DateConversion::formatDateTime incorrectly formats negative years

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>

        DateConversion::formatDateTime incorrectly formats negative years
        https://bugs.webkit.org/show_bug.cgi?id=199964

        Reviewed by Ross Kirsling.

        Currently, year is always padded to max length of 4, including the minus sign "-".
        With this change, only absolute value of year is padded to max length of 4 and
        preceded by minus sign "-" if the year is negative.
        (steps 6-10 of https://tc39.es/ecma262/#sec-datestring)

        * runtime/DateConversion.cpp:
        (JSC::appendNumber):

2019-08-15  Mark Lam  <mark.lam@apple.com>

        More missing exception checks in String.prototype.
        https://bugs.webkit.org/show_bug.cgi?id=200762
        <rdar://problem/54333896>

        Reviewed by Michael Saboff.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::operationStringProtoFuncReplaceRegExpString):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):

2019-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        for-await-of has bad error message if used in non-async function
        https://bugs.webkit.org/show_bug.cgi?id=200758

        Reviewed by Ross Kirsling.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):
        Improve error message.

2019-08-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Air does not appropriately propagate ConstFloatValue to stackmap
        https://bugs.webkit.org/show_bug.cgi?id=200759

        Reviewed by Saam Barati.

        In B3MoveConstant phase, we convert ConstFloatValue and ConstDoubleValue to memory access to the table
        to avoid large immediates *except for* stackmap argument case. This is because materializing constant doubles
        and floats as memory-access before passing it to stackmap is wasteful: the stackmap may not use it actually, or
        stackmap can do better job if it knows the parameter is constant.

        Based on the above operation, B3LowerToAir phase strongly assumes that all ConstFloatValue and ConstDoubleValue
        are removed except for the case used for parameter of stackmap. With r192377, B3LowerToAir catch this case, and
        propagate constant double value as ValueRep in stackmap. While B3LowerToAir does this correctly for ConstDoubleValue,
        we missed adding this support for ConstFloatValue.

        This patch adds r192377's support for ConstFloatValue to propagate ConstFloatValue correctly to the stackmap.
        This issue starts appearing since Wasm BBQ-B3 OSR starts putting ConstFloatValue to OSR-tier-up patchpoint.

        * b3/B3LowerToAir.cpp:
        * b3/B3ValueKey.h:
        (JSC::B3::ValueKey::ValueKey):
        (JSC::B3::ValueKey::floatValue const):
        * b3/B3ValueRep.h:
        (JSC::B3::ValueRep::constantFloat):
        (JSC::B3::ValueRep::floatValue const):
        * b3/testb3.h:
        * b3/testb3_1.cpp:
        (run):
        * b3/testb3_5.cpp:
        (testPatchpointManyWarmAnyImms):
        (testPatchpointManyColdAnyImms):
        (testPatchpointManyImms): Deleted.

2019-08-14  Keith Rollin  <krollin@apple.com>

        Remove support for macOS < 10.13
        https://bugs.webkit.org/show_bug.cgi?id=200694
        <rdar://problem/54278851>

        Reviewed by Youenn Fablet.

        Update conditionals that reference __MAC_OS_X_VERSION_MIN_REQUIRED and
        __MAC_OS_X_VERSION_MAX_ALLOWED, assuming that they both have values >=
        101300. This means that expressions like
        "__MAC_OS_X_VERSION_MIN_REQUIRED < 101300" are always False and
        "__MAC_OS_X_VERSION_MIN_REQUIRED >= 101300" are always True.

        * API/WebKitAvailability.h:

2019-08-14  Mark Lam  <mark.lam@apple.com>

        ProxyObject should not be allow to access its target's private properties.
        https://bugs.webkit.org/show_bug.cgi?id=200739
        <rdar://problem/53972768>

        Reviewed by Yusuke Suzuki.

        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performDefineOwnProperty):

2019-08-14  Mark Lam  <mark.lam@apple.com>

        Missing exception check in string compare.
        https://bugs.webkit.org/show_bug.cgi?id=200743
        <rdar://problem/53975356>

        Reviewed by Michael Saboff.

        * runtime/JSString.cpp:
        (JSC::JSString::equalSlowCase const):

2019-08-14  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, build fix for MacroAssemblerARM64E change
        https://bugs.webkit.org/show_bug.cgi?id=200703

        * assembler/MacroAssemblerARM64E.h:
        (JSC::MacroAssemblerARM64E::farJump):

2019-08-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Less contended MetaAllocator
        https://bugs.webkit.org/show_bug.cgi?id=200278

        Reviewed by Mark Lam.

        The profiler result of JetStream2/bomb-workers shows that we are having contention under MetaAllocator::currentStatistics.
        This function is called in ExecutableAllocator::memoryPressureMultiplier, and it is called from ExecutableCounter's threshold
        calculation. But MetaAllocator::currentStatistics takes a global lock inside MetaAllocator and causes contention. However,
        we do not need to have a lock actually: clients of MetaAllocator::currentStatistics typically use bytesReserved and bytesAllocated
        information. However, since our executable allocator is fixed-sized, bytesReserved is always the fixed size. So just reading bytesAllocated
        racily is enough.

        This patch attempts to reduce the contention by the following two things.

        1. Read bytesAllocated racily instead of calling MetaAllocator::currentStatistics. Then ExecutableCounter does not need to take a lock.
        2. page lifetime management APIs of MetaAllocator should take a second `count` parameter to batch the system calls.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        (JSC::ExecutableAllocator::allocate):
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Deleted.
        (JSC::FixedVMPoolExecutableAllocator::memoryStart): Deleted.
        (JSC::FixedVMPoolExecutableAllocator::memoryEnd): Deleted.
        (JSC::FixedVMPoolExecutableAllocator::isJITPC): Deleted.
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps): Deleted.
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator): Deleted.
        (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion): Deleted.

2019-08-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make PAC jump and return more explicit
        https://bugs.webkit.org/show_bug.cgi?id=200703

        Reviewed by Mark Lam.

        This patch refactors our macro assembler, mainly related to PAC.

        1. Make far-jump explicit by renaming `jump` to `farJump`.
        2. Remove unused makeTailRecursiveCall and tailRecursiveCall.
        3. Do not make `ARM64EAssembler::ret` as `retab`. MacroAssemblerARM64E should call `retab` explicitly instead.

        * assembler/ARM64EAssembler.h:
        (JSC::ARM64EAssembler::ret): Deleted.
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::farJump):
        (JSC::MacroAssemblerARM64::makeTailRecursiveCall): Deleted.
        (JSC::MacroAssemblerARM64::tailRecursiveCall): Deleted.
        * assembler/MacroAssemblerARM64E.h:
        (JSC::MacroAssemblerARM64E::farJump):
        (JSC::MacroAssemblerARM64E::ret):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::farJump):
        (JSC::MacroAssemblerARMv7::relativeTableJump):
        (JSC::MacroAssemblerARMv7::tailRecursiveCall): Deleted.
        (JSC::MacroAssemblerARMv7::makeTailRecursiveCall): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::farJump):
        (JSC::MacroAssemblerMIPS::tailRecursiveCall): Deleted.
        (JSC::MacroAssemblerMIPS::makeTailRecursiveCall): Deleted.
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::farJump):
        (JSC::MacroAssemblerX86::jump): Deleted.
        (JSC::MacroAssemblerX86::tailRecursiveCall): Deleted.
        (JSC::MacroAssemblerX86::makeTailRecursiveCall): Deleted.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::farJump):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::farJump):
        (JSC::MacroAssemblerX86_64::jump): Deleted.
        (JSC::MacroAssemblerX86_64::tailRecursiveCall): Deleted.
        (JSC::MacroAssemblerX86_64::makeTailRecursiveCall): Deleted.
        * b3/B3LowerMacros.cpp:
        * b3/testb3_6.cpp:
        (testInterpreter):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        * jit/ThunkGenerators.cpp:
        (JSC::slowPathFor):
        (JSC::virtualThunkFor):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::emitThrowWasmToJSException):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):

2019-08-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove bad semicolon in generation of ObjC methods
        https://bugs.webkit.org/show_bug.cgi?id=200655

        Reviewed by Devin Rousso.

        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
        Do not include a semicolon in the method implementation.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        Updated results.

2019-08-13  Saam Barati  <sbarati@apple.com>

        Add a way to opt out of kern TCSM for layout tests
        https://bugs.webkit.org/show_bug.cgi?id=200649
        <rdar://problem/51304923>

        Reviewed by Alexey Proskuryakov.

        * assembler/CPU.cpp:
        (JSC::isKernTCSMAvailable):
        * runtime/Options.h:

2019-08-13  Sam Weinig  <weinig@apple.com>

        Rename StringBuilder::append(UChar32) to StringBuilder::appendCharacter(UChar32) to avoid accidental change in behavior when replacing append with flexibleAppend
        https://bugs.webkit.org/show_bug.cgi?id=200675

        Reviewed by Darin Adler.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::tryConsumeGroupName):
        (JSC::Yarr::Parser::tryConsumeUnicodePropertyExpression):
        Update for rename from StringBuilder::append(UChar32) to StringBuilder::appendCharacter(UChar32).

2019-08-13  Mark Lam  <mark.lam@apple.com>

        Add phase, block, and node numbers to left margin of DFG graph dumps.
        https://bugs.webkit.org/show_bug.cgi?id=200693

        Reviewed by Saam Barati.

        When scrolling through the DFG graph dumps, it's easy to get lost as to which phase
        or block one is looking at, especially if the blocks are long.  This patch adds
        node index, block number, and phase number on the left margin of the dumps.
        Here's a sample:

               53:     %Bd:Function                   = 0x1079fd960:[Function, {}, NonArray, Proto:0x1079d8000, Leaf]
               53:     %Bf:Function                   = 0x1079b0700:[Function, {name:100, prototype:101, length:102, stackTraceLimit:103}, NonArray, Proto:0x1079d8000, Leaf]
               53:     %Bj:Function                   = 0x1079fd5e0:[Function, {name:100, length:101, toString:102, apply:103, call:104, bind:105, Symbol.hasInstance:106, caller:107, arguments:108, constructor:109}, NonArray, Proto:0x1079c0000, Leaf]
               53:     %CV:JSGlobalLexicalEnvironment = 0x1079fd6c0:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]

               53: Phase liveness analysis changed the IR.

               54: Beginning DFG phase OSR availability analysis.
               54: Before OSR availability analysis:

               54: DFG for foo#DXMNag:[0x1079a4850->0x1079a4130->0x1079c7600, DFGFunctionCall, 204 (NeverInline)]:
               54:   Fixpoint state: FixpointConverged; Form: SSA; Unification state: GloballyUnified; Ref count state: ExactRefCount
               54:   Argument formats for entrypoint index: 0 : FlushedJSValue, FlushedCell, FlushedJSValue

             0 54: Block #0 (bc#0): (OSR target)
             0 54:   Execution count: 1.000000
             0 54:   Predecessors:
             0 54:   Successors:
             0 54:   Dominated by: #0
             0 54:   Dominates: #0
             0 54:   Dominance Frontier: 
             0 54:   Iterated Dominance Frontier: 
             0 54:   Backwards dominates by: #root #0
             0 54:   Backwards dominates: #0
             0 54:   Control equivalent to: #0
             0 54:   States: StructuresAreWatched
             0 54:   Live:
             0 54:   Values 
          0  0 54:   53:< 1:-> JSConstant(JS|UseAsOther, Other, Null, bc#0, ExitValid)
          1  0 54:   64:< 2:-> JSConstant(JS|UseAsOther, NonBoolInt32, Int32: 10, bc#0, ExitValid)
          2  0 54:    3:< 5:-> JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid)
          3  0 54:   32:< 1:-> JSConstant(JS|UseAsOther, Bool, False, bc#0, ExitValid)
          4  0 54:   19:< 2:-> JSConstant(JS|UseAsOther, OtherObj, Weak:Object: 0x1079d4000 with butterfly 0x0 (Structure %CV:JSGlobalLexicalEnvironment), StructureID: 31423, bc#0, ExitValid)

        The numbers in the left margin before the ':' are node index (i.e. the index of the
        node in the block, not to be confused with node->index() which is the node ID), block
        number, and phase number respectively.  Now, we can scroll thru the dumps quickly
        and tell at a glance when we've scrolled passed the end of a phase, or block.
        These sets of numbers can also serve as a positional marker that we can search for
        to return to a node in the dump after scrolling away.

        Currently, these numbers are only added to the DFG part.  The FTL (from lowering
        to B3 onwards) does not have this feature yet.

        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::DesiredWatchpoints::dumpInContext const):
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Prefix::dump const):
        * dfg/DFGGraph.h:
        (JSC::DFG::Prefix::Prefix):
        (JSC::DFG::Prefix::clearBlockIndex):
        (JSC::DFG::Prefix::clearNodeIndex):
        (JSC::DFG::Prefix::enable):
        (JSC::DFG::Prefix::disable):
        (JSC::DFG::Graph::prefix):
        (JSC::DFG::Graph::nextPhase):
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGValueRepReductionPhase.cpp:
        (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble):

2019-08-13  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r248533): JSC Command - Need to initializeMainThread() before processing config file
        https://bugs.webkit.org/show_bug.cgi?id=200677

        Reviewed by Mark Lam.

        We need to initialize the main thread before calling processConfigFile() since it uses RefCounted objects
        which have "is main thread" ASSERTS.

        * jsc.cpp:
        (jscmain):

2019-08-13  Devin Rousso  <drousso@apple.com>

        Web Inspector: Styles: show @supports CSS groupings
        https://bugs.webkit.org/show_bug.cgi?id=200419
        <rdar://problem/53971948>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/CSS.json:
        Rename `CSSMedia` to `Grouping` and remove the `sourceLine` value, as it was never populated
        and wasn't used by Web Inspector.

        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator.generate_output):
        Add support for including files at the end of <WebInspector/RWIProtocol.h> for compatibility
        statements so that changes to the Web Inspector protocol don't break other clients.

2019-08-13  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: Basic CommandLineAPI doesn't work
        https://bugs.webkit.org/show_bug.cgi?id=200659
        <rdar://problem/54245476>

        Reviewed by Brian Burg.

        * inspector/InjectedScriptSource.js:
        (BasicCommandLineAPI):
        Use `method` directly since it already has been setup nicely and doesn't
        need to be bound. Technically this allows someone to add properties to
        the CommandLineAPI methods in basic mode (`dir.property = 1`) but that
        seems harmless.

2019-08-12  Sam Weinig  <weinig@apple.com>

        Replace multiparameter overloads of append() in StringBuilder as a first step toward standardizinging on the flexibleAppend() implementation
        https://bugs.webkit.org/show_bug.cgi?id=200614

        Reviewed by Darin Adler.

        Renames StringBuilder::append(const LChar*, unsigned), StringBuilder::append(const UChar*, unsigned) and 
        StringBuilder::append(const char*, unsigned) to StringBuilder::appendCharacters(...).
        
        Renames StringBuilder::append(const String& string, unsigned offset, unsigned length) to 
        StringBuilder::appendSubstring(...).

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        * tools/FunctionOverrides.cpp:
        (JSC::parseClause):
        Update for renames.

2019-08-12  Adrian Perez de Castro  <aperez@igalia.com>

        [WPE][GTK] Fix building without unified sources
        https://bugs.webkit.org/show_bug.cgi?id=200641

        Reviewed by Žan Doberšek.

        * b3/B3PatchpointSpecial.cpp: Add missing inclusion of the B3ProcedureInlines.h header.
        * heap/SlotVisitor.cpp: Add missing inclusion of the BlockDirectoryInlines.h header.

2019-08-12  Yusuke Suzuki  <ysuzuki@apple.com>

        [WTF][JSC] Make JSC and WTF aggressively-fast-malloced
        https://bugs.webkit.org/show_bug.cgi?id=200611

        Reviewed by Saam Barati.

        This patch aggressively puts many classes into FastMalloc. In JSC side, we grep `std::make_unique` etc. to find potentially system-malloc-allocated classes.
        After this patch, all the JSC related allocations in JetStream2 cli is done from bmalloc. In the future, it would be nice that we add `WTF::makeUnique<T>` helper
        function and throw a compile error if `T` is not FastMalloc annotated[1].

        Putting WebKit classes in FastMalloc has many benefits.

        1. Simply, it is fast.
        2. vmmap can tell the amount of memory used for WebKit.
        3. bmalloc can isolate WebKit memory allocation from the rest of the world. This is useful since we can know more about what component is corrupting the memory
           from the memory corruption crash.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=200620

        * API/ObjCCallbackFunction.mm:
        * assembler/AbstractMacroAssembler.h:
        * b3/B3PhiChildren.h:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:
        * b3/air/AirDisassembler.h:
        * bytecode/AccessCaseSnippetParams.h:
        * bytecode/CallVariant.h:
        * bytecode/DeferredSourceDump.h:
        * bytecode/ExecutionCounter.h:
        * bytecode/GetByIdStatus.h:
        * bytecode/GetByIdVariant.h:
        * bytecode/InByIdStatus.h:
        * bytecode/InByIdVariant.h:
        * bytecode/InstanceOfStatus.h:
        * bytecode/InstanceOfVariant.h:
        * bytecode/PutByIdStatus.h:
        * bytecode/PutByIdVariant.h:
        * bytecode/ValueProfile.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::newVariableAccessData):
        * dfg/DFGFlowIndexing.h:
        * dfg/DFGFlowMap.h:
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::MaximalFlushInsertionPhase::newVariableAccessData):
        * dfg/DFGOSRExit.h:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGVariableAccessData.h:
        * disassembler/ARM64/A64DOpcode.h:
        * inspector/remote/socket/RemoteInspectorMessageParser.h:
        * inspector/remote/socket/RemoteInspectorSocket.h:
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
        * jit/PCToCodeOriginMap.h:
        * runtime/BasicBlockLocation.h:
        * runtime/DoublePredictionFuzzerAgent.h:
        * runtime/JSRunLoopTimer.h:
        * runtime/PromiseDeferredTimer.h:
        (JSC::PromiseDeferredTimer::create): PromiseDeferredTimer should be allocated as `Ref<>` instead of `std::unique_ptr` since it is inheriting ThreadSafeRefCounted<>.
        Holding such a class with std::unique_ptr could lead to potentially dangerous operations (like, someone holds it with Ref<> while it is deleted by std::unique_ptr<>).
        * runtime/RandomizingFuzzerAgent.h:
        * runtime/SymbolTable.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * tools/JSDollarVM.cpp:
        * tools/SigillCrashAnalyzer.cpp:
        * wasm/WasmFormat.h:
        * wasm/WasmMemory.cpp:
        * wasm/WasmSignature.h:
        * yarr/YarrJIT.h:

2019-08-12  Chris Dumez  <cdumez@apple.com>

        Add threading assertions to RefCounted
        https://bugs.webkit.org/show_bug.cgi?id=200507

        Reviewed by Ryosuke Niwa.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        Disable threading assertions for DFG::Plan::m_inlineCallFrames while the JSC team
        investigates.

2019-08-12  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r248525.

        Revert new threading assertions while I work on fixing the
        issues they exposed

        Reverted changeset:

        "Add threading assertions to RefCounted"
        https://bugs.webkit.org/show_bug.cgi?id=200507
        https://trac.webkit.org/changeset/248525

2019-08-11  Chris Dumez  <cdumez@apple.com>

        Add threading assertions to RefCounted
        https://bugs.webkit.org/show_bug.cgi?id=200507

        Reviewed by Ryosuke Niwa.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        Disable threading assertions for DFG::Plan::m_inlineCallFrames while the JSC team
        investigates.

2019-08-09  Yusuke Suzuki  <ysuzuki@apple.com>

        Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive
        https://bugs.webkit.org/show_bug.cgi?id=199864

        Reviewed by Saam Barati.

        Our JSObject::put implementation is not correct in term of the spec. Our [[Put]] implementation is something like this.

            JSObject::put(object):
                if (can-do-fast-path(object))
                    return fast-path(object);
                // slow-path
                do {
                    object-put-check-and-setter-calls(object); // (1)
                    object = object->prototype;
                } while (is-object(object));
                return do-put(object);

        Since JSObject::put is registered in the methodTable, the derived classes can override it. Some of classes are adding
        extra checks to this put.

            Derived::put(object):
                if (do-extra-check(object))
                    fail
                return JSObject::put(object)

        The problem is that Derived::put is only called when the |this| object is the Derived class. When traversing [[Prototype]] in
        JSObject::put, at (1), we do not perform the extra checks added in Derived::put even if `object` is Derived one. This means that
        we skip the check.

        Currently, JSObject::put and WebCore checking mechanism are broken. JSObject::put should call getOwnPropertySlot at (1) to
        perform the additional checks. This behavior is matching against the spec. However, currently, our JSObject::getOwnPropertySlot
        does not propagate setter information. This is required to cache cacheable [[Put]] at (1) for CustomValue, CustomAccessor, and
        Accessors. We also need to reconsider how to integrate static property setters to this mechanism. So, basically, this involves
        large refactoring to renew our JSObject::put and JSObject::getOwnPropertySlot.

        To work-around for now, we add a new TypeInfo flag, HasPutPropertySecurityCheck . And adding this flag to DOM objects
        that implements the addition checks. We also add doPutPropertySecurityCheck method hook to perform the check in JSObject.
        When we found this flag at (1), we perform doPutPropertySecurityCheck to properly perform the checks.

        Since our JSObject::put code is old and it does not match against the spec now, we should refactor it largely. This is tracked separately in [1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=200562

        * runtime/ClassInfo.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCell.cpp:
        (JSC::JSCell::doPutPropertySecurityCheck):
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::doPutPropertySecurityCheck):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasPutPropertySecurityCheck const):

2019-08-08  Per Arne Vollan  <pvollan@apple.com>

        [Win] Fix internal build
        https://bugs.webkit.org/show_bug.cgi?id=200519

        Reviewed by Alex Christensen.

        The script 'generate-js-builtins.py' cannot be found when building WebCore. Copy the JavaScriptCore Scripts
        folder after building JSC.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj:

2019-08-08  Devin Rousso  <drousso@apple.com>

        Web Inspector: Page: don't allow the domain to be disabled
        https://bugs.webkit.org/show_bug.cgi?id=200109

        Reviewed by Brian Burg.

        The `PageAgent` is relied on by many of the other agents, so much so that it doesn't make
        sense to support the ability to "disable" (as well as "enable") the agent.

        When the first frontend connects, we should treat the `PageAgent` as active and available.

        * inspector/protocol/Page.json:
        Remove `enable`/`disable`.

2019-08-08  Michael Saboff  <msaboff@apple.com>

        OpenSource MemoryFootprint API for JSC command line tool
        https://bugs.webkit.org/show_bug.cgi?id=200541

        Reviewed by Saam Barati.

        Use wtf/spi/darwin/ProcessMemoryFootprint.h instead of WebKitAdditions/MemoryFootprint.h
        for process memory stats.

        * jsc.cpp:
        (MemoryFootprint::MemoryFootprint):

2019-08-08  Devin Rousso  <drousso@apple.com>

        Web Inspector: rename `queryObjects` to `queryInstances` for clarity
        https://bugs.webkit.org/show_bug.cgi?id=200520

        Reviewed by Brian Burg.

        * inspector/InjectedScriptSource.js:
        (queryInstances): Added.
        (queryObjects):
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::queryInstances): Added.
        (Inspector::JSInjectedScriptHost::queryObjects): Deleted.
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionQueryInstances): Added.
        (Inspector::jsInjectedScriptHostPrototypeFunctionQueryObjects): Deleted.

2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Add "jump if (not) undefined or null" bytecode ops
        https://bugs.webkit.org/show_bug.cgi?id=200480

        Reviewed by Saam Barati.

        This patch introduces fused jumps for op_is_undefined_or_null, which ignores "masquerade as undefined" behavior.

        This lets us fix a edge-case bug in RequireObjectCoercible (where `({ length } = document.all)` was a TypeError)
        and moreover provides a very useful optimization for the new ?. and ?? operators, which have semantics centered
        around op_jundefined_or_null and op_jnundefined_or_null, respectively.

        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC::isBranch):
        * bytecode/PreciseJumpTargetsInlines.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::Label::setLocation):
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        (JSC::BytecodeGenerator::emitRequireObjectCoercible):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_jundefined_or_null): Added.
        (JSC::JIT::emit_op_jnundefined_or_null): Added.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jundefined_or_null): Added.
        (JSC::JIT::emit_op_jnundefined_or_null): Added.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2019-08-07  Devin Rousso  <drousso@apple.com>

        Rebase inspector generator tests.

        Rubber-stamped by Brian Burg.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2019-08-07  Caio Lima  <ticaiolima@gmail.com>

        High number of cache miss on localTimeOffset
        https://bugs.webkit.org/show_bug.cgi?id=200444

        Reviewed by Darin Adler.

        This patch is separating the `LocalTimeOffsetCache` for each
        `WTF::TimeType` to avoid constant cache miss on pathological cases
        where `gregorianDateTimeToMS` and `msToGregorianDateTime` are
        intercaleted with `inputTimeType ==  WTF::LocalTime`. Such case
        happens during execution of Facebook Messenger
        (https://www.messenger.com).

        * runtime/JSDateMath.cpp:
        (JSC::localTimeOffset):
        (JSC::gregorianDateTimeToMS):
        * runtime/VM.cpp:
        (JSC::VM::resetDateCache):
        * runtime/VM.h:
        (JSC::LocalTimeOffsetCache::LocalTimeOffsetCache):
        (JSC::LocalTimeOffsetCache::reset):

2019-08-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] sampling-profiler can see garbage Wasm::Callee* pointer which is HashTable deleted / empty values
        https://bugs.webkit.org/show_bug.cgi?id=200494

        Reviewed by Saam Barati.

        The sampling-profiler can see a garbage pointer which is like Wasm::Callee*. This can be filtered by HashSet<Callee*>.
        But this is safe only when the garbage pointer is not deleted / empty values. We saw occasional crash with JetStream2/tsf-wasm.
        This patch filters out these values with `HashSet<Callee*>::isValidValue`.

        * wasm/WasmCalleeRegistry.h:
        (JSC::Wasm::CalleeRegistry::isValidCallee):

2019-08-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r248289.
        https://bugs.webkit.org/show_bug.cgi?id=200488

        Broke internal builds (Requested by drousso on #webkit).

        Reverted changeset:

        "Web Inspector: Styles: show @supports CSS groupings"
        https://bugs.webkit.org/show_bug.cgi?id=200419
        https://trac.webkit.org/changeset/248289

2019-08-06  Devin Rousso  <drousso@apple.com>

        Web Inspector: allow comments in protocol JSON
        https://bugs.webkit.org/show_bug.cgi?id=200104

        Reviewed by Brian Burg.

        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification.load_specification):

        * inspector/scripts/tests/generic/should-strip-comments.json: Added.
        * inspector/scripts/tests/generic/expected/should-strip-comments.json-result: Added.

2019-08-06  Per Arne Vollan  <pvollan@apple.com>

        [Win] Fix AppleWin build
        https://bugs.webkit.org/show_bug.cgi?id=200455

        Reviewed by Alex Christensen.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:

2019-08-05  Devin Rousso  <drousso@apple.com>

        Web Inspector: Styles: show @supports CSS groupings
        https://bugs.webkit.org/show_bug.cgi?id=200419

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/CSS.json:
        Rename `CSSMedia` to `Grouping` and remove the `sourceLine` value, as it was never populated
        and wasn't used by Web Inspector.

2019-08-05  Devin Rousso  <drousso@apple.com>

        Can't use $0, $1 etc when inspecting Google Docs pages because the content uses these for function names
        https://bugs.webkit.org/show_bug.cgi?id=195834

        Reviewed by Joseph Pecoraro.

        Allow the user to alias saved results by providing a different prefix (e.g. "$") from within
        Web Inspector. When changing the alias, all existing saved results will update to be
        reference-able from the new alias.

        * inspector/protocol/Runtime.json:
        Add `setSavedResultAlias` command.

        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::setSavedResultAlias): Added.

        * inspector/InjectedScriptHost.h:
        (Inspector::InjectedScriptHost::setSavedResultAlias): Added.
        (Inspector::InjectedScriptHost::savedResultAlias const): Added.
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::savedResultAlias const): Added.
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeAttributeSavedResultAlias): Added.
        Store the saved result alias on the `InjectedScriptHost` since it is a shared object among
        all `InjectedScript`.

        * inspector/InjectedScriptSource.js:
        (BasicCommandLineAPI):

2019-08-05  Devin Rousso  <drousso@apple.com>

        Web Inspector: Timelines: disable related agents when the tab is closed
        https://bugs.webkit.org/show_bug.cgi?id=200118

        Reviewed by Joseph Pecoraro.

        Rework how `enable`/`disable` is used for timeline-related agents so that events are not sent
        and data isn't kept alive when the Timelines tab isn't enabled.

        * inspector/protocol/Timeline.json:
        Add `enable`/`disable` commands.

        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorHeapAgent::enable):
        (Inspector::InspectorHeapAgent::disable):

2019-08-05  Devin Rousso  <drousso@apple.com>

        Web Inspector: rename "Stylesheet" to "Style Sheet" to match spec text
        https://bugs.webkit.org/show_bug.cgi?id=200422

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Page.json:

2019-08-05  Michael Saboff  <msaboff@apple.com>

        JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
        https://bugs.webkit.org/show_bug.cgi?id=199997

        Reviewed by Saam Barati.

        No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray()
        and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a
        CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array
        and not for SpecEmpty.  If we added a check for the SpecEmpty in the ASSERT, there are cases where
        it won't be set.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):

2019-08-03  Devin Rousso  <drousso@apple.com>

        Web Inspector: DOM: add a special breakpoint for "All Events"
        https://bugs.webkit.org/show_bug.cgi?id=200285

        Reviewed by Joseph Pecoraro.

