Unreviewed, forgot to add untracked files.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, forgot to add untracked files.

        * llint/LLIntSettingsExtractor.cpp: Added.
        (main):
        * offlineasm/generate_settings_extractor.rb: Added.

2018-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, reland https://bugs.webkit.org/show_bug.cgi?id=189708 with build fix.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/offsets.rb:
        * offlineasm/settings.rb:

2018-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, add missing include.

        * runtime/BasicBlockLocation.h:

2018-10-15  Keith Miller  <keith_miller@apple.com>

        Support arm64 CPUs with a 32-bit address space
        https://bugs.webkit.org/show_bug.cgi?id=190273

        Reviewed by Michael Saboff.

        This patch adds support for arm64_32 in the LLInt. In order to
        make this work we needed to add a new type that reflects the size
        of a cpu register. This type is called CPURegister or UCPURegister
        for the unsigned version. Most places that used void* or intptr_t
        to refer to a register have been changed to use this new type.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        (JSC::isInt):
        (JSC::is4ByteAligned):
        (JSC::PairPostIndex::PairPostIndex):
        (JSC::PairPreIndex::PairPreIndex):
        (JSC::ARM64Assembler::readPointer):
        (JSC::ARM64Assembler::readCallTarget):
        (JSC::ARM64Assembler::computeJumpType):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        (JSC::ARM64Assembler::loadRegisterLiteral):
        (JSC::ARM64Assembler::loadStoreRegisterPairPostIndex):
        (JSC::ARM64Assembler::loadStoreRegisterPairPreIndex):
        (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
        (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
        (JSC::isInt7): Deleted.
        (JSC::isInt11): Deleted.
        * assembler/CPU.h:
        (JSC::isAddress64Bit):
        (JSC::isAddress32Bit):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load):
        (JSC::MacroAssemblerARM64::store):
        (JSC::MacroAssemblerARM64::isInIntRange): Deleted.
        * assembler/Printer.h:
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr):
        (JSC::Probe::CPUState::spr):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        * b3/B3ConstPtrValue.h:
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::stackSlot const):
        (JSC::B3::Air::Arg::special const):
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testStoreConstantPtr):
        (JSC::B3::testInterpreter):
        (JSC::B3::testAddShl32):
        (JSC::B3::testLoadBaseIndexShift32):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptCallArgumentHandler::appendArgument):
        * bindings/ScriptFunctionCall.h:
        * bytecode/CodeBlock.cpp:
        (JSC::roundCalleeSaveSpaceAsVirtualRegisters):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::restoreCalleeSavesFor):
        (JSC::DFG::saveCalleeSavesFor):
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
        * heap/MachineStackMarker.cpp:
        (JSC::copyMemory):
        * interpreter/CallFrame.h:
        (JSC::ExecState::returnPC const):
        (JSC::ExecState::hasReturnPC const):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::isGlobalExec const):
        (JSC::ExecState::setReturnPC):
        * interpreter/CalleeBits.h:
        (JSC::CalleeBits::boxWasm):
        (JSC::CalleeBits::isWasm const):
        (JSC::CalleeBits::asWasmCallee const):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
        * interpreter/VMEntryRecord.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::clearStackFrame):
        * jit/RegisterAtOffset.h:
        (JSC::RegisterAtOffset::offsetAsIndex const):
        * jit/RegisterAtOffsetList.cpp:
        (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/parser.rb:
        * offlineasm/x86.rb:
        * runtime/BasicBlockLocation.cpp:
        (JSC::BasicBlockLocation::dumpData const):
        (JSC::BasicBlockLocation::emitExecuteCode const):
        * runtime/BasicBlockLocation.h:
        * runtime/HasOwnPropertyCache.h:
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::inplaceMultiplyAdd):
        (JSC::JSBigInt::digitDiv):
        * runtime/JSBigInt.h:
        * runtime/JSObject.h:
        * runtime/Options.cpp:
        (JSC::jitEnabledByDefault):
        * runtime/Options.h:
        * runtime/RegExp.cpp:
        (JSC::RegExp::printTraceData):
        * runtime/SamplingProfiler.cpp:
        (JSC::CFrameWalker::walk):
        * runtime/SlowPathReturnType.h:
        (JSC::encodeResult):
        (JSC::decodeResult):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SigillCrashAnalyzer::dumpCodeBlock):

2018-10-15  Justin Fan  <justin_fan@apple.com>

        Add WebGPU 2018 feature flag and experimental feature flag
        https://bugs.webkit.org/show_bug.cgi?id=190509

        Reviewed by Dean Jackson.

        Re-add ENABLE_WEBGPU, an experimental feature flag, and a RuntimeEnabledFeature
        for the 2018 WebGPU prototype.

        * Configurations/FeatureDefines.xcconfig:

2018-10-15  Timothy Hatcher  <timothy@apple.com>

        Add support for prefers-color-scheme media query
        https://bugs.webkit.org/show_bug.cgi?id=190499
        rdar://problem/45212025

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_DARK_MODE_CSS.

2018-10-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r237084, r237088, r237098, and
        r237114.
        https://bugs.webkit.org/show_bug.cgi?id=190602

        Breaks internal builds. (Requested by ryanhaddad on #webkit).

        Reverted changesets:

        "Separate configuration extraction from offset extraction"
        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237084

        "Gardening: Build fix after r237084."
        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237088

        "Gardening: Build fix after r237084."
        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237098

        "REGRESSION (r237084): JavaScriptCore fails to build on Linux"
        https://trac.webkit.org/changeset/237114

2018-10-15  Keith Miller  <keith_miller@apple.com>

        BytecodeDumper should print all switch labels
        https://bugs.webkit.org/show_bug.cgi?id=190596

        Reviewed by Saam Barati.

        Right now the bytecode dumper only prints the default target not any of the
        non-default targets.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):

2018-10-15  Saam barati  <sbarati@apple.com>

        Emit fjcvtzs on ARM64E on Darwin
        https://bugs.webkit.org/show_bug.cgi?id=184023

        Reviewed by Yusuke Suzuki and Filip Pizlo.

        ARMv8.3 introduced the fjcvtzs instruction which does double->int32
        conversion using the semantics defined by JavaScript:
        http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0801g/hko1477562192868.html
        This patch teaches JSC to use that instruction when possible.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::fjcvtzs):
        (JSC::ARM64Assembler::fjcvtzsInsn):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::supportsDoubleToInt32ConversionUsingJavaScriptSemantics):
        (JSC::MacroAssemblerARM64::convertDoubleToInt32UsingJavaScriptSemantics):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * disassembler/ARM64/A64DOpcode.cpp:
        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcode::appendInstructionName):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        * runtime/MathCommon.h:
        (JSC::toInt32):
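
A portable model of the conversion this entry is about, added here as an illustration and not taken from JSC's runtime/MathCommon.h or its assembler: ECMA-262 ToInt32 written out step by step (the semantics fjcvtzs implements in a single instruction), beside the range-check-plus-slow-path shape a JIT has to emit on hardware without that instruction. The function names are the example's own.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Portable implementation of ECMA-262 ToInt32, the conversion that fjcvtzs
// performs in one instruction on ARMv8.3. Added example, not JSC's toInt32();
// it follows the spec steps literally.
int32_t jsToInt32(double d) {
    // NaN, +0, -0, +Infinity and -Infinity all map to +0.
    if (!std::isfinite(d))
        return 0;
    // Truncate toward zero, then reduce modulo 2^32 into [0, 2^32).
    double t = std::trunc(d);
    double m = std::fmod(t, 4294967296.0); // fmod is exact for doubles
    if (m < 0)
        m += 4294967296.0;
    // Reinterpret the low 32 bits as a signed two's-complement value.
    uint32_t u = static_cast<uint32_t>(m);
    int32_t r;
    std::memcpy(&r, &u, sizeof r);
    return r;
}

// What a JIT has to emit without fjcvtzs: a plain truncating conversion is
// only correct when the double already fits in int32, so the generated code
// tests the range and branches to a slow path otherwise. Both comparisons
// are false for NaN, so NaN also takes the slow path and yields 0.
int32_t jsToInt32WithFastPath(double d, bool* tookFastPath) {
    if (d > -2147483649.0 && d < 2147483648.0) {
        *tookFastPath = true;
        return static_cast<int32_t>(d); // C++ truncation toward zero, in range
    }
    *tookFastPath = false;
    return jsToInt32(d);
}
```

The wrap-around cases are the ones worth keeping in mind when reading JIT output: 4294967295 converts to -1, 2^31 converts to INT32_MIN, and 1e20 converts to 1661992960, exactly as `x | 0` does in JavaScript.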

2018-10-15  Saam Barati  <sbarati@apple.com>

        JSArray::shiftCountWithArrayStorage is wrong when an array has holes
        https://bugs.webkit.org/show_bug.cgi?id=190262
        <rdar://problem/44986241>

        Reviewed by Mark Lam.

        We would take the fast path for shiftCountWithArrayStorage when the array
        hasHoles(). However, the code for this was wrong. It'd incorrectly update
        ArrayStorage::m_numValuesInVector. Since the hasHoles() for ArrayStorage
        path is never taken in JetStream 2, this patch just removes that from
        the fast path. Instead, we just fallback to the slow path when hasHoles().
        If we find evidence that this matters for real use cases, we can
        figure out a way to make the fast path work.

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
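
A toy model of the invariant this entry protects, added as an example and not JSC's JSArray or ArrayStorage code: a slot vector in which std::nullopt stands for a hole, a cached count of non-hole values mirroring m_numValuesInVector, a dense fast path that is only valid when there are no holes, a hole-aware path, and the gating the fix describes. The names ToyArrayStorage, shiftCountDense, shiftCountWithHoles and countIsConsistent are the example's own.

```cpp
#include <cstddef>
#include <optional>
#include <utility>
#include <vector>

// Toy model of an ArrayStorage-backed array: std::nullopt marks a hole, and
// numValuesInVector mirrors the cached count JSC keeps in
// ArrayStorage::m_numValuesInVector. Added example, not JSC code.
struct ToyArrayStorage {
    std::vector<std::optional<int>> vector;
    size_t numValuesInVector = 0;

    static ToyArrayStorage from(std::vector<std::optional<int>> slots) {
        ToyArrayStorage s;
        s.vector = std::move(slots);
        for (const auto& slot : s.vector)
            if (slot) s.numValuesInVector++;
        return s;
    }
    bool hasHoles() const { return numValuesInVector != vector.size(); }
    // The invariant the cache must keep: a fresh recount must agree with it.
    bool countIsConsistent() const {
        size_t n = 0;
        for (const auto& slot : vector)
            if (slot) n++;
        return n == numValuesInVector;
    }
};

// Dense fast path: valid only when every slot holds a value, so removing
// `count` slots removes exactly `count` values. Applied to storage with
// holes it leaves the cached count too low.
void shiftCountDense(ToyArrayStorage& s, size_t start, size_t count) {
    s.vector.erase(s.vector.begin() + start, s.vector.begin() + start + count);
    s.numValuesInVector -= count;
}

// Hole-aware slow path: only removed slots that held a value reduce the count.
void shiftCountWithHoles(ToyArrayStorage& s, size_t start, size_t count) {
    size_t removedValues = 0;
    for (size_t i = start; i < start + count; ++i)
        if (s.vector[i]) removedValues++;
    s.vector.erase(s.vector.begin() + start, s.vector.begin() + start + count);
    s.numValuesInVector -= removedValues;
}

// The gating the fix introduces: take the fast path only when !hasHoles().
void shiftCount(ToyArrayStorage& s, size_t start, size_t count) {
    if (s.hasHoles())
        shiftCountWithHoles(s, start, count);
    else
        shiftCountDense(s, start, count);
}
```

Applying shiftCountDense to ToyArrayStorage::from({1, nullopt, 3, nullopt, 5}) with start 1 and count 2 leaves numValuesInVector at 1 while two values remain, which is the kind of drift countIsConsistent() catches; shiftCount() routes that case through the hole-aware path instead, and a stale m_numValuesInVector is exactly the sort of cached-size mismatch that later code trusts when it decides how much storage it may touch.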

2018-10-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r237054.
        https://bugs.webkit.org/show_bug.cgi?id=190593

        "this regressed JetStream 2 by 6% on iOS" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "[JSC] JSC should have "parseFunction" to optimize Function
        constructor"
        https://bugs.webkit.org/show_bug.cgi?id=190340
        https://trac.webkit.org/changeset/237054

2018-10-14  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r237084): JavaScriptCore fails to build on Linux
        <https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10949>

        * llint/LLIntSettingsExtractor.cpp: Attempt to fix build by
        including <stdio.h>.

2018-10-15  Alex Christensen  <achristensen@webkit.org>

        Shrink more enum classes
        https://bugs.webkit.org/show_bug.cgi?id=190540

        Reviewed by Chris Dumez.

        * runtime/ConsoleTypes.h:

2018-10-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Disable DOMJIT on 32bit architecture
        https://bugs.webkit.org/show_bug.cgi?id=190387

        Reviewed by Mark Lam.

        We disable DOMJIT on 32-bit architectures due to exhaustion of registers.

        * runtime/Options.h:

2018-10-15  Alex Christensen  <achristensen@webkit.org>

        Include EnumTraits.h less
        https://bugs.webkit.org/show_bug.cgi?id=190535

        Reviewed by Chris Dumez.

        * runtime/ConsoleTypes.h:

2018-10-14  Mark Lam  <mark.lam@apple.com>

        Gardening: Build fix after r237084.
        https://bugs.webkit.org/show_bug.cgi?id=189708

        Unreviewed.

        * llint/LLIntOffsetsExtractor.cpp:

2018-10-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Remove Option::useAsyncIterator
        https://bugs.webkit.org/show_bug.cgi?id=190567

        Reviewed by Saam Barati.

        Async iterator has been enabled by default since 2017-08-09. It has already shipped in several releases,
        and we can consider it already mature. Let's drop the option `Option::useAsyncIterator`.

        * Configurations/FeatureDefines.xcconfig:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
        (JSC::BytecodeGenerator::emitNewFunction):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionMetadata):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        * runtime/Options.h:

2018-10-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Remove Options::useObjectRestSpread
        https://bugs.webkit.org/show_bug.cgi?id=190568

        Reviewed by Saam Barati.

        Options::useObjectRestSpread has been enabled by default since 2017-06-27. It has already shipped in several releases,
        and we can consider it mature. Let's drop the Options::useObjectRestSpread() flag.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseProperty):
        * parser/Parser.h:
        * runtime/Options.h:

2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] JSON.stringify can accept call-with-no-arguments
        https://bugs.webkit.org/show_bug.cgi?id=190343

        Reviewed by Mark Lam.

        JSON.stringify can accept a `JSON.stringify()` call (call with no arguments) according to the spec[1].
        Instead of throwing an error, we should take the first argument as `undefined` if it is not given.

        [1]: https://tc39.github.io/ecma262/#sec-json.stringify

        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncStringify):

2018-10-12  Tadeu Zagallo  <tzagallo@apple.com>

        Gardening: Build fix after r237084.
        https://bugs.webkit.org/show_bug.cgi?id=189708

        Unreviewed.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-10-12  Tadeu Zagallo  <tzagallo@apple.com>

        Separate configuration extraction from offset extraction
        https://bugs.webkit.org/show_bug.cgi?id=189708

        Reviewed by Keith Miller.

        Instead of generating a file with all offsets for every combination of
        configurations, we first generate a file with only the configuration
        indices and pass that to the offset extractor. The offset extractor then
        only generates the offsets for valid configurations.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntSettingsExtractor.cpp: Added.
        (main):
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/generate_settings_extractor.rb: Added.
        * offlineasm/offsets.rb:
        * offlineasm/settings.rb:

2018-10-12  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r237063.

        Caused layout test fast/dom/Window/window-postmessage-clone-
        deep-array.html to fail on macOS and iOS Debug bots.

        Reverted changeset:

        "[JSC] Remove gcc warnings on mips and armv7"
        https://bugs.webkit.org/show_bug.cgi?id=188598
        https://trac.webkit.org/changeset/237063

2018-10-11  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Remove gcc warnings on mips and armv7
        https://bugs.webkit.org/show_bug.cgi?id=188598

        Reviewed by Mark Lam.

        Fix many gcc/clang warnings that are false positives, mostly alignment
        issues.

        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printMemory):
        Use bitwise_cast instead of reinterpret_cast.
        * assembler/testmasm.cpp:
        (JSC::floatOperands):
        marked as potentially unused as it is not used on all platforms.
        (JSC::testProbeModifiesStackValues):
        modifiedFlags is not used on mips, so don't declare it.
        * bytecode/CodeBlock.h:
        Make ScriptExecutable::prepareForExecution() return an
        std::optional<Exception*> instead of a JSObject*.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        Update calling code for the prototype change of
        ScriptExecutable::prepareForExecution().
        * jit/JITOperations.cpp: Same as for Interpreter.cpp.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall): Same as for Interpreter.cpp.
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::dataStorage):
        Use bitwise_cast instead of reinterpret_cast.
        * runtime/ScriptExecutable.cpp:
        * runtime/ScriptExecutable.h:
        Make ScriptExecutable::prepareForExecution() return an
        std::optional<Exception*> instead of a JSObject*.
        * tools/JSDollarVM.cpp:
        (JSC::codeBlockFromArg): Use bitwise_cast instead of reinterpret_cast.

2018-10-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Use currentStackPointer more
        https://bugs.webkit.org/show_bug.cgi?id=190503

        Reviewed by Saam Barati.

        * runtime/VM.cpp:
        (JSC::VM::committedStackByteCount):

2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] JSC should have "parseFunction" to optimize Function constructor
        https://bugs.webkit.org/show_bug.cgi?id=190340

        Reviewed by Mark Lam.

        The current Function constructor is suboptimal. We parse the same piece of code three times to meet
        the spec requirement: (1) check the parameters' syntax, (2) check the body's syntax, and (3) parse the entire function.
        And to parse 1-3 correctly, we create two strings, the parameters and the entire function. This operation
        is really costly, and ideally we should meet the above requirement by parsing only once.

        To meet the above requirement, we add a special function to the Parser, parseSingleFunction. This function
        takes `std::optional<int> functionConstructorParametersEndPosition` and checks in the parser that this end position is correct.
        For example, if we run the code,

            Function('/*', '*/){')

        According to the spec, this should produce the parameter string '/*' and the body string '*/){'. The parameter
        string should be syntax-checked by the parser, which raises an error since it is incorrect. Instead of doing
        that, our implementation first creates the entire string.

            function anonymous(/*) {
                */){
            }

        And we parse it. At that time, we also pass the end position of the parameters to the parser. In the above case,
        the position of the `function anonymous(/*)' <> is passed. And in the parser, we check that the last token
        offset of the parameters is the given end position. This check allows us to raise the error correctly for the
        above example while parsing the entire function only once. And we do not need to create two strings either.

        This improves the performance of the Function constructor significantly. And web-tooling-benchmark/uglify-js is
        significantly sped up (28.2%).

        Before:
            uglify-js:  2.94 runs/s
        After:
            uglify-js:  3.77 runs/s

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseSingleFunction):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parseFunctionExpression):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        (JSC::Parser<LexerType>::parseArrowFunctionExpression):
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse):
        (JSC::parseFunctionForFunctionConstructor):
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition):
        (JSC::JSTokenLocation::JSTokenLocation): Deleted.
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::operator== const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/FunctionExecutable.h:
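
An added example of the end-position check this entry describes, written against a deliberately small tokenizer and not taken from JSC's Parser: the synthesized source layout (kPrefix, kParamsSuffix) follows the ECMAScript spec text for CreateDynamicFunction and is an assumption, as are the function names; the scanner understands only block and line comments, quoted strings and parentheses, not template or regex literals. The point it demonstrates is that the parameter list must close at exactly the offset where the caller's parameter string ended, so a `/*` in the parameters cannot swallow the `)` and let the body supply its own.

```cpp
#include <cstddef>
#include <string>

// Assumed layout of the synthesized source (spec shape; JSC's exact
// whitespace is not reproduced). The newline before ')' keeps a trailing
// "//" comment in the parameter string from eating the ')'.
const std::string kPrefix = "function anonymous(";
const std::string kParamsSuffix = "\n) {\n";

std::string synthesizeFunctionSource(const std::string& params, const std::string& body) {
    return kPrefix + params + kParamsSuffix + body + "\n}";
}

// Offset of the ')' that closes the parameter list, skipping block and line
// comments, quoted strings and nested parentheses the way a tokenizer would.
// Returns std::string::npos when the list never closes.
size_t findParameterListEnd(const std::string& src) {
    size_t i = kPrefix.size();
    int depth = 0;
    while (i < src.size()) {
        char c = src[i];
        bool hasNext = i + 1 < src.size();
        if (c == '/' && hasNext && src[i + 1] == '*') {       // block comment
            size_t end = src.find("*/", i + 2);
            if (end == std::string::npos) return std::string::npos;
            i = end + 2;
            continue;
        }
        if (c == '/' && hasNext && src[i + 1] == '/') {       // line comment
            size_t end = src.find('\n', i);
            if (end == std::string::npos) return std::string::npos;
            i = end + 1;
            continue;
        }
        if (c == '"' || c == '\'') {                          // string literal
            size_t j = i + 1;
            while (j < src.size() && src[j] != c) {
                if (src[j] == '\\') ++j;                      // skip escaped char
                ++j;
            }
            if (j >= src.size()) return std::string::npos;
            i = j + 1;
            continue;
        }
        if (c == '(') {
            ++depth;
        } else if (c == ')') {
            if (depth == 0) return i;
            --depth;
        }
        ++i;
    }
    return std::string::npos;
}

// The check described in the entry: the parameter list must close exactly
// where the caller's parameter string ended. A mismatch means tokens from one
// argument spilled into the other, so the call is rejected (JSC raises a
// SyntaxError) instead of silently compiling something the caller never wrote.
bool parametersEndWhereExpected(const std::string& params, const std::string& body) {
    std::string src = synthesizeFunctionSource(params, body);
    size_t expected = kPrefix.size() + params.size() + kParamsSuffix.find(')');
    return findParameterListEnd(src) == expected;
}
```

With this check, `Function('/*', '*/){')` is rejected because the scanner finds the closing `)` inside the body text, and a parameter string such as `a) { return 1 } function x(` is rejected because the list closes too early; ordinary parameters, default values with nested parentheses, strings containing `)` and a trailing `//` comment all pass.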

2018-10-11  Ross Kirsling  <ross.kirsling@sony.com>

        Fix non-existent define `CPU(JSVALUE64)`
        https://bugs.webkit.org/show_bug.cgi?id=190479

        Reviewed by Yusuke Suzuki.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsImpl):
        Correct CPU(JSVALUE64) to USE(JSVALUE64).

2018-10-11  Keith Rollin  <krollin@apple.com>

        CURRENT_ARCH should not be used in Run Script phase.
        https://bugs.webkit.org/show_bug.cgi?id=190407
        <rdar://problem/45133556>

        Reviewed by Alexey Proskuryakov.

        CURRENT_ARCH is used in a number of Xcode Run Script phases. However,
        CURRENT_ARCH is not well-defined during this phase (and may even have
        the value "undefined") since this phase is run just once per build
        rather than once per supported architecture. Migrate away from
        CURRENT_ARCH in favor of ARCHS, either by iterating over ARCHS and
        performing an operation for each value, or by picking the first entry
        in ARCHS and using that as a representative value.

        * JavaScriptCore.xcodeproj/project.pbxproj: Store
        LLIntDesiredOffsets.h into a directory with a name based on ARCHS
        rather than CURRENT_ARCH.

2018-10-10  Mark Lam  <mark.lam@apple.com>

        Changes towards allowing use of the ASAN detect_stack_use_after_return option.
        https://bugs.webkit.org/show_bug.cgi?id=190405
        <rdar://problem/45131464>

        Reviewed by Michael Saboff.

        The ASAN detect_stack_use_after_return option checks for use of stack variables
        after they have been freed.  It does this by allocating relevant stack variables
        in heap memory (instead of on the stack) if the code ever takes the address of
        those stack variables.  Unfortunately, this is a common idiom that we use to
        compute the approximate stack pointer value.  As a result, on such ASAN runs, the
        computed approximate stack pointer value will point into the heap instead of the
        stack.  This breaks the VM's expectations and wreaks havoc.

        To fix this, we use the newly introduced WTF::currentStackPointer() instead of
        taking the address of stack variables.

        We also need to enhance ExceptionScopes to be able to work with ASAN
        detect_stack_use_after_return which will allocate the scope in the heap.  We
        work around this by passing the current stack pointer of the instantiating calling
        frame into the scope constructor, and using that for the position check in
        ~ThrowScope() instead.

        The above is only a start towards enabling ASAN detect_stack_use_after_return on
        the VM.  There are still other issues to be resolved before we can run with this
        ASAN option.

        * runtime/CatchScope.h:
        * runtime/ExceptionEventLocation.h:
        (JSC::ExceptionEventLocation::ExceptionEventLocation):
        * runtime/ExceptionScope.h:
        (JSC::ExceptionScope::stackPosition const):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/ThrowScope.cpp:
        (JSC::ThrowScope::~ThrowScope):
        * runtime/ThrowScope.h:
        * runtime/VM.h:
        (JSC::VM::needExceptionCheck const):
        (JSC::VM::isSafeToRecurse const):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
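
An added example, not WTF or JSC code, modelling the two points in this entry: the address-of-a-local idiom that ASan's fake stack turns into a heap address, a compiler-builtin stand-in for WTF::currentStackPointer() (whose real implementation is not reproduced here), and a toy scope that receives the instantiating frame's stack pointer from its caller rather than deriving it from `this`. It assumes GCC or Clang and a downward-growing stack; ToyVM, ToyScope and the function names are the example's own.

```cpp
#include <cstdint>

// The idiom the entry describes: take the address of a local and use it as an
// approximation of the stack pointer. Under ASan's detect_stack_use_after_return
// the local is placed on a heap-allocated "fake stack" precisely because its
// address is taken, so the returned value points into the heap.
uintptr_t approximateStackPointerViaLocal() {
    volatile char marker = 0;
    return reinterpret_cast<uintptr_t>(&marker);
}

// Portable stand-in for the replacement: the frame address comes from the
// compiler, not from a local whose storage ASan may relocate. Assumes GCC/Clang.
uintptr_t currentStackPointerApprox() {
    return reinterpret_cast<uintptr_t>(__builtin_frame_address(0));
}

struct ToyScope;

// Minimal stand-in for the VM's record of the innermost live scope.
struct ToyVM {
    const ToyScope* topScope = nullptr;
};

// Toy model of the ExceptionScope change: the scope object itself may live on
// ASan's fake stack, so its position is not derived from `this`; the caller
// passes in the stack pointer of the frame that instantiates the scope.
struct ToyScope {
    ToyScope(ToyVM& vm, uintptr_t stackPosition)
        : m_vm(vm), m_previous(vm.topScope), m_stackPosition(stackPosition) {
        vm.topScope = this;
    }
    ~ToyScope() { m_vm.topScope = m_previous; }

    uintptr_t stackPosition() const { return m_stackPosition; }

    // The position check ~ThrowScope performs in spirit: with a downward-
    // growing stack, an inner scope must not sit above the scope it nests in.
    bool isOrderedBelowPrevious() const {
        return !m_previous || m_stackPosition <= m_previous->stackPosition();
    }

    ToyVM& m_vm;
    const ToyScope* m_previous;
    uintptr_t m_stackPosition;
};

// A callee that opens a nested scope with its own frame's stack pointer and
// reports whether the ordering check holds while it is the top scope.
bool nestedScopeIsOrdered(ToyVM& vm) {
    ToyScope inner(vm, currentStackPointerApprox());
    return inner.isOrderedBelowPrevious() && vm.topScope == &inner;
}
```

Built normally, approximateStackPointerViaLocal() and currentStackPointerApprox() return addresses a few bytes apart on the same thread stack; built with -fsanitize=address and run with ASAN_OPTIONS=detect_stack_use_after_return=1, the first one is expected to return an address in ASan's fake-stack region while the second still reports the real frame, which is the divergence the entry says breaks the VM's position checks. Passing the caller's stack pointer into the scope keeps the ordering check meaningful even when the scope object itself has been moved to the heap.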

2018-10-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: create special Network waterfall for media events
        https://bugs.webkit.org/show_bug.cgi?id=189773
        <rdar://problem/44626605>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOM.json:
        Add `didFireEvent` event that is fired when specific event listeners added by
        `InspectorInstrumentation::addEventListenersToNode` are fired.

2018-10-10  Michael Saboff  <msaboff@apple.com>

        Increase executable memory pool from 64MB to 128MB for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=190453

        Reviewed by Saam Barati.

        * jit/ExecutableAllocator.cpp:

2018-10-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: notify the frontend when a canvas has started recording via console.record
        https://bugs.webkit.org/show_bug.cgi?id=190306

        Reviewed by Brian Burg.

        * inspector/protocol/Canvas.json:
        Add `recordingStarted` event.

        * inspector/protocol/Recording.json:
        Add `Initiator` enum for determining who started the recording.

2018-10-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Rename createXXX to tryCreateXXX if it can return RefPtr
        https://bugs.webkit.org/show_bug.cgi?id=190429

        Reviewed by Saam Barati.

        Some createXXX functions can fail. But sometimes the caller does not perform error checking.
        To make it explicit that these functions can fail, we rename these functions from createXXX
        to tryCreateXXX. In this patch, we focus on non-JS-managed factory functions. If the factory
        function does not fail, it should return Ref<>. Otherwise, it should be named tryCreateXXX
        and it should return RefPtr<>.

        This patch mainly focuses on TypedArray factory functions. Previously, these functions were
        `RefPtr<XXXArray> create(...)`. This patch changes them to `RefPtr<XXXArray> tryCreate(...)`.
        And we also introduce a `Ref<XXXArray> create(...)` function which internally performs
        RELEASE_ASSERT on the result of `tryCreate(...)`.

        And we also convert OpaqueJSString::create to OpaqueJSString::tryCreate since it can fail.

        This change actually finds one place which does not perform any null checks while it uses
        a `RefPtr<> create(...)` function.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSClassRef.h:
        (StaticValueEntry::StaticValueEntry):
        * API/JSContext.mm:
        (-[JSContext evaluateScript:withSourceURL:]):
        (-[JSContext setName:]):
        * API/JSContextRef.cpp:
        (JSGlobalContextCopyName):
        (JSContextCreateBacktrace):
        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * API/JSScriptRef.cpp:
        * API/JSStringRef.cpp:
        (JSStringCreateWithCharactersNoCopy):
        * API/JSValue.mm:
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
        (+[JSValue valueWithNewErrorFromMessage:inContext:]):
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
        (performPropertyOperation):
        (-[JSValue invokeMethod:withArguments:]):
        (containerValueToObject):
        (objectToValueWithoutCopy):
        (objectToValue):
        * API/JSValueRef.cpp:
        (JSValueCreateJSONString):
        (JSValueToStringCopy):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::tryCreate):
        (OpaqueJSString::create): Deleted.
        * API/OpaqueJSString.h:
        * API/glib/JSCContext.cpp:
        (evaluateScriptInContext):
        * API/glib/JSCValue.cpp:
        (jsc_value_new_string_from_bytes):
        * ftl/FTLLazySlowPath.h:
        (JSC::FTL::LazySlowPath::createGenerator):
        * ftl/FTLLazySlowPathCall.h:
        (JSC::FTL::createLazyCallGenerator):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExitDescriptor::emitOSRExit):
        (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
        (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
        * ftl/FTLOSRExit.h:
        * ftl/FTLPatchpointExceptionHandle.cpp:
        (JSC::FTL::PatchpointExceptionHandle::create):
        (JSC::FTL::PatchpointExceptionHandle::createHandle):
        * ftl/FTLPatchpointExceptionHandle.h:
        * heap/EdenGCActivityCallback.h:
        (JSC::GCActivityCallback::tryCreateEdenTimer):
        (JSC::GCActivityCallback::createEdenTimer): Deleted.
        * heap/FullGCActivityCallback.h:
        (JSC::GCActivityCallback::tryCreateFullTimer):
        (JSC::GCActivityCallback::createFullTimer): Deleted.
        * heap/GCActivityCallback.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * inspector/AsyncStackTrace.cpp:
        (Inspector::AsyncStackTrace::create):
        * inspector/AsyncStackTrace.h:
        * jsc.cpp:
        (fillBufferWithContentsOfFile):
        * runtime/ArrayBuffer.h:
        * runtime/GenericTypedArrayView.h:
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::GenericTypedArrayView<Adaptor>::create):
        (JSC::GenericTypedArrayView<Adaptor>::tryCreate):
        (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
        (JSC::GenericTypedArrayView<Adaptor>::tryCreateUninitialized):
        (JSC::GenericTypedArrayView<Adaptor>::subarray const):
772         * runtime/JSArrayBufferView.cpp:
773         (JSC::JSArrayBufferView::possiblySharedImpl):
774         * runtime/JSGenericTypedArrayViewInlines.h:
775         (JSC::JSGenericTypedArrayView<Adaptor>::possiblySharedTypedImpl):
776         (JSC::JSGenericTypedArrayView<Adaptor>::unsharedTypedImpl):
777         * wasm/WasmMemory.cpp:
778         (JSC::Wasm::Memory::create):
779         (JSC::Wasm::Memory::tryCreate):
780         * wasm/WasmMemory.h:
781         * wasm/WasmTable.cpp:
782         (JSC::Wasm::Table::tryCreate):
783         (JSC::Wasm::Table::create): Deleted.
784         * wasm/WasmTable.h:
785         * wasm/js/JSWebAssemblyInstance.cpp:
786         (JSC::JSWebAssemblyInstance::create):
787         * wasm/js/JSWebAssemblyMemory.cpp:
788         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
789         * wasm/js/WebAssemblyMemoryConstructor.cpp:
790         (JSC::constructJSWebAssemblyMemory):
791         * wasm/js/WebAssemblyModuleRecord.cpp:
792         (JSC::WebAssemblyModuleRecord::link):
793         * wasm/js/WebAssemblyTableConstructor.cpp:
794         (JSC::constructJSWebAssemblyTable):
795
796 2018-10-09  Devin Rousso  <drousso@apple.com>
797
798         Web Inspector: show redirect requests in Network and Timelines tabs
799         https://bugs.webkit.org/show_bug.cgi?id=150005
800         <rdar://problem/5378164>
801
802         Reviewed by Joseph Pecoraro.
803
804         * inspector/protocol/Network.json:
805         Add missing fields to `ResourceTiming`.
806
807 2018-10-09  Claudio Saavedra  <csaavedra@igalia.com>
808
809         [WPE] Explicitly link against gmodule where used
810         https://bugs.webkit.org/show_bug.cgi?id=190398
811
812         Reviewed by Michael Catanzaro.
813
814         * PlatformWPE.cmake:
815
816 2018-10-08  Justin Fan  <justin_fan@apple.com>
817
818         WebGPU: Rename old WebGPU prototype to WebMetal
819         https://bugs.webkit.org/show_bug.cgi?id=190325
820         <rdar://problem/44990443>
821
822         Reviewed by Dean Jackson.
823
824         Rename WebGPU prototype files to WebMetal in preparation for implementing the new (Oct 2018) WebGPU interface.
825
826         * Configurations/FeatureDefines.xcconfig:
827         * inspector/protocol/Canvas.json:
828         * inspector/scripts/codegen/generator.py:
829
830 2018-10-08  Aditya Keerthi  <akeerthi@apple.com>
831
832         Make <input type=color> a runtime enabled (on-by-default) feature
833         https://bugs.webkit.org/show_bug.cgi?id=189162
834
835         Reviewed by Wenson Hsieh and Tim Horton.
836
837         * Configurations/FeatureDefines.xcconfig:
838
839 2018-10-08  Devin Rousso  <drousso@apple.com>
840
841         Web Inspector: group media network entries by the node that triggered the request
842         https://bugs.webkit.org/show_bug.cgi?id=189606
843         <rdar://problem/44438527>
844
845         Reviewed by Brian Burg.
846
847         * inspector/protocol/Network.json:
848         Add an optional `nodeId` field to the `Initiator` object that is set if it is possible to
849         determine which ancestor node triggered the load. It may not correspond directly to the node
850         with the href/src, as that URL may only be used by an ancestor for loading.
851
852 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
853
854         [JSC][Linux] Use non-truncated name for JIT workers in Linux
855         https://bugs.webkit.org/show_bug.cgi?id=190339
856
857         Reviewed by Mark Lam.
858
859         The current thread names are meaningless in the Linux environment. We do not want to
860         have a truncated name in Linux: we want to have a clear name in Linux. Instead, we
861         should have the name for Linux separately from the name used in the non-Linux
862         environments. This patch adds FTLWorker, DFGWorker, and JITWorker names for the
863         Linux environment.
864
865         * dfg/DFGWorklist.cpp:
866         (JSC::DFG::createWorklistName):
867         (JSC::DFG::Worklist::Worklist):
868         (JSC::DFG::Worklist::create):
869         (JSC::DFG::ensureGlobalDFGWorklist):
870         (JSC::DFG::ensureGlobalFTLWorklist):
871         * dfg/DFGWorklist.h:
872         * jit/JITWorklist.cpp:
873
874 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
875
876         Name Heap threads
877         https://bugs.webkit.org/show_bug.cgi?id=190337
878
879         Reviewed by Mark Lam.
880
881         Name heap threads as "Heap Helper Thread". In Linux, we name it "HeapHelper" since
882         Linux does not accept a name longer than 15 characters. We do not want to use the short name
883         for non-Linux environments. And we want to have a clear name in Linux: a truncated name
884         is not good. So, having the two names is the only way.
885
886         * heap/HeapHelperPool.cpp:
887         (JSC::heapHelperPool):
888
889 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
890
891         [JSC] Avoid creating ProgramExecutable in checkSyntax
892         https://bugs.webkit.org/show_bug.cgi?id=190332
893
894         Reviewed by Mark Lam.
895
896         uglify-js in web-tooling-benchmark executes a massive number of Function constructor calls.
897         In the Function constructor code, we perform checkSyntax for the body and parameters. So a fast checkSyntax
898         is important when the performance of the Function constructor matters. The current checkSyntax code
899         unnecessarily allocates a ProgramExecutable. This patch removes this allocation and improves
900         the benchmark score slightly.
901
902         Before:
903             uglify-js:  2.87 runs/s
904         After:
905             uglify-js:  2.94 runs/s
906
907         * runtime/Completion.cpp:
908         (JSC::checkSyntaxInternal):
909         (JSC::checkSyntax):
910         * runtime/ProgramExecutable.cpp:
911         (JSC::ProgramExecutable::checkSyntax): Deleted.
912         * runtime/ProgramExecutable.h:
913
914 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
915
916         [ESNext][BigInt] Implement support for "|"
917         https://bugs.webkit.org/show_bug.cgi?id=186229
918
919         Reviewed by Yusuke Suzuki.
920
921         This patch introduces support for BigInt in the bitwise "or" operator.
922         In addition, we also introduce 2 new DFG nodes, named "ArithBitOr" and
923         "ValueBitOr", to replace the "BitOr" node. The idea is to follow the
924         distinction that we make between Arith<op> and Value<op>, where ArithBitOr
925         handles cases when the operands are Int32 and ValueBitOr handles
926         the remaining cases.
927
928         We are also changing op_bitor to use ValueProfile. We use the
929         ValueProfile during DFG generation to emit "ArithBitOr" when
930         the outcome prediction is Int32.
931
932         * bytecode/CodeBlock.cpp:
933         (JSC::CodeBlock::finishCreation):
934         (JSC::CodeBlock::arithProfileForPC):
935         * bytecompiler/BytecodeGenerator.cpp:
936         (JSC::BytecodeGenerator::emitBinaryOp):
937         * dfg/DFGAbstractInterpreterInlines.h:
938         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
939         * dfg/DFGBackwardsPropagationPhase.cpp:
940         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
941         (JSC::DFG::BackwardsPropagationPhase::propagate):
942         * dfg/DFGByteCodeParser.cpp:
943         (JSC::DFG::ByteCodeParser::parseBlock):
944         * dfg/DFGClobberize.h:
945         (JSC::DFG::clobberize):
946         * dfg/DFGDoesGC.cpp:
947         (JSC::DFG::doesGC):
948         * dfg/DFGFixupPhase.cpp:
949         (JSC::DFG::FixupPhase::fixupNode):
950         * dfg/DFGNodeType.h:
951         * dfg/DFGOperations.cpp:
952         (JSC::DFG::bitwiseOp):
953         * dfg/DFGOperations.h:
954         * dfg/DFGPredictionPropagationPhase.cpp:
955         * dfg/DFGSafeToExecute.h:
956         (JSC::DFG::safeToExecute):
957         * dfg/DFGSpeculativeJIT.cpp:
958         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
959         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
960         * dfg/DFGSpeculativeJIT.h:
961         (JSC::DFG::SpeculativeJIT::bitOp):
962         * dfg/DFGSpeculativeJIT32_64.cpp:
963         (JSC::DFG::SpeculativeJIT::compile):
964         * dfg/DFGSpeculativeJIT64.cpp:
965         (JSC::DFG::SpeculativeJIT::compile):
966         * dfg/DFGStrengthReductionPhase.cpp:
967         (JSC::DFG::StrengthReductionPhase::handleNode):
968         * ftl/FTLCapabilities.cpp:
969         (JSC::FTL::canCompile):
970         * ftl/FTLLowerDFGToB3.cpp:
971         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
972         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
973         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitOr):
974         (JSC::FTL::DFG::LowerDFGToB3::compileBitOr): Deleted.
975         * jit/JITArithmetic.cpp:
976         (JSC::JIT::emit_op_bitor):
977         * llint/LowLevelInterpreter32_64.asm:
978         * llint/LowLevelInterpreter64.asm:
979         * runtime/CommonSlowPaths.cpp:
980         (JSC::SLOW_PATH_DECL):
981         * runtime/JSBigInt.cpp:
982         (JSC::JSBigInt::bitwiseAnd):
983         (JSC::JSBigInt::bitwiseOr):
984         (JSC::JSBigInt::absoluteBitwiseOp):
985         (JSC::JSBigInt::absoluteAddOne):
986         * runtime/JSBigInt.h:
987
988 2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
989
990         [JSC] Use new extra memory reporting in SparseArrayMap
991         https://bugs.webkit.org/show_bug.cgi?id=190278
992
993         Reviewed by Keith Miller.
994
995         This patch switches the extra memory reporting mechanism from deprecatedReportExtraMemory
996         to reportExtraMemoryAllocated & reportExtraMemoryVisited in SparseArrayMap.
997
998         * runtime/SparseArrayValueMap.cpp:
999         (JSC::SparseArrayValueMap::add):
1000         (JSC::SparseArrayValueMap::visitChildren):
1001
1002 2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1003
1004         [JSC][Linux] Support Perf JITDump logging
1005         https://bugs.webkit.org/show_bug.cgi?id=189893
1006
1007         Reviewed by Mark Lam.
1008
1009         This patch adds Linux `perf` command's JIT Dump support. It allows JSC to tell perf about JIT code information.
1010         We add a command line option, `--logJITCodeForPerf`, which dumps `jit-%pid.dump` in the current directory.
1011         By using this dump and perf.data output, we can annotate JIT code with profiling information.
1012
1013             $ echo "(function f() { var s = 0; for (var i = 0; i < 1000000000; i++) { s += i; } return s; })();" > test.js
1014             $ perf record -k mono ../../WebKitBuild/perf/Release/bin/jsc test.js --logJITCodeForPerf=true
1015             [ perf record: Woken up 1 times to write data ]
1016             [ perf record: Captured and wrote 0.182 MB perf.data (4346 samples) ]
1017             $ perf inject --jit -i perf.data -o perf.jit.data
1018             $ perf report -i perf.jit.data
1019
1020         * Sources.txt:
1021         * assembler/LinkBuffer.cpp:
1022         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
1023         * assembler/LinkBuffer.h:
1024         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1025         * assembler/PerfLog.cpp: Added.
1026         (JSC::PerfLog::singleton):
1027         (JSC::generateTimestamp):
1028         (JSC::getCurrentThreadID):
1029         (JSC::PerfLog::PerfLog):
1030         (JSC::PerfLog::write):
1031         (JSC::PerfLog::flush):
1032         (JSC::PerfLog::log):
1033         * assembler/PerfLog.h: Added.
1034         * jit/ExecutableAllocator.cpp:
1035         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1036         * runtime/Options.cpp:
1037         (JSC::Options::isAvailable):
1038         * runtime/Options.h:
1039
1040 2018-10-05  Mark Lam  <mark.lam@apple.com>
1041
1042         Gardening: Build fix after r236880.
1043         https://bugs.webkit.org/show_bug.cgi?id=190317
1044
1045         Unreviewed.
1046
1047         * jit/ExecutableAllocator.h:
1048
1049 2018-10-05  Mark Lam  <mark.lam@apple.com>
1050
1051         performJITMemcpy() should handle the case when the executable allocator is not initialized yet.
1052         https://bugs.webkit.org/show_bug.cgi?id=190317
1053         <rdar://problem/45039398>
1054
1055         Reviewed by Saam Barati.
1056
1057         When SeparatedWXHeaps is in use, jitWriteThunkGenerator() will call performJITMemcpy()
1058         to copy memory before the JIT fixed memory pool is initialized.  Before r236864,
1059         performJITMemcpy() would just do a memcpy in that case.  We need to restore the
1060         equivalent behavior.
1061
1062         * jit/ExecutableAllocator.cpp:
1063         (JSC::isJITPC):
1064         * jit/ExecutableAllocator.h:
1065         (JSC::performJITMemcpy):
1066
1067 2018-10-05  Carlos Eduardo Ramalho  <cadubentzen@gmail.com>
1068
1069         [WPE][JSC] Use Unified Sources for Platform-specific sources
1070         https://bugs.webkit.org/show_bug.cgi?id=190300
1071
1072         Reviewed by Yusuke Suzuki.
1073
1074         Currently the GTK port already uses Unified Sources with the same source files.
1075         As WPE has conditional code using gmodule, we need to add GLIB_GMODULE_LIBRARIES
1076         to the list of libraries to link with.
1077
1078         * PlatformWPE.cmake:
1079         * SourcesWPE.txt: Added.
1080         * shell/PlatformWPE.cmake:
1081
1082 2018-10-05  Mike Gorse  <mgorse@alum.wpi.edu>
1083
1084         [GTK] build fails with python 3 if LANG and LC_TYPE are unset
1085         https://bugs.webkit.org/show_bug.cgi?id=190258
1086
1087         Reviewed by Konstantin Tokarev.
1088
1089         * Scripts/cssmin.py: Set stdout to UTF-8 on python 3.
1090         * Scripts/generateIntlCanonicalizeLanguage.py: Open files with
1091           encoding=UTF-8 on Python 3.
1092         * yarr/generateYarrCanonicalizeUnicode: Ditto.
1093         * yarr/generateYarrUnicodePropertyTables.py: Ditto.
1094
1095 2018-10-04  Mark Lam  <mark.lam@apple.com>
1096
1097         Move start/EndOfFixedExecutableMemoryPool pointers into the FixedVMPoolExecutableAllocator object.
1098         https://bugs.webkit.org/show_bug.cgi?id=190295
1099         <rdar://problem/19197193>
1100
1101         Reviewed by Saam Barati.
1102
1103         This allows us to use the tagging logic already baked into MacroAssemblerCodePtr
1104         instead of needing to use our own custom version here.
1105
1106         * jit/ExecutableAllocator.cpp:
1107         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1108         (JSC::FixedVMPoolExecutableAllocator::memoryStart):
1109         (JSC::FixedVMPoolExecutableAllocator::memoryEnd):
1110         (JSC::FixedVMPoolExecutableAllocator::isJITPC):
1111         (JSC::ExecutableAllocator::allocate):
1112         (JSC::startOfFixedExecutableMemoryPoolImpl):
1113         (JSC::endOfFixedExecutableMemoryPoolImpl):
1114         (JSC::isJITPC):
1115         * jit/ExecutableAllocator.h:
1116
1117 2018-10-04  Mark Lam  <mark.lam@apple.com>
1118
1119         Disable Options::useWebAssemblyFastMemory() on Linux if ASAN signal handling is not disabled.
1120         https://bugs.webkit.org/show_bug.cgi?id=190283
1121         <rdar://problem/45015752>
1122
1123         Reviewed by Keith Miller.
1124
1125         * runtime/Options.cpp:
1126         (JSC::Options::initialize):
1127         * wasm/WasmFaultSignalHandler.cpp:
1128         (JSC::Wasm::enableFastMemory):
1129
1130 2018-10-03  Ross Kirsling  <ross.kirsling@sony.com>
1131
1132         [JSC] print() changes CRLF to CRCRLF on Windows
1133         https://bugs.webkit.org/show_bug.cgi?id=190228
1134
1135         Reviewed by Mark Lam.
1136
1137         * jsc.cpp:
1138         (main):
1139         Ultimately, this is just the normal behavior of printf in text mode on Windows.
1140         Since we're reading in files as binary, we need to be printing out as binary too
1141         (just as we do in DumpRenderTree and ImageDiff.)
1142
1143 2018-10-03  Saam barati  <sbarati@apple.com>
1144
1145         lowXYZ in FTLLower should always filter the type of the incoming edge
1146         https://bugs.webkit.org/show_bug.cgi?id=189939
1147         <rdar://problem/44407030>
1148
1149         Reviewed by Michael Saboff.
1150
1151         For example, the FTL may know more about data flow than AI in certain programs,
1152         and it needs to inform AI of these data flow properties to appease the assertion
1153         we have in AI that a node must perform type checks on its child nodes.
1154         
1155         For example, consider this program:
1156         
1157         ```
1158         bb#1
1159         a: Phi // Let's say it has an Int32 result, so it goes into the int32 hash table in FTLLower
1160         Branch(...,  #2, #3)
1161         
1162         bb#2
1163         ArrayifyToStructure(Cell:@a) // This modifies @a to have its previous type union the type of some structure set.
1164         Jump(#3)
1165         
1166         bb#3
1167         c: Add(Int32:@something, Int32:@a)
1168         ```
1169         
1170         When the Add node does lowInt32() for @a, FTL lower used to just grab it
1171         from the int32 hash table without filtering the AbstractValue. However,
1172         the parent node is asking for a type check to happen, so we must inform
1173         AI of this "type check" if we want to appease the assertion that all nodes
1174         perform type checks for their edges that semantically perform type checks.
1175         This patch makes it so we filter the AbstractValue in the lowXYZ even
1176         if FTLLower proved the value must be XYZ.
1177
1178         * ftl/FTLLowerDFGToB3.cpp:
1179         (JSC::FTL::DFG::LowerDFGToB3::compilePhi):
1180         (JSC::FTL::DFG::LowerDFGToB3::simulatedTypeCheck):
1181         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
1182         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
1183         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
1184
1185 2018-10-03  Michael Saboff  <msaboff@apple.com>
1186
1187         Command line jsc should report memory footprint in bytes
1188         https://bugs.webkit.org/show_bug.cgi?id=190267
1189
1190         Reviewed by Mark Lam.
1191
1192         Change to leave the footprint values from the system unmodified.
1193
1194         * jsc.cpp:
1195         (JSCMemoryFootprint::finishCreation):
1196
1197 2018-10-03  Mark Lam  <mark.lam@apple.com>
1198
1199         Suppress unreachable code warning for LLIntAssembly.h code.
1200         https://bugs.webkit.org/show_bug.cgi?id=190263
1201         <rdar://problem/44986532>
1202
1203         Reviewed by Saam Barati.
1204
1205         This is needed because LLIntAssembly.h is template generated from the LowLevelInterpreter
1206         asm files, and may contain dead code which is harmless, but will trip up the warning.
1207         We should suppress the warning so that it doesn't break builds.
1208
1209         * llint/LowLevelInterpreter.cpp:
1210         (JSC::CLoop::execute):
1211
1212 2018-10-03  Dan Bernstein  <mitz@apple.com>
1213
1214         JavaScriptCore part of [Xcode] Update some build settings as recommended by Xcode 10
1215         https://bugs.webkit.org/show_bug.cgi?id=190250
1216
1217         Reviewed by Alex Christensen.
1218
1219         * API/tests/Regress141275.mm:
1220         (-[JSTEvaluator _sourcePerform]): Addressed newly-enabled CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF
1221           by making the self-retaining explicit.
1222
1223         * API/tests/testapi.cpp:
1224         (testCAPIViaCpp): Addressed newly-enabled CLANG_WARN_UNREACHABLE_CODE by breaking out of the
1225           loop instead of returning from the lambda.
1226
1227         * Configurations/Base.xcconfig: Enabled CLANG_WARN_COMMA, CLANG_WARN_UNREACHABLE_CODE,
1228           CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS, CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF, and
1229           CLANG_ANALYZER_LOCALIZABILITY_NONLOCALIZED.
1230
1231         * JavaScriptCore.xcodeproj/project.pbxproj: Removed a duplicate reference to
1232           UnlinkedFunctionExecutable.h, and let Xcode update the project file.
1233
1234         * assembler/MacroAssemblerPrinter.cpp:
1235         (JSC::Printer::printAllRegisters): Addressed newly-enabled CLANG_WARN_COMMA by replacing
1236           some commas with semicolons.
1237
1238 2018-10-03  Mark Lam  <mark.lam@apple.com>
1239
1240         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1241         https://bugs.webkit.org/show_bug.cgi?id=190187
1242         <rdar://problem/42512909>
1243
1244         Reviewed by Michael Saboff.
1245
1246         Allowing different max string lengths at each level opens up opportunities for
1247         bugs to creep in.  With 2 different max length values, it is more difficult to
1248         keep the story straight on how we do overflow / bounds checks at each place in
1249         the code.  It's also difficult to tell if a seemingly valid check at the WTF level
1250         will have bad ramifications at the JSC level.  It's also not meaningful to
1251         support a max length > INT_MAX.  To eliminate this class of bugs, we'll
1252         standardize on a MaxLength of INT_MAX at all levels.
1253
1254         We'll also standardize the way we do length overflow checks on using
1255         CheckedArithmetic, and add some asserts to document the assumptions of the code.
1256
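The two points of this entry, a single MaxLength and CheckedArithmetic-style overflow checks, as an added example that is not WebKit code: a sticky-overflow adder computes a concatenated length and rejects anything that wraps or exceeds INT_MAX, beside the unchecked computation that wraps to 0 and sails through the same comparison. `CheckedLength`, `concatenatedLength` and `naiveConcatenatedLength` are made-up names.

```cpp
// Added example, not WebKit code: overflow-checked string-length arithmetic against
// a single MaxLength, in the spirit of the CheckedArithmetic-based checks the entry
// describes. CheckedLength, concatenatedLength and naiveConcatenatedLength are made up.
#include <climits>
#include <cstdint>
#include <cstdio>
#include <initializer_list>

// One limit for every layer: the most characters any string may hold.
static constexpr uint32_t MaxLength = INT_MAX;

// Minimal stand-in for WTF's Checked<>: a value with a sticky overflow flag.
// Once any step overflows, the result stays poisoned no matter what is added later.
struct CheckedLength {
    uint32_t value = 0;
    bool hasOverflowed = false;

    CheckedLength& operator+=(uint32_t rhs)
    {
        if (hasOverflowed || rhs > UINT32_MAX - value)
            hasOverflowed = true;
        else
            value += rhs;
        return *this;
    }
};

// Length of the concatenation of strings with the given lengths, or -1 if the
// sum overflows uint32_t or exceeds MaxLength.
int64_t concatenatedLength(std::initializer_list<uint32_t> lengths)
{
    CheckedLength total;
    for (uint32_t length : lengths)
        total += length;
    if (total.hasOverflowed || total.value > MaxLength)
        return -1;
    return total.value;
}

// The unchecked version of the same computation, kept only to show the failure
// mode: two INT_MAX-sized inputs plus 2 wrap to 0, which then passes the
// MaxLength comparison and would size a buffer far too small.
int64_t naiveConcatenatedLength(std::initializer_list<uint32_t> lengths)
{
    uint32_t total = 0;
    for (uint32_t length : lengths)
        total += length;  // silent modular wraparound
    if (total > MaxLength)
        return -1;
    return total;
}

int main()
{
    std::printf("checked 100 + 200         -> %lld\n", (long long)concatenatedLength({ 100, 200 }));                 // 300
    std::printf("checked INT_MAX + 1       -> %lld\n", (long long)concatenatedLength({ INT_MAX, 1 }));               // -1
    std::printf("checked INT_MAX*2 + 2     -> %lld\n", (long long)concatenatedLength({ INT_MAX, INT_MAX, 2 }));      // -1
    std::printf("naive   INT_MAX*2 + 2     -> %lld\n", (long long)naiveConcatenatedLength({ INT_MAX, INT_MAX, 2 })); // 0
    return 0;
}
```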
1257         * runtime/FunctionConstructor.cpp:
1258         (JSC::constructFunctionSkippingEvalEnabledCheck):
1259         - Fix OOM error handling which crashed a test after the new MaxLength was applied.
1260         * runtime/JSString.h:
1261         (JSC::JSString::finishCreation):
1262         (JSC::JSString::createHasOtherOwner):
1263         (JSC::JSString::setLength):
1264         * runtime/JSStringInlines.h:
1265         (JSC::jsMakeNontrivialString):
1266         * runtime/Operations.h:
1267         (JSC::jsString):
1268
1269 2018-10-03  Koby Boyango  <koby.b@mce-sys.com>
1270
1271         [JSC] Add a C++ callable overload of objectConstructorSeal
1272         https://bugs.webkit.org/show_bug.cgi?id=190137
1273
1274         Reviewed by Yusuke Suzuki.
1275
1276         * runtime/ObjectConstructor.cpp:
1277         * runtime/ObjectConstructor.h:
1278
1279 2018-10-02  Dominik Infuehr  <dinfuehr@igalia.com>
1280
1281         Fix Disassembler-output on ARM Thumb2
1282         https://bugs.webkit.org/show_bug.cgi?id=190203
1283
1284         On ARMv7 with Thumb2, addresses have bit 0 set to 1 to force
1285         execution in Thumb mode for jumps and calls. The actual machine
1286         instructions are still aligned to 2 bytes though. Use dataLocation() as
1287         the start address for disassembling since it unsets the Thumb bit.
1288         Until now the disassembler would start at the wrong address (off by 1),
1289         resulting in the wrong disassembled machine instructions.
1290
1291         Reviewed by Mark Lam.
1292
1293         * disassembler/CapstoneDisassembler.cpp:
1294         (JSC::tryToDisassemble):
1295
1296 2018-10-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1297
1298         [JSC] Add stub of ExecutableAllocator used when JIT is disabled
1299         https://bugs.webkit.org/show_bug.cgi?id=190215
1300
1301         Reviewed by Mark Lam.
1302
1303         When ENABLE(JIT) is disabled, we do not use JIT. But ExecutableAllocator is still available since
1304         it is guarded by ENABLE(ASSEMBLER). ENABLE(ASSEMBLER) is necessary for the LLInt ASM interpreter since
1305         our MacroAssembler provides machine architecture information. Eventually, we would like to decouple
1306         this machine architecture information from MacroAssembler. But for now, we use ENABLE(ASSEMBLER)
1307         for the LLInt ASM interpreter even if JIT is disabled by ENABLE(JIT).
1308
1309         To ensure that no executable memory allocation is done, we add a stub of ExecutableAllocator for
1310         non-JIT configurations. This does not have any functionality for allocating executable memory, thus
1311         any accidental operation cannot attempt to allocate executable memory if ENABLE(JIT) = OFF.
1312
1313         * jit/ExecutableAllocator.cpp:
1314         (JSC::ExecutableAllocator::initializeAllocator):
1315         (JSC::ExecutableAllocator::singleton):
1316         * jit/ExecutableAllocator.h:
1317         (JSC::ExecutableAllocator::isValid const):
1318         (JSC::ExecutableAllocator::underMemoryPressure):
1319         (JSC::ExecutableAllocator::memoryPressureMultiplier):
1320         (JSC::ExecutableAllocator::dumpProfile):
1321         (JSC::ExecutableAllocator::allocate):
1322         (JSC::ExecutableAllocator::isValidExecutableMemory):
1323         (JSC::ExecutableAllocator::committedByteCount):
1324         (JSC::ExecutableAllocator::getLock const):
1325         (JSC::performJITMemcpy):
1326
1327 2018-10-01  Dean Jackson  <dino@apple.com>
1328
1329         Remove CSS Animation Triggers
1330         https://bugs.webkit.org/show_bug.cgi?id=190175
1331         <rdar://problem/44925626>
1332
1333         Reviewed by Simon Fraser.
1334
1335         * Configurations/FeatureDefines.xcconfig:
1336
1337 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1338
1339         [BigInt] BigInt.prototype.toString is broken when radix is a power of 2
1340         https://bugs.webkit.org/show_bug.cgi?id=190033
1341
1342         Reviewed by Yusuke Suzuki.
1343
1344         The implementation of JSBigInt::toStringToGeneric doesn't handle a power
1345         of 2 radix when the JSBigInt length is >= 2. To handle such cases, we
1346         implemented JSBigInt::toStringBasePowerOfTwo, which follows the
1347         algorithm that groups bits using a mask of (2 ^ n) - 1 to extract every
1348         digit.
1349
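The bit-grouping conversion described above, as an added example that is not JavaScriptCore code: the magnitude is streamed least-significant digit first into a 64-bit window and peeled off `n` bits at a time with a `(2 ^ n) - 1` mask, so groups that straddle a digit boundary (the length >= 2 case) come out right. The little-endian `std::vector<uint32_t>` layout, `bitsPerChar` and `toStringBasePowerOfTwo` are this example's own choices, not JSBigInt's.

```cpp
// Added example, not JavaScriptCore code: power-of-two radix conversion over a
// multi-digit magnitude using the bit-grouping approach the entry describes.
// Little-endian vector<uint32_t> digits and all names are this example's own.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

using Digit = uint32_t;
static constexpr unsigned digitBits = 32;

// log2(radix) for radix in {2, 4, 8, 16, 32}; 0 means "not a supported power of two".
unsigned bitsPerChar(unsigned radix)
{
    if (radix < 2 || radix > 32 || (radix & (radix - 1)))
        return 0;
    unsigned bits = 0;
    while ((1u << bits) < radix)
        ++bits;
    return bits;
}

// Each output character is one group of `bits` bits of the magnitude, taken from
// the least significant end. Groups may straddle digit boundaries, which is the
// length >= 2 case the entry is about, so digits are fed through a 64-bit window.
std::string toStringBasePowerOfTwo(const std::vector<Digit>& digits, bool negative, unsigned radix)
{
    static const char charTable[] = "0123456789abcdefghijklmnopqrstuvwxyz";
    unsigned bits = bitsPerChar(radix);
    if (!bits)
        return "";  // radix this routine does not handle
    const Digit mask = (1u << bits) - 1;

    // Skip leading zero digits so the output carries no leading zeros.
    size_t length = digits.size();
    while (length && !digits[length - 1])
        --length;
    if (!length)
        return "0";

    // Exact output size: significant bits, rounded up to whole groups.
    unsigned topBits = 0;
    for (Digit top = digits[length - 1]; top; top >>= 1)
        ++topBits;
    size_t totalBits = (length - 1) * digitBits + topBits;
    size_t charCount = (totalBits + bits - 1) / bits;
    size_t signChars = negative ? 1 : 0;
    std::string result(charCount + signChars, '0');

    // `available` never exceeds digitBits + bits - 1 (< 64), so the window cannot overflow.
    uint64_t window = 0;
    unsigned available = 0;
    size_t nextDigit = 0;
    for (size_t pos = result.size(); pos > signChars; --pos) {
        if (available < bits && nextDigit < length) {
            window |= static_cast<uint64_t>(digits[nextDigit++]) << available;
            available += digitBits;
        }
        result[pos - 1] = charTable[window & mask];  // (2 ^ n) - 1 mask extracts one digit
        window >>= bits;
        available = available > bits ? available - bits : 0;
    }
    if (negative)
        result[0] = '-';
    return result;
}

int main()
{
    // 0x1FFFFFFFF needs two 32-bit digits; its hex and octal forms cross the digit boundary.
    std::vector<Digit> value = { 0xFFFFFFFFu, 0x1u };
    std::printf("hex:     %s\n", toStringBasePowerOfTwo(value, false, 16).c_str());            // 1ffffffff
    std::printf("octal:   %s\n", toStringBasePowerOfTwo(value, false, 8).c_str());             // 77777777777
    std::printf("neg b32: %s\n", toStringBasePowerOfTwo({ 0xFFFFFFFFu }, true, 32).c_str());   // -3vvvvvv
    return 0;
}
```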
1350         * runtime/JSBigInt.cpp:
1351         (JSC::JSBigInt::toString):
1352         (JSC::JSBigInt::toStringBasePowerOfTwo):
1353         * runtime/JSBigInt.h:
1354
1355 2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1356
1357         [JSC] Add branchIfNaN and branchIfNotNaN
1358         https://bugs.webkit.org/show_bug.cgi?id=190122
1359
1360         Reviewed by Mark Lam.
1361
1362         Add AssemblyHelpers::{branchIfNaN, branchIfNotNaN} to make code more readable.
1363
1364         * dfg/DFGSpeculativeJIT.cpp:
1365         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1366         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1367         (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
1368         (JSC::DFG::SpeculativeJIT::compileSpread):
1369         (JSC::DFG::SpeculativeJIT::compileNewArray):
1370         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
1371         (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal):
1372         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1373         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1374         * dfg/DFGSpeculativeJIT32_64.cpp:
1375         (JSC::DFG::SpeculativeJIT::compile):
1376         * dfg/DFGSpeculativeJIT64.cpp:
1377         (JSC::DFG::SpeculativeJIT::compile):
1378         * jit/AssemblyHelpers.cpp:
1379         (JSC::AssemblyHelpers::purifyNaN):
1380         * jit/AssemblyHelpers.h:
1381         (JSC::AssemblyHelpers::branchIfNaN):
1382         (JSC::AssemblyHelpers::branchIfNotNaN):
1383         * jit/JITPropertyAccess.cpp:
1384         (JSC::JIT::emitGenericContiguousPutByVal):
1385         (JSC::JIT::emitDoubleLoad):
1386         (JSC::JIT::emitFloatTypedArrayGetByVal):
1387         * jit/JITPropertyAccess32_64.cpp:
1388         (JSC::JIT::emitGenericContiguousPutByVal):
1389         * wasm/js/JSToWasm.cpp:
1390         (JSC::Wasm::createJSToWasmWrapper):
1391
1392 2018-10-01  Mark Lam  <mark.lam@apple.com>
1393
1394         Function.toString() should also copy the source code of Functions that are class definitions.
1395         https://bugs.webkit.org/show_bug.cgi?id=190186
1396         <rdar://problem/44733360>
1397
1398         Reviewed by Saam Barati.
1399
1400         Previously, if the Function is a class definition, functionProtoFuncToString()
1401         would create a String using StringView::toStringWithoutCopying(), and use that
1402         String to make a JSString.  This is not a problem if the underlying SourceProvider
1403         (that backs the characters in that StringView) is immortal.  However, this is
1404         not always the case in practice.
1405
1406         This patch fixes this issue by changing functionProtoFuncToString() to create the
1407         String using StringView::toString() instead, which makes a copy of the underlying
1408         characters buffer.  This detaches the resultant JSString from the SourceProvider
1409         characters buffer that it was created from, and ensures that the underlying
1410         characters buffer of the string will be alive for the entire lifetime of the
1411         JSString.
1412
1413         * runtime/FunctionPrototype.cpp:
1414         (JSC::functionProtoFuncToString):
1415
1416 2018-10-01  Keith Miller  <keith_miller@apple.com>
1417
1418         Create a RELEASE_AND_RETURN macro for ExceptionScopes
1419         https://bugs.webkit.org/show_bug.cgi?id=190163
1420
1421         Reviewed by Mark Lam.
1422
1423         The new RELEASE_AND_RETURN does all the work for cases
1424         where you want to return the result of some expression
1425         without explicitly checking for an exception. This is
1426         much like the existing RETURN_IF_EXCEPTION macro.
1427
1428         * dfg/DFGOperations.cpp:
1429         (JSC::DFG::newTypedArrayWithSize):
1430         * interpreter/Interpreter.cpp:
1431         (JSC::eval):
1432         * jit/JITOperations.cpp:
1433         (JSC::getByVal):
1434         * jsc.cpp:
1435         (functionDollarAgentReceiveBroadcast):
1436         * llint/LLIntSlowPaths.cpp:
1437         (JSC::LLInt::setUpCall):
1438         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1439         (JSC::LLInt::varargsSetup):
1440         * profiler/ProfilerDatabase.cpp:
1441         (JSC::Profiler::Database::toJSON const):
1442         * runtime/AbstractModuleRecord.cpp:
1443         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1444         * runtime/ArrayConstructor.cpp:
1445         (JSC::constructArrayWithSizeQuirk):
1446         * runtime/ArrayPrototype.cpp:
1447         (JSC::getProperty):
1448         (JSC::fastJoin):
1449         (JSC::arrayProtoFuncToString):
1450         (JSC::arrayProtoFuncToLocaleString):
1451         (JSC::arrayProtoFuncJoin):
1452         (JSC::arrayProtoFuncPop):
1453         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1454         * runtime/BigIntConstructor.cpp:
1455         (JSC::toBigInt):
1456         * runtime/CommonSlowPaths.h:
1457         (JSC::CommonSlowPaths::opInByVal):
1458         * runtime/ConstructData.cpp:
1459         (JSC::construct):
1460         * runtime/DateConstructor.cpp:
1461         (JSC::dateParse):
1462         * runtime/DatePrototype.cpp:
1463         (JSC::dateProtoFuncToPrimitiveSymbol):
1464         * runtime/DirectArguments.h:
1465         * runtime/ErrorConstructor.cpp:
1466         (JSC::Interpreter::constructWithErrorConstructor):
1467         * runtime/ErrorPrototype.cpp:
1468         (JSC::errorProtoFuncToString):
1469         * runtime/ExceptionScope.h:
1470         * runtime/FunctionConstructor.cpp:
1471         (JSC::constructFunction):
1472         * runtime/FunctionPrototype.cpp:
1473         (JSC::functionProtoFuncToString):
1474         * runtime/GenericArgumentsInlines.h:
1475         (JSC::GenericArguments<Type>::defineOwnProperty):
1476         * runtime/GetterSetter.cpp:
1477         (JSC::callGetter):
1478         * runtime/IntlCollatorConstructor.cpp:
1479         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1480         * runtime/IntlCollatorPrototype.cpp:
1481         (JSC::IntlCollatorFuncCompare):
1482         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1483         * runtime/IntlDateTimeFormatConstructor.cpp:
1484         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1485         * runtime/IntlDateTimeFormatPrototype.cpp:
1486         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1487         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
1488         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1489         * runtime/IntlNumberFormatConstructor.cpp:
1490         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1491         * runtime/IntlNumberFormatPrototype.cpp:
1492         (JSC::IntlNumberFormatFuncFormatNumber):
1493         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
1494         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1495         * runtime/IntlObject.cpp:
1496         (JSC::intlNumberOption):
1497         * runtime/IntlObjectInlines.h:
1498         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1499         * runtime/IntlPluralRules.cpp:
1500         (JSC::IntlPluralRules::resolvedOptions):
1501         * runtime/IntlPluralRulesConstructor.cpp:
1502         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
1503         * runtime/IntlPluralRulesPrototype.cpp:
1504         (JSC::IntlPluralRulesPrototypeFuncSelect):
1505         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
1506         * runtime/JSArray.cpp:
1507         (JSC::JSArray::defineOwnProperty):
1508         (JSC::JSArray::put):
1509         (JSC::JSArray::setLength):
1510         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1511         * runtime/JSArrayBufferPrototype.cpp:
1512         (JSC::arrayBufferProtoGetterFuncByteLength):
1513         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
1514         * runtime/JSArrayInlines.h:
1515         (JSC::toLength):
1516         * runtime/JSBoundFunction.cpp:
1517         (JSC::boundFunctionCall):
1518         (JSC::boundFunctionConstruct):
1519         * runtime/JSCJSValue.cpp:
1520         (JSC::JSValue::putToPrimitive):
1521         * runtime/JSCJSValueInlines.h:
1522         (JSC::JSValue::toIndex const):
1523         (JSC::JSValue::toPropertyKey const):
1524         (JSC::JSValue::get const):
1525         (JSC::JSValue::getPropertySlot const):
1526         (JSC::JSValue::getOwnPropertySlot const):
1527         (JSC::JSValue::equalSlowCaseInline):
1528         * runtime/JSDataView.cpp:
1529         (JSC::JSDataView::put):
1530         (JSC::JSDataView::defineOwnProperty):
1531         * runtime/JSFunction.cpp:
1532         (JSC::JSFunction::put):
1533         (JSC::JSFunction::defineOwnProperty):
1534         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1535         (JSC::constructGenericTypedArrayViewWithArguments):
1536         (JSC::constructGenericTypedArrayView):
1537         * runtime/JSGenericTypedArrayViewInlines.h:
1538         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1539         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1540         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1541         (JSC::speciesConstruct):
1542         (JSC::genericTypedArrayViewProtoFuncJoin):
1543         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1544         * runtime/JSGlobalObject.cpp:
1545         (JSC::JSGlobalObject::put):
1546         * runtime/JSGlobalObjectFunctions.cpp:
1547         (JSC::decode):
1548         (JSC::globalFuncEval):
1549         (JSC::globalFuncProtoGetter):
1550         * runtime/JSInternalPromise.cpp:
1551         (JSC::JSInternalPromise::then):
1552         * runtime/JSModuleEnvironment.cpp:
1553         (JSC::JSModuleEnvironment::put):
1554         * runtime/JSModuleLoader.cpp:
1555         (JSC::JSModuleLoader::provideFetch):
1556         (JSC::JSModuleLoader::loadAndEvaluateModule):
1557         (JSC::JSModuleLoader::loadModule):
1558         (JSC::JSModuleLoader::linkAndEvaluateModule):
1559         (JSC::JSModuleLoader::requestImportModule):
1560         (JSC::JSModuleLoader::getModuleNamespaceObject):
1561         (JSC::moduleLoaderRequestedModules):
1562         * runtime/JSONObject.cpp:
1563         (JSC::Stringifier::stringify):
1564         (JSC::Stringifier::toJSON):
1565         (JSC::Walker::walk):
1566         (JSC::JSONProtoFuncStringify):
1567         * runtime/JSObject.cpp:
1568         (JSC::ordinarySetSlow):
1569         (JSC::JSObject::putInlineSlow):
1570         (JSC::JSObject::toPrimitive const):
1571         (JSC::JSObject::hasInstance):
1572         (JSC::JSObject::toNumber const):
1573         (JSC::JSObject::defineOwnIndexedProperty):
1574         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1575         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1576         (JSC::JSObject::defineOwnNonIndexProperty):
1577         * runtime/JSObject.h:
1578         (JSC::JSObject::get const):
1579         * runtime/JSObjectInlines.h:
1580         (JSC::JSObject::getPropertySlot const):
1581         (JSC::JSObject::putInlineForJSObject):
1582         * runtime/MapConstructor.cpp:
1583         (JSC::constructMap):
1584         * runtime/NativeErrorConstructor.cpp:
1585         (JSC::Interpreter::constructWithNativeErrorConstructor):
1586         * runtime/ObjectConstructor.cpp:
1587         (JSC::constructObject):
1588         (JSC::objectConstructorGetPrototypeOf):
1589         (JSC::objectConstructorGetOwnPropertyDescriptor):
1590         (JSC::objectConstructorGetOwnPropertyDescriptors):
1591         (JSC::objectConstructorGetOwnPropertyNames):
1592         (JSC::objectConstructorGetOwnPropertySymbols):
1593         (JSC::objectConstructorKeys):
1594         (JSC::objectConstructorDefineProperty):
1595         (JSC::objectConstructorDefineProperties):
1596         (JSC::objectConstructorCreate):
1597         * runtime/ObjectPrototype.cpp:
1598         (JSC::objectProtoFuncToLocaleString):
1599         (JSC::objectProtoFuncToString):
1600         * runtime/Operations.cpp:
1601         (JSC::jsAddSlowCase):
1602         * runtime/Operations.h:
1603         (JSC::jsString):
1604         (JSC::jsLess):
1605         (JSC::jsLessEq):
1606         * runtime/ParseInt.h:
1607         (JSC::toStringView):
1608         * runtime/ProxyConstructor.cpp:
1609         (JSC::constructProxyObject):
1610         * runtime/ProxyObject.cpp:
1611         (JSC::ProxyObject::toStringName):
1612         (JSC::performProxyGet):
1613         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1614         (JSC::ProxyObject::performHasProperty):
1615         (JSC::ProxyObject::getOwnPropertySlotCommon):
1616         (JSC::ProxyObject::performPut):
1617         (JSC::ProxyObject::putByIndexCommon):
1618         (JSC::performProxyCall):
1619         (JSC::performProxyConstruct):
1620         (JSC::ProxyObject::performDelete):
1621         (JSC::ProxyObject::performPreventExtensions):
1622         (JSC::ProxyObject::performIsExtensible):
1623         (JSC::ProxyObject::performDefineOwnProperty):
1624         (JSC::ProxyObject::performSetPrototype):
1625         (JSC::ProxyObject::performGetPrototype):
1626         * runtime/ReflectObject.cpp:
1627         (JSC::reflectObjectConstruct):
1628         (JSC::reflectObjectDefineProperty):
1629         (JSC::reflectObjectGet):
1630         (JSC::reflectObjectGetOwnPropertyDescriptor):
1631         (JSC::reflectObjectGetPrototypeOf):
1632         (JSC::reflectObjectOwnKeys):
1633         (JSC::reflectObjectSet):
1634         * runtime/RegExpConstructor.cpp:
1635         (JSC::constructRegExp):
1636         * runtime/RegExpObject.cpp:
1637         (JSC::RegExpObject::defineOwnProperty):
1638         (JSC::RegExpObject::matchGlobal):
1639         * runtime/RegExpPrototype.cpp:
1640         (JSC::regExpProtoFuncTestFast):
1641         (JSC::regExpProtoFuncExec):
1642         (JSC::regExpProtoFuncToString):
1643         * runtime/ScriptExecutable.cpp:
1644         (JSC::ScriptExecutable::newCodeBlockFor):
1645         * runtime/SetConstructor.cpp:
1646         (JSC::constructSet):
1647         * runtime/SparseArrayValueMap.cpp:
1648         (JSC::SparseArrayValueMap::putEntry):
1649         (JSC::SparseArrayEntry::put):
1650         * runtime/StringConstructor.cpp:
1651         (JSC::stringFromCharCode):
1652         (JSC::stringFromCodePoint):
1653         * runtime/StringObject.cpp:
1654         (JSC::StringObject::put):
1655         (JSC::StringObject::putByIndex):
1656         (JSC::StringObject::defineOwnProperty):
1657         * runtime/StringPrototype.cpp:
1658         (JSC::jsSpliceSubstrings):
1659         (JSC::jsSpliceSubstringsWithSeparators):
1660         (JSC::removeUsingRegExpSearch):
1661         (JSC::replaceUsingRegExpSearch):
1662         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1663         (JSC::replaceUsingStringSearch):
1664         (JSC::repeatCharacter):
1665         (JSC::replace):
1666         (JSC::stringProtoFuncReplaceUsingRegExp):
1667         (JSC::stringProtoFuncReplaceUsingStringSearch):
1668         (JSC::stringProtoFuncSplitFast):
1669         (JSC::stringProtoFuncToLowerCase):
1670         (JSC::stringProtoFuncToUpperCase):
1671         (JSC::toLocaleCase):
1672         (JSC::trimString):
1673         (JSC::stringProtoFuncIncludes):
1674         (JSC::builtinStringIncludesInternal):
1675         (JSC::normalize):
1676         (JSC::stringProtoFuncNormalize):
1677         * runtime/SymbolPrototype.cpp:
1678         (JSC::symbolProtoFuncToString):
1679         (JSC::symbolProtoFuncValueOf):
1680         * tools/JSDollarVM.cpp:
1681         (WTF::functionWasmStreamingParserAddBytes):
1682         (JSC::functionGetPrivateProperty):
1683         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1684         (JSC::constructJSWebAssemblyCompileError):
1685         * wasm/js/WebAssemblyModuleConstructor.cpp:
1686         (JSC::constructJSWebAssemblyModule):
1687         (JSC::WebAssemblyModuleConstructor::createModule):
1688         * wasm/js/WebAssemblyTableConstructor.cpp:
1689         (JSC::constructJSWebAssemblyTable):
1690         * wasm/js/WebAssemblyWrapperFunction.cpp:
1691         (JSC::callWebAssemblyWrapperFunction):
1692
1693 2018-10-01  Koby Boyango  <koby.b@mce-sys.com>
1694
1695         [JSC] Add a JSONStringify overload that receives a JSValue space
1696         https://bugs.webkit.org/show_bug.cgi?id=190131
1697
1698         Reviewed by Yusuke Suzuki.
1699
1700         * runtime/JSONObject.cpp:
1701         * runtime/JSONObject.h:
1702
1703 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1704
1705         Unreviewed, rolling out r236647.
1706         https://bugs.webkit.org/show_bug.cgi?id=190124
1707
1708         Breaking test stress/big-int-to-string.js (Requested by
1709         caiolima_ on #webkit).
1710
1711         Reverted changeset:
1712
1713         "[BigInt] BigInt.prototype.toString is broken when radix is
1714         power of 2"
1715         https://bugs.webkit.org/show_bug.cgi?id=190033
1716         https://trac.webkit.org/changeset/236647
1717
1718 2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1719
1720         [WebAssembly] Move type conversion code of JSToWasm return type to JS wasm wrapper
1721         https://bugs.webkit.org/show_bug.cgi?id=189498
1722
1723         Reviewed by Saam Barati.
1724
1725         To call JS-to-Wasm code we need to convert the result value from the wasm function to
1726         the JS type. Previously this was done by callWebAssemblyFunction by using a switch
1727         over signature.returnType(). But since we know the value of `signature.returnType()`
1728         at the compiling phase, we can emit small conversion code directly into the JSToWasm glue
1729         and remove this switch from callWebAssemblyFunction.
1730
1731         In JSToWasm glue code, we do not have tag registers. So we use DoNotHaveTagRegisters
1732         in boxInt32 and boxDouble. Since boxDouble does not have a DoNotHaveTagRegisters version,
1733         we add an implementation for that.
1734
1735         * jit/AssemblyHelpers.h:
1736         (JSC::AssemblyHelpers::boxDouble):
1737         * wasm/js/JSToWasm.cpp:
1738         (JSC::Wasm::createJSToWasmWrapper):
1739         * wasm/js/WebAssemblyFunction.cpp:
1740         (JSC::callWebAssemblyFunction):
1741
1742 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1743
1744         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1745         https://bugs.webkit.org/show_bug.cgi?id=190033
1746
1747         Reviewed by Yusuke Suzuki.
1748
1749         The implementation of JSBigInt::toStringToGeneric doesn't handle power
1750         of 2 radix when JSBigInt length is >= 2. To handle such cases, we
1751         implemented JSBigInt::toStringBasePowerOfTwo that follows the
1752         algorithm that groups bits using mask of (2 ^ n) - 1 to extract every
1753         digit.
1754
1755         * runtime/JSBigInt.cpp:
1756         (JSC::JSBigInt::toString):
1757         (JSC::JSBigInt::toStringBasePowerOfTwo):
1758         * runtime/JSBigInt.h:
1759
1760 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1761
1762         [ESNext][BigInt] Implement support for "&"
1763         https://bugs.webkit.org/show_bug.cgi?id=186228
1764
1765         Reviewed by Yusuke Suzuki.
1766
1767         This patch introduces support of BigInt into the bitwise "&" operation.
1768         We are also introducing the ValueBitAnd DFG node, which is responsible
1769         for taking care of JIT for non-Int32 operands. With the introduction of this
1770         new node, we renamed the BitAnd node to ArithBitAnd. The ArithBitAnd
1771         follows the behavior of ArithAdd and other arithmetic nodes, where
1772         the Arith<op> version always results in a Number (in the case of
1773         ArithBitAnd, it is always an Int32).
1774
1775         * bytecode/CodeBlock.cpp:
1776         (JSC::CodeBlock::finishCreation):
1777         * bytecompiler/BytecodeGenerator.cpp:
1778         (JSC::BytecodeGenerator::emitBinaryOp):
1779         * dfg/DFGAbstractInterpreterInlines.h:
1780         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1781         * dfg/DFGBackwardsPropagationPhase.cpp:
1782         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
1783         (JSC::DFG::BackwardsPropagationPhase::propagate):
1784         * dfg/DFGByteCodeParser.cpp:
1785         (JSC::DFG::ByteCodeParser::parseBlock):
1786         * dfg/DFGClobberize.h:
1787         (JSC::DFG::clobberize):
1788         * dfg/DFGDoesGC.cpp:
1789         (JSC::DFG::doesGC):
1790         * dfg/DFGFixupPhase.cpp:
1791         (JSC::DFG::FixupPhase::fixupNode):
1792         * dfg/DFGNodeType.h:
1793         * dfg/DFGOperations.cpp:
1794         * dfg/DFGOperations.h:
1795         * dfg/DFGPredictionPropagationPhase.cpp:
1796         * dfg/DFGSafeToExecute.h:
1797         (JSC::DFG::safeToExecute):
1798         * dfg/DFGSpeculativeJIT.cpp:
1799         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
1800         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
1801         * dfg/DFGSpeculativeJIT.h:
1802         (JSC::DFG::SpeculativeJIT::bitOp):
1803         * dfg/DFGSpeculativeJIT32_64.cpp:
1804         (JSC::DFG::SpeculativeJIT::compile):
1805         * dfg/DFGSpeculativeJIT64.cpp:
1806         (JSC::DFG::SpeculativeJIT::compile):
1807         * dfg/DFGStrengthReductionPhase.cpp:
1808         (JSC::DFG::StrengthReductionPhase::handleNode):
1809         * ftl/FTLCapabilities.cpp:
1810         (JSC::FTL::canCompile):
1811         * ftl/FTLLowerDFGToB3.cpp:
1812         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1813         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
1814         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitAnd):
1815         (JSC::FTL::DFG::LowerDFGToB3::compileBitAnd): Deleted.
1816         * jit/JIT.h:
1817         * jit/JITArithmetic.cpp:
1818         (JSC::JIT::emitBitBinaryOpFastPath):
1819         (JSC::JIT::emit_op_bitand):
1820         * llint/LowLevelInterpreter32_64.asm:
1821         * llint/LowLevelInterpreter64.asm:
1822         * runtime/CommonSlowPaths.cpp:
1823         (JSC::SLOW_PATH_DECL):
1824         * runtime/JSBigInt.cpp:
1825         (JSC::JSBigInt::JSBigInt):
1826         (JSC::JSBigInt::initialize):
1827         (JSC::JSBigInt::createZero):
1828         (JSC::JSBigInt::createFrom):
1829         (JSC::JSBigInt::bitwiseAnd):
1830         (JSC::JSBigInt::absoluteBitwiseOp):
1831         (JSC::JSBigInt::absoluteAnd):
1832         (JSC::JSBigInt::absoluteOr):
1833         (JSC::JSBigInt::absoluteAndNot):
1834         (JSC::JSBigInt::absoluteAddOne):
1835         (JSC::JSBigInt::absoluteSubOne):
1836         * runtime/JSBigInt.h:
1837         * runtime/JSCJSValue.h:
1838         * runtime/JSCJSValueInlines.h:
1839         (JSC::JSValue::toBigIntOrInt32 const):
1840
1841 2018-09-28  Mark Lam  <mark.lam@apple.com>
1842
1843         Gardening: speculative build fix.
1844         <rdar://problem/44869924>
1845
1846         Not reviewed.
1847
1848         * assembler/LinkBuffer.cpp:
1849         (JSC::LinkBuffer::copyCompactAndLinkCode):
1850
1851 2018-09-28  Guillaume Emont  <guijemont@igalia.com>
1852
1853         [JSC] [Armv7] Add a copy function argument to MacroAssemblerARMv7::link() and pass it down to the assembler's linking functions.
1854         https://bugs.webkit.org/show_bug.cgi?id=190080
1855
1856         Reviewed by Mark Lam.
1857
1858         * assembler/ARMv7Assembler.h:
1859         (JSC::ARMv7Assembler::link):
1860         (JSC::ARMv7Assembler::linkJumpT1):
1861         (JSC::ARMv7Assembler::linkJumpT2):
1862         (JSC::ARMv7Assembler::linkJumpT3):
1863         (JSC::ARMv7Assembler::linkJumpT4):
1864         (JSC::ARMv7Assembler::linkConditionalJumpT4):
1865         (JSC::ARMv7Assembler::linkBX):
1866         (JSC::ARMv7Assembler::linkConditionalBX):
1867         * assembler/MacroAssemblerARMv7.h:
1868         (JSC::MacroAssemblerARMv7::link):
1869
1870 2018-09-27  Saam barati  <sbarati@apple.com>
1871
1872         Verify the contents of AssemblerBuffer on arm64e
1873         https://bugs.webkit.org/show_bug.cgi?id=190057
1874         <rdar://problem/38916630>
1875
1876         Reviewed by Mark Lam.
1877
1878         * assembler/ARM64Assembler.h:
1879         (JSC::ARM64Assembler::ARM64Assembler):
1880         (JSC::ARM64Assembler::fillNops):
1881         (JSC::ARM64Assembler::link):
1882         (JSC::ARM64Assembler::linkJumpOrCall):
1883         (JSC::ARM64Assembler::linkCompareAndBranch):
1884         (JSC::ARM64Assembler::linkConditionalBranch):
1885         (JSC::ARM64Assembler::linkTestAndBranch):
1886         (JSC::ARM64Assembler::unlinkedCode): Deleted.
1887         * assembler/ARMAssembler.h:
1888         (JSC::ARMAssembler::fillNops):
1889         * assembler/ARMv7Assembler.h:
1890         (JSC::ARMv7Assembler::unlinkedCode): Deleted.
1891         * assembler/AbstractMacroAssembler.h:
1892         (JSC::AbstractMacroAssembler::emitNops):
1893         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
1894         * assembler/AssemblerBuffer.h:
1895         (JSC::ARM64EHash::ARM64EHash):
1896         (JSC::ARM64EHash::update):
1897         (JSC::ARM64EHash::hash const):
1898         (JSC::ARM64EHash::randomSeed const):
1899         (JSC::AssemblerBuffer::AssemblerBuffer):
1900         (JSC::AssemblerBuffer::putShort):
1901         (JSC::AssemblerBuffer::putIntUnchecked):
1902         (JSC::AssemblerBuffer::putInt):
1903         (JSC::AssemblerBuffer::hash const):
1904         (JSC::AssemblerBuffer::data const):
1905         (JSC::AssemblerBuffer::putIntegralUnchecked):
1906         (JSC::AssemblerBuffer::append): Deleted.
1907         * assembler/LinkBuffer.cpp:
1908         (JSC::LinkBuffer::copyCompactAndLinkCode):
1909         * assembler/MIPSAssembler.h:
1910         (JSC::MIPSAssembler::fillNops):
1911         * assembler/MacroAssemblerARM64.h:
1912         (JSC::MacroAssemblerARM64::jumpsToLink):
1913         (JSC::MacroAssemblerARM64::link):
1914         (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
1915         * assembler/MacroAssemblerARMv7.h:
1916         (JSC::MacroAssemblerARMv7::jumpsToLink):
1917         (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
1918         * assembler/X86Assembler.h:
1919         (JSC::X86Assembler::fillNops):
1920
1921 2018-09-27  Mark Lam  <mark.lam@apple.com>
1922
1923         ByValInfo should not use integer offsets.
1924         https://bugs.webkit.org/show_bug.cgi?id=190070
1925         <rdar://problem/44803430>
1926
1927         Reviewed by Saam Barati.
1928
1929         Also moved some fields around to allow the ByValInfo struct to be more densely packed.
1930
1931         * bytecode/ByValInfo.h:
1932         (JSC::ByValInfo::ByValInfo):
1933         * jit/JIT.cpp:
1934         (JSC::JIT::link):
1935         * jit/JITOpcodes.cpp:
1936         (JSC::JIT::privateCompileHasIndexedProperty):
1937         * jit/JITOpcodes32_64.cpp:
1938         (JSC::JIT::privateCompileHasIndexedProperty):
1939         * jit/JITPropertyAccess.cpp:
1940         (JSC::JIT::privateCompileGetByVal):
1941         (JSC::JIT::privateCompileGetByValWithCachedId):
1942         (JSC::JIT::privateCompilePutByVal):
1943         (JSC::JIT::privateCompilePutByValWithCachedId):
1944
1945 2018-09-27  Saam barati  <sbarati@apple.com>
1946
1947         DFG::OSRExit::m_patchableCodeOffset should not be an int
1948         https://bugs.webkit.org/show_bug.cgi?id=190066
1949         <rdar://problem/39498244>
1950
1951         Reviewed by Mark Lam.
1952
1953         * dfg/DFGJITCompiler.cpp:
1954         (JSC::DFG::JITCompiler::linkOSRExits):
1955         (JSC::DFG::JITCompiler::link):
1956         * dfg/DFGOSRExit.cpp:
1957         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1958         (JSC::DFG::OSRExit::compileOSRExit):
1959         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
1960         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
1961         (JSC::DFG::OSRExit::correctJump): Deleted.
1962         * dfg/DFGOSRExit.h:
1963         * dfg/DFGOSRExitCompilationInfo.h:
1964
1965 2018-09-27  Saam barati  <sbarati@apple.com>
1966
1967         Don't use int offsets in StructureStubInfo
1968         https://bugs.webkit.org/show_bug.cgi?id=190064
1969         <rdar://problem/44784719>
1970
1971         Reviewed by Mark Lam.
1972
1973         * bytecode/InlineAccess.cpp:
1974         (JSC::linkCodeInline):
1975         * bytecode/StructureStubInfo.h:
1976         (JSC::StructureStubInfo::slowPathCallLocation):
1977         (JSC::StructureStubInfo::doneLocation):
1978         (JSC::StructureStubInfo::slowPathStartLocation):
1979         * jit/JITInlineCacheGenerator.cpp:
1980         (JSC::JITInlineCacheGenerator::finalize):
1981
1982 2018-09-27  Mark Lam  <mark.lam@apple.com>
1983
1984         DFG::OSREntry::m_machineCodeOffset should be a CodeLocation.
1985         https://bugs.webkit.org/show_bug.cgi?id=190054
1986         <rdar://problem/44803543>
1987
1988         Reviewed by Saam Barati.
1989
1990         * dfg/DFGJITCode.h:
1991         (JSC::DFG::JITCode::appendOSREntryData):
1992         * dfg/DFGJITCompiler.cpp:
1993         (JSC::DFG::JITCompiler::noticeOSREntry):
1994         * dfg/DFGOSREntry.cpp:
1995         (JSC::DFG::OSREntryData::dumpInContext const):
1996         (JSC::DFG::prepareOSREntry):
1997         * dfg/DFGOSREntry.h:
1998         * runtime/JSCPtrTag.h:
1999
2000 2018-09-27  Mark Lam  <mark.lam@apple.com>
2001
2002         JITMathIC should not use integer offsets into machine code.
2003         https://bugs.webkit.org/show_bug.cgi?id=190030
2004         <rdar://problem/44803307>
2005
2006         Reviewed by Saam Barati.
2007
2008         We'll replace them with CodeLocation smart pointers instead.
2009
2010         * jit/JITMathIC.h:
2011         (JSC::isProfileEmpty):
2012
2013 2018-09-26  Mark Lam  <mark.lam@apple.com>
2014
2015         Options::useSeparatedWXHeap() should always be false when ENABLE(FAST_JIT_PERMISSIONS) && CPU(ARM64E).
2016         https://bugs.webkit.org/show_bug.cgi?id=190022
2017         <rdar://problem/44800928>
2018
2019         Reviewed by Saam Barati.
2020
2021         * jit/ExecutableAllocator.cpp:
2022         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2023         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2024         * jit/ExecutableAllocator.h:
2025         (JSC::performJITMemcpy):
2026         * runtime/Options.cpp:
2027         (JSC::recomputeDependentOptions):
2028
2029 2018-09-26  Mark Lam  <mark.lam@apple.com>
2030
2031         Assert that performJITMemcpy() is always called with instruction size aligned addresses on ARM64.
2032         https://bugs.webkit.org/show_bug.cgi?id=190016
2033         <rdar://problem/44802875>
2034
2035         Reviewed by Saam Barati.
2036
2037         Also assert in performJITMemcpy() that the entire buffer to be copied will fit in
2038         JIT memory.
2039
2040         * assembler/ARM64Assembler.h:
2041         (JSC::ARM64Assembler::fillNops):
2042         (JSC::ARM64Assembler::replaceWithVMHalt):
2043         (JSC::ARM64Assembler::replaceWithJump):
2044         (JSC::ARM64Assembler::replaceWithLoad):
2045         (JSC::ARM64Assembler::replaceWithAddressComputation):
2046         (JSC::ARM64Assembler::setPointer):
2047         (JSC::ARM64Assembler::repatchInt32):
2048         (JSC::ARM64Assembler::repatchCompact):
2049         (JSC::ARM64Assembler::linkJumpOrCall):
2050         (JSC::ARM64Assembler::linkCompareAndBranch):
2051         (JSC::ARM64Assembler::linkConditionalBranch):
2052         (JSC::ARM64Assembler::linkTestAndBranch):
2053         * assembler/LinkBuffer.cpp:
2054         (JSC::LinkBuffer::copyCompactAndLinkCode):
2055         (JSC::LinkBuffer::linkCode):
2056         * jit/ExecutableAllocator.h:
2057         (JSC::performJITMemcpy):
2058
2059 2018-09-25  Keith Miller  <keith_miller@apple.com>
2060
2061         Move Symbol API to SPI
2062         https://bugs.webkit.org/show_bug.cgi?id=189946
2063
2064         Reviewed by Michael Saboff.
2065
2066         Some of the property access methods on JSValue needed to be moved
2067         to a category so that SPI overloads don't result in a compiler
2068         error for internal users.
2069
2070         Additionally, this patch does not move the new enum entry for
2071         Symbols in the JSType enumeration.
2072
2073         * API/JSObjectRef.h:
2074         * API/JSObjectRefPrivate.h:
2075         * API/JSValue.h:
2076         * API/JSValuePrivate.h:
2077         * API/JSValueRef.h:
2078
2079 2018-09-26  Keith Miller  <keith_miller@apple.com>
2080
2081         We should zero unused property storage when rebalancing array storage.
2082         https://bugs.webkit.org/show_bug.cgi?id=188151
2083
2084         Reviewed by Michael Saboff.
2085
2086         In unshiftCountSlowCase we sometimes will move property storage to the right even when net adding elements.
2087         This can happen because we "balance" the pre/post-capacity in that code so we need to zero the unused
2088         property storage.
2089
2090         * runtime/JSArray.cpp:
2091         (JSC::JSArray::unshiftCountSlowCase):
2092
2093 2018-09-26  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2094
2095         Unreviewed, add scope verification handling
2096         https://bugs.webkit.org/show_bug.cgi?id=189780
2097
2098         * runtime/ArrayPrototype.cpp:
2099         (JSC::arrayProtoFuncIndexOf):
2100         (JSC::arrayProtoFuncLastIndexOf):
2101
2102 2018-09-26  Koby Boyango  <koby.b@mce.systems>
2103
2104         [JSC] offlineasm parser should handle CRLF in asm files
2105         https://bugs.webkit.org/show_bug.cgi?id=189949
2106
2107         Reviewed by Mark Lam.
2108
2109         * offlineasm/parser.rb:
2110
2111 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2112
2113         [JSC] Optimize Array#lastIndexOf
2114         https://bugs.webkit.org/show_bug.cgi?id=189780
2115
2116         Reviewed by Saam Barati.
2117
2118         Optimize Array#lastIndexOf in the same way as Array#indexOf. We add a fast path
2119         for JSArray with contiguous storage.
2120
2121         * runtime/ArrayPrototype.cpp:
2122         (JSC::arrayProtoFuncLastIndexOf):
2123
2124 2018-09-25  Saam Barati  <sbarati@apple.com>
2125
2126         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2127         https://bugs.webkit.org/show_bug.cgi?id=189940
2128         <rdar://problem/43640987>
2129
2130         Reviewed by Mark Lam.
2131
2132         We were calling baselineCodeBlockForOriginAndBaselineCodeBlock with the FTL
2133         CodeBlock. There is nothing semantically wrong with doing that (except for
2134         poor naming), however, the poor naming here led us to make a real semantic
2135         mistake. We wanted the baseline CodeBlock's constant pool, but we were
2136         accessing the FTL CodeBlock's constant pool accidentally. We need to
2137         access the baseline CodeBlock's constant pool when we update the NewArrayBuffer
2138         constant value.
2139
2140         * bytecode/InlineCallFrame.h:
2141         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
2142         * ftl/FTLOperations.cpp:
2143         (JSC::FTL::operationMaterializeObjectInOSR):
2144
2145 2018-09-25  Joseph Pecoraro  <pecoraro@apple.com>
2146
2147         Web Inspector: Stricter block syntax in generated ObjC protocol interfaces
2148         https://bugs.webkit.org/show_bug.cgi?id=189962
2149         <rdar://problem/44648287>
2150
2151         Reviewed by Brian Burg.
2152
2153         * inspector/scripts/codegen/generate_objc_header.py:
2154         (ObjCHeaderGenerator._callback_block_for_command):
2155         If there are no return parameters include "void" in the block signature.
2156
2157         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2158         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2159         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2160         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2161         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2162         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2163         Rebaseline test results.
2164
2165 2018-09-24  Joseph Pecoraro  <pecoraro@apple.com>
2166
2167         Remove AUTHORS and THANKS files which are stale
2168         https://bugs.webkit.org/show_bug.cgi?id=189941
2169
2170         Reviewed by Darin Adler.
2171
2172         Included mentions below so their names are still in ChangeLogs.
2173
2174         * AUTHORS: Removed.
2175         Harri Porten (porten@kde.org) and Peter Kelly (pmk@post.com).
2176         These authors remain mentioned in copyrights in source files.
2177
2178         * THANKS: Removed.
2179         Richard Moore <rich@kde.org> - for filling the Math object with some life
2180         Daegeun Lee <realking@mizi.com> - for pointing out some bugs and providing much code for the String and Date object.
2181         Marco Pinelli <pinmc@libero.it> - for his patches
2182         Christian Kirsch <ck@held.mind.de> - for his contribution to the Date object
2183         
2184 2018-09-24  Fujii Hironori  <Hironori.Fujii@sony.com>
2185
2186         Rename WTF_COMPILER_GCC_OR_CLANG to WTF_COMPILER_GCC_COMPATIBLE
2187         https://bugs.webkit.org/show_bug.cgi?id=189733
2188
2189         Reviewed by Michael Catanzaro.
2190
2191         * assembler/ARM64Assembler.h:
2192         * assembler/ARMAssembler.h:
2193         (JSC::ARMAssembler::cacheFlush):
2194         * assembler/MacroAssemblerARM.cpp:
2195         (JSC::isVFPPresent):
2196         * assembler/MacroAssemblerARM64.cpp:
2197         * assembler/MacroAssemblerARMv7.cpp:
2198         * assembler/MacroAssemblerMIPS.cpp:
2199         * assembler/MacroAssemblerX86Common.cpp:
2200         * heap/HeapCell.cpp:
2201         * heap/HeapCell.h:
2202         * jit/HostCallReturnValue.h:
2203         * jit/JIT.h:
2204         * jit/JITOperations.cpp:
2205         * jit/ThunkGenerators.cpp:
2206         * runtime/ArrayConventions.cpp:
2207         (JSC::clearArrayMemset):
2208         * runtime/JSBigInt.cpp:
2209         (JSC::JSBigInt::digitDiv):
2210
2211 2018-09-24  Saam Barati  <sbarati@apple.com>
2212
2213         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2214         https://bugs.webkit.org/show_bug.cgi?id=189922
2215         <rdar://problem/44651275>
2216
2217         Reviewed by Mark Lam.
2218
2219         The implementation was first getting the length to iterate up to,
2220         then getting the starting index. However, getting the starting
2221         index may perform effects, e.g., it could change the length of the
2222         array. This changes it so we verify the length is still valid.
2223
2224         * runtime/ArrayPrototype.cpp:
2225         (JSC::arrayProtoFuncIndexOf):
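
        The Array#lastIndexOf fast path (bug 189780, entry above) and the
        Array.prototype.indexOf length re-check (bug 189922, this entry) are
        two faces of the same hazard: a contiguous-storage fast path reads the
        array length first, then converts fromIndex, and ToInteger(fromIndex)
        can run arbitrary user code (valueOf) that shrinks the array, so the
        cached length must not be trusted for raw butterfly reads. The
        JavaScript below is an added example, not code from WebKit or from
        these patches. It writes out the spec algorithm for indexOf and
        lastIndexOf as specIndexOf/specLastIndexOf (names chosen here),
        constructs a sample array and a fromIndex object whose valueOf()
        truncates that array (both made up for this example), and returns the
        host engine's answer next to the spec model's answer so the two can be
        compared on any engine. The spec answers (-1 for an element that no
        longer exists, 0 for the survivor at index 0) are exactly what a
        correct fast path must produce no matter what is left in the backing
        store.

```javascript
'use strict';

// Added example (not WebKit code). Reference models of
// Array.prototype.indexOf and Array.prototype.lastIndexOf written
// step-for-step after the ECMAScript algorithm. Note the ordering a fast
// path has to respect: "length" is read first, then fromIndex is
// converted, and that conversion can run user code (valueOf/toString)
// that resizes the array. The spec survives this because every element
// read is guarded by HasProperty (the `k in O` test below); an engine
// fast path that reads storage directly must re-validate the length
// after the conversion instead.

function toIntegerOrInfinity(value) {
  const n = Number(value); // invokes valueOf()/toString() on objects
  if (Number.isNaN(n)) return 0;
  return Math.trunc(n);
}

function specIndexOf(O, searchElement, fromIndex) {
  const len = O.length;                          // read before fromIndex
  if (len === 0) return -1;
  const n = fromIndex === undefined ? 0 : toIntegerOrInfinity(fromIndex);
  if (n === Infinity) return -1;
  let k = n >= 0 ? n : Math.max(len + n, 0);
  for (; k < len; k++) {
    if (k in O && O[k] === searchElement) return k; // HasProperty guard
  }
  return -1;
}

function specLastIndexOf(O, searchElement, fromIndex) {
  const len = O.length;
  if (len === 0) return -1;
  const n = fromIndex === undefined ? len - 1 : toIntegerOrInfinity(fromIndex);
  if (n === -Infinity) return -1;
  let k = n >= 0 ? Math.min(n, len - 1) : len + n;
  for (; k >= 0; k--) {
    if (k in O && O[k] === searchElement) return k;
  }
  return -1;
}

// A fromIndex whose conversion truncates `target` to a single element.
// This is the effect the ChangeLog entry is about: the array is five
// elements long when the engine reads its length and one element long
// by the time it starts scanning.
function shrinkingFromIndex(target, returnedIndex) {
  return {
    valueOf() {
      target.length = 1;
      return returnedIndex;
    },
  };
}

// Runs `method` ('indexOf' or 'lastIndexOf') with the shrinking fromIndex
// on a constructed sample array, once on the host engine and once on the
// spec model, and reports both answers plus the array length afterwards.
function probeShrinkingFromIndex(method, searchElement, returnedIndex) {
  const engineArray = [10, 20, 30, 40, 50];     // sample data, made up
  const engineResult = engineArray[method](
    searchElement, shrinkingFromIndex(engineArray, returnedIndex));

  const modelArray = [10, 20, 30, 40, 50];
  const model = method === 'indexOf' ? specIndexOf : specLastIndexOf;
  const modelResult = model(
    modelArray, searchElement, shrinkingFromIndex(modelArray, returnedIndex));

  return { engine: engineResult, model: modelResult, lengthAfter: engineArray.length };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [method, element, from] of [
    ['indexOf', 50, 0], ['indexOf', 10, 0],
    ['lastIndexOf', 50, 4], ['lastIndexOf', 10, 4],
  ]) {
    console.log(method, element, probeShrinkingFromIndex(method, element, from));
  }
}
```

        Running the file prints the four probes; on a correct engine the
        engine and model fields agree for every one of them (50 is gone, so
        -1; 10 survives at index 0, so 0) and lengthAfter is 1. If a fast
        path kept iterating to the stale length over direct storage reads,
        the indexOf(50) case is the one that would read past the new length.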
2226
2227 2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>
2228
2229         offlineasm: fix macro scoping
2230         https://bugs.webkit.org/show_bug.cgi?id=189902
2231
2232         Reviewed by Mark Lam.
2233
2234         In the code below, the reference to `f` in `g`, which should refer to
2235         the outer macro definition, will instead refer to the f argument of the
2236         anonymous macro passed to `g`. That leads to this code failing to
2237         compile (f expected 0 args but got 1).
2238         
2239         ```
2240         macro f(x)
2241             move x, t0
2242         end
2243         
2244         macro g(fn)
2245             fn(macro () f(42) end)
2246         end
2247         
2248         g(macro(f) f() end)
2249         ```
2250
2251         * offlineasm/ast.rb:
2252         * offlineasm/transform.rb:
2253
2254 2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>
2255
2256         Add forEach method for iterating CodeBlock's ValueProfiles
2257         https://bugs.webkit.org/show_bug.cgi?id=189897
2258
2259         Reviewed by Mark Lam.
2260
2261         Add method to abstract how we find ValueProfiles in a CodeBlock in
2262         preparation for https://bugs.webkit.org/show_bug.cgi?id=189785, when
2263         ValueProfiles will be stored in the MetadataTable.
2264
2265         * bytecode/CodeBlock.cpp:
2266         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2267         (JSC::CodeBlock::updateAllValueProfilePredictions):
2268         (JSC::CodeBlock::shouldOptimizeNow):
2269         (JSC::CodeBlock::dumpValueProfiles):
2270         * bytecode/CodeBlock.h:
2271         (JSC::CodeBlock::forEachValueProfile):
2272         (JSC::CodeBlock::numberOfArgumentValueProfiles):
2273         (JSC::CodeBlock::valueProfileForArgument):
2274         (JSC::CodeBlock::numberOfValueProfiles):
2275         (JSC::CodeBlock::valueProfile):
2276         (JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
2277         (JSC::CodeBlock::getFromAllValueProfiles): Deleted.
2278         * tools/HeapVerifier.cpp:
2279         (JSC::HeapVerifier::validateJSCell):
2280
2281 2018-09-24  Saam barati  <sbarati@apple.com>
2282
2283         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2284         https://bugs.webkit.org/show_bug.cgi?id=189682
2285         <rdar://problem/43557315>
2286
2287         Reviewed by Mark Lam.
2288
2289         Otherwise, if we have code like this:
2290         ```
2291         a: Arguments
2292         b: GetButterfly(@a)
2293         c: ForceExit
2294         d: GetArrayLength(@a, @b)
2295         ```
2296         it will get transformed into this invalid DFG IR:
2297         ```
2298         a: PhantomArguments
2299         b: Check(@a)
2300         c: ForceExit
2301         d: GetArrayLength(@a, @b)
2302         ```
2303         
2304         And we will fail DFG validation since @b does not have a result.
2305         
2306         The fix is to just remove all nodes after the ForceExit and plant an
2307         Unreachable after it. So the above code program will now turn into this:
2308         ```
2309         a: PhantomArguments
2310         b: Check(@a)
2311         c: ForceExit
2312         e: Unreachable
2313         ```
2314
2315         * dfg/DFGArgumentsEliminationPhase.cpp:
2316
2317 2018-09-22  Saam barati  <sbarati@apple.com>
2318
2319         The sampling should not use Strong<CodeBlock> in its machineLocation field
2320         https://bugs.webkit.org/show_bug.cgi?id=189319
2321
2322         Reviewed by Filip Pizlo.
2323
2324         The sampling profiler has a CLI mode where we gather information about inline
2325         call frames. That data structure was using a Strong<CodeBlock>. We were
2326         constructing this Strong<CodeBlock> during GC concurrently to processing all
2327         the Strong handles. This is a bug since we end up corrupting that data
2328         structure. This patch fixes this by just making this data structure use the
2329         sampling profiler's mechanism for holding onto and properly visiting heap pointers.
2330
2331         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2332         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2333         * runtime/SamplingProfiler.cpp:
2334         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2335
2336         (JSC::SamplingProfiler::reportTopFunctions):
2337         (JSC::SamplingProfiler::reportTopBytecodes):
2338         These CLI helpers needed a DeferGC otherwise we may end up deadlocking when we
2339         cause a GC to happen while already holding the sampling profiler's
2340         lock.
2341
2342 2018-09-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2343
2344         [JSC] Enable LLInt ASM interpreter on X64 and ARM64 in non JIT configuration
2345         https://bugs.webkit.org/show_bug.cgi?id=189778
2346
2347         Reviewed by Keith Miller.
2348
2349         The LLInt ASM interpreter is 2x and 15% faster than the CLoop interpreter on
2350         Linux and macOS respectively. We would like to enable it for non-JIT
2351         configurations on X86_64 and ARM64.
2352
2353         This patch enables LLInt for non-JIT builds on the X86_64 and ARM64 architectures.
2354         Previously, we switched between the LLInt ASM interpreter and CLoop by using the
2355         ENABLE(JIT) configuration. But that is wrong in the new scenario, since we now have
2356         a build configuration that uses the LLInt ASM interpreter while the JIT is disabled.
2357         We introduce the ENABLE(C_LOOP) option, which indicates that we use CLoop, and we
2358         replace ENABLE(JIT) with ENABLE(C_LOOP) wherever the previous ENABLE(JIT) was
2359         essentially only related to the LLInt ASM interpreter and not to the JIT.
2360
2361         We also replace some ENABLE(JIT) configurations with ENABLE(ASSEMBLER).
2362         ENABLE(ASSEMBLER) is now enabled even if we disable JIT since MacroAssembler
2363         has machine register information that is used in LLInt ASM interpreter.
2364
2365         * API/tests/PingPongStackOverflowTest.cpp:
2366         (testPingPongStackOverflow):
2367         * CMakeLists.txt:
2368         * JavaScriptCore.xcodeproj/project.pbxproj:
2369         * assembler/MaxFrameExtentForSlowPathCall.h:
2370         * bytecode/CallReturnOffsetToBytecodeOffset.h: Removed. It is no longer used.
2371         * bytecode/CodeBlock.cpp:
2372         (JSC::CodeBlock::finishCreation):
2373         * bytecode/CodeBlock.h:
2374         (JSC::CodeBlock::calleeSaveRegisters const):
2375         (JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters):
2376         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
2377         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
2378         * bytecode/Opcode.h:
2379         (JSC::padOpcodeName):
2380         * heap/Heap.cpp:
2381         (JSC::Heap::gatherJSStackRoots):
2382         (JSC::Heap::stopThePeriphery):
2383         * interpreter/CLoopStack.cpp:
2384         * interpreter/CLoopStack.h:
2385         * interpreter/CLoopStackInlines.h:
2386         * interpreter/EntryFrame.h:
2387         * interpreter/Interpreter.cpp:
2388         (JSC::Interpreter::Interpreter):
2389         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2390         * interpreter/Interpreter.h:
2391         * interpreter/StackVisitor.cpp:
2392         (JSC::StackVisitor::Frame::calleeSaveRegisters):
2393         * interpreter/VMEntryRecord.h:
2394         * jit/ExecutableAllocator.h:
2395         * jit/FPRInfo.h:
2396         (WTF::printInternal):
2397         * jit/GPRInfo.cpp:
2398         * jit/GPRInfo.h:
2399         (WTF::printInternal):
2400         * jit/HostCallReturnValue.cpp:
2401         (JSC::getHostCallReturnValueWithExecState): Moved. They are used in LLInt ASM interpreter too.
2402         * jit/HostCallReturnValue.h:
2403         * jit/JITOperations.cpp:
2404         (JSC::getHostCallReturnValueWithExecState): Deleted.
2405         * jit/JITOperationsMSVC64.cpp:
2406         * jit/Reg.cpp:
2407         * jit/Reg.h:
2408         * jit/RegisterAtOffset.cpp:
2409         * jit/RegisterAtOffset.h:
2410         * jit/RegisterAtOffsetList.cpp:
2411         * jit/RegisterAtOffsetList.h:
2412         * jit/RegisterMap.h:
2413         * jit/RegisterSet.cpp:
2414         * jit/RegisterSet.h:
2415         * jit/TempRegisterSet.cpp:
2416         * jit/TempRegisterSet.h:
2417         * llint/LLIntCLoop.cpp:
2418         * llint/LLIntCLoop.h:
2419         * llint/LLIntData.cpp:
2420         (JSC::LLInt::initialize):
2421         (JSC::LLInt::Data::performAssertions):
2422         * llint/LLIntData.h:
2423         * llint/LLIntOfflineAsmConfig.h:
2424         * llint/LLIntOpcode.h:
2425         * llint/LLIntPCRanges.h:
2426         * llint/LLIntSlowPaths.cpp:
2427         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2428         * llint/LLIntSlowPaths.h:
2429         * llint/LLIntThunks.cpp:
2430         * llint/LowLevelInterpreter.cpp:
2431         * llint/LowLevelInterpreter.h:
2432         * runtime/JSCJSValue.h:
2433         * runtime/MachineContext.h:
2434         * runtime/SamplingProfiler.cpp:
2435         (JSC::SamplingProfiler::processUnverifiedStackTraces): Enable SamplingProfiler
2436         for LLInt ASM interpreter with non JIT configuration.
2437         * runtime/TestRunnerUtils.cpp:
2438         (JSC::optimizeNextInvocation):
2439         * runtime/VM.cpp:
2440         (JSC::VM::VM):
2441         (JSC::VM::getHostFunction):
2442         (JSC::VM::updateSoftReservedZoneSize):
2443         (JSC::sanitizeStackForVM):
2444         (JSC::VM::committedStackByteCount):
2445         * runtime/VM.h:
2446         * runtime/VMInlines.h:
2447         (JSC::VM::ensureStackCapacityFor):
2448         (JSC::VM::isSafeToRecurseSoft const):
2449
2450 2018-09-21  Keith Miller  <keith_miller@apple.com>
2451
2452         Add Promise SPI
2453         https://bugs.webkit.org/show_bug.cgi?id=189809
2454
2455         Reviewed by Saam Barati.
2456
2457         The patch adds new SPI to create promises. It's mostly SPI because
2458         I want to see how internal users react to it before we make it
2459         public.
2460
2461         This patch adds a couple of new Obj-C SPI methods. The first
2462         creates a new promise using the same API that JS does where the
2463         user provides an executor callback. If an exception is raised
2464         in/to that callback the promise is automagically rejected. The
2465         other methods create a pre-resolved or rejected promise as this
2466         appears to be a common way to initialize a promise.
2467
2468         I was also considering adding a second version of executor API
2469         where it would catch specific Obj-C exceptions. This would work by
2470         taking a Class parameter and checking isKindOfClass: on the
2471         exception. I decided against this as nothing else in our API
2472         handles Obj-C exceptions. I'm pretty sure the VM will end up in a
2473         corrupt state if an Obj-C exception unwinds through JS frames.
2474
2475         This patch adds a new C function that will create a "deferred"
2476         promise. A deferred promise is a style of creating promise/futures
2477         where the resolve and reject functions are passed as outputs of a
2478         function. I went with this style for the C SPI because we don't have
2479         any concept of forwarding exceptions in the C API.
2480
2481         In order to make the C API work I refactored a bit of the promise code
2482         so that we can call a static method on JSDeferredPromise and just get
2483         the components without allocating an extra cell wrapper.
2484
2485         * API/JSContext.mm:
2486         (+[JSContext currentCallee]):
2487         * API/JSObjectRef.cpp:
2488         (JSObjectMakeDeferredPromise):
2489         * API/JSObjectRefPrivate.h:
2490         * API/JSValue.mm:
2491         (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
2492         (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
2493         (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
2494         * API/JSValuePrivate.h: Added.
2495         * API/JSVirtualMachine.mm:
2496         * API/JSVirtualMachinePrivate.h:
2497         * API/tests/testapi.c:
2498         (main):
2499         * API/tests/testapi.cpp:
2500         (APIContext::operator JSC::ExecState*):
2501         (TestAPI::failed const):
2502         (TestAPI::check):
2503         (TestAPI::basicSymbol):
2504         (TestAPI::symbolsTypeof):
2505         (TestAPI::symbolsGetPropertyForKey):
2506         (TestAPI::symbolsSetPropertyForKey):
2507         (TestAPI::symbolsHasPropertyForKey):
2508         (TestAPI::symbolsDeletePropertyForKey):
2509         (TestAPI::promiseResolveTrue):
2510         (TestAPI::promiseRejectTrue):
2511         (testCAPIViaCpp):
2512         (TestAPI::run): Deleted.
2513         * API/tests/testapi.mm:
2514         (testObjectiveCAPIMain):
2515         (promiseWithExecutor):
2516         (promiseRejectOnJSException):
2517         (promiseCreateResolved):
2518         (promiseCreateRejected):
2519         (parallelPromiseResolveTest):
2520         (testObjectiveCAPI):
2521         * JavaScriptCore.xcodeproj/project.pbxproj:
2522         * runtime/JSInternalPromiseDeferred.cpp:
2523         (JSC::JSInternalPromiseDeferred::create):
2524         * runtime/JSPromise.h:
2525         * runtime/JSPromiseConstructor.cpp:
2526         (JSC::constructPromise):
2527         * runtime/JSPromiseDeferred.cpp:
2528         (JSC::JSPromiseDeferred::createDeferredData):
2529         (JSC::JSPromiseDeferred::create):
2530         (JSC::JSPromiseDeferred::finishCreation):
2531         (JSC::newPromiseCapability): Deleted.
2532         * runtime/JSPromiseDeferred.h:
2533         (JSC::JSPromiseDeferred::promise const):
2534         (JSC::JSPromiseDeferred::resolve const):
2535         (JSC::JSPromiseDeferred::reject const):
2536
2537 2018-09-21  Ryan Haddad  <ryanhaddad@apple.com>
2538
2539         Unreviewed, rolling out r236359.
2540
2541         Broke the Windows build.
2542
2543         Reverted changeset:
2544
2545         "Add Promise SPI"
2546         https://bugs.webkit.org/show_bug.cgi?id=189809
2547         https://trac.webkit.org/changeset/236359
2548
2549 2018-09-21  Mark Lam  <mark.lam@apple.com>
2550
2551         JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState.
2552         https://bugs.webkit.org/show_bug.cgi?id=189855
2553         <rdar://problem/44680181>
2554
2555         Reviewed by Filip Pizlo.
2556
2557         tryGetValue() always passes a nullptr to JSRopeString::resolveRope() for the
2558         ExecState* argument.  This is intentional so that resolveRope() does not throw
2559         in the event of an OutOfMemory error.  Hence, JSRopeString::resolveRope() should
2560         get the VM from the cell instead of via the ExecState.
2561
2562         Also removed an obsolete and unused field in JSString.
2563
2564         * runtime/JSString.cpp:
2565         (JSC::JSRopeString::resolveRope const):
2566         (JSC::JSRopeString::outOfMemory const):
2567         * runtime/JSString.h:
2568         (JSC::JSString::tryGetValue const):
2569
2570 2018-09-21  Michael Saboff  <msaboff@apple.com>
2571
2572         Add functions to measure memory footprint to JSC
2573         https://bugs.webkit.org/show_bug.cgi?id=189768
2574
2575         Reviewed by Saam Barati.
2576
2577         Rolling this back in again.
2578
2579         Provide system memory metrics for the current process to aid in memory reduction measurement and
2580         tuning using native JS tests.
2581
2582         * jsc.cpp:
2583         (MemoryFootprint::now):
2584         (MemoryFootprint::resetPeak):
2585         (GlobalObject::finishCreation):
2586         (JSCMemoryFootprint::JSCMemoryFootprint):
2587         (JSCMemoryFootprint::createStructure):
2588         (JSCMemoryFootprint::create):
2589         (JSCMemoryFootprint::finishCreation):
2590         (JSCMemoryFootprint::addProperty):
2591         (functionResetMemoryPeak):
2592
2593 2018-09-21  Keith Miller  <keith_miller@apple.com>
2594
2595         Add Promise SPI
2596         https://bugs.webkit.org/show_bug.cgi?id=189809
2597
2598         Reviewed by Saam Barati.
2599
2600         The patch adds new SPI to create promises. It's mostly SPI because
2601         I want to see how internal users react to it before we make it
2602         public.
2603
2604         This patch adds a couple of new Obj-C SPI methods. The first
2605         creates a new promise using the same API that JS does where the
2606         user provides an executor callback. If an exception is raised
2607         in/to that callback the promise is automagically rejected. The
2608         other methods create a pre-resolved or rejected promise as this
2609         appears to be a common way to initialize a promise.
2610
2611         I was also considering adding a second version of executor API
2612         where it would catch specific Obj-C exceptions. This would work by
2613         taking a Class parameter and checking isKindOfClass: on the
2614         exception. I decided against this as nothing else in our API
2615         handles Obj-C exceptions. I'm pretty sure the VM will end up in a
2616         corrupt state if an Obj-C exception unwinds through JS frames.
2617
2618         This patch adds a new C function that will create a "deferred"
2619         promise. A deferred promise is a style of creating promise/futures
2620         where the resolve and reject functions are passed as outputs of a
2621         function. I went with this style for the C SPI because we don't have
2622         any concept of forwarding exceptions in the C API.
2623
2624         In order to make the C API work I refactored a bit of the promise code
2625         so that we can call a static method on JSDeferredPromise and just get
2626         the components without allocating an extra cell wrapper.
2627
2628         * API/JSContext.mm:
2629         (+[JSContext currentCallee]):
2630         * API/JSObjectRef.cpp:
2631         (JSObjectMakeDeferredPromise):
2632         * API/JSObjectRefPrivate.h:
2633         * API/JSValue.mm:
2634         (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
2635         (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
2636         (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
2637         * API/JSValuePrivate.h: Added.
2638         * API/JSVirtualMachine.mm:
2639         * API/JSVirtualMachinePrivate.h:
2640         * API/tests/testapi.c:
2641         (main):
2642         * API/tests/testapi.cpp:
2643         (APIContext::operator JSC::ExecState*):
2644         (TestAPI::failed const):
2645         (TestAPI::check):
2646         (TestAPI::basicSymbol):
2647         (TestAPI::symbolsTypeof):
2648         (TestAPI::symbolsGetPropertyForKey):
2649         (TestAPI::symbolsSetPropertyForKey):
2650         (TestAPI::symbolsHasPropertyForKey):
2651         (TestAPI::symbolsDeletePropertyForKey):
2652         (TestAPI::promiseResolveTrue):
2653         (TestAPI::promiseRejectTrue):
2654         (testCAPIViaCpp):
2655         (TestAPI::run): Deleted.
2656         * API/tests/testapi.mm:
2657         (testObjectiveCAPIMain):
2658         (promiseWithExecutor):
2659         (promiseRejectOnJSException):
2660         (promiseCreateResolved):
2661         (promiseCreateRejected):
2662         (parallelPromiseResolveTest):
2663         (testObjectiveCAPI):
2664         * JavaScriptCore.xcodeproj/project.pbxproj:
2665         * runtime/JSInternalPromiseDeferred.cpp:
2666         (JSC::JSInternalPromiseDeferred::create):
2667         * runtime/JSPromise.h:
2668         * runtime/JSPromiseConstructor.cpp:
2669         (JSC::constructPromise):
2670         * runtime/JSPromiseDeferred.cpp:
2671         (JSC::JSPromiseDeferred::createDeferredData):
2672         (JSC::JSPromiseDeferred::create):
2673         (JSC::JSPromiseDeferred::finishCreation):
2674         (JSC::newPromiseCapability): Deleted.
2675         * runtime/JSPromiseDeferred.h:
2676         (JSC::JSPromiseDeferred::promise const):
2677         (JSC::JSPromiseDeferred::resolve const):
2678         (JSC::JSPromiseDeferred::reject const):
2679
2680 2018-09-21  Truitt Savell  <tsavell@apple.com>
2681
2682         Rebaseline tests after changes in https://trac.webkit.org/changeset/236321/webkit
2683         https://bugs.webkit.org/show_bug.cgi?id=156674
2684
2685         Unreviewed Test Gardening
2686
2687         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2688         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2689
2690 2018-09-21  Mike Gorse  <mgorse@suse.com>
2691
2692         Build tools should work when the /usr/bin/python is python3
2693         https://bugs.webkit.org/show_bug.cgi?id=156674
2694
2695         Reviewed by Michael Catanzaro.
2696
2697         * Scripts/cssmin.py:
2698         * Scripts/generate-js-builtins.py:
2699         (do_open):
2700         (generate_bindings_for_builtins_files):
2701         * Scripts/generateIntlCanonicalizeLanguage.py:
2702         * Scripts/jsmin.py:
2703         (JavascriptMinify.minify.write):
2704         (JavascriptMinify):
2705         (JavascriptMinify.minify):
2706         * Scripts/make-js-file-arrays.py:
2707         (chunk):
2708         (main):
2709         * Scripts/wkbuiltins/__init__.py:
2710         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2711         (generate_section_for_global_private_code_name_macro):
2712         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_header.py:
2713         (BuiltinsInternalsWrapperHeaderGenerator.__init__):
2714         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:
2715         (BuiltinsInternalsWrapperImplementationGenerator.__init__):
2716         * Scripts/wkbuiltins/builtins_model.py:
2717         (BuiltinFunction.__lt__):
2718         (BuiltinsCollection.copyrights):
2719         (BuiltinsCollection._parse_functions):
2720         * disassembler/udis86/ud_opcode.py:
2721         (UdOpcodeTables.pprint.printWalk):
2722         * generate-bytecode-files:
2723         * inspector/scripts/codegen/__init__.py:
2724         * inspector/scripts/codegen/cpp_generator.py:
2725         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2726         (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
2727         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2728         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
2729         (CppBackendDispatcherHeaderGenerator.generate_output):
2730         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2731         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2732         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
2733         (CppBackendDispatcherImplementationGenerator.generate_output):
2734         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2735         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
2736         (CppFrontendDispatcherHeaderGenerator.generate_output):
2737         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2738         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
2739         (CppFrontendDispatcherImplementationGenerator.generate_output):
2740         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2741         (CppProtocolTypesHeaderGenerator.generate_output):
2742         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
2743         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2744         (CppProtocolTypesImplementationGenerator.generate_output):
2745         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
2746         (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods):
2747         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2748         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
2749         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
2750         * inspector/scripts/codegen/generate_js_backend_commands.py:
2751         (JSBackendCommandsGenerator.should_generate_domain):
2752         (JSBackendCommandsGenerator.domains_to_generate):
2753         (JSBackendCommandsGenerator.generate_output):
2754         (JSBackendCommandsGenerator.generate_domain):
2755         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2756         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
2757         (ObjCBackendDispatcherHeaderGenerator.generate_output):
2758         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2759         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
2760         (ObjCBackendDispatcherImplementationGenerator.generate_output):
2761         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
2762         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2763         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2764         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2765         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
2766         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2767         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2768         * inspector/scripts/codegen/generate_objc_header.py:
2769         (ObjCHeaderGenerator.generate_output):
2770         (ObjCHeaderGenerator._generate_type_interface):
2771         * inspector/scripts/codegen/generate_objc_internal_header.py:
2772         (ObjCInternalHeaderGenerator.generate_output):
2773         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2774         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
2775         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
2776         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2777         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
2778         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2779         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
2780         (ObjCProtocolTypesImplementationGenerator.generate_output):
2781         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
2782         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
2783         * inspector/scripts/codegen/generator.py:
2784         (Generator.non_supplemental_domains):
2785         (Generator.open_fields):
2786         (Generator.calculate_types_requiring_shape_assertions):
2787         (Generator._traverse_and_assign_enum_values):
2788         (Generator.stylized_name_for_enum_value):
2789         * inspector/scripts/codegen/models.py:
2790         (find_duplicates):
2791         * inspector/scripts/codegen/objc_generator.py:
2792         * wasm/generateWasm.py:
2793         (opcodeIterator):
2794         * yarr/generateYarrCanonicalizeUnicode:
2795         * yarr/generateYarrUnicodePropertyTables.py:
2796         * yarr/hasher.py:
2797         (stringHash):
2798
2799 2018-09-21  Tomas Popela  <tpopela@redhat.com>
2800
2801         [ARM] Build broken on armv7hl after r235517
2802         https://bugs.webkit.org/show_bug.cgi?id=189831
2803
2804         Reviewed by Yusuke Suzuki.
2805
2806         Add missing implementation of patchableBranch8() for traditional ARM.
2807
2808         * assembler/MacroAssemblerARM.h:
2809         (JSC::MacroAssemblerARM::patchableBranch8):
2810
2811 2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>
2812
2813         Unreviewed, rolling out r236293.
2814
2815         Internal build still broken.
2816
2817         Reverted changeset:
2818
2819         "Add functions to measure memory footprint to JSC"
2820         https://bugs.webkit.org/show_bug.cgi?id=189768
2821         https://trac.webkit.org/changeset/236293
2822
2823 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2824
2825         [JSC] Heap::reportExtraMemoryVisited shows contention if we have many JSString
2826         https://bugs.webkit.org/show_bug.cgi?id=189558
2827
2828         Reviewed by Mark Lam.
2829
2830         When running web-tooling-benchmark postcss test on Linux JSCOnly port, we get the following result in `perf report`.
2831
2832             10.95%  AutomaticThread  libJavaScriptCore.so.1.0.0  [.] JSC::Heap::reportExtraMemoryVisited
2833
2834         This is because postcss produces a bunch of JSStrings, which require reportExtraMemoryVisited calls in JSString::visitChildren.
2835         And since reportExtraMemoryVisited attempts to update an atomic counter, if we have a bunch of marking threads, it becomes super contended.
2836
2837         This patch reduces the frequency of updating the atomic counter. Each SlotVisitor has per-SlotVisitor m_extraMemorySize counter.
2838         And we propagate this value to the global atomic counter when rebalance happens.
2839
2840         We also reduce HeapCell::heap() access by using `vm.heap`.
2841
2842         * heap/SlotVisitor.cpp:
2843         (JSC::SlotVisitor::didStartMarking):
2844         (JSC::SlotVisitor::propagateExternalMemoryVisitedIfNecessary):
2845         (JSC::SlotVisitor::drain):
2846         (JSC::SlotVisitor::performIncrementOfDraining):
2847         * heap/SlotVisitor.h:
2848         * heap/SlotVisitorInlines.h:
2849         (JSC::SlotVisitor::reportExtraMemoryVisited):
2850         * runtime/JSString.cpp:
2851         (JSC::JSRopeString::resolveRopeToAtomicString const):
2852         (JSC::JSRopeString::resolveRope const):
2853         * runtime/JSString.h:
2854         (JSC::JSString::finishCreation):
2855         * wasm/js/JSWebAssemblyInstance.cpp:
2856         (JSC::JSWebAssemblyInstance::finishCreation):
2857         * wasm/js/JSWebAssemblyMemory.cpp:
2858         (JSC::JSWebAssemblyMemory::finishCreation):
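
        The batching scheme the entry above describes, as an illustrative example added
        to this ChangeLog (it is not JavaScriptCore code): each visitor keeps a plain local
        counter and folds it into the shared atomic only at rebalance points. The names
        SharedCounter, Visitor, runMarking and the instrumentation counter are invented here;
        the real SlotVisitor and Heap have different shapes.

```cpp
// Illustrative example, not JavaScriptCore code: a per-visitor counter folded
// into a shared atomic only at "rebalance" points, the pattern described for
// SlotVisitor::m_extraMemorySize. All names here are invented for the example.
#include <atomic>
#include <cstddef>

// Stands in for the Heap-wide atomic that every marking thread used to bump
// once per JSString. `atomicUpdates` is instrumentation so we can see how often
// the shared cache line is actually touched.
struct SharedCounter {
    std::atomic<size_t> extraMemory { 0 };
    std::atomic<size_t> atomicUpdates { 0 };
};

// One instance per marking thread. Reports go to a plain local field; the
// shared atomic is only hit when propagateIfNecessary() runs.
class Visitor {
public:
    explicit Visitor(SharedCounter& shared) : m_shared(shared) { }

    // Hot path: called once per visited object. No atomic operation here.
    void reportExtraMemoryVisited(size_t bytes) { m_local += bytes; }

    // Cold path: called at drain/rebalance boundaries and once at the end of
    // marking. Exactly one read-modify-write on the shared counter per batch.
    void propagateIfNecessary()
    {
        if (!m_local)
            return;
        m_shared.extraMemory.fetch_add(m_local, std::memory_order_relaxed);
        m_shared.atomicUpdates.fetch_add(1, std::memory_order_relaxed);
        m_local = 0;
    }

    size_t pendingLocal() const { return m_local; }

private:
    SharedCounter& m_shared;
    size_t m_local { 0 };
};

struct MarkingResult {
    size_t totalBytes;     // what the heap ends up believing was visited
    size_t atomicUpdates;  // how many times the shared atomic was modified
};

// Simulates `visitors` marking threads (run one after another here; the
// accounting is identical to running them concurrently), each visiting
// `objectsPerVisitor` objects of `bytesPerObject` and flushing every `batch`
// objects. batch == 1 reproduces the old "one atomic per object" behaviour.
MarkingResult runMarking(unsigned visitors, size_t objectsPerVisitor, size_t bytesPerObject, size_t batch)
{
    if (!batch)
        batch = 1;
    SharedCounter shared;
    for (unsigned v = 0; v < visitors; ++v) {
        Visitor visitor(shared);
        for (size_t i = 1; i <= objectsPerVisitor; ++i) {
            visitor.reportExtraMemoryVisited(bytesPerObject);
            if (i % batch == 0)
                visitor.propagateIfNecessary();
        }
        // The final flush is what keeps the design correct: anything still
        // pending locally must reach the heap, or it under-counts and
        // schedules the next collection too late.
        visitor.propagateIfNecessary();
    }
    return { shared.extraMemory.load(), shared.atomicUpdates.load() };
}

int main()
{
    // 8 visitors x 1000 objects x 64 bytes: same total either way,
    // but 80 atomic updates instead of 8000.
    MarkingResult batched = runMarking(8, 1000, 64, 100);
    MarkingResult unbatched = runMarking(8, 1000, 64, 1);
    return (batched.totalBytes == unbatched.totalBytes
        && batched.atomicUpdates < unbatched.atomicUpdates) ? 0 : 1;
}
```

        The thing to check in any such change is the final flush: if a visitor can
        exit draining with a non-zero local counter that is never propagated, the
        heap's view of extra memory drifts low and collections are scheduled late.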
2859
2860 2018-09-20  Michael Saboff  <msaboff@apple.com>
2861
2862         Add functions to measure memory footprint to JSC
2863         https://bugs.webkit.org/show_bug.cgi?id=189768
2864
2865         Reviewed by Saam Barati.
2866
2867         Rolling this back in.
2868
2869         Provide system memory metrics for the current process to aid in memory reduction measurement and
2870         tuning using native JS tests.
2871
2872         * jsc.cpp:
2873         (MemoryFootprint::now):
2874         (MemoryFootprint::resetPeak):
2875         (GlobalObject::finishCreation):
2876         (JSCMemoryFootprint::JSCMemoryFootprint):
2877         (JSCMemoryFootprint::createStructure):
2878         (JSCMemoryFootprint::create):
2879         (JSCMemoryFootprint::finishCreation):
2880         (JSCMemoryFootprint::addProperty):
2881         (functionResetMemoryPeak):
2882
2883 2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>
2884
2885         Unreviewed, rolling out r236235.
2886
2887         Breaks internal builds.
2888
2889         Reverted changeset:
2890
2891         "Add functions to measure memory footprint to JSC"
2892         https://bugs.webkit.org/show_bug.cgi?id=189768
2893         https://trac.webkit.org/changeset/236235
2894
2895 2018-09-20  Fujii Hironori  <Hironori.Fujii@sony.com>
2896
2897         [Win][Clang] JITMathIC.h: error: missing 'template' keyword prior to dependent template name 'retagged'
2898         https://bugs.webkit.org/show_bug.cgi?id=189730
2899
2900         Reviewed by Saam Barati.
2901
2902         Clang for Windows can't compile the workaround for an MSVC quirk in generateOutOfLine.
2903
2904         * jit/JITMathIC.h:
2905         (generateOutOfLine): Append "&& !COMPILER(CLANG)" to "#if COMPILER(MSVC)".
2906
2907 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2908
2909         [JSC] Optimize Array#indexOf in C++ runtime
2910         https://bugs.webkit.org/show_bug.cgi?id=189507
2911
2912         Reviewed by Saam Barati.
2913
2914         The C++ Array#indexOf runtime function takes so much time in the babylon benchmark in
2915         web-tooling-benchmark. While our DFG and FTL have Array#indexOf optimization
2916         and it is actually working well, C++ Array#indexOf is called a significant number
2917         of times before tiering up, and it takes 6.74% of jsc main thread samples according
2918         to the perf command on Linux. This is because C++ Array#indexOf is too generic and
2919         misses the chance to optimize JSArray cases.
2920
2921         This patch adds JSArray fast path for Array#indexOf. If we know that indexed
2922         access to the given JSArray is non-observable and indexing type is good for the fast
2923         path, we go to the fast path. This makes sampling of Array#indexOf 3.83% in
2924         babylon web-tooling-benchmark.
2925
2926         * runtime/ArrayPrototype.cpp:
2927         (JSC::arrayProtoFuncIndexOf):
2928         * runtime/JSArray.h:
2929         * runtime/JSArrayInlines.h:
2930         (JSC::JSArray::canDoFastIndexedAccess):
2931         (JSC::toLength):
2932         * runtime/JSCJSValueInlines.h:
2933         (JSC::JSValue::JSValue):
2934         * runtime/JSGlobalObject.h:
2935         * runtime/JSGlobalObjectInlines.h:
2936         (JSC::JSGlobalObject::isArrayPrototypeIndexedAccessFastAndNonObservable):
2937         (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
2938         * runtime/MathCommon.h:
2939         (JSC::canBeStrictInt32):
2940         (JSC::canBeInt32):
2941
2942 2018-09-19  Michael Saboff  <msaboff@apple.com>
2943
2944         Add functions to measure memory footprint to JSC
2945         https://bugs.webkit.org/show_bug.cgi?id=189768
2946
2947         Reviewed by Saam Barati.
2948
2949         Provide system memory metrics for the current process to aid in memory reduction measurement and
2950         tuning using native JS tests.
2951
2952         * jsc.cpp:
2953         (MemoryFootprint::now):
2954         (MemoryFootprint::resetPeak):
2955         (GlobalObject::finishCreation):
2956         (JSCMemoryFootprint::JSCMemoryFootprint):
2957         (JSCMemoryFootprint::createStructure):
2958         (JSCMemoryFootprint::create):
2959         (JSCMemoryFootprint::finishCreation):
2960         (JSCMemoryFootprint::addProperty):
2961         (functionResetMemoryPeak):
2962
2963 2018-09-19  Saam barati  <sbarati@apple.com>
2964
2965         CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code
2966         https://bugs.webkit.org/show_bug.cgi?id=189703
2967
2968         Reviewed by Mark Lam.
2969
2970         This fixes a crash that a TypeProfiler change revealed.
2971
2972         * dfg/DFGSpeculativeJIT64.cpp:
2973         (JSC::DFG::SpeculativeJIT::compile):
2974
2975 2018-09-19  Saam barati  <sbarati@apple.com>
2976
2977         AI rule for MultiPutByOffset executes its effects in the wrong order
2978         https://bugs.webkit.org/show_bug.cgi?id=189757
2979         <rdar://problem/43535257>
2980
2981         Reviewed by Michael Saboff.
2982
2983         The AI rule for MultiPutByOffset was executing effects in the wrong order.
2984         It first executed the transition effects and the effects on the base, and
2985         then executed the filtering effects on the value being stored. However, you
2986         can end up with the wrong type when the base and the value being stored
2987         are the same. E.g, in a program like `o.f = o`. These effects need to happen
2988         in the opposite order, modeling what happens in the runtime execution of
2989         MultiPutByOffset.
2990
2991         * dfg/DFGAbstractInterpreterInlines.h:
2992         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2993
2994 2018-09-18  Mark Lam  <mark.lam@apple.com>
2995
2996         Ensure that ForInContexts are invalidated if their loop local is over-written.
2997         https://bugs.webkit.org/show_bug.cgi?id=189571
2998         <rdar://problem/44402277>
2999
3000         Reviewed by Saam Barati.
3001
3002         Instead of hunting down every place in the BytecodeGenerator that potentially
3003         needs to invalidate an enclosing ForInContext (if one exists), we simply iterate
3004         the bytecode range of the loop body when the ForInContext is popped, and
3005         invalidate the context if we ever find the loop temp variable over-written.
3006
3007         This has 2 benefits:
3008         1. It ensures that every type of opcode that can write to the loop temp will be
3009            handled appropriately, not just the op_mov that we've hunted down.
3010         2. It avoids us having to check the BytecodeGenerator's m_forInContextStack
3011            every time we emit an op_mov (or other opcodes that can write to a local)
3012            even when we're not inside a for-in loop.
3013
3014         JSC benchmarks show that this change is performance neutral.
3015
3016         * bytecompiler/BytecodeGenerator.cpp:
3017         (JSC::BytecodeGenerator::pushIndexedForInScope):
3018         (JSC::BytecodeGenerator::popIndexedForInScope):
3019         (JSC::BytecodeGenerator::pushStructureForInScope):
3020         (JSC::BytecodeGenerator::popStructureForInScope):
3021         (JSC::ForInContext::finalize):
3022         (JSC::StructureForInContext::finalize):
3023         (JSC::IndexedForInContext::finalize):
3024         (JSC::BytecodeGenerator::invalidateForInContextForLocal): Deleted.
3025         * bytecompiler/BytecodeGenerator.h:
3026         (JSC::ForInContext::ForInContext):
3027         (JSC::ForInContext::bodyBytecodeStartOffset const):
3028         (JSC::StructureForInContext::StructureForInContext):
3029         (JSC::IndexedForInContext::IndexedForInContext):
3030         * bytecompiler/NodesCodegen.cpp:
3031         (JSC::PostfixNode::emitResolve):
3032         (JSC::PrefixNode::emitResolve):
3033         (JSC::ReadModifyResolveNode::emitBytecode):
3034         (JSC::AssignResolveNode::emitBytecode):
3035         (JSC::EmptyLetExpression::emitBytecode):
3036         (JSC::ForInNode::emitLoopHeader):
3037         (JSC::ForOfNode::emitBytecode):
3038         (JSC::BindingNode::bindValue const):
3039         (JSC::AssignmentElementNode::bindValue const):
3040         * runtime/CommonSlowPaths.cpp:
3041         (JSC::SLOW_PATH_DECL):
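
        The "scan the loop body when the context is popped" strategy from the entry
        above, as an illustrative example added to this ChangeLog (it is not the
        BytecodeGenerator's code). The toy instruction set, the Instruction and
        ForInContext shapes and the helper contextStillValidAfter are invented here;
        the point is that invalidation keys off any writer of the loop temp, not only a mov.

```cpp
// Illustrative example, not JavaScriptCore's BytecodeGenerator: on pop, scan the
// loop body's instruction range once and invalidate the ForInContext if anything
// wrote the loop temp. Opcodes, register numbering and class shapes are invented.
#include <cstddef>
#include <vector>

enum class Op { Mov, Add, GetByVal, Call, Jump };

struct Instruction {
    Op op;
    int dst;   // register written by this instruction, or -1 if it writes none
};

// Which opcodes write their `dst` register. Every opcode that can write a local
// is covered here, which is the whole point: not just Mov.
bool writesDst(const Instruction& insn)
{
    switch (insn.op) {
    case Op::Mov:
    case Op::Add:
    case Op::GetByVal:
    case Op::Call:
        return insn.dst >= 0;
    case Op::Jump:
        return false;
    }
    return false;
}

class ForInContext {
public:
    ForInContext(int loopTemp, size_t bodyStart)
        : m_loopTemp(loopTemp)
        , m_bodyStart(bodyStart)
    {
    }

    // Called when the context is popped: one pass over [bodyStart, bodyEnd).
    // Nothing emitted in the body has to remember to call back into us.
    void finalize(const std::vector<Instruction>& code, size_t bodyEnd)
    {
        for (size_t i = m_bodyStart; i < bodyEnd && i < code.size(); ++i) {
            if (writesDst(code[i]) && code[i].dst == m_loopTemp) {
                m_valid = false;
                return;
            }
        }
    }

    bool isValid() const { return m_valid; }

private:
    int m_loopTemp;
    size_t m_bodyStart;
    bool m_valid { true };
};

// Emits a loop header that assigns the temp, pushes a context, appends `body`,
// pops the context and reports whether it survived. The header write happens
// before bodyStart, so it is correctly not treated as an overwrite.
bool contextStillValidAfter(const std::vector<Instruction>& body, int loopTemp)
{
    std::vector<Instruction> code;
    code.push_back({ Op::Mov, loopTemp });
    ForInContext context(loopTemp, code.size());
    code.insert(code.end(), body.begin(), body.end());
    context.finalize(code, code.size());
    return context.isValid();
}
```

        A body that only reads the temp keeps the context; a body where a Call (or any
        other writer) targets the temp register invalidates it, without Call having
        needed its own special case in the emitter.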
3042
3043 2018-09-17  Devin Rousso  <drousso@apple.com>
3044
3045         Web Inspector: generate CSSKeywordCompletions from backend values
3046         https://bugs.webkit.org/show_bug.cgi?id=189041
3047
3048         Reviewed by Joseph Pecoraro.
3049
3050         * inspector/protocol/CSS.json:
3051         Include an optional `aliases` array and `inherited` boolean for `CSSPropertyInfo`.
3052
3053 2018-09-17  Saam barati  <sbarati@apple.com>
3054
3055         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3056         https://bugs.webkit.org/show_bug.cgi?id=189676
3057         <rdar://problem/39682897>
3058
3059         Reviewed by Michael Saboff.
3060
3061         Because the incoming value may be TDZ, CheckStructure may end up crashing.
3062         Since the Type Profile does not currently record TDZ values in any of its
3063         data structures, this is not a semantic change in how it will show you data.
3064         It just fixes crashes when we emit a CheckStructure and the incoming value
3065         is TDZ.
3066
3067         * dfg/DFGFixupPhase.cpp:
3068         (JSC::DFG::FixupPhase::fixupNode):
3069         * dfg/DFGNode.h:
3070         (JSC::DFG::Node::convertToCheckStructureOrEmpty):
3071
3072 2018-09-17  Darin Adler  <darin@apple.com>
3073
3074         Use OpaqueJSString rather than JSRetainPtr inside WebKit
3075         https://bugs.webkit.org/show_bug.cgi?id=189652
3076
3077         Reviewed by Saam Barati.
3078
3079         * API/JSCallbackObjectFunctions.h: Removed an unneeded include of
3080         JSStringRef.h.
3081
3082         * API/JSContext.mm:
3083         (-[JSContext evaluateScript:withSourceURL:]): Use OpaqueJSString::create rather
3084         than JSStringCreateWithCFString, simplifying the code and also obviating the
3085         need for explicit JSStringRelease.
3086         (-[JSContext setName:]): Ditto.
3087
3088         * API/JSStringRef.cpp:
3089         (JSStringIsEqualToUTF8CString): Use adoptRef rather than explicit JSStringRelease.
3090         It seems that additional optimization is possible, obviating the need to allocate
3091         an OpaqueJSString, but that's true almost everywhere else in this patch, too.
3092
3093         * API/JSValue.mm:
3094         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Use
3095         OpaqueJSString::create and adoptRef as appropriate.
3096         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
3097         (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Ditto.
3098         (performPropertyOperation): Ditto.
3099         (-[JSValue invokeMethod:withArguments:]): Ditto.
3100         (valueToObjectWithoutCopy): Ditto.
3101         (containerValueToObject): Ditto.
3102         (valueToString): Ditto.
3103         (objectToValueWithoutCopy): Ditto.
3104         (objectToValue): Ditto.
3105
3106 2018-09-08  Darin Adler  <darin@apple.com>
3107
3108         Streamline JSRetainPtr, fix leaks of JSString and JSGlobalContext
3109         https://bugs.webkit.org/show_bug.cgi?id=189455
3110
3111         Reviewed by Keith Miller.
3112
3113         * API/JSObjectRef.cpp:
3114         (OpaqueJSPropertyNameArray): Use Ref<OpaqueJSString> instead of
3115         JSRetainPtr<JSStringRef>.
3116         (JSObjectCopyPropertyNames): Remove now-unneeded use of leakRef and
3117         adopt constructor.
3118         (JSPropertyNameArrayGetNameAtIndex): Use ptr() instead of get() since
3119         the array elements are now Ref.
3120
3121         * API/JSRetainPtr.h: While JSRetainPtr is written as a template,
3122         it only works for two specific unrelated types, JSStringRef and
3123         JSGlobalContextRef. Simplified the default constructor using data
3124         member initialization. Prepared to make the adopt constructor private
3125         (got everything compiling that way, then made it public again so that
3126         Apple internal software will still build). Got rid of unneeded
3127         templated constructor and assignment operator, since they're not relevant
3128         given there is no inheritance between JSRetainPtr template types.
3129         Added WARN_UNUSED_RETURN to leakRef as in RefPtr and RetainPtr.
3130         Added move constructor and move assignment operator for slightly better
3131         performance. Simplified implementations of various member functions
3132         so they are more obviously correct, by using leakPtr in more of them
3133         and using std::exchange to make the flow of values more obvious.
3134
3135         * API/JSValue.mm:
3136         (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Added a
3137         missing JSStringRelease to fix a leak.
3138
3139         * API/tests/CustomGlobalObjectClassTest.c:
3140         (customGlobalObjectClassTest): Added a JSGlobalContextRelease to fix a leak.
3141         (globalObjectSetPrototypeTest): Ditto.
3142         (globalObjectPrivatePropertyTest): Ditto.
3143
3144         * API/tests/ExecutionTimeLimitTest.cpp:
3145         (testResetAfterTimeout): Added a call to JSStringRelease to fix a leak.
3146         (testExecutionTimeLimit): Ditto, lots more.
3147
3148         * API/tests/FunctionOverridesTest.cpp:
3149         (testFunctionOverrides): Added a call to JSStringRelease to fix a leak.
3150
3151         * API/tests/JSObjectGetProxyTargetTest.cpp:
3152         (testJSObjectGetProxyTarget): Added a call to JSGlobalContextRelease to fix
3153         a leak.
3154
3155         * API/tests/PingPongStackOverflowTest.cpp:
3156         (testPingPongStackOverflow): Added calls to JSGlobalContextRelease and
3157         JSStringRelease to fix leaks.
3158
3159         * API/tests/testapi.c:
3160         (throwException): Added. Helper function for repeated idiom where we want
3161         to throw an exception, but with additional JSStringRelease calls so we don't
3162         have to leak just to keep the code simpler to read.
3163         (MyObject_getProperty): Use throwException.
3164         (MyObject_setProperty): Ditto.
3165         (MyObject_deleteProperty): Ditto.
3166         (isValueEqualToString): Added. Helper function for an idiom where we check
3167         if something is a string and then if it's equal to a particular string
3168         constant, but a version that has an additional JSStringRelease call so we
3169         don't have to leak just to keep the code simpler to read.
3170         (MyObject_callAsFunction): Use isValueEqualToString and throwException.
3171         (MyObject_callAsConstructor): Ditto.
3172         (MyObject_hasInstance): Ditto.
3173         (globalContextNameTest): Added a JSGlobalContextRelease to fix a leak.
3174         (testMarkingConstraintsAndHeapFinalizers): Ditto.
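
        The ownership rules behind the leak fixes in the entry above (adopt a +1 from a
        Create function, retain a borrowed reference, hand a reference back with leakRef,
        transfer on move via std::exchange), as an illustrative example added to this
        ChangeLog. It is not JSRetainPtr itself: the refcounted handle FakeString, its
        Create/Retain/Release functions, the leak counter and the RetainPtr class here are
        all invented for the example.

```cpp
// Illustrative example, not JavaScriptCore's JSRetainPtr: a minimal retain
// pointer over an invented refcounted C-style handle, showing adopt vs. retain,
// a nodiscard leakRef, and move via std::exchange. Everything here is made up
// for the example; the leak counter exists only so the tests can observe leaks.
#include <cstddef>
#include <utility>

struct FakeString {
    unsigned refCount;
};

static size_t g_liveStrings = 0;  // handles currently alive (leak detector)

// Returns a +1 reference, like JSStringCreateWithUTF8CString does.
FakeString* FakeStringCreate()
{
    ++g_liveStrings;
    return new FakeString { 1 };
}
FakeString* FakeStringRetain(FakeString* s)
{
    if (s)
        ++s->refCount;
    return s;
}
void FakeStringRelease(FakeString* s)
{
    if (s && --s->refCount == 0) {
        --g_liveStrings;
        delete s;
    }
}

struct AdoptTag { };

template<typename T>
class RetainPtr {
public:
    RetainPtr() = default;
    // Retains: the caller still owns its own reference (borrowed pointer).
    explicit RetainPtr(T* ptr) : m_ptr(FakeStringRetain(ptr)) { }
    // Adopts: the caller hands us a +1 (Create/Copy functions).
    RetainPtr(AdoptTag, T* ptr) : m_ptr(ptr) { }
    RetainPtr(const RetainPtr& other) : m_ptr(FakeStringRetain(other.m_ptr)) { }
    RetainPtr(RetainPtr&& other) noexcept : m_ptr(std::exchange(other.m_ptr, nullptr)) { }
    ~RetainPtr() { FakeStringRelease(m_ptr); }

    RetainPtr& operator=(const RetainPtr& other) { RetainPtr copy(other); swap(copy); return *this; }
    RetainPtr& operator=(RetainPtr&& other) noexcept { RetainPtr moved(std::move(other)); swap(moved); return *this; }

    void swap(RetainPtr& other) noexcept { std::swap(m_ptr, other.m_ptr); }
    T* get() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
    // Gives the reference back to the caller, who must release it. Ignoring the
    // return value is a guaranteed leak, hence nodiscard (WARN_UNUSED_RETURN).
    [[nodiscard]] T* leakRef() { return std::exchange(m_ptr, nullptr); }

private:
    T* m_ptr { nullptr };
};

template<typename T>
RetainPtr<T> adoptRef(T* ptr) { return RetainPtr<T>(AdoptTag(), ptr); }

// How many handles a function leaves alive that it did not find alive.
long leakedBy(void (*f)())
{
    size_t before = g_liveStrings;
    f();
    return static_cast<long>(g_liveStrings) - static_cast<long>(before);
}

// The bug class the entry fixes: a Create call whose +1 is never released.
void leakyUse() { FakeString* s = FakeStringCreate(); (void)s; }
// Wrapping a +1 with the *retaining* constructor leaks too: refCount ends at 1.
void doubleRetainUse() { RetainPtr<FakeString> s(FakeStringCreate()); }
// Correct: adopt the +1; copies retain, moves transfer, destructors release.
void correctUse()
{
    auto s = adoptRef(FakeStringCreate());
    RetainPtr<FakeString> copy = s;
    RetainPtr<FakeString> moved = std::move(copy);
}
// Correct hand-off to C code: leakRef transfers ownership, C side releases.
void leakRefThenReleaseUse()
{
    auto s = adoptRef(FakeStringCreate());
    FakeString* raw = s.leakRef();
    FakeStringRelease(raw);
}
// Observes the count after one copy and one move: 2, with `copy` left empty.
unsigned refCountAfterCopyAndMove()
{
    auto s = adoptRef(FakeStringCreate());
    RetainPtr<FakeString> copy = s;
    RetainPtr<FakeString> moved = std::move(copy);
    unsigned count = s.get()->refCount;
    return copy ? 0u : count;
}
```

        The mirror-image mistake, adopting a pointer you only borrowed, is not shown
        running because it over-releases: the handle is freed while someone else still
        holds it, which is the use-after-free side of the same ownership confusion.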
3175
3176 2018-09-14  Saam barati  <sbarati@apple.com>
3177
3178         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3179         https://bugs.webkit.org/show_bug.cgi?id=189628
3180         <rdar://problem/39481690>
3181
3182         Reviewed by Mark Lam.
3183
3184         An Availability may point to a Node. And that Node may be removed from
3185         the graph, e.g, it's freed and its memory is no longer owned by Graph.
3186         This patch makes it so we no longer dump this metadata by default. If
3187         this metadata is interesting to you, you'll need to go in and change
3188         Graph::dump to dump the needed metadata.
3189
3190         * dfg/DFGGraph.cpp:
3191         (JSC::DFG::Graph::dump):
3192
3193 2018-09-14  Mark Lam  <mark.lam@apple.com>
3194
3195         Refactor some ForInContext code for better encapsulation.
3196         https://bugs.webkit.org/show_bug.cgi?id=189626
3197         <rdar://problem/44466415>
3198
3199         Reviewed by Keith Miller.
3200
3201         1. Add a ForInContext::m_type field to store the context type.  This does not
3202            increase the class size, but eliminates the need for a virtual call to get the
3203            type.
3204
3205            Note: we still need a virtual destructor because we'll be mingling
3206            IndexedForInContexts and StructureForInContexts in the BytecodeGenerator::m_forInContextStack.
3207
3208         2. Add ForInContext::isIndexedForInContext() and ForInContext::isStructureForInContext()
3209            convenience methods.
3210
3211         3. Add ForInContext::asIndexedForInContext() and ForInContext::asStructureForInContext()
3212            to do the casting to the subclass types.  This ensures that we'll properly
3213            assert that the casting is legal.
3214
3215         * bytecompiler/BytecodeGenerator.cpp:
3216         (JSC::BytecodeGenerator::emitGetByVal):
3217         (JSC::BytecodeGenerator::popIndexedForInScope):
3218         (JSC::BytecodeGenerator::popStructureForInScope):
3219         * bytecompiler/BytecodeGenerator.h:
3220         (JSC::ForInContext::type const):
3221         (JSC::ForInContext::isIndexedForInContext const):
3222         (JSC::ForInContext::isStructureForInContext const):
3223         (JSC::ForInContext::asIndexedForInContext):
3224         (JSC::ForInContext::asStructureForInContext):
3225         (JSC::ForInContext::ForInContext):
3226         (JSC::StructureForInContext::StructureForInContext):
3227         (JSC::IndexedForInContext::IndexedForInContext):
3228         (JSC::ForInContext::~ForInContext): Deleted.
3229
3230 2018-09-14  Devin Rousso  <webkit@devinrousso.com>
3231
3232         Web Inspector: Record actions performed on ImageBitmapRenderingContext
3233         https://bugs.webkit.org/show_bug.cgi?id=181341
3234
3235         Reviewed by Joseph Pecoraro.
3236
3237         * inspector/protocol/Recording.json:
3238         * inspector/scripts/codegen/generator.py:
3239
3240 2018-09-14  Mike Gorse  <mgorse@suse.com>
3241
3242         builtins directory causes name conflict on Python 3
3243         https://bugs.webkit.org/show_bug.cgi?id=189552
3244
3245         Reviewed by Michael Catanzaro.
3246
3247         * CMakeLists.txt: builtins -> wkbuiltins.
3248         * DerivedSources.make: builtins -> wkbuiltins.
3249         * Scripts/generate-js-builtins.py: import wkbuiltins, rather than
3250           builtins.
3251         * Scripts/wkbuiltins/__init__.py: Renamed from Source/JavaScriptCore/Scripts/builtins/__init__.py.
3252         * Scripts/wkbuiltins/builtins_generate_combined_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_combined_header.py.
3253         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_internals_wrapper_implementation.py.
3254         * Scripts/wkbuiltins/builtins_generate_separate_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_header.py.
3255         * Scripts/wkbuiltins/builtins_generate_separate_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_implementation.py.
3256         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_header.py.
3257         * Scripts/wkbuiltins/builtins_generate_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_implementation.py.
3258         * Scripts/wkbuiltins/builtins_generator.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generator.py.
3259         * Scripts/wkbuiltins/builtins_model.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_model.py.
3260         * Scripts/wkbuiltins/builtins_templates.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_templates.py.
3261         * Scripts/wkbuiltins/wkbuiltins.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins.py.
3262         * JavaScriptCore.xcodeproj/project.pbxproj: Update for the renaming.
3263
3264 2018-09-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3265
3266         [WebAssembly] Inline WasmContext accessor functions
3267         https://bugs.webkit.org/show_bug.cgi?id=189416
3268
3269         Reviewed by Saam Barati.
3270
3271         WasmContext accessor functions are very small while they reside in the critical path of
3272         JS to Wasm function call. This patch makes them inline to improve performance.
3273         This change improves a small benchmark (calling JS to Wasm function 1e7 times) from 320ms to 270ms.
3274
3275         * JavaScriptCore.xcodeproj/project.pbxproj:
3276         * Sources.txt:
3277         * interpreter/CallFrame.cpp:
3278         * jit/AssemblyHelpers.cpp:
3279         * wasm/WasmB3IRGenerator.cpp:
3280         * wasm/WasmContextInlines.h: Renamed from Source/JavaScriptCore/wasm/WasmContext.cpp.
3281         (JSC::Wasm::Context::useFastTLS):
3282         (JSC::Wasm::Context::load const):
3283         (JSC::Wasm::Context::store):
3284         * wasm/WasmMemoryInformation.cpp:
3285         * wasm/WasmModuleParser.cpp: Include <wtf/SHA1.h> due to changes of unified source combinations.
3286         * wasm/js/JSToWasm.cpp:
3287         * wasm/js/WebAssemblyFunction.cpp:
3288
3289 2018-09-12  David Kilzer  <ddkilzer@apple.com>
3290
3291         Move JavaScriptCore files to match Xcode project hierarchy
3292         <https://webkit.org/b/189574>
3293
3294         Reviewed by Filip Pizlo.
3295
3296         * API/JSAPIValueWrapper.cpp: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.cpp.
3297         * API/JSAPIValueWrapper.h: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.h.
3298         * CMakeLists.txt: Update for new path to
3299         generateYarrUnicodePropertyTables.py, hasher.py and
3300         JSAPIValueWrapper.h.
3301         * DerivedSources.make: Ditto. Add missing dependency on
3302         hasher.py captured by CMakeLists.txt.
3303         * JavaScriptCore.xcodeproj/project.pbxproj: Update for new file
3304         reference paths. Add hasher.py library to project.
3305         * Sources.txt: Update for new path to
3306         JSAPIValueWrapper.cpp.
3307         * runtime/JSImmutableButterfly.h: Add missing includes
3308         after changes to Sources.txt and regenerating unified
3309         sources.
3310         * runtime/RuntimeType.h: Ditto.
3311         * yarr/generateYarrUnicodePropertyTables.py: Rename from Source/JavaScriptCore/Scripts/generateYarrUnicodePropertyTables.py.
3312         * yarr/hasher.py: Rename from Source/JavaScriptCore/Scripts/hasher.py.
3313
3314 2018-09-12  David Kilzer  <ddkilzer@apple.com>
3315
3316         Let Xcode have its way with the JavaScriptCore project
3317
3318         * JavaScriptCore.xcodeproj/project.pbxproj:
3319
3320 2018-09-12  Guillaume Emont  <guijemont@igalia.com>
3321
3322         Add IGNORE_WARNING_.* macros
3323         https://bugs.webkit.org/show_bug.cgi?id=188996
3324
3325         Reviewed by Michael Catanzaro.
3326
3327         * API/JSCallbackObject.h:
3328         * API/tests/testapi.c:
3329         * assembler/LinkBuffer.h:
3330         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3331         * b3/B3LowerToAir.cpp:
3332         * b3/B3Opcode.cpp:
3333         * b3/B3Type.h:
3334         * b3/B3TypeMap.h:
3335         * b3/B3Width.h:
3336         * b3/air/AirArg.cpp:
3337         * b3/air/AirArg.h:
3338         * b3/air/AirCode.h:
3339         * bytecode/Opcode.h:
3340         (JSC::padOpcodeName):
3341         * dfg/DFGSpeculativeJIT.cpp:
3342         (JSC::DFG::SpeculativeJIT::speculateNumber):
3343         (JSC::DFG::SpeculativeJIT::speculateMisc):
3344         * dfg/DFGSpeculativeJIT64.cpp:
3345         * ftl/FTLOutput.h:
3346         * jit/CCallHelpers.h:
3347         (JSC::CCallHelpers::calculatePokeOffset):
3348         * llint/LLIntData.cpp:
3349         * llint/LLIntSlowPaths.cpp:
3350         (JSC::LLInt::slowPathLogF):
3351         * runtime/ConfigFile.cpp:
3352         (JSC::ConfigFile::canonicalizePaths):
3353         * runtime/JSDataViewPrototype.cpp:
3354         * runtime/JSGenericTypedArrayViewConstructor.h:
3355         * runtime/JSGenericTypedArrayViewPrototype.h:
3356         * runtime/Options.cpp:
3357         (JSC::Options::setAliasedOption):
3358         * tools/CodeProfiling.cpp:
3359         * wasm/WasmSections.h:
3360         * wasm/generateWasmValidateInlinesHeader.py:
3361
3362 == Rolled over to ChangeLog-2018-09-11 ==