[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2020-09-24  Ross Kirsling  <ross.kirsling@sony.com>

        %TypedArray%.prototype.toLocaleString must make conscious use of @toString
        https://bugs.webkit.org/show_bug.cgi?id=216956

        Reviewed by Yusuke Suzuki.

        A fascinating bug: if we override Number.prototype.toLocaleString to return { valueOf() { ... } },
        then we can observe our %TypedArray%.prototype.toLocaleString resolving its element values in the wrong order.

        * builtins/TypedArrayPrototype.js:
        (toLocaleString):
        Wrap the toLocaleString call for each element in @toString(), as the spec indicates.

2020-09-24  Ross Kirsling  <ross.kirsling@sony.com>

        %TypedArray%.prototype.sort must throw if comparator is defined and uncallable
        https://bugs.webkit.org/show_bug.cgi?id=216952

        Reviewed by Yusuke Suzuki.

        * builtins/TypedArrayPrototype.js:
        (sort):

2020-09-24  Ross Kirsling  <ross.kirsling@sony.com>

        %TypedArray% methods should perform TypedArraySpeciesCreate correctly
        https://bugs.webkit.org/show_bug.cgi?id=216938

        Reviewed by Yusuke Suzuki.

        map, filter, and slice are obliged to throw when:
        1. this.constructor is defined but not an object
        2. the species constructor produces a valid typed array which is shorter than the expected length

        * builtins/TypedArrayPrototype.js:
        (map):
        (filter):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSlice):

2020-09-24  Basuke Suzuki  <basuke.suzuki@sony.com>

        [PlayStation] Stop raising SIGPIPE when client side of RemoteInspector dies
        https://bugs.webkit.org/show_bug.cgi?id=216805

        Reviewed by Don Olmstead.

        When communication is stopped caused by peer crash or non-polite close, SIGPIPE will be
        raised on BSD (and maybe on Linux). We prefer to handle those events by returning error.

        On Windows, there's no such fancy feature from the beginning.

        * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp:
        (Inspector::Socket::read):
        (Inspector::Socket::write):

2020-09-24  Angelos Oikonomopoulos  <angelos@igalia.com>

        [MIPS] Broken build after r267371
        https://bugs.webkit.org/show_bug.cgi?id=216893

        Reviewed by Adrian Perez de Castro.

        This addresses two issues.

        First, the fix in https://bugs.webkit.org/show_bug.cgi?id=216772 was not
        getting exercised, because the LabelReference offset was always zero.

        The reason the offset was zero is that LabelReference.mapChildren would discard
        the offset when generating a new LabelReference to wrap the Label returned by
        the code block it yielded to.

        The reason this was only an issue on MIPS is because only MIPS was using the
        result of calls to LabelReference.mapChildren (in its lowering phase,
        assignRegistersToTemporaries -> replaceTemporariesWithRegisters ->
        mapChildren). Other archs, e.g. X86_64 only call mapChildren in earlier phases
        (specifically, subsequent to a call to isASTErroneous), in which the new
        LabelReferences returned by mapChildren are later discarded. Even though ARM
        32/64 contains indirect calls to mapChildren, those are made after the
        arm{,64}LowerLabelReferences transformation which doesn't leave any
        LabelReference nodes around for .mapChildren to be called on.

        So this is not an issue for architectures other than MIPS because
        (a) AddImmediates.fold correctly constructs a LabelReference with an offset by
        calling LabelReference.plusOffset and
        (b) they don't call (and therefore don't use the result of)
        LabelReference.mapChildren in their lowering code.

        Second, the code we generate needs to look up the /label/ in the GOT, not the
        computed address. After the lookup, we simply need to add the offset.

        * offlineasm/ast.rb:
        * offlineasm/mips.rb:

2020-09-24  Ross Kirsling  <ross.kirsling@sony.com>

        %TypedArray%.prototype.fill must only evaluate its argument once
        https://bugs.webkit.org/show_bug.cgi?id=216912

        Reviewed by Yusuke Suzuki.

        Currently, we evaluate the argument in `typedArray.fill({ valueOf() { ... } })` once per filled element,
        but it should only be evaluated once in total.

        * builtins/TypedArrayPrototype.js:
        (fill):

2020-09-23  Ross Kirsling  <ross.kirsling@sony.com>

        %ArrayIteratorPrototype%.next must check for detached buffers
        https://bugs.webkit.org/show_bug.cgi?id=216904

        Reviewed by Yusuke Suzuki.

        Per https://tc39.es/ecma262/#sec-%arrayiteratorprototype%.next:
          8. If a has a [[TypedArrayName]] internal slot, then
            a. If IsDetachedBuffer(a.[[ViewedArrayBuffer]]) is true, throw a TypeError exception.

        * builtins/ArrayIteratorPrototype.js:
        (next):
        * builtins/BuiltinNames.h:
        * bytecode/LinkTimeConstant.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncIsNeutered):
        * runtime/JSTypedArrayViewPrototype.h:

2020-09-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Simply some of template-specialized host functions by defining each function
        https://bugs.webkit.org/show_bug.cgi?id=216907

        Reviewed by Saam Barati.

        This makes automatically-registering these functions in JIT-caging easy.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::callImpl):
        (JSC::APICallbackFunction::constructImpl):
        (JSC::APICallbackFunction::call): Deleted.
        (JSC::APICallbackFunction::construct): Deleted.
        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallbackConstructor):
        (JSC::JSCallbackConstructor::getConstructData):
        * API/JSCallbackFunction.cpp:
        (JSC::callJSCallbackFunction):
        (JSC::JSCallbackFunction::JSCallbackFunction):
        * API/ObjCCallbackFunction.mm:
        (JSC::callObjCCallbackFunction):
        (JSC::constructObjCCallbackFunction):
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
        * API/glib/JSCCallbackFunction.cpp:
        (JSC::callJSCCallbackFunction):
        (JSC::constructJSCCallbackFunction):
        (JSC::JSCCallbackFunction::JSCCallbackFunction):
        * dfg/DFGOperations.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        (accessorMakeMasquerader):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructImpl):
        (JSC::constructArrayBuffer):
        (JSC::constructSharedArrayBuffer):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer): Deleted.
        * runtime/JSArrayBufferConstructor.h:
        * runtime/JSCustomGetterSetterFunction.cpp:
        (JSC::customGetterSetterFunctionCall):
        (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall): Deleted.
        * runtime/JSCustomGetterSetterFunction.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor<errorType>::constructImpl):
        (JSC::NativeErrorConstructor<errorType>::callImpl):
        (JSC::callEvalError):
        (JSC::constructEvalError):
        (JSC::callRangeError):
        (JSC::constructRangeError):
        (JSC::callReferenceError):
        (JSC::constructReferenceError):
        (JSC::callSyntaxError):
        (JSC::constructSyntaxError):
        (JSC::callTypeError):
        (JSC::constructTypeError):
        (JSC::callURIError):
        (JSC::constructURIError):
        (JSC::callFunction):
        (JSC::constructFunction):
        (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
        (JSC::NativeErrorConstructorBase::finishCreation):
        (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor): Deleted.
        (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor): Deleted.
        * runtime/NativeErrorConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpConstructorDollarImpl):
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        (JSC::setRegExpConstructorInput):
        (JSC::setRegExpConstructorMultiline):
        (JSC::regExpConstructorDollar): Deleted.
        * tools/JSDollarVM.cpp:

2020-09-23  Alexey Shvayka  <shvaikalesh@gmail.com>

        Update Array.prototype.sort to be consistent with tightened spec
        https://bugs.webkit.org/show_bug.cgi?id=202582

        Reviewed by Yusuke Suzuki and Keith Miller.

        This patch implements the spec change [1] that reduces amount of cases resulting
        in an implementation-defined sort order, aligning JSC with V8 and SpiderMonkey.

        To achieve this, we collect all existing non-undefined receiver elements to a
        temporary array, sort it, and write back sorted items, followed by `undefined`
        values and holes.

        This change is proven to be web-compatible (shipping since Chrome 76) and neutral
        on peak memory consumption in the wild.

        Although we can unobservably detect sparse receivers, we can't avoid creating a
        temporary array for common case since userland comparators may throw; string
        sorting won't measurably benefit from this, only increasing code complexity.

        This change uses @putByValDirect unless the spec requires [[Set]], avoids using
        closure variables, and adds a few drive-by optimizations, resulting in ~22%
        faster string sorting and 13% speed-up for userland comparators.
        Dromaeo/jslib is neutral.

        [1]: https://github.com/tc39/ecma262/pull/1585

        * builtins/ArrayPrototype.js:
        (sort.stringComparator):
        Optimization #1: replace char-by-char comparison loop with > operator, aligning
        JSC with V8 and SpiderMonkey. This semantically equivalent change alone is a ~15%
        progression for string sort.

        (sort.compact):
        (sort.commit):
        Optimization #2: copy large non-numeric arrays in a loop rather than @appendMemcpy.
        Using the latter unconditionally regresses provided microbenchmarks.

        (sort.merge):
        Optimization #3: replace `typeof` check and negation with strict equality.

        (sort.mergeSort):
        Optimization #4: always return sorted array instead of copying, even if it's the buffer.
        Tweak: create the buffer with correct length.

        (sort.bucketSort):
        Optimization #5: avoid emitting 2 extra get_by_val ops by saving bucket lookup to a variable.
        Tweak: create new bucket via array literal.

        (sort): Fix typo in error message.
        (sort.compactSparse): Deleted.
        (sort.compactSlow): Deleted.
        (sort.comparatorSort): Deleted.
        (sort.stringSort): Deleted.
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        Remove @Object.@getPrototypeOf as it's now unused and we have @getPrototypeOf intrinsic anyway.

2020-09-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Intl spec update: handle awkward rounding behavior
        https://bugs.webkit.org/show_bug.cgi?id=216760

        Reviewed by Ross Kirsling.

        This patch supports new spec change of "handle awkward rounding behavior"[1].
        This changes minimumFractionDigits / maximumFractionDigits calculation when the specified ones are less than currency-digits.

        [1]: https://github.com/tc39/ecma402/pull/471

        * runtime/CommonIdentifiers.h:
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::resolvedOptions const):
        * runtime/IntlNumberFormatInlines.h:
        (JSC::setNumberFormatDigitOptions):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::resolvedOptions const):

2020-09-23  Caio Lima  <ticaiolima@gmail.com>

        [JSC][ESNext] Create a new opcode to handle private fields store/define
        https://bugs.webkit.org/show_bug.cgi?id=213372

        Reviewed by Yusuke Suzuki.

        This patch is adding a new opcode to handle private field storage.
        Before this change, we were using `put_by_val_direct` and including
        the information of `PutKind` into `PutByValFlags`. We initially decided
        to use `put_by_val_direct` to take advantage of all IC mechanism already
        implemented for this instruction, however the semantics of private field
        is different enough to complicate the understanding of
        `put_by_val_direct`.

        The new instruction is called `put_private_name` and has as its operands
        `baseObject` where the put is going to be placed, the `property`
        that's going to be installed (it is always a private symbol of a
        private field), the `value` we are going to store and the
        `PrivateFieldPutKind` that can be `Define` or `Set`.
        The difference of each `PrivateFieldPutKind` is the following:
        
        - Define: It defines a new private field. If this field is already
        present, it throws a `TypeError`.
        - Set: It sets the value of a private field. If the field is not
        present at the moment of set, it throws a `TypeError`.

        This patch includes support of IC for all tiers. For DFG and FTL, we
        are only emmiting IC when we are able to emit `CheckConstant`
        for subscript identifier during Bytecode parsing. We are adding a new
        DFG node called `PutPrivateNameById` that handles such cases when we
        have constant identifiers.
        We are also adding a new DFG node `PutPrivateName` that handles generic
        case of `put_private_name`. The strategy used to compile
        `put_private_name` is very similar with what we are using with
        `put_by_val[_direct]`. We first try to compile it as `[Multi]PutByOffset`
        using profiled information from LLInt and Baseline execution. If it
        is not possible, we then emit `PutPrivateName[ById]` node. We get another
        chance to transform `PutPrivateNameById` into `PutByOffset` if we can prove
        its structure set at constant folding phase.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.cpp:
        (JSC::computeUsesForBytecodeIndexImpl):
        (JSC::computeDefsForBytecodeIndexImpl):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/Fits.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * bytecode/PutByValFlags.cpp: Removed.
        * bytecode/PutByValFlags.h: Removed.
        * bytecode/PutKind.h:
        (): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutByVal):
        (JSC::BytecodeGenerator::emitDefinePrivateField):
        (JSC::BytecodeGenerator::emitPrivateFieldPut):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handlePutPrivateNameById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::handlePutByVal):
        (JSC::DFG::ecmaMode): Deleted.
        (JSC::DFG::ecmaMode<OpPutByValDirect>): Deleted.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::convertToMultiPutByOffset):
        (JSC::DFG::Node::hasCacheableIdentifier):
        (JSC::DFG::Node::hasPrivateFieldPutKind):
        (JSC::DFG::Node::privateFieldPutKind):
        * dfg/DFGNodeType.h:
        * dfg/DFGOpInfo.h:
        (JSC::DFG::OpInfo::OpInfo):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutPrivateName):
        (JSC::DFG::SpeculativeJIT::compilePutPrivateNameById):
        (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
        (JSC::DFG::SpeculativeJIT::compilePutById):
        (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateNameById):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName):
        (JSC::FTL::DFG::LowerDFGToB3::cachedPutById):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        * generator/DSL.rb:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        (JSC::ByValCompilationInfo::ByValCompilationInfo):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        (JSC::JITPutByIdGenerator::slowPathFunction):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlines.h:
        (JSC::JIT::ecmaMode<OpPutPrivateName>):
        (JSC::JIT::ecmaMode<OpPutByValDirect>): Deleted.
        (JSC::JIT::privateFieldAccessKind): Deleted.
        (JSC::JIT::privateFieldAccessKind<OpPutByValDirect>): Deleted.
        * jit/JITOperations.cpp:
        (JSC::setPrivateField):
        (JSC::putPrivateField): Deleted.
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emit_op_put_private_name):
        (JSC::JIT::emitSlow_op_put_private_name):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitPutPrivateNameWithCachedId):
        (JSC::JIT::privateCompilePutPrivateNameWithCachedId):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_private_name):
        (JSC::JIT::emitSlow_op_put_private_name):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateOptimizingPutByIdFunction):
        (JSC::tryCachePutByID):
        (JSC::resetPutByID):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::setPrivateField):
        (JSC::JSObject::putPrivateField): Deleted.
        * runtime/PrivateFieldPutKind.cpp: Added.
        (JSC::PrivateFieldPutKind::dump const):
        * runtime/PrivateFieldPutKind.h: Added.
        (JSC::PrivateFieldPutKind::fromByte):
        (JSC::PrivateFieldPutKind::none):
        (JSC::PrivateFieldPutKind::set):
        (JSC::PrivateFieldPutKind::define):
        (JSC::PrivateFieldPutKind::isNone const):
        (JSC::PrivateFieldPutKind::isSet const):
        (JSC::PrivateFieldPutKind::isDefine const):
        (JSC::PrivateFieldPutKind::value const):
        (JSC::PrivateFieldPutKind::PrivateFieldPutKind):

2020-09-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Enable Intl.DateTimeFormat dayPeriod
        https://bugs.webkit.org/show_bug.cgi?id=216845

        Reviewed by Mark Lam.

        Since we already have consensus, let's enable it.
        For now, we keep this flag since it is possible that something
        happens before the change is integrated into the spec.