        Similar to the existing "All Requests" breakpoint, there should be a way to set a breakpoint
        that would pause for any DOM event, regardless of the event's name. This is useful for
        situations where the event name isn't known, or where one simply wants to pause on the next
        entry to the event loop.

        Along these lines, make the "requestAnimationFrame", "setTimeout", and "setInterval"
        event breakpoints into special breakpoints that can be added/removed via the create
        breakpoint context menu. This simplifies the process for setting these breakpoints, and also
        makes them more discoverable (most people wouldn't consider them to be "events").

        * inspector/protocol/Debugger.json:
         - Rename the `EventListener` pause reason to `Listener`.
         - Split the `Timer` pause reason into `Interval` and `Timeout`.

        * inspector/protocol/DOMDebugger.json:
         - Split the `timer` type into `interval` and `timeout`.
         - Make `eventName` optional for `addEventBreakpoint`/`removeEventBreakpoint`. When omitted,
           the corresponding breakpoint that is added/removed is treated as a global breakpoint that
           applies to all events of that type (e.g. a global `listener` breakpoint would pause for
           any event that is fired).

2019-08-02  Keith Miller  <keith_miller@apple.com>

        Address comments on r248178
        https://bugs.webkit.org/show_bug.cgi?id=200411

        Reviewed by Saam Barati.

        * b3/B3Opcode.h:
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::tuples const):
        * b3/B3Validate.cpp:
        * b3/testb3_1.cpp:
        (main):

2019-08-02  Mark Lam  <mark.lam@apple.com>

        [ARM64E] Harden the diversity of the DOMJIT::Signature::unsafeFunction pointer.
        https://bugs.webkit.org/show_bug.cgi?id=200292
        <rdar://problem/53706881>

        Reviewed by Geoffrey Garen.

        Previously, DOMJIT::Signature::functionWithoutTypeCheck was signed as a C function
        pointer.  We can do better by signing it like a vtbl function pointer.

        No new tests needed.  The DOMJIT mechanism is covered by existing tests.

        I also manually confirmed that DOMJIT::Signature::functionWithoutTypeCheck is signed
        exactly as expected by reading its bits out of memory (not letting Clang have a
        chance to resign it into a C function pointer) and comparing it against manually
        signed bits with the expected diversifier.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::CFunctionPtr::CFunctionPtr):
        (JSC::CFunctionPtr::get const):
        (JSC::CFunctionPtr::address const):
        (JSC::CFunctionPtr::operator bool const):
        (JSC::CFunctionPtr::operator! const):
        (JSC::CFunctionPtr::operator== const):
        (JSC::CFunctionPtr::operator!= const):

        - Introduce a CFunctionPtr abstraction that is used to hold pointers to C functions.
          It can instantiated in 4 ways:

          1. The default constructor.
          2. A constructor that takes a nullptr_t.

             These 2 forms will instantiate a CFunctionPtr with a nullptr.

          3. A constructor that takes the name of a function.
          4. A constructor that takes a function pointer.

              Form 3 already knows that we're initializing with a real function, and
              that Clang will give it to use signed as a C function pointer.  So, it
              doesn't do any assertions.  This form is useful for initializing CFunctionPtrs
              embedded in const data structures.

              Form 4 is an explicit constructor that takes an arbitrary function
              pointer, but does not know if that pointer is already signed as a C function
              pointer.  Hence, this form will do a RELEASE_ASSERT that the given function
              pointer is actually signed as a C function pointer.

          Once instantiated, we are guaranteed that a C function pointer is either null
          or contains a signed C function pointer.

        * domjit/DOMJITSignature.h:
        (JSC::DOMJIT::Signature::Signature):
        - Sign functionWithoutTypeCheck as WTF_VTBL_FUNCPTR_PTRAUTH(DOMJITFunctionPtrTag).

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        - Use the new CFunctionPtr to document that the retrieved signature->functionWithoutTypeCheck
          is signed as a C function pointer.

        * runtime/ClassInfo.h:
        - Update MethodTable to sign its function pointers using the new WTF_VTBL_FUNCPTR_PTRAUTH_STR
          to be consistent.  No longer need to roll its own PTRAUTH macro.

        * runtime/JSCPtrTag.h:
        - Add DOMJITFunctionPtrTag.

        * tools/JSDollarVM.cpp:
        - Update to work with the new DOMJIT::Signature constructor.

2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Support WebAssembly in SamplingProfiler
        https://bugs.webkit.org/show_bug.cgi?id=200329

        Reviewed by Saam Barati.

        The sampling profiler support is critical to investigate what is actually time-consuming. This patch adds the sampling profiler support for Wasm functions
        to list up hot Wasm functions with compilation mode (BBQ or OMG). This allows us to investigate the hot functions in JetStream2 wasm tests.

        In order to retrieve wasm function information from the sampling profiler safely, we need to know whether the given Wasm CalleeBits is valid in the call frame.
        To achieve this, we start collecting valid Wasm::Callee pointers in a global hash set. Previously, each Wasm::Callee registered its code region to a hash set
        for wasm fault signal handler to know whether the faulted program-counter is in wasm region. We reuse and change this mechanism. Instead of registering code region,
        we register Wasm::Callee* to a hash set. The sampling profiler reuses this hash set to determine whether the given bits is a valid Wasm::Callee.

        The sampling profiler retrieves the information safely from valid Wasm::Callee* pointer. It is possible that this Wasm::Callee is about to be dead: ref-count is 0,
        now in the middle of the destructor of Wasm::Callee. Even in that case, fields of Wasm::Callee are still valid and can be accessed since destroying these fields happens
        after we unregister Wasm::Callee from the global hash set.

        We retrieve Wasm::IndexOrName and Wasm::CompilationMode. Copying them does not involve any allocations, locking etc. So we can safely copy them while some of threads are suspended.

        This patch also fixes the issue that we never called `unregisterCode` while every Wasm::Calllee registers its code region through `registerCode`.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::FrameWalker):
        (JSC::FrameWalker::recordJSFrame):
        (JSC::CFrameWalker::CFrameWalker):
        (JSC::SamplingProfiler::takeSample):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::StackFrame::displayName):
        (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
        (JSC::SamplingProfiler::StackFrame::functionStartLine):
        (JSC::SamplingProfiler::StackFrame::functionStartColumn):
        (JSC::SamplingProfiler::StackFrame::sourceID):
        (JSC::SamplingProfiler::StackFrame::url):
        (JSC::SamplingProfiler::reportTopBytecodes):
        (WTF::printInternal):
        * runtime/SamplingProfiler.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionIsWasmSupported):
        (JSC::JSDollarVM::finishCreation):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBBQPlanInlines.h:
        (JSC::Wasm::BBQPlan::initializeCallees):
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        (JSC::Wasm::Callee::~Callee):
        * wasm/WasmCallee.h:
        (JSC::Wasm::Callee::create): Deleted.
        (JSC::Wasm::Callee::entrypoint const): Deleted.
        (JSC::Wasm::Callee::calleeSaveRegisters): Deleted.
        (JSC::Wasm::Callee::indexOrName const): Deleted.
        * wasm/WasmCalleeRegistry.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
        (JSC::Wasm::CalleeRegistry::initialize):
        (JSC::Wasm::CalleeRegistry::singleton):
        * wasm/WasmCalleeRegistry.h: Copied from Source/JavaScriptCore/wasm/WasmCallee.cpp.
        (JSC::Wasm::CalleeRegistry::getLock):
        (JSC::Wasm::CalleeRegistry::registerCallee):
        (JSC::Wasm::CalleeRegistry::unregisterCallee):
        (JSC::Wasm::CalleeRegistry::isValidCallee):
        * wasm/WasmCompilationMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
        (JSC::Wasm::makeString):
        * wasm/WasmCompilationMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        (JSC::Wasm::enableFastMemory):
        (JSC::Wasm::registerCode): Deleted.
        (JSC::Wasm::unregisterCode): Deleted.
        * wasm/WasmFaultSignalHandler.h:
        * wasm/WasmIndexOrName.h:
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):

2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] LazyJSValue should be robust for empty JSValue
        https://bugs.webkit.org/show_bug.cgi?id=200388

        Reviewed by Saam Barati.

        If the Switch DFG node is preceded by ForceOSRExit or something that invalidates the basic block,
        it can take a FrozenValue as a child which includes empty value instead of string, number etc.
        If this Switch node is kept and we reached to DFGCFGSimplificationPhase, it will use this FrozenValue.
        However, LazyJSValue using this FrozenValue strongly assumes that FrozenValue is never holding empty value.
        But this assumption is wrong. This patch makes LazyJSValue robust for empty value.

        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::tryGetStringImpl const):
        (JSC::DFG::LazyJSValue::tryGetString const):
        (JSC::DFG::LazyJSValue::strictEqual const):
        (JSC::DFG::LazyJSValue::switchLookupValue const):

2019-08-02  Devin Rousso  <drousso@apple.com>

        Web Inspector: Storage: disable related agents when the tab is closed
        https://bugs.webkit.org/show_bug.cgi?id=200117

        Reviewed by Joseph Pecoraro.

        Rework how `enable`/`disable` is used for storage-related agents so that events are not sent
        and data isn't kept alive when the Storage tab isn't enabled.

        * inspector/protocol/ApplicationCache.json:
        Add `disable` command.

2019-08-01  Keith Miller  <keith_miller@apple.com>

        B3 should support tuple types
        https://bugs.webkit.org/show_bug.cgi?id=200327

        Reviewed by Filip Pizlo.

        As part of the Wasm multi-value proposal, we need to teach B3 that
        patchpoints can return more than one value.  This is done by
        adding a new B3::Type called Tuple. Unlike, other B3 types Tuple
        is actually an encoded index into a numeric B3::Type vector on the
        procedure. This lets us distinguish any two tuples from each
        other, moreover, it's possible to get the vector of types with
        just the B3::Tuple type and the procedure.

        Since most B3 operations only expect to see a single numeric child
        there is a new Opcode, Extract, that takes yields the some, fixed,
        entry from a tuple value. Extract would be the only other change
        needed to make tuples work in B3 except that some optimizations
        expect to be able to take any non-Void value and stick it into a
        Variable of the same type. This means both Get/Set from a variable
        have to support Tuples as well. For simplicity and consistency,
        the ability to accept tuples is also applied to Phi and Upsilon.

        In order to lower a Tuple, B3Lowering needs to have a Tmp for each
        nested type in a Tuple. While we could reuse the existing
        IndexedTables to hold the extra information we need to lower
        Tuples, we instead use a two new HashTables for Value->Tmp(s) and
        Phi->Tmp(s). It's expected that Tuples will be sufficiently
        uncommon the overhead of tracking everything together would be
        prohibitive. On the other hand, we don't worry about this for
        Variables because we don't expect those to make it to lowering.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3Bank.h:
        (JSC::B3::bankForType):
        * b3/B3CheckValue.cpp:
        (JSC::B3::CheckValue::CheckValue):
        * b3/B3ExtractValue.cpp: Copied from Source/JavaScriptCore/b3/B3ProcedureInlines.h.
        (JSC::B3::ExtractValue::~ExtractValue):
        (JSC::B3::ExtractValue::dumpMeta const):
        * b3/B3ExtractValue.h: Copied from Source/JavaScriptCore/b3/B3FixSSA.h.
        * b3/B3FixSSA.h:
        * b3/B3LowerMacros.cpp:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3LowerToAir.cpp:
        * b3/B3NativeTraits.h:
        * b3/B3Opcode.cpp:
        (JSC::B3::invertedCompare):
        (WTF::printInternal):
        * b3/B3Opcode.h:
        (JSC::B3::opcodeForConstant):
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::forEachArg):
        (JSC::B3::PatchpointSpecial::isValid):
        (JSC::B3::PatchpointSpecial::admitsStack):
        (JSC::B3::PatchpointSpecial::generate):
        * b3/B3PatchpointValue.cpp:
        (JSC::B3::PatchpointValue::dumpMeta const):
        (JSC::B3::PatchpointValue::PatchpointValue):
        * b3/B3PatchpointValue.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::addTuple):
        (JSC::B3::Procedure::isValidTuple const):
        (JSC::B3::Procedure::tupleForType const):
        (JSC::B3::Procedure::addIntConstant):
        (JSC::B3::Procedure::addConstant):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::returnCount const):
        * b3/B3ProcedureInlines.h:
        (JSC::B3::Procedure::extractFromTuple const):
        * b3/B3ReduceStrength.cpp:
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::isValidImpl):
        (JSC::B3::StackmapSpecial::isArgValidForType):
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        (JSC::B3::StackmapSpecial::isArgValidForValue): Deleted.
        * b3/B3StackmapSpecial.h:
        * b3/B3StackmapValue.h:
        * b3/B3Type.cpp:
        (WTF::printInternal):
        * b3/B3Type.h:
        (JSC::B3::Type::Type):
        (JSC::B3::Type::tupleFromIndex):
        (JSC::B3::Type::kind const):
        (JSC::B3::Type::tupleIndex const):
        (JSC::B3::Type::hash const):
        (JSC::B3::Type::operator== const):
        (JSC::B3::Type::operator!= const):
        (JSC::B3::Type::isInt const):
        (JSC::B3::Type::isFloat const):
        (JSC::B3::Type::isNumeric const):
        (JSC::B3::Type::isTuple const):
        (JSC::B3::sizeofType):
        (JSC::B3::isInt): Deleted.
        (JSC::B3::isFloat): Deleted.
        * b3/B3TypeMap.h:
        (JSC::B3::TypeMap::at):
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::isRounded const):
        (JSC::B3::Value::effects const):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/B3ValueInlines.h:
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::intConstant):
        * b3/B3ValueKey.h:
        (JSC::B3::ValueKey::hash const):
        * b3/B3ValueRep.h:
        * b3/B3Width.h:
        (JSC::B3::widthForType):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::canRepresent const):
        * b3/air/AirArg.h:
        * b3/air/AirCCallingConvention.cpp:
        (JSC::B3::Air::cCallResult):
        * b3/air/AirLowerMacros.cpp:
        (JSC::B3::Air::lowerMacros):
        * b3/testb3.h:
        (populateWithInterestingValues):
        * b3/testb3_1.cpp:
        (run):
        * b3/testb3_3.cpp:
        (testStorePartial8BitRegisterOnX86):
        * b3/testb3_5.cpp:
        (testPatchpointWithRegisterResult):
        (testPatchpointWithStackArgumentResult):
        (testPatchpointWithAnyResult):
        * b3/testb3_6.cpp:
        (testPatchpointDoubleRegs):
        (testSomeEarlyRegister):
        * b3/testb3_7.cpp:
        (testShuffleDoesntTrashCalleeSaves):
        (testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead):
        (testSimpleTuplePair):
        (testSimpleTuplePairUnused):
        (testSimpleTuplePairStack):
        (tailDupedTuplePair):
        (tuplePairVariableLoop):
        (tupleNestedLoop):
        (addTupleTests):
        * b3/testb3_8.cpp:
        (testLoad):
        (addLoadTests):
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::emitPatchpoint):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::marshallArgument const):
        (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
        (JSC::Wasm::CallingConvention::setupCall const):
        (JSC::Wasm::CallingConventionAir::setupCall const):

2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use "destroy" function directly for JSWebAssemblyCodeBlock and WebAssemblyFunction
        https://bugs.webkit.org/show_bug.cgi?id=200385

        Reviewed by Mark Lam.

