7a7797bda828de3060345e0a684fdf6b2f60f5a5
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Fold GetByVal if the indexed value is non configurable and non writable
        https://bugs.webkit.org/show_bug.cgi?id=186462

        Reviewed by Saam Barati.

        Non-special DontDelete | ReadOnly properties mean that the value won't be changed. If DFG AI can retrieve this
        property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
        Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.

        This patch attempts to fold such properties into a constant in DFG AI. The challenge is that DFG AI runs
        concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
        and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
        attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
        changed and we can safely use it. We arrange our existing code to use this protocol.

        Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled on the x86 architecture
        since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only on x86.

        This patch improves SixSpeed/template_string_tag.es6.

                                          baseline                  patched

        template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        (JSC::JSObject::putIndexedDescriptor): Deleted.
        * runtime/JSObject.h:
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::SparseArrayValueMap):
        (JSC::SparseArrayValueMap::add):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::SparseArrayValueMap::getConcurrently):
        (JSC::SparseArrayEntry::get const):
        (JSC::SparseArrayEntry::getConcurrently const):
        (JSC::SparseArrayEntry::put):
        (JSC::SparseArrayEntry::getNonSparseMode const):
        (JSC::SparseArrayValueMap::visitChildren):
        (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
        * runtime/SparseArrayValueMap.h:
        (JSC::SparseArrayEntry::SparseArrayEntry):
        (JSC::SparseArrayEntry::attributes const):
        (JSC::SparseArrayEntry::forceSet):
        (JSC::SparseArrayEntry::asValue):

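As an added illustration of the value-then-attributes publish protocol the entry above describes (example code, not WebKit's SparseArrayValueMap): std::atomic_thread_fence stands in for WTF::storeStoreFence / WTF::loadLoadFence, and the type names, function names and attribute bit values are assumptions made for this example.

```cpp
// Added example, not WebKit code: a minimal model of the protocol in which the
// mutator writes a property's value, fences, then writes its attributes, and a
// concurrent compiler thread reads attributes, fences, then reads the value.
// Names and attribute bit values are illustrative, not JSC's.
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <optional>

// Illustrative property attribute bits (constructed for this example).
enum Attr : uint8_t {
    AttrNone       = 0,
    AttrReadOnly   = 1 << 1,
    AttrDontDelete = 1 << 3,
    AttrAccessor   = 1 << 4,   // "special": getter/setter pair, never foldable
};

// One sparse-map entry: value and attributes live in separate words, so the
// pair is not written atomically and needs the ordering below.
struct SparseEntry {
    std::atomic<int64_t> value{0};
    std::atomic<uint8_t> attributes{AttrNone};
};

// Mutator side: value first, store-store fence, then attributes. Anyone who
// observes the attributes is then guaranteed to observe the value too.
void publishEntry(SparseEntry& e, int64_t value, uint8_t attributes) {
    e.value.store(value, std::memory_order_relaxed);
    std::atomic_thread_fence(std::memory_order_release);   // storeStoreFence analogue
    e.attributes.store(attributes, std::memory_order_relaxed);
}

// A later write by the mutator, permitted only while the property is writable.
// Returns false when the entry is already ReadOnly.
bool tryOverwriteEntry(SparseEntry& e, int64_t value) {
    if (e.attributes.load(std::memory_order_relaxed) & AttrReadOnly)
        return false;
    e.value.store(value, std::memory_order_relaxed);
    return true;
}

// Compiler-thread side: attributes, load-load fence, then value. A value is
// returned only if it can never change again (non-accessor, DontDelete and
// ReadOnly); otherwise the caller must not constant-fold it.
std::optional<int64_t> getConcurrently(const SparseEntry& e) {
    uint8_t attrs = e.attributes.load(std::memory_order_relaxed);
    std::atomic_thread_fence(std::memory_order_acquire);   // loadLoadFence analogue
    constexpr uint8_t frozen = AttrReadOnly | AttrDontDelete;
    if (attrs & AttrAccessor)
        return std::nullopt;
    if ((attrs & frozen) != frozen)
        return std::nullopt;
    return e.value.load(std::memory_order_relaxed);
}

// Sequential walk through the states a reader can observe. In the engine the
// reader and writer are different threads; here the steps run in order so the
// outcome is deterministic.
struct Outcome {
    bool foldableWhileWritable;
    bool foldableAfterFreeze;
    int64_t foldedValue;
    bool overwriteRefusedAfterFreeze;
    bool accessorFoldable;
};

Outcome runScenario() {
    Outcome out{};
    SparseEntry entry;
    publishEntry(entry, 41, AttrNone);                        // plain writable property
    out.foldableWhileWritable = getConcurrently(entry).has_value();
    tryOverwriteEntry(entry, 42);                             // still allowed
    publishEntry(entry, 42, AttrReadOnly | AttrDontDelete);   // freeze: value then attributes
    std::optional<int64_t> folded = getConcurrently(entry);
    out.foldableAfterFreeze = folded.has_value();
    out.foldedValue = folded.value_or(-1);
    out.overwriteRefusedAfterFreeze = !tryOverwriteEntry(entry, 99);

    SparseEntry accessor;                                     // frozen accessor: still not foldable
    publishEntry(accessor, 7, AttrAccessor | AttrReadOnly | AttrDontDelete);
    out.accessorFoldable = getConcurrently(accessor).has_value();
    return out;
}

int main() {
    Outcome o = runScenario();
    std::printf("writable foldable: %d, frozen foldable: %d (value %lld), overwrite refused: %d, accessor foldable: %d\n",
                o.foldableWhileWritable, o.foldableAfterFreeze, (long long)o.foldedValue,
                o.overwriteRefusedAfterFreeze, o.accessorFoldable);
    return 0;
}
```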
2018-06-02  Filip Pizlo  <fpizlo@apple.com>

        We should support CreateThis in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=164904

        Reviewed by Yusuke Suzuki.

        This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
        inference adventure.

        CreateThis in the FTL was a massive regression in raytrace because it disturbed that
        benchmark's extremely perverse way of winning at type inference:

        - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
          the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
          benchmark was falling back to other mechanisms...

        - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
          see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
          GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
          that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
          The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
          is larger than our polymorphic list limit (limit = 8, case count = 13, I think).

          Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
          into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
          baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
          helper because it had a CreateThis.

        - Compilations that inlined the construction helper would have gotten super lucky with
          parse-time constant folding, so they knew what structure the input to the get_by_id would
          have at parse time. This is only profitable if the get_by_id parsing computed a
          GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
          the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
          cases, we would indeed get a finite number of cases. The parser would then prune those
          cases to just one - based on its knowledge of the structure - and that would result in that
          get_by_id being folded at parse time to a constant.

        - The subsequent op_call would inline based on parse-time knowledge of that constant.

        This patch comprehensively fixes these issues, as well as other issues that come up along the
        way. The short version is that raytrace was revealing sloppiness in our use of profiling for
        type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
        i.e. the profiling that considers call context. I was encouraged to do this by the fact that
        even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
        Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
        attack raytrace's problem as a shortcoming of polyvariant profiling.

        - Polyvariant profiling now consults every DFG or FTL code block that participated in any
          subset of the inline stack that includes the IC we're profiling. For example, if we have
          an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
          compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
          up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
          a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
          polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
          from polyvariant profiling. Previously, the polyvariant profiler would only look at the
          previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
          had inlined bar and then baz. It may not have done that, because those calls could have
          required polyvariant profiling that was only available in the FTL.

        - A particularly interesting case is when some IC in foo-baseline is also available in
          foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
          In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
          the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
          find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
          merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
          because it warns us of historical polymorphism. Historical polymorphism usually means
          future polymorphism. IC status code already had some merging functionality, but I needed to
          beef it up a lot to make this work right.

        - Inlining an inline cache now preserves as much information as profiling. One challenge of
          polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
          inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
          (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
          say "I don't have such an IC". At this point the DFG compilation that included that IC that
          gave us the information that we used to inline the IC is no longer alive. To keep us from
          losing the information we learned about the IC, there is now a RecordedStatuses data
          structure that preserves the statuses we use for inlining ICs. We also filter those
          statuses according to things we learn from AI. This further reduces the risk of information
          about an IC being forgotten.

        - Exit profiling now considers whether or not an exit happened from inline code. This
          protects us in the case where the not-inlined version of an IC exited a lot because of
          polymorphism that doesn't exist in the inlined version. So, when using polyvariant
          profiling data, we consider only inlined exits.

        - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
          would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
          surprising that we've had this bug.

        Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
        microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
        Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
        prototype access folding in the bytecode parser and constant folder. That would require some
        significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
        have a test that captures raytrace's behavior in the case that the parser cannot fold the
        get_by_id.

        This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
        recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
        compile time regression anytime we fill in FTL coverage.

        This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
        speeds up and that raytrace slows down, but these changes balance out and don't affect the
        overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
        or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
        0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
        see a significant difference. In all three cases the difference is <0.5% with a high p value,
        with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
        an insignificant infinitesimal slow-down.

        Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
        eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
        flow in a polymorphic constructor while having a bad time, and we'll still compile it.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/ByValInfo.h:
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<Block>::printCallOp):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeDumper.h:
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeExitSiteData):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::accountForExits):
        (JSC::CallLinkStatus::finalize):
        (JSC::CallLinkStatus::filter):
        (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::operator bool const):
        (JSC::CallLinkStatus::operator! const): Deleted.
        * bytecode/CallVariant.cpp:
        (JSC::CallVariant::finalize):
        (JSC::CallVariant::filter):
        * bytecode/CallVariant.h:
        (JSC::CallVariant::operator bool const):
        (JSC::CallVariant::operator! const): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::getICStatusMap):
        (JSC::CodeBlock::resetJITData):
        (JSC::CodeBlock::getStubInfoMap): Deleted.
        (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
        (JSC::CodeBlock::getByValInfoMap): Deleted.
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::isApproximatelyEqualTo const):
        (JSC::CodeOrigin::approximateHash const):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::exitingInlineKind const):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::FrequentExitSite::dump const):
        (JSC::DFG::ExitProfile::add):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::FrequentExitSite::FrequentExitSite):
        (JSC::DFG::FrequentExitSite::operator== const):
        (JSC::DFG::FrequentExitSite::subsumes const):
        (JSC::DFG::FrequentExitSite::hash const):
        (JSC::DFG::FrequentExitSite::inlineKind const):
        (JSC::DFG::FrequentExitSite::withInlineKind const):
        (JSC::DFG::QueryableExitProfile::hasExitSite const):
        (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
        (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
        * bytecode/ExitFlag.cpp: Added.
        (JSC::ExitFlag::dump const):
        * bytecode/ExitFlag.h: Added.
        (JSC::ExitFlag::ExitFlag):
        (JSC::ExitFlag::operator| const):
        (JSC::ExitFlag::operator|=):
        (JSC::ExitFlag::operator& const):
        (JSC::ExitFlag::operator&=):
        (JSC::ExitFlag::operator bool const):
        (JSC::ExitFlag::isSet const):
        * bytecode/ExitingInlineKind.cpp: Added.
        (WTF::printInternal):
        * bytecode/ExitingInlineKind.h: Added.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::slowVersion const):
        (JSC::GetByIdStatus::markIfCheap):
        (JSC::GetByIdStatus::finalize):
        (JSC::GetByIdStatus::hasExitSite): Deleted.
        * bytecode/GetByIdStatus.h:
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::markIfCheap):
        (JSC::GetByIdVariant::finalize):
        * bytecode/GetByIdVariant.h:
        * bytecode/ICStatusMap.cpp: Added.
        (JSC::ICStatusContext::get const):
        (JSC::ICStatusContext::isInlined const):
        (JSC::ICStatusContext::inlineKind const):
        * bytecode/ICStatusMap.h: Added.
        * bytecode/ICStatusUtils.cpp: Added.
        (JSC::hasBadCacheExitSite):
        * bytecode/ICStatusUtils.h:
        * bytecode/InstanceOfStatus.cpp:
        (JSC::InstanceOfStatus::computeFor):
        * bytecode/InstanceOfStatus.h:
        * bytecode/PolyProtoAccessChain.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::hasExitSite):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::slowVersion const):
        (JSC::PutByIdStatus::markIfCheap):
        (JSC::PutByIdStatus::finalize):
        (JSC::PutByIdStatus::filter):
        * bytecode/PutByIdStatus.h:
        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::markIfCheap):
        (JSC::PutByIdVariant::finalize):
        * bytecode/PutByIdVariant.h:
        (JSC::PutByIdVariant::structureSet const):
        * bytecode/RecordedStatuses.cpp: Added.
        (JSC::RecordedStatuses::operator=):
        (JSC::RecordedStatuses::RecordedStatuses):
        (JSC::RecordedStatuses::addCallLinkStatus):
        (JSC::RecordedStatuses::addGetByIdStatus):
        (JSC::RecordedStatuses::addPutByIdStatus):
        (JSC::RecordedStatuses::markIfCheap):
        (JSC::RecordedStatuses::finalizeWithoutDeleting):
        (JSC::RecordedStatuses::finalize):
        (JSC::RecordedStatuses::shrinkToFit):
        * bytecode/RecordedStatuses.h: Added.
        (JSC::RecordedStatuses::RecordedStatuses):
        (JSC::RecordedStatuses::forEachVector):
        * bytecode/StructureSet.cpp:
        (JSC::StructureSet::markIfCheap const):
        (JSC::StructureSet::isStillAlive const):
        * bytecode/StructureSet.h:
        * bytecode/TerminatedCodeOrigin.h: Added.
        (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
        (JSC::TerminatedCodeOriginHashTranslator::hash):
        (JSC::TerminatedCodeOriginHashTranslator::equal):
        * bytecode/Watchpoint.cpp:
        (WTF::printInternal):
        * bytecode/Watchpoint.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGCommonData.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasCallLinkStatus):
        (JSC::DFG::Node::callLinkStatus):
        (JSC::DFG::Node::hasGetByIdStatus):
        (JSC::DFG::Node::getByIdStatus):
        (JSC::DFG::Node::hasPutByIdStatus):
        (JSC::DFG::Node::putByIdStatus):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::finalizeInGC):
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::removeDeadPlans):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus):
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallStubRoutine::hasEdges const):
        (JSC::PolymorphicCallStubRoutine::edges const):
        * jit/PolymorphicCallStubRoutine.h:
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        * runtime/Options.h:

2018-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function
        https://bugs.webkit.org/show_bug.cgi?id=187472

        Reviewed by Mark Lam.

        std::function allocates memory from standard malloc instead of bmalloc. Instead of
        using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}.

        This patch attempts to replace std::function with the above WTF function types.
        If the function's lifetime can be the same as the stack's, we can use ScopedLambda, which
        is really efficient. Otherwise, we should use WTF::Function.
        For recurring use cases, we can use RecursableLambda.

        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        * b3/air/AirDisassembler.cpp:
        (JSC::B3::Air::Disassembler::dump):
        * b3/air/AirDisassembler.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json):
        * heap/HeapSnapshotBuilder.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::dump const):
        * interpreter/StackVisitor.h:
        * runtime/PromiseDeferredTimer.h:
        * runtime/VM.cpp:
        (JSC::VM::whenIdle):
        (JSC::enableProfilerWithRespectToCount):
        (JSC::disableProfilerWithRespectToCount):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::addDidPopListener):
        * runtime/VMEntryScope.h:
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::verifyCellList):
        (JSC::HeapVerifier::validateCell):
        (JSC::HeapVerifier::validateJSCell):
        * tools/HeapVerifier.h:

2018-07-20  Michael Saboff  <msaboff@apple.com>

        DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
        https://bugs.webkit.org/show_bug.cgi?id=187827
        rdar://problem/42146858

        Reviewed by Saam Barati.

        When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
        that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
        We can't end up with other shapes, Int32, Double, etc. because GenericArguments sets
        InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero, which will cause us to go down a
        putByIndex() path that doesn't change the shape.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):

2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Fold GetByVal if Array is CoW
        https://bugs.webkit.org/show_bug.cgi?id=186459

        Reviewed by Saam Barati.

        CoW indexing type means that we now track the changes in CoW Array by structure. So DFG has a chance to
        fold GetByVal if the given array is CoW. This patch folds GetByVal onto the CoW Array. If the structure
        is watched and the butterfly is JSImmutableButterfly, we can load the value from this butterfly.

        This can be useful since these CoW arrays are used as storage for constants. Constant-indexed access
        to these constant arrays can be folded into an actual constant by this patch.

                                           baseline                  patched

        template_string.es6          4993.9853+-147.5308   ^    824.1685+-44.1839       ^ definitely 6.0594x faster
        template_string_tag.es5        67.0822+-2.0100     ^      9.3540+-0.5376        ^ definitely 7.1715x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=186602

        Reviewed by Saam Barati.

        JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
        change the part of the butterfly, length etc. We prove that our procedure is safe, and
        drop the cellLock() here.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertContiguousToArrayStorage):

2018-07-20  Saam Barati  <sbarati@apple.com>

        CompareEq should be using KnownOtherUse instead of OtherUse
        https://bugs.webkit.org/show_bug.cgi?id=186814
        <rdar://problem/39720030>

        Reviewed by Filip Pizlo.

        CompareEq in fixup phase was doing this:
        insertCheck(child, OtherUse)
        setUseKind(child, OtherUse)
        And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
        lead to edge verification crashing because a phase may optimize the check out
        by removing the node. However, AI may not be privy to that optimization, and
        AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
        backend to actually emit a check here, but it does not.

        This exact pattern is why we have KnownXYZ use kinds. This patch introduces
        KnownOtherUse and changes the above pattern to be:
        insertCheck(child, OtherUse)
        setUseKind(child, KnownOtherUse)

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::shouldNotHaveTypeCheck):
        (JSC::DFG::checkMayCrashIfInputIsEmpty):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):

2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] A bit performance improvement for Object.assign by cleaning up code
        https://bugs.webkit.org/show_bug.cgi?id=187852

        Reviewed by Saam Barati.

        We clean up Object.assign code a bit.

        1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
        2. canDoFastPath is not necessary. Restructuring the code to clean up things.

        It improves the performance a bit.

                                    baseline                  patched

        object-assign.es6      237.7719+-5.5175          231.2856+-4.6907          might be 1.0280x faster

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):

2018-07-19  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
        https://bugs.webkit.org/show_bug.cgi?id=187798

        Reviewed by Michael Catanzaro.

        Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
        jsc_value_new_object() because indeed we are creating a new object. This makes the destroy function and vtable
        functions work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
        patch adds JSAPIWrapperGlobalObject for that.

        * API/glib/JSAPIWrapperGlobalObject.cpp: Added.
        (jsAPIWrapperGlobalObjectHandleOwner):
        (JSAPIWrapperGlobalObjectHandleOwner::finalize):
        (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
        (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
        (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
        (JSC::JSAPIWrapperGlobalObject::finishCreation):
        (JSC::JSAPIWrapperGlobalObject::visitChildren):
        * API/glib/JSAPIWrapperGlobalObject.h: Added.
        (JSC::JSAPIWrapperGlobalObject::wrappedObject const):
        (JSC::JSAPIWrapperGlobalObject::setWrappedObject):
        * API/glib/JSCClass.cpp:
        (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
        (wrappedObjectClass): Return the class of a wrapped object.
        (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
        scope extension global object is used instead.
        (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
        (setProperty): Ditto.
        (hasProperty): Ditto.
        (deleteProperty): Ditto.
        (getPropertyNames): Ditto.
        (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
        * API/glib/JSCClassPrivate.h:
        * API/glib/JSCContext.cpp:
        (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
        (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
        * API/glib/JSCContext.h:
        * API/glib/JSCContextPrivate.h:
        * API/glib/JSCWrapperMap.cpp:
        (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
        when a JSCClass is used to create the JSAPIWrapperGlobalObject.
        (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
        * API/glib/JSCWrapperMap.h:
        * GLib.cmake:

605 2018-07-19  Saam Barati  <sbarati@apple.com>
606
607         Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
608         https://bugs.webkit.org/show_bug.cgi?id=187836
609         <rdar://problem/42409527>
610
611         Reviewed by Mark Lam.
612
613         We have crash reports that we're crashing on source->getDirect in Object.assign's
614         fast path. Mark investigated this and determined we end up with a nullptr for
615         butterfly. This is curious, because source's Structure indicated that it has
616         out of line properties. My leading hypothesis for this at the moment is a bit
617         handwavy, but it's essentially:
618         - We end up firing a watchpoint when assigning to the target (this can happen
619         if a watchpoint was set up for storing to that particular field)
620         - When we fire that watchpoint, we end up doing some kind of work on the source,
621         perhaps causing it to flattenDictionaryStructure. Therefore, we end up
622         mutating source.
623         
624         I'm not super convinced this is what we're running into, but just by reading
625         the code, I think it needs to be something similar to this. Seeing if this change
626         fixes the crasher will give us good data to determine if something like this is
627         happening or if the bug is something else entirely.
628
629         * runtime/ObjectConstructor.cpp:
630         (JSC::objectConstructorAssign):
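
        The entry above contrasts the spec's per-key load/store order with a load-everything-then-store-everything
        protocol. The following is an added example, not JSC code: it implements both protocols in plain JavaScript,
        runs them against a constructed source/target pair in which storing one property mutates the source, and
        runs the engine's own Object.assign as the reference for spec order. It shows why the two-phase protocol is
        only a safe substitute for the spec order when no user code can run between the loads and the stores.

```javascript
// Added example, not JSC code: a spec-order (interleaved) copy beside a
// "load everything, then store everything" copy, to show where the two
// protocols diverge once user code can run between a load and a store.

// Spec order: for each key, read it from source and immediately write it to target.
function assignInterleaved(target, source) {
  for (const key of Reflect.ownKeys(source)) {
    const desc = Object.getOwnPropertyDescriptor(source, key);
    if (desc === undefined || !desc.enumerable) continue; // deleted or non-enumerable
    target[key] = source[key];
  }
  return target;
}

// Two-phase: read every enumerable own property first, then perform all the stores.
function assignTwoPhase(target, source) {
  const loaded = [];
  for (const key of Reflect.ownKeys(source)) {
    const desc = Object.getOwnPropertyDescriptor(source, key);
    if (desc === undefined || !desc.enumerable) continue;
    loaded.push([key, source[key]]);
  }
  for (const [key, value] of loaded) target[key] = value;
  return target;
}

// Constructed input: storing "a" into the target runs a setter that mutates the
// source by deleting "b". This is the kind of mutation-during-assign that a
// two-phase protocol is insensitive to and the spec order is not.
function makeTarget(source) {
  return {
    set a(value) {
      delete source.b;
      this.storedA = value;
    },
  };
}

function compareProtocols() {
  const results = {};
  for (const [name, assign] of [
    ['interleaved', assignInterleaved],
    ['twoPhase', assignTwoPhase],
    ['builtin', Object.assign],
  ]) {
    const source = { a: 1, b: 2 };
    const target = makeTarget(source);
    assign(target, source);
    results[name] = target.b; // 2 if "b" was copied, undefined if it was skipped
  }
  return results;
}
// compareProtocols() → { interleaved: undefined, twoPhase: 2, builtin: undefined }
```

        The interleaved copy and the built-in both skip "b" because it no longer exists when its turn comes; the
        two-phase copy has already loaded it and stores it anyway. An engine fast path that loads everything first
        therefore has to be restricted to cases where nothing observable can run in between.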
631
632 2018-07-19  Commit Queue  <commit-queue@webkit.org>
633
634         Unreviewed, rolling out r233998.
635         https://bugs.webkit.org/show_bug.cgi?id=187815
636
637         Not needed. (Requested by mlam|a on #webkit).
638
639         Reverted changeset:
640
641         "Temporarily mitigate a bug where a source provider is null
642         when it shouldn't be."
643         https://bugs.webkit.org/show_bug.cgi?id=187812
644         https://trac.webkit.org/changeset/233998
645
646 2018-07-19  Mark Lam  <mark.lam@apple.com>
647
648         Temporarily mitigate a bug where a source provider is null when it shouldn't be.
649         https://bugs.webkit.org/show_bug.cgi?id=187812
650         <rdar://problem/41192691>
651
652         Reviewed by Michael Saboff.
653
654         Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.
655
656         * runtime/Error.cpp:
657         (JSC::addErrorInfo):
658
659 2018-07-19  Keith Rollin  <krollin@apple.com>
660
661         Adjust WEBCORE_EXPORT annotations for LTO
662         https://bugs.webkit.org/show_bug.cgi?id=187781
663         <rdar://problem/42351124>
664
665         Reviewed by Alex Christensen.
666
667         Continuation of Bug 186944. This bug addresses issues not caught
668         during the first pass of adjustments. The initial work focussed on
669         macOS; this one addresses issues found when building for iOS. From
670         186944:
671
672         Adjust a number of places that result in WebKit's
673         'check-for-weak-vtables-and-externals' script reporting weak external
674         symbols:
675
676             ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
677             ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
678             ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
679             ...
680
681         These cases are caused by inline methods being marked with WTF_EXPORT
682         (or related macro) or with an inline function being in a class marked
683         as such, and when enabling LTO builds.
684
685         For the most part, address these by removing the WEBCORE_EXPORT
686         annotation from inline methods. In some cases, move the implementation
687         out-of-line because it's the class that has the WEBCORE_EXPORT on it
688         and removing the annotation from the class would be too disruptive.
689         Finally, in other cases, move the implementation out-of-line because
690         check-for-weak-vtables-and-externals still complains when keeping the
691         implementation inline and removing the annotation; this seems to
692         typically (but not always) happen with destructors.
693
694         * inspector/remote/RemoteAutomationTarget.cpp:
695         (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
696         * inspector/remote/RemoteAutomationTarget.h:
697         * inspector/remote/RemoteInspector.cpp:
698         (Inspector::RemoteInspector::Client::~Client):
699         * inspector/remote/RemoteInspector.h:
700
701 2018-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
702
703         Unreviewed, check scope after performing getPropertySlot in JSON.stringify
704         https://bugs.webkit.org/show_bug.cgi?id=187807
705
706         Properly putting EXCEPTION_ASSERT to tell our exception checker mechanism
707         that we know about the exception occurrence and handle it well.
708
709         * runtime/JSONObject.cpp:
710         (JSC::Stringifier::Holder::appendNextProperty):
711
712 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
713
714         [JSC] Reduce size of AST nodes
715         https://bugs.webkit.org/show_bug.cgi?id=187689
716
717         Reviewed by Mark Lam.
718
719         We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
720         of ParserArena at peak state.
721
722         1. Annotate `final` to AST nodes to make them solid. And it allows the compiler to
723         devirtualize a call to a function which is implemented in a final class.
724
725         2. Use default member initializers more.
726
727         3. And use `nullptr` instead of `0`.
728
729         4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
730         of classes in multiple inheritance. In particular, StatementNode is decreased from 48
731         to 40. This decreases the sizes of all the derived Statement nodes.
732
733         * parser/NodeConstructors.h:
734         (JSC::Node::Node):
735         (JSC::StatementNode::StatementNode):
736         (JSC::ElementNode::ElementNode):
737         (JSC::ArrayNode::ArrayNode):
738         (JSC::PropertyListNode::PropertyListNode):
739         (JSC::ObjectLiteralNode::ObjectLiteralNode):
740         (JSC::ArgumentListNode::ArgumentListNode):
741         (JSC::ArgumentsNode::ArgumentsNode):
742         (JSC::NewExprNode::NewExprNode):
743         (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
744         (JSC::BinaryOpNode::BinaryOpNode):
745         (JSC::LogicalOpNode::LogicalOpNode):
746         (JSC::CommaNode::CommaNode):
747         (JSC::SourceElements::SourceElements):
748         (JSC::ClauseListNode::ClauseListNode):
749         * parser/Nodes.cpp:
750         (JSC::FunctionMetadataNode::FunctionMetadataNode):
751         (JSC::FunctionMetadataNode::operator== const):
752         (JSC::FunctionMetadataNode::dump const):
753         * parser/Nodes.h:
754         (JSC::BooleanNode::value): Deleted.
755         (JSC::StringNode::value): Deleted.
756         (JSC::TemplateExpressionListNode::value): Deleted.
757         (JSC::TemplateExpressionListNode::next): Deleted.
758         (JSC::TemplateStringNode::cooked): Deleted.
759         (JSC::TemplateStringNode::raw): Deleted.
760         (JSC::TemplateStringListNode::value): Deleted.
761         (JSC::TemplateStringListNode::next): Deleted.
762         (JSC::TemplateLiteralNode::templateStrings const): Deleted.
763         (JSC::TemplateLiteralNode::templateExpressions const): Deleted.
764         (JSC::TaggedTemplateNode::templateLiteral const): Deleted.
765         (JSC::ResolveNode::identifier const): Deleted.
766         (JSC::ElementNode::elision const): Deleted.
767         (JSC::ElementNode::value): Deleted.
768         (JSC::ElementNode::next): Deleted.
769         (JSC::ArrayNode::elements const): Deleted.
770         (JSC::PropertyNode::expressionName const): Deleted.
771         (JSC::PropertyNode::name const): Deleted.
772         (JSC::PropertyNode::type const): Deleted.
773         (JSC::PropertyNode::needsSuperBinding const): Deleted.
774         (JSC::PropertyNode::isClassProperty const): Deleted.
775         (JSC::PropertyNode::isStaticClassProperty const): Deleted.
776         (JSC::PropertyNode::isInstanceClassProperty const): Deleted.
777         (JSC::PropertyNode::isOverriddenByDuplicate const): Deleted.
778         (JSC::PropertyNode::setIsOverriddenByDuplicate): Deleted.
779         (JSC::PropertyNode::putType const): Deleted.
780         (JSC::BracketAccessorNode::base const): Deleted.
781         (JSC::BracketAccessorNode::subscript const): Deleted.
782         (JSC::BracketAccessorNode::subscriptHasAssignments const): Deleted.
783         (JSC::DotAccessorNode::base const): Deleted.
784         (JSC::DotAccessorNode::identifier const): Deleted.
785         (JSC::SpreadExpressionNode::expression const): Deleted.
786         (JSC::ObjectSpreadExpressionNode::expression const): Deleted.
787         (JSC::BytecodeIntrinsicNode::type const): Deleted.
788         (JSC::BytecodeIntrinsicNode::emitter const): Deleted.
789         (JSC::BytecodeIntrinsicNode::identifier const): Deleted.
790         (JSC::TypeOfResolveNode::identifier const): Deleted.
791         (JSC::BitwiseNotNode::expr): Deleted.
792         (JSC::BitwiseNotNode::expr const): Deleted.
793         (JSC::AssignResolveNode::identifier const): Deleted.
794         (JSC::ExprStatementNode::expr const): Deleted.
795         (JSC::ForOfNode::isForAwait const): Deleted.
796         (JSC::ReturnNode::value): Deleted.
797         (JSC::ProgramNode::startColumn const): Deleted.
798         (JSC::ProgramNode::endColumn const): Deleted.
799         (JSC::EvalNode::startColumn const): Deleted.
800         (JSC::EvalNode::endColumn const): Deleted.
801         (JSC::ModuleProgramNode::startColumn const): Deleted.
802         (JSC::ModuleProgramNode::endColumn const): Deleted.
803         (JSC::ModuleProgramNode::moduleScopeData): Deleted.
804         (JSC::ModuleNameNode::moduleName): Deleted.
805         (JSC::ImportSpecifierNode::importedName): Deleted.
806         (JSC::ImportSpecifierNode::localName): Deleted.
807         (JSC::ImportSpecifierListNode::specifiers const): Deleted.
808         (JSC::ImportSpecifierListNode::append): Deleted.
809         (JSC::ImportDeclarationNode::specifierList const): Deleted.
810         (JSC::ImportDeclarationNode::moduleName const): Deleted.
811         (JSC::ExportAllDeclarationNode::moduleName const): Deleted.
812         (JSC::ExportDefaultDeclarationNode::declaration const): Deleted.
813         (JSC::ExportDefaultDeclarationNode::localName const): Deleted.
814         (JSC::ExportLocalDeclarationNode::declaration const): Deleted.
815         (JSC::ExportSpecifierNode::exportedName): Deleted.
816         (JSC::ExportSpecifierNode::localName): Deleted.
817         (JSC::ExportSpecifierListNode::specifiers const): Deleted.
818         (JSC::ExportSpecifierListNode::append): Deleted.
819         (JSC::ExportNamedDeclarationNode::specifierList const): Deleted.
820         (JSC::ExportNamedDeclarationNode::moduleName const): Deleted.
821         (JSC::ArrayPatternNode::appendIndex): Deleted.
822         (JSC::ObjectPatternNode::appendEntry): Deleted.
823         (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
824         (JSC::ObjectPatternNode::setContainsComputedProperty): Deleted.
825         (JSC::DestructuringAssignmentNode::bindings): Deleted.
826         (JSC::FunctionParameters::size const): Deleted.
827         (JSC::FunctionParameters::append): Deleted.
828         (JSC::FunctionParameters::isSimpleParameterList const): Deleted.
829         (JSC::FuncDeclNode::metadata): Deleted.
830         (JSC::CaseClauseNode::expr const): Deleted.
831         (JSC::CaseClauseNode::setStartOffset): Deleted.
832         (JSC::ClauseListNode::getClause const): Deleted.
833         (JSC::ClauseListNode::getNext const): Deleted.
834         * runtime/ExceptionHelpers.cpp:
835         * runtime/JSObject.cpp:
836
837 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
838
839         JSON.stringify should emit non own properties if second array argument includes
840         https://bugs.webkit.org/show_bug.cgi?id=187724
841
842         Reviewed by Mark Lam.
843
844         According to the spec[1], JSON.stringify needs to retrieve properties by using [[Get]],
845         instead of [[GetOwnProperty]]. It means that we would look up properties defined
846         in [[Prototype]] or upper objects in the prototype chain. While enumeration is done
847         by using EnumerableOwnPropertyNames typically, we can pass a replacer array including
848         property names which do not reside in the own properties. Or we can modify the
849         own properties by deleting properties while JSON.stringify is calling a getter. So,
850         using [[Get]] instead of [[GetOwnProperty]] is user-visible.
851
852         This patch changes getOwnPropertySlot to getPropertySlot to align the behavior to the spec.
853         The performance of Kraken/json-stringify-tinderbox is neutral.
854
855         [1]: https://tc39.github.io/ecma262/#sec-serializejsonproperty
856
857         * runtime/JSONObject.cpp:
858         (JSC::Stringifier::toJSON):
859         (JSC::Stringifier::toJSONImpl):
860         (JSC::Stringifier::appendStringifiedValue):
861         (JSC::Stringifier::Holder::Holder):
862         (JSC::Stringifier::Holder::appendNextProperty):
863
864 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
865
866         [JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks
867         https://bugs.webkit.org/show_bug.cgi?id=187755
868
869         Reviewed by Mark Lam.
870
871         JSON.stringify used `inherits<JSArray>(vm)` to determine whether the given replacer is an array replacer.
872         But this is wrong. According to the spec, we should use `isArray`[1], which accepts Proxies. This difference
873         makes one test262 test fail.
874
875         This patch changes the code to use `isArray()`. And we reorder the evaluations of the replacer check and the indent space check
876         to align these checks to the spec's order.
877
878         [1]: https://tc39.github.io/ecma262/#sec-json.stringify
879
880         * runtime/JSONObject.cpp:
881         (JSC::Stringifier::Stringifier):
882
883 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
884
885         [JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable
886         https://bugs.webkit.org/show_bug.cgi?id=187752
887
888         Reviewed by Mark Lam.
889
890         JSON.stringify has an implicit root wrapper object since we would like to call replacer
891         with a wrapper object and a property name. While we always create this wrapper object,
892         it is unnecessary if the given replacer is not callable.
893
894         This patch removes wrapper object creation when a replacer is not callable to avoid unnecessary
895         allocations. This change slightly improves the performance of Kraken/json-stringify-tinderbox.
896
897                                            baseline                  patched
898
899         json-stringify-tinderbox        39.730+-0.590      ^      38.853+-0.266         ^ definitely 1.0226x faster
900
901         * runtime/JSONObject.cpp:
902         (JSC::Stringifier::isCallableReplacer const):
903         (JSC::Stringifier::Stringifier):
904         (JSC::Stringifier::stringify):
905         (JSC::Stringifier::appendStringifiedValue):
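
        The three JSON.stringify entries above (the [[Get]] vs [[GetOwnProperty]] change, the `isArray` replacer
        check, and the root wrapper object) each describe a spec-observable behaviour. The following is an added
        example, not JSC code, that exercises all three from script so the behaviour can be checked against any
        spec-conformant engine (it was written for Node.js). The objects, getters and Proxy used are constructed
        inputs for the example.

```javascript
// Added example, not JSC code: the JSON.stringify behaviours described in the three
// entries above, as observed in a spec-conformant engine (run under Node.js).

// [[Get]] vs [[GetOwnProperty]]: with an array replacer, a property that exists only
// on the prototype is still serialized, because the value is read with [[Get]].
function inheritedViaReplacer() {
  const obj = Object.create({ inherited: 1 });
  obj.own = 2;
  return JSON.stringify(obj, ['own', 'inherited']);
}
// → '{"own":2,"inherited":1}'

// The enumeration happens up front, so a getter that deletes a sibling own property
// does not remove that key from the list; the later [[Get]] then falls through to
// the prototype instead of being skipped.
function getterDeletesSibling() {
  const obj = {
    get a() { delete this.b; return 1; },
    b: 2,
  };
  Object.setPrototypeOf(obj, { b: 'from prototype' });
  return JSON.stringify(obj);
}
// → '{"a":1,"b":"from prototype"}'

// isArray, not a JSArray type check: a Proxy whose target is an array is accepted
// as the property-list replacer, and the list is read through its get trap.
function proxyReplacer() {
  const trapped = [];
  const replacer = new Proxy(['b', 'a'], {
    get(target, key, receiver) {
      trapped.push(String(key));
      return Reflect.get(target, key, receiver);
    },
  });
  return { out: JSON.stringify({ a: 1, b: 2, c: 3 }, replacer), trapped };
}
// → out '{"b":2,"a":1}'; trapped contains 'length', '0' and '1'

// The root wrapper object is only observable through a callable replacer: its first
// call receives key "" with the wrapper {"": value} as `this`.
function rootWrapperSeenByReplacer() {
  let first = null;
  JSON.stringify(42, function (key, value) {
    if (first === null) {
      first = {
        key,
        holderIsPlainObject: Object.getPrototypeOf(this) === Object.prototype,
        holderValue: this[''],
      };
    }
    return value;
  });
  return first;
}
// → { key: '', holderIsPlainObject: true, holderValue: 42 }
```

        The last function is the only way script can see the wrapper, which is why an engine can skip allocating it
        when the replacer is not callable without any observable change.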
906
907 2018-07-18  Carlos Garcia Campos  <cgarcia@igalia.com>
908
909         [GLIB] Add jsc_context_check_syntax() to GLib API
910         https://bugs.webkit.org/show_bug.cgi?id=187694
911
912         Reviewed by Yusuke Suzuki.
913
914         A new function to be able to check for syntax errors without actually evaluating the code.
915
916         * API/glib/JSCContext.cpp:
917         (jsc_context_check_syntax):
918         * API/glib/JSCContext.h:
919         * API/glib/docs/jsc-glib-4.0-sections.txt:
920
921 2018-07-17  Keith Miller  <keith_miller@apple.com>
922
923         Revert r233630 since it broke internal wasm benchmarks
924         https://bugs.webkit.org/show_bug.cgi?id=187746
925
926         Unreviewed revert.
927
928         This patch seems to have broken internal Wasm benchmarks. This
929         issue is likely due to an underlying bug but let's rollout while
930         we investigate.
931
932         * bytecode/CodeType.h:
933         * bytecode/UnlinkedCodeBlock.cpp:
934         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
935         * bytecode/UnlinkedCodeBlock.h:
936         (JSC::UnlinkedCodeBlock::codeType const):
937         (JSC::UnlinkedCodeBlock::didOptimize const):
938         (JSC::UnlinkedCodeBlock::setDidOptimize):
939         * bytecode/VirtualRegister.h:
940         (JSC::VirtualRegister::VirtualRegister):
941         (): Deleted.
942
943 2018-07-17  Mark Lam  <mark.lam@apple.com>
944
945         CodeBlock::baselineVersion() should account for executables with purged codeBlocks.
946         https://bugs.webkit.org/show_bug.cgi?id=187736
947         <rdar://problem/42114371>
948
949         Reviewed by Michael Saboff.
950
951         CodeBlock::baselineVersion() currently checks for a null replacement but does not
952         account for the fact that the replacement can also be null due to the
953         executable having been purged of its codeBlocks due to a memory event (see
954         ExecutableBase::clearCode()).  This patch adds code to account for this.
955
956         * bytecode/CodeBlock.cpp:
957         (JSC::CodeBlock::baselineVersion):
958
959 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
960
961         [JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets
962         https://bugs.webkit.org/show_bug.cgi?id=187709
963
964         Reviewed by Mark Lam.
965
966         UnlinkedCodeBlock::shrinkToFit accidentally misses shrinking m_constantIdentifierSets.
967
968         * bytecode/UnlinkedCodeBlock.cpp:
969         (JSC::UnlinkedCodeBlock::shrinkToFit):
970
971 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
972
973         [JSC] Make SourceParseMode small
974         https://bugs.webkit.org/show_bug.cgi?id=187705
975
976         Reviewed by Mark Lam.
977
978         Each SourceParseMode is distinct. So we do not need to make it a set-style (power of 2 style).
979         Originally, this is done to make SourceParseModeSet faster because it is critical in our parser.
980         But we can keep SourceParseModeSet fast by `1U << mode | set`. And we can make SourceParseMode
981         within 5 bits. This reduces the size of UnlinkedCodeBlock from 288 to 280.
982
983         * parser/ParserModes.h:
984         (JSC::SourceParseModeSet::SourceParseModeSet):
985         (JSC::SourceParseModeSet::contains):
986         (JSC::SourceParseModeSet::mergeSourceParseModes):
987
988 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
989
990         [JSC] Generator and AsyncGeneratorMethod's prototype is incorrect
991         https://bugs.webkit.org/show_bug.cgi?id=187585
992
993         Reviewed by Darin Adler.
994
995         This patch fixes Generator and AsyncGenerator's prototype issues.
996
997         1. Generator's default prototype is incorrect when `generator.prototype = null` is performed.
998         We fix this by changing JSFunction::prototypeForConstruction.
999
1000         2. AsyncGeneratorMethod is not handled. We change the name isAsyncGeneratorFunctionParseMode
1001         to isAsyncGeneratorWrapperParseMode since it is aligned to Generator's code. And use it well
1002         to fix `prototype` issues for AsyncGeneratorMethod.
1003
1004         * bytecompiler/BytecodeGenerator.cpp:
1005         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
1006         (JSC::BytecodeGenerator::emitNewFunction):
1007         * bytecompiler/NodesCodegen.cpp:
1008         (JSC::FunctionNode::emitBytecode):
1009         * parser/ASTBuilder.h:
1010         (JSC::ASTBuilder::createFunctionMetadata):
1011         * parser/Parser.cpp:
1012         (JSC::getAsynFunctionBodyParseMode):
1013         (JSC::Parser<LexerType>::parseInner):
1014         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1015         * parser/ParserModes.h:
1016         (JSC::isAsyncGeneratorParseMode):
1017         (JSC::isAsyncGeneratorWrapperParseMode):
1018         (JSC::isAsyncGeneratorFunctionParseMode): Deleted.
1019         * runtime/FunctionExecutable.h:
1020         * runtime/JSFunction.cpp:
1021         (JSC::JSFunction::prototypeForConstruction):
1022         (JSC::JSFunction::getOwnPropertySlot):
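
        The entry above fixes the prototype used for generator and async generator instances when the function's
        own `prototype` property has been replaced by a non-object. The following is an added example, not JSC
        code: it checks, for a generator function, a generator method, an async generator function and an async
        generator method, that instances fall back to the realm's %GeneratorPrototype% or %AsyncGeneratorPrototype%
        (obtained here from fresh function expressions) rather than Object.prototype, and that the normal case still
        honours an object-valued `prototype`.

```javascript
// Added example, not JSC code: fallback prototypes for generator and async generator
// instances when the function's own .prototype is not an object (here: null).

// The realm intrinsics, reached through the [[Prototype]] of generator functions.
const GeneratorPrototype = Object.getPrototypeOf(function* () {}).prototype;
const AsyncGeneratorPrototype = Object.getPrototypeOf(async function* () {}).prototype;

function prototypeFallbacks() {
  function* gen() {}
  async function* asyncGen() {}
  const obj = {
    *genMethod() {},
    async *asyncGenMethod() {},
  };

  // Normal case: the instance inherits from fn.prototype while that is an object,
  // and fn.prototype itself inherits from %GeneratorPrototype%.
  const normal =
    Object.getPrototypeOf(gen()) === gen.prototype &&
    Object.getPrototypeOf(gen.prototype) === GeneratorPrototype;

  // Fallback case: .prototype is writable on these functions; after setting it to
  // null, OrdinaryCreateFromConstructor must use the realm intrinsic instead.
  gen.prototype = null;
  asyncGen.prototype = null;
  obj.genMethod.prototype = null;
  obj.asyncGenMethod.prototype = null;

  return {
    normal,
    generator: Object.getPrototypeOf(gen()) === GeneratorPrototype,
    generatorMethod: Object.getPrototypeOf(obj.genMethod()) === GeneratorPrototype,
    asyncGenerator: Object.getPrototypeOf(asyncGen()) === AsyncGeneratorPrototype,
    asyncGeneratorMethod: Object.getPrototypeOf(obj.asyncGenMethod()) === AsyncGeneratorPrototype,
    notObjectPrototype: Object.getPrototypeOf(gen()) !== Object.prototype,
  };
}
// prototypeFallbacks() → every field true
```

        The async generator method case is the one the entry singles out: a conforming engine has to treat it the same
        way as a plain async generator function rather than as a generator or ordinary method.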
1023
1024 2018-07-16  Mark Lam  <mark.lam@apple.com>
1025
1026         jsc shell's noFTL utility test function should be more robust.
1027         https://bugs.webkit.org/show_bug.cgi?id=187704
1028         <rdar://problem/42231988>
1029
1030         Reviewed by Michael Saboff and Keith Miller.
1031
1032         * jsc.cpp:
1033         (functionNoFTL):
1034         - only setNeverFTLOptimize() if the function is actually a JS function.
1035
1036 2018-07-15  Carlos Garcia Campos  <cgarcia@igalia.com>
1037
1038         [GLIB] Add API to evaluate code using a given object to store global symbols
1039         https://bugs.webkit.org/show_bug.cgi?id=187639
1040
1041         Reviewed by Michael Catanzaro.
1042
1043         Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the
1044         evaluated script are added as properties to the new object instead of to the context global object. This is
1045         similar to JS::Evaluate in SpiderMonkey when a scopeChain parameter is passed, but JSC doesn't support using a
1046         scope for assignments, so we have to create a new context and get its global object. This patch also updates
1047         jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new
1048         jsc_context_evaluate_in_object().
1049
1050         * API/glib/JSCContext.cpp:
1051         (jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri().
1052         (evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef.
1053         (jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext().
1054         (jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension
1055         scope of it. Evaluate the script in the new context and get its global object to be returned as parameter.
1056         * API/glib/JSCContext.h:
1057         * API/glib/docs/jsc-glib-4.0-sections.txt:
1058
1059 2018-07-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1060
1061         [32bit JSC tests]  stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing
1062         https://bugs.webkit.org/show_bug.cgi?id=187561
1063
1064         Reviewed by Darin Adler.
1065
1066         This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code.
1067         We clean up 32bit put_by_val code.
1068
1069         1. We remove inline out-of-bounds recording code since it is done in C operation code. This change
1070         aligns 32bit implementation to 64bit implementation.
1071
1072         2. We add CoW array checking, which is done in 64bit implementation.
1073
1074         * jit/JITPropertyAccess.cpp:
1075         (JSC::JIT::emit_op_put_by_val):
1076         * jit/JITPropertyAccess32_64.cpp:
1077         (JSC::JIT::emit_op_put_by_val):
1078         (JSC::JIT::emitSlow_op_put_by_val):
1079
1080 2018-07-12  Mark Lam  <mark.lam@apple.com>
1081
1082         Need to handle CodeBlock::replacement() being null.
1083         https://bugs.webkit.org/show_bug.cgi?id=187569
1084         <rdar://problem/41468692>
1085
1086         Reviewed by Saam Barati.
1087
1088         CodeBlock::replacement() may return a nullptr.  Some of our code already checks
1089         for this while others do not.  We should add null checks in all the places that
1090         need it.
1091
1092         * bytecode/CodeBlock.cpp:
1093         (JSC::CodeBlock::hasOptimizedReplacement):
1094         (JSC::CodeBlock::jettison):
1095         (JSC::CodeBlock::numberOfDFGCompiles):
1096         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
1097         * dfg/DFGOperations.cpp:
1098         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1099         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
1100         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1101         * jit/JITOperations.cpp:
1102
1103 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1104
1105         [JSC] Thread VM& to JSCell::methodTable(VM&)
1106         https://bugs.webkit.org/show_bug.cgi?id=187548
1107
1108         Reviewed by Saam Barati.
1109
1110         This patch threads VM& to methodTable(VM&) and removes methodTable().
1111         We add VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.
1112
1113         * API/APICast.h:
1114         (toJS):
1115         * API/JSCallbackObject.h:
1116         * API/JSCallbackObjectFunctions.h:
1117         (JSC::JSCallbackObject<Parent>::className):
1118         * bytecode/CodeBlock.cpp:
1119         (JSC::CodeBlock::estimatedSize):
1120         * bytecode/CodeBlock.h:
1121         * bytecode/UnlinkedCodeBlock.cpp:
1122         (JSC::UnlinkedCodeBlock::estimatedSize):
1123         * bytecode/UnlinkedCodeBlock.h:
1124         * debugger/DebuggerScope.cpp:
1125         (JSC::DebuggerScope::className):
1126         * debugger/DebuggerScope.h:
1127         * heap/Heap.cpp:
1128         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
1129         (JSC::GatherHeapSnapshotData::operator() const):
1130         (JSC::Heap::gatherExtraHeapSnapshotData):
1131         * heap/HeapSnapshotBuilder.cpp:
1132         (JSC::HeapSnapshotBuilder::json):
1133         * runtime/ArrayPrototype.cpp:
1134         (JSC::arrayProtoFuncToString):
1135         * runtime/ClassInfo.h:
1136         * runtime/DirectArguments.cpp:
1137         (JSC::DirectArguments::estimatedSize):
1138         * runtime/DirectArguments.h:
1139         * runtime/HashMapImpl.cpp:
1140         (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
1141         * runtime/HashMapImpl.h:
1142         * runtime/JSArrayBuffer.cpp:
1143         (JSC::JSArrayBuffer::estimatedSize):
1144         * runtime/JSArrayBuffer.h:
1145         * runtime/JSBigInt.cpp:
1146         (JSC::JSBigInt::estimatedSize):
1147         * runtime/JSBigInt.h:
1148         * runtime/JSCell.cpp:
1149         (JSC::JSCell::dump const):
1150         (JSC::JSCell::estimatedSizeInBytes const):
1151         (JSC::JSCell::estimatedSize):
1152         (JSC::JSCell::className):
1153         * runtime/JSCell.h:
1154         * runtime/JSCellInlines.h:
1155         * runtime/JSGenericTypedArrayView.h:
1156         * runtime/JSGenericTypedArrayViewInlines.h:
1157         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
1158         * runtime/JSObject.cpp:
1159         (JSC::JSObject::estimatedSize):
1160         (JSC::JSObject::className):
1161         (JSC::JSObject::toStringName):
1162         (JSC::JSObject::calculatedClassName):
1163         * runtime/JSObject.h:
1164         * runtime/JSProxy.cpp:
1165         (JSC::JSProxy::className):
1166         * runtime/JSProxy.h:
1167         * runtime/JSString.cpp:
1168         (JSC::JSString::estimatedSize):
1169         * runtime/JSString.h:
1170         * runtime/RegExp.cpp:
1171         (JSC::RegExp::estimatedSize):
1172         * runtime/RegExp.h:
1173         * runtime/WeakMapImpl.cpp:
1174         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
1175         * runtime/WeakMapImpl.h:
1176
1177 2018-07-11  Commit Queue  <commit-queue@webkit.org>
1178
1179         Unreviewed, rolling out r233714.
1180         https://bugs.webkit.org/show_bug.cgi?id=187579
1181
1182         it made tests time out (Requested by pizlo on #webkit).
1183
1184         Reverted changeset:
1185
1186         "Change the reoptimization backoff base to 1.3 from 2"
1187         https://bugs.webkit.org/show_bug.cgi?id=187540
1188         https://trac.webkit.org/changeset/233714
1189
1190 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1191
1192         [GLIB] Add API to allow creating variadic functions
1193         https://bugs.webkit.org/show_bug.cgi?id=187517
1194
1195         Reviewed by Michael Catanzaro.
1196
1197         Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
1198         jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.
1199
1200         * API/glib/JSCCallbackFunction.cpp:
1201         (JSC::JSCCallbackFunction::create): Make the parameters optional.
1202         (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
1203         (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
1204         JSCValue for the arguments.
1205         (JSC::JSCCallbackFunction::construct): Ditto.
1206         * API/glib/JSCCallbackFunction.h:
1207         * API/glib/JSCClass.cpp:
1208         (jscClassCreateConstructor): Make the parameters optional.
1209         (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
1210         (jscClassAddMethod): Make the parameters optional.
1211         (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
1212         * API/glib/JSCClass.h:
1213         * API/glib/JSCValue.cpp:
1214         (jsc_value_object_define_property_accessor): Update now that parameters are optional.
1215         (jscValueFunctionCreate): Make the parameters optional.
1216         (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
1217         * API/glib/JSCValue.h:
1218         * API/glib/docs/jsc-glib-4.0-sections.txt:
1219
1220 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1221
1222         [GLIB] Add jsc_context_get_global_object() to GLib API
1223         https://bugs.webkit.org/show_bug.cgi?id=187515
1224
1225         Reviewed by Michael Catanzaro.
1226
1227         This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
1228         object. However, getting the global object could be useful in some cases, for example to give it a well known
1229         name like 'window' in browsers and GJS.
1230
1231         * API/glib/JSCContext.cpp:
1232         (jsc_context_get_global_object):
1233         * API/glib/JSCContext.h:
1234         * API/glib/docs/jsc-glib-4.0-sections.txt:
1235
1236 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1237
1238         [GLIB] Handle G_TYPE_STRV in glib API
1239         https://bugs.webkit.org/show_bug.cgi?id=187512
1240
1241         Reviewed by Michael Catanzaro.
1242
1243         Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.
1244
1245         * API/glib/JSCContext.cpp:
1246         (jscContextGValueToJSValue):
1247         (jscContextJSValueToGValue):
1248         * API/glib/JSCValue.cpp:
1249         (jsc_value_new_array_from_strv):
1250         * API/glib/JSCValue.h:
1251         * API/glib/docs/jsc-glib-4.0-sections.txt:
1252
1253 2018-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1254
1255         Iterator of Array.keys() returns object in wrong order
1256         https://bugs.webkit.org/show_bug.cgi?id=185197
1257
1258         Reviewed by Keith Miller.
1259
1260         * builtins/ArrayIteratorPrototype.js:
1261         (globalPrivate.arrayIteratorValueNext):
1262         (globalPrivate.arrayIteratorKeyNext):
1263         (globalPrivate.arrayIteratorKeyValueNext):
1264         * builtins/AsyncFromSyncIteratorPrototype.js:
1265         * builtins/AsyncGeneratorPrototype.js:
1266         (globalPrivate.asyncGeneratorResolve):
1267         * builtins/GeneratorPrototype.js:
1268         (globalPrivate.generatorResume):
1269         * builtins/MapIteratorPrototype.js:
1270         (globalPrivate.mapIteratorNext):
1271         * builtins/SetIteratorPrototype.js:
1272         (globalPrivate.setIteratorNext):
1273         * builtins/StringIteratorPrototype.js:
1274         (next):
1275         * runtime/IteratorOperations.cpp:
1276         (JSC::createIteratorResultObjectStructure):
1277         (JSC::createIteratorResultObject):
1278
1279 2018-07-10  Mark Lam  <mark.lam@apple.com>
1280
1281         constructArray() should always allocate the requested length.
1282         https://bugs.webkit.org/show_bug.cgi?id=187543
1283         <rdar://problem/41947884>
1284
1285         Reviewed by Saam Barati.
1286
1287         Currently, it does not when we're having a bad time.  We fix this by switching
1288         back to using tryCreateUninitializedRestricted() exclusively in constructArray().
1289         If we detect that a structure transition is possible before we can initialize
1290         the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
1291         We will introduce JSArray::eagerlyInitializeButterfly() to handle this.
1292
1293         Also enhanced the DisallowScope and ObjectInitializationScope to support this
1294         eager initialization when needed.
1295
1296         * dfg/DFGOperations.cpp:
1297         - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
1298           the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
1299           it clearer that we encountered an OutOfMemory condition instead of failing in FTL
1300           generated code, which will appear as a generic null pointer dereference.
1301
1302         * runtime/ArrayPrototype.cpp:
1303         (JSC::concatAppendOne):
1304         - the code here clearly wants to check for an allocation failure.  Switched to
1305           using JSArray::tryCreate() instead of JSArray::create().
1306
1307         * runtime/DisallowScope.h:
1308         (JSC::DisallowScope::disable):
1309         * runtime/JSArray.cpp:
1310         (JSC::JSArray::tryCreateUninitializedRestricted):
1311         (JSC::JSArray::eagerlyInitializeButterfly):
1312         (JSC::constructArray):
1313         * runtime/JSArray.h:
1314         * runtime/ObjectInitializationScope.cpp:
1315         (JSC::ObjectInitializationScope::notifyInitialized):
1316         * runtime/ObjectInitializationScope.h:
1317         (JSC::ObjectInitializationScope::notifyInitialized):
1318
1319 2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1320
1321         [JSC] Remove getTypedArrayImpl
1322         https://bugs.webkit.org/show_bug.cgi?id=187338
1323
1324         Reviewed by Mark Lam.
1325
1326         getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
1327         is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
1328         This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.
1329
1330         * runtime/ClassInfo.h:
1331         * runtime/GenericTypedArrayView.h:
1332         (JSC::GenericTypedArrayView::data const): Deleted.
1333         (JSC::GenericTypedArrayView::set): Deleted.
1334         (JSC::GenericTypedArrayView::setRange): Deleted.
1335         (JSC::GenericTypedArrayView::zeroRange): Deleted.
1336         (JSC::GenericTypedArrayView::zeroFill): Deleted.
1337         (JSC::GenericTypedArrayView::length const): Deleted.
1338         (JSC::GenericTypedArrayView::item const): Deleted.
1339         (JSC::GenericTypedArrayView::set const): Deleted.
1340         (JSC::GenericTypedArrayView::setNative const): Deleted.
1341         (JSC::GenericTypedArrayView::getRange): Deleted.
1342         (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
1343         (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
1344         * runtime/JSArrayBufferView.cpp:
1345         (JSC::JSArrayBufferView::possiblySharedImpl):
1346         * runtime/JSArrayBufferView.h:
1347         * runtime/JSArrayBufferViewInlines.h:
1348         (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
1349         * runtime/JSCell.cpp:
1350         (JSC::JSCell::getTypedArrayImpl): Deleted.
1351         * runtime/JSCell.h:
1352         * runtime/JSDataView.cpp:
1353         (JSC::JSDataView::getTypedArrayImpl): Deleted.
1354         * runtime/JSDataView.h:
1355         * runtime/JSGenericTypedArrayView.h:
1356         * runtime/JSGenericTypedArrayViewInlines.h:
1357         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.
1358
1359 2018-07-10  Keith Miller  <keith_miller@apple.com>
1360
1361         hasOwnProperty returns true for out of bounds property index on TypedArray
1362         https://bugs.webkit.org/show_bug.cgi?id=187520
1363
1364         Reviewed by Saam Barati.
1365
1366         * runtime/JSGenericTypedArrayViewInlines.h:
1367         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1368
1369 2018-07-10  Michael Saboff  <msaboff@apple.com>
1370
1371         DFG JIT: compileMathIC produces incorrect machine code
1372         https://bugs.webkit.org/show_bug.cgi?id=187537
1373
1374         Reviewed by Saam Barati.
1375
1376         Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
1377         fall back to the fast path generator which handles such cases.
1378
1379         * jit/JITMulGenerator.cpp:
1380         (JSC::JITMulGenerator::generateInline):
1381
1382 2018-07-10  Filip Pizlo  <fpizlo@apple.com>
1383
1384         Change the reoptimization backoff base to 1.3 from 2
1385         https://bugs.webkit.org/show_bug.cgi?id=187540
1386
1387         Reviewed by Saam Barati.
1388         
1389         I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
1390         
1391         I also have data that hints that a backoff base of 1 might be even better, but I think that
1392         we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.
1393
1394         * bytecode/CodeBlock.cpp:
1395         (JSC::CodeBlock::reoptimizationRetryCounter const):
1396         (JSC::CodeBlock::countReoptimization):
1397         (JSC::CodeBlock::adjustedCounterValue):
1398         * runtime/Options.cpp:
1399         (JSC::recomputeDependentOptions):
1400         * runtime/Options.h:
1401
1402 2018-07-10  Mark Lam  <mark.lam@apple.com>
1403
1404         [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
1405         https://bugs.webkit.org/show_bug.cgi?id=187362
1406         <rdar://problem/42027210>
1407
1408         Reviewed by Saam Barati.
1409
1410         On 32-bit targets, a 0-valued JSValue is not the empty JSValue, but it is a valid
1411         value to use for initializing unused properties.  Updated an assertion to account
1412         for this.
1413
1414         * runtime/ObjectInitializationScope.cpp:
1415         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
1416
1417 2018-07-10  Michael Saboff  <msaboff@apple.com>
1418
1419         YARR: . doesn't match non-BMP Unicode characters in some cases
1420         https://bugs.webkit.org/show_bug.cgi?id=187248
1421
1422         Reviewed by Geoffrey Garen.
1423
1424         The safety check in optimizeAlternative() for moving character classes that only consist of BMP
1425         characters did not take into account that the character class is inverted.  In this case, we
1426         represent '.' as "not a newline" using the newline character class with an inverted check.
1427         Clearly that includes non-BMP characters.
1428
1429         The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
1430         inverted use of that character class.
1431
1432         * yarr/YarrJIT.cpp:
1433         (JSC::Yarr::YarrGenerator::optimizeAlternative):
1434
1435 2018-07-09  Mark Lam  <mark.lam@apple.com>
1436
1437         Add --traceLLIntExecution and --traceLLIntSlowPath options.
1438         https://bugs.webkit.org/show_bug.cgi?id=187479
1439
1440         Reviewed by Yusuke Suzuki and Saam Barati.
1441
1442         These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.
1443
1444         The details:
1445         1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
1446         2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
1447            This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
1448            continually spammed with logging until we rebuild.
1449         3. Fixed slow path LLINT tracing to work with exception check validation.
1450
1451         * llint/LLIntCommon.h:
1452         * llint/LLIntExceptions.cpp:
1453         (JSC::LLInt::returnToThrow):
1454         (JSC::LLInt::callToThrow):
1455         * llint/LLIntOfflineAsmConfig.h:
1456         * llint/LLIntSlowPaths.cpp:
1457         (JSC::LLInt::slowPathLog):
1458         (JSC::LLInt::slowPathLn):
1459         (JSC::LLInt::slowPathLogF):
1460         (JSC::LLInt::slowPathLogLn):
1461         (JSC::LLInt::llint_trace_operand):
1462         (JSC::LLInt::llint_trace_value):
1463         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1464         (JSC::LLInt::traceFunctionPrologue):
1465         (JSC::LLInt::handleHostCall):
1466         (JSC::LLInt::setUpCall):
1467         * llint/LLIntSlowPaths.h:
1468         * llint/LowLevelInterpreter.asm:
1469         * runtime/CommonSlowPathsExceptions.cpp:
1470         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1471         * runtime/Options.cpp:
1472         (JSC::Options::isAvailable):
1473         * runtime/Options.h:
1474
1475 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1476
1477         [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
1478         https://bugs.webkit.org/show_bug.cgi?id=187477
1479
1480         Reviewed by Mark Lam.
1481
1482         Before this patch, RegExp* is specially held in the m_regexp buffer which resides in CodeBlock's RareData.
1483         However, it is not necessary since JSCells can reside in a constant buffer.
1484         This patch embeds RegExp* in a constant buffer in UnlinkedCodeBlock and CodeBlock, and removes the RegExp
1485         vector from RareData.
1486
1487         We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.
1488
1489         * bytecode/BytecodeDumper.cpp:
1490         (JSC::BytecodeDumper<Block>::dumpBytecode):
1491         (JSC::BytecodeDumper<Block>::dumpBlock):
1492         (JSC::regexpToSourceString): Deleted.
1493         (JSC::regexpName): Deleted.
1494         (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
1495         * bytecode/BytecodeDumper.h:
1496         * bytecode/CodeBlock.h:
1497         (JSC::CodeBlock::regexp const): Deleted.
1498         (JSC::CodeBlock::numberOfRegExps const): Deleted.
1499         * bytecode/UnlinkedCodeBlock.cpp:
1500         (JSC::UnlinkedCodeBlock::visitChildren):
1501         (JSC::UnlinkedCodeBlock::shrinkToFit):
1502         * bytecode/UnlinkedCodeBlock.h:
1503         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
1504         (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
1505         (JSC::UnlinkedCodeBlock::regexp const): Deleted.
1506         * bytecompiler/BytecodeGenerator.cpp:
1507         (JSC::BytecodeGenerator::emitNewRegExp):
1508         (JSC::BytecodeGenerator::addRegExp): Deleted.
1509         * bytecompiler/BytecodeGenerator.h:
1510         * dfg/DFGByteCodeParser.cpp:
1511         (JSC::DFG::ByteCodeParser::parseBlock):
1512         * jit/JITOpcodes.cpp:
1513         (JSC::JIT::emit_op_new_regexp):
1514         * llint/LLIntSlowPaths.cpp:
1515         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1516         * runtime/JSCJSValue.cpp:
1517         (JSC::JSValue::dumpInContextAssumingStructure const):
1518         * runtime/RegExp.cpp:
1519         (JSC::regexpToSourceString):
1520         (JSC::RegExp::dumpToStream):
1521         * runtime/RegExp.h:
1522
1523 2018-07-09  Brian Burg  <bburg@apple.com>
1524
1525         REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
1526         https://bugs.webkit.org/show_bug.cgi?id=187350
1527         <rdar://problem/41728249>
1528
1529         Reviewed by Matt Baker.
1530
1531         Add a new command that toggles whether or not to blackbox internal scripts.
1532         If blackboxed, the scripts will not be shown to the frontend and the debugger will
1533         not pause in source frames from blackboxed scripts. Sometimes we want to break into
1534         those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
1535         that injects scripts.
1536
1537         * inspector/agents/InspectorDebuggerAgent.cpp:
1538         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
1539         (Inspector::InspectorDebuggerAgent::didParseSource):
1540         * inspector/agents/InspectorDebuggerAgent.h:
1541         * inspector/protocol/Debugger.json:
1542
1543 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1544
1545         [JSC] Make some data members of UnlinkedCodeBlock private
1546         https://bugs.webkit.org/show_bug.cgi?id=187467
1547
1548         Reviewed by Mark Lam.
1549
1550         This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
1551         We also remove m_numCapturedVars since it is no longer used.
1552
1553         * bytecode/CodeBlock.cpp:
1554         (JSC::CodeBlock::CodeBlock):
1555         * bytecode/CodeBlock.h:
1556         * bytecode/UnlinkedCodeBlock.cpp:
1557         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1558         * bytecode/UnlinkedCodeBlock.h:
1559
1560 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1561
1562         [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
1563         https://bugs.webkit.org/show_bug.cgi?id=187465
1564
1565         Reviewed by Keith Miller.
1566
1567         ProxyableAccessCase is allocated very frequently and persists for a long time. Reducing the size
1568         of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.
1569
1570         This patch uses a slightly more complicated layout to reduce ProxyableAccessCase. We add an unused bool member
1571         in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
1572         of ProxyableAccessCase from 56 to 48. It also reduces the size of GetterSetterAccessCase
1573         from 104 to 96 since it inherits from ProxyableAccessCase.
1574
1575         * bytecode/AccessCase.h:
1576         (JSC::AccessCase::viaProxy const):
1577         (JSC::AccessCase::AccessCase):
1578         * bytecode/ProxyableAccessCase.cpp:
1579         (JSC::ProxyableAccessCase::ProxyableAccessCase):
1580         * bytecode/ProxyableAccessCase.h:
1581
1582 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1583
1584         Unreviewed, build fix for debug builds after r233630
1585         https://bugs.webkit.org/show_bug.cgi?id=187441
1586
1587         * jit/JIT.cpp:
1588         (JSC::JIT::frameRegisterCountFor):
1589         * llint/LLIntEntrypoint.cpp:
1590         (JSC::LLInt::frameRegisterCountFor):
1591
1592 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1593
1594         [JSC] Optimize layout of CodeBlock to reduce padding
1595         https://bugs.webkit.org/show_bug.cgi?id=187441
1596
1597         Reviewed by Mark Lam.
1598
1599         Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
1600         We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
1601         Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.
1602
1603         We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.
1604
1605         * bytecode/BytecodeDumper.cpp:
1606         (JSC::BytecodeDumper<Block>::dumpBlock):
1607         * bytecode/BytecodeUseDef.h:
1608         (JSC::computeDefsForBytecodeOffset):
1609         * bytecode/CodeBlock.cpp:
1610         (JSC::CodeBlock::CodeBlock):
1611         * bytecode/CodeBlock.h:
1612         (JSC::CodeBlock::numVars const):
1613         * bytecode/UnlinkedCodeBlock.h:
1614         (JSC::UnlinkedCodeBlock::numVars const):
1615         * dfg/DFGByteCodeParser.cpp:
1616         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1617         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
1618         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1619         (JSC::DFG::ByteCodeParser::inlineCall):
1620         (JSC::DFG::ByteCodeParser::handleGetById):
1621         (JSC::DFG::ByteCodeParser::handlePutById):
1622         (JSC::DFG::ByteCodeParser::parseBlock):
1623         * dfg/DFGGraph.h:
1624         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
1625         * dfg/DFGOSREntrypointCreationPhase.cpp:
1626         (JSC::DFG::OSREntrypointCreationPhase::run):
1627         * dfg/DFGVariableEventStream.cpp:
1628         (JSC::DFG::VariableEventStream::reconstruct const):
1629         * ftl/FTLOSREntry.cpp:
1630         (JSC::FTL::prepareOSREntry):
1631         * ftl/FTLState.cpp:
1632         (JSC::FTL::State::State):
1633         * interpreter/Interpreter.cpp:
1634         (JSC::Interpreter::dumpRegisters):
1635         * jit/JIT.cpp:
1636         (JSC::JIT::frameRegisterCountFor):
1637         * jit/JITOpcodes.cpp:
1638         (JSC::JIT::emit_op_enter):
1639         * jit/JITOpcodes32_64.cpp:
1640         (JSC::JIT::emit_op_enter):
1641         * jit/JITOperations.cpp:
1642         * llint/LLIntEntrypoint.cpp:
1643         (JSC::LLInt::frameRegisterCountFor):
1644         * llint/LLIntSlowPaths.cpp:
1645         (JSC::LLInt::traceFunctionPrologue):
1646         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1647         * runtime/JSCJSValue.h:
1648
1649 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1650
1651         [JSC] Optimize padding of UnlinkedCodeBlock to shrink
1652         https://bugs.webkit.org/show_bug.cgi?id=187448
1653
1654         Reviewed by Saam Barati.
1655
1656         We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
1657         These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.
1658
1659         * bytecode/CodeType.h:
1660         * bytecode/UnlinkedCodeBlock.cpp:
1661         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1662         * bytecode/UnlinkedCodeBlock.h:
1663         (JSC::UnlinkedCodeBlock::codeType const):
1664         (JSC::UnlinkedCodeBlock::didOptimize const):
1665         (JSC::UnlinkedCodeBlock::setDidOptimize):
1666         * bytecode/VirtualRegister.h:
1667
1668 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1669
1670         [JSC] Optimize padding of InferredTypeTable by using cellLock
1671         https://bugs.webkit.org/show_bug.cgi?id=187447
1672
1673         Reviewed by Mark Lam.
1674
1675         Use cellLock() in InferredTypeTable to guard changes of internal structures.
1676         This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
1677         reduce the size of InferredTypeTable from 40 to 32.
1678
1679         * runtime/InferredTypeTable.cpp:
1680         (JSC::InferredTypeTable::visitChildren):
1681         (JSC::InferredTypeTable::get):
1682         (JSC::InferredTypeTable::willStoreValue):
1683         (JSC::InferredTypeTable::makeTop):
1684         * runtime/InferredTypeTable.h:
1685         Use enum class and using-declarations, and remove `isEmpty()` since it is not used.
1686
1687         * runtime/Structure.h:
1688
1689 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1690
1691         [JSC] Optimize layout of SourceProvider to reduce padding
1692         https://bugs.webkit.org/show_bug.cgi?id=187440
1693
1694         Reviewed by Mark Lam.
1695
1696         Arrange members of SourceProvider to reduce the size from 80 to 72.
1697
1698         * parser/SourceProvider.cpp:
1699         (JSC::SourceProvider::SourceProvider):
1700         * parser/SourceProvider.h:
1701
1702 2018-07-08  Mark Lam  <mark.lam@apple.com>
1703
1704         PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
1705         https://bugs.webkit.org/show_bug.cgi?id=187444
1706         <rdar://problem/41282849>
1707
1708         Reviewed by Saam Barati.
1709
1710         PropertyTable supports C++ iteration by offering begin() and end() methods, and
1711         an iterator class.  The begin() methods and the iterator operator++() method use
1712         PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
1713         However, PropertyTable::skipDeletedEntries() does not prevent the iteration
1714         pointer from being incremented past the end of the table.  As a result, we can
1715         iterate past the end of the table.  Note that the C++ iteration protocol tests
1716         for the iterator not being equal to the end() value.  It does not do a <= test.
1717         If the iterator ever shoots past end, the loop will effectively not terminate.
1718
1719         This issue can manifest if and only if the last entry in the table is a deleted
1720         one, and the key field of the PropertyMapEntry shaped space at the end of the
1721         table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
1722         value.
1723
1724         No test because manifesting this issue requires uncontrollable happenstance where
1725         memory just beyond the end of the table looks like a deleted entry.
1726
1727         * runtime/PropertyMapHashTable.h:
1728         (JSC::PropertyTable::begin):
1729         (JSC::PropertyTable::end):
1730         (JSC::PropertyTable::begin const):
1731         (JSC::PropertyTable::end const):
1732         (JSC::PropertyTable::skipDeletedEntries):
1733
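Editor's note: the C++ model below is an added illustration of the iteration hazard described in the entry above. It is not JavaScriptCore code; the Entry type, the PropertyTableModel class and the kDeletedKey constant (standing in for PROPERTY_MAP_DELETED_ENTRY_KEY) are constructs of this example, and the deleted-looking slot just past the table end is planted deliberately so that the "uncontrollable happenstance" the entry mentions is reproducible here.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed sentinels: in the real table a deleted slot is marked by a
// sentinel key; kDeletedKey plays the role of PROPERTY_MAP_DELETED_ENTRY_KEY.
constexpr uintptr_t kEmptyKey = 0;
constexpr uintptr_t kDeletedKey = 1;

struct Entry {
    uintptr_t key;   // kEmptyKey, kDeletedKey, or an opaque live key
    unsigned offset; // property storage offset (not used by the iteration logic)
};

// Unbounded skip: advances while the slot looks deleted with no notion of where
// the table ends. If the memory right past the last slot holds kDeletedKey, it
// walks off the end.
inline Entry* skipDeletedEntriesUnbounded(Entry* it) {
    while (it->key == kDeletedKey)
        ++it;
    return it;
}

// Bounded skip: never advances past end, so begin() and operator++ land exactly
// on end() and an `it != end()` loop terminates.
inline Entry* skipDeletedEntries(Entry* it, Entry* end) {
    while (it != end && it->key == kDeletedKey)
        ++it;
    return it;
}

class PropertyTableModel {
public:
    // `capacity` logical slots plus two shadow slots, so the "memory beyond the
    // table" is real, readable memory inside this model's own allocation.
    explicit PropertyTableModel(size_t capacity)
        : m_storage(capacity + 2), m_size(capacity)
    {
        m_storage[capacity].key = kDeletedKey;    // looks like a deleted entry
        m_storage[capacity + 1].key = kEmptyKey;  // stops the unbounded walk here
    }

    Entry* tableBegin() { return m_storage.data(); }
    Entry* tableEnd() { return m_storage.data() + m_size; }

    class iterator {
    public:
        iterator(Entry* it, Entry* end) : m_it(skipDeletedEntries(it, end)), m_end(end) {}
        Entry& operator*() const { return *m_it; }
        iterator& operator++() { m_it = skipDeletedEntries(m_it + 1, m_end); return *this; }
        bool operator!=(const iterator& other) const { return m_it != other.m_it; }
    private:
        Entry* m_it;
        Entry* m_end;
    };

    iterator begin() { return iterator(tableBegin(), tableEnd()); }
    iterator end() { return iterator(tableEnd(), tableEnd()); }

    void set(size_t index, uintptr_t key, unsigned offset) { m_storage[index] = Entry{key, offset}; }
    void markDeleted(size_t index) { m_storage[index].key = kDeletedKey; }

    // Live entries reached by the bounded iteration.
    size_t countLive() {
        size_t n = 0;
        for (Entry& e : *this) { (void)e; ++n; }
        return n;
    }

    // True if the unbounded skip, started at `startIndex`, lands beyond end().
    bool unboundedSkipOverrunsEnd(size_t startIndex) {
        Entry* landed = skipDeletedEntriesUnbounded(tableBegin() + startIndex);
        return landed > tableEnd();
    }

private:
    std::vector<Entry> m_storage;
    size_t m_size;
};

// Constructed sample: four slots, the last two deleted, so the trailing run of
// deleted entries abuts the deleted-looking shadow slot past the end.
inline PropertyTableModel makeSampleTable() {
    PropertyTableModel table(4);
    table.set(0, 0x1000, 0);
    table.set(1, 0x2000, 1);
    table.set(2, 0x3000, 2);
    table.set(3, 0x4000, 3);
    table.markDeleted(2);
    table.markDeleted(3);
    return table;
}
```

On the sample table the unbounded variant overshoots end() by one slot, so an `it != end()` loop would never observe end() and would keep reading past the allocation; the bounded variant stops exactly at end(), which is the guard this entry describes.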
1734 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1735
1736         [JSC] Optimize layout of SymbolTable to reduce padding
1737         https://bugs.webkit.org/show_bug.cgi?id=187437
1738
1739         Reviewed by Mark Lam.
1740
1741         Arrange the layout of SymbolTable to reduce the size from 88 to 72.
1742
1743         * runtime/SymbolTable.h:
1744
1745 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1746
1747         [JSC] Optimize layout of RegExp to reduce padding
1748         https://bugs.webkit.org/show_bug.cgi?id=187438
1749
1750         Reviewed by Mark Lam.
1751
1752         Reduce the size of RegExp from 168 to 144.
1753
1754         * runtime/RegExp.cpp:
1755         (JSC::RegExp::RegExp):
1756         * runtime/RegExp.h:
1757         * runtime/RegExpKey.h:
1758         * yarr/YarrErrorCode.h:
1759
1760 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1761
1762         [JSC] Optimize layout of ValueProfile to reduce padding
1763         https://bugs.webkit.org/show_bug.cgi?id=187439
1764
1765         Reviewed by Mark Lam.
1766
1767         Reduce the size of ValueProfile from 40 to 32 by reordering members.
1768
1769         * bytecode/ValueProfile.h:
1770         (JSC::ValueProfileBase::ValueProfileBase):
1771
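Editor's note: the entries above for CodeBlock (187441), UnlinkedCodeBlock (187448), InferredTypeTable (187447), SourceProvider (187440), SymbolTable (187437), RegExp (187438), ValueProfile (187439) and ProxyableAccessCase (187465) all apply the same two techniques: order members by descending alignment and shrink enum storage, or reserve a slot in a base class's existing padding for a derived class to use. The C++ below is an added illustration of those techniques and is not JavaScriptCore code; every type in it is constructed for this example, and the asserted sizes are those produced by GCC and Clang under the Itanium C++ ABI.

```cpp
#include <cstddef>
#include <cstdint>

// Default underlying type of an enum class is int (4 bytes); the explicit
// uint8_t form is what the SourceCodeRepresentation/CodeType changes move to.
enum class WideKind { Alpha, Beta, Gamma };
enum class Kind : uint8_t { Alpha, Beta, Gamma };

// Members in arbitrary order: every narrow member that precedes a wider one
// drags alignment padding behind it.
struct Sprawling {
    bool flag;       // 1 byte, then padding up to alignof(uint64_t)
    uint64_t id;     // 8 bytes
    WideKind kind;   // 4 bytes
    uint16_t count;  // 2 bytes
    bool other;      // 1 byte, then tail padding to a multiple of alignof(Sprawling)
};

// Same payload, sorted by descending alignment, with the 1-byte enum: the
// narrow members pack into the tail and the struct shrinks.
struct Compact {
    uint64_t id;
    uint16_t count;
    Kind kind;
    bool flag;
    bool other;
};

constexpr size_t kCompactPayload = sizeof(uint64_t) + sizeof(uint16_t) + sizeof(Kind) + 2 * sizeof(bool);

// Bytes a type spends on padding, given the sum of its members' sizes.
template <typename T>
constexpr size_t paddingBytes(size_t payload) { return sizeof(T) - payload; }

static_assert(sizeof(Kind) == 1, "enum class : uint8_t is one byte");
static_assert(sizeof(Compact) == 16, "8 + 2 + 1 + 1 + 1 rounds up to 16");
static_assert(sizeof(Compact) < sizeof(Sprawling), "reordering shrinks the object");

// The ProxyableAccessCase trick. A plain-data base's tail padding cannot be
// reused for a derived class's members, so appending one bool to the derived
// class costs a whole alignment unit; reserving the bool inside the base's
// existing padding costs nothing.
struct BaseWithoutSlot {
    uint64_t structureID;
    uint8_t type;
};
struct DerivedAppends : BaseWithoutSlot {
    bool viaProxy; // placed after the base's tail padding
};

struct BaseWithSlot {
    uint64_t structureID;
    uint8_t type;
    bool viaProxy; // unused by the base itself; fills padding that existed anyway
};
struct DerivedReuses : BaseWithSlot {
    // no new members: viaProxy is read and written through the base's slot
};

static_assert(sizeof(BaseWithSlot) == sizeof(BaseWithoutSlot), "the reserved slot is free");
static_assert(sizeof(DerivedReuses) == sizeof(BaseWithSlot), "nothing appended");
static_assert(sizeof(DerivedAppends) > sizeof(DerivedReuses), "appending pays for padding again");

// Sizes as seen by this compiler, exposed as functions for checking.
constexpr size_t sprawlingSize() { return sizeof(Sprawling); }
constexpr size_t compactSize() { return sizeof(Compact); }
constexpr size_t derivedAppendsSize() { return sizeof(DerivedAppends); }
constexpr size_t derivedReusesSize() { return sizeof(DerivedReuses); }
```

The static_asserts are the practical check: pin the intended sizeof next to the type so a later member addition that reintroduces padding fails the build instead of silently growing every instance.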
1772 2018-07-05  Saam Barati  <sbarati@apple.com>
1773
1774         ProgramExecutable may be collected as we checkSyntax on it
1775         https://bugs.webkit.org/show_bug.cgi?id=187359
1776         <rdar://problem/41832135>
1777
1778         Reviewed by Mark Lam.
1779
1780         The bug was that we were passing in a reference to the SourceCode field on ProgramExecutable, while
1781         the ProgramExecutable itself may be collected. The fix here is to make a copy
1782         of the field instead of passing in a reference inside of ParserError::toErrorObject.
1783         
1784         No new tests here as this was already caught by our iOS JSC testers.
1785
1786         * parser/ParserError.h:
1787         (JSC::ParserError::toErrorObject):
1788
1789 2018-07-04  Tim Horton  <timothy_horton@apple.com>
1790
1791         Introduce PLATFORM(IOSMAC)
1792         https://bugs.webkit.org/show_bug.cgi?id=187315
1793
1794         Reviewed by Dan Bernstein.
1795
1796         * Configurations/Base.xcconfig:
1797         * Configurations/FeatureDefines.xcconfig:
1798
1799 2018-07-03  Mark Lam  <mark.lam@apple.com>
1800
1801         [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
1802         https://bugs.webkit.org/show_bug.cgi?id=187255
1803         <rdar://problem/41785257>
1804
1805         Reviewed by Saam Barati.
1806
1807         The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
1808         too: basically, do what the 64-bit code is doing.  At present, this change only
1809         serves to pacify an assertion.  It is not needed for correctness because the
1810         concurrent GC is not used on 32-bit builds.
1811
1812         This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
1813         test.
1814
1815         * jit/JITOpcodes32_64.cpp:
1816         (JSC::JIT::emit_op_create_this):
1817
1818 2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1819
1820         [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
1821         https://bugs.webkit.org/show_bug.cgi?id=187290
1822
1823         Reviewed by Saam Barati.
1824
1825         slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
1826         we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
1827         is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
1828         easily calculated from JSType.
1829         This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.
1830
1831         * runtime/ClassInfo.h:
1832         * runtime/JSArrayBufferView.cpp:
1833         (JSC::elementSize):
1834         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
1835         * runtime/JSArrayBufferView.h:
1836         * runtime/JSArrayBufferViewInlines.h:
1837         (JSC::JSArrayBufferView::possiblySharedBuffer):
1838         * runtime/JSCell.cpp:
1839         (JSC::JSCell::slowDownAndWasteMemory): Deleted.
1840         * runtime/JSCell.h:
1841         * runtime/JSDataView.cpp:
1842         (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
1843         * runtime/JSDataView.h:
1844         * runtime/JSGenericTypedArrayView.h:
1845         * runtime/JSGenericTypedArrayViewInlines.h:
1846         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.
1847
1848 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1849
1850         Regular expressions with ".?" expressions at the start and the end match the entire string
1851         https://bugs.webkit.org/show_bug.cgi?id=119191
1852
1853         Reviewed by Michael Saboff.
1854
1855         r90962 optimized regular expressions in the form of /.*abc.*/ by looking
1856         for "abc" first and then processing the leading and trailing dot stars
1857         to find the beginning and the end of the match. However, it erroneously
1858         enabled this optimization for regular expressions whose leading or
1859         trailing dots had quantifiers that were not of arbitrary length, e.g.,
1860         /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
1861         match the entire string when it shouldn't. This patch disables the
1862         optimization for those cases.
1863
1864         * yarr/YarrPattern.cpp:
1865         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
1866
1867 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1868
1869         RegExp.exec returns wrong value with a long integer quantifier
1870         https://bugs.webkit.org/show_bug.cgi?id=187042
1871
1872         Reviewed by Saam Barati.
1873
1874         Prior to this patch, the Yarr parser checked for integer overflow when
1875         parsing quantifiers in regular expressions by adding one digit at a time
1876         to a number and checking if the result got larger. This is wrong: the
1877         The parser would fail to detect overflow when parsing, for example,
1878         10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.
1879
1880         Another issue was that once it detected overflow, it stopped consuming
1881         the remaining digits. Since it didn't find the closing bracket, it
1882         parsed the quantifier as a normal string instead.
1883
1884         This patch fixes these issues by reading all the digits and checking for
1885         overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
1886         returns the largest possible value (quantifyInfinite in this case). This
1887         matches Chrome [1], Firefox [2], and Edge [3].
1888
1889         [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
1890         [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
1891         [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149
1892
1893         * yarr/YarrParser.h:
1894         (JSC::Yarr::Parser::consumeNumber):
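
         Worked illustration of the two problems this entry describes, added here as an
         example; it is not JavaScriptCore's YarrParser code. consumeNumberNaive reconstructs
         the pre-patch behaviour from the description above rather than quoting the old code,
         CheckedUnsigned is a constructed stand-in for WTF's Checked<unsigned, RecordOverflow>,
         and quantifyInfinite is assumed to be the largest unsigned value (the real sentinel
         may differ). The inputs are constructed: the entry's 10,000,000,003 case, a value that
         wraps to exactly zero, and an ordinary small count.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <string>

// Assumed stand-in for Yarr's "unbounded" quantifier sentinel: the largest unsigned value.
static const unsigned quantifyInfinite = std::numeric_limits<unsigned>::max();

static bool isAsciiDigit(char c)
{
    return std::isdigit(static_cast<unsigned char>(c)) != 0;
}

// Reconstruction of the pre-patch approach (not the original code): accumulate one
// digit at a time with wrapping unsigned arithmetic, treat "the result got smaller"
// as the overflow signal, and stop consuming digits as soon as that happens.
unsigned consumeNumberNaive(const std::string& s, size_t& pos)
{
    unsigned n = 0;
    while (pos < s.size() && isAsciiDigit(s[pos])) {
        unsigned next = n * 10 + static_cast<unsigned>(s[pos] - '0'); // wraps modulo 2^32
        if (next < n)
            return n; // "overflow detected": the remaining digits are left unconsumed
        n = next;
        ++pos;
    }
    return n;
}

// Constructed stand-in for WTF's Checked<unsigned, RecordOverflow>: arithmetic records
// that an overflow happened instead of silently wrapping.
struct CheckedUnsigned {
    unsigned value = 0;
    bool overflowed = false;

    void mulAdd(unsigned factor, unsigned addend)
    {
        // Widen to 64 bits so the intermediate cannot wrap: UINT_MAX * 10 + 9 fits in a uint64_t.
        uint64_t wide = static_cast<uint64_t>(value) * factor + addend;
        if (wide > std::numeric_limits<unsigned>::max())
            overflowed = true;
        value = static_cast<unsigned>(wide);
    }
};

// Post-patch approach: read every digit, record overflow exactly, and saturate to
// quantifyInfinite instead of returning a wrapped value.
unsigned consumeNumberChecked(const std::string& s, size_t& pos)
{
    CheckedUnsigned n;
    while (pos < s.size() && isAsciiDigit(s[pos])) {
        n.mulAdd(10, static_cast<unsigned>(s[pos] - '0'));
        ++pos; // always advance, so the caller still finds the closing brace
    }
    return n.overflowed ? quantifyInfinite : n.value;
}

// Parses a "{N}" quantifier at the start of `text` with the supplied digit consumer.
// Returns true only if a closing '}' immediately follows the consumed digits; a false
// return is the case where the parser falls back to treating the text as literal characters.
bool parseBraceQuantifier(const std::string& text, unsigned (*consume)(const std::string&, size_t&), unsigned& out)
{
    size_t pos = 0;
    if (text.empty() || text[pos] != '{')
        return false;
    ++pos;
    out = consume(text, pos);
    return pos < text.size() && text[pos] == '}';
}

int main()
{
    // Constructed inputs: the entry's 10,000,000,003 example, a value that wraps to exactly 0, and a small count.
    const char* samples[] = { "{10000000003}", "{4294967296}", "{42}" };
    for (const char* sample : samples) {
        unsigned naive = 0, checked = 0;
        bool naiveOk = parseBraceQuantifier(sample, consumeNumberNaive, naive);
        bool checkedOk = parseBraceQuantifier(sample, consumeNumberChecked, checked);
        std::printf("%-16s naive: %s %u   checked: %s %u\n", sample,
            naiveOk ? "ok " : "bad", naive, checkedOk ? "ok " : "bad", checked);
    }
    return 0;
}
```

         The first sample shows the silent wrap (the naive parser accepts 1410065411 as the
         count), the second shows the naive parser stopping before the closing brace so the
         quantifier degrades to literal text, and the checked parser handles both by consuming
         every digit and saturating to quantifyInfinite.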
1895
1896 2018-07-02  Keith Miller  <keith_miller@apple.com>
1897
1898         InstanceOf IC should do generic if the prototype is not an object.
1899         https://bugs.webkit.org/show_bug.cgi?id=187250
1900
1901         Reviewed by Mark Lam.
1902
1903         The old code was wrong for two reasons. First, the AccessCase expected that
1904         the prototype value would be non-null. Second, we would end up returning
1905         false instead of throwing an exception.
1906
1907         * jit/Repatch.cpp:
1908         (JSC::tryCacheInstanceOf):
1909
1910 2018-07-01  Mark Lam  <mark.lam@apple.com>
1911
1912         Builtins and host functions should get their own structures.
1913         https://bugs.webkit.org/show_bug.cgi?id=187211
1914         <rdar://problem/41646336>
1915
1916         Reviewed by Saam Barati.
1917
1918         JSFunctions do lazy reification of properties, but ordinary functions apply
1919         different rules of property reification than builtin and host functions.  Hence,
1920         we should give builtins and host functions their own structures.
1921
1922         * runtime/JSFunction.cpp:
1923         (JSC::JSFunction::selectStructureForNewFuncExp):
1924         (JSC::JSFunction::create):
1925         (JSC::JSFunction::getOwnPropertySlot):
1926         * runtime/JSGlobalObject.cpp:
1927         (JSC::JSGlobalObject::init):
1928         (JSC::JSGlobalObject::visitChildren):
1929         * runtime/JSGlobalObject.h:
1930         (JSC::JSGlobalObject::hostFunctionStructure const):
1931         (JSC::JSGlobalObject::arrowFunctionStructure const):
1932         (JSC::JSGlobalObject::sloppyFunctionStructure const):
1933         (JSC::JSGlobalObject::strictFunctionStructure const):
1934
1935 2018-07-01  David Kilzer  <ddkilzer@apple.com>
1936
1937         JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
1938         <https://webkit.org/b/187233>
1939
1940         Reviewed by Mark Lam.
1941
1942         * b3/air/AirEliminateDeadCode.cpp:
1943         (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
1944         * parser/ParserTokens.h:
1945         (JSC::JSTextPosition::JSTextPosition): Add struct member
1946         initialization. Simplify default constructor.
1947         (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
1948         union to the beginning to make it easy to zero out all fields.
1949         (JSC::JSTokenLocation::JSTokenLocation): Add struct member
1950         initialization.  Simplify default constructor.  Note that
1951         `endOffset` was not being initialized previously.
1952         (JSC::JSTextPosition::JSToken): Add struct member initialization
1953         where necessary.
1954         * runtime/IntlObject.cpp:
1955         (JSC::MatcherResult): Add struct member initialization.
1956
1957 2018-06-23  Darin Adler  <darin@apple.com>
1958
1959         [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
1960         https://bugs.webkit.org/show_bug.cgi?id=186973
1961
1962         Reviewed by Dan Bernstein.
1963
1964         * API/JSContext.mm:
1965         (WeakContextRef::WeakContextRef): Deleted.
1966         (WeakContextRef::~WeakContextRef): Deleted.
1967         (WeakContextRef::get): Deleted.
1968         (WeakContextRef::set): Deleted.
1969
1970         * API/JSContextInternal.h: Removed unneeded header guards since this is
1971         an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
1972         of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
1973         since neither is used outside the class implementation.
1974
1975         * API/JSManagedValue.mm:
1976         (-[JSManagedValue initWithValue:]): Use a bridging cast.
1977         (-[JSManagedValue dealloc]): Ditto.
1978         (-[JSManagedValue didAddOwner:]): Ditto.
1979         (-[JSManagedValue didRemoveOwner:]): Ditto.
1980         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
1981         (JSManagedValueHandleOwner::finalize): Ditto.
1982         * API/JSValue.mm:
1983         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
1984         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
1985         (-[JSValue valueForProperty:]): Ditto.
1986         (-[JSValue setValue:forProperty:]): Ditto.
1987         (-[JSValue deleteProperty:]): Ditto.
1988         (-[JSValue hasProperty:]): Ditto.
1989         (-[JSValue invokeMethod:withArguments:]): Ditto.
1990         (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
1991         (valueToArray): Ditto.
1992         (valueToDictionary): Ditto.
1993         (objectToValueWithoutCopy): Ditto.
1994         (objectToValue): Ditto.
1995         * API/JSVirtualMachine.mm:
1996         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
1997         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
1998         (-[JSVirtualMachine isOldExternalObject:]): Ditto.
1999         (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
2000         (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
2001         (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
2002         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
2003         (scanExternalObjectGraph): Ditto.
2004         (scanExternalRememberedSet): Ditto.
2005         * API/JSWrapperMap.mm:
2006         (makeWrapper): Ditto.
2007         (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
2008         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
2009         (tryUnwrapObjcObject): Ditto.
2010         * API/ObjCCallbackFunction.mm:
2011         (blockSignatureContainsClass): Ditto.
2012         (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
2013         sure we will be keeping this the same way under ARC.
2014         (objCCallbackFunctionForBlock): Use a bridging cast.
2015
2016         * API/ObjcRuntimeExtras.h:
2017         (protocolImplementsProtocol): Use a more specific type that includes the
2018         explicit __unsafe_unretained for copied protocol lists.
2019         (forEachProtocolImplementingProtocol): Ditto.
2020
2021         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2022         (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
2023         (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.
2024
2025         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
2026         CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
2027         (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
2028         (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
2029         (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.
2030
2031 2018-06-30  Adam Barth  <abarth@webkit.org>
2032
2033         Port JavaScriptCore to OS(FUCHSIA)
2034         https://bugs.webkit.org/show_bug.cgi?id=187223
2035
2036         Reviewed by Daniel Bates.
2037
2038         * assembler/ARM64Assembler.h:
2039         (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
2040         * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
2041         (JSC::MachineContext::stackPointerImpl):
2042         (JSC::MachineContext::framePointerImpl):
2043         (JSC::MachineContext::instructionPointerImpl):
2044         (JSC::MachineContext::argumentPointer<1>):
2045         (JSC::MachineContext::llintInstructionPointer):
2046
2047 2018-06-30  David Kilzer  <ddkilzer@apple.com>
2048
2049         Fix clang static analyzer warnings: Garbage return value
2050         <https://webkit.org/b/187224>
2051
2052         Reviewed by Eric Carlson.
2053
2054         * bytecode/UnlinkedCodeBlock.cpp:
2055         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
2056         - Use brace initialization for local variables.
2057         * debugger/DebuggerCallFrame.cpp:
2058         (class JSC::LineAndColumnFunctor):
2059         - Use class member initialization for member variables.
2060
2061 2018-06-29  Saam Barati  <sbarati@apple.com>
2062
2063         Unreviewed. Try to fix Windows build after r233377
2064
2065         * builtins/BuiltinExecutables.cpp:
2066         (JSC::BuiltinExecutables::createExecutable):
2067
2068 2018-06-29  Saam Barati  <sbarati@apple.com>
2069
2070         Don't use tracePoints in JS/Wasm entry
2071         https://bugs.webkit.org/show_bug.cgi?id=187196
2072
2073         Reviewed by Mark Lam.
2074
2075         This puts VM entry and Wasm entry tracePoints behind a runtime
2076         option. This is a ~4x speedup on a soon to be released Wasm
2077         benchmark. tracePoints should basically never run more than 50
2078         times a second. Entering the VM and entering Wasm are user controlled,
2079         and can happen hundreds of thousands of times in a second. Depending
2080         on how the Wasm/JS code is structured, this can be disastrous for
2081         performance.
2082
2083         * runtime/Options.h:
2084         * runtime/VMEntryScope.cpp:
2085         (JSC::VMEntryScope::VMEntryScope):
2086         (JSC::VMEntryScope::~VMEntryScope):
2087         * wasm/WasmBBQPlan.cpp:
2088         (JSC::Wasm::BBQPlan::compileFunctions):
2089         * wasm/js/WebAssemblyFunction.cpp:
2090         (JSC::callWebAssemblyFunction):
2091
2092 2018-06-29  Saam Barati  <sbarati@apple.com>
2093
2094         We shouldn't recurse into the parser when gathering metadata about various function offsets
2095         https://bugs.webkit.org/show_bug.cgi?id=184074
2096         <rdar://problem/37165897>
2097
2098         Reviewed by Mark Lam.
2099
2100         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
2101         for that builtin. This required calling into the parser. However, the parser
2102         may throw a stack overflow. We were not able to recover from that. The only
2103         reason we called into the parser here is that we were gathering text offsets
2104         and various metadata for things in the builtin function. This patch writes a
2105         mini parser that figures this information out without calling into the full
2106         parser. (I've also added a debug assert that verifies the mini parser stays in
2107         sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
2108         always succeeds.
2109
2110         * builtins/AsyncFromSyncIteratorPrototype.js:
2111         (globalPrivate.createAsyncFromSyncIterator):
2112         (globalPrivate.AsyncFromSyncIteratorConstructor):
2113         * builtins/BuiltinExecutables.cpp:
2114         (JSC::BuiltinExecutables::createExecutable):
2115         * builtins/GlobalOperations.js:
2116         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
2117         (globalPrivate.speciesConstructor):
2118         (globalPrivate.copyDataProperties):
2119         (globalPrivate.copyDataPropertiesNoExclusions):
2120         * builtins/PromiseOperations.js:
2121         (globalPrivate.newHandledRejectedPromise):
2122         * builtins/RegExpPrototype.js:
2123         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
2124         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
2125         * builtins/StringPrototype.js:
2126         (globalPrivate.hasObservableSideEffectsForStringReplace):
2127         (globalPrivate.getDefaultCollator):
2128         * parser/Nodes.cpp:
2129         (JSC::FunctionMetadataNode::FunctionMetadataNode):
2130         (JSC::FunctionMetadataNode::operator== const):
2131         (JSC::FunctionMetadataNode::dump const):
2132         * parser/Nodes.h:
2133         * parser/Parser.h:
2134         (JSC::parse):
2135         * parser/ParserError.h:
2136         (JSC::ParserError::type const):
2137         * parser/ParserTokens.h:
2138         (JSC::JSTextPosition::operator== const):
2139         (JSC::JSTextPosition::operator!= const):
2140         * parser/SourceCode.h:
2141         (JSC::SourceCode::operator== const):
2142         (JSC::SourceCode::operator!= const):
2143         (JSC::SourceCode::subExpression const):
2144         (JSC::SourceCode::subExpression): Deleted.
2145
2146 2018-06-28  Michael Saboff  <msaboff@apple.com>
2147
2148         IsoCellSet::sweepToFreeList() not safe when Full GC in process
2149         https://bugs.webkit.org/show_bug.cgi?id=187157
2150
2151         Reviewed by Mark Lam.
2152
2153         * heap/IsoCellSet.cpp:
2154         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
2155         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
2156         or not we are in the process of marking during a full GC.
2157         * heap/MarkedBlock.h:
2158         * heap/MarkedBlockInlines.h:
2159         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
2160
2161 2018-06-27  Saam Barati  <sbarati@apple.com>
2162
2163         Add some more register state information when we crash in repatchPutById
2164         https://bugs.webkit.org/show_bug.cgi?id=187112
2165
2166         Reviewed by Mark Lam.
2167
2168         This will help us gather info when we end up seeing an ObjectPropertyConditionSet
2169         with an offset that is different than what the put tells us.
2170
2171         * jit/Repatch.cpp:
2172         (JSC::tryCachePutByID):
2173
2174 2018-06-27  Mark Lam  <mark.lam@apple.com>
2175
2176         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
2177         https://bugs.webkit.org/show_bug.cgi?id=187119
2178
2179         Reviewed by Keith Miller.
2180
2181         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
2182         should be checking for codeBlock instead of !codeBlock
2183         before using the codeBlock.
2184
2185         I also renamed some other "print" functions to use "dump" instead
2186         to match the underlying C++ code that they call, e.g.
2187         CodeBlock::dumpSource().
2188
2189         * tools/JSDollarVM.cpp:
2190         (WTF::JSDollarVMCallFrame::finishCreation):
2191         (JSC::functionDumpSourceFor):
2192         (JSC::functionDumpBytecodeFor):
2193         (JSC::doPrint):
2194         (JSC::functionDataLog):
2195         (JSC::functionPrint):
2196         (JSC::functionDumpCallFrame):
2197         (JSC::functionDumpStack):
2198         (JSC::JSDollarVM::finishCreation):
2199         (JSC::functionPrintSourceFor): Deleted.
2200         (JSC::functionPrintBytecodeFor): Deleted.
2201         (JSC::doPrintln): Deleted.
2202         (JSC::functionPrintln): Deleted.
2203         (JSC::functionPrintCallFrame): Deleted.
2204         (JSC::functionPrintStack): Deleted.
2205         * tools/VMInspector.cpp:
2206         (JSC::DumpFrameFunctor::DumpFrameFunctor):
2207         (JSC::DumpFrameFunctor::operator() const):
2208         (JSC::VMInspector::dumpCallFrame):
2209         (JSC::VMInspector::dumpStack):
2210         (JSC::VMInspector::dumpValue):
2211         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
2212         (JSC::PrintFrameFunctor::operator() const): Deleted.
2213         (JSC::VMInspector::printCallFrame): Deleted.
2214         (JSC::VMInspector::printStack): Deleted.
2215         (JSC::VMInspector::printValue): Deleted.
2216         * tools/VMInspector.h:
2217
2218 2018-06-27  Keith Miller  <keith_miller@apple.com>
2219
2220         Add logging to try to diagnose where we get a null structure.
2221         https://bugs.webkit.org/show_bug.cgi?id=187106
2222
2223         Reviewed by Mark Lam.
2224
2225         Add logging to JSObject::toPrimitive to help diagnose a nullptr
2226         structure crash.
2227
2228         This code should be removed when we fix <rdar://problem/33451840>.
2229
2230         * runtime/JSObject.cpp:
2231         (JSC::callToPrimitiveFunction):
2232         * runtime/JSObject.h:
2233         (JSC::JSObject::getPropertySlot):
2234
2235 2018-06-27  Mark Lam  <mark.lam@apple.com>
2236
2237         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
2238         https://bugs.webkit.org/show_bug.cgi?id=187091
2239         <rdar://problem/41395624>
2240
2241         Reviewed by Yusuke Suzuki.
2242
2243         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
2244         took their slow paths, the slow path would jump back to the fast path right after
2245         the emitted code which clears the unused property values.  As a result, the
2246         unused properties are not initialized.  We've fixed this by adding the slow path
2247         generators before we emit the code to clear the unused properties.
2248
2249         * dfg/DFGSpeculativeJIT.cpp:
2250         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2251         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2252
2253 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2254
2255         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
2256         https://bugs.webkit.org/show_bug.cgi?id=185943
2257
2258         Reviewed by Mark Lam.
2259
2260         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
2261         the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
2262         the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
2263         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
2264
2265         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
2266         but it should be done in a separate patch since it would be performance sensitive.
2267
2268         * bytecompiler/NodesCodegen.cpp:
2269         (JSC::ArrayPatternNode::emitDirectBinding):
2270
2271 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2272
2273         [JSC] Pass VM& to functions more
2274         https://bugs.webkit.org/show_bug.cgi?id=186241
2275
2276         Reviewed by Mark Lam.
2277
2278         This patch threads VM& to functions requiring VM& more.
2279
2280         * API/JSObjectRef.cpp:
2281         (JSObjectIsConstructor):
2282         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2283         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
2284         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2285         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
2286         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
2287         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2288         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
2289         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
2290         * bytecode/CodeBlockJettisoningWatchpoint.h:
2291         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2292         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
2293         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2294         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2295         * bytecode/StructureStubClearingWatchpoint.cpp:
2296         (JSC::StructureStubClearingWatchpoint::fireInternal):
2297         * bytecode/StructureStubClearingWatchpoint.h:
2298         * bytecode/Watchpoint.cpp:
2299         (JSC::Watchpoint::fire):
2300         (JSC::WatchpointSet::fireAllWatchpoints):
2301         * bytecode/Watchpoint.h:
2302         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2303         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
2304         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
2305         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2306         (JSC::DFG::AdaptiveStructureWatchpoint::install):
2307         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2308         * dfg/DFGAdaptiveStructureWatchpoint.h:
2309         * dfg/DFGDesiredWatchpoints.cpp:
2310         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
2311         * llint/LLIntSlowPaths.cpp:
2312         (JSC::LLInt::setupGetByIdPrototypeCache):
2313         * runtime/ArrayPrototype.cpp:
2314         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
2315         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2316         * runtime/ECMAScriptSpecInternalFunctions.cpp:
2317         (JSC::esSpecIsConstructor):
2318         * runtime/FunctionRareData.cpp:
2319         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
2320         * runtime/FunctionRareData.h:
2321         * runtime/InferredStructureWatchpoint.cpp:
2322         (JSC::InferredStructureWatchpoint::fireInternal):
2323         * runtime/InferredStructureWatchpoint.h:
2324         * runtime/InternalFunction.cpp:
2325         (JSC::InternalFunction::createSubclassStructureSlow):
2326         * runtime/InternalFunction.h:
2327         (JSC::InternalFunction::createSubclassStructure):
2328         * runtime/JSCJSValue.h:
2329         * runtime/JSCJSValueInlines.h:
2330         (JSC::JSValue::isConstructor const):
2331         * runtime/JSCell.h:
2332         * runtime/JSCellInlines.h:
2333         (JSC::JSCell::isConstructor):
2334         (JSC::JSCell::methodTable const):
2335         * runtime/JSGlobalObject.cpp:
2336         (JSC::JSGlobalObject::init):
2337         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
2338         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
2339         * runtime/ProxyObject.cpp:
2340         (JSC::ProxyObject::finishCreation):
2341         * runtime/ReflectObject.cpp:
2342         (JSC::reflectObjectConstruct):
2343         * runtime/StructureRareData.cpp:
2344         (JSC::StructureRareData::setObjectToStringValue):
2345         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
2346         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2347         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
2348
2349 2018-06-26  Mark Lam  <mark.lam@apple.com>
2350
2351         eval() is wrong about the LiteralParser never throwing any exceptions.
2352         https://bugs.webkit.org/show_bug.cgi?id=187074
2353         <rdar://problem/41461099>
2354
2355         Reviewed by Saam Barati.
2356
2357         Added the missing exception check, and removed an erroneous assertion.
2358
2359         * interpreter/Interpreter.cpp:
2360         (JSC::eval):
2361
2362 2018-06-26  Saam Barati  <sbarati@apple.com>
2363
2364         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
2365         https://bugs.webkit.org/show_bug.cgi?id=186878
2366         <rdar://problem/40568659>
2367
2368         Reviewed by Filip Pizlo.
2369
2370         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
2371         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
2372         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
2373         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
2374         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
2375         the conservative scan knows to treat it like a butterfly when we may be
2376         pointing into the middle of it.
2377
2378         The way we were crashing on the stress GC bots is that our conservative marking
2379         won't do cell visiting for things that are Auxiliary. This meant that if the
2380         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
2381         that JSImmutableButterfly would not be visited. This is now fixed.
2382
2383         * bytecompiler/NodesCodegen.cpp:
2384         (JSC::ArrayNode::emitBytecode):
2385         * debugger/Debugger.cpp:
2386         * heap/ConservativeRoots.cpp:
2387         (JSC::ConservativeRoots::genericAddPointer):
2388         * heap/Heap.cpp:
2389         (JSC::GatherHeapSnapshotData::operator() const):
2390         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
2391         (JSC::Heap::globalObjectCount):
2392         (JSC::Heap::objectTypeCounts):
2393         (JSC::Heap::deleteAllCodeBlocks):
2394         * heap/HeapCell.cpp:
2395         (WTF::printInternal):
2396         * heap/HeapCell.h:
2397         (JSC::isJSCellKind):
2398         (JSC::hasInteriorPointers):
2399         * heap/HeapUtil.h:
2400         (JSC::HeapUtil::findGCObjectPointersForMarking):
2401         (JSC::HeapUtil::isPointerGCObjectJSCell):
2402         * heap/MarkedBlock.cpp:
2403         (JSC::MarkedBlock::Handle::didAddToDirectory):
2404         * heap/SlotVisitor.cpp:
2405         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
2406         * runtime/JSGlobalObject.cpp:
2407         * runtime/JSImmutableButterfly.h:
2408         (JSC::JSImmutableButterfly::subspaceFor):
2409         * runtime/VM.cpp:
2410         (JSC::VM::VM):
2411         * runtime/VM.h:
2412         * tools/CellProfile.h:
2413         (JSC::CellProfile::CellProfile):
2414         (JSC::CellProfile::isJSCell const):
2415         * tools/HeapVerifier.cpp:
2416         (JSC::HeapVerifier::validateCell):
2417
2418 2018-06-26  Mark Lam  <mark.lam@apple.com>
2419
2420         Skip some unnecessary work in Interpreter::getStackTrace().
2421         https://bugs.webkit.org/show_bug.cgi?id=187070
2422
2423         Reviewed by Michael Saboff.
2424
2425         * interpreter/Interpreter.cpp:
2426         (JSC::Interpreter::getStackTrace):
2427
2428 2018-06-26  Mark Lam  <mark.lam@apple.com>
2429
2430         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
2431         https://bugs.webkit.org/show_bug.cgi?id=187060
2432         <rdar://problem/41452767>
2433
2434         Reviewed by Keith Miller.
2435
2436         JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
2437         write conversion.  Hence, we can return early after the conversion if the vector
2438         length is already sufficient to cover the requested length.
2439
2440         * runtime/JSObject.cpp:
2441         (JSC::JSObject::ensureLengthSlow):
2442
2443 2018-06-26  Commit Queue  <commit-queue@webkit.org>
2444
2445         Unreviewed, rolling out r233184.
2446         https://bugs.webkit.org/show_bug.cgi?id=187059
2447
2448         "It regressed JetStream between 5-8%" (Requested by saamyjoon
2449         on #webkit).
2450
2451         Reverted changeset:
2452
2453         "JSImmutableButterfly can't be allocated from a subspace with
2454         HeapCell::Kind::Auxiliary"
2455         https://bugs.webkit.org/show_bug.cgi?id=186878
2456         https://trac.webkit.org/changeset/233184
2457
2458 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2459
2460         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
2461         https://bugs.webkit.org/show_bug.cgi?id=187051
2462
2463         Reviewed by Mark Lam.
2464
2465         Revert the r233065 changes to UnlinkedCodeBlock.h so that clang-3.8
2466         (with libstdc++-5) can compile it again.
2467
2468         * bytecode/UnlinkedCodeBlock.h:
2469         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
2470
2471 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
2472
2473         Fix testapi build when DFG_JIT is disabled
2474         https://bugs.webkit.org/show_bug.cgi?id=187038
2475
2476         Reviewed by Mark Lam.
2477
2478         r233158 added a new API and tests for configuring the number of JIT threads, but
2479         the API is only available when DFG_JIT is enabled, and so should the tests be.
2480
2481         * API/tests/testapi.mm:
2482         (runJITThreadLimitTests):
2483
2484 2018-06-25  Saam Barati  <sbarati@apple.com>
2485
2486         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
2487         https://bugs.webkit.org/show_bug.cgi?id=186878
2488         <rdar://problem/40568659>
2489
2490         Reviewed by Mark Lam.
2491
2492         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
2493         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
2494         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
2495         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
2496         bots is that our conservative marking won't do cell marking for things that
2497         are Auxiliary. This means that if the stack is the only thing pointing to a
2498         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
2499         not be visited. This patch fixes this bug. This patch also extends our conservative
2500         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
2501
2502         * bytecompiler/NodesCodegen.cpp:
2503         (JSC::ArrayNode::emitBytecode):
2504         * heap/HeapUtil.h:
2505         (JSC::HeapUtil::findGCObjectPointersForMarking):
2506         * runtime/JSImmutableButterfly.h:
2507         (JSC::JSImmutableButterfly::subspaceFor):
2508
2509 2018-06-25  Mark Lam  <mark.lam@apple.com>
2510
2511         constructArray() should set m_numValuesInVector to the specified length.
2512         https://bugs.webkit.org/show_bug.cgi?id=187010
2513         <rdar://problem/41392167>
2514
2515         Reviewed by Filip Pizlo.
2516
2517         Its client will fill in the storage vector with some values using initializeIndex()
2518         and expects m_numValuesInVector to be set to the length i.e. the number of values
2519         to be initialized.
2520
2521         * runtime/JSArray.cpp:
2522         (JSC::constructArray):
2523
2524 2018-06-25  Mark Lam  <mark.lam@apple.com>
2525
2526         Add missing exception check in RegExpObjectInlines.h's collectMatches.
2527         https://bugs.webkit.org/show_bug.cgi?id=187006
2528         <rdar://problem/41418412>
2529
2530         Reviewed by Keith Miller.
2531
2532         * runtime/RegExpObjectInlines.h:
2533         (JSC::collectMatches):
2534
2535 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
2536
2537         Add API for configuring the number of threads used by DFG and FTL
2538         https://bugs.webkit.org/show_bug.cgi?id=186859
2539         <rdar://problem/41093519>
2540
2541         Reviewed by Filip Pizlo.
2542
2543         Add new private APIs for limiting the number of threads to be used by
2544         the DFG and FTL compilers. It was already possible to configure the
2545         limit through JSC Options, but now it can be changed at runtime, even
2546         in the case when the VM is already running.
2547
2548         Add a test for both cases: when trying to configure the limit before
2549         and after the Worklist has been created, but in order to simulate the
2550         first scenario, we must guarantee that the test runs at the very
2551         beginning, so I also added a check for that.
2552
2553         * API/JSVirtualMachine.mm:
2554         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
2555         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
2556         * API/JSVirtualMachinePrivate.h:
2557         * API/tests/testapi.mm:
2558         (runJITThreadLimitTests):
2559         (testObjectiveCAPIMain):
2560         * dfg/DFGWorklist.cpp:
2561         (JSC::DFG::Worklist::finishCreation):
2562         (JSC::DFG::Worklist::createNewThread):
2563         (JSC::DFG::Worklist::setNumberOfThreads):
2564         * dfg/DFGWorklist.h:
2565
2566 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2567
2568         [JSC] Remove unnecessary PLATFORM guards
2569         https://bugs.webkit.org/show_bug.cgi?id=186995
2570
2571         Reviewed by Mark Lam.
2572
2573         * assembler/AssemblerCommon.h:
2574         (JSC::isIOS):
2575         Add constexpr.
2576
2577         * inspector/JSGlobalObjectInspectorController.cpp:
2578         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2579         StackFrame works on all platforms. If StackFrame::demangle fails, it just
2580         returns std::nullopt, and that is correctly handled in this code.
2581
2582 2018-06-23  Mark Lam  <mark.lam@apple.com>
2583
2584         Add more debugging features to $vm.
2585         https://bugs.webkit.org/show_bug.cgi?id=186947
2586
2587         Reviewed by Keith Miller.
2588
2589         Adding the following features:
2590
2591             // We now have println in addition to print.
2592             // println automatically adds a '\n' at the end.
2593             $vm.println("Hello");
2594
2595             // We can now capture some info about a stack frame.
2596             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
2597             var callerCallerFrame = $vm.callFrame(2);
2598
2599             // We can inspect the following values associated with the frame:
2600             if (currentFrame.valid) {
2601                 $vm.println("name is ", currentFrame.name);
2602
2603                 // Note: For a WASM frame, all of these will be undefined.
2604                 $vm.println("callee is ", $vm.value(currentFrame.callee));
2605                 $vm.println("codeBlock is ", currentFrame.codeBlock);
2606                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
2607                 $vm.println("executable is ", currentFrame.executable);
2608             }
2609
2610             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
2611             // to dataLog its JSValue instead of its toString() result.
2612
2613             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
2614             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
2615             // toString on a non-object.
2616
2617             // Does what it says about enabling/disabling debugger mode.
2618             $vm.enableDebuggerModeWhenIdle();
2619             $vm.disableDebuggerModeWhenIdle();
2620
2621         * tools/JSDollarVM.cpp:
2622         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
2623         (WTF::JSDollarVMCallFrame::createStructure):
2624         (WTF::JSDollarVMCallFrame::create):
2625         (WTF::JSDollarVMCallFrame::finishCreation):
2626         (WTF::JSDollarVMCallFrame::addProperty):
2627         (JSC::functionCallFrame):
2628         (JSC::functionCodeBlockForFrame):
2629         (JSC::codeBlockFromArg):
2630         (JSC::doPrintln):
2631         (JSC::functionPrint):
2632         (JSC::functionPrintln):
2633         (JSC::changeDebuggerModeWhenIdle):
2634         (JSC::functionEnableDebuggerModeWhenIdle):
2635         (JSC::functionDisableDebuggerModeWhenIdle):
2636         (JSC::JSDollarVM::finishCreation):
2637
2638 2018-06-22  Keith Miller  <keith_miller@apple.com>
2639
2640         We need to have a getDirectConcurrently for use in the compilers
2641         https://bugs.webkit.org/show_bug.cgi?id=186954
2642
2643         Reviewed by Mark Lam.
2644
2645         It used to be that the propertyStorage of an object never shrank,
2646         so if you called getDirect with some offset it would never be an
2647         OOB read. However, this property storage can shrink when calling
2648         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
2649         holds the Structure's ConcurrentJSLock while shrinking. This patch
2650         adds a getDirectConcurrently that will safely try to load from the
2651         butterfly.
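        The hazard described above, as an added, simplified model (this is not
        JSC's code and does not reproduce the real getDirectConcurrently signature):
        a std::mutex stands in for the Structure's ConcurrentJSLock, a std::vector
        stands in for the butterfly's property slots, and flatten() stands in for
        flattenDictionaryStructure(). The unchecked getDirect() is what a compiler
        thread must not use, because the offset it was handed may point past the
        end of storage that has since been compacted; the checked variant takes
        the same lock the shrink holds and reports a missing slot instead of
        reading out of bounds, so the caller can give up on the speculation.

```cpp
#include <cstddef>
#include <cstdint>
#include <mutex>
#include <optional>
#include <vector>

// Simplified model (not JSC code) of an object whose out-of-line property
// storage can shrink while a concurrent compiler thread reads from it.
struct ModelObject {
    std::mutex structureLock;          // stands in for the Structure's ConcurrentJSLock
    std::vector<int64_t> storage;      // stands in for the butterfly's property slots

    explicit ModelObject(size_t slots) : storage(slots, 0) {}

    // Unsynchronized, unchecked read: the pre-patch getDirect() pattern.
    // Fine on the mutator thread, which never races its own shrink, but an
    // OOB read if a compiler thread calls it with an offset that a concurrent
    // flatten() has already dropped.
    int64_t getDirect(size_t offset) const { return storage[offset]; }

    // Checked read for concurrent callers: hold the lock the shrink holds,
    // then bounds-check the offset against the storage that is actually present.
    // std::nullopt means "slot no longer exists"; the caller must not speculate on it.
    std::optional<int64_t> getDirectConcurrently(size_t offset) {
        std::lock_guard<std::mutex> guard(structureLock);
        if (offset >= storage.size())
            return std::nullopt;
        return storage[offset];
    }

    // Models flattenDictionaryStructure(): compacts the slots under the lock,
    // so any reader that also takes the lock sees either the old or the new size.
    void flatten(size_t liveSlots) {
        std::lock_guard<std::mutex> guard(structureLock);
        storage.resize(liveSlots);
        storage.shrink_to_fit();
    }
};

// Models what a compiler phase (e.g. a tryGetConstantProperty-style helper) does
// with the result: the load may be folded to a constant only if the concurrent
// read succeeded; otherwise the phase gives up rather than guessing.
bool canFoldToConstant(ModelObject& object, size_t offset, int64_t& outValue) {
    std::optional<int64_t> value = object.getDirectConcurrently(offset);
    if (!value)
        return false;
    outValue = *value;
    return true;
}

int main() {
    ModelObject object(8);
    object.storage[7] = 42;          // mutator stores a property at slot 7

    int64_t folded = 0;
    bool ok = canFoldToConstant(object, 7, folded);   // true, folded == 42

    object.flatten(4);               // slots 4..7 are gone now
    ok = canFoldToConstant(object, 7, folded);        // false: no OOB read, no fold
    return ok ? 1 : 0;
}
```

        The point of returning std::optional rather than a sentinel value is that
        the compiler thread has no way to tell a legitimately stored sentinel from
        a vanished slot; the lock plus the explicit "absent" result is what turns a
        silent out-of-bounds read into a bail-out.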
2652
2653         * bytecode/ObjectPropertyConditionSet.cpp:
2654         * bytecode/PropertyCondition.cpp:
2655         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2656         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
2657         * dfg/DFGGraph.cpp:
2658         (JSC::DFG::Graph::tryGetConstantProperty):
2659         * runtime/JSObject.h:
2660         (JSC::JSObject::getDirectConcurrently const):
2661
2662 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2663
2664         [WTF] Use Ref<> for the result type of non-failing factory functions
2665         https://bugs.webkit.org/show_bug.cgi?id=186920
2666
2667         Reviewed by Darin Adler.
2668
2669         * dfg/DFGWorklist.cpp:
2670         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
2671         (JSC::DFG::Worklist::finishCreation):
2672         * dfg/DFGWorklist.h:
2673         * heap/Heap.cpp:
2674         (JSC::Heap::Thread::Thread):
2675         * heap/Heap.h:
2676         * jit/JITWorklist.cpp:
2677         (JSC::JITWorklist::Thread::Thread):
2678         * jit/JITWorklist.h:
2679         * runtime/VMTraps.cpp:
2680         * runtime/VMTraps.h:
2681         * wasm/WasmWorklist.cpp:
2682         * wasm/WasmWorklist.h:
2683
2684 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2685
2686         [WTF] Add user-defined literal for ASCIILiteral
2687         https://bugs.webkit.org/show_bug.cgi?id=186839
2688
2689         Reviewed by Darin Adler.
2690
2691         * API/JSCallbackObjectFunctions.h:
2692         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2693         (JSC::JSCallbackObject<Parent>::callbackGetter):
2694         * API/JSObjectRef.cpp:
2695         (JSObjectMakeFunctionWithCallback):
2696         * API/JSTypedArray.cpp:
2697         (JSObjectGetArrayBufferBytesPtr):
2698         * API/JSValue.mm:
2699         (valueToArray):
2700         (valueToDictionary):
2701         * API/ObjCCallbackFunction.mm:
2702         (JSC::objCCallbackFunctionCallAsFunction):
2703         (JSC::objCCallbackFunctionCallAsConstructor):
2704         (JSC::ObjCCallbackFunctionImpl::call):
2705         * API/glib/JSCCallbackFunction.cpp:
2706         (JSC::JSCCallbackFunction::call):
2707         (JSC::JSCCallbackFunction::construct):
2708         * API/glib/JSCContext.cpp:
2709         (jscContextJSValueToGValue):
2710         * API/glib/JSCValue.cpp:
2711         (jsc_value_object_define_property_accessor):
2712         (jscValueFunctionCreate):
2713         * builtins/BuiltinUtils.h:
2714         * bytecode/CodeBlock.cpp:
2715         (JSC::CodeBlock::nameForRegister):
2716         * bytecompiler/BytecodeGenerator.cpp:
2717         (JSC::BytecodeGenerator::emitEnumeration):
2718         (JSC::BytecodeGenerator::emitIteratorNext):
2719         (JSC::BytecodeGenerator::emitIteratorClose):
2720         (JSC::BytecodeGenerator::emitDelegateYield):
2721         * bytecompiler/NodesCodegen.cpp:
2722         (JSC::FunctionCallValueNode::emitBytecode):
2723         (JSC::PostfixNode::emitBytecode):
2724         (JSC::PrefixNode::emitBytecode):
2725         (JSC::AssignErrorNode::emitBytecode):
2726         (JSC::ForInNode::emitBytecode):
2727         (JSC::ForOfNode::emitBytecode):
2728         (JSC::ClassExprNode::emitBytecode):
2729         (JSC::ObjectPatternNode::bindValue const):
2730         * dfg/DFGDriver.cpp:
2731         (JSC::DFG::compileImpl):
2732         * dfg/DFGOperations.cpp:
2733         (JSC::DFG::newTypedArrayWithSize):
2734         * dfg/DFGStrengthReductionPhase.cpp:
2735         (JSC::DFG::StrengthReductionPhase::handleNode):
2736         * inspector/ConsoleMessage.cpp:
2737         (Inspector::ConsoleMessage::addToFrontend):
2738         (Inspector::ConsoleMessage::clear):
2739         * inspector/ContentSearchUtilities.cpp:
2740         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
2741         * inspector/InjectedScript.cpp:
2742         (Inspector::InjectedScript::InjectedScript):
2743         (Inspector::InjectedScript::evaluate):
2744         (Inspector::InjectedScript::callFunctionOn):
2745         (Inspector::InjectedScript::evaluateOnCallFrame):
2746         (Inspector::InjectedScript::getFunctionDetails):
2747         (Inspector::InjectedScript::functionDetails):
2748         (Inspector::InjectedScript::getPreview):
2749         (Inspector::InjectedScript::getProperties):
2750         (Inspector::InjectedScript::getDisplayableProperties):
2751         (Inspector::InjectedScript::getInternalProperties):
2752         (Inspector::InjectedScript::getCollectionEntries):
2753         (Inspector::InjectedScript::saveResult):
2754         (Inspector::InjectedScript::wrapCallFrames const):
2755         (Inspector::InjectedScript::wrapObject const):
2756         (Inspector::InjectedScript::wrapJSONString const):
2757         (Inspector::InjectedScript::wrapTable const):
2758         (Inspector::InjectedScript::previewValue const):
2759         (Inspector::InjectedScript::setExceptionValue):
2760         (Inspector::InjectedScript::clearExceptionValue):
2761         (Inspector::InjectedScript::findObjectById const):
2762         (Inspector::InjectedScript::inspectObject):
2763         (Inspector::InjectedScript::releaseObject):
2764         (Inspector::InjectedScript::releaseObjectGroup):
2765         * inspector/InjectedScriptBase.cpp:
2766         (Inspector::InjectedScriptBase::makeEvalCall):
2767         * inspector/InjectedScriptManager.cpp:
2768         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
2769         * inspector/InjectedScriptModule.cpp:
2770         (Inspector::InjectedScriptModule::ensureInjected):
2771         * inspector/InspectorBackendDispatcher.cpp:
2772         (Inspector::BackendDispatcher::dispatch):
2773         (Inspector::BackendDispatcher::sendResponse):
2774         (Inspector::BackendDispatcher::sendPendingErrors):
2775         * inspector/JSGlobalObjectConsoleClient.cpp:
2776         (Inspector::JSGlobalObjectConsoleClient::profile):
2777         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
2778         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
2779         * inspector/JSGlobalObjectInspectorController.cpp:
2780         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2781         * inspector/JSInjectedScriptHost.cpp:
2782         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
2783         (Inspector::JSInjectedScriptHost::subtype):
2784         (Inspector::JSInjectedScriptHost::getInternalProperties):
2785         * inspector/JSJavaScriptCallFrame.cpp:
2786         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
2787         (Inspector::JSJavaScriptCallFrame::type const):
2788         * inspector/ScriptArguments.cpp:
2789         (Inspector::ScriptArguments::getFirstArgumentAsString):
2790         * inspector/ScriptCallStackFactory.cpp:
2791         (Inspector::extractSourceInformationFromException):
2792         * inspector/agents/InspectorAgent.cpp:
2793         (Inspector::InspectorAgent::InspectorAgent):
2794         * inspector/agents/InspectorConsoleAgent.cpp:
2795         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
2796         (Inspector::InspectorConsoleAgent::clearMessages):
2797         (Inspector::InspectorConsoleAgent::count):
2798         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
2799         * inspector/agents/InspectorDebuggerAgent.cpp:
2800         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
2801         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
2802         (Inspector::buildObjectForBreakpointCookie):
2803         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
2804         (Inspector::parseLocation):
2805         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2806         (Inspector::InspectorDebuggerAgent::setBreakpoint):
2807         (Inspector::InspectorDebuggerAgent::continueToLocation):
2808         (Inspector::InspectorDebuggerAgent::searchInContent):
2809         (Inspector::InspectorDebuggerAgent::getScriptSource):
2810         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
2811         (Inspector::InspectorDebuggerAgent::resume):
2812         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
2813         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
2814         (Inspector::InspectorDebuggerAgent::didParseSource):
2815         (Inspector::InspectorDebuggerAgent::assertPaused):
2816         * inspector/agents/InspectorHeapAgent.cpp:
2817         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
2818         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
2819         (Inspector::InspectorHeapAgent::getPreview):
2820         (Inspector::InspectorHeapAgent::getRemoteObject):
2821         * inspector/agents/InspectorRuntimeAgent.cpp:
2822         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
2823         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2824         (Inspector::InspectorRuntimeAgent::getPreview):
2825         (Inspector::InspectorRuntimeAgent::getProperties):
2826         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2827         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2828         (Inspector::InspectorRuntimeAgent::saveResult):
2829         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2830         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
2831         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2832         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
2833         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2834         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
2835         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2836         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
2837         * inspector/scripts/codegen/cpp_generator_templates.py:
2838         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2839         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
2840         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2841         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2842         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2843         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2844         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2845         (CppProtocolTypesImplementationGenerator):
2846         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2847         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
2848         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
2849         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2850         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2851         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
2852         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2853         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
2854         * inspector/scripts/codegen/objc_generator_templates.py:
2855         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2856         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2857         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2858         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2859         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2860         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2861         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2862         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2863         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2864         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2865         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2866         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2867         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2868         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2869         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2870         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2871         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2872         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2873         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2874         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2875         * interpreter/CallFrame.cpp:
2876         (JSC::CallFrame::friendlyFunctionName):
2877         * interpreter/Interpreter.cpp:
2878         (JSC::Interpreter::execute):
2879         * interpreter/StackVisitor.cpp:
2880         (JSC::StackVisitor::Frame::functionName const):
2881         (JSC::StackVisitor::Frame::sourceURL const):
2882         * jit/JIT.cpp:
2883         (JSC::JIT::doMainThreadPreparationBeforeCompile):
2884         * jit/JITOperations.cpp:
2885         * jsc.cpp:
2886         (resolvePath):
2887         (GlobalObject::moduleLoaderImportModule):
2888         (GlobalObject::moduleLoaderResolve):
2889         (functionDescribeArray):
2890         (functionRun):
2891         (functionLoad):
2892         (functionCheckSyntax):
2893         (functionDollarEvalScript):
2894         (functionDollarAgentStart):
2895         (functionDollarAgentReceiveBroadcast):
2896         (functionDollarAgentBroadcast):
2897         (functionTransferArrayBuffer):
2898         (functionLoadModule):
2899         (functionSamplingProfilerStackTraces):
2900         (functionAsyncTestStart):
2901         (functionWebAssemblyMemoryMode):
2902         (runWithOptions):
2903         * parser/Lexer.cpp:
2904         (JSC::Lexer<T>::invalidCharacterMessage const):
2905         (JSC::Lexer<T>::parseString):
2906         (JSC::Lexer<T>::parseComplexEscape):
2907         (JSC::Lexer<T>::parseStringSlowCase):
2908         (JSC::Lexer<T>::parseTemplateLiteral):
2909         (JSC::Lexer<T>::lex):
2910         * parser/Parser.cpp:
2911         (JSC::Parser<LexerType>::parseInner):
2912         * parser/Parser.h:
2913         (JSC::Parser::setErrorMessage):
2914         * runtime/AbstractModuleRecord.cpp:
2915         (JSC::AbstractModuleRecord::finishCreation):
2916         * runtime/ArrayBuffer.cpp:
2917         (JSC::errorMesasgeForTransfer):
2918         * runtime/ArrayBufferSharingMode.h:
2919         (JSC::arrayBufferSharingModeName):
2920         * runtime/ArrayConstructor.cpp:
2921         (JSC::constructArrayWithSizeQuirk):
2922         (JSC::isArraySlowInline):
2923         * runtime/ArrayPrototype.cpp:
2924         (JSC::setLength):
2925         (JSC::shift):
2926         (JSC::unshift):
2927         (JSC::arrayProtoFuncPop):
2928         (JSC::arrayProtoFuncReverse):
2929         (JSC::arrayProtoFuncUnShift):
2930         * runtime/AtomicsObject.cpp:
2931         (JSC::atomicsFuncWait):
2932         (JSC::atomicsFuncWake):
2933         * runtime/BigIntConstructor.cpp:
2934         (JSC::BigIntConstructor::finishCreation):
2935         (JSC::toBigInt):
2936         (JSC::callBigIntConstructor):
2937         * runtime/BigIntObject.cpp:
2938         (JSC::BigIntObject::toStringName):
2939         * runtime/BigIntPrototype.cpp:
2940         (JSC::bigIntProtoFuncToString):
2941         (JSC::bigIntProtoFuncValueOf):
2942         * runtime/CommonSlowPaths.cpp:
2943         (JSC::SLOW_PATH_DECL):
2944         * runtime/ConsoleClient.cpp:
2945         (JSC::ConsoleClient::printConsoleMessageWithArguments):
2946         * runtime/ConsoleObject.cpp:
2947         (JSC::valueOrDefaultLabelString):
2948         (JSC::consoleProtoFuncTime):
2949         (JSC::consoleProtoFuncTimeEnd):
2950         * runtime/DatePrototype.cpp:
2951         (JSC::formatLocaleDate):
2952         (JSC::formateDateInstance):
2953         (JSC::DatePrototype::finishCreation):
2954         (JSC::dateProtoFuncToISOString):
2955         (JSC::dateProtoFuncToJSON):
2956         * runtime/Error.cpp:
2957         (JSC::createNotEnoughArgumentsError):
2958         (JSC::throwSyntaxError):
2959         (JSC::createTypeError):
2960         (JSC::createOutOfMemoryError):
2961         * runtime/Error.h:
2962         (JSC::throwVMError):
2963         * runtime/ErrorConstructor.cpp:
2964         (JSC::ErrorConstructor::finishCreation):
2965         * runtime/ErrorInstance.cpp:
2966         (JSC::ErrorInstance::sanitizedToString):
2967         * runtime/ErrorPrototype.cpp:
2968         (JSC::ErrorPrototype::finishCreation):
2969         (JSC::errorProtoFuncToString):
2970         * runtime/ExceptionFuzz.cpp:
2971         (JSC::doExceptionFuzzing):
2972         * runtime/ExceptionHelpers.cpp:
2973         (JSC::TerminatedExecutionError::defaultValue):
2974         (JSC::createStackOverflowError):
2975         (JSC::createNotAConstructorError):
2976         (JSC::createNotAFunctionError):
2977         (JSC::createNotAnObjectError):
2978         * runtime/GetterSetter.cpp:
2979         (JSC::callSetter):
2980         * runtime/IntlCollator.cpp:
2981         (JSC::sortLocaleData):
2982         (JSC::searchLocaleData):
2983         (JSC::IntlCollator::initializeCollator):
2984         (JSC::IntlCollator::compareStrings):
2985         (JSC::IntlCollator::usageString):
2986         (JSC::IntlCollator::sensitivityString):
2987         (JSC::IntlCollator::caseFirstString):
2988         (JSC::IntlCollator::resolvedOptions):
2989         * runtime/IntlCollator.h:
2990         * runtime/IntlCollatorConstructor.cpp:
2991         (JSC::IntlCollatorConstructor::finishCreation):
2992         * runtime/IntlCollatorPrototype.cpp:
2993         (JSC::IntlCollatorPrototypeGetterCompare):
2994         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
2995         * runtime/IntlDateTimeFormat.cpp:
2996         (JSC::defaultTimeZone):
2997         (JSC::canonicalizeTimeZoneName):
2998         (JSC::IntlDTFInternal::localeData):
2999         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
3000         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3001         (JSC::IntlDateTimeFormat::weekdayString):
3002         (JSC::IntlDateTimeFormat::eraString):
3003         (JSC::IntlDateTimeFormat::yearString):
3004         (JSC::IntlDateTimeFormat::monthString):
3005         (JSC::IntlDateTimeFormat::dayString):
3006         (JSC::IntlDateTimeFormat::hourString):
3007         (JSC::IntlDateTimeFormat::minuteString):
3008         (JSC::IntlDateTimeFormat::secondString):
3009         (JSC::IntlDateTimeFormat::timeZoneNameString):
3010         (JSC::IntlDateTimeFormat::resolvedOptions):
3011         (JSC::IntlDateTimeFormat::format):
3012         (JSC::IntlDateTimeFormat::partTypeString):
3013         (JSC::IntlDateTimeFormat::formatToParts):
3014         * runtime/IntlDateTimeFormat.h:
3015         * runtime/IntlDateTimeFormatConstructor.cpp:
3016         (JSC::IntlDateTimeFormatConstructor::finishCreation):
3017         * runtime/IntlDateTimeFormatPrototype.cpp:
3018         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
3019         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
3020         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
3021         * runtime/IntlNumberFormat.cpp:
3022         (JSC::IntlNumberFormat::initializeNumberFormat):
3023         (JSC::IntlNumberFormat::formatNumber):
3024         (JSC::IntlNumberFormat::styleString):
3025         (JSC::IntlNumberFormat::currencyDisplayString):
3026         (JSC::IntlNumberFormat::resolvedOptions):
3027         (JSC::IntlNumberFormat::partTypeString):
3028         (JSC::IntlNumberFormat::formatToParts):
3029         * runtime/IntlNumberFormat.h:
3030         * runtime/IntlNumberFormatConstructor.cpp:
3031         (JSC::IntlNumberFormatConstructor::finishCreation):
3032         * runtime/IntlNumberFormatPrototype.cpp:
3033         (JSC::IntlNumberFormatPrototypeGetterFormat):
3034         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
3035         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
3036         * runtime/IntlObject.cpp:
3037         (JSC::grandfatheredLangTag):
3038         (JSC::canonicalizeLocaleList):
3039         (JSC::resolveLocale):
3040         (JSC::supportedLocales):
3041         * runtime/IntlPluralRules.cpp:
3042         (JSC::IntlPluralRules::initializePluralRules):
3043         (JSC::IntlPluralRules::resolvedOptions):
3044         (JSC::IntlPluralRules::select):
3045         * runtime/IntlPluralRulesConstructor.cpp:
3046         (JSC::IntlPluralRulesConstructor::finishCreation):
3047         * runtime/IntlPluralRulesPrototype.cpp:
3048         (JSC::IntlPluralRulesPrototypeFuncSelect):
3049         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
3050         * runtime/IteratorOperations.cpp:
3051         (JSC::iteratorNext):
3052         (JSC::iteratorClose):
3053         (JSC::hasIteratorMethod):
3054         (JSC::iteratorMethod):
3055         * runtime/JSArray.cpp:
3056         (JSC::JSArray::tryCreateUninitializedRestricted):
3057         (JSC::JSArray::defineOwnProperty):
3058         (JSC::JSArray::put):
3059         (JSC::JSArray::setLengthWithArrayStorage):
3060         (JSC::JSArray::appendMemcpy):
3061         (JSC::JSArray::pop):
3062         * runtime/JSArray.h:
3063         * runtime/JSArrayBufferConstructor.cpp:
3064         (JSC::JSArrayBufferConstructor::finishCreation):
3065         * runtime/JSArrayBufferPrototype.cpp:
3066         (JSC::arrayBufferProtoFuncSlice):
3067         (JSC::arrayBufferProtoGetterFuncByteLength):
3068         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
3069         * runtime/JSArrayBufferView.cpp:
3070         (JSC::JSArrayBufferView::toStringName):
3071         * runtime/JSArrayInlines.h:
3072         (JSC::JSArray::pushInline):
3073         * runtime/JSBigInt.cpp:
3074         (JSC::JSBigInt::divide):
3075         (JSC::JSBigInt::remainder):
3076         (JSC::JSBigInt::toNumber const):
3077         * runtime/JSCJSValue.cpp:
3078         (JSC::JSValue::putToPrimitive):
3079         (JSC::JSValue::putToPrimitiveByIndex):
3080         (JSC::JSValue::toStringSlowCase const):
3081         * runtime/JSCJSValueInlines.h:
3082         (JSC::toPreferredPrimitiveType):
3083         * runtime/JSDataView.cpp:
3084         (JSC::JSDataView::create):
3085         (JSC::JSDataView::put):
3086         (JSC::JSDataView::defineOwnProperty):
3087         * runtime/JSDataViewPrototype.cpp:
3088         (JSC::getData):
3089         (JSC::setData):
3090         * runtime/JSFunction.cpp:
3091         (JSC::JSFunction::callerGetter):
3092         (JSC::JSFunction::put):
3093         (JSC::JSFunction::defineOwnProperty):
3094         * runtime/JSGenericTypedArrayView.h:
3095         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3096         (JSC::constructGenericTypedArrayViewWithArguments):
3097         (JSC::constructGenericTypedArrayView):
3098         * runtime/JSGenericTypedArrayViewInlines.h:
3099         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
3100         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3101         (JSC::speciesConstruct):
3102         (JSC::genericTypedArrayViewProtoFuncSet):
3103         (JSC::genericTypedArrayViewProtoFuncIndexOf):
3104         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
3105         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
3106         * runtime/JSGlobalObject.cpp:
3107         (JSC::JSGlobalObject::init):
3108         * runtime/JSGlobalObjectDebuggable.cpp:
3109         (JSC::JSGlobalObjectDebuggable::name const):
3110         * runtime/JSGlobalObjectFunctions.cpp:
3111         (JSC::encode):
3112         (JSC::decode):
3113         (JSC::globalFuncProtoSetter):
3114         * runtime/JSGlobalObjectFunctions.h:
3115         * runtime/JSMap.cpp:
3116         (JSC::JSMap::toStringName):
3117         * runtime/JSModuleEnvironment.cpp:
3118         (JSC::JSModuleEnvironment::put):
3119         * runtime/JSModuleNamespaceObject.cpp:
3120         (JSC::JSModuleNamespaceObject::put):
3121         (JSC::JSModuleNamespaceObject::putByIndex):
3122         (JSC::JSModuleNamespaceObject::defineOwnProperty):
3123         * runtime/JSONObject.cpp:
3124         (JSC::Stringifier::appendStringifiedValue):
3125         (JSC::JSONProtoFuncParse):
3126         (JSC::JSONProtoFuncStringify):
3127         * runtime/JSObject.cpp:
3128         (JSC::getClassPropertyNames):
3129         (JSC::JSObject::calculatedClassName):
3130         (JSC::ordinarySetSlow):
3131         (JSC::JSObject::putInlineSlow):
3132         (JSC::JSObject::setPrototypeWithCycleCheck):
3133         (JSC::callToPrimitiveFunction):
3134         (JSC::JSObject::ordinaryToPrimitive const):
3135         (JSC::JSObject::defaultHasInstance):
3136         (JSC::JSObject::defineOwnIndexedProperty):
3137         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3138         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3139         (JSC::validateAndApplyPropertyDescriptor):
3140         * runtime/JSObject.h:
3141         * runtime/JSObjectInlines.h:
3142         (JSC::JSObject::putInlineForJSObject):
3143         * runtime/JSPromiseConstructor.cpp:
3144         (JSC::JSPromiseConstructor::finishCreation):
3145         * runtime/JSSet.cpp:
3146         (JSC::JSSet::toStringName):
3147         * runtime/JSSymbolTableObject.h:
3148         (JSC::symbolTablePut):
3149         * runtime/JSTypedArrayViewConstructor.cpp:
3150         (JSC::constructTypedArrayView):
3151         * runtime/JSTypedArrayViewPrototype.cpp:
3152         (JSC::typedArrayViewPrivateFuncLength):
3153         (JSC::typedArrayViewProtoFuncSet):
3154         (JSC::typedArrayViewProtoFuncCopyWithin):
3155         (JSC::typedArrayViewProtoFuncLastIndexOf):
3156         (JSC::typedArrayViewProtoFuncIndexOf):
3157         (JSC::typedArrayViewProtoFuncJoin):
3158         (JSC::typedArrayViewProtoGetterFuncBuffer):
3159         (JSC::typedArrayViewProtoGetterFuncLength):
3160         (JSC::typedArrayViewProtoGetterFuncByteLength):
3161         (JSC::typedArrayViewProtoGetterFuncByteOffset):
3162         (JSC::typedArrayViewProtoFuncReverse):
3163         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
3164         (JSC::typedArrayViewProtoFuncSlice):
3165         (JSC::JSTypedArrayViewPrototype::finishCreation):
3166         * runtime/JSWeakMap.cpp:
3167         (JSC::JSWeakMap::toStringName):
3168         * runtime/JSWeakSet.cpp:
3169         (JSC::JSWeakSet::toStringName):
3170         * runtime/LiteralParser.cpp:
3171         (JSC::LiteralParser<CharType>::Lexer::lex):
3172         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
3173         (JSC::LiteralParser<CharType>::Lexer::lexNumber):
3174         (JSC::LiteralParser<CharType>::parse):
3175         * runtime/LiteralParser.h:
3176         (JSC::LiteralParser::getErrorMessage):
3177         * runtime/Lookup.cpp:
3178         (JSC::reifyStaticAccessor):
3179         * runtime/Lookup.h:
3180         (JSC::putEntry):
3181         * runtime/MapPrototype.cpp:
3182         (JSC::getMap):
3183         * runtime/NullSetterFunction.cpp:
3184         (JSC::NullSetterFunctionInternal::callReturnUndefined):
3185         * runtime/NumberPrototype.cpp:
3186         (JSC::numberProtoFuncToExponential):
3187         (JSC::numberProtoFuncToFixed):
3188         (JSC::numberProtoFuncToPrecision):
3189         (JSC::extractToStringRadixArgument):
3190         * runtime/ObjectConstructor.cpp:
3191         (JSC::objectConstructorSetPrototypeOf):
3192         (JSC::objectConstructorAssign):
3193         (JSC::objectConstructorValues):
3194         (JSC::toPropertyDescriptor):
3195         (JSC::objectConstructorDefineProperty):
3196         (JSC::objectConstructorDefineProperties):
3197         (JSC::objectConstructorCreate):
3198         (JSC::objectConstructorSeal):
3199         (JSC::objectConstructorFreeze):
3200         * runtime/ObjectPrototype.cpp:
3201         (JSC::objectProtoFuncDefineGetter):
3202         (JSC::objectProtoFuncDefineSetter):
3203         * runtime/Operations.cpp:
3204         (JSC::jsAddSlowCase):
3205         * runtime/Operations.h:
3206         (JSC::jsSub):
3207         (JSC::jsMul):
3208         * runtime/ProgramExecutable.cpp:
3209         (JSC::ProgramExecutable::initializeGlobalProperties):
3210         * runtime/ProxyConstructor.cpp:
3211         (JSC::makeRevocableProxy):
3212         (JSC::proxyRevocableConstructorThrowError):
3213         (JSC::ProxyConstructor::finishCreation):
3214         (JSC::constructProxyObject):
3215         * runtime/ProxyObject.cpp:
3216         (JSC::ProxyObject::toStringName):
3217         (JSC::ProxyObject::finishCreation):
3218         (JSC::performProxyGet):
3219         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3220         (JSC::ProxyObject::performHasProperty):
3221         (JSC::ProxyObject::performPut):
3222         (JSC::performProxyCall):
3223         (JSC::performProxyConstruct):
3224         (JSC::ProxyObject::performDelete):
3225         (JSC::ProxyObject::performPreventExtensions):
3226         (JSC::ProxyObject::performIsExtensible):
3227         (JSC::ProxyObject::performDefineOwnProperty):
3228         (JSC::ProxyObject::performGetOwnPropertyNames):
3229         (JSC::ProxyObject::performSetPrototype):
3230         (JSC::ProxyObject::performGetPrototype):
3231         * runtime/ReflectObject.cpp:
3232         (JSC::reflectObjectConstruct):
3233         (JSC::reflectObjectDefineProperty):
3234         (JSC::reflectObjectGet):
3235         (JSC::reflectObjectGetOwnPropertyDescriptor):
3236         (JSC::reflectObjectGetPrototypeOf):
3237         (JSC::reflectObjectIsExtensible):
3238         (JSC::reflectObjectOwnKeys):
3239         (JSC::reflectObjectPreventExtensions):
3240         (JSC::reflectObjectSet):
3241         (JSC::reflectObjectSetPrototypeOf):
3242         * runtime/RegExpConstructor.cpp:
3243         (JSC::RegExpConstructor::finishCreation):
3244         (JSC::toFlags):
3245         * runtime/RegExpObject.cpp:
3246         (JSC::RegExpObject::defineOwnProperty):
3247         * runtime/RegExpObject.h:
3248         * runtime/RegExpPrototype.cpp:
3249         (JSC::regExpProtoFuncCompile):
3250         (JSC::regExpProtoGetterGlobal):
3251         (JSC::regExpProtoGetterIgnoreCase):
3252         (JSC::regExpProtoGetterMultiline):
3253         (JSC::regExpProtoGetterDotAll):
3254         (JSC::regExpProtoGetterSticky):
3255         (JSC::regExpProtoGetterUnicode):
3256         (JSC::regExpProtoGetterFlags):
3257         (JSC::regExpProtoGetterSourceInternal):
3258         (JSC::regExpProtoGetterSource):
3259         * runtime/RuntimeType.cpp:
3260         (JSC::runtimeTypeAsString):
3261         * runtime/SamplingProfiler.cpp:
3262         (JSC::SamplingProfiler::StackFrame::displayName):
3263         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
3264         * runtime/ScriptExecutable.cpp:
3265         (JSC::ScriptExecutable::prepareForExecutionImpl):
3266         * runtime/SetPrototype.cpp:
3267         (JSC::getSet):
3268         * runtime/SparseArrayValueMap.cpp:
3269         (JSC::SparseArrayValueMap::putEntry):
3270         (JSC::SparseArrayValueMap::putDirect):
3271         (JSC::SparseArrayEntry::put):
3272         * runtime/StackFrame.cpp:
3273         (JSC::StackFrame::sourceURL const):
3274         (JSC::StackFrame::functionName const):
3275         * runtime/StringConstructor.cpp:
3276         (JSC::stringFromCodePoint):
3277         * runtime/StringObject.cpp:
3278         (JSC::StringObject::put):
3279         (JSC::StringObject::putByIndex):
3280         * runtime/StringPrototype.cpp:
3281         (JSC::StringPrototype::finishCreation):
3282         (JSC::toLocaleCase):
3283         (JSC::stringProtoFuncNormalize):
3284         * runtime/Symbol.cpp:
3285         (JSC::Symbol::toNumber const):
3286         * runtime/SymbolConstructor.cpp:
3287         (JSC::symbolConstructorKeyFor):
3288         * runtime/SymbolObject.cpp:
3289         (JSC::SymbolObject::toStringName):
3290         * runtime/SymbolPrototype.cpp:
3291         (JSC::SymbolPrototype::finishCreation):
3292         * runtime/TypeSet.cpp:
3293         (JSC::TypeSet::dumpTypes const):
3294         (JSC::TypeSet::displayName const):
3295         (JSC::StructureShape::leastCommonAncestor):
3296         * runtime/TypeSet.h:
3297         (JSC::StructureShape::setConstructorName):
3298         * runtime/VM.cpp:
3299         (JSC::VM::dumpTypeProfilerData):
3300         * runtime/WeakMapPrototype.cpp:
3301         (JSC::getWeakMap):
3302         (JSC::protoFuncWeakMapSet):
3303         * runtime/WeakSetPrototype.cpp:
3304         (JSC::getWeakSet):
3305         (JSC::protoFuncWeakSetAdd):
3306         * tools/JSDollarVM.cpp:
3307         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
3308         (WTF::DOMJITGetterComplex::customGetter):
3309         (JSC::functionSetImpureGetterDelegate):
3310         (JSC::functionCreateElement):
3311         (JSC::functionGetHiddenValue):
3312         (JSC::functionSetHiddenValue):
3313         (JSC::functionFindTypeForExpression):
3314         (JSC::functionReturnTypeFor):
3315         (JSC::functionLoadGetterFromGetterSetter):
3316         * wasm/WasmB3IRGenerator.cpp:
3317         (JSC::Wasm::B3IRGenerator::fail const):
3318         * wasm/WasmIndexOrName.cpp:
3319         (JSC::Wasm::makeString):
3320         * wasm/WasmParser.h:
3321         (JSC::Wasm::FailureHelper::makeString):
3322         (JSC::Wasm::Parser::fail const):
3323         * wasm/WasmPlan.cpp:
3324         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
3325         * wasm/WasmValidate.cpp:
3326         (JSC::Wasm::Validate::fail const):
3327         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3328         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
3329         * wasm/js/JSWebAssemblyHelpers.h:
3330         (JSC::toNonWrappingUint32):
3331         (JSC::getWasmBufferFromValue):
3332         * wasm/js/JSWebAssemblyInstance.cpp:
3333         (JSC::JSWebAssemblyInstance::create):
3334         * wasm/js/JSWebAssemblyMemory.cpp:
3335         (JSC::JSWebAssemblyMemory::grow):
3336         * wasm/js/WasmToJS.cpp:
3337         (JSC::Wasm::handleBadI64Use):
3338         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3339         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
3340         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3341         (JSC::constructJSWebAssemblyInstance):
3342         (JSC::WebAssemblyInstanceConstructor::finishCreation):
3343         * wasm/js/WebAssemblyInstancePrototype.cpp:
3344         (JSC::getInstance):
3345         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3346         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
3347         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3348         (JSC::constructJSWebAssemblyMemory):
3349         (JSC::WebAssemblyMemoryConstructor::finishCreation):
3350         * wasm/js/WebAssemblyMemoryPrototype.cpp:
3351         (JSC::getMemory):
3352         * wasm/js/WebAssemblyModuleConstructor.cpp:
3353         (JSC::webAssemblyModuleCustomSections):
3354         (JSC::webAssemblyModuleImports):
3355         (JSC::webAssemblyModuleExports):
3356         (JSC::WebAssemblyModuleConstructor::finishCreation):
3357         * wasm/js/WebAssemblyModuleRecord.cpp:
3358         (JSC::WebAssemblyModuleRecord::link):
3359         (JSC::dataSegmentFail):
3360         (JSC::WebAssemblyModuleRecord::evaluate):
3361         * wasm/js/WebAssemblyPrototype.cpp:
3362         (JSC::resolve):
3363         (JSC::webAssemblyInstantiateFunc):
3364         (JSC::webAssemblyInstantiateStreamingInternal):
3365         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3366         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
3367         * wasm/js/WebAssemblyTableConstructor.cpp:
3368         (JSC::constructJSWebAssemblyTable):
3369         (JSC::WebAssemblyTableConstructor::finishCreation):
3370         * wasm/js/WebAssemblyTablePrototype.cpp:
3371         (JSC::getTable):
3372         (JSC::webAssemblyTableProtoFuncGrow):
3373         (JSC::webAssemblyTableProtoFuncGet):
3374         (JSC::webAssemblyTableProtoFuncSet):
3375
3376 2018-06-22  Keith Miller  <keith_miller@apple.com>
3377
3378         unshift should zero unused property storage
3379         https://bugs.webkit.org/show_bug.cgi?id=186960
3380
3381         Reviewed by Saam Barati.
3382
3383         Also, this patch adds the zeroed unused property storage assertion
3384         to one more place it was missing.
3385
3386         * runtime/JSArray.cpp:
3387         (JSC::JSArray::unshiftCountSlowCase):
3388         * runtime/JSObjectInlines.h:
3389         (JSC::JSObject::putDirectInternal):
3390
3391 2018-06-22  Mark Lam  <mark.lam@apple.com>
3392
3393         PropertyCondition::isValidValueForAttributes() should also consider deleted values.
3394         https://bugs.webkit.org/show_bug.cgi?id=186943
3395         <rdar://problem/41370337>
3396
3397         Reviewed by Saam Barati.
3398
3399         PropertyCondition::isValidValueForAttributes() should check if the passed in value
3400         is a deleted one before it does a jsDynamicCast on it.
3401
3402         * bytecode/PropertyCondition.cpp:
3403         (JSC::PropertyCondition::isValidValueForAttributes):
3404         * runtime/JSCJSValueInlines.h:
3405         - removed an unnecessary #if.
3406
3407 2018-06-22  Keith Miller  <keith_miller@apple.com>
3408
3409         performProxyCall should toThis the value passed to its handler
3410         https://bugs.webkit.org/show_bug.cgi?id=186951
3411
3412         Reviewed by Mark Lam.
3413
3414         * runtime/ProxyObject.cpp:
3415         (JSC::performProxyCall):
3416
3417 2018-06-22  Saam Barati  <sbarati@apple.com>
3418
3419         ensureWritableX should only convert away from CoW when it will succeed
3420         https://bugs.webkit.org/show_bug.cgi?id=186898
3421
3422         Reviewed by Keith Miller.
3423
3424         Otherwise, when we OSR exit, we'll end up profiling the array after
3425         it has been converted away from CoW. It's better for the ArrayProfile
3426         to see the array as it's still in CoW mode.
3427         
3428         This patch also renames ensureWritableX to tryMakeWritableX since these
3429         were never really "ensure" operations -- they may fail and return null.
3430
3431         * dfg/DFGOperations.cpp:
3432         * runtime/JSObject.cpp:
3433         (JSC::JSObject::tryMakeWritableInt32Slow):
3434         (JSC::JSObject::tryMakeWritableDoubleSlow):
3435         (JSC::JSObject::tryMakeWritableContiguousSlow):
3436         (JSC::JSObject::ensureWritableInt32Slow): Deleted.
3437         (JSC::JSObject::ensureWritableDoubleSlow): Deleted.
3438         (JSC::JSObject::ensureWritableContiguousSlow): Deleted.
3439         * runtime/JSObject.h:
3440         (JSC::JSObject::tryMakeWritableInt32):
3441         (JSC::JSObject::tryMakeWritableDouble):
3442         (JSC::JSObject::tryMakeWritableContiguous):
3443         (JSC::JSObject::ensureWritableInt32): Deleted.
3444         (JSC::JSObject::ensureWritableDouble): Deleted.
3445         (JSC::JSObject::ensureWritableContiguous): Deleted.
3446
3447 2018-06-22  Keith Miller  <keith_miller@apple.com>
3448
3449         We should call visitChildren on Base not the exact typename
3450         https://bugs.webkit.org/show_bug.cgi?id=186928
3451
3452         Reviewed by Mark Lam.
3453
3454         A lot of places were not properly calling visitChildren on their
3455         superclass. For most of them it didn't matter because they had
3456         immortal structures. If code changed in the future this might
3457         break things however.
3458
3459         Also, block off more of the MethodTable for GetterSetter objects.
3460
3461         * bytecode/CodeBlock.cpp:
3462         (JSC::CodeBlock::visitChildren):
3463         * bytecode/ExecutableToCodeBlockEdge.cpp:
3464         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3465         * debugger/DebuggerScope.cpp:
3466         (JSC::DebuggerScope::visitChildren):
3467         * runtime/EvalExecutable.cpp:
3468         (JSC::EvalExecutable::visitChildren):
3469         * runtime/FunctionExecutable.cpp:
3470         (JSC::FunctionExecutable::visitChildren):
3471         * runtime/FunctionRareData.cpp:
3472         (JSC::FunctionRareData::visitChildren):
3473         * runtime/GenericArgumentsInlines.h:
3474         (JSC::GenericArguments<Type>::visitChildren):
3475         * runtime/GetterSetter.cpp:
3476         (JSC::GetterSetter::visitChildren):
3477         * runtime/GetterSetter.h:
3478         * runtime/InferredType.cpp:
3479         (JSC::InferredType::visitChildren):
3480         * runtime/InferredTypeTable.cpp:
3481         (JSC::InferredTypeTable::visitChildren):
3482         * runtime/InferredValue.cpp:
3483         (JSC::InferredValue::visitChildren):
3484         * runtime/JSArrayBufferView.cpp:
3485         (JSC::JSArrayBufferView::visitChildren):
3486         * runtime/JSGenericTypedArrayViewInlines.h:
3487         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
3488         * runtime/ModuleProgramExecutable.cpp:
3489         (JSC::ModuleProgramExecutable::visitChildren):
3490         * runtime/ProgramExecutable.cpp:
3491         (JSC::ProgramExecutable::visitChildren):
3492         * runtime/ScopedArguments.cpp:
3493         (JSC::ScopedArguments::visitChildren):
3494         * runtime/ScopedArguments.h:
3495         * runtime/Structure.cpp:
3496         (JSC::Structure::visitChildren):
3497         * runtime/StructureRareData.cpp:
3498         (JSC::StructureRareData::visitChildren):
3499         * runtime/SymbolTable.cpp:
3500         (JSC::SymbolTable::visitChildren):
3501
3502 2018-06-20  Darin Adler  <darin@apple.com>
3503
3504         [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity
3505         https://bugs.webkit.org/show_bug.cgi?id=186875
3506
3507         Reviewed by Anders Carlsson.
3508
3509         * API/tests/testapi.mm:
3510         (testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file.
3511
3512 2018-06-22  Carlos Garcia Campos  <cgarcia@igalia.com>
3513
3514         [GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message
3515         https://bugs.webkit.org/show_bug.cgi?id=186915
3516
3517         Reviewed by Žan Doberšek.
3518
3519         Update StartAutomationSession message handling to receive a dictionary of session capabilities.
3520
3521         * inspector/remote/glib/RemoteInspectorServer.cpp:
3522         (Inspector::processSessionCapabilities): Helper method to process the session capabilities.
3523
3524 2018-06-21  Mark Lam  <mark.lam@apple.com>
3525
3526         WebKit (JavaScriptCore) compilation error with Clang ≥ 6.
3527         https://bugs.webkit.org/show_bug.cgi?id=185947
3528         <rdar://problem/40131933>
3529
3530         Reviewed by Saam Barati.
3531
3532         Newer Clang versions (due to C++17 support) are not happy with how I implemented
3533         conversions between CodeLocation types.  We'll fix this by adding a conversion
3534         operator for converting between CodeLocation types.
3535
3536         * assembler/CodeLocation.h:
3537         (JSC::CodeLocationCommon::operator T):
3538
3539 2018-06-21  Saam Barati  <sbarati@apple.com>
3540
3541         Do some CoW cleanup
3542         https://bugs.webkit.org/show_bug.cgi?id=186896
3543
3544         Reviewed by Mark Lam.
3545
3546         * bytecode/UnlinkedCodeBlock.h:
3547         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
3548         We don't need to WTFMove() ints
3549
3550         * dfg/DFGByteCodeParser.cpp:
3551         (JSC::DFG::ByteCodeParser::parseBlock):
3552         remove a TODO.
3553
3554         * runtime/JSObject.cpp:
3555         (JSC::JSObject::putByIndex):
3556         We were checking for isCopyOnWrite even after we converted away
3557         from CoW in above code.
3558         (JSC::JSObject::ensureWritableInt32Slow):
3559         Model this in the same way the other ensureWritableXSlow are modeled.
3560
3561 2018-06-20  Keith Miller  <keith_miller@apple.com>
3562
3563         flattenDictionaryStructure needs to zero inline storage.
3564         https://bugs.webkit.org/show_bug.cgi?id=186869
3565
3566         Reviewed by Saam Barati.
3567
3568         This patch also adds the assertion that unused property storage is
3569         zero or JSValue() to putDirectInternal. Additionally, functions
3570         have been added to $vm that flatten dictionary objects and return
3571         the inline capacity of an object.
3572
3573         * runtime/JSObjectInlines.h:
3574         (JSC::JSObject::putDirectInternal):
3575         * runtime/Structure.cpp:
3576         (JSC::Structure::flattenDictionaryStructure):
3577         * tools/JSDollarVM.cpp:
3578         (JSC::functionInlineCapacity):
3579         (JSC::functionFlattenDictionaryObject):
3580         (JSC::JSDollarVM::finishCreation):
3581
3582 2018-06-21  Mark Lam  <mark.lam@apple.com>
3583
3584         Use IsoCellSets to track Executables with clearable code.
3585         https://bugs.webkit.org/show_bug.cgi?id=186877
3586
3587         Reviewed by Filip Pizlo.
3588
3589         Here’s an example of the results that this fix may yield: 
3590         1. The workload: load cnn.com, wait for it to fully load, scroll down and up.
3591         2. Statistics on memory touched and memory freed by VM::deleteAllCode():
3592
3593            Visiting Executables:
3594                                                         Old             New
3595            Number of objects visited:                   70897           14264
3596            Number of objects with deletable code:       14264 (20.1%)   14264 (100%)
3597            Number of memory pages visited:              3224            1602
3598            Number of memory pages with deletable code:  1602 (49.7%)    1602 (100%)
3599
3600            Visiting UnlinkedFunctionExecutables:
3601                                                         Old             New
3602            Number of objects visited:                   105454          17231
3603            Number of objects with deletable code:       42319 (20.1%)   17231 (100%) **
3604            Number of memory pages visited:              4796            1349
3605            Number of memory pages with deletable code:  4013 (83.7%)    1349 (100%)
3606
3607         ** The number of objects differ because the old code only visits unlinked
3608            executables indirectly via linked executables, whereas the new behavior visits
3609            all unlinked executables with deletable code directly.  This means:
3610
3611            a. we used to not visit unlinked executables that have not been linked yet
3612               i.e. deleteAllCode() may not delete all code (especially code that is not
3613               used).
3614            b. we had to visit all linked executables to check if they are of type
3615               FunctionExecutable, before going on to visit their unlinked executable, and
3616               this includes the ones that do not have deletable code.  This means that we
3617               would touch more memory in the process.
3618
3619            Both of these issues are now fixed with the new code.
3620
3621         This code was tested with manually inserted instrumentation to track the above
3622         statistics.  It is not feasible to write an automated test for this without
3623         leaving a lot of invasive instrumentation in the code.
3624
3625         * bytecode/UnlinkedFunctionExecutable.cpp:
3626         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3627         * bytecode/UnlinkedFunctionExecutable.h:
3628         * heap/CodeBlockSetInlines.h:
3629         (JSC::CodeBlockSet::iterateViaSubspaces):
3630         * heap/Heap.cpp:
3631         (JSC::Heap::deleteAllCodeBlocks):
3632         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
3633         (JSC::Heap::deleteUnmarkedCompiledCode):
3634         (JSC::Heap::clearUnmarkedExecutables): Deleted.
3635         (JSC::Heap::addExecutable): Deleted.
3636         * heap/Heap.h:
3637         * runtime/DirectEvalExecutable.h:
3638
3639         * runtime/ExecutableBase.cpp:
3640         (JSC::ExecutableBase::hasClearableCode const):
3641         - this is written based on the implementation of ExecutableBase::clearCode().
3642
3643         * runtime/ExecutableBase.h:
3644         * runtime/FunctionExecutable.h:
3645         * runtime/IndirectEvalExecutable.h:
3646         * runtime/ModuleProgramExecutable.h:
3647         * runtime/ProgramExecutable.h:
3648         * runtime/ScriptExecutable.cpp:
3649         (JSC::ScriptExecutable::clearCode):
3650         (JSC::ScriptExecutable::installCode):
3651         * runtime/ScriptExecutable.h:
3652         (JSC::ScriptExecutable::finishCreation):
3653         * runtime/VM.cpp:
3654         (JSC::VM::VM):
3655         * runtime/VM.h:
3656         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
3657         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
3658         (JSC::VM::forEachScriptExecutableSpace):
3659         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet):
3660         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor):
3661
3662 2018-06-21  Zan Dobersek  <zdobersek@igalia.com>
3663
3664         [GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions
3665         https://bugs.webkit.org/show_bug.cgi?id=186884
3666
3667         Reviewed by Carlos Garcia Campos.
3668
3669         Add a tuple array input parameter to the StartAutomationSession DBus
3670         message, representing a list of host-and-certificate pairs that have to
3671         be allowed for a given session. This array is then unpacked and used to
3672         fill out the certificates Vector object in the SessionCapabilities
3673         struct.
3674
3675         * inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of
3676         String pairs representing hosts and the certificate file paths.
3677         * inspector/remote/glib/RemoteInspectorServer.cpp:
3678
3679 2018-06-20  Keith Miller  <keith_miller@apple.com>
3680
3681         Expand concurrent GC assertion to accept JSValue() or 0
3682         https://bugs.webkit.org/show_bug.cgi?id=186855
3683
3684         Reviewed by Mark Lam.
3685
3686         We tend to set unused property slots to either JSValue() or 0
3687         depending on the context. On 64-bit these are the same but on
3688         32-bit JSValue() has a NaN tag. This patch makes it so we
3689         accept either JSValue() or 0.
3690
3691         * runtime/JSObjectInlines.h:
3692         (JSC::JSObject::prepareToPutDirectWithoutTransition):
3693
3694 2018-06-20  Guillaume Emont  <guijemont@igalia.com>
3695
3696         [Armv7] Linkbuffer: executableOffsetFor() fails for location 2
3697         https://bugs.webkit.org/show_bug.cgi?id=186765
3698
3699         Reviewed by Michael Saboff.
3700
3701         This widens the check for 0 so that we handle that case more correctly.
3702
3703         * assembler/LinkBuffer.h:
3704         (JSC::LinkBuffer::executableOffsetFor):
3705
3706 2018-06-19  Keith Miller  <keith_miller@apple.com>
3707
3708         Fix broken assertion on 32-bit
3709         https://bugs.webkit.org/show_bug.cgi?id=186830
3710
3711         Reviewed by Mark Lam.
3712
3713         The assertion was intended to catch concurrent GC issues. We don't
3714         run them on 32-bit so we don't need this assertion there. The
3715         assertion was broken because zero is not JSValue() on 32-bit.
3716
3717         * runtime/JSObjectInlines.h:
3718         (JSC::JSObject::prepareToPutDirectWithoutTransition):
3719
3720 2018-06-19  Keith Miller  <keith_miller@apple.com>
3721
3722         flattenDictionaryStructure needs to zero properties that have been compressed away
3723         https://bugs.webkit.org/show_bug.cgi?id=186828
3724
3725         Reviewed by Mark Lam.
3726
3727         This patch fixes a bunch of crashing Mozilla tests on the bots.
3728
3729         * runtime/Structure.cpp:
3730         (JSC::Structure::flattenDictionaryStructure):
3731
3732 2018-06-19  Saam Barati  <sbarati@apple.com>
3733
3734         DirectArguments::create needs to initialize to undefined instead of the empty value
3735         https://bugs.webkit.org/show_bug.cgi?id=186818
3736         <rdar://problem/38415177>
3737
3738         Reviewed by Filip Pizlo.
3739
3740         The bug here is that we will emit code that just loads from DirectArguments as
3741         long as the index is within the known capacity of the arguments object (op_get_from_arguments).
3742         The arguments object has at least enough capacity to hold the declared parameters.
3743         When we materialized this object in OSR exit, we initialized up to the capacity
3744         with JSValue(). In OSR exit, though, we only filled up to the length of the
3745         object with actual values. So we'd end up with a DirectArguments object with
3746         capacity minus length slots of JSValue(). To fix this, we need to initialize up to
3747         capacity with jsUndefined during construction. The invariant of this object is
3748         that the capacity minus length slots at the end are filled in with jsUndefined.
3749
3750         * runtime/DirectArguments.cpp:
3751         (JSC::DirectArguments::create):
3752
3753 2018-06-19  Michael Saboff  <msaboff@apple.com>
3754
3755         Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
3756         https://bugs.webkit.org/show_bug.cgi?id=186827
3757
3758         Reviewed by Saam Barati.
3759
3760         Need to set VM::lastStackTop before any possible calls to sanitizeStack().
3761
3762         * runtime/JSLock.cpp:
3763         (JSC::JSLock::didAcquireLock):
3764
3765 2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>
3766
3767         ShadowChicken crashes with stack overflow in the LLInt
3768         https://bugs.webkit.org/show_bug.cgi?id=186540
3769         <rdar://problem/39682133>
3770
3771         Reviewed by Saam Barati.
3772
3773         Stack overflows in the LLInt were crashing in ShadowChicken when compiling
3774         with debug opcodes because it was accessing the scope of the incomplete top
3775         frame, which hadn't been set yet. Check that we have moved past the first
3776         opcode (enter) and that the scope is not undefined (enter will
3777         initialize it to undefined).
3778
3779         * interpreter/ShadowChicken.cpp:
3780         (JSC::ShadowChicken::update):
3781
3782 2018-06-19  Keith Miller  <keith_miller@apple.com>
3783
3784         constructArray variants should take the slow path for subclasses of Array
3785         https://bugs.webkit.org/show_bug.cgi?id=186812
3786
3787         Reviewed by Saam Barati and Mark Lam.
3788
3789         This patch fixes a crashing test in ObjectInitializationScope where we would
3790         allocate a new structure for an indexing type change while initializing
3791         a subclass of Array. Since the new array hasn't been fully initialized
3792         if the GC ran it would see garbage and we might crash.
3793
3794         * runtime/JSArray.cpp:
3795         (JSC::constructArray):
3796         (JSC::constructArrayNegativeIndexed):
3797         * runtime/JSArray.h:
3798         (JSC::constructArray): Deleted.
3799         (JSC::constructArrayNegativeIndexed): Deleted.
3800
3801 2018-06-19  Saam Barati  <sbarati@apple.com>
3802
3803         Wasm: Any function argument of type Void should be a validation error
3804         https://bugs.webkit.org/show_bug.cgi?id=186794
3805         <rdar://problem/41140257>
3806
3807         Reviewed by Keith Miller.
3808
3809         * wasm/WasmModuleParser.cpp:
3810         (JSC::Wasm::ModuleParser::parseType):
3811
3812 2018-06-18  Keith Miller  <keith_miller@apple.com>
3813
3814         JSImmutableButterfly should assert m_header is adjacent to the data
3815         https://bugs.webkit.org/show_bug.cgi?id=186795
3816
3817         Reviewed by Saam Barati.
3818
3819         * runtime/JSImmutableButterfly.cpp:
3820         * runtime/JSImmutableButterfly.h:
3821
3822 2018-06-18  Keith Miller  <keith_miller@apple.com>
3823
3824         Unreviewed, fix the build...
3825
3826         * runtime/JSArray.cpp:
3827         (JSC::JSArray::tryCreateUninitializedRestricted):
3828
3829 2018-06-18  Keith Miller  <keith_miller@apple.com>
3830
3831         Unreviewed, remove bad assertion.
3832
3833         * runtime/JSArray.cpp:
3834         (JSC::JSArray::tryCreateUninitializedRestricted):
3835
3836 2018-06-18  Keith Miller  <keith_miller@apple.com>
3837
3838         Properly zero unused property storage offsets
3839         https://bugs.webkit.org/show_bug.cgi?id=186692
3840
3841         Reviewed by Filip Pizlo.
3842
3843         Since the concurrent GC might see a property slot before the mutator has actually
3844         stored the value there, we need to ensure that slot doesn't have garbage in it.
3845
3846         Right now when calling constructConvertedArrayStorageWithoutCopyingElements
3847         or creating a RegExp matches array, we never cleared the unused
3848         property storage. ObjectInitializationScope has also been upgraded
3849         to look for our invariants around property storage. Additionally,
3850         a new assertion has been added to check for JSValue() when adding
3851         a new property.
3852
3853         We used to put undefined into deleted property offsets. To
3854         make things simpler, this patch causes us to store JSValue() there
3855         instead.
3856
3857         Lastly, this patch fixes an issue where we would initialize the
3858         array storage of RegExpMatchesArray twice. First with 0 and
3859         secondly with the actual result. Now we only zero memory between
3860         vector length and public length.
3861
3862         * runtime/Butterfly.h:
3863         (JSC::Butterfly::offsetOfVectorLength):
3864         * runtime/ButterflyInlines.h:
3865         (JSC::Butterfly::tryCreateUninitialized):
3866         (JSC::Butterfly::createUninitialized):
3867         (JSC::Butterfly::tryCreate):
3868         (JSC::Butterfly::create):
3869         (JSC::Butterfly::createOrGrowPropertyStorage):
3870         (JSC::Butterfly::createOrGrowArrayRight):
3871         (JSC::Butterfly::growArrayRight):
3872         (JSC::Butterfly::resizeArray):
3873         * runtime/JSArray.cpp:
3874         (JSC::JSArray::tryCreateUninitializedRestricted):
3875         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
3876         * runtime/JSArray.h:
3877         (JSC::tryCreateArrayButterfly):
3878         * runtime/JSObject.cpp: