6ef876a8240809c5217033abef28470b106a2948
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-09-10  Commit Queue  <commit-queue@webkit.org>
2
3         Unreviewed, rolling out r249721.
4         https://bugs.webkit.org/show_bug.cgi?id=201667
5
6         Discovering existing bug (Requested by yusukesuzuki on
7         #webkit).
8
9         Reverted changeset:
10
11         "[JSC] 32bit bitwide operation with all-one (-1) is wrong in
12         B3"
13         https://bugs.webkit.org/show_bug.cgi?id=201634
14         https://trac.webkit.org/changeset/249721
15
16 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
17
18         [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
19         https://bugs.webkit.org/show_bug.cgi?id=201664
20         <rdar://problem/52126927>
21
22         Reviewed by Tadeu Zagallo.
23
24         We are hitting the crash accessing invalid-pointer as CodeBlock::calleeSaveRegisters result.
25         This is because concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters.
26         Since m_jitData can be initialized in the main thread while calling CodeBlock::calleeSaveRegisters from concurrent Baseline JIT compiler thread,
27         we can see half-baked JITData structure which holds garbage pointers.
28
29         But we do not want to make CodeBlock::calleeSaveRegisters() call with CodeBlock::m_lock due to several reasons.
30
31         1. This function is very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are
32            called while taking this exact same lock, so dead-lock can happen.
33         2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlock. And DFG and FTL code accesses these field after initializing properly. For Baseline JIT
34            compiler case, only thing we should do is that JITData should say m_calleeSaveRegisters is nullptr and it won't be filled for this CodeBlock.
35
36         Instead of guarding CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts WTF::storeStoreFence when filling m_jitData. This ensures that
37         JITData::m_calleeSaveRegisters is initialized with nullptr when this JITData pointer is exposed to concurrent Baseline JIT compiler thread.
38
39         * bytecode/CodeBlock.cpp:
40         (JSC::CodeBlock::ensureJITDataSlow):
41
42 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
43
44         [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
45         https://bugs.webkit.org/show_bug.cgi?id=198253
46
47         Reviewed by Mark Lam.
48
49         ResultType of bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like a int32.
50         When it is specified, TypeMaybeNumber must exist too. This issue compiles op_div in JetStream2/async-fs slow-path. And eventually DFG first mis-compiles
51         it with Int32 ArithDiv while that div always produces double. And unnecessary OSR exit happens.
52
53         In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.
54
55         * parser/ResultType.h:
56         (JSC::ResultType::bigIntOrInt32Type):
57
58 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
59
60         [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
61         https://bugs.webkit.org/show_bug.cgi?id=201634
62
63         Reviewed by Mark Lam.
64
65         Accidentally, the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
66         For example, in BitAnd strength reduction,
67
68             1034             // Turn this: BitAnd(value, all-ones)
69             1035             // Into this: value.
70             1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
71             1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
72             1038                 replaceWithIdentity(m_value->child(0));
73             1039                 break;
74             1040             }
75
76         We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
77
78             262 inline bool Value::isInt(int64_t value) const
79             263 {
80             264     return hasInt() && asInt() == value;
81             265 }
82
83         So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX can be representable in int64_t. And Value::asInt implementation is,
84
85             257 inline int64_t Value::asInt() const
86             258 {
87             259     return hasInt32() ? asInt32() : asInt64();
88             260 }
89
90         So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
91         We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).
92
93         We also fix the following optimization.
94
95             // Turn this: BitAnd(Op(value, constant1), constant2)
96             //     where !(constant1 & constant2)
97             //       and Op is BitOr or BitXor
98             // into this: BitAnd(value, constant2)
99
100         Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
101
102             // Turn this: BitAnd(BitXor(x, allOnes), c)
103             // Into this: BitXor(BitOr(x, ~c), allOnes)
104
105         We add 32bit version of B3 tests for these optimizations.
106
107         * b3/B3LowerToAir.cpp:
108         * b3/B3ReduceStrength.cpp:
109         * b3/testb3.h:
110         * b3/testb3_2.cpp:
111         (testBitAndNotNot32):
112         (testBitAndNotImm):
113         (testBitAndNotImm32):
114         (testBitOrAndAndArgs32):
115         (testBitOrAndSameArgs32):
116         (testBitOrNotNot32):
117         (testBitOrNotImm32):
118         (addBitTests):
119         * b3/testb3_3.cpp:
120         (testBitXorAndAndArgs32):
121         (testBitXorAndSameArgs32):
122
123 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
124
125         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
126         https://bugs.webkit.org/show_bug.cgi?id=189043
127
128         Reviewed by Keith Miller.
129
130         This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan.
131         And remove Wasm::ModuleParser. This patch paves the way to implementing Wasm streaming features by
132         using Wasm::StreamingParser.
133
134         Currently, we are not using streaming feature of StreamingParser. In a subsequent patch, we will
135         create a mechanism to pipe a chunk of data to streaming parser to enable WebAssembly.compileStreaming
136         and instantiateStreaming.
137
138         * JavaScriptCore.xcodeproj/project.pbxproj:
139         * Sources.txt:
140         * tools/JSDollarVM.cpp:
141         (JSC::WasmStreamingParser::WasmStreamingParser):
142         * wasm/WasmAirIRGenerator.cpp:
143         (JSC::Wasm::parseAndCompileAir):
144         * wasm/WasmAirIRGenerator.h:
145         * wasm/WasmB3IRGenerator.cpp:
146         (JSC::Wasm::parseAndCompile): Use FunctionData, it is good since it is more strongly typed.
147         * wasm/WasmB3IRGenerator.h:
148         * wasm/WasmBBQPlan.cpp:
149         (JSC::Wasm::BBQPlan::BBQPlan):
150         (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation.
151         (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser.
152         (JSC::Wasm::BBQPlan::compileFunctions):
153         (JSC::Wasm::BBQPlan::complete):
154         * wasm/WasmBBQPlan.h:
155         * wasm/WasmModuleParser.cpp: Removed.
156         * wasm/WasmModuleParser.h: Removed.
157         * wasm/WasmOMGForOSREntryPlan.cpp:
158         (JSC::Wasm::OMGForOSREntryPlan::work):
159         * wasm/WasmOMGPlan.cpp:
160         (JSC::Wasm::OMGPlan::work):
161         * wasm/WasmPlan.cpp:
162         (JSC::Wasm::Plan::fail): Make fail function callable multiple times. The first error will be used.
163         * wasm/WasmSectionParser.cpp:
164         (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used.
165         * wasm/WasmStreamingParser.cpp:
166         (JSC::Wasm::StreamingParser::StreamingParser):
167         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
168         (JSC::Wasm::StreamingParser::parseFunctionPayload):
169         (JSC::Wasm::StreamingParser::parseSectionPayload):
170         (JSC::Wasm::StreamingParser::finalize): Call client's callbacks at appropriate timings.
171         * wasm/WasmStreamingParser.h:
172         (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
173         (JSC::Wasm::StreamingParserClient::didReceiveFunctionData):
174         (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient,
175         which has 3 callbacks right now. StreamingParser gets this client and call these callbacks
176         at appropriate timings.
177         * wasm/WasmValidate.cpp:
178         (JSC::Wasm::validateFunction):
179         * wasm/WasmValidate.h: Use FunctionData, it is good since it is more strongly typed.
180
181 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
182
183         [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory
184         https://bugs.webkit.org/show_bug.cgi?id=201622
185
186         Reviewed by Mark Lam.
187
188         CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, some of the places reallocate
189         this Vector without taking a lock. If a Vector memory is reallocated while iterating it in concurrent collector,
190         the concurrent collector can see a garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock.
191
192         * bytecode/CodeBlock.cpp:
193         (JSC::CodeBlock::finishCreation):
194         (JSC::CodeBlock::setConstantRegisters):
195         * bytecode/CodeBlock.h:
196         (JSC::CodeBlock::addConstant):
197         (JSC::CodeBlock::addConstantLazily):
198         * dfg/DFGDesiredWatchpoints.cpp:
199         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
200         (JSC::DFG::SymbolTableAdaptor::add):
201         (JSC::DFG::FunctionExecutableAdaptor::add):
202         * dfg/DFGGraph.cpp:
203         (JSC::DFG::Graph::registerFrozenValues):
204         * dfg/DFGJITFinalizer.cpp:
205         (JSC::DFG::JITFinalizer::finalizeCommon):
206         * dfg/DFGLazyJSValue.cpp:
207         (JSC::DFG::LazyJSValue::emit const):
208
209 2019-09-09  Robin Morisset  <rmorisset@apple.com>
210
211         [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array
212         https://bugs.webkit.org/show_bug.cgi?id=197305
213
214         Reviewed by Keith Miller.
215
216         Currently it is a HashSet, but it only ever holds at most registerCount() items. And linear search tends to be faster on such a small collection than hashing + searching in a HashSet.
217         Further benefits include avoiding the allocation of the HashSet, not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists).
218
219         This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly.
220         Apart from that, the patch got some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (that for example was only logging the number of iterations for FP registers, and not the more interesting number for GP registers).
221
222         The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms.
223         So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall.
224
225         No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2.
226
227         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
228
229 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
230
231         [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector
232         https://bugs.webkit.org/show_bug.cgi?id=201613
233
234         Reviewed by Mark Lam.
235
236         We do not need to maintain propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode
237         since we have MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the
238         issue that `op_create_promise` missed propertyAccessInstructions registration (a name "propertyAccessInstructions" is
239         misleading, it is like "instructions-requires-llint-finalize").
240
241         * bytecode/CodeBlock.cpp:
242         (JSC::CodeBlock::propagateTransitions):
243         (JSC::CodeBlock::finalizeLLIntInlineCaches):
244         * bytecode/UnlinkedCodeBlock.cpp:
245         (JSC::UnlinkedCodeBlock::applyModification):
246         (JSC::UnlinkedCodeBlock::shrinkToFit):
247         * bytecode/UnlinkedCodeBlock.h:
248         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
249         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted.
250         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted.
251         * bytecompiler/BytecodeGenerator.cpp:
252         (JSC::BytecodeGenerator::emitResolveScope):
253         (JSC::BytecodeGenerator::emitGetFromScope):
254         (JSC::BytecodeGenerator::emitPutToScope):
255         (JSC::BytecodeGenerator::emitGetById):
256         (JSC::BytecodeGenerator::emitDirectGetById):
257         (JSC::BytecodeGenerator::emitPutById):
258         (JSC::BytecodeGenerator::emitDirectPutById):
259         (JSC::BytecodeGenerator::emitCreateThis):
260         (JSC::BytecodeGenerator::emitToThis):
261         * runtime/CachedTypes.cpp:
262         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
263         (JSC::CachedCodeBlock<CodeBlockType>::encode):
264
265 2019-09-07  Keith Miller  <keith_miller@apple.com>
266
267         OSR entry into wasm misses some contexts
268         https://bugs.webkit.org/show_bug.cgi?id=201569
269
270         Reviewed by Yusuke Suzuki.
271
272         This patch fixes an issue where we could fail to capture some of
273         our contexts when OSR entering into wasm code. Before we would
274         only capture the state of the block immediately surrounding the
275         entrance loop block header. We actually need to capture all
276         enclosed stacks.
277
278         Additionally, we don't need to use variables for all the captured
279         values. We can use a Phi and insert an upsilon just below the
280         captured value.
281
282         * interpreter/CallFrame.h:
283         * jsc.cpp:
284         (GlobalObject::finishCreation):
285         (functionCallerIsOMGCompiled):
286         * wasm/WasmAirIRGenerator.cpp:
287         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
288         (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
289         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
290         (JSC::Wasm::AirIRGenerator::addLoop):
291         * wasm/WasmB3IRGenerator.cpp:
292         (JSC::Wasm::B3IRGenerator::createStack):
293         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
294         (JSC::Wasm::B3IRGenerator::addConstant):
295         (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
296         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
297         (JSC::Wasm::B3IRGenerator::addLoop):
298         (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
299         (JSC::Wasm::dumpExpressionStack):
300         (JSC::Wasm::B3IRGenerator::dump):
301         (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
302         (JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
303         (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
304         (JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
305         (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
306         (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
307         (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
308         (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
309         (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
310         (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
311         (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
312         (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.
313         * wasm/WasmFunctionParser.h:
314         (JSC::Wasm::FunctionParser::controlStack):
315
316 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
317
318         [JSC] Promise resolve/reject functions should be created more efficiently
319         https://bugs.webkit.org/show_bug.cgi?id=201488
320
321         Reviewed by Mark Lam.
322
323         While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it enforces FunctionRareData allocations.
324         Unfortunately, anonymous-builtin-function function can be created frequently since this type of function is used
325         for `resolve` and `reject` arguments of Promise's executor (e.g. `new Promise((resolve, reject) => ...)`'s resolve and reject).
326         Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower.
327
328         In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information
329         to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes
330         anonymous-builtin-function creation faster.
331
332         We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test.
333         The simple microbenchmark shows 1.7x improvement.
334
335                                               ToT                     Patched
336
337             promise-creation-many       45.6701+-0.1488     ^     26.8663+-1.8336        ^ definitely 1.6999x faster
338
339         * dfg/DFGSpeculativeJIT.cpp:
340         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
341         * ftl/FTLLowerDFGToB3.cpp:
342         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
343         * runtime/FunctionRareData.cpp:
344         (JSC::FunctionRareData::create):
345         (JSC::FunctionRareData::FunctionRareData):
346         * runtime/FunctionRareData.h:
347         * runtime/JSFunction.cpp:
348         (JSC::JSFunction::finishCreation):
349         (JSC::JSFunction::allocateRareData):
350         (JSC::JSFunction::allocateAndInitializeRareData):
351         * runtime/JSFunctionInlines.h:
352         (JSC::JSFunction::hasReifiedName const):
353
354 2019-09-07  Mark Lam  <mark.lam@apple.com>
355
356         performJITMemcpy() source buffer should not be in the Gigacage.
357         https://bugs.webkit.org/show_bug.cgi?id=201577
358         <rdar://problem/55142606>
359
360         Reviewed by Michael Saboff.
361
362         Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
363         buffer is not in the Gigacage.
364
365         * jit/ExecutableAllocator.h:
366         (JSC::performJITMemcpy):
367
368 2019-09-07  Mark Lam  <mark.lam@apple.com>
369
370         The jsc shell should allow disabling of the Gigacage for testing purposes.
371         https://bugs.webkit.org/show_bug.cgi?id=201579
372
373         Reviewed by Michael Saboff.
374
375         Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code.  If
376         this env var is present and it has a falsy value, then do not
377         forbidDisablingPrimitiveGigacage() in the jsc shell.
378
379         * jsc.cpp:
380         (jscmain):
381
382 2019-09-06  Mark Lam  <mark.lam@apple.com>
383
384         Harden protection of the Gigacage Config parameters.
385         https://bugs.webkit.org/show_bug.cgi?id=201570
386         <rdar://problem/55134229>
387
388         Reviewed by Saam Barati.
389
390         Just renaming some function names here.
391
392         * assembler/testmasm.cpp:
393         (JSC::testCagePreservesPACFailureBit):
394         * jit/AssemblyHelpers.h:
395         (JSC::AssemblyHelpers::cageConditionally):
396         * jsc.cpp:
397         (jscmain):
398
399 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
400
401         Math.round() produces wrong result for value prior to 0.5
402         https://bugs.webkit.org/show_bug.cgi?id=185115
403
404         Reviewed by Saam Barati.
405
406         Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994.
407         This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite.
408
409         Specifically:
410           - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5),
411             so taking the difference between ceil(value)` and `value` is problematic.
412           - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones
413             (by falling back to jsRound). This patch gives baseline a legitimate implementation too.
414
415         * dfg/DFGSpeculativeJIT.cpp:
416         (JSC::DFG::SpeculativeJIT::compileArithRounding):
417         * ftl/FTLLowerDFGToB3.cpp:
418         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
419         * jit/ThunkGenerators.cpp:
420         (JSC::roundThunkGenerator):
421         * runtime/MathCommon.cpp:
422
423 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
424
425         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
426         https://bugs.webkit.org/show_bug.cgi?id=201366
427
428         Reviewed by Saam Barati.
429
430         It is possible for the log buffer to be full right as someone is trying to
431         log a function prologue. In such a case the machine stack has already been
432         updated to include the new JavaScript call frame, but the prologue packet
433         cannot be included in the update because the log is full. This would mean
434         that the update fails to rationalize the machine stack with the shadow
435         log / stack. Namely, the current JavaScript call frame is unable to
436         find a matching prologue (the one we are holding to include after the update)
437         and inserts a questionable value into the stack; and in the process
438         missing and removing real potential tail calls.
439
440         For example:
441         
442             "use strict";
443             function third() { return 1; }
444             function second() { return third(); }
445             function first() { return second(); }
446             function start() { return first(); }
447
448         If the the log fills up just as we are entering `b` then we may have a list
449         full log of packets looking like:
450
451           Shadow Log:
452             ...
453             { prologue-packet: entering `start` ... }
454             { prologue-packet: entering `first` ... }
455             { tail-packet: leaving `first` with a tail call }
456
457           Incoming Packet:
458             { prologue-packet: entering `second` ... }
459
460           Current JS Stack:
461             second
462             start
463
464         Since the Current JavaScript stack already has `second`, if we process the
465         log without the prologue for `second` then we push a confused entry on the
466         shadow stack and clear the log such that we eventually lose the tail-call
467         information for `first` to `second`.
468
469         This patch solves this issue by providing enough extra space in the log
470         to always process the incoming packet when that forces an update. This way
471         clients can continue to behave exactly as they are.
472
473         --
474
475         We also document a corner case in some circumstances where the shadow
476         log may currently be insufficient to know how to reconcile:
477         
478         For example:
479
480             "use strict";
481             function third() { return 1; }
482             function second() { return third(); }
483             function first() { return second(); }
484             function doNothingTail() { return Math.random() }
485             function start() {
486                 for (i=0;i<1000;++i) doNothingTail();
487                 return first();
488             }
489
490         In this case the ShadowChicken log may be processed multiple times due
491         to the many calls to `doNothingTail` / `Math.random()`. When calling the
492         Native function no prologue packet is emitted, so it is unclear that we
493         temporarly go deeper and come back out on the stack, so the log appears
494         to have lots of doNothingTail calls reusing the same frame:
495
496           Shadow Log:
497             ...
498             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
499             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
500             , [125] tail-packet:{frame = 0x7ffeef8971f0}
501             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
502             , [127] tail-packet:{frame = 0x7ffeef8971f0}
503             ...
504             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
505             , [141] tail-packet:{frame = 0x7ffeef8971f0}
506             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
507             , [143] tail-packet:{frame = 0x7ffeef8971f0}
508             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
509             , [145] tail-packet:{frame = 0x7ffeef8971f0}
510             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
511             ...
512
513         This log would seem to be indistinguishable from real tail recursion, such as:
514
515             "use strict";
516             function third() { return 1; }
517             function second() { return third(); }
518             function first() { return second(); }
519             function doNothingTail(n) {
520                 return n ? doNothingTail(n-1) : first();
521             }
522             function start() {
523                 return doNothingTail(1000);
524             }
525
526         Likewise there are more cases where the shadow log appears to be ambiguous with determining
527         the appropriate parent call frame with intermediate function calls. In practice this may
528         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
529         It seems likely we would only show additional frames that did in fact happen serially
530         between JavaScript call frames, but may not actually be the proper parent frames
531         heirachy in the stack.
532
533         * interpreter/ShadowChicken.cpp:
534         (JSC::ShadowChicken::Packet::dump const):
535         (JSC::ShadowChicken::Frame::dump const):
536         (JSC::ShadowChicken::dump const):
537         Improved debugging output. Especially for functions.
538
539         (JSC::ShadowChicken::ShadowChicken):
540         Make space in the log for 1 additional packet to process when we slow log.
541
542         (JSC::ShadowChicken::log):
543         Include this packet in our update.
544
545         (JSC::ShadowChicken::update):
546         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
547
548 2019-09-06  Ryan Haddad  <ryanhaddad@apple.com>
549
550         Unreviewed, rolling out r249566.
551
552         Causes inspector layout test crashes under GuardMalloc
553
554         Reverted changeset:
555
556         "Tail Deleted Frames shown in Web Inspector are sometimes
557         incorrect (Shadow Chicken)"
558         https://bugs.webkit.org/show_bug.cgi?id=201366
559         https://trac.webkit.org/changeset/249566
560
561 2019-09-06  Guillaume Emont  <guijemont@igalia.com>
562
563         testmasm: save r6 in JIT'ed code on ARM_THUMB2
564         https://bugs.webkit.org/show_bug.cgi?id=201138
565
566         Reviewed by Mark Lam.
567
568         MacroAssemblerArmv7 uses r6 as a temporary register, and it is a
569         callee-saved register. The JITs use
570         AssemblyHelpers::emitSaveCalleeSaves() and friends to save
571         callee-saved registers, but there is no such mechanism in testmasm,
572         which seems to make the assumption that the macroassembler does not
573         use callee-saved registers (which I guess is true for all other
574         architectures, but not for Armv7).
575
576         This issue means that testmasm crashes on Armv7 since code generated
577         by gcc uses r6, and it gets modified by JIT'ed code.
578
579         This change makes sure that we save and restore r6 for all code
580         compiled by testmasm on Armv7.