        These CellTypes are not using classInfo stored in the cells, so we can just call JSWebAssemblyCodeBlock::destroy
        and WebAssemblyFunction::destroy directly.

        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
        (JSC::JSWebAssemblyCodeBlockDestroyFunc::operator() const):
        * wasm/js/WebAssemblyFunctionHeapCellType.cpp:
        (JSC::WebAssemblyFunctionDestroyFunc::operator() const):

2019-08-02  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix.
        https://bugs.webkit.org/show_bug.cgi?id=200149
        <rdar://problem/53570112>

        Not reviewed.

        * assembler/CPU.cpp:
        (JSC::hwPhysicalCPUMax):

2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>

        GetterSetter type confusion during DFG compilation
        https://bugs.webkit.org/show_bug.cgi?id=199903

        Reviewed by Mark Lam.

        In AI, we are strongly assuming that GetGetter's child constant value should be GetterSetter if it exists.
        However, this can be wrong since nobody ensures that. AI assumed so because the control-flow and preceding
        CheckStructure ensures that. But this preceding check can be eliminated if the node becomes (at runtime) unreachable.

        Let's consider the following graph.

            129:<!0:->     PutByOffset(KnownCell:@115, KnownCell:@115, Check:Untyped:@124, MustGen, id5{length}, 0, W:NamedProperties(5), ClobbersExit, bc#154, ExitValid)
            130:<!0:->     PutStructure(KnownCell:@115, MustGen, %C8:Object -> %C3:Object, ID:7726, R:JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType, ClobbersExit, bc#154, ExitInvalid)
            ...
            158:<!0:->     GetLocal(Check:Untyped:@197, JS|MustGen|UseAsOther, Final, loc7(R<Final>/FlushedCell), R:Stack(-8), bc#187, ExitValid)  predicting Final
            210:< 1:->     DoubleRep(Check:NotCell:@158, Double|PureInt, BytecodeDouble, Exits, bc#187, ExitValid)
            ...
            162:<!0:->     CheckStructure(Cell:@158, MustGen, [%Ad:Object], R:JSCell_structureID, Exits, bc#192, ExitValid)
            163:< 1:->     GetGetterSetterByOffset(KnownCell:@158, KnownCell:@158, JS|UseAsOther, OtherCell, id5{length}, 0, R:NamedProperties(5), Exits, bc#192, ExitValid)
            164:< 1:->     GetGetter(KnownCell:@163, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid)

        At @163 and @164, AI proves that @158's AbstractValue is None because @210's edge filters out Cells @158 is a cell. But we do not invalidate graph status as "Invalid" even if edge filters out all possible value.
        This is because the result of edge can be None in a valid program. For example, we can put a dependency edge between a consuming node and a producing node, where the producing node is just like a check and it
        does not produce a value actually. So, @163 and @164 are not invalidated. This is totally fine in our compiler pipeline right now.

        But after that, global CSE phase found that @115 and @158 are same and @129 dominates @158. As a result, we can replace GetGetter child's @163 with @124. Since CheckStructure is already removed (and now, at runtime,
        @163 and @164 are never executed), we do not have any structure guarantee on @158 and the result of @163. This means that @163's CSE result can be non-GetterSetter value.

            124:< 2:->     JSConstant(JS|UseAsOther, Final, Weak:Object: 0x1199e82a0 with butterfly 0x0 (Structure %B4:Object), StructureID: 49116, bc#0, ExitValid)
            ...
            126:< 2:->     GetGetter(KnownCell:Kill:@124, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid)

        AI filters out @124's non-cell values. But @126 can get non-GetterSetter cell at AI phase. But our AI code is like the following.


            JSValue base = forNode(node->child1()).m_value;
            if (base) {
                GetterSetter* getterSetter = jsCast<GetterSetter*>(base);
                ...

        Then, jsCast casts the above object with GetterSetter accidentally.

        In general, DFG AI can get a proven constant value, which could not be shown at runtime. This happens if the processing node is unreachable at runtime while the graph is not invalid yet, because preceding edge
        filters already filter out all the possible execution. DFG AI already considered about this possibility, and it attempts to fold a node into a constant only when the constant input matches against the expected one.
        But several DFG nodes are not handling this correctly: GetGetter, GetSetter, and SkipScope.

        In this patch, we use `jsDynamicCast` to ensure that the constant input matches against the expected (foldable) one, and fold it only when the expectation is met.
        We also remove DFG::Node::castConstant and its use. We should not rely on the constant folded value based on graph's control-flow.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::castConstant): Deleted.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):

2019-08-01  Mark Lam  <mark.lam@apple.com>

        Add crash diagnostics for debugging unexpected zapped cells.
        https://bugs.webkit.org/show_bug.cgi?id=200149
        <rdar://problem/53570112>

        Reviewed by Yusuke Suzuki.

        Add a check for zapped cells in SlotVisitor::appendToMarkStack() and
        SlotVisitor::visitChildren().  If a zapped cell is detected, we will crash with
        some diagnostic info.

        To facilitate this, we've made the following changes:
        1. Changed FreeCell to preserve the 1st 8 bytes.  This is fine to do because all
           cells are at least 16 bytes long.
        2. Changed HeapCell::zap() to only zap the structureID.  Leave the rest of the
           cell header info intact (including the cell JSType).
        3. Changed HeapCell::zap() to record the reason for zapping the cell.  We stash
           the reason immediately after the first 8 bytes.  This is the same location as
           FreeCell::scrambledNext.  However, since a cell is not expected to be zapped
           and on the free list at the same time, it is also fine to do this.
        4. Added a few utility functions to MarkedBlock for checking if a cell points
           into the block.
        5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes.
        6. Added some comments to document the hashes of known subspaces.
        7. Added Options::dumpZappedCellCrashData() to make this check conditional.
           We use this option to disable this check for slower machines so that their
           PLT5 performance is not impacted.

        * assembler/CPU.cpp:
        (JSC::hwL3CacheSize):
        (JSC::hwPhysicalCPUMax):
        * assembler/CPU.h:
        (JSC::hwL3CacheSize):
        (JSC::hwPhysicalCPUMax):
        * heap/FreeList.h:
        (JSC::FreeCell::offsetOfScrambledNext):
        * heap/HeapCell.h:
        (JSC::HeapCell::zap):
        (JSC::HeapCell::isZapped const):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::stopAllocating):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::start const):
        (JSC::MarkedBlock::Handle::end const):
        (JSC::MarkedBlock::Handle::contains const):
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::forEachSubspace):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::reportZappedCellAndCrash):
        * heap/SlotVisitor.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * tools/JSDollarVM.cpp:
        (JSC::functionDumpSubspaceHashes):
        (JSC::JSDollarVM::finishCreation):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpSubspaceHashes):
        * tools/VMInspector.h:

2019-08-01  Keith Miller  <keith_miller@apple.com>

        Fix bug in testMulImm32SignExtend
        https://bugs.webkit.org/show_bug.cgi?id=200358

        Reviewed by Mark Lam.

        Also, have it run in more configurations.

        * b3/testb3_2.cpp:
        (testMulImm32SignExtend):
        * b3/testb3_3.cpp:
        (addArgTests):

2019-07-31  Mark Lam  <mark.lam@apple.com>

        Rename DOMJIT safe/unsafeFunction to functionWithTypeChecks and functionWithoutTypeChecks.
        https://bugs.webkit.org/show_bug.cgi?id=200323

        Reviewed by Yusuke Suzuki.

        The DOMJIT has a notion of a safeFunction and an unsafeFunction.  The safeFunction
        is effectively the same as the unsafeFunction with added type check.  The DFG/FTL
        will emit code to call the unsafeFunction if it has already emitted the needed
        type check or proven that it isn't needed.  Otherwise, the DFG/FTL will emit
        code to call the safeFunction (which does its own type check) instead.

        This patch renames these functions to better describe their difference.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        * domjit/DOMJITSignature.h:
        (JSC::DOMJIT::Signature::Signature):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        * tools/JSDollarVM.cpp:
        (JSC::DOMJITFunctionObject::functionWithTypeCheck):
        (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
        (JSC::DOMJITFunctionObject::finishCreation):
        (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
        (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
        (JSC::DOMJITCheckSubClassObject::finishCreation):
        (JSC::DOMJITFunctionObject::safeFunction): Deleted.
        (JSC::DOMJITFunctionObject::unsafeFunction): Deleted.
        (JSC::DOMJITCheckSubClassObject::safeFunction): Deleted.
        (JSC::DOMJITCheckSubClassObject::unsafeFunction): Deleted.

2019-07-31  Alex Christensen  <achristensen@webkit.org>

        Begin organizing b3 tests
        https://bugs.webkit.org/show_bug.cgi?id=200330

        Reviewed by Keith Miller.

        * b3/testb3.h:
        * b3/testb3_1.cpp:
        (run):
        (zero): Deleted.
        (negativeZero): Deleted.
        * b3/testb3_2.cpp:
        (testBitXorTreeArgs):
        (testBitXorTreeArgsEven):
        (testBitXorTreeArgImm):
        (testBitAndTreeArg32):
        (testBitOrTreeArg32):
        (testBitAndArgs):
        (testBitAndSameArg):
        (testBitAndNotNot):
        (testBitAndNotImm):
        (testBitAndImms):
        (testBitAndArgImm):
        (testBitAndImmArg):
        (testBitAndBitAndArgImmImm):
        (testBitAndImmBitAndArgImm):
        (testBitAndArgs32):
        (testBitAndSameArg32):
        (testBitAndImms32):
        (testBitAndArgImm32):
        (testBitAndImmArg32):
        (testBitAndBitAndArgImmImm32):
        (testBitAndImmBitAndArgImm32):
        (testBitAndWithMaskReturnsBooleans):
        (testBitAndArgDouble):
        (testBitAndArgsDouble):
        (testBitAndArgImmDouble):
        (testBitAndImmsDouble):
        (testBitAndArgFloat):
        (testBitAndArgsFloat):
        (testBitAndArgImmFloat):
        (testBitAndImmsFloat):
        (testBitAndArgsFloatWithUselessDoubleConversion):
        (testBitOrArgs):
        (testBitOrSameArg):
        (testBitOrAndAndArgs):
        (testBitOrAndSameArgs):
        (testBitOrNotNot):
        (testBitOrNotImm):
        (testBitOrImms):
        (testBitOrArgImm):
        (testBitOrImmArg):
        (testBitOrBitOrArgImmImm):
        (testBitOrImmBitOrArgImm):
        (testBitOrArgs32):
        (testBitOrSameArg32):
        (testBitOrImms32):
        (testBitOrArgImm32):
        (testBitOrImmArg32):
        (addBitTests):
        * b3/testb3_3.cpp:
        (testSShrArgs):
        (testSShrImms):
        (testSShrArgImm):
        (testSShrArg32):
        (testSShrArgs32):
        (testSShrImms32):
        (testSShrArgImm32):
        (testZShrArgs):
        (testZShrImms):
        (testZShrArgImm):
        (testZShrArg32):
        (testZShrArgs32):
        (testZShrImms32):
        (testZShrArgImm32):
        (zero):
        (negativeZero):
        (addArgTests):
        (addCallTests):
        (addShrTests):
        * b3/testb3_4.cpp:
        (addSExtTests):
        * b3/testb3_6.cpp:
        (testSShrShl32):
        (testSShrShl64):
        (addSShrShTests):

2019-07-31  Devin Rousso  <drousso@apple.com>

        Web Inspector: Debugger: support emulateUserGesture parameter in Debugger.evaluateOnCallFrame
        https://bugs.webkit.org/show_bug.cgi?id=200272

        Reviewed by Joseph Pecoraro.

        When paused, evaluating in the console should still respect the "Emulate User Gesture" checkbox.

        * inspector/protocol/Debugger.json:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):

2019-07-31  Alex Christensen  <achristensen@webkit.org>

        Split testb3 into multiple files
        https://bugs.webkit.org/show_bug.cgi?id=200326

