Fix exception check accounting in JSDataView::defineOwnProperty().
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-08-31  Mark Lam  <mark.lam@apple.com>

        Fix exception check accounting in JSDataView::defineOwnProperty().
        https://bugs.webkit.org/show_bug.cgi?id=189186
        <rdar://problem/39786049>

        Reviewed by Michael Saboff.

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::defineOwnProperty):

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Add missing exception check in arrayProtoFuncLastIndexOf().
        https://bugs.webkit.org/show_bug.cgi?id=189184
        <rdar://problem/39785959>

        Reviewed by Yusuke Suzuki.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncLastIndexOf):

2018-08-31  Saam barati  <sbarati@apple.com>

        convertToRegExpMatchFastGlobal must use KnownString as the child use kind
        https://bugs.webkit.org/show_bug.cgi?id=189173
        <rdar://problem/43501645>

        Reviewed by Michael Saboff.

        We were crashing during validation because mayExit returned true
        at a point in the program when we weren't allowed to exit.

        The issue is in StrengthReduction: we end up emitting code that
        had