constructArray() should always allocate the requested length.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-07-10  Mark Lam  <mark.lam@apple.com>
2
3         constructArray() should always allocate the requested length.
4         https://bugs.webkit.org/show_bug.cgi?id=187543
5         <rdar://problem/41947884>
6
7         Reviewed by Saam Barati.
8
9         Currently, it does not when we're having a bad time.  We fix this by switching
10         back to using tryCreateUninitializedRestricted() exclusively in constructArray().
11         If we detect that a structure transition is possible before we can initialize
12         the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
13         We will introduce JSArray::eagerlyInitializeButterfly() to handle this.
14
15         Also enhanced the DisallowScope and ObjectInitializationScope to support this
16         eager initialization when needed.
17
18         * dfg/DFGOperations.cpp:
19         - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
20           the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
21           it clearer that we encountered an OutOfMemory condition instead of failing in FTL
22           generated code, which will appear as a generic null pointer dereference.
23
24         * runtime/ArrayPrototype.cpp:
25         (JSC::concatAppendOne):
26         - the code here clearly wants to check for an allocation failure.  Switched to
27           using JSArray::tryCreate() instead of JSArray::create().
28
29         * runtime/DisallowScope.h:
30         (JSC::DisallowScope::disable):
31         * runtime/JSArray.cpp:
32         (JSC::JSArray::tryCreateUninitializedRestricted):
33         (JSC::JSArray::eagerlyInitializeButterfly):
34         (JSC::constructArray):
35         * runtime/JSArray.h:
36         * runtime/ObjectInitializationScope.cpp:
37         (JSC::ObjectInitializationScope::notifyInitialized):
38         * runtime/ObjectInitializationScope.h:
39         (JSC::ObjectInitializationScope::notifyInitialized):
40
41 2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
42
43         [JSC] Remove getTypedArrayImpl
44         https://bugs.webkit.org/show_bug.cgi?id=187338
45
46         Reviewed by Mark Lam.
47
48         getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
49         is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
50         This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.
51
52         * runtime/ClassInfo.h:
53         * runtime/GenericTypedArrayView.h:
54         (JSC::GenericTypedArrayView::data const): Deleted.
55         (JSC::GenericTypedArrayView::set): Deleted.
56         (JSC::GenericTypedArrayView::setRange): Deleted.
57         (JSC::GenericTypedArrayView::zeroRange): Deleted.
58         (JSC::GenericTypedArrayView::zeroFill): Deleted.
59         (JSC::GenericTypedArrayView::length const): Deleted.
60         (JSC::GenericTypedArrayView::item const): Deleted.
61         (JSC::GenericTypedArrayView::set const): Deleted.
62         (JSC::GenericTypedArrayView::setNative const): Deleted.
63         (JSC::GenericTypedArrayView::getRange): Deleted.
64         (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
65         (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
66         * runtime/JSArrayBufferView.cpp:
67         (JSC::JSArrayBufferView::possiblySharedImpl):
68         * runtime/JSArrayBufferView.h:
69         * runtime/JSArrayBufferViewInlines.h:
70         (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
71         * runtime/JSCell.cpp:
72         (JSC::JSCell::getTypedArrayImpl): Deleted.
73         * runtime/JSCell.h:
74         * runtime/JSDataView.cpp:
75         (JSC::JSDataView::getTypedArrayImpl): Deleted.
76         * runtime/JSDataView.h:
77         * runtime/JSGenericTypedArrayView.h:
78         * runtime/JSGenericTypedArrayViewInlines.h:
79         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.
80
81 2018-07-10  Keith Miller  <keith_miller@apple.com>
82
83         hasOwnProperty returns true for out of bounds property index on TypedArray
84         https://bugs.webkit.org/show_bug.cgi?id=187520
85
86         Reviewed by Saam Barati.
87
88         * runtime/JSGenericTypedArrayViewInlines.h:
89         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
90
91 2018-07-10  Michael Saboff  <msaboff@apple.com>
92
93         DFG JIT: compileMathIC produces incorrect machine code
94         https://bugs.webkit.org/show_bug.cgi?id=187537
95
96         Reviewed by Saam Barati.
97
98         Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
99         fall back to the fast path generator which handles such cases.
100
101         * jit/JITMulGenerator.cpp:
102         (JSC::JITMulGenerator::generateInline):
103
104 2018-07-10  Filip Pizlo  <fpizlo@apple.com>
105
106         Change the reoptimization backoff base to 1.3 from 2
107         https://bugs.webkit.org/show_bug.cgi?id=187540
108
109         Reviewed by Saam Barati.
110         
111         I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
112         
113         I also have data that hints that a backoff base of 1 might be even better, but I think that
114         we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.
115
116         * bytecode/CodeBlock.cpp:
117         (JSC::CodeBlock::reoptimizationRetryCounter const):
118         (JSC::CodeBlock::countReoptimization):
119         (JSC::CodeBlock::adjustedCounterValue):
120         * runtime/Options.cpp:
121         (JSC::recomputeDependentOptions):
122         * runtime/Options.h:
123
124 2018-07-10  Mark Lam  <mark.lam@apple.com>
125
126         [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
127         https://bugs.webkit.org/show_bug.cgi?id=187362
128         <rdar://problem/42027210>
129
130         Reviewed by Saam Barati.
131
132         On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
133         value to use for initializing unused properties.  Updated an assertion to account
134         for this.
135
136         * runtime/ObjectInitializationScope.cpp:
137         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
138
139 2018-07-10  Michael Saboff  <msaboff@apple.com>
140
141         YARR: . doesn't match non-BMP Unicode characters in some cases
142         https://bugs.webkit.org/show_bug.cgi?id=187248
143
144         Reviewed by Geoffrey Garen.
145
146         The safety check in optimizeAlternative() for moving character classes that only consist of BMP
147         characters did not take into account that the character class is inverted.  In this case, we
148         represent '.' as "not a newline" using the newline character class with an inverted check.
149         Clearly that includes non-BMP characters.
150
151         The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
152         inverted use of that character class.
153
154         * yarr/YarrJIT.cpp:
155         (JSC::Yarr::YarrGenerator::optimizeAlternative):
156
157 2018-07-09  Mark Lam  <mark.lam@apple.com>
158
159         Add --traceLLIntExecution and --traceLLIntSlowPath options.
160         https://bugs.webkit.org/show_bug.cgi?id=187479
161
162         Reviewed by Yusuke Suzuki and Saam Barati.
163
164         These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.
165
166         The details:
167         1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
168         2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
169            This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
170            continually spammed with logging until we rebuild.
171         3. Fixed slow path LLINT tracing to work with exception check validation.
172
173         * llint/LLIntCommon.h:
174         * llint/LLIntExceptions.cpp:
175         (JSC::LLInt::returnToThrow):
176         (JSC::LLInt::callToThrow):
177         * llint/LLIntOfflineAsmConfig.h:
178         * llint/LLIntSlowPaths.cpp:
179         (JSC::LLInt::slowPathLog):
180         (JSC::LLInt::slowPathLn):
181         (JSC::LLInt::slowPathLogF):
182         (JSC::LLInt::slowPathLogLn):
183         (JSC::LLInt::llint_trace_operand):
184         (JSC::LLInt::llint_trace_value):
185         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
186         (JSC::LLInt::traceFunctionPrologue):
187         (JSC::LLInt::handleHostCall):
188         (JSC::LLInt::setUpCall):
189         * llint/LLIntSlowPaths.h:
190         * llint/LowLevelInterpreter.asm:
191         * runtime/CommonSlowPathsExceptions.cpp:
192         (JSC::CommonSlowPaths::interpreterThrowInCaller):
193         * runtime/Options.cpp:
194         (JSC::Options::isAvailable):
195         * runtime/Options.h:
196
197 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
198
199         [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
200         https://bugs.webkit.org/show_bug.cgi?id=187477
201
202         Reviewed by Mark Lam.
203
204         Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
205         However, it is not necessary since JSCells can reside in a constant buffer.
206         This patch embeds RegExp* in a constant buffer in UnlinkedCodeBlock and CodeBlock, and removes the RegExp
207         vector from RareData.
208
209         We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.
210
211         * bytecode/BytecodeDumper.cpp:
212         (JSC::BytecodeDumper<Block>::dumpBytecode):
213         (JSC::BytecodeDumper<Block>::dumpBlock):
214         (JSC::regexpToSourceString): Deleted.
215         (JSC::regexpName): Deleted.
216         (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
217         * bytecode/BytecodeDumper.h:
218         * bytecode/CodeBlock.h:
219         (JSC::CodeBlock::regexp const): Deleted.
220         (JSC::CodeBlock::numberOfRegExps const): Deleted.
221         * bytecode/UnlinkedCodeBlock.cpp:
222         (JSC::UnlinkedCodeBlock::visitChildren):
223         (JSC::UnlinkedCodeBlock::shrinkToFit):
224         * bytecode/UnlinkedCodeBlock.h:
225         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
226         (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
227         (JSC::UnlinkedCodeBlock::regexp const): Deleted.
228         * bytecompiler/BytecodeGenerator.cpp:
229         (JSC::BytecodeGenerator::emitNewRegExp):
230         (JSC::BytecodeGenerator::addRegExp): Deleted.
231         * bytecompiler/BytecodeGenerator.h:
232         * dfg/DFGByteCodeParser.cpp:
233         (JSC::DFG::ByteCodeParser::parseBlock):
234         * jit/JITOpcodes.cpp:
235         (JSC::JIT::emit_op_new_regexp):
236         * llint/LLIntSlowPaths.cpp:
237         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
238         * runtime/JSCJSValue.cpp:
239         (JSC::JSValue::dumpInContextAssumingStructure const):
240         * runtime/RegExp.cpp:
241         (JSC::regexpToSourceString):
242         (JSC::RegExp::dumpToStream):
243         * runtime/RegExp.h:
244
245 2018-07-09  Brian Burg  <bburg@apple.com>
246
247         REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
248         https://bugs.webkit.org/show_bug.cgi?id=187350
249         <rdar://problem/41728249>
250
251         Reviewed by Matt Baker.
252
253         Add a new command that toggles whether or not to blackbox internal scripts.
254         If blackboxed, the scripts will not be shown to the frontend and the debugger will
255         not pause in source frames from blackboxed scripts. Sometimes we want to break into
256         those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
257         that injects scripts.
258
259         * inspector/agents/InspectorDebuggerAgent.cpp:
260         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
261         (Inspector::InspectorDebuggerAgent::didParseSource):
262         * inspector/agents/InspectorDebuggerAgent.h:
263         * inspector/protocol/Debugger.json:
264
265 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
266
267         [JSC] Make some data members of UnlinkedCodeBlock private
268         https://bugs.webkit.org/show_bug.cgi?id=187467
269
270         Reviewed by Mark Lam.
271
272         This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
273         We also remove m_numCapturedVars since it is no longer used.
274
275         * bytecode/CodeBlock.cpp:
276         (JSC::CodeBlock::CodeBlock):
277         * bytecode/CodeBlock.h:
278         * bytecode/UnlinkedCodeBlock.cpp:
279         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
280         * bytecode/UnlinkedCodeBlock.h:
281
282 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
283
284         [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
285         https://bugs.webkit.org/show_bug.cgi?id=187465
286
287         Reviewed by Keith Miller.
288
289         ProxyableAccessCase is allocated very frequently and persists for a long time. Reducing the size
290         of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.
291
292         This patch uses a slightly more complicated layout to shrink ProxyableAccessCase. We add an unused bool member
293         in AccessCase's padding and use it in ProxyableAccessCase. By doing so, we can reduce the size
294         of ProxyableAccessCase from 56 to 48. It also reduces the size of GetterSetterAccessCase
295         from 104 to 96 since it inherits from ProxyableAccessCase.
296
297         * bytecode/AccessCase.h:
298         (JSC::AccessCase::viaProxy const):
299         (JSC::AccessCase::AccessCase):
300         * bytecode/ProxyableAccessCase.cpp:
301         (JSC::ProxyableAccessCase::ProxyableAccessCase):
302         * bytecode/ProxyableAccessCase.h:
303
304 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
305
306         Unreviewed, build fix for debug builds after r233630
307         https://bugs.webkit.org/show_bug.cgi?id=187441
308
309         * jit/JIT.cpp:
310         (JSC::JIT::frameRegisterCountFor):
311         * llint/LLIntEntrypoint.cpp:
312         (JSC::LLInt::frameRegisterCountFor):
313
314 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
315
316         [JSC] Optimize layout of CodeBlock to reduce padding
317         https://bugs.webkit.org/show_bug.cgi?id=187441
318
319         Reviewed by Mark Lam.
320
321         Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
322         We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
323         Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.
324
325         We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.
326
327         * bytecode/BytecodeDumper.cpp:
328         (JSC::BytecodeDumper<Block>::dumpBlock):
329         * bytecode/BytecodeUseDef.h:
330         (JSC::computeDefsForBytecodeOffset):
331         * bytecode/CodeBlock.cpp:
332         (JSC::CodeBlock::CodeBlock):
333         * bytecode/CodeBlock.h:
334         (JSC::CodeBlock::numVars const):
335         * bytecode/UnlinkedCodeBlock.h:
336         (JSC::UnlinkedCodeBlock::numVars const):
337         * dfg/DFGByteCodeParser.cpp:
338         (JSC::DFG::ByteCodeParser::ByteCodeParser):
339         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
340         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
341         (JSC::DFG::ByteCodeParser::inlineCall):
342         (JSC::DFG::ByteCodeParser::handleGetById):
343         (JSC::DFG::ByteCodeParser::handlePutById):
344         (JSC::DFG::ByteCodeParser::parseBlock):
345         * dfg/DFGGraph.h:
346         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
347         * dfg/DFGOSREntrypointCreationPhase.cpp:
348         (JSC::DFG::OSREntrypointCreationPhase::run):
349         * dfg/DFGVariableEventStream.cpp:
350         (JSC::DFG::VariableEventStream::reconstruct const):
351         * ftl/FTLOSREntry.cpp:
352         (JSC::FTL::prepareOSREntry):
353         * ftl/FTLState.cpp:
354         (JSC::FTL::State::State):
355         * interpreter/Interpreter.cpp:
356         (JSC::Interpreter::dumpRegisters):
357         * jit/JIT.cpp:
358         (JSC::JIT::frameRegisterCountFor):
359         * jit/JITOpcodes.cpp:
360         (JSC::JIT::emit_op_enter):
361         * jit/JITOpcodes32_64.cpp:
362         (JSC::JIT::emit_op_enter):
363         * jit/JITOperations.cpp:
364         * llint/LLIntEntrypoint.cpp:
365         (JSC::LLInt::frameRegisterCountFor):
366         * llint/LLIntSlowPaths.cpp:
367         (JSC::LLInt::traceFunctionPrologue):
368         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
369         * runtime/JSCJSValue.h:
370
371 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
372
373         [JSC] Optimize padding of UnlinkedCodeBlock to shrink
374         https://bugs.webkit.org/show_bug.cgi?id=187448
375
376         Reviewed by Saam Barati.
377
378         We optimize the size of CodeType and TriState, and we arrange the layout of UnlinkedCodeBlock.
379         These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.
380
381         * bytecode/CodeType.h:
382         * bytecode/UnlinkedCodeBlock.cpp:
383         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
384         * bytecode/UnlinkedCodeBlock.h:
385         (JSC::UnlinkedCodeBlock::codeType const):
386         (JSC::UnlinkedCodeBlock::didOptimize const):
387         (JSC::UnlinkedCodeBlock::setDidOptimize):
388         * bytecode/VirtualRegister.h:
389
390 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
391
392         [JSC] Optimize padding of InferredTypeTable by using cellLock
393         https://bugs.webkit.org/show_bug.cgi?id=187447
394
395         Reviewed by Mark Lam.
396
397         Use cellLock() in InferredTypeTable to guard changes of internal structures.
398         This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
399         reduce the size of InferredTypeTable from 40 to 32.
400
401         * runtime/InferredTypeTable.cpp:
402         (JSC::InferredTypeTable::visitChildren):
403         (JSC::InferredTypeTable::get):
404         (JSC::InferredTypeTable::willStoreValue):
405         (JSC::InferredTypeTable::makeTop):
406         * runtime/InferredTypeTable.h:
407         Use enum class and using, and remove `isEmpty()` since it is not used.
408
409         * runtime/Structure.h:
410
411 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
412
413         [JSC] Optimize layout of SourceProvider to reduce padding
414         https://bugs.webkit.org/show_bug.cgi?id=187440
415
416         Reviewed by Mark Lam.
417
418         Arrange members of SourceProvider to reduce the size from 80 to 72.
419
420         * parser/SourceProvider.cpp:
421         (JSC::SourceProvider::SourceProvider):
422         * parser/SourceProvider.h:
423
424 2018-07-08  Mark Lam  <mark.lam@apple.com>
425
426         PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
427         https://bugs.webkit.org/show_bug.cgi?id=187444
428         <rdar://problem/41282849>
429
430         Reviewed by Saam Barati.
431
432         PropertyTable supports C++ iteration by offering begin() and end() methods, and
433         an iterator class.  The begin() methods and the iterator operator++() method use
434         PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
435         However, PropertyTable::skipDeletedEntries() does not prevent the iteration
436         pointer from being incremented past the end of the table.  As a result, we can
437         iterate past the end of the table.  Note that the C++ iteration protocol tests
438         for the iterator not being equal to the end() value.  It does not do a <= test.
439         If the iterator ever shoots past end, the loop will effectively not terminate.
440
441         This issue can manifest if and only if the last entry in the table is a deleted
442         one, and the key field of the PropertyMapEntry shaped space at the end of the
443         table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
444         value.
445
446         No test because manifesting this issue requires uncontrollable happenstance where
447         memory just beyond the end of the table looks like a deleted entry.
448
449         * runtime/PropertyMapHashTable.h:
450         (JSC::PropertyTable::begin):
451         (JSC::PropertyTable::end):
452         (JSC::PropertyTable::begin const):
453         (JSC::PropertyTable::end const):
454         (JSC::PropertyTable::skipDeletedEntries):
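
As an added illustration of the bug class this entry describes (example code written for this page, not WebKit's PropertyTable; the slot layout, the key values and the table contents are constructed), the walk below shows an unguarded tombstone skip overshooting the table end when the slot just past it happens to look deleted, beside a skip bounded by end, which is what the entry's fix requires:

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-in for a PropertyMapEntry-shaped slot (not JSC's type).
// key == 0 marks an empty slot and key == 1 marks a deleted entry, mirroring
// the PROPERTY_MAP_DELETED_ENTRY_KEY value the entry mentions.
struct Entry {
    uintptr_t key;
    unsigned offset;
};
constexpr uintptr_t kEmptyKey = 0;
constexpr uintptr_t kDeletedKey = 1;

// Unguarded skip: advances while the slot looks deleted and never compares
// against the table end.  If the slot just past the end also looks deleted,
// the pointer overshoots.
static Entry* skipDeletedEntriesUnguarded(Entry* p) {
    while (p->key == kDeletedKey)
        ++p;
    return p;
}

// Guarded skip: stops at end regardless of what the memory beyond it holds.
static Entry* skipDeletedEntriesGuarded(Entry* p, Entry* end) {
    while (p != end && p->key == kDeletedKey)
        ++p;
    return p;
}

// Walk a constructed table with the chosen skip and count live entries.
// Returns -1 if the iterator ever lands past end, i.e. the usual
// `it != end` loop condition would no longer terminate the loop.
static int iterate(bool guarded) {
    // Logical table: [live, deleted, deleted] (end == storage + 3).
    // Slot 3 is the first slot past end and happens to hold the deleted key,
    // the condition the entry describes.  Slot 4 is an empty slot we own so
    // the unguarded walk stops somewhere we can still inspect safely.
    Entry storage[5] = {{42, 0}, {kDeletedKey, 0}, {kDeletedKey, 0},
                        {kDeletedKey, 0}, {kEmptyKey, 0}};
    Entry* begin = storage;
    Entry* end = storage + 3;

    Entry* it = guarded ? skipDeletedEntriesGuarded(begin, end)
                        : skipDeletedEntriesUnguarded(begin);
    int live = 0;
    while (it != end) {
        if (it > end)
            return -1;  // overshoot: a real loop would keep running
        ++live;
        ++it;
        it = guarded ? skipDeletedEntriesGuarded(it, end)
                     : skipDeletedEntriesUnguarded(it);
    }
    return live;
}
```

The unguarded walk returns -1 because it lands on slot 4, past end, while the guarded walk counts the single live entry and stops exactly at end. In a real table the slot past end is memory the table does not own, so the unguarded read is itself out of bounds, which is why the example reserves that slot instead.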
455
456 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
457
458         [JSC] Optimize layout of SymbolTable to reduce padding
459         https://bugs.webkit.org/show_bug.cgi?id=187437
460
461         Reviewed by Mark Lam.
462
463         Arrange the layout of SymbolTable to reduce the size from 88 to 72.
464
465         * runtime/SymbolTable.h:
466
467 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
468
469         [JSC] Optimize layout of RegExp to reduce padding
470         https://bugs.webkit.org/show_bug.cgi?id=187438
471
472         Reviewed by Mark Lam.
473
474         Reduce the size of RegExp from 168 to 144.
475
476         * runtime/RegExp.cpp:
477         (JSC::RegExp::RegExp):
478         * runtime/RegExp.h:
479         * runtime/RegExpKey.h:
480         * yarr/YarrErrorCode.h:
481
482 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
483
484         [JSC] Optimize layout of ValueProfile to reduce padding
485         https://bugs.webkit.org/show_bug.cgi?id=187439
486
487         Reviewed by Mark Lam.
488
489         Reduce the size of ValueProfile from 40 to 32 by reordering members.
490
491         * bytecode/ValueProfile.h:
492         (JSC::ValueProfileBase::ValueProfileBase):
493
494 2018-07-05  Saam Barati  <sbarati@apple.com>
495
496         ProgramExecutable may be collected as we checkSyntax on it
497         https://bugs.webkit.org/show_bug.cgi?id=187359
498         <rdar://problem/41832135>
499
500         Reviewed by Mark Lam.
501
502         The bug was we were passing in a reference to the SourceCode field on ProgramExecutable as
503         the ProgramExecutable itself may be collected. The fix here is to make a copy
504         of the field instead of passing in a reference inside of ParserError::toErrorObject.
505         
506         No new tests here as this was already caught by our iOS JSC testers.
507
508         * parser/ParserError.h:
509         (JSC::ParserError::toErrorObject):
510
511 2018-07-04  Tim Horton  <timothy_horton@apple.com>
512
513         Introduce PLATFORM(IOSMAC)
514         https://bugs.webkit.org/show_bug.cgi?id=187315
515
516         Reviewed by Dan Bernstein.
517
518         * Configurations/Base.xcconfig:
519         * Configurations/FeatureDefines.xcconfig:
520
521 2018-07-03  Mark Lam  <mark.lam@apple.com>
522
523         [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
524         https://bugs.webkit.org/show_bug.cgi?id=187255
525         <rdar://problem/41785257>
526
527         Reviewed by Saam Barati.
528
529         The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
530         too: basically, do what the 64-bit code is doing.  At present, this change only
531         serves to pacify an assertion.  It is not needed for correctness because the
532         concurrent GC is not used on 32-bit builds.
533
534         This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
535         test.
536
537         * jit/JITOpcodes32_64.cpp:
538         (JSC::JIT::emit_op_create_this):
539
540 2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
541
542         [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
543         https://bugs.webkit.org/show_bug.cgi?id=187290
544
545         Reviewed by Saam Barati.
546
547         slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
548         we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
549         is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
550         easily calculated from JSType.
551         This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.
552
553         * runtime/ClassInfo.h:
554         * runtime/JSArrayBufferView.cpp:
555         (JSC::elementSize):
556         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
557         * runtime/JSArrayBufferView.h:
558         * runtime/JSArrayBufferViewInlines.h:
559         (JSC::JSArrayBufferView::possiblySharedBuffer):
560         * runtime/JSCell.cpp:
561         (JSC::JSCell::slowDownAndWasteMemory): Deleted.
562         * runtime/JSCell.h:
563         * runtime/JSDataView.cpp:
564         (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
565         * runtime/JSDataView.h:
566         * runtime/JSGenericTypedArrayView.h:
567         * runtime/JSGenericTypedArrayViewInlines.h:
568         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.
569
570 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
571
572         Regular expressions with ".?" expressions at the start and the end match the entire string
573         https://bugs.webkit.org/show_bug.cgi?id=119191
574
575         Reviewed by Michael Saboff.
576
577         r90962 optimized regular expressions in the form of /.*abc.*/ by looking
578         for "abc" first and then processing the leading and trailing dot stars
579         to find the beginning and the end of the match. However, it erroneously
580         enabled this optimization for regular expressions whose leading or
581         trailing dots had quantifiers that were not of arbitrary length, e.g.,
582         /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
583         match the entire string when it shouldn't. This patch disables the
584         optimization for those cases.
585
586         * yarr/YarrPattern.cpp:
587         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
588
589 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
590
591         RegExp.exec returns wrong value with a long integer quantifier
592         https://bugs.webkit.org/show_bug.cgi?id=187042
593
594         Reviewed by Saam Barati.
595
596         Prior to this patch, the Yarr parser checked for integer overflow when
597         parsing quantifiers in regular expressions by adding one digit at a time
598         to a number and checking if the result got larger. This is wrong: the
599         parser would fail to detect overflow when parsing, for example,
600         10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.
601
602         Another issue was that once it detected overflow, it stopped consuming
603         the remaining digits. Since it didn't find the closing bracket, it
604         parsed the quantifier as a normal string instead.
605
606         This patch fixes these issues by reading all the digits and checking for
607         overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
608         returns the largest possible value (quantifyInfinite in this case). This
609         matches Chrome [1], Firefox [2], and Edge [3].
610
611         [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
612         [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
613         [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149
614
615         * yarr/YarrParser.h:
616         (JSC::Yarr::Parser::consumeNumber):
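
An added example, not Yarr's parser, contrasting the two overflow strategies this entry describes. The digit loop, the kQuantifyInfinite constant and the sample inputs are constructed for this page, and the 64-bit accumulator stands in for Checked<unsigned, RecordOverflow>:

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <string>

// Constructed stand-in for Yarr's quantifyInfinite: the value an overflowing
// quantifier saturates to.
constexpr unsigned kQuantifyInfinite = std::numeric_limits<unsigned>::max();

struct ParsedNumber {
    unsigned value;
    size_t digitsConsumed;
};

static bool isDigit(char c) { return c >= '0' && c <= '9'; }

// Pre-fix strategy: accumulate digit by digit in 32-bit arithmetic and treat
// "the number got smaller" as the overflow signal, stopping at the first digit
// that trips it.  Wrap-around can land above the previous value, so the check
// is unreliable: 1000000000 * 10 + 3 wraps to 1410065411 > 1000000000.
static ParsedNumber consumeNumberNaive(const std::string& s) {
    unsigned n = 0;
    size_t i = 0;
    for (; i < s.size() && isDigit(s[i]); ++i) {
        unsigned next = n * 10 + static_cast<unsigned>(s[i] - '0');
        if (next < n)
            return {n, i};  // stops early; the remaining digits stay unconsumed
        n = next;
    }
    return {n, i};
}

// Post-fix strategy: consume every digit, record overflow in wider arithmetic
// (standing in for Checked<unsigned, RecordOverflow>), and saturate to
// kQuantifyInfinite if any overflow occurred.
static ParsedNumber consumeNumberChecked(const std::string& s) {
    uint64_t n = 0;
    bool overflowed = false;
    size_t i = 0;
    for (; i < s.size() && isDigit(s[i]); ++i) {
        if (overflowed)
            continue;  // keep consuming digits; the value is already saturated
        n = n * 10 + static_cast<uint64_t>(s[i] - '0');
        if (n > std::numeric_limits<unsigned>::max())
            overflowed = true;
    }
    return {overflowed ? kQuantifyInfinite : static_cast<unsigned>(n), i};
}
```

On "10000000003}" the naive parser consumes all eleven digits and returns the wrapped value 1410065411 without noticing. On "4294967296}" it does notice, but stops after nine digits, so a caller looking for the closing brace next would not find it and would fall back to treating the quantifier as a literal string. The checked parser consumes every digit in both cases and returns kQuantifyInfinite.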
617
618 2018-07-02  Keith Miller  <keith_miller@apple.com>
619
620         InstanceOf IC should do generic if the prototype is not an object.
621         https://bugs.webkit.org/show_bug.cgi?id=187250
622
623         Reviewed by Mark Lam.
624
625         The old code was wrong for two reasons. First, the AccessCase expected that
626         the prototype value would be non-null. Second, we would end up returning
627         false instead of throwing an exception.
628
629         * jit/Repatch.cpp:
630         (JSC::tryCacheInstanceOf):
631
632 2018-07-01  Mark Lam  <mark.lam@apple.com>
633
634         Builtins and host functions should get their own structures.
635         https://bugs.webkit.org/show_bug.cgi?id=187211
636         <rdar://problem/41646336>
637
638         Reviewed by Saam Barati.
639
640         JSFunctions do lazy reification of properties, but ordinary functions apply
641         different rules of property reification than builtin and host functions.  Hence,
642         we should give builtins and host functions their own structures.
643
644         * runtime/JSFunction.cpp:
645         (JSC::JSFunction::selectStructureForNewFuncExp):
646         (JSC::JSFunction::create):
647         (JSC::JSFunction::getOwnPropertySlot):
648         * runtime/JSGlobalObject.cpp:
649         (JSC::JSGlobalObject::init):
650         (JSC::JSGlobalObject::visitChildren):
651         * runtime/JSGlobalObject.h:
652         (JSC::JSGlobalObject::hostFunctionStructure const):
653         (JSC::JSGlobalObject::arrowFunctionStructure const):
654         (JSC::JSGlobalObject::sloppyFunctionStructure const):
655         (JSC::JSGlobalObject::strictFunctionStructure const):
656
657 2018-07-01  David Kilzer  <ddkilzer@apple.com>
658
659         JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
660         <https://webkit.org/b/187233>
661
662         Reviewed by Mark Lam.
663
664         * b3/air/AirEliminateDeadCode.cpp:
665         (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
666         * parser/ParserTokens.h:
667         (JSC::JSTextPosition::JSTextPosition): Add struct member
668         initialization. Simplify default constructor.
669         (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
670         union to the beginning to make it easy to zero out all fields.
671         (JSC::JSTokenLocation::JSTokenLocation): Add struct member
672         initialization.  Simplify default constructor.  Note that
673         `endOffset` was not being initialized previously.
674         (JSC::JSTextPosition::JSToken): Add struct member initialization
675         where necessary.
676         * runtime/IntlObject.cpp:
677         (JSC::MatcherResult): Add struct member initialization.
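
An added example (constructed for this page, not JSC's JSTokenData) of why this entry moves the largest union member first: with `{}` initialization only the first member of a union is initialized, so member order decides whether every byte the union occupies is zeroed:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

// Constructed token-data stand-ins (not JSC's types).
struct Small { int32_t a; };                       // 4 bytes
struct Large { int64_t a; int64_t b; double c; };  // 24 bytes, no padding

// Smallest member first: `Bad{}` initializes only `s`; the remaining bytes
// are indeterminate, which is what the static analyzer complains about.
union Bad { Small s; Large l; };

// Largest member first: `Good{}` initializes `l`, whose members cover every
// byte of the union (sizeof(Good) == sizeof(Large)).
union Good { Large l; Small s; };

// Construct T with `{}` on storage pre-filled with 0xFF and count the bytes
// that still read 0xFF afterwards.
template <typename T>
static size_t bytesLeftUninitialized() {
    alignas(T) unsigned char storage[sizeof(T)];
    std::memset(storage, 0xFF, sizeof storage);
    T* obj = new (storage) T{};
    unsigned char bytes[sizeof(T)];
    std::memcpy(bytes, obj, sizeof(T));
    size_t count = 0;
    for (unsigned char b : bytes)
        if (b == 0xFF)
            ++count;
    return count;
}

static size_t goodLeftover() { return bytesLeftUninitialized<Good>(); }
static size_t badLeftover() { return bytesLeftUninitialized<Bad>(); }
```

goodLeftover() is 0 by the language rules: the first member is initialized from an empty list, and Large's three 8-byte members account for the whole union. badLeftover() is commonly non-zero on a 64-bit build, but the standard fixes no value for it, which is exactly the kind of read the analyzer reports as garbage or undefined.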
678
679 2018-06-23  Darin Adler  <darin@apple.com>
680
681         [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
682         https://bugs.webkit.org/show_bug.cgi?id=186973
683
684         Reviewed by Dan Bernstein.
685
686         * API/JSContext.mm:
687         (WeakContextRef::WeakContextRef): Deleted.
688         (WeakContextRef::~WeakContextRef): Deleted.
689         (WeakContextRef::get): Deleted.
690         (WeakContextRef::set): Deleted.
691
692         * API/JSContextInternal.h: Removed unneeded header guards since this is
693         an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
694         of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
695         since neither is used outside the class implementation.
696
697         * API/JSManagedValue.mm:
698         (-[JSManagedValue initWithValue:]): Use a bridging cast.
699         (-[JSManagedValue dealloc]): Ditto.
700         (-[JSManagedValue didAddOwner:]): Ditto.
701         (-[JSManagedValue didRemoveOwner:]): Ditto.
702         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
703         (JSManagedValueHandleOwner::finalize): Ditto.
704         * API/JSValue.mm:
705         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
706         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
707         (-[JSValue valueForProperty:]): Ditto.
708         (-[JSValue setValue:forProperty:]): Ditto.
709         (-[JSValue deleteProperty:]): Ditto.
710         (-[JSValue hasProperty:]): Ditto.
711         (-[JSValue invokeMethod:withArguments:]): Ditto.
712         (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
713         (valueToArray): Ditto.
714         (valueToDictionary): Ditto.
715         (objectToValueWithoutCopy): Ditto.
716         (objectToValue): Ditto.
717         * API/JSVirtualMachine.mm:
718         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
719         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
720         (-[JSVirtualMachine isOldExternalObject:]): Ditto.
721         (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
722         (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
723         (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
724         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
725         (scanExternalObjectGraph): Ditto.
726         (scanExternalRememberedSet): Ditto.
727         * API/JSWrapperMap.mm:
728         (makeWrapper): Ditto.
729         (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
730         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
731         (tryUnwrapObjcObject): Ditto.
732         * API/ObjCCallbackFunction.mm:
733         (blockSignatureContainsClass): Ditto.
734         (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
735         sure we will be keeping this the same way under ARC.
736         (objCCallbackFunctionForBlock): Use a bridging cast.
737
738         * API/ObjcRuntimeExtras.h:
739         (protocolImplementsProtocol): Use a more specific type that includes the
740         explicit __unsafe_unretained for copied protocol lists.
741         (forEachProtocolImplementingProtocol): Ditto.
742
743         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
744         (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
745         (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.
746
747         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
748         CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
749         (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
750         (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
751         (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.
752
753 2018-06-30  Adam Barth  <abarth@webkit.org>
754
755         Port JavaScriptCore to OS(FUCHSIA)
756         https://bugs.webkit.org/show_bug.cgi?id=187223
757
758         Reviewed by Daniel Bates.
759
760         * assembler/ARM64Assembler.h:
761         (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
762         * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
763         (JSC::MachineContext::stackPointerImpl):
764         (JSC::MachineContext::framePointerImpl):
765         (JSC::MachineContext::instructionPointerImpl):
766         (JSC::MachineContext::argumentPointer<1>):
767         (JSC::MachineContext::llintInstructionPointer):
768
769 2018-06-30  David Kilzer  <ddkilzer@apple.com>
770
771         Fix clang static analyzer warnings: Garbage return value
772         <https://webkit.org/b/187224>
773
774         Reviewed by Eric Carlson.
775
776         * bytecode/UnlinkedCodeBlock.cpp:
777         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
778         - Use brace initialization for local variables.
779         * debugger/DebuggerCallFrame.cpp:
780         (class JSC::LineAndColumnFunctor):
781         - Use class member initialization for member variables.
782
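The two static-analyzer entries above (garbage or undefined assigned values, garbage return values) both come down to reads of indeterminate memory. The following is an added illustration, not WebKit code: the types `PositionUninitialized`, `Position`, `TokenData`, the function names and the `kSampleLineStarts` table are all hypothetical stand-ins for the JSTextPosition/JSTokenData and UnlinkedCodeBlock cases the entries mention, showing the "before" shape beside the fix the entries apply (default member initialization, largest union member first, brace-initialized locals).

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>

// Hypothetical types, not JSC's JSTextPosition / JSTokenData: the pattern the
// two ChangeLog entries above describe, as a "before" and an "after".

// Before: no member initializers. A default-constructed instance holds
// whatever bytes were already in memory, and copying a field out of it is the
// "assigned value is garbage or undefined" case the analyzer flags.
struct PositionUninitialized {
    int line;
    int offset;
    int lineStartOffset;
};

// After: default member initializers, so every constructor path (including
// the implicit default constructor) leaves each field defined.
struct Position {
    int line { 0 };
    int offset { 0 };
    int lineStartOffset { 0 };
};

// Union with its largest member first: initializing the union with "{}"
// zero-initializes its first member, so listing the largest one first zeroes
// the whole storage. That is the point of the ParserTokens.h reordering.
union TokenData {
    struct { int64_t low; int64_t high; } pair;   // largest member, listed first
    double doubleValue;
    int32_t intValue;
};

// Constructed sample table (not from the page): byte offsets at which lines
// 0, 1 and 2 start.
const int kSampleLineStarts[] = { 0, 10, 25 };

// Before: the result is only assigned on the found path, so for an empty
// table (or an offset before the first line start) the function returns an
// indeterminate value: the "garbage return value" warning. Illustration only;
// nothing below calls it.
int lineForOffsetUninitialized(const int* lineStarts, int count, int offset)
{
    int result;
    for (int i = 0; i < count; ++i) {
        if (lineStarts[i] <= offset)
            result = i;
    }
    return result;
}

// After: the local is brace-initialized and the "not found" case is explicit
// (std::nullopt), so every path returns a defined value.
std::optional<int> lineForOffset(const int* lineStarts, int count, int offset)
{
    std::optional<int> result {};
    for (int i = 0; i < count; ++i) {
        if (lineStarts[i] <= offset)
            result = i;
        else
            break;   // table is sorted, nothing further can match
    }
    return result;
}

// Plain-return helpers so the behaviour can be checked directly.
Position defaultPosition() { return Position {}; }

bool tokenDataIsZeroed()
{
    TokenData data {};   // zero-initializes the first (largest) member
    return data.pair.low == 0 && data.pair.high == 0;
}

int lineForOffsetOrMinusOne(const int* lineStarts, int count, int offset)
{
    return lineForOffset(lineStarts, count, offset).value_or(-1);
}

int main()
{
    Position p = defaultPosition();
    std::printf("default position: %d %d %d\n", p.line, p.offset, p.lineStartOffset);
    std::printf("union zeroed: %s\n", tokenDataIsZeroed() ? "yes" : "no");
    std::printf("line for offset 12: %d\n", lineForOffsetOrMinusOne(kSampleLineStarts, 3, 12));
    std::printf("line for empty table: %d\n", lineForOffsetOrMinusOne(nullptr, 0, 5));
    return 0;
}
```

The fixed lookup makes the failure mode visible to the caller instead of leaving it to chance; the same holds for `Position`, whose implicit default constructor now produces zeros on every path rather than on the paths the analyzer happened to prove.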
783 2018-06-29  Saam Barati  <sbarati@apple.com>
784
785         Unreviewed. Try to fix Windows build after r233377
786
787         * builtins/BuiltinExecutables.cpp:
788         (JSC::BuiltinExecutables::createExecutable):
789
790 2018-06-29  Saam Barati  <sbarati@apple.com>
791
792         Don't use tracePoints in JS/Wasm entry
793         https://bugs.webkit.org/show_bug.cgi?id=187196
794
795         Reviewed by Mark Lam.
796
797         This puts VM entry and Wasm entry tracePoints behind a runtime
798         option. This is a ~4x speedup on a soon to be released Wasm
799         benchmark. tracePoints should basically never run more than 50
800         times a second. Entering the VM and entering Wasm are user controlled,
801         and can happen hundreds of thousands of times in a second. Depending
802         on how the Wasm/JS code is structured, this can be disastrous for
803         performance.
804
805         * runtime/Options.h:
806         * runtime/VMEntryScope.cpp:
807         (JSC::VMEntryScope::VMEntryScope):
808         (JSC::VMEntryScope::~VMEntryScope):
809         * wasm/WasmBBQPlan.cpp:
810         (JSC::Wasm::BBQPlan::compileFunctions):
811         * wasm/js/WebAssemblyFunction.cpp:
812         (JSC::callWebAssemblyFunction):
813
814 2018-06-29  Saam Barati  <sbarati@apple.com>
815
816         We shouldn't recurse into the parser when gathering metadata about various function offsets
817         https://bugs.webkit.org/show_bug.cgi?id=184074
818         <rdar://problem/37165897>
819
820         Reviewed by Mark Lam.
821
822         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
823         for that builtin. This required calling into the parser. However, the parser
824         may throw a stack overflow. We were not able to recover from that. The only
825         reason we called into the parser here is that we were gathering text offsets
826         and various metadata for things in the builtin function. This patch writes a
827         mini parser that figures this information out without calling into the full
828         parser. (I've also added a debug assert that verifies the mini parser stays in
829         sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
830         always succeeds.
831
832         * builtins/AsyncFromSyncIteratorPrototype.js:
833         (globalPrivate.createAsyncFromSyncIterator):
834         (globalPrivate.AsyncFromSyncIteratorConstructor):
835         * builtins/BuiltinExecutables.cpp:
836         (JSC::BuiltinExecutables::createExecutable):
837         * builtins/GlobalOperations.js:
838         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
839         (globalPrivate.speciesConstructor):
840         (globalPrivate.copyDataProperties):
841         (globalPrivate.copyDataPropertiesNoExclusions):
842         * builtins/PromiseOperations.js:
843         (globalPrivate.newHandledRejectedPromise):
844         * builtins/RegExpPrototype.js:
845         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
846         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
847         * builtins/StringPrototype.js:
848         (globalPrivate.hasObservableSideEffectsForStringReplace):
849         (globalPrivate.getDefaultCollator):
850         * parser/Nodes.cpp:
851         (JSC::FunctionMetadataNode::FunctionMetadataNode):
852         (JSC::FunctionMetadataNode::operator== const):
853         (JSC::FunctionMetadataNode::dump const):
854         * parser/Nodes.h:
855         * parser/Parser.h:
856         (JSC::parse):
857         * parser/ParserError.h:
858         (JSC::ParserError::type const):
859         * parser/ParserTokens.h:
860         (JSC::JSTextPosition::operator== const):
861         (JSC::JSTextPosition::operator!= const):
862         * parser/SourceCode.h:
863         (JSC::SourceCode::operator== const):
864         (JSC::SourceCode::operator!= const):
865         (JSC::SourceCode::subExpression const):
866         (JSC::SourceCode::subExpression): Deleted.
867
868 2018-06-28  Michael Saboff  <msaboff@apple.com>
869   
870         IsoCellSet::sweepToFreeList() not safe when Full GC in process
871         https://bugs.webkit.org/show_bug.cgi?id=187157
872
873         Reviewed by Mark Lam.
874
875         * heap/IsoCellSet.cpp:
876         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
877         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
878         or not we are in the process of marking during a full GC.
879         * heap/MarkedBlock.h:
880         * heap/MarkedBlockInlines.h:
881         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
882
883 2018-06-27  Saam Barati  <sbarati@apple.com>
884
885         Add some more register state information when we crash in repatchPutById
886         https://bugs.webkit.org/show_bug.cgi?id=187112
887
888         Reviewed by Mark Lam.
889
890         This will help us gather info when we end up seeing a ObjectPropertyConditionSet
891         with an offset that is different than what the put tells us.
892
893         * jit/Repatch.cpp:
894         (JSC::tryCachePutByID):
895
896 2018-06-27  Mark Lam  <mark.lam@apple.com>
897
898         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
899         https://bugs.webkit.org/show_bug.cgi?id=187119
900
901         Reviewed by Keith Miller.
902
903         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
904         should be checking for codeBlock instead of !codeBlock
905         before using the codeBlock.
906
907         I also renamed some other "print" functions to use "dump" instead
908         to match their underlying C++ code that they will call e.g.
909         CodeBlock::dumpSource().
910
911         * tools/JSDollarVM.cpp:
912         (WTF::JSDollarVMCallFrame::finishCreation):
913         (JSC::functionDumpSourceFor):
914         (JSC::functionDumpBytecodeFor):
915         (JSC::doPrint):
916         (JSC::functionDataLog):
917         (JSC::functionPrint):
918         (JSC::functionDumpCallFrame):
919         (JSC::functionDumpStack):
920         (JSC::JSDollarVM::finishCreation):
921         (JSC::functionPrintSourceFor): Deleted.
922         (JSC::functionPrintBytecodeFor): Deleted.
923         (JSC::doPrintln): Deleted.
924         (JSC::functionPrintln): Deleted.
925         (JSC::functionPrintCallFrame): Deleted.
926         (JSC::functionPrintStack): Deleted.
927         * tools/VMInspector.cpp:
928         (JSC::DumpFrameFunctor::DumpFrameFunctor):
929         (JSC::DumpFrameFunctor::operator() const):
930         (JSC::VMInspector::dumpCallFrame):
931         (JSC::VMInspector::dumpStack):
932         (JSC::VMInspector::dumpValue):
933         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
934         (JSC::PrintFrameFunctor::operator() const): Deleted.
935         (JSC::VMInspector::printCallFrame): Deleted.
936         (JSC::VMInspector::printStack): Deleted.
937         (JSC::VMInspector::printValue): Deleted.
938         * tools/VMInspector.h:
939
940 2018-06-27  Keith Miller  <keith_miller@apple.com>
941
942         Add logging to try to diagnose where we get a null structure.
943         https://bugs.webkit.org/show_bug.cgi?id=187106
944
945         Reviewed by Mark Lam.
946
947         Add a logging to JSObject::toPrimitive to help diagnose a nullptr
948         structure crash.
949
950         This code should be removed when we fix <rdar://problem/33451840>
951
952         * runtime/JSObject.cpp:
953         (JSC::callToPrimitiveFunction):
954         * runtime/JSObject.h:
955         (JSC::JSObject::getPropertySlot):
956
957 2018-06-27  Mark Lam  <mark.lam@apple.com>
958
959         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
960         https://bugs.webkit.org/show_bug.cgi?id=187091
961         <rdar://problem/41395624>
962
963         Reviewed by Yusuke Suzuki.
964
965         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
966         take their slow paths, the slow path would jump back to the fast path right after
967         the emitted code which clears the unused property values.  As a result, the
968         unused properties are not initialized.  We've fixed this by adding the slow path
969         generators before we emit the code to clear the unused properties.
970
971         * dfg/DFGSpeculativeJIT.cpp:
972         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
973         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
974
975 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
976
977         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
978         https://bugs.webkit.org/show_bug.cgi?id=185943
979
980         Reviewed by Mark Lam.
981
982         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
983         the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
984         the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated."
985         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
986
987         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
988         but it should be done in a separate patch since it would be performance sensitive.
989
990         * bytecompiler/NodesCodegen.cpp:
991         (JSC::ArrayPatternNode::emitDirectBinding):
992
993 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
994
995         [JSC] Pass VM& to functions more
996         https://bugs.webkit.org/show_bug.cgi?id=186241
997
998         Reviewed by Mark Lam.
999
1000         This patch threads VM& to functions requiring VM& more.
1001
1002         * API/JSObjectRef.cpp:
1003         (JSObjectIsConstructor):
1004         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
1005         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
1006         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
1007         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
1008         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
1009         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
1010         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
1011         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
1012         * bytecode/CodeBlockJettisoningWatchpoint.h:
1013         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1014         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
1015         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1016         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
1017         * bytecode/StructureStubClearingWatchpoint.cpp:
1018         (JSC::StructureStubClearingWatchpoint::fireInternal):
1019         * bytecode/StructureStubClearingWatchpoint.h:
1020         * bytecode/Watchpoint.cpp:
1021         (JSC::Watchpoint::fire):
1022         (JSC::WatchpointSet::fireAllWatchpoints):
1023         * bytecode/Watchpoint.h:
1024         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
1025         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
1026         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
1027         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
1028         (JSC::DFG::AdaptiveStructureWatchpoint::install):
1029         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
1030         * dfg/DFGAdaptiveStructureWatchpoint.h:
1031         * dfg/DFGDesiredWatchpoints.cpp:
1032         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
1033         * llint/LLIntSlowPaths.cpp:
1034         (JSC::LLInt::setupGetByIdPrototypeCache):
1035         * runtime/ArrayPrototype.cpp:
1036         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1037         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1038         * runtime/ECMAScriptSpecInternalFunctions.cpp:
1039         (JSC::esSpecIsConstructor):
1040         * runtime/FunctionRareData.cpp:
1041         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
1042         * runtime/FunctionRareData.h:
1043         * runtime/InferredStructureWatchpoint.cpp:
1044         (JSC::InferredStructureWatchpoint::fireInternal):
1045         * runtime/InferredStructureWatchpoint.h:
1046         * runtime/InternalFunction.cpp:
1047         (JSC::InternalFunction::createSubclassStructureSlow):
1048         * runtime/InternalFunction.h:
1049         (JSC::InternalFunction::createSubclassStructure):
1050         * runtime/JSCJSValue.h:
1051         * runtime/JSCJSValueInlines.h:
1052         (JSC::JSValue::isConstructor const):
1053         * runtime/JSCell.h:
1054         * runtime/JSCellInlines.h:
1055         (JSC::JSCell::isConstructor):
1056         (JSC::JSCell::methodTable const):
1057         * runtime/JSGlobalObject.cpp:
1058         (JSC::JSGlobalObject::init):
1059         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
1060         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
1061         * runtime/ProxyObject.cpp:
1062         (JSC::ProxyObject::finishCreation):
1063         * runtime/ReflectObject.cpp:
1064         (JSC::reflectObjectConstruct):
1065         * runtime/StructureRareData.cpp:
1066         (JSC::StructureRareData::setObjectToStringValue):
1067         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
1068         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
1069         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
1070
1071 2018-06-26  Mark Lam  <mark.lam@apple.com>
1072
1073         eval() is wrong about the LiteralParser never throwing any exceptions.
1074         https://bugs.webkit.org/show_bug.cgi?id=187074
1075         <rdar://problem/41461099>
1076
1077         Reviewed by Saam Barati.
1078
1079         Added the missing exception check, and removed an erroneous assertion.
1080
1081         * interpreter/Interpreter.cpp:
1082         (JSC::eval):
1083
1084 2018-06-26  Saam Barati  <sbarati@apple.com>
1085
1086         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
1087         https://bugs.webkit.org/show_bug.cgi?id=186878
1088         <rdar://problem/40568659>
1089
1090         Reviewed by Filip Pizlo.
1091
1092         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
1093         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
1094         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
1095         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
1096         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
1097         conservative scan knows to treat it like a butterfly when we may be
1098         pointing into the middle of it.
1099         
1100         The way we were crashing on the stress GC bots is that our conservative marking
1101         won't do cell visiting for things that are Auxiliary. This meant that if the
1102         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
1103         that JSImmutableButterfly would not be visited. This is now fixed.
1104
1105         * bytecompiler/NodesCodegen.cpp:
1106         (JSC::ArrayNode::emitBytecode):
1107         * debugger/Debugger.cpp:
1108         * heap/ConservativeRoots.cpp:
1109         (JSC::ConservativeRoots::genericAddPointer):
1110         * heap/Heap.cpp:
1111         (JSC::GatherHeapSnapshotData::operator() const):
1112         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
1113         (JSC::Heap::globalObjectCount):
1114         (JSC::Heap::objectTypeCounts):
1115         (JSC::Heap::deleteAllCodeBlocks):
1116         * heap/HeapCell.cpp:
1117         (WTF::printInternal):
1118         * heap/HeapCell.h:
1119         (JSC::isJSCellKind):
1120         (JSC::hasInteriorPointers):
1121         * heap/HeapUtil.h:
1122         (JSC::HeapUtil::findGCObjectPointersForMarking):
1123         (JSC::HeapUtil::isPointerGCObjectJSCell):
1124         * heap/MarkedBlock.cpp:
1125         (JSC::MarkedBlock::Handle::didAddToDirectory):
1126         * heap/SlotVisitor.cpp:
1127         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
1128         * runtime/JSGlobalObject.cpp:
1129         * runtime/JSImmutableButterfly.h:
1130         (JSC::JSImmutableButterfly::subspaceFor):
1131         * runtime/VM.cpp:
1132         (JSC::VM::VM):
1133         * runtime/VM.h:
1134         * tools/CellProfile.h:
1135         (JSC::CellProfile::CellProfile):
1136         (JSC::CellProfile::isJSCell const):
1137         * tools/HeapVerifier.cpp:
1138         (JSC::HeapVerifier::validateCell):
1139
1140 2018-06-26  Mark Lam  <mark.lam@apple.com>
1141
1142         Skip some unnecessary work in Interpreter::getStackTrace().
1143         https://bugs.webkit.org/show_bug.cgi?id=187070
1144
1145         Reviewed by Michael Saboff.
1146
1147         * interpreter/Interpreter.cpp:
1148         (JSC::Interpreter::getStackTrace):
1149
1150 2018-06-26  Mark Lam  <mark.lam@apple.com>
1151
1152         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
1153         https://bugs.webkit.org/show_bug.cgi?id=187060
1154         <rdar://problem/41452767>
1155
1156         Reviewed by Keith Miller.
1157
1158         JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
1159         write conversion.  Hence, we can return early after the conversion if the vector
1160         length is already sufficient to cover the requested length.
1161
1162         * runtime/JSObject.cpp:
1163         (JSC::JSObject::ensureLengthSlow):
1164
1165 2018-06-26  Commit Queue  <commit-queue@webkit.org>
1166
1167         Unreviewed, rolling out r233184.
1168         https://bugs.webkit.org/show_bug.cgi?id=187059
1169
1170         "It regressed JetStream between 5-8%" (Requested by saamyjoon
1171         on #webkit).
1172
1173         Reverted changeset:
1174
1175         "JSImmutableButterfly can't be allocated from a subspace with
1176         HeapCell::Kind::Auxiliary"
1177         https://bugs.webkit.org/show_bug.cgi?id=186878
1178         https://trac.webkit.org/changeset/233184
1179
1180 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
1181
1182         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
1183         https://bugs.webkit.org/show_bug.cgi?id=187051
1184
1185         Reviewed by Mark Lam.
1186
1187         Revert r233065 changes over UnlinkedCodeBlock.h to allow
1188         clang-3.8 to be able to compile this back (with libstdc++5).
1189
1190         * bytecode/UnlinkedCodeBlock.h:
1191         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
1192
1193 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
1194
1195         Fix testapi build when DFG_JIT is disabled
1196         https://bugs.webkit.org/show_bug.cgi?id=187038
1197
1198         Reviewed by Mark Lam.
1199
1200         r233158 added a new API and tests for configuring the number of JIT threads, but
1201         the API is only available when DFG_JIT is enabled, and so the tests should be too.
1202
1203         * API/tests/testapi.mm:
1204         (runJITThreadLimitTests):
1205
1206 2018-06-25  Saam Barati  <sbarati@apple.com>
1207
1208         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
1209         https://bugs.webkit.org/show_bug.cgi?id=186878
1210         <rdar://problem/40568659>
1211
1212         Reviewed by Mark Lam.
1213
1214         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
1215         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
1216         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
1217         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
1218         bots is that our conservative marking won't do cell marking for things that
1219         are Auxiliary. This means that if the stack is the only thing pointing to a
1220         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
1221         not be visited. This patch fixes this bug. This patch also extends our conservative
1222         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
1223
1224         * bytecompiler/NodesCodegen.cpp:
1225         (JSC::ArrayNode::emitBytecode):
1226         * heap/HeapUtil.h:
1227         (JSC::HeapUtil::findGCObjectPointersForMarking):
1228         * runtime/JSImmutableButterfly.h:
1229         (JSC::JSImmutableButterfly::subspaceFor):
1230
1231 2018-06-25  Mark Lam  <mark.lam@apple.com>
1232
1233         constructArray() should set m_numValuesInVector to the specified length.
1234         https://bugs.webkit.org/show_bug.cgi?id=187010
1235         <rdar://problem/41392167>
1236
1237         Reviewed by Filip Pizlo.
1238
1239         Its client will fill in the storage vector with some values using initializeIndex()
1240         and expects m_numValuesInVector to be set to the length i.e. the number of values
1241         to be initialized.
1242
1243         * runtime/JSArray.cpp:
1244         (JSC::constructArray):
1245
1246 2018-06-25  Mark Lam  <mark.lam@apple.com>
1247
1248         Add missing exception check in RegExpObjectInlines.h's collectMatches.
1249         https://bugs.webkit.org/show_bug.cgi?id=187006
1250         <rdar://problem/41418412>
1251
1252         Reviewed by Keith Miller.
1253
1254         * runtime/RegExpObjectInlines.h:
1255         (JSC::collectMatches):
1256
1257 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
1258
1259         Add API for configuring the number of threads used by DFG and FTL
1260         https://bugs.webkit.org/show_bug.cgi?id=186859
1261         <rdar://problem/41093519>
1262
1263         Reviewed by Filip Pizlo.
1264
1265         Add new private APIs for limiting the number of threads to be used by
1266         the DFG and FTL compilers. It was already possible to configure the
1267         limit through JSC Options, but now it can be changed at runtime, even
1268         in the case when the VM is already running.
1269
1270         Add a test for both cases: when trying to configure the limit before
1271         and after the Worklist has been created, but in order to simulate the
1272         first scenario, we must guarantee that the test runs at the very
1273         beginning, so I also added a check for that.
1274
1275         * API/JSVirtualMachine.mm:
1276         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
1277         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
1278         * API/JSVirtualMachinePrivate.h:
1279         * API/tests/testapi.mm:
1280         (runJITThreadLimitTests):
1281         (testObjectiveCAPIMain):
1282         * dfg/DFGWorklist.cpp:
1283         (JSC::DFG::Worklist::finishCreation):
1284         (JSC::DFG::Worklist::createNewThread):
1285         (JSC::DFG::Worklist::setNumberOfThreads):
1286         * dfg/DFGWorklist.h:
1287
1288 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1289
1290         [JSC] Remove unnecessary PLATFORM guards
1291         https://bugs.webkit.org/show_bug.cgi?id=186995
1292
1293         Reviewed by Mark Lam.
1294
1295         * assembler/AssemblerCommon.h:
1296         (JSC::isIOS):
1297         Add constexpr.
1298
1299         * inspector/JSGlobalObjectInspectorController.cpp:
1300         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1301         StackFrame works on all platforms. If StackFrame::demangle fails,
1302         it just returns std::nullopt, and that is correctly handled in this code.
1303
1304 2018-06-23  Mark Lam  <mark.lam@apple.com>
1305
1306         Add more debugging features to $vm.
1307         https://bugs.webkit.org/show_bug.cgi?id=186947
1308
1309         Reviewed by Keith Miller.
1310
1311         Adding the following features:
1312
1313             // We now have println in addition to print.
1314             // println automatically adds a '\n' at the end.
1315             $vm.println("Hello");
1316
1317             // We can now capture some info about a stack frame.
1318             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
1319             var callerCallerFrame = $vm.callFrame(2);
1320
1321             // We can inspect the following values associated with the frame:
1322             if (currentFrame.valid) {
1323                 $vm.println("name is ", currentFrame.name);
1324
1325                 // Note: For a WASM frame, all of these will be undefined.
1326                 $vm.println("callee is ", $vm.value(currentFrame.callee));
1327                 $vm.println("codeBlock is ", currentFrame.codeBlock);
1328                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
1329                 $vm.println("executable is ", currentFrame.executable);
1330             }
1331
1332             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
1333             // to dataLog its JSValue instead of its toString() result.
1334
1335             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
1336             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
1337             // toString on a non-object.
1338
1339             // Does what it says about enabling/disabling debugger mode.
1340             $vm.enableDebuggerModeWhenIdle();
1341             $vm.disableDebuggerModeWhenIdle();
1342
1343         * tools/JSDollarVM.cpp:
1344         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
1345         (WTF::JSDollarVMCallFrame::createStructure):
1346         (WTF::JSDollarVMCallFrame::create):
1347         (WTF::JSDollarVMCallFrame::finishCreation):
1348         (WTF::JSDollarVMCallFrame::addProperty):
1349         (JSC::functionCallFrame):
1350         (JSC::functionCodeBlockForFrame):
1351         (JSC::codeBlockFromArg):
1352         (JSC::doPrintln):
1353         (JSC::functionPrint):
1354         (JSC::functionPrintln):
1355         (JSC::changeDebuggerModeWhenIdle):
1356         (JSC::functionEnableDebuggerModeWhenIdle):
1357         (JSC::functionDisableDebuggerModeWhenIdle):
1358         (JSC::JSDollarVM::finishCreation):
1359
1360 2018-06-22  Keith Miller  <keith_miller@apple.com>
1361
1362         We need to have a getDirectConcurrently for use in the compilers
1363         https://bugs.webkit.org/show_bug.cgi?id=186954
1364
1365         Reviewed by Mark Lam.
1366
1367         It used to be that the propertyStorage of an object never shrank,
1368         so if you called getDirect with some offset it would never be an
1369         OOB read. However, this property storage can shrink when calling
1370         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
1371         holds the Structure's ConcurrentJSLock while shrinking. This patch
1372         adds a getDirectConcurrently that will safely try to load from the
1373         butterfly.
1374
1375         * bytecode/ObjectPropertyConditionSet.cpp:
1376         * bytecode/PropertyCondition.cpp:
1377         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1378         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
1379         * dfg/DFGGraph.cpp:
1380         (JSC::DFG::Graph::tryGetConstantProperty):
1381         * runtime/JSObject.h:
1382         (JSC::JSObject::getDirectConcurrently const):
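
The race this entry describes, as an added C++ model that is not JavaScriptCore code: property storage that shrinks under a lock, the old unchecked getDirect-style load at a cached offset, and beside it a getDirectConcurrently-style load that try-locks and re-validates the offset before reading. ObjectLike, ConcurrentLock, LoadResult and the scenario function are stand-ins invented for this example, not JSC's real types.

```cpp
// Added example, not JavaScriptCore code: a model of the hazard in the entry above. Names
// (ObjectLike, ConcurrentLock, LoadResult) are stand-ins for JSC's real types.
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <vector>

using JSValueLike = uint64_t;

// Stand-in for a Structure's ConcurrentJSLock: a spin lock on an atomic flag, so tryLock()
// simply fails (no undefined behaviour) when the calling thread itself holds it.
class ConcurrentLock {
public:
    void lock() { while (m_held.exchange(true, std::memory_order_acquire)) { } }
    void unlock() { m_held.store(false, std::memory_order_release); }
    bool tryLock() { return !m_held.exchange(true, std::memory_order_acquire); }
private:
    std::atomic<bool> m_held { false };
};

struct LoadResult { bool ok; JSValueLike value; }; // ok == false means "could not determine", never a guess

class ObjectLike {
public:
    explicit ObjectLike(size_t capacity) : m_storage(capacity, 0) { }
    // Mutator thread: store a value at a known offset.
    void putDirect(size_t offset, JSValueLike value) { m_storage.at(offset) = value; }

    // Mutator thread: flattening keeps only the live slots and drops the rest, under the
    // lock. This is the moment at which previously valid offsets become out of bounds.
    void flattenDictionaryStructure(size_t liveCount)
    {
        m_lock.lock();
        m_storage.resize(liveCount);
        m_storage.shrink_to_fit();
        m_lock.unlock();
    }

    // The old pattern: a plain load at a cached offset, no lock, no size check. Real code
    // would read past the buffer; this model counts the out-of-bounds access instead.
    JSValueLike getDirect(size_t offset)
    {
        if (offset >= m_storage.size()) {
            ++m_oobReads;
            return 0;
        }
        return m_storage[offset];
    }

    // The fixed pattern for compiler threads: tryLock() so the mutator is never blocked,
    // re-validate the offset against the current size, and report failure instead of guessing.
    LoadResult getDirectConcurrently(size_t offset)
    {
        LoadResult result { false, 0 };
        if (!m_lock.tryLock())
            return result; // the mutator is reshaping the object right now
        if (offset < m_storage.size())
            result = LoadResult { true, m_storage[offset] };
        m_lock.unlock();
        return result;
    }

    ConcurrentLock& lock() { return m_lock; }
    unsigned oobReads() const { return m_oobReads; }
private:
    ConcurrentLock m_lock;
    std::vector<JSValueLike> m_storage;
    unsigned m_oobReads { 0 };
};

struct ScenarioResult {
    LoadResult safeReadBeforeShrink;   // what the compiler saw while the offset was valid
    bool unsafeReadWentOutOfBounds;    // getDirect() at the stale offset after the shrink
    bool safeReadReturnedNothing;      // getDirectConcurrently() at that same stale offset
    bool safeReadBackedOffWhileLocked; // tryLock() fails while the mutator holds the lock
};

// A compiler thread captured offset 5 (say, from a PropertyCondition); the mutator then
// flattened the object down to 2 live properties.
ScenarioResult runStaleOffsetScenario()
{
    ObjectLike object(8);
    for (size_t i = 0; i < 8; ++i)
        object.putDirect(i, 100 + i);
    const size_t cachedOffset = 5;
    ScenarioResult r { };
    r.safeReadBeforeShrink = object.getDirectConcurrently(cachedOffset); // { true, 105 }

    object.flattenDictionaryStructure(2);
    object.getDirect(cachedOffset);
    r.unsafeReadWentOutOfBounds = object.oobReads() == 1;
    r.safeReadReturnedNothing = !object.getDirectConcurrently(cachedOffset).ok;

    object.lock().lock(); // the window in which the mutator holds the lock mid-flatten
    r.safeReadBackedOffWhileLocked = !object.getDirectConcurrently(0).ok;
    object.lock().unlock();
    return r;
}
```

The real getDirectConcurrently reads through the butterfly under the Structure's ConcurrentJSLock rather than a vector; the model keeps only the two properties that matter for safety, never loading without the lock and never trusting a cached offset against the current size.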
1383
1384 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1385
1386         [WTF] Use Ref<> for the result type of non-failing factory functions
1387         https://bugs.webkit.org/show_bug.cgi?id=186920
1388
1389         Reviewed by Darin Adler.
1390
1391         * dfg/DFGWorklist.cpp:
1392         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
1393         (JSC::DFG::Worklist::finishCreation):
1394         * dfg/DFGWorklist.h:
1395         * heap/Heap.cpp:
1396         (JSC::Heap::Thread::Thread):
1397         * heap/Heap.h:
1398         * jit/JITWorklist.cpp:
1399         (JSC::JITWorklist::Thread::Thread):
1400         * jit/JITWorklist.h:
1401         * runtime/VMTraps.cpp:
1402         * runtime/VMTraps.h:
1403         * wasm/WasmWorklist.cpp:
1404         * wasm/WasmWorklist.h:
1405
1406 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1407
1408         [WTF] Add user-defined literal for ASCIILiteral
1409         https://bugs.webkit.org/show_bug.cgi?id=186839
1410
1411         Reviewed by Darin Adler.
1412
1413         * API/JSCallbackObjectFunctions.h:
1414         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1415         (JSC::JSCallbackObject<Parent>::callbackGetter):
1416         * API/JSObjectRef.cpp:
1417         (JSObjectMakeFunctionWithCallback):
1418         * API/JSTypedArray.cpp:
1419         (JSObjectGetArrayBufferBytesPtr):
1420         * API/JSValue.mm:
1421         (valueToArray):
1422         (valueToDictionary):
1423         * API/ObjCCallbackFunction.mm:
1424         (JSC::objCCallbackFunctionCallAsFunction):
1425         (JSC::objCCallbackFunctionCallAsConstructor):
1426         (JSC::ObjCCallbackFunctionImpl::call):
1427         * API/glib/JSCCallbackFunction.cpp:
1428         (JSC::JSCCallbackFunction::call):
1429         (JSC::JSCCallbackFunction::construct):
1430         * API/glib/JSCContext.cpp:
1431         (jscContextJSValueToGValue):
1432         * API/glib/JSCValue.cpp:
1433         (jsc_value_object_define_property_accessor):
1434         (jscValueFunctionCreate):
1435         * builtins/BuiltinUtils.h:
1436         * bytecode/CodeBlock.cpp:
1437         (JSC::CodeBlock::nameForRegister):
1438         * bytecompiler/BytecodeGenerator.cpp:
1439         (JSC::BytecodeGenerator::emitEnumeration):
1440         (JSC::BytecodeGenerator::emitIteratorNext):
1441         (JSC::BytecodeGenerator::emitIteratorClose):
1442         (JSC::BytecodeGenerator::emitDelegateYield):
1443         * bytecompiler/NodesCodegen.cpp:
1444         (JSC::FunctionCallValueNode::emitBytecode):
1445         (JSC::PostfixNode::emitBytecode):
1446         (JSC::PrefixNode::emitBytecode):
1447         (JSC::AssignErrorNode::emitBytecode):
1448         (JSC::ForInNode::emitBytecode):
1449         (JSC::ForOfNode::emitBytecode):
1450         (JSC::ClassExprNode::emitBytecode):
1451         (JSC::ObjectPatternNode::bindValue const):
1452         * dfg/DFGDriver.cpp:
1453         (JSC::DFG::compileImpl):
1454         * dfg/DFGOperations.cpp:
1455         (JSC::DFG::newTypedArrayWithSize):
1456         * dfg/DFGStrengthReductionPhase.cpp:
1457         (JSC::DFG::StrengthReductionPhase::handleNode):
1458         * inspector/ConsoleMessage.cpp:
1459         (Inspector::ConsoleMessage::addToFrontend):
1460         (Inspector::ConsoleMessage::clear):
1461         * inspector/ContentSearchUtilities.cpp:
1462         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
1463         * inspector/InjectedScript.cpp:
1464         (Inspector::InjectedScript::InjectedScript):
1465         (Inspector::InjectedScript::evaluate):
1466         (Inspector::InjectedScript::callFunctionOn):
1467         (Inspector::InjectedScript::evaluateOnCallFrame):
1468         (Inspector::InjectedScript::getFunctionDetails):
1469         (Inspector::InjectedScript::functionDetails):
1470         (Inspector::InjectedScript::getPreview):
1471         (Inspector::InjectedScript::getProperties):
1472         (Inspector::InjectedScript::getDisplayableProperties):
1473         (Inspector::InjectedScript::getInternalProperties):
1474         (Inspector::InjectedScript::getCollectionEntries):
1475         (Inspector::InjectedScript::saveResult):
1476         (Inspector::InjectedScript::wrapCallFrames const):
1477         (Inspector::InjectedScript::wrapObject const):
1478         (Inspector::InjectedScript::wrapJSONString const):
1479         (Inspector::InjectedScript::wrapTable const):
1480         (Inspector::InjectedScript::previewValue const):
1481         (Inspector::InjectedScript::setExceptionValue):
1482         (Inspector::InjectedScript::clearExceptionValue):
1483         (Inspector::InjectedScript::findObjectById const):
1484         (Inspector::InjectedScript::inspectObject):
1485         (Inspector::InjectedScript::releaseObject):
1486         (Inspector::InjectedScript::releaseObjectGroup):
1487         * inspector/InjectedScriptBase.cpp:
1488         (Inspector::InjectedScriptBase::makeEvalCall):
1489         * inspector/InjectedScriptManager.cpp:
1490         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1491         * inspector/InjectedScriptModule.cpp:
1492         (Inspector::InjectedScriptModule::ensureInjected):
1493         * inspector/InspectorBackendDispatcher.cpp:
1494         (Inspector::BackendDispatcher::dispatch):
1495         (Inspector::BackendDispatcher::sendResponse):
1496         (Inspector::BackendDispatcher::sendPendingErrors):
1497         * inspector/JSGlobalObjectConsoleClient.cpp:
1498         (Inspector::JSGlobalObjectConsoleClient::profile):
1499         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
1500         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
1501         * inspector/JSGlobalObjectInspectorController.cpp:
1502         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1503         * inspector/JSInjectedScriptHost.cpp:
1504         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1505         (Inspector::JSInjectedScriptHost::subtype):
1506         (Inspector::JSInjectedScriptHost::getInternalProperties):
1507         * inspector/JSJavaScriptCallFrame.cpp:
1508         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1509         (Inspector::JSJavaScriptCallFrame::type const):
1510         * inspector/ScriptArguments.cpp:
1511         (Inspector::ScriptArguments::getFirstArgumentAsString):
1512         * inspector/ScriptCallStackFactory.cpp:
1513         (Inspector::extractSourceInformationFromException):
1514         * inspector/agents/InspectorAgent.cpp:
1515         (Inspector::InspectorAgent::InspectorAgent):
1516         * inspector/agents/InspectorConsoleAgent.cpp:
1517         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
1518         (Inspector::InspectorConsoleAgent::clearMessages):
1519         (Inspector::InspectorConsoleAgent::count):
1520         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
1521         * inspector/agents/InspectorDebuggerAgent.cpp:
1522         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
1523         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
1524         (Inspector::buildObjectForBreakpointCookie):
1525         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1526         (Inspector::parseLocation):
1527         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1528         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1529         (Inspector::InspectorDebuggerAgent::continueToLocation):
1530         (Inspector::InspectorDebuggerAgent::searchInContent):
1531         (Inspector::InspectorDebuggerAgent::getScriptSource):
1532         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1533         (Inspector::InspectorDebuggerAgent::resume):
1534         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
1535         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1536         (Inspector::InspectorDebuggerAgent::didParseSource):
1537         (Inspector::InspectorDebuggerAgent::assertPaused):
1538         * inspector/agents/InspectorHeapAgent.cpp:
1539         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
1540         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
1541         (Inspector::InspectorHeapAgent::getPreview):
1542         (Inspector::InspectorHeapAgent::getRemoteObject):
1543         * inspector/agents/InspectorRuntimeAgent.cpp:
1544         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
1545         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1546         (Inspector::InspectorRuntimeAgent::getPreview):
1547         (Inspector::InspectorRuntimeAgent::getProperties):
1548         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1549         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1550         (Inspector::InspectorRuntimeAgent::saveResult):
1551         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1552         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1553         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1554         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
1555         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1556         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
1557         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1558         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
1559         * inspector/scripts/codegen/cpp_generator_templates.py:
1560         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1561         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1562         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1563         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1564         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1565         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1566         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1567         (CppProtocolTypesImplementationGenerator):
1568         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1569         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1570         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
1571         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1572         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1573         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1574         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1575         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
1576         * inspector/scripts/codegen/objc_generator_templates.py:
1577         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1578         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1579         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1580         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1581         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1582         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1583         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1584         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1585         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1586         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1587         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1588         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1589         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1590         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1591         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1592         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1593         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1594         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1595         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1596         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1597         * interpreter/CallFrame.cpp:
1598         (JSC::CallFrame::friendlyFunctionName):
1599         * interpreter/Interpreter.cpp:
1600         (JSC::Interpreter::execute):
1601         * interpreter/StackVisitor.cpp:
1602         (JSC::StackVisitor::Frame::functionName const):
1603         (JSC::StackVisitor::Frame::sourceURL const):
1604         * jit/JIT.cpp:
1605         (JSC::JIT::doMainThreadPreparationBeforeCompile):
1606         * jit/JITOperations.cpp:
1607         * jsc.cpp:
1608         (resolvePath):
1609         (GlobalObject::moduleLoaderImportModule):
1610         (GlobalObject::moduleLoaderResolve):
1611         (functionDescribeArray):
1612         (functionRun):
1613         (functionLoad):
1614         (functionCheckSyntax):
1615         (functionDollarEvalScript):
1616         (functionDollarAgentStart):
1617         (functionDollarAgentReceiveBroadcast):
1618         (functionDollarAgentBroadcast):
1619         (functionTransferArrayBuffer):
1620         (functionLoadModule):
1621         (functionSamplingProfilerStackTraces):
1622         (functionAsyncTestStart):
1623         (functionWebAssemblyMemoryMode):
1624         (runWithOptions):
1625         * parser/Lexer.cpp:
1626         (JSC::Lexer<T>::invalidCharacterMessage const):
1627         (JSC::Lexer<T>::parseString):
1628         (JSC::Lexer<T>::parseComplexEscape):
1629         (JSC::Lexer<T>::parseStringSlowCase):
1630         (JSC::Lexer<T>::parseTemplateLiteral):
1631         (JSC::Lexer<T>::lex):
1632         * parser/Parser.cpp:
1633         (JSC::Parser<LexerType>::parseInner):
1634         * parser/Parser.h:
1635         (JSC::Parser::setErrorMessage):
1636         * runtime/AbstractModuleRecord.cpp:
1637         (JSC::AbstractModuleRecord::finishCreation):
1638         * runtime/ArrayBuffer.cpp:
1639         (JSC::errorMesasgeForTransfer):
1640         * runtime/ArrayBufferSharingMode.h:
1641         (JSC::arrayBufferSharingModeName):
1642         * runtime/ArrayConstructor.cpp:
1643         (JSC::constructArrayWithSizeQuirk):
1644         (JSC::isArraySlowInline):
1645         * runtime/ArrayPrototype.cpp:
1646         (JSC::setLength):
1647         (JSC::shift):
1648         (JSC::unshift):
1649         (JSC::arrayProtoFuncPop):
1650         (JSC::arrayProtoFuncReverse):
1651         (JSC::arrayProtoFuncUnShift):
1652         * runtime/AtomicsObject.cpp:
1653         (JSC::atomicsFuncWait):
1654         (JSC::atomicsFuncWake):
1655         * runtime/BigIntConstructor.cpp:
1656         (JSC::BigIntConstructor::finishCreation):
1657         (JSC::toBigInt):
1658         (JSC::callBigIntConstructor):
1659         * runtime/BigIntObject.cpp:
1660         (JSC::BigIntObject::toStringName):
1661         * runtime/BigIntPrototype.cpp:
1662         (JSC::bigIntProtoFuncToString):
1663         (JSC::bigIntProtoFuncValueOf):
1664         * runtime/CommonSlowPaths.cpp:
1665         (JSC::SLOW_PATH_DECL):
1666         * runtime/ConsoleClient.cpp:
1667         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1668         * runtime/ConsoleObject.cpp:
1669         (JSC::valueOrDefaultLabelString):
1670         (JSC::consoleProtoFuncTime):
1671         (JSC::consoleProtoFuncTimeEnd):
1672         * runtime/DatePrototype.cpp:
1673         (JSC::formatLocaleDate):
1674         (JSC::formateDateInstance):
1675         (JSC::DatePrototype::finishCreation):
1676         (JSC::dateProtoFuncToISOString):
1677         (JSC::dateProtoFuncToJSON):
1678         * runtime/Error.cpp:
1679         (JSC::createNotEnoughArgumentsError):
1680         (JSC::throwSyntaxError):
1681         (JSC::createTypeError):
1682         (JSC::createOutOfMemoryError):
1683         * runtime/Error.h:
1684         (JSC::throwVMError):
1685         * runtime/ErrorConstructor.cpp:
1686         (JSC::ErrorConstructor::finishCreation):
1687         * runtime/ErrorInstance.cpp:
1688         (JSC::ErrorInstance::sanitizedToString):
1689         * runtime/ErrorPrototype.cpp:
1690         (JSC::ErrorPrototype::finishCreation):
1691         (JSC::errorProtoFuncToString):
1692         * runtime/ExceptionFuzz.cpp:
1693         (JSC::doExceptionFuzzing):
1694         * runtime/ExceptionHelpers.cpp:
1695         (JSC::TerminatedExecutionError::defaultValue):
1696         (JSC::createStackOverflowError):
1697         (JSC::createNotAConstructorError):
1698         (JSC::createNotAFunctionError):
1699         (JSC::createNotAnObjectError):
1700         * runtime/GetterSetter.cpp:
1701         (JSC::callSetter):
1702         * runtime/IntlCollator.cpp:
1703         (JSC::sortLocaleData):
1704         (JSC::searchLocaleData):
1705         (JSC::IntlCollator::initializeCollator):
1706         (JSC::IntlCollator::compareStrings):
1707         (JSC::IntlCollator::usageString):
1708         (JSC::IntlCollator::sensitivityString):
1709         (JSC::IntlCollator::caseFirstString):
1710         (JSC::IntlCollator::resolvedOptions):
1711         * runtime/IntlCollator.h:
1712         * runtime/IntlCollatorConstructor.cpp:
1713         (JSC::IntlCollatorConstructor::finishCreation):
1714         * runtime/IntlCollatorPrototype.cpp:
1715         (JSC::IntlCollatorPrototypeGetterCompare):
1716         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1717         * runtime/IntlDateTimeFormat.cpp:
1718         (JSC::defaultTimeZone):
1719         (JSC::canonicalizeTimeZoneName):
1720         (JSC::IntlDTFInternal::localeData):
1721         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
1722         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1723         (JSC::IntlDateTimeFormat::weekdayString):
1724         (JSC::IntlDateTimeFormat::eraString):
1725         (JSC::IntlDateTimeFormat::yearString):
1726         (JSC::IntlDateTimeFormat::monthString):
1727         (JSC::IntlDateTimeFormat::dayString):
1728         (JSC::IntlDateTimeFormat::hourString):
1729         (JSC::IntlDateTimeFormat::minuteString):
1730         (JSC::IntlDateTimeFormat::secondString):
1731         (JSC::IntlDateTimeFormat::timeZoneNameString):
1732         (JSC::IntlDateTimeFormat::resolvedOptions):
1733         (JSC::IntlDateTimeFormat::format):
1734         (JSC::IntlDateTimeFormat::partTypeString):
1735         (JSC::IntlDateTimeFormat::formatToParts):
1736         * runtime/IntlDateTimeFormat.h:
1737         * runtime/IntlDateTimeFormatConstructor.cpp:
1738         (JSC::IntlDateTimeFormatConstructor::finishCreation):
1739         * runtime/IntlDateTimeFormatPrototype.cpp:
1740         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1741         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
1742         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1743         * runtime/IntlNumberFormat.cpp:
1744         (JSC::IntlNumberFormat::initializeNumberFormat):
1745         (JSC::IntlNumberFormat::formatNumber):
1746         (JSC::IntlNumberFormat::styleString):
1747         (JSC::IntlNumberFormat::currencyDisplayString):
1748         (JSC::IntlNumberFormat::resolvedOptions):
1749         (JSC::IntlNumberFormat::partTypeString):
1750         (JSC::IntlNumberFormat::formatToParts):
1751         * runtime/IntlNumberFormat.h:
1752         * runtime/IntlNumberFormatConstructor.cpp:
1753         (JSC::IntlNumberFormatConstructor::finishCreation):
1754         * runtime/IntlNumberFormatPrototype.cpp:
1755         (JSC::IntlNumberFormatPrototypeGetterFormat):
1756         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
1757         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1758         * runtime/IntlObject.cpp:
1759         (JSC::grandfatheredLangTag):
1760         (JSC::canonicalizeLocaleList):
1761         (JSC::resolveLocale):
1762         (JSC::supportedLocales):
1763         * runtime/IntlPluralRules.cpp:
1764         (JSC::IntlPluralRules::initializePluralRules):
1765         (JSC::IntlPluralRules::resolvedOptions):
1766         (JSC::IntlPluralRules::select):
1767         * runtime/IntlPluralRulesConstructor.cpp:
1768         (JSC::IntlPluralRulesConstructor::finishCreation):
1769         * runtime/IntlPluralRulesPrototype.cpp:
1770         (JSC::IntlPluralRulesPrototypeFuncSelect):
1771         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
1772         * runtime/IteratorOperations.cpp:
1773         (JSC::iteratorNext):
1774         (JSC::iteratorClose):
1775         (JSC::hasIteratorMethod):
1776         (JSC::iteratorMethod):
1777         * runtime/JSArray.cpp:
1778         (JSC::JSArray::tryCreateUninitializedRestricted):
1779         (JSC::JSArray::defineOwnProperty):
1780         (JSC::JSArray::put):
1781         (JSC::JSArray::setLengthWithArrayStorage):
1782         (JSC::JSArray::appendMemcpy):
1783         (JSC::JSArray::pop):
1784         * runtime/JSArray.h:
1785         * runtime/JSArrayBufferConstructor.cpp:
1786         (JSC::JSArrayBufferConstructor::finishCreation):
1787         * runtime/JSArrayBufferPrototype.cpp:
1788         (JSC::arrayBufferProtoFuncSlice):
1789         (JSC::arrayBufferProtoGetterFuncByteLength):
1790         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
1791         * runtime/JSArrayBufferView.cpp:
1792         (JSC::JSArrayBufferView::toStringName):
1793         * runtime/JSArrayInlines.h:
1794         (JSC::JSArray::pushInline):
1795         * runtime/JSBigInt.cpp:
1796         (JSC::JSBigInt::divide):
1797         (JSC::JSBigInt::remainder):
1798         (JSC::JSBigInt::toNumber const):
1799         * runtime/JSCJSValue.cpp:
1800         (JSC::JSValue::putToPrimitive):
1801         (JSC::JSValue::putToPrimitiveByIndex):
1802         (JSC::JSValue::toStringSlowCase const):
1803         * runtime/JSCJSValueInlines.h:
1804         (JSC::toPreferredPrimitiveType):
1805         * runtime/JSDataView.cpp:
1806         (JSC::JSDataView::create):
1807         (JSC::JSDataView::put):
1808         (JSC::JSDataView::defineOwnProperty):
1809         * runtime/JSDataViewPrototype.cpp:
1810         (JSC::getData):
1811         (JSC::setData):
1812         * runtime/JSFunction.cpp:
1813         (JSC::JSFunction::callerGetter):
1814         (JSC::JSFunction::put):
1815         (JSC::JSFunction::defineOwnProperty):
1816         * runtime/JSGenericTypedArrayView.h:
1817         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1818         (JSC::constructGenericTypedArrayViewWithArguments):
1819         (JSC::constructGenericTypedArrayView):
1820         * runtime/JSGenericTypedArrayViewInlines.h:
1821         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1822         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1823         (JSC::speciesConstruct):
1824         (JSC::genericTypedArrayViewProtoFuncSet):
1825         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1826         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1827         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1828         * runtime/JSGlobalObject.cpp:
1829         (JSC::JSGlobalObject::init):
1830         * runtime/JSGlobalObjectDebuggable.cpp:
1831         (JSC::JSGlobalObjectDebuggable::name const):
1832         * runtime/JSGlobalObjectFunctions.cpp:
1833         (JSC::encode):
1834         (JSC::decode):
1835         (JSC::globalFuncProtoSetter):
1836         * runtime/JSGlobalObjectFunctions.h:
1837         * runtime/JSMap.cpp:
1838         (JSC::JSMap::toStringName):
1839         * runtime/JSModuleEnvironment.cpp:
1840         (JSC::JSModuleEnvironment::put):
1841         * runtime/JSModuleNamespaceObject.cpp:
1842         (JSC::JSModuleNamespaceObject::put):
1843         (JSC::JSModuleNamespaceObject::putByIndex):
1844         (JSC::JSModuleNamespaceObject::defineOwnProperty):
1845         * runtime/JSONObject.cpp:
1846         (JSC::Stringifier::appendStringifiedValue):
1847         (JSC::JSONProtoFuncParse):
1848         (JSC::JSONProtoFuncStringify):
1849         * runtime/JSObject.cpp:
1850         (JSC::getClassPropertyNames):
1851         (JSC::JSObject::calculatedClassName):
1852         (JSC::ordinarySetSlow):
1853         (JSC::JSObject::putInlineSlow):
1854         (JSC::JSObject::setPrototypeWithCycleCheck):
1855         (JSC::callToPrimitiveFunction):
1856         (JSC::JSObject::ordinaryToPrimitive const):
1857         (JSC::JSObject::defaultHasInstance):
1858         (JSC::JSObject::defineOwnIndexedProperty):
1859         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1860         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1861         (JSC::validateAndApplyPropertyDescriptor):
1862         * runtime/JSObject.h:
1863         * runtime/JSObjectInlines.h:
1864         (JSC::JSObject::putInlineForJSObject):
1865         * runtime/JSPromiseConstructor.cpp:
1866         (JSC::JSPromiseConstructor::finishCreation):
1867         * runtime/JSSet.cpp:
1868         (JSC::JSSet::toStringName):
1869         * runtime/JSSymbolTableObject.h:
1870         (JSC::symbolTablePut):
1871         * runtime/JSTypedArrayViewConstructor.cpp:
1872         (JSC::constructTypedArrayView):
1873         * runtime/JSTypedArrayViewPrototype.cpp:
1874         (JSC::typedArrayViewPrivateFuncLength):
1875         (JSC::typedArrayViewProtoFuncSet):
1876         (JSC::typedArrayViewProtoFuncCopyWithin):
1877         (JSC::typedArrayViewProtoFuncLastIndexOf):
1878         (JSC::typedArrayViewProtoFuncIndexOf):
1879         (JSC::typedArrayViewProtoFuncJoin):
1880         (JSC::typedArrayViewProtoGetterFuncBuffer):
1881         (JSC::typedArrayViewProtoGetterFuncLength):
1882         (JSC::typedArrayViewProtoGetterFuncByteLength):
1883         (JSC::typedArrayViewProtoGetterFuncByteOffset):
1884         (JSC::typedArrayViewProtoFuncReverse):
1885         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
1886         (JSC::typedArrayViewProtoFuncSlice):
1887         (JSC::JSTypedArrayViewPrototype::finishCreation):
1888         * runtime/JSWeakMap.cpp:
1889         (JSC::JSWeakMap::toStringName):
1890         * runtime/JSWeakSet.cpp:
1891         (JSC::JSWeakSet::toStringName):
1892         * runtime/LiteralParser.cpp:
1893         (JSC::LiteralParser<CharType>::Lexer::lex):
1894         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
1895         (JSC::LiteralParser<CharType>::Lexer::lexNumber):
1896         (JSC::LiteralParser<CharType>::parse):
1897         * runtime/LiteralParser.h:
1898         (JSC::LiteralParser::getErrorMessage):
1899         * runtime/Lookup.cpp:
1900         (JSC::reifyStaticAccessor):
1901         * runtime/Lookup.h:
1902         (JSC::putEntry):
1903         * runtime/MapPrototype.cpp:
1904         (JSC::getMap):
1905         * runtime/NullSetterFunction.cpp:
1906         (JSC::NullSetterFunctionInternal::callReturnUndefined):
1907         * runtime/NumberPrototype.cpp:
1908         (JSC::numberProtoFuncToExponential):
1909         (JSC::numberProtoFuncToFixed):
1910         (JSC::numberProtoFuncToPrecision):
1911         (JSC::extractToStringRadixArgument):
1912         * runtime/ObjectConstructor.cpp:
1913         (JSC::objectConstructorSetPrototypeOf):
1914         (JSC::objectConstructorAssign):
1915         (JSC::objectConstructorValues):
1916         (JSC::toPropertyDescriptor):
1917         (JSC::objectConstructorDefineProperty):
1918         (JSC::objectConstructorDefineProperties):
1919         (JSC::objectConstructorCreate):
1920         (JSC::objectConstructorSeal):
1921         (JSC::objectConstructorFreeze):
1922         * runtime/ObjectPrototype.cpp:
1923         (JSC::objectProtoFuncDefineGetter):
1924         (JSC::objectProtoFuncDefineSetter):
1925         * runtime/Operations.cpp:
1926         (JSC::jsAddSlowCase):
1927         * runtime/Operations.h:
1928         (JSC::jsSub):
1929         (JSC::jsMul):
1930         * runtime/ProgramExecutable.cpp:
1931         (JSC::ProgramExecutable::initializeGlobalProperties):
1932         * runtime/ProxyConstructor.cpp:
1933         (JSC::makeRevocableProxy):
1934         (JSC::proxyRevocableConstructorThrowError):
1935         (JSC::ProxyConstructor::finishCreation):
1936         (JSC::constructProxyObject):
1937         * runtime/ProxyObject.cpp:
1938         (JSC::ProxyObject::toStringName):
1939         (JSC::ProxyObject::finishCreation):
1940         (JSC::performProxyGet):
1941         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1942         (JSC::ProxyObject::performHasProperty):
1943         (JSC::ProxyObject::performPut):
1944         (JSC::performProxyCall):
1945         (JSC::performProxyConstruct):
1946         (JSC::ProxyObject::performDelete):
1947         (JSC::ProxyObject::performPreventExtensions):
1948         (JSC::ProxyObject::performIsExtensible):
1949         (JSC::ProxyObject::performDefineOwnProperty):
1950         (JSC::ProxyObject::performGetOwnPropertyNames):
1951         (JSC::ProxyObject::performSetPrototype):
1952         (JSC::ProxyObject::performGetPrototype):
1953         * runtime/ReflectObject.cpp:
1954         (JSC::reflectObjectConstruct):
1955         (JSC::reflectObjectDefineProperty):
1956         (JSC::reflectObjectGet):
1957         (JSC::reflectObjectGetOwnPropertyDescriptor):
1958         (JSC::reflectObjectGetPrototypeOf):
1959         (JSC::reflectObjectIsExtensible):
1960         (JSC::reflectObjectOwnKeys):
1961         (JSC::reflectObjectPreventExtensions):
1962         (JSC::reflectObjectSet):
1963         (JSC::reflectObjectSetPrototypeOf):
1964         * runtime/RegExpConstructor.cpp:
1965         (JSC::RegExpConstructor::finishCreation):
1966         (JSC::toFlags):
1967         * runtime/RegExpObject.cpp:
1968         (JSC::RegExpObject::defineOwnProperty):
1969         * runtime/RegExpObject.h:
1970         * runtime/RegExpPrototype.cpp:
1971         (JSC::regExpProtoFuncCompile):
1972         (JSC::regExpProtoGetterGlobal):
1973         (JSC::regExpProtoGetterIgnoreCase):
1974         (JSC::regExpProtoGetterMultiline):
1975         (JSC::regExpProtoGetterDotAll):
1976         (JSC::regExpProtoGetterSticky):
1977         (JSC::regExpProtoGetterUnicode):
1978         (JSC::regExpProtoGetterFlags):
1979         (JSC::regExpProtoGetterSourceInternal):
1980         (JSC::regExpProtoGetterSource):
1981         * runtime/RuntimeType.cpp:
1982         (JSC::runtimeTypeAsString):
1983         * runtime/SamplingProfiler.cpp:
1984         (JSC::SamplingProfiler::StackFrame::displayName):
1985         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
1986         * runtime/ScriptExecutable.cpp:
1987         (JSC::ScriptExecutable::prepareForExecutionImpl):
1988         * runtime/SetPrototype.cpp:
1989         (JSC::getSet):
1990         * runtime/SparseArrayValueMap.cpp:
1991         (JSC::SparseArrayValueMap::putEntry):
1992         (JSC::SparseArrayValueMap::putDirect):
1993         (JSC::SparseArrayEntry::put):
1994         * runtime/StackFrame.cpp:
1995         (JSC::StackFrame::sourceURL const):
1996         (JSC::StackFrame::functionName const):
1997         * runtime/StringConstructor.cpp:
1998         (JSC::stringFromCodePoint):
1999         * runtime/StringObject.cpp:
2000         (JSC::StringObject::put):
2001         (JSC::StringObject::putByIndex):
2002         * runtime/StringPrototype.cpp:
2003         (JSC::StringPrototype::finishCreation):
2004         (JSC::toLocaleCase):
2005         (JSC::stringProtoFuncNormalize):
2006         * runtime/Symbol.cpp:
2007         (JSC::Symbol::toNumber const):
2008         * runtime/SymbolConstructor.cpp:
2009         (JSC::symbolConstructorKeyFor):
2010         * runtime/SymbolObject.cpp:
2011         (JSC::SymbolObject::toStringName):
2012         * runtime/SymbolPrototype.cpp:
2013         (JSC::SymbolPrototype::finishCreation):
2014         * runtime/TypeSet.cpp:
2015         (JSC::TypeSet::dumpTypes const):
2016         (JSC::TypeSet::displayName const):
2017         (JSC::StructureShape::leastCommonAncestor):
2018         * runtime/TypeSet.h:
2019         (JSC::StructureShape::setConstructorName):
2020         * runtime/VM.cpp:
2021         (JSC::VM::dumpTypeProfilerData):
2022         * runtime/WeakMapPrototype.cpp:
2023         (JSC::getWeakMap):
2024         (JSC::protoFuncWeakMapSet):
2025         * runtime/WeakSetPrototype.cpp:
2026         (JSC::getWeakSet):
2027         (JSC::protoFuncWeakSetAdd):
2028         * tools/JSDollarVM.cpp:
2029         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2030         (WTF::DOMJITGetterComplex::customGetter):
2031         (JSC::functionSetImpureGetterDelegate):
2032         (JSC::functionCreateElement):
2033         (JSC::functionGetHiddenValue):
2034         (JSC::functionSetHiddenValue):
2035         (JSC::functionFindTypeForExpression):
2036         (JSC::functionReturnTypeFor):
2037         (JSC::functionLoadGetterFromGetterSetter):
2038         * wasm/WasmB3IRGenerator.cpp:
2039         (JSC::Wasm::B3IRGenerator::fail const):
2040         * wasm/WasmIndexOrName.cpp:
2041         (JSC::Wasm::makeString):
2042         * wasm/WasmParser.h:
2043         (JSC::Wasm::FailureHelper::makeString):
2044         (JSC::Wasm::Parser::fail const):
2045         * wasm/WasmPlan.cpp:
2046         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
2047         * wasm/WasmValidate.cpp:
2048         (JSC::Wasm::Validate::fail const):
2049         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2050         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2051         * wasm/js/JSWebAssemblyHelpers.h:
2052         (JSC::toNonWrappingUint32):
2053         (JSC::getWasmBufferFromValue):
2054         * wasm/js/JSWebAssemblyInstance.cpp:
2055         (JSC::JSWebAssemblyInstance::create):
2056         * wasm/js/JSWebAssemblyMemory.cpp:
2057         (JSC::JSWebAssemblyMemory::grow):
2058         * wasm/js/WasmToJS.cpp:
2059         (JSC::Wasm::handleBadI64Use):
2060         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2061         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
2062         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2063         (JSC::constructJSWebAssemblyInstance):
2064         (JSC::WebAssemblyInstanceConstructor::finishCreation):
2065         * wasm/js/WebAssemblyInstancePrototype.cpp:
2066         (JSC::getInstance):
2067         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2068         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
2069         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2070         (JSC::constructJSWebAssemblyMemory):
2071         (JSC::WebAssemblyMemoryConstructor::finishCreation):
2072         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2073         (JSC::getMemory):
2074         * wasm/js/WebAssemblyModuleConstructor.cpp:
2075         (JSC::webAssemblyModuleCustomSections):
2076         (JSC::webAssemblyModuleImports):
2077         (JSC::webAssemblyModuleExports):
2078         (JSC::WebAssemblyModuleConstructor::finishCreation):
2079         * wasm/js/WebAssemblyModuleRecord.cpp:
2080         (JSC::WebAssemblyModuleRecord::link):
2081         (JSC::dataSegmentFail):
2082         (JSC::WebAssemblyModuleRecord::evaluate):
2083         * wasm/js/WebAssemblyPrototype.cpp:
2084         (JSC::resolve):
2085         (JSC::webAssemblyInstantiateFunc):
2086         (JSC::webAssemblyInstantiateStreamingInternal):
2087         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2088         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
2089         * wasm/js/WebAssemblyTableConstructor.cpp:
2090         (JSC::constructJSWebAssemblyTable):
2091         (JSC::WebAssemblyTableConstructor::finishCreation):
2092         * wasm/js/WebAssemblyTablePrototype.cpp:
2093         (JSC::getTable):
2094         (JSC::webAssemblyTableProtoFuncGrow):
2095         (JSC::webAssemblyTableProtoFuncGet):
2096         (JSC::webAssemblyTableProtoFuncSet):
2097
2098 2018-06-22  Keith Miller  <keith_miller@apple.com>
2099
2100         unshift should zero unused property storage
2101         https://bugs.webkit.org/show_bug.cgi?id=186960
2102
2103         Reviewed by Saam Barati.
2104
2105         Also, this patch adds the zeroed unused property storage assertion
2106         to one more place it was missing.
2107
2108         * runtime/JSArray.cpp:
2109         (JSC::JSArray::unshiftCountSlowCase):
2110         * runtime/JSObjectInlines.h:
2111         (JSC::JSObject::putDirectInternal):
2112
2113 2018-06-22  Mark Lam  <mark.lam@apple.com>
2114
2115         PropertyCondition::isValidValueForAttributes() should also consider deleted values.
2116         https://bugs.webkit.org/show_bug.cgi?id=186943
2117         <rdar://problem/41370337>
2118
2119         Reviewed by Saam Barati.
2120
2121         PropertyCondition::isValidValueForAttributes() should check if the passed in value
2122         is a deleted one before it does a jsDynamicCast on it.
2123
2124         * bytecode/PropertyCondition.cpp:
2125         (JSC::PropertyCondition::isValidValueForAttributes):
2126         * runtime/JSCJSValueInlines.h:
2127         - removed an unnecessary #if.
2128
2129 2018-06-22  Keith Miller  <keith_miller@apple.com>
2130
2131         performProxyCall should toThis the value passed to its handler
2132         https://bugs.webkit.org/show_bug.cgi?id=186951
2133
2134         Reviewed by Mark Lam.
2135
2136         * runtime/ProxyObject.cpp:
2137         (JSC::performProxyCall):
2138
2139 2018-06-22  Saam Barati  <sbarati@apple.com>
2140
2141         ensureWritableX should only convert away from CoW when it will succeed
2142         https://bugs.webkit.org/show_bug.cgi?id=186898
2143
2144         Reviewed by Keith Miller.
2145
2146         Otherwise, when we OSR exit, we'll end up profiling the array after
2147         it has been converted away from CoW. It's better for the ArrayProfile
2148         to see the array as it's still in CoW mode.
2149         
2150         This patch also renames ensureWritableX to tryMakeWritableX since these
2151         were never really "ensure" operations -- they may fail and return null.
2152
2153         * dfg/DFGOperations.cpp:
2154         * runtime/JSObject.cpp:
2155         (JSC::JSObject::tryMakeWritableInt32Slow):
2156         (JSC::JSObject::tryMakeWritableDoubleSlow):
2157         (JSC::JSObject::tryMakeWritableContiguousSlow):
2158         (JSC::JSObject::ensureWritableInt32Slow): Deleted.
2159         (JSC::JSObject::ensureWritableDoubleSlow): Deleted.
2160         (JSC::JSObject::ensureWritableContiguousSlow): Deleted.
2161         * runtime/JSObject.h:
2162         (JSC::JSObject::tryMakeWritableInt32):
2163         (JSC::JSObject::tryMakeWritableDouble):
2164         (JSC::JSObject::tryMakeWritableContiguous):
2165         (JSC::JSObject::ensureWritableInt32): Deleted.
2166         (JSC::JSObject::ensureWritableDouble): Deleted.
2167         (JSC::JSObject::ensureWritableContiguous): Deleted.
2168
2169 2018-06-22  Keith Miller  <keith_miller@apple.com>
2170
2171         We should call visitChildren on Base not the exact typename
2172         https://bugs.webkit.org/show_bug.cgi?id=186928
2173
2174         Reviewed by Mark Lam.
2175
2176         A lot of places were not properly calling visitChildren on their
2177         superclass. For most of them it didn't matter because they had
2178         immortal structures. If code changed in the future this might
2179         break things however.
2180
2181         Also, block off more of the MethodTable for GetterSetter objects.
2182
2183         * bytecode/CodeBlock.cpp:
2184         (JSC::CodeBlock::visitChildren):
2185         * bytecode/ExecutableToCodeBlockEdge.cpp:
2186         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2187         * debugger/DebuggerScope.cpp:
2188         (JSC::DebuggerScope::visitChildren):
2189         * runtime/EvalExecutable.cpp:
2190         (JSC::EvalExecutable::visitChildren):
2191         * runtime/FunctionExecutable.cpp:
2192         (JSC::FunctionExecutable::visitChildren):
2193         * runtime/FunctionRareData.cpp:
2194         (JSC::FunctionRareData::visitChildren):
2195         * runtime/GenericArgumentsInlines.h:
2196         (JSC::GenericArguments<Type>::visitChildren):
2197         * runtime/GetterSetter.cpp:
2198         (JSC::GetterSetter::visitChildren):
2199         * runtime/GetterSetter.h:
2200         * runtime/InferredType.cpp:
2201         (JSC::InferredType::visitChildren):
2202         * runtime/InferredTypeTable.cpp:
2203         (JSC::InferredTypeTable::visitChildren):
2204         * runtime/InferredValue.cpp:
2205         (JSC::InferredValue::visitChildren):
2206         * runtime/JSArrayBufferView.cpp:
2207         (JSC::JSArrayBufferView::visitChildren):
2208         * runtime/JSGenericTypedArrayViewInlines.h:
2209         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2210         * runtime/ModuleProgramExecutable.cpp:
2211         (JSC::ModuleProgramExecutable::visitChildren):
2212         * runtime/ProgramExecutable.cpp:
2213         (JSC::ProgramExecutable::visitChildren):
2214         * runtime/ScopedArguments.cpp:
2215         (JSC::ScopedArguments::visitChildren):
2216         * runtime/ScopedArguments.h:
2217         * runtime/Structure.cpp:
2218         (JSC::Structure::visitChildren):
2219         * runtime/StructureRareData.cpp:
2220         (JSC::StructureRareData::visitChildren):
2221         * runtime/SymbolTable.cpp:
2222         (JSC::SymbolTable::visitChildren):
2223
2224 2018-06-20  Darin Adler  <darin@apple.com>
2225
2226         [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity
2227         https://bugs.webkit.org/show_bug.cgi?id=186875
2228
2229         Reviewed by Anders Carlsson.
2230
2231         * API/tests/testapi.mm:
2232         (testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file.
2233
2234 2018-06-22  Carlos Garcia Campos  <cgarcia@igalia.com>
2235
2236         [GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message
2237         https://bugs.webkit.org/show_bug.cgi?id=186915
2238
2239         Reviewed by Žan Doberšek.
2240
2241         Update StartAutomationSession message handling to receive a dictionary of session capabilities.
2242
2243         * inspector/remote/glib/RemoteInspectorServer.cpp:
2244         (Inspector::processSessionCapabilities): Helper method to process the session capabilities.
2245
2246 2018-06-21  Mark Lam  <mark.lam@apple.com>
2247
2248         WebKit (JavaScriptCore) compilation error with Clang ≥ 6.
2249         https://bugs.webkit.org/show_bug.cgi?id=185947
2250         <rdar://problem/40131933>
2251
2252         Reviewed by Saam Barati.
2253
2254         Newer Clang versions (due to C++17 support) are not happy with how I implemented
2255         conversions between CodeLocation types.  We'll fix this by adding a conversion
2256         operator for converting between CodeLocation types.
2257
2258         * assembler/CodeLocation.h:
2259         (JSC::CodeLocationCommon::operator T):
2260
2261 2018-06-21  Saam Barati  <sbarati@apple.com>
2262
2263         Do some CoW cleanup
2264         https://bugs.webkit.org/show_bug.cgi?id=186896
2265
2266         Reviewed by Mark Lam.
2267
2268         * bytecode/UnlinkedCodeBlock.h:
2269         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
2270         We don't need to WTFMove() ints
2271
2272         * dfg/DFGByteCodeParser.cpp:
2273         (JSC::DFG::ByteCodeParser::parseBlock):
2274         remove a TODO.
2275
2276         * runtime/JSObject.cpp:
2277         (JSC::JSObject::putByIndex):
2278         We were checking for isCopyOnWrite even after we converted away
2279         from CoW in above code.
2280         (JSC::JSObject::ensureWritableInt32Slow):
2281         Model this in the same way the other ensureWritableXSlow are modeled.
2282
2283 2018-06-20  Keith Miller  <keith_miller@apple.com>
2284
2285         flattenDictionaryStructure needs to zero inline storage.
2286         https://bugs.webkit.org/show_bug.cgi?id=186869
2287
2288         Reviewed by Saam Barati.
2289
2290         This patch also adds the assertion that unused property storage is
2291         zero or JSValue() to putDirectInternal. Additionally, functions
2292         have been added to $vm that flatten dictionary objects and return
2293         the inline capacity of an object.
2294
2295         * runtime/JSObjectInlines.h:
2296         (JSC::JSObject::putDirectInternal):
2297         * runtime/Structure.cpp:
2298         (JSC::Structure::flattenDictionaryStructure):
2299         * tools/JSDollarVM.cpp:
2300         (JSC::functionInlineCapacity):
2301         (JSC::functionFlattenDictionaryObject):
2302         (JSC::JSDollarVM::finishCreation):
2303
2304 2018-06-21  Mark Lam  <mark.lam@apple.com>
2305
2306         Use IsoCellSets to track Executables with clearable code.
2307         https://bugs.webkit.org/show_bug.cgi?id=186877
2308
2309         Reviewed by Filip Pizlo.
2310
2311         Here’s an example of the results that this fix may yield: 
2312         1. The workload: load cnn.com, wait for it to fully load, scroll down and up.
2313         2. Statistics on memory touched and memory freed by VM::deleteAllCode():
2314
2315            Visiting Executables:
2316                                                         Old             New
2317            Number of objects visited:                   70897           14264
2318            Number of objects with deletable code:       14264 (20.1%)   14264 (100%)
2319            Number of memory pages visited:              3224            1602
2320            Number of memory pages with deletable code:  1602 (49.7%)    1602 (100%)
2321
2322            Visiting UnlinkedFunctionExecutables:
2323                                                         Old             New
2324            Number of objects visited:                   105454          17231
2325            Number of objects with deletable code:       42319 (20.1%)   17231 (100%) **
2326            Number of memory pages visited:              4796            1349
2327            Number of memory pages with deletable code:  4013 (83.7%)    1349 (100%)
2328
2329         ** The number of objects differs because the old code only visited unlinked
2330            executables indirectly via linked executables, whereas the new behavior visits
2331            all unlinked executables with deletable code directly.  This means:
2332
2333            a. we used to not visit unlinked executables that have not been linked yet
2334               i.e. deleteAllCode() may not delete all code (especially code that is not
2335               used).
2336            b. we had to visit all linked executables to check if they are of type
2337               FunctionExecutable, before going on to visit their unlinked executable, and
2338               this includes the ones that do not have deletable code.  This means that we
2339               would touch more memory in the process.
2340
2341            Both of these issues are now fixed with the new code.
2342
2343         This code was tested with manually inserted instrumentation to track the above
2344         statistics.  It is not feasible to write an automated test for this without
2345         leaving a lot of invasive instrumentation in the code.
2346
2347         * bytecode/UnlinkedFunctionExecutable.cpp:
2348         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2349         * bytecode/UnlinkedFunctionExecutable.h:
2350         * heap/CodeBlockSetInlines.h:
2351         (JSC::CodeBlockSet::iterateViaSubspaces):
2352         * heap/Heap.cpp:
2353         (JSC::Heap::deleteAllCodeBlocks):
2354         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2355         (JSC::Heap::deleteUnmarkedCompiledCode):
2356         (JSC::Heap::clearUnmarkedExecutables): Deleted.
2357         (JSC::Heap::addExecutable): Deleted.
2358         * heap/Heap.h:
2359         * runtime/DirectEvalExecutable.h:
2360
2361         * runtime/ExecutableBase.cpp:
2362         (JSC::ExecutableBase::hasClearableCode const):
2363         - this is written based on the implementation of ExecutableBase::clearCode().
2364
2365         * runtime/ExecutableBase.h:
2366         * runtime/FunctionExecutable.h:
2367         * runtime/IndirectEvalExecutable.h:
2368         * runtime/ModuleProgramExecutable.h:
2369         * runtime/ProgramExecutable.h:
2370         * runtime/ScriptExecutable.cpp:
2371         (JSC::ScriptExecutable::clearCode):
2372         (JSC::ScriptExecutable::installCode):
2373         * runtime/ScriptExecutable.h:
2374         (JSC::ScriptExecutable::finishCreation):
2375         * runtime/VM.cpp:
2376         (JSC::VM::VM):
2377         * runtime/VM.h:
2378         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
2379         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
2380         (JSC::VM::forEachScriptExecutableSpace):
2381         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet):
2382         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor):
2383
2384 2018-06-21  Zan Dobersek  <zdobersek@igalia.com>
2385
2386         [GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions
2387         https://bugs.webkit.org/show_bug.cgi?id=186884
2388
2389         Reviewed by Carlos Garcia Campos.
2390
2391         Add a tuple array input parameter to the StartAutomationSession DBus
2392         message, representing a list of host-and-certificate pairs that have to
2393         be allowed for a given session. This array is then unpacked and used to
2394         fill out the certificates Vector object in the SessionCapabilities
2395         struct.
2396
2397         * inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of
2398         String pairs representing hosts and the certificate file paths.
2399         * inspector/remote/glib/RemoteInspectorServer.cpp:
2400
2401 2018-06-20  Keith Miller  <keith_miller@apple.com>
2402
2403         Expand concurrent GC assertion to accept JSValue() or 0
2404         https://bugs.webkit.org/show_bug.cgi?id=186855
2405
2406         Reviewed by Mark Lam.
2407
2408         We tend to set unused property slots to either JSValue() or 0
2409         depending on the context. On 64-bit these are the same but on
2410         32-bit JSValue() has a NaN tag. This patch makes it so we
2411         accept either JSValue() or 0.
2412
2413         * runtime/JSObjectInlines.h:
2414         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2415
2416 2018-06-20  Guillaume Emont  <guijemont@igalia.com>
2417
2418         [Armv7] Linkbuffer: executableOffsetFor() fails for location 2
2419         https://bugs.webkit.org/show_bug.cgi?id=186765
2420
2421         Reviewed by Michael Saboff.
2422
2423         This widens the check for 0 so that we handle that case more correctly.
2424
2425         * assembler/LinkBuffer.h:
2426         (JSC::LinkBuffer::executableOffsetFor):
2427
2428 2018-06-19  Keith Miller  <keith_miller@apple.com>
2429
2430         Fix broken assertion on 32-bit
2431         https://bugs.webkit.org/show_bug.cgi?id=186830
2432
2433         Reviewed by Mark Lam.
2434
2435         The assertion was intended to catch concurrent GC issues. We don't
2436         run them on 32-bit so we don't need this assertion there. The
2437         assertion was broken because zero is not JSValue() on 32-bit.
2438
2439         * runtime/JSObjectInlines.h:
2440         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2441
2442 2018-06-19  Keith Miller  <keith_miller@apple.com>
2443
2444         flattenDictionaryStructure needs to zero properties that have been compressed away
2445         https://bugs.webkit.org/show_bug.cgi?id=186828
2446
2447         Reviewed by Mark Lam.
2448
2449         This patch fixes a bunch of crashing Mozilla tests on the bots.
2450
2451         * runtime/Structure.cpp:
2452         (JSC::Structure::flattenDictionaryStructure):
2453
2454 2018-06-19  Saam Barati  <sbarati@apple.com>
2455
2456         DirectArguments::create needs to initialize to undefined instead of the empty value
2457         https://bugs.webkit.org/show_bug.cgi?id=186818
2458         <rdar://problem/38415177>
2459
2460         Reviewed by Filip Pizlo.
2461
2462         The bug here is that we will emit code that just loads from DirectArguments as
2463         long as the index is within the known capacity of the arguments object (op_get_from_arguments).
2464         The arguments object has at least enough capacity to hold the declared parameters.
2465         When we materialized this object in OSR exit, we initialized up to the capacity
2466         with JSValue(). In OSR exit, though, we only filled up to the length of the
2467         object with actual values. So we'd end up with a DirectArguments object with
2468         capacity minus length slots of JSValue(). To fix this, we need to initialize up to
2469         capacity with jsUndefined during construction. The invariant of this object is
2470         that the capacity minus length slots at the end are filled in with jsUndefined.
2471
2472         * runtime/DirectArguments.cpp:
2473         (JSC::DirectArguments::create):
2474
2475 2018-06-19  Michael Saboff  <msaboff@apple.com>
2476
2477         Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
2478         https://bugs.webkit.org/show_bug.cgi?id=186827
2479
2480         Reviewed by Saam Barati.
2481
2482         Need to set VM::lastStackTop before any possible calls to sanitizeStack().
2483
2484         * runtime/JSLock.cpp:
2485         (JSC::JSLock::didAcquireLock):
2486
2487 2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>
2488
2489         ShadowChicken crashes with stack overflow in the LLInt
2490         https://bugs.webkit.org/show_bug.cgi?id=186540
2491         <rdar://problem/39682133>
2492
2493         Reviewed by Saam Barati.
2494
2495         Stack overflows in the LLInt were crashing in ShadowChicken when compiling
2496         with debug opcodes because it was accessing the scope of the incomplete top
2497         frame, which hadn't been set yet. Check that we have moved past the first
2498         opcode (enter) and that the scope is not undefined (enter will
2499         initialize it to undefined).
2500
2501         * interpreter/ShadowChicken.cpp:
2502         (JSC::ShadowChicken::update):
2503
2504 2018-06-19  Keith Miller  <keith_miller@apple.com>
2505
2506         constructArray variants should take the slow path for subclasses of Array
2507         https://bugs.webkit.org/show_bug.cgi?id=186812
2508
2509         Reviewed by Saam Barati and Mark Lam.
2510
2511         This patch fixes a crashing test in ObjectInitializationScope where we would
2512         allocate a new structure for an indexing type change while initializing
2513         a subclass of Array. Since the new array hasn't been fully initialized
2514         if the GC ran it would see garbage and we might crash.
2515
2516         * runtime/JSArray.cpp:
2517         (JSC::constructArray):
2518         (JSC::constructArrayNegativeIndexed):
2519         * runtime/JSArray.h:
2520         (JSC::constructArray): Deleted.
2521         (JSC::constructArrayNegativeIndexed): Deleted.
2522
2523 2018-06-19  Saam Barati  <sbarati@apple.com>
2524
2525         Wasm: Any function argument of type Void should be a validation error
2526         https://bugs.webkit.org/show_bug.cgi?id=186794
2527         <rdar://problem/41140257>
2528
2529         Reviewed by Keith Miller.
2530
2531         * wasm/WasmModuleParser.cpp:
2532         (JSC::Wasm::ModuleParser::parseType):
2533
2534 2018-06-18  Keith Miller  <keith_miller@apple.com>
2535
2536         JSImmutableButterfly should assert m_header is adjacent to the data
2537         https://bugs.webkit.org/show_bug.cgi?id=186795
2538
2539         Reviewed by Saam Barati.
2540
2541         * runtime/JSImmutableButterfly.cpp:
2542         * runtime/JSImmutableButterfly.h:
2543
2544 2018-06-18  Keith Miller  <keith_miller@apple.com>
2545
2546         Unreviewed, fix the build...
2547
2548         * runtime/JSArray.cpp:
2549         (JSC::JSArray::tryCreateUninitializedRestricted):
2550
2551 2018-06-18  Keith Miller  <keith_miller@apple.com>
2552
2553         Unreviewed, remove bad assertion.
2554
2555         * runtime/JSArray.cpp:
2556         (JSC::JSArray::tryCreateUninitializedRestricted):
2557
2558 2018-06-18  Keith Miller  <keith_miller@apple.com>
2559
2560         Properly zero unused property storage offsets
2561         https://bugs.webkit.org/show_bug.cgi?id=186692
2562
2563         Reviewed by Filip Pizlo.
2564
2565         Since the concurrent GC might see a property slot before the mutator has actually
2566         stored the value there, we need to ensure that slot doesn't have garbage in it.
2567
2568         Right now when calling constructConvertedArrayStorageWithoutCopyingElements
2569         or creating a RegExp matches array, we never cleared the unused
2570         property storage. ObjectInitializationScope has also been upgraded
2571         to look for our invariants around property storage. Additionally,
2572         a new assertion has been added to check for JSValue() when adding
2573         a new property.
2574
2575         We used to put undefined into deleted property offsets. To
2576         make things simpler, this patch causes us to store JSValue() there
2577         instead.
2578
2579         Lastly, this patch fixes an issue where we would initialize the
2580         array storage of RegExpMatchesArray twice. First with 0 and
2581         secondly with the actual result. Now we only zero memory between
2582         vector length and public length.
2583
2584         * runtime/Butterfly.h:
2585         (JSC::Butterfly::offsetOfVectorLength):
2586         * runtime/ButterflyInlines.h:
2587         (JSC::Butterfly::tryCreateUninitialized):
2588         (JSC::Butterfly::createUninitialized):
2589         (JSC::Butterfly::tryCreate):
2590         (JSC::Butterfly::create):
2591         (JSC::Butterfly::createOrGrowPropertyStorage):
2592         (JSC::Butterfly::createOrGrowArrayRight):
2593         (JSC::Butterfly::growArrayRight):
2594         (JSC::Butterfly::resizeArray):
2595         * runtime/JSArray.cpp:
2596         (JSC::JSArray::tryCreateUninitializedRestricted):
2597         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
2598         * runtime/JSArray.h:
2599         (JSC::tryCreateArrayButterfly):
2600         * runtime/JSObject.cpp:
2601         (JSC::JSObject::createArrayStorageButterfly):
2602         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2603         (JSC::JSObject::deleteProperty):
2604         (JSC::JSObject::shiftButterflyAfterFlattening):
2605         * runtime/JSObject.h:
2606         * runtime/JSObjectInlines.h:
2607         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2608         * runtime/ObjectInitializationScope.cpp:
2609         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2610         * runtime/ObjectInitializationScope.h:
2611         (JSC::ObjectInitializationScope::release):
2612         * runtime/RegExpMatchesArray.h:
2613         (JSC::tryCreateUninitializedRegExpMatchesArray):
2614         (JSC::createRegExpMatchesArray):
2615
2616         * runtime/Butterfly.h:
2617         (JSC::Butterfly::offsetOfVectorLength):
2618         * runtime/ButterflyInlines.h:
2619         (JSC::Butterfly::tryCreateUninitialized):
2620         (JSC::Butterfly::createUninitialized):
2621         (JSC::Butterfly::tryCreate):
2622         (JSC::Butterfly::create):
2623         (JSC::Butterfly::createOrGrowPropertyStorage):
2624         (JSC::Butterfly::createOrGrowArrayRight):
2625         (JSC::Butterfly::growArrayRight):
2626         (JSC::Butterfly::resizeArray):
2627         * runtime/JSArray.cpp:
2628         (JSC::JSArray::tryCreateUninitializedRestricted):
2629         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
2630         * runtime/JSArray.h:
2631         (JSC::tryCreateArrayButterfly):
2632         * runtime/JSObject.cpp:
2633         (JSC::JSObject::createArrayStorageButterfly):
2634         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2635         (JSC::JSObject::deleteProperty):
2636         (JSC::JSObject::shiftButterflyAfterFlattening):
2637         * runtime/JSObject.h:
2638         * runtime/JSObjectInlines.h:
2639         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2640         * runtime/ObjectInitializationScope.cpp:
2641         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2642         * runtime/RegExpMatchesArray.cpp:
2643         (JSC::createEmptyRegExpMatchesArray):
2644         * runtime/RegExpMatchesArray.h:
2645         (JSC::tryCreateUninitializedRegExpMatchesArray):
2646         (JSC::createRegExpMatchesArray):
2647
2648 2018-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2649
2650         Share structure across instances of classes exported through the ObjC API
2651         https://bugs.webkit.org/show_bug.cgi?id=186579
2652         <rdar://problem/40969212>
2653
2654         Reviewed by Saam Barati.
2655
2656         A new structure was being created for each instance of exported ObjC
2657         classes due to setting the prototype in the structure for every object,
2658         since prototype transitions are not cached by the structure. Cache the
2659         Structure in the JSObjcClassInfo to avoid the transition.
2660
2661         * API/JSWrapperMap.mm:
2662         (-[JSObjCClassInfo wrapperForObject:inContext:]):
2663         (-[JSObjCClassInfo structureInContext:]):
2664         * API/tests/JSWrapperMapTests.h: Added.
2665         * API/tests/JSWrapperMapTests.mm: Added.
2666         (+[JSWrapperMapTests testStructureIdentity]):
2667         (runJSWrapperMapTests):
2668         * API/tests/testapi.mm:
2669         (testObjectiveCAPIMain):
2670         * JavaScriptCore.xcodeproj/project.pbxproj:
2671
2672 2018-06-18  Michael Saboff  <msaboff@apple.com>
2673
2674         Support Unicode 11 in RegExp
2675         https://bugs.webkit.org/show_bug.cgi?id=186685
2676
2677         Reviewed by Mark Lam.
2678
2679         Updated the UCD tables used to generate RegExp property tables to version 11.0.
2680
2681         * Scripts/generateYarrUnicodePropertyTables.py:
2682         * ucd/CaseFolding.txt:
2683         * ucd/DerivedBinaryProperties.txt:
2684         * ucd/DerivedCoreProperties.txt:
2685         * ucd/DerivedNormalizationProps.txt:
2686         * ucd/PropList.txt:
2687         * ucd/PropertyAliases.txt:
2688         * ucd/PropertyValueAliases.txt:
2689         * ucd/ScriptExtensions.txt:
2690         * ucd/Scripts.txt:
2691         * ucd/UnicodeData.txt:
2692         * ucd/emoji-data.txt:
2693
2694 2018-06-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2695
2696         [WTF] Remove workarounds needed to support libstdc++-4
2697         https://bugs.webkit.org/show_bug.cgi?id=186762
2698
2699         Reviewed by Michael Catanzaro.
2700
2701         Revert r226299, r226300, r226301 and r226302.
2702
2703         * API/tests/TypedArrayCTest.cpp:
2704         (assertEqualsAsNumber):
2705
2706 2018-06-16  Michael Catanzaro  <mcatanzaro@igalia.com>
2707
2708         REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
2709         https://bugs.webkit.org/show_bug.cgi?id=182923
2710
2711         Reviewed by Mark Lam.
2712
2713         The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
2714         Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.
2715
2716         * heap/MarkedBlock.h:
2717
2718 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2719
2720         [JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
2721         https://bugs.webkit.org/show_bug.cgi?id=186723
2722
2723         Reviewed by Mark Lam.
2724
2725         Now, the CoW -> non-CoW transition is a heavy path. We inline the part of Structure::nonPropertyTransition
2726         to catch the major path. We also inline JSArray::pushInline to spread this into operationArrayPushMultiple.
2727
2728         This patch improves SixSpeed/spread-literal.es5.
2729
2730                                      baseline                  patched
2731
2732         spread-literal.es5      114.4140+-4.5146     ^    104.5475+-3.6157        ^ definitely 1.0944x faster
2733
2734         * runtime/JSArrayInlines.h:
2735         (JSC::JSArray::pushInline):
2736         * runtime/Structure.cpp:
2737         (JSC::Structure::nonPropertyTransitionSlow):
2738         (JSC::Structure::nonPropertyTransition): Deleted.
2739         * runtime/Structure.h:
2740         * runtime/StructureInlines.h:
2741         (JSC::Structure::nonPropertyTransition):
2742
2743 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2744
2745         [DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
2746         https://bugs.webkit.org/show_bug.cgi?id=186721
2747
2748         Reviewed by Keith Miller.
2749
2750         We still have several other OSRExits, but this patch reduces them.
2751
2752         1. While the ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
2753         So DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.
2754
2755         2. The CoW patch removed ArrayAllocationProfile updates. This makes the allocated JSImmutableButterfly
2756         inappropriate.
2757
2758         These changes fix the Kraken/crypto-aes regression a bit.
2759
2760                                       baseline                  patched
2761
2762         stanford-crypto-aes        63.718+-2.312      ^      56.140+-0.966         ^ definitely 1.1350x faster
2763
2764
2765         * dfg/DFGByteCodeParser.cpp:
2766         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2767         * ftl/FTLOperations.cpp:
2768         (JSC::FTL::operationMaterializeObjectInOSR):
2769         * runtime/CommonSlowPaths.cpp:
2770         (JSC::SLOW_PATH_DECL):
2771
2772 2018-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2773
2774         [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
2775         https://bugs.webkit.org/show_bug.cgi?id=186460
2776
2777         Reviewed by Saam Barati.
2778
2779         Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
2780         We should return JSFixedArray for Spread. This patch adds a code generating
2781         a JSFixedArray from JSImmutableButterfly.
2782
2783         Merging JSFixedArray into JSImmutableButterfly is a possible future extension.
2784
2785         * ftl/FTLLowerDFGToB3.cpp:
2786         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
2787         * runtime/JSFixedArray.h:
2788
2789 2018-06-15  Saam Barati  <sbarati@apple.com>
2790
2791         Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
2792         https://bugs.webkit.org/show_bug.cgi?id=186687
2793         <rdar://problem/40071332>
2794
2795         Reviewed by Keith Miller.
2796
2797         * API/JSVirtualMachinePrivate.h:
2798
2799 2018-06-15  Saam Barati  <sbarati@apple.com>
2800
2801         Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
2802         https://bugs.webkit.org/show_bug.cgi?id=186648
2803
2804         Reviewed by Michael Saboff.
2805
2806         This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
2807         regressed with my first version of ForceOSRExit CFG pruning. This patch makes
2808         ForceOSRExit CFG pruning more aggressive by not ignoring everything that
2809         can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
2810         if it's the plan's osr entry bytecode target. The goal is to get a speedometer
2811         2 speedup with this change on iOS.
2812
2813         * dfg/DFGByteCodeParser.cpp:
2814         (JSC::DFG::ByteCodeParser::parse):
2815
2816 2018-06-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2817
2818         Unreviewed, rolling out r232816.
2819
2820         Suggested by Caitlin:
2821         "this patch clearly does get some things wrong, and it's not
2822         easy to find what those things are"
2823
2824         Reverted changeset:
2825
2826         "[LLInt] use loadp consistently for
2827         get_from_scope/put_to_scope"
2828         https://bugs.webkit.org/show_bug.cgi?id=132333
2829         https://trac.webkit.org/changeset/232816
2830
2831 2018-06-14  Michael Saboff  <msaboff@apple.com>
2832
2833         REGRESSION(232741): Crash running ARES-6
2834         https://bugs.webkit.org/show_bug.cgi?id=186630
2835
2836         Reviewed by Saam Barati.
2837
2838         The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
2839         treated edges between identical predecessor->successor pairs independently.
2840         This fixes the issue by handling such edges once, using the added intermediate
2841         pad for all instances of the edges between the same pairs.
2842
2843         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2844         (JSC::DFG::CriticalEdgeBreakingPhase::run):
2845         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
2846
2847 2018-06-14  Carlos Garcia Campos  <cgarcia@igalia.com>
2848
2849         [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
2850         https://bugs.webkit.org/show_bug.cgi?id=186560
2851
2852         Reviewed by Brian Burg.
2853
2854         Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
2855         that always receives the session capabilities.
2856
2857         * inspector/remote/RemoteInspector.h:
2858         * inspector/remote/RemoteInspectorConstants.h:
2859         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2860         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
2861         WebKit here and fill the SessionCapabilities instead.
2862         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2863         (Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
2864         * inspector/remote/glib/RemoteInspectorServer.cpp:
2865         (Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
2866         * inspector/remote/glib/RemoteInspectorServer.h:
2867
2868 2018-06-13  Adrian Perez de Castro  <aperez@igalia.com>
2869
2870         [WPE] Trying to access the remote inspector hits an assertion in the UIProcess
2871         https://bugs.webkit.org/show_bug.cgi?id=186588
2872
2873         Reviewed by Carlos Garcia Campos.
2874
2875         Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
2876         for resource paths, which avoids needing a switcheroo depending on the port.
2877
2878         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2879
2880 2018-06-13  Caitlin Potter  <caitp@igalia.com>
2881
2882         [LLInt] use loadp consistently for get_from_scope/put_to_scope
2883         https://bugs.webkit.org/show_bug.cgi?id=132333
2884
2885         Reviewed by Mark Lam.
2886
2887         Using `loadis` for register indexes and `loadp` for constant scopes /
2888         symboltables makes sense, but is problematic for big-endian
2889         architectures.
2890
2891         Consistently treating the operand as a pointer simplifies determining
2892         how to access the operand, and helps avoid bad accesses and crashes on
2893         big-endian ports.
2894
2895         * bytecode/CodeBlock.cpp:
2896         (JSC::CodeBlock::finishCreation):
2897         * bytecode/Instruction.h:
2898         * jit/JITOperations.cpp:
2899         * llint/LLIntSlowPaths.cpp:
2900         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2901         * llint/LowLevelInterpreter32_64.asm:
2902         * llint/LowLevelInterpreter64.asm:
2903         * runtime/CommonSlowPaths.h:
2904         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2905         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
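
An added illustration of the big-endian hazard Caitlin describes, written for this page rather than taken from JSC's LLInt sources: an 8-byte operand slot is modelled as a byte array, and a 4-byte read at the slot's start (the `loadis` pattern) is compared with a full pointer-sized read (the `loadp` pattern) under both byte orders. The slot layout and the function names are assumptions of the example, not the Instruction layout in bytecode/Instruction.h.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>

// Byte image of an 8-byte operand slot holding `value`, laid out in the
// byte order of a hypothetical target. Constructed for this example only.
std::array<uint8_t, 8> encodeSlot(uint64_t value, bool bigEndian)
{
    std::array<uint8_t, 8> bytes {};
    for (size_t i = 0; i < 8; ++i) {
        unsigned shift = bigEndian ? (7 - i) * 8 : i * 8;
        bytes[i] = static_cast<uint8_t>(value >> shift);
    }
    return bytes;
}

// Decode `width` bytes at `offset` the way that target's CPU would, i.e. in
// its native byte order.
uint64_t loadNative(const std::array<uint8_t, 8>& slot, size_t offset, size_t width, bool bigEndian)
{
    uint64_t result = 0;
    for (size_t i = 0; i < width; ++i) {
        unsigned shift = bigEndian ? (width - 1 - i) * 8 : i * 8;
        result |= static_cast<uint64_t>(slot[offset + i]) << shift;
    }
    return result;
}

// "loadis"-style access: a 4-byte read at the start of the 8-byte slot.
// Correct only where the low half of the value happens to sit first.
uint32_t loadis(const std::array<uint8_t, 8>& slot, bool bigEndian)
{
    return static_cast<uint32_t>(loadNative(slot, 0, 4, bigEndian));
}

// "loadp"-style access: the full pointer-sized read, which sees the same
// value regardless of byte order.
uint64_t loadp(const std::array<uint8_t, 8>& slot, bool bigEndian)
{
    return loadNative(slot, 0, 8, bigEndian);
}
```

On a little-endian host the narrow read returns the right value by accident, which is why a mismatch between `loadis` and `loadp` stays invisible there and surfaces only as bad accesses on big-endian ports.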
2906
2907 2018-06-13  Keith Miller  <keith_miller@apple.com>
2908
2909         AutomaticThread should have a way to provide a thread name
2910         https://bugs.webkit.org/show_bug.cgi?id=186604
2911
2912         Reviewed by Filip Pizlo.
2913
2914         Add names for JSC's automatic threads.
2915
2916         * dfg/DFGWorklist.cpp:
2917         * heap/Heap.cpp:
2918         * jit/JITWorklist.cpp:
2919         * runtime/VMTraps.cpp:
2920         * wasm/WasmWorklist.cpp:
2921
2922 2018-06-13  Saam Barati  <sbarati@apple.com>
2923
2924         CFGSimplificationPhase should de-dupe jettisonedBlocks
2925         https://bugs.webkit.org/show_bug.cgi?id=186583
2926
2927         Reviewed by Filip Pizlo.
2928
2929         When making the predecessors list unique in r232741, it revealed a bug inside
2930         of CFG simplification, where we try to remove the same predecessor more than
2931         once from a block's predecessors list. We built the list of blocks to remove
2932         from the list of successors, which is not unique, causing us to try to remove
2933         the same predecessor more than once. The solution here is to just add to this
2934         list of blocks to remove only if the block is not already in the list.
2935
2936         * dfg/DFGCFGSimplificationPhase.cpp:
2937         (JSC::DFG::CFGSimplificationPhase::run):
2938
2939 2018-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2940
2941         [JSC] Always use Nuke & Set procedure for x86
2942         https://bugs.webkit.org/show_bug.cgi?id=186592
2943
2944         Reviewed by Keith Miller.
2945
2946         We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
2947         By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
2948         threads.
2949
2950         * runtime/JSObject.cpp:
2951         (JSC::JSObject::convertContiguousToArrayStorage):
2952
2953 2018-06-12  Saam Barati  <sbarati@apple.com>
2954
2955         Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
2956         https://bugs.webkit.org/show_bug.cgi?id=186071
2957
2958         Reviewed by Mark Lam.
2959
2960         * API/JSVirtualMachine.mm:
2961         (-[JSVirtualMachine shrinkFootprint]): Deleted.
2962         * API/JSVirtualMachinePrivate.h:
2963
2964 2018-06-11  Saam Barati  <sbarati@apple.com>
2965
2966         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
2967         https://bugs.webkit.org/show_bug.cgi?id=181409
2968         <rdar://problem/36383749>
2969
2970         Reviewed by Keith Miller.
2971
2972         This patch is me redoing r226655. This is a patch I wrote when
2973         profiling Speedometer. Fil rolled this change out in r230928. He
2974         showed this slowed down a sunspider test by ~2x. This sunspider
2975         regression revealed a real performance bug in the original change:
2976         we would kill blocks that reached OSR entry targets, sometimes leading
2977         us to not do OSR entry into the DFG, since we could end up deleting
2978         entire loops from the CFG. The reason for this is that code that has run
2979         ~once and that reaches loops often has ForceOSRExits inside of it. The
2980         solution to this is to not perform this optimization on blocks that can
2981         reach OSR entry targets.
2982         
2983         The reason I'm redoing this patch is that it turns out Fil rolling
2984         out the change was a Speedometer 2 regression.
2985         
2986         This is a modified version of the original ChangeLog I wrote in r226655:
2987         
2988         When I was looking at profiler data for Speedometer, I noticed that one of
2989         the hottest functions in Speedometer is around 1100 bytecode operations long.
2990         Only about 100 of those bytecode ops ever execute. However, we ended up
2991         spending a lot of time compiling basic blocks that never executed. We often
2992         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
2993         This is the case when such a node never executes.
2994         
2995         This patch makes it so that anytime a block has a ForceOSRExit, and that block
2996         can not reach an OSR entry target, we replace its terminal node with an Unreachable
2997         node, and remove all nodes after the ForceOSRExit. This cuts down the graph
2998         size since it removes control flow edges from the CFG. This allows us to get
2999         rid of huge chunks of the CFG in certain programs. When doing this transformation,
3000         we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
3001         live-in to the ForceOSRExit.
3002         
3003         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
3004         does not get rid of all the CFG that it could. If we decide it's worth
3005         it, we could use additional inputs into this mechanism. For example, we could
3006         profile if a basic block ever executes inside the LLInt/Baseline, and
3007         remove parts of the CFG based on that.
3008         
3009         When running Speedometer with the concurrent JIT turned off, this patch
3010         improves DFG/FTL compile times by around 5%.
3011
3012         * dfg/DFGByteCodeParser.cpp:
3013         (JSC::DFG::ByteCodeParser::addToGraph):
3014         (JSC::DFG::ByteCodeParser::inlineCall):
3015         (JSC::DFG::ByteCodeParser::parse):
3016         * dfg/DFGGraph.cpp:
3017         (JSC::DFG::Graph::blocksInPostOrder):
3018
3019 2018-06-11  Saam Barati  <sbarati@apple.com>
3020
3021         The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
3022         https://bugs.webkit.org/show_bug.cgi?id=184829
3023
3024         Reviewed by Michael Saboff.
3025
3026         This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
3027         In B3/Air, this just meant writing a validation rule. In DFG, this meant
3028         ensuring this property when building up the predecessors list, and also adding
3029         a validation rule. The NaturalLoops algorithm relies on this property.
3030
3031         * b3/B3Validate.cpp:
3032         * b3/air/AirValidate.cpp:
3033         * b3/testb3.cpp:
3034         (JSC::B3::testLoopWithMultipleHeaderEdges):
3035         (JSC::B3::run):
3036         * dfg/DFGGraph.cpp:
3037         (JSC::DFG::Graph::handleSuccessor):
3038         * dfg/DFGValidate.cpp:
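
The three entries above (r232741's unique predecessor lists, the CFGSimplificationPhase de-dupe, and the breakCriticalEdge() fix for duplicated predecessor->successor pairs) describe one invariant and two places it bit. As an added example, not code from the DFG, here is a toy CFG that keeps predecessors de-duplicated while successors may repeat, a validation check for that property, and a critical-edge breaker that gives every copy of the same (from, to) edge one shared pad. The `Cfg` type, its fields and the sample graph are constructed for this page.

```cpp
#include <algorithm>
#include <cstddef>
#include <map>
#include <set>
#include <utility>
#include <vector>

// Minimal CFG constructed for this example; it is not DFG's BasicBlock.
// successors[b] may list the same target twice (a switch whose cases share
// a destination); predecessors[b] is always kept de-duplicated.
struct Cfg {
    std::vector<std::vector<size_t>> successors;
    std::vector<std::vector<size_t>> predecessors;

    size_t addBlock() { successors.emplace_back(); predecessors.emplace_back(); return successors.size() - 1; }
    // The de-duplication rule: list `from` as a predecessor of `to` only once.
    void addPredecessor(size_t from, size_t to)
    {
        auto& preds = predecessors[to];
        if (std::find(preds.begin(), preds.end(), from) == preds.end())
            preds.push_back(from);
    }
    void addEdge(size_t from, size_t to) { successors[from].push_back(to); addPredecessor(from, to); }
};

// Validation rule: no block lists the same predecessor twice.
bool predecessorsAreUnique(const Cfg& cfg)
{
    for (const auto& preds : cfg.predecessors)
        if (std::set<size_t>(preds.begin(), preds.end()).size() != preds.size())
            return false;
    return true;
}

// A critical edge leaves a block with several successors and enters a block
// with several predecessors; duplicate edges are counted separately here.
size_t countCriticalEdges(const Cfg& cfg)
{
    size_t count = 0;
    for (size_t from = 0; from < cfg.successors.size(); ++from)
        for (size_t to : cfg.successors[from])
            if (cfg.successors[from].size() > 1 && cfg.predecessors[to].size() > 1)
                ++count;
    return count;
}

// Route every critical edge through a pad block. All copies of the same
// (from, to) edge share one pad, so the pad's predecessor list stays unique.
// Returns the number of pads inserted.
size_t breakCriticalEdges(Cfg& cfg)
{
    std::map<std::pair<size_t, size_t>, size_t> padFor;
    size_t originalBlocks = cfg.successors.size(); // pads added below are not revisited
    for (size_t from = 0; from < originalBlocks; ++from) {
        if (cfg.successors[from].size() <= 1)
            continue;
        for (size_t i = 0; i < cfg.successors[from].size(); ++i) {
            size_t to = cfg.successors[from][i];
            if (cfg.predecessors[to].size() <= 1)
                continue;
            auto found = padFor.find({ from, to });
            if (found == padFor.end()) {
                size_t pad = cfg.addBlock(); // may reallocate, hence index-based access
                cfg.addEdge(pad, to);
                auto& preds = cfg.predecessors[to];
                preds.erase(std::remove(preds.begin(), preds.end(), from), preds.end());
                cfg.addPredecessor(from, pad);
                found = padFor.emplace(std::make_pair(from, to), pad).first;
            }
            cfg.successors[from][i] = found->second; // a repeated edge reuses the pad
        }
    }
    return padFor.size();
}

// Constructed sample: block 0 branches to block 1 twice and to block 2 once;
// block 3 also reaches block 1, so the duplicated 0 -> 1 edge is critical.
Cfg buildSampleCfg()
{
    Cfg cfg;
    for (int i = 0; i < 4; ++i)
        cfg.addBlock();
    cfg.addEdge(0, 1);
    cfg.addEdge(0, 1);
    cfg.addEdge(0, 2);
    cfg.addEdge(3, 1);
    return cfg;
}

// After breaking, both copies of 0 -> 1 must target one pad that lists block 0 once.
bool sampleUsesSharedPad(const Cfg& broken)
{
    size_t pad = broken.successors[0][0];
    return pad == broken.successors[0][1] && pad >= 4 && broken.predecessors[pad].size() == 1;
}
```

Treating the two 0 -> 1 copies independently would create two pads, or, worse, try to remove block 0 from block 1's predecessor list twice, which is exactly the shape of the CFGSimplificationPhase bug above.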
3039
3040 2018-06-11  Keith Miller  <keith_miller@apple.com>
3041
3042         Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire which churns 65KB of memory
3043         https://bugs.webkit.org/show_bug.cgi?id=186467
3044
3045         Reviewed by Simon Fraser.
3046
3047         This patch adds a LazyFireDetail that wraps ScopedLambda so that
3048         we don't actually malloc any strings for firing unless those
3049         Strings are actually going to be printed.
3050
3051         * bytecode/Watchpoint.h:
3052         (JSC::LazyFireDetail::LazyFireDetail):
3053         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
3054         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
3055         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
3056         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
3057         * runtime/ArrayPrototype.cpp:
3058         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
3059
3060 2018-06-11  Mark Lam  <mark.lam@apple.com>
3061
3062         Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
3063         https://bugs.webkit.org/show_bug.cgi?id=186451
3064         <rdar://problem/40875792>
3065
3066         Reviewed by Tim Horton.
3067
3068         Enhance setOptions() to be able to take a comma separated options string in
3069         addition to white space separated options strings.
3070
3071         * runtime/Options.cpp:
3072         (JSC::isSeparator):
3073         (JSC::Options::setOptions):
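
The separator rule Mark describes (an option string may be split on commas as well as white space) is the kind of small parser worth checking at its edges. The following is an added example written for this page, not JSC's Options::setOptions(): the option names are constructed, and the decision to reject the whole string when any token lacks `name=value` form is this example's choice.

```cpp
#include <cctype>
#include <string>
#include <utility>
#include <vector>

// Separator rule being discussed: white space or a comma ends a token.
bool isOptionSeparator(char c)
{
    return c == ',' || std::isspace(static_cast<unsigned char>(c));
}

// Split an options string into tokens. Runs of separators (",,", ", ")
// yield no empty tokens.
std::vector<std::string> splitOptions(const std::string& options)
{
    std::vector<std::string> tokens;
    std::string current;
    for (char c : options) {
        if (!isOptionSeparator(c)) {
            current += c;
            continue;
        }
        if (!current.empty())
            tokens.push_back(current);
        current.clear();
    }
    if (!current.empty())
        tokens.push_back(current);
    return tokens;
}

struct Option {
    std::string name;
    std::string value;
};

// Parse every token as name=value. A token with no '=' or an empty name makes
// the whole string invalid, so a typo cannot silently drop one option.
bool parseOptions(const std::string& options, std::vector<Option>& out)
{
    out.clear();
    for (const std::string& token : splitOptions(options)) {
        size_t eq = token.find('=');
        if (eq == std::string::npos || eq == 0)
            return false;
        out.push_back({ token.substr(0, eq), token.substr(eq + 1) });
    }
    return true;
}

// Number of options parsed, or -1 when the string is rejected.
int countOptions(const std::string& options)
{
    std::vector<Option> parsed;
    return parseOptions(options, parsed) ? static_cast<int>(parsed.size()) : -1;
}

// Value of `name`, or an empty string if absent or the string is rejected.
std::string optionValue(const std::string& options, const std::string& name)
{
    std::vector<Option> parsed;
    if (!parseOptions(options, parsed))
        return std::string();
    for (const Option& option : parsed)
        if (option.name == name)
            return option.value;
    return std::string();
}
```

Rejecting the whole string on a malformed token matters for a test harness: an option that silently fails to apply leaves the test running under different settings than the ones it claims to exercise.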
3074
3075 2018-06-11  Michael Saboff  <msaboff@apple.com>
3076
3077         JavaScriptCore: Disable 32-bit JIT on Windows
3078         https://bugs.webkit.org/show_bug.cgi?id=185989
3079
3080         Reviewed by Mark Lam.
3081
3082         Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.
3083
3084         * llint/LLIntData.h:
3085         (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
3086         * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
3087         have a case label because these aren't opcodes.
3088         * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
3089         on the JIT being enabled.
3090         (JSC::recomputeDependentOptions):
3091
3092 2018-06-11  Michael Saboff  <msaboff@apple.com>
3093
3094         Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
3095         https://bugs.webkit.org/show_bug.cgi?id=186477
3096
3097         Reviewed by Filip Pizlo.
3098
3099         Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
3100         YARR interpreter nodes.  This caused us to overwrite other frame information.
3101
3102         Added frame offset debugging code to YARR interpreter.
3103
3104         * yarr/YarrInterpreter.cpp:
3105         (JSC::Yarr::ByteCompiler::emitDisjunction):
3106         (JSC::Yarr::ByteCompiler::dumpDisjunction):
3107
3108 2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3109
3110         [JSC] Array.prototype.sort should reject null comparator
3111         https://bugs.webkit.org/show_bug.cgi?id=186458
3112
3113         Reviewed by Keith Miller.
3114
3115         This relaxed behavior was once introduced in r216169 to fix some pages by aligning
3116         the behavior to Chrome and Firefox.
3117
3118         However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
3119         accepts it. This patch reverts r216169 to align JSC to the other engines and fix
3120         the spec issue.
3121
3122         * builtins/ArrayPrototype.js:
3123         (sort):
3124
3125 2018-06-09  Dan Bernstein  <mitz@apple.com>
3126
3127         [Xcode] Clean up and modernize some build setting definitions
3128         https://bugs.webkit.org/show_bug.cgi?id=186463
3129
3130         Reviewed by Sam Weinig.
3131
3132         * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
3133           definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
3134           is true for all supported Xcode versions.
3135         * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
3136         * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
3137           ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
3138         * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
3139         * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.
3140
3141 2018-06-09  Dan Bernstein  <mitz@apple.com>
3142
3143         Added missing file references to the Configuration group.
3144
3145         * JavaScriptCore.xcodeproj/project.pbxproj:
3146
3147 2018-06-08  Darin Adler  <darin@apple.com>
3148
3149         [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
3150         https://bugs.webkit.org/show_bug.cgi?id=186436
3151
3152         Reviewed by Anders Carlsson.
3153
3154         * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
3155         objc-internal.h and explicitly declaring the alternative.
3156
3157 2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>
3158
3159         [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
3160         https://bugs.webkit.org/show_bug.cgi?id=186442
3161         <rdar://problem/40879364>
3162
3163         Reviewed by Tim Horton.
3164
3165         * Configurations/FeatureDefines.xcconfig:
3166
3167 2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>
3168
3169         jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt
3170         https://bugs.webkit.org/show_bug.cgi?id=186446
3171         <rdar://problem/40949995>
3172
3173         Reviewed by Mark Lam.
3174
3175         On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
3176         boolean literals, but it would only work for false. Change it so that it
3177         takes the fast path for true, false, null and undefined.
3178
3179         * llint/LowLevelInterpreter.asm:
3180         * llint/LowLevelInterpreter64.asm:
3181
3182 2018-06-08  Brian Burg  <bburg@apple.com>
3183
3184         [Cocoa] Web Automation: include browser name and version in listing for automation targets
3185         https://bugs.webkit.org/show_bug.cgi?id=186204
3186         <rdar://problem/36950423>
3187
3188         Reviewed by Darin Adler.
3189
3190         Ask the client what the reported browser name and version should be, then
3191         send this as part of the listing for an automation target.
3192
3193         * inspector/remote/RemoteInspectorConstants.h:
3194         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3195         (Inspector::RemoteInspector::listingForAutomationTarget const):
3196
3197 2018-06-07  Chris Dumez  <cdumez@apple.com>
3198
3199         Add base class to get WeakPtrFactory member and avoid some boilerplate code
3200         https://bugs.webkit.org/show_bug.cgi?id=186407
3201
3202         Reviewed by Brent Fulgham.
3203
3204         Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
3205         order to avoid some boilerplate code in every class needing a WeakPtrFactory.
3206         This also gets rid of old-style createWeakPtr() methods in favor of the newer
3207         makeWeakPtr().
3208
3209         * wasm/WasmInstance.h:
3210         * wasm/WasmMemory.cpp:
3211         (JSC::Wasm::Memory::registerInstance):
3212
3213 2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>
3214
3215         Don't try to allocate JIT memory if we don't have the JIT entitlement
3216         https://bugs.webkit.org/show_bug.cgi?id=182605
3217         <rdar://problem/38271229>
3218
3219         Reviewed by Mark Lam.
3220
3221         Check that the current process has the correct entitlements before
3222         trying to allocate JIT memory to silence warnings.
3223
3224         * jit/ExecutableAllocator.cpp:
3225         (JSC::allowJIT): Helper that checks entitlements on iOS and returns true in other platforms
3226         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): check allowJIT before trying to allocate
3227
3228 2018-06-07  Saam Barati  <sbarati@apple.com>
3229
3230         TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
3231         https://bugs.webkit.org/show_bug.cgi?id=186386
3232
3233         Reviewed by Filip Pizlo.
3234
3235         This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.
3236
3237         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3238         (JSC::DFG::TierUpCheckInjectionPhase::run):
3239
3240 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
3241
3242         FunctionRareData::m_objectAllocationProfileWatchpoint is racy
3243         https://bugs.webkit.org/show_bug.cgi?id=186237
3244
3245         Reviewed by Saam Barati.
3246
3247         We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
3248         that means that we never notice that it fired if it fires between when the DFG decides to
3249         watch it and when it actually adds the watchpoint.
3250         
3251         Most watchpoints are initialized watched for this purpose. This one had a somewhat good
3252         reason for being initialized blind: that's how we knew to ignore changes to the prototype
3253         before the first allocation. However, that functionality also arose out of the fact that the
3254         rare data is created lazily and usually won't exist until the first allocation.
3255         
3256         The fix here is to make the watchpoint go into watched mode as soon as we initialize the
3257         object allocation profile.
3258         
3259         It's hard to repro this race, however it started causing spurious test failures for me after
3260         bug 164904.
3261
3262         * runtime/FunctionRareData.cpp:
3263         (JSC::FunctionRareData::FunctionRareData):
3264         (JSC::FunctionRareData::initializeObjectAllocationProfile):
3265
3266 2018-06-07  Saam Barati  <sbarati@apple.com>
3267
3268         Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
3269         https://bugs.webkit.org/show_bug.cgi?id=186218
3270         <rdar://problem/38449540>
3271
3272         Reviewed by Filip Pizlo.
3273
3274         This patch makes tierUpCommon a tad bit more sane. There are a few things
3275         that I did:
3276         - There were a few release asserts that were crashing. Those release asserts
3277         were incorrect. They were making assumptions about how the code and data
3278         structures were ordered that were wrong. This patch removes them. The code
3279         was using the loop hierarchy vector to make assumptions about which loop we
3280         were currently executing in, which is incorrect. The only information that
3281         can be used about where we're currently executing is the bytecode index we're
3282         at.
3283         - This makes it so that we go back to trying to compile outer loops before
3284         inner loops. JF accidentally reverted this behavior that Ben implemented.
3285         JF made it so that we just compiled the inner most loop. I make this
3286         functionality work by first triggering a compile for the outer most loop
3287         that the code is currently executing in and that can perform OSR entry.
3288         However, some programs can get stuck in inner loops. The code works by
3289         progressively asking inner loops to compile if program execution has not
3290         yet reached an outer loop.
3291
3292         * dfg/DFGOperations.cpp:
3293
3294 2018-06-06  Guillaume Emont  <guijemont@igalia.com>
3295
3296         ArityFixup should adjust SP first on 32-bit platforms too
3297         https://bugs.webkit.org/show_bug.cgi?id=186351
3298
3299         Reviewed by Yusuke Suzuki.
3300
3301         * jit/ThunkGenerators.cpp:
3302         (JSC::arityFixupGenerator):
3303
3304 2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3305
3306         [DFG] Compare operations do not respect negative zeros
3307         https://bugs.webkit.org/show_bug.cgi?id=183729
3308
3309         Reviewed by Saam Barati.
3310
3311         Compare operations do not respect negative zeros. So propagating this can
3312         reduce the size of the produced code for negative zero case. This pattern
3313         can be seen in Kraken stanford-crypto-aes.
3314
3315         This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsdouble) to false.
3316         However, NonIntAsdouble includes negative zero, which can be equal to Int32 positive zero.
3317         This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.
3318
3319         * bytecode/SpeculatedType.cpp:
3320         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
3321         SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
3322         To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
3323         SpecDoubleReal.
3324
3325         * dfg/DFGBackwardsPropagationPhase.cpp:
3326         (JSC::DFG::BackwardsPropagationPhase::propagate):
3327
3328 2018-06-06  Saam Barati  <sbarati@apple.com>
3329
3330         generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
3331         https://bugs.webkit.org/show_bug.cgi?id=186363
3332
3333         Rubber-stamped by Filip Pizlo.
3334
3335         The code was assuming that the object it was creating an OPC for always
3336         had a non-poly-proto structure. However, this assumption was wrong. For
3337         example, an object in the prototype chain could be poly proto. That type
3338         of object graph would cause a crash in this code. This patch makes it so
3339         that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
3340         object as we traverse the prototype chain.
3341
3342         * bytecode/ObjectPropertyConditionSet.cpp:
3343         (JSC::generateConditionsForInstanceOf):
3344
3345 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
3346
3347         Adjust compile and runtime flags to match shippable state of features
3348         https://bugs.webkit.org/show_bug.cgi?id=186319
3349         <rdar://problem/40352045>
3350
3351         Reviewed by Maciej Stachowiak, Jon Lee, and others.
3352
3353         This patch revises the compile time and runtime state for various features to match their
3354         suitability for end-user releases.
3355
3356         * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
3357         WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
3358         Cocoa builds.
3359         * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
3360         or ENABLE_INPUT_TYPE_COLOR_POPOVER.
3361         * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
3362         at runtime for non-production builds.
3363
3364 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
3365
3366         Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
3367         https://bugs.webkit.org/show_bug.cgi?id=186286
3368         <rdar://problem/40782992>
3369
3370         Reviewed by Dan Bernstein.
3371