        * runtime/OptionsList.h:

2020-09-22  HyeockJin Kim  <kherootz@gmail.com>

        Coerce computed property before adding to |excludedList|
        https://bugs.webkit.org/show_bug.cgi?id=216437

        Reviewed by Yusuke Suzuki.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectPatternNode::bindValue const):

2020-09-21  Paulo Matos  <pmatos@igalia.com>

        Fix MIPS leai,leap when offset is nonzero
        https://bugs.webkit.org/show_bug.cgi?id=216772

        Reviewed by Mark Lam.

        Fix required by change from webkit#216685
        * offlineasm/mips.rb:

2020-09-21  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] BigInt should work with Map / Set
        https://bugs.webkit.org/show_bug.cgi?id=216667

        Reviewed by Robin Morisset.

        This patch makes BigInt supported in Map / Set.

        1. In NormalizeMapKey, we always attempt to convert HeapBigInt to BigInt32 (if supported). So we ensure that,
            normalized BigInt has one unique form for BigInt32 range. This allows us to use hashing for BigInt32 bit pattern directly.
        2. In MapHash, for BigInt32, we directly has the JSValue bits. For HeapBigInt, we calculate hash via Hasher.
        3. In GetMapBucket, we consider HeapBigInt case correctly.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
        (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        * runtime/HashMapImpl.h:
        (JSC::normalizeMapKey):
        (JSC::jsMapHash):
        (JSC::concurrentJSMapHash):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::concurrentHash):
        * runtime/JSBigInt.h:
        (JSC::tryConvertToBigInt32):

2020-09-21  Mark Lam  <mark.lam@apple.com>

        Move some LLInt globals into JSC::Config.
        https://bugs.webkit.org/show_bug.cgi?id=216685
        rdar://68964544

        Reviewed by Keith Miller.

        1. Moved the following into g_jscConfig:

           Data::s_exceptionInstructions ==> g_jscConfig.llint.exceptionInstructions
           Data::s_wasmExceptionInstructions ==> g_jscConfig.llint.wasmExceptionInstructions
           g_opcodeMap ==> g_jscConfig.llint.opcodeMap
           g_opcodeMapWide16 ==> g_jscConfig.llint.opcodeMapWide16
           g_opcodeMapWide32 ==> g_jscConfig.llint.opcodeMapWide32

        2. Fixed cloop.rb so that it can take an offset for the leap offlineasm instruction.
        3. Fixed x86.rb so that it can take an offset for the leap offlineasm instruction.
        4. Fixed arm.rb so that it can take an offset for the leap offlineasm instruction.

           Note: arm64.rb already does this right.

        5. Added JSC::Config::singleton() to return a reference to g_jscConfig.
           This is useful when debugging with lldb since g_jscConfig is not an actual
           label, but is a macro that computes the address of the Config record.

        This patch has been smoke tested on arm64e, x86_64, and cloop (on x86_64 and armv7k).

        * llint/LLIntData.cpp:
        (JSC::LLInt::LLIntInitializeAssertScope::LLIntInitializeAssertScope):
        (JSC::LLInt::LLIntInitializeAssertScope::~LLIntInitializeAssertScope):
        (JSC::LLInt::LLIntInitializeAssertScope::assertInitializationIsAllowed):
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::exceptionInstructions):
        (JSC::LLInt::wasmExceptionInstructions):
        (JSC::LLInt::opcodeMap):
        (JSC::LLInt::opcodeMapWide16):
        (JSC::LLInt::opcodeMapWide32):
        (JSC::LLInt::getOpcode):
        (JSC::LLInt::getOpcodeWide16):
        (JSC::LLInt::getOpcodeWide32):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter64.asm:
        * llint/WebAssembly.asm:
        * offlineasm/arm.rb:
        * offlineasm/cloop.rb:
        * offlineasm/x86.rb:
        * runtime/JSCConfig.cpp:
        (JSC::Config::singleton):
        * runtime/JSCConfig.h:

2020-09-21  Basuke Suzuki  <basuke.suzuki@sony.com>

        [WinCairo][PlayStation] Support different instances of listener client.
        https://bugs.webkit.org/show_bug.cgi?id=216733

        Reviewed by Don Olmstead.

        Currently RemoteInspectorSocketEndpoint support one client instance for all
        listeners. This patch allows listeners to create its own listener client on
        accept timing.

        * inspector/remote/RemoteControllableTarget.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
        (Inspector::RemoteInspectorConnectionClient::didReceive):
        * inspector/remote/socket/RemoteInspectorConnectionClient.h:
        * inspector/remote/socket/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::start):
        (Inspector::RemoteInspectorServer::doAccept):
        * inspector/remote/socket/RemoteInspectorServer.h:
        * inspector/remote/socket/RemoteInspectorSocket.cpp:
        (Inspector::RemoteInspector::didClose):
        * inspector/remote/socket/RemoteInspectorSocket.h:
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
        (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint):
        (Inspector::RemoteInspectorSocketEndpoint::~RemoteInspectorSocketEndpoint):
        (Inspector::RemoteInspectorSocketEndpoint::listenInet):
        (Inspector::RemoteInspectorSocketEndpoint::workerThread):
        (Inspector::RemoteInspectorSocketEndpoint::generateConnectionID):
        (Inspector::RemoteInspectorSocketEndpoint::createClient):
        (Inspector::RemoteInspectorSocketEndpoint::disconnect):
        (Inspector::RemoteInspectorSocketEndpoint::createListener):
        (Inspector::RemoteInspectorSocketEndpoint::invalidateClient):
        (Inspector::RemoteInspectorSocketEndpoint::invalidateListener):
        (Inspector::RemoteInspectorSocketEndpoint::getPort const):
        (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
        (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
        (Inspector::RemoteInspectorSocketEndpoint::send):
        (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:

2020-09-21  Keith Miller  <keith_miller@apple.com>

        Functions should consistently enumerate length before name
        https://bugs.webkit.org/show_bug.cgi?id=216789

        Reviewed by Yusuke Suzuki.

        In https://github.com/tc39/ecma262/pull/2116, which has been
        approved to be merged into the main JS spec, it's expected that
        all functions should have their length property enumerated before
        the name property. To ensure this invariant, this patch moves the
        length set into InternalFunction::finishCreation.

        There are no new tests since tests will be added to test262 when
        the spec PR is merged. Adding tests to stress just means we will
        have the same test twice, which seems like a waste.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::create):
        * API/glib/JSCCallbackFunction.cpp:
        (JSC::JSCCallbackFunction::create):
        * runtime/AggregateErrorConstructor.cpp:
        (JSC::AggregateErrorConstructor::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::AsyncFunctionConstructor::finishCreation):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
        * runtime/BigIntConstructor.cpp:
        (JSC::BigIntConstructor::finishCreation):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/FinalizationRegistryConstructor.cpp:
        (JSC::FinalizationRegistryConstructor::finishCreation):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::finishCreation):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::GeneratorFunctionConstructor::finishCreation):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::createFunctionThatMasqueradesAsUndefined):
        * runtime/InternalFunction.h:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDisplayNamesConstructor.cpp:
        (JSC::IntlDisplayNamesConstructor::finishCreation):
        * runtime/IntlLocaleConstructor.cpp:
        (JSC::IntlLocaleConstructor::finishCreation):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::finishCreation):
        * runtime/IntlRelativeTimeFormatConstructor.cpp:
        (JSC::IntlRelativeTimeFormatConstructor::finishCreation):
        * runtime/IntlSegmenterConstructor.cpp:
        (JSC::IntlSegmenterConstructor::finishCreation):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::JSTypedArrayViewConstructor::finishCreation):
        * runtime/MapConstructor.cpp:
        (JSC::MapConstructor::finishCreation):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructorBase::finishCreation):
        * runtime/NullGetterFunction.h:
        * runtime/NullSetterFunction.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/ProxyConstructor.cpp:
        (JSC::ProxyConstructor::finishCreation):
        * runtime/ProxyRevoke.cpp:
        (JSC::ProxyRevoke::finishCreation):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::SetConstructor::finishCreation):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/SymbolConstructor.cpp:
        (JSC::SymbolConstructor::finishCreation):
        * runtime/WeakMapConstructor.cpp:
        (JSC::WeakMapConstructor::finishCreation):
        * runtime/WeakObjectRefConstructor.cpp:
        (JSC::WeakObjectRefConstructor::finishCreation):
        * runtime/WeakSetConstructor.cpp:
        (JSC::WeakSetConstructor::finishCreation):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyGlobalConstructor.cpp:
        (JSC::WebAssemblyGlobalConstructor::finishCreation):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::WebAssemblyInstanceConstructor::finishCreation):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::WebAssemblyMemoryConstructor::finishCreation):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::finishCreation):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::WebAssemblyTableConstructor::finishCreation):

2020-09-21  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Proxy should be trapped if base value is primitive
        https://bugs.webkit.org/show_bug.cgi?id=216764

        Reviewed by Darin Adler.

        While we have special care in JSObject::putInline etc., we missed it in JSValue::putToPrimitive.
        So, if proxy exists in the prototype chain for the primitive values (e.g. StringPrototype -> Proxy chain),
        we miss the Proxy trap. We should have ProxyObject special check in JSValue::putToPrimitive too.

        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):

2020-09-20  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Drop Options::useBigInt
        https://bugs.webkit.org/show_bug.cgi?id=216743

        Reviewed by Darin Adler.

        Now BigInt is shipped. Let's just remove Options::useBigInt.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOpImpl):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseHex):
        (JSC::Lexer<T>::parseBinary):
        (JSC::Lexer<T>::parseOctal):
        (JSC::Lexer<T>::parseDecimal):
        * runtime/JSGlobalObject.h:
        * runtime/OptionsList.h:

2020-09-20  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, use RELEASE_AND_RETURN to suppress exception verification failure
        https://bugs.webkit.org/show_bug.cgi?id=216686
        <rdar://problem/69157632>

        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::defineOwnProperty):

2020-09-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Generator declaration should not be allowed in single statement context
        https://bugs.webkit.org/show_bug.cgi?id=216720

        Reviewed by Ross Kirsling.

        Generator declaration in single statement context (like the following code) should be syntax error.
        We already made async function / async generator function syntax error. We should apply the same rule
        to generator declaration too.

            if (false)
                function * gen() { }

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseSingleFunction):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseFunctionDeclarationStatement):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        * parser/Parser.h:

2020-09-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] PreciseAllocation's isNewlyAllocated flag should be propagated from isMarked at GC begin phase to make isLive correct
        https://bugs.webkit.org/show_bug.cgi?id=216717

        Reviewed by Mark Lam.

        When starting full GC, at beginMarking, PreciseAllocation's mark bit is cleared to be usable for upcoming marking.
        However, this means that HeapCell::isLive will see this object as dead until it is marked.
        Let's consider that this object is not newly allocated one. Then, its isNewlyAllocated is false. And now mark bit
        is also cleared. Since PreciseAllocation::isLive is isNewlyAllocated || isMarked, then it looks dead, while it is live.
        This confuses HeapCell:isLive function and makes some of watchpoints perform wrong decisions (e.g. this condition is
        no longer valid, let's just discard it).
        At the beginning of full collection, we should propagate the old mark bit to isNewlyAllocated so that it looks live
        during marking. This is similar trick to MarkedBlock::aboutToMark.

        * heap/PreciseAllocation.cpp:
        (JSC::PreciseAllocation::flip):

2020-09-18  Saam Barati  <sbarati@apple.com>

        console APIs shouldn't crash making a string that's too long for a console warning when using user provided labels
        https://bugs.webkit.org/show_bug.cgi?id=216709
        <rdar://problem/68275357>

        Reviewed by Mark Lam and Devin Rousso.

        Various console APIs send warnings when a label can't be found. These warnings
        include the label itself. If this label has a long enough length, when we make
        these warning strings, we can crash, because we exceed max string length.
        This patch fixes this by truncating the label everywhere it's used if it
        exceeds a length of 10000.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::profile):
        * inspector/ScriptArguments.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::startTiming):
        (Inspector::InspectorConsoleAgent::logTiming):
        (Inspector::InspectorConsoleAgent::stopTiming):
        (Inspector::InspectorConsoleAgent::count):
        (Inspector::InspectorConsoleAgent::countReset):

2020-09-18  Keith Miller  <keith_miller@apple.com>

        DFG should ensure there are PhantomLocals for the taken block of op_jneq_ptr
        https://bugs.webkit.org/show_bug.cgi?id=216669

        Reviewed by Saam Barati.

        Right now, if there is a local that is live on the taken branch but dead on
        not-taken branch then nothing will preserve it for OSR exit. This patch simply
        adds a PhantomLocal for each live operand for the first bytecode of the taken block.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2020-09-18  Paulo Matos  <pmatos@igalia.com>

        Unified build fixes from ARMv7 build failures
        https://bugs.webkit.org/show_bug.cgi?id=216698

        Reviewed by Adrian Perez de Castro.

        * llint/LLIntThunks.cpp:
        * runtime/FileBasedFuzzerAgent.cpp:
        * runtime/FunctionExecutableDump.cpp:
        * runtime/NativeExecutable.cpp:
        * runtime/WeakMapImpl.cpp:

2020-09-17  Mark Lam  <mark.lam@apple.com>

        Use OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) in speculationFromCell()'s isSanePointer().
        https://bugs.webkit.org/show_bug.cgi?id=216638

        Reviewed by Saam Barati.

        We should be using OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) instead of assuming the
        width of the pointer address bits.

        * bytecode/SpeculatedType.cpp:
        (JSC::isSanePointer):

2020-09-17  Devin Rousso  <drousso@apple.com>

        Web Inspector: REGRESSION(r266885): fix open source build
        https://bugs.webkit.org/show_bug.cgi?id=216675

        Reviewed by Timothy Hatcher.

        Add back methods used by `WebInspector.framework`.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::getInteger): Added.
        (Inspector::BackendDispatcher::getDouble): Added.
        (Inspector::BackendDispatcher::getString): Added.

2020-09-17  Tadeu Zagallo  <tzagallo@apple.com>

        Inconsistent loop exit assertion in B3ReduceLoopStrength
        https://bugs.webkit.org/show_bug.cgi?id=216274
        <rdar://problem/68513573>

        Reviewed by Keith Miller.

        On B3ReduceLoopStrength, we first calculate where the loop exits to, and ensure there's only
        one exit target. Later on, we compute how many places within the loop exit to that single exit
        target. Currently, we assume that having a single target implies that we'll only ever have one
        exit point, which is incorrect. To fix it, instead of asserting there should only be one exit
        point, we just bail if we find more than one.

        * b3/B3ReduceLoopStrength.cpp:
        (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy):

2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Async generator default-export is not handled
        https://bugs.webkit.org/show_bug.cgi?id=216643

        Reviewed by Ross Kirsling.

        `export default async function * test() { }` syntax should be correctly handled.
        This patch adds the code retrieving "test" name from the above declaration correctly.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseExportDeclaration):

2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Update JSModuleNamespaceObject::defineOwnProperty
        https://bugs.webkit.org/show_bug.cgi?id=216640

        Reviewed by Ross Kirsling.

        This patch implements spec update of JSModuleNamespaceObject::defineOwnProperty.
        We implement https://tc39.es/ecma262/#sec-module-namespace-exotic-objects-defineownproperty-p-desc precisely.

        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
        (JSC::JSModuleNamespaceObject::deleteProperty):
        (JSC::JSModuleNamespaceObject::getOwnPropertyNames):
        (JSC::JSModuleNamespaceObject::defineOwnProperty):

2020-09-17  Mark Lam  <mark.lam@apple.com>

        Add some pointer sanity checks to speculationFromCell().
        https://bugs.webkit.org/show_bug.cgi?id=216638
        rdar://23226333

        Reviewed by Yusuke Suzuki.