581
582         * assembler/testmasm.cpp:
583         (JSC::emitFunctionPrologue):
584         (JSC::emitFunctionEpilogue):
585         (JSC::testSimple):
586         (JSC::testGetEffectiveAddress):
587         (JSC::testBranchTruncateDoubleToInt32):
588         (JSC::testBranchTestBit32RegReg):
589         (JSC::testBranchTestBit32RegImm):
590         (JSC::testBranchTestBit32AddrImm):
591         (JSC::testBranchTestBit64RegReg):
592         (JSC::testBranchTestBit64RegImm):
593         (JSC::testBranchTestBit64AddrImm):
594         (JSC::testCompareDouble):
595         (JSC::testMul32WithImmediates):
596         (JSC::testMul32SignExtend):
597         (JSC::testCompareFloat):
598         (JSC::testProbeReadsArgumentRegisters):
599         (JSC::testProbeWritesArgumentRegisters):
600         (JSC::testProbePreservesGPRS):
601         (JSC::testProbeModifiesStackPointer):
602         (JSC::testProbeModifiesProgramCounter):
603         (JSC::testProbeModifiesStackValues):
604         (JSC::testByteSwap):
605         (JSC::testMoveDoubleConditionally32):
606         (JSC::testMoveDoubleConditionally64):
607         (JSC::testCagePreservesPACFailureBit):
608
609 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
610
611         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
612         https://bugs.webkit.org/show_bug.cgi?id=201366
613
614         Reviewed by Saam Barati.
615
616         It is possible for the log buffer to be full right as someone is trying to
617         log a function prologue. In such a case the machine stack has already been
618         updated to include the new JavaScript call frame, but the prologue packet
619         cannot be included in the update because the log is full. This would mean
620         that the update fails to rationalize the machine stack with the shadow
621         log / stack. Namely, the current JavaScript call frame is unable to
622         find a matching prologue (the one we are holding to include after the update)
623         and inserts a questionable value into the stack; and in the process
624         missing and removing real potential tail calls.
625
626         For example:
627         
628             "use strict";
629             function third() { return 1; }
630             function second() { return third(); }
631             function first() { return second(); }
632             function start() { return first(); }
633
634         If the the log fills up just as we are entering `b` then we may have a list
635         full log of packets looking like:
636
637           Shadow Log:
638             ...
639             { prologue-packet: entering `start` ... }
640             { prologue-packet: entering `first` ... }
641             { tail-packet: leaving `first` with a tail call }
642
643           Incoming Packet:
644             { prologue-packet: entering `second` ... }
645
646           Current JS Stack:
647             second
648             start
649
650         Since the Current JavaScript stack already has `second`, if we process the
651         log without the prologue for `second` then we push a confused entry on the
652         shadow stack and clear the log such that we eventually lose the tail-call
653         information for `first` to `second`.
654
655         This patch solves this issue by providing enough extra space in the log
656         to always process the incoming packet when that forces an update. This way
657         clients can continue to behave exactly as they are.
658
659         --
660
661         We also document a corner case in some circumstances where the shadow
662         log may currently be insufficient to know how to reconcile:
663         
664         For example:
665
666             "use strict";
667             function third() { return 1; }
668             function second() { return third(); }
669             function first() { return second(); }
670             function doNothingTail() { return Math.random() }
671             function start() {
672                 for (i=0;i<1000;++i) doNothingTail();
673                 return first();
674             }
675
676         In this case the ShadowChicken log may be processed multiple times due
677         to the many calls to `doNothingTail` / `Math.random()`. When calling the
678         Native function no prologue packet is emitted, so it is unclear that we
679         temporarly go deeper and come back out on the stack, so the log appears
680         to have lots of doNothingTail calls reusing the same frame:
681
682           Shadow Log:
683             ...
684             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
685             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
686             , [125] tail-packet:{frame = 0x7ffeef8971f0}
687             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
688             , [127] tail-packet:{frame = 0x7ffeef8971f0}
689             ...
690             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
691             , [141] tail-packet:{frame = 0x7ffeef8971f0}
692             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
693             , [143] tail-packet:{frame = 0x7ffeef8971f0}
694             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
695             , [145] tail-packet:{frame = 0x7ffeef8971f0}
696             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
697             ...
698
699         This log would seem to be indistinguishable from real tail recursion, such as:
700
701             "use strict";
702             function third() { return 1; }
703             function second() { return third(); }
704             function first() { return second(); }
705             function doNothingTail(n) {
706                 return n ? doNothingTail(n-1) : first();
707             }
708             function start() {
709                 return doNothingTail(1000);
710             }
711
712         Likewise there are more cases where the shadow log appears to be ambiguous with determining
713         the appropriate parent call frame with intermediate function calls. In practice this may
714         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
715         It seems likely we would only show additional frames that did in fact happen serially
716         between JavaScript call frames, but may not actually be the proper parent frames
717         heirachy in the stack.
718
719         * interpreter/ShadowChicken.cpp:
720         (JSC::ShadowChicken::Packet::dump const):
721         (JSC::ShadowChicken::Frame::dump const):
722         (JSC::ShadowChicken::dump const):
723         Improved debugging output. Especially for functions.
724
725         (JSC::ShadowChicken::ShadowChicken):
726         Make space in the log for 1 additional packet to process when we slow log.
727
728         (JSC::ShadowChicken::log):
729         Include this packet in our update.
730
731         (JSC::ShadowChicken::update):
732         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
733
734 2019-09-05  Mark Lam  <mark.lam@apple.com>
735
736         Refactor the Gigacage code to require less pointer casting.
737         https://bugs.webkit.org/show_bug.cgi?id=201521
738
739         Reviewed by Saam Barati.
740
741         Change LLInt's loadCagedJSValue() to skip the caging if Gigacage is not enabled
742         in the build.  This allows us to remove the unneeded stubs in WTF Gigacage.h.
743
744         * jit/AssemblyHelpers.h:
745         (JSC::AssemblyHelpers::cageConditionally):
746         * llint/LowLevelInterpreter.asm:
747         * llint/LowLevelInterpreter64.asm:
748         * runtime/VM.h:
749         (JSC::VM::gigacageAuxiliarySpace):
750
751 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
752
753         Unreviewed, follow-up after r249530 and r249509
754         https://bugs.webkit.org/show_bug.cgi?id=201495
755
756         Rename FTLOutput::weakPointer to alreadyRegisteredWeakPointer and alreadyRegisteredFrozenPointer.
757
758         * builtins/PromiseConstructor.js:
759         (nakedConstructor.Promise.resolve):
760         (nakedConstructor.Promise.reject):
761         (nakedConstructor.Promise):
762         (nakedConstructor.InternalPromise.resolve):
763         (nakedConstructor.InternalPromise.reject):
764         (nakedConstructor.InternalPromise):
765         * ftl/FTLLowerDFGToB3.cpp:
766         (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
767         (JSC::FTL::DFG::LowerDFGToB3::frozenPointer):
768         (JSC::FTL::DFG::LowerDFGToB3::weakStructure):
769         * ftl/FTLOutput.h:
770         (JSC::FTL::Output::alreadyRegisteredWeakPointer):
771         (JSC::FTL::Output::alreadyRegisteredFrozenPointer):
772         (JSC::FTL::Output::weakPointer): Deleted.
773
774 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
775
776         [JSC] Generalize Get/PutPromiseInternalField for InternalFieldObjectImpl
777         https://bugs.webkit.org/show_bug.cgi?id=201513
778
779         Reviewed by Ross Kirsling.
780
781         This patch extracts JSPromise's internal fields mechanism as JSInternalFieldsObjectImpl, and make it reusable for the other objects.
782         It is preparation for using this internal fields mechanism for generators, async functions, async generators, array iterators and so on.
783
784         The profiler is telling many recompilation of Generator's resume function (including async generator's one). We are using properties
785         with private-symbols as a storage for internal state of generators. However, the spec defines that each generator from different generator-functions
786         has different [[Prototype]]. While we need to share one Generator.prototype.next function, generators tend to have different Structures due to
787         different [[Prototype]] and accessing internal fields with `get_by_id_direct` sadly becomes super megamorphic while it is not necessary.
788         And every time new Structure for new generator pops up, DFG/FTL code for generator resume function gets OSR exit or eventually this function gets
789         emits super generic code unfortunately. By using internal fields for storing these state, we can avoid this performance problem.
790
791         Bytecodes and corresponding DFG nodes are just renamed. JSPromise is now inheriting JSInternalFieldsObjectImpl, which can holds specified
792         number of internal fields. And op_get_internal_field / op_put_internal_field can access these internal fields.
793
794         * CMakeLists.txt:
795         * JavaScriptCore.xcodeproj/project.pbxproj:
796         * bytecode/BytecodeList.rb:
797         * bytecode/BytecodeUseDef.h:
798         (JSC::computeUsesForBytecodeOffset):
799         (JSC::computeDefsForBytecodeOffset):
800         * bytecode/CodeBlock.cpp:
801         (JSC::CodeBlock::finishCreation):
802         * bytecode/Opcode.h:
803         * bytecompiler/BytecodeGenerator.cpp:
804         (JSC::BytecodeGenerator::emitGetInternalField):
805         (JSC::BytecodeGenerator::emitPutInternalField):
806         (JSC::BytecodeGenerator::emitGetPromiseInternalField): Deleted.
807         (JSC::BytecodeGenerator::emitPutPromiseInternalField): Deleted.
808         * bytecompiler/BytecodeGenerator.h:
809         * bytecompiler/NodesCodegen.cpp:
810         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
811         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
812         * dfg/DFGAbstractInterpreterInlines.h:
813         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
814         * dfg/DFGByteCodeParser.cpp:
815         (JSC::DFG::ByteCodeParser::parseBlock):
816         * dfg/DFGCapabilities.cpp:
817         (JSC::DFG::capabilityLevel):
818         * dfg/DFGClobberize.h:
819         (JSC::DFG::clobberize):
820         * dfg/DFGDoesGC.cpp:
821         (JSC::DFG::doesGC):
822         * dfg/DFGFixupPhase.cpp:
823         (JSC::DFG::FixupPhase::fixupNode):
824         * dfg/DFGMayExit.cpp:
825         * dfg/DFGNode.h:
826         (JSC::DFG::Node::hasInternalFieldIndex):
827         (JSC::DFG::Node::hasHeapPrediction):
828         * dfg/DFGNodeType.h:
829         * dfg/DFGPredictionPropagationPhase.cpp:
830         * dfg/DFGSafeToExecute.h:
831         (JSC::DFG::safeToExecute):
832         * dfg/DFGSpeculativeJIT.cpp:
833         (JSC::DFG::SpeculativeJIT::compileGetInternalField):
834         (JSC::DFG::SpeculativeJIT::compilePutInternalField):
835         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
836         (JSC::DFG::SpeculativeJIT::compileNewPromise):
837         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField): Deleted.
838         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField): Deleted.
839         * dfg/DFGSpeculativeJIT.h:
840         * dfg/DFGSpeculativeJIT32_64.cpp:
841         (JSC::DFG::SpeculativeJIT::compile):
842         * dfg/DFGSpeculativeJIT64.cpp:
843         (JSC::DFG::SpeculativeJIT::compile):
844         * dfg/DFGStoreBarrierInsertionPhase.cpp:
845         * ftl/FTLAbstractHeapRepository.h:
846         * ftl/FTLCapabilities.cpp:
847         (JSC::FTL::canCompile):
848         * ftl/FTLLowerDFGToB3.cpp:
849         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
850         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
851         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
852         (JSC::FTL::DFG::LowerDFGToB3::compileGetInternalField):
853         (JSC::FTL::DFG::LowerDFGToB3::compilePutInternalField):
854         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField): Deleted.
855         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField): Deleted.
856         * jit/JIT.cpp:
857         (JSC::JIT::privateCompileMainPass):
858         * jit/JIT.h:
859         * jit/JITPropertyAccess.cpp:
860         (JSC::JIT::emit_op_get_internal_field):
861         (JSC::JIT::emit_op_put_internal_field):
862         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
863         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
864         * jit/JITPropertyAccess32_64.cpp:
865         (JSC::JIT::emit_op_get_internal_field):
866         (JSC::JIT::emit_op_put_internal_field):
867         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
868         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
869         * llint/LLIntOffsetsExtractor.cpp:
870         * llint/LowLevelInterpreter.asm:
871         * llint/LowLevelInterpreter32_64.asm:
872         * llint/LowLevelInterpreter64.asm:
873         * runtime/JSInternalFieldObjectImpl.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
874         (JSC::JSInternalFieldObjectImpl::allocationSize):
875         (JSC::JSInternalFieldObjectImpl::internalField const):
876         (JSC::JSInternalFieldObjectImpl::internalField):
877         (JSC::JSInternalFieldObjectImpl::offsetOfInternalFields):
878         (JSC::JSInternalFieldObjectImpl::offsetOfInternalField):
879         (JSC::JSInternalFieldObjectImpl::JSInternalFieldObjectImpl):
880         * runtime/JSInternalFieldObjectImplInlines.h: Added.
881         (JSC::JSInternalFieldObjectImpl<passedNumberOfInternalFields>::visitChildren):
882         * runtime/JSPromise.cpp:
883         (JSC::JSPromise::finishCreation):
884         (JSC::JSPromise::visitChildren):
885         (JSC::JSPromise::status const):
886         (JSC::JSPromise::result const):
887         (JSC::JSPromise::isHandled const):
888         * runtime/JSPromise.h:
889         (JSC::JSPromise::allocationSize): Deleted.
890         (JSC::JSPromise::offsetOfInternalFields): Deleted.
891         (JSC::JSPromise::offsetOfInternalField): Deleted.
892         (): Deleted.
893
894 2019-09-05  Commit Queue  <commit-queue@webkit.org>
895
896         Unreviewed, rolling out r247463.
897         https://bugs.webkit.org/show_bug.cgi?id=201515
898
899         JetStream2 code-load related regression (Requested by
900         yusukesuzuki on #webkit).
901
902         Reverted changeset:
903
904         "Keyword lookup can use memcmp to get around unaligned load
905         undefined behavior"
906         https://bugs.webkit.org/show_bug.cgi?id=199650
907         https://trac.webkit.org/changeset/247463
908
909 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
910
911         LazyClassStructure::setConstructor should not store the constructor to the global object
912         https://bugs.webkit.org/show_bug.cgi?id=201484
913         <rdar://problem/50400451>
914
915         Reviewed by Yusuke Suzuki.
916
917         LazyClassStructure::setConstructor sets the constructor as a property of the global object.
918         This became a problem when it started being used for WebAssembly constructors, such as Module
919         and Instance, since they are properties of the WebAssembly object, not the global object. That
920         resulted in properties of the global object replaced whenever a lazy WebAssembly constructor
921         was first accessed. e.g.
922
923         globalThis.Module = x;
924         WebAssembly.Module;
925         globalThis.Module === WebAssembly.Module;
926
927         * runtime/LazyClassStructure.cpp:
928         (JSC::LazyClassStructure::Initializer::setConstructor):
929         * runtime/LazyClassStructure.h:
930         * runtime/Lookup.h:
931         (JSC::reifyStaticProperty):
932
933 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
934
935         [JSC] Do not use FTLOutput::weakPointer directly
936         https://bugs.webkit.org/show_bug.cgi?id=201495
937
938         Reviewed by Filip Pizlo.
939
940         FTLOutput::weakPointer does not register the cell as a weak pointer.
941         CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion.
942         While the current implementation is not posing correctness issue since these cells are live so long as JSGlobalObject is live,
943         and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function.
944         For FrozenValue, we should use frozenPointer helper function.
945
946         * ftl/FTLLowerDFGToB3.cpp:
947         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
948         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
949
950 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
951
952         Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression
953         https://bugs.webkit.org/show_bug.cgi?id=201373
954
955         * bytecode/BytecodeList.rb:
956         * bytecode/BytecodeUseDef.h:
957         (JSC::computeUsesForBytecodeOffset):
958         (JSC::computeDefsForBytecodeOffset):
959         * bytecompiler/BytecodeGenerator.cpp:
960         (JSC::BytecodeGenerator::BytecodeGenerator):
961         (JSC::BytecodeGenerator::emitLoopHint):
962         (JSC::BytecodeGenerator::emitCheckTraps):
963         * bytecompiler/BytecodeGenerator.h:
964         * dfg/DFGByteCodeParser.cpp:
965         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
966         (JSC::DFG::ByteCodeParser::parseBlock):
967         * dfg/DFGCapabilities.cpp:
968         (JSC::DFG::capabilityLevel):
969         * jit/JIT.cpp:
970         (JSC::JIT::emitEnterOptimizationCheck):
971         (JSC::JIT::privateCompileMainPass):
972         (JSC::JIT::privateCompileSlowCases):
973         * jit/JIT.h:
974         * jit/JITOpcodes.cpp:
975         (JSC::JIT::emit_op_enter):
976         (JSC::JIT::emit_op_loop_hint):
977         (JSC::JIT::emitSlow_op_loop_hint):
978         (JSC::JIT::emit_op_check_traps):
979         (JSC::JIT::emitSlow_op_check_traps):
980         (JSC::JIT::emitSlow_op_enter): Deleted.
981         * jit/JITOpcodes32_64.cpp:
982         (JSC::JIT::emit_op_enter):
983         * llint/LowLevelInterpreter.asm:
984         * llint/LowLevelInterpreter32_64.asm:
985         * llint/LowLevelInterpreter64.asm:
986         * runtime/CommonSlowPaths.cpp:
987         (JSC::SLOW_PATH_DECL):
988         * runtime/CommonSlowPaths.h:
989
990 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
991
992         Unreviewed, rebaseline builtin generator test results
993         https://bugs.webkit.org/show_bug.cgi?id=200898
994
995         Rebaseline the result files.
996
997         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
998         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
999         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1000         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1001         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1002         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1003         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1004         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1005         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1006         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1007         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1008         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1009         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1010
1011 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1012
1013         [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen
1014         https://bugs.webkit.org/show_bug.cgi?id=201485
1015
1016         Reviewed by Tadeu Zagallo.
1017
1018         FunctionOverrides is a per-process singleton for registering overrides information. But we are accessing
1019         it without taking a lock. If multiple threads with multiple VMs are accessing this concurrently, we have
1020         a race issue like,
1021
1022         1. While one thread is adding overrides information,
1023         2. Another thread is accessing this hash table.
1024
1025         This patch adds a lock to make sure that only one thread can access this registry.
1026
1027         * tools/FunctionOverrides.cpp:
1028         (JSC::FunctionOverrides::FunctionOverrides):
1029         (JSC::FunctionOverrides::reinstallOverrides):
1030         (JSC::FunctionOverrides::initializeOverrideFor):
1031         (JSC::FunctionOverrides::parseOverridesInFile):
1032         * tools/FunctionOverrides.h:
1033         (JSC::FunctionOverrides::clear):
1034
1035 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1036
1037         [JSC] Make Promise implementation faster
1038         https://bugs.webkit.org/show_bug.cgi?id=200898
1039
1040         Reviewed by Saam Barati.
1041
1042         This is the major change of the Promise implementation and it improves JetStream2/async-fs by 62%.
1043
1044         1. Make JSPromise C++ friendly
1045
1046             Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise.
1047             This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these
1048             fields from C++ easy. Moreover, this patch reduces # of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal
1049             fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL
1050             supports. They are similar to GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand
1051             this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1].
1052
1053             We also add JSPromiseType as JSType. And structures for JSPromise should have that. So that now `@isPromise` is efficiently implemented.
1054             This also requires adding SpecPromiseObject and PromiseObjectUse to DFG.
1055
1056             Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension
1057             is filed in [2].
1058
1059         2. Make JSPromise constructor JS friendly
1060
1061             The old JSPromise constructor was very inefficient: JSPromise constructor is InternalFunction in C++, and in it, it
1062             calls `initializePromise` JS function. And this `initializePromise` function invokes `executor` function passed by user program.
1063             If we can implement JSPromise constructor fully in JS, we can recognize `executor` and we have a chance to fully inline them.
1064             Unfortunately, we cannot inline JSPromise constructor for now since it takes 120 bytecode cost while our inlining threshold for
1065             construct is 100. We might want to investigate getting it inlined in the future[3].
1066
1067             We can avoid C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces @nakedConstructor
1068             annotation to builtin JS. And this is propagated as `ConstructorKind::Naked`. If this kind is attached, the bytecode generator
1069             do not emit `op_create_this` implicitly and the constructor does not return `this` object implicitly. The naked constructor allows
1070             us to emit bare-metal bytecode, specifically necessary to allocate non-final JSObject from JS constructor. We introduce op_create_promise,
1071             which is similar to op_create_this, but it allocates JSPromise. And by using @createPromise bytecode intrinsic, we implement
1072             JSPromise constructor fully in JS.
1073             With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4].
1074
1075         3. DFG supports for JSPromise operations
1076
1077             This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis,
1078             and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate
1079             promises. CreatePromise and NewPromise have `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG.
1080             When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism
1081             used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile
1082             can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable
1083             in DFG, we connect watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's
1084             structure is invalidated: `callee.prototype` is replaced.
1085
1086         4. Avoid creating unnecessary promises
1087
1088             Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. And some of promise creation can be avoided.
1089             For example, when resolving a value with `Promise.resolve`, if a value is promise and if it's `then` method is the builtin `then`, we can avoid creating
1090             intermediate promise. To handle these things well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They
1091             take `onFulfilled` and `onRejected` handlers and they do not need an intermediate promise for resolving. This removes internal promise allocations
1092             in major cases and makes promise / async-functions efficient. And we also expose builtin `then` function as `@then`, and insert `@isPromise(xxx) && then === @then`
1093             check to take a fast path. We introduced four types of promise reactions to avoid some of object allocations. And microtask reaction is handling these four types.
