[JSC] Optimize layout of RegExp to reduce padding
Source/JavaScriptCore/ChangeLog (WebKit-https.git)
2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of RegExp to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187438

        Reviewed by Mark Lam.

        Reduce the size of RegExp from 168 to 144.

        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        * runtime/RegExp.h:
        * runtime/RegExpKey.h:
        * yarr/YarrErrorCode.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of ValueProfile to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187439

        Reviewed by Mark Lam.

        Reduce the size of ValueProfile from 40 to 32 by reordering members.

        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::ValueProfileBase):

2018-07-05  Saam Barati  <sbarati@apple.com>

        ProgramExecutable may be collected as we checkSyntax on it
        https://bugs.webkit.org/show_bug.cgi?id=187359
        <rdar://problem/41832135>

        Reviewed by Mark Lam.

        The bug was we were passing in a reference to the SourceCode field on ProgramExecutable as
        the ProgramExecutable itself may be collected. The fix here is to make a copy
        of the field instead of passing in a reference inside of ParserError::toErrorObject.

        No new tests here as this was already caught by our iOS JSC testers.

        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):

2018-07-04  Tim Horton  <timothy_horton@apple.com>

        Introduce PLATFORM(IOSMAC)
        https://bugs.webkit.org/show_bug.cgi?id=187315

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * Configurations/FeatureDefines.xcconfig:

2018-07-03  Mark Lam  <mark.lam@apple.com>

        [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
        https://bugs.webkit.org/show_bug.cgi?id=187255
        <rdar://problem/41785257>

        Reviewed by Saam Barati.

        The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
        too: basically, do what the 64-bit code is doing.  At present, this change only
        serves to pacify an assertion.  It is not needed for correctness because the
        concurrent GC is not used on 32-bit builds.

        This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
        test.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):

2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
        https://bugs.webkit.org/show_bug.cgi?id=187290

        Reviewed by Saam Barati.

        slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
        we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
        is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
        easily calculated from JSType.
        This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::elementSize):
        (JSC::JSArrayBufferView::slowDownAndWasteMemory):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedBuffer):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory): Deleted.
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.

2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Regular expressions with ".?" expressions at the start and the end match the entire string
        https://bugs.webkit.org/show_bug.cgi?id=119191

        Reviewed by Michael Saboff.

        r90962 optimized regular expressions in the form of /.*abc.*/ by looking
        for "abc" first and then processing the leading and trailing dot stars
        to find the beginning and the end of the match. However, it erroneously
        enabled this optimization for regular expressions whose leading or
        trailing dots had quantifiers that were not of arbitrary length, e.g.,
        /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
        match the entire string when it shouldn't. This patch disables the
        optimization for those cases.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):

2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        RegExp.exec returns wrong value with a long integer quantifier
        https://bugs.webkit.org/show_bug.cgi?id=187042

        Reviewed by Saam Barati.

        Prior to this patch, the Yarr parser checked for integer overflow when
        parsing quantifiers in regular expressions by adding one digit at a time
        to a number and checking if the result got larger. This is wrong: the
        parser would fail to detect overflow when parsing, for example,
        10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.

        Another issue was that once it detected overflow, it stopped consuming
        the remaining digits. Since it didn't find the closing bracket, it
        parsed the quantifier as a normal string instead.

        This patch fixes these issues by reading all the digits and checking for
        overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
        returns the largest possible value (quantifyInfinite in this case). This
        matches Chrome [1], Firefox [2], and Edge [3].

        [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
        [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
        [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::consumeNumber):
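The two overflow checks this entry contrasts, as an added example that is not JavaScriptCore's code: a quantifier-digit loop using the "did the value grow?" heuristic beside one that checks each multiply-add exactly and saturates. The function names, `kQuantifyInfinite` (standing in for Yarr's quantifyInfinite) and the use of `__builtin_mul_overflow`/`__builtin_add_overflow` in place of `Checked<unsigned, RecordOverflow>` are assumptions of this example.

```cpp
// Added example (not JavaScriptCore code): two ways to accumulate the digits of a
// regexp quantifier such as the "10000000003" in /a{10000000003}/.
#include <cstddef>
#include <cstdio>
#include <limits>
#include <string>

// Stand-in for Yarr's quantifyInfinite: the value an overflowed quantifier saturates to.
constexpr unsigned kQuantifyInfinite = std::numeric_limits<unsigned>::max();

struct ParsedNumber {
    unsigned value;       // accumulated value (wrapped for the buggy variant)
    std::size_t consumed; // digits consumed; the caller expects the closing '}' right after
    bool overflowed;
};

static bool isDigit(char c) { return c >= '0' && c <= '9'; }

// The pre-patch heuristic: treat "new value smaller than old value" as overflow.
// 1000000000 * 10 + 3 wraps to 1410065411, which is larger, so the overflow is missed.
// When the heuristic does fire, the loop stops and leaves the remaining digits unread.
ParsedNumber consumeNumberGrowCheck(const std::string& s, std::size_t pos) {
    unsigned n = 0;
    std::size_t i = pos;
    bool overflowed = false;
    while (i < s.size() && isDigit(s[i])) {
        unsigned next = n * 10 + static_cast<unsigned>(s[i] - '0'); // wraps mod 2^32
        if (next < n) { overflowed = true; break; }
        n = next;
        ++i;
    }
    return {n, i - pos, overflowed};
}

// The post-patch approach: consume every digit, detect overflow on each
// multiply-add exactly (__builtin_*_overflow stands in for
// Checked<unsigned, RecordOverflow>), and saturate to kQuantifyInfinite.
ParsedNumber consumeNumberChecked(const std::string& s, std::size_t pos) {
    unsigned n = 0;
    std::size_t i = pos;
    bool overflowed = false;
    while (i < s.size() && isDigit(s[i])) {
        unsigned digit = static_cast<unsigned>(s[i] - '0');
        unsigned tmp = 0;
        // Once overflowed, keep consuming digits but skip the arithmetic.
        if (overflowed || __builtin_mul_overflow(n, 10u, &tmp) || __builtin_add_overflow(tmp, digit, &n))
            overflowed = true;
        ++i;
    }
    if (overflowed)
        n = kQuantifyInfinite;
    return {n, i - pos, overflowed};
}

int main() {
    const char* samples[] = {"10000000003", "4294967296", "65535"}; // constructed inputs
    for (const char* digits : samples) {
        ParsedNumber a = consumeNumberGrowCheck(digits, 0);
        ParsedNumber b = consumeNumberChecked(digits, 0);
        std::printf("%s: grow-check value=%u consumed=%zu overflow=%d | checked value=%u consumed=%zu overflow=%d\n",
                    digits, a.value, a.consumed, a.overflowed, b.value, b.consumed, b.overflowed);
    }
    return 0;
}
```

For 4294967296 the old check does fire, but only after nine digits, leaving the tenth unread, which is the second problem the entry describes.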

2018-07-02  Keith Miller  <keith_miller@apple.com>

        InstanceOf IC should do generic if the prototype is not an object.
        https://bugs.webkit.org/show_bug.cgi?id=187250

        Reviewed by Mark Lam.

        The old code was wrong for two reasons. First, the AccessCase expected that
        the prototype value would be non-null. Second, we would end up returning
        false instead of throwing an exception.

        * jit/Repatch.cpp:
        (JSC::tryCacheInstanceOf):

2018-07-01  Mark Lam  <mark.lam@apple.com>

        Builtins and host functions should get their own structures.
        https://bugs.webkit.org/show_bug.cgi?id=187211
        <rdar://problem/41646336>

        Reviewed by Saam Barati.

        JSFunctions do lazy reification of properties, but ordinary functions apply
        different rules of property reification than builtin and host functions.  Hence,
        we should give builtins and host functions their own structures.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::selectStructureForNewFuncExp):
        (JSC::JSFunction::create):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::hostFunctionStructure const):
        (JSC::JSGlobalObject::arrowFunctionStructure const):
        (JSC::JSGlobalObject::sloppyFunctionStructure const):
        (JSC::JSGlobalObject::strictFunctionStructure const):

2018-07-01  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
        <https://webkit.org/b/187233>

        Reviewed by Mark Lam.

        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition): Add struct member
        initialization. Simplify default constructor.
        (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
        union to the beginning to make it easy to zero out all fields.
        (JSC::JSTokenLocation::JSTokenLocation): Add struct member
        initialization.  Simplify default constructor.  Note that
        `endOffset` was not being initialized previously.
        (JSC::JSTextPosition::JSToken): Add struct member initialization
        where necessary.
        * runtime/IntlObject.cpp:
        (JSC::MatcherResult): Add struct member initialization.

2018-06-23  Darin Adler  <darin@apple.com>

        [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=186973

        Reviewed by Dan Bernstein.

        * API/JSContext.mm:
        (WeakContextRef::WeakContextRef): Deleted.
        (WeakContextRef::~WeakContextRef): Deleted.
        (WeakContextRef::get): Deleted.
        (WeakContextRef::set): Deleted.

        * API/JSContextInternal.h: Removed unneeded header guards since this is
        an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
        of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
        since neither is used outside the class implementation.

        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]): Use a bridging cast.
        (-[JSManagedValue dealloc]): Ditto.
        (-[JSManagedValue didAddOwner:]): Ditto.
        (-[JSManagedValue didRemoveOwner:]): Ditto.
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
        (JSManagedValueHandleOwner::finalize): Ditto.
        * API/JSValue.mm:
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
        (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
        (-[JSValue valueForProperty:]): Ditto.
        (-[JSValue setValue:forProperty:]): Ditto.
        (-[JSValue deleteProperty:]): Ditto.
        (-[JSValue hasProperty:]): Ditto.
        (-[JSValue invokeMethod:withArguments:]): Ditto.
        (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
        (valueToArray): Ditto.
        (valueToDictionary): Ditto.
        (objectToValueWithoutCopy): Ditto.
        (objectToValue): Ditto.
        * API/JSVirtualMachine.mm:
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
        (-[JSVirtualMachine isOldExternalObject:]): Ditto.
        (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
        (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
        (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
        (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
        (scanExternalObjectGraph): Ditto.
        (scanExternalRememberedSet): Ditto.
        * API/JSWrapperMap.mm:
        (makeWrapper): Ditto.
        (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
        (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
        (tryUnwrapObjcObject): Ditto.
        * API/ObjCCallbackFunction.mm:
        (blockSignatureContainsClass): Ditto.
        (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
        sure we will be keeping this the same way under ARC.
        (objCCallbackFunctionForBlock): Use a bridging cast.

        * API/ObjcRuntimeExtras.h:
        (protocolImplementsProtocol): Use a more specific type that includes the
        explicit __unsafe_unretained for copied protocol lists.
        (forEachProtocolImplementingProtocol): Ditto.

        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
        (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.

        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
        CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
        (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
        (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
        (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.

2018-06-30  Adam Barth  <abarth@webkit.org>

        Port JavaScriptCore to OS(FUCHSIA)
        https://bugs.webkit.org/show_bug.cgi?id=187223

        Reviewed by Daniel Bates.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
        * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
        (JSC::MachineContext::stackPointerImpl):
        (JSC::MachineContext::framePointerImpl):
        (JSC::MachineContext::instructionPointerImpl):
        (JSC::MachineContext::argumentPointer<1>):
        (JSC::MachineContext::llintInstructionPointer):

2018-06-30  David Kilzer  <ddkilzer@apple.com>

        Fix clang static analyzer warnings: Garbage return value
        <https://webkit.org/b/187224>

        Reviewed by Eric Carlson.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
        - Use brace initialization for local variables.
        * debugger/DebuggerCallFrame.cpp:
        (class JSC::LineAndColumnFunctor):
        - Use class member initialization for member variables.

2018-06-29  Saam Barati  <sbarati@apple.com>

        Unreviewed. Try to fix Windows build after r233377

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):

2018-06-29  Saam Barati  <sbarati@apple.com>

        Don't use tracePoints in JS/Wasm entry
        https://bugs.webkit.org/show_bug.cgi?id=187196

        Reviewed by Mark Lam.

        This puts VM entry and Wasm entry tracePoints behind a runtime
        option. This is a ~4x speedup on a soon to be released Wasm
        benchmark. tracePoints should basically never run more than 50
        times a second. Entering the VM and entering Wasm are user controlled,
        and can happen hundreds of thousands of times in a second. Depending
        on how the Wasm/JS code is structured, this can be disastrous for
        performance.

        * runtime/Options.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2018-06-29  Saam Barati  <sbarati@apple.com>

        We shouldn't recurse into the parser when gathering metadata about various function offsets
        https://bugs.webkit.org/show_bug.cgi?id=184074
        <rdar://problem/37165897>

        Reviewed by Mark Lam.

        Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
        for that builtin. This required calling into the parser. However, the parser
        may throw a stack overflow. We were not able to recover from that. The only
        reason we called into the parser here is that we were gathering text offsets
        and various metadata for things in the builtin function. This patch writes a
        mini parser that figures this information out without calling into the full
        parser. (I've also added a debug assert that verifies the mini parser stays in
        sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
        always succeeds.

        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.createAsyncFromSyncIterator):
        (globalPrivate.AsyncFromSyncIteratorConstructor):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * builtins/GlobalOperations.js:
        (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
        (globalPrivate.speciesConstructor):
        (globalPrivate.copyDataProperties):
        (globalPrivate.copyDataPropertiesNoExclusions):
        * builtins/PromiseOperations.js:
        (globalPrivate.newHandledRejectedPromise):
        * builtins/RegExpPrototype.js:
        (globalPrivate.hasObservableSideEffectsForRegExpMatch):
        (globalPrivate.hasObservableSideEffectsForRegExpSplit):
        * builtins/StringPrototype.js:
        (globalPrivate.hasObservableSideEffectsForStringReplace):
        (globalPrivate.getDefaultCollator):
        * parser/Nodes.cpp:
        (JSC::FunctionMetadataNode::FunctionMetadataNode):
        (JSC::FunctionMetadataNode::operator== const):
        (JSC::FunctionMetadataNode::dump const):
        * parser/Nodes.h:
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserError.h:
        (JSC::ParserError::type const):
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::operator== const):
        (JSC::JSTextPosition::operator!= const):
        * parser/SourceCode.h:
        (JSC::SourceCode::operator== const):
        (JSC::SourceCode::operator!= const):
        (JSC::SourceCode::subExpression const):
        (JSC::SourceCode::subExpression): Deleted.

2018-06-28  Michael Saboff  <msaboff@apple.com>

        IsoCellSet::sweepToFreeList() not safe when Full GC in process
        https://bugs.webkit.org/show_bug.cgi?id=187157

        Reviewed by Mark Lam.

        * heap/IsoCellSet.cpp:
        (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
        is in MarkedBlock::Handle::specializedSweep where it takes into account whether
        or not we are in the process of marking during a full GC.
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.

2018-06-27  Saam Barati  <sbarati@apple.com>

        Add some more register state information when we crash in repatchPutById
        https://bugs.webkit.org/show_bug.cgi?id=187112

        Reviewed by Mark Lam.

        This will help us gather info when we end up seeing an ObjectPropertyConditionSet
        with an offset that is different than what the put tells us.

        * jit/Repatch.cpp:
        (JSC::tryCachePutByID):

2018-06-27  Mark Lam  <mark.lam@apple.com>

        Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
        https://bugs.webkit.org/show_bug.cgi?id=187119

        Reviewed by Keith Miller.

        $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
        should be checking for codeBlock instead of !codeBlock
        before using the codeBlock.

        I also renamed some other "print" functions to use "dump" instead
        to match their underlying C++ code that they will call e.g.
        CodeBlock::dumpSource().

        * tools/JSDollarVM.cpp:
        (WTF::JSDollarVMCallFrame::finishCreation):
        (JSC::functionDumpSourceFor):
        (JSC::functionDumpBytecodeFor):
        (JSC::doPrint):
        (JSC::functionDataLog):
        (JSC::functionPrint):
        (JSC::functionDumpCallFrame):
        (JSC::functionDumpStack):
        (JSC::JSDollarVM::finishCreation):
        (JSC::functionPrintSourceFor): Deleted.
        (JSC::functionPrintBytecodeFor): Deleted.
        (JSC::doPrintln): Deleted.
        (JSC::functionPrintln): Deleted.
        (JSC::functionPrintCallFrame): Deleted.
        (JSC::functionPrintStack): Deleted.
        * tools/VMInspector.cpp:
        (JSC::DumpFrameFunctor::DumpFrameFunctor):
        (JSC::DumpFrameFunctor::operator() const):
        (JSC::VMInspector::dumpCallFrame):
        (JSC::VMInspector::dumpStack):
        (JSC::VMInspector::dumpValue):
        (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
        (JSC::PrintFrameFunctor::operator() const): Deleted.
        (JSC::VMInspector::printCallFrame): Deleted.
        (JSC::VMInspector::printStack): Deleted.
        (JSC::VMInspector::printValue): Deleted.
        * tools/VMInspector.h:

2018-06-27  Keith Miller  <keith_miller@apple.com>

        Add logging to try to diagnose where we get a null structure.
        https://bugs.webkit.org/show_bug.cgi?id=187106

        Reviewed by Mark Lam.

        Add a logging to JSObject::toPrimitive to help diagnose a nullptr
        structure crash.

        This code should be removed when we fix <rdar://problem/33451840>.

        * runtime/JSObject.cpp:
        (JSC::callToPrimitiveFunction):
        * runtime/JSObject.h:
        (JSC::JSObject::getPropertySlot):

2018-06-27  Mark Lam  <mark.lam@apple.com>

        DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
        https://bugs.webkit.org/show_bug.cgi?id=187091
        <rdar://problem/41395624>

        Reviewed by Yusuke Suzuki.

        Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
        take their slow paths, the slow path would jump back to the fast path right after
        the emitted code which clears the unused property values.  As a result, the
        unused properties are not initialized.  We've fixed this by adding the slow path
        generators before we emit the code to clear the unused properties.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):

2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
        https://bugs.webkit.org/show_bug.cgi?id=185943

        Reviewed by Mark Lam.

        ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
        the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
        the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
        This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.

        ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
        but it should be done in a separate patch since it would be performance sensitive.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::emitDirectBinding):

2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Pass VM& to functions more
        https://bugs.webkit.org/show_bug.cgi?id=186241

        Reviewed by Mark Lam.

        This patch threads VM& to functions requiring VM& more.

        * API/JSObjectRef.cpp:
        (JSObjectIsConstructor):
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h:
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureStubClearingWatchpoint::fireInternal):
        * bytecode/StructureStubClearingWatchpoint.h:
        * bytecode/Watchpoint.cpp:
        (JSC::Watchpoint::fire):
        (JSC::WatchpointSet::fireAllWatchpoints):
        * bytecode/Watchpoint.h:
        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
        * dfg/DFGAdaptiveStructureWatchpoint.cpp:
        (JSC::DFG::AdaptiveStructureWatchpoint::install):
        (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
        * dfg/DFGAdaptiveStructureWatchpoint.h:
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        (JSC::esSpecIsConstructor):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
        * runtime/FunctionRareData.h:
        * runtime/InferredStructureWatchpoint.cpp:
        (JSC::InferredStructureWatchpoint::fireInternal):
        * runtime/InferredStructureWatchpoint.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructureSlow):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isConstructor const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isConstructor):
        (JSC::JSCell::methodTable const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
        (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::finishCreation):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::setObjectToStringValue):
        (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
        (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):

2018-06-26  Mark Lam  <mark.lam@apple.com>

        eval() is wrong about the LiteralParser never throwing any exceptions.
        https://bugs.webkit.org/show_bug.cgi?id=187074
        <rdar://problem/41461099>

        Reviewed by Saam Barati.

        Added the missing exception check, and removed an erroneous assertion.

        * interpreter/Interpreter.cpp:
        (JSC::eval):

2018-06-26  Saam Barati  <sbarati@apple.com>

        JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
        https://bugs.webkit.org/show_bug.cgi?id=186878
        <rdar://problem/40568659>

        Reviewed by Filip Pizlo.

        This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
        our stress GC bots. Before this patch, JSImmutableButterfly was allocated
        with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
        be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
        called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
        conservative scan knows to treat it like a butterfly when we may be
        pointing into the middle of it.

        The way we were crashing on the stress GC bots is that our conservative marking
        won't do cell visiting for things that are Auxiliary. This meant that if the
        stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
        that JSImmutableButterfly would not be visited. This is now fixed.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * debugger/Debugger.cpp:
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddPointer):
        * heap/Heap.cpp:
        (JSC::GatherHeapSnapshotData::operator() const):
        (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::deleteAllCodeBlocks):
        * heap/HeapCell.cpp:
        (WTF::printInternal):
        * heap/HeapCell.h:
        (JSC::isJSCellKind):
        (JSC::hasInteriorPointers):
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        (JSC::HeapUtil::isPointerGCObjectJSCell):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::didAddToDirectory):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSImmutableButterfly.h:
        (JSC::JSImmutableButterfly::subspaceFor):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * tools/CellProfile.h:
        (JSC::CellProfile::CellProfile):
        (JSC::CellProfile::isJSCell const):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::validateCell):

2018-06-26  Mark Lam  <mark.lam@apple.com>

        Skip some unnecessary work in Interpreter::getStackTrace().
        https://bugs.webkit.org/show_bug.cgi?id=187070

        Reviewed by Michael Saboff.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::getStackTrace):

2018-06-26  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
        https://bugs.webkit.org/show_bug.cgi?id=187060
        <rdar://problem/41452767>

        Reviewed by Keith Miller.

        JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
        write conversion.  Hence, we can return early after the conversion if the vector
        length is already sufficient to cover the requested length.

        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):

2018-06-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r233184.
        https://bugs.webkit.org/show_bug.cgi?id=187059

        "It regressed JetStream between 5-8%" (Requested by saamyjoon
        on #webkit).

        Reverted changeset:

        "JSImmutableButterfly can't be allocated from a subspace with
        HeapCell::Kind::Auxiliary"
        https://bugs.webkit.org/show_bug.cgi?id=186878
        https://trac.webkit.org/changeset/233184

2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
        https://bugs.webkit.org/show_bug.cgi?id=187051

        Reviewed by Mark Lam.

        Revert r233065 changes over UnlinkedCodeBlock.h to allow
722         clang-3.8 to be able to compile this back (with libstdc++5)
723
724         * bytecode/UnlinkedCodeBlock.h:
725         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
726
727 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
728
729         Fix testapi build when DFG_JIT is disabled
730         https://bugs.webkit.org/show_bug.cgi?id=187038
731
732         Reviewed by Mark Lam.
733
734         r233158 added a new API and tests for configuring the number of JIT threads, but
735         the API is only available when DFG_JIT is enabled and so should the tests.
736
737         * API/tests/testapi.mm:
738         (runJITThreadLimitTests):
739
740 2018-06-25  Saam Barati  <sbarati@apple.com>
741
742         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
743         https://bugs.webkit.org/show_bug.cgi?id=186878
744         <rdar://problem/40568659>
745
746         Reviewed by Mark Lam.
747
748         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
749         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
750         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
751         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
752         bots is that our conservative marking won't do cell marking for things that
753         are Auxiliary. This means that if the stack is the only thing pointing to a
754         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
755         not be visited. This patch fixes this bug. This patch also extends our conservative
756         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
757
758         * bytecompiler/NodesCodegen.cpp:
759         (JSC::ArrayNode::emitBytecode):
760         * heap/HeapUtil.h:
761         (JSC::HeapUtil::findGCObjectPointersForMarking):
762         * runtime/JSImmutableButterfly.h:
763         (JSC::JSImmutableButterfly::subspaceFor):
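
        The following is an added illustration of the marking rule described in this
        entry and in the entry at the top of this section that introduces
        HeapCell::Kind::JSCellWithInteriorPointers. It is a toy model written for this
        page, not JavaScriptCore code: the cell kinds, the fixed-size heap, the
        constructed "stack" and every function name (find_cell_for_word,
        scan_conservative, run_scenario, ...) are invented here. It shows why a cell
        that has children but is allocated from the Auxiliary kind is marked by the
        conservative scan yet never visited, so a stack-only reference fails to keep
        its children alive, and why a plain JSCell kind is not enough either when the
        only reference is an interior pointer.

```c
/* Toy model of conservative root scanning with per-cell kinds (added example,
 * not JSC code; all names are invented for this illustration). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Three cell kinds, named after the ones in the ChangeLog entries. */
enum CellKind {
    KIND_JSCELL,                        /* has children; only exact pointers are roots   */
    KIND_JSCELL_WITH_INTERIOR_POINTERS, /* has children; interior pointers are roots too */
    KIND_AUXILIARY                      /* raw storage; interior pointers ok, no children */
};

enum { PAYLOAD_WORDS = 4, NUM_CELLS = 8 };

typedef struct Cell {
    enum CellKind kind;
    bool allocated;
    bool marked;
    uintptr_t payload[PAYLOAD_WORDS]; /* each word: pointer to another cell, or data */
} Cell;

static Cell heap[NUM_CELLS]; /* toy heap: cells live in a static array */

static void heap_reset(void) { memset(heap, 0, sizeof heap); }

static Cell *heap_alloc(enum CellKind kind) {
    for (int i = 0; i < NUM_CELLS; i++) {
        if (!heap[i].allocated) {
            memset(&heap[i], 0, sizeof heap[i]);
            heap[i].allocated = true;
            heap[i].kind = kind;
            return &heap[i];
        }
    }
    return NULL;
}

static bool has_interior_pointers(enum CellKind k) {
    return k == KIND_AUXILIARY || k == KIND_JSCELL_WITH_INTERIOR_POINTERS;
}

static bool is_jscell_kind(enum CellKind k) {
    return k == KIND_JSCELL || k == KIND_JSCELL_WITH_INTERIOR_POINTERS;
}

/* Conservative lookup: does this word point at a live cell's header, or into a
 * cell whose kind permits interior pointers? Returns NULL if neither. */
static Cell *find_cell_for_word(uintptr_t word) {
    for (int i = 0; i < NUM_CELLS; i++) {
        Cell *c = &heap[i];
        uintptr_t base = (uintptr_t)c, end = base + sizeof *c;
        if (!c->allocated)
            continue;
        if (word == base)
            return c;
        if (has_interior_pointers(c->kind) && word > base && word < end)
            return c;
    }
    return NULL;
}

/* Mark a cell; visit its children only if it is a JSCell kind. Auxiliary storage
 * is marked but never visited, which is what bit JSImmutableButterfly. */
static void mark_cell(Cell *c) {
    if (c == NULL || c->marked)
        return;
    c->marked = true;
    if (!is_jscell_kind(c->kind))
        return;
    for (int i = 0; i < PAYLOAD_WORDS; i++)
        for (int j = 0; j < NUM_CELLS; j++) /* children are exact pointers */
            if (heap[j].allocated && c->payload[i] == (uintptr_t)&heap[j])
                mark_cell(&heap[j]);
}

/* Treat every word of the (constructed) stack as a potential root. */
static void scan_conservative(const uintptr_t *stack, size_t nwords) {
    for (size_t i = 0; i < nwords; i++)
        mark_cell(find_cell_for_word(stack[i]));
}

/* Scenario: a butterfly-like cell of the given kind holds one child, and the only
 * reference to the butterfly is an interior pointer (into its payload) on the stack. */
static void run_scenario(enum CellKind butterfly_kind, Cell **bf_out, Cell **child_out) {
    heap_reset();
    Cell *child = heap_alloc(KIND_JSCELL);
    Cell *bf = heap_alloc(butterfly_kind);
    bf->payload[0] = (uintptr_t)child;
    uintptr_t stack[1] = { (uintptr_t)&bf->payload[1] }; /* interior, not header */
    scan_conservative(stack, 1);
    *bf_out = bf;
    *child_out = child;
}

bool butterfly_marked(enum CellKind k) { Cell *b, *c; run_scenario(k, &b, &c); return b->marked; }
bool child_marked(enum CellKind k)     { Cell *b, *c; run_scenario(k, &b, &c); return c->marked; }

int main(void) {
    const char *names[] = { "JSCell", "JSCellWithInteriorPointers", "Auxiliary" };
    for (int k = KIND_JSCELL; k <= KIND_AUXILIARY; k++)
        printf("%-27s butterfly marked=%d child marked=%d\n",
               names[k], butterfly_marked((enum CellKind)k), child_marked((enum CellKind)k));
    return 0;
}
```

        Only the JSCellWithInteriorPointers kind gets both the butterfly and its child
        marked: Auxiliary accepts the interior pointer but skips visiting, and plain
        JSCell visits but never recognises the interior pointer as a root.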
764
765 2018-06-25  Mark Lam  <mark.lam@apple.com>
766
767         constructArray() should set m_numValuesInVector to the specified length.
768         https://bugs.webkit.org/show_bug.cgi?id=187010
769         <rdar://problem/41392167>
770
771         Reviewed by Filip Pizlo.
772
773         Its client will fill in the storage vector with some values using initializeIndex()
774         and expects m_numValuesInVector to be set to the length i.e. the number of values
775         to be initialized.
776
777         * runtime/JSArray.cpp:
778         (JSC::constructArray):
779
780 2018-06-25  Mark Lam  <mark.lam@apple.com>
781
782         Add missing exception check in RegExpObjectInlines.h's collectMatches.
783         https://bugs.webkit.org/show_bug.cgi?id=187006
784         <rdar://problem/41418412>
785
786         Reviewed by Keith Miller.
787
788         * runtime/RegExpObjectInlines.h:
789         (JSC::collectMatches):
790
791 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
792
793         Add API for configuring the number of threads used by DFG and FTL
794         https://bugs.webkit.org/show_bug.cgi?id=186859
795         <rdar://problem/41093519>
796
797         Reviewed by Filip Pizlo.
798
799         Add new private APIs for limiting the number of threads to be used by
800         the DFG and FTL compilers. It was already possible to configure the
801         limit through JSC Options, but now it can be changed at runtime, even
802         in the case when the VM is already running.
803
804         Add a test for both cases: when trying to configure the limit before
805         and after the Worklist has been created, but in order to simulate the
806         first scenario, we must guarantee that the test runs at the very
807         beginning, so I also added a check for that.
808
809         * API/JSVirtualMachine.mm:
810         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
811         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
812         * API/JSVirtualMachinePrivate.h:
813         * API/tests/testapi.mm:
814         (runJITThreadLimitTests):
815         (testObjectiveCAPIMain):
816         * dfg/DFGWorklist.cpp:
817         (JSC::DFG::Worklist::finishCreation):
818         (JSC::DFG::Worklist::createNewThread):
819         (JSC::DFG::Worklist::setNumberOfThreads):
820         * dfg/DFGWorklist.h:
821
822 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
823
824         [JSC] Remove unnecessary PLATFORM guards
825         https://bugs.webkit.org/show_bug.cgi?id=186995
826
827         Reviewed by Mark Lam.
828
829         * assembler/AssemblerCommon.h:
830         (JSC::isIOS):
831         Add constexpr.
832
833         * inspector/JSGlobalObjectInspectorController.cpp:
834         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
835         StackFrame works on all platforms. If StackFrame::demangle fails,
836         it just returns std::nullopt, and that is correctly handled in this code.
837
838 2018-06-23  Mark Lam  <mark.lam@apple.com>
839
840         Add more debugging features to $vm.
841         https://bugs.webkit.org/show_bug.cgi?id=186947
842
843         Reviewed by Keith Miller.
844
845         Adding the following features:
846
847             // We now have println in addition to print.
848             // println automatically adds a '\n' at the end.
849             $vm.println("Hello");
850
851             // We can now capture some info about a stack frame.
852             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
853             var callerCallerFrame = $vm.callFrame(2);
854
855             // We can inspect the following values associated with the frame:
856             if (currentFrame.valid) {
857                 $vm.println("name is ", currentFrame.name);
858
859                 // Note: For a WASM frame, all of these will be undefined.
860                 $vm.println("callee is ", $vm.value(currentFrame.callee));
861                 $vm.println("codeBlock is ", currentFrame.codeBlock);
862                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
863                 $vm.println("executable is ", currentFrame.executable);
864             }
865
866             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
867             // to dataLog its JSValue instead of its toString() result.
868
869             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
870             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
871             // toString on a non-object.
872
873             // Does what it says about enabling/disabling debugger mode.
874             $vm.enableDebuggerModeWhenIdle();
875             $vm.disableDebuggerModeWhenIdle();
876
877         * tools/JSDollarVM.cpp:
878         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
879         (WTF::JSDollarVMCallFrame::createStructure):
880         (WTF::JSDollarVMCallFrame::create):
881         (WTF::JSDollarVMCallFrame::finishCreation):
882         (WTF::JSDollarVMCallFrame::addProperty):
883         (JSC::functionCallFrame):
884         (JSC::functionCodeBlockForFrame):
885         (JSC::codeBlockFromArg):
886         (JSC::doPrintln):
887         (JSC::functionPrint):
888         (JSC::functionPrintln):
889         (JSC::changeDebuggerModeWhenIdle):
890         (JSC::functionEnableDebuggerModeWhenIdle):
891         (JSC::functionDisableDebuggerModeWhenIdle):
892         (JSC::JSDollarVM::finishCreation):
893
894 2018-06-22  Keith Miller  <keith_miller@apple.com>
895
896         We need to have a getDirectConcurrently for use in the compilers
897         https://bugs.webkit.org/show_bug.cgi?id=186954
898
899         Reviewed by Mark Lam.
900
901         It used to be that the propertyStorage of an object never shrank,
902         so if you called getDirect with some offset it would never be an
903         OOB read. However, this property storage can shrink when calling
904         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
905         holds the Structure's ConcurrentJSLock while shrinking. This patch
906         adds a getDirectConcurrently that will safely try to load from the
907         butterfly.
908
909         * bytecode/ObjectPropertyConditionSet.cpp:
910         * bytecode/PropertyCondition.cpp:
911         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
912         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
913         * dfg/DFGGraph.cpp:
914         (JSC::DFG::Graph::tryGetConstantProperty):
915         * runtime/JSObject.h:
916         (JSC::JSObject::getDirectConcurrently const):
917
918 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
919
920         [WTF] Use Ref<> for the result type of non-failing factory functions
921         https://bugs.webkit.org/show_bug.cgi?id=186920
922
923         Reviewed by Darin Adler.
924
925         * dfg/DFGWorklist.cpp:
926         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
927         (JSC::DFG::Worklist::finishCreation):
928         * dfg/DFGWorklist.h:
929         * heap/Heap.cpp:
930         (JSC::Heap::Thread::Thread):
931         * heap/Heap.h:
932         * jit/JITWorklist.cpp:
933         (JSC::JITWorklist::Thread::Thread):
934         * jit/JITWorklist.h:
935         * runtime/VMTraps.cpp:
936         * runtime/VMTraps.h:
937         * wasm/WasmWorklist.cpp:
938         * wasm/WasmWorklist.h:
939
940 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
941
942         [WTF] Add user-defined literal for ASCIILiteral
943         https://bugs.webkit.org/show_bug.cgi?id=186839
944
945         Reviewed by Darin Adler.
946
947         * API/JSCallbackObjectFunctions.h:
948         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
949         (JSC::JSCallbackObject<Parent>::callbackGetter):
950         * API/JSObjectRef.cpp:
951         (JSObjectMakeFunctionWithCallback):
952         * API/JSTypedArray.cpp:
953         (JSObjectGetArrayBufferBytesPtr):
954         * API/JSValue.mm:
955         (valueToArray):
956         (valueToDictionary):
957         * API/ObjCCallbackFunction.mm:
958         (JSC::objCCallbackFunctionCallAsFunction):
959         (JSC::objCCallbackFunctionCallAsConstructor):
960         (JSC::ObjCCallbackFunctionImpl::call):
961         * API/glib/JSCCallbackFunction.cpp:
962         (JSC::JSCCallbackFunction::call):
963         (JSC::JSCCallbackFunction::construct):
964         * API/glib/JSCContext.cpp:
965         (jscContextJSValueToGValue):
966         * API/glib/JSCValue.cpp:
967         (jsc_value_object_define_property_accessor):
968         (jscValueFunctionCreate):
969         * builtins/BuiltinUtils.h:
970         * bytecode/CodeBlock.cpp:
971         (JSC::CodeBlock::nameForRegister):
972         * bytecompiler/BytecodeGenerator.cpp:
973         (JSC::BytecodeGenerator::emitEnumeration):
974         (JSC::BytecodeGenerator::emitIteratorNext):
975         (JSC::BytecodeGenerator::emitIteratorClose):
976         (JSC::BytecodeGenerator::emitDelegateYield):
977         * bytecompiler/NodesCodegen.cpp:
978         (JSC::FunctionCallValueNode::emitBytecode):
979         (JSC::PostfixNode::emitBytecode):
980         (JSC::PrefixNode::emitBytecode):
981         (JSC::AssignErrorNode::emitBytecode):
982         (JSC::ForInNode::emitBytecode):
983         (JSC::ForOfNode::emitBytecode):
984         (JSC::ClassExprNode::emitBytecode):
985         (JSC::ObjectPatternNode::bindValue const):
986         * dfg/DFGDriver.cpp:
987         (JSC::DFG::compileImpl):
988         * dfg/DFGOperations.cpp:
989         (JSC::DFG::newTypedArrayWithSize):
990         * dfg/DFGStrengthReductionPhase.cpp:
991         (JSC::DFG::StrengthReductionPhase::handleNode):
992         * inspector/ConsoleMessage.cpp:
993         (Inspector::ConsoleMessage::addToFrontend):
994         (Inspector::ConsoleMessage::clear):
995         * inspector/ContentSearchUtilities.cpp:
996         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
997         * inspector/InjectedScript.cpp:
998         (Inspector::InjectedScript::InjectedScript):
999         (Inspector::InjectedScript::evaluate):
1000         (Inspector::InjectedScript::callFunctionOn):
1001         (Inspector::InjectedScript::evaluateOnCallFrame):
1002         (Inspector::InjectedScript::getFunctionDetails):
1003         (Inspector::InjectedScript::functionDetails):
1004         (Inspector::InjectedScript::getPreview):
1005         (Inspector::InjectedScript::getProperties):
1006         (Inspector::InjectedScript::getDisplayableProperties):
1007         (Inspector::InjectedScript::getInternalProperties):
1008         (Inspector::InjectedScript::getCollectionEntries):
1009         (Inspector::InjectedScript::saveResult):
1010         (Inspector::InjectedScript::wrapCallFrames const):
1011         (Inspector::InjectedScript::wrapObject const):
1012         (Inspector::InjectedScript::wrapJSONString const):
1013         (Inspector::InjectedScript::wrapTable const):
1014         (Inspector::InjectedScript::previewValue const):
1015         (Inspector::InjectedScript::setExceptionValue):
1016         (Inspector::InjectedScript::clearExceptionValue):
1017         (Inspector::InjectedScript::findObjectById const):
1018         (Inspector::InjectedScript::inspectObject):
1019         (Inspector::InjectedScript::releaseObject):
1020         (Inspector::InjectedScript::releaseObjectGroup):
1021         * inspector/InjectedScriptBase.cpp:
1022         (Inspector::InjectedScriptBase::makeEvalCall):
1023         * inspector/InjectedScriptManager.cpp:
1024         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1025         * inspector/InjectedScriptModule.cpp:
1026         (Inspector::InjectedScriptModule::ensureInjected):
1027         * inspector/InspectorBackendDispatcher.cpp:
1028         (Inspector::BackendDispatcher::dispatch):
1029         (Inspector::BackendDispatcher::sendResponse):
1030         (Inspector::BackendDispatcher::sendPendingErrors):
1031         * inspector/JSGlobalObjectConsoleClient.cpp:
1032         (Inspector::JSGlobalObjectConsoleClient::profile):
1033         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
1034         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
1035         * inspector/JSGlobalObjectInspectorController.cpp:
1036         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1037         * inspector/JSInjectedScriptHost.cpp:
1038         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1039         (Inspector::JSInjectedScriptHost::subtype):
1040         (Inspector::JSInjectedScriptHost::getInternalProperties):
1041         * inspector/JSJavaScriptCallFrame.cpp:
1042         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1043         (Inspector::JSJavaScriptCallFrame::type const):
1044         * inspector/ScriptArguments.cpp:
1045         (Inspector::ScriptArguments::getFirstArgumentAsString):
1046         * inspector/ScriptCallStackFactory.cpp:
1047         (Inspector::extractSourceInformationFromException):
1048         * inspector/agents/InspectorAgent.cpp:
1049         (Inspector::InspectorAgent::InspectorAgent):
1050         * inspector/agents/InspectorConsoleAgent.cpp:
1051         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
1052         (Inspector::InspectorConsoleAgent::clearMessages):
1053         (Inspector::InspectorConsoleAgent::count):
1054         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
1055         * inspector/agents/InspectorDebuggerAgent.cpp:
1056         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
1057         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
1058         (Inspector::buildObjectForBreakpointCookie):
1059         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1060         (Inspector::parseLocation):
1061         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1062         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1063         (Inspector::InspectorDebuggerAgent::continueToLocation):
1064         (Inspector::InspectorDebuggerAgent::searchInContent):
1065         (Inspector::InspectorDebuggerAgent::getScriptSource):
1066         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1067         (Inspector::InspectorDebuggerAgent::resume):
1068         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
1069         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1070         (Inspector::InspectorDebuggerAgent::didParseSource):
1071         (Inspector::InspectorDebuggerAgent::assertPaused):
1072         * inspector/agents/InspectorHeapAgent.cpp:
1073         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
1074         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
1075         (Inspector::InspectorHeapAgent::getPreview):
1076         (Inspector::InspectorHeapAgent::getRemoteObject):
1077         * inspector/agents/InspectorRuntimeAgent.cpp:
1078         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
1079         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1080         (Inspector::InspectorRuntimeAgent::getPreview):
1081         (Inspector::InspectorRuntimeAgent::getProperties):
1082         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1083         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1084         (Inspector::InspectorRuntimeAgent::saveResult):
1085         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1086         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1087         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1088         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
1089         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1090         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
1091         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1092         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
1093         * inspector/scripts/codegen/cpp_generator_templates.py:
1094         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1095         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1096         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1097         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1098         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1099         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1100         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1101         (CppProtocolTypesImplementationGenerator):
1102         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1103         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1104         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
1105         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1106         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1107         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1108         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1109         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
1110         * inspector/scripts/codegen/objc_generator_templates.py:
1111         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1112         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1113         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1114         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1115         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1116         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1117         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1118         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1119         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1120         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1121         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1122         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1123         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1124         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1125         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1126         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1127         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1128         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1129         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1130         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1131         * interpreter/CallFrame.cpp:
1132         (JSC::CallFrame::friendlyFunctionName):
1133         * interpreter/Interpreter.cpp:
1134         (JSC::Interpreter::execute):
1135         * interpreter/StackVisitor.cpp:
1136         (JSC::StackVisitor::Frame::functionName const):
1137         (JSC::StackVisitor::Frame::sourceURL const):
1138         * jit/JIT.cpp:
1139         (JSC::JIT::doMainThreadPreparationBeforeCompile):
1140         * jit/JITOperations.cpp:
1141         * jsc.cpp:
1142         (resolvePath):
1143         (GlobalObject::moduleLoaderImportModule):
1144         (GlobalObject::moduleLoaderResolve):
1145         (functionDescribeArray):
1146         (functionRun):
1147         (functionLoad):
1148         (functionCheckSyntax):
1149         (functionDollarEvalScript):
1150         (functionDollarAgentStart):
1151         (functionDollarAgentReceiveBroadcast):
1152         (functionDollarAgentBroadcast):
1153         (functionTransferArrayBuffer):
1154         (functionLoadModule):
1155         (functionSamplingProfilerStackTraces):
1156         (functionAsyncTestStart):
1157         (functionWebAssemblyMemoryMode):
1158         (runWithOptions):
1159         * parser/Lexer.cpp:
1160         (JSC::Lexer<T>::invalidCharacterMessage const):
1161         (JSC::Lexer<T>::parseString):
1162         (JSC::Lexer<T>::parseComplexEscape):
1163         (JSC::Lexer<T>::parseStringSlowCase):
1164         (JSC::Lexer<T>::parseTemplateLiteral):
1165         (JSC::Lexer<T>::lex):
1166         * parser/Parser.cpp:
1167         (JSC::Parser<LexerType>::parseInner):
1168         * parser/Parser.h:
1169         (JSC::Parser::setErrorMessage):
1170         * runtime/AbstractModuleRecord.cpp:
1171         (JSC::AbstractModuleRecord::finishCreation):
1172         * runtime/ArrayBuffer.cpp:
1173         (JSC::errorMesasgeForTransfer):
1174         * runtime/ArrayBufferSharingMode.h:
1175         (JSC::arrayBufferSharingModeName):
1176         * runtime/ArrayConstructor.cpp:
1177         (JSC::constructArrayWithSizeQuirk):
1178         (JSC::isArraySlowInline):
1179         * runtime/ArrayPrototype.cpp:
1180         (JSC::setLength):
1181         (JSC::shift):
1182         (JSC::unshift):
1183         (JSC::arrayProtoFuncPop):
1184         (JSC::arrayProtoFuncReverse):
1185         (JSC::arrayProtoFuncUnShift):
1186         * runtime/AtomicsObject.cpp:
1187         (JSC::atomicsFuncWait):
1188         (JSC::atomicsFuncWake):
1189         * runtime/BigIntConstructor.cpp:
1190         (JSC::BigIntConstructor::finishCreation):
1191         (JSC::toBigInt):
1192         (JSC::callBigIntConstructor):
1193         * runtime/BigIntObject.cpp:
1194         (JSC::BigIntObject::toStringName):
1195         * runtime/BigIntPrototype.cpp:
1196         (JSC::bigIntProtoFuncToString):
1197         (JSC::bigIntProtoFuncValueOf):
1198         * runtime/CommonSlowPaths.cpp:
1199         (JSC::SLOW_PATH_DECL):
1200         * runtime/ConsoleClient.cpp:
1201         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1202         * runtime/ConsoleObject.cpp:
1203         (JSC::valueOrDefaultLabelString):
1204         (JSC::consoleProtoFuncTime):
1205         (JSC::consoleProtoFuncTimeEnd):
1206         * runtime/DatePrototype.cpp:
1207         (JSC::formatLocaleDate):
1208         (JSC::formateDateInstance):
1209         (JSC::DatePrototype::finishCreation):
1210         (JSC::dateProtoFuncToISOString):
1211         (JSC::dateProtoFuncToJSON):
1212         * runtime/Error.cpp:
1213         (JSC::createNotEnoughArgumentsError):
1214         (JSC::throwSyntaxError):
1215         (JSC::createTypeError):
1216         (JSC::createOutOfMemoryError):
1217         * runtime/Error.h:
1218         (JSC::throwVMError):
1219         * runtime/ErrorConstructor.cpp:
1220         (JSC::ErrorConstructor::finishCreation):
1221         * runtime/ErrorInstance.cpp:
1222         (JSC::ErrorInstance::sanitizedToString):
1223         * runtime/ErrorPrototype.cpp:
1224         (JSC::ErrorPrototype::finishCreation):
1225         (JSC::errorProtoFuncToString):
1226         * runtime/ExceptionFuzz.cpp:
1227         (JSC::doExceptionFuzzing):
1228         * runtime/ExceptionHelpers.cpp:
1229         (JSC::TerminatedExecutionError::defaultValue):
1230         (JSC::createStackOverflowError):
1231         (JSC::createNotAConstructorError):
1232         (JSC::createNotAFunctionError):
1233         (JSC::createNotAnObjectError):
1234         * runtime/GetterSetter.cpp:
1235         (JSC::callSetter):
1236         * runtime/IntlCollator.cpp:
1237         (JSC::sortLocaleData):
1238         (JSC::searchLocaleData):
1239         (JSC::IntlCollator::initializeCollator):
1240         (JSC::IntlCollator::compareStrings):
1241         (JSC::IntlCollator::usageString):
1242         (JSC::IntlCollator::sensitivityString):
1243         (JSC::IntlCollator::caseFirstString):
1244         (JSC::IntlCollator::resolvedOptions):
1245         * runtime/IntlCollator.h:
1246         * runtime/IntlCollatorConstructor.cpp:
1247         (JSC::IntlCollatorConstructor::finishCreation):
1248         * runtime/IntlCollatorPrototype.cpp:
1249         (JSC::IntlCollatorPrototypeGetterCompare):
1250         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1251         * runtime/IntlDateTimeFormat.cpp:
1252         (JSC::defaultTimeZone):
1253         (JSC::canonicalizeTimeZoneName):
1254         (JSC::IntlDTFInternal::localeData):
1255         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
1256         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1257         (JSC::IntlDateTimeFormat::weekdayString):
1258         (JSC::IntlDateTimeFormat::eraString):
1259         (JSC::IntlDateTimeFormat::yearString):
1260         (JSC::IntlDateTimeFormat::monthString):
1261         (JSC::IntlDateTimeFormat::dayString):
1262         (JSC::IntlDateTimeFormat::hourString):
1263         (JSC::IntlDateTimeFormat::minuteString):
1264         (JSC::IntlDateTimeFormat::secondString):
1265         (JSC::IntlDateTimeFormat::timeZoneNameString):
1266         (JSC::IntlDateTimeFormat::resolvedOptions):
1267         (JSC::IntlDateTimeFormat::format):
1268         (JSC::IntlDateTimeFormat::partTypeString):
1269         (JSC::IntlDateTimeFormat::formatToParts):
1270         * runtime/IntlDateTimeFormat.h:
1271         * runtime/IntlDateTimeFormatConstructor.cpp:
1272         (JSC::IntlDateTimeFormatConstructor::finishCreation):
1273         * runtime/IntlDateTimeFormatPrototype.cpp:
1274         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1275         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
1276         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1277         * runtime/IntlNumberFormat.cpp:
1278         (JSC::IntlNumberFormat::initializeNumberFormat):
1279         (JSC::IntlNumberFormat::formatNumber):
1280         (JSC::IntlNumberFormat::styleString):
1281         (JSC::IntlNumberFormat::currencyDisplayString):
1282         (JSC::IntlNumberFormat::resolvedOptions):
1283         (JSC::IntlNumberFormat::partTypeString):
1284         (JSC::IntlNumberFormat::formatToParts):
1285         * runtime/IntlNumberFormat.h:
1286         * runtime/IntlNumberFormatConstructor.cpp:
1287         (JSC::IntlNumberFormatConstructor::finishCreation):
1288         * runtime/IntlNumberFormatPrototype.cpp:
1289         (JSC::IntlNumberFormatPrototypeGetterFormat):
1290         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
1291         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1292         * runtime/IntlObject.cpp:
1293         (JSC::grandfatheredLangTag):
1294         (JSC::canonicalizeLocaleList):
1295         (JSC::resolveLocale):
1296         (JSC::supportedLocales):
1297         * runtime/IntlPluralRules.cpp:
1298         (JSC::IntlPluralRules::initializePluralRules):
1299         (JSC::IntlPluralRules::resolvedOptions):
1300         (JSC::IntlPluralRules::select):
1301         * runtime/IntlPluralRulesConstructor.cpp:
1302         (JSC::IntlPluralRulesConstructor::finishCreation):
1303         * runtime/IntlPluralRulesPrototype.cpp:
1304         (JSC::IntlPluralRulesPrototypeFuncSelect):
1305         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
1306         * runtime/IteratorOperations.cpp:
1307         (JSC::iteratorNext):
1308         (JSC::iteratorClose):
1309         (JSC::hasIteratorMethod):
1310         (JSC::iteratorMethod):
1311         * runtime/JSArray.cpp:
1312         (JSC::JSArray::tryCreateUninitializedRestricted):
1313         (JSC::JSArray::defineOwnProperty):
1314         (JSC::JSArray::put):
1315         (JSC::JSArray::setLengthWithArrayStorage):
1316         (JSC::JSArray::appendMemcpy):
1317         (JSC::JSArray::pop):
1318         * runtime/JSArray.h:
1319         * runtime/JSArrayBufferConstructor.cpp:
1320         (JSC::JSArrayBufferConstructor::finishCreation):
1321         * runtime/JSArrayBufferPrototype.cpp:
1322         (JSC::arrayBufferProtoFuncSlice):
1323         (JSC::arrayBufferProtoGetterFuncByteLength):
1324         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
1325         * runtime/JSArrayBufferView.cpp:
1326         (JSC::JSArrayBufferView::toStringName):
1327         * runtime/JSArrayInlines.h:
1328         (JSC::JSArray::pushInline):
1329         * runtime/JSBigInt.cpp:
1330         (JSC::JSBigInt::divide):
1331         (JSC::JSBigInt::remainder):
1332         (JSC::JSBigInt::toNumber const):
1333         * runtime/JSCJSValue.cpp:
1334         (JSC::JSValue::putToPrimitive):
1335         (JSC::JSValue::putToPrimitiveByIndex):
1336         (JSC::JSValue::toStringSlowCase const):
1337         * runtime/JSCJSValueInlines.h:
1338         (JSC::toPreferredPrimitiveType):
1339         * runtime/JSDataView.cpp:
1340         (JSC::JSDataView::create):
1341         (JSC::JSDataView::put):
1342         (JSC::JSDataView::defineOwnProperty):
1343         * runtime/JSDataViewPrototype.cpp:
1344         (JSC::getData):
1345         (JSC::setData):
1346         * runtime/JSFunction.cpp:
1347         (JSC::JSFunction::callerGetter):
1348         (JSC::JSFunction::put):
1349         (JSC::JSFunction::defineOwnProperty):
1350         * runtime/JSGenericTypedArrayView.h:
1351         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1352         (JSC::constructGenericTypedArrayViewWithArguments):
1353         (JSC::constructGenericTypedArrayView):
1354         * runtime/JSGenericTypedArrayViewInlines.h:
1355         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1356         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1357         (JSC::speciesConstruct):
1358         (JSC::genericTypedArrayViewProtoFuncSet):
1359         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1360         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1361         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1362         * runtime/JSGlobalObject.cpp:
1363         (JSC::JSGlobalObject::init):
1364         * runtime/JSGlobalObjectDebuggable.cpp:
1365         (JSC::JSGlobalObjectDebuggable::name const):
1366         * runtime/JSGlobalObjectFunctions.cpp:
1367         (JSC::encode):
1368         (JSC::decode):
1369         (JSC::globalFuncProtoSetter):
1370         * runtime/JSGlobalObjectFunctions.h:
1371         * runtime/JSMap.cpp:
1372         (JSC::JSMap::toStringName):
1373         * runtime/JSModuleEnvironment.cpp:
1374         (JSC::JSModuleEnvironment::put):
1375         * runtime/JSModuleNamespaceObject.cpp:
1376         (JSC::JSModuleNamespaceObject::put):
1377         (JSC::JSModuleNamespaceObject::putByIndex):
1378         (JSC::JSModuleNamespaceObject::defineOwnProperty):
1379         * runtime/JSONObject.cpp:
1380         (JSC::Stringifier::appendStringifiedValue):
1381         (JSC::JSONProtoFuncParse):
1382         (JSC::JSONProtoFuncStringify):
1383         * runtime/JSObject.cpp:
1384         (JSC::getClassPropertyNames):
1385         (JSC::JSObject::calculatedClassName):
1386         (JSC::ordinarySetSlow):
1387         (JSC::JSObject::putInlineSlow):
1388         (JSC::JSObject::setPrototypeWithCycleCheck):
1389         (JSC::callToPrimitiveFunction):
1390         (JSC::JSObject::ordinaryToPrimitive const):
1391         (JSC::JSObject::defaultHasInstance):
1392         (JSC::JSObject::defineOwnIndexedProperty):
1393         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1394         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1395         (JSC::validateAndApplyPropertyDescriptor):
1396         * runtime/JSObject.h:
1397         * runtime/JSObjectInlines.h:
1398         (JSC::JSObject::putInlineForJSObject):
1399         * runtime/JSPromiseConstructor.cpp:
1400         (JSC::JSPromiseConstructor::finishCreation):
1401         * runtime/JSSet.cpp:
1402         (JSC::JSSet::toStringName):
1403         * runtime/JSSymbolTableObject.h:
1404         (JSC::symbolTablePut):
1405         * runtime/JSTypedArrayViewConstructor.cpp:
1406         (JSC::constructTypedArrayView):
1407         * runtime/JSTypedArrayViewPrototype.cpp:
1408         (JSC::typedArrayViewPrivateFuncLength):
1409         (JSC::typedArrayViewProtoFuncSet):
1410         (JSC::typedArrayViewProtoFuncCopyWithin):
1411         (JSC::typedArrayViewProtoFuncLastIndexOf):
1412         (JSC::typedArrayViewProtoFuncIndexOf):
1413         (JSC::typedArrayViewProtoFuncJoin):
1414         (JSC::typedArrayViewProtoGetterFuncBuffer):
1415         (JSC::typedArrayViewProtoGetterFuncLength):
1416         (JSC::typedArrayViewProtoGetterFuncByteLength):
1417         (JSC::typedArrayViewProtoGetterFuncByteOffset):
1418         (JSC::typedArrayViewProtoFuncReverse):
1419         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
1420         (JSC::typedArrayViewProtoFuncSlice):
1421         (JSC::JSTypedArrayViewPrototype::finishCreation):
1422         * runtime/JSWeakMap.cpp:
1423         (JSC::JSWeakMap::toStringName):
1424         * runtime/JSWeakSet.cpp:
1425         (JSC::JSWeakSet::toStringName):
1426         * runtime/LiteralParser.cpp:
1427         (JSC::LiteralParser<CharType>::Lexer::lex):
1428         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
1429         (JSC::LiteralParser<CharType>::Lexer::lexNumber):
1430         (JSC::LiteralParser<CharType>::parse):
1431         * runtime/LiteralParser.h:
1432         (JSC::LiteralParser::getErrorMessage):
1433         * runtime/Lookup.cpp:
1434         (JSC::reifyStaticAccessor):
1435         * runtime/Lookup.h:
1436         (JSC::putEntry):
1437         * runtime/MapPrototype.cpp:
1438         (JSC::getMap):
1439         * runtime/NullSetterFunction.cpp:
1440         (JSC::NullSetterFunctionInternal::callReturnUndefined):
1441         * runtime/NumberPrototype.cpp:
1442         (JSC::numberProtoFuncToExponential):
1443         (JSC::numberProtoFuncToFixed):
1444         (JSC::numberProtoFuncToPrecision):
1445         (JSC::extractToStringRadixArgument):
1446         * runtime/ObjectConstructor.cpp:
1447         (JSC::objectConstructorSetPrototypeOf):
1448         (JSC::objectConstructorAssign):
1449         (JSC::objectConstructorValues):
1450         (JSC::toPropertyDescriptor):
1451         (JSC::objectConstructorDefineProperty):
1452         (JSC::objectConstructorDefineProperties):
1453         (JSC::objectConstructorCreate):
1454         (JSC::objectConstructorSeal):
1455         (JSC::objectConstructorFreeze):
1456         * runtime/ObjectPrototype.cpp:
1457         (JSC::objectProtoFuncDefineGetter):
1458         (JSC::objectProtoFuncDefineSetter):
1459         * runtime/Operations.cpp:
1460         (JSC::jsAddSlowCase):
1461         * runtime/Operations.h:
1462         (JSC::jsSub):
1463         (JSC::jsMul):
1464         * runtime/ProgramExecutable.cpp:
1465         (JSC::ProgramExecutable::initializeGlobalProperties):
1466         * runtime/ProxyConstructor.cpp:
1467         (JSC::makeRevocableProxy):
1468         (JSC::proxyRevocableConstructorThrowError):
1469         (JSC::ProxyConstructor::finishCreation):
1470         (JSC::constructProxyObject):
1471         * runtime/ProxyObject.cpp:
1472         (JSC::ProxyObject::toStringName):
1473         (JSC::ProxyObject::finishCreation):
1474         (JSC::performProxyGet):
1475         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1476         (JSC::ProxyObject::performHasProperty):
1477         (JSC::ProxyObject::performPut):
1478         (JSC::performProxyCall):
1479         (JSC::performProxyConstruct):
1480         (JSC::ProxyObject::performDelete):
1481         (JSC::ProxyObject::performPreventExtensions):
1482         (JSC::ProxyObject::performIsExtensible):
1483         (JSC::ProxyObject::performDefineOwnProperty):
1484         (JSC::ProxyObject::performGetOwnPropertyNames):
1485         (JSC::ProxyObject::performSetPrototype):
1486         (JSC::ProxyObject::performGetPrototype):
1487         * runtime/ReflectObject.cpp:
1488         (JSC::reflectObjectConstruct):
1489         (JSC::reflectObjectDefineProperty):
1490         (JSC::reflectObjectGet):
1491         (JSC::reflectObjectGetOwnPropertyDescriptor):
1492         (JSC::reflectObjectGetPrototypeOf):
1493         (JSC::reflectObjectIsExtensible):
1494         (JSC::reflectObjectOwnKeys):
1495         (JSC::reflectObjectPreventExtensions):
1496         (JSC::reflectObjectSet):
1497         (JSC::reflectObjectSetPrototypeOf):
1498         * runtime/RegExpConstructor.cpp:
1499         (JSC::RegExpConstructor::finishCreation):
1500         (JSC::toFlags):
1501         * runtime/RegExpObject.cpp:
1502         (JSC::RegExpObject::defineOwnProperty):
1503         * runtime/RegExpObject.h:
1504         * runtime/RegExpPrototype.cpp:
1505         (JSC::regExpProtoFuncCompile):
1506         (JSC::regExpProtoGetterGlobal):
1507         (JSC::regExpProtoGetterIgnoreCase):
1508         (JSC::regExpProtoGetterMultiline):
1509         (JSC::regExpProtoGetterDotAll):
1510         (JSC::regExpProtoGetterSticky):
1511         (JSC::regExpProtoGetterUnicode):
1512         (JSC::regExpProtoGetterFlags):
1513         (JSC::regExpProtoGetterSourceInternal):
1514         (JSC::regExpProtoGetterSource):
1515         * runtime/RuntimeType.cpp:
1516         (JSC::runtimeTypeAsString):
1517         * runtime/SamplingProfiler.cpp:
1518         (JSC::SamplingProfiler::StackFrame::displayName):
1519         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
1520         * runtime/ScriptExecutable.cpp:
1521         (JSC::ScriptExecutable::prepareForExecutionImpl):
1522         * runtime/SetPrototype.cpp:
1523         (JSC::getSet):
1524         * runtime/SparseArrayValueMap.cpp:
1525         (JSC::SparseArrayValueMap::putEntry):
1526         (JSC::SparseArrayValueMap::putDirect):
1527         (JSC::SparseArrayEntry::put):
1528         * runtime/StackFrame.cpp:
1529         (JSC::StackFrame::sourceURL const):
1530         (JSC::StackFrame::functionName const):
1531         * runtime/StringConstructor.cpp:
1532         (JSC::stringFromCodePoint):
1533         * runtime/StringObject.cpp:
1534         (JSC::StringObject::put):
1535         (JSC::StringObject::putByIndex):
1536         * runtime/StringPrototype.cpp:
1537         (JSC::StringPrototype::finishCreation):
1538         (JSC::toLocaleCase):
1539         (JSC::stringProtoFuncNormalize):
1540         * runtime/Symbol.cpp:
1541         (JSC::Symbol::toNumber const):
1542         * runtime/SymbolConstructor.cpp:
1543         (JSC::symbolConstructorKeyFor):
1544         * runtime/SymbolObject.cpp:
1545         (JSC::SymbolObject::toStringName):
1546         * runtime/SymbolPrototype.cpp:
1547         (JSC::SymbolPrototype::finishCreation):
1548         * runtime/TypeSet.cpp:
1549         (JSC::TypeSet::dumpTypes const):
1550         (JSC::TypeSet::displayName const):
1551         (JSC::StructureShape::leastCommonAncestor):
1552         * runtime/TypeSet.h:
1553         (JSC::StructureShape::setConstructorName):
1554         * runtime/VM.cpp:
1555         (JSC::VM::dumpTypeProfilerData):
1556         * runtime/WeakMapPrototype.cpp:
1557         (JSC::getWeakMap):
1558         (JSC::protoFuncWeakMapSet):
1559         * runtime/WeakSetPrototype.cpp:
1560         (JSC::getWeakSet):
1561         (JSC::protoFuncWeakSetAdd):
1562         * tools/JSDollarVM.cpp:
1563         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
1564         (WTF::DOMJITGetterComplex::customGetter):
1565         (JSC::functionSetImpureGetterDelegate):
1566         (JSC::functionCreateElement):
1567         (JSC::functionGetHiddenValue):
1568         (JSC::functionSetHiddenValue):
1569         (JSC::functionFindTypeForExpression):
1570         (JSC::functionReturnTypeFor):
1571         (JSC::functionLoadGetterFromGetterSetter):
1572         * wasm/WasmB3IRGenerator.cpp:
1573         (JSC::Wasm::B3IRGenerator::fail const):
1574         * wasm/WasmIndexOrName.cpp:
1575         (JSC::Wasm::makeString):
1576         * wasm/WasmParser.h:
1577         (JSC::Wasm::FailureHelper::makeString):
1578         (JSC::Wasm::Parser::fail const):
1579         * wasm/WasmPlan.cpp:
1580         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
1581         * wasm/WasmValidate.cpp:
1582         (JSC::Wasm::Validate::fail const):
1583         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1584         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1585         * wasm/js/JSWebAssemblyHelpers.h:
1586         (JSC::toNonWrappingUint32):
1587         (JSC::getWasmBufferFromValue):
1588         * wasm/js/JSWebAssemblyInstance.cpp:
1589         (JSC::JSWebAssemblyInstance::create):
1590         * wasm/js/JSWebAssemblyMemory.cpp:
1591         (JSC::JSWebAssemblyMemory::grow):
1592         * wasm/js/WasmToJS.cpp:
1593         (JSC::Wasm::handleBadI64Use):
1594         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1595         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
1596         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1597         (JSC::constructJSWebAssemblyInstance):
1598         (JSC::WebAssemblyInstanceConstructor::finishCreation):
1599         * wasm/js/WebAssemblyInstancePrototype.cpp:
1600         (JSC::getInstance):
1601         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1602         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
1603         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1604         (JSC::constructJSWebAssemblyMemory):
1605         (JSC::WebAssemblyMemoryConstructor::finishCreation):
1606         * wasm/js/WebAssemblyMemoryPrototype.cpp:
1607         (JSC::getMemory):
1608         * wasm/js/WebAssemblyModuleConstructor.cpp:
1609         (JSC::webAssemblyModuleCustomSections):
1610         (JSC::webAssemblyModuleImports):
1611         (JSC::webAssemblyModuleExports):
1612         (JSC::WebAssemblyModuleConstructor::finishCreation):
1613         * wasm/js/WebAssemblyModuleRecord.cpp:
1614         (JSC::WebAssemblyModuleRecord::link):
1615         (JSC::dataSegmentFail):
1616         (JSC::WebAssemblyModuleRecord::evaluate):
1617         * wasm/js/WebAssemblyPrototype.cpp:
1618         (JSC::resolve):
1619         (JSC::webAssemblyInstantiateFunc):
1620         (JSC::webAssemblyInstantiateStreamingInternal):
1621         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1622         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
1623         * wasm/js/WebAssemblyTableConstructor.cpp:
1624         (JSC::constructJSWebAssemblyTable):
1625         (JSC::WebAssemblyTableConstructor::finishCreation):
1626         * wasm/js/WebAssemblyTablePrototype.cpp:
1627         (JSC::getTable):
1628         (JSC::webAssemblyTableProtoFuncGrow):
1629         (JSC::webAssemblyTableProtoFuncGet):
1630         (JSC::webAssemblyTableProtoFuncSet):
1631
1632 2018-06-22  Keith Miller  <keith_miller@apple.com>
1633
1634         unshift should zero unused property storage
1635         https://bugs.webkit.org/show_bug.cgi?id=186960
1636
1637         Reviewed by Saam Barati.
1638
1639         Also, this patch adds the zeroed unused property storage assertion
1640         to one more place it was missing.
1641
1642         * runtime/JSArray.cpp:
1643         (JSC::JSArray::unshiftCountSlowCase):
1644         * runtime/JSObjectInlines.h:
1645         (JSC::JSObject::putDirectInternal):
1646
1647 2018-06-22  Mark Lam  <mark.lam@apple.com>
1648
1649         PropertyCondition::isValidValueForAttributes() should also consider deleted values.
1650         https://bugs.webkit.org/show_bug.cgi?id=186943
1651         <rdar://problem/41370337>
1652
1653         Reviewed by Saam Barati.
1654
1655         PropertyCondition::isValidValueForAttributes() should check if the passed in value
1656         is a deleted one before it does a jsDynamicCast on it.
1657
1658         * bytecode/PropertyCondition.cpp:
1659         (JSC::PropertyCondition::isValidValueForAttributes):
1660         * runtime/JSCJSValueInlines.h:
1661         - removed an unnecessary #if.
1662
1663 2018-06-22  Keith Miller  <keith_miller@apple.com>
1664
1665         performProxyCall should toThis the value passed to its handler
1666         https://bugs.webkit.org/show_bug.cgi?id=186951
1667
1668         Reviewed by Mark Lam.
1669
1670         * runtime/ProxyObject.cpp:
1671         (JSC::performProxyCall):
1672
1673 2018-06-22  Saam Barati  <sbarati@apple.com>
1674
1675         ensureWritableX should only convert away from CoW when it will succeed
1676         https://bugs.webkit.org/show_bug.cgi?id=186898
1677
1678         Reviewed by Keith Miller.
1679
1680         Otherwise, when we OSR exit, we'll end up profiling the array after
1681         it has been converted away from CoW. It's better for the ArrayProfile
1682         to see the array as it's still in CoW mode.
1683         
1684         This patch also renames ensureWritableX to tryMakeWritableX since these
1685         were never really "ensure" operations -- they may fail and return null.
1686
1687         * dfg/DFGOperations.cpp:
1688         * runtime/JSObject.cpp:
1689         (JSC::JSObject::tryMakeWritableInt32Slow):
1690         (JSC::JSObject::tryMakeWritableDoubleSlow):
1691         (JSC::JSObject::tryMakeWritableContiguousSlow):
1692         (JSC::JSObject::ensureWritableInt32Slow): Deleted.
1693         (JSC::JSObject::ensureWritableDoubleSlow): Deleted.
1694         (JSC::JSObject::ensureWritableContiguousSlow): Deleted.
1695         * runtime/JSObject.h:
1696         (JSC::JSObject::tryMakeWritableInt32):
1697         (JSC::JSObject::tryMakeWritableDouble):
1698         (JSC::JSObject::tryMakeWritableContiguous):
1699         (JSC::JSObject::ensureWritableInt32): Deleted.
1700         (JSC::JSObject::ensureWritableDouble): Deleted.
1701         (JSC::JSObject::ensureWritableContiguous): Deleted.
1702
1703 2018-06-22  Keith Miller  <keith_miller@apple.com>
1704
1705         We should call visitChildren on Base not the exact typename
1706         https://bugs.webkit.org/show_bug.cgi?id=186928
1707
1708         Reviewed by Mark Lam.
1709
1710         A lot of places were not properly calling visitChildren on their
1711         superclass. For most of them it didn't matter because they had
1712         immortal structures. If code changed in the future this might
1713         break things however.
1714
1715         Also, block off more of the MethodTable for GetterSetter objects.
1716
1717         * bytecode/CodeBlock.cpp:
1718         (JSC::CodeBlock::visitChildren):
1719         * bytecode/ExecutableToCodeBlockEdge.cpp:
1720         (JSC::ExecutableToCodeBlockEdge::visitChildren):
1721         * debugger/DebuggerScope.cpp:
1722         (JSC::DebuggerScope::visitChildren):
1723         * runtime/EvalExecutable.cpp:
1724         (JSC::EvalExecutable::visitChildren):
1725         * runtime/FunctionExecutable.cpp:
1726         (JSC::FunctionExecutable::visitChildren):
1727         * runtime/FunctionRareData.cpp:
1728         (JSC::FunctionRareData::visitChildren):
1729         * runtime/GenericArgumentsInlines.h:
1730         (JSC::GenericArguments<Type>::visitChildren):
1731         * runtime/GetterSetter.cpp:
1732         (JSC::GetterSetter::visitChildren):
1733         * runtime/GetterSetter.h:
1734         * runtime/InferredType.cpp:
1735         (JSC::InferredType::visitChildren):
1736         * runtime/InferredTypeTable.cpp:
1737         (JSC::InferredTypeTable::visitChildren):
1738         * runtime/InferredValue.cpp:
1739         (JSC::InferredValue::visitChildren):
1740         * runtime/JSArrayBufferView.cpp:
1741         (JSC::JSArrayBufferView::visitChildren):
1742         * runtime/JSGenericTypedArrayViewInlines.h:
1743         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
1744         * runtime/ModuleProgramExecutable.cpp:
1745         (JSC::ModuleProgramExecutable::visitChildren):
1746         * runtime/ProgramExecutable.cpp:
1747         (JSC::ProgramExecutable::visitChildren):
1748         * runtime/ScopedArguments.cpp:
1749         (JSC::ScopedArguments::visitChildren):
1750         * runtime/ScopedArguments.h:
1751         * runtime/Structure.cpp:
1752         (JSC::Structure::visitChildren):
1753         * runtime/StructureRareData.cpp:
1754         (JSC::StructureRareData::visitChildren):
1755         * runtime/SymbolTable.cpp:
1756         (JSC::SymbolTable::visitChildren):
1757
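The entry above describes why a subclass's visitChildren must chain through Base (the direct superclass) rather than naming a class further up the hierarchy. The following toy mark phase is an added illustration, not JavaScriptCore code: the types Cell, Visitor, Middle, LeafBuggy and LeafFixed are this example's own, and JSC's real SlotVisitor and cell layout are not modelled. It shows that naming the root class directly skips the intermediate class's fields, so a still-referenced cell is never marked.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Hypothetical toy mark phase (names are this example's own, not JSC's).
struct Visitor;

struct Cell {
    bool marked = false;
    virtual ~Cell() = default;
    // Each class reports the cells it references. Subclasses must chain to Base.
    virtual void visitChildren(Visitor&) {}
};

struct Visitor {
    std::vector<Cell*> worklist;
    std::size_t markedCount = 0;

    // Mark a cell once and queue it so its own children get visited.
    void append(Cell* cell) {
        if (!cell || cell->marked)
            return;
        cell->marked = true;
        ++markedCount;
        worklist.push_back(cell);
    }

    // Transitively visit everything reachable from what was appended so far.
    void drain() {
        while (!worklist.empty()) {
            Cell* cell = worklist.back();
            worklist.pop_back();
            cell->visitChildren(*this);
        }
    }
};

// A class between the root and the leaf that owns a reference of its own.
struct Middle : Cell {
    using Base = Cell;
    Cell* middleRef = nullptr;
    void visitChildren(Visitor& visitor) override {
        Base::visitChildren(visitor);
        visitor.append(middleRef);
    }
};

// Buggy: chains to the root class by its exact name, so Middle::visitChildren
// never runs and middleRef is never marked (it would be swept while still referenced).
struct LeafBuggy : Middle {
    Cell* leafRef = nullptr;
    void visitChildren(Visitor& visitor) override {
        Cell::visitChildren(visitor);
        visitor.append(leafRef);
    }
};

// Fixed: redeclares Base as the direct superclass and chains through it.
struct LeafFixed : Middle {
    using Base = Middle;
    Cell* leafRef = nullptr;
    void visitChildren(Visitor& visitor) override {
        Base::visitChildren(visitor);
        visitor.append(leafRef);
    }
};

// Builds root -> {middleRef, leafRef}, marks from root, returns how many cells were marked.
template <typename Leaf>
std::size_t markedFromRoot() {
    Cell middleTarget;
    Cell leafTarget;
    Leaf root;
    root.middleRef = &middleTarget;
    root.leafRef = &leafTarget;

    Visitor visitor;
    visitor.append(&root);
    visitor.drain();
    return visitor.markedCount;
}

int main() {
    assert(markedFromRoot<LeafBuggy>() == 2);  // root and leafTarget only: middleTarget missed
    assert(markedFromRoot<LeafFixed>() == 3);  // all three reachable cells marked
    return 0;
}
```

With the buggy leaf, the collector would free the cell behind middleRef while Middle still points at it, which is the use-after-free class of bug that chaining through Base prevents even when an intermediate class is inserted later.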
1758 2018-06-20  Darin Adler  <darin@apple.com>
1759
1760         [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity
1761         https://bugs.webkit.org/show_bug.cgi?id=186875
1762
1763         Reviewed by Anders Carlsson.
1764
1765         * API/tests/testapi.mm:
1766         (testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file.
1767
1768 2018-06-22  Carlos Garcia Campos  <cgarcia@igalia.com>
1769
1770         [GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message
1771         https://bugs.webkit.org/show_bug.cgi?id=186915
1772
1773         Reviewed by Žan Doberšek.
1774
1775         Update StartAutomationSession message handling to receive a dictionary of session capabilities.
1776
1777         * inspector/remote/glib/RemoteInspectorServer.cpp:
1778         (Inspector::processSessionCapabilities): Helper method to process the session capabilities.
1779
1780 2018-06-21  Mark Lam  <mark.lam@apple.com>
1781
1782         WebKit (JavaScriptCore) compilation error with Clang ≥ 6.
1783         https://bugs.webkit.org/show_bug.cgi?id=185947
1784         <rdar://problem/40131933>
1785
1786         Reviewed by Saam Barati.
1787
1788         Newer Clang versions (due to C++17 support) are not happy with how I implemented
1789         conversions between CodeLocation types.  We'll fix this by adding a conversion
1790         operator for converting between CodeLocation types.
1791
1792         * assembler/CodeLocation.h:
1793         (JSC::CodeLocationCommon::operator T):
1794
1795 2018-06-21  Saam Barati  <sbarati@apple.com>
1796
1797         Do some CoW cleanup
1798         https://bugs.webkit.org/show_bug.cgi?id=186896
1799
1800         Reviewed by Mark Lam.
1801
1802         * bytecode/UnlinkedCodeBlock.h:
1803         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
1804         We don't need to WTFMove() ints
1805
1806         * dfg/DFGByteCodeParser.cpp:
1807         (JSC::DFG::ByteCodeParser::parseBlock):
1808         remove a TODO.
1809
1810         * runtime/JSObject.cpp:
1811         (JSC::JSObject::putByIndex):
1812         We were checking for isCopyOnWrite even after we converted away
1813         from CoW in above code.
1814         (JSC::JSObject::ensureWritableInt32Slow):
1815         Model this in the same way the other ensureWritableXSlow are modeled.
1816
1817 2018-06-20  Keith Miller  <keith_miller@apple.com>
1818
1819         flattenDictionaryStructure needs to zero inline storage.
1820         https://bugs.webkit.org/show_bug.cgi?id=186869
1821
1822         Reviewed by Saam Barati.
1823
1824         This patch also adds the assertion that unused property storage is
1825         zero or JSValue() to putDirectInternal. Additionally, functions
1826         have been added to $vm that flatten dictionary objects and return
1827         the inline capacity of an object.
1828
1829         * runtime/JSObjectInlines.h:
1830         (JSC::JSObject::putDirectInternal):
1831         * runtime/Structure.cpp:
1832         (JSC::Structure::flattenDictionaryStructure):
1833         * tools/JSDollarVM.cpp:
1834         (JSC::functionInlineCapacity):
1835         (JSC::functionFlattenDictionaryObject):
1836         (JSC::JSDollarVM::finishCreation):
1837
1838 2018-06-21  Mark Lam  <mark.lam@apple.com>
1839
1840         Use IsoCellSets to track Executables with clearable code.
1841         https://bugs.webkit.org/show_bug.cgi?id=186877
1842
1843         Reviewed by Filip Pizlo.
1844
1845         Here’s an example of the results that this fix may yield: 
1846         1. The workload: load cnn.com, wait for it to fully load, scroll down and up.
1847         2. Statistics on memory touched and memory freed by VM::deleteAllCode():
1848
1849            Visiting Executables:
1850                                                         Old             New
1851            Number of objects visited:                   70897           14264
1852            Number of objects with deletable code:       14264 (20.1%)   14264 (100%)
1853            Number of memory pages visited:              3224            1602
1854            Number of memory pages with deletable code:  1602 (49.7%)    1602 (100%)
1855
1856            Visiting UnlinkedFunctionExecutables:
1857                                                         Old             New
1858            Number of objects visited:                   105454          17231
1859            Number of objects with deletable code:       42319 (20.1%)   17231 (100%) **
1860            Number of memory pages visited:              4796            1349
1861            Number of memory pages with deletable code:  4013 (83.7%)    1349 (100%)
1862
1863         ** The number of objects differs because the old code only visited unlinked
1864            executables indirectly via linked executables, whereas the new behavior visits
1865            all unlinked executables with deletable code directly.  This means:
1866
1867            a. we used to not visit unlinked executables that have not been linked yet
1868               i.e. deleteAllCode() may not delete all code (especially code that is not
1869               used).
1870            b. we had to visit all linked executables to check if they are of type
1871               FunctionExecutable, before going on to visit their unlinked executable, and
1872               this includes the ones that do not have deletable code.  This means that we
1873               would touch more memory in the process.
1874
1875            Both of these issues are now fixed with the new code.
1876
1877         This code was tested with manually inserted instrumentation to track the above
1878         statistics.  It is not feasible to write an automated test for this without
1879         leaving a lot of invasive instrumentation in the code.
1880
1881         * bytecode/UnlinkedFunctionExecutable.cpp:
1882         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1883         * bytecode/UnlinkedFunctionExecutable.h:
1884         * heap/CodeBlockSetInlines.h:
1885         (JSC::CodeBlockSet::iterateViaSubspaces):
1886         * heap/Heap.cpp:
1887         (JSC::Heap::deleteAllCodeBlocks):
1888         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
1889         (JSC::Heap::deleteUnmarkedCompiledCode):
1890         (JSC::Heap::clearUnmarkedExecutables): Deleted.
1891         (JSC::Heap::addExecutable): Deleted.
1892         * heap/Heap.h:
1893         * runtime/DirectEvalExecutable.h:
1894
1895         * runtime/ExecutableBase.cpp:
1896         (JSC::ExecutableBase::hasClearableCode const):
1897         - this is written based on the implementation of ExecutableBase::clearCode().
1898
1899         * runtime/ExecutableBase.h:
1900         * runtime/FunctionExecutable.h:
1901         * runtime/IndirectEvalExecutable.h:
1902         * runtime/ModuleProgramExecutable.h:
1903         * runtime/ProgramExecutable.h:
1904         * runtime/ScriptExecutable.cpp:
1905         (JSC::ScriptExecutable::clearCode):
1906         (JSC::ScriptExecutable::installCode):
1907         * runtime/ScriptExecutable.h:
1908         (JSC::ScriptExecutable::finishCreation):
1909         * runtime/VM.cpp:
1910         (JSC::VM::VM):
1911         * runtime/VM.h:
1912         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
1913         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
1914         (JSC::VM::forEachScriptExecutableSpace):
1915         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet):
1916         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor):
1917
1918 2018-06-21  Zan Dobersek  <zdobersek@igalia.com>
1919
1920         [GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions
1921         https://bugs.webkit.org/show_bug.cgi?id=186884
1922
1923         Reviewed by Carlos Garcia Campos.
1924
1925         Add a tuple array input parameter to the StartAutomationSession DBus
1926         message, representing a list of host-and-certificate pairs that have to
1927         be allowed for a given session. This array is then unpacked and used to
1928         fill out the certificates Vector object in the SessionCapabilities
1929         struct.
1930
1931         * inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of
1932         String pairs representing hosts and the certificate file paths.
1933         * inspector/remote/glib/RemoteInspectorServer.cpp:
1934
1935 2018-06-20  Keith Miller  <keith_miller@apple.com>
1936
1937         Expand concurrent GC assertion to accept JSValue() or 0
1938         https://bugs.webkit.org/show_bug.cgi?id=186855
1939
1940         Reviewed by Mark Lam.
1941
1942         We tend to set unused property slots to either JSValue() or 0
1943         depending on the context. On 64-bit these are the same but on
1944         32-bit JSValue() has a NaN tag. This patch makes it so we
1945         accept either JSValue() or 0.
1946
1947         * runtime/JSObjectInlines.h:
1948         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1949
1950 2018-06-20  Guillaume Emont  <guijemont@igalia.com>
1951
1952         [Armv7] Linkbuffer: executableOffsetFor() fails for location 2
1953         https://bugs.webkit.org/show_bug.cgi?id=186765
1954
1955         Reviewed by Michael Saboff.
1956
1957         This widens the check for 0 so that we handle that case more correctly.
1958
1959         * assembler/LinkBuffer.h:
1960         (JSC::LinkBuffer::executableOffsetFor):
1961
1962 2018-06-19  Keith Miller  <keith_miller@apple.com>
1963
1964         Fix broken assertion on 32-bit
1965         https://bugs.webkit.org/show_bug.cgi?id=186830
1966
1967         Reviewed by Mark Lam.
1968
1969         The assertion was intended to catch concurrent GC issues. We don't
1970         run them on 32-bit so we don't need this assertion there. The
1971         assertion was broken because zero is not JSValue() on 32-bit.
1972
1973         * runtime/JSObjectInlines.h:
1974         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1975
1976 2018-06-19  Keith Miller  <keith_miller@apple.com>
1977
1978         flattenDictionaryStructure needs to zero properties that have been compressed away
1979         https://bugs.webkit.org/show_bug.cgi?id=186828
1980
1981         Reviewed by Mark Lam.
1982
1983         This patch fixes a bunch of crashing Mozilla tests on the bots.
1984
1985         * runtime/Structure.cpp:
1986         (JSC::Structure::flattenDictionaryStructure):
1987
1988 2018-06-19  Saam Barati  <sbarati@apple.com>
1989
1990         DirectArguments::create needs to initialize to undefined instead of the empty value
1991         https://bugs.webkit.org/show_bug.cgi?id=186818
1992         <rdar://problem/38415177>
1993
1994         Reviewed by Filip Pizlo.
1995
1996         The bug here is that we will emit code that just loads from DirectArguments as
1997         long as the index is within the known capacity of the arguments object (op_get_from_arguments).
1998         The arguments object has at least enough capacity to hold the declared parameters.
1999         When we materialized this object in OSR exit, we initialized up to the capacity
2000         with JSValue(). In OSR exit, though, we only filled up to the length of the
2001         object with actual values. So we'd end up with a DirectArguments object with
2002         capacity minus length slots of JSValue(). To fix this, we need to initialize up to
2003         capacity with jsUndefined during construction. The invariant of this object is
2004         that the capacity minus length slots at the end are filled in with jsUndefined.
2005
2006         * runtime/DirectArguments.cpp:
2007         (JSC::DirectArguments::create):
2008
2009 2018-06-19  Michael Saboff  <msaboff@apple.com>
2010
2011         Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
2012         https://bugs.webkit.org/show_bug.cgi?id=186827
2013
2014         Reviewed by Saam Barati.
2015
2016         Need to set VM::lastStackTop before any possible calls to sanitizeStack().
2017
2018         * runtime/JSLock.cpp:
2019         (JSC::JSLock::didAcquireLock):
2020
2021 2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>
2022
2023         ShadowChicken crashes with stack overflow in the LLInt
2024         https://bugs.webkit.org/show_bug.cgi?id=186540
2025         <rdar://problem/39682133>
2026
2027         Reviewed by Saam Barati.
2028
2029         Stack overflows in the LLInt were crashing in ShadowChicken when compiling
2030         with debug opcodes because it was accessing the scope of the incomplete top
2031         frame, which hadn't been set yet. Check that we have moved past the first
2032         opcode (enter) and that the scope is not undefined (enter will
2033         initialize it to undefined).
2034
2035         * interpreter/ShadowChicken.cpp:
2036         (JSC::ShadowChicken::update):
2037
2038 2018-06-19  Keith Miller  <keith_miller@apple.com>
2039
2040         constructArray variants should take the slow path for subclasses of Array
2041         https://bugs.webkit.org/show_bug.cgi?id=186812
2042
2043         Reviewed by Saam Barati and Mark Lam.
2044
2045         This patch fixes a crashing test in ObjectInitializationScope where we would
2046         allocate a new structure for an indexing type change while initializing
2047         a subclass of Array. Since the new array hasn't been fully initialized
2048         if the GC ran it would see garbage and we might crash.
2049
2050         * runtime/JSArray.cpp:
2051         (JSC::constructArray):
2052         (JSC::constructArrayNegativeIndexed):
2053         * runtime/JSArray.h:
2054         (JSC::constructArray): Deleted.
2055         (JSC::constructArrayNegativeIndexed): Deleted.
2056
2057 2018-06-19  Saam Barati  <sbarati@apple.com>
2058
2059         Wasm: Any function argument of type Void should be a validation error
2060         https://bugs.webkit.org/show_bug.cgi?id=186794
2061         <rdar://problem/41140257>
2062
2063         Reviewed by Keith Miller.
2064
2065         * wasm/WasmModuleParser.cpp:
2066         (JSC::Wasm::ModuleParser::parseType):
2067
2068 2018-06-18  Keith Miller  <keith_miller@apple.com>
2069
2070         JSImmutableButterfly should assert m_header is adjacent to the data
2071         https://bugs.webkit.org/show_bug.cgi?id=186795
2072
2073         Reviewed by Saam Barati.
2074
2075         * runtime/JSImmutableButterfly.cpp:
2076         * runtime/JSImmutableButterfly.h:
2077
2078 2018-06-18  Keith Miller  <keith_miller@apple.com>
2079
2080         Unreviewed, fix the build...
2081
2082         * runtime/JSArray.cpp:
2083         (JSC::JSArray::tryCreateUninitializedRestricted):
2084
2085 2018-06-18  Keith Miller  <keith_miller@apple.com>
2086
2087         Unreviewed, remove bad assertion.
2088
2089         * runtime/JSArray.cpp:
2090         (JSC::JSArray::tryCreateUninitializedRestricted):
2091
2092 2018-06-18  Keith Miller  <keith_miller@apple.com>
2093
2094         Properly zero unused property storage offsets
2095         https://bugs.webkit.org/show_bug.cgi?id=186692
2096
2097         Reviewed by Filip Pizlo.
2098
2099         Since the concurrent GC might see a property slot before the mutator has actually
2100         stored the value there, we need to ensure that slot doesn't have garbage in it.
2101
2102         Right now when calling constructConvertedArrayStorageWithoutCopyingElements
2103         or creating a RegExp matches array, we never cleared the unused
2104         property storage. ObjectInitializationScope has also been upgraded
2105         to look for our invariants around property storage. Additionally,
2106         a new assertion has been added to check for JSValue() when adding
2107         a new property.
2108
2109         We used to put undefined into deleted property offsets. To
2110         make things simpler, this patch causes us to store JSValue() there
2111         instead.
2112
2113         Lastly, this patch fixes an issue where we would initialize the
2114         array storage of RegExpMatchesArray twice. First with 0 and
2115         secondly with the actual result. Now we only zero memory between
2116         vector length and public length.
2117
2118         * runtime/Butterfly.h:
2119         (JSC::Butterfly::offsetOfVectorLength):
2120         * runtime/ButterflyInlines.h:
2121         (JSC::Butterfly::tryCreateUninitialized):
2122         (JSC::Butterfly::createUninitialized):
2123         (JSC::Butterfly::tryCreate):
2124         (JSC::Butterfly::create):
2125         (JSC::Butterfly::createOrGrowPropertyStorage):
2126         (JSC::Butterfly::createOrGrowArrayRight):
2127         (JSC::Butterfly::growArrayRight):
2128         (JSC::Butterfly::resizeArray):
2129         * runtime/JSArray.cpp:
2130         (JSC::JSArray::tryCreateUninitializedRestricted):
2131         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
2132         * runtime/JSArray.h:
2133         (JSC::tryCreateArrayButterfly):
2134         * runtime/JSObject.cpp:
2135         (JSC::JSObject::createArrayStorageButterfly):
2136         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2137         (JSC::JSObject::deleteProperty):
2138         (JSC::JSObject::shiftButterflyAfterFlattening):
2139         * runtime/JSObject.h:
2140         * runtime/JSObjectInlines.h:
2141         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2142         * runtime/ObjectInitializationScope.cpp:
2143         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2144         * runtime/ObjectInitializationScope.h:
2145         (JSC::ObjectInitializationScope::release):
2146         * runtime/RegExpMatchesArray.h:
2147         (JSC::tryCreateUninitializedRegExpMatchesArray):
2148         (JSC::createRegExpMatchesArray):
2149
2150         * runtime/Butterfly.h:
2151         (JSC::Butterfly::offsetOfVectorLength):
2152         * runtime/ButterflyInlines.h:
2153         (JSC::Butterfly::tryCreateUninitialized):
2154         (JSC::Butterfly::createUninitialized):
2155         (JSC::Butterfly::tryCreate):
2156         (JSC::Butterfly::create):
2157         (JSC::Butterfly::createOrGrowPropertyStorage):
2158         (JSC::Butterfly::createOrGrowArrayRight):
2159         (JSC::Butterfly::growArrayRight):
2160         (JSC::Butterfly::resizeArray):
2161         * runtime/JSArray.cpp:
2162         (JSC::JSArray::tryCreateUninitializedRestricted):
2163         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
2164         * runtime/JSArray.h:
2165         (JSC::tryCreateArrayButterfly):
2166         * runtime/JSObject.cpp:
2167         (JSC::JSObject::createArrayStorageButterfly):
2168         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2169         (JSC::JSObject::deleteProperty):
2170         (JSC::JSObject::shiftButterflyAfterFlattening):
2171         * runtime/JSObject.h:
2172         * runtime/JSObjectInlines.h:
2173         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2174         * runtime/ObjectInitializationScope.cpp:
2175         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2176         * runtime/RegExpMatchesArray.cpp:
2177         (JSC::createEmptyRegExpMatchesArray):
2178         * runtime/RegExpMatchesArray.h:
2179         (JSC::tryCreateUninitializedRegExpMatchesArray):
2180         (JSC::createRegExpMatchesArray):
2181
2182 2018-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2183
2184         Share structure across instances of classes exported through the ObjC API
2185         https://bugs.webkit.org/show_bug.cgi?id=186579
2186         <rdar://problem/40969212>
2187
2188         Reviewed by Saam Barati.
2189
2190         A new structure was being created for each instance of exported ObjC
2191         classes due to setting the prototype in the structure for every object,
2192         since prototype transitions are not cached by the structure. Cache the
2193         Structure in the JSObjcClassInfo to avoid the transition.
2194
2195         * API/JSWrapperMap.mm:
2196         (-[JSObjCClassInfo wrapperForObject:inContext:]):
2197         (-[JSObjCClassInfo structureInContext:]):
2198         * API/tests/JSWrapperMapTests.h: Added.
2199         * API/tests/JSWrapperMapTests.mm: Added.
2200         (+[JSWrapperMapTests testStructureIdentity]):
2201         (runJSWrapperMapTests):
2202         * API/tests/testapi.mm:
2203         (testObjectiveCAPIMain):
2204         * JavaScriptCore.xcodeproj/project.pbxproj:
2205
2206 2018-06-18  Michael Saboff  <msaboff@apple.com>
2207
2208         Support Unicode 11 in RegExp
2209         https://bugs.webkit.org/show_bug.cgi?id=186685
2210
2211         Reviewed by Mark Lam.
2212
2213         Updated the UCD tables used to generate RegExp property tables to version 11.0.
2214
2215         * Scripts/generateYarrUnicodePropertyTables.py:
2216         * ucd/CaseFolding.txt:
2217         * ucd/DerivedBinaryProperties.txt:
2218         * ucd/DerivedCoreProperties.txt:
2219         * ucd/DerivedNormalizationProps.txt:
2220         * ucd/PropList.txt:
2221         * ucd/PropertyAliases.txt:
2222         * ucd/PropertyValueAliases.txt:
2223         * ucd/ScriptExtensions.txt:
2224         * ucd/Scripts.txt:
2225         * ucd/UnicodeData.txt:
2226         * ucd/emoji-data.txt:
2227
2228 2018-06-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2229
2230         [WTF] Remove workarounds needed to support libstdc++-4
2231         https://bugs.webkit.org/show_bug.cgi?id=186762
2232
2233         Reviewed by Michael Catanzaro.
2234
2235         Revert r226299, r226300 r226301 and r226302.
2236
2237         * API/tests/TypedArrayCTest.cpp:
2238         (assertEqualsAsNumber):
2239
2240 2018-06-16  Michael Catanzaro  <mcatanzaro@igalia.com>
2241
2242         REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
2243         https://bugs.webkit.org/show_bug.cgi?id=182923
2244
2245         Reviewed by Mark Lam.
2246
2247         The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
2248         Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.
2249
2250         * heap/MarkedBlock.h:
2251
2252 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2253
2254         [JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
2255         https://bugs.webkit.org/show_bug.cgi?id=186723
2256
2257         Reviewed by Mark Lam.
2258
2259         Now, the CoW -> non-CoW transition is a heavy path. We inline the part of Structure::nonPropertyTransition
2260         to catch the major path. And we also inline JSArray::pushInline well to spread this in operationArrayPushMultiple.
2261
2262         This patch improves SixSpeed/spread-literal.es5.
2263
2264                                      baseline                  patched
2265
2266         spread-literal.es5      114.4140+-4.5146     ^    104.5475+-3.6157        ^ definitely 1.0944x faster
2267
2268         * runtime/JSArrayInlines.h:
2269         (JSC::JSArray::pushInline):
2270         * runtime/Structure.cpp:
2271         (JSC::Structure::nonPropertyTransitionSlow):
2272         (JSC::Structure::nonPropertyTransition): Deleted.
2273         * runtime/Structure.h:
2274         * runtime/StructureInlines.h:
2275         (JSC::Structure::nonPropertyTransition):
2276
2277 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2278
2279         [DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
2280         https://bugs.webkit.org/show_bug.cgi?id=186721
2281
2282         Reviewed by Keith Miller.
2283
2284         We still have several other OSRExits, but this patch reduces that.
2285
2286         1. While ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
2287         So DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.
2288
2289         2. The CoW patch removed ArrayAllocationProfile updates. This makes allocated JSImmutableButterfly
2290         inappropriate.
2291
2292         These changes fix the Kraken/crypto-aes regression a bit.
2293
2294                                       baseline                  patched
2295
2296         stanford-crypto-aes        63.718+-2.312      ^      56.140+-0.966         ^ definitely 1.1350x faster
2297
2298
2299         * dfg/DFGByteCodeParser.cpp:
2300         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2301         * ftl/FTLOperations.cpp:
2302         (JSC::FTL::operationMaterializeObjectInOSR):
2303         * runtime/CommonSlowPaths.cpp:
2304         (JSC::SLOW_PATH_DECL):
2305
2306 2018-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2307
2308         [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
2309         https://bugs.webkit.org/show_bug.cgi?id=186460
2310
2311         Reviewed by Saam Barati.
2312
2313         Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
2314         We should return JSFixedArray for Spread. This patch adds a code generating
2315         a JSFixedArray from JSImmutableButterfly.
2316
2317         Merging JSFixedArray into JSImmutableButterfly is a possible future extension.
2318
2319         * ftl/FTLLowerDFGToB3.cpp:
2320         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
2321         * runtime/JSFixedArray.h:
2322
2323 2018-06-15  Saam Barati  <sbarati@apple.com>
2324
2325         Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
2326         https://bugs.webkit.org/show_bug.cgi?id=186687
2327         <rdar://problem/40071332>
2328
2329         Reviewed by Keith Miller.
2330
2331         * API/JSVirtualMachinePrivate.h:
2332
2333 2018-06-15  Saam Barati  <sbarati@apple.com>
2334
2335         Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
2336         https://bugs.webkit.org/show_bug.cgi?id=186648
2337
2338         Reviewed by Michael Saboff.
2339
2340         This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
2341         regressed with my first version of ForceOSRExit CFG pruning. This patch makes
2342         ForceOSRExit CFG pruning more aggressive by not ignoring everything that
2343         can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
2344         if it's the plan's osr entry bytecode target. The goal is to get a speedometer
2345         2 speedup with this change on iOS.
2346
2347         * dfg/DFGByteCodeParser.cpp:
2348         (JSC::DFG::ByteCodeParser::parse):
2349
2350 2018-06-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2351
2352         Unreviewed, rolling out r232816.
2353
2354         Suggested by Caitlin:
2355         "this patch clearly does get some things wrong, and it's not
2356         easy to find what those things are"
2357
2358         Reverted changeset:
2359
2360         "[LLInt] use loadp consistently for
2361         get_from_scope/put_to_scope"
2362         https://bugs.webkit.org/show_bug.cgi?id=132333
2363         https://trac.webkit.org/changeset/232816
2364
2365 2018-06-14  Michael Saboff  <msaboff@apple.com>
2366
2367         REGRESSION(232741): Crash running ARES-6
2368         https://bugs.webkit.org/show_bug.cgi?id=186630
2369
2370         Reviewed by Saam Barati.
2371
2372         The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
2373         treated edges between identical predecessor->successor pairs independently.
2374         This fixes the issue by handling such edges once, using the added intermediate
2375         pad for all instances of the edges between the same pairs.
2376
2377         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2378         (JSC::DFG::CriticalEdgeBreakingPhase::run):
2379         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
2380
2381 2018-06-14  Carlos Garcia Campos  <cgarcia@igalia.com>
2382
2383         [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
2384         https://bugs.webkit.org/show_bug.cgi?id=186560
2385
2386         Reviewed by Brian Burg.
2387
2388         Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
2389         that always receives the session capabilities.
2390
2391         * inspector/remote/RemoteInspector.h:
2392         * inspector/remote/RemoteInspectorConstants.h:
2393         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2394         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
2395         WebKit here and fill the SessionCapabilities instead.
2396         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2397         (Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
2398         * inspector/remote/glib/RemoteInspectorServer.cpp:
2399         (Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
2400         * inspector/remote/glib/RemoteInspectorServer.h:
2401
2402 2018-06-13  Adrian Perez de Castro  <aperez@igalia.com>
2403
2404         [WPE] Trying to access the remote inspector hits an assertion in the UIProcess
2405         https://bugs.webkit.org/show_bug.cgi?id=186588
2406
2407         Reviewed by Carlos Garcia Campos.
2408
2409         Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
2410         for resource paths, which avoids needing a switcheroo depending on the port.
2411
2412         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2413
2414 2018-06-13  Caitlin Potter  <caitp@igalia.com>
2415
2416         [LLInt] use loadp consistently for get_from_scope/put_to_scope
2417         https://bugs.webkit.org/show_bug.cgi?id=132333
2418
2419         Reviewed by Mark Lam.
2420
2421         Using `loadis` for register indexes and `loadp` for constant scopes /
2422         symboltables makes sense, but is problematic for big-endian
2423         architectures.
2424
2425         Consistently treating the operand as a pointer simplifies determining
2426         how to access the operand, and helps avoid bad accesses and crashes on
2427         big-endian ports.
2428
2429         * bytecode/CodeBlock.cpp:
2430         (JSC::CodeBlock::finishCreation):
2431         * bytecode/Instruction.h:
2432         * jit/JITOperations.cpp:
2433         * llint/LLIntSlowPaths.cpp:
2434         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2435         * llint/LowLevelInterpreter32_64.asm:
2436         * llint/LowLevelInterpreter64.asm:
2437         * runtime/CommonSlowPaths.h:
2438         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2439         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2440
2441 2018-06-13  Keith Miller  <keith_miller@apple.com>
2442
2443         AutomaticThread should have a way to provide a thread name
2444         https://bugs.webkit.org/show_bug.cgi?id=186604
2445
2446         Reviewed by Filip Pizlo.
2447
2448         Add names for JSC's automatic threads.
2449
2450         * dfg/DFGWorklist.cpp:
2451         * heap/Heap.cpp:
2452         * jit/JITWorklist.cpp:
2453         * runtime/VMTraps.cpp:
2454         * wasm/WasmWorklist.cpp:
2455
2456 2018-06-13  Saam Barati  <sbarati@apple.com>
2457
2458         CFGSimplificationPhase should de-dupe jettisonedBlocks
2459         https://bugs.webkit.org/show_bug.cgi?id=186583
2460
2461         Reviewed by Filip Pizlo.
2462
2463         When making the predecessors list unique in r232741, it revealed a bug inside
2464         of CFG simplification, where we try to remove the same predecessor more than
2465         once from a block's predecessors list. We built the list of blocks to remove
2466         from the list of successors, which is not unique, causing us to try to remove
2467         the same predecessor more than once. The solution here is to just add to this
2468         list of blocks to remove only if the block is not already in the list.
2469
2470         * dfg/DFGCFGSimplificationPhase.cpp:
2471         (JSC::DFG::CFGSimplificationPhase::run):
2472
2473 2018-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2474
2475         [JSC] Always use Nuke & Set procedure for x86
2476         https://bugs.webkit.org/show_bug.cgi?id=186592
2477
2478         Reviewed by Keith Miller.
2479
2480         We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
2481         By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
2482         threads.
2483
2484         * runtime/JSObject.cpp:
2485         (JSC::JSObject::convertContiguousToArrayStorage):
2486
2487 2018-06-12  Saam Barati  <sbarati@apple.com>
2488
2489         Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
2490         https://bugs.webkit.org/show_bug.cgi?id=186071
2491
2492         Reviewed by Mark Lam.
2493
2494         * API/JSVirtualMachine.mm:
2495         (-[JSVirtualMachine shrinkFootprint]): Deleted.
2496         * API/JSVirtualMachinePrivate.h:
2497
2498 2018-06-11  Saam Barati  <sbarati@apple.com>
2499
2500         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
2501         https://bugs.webkit.org/show_bug.cgi?id=181409
2502         <rdar://problem/36383749>
2503
2504         Reviewed by Keith Miller.
2505
2506         This patch is me redoing r226655. This is a patch I wrote when
2507         profiling Speedometer. Fil rolled this change out in r230928. He
2508         showed this slowed down a sunspider test by ~2x. This sunspider
2509         regression revealed a real performance bug in the original change:
2510         we would kill blocks that reached OSR entry targets, sometimes leading
2511         us to not do OSR entry into the DFG, since we could end up deleting
2512         entire loops from the CFG. The reason for this is that code that has run
2513         ~once and that reaches loops often has ForceOSRExits inside of it. The
2514         solution to this is to not perform this optimization on blocks that can
2515         reach OSR entry targets.
2516         
2517         The reason I'm redoing this patch is that it turns out Fil rolling
2518         out the change was a Speedometer 2 regression.
2519         
2520         This is a modified version of the original ChangeLog I wrote in r226655:
2521         
2522         When I was looking at profiler data for Speedometer, I noticed that one of
2523         the hottest functions in Speedometer is around 1100 bytecode operations long.
2524         Only about 100 of those bytecode ops ever execute. However, we ended up
2525         spending a lot of time compiling basic blocks that never executed. We often
2526         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
2527         This is the case when such a node never executes.
2528         
2529         This patch makes it so that anytime a block has a ForceOSRExit, and that block
2530         can not reach an OSR entry target, we replace its terminal node with an Unreachable
2531         node, and remove all nodes after the ForceOSRExit. This cuts down the graph
2532         size since it removes control flow edges from the CFG. This allows us to get
2533         rid of huge chunks of the CFG in certain programs. When doing this transformation,
2534         we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
2535         live-in to the ForceOSRExit.
2536         
2537         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
2538         does not get rid of all the CFG that it could. If we decide it's worth
2539         it, we could use additional inputs into this mechanism. For example, we could
2540         profile if a basic block ever executes inside the LLInt/Baseline, and
2541         remove parts of the CFG based on that.
2542         
2543         When running Speedometer with the concurrent JIT turned off, this patch
2544         improves DFG/FTL compile times by around 5%.
2545
2546         * dfg/DFGByteCodeParser.cpp:
2547         (JSC::DFG::ByteCodeParser::addToGraph):
2548         (JSC::DFG::ByteCodeParser::inlineCall):
2549         (JSC::DFG::ByteCodeParser::parse):
2550         * dfg/DFGGraph.cpp:
2551         (JSC::DFG::Graph::blocksInPostOrder):
2552
2553 2018-06-11  Saam Barati  <sbarati@apple.com>
2554
2555         The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
2556         https://bugs.webkit.org/show_bug.cgi?id=184829
2557
2558         Reviewed by Michael Saboff.
2559
2560         This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
2561         In B3/Air, this just meant writing a validation rule. In DFG, this meant
2562         ensuring this property when building up the predecessors list, and also adding
2563         a validation rule. The NaturalLoops algorithm relies on this property.
2564
2565         * b3/B3Validate.cpp:
2566         * b3/air/AirValidate.cpp:
2567         * b3/testb3.cpp:
2568         (JSC::B3::testLoopWithMultipleHeaderEdges):
2569         (JSC::B3::run):
2570         * dfg/DFGGraph.cpp:
2571         (JSC::DFG::Graph::handleSuccessor):
2572         * dfg/DFGValidate.cpp:
2573
2574 2018-06-11  Keith Miller  <keith_miller@apple.com>
2575
2576         Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire which churns 65KB of memory
2577         https://bugs.webkit.org/show_bug.cgi?id=186467
2578
2579         Reviewed by Simon Fraser.
2580
2581         This patch adds a LazyFireDetail that wraps ScopedLambda so that
2582         we don't actually malloc any strings for firing unless those
2583         Strings are actually going to be printed.
2584
2585         * bytecode/Watchpoint.h:
2586         (JSC::LazyFireDetail::LazyFireDetail):
2587         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2588         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
2589         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2590         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2591         * runtime/ArrayPrototype.cpp:
2592         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2593
2594 2018-06-11  Mark Lam  <mark.lam@apple.com>
2595
2596         Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
2597         https://bugs.webkit.org/show_bug.cgi?id=186451
2598         <rdar://problem/40875792>
2599
2600         Reviewed by Tim Horton.
2601
2602         Enhance setOptions() to be able to take a comma separated options string in
2603         addition to white space separated options strings.
2604
2605         * runtime/Options.cpp:
2606         (JSC::isSeparator):
2607         (JSC::Options::setOptions):
2608
2609 2018-06-11  Michael Saboff  <msaboff@apple.com>
2610
2611         JavaScriptCore: Disable 32-bit JIT on Windows
2612         https://bugs.webkit.org/show_bug.cgi?id=185989
2613
2614         Reviewed by Mark Lam.
2615
2616         Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.
2617
2618         * llint/LLIntData.h:
2619         (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
2620         * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
2621         have a case label because these aren't opcodes.
2622         * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
2623         on the JIT being enabled.
2624         (JSC::recomputeDependentOptions):
2625
2626 2018-06-11  Michael Saboff  <msaboff@apple.com>
2627
2628         Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
2629         https://bugs.webkit.org/show_bug.cgi?id=186477
2630
2631         Reviewed by Filip Pizlo.
2632
2633         Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
2634         YARR interpreter nodes.  This caused us to overwrite other frame information.
2635
2636         Added frame offset debugging code to YARR interpreter.
2637
2638         * yarr/YarrInterpreter.cpp:
2639         (JSC::Yarr::ByteCompiler::emitDisjunction):
2640         (JSC::Yarr::ByteCompiler::dumpDisjunction):
2641
2642 2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2643
2644         [JSC] Array.prototype.sort should reject a null comparator
2645         https://bugs.webkit.org/show_bug.cgi?id=186458
2646
2647         Reviewed by Keith Miller.
2648
2649         This relaxed behavior was once introduced in r216169 to fix some pages by aligning
2650         the behavior to Chrome and Firefox.
2651
2652         However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
2653         accepts it. This patch reverts r216169 to align JSC to the other engines and fix
2654         the spec issue.
2655
2656         * builtins/ArrayPrototype.js:
2657         (sort):

2018-06-09  Dan Bernstein  <mitz@apple.com>

        [Xcode] Clean up and modernize some build setting definitions
        https://bugs.webkit.org/show_bug.cgi?id=186463

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
          definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
          is true for all supported Xcode versions.
        * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
        * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
          ENABLE_VIDEO_PRESENTATION_MODE now that macOS 10.12 is the earliest supported version.
        * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
        * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.

2018-06-09  Dan Bernstein  <mitz@apple.com>

        Added missing file references to the Configuration group.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-06-08  Darin Adler  <darin@apple.com>

        [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
        https://bugs.webkit.org/show_bug.cgi?id=186436

        Reviewed by Anders Carlsson.

        * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
        objc-internal.h and explicitly declaring the alternative.

2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>

        [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
        https://bugs.webkit.org/show_bug.cgi?id=186442
        <rdar://problem/40879364>

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>

        jumpTrueOrFalse only takes the fast path for boolean false on 64-bit LLInt
        https://bugs.webkit.org/show_bug.cgi?id=186446
        <rdar://problem/40949995>

        Reviewed by Mark Lam.

        On 64-bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
        boolean literals, but it would only work for false. Change it so that it
        takes the fast path for true, false, null and undefined.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:

2018-06-08  Brian Burg  <bburg@apple.com>

        [Cocoa] Web Automation: include browser name and version in listing for automation targets
        https://bugs.webkit.org/show_bug.cgi?id=186204
        <rdar://problem/36950423>

        Reviewed by Darin Adler.

        Ask the client what the reported browser name and version should be, then
        send this as part of the listing for an automation target.

        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::listingForAutomationTarget const):

2018-06-07  Chris Dumez  <cdumez@apple.com>

        Add base class to get WeakPtrFactory member and avoid some boilerplate code
        https://bugs.webkit.org/show_bug.cgi?id=186407

        Reviewed by Brent Fulgham.

        Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
        order to avoid some boilerplate code in every class needing a WeakPtrFactory.
        This also gets rid of old-style createWeakPtr() methods in favor of the newer
        makeWeakPtr().

        * wasm/WasmInstance.h:
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::registerInstance):

2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>

        Don't try to allocate JIT memory if we don't have the JIT entitlement
        https://bugs.webkit.org/show_bug.cgi?id=182605
        <rdar://problem/38271229>

        Reviewed by Mark Lam.

        Check that the current process has the correct entitlements before
        trying to allocate JIT memory, to silence warnings.

        * jit/ExecutableAllocator.cpp:
        (JSC::allowJIT): Helper that checks entitlements on iOS and returns true on other platforms.
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Check allowJIT before trying to allocate.

2018-06-07  Saam Barati  <sbarati@apple.com>

        TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
        https://bugs.webkit.org/show_bug.cgi?id=186386

        Reviewed by Filip Pizlo.

        This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.

        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):

2018-06-02  Filip Pizlo  <fpizlo@apple.com>

        FunctionRareData::m_objectAllocationProfileWatchpoint is racy
        https://bugs.webkit.org/show_bug.cgi?id=186237

        Reviewed by Saam Barati.

        We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
        that means that we never notice that it fired if it fires between when the DFG decides to
        watch it and when it actually adds the watchpoint.

        Most watchpoints are initialized watched for this purpose. This one had a somewhat good
        reason for being initialized blind: that's how we knew to ignore changes to the prototype
        before the first allocation. However, that functionality also arose out of the fact that the
        rare data is created lazily and usually won't exist until the first allocation.

        The fix here is to make the watchpoint go into watched mode as soon as we initialize the
        object allocation profile.

        It's hard to repro this race; however, it started causing spurious test failures for me after
        bug 164904.

        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::initializeObjectAllocationProfile):

2018-06-07  Saam Barati  <sbarati@apple.com>

        Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
        https://bugs.webkit.org/show_bug.cgi?id=186218
        <rdar://problem/38449540>

        Reviewed by Filip Pizlo.

        This patch makes tierUpCommon a tad bit more sane. There are a few things
        that I did:
        - There were a few release asserts that were crashing. Those release asserts
        were incorrect. They were making assumptions about how the code and data
        structures were ordered that were wrong. This patch removes them. The code
        was using the loop hierarchy vector to make assumptions about which loop we
        were currently executing in, which is incorrect. The only information that
        can be used about where we're currently executing is the bytecode index we're
        at.
        - This makes it so that we go back to trying to compile outer loops before
        inner loops. JF accidentally reverted this behavior that Ben implemented.
        JF made it so that we just compiled the innermost loop. I make this
        functionality work by first triggering a compile for the outermost loop
        that the code is currently executing in and that can perform OSR entry.
        However, some programs can get stuck in inner loops. The code works by
        progressively asking inner loops to compile if program execution has not
        yet reached an outer loop.

        * dfg/DFGOperations.cpp:

2018-06-06  Guillaume Emont  <guijemont@igalia.com>

        ArityFixup should adjust SP first on 32-bit platforms too
        https://bugs.webkit.org/show_bug.cgi?id=186351

        Reviewed by Yusuke Suzuki.

        * jit/ThunkGenerators.cpp:
        (JSC::arityFixupGenerator):

2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Compare operations do not respect negative zeros
        https://bugs.webkit.org/show_bug.cgi?id=183729

        Reviewed by Saam Barati.

        Compare operations do not respect negative zeros. So propagating this can
        reduce the size of the produced code for the negative zero case. This pattern
        can be seen in Kraken stanford-crypto-aes.

        This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsdouble) to false.
        However, NonIntAsdouble includes negative zero, which can be equal to Int32 positive zero.
        This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.

        * bytecode/SpeculatedType.cpp:
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
        To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
        SpecDoubleReal.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):

2018-06-06  Saam Barati  <sbarati@apple.com>

        generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
        https://bugs.webkit.org/show_bug.cgi?id=186363

        Rubber-stamped by Filip Pizlo.

        The code was assuming that the object it was creating an OPC for always
        had a non-poly-proto structure. However, this assumption was wrong. For
        example, an object in the prototype chain could be poly proto. That type
        of object graph would cause a crash in this code. This patch makes it so
        that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
        object as we traverse the prototype chain.

        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):

2018-06-05  Brent Fulgham  <bfulgham@apple.com>

        Adjust compile and runtime flags to match shippable state of features
        https://bugs.webkit.org/show_bug.cgi?id=186319
        <rdar://problem/40352045>

        Reviewed by Maciej Stachowiak, Jon Lee, and others.

        This patch revises the compile time and runtime state for various features to match their
        suitability for end-user releases.

        * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
        WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
        Cocoa builds.
        * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
        or ENABLE_INPUT_TYPE_COLOR_POPOVER.
        * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
        at runtime for non-production builds.

2018-06-05  Brent Fulgham  <bfulgham@apple.com>

        Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
        https://bugs.webkit.org/show_bug.cgi?id=186286
        <rdar://problem/40782992>

        Reviewed by Dan Bernstein.

        Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
        to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
        change this flag when preparing for a production release.

        * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
        whether experimental features should be enabled, and use it to properly define the
        feature flag.

2018-06-05  Darin Adler  <darin@apple.com>

        [Cocoa] Update some JavaScriptCore code to be more ready for ARC
        https://bugs.webkit.org/show_bug.cgi?id=186301

        Reviewed by Anders Carlsson.

        * API/JSContext.mm:
        (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
        (-[JSContext setName:]): Removed unnecessary call to copy, since the
        JSStringCreateWithCFString function already reads the characters out
        of the string and does not retain the string, so there is no need to
        make an immutable copy. And used __bridge for typecast.
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        Ditto.

        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
        Use CFBridgingRelease instead of autorelease for a CF dictionary that
        we return as an NSDictionary.

2018-06-04  Keith Miller  <keith_miller@apple.com>

        Remove missing files from JavaScriptCore Xcode project
        https://bugs.webkit.org/show_bug.cgi?id=186297

        Reviewed by Saam Barati.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-06-04  Keith Miller  <keith_miller@apple.com>

        Add test for CoW conversions in the DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=186295

        Reviewed by Saam Barati.

        Add a function to $vm that returns a JSString containing the
        dataLog dump of the indexingMode of an Object.

        * tools/JSDollarVM.cpp:
        (JSC::functionIndexingMode):
        (JSC::JSDollarVM::finishCreation):

2018-06-04  Saam Barati  <sbarati@apple.com>

        Set the activeLength of all ScratchBuffers to zero when exiting the VM
        https://bugs.webkit.org/show_bug.cgi?id=186284
        <rdar://problem/40780738>

        Reviewed by Keith Miller.

        Simon recently found instances where we leak global objects from the
        ScratchBuffer. Yusuke found that we forgot to set the active length
        back to zero when doing catch OSR entry in the DFG/FTL. His solution
        to this was adding a node that cleared the active length. This is
        a good node to have, but it's not a complete solution: the DFG/FTL
        could OSR exit before that node executes, which would cause us to leak
        the data in it.

        This patch makes it so that we set each scratch buffer's active length
        to zero on VM exit. This helps prevent leaks for JS code that eventually
        exits the VM (which is essentially all code on the web and all API users).

        * runtime/VM.cpp:
        (JSC::VM::clearScratchBuffers):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::~VMEntryScope):

2018-06-04  Keith Miller  <keith_miller@apple.com>

        JSLock should clear last exception when releasing the lock
        https://bugs.webkit.org/show_bug.cgi?id=186277

        Reviewed by Mark Lam.

        If we don't clear the last exception, we essentially leak the
        object and everything referenced by it until another exception is
        thrown.

        * runtime/JSLock.cpp:
        (JSC::JSLock::willReleaseLock):

2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
        https://bugs.webkit.org/show_bug.cgi?id=180248

        Reviewed by Sam Weinig.

        As a final step, this patch removes ListableHandler from JSC.
        Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.h:
        * heap/ListableHandler.h: Removed.

2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
        https://bugs.webkit.org/show_bug.cgi?id=186223

        Reviewed by Keith Miller.

        After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
        It makes this buffer a conservative GC root, and allows it to hold GC objects unnecessarily long.

        This patch introduces the DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
        We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
        this ClearCatchLocals valid.

        The existing tests for ExtractCatchLocal just pass.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):

2018-06-02  Darin Adler  <darin@apple.com>

        [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
        https://bugs.webkit.org/show_bug.cgi?id=186227

        Reviewed by Dan Bernstein.

        * API/JSContext.mm:
        (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
        * API/JSValue.mm:
        (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
        (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
        ARC-compatible, but more efficient.
        (valueToString): Use CFBridgingRelease instead of autorelease.

2018-06-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for addition operations
        https://bugs.webkit.org/show_bug.cgi?id=179002

        Reviewed by Yusuke Suzuki.

        This patch implements support for BigInt operands in the binary "+"
        and binary "-" operators. Right now, we have limited support in the DFG
        and FTL JIT layers, but we plan to fix this support in future
        patches.

        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::stringToBigInt):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::add):
        (JSC::JSBigInt::sub):
        (JSC::JSBigInt::absoluteAdd):
        (JSC::JSBigInt::absoluteSub):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::toNumber const):
        (JSC::JSBigInt::getPrimitiveNumber const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsSub):

2018-06-02  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r232439.
        https://bugs.webkit.org/show_bug.cgi?id=186238

        It breaks gtk-linux-32-release (Requested by caiolima on
        #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for addition operations"
        https://bugs.webkit.org/show_bug.cgi?id=179002
        https://trac.webkit.org/changeset/232439

2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        Baseline op_jtrue emits an insane amount of code
        https://bugs.webkit.org/show_bug.cgi?id=185708

        Reviewed by Filip Pizlo.

        op_jtrue / op_jfalse bloat a massive amount of code. This patch attempts to reduce the size of this code by:

        1. op_jtrue / op_jfalse immediately jump if the condition is met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
           to jump directly. This tightens the code.

        2. Align our emitConvertValueToBoolean implementation to FTL's boolify function. It emits less code.

        This reduces the code size of op_jtrue on x64 from 220 bytes to 164 bytes.

        [  12] jtrue             arg1, 6(->18)
              0x7f233170162c: mov 0x30(%rbp), %rax
              0x7f2331701630: mov %rax, %rsi
              0x7f2331701633: xor $0x6, %rsi
              0x7f2331701637: test $0xfffffffffffffffe, %rsi
              0x7f233170163e: jnz 0x7f2331701654
              0x7f2331701644: cmp $0x7, %eax
              0x7f2331701647: setz %sil
              0x7f233170164b: movzx %sil, %esi
              0x7f233170164f: jmp 0x7f2331701705
              0x7f2331701654: test %rax, %r14
              0x7f2331701657: jz 0x7f233170169c
              0x7f233170165d: cmp %r14, %rax
              0x7f2331701660: jb 0x7f2331701675
              0x7f2331701666: test %eax, %eax
              0x7f2331701668: setnz %sil
              0x7f233170166c: movzx %sil, %esi
              0x7f2331701670: jmp 0x7f2331701705
              0x7f2331701675: lea (%r14,%rax), %rsi
              0x7f2331701679: movq %rsi, %xmm0
              0x7f233170167e: xorps %xmm1, %xmm1
              0x7f2331701681: ucomisd %xmm1, %xmm0
              0x7f2331701685: jz 0x7f2331701695
              0x7f233170168b: mov $0x1, %esi
              0x7f2331701690: jmp 0x7f2331701705
              0x7f2331701695: xor %esi, %esi
              0x7f2331701697: jmp 0x7f2331701705
              0x7f233170169c: test %rax, %r15
              0x7f233170169f: jnz 0x7f2331701703
              0x7f23317016a5: cmp $0x1, 0x5(%rax)
              0x7f23317016a9: jnz 0x7f23317016c1
              0x7f23317016af: mov 0x8(%rax), %esi
              0x7f23317016b2: test %esi, %esi
              0x7f23317016b4: setnz %sil
              0x7f23317016b8: movzx %sil, %esi
              0x7f23317016bc: jmp 0x7f2331701705
              0x7f23317016c1: test $0x1, 0x6(%rax)
              0x7f23317016c5: jz 0x7f23317016f9
              0x7f23317016cb: mov (%rax), %esi
              0x7f23317016cd: mov $0x7f23315000c8, %rdx
              0x7f23317016d7: mov (%rdx), %rdx
              0x7f23317016da: mov (%rdx,%rsi,8), %rsi
              0x7f23317016de: mov $0x7f2330de0000, %rdx
              0x7f23317016e8: cmp %rdx, 0x18(%rsi)
              0x7f23317016ec: jnz 0x7f23317016f9
              0x7f23317016f2: xor %esi, %esi
              0x7f23317016f4: jmp 0x7f2331701705
              0x7f23317016f9: mov $0x1, %esi
              0x7f23317016fe: jmp 0x7f2331701705
              0x7f2331701703: xor %esi, %esi
              0x7f2331701705: test %esi, %esi
              0x7f2331701707: jnz 0x7f233170171b

        [  12] jtrue             arg1, 6(->18)
              0x7f6c8710156c: mov 0x30(%rbp), %rax
              0x7f6c87101570: test %rax, %r15
              0x7f6c87101573: jnz 0x7f6c871015c8
              0x7f6c87101579: cmp $0x1, 0x5(%rax)
              0x7f6c8710157d: jnz 0x7f6c87101592
              0x7f6c87101583: cmp $0x0, 0x8(%rax)
              0x7f6c87101587: jnz 0x7f6c87101623
              0x7f6c8710158d: jmp 0x7f6c87101615
              0x7f6c87101592: test $0x1, 0x6(%rax)
              0x7f6c87101596: jz 0x7f6c87101623
              0x7f6c8710159c: mov (%rax), %esi
              0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
              0x7f6c871015a8: mov (%rdx), %rdx
              0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
              0x7f6c871015af: mov $0x7f6c867e0000, %rdx
              0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
              0x7f6c871015bd: jnz 0x7f6c87101623
              0x7f6c871015c3: jmp 0x7f6c87101615
              0x7f6c871015c8: cmp %r14, %rax
              0x7f6c871015cb: jb 0x7f6c871015de
              0x7f6c871015d1: test %eax, %eax
              0x7f6c871015d3: jnz 0x7f6c87101623
              0x7f6c871015d9: jmp 0x7f6c87101615
              0x7f6c871015de: test %rax, %r14
              0x7f6c871015e1: jz 0x7f6c87101602
              0x7f6c871015e7: lea (%r14,%rax), %rsi
              0x7f6c871015eb: movq %rsi, %xmm0
              0x7f6c871015f0: xorps %xmm1, %xmm1
              0x7f6c871015f3: ucomisd %xmm1, %xmm0
              0x7f6c871015f7: jz 0x7f6c87101615
              0x7f6c871015fd: jmp 0x7f6c87101623
              0x7f6c87101602: mov $0x7, %r11
              0x7f6c8710160c: cmp %r11, %rax
              0x7f6c8710160f: jz 0x7f6c87101623

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::branchIfValue):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfTruthy):
        (JSC::AssemblyHelpers::branchIfFalsey):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::addJump):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):

2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove WeakReferenceHarvester
        https://bugs.webkit.org/show_bug.cgi?id=186102

        Reviewed by Filip Pizlo.

        After several cleanups, JSWeakMap is now the last user of WeakReferenceHarvester.
        Since JSWeakMap is already managed in an IsoSubspace, we can iterate marked JSWeakMaps
        by using output constraints & Subspace iteration.

        This patch removes WeakReferenceHarvester. Instead of managing this linked list, our
        output constraint set iterates marked JSWeakMaps by using Subspace.

        We also add locking for JSWeakMap's rehash and output constraint visiting.

        The attached microbenchmark does not show any regression.

        * API/JSAPIWrapperObject.h:
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::endMarking):
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
        * heap/SlotVisitor.h:
        * heap/WeakReferenceHarvester.h: Removed.
        * runtime/WeakMapImpl.cpp:
        (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitOutputConstraints):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences): Deleted.
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences): Deleted.
        * runtime/WeakMapImpl.h:
        (JSC::WeakMapImpl::WeakMapImpl):
        (JSC::WeakMapImpl::finishCreation):
        (JSC::WeakMapImpl::rehash):
        (JSC::WeakMapImpl::makeAndSetNewBuffer):
        (JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.

2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Object.create should have an intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=186200

        Reviewed by Filip Pizlo.

        Object.create is used in various JS code. `Object.create(null)` is particularly used
        to create an empty plain object with a null [[Prototype]]. We can find `Object.create(null)`
        calls in ARES-6/Babylon code.

        This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces an ObjectCreate
        DFG node. DFG AI and constant folding attempt to convert it to NewObject when the prototype
        object is null. It offers a significant performance boost for `Object.create(null)`.

                                                         baseline                  patched

        object-create-null                           53.7940+-1.5297     ^     19.8846+-0.6584        ^ definitely 2.7053x faster
        object-create-unknown-object-prototype       38.9977+-1.1364     ^     37.2207+-0.6143        ^ definitely 1.0477x faster
        object-create-untyped-prototype              22.5632+-0.6917           22.2539+-0.6876          might be 1.0139x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToNewObject):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectCreate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::nullPrototypeObjectStructure const):
        * runtime/ObjectConstructor.cpp:
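
What the `Object.create(null)` idiom in the entry above gives its callers, as an added JavaScript example (not JavaScriptCore code and not part of the ChangeLog; the helper names `makeNullProtoDict`, `makeLiteralDict`, `lookup` and `protoChangedByKey` are chosen here): an object whose [[Prototype]] is null inherits nothing, so a dictionary lookup for a key such as `constructor` or `__proto__` only ever sees the object's own properties, and assigning a `__proto__` key creates an own property instead of changing the prototype, which is the reason the idiom is common in parser and dictionary code like the Babylon case the entry mentions.

```javascript
// Added example: the null-[[Prototype]] behaviour of Object.create(null).
// Not JavaScriptCore code; helper names are chosen for this example.

// Build a dictionary from [key, value] entries on a null-prototype object.
function makeNullProtoDict(entries) {
  const dict = Object.create(null); // nothing is inherited from Object.prototype
  for (const [key, value] of entries) dict[key] = value;
  return dict;
}

// Build the same dictionary on an ordinary object literal, for comparison.
function makeLiteralDict(entries) {
  const dict = {};
  for (const [key, value] of entries) dict[key] = value;
  return dict;
}

// Report where a key resolves: 'own', 'inherited' (via the prototype chain)
// or 'missing'. hasOwnProperty is called through Object.prototype because a
// null-prototype object has no such method of its own.
function lookup(dict, key) {
  if (Object.prototype.hasOwnProperty.call(dict, key)) return 'own';
  if (key in dict) return 'inherited';
  return 'missing';
}

// Does assigning a "__proto__" key change the prototype of the dictionary?
// On a literal it does (the Object.prototype.__proto__ accessor runs); on a
// null-prototype object it just creates an own property named "__proto__".
function protoChangedByKey(dict) {
  const before = Object.getPrototypeOf(dict);
  dict['__proto__'] = { injected: true };
  return Object.getPrototypeOf(dict) !== before;
}
```

`lookup` is the check a practitioner wants when a dictionary is keyed by untrusted strings: on the literal, `constructor` resolves to `Object` through the prototype chain, while on the null-prototype object it is simply missing.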

2018-06-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for addition operations
        https://bugs.webkit.org/show_bug.cgi?id=179002