        Reviewed by Keith Miller.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/testb3.cpp: Removed.
        * b3/testb3.h: Added.
        (hiddenTruthBecauseNoReturnIsStupid):
        (usage):
        (shouldBeVerbose):
        (compileProc):
        (invoke):
        (compileAndRun):
        (lowerToAirForTesting):
        (checkDisassembly):
        (checkUsesInstruction):
        (checkDoesNotUseInstruction):
        (populateWithInterestingValues):
        (floatingPointOperands):
        (int64Operands):
        (int32Operands):
        (add32):
        (modelLoad):
        (float>):
        (double>):
        * b3/testb3_1.cpp: Added.
        (zero):
        (negativeZero):
        (shouldRun):
        (testRotR):
        (testRotL):
        (testRotRWithImmShift):
        (testRotLWithImmShift):
        (testComputeDivisionMagic):
        (run):
        (main):
        (dllLauncherEntryPoint):
        * b3/testb3_2.cpp: Added.
        (test42):
        (testLoad42):
        (testLoadAcq42):
        (testLoadWithOffsetImpl):
        (testLoadOffsetImm9Max):
        (testLoadOffsetImm9MaxPlusOne):
        (testLoadOffsetImm9MaxPlusTwo):
        (testLoadOffsetImm9Min):
        (testLoadOffsetImm9MinMinusOne):
        (testLoadOffsetScaledUnsignedImm12Max):
        (testLoadOffsetScaledUnsignedOverImm12Max):
        (testBitXorTreeArgs):
        (testBitXorTreeArgsEven):
        (testBitXorTreeArgImm):
        (testAddTreeArg32):
        (testMulTreeArg32):
        (testBitAndTreeArg32):
        (testBitOrTreeArg32):
        (testArg):
        (testReturnConst64):
        (testReturnVoid):
        (testAddArg):
        (testAddArgs):
        (testAddArgImm):
        (testAddImmArg):
        (testAddArgMem):
        (testAddMemArg):
        (testAddImmMem):
        (testAddArg32):
        (testAddArgs32):
        (testAddArgMem32):
        (testAddMemArg32):
        (testAddImmMem32):
        (testAddNeg1):
        (testAddNeg2):
        (testAddArgZeroImmZDef):
        (testAddLoadTwice):
        (testAddArgDouble):
        (testAddArgsDouble):
        (testAddArgImmDouble):
        (testAddImmArgDouble):
        (testAddImmsDouble):
        (testAddArgFloat):
        (testAddArgsFloat):
        (testAddFPRArgsFloat):
        (testAddArgImmFloat):
        (testAddImmArgFloat):
        (testAddImmsFloat):
        (testAddArgFloatWithUselessDoubleConversion):
        (testAddArgsFloatWithUselessDoubleConversion):
        (testAddArgsFloatWithEffectfulDoubleConversion):
        (testAddMulMulArgs):
        (testMulArg):
        (testMulArgStore):
        (testMulAddArg):
        (testMulArgs):
        (testMulArgNegArg):
        (testMulNegArgArg):
        (testMulArgImm):
        (testMulImmArg):
        (testMulArgs32):
        (testMulArgs32SignExtend):
        (testMulImm32SignExtend):
        (testMulLoadTwice):
        (testMulAddArgsLeft):
        (testMulAddArgsRight):
        (testMulAddArgsLeft32):
        (testMulAddArgsRight32):
        (testMulSubArgsLeft):
        (testMulSubArgsRight):
        (testMulSubArgsLeft32):
        (testMulSubArgsRight32):
        (testMulNegArgs):
        (testMulNegArgs32):
        (testMulArgDouble):
        (testMulArgsDouble):
        (testMulArgImmDouble):
        (testMulImmArgDouble):
        (testMulImmsDouble):
        (testMulArgFloat):
        (testMulArgsFloat):
        (testMulArgImmFloat):
        (testMulImmArgFloat):
        (testMulImmsFloat):
        (testMulArgFloatWithUselessDoubleConversion):
        (testMulArgsFloatWithUselessDoubleConversion):
        (testMulArgsFloatWithEffectfulDoubleConversion):
        (testDivArgDouble):
        (testDivArgsDouble):
        (testDivArgImmDouble):
        (testDivImmArgDouble):
        (testDivImmsDouble):
        (testDivArgFloat):
        (testDivArgsFloat):
        (testDivArgImmFloat):
        (testDivImmArgFloat):
        (testDivImmsFloat):
        (testModArgDouble):
        (testModArgsDouble):
        (testModArgImmDouble):
        (testModImmArgDouble):
        (testModImmsDouble):
        (testModArgFloat):
        (testModArgsFloat):
        (testModArgImmFloat):
        (testModImmArgFloat):
        (testModImmsFloat):
        (testDivArgFloatWithUselessDoubleConversion):
        (testDivArgsFloatWithUselessDoubleConversion):
        (testDivArgsFloatWithEffectfulDoubleConversion):
        (testUDivArgsInt32):
        (testUDivArgsInt64):
        (testUModArgsInt32):
        (testUModArgsInt64):
        (testSubArg):
        (testSubArgs):
        (testSubArgImm):
        (testSubNeg):
        (testNegSub):
        (testNegValueSubOne):
        (testSubSub):
        (testSubSub2):
        (testSubAdd):
        (testSubFirstNeg):
        (testSubImmArg):
        (testSubArgMem):
        (testSubMemArg):
        (testSubImmMem):
        (testSubMemImm):
        (testSubArgs32):
        (testSubArgImm32):
        (testSubImmArg32):
        (testSubMemArg32):
        (testSubArgMem32):
        (testSubImmMem32):
        (testSubMemImm32):
        (testNegValueSubOne32):
        (testNegMulArgImm):
        (testSubMulMulArgs):
        (testSubArgDouble):
        (testSubArgsDouble):
        (testSubArgImmDouble):
        (testSubImmArgDouble):
        (testSubImmsDouble):
        (testSubArgFloat):
        (testSubArgsFloat):
        (testSubArgImmFloat):
        (testSubImmArgFloat):
        (testSubImmsFloat):
        (testSubArgFloatWithUselessDoubleConversion):
        (testSubArgsFloatWithUselessDoubleConversion):
        (testSubArgsFloatWithEffectfulDoubleConversion):
        (testTernarySubInstructionSelection):
        (testNegDouble):
        (testNegFloat):
        (testNegFloatWithUselessDoubleConversion):
        (testBitAndArgs):
        (testBitAndSameArg):
        (testBitAndNotNot):
        (testBitAndNotImm):
        (testBitAndImms):
        (testBitAndArgImm):
        (testBitAndImmArg):
        (testBitAndBitAndArgImmImm):
        (testBitAndImmBitAndArgImm):
        (testBitAndArgs32):
        (testBitAndSameArg32):
        (testBitAndImms32):
        (testBitAndArgImm32):
        (testBitAndImmArg32):
        (testBitAndBitAndArgImmImm32):
        (testBitAndImmBitAndArgImm32):
        (testBitAndWithMaskReturnsBooleans):
        (bitAndDouble):
        (testBitAndArgDouble):
        (testBitAndArgsDouble):
        (testBitAndArgImmDouble):
        (testBitAndImmsDouble):
        (bitAndFloat):
        (testBitAndArgFloat):
        (testBitAndArgsFloat):
        (testBitAndArgImmFloat):
        (testBitAndImmsFloat):
        (testBitAndArgsFloatWithUselessDoubleConversion):
        (testBitOrArgs):
        (testBitOrSameArg):
        (testBitOrAndAndArgs):
        (testBitOrAndSameArgs):
        (testBitOrNotNot):
        (testBitOrNotImm):
        (testBitOrImms):
        (testBitOrArgImm):
        (testBitOrImmArg):
        (testBitOrBitOrArgImmImm):
        (testBitOrImmBitOrArgImm):
        (testBitOrArgs32):
        (testBitOrSameArg32):
        (testBitOrImms32):
        (testBitOrArgImm32):
        (testBitOrImmArg32):
        * b3/testb3_3.cpp: Added.
        (testBitOrBitOrArgImmImm32):
        (testBitOrImmBitOrArgImm32):
        (bitOrDouble):
        (testBitOrArgDouble):
        (testBitOrArgsDouble):
        (testBitOrArgImmDouble):
        (testBitOrImmsDouble):
        (bitOrFloat):
        (testBitOrArgFloat):
        (testBitOrArgsFloat):
        (testBitOrArgImmFloat):
        (testBitOrImmsFloat):
        (testBitOrArgsFloatWithUselessDoubleConversion):
        (testBitXorArgs):
        (testBitXorSameArg):
        (testBitXorAndAndArgs):
        (testBitXorAndSameArgs):
        (testBitXorImms):
        (testBitXorArgImm):
        (testBitXorImmArg):
        (testBitXorBitXorArgImmImm):
        (testBitXorImmBitXorArgImm):
        (testBitXorArgs32):
        (testBitXorSameArg32):
        (testBitXorImms32):
        (testBitXorArgImm32):
        (testBitXorImmArg32):
        (testBitXorBitXorArgImmImm32):
        (testBitXorImmBitXorArgImm32):
        (testBitNotArg):
        (testBitNotImm):
        (testBitNotMem):
        (testBitNotArg32):
        (testBitNotImm32):
        (testBitNotMem32):
        (testNotOnBooleanAndBranch32):
        (testBitNotOnBooleanAndBranch32):
        (testShlArgs):
        (testShlImms):
        (testShlArgImm):
        (testShlSShrArgImm):
        (testShlArg32):
        (testShlArgs32):
        (testShlImms32):
        (testShlArgImm32):
        (testShlZShrArgImm32):
        (testSShrArgs):
        (testSShrImms):
        (testSShrArgImm):
        (testSShrArg32):
        (testSShrArgs32):
        (testSShrImms32):
        (testSShrArgImm32):
        (testZShrArgs):
        (testZShrImms):
        (testZShrArgImm):
        (testZShrArg32):
        (testZShrArgs32):
        (testZShrImms32):
        (testZShrArgImm32):
        (countLeadingZero):
        (testClzArg64):
        (testClzMem64):
        (testClzArg32):
        (testClzMem32):
        (testAbsArg):
        (testAbsImm):
        (testAbsMem):
        (testAbsAbsArg):
        (testAbsNegArg):
        (testAbsBitwiseCastArg):
        (testBitwiseCastAbsBitwiseCastArg):
        (testAbsArgWithUselessDoubleConversion):
        (testAbsArgWithEffectfulDoubleConversion):
        (testCeilArg):
        (testCeilImm):
        (testCeilMem):
        (testCeilCeilArg):
        (testFloorCeilArg):
        (testCeilIToD64):
        (testCeilIToD32):
        (testCeilArgWithUselessDoubleConversion):
        (testCeilArgWithEffectfulDoubleConversion):
        (testFloorArg):
        (testFloorImm):
        (testFloorMem):
        (testFloorFloorArg):
        (testCeilFloorArg):
        (testFloorIToD64):
        (testFloorIToD32):
        (testFloorArgWithUselessDoubleConversion):
        (testFloorArgWithEffectfulDoubleConversion):
        (correctSqrt):
        (testSqrtArg):
        (testSqrtImm):
        (testSqrtMem):
        (testSqrtArgWithUselessDoubleConversion):
        (testSqrtArgWithEffectfulDoubleConversion):
        (testCompareTwoFloatToDouble):
        (testCompareOneFloatToDouble):
        (testCompareFloatToDoubleThroughPhi):
        (testDoubleToFloatThroughPhi):
        (testReduceFloatToDoubleValidates):
        (testDoubleProducerPhiToFloatConversion):
        (testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
        (testDoubleProducerPhiWithNonFloatConst):
        (testDoubleArgToInt64BitwiseCast):
        (testDoubleImmToInt64BitwiseCast):
        (testTwoBitwiseCastOnDouble):
        (testBitwiseCastOnDoubleInMemory):
        (testBitwiseCastOnDoubleInMemoryIndexed):
        (testInt64BArgToDoubleBitwiseCast):
        (testInt64BImmToDoubleBitwiseCast):
        (testTwoBitwiseCastOnInt64):
        (testBitwiseCastOnInt64InMemory):
        (testBitwiseCastOnInt64InMemoryIndexed):
        (testFloatImmToInt32BitwiseCast):
        (testBitwiseCastOnFloatInMemory):
        (testInt32BArgToFloatBitwiseCast):
        (testInt32BImmToFloatBitwiseCast):
        (testTwoBitwiseCastOnInt32):
        (testBitwiseCastOnInt32InMemory):
        (testConvertDoubleToFloatArg):
        (testConvertDoubleToFloatImm):
        (testConvertDoubleToFloatMem):
        (testConvertFloatToDoubleArg):
        (testConvertFloatToDoubleImm):
        (testConvertFloatToDoubleMem):
        (testConvertDoubleToFloatToDoubleToFloat):
        (testLoadFloatConvertDoubleConvertFloatStoreFloat):
        (testFroundArg):
        (testFroundMem):
        (testIToD64Arg):
        (testIToF64Arg):
        (testIToD32Arg):
        (testIToF32Arg):
        (testIToD64Mem):
        (testIToF64Mem):
        (testIToD32Mem):
        (testIToF32Mem):
        (testIToD64Imm):
        (testIToF64Imm):
        (testIToD32Imm):
        (testIToF32Imm):
        (testIToDReducedToIToF64Arg):
        (testIToDReducedToIToF32Arg):
        (testStore32):
        (testStoreConstant):
        (testStoreConstantPtr):
        (testStore8Arg):
        (testStore8Imm):
        (testStorePartial8BitRegisterOnX86):
        (testStore16Arg):
        (testStore16Imm):
        (testTrunc):
        (testAdd1):
        (testAdd1Ptr):
        (testNeg32):
        (testNegPtr):
        (testStoreAddLoad32):
        * b3/testb3_4.cpp: Added.
        (testStoreRelAddLoadAcq32):
        (testStoreAddLoadImm32):
        (testStoreAddLoad8):
        (testStoreRelAddLoadAcq8):
        (testStoreRelAddFenceLoadAcq8):
        (testStoreAddLoadImm8):
        (testStoreAddLoad16):
        (testStoreRelAddLoadAcq16):
        (testStoreAddLoadImm16):
        (testStoreAddLoad64):
        (testStoreRelAddLoadAcq64):
        (testStoreAddLoadImm64):
        (testStoreAddLoad32Index):
        (testStoreAddLoadImm32Index):
        (testStoreAddLoad8Index):
        (testStoreAddLoadImm8Index):
        (testStoreAddLoad16Index):
        (testStoreAddLoadImm16Index):
        (testStoreAddLoad64Index):
        (testStoreAddLoadImm64Index):
        (testStoreSubLoad):
        (testStoreAddLoadInterference):
        (testStoreAddAndLoad):
        (testStoreNegLoad32):
        (testStoreNegLoadPtr):
        (testAdd1Uncommuted):
        (testLoadOffset):
        (testLoadOffsetNotConstant):
        (testLoadOffsetUsingAdd):
        (testLoadOffsetUsingAddInterference):
        (testLoadOffsetUsingAddNotConstant):
        (testLoadAddrShift):
        (testFramePointer):
        (testOverrideFramePointer):
        (testStackSlot):
        (testLoadFromFramePointer):
        (testStoreLoadStackSlot):
        (testStoreFloat):
        (testStoreDoubleConstantAsFloat):
        (testSpillGP):
        (testSpillFP):
        (testInt32ToDoublePartialRegisterStall):
        (testInt32ToDoublePartialRegisterWithoutStall):
        (testBranch):
        (testBranchPtr):
        (testDiamond):
        (testBranchNotEqual):
        (testBranchNotEqualCommute):
        (testBranchNotEqualNotEqual):
        (testBranchEqual):
        (testBranchEqualEqual):
        (testBranchEqualCommute):
        (testBranchEqualEqual1):
        (testBranchEqualOrUnorderedArgs):
        (testBranchNotEqualAndOrderedArgs):
        (testBranchEqualOrUnorderedDoubleArgImm):
        (testBranchEqualOrUnorderedFloatArgImm):
        (testBranchEqualOrUnorderedDoubleImms):
        (testBranchEqualOrUnorderedFloatImms):
        (testBranchEqualOrUnorderedFloatWithUselessDoubleConversion):
        (testBranchFold):
        (testDiamondFold):
        (testBranchNotEqualFoldPtr):
        (testBranchEqualFoldPtr):
        (testBranchLoadPtr):
        (testBranchLoad32):
        (testBranchLoad8S):
        (testBranchLoad8Z):
        (testBranchLoad16S):
        (testBranchLoad16Z):
        (testBranch8WithLoad8ZIndex):
        (testComplex):
        (testBranchBitTest32TmpImm):
        (testBranchBitTest32AddrImm):
        (testBranchBitTest32TmpTmp):
        (testBranchBitTest64TmpTmp):
        (testBranchBitTest64AddrTmp):
        (testBranchBitTestNegation):
        (testBranchBitTestNegation2):
        (testSimplePatchpoint):
        (testSimplePatchpointWithoutOuputClobbersGPArgs):
        (testSimplePatchpointWithOuputClobbersGPArgs):
        (testSimplePatchpointWithoutOuputClobbersFPArgs):
        (testSimplePatchpointWithOuputClobbersFPArgs):
        (testPatchpointWithEarlyClobber):
        (testPatchpointCallArg):
        (testPatchpointFixedRegister):
        (testPatchpointAny):
        (testPatchpointGPScratch):
        (testPatchpointFPScratch):
        (testPatchpointLotsOfLateAnys):
        (testPatchpointAnyImm):
        * b3/testb3_5.cpp: Added.
        (testPatchpointManyImms):
        (testPatchpointWithRegisterResult):
        (testPatchpointWithStackArgumentResult):
        (testPatchpointWithAnyResult):
        (testSimpleCheck):
        (testCheckFalse):
        (testCheckTrue):
        (testCheckLessThan):
        (testCheckMegaCombo):
        (testCheckTrickyMegaCombo):
        (testCheckTwoMegaCombos):
        (testCheckTwoNonRedundantMegaCombos):
        (testCheckAddImm):
        (testCheckAddImmCommute):
        (testCheckAddImmSomeRegister):
        (testCheckAdd):
        (testCheckAdd64):
        (testCheckAddFold):
        (testCheckAddFoldFail):
        (testCheckAddArgumentAliasing64):
        (testCheckAddArgumentAliasing32):
        (testCheckAddSelfOverflow64):
        (testCheckAddSelfOverflow32):
        (testCheckSubImm):
        (testCheckSubBadImm):
        (testCheckSub):
        (doubleSub):
        (testCheckSub64):
        (testCheckSubFold):
        (testCheckSubFoldFail):
        (testCheckNeg):
        (testCheckNeg64):
        (testCheckMul):
        (testCheckMulMemory):
        (testCheckMul2):
        (testCheckMul64):
        (testCheckMulFold):
        (testCheckMulFoldFail):
        (testCheckMulArgumentAliasing64):
        (testCheckMulArgumentAliasing32):
        (testCheckMul64SShr):
        (genericTestCompare):
        (modelCompare):
        (testCompareLoad):
        (testCompareImpl):
        (testCompare):
        (testEqualDouble):
        (simpleFunction):
        (testCallSimple):
        (testCallRare):
        (testCallRareLive):
        (testCallSimplePure):
        (functionWithHellaArguments):
        (testCallFunctionWithHellaArguments):
        (functionWithHellaArguments2):
        (testCallFunctionWithHellaArguments2):
        (functionWithHellaArguments3):
        (testCallFunctionWithHellaArguments3):
        (testReturnDouble):
        (testReturnFloat):
        (simpleFunctionDouble):
        (testCallSimpleDouble):
        (simpleFunctionFloat):
        (testCallSimpleFloat):
        (functionWithHellaDoubleArguments):
        (testCallFunctionWithHellaDoubleArguments):
        (functionWithHellaFloatArguments):
        (testCallFunctionWithHellaFloatArguments):
        (testLinearScanWithCalleeOnStack):
        (testChillDiv):
        (testChillDivTwice):
        (testChillDiv64):
        (testModArg):
        (testModArgs):
        (testModImms):
        (testModArg32):
        (testModArgs32):
        (testModImms32):
        (testChillModArg):
        (testChillModArgs):
        (testChillModImms):
        (testChillModArg32):
        (testChillModArgs32):
        (testChillModImms32):
        (testLoopWithMultipleHeaderEdges):
        (testSwitch):
        (testSwitchSameCaseAsDefault):
        (testSwitchChillDiv):
        (testSwitchTargettingSameBlock):
        (testSwitchTargettingSameBlockFoldPathConstant):
        (testTruncFold):
        (testZExt32):
        (testZExt32Fold):
        (testSExt32):
        (testSExt32Fold):
        (testTruncZExt32):
        (testTruncSExt32):
        (testSExt8):
        (testSExt8Fold):
        (testSExt8SExt8):
        (testSExt8SExt16):
        (testSExt8BitAnd):
        (testBitAndSExt8):
        (testSExt16):
        (testSExt16Fold):
        (testSExt16SExt16):
        (testSExt16SExt8):
        (testSExt16BitAnd):
        (testBitAndSExt16):
        (testSExt32BitAnd):
        * b3/testb3_6.cpp: Added.
        (testBitAndSExt32):
        (testBasicSelect):
        (testSelectTest):
        (testSelectCompareDouble):
        (testSelectCompareFloat):
        (testSelectCompareFloatToDouble):
        (testSelectDouble):
        (testSelectDoubleTest):
        (testSelectDoubleCompareDouble):
        (testSelectDoubleCompareFloat):
        (testSelectFloatCompareFloat):
        (testSelectDoubleCompareDoubleWithAliasing):
        (testSelectFloatCompareFloatWithAliasing):
        (testSelectFold):
        (testSelectInvert):
        (testCheckSelect):
        (testCheckSelectCheckSelect):
        (testCheckSelectAndCSE):
        (b3Pow):
        (testPowDoubleByIntegerLoop):
        (testTruncOrHigh):
        (testTruncOrLow):
        (testBitAndOrHigh):
        (testBitAndOrLow):
        (testBranch64Equal):
        (testBranch64EqualImm):
        (testBranch64EqualMem):
        (testBranch64EqualMemImm):
        (testStore8Load8Z):
        (testStore16Load16Z):
        (testSShrShl32):
        (testSShrShl64):
        (testTrivialInfiniteLoop):
        (testFoldPathEqual):
        (testLShiftSelf32):
        (testRShiftSelf32):
        (testURShiftSelf32):
        (testLShiftSelf64):
        (testRShiftSelf64):
        (testURShiftSelf64):
        (testPatchpointDoubleRegs):
        (testSpillDefSmallerThanUse):
        (testSpillUseLargerThanDef):
        (testLateRegister):
        (interpreterPrint):
        (testInterpreter):
        (testReduceStrengthCheckBottomUseInAnotherBlock):
        (testResetReachabilityDanglingReference):
        (testEntrySwitchSimple):
        (testEntrySwitchNoEntrySwitch):
        (testEntrySwitchWithCommonPaths):
        (testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
        (testEntrySwitchLoop):
        (testSomeEarlyRegister):
        (testBranchBitAndImmFusion):
        (testTerminalPatchpointThatNeedsToBeSpilled):
        (testTerminalPatchpointThatNeedsToBeSpilled2):
        (testPatchpointTerminalReturnValue):
        (testMemoryFence):
        (testStoreFence):
        (testLoadFence):
        (testTrappingLoad):
        (testTrappingStore):
        (testTrappingLoadAddStore):
        (testTrappingLoadDCE):
        (testTrappingStoreElimination):
        (testMoveConstants):
        (testPCOriginMapDoesntInsertNops):
        * b3/testb3_7.cpp: Added.
        (testPinRegisters):
        (testX86LeaAddAddShlLeft):
        (testX86LeaAddAddShlRight):
        (testX86LeaAddAdd):
        (testX86LeaAddShlRight):
        (testX86LeaAddShlLeftScale1):
        (testX86LeaAddShlLeftScale2):
        (testX86LeaAddShlLeftScale4):
        (testX86LeaAddShlLeftScale8):
        (testAddShl32):
        (testAddShl64):
        (testAddShl65):
        (testReduceStrengthReassociation):
        (testLoadBaseIndexShift2):
        (testLoadBaseIndexShift32):
        (testOptimizeMaterialization):
        (generateLoop):
        (makeArrayForLoops):
        (generateLoopNotBackwardsDominant):
        (oneFunction):
        (noOpFunction):
        (testLICMPure):
        (testLICMPureSideExits):
        (testLICMPureWritesPinned):
        (testLICMPureWrites):
        (testLICMReadsLocalState):
        (testLICMReadsPinned):
        (testLICMReads):
        (testLICMPureNotBackwardsDominant):
        (testLICMPureFoiledByChild):
        (testLICMPureNotBackwardsDominantFoiledByChild):
        (testLICMExitsSideways):
        (testLICMWritesLocalState):
        (testLICMWrites):
        (testLICMFence):
        (testLICMWritesPinned):
        (testLICMControlDependent):
        (testLICMControlDependentNotBackwardsDominant):
        (testLICMControlDependentSideExits):
        (testLICMReadsPinnedWritesPinned):
        (testLICMReadsWritesDifferentHeaps):
        (testLICMReadsWritesOverlappingHeaps):
        (testLICMDefaultCall):
        (testDepend32):
        (testDepend64):
        (testWasmBoundsCheck):
        (testWasmAddress):
        (testFastTLSLoad):
        (testFastTLSStore):
        (doubleEq):
        (doubleNeq):
        (doubleGt):
        (doubleGte):
        (doubleLt):
        (doubleLte):
        (testDoubleLiteralComparison):
        (testFloatEqualOrUnorderedFolding):
        (testFloatEqualOrUnorderedFoldingNaN):
        (testFloatEqualOrUnorderedDontFold):
        (functionNineArgs):
        (testShuffleDoesntTrashCalleeSaves):
        (testDemotePatchpointTerminal):
        (testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead):
        (testInfiniteLoopDoesntCauseBadHoisting):
        * b3/testb3_8.cpp: Added.
        (testAtomicWeakCAS):
        (testAtomicStrongCAS):
        (testAtomicXchg):
        (addAtomicTests):
        (testLoad):
        (addLoadTests):

2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Emit write barrier after storing instead of before storing
        https://bugs.webkit.org/show_bug.cgi?id=200193

        Reviewed by Saam Barati.

        I reviewed tricky GC-related code including visitChildren and manual writeBarrier, and I found that we have several problems with write-barriers.

        1. Some write-barriers are emitted before stores happen

            Some code like LazyProperty emits write-barrier before we store the value. This is wrong since JSC has concurrent collector. Let's consider the situation like this.

                1. Cell "A" is not marked yet
                2. Write-barrier is emitted onto "A"
                3. Concurrent collector scans "A"
                4. Store to "A"'s field happens
                5. (4)'s field is not rescaned

            We should emit write-barrier after stores. This patch places write-barriers after stores happen.

        2. Should emit write-barrier after the stored fields are reachable from the owner.

            We have code that is logically the same to the following.

                ```
                auto data = std::make_unique<XXX>();
                data->m_field.set(vm, owner, value);

                storeStoreBarrier();
                owner->m_data = WTFMove(data);
                ```

            This is not correct. When write-barrier is emitted, the owner cannot reach to the field that is stored.
            The actual example is AccessCase. We are emitting write-barriers with owner when creating AccessCase, but this is not
            effective until this AccessCase is chained to StructureStubInfo, which is reachable from CodeBlock.

            I don't think this is actually an issue because currently AccessCase generation is guarded by CodeBlock->m_lock. And CodeBlock::visitChildren takes this lock.
            But emitting a write-barrier at the right place is still better. This patch places write-barriers when StructureStubInfo::addAccessCase is called.

        Speculative GC fix, it was hard to reproduce the crash since we need to control concurrent collector and main thread's scheduling in an instruction-level.

        * bytecode/BytecodeList.rb:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setupGetByIdPrototypeCache):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/LazyPropertyInlines.h:
        (JSC::ElementType>::setMayBeNull):
        * runtime/RegExpCachedResult.h:
        (JSC::RegExpCachedResult::record):

2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
        https://bugs.webkit.org/show_bug.cgi?id=200192

        Reviewed by Saam Barati.

        StructureChain has a bit tricky write barrier / mutator fence to use UniqueArray for its underlying storage.
        But, since the size of StructureChain is fixed at initialization, we should allocate an underlying storage from auxiliary memory and
        set it in its constructor instead of finishCreation. We can store values in the finishCreation so that we do not need to have
        a hacky write-barrier and mutator fence. Furthermore, we can make StructureChain non-destructible.

        This patch leverages auxiliary buffer for the implementation of StructureChain. And it also adds a test that stresses StructureChain creation.

        * runtime/StructureChain.cpp:
        (JSC::StructureChain::StructureChain):
        (JSC::StructureChain::create):
        (JSC::StructureChain::finishCreation):
        (JSC::StructureChain::visitChildren):
        (JSC::StructureChain::destroy): Deleted.
        * runtime/StructureChain.h:

2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Increment bytecode age only when SlotVisitor is first-visit
        https://bugs.webkit.org/show_bug.cgi?id=200196

        Reviewed by Robin Morisset.

        WriteBarrier can cause multiple visits for the same UnlinkedCodeBlock. But this does not mean that we are having multiple cycles of GC.
        We should increment the age of the UnlinkedCodeBlock only when the SlotVisitor is saying that this is the first visit.

        In practice,this almost never happens. Multiple visits can happen only when the marked UnlinkedCodeBlock gets a write-barrier. But, mutation
        of UnlinkedCodeBlock is rare or none after it is initialized. I ran all the JSTests and I cannot find any tests that get re-visiting of UnlinkedCodeBlock.
        This patch extends JSTests/stress/reparsing-unlinked-codeblock.js to ensure that UnlinkedCodeBlockJettisoning feature is working after this change.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::visitChildren):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::isFirstVisit const):
        * parser/Parser.cpp:
        * parser/Parser.h:
        (JSC::parse):
        (JSC::parseFunctionForFunctionConstructor):
        * runtime/Options.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionParseCount):
        (JSC::JSDollarVM::finishCreation):

2019-07-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r247886.
        https://bugs.webkit.org/show_bug.cgi?id=200214

        "Causes PLT5 regression on some machines" (Requested by mlam|a
        on #webkit).

        Reverted changeset:

        "Add crash diagnostics for debugging unexpected zapped cells."
        https://bugs.webkit.org/show_bug.cgi?id=200149
        https://trac.webkit.org/changeset/247886

2019-07-27  Justin Michaud  <justin_michaud@apple.com>

        [X86] Emit BT instruction for shift + mask in B3
        https://bugs.webkit.org/show_bug.cgi?id=199891

        Reviewed by Keith Miller.

        - Add a new BranchTestBit air opcode, matching the intel bt instruction
        - Select this instruction for the following patterns:
          if (a & (1<<b))
          if ((a>>b)&1)
          if ((~a>>b)&1)
          if (~a & (1<<b))
        - 15% perf progression on the nonconstant microbenchmark, neutral otherwise.
        - Note: we cannot fuse loads when we have bitBase=Load, bitOffset=Tmp, since the X86 instruction has 
          different behaviour in this mode. It will read past the current dword/qword instead of wrapping around.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTestBit32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branchTestBit64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::bt_ir):
        (JSC::X86Assembler::bt_im):
        (JSC::X86Assembler::btw_ir):
        (JSC::X86Assembler::btw_im):
        * assembler/testmasm.cpp:
        (JSC::int64Operands):
        (JSC::testBranchTestBit32RegReg):
        (JSC::testBranchTestBit32RegImm):
        (JSC::testBranchTestBit32AddrImm):
        (JSC::testBranchTestBit64RegReg):
        (JSC::testBranchTestBit64RegImm):
        (JSC::testBranchTestBit64AddrImm):
        (JSC::run):
        * b3/B3LowerToAir.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testBranchBitTest32TmpImm):
        (JSC::B3::testBranchBitTest32AddrImm):
        (JSC::B3::testBranchBitTest32TmpTmp):
        (JSC::B3::testBranchBitTest64TmpTmp):
        (JSC::B3::testBranchBitTest64AddrTmp):
        (JSC::B3::run):

2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Potential GC fix for JSPropertyNameEnumerator
        https://bugs.webkit.org/show_bug.cgi?id=200151

        Reviewed by Mark Lam.

        We have been seeing some JSPropertyNameEnumerator::visitChildren crashes for a long time. The crash frequency itself is not high, but it has existed for a long time.
        The crash happens when visiting m_propertyNames. It is also possible that this crash is caused by random corruption somewhere, but JSPropertyNameEnumerator
        has some tricky (and potentially dangerous) implementations anyway.