1094
1095         5. Avoid creating resolving-functions and promise capabilities
1096
1097             Resolving functions have `alreadyResolved` flag to prevent calling `resolve` and `reject` multiple times. For the first resolving function creation, this
1098             patch embeds one bit flag to JSPromise itself which indicates `alreadyResolved` in the first created resolving functions (resolving functions can be later
1099             created again for the same promise. In that case, we just create a usual resolving functions). By doing so, we avoid unnecessary resolving functions
1100             and promise capability allocations. We introduce a wrapper function `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`.
1101             The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with the calls to these functions, e.g. replacing
1102             `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`.
1103             This mechanism will be used to drop JSPromiseDeferred in a separate patch.
1104
1105         JetStream2/async-fs results.
1106             ToT:
1107                 Running async-fs:
1108                     Startup: 116.279
1109                     Worst Case: 151.515
1110                     Average: 176.630
1111                     Score: 145.996
1112                     Wall time: 0:01.149
1113
1114             Patched:
1115                 Running async-fs:
1116                     Startup: 166.667
1117                     Worst Case: 267.857
1118                     Average: 299.080
1119                     Score: 237.235
1120                     Wall time: 0:00.683
1121
1122         [1]: https://bugs.webkit.org/show_bug.cgi?id=201159
1123         [2]: https://bugs.webkit.org/show_bug.cgi?id=201160
1124         [3]: https://bugs.webkit.org/show_bug.cgi?id=201452
1125         [4]: https://bugs.webkit.org/show_bug.cgi?id=201158
1126
1127         * CMakeLists.txt:
1128         * JavaScriptCore.xcodeproj/project.pbxproj:
1129         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
1130         (ConstructAbility):
1131         (ConstructorKind):
1132         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
1133         * Scripts/wkbuiltins/builtins_generator.py:
1134         (BuiltinsGenerator.generate_embedded_code_data_for_function):
1135         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
1136         * Scripts/wkbuiltins/builtins_model.py:
1137         (BuiltinFunction.__init__):
1138         (BuiltinFunction.fromString):
1139         * Scripts/wkbuiltins/builtins_templates.py:
1140         * builtins/AsyncFromSyncIteratorPrototype.js:
1141         (next.try):
1142         (next):
1143         (return.try):
1144         (return):
1145         (throw.try):
1146         (throw):
1147         * builtins/AsyncFunctionPrototype.js:
1148         (globalPrivate.asyncFunctionResume):
1149         * builtins/AsyncGeneratorPrototype.js:
1150         (globalPrivate.asyncGeneratorQueueIsEmpty):
1151         (globalPrivate.asyncGeneratorQueueEnqueue):
1152         (globalPrivate.asyncGeneratorQueueDequeue):
1153         (globalPrivate.asyncGeneratorReject):
1154         (globalPrivate.asyncGeneratorResolve):
1155         (globalPrivate.asyncGeneratorYield):
1156         (onRejected):
1157         (globalPrivate.awaitValue):
1158         (onFulfilled):
1159         (globalPrivate.doAsyncGeneratorBodyCall):
1160         (globalPrivate.asyncGeneratorResumeNext):
1161         (globalPrivate.asyncGeneratorEnqueue):
1162         (globalPrivate.asyncGeneratorDequeue): Deleted.
1163         (const.onRejected): Deleted.
1164         (const.onFulfilled): Deleted.
1165         (globalPrivate.asyncGeneratorResumeNext.): Deleted.
1166         * builtins/BuiltinExecutableCreator.h:
1167         * builtins/BuiltinExecutables.cpp:
1168         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1169         (JSC::BuiltinExecutables::createDefaultConstructor):
1170         (JSC::BuiltinExecutables::createBuiltinExecutable):
1171         (JSC::BuiltinExecutables::createExecutable):
1172         (JSC::createBuiltinExecutable): Deleted.
1173         * builtins/BuiltinExecutables.h:
1174         * builtins/BuiltinNames.h:
1175         * builtins/BuiltinUtils.h:
1176         * builtins/ModuleLoader.js:
1177         (forceFulfillPromise):
1178         * builtins/PromiseConstructor.js:
1179         (nakedConstructor.Promise.resolve):
1180         (nakedConstructor.Promise.reject):
1181         (nakedConstructor.Promise):
1182         (nakedConstructor.InternalPromise.resolve):
1183         (nakedConstructor.InternalPromise.reject):
1184         (nakedConstructor.InternalPromise):
1185         * builtins/PromiseOperations.js:
1186         (globalPrivate.newPromiseReaction):
1187         (globalPrivate.newPromiseCapability):
1188         (globalPrivate.newHandledRejectedPromise):
1189         (globalPrivate.triggerPromiseReactions):
1190         (globalPrivate.resolvePromise):
1191         (globalPrivate.rejectPromise):
1192         (globalPrivate.fulfillPromise):
1193         (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck):
1194         (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck):
1195         (globalPrivate.createResolvingFunctions.resolve):
1196         (globalPrivate.createResolvingFunctions.reject):
1197         (globalPrivate.createResolvingFunctions):
1198         (globalPrivate.promiseReactionJobWithoutPromise):
1199         (globalPrivate.resolveWithoutPromise):
1200         (globalPrivate.rejectWithoutPromise):
1201         (globalPrivate.fulfillWithoutPromise):
1202         (resolve):
1203         (reject):
1204         (globalPrivate.createResolvingFunctionsWithoutPromise):
1205         (globalPrivate.promiseReactionJob):
1206         (globalPrivate.promiseResolveThenableJobFast):
1207         (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
1208         (globalPrivate.promiseResolveThenableJob):
1209         (globalPrivate.isPromise): Deleted.
1210         (globalPrivate.newPromiseCapability.executor): Deleted.
1211         (globalPrivate.initializePromise): Deleted.
1212         * builtins/PromisePrototype.js:
1213         (then):
1214         * bytecode/BytecodeIntrinsicRegistry.cpp:
1215         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1216         * bytecode/BytecodeIntrinsicRegistry.h:
1217         * bytecode/BytecodeList.rb:
1218         * bytecode/BytecodeUseDef.h:
1219         (JSC::computeUsesForBytecodeOffset):
1220         (JSC::computeDefsForBytecodeOffset):
1221         * bytecode/CodeBlock.cpp:
1222         (JSC::CodeBlock::finishCreation):
1223         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1224         * bytecode/Opcode.h:
1225         * bytecode/SpeculatedType.cpp:
1226         (JSC::dumpSpeculation):
1227         (JSC::speculationFromClassInfo):
1228         (JSC::speculationFromJSType):
1229         (JSC::speculationFromString):
1230         * bytecode/SpeculatedType.h:
1231         * bytecode/UnlinkedFunctionExecutable.h:
1232         * bytecompiler/BytecodeGenerator.cpp:
1233         (JSC::BytecodeGenerator::generate):
1234         (JSC::BytecodeGenerator::BytecodeGenerator):
1235         (JSC::BytecodeGenerator::emitGetPromiseInternalField):
1236         (JSC::BytecodeGenerator::emitPutPromiseInternalField):
1237         (JSC::BytecodeGenerator::emitCreatePromise):
1238         (JSC::BytecodeGenerator::emitNewPromise):
1239         (JSC::BytecodeGenerator::emitReturn):
1240         * bytecompiler/BytecodeGenerator.h:
1241         (JSC::BytecodeGenerator::promiseRegister):
1242         (JSC::BytecodeGenerator::emitIsPromise):
1243         (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted.
1244         * bytecompiler/NodesCodegen.cpp:
1245         (JSC::promiseInternalFieldIndex):
1246         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
1247         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
1248         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise):
1249         (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise):
1250         (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise):
1251         (JSC::FunctionNode::emitBytecode):
1252         * dfg/DFGAbstractHeap.h:
1253         * dfg/DFGAbstractInterpreterInlines.h:
1254         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1255         * dfg/DFGByteCodeParser.cpp:
1256         (JSC::DFG::ByteCodeParser::parseBlock):
1257         * dfg/DFGCapabilities.cpp:
1258         (JSC::DFG::capabilityLevel):
1259         * dfg/DFGClobberize.h:
1260         (JSC::DFG::clobberize):
1261         * dfg/DFGClobbersExitState.cpp:
1262         (JSC::DFG::clobbersExitState):
1263         * dfg/DFGConstantFoldingPhase.cpp:
1264         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1265         * dfg/DFGDoesGC.cpp:
1266         (JSC::DFG::doesGC):
1267         * dfg/DFGFixupPhase.cpp:
1268         (JSC::DFG::FixupPhase::fixupNode):
1269         * dfg/DFGGraph.cpp:
1270         (JSC::DFG::Graph::dump):
1271         * dfg/DFGHeapLocation.cpp:
1272         (WTF::printInternal):
1273         * dfg/DFGHeapLocation.h:
1274         * dfg/DFGMayExit.cpp:
1275         * dfg/DFGNode.h:
1276         (JSC::DFG::Node::convertToNewPromise):
1277         (JSC::DFG::Node::hasIsInternalPromise):
1278         (JSC::DFG::Node::isInternalPromise):
1279         (JSC::DFG::Node::hasInternalFieldIndex):
1280         (JSC::DFG::Node::internalFieldIndex):
1281         (JSC::DFG::Node::hasHeapPrediction):
1282         (JSC::DFG::Node::hasStructure):
1283         * dfg/DFGNodeType.h:
1284         * dfg/DFGOperations.cpp:
1285         * dfg/DFGOperations.h:
1286         * dfg/DFGPredictionPropagationPhase.cpp:
1287         * dfg/DFGPromotedHeapLocation.cpp:
1288         (WTF::printInternal):
1289         * dfg/DFGPromotedHeapLocation.h:
1290         * dfg/DFGSafeToExecute.h:
1291         (JSC::DFG::SafeToExecuteEdge::operator()):
1292         (JSC::DFG::safeToExecute):
1293         * dfg/DFGSpeculativeJIT.cpp:
1294         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1295         (JSC::DFG::SpeculativeJIT::speculatePromiseObject):
1296         (JSC::DFG::SpeculativeJIT::speculate):
1297         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField):
1298         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField):
1299         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
1300         (JSC::DFG::SpeculativeJIT::compileNewPromise):
1301         * dfg/DFGSpeculativeJIT.h:
1302         * dfg/DFGSpeculativeJIT32_64.cpp:
1303         (JSC::DFG::SpeculativeJIT::compile):
1304         * dfg/DFGSpeculativeJIT64.cpp:
1305         (JSC::DFG::SpeculativeJIT::compile):
1306         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1307         * dfg/DFGUseKind.cpp:
1308         (WTF::printInternal):
1309         * dfg/DFGUseKind.h:
1310         (JSC::DFG::typeFilterFor):
1311         (JSC::DFG::isCell):
1312         * ftl/FTLAbstractHeapRepository.h:
1313         * ftl/FTLCapabilities.cpp:
1314         (JSC::FTL::canCompile):
1315         * ftl/FTLLowerDFGToB3.cpp:
1316         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1317         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1318         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
1319         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1320         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField):
1321         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField):
1322         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1323         (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject):
1324         * jit/JIT.cpp:
1325         (JSC::JIT::privateCompileMainPass):
1326         (JSC::JIT::privateCompileSlowCases):
1327         * jit/JIT.h:
1328         * jit/JITOperations.cpp:
1329         * jit/JITOperations.h:
1330         * jit/JITPropertyAccess.cpp:
1331         (JSC::JIT::emit_op_get_promise_internal_field):
1332         (JSC::JIT::emit_op_put_promise_internal_field):
1333         * jit/JITPropertyAccess32_64.cpp:
1334         (JSC::JIT::emit_op_get_promise_internal_field):
1335         (JSC::JIT::emit_op_put_promise_internal_field):
1336         * llint/LowLevelInterpreter.asm:
1337         * llint/LowLevelInterpreter32_64.asm:
1338         * llint/LowLevelInterpreter64.asm:
1339         * parser/Parser.cpp:
1340         (JSC::Parser<LexerType>::Parser):
1341         (JSC::Parser<LexerType>::parseFunctionInfo):
1342         * parser/Parser.h:
1343         (JSC::parse):
1344         * parser/ParserModes.h:
1345         * runtime/CommonSlowPaths.cpp:
1346         (JSC::SLOW_PATH_DECL):
1347         * runtime/CommonSlowPaths.h:
1348         * runtime/ConstructAbility.h:
1349         * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h.
1350         * runtime/FunctionRareData.cpp:
1351         (JSC::FunctionRareData::FunctionRareData):
1352         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1353         (JSC::FunctionRareData::clear):
1354         * runtime/FunctionRareData.h:
1355         * runtime/InternalFunction.cpp:
1356         (JSC::InternalFunction::createSubclassStructureSlow):
1357         * runtime/InternalFunction.h:
1358         (JSC::InternalFunction::createSubclassStructure):
1359         * runtime/JSCast.h:
1360         * runtime/JSGlobalObject.cpp:
1361         (JSC::enqueueJob):
1362         (JSC::JSGlobalObject::init):
1363         (JSC::JSGlobalObject::visitChildren):
1364         * runtime/JSGlobalObject.h:
1365         (JSC::JSGlobalObject::arrayProtoValuesFunction const):
1366         (JSC::JSGlobalObject::promiseProtoThenFunction const):
1367         (JSC::JSGlobalObject::initializePromiseFunction const): Deleted.
1368         * runtime/JSInternalPromise.cpp:
1369         (JSC::JSInternalPromise::createStructure):
1370         * runtime/JSInternalPromiseConstructor.cpp:
1371         (JSC::JSInternalPromiseConstructor::create):
1372         (JSC::JSInternalPromiseConstructor::createStructure):
1373         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
1374         (JSC::constructPromise): Deleted.
1375         * runtime/JSInternalPromiseConstructor.h:
1376         * runtime/JSInternalPromisePrototype.cpp:
1377         (JSC::JSInternalPromisePrototype::create):
1378         * runtime/JSMicrotask.cpp:
1379         (JSC::createJSMicrotask):
1380         (JSC::JSMicrotask::run):
1381         * runtime/JSMicrotask.h:
1382         * runtime/JSPromise.cpp:
1383         (JSC::JSPromise::createStructure):
1384         (JSC::JSPromise::finishCreation):
1385         (JSC::JSPromise::visitChildren):
1386         (JSC::JSPromise::status const):
1387         (JSC::JSPromise::result const):
1388         (JSC::JSPromise::isHandled const):
1389         (JSC::JSPromise::initialize): Deleted.
1390         * runtime/JSPromise.h:
1391         (JSC::JSPromise::allocationSize):
1392         (JSC::JSPromise::offsetOfInternalFields):
1393         (JSC::JSPromise::offsetOfInternalField):
1394         * runtime/JSPromiseConstructor.cpp:
1395         (JSC::JSPromiseConstructor::create):
1396         (JSC::JSPromiseConstructor::createStructure):
1397         (JSC::JSPromiseConstructor::JSPromiseConstructor):
1398         (JSC::JSPromiseConstructor::finishCreation):
1399         (JSC::constructPromise): Deleted.
1400         (JSC::callPromise): Deleted.
1401         * runtime/JSPromiseConstructor.h:
1402         * runtime/JSPromisePrototype.cpp:
1403         (JSC::JSPromisePrototype::create):
1404         (JSC::JSPromisePrototype::finishCreation):
1405         (JSC::JSPromisePrototype::addOwnInternalSlots):
1406         * runtime/JSPromisePrototype.h:
1407         * runtime/JSType.cpp:
1408         (WTF::printInternal):
1409         * runtime/JSType.h:
1410
1411 2019-09-04  Joseph Pecoraro  <pecoraro@apple.com>
1412
1413         Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based)
1414         https://bugs.webkit.org/show_bug.cgi?id=201262
1415         <rdar://problem/13108764>
1416
1417         Reviewed by Devin Rousso.
1418
1419         When interception is enabled, Network requests that match any of the configured
1420         interception patterns will be paused on the backend and allowed to be modified
1421         by the frontend.
1422
1423         Currently the only time a network request can be intercepted is during the
1424         HTTP response. However, this intercepting interface is mean to extend to
1425         HTTP requests as well.
1426
1427         When a response is to be intercepted a new event is sent to the frontend:
1428
1429           `Network.responseIntercepted` event
1430
1431         With a `requestId` to identify that network request. The frontend
1432         must respond with one of the following commands to continue:
1433
1434           `Network.interceptContinue`     - proceed with the response unmodified
1435           `Network.interceptWithResponse` - provide a response
1436
1437         The response is paused in the meantime.
1438
1439         * inspector/protocol/Network.json:
1440         New interfaces for intercepting network responses and suppling override content.
1441
1442         * Scripts/generate-combined-inspector-json.py:
1443         * inspector/scripts/generate-inspector-protocol-bindings.py:
1444         (generate_from_specification.load_specification):
1445         Complete allowing comments in JSON protocol files.
1446
1447         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1448         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
1449         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1450         Allow optional enums in ObjC interfaces.
1451
1452 2019-09-03  Mark Lam  <mark.lam@apple.com>
1453
1454         Structure::storedPrototype() and storedPrototypeObject() should assert with isCompilationThread(), not !isMainThread().
1455         https://bugs.webkit.org/show_bug.cgi?id=201449
1456
1457         Reviewed by Yusuke Suzuki.
1458
1459         Using !isMainThread() in the assertion also disables the assertion for the mutator
1460         of worker threads.  This is not what we intended.
1461
1462         * runtime/StructureInlines.h:
1463         (JSC::Structure::storedPrototype const):
1464         (JSC::Structure::storedPrototypeObject const):
1465
1466 2019-09-04  Mark Lam  <mark.lam@apple.com>
1467
1468         Disambiguate a symbol used in JSDollarVM.
1469         https://bugs.webkit.org/show_bug.cgi?id=201466
1470         <rdar://problem/51826672>
1471
1472         Reviewed by Tadeu Zagallo.
1473
1474         This was causing a build issue on some internal build.
1475
1476         * tools/JSDollarVM.cpp:
1477
1478 2019-09-03  Mark Lam  <mark.lam@apple.com>
1479
1480         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
1481         https://bugs.webkit.org/show_bug.cgi?id=201309
1482         <rdar://problem/54832121>
1483
1484         Reviewed by Yusuke Suzuki.
1485
1486         * dfg/DFGAbstractInterpreterInlines.h:
1487         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1488         * runtime/JSArrayBufferView.h:
1489         * runtime/JSArrayBufferViewInlines.h:
1490         (JSC::JSArrayBufferView::possiblySharedBufferImpl):
1491         (JSC::JSArrayBufferView::possiblySharedBuffer):
1492         (JSC::JSArrayBufferView::byteOffsetImpl):
1493         (JSC::JSArrayBufferView::byteOffset):
1494         (JSC::JSArrayBufferView::byteOffsetConcurrently):
1495
1496 2019-09-03  Devin Rousso  <drousso@apple.com>
1497
1498         Web Inspector: implement blackboxing of script resources
1499         https://bugs.webkit.org/show_bug.cgi?id=17240
1500         <rdar://problem/5732847>
1501
1502         Reviewed by Joseph Pecoraro.
1503
1504         When a script is blackboxed and the debugger attempts to pause in that script, the pause
1505         reason/data will be saved and execution will continue until it has left the blackboxed
1506         script. Once outside, execution is paused with the saved reason/data.
1507
1508         This is especially useful when debugging issues using libraries/frameworks, as it allows the
1509         developer to "skip" the internal logic of the library/framework and instead focus only on
1510         how they're using it.
1511
1512         * inspector/protocol/Debugger.json:
1513         Add `setShouldBlackboxURL` command.
1514
1515         * inspector/agents/InspectorDebuggerAgent.h:
1516         * inspector/agents/InspectorDebuggerAgent.cpp:
1517         (Inspector::InspectorDebuggerAgent):
1518         (Inspector::InspectorDebuggerAgent::enable):
1519         (Inspector::InspectorDebuggerAgent::updatePauseReasonAndData): Added.
1520         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1521         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
1522         (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): Added.
1523         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
1524         (Inspector::InspectorDebuggerAgent::didParseSource):
1525         (Inspector::InspectorDebuggerAgent::didPause):
1526         (Inspector::InspectorDebuggerAgent::didContinue):
1527         (Inspector::InspectorDebuggerAgent::breakProgram):
1528         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
1529         (Inspector::InspectorDebuggerAgent::clearPauseDetails): Added.
1530         (Inspector::InspectorDebuggerAgent::clearBreakDetails): Deleted.
1531         Renamed "break" to "pause" to match `Debugger` naming.
1532
1533         * debugger/Debugger.h:
1534         * debugger/Debugger.cpp:
1535         (JSC::Debugger::pauseIfNeeded):
1536         (JSC::Debugger::setBlackboxType): Added.
1537         (JSC::Debugger::clearBlackbox): Added.
1538         (JSC::Debugger::isBlacklisted const): Deleted.
1539         (JSC::Debugger::addToBlacklist): Deleted.
1540         (JSC::Debugger::clearBlacklist): Deleted.
1541
1542 2019-09-03  Mark Lam  <mark.lam@apple.com>
1543
1544         Remove the need to pass performJITMemcpy as a pointer.
1545         https://bugs.webkit.org/show_bug.cgi?id=201413
1546
1547         Reviewed by Michael Saboff.
1548
1549         We want performJITMemcpy to always be inlined.  In this patch, we also clean up
1550         some template parameters to use enums instead of booleans to better document the
1551         intent of the code.