        Add some sanity checks to mitigate against some potential pointer corruptions
        from profiling data.  The goal here is not to exhaustively filter out all possible
        bad pointers, but simply to filter out as many as possible to reduce crashes from
        such bad pointers, and to do so with the least possible performance impact.

        It is OK to do such filtering here because we're only trying to compute a
        SpeculatedType from the pointer.  If the pointer is bad, we can just return
        SpecNone indicating that we don't have any info to speculate on.

        * bytecode/SpeculatedType.cpp:
        (JSC::isSanePointer):
        (JSC::speculationFromCell):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::tryGet):
        * runtime/VM.h:
        (JSC::VM::tryGetStructure):

2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        Support export namespace `export * as ns`
        https://bugs.webkit.org/show_bug.cgi?id=214379

        Reviewed by Ross Kirsling.

        This patch supports `export * as ns from "module"` syntax. If it is used, we expose "module"'s namespace object as "ns".
        For each module environment, we create *namespace* (starNamespace) private symbol scope variable. And we fill it later
        with module namespace object. This way allows us to use module namespace object IC and super fast imported module binding
        lookup though environment variable lookup mechanism.

        * builtins/BuiltinNames.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * parser/NodesAnalyzeModule.cpp:
        (JSC::ExportNamedDeclarationNode::analyzeModule):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseExportDeclaration):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::ExportEntry::createNamespace):
        (JSC::AbstractModuleRecord::resolveExportImpl):
        (JSC::AbstractModuleRecord::getModuleNamespace):
        (JSC::AbstractModuleRecord::setModuleEnvironment):
        (JSC::AbstractModuleRecord::dump):
        * runtime/AbstractModuleRecord.h:
        * runtime/CommonIdentifiers.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::name):
        (JSC::JSFunction::reifyName):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::instantiateDeclarations):
        (JSC::JSModuleRecord::evaluate):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::finishCreation):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Optimize Promise#finally by avoiding creating multiple environments
        https://bugs.webkit.org/show_bug.cgi?id=216637

        Reviewed by Ross Kirsling.

        Let's just create functions inside Promise#finally. This avoids creating
        multiple lexical environments that are captured by each function.

        * builtins/PromisePrototype.js:
        (finally):
        (globalPrivate.getThenFinally): Deleted.
        (globalPrivate.getCatchFinally): Deleted.

2020-09-16  Saam Barati  <sbarati@apple.com>

        Don't IC a null custom accessor/value setter
        https://bugs.webkit.org/show_bug.cgi?id=216620
        <rdar://problem/68976066>

        Reviewed by Mark Lam.

        Our runtime allows CustomGetterSetter objects setter field to not contain an
        actual C function to call. In such a scenario, the runtime just does nothing
        except return false to the ::put code (which may result in throwing an
        exception in strict mode code). 
        
        However, our IC code never considered whether this function could be nullptr.
        The fix here is simple: don't IC such custom accessor/value setters.

        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::isCacheableCustom const):

2020-09-16  Philippe Normand  <pnormand@igalia.com>

        [Flatpak SDK][WPE] Launching the remote inspector kills MB
        https://bugs.webkit.org/show_bug.cgi?id=213899

        Reviewed by Adrian Perez de Castro.

        Load inspector resources from developer build artefacts, when the inspector server is
        running in this configuration. Fall back to system libraries loading mechanism otherwise.

        * inspector/remote/glib/RemoteInspectorUtils.cpp:
        (Inspector::backendCommands):

2020-09-16  Adrian Perez de Castro  <aperez@igalia.com>

        Non-unified build fixes, early September 2020 edition
        https://bugs.webkit.org/show_bug.cgi?id=216599

        Unreviewed build fix.

        Largely based on a patch by Lauro Moura <lmoura@igalia.com>

        * runtime/IntlCache.cpp: Add missing wtf/Vector.h include.
        * runtime/IntlCache.h: Add missing wtf/text/CString.h include.
        * runtime/IntlNumberFormatPrototype.cpp: Replace IntlNumberFormat.h
        include with IntlNumberFormatInlines.h to fix linking.

2020-09-15  Saam Barati  <sbarati@apple.com>

        JSImmutableButterfly::get needs to return jsDoubleNumber for double arrays
        https://bugs.webkit.org/show_bug.cgi?id=216589
        <rdar://problem/68061245>

        Reviewed by Yusuke Suzuki.

        We are using JSImmutableButterfly::get in AI to constant fold GetByVal,
        but we were failing to always return a boxed double value for double loads.
        We were calling jsNumber instead of jsDooubleNumber. This is in contrast to
        the runtime, which always returns a double boxed value. This would lead AI
        to disagree with the runtime, and miscompile code.

        * runtime/JSImmutableButterfly.h:
        (JSC::JSImmutableButterfly::get const):

2020-09-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Cache UDateTimePatternGenerator
        https://bugs.webkit.org/show_bug.cgi?id=213454

        Reviewed by Ross Kirsling.

        ICU udatpg_open function is particularly slow. As a result, 80~% of time is used by this function when calling Date#toLocaleString.
        We should have last-used cache in VM, which covers major cases like, "One locale (possibly default locale) is used and continuously
        use toLocaleString with that locale".

        This significantly improves toLocaleString / toLocaleDateString / toLocaleTimeString performance.

                                                   ToT                     Patched

            date-to-locale-string           392.0092+-0.6811     ^     87.3196+-3.1598        ^ definitely 4.4894x faster
            date-to-locale-date-string      377.9117+-7.8701     ^     70.4155+-3.6661        ^ definitely 5.3669x faster
            date-to-locale-time-string      373.1970+-3.0142     ^     67.3790+-2.8952        ^ definitely 5.5388x faster


        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/IntlCache.cpp: Added.
        (JSC::IntlCache::cacheSharedPatternGenerator):
        (JSC::IntlCache::getBestDateTimePattern):
        * runtime/IntlCache.h: Added.
        (JSC::IntlCache::getSharedPatternGenerator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::intlCache):

2020-09-15  HyeockJin Kim  <kherootz@gmail.com>

        Check whether the iterator is callable in spread
        https://bugs.webkit.org/show_bug.cgi?id=215974

        Reviewed by Darin Adler.

        * builtins/IteratorHelpers.js:
        (performIteration):

2020-09-15  Tadeu Zagallo  <tzagallo@apple.com>

        Object allocation sinking forgets escaped nodes when structure changes
        https://bugs.webkit.org/show_bug.cgi?id=216214
        <rdar://problem/68518460>

        Reviewed by Saam Barati.

        Consider the following program:
            bb0:
                a: NewObject
                b: CreateActivation()
                _: Branch(bb2, bb1)
            bb1:
                _: PutByOffset(a, 'x', 42)
                _: PutStrucute(a, {x: 0})
                _: Branch(bb2, bb1)
            bb2:
                _: CheckStructure(a, {x: 0})
                _: PutClosureVar(b, 0, Kill:a)
                _: Branch(bb3, bb2)
            bb3:
                c: GetClosureVar(b, 0)
                _: PutByOffset(global, 'y', c)
                _: Return

        Due to the order we visit the program, we'll visit bb2 before bb1. The first time we visit bb2, heapAtHead will be:
            #@a: ObjectAllocation({})
            #@b: ActivationAllocation()
            @a => #@a
            @b => #@b

        Now CheckStructure would always fail, so it will escape @a and heapAtTail will be:
            #@a: EscapedAllocation()
            #@b: ActivationAllocation()
            @a => #@a
            @b => #@b

        And after pruning:
            #@b: ActivationAllocation()
            @b => #@b

        Now, we'll visit bb3 and then bb1. When we visit bb1 we'll set the structure {x: 0} for the #@a and eventually visit bb2 again. This time around CheckStructure will no longer escape @a, since the allocation has the right structure, and heapAtTail will be:
            #@a: ObjectAllocation({x: 0})
            #@b: ActivationAllocation(0: #@a)
            @b => #@b

        However, we now have to merge into bb3, which has heapAtHead:
            #@b: ActivationAllocation()
            @b => #@b

        Since we can't add the extra field to the activation, we'll end up escaping @a at the edge and therefore pruning #@b, which will leave the heap for bb3 unchanged.
        That's a problem, since PutClosureVar didn't see the escaped object, but GetClosureVar thinks it's escaped. The materialization for @a will be placed after the
        PutClosureVar, at end of bb2, when the node is already dead. When computing the SSA defs, the PutByOffset at bb3 will then see @a (which at this point will be a
        PhantomNewObject) instead of its materialization.

        The issue happens because we don't allow allocations to add extra fields while merging, but we do allow adding new structures. This results in different decisions
        being made about what escapes in CheckStructure and MultiGetByOffset. To avoid this problem, we track two sets of structures: structures and structuresForMaterialization.
        The first is used for checks and should never grow while the second is used for materialization and is allowed to grow.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2020-09-15  Saam Barati  <sbarati@apple.com>

        CustomFunctionEquivalence PropertyCondition needs to check if the structure has the property
        https://bugs.webkit.org/show_bug.cgi?id=216575
        <rdar://problem/68286930>

        Reviewed by Yusuke Suzuki.

        The CustomFunctionEquivalence PropertyCondition would only return false to
        isStillValidAssumingImpurePropertyWatchpoint if the Structure's static
        property table was reified or if the static property table did not contain the
        property. However, this missed the obvious case of where we store to this
        property in normal object storage without reifying the static property table.
        The fix here is simple: we first check if the Structure's property table
        has this property, and if so, return false.
        
        This patch also renames CustomFunctionEquivalence to HasStaticProperty to
        better capture what we're doing.

        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::hasStaticProperty):
        (JSC::ObjectPropertyCondition::customFunctionEquivalence): Deleted.
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition const):
        (JSC::ObjectPropertyConditionSet::slotBaseCondition const):
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext const):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::isStillValid const):
        (JSC::PropertyCondition::isWatchableWhenValid const):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::hasStaticProperty):
        (JSC::PropertyCondition::hash const):
        (JSC::PropertyCondition::operator== const):
        (JSC::PropertyCondition::customFunctionEquivalence): Deleted.
        * tools/JSDollarVM.cpp:
        (JSC::functionCreateStaticCustomValue):
        (JSC::JSDollarVM::finishCreation):

2020-09-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Apply Intl.DateTimeFormat hour-cycle correctly when timeStyle is used
        https://bugs.webkit.org/show_bug.cgi?id=216521

        Reviewed by Ross Kirsling.

        When specifying timeStyle in Intl.DateTimeFormat, we need to check that the generated format also follows to the hourCycle / hour12 options
        specified in the constructor. Because dayPeriod can be included automatically, just replacing symbols after generating a pattern can dump strange result.
        For example, the generated one is something like "02:12:47 PM Coordinated Universal Time". And we adjust the pattern to make it "14:12:47 PM Coordinated Universal Time"
        when hourCycle H23 / H24 is specified. But this looks strange since dayPeriod "PM" should not exist when using H23 / H24.

        In this patch, we revise our hour-cycle handling in Intl.DateTimeFormat. We align our behavior to SpiderMonkey's one[1] rather than the spec's one: when hour12 is specified,
        we will just use 'H' or 'h' skeleton and do not enforce hour-cycle after generating pattern in hour12 case. If hour12 is not specified, then we use 'h' or 'H' skeleton
        symbols based on hour-cycle, and later we modify the pattern based on hour-cycle. If both are not offered, we use 'j' which allows ICU to pick preferable one.
        This is slightly different behavior to the spec (hcDefault etc.) but the spec's behavior can cause a bit surprising result[2,3], and SpiderMonkey like behavior will be
        integrated into the spec eventually[4].

        [1]: https://github.com/tc39/ecma402/issues/402#issuecomment-623628320
        [2]: https://github.com/tc39/ecma402/issues/402
        [3]: https://bugs.chromium.org/p/chromium/issues/detail?id=1045791
        [4]: https://github.com/tc39/ecma402/pull/436

        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::setFormatsFromPattern):
        (JSC::IntlDateTimeFormat::parseHourCycle):
        (JSC::IntlDateTimeFormat::hourCycleFromPattern):
        (JSC::IntlDateTimeFormat::replaceHourCycleInSkeleton):
        (JSC::IntlDateTimeFormat::replaceHourCycleInPattern):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::hourCycleString):
        (JSC::IntlDateTimeFormat::resolvedOptions const):
        (JSC::IntlDateTimeFormat::createDateIntervalFormatIfNecessary):
        * runtime/IntlDateTimeFormat.h:

2020-09-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Intl.Collator should take collation option
        https://bugs.webkit.org/show_bug.cgi?id=216529

        Reviewed by Ross Kirsling.

        This patch adds "collation" option to Intl.Collator. We are already getting consensus[1], and will be integrated into the spec.
        Previously, passing "collation" is only available through "-u-co-" unicode extension in the passed locale. The proposal exposes
        collation option as an option to Intl.Collator so that we can set it easily.
        "collation" is used only when "usage" is "sort". "search" usage will filter out collation options since "search" itself is one of
        the "collation" option.

        [1]: https://github.com/tc39/ecma402/pull/459

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::sortLocaleData):
        (JSC::IntlCollator::initializeCollator):

2020-09-15  Joonghun Park  <jh718.park@samsung.com>

        Unreviewed. Remove the build warning below since r228533.
        warning: ‘%40s’ directive argument is null [-Wformat-overflow=]

        Since gcc which has version >= 9 is stricter about passing null string
        pointers to printf-like functions, add null string pointer check
        to fix the warning proactively.

        * jsc.cpp:
        (runJSC):

2020-09-14  Keith Miller  <keith_miller@apple.com>

        BytecodeParser should GetLocal op_ret's value even if it's unused by the caller
        https://bugs.webkit.org/show_bug.cgi?id=216506

        Reviewed by Mark Lam.

        We have to unconditionally GetLocal operands each bytecode claims to use
        regardless of true liveness. This is important to keep OSRAvailability simple.
        However, op_ret would only GetLocal the return value if we knew the value
        was going to be used by an inline caller.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>

        Proxy's "ownKeys" trap result should not be sorted
        https://bugs.webkit.org/show_bug.cgi?id=216227

        Reviewed by Yusuke Suzuki.

        Given that we can't know whether ownPropertyKeys() received property names from
        userland Proxy's "ownKeys" trap, this patch moves symbols after strings sorting [1]
        to Structure::getPropertyNamesFromStructure(), aligning observed property order
        (via Proxy's "getOwnPropertyDescriptor" trap) with V8 and SpiderMonkey.

        Also, removes sorting logic duplication in objectConstructorAssign().

        This change is neutral on provided Reflect.ownKeys microbenchmark. Although property
        name collection besides PropertyNameMode::StringsAndSymbols cases is unaffected,
        Object.{keys,getOwnPropertySymbols} microbenchmarks regress by 6-12% due to
        increased Structure::getPropertyNamesFromStructure() code size.

        [1]: https://tc39.es/ecma262/#sec-ordinaryownpropertykeys (steps 3-4)

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):
        (JSC::ownPropertyKeys):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):

2020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>

        ArraySetLength should coerce [[Value]] before descriptor validation
        https://bugs.webkit.org/show_bug.cgi?id=158791

        Reviewed by Darin Adler.

        This patch:

        1. Moves [[Value]] coercion before descriptor validation as per spec [1],
           which fixes ASSERT() failure and aligns JSC with V8 & SpiderMonkey.

        2. Prevents JSArray::setLengthWithArrayStorage() from throwing if the length
           is unchanged, even if it's read-only [2].

        3. Refactors JSArray::defineOwnProperty() leveraging #2 to always perform
           setLength(), which greatly reduces the number of checks, branches,
           and setLengthWritable() calls.

        Following the ArraySetLength spec steps precisely [1] would result in
        more difficult-to-follow code because descriptor validation [2] is inlined
        and [[Delete]] failures are handled in setLength().