        1. JSPropertyNameEnumerator have Vector<WriteBarrier<JSString>> and it is extended in finishCreation with a lock.
           We should use Auxiliary memory for this use case. And we should set this memory in the constructor so that
           we do not extend it in finishCreation, and we do not need a lock.
        2. JSPropertyNameEnumerator gets StructureID before allocating JSPropertyNameEnumerator. This is potentially dangerous because the conservative scan
           cannot find the Structure* since we could only have StructureID. Since allocation code happens after StructureID is retrieved, it is possible that
           the allocation causes GC and Structure* is collected.

        In this patch, we align JSPropertyNameEnumerator implementation to the modern one to avoid using Vector<WriteBarrier<JSString>>. And we can make JSPropertyNameEnumerator
        a non-destructible cell. Since JSCell's destructor is one of the cause of various issues, we should avoid it if we can.

        No behavior change. This patch adds a test stressing JSPropertyNameEnumerator.

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::create):
        (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
        (JSC::JSPropertyNameEnumerator::finishCreation):
        (JSC::JSPropertyNameEnumerator::visitChildren):
        (JSC::JSPropertyNameEnumerator::destroy): Deleted.
        * runtime/JSPropertyNameEnumerator.h:
        * runtime/VM.cpp:
        (JSC::VM::emptyPropertyNameEnumeratorSlow):
        * runtime/VM.h:
        (JSC::VM::emptyPropertyNameEnumerator):

2019-07-26  Mark Lam  <mark.lam@apple.com>

        Add crash diagnostics for debugging unexpected zapped cells.
        https://bugs.webkit.org/show_bug.cgi?id=200149
        <rdar://problem/53570112>

        Reviewed by Yusuke Suzuki, Saam Barati, and Michael Saboff.

        Add a check for zapped cells in SlotVisitor::appendToMarkStack() and
        SlotVisitor::visitChildren().  If a zapped cell is detected, we will crash with
        some diagnostic info.

        To facilitate this, we've made the following changes:
        1. Changed FreeCell to preserve the 1st 8 bytes.  This is fine to do because all
           cells are at least 16 bytes long.
        2. Changed HeapCell::zap() to only zap the structureID.  Leave the rest of the
           cell header info intact (including the cell JSType).
        3. Changed HeapCell::zap() to record the reason for zapping the cell.  We stash
           the reason immediately after the first 8 bytes.  This is the same location as
           FreeCell::scrambledNext.  However, since a cell is not expected to be zapped
           and on the free list at the same time, it is also fine to do this.
        4. Added a few utility functions to MarkedBlock for checking if a cell points
           into the block.
        5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes.
        6. Added some comments to document the hashes of known subspaces.

        * heap/FreeList.h:
        (JSC::FreeCell::offsetOfScrambledNext):
        * heap/HeapCell.h:
        (JSC::HeapCell::zap):
        (JSC::HeapCell::isZapped const):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::stopAllocating):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::start const):
        (JSC::MarkedBlock::Handle::end const):
        (JSC::MarkedBlock::Handle::contains const):
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::forEachSubspace):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::reportZappedCellAndCrash):
        * heap/SlotVisitor.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * tools/JSDollarVM.cpp:
        (JSC::functionDumpSubspaceHashes):
        (JSC::JSDollarVM::finishCreation):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpSubspaceHashes):
        * tools/VMInspector.h:

2019-07-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use unalignedLoad for JSRopeString fiber accesses
        https://bugs.webkit.org/show_bug.cgi?id=200148

        Reviewed by Mark Lam.

        JSRopeString always have some subsequent bytes that can be accessible because MarkedBlock has Footer.
        We use WTF::unalignedLoad to get fibers. And it will be converted to one load CPU instruction.

        * heap/MarkedBlock.h:
        * runtime/JSString.h:

2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>

        Legacy numeric literals should not permit separators or BigInt
        https://bugs.webkit.org/show_bug.cgi?id=199984

        Reviewed by Keith Miller.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseOctal):
        (JSC::Lexer<T>::parseDecimal):

2019-07-25  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, build fix due to C++17's std::invoke_result_t
        https://bugs.webkit.org/show_bug.cgi?id=200139

        Use std::result_of for now until all the supported environments implement it.

        * heap/IsoSubspace.h:

2019-07-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Ensure PackedCellPtr only takes non-large-allocation pointers
        https://bugs.webkit.org/show_bug.cgi?id=200139

        Reviewed by Mark Lam.

        PackedCellPtr will compact a pointer by leveraging the fact that JSCell pointers are 16byte aligned.
        But this fact only holds when the JSCell is not large allocation. Currently, we are using PackedCellPtr
        only for the cell types which meets the above requirement. But we would like to ensure that statically.

        In this patch, we add additional static/runtime assertions to ensure this invariant. We accept a cell
        type of either (1) it is "final" annotated and sizeof(T) is <= MarkedSpace::largeCutoff or (2) it
        is allocated from IsoSubspace.

        This patch does not change any behaviors. It just adds extra static/runtime assertions.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::subspaceFor):
        * bytecode/CodeBlockJettisoningWatchpoint.h:
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
        * dfg/DFGAdaptiveStructureWatchpoint.h:
        * heap/IsoSubspace.h:
        * heap/PackedCellPtr.h:
        (JSC::PackedCellPtr::PackedCellPtr):
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
        * runtime/ObjectToStringAdaptiveStructureWatchpoint.h:

2019-07-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make visitChildren implementation more idiomatic
        https://bugs.webkit.org/show_bug.cgi?id=200121

        Reviewed by Mark Lam.

        This patch makes visitChildren implementations more idiomatic: cast, assert, and calling Base::visitChildren.
        While this does not find interesting issues, it is still nice to have consistent implementations.
        StructureChain::visitChildren missed Base::visitChildren, but it does not have much effect since StructureChain
        is immortal cell.

        * bytecode/ExecutableToCodeBlockEdge.cpp:
        (JSC::ExecutableToCodeBlockEdge::visitChildren):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::visitChildren):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::visitChildren):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::visitChildren):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        * runtime/JSImmutableButterfly.cpp:
        (JSC::JSImmutableButterfly::visitChildren):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::visitChildren):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::visitChildren):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::visitChildren):
        * runtime/JSString.cpp:
        (JSC::JSString::visitChildren):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::visitChildren):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::visitChildren):
        * tools/JSDollarVM.cpp:
        (JSC::Root::visitChildren):
        (JSC::ImpureGetter::visitChildren):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::visitChildren):

2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Implement nullish coalescing
        https://bugs.webkit.org/show_bug.cgi?id=200072

        Reviewed by Darin Adler.

        Implement the nullish coalescing proposal, which has now reached Stage 3 at TC39.

        This introduces a ?? operator which:
          - acts like || but checks for nullishness instead of truthiness
          - has a precedence lower than || (or any other binary operator)
          - must be disambiguated with parentheses when combined with || or &&

        * bytecompiler/NodesCodegen.cpp:
        (JSC::CoalesceNode::emitBytecode): Added.
        Bytecode must use OpIsUndefinedOrNull and not OpNeqNull because of document.all.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeBinaryNode):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
        * parser/NodeConstructors.h:
        (JSC::CoalesceNode::CoalesceNode): Added.
        * parser/Nodes.h:
        Introduce new token and AST node.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseBinaryExpression):
        Implement early error.

        * parser/ParserTokens.h:
        Since this patch needs to shift the value of every binary operator token anyway,
        let's only bother to increment their LSBs when we actually have a precedence conflict.

        * parser/ResultType.h:
        (JSC::ResultType::definitelyIsNull const): Added.
        (JSC::ResultType::mightBeUndefinedOrNull const): Added.
        (JSC::ResultType::forCoalesce): Added.
        We can do better than forLogicalOp here; let's be as accurate as possible.

        * runtime/Options.h:
        Add runtime feature flag.

2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>

        Three checks are missing in Proxy internal methods
        https://bugs.webkit.org/show_bug.cgi?id=198630

        Reviewed by Darin Adler.

        Add three missing checks in Proxy internal methods.
        These checks are necessary to maintain the invariants of the essential internal methods.
        (https://github.com/tc39/ecma262/pull/666)

        1. [[GetOwnProperty]] shouldn't return non-configurable and non-writable descriptor when the target's property is writable.
        2. [[Delete]] should return `false` when the target has property and is not extensible.
        3. [[DefineOwnProperty]] should return `true` for a non-writable input descriptor when the target's property is non-configurable and writable.

        Shipping in SpiderMonkey since https://hg.mozilla.org/integration/autoland/rev/3a06bc818bc4 (version 69)
        Shipping in V8 since https://chromium.googlesource.com/v8/v8.git/+/e846ad9fa5109428be50b1989314e0e4e7267919

        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty): Add writability check.
        (JSC::ProxyObject::performDelete): Add extensibility check.
        (JSC::ProxyObject::performDefineOwnProperty): Add writability check.

2019-07-24  Mark Lam  <mark.lam@apple.com>

        Remove some unused code.
        https://bugs.webkit.org/show_bug.cgi?id=200101

        Reviewed by Yusuke Suzuki.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::zap): Deleted.
        * heap/MarkedBlock.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendToMutatorMarkStack): Deleted.
        * heap/SlotVisitor.h:

2019-07-24  Mark Lam  <mark.lam@apple.com>

        performJITMemcpy should be PACed with a non-zero diversifier when passed and called via a pointer.
        https://bugs.webkit.org/show_bug.cgi?id=200100
        <rdar://problem/53474939>

        Reviewed by Yusuke Suzuki.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::CopyFunction::CopyFunction):
        (JSC::ARM64Assembler::CopyFunction::operator()):
        - I choose to use ptrauth_auth_function() here instead of retagCodePtr() because
          retagCodePtr() would auth, assert, and re-pac the pointer.  This is needed in
          general because retagCodePtr() doesn't know that you will consume the pointer
          immediately (and therefore crash imminently if a failed auth is encountered).
          Since we know here that we will call with the auth'ed pointer immediately, we
          can skip the assert.

          This also has the benefit of letting Clang do a peephole optimization to emit
          a blrab instruction with the intended diversifier, instead of emitting multiple
          instructions to auth the pointer into a C function, and then using a blraaz to
          do a C function call.

        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        * runtime/JSCPtrTag.h:

2019-07-24  Devin Rousso  <drousso@apple.com>

        Web Inspector: print the target of `console.screenshot` last so the target is the closest item to the image
        https://bugs.webkit.org/show_bug.cgi?id=199308

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.h:
        (Inspector::ConsoleMessage::arguments const):

        * inspector/ScriptArguments.h:
        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::getFirstArgumentAsString const): Added.
        (Inspector::ScriptArguments::getFirstArgumentAsString): Deleted.

2019-07-23  Justin Michaud  <justin_michaud@apple.com>

        Sometimes we miss removable CheckInBounds
        https://bugs.webkit.org/show_bug.cgi?id=200018

        Reviewed by Saam Barati.

        We failed to remove the CheckInBounds bounds because we did not see that the index was nonnegative. This is because we do not see the relationship between the two
        separate zero constants that appear in the IR for the given test case. This patch re-adds the hack to de-duplicate m_zero that was removed in 
        <https://trac.webkit.org/changeset/241228/webkit>.

        * dfg/DFGIntegerRangeOptimizationPhase.cpp:

2019-07-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [bmalloc] Each IsoPage gets 1MB VA because VMHeap::tryAllocateLargeChunk rounds up
        https://bugs.webkit.org/show_bug.cgi?id=200024

        Reviewed by Saam Barati.

        Discussed and we decided to use this VM tag for IsoHeap instead of CLoop stack.

        * interpreter/CLoopStack.cpp:
        (JSC::CLoopStack::CLoopStack):

2019-07-22  Saam Barati  <sbarati@apple.com>

        Turn off Wasm fast memory on iOS
        https://bugs.webkit.org/show_bug.cgi?id=200016
        <rdar://problem/53417726>

        Reviewed by Yusuke Suzuki.

        We turned them on when we disabled Gigacage on iOS. However, we re-enabled
        Gigacage on iOS, but forgot to turn wasm fast memories back off.

        * runtime/Options.h:

2019-07-22  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed non-unified build fix.

        * runtime/CachedTypes.h:

2019-07-20  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make DFG Local CSE and AI conservative for huge basic block
        https://bugs.webkit.org/show_bug.cgi?id=199929
        <rdar://problem/49309924>

        Reviewed by Filip Pizlo.

        In CNN page, the main thread hangs several seconds. On less-powerful devices (like iPhone7), it hangs for ~11 seconds. This is not an acceptable behavior.
        The reason of this is that the DFG compiler takes too long time in the compilation for a particular function. It takes 8765 ms even in powerful x64 machine!
        DFG compiler is concurrent one. However, when GC requires all the peripheral threads to be stopped, the main thread needs to wait for the DFG compiler's stop.
        DFG compiler stops at GC safepoints, and they are inserted between DFG phases. So, if some of DFG phases take very long time, the main thread is blocked during that.
        As a result, the main thread is blocked due to this pathological compilation.

        By measuring the time taken in each DFG phase, we found that our AI and CSE phase have a problem having quadratic complexity for # of DFG nodes in a basic block.
        In this patch, we add a threshold for # of DFG nodes in a basic block. If a basic block exceeds this threshold, we use conservative but O(1) algorithm for AI and Local CSE phase.
        We did not add this threshold for Global CSE since FTL has another bytecode cost threshold which prevents us from compiling the large functions. But on the other hand,
        DFG should compile them because DFG is intended to be a fast compiler even for a bit larger CodeBlock.

        We first attempted to reduce the threshold for DFG compilation. We are using 100000 bytecode cost for DFG compilation and it is very large. However, we found that bytecode cost
        is not the problem in CNN page. The problematic function has 67904 cost, and it takes 8765 ms in x64 machine. However, JetStream2/octane-zlib has 61949 function and it only takes
        ~400 ms. This difference comes from the # of DFG nodes in a basic block. The problematic function has 43297 DFG nodes in one basic block and it makes AI and Local CSE super time-consuming.
        Rather than relying on the bytecode cost which a bit indirectly related to this pathological compile-time, we should look into # of DFG nodes in a basic block which is more directly
        related to this problem. And we also found that 61949's Octane-zlib function is very critical for performance. This fact makes a bit hard to pick a right threshold: 67904 causes the problem,
        and 61949 must be compiled. This is why this patch is introducing conservative analysis instead of adjusting the threshold for DFG.

        This patch has two changes.

        1. DFG AI has structure transition tracking which has quadratic complexity

        Structure transition tracking takes very long time since its complexity is O(N^2) where N is # of DFG nodes in a basic block.
        CNN has very pathological script and it shows 43297 DFG nodes. We should reduce the complexity of this algorithm.
        For now, we just say "structures are clobbered" if # of DFG nodes in a basic block exceeds the threshold (20000).
        We could improve the current algorithm from O(N^2) to O(2N) without being conservative, and I'm tracking this in [1].

        2. DFG Local CSE has quadratic complexity

        Local CSE's clobbering iterates all the impure heap values to remove the clobbered one. Since # of impure heap values tend to be proportional to # of DFG nodes we visited,
        each CSE for a basic block gets O(N^2) complexity. To avoid this, we introduce HugeMap. This has the same interface to LargeMap and SmallMap in CSE, but its clobbering
        implementation just clears the map completely. We can further make this O(N) without introducing conservative behavior by using epochs. For now, we do not see such a huge basic block in
        JetStream2 and Speedometer2 so I'll track it in a separate bug[2].