1552
1553         * assembler/ARM64Assembler.h:
1554         (JSC::ARM64Assembler::fillNops):
1555         (JSC::ARM64Assembler::linkJump):
1556         (JSC::ARM64Assembler::linkCall):
1557         (JSC::ARM64Assembler::relinkJump):
1558         (JSC::ARM64Assembler::relinkCall):
1559         (JSC::ARM64Assembler::link):
1560         (JSC::ARM64Assembler::linkJumpOrCall):
1561         (JSC::ARM64Assembler::linkCompareAndBranch):
1562         (JSC::ARM64Assembler::linkConditionalBranch):
1563         (JSC::ARM64Assembler::linkTestAndBranch):
1564         (JSC::ARM64Assembler::relinkJumpOrCall):
1565         (JSC::ARM64Assembler::CopyFunction::CopyFunction): Deleted.
1566         (JSC::ARM64Assembler::CopyFunction::operator()): Deleted.
1567         * assembler/ARMv7Assembler.h:
1568         (JSC::ARMv7Assembler::fillNops):
1569         (JSC::ARMv7Assembler::link):
1570         (JSC::ARMv7Assembler::linkJumpT1):
1571         (JSC::ARMv7Assembler::linkJumpT2):
1572         (JSC::ARMv7Assembler::linkJumpT3):
1573         (JSC::ARMv7Assembler::linkJumpT4):
1574         (JSC::ARMv7Assembler::linkConditionalJumpT4):
1575         (JSC::ARMv7Assembler::linkBX):
1576         (JSC::ARMv7Assembler::linkConditionalBX):
1577         * assembler/AbstractMacroAssembler.h:
1578         (JSC::AbstractMacroAssembler::emitNops):
1579         * assembler/LinkBuffer.cpp:
1580         (JSC::LinkBuffer::copyCompactAndLinkCode):
1581         * assembler/MIPSAssembler.h:
1582         (JSC::MIPSAssembler::fillNops):
1583         * assembler/MacroAssemblerARM64.h:
1584         (JSC::MacroAssemblerARM64::link):
1585         * assembler/MacroAssemblerARMv7.h:
1586         (JSC::MacroAssemblerARMv7::link):
1587         * assembler/X86Assembler.h:
1588         (JSC::X86Assembler::fillNops):
1589         * jit/ExecutableAllocator.h:
1590         (JSC::performJITMemcpy):
1591         * runtime/JSCPtrTag.h:
1592
1593 2019-09-03  Devin Rousso  <drousso@apple.com>
1594
1595         REGRESSION (r249078): Flaky crash in com.apple.JavaScriptCore: Inspector::InjectedScriptModule::ensureInjected
1596         https://bugs.webkit.org/show_bug.cgi?id=201201
1597         <rdar://problem/54771560>
1598
1599         Reviewed by Joseph Pecoraro.
1600
1601         * inspector/InjectedScriptSource.js:
1602         (let.InjectedScript.prototype.injectModule):
1603         (let.InjectedScript.prototype._evaluateOn):
1604         (CommandLineAPI):
1605         (let.InjectedScript.prototype.setInspectObject): Deleted.
1606         (let.InjectedScript.prototype.addCommandLineAPIGetter): Deleted.
1607         (let.InjectedScript.prototype.addCommandLineAPIMethod.func.toString): Deleted.
1608         (let.InjectedScript.prototype.addCommandLineAPIMethod): Deleted.
1609         (InjectedScript.CommandLineAPI): Deleted.
1610         Allow injected script "extensions" (e.g. CommandLineAPIModuleSource.js) to modify objects
1611         directly, instead of having them call functions.
1612
1613         * inspector/InjectedScriptModule.cpp:
1614         (Inspector::InjectedScriptModule::ensureInjected):
1615         Make sure to reset `hadException` to `false` before making another call.
1616
1617 2019-09-03  Yusuke Suzuki  <ysuzuki@apple.com>
1618
1619         [JSC] Remove BytecodeGenerator::emitPopScope
1620         https://bugs.webkit.org/show_bug.cgi?id=201395
1621
1622         Reviewed by Saam Barati.
1623
1624         Use emitGetParentScope. And this patch also removes several unnecessary mov bytecode emissions.
1625
1626         * bytecompiler/BytecodeGenerator.cpp:
1627         (JSC::BytecodeGenerator::popLexicalScopeInternal):
1628         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1629         (JSC::BytecodeGenerator::emitPopWithScope):
1630         (JSC::BytecodeGenerator::emitPopScope): Deleted.
1631         * bytecompiler/BytecodeGenerator.h:
1632
1633 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
1634
1635         [JSC] Merge op_check_traps into op_enter and op_loop_hint
1636         https://bugs.webkit.org/show_bug.cgi?id=201373
1637
1638         Reviewed by Mark Lam.
1639
1640         This patch removes op_check_traps. Previously we were conditionally emitting op_check_traps based on Options and Platform configurations.
1641         But now we are always emitting op_check_traps. So it is not necessary to have separate bytecode as op_check_traps. We can do checking in
1642         op_enter and op_loop_hint.
1643
1644         While this patch moves check_traps implementation to op_enter and op_loop_hint, we keep separate DFG nodes (CheckTraps or InvalidationPoint),
1645         since inserted nodes are different based on configurations and options. And emitting multiple DFG nodes from one bytecode is easy.
1646
1647         We also inline op_enter's slow path's write-barrier emission in LLInt.
1648
1649         * bytecode/BytecodeList.rb:
1650         * bytecode/BytecodeUseDef.h:
1651         (JSC::computeUsesForBytecodeOffset):
1652         (JSC::computeDefsForBytecodeOffset):
1653         * bytecompiler/BytecodeGenerator.cpp:
1654         (JSC::BytecodeGenerator::BytecodeGenerator):
1655         (JSC::BytecodeGenerator::emitLoopHint):
1656         (JSC::BytecodeGenerator::emitCheckTraps): Deleted.
1657         * bytecompiler/BytecodeGenerator.h:
1658         * dfg/DFGByteCodeParser.cpp:
1659         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1660         (JSC::DFG::ByteCodeParser::parseBlock):
1661         * dfg/DFGCapabilities.cpp:
1662         (JSC::DFG::capabilityLevel):
1663         * jit/JIT.cpp:
1664         (JSC::JIT::privateCompileMainPass):
1665         (JSC::JIT::privateCompileSlowCases):
1666         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
1667         * jit/JIT.h:
1668         * jit/JITOpcodes.cpp:
1669         (JSC::JIT::emit_op_loop_hint):
1670         (JSC::JIT::emitSlow_op_loop_hint):
1671         (JSC::JIT::emit_op_enter):
1672         (JSC::JIT::emitSlow_op_enter):
1673         (JSC::JIT::emit_op_check_traps): Deleted.
1674         (JSC::JIT::emitSlow_op_check_traps): Deleted.
1675         * jit/JITOpcodes32_64.cpp:
1676         (JSC::JIT::emit_op_enter): Deleted.
1677         * llint/LowLevelInterpreter.asm:
1678         * llint/LowLevelInterpreter32_64.asm:
1679         * llint/LowLevelInterpreter64.asm:
1680         * runtime/CommonSlowPaths.cpp:
1681         * runtime/CommonSlowPaths.h:
1682
1683 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
1684
1685         [JSC] Fix testb3 debug failures
1686         https://bugs.webkit.org/show_bug.cgi?id=201382
1687
1688         Reviewed by Mark Lam.
1689
1690         Fix testb3 debug failures due to incorrect types of operations like pointer + int32.
1691
1692         * b3/testb3_8.cpp:
1693         (testByteCopyLoop):
1694         (testByteCopyLoopStartIsLoopDependent):
1695         (testByteCopyLoopBoundIsLoopDependent):
1696
1697 2019-09-01  Mark Lam  <mark.lam@apple.com>
1698
1699         Speculative build fix for ARMv7 and MIPS.
1700         https://bugs.webkit.org/show_bug.cgi?id=201389
1701
1702         Not reviewed.
1703
1704         * bytecode/CodeBlock.cpp:
1705         (JSC::CodeBlock::jettison):
1706
1707 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1708
1709         [JSC] LLInt op should not emit the same code three times
1710         https://bugs.webkit.org/show_bug.cgi?id=201370
1711
1712         Reviewed by Mark Lam.
1713
1714         LLInt op macro (not llintOp macro) is used to generate some stub code like llint_program_prologue.
1715         But now it generates the same code three times for narrow, wide16, and wide32. We should emit code only once.
1716
1717         * llint/LowLevelInterpreter.asm:
1718
1719 2019-08-30  Mark Lam  <mark.lam@apple.com>
1720
1721         Remove some obsolete statements that have no effect.
1722         https://bugs.webkit.org/show_bug.cgi?id=201357
1723
1724         Reviewed by Saam Barati.
1725
1726         This patch removes 3 statements that look like this:
1727
1728             result->butterfly(); // Ensure that the butterfly is in to-space.
1729
1730         The statement just reads a field and does nothing with it.  This is a no-op
1731         logic-wise, and the comment that accompanies it is obsolete.
1732
1733         * dfg/DFGOperations.cpp:
1734
1735 2019-08-30  Mark Lam  <mark.lam@apple.com>
1736
1737         Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
1738         https://bugs.webkit.org/show_bug.cgi?id=201345
1739
1740         Reviewed by Yusuke Suzuki.
1741
1742         This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
1743         the wrong pointer for capture the cell headerWord and zapReason.  As a result,
1744         we get junk for those 2 values.
1745
1746         Previously, we were only capturing the upper 32-bits of the cell header slot,
1747         and the lower 32-bit of the next slot in the zapped cell.  We now capture the
1748         full 64-bits of both slots.  If the second slot did not contain a zapReason as we
1749         expect, the upper 32-bits might give us a clue as to what type of value the slot
1750         contains.
1751
1752         This patch also adds capturing of the found MarkedBlock address for the zapped
1753         cell, as well as some state bit values.
1754
1755         * heap/SlotVisitor.cpp:
1756         (JSC::SlotVisitor::reportZappedCellAndCrash):
1757
1758 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1759
1760         [JSC] Generate new.target register only when it is used
1761         https://bugs.webkit.org/show_bug.cgi?id=201335
1762
1763         Reviewed by Mark Lam.
1764
1765         Since bytecode generator knows whether new.target register can be used, we should emit and use new.target register
1766         only when it is actually required.
1767
1768         * bytecompiler/BytecodeGenerator.cpp:
1769         (JSC::BytecodeGenerator::BytecodeGenerator):
1770         * bytecompiler/BytecodeGenerator.h:
1771         (JSC::BytecodeGenerator::newTarget):
1772         * parser/Nodes.h:
1773         (JSC::ScopeNode::needsNewTargetRegisterForThisScope const):
1774
1775 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1776
1777         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
1778         https://bugs.webkit.org/show_bug.cgi?id=201331
1779
1780         Reviewed by Mark Lam.
1781
1782         SimpleJumpTable's non-JIT part is not changed after CodeBlock is finalized well. On the other hand, JIT related part is allocated on-demand.
1783         For example, ctiOffsets can be grown by Baseline JIT compiler. There is race condition as follows.
1784
1785             1. DFG ByteCodeParser is inlining and copying SimpleJumpTable
1786             2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable
1787
1788         Then, (1) reads the broken Vector, and crashes. Since JIT-related part is unnecessary in (1), we should not clone that.
1789         This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which only copies non JIT-related part of the given SimpleJumpTable offered
1790         by profiled CodeBlock.
1791
1792         * bytecode/CodeBlock.h:
1793         (JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock):
1794         * bytecode/JumpTable.h:
1795         (JSC::SimpleJumpTable::cloneNonJITPart const):
1796         (JSC::SimpleJumpTable::clear):
1797         * dfg/DFGByteCodeParser.cpp:
1798         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1799
1800 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1801
1802         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
1803         https://bugs.webkit.org/show_bug.cgi?id=201332
1804
1805         Reviewed by Mark Lam.
1806
1807         When inlining setter calls in DFG, result VirtualRegister becomes invalid one. While other call-related DFG code correctly assumes
1808         that `result` may be invalid, only CheckBadCell slow path missed this case. Since this is OSR exit path and VirtualRegister result
1809         does not exist, set BottomValue only when "result" is valid as the other DFG code is doing.
1810
1811         * dfg/DFGByteCodeParser.cpp:
1812         (JSC::DFG::ByteCodeParser::handleInlining):
1813
1814 2019-08-29  Devin Rousso  <drousso@apple.com>
1815
1816         Web Inspector: Debugger: async event listener stack traces should be available in Workers
1817         https://bugs.webkit.org/show_bug.cgi?id=200903
1818
1819         Reviewed by Joseph Pecoraro.
1820
1821         * inspector/agents/InspectorDebuggerAgent.h:
1822         (Inspector::InspectorDebuggerAgent::enabled): Added.
1823         * inspector/agents/InspectorDebuggerAgent.cpp:
1824         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
1825         (Inspector::InspectorDebuggerAgent::enable):
1826         (Inspector::InspectorDebuggerAgent::disable):
1827         Allow subclasses to extend what it means for the `InspectorDebuggerAgent` to be `enabled`.
1828
1829 2019-08-29  Keith Rollin  <krollin@apple.com>
1830
1831         Update .xcconfig symbols to reflect the current set of past and future product versions.
1832         https://bugs.webkit.org/show_bug.cgi?id=200720
1833         <rdar://problem/54305032>
1834
1835         Reviewed by Alex Christensen.
1836
1837         Remove version symbols related to old OS's we no longer support,
1838         ensure that version symbols are defined for OS's we do support.
1839
1840         * Configurations/Base.xcconfig:
1841         * Configurations/DebugRelease.xcconfig:
1842         * Configurations/Version.xcconfig:
1843
1844 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
1845
1846         [JSC] Repatch should construct CallCases and CasesValue at the same time
1847         https://bugs.webkit.org/show_bug.cgi?id=201325
1848
1849         Reviewed by Saam Barati.
1850
1851         In linkPolymorphicCall, we should create callCases and casesValue at the same time to assert `callCases.size() == casesValue.size()`.
1852         If the call variant is isClosureCall and InternalFunction, we skip adding it to casesValue. So we should not add this variant to callCases too.
1853
1854         * jit/Repatch.cpp:
1855         (JSC::linkPolymorphicCall):
1856
1857 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
1858
1859         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
1860         https://bugs.webkit.org/show_bug.cgi?id=198650
1861
1862         Reviewed by Saam Barati.
1863
1864         Object Allocation Sinking phase has a lightweight abstract interpreter which interprets DFG nodes related to allocations and properties.
1865         This interpreter is lightweight since it does not track abstract values and conditions as deeply as AI does. It can happen that this
1866         interpreter interpret the control-flow edge that AI proved that is never taken.
1867         AI already knows some control-flow edges are never taken, and based on this information, AI can remove CheckStructure nodes. But
1868         ObjectAllocationSinking phase can trace this never-taken edges and propagate structure information that contradicts to the analysis
1869         done in ObjectAllocationSinking.
1870
1871         Let's see the example.
1872
1873             BB#0
1874                 35: NewObject([%AM:Object])
1875                 ...
1876                 47: Branch(ConstantTrue, T:#1, F:#2)
1877
1878             BB#1 // This basic block is never taken due to @47's jump.
1879                 ...
1880                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
1881                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
1882                 ...
1883                 XX: Jump(#2)
1884
1885             BB#2
1886                 ...
1887                 92: CheckStructure(@35, [%Dx:Object])
1888                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
1889                 ...
1890
1891         AI removes @92 because AI knows BB#0 only takes BB#1 branch. @35's Structure is always %Dx so @92 is redundant.
1892         AI proved that @71 and @72 are always executed while BB#0 -> BB#2 edge is never taken so that @35 object's structure is proven at @92.
1893         After AI removes @92, ObjectAllocationSinking starts looking into this graph.
1894
1895             BB#0
1896                 35: NewObject([%AM:Object])
1897                 ...
1898                 47: Branch(ConstantTrue, T:#1, F:#2)
1899
1900             BB#1 // This basic block is never taken due to @47's jump.
1901                 ...
1902                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
1903                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
1904                 ...
1905                 XX: Jump(#2)
1906
1907             BB#2
1908                 ...
1909                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
1910                 ...
1911                 YY: Jump(#3)
1912
1913             BB#3
1914                 ...
1915                 ZZ: <HERE> want to materialize @35's sunk object.
1916
1917         Since AI does not change the @47 Branch to Jump (it is OK anyway), BB#0 -> BB#2 edge remains and ObjectAllocationSinking phase propagates information in
1918         BB#0's %AM structure information to BB#2. ObjectAllocationSinking phase converts @35 to PhantomNewObject, removes PutByOffset and PutStructure, and
1919         insert MaterializeNewObject in @ZZ. At this point, ObjectAllocationSinking lightweight interpreter gets two structures while AI gets one: @35's original
1920         one (%AM) and @72's replaced one (%Dx). Since AI already proved @ZZ only gets %Dx, AI removed @92 CheckStructure. But this is not known to ObjectAllocationSinking
1921         phase's interpretation. So when creating recovery data, MultiPutByOffset includes two structures, %AM and %Dx. This is OK since MultiPutByOffset takes
1922         conservative set of structures and performs switching. But the problem here is that %AM's id2{a} offset is -1 since %AM does not have such a property.
1923         So when creating MultiPutByOffset in ObjectAllocationSinking, we accidentally create MultiPutByOffset with -1 offset data, and lowering phase hits the debug
1924         assertion.
1925
1926             187: MultiPutByOffset(@138, @138, id2{a}, <Replace: [%AM:Object], offset = -1, >, <Replace: [%Dx:Object], offset = 0, >)
1927
1928         This bug is harmless since %AM structure comparison never meets at runtime. But we are not considering the case including `-1` offset property in MultiPutByOffset data.
1929         In this patch, we just filter out apparently wrong structures when creating MultiPutByOffset in ObjectAllocationSinking. This is OK since it never comes at runtime.
1930
1931         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1932
1933 2019-08-29  Devin Rousso  <drousso@apple.com>
1934
1935         Web Inspector: DOMDebugger: support event breakpoints in Worker contexts
1936         https://bugs.webkit.org/show_bug.cgi?id=200651
1937
1938         Reviewed by Joseph Pecoraro.
1939
1940         * inspector/protocol/DOMDebugger.json:
1941         Make the domain available in "worker" contexts as well.
1942
1943 2019-08-29  Keith Rollin  <krollin@apple.com>
1944
1945         Remove 32-bit macOS support
1946         https://bugs.webkit.org/show_bug.cgi?id=201282
1947         <rdar://problem/54821667>
1948
1949         Reviewed by Anders Carlsson.
1950
1951         WebKit doesn’t support 32-bit Mac any more, so remove checks and code
1952         for that platform.
1953
1954         * API/JSBase.h:
1955         * runtime/VM.h:
1956
1957 2019-08-29  Keith Rollin  <krollin@apple.com>
1958
1959         Remove support for macOS < 10.13 (part 3)
1960         https://bugs.webkit.org/show_bug.cgi?id=201224
1961         <rdar://problem/54795934>
1962
1963         Reviewed by Darin Adler.
1964
1965         Remove symbols in WebKitTargetConditionals.xcconfig related to macOS
1966         10.13, including WK_MACOS_1013 and WK_MACOS_BEFORE_1013, and suffixes
1967         like _MACOS_SINCE_1013.
1968
1969         * Configurations/WebKitTargetConditionals.xcconfig:
1970
1971 2019-08-29  Mark Lam  <mark.lam@apple.com>
1972
1973         Remove a bad assertion in ByteCodeParser::inlineCall().
1974         https://bugs.webkit.org/show_bug.cgi?id=201292
1975         <rdar://problem/54121659>
1976
1977         Reviewed by Michael Saboff.
1978
1979         In the DFG bytecode parser, we've already computed the inlining cost of a candidate
1980         inlining target, and determine that it is worth inlining before invoking
1981         ByteCodeParser::inlineCall().  However, in ByteCodeParser::inlineCall(), it
1982         recomputes the inlining cost again only for the purpose of asserting that it isn't
1983         too high.
1984
1985         Not consider a badly written test that does the following:
1986
1987             function bar() {
1988                 ...
1989                 foo(); // Call in a hot loop here.
1990                 ...
1991             }
1992
1993             bar(); // <===== foo is inlineable into bar here.
1994             noInline(foo); // <===== Change mind, and make foo not inlineable.
1995             bar();
1996
1997         With this bad test, the following racy scenario can occur:
1998
1999         1. the first invocation of bar() gets hot, and a concurrent compile is kicked off.
2000         2. the compiler thread computes foo()'s inliningCost() and determines that it is
2001            worthy to be inlined, and will imminently call inlineCall().
2002         3. the mutator calls the noInline() test utility on foo(), thereby making it NOT
2003            inlineable.
2004         4. the compiler thread calls inlineCall().  In inlineCall(), it re-computes the
2005            inliningCost for foo() and now finds that it is not inlineable.  An assertion
2006            failure follows.
2007
2008         Technically, the test is in error because noInline() shouldn't be used that way.
2009         However, fuzzers that are not clued into noInline()'s proper usage may generate
2010         code like this.
2011
2012         On the other hand, ByteCodeParser::inlineCall() should not be recomputing that the
2013         inlining cost and asserting on it.  The only reason inlineCall() is invoked is
2014         because it was already previously determined that a target function is inlineable
2015         based on its inlining cost.  Today, in practice, I don't think we have any real
2016         world condition where the mutator can affect the inlining cost of a target
2017         function midway through execution.  So, this assertion isn't a problem if no one
2018         writes a test that abuses noInline().  However, should things change such that the
2019         mutator is able to affect the inlining cost of a target function, then it is
2020         incorrect for the compiler to assume that the inlining cost is immutable.  Once
2021         the compiler decides to inline a function, it should just follow through.
2022
2023         This patch removes this assertion in ByteCodeParser::inlineCall().  It is an
2024         annoyance at best (for fuzzers), and at worst, incorrect if the mutator gains the
2025         ability to affect the inlining cost of a target function.
2026
2027         * dfg/DFGByteCodeParser.cpp:
2028         (JSC::DFG::ByteCodeParser::inlineCall):
2029
2030 2019-08-28  Mark Lam  <mark.lam@apple.com>
2031
2032         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
2033         https://bugs.webkit.org/show_bug.cgi?id=201281
2034         <rdar://problem/54028228>
2035
2036         Reviewed by Yusuke Suzuki and Saam Barati.
2037
2038         This (see title above) is already the preferred idiom used in most places in our
2039         compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
2040         compileStringCharAt().  Consider the following:
2041
2042             bool prototypeChainIsSane = false;
2043             if (globalObject->stringPrototypeChainIsSane()) {
2044                 ...
2045                 m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm()));
2046                 m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm()));
2047
2048                 prototypeChainIsSane = globalObject->stringPrototypeChainIsSane();
2049             }
2050
2051         What's essential for correctness here is that the stringPrototype and objectPrototype
2052         structures be loaded before the loads in the second stringPrototypeChainIsSane()
2053         check.  Without a loadLoadFence before the second stringPrototypeChainIsSane()
2054         check, we can't guarantee that.  Elsewhere in the compiler, the preferred idiom
2055         for doing this right is to pre-load the structures first, do a loadLoadFence, and
2056         then do the IsSane check just once after e.g.
2057
2058             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm);
2059             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm);
2060
2061             if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2062                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2063                 && globalObject->arrayPrototypeChainIsSane()) {
2064
2065                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
2066                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
2067                 ...
2068             }
2069
2070         This patch changes DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
2071         compileStringCharAt() to follow the same idiom.
2072
2073         We also fix a bad assertion in Structure::storedPrototype() and
2074         Structure::storedPrototypeObject().  The assertion is only correct when those
2075         methods are called from the mutator thread.  The assertion has been updated to
2076         only check its test condition if the current thread is the mutator thread.
2077
2078         * dfg/DFGSpeculativeJIT.cpp:
2079         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2080         * ftl/FTLLowerDFGToB3.cpp:
2081         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2082         * runtime/StructureInlines.h:
2083         (JSC::Structure::storedPrototype const):
2084         (JSC::Structure::storedPrototypeObject const):
2085
2086 2019-08-28  Mark Lam  <mark.lam@apple.com>
2087
2088         Placate exception check validation in DFG's operationHasGenericProperty().
2089         https://bugs.webkit.org/show_bug.cgi?id=201245
2090         <rdar://problem/54777512>
2091
2092         Reviewed by Robin Morisset.
2093
2094         * dfg/DFGOperations.cpp:
2095
2096 2019-08-28  Ross Kirsling  <ross.kirsling@sony.com>
2097
2098         Unreviewed. Restabilize non-unified build.
2099
2100         * runtime/PropertySlot.h:
2101
2102 2019-08-28  Mark Lam  <mark.lam@apple.com>
2103
2104         Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks.
2105         https://bugs.webkit.org/show_bug.cgi?id=201006
2106         <rdar://problem/52053991>
2107
2108         Reviewed by Yusuke Suzuki.
2109
2110         We already ensured that it is not possible to overflow in Wasm::FunctionParser's
2111         parse().  It is unnecessary and misleading to do those overflow checks in
2112         AirIRGenerator and B3IRGenerator.  The only check that is necessary is that
2113         m_locals.tryReserveCapacity() is successful, otherwise, we have an out of memory
2114         situation.
2115
2116         This patch changes these unnecessary checks to assertions instead.
2117
2118         * wasm/WasmAirIRGenerator.cpp:
2119         (JSC::Wasm::AirIRGenerator::addLocal):
2120         * wasm/WasmB3IRGenerator.cpp:
2121         (JSC::Wasm::B3IRGenerator::addLocal):
2122         * wasm/WasmValidate.cpp:
2123         (JSC::Wasm::Validate::addLocal):
2124
2125 2019-08-28  Keith Rollin  <krollin@apple.com>
2126
2127         Remove support for macOS < 10.13 (part 2)
2128         https://bugs.webkit.org/show_bug.cgi?id=201197
2129         <rdar://problem/54759985>
2130
2131         Update conditionals that reference WK_MACOS_1013 and suffixes like
2132         _MACOS_SINCE_1013, assuming that we're always building on 10.13 or
2133         later and that these conditionals are always True or False.
2134
2135         See Bug 200694 for earlier changes in this area.
2136
2137         Reviewed by Darin Adler.
2138
2139         * Configurations/FeatureDefines.xcconfig:
2140
2141 2019-08-28  Mark Lam  <mark.lam@apple.com>
2142
2143         Gardening: Rebase test results after r249175.
2144         https://bugs.webkit.org/show_bug.cgi?id=201172
2145
2146         Not reviewed.
2147
2148         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2149         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2150         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2151         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2152         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2153         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2154         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2155
2156 2019-08-27  Michael Saboff  <msaboff@apple.com>
2157
2158         Update PACCage changes for builds without Gigacage, but with signed pointers
2159         https://bugs.webkit.org/show_bug.cgi?id=201202
2160
2161         Reviewed by Saam Barati.
2162
2163         Factored out the untagging of pointers and added that to both the Gigacage enabled
2164         and disabled code paths.  Did this for the LLInt as well as the JITs.
2165
2166         * JavaScriptCore.xcodeproj/project.pbxproj: Added arm64e.rb to offlineasm file list.
2167         * dfg/DFGSpeculativeJIT.cpp:
2168         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
2169         * ftl/FTLLowerDFGToB3.cpp:
2170         (JSC::FTL::DFG::LowerDFGToB3::caged):
2171         * llint/LowLevelInterpreter64.asm:
2172
2173 2019-08-27  Mark Lam  <mark.lam@apple.com>
2174
2175         Refactor to use VM& instead of VM* at as many places as possible.
2176         https://bugs.webkit.org/show_bug.cgi?id=201172
2177
2178         Reviewed by Yusuke Suzuki.
2179
2180         Using VM& documents more clearly that the VM pointer is expected to never be null
2181         in most cases.  There are a few places where it can be null (e.g JSLock, and
2182         DFG::Plan).  Those will be left using a VM*.
2183
2184         Also converted some uses of ExecState* to using VM& instead since the ExecState*
2185         is only there to fetch the VM pointer.  Doing this also reduces the number of
2186         times we have to compute VM* from ExecState*.
2187
2188         This patch is not exhaustive in converting to use VM&, but applies the change to
2189         many commonly used pieces of code for a start.
2190
2191         Also fixed a missing exception check in JSString::toIdentifier() and
2192         JSValue::toPropertyKey() exposed by this patch.
2193
2194         * API/APICast.h:
2195         (toJS):
2196         * API/JSAPIGlobalObject.mm:
2197         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
2198         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
2199         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
2200         (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
2201         (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule):
2202         * API/JSCallbackConstructor.cpp:
2203         (JSC::JSCallbackConstructor::finishCreation):
2204         * API/JSCallbackObjectFunctions.h:
2205         (JSC::JSCallbackObject<Parent>::asCallbackObject):
2206         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
2207         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
2208         (JSC::JSCallbackObject<Parent>::putByIndex):
2209         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
2210         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2211         * API/JSContext.mm:
2212         (-[JSContext dependencyIdentifiersForModuleJSScript:]):
2213         * API/JSObjectRef.cpp:
2214         (JSObjectMakeFunction):
2215         (classInfoPrivate):
2216         (JSObjectGetPrivate):
2217         (JSObjectSetPrivate):
2218         (JSObjectCopyPropertyNames):
2219         (JSPropertyNameAccumulatorAddName):
2220         (JSObjectGetProxyTarget):
2221         * API/JSScriptRef.cpp:
2222         (parseScript):
2223         * API/JSValueRef.cpp:
2224         (JSValueMakeString):
2225         * API/OpaqueJSString.cpp:
2226         (OpaqueJSString::identifier const):
2227         * API/glib/JSCContext.cpp:
2228         (jsc_context_check_syntax):
2229         * KeywordLookupGenerator.py:
2230         (Trie.printSubTreeAsC):
2231         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py:
2232         (BuiltinsWrapperHeaderGenerator.generate_constructor):
2233         * Scripts/wkbuiltins/builtins_templates.py:
2234         * bindings/ScriptFunctionCall.cpp:
2235         (Deprecated::ScriptCallArgumentHandler::appendArgument):
2236         (Deprecated::ScriptFunctionCall::call):
2237         * bindings/ScriptValue.cpp:
2238         (Inspector::jsToInspectorValue):
2239         * builtins/BuiltinExecutables.cpp:
2240         (JSC::BuiltinExecutables::createExecutable):
2241         * builtins/BuiltinNames.cpp:
2242         (JSC::BuiltinNames::BuiltinNames):
2243         * builtins/BuiltinNames.h:
2244         (JSC::BuiltinNames::getPublicName const):
2245         * bytecode/BytecodeDumper.cpp:
2246         (JSC::BytecodeDumper<Block>::vm const):
2247         * bytecode/BytecodeDumper.h:
2248         * bytecode/BytecodeGeneratorification.cpp:
2249         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2250         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
2251         (JSC::BytecodeGeneratorification::run):
2252         * bytecode/BytecodeIntrinsicRegistry.cpp:
2253         (JSC::BytecodeIntrinsicRegistry::sentinelMapBucketValue):
2254         (JSC::BytecodeIntrinsicRegistry::sentinelSetBucketValue):
2255         * bytecode/CallVariant.h:
2256         (JSC::CallVariant::internalFunction const):
2257         (JSC::CallVariant::function const):
2258         (JSC::CallVariant::isClosureCall const):
2259         (JSC::CallVariant::executable const):
2260         (JSC::CallVariant::functionExecutable const):
2261         (JSC::CallVariant::nativeExecutable const):
2262         * bytecode/CodeBlock.cpp:
2263         (JSC::CodeBlock::dumpSource):
2264         (JSC::CodeBlock::CodeBlock):
2265         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
2266         (JSC::CodeBlock::setNumParameters):
2267         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2268         (JSC::CodeBlock::unlinkIncomingCalls):
2269         (JSC::CodeBlock::replacement):
2270         (JSC::CodeBlock::computeCapabilityLevel):
2271         (JSC::CodeBlock::noticeIncomingCall):
2272         (JSC::CodeBlock::nameForRegister):
2273         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2274         * bytecode/CodeBlock.h:
2275         (JSC::CodeBlock::vm const):
2276         (JSC::CodeBlock::numberOfArgumentValueProfiles):
2277         (JSC::CodeBlock::valueProfileForArgument):
2278         * bytecode/DeferredSourceDump.cpp:
2279         (JSC::DeferredSourceDump::DeferredSourceDump):
2280         * bytecode/EvalCodeBlock.h:
2281         * bytecode/FunctionCodeBlock.h:
2282         * bytecode/GetByIdStatus.cpp:
2283         (JSC::GetByIdStatus::computeFromLLInt):
2284         * bytecode/GlobalCodeBlock.h:
2285         (JSC::GlobalCodeBlock::GlobalCodeBlock):
2286         * bytecode/ModuleProgramCodeBlock.h:
2287         * bytecode/ObjectAllocationProfileInlines.h:
2288         (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount):
2289         * bytecode/PolyProtoAccessChain.cpp:
2290         (JSC::PolyProtoAccessChain::create):
2291         * bytecode/ProgramCodeBlock.h:
2292         * bytecode/PropertyCondition.cpp:
2293         (JSC::PropertyCondition::isWatchableWhenValid const):
2294         * bytecode/PutByIdStatus.cpp:
2295         (JSC::PutByIdStatus::computeFromLLInt):
2296         * bytecode/StructureStubInfo.cpp:
2297         (JSC::StructureStubInfo::initGetByIdSelf):
2298         (JSC::StructureStubInfo::initPutByIdReplace):
2299         (JSC::StructureStubInfo::initInByIdSelf):
2300         (JSC::StructureStubInfo::addAccessCase):
2301         (JSC::StructureStubInfo::visitWeakReferences):
2302         * bytecode/UnlinkedCodeBlock.cpp:
2303         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2304         * bytecode/UnlinkedCodeBlock.h:
2305         (JSC::UnlinkedCodeBlock::addSetConstant):
2306         (JSC::UnlinkedCodeBlock::addConstant):
2307         (JSC::UnlinkedCodeBlock::addFunctionDecl):
2308         (JSC::UnlinkedCodeBlock::addFunctionExpr):
2309         * bytecode/UnlinkedEvalCodeBlock.h:
2310         * bytecode/UnlinkedFunctionCodeBlock.h:
2311         * bytecode/UnlinkedFunctionExecutable.cpp:
2312         (JSC::generateUnlinkedFunctionCodeBlock):
2313         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2314         * bytecode/UnlinkedFunctionExecutable.h:
2315         * bytecode/UnlinkedGlobalCodeBlock.h:
2316         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
2317         * bytecode/UnlinkedModuleProgramCodeBlock.h:
2318         * bytecode/UnlinkedProgramCodeBlock.h:
2319         * bytecompiler/BytecodeGenerator.cpp:
2320         (JSC::BytecodeGenerator::BytecodeGenerator):
2321         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
2322         (JSC::BytecodeGenerator::emitDirectPutById):
2323         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
2324         (JSC::BytecodeGenerator::addBigIntConstant):
2325         (JSC::BytecodeGenerator::addTemplateObjectConstant):
2326         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
2327         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
2328         * bytecompiler/BytecodeGenerator.h:
2329         (JSC::BytecodeGenerator::vm const):
2330         (JSC::BytecodeGenerator::propertyNames const):
2331         (JSC::BytecodeGenerator::emitNodeInTailPosition):
2332         (JSC::BytecodeGenerator::emitDefineClassElements):
2333         (JSC::BytecodeGenerator::emitNodeInConditionContext):
2334         * bytecompiler/NodesCodegen.cpp:
2335         (JSC::RegExpNode::emitBytecode):
2336         (JSC::ArrayNode::emitBytecode):
2337         (JSC::FunctionCallResolveNode::emitBytecode):
2338         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
2339         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
2340         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
2341         (JSC::InstanceOfNode::emitBytecode):
2342         * debugger/Debugger.cpp:
2343         * debugger/DebuggerParseData.cpp:
2344         (JSC::gatherDebuggerParseData):
2345         * debugger/DebuggerScope.cpp:
2346         (JSC::DebuggerScope::next):
2347         (JSC::DebuggerScope::name const):
2348         (JSC::DebuggerScope::location const):
2349         * dfg/DFGDesiredIdentifiers.cpp:
2350         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2351         * dfg/DFGDesiredWatchpoints.cpp:
2352         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2353         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
2354         * dfg/DFGFrozenValue.h:
2355         (JSC::DFG::FrozenValue::FrozenValue):
2356         * dfg/DFGGraph.cpp:
2357         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
2358         * dfg/DFGJITCompiler.cpp:
2359         (JSC::DFG::JITCompiler::linkOSRExits):
2360         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2361         (JSC::DFG::JITCompiler::link):
2362         (JSC::DFG::emitStackOverflowCheck):
2363         (JSC::DFG::JITCompiler::compileFunction):
2364         (JSC::DFG::JITCompiler::exceptionCheck):
2365         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
2366         * dfg/DFGJITCompiler.h:
2367         (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
2368         (JSC::DFG::JITCompiler::fastExceptionCheck):
2369         (JSC::DFG::JITCompiler::vm):
2370         * dfg/DFGLazyJSValue.cpp:
2371         (JSC::DFG::LazyJSValue::getValue const):
2372         (JSC::DFG::LazyJSValue::emit const):
2373         * dfg/DFGOSREntry.cpp:
2374         (JSC::DFG::prepareOSREntry):
2375         * dfg/DFGOSRExit.cpp:
2376         (JSC::DFG::OSRExit::compileOSRExit):
2377         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2378         * dfg/DFGOSRExitCompilerCommon.h:
2379         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
2380         * dfg/DFGOperations.cpp:
2381         (JSC::DFG::newTypedArrayWithSize):
2382         (JSC::DFG::binaryOp):
2383         (JSC::DFG::bitwiseBinaryOp):
2384         * dfg/DFGPlan.cpp:
2385         (JSC::DFG::Plan::Plan):
2386         * dfg/DFGSpeculativeJIT.cpp:
2387         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2388         (JSC::DFG::SpeculativeJIT::compileStringSlice):
2389         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2390         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
2391         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2392         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2393         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
2394         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
2395         (JSC::DFG::SpeculativeJIT::emitStringBranch):
2396         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
2397         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
2398         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
2399         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2400         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2401         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2402         (JSC::DFG::SpeculativeJIT::compileSpread):
2403         (JSC::DFG::SpeculativeJIT::compileNewArray):
2404         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2405         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2406         (JSC::DFG::SpeculativeJIT::compileArrayPush):
2407         (JSC::DFG::SpeculativeJIT::compileTypeOf):
2408         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2409         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2410         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
2411         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2412         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2413         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2414         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
2415         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2416         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2417         (JSC::DFG::SpeculativeJIT::compileStringReplace):
2418         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
2419         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
2420         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
2421         (JSC::DFG::SpeculativeJIT::compileObjectKeys):
2422         (JSC::DFG::SpeculativeJIT::compileCreateThis):
2423         (JSC::DFG::SpeculativeJIT::compileNewObject):
2424         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
2425         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
2426         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
2427         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2428         (JSC::DFG::SpeculativeJIT::compileProfileType):
2429         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2430         * dfg/DFGSpeculativeJIT.h:
2431         (JSC::DFG::SpeculativeJIT::vm):
2432         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
2433         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
2434         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2435         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
2436         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
2437         * dfg/DFGSpeculativeJIT32_64.cpp:
2438         (JSC::DFG::SpeculativeJIT::emitCall):
2439         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2440         (JSC::DFG::SpeculativeJIT::emitBranch):
2441         (JSC::DFG::SpeculativeJIT::compile):
2442         * dfg/DFGSpeculativeJIT64.cpp:
2443         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2444         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2445         (JSC::DFG::SpeculativeJIT::emitCall):
2446         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2447         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2448         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2449         (JSC::DFG::SpeculativeJIT::emitBranch):
2450         (JSC::DFG::SpeculativeJIT::compile):
2451         * dfg/DFGThunks.cpp:
2452         (JSC::DFG::osrExitThunkGenerator):
2453         (JSC::DFG::osrExitGenerationThunkGenerator):
2454         (JSC::DFG::osrEntryThunkGenerator):
2455         * dfg/DFGThunks.h:
2456         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2457         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
2458         * dfg/DFGWorklist.cpp:
2459         (JSC::DFG::Worklist::visitWeakReferences):
2460         * dynbench.cpp:
2461         (main):
2462         * ftl/FTLLowerDFGToB3.cpp:
