[JSC] Do not use FTLOutput::weakPointer directly
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not use FTLOutput::weakPointer directly
        https://bugs.webkit.org/show_bug.cgi?id=201495

        Reviewed by Filip Pizlo.

        FTLOutput::weakPointer does not register the cell as a weak pointer.
        CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion.
        While the current implementation is not posing a correctness issue since these cells are live so long as JSGlobalObject is live,
        and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function.
        For FrozenValue, we should use the frozenPointer helper function.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):

2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression
        https://bugs.webkit.org/show_bug.cgi?id=201373

        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitLoopHint):
        (JSC::BytecodeGenerator::emitCheckTraps):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        (JSC::JIT::emit_op_check_traps):
        (JSC::JIT::emitSlow_op_check_traps):
        (JSC::JIT::emitSlow_op_enter): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, rebaseline builtin generator test results
        https://bugs.webkit.org/show_bug.cgi?id=200898

        Rebaseline the result files.

        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:

2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen
        https://bugs.webkit.org/show_bug.cgi?id=201485

        Reviewed by Tadeu Zagallo.

        FunctionOverrides is a per-process singleton for registering overrides information. But we are accessing
        it without taking a lock. If multiple threads with multiple VMs are accessing this concurrently, we have
        a race issue like,

        1. While one thread is adding overrides information,
        2. Another thread is accessing this hash table.

        This patch adds a lock to make sure that only one thread can access this registry.

        * tools/FunctionOverrides.cpp:
        (JSC::FunctionOverrides::FunctionOverrides):
        (JSC::FunctionOverrides::reinstallOverrides):
        (JSC::FunctionOverrides::initializeOverrideFor):
        (JSC::FunctionOverrides::parseOverridesInFile):
        * tools/FunctionOverrides.h:
        (JSC::FunctionOverrides::clear):

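The race described in the FunctionOverrides entry above (one thread inserting into a process-wide hash table while another thread reads it) is the classic unsynchronized-singleton bug: an unlocked `unordered_map` can rehash under a concurrent reader, which is undefined behaviour and in practice a memory-safety issue. The following is an added, stand-alone illustration of the fix pattern the entry describes; it is not WebKit's `FunctionOverrides` code. `OverrideRegistry`, `runConcurrentVMs` and the constructed override strings are hypothetical names invented for this example. Every public method takes the same `std::mutex` before touching the table, so concurrent "VM" threads (plain `std::thread`s here) can register and look up overrides without racing.

```cpp
#include <cstddef>
#include <mutex>
#include <optional>
#include <string>
#include <thread>
#include <unordered_map>
#include <vector>

// Hypothetical per-process registry of function overrides (a stand-in for the
// kind of singleton the ChangeLog entry talks about; not JSC's FunctionOverrides).
class OverrideRegistry {
public:
    static OverrideRegistry& singleton()
    {
        static OverrideRegistry registry;
        return registry;
    }

    // Register (or replace) the override source for a function name.
    void add(const std::string& functionName, const std::string& replacementSource)
    {
        std::lock_guard<std::mutex> locker(m_lock);
        m_overrides[functionName] = replacementSource;
    }

    // Look up an override; the lock must be held even for reads, because a
    // concurrent insert may rehash the table underneath an unlocked reader.
    std::optional<std::string> lookup(const std::string& functionName) const
    {
        std::lock_guard<std::mutex> locker(m_lock);
        auto it = m_overrides.find(functionName);
        if (it == m_overrides.end())
            return std::nullopt;
        return it->second;
    }

    void clear()
    {
        std::lock_guard<std::mutex> locker(m_lock);
        m_overrides.clear();
    }

    std::size_t size() const
    {
        std::lock_guard<std::mutex> locker(m_lock);
        return m_overrides.size();
    }

private:
    mutable std::mutex m_lock; // mutable so const readers can lock too
    std::unordered_map<std::string, std::string> m_overrides;
};

struct StressResult {
    std::size_t entries; // entries in the registry after all threads joined
    std::size_t hits;    // lookups that found the entry the same thread just added
};

// Simulates several VMs on separate threads, each adding and immediately
// reading back its own overrides, the interleaving the entry describes.
// With the lock in place the table ends up exactly threadCount * entriesPerThread
// large and every read-back succeeds.
StressResult runConcurrentVMs(unsigned threadCount, unsigned entriesPerThread)
{
    OverrideRegistry& registry = OverrideRegistry::singleton();
    registry.clear();

    std::vector<std::thread> threads;
    std::vector<std::size_t> hitsPerThread(threadCount, 0);
    for (unsigned t = 0; t < threadCount; ++t) {
        threads.emplace_back([&, t] {
            for (unsigned i = 0; i < entriesPerThread; ++i) {
                // Constructed sample names/sources, distinct per thread.
                std::string name = "vm" + std::to_string(t) + "_fn" + std::to_string(i);
                registry.add(name, "(function () { return " + std::to_string(i) + "; })");
                if (registry.lookup(name))
                    ++hitsPerThread[t];
            }
        });
    }
    for (auto& thread : threads)
        thread.join();

    std::size_t hits = 0;
    for (std::size_t h : hitsPerThread)
        hits += h;
    return { registry.size(), hits };
}
```

A single mutex is the right tool here because the registry is touched rarely (at override installation and at function creation), so contention is not a concern and a reader/writer lock would only add complexity. The part that is easy to get wrong is the read path: a lookup on a hash table is not safe against a concurrent insert, so `lookup` and `size` lock just like `add` does.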
2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make Promise implementation faster
        https://bugs.webkit.org/show_bug.cgi?id=200898

        Reviewed by Saam Barati.

        This is the major change of the Promise implementation and it improves JetStream2/async-fs by 62%.

        1. Make JSPromise C++ friendly

            Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise.
            This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these
            fields from C++ easy. Moreover, this patch reduces the number of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal
            fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL
            support. They are similar to the GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand
            this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1].

            We also add JSPromiseType as a JSType, and structures for JSPromise should have that, so that now `@isPromise` is efficiently implemented.
            This also requires adding SpecPromiseObject and PromiseObjectUse to DFG.

            Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension
            is filed in [2].

        2. Make JSPromise constructor JS friendly

            The old JSPromise constructor was very inefficient: the JSPromise constructor is an InternalFunction in C++, and in it, it
            calls the `initializePromise` JS function. And this `initializePromise` function invokes the `executor` function passed by the user program.
            If we can implement the JSPromise constructor fully in JS, we can recognize `executor` and we have a chance to fully inline them.
            Unfortunately, we cannot inline the JSPromise constructor for now since it takes 120 bytecode cost while our inlining threshold for
            construct is 100. We might want to investigate getting it inlined in the future [3].

            We can avoid the C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces the @nakedConstructor
            annotation to builtin JS. And this is propagated as `ConstructorKind::Naked`. If this kind is attached, the bytecode generator
            does not emit `op_create_this` implicitly and the constructor does not return the `this` object implicitly. The naked constructor allows
            us to emit bare-metal bytecode, specifically necessary to allocate a non-final JSObject from a JS constructor. We introduce op_create_promise,
            which is similar to op_create_this, but it allocates JSPromise. And by using the @createPromise bytecode intrinsic, we implement the
            JSPromise constructor fully in JS.
            With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4].

        3. DFG support for JSPromise operations

            This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis,
            and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate
            promises. CreatePromise and NewPromise have an `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG.
            When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism
            used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile
            can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable
            in DFG, we connect a watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's
            structure is invalidated: `callee.prototype` is replaced.

        4. Avoid creating unnecessary promises

            Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. And some of the promise creation can be avoided.
            For example, when resolving a value with `Promise.resolve`, if a value is a promise and if its `then` method is the builtin `then`, we can avoid creating
            an intermediate promise. To handle these things well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They
            take `onFulfilled` and `onRejected` handlers and they do not need an intermediate promise for resolving. This removes internal promise allocations
            in major cases and makes promise / async-functions efficient. And we also expose the builtin `then` function as `@then`, and insert an `@isPromise(xxx) && then === @then`
            check to take a fast path. We introduced four types of promise reactions to avoid some of the object allocations. And the microtask reaction is handling these four types.

        5. Avoid creating resolving-functions and promise capabilities

            Resolving functions have an `alreadyResolved` flag to prevent calling `resolve` and `reject` multiple times. For the first resolving function creation, this
            patch embeds one bit flag in JSPromise itself which indicates `alreadyResolved` in the first created resolving functions (resolving functions can be later
            created again for the same promise. In that case, we just create usual resolving functions). By doing so, we avoid unnecessary resolving functions
            and promise capability allocations. We introduce the wrapper functions `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`.
            The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with the calls to these functions, e.g. replacing
            `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`.
            This mechanism will be used to drop JSPromiseDeferred in a separate patch.

        JetStream2/async-fs results.
            ToT:
                Running async-fs:
                    Startup: 116.279
                    Worst Case: 151.515
                    Average: 176.630
                    Score: 145.996
                    Wall time: 0:01.149

            Patched:
                Running async-fs:
                    Startup: 166.667
                    Worst Case: 267.857
                    Average: 299.080
                    Score: 237.235
                    Wall time: 0:00.683

        [1]: https://bugs.webkit.org/show_bug.cgi?id=201159
        [2]: https://bugs.webkit.org/show_bug.cgi?id=201160
        [3]: https://bugs.webkit.org/show_bug.cgi?id=201452
        [4]: https://bugs.webkit.org/show_bug.cgi?id=201158

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/wkbuiltins/builtins_generate_combined_header.py:
        (ConstructAbility):
        (ConstructorKind):
        * Scripts/wkbuiltins/builtins_generate_separate_header.py:
        * Scripts/wkbuiltins/builtins_generator.py:
        (BuiltinsGenerator.generate_embedded_code_data_for_function):
        (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
        * Scripts/wkbuiltins/builtins_model.py:
        (BuiltinFunction.__init__):
        (BuiltinFunction.fromString):
        * Scripts/wkbuiltins/builtins_templates.py:
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (next.try):
        (next):
        (return.try):
        (return):
        (throw.try):
        (throw):
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueIsEmpty):
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (globalPrivate.asyncGeneratorReject):
        (globalPrivate.asyncGeneratorResolve):
        (globalPrivate.asyncGeneratorYield):
        (onRejected):
        (globalPrivate.awaitValue):
        (onFulfilled):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorResumeNext):
        (globalPrivate.asyncGeneratorEnqueue):
        (globalPrivate.asyncGeneratorDequeue): Deleted.
        (const.onRejected): Deleted.
        (const.onFulfilled): Deleted.
        (globalPrivate.asyncGeneratorResumeNext.): Deleted.
        * builtins/BuiltinExecutableCreator.h:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        (JSC::BuiltinExecutables::createExecutable):
        (JSC::createBuiltinExecutable): Deleted.
        * builtins/BuiltinExecutables.h:
        * builtins/BuiltinNames.h:
        * builtins/BuiltinUtils.h:
        * builtins/ModuleLoader.js:
        (forceFulfillPromise):
        * builtins/PromiseConstructor.js:
        (nakedConstructor.Promise.resolve):
        (nakedConstructor.Promise.reject):
        (nakedConstructor.Promise):
        (nakedConstructor.InternalPromise.resolve):
        (nakedConstructor.InternalPromise.reject):
        (nakedConstructor.InternalPromise):
        * builtins/PromiseOperations.js:
        (globalPrivate.newPromiseReaction):
        (globalPrivate.newPromiseCapability):
        (globalPrivate.newHandledRejectedPromise):
        (globalPrivate.triggerPromiseReactions):
        (globalPrivate.resolvePromise):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck):
        (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck):
        (globalPrivate.createResolvingFunctions.resolve):
        (globalPrivate.createResolvingFunctions.reject):
        (globalPrivate.createResolvingFunctions):
        (globalPrivate.promiseReactionJobWithoutPromise):
        (globalPrivate.resolveWithoutPromise):
        (globalPrivate.rejectWithoutPromise):
        (globalPrivate.fulfillWithoutPromise):
        (resolve):
        (reject):
        (globalPrivate.createResolvingFunctionsWithoutPromise):
        (globalPrivate.promiseReactionJob):
        (globalPrivate.promiseResolveThenableJobFast):
        (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
        (globalPrivate.promiseResolveThenableJob):
        (globalPrivate.isPromise): Deleted.
        (globalPrivate.newPromiseCapability.executor): Deleted.
        (globalPrivate.initializePromise): Deleted.
        * builtins/PromisePrototype.js:
        (then):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/Opcode.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromJSType):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitGetPromiseInternalField):
        (JSC::BytecodeGenerator::emitPutPromiseInternalField):
        (JSC::BytecodeGenerator::emitCreatePromise):
        (JSC::BytecodeGenerator::emitNewPromise):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::promiseRegister):
        (JSC::BytecodeGenerator::emitIsPromise):
        (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::promiseInternalFieldIndex):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise):
        (JSC::FunctionNode::emitBytecode):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToNewPromise):
        (JSC::DFG::Node::hasIsInternalPromise):
        (JSC::DFG::Node::isInternalPromise):
        (JSC::DFG::Node::hasInternalFieldIndex):
        (JSC::DFG::Node::internalFieldIndex):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasStructure):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::speculatePromiseObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField):
        (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField):
        (JSC::DFG::SpeculativeJIT::compileCreatePromise):
        (JSC::DFG::SpeculativeJIT::compileNewPromise):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_promise_internal_field):
        (JSC::JIT::emit_op_put_promise_internal_field):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_promise_internal_field):
        (JSC::JIT::emit_op_put_promise_internal_field):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/ConstructAbility.h:
        * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h.
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        (JSC::FunctionRareData::clear):
        * runtime/FunctionRareData.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructureSlow):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSCast.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::enqueueJob):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayProtoValuesFunction const):
        (JSC::JSGlobalObject::promiseProtoThenFunction const):
        (JSC::JSGlobalObject::initializePromiseFunction const): Deleted.
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::createStructure):
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::JSInternalPromiseConstructor::create):
        (JSC::JSInternalPromiseConstructor::createStructure):
        (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
        (JSC::constructPromise): Deleted.
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSInternalPromisePrototype.cpp:
        (JSC::JSInternalPromisePrototype::create):
        * runtime/JSMicrotask.cpp:
        (JSC::createJSMicrotask):
        (JSC::JSMicrotask::run):
        * runtime/JSMicrotask.h:
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::createStructure):
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::visitChildren):
        (JSC::JSPromise::status const):
        (JSC::JSPromise::result const):
        (JSC::JSPromise::isHandled const):
        (JSC::JSPromise::initialize): Deleted.
        * runtime/JSPromise.h:
        (JSC::JSPromise::allocationSize):
        (JSC::JSPromise::offsetOfInternalFields):
        (JSC::JSPromise::offsetOfInternalField):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::create):
        (JSC::JSPromiseConstructor::createStructure):
        (JSC::JSPromiseConstructor::JSPromiseConstructor):
        (JSC::JSPromiseConstructor::finishCreation):
        (JSC::constructPromise): Deleted.
        (JSC::callPromise): Deleted.
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::create):
        (JSC::JSPromisePrototype::finishCreation):
        (JSC::JSPromisePrototype::addOwnInternalSlots):
        * runtime/JSPromisePrototype.h:
        * runtime/JSType.cpp:
        (WTF::printInternal):
        * runtime/JSType.h:

2019-09-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based)
        https://bugs.webkit.org/show_bug.cgi?id=201262
        <rdar://problem/13108764>

        Reviewed by Devin Rousso.

        When interception is enabled, Network requests that match any of the configured
        interception patterns will be paused on the backend and allowed to be modified
        by the frontend.

        Currently the only time a network request can be intercepted is during the
        HTTP response. However, this intercepting interface is meant to extend to
        HTTP requests as well.

        When a response is to be intercepted a new event is sent to the frontend:

          `Network.responseIntercepted` event

        With a `requestId` to identify that network request. The frontend
        must respond with one of the following commands to continue:

          `Network.interceptContinue`     - proceed with the response unmodified
          `Network.interceptWithResponse` - provide a response

        The response is paused in the meantime.

        * inspector/protocol/Network.json:
        New interfaces for intercepting network responses and supplying override content.

        * Scripts/generate-combined-inspector-json.py:
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification.load_specification):
        Complete allowing comments in JSON protocol files.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        Allow optional enums in ObjC interfaces.

2019-09-03  Mark Lam  <mark.lam@apple.com>

        Structure::storedPrototype() and storedPrototypeObject() should assert with isCompilationThread(), not !isMainThread().
        https://bugs.webkit.org/show_bug.cgi?id=201449

        Reviewed by Yusuke Suzuki.

        Using !isMainThread() in the assertion also disables the assertion for the mutator
        of worker threads.  This is not what we intended.

        * runtime/StructureInlines.h:
        (JSC::Structure::storedPrototype const):
        (JSC::Structure::storedPrototypeObject const):

2019-09-04  Mark Lam  <mark.lam@apple.com>

        Disambiguate a symbol used in JSDollarVM.
        https://bugs.webkit.org/show_bug.cgi?id=201466
        <rdar://problem/51826672>

        Reviewed by Tadeu Zagallo.

        This was causing a build issue on some internal builds.

        * tools/JSDollarVM.cpp:

2019-09-03  Mark Lam  <mark.lam@apple.com>

        Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
        https://bugs.webkit.org/show_bug.cgi?id=201309
        <rdar://problem/54832121>

        Reviewed by Yusuke Suzuki.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedBufferImpl):
        (JSC::JSArrayBufferView::possiblySharedBuffer):
        (JSC::JSArrayBufferView::byteOffsetImpl):
        (JSC::JSArrayBufferView::byteOffset):
        (JSC::JSArrayBufferView::byteOffsetConcurrently):

564 2019-09-03  Devin Rousso  <drousso@apple.com>
565
566         Web Inspector: implement blackboxing of script resources
567         https://bugs.webkit.org/show_bug.cgi?id=17240
568         <rdar://problem/5732847>
569
570         Reviewed by Joseph Pecoraro.
571
572         When a script is blackboxed and the debugger attempts to pause in that script, the pause
573         reason/data will be saved and execution will continue until it has left the blackboxed
574         script. Once outside, execution is paused with the saved reason/data.
575
576         This is especially useful when debugging issues using libraries/frameworks, as it allows the
577         developer to "skip" the internal logic of the library/framework and instead focus only on
578         how they're using it.
579
580         * inspector/protocol/Debugger.json:
581         Add `setShouldBlackboxURL` command.
582
583         * inspector/agents/InspectorDebuggerAgent.h:
584         * inspector/agents/InspectorDebuggerAgent.cpp:
585         (Inspector::InspectorDebuggerAgent):
586         (Inspector::InspectorDebuggerAgent::enable):
587         (Inspector::InspectorDebuggerAgent::updatePauseReasonAndData): Added.
588         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
589         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
590         (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): Added.
591         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
592         (Inspector::InspectorDebuggerAgent::didParseSource):
593         (Inspector::InspectorDebuggerAgent::didPause):
594         (Inspector::InspectorDebuggerAgent::didContinue):
595         (Inspector::InspectorDebuggerAgent::breakProgram):
596         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
597         (Inspector::InspectorDebuggerAgent::clearPauseDetails): Added.
598         (Inspector::InspectorDebuggerAgent::clearBreakDetails): Deleted.
599         Renamed "break" to "pause" to match `Debugger` naming.
600
601         * debugger/Debugger.h:
602         * debugger/Debugger.cpp:
603         (JSC::Debugger::pauseIfNeeded):
604         (JSC::Debugger::setBlackboxType): Added.
605         (JSC::Debugger::clearBlackbox): Added.
606         (JSC::Debugger::isBlacklisted const): Deleted.
607         (JSC::Debugger::addToBlacklist): Deleted.
608         (JSC::Debugger::clearBlacklist): Deleted.
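
The deferred-pause behaviour described in this entry, modelled as an added example; this is not WebKit's InspectorDebuggerAgent or Debugger code, and DebuggerModel, Frame, PauseRequest and the example.test URLs are constructed names for illustration. When a pause is requested while the top frame belongs to a blackboxed URL, the request is saved and execution continues; the first statement reached outside a blackboxed script pauses with the saved reason and data.

```cpp
#include <cassert>
#include <iostream>
#include <optional>
#include <set>
#include <string>
#include <vector>

// Constructed model of blackboxing (added example, not WebKit code).

struct Frame {
    std::string url; // script URL of this call frame
};

enum class PauseReason { Breakpoint, Exception, Step };

struct PauseRequest {
    PauseReason reason;
    std::string data; // e.g. a breakpoint identifier; constructed value
};

class DebuggerModel {
public:
    void setShouldBlackboxURL(const std::string& url, bool shouldBlackbox) {
        if (shouldBlackbox)
            m_blackboxedURLs.insert(url);
        else
            m_blackboxedURLs.erase(url);
    }

    bool isBlackboxed(const std::string& url) const {
        return m_blackboxedURLs.count(url) != 0;
    }

    // Called at each statement with the current stack; `request` is set when
    // the debugger wants to pause here. Returns the request to pause with, or
    // nullopt when execution should continue.
    std::optional<PauseRequest> pauseIfNeeded(const std::vector<Frame>& stack,
                                              std::optional<PauseRequest> request) {
        if (stack.empty())
            return std::nullopt;
        const Frame& top = stack.back();
        if (request) {
            if (!isBlackboxed(top.url))
                return request; // pause right away
            // Blackboxed: save the reason/data and keep running.
            m_deferred = request;
            return std::nullopt;
        }
        // No new request: fire a saved pause once we are outside a blackboxed script.
        if (m_deferred && !isBlackboxed(top.url)) {
            std::optional<PauseRequest> saved = m_deferred;
            m_deferred.reset();
            return saved;
        }
        return std::nullopt;
    }

    bool hasDeferredPause() const { return m_deferred.has_value(); }

private:
    std::set<std::string> m_blackboxedURLs;
    std::optional<PauseRequest> m_deferred;
};

// Scenario: a breakpoint inside a blackboxed framework fires, execution
// continues, and the pause lands back in application code with the saved
// reason/data. Returns the URL where the pause finally happened ("" if never).
std::string runBreakpointInBlackboxedLibrary() {
    DebuggerModel debugger;
    debugger.setShouldBlackboxURL("https://example.test/lib/framework.js", true);

    std::vector<Frame> stack = { { "https://example.test/app.js" },
                                 { "https://example.test/lib/framework.js" } };
    PauseRequest breakpoint { PauseReason::Breakpoint, "bp-1" };

    // 1. Breakpoint hit inside framework.js: deferred, not paused.
    if (debugger.pauseIfNeeded(stack, breakpoint))
        return "unexpected-pause";
    // 2. Next statement, still inside the library: keep going.
    if (debugger.pauseIfNeeded(stack, std::nullopt))
        return "unexpected-pause";
    // 3. Library returns into app.js: paused with the saved reason/data.
    stack.pop_back();
    std::optional<PauseRequest> result = debugger.pauseIfNeeded(stack, std::nullopt);
    if (result && result->reason == PauseReason::Breakpoint && result->data == "bp-1")
        return stack.back().url;
    return "";
}

// Scenario: the saved pause survives un-blackboxing the script it was deferred in.
bool deferredPauseFiresAfterUnblackboxing() {
    DebuggerModel debugger;
    debugger.setShouldBlackboxURL("https://example.test/lib.js", true);
    std::vector<Frame> stack = { { "https://example.test/lib.js" } };
    if (debugger.pauseIfNeeded(stack, PauseRequest { PauseReason::Exception, "exc" }))
        return false;
    if (!debugger.hasDeferredPause())
        return false;
    debugger.setShouldBlackboxURL("https://example.test/lib.js", false);
    std::optional<PauseRequest> result = debugger.pauseIfNeeded(stack, std::nullopt);
    return result && result->reason == PauseReason::Exception && result->data == "exc";
}

int main() {
    std::cout << "paused in: " << runBreakpointInBlackboxedLibrary() << "\n";
    std::cout << "deferred pause survives un-blackboxing: "
              << (deferredPauseFiresAfterUnblackboxing() ? "yes" : "no") << "\n";
    return 0;
}
```

The model keeps the saved request in the debugger rather than in the frame, which is what lets the pause surface in the caller's script with the original reason intact.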
609
610 2019-09-03  Mark Lam  <mark.lam@apple.com>
611
612         Remove the need to pass performJITMemcpy as a pointer.
613         https://bugs.webkit.org/show_bug.cgi?id=201413
614
615         Reviewed by Michael Saboff.
616
617         We want performJITMemcpy to always be inlined.  In this patch, we also clean up
618         some template parameters to use enums instead of booleans to better document the
619         intent of the code.
620
621         * assembler/ARM64Assembler.h:
622         (JSC::ARM64Assembler::fillNops):
623         (JSC::ARM64Assembler::linkJump):
624         (JSC::ARM64Assembler::linkCall):
625         (JSC::ARM64Assembler::relinkJump):
626         (JSC::ARM64Assembler::relinkCall):
627         (JSC::ARM64Assembler::link):
628         (JSC::ARM64Assembler::linkJumpOrCall):
629         (JSC::ARM64Assembler::linkCompareAndBranch):
630         (JSC::ARM64Assembler::linkConditionalBranch):
631         (JSC::ARM64Assembler::linkTestAndBranch):
632         (JSC::ARM64Assembler::relinkJumpOrCall):
633         (JSC::ARM64Assembler::CopyFunction::CopyFunction): Deleted.
634         (JSC::ARM64Assembler::CopyFunction::operator()): Deleted.
635         * assembler/ARMv7Assembler.h:
636         (JSC::ARMv7Assembler::fillNops):
637         (JSC::ARMv7Assembler::link):
638         (JSC::ARMv7Assembler::linkJumpT1):
639         (JSC::ARMv7Assembler::linkJumpT2):
640         (JSC::ARMv7Assembler::linkJumpT3):
641         (JSC::ARMv7Assembler::linkJumpT4):
642         (JSC::ARMv7Assembler::linkConditionalJumpT4):
643         (JSC::ARMv7Assembler::linkBX):
644         (JSC::ARMv7Assembler::linkConditionalBX):
645         * assembler/AbstractMacroAssembler.h:
646         (JSC::AbstractMacroAssembler::emitNops):
647         * assembler/LinkBuffer.cpp:
648         (JSC::LinkBuffer::copyCompactAndLinkCode):
649         * assembler/MIPSAssembler.h:
650         (JSC::MIPSAssembler::fillNops):
651         * assembler/MacroAssemblerARM64.h:
652         (JSC::MacroAssemblerARM64::link):
653         * assembler/MacroAssemblerARMv7.h:
654         (JSC::MacroAssemblerARMv7::link):
655         * assembler/X86Assembler.h:
656         (JSC::X86Assembler::fillNops):
657         * jit/ExecutableAllocator.h:
658         (JSC::performJITMemcpy):
659         * runtime/JSCPtrTag.h:
660
661 2019-09-03  Devin Rousso  <drousso@apple.com>
662
663         REGRESSION (r249078): Flaky crash in com.apple.JavaScriptCore: Inspector::InjectedScriptModule::ensureInjected
664         https://bugs.webkit.org/show_bug.cgi?id=201201
665         <rdar://problem/54771560>
666
667         Reviewed by Joseph Pecoraro.
668
669         * inspector/InjectedScriptSource.js:
670         (let.InjectedScript.prototype.injectModule):
671         (let.InjectedScript.prototype._evaluateOn):
672         (CommandLineAPI):
673         (let.InjectedScript.prototype.setInspectObject): Deleted.
674         (let.InjectedScript.prototype.addCommandLineAPIGetter): Deleted.
675         (let.InjectedScript.prototype.addCommandLineAPIMethod.func.toString): Deleted.
676         (let.InjectedScript.prototype.addCommandLineAPIMethod): Deleted.
677         (InjectedScript.CommandLineAPI): Deleted.
678         Allow injected script "extensions" (e.g. CommandLineAPIModuleSource.js) to modify objects
679         directly, instead of having them call functions.
680
681         * inspector/InjectedScriptModule.cpp:
682         (Inspector::InjectedScriptModule::ensureInjected):
683         Make sure to reset `hadException` to `false` before making another call.
684
685 2019-09-03  Yusuke Suzuki  <ysuzuki@apple.com>
686
687         [JSC] Remove BytecodeGenerator::emitPopScope
688         https://bugs.webkit.org/show_bug.cgi?id=201395
689
690         Reviewed by Saam Barati.
691
692         Use emitGetParentScope. And this patch also removes several unnecessary mov bytecode emissions.
693
694         * bytecompiler/BytecodeGenerator.cpp:
695         (JSC::BytecodeGenerator::popLexicalScopeInternal):
696         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
697         (JSC::BytecodeGenerator::emitPopWithScope):
698         (JSC::BytecodeGenerator::emitPopScope): Deleted.
699         * bytecompiler/BytecodeGenerator.h:
700
701 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
702
703         [JSC] Merge op_check_traps into op_enter and op_loop_hint
704         https://bugs.webkit.org/show_bug.cgi?id=201373
705
706         Reviewed by Mark Lam.
707
708         This patch removes op_check_traps. Previously we were conditionally emitting op_check_traps based on Options and Platform configurations.
709         But now we are always emitting op_check_traps. So it is not necessary to have separate bytecode as op_check_traps. We can do checking in
710         op_enter and op_loop_hint.
711
712         While this patch moves check_traps implementation to op_enter and op_loop_hint, we keep separate DFG nodes (CheckTraps or InvalidationPoint),
713         since inserted nodes are different based on configurations and options. And emitting multiple DFG nodes from one bytecode is easy.
714
715         We also inline op_enter's slow path's write-barrier emission in LLInt.
716
717         * bytecode/BytecodeList.rb:
718         * bytecode/BytecodeUseDef.h:
719         (JSC::computeUsesForBytecodeOffset):
720         (JSC::computeDefsForBytecodeOffset):
721         * bytecompiler/BytecodeGenerator.cpp:
722         (JSC::BytecodeGenerator::BytecodeGenerator):
723         (JSC::BytecodeGenerator::emitLoopHint):
724         (JSC::BytecodeGenerator::emitCheckTraps): Deleted.
725         * bytecompiler/BytecodeGenerator.h:
726         * dfg/DFGByteCodeParser.cpp:
727         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
728         (JSC::DFG::ByteCodeParser::parseBlock):
729         * dfg/DFGCapabilities.cpp:
730         (JSC::DFG::capabilityLevel):
731         * jit/JIT.cpp:
732         (JSC::JIT::privateCompileMainPass):
733         (JSC::JIT::privateCompileSlowCases):
734         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
735         * jit/JIT.h:
736         * jit/JITOpcodes.cpp:
737         (JSC::JIT::emit_op_loop_hint):
738         (JSC::JIT::emitSlow_op_loop_hint):
739         (JSC::JIT::emit_op_enter):
740         (JSC::JIT::emitSlow_op_enter):
741         (JSC::JIT::emit_op_check_traps): Deleted.
742         (JSC::JIT::emitSlow_op_check_traps): Deleted.
743         * jit/JITOpcodes32_64.cpp:
744         (JSC::JIT::emit_op_enter): Deleted.
745         * llint/LowLevelInterpreter.asm:
746         * llint/LowLevelInterpreter32_64.asm:
747         * llint/LowLevelInterpreter64.asm:
748         * runtime/CommonSlowPaths.cpp:
749         * runtime/CommonSlowPaths.h:
750
751 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
752
753         [JSC] Fix testb3 debug failures
754         https://bugs.webkit.org/show_bug.cgi?id=201382
755
756         Reviewed by Mark Lam.
757
758         Fix testb3 debug failures due to incorrect types of operations like pointer + int32.
759
760         * b3/testb3_8.cpp:
761         (testByteCopyLoop):
762         (testByteCopyLoopStartIsLoopDependent):
763         (testByteCopyLoopBoundIsLoopDependent):
764
765 2019-09-01  Mark Lam  <mark.lam@apple.com>
766
767         Speculative build fix for ARMv7 and MIPS.
768         https://bugs.webkit.org/show_bug.cgi?id=201389
769
770         Not reviewed.
771
772         * bytecode/CodeBlock.cpp:
773         (JSC::CodeBlock::jettison):
774
775 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
776
777         [JSC] LLInt op should not emit the same code three times
778         https://bugs.webkit.org/show_bug.cgi?id=201370
779
780         Reviewed by Mark Lam.
781
782         LLInt op macro (not llintOp macro) is used to generate some stub code like llint_program_prologue.
783         But now it generates the same code three times for narrow, wide16, and wide32. We should emit code only once.
784
785         * llint/LowLevelInterpreter.asm:
786
787 2019-08-30  Mark Lam  <mark.lam@apple.com>
788
789         Remove some obsolete statements that have no effect.
790         https://bugs.webkit.org/show_bug.cgi?id=201357
791
792         Reviewed by Saam Barati.
793
794         This patch removes 3 statements that look like this:
795
796             result->butterfly(); // Ensure that the butterfly is in to-space.
797
798         The statement just reads a field and does nothing with it.  This is a no-op
799         logic-wise, and the comment that accompanies it is obsolete.
800
801         * dfg/DFGOperations.cpp:
802
803 2019-08-30  Mark Lam  <mark.lam@apple.com>
804
805         Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
806         https://bugs.webkit.org/show_bug.cgi?id=201345
807
808         Reviewed by Yusuke Suzuki.
809
810         This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
811         the wrong pointer for capturing the cell headerWord and zapReason.  As a result,
812         we get junk for those 2 values.
813
814         Previously, we were only capturing the upper 32 bits of the cell header slot,
815         and the lower 32 bits of the next slot in the zapped cell.  We now capture the
816         full 64 bits of both slots.  If the second slot did not contain a zapReason as we
817         expect, the upper 32 bits might give us a clue as to what type of value the slot
818         contains.
819
820         This patch also adds capturing of the found MarkedBlock address for the zapped
821         cell, as well as some state bit values.
822
823         * heap/SlotVisitor.cpp:
824         (JSC::SlotVisitor::reportZappedCellAndCrash):
825
826 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
827
828         [JSC] Generate new.target register only when it is used
829         https://bugs.webkit.org/show_bug.cgi?id=201335
830
831         Reviewed by Mark Lam.
832
833         Since the bytecode generator knows whether the new.target register can be used, we should emit and use the new.target register
834         only when it is actually required.
835
836         * bytecompiler/BytecodeGenerator.cpp:
837         (JSC::BytecodeGenerator::BytecodeGenerator):
838         * bytecompiler/BytecodeGenerator.h:
839         (JSC::BytecodeGenerator::newTarget):
840         * parser/Nodes.h:
841         (JSC::ScopeNode::needsNewTargetRegisterForThisScope const):
842
843 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
844
845         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
846         https://bugs.webkit.org/show_bug.cgi?id=201331
847
848         Reviewed by Mark Lam.
849
850         SimpleJumpTable's non-JIT part is not changed after CodeBlock is finalized well. On the other hand, the JIT-related part is allocated on-demand.
851         For example, ctiOffsets can be grown by Baseline JIT compiler. There is a race condition as follows.
852
853             1. DFG ByteCodeParser is inlining and copying SimpleJumpTable
854             2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable
855
856         Then, (1) reads the broken Vector, and crashes. Since JIT-related part is unnecessary in (1), we should not clone that.
857         This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which only copies non JIT-related part of the given SimpleJumpTable offered
858         by profiled CodeBlock.
859
860         * bytecode/CodeBlock.h:
861         (JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock):
862         * bytecode/JumpTable.h:
863         (JSC::SimpleJumpTable::cloneNonJITPart const):
864         (JSC::SimpleJumpTable::clear):
865         * dfg/DFGByteCodeParser.cpp:
866         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
867
868 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
869
870         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
871         https://bugs.webkit.org/show_bug.cgi?id=201332
872
873         Reviewed by Mark Lam.
874
875         When inlining setter calls in DFG, the result VirtualRegister becomes an invalid one. While other call-related DFG code correctly assumes
876         that `result` may be invalid, only CheckBadCell slow path missed this case. Since this is OSR exit path and VirtualRegister result
877         does not exist, set BottomValue only when "result" is valid as the other DFG code is doing.
878
879         * dfg/DFGByteCodeParser.cpp:
880         (JSC::DFG::ByteCodeParser::handleInlining):
881
882 2019-08-29  Devin Rousso  <drousso@apple.com>
883
884         Web Inspector: Debugger: async event listener stack traces should be available in Workers
885         https://bugs.webkit.org/show_bug.cgi?id=200903
886
887         Reviewed by Joseph Pecoraro.
888
889         * inspector/agents/InspectorDebuggerAgent.h:
890         (Inspector::InspectorDebuggerAgent::enabled): Added.
891         * inspector/agents/InspectorDebuggerAgent.cpp:
892         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
893         (Inspector::InspectorDebuggerAgent::enable):
894         (Inspector::InspectorDebuggerAgent::disable):
895         Allow subclasses to extend what it means for the `InspectorDebuggerAgent` to be `enabled`.
896
897 2019-08-29  Keith Rollin  <krollin@apple.com>
898
899         Update .xcconfig symbols to reflect the current set of past and future product versions.
900         https://bugs.webkit.org/show_bug.cgi?id=200720
901         <rdar://problem/54305032>
902
903         Reviewed by Alex Christensen.
904
905         Remove version symbols related to old OS's we no longer support,
906         ensure that version symbols are defined for OS's we do support.
907
908         * Configurations/Base.xcconfig:
909         * Configurations/DebugRelease.xcconfig:
910         * Configurations/Version.xcconfig:
911
912 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
913
914         [JSC] Repatch should construct CallCases and CasesValue at the same time
915         https://bugs.webkit.org/show_bug.cgi?id=201325
916
917         Reviewed by Saam Barati.
918
919         In linkPolymorphicCall, we should create callCases and casesValue at the same time to assert `callCases.size() == casesValue.size()`.
920         If the call variant is isClosureCall and InternalFunction, we skip adding it to casesValue. So we should not add this variant to callCases too.
921
922         * jit/Repatch.cpp:
923         (JSC::linkPolymorphicCall):
924
925 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
926
927         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
928         https://bugs.webkit.org/show_bug.cgi?id=198650
929
930         Reviewed by Saam Barati.
931
932         Object Allocation Sinking phase has a lightweight abstract interpreter which interprets DFG nodes related to allocations and properties.
933         This interpreter is lightweight since it does not track abstract values and conditions as deeply as AI does. It can happen that this
934         interpreter interprets a control-flow edge that AI proved is never taken.
935         AI already knows some control-flow edges are never taken, and based on this information, AI can remove CheckStructure nodes. But
936         ObjectAllocationSinking phase can trace these never-taken edges and propagate structure information that contradicts the analysis
937         done in ObjectAllocationSinking.
938
939         Let's see the example.
940
941             BB#0
942                 35: NewObject([%AM:Object])
943                 ...
944                 47: Branch(ConstantTrue, T:#1, F:#2)
945
946             BB#1 // This basic block is never taken due to @47's jump.
947                 ...
948                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
949                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
950                 ...
951                 XX: Jump(#2)
952
953             BB#2
954                 ...
955                 92: CheckStructure(@35, [%Dx:Object])
956                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
957                 ...
958
959         AI removes @92 because AI knows BB#0 only takes BB#1 branch. @35's Structure is always %Dx so @92 is redundant.
960         AI proved that @71 and @72 are always executed while BB#0 -> BB#2 edge is never taken so that @35 object's structure is proven at @92.
961         After AI removes @92, ObjectAllocationSinking starts looking into this graph.
962
963             BB#0
964                 35: NewObject([%AM:Object])
965                 ...
966                 47: Branch(ConstantTrue, T:#1, F:#2)
967
968             BB#1 // This basic block is never taken due to @47's jump.
969                 ...
970                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
971                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
972                 ...
973                 XX: Jump(#2)
974
975             BB#2
976                 ...
977                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
978                 ...
979                 YY: Jump(#3)
980
981             BB#3
982                 ...
983                 ZZ: <HERE> want to materialize @35's sunk object.
984
985         Since AI does not change the @47 Branch to Jump (it is OK anyway), BB#0 -> BB#2 edge remains and ObjectAllocationSinking phase propagates information in
986         BB#0's %AM structure information to BB#2. ObjectAllocationSinking phase converts @35 to PhantomNewObject, removes PutByOffset and PutStructure, and
987         inserts MaterializeNewObject in @ZZ. At this point, ObjectAllocationSinking lightweight interpreter gets two structures while AI gets one: @35's original
988         one (%AM) and @72's replaced one (%Dx). Since AI already proved @ZZ only gets %Dx, AI removed @92 CheckStructure. But this is not known to ObjectAllocationSinking
989         phase's interpretation. So when creating recovery data, MultiPutByOffset includes two structures, %AM and %Dx. This is OK since MultiPutByOffset takes a
990         conservative set of structures and performs switching. But the problem here is that %AM's id2{a} offset is -1 since %AM does not have such a property.
991         So when creating MultiPutByOffset in ObjectAllocationSinking, we accidentally create MultiPutByOffset with -1 offset data, and lowering phase hits the debug
992         assertion.
993
994             187: MultiPutByOffset(@138, @138, id2{a}, <Replace: [%AM:Object], offset = -1, >, <Replace: [%Dx:Object], offset = 0, >)
995
996         This bug is harmless since %AM structure comparison never meets at runtime. But we are not considering the case including `-1` offset property in MultiPutByOffset data.
997         In this patch, we just filter out apparently wrong structures when creating MultiPutByOffset in ObjectAllocationSinking. This is OK since it never comes at runtime.
998
999         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1000
1001 2019-08-29  Devin Rousso  <drousso@apple.com>
1002
1003         Web Inspector: DOMDebugger: support event breakpoints in Worker contexts
1004         https://bugs.webkit.org/show_bug.cgi?id=200651
1005
1006         Reviewed by Joseph Pecoraro.
1007
1008         * inspector/protocol/DOMDebugger.json:
1009         Make the domain available in "worker" contexts as well.
1010
1011 2019-08-29  Keith Rollin  <krollin@apple.com>
1012
1013         Remove 32-bit macOS support
1014         https://bugs.webkit.org/show_bug.cgi?id=201282
1015         <rdar://problem/54821667>
1016
1017         Reviewed by Anders Carlsson.
1018
1019         WebKit doesn’t support 32-bit Mac any more, so remove checks and code
1020         for that platform.
1021
1022         * API/JSBase.h:
1023         * runtime/VM.h:
1024
1025 2019-08-29  Keith Rollin  <krollin@apple.com>
1026
1027         Remove support for macOS < 10.13 (part 3)
1028         https://bugs.webkit.org/show_bug.cgi?id=201224
1029         <rdar://problem/54795934>
1030
1031         Reviewed by Darin Adler.
1032
1033         Remove symbols in WebKitTargetConditionals.xcconfig related to macOS
1034         10.13, including WK_MACOS_1013 and WK_MACOS_BEFORE_1013, and suffixes
1035         like _MACOS_SINCE_1013.
1036
1037         * Configurations/WebKitTargetConditionals.xcconfig:
1038
1039 2019-08-29  Mark Lam  <mark.lam@apple.com>
1040
1041         Remove a bad assertion in ByteCodeParser::inlineCall().
1042         https://bugs.webkit.org/show_bug.cgi?id=201292
1043         <rdar://problem/54121659>
1044
1045         Reviewed by Michael Saboff.
1046
1047         In the DFG bytecode parser, we've already computed the inlining cost of a candidate
1048         inlining target, and determine that it is worth inlining before invoking
1049         ByteCodeParser::inlineCall().  However, in ByteCodeParser::inlineCall(), it
1050         recomputes the inlining cost again only for the purpose of asserting that it isn't
1051         too high.
1052
1053         Now consider a badly written test that does the following:
1054
1055             function bar() {
1056                 ...
1057                 foo(); // Call in a hot loop here.
1058                 ...
1059             }
1060
1061             bar(); // <===== foo is inlineable into bar here.
1062             noInline(foo); // <===== Change mind, and make foo not inlineable.
1063             bar();
1064
1065         With this bad test, the following racy scenario can occur:
1066
1067         1. the first invocation of bar() gets hot, and a concurrent compile is kicked off.
1068         2. the compiler thread computes foo()'s inliningCost() and determines that it is
1069            worthy to be inlined, and will imminently call inlineCall().
1070         3. the mutator calls the noInline() test utility on foo(), thereby making it NOT
1071            inlineable.
1072         4. the compiler thread calls inlineCall().  In inlineCall(), it re-computes the
1073            inliningCost for foo() and now finds that it is not inlineable.  An assertion
1074            failure follows.
1075
1076         Technically, the test is in error because noInline() shouldn't be used that way.
1077         However, fuzzers that are not clued into noInline()'s proper usage may generate
1078         code like this.
1079
1080         On the other hand, ByteCodeParser::inlineCall() should not be recomputing the
1081         inlining cost and asserting on it.  The only reason inlineCall() is invoked is
1082         because it was already previously determined that a target function is inlineable
1083         based on its inlining cost.  Today, in practice, I don't think we have any real
1084         world condition where the mutator can affect the inlining cost of a target
1085         function midway through execution.  So, this assertion isn't a problem if no one
1086         writes a test that abuses noInline().  However, should things change such that the
1087         mutator is able to affect the inlining cost of a target function, then it is
1088         incorrect for the compiler to assume that the inlining cost is immutable.  Once
1089         the compiler decides to inline a function, it should just follow through.
1090
1091         This patch removes this assertion in ByteCodeParser::inlineCall().  It is an
1092         annoyance at best (for fuzzers), and at worst, incorrect if the mutator gains the
1093         ability to affect the inlining cost of a target function.
1094
1095         * dfg/DFGByteCodeParser.cpp:
1096         (JSC::DFG::ByteCodeParser::inlineCall):
1097
1098 2019-08-28  Mark Lam  <mark.lam@apple.com>
1099
1100         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
1101         https://bugs.webkit.org/show_bug.cgi?id=201281
1102         <rdar://problem/54028228>
1103
1104         Reviewed by Yusuke Suzuki and Saam Barati.
1105
1106         This (see title above) is already the preferred idiom used in most places in our
1107         compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
1108         compileStringCharAt().  Consider the following:
1109
1110             bool prototypeChainIsSane = false;
1111             if (globalObject->stringPrototypeChainIsSane()) {
1112                 ...
1113                 m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm()));
1114                 m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm()));
1115
1116                 prototypeChainIsSane = globalObject->stringPrototypeChainIsSane();
1117             }
1118
1119         What's essential for correctness here is that the stringPrototype and objectPrototype
1120         structures be loaded before the loads in the second stringPrototypeChainIsSane()
1121         check.  Without a loadLoadFence before the second stringPrototypeChainIsSane()
1122         check, we can't guarantee that.  Elsewhere in the compiler, the preferred idiom
1123         for doing this right is to pre-load the structures first, do a loadLoadFence, and
1124         then do the IsSane check just once after e.g.
1125
1126             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm);
1127             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm);
1128
1129             if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
1130                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
1131                 && globalObject->arrayPrototypeChainIsSane()) {
1132
1133                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1134                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1135                 ...
1136             }
1137
1138         This patch changes DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
1139         compileStringCharAt() to follow the same idiom.
1140
1141         We also fix a bad assertion in Structure::storedPrototype() and
1142         Structure::storedPrototypeObject().  The assertion is only correct when those
1143         methods are called from the mutator thread.  The assertion has been updated to
1144         only check its test condition if the current thread is the mutator thread.
1145
1146         * dfg/DFGSpeculativeJIT.cpp:
1147         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1148         * ftl/FTLLowerDFGToB3.cpp:
1149         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1150         * runtime/StructureInlines.h:
1151         (JSC::Structure::storedPrototype const):
1152         (JSC::Structure::storedPrototypeObject const):
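
The idiom this entry recommends, written out as an added example with std::atomic stand-ins; these are not the WebKit Structure or JSGlobalObject types, and Structure, GlobalObject, Graph and tryWatchStringPrototypeChain are constructed names. The structure pointers are loaded first, each watchpoint set is checked with an acquire load (the loadLoadFence), and only then is the IsSane flag read, once; the acquire loads keep the IsSane load from being reordered ahead of the structure reads.

```cpp
#include <atomic>
#include <cassert>
#include <iostream>

// Added example modelling the prefetch-then-fence idiom (not WebKit code).

struct Structure {
    // Stays true until the mutator transitions away from this structure.
    // Written by the mutator thread, read by the concurrent compiler thread.
    std::atomic<bool> transitionWatchpointValid { true };

    bool transitionWatchpointSetIsStillValid() const {
        // Acquire load: no later load in this thread may be reordered before it,
        // and everything published before the invalidating release store is visible.
        return transitionWatchpointValid.load(std::memory_order_acquire);
    }

    void invalidate() {
        transitionWatchpointValid.store(false, std::memory_order_release);
    }
};

struct GlobalObject {
    std::atomic<Structure*> stringPrototypeStructure { nullptr };
    std::atomic<Structure*> objectPrototypeStructure { nullptr };
    std::atomic<bool> stringPrototypeChainSane { true };

    bool stringPrototypeChainIsSane() const {
        return stringPrototypeChainSane.load(std::memory_order_acquire);
    }
};

struct Graph {
    int watchedStructures = 0;
    void registerAndWatchStructureTransition(Structure*) { ++watchedStructures; }
};

// The corrected idiom: snapshot the structure pointers, check each watchpoint
// set with an acquire load, then consult IsSane exactly once. Returns true when
// the compiler may rely on the sane chain and has registered watches on the
// very structures it loaded.
bool tryWatchStringPrototypeChain(GlobalObject& globalObject, Graph& graph) {
    Structure* stringProto = globalObject.stringPrototypeStructure.load(std::memory_order_relaxed);
    Structure* objectProto = globalObject.objectPrototypeStructure.load(std::memory_order_relaxed);
    if (!stringProto || !objectProto)
        return false;

    if (stringProto->transitionWatchpointSetIsStillValid()   // has an acquire fence
        && objectProto->transitionWatchpointSetIsStillValid() // has an acquire fence
        && globalObject.stringPrototypeChainIsSane()) {
        graph.registerAndWatchStructureTransition(stringProto);
        graph.registerAndWatchStructureTransition(objectProto);
        return true;
    }
    return false;
}

// Scenario: a valid chain is watched; after one structure's watchpoint set is
// invalidated, the same call refuses to watch anything. Returns true when both
// halves behave as expected.
bool invalidatedStructureIsNotWatched() {
    Structure stringProto;
    Structure objectProto;
    GlobalObject globalObject;
    globalObject.stringPrototypeStructure = &stringProto;
    globalObject.objectPrototypeStructure = &objectProto;

    Graph before;
    if (!tryWatchStringPrototypeChain(globalObject, before) || before.watchedStructures != 2)
        return false;

    stringProto.invalidate(); // mutator transitioned away from this structure
    Graph after;
    if (tryWatchStringPrototypeChain(globalObject, after) || after.watchedStructures != 0)
        return false;
    return true;
}

int main() {
    std::cout << "invalidated structure is not watched: "
              << (invalidatedStructureIsNotWatched() ? "yes" : "no") << "\n";
    return 0;
}
```

The point of the ordering is that the watches are registered on exactly the structure objects whose validity was observed; checking IsSane first and loading the structures afterwards could pair a stale sanity result with structures that have since transitioned.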
1153
1154 2019-08-28  Mark Lam  <mark.lam@apple.com>
1155
1156         Placate exception check validation in DFG's operationHasGenericProperty().
1157         https://bugs.webkit.org/show_bug.cgi?id=201245
1158         <rdar://problem/54777512>
1159
1160         Reviewed by Robin Morisset.
1161
1162         * dfg/DFGOperations.cpp:
1163
1164 2019-08-28  Ross Kirsling  <ross.kirsling@sony.com>
1165
1166         Unreviewed. Restabilize non-unified build.
1167
1168         * runtime/PropertySlot.h:
1169
1170 2019-08-28  Mark Lam  <mark.lam@apple.com>
1171
1172         Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks.
1173         https://bugs.webkit.org/show_bug.cgi?id=201006
1174         <rdar://problem/52053991>
1175
1176         Reviewed by Yusuke Suzuki.
1177
1178         We already ensured that it is not possible to overflow in Wasm::FunctionParser's
1179         parse().  It is unnecessary and misleading to do those overflow checks in
1180         AirIRGenerator and B3IRGenerator.  The only check that is necessary is that
1181         m_locals.tryReserveCapacity() is successful, otherwise, we have an out of memory
1182         situation.
1183
1184         This patch changes these unnecessary checks to assertions instead.
1185
1186         * wasm/WasmAirIRGenerator.cpp:
1187         (JSC::Wasm::AirIRGenerator::addLocal):
1188         * wasm/WasmB3IRGenerator.cpp:
1189         (JSC::Wasm::B3IRGenerator::addLocal):
1190         * wasm/WasmValidate.cpp:
1191         (JSC::Wasm::Validate::addLocal):
1192
1193 2019-08-28  Keith Rollin  <krollin@apple.com>
1194
1195         Remove support for macOS < 10.13 (part 2)
1196         https://bugs.webkit.org/show_bug.cgi?id=201197
1197         <rdar://problem/54759985>
1198
1199         Update conditionals that reference WK_MACOS_1013 and suffixes like
1200         _MACOS_SINCE_1013, assuming that we're always building on 10.13 or
1201         later and that these conditionals are always True or False.
1202
1203         See Bug 200694 for earlier changes in this area.
1204
1205         Reviewed by Darin Adler.
1206
1207         * Configurations/FeatureDefines.xcconfig:
1208
1209 2019-08-28  Mark Lam  <mark.lam@apple.com>
1210
1211         Gardening: Rebase test results after r249175.
1212         https://bugs.webkit.org/show_bug.cgi?id=201172
1213
1214         Not reviewed.
1215
1216         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1217         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1218         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1219         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1220         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1221         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1222         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1223
1224 2019-08-27  Michael Saboff  <msaboff@apple.com>
1225
1226         Update PACCage changes for builds without Gigacage, but with signed pointers
1227         https://bugs.webkit.org/show_bug.cgi?id=201202
1228
1229         Reviewed by Saam Barati.
1230
1231         Factored out the untagging of pointers and added that to both the Gigacage enabled
1232         and disabled code paths.  Did this for the LLInt as well as the JITs.
1233
1234         * JavaScriptCore.xcodeproj/project.pbxproj: Added arm64e.rb to offlineasm file list.
1235         * dfg/DFGSpeculativeJIT.cpp:
1236         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1237         * ftl/FTLLowerDFGToB3.cpp:
1238         (JSC::FTL::DFG::LowerDFGToB3::caged):
1239         * llint/LowLevelInterpreter64.asm:
1240
1241 2019-08-27  Mark Lam  <mark.lam@apple.com>
1242
1243         Refactor to use VM& instead of VM* at as many places as possible.
1244         https://bugs.webkit.org/show_bug.cgi?id=201172
1245
1246         Reviewed by Yusuke Suzuki.
1247
1248         Using VM& documents more clearly that the VM pointer is expected to never be null
1249         in most cases.  There are a few places where it can be null (e.g. JSLock, and
1250         DFG::Plan).  Those will be left using a VM*.
1251
1252         Also converted some uses of ExecState* to using VM& instead since the ExecState*
1253         is only there to fetch the VM pointer.  Doing this also reduces the number of
1254         times we have to compute VM* from ExecState*.
1255
1256         This patch is not exhaustive in converting to use VM&, but applies the change to
1257         many commonly used pieces of code for a start.
1258
1259         Also fixed a missing exception check in JSString::toIdentifier() and
1260         JSValue::toPropertyKey() exposed by this patch.
1261
1262         * API/APICast.h:
1263         (toJS):
1264         * API/JSAPIGlobalObject.mm:
1265         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
1266         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1267         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
1268         (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
1269         (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule):
1270         * API/JSCallbackConstructor.cpp:
1271         (JSC::JSCallbackConstructor::finishCreation):
1272         * API/JSCallbackObjectFunctions.h:
1273         (JSC::JSCallbackObject<Parent>::asCallbackObject):
1274         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
1275         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
1276         (JSC::JSCallbackObject<Parent>::putByIndex):
1277         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
1278         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1279         * API/JSContext.mm:
1280         (-[JSContext dependencyIdentifiersForModuleJSScript:]):
1281         * API/JSObjectRef.cpp:
1282         (JSObjectMakeFunction):
1283         (classInfoPrivate):
1284         (JSObjectGetPrivate):
1285         (JSObjectSetPrivate):
1286         (JSObjectCopyPropertyNames):
1287         (JSPropertyNameAccumulatorAddName):
1288         (JSObjectGetProxyTarget):
1289         * API/JSScriptRef.cpp:
1290         (parseScript):
1291         * API/JSValueRef.cpp:
1292         (JSValueMakeString):
1293         * API/OpaqueJSString.cpp:
1294         (OpaqueJSString::identifier const):
1295         * API/glib/JSCContext.cpp:
1296         (jsc_context_check_syntax):
1297         * KeywordLookupGenerator.py:
1298         (Trie.printSubTreeAsC):
1299         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py:
1300         (BuiltinsWrapperHeaderGenerator.generate_constructor):
1301         * Scripts/wkbuiltins/builtins_templates.py:
1302         * bindings/ScriptFunctionCall.cpp:
1303         (Deprecated::ScriptCallArgumentHandler::appendArgument):
1304         (Deprecated::ScriptFunctionCall::call):
1305         * bindings/ScriptValue.cpp:
1306         (Inspector::jsToInspectorValue):
1307         * builtins/BuiltinExecutables.cpp:
1308         (JSC::BuiltinExecutables::createExecutable):
1309         * builtins/BuiltinNames.cpp:
1310         (JSC::BuiltinNames::BuiltinNames):
1311         * builtins/BuiltinNames.h:
1312         (JSC::BuiltinNames::getPublicName const):
1313         * bytecode/BytecodeDumper.cpp:
1314         (JSC::BytecodeDumper<Block>::vm const):
1315         * bytecode/BytecodeDumper.h:
1316         * bytecode/BytecodeGeneratorification.cpp:
1317         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
1318         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
1319         (JSC::BytecodeGeneratorification::run):
1320         * bytecode/BytecodeIntrinsicRegistry.cpp:
1321         (JSC::BytecodeIntrinsicRegistry::sentinelMapBucketValue):
1322         (JSC::BytecodeIntrinsicRegistry::sentinelSetBucketValue):
1323         * bytecode/CallVariant.h:
1324         (JSC::CallVariant::internalFunction const):
1325         (JSC::CallVariant::function const):
1326         (JSC::CallVariant::isClosureCall const):
1327         (JSC::CallVariant::executable const):
1328         (JSC::CallVariant::functionExecutable const):
1329         (JSC::CallVariant::nativeExecutable const):
1330         * bytecode/CodeBlock.cpp:
1331         (JSC::CodeBlock::dumpSource):
1332         (JSC::CodeBlock::CodeBlock):
1333         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1334         (JSC::CodeBlock::setNumParameters):
1335         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
1336         (JSC::CodeBlock::unlinkIncomingCalls):
1337         (JSC::CodeBlock::replacement):
1338         (JSC::CodeBlock::computeCapabilityLevel):
1339         (JSC::CodeBlock::noticeIncomingCall):
1340         (JSC::CodeBlock::nameForRegister):
1341         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1342         * bytecode/CodeBlock.h:
1343         (JSC::CodeBlock::vm const):
1344         (JSC::CodeBlock::numberOfArgumentValueProfiles):
1345         (JSC::CodeBlock::valueProfileForArgument):
1346         * bytecode/DeferredSourceDump.cpp:
1347         (JSC::DeferredSourceDump::DeferredSourceDump):
1348         * bytecode/EvalCodeBlock.h:
1349         * bytecode/FunctionCodeBlock.h:
1350         * bytecode/GetByIdStatus.cpp:
1351         (JSC::GetByIdStatus::computeFromLLInt):
1352         * bytecode/GlobalCodeBlock.h:
1353         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1354         * bytecode/ModuleProgramCodeBlock.h:
1355         * bytecode/ObjectAllocationProfileInlines.h:
1356         (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount):
1357         * bytecode/PolyProtoAccessChain.cpp:
1358         (JSC::PolyProtoAccessChain::create):
1359         * bytecode/ProgramCodeBlock.h:
1360         * bytecode/PropertyCondition.cpp:
1361         (JSC::PropertyCondition::isWatchableWhenValid const):
1362         * bytecode/PutByIdStatus.cpp:
1363         (JSC::PutByIdStatus::computeFromLLInt):
1364         * bytecode/StructureStubInfo.cpp:
1365         (JSC::StructureStubInfo::initGetByIdSelf):
1366         (JSC::StructureStubInfo::initPutByIdReplace):
1367         (JSC::StructureStubInfo::initInByIdSelf):
1368         (JSC::StructureStubInfo::addAccessCase):
1369         (JSC::StructureStubInfo::visitWeakReferences):
1370         * bytecode/UnlinkedCodeBlock.cpp:
1371         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1372         * bytecode/UnlinkedCodeBlock.h:
1373         (JSC::UnlinkedCodeBlock::addSetConstant):
1374         (JSC::UnlinkedCodeBlock::addConstant):
1375         (JSC::UnlinkedCodeBlock::addFunctionDecl):
1376         (JSC::UnlinkedCodeBlock::addFunctionExpr):
1377         * bytecode/UnlinkedEvalCodeBlock.h:
1378         * bytecode/UnlinkedFunctionCodeBlock.h:
1379         * bytecode/UnlinkedFunctionExecutable.cpp:
1380         (JSC::generateUnlinkedFunctionCodeBlock):
1381         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1382         * bytecode/UnlinkedFunctionExecutable.h:
1383         * bytecode/UnlinkedGlobalCodeBlock.h:
1384         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1385         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1386         * bytecode/UnlinkedProgramCodeBlock.h:
1387         * bytecompiler/BytecodeGenerator.cpp:
1388         (JSC::BytecodeGenerator::BytecodeGenerator):
1389         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1390         (JSC::BytecodeGenerator::emitDirectPutById):
1391         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1392         (JSC::BytecodeGenerator::addBigIntConstant):
1393         (JSC::BytecodeGenerator::addTemplateObjectConstant):
1394         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
1395         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
1396         * bytecompiler/BytecodeGenerator.h:
1397         (JSC::BytecodeGenerator::vm const):
1398         (JSC::BytecodeGenerator::propertyNames const):
1399         (JSC::BytecodeGenerator::emitNodeInTailPosition):
1400         (JSC::BytecodeGenerator::emitDefineClassElements):
1401         (JSC::BytecodeGenerator::emitNodeInConditionContext):
1402         * bytecompiler/NodesCodegen.cpp:
1403         (JSC::RegExpNode::emitBytecode):
1404         (JSC::ArrayNode::emitBytecode):
1405         (JSC::FunctionCallResolveNode::emitBytecode):
1406         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1407         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1408         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
1409         (JSC::InstanceOfNode::emitBytecode):
1410         * debugger/Debugger.cpp:
1411         * debugger/DebuggerParseData.cpp:
1412         (JSC::gatherDebuggerParseData):
1413         * debugger/DebuggerScope.cpp:
1414         (JSC::DebuggerScope::next):
1415         (JSC::DebuggerScope::name const):
1416         (JSC::DebuggerScope::location const):
1417         * dfg/DFGDesiredIdentifiers.cpp:
1418         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1419         * dfg/DFGDesiredWatchpoints.cpp:
1420         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
1421         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
1422         * dfg/DFGFrozenValue.h:
1423         (JSC::DFG::FrozenValue::FrozenValue):
1424         * dfg/DFGGraph.cpp:
1425         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
1426         * dfg/DFGJITCompiler.cpp:
1427         (JSC::DFG::JITCompiler::linkOSRExits):
1428         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1429         (JSC::DFG::JITCompiler::link):
1430         (JSC::DFG::emitStackOverflowCheck):
1431         (JSC::DFG::JITCompiler::compileFunction):
1432         (JSC::DFG::JITCompiler::exceptionCheck):
1433         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
1434         * dfg/DFGJITCompiler.h:
1435         (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
1436         (JSC::DFG::JITCompiler::fastExceptionCheck):
1437         (JSC::DFG::JITCompiler::vm):
1438         * dfg/DFGLazyJSValue.cpp:
1439         (JSC::DFG::LazyJSValue::getValue const):
1440         (JSC::DFG::LazyJSValue::emit const):
1441         * dfg/DFGOSREntry.cpp:
1442         (JSC::DFG::prepareOSREntry):
1443         * dfg/DFGOSRExit.cpp:
1444         (JSC::DFG::OSRExit::compileOSRExit):
1445         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
1446         * dfg/DFGOSRExitCompilerCommon.h:
1447         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
1448         * dfg/DFGOperations.cpp:
1449         (JSC::DFG::newTypedArrayWithSize):
1450         (JSC::DFG::binaryOp):
1451         (JSC::DFG::bitwiseBinaryOp):
1452         * dfg/DFGPlan.cpp:
1453         (JSC::DFG::Plan::Plan):
1454         * dfg/DFGSpeculativeJIT.cpp:
1455         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1456         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1457         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1458         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
1459         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1460         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1461         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
1462         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
1463         (JSC::DFG::SpeculativeJIT::emitStringBranch):
1464         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
1465         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1466         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
1467         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1468         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1469         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1470         (JSC::DFG::SpeculativeJIT::compileSpread):
1471         (JSC::DFG::SpeculativeJIT::compileNewArray):
1472         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1473         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1474         (JSC::DFG::SpeculativeJIT::compileArrayPush):
1475         (JSC::DFG::SpeculativeJIT::compileTypeOf):
1476         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1477         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1478         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
1479         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1480         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1481         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1482         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1483         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
1484         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1485         (JSC::DFG::SpeculativeJIT::compileStringReplace):
1486         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
1487         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1488         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1489         (JSC::DFG::SpeculativeJIT::compileObjectKeys):
1490         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1491         (JSC::DFG::SpeculativeJIT::compileNewObject):
1492         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
1493         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
1494         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
1495         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1496         (JSC::DFG::SpeculativeJIT::compileProfileType):
1497         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1498         * dfg/DFGSpeculativeJIT.h:
1499         (JSC::DFG::SpeculativeJIT::vm):
1500         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
1501         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1502         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1503         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
1504         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1505         * dfg/DFGSpeculativeJIT32_64.cpp:
1506         (JSC::DFG::SpeculativeJIT::emitCall):
1507         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1508         (JSC::DFG::SpeculativeJIT::emitBranch):
1509         (JSC::DFG::SpeculativeJIT::compile):
1510         * dfg/DFGSpeculativeJIT64.cpp:
1511         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1512         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1513         (JSC::DFG::SpeculativeJIT::emitCall):
1514         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1515         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1516         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1517         (JSC::DFG::SpeculativeJIT::emitBranch):
1518         (JSC::DFG::SpeculativeJIT::compile):
1519         * dfg/DFGThunks.cpp:
1520         (JSC::DFG::osrExitThunkGenerator):
1521         (JSC::DFG::osrExitGenerationThunkGenerator):
1522         (JSC::DFG::osrEntryThunkGenerator):
1523         * dfg/DFGThunks.h:
1524         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
1525         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
1526         * dfg/DFGWorklist.cpp:
1527         (JSC::DFG::Worklist::visitWeakReferences):
1528         * dynbench.cpp:
1529         (main):
1530         * ftl/FTLLowerDFGToB3.cpp:
1531         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1532         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1533         (JSC::FTL::DFG::LowerDFGToB3::boolify):
1534         * ftl/FTLThunks.cpp:
1535         (JSC::FTL::genericGenerationThunkGenerator):
1536         (JSC::FTL::osrExitGenerationThunkGenerator):
1537         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1538         * ftl/FTLThunks.h:
1539         * heap/CellContainer.h:
1540         * heap/CellContainerInlines.h:
1541         (JSC::CellContainer::vm const):
1542         (JSC::CellContainer::heap const):
1543         * heap/CompleteSubspace.cpp:
1544         (JSC::CompleteSubspace::tryAllocateSlow):
1545         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
1546         * heap/GCActivityCallback.h:
1547         * heap/GCAssertions.h:
1548         * heap/HandleSet.cpp:
1549         (JSC::HandleSet::HandleSet):
1550         * heap/HandleSet.h:
1551         (JSC::HandleSet::vm):
1552         * heap/Heap.cpp:
1553         (JSC::Heap::Heap):
1554         (JSC::Heap::lastChanceToFinalize):
1555         (JSC::Heap::releaseDelayedReleasedObjects):
1556         (JSC::Heap::protect):
1557         (JSC::Heap::unprotect):
1558         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
1559         (JSC::Heap::finalizeUnconditionalFinalizers):
1560         (JSC::Heap::completeAllJITPlans):
1561         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
1562         (JSC::Heap::gatherJSStackRoots):
1563         (JSC::Heap::gatherScratchBufferRoots):
1564         (JSC::Heap::removeDeadCompilerWorklistEntries):
1565         (JSC::Heap::isAnalyzingHeap const):
1566         (JSC::Heap::gatherExtraHeapData):
1567         (JSC::Heap::protectedObjectTypeCounts):
1568         (JSC::Heap::objectTypeCounts):
1569         (JSC::Heap::deleteAllCodeBlocks):
1570         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
1571         (JSC::Heap::deleteUnmarkedCompiledCode):
1572         (JSC::Heap::checkConn):
1573         (JSC::Heap::runEndPhase):
1574         (JSC::Heap::stopThePeriphery):
1575         (JSC::Heap::finalize):
1576         (JSC::Heap::requestCollection):
1577         (JSC::Heap::sweepInFinalize):
1578         (JSC::Heap::sweepArrayBuffers):
1579         (JSC::Heap::deleteSourceProviderCaches):
1580         (JSC::Heap::didFinishCollection):
1581         (JSC::Heap::addCoreConstraints):
1582         * heap/Heap.h:
1583         * heap/HeapCell.h:
1584         * heap/HeapCellInlines.h:
1585         (JSC::HeapCell::heap const):
1586         (JSC::HeapCell::vm const):
1587         * heap/HeapInlines.h:
1588         (JSC::Heap::vm const):
1589         * heap/IsoSubspacePerVM.cpp:
1590         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
1591         * heap/LargeAllocation.cpp:
1592         (JSC::LargeAllocation::sweep):
1593         (JSC::LargeAllocation::assertValidCell const):
1594         * heap/LargeAllocation.h:
1595         (JSC::LargeAllocation::vm const):
1596         * heap/LocalAllocator.cpp:
1597         (JSC::LocalAllocator::allocateSlowCase):
1598         * heap/MarkedBlock.cpp:
1599         (JSC::MarkedBlock::Handle::Handle):
1600         (JSC::MarkedBlock::aboutToMarkSlow):
1601         (JSC::MarkedBlock::assertMarksNotStale):
1602         (JSC::MarkedBlock::areMarksStale):
1603         (JSC::MarkedBlock::isMarked):
1604         (JSC::MarkedBlock::assertValidCell const):
1605         * heap/MarkedBlock.h:
1606         (JSC::MarkedBlock::Handle::vm const):
1607         (JSC::MarkedBlock::vm const):
1608         * heap/MarkedBlockInlines.h:
1609         (JSC::MarkedBlock::heap const):
1610         (JSC::MarkedBlock::Handle::specializedSweep):
1611         * heap/SlotVisitor.cpp:
1612         (JSC::validate):
1613         * heap/SlotVisitorInlines.h:
1614         (JSC::SlotVisitor::vm):
1615         (JSC::SlotVisitor::vm const):
1616         * heap/StopIfNecessaryTimer.cpp:
1617         (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer):
1618         * heap/StopIfNecessaryTimer.h:
1619         * heap/Strong.h:
1620         (JSC::Strong::operator=):
1621         * heap/WeakSet.h:
1622         (JSC::WeakSet::WeakSet):
1623         (JSC::WeakSet::vm const):
1624         * inspector/JSInjectedScriptHost.cpp:
1625         (Inspector::JSInjectedScriptHost::savedResultAlias const):
1626         (Inspector::JSInjectedScriptHost::internalConstructorName):
1627         (Inspector::JSInjectedScriptHost::subtype):
1628         (Inspector::JSInjectedScriptHost::functionDetails):
1629         (Inspector::constructInternalProperty):
1630         (Inspector::JSInjectedScriptHost::getInternalProperties):
1631         (Inspector::JSInjectedScriptHost::weakMapEntries):
1632         (Inspector::JSInjectedScriptHost::weakSetEntries):
1633         (Inspector::JSInjectedScriptHost::iteratorEntries):
1634         (Inspector::JSInjectedScriptHost::queryInstances):
1635         (Inspector::JSInjectedScriptHost::queryHolders):
1636         * inspector/JSJavaScriptCallFrame.cpp:
1637         (Inspector::valueForScopeLocation):
1638         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
1639         (Inspector::JSJavaScriptCallFrame::functionName const):
1640         (Inspector::JSJavaScriptCallFrame::type const):
1641         * inspector/ScriptCallStackFactory.cpp:
1642         (Inspector::extractSourceInformationFromException):
1643         * inspector/agents/InspectorAuditAgent.cpp:
1644         (Inspector::InspectorAuditAgent::populateAuditObject):
1645         * inspector/agents/InspectorHeapAgent.cpp:
1646         (Inspector::InspectorHeapAgent::gc):
1647         * interpreter/FrameTracers.h:
1648         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1649         * interpreter/Interpreter.cpp:
1650         (JSC::Interpreter::executeProgram):
1651         (JSC::Interpreter::prepareForRepeatCall):
1652         (JSC::Interpreter::execute):
1653         (JSC::Interpreter::executeModuleProgram):
1654         * interpreter/StackVisitor.cpp:
1655         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1656         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1657         * jit/AssemblyHelpers.cpp:
1658         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1659         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
1660         (JSC::AssemblyHelpers::branchIfValue):
1661         * jit/AssemblyHelpers.h:
1662         (JSC::AssemblyHelpers::vm):
1663         * jit/JIT.cpp:
1664         (JSC::JIT::JIT):
1665         (JSC::JIT::emitEnterOptimizationCheck):
1666         (JSC::JIT::privateCompileMainPass):
1667         (JSC::JIT::privateCompileExceptionHandlers):
1668         * jit/JIT.h:
1669         * jit/JITCall.cpp:
1670         (JSC::JIT::compileCallEvalSlowCase):
1671         * jit/JITCall32_64.cpp:
1672         (JSC::JIT::compileCallEvalSlowCase):
1673         * jit/JITExceptions.cpp:
1674         (JSC::genericUnwind):
1675         * jit/JITExceptions.h:
1676         * jit/JITInlineCacheGenerator.cpp:
1677         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1678         * jit/JITOpcodes.cpp:
1679         (JSC::JIT::emit_op_is_undefined):
1680         (JSC::JIT::emit_op_jfalse):
1681         (JSC::JIT::emit_op_jeq_null):
1682         (JSC::JIT::emit_op_jneq_null):
1683         (JSC::JIT::emit_op_jtrue):
1684         (JSC::JIT::emit_op_throw):
1685         (JSC::JIT::emit_op_catch):
1686         (JSC::JIT::emit_op_eq_null):
1687         (JSC::JIT::emit_op_neq_null):
1688         (JSC::JIT::emitSlow_op_loop_hint):
1689         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1690         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1691         * jit/JITOpcodes32_64.cpp:
1692         (JSC::JIT::emit_op_jfalse):
1693         (JSC::JIT::emit_op_jtrue):
1694         (JSC::JIT::emit_op_throw):
1695         (JSC::JIT::emit_op_catch):
1696         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1697         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1698         * jit/JITOperations.cpp:
1699         (JSC::operationNewFunctionCommon):
1700         (JSC::tryGetByValOptimize):
1701         * jit/JITPropertyAccess.cpp:
1702         (JSC::JIT::emitWriteBarrier):
1703         * jit/JITThunks.cpp:
1704         (JSC::JITThunks::ctiNativeCall):
1705         (JSC::JITThunks::ctiNativeConstruct):
1706         (JSC::JITThunks::ctiNativeTailCall):
1707         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
1708         (JSC::JITThunks::ctiInternalFunctionCall):
1709         (JSC::JITThunks::ctiInternalFunctionConstruct):
1710         (JSC::JITThunks::ctiStub):
1711         (JSC::JITThunks::hostFunctionStub):
1712         * jit/JITThunks.h:
1713         * jit/JITWorklist.cpp:
1714         (JSC::JITWorklist::Plan::vm):
1715         (JSC::JITWorklist::completeAllForVM):
1716         (JSC::JITWorklist::poll):
1717         (JSC::JITWorklist::compileLater):
1718         (JSC::JITWorklist::compileNow):
1719         * jit/Repatch.cpp:
1720         (JSC::readPutICCallTarget):
1721         (JSC::ftlThunkAwareRepatchCall):
1722         (JSC::linkSlowFor):
1723         (JSC::linkFor):
1724         (JSC::linkDirectFor):
1725         (JSC::revertCall):
1726         (JSC::unlinkFor):
1727         (JSC::linkVirtualFor):
1728         (JSC::linkPolymorphicCall):
1729         * jit/SpecializedThunkJIT.h:
1730         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
1731         * jit/ThunkGenerator.h:
1732         * jit/ThunkGenerators.cpp:
1733         (JSC::throwExceptionFromCallSlowPathGenerator):
1734         (JSC::slowPathFor):
1735         (JSC::linkCallThunkGenerator):
1736         (JSC::linkPolymorphicCallThunkGenerator):
1737         (JSC::virtualThunkFor):
1738         (JSC::nativeForGenerator):
1739         (JSC::nativeCallGenerator):
1740         (JSC::nativeTailCallGenerator):
1741         (JSC::nativeTailCallWithoutSavedTagsGenerator):
1742         (JSC::nativeConstructGenerator):
1743         (JSC::internalFunctionCallGenerator):
1744         (JSC::internalFunctionConstructGenerator):
1745         (JSC::arityFixupGenerator):
1746         (JSC::unreachableGenerator):
1747         (JSC::stringGetByValGenerator):
1748         (JSC::charToString):
1749         (JSC::charCodeAtThunkGenerator):
1750         (JSC::charAtThunkGenerator):
1751         (JSC::fromCharCodeThunkGenerator):
1752         (JSC::clz32ThunkGenerator):
1753         (JSC::sqrtThunkGenerator):
1754         (JSC::floorThunkGenerator):
1755         (JSC::ceilThunkGenerator):
1756         (JSC::truncThunkGenerator):
1757         (JSC::roundThunkGenerator):
1758         (JSC::expThunkGenerator):
1759         (JSC::logThunkGenerator):
1760         (JSC::absThunkGenerator):
1761         (JSC::imulThunkGenerator):
1762         (JSC::randomThunkGenerator):
1763         (JSC::boundThisNoArgsFunctionCallGenerator):
1764         * jit/ThunkGenerators.h:
1765         * jsc.cpp:
1766         (GlobalObject::finishCreation):
1767         (GlobalObject::addFunction):
1768         (GlobalObject::moduleLoaderImportModule):
1769         (GlobalObject::moduleLoaderResolve):
1770         (GlobalObject::moduleLoaderCreateImportMetaProperties):
1771         (functionDescribe):
1772         (functionDescribeArray):
1773         (JSCMemoryFootprint::addProperty):
1774         (functionRun):
1775         (functionRunString):
1776         (functionReadFile):
1777         (functionCallerSourceOrigin):
1778         (functionReadline):
1779         (functionDollarCreateRealm):
1780         (functionDollarEvalScript):
1781         (functionDollarAgentGetReport):
1782         (functionWaitForReport):
1783         (functionJSCOptions):
1784         (functionCheckModuleSyntax):
1785         (functionGenerateHeapSnapshotForGCDebugging):
1786         (functionWebAssemblyMemoryMode):
1787         (dumpException):
1788         (checkUncaughtException):
1789         * llint/LLIntSlowPaths.cpp:
1790         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1791         (JSC::LLInt::handleHostCall):
1792         * parser/ASTBuilder.h:
1793         (JSC::ASTBuilder::ASTBuilder):
1794         (JSC::ASTBuilder::createResolve):
1795         (JSC::ASTBuilder::createGetterOrSetterProperty):
1796         (JSC::ASTBuilder::createProperty):
1797         (JSC::ASTBuilder::createFuncDeclStatement):
1798         (JSC::ASTBuilder::makeFunctionCallNode):
1799         * parser/Lexer.cpp:
1800         (JSC::Lexer<T>::Lexer):
1801         (JSC::Lexer<LChar>::parseIdentifier):
1802         (JSC::Lexer<UChar>::parseIdentifier):
1803         * parser/Lexer.h:
1804         (JSC::Lexer<T>::lexExpectIdentifier):
1805         * parser/ModuleAnalyzer.cpp:
1806         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1807         * parser/ModuleAnalyzer.h:
1808         (JSC::ModuleAnalyzer::vm):
1809         * parser/Parser.cpp:
1810         (JSC::Parser<LexerType>::Parser):
1811         (JSC::Parser<LexerType>::parseInner):
1812         (JSC::Parser<LexerType>::isArrowFunctionParameters):
1813         (JSC::Parser<LexerType>::parseSourceElements):
1814         (JSC::Parser<LexerType>::parseModuleSourceElements):
1815         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1816         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
1817         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1818         (JSC::Parser<LexerType>::parseSingleFunction):
1819         (JSC::Parser<LexerType>::parseStatementListItem):
1820         (JSC::Parser<LexerType>::parseObjectRestAssignmentElement):
1821         (JSC::Parser<LexerType>::parseAssignmentElement):
1822         (JSC::Parser<LexerType>::parseDestructuringPattern):
1823         (JSC::Parser<LexerType>::parseForStatement):
1824         (JSC::Parser<LexerType>::parseBreakStatement):
1825         (JSC::Parser<LexerType>::parseContinueStatement):
1826         (JSC::Parser<LexerType>::parseStatement):
1827         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
1828         (JSC::Parser<LexerType>::createGeneratorParameters):
1829         (JSC::Parser<LexerType>::parseFunctionInfo):
1830         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1831         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1832         (JSC::Parser<LexerType>::parseClassDeclaration):
1833         (JSC::Parser<LexerType>::parseClass):
1834         (JSC::Parser<LexerType>::parseImportClauseItem):
1835         (JSC::Parser<LexerType>::parseImportDeclaration):
1836         (JSC::Parser<LexerType>::parseExportSpecifier):
1837         (JSC::Parser<LexerType>::parseExportDeclaration):
1838         (JSC::Parser<LexerType>::parseAssignmentExpression):
1839         (JSC::Parser<LexerType>::parseProperty):
1840         (JSC::Parser<LexerType>::parseGetterSetter):
1841         (JSC::Parser<LexerType>::parseObjectLiteral):
1842         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
1843         (JSC::Parser<LexerType>::parseClassExpression):
1844         (JSC::Parser<LexerType>::parseFunctionExpression):
1845         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
1846         (JSC::Parser<LexerType>::parsePrimaryExpression):
1847         (JSC::Parser<LexerType>::parseMemberExpression):
1848         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
1849         (JSC::Parser<LexerType>::parseUnaryExpression):
1850         * parser/Parser.h:
1851         (JSC::isArguments):
1852         (JSC::isEval):
1853         (JSC::isEvalOrArgumentsIdentifier):
1854         (JSC::Scope::Scope):
1855         (JSC::Scope::declareParameter):
1856         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1857         (JSC::Scope::collectFreeVariables):
1858         (JSC::Parser::canRecurse):
1859         (JSC::parse):
1860         (JSC::parseFunctionForFunctionConstructor):
1861         * parser/ParserArena.h:
1862         (JSC::IdentifierArena::makeIdentifier):
1863         (JSC::IdentifierArena::makeEmptyIdentifier):
1864         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
1865         (JSC::IdentifierArena::makeNumericIdentifier):
1866         * parser/SyntaxChecker.h:
1867         (JSC::SyntaxChecker::SyntaxChecker):
1868         (JSC::SyntaxChecker::createProperty):
1869         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1870         * profiler/ProfilerBytecode.cpp:
1871         (JSC::Profiler::Bytecode::toJS const):
1872         * profiler/ProfilerBytecodeSequence.cpp:
1873         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
1874         * profiler/ProfilerBytecodes.cpp:
1875         (JSC::Profiler::Bytecodes::toJS const):
1876         * profiler/ProfilerCompilation.cpp:
1877         (JSC::Profiler::Compilation::toJS const):
1878         * profiler/ProfilerCompiledBytecode.cpp:
1879         (JSC::Profiler::CompiledBytecode::toJS const):
1880         * profiler/ProfilerEvent.cpp:
1881         (JSC::Profiler::Event::toJS const):
1882         * profiler/ProfilerOSRExit.cpp:
1883         (JSC::Profiler::OSRExit::toJS const):
1884         * profiler/ProfilerOSRExitSite.cpp:
1885         (JSC::Profiler::OSRExitSite::toJS const):
1886         * profiler/ProfilerUID.cpp:
1887         (JSC::Profiler::UID::toJS const):
1888         * runtime/AbstractModuleRecord.cpp:
1889         (JSC::AbstractModuleRecord::finishCreation):
1890         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1891         (JSC::AbstractModuleRecord::resolveExportImpl):
1892         (JSC::getExportedNames):
1893         (JSC::AbstractModuleRecord::getModuleNamespace):
1894         * runtime/ArrayBufferNeuteringWatchpointSet.cpp:
1895         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
1896         * runtime/ArrayIteratorPrototype.cpp:
1897         (JSC::ArrayIteratorPrototype::finishCreation):
1898         * runtime/ArrayPrototype.cpp:
1899         (JSC::fastJoin):
1900         (JSC::arrayProtoFuncToLocaleString):
1901         (JSC::slowJoin):
1902         (JSC::arrayProtoFuncJoin):
1903         (JSC::arrayProtoFuncPush):
1904         * runtime/AsyncFunctionPrototype.cpp:
1905         (JSC::AsyncFunctionPrototype::finishCreation):
1906         * runtime/AsyncGeneratorFunctionPrototype.cpp:
1907         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
1908         * runtime/AsyncGeneratorPrototype.cpp:
1909         (JSC::AsyncGeneratorPrototype::finishCreation):
1910         * runtime/AtomicsObject.cpp:
1911         (JSC::AtomicsObject::finishCreation):
1912         (JSC::atomicsFuncWait):
1913         (JSC::operationAtomicsAdd):
1914         (JSC::operationAtomicsAnd):
1915         (JSC::operationAtomicsCompareExchange):
1916         (JSC::operationAtomicsExchange):
1917         (JSC::operationAtomicsIsLockFree):
1918         (JSC::operationAtomicsLoad):
1919         (JSC::operationAtomicsOr):
1920         (JSC::operationAtomicsStore):
1921         (JSC::operationAtomicsSub):
1922         (JSC::operationAtomicsXor):
1923         * runtime/BigIntPrototype.cpp:
1924         (JSC::BigIntPrototype::finishCreation):
1925         (JSC::bigIntProtoFuncToString):
1926         * runtime/CachedTypes.cpp:
1927         (JSC::CachedUniquedStringImplBase::decode const):
1928         (JSC::CachedIdentifier::decode const):
1929         (JSC::CachedJSValue::decode const):
1930         * runtime/CodeCache.cpp:
1931         (JSC::CodeCacheMap::pruneSlowCase):
1932         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1933         * runtime/CodeCache.h:
1934         (JSC::generateUnlinkedCodeBlockImpl):
1935         * runtime/CommonIdentifiers.cpp:
1936         (JSC::CommonIdentifiers::CommonIdentifiers):
1937         * runtime/CommonIdentifiers.h:
1938         * runtime/CommonSlowPaths.cpp:
1939         (JSC::SLOW_PATH_DECL):
1940         * runtime/Completion.cpp:
1941         (JSC::checkSyntaxInternal):
1942         (JSC::checkModuleSyntax):
1943         (JSC::loadAndEvaluateModule):
1944         (JSC::loadModule):
1945         * runtime/DateConstructor.cpp:
1946         (JSC::callDate):
1947         * runtime/DatePrototype.cpp:
1948         (JSC::formatLocaleDate):
1949         (JSC::formateDateInstance):
1950         (JSC::DatePrototype::finishCreation):
1951         (JSC::dateProtoFuncToISOString):
1952         * runtime/Error.cpp:
1953         (JSC::addErrorInfo):
1954         * runtime/ErrorInstance.cpp:
1955         (JSC::appendSourceToError):
1956         (JSC::ErrorInstance::finishCreation):
1957         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1958         * runtime/ErrorPrototype.cpp:
1959         (JSC::ErrorPrototype::finishCreation):
1960         (JSC::errorProtoFuncToString):
1961         * runtime/ExceptionHelpers.cpp:
1962         (JSC::TerminatedExecutionError::defaultValue):
1963         * runtime/FunctionPrototype.cpp:
1964         (JSC::functionProtoFuncToString):
1965         * runtime/FunctionRareData.cpp:
1966         (JSC::FunctionRareData::clear):
1967         * runtime/GeneratorFunctionPrototype.cpp:
1968         (JSC::GeneratorFunctionPrototype::finishCreation):
1969         * runtime/GeneratorPrototype.cpp:
1970         (JSC::GeneratorPrototype::finishCreation):
1971         * runtime/GenericArgumentsInlines.h:
1972         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1973         * runtime/GetterSetter.h:
1974         * runtime/Identifier.cpp:
1975         (JSC::Identifier::add):
1976         (JSC::Identifier::add8):
1977         (JSC::Identifier::from):
1978         (JSC::Identifier::checkCurrentAtomStringTable):
1979         * runtime/Identifier.h:
1980         (JSC::Identifier::fromString):
1981         (JSC::Identifier::createLCharFromUChar):
1982         (JSC::Identifier::Identifier):
1983         (JSC::Identifier::add):
1984         * runtime/IdentifierInlines.h:
1985         (JSC::Identifier::Identifier):
1986         (JSC::Identifier::add):
1987         (JSC::Identifier::fromUid):
1988         (JSC::Identifier::fromString):
1989         (JSC::identifierToJSValue):
1990         (JSC::identifierToSafePublicJSValue):
1991         * runtime/InternalFunction.cpp:
1992         (JSC::InternalFunction::finishCreation):
1993         * runtime/IntlCollator.cpp:
1994         (JSC::IntlCollator::resolvedOptions):
1995         * runtime/IntlCollatorPrototype.cpp:
1996         (JSC::IntlCollatorPrototype::finishCreation):
1997         * runtime/IntlDateTimeFormat.cpp:
1998         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
1999         (JSC::IntlDateTimeFormat::resolvedOptions):
2000         (JSC::IntlDateTimeFormat::format):
2001         (JSC::IntlDateTimeFormat::formatToParts):
2002         * runtime/IntlDateTimeFormatPrototype.cpp:
2003         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2004         * runtime/IntlNumberFormat.cpp:
2005         (JSC::IntlNumberFormat::initializeNumberFormat):
2006         (JSC::IntlNumberFormat::formatNumber):
2007         (JSC::IntlNumberFormat::resolvedOptions):
2008         (JSC::IntlNumberFormat::formatToParts):
2009         * runtime/IntlNumberFormatPrototype.cpp:
2010         (JSC::IntlNumberFormatPrototype::finishCreation):
2011         * runtime/IntlObject.cpp:
2012         (JSC::lookupSupportedLocales):
2013         (JSC::supportedLocales):
2014         (JSC::intlObjectFuncGetCanonicalLocales):
2015         * runtime/IntlPluralRules.cpp:
2016         (JSC::IntlPluralRules::initializePluralRules):
2017         (JSC::IntlPluralRules::resolvedOptions):
2018         (JSC::IntlPluralRules::select):
2019         * runtime/IntlPluralRulesPrototype.cpp:
2020         (JSC::IntlPluralRulesPrototype::finishCreation):
2021         * runtime/JSArray.h:
2022         (JSC::asArray):
2023         (JSC::isJSArray):
2024         * runtime/JSArrayBufferPrototype.cpp:
2025         (JSC::JSArrayBufferPrototype::finishCreation):
2026         * runtime/JSArrayBufferView.cpp:
2027         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
2028         * runtime/JSCJSValue.cpp:
2029         (JSC::JSValue::putToPrimitiveByIndex):
2030         (JSC::JSValue::dumpForBacktrace const):
2031         (JSC::JSValue::toStringSlowCase const):
2032         * runtime/JSCJSValueInlines.h:
2033         (JSC::JSValue::toPropertyKey const):
2034         (JSC::JSValue::get const):
2035         * runtime/JSCast.h:
2036         (JSC::jsCast):
2037         * runtime/JSCell.cpp:
2038         (JSC::JSCell::dump const):
2039         (JSC::JSCell::dumpToStream):
2040         (JSC::JSCell::putByIndex):
2041         * runtime/JSCellInlines.h:
2042         (JSC::JSCell::structure const):
2043         (JSC::ExecState::vm const):
2044         (JSC::tryAllocateCellHelper):
2045         * runtime/JSDataViewPrototype.cpp:
2046         (JSC::JSDataViewPrototype::finishCreation):
2047         * runtime/JSFixedArray.cpp:
2048         (JSC::JSFixedArray::dumpToStream):
2049         * runtime/JSFunction.cpp:
2050         (JSC::JSFunction::finishCreation):
2051         (JSC::RetrieveCallerFunctionFunctor::operator() const):
2052         (JSC::JSFunction::reifyName):
2053         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2054         (JSC::JSFunction::assertTypeInfoFlagInvariants):
2055         * runtime/JSGenericTypedArrayViewInlines.h:
2056         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
2057         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
2058         * runtime/JSGlobalObject.cpp:
2059         (JSC::JSGlobalObject::init):
2060         (JSC::JSGlobalObject::exposeDollarVM):
2061         * runtime/JSGlobalObjectFunctions.cpp:
2062         (JSC::encode):
2063         (JSC::decode):
2064         (JSC::globalFuncEscape):
2065         (JSC::globalFuncUnescape):
2066         (JSC::globalFuncBuiltinDescribe):
2067         * runtime/JSLexicalEnvironment.cpp:
2068         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2069         * runtime/JSModuleEnvironment.cpp:
2070         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2071         (JSC::JSModuleEnvironment::put):
2072         (JSC::JSModuleEnvironment::deleteProperty):
2073         * runtime/JSModuleLoader.cpp:
2074         (JSC::JSModuleLoader::finishCreation):
2075         (JSC::JSModuleLoader::requestImportModule):
2076         (JSC::moduleLoaderParseModule):
2077         (JSC::moduleLoaderRequestedModules):
2078         * runtime/JSModuleNamespaceObject.cpp:
2079         (JSC::JSModuleNamespaceObject::finishCreation):
2080         (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex):
2081         * runtime/JSModuleRecord.cpp:
2082         (JSC::JSModuleRecord::instantiateDeclarations):
2083         * runtime/JSONObject.cpp:
2084         (JSC::JSONObject::finishCreation):
2085         (JSC::PropertyNameForFunctionCall::value const):
2086         (JSC::Stringifier::Stringifier):
2087         (JSC::Stringifier::stringify):
2088         (JSC::Stringifier::Holder::appendNextProperty):
2089         (JSC::Walker::walk):
2090         * runtime/JSObject.cpp:
2091         (JSC::getClassPropertyNames):
2092         (JSC::JSObject::getOwnPropertySlotByIndex):
2093         (JSC::JSObject::putByIndex):
2094         (JSC::JSObject::deletePropertyByIndex):
2095         (JSC::JSObject::toString const):
2096         (JSC::JSObject::reifyAllStaticProperties):
2097         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2098         * runtime/JSObject.h:
2099         (JSC::JSObject::putByIndexInline):
2100         (JSC::JSObject::butterflyPreCapacity):
2101         (JSC::JSObject::butterflyTotalSize):
2102         (JSC::makeIdentifier):
2103         * runtime/JSPromisePrototype.cpp:
2104         (JSC::JSPromisePrototype::finishCreation):
2105         * runtime/JSPropertyNameEnumerator.cpp:
2106         (JSC::JSPropertyNameEnumerator::finishCreation):
2107         * runtime/JSPropertyNameEnumerator.h:
2108         (JSC::propertyNameEnumerator):
2109         * runtime/JSRunLoopTimer.cpp:
2110         (JSC::JSRunLoopTimer::JSRunLoopTimer):
2111         * runtime/JSRunLoopTimer.h:
2112         * runtime/JSString.cpp:
2113         (JSC::JSString::dumpToStream):
2114         (JSC::JSRopeString::resolveRopeWithFunction const):
2115         (JSC::jsStringWithCacheSlowCase):
2116         * runtime/JSString.h:
2117         (JSC::jsEmptyString):
2118         (JSC::jsSingleCharacterString):
2119         (JSC::jsNontrivialString):
2120         (JSC::JSString::toIdentifier const):
2121         (JSC::JSString::toAtomString const):
2122         (JSC::JSString::toExistingAtomString const):
2123         (JSC::JSString::value const):
2124         (JSC::JSString::tryGetValue const):
2125         (JSC::JSString::getIndex):
2126         (JSC::jsString):
2127         (JSC::jsSubstring):
2128         (JSC::jsOwnedString):
2129         (JSC::jsStringWithCache):
2130         (JSC::JSRopeString::unsafeView const):
2131         (JSC::JSRopeString::viewWithUnderlyingString const):
2132         (JSC::JSString::unsafeView const):
2133         * runtime/JSStringInlines.h:
2134         (JSC::jsMakeNontrivialString):
2135         (JSC::repeatCharacter):
2136         * runtime/JSStringJoiner.cpp:
2137         (JSC::JSStringJoiner::join):
2138         * runtime/JSSymbolTableObject.cpp:
2139         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2140         * runtime/JSTemplateObjectDescriptor.cpp:
2141         (JSC::JSTemplateObjectDescriptor::createTemplateObject):
2142         * runtime/JSTypedArrayViewPrototype.cpp:
2143         (JSC::typedArrayViewProtoGetterFuncToStringTag):
2144         * runtime/LazyClassStructure.cpp:
2145         (JSC::LazyClassStructure::Initializer::setConstructor):
2146         * runtime/LazyProperty.h:
2147         (JSC::LazyProperty::Initializer::Initializer):
2148         * runtime/LiteralParser.cpp:
2149         (JSC::LiteralParser<CharType>::tryJSONPParse):
2150         (JSC::LiteralParser<CharType>::makeIdentifier):
2151         (JSC::LiteralParser<CharType>::parse):
2152         * runtime/Lookup.h:
2153         (JSC::reifyStaticProperties):
2154         * runtime/MapIteratorPrototype.cpp:
2155         (JSC::MapIteratorPrototype::finishCreation):
2156         * runtime/MapPrototype.cpp:
2157         (JSC::MapPrototype::finishCreation):
2158         * runtime/MathObject.cpp:
2159         (JSC::MathObject::finishCreation):
2160         * runtime/NumberConstructor.cpp:
2161         (JSC::NumberConstructor::finishCreation):
2162         * runtime/NumberPrototype.cpp:
2163         (JSC::numberProtoFuncToExponential):
2164         (JSC::numberProtoFuncToFixed):
2165         (JSC::numberProtoFuncToPrecision):
2166         (JSC::int32ToStringInternal):
2167         (JSC::numberToStringInternal):
2168         (JSC::int52ToString):
2169         * runtime/ObjectConstructor.cpp:
2170         (JSC::objectConstructorGetOwnPropertyDescriptors):
2171         (JSC::objectConstructorAssign):
2172         (JSC::objectConstructorValues):
2173         (JSC::defineProperties):
2174         (JSC::setIntegrityLevel):
2175         (JSC::testIntegrityLevel):
2176         (JSC::ownPropertyKeys):
2177         * runtime/ObjectPrototype.cpp:
2178         (JSC::objectProtoFuncToString):
2179         * runtime/Operations.h:
2180         (JSC::jsString):
2181         (JSC::jsStringFromRegisterArray):
2182         (JSC::jsStringFromArguments):
2183         * runtime/ProgramExecutable.cpp:
2184         (JSC::ProgramExecutable::initializeGlobalProperties):
2185         * runtime/PromiseDeferredTimer.cpp:
2186         (JSC::PromiseDeferredTimer::PromiseDeferredTimer):
2187         (JSC::PromiseDeferredTimer::hasPendingPromise):
2188         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
2189         (JSC::PromiseDeferredTimer::cancelPendingPromise):
2190         * runtime/PropertyNameArray.h:
2191         (JSC::PropertyNameArray::PropertyNameArray):
2192         (JSC::PropertyNameArray::vm):
2193         * runtime/PropertySlot.h:
2194         (JSC::PropertySlot::getValue const):
2195         * runtime/ProxyObject.cpp:
2196         (JSC::performProxyGet):
2197         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2198         (JSC::ProxyObject::performHasProperty):
2199         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2200         (JSC::ProxyObject::performPut):
2201         (JSC::ProxyObject::putByIndexCommon):
2202         (JSC::ProxyObject::performDelete):
2203         (JSC::ProxyObject::deletePropertyByIndex):
2204         (JSC::ProxyObject::performDefineOwnProperty):
2205         (JSC::ProxyObject::performGetOwnPropertyNames):
2206         * runtime/RegExpGlobalData.cpp:
2207         (JSC::RegExpGlobalData::getBackref):
2208         (JSC::RegExpGlobalData::getLastParen):
2209         * runtime/RegExpMatchesArray.cpp:
2210         (JSC::createEmptyRegExpMatchesArray):
2211         * runtime/RegExpMatchesArray.h:
2212         (JSC::createRegExpMatchesArray):
2213         * runtime/RegExpPrototype.cpp:
2214         (JSC::regExpProtoGetterFlags):
2215         (JSC::regExpProtoGetterSourceInternal):
2216         (JSC::regExpProtoGetterSource):
2217         * runtime/RegExpStringIteratorPrototype.cpp:
2218         (JSC::RegExpStringIteratorPrototype::finishCreation):
2219         * runtime/SamplingProfiler.cpp:
2220         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2221         * runtime/ScriptExecutable.cpp:
2222         (JSC::ScriptExecutable::installCode):
2223         (JSC::ScriptExecutable::newCodeBlockFor):
2224         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
2225         (JSC::setupJIT):
2226         * runtime/SetIteratorPrototype.cpp:
2227         (JSC::SetIteratorPrototype::finishCreation):
2228         * runtime/SetPrototype.cpp:
2229         (JSC::SetPrototype::finishCreation):
2230         * runtime/StackFrame.cpp:
2231         (JSC::StackFrame::computeLineAndColumn const):
2232         * runtime/StringConstructor.cpp:
2233         (JSC::stringFromCharCode):
2234         (JSC::stringFromCodePoint):
2235         (JSC::stringConstructor):
2236         (JSC::callStringConstructor):
2237         * runtime/StringIteratorPrototype.cpp:
2238         (JSC::StringIteratorPrototype::finishCreation):
2239         * runtime/StringObject.cpp:
2240         (JSC::StringObject::getOwnPropertySlotByIndex):
2241         (JSC::StringObject::getOwnPropertyNames):
2242         * runtime/StringObject.h:
2243         (JSC::StringObject::create):
2244         (JSC::jsStringWithReuse):
2245         (JSC::jsSubstring):
2246         * runtime/StringPrototype.cpp:
2247         (JSC::StringPrototype::finishCreation):
2248         (JSC::StringPrototype::create):
2249         (JSC::jsSpliceSubstrings):
2250         (JSC::jsSpliceSubstringsWithSeparators):
2251         (JSC::replaceUsingRegExpSearch):
2252         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
2253         (JSC::operationStringProtoFuncReplaceRegExpString):
2254         (JSC::replaceUsingStringSearch):
2255         (JSC::operationStringProtoFuncReplaceGeneric):
2256         (JSC::stringProtoFuncCharAt):
2257         (JSC::stringProtoFuncSplitFast):
2258         (JSC::stringProtoFuncSubstr):
2259         (JSC::stringProtoFuncToLowerCase):
2260         (JSC::stringProtoFuncToUpperCase):
2261         (JSC::toLocaleCase):
2262         (JSC::trimString):
2263         (JSC::normalize):
2264         * runtime/StringPrototypeInlines.h:
2265         (JSC::stringSlice):
2266         * runtime/StringRecursionChecker.cpp:
2267         (JSC::StringRecursionChecker::emptyString):
2268         * runtime/Structure.cpp:
2269         (JSC::Structure::didTransitionFromThisStructure const):
2270         * runtime/StructureInlines.h:
2271         (JSC::Structure::didReplaceProperty):
2272         (JSC::Structure::shouldConvertToPolyProto):
2273         * runtime/SymbolConstructor.cpp:
2274         (JSC::symbolConstructorKeyFor):
2275         * runtime/SymbolPrototype.cpp:
2276         (JSC::SymbolPrototype::finishCreation):
2277         (JSC::symbolProtoGetterDescription):
2278         (JSC::symbolProtoFuncToString):
2279         * runtime/SymbolTable.cpp:
2280         (JSC::SymbolTable::setRareDataCodeBlock):
2281         * runtime/TestRunnerUtils.cpp:
2282         (JSC::getExecutableForFunction):
2283         * runtime/VM.cpp:
2284         (JSC::VM::VM):
2285         (JSC::VM::getHostFunction):
2286         (JSC::VM::getCTIInternalFunctionTrampolineFor):
2287         (JSC::VM::shrinkFootprintWhenIdle):
2288         (JSC::logSanitizeStack):
2289         (JSC::sanitizeStackForVM):
2290         (JSC::VM::emptyPropertyNameEnumeratorSlow):
2291         * runtime/VM.h:
2292         (JSC::VM::getCTIStub):
2293         (JSC::WeakSet::heap const):
2294         * runtime/VMTraps.cpp:
2295         * runtime/WeakMapPrototype.cpp:
2296         (JSC::WeakMapPrototype::finishCreation):
2297         * runtime/WeakObjectRefPrototype.cpp:
2298         (JSC::WeakObjectRefPrototype::finishCreation):
2299         * runtime/WeakSetPrototype.cpp:
2300         (JSC::WeakSetPrototype::finishCreation):
2301         * tools/HeapVerifier.cpp:
2302         (JSC::HeapVerifier::printVerificationHeader):
2303         (JSC::HeapVerifier::verifyCellList):
2304         (JSC::HeapVerifier::validateJSCell):
2305         (JSC::HeapVerifier::reportCell):
2306         * tools/JSDollarVM.cpp:
2307         (JSC::JSDollarVMCallFrame::finishCreation):
2308         (JSC::JSDollarVMCallFrame::addProperty):
2309         (JSC::CustomGetter::getOwnPropertySlot):
2310         (JSC::CustomGetter::customGetter):
2311         (JSC::CustomGetter::customGetterAcessor):
2312         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
2313         (JSC::DOMJITGetter::finishCreation):
2314         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2315         (JSC::DOMJITGetterComplex::finishCreation):
2316         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
2317         (JSC::DOMJITFunctionObject::finishCreation):
2318         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
2319         (JSC::DOMJITCheckSubClassObject::finishCreation):
2320         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2321         (JSC::DOMJITGetterBaseJSObject::finishCreation):
2322         (JSC::customSetAccessor):
2323         (JSC::customSetValue):
2324         (JSC::JSTestCustomGetterSetter::finishCreation):
2325         (JSC::WasmStreamingParser::finishCreation):
2326         (JSC::getExecutableForFunction):
2327         (JSC::functionCodeBlockFor):
2328         (JSC::functionIndexingMode):
2329         (JSC::functionValue):
2330         (JSC::functionCreateBuiltin):
2331         (JSC::functionGetPrivateProperty):
2332         (JSC::JSDollarVM::finishCreation):
2333         (JSC::JSDollarVM::addFunction):
2334         (JSC::JSDollarVM::addConstructibleFunction):
2335         * tools/VMInspector.cpp:
2336         (JSC::VMInspector::dumpRegisters):
2337         (JSC::VMInspector::dumpCellMemoryToStream):
2338         * wasm/WasmInstance.cpp:
2339         (JSC::Wasm::Instance::setGlobal):
2340         (JSC::Wasm::Instance::setFunctionWrapper):
2341         (JSC::Wasm::setWasmTableElement):
2342         (JSC::Wasm::doWasmRefFunc):
2343         * wasm/WasmTable.cpp:
2344         (JSC::Wasm::Table::set):
2345         (JSC::Wasm::FuncRefTable::setFunction):
2346         * wasm/js/JSWebAssembly.cpp:
2347         (JSC::resolve):
2348         * wasm/js/JSWebAssemblyInstance.cpp:
2349         (JSC::JSWebAssemblyInstance::create):
2350         * wasm/js/WasmToJS.cpp:
2351         (JSC::Wasm::handleBadI64Use):
2352         (JSC::Wasm::wasmToJS):
2353         (JSC::Wasm::wasmToJSException):
2354         * wasm/js/WebAssemblyFunction.cpp:
2355         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2356         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2357         (JSC::constructJSWebAssemblyMemory):
2358         * wasm/js/WebAssemblyModuleConstructor.cpp:
2359         (JSC::webAssemblyModuleImports):
2360         (JSC::webAssemblyModuleExports):
2361         * wasm/js/WebAssemblyModuleRecord.cpp:
2362         (JSC::WebAssemblyModuleRecord::finishCreation):
2363         (JSC::WebAssemblyModuleRecord::link):
2364         * wasm/js/WebAssemblyTableConstructor.cpp:
2365         (JSC::constructJSWebAssemblyTable):
2366
2367 2019-08-27  Devin Rousso  <drousso@apple.com>
2368
2369         Web Inspector: don't attach properties to `injectedScript` for the CommandLineAPI
2370         https://bugs.webkit.org/show_bug.cgi?id=201193
2371
2372         Reviewed by Joseph Pecoraro.
2373
2374         For some reason, adding `injectedScript._inspectObject` inside CommandLineAPIModuleSource.js
2375         causes inspector/debugger/tail-deleted-frames-this-value.html to fail.
2376
2377         We should have a similar approach to adding command line api getters and functions, in that
2378         the CommandLineAPIModuleSource.js calls a function with a callback.
2379
2380         * inspector/InjectedScriptSource.js:
2381         (InjectedScript.prototype.inspectObject):
2382         (InjectedScript.prototype.setInspectObject): Added.
2383         (InjectedScript.prototype._evaluateOn):
2384
2385 2019-08-27  Mark Lam  <mark.lam@apple.com>
2386
2387         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
2388         https://bugs.webkit.org/show_bug.cgi?id=201196
2389         <rdar://problem/54703775>
2390
2391         Reviewed by Yusuke Suzuki.
2392
2393         * runtime/FunctionConstructor.cpp:
2394         (JSC::constructFunctionSkippingEvalEnabledCheck):
2395
2396 2019-08-27  Keith Miller  <keith_miller@apple.com>
2397
2398         When dumping Air Graphs, BBQ should dump patchpoints.
2399         https://bugs.webkit.org/show_bug.cgi?id=201167
2400
2401         Reviewed by Filip Pizlo.
2402
2403         * wasm/WasmAirIRGenerator.cpp:
2404         (JSC::Wasm::AirIRGenerator:: const):
2405         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2406         (JSC::Wasm::parseAndCompileAir):
2407
2408 2019-08-27  Basuke Suzuki  <Basuke.Suzuki@sony.com>
2409
2410         [RemoteInspector][Socket] Restructuring the components of Socket implementation
2411         https://bugs.webkit.org/show_bug.cgi?id=201079
2412
2413         Reviewed by Ross Kirsling.
2414
2415         Since the change for WeakPtr in r248386, our port started hitting an assertion failure on the usage of
2416         RemoteInspectorSocketEndpoint. We have to send a message to the connection client, but if that
2417         has to be done in the same thread in which the weakPtr was generated, it's a somewhat stronger
2418         restriction for us to handle. In this restructuring, we stop using weakPtr to
2419         resolve the circular dependency and instead use a reference with an invalidation method, because
2420         everything is under our control.
2421
2422         - Make SocketEndpoint a singleton. This class represents a central place to handle socket
2423           connections, and there's no need to instantiate more than one in a process. Once every
2424           connection goes away, it just starts sleeping until the next connection is created. Very low
2425           resource usage when it is idle.
2426         - Move the Socket::Connection structure from a global definition to a SocketEndpoint-local
2427           structure. It is directly used in SocketEndpoint privately.
2428         - Move the responsibility for message encoding/decoding from SocketEndpoint to
2429           ConnectionClient. Make SocketEndpoint as plain a socket handler as possible to keep it
2430           simple enough to exist for a long span.
2431         - Extract an interface from ConnectionClient as SocketEndpoint::Client, which is required
2432           to work with SocketEndpoint. Now SocketEndpoint is very independent of the others.
2433           SocketEndpoint::Client is the required parameter to create a connection.
2434
2435         Many responsibilities are moved into ConnectionClient, which was a thin interface for
2436         communication between RemoteInspector, RemoteInspectorServer and RemoteInspectorClient.
2437         It now handles the following:
2438         - life cycle of a connection: create, listen, and close or invalidate
2439         - sending and receiving data packed in a message.
2440
2441         RemoteInspector and RemoteInspectorServer are now free from creating SocketEndpoint.
2442         All communication to SocketEndpoint is now the duty of the superclass.
2443
2444         * inspector/remote/RemoteInspector.h:
2445         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
2446         (Inspector::RemoteInspectorConnectionClient::~RemoteInspectorConnectionClient): Make all connections invalidated.
2447         (Inspector::RemoteInspectorConnectionClient::connectInet): Add itself as a listener of the socket.
2448         (Inspector::RemoteInspectorConnectionClient::listenInet): Ditto.
2449         (Inspector::RemoteInspectorConnectionClient::createClient): Ditto.
2450         (Inspector::RemoteInspectorConnectionClient::send): Add message processing.
2451         (Inspector::RemoteInspectorConnectionClient::didReceive): Ditto.
2452         (Inspector::RemoteInspectorConnectionClient::extractEvent): Extracted from send.
2453         * inspector/remote/socket/RemoteInspectorConnectionClient.h:
2454         * inspector/remote/socket/RemoteInspectorMessageParser.cpp:
2455         (Inspector::MessageParser::MessageParser):
2456         (Inspector::MessageParser::pushReceivedData):
2457         (Inspector::MessageParser::parse):
2458         * inspector/remote/socket/RemoteInspectorMessageParser.h:
2459         (Inspector::MessageParser::MessageParser):
2460         (Inspector::MessageParser::Function<void):
2461         * inspector/remote/socket/RemoteInspectorServer.cpp:
2462         (Inspector::RemoteInspectorServer::connect): Remove direct communication to Socket Endpoint.
2463         (Inspector::RemoteInspectorServer::listenForTargets): Ditto.
2464         (Inspector::RemoteInspectorServer::sendWebInspectorEvent): Ditto.
2465         (Inspector::RemoteInspectorServer::start): Ditto.
2466         * inspector/remote/socket/RemoteInspectorServer.h:
2467         * inspector/remote/socket/RemoteInspectorSocket.cpp:
2468         (Inspector::RemoteInspector::sendWebInspectorEvent): Remove direct communication to Socket Endpoint.
2469         (Inspector::RemoteInspector::start): Ditto.
2470         (Inspector::RemoteInspector::stopInternal): Ditto.
2471         (Inspector::RemoteInspector::pushListingsNow): Change the target of the validity check to the ID.
2472         (Inspector::RemoteInspector::pushListingsSoon): Ditto.
2473         (Inspector::RemoteInspector::sendMessageToRemote): Ditto.
2474         * inspector/remote/socket/RemoteInspectorSocket.h: Move Connection structure to RemoteInspectorSocketEndpoint.
2475         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
2476         (Inspector::RemoteInspectorSocketEndpoint::singleton): Added.
2477         (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint): Use hard-coded thread name.
2478         (Inspector::RemoteInspectorSocketEndpoint::connectInet): Accept RemoteInspectorSocketEndpoint::Client as listener.
2479         (Inspector::RemoteInspectorSocketEndpoint::listenInet): Ditto.
2480         (Inspector::RemoteInspectorSocketEndpoint::createClient): Ditto.
2481         (Inspector::RemoteInspectorSocketEndpoint::invalidateClient): Added. Invalidate all connections from the client.
2482         (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled): Remove message parser handling.
2483         (Inspector::RemoteInspectorSocketEndpoint::send): Remove message packing.
2484         (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
2485         * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
2486         (Inspector::RemoteInspectorSocketEndpoint::Connection::Connection):
2487
2488 2019-08-26  Devin Rousso  <drousso@apple.com>
2489
2490         Web Inspector: use more C++ keywords for defining agents
2491         https://bugs.webkit.org/show_bug.cgi?id=200959
2492
2493         Reviewed by Joseph Pecoraro.
2494
2495         - make constructors `protected` when the agent isn't meant to be constructed directly
2496         - add `virtual` destructors that are defined in the *.cpp so forward-declarations work
2497         - use `final` wherever possible
2498         - add comments to indicate where any virtual functions come from
2499
2500         * inspector/agents/InspectorAgent.h:
2501         * inspector/agents/InspectorAgent.cpp:
2502         * inspector/agents/InspectorAuditAgent.h:
2503         * inspector/agents/InspectorAuditAgent.cpp:
2504         * inspector/agents/InspectorConsoleAgent.h:
2505         * inspector/agents/InspectorConsoleAgent.cpp:
2506         * inspector/agents/InspectorDebuggerAgent.h:
2507         * inspector/agents/InspectorDebuggerAgent.cpp:
2508         * inspector/agents/InspectorHeapAgent.h:
2509         * inspector/agents/InspectorHeapAgent.cpp:
2510         * inspector/agents/InspectorRuntimeAgent.h:
2511         * inspector/agents/InspectorScriptProfilerAgent.h:
2512         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2513         * inspector/agents/InspectorTargetAgent.h:
2514         * inspector/agents/InspectorTargetAgent.cpp:
2515         * inspector/agents/JSGlobalObjectAuditAgent.h:
2516         * inspector/agents/JSGlobalObjectAuditAgent.cpp:
2517         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2518         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2519         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2520         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2521
2522 2019-08-26  Devin Rousso  <drousso@apple.com>
2523
2524         Web Inspector: unify agent command error messages
2525         https://bugs.webkit.org/show_bug.cgi?id=200950
2526
2527         Reviewed by Joseph Pecoraro.
2528
2529         Different agents can sometimes have different error messages for commands that have a
2530         similar intended effect.  We should make our error messages more similar.
2531
2532         * inspector/JSGlobalObjectConsoleClient.cpp:
2533         * inspector/agents/InspectorAgent.cpp:
2534         * inspector/agents/InspectorAuditAgent.cpp:
2535         * inspector/agents/InspectorConsoleAgent.cpp:
2536         * inspector/agents/InspectorDebuggerAgent.cpp:
2537         * inspector/agents/InspectorHeapAgent.cpp:
2538         * inspector/agents/InspectorRuntimeAgent.cpp:
2539         * inspector/agents/InspectorTargetAgent.cpp:
2540         * inspector/agents/JSGlobalObjectAuditAgent.cpp:
2541         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2542         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2543         Elide function lists to avoid an extremely large ChangeLog entry.
2544
2545 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
2546
2547         [JSC] Ensure x?.y ?? z is fast
2548         https://bugs.webkit.org/show_bug.cgi?id=200875
2549
2550         Reviewed by Yusuke Suzuki.
2551
2552         We anticipate `x?.y ?? z` to quickly become a common idiom in JS. With a little bytecode rearrangement,
2553         we can avoid the "load undefined and check it" dance in the middle and just turn this into two jumps.
2554
2555         Before:
2556                 (get x)
2557           ----- jundefined_or_null
2558           |     (get y)
2559           | --- jmp
2560           > |   (load undefined)
2561             > - jnundefined_or_null
2562               | (get z)
2563               > end
2564
2565         After:
2566                 (get x)
2567             --- jundefined_or_null
2568             |   (get y)
2569             | - jnundefined_or_null
2570             > | (get z)
2571               > end
2572
2573         * bytecompiler/BytecodeGenerator.cpp:
2574         (JSC::BytecodeGenerator::popOptionalChainTarget): Added specialization.
2575         * bytecompiler/BytecodeGenerator.h:
2576         * bytecompiler/NodesCodegen.cpp:
2577         (JSC::CoalesceNode::emitBytecode):
2578         (JSC::OptionalChainNode::emitBytecode):
2579         * parser/ASTBuilder.h:
2580         (JSC::ASTBuilder::makeDeleteNode):
2581         (JSC::ASTBuilder::makeCoalesceNode): Added.
2582         (JSC::ASTBuilder::makeBinaryNode):
2583         * parser/NodeConstructors.h:
2584         (JSC::CoalesceNode::CoalesceNode):
2585         * parser/Nodes.h:
2586         (JSC::ExpressionNode::isDeleteNode const): Added. (Replaces OptionalChainNode::m_isDelete.)
2587
2588 2019-08-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2589
2590         Missing media controls when WebKit is built with Python3
2591         https://bugs.webkit.org/show_bug.cgi?id=194367
2592
2593         Reviewed by Carlos Garcia Campos.
2594
2595         The JavaScript minifier script jsmin.py expects a text stream
2596         with text type as input, but the script make-js-file-arrays.py
2597         was passing to it a FileIO() object. So, when the jsmin script
2598         called read() over this object, python3 was returning a type of
2599         bytes, but for python2 it returns type str.
2600
2601         This caused two problems: first, jsmin failed to do any minifying
2602         because it was comparing strings with a variable of type bytes.
2603         The second major problem was in the write() function, when the
2604         jsmin script tried to convert a byte character to text by calling
2605         str() on it. What this does is not convert from byte
2606         type to string, but simply generate a string with the format b'c'.
2607         So the jsmin script was returning back as minified JS complete
2608         garbage in the form of "b't'b'h'b'h'b'i" for python3.
2609
2610         Therefore, when WebKit was built with python3 this broke everything
2611         that depended on the embedded JS code that make-js-file-arrays.py
2612         was supposed to generate, like the media controls and the WebDriver
2613         atoms.
2614
2615         Fix this by reworking the code in make-js-file-arrays script to
2616         read the data from the file using a TextIOWrapper in python 3
2617         with decoding for 'utf-8'. This ensures that the jsmin receives
2618         a text type. For python2 keep using the same FileIO class.
2619
2620         On the jsmin.py script remove the problematic call to str() inside
2621         the write() function when running with python3.
2622         On top of that, add an extra check in jsmin.py script to make it
2623         fail if the character type read is not the one expected. This
2624         will cause the build to fail instead of failing silently like
2625         now. I did some tests and the runtime cost of this extra check
2626         is almost zero.
2627
2628         * Scripts/jsmin.py:
2629         (JavascriptMinify.minify.write):
2630         (JavascriptMinify):
2631         * Scripts/make-js-file-arrays.py:
2632         (main):
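
        The bytes-vs-str failure described in this entry, as an added example (not WebKit's jsmin.py or make-js-file-arrays.py): a toy minifier loop fed a binary stream with str() applied per item, beside the TextIOWrapper fix and a type check that fails loudly. The toy loop and its newline-dropping rule are assumptions made for illustration; Python 3 only.

```python
# Added example, not WebKit's jsmin.py or make-js-file-arrays.py: a toy
# minifier loop reproducing the Python 3 bytes-vs-str failure described in
# the ChangeLog entry, beside the TextIOWrapper fix and a loud type check.
import io


def toy_minify(stream, write):
    """Stand-in (assumed, not jsmin's real algorithm) for the minifier's main
    loop: drop newlines and forward every other character through write(),
    one character at a time, exactly as read() hands them over."""
    while True:
        c = stream.read(1)
        if not c:
            break
        if c == "\n":        # str comparison: never true when c is bytes
            continue
        write(c)


def minify_buggy(source):
    """Before: read from a binary stream (what FileIO gives on Python 3) and
    call str() on each item. str(b't') is the text "b't'", not "t", so the
    output is garbage and the newline check above never fires."""
    out = []
    toy_minify(io.BytesIO(source), lambda c: out.append(str(c)))
    return "".join(out)


def checked_write(out):
    """After: the write step refuses anything but text, so a wrong stream
    type fails the build instead of silently producing garbage."""
    def write(c):
        if not isinstance(c, str):
            raise TypeError("minifier expected str, got %s" % type(c).__name__)
        out.append(c)
    return write


def minify_fixed(source):
    """After: wrap the binary stream so read() yields text decoded as UTF-8,
    which is what the minifier expects."""
    out = []
    text = io.TextIOWrapper(io.BytesIO(source), encoding="utf-8")
    toy_minify(text, checked_write(out))
    return "".join(out)


def type_check_fires(source):
    """True if feeding the checked writer a binary stream raises TypeError,
    i.e. the regression would now be caught at build time."""
    try:
        toy_minify(io.BytesIO(source), checked_write([]))
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    sample = b"th\nis"          # constructed input
    print(repr(minify_buggy(sample)))   # garbage like "b't'b'h'..."
    print(repr(minify_fixed(sample)))   # 'this'
```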
2633
2634 2019-08-23  Devin Rousso  <drousso@apple.com>
2635
2636         Web Inspector: create additional command line api functions for other console methods
2637         https://bugs.webkit.org/show_bug.cgi?id=200971
2638
2639         Reviewed by Joseph Pecoraro.
2640
2641         Expose all `console.*` functions in the command line API, since they're all already able to
2642         be referenced via the `console` object.
2643
2644         Provide a simpler interface for other injected scripts to modify the command line API.
2645
2646         * inspector/InjectedScriptModule.cpp:
2647         (Inspector::InjectedScriptModule::ensureInjected):
2648
2649         * inspector/InjectedScriptSource.js:
2650         (InjectedScript.prototype.inspectObject):
2651         (InjectedScript.prototype.addCommandLineAPIGetter): Added.
2652         (InjectedScript.prototype.addCommandLineAPIMethod): Added.
2653         (InjectedScript.prototype.hasInjectedModule): Added.
2654         (InjectedScript.prototype.injectModule):
2655         (InjectedScript.prototype._evaluateOn):
2656         (InjectedScript.CommandLineAPI): Added.
2657         (InjectedScript.prototype.module): Deleted.
2658         (InjectedScript.prototype._savedResult): Deleted.
2659         (bind): Deleted.
2660         (BasicCommandLineAPI): Deleted.
2661         (clear): Deleted.
2662         (table): Deleted.
2663         (profile): Deleted.
2664         (profileEnd): Deleted.
2665         (keys): Deleted.
2666         (values): Deleted.
2667         (queryInstances): Deleted.
2668         (queryObjects): Deleted.
2669         (queryHolders): Deleted.
2670
2671 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
2672
2673         Remove MaximalFlushInsertionPhase
2674         https://bugs.webkit.org/show_bug.cgi?id=201036
2675
2676         Reviewed by Saam Barati.
2677
2678         Maximal flush has found too many false positives recently, so we decided it's finally time
2679         to remove it instead of hacking it to fix the most recent false positive.
2680
2681         The most recent false positive was caused by a LoadVarargs followed by a SetArgumentDefinitely
2682         for the argument count that was being flushed in a much later block. Now, since that block was
2683         the head of a loop, and there was a SetLocal in the same block to the same variable, this
2684         generated a Phi of both values, which then led to the unification of their VariableAccessData
2685         in the unification phase. This caused AI to assign the Int52 type to argument count, which
2686         broke the AI’s assumption that it should always be an Int32.
2687
2688         * JavaScriptCore.xcodeproj/project.pbxproj:
2689         * Sources.txt:
2690         * dfg/DFGByteCodeParser.cpp:
2691         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
2692         * dfg/DFGMaximalFlushInsertionPhase.cpp: Removed.
2693         * dfg/DFGMaximalFlushInsertionPhase.h: Removed.
2694         * dfg/DFGPlan.cpp:
2695         (JSC::DFG::Plan::compileInThreadImpl):
2696         * runtime/Options.cpp:
2697         (JSC::recomputeDependentOptions):
2698         * runtime/Options.h:
2699
2700 2019-08-23  Ross Kirsling  <ross.kirsling@sony.com>
2701
2702         Unreviewed WinCairo build fix following r249058.
2703
2704         * API/tests/testapi.cpp:
2705         (TestAPI::callFunction):
2706         WinCairo chokes on `JSValueRef args[sizeof...(arguments)]` when there are no arguments, but AppleWin does not...
2707         MSVC must have changed somehow.
2708
2709 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
2710
2711         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
2712         https://bugs.webkit.org/show_bug.cgi?id=200952
2713
2714         Reviewed by Saam Barati.
2715
2716         The c call that we emitted was incorrect. If we had an int argument that was supposed to be placed in GPR0 by this loop,
2717         we would clobber it while making the call (among many other possible registers). To fix this, we just inline the call
2718         to isWebassemblyHostFunction.
2719
2720         * wasm/js/WebAssemblyFunction.cpp:
2721         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2722
2723 2019-08-23  Ross Kirsling  <ross.kirsling@sony.com>
2724
2725         JSC should have public API for unhandled promise rejections
2726         https://bugs.webkit.org/show_bug.cgi?id=197172
2727
2728         Reviewed by Keith Miller.
2729
2730         This patch makes it possible to register an unhandled promise rejection callback via the JSC API.
2731         Since there is no event loop in such an environment, this callback fires off of the microtask queue.
2732         The callback receives the promise and rejection reason as arguments and its return value is ignored.
2733
2734         * API/JSContextRef.cpp:
2735         (JSGlobalContextSetUnhandledRejectionCallback): Added.
2736         * API/JSContextRefPrivate.h:
2737         Add new C++ API call.
2738
2739         * API/tests/testapi.cpp:
2740         (TestAPI::promiseResolveTrue): Clean up test output.
2741         (TestAPI::promiseRejectTrue): Clean up test output.
2742         (TestAPI::promiseUnhandledRejection): Added.
2743         (TestAPI::promiseUnhandledRejectionFromUnhandledRejectionCallback): Added.
2744         (TestAPI::promiseEarlyHandledRejections): Added.
2745         (testCAPIViaCpp):
2746         Add new C++ API test.
2747
2748         * jsc.cpp:
2749         (GlobalObject::finishCreation):
2750         (functionSetUnhandledRejectionCallback): Added.
2751         Add corresponding global to JSC shell.
2752
2753         * runtime/JSGlobalObject.h:
2754         (JSC::JSGlobalObject::setUnhandledRejectionCallback): Added.
2755         (JSC::JSGlobalObject::unhandledRejectionCallback const): Added.
2756         Keep a strong reference to the callback.
2757
2758         * runtime/JSGlobalObjectFunctions.cpp:
2759         (JSC::globalFuncHostPromiseRejectionTracker):
2760         Add default behavior.
2761
2762         * runtime/VM.cpp:
2763         (JSC::VM::callPromiseRejectionCallback): Added.
2764         (JSC::VM::didExhaustMicrotaskQueue): Added.
2765         (JSC::VM::promiseRejected): Added.
2766         (JSC::VM::drainMicrotasks):
2767         When microtask queue is exhausted, deal with any pending unhandled rejections
2768         (in a manner based on RejectedPromiseTracker's reportUnhandledRejections),
2769         then make sure this didn't cause any new microtasks to be added to the queue.
2770
2771         * runtime/VM.h:
2772         Store unhandled rejections.
2773         (This collection will always be empty in the presence of WebCore.)
2774
2775 2019-08-22  Mark Lam  <mark.lam@apple.com>
2776
2777         VirtualRegister::dump() can use more informative CallFrame header slot names.
2778         https://bugs.webkit.org/show_bug.cgi?id=201062
2779
2780         Reviewed by Tadeu Zagallo.
2781
2782         For example, it currently dumps head3 instead of callee.  This patch changes the
2783         dump as follows (for 64-bit addressing):
2784             head0 => callerFrame
2785             head1 => returnPC
2786             head2 => codeBlock
2787             head3 => callee
2788             head4 => argumentCount
2789
2790         Now, one might be wondering when would bytecode ever access callerFrame and
2791         returnPC?  The answer is never.  However, I don't think it's the role of the
2792         dumper to catch a bug where these header slots are being used.  The dumper's role
2793         is to clearly report them so that we can see that these unexpected values are
2794         being used.
2795
2796         * bytecode/VirtualRegister.cpp:
2797         (JSC::VirtualRegister::dump const):
2798
2799 2019-08-22  Andy Estes  <aestes@apple.com>
2800
2801         [watchOS] Disable Content Filtering in the simulator build
2802         https://bugs.webkit.org/show_bug.cgi?id=201047
2803
2804         Reviewed by Tim Horton.
2805
2806         * Configurations/FeatureDefines.xcconfig:
2807
2808 2019-08-22  Adrian Perez de Castro  <aperez@igalia.com>
2809
2810         [GTK][WPE] Fixes for non-unified builds after r248547
2811         https://bugs.webkit.org/show_bug.cgi?id=201044
2812
2813         Reviewed by Philippe Normand.
2814
2815         * b3/B3ReduceLoopStrength.cpp: Add missing inclusions of B3BasicBlockInlines.h,
2816         B3InsertionSet.h, and B3NaturalLoops.h
2817         * wasm/WasmOMGForOSREntryPlan.h: Include WasmCallee.h instead of forward-declaring
2818         BBQCallee in order to avoid build failure due to incomplete definition on template
2819         expansions.
2820
2821 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
2822
2823         Add missing exception check in canonicalizeLocaleList
2824         https://bugs.webkit.org/show_bug.cgi?id=201021
2825
2826         Reviewed by Mark Lam.
2827
2828         * runtime/IntlObject.cpp:
2829         (JSC::canonicalizeLocaleList):
2830
2831 2019-08-17  Darin Adler  <darin@apple.com>
2832
2833         Use makeString and multi-argument StringBuilder::append instead of less efficient multiple appends
2834         https://bugs.webkit.org/show_bug.cgi?id=200862
2835
2836         Reviewed by Ryosuke Niwa.
2837
2838         * runtime/ExceptionHelpers.cpp:
2839         (JSC::createUndefinedVariableError): Got rid of unnecessary local variable.
2840         (JSC::notAFunctionSourceAppender): Use single append instead of multiple.
2841         Eliminate unneeded and unconventional use of makeString on a single string literal.
2842         (JSC::invalidParameterInstanceofNotFunctionSourceAppender): Ditto.
2843         (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender): Ditto.
2844         (JSC::createInvalidFunctionApplyParameterError): Ditto.
2845         (JSC::createInvalidInParameterError): Ditto.
2846         (JSC::createInvalidInstanceofParameterErrorNotFunction): Ditto.
2847         (JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction): Ditto.
2848
2849         * runtime/FunctionConstructor.cpp:
2850         (JSC::constructFunctionSkippingEvalEnabledCheck): Use single append instead of multiple.
2851         * runtime/Options.cpp:
2852         (JSC::Options::dumpOption): Ditto.
2853         * runtime/TypeProfiler.cpp:
2854         (JSC::TypeProfiler::typeInformationForExpressionAtOffset): Ditto.
2855         * runtime/TypeSet.cpp:
2856         (JSC::StructureShape::stringRepresentation): Ditto. Also use a modern for loop.
2857
2858 2019-08-21  Mark Lam  <mark.lam@apple.com>
2859
2860         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
2861         https://bugs.webkit.org/show_bug.cgi?id=201016
2862         <rdar://problem/54579911>
2863
2864         Reviewed by Yusuke Suzuki.
2865
2866         Currently, Wasm::FunctionParser is allowing
2867
2868             maxFunctionParams + maxFunctionLocals * maxFunctionLocals
2869
2870         ... locals, which is 0x9502FCE8.  It should be enforcing max locals of
2871         maxFunctionLocals instead.
2872
2873         * wasm/WasmFunctionParser.h:
2874         (JSC::Wasm::FunctionParser<Context>::parse):
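
        The limit problem described in this entry, as an added example (not JSC's WasmFunctionParser.h): a small parser for the local declarations of a WebAssembly function body that contrasts a per-entry bound, which admits maxFunctionParams + maxFunctionLocals * maxFunctionLocals locals in total, with a bound on the running total. The limit values are assumptions chosen so the weak bound equals the 0x9502FCE8 figure quoted above; the page does not state them.

```python
# Added example, not JSC's WasmFunctionParser.h: parses the locals vector at
# the start of a WebAssembly function body and shows a per-entry bound (the
# weak form described in the ChangeLog entry) beside a bound on the running
# total of locals.

# Assumed limits (not stated on the page): chosen so that
# MAX_FUNCTION_PARAMS + MAX_FUNCTION_LOCALS * MAX_FUNCTION_LOCALS equals the
# 0x9502FCE8 figure quoted in the entry.
MAX_FUNCTION_PARAMS = 1000
MAX_FUNCTION_LOCALS = 50000

# Number types of the WebAssembly MVP, keyed by their valtype byte.
VALTYPES = {0x7F: "i32", 0x7E: "i64", 0x7D: "f32", 0x7C: "f64"}


class ParseError(ValueError):
    """Raised for malformed or over-limit local declarations."""


def read_leb128_u32(data, pos):
    """Decode an unsigned LEB128 u32 at data[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ParseError("truncated LEB128")
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            if result > 0xFFFFFFFF:
                raise ParseError("LEB128 value exceeds u32")
            return result, pos
        shift += 7
        if shift >= 35:          # a u32 needs at most five LEB128 bytes
            raise ParseError("LEB128 too long for u32")


def encode_leb128_u32(value):
    """Encode value as unsigned LEB128 (used to build constructed inputs)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def build_locals(entries):
    """Encode a locals vector: entry count, then (n, valtype) pairs.
    Constructed input for the tests below."""
    body = bytearray(encode_leb128_u32(len(entries)))
    for n, valtype in entries:
        body += encode_leb128_u32(n)
        body.append(valtype)
    return bytes(body)


def parse_locals(data, param_count, strict):
    """Parse the locals vector and return (total_locals, bytes_consumed),
    where total_locals counts the parameters plus every declared local.

    strict=False bounds only the entry count and each entry's own count, so
    the total can reach MAX_FUNCTION_PARAMS + MAX_FUNCTION_LOCALS ** 2.
    strict=True bounds the running total by MAX_FUNCTION_LOCALS; the check is
    written as a subtraction so it cannot overflow when ported to C++ u32s.
    """
    if param_count > MAX_FUNCTION_PARAMS:
        raise ParseError("too many parameters")
    total = param_count
    entry_count, pos = read_leb128_u32(data, 0)
    if entry_count > MAX_FUNCTION_LOCALS:
        raise ParseError("too many local declaration entries")
    for _ in range(entry_count):
        n, pos = read_leb128_u32(data, pos)
        if pos >= len(data):
            raise ParseError("truncated local entry")
        valtype = data[pos]
        pos += 1
        if valtype not in VALTYPES:
            raise ParseError("unknown valtype 0x%02x" % valtype)
        if strict:
            if n > MAX_FUNCTION_LOCALS - total:
                raise ParseError("more than %d locals" % MAX_FUNCTION_LOCALS)
        elif n > MAX_FUNCTION_LOCALS:
            raise ParseError("entry declares more than %d locals" % MAX_FUNCTION_LOCALS)
        total += n
    return total, pos


def weak_bound():
    """Largest total the non-strict checks admit, the figure from the entry."""
    return MAX_FUNCTION_PARAMS + MAX_FUNCTION_LOCALS * MAX_FUNCTION_LOCALS


def strict_rejects(data, param_count):
    """True if strict parsing refuses the locals vector."""
    try:
        parse_locals(data, param_count, strict=True)
    except ParseError:
        return True
    return False
```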
2875
2876 2019-08-21  Michael Saboff  <msaboff@apple.com>
2877
2878         [JSC] incorrect JIT leads to StackOverflow
2879         https://bugs.webkit.org/show_bug.cgi?id=197823
2880
2881         Reviewed by Tadeu Zagallo.
2882
2883         Added stack overflow check to the bound function thunk generator.  Added a new C++ operation
2884         throwStackOverflowErrorFromThunk() to throw the error.
2885
2886         * jit/JITOperations.cpp:
2887         * jit/JITOperations.h:
2888         * jit/ThunkGenerators.cpp:
2889         (JSC::boundThisNoArgsFunctionCallGenerator):
2890
2891 2019-08-21  Devin Rousso  <drousso@apple.com>
2892
2893         Web Inspector: Page: re-add enable/disable after r248454
2894         https://bugs.webkit.org/show_bug.cgi?id=200947
2895
2896         Reviewed by Joseph Pecoraro.
2897
2898         We shouldn't design the agent system with only Web Inspector in mind. Other clients may want
2899         to have different functionality, not being told about frame creation/updates/destruction.
2900         In these cases, we should have graceful error message failures for other agents that rely on
2901         the Page agent.
2902
2903         * inspector/protocol/Page.json:
2904
2905 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
2906
2907         Identify memcpy loops in b3
2908         https://bugs.webkit.org/show_bug.cgi?id=200181
2909
2910         Reviewed by Saam Barati.
2911
2912         Add a new pass in B3 to identify one type of forward byte copy loop and replace it with a call to a custom version of memcpy
2913         that will not cause GC tearing and have the correct behaviour when overlapping regions are passed in.
2914
2915         Microbenchmarks show memcpy-typed-loop-large is about 6x faster, and everything else is neutral. The optimization is disabled
2916         on arm for now, until we add a memcpy implementation for it.
2917
2918         * JavaScriptCore.xcodeproj/project.pbxproj:
2919         * Sources.txt:
2920         * b3/B3Generate.cpp:
2921         (JSC::B3::generateToAir):
2922         * b3/B3ReduceLoopStrength.cpp: Added.
2923         (JSC::B3::fastForwardCopy32):
2924         (JSC::B3::ReduceLoopStrength::AddrInfo::appendAddr):
2925         (JSC::B3::ReduceLoopStrength::ReduceLoopStrength):
2926         (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy):
2927         (JSC::B3::ReduceLoopStrength::hoistValue):
2928         (JSC::B3::ReduceLoopStrength::run):
2929         (JSC::B3::reduceLoopStrength):
2930         * b3/B3ReduceLoopStrength.h: Added.
2931         * b3/testb3.h:
2932         * b3/testb3_1.cpp:
2933         (run):
2934         * b3/testb3_8.cpp:
2935         (testFastForwardCopy32):
2936         (testByteCopyLoop):
2937         (testByteCopyLoopStartIsLoopDependent):
2938         (testByteCopyLoopBoundIsLoopDependent):
2939         (addCopyTests):
2940
2941 2019-08-20  Devin Rousso  <drousso@apple.com>
2942
2943         Unreviewed, speculative build fix for High Sierra after r248925
2944
2945         * inspector/JSInjectedScriptHost.cpp:
2946         (Inspector::HeapHolderFinder::dump):
2947
2948 2019-08-20  Mark Lam  <mark.lam@apple.com>
2949
2950         Remove superfluous size argument to allocateCell() for fixed size objects.
2951         https://bugs.webkit.org/show_bug.cgi?id=200958
2952
2953         Reviewed by Yusuke Suzuki.
2954
2955         The size is already automatically computed by the allocateCell() template's default
2956         arguments.  Removing these superfluous arguments will make it easier for us to
2957         grep for cases where we do allocate variable size cells (for later analysis work).
2958
2959         * jsc.cpp:
2960         (JSC::Masquerader::create):
2961         (JSCMemoryFootprint::create):
2962         * tools/JSDollarVM.cpp:
2963         (JSC::JSDollarVMCallFrame::create):
2964         (JSC::Element::create):
2965         (JSC::Root::create):
2966         (JSC::SimpleObject::create):
2967         (JSC::ImpureGetter::create):
2968         (JSC::CustomGetter::create):
2969         (JSC::DOMJITNode::create):
2970         (JSC::DOMJITGetter::create):
2971         (JSC::DOMJITGetterComplex::create):
2972         (JSC::DOMJITFunctionObject::create):
2973         (JSC::DOMJITCheckSubClassObject::create):
2974         (JSC::DOMJITGetterBaseJSObject::create):
2975         (JSC::JSTestCustomGetterSetter::create):
2976         (JSC::WasmStreamingParser::create):
2977
2978 2019-08-20  Mark Lam  <mark.lam@apple.com>
2979
2980         JSBigInt::m_length should be immutable.
2981         https://bugs.webkit.org/show_bug.cgi?id=200956
2982
2983         Reviewed by Yusuke Suzuki.
2984
2985         This is because the JSBigInt cell size is allocated with that length.  Changing
2986         the length after construction does not change the size of the cell, and hence,
2987         makes no sense.
2988
2989         This patch removes the setLength() method, and decorates the m_length field with
2990         const to enforce that it is immutable after construction.
2991
2992         * runtime/JSBigInt.h:
2993
2994 2019-08-20  Devin Rousso  <drousso@apple.com>
2995
2996         Web Inspector: Implement `queryHolders` Command Line API
2997         https://bugs.webkit.org/show_bug.cgi?id=200458
2998
2999         Reviewed by Joseph Pecoraro.
3000
3001         Call `queryHolders(object)` from the Console to return an array of objects that strongly
3002         reference the given `object`. This could be very useful for finding JavaScript "leaks".
3003
3004         * inspector/InjectedScriptSource.js:
3005         (queryHolders): Added.
3006         * inspector/JSInjectedScriptHost.h:
3007         * inspector/JSInjectedScriptHost.cpp:
3008         (Inspector::HeapHolderFinder::HeapHolderFinder): Added.
3009         (Inspector::HeapHolderFinder::holders): Added.
3010         (Inspector::HeapHolderFinder::analyzeEdge): Added.
3011         (Inspector::HeapHolderFinder::analyzePropertyNameEdge): Added.
3012         (Inspector::HeapHolderFinder::analyzeVariableNameEdge): Added.
3013         (Inspector::HeapHolderFinder::analyzeIndexEdge): Added.
3014         (Inspector::HeapHolderFinder::analyzeNode): Added.
3015         (Inspector::HeapHolderFinder::setOpaqueRootReachabilityReasonForCell): Added.
3016         (Inspector::HeapHolderFinder::setWrappedObjectForCell): Added.
3017         (Inspector::HeapHolderFinder::setLabelForCell): Added.
3018         (Inspector::HeapHolderFinder::dump): Added.
3019         (Inspector::JSInjectedScriptHost::queryHolders): Added.
3020         * inspector/JSInjectedScriptHostPrototype.cpp:
3021         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
3022         (Inspector::jsInjectedScriptHostPrototypeFunctionQueryHolders): Added.
3023
3024         * heap/HeapAnalyzer.h: Added.
3025         Create an abstract base class for analyzing the Heap during a GC. Rather than create an
3026         entire `HeapSnapshot` for `queryHolders`, the `HeapHolderFinder` can just walk the Heap and
3027         only save the information it needs to determine the holders of the given `object`.
3028
3029         * heap/Heap.h:
3030         * heap/Heap.cpp:
3031         (JSC::Heap::isAnalyzingHeap const): Added.
3032         (JSC::GatherExtraHeapData::GatherExtraHeapData): Added.
3033         (JSC::GatherExtraHeapData::operator() const): Added.
3034         (JSC::Heap::gatherExtraHeapData): Added.
3035         (JSC::Heap::didFinishCollection): Added.
3036         (JSC::Heap::isHeapSnapshotting const): Deleted.
3037         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData): Deleted.
3038         (JSC::GatherHeapSnapshotData::operator() const): Deleted.
3039         (JSC::Heap::gatherExtraHeapSnapshotData): Deleted.
3040         * heap/SlotVisitor.h:
3041         (JSC::SlotVisitor::isAnalyzingHeap const): Added.
3042         (JSC::SlotVisitor::heapAnalyzer const): Added.
3043         (JSC::SlotVisitor::isBuildingHeapSnapshot const): Deleted.
3044         (JSC::SlotVisitor::heapSnapshotBuilder const): Deleted.
3045         * heap/SlotVisitor.cpp:
3046         (JSC::SlotVisitor::didStartMarking):
3047         (JSC::SlotVisitor::reset):
3048         (JSC::SlotVisitor::appendSlow):
3049         (JSC::SlotVisitor::visitChildren):
3050         * heap/SlotVisitorInlines.h:
3051         (JSC::SlotVisitor::appendUnbarriered):
3052         * heap/WeakBlock.cpp:
3053         (JSC::WeakBlock::specializedVisit):
3054         * runtime/Structure.cpp:
3055         (JSC::Structure::visitChildren):
3056         Rename `HeapAnalyzer` functions to be less specific to building a `HeapSnapshot`.
3057
3058         * heap/HeapProfiler.h:
3059         (JSC::HeapProfiler::activeHeapAnalyzer const): Added.
3060         (JSC::HeapProfiler::activeSnapshotBuilder const): Deleted.
3061         * heap/HeapProfiler.cpp:
3062         (JSC::HeapProfiler::setActiveHeapAnalyzer): Added.
3063         (JSC::HeapProfiler::setActiveSnapshotBuilder): Deleted.
3064         * heap/HeapSnapshotBuilder.h:
3065         * heap/HeapSnapshotBuilder.cpp:
3066         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
3067         (JSC::HeapSnapshotBuilder::buildSnapshot):
3068         (JSC::HeapSnapshotBuilder::analyzeNode): Added.
3069         (JSC::HeapSnapshotBuilder::analyzeEdge): Added.
3070         (JSC::HeapSnapshotBuilder::analyzePropertyNameEdge): Added.
3071         (JSC::HeapSnapshotBuilder::analyzeVariableNameEdge): Added.
3072         (JSC::HeapSnapshotBuilder::analyzeIndexEdge): Added.
3073         (JSC::HeapSnapshotBuilder::appendNode): Deleted.
3074         (JSC::HeapSnapshotBuilder::appendEdge): Deleted.
3075         (JSC::HeapSnapshotBuilder::appendPropertyNameEdge): Deleted.
3076         (JSC::HeapSnapshotBuilder::appendVariableNameEdge): Deleted.
3077         (JSC::HeapSnapshotBuilder::appendIndexEdge): Deleted.
3078
3079         * inspector/InjectedScriptManager.h:
3080         * inspector/agents/InspectorRuntimeAgent.cpp:
3081
3082         * runtime/ClassInfo.h:
3083         * runtime/JSCell.h:
3084         * runtime/JSCell.cpp:
3085         (JSC::JSCell::analyzeHeap): Added.
3086         (JSC::JSCell::heapSnapshot): Deleted.
3087         * runtime/JSLexicalEnvironment.h:
3088         * runtime/JSLexicalEnvironment.cpp:
3089         (JSC::JSLexicalEnvironment::analyzeHeap): Added.
3090         (JSC::JSLexicalEnvironment::heapSnapshot): Deleted.
3091         * runtime/JSObject.h:
3092         * runtime/JSObject.cpp:
3093         (JSC::JSObject::analyzeHeap): Added.
3094         (JSC::JSObject::heapSnapshot): Deleted.
3095         * runtime/JSSegmentedVariableObject.h:
3096         * runtime/JSSegmentedVariableObject.cpp:
3097         (JSC::JSSegmentedVariableObject::analyzeHeap): Added.
3098         (JSC::JSSegmentedVariableObject::heapSnapshot): Deleted.
3099         Rename `heapSnapshot` to `analyzeHeap`.
3100
3101         * CMakeLists.txt:
3102         * JavaScriptCore.xcodeproj/project.pbxproj:
3103
3104 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
3105
3106         [WASM-References] Enable by default
3107         https://bugs.webkit.org/show_bug.cgi?id=200931
3108
3109         Reviewed by Saam Barati.
3110
3111         * runtime/Options.h:
3112
3113 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
3114
3115         [JSC] Array.prototype.toString should not get "join" function each time
3116         https://bugs.webkit.org/show_bug.cgi?id=200905
3117
3118         Reviewed by Mark Lam.
3119
3120         We avoid looking up `join` every time Array#toString is called. This patch implements the most profitable and easy
3121         case first, as we are doing for the Array#slice optimization: a non-modified original Array. We configure a watchpoint for
3122         Array.prototype.join changes and use this information together with structure information to determine whether the `join` lookup
3123         in Array.prototype.toString is unnecessary. This improves the JetStream2/3d-raytrace-SP score by 1.6%:
3124
3125             ToT:     363.56
3126             Patched: 369.26
3127
3128         This patch also renames InlineWatchpointSet fields from Watchpoint to WatchpointSet since they are not Watchpoints.
3129
3130         * dfg/DFGByteCodeParser.cpp:
3131         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3132         * dfg/DFGGraph.h:
3133         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
3134         (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
3135         * runtime/ArrayPrototype.cpp:
3136         (JSC::speciesWatchpointIsValid):
3137         (JSC::canUseDefaultArrayJoinForToString):
3138         (JSC::arrayProtoFuncToString):
3139         * runtime/JSGlobalObject.cpp:
3140         (JSC::JSGlobalObject::JSGlobalObject):
3141         (JSC::JSGlobalObject::init):
3142         (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
3143         * runtime/JSGlobalObject.h:
3144         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpointSet):
3145         (JSC::JSGlobalObject::mapIteratorProtocolWatchpointSet):
3146         (JSC::JSGlobalObject::setIteratorProtocolWatchpointSet):
3147         (JSC::JSGlobalObject::stringIteratorProtocolWatchpointSet):
3148         (JSC::JSGlobalObject::mapSetWatchpointSet):
3149         (JSC::JSGlobalObject::setAddWatchpointSet):
3150         (JSC::JSGlobalObject::arraySpeciesWatchpointSet):
3151         (JSC::JSGlobalObject::arrayJoinWatchpointSet):
3152         (JSC::JSGlobalObject::numberToStringWatchpointSet):
3153         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint): Deleted.
3154         (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint): Deleted.
3155         (JSC::JSGlobalObject::setIteratorProtocolWatchpoint): Deleted.
3156         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint): Deleted.
3157         (JSC::JSGlobalObject::mapSetWatchpoint): Deleted.
3158         (JSC::JSGlobalObject::setAddWatchpoint): Deleted.
3159         (JSC::JSGlobalObject::arraySpeciesWatchpoint): Deleted.
3160         (JSC::JSGlobalObject::numberToStringWatchpoint): Deleted.
3161         * runtime/JSGlobalObjectInlines.h:
3162         (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
3163         (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
3164         (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
3165         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
3166         (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
3167         (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):
3168
3169 2019-08-20  Joseph Pecoraro  <pecoraro@apple.com>
3170
3171         Web Inspector: Support for JavaScript BigInt
3172         https://bugs.webkit.org/show_bug.cgi?id=180731
3173         <rdar://problem/36298748>
3174
3175         Reviewed by Devin Rousso.
3176
3177         * inspector/InjectedScriptSource.js:
3178         (toStringDescription):
3179         (isSymbol):
3180         (isBigInt):
3181         (let.InjectedScript.prototype._fallbackWrapper):
3182         (let.RemoteObject):
3183         (let.RemoteObject.subtype):
3184         (let.RemoteObject.describe):
3185         (let.RemoteObject.prototype._appendPropertyPreviews):
3186         (let.RemoteObject.set _isPreviewableObjectInternal):
3187         (let.RemoteObject.prototype._isPreviewableObject.set add):
3188         * inspector/protocol/Runtime.json:
3189         New RemoteObject type and preview support.
3190
3191         * runtime/RuntimeType.cpp:
3192         (JSC::runtimeTypeForValue):
3193         (JSC::runtimeTypeAsString):
3194         * runtime/RuntimeType.h:
3195         * runtime/TypeSet.cpp:
3196         (JSC::TypeSet::displayName const):
3197         (JSC::TypeSet::inspectorTypeSet const):
3198         New type for the type profiler.
3199
3200         * heap/HeapSnapshotBuilder.cpp:
3201         (JSC::HeapSnapshotBuilder::json):
3202         * inspector/agents/InspectorHeapAgent.cpp:
3203         (Inspector::InspectorHeapAgent::getPreview):
3204         * runtime/JSBigInt.cpp:
3205         (JSC::JSBigInt::toString):
3206         (JSC::JSBigInt::tryGetString):
3207         (JSC::JSBigInt::toStringBasePowerOfTwo):
3208         (JSC::JSBigInt::toStringGeneric):
3209         * runtime/JSBigInt.h:
3210         BigInts are not tied to a GlobalObject, so provide a way to get a
3211         String for HeapSnapshot previews that are not tied to an ExecState.
3212
3213 2019-08-19  Devin Rousso  <drousso@apple.com>
3214
3215         Web Inspector: Debugger: add a global breakpoint for pausing in the next microtask
3216         https://bugs.webkit.org/show_bug.cgi?id=200652
3217
3218         Reviewed by Joseph Pecoraro.
3219
3220         * inspector/protocol/Debugger.json:
3221         Add `setPauseOnMicrotasks` command.
3222
3223         * inspector/agents/InspectorDebuggerAgent.h:
3224         * inspector/agents/InspectorDebuggerAgent.cpp:
3225         (Inspector::InspectorDebuggerAgent::disable):
3226         (Inspector::InspectorDebuggerAgent::setPauseOnMicrotasks): Added.
3227         (Inspector::InspectorDebuggerAgent::willRunMicrotask): Added.
3228         (Inspector::InspectorDebuggerAgent::didRunMicrotask): Added.
3229
3230         * debugger/Debugger.h:
3231         (JSC::Debugger::willRunMicrotask): Added.
3232         (JSC::Debugger::didRunMicrotask): Added.
3233         * inspector/ScriptDebugListener.h:
3234         * inspector/ScriptDebugServer.h:
3235         * inspector/ScriptDebugServer.cpp:
3236         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
3237         (Inspector::ScriptDebugServer::sourceParsed):
3238         (Inspector::ScriptDebugServer::willRunMicrotask): Added.
3239         (Inspector::ScriptDebugServer::didRunMicrotask): Added.
3240         (Inspector::ScriptDebugServer::canDispatchFunctionToListeners const): Added.
3241         (Inspector::ScriptDebugServer::dispatchFunctionToListeners): Added.
3242         (Inspector::ScriptDebugServer::handlePause):
3243         (Inspector::ScriptDebugServer::dispatchDidPause): Deleted.
3244         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Deleted.
3245         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Deleted.
3246         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Deleted.
3247         (Inspector::ScriptDebugServer::dispatchDidContinue): Deleted.
3248         (Inspector::ScriptDebugServer::dispatchDidParseSource): Deleted.
3249         (Inspector::ScriptDebugServer::dispatchFailedToParseSource): Deleted.
3250         Unify the various `dispatch*` functions to use lambdas so state management is centralized.
3251
3252         * runtime/JSMicrotask.cpp:
3253         (JSC::JSMicrotask::run):
3254
3255         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
3256
3257 2019-08-19  Devin Rousso  <drousso@apple.com>
3258
3259         Web Inspector: Debugger: pause on assertion failures breakpoint doesn't work when inspecting a JSContext
3260         https://bugs.webkit.org/show_bug.cgi?id=200874
3261
3262         Reviewed by Joseph Pecoraro.
3263
3264         * inspector/JSGlobalObjectConsoleClient.cpp:
3265         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
3266
3267 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
3268
3269         Proxy constructor should throw if handler is revoked Proxy
3270         https://bugs.webkit.org/show_bug.cgi?id=198755
3271
3272         Reviewed by Saam Barati.
3273
3274         Reword the error message and check whether the handler is a revoked Proxy
3275         (step 4 of https://tc39.es/ecma262/#sec-proxycreate).
3276
3277         * runtime/ProxyObject.cpp:
3278         (JSC::ProxyObject::finishCreation): Add isRevoked check.
3279
3280 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
3281
3282         [JSC] OSR entry to Wasm OMG
3283         https://bugs.webkit.org/show_bug.cgi?id=200362
3284
3285         Reviewed by Michael Saboff.
3286
3287         This patch implements the Wasm OSR entry mechanism from the BBQ tier to the OMG tier.
3288         We found that one of the JetStream2 tests heavily relies on the OSR entry feature. gcc-loops-wasm spends
3289         most of its time in the BBQ tier since one of its functions takes significantly long. And since we did
3290         not have the OSR entry feature, we could not use the OMG function until that BBQ function finished.
3291
3292         To implement the Wasm OSR feature, we first capture all locals and stack values in the patchpoint to generate
3293         the stackmap. Once the threshold is crossed, the patchpoint calls the `MacroAssembler::probe` feature to
3294         capture the whole register context, and a C++ runtime function reads the stackmap and Probe::Context to perform
3295         OSR entry. This patch intentionally puts as much of the OSR entry logic as possible on the C++ runtime side
3296         to make it easily reusable for the other tiers. For example, we are planning to introduce a Wasm interpreter,
3297         and it can easily use this tier-up function. Because of this simplicity, this generic implementation can
3298         cover both BBQ Air and BBQ B3 tier-up features. So, in the future, it is possible that we revive BBQ B3
3299         and construct the wasm pipeline like interpreter->BBQ B3->OMG B3.
3300
3301         To generate OMG code for OSR entry, we add a new mode, OMGForOSREntry, which mimics FTLForOSREntry.
3302         In FTLForOSREntry, we cut unrelated blocks, including the usual entry point, in the DFG tier and later convert the
3303         graph to SSA. This is possible because DFG is not SSA. On the other hand, B3 is SSA and we cannot do the
3304         same thing without a hack.
3305
3306         This patch introduces a hack: making all wasm locals and stack values B3::Variables in OMGForOSREntry mode.
3307         Then we can cut blocks easily and generate the B3 graph without doing reachability analysis from the
3308         OSR entry point. B3 will remove unreachable blocks later.
3309
3310         The tier-up function mimics the DFG->FTL OSR entry heuristics and threshold as much as possible. And this patch adjusts
3311         the tier-up count threshold to make it close to the DFG->FTL ones. Wasm tier-up is now using ExecutionCounter, which
3312         is inherited from Wasm::TierUpCount. Since wasm can execute concurrently, the tier-up counter can be racily updated.
3313         But this is OK in practice. Even if we see some more tier-up function calls, or tier-up function calls are delayed,
3314         the critical part is guarded by a lock in the tier-up function.
3315
3316         On iMac Pro, it shows ~4x runtime improvement for gcc-loops-wasm. On an iOS device (iPhone XR), we saw ~2x improvement.
3317
3318             ToT:
3319                 HashSet-wasm:Score: 24.6pt stdev=4.6%