        This change is performance-neutral as it doesn't affect JSArray::put(),
        which was vetted to be spec-correct and is covered by test262 suite.

        [1]: https://tc39.es/ecma262/#sec-arraysetlength (steps 3-4)
        [2]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor (step 7.a.ii)

        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::setLengthWithArrayStorage):

2020-09-14  Saam Barati  <sbarati@apple.com>

        Remove bogus asserts in FTLLower that assume programs are compiled with sensible speculations
        https://bugs.webkit.org/show_bug.cgi?id=216485
        <rdar://problem/68562804>

        Reviewed by Keith Miller.

        We had an assert inside lowCell that if a value was not part of the JSValue
        hashmap of values, then the type must not conform to being a cell. However,
        consider a program like this:
        
        ```
        x = ArithAdd(i32, i32) <-- x is an i32 here
        if (b) {
            Check(Cell:@x)
            ArrayifyToStructure(@x, thingy)
        }
        <-- HERE
        ```
        
        @x will live in FTLLower's i32 hashmap, but because of the AI rule for
        ArrayifyToStructure, it will also have SpecCell in its type. This is totally
        valid, and asserting that this isn't possible is wrong. (Obviously the above
        speculation is stupid, as we will always exit at the Check, but it's valid IR.)
        
        This patch removes this assertion from lowCell, and removes similar assertions
        from other low* functions.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::lowDouble):

2020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>

        Make a few built-in methods throw if called as top-level functions
        https://bugs.webkit.org/show_bug.cgi?id=216467

        Reviewed by Darin Adler.

        Non-strict userland functions substitute undefined & null `this` values
        with the global object [1], while built-in functions do not [2].

        This patch adds 5 missing toThis(globalObject, ECMAMode::strict()) calls,
        preventing built-in methods from being called as top-level functions:

        ```
        let {toString} = Error.prototype;
        toString(); // now throws TypeError
        ```

        Aligns JSC with V8 and SpiderMonkey.
        This change is performance-neutral due to DFG inlining of OpToThis.
        All other callFrame->thisValue() usages were vetted to be spec-correct.

        [1]: https://tc39.es/ecma262/#sec-ordinarycallbindthis (step 6.a.iii)
        [2]: https://tc39.es/ecma262/#sec-built-in-function-objects-call-thisargument-argumentslist (step 10)

        * runtime/ArrayPrototype.cpp:
        (JSC::createArrayIteratorObject):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToPrimitiveSymbol):
        (JSC::dateProtoFuncToJSON):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):

2020-09-14  Devin Rousso  <drousso@apple.com>

        Web Inspector: REGRESSION(r266885): dyld: Symbol not found: __ZN9Inspector17BackendDispatcher12sendResponseElON3WTF6RefPtrINS1_8JSONImpl6ObjectENS1_13DumbPtrTraitsIS4_EEEEb
        https://bugs.webkit.org/show_bug.cgi?id=216486

        Reviewed by Joseph Pecoraro.

        * inspector/InspectorBackendDispatcher.h:
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::sendResponse):
        Add back overloads removed in r266885 so that the symbols exist.

2020-09-14  Saam Barati  <sbarati@apple.com>

        Don't assume byte code operands are uint32 JSValues
        https://bugs.webkit.org/show_bug.cgi?id=216386

        Reviewed by Yusuke Suzuki.

        The slow path for enumerator_generic_pname was assuming that its input index operand
        would always be a UInt32 JSValue boxed as int32. However, this assumption isn't true
        because that value can have double format in the DFG, and remain in that format when
        we exit from the DFG to baseline/LLInt code.
        
        This was found via the widening number fuzzing agent.
        
        I also audited two more places that seem like they suffer from the same issue,
        and also switched them to using the asUInt32AsAnyInt function:
        - enumerator_structure_pname
        - create_rest

        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2020-09-11  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Canonicalize "true" unicode extension type value to ""
        https://bugs.webkit.org/show_bug.cgi?id=216224

        Reviewed by Ross Kirsling.

        Unicode Technical Standard #35 defines that unicode extension type's "true" should be converged to "".
        This patch implements it by extracting unicode extension subtags and replacing "true" to "".

        * runtime/IntlLocale.cpp:
        (JSC::LocaleIDBuilder::toCanonical):
        (JSC::IntlLocale::keywordValue const):
        (JSC::IntlLocale::calendar):
        (JSC::IntlLocale::caseFirst):
        (JSC::IntlLocale::collation):
        (JSC::IntlLocale::hourCycle):
        (JSC::IntlLocale::numberingSystem):
        (JSC::IntlLocale::numeric):
        * runtime/IntlLocale.h:
        * runtime/IntlLocalePrototype.cpp:
        (JSC::IntlLocalePrototypeGetterCalendar):
        (JSC::IntlLocalePrototypeGetterCaseFirst):
        (JSC::IntlLocalePrototypeGetterCollation):
        (JSC::IntlLocalePrototypeGetterHourCycle):
        (JSC::IntlLocalePrototypeGetterNumberingSystem):
        * runtime/IntlObject.cpp:
        (JSC::unicodeExtensionSubTags):
        (JSC::canonicalizeUnicodeExtensionsAfterICULocaleCanonicalization):
        (JSC::languageTagForLocaleID):
        (JSC::resolveLocale):
        * runtime/IntlObject.h:
        * runtime/IntlObjectInlines.h:
        (JSC::computeTwoCharacters16Code):
        * runtime/StringPrototype.cpp:
        (JSC::computeTwoCharacters16Code): Deleted.

2020-09-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] attribute-change transition should not pin Structure
        https://bugs.webkit.org/show_bug.cgi?id=215528

        Reviewed by Saam Barati.

        This patch avoids using pin in attribute-change transition. To achieve this, attribute-change transition is now fully supported
        transition chain in forEachPropertyConcurrently etc.: we can retrieve properties with changed attributes correctly via traversing
        transition chain. And we also support attribute-change transition in materializePropertyTable, so we do not need to pin structure.

        The design largely mimics existing removePropertyTransition and addPropertyTransition. This patch also adds `hasBeenDictionary()`
        check before adding structure to the transition so that we can avoid adding unnecessary structure entry to the transition table.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
        * jit/Repatch.cpp:
        (JSC::tryCacheDeleteBy):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::addNewPropertyTransition):
        (JSC::Structure::removePropertyTransitionFromExistingStructureImpl):
        (JSC::Structure::removeNewPropertyTransition):
        (JSC::Structure::attributeChangeTransitionToExistingStructure):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::nonPropertyTransitionSlow):
        (JSC::Structure::attributeChange):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::forEachPropertyConcurrently):
        (JSC::Structure::attributeChange):
        (JSC::Structure::attributeChangeWithoutTransition):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVMHelper::functionGetStructureTransitionList):

2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] customGetterSetterFunctionCall should have proper exception checking
        https://bugs.webkit.org/show_bug.cgi?id=216391
        <rdar://problem/68631643>

        Reviewed by Mark Lam.

        Add appropriate exception checking to customGetterSetterFunctionCall.

        * runtime/JSCustomGetterSetterFunction.cpp:
        (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):

2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add exception checks to JSCallbackObject
        https://bugs.webkit.org/show_bug.cgi?id=216384
        <rdar://problem/68632190>

        Reviewed by Saam Barati.

        This patch adds necessary exception checks to JSCallbackObject to suppress exception verifier crash in Debug build.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::defaultValue):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):

2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] agent start function should move isolated copy of source
        https://bugs.webkit.org/show_bug.cgi?id=216383
        <rdar://problem/66371008>

        Reviewed by Saam Barati.

        We are calling `isolatedCopy()` and setting it to variable in caller thread. And we are copying it to the thread.
        This means that ref-count will happen in caller thread and callee thread, this is wrong.
        We should pass isolatedCopy string directly to the callee thread.

        * jsc.cpp:
        (functionDollarAgentStart):

2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] unshift / shift should take structure lock
        https://bugs.webkit.org/show_bug.cgi?id=216378
        <rdar://problem/68496096>

        Reviewed by Mark Lam.

        When unshifting / shifting butterfly, we need to move property storage values too.
        If property storage values are moved while concurrent JIT compiler is accessing it, it could include garbage value.

        For example, concurrent JIT compiler is accessing [2] property storage.

                            1          2         3
                       [ JSValue ][ JSValue ][ Header ]

        But unshift moved it like this.

                            1          2         3
            [ JSValue ][ JSValue ][ Header ]

        Since butterfly pointer held by JSObject is not updated yet, concurrent JIT compiler will read [ Header ] as JSValue and crash.
        In this patch, we take structure lock when shifting existing butterfly since this affect on property storage. Since JSObject::getDirectConcurrently
        takes a structure lock, this locking prevents concurrent compilers from getting an invalid value.

        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):

2020-09-10  Joonghun Park  <jh718.park@samsung.com>

        Unreviewed. Remove the build warning below since r266885.
        warning: redundant move in return statement [-Wredundant-move]

        Because return statement already returns rvalue reference,
        we don't need WTFMove at return.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):

2020-09-10  Alexey Shvayka  <shvaikalesh@gmail.com>

        Promise.prototype.finally should perform PromiseResolve
        https://bugs.webkit.org/show_bug.cgi?id=176006

        Reviewed by Yusuke Suzuki.

        This patch extracts @promiseResolve global private function and utilizes it in
        Promise.prototype.finally then/catch functions [1] to avoid creating an extra
        Promise Capability. Aligns JSC with V8 and SpiderMonkey.

        [1]: https://tc39.es/ecma262/#sec-thenfinallyfunctions (step 7)

        * builtins/PromiseConstructor.js:
        (resolve):
        * builtins/PromiseOperations.js:
        (globalPrivate.promiseResolve):
        * builtins/PromisePrototype.js:
        (globalPrivate.getThenFinally):
        (globalPrivate.getCatchFinally):

2020-09-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: modernize generated backend protocol code
        https://bugs.webkit.org/show_bug.cgi?id=216302
        <rdar://problem/68547649>

        Reviewed by Brian Burg.

        Previously, the inspector protocol was expressed in code in a somewhat confusing way:
         - the error string was the first argument
         - required parameters were `T` or `const T&`
         - optional parameters were `const T*`
         - enum parameters were the underlying type requiring the backend dispatcher handler to
           process it instead of it being preprocessed
         - required returns were `T&`
         - optional returns were `T*`
        This doesn't really make for easy/obvious reading of code since the order of arguments is
        not weird (e.g. error string first), and that there are references/pointers to primitive
        types.

        This patch cleans up the generated inspector protocol code to be:
         - required parameters are `T` or `Ref<T>&&`
         - optional parameters are `Optional<T>&&` or `RefPtr<T>&&`
         - enum parameters are preprocessed and passed to the backend dispatcher handler if valid
         - synchronous commands return `Expected<X, ErrorString>` using the same types/rules above
           where `X` is either a single return or a `std::tuple` of multiple returns

        The one exception to the above is `String`, which is already a tri-state of `nullString()`,
        `emptyString()`, and something set, so there's no need to use `Optional<String>`.

        Also use `Protocol` objects/`typedefs` wherever possible to further relate the protocol
        JSON and the actual backend dispatcher handler implementation.

        * inspector/scripts/codegen/generator.py:
        (Generator.generate_includes_from_entries):
        * inspector/scripts/codegen/cpp_generator_templates.py:
        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.helpers_namespace):
        (CppGenerator.cpp_getter_method_for_type):
        (CppGenerator.cpp_setter_method_for_type):
        (CppGenerator.cpp_protocol_type_for_type):
        (CppGenerator.cpp_type_for_type_member_argument): Added.
        (CppGenerator.cpp_type_for_command_parameter): Added.
        (CppGenerator.cpp_type_for_command_return_declaration): Added.
        (CppGenerator.cpp_type_for_command_return_argument): Added.
        (CppGenerator.cpp_type_for_event_parameter): Added.
        (CppGenerator.cpp_type_for_enum): Added.
        (CppGenerator.should_move_argument): Added.
        (CppGenerator.should_release_argument): Added.
        (CppGenerator.should_dereference_argument): Added.
        (CppGenerator.cpp_protocol_type_for_type_member): Deleted.
        (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Deleted.
        (CppGenerator.cpp_type_for_checked_formal_event_parameter): Deleted.
        (CppGenerator.cpp_type_for_type_member): Deleted.
        (CppGenerator.cpp_type_for_type_with_name): Deleted.
        (CppGenerator.cpp_type_for_formal_out_parameter): Deleted.
        (CppGenerator.cpp_type_for_formal_async_parameter): Deleted.
        (CppGenerator.cpp_type_for_stack_in_parameter): Deleted.
        (CppGenerator.cpp_type_for_stack_out_parameter): Deleted.
        (CppGenerator.cpp_assertion_method_for_type_member): Deleted.
        (CppGenerator.cpp_assertion_method_for_type_member.assertion_method_for_type): Deleted.
        (CppGenerator.should_use_wrapper_for_return_type): Deleted.
        (CppGenerator.should_use_references_for_type): Deleted.
        (CppGenerator.should_pass_by_copy_for_return_type): Deleted.
        * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
        (CppAlternateBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
        (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator.generate_output):
        (CppBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
        (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
        (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
        (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
        (CppBackendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter): Deleted.
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_secondary_header_includes):
        (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator._generate_secondary_header_includes):
        (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_secondary_header_includes):
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator._generate_secondary_header_includes):
        (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
        (CppProtocolTypesImplementationGenerator._generate_open_field_names):
        (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_command):
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command.and):
        (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command.in_param_expression):
        (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
        (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.protocol_type_for_type):
        (ObjCGenerator.objc_type_for_param_internal):
        (ObjCGenerator.objc_protocol_import_expression_for_parameter):

        * inspector/protocol/Page.json:
        Now that enums are processed before being passed to backend dispacher handlers, the
        `appearance` parameter of `Page.setForcedAppearance` must be marked `optional` as
        there's no way for it to accept an empty string, as that's not possible for an enum.

        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorAgent.cpp:
        * inspector/agents/InspectorAuditAgent.h:
        * inspector/agents/InspectorAuditAgent.cpp:
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorHeapAgent.cpp:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        * inspector/agents/InspectorTargetAgent.h:
        * inspector/agents/InspectorTargetAgent.cpp:
        * inspector/agents/JSGlobalObjectAuditAgent.h:
        * inspector/agents/JSGlobalObjectAuditAgent.cpp:
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        * inspector/JSGlobalObjectConsoleClient.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        Elided backend dispatcher handler changes describe above.

        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * inspector/AsyncStackTrace.h:
        * inspector/AsyncStackTrace.cpp:
        (Inspector::AsyncStackTrace::buildInspectorObject const):
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        (Inspector::InjectedScriptBase::checkCallResult):
        (Inspector::InjectedScriptBase::checkAsyncCallResult):
        * inspector/InjectedScript.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::execute):
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapJSONString const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InspectorBackendDispatcher.h:
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::getPropertyValue):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getValue):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::castToInteger): Deleted.
        (Inspector::castToNumber): Deleted.
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
        (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::assertValueHasExpectedType):
        * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
        (Inspector::RemoteInspectorConnectionClient::extractEvent):
        * inspector/remote/socket/RemoteInspectorSocket.cpp:
        (Inspector::RemoteInspector::pushListingsNow):
        * runtime/TypeSet.cpp:
        (JSC::StructureShape::inspectorRepresentation):
        `JSON` classes now use `Ref&&` wherever possible and `Optional` instead of an out parameter
        for `get*`/`as*` so that values can be more easily manipulated and can be confidently known
        to exist.

        * inspector/scripts/tests/enum-values.json:
        * inspector/scripts/tests/expected/command-targetType-matching-domain-debuggableType.json-result:
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/expected/domain-debuggableTypes.json-result:
        * inspector/scripts/tests/expected/domain-targetType-matching-domain-debuggableType.json-result:
        * inspector/scripts/tests/expected/domain-targetTypes.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/event-targetType-matching-domain-debuggableType.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/should-strip-comments.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/expected/version.json-result:

2020-09-09  Saam Barati  <sbarati@apple.com>

        OutOfBoundsSaneChain operations should use their own heap locations
        https://bugs.webkit.org/show_bug.cgi?id=216328
        <rdar://problem/68568039>

        Reviewed by Keith Miller.

        There is code in local CSE that does some basic bounds check elimination
        for PutByVal. It does this analysis by seeing if a particular heap location
        is already defined, and if so, it eliminates the bounds check for the
        PutByVal. This doesn't work for OutOfBoundsSaneChain for the obvious reason
        that these GetByVals are not proven to be in bounds. So GetByVal's in the
        OutOfBoundsSaneChain mode reusing non OutOfBoundsSaneChain heap locations
        can lead to a bug where we mistakenly remove a bounds check. The fix is to
        have all OutOfBoundsSaneChain operations use distinct heaps, and for CSE to
        not query those heaps.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::isAnySaneChain const): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:

2020-09-09  Keith Miller  <keith_miller@apple.com>

        BigInt should PACCage its data pointer
        https://bugs.webkit.org/show_bug.cgi?id=216319

        Reviewed by Yusuke Suzuki.

        * runtime/JSBigInt.h:

2020-09-09  Alexey Shvayka  <shvaikalesh@gmail.com>

        Don't emitDirectBinding() if there is a [...rest] element binding
        https://bugs.webkit.org/show_bug.cgi?id=216228

        Reviewed by Darin Adler.

        emitDirectBinding() is up for removal due to not respecting overriden or removed
        Array.prototype[Symbol.iterator]. However, dropping it slows down popular swap pattern
        `[a, b] = [b, a]` by 40% with DFG/FTL, and by a factor of 6 with baseline JIT only.

        Until we figure out the best way to preserve common case performance, this patch
        prevents `let [...rest] = [1]` from ending up as a number instead of an array,
        aligning JSC with V8 and SpiderMonkey.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::emitDirectBinding):

2020-09-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] returnEarlyFromInfiniteLoopsForFuzzing should return object
        https://bugs.webkit.org/show_bug.cgi?id=216289
        <rdar://problem/68496533>

        Reviewed by Saam Barati.

        When returning early with returnEarlyFromInfiniteLoopsForFuzzing, we are returning with undefined.
        But this is wrong when the callee is constructor since constructor is strongly assumed that it returns an object.
        We should return some object from returnEarlyFromInfiniteLoopsForFuzzing. In this patch, we return global object
        associated to this callee instead of undefined

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::~CodeBlock):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        * llint/LowLevelInterpreter64.asm:

2020-09-08  Saam Barati  <sbarati@apple.com>

        re-enable TCSM on all OSs
        https://bugs.webkit.org/show_bug.cgi?id=216281

        Reviewed by Tadeu Zagallo.

        * runtime/Options.cpp:
        (JSC::defaultTCSMValue):

2020-09-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Special property caching should check Structure's cacheability
        https://bugs.webkit.org/show_bug.cgi?id=216222

        Reviewed by Saam Barati.

        While StructureRareData::cacheSpecialPropertySlow caches properties, the way it takes is incomplete.
        It is not checking Structure's cacheability. We were caching miss condition even if structure is !propertyAccessesAreCacheableForAbsence.
        We should perform the same check done in IC case. Strictly speaking, we can cache value for uncacheable-dictionary because we are setting
        property change watchpoint (which will fire). But it sounds not so profitable if this structure is uncacheable.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertToUncacheableDictionary):
        * runtime/JSObject.h:
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::cacheSpecialPropertySlow):
        * tools/JSDollarVM.cpp:
        (JSC::functionToUncacheableDictionary):
        (JSC::JSDollarVM::finishCreation):

2020-09-07  Joonghun Park  <jh718.park@samsung.com>

        Unreviewed. Remove the build warning below since r266567.
        warning: parameter ‘hint’ set but not used [-Wunused-but-set-parameter]

        * runtime/JSObject.cpp:
        (JSC::callToPrimitiveFunction):

2020-09-06  Darin Adler  <darin@apple.com>

        TextCodec refinements
        https://bugs.webkit.org/show_bug.cgi?id=216219

        Reviewed by Sam Weinig.

        * parser/Lexer.h:
        (JSC::Lexer<UChar>::isWhiteSpace): Use byteOrderMark constant.

2020-09-05  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, suppress exception checking after unwrapForOldFunctions
        https://bugs.webkit.org/show_bug.cgi?id=216193

        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):

2020-09-05  Devin Rousso  <drousso@apple.com>

        Web Inspector: allow DOM breakpoints to be configured
        https://bugs.webkit.org/show_bug.cgi?id=215795

        Reviewed by Brian Burg.

        * inspector/protocol/DOMDebugger.json:
        Add an `options` parameter to `DOMDebugger.setDOMBreakpoint` to allow configuration.

2020-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Align legacy Intl constructor behavior to spec
        https://bugs.webkit.org/show_bug.cgi?id=216193

        Reviewed by Darin Adler.

        Legacy Intl constructors (Intl.DateTimeFormat and Intl.NumberFormat) have special handling when it is called via `Intl.DateTimeFormat()` form.
        This allowed legacy Intl constructors to be used with prototype-based inheritance without using class syntax. This legacy behavior is later specified
        explicitly in the spec. So we should align our implementation to the spec's one.

            1. When defining fallback formats, we need to put them into the property which is visible via Symbol("IntlLegacyConstructedSymbol").
            2. Even if the provided thisValue is IntlDateTimeFormat* / IntlNumberFormat*, we should create another instance and put it to Symbol("IntlLegacyConstructedSymbol") field.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.cpp:
        (JSC::BuiltinNames::BuiltinNames):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::intlLegacyConstructedSymbol const):
        * runtime/CommonIdentifiers.h:
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        (JSC::callIntlDateTimeFormat):
        * runtime/IntlDateTimeFormatInlines.h: Added.
        (JSC::IntlDateTimeFormat::unwrapForOldFunctions):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
        (JSC::IntlDateTimeFormatPrototypeFuncFormatRange):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        (JSC::callIntlNumberFormat):
        * runtime/IntlNumberFormatInlines.h:
        (JSC::IntlNumberFormat::unwrapForOldFunctions):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::createDateTimeFormatConstructor):
        (JSC::createNumberFormatConstructor):
        * runtime/IntlObjectInlines.h:
        (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
        (JSC::unwrapForLegacyIntlConstructor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::dateTimeFormatConstructor):
        (JSC::JSGlobalObject::dateTimeFormatPrototype):
        (JSC::JSGlobalObject::numberFormatConstructor):
        (JSC::JSGlobalObject::numberFormatPrototype):

2020-09-04  Alexey Shvayka  <shvaikalesh@gmail.com>

        Array.prototype.push should always perform [[Set]] in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=216121

        Unreviewed, address Darin's feedback on r266581.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPush): Remove unnecessary static_cast<uint64_t>.

2020-09-04  Alexey Shvayka  <shvaikalesh@gmail.com>

        Array.prototype.push should always perform [[Set]] in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=216121

        Reviewed by Darin Adler.

        This patch fixes arrayProtoFuncPush() to throw a TypeError if putting an
        index beyond UINT32_MAX has failed, aligning JSC with the spec [1], V8,
        and SpiderMonkey. Also, refactors the method leveraging putByIndexInline().

        Array.prototype.push microbenchmarks, including varargs tests, are neutral.

        [1]: https://tc39.es/ecma262/#sec-array.prototype.push (step 5.b)

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPush):

2020-09-03  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. [GLIB] Add missing return

        There's no change in behavior because jsObjectCall() returns undefined in case of failure, but fixes a memory leak.

        * API/glib/JSCValue.cpp:
        (jsc_value_object_invoke_methodv):

2020-09-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Cache toString / valueOf / @@toPrimitive for major cases
        https://bugs.webkit.org/show_bug.cgi?id=216061

        Reviewed by Saam Barati.

        When toPrimitive is called, we need to look-up three properties at most to perform operation. And these special properties do not have caching mechanism at all.
        We found that Speedometer2/EmberJS-Debug-TodoMVC is using very much time for this property look-up. We should have caching mechanism in StructureRareData, which
        should be similar to @@toStringTag & Object#toString caching mechanism.

        This patch generalizes @@toStringTag & Object#toString caching mechanism as SpecialPropertyCache. And we accelerate toString / valueOf / @@toPrimitive look-ups in
        toPrimitive with this caching mechanism.

        This patch improved Speedometer2/EmberJS-Debug-TodoMVC by 10%.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/Watchpoint.cpp:
        * bytecode/Watchpoint.h:
        * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.cpp.
        (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::CachedSpecialPropertyAdaptiveStructureWatchpoint):
        (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::install):
        (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::fireInternal):
        * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.h.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectProtoToStringFunction const):
        * runtime/JSObject.cpp:
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::ordinaryToPrimitive const):
        (JSC::JSObject::toPrimitive const):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        (JSC::objectProtoFuncToString):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::cacheSpecialProperty):
        (JSC::Structure::setObjectToStringValue): Deleted.
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren):
        (JSC::StructureRareData::ensureSpecialPropertyCacheSlow):
        (JSC::StructureRareData::giveUpOnSpecialPropertyCache):
        (JSC::StructureRareData::cacheSpecialPropertySlow):
        (JSC::StructureRareData::clearCachedSpecialProperty):
        (JSC::StructureRareData::finalizeUnconditionally):
        (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint):
        (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::isValid const):
        (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::handleFire):
        (JSC::StructureRareData::setObjectToStringValue): Deleted.
        (JSC::StructureRareData::clearObjectToStringValue): Deleted.
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::ObjectToStringAdaptiveInferredPropertyValueWatchpoint): Deleted.
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid const): Deleted.
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire): Deleted.
        * runtime/StructureRareData.h:
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::cachedSpecialProperty const):
        (JSC::StructureRareData::canCacheSpecialProperty):
        (JSC::StructureRareData::ensureSpecialPropertyCache):
        (JSC::StructureRareData::cacheSpecialProperty):
        (JSC::StructureRareData::objectToStringValue const): Deleted.

2020-09-03  Saam Barati  <sbarati@apple.com>

        Sampling profiler should dump hash as part of the top function key to prevent incorrectly grouping nameless functions together
        https://bugs.webkit.org/show_bug.cgi?id=216087

        Reviewed by Tadeu Zagallo.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::reportTopFunctions):

2020-09-03  Devin Rousso  <drousso@apple.com>

        Web Inspector: allow url breakpoints to be configured
        https://bugs.webkit.org/show_bug.cgi?id=215793

        Reviewed by Brian Burg.

        * inspector/protocol/DOMDebugger.json:
        Add an `options` parameter to `DOMDebugger.setURLBreakpoint` to allow configuration.
        Add an `isRegex` parameter to `DOMDebugger.removeURLBreakpoint` so that we know what
        type of URL breakpoint is being removed.

2020-09-03  Devin Rousso  <drousso@apple.com>

        Web Inspector: allow special JavaScript breakpoints to be configured
        https://bugs.webkit.org/show_bug.cgi?id=215794

        Reviewed by Brian Burg.

        * inspector/protocol/Debugger.json:
        Add an `options` parameter to the following commands for configuring the related breakpoint:
         - `Debugger.setPauseOnDebuggerStatements`
         - `Debugger.setPauseOnExceptions`
         - `Debugger.setPauseOnAssertions`
         - `Debugger.setPauseOnMicrotasks`

        * debugger/Debugger.h:
        (JSC::Debugger::needsExceptionCallbacks const):
        (JSC::Debugger::pauseOnAllExceptionsBreakpoint const): Added.
        (JSC::Debugger::setPauseOnAllExceptionsBreakpoint): Added.
        (JSC::Debugger::pauseOnUncaughtExceptionsBreakpoint const): Added.
        (JSC::Debugger::setPauseOnUncaughtExceptionsBreakpoint): Added.
        (JSC::Debugger::setPauseOnDebuggerStatementsBreakpoint): Added.
        (JSC::Debugger::pauseOnExceptionsState const): Deleted.
        (JSC::Debugger::setPauseOnDebuggerStatements): Deleted.
        * debugger/Debugger.cpp:
        (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::TemporarilyDisableExceptionBreakpoints): Added.
        (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::~TemporarilyDisableExceptionBreakpoints): Added.
        (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::replace): Added.
        (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::restore): Added.
        (JSC::Debugger::Debugger):
        (JSC::Debugger::breakProgram):
        (JSC::Debugger::exception):
        (JSC::Debugger::didReachDebuggerStatement):
        (JSC::Debugger::setPauseOnExceptionsState): Deleted.
        Add `JSC::Breakpoint` member variables for the Debugger Statements and Exceptions
        breakpoints. Split the Exceptions breakpoint into two `JSC::Breakpoint` now that
        All Exceptions and Uncaught Exceptions can be independently configured (the All
        Exceptions breakpoint still takes precedence).

        * debugger/DebuggerCallFrame.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        If there is no `CallFrame`, climb the backtrace until the first valid `CallFrame` is reached.
        This is needed when pausing in native code, such as for assertions/exceptions.

        * debugger/Breakpoint.h:
        Export `JSC::Breakpoint::create` so that other parts of WebKit can create breakpoints.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::disable):
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        (Inspector::InspectorDebuggerAgent::setPauseOnDebuggerStatements):
        (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
        (Inspector::InspectorDebuggerAgent::setPauseOnAssertions):
        (Inspector::InspectorDebuggerAgent::setPauseOnMicrotasks):
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
        (Inspector::InspectorDebuggerAgent::willRunMicrotask):
        (Inspector::InspectorDebuggerAgent::didRunMicrotask):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        Add `JSC::Breakpoint` member variables for the Assertion Failures and All Microtasks
        breakpoints. Pass them to the `JSC::Debugger` when they are hit.

        * inspector/agents/InspectorAuditAgent.cpp:
        (Inspector::InspectorAuditAgent::run):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getPreview):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::setPauseOnExceptionsState): Deleted.
        Use `TemporarilyDisableExceptionBreakpoints` to save, override, and restore the exceptions
        breakpoints now that they've been separated into two `JSC::Breakpoint` instead of an `enum`.

2020-09-03  Keith Miller  <keith_miller@apple.com>

        Finish comment describing the various *Stack SSA nodes in DFG
        https://bugs.webkit.org/show_bug.cgi?id=216110

        Reviewed by Sam Weinig.

        * dfg/DFGNodeType.h:

2020-09-03  David Kilzer  <ddkilzer@apple.com>

        AbstractMacroAssembler::Jump class has uninitialized instance variables
        <https://webkit.org/b/216082>

        Reviewed by Michael Saboff.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Jump):
        - Switch to default constructor syntax.
        - Provide defaults for instance variables.

2020-09-03  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Add missing detached buffer errors for DataView
        https://bugs.webkit.org/show_bug.cgi?id=216062

        Reviewed by Yusuke Suzuki.

        DataView methods are often expected to throw a TypeError if the underlying ArrayBuffer is detached
        (or neutered, in older terminology) -- this patch adds a slew of missing cases from the following spec section:
          - https://tc39.es/ecma262/#sec-properties-of-the-dataview-prototype-object

        At the same time:
         - get rid of JSDataView::getOwnPropertySlot, which was turning dataViewProtoGetterByte{Length,Offset}
           into mostly unreachable code and erroneously causing byte{Length,Offset} to have property descriptors
         - perform some simple cleanup of neighboring error calls / messages
         - fix value of DataView.length (our only other DataView spec bug)

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::create):
        (JSC::JSDataView::getOwnPropertySlot): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        (JSC::dataViewProtoGetterByteLength):
        (JSC::dataViewProtoGetterByteOffset):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):

2020-09-02  Michael Saboff  <msaboff@apple.com>

        ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType ./bytecode/ObjectPropertyConditionSet.cpp
        https://bugs.webkit.org/show_bug.cgi?id=216103

        Reviewed by Saam Barati.

        Changed the ASSERT to an if statement.  This checks to see if, the likely newly changed,
        property is still a custom getter setter before caching its access as such.

        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        * tools/JSDollarVM.cpp: Added test helper function.

2020-09-01  Yusuke Suzuki  <ysuzuki@apple.com>

        Skip fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html if Gigacage is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=216043
        <rdar://problem/66394369>

        Reviewed by Mark Lam.

        * tools/JSDollarVM.cpp:
        (JSC::functionIsGigacageEnabled):
        (JSC::JSDollarVM::finishCreation):

2020-08-31  Mark Lam  <mark.lam@apple.com>

        Remove some PtrTag debugging code from release builds.
        https://bugs.webkit.org/show_bug.cgi?id=216025
        <rdar://problem/68098263>

        Reviewed by Saam Barati.

        Removed PtrTag name lookup debugging utility from release builds.

        * runtime/JSCPtrTag.cpp:
        * runtime/JSCPtrTag.h:

2020-09-01  Carlos Garcia Campos  <cgarcia@igalia.com>

        [Linux] Web Inspector: show per thread cpu usage
        https://bugs.webkit.org/show_bug.cgi?id=215883

        Reviewed by Adrian Perez de Castro.

        Remove platform specific getter machThread() and add thread() to return the Thread instead. The caller knows how
        to get the machThread or id from a Thread.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::reportTopBytecodes):
        (JSC::SamplingProfiler::machThread): Deleted.
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::thread):

2020-08-31  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] StructureStubInfo / CallLinkInfo / ByValInfo should set CodeOrigin or BytecodeIndex at construction
        https://bugs.webkit.org/show_bug.cgi?id=215987
        <rdar://problem/66370323>

        Reviewed by Mark Lam.

        We had race condition during construction of StructureStubInfo and CodeOrigin field setting.

            1. The thread creates StructureStubInfo by calling CodeBlock::addStubInfo. This is guarded by the lock. But at this point we are not setting StructureStubInfo::codeOrigin.
            2. Then (1)'s thread attempts to set StructureStubInfo::codeOrigin. But at this point, it is not guarded by the lock.
            3. Before (2) is executed, DFG ByteCodeParser calls CodeBlock::getICStatusMap. It creates HashMap<CodeOrigin, StructureStubInfo*>.
            4. Since StructureStubInfo*'s codeOrigin is not configured yet, (3) sees invalid CodeOrigin. And storing invalid CodeOrigin as a HashMap key is not correct.

        We should configure CodeOrigin at construction of StructureStubInfo, which is guarded by the lock. We have the same problem for CallLinkInfo and ByValInfo. This patch fixes them.
        To reproduce this, we need to execute a script 2~ days repeatedly. So it is difficult to add a test.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        (JSC::ByValInfo::setUp):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::CallLinkInfo):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setUpCall):
        (JSC::CallLinkInfo::setCodeOrigin): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addStubInfo):
        (JSC::CodeBlock::addByValInfo):
        (JSC::CodeBlock::addCallLinkInfo):
        * bytecode/CodeBlock.h:
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::StructureStubInfo):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::garbageStubInfo):
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2020-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] @defaultPromiseThen fast path should check species constructor
        https://bugs.webkit.org/show_bug.cgi?id=215996

        Reviewed by Ross Kirsling.

        When executing @defaultPromiseThen fast path, we assumed that this execution is not observable.
        This is wrong only for species constructor part: this @@species access & derived constructor calls
        can be observable. In this patch,

            1. We extract part of Promise#then as @performPromiseThen, which corresponds to the spec's PerformPromiseThen.
            2. In promise fast path, we check @speciesConstructor is @Promise or @InternalPromise. If it is not, then we go to the slow path.

        This fixes Promise#finally failures in test262.

        * builtins/PromiseOperations.js:
        (globalPrivate.promiseResolveThenableJobFast):
        (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
        (globalPrivate.promiseResolveThenableJobWithDerivedPromise):
        (onFulfilled):
        (onRejected):
        (globalPrivate.performPromiseThen):
        * builtins/PromisePrototype.js:
        (then):
        (onFulfilled): Deleted.
        (onRejected): Deleted.

2020-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use -2 for grouping options in IntlRelativeTimeFormat
        https://bugs.webkit.org/show_bug.cgi?id=215984

        Reviewed by Ross Kirsling.

        Several test262 tests are failing after ICU 67. This is because Intl.RelativeTimeFormat is not using locale-sensitive grouping option.
        There are hidden option -2 for UNumberFormat. It is supported so long, but it is not explicitly documented. After ICU 68, it is exposed as a constant,
        we should pass -2 to UNumberFormat's grouping options to use locale-sensitive grouping option here.

        * runtime/IntlRelativeTimeFormat.cpp:
        (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):

2020-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] async function cannot appear in single-statement context
        https://bugs.webkit.org/show_bug.cgi?id=215993

        Reviewed by Darin Adler.

        The following code is syntax error[1] because ExpressionStatement has `async [no LineTerminator here] function` lookahead.

            if (false)
                async function t() { }

        [1]: https://tc39.es/ecma262/#sec-expression-statement

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement): Deleted.
        * parser/Parser.h:

2020-08-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] `let [` sequence cannot appear in ExpressionStatement context
        https://bugs.webkit.org/show_bug.cgi?id=215977

        Reviewed by Ross Kirsling.

        Because of ambiguity between destructuring assignment and member access (let IDENTIFIER), ECMA262 does not allow `let [` sequence in ExpressionStatement context[1].
        We should throw SyntaxError when we see something like this.

            if (false)
                let [ok] = [42];

        [1]: https://tc39.es/ecma262/#sec-expression-statement

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):

2020-08-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] for-of uses AssignmentExpression while for-in uses Expression
        https://bugs.webkit.org/show_bug.cgi?id=215975

        Reviewed by Ross Kirsling.

        While for-in uses Expression, for-of and for-await-of use AssignmentExpression which does not accept comma-expression.
        We should align our implementation to that.

            for (LeftHandSideExpression in Expression) Statement
            for (LeftHandSideExpression of AssignmentExpression) Statement
            for await(LeftHandSideExpression of AssignmentExpression) Statement

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):

2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] for-of / for-in left-hand-side target should be simple-assignment-target
        https://bugs.webkit.org/show_bug.cgi?id=215969

        Reviewed by Ross Kirsling.

        Left-hand-side of `for-in`, `for-of`, and `for-await-of` should be simple assignment target[1]
        if the target is not declaration and not destructuring pattern.

        [1]: https://tc39.es/ecma262/#sec-for-in-and-for-of-statements-static-semantics-early-errors

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createCommaExpr): Should return CommaExpr to align it to ASTBuilder.
        (JSC::SyntaxChecker::appendToCommaExpr):
        (JSC::SyntaxChecker::appendStatement):
        (JSC::SyntaxChecker::combineCommaNodes): Deleted since it is not used.

2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Implement Intl.DateTimeFormat dayPeriod
        https://bugs.webkit.org/show_bug.cgi?id=215839

        Reviewed by Ross Kirsling.

        This patch implements Intl.DateTimeFormat dayPeriod option[1]. We can use "narrow", "short", or "long" for dayPeriod,
        and it determines how "AM" etc. is represented.

        [1]: https://github.com/tc39/ecma402/pull/346

        * builtins/DatePrototype.js:
        (toLocaleString.toDateTimeOptionsAnyAll):
        (toLocaleString):
        (toLocaleTimeString.toDateTimeOptionsTimeTime):
        (toLocaleTimeString):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * runtime/CommonIdentifiers.h:
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::toDateTimeOptionsAnyDate):
        (JSC::IntlDateTimeFormat::setFormatsFromPattern):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::dayPeriodString):
        (JSC::IntlDateTimeFormat::resolvedOptions const):
        * runtime/IntlDateTimeFormat.h:
        * runtime/OptionsList.h:

2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] super property with new should be accepted
        https://bugs.webkit.org/show_bug.cgi?id=215966

        Reviewed by Ross Kirsling.

        While we should reject `new super` / `new super()`, we should accept `new super.property`.
        https://tc39.es/ecma262/#prod-SuperProperty is a child production of https://tc39.es/ecma262/#prod-MemberExpression,
        unlike https://tc39.es/ecma262/#prod-SuperCall. So `new` should accept SuperProperty (e.g. `super.xxx`).

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] `new import.meta()` is acceptable
        https://bugs.webkit.org/show_bug.cgi?id=215915

        Reviewed by Ross Kirsling.

        `new import.meta()` is valid in terms of syntax while it throws runtime error.
        We should accept this code, while `new import()` is not correct syntax.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2020-08-27  Alexey Shvayka  <shvaikalesh@gmail.com>

        __proto__ in object literal should perform [[SetPrototypeOf]] directly
        https://bugs.webkit.org/show_bug.cgi?id=215769

        Reviewed by Ross Kirsling.

        To fix __proto__ usage in object literals if Object.prototype.__proto__ is overridden
        or removed, this patch sets the [[Prototype]] directly, aligning JSC with V8 and
        SpiderMonkey. We are safe to skip method table lookups and cycle checks, as the
        spec [1] calls [[SetPrototypeOf]] on newly created (unreferenced) ordinary objects.

        This change removes PropertyNode::PutType because its only purpose was to accomodate
        __proto__ in object literals. Since emitPutConstantProperty() handles static public
        class fields, which don't need `super` binding, PropertyNode::isUnderscoreProtoSetter()
        is extended to reject class properties.

        This patch speeds up creating object literals with __proto__ by 25%.

        [1]: https://tc39.es/ecma262/#sec-__proto__-property-names-in-object-initializers (step 7.a)

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitDirectSetPrototypeOf):
        1. Remove unused `dst` parameter to align with other `put` methods.
        2. Remove `divot*` parameters as it's cumbersome to pass them through,
           and globalFuncSetPrototypeDirect() never throws anyway.

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitPutConstantProperty):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
        (JSC::ClassExprNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::isUnderscoreProtoSetter const):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createProperty):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetPrototypeDirect):
        1. Ignore a prototype value of incorrect type as per spec [1],
           which is unobservable for call sites in ClassExprNode::emitBytecode().
        2. Assert that JSObject::setPrototypeDirect() doesn't throw.

2020-08-27  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] setLength in Array#push could get very large length
        https://bugs.webkit.org/show_bug.cgi?id=215897
        <rdar://problem/67859149>

        Reviewed by Keith Miller.

        Array#push can get length larger than UINT32_MAX. And in this case, we should throw a RangeError.
        Before r266215, it was using putLength which throws an error. But it was replaced with setLength,
        and JSC::setLength assumes that it never gets a length greater than UINT32_MAX by asserting. We
        should fix it so that Array#push should thrown an error correctly.

        * runtime/ArrayPrototype.cpp:
        (JSC::setLength):

2020-08-27  Saam Barati  <sbarati@apple.com>

        GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
        https://bugs.webkit.org/show_bug.cgi?id=215894
        <rdar://problem/67669696>

        Reviewed by Michael Saboff and Keith Miller.

        GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no
        BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined().
        The constant folding for this though was folding to jsUndefined(). I forgot
        to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain
        implementation.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2020-08-27  Keith Miller  <keith_miller@apple.com>

        structureOrNull should take VM instead of getting it from the marked block
        https://bugs.webkit.org/show_bug.cgi?id=215899

        Reviewed by Yusuke Suzuki.

        It's slightly faster use an existing VM over recomputing the address. It probably doesn't
        happen to matter here for performance but it's good hygiene.

        * API/tests/JSWrapperMapTests.mm:
        (+[JSWrapperMapTests testStructureIdentity]):
        * jit/JITOperations.cpp:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::structureOrNull const):
        (JSC::JSValue::structureOrUndefined const): Deleted.

2020-08-27  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use auxiliary memory for JSBigInt storage
        https://bugs.webkit.org/show_bug.cgi?id=215876

        Reviewed by Mark Lam.

        This makes JSBigInt non-destructible cell. And it makes allocating JSBigInt from JIT easy.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::visitChildren):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::destroy): Deleted.
        * runtime/JSBigInt.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2020-08-27  Keith Miller  <keith_miller@apple.com>

        OSR availability validation should run for any node with exitOK
        https://bugs.webkit.org/show_bug.cgi?id=215672

        Reviewed by Saam Barati.

        Currently we only validate OSR exit availability if a node would
        say `mayExit(graph, node) != DoesNotExit` and the node is marked
        as exitOK. However, it would be perfectly valid to insert a node
        that exits anywhere we have a node marked exitOK. So with this
        patch we now validate all places where it would ever be possible
        to OSR exit.

        Relaxing our criteria revealed a number of bugs however. Which I
        will describe below in, IMO, increasing complexity/subtly.

        First, we currently don't mark arity fixup during inlining as not
        exitOK. However, since our arity code says its code origin is
        OpEnter, we assume arity fixup has already happened.

        Second, OpGetScope, should not mark its first argument as used
        since it's not actually used. This is problematic because we could
        have a loop where OpGetScope is the first bytecode, namely when
        doing tail recursive inlining. If we were in that position, there
        could be a local that was used at a merge point at the loop
        backedge that had two MovHint defs from both predecessors. In DFG
        IR this would look like:

        BB#1:
        @1: MovHint(Undefined, loc1)
        ...
        Jump(#2)

        BB#2:
        ... // loc1 is live here in bytecode
        @2: MovHint(@scopeObject, loc1)
        @3: SetLocal(@scopeObject, loc1)
        Branch(#3, #4) // #4 is the successor of the tail call loop

        BB#3:
        @4 MovHint(Undefined, loc1)
        ...
        Jump(#2)

        When we do CPS conversion the MovHints at @1 and @4 will be seen
        as different variables (there's no GetLocal). Then, after, during
        SSA conversion we won't insert a phi connecting them, making the
        argument to OpGetScope, in this case loc1, unrecoverable there are
        conflicting nodes and the value isn't saved on the stack.

        There were also issues with MovHintRemoval Phase but rather than
        fix them we opted to just remove the phase as it didn't show any
        performance impact. I'll describe the issues I found below for
        completeness, however.

        Third, MovHint removal phase had a bug where it would not mark
        sections where a zombied MovHint has yet to be killed as not
        exitOK. So in theory another phase could come along and insert an
        exiting node there.

        Fourth, MovHint removal phase had a second bug where a MovHint
        that was not killed in the current block would be zombied, which
        is wrong for SSA. It's wrong because the MovHinted value could
        still be live for OSR exit in a successor block.

        Lastly, this patch adds some new verbose options as well as the ability to
        dump a DFG::BasicBlock without dereferencing it.

        * bytecode/BytecodeUseDef.cpp:
        (JSC::computeUsesForBytecodeIndexImpl):
        * dfg/DFGBasicBlock.cpp:
        (WTF::printInternal):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inlineCall):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::propagatePhis):
        * dfg/DFGEpoch.h:
        (JSC::DFG::Epoch::operator bool const):
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGSSACalculator.cpp:
        (JSC::DFG::SSACalculator::dump const):

2020-08-27  Keith Miller  <keith_miller@apple.com>

        JSClassRef should work with JS class syntax.
        https://bugs.webkit.org/show_bug.cgi?id=215047

        Reviewed by Darin Adler.