2463         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2464         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2465         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2466         * ftl/FTLThunks.cpp:
2467         (JSC::FTL::genericGenerationThunkGenerator):
2468         (JSC::FTL::osrExitGenerationThunkGenerator):
2469         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
2470         * ftl/FTLThunks.h:
2471         * heap/CellContainer.h:
2472         * heap/CellContainerInlines.h:
2473         (JSC::CellContainer::vm const):
2474         (JSC::CellContainer::heap const):
2475         * heap/CompleteSubspace.cpp:
2476         (JSC::CompleteSubspace::tryAllocateSlow):
2477         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
2478         * heap/GCActivityCallback.h:
2479         * heap/GCAssertions.h:
2480         * heap/HandleSet.cpp:
2481         (JSC::HandleSet::HandleSet):
2482         * heap/HandleSet.h:
2483         (JSC::HandleSet::vm):
2484         * heap/Heap.cpp:
2485         (JSC::Heap::Heap):
2486         (JSC::Heap::lastChanceToFinalize):
2487         (JSC::Heap::releaseDelayedReleasedObjects):
2488         (JSC::Heap::protect):
2489         (JSC::Heap::unprotect):
2490         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
2491         (JSC::Heap::finalizeUnconditionalFinalizers):
2492         (JSC::Heap::completeAllJITPlans):
2493         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
2494         (JSC::Heap::gatherJSStackRoots):
2495         (JSC::Heap::gatherScratchBufferRoots):
2496         (JSC::Heap::removeDeadCompilerWorklistEntries):
2497         (JSC::Heap::isAnalyzingHeap const):
2498         (JSC::Heap::gatherExtraHeapData):
2499         (JSC::Heap::protectedObjectTypeCounts):
2500         (JSC::Heap::objectTypeCounts):
2501         (JSC::Heap::deleteAllCodeBlocks):
2502         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2503         (JSC::Heap::deleteUnmarkedCompiledCode):
2504         (JSC::Heap::checkConn):
2505         (JSC::Heap::runEndPhase):
2506         (JSC::Heap::stopThePeriphery):
2507         (JSC::Heap::finalize):
2508         (JSC::Heap::requestCollection):
2509         (JSC::Heap::sweepInFinalize):
2510         (JSC::Heap::sweepArrayBuffers):
2511         (JSC::Heap::deleteSourceProviderCaches):
2512         (JSC::Heap::didFinishCollection):
2513         (JSC::Heap::addCoreConstraints):
2514         * heap/Heap.h:
2515         * heap/HeapCell.h:
2516         * heap/HeapCellInlines.h:
2517         (JSC::HeapCell::heap const):
2518         (JSC::HeapCell::vm const):
2519         * heap/HeapInlines.h:
2520         (JSC::Heap::vm const):
2521         * heap/IsoSubspacePerVM.cpp:
2522         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
2523         * heap/LargeAllocation.cpp:
2524         (JSC::LargeAllocation::sweep):
2525         (JSC::LargeAllocation::assertValidCell const):
2526         * heap/LargeAllocation.h:
2527         (JSC::LargeAllocation::vm const):
2528         * heap/LocalAllocator.cpp:
2529         (JSC::LocalAllocator::allocateSlowCase):
2530         * heap/MarkedBlock.cpp:
2531         (JSC::MarkedBlock::Handle::Handle):
2532         (JSC::MarkedBlock::aboutToMarkSlow):
2533         (JSC::MarkedBlock::assertMarksNotStale):
2534         (JSC::MarkedBlock::areMarksStale):
2535         (JSC::MarkedBlock::isMarked):
2536         (JSC::MarkedBlock::assertValidCell const):
2537         * heap/MarkedBlock.h:
2538         (JSC::MarkedBlock::Handle::vm const):
2539         (JSC::MarkedBlock::vm const):
2540         * heap/MarkedBlockInlines.h:
2541         (JSC::MarkedBlock::heap const):
2542         (JSC::MarkedBlock::Handle::specializedSweep):
2543         * heap/SlotVisitor.cpp:
2544         (JSC::validate):
2545         * heap/SlotVisitorInlines.h:
2546         (JSC::SlotVisitor::vm):
2547         (JSC::SlotVisitor::vm const):
2548         * heap/StopIfNecessaryTimer.cpp:
2549         (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer):
2550         * heap/StopIfNecessaryTimer.h:
2551         * heap/Strong.h:
2552         (JSC::Strong::operator=):
2553         * heap/WeakSet.h:
2554         (JSC::WeakSet::WeakSet):
2555         (JSC::WeakSet::vm const):
2556         * inspector/JSInjectedScriptHost.cpp:
2557         (Inspector::JSInjectedScriptHost::savedResultAlias const):
2558         (Inspector::JSInjectedScriptHost::internalConstructorName):
2559         (Inspector::JSInjectedScriptHost::subtype):
2560         (Inspector::JSInjectedScriptHost::functionDetails):
2561         (Inspector::constructInternalProperty):
2562         (Inspector::JSInjectedScriptHost::getInternalProperties):
2563         (Inspector::JSInjectedScriptHost::weakMapEntries):
2564         (Inspector::JSInjectedScriptHost::weakSetEntries):
2565         (Inspector::JSInjectedScriptHost::iteratorEntries):
2566         (Inspector::JSInjectedScriptHost::queryInstances):
2567         (Inspector::JSInjectedScriptHost::queryHolders):
2568         * inspector/JSJavaScriptCallFrame.cpp:
2569         (Inspector::valueForScopeLocation):
2570         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2571         (Inspector::JSJavaScriptCallFrame::functionName const):
2572         (Inspector::JSJavaScriptCallFrame::type const):
2573         * inspector/ScriptCallStackFactory.cpp:
2574         (Inspector::extractSourceInformationFromException):
2575         * inspector/agents/InspectorAuditAgent.cpp:
2576         (Inspector::InspectorAuditAgent::populateAuditObject):
2577         * inspector/agents/InspectorHeapAgent.cpp:
2578         (Inspector::InspectorHeapAgent::gc):
2579         * interpreter/FrameTracers.h:
2580         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2581         * interpreter/Interpreter.cpp:
2582         (JSC::Interpreter::executeProgram):
2583         (JSC::Interpreter::prepareForRepeatCall):
2584         (JSC::Interpreter::execute):
2585         (JSC::Interpreter::executeModuleProgram):
2586         * interpreter/StackVisitor.cpp:
2587         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
2588         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2589         * jit/AssemblyHelpers.cpp:
2590         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2591         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
2592         (JSC::AssemblyHelpers::branchIfValue):
2593         * jit/AssemblyHelpers.h:
2594         (JSC::AssemblyHelpers::vm):
2595         * jit/JIT.cpp:
2596         (JSC::JIT::JIT):
2597         (JSC::JIT::emitEnterOptimizationCheck):
2598         (JSC::JIT::privateCompileMainPass):
2599         (JSC::JIT::privateCompileExceptionHandlers):
2600         * jit/JIT.h:
2601         * jit/JITCall.cpp:
2602         (JSC::JIT::compileCallEvalSlowCase):
2603         * jit/JITCall32_64.cpp:
2604         (JSC::JIT::compileCallEvalSlowCase):
2605         * jit/JITExceptions.cpp:
2606         (JSC::genericUnwind):
2607         * jit/JITExceptions.h:
2608         * jit/JITInlineCacheGenerator.cpp:
2609         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2610         * jit/JITOpcodes.cpp:
2611         (JSC::JIT::emit_op_is_undefined):
2612         (JSC::JIT::emit_op_jfalse):
2613         (JSC::JIT::emit_op_jeq_null):
2614         (JSC::JIT::emit_op_jneq_null):
2615         (JSC::JIT::emit_op_jtrue):
2616         (JSC::JIT::emit_op_throw):
2617         (JSC::JIT::emit_op_catch):
2618         (JSC::JIT::emit_op_eq_null):
2619         (JSC::JIT::emit_op_neq_null):
2620         (JSC::JIT::emitSlow_op_loop_hint):
2621         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2622         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2623         * jit/JITOpcodes32_64.cpp:
2624         (JSC::JIT::emit_op_jfalse):
2625         (JSC::JIT::emit_op_jtrue):
2626         (JSC::JIT::emit_op_throw):
2627         (JSC::JIT::emit_op_catch):
2628         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2629         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2630         * jit/JITOperations.cpp:
2631         (JSC::operationNewFunctionCommon):
2632         (JSC::tryGetByValOptimize):
2633         * jit/JITPropertyAccess.cpp:
2634         (JSC::JIT::emitWriteBarrier):
2635         * jit/JITThunks.cpp:
2636         (JSC::JITThunks::ctiNativeCall):
2637         (JSC::JITThunks::ctiNativeConstruct):
2638         (JSC::JITThunks::ctiNativeTailCall):
2639         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
2640         (JSC::JITThunks::ctiInternalFunctionCall):
2641         (JSC::JITThunks::ctiInternalFunctionConstruct):
2642         (JSC::JITThunks::ctiStub):
2643         (JSC::JITThunks::hostFunctionStub):
2644         * jit/JITThunks.h:
2645         * jit/JITWorklist.cpp:
2646         (JSC::JITWorklist::Plan::vm):
2647         (JSC::JITWorklist::completeAllForVM):
2648         (JSC::JITWorklist::poll):
2649         (JSC::JITWorklist::compileLater):
2650         (JSC::JITWorklist::compileNow):
2651         * jit/Repatch.cpp:
2652         (JSC::readPutICCallTarget):
2653         (JSC::ftlThunkAwareRepatchCall):
2654         (JSC::linkSlowFor):
2655         (JSC::linkFor):
2656         (JSC::linkDirectFor):
2657         (JSC::revertCall):
2658         (JSC::unlinkFor):
2659         (JSC::linkVirtualFor):
2660         (JSC::linkPolymorphicCall):
2661         * jit/SpecializedThunkJIT.h:
2662         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
2663         * jit/ThunkGenerator.h:
2664         * jit/ThunkGenerators.cpp:
2665         (JSC::throwExceptionFromCallSlowPathGenerator):
2666         (JSC::slowPathFor):
2667         (JSC::linkCallThunkGenerator):
2668         (JSC::linkPolymorphicCallThunkGenerator):
2669         (JSC::virtualThunkFor):
2670         (JSC::nativeForGenerator):
2671         (JSC::nativeCallGenerator):
2672         (JSC::nativeTailCallGenerator):
2673         (JSC::nativeTailCallWithoutSavedTagsGenerator):
2674         (JSC::nativeConstructGenerator):
2675         (JSC::internalFunctionCallGenerator):
2676         (JSC::internalFunctionConstructGenerator):
2677         (JSC::arityFixupGenerator):
2678         (JSC::unreachableGenerator):
2679         (JSC::stringGetByValGenerator):
2680         (JSC::charToString):
2681         (JSC::charCodeAtThunkGenerator):
2682         (JSC::charAtThunkGenerator):
2683         (JSC::fromCharCodeThunkGenerator):
2684         (JSC::clz32ThunkGenerator):
2685         (JSC::sqrtThunkGenerator):
2686         (JSC::floorThunkGenerator):
2687         (JSC::ceilThunkGenerator):
2688         (JSC::truncThunkGenerator):
2689         (JSC::roundThunkGenerator):
2690         (JSC::expThunkGenerator):
2691         (JSC::logThunkGenerator):
2692         (JSC::absThunkGenerator):
2693         (JSC::imulThunkGenerator):
2694         (JSC::randomThunkGenerator):
2695         (JSC::boundThisNoArgsFunctionCallGenerator):
2696         * jit/ThunkGenerators.h:
2697         * jsc.cpp:
2698         (GlobalObject::finishCreation):
2699         (GlobalObject::addFunction):
2700         (GlobalObject::moduleLoaderImportModule):
2701         (GlobalObject::moduleLoaderResolve):
2702         (GlobalObject::moduleLoaderCreateImportMetaProperties):
2703         (functionDescribe):
2704         (functionDescribeArray):
2705         (JSCMemoryFootprint::addProperty):
2706         (functionRun):
2707         (functionRunString):
2708         (functionReadFile):
2709         (functionCallerSourceOrigin):
2710         (functionReadline):
2711         (functionDollarCreateRealm):
2712         (functionDollarEvalScript):
2713         (functionDollarAgentGetReport):
2714         (functionWaitForReport):
2715         (functionJSCOptions):
2716         (functionCheckModuleSyntax):
2717         (functionGenerateHeapSnapshotForGCDebugging):
2718         (functionWebAssemblyMemoryMode):
2719         (dumpException):
2720         (checkUncaughtException):
2721         * llint/LLIntSlowPaths.cpp:
2722         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2723         (JSC::LLInt::handleHostCall):
2724         * parser/ASTBuilder.h:
2725         (JSC::ASTBuilder::ASTBuilder):
2726         (JSC::ASTBuilder::createResolve):
2727         (JSC::ASTBuilder::createGetterOrSetterProperty):
2728         (JSC::ASTBuilder::createProperty):
2729         (JSC::ASTBuilder::createFuncDeclStatement):
2730         (JSC::ASTBuilder::makeFunctionCallNode):
2731         * parser/Lexer.cpp:
2732         (JSC::Lexer<T>::Lexer):
2733         (JSC::Lexer<LChar>::parseIdentifier):
2734         (JSC::Lexer<UChar>::parseIdentifier):
2735         * parser/Lexer.h:
2736         (JSC::Lexer<T>::lexExpectIdentifier):
2737         * parser/ModuleAnalyzer.cpp:
2738         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2739         * parser/ModuleAnalyzer.h:
2740         (JSC::ModuleAnalyzer::vm):
2741         * parser/Parser.cpp:
2742         (JSC::Parser<LexerType>::Parser):
2743         (JSC::Parser<LexerType>::parseInner):
2744         (JSC::Parser<LexerType>::isArrowFunctionParameters):
2745         (JSC::Parser<LexerType>::parseSourceElements):
2746         (JSC::Parser<LexerType>::parseModuleSourceElements):
2747         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
2748         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2749         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2750         (JSC::Parser<LexerType>::parseSingleFunction):
2751         (JSC::Parser<LexerType>::parseStatementListItem):
2752         (JSC::Parser<LexerType>::parseObjectRestAssignmentElement):
2753         (JSC::Parser<LexerType>::parseAssignmentElement):
2754         (JSC::Parser<LexerType>::parseDestructuringPattern):
2755         (JSC::Parser<LexerType>::parseForStatement):
2756         (JSC::Parser<LexerType>::parseBreakStatement):
2757         (JSC::Parser<LexerType>::parseContinueStatement):
2758         (JSC::Parser<LexerType>::parseStatement):
2759         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
2760         (JSC::Parser<LexerType>::createGeneratorParameters):
2761         (JSC::Parser<LexerType>::parseFunctionInfo):
2762         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2763         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2764         (JSC::Parser<LexerType>::parseClassDeclaration):
2765         (JSC::Parser<LexerType>::parseClass):
2766         (JSC::Parser<LexerType>::parseImportClauseItem):
2767         (JSC::Parser<LexerType>::parseImportDeclaration):
2768         (JSC::Parser<LexerType>::parseExportSpecifier):
2769         (JSC::Parser<LexerType>::parseExportDeclaration):
2770         (JSC::Parser<LexerType>::parseAssignmentExpression):
2771         (JSC::Parser<LexerType>::parseProperty):
2772         (JSC::Parser<LexerType>::parseGetterSetter):
2773         (JSC::Parser<LexerType>::parseObjectLiteral):
2774         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
2775         (JSC::Parser<LexerType>::parseClassExpression):
2776         (JSC::Parser<LexerType>::parseFunctionExpression):
2777         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2778         (JSC::Parser<LexerType>::parsePrimaryExpression):
2779         (JSC::Parser<LexerType>::parseMemberExpression):
2780         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
2781         (JSC::Parser<LexerType>::parseUnaryExpression):
2782         * parser/Parser.h:
2783         (JSC::isArguments):
2784         (JSC::isEval):
2785         (JSC::isEvalOrArgumentsIdentifier):
2786         (JSC::Scope::Scope):
2787         (JSC::Scope::declareParameter):
2788         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
2789         (JSC::Scope::collectFreeVariables):
2790         (JSC::Parser::canRecurse):
2791         (JSC::parse):
2792         (JSC::parseFunctionForFunctionConstructor):
2793         * parser/ParserArena.h:
2794         (JSC::IdentifierArena::makeIdentifier):
2795         (JSC::IdentifierArena::makeEmptyIdentifier):
2796         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
2797         (JSC::IdentifierArena::makeNumericIdentifier):
2798         * parser/SyntaxChecker.h:
2799         (JSC::SyntaxChecker::SyntaxChecker):
2800         (JSC::SyntaxChecker::createProperty):
2801         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2802         * profiler/ProfilerBytecode.cpp:
2803         (JSC::Profiler::Bytecode::toJS const):
2804         * profiler/ProfilerBytecodeSequence.cpp:
2805         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
2806         * profiler/ProfilerBytecodes.cpp:
2807         (JSC::Profiler::Bytecodes::toJS const):
2808         * profiler/ProfilerCompilation.cpp:
2809         (JSC::Profiler::Compilation::toJS const):
2810         * profiler/ProfilerCompiledBytecode.cpp:
2811         (JSC::Profiler::CompiledBytecode::toJS const):
2812         * profiler/ProfilerEvent.cpp:
2813         (JSC::Profiler::Event::toJS const):
2814         * profiler/ProfilerOSRExit.cpp:
2815         (JSC::Profiler::OSRExit::toJS const):
2816         * profiler/ProfilerOSRExitSite.cpp:
2817         (JSC::Profiler::OSRExitSite::toJS const):
2818         * profiler/ProfilerUID.cpp:
2819         (JSC::Profiler::UID::toJS const):
2820         * runtime/AbstractModuleRecord.cpp:
2821         (JSC::AbstractModuleRecord::finishCreation):
2822         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2823         (JSC::AbstractModuleRecord::resolveExportImpl):
2824         (JSC::getExportedNames):
2825         (JSC::AbstractModuleRecord::getModuleNamespace):
2826         * runtime/ArrayBufferNeuteringWatchpointSet.cpp:
2827         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
2828         * runtime/ArrayIteratorPrototype.cpp:
2829         (JSC::ArrayIteratorPrototype::finishCreation):
2830         * runtime/ArrayPrototype.cpp:
2831         (JSC::fastJoin):
2832         (JSC::arrayProtoFuncToLocaleString):
2833         (JSC::slowJoin):
2834         (JSC::arrayProtoFuncJoin):
2835         (JSC::arrayProtoFuncPush):
2836         * runtime/AsyncFunctionPrototype.cpp:
2837         (JSC::AsyncFunctionPrototype::finishCreation):
2838         * runtime/AsyncGeneratorFunctionPrototype.cpp:
2839         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
2840         * runtime/AsyncGeneratorPrototype.cpp:
2841         (JSC::AsyncGeneratorPrototype::finishCreation):
2842         * runtime/AtomicsObject.cpp:
2843         (JSC::AtomicsObject::finishCreation):
2844         (JSC::atomicsFuncWait):
2845         (JSC::operationAtomicsAdd):
2846         (JSC::operationAtomicsAnd):
2847         (JSC::operationAtomicsCompareExchange):
2848         (JSC::operationAtomicsExchange):
2849         (JSC::operationAtomicsIsLockFree):
2850         (JSC::operationAtomicsLoad):
2851         (JSC::operationAtomicsOr):
2852         (JSC::operationAtomicsStore):
2853         (JSC::operationAtomicsSub):
2854         (JSC::operationAtomicsXor):
2855         * runtime/BigIntPrototype.cpp:
2856         (JSC::BigIntPrototype::finishCreation):
2857         (JSC::bigIntProtoFuncToString):
2858         * runtime/CachedTypes.cpp:
2859         (JSC::CachedUniquedStringImplBase::decode const):
2860         (JSC::CachedIdentifier::decode const):
2861         (JSC::CachedJSValue::decode const):
2862         * runtime/CodeCache.cpp:
2863         (JSC::CodeCacheMap::pruneSlowCase):
2864         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2865         * runtime/CodeCache.h:
2866         (JSC::generateUnlinkedCodeBlockImpl):
2867         * runtime/CommonIdentifiers.cpp:
2868         (JSC::CommonIdentifiers::CommonIdentifiers):
2869         * runtime/CommonIdentifiers.h:
2870         * runtime/CommonSlowPaths.cpp:
2871         (JSC::SLOW_PATH_DECL):
2872         * runtime/Completion.cpp:
2873         (JSC::checkSyntaxInternal):
2874         (JSC::checkModuleSyntax):
2875         (JSC::loadAndEvaluateModule):
2876         (JSC::loadModule):
2877         * runtime/DateConstructor.cpp:
2878         (JSC::callDate):
2879         * runtime/DatePrototype.cpp:
2880         (JSC::formatLocaleDate):
2881         (JSC::formateDateInstance):
2882         (JSC::DatePrototype::finishCreation):
2883         (JSC::dateProtoFuncToISOString):
2884         * runtime/Error.cpp:
2885         (JSC::addErrorInfo):
2886         * runtime/ErrorInstance.cpp:
2887         (JSC::appendSourceToError):
2888         (JSC::ErrorInstance::finishCreation):
2889         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2890         * runtime/ErrorPrototype.cpp:
2891         (JSC::ErrorPrototype::finishCreation):
2892         (JSC::errorProtoFuncToString):
2893         * runtime/ExceptionHelpers.cpp:
2894         (JSC::TerminatedExecutionError::defaultValue):
2895         * runtime/FunctionPrototype.cpp:
2896         (JSC::functionProtoFuncToString):
2897         * runtime/FunctionRareData.cpp:
2898         (JSC::FunctionRareData::clear):
2899         * runtime/GeneratorFunctionPrototype.cpp:
2900         (JSC::GeneratorFunctionPrototype::finishCreation):
2901         * runtime/GeneratorPrototype.cpp:
2902         (JSC::GeneratorPrototype::finishCreation):
2903         * runtime/GenericArgumentsInlines.h:
2904         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2905         * runtime/GetterSetter.h:
2906         * runtime/Identifier.cpp:
2907         (JSC::Identifier::add):
2908         (JSC::Identifier::add8):
2909         (JSC::Identifier::from):
2910         (JSC::Identifier::checkCurrentAtomStringTable):
2911         * runtime/Identifier.h:
2912         (JSC::Identifier::fromString):
2913         (JSC::Identifier::createLCharFromUChar):
2914         (JSC::Identifier::Identifier):
2915         (JSC::Identifier::add):
2916         * runtime/IdentifierInlines.h:
2917         (JSC::Identifier::Identifier):
2918         (JSC::Identifier::add):
2919         (JSC::Identifier::fromUid):
2920         (JSC::Identifier::fromString):
2921         (JSC::identifierToJSValue):
2922         (JSC::identifierToSafePublicJSValue):
2923         * runtime/InternalFunction.cpp:
2924         (JSC::InternalFunction::finishCreation):
2925         * runtime/IntlCollator.cpp:
2926         (JSC::IntlCollator::resolvedOptions):
2927         * runtime/IntlCollatorPrototype.cpp:
2928         (JSC::IntlCollatorPrototype::finishCreation):
