG::ArrayMode::isJSArray const):
2811         (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
2812         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
2813         * dfg/DFGByteCodeParser.cpp:
2814         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2815         (JSC::DFG::ByteCodeParser::parseBlock):
2816         * dfg/DFGFixupPhase.cpp:
2817         (JSC::DFG::FixupPhase::fixupNode):
2818         * dfg/DFGSpeculativeJIT.cpp:
2819         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2820         * ftl/FTLLowerDFGToB3.cpp:
2821         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
2822
2823 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2824
2825         [JSC] Pass VM& parameter as much as possible
2826         https://bugs.webkit.org/show_bug.cgi?id=186085
2827
2828         Reviewed by Saam Barati.
2829
2830         JSCell::vm() is slow compared to ExecState::vm(). That's why we have a bunch of functions in JSCell/JSObject that take VM& as a parameter.
2831         For example, we have JSCell::structure() and JSCell::structure(VM&), the former retrieves VM& from the cell and invokes structure(VM&).
2832         If we can get VM& from ExecState* or the other place, it reduces the inlined code size.
2833         This patch attempts to pass VM& parameter to such functions as much as possible.
2834
2835         * API/APICast.h:
2836         (toJS):
2837         (toJSForGC):
2838         * API/JSCallbackObjectFunctions.h:
2839         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
2840         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
2841         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2842         * API/JSObjectRef.cpp:
2843         (JSObjectIsConstructor):
2844         * API/JSTypedArray.cpp:
2845         (JSObjectGetTypedArrayBuffer):
2846         * API/JSValueRef.cpp:
2847         (JSValueIsInstanceOfConstructor):
2848         * bindings/ScriptFunctionCall.cpp:
2849         (Deprecated::ScriptFunctionCall::call):
2850         * bindings/ScriptValue.cpp:
2851         (Inspector::jsToInspectorValue):
2852         * bytecode/AccessCase.cpp:
2853         (JSC::AccessCase::generateImpl):
2854         * bytecode/CodeBlock.cpp:
2855         (JSC::CodeBlock::CodeBlock):
2856         * bytecode/ObjectAllocationProfileInlines.h:
2857         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2858         * bytecode/ObjectPropertyConditionSet.cpp:
2859         (JSC::generateConditionsForInstanceOf):
2860         * bytecode/PropertyCondition.cpp:
2861         (JSC::PropertyCondition::isWatchableWhenValid const):
2862         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
2863         * bytecode/StructureStubClearingWatchpoint.cpp:
2864         (JSC::StructureStubClearingWatchpoint::fireInternal):
2865         * debugger/Debugger.cpp:
2866         (JSC::Debugger::detach):
2867         * debugger/DebuggerScope.cpp:
2868         (JSC::DebuggerScope::create):
2869         (JSC::DebuggerScope::put):
2870         (JSC::DebuggerScope::deleteProperty):
2871         (JSC::DebuggerScope::getOwnPropertyNames):
2872         (JSC::DebuggerScope::defineOwnProperty):
2873         * dfg/DFGAbstractInterpreterInlines.h:
2874         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2875         * dfg/DFGAbstractValue.cpp:
2876         (JSC::DFG::AbstractValue::mergeOSREntryValue):
2877         * dfg/DFGArgumentsEliminationPhase.cpp:
2878         * dfg/DFGArrayMode.cpp:
2879         (JSC::DFG::ArrayMode::refine const):
2880         * dfg/DFGByteCodeParser.cpp:
2881         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2882         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
2883         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2884         (JSC::DFG::ByteCodeParser::check):
2885         * dfg/DFGConstantFoldingPhase.cpp:
2886         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2887         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2888         * dfg/DFGFixupPhase.cpp:
2889         (JSC::DFG::FixupPhase::fixupNode):
2890         * dfg/DFGGraph.cpp:
2891         (JSC::DFG::Graph::tryGetConstantProperty):
2892         * dfg/DFGOperations.cpp:
2893         * dfg/DFGSpeculativeJIT.cpp:
2894         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2895         * dfg/DFGStrengthReductionPhase.cpp:
2896         (JSC::DFG::StrengthReductionPhase::handleNode):
2897         * ftl/FTLLowerDFGToB3.cpp:
2898         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2899         * ftl/FTLOperations.cpp:
2900         (JSC::FTL::operationPopulateObjectInOSR):
2901         * inspector/InjectedScriptManager.cpp:
2902         (Inspector::InjectedScriptManager::createInjectedScript):
2903         * inspector/JSJavaScriptCallFrame.cpp:
2904         (Inspector::JSJavaScriptCallFrame::caller const):
2905         (Inspector::JSJavaScriptCallFrame::scopeChain const):
2906         * interpreter/CallFrame.cpp:
2907         (JSC::CallFrame::wasmAwareLexicalGlobalObject):
2908         * interpreter/Interpreter.cpp:
2909         (JSC::Interpreter::executeProgram):
2910         (JSC::Interpreter::executeCall):
2911         (JSC::Interpreter::executeConstruct):
2912         (JSC::Interpreter::execute):
2913         (JSC::Interpreter::executeModuleProgram):
2914         * jit/JITOperations.cpp:
2915         (JSC::getByVal):
2916         * jit/Repatch.cpp:
2917         (JSC::tryCacheInByID):
2918         * jsc.cpp:
2919         (functionDollarAgentReceiveBroadcast):
2920         (functionHasCustomProperties):
2921         * llint/LLIntSlowPaths.cpp:
2922         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2923         (JSC::LLInt::setupGetByIdPrototypeCache):
2924         (JSC::LLInt::getByVal):
2925         (JSC::LLInt::handleHostCall):
2926         (JSC::LLInt::llint_throw_stack_overflow_error):
2927         * runtime/AbstractModuleRecord.cpp:
2928         (JSC::AbstractModuleRecord::finishCreation):
2929         * runtime/ArrayConstructor.cpp:
2930         (JSC::constructArrayWithSizeQuirk):
2931         * runtime/ArrayPrototype.cpp:
2932         (JSC::speciesWatchpointIsValid):
2933         (JSC::arrayProtoFuncToString):
2934         (JSC::arrayProtoFuncToLocaleString):
2935         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
2936         * runtime/AsyncFunctionConstructor.cpp:
2937         (JSC::callAsyncFunctionConstructor):
2938         (JSC::constructAsyncFunctionConstructor):
2939         * runtime/AsyncGeneratorFunctionConstructor.cpp:
2940         (JSC::callAsyncGeneratorFunctionConstructor):
2941         (JSC::constructAsyncGeneratorFunctionConstructor):
2942         * runtime/BooleanConstructor.cpp:
2943         (JSC::constructWithBooleanConstructor):
2944         * runtime/ClonedArguments.cpp:
2945         (JSC::ClonedArguments::createEmpty):
2946         (JSC::ClonedArguments::createWithInlineFrame):
2947         (JSC::ClonedArguments::createWithMachineFrame):
2948         (JSC::ClonedArguments::createByCopyingFrom):
2949         (JSC::ClonedArguments::getOwnPropertySlot):
2950         (JSC::ClonedArguments::materializeSpecials):
2951         * runtime/CommonSlowPaths.cpp:
2952         (JSC::SLOW_PATH_DECL):
2953         * runtime/CommonSlowPaths.h:
2954         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2955         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2956         (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
2957         * runtime/ConstructData.cpp:
2958         (JSC::construct):
2959         * runtime/DateConstructor.cpp:
2960         (JSC::constructWithDateConstructor):
2961         * runtime/DatePrototype.cpp:
2962         (JSC::dateProtoFuncToJSON):
2963         * runtime/DirectArguments.cpp:
2964         (JSC::DirectArguments::overrideThings):
2965         * runtime/Error.cpp:
2966         (JSC::getStackTrace):
2967         * runtime/ErrorConstructor.cpp:
2968         (JSC::Interpreter::constructWithErrorConstructor):
2969         (JSC::Interpreter::callErrorConstructor):
2970         * runtime/FunctionConstructor.cpp:
2971         (JSC::constructWithFunctionConstructor):
2972         (JSC::callFunctionConstructor):
2973         * runtime/GeneratorFunctionConstructor.cpp:
2974         (JSC::callGeneratorFunctionConstructor):
2975         (JSC::constructGeneratorFunctionConstructor):
2976         * runtime/GenericArgumentsInlines.h:
2977         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2978         * runtime/InferredStructureWatchpoint.cpp:
2979         (JSC::InferredStructureWatchpoint::fireInternal):
2980         * runtime/InferredType.cpp:
2981         (JSC::InferredType::removeStructure):
2982         * runtime/InferredType.h:
2983         * runtime/InferredTypeInlines.h:
2984         (JSC::InferredType::finalizeUnconditionally):
2985         * runtime/IntlCollator.cpp:
2986         (JSC::IntlCollator::initializeCollator):
2987         * runtime/IntlCollatorConstructor.cpp:
2988         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
2989         * runtime/IntlCollatorPrototype.cpp:
2990         (JSC::IntlCollatorPrototypeGetterCompare):
2991         * runtime/IntlDateTimeFormat.cpp:
2992         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2993         (JSC::IntlDateTimeFormat::formatToParts):
2994         * runtime/IntlDateTimeFormatConstructor.cpp:
2995         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
2996         * runtime/IntlDateTimeFormatPrototype.cpp:
2997         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2998         * runtime/IntlNumberFormat.cpp:
2999         (JSC::IntlNumberFormat::initializeNumberFormat):
3000         (JSC::IntlNumberFormat::formatToParts):
3001         * runtime/IntlNumberFormatConstructor.cpp:
3002         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
3003         * runtime/IntlNumberFormatPrototype.cpp:
3004         (JSC::IntlNumberFormatPrototypeGetterFormat):
3005         * runtime/IntlObject.cpp:
3006         (JSC::canonicalizeLocaleList):
3007         (JSC::defaultLocale):
3008         (JSC::lookupSupportedLocales):
3009         (JSC::intlObjectFuncGetCanonicalLocales):
3010         * runtime/IntlPluralRules.cpp:
3011         (JSC::IntlPluralRules::initializePluralRules):
3012         (JSC::IntlPluralRules::resolvedOptions):
3013         * runtime/IntlPluralRulesConstructor.cpp:
3014         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
3015         * runtime/IteratorOperations.cpp:
3016         (JSC::iteratorNext):
3017         (JSC::iteratorClose):
3018         (JSC::iteratorForIterable):
3019         * runtime/JSArray.cpp:
3020         (JSC::JSArray::shiftCountWithArrayStorage):
3021         (JSC::JSArray::unshiftCountWithArrayStorage):
3022         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
3023         * runtime/JSArrayBufferConstructor.cpp:
3024         (JSC::JSArrayBufferConstructor::finishCreation):
3025         (JSC::constructArrayBuffer):
3026         * runtime/JSArrayBufferPrototype.cpp:
3027         (JSC::arrayBufferProtoFuncSlice):
3028         * runtime/JSArrayBufferView.cpp:
3029         (JSC::JSArrayBufferView::unsharedJSBuffer):
3030         (JSC::JSArrayBufferView::possiblySharedJSBuffer):
3031         * runtime/JSAsyncFunction.cpp:
3032         (JSC::JSAsyncFunction::createImpl):
3033         (JSC::JSAsyncFunction::create):
3034         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
3035         * runtime/JSAsyncGeneratorFunction.cpp:
3036         (JSC::JSAsyncGeneratorFunction::createImpl):
3037         (JSC::JSAsyncGeneratorFunction::create):
3038         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
3039         * runtime/JSBoundFunction.cpp:
3040         (JSC::boundThisNoArgsFunctionCall):
3041         (JSC::boundFunctionCall):
3042         (JSC::boundThisNoArgsFunctionConstruct):
3043         (JSC::boundFunctionConstruct):
3044         (JSC::getBoundFunctionStructure):
3045         (JSC::JSBoundFunction::create):
3046         (JSC::JSBoundFunction::boundArgsCopy):
3047         * runtime/JSCJSValue.cpp:
3048         (JSC::JSValue::putToPrimitive):
3049         * runtime/JSCellInlines.h:
3050         (JSC::JSCell::setStructure):
3051         (JSC::JSCell::methodTable const):
3052         (JSC::JSCell::toBoolean const):
3053         * runtime/JSFunction.h:
3054         (JSC::JSFunction::createImpl):
3055         * runtime/JSGeneratorFunction.cpp:
3056         (JSC::JSGeneratorFunction::createImpl):
3057         (JSC::JSGeneratorFunction::create):
3058         (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
3059         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3060         (JSC::constructGenericTypedArrayViewWithArguments):
3061         (JSC::constructGenericTypedArrayView):
3062         * runtime/JSGenericTypedArrayViewInlines.h:
3063         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
3064         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
3065         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
3066         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3067         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3068         (JSC::genericTypedArrayViewProtoFuncSlice):
3069         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
3070         * runtime/JSGlobalObject.cpp:
3071         (JSC::JSGlobalObject::init):
3072         (JSC::JSGlobalObject::exposeDollarVM):
3073         (JSC::JSGlobalObject::finishCreation):
3074         * runtime/JSGlobalObject.h:
3075         * runtime/JSGlobalObjectFunctions.cpp:
3076         (JSC::globalFuncEval):
3077         * runtime/JSInternalPromise.cpp:
3078         (JSC::JSInternalPromise::then):
3079         * runtime/JSInternalPromiseConstructor.cpp:
3080         (JSC::constructPromise):
3081         * runtime/JSJob.cpp:
3082         (JSC::JSJobMicrotask::run):
3083         * runtime/JSLexicalEnvironment.cpp:
3084         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
3085         (JSC::JSLexicalEnvironment::put):
3086         * runtime/JSMap.cpp:
3087         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
3088         * runtime/JSMapIterator.cpp:
3089         (JSC::JSMapIterator::createPair):
3090         * runtime/JSModuleLoader.cpp:
3091         (JSC::JSModuleLoader::provideFetch):
3092         (JSC::JSModuleLoader::loadAndEvaluateModule):
3093         (JSC::JSModuleLoader::loadModule):
3094         (JSC::JSModuleLoader::linkAndEvaluateModule):
3095         (JSC::JSModuleLoader::requestImportModule):
3096         * runtime/JSONObject.cpp:
3097         (JSC::JSONProtoFuncParse):
3098         * runtime/JSObject.cpp:
3099         (JSC::JSObject::putInlineSlow):
3100         (JSC::JSObject::putByIndex):
3101         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3102         (JSC::JSObject::createInitialIndexedStorage):
3103         (JSC::JSObject::createArrayStorage):
3104         (JSC::JSObject::convertUndecidedToArrayStorage):
3105         (JSC::JSObject::convertInt32ToArrayStorage):
3106         (JSC::JSObject::convertDoubleToArrayStorage):
3107         (JSC::JSObject::convertContiguousToArrayStorage):
3108         (JSC::JSObject::convertFromCopyOnWrite):
3109         (JSC::JSObject::ensureWritableInt32Slow):
3110         (JSC::JSObject::ensureWritableDoubleSlow):
3111         (JSC::JSObject::ensureWritableContiguousSlow):
3112         (JSC::JSObject::ensureArrayStorageSlow):
3113         (JSC::JSObject::setPrototypeDirect):
3114         (JSC::JSObject::deleteProperty):
3115         (JSC::callToPrimitiveFunction):
3116         (JSC::JSObject::hasInstance):
3117         (JSC::JSObject::getOwnNonIndexPropertyNames):
3118         (JSC::JSObject::preventExtensions):
3119         (JSC::JSObject::isExtensible):
3120         (JSC::JSObject::reifyAllStaticProperties):
3121         (JSC::JSObject::fillGetterPropertySlot):
3122         (JSC::JSObject::defineOwnIndexedProperty):
3123         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3124         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3125         (JSC::JSObject::putByIndexBeyondVectorLength):
3126         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3127         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3128         (JSC::JSObject::getNewVectorLength):
3129         (JSC::JSObject::increaseVectorLength):
3130         (JSC::JSObject::reallocateAndShrinkButterfly):
3131         (JSC::JSObject::shiftButterflyAfterFlattening):
3132         (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
3133         (JSC::JSObject::prototypeChainMayInterceptStoreTo):
3134         (JSC::JSObject::needsSlowPutIndexing const):
3135         (JSC::JSObject::suggestedArrayStorageTransition const):
3136         * runtime/JSObject.h:
3137         (JSC::JSObject::mayInterceptIndexedAccesses):
3138         (JSC::JSObject::hasIndexingHeader const):
3139         (JSC::JSObject::hasCustomProperties):
3140         (JSC::JSObject::hasGetterSetterProperties):
3141         (JSC::JSObject::hasCustomGetterSetterProperties):
3142         (JSC::JSObject::isExtensibleImpl):
3143         (JSC::JSObject::isStructureExtensible):
3144         (JSC::JSObject::indexingShouldBeSparse):
3145         (JSC::JSObject::staticPropertiesReified):
3146         (JSC::JSObject::globalObject const):
3147         (JSC::JSObject::finishCreation):
3148         (JSC::JSNonFinalObject::finishCreation):
3149         (JSC::getCallData):
3150         (JSC::getConstructData):
3151         (JSC::JSObject::getOwnNonIndexPropertySlot):
3152         (JSC::JSObject::putOwnDataProperty):
3153         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
3154         (JSC::JSObject::butterflyPreCapacity):
3155         (JSC::JSObject::butterflyTotalSize):
3156         * runtime/JSObjectInlines.h:
3157         (JSC::JSObject::putDirectInternal):
3158         * runtime/JSPromise.cpp:
3159         (JSC::JSPromise::initialize):
3160         (JSC::JSPromise::resolve):
3161         * runtime/JSPromiseConstructor.cpp:
3162         (JSC::constructPromise):
3163         * runtime/JSPromiseDeferred.cpp:
3164         (JSC::newPromiseCapability):
3165         (JSC::callFunction):
3166         * runtime/JSScope.cpp:
3167         (JSC::abstractAccess):
3168         * runtime/JSScope.h:
3169         (JSC::JSScope::globalObject): Deleted.
3170         Remove this JSScope::globalObject function since it is completely the same as JSObject::globalObject().
3171
3172         * runtime/JSSet.cpp:
3173         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
3174         * runtime/JSSetIterator.cpp:
3175         (JSC::JSSetIterator::createPair):
3176         * runtime/JSStringIterator.cpp:
3177         (JSC::JSStringIterator::clone):
3178         * runtime/Lookup.cpp:
3179         (JSC::reifyStaticAccessor):
3180         (JSC::setUpStaticFunctionSlot):
3181         * runtime/Lookup.h:
3182         (JSC::getStaticPropertySlotFromTable):
3183         (JSC::replaceStaticPropertySlot):
3184         (JSC::reifyStaticProperty):
3185         * runtime/MapConstructor.cpp:
3186         (JSC::constructMap):
3187         * runtime/NumberConstructor.cpp:
3188         (JSC::NumberConstructor::finishCreation):
3189         * runtime/ObjectConstructor.cpp:
3190         (JSC::constructObject):
3191         (JSC::objectConstructorAssign):
3192         (JSC::toPropertyDescriptor):
3193         * runtime/ObjectPrototype.cpp:
3194         (JSC::objectProtoFuncDefineGetter):
3195         (JSC::objectProtoFuncDefineSetter):
3196         (JSC::objectProtoFuncToLocaleString):
3197         * runtime/Operations.cpp:
3198         (JSC::jsIsFunctionType): Deleted.
3199         Replace it with JSValue::isFunction(VM&).
3200
3201         * runtime/Operations.h:
3202         * runtime/ProgramExecutable.cpp:
3203         (JSC::ProgramExecutable::initializeGlobalProperties):
3204         * runtime/RegExpConstructor.cpp:
3205         (JSC::constructWithRegExpConstructor):
3206         (JSC::callRegExpConstructor):
3207         * runtime/SamplingProfiler.cpp:
3208         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3209         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
3210         * runtime/ScopedArguments.cpp:
3211         (JSC::ScopedArguments::overrideThings):
3212         * runtime/ScriptExecutable.cpp:
3213         (JSC::ScriptExecutable::newCodeBlockFor):
3214         (JSC::ScriptExecutable::prepareForExecutionImpl):
3215         * runtime/SetConstructor.cpp:
3216         (JSC::constructSet):
3217         * runtime/SparseArrayValueMap.cpp:
3218         (JSC::SparseArrayValueMap::putEntry):
3219         (JSC::SparseArrayValueMap::putDirect):
3220         * runtime/StringConstructor.cpp:
3221         (JSC::constructWithStringConstructor):
3222         * runtime/StringPrototype.cpp:
3223         (JSC::replaceUsingRegExpSearch):
3224         (JSC::replaceUsingStringSearch):
3225         (JSC::stringProtoFuncIterator):
3226         * runtime/Structure.cpp:
3227         (JSC::Structure::materializePropertyTable):
3228         (JSC::Structure::willStoreValueSlow):
3229         * runtime/StructureCache.cpp:
3230         (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
3231         * runtime/StructureInlines.h:
3232         (JSC::Structure::get):
3233         * runtime/WeakMapConstructor.cpp:
3234         (JSC::constructWeakMap):
3235         * runtime/WeakSetConstructor.cpp:
3236         (JSC::constructWeakSet):
3237         * tools/HeapVerifier.cpp:
3238         (JSC::HeapVerifier::reportCell):
3239         * tools/JSDollarVM.cpp:
3240         (JSC::functionGlobalObjectForObject):
3241         (JSC::JSDollarVM::finishCreation):
3242         * wasm/js/JSWebAssemblyInstance.cpp:
3243         (JSC::JSWebAssemblyInstance::finalizeCreation):
3244         * wasm/js/WasmToJS.cpp:
3245         (JSC::Wasm::handleBadI64Use):
3246         (JSC::Wasm::wasmToJSException):
3247         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3248         (JSC::constructJSWebAssemblyCompileError):
3249         (JSC::callJSWebAssemblyCompileError):
3250         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3251         (JSC::constructJSWebAssemblyLinkError):
3252         (JSC::callJSWebAssemblyLinkError):
3253         * wasm/js/WebAssemblyModuleRecord.cpp:
3254         (JSC::WebAssemblyModuleRecord::evaluate):
3255         * wasm/js/WebAssemblyPrototype.cpp:
3256         (JSC::instantiate):
3257         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3258         (JSC::constructJSWebAssemblyRuntimeError):
3259         (JSC::callJSWebAssemblyRuntimeError):
3260         * wasm/js/WebAssemblyToJSCallee.cpp:
3261         (JSC::WebAssemblyToJSCallee::create):
3262
3263 2018-05-30  Saam Barati  <sbarati@apple.com>
3264
3265         DFG combined liveness needs to say that the machine CodeBlock's arguments are live
3266         https://bugs.webkit.org/show_bug.cgi?id=186121
3267         <rdar://problem/39377796>
3268
3269         Reviewed by Keith Miller.
3270
3271         DFG's combined liveness was reporting that the machine CodeBlock's |this|
3272         argument was dead at certain points in the program. However, a CodeBlock's
3273         arguments are considered live for the entire function. This fixes a bug
3274         where object allocation sinking phase skipped materializing an allocation
3275         because it thought that the argument it was associated with, |this|, was dead.
3276
3277         * dfg/DFGCombinedLiveness.cpp:
3278         (JSC::DFG::liveNodesAtHead):
3279
3280 2018-05-30  Daniel Bates  <dabates@apple.com>
3281
3282         Web Inspector: Annotate Same-Site cookies
3283         https://bugs.webkit.org/show_bug.cgi?id=184897
3284         <rdar://problem/35178209>
3285
3286         Reviewed by Brian Burg.
3287
3288         Update protocol to include cookie Same-Site policy.
3289
3290         * inspector/protocol/Page.json:
3291
3292 2018-05-29  Keith Miller  <keith_miller@apple.com>
3293
3294         Error instances should not strongly hold onto StackFrames
3295         https://bugs.webkit.org/show_bug.cgi?id=185996
3296
3297         Reviewed by Mark Lam.
3298
3299         Previously, we would hold onto all the StackFrames until the user
3300         looked at one of the properties on the Error object. This patch makes us
3301         only weakly retain the StackFrames and collect all the information
3302         if we are about to collect any frame.
3303
3304         This patch also adds a method to $vm that returns the heap's count
3305         of live global objects.
3306
3307         * heap/Heap.cpp:
3308         (JSC::Heap::finalizeUnconditionalFinalizers):
3309         * interpreter/Interpreter.cpp:
3310         (JSC::Interpreter::stackTraceAsString):
3311         * interpreter/Interpreter.h:
3312         * runtime/Error.cpp:
3313         (JSC::addErrorInfo):
3314         * runtime/ErrorInstance.cpp:
3315         (JSC::ErrorInstance::finalizeUnconditionally):
3316         (JSC::ErrorInstance::computeErrorInfo):
3317         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
3318         (JSC::ErrorInstance::visitChildren): Deleted.
3319         * runtime/ErrorInstance.h:
3320         (JSC::ErrorInstance::subspaceFor):
3321         * runtime/JSFunction.cpp:
3322         (JSC::getCalculatedDisplayName):
3323         * runtime/StackFrame.h:
3324         (JSC::StackFrame::isMarked const):
3325         * runtime/VM.cpp:
3326         (JSC::VM::VM):
3327         * runtime/VM.h:
3328         * tools/JSDollarVM.cpp:
3329         (JSC::functionGlobalObjectCount):
3330         (JSC::JSDollarVM::finishCreation):
3331
3332 2018-05-30  Keith Miller  <keith_miller@apple.com>
3333
3334         LLInt get_by_id prototype caching doesn't properly handle changes
3335         https://bugs.webkit.org/show_bug.cgi?id=186112
3336
3337         Reviewed by Filip Pizlo.
3338
3339         The caching would sometimes fail to track that a prototype had changed
3340         and wouldn't update its set of watchpoints.
3341
3342         * bytecode/CodeBlock.cpp:
3343         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3344         * bytecode/CodeBlock.h:
3345         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3346         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const):
3347         * bytecode/ObjectPropertyConditionSet.h:
3348         (JSC::ObjectPropertyConditionSet::size const):
3349         * bytecode/Watchpoint.h:
3350         (JSC::Watchpoint::Watchpoint): Deleted.
3351         * llint/LLIntSlowPaths.cpp:
3352         (JSC::LLInt::setupGetByIdPrototypeCache):
3353
3354 2018-05-30  Caio Lima  <ticaiolima@gmail.com>
3355
3356         [ESNext][BigInt] Implement support for "%" operation
3357         https://bugs.webkit.org/show_bug.cgi?id=184327
3358
3359         Reviewed by Yusuke Suzuki.
3360
3361         We are introducing support for BigInt in the remainder (a.k.a. mod)
3362         operation.
3363
3364         * runtime/CommonSlowPaths.cpp:
3365         (JSC::SLOW_PATH_DECL):
3366         * runtime/JSBigInt.cpp:
3367         (JSC::JSBigInt::remainder):
3368         (JSC::JSBigInt::rightTrim):
3369         * runtime/JSBigInt.h:
3370
3371 2018-05-30  Saam Barati  <sbarati@apple.com>
3372
3373         AI for Atomics.load() is too conservative in always clobbering world
3374         https://bugs.webkit.org/show_bug.cgi?id=185738
3375         <rdar://problem/40342214>
3376
3377         Reviewed by Yusuke Suzuki.
3378
3379         It fails the assertion that Fil added for catching disagreements between
3380         AI and clobberize. This patch fixes that. You'd run into this if you
3381         manually enabled SAB in a build and ran any SAB tests.
3382
3383         * dfg/DFGAbstractInterpreterInlines.h:
3384         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3385
3386 2018-05-30  Michael Saboff  <msaboff@apple.com>
3387
3388         REGRESSION(r232212): Broke Win32 Builds
3389         https://bugs.webkit.org/show_bug.cgi?id=186061
3390
3391         Reviewed by Yusuke Suzuki.
3392
3393         Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
3394         instead of LowLevelInterpreterWin.asm.
3395
3396         * CMakeLists.txt:
3397
3398 2018-05-30  Dominik Infuehr  <dinfuehr@igalia.com>
3399
3400         [MIPS] Fix build on MIPS32r1
3401         https://bugs.webkit.org/show_bug.cgi?id=185944
3402
3403         Reviewed by Yusuke Suzuki.
3404
3405         Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
3406         on MIPS32r1.
3407
3408         * offlineasm/mips.rb:
3409
3410 2018-05-29  Saam Barati  <sbarati@apple.com>
3411
3412         Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
3413         https://bugs.webkit.org/show_bug.cgi?id=186064
3414
3415         Reviewed by Mark Lam.
3416
3417         shrinkFootprint was implemented as:
3418         ```
3419         sanitizeStackForVM(this);
3420         deleteAllCode(DeleteAllCodeIfNotCollecting);
3421         heap.collectNow(Synchronousness::Sync);
3422         WTF::releaseFastMallocFreeMemory();
3423         ```
3424         
3425         However, for correctness reasons, deleteAllCode is implemented to do
3426         work when the VM is idle: no JS is running on the stack. This means
3427         that if shrinkFootprint is called when JS is running on the stack, it
3428         ends up freeing less memory than it could have if it waited to run until
3429         the VM goes idle.
3430         
3431         This patch makes it so we wait until idle before doing work. I'm seeing a
3432         10% footprint progression when testing this against a client of the JSC SPI.
3433         
3434         Because this is a semantic change in how the SPI works, this patch
3435         adds new SPI named shrinkFootprintWhenIdle. The plan is to move
3436         all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
3437         Once that happens, we will delete shrinkFootprint. Until then,
3438         we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.
3439
3440         * API/JSVirtualMachine.mm:
3441         (-[JSVirtualMachine shrinkFootprint]):
3442         (-[JSVirtualMachine shrinkFootprintWhenIdle]):
3443         * API/JSVirtualMachinePrivate.h:
3444         * runtime/VM.cpp:
3445         (JSC::VM::shrinkFootprintWhenIdle):
3446         (JSC::VM::shrinkFootprint): Deleted.
3447         * runtime/VM.h:
3448
3449 2018-05-29  Saam Barati  <sbarati@apple.com>
3450
3451         shrinkFootprint needs to request a full collection
3452         https://bugs.webkit.org/show_bug.cgi?id=186069
3453
3454         Reviewed by Mark Lam.
3455
3456         * runtime/VM.cpp:
3457         (JSC::VM::shrinkFootprint):
3458
3459 2018-05-29  Caio Lima  <ticaiolima@gmail.com>
3460
3461         [ESNext][BigInt] Implement support for "<" and ">" relational operation
3462         https://bugs.webkit.org/show_bug.cgi?id=185379
3463
3464         Reviewed by Yusuke Suzuki.
3465
3466         This patch is changing the `jsLess` operation to follow the
3467         semantics of Abstract Relational Comparison[1] that supports BigInt.
3468         For that, we create 2 new helper functions `bigIntCompareLess` and
3469         `toPrimitiveNumeric` that consider BigInt as a valid type to be
3470         compared.
3471
3472         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison
3473
3474         * runtime/JSBigInt.cpp:
3475         (JSC::JSBigInt::unequalSign):
3476         (JSC::JSBigInt::absoluteGreater):
3477         (JSC::JSBigInt::absoluteLess):
3478         (JSC::JSBigInt::compare):
3479         (JSC::JSBigInt::absoluteCompare):
3480         * runtime/JSBigInt.h:
3481         * runtime/JSCJSValueInlines.h:
3482         (JSC::JSValue::isPrimitive const):
3483         * runtime/Operations.h:
3484         (JSC::bigIntCompareLess):
3485         (JSC::toPrimitiveNumeric):
3486         (JSC::jsLess):
3487
3488 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3489
3490         [Baseline] Merge loading functionalities
3491         https://bugs.webkit.org/show_bug.cgi?id=185907
3492
3493         Reviewed by Saam Barati.
3494
3495         This patch unifies emitXXXLoad functions in 32bit and 64bit.
3496
3497         * jit/JITInlines.h:
3498         (JSC::JIT::emitDoubleGetByVal):
3499         * jit/JITPropertyAccess.cpp:
3500         (JSC::JIT::emitDoubleLoad):
3501         (JSC::JIT::emitContiguousLoad):
3502         (JSC::JIT::emitArrayStorageLoad):
3503         (JSC::JIT::emitIntTypedArrayGetByVal):
3504         (JSC::JIT::emitFloatTypedArrayGetByVal):
3505         Define register usage first, and share the same code in 32bit and 64bit.
3506
3507         * jit/JITPropertyAccess32_64.cpp:
3508         (JSC::JIT::emitSlow_op_put_by_val):
3509         Now the C stack is always enabled on JIT platforms and the number of temporary registers increases from 5 to 6 on x86.
3510         We can remove this special handling.
3511
3512         (JSC::JIT::emitContiguousLoad): Deleted.
3513         (JSC::JIT::emitDoubleLoad): Deleted.
3514         (JSC::JIT::emitArrayStorageLoad): Deleted.
3515
3516 2018-05-29  Saam Barati  <sbarati@apple.com>
3517
3518         JSC should put bmalloc's scavenger into mini mode
3519         https://bugs.webkit.org/show_bug.cgi?id=185988
3520
3521         Reviewed by Michael Saboff.
3522
3523         When we InitializeThreading, we'll now enable bmalloc's mini mode
3524         if the VM is in mini mode. This is an 8-10% progression on the footprint
3525         at end score in run-testmem, making it a 4-5% memory score progression.
3526         It's between a 0-1% regression in its time score.
3527
3528         * runtime/InitializeThreading.cpp:
3529         (JSC::initializeThreading):
3530
3531 2018-05-29  Caitlin Potter  <caitp@igalia.com>
3532
3533         [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
3534         https://bugs.webkit.org/show_bug.cgi?id=184267
3535
3536         Reviewed by Saam Barati.
3537
3538         Before this patch, the fast case for Array.prototype.concat was taken if
3539         there was a single argument passed to the function, which is either a
3540         non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
3541         This incorrectly prevented Proxy objects from being spread when
3542         they were the only argument passed to A.prototype.concat(), violating ECMA-262.
3543
3544         * builtins/ArrayPrototype.js:
3545         (concat):
3546
3547 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3548
3549         [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
3550         https://bugs.webkit.org/show_bug.cgi?id=186022
3551
3552         Reviewed by Darin Adler.
3553
3554         digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And the zero mask
3555         creation has an issue (`s` should be cast to a signed value before negating). They cause test failures
3556         in non-x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
3557         in asm.
3558
3559         This patch fixes digitDiv by carefully avoiding undefined behavior. We mask the left value of the
3560         rshift with `digitBits - 1`, which turns `digitBits` into 0 while keeping the values 0 <= n < digitBits unchanged.
3561         This makes the target rshift well-defined in C++. While the value produced by the rshift covers the 0 <= `s` < 64 (32
3562         in a 32-bit environment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
3563         if `s` is 0, so that the `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
3564         is never 0 here. We add an assertion for that. We also fix the `sZeroMask` calculation.
3565
3566         This patch also fixes naming convention for constant values.
3567
3568         * runtime/JSBigInt.cpp:
3569         (JSC::JSBigInt::digitMul):
3570         (JSC::JSBigInt::digitDiv):
3571         * runtime/JSBigInt.h:
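
The normalization step the entry above describes, as an added example (not JSC's own JSBigInt::digitDiv); the 64-bit digit width, the clzDigit fallback and the helper names are assumptions:

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>

// Added example, not JSC's JSBigInt::digitDiv: it isolates the divisor
// normalization step. A digit is 64 bits here (JSC uses 32-bit digits on
// 32-bit targets; the same reasoning applies with 32 in place of 64).
using Digit = std::uint64_t;
using SignedDigit = std::int64_t;
constexpr unsigned digitBits = 64;
constexpr unsigned shiftMask = digitBits - 1;

// Leading-zero count of a non-zero digit (portable loop standing in for clz64).
unsigned clzDigit(Digit value)
{
    assert(value != 0);
    unsigned count = 0;
    for (Digit bit = Digit(1) << (digitBits - 1); !(value & bit); bit >>= 1)
        ++count;
    return count;
}

// All ones when s != 0, zero when s == 0, without a branch. The negation is
// done on a signed value: (s != 0) is 0 or 1, negating it gives 0 or -1, and
// converting -1 to Digit is well-defined and yields all ones.
Digit sZeroMaskOf(unsigned s)
{
    return static_cast<Digit>(-static_cast<SignedDigit>(s != 0));
}

// The mistake the entry calls out: negating the *unsigned* count wraps instead
// of going negative, so extracting the sign bit yields 1, never all ones.
Digit brokenZeroMaskOf(Digit s)
{
    return static_cast<Digit>(-s) >> (digitBits - 1); // 1 for any s != 0
}

struct Normalized {
    Digit divisor; // original divisor shifted so its top bit is set
    Digit high;    // upper digit of (high:low) << s
    Digit low;     // lower digit of (high:low) << s
    unsigned s;    // the shift that was applied
};

// Normalize the operands of a two-digit-by-one-digit division step.
// The naive form of the high update is
//     (high << s) | (low >> (digitBits - s))
// which evaluates low >> 64 when s == 0: undefined behavior in C++.
// Masking the shift count with digitBits - 1 keeps it in [0, 64), so for
// s == 0 it becomes low >> 0 == low, and sZeroMask then discards that value.
Normalized normalize(Digit divisor, Digit high, Digit low)
{
    assert(divisor != 0); // guarantees s < digitBits, i.e. s == 64 never happens
    unsigned s = clzDigit(divisor);
    Digit sZeroMask = sZeroMaskOf(s);
    Digit spill = (low >> ((digitBits - s) & shiftMask)) & sZeroMask;
    return { divisor << s, (high << s) | spill, low << s, s };
}

int main()
{
    // Constructed inputs. Divisor already has its top bit set: s == 0, nothing spills.
    Normalized a = normalize(0x8000000000000001ULL, 0x1234, 0xF000000000000000ULL);
    assert(a.s == 0 && a.high == 0x1234 && a.low == 0xF000000000000000ULL);
    // Divisor with four leading zeros: the top nibble of low moves into high.
    Normalized b = normalize(0x0800000000000000ULL, 0x1234, 0xF000000000000000ULL);
    assert(b.s == 4 && b.high == 0x1234F && b.low == 0);
    std::printf("ok\n");
    return 0;
}
```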
3572
3573 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3574
3575         [WTF] Add clz32 / clz64 for MSVC
3576         https://bugs.webkit.org/show_bug.cgi?id=186023
3577
3578         Reviewed by Daniel Bates.
3579
3580         Move clz32 and clz64 to WTF.
3581
3582         * runtime/MathCommon.h:
3583         (JSC::clz32): Deleted.
3584         (JSC::clz64): Deleted.
3585
3586 2018-05-27  Caio Lima  <ticaiolima@gmail.com>
3587
3588         [ESNext][BigInt] Implement "+" and "-" unary operation
3589         https://bugs.webkit.org/show_bug.cgi?id=182214
3590
3591         Reviewed by Yusuke Suzuki.
3592
3593         This patch is implementing support for the "-" unary operation on BigInt.
3594         It is also changing the logic of ASTBuilder::makeNegateNode to
3595         calculate BigInt literals with the proper sign, avoiding
3596         unnecessary operations. It required a refactoring of
3597         JSBigInt::parseInt to take the sign as a parameter.
3598
3599         We are also introducing a new DFG Node called ValueNegate to handle BigInt negate
3600         operations. With the introduction of BigInt, it is no longer true
3601         that every negate operation returns a Number. As ArithNegate is a
3602         node that assumes its result is always a Number, like all other
3603         Arith<Operation> nodes, we decided to keep this consistency and use ValueNegate when
3604         speculation indicates that the operand is a BigInt.
3605         This design follows the same distinction between ArithAdd and
3606         ValueAdd. Also, this new node will simplify the introduction of
3607         optimizations when we create speculation paths for BigInt in future
3608         patches.
3609
3610         In the case of the "+" unary operation on BigInt, the semantics we already have
3611         are correct, since it needs to throw a TypeError because of the ToNumber call[1].
3612         In that case, we are adding tests to verify other edge cases.
3613
3614         [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator
3615
3616         * bytecompiler/BytecodeGenerator.cpp:
3617         (JSC::BytecodeGenerator::addBigIntConstant):
3618         * bytecompiler/BytecodeGenerator.h:
3619         * bytecompiler/NodesCodegen.cpp:
3620         (JSC::BigIntNode::jsValue const):
3621         * dfg/DFGAbstractInterpreterInlines.h:
3622         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3623         * dfg/DFGByteCodeParser.cpp:
3624         (JSC::DFG::ByteCodeParser::makeSafe):
3625         (JSC::DFG::ByteCodeParser::parseBlock):
3626         * dfg/DFGClobberize.h:
3627         (JSC::DFG::clobberize):
3628         * dfg/DFGDoesGC.cpp:
3629         (JSC::DFG::doesGC):
3630         * dfg/DFGFixupPhase.cpp:
3631         (JSC::DFG::FixupPhase::fixupNode):
3632         * dfg/DFGNode.h:
3633         (JSC::DFG::Node::arithNodeFlags):
3634         * dfg/DFGNodeType.h:
3635         * dfg/DFGPredictionPropagationPhase.cpp:
3636         * dfg/DFGSafeToExecute.h:
3637         (JSC::DFG::safeToExecute):
3638         * dfg/DFGSpeculativeJIT.cpp:
3639         (JSC::DFG::SpeculativeJIT::compileValueNegate):
3640         (JSC::DFG::SpeculativeJIT::compileArithNegate):
3641         * dfg/DFGSpeculativeJIT.h:
3642         * dfg/DFGSpeculativeJIT32_64.cpp:
3643         (JSC::DFG::SpeculativeJIT::compile):
3644         * dfg/DFGSpeculativeJIT64.cpp:
3645         (JSC::DFG::SpeculativeJIT::compile):
3646         * ftl/FTLCapabilities.cpp:
3647         (JSC::FTL::canCompile):
3648         * ftl/FTLLowerDFGToB3.cpp:
3649         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3650         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
3651         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
3652         * jit/JITOperations.cpp:
3653         * parser/ASTBuilder.h:
3654         (JSC::ASTBuilder::createBigIntWithSign):
3655         (JSC::ASTBuilder::createBigIntFromUnaryOperation):
3656         (JSC::ASTBuilder::makeNegateNode):
3657         * parser/NodeConstructors.h:
3658         (JSC::BigIntNode::BigIntNode):
3659         * parser/Nodes.h:
3660         * runtime/CommonSlowPaths.cpp:
3661         (JSC::updateArithProfileForUnaryArithOp):
3662         (JSC::SLOW_PATH_DECL):
3663         * runtime/JSBigInt.cpp:
3664         (JSC::JSBigInt::parseInt):
3665         * runtime/JSBigInt.h:
3666         * runtime/JSCJSValueInlines.h:
3667         (JSC::JSValue::strictEqualSlowCaseInline):
3668
3669 2018-05-27  Dan Bernstein  <mitz@apple.com>
3670
3671         Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.
3672
3673         * jit/JITOperations.cpp:
3674
3675 2018-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3676
3677         [JSC] Rename Array#flatten to flat
3678         https://bugs.webkit.org/show_bug.cgi?id=186012
3679
3680         Reviewed by Saam Barati.
3681
3682         Rename Array#flatten to Array#flat. This rename was done in TC39 since flatten
3683         conflicts with a MooTools function name.
3684
3685         * builtins/ArrayPrototype.js:
3686         (globalPrivate.flatIntoArray):
3687         (flat):
3688         (globalPrivate.flatIntoArrayWithCallback):
3689         (flatMap):
3690         (globalPrivate.flattenIntoArray): Deleted.
3691         (flatten): Deleted.
3692         (globalPrivate.flattenIntoArrayWithCallback): Deleted.
3693         * runtime/ArrayPrototype.cpp:
3694         (JSC::ArrayPrototype::finishCreation):
3695
3696 2018-05-25  Mark Lam  <mark.lam@apple.com>
3697
3698         for-in loops should preserve and restore the TDZ stack for each of its internal loops.
3699         https://bugs.webkit.org/show_bug.cgi?id=185995
3700         <rdar://problem/40173142>
3701
3702         Reviewed by Saam Barati.
3703
3704         This is because there's no guarantee that any of the loop bodies will be
3705         executed.  Hence, there's no guarantee that the TDZ variables will have been
3706         initialized after each loop body.
3707
3708         * bytecompiler/BytecodeGenerator.cpp:
3709         (JSC::BytecodeGenerator::preserveTDZStack):
3710         (JSC::BytecodeGenerator::restoreTDZStack):
3711         * bytecompiler/BytecodeGenerator.h:
3712         * bytecompiler/NodesCodegen.cpp:
3713         (JSC::ForInNode::emitBytecode):
3714
3715 2018-05-25  Mark Lam  <mark.lam@apple.com>
3716
3717         MachineContext's instructionPointer() should handle null PCs correctly.
3718         https://bugs.webkit.org/show_bug.cgi?id=186004
3719         <rdar://problem/40570067>
3720
3721         Reviewed by Saam Barati.
3722
3723         instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
3724         MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
3725         assert accordingly with a debug ASSERT.  This is inconsequential for release
3726         builds, but to avoid this assertion failure, we should check for a null PC and
3727         return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
3728         MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
3729
3730         Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
3731         for null pointers, but I would rather not do that yet.  In general,
3732         MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
3733         leave it that way for now.
3734
3735         Note: this assertion failure only manifests when we have signal traps enabled,
3736         and encounter a null pointer deref.
3737
3738         * runtime/MachineContext.h:
3739         (JSC::MachineContext::instructionPointer):
3740
3741 2018-05-25  Mark Lam  <mark.lam@apple.com>
3742
3743         Enforce invariant that GetterSetter objects are invariant.
3744         https://bugs.webkit.org/show_bug.cgi?id=185968
3745         <rdar://problem/40541416>
3746
3747         Reviewed by Saam Barati.
3748
3749         The code already assumes the invariant that GetterSetter objects are immutable.
3750         For example, the use of @tryGetById in builtins expects this invariant to be true.
3751         The existing code mostly enforces this except for one case: JSObject's
3752         validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
3753         object.
3754
3755         This patch enforces this invariant by removing the setGetter and setSetter methods
3756         of GetterSetter, and requiring the getter/setter callback functions to be
3757         specified at construction time.
3758
3759         * jit/JITOperations.cpp:
3760         * llint/LLIntSlowPaths.cpp:
3761         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3762         * runtime/GetterSetter.cpp:
3763         (JSC::GetterSetter::withGetter): Deleted.
3764         (JSC::GetterSetter::withSetter): Deleted.
3765         * runtime/GetterSetter.h:
3766         * runtime/JSGlobalObject.cpp:
3767         (JSC::JSGlobalObject::init):
3768         * runtime/JSObject.cpp:
3769         (JSC::JSObject::putIndexedDescriptor):
3770         (JSC::JSObject::putDirectNativeIntrinsicGetter):
3771         (JSC::putDescriptor):
3772         (JSC::validateAndApplyPropertyDescriptor):
3773         * runtime/JSTypedArrayViewPrototype.cpp:
3774         (JSC::JSTypedArrayViewPrototype::finishCreation):
3775         * runtime/Lookup.cpp:
3776         (JSC::reifyStaticAccessor):
3777         * runtime/PropertyDescriptor.cpp:
3778         (JSC::PropertyDescriptor::slowGetterSetter):
3779
3780 2018-05-25  Saam Barati  <sbarati@apple.com>
3781
3782         Make JSC have a mini mode that kicks in when the JIT is disabled
3783         https://bugs.webkit.org/show_bug.cgi?id=185931
3784
3785         Reviewed by Mark Lam.
3786
3787         This patch makes JSC have a mini VM mode. This currently only kicks in
3788         when the process can't JIT. Mini VM now means a few things:
3789         - We always use a 1.27x heap growth factor. This number was the best tradeoff
3790           between memory use progression and time regression in run-testmem. We may
3791           want to tune this more in the future as we make other mini VM changes.
3792         - We always sweep synchronously.
3793         - We disable generational GC.
3794         
3795         I'm going to continue to extend what mini VM mode means in future changes.
3796         
3797         This patch is a 50% memory progression and an ~8-9% time regression
3798         on run-testmem when running in mini VM mode with the JIT disabled.
3799
3800         * heap/Heap.cpp:
3801         (JSC::Heap::collectNow):
3802         (JSC::Heap::finalize):
3803         (JSC::Heap::useGenerationalGC):
3804         (JSC::Heap::shouldSweepSynchronously):
3805         (JSC::Heap::shouldDoFullCollection):
3806         * heap/Heap.h:
3807         * runtime/Options.h:
3808         * runtime/VM.cpp:
3809         (JSC::VM::isInMiniMode):
3810         * runtime/VM.h:
3811
3812 2018-05-25  Saam Barati  <sbarati@apple.com>
3813
3814         Have a memory test where we can validate JSC's mini memory mode
3815         https://bugs.webkit.org/show_bug.cgi?id=185932
3816
3817         Reviewed by Mark Lam.
3818
3819         This patch adds the testmem CLI. It takes as input a file to run
3820         and the number of iterations to run it (by default it runs it
3821         20 times). Each iteration runs in a new JSContext. Each JSContext
3822         belongs to a VM that is created once. When finished, the CLI dumps
3823         out the peak memory usage of the process, the memory usage at the end
3824         of running all the iterations of the process, and the total time it
3825         took to run all the iterations.
3826
3827         * JavaScriptCore.xcodeproj/project.pbxproj:
3828         * testmem: Added.
3829         * testmem/testmem.mm: Added.
3830         (description):
3831         (Footprint::now):
3832         (main):
3833
3834 2018-05-25  David Kilzer  <ddkilzer@apple.com>
3835
3836         Fix issues with -dealloc methods found by clang static analyzer
3837         <https://webkit.org/b/185887>
3838
3839         Reviewed by Joseph Pecoraro.
3840
3841         * API/JSValue.mm:
3842         (-[JSValue dealloc]):
3843         (-[JSValue description]):
3844         - Move method implementations from (Internal) category to the
3845           main category since these are public API.  This fixes the
3846           false positive warning about a missing -dealloc method.
3847
3848 2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3849
3850         [Baseline] Remove a hack for DCE removal of NewFunction
3851         https://bugs.webkit.org/show_bug.cgi?id=185945
3852
3853         Reviewed by Saam Barati.
3854
3855         This `undefined` check in baseline was originally introduced in r177871. The problem was,
3856         when NewFunction is removed in DFG DCE, the scope DFG node it references is also removed.
3857         While op_new_func_xxx wants to have a scope for function creation, DFG OSR exit cannot
3858         retrieve this onto the stack since the scope is not referenced from anywhere.
3859
3860         In r177871, we fixed this by accepting an `undefined` scope in the baseline op_new_func_xxx
3861         implementation. But rather than that, just emitting `Phantom` for this scope is cleaner
3862         and consistent with the other DFG nodes like GetClosureVar.
3863
3864         This patch emits Phantom instead, and removes the unnecessary `undefined` check in baseline.
3865         While we emit Phantom, it is not testable since NewFunction is guarded by a MovHint which
3866         is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
3867         if it is not referenced. And the scope node is kept by PutHint. But emitting Phantom is nice
3868         since it conservatively guards the scope, and it does not introduce any additional overhead
3869         compared to the current status.
3870
3871         * dfg/DFGByteCodeParser.cpp:
3872         (JSC::DFG::ByteCodeParser::parseBlock):
3873         * jit/JITOpcodes.cpp:
3874         (JSC::JIT::emitNewFuncExprCommon):
3875
3876 2018-05-23  Keith Miller  <keith_miller@apple.com>
3877
3878         Expose $vm if window.internals is exposed
3879         https://bugs.webkit.org/show_bug.cgi?id=185900
3880
3881         Reviewed by Mark Lam.
3882
3883         This is useful for testing vm internals when running LayoutTests.
3884
3885         * runtime/JSGlobalObject.cpp:
3886         (JSC::JSGlobalObject::init):
3887         (JSC::JSGlobalObject::visitChildren):
3888         (JSC::JSGlobalObject::exposeDollarVM):
3889         * runtime/JSGlobalObject.h:
3890
3891 2018-05-23  Keith Miller  <keith_miller@apple.com>
3892
3893         Define length on CoW array should properly convert to writable
3894         https://bugs.webkit.org/show_bug.cgi?id=185927
3895
3896         Reviewed by Yusuke Suzuki.
3897
3898         * runtime/JSArray.cpp:
3899         (JSC::JSArray::setLength):
3900
3901 2018-05-23  Keith Miller  <keith_miller@apple.com>
3902
3903         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
3904         https://bugs.webkit.org/show_bug.cgi?id=185923
3905
3906         Reviewed by Saam Barati.
3907
3908         Previously, we could confuse AI by overly broadening a type. This happens when a block in a
3909         loop has a local mutated following a GetLocal but never stored back to the stack with a SetLocal. For example,
3910
3911         Block 1:
3912         @1: GetLocal(loc42, FlushedInt32);
3913         @2: PutStructure(Check: Cell: @1);
3914         @3: Jump(Block 1);
3915
3916         Would cause us to claim that loc42 could be either an int32 or some cell. However,
3917         the type of a local cannot change without writing to it.
3918
3919         This fixes a crash in destructuring-rest-element.js
3920
3921         * dfg/DFGInPlaceAbstractState.cpp:
3922         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3923
3924 2018-05-23  Filip Pizlo  <fpizlo@apple.com>
3925
3926         Speed up JetStream/base64
3927         https://bugs.webkit.org/show_bug.cgi?id=185914