        This is done by checking if value returned by the
        callAsConstructor parameter to JSObjectMakeConstructor returns an
        object allocated as the jsClass parameter. When that happens we
        replace the prototype of the returned object with the prototype of
        the new.target. Ideally we would have passed the derived classes
        constructor from the beginning of our support for JS subclassing
        but at this point that's probably not compatible with too many
        applications.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::construct):
        * API/JSObjectRef.h:
        * API/tests/testapi.cpp:
        (APIString::APIString):
        (TestAPI::markedJSValueArrayAndGC):
        (TestAPI::classDefinitionWithJSSubclass):
        (testCAPIViaCpp):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):

2020-08-26  Alexey Shvayka  <shvaikalesh@gmail.com>

        Use jsTypeofIsObject() in DFG AI and operationTypeOfIsObject()
        https://bugs.webkit.org/show_bug.cgi?id=144457

        Reviewed by Saam Barati.

        This patch refactors jsTypeofIsObject(), leveraging fast path of isCallable(),
        moves it to the header, and utilizes it in operationTypeOfIsObject() & DFG AI
        (minding concurrency) to eliminate code duplication.

        Also, removes orphaned slow_path_is_object declaration.

        No behavior change, `typeof` microbenchmarks are neutral.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/Operations.cpp:
        (JSC::jsTypeofIsObject): Deleted.
        * runtime/Operations.h:
        (JSC::jsTypeofIsObjectWithConcurrency):
        (JSC::jsTypeofIsObject):

2020-08-26  Alexey Shvayka  <shvaikalesh@gmail.com>

        Merge putLength() into setLength()
        https://bugs.webkit.org/show_bug.cgi?id=211279

        Reviewed by Darin Adler and Saam Barati.

        This patch:

        1. Replaces all putLength() call sites with setLength(), saving two JSValue
           instantiations in arrayProtoFuncPop() and two in arrayProtoFuncShift().

        2. Merges putLength() into setLength(), removing superfluous put() call for
           JSArray. Also, performs put() in strict mode to preserve the original
           error messages, like ones in ProxyObject::performPut().

        3. Inlines performPop(), which avoided an extra index check and Identifier
           creation, as it was on the slow path anyway (note JSArray::pop() call).

        This change advances provided setLength()-heavy microbenchmark by ~40%,
        while existing Array tests are neutral.

        * runtime/ArrayPrototype.cpp:
        (JSC::setLength):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncUnShift):
        (JSC::putLength): Deleted.

2020-08-26  Saam Barati  <sbarati@apple.com>

        Make isIndex use MAX_ARRAY_INDEX
        https://bugs.webkit.org/show_bug.cgi?id=215872

        Reviewed by Darin Adler.

        It's already written in such a way where it relies on what MAX_ARRAY_INDEX
        is defined as. But instead of MAX_ARRAY_INDEX, the function was hardcoding
        MAX_ARRAY_INDEX + 1.

        * runtime/Identifier.h:
        (JSC::isIndex):

2020-08-26  Alexey Shvayka  <shvaikalesh@gmail.com>

        Use unsigned type for `length` of JSFunction
        https://bugs.webkit.org/show_bug.cgi?id=215870

        Reviewed by Darin Adler.

        Since the `length` value of a built-in function is its arity,
        we can communicate it's always non-negative via method signatures.

        No behavior change: `length` values redefined by user code are unaffected.

        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createFunctionThatMasqueradesAsUndefined):
        * runtime/InternalFunction.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC::JSFunction::finishCreation):
        * runtime/JSFunction.h:
        * runtime/JSNativeStdFunction.cpp:
        (JSC::JSNativeStdFunction::finishCreation):
        (JSC::JSNativeStdFunction::create):
        * runtime/JSNativeStdFunction.h:

2020-08-26  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Enable Intl.Segmenter
        https://bugs.webkit.org/show_bug.cgi?id=215854

        Reviewed by Ross Kirsling.

        This is already stage-3 and all the features are implemented. Let's just enable it.

        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/OptionsList.h:

2020-08-26  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add ASCII comparison fast path for IntlCollator
        https://bugs.webkit.org/show_bug.cgi?id=215798

        Reviewed by Darin Adler, Ross Kirsling, and Saam Barati.

        The idea behind this change is the following: ICU Collator's comparison is too slow. We should have fast path for ASCII strings when we know this equals to ICU Collator's result.
        The problem is that even for ASCII strings, collation is super complicated!

            1. Unicode defines Unicode Collation Algorithm (UCA). To perform collation, it uses collation element tables which defines weights on various levels per code point. UCA also offers
               the Default Unicode Collation Element Table (DUCET). This UCA with DUCET is used when using ICU Root Collator.
            2. UCA collation consists of rules, which defines how collation works. And ICU locales define customized collations by adding special rules to that.
            3. UCA behaves differently by using different options.

        Based on that, our observation is that some of major locales are not defining additional rules in (2). This means that they behaves the same to UCA with DUCET.
        This patch implements a simplified version of comparison which generates the same results for ASCII strings (excluding control characters) to UCA with DUCET. This fast path can be usable only when the following conditions are met.

            1. The collator does not have additional rules to ICU Root Colator.
            2. The collator is using default options.

        These checks are very important since there are a lot of edge-case locales. For example,

            1. th (Thai language) ignores punctuations (even including ASCII punctuations) by default. This is defined as ignore-punctuations option is enabled by default, so without (2)'s check, th comparison becomes wrong.
            2. There are contraction concept (multiple letters behave as a single letter). "ch" letters are ordered interestingly in Czech language. So even in ASCII, Czech shows very interesting collation behavior.

        So we cannot safely take this fast path without carefully querying the information to ICU.

        This shows 37% improvement in JetStream2/cdjs in en-US environment.

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        (JSC::IntlCollator::compareStrings const):
        (JSC::canDoASCIIUCADUCETComparisonWithUCollator):
        (JSC::IntlCollator::updateCanDoASCIIUCADUCETComparison const):
        (JSC::IntlCollator::checkICULocaleInvariants):
        * runtime/IntlCollator.h:
        * runtime/IntlObject.cpp:
        (JSC::intlCollatorAvailableLocales):
        * runtime/IntlObject.h:
        * runtime/IntlObjectInlines.h:
        (JSC::canUseASCIIUCADUCETComparison):
        (JSC::compareASCIIWithUCADUCET):

2020-08-26  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Implement Intl.DateTimeFormat fractionalSecondDigits
        https://bugs.webkit.org/show_bug.cgi?id=215840

        Reviewed by Ross Kirsling.

        This patch implements fractionalSecondDigits option for Intl.DateTimeFormat. If it is
        specified, milliseconds in N digits are represented in the formatted output.
        This extension is about to be merged into the spec[1]. SpiderMonkey and V8 support it,
        and V8 shipped it without flags.

        [1]: https://github.com/tc39/ecma402/pull/347

        * builtins/DatePrototype.js:
        (toLocaleString.toDateTimeOptionsAnyAll):
        (toLocaleString):
        (toLocaleTimeString.toDateTimeOptionsTimeTime):
        (toLocaleTimeString):
        * runtime/CommonIdentifiers.h:
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::toDateTimeOptionsAnyDate):
        (JSC::IntlDateTimeFormat::setFormatsFromPattern):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::resolvedOptions const):
        (JSC::partTypeString):
        * runtime/IntlDateTimeFormat.h:

2020-08-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] FTL should use m_origin instead of m_node->origin since m_node can be nullptr
        https://bugs.webkit.org/show_bug.cgi?id=215833

        Reviewed by Mark Lam.

        While we are using m_node->origin, m_node can be nullptr (at the entry of the FTL function).
        m_origin is always pointing appropriate origin. We should use it instead.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
        (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueMod):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary):
        (JSC::FTL::DFG::LowerDFGToB3::compileValuePow):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileIncOrDec):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree):
        (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
        (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
        (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateArgumentsButterfly):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeysOrObjectGetOwnPropertyNames):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
        (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallNumberConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
        (JSC::FTL::DFG::LowerDFGToB3::compileToPropertyKey):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileVarargsLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
        (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
        (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
        (JSC::FTL::DFG::LowerDFGToB3::mapHashString):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        (JSC::FTL::DFG::LowerDFGToB3::compileTypeOfIsObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsCallable):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileParseInt):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasStructurePropertyImpl):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
        (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
        (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
        (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
        (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
        (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
        (JSC::FTL::DFG::LowerDFGToB3::compare):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
        (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
        (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
        (JSC::FTL::DFG::LowerDFGToB3::genericJSValueCompare):
        (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
        (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
        (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
        (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        (JSC::FTL::DFG::LowerDFGToB3::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const):
        (JSC::FTL::DFG::LowerDFGToB3::callCheck):
        (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
        * jsc.cpp:
        (runJSC):
        * runtime/OptionsList.h:

2020-08-25  Devin Rousso  <drousso@apple.com>

        Web Inspector: breakpoint condition should be evaluated before the ignore count
        https://bugs.webkit.org/show_bug.cgi?id=215364
        <rdar://problem/67310703>

        Reviewed by Joseph Pecoraro.

        Previously, when pausing, `JSC::Breakpoint` would check that it's `ignoreCount` before it
        would even attempt to evaluate it's `condition`. This meant that a `JSC::Breakpoint` with
        a `condition` of `foo === 42` and an `ignoreCount` of `3` would ignore the first three
        pauses and then only pause if `foo === 42`. This is likely contrary to the expectation of
        most users (especially since the `condition` input is before the `ignoreCount` input in
        the Web Inspector frontend UI) in that they would probably expect to ignore the first
        three pauses if `foo === 42`.

        * debugger/Breakpoint.cpp:
        (JSC::Breakpoint::shouldPause):

2020-08-25  Alexey Shvayka  <shvaikalesh@gmail.com>

        Invalid early error for object literal method named "__proto__"
        https://bugs.webkit.org/show_bug.cgi?id=215760

        Reviewed by Ross Kirsling.

        According to Annex B [1], `{ __proto__: null, __proto__() {} }` is a valid object literal as the second
        `__proto__` wasn't obtained from `PropertyDefinition : PropertyName : AssignmentExpression` production.
        Currently, JSC throws an early SyntaxError, unlike V8 and SpiderMonkey.

        Since a method needs `super` binding, the most straightforward fix would be adding SuperBinding field
        to SyntaxChecker::Property and exposing it via an accessor. However, given that Property is a very
        common structure, this approach would noticeably increase memory pressure during parsing.

        Instead, this patch reworks SyntaxChecker::Property to accept `isUnderscoreProtoSetter` parameter,
        removing optional `name` field, its accessor, and shouldCheckPropertyForUnderscoreProtoDuplicate(),
        which reduces sizeof(SyntaxChecker::Property) by a factor of 8: from 16 to 2 bytes.
        Also, this change avoids two extra makeNumericIdentifier() calls, speeding up numeric keys parsing.

        This approach is feasible because "__proto__" is the only identifier-based early error for object
        literals [2], with no such errors being added in upcoming stage 2-4 proposals.

        Additionally, this patch removes `strict` / `complete` bool parameter from {parse,create}Property()
        signatures as a) it was always `true`, b) is now unused, and c) strict mode can be checked via scope.

        [1]: https://tc39.es/ecma262/#sec-__proto__-property-names-in-object-initializers
        [2]: https://tc39.es/ecma262/#sec-object-initializer-static-semantics-early-errors

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::isUnderscoreProtoSetter const):
        (JSC::ASTBuilder::getName const): Deleted.
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate): Deleted.
        * parser/Parser.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::SyntaxChecker):
        (JSC::SyntaxChecker::Property::Property):
        (JSC::SyntaxChecker::Property::operator!):
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::createGetterOrSetterProperty):
        (JSC::SyntaxChecker::operatorStackPop):

2020-08-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add concurrency-aware version of isCallable / isConstructor to make it usable in DFG compiler
        https://bugs.webkit.org/show_bug.cgi?id=215746

        Reviewed by Saam Barati.

        This patch adds isCallableWithConcurrency and isConstructorWithConcurrency to JSCell, JSValue etc.
        This can work even if it is called from concurrent compiler threads. We also add jsTypeStringForValueWithConcurrency
        and jsTypeofIsFunctionWithConcurrency which are using the above WithConcurrency functionalities.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * runtime/Concurrency.h: Added.
        (WTF::printInternal):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::getCallData):
        (JSC::InternalFunction::getConstructData):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isCallableWithConcurrency const):
        (JSC::JSValue::isConstructorWithConcurrency const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isCallableWithConcurrency):
        (JSC::JSCell::isConstructorWithConcurrency):
        (JSC::JSCell::isCallable):
        (JSC::JSCell::isConstructor):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::getCallData):
        (JSC::JSFunction::getConstructData):
        * runtime/NumberPrototype.cpp:
        (JSC::throwVMToThisNumberError):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValueWithConcurrency):
        (JSC::jsTypeStringForValue): Deleted.
        * runtime/Operations.h:
        (JSC::jsTypeofIsFunctionWithConcurrency):
        (JSC::jsTypeStringForValue):
        (JSC::jsTypeofIsFunction):

2020-08-25  Alexey Shvayka  <shvaikalesh@gmail.com>

        Implementation of the class "extends" clause incorrectly uses __proto__ for setting prototypes
        https://bugs.webkit.org/show_bug.cgi?id=205848

        Reviewed by Keith Miller.

        To prevent `class extends` from breaking if Object.prototype.__proto__ is overridden
        or removed, this patch replaces OpPutById bytecodes in ClassExprNode::emitBytecode()
        with JSObject::setPrototypeDirect() invocations via OpCall.

        Since the spec sets [[Prototype]] values directly [1], we are safe to skip method
        table lookups and cycle checks.

        Although this approach adds 4 `mov` ops to emitted bytecode for `class extends` creation,
        increasing instruction count to 35, I prefer it over introducing a slow path only op.
        To avoid emitting 2 extra `mov` ops, globalFuncSetPrototypeDirect() uses thisRegister().

        Aligns JSC with V8 and SpiderMonkey. Derived class creation microbenchmark is neutral.

        [1]: https://tc39.es/ecma262/#sec-createbuiltinfunction (step 7)

        * builtins/BuiltinNames.h:
        * bytecode/BytecodeDumper.cpp:
        (JSC::CodeBlockBytecodeDumper<Block>::dumpConstants): Fix typo.
        * bytecode/LinkTimeConstant.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitSetPrototypeOf):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):
        * parser/Nodes.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2020-08-24  Keith Miller  <keith_miller@apple.com>

        DFG should always run CFG Simplification after Constant Folding.
        https://bugs.webkit.org/show_bug.cgi?id=215286

        Reviewed by Robin Morisset.

        We didn't do this originally because LICM, many years ago, was
        unsound if the CFG didn't have exactly the right shape around
        loops. This is no longer true so we don't have to worry about
        changing the CFG anymore. While, this doesn't appear to be a
        speedup on JetStream 2 CFG, probably because we'd eventually
        simplify the graph in B3, CFG Simplification is very cheap and
        make other DFG optimizations easier in the future.

        Also, remove unecessary validation rule that no exitOKs can come
        before any Phi nodes in DFG. This isn't required and fails after
        merging two basic blocks where the latter block has a Phi.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGValidate.cpp:

2020-08-24  Keith Miller  <keith_miller@apple.com>

        Remove MovHintRemoval phase
        https://bugs.webkit.org/show_bug.cgi?id=215785

        Reviewed by Saam Barati.

        The MovHintRemoval phase doesn't play nicely with our OSR
        Availability. Specifically, it needs to do a tricky dance where it
        marks all the live ranges of the ZombieHints as not
        exitOK. There's also an issue because we treated unused locals as
        kill in this block, which is wrong for SSA when a MovHint is
        used in another block. Since removing MovHintRemoval isn't a
        performance regression, we are removing it rather than fixing bugs
        related to it. Relatedly, since the only place we produce
        ZombieHints is MovHintRemoval this patch also removes that node
        type.