2929         * runtime/IntlDateTimeFormat.cpp:
2930         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
2931         (JSC::IntlDateTimeFormat::resolvedOptions):
2932         (JSC::IntlDateTimeFormat::format):
2933         (JSC::IntlDateTimeFormat::formatToParts):
2934         * runtime/IntlDateTimeFormatPrototype.cpp:
2935         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2936         * runtime/IntlNumberFormat.cpp:
2937         (JSC::IntlNumberFormat::initializeNumberFormat):
2938         (JSC::IntlNumberFormat::formatNumber):
2939         (JSC::IntlNumberFormat::resolvedOptions):
2940         (JSC::IntlNumberFormat::formatToParts):
2941         * runtime/IntlNumberFormatPrototype.cpp:
2942         (JSC::IntlNumberFormatPrototype::finishCreation):
2943         * runtime/IntlObject.cpp:
2944         (JSC::lookupSupportedLocales):
2945         (JSC::supportedLocales):
2946         (JSC::intlObjectFuncGetCanonicalLocales):
2947         * runtime/IntlPluralRules.cpp:
2948         (JSC::IntlPluralRules::initializePluralRules):
2949         (JSC::IntlPluralRules::resolvedOptions):
2950         (JSC::IntlPluralRules::select):
2951         * runtime/IntlPluralRulesPrototype.cpp:
2952         (JSC::IntlPluralRulesPrototype::finishCreation):
2953         * runtime/JSArray.h:
2954         (JSC::asArray):
2955         (JSC::isJSArray):
2956         * runtime/JSArrayBufferPrototype.cpp:
2957         (JSC::JSArrayBufferPrototype::finishCreation):
2958         * runtime/JSArrayBufferView.cpp:
2959         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
2960         * runtime/JSCJSValue.cpp:
2961         (JSC::JSValue::putToPrimitiveByIndex):
2962         (JSC::JSValue::dumpForBacktrace const):
2963         (JSC::JSValue::toStringSlowCase const):
2964         * runtime/JSCJSValueInlines.h:
2965         (JSC::JSValue::toPropertyKey const):
2966         (JSC::JSValue::get const):
2967         * runtime/JSCast.h:
2968         (JSC::jsCast):
2969         * runtime/JSCell.cpp:
2970         (JSC::JSCell::dump const):
2971         (JSC::JSCell::dumpToStream):
2972         (JSC::JSCell::putByIndex):
2973         * runtime/JSCellInlines.h:
2974         (JSC::JSCell::structure const):
2975         (JSC::ExecState::vm const):
2976         (JSC::tryAllocateCellHelper):
2977         * runtime/JSDataViewPrototype.cpp:
2978         (JSC::JSDataViewPrototype::finishCreation):
2979         * runtime/JSFixedArray.cpp:
2980         (JSC::JSFixedArray::dumpToStream):
2981         * runtime/JSFunction.cpp:
2982         (JSC::JSFunction::finishCreation):
2983         (JSC::RetrieveCallerFunctionFunctor::operator() const):
2984         (JSC::JSFunction::reifyName):
2985         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2986         (JSC::JSFunction::assertTypeInfoFlagInvariants):
2987         * runtime/JSGenericTypedArrayViewInlines.h:
2988         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
2989         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
2990         * runtime/JSGlobalObject.cpp:
2991         (JSC::JSGlobalObject::init):
2992         (JSC::JSGlobalObject::exposeDollarVM):
2993         * runtime/JSGlobalObjectFunctions.cpp:
2994         (JSC::encode):
2995         (JSC::decode):
2996         (JSC::globalFuncEscape):
2997         (JSC::globalFuncUnescape):
2998         (JSC::globalFuncBuiltinDescribe):
2999         * runtime/JSLexicalEnvironment.cpp:
3000         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
3001         * runtime/JSModuleEnvironment.cpp:
3002         (JSC::JSModuleEnvironment::getOwnPropertySlot):
3003         (JSC::JSModuleEnvironment::put):
3004         (JSC::JSModuleEnvironment::deleteProperty):
3005         * runtime/JSModuleLoader.cpp:
3006         (JSC::JSModuleLoader::finishCreation):
3007         (JSC::JSModuleLoader::requestImportModule):
3008         (JSC::moduleLoaderParseModule):
3009         (JSC::moduleLoaderRequestedModules):
3010         * runtime/JSModuleNamespaceObject.cpp:
3011         (JSC::JSModuleNamespaceObject::finishCreation):
3012         (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex):
3013         * runtime/JSModuleRecord.cpp:
3014         (JSC::JSModuleRecord::instantiateDeclarations):
3015         * runtime/JSONObject.cpp:
3016         (JSC::JSONObject::finishCreation):
3017         (JSC::PropertyNameForFunctionCall::value const):
3018         (JSC::Stringifier::Stringifier):
3019         (JSC::Stringifier::stringify):
3020         (JSC::Stringifier::Holder::appendNextProperty):
3021         (JSC::Walker::walk):
3022         * runtime/JSObject.cpp:
3023         (JSC::getClassPropertyNames):
3024         (JSC::JSObject::getOwnPropertySlotByIndex):
3025         (JSC::JSObject::putByIndex):
3026         (JSC::JSObject::deletePropertyByIndex):
3027         (JSC::JSObject::toString const):
3028         (JSC::JSObject::reifyAllStaticProperties):
3029         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3030         * runtime/JSObject.h:
3031         (JSC::JSObject::putByIndexInline):
3032         (JSC::JSObject::butterflyPreCapacity):
3033         (JSC::JSObject::butterflyTotalSize):
3034         (JSC::makeIdentifier):
3035         * runtime/JSPromisePrototype.cpp:
3036         (JSC::JSPromisePrototype::finishCreation):
3037         * runtime/JSPropertyNameEnumerator.cpp:
3038         (JSC::JSPropertyNameEnumerator::finishCreation):
3039         * runtime/JSPropertyNameEnumerator.h:
3040         (JSC::propertyNameEnumerator):
3041         * runtime/JSRunLoopTimer.cpp:
3042         (JSC::JSRunLoopTimer::JSRunLoopTimer):
3043         * runtime/JSRunLoopTimer.h:
3044         * runtime/JSString.cpp:
3045         (JSC::JSString::dumpToStream):
3046         (JSC::JSRopeString::resolveRopeWithFunction const):
3047         (JSC::jsStringWithCacheSlowCase):
3048         * runtime/JSString.h:
3049         (JSC::jsEmptyString):
3050         (JSC::jsSingleCharacterString):
3051         (JSC::jsNontrivialString):
3052         (JSC::JSString::toIdentifier const):
3053         (JSC::JSString::toAtomString const):
3054         (JSC::JSString::toExistingAtomString const):
3055         (JSC::JSString::value const):
3056         (JSC::JSString::tryGetValue const):
3057         (JSC::JSString::getIndex):
3058         (JSC::jsString):
3059         (JSC::jsSubstring):
3060         (JSC::jsOwnedString):
3061         (JSC::jsStringWithCache):
3062         (JSC::JSRopeString::unsafeView const):
3063         (JSC::JSRopeString::viewWithUnderlyingString const):
3064         (JSC::JSString::unsafeView const):
3065         * runtime/JSStringInlines.h:
3066         (JSC::jsMakeNontrivialString):
3067         (JSC::repeatCharacter):
3068         * runtime/JSStringJoiner.cpp:
3069         (JSC::JSStringJoiner::join):
3070         * runtime/JSSymbolTableObject.cpp:
3071         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
3072         * runtime/JSTemplateObjectDescriptor.cpp:
3073         (JSC::JSTemplateObjectDescriptor::createTemplateObject):
3074         * runtime/JSTypedArrayViewPrototype.cpp:
3075         (JSC::typedArrayViewProtoGetterFuncToStringTag):
3076         * runtime/LazyClassStructure.cpp:
3077         (JSC::LazyClassStructure::Initializer::setConstructor):
3078         * runtime/LazyProperty.h:
3079         (JSC::LazyProperty::Initializer::Initializer):
3080         * runtime/LiteralParser.cpp:
3081         (JSC::LiteralParser<CharType>::tryJSONPParse):
3082         (JSC::LiteralParser<CharType>::makeIdentifier):
3083         (JSC::LiteralParser<CharType>::parse):
3084         * runtime/Lookup.h:
3085         (JSC::reifyStaticProperties):
3086         * runtime/MapIteratorPrototype.cpp:
3087         (JSC::MapIteratorPrototype::finishCreation):
3088         * runtime/MapPrototype.cpp:
3089         (JSC::MapPrototype::finishCreation):
3090         * runtime/MathObject.cpp:
3091         (JSC::MathObject::finishCreation):
3092         * runtime/NumberConstructor.cpp:
3093         (JSC::NumberConstructor::finishCreation):
3094         * runtime/NumberPrototype.cpp:
3095         (JSC::numberProtoFuncToExponential):
3096         (JSC::numberProtoFuncToFixed):
3097         (JSC::numberProtoFuncToPrecision):
3098         (JSC::int32ToStringInternal):
3099         (JSC::numberToStringInternal):
3100         (JSC::int52ToString):
3101         * runtime/ObjectConstructor.cpp:
3102         (JSC::objectConstructorGetOwnPropertyDescriptors):
3103         (JSC::objectConstructorAssign):
3104         (JSC::objectConstructorValues):
3105         (JSC::defineProperties):
3106         (JSC::setIntegrityLevel):
3107         (JSC::testIntegrityLevel):
3108         (JSC::ownPropertyKeys):
3109         * runtime/ObjectPrototype.cpp:
3110         (JSC::objectProtoFuncToString):
3111         * runtime/Operations.h:
3112         (JSC::jsString):
3113         (JSC::jsStringFromRegisterArray):
3114         (JSC::jsStringFromArguments):
3115         * runtime/ProgramExecutable.cpp:
3116         (JSC::ProgramExecutable::initializeGlobalProperties):
3117         * runtime/PromiseDeferredTimer.cpp:
3118         (JSC::PromiseDeferredTimer::PromiseDeferredTimer):
3119         (JSC::PromiseDeferredTimer::hasPendingPromise):
3120         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
3121         (JSC::PromiseDeferredTimer::cancelPendingPromise):
3122         * runtime/PropertyNameArray.h:
3123         (JSC::PropertyNameArray::PropertyNameArray):
3124         (JSC::PropertyNameArray::vm):
3125         * runtime/PropertySlot.h:
3126         (JSC::PropertySlot::getValue const):
3127         * runtime/ProxyObject.cpp:
3128         (JSC::performProxyGet):
3129         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3130         (JSC::ProxyObject::performHasProperty):
3131         (JSC::ProxyObject::getOwnPropertySlotByIndex):
3132         (JSC::ProxyObject::performPut):
3133         (JSC::ProxyObject::putByIndexCommon):
3134         (JSC::ProxyObject::performDelete):
3135         (JSC::ProxyObject::deletePropertyByIndex):
3136         (JSC::ProxyObject::performDefineOwnProperty):
3137         (JSC::ProxyObject::performGetOwnPropertyNames):
3138         * runtime/RegExpGlobalData.cpp:
3139         (JSC::RegExpGlobalData::getBackref):
3140         (JSC::RegExpGlobalData::getLastParen):
3141         * runtime/RegExpMatchesArray.cpp:
3142         (JSC::createEmptyRegExpMatchesArray):
3143         * runtime/RegExpMatchesArray.h:
3144         (JSC::createRegExpMatchesArray):
3145         * runtime/RegExpPrototype.cpp:
3146         (JSC::regExpProtoGetterFlags):
3147         (JSC::regExpProtoGetterSourceInternal):
3148         (JSC::regExpProtoGetterSource):
3149         * runtime/RegExpStringIteratorPrototype.cpp:
3150         (JSC::RegExpStringIteratorPrototype::finishCreation):
3151         * runtime/SamplingProfiler.cpp:
3152         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3153         * runtime/ScriptExecutable.cpp:
3154         (JSC::ScriptExecutable::installCode):
3155         (JSC::ScriptExecutable::newCodeBlockFor):
3156         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
3157         (JSC::setupJIT):
3158         * runtime/SetIteratorPrototype.cpp:
3159         (JSC::SetIteratorPrototype::finishCreation):
3160         * runtime/SetPrototype.cpp:
3161         (JSC::SetPrototype::finishCreation):
3162         * runtime/StackFrame.cpp:
3163         (JSC::StackFrame::computeLineAndColumn const):
3164         * runtime/StringConstructor.cpp:
3165         (JSC::stringFromCharCode):
3166         (JSC::stringFromCodePoint):
3167         (JSC::stringConstructor):
3168         (JSC::callStringConstructor):
3169         * runtime/StringIteratorPrototype.cpp:
3170         (JSC::StringIteratorPrototype::finishCreation):
3171         * runtime/StringObject.cpp:
3172         (JSC::StringObject::getOwnPropertySlotByIndex):
3173         (JSC::StringObject::getOwnPropertyNames):
3174         * runtime/StringObject.h:
3175         (JSC::StringObject::create):
3176         (JSC::jsStringWithReuse):
3177         (JSC::jsSubstring):
3178         * runtime/StringPrototype.cpp:
3179         (JSC::StringPrototype::finishCreation):
3180         (JSC::StringPrototype::create):
3181         (JSC::jsSpliceSubstrings):
3182         (JSC::jsSpliceSubstringsWithSeparators):
3183         (JSC::replaceUsingRegExpSearch):
3184         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
3185         (JSC::operationStringProtoFuncReplaceRegExpString):
3186         (JSC::replaceUsingStringSearch):
3187         (JSC::operationStringProtoFuncReplaceGeneric):
3188         (JSC::stringProtoFuncCharAt):
3189         (JSC::stringProtoFuncSplitFast):
3190         (JSC::stringProtoFuncSubstr):
3191         (JSC::stringProtoFuncToLowerCase):
3192         (JSC::stringProtoFuncToUpperCase):
3193         (JSC::toLocaleCase):
3194         (JSC::trimString):
3195         (JSC::normalize):
3196         * runtime/StringPrototypeInlines.h:
3197         (JSC::stringSlice):
3198         * runtime/StringRecursionChecker.cpp:
3199         (JSC::StringRecursionChecker::emptyString):
3200         * runtime/Structure.cpp:
3201         (JSC::Structure::didTransitionFromThisStructure const):
3202         * runtime/StructureInlines.h:
3203         (JSC::Structure::didReplaceProperty):
3204         (JSC::Structure::shouldConvertToPolyProto):
3205         * runtime/SymbolConstructor.cpp:
3206         (JSC::symbolConstructorKeyFor):
3207         * runtime/SymbolPrototype.cpp:
3208         (JSC::SymbolPrototype::finishCreation):
3209         (JSC::symbolProtoGetterDescription):
3210         (JSC::symbolProtoFuncToString):
3211         * runtime/SymbolTable.cpp:
3212         (JSC::SymbolTable::setRareDataCodeBlock):
3213         * runtime/TestRunnerUtils.cpp:
3214         (JSC::getExecutableForFunction):
3215         * runtime/VM.cpp:
3216         (JSC::VM::VM):
3217         (JSC::VM::getHostFunction):
3218         (JSC::VM::getCTIInternalFunctionTrampolineFor):
3219         (JSC::VM::shrinkFootprintWhenIdle):
3220         (JSC::logSanitizeStack):
3221         (JSC::sanitizeStackForVM):
3222         (JSC::VM::emptyPropertyNameEnumeratorSlow):
3223         * runtime/VM.h:
3224         (JSC::VM::getCTIStub):
3225         (JSC::WeakSet::heap const):
3226         * runtime/VMTraps.cpp:
3227         * runtime/WeakMapPrototype.cpp:
3228         (JSC::WeakMapPrototype::finishCreation):
3229         * runtime/WeakObjectRefPrototype.cpp:
3230         (JSC::WeakObjectRefPrototype::finishCreation):
3231         * runtime/WeakSetPrototype.cpp:
3232         (JSC::WeakSetPrototype::finishCreation):
3233         * tools/HeapVerifier.cpp:
3234         (JSC::HeapVerifier::printVerificationHeader):
3235         (JSC::HeapVerifier::verifyCellList):
3236         (JSC::HeapVerifier::validateJSCell):
3237         (JSC::HeapVerifier::reportCell):
3238         * tools/JSDollarVM.cpp:
3239         (JSC::JSDollarVMCallFrame::finishCreation):
3240         (JSC::JSDollarVMCallFrame::addProperty):
3241         (JSC::CustomGetter::getOwnPropertySlot):
3242         (JSC::CustomGetter::customGetter):
3243         (JSC::CustomGetter::customGetterAcessor):
3244         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
3245         (JSC::DOMJITGetter::finishCreation):
3246         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
3247         (JSC::DOMJITGetterComplex::finishCreation):
3248         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
3249         (JSC::DOMJITFunctionObject::finishCreation):
3250         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
3251         (JSC::DOMJITCheckSubClassObject::finishCreation):
3252         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
3253         (JSC::DOMJITGetterBaseJSObject::finishCreation):
3254         (JSC::customSetAccessor):
3255         (JSC::customSetValue):
3256         (JSC::JSTestCustomGetterSetter::finishCreation):
3257         (JSC::WasmStreamingParser::finishCreation):
3258         (JSC::getExecutableForFunction):
3259         (JSC::functionCodeBlockFor):
3260         (JSC::functionIndexingMode):
3261         (JSC::functionValue):
3262         (JSC::functionCreateBuiltin):
3263         (JSC::functionGetPrivateProperty):
3264         (JSC::JSDollarVM::finishCreation):
3265         (JSC::JSDollarVM::addFunction):
3266         (JSC::JSDollarVM::addConstructibleFunction):
3267         * tools/VMInspector.cpp:
3268         (JSC::VMInspector::dumpRegisters):
3269         (JSC::VMInspector::dumpCellMemoryToStream):
3270         * wasm/WasmInstance.cpp:
3271         (JSC::Wasm::Instance::setGlobal):
3272         (JSC::Wasm::Instance::setFunctionWrapper):
3273         (JSC::Wasm::setWasmTableElement):
3274         (JSC::Wasm::doWasmRefFunc):
3275         * wasm/WasmTable.cpp:
3276         (JSC::Wasm::Table::set):
3277         (JSC::Wasm::FuncRefTable::setFunction):
3278         * wasm/js/JSWebAssembly.cpp:
3279         (JSC::resolve):
3280         * wasm/js/JSWebAssemblyInstance.cpp:
3281         (JSC::JSWebAssemblyInstance::create):
3282         * wasm/js/WasmToJS.cpp:
3283         (JSC::Wasm::handleBadI64Use):
3284         (JSC::Wasm::wasmToJS):
3285         (JSC::Wasm::wasmToJSException):
3286         * wasm/js/WebAssemblyFunction.cpp:
3287         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
3288         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3289         (JSC::constructJSWebAssemblyMemory):
3290         * wasm/js/WebAssemblyModuleConstructor.cpp:
3291         (JSC::webAssemblyModuleImports):
3292         (JSC::webAssemblyModuleExports):
3293         * wasm/js/WebAssemblyModuleRecord.cpp:
3294         (JSC::WebAssemblyModuleRecord::finishCreation):
3295         (JSC::WebAssemblyModuleRecord::link):
3296         * wasm/js/WebAssemblyTableConstructor.cpp:
3297         (JSC::constructJSWebAssemblyTable):
3298
3299 2019-08-27  Devin Rousso  <drousso@apple.com>
3300
3301         Web Inspector: don't attach properties to `injectedScript` for the CommandLineAPI
3302         https://bugs.webkit.org/show_bug.cgi?id=201193
3303
3304         Reviewed by Joseph Pecoraro.
3305
3306         For some reason, adding `injectedScript._inspectObject` inside CommandLineAPIModuleSource.js
3307         causes inspector/debugger/tail-deleted-frames-this-value.html to fail.
3308
3309         We should have a similar approach to adding command line api getters and functions, in that
3310         the CommandLineAPIModuleSource.js calls a function with a callback.
3311
3312         * inspector/InjectedScriptSource.js:
3313         (InjectedScript.prototype.inspectObject):
3314         (InjectedScript.prototype.setInspectObject): Added.
3315         (InjectedScript.prototype._evaluateOn):
3316
3317 2019-08-27  Mark Lam  <mark.lam@apple.com>
3318
3319         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
3320         https://bugs.webkit.org/show_bug.cgi?id=201196
3321         <rdar://problem/54703775>
3322
3323         Reviewed by Yusuke Suzuki.
3324
3325         * runtime/FunctionConstructor.cpp:
3326         (JSC::constructFunctionSkippingEvalEnabledCheck):
3327
3328 2019-08-27  Keith Miller  <keith_miller@apple.com>
3329
3330         When dumping Air Graphs BBQ should dump patchpoints.
3331         https://bugs.webkit.org/show_bug.cgi?id=201167
3332
3333         Reviewed by Filip Pizlo.
3334
3335         * wasm/WasmAirIRGenerator.cpp:
3336         (JSC::Wasm::AirIRGenerator:: const):
3337         (JSC::Wasm::AirIRGenerator::addPatchpoint):
3338         (JSC::Wasm::parseAndCompileAir):
3339
3340 2019-08-27  Basuke Suzuki  <Basuke.Suzuki@sony.com>
3341
3342         [RemoteInspector][Socket] Restructuring the components of Socket implementation
3343         https://bugs.webkit.org/show_bug.cgi?id=201079
3344
3345         Reviewed by Ross Kirsling.
3346
3347         Since the change for WeakPtr on r248386, our port start assertion failure on the usage of
3348         RemoteInspectorSocketEndpoint. We have to send a message to connection client, but if that
3349         has to be done in the same thread which weakPtr generated, it's a little bit stronger
3350         restriction for us to handle. In this restructure, we are stopping to use weakPtr to
3351         resolve circular dependency, but using a reference with invalidation method because
3352         everything is under our control.
3353
3354         - Make SocketEndpoint a singleton. This class represents a central place to handle socket
3355           connections and there's no need to instantiate more than one in a process. Once every
3356           connection goes away, it just start sleeping until next connection is created. Very low
3357           resource usage when it is idle.
3358         - Move Socket::Connection structure from global definition to SocketEndpoint local
3359           structure. It is directly used in SocketEndpoint privately.
3360         - Move responsibility to handle message encoding/decoding task from SocketEndpoint to
3361           ConnectionClient. Make SocketEndpoint as plain socket handling as possible to keep it
3362           simple to exist long span.
3363         - Extract an interface from ConnectionClient as SocketEndpoint::Client which is required
3364           to work with SocketEndpoint. Now SocketEndpoint is very independent from others.
3365           SocketEndpoint::Client is the required parameter to create a connection.
3366
3367         Many responsibilities are moved into ConnectionClient which was a thin interface for
3368         communication between RemoteInspector, RemoteInspectorServer and RemoteInspectorClient.
3369         It now handles followings:
3370         - life cycle of connection: create, listen and close or invalidation
3371         - sending and receiving data packed in a message.
3372
3373         RemoteInspector and RemoteInspectorServer are now free from creation of SocketEndpoint.
3374         All communication to SocketEndpoint id now the duty of super class.
3375
3376         * inspector/remote/RemoteInspector.h:
3377         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
3378         (Inspector::RemoteInspectorConnectionClient::~RemoteInspectorConnectionClient): Make all connection invalidated.