        This patch reduces the compilation time from ~11 seconds to ~200 ms.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=199959
        [2]: https://bugs.webkit.org/show_bug.cgi?id=200014

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
        * dfg/DFGCSEPhase.cpp:
        * runtime/Options.h:

2019-07-22  Zhifei Fang  <zhifei_fang@apple.com>

        Need to skip test cache directory data vault for non internal build
        https://bugs.webkit.org/show_bug.cgi?id=199951

        Reviewed by Alexey Proskuryakov.

        * API/tests/testapi.mm:
        (testBytecodeCacheValidation): "Cache directory `/private/tmp` is not a data vault" this error message will only be created for internal build see JSScript.mm:97

2019-07-17  Antoine Quint  <graouts@apple.com>

        Disable Pointer Events prior to watchOS 6
        https://bugs.webkit.org/show_bug.cgi?id=199890
        <rdar://problem/53206113>

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2019-07-17  Keith Miller  <keith_miller@apple.com>

        Force useLLInt to true on arm64_32
        https://bugs.webkit.org/show_bug.cgi?id=199882
        <rdar://problem/53207586>

        Reviewed by Yusuke Suzuki.

        Some jsc tests set useLLInt=false but on arm64_32 we don't support the JIT.
        This causes the option coherency checker to get angry. We should force
        useLLInt=true on arm64_32 unless useJIT=true.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2019-07-17  Christopher Reid  <chris.reid@sony.com>

        Bytecode cache should use FileSystem
        https://bugs.webkit.org/show_bug.cgi?id=199759

        Reviewed by Yusuke Suzuki.

        Update bytecode cache to use platform generic FileSystem calls.

        * API/JSScript.mm:
        * CMakeLists.txt:
        * jsc.cpp:
        * runtime/CachePayload.cpp:
        * runtime/CachePayload.h:
        * runtime/CachedBytecode.h:
        * runtime/CachedTypes.cpp:
        * runtime/CachedTypes.h:
        * runtime/CodeCache.cpp:
        * runtime/CodeCache.h:
        * runtime/Completion.cpp:
        * runtime/Completion.h:

2019-07-17  Mark Lam  <mark.lam@apple.com>

        ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
        https://bugs.webkit.org/show_bug.cgi?id=199821
        <rdar://problem/52452328>

        Reviewed by Filip Pizlo.

        Excluding the ArgumentsEliminationPhase, PutStack nodes are converted from SetLocal
        nodes in the SSAConversionPhase.  SetLocal nodes are always preceded by MovHint nodes,
        and the SSAConversionPhase always inserts a KillStack node before a MovHint node.
        Hence, a PutStack node is always preceded by a KillStack node.

        However, the ArgumentsEliminationPhase can convert LoadVarargs nodes into a series
        of one or more PutStacks nodes, and it prepends MovHint nodes before the PutStack
        nodes.  However, it neglects to prepend KillStack nodes as well.  Since the
        ArgumentsEliminationPhase runs after the SSAConversionPhase, the PutStack nodes
        added during ArgumentsElimination will not be preceded by KillStack nodes.

        This patch fixes this by inserting a KillStack in the ArgumentsEliminationPhase
        before it inserts a MovHint and a PutStack node.

        Consider this test case which can manifest the above issue as a crash:

            function inlinee(value) {
                ...
                let tmp = value + 1;
            }

            function reflect() {
                return inlinee.apply(undefined, arguments);
            }

            function test(arr) {
                let object = inlinee.apply(undefined, arr);   // Uses a lot of SetArgumentMaybe nodes.
                reflect();    // Calls with a LoadVararg, which gets converted into a PutStack of a constant.
            }

        In this test case, we have a scenario where a SetArgumentMaybe's stack
        slot is reused as the stack slot for a PutStack later.  Here, the PutStack will
        put a constant undefined value.  Coincidentally, the SetArgumentMaybe may also
        initialize that stack slot to a constant undefined value.  Note that by the time
        the PutStack executes, the SetArgumentMaybe's stack slot is dead.  The liveness of
        these 2 values are distinct.

        However, because we were missing a KillStack before the PutStack, OSR availability
        analysis gets misled into thinking that the PutStack constant value is still in the
        stack slot because the value left there by the SetArgumentMaybe hasn't been killed
        off yet.  As a result, OSR exit code will attempt to recover the PutStack's undefined
        constant by loading from the stack slot instead of materializing it.  Since
        SetArgumentMaybe may not actually initialize the stack slot, we get a crash in OSR
        exit when we try to recover the PutStack constant value from the stack slot, and
        end up using what ever junk value we read from there.

        Fixing the ArgumentsEliminationPhase to insert KillStack before the PutStack
        removes this conflation of the PutStack's constant value with the SetArgumentMaybe's
        constant value in the same stack slot.  And, OSR availability analysis will no
        longer be misled to load the PutStack's constant value from the stack, but will
        materialize the constant instead.

        * dfg/DFGArgumentsEliminationPhase.cpp:

2019-07-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r247505.
        https://bugs.webkit.org/show_bug.cgi?id=199871

        "Caused failed ASSERT in stress test" (Requested by creid on
        #webkit).

        Reverted changeset:

        "Bytecode cache should use FileSystem"
        https://bugs.webkit.org/show_bug.cgi?id=199759
        https://trac.webkit.org/changeset/247505

2019-07-16  Christopher Reid  <chris.reid@sony.com>

        Bytecode cache should use FileSystem
        https://bugs.webkit.org/show_bug.cgi?id=199759

        Reviewed by Yusuke Suzuki.

        Update bytecode cache to use platform generic FileSystem calls.

        * API/JSScript.mm:
        * CMakeLists.txt:
        * jsc.cpp:
        * runtime/CachePayload.cpp:
        * runtime/CachePayload.h:
        * runtime/CachedBytecode.h:
        * runtime/CachedTypes.cpp:
        * runtime/CachedTypes.h:
        * runtime/CodeCache.cpp:
        * runtime/CodeCache.h:
        * runtime/Completion.cpp:
        * runtime/Completion.h:

2019-07-16  Joonghun Park  <pjh0718@gmail.com>

        [GTK] Fix a build warning in JavaScriptCore/API/tests/testapi.c
        https://bugs.webkit.org/show_bug.cgi?id=199824

        Reviewed by Alex Christensen.

        * API/tests/testapi.c:
        (main):

2019-07-15  Keith Miller  <keith_miller@apple.com>

        JSGlobalObject type macros should support feature flags and WeakRef should have one
        https://bugs.webkit.org/show_bug.cgi?id=199601

        Reviewed by Mark Lam.

        This patch refactors the various builtin type macros to have a
        parameter, which is the feature flag enabling it.  Since most
        builtin types are enabled by default this patch adds a new global
        bool typeExposedByDefault for clarity. Note, because static hash
        tables have no concept of feature flags we can't use feature flags
        with lazy properties. This is probably not a big deal as features
        that are off by default won't be allocated anywhere we care about
        memory usage anyway.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::stringObjectStructure const):
        (JSC::JSGlobalObject::bigIntObjectStructure const): Deleted.
        * runtime/Options.h:
        * wasm/js/JSWebAssembly.cpp:

2019-07-15  Keith Miller  <keith_miller@apple.com>

        A Possible Issue of Object.create method
        https://bugs.webkit.org/show_bug.cgi?id=199744

        Reviewed by Yusuke Suzuki.

        We should call toObject on the properties argument if it was not undefined.
        See: https://tc39.es/ecma262/#sec-object.create

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorCreate):

2019-07-15  Saagar Jha  <saagarjha@apple.com>

        Keyword lookup can use memcmp to get around unaligned load undefined behavior
        https://bugs.webkit.org/show_bug.cgi?id=199650

        Reviewed by Yusuke Suzuki.

        Replace KeywordLookup's hand-rolled "memcmp" with the standard version, which reduces the need to deal with
        endianness and unaligned loads.

        * KeywordLookupGenerator.py:
        (Trie.printSubTreeAsC): Use memcmp instead of macros to test for matches.
        (Trie.printAsC): Unspecialize Lexer::parseKeyword as templating over the character type reduces the amount of
        code we need to generate and moves this task out of the Python script and into the C++ compiler.

2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Improve wasm wpt test results by fixing miscellaneous issues
        https://bugs.webkit.org/show_bug.cgi?id=199783

        Reviewed by Mark Lam.

        This patch fixes miscellaneous issues in our Wasm JS API implementation to improve WPT score.
        I picked trivial ones in this patch to make this easily reviewable.

        1. Remove WebAssemblyPrototype. It does not exist in the spec. Merging WebAssemblyPrototype into JSWebAssembly.
        2. Fix various attributes. It does not match to the usual JSC builtin's convention. But this change
           is correct because they are changed to be matched against WebIDL definition, and WebAssembly implementation
           follows WebIDL. In the future, we could move WebCore WebIDL things into WTF layer and even use (or leverage
           some of utility functions) in our WebAssembly JS API implementation.
        3. Fix how we interpret "present" in WebAssembly spec. This does not mean [[HasProperty]] result. It follows to
           WebIDL spec, and it means that [[Get]] result is not undefined.
        4. Add argument count check to Module.customSections, which is required because the method is defined in WebIDL.
        5. Fix toNonWrappingUint32 to match it to WebIDL's conversion rule.

        * CMakeLists.txt:
        * DerivedSources-input.xcfilelist:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/WebAssembly.js: Renamed from Source/JavaScriptCore/builtins/WebAssemblyPrototype.js.
        * jit/Repatch.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSModuleLoader.cpp:
        (JSC::moduleLoaderParseModule):
        * wasm/js/JSWebAssembly.cpp:
        (JSC::JSWebAssembly::create):
        (JSC::JSWebAssembly::finishCreation):
        (JSC::reject):
        (JSC::webAssemblyModuleValidateAsyncInternal):
        (JSC::webAssemblyCompileFunc):
        (JSC::resolve):
        (JSC::JSWebAssembly::webAssemblyModuleValidateAsync):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::JSWebAssembly::instantiate):
        (JSC::webAssemblyModuleInstantinateAsyncInternal):
        (JSC::JSWebAssembly::webAssemblyModuleInstantinateAsync):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        (JSC::webAssemblyCompileStreamingInternal):
        (JSC::webAssemblyInstantiateStreamingInternal):
        * wasm/js/JSWebAssembly.h:
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::toNonWrappingUint32):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::WebAssemblyInstanceConstructor::finishCreation):
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        (JSC::WebAssemblyMemoryConstructor::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::webAssemblyModuleCustomSections):
        (JSC::WebAssemblyModuleConstructor::finishCreation):
        * wasm/js/WebAssemblyPrototype.cpp: Removed.
        * wasm/js/WebAssemblyPrototype.h: Removed.
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):
        (JSC::WebAssemblyTableConstructor::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.cpp:

2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, rolling out r247440.

        Broke builds

        Reverted changeset:

        "[JSC] Improve wasm wpt test results by fixing miscellaneous
        issues"
        https://bugs.webkit.org/show_bug.cgi?id=199783
        https://trac.webkit.org/changeset/247440

2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Improve wasm wpt test results by fixing miscellaneous issues
        https://bugs.webkit.org/show_bug.cgi?id=199783

        Reviewed by Mark Lam.

        This patch fixes miscellaneous issues in our Wasm JS API implementation to improve WPT score.
        I picked trivial ones in this patch to make this easily reviewable.

        1. Remove WebAssemblyPrototype. It does not exist in the spec. Merging WebAssemblyPrototype into JSWebAssembly.
        2. Fix various attributes. It does not match to the usual JSC builtin's convention. But this change
           is correct because they are changed to be matched against WebIDL definition, and WebAssembly implementation
           follows WebIDL. In the future, we could move WebCore WebIDL things into WTF layer and even use (or leverage
           some of utility functions) in our WebAssembly JS API implementation.
        3. Fix how we interpret "present" in WebAssembly spec. This does not mean [[HasProperty]] result. It follows to
           WebIDL spec, and it means that [[Get]] result is not undefined.
        4. Add argument count check to Module.customSections, which is required because the method is defined in WebIDL.
        5. Fix toNonWrappingUint32 to match it to WebIDL's conversion rule.

        * CMakeLists.txt:
        * DerivedSources-input.xcfilelist:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/WebAssembly.js: Renamed from Source/JavaScriptCore/builtins/WebAssemblyPrototype.js.
        * jit/Repatch.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSModuleLoader.cpp:
        (JSC::moduleLoaderParseModule):
        * wasm/js/JSWebAssembly.cpp:
        (JSC::JSWebAssembly::create):
        (JSC::JSWebAssembly::finishCreation):
        (JSC::reject):
        (JSC::webAssemblyModuleValidateAsyncInternal):
        (JSC::webAssemblyCompileFunc):
        (JSC::resolve):
        (JSC::JSWebAssembly::webAssemblyModuleValidateAsync):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::JSWebAssembly::instantiate):
        (JSC::webAssemblyModuleInstantinateAsyncInternal):
        (JSC::JSWebAssembly::webAssemblyModuleInstantinateAsync):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        (JSC::webAssemblyCompileStreamingInternal):
        (JSC::webAssemblyInstantiateStreamingInternal):
        * wasm/js/JSWebAssembly.h:
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::toNonWrappingUint32):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::WebAssemblyInstanceConstructor::finishCreation):
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        (JSC::WebAssemblyMemoryConstructor::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::webAssemblyModuleCustomSections):
        (JSC::WebAssemblyModuleConstructor::finishCreation):
        * wasm/js/WebAssemblyPrototype.cpp: Removed.
        * wasm/js/WebAssemblyPrototype.h: Removed.
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):
        (JSC::WebAssemblyTableConstructor::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.cpp:

2019-07-15  Youenn Fablet  <youenn@apple.com>

        Enable a debug WebRTC mode without any encryption
        https://bugs.webkit.org/show_bug.cgi?id=199177
        <rdar://problem/52074986>

        Reviewed by Eric Carlson.

        * inspector/protocol/Page.json:

2019-07-15  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, attempt to fix production builds after r247403.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-07-15  Tadeu Zagallo  <tzagallo@apple.com>

        Concurrent GC should not rely on current phase to determine if it's safe to steal conn
        https://bugs.webkit.org/show_bug.cgi?id=199786
        <rdar://problem/52505197>

        Reviewed by Saam Barati.

        In r246507, we fixed a race condition in the concurrent GC where the mutator might steal
        the conn from the collector thread while it transitions from the End phase to NotRunning.
        However, that fix was not sufficient. In the case that the mutator steals the conn, and the
        execution interleaves long enough for the mutator to progress to a different collection phase,
        the collector will resume in a phase other than NotRunning, and hence the check added to
        NotRunning will not suffice. To fix that, we add a new variable to track whether the collector
        thread is running (m_collectorThreadIsRunning) and use it to determine whether it's safe to
        steal the conn, rather than relying on m_currentPhase.

        * heap/Heap.cpp:
    &n