        * Sources.txt:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGMovHintRemovalPhase.cpp: Removed.
        * dfg/DFGMovHintRemovalPhase.h: Removed.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::containsMovHint):
        (JSC::DFG::Node::hasUnlinkedOperand):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVarargsForwardingPhase.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        * runtime/OptionsList.h:

2020-08-24  Devin Rousso  <drousso@apple.com>

        Web Inspector: rename `ScriptDebugServer` subclasses/methods
        https://bugs.webkit.org/show_bug.cgi?id=215363
        <rdar://problem/67310441>

        Reviewed by Brian Burg.

        r266074 merged `Inspector::ScriptDebugServer` into `JSC::Debugger`. All subclasses and
        functions should be renamed to match this change.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * inspector/InspectorEnvironment.h:
        * inspector/JSGlobalObjectDebugger.h: Renamed from Source/JavaScriptCore/inspector/JSGlobalObjectScriptDebugServer.h.
        * inspector/JSGlobalObjectDebugger.cpp: Renamed from Source/JavaScriptCore/inspector/JSGlobalObjectScriptDebugServer.cpp.
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/agents/InspectorAuditAgent.h:
        * inspector/agents/InspectorAuditAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        * inspector/remote/RemoteInspectionTarget.cpp:
        * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:

2020-08-24  Devin Rousso  <drousso@apple.com>

        Web Inspector: allow event breakpoints to be configured
        https://bugs.webkit.org/show_bug.cgi?id=215362
        <rdar://problem/66932921>

        Reviewed by Brian Burg.

        This allows developers to do things like:
         - only pause when `window.event.type` is a certain value
         - ignore the first N pauses
         - evaluate JavaScript whenever an event listener is invoked without pausing

        * inspector/protocol/DOM.json:
        Add an `options` paramater to `DOM.setBreakpointForEventListener` to allow configuration.

        * inspector/protocol/DOMDebugger.json:
        Add an `options` paramater to `DOMDebugger.setEventBreakpoint` to allow configuration.

        * debugger/Breakpoint.h:
        (JSC::Breakpoint::id const): Added.
        (JSC::Breakpoint::sourceID const): Added.
        (JSC::Breakpoint::lineNumber const): Added.
        (JSC::Breakpoint::columnNumber const): Added.
        (JSC::Breakpoint::condition const): Added.
        (JSC::Breakpoint::actions const): Added.
        (JSC::Breakpoint::isAutoContinue const): Added.
        (JSC::Breakpoint::resetHitCount): Added.
        (JSC::Breakpoint::isLinked const): Added.
        (JSC::Breakpoint::isResolved const): Added.
        (JSC::BreakpointsList::~BreakpointsList): Deleted.
        * debugger/Breakpoint.cpp: Added.
        (JSC::Breakpoint::Action::Action): Added.
        (JSC::Breakpoint::create): Added.
        (JSC::Breakpoint::Breakpoint): Added.
        (JSC::Breakpoint::link): Added.
        (JSC::Breakpoint::resolve): Added.
        (JSC::Breakpoint::shouldPause): Added.
        Unify `JSC::Breakpoint` and `Inspector::ScriptBreakpoint`.

        * debugger/DebuggerPrimitives.h:
        * debugger/Debugger.h:
        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::addObserver): Added.
        (JSC::Debugger::removeObserver): Added.
        (JSC::Debugger::canDispatchFunctionToObservers const): Added.
        (JSC::Debugger::dispatchFunctionToObservers): Added.
        (JSC::Debugger::sourceParsed): Added.
        (JSC::Debugger::toggleBreakpoint):
        (JSC::Debugger::applyBreakpoints):
        (JSC::Debugger::resolveBreakpoint):
        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::didHitBreakpoint): Added.
        (JSC::Debugger::clearBreakpoints):
        (JSC::Debugger::evaluateBreakpointCondition): Added.
        (JSC::Debugger::evaluateBreakpointActions): Added.
        (JSC::Debugger::schedulePauseAtNextOpportunity): Added.
        (JSC::Debugger::cancelPauseAtNextOpportunity): Added.
        (JSC::Debugger::schedulePauseForSpecialBreakpoint): Added.
        (JSC::Debugger::cancelPauseForSpecialBreakpoint): Added.
        (JSC::Debugger::continueProgram):
        (JSC::Debugger::stepNextExpression):
        (JSC::Debugger::stepIntoStatement):
        (JSC::Debugger::stepOverStatement):
        (JSC::Debugger::stepOutOfFunction):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::handlePause): Added.
        (JSC::Debugger::exceptionOrCaughtValue): Added.
        (JSC::Debugger::atExpression):
        (JSC::Debugger::clearNextPauseState):
        (JSC::Debugger::willRunMicrotask): Added.
        (JSC::Debugger::didRunMicrotask): Added.
        (JSC::Debugger::hasBreakpoint): Deleted.
        (JSC::Debugger::setPauseOnNextStatement): Deleted.
        Unify `JSC::Debugger` and `Inspector::ScriptDebugServer` to simplify breakpoint logic.
        Introduce the concept of a "special breakpoint", which is essentially a `JSC::Breakpoint`
        that is expected to pause at the next opportunity but isn't tied to a particular location.
        As an example, whenever an event breakpoint is hit, instead of just pausing at the next
        opportunity, the newly managed `JSC::Breakpoint` is used as a "special breakpoint", allowing
        for it's configuration (ie.g. condition, ignore count, actions, auto-continue) to be used.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction):
        (Inspector::breakpointActionTypeForString): Added.
        (Inspector::parseBreakpointOptions): Added.
        (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::fromPayload): Added.
        (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::ProtocolBreakpoint): Added.
        (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::createDebuggerBreakpoint const): Added.
        (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::matchesScriptURL const): Added.
        (Inspector::InspectorDebuggerAgent::debuggerBreakpointFromPayload): Added.
        (Inspector::InspectorDebuggerAgent::enable):
        (Inspector::InspectorDebuggerAgent::disable):
        (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
        (Inspector::buildDebuggerLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::didSetBreakpoint):
        (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::schedulePauseAtNextOpportunity): Added.
        (Inspector::InspectorDebuggerAgent::cancelPauseAtNextOpportunity): Added.
        (Inspector::InspectorDebuggerAgent::schedulePauseForSpecialBreakpoint): Added.
        (Inspector::InspectorDebuggerAgent::cancelPauseForSpecialBreakpoint): Added.
        (Inspector::InspectorDebuggerAgent::pause):
        (Inspector::InspectorDebuggerAgent::resume):
        (Inspector::InspectorDebuggerAgent::didBecomeIdle):
        (Inspector::InspectorDebuggerAgent::sourceMapURLForScript):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::willRunMicrotask):
        (Inspector::InspectorDebuggerAgent::didRunMicrotask):
        (Inspector::InspectorDebuggerAgent::didPause):
        (Inspector::InspectorDebuggerAgent::breakpointActionSound):
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
        (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
        (Inspector::matches): Deleted.
        (Inspector::buildObjectForBreakpointCookie): Deleted.
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol): Deleted.
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement): Deleted.
        (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement): Deleted.
        Create a private `ProtocolBreakpoint` class that holds the data sent by the frontend. This
        is necessary because breakpoints in the frontend have a potentially one-to-many relationship
        with breakpoints in the backend, as the same script can be loaded many times on a page. Each
        of those scripts is independent, however, and can execute differently, meaning that the same
        breakpoint for each script also needs a different state (e.g. ignore count). As such, the
        `ProtocolBreakpoint` is effectively a template that is actualized whenever a new script is
        parsed that matches the URL of the `ProtocolBreakpoint` to create a `JSC::Breakpoint` that
        is used by the `JSC::Debugger`. `ProtocolBreakpoint` also parses breakpoint configurations.

        * inspector/InspectorEnvironment.h:
        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/JSGlobalObjectScriptDebugServer.cpp:
        (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
        (Inspector::JSGlobalObjectScriptDebugServer::attachDebugger):
        (Inspector::JSGlobalObjectScriptDebugServer::detachDebugger):
        (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
        * inspector/agents/InspectorAuditAgent.h:
        * inspector/agents/InspectorAuditAgent.cpp:
        (Inspector::InspectorAuditAgent::run):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::setPauseOnExceptionsState):
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getPreview):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        Replace `Inspector::ScriptDebugServer` with `JSC::Debugger`.

        * runtime/JSMicrotask.cpp:
        (JSC::JSMicrotask::run):
        Drive-by: r248894 mistakenly omitted the call to notify the debugger that the microtask ran.

        * inspector/ScriptBreakpoint.h: Removed.
        * inspector/ScriptDebugListener.h: Removed.
        * inspector/ScriptDebugServer.h: Removed.
        * inspector/ScriptDebugServer.cpp: Removed.
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:

2020-08-24  Devin Rousso  <drousso@apple.com>

        Web Inspector: remove "extra domains" concept now that domains can be added based on the debuggable type
        https://bugs.webkit.org/show_bug.cgi?id=201150
        <rdar://problem/56545911>

        Reviewed by Brian Burg.

        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/augmentable/AugmentableInspectorController.h:

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::registerAlternateAgent): Added.
        (Inspector::JSGlobalObjectInspectorController::appendExtraAgent): Deleted.

        * inspector/InspectorAgentRegistry.h:
        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::AgentRegistry::appendExtraAgent): Deleted.

        * inspector/protocol/Inspector.json:
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::activateExtraDomain): Deleted.
        (Inspector::InspectorAgent::activateExtraDomains): Deleted.

        * inspector/scripts/tests/expected/command-targetType-matching-domain-debuggableType.json-result:
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/expected/domain-debuggableTypes.json-result:
        * inspector/scripts/tests/expected/domain-targetType-matching-domain-debuggableType.json-result:
        * inspector/scripts/tests/expected/domain-targetTypes.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/event-targetType-matching-domain-debuggableType.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        Rebase protocol tests.

2020-08-23  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, wrong merge resolution between r266031 and r263837
        https://bugs.webkit.org/show_bug.cgi?id=209774

        r263837 is landed after r266031 is configured. OSS buildbots didn't catch this since they are using old ICU headers.

        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):

2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, assertion was opposite
        https://bugs.webkit.org/show_bug.cgi?id=215058

        We should ensure that this is *not* zero.

        * runtime/IntlObject.cpp:
        (JSC::parseVariantCode):

2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Implement Intl Language Tag Parser
        https://bugs.webkit.org/show_bug.cgi?id=215058

        Reviewed by Ross Kirsling and Darin Adler.

        This patch adds LanguageTagParser which performs isStructurallyValidLanguageTag[1] validation precisely.
        The spec strictly defines acceptable format as language-tag and this is not the same to ICU's one and this
        is even tested in test262. We should have LanguageTagParser to validate the input.

        [1]: https://tc39.es/ecma402/#sec-isstructurallyvalidlanguagetag

        * runtime/IntlLocale.cpp:
        (JSC::LocaleIDBuilder::initialize):
        (JSC::IntlLocale::initializeLocale):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):
        (JSC::parseVariantCode):
        (JSC::convertToUnicodeSingletonIndex):
        (JSC::isUnicodeExtensionAttribute):
        (JSC::isUnicodeExtensionKey):
        (JSC::isUnicodeExtensionTypeComponent):
        (JSC::isUnicodePUExtensionValue):
        (JSC::isUnicodeOtherExtensionValue):
        (JSC::isUnicodeTKey):
        (JSC::isUnicodeTValueComponent):
        (JSC::LanguageTagParser::LanguageTagParser):
        (JSC::LanguageTagParser::isEOS):
        (JSC::LanguageTagParser::next):
        (JSC::LanguageTagParser::parseUnicodeLocaleId):
        (JSC::LanguageTagParser::parseUnicodeLanguageId):
        (JSC::LanguageTagParser::parseUnicodeExtensionAfterPrefix):
        (JSC::LanguageTagParser::parseTransformedExtensionAfterPrefix):
        (JSC::LanguageTagParser::parseOtherExtensionAfterPrefix):
        (JSC::LanguageTagParser::parsePUExtensionAfterPrefix):
        (JSC::LanguageTagParser::parseExtensionsAndPUExtensions):
        (JSC::isStructurallyValidLanguageTag):
        (JSC::isUnicodeLanguageId):
        * runtime/IntlObject.h:

2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, workaround for old ICU headers in macOS Catalina bots
        https://bugs.webkit.org/show_bug.cgi?id=209774

        EWS and Catalina bots are inconsistent in terms of ICU header versions.
        This patch adds a workaround which checks ICU header version too at runtime.

        * tools/JSDollarVM.cpp:
        (JSC::functionICUHeaderVersion):
        (JSC::JSDollarVM::finishCreation):

2020-08-22  Alexey Shvayka  <shvaikalesh@gmail.com>

        The [[ThrowTypeError]] function object must not be extensible
        https://bugs.webkit.org/show_bug.cgi?id=108873

        Reviewed by Yusuke Suzuki.

        This patch:

        1. Sets the value of %ThrowTypeError% "name" property to the empty string,
           as required [1] for anonymous built-in functions.

        2. Calls JSObject::freeze() on %ThrowTypeError%, making it non-extensible and
           its "name" and "length" properties non-configurable to match the spec [2].

        Both changes align JSC with V8 and SpiderMonkey.

        [1]: https://tc39.es/ecma262/#sec-ecmascript-standard-built-in-objects
        [2]: https://tc39.es/ecma262/#sec-%throwtypeerror%

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [ECMA-402] Intl.DateTimeFormat dateStyle/timeStyle missing in WebKit
        https://bugs.webkit.org/show_bug.cgi?id=209776

        Reviewed by Darin Adler and Ross Kirsling.

        This patch implements Intl.DateTimeFormat dateStyle and timeStyle options. When it is specified,
        we query the best date-time format with these options to ICU instead of configuring each date-time
        formats.

        Since ECMA402 requires enforcement of hourCycle specified from the option, even if ICU ignores that.
        So, after getting the appropriate pattern from ICU, we modify this pattern and re-create UDateFormat
        from the modified pattern.

        * builtins/DatePrototype.js:
        (toLocaleString.toDateTimeOptionsAnyAll):
        (toLocaleString):
        (toLocaleDateString.toDateTimeOptionsDateDate):
        (toLocaleDateString):
        (toLocaleTimeString.toDateTimeOptionsTimeTime):
        (toLocaleTimeString):
        * runtime/CommonIdentifiers.h:
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::toDateTimeOptionsAnyDate):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::formatStyleString):
        (JSC::IntlDateTimeFormat::resolvedOptions const):
        * runtime/IntlDateTimeFormat.h:

2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [ECMA-402] Implement Intl.DateTimeFormat.prototype.formatRange
        https://bugs.webkit.org/show_bug.cgi?id=209778

        Reviewed by Ross Kirsling.

        This patch adds Intl.DateTimeFormat#formatRange. It takes two dates, and
        generates formatted text which represents interval between these two dates.
        We skip the implementation of Intl.DateTimeFormat#formatRangeToParts since
        ICU udtitvfmt_formatToResult API is not getting stable state yet. We retrieve
        pattern from UDateFormat, get skeleton from that pattern, and construct
        UDateIntervalFormat from this skeleton.

        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::createDateIntervalFormatIfNecessary):
        (JSC::IntlDateTimeFormat::formatRange):
        (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator() const): Deleted.
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeFuncFormatRange):

2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add Intl.Segmenter
        https://bugs.webkit.org/show_bug.cgi?id=213638

        Reviewed by Ross Kirsling.

       &nbs