3379         (Inspector::RemoteInspectorConnectionClient::connectInet): Add itself as a listener of socket.
3380         (Inspector::RemoteInspectorConnectionClient::listenInet): Ditto.
3381         (Inspector::RemoteInspectorConnectionClient::createClient): Ditto.
3382         (Inspector::RemoteInspectorConnectionClient::send): Add message processing.
3383         (Inspector::RemoteInspectorConnectionClient::didReceive): Ditto.
3384         (Inspector::RemoteInspectorConnectionClient::extractEvent): Extracted from send.
3385         * inspector/remote/socket/RemoteInspectorConnectionClient.h:
3386         * inspector/remote/socket/RemoteInspectorMessageParser.cpp:
3387         (Inspector::MessageParser::MessageParser):
3388         (Inspector::MessageParser::pushReceivedData):
3389         (Inspector::MessageParser::parse):
3390         * inspector/remote/socket/RemoteInspectorMessageParser.h:
3391         (Inspector::MessageParser::MessageParser):
3392         (Inspector::MessageParser::Function<void):
3393         * inspector/remote/socket/RemoteInspectorServer.cpp:
3394         (Inspector::RemoteInspectorServer::connect): Remove direct communication to Socket Endpoint.
3395         (Inspector::RemoteInspectorServer::listenForTargets): Ditto.
3396         (Inspector::RemoteInspectorServer::sendWebInspectorEvent): Ditto.
3397         (Inspector::RemoteInspectorServer::start): Ditto.
3398         * inspector/remote/socket/RemoteInspectorServer.h:
3399         * inspector/remote/socket/RemoteInspectorSocket.cpp:
3400         (Inspector::RemoteInspector::sendWebInspectorEvent): Remove direct communication to Socket Endpoint.
3401         (Inspector::RemoteInspector::start): Ditto.
3402         (Inspector::RemoteInspector::stopInternal): Ditto.
3403         (Inspector::RemoteInspector::pushListingsNow): Change the target of validity check to ID.
3404         (Inspector::RemoteInspector::pushListingsSoon): Ditto.
3405         (Inspector::RemoteInspector::sendMessageToRemote): Ditto.
3406         * inspector/remote/socket/RemoteInspectorSocket.h: Move Connection structure to RemoteInspectorSocketEndpoint.
3407         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
3408         (Inspector::RemoteInspectorSocketEndpoint::singleton): Added.
3409         (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint): Use hard-coded thread name.
3410         (Inspector::RemoteInspectorSocketEndpoint::connectInet): Accept RemoteInspectorSocketEndpoint::Client as listener.
3411         (Inspector::RemoteInspectorSocketEndpoint::listenInet): Ditto.
3412         (Inspector::RemoteInspectorSocketEndpoint::createClient): Ditto.
3413         (Inspector::RemoteInspectorSocketEndpoint::invalidateClient): Added. Invalidate all connection from the client.
3414         (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled): Remove message parser handling.
3415         (Inspector::RemoteInspectorSocketEndpoint::send): Remove message packing.
3416         (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
3417         * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
3418         (Inspector::RemoteInspectorSocketEndpoint::Connection::Connection):
3419
3420 2019-08-26  Devin Rousso  <drousso@apple.com>
3421
3422         Web Inspector: use more C++ keywords for defining agents
3423         https://bugs.webkit.org/show_bug.cgi?id=200959
3424
3425         Reviewed by Joseph Pecoraro.
3426
3427          - make constructors `protected` when the agent isn't meant to be constructed directly
3428          - add `virtual` destructors that are defined in the *.cpp so forward-declarations work
3429          - use `final` wherever possible
3430          - add comments to indicate where any virtual functions come from
3431
3432         * inspector/agents/InspectorAgent.h:
3433         * inspector/agents/InspectorAgent.cpp:
3434         * inspector/agents/InspectorAuditAgent.h:
3435         * inspector/agents/InspectorAuditAgent.cpp:
3436         * inspector/agents/InspectorConsoleAgent.h:
3437         * inspector/agents/InspectorConsoleAgent.cpp:
3438         * inspector/agents/InspectorDebuggerAgent.h:
3439         * inspector/agents/InspectorDebuggerAgent.cpp:
3440         * inspector/agents/InspectorHeapAgent.h:
3441         * inspector/agents/InspectorHeapAgent.cpp:
3442         * inspector/agents/InspectorRuntimeAgent.h:
3443         * inspector/agents/InspectorScriptProfilerAgent.h:
3444         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3445         * inspector/agents/InspectorTargetAgent.h:
3446         * inspector/agents/InspectorTargetAgent.cpp:
3447         * inspector/agents/JSGlobalObjectAuditAgent.h:
3448         * inspector/agents/JSGlobalObjectAuditAgent.cpp:
3449         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
3450         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3451         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3452         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3453
3454 2019-08-26  Devin Rousso  <drousso@apple.com>
3455
3456         Web Inspector: unify agent command error messages
3457         https://bugs.webkit.org/show_bug.cgi?id=200950
3458
3459         Reviewed by Joseph Pecoraro.
3460
3461         Different agents can sometimes have different error messages for commands that have a
3462         similar intended effect.  We should make our error messages more similar.
3463
3464         * inspector/JSGlobalObjectConsoleClient.cpp:
3465         * inspector/agents/InspectorAgent.cpp:
3466         * inspector/agents/InspectorAuditAgent.cpp:
3467         * inspector/agents/InspectorConsoleAgent.cpp:
3468         * inspector/agents/InspectorDebuggerAgent.cpp:
3469         * inspector/agents/InspectorHeapAgent.cpp:
3470         * inspector/agents/InspectorRuntimeAgent.cpp:
3471         * inspector/agents/InspectorTargetAgent.cpp:
3472         * inspector/agents/JSGlobalObjectAuditAgent.cpp:
3473         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3474         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3475         Elide function lists to avoid an extremely large ChangeLog entry.
3476
3477 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
3478
3479         [JSC] Ensure x?.y ?? z is fast
3480         https://bugs.webkit.org/show_bug.cgi?id=200875
3481
3482         Reviewed by Yusuke Suzuki.
3483
3484         We anticipate `x?.y ?? z` to quickly become a common idiom in JS. With a little bytecode rearrangement,
3485         we can avoid the "load undefined and check it" dance in the middle and just turn this into two jumps.
3486
3487         Before:
3488                 (get x)
3489           ----- jundefined_or_null
3490           |     (get y)
3491           | --- jmp
3492           > |   (load undefined)
3493             > - jnundefined_or_null
3494               | (get z)
3495               > end
3496
3497         After:
3498                 (get x)
3499             --- jundefined_or_null
3500             |   (get y)
3501             | - jnundefined_or_null
3502             > | (get z)
3503               > end
3504
3505         * bytecompiler/BytecodeGenerator.cpp:
3506         (JSC::BytecodeGenerator::popOptionalChainTarget): Added specialization.
3507         * bytecompiler/BytecodeGenerator.h:
3508         * bytecompiler/NodesCodegen.cpp:
3509         (JSC::CoalesceNode::emitBytecode):
3510         (JSC::OptionalChainNode::emitBytecode):
3511         * parser/ASTBuilder.h:
3512         (JSC::ASTBuilder::makeDeleteNode):
3513         (JSC::ASTBuilder::makeCoalesceNode): Added.
3514         (JSC::ASTBuilder::makeBinaryNode):
3515         * parser/NodeConstructors.h:
3516         (JSC::CoalesceNode::CoalesceNode):
3517         * parser/Nodes.h:
3518         (JSC::ExpressionNode::isDeleteNode const): Added. (Replaces OptionalChainNode::m_isDelete.)
3519
3520 2019-08-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
3521
3522         Missing media controls when WebKit is built with Python3
3523         https://bugs.webkit.org/show_bug.cgi?id=194367
3524
3525         Reviewed by Carlos Garcia Campos.
3526
3527         The JavaScript minifier script jsmin.py expects a text stream
3528         with text type as input, but the script make-js-file-arrays.py
3529         was passing to it a FileIO() object. So, when the jsmin script
3530         called read() over this object, python3 was returning a type of
3531         bytes, but for python2 it returns type str.
3532
3533         This caused two problems: first that jsmin failed to do any minifying
3534         because it was comparing strings with a variable of type bytes.
3535         The second major problem was in the write() function, when the
3536         jsmin script tried to convert a byte character to text by calling
3537         str() on it. Because what this does is not to convert from byte
3538         type to string, but to simply generate a string with the format b'c'.
3539         So the jsmin script was returning back as minified JS complete
3540         garbage in the form of "b't'b'h'b'h'b'i" for python3.
3541
3542         Therefore, when WebKit was built with python3 this broke everything
3543         that depended on the embedded JS code that make-js-file-arrays.py
3544         was supposed to generate, like the media controls and the WebDriver
3545         atoms.
3546
3547         Fix this by reworking the code in make-js-file-arrays script to
3548         read the data from the file using a TextIOWrapper in python 3
3549         with decoding for 'utf-8'. This ensures that the jsmin receives
3550         a text type. For python2 keep using the same FileIO class.
3551
3552         On the jsmin.py script remove the problematic call to str() inside
3553         the write() function when running with python3.
3554         On top of that, add an extra check in jsmin.py script to make it
3555         fail if the character type read is not the one expected. This
3556         will cause the build to fail instead of failing silently like
3557         now. I did some tests and the runtime cost of this extra check
3558         is almost zero.
3559
3560         * Scripts/jsmin.py:
3561         (JavascriptMinify.minify.write):
3562         (JavascriptMinify):
3563         * Scripts/make-js-file-arrays.py:
3564         (main):
3565
3566 2019-08-23  Devin Rousso  <drousso@apple.com>
3567
3568         Web Inspector: create additional command line api functions for other console methods
3569         https://bugs.webkit.org/show_bug.cgi?id=200971
3570
3571         Reviewed by Joseph Pecoraro.
3572
3573         Expose all `console.*` functions in the command line API, since they're all already able to
3574         be referenced via the `console` object.
3575
3576         Provide a simpler interface for other injected scripts to modify the command line API.
3577
3578         * inspector/InjectedScriptModule.cpp:
3579         (Inspector::InjectedScriptModule::ensureInjected):
3580
3581         * inspector/InjectedScriptSource.js:
3582         (InjectedScript.prototype.inspectObject):
3583         (InjectedScript.prototype.addCommandLineAPIGetter): Added.
3584         (InjectedScript.prototype.addCommandLineAPIMethod): Added.
3585         (InjectedScript.prototype.hasInjectedModule): Added.
3586         (InjectedScript.prototype.injectModule):
3587         (InjectedScript.prototype._evaluateOn):
3588         (InjectedScript.CommandLineAPI): Added.
3589         (InjectedScript.prototype.module): Deleted.
3590         (InjectedScript.prototype._savedResult): Deleted.
3591         (bind): Deleted.
3592         (BasicCommandLineAPI): Deleted.
3593         (clear): Deleted.
3594         (table): Deleted.
3595         (profile): Deleted.
3596         (profileEnd): Deleted.
3597         (keys): Deleted.
3598         (values): Deleted.
3599         (queryInstances): Deleted.
3600         (queryObjects): Deleted.
3601         (queryHolders): Deleted.
3602
3603 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
3604
3605         Remove MaximalFlushInsertionPhase
3606         https://bugs.webkit.org/show_bug.cgi?id=201036
3607
3608         Reviewed by Saam Barati.
3609
3610         Maximal flush has found too many false positives recently, so we decided it's finally time
3611         to remove it instead of hacking it to fix the most recent false positive.
3612
3613         The most recent false positive was caused by a LoadVarargs followed by a SetArgumentDefinitely
3614         for the argument count that was being flushed in a much later block. Now, since that block was
3615         the head of a loop, and there was a SetLocal in the same block to the same variable, this
3616         generated a Phi of both values, which then led to the unification of their VariableAccessData
3617         in the unification phase. This caused AI to assign the Int52 type to argument count, which
3618         broke the AI’s assumption that it should always be an Int32.
3619
3620         * JavaScriptCore.xcodeproj/project.pbxproj:
3621         * Sources.txt:
3622         * dfg/DFGByteCodeParser.cpp:
3623         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
3624         * dfg/DFGMaximalFlushInsertionPhase.cpp: Removed.
3625         * dfg/DFGMaximalFlushInsertionPhase.h: Removed.
3626         * dfg/DFGPlan.cpp:
3627         (JSC::DFG::Plan::compileInThreadImpl):
3628         * runtime/Options.cpp:
3629         (JSC::recomputeDependentOptions):
3630         * runtime/Options.h:
3631
3632 2019-08-23  Ross Kirsling  <ross.kirsling@sony.com>
3633
3634         Unreviewed WinCairo build fix following r249058.
3635
3636         * API/tests/testapi.cpp:
3637         (TestAPI::callFunction):
3638         WinCairo chokes on `JSValueRef args[sizeof...(arguments)]` when there are no arguments, but AppleWin does not...
3639         MSVC must have changed somehow.
3640
3641 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
3642
3643         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
3644         https://bugs.webkit.org/show_bug.cgi?id=200952
3645
3646         Reviewed by Saam Barati.
3647
3648         The c call that we emitted was incorrect. If we had an int argument that was supposed to be placed in GPR0 by this loop,
3649         we would clobber it while making the call (among many other possible registers). To fix this, we just inline the call 
3650         to isWebassemblyHostFunction.
3651
3652         * wasm/js/WebAssemblyFunction.cpp:
3653         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
3654
3655 2019-08-23  Ross Kirsling  <ross.kirsling@sony.com>
3656
3657         JSC should have public API for unhandled promise rejections
3658         https://bugs.webkit.org/show_bug.cgi?id=197172
3659
3660         Reviewed by Keith Miller.
3661
3662         This patch makes it possible to register a unhandled promise rejection callback via the JSC API.
3663         Since there is no event loop in such an environment, this callback fires off of the microtask queue.
3664         The callback receives the promise and rejection reason as arguments and its return value is ignored.
3665
3666         * API/JSContextRef.cpp:
3667         (JSGlobalContextSetUnhandledRejectionCallback): Added.
3668         * API/JSContextRefPrivate.h:
3669         Add new C++ API call.
3670
3671         * API/tests/testapi.cpp:
3672         (TestAPI::promiseResolveTrue): Clean up test output.
3673         (TestAPI::promiseRejectTrue): Clean up test output.
3674         (TestAPI::promiseUnhandledRejection): Added.
3675         (TestAPI::promiseUnhandledRejectionFromUnhandledRejectionCallback): Added.
3676         (TestAPI::promiseEarlyHandledRejections): Added.
3677         (testCAPIViaCpp):
3678         Add new C++ API test.
3679
3680         * jsc.cpp:
3681         (GlobalObject::finishCreation):
3682         (functionSetUnhandledRejectionCallback): Added.
3683         Add corresponding global to JSC shell.
3684
3685         * runtime/JSGlobalObject.h:
3686         (JSC::JSGlobalObject::setUnhandledRejectionCallback): Added.
3687         (JSC::JSGlobalObject::unhandledRejectionCallback const): Added.
3688         Keep a strong reference to the callback.
3689
3690         * runtime/JSGlobalObjectFunctions.cpp:
3691         (JSC::globalFuncHostPromiseRejectionTracker):
3692         Add default behavior.
3693
3694         * runtime/VM.cpp:
3695         (JSC::VM::callPromiseRejectionCallback): Added.
3696         (JSC::VM::didExhaustMicrotaskQueue): Added.
3697         (JSC::VM::promiseRejected): Added.
3698         (JSC::VM::drainMicrotasks):
3699         When microtask queue is exhausted, deal with any pending unhandled rejections
3700         (in a manner based on RejectedPromiseTracker's reportUnhandledRejections),
3701         then make sure this didn't cause any new microtasks to be added to the queue.
3702
3703         * runtime/VM.h:
3704         Store unhandled rejections.
3705         (This collection will always be empty in the presence of WebCore.)
3706
3707 2019-08-22  Mark Lam  <mark.lam@apple.com>
3708
3709         VirtualRegister::dump() can use more informative CallFrame header slot names.
3710         https://bugs.webkit.org/show_bug.cgi?id=201062
3711
3712         Reviewed by Tadeu Zagallo.
3713
3714         For example, it currently dumps head3 instead of callee.  This patch changes the
3715         dump as follows (for 64-bit addressing):
3716             head0 => callerFrame
3717             head1 => returnPC
3718             head2 => codeBlock
3719             head3 => callee
3720             head4 => argumentCount
3721
3722         Now, one might be wondering when would bytecode ever access callerFrame and
3723         returnPC?  The answer is never.  However, I don't think its the role of the
3724         dumper to catch a bug where these header slots are being used.  The dumper's role
3725         is to clearly report them so that we can see that these unexpected values are
3726         being used.
3727
3728         * bytecode/VirtualRegister.cpp:
3729         (JSC::VirtualRegister::dump const):
3730
3731 2019-08-22  Andy Estes  <aestes@apple.com>
3732
3733         [watchOS] Disable Content Filtering in the simulator build
3734         https://bugs.webkit.org/show_bug.cgi?id=201047
3735
3736         Reviewed by Tim Horton.
3737
3738         * Configurations/FeatureDefines.xcconfig:
3739
3740 2019-08-22  Adrian Perez de Castro  <aperez@igalia.com>
3741
3742         [GTK][WPE] Fixes for non-unified builds after r248547
3743         https://bugs.webkit.org/show_bug.cgi?id=201044
3744
3745         Reviewed by Philippe Normand.
3746
3747         * b3/B3ReduceLoopStrength.cpp: Add missing inclusions of B3BasicBlockInlines.h,
3748         B3InsertionSet.h, and B3NaturalLoops.h
3749         * wasm/WasmOMGForOSREntryPlan.h: Include WasmCallee.h instead of forward-declaring
3750         BBQCallee in order to avoid build failure due to incomplete definition on template
3751         expansions.
3752
3753 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
3754
3755         Add missing exception check in canonicalizeLocaleList
3756         https://bugs.webkit.org/show_bug.cgi?id=201021
3757
3758         Reviewed by Mark Lam.
3759
3760         * runtime/IntlObject.cpp:
3761         (JSC::canonicalizeLocaleList):
3762
3763 2019-08-17  Darin Adler  <darin@apple.com>
3764
3765         Use makeString and multi-argument StringBuilder::append instead of less efficient multiple appends
3766         https://bugs.webkit.org/show_bug.cgi?id=200862
3767
3768         Reviewed by Ryosuke Niwa.
3769
3770         * runtime/ExceptionHelpers.cpp:
3771         (JSC::createUndefinedVariableError): Got rid of unnecessary local variable.
3772         (JSC::notAFunctionSourceAppender): Use single append instead of multiple.
3773         Eliminate unneeded and unconventional use of makeString on a single string literal.
3774         (JSC::invalidParameterInstanceofNotFunctionSourceAppender): Ditto.
3775         (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender): Ditto.
3776         (JSC::createInvalidFunctionApplyParameterError): Ditto.
3777         (JSC::createInvalidInParameterError): Ditto.
3778         (JSC::createInvalidInstanceofParameterErrorNotFunction): Ditto.
3779         (JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction): Ditto.
3780
3781         * runtime/FunctionConstructor.cpp:
3782         (JSC::constructFunctionSkippingEvalEnabledCheck): Use single append instead of multiple.
3783         * runtime/Options.cpp:
3784         (JSC::Options::dumpOption): Ditto.
3785         * runtime/TypeProfiler.cpp:
3786         (JSC::TypeProfiler::typeInformationForExpressionAtOffset): Ditto.
3787         * runtime/TypeSet.cpp:
3788         (JSC::StructureShape::stringRepresentation): Ditto. Also use a modern for loop.
3789
3790 2019-08-21  Mark Lam  <mark.lam@apple.com>
3791
3792         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
3793         https://bugs.webkit.org/show_bug.cgi?id=201016
3794         <rdar://problem/54579911>
3795
3796         Reviewed by Yusuke Suzuki.
3797
3798         Currently, Wasm::FunctionParser is allowing
3799
3800             maxFunctionParams + maxFunctionLocals * maxFunctionLocals
3801
3802         ... locals, which is 0x9502FCE8.  It should be enforcing max locals of
3803         maxFunctionLocals instead.
3804
3805         * wasm/WasmFunctionParser.h:
3806         (JSC::Wasm::FunctionParser<Context>::parse):
3807
3808 2019-08-21  Michael Saboff  <msaboff@apple.com>
3809
3810         [JSC] incorrent JIT lead to StackOverflow
3811         https://bugs.webkit.org/show_bug.cgi?id=197823
3812
3813         Reviewed by Tadeu Zagallo.
3814
3815         Added stack overflow check to the bound function thunk generator.  Added a new C++ operation
3816         throwStackOverflowErrorFromThunk() to throw the error.
3817         
3818         * jit/JITOperations.cpp:
3819         * jit/JITOperations.h:
3820         * jit/ThunkGenerators.cpp:
3821         (JSC::boundThisNoArgsFunctionCallGenerator):
3822
3823 2019-08-21  Devin Rousso  <drousso@apple.com>
3824
3825         Web Inspector: Page: re-add enable/disable after r248454
3826         https://bugs.webkit.org/show_bug.cgi?id=200947
3827
3828         Reviewed by Joseph Pecoraro.
3829
3830         We shouldn't design the agent system with only Web Inspector in mind. Other clients may want
3831         to have different functionality, not being told about frames creation/updates/destruction.
3832         In these cases, we should have graceful error message failures for other agents that rely on
3833         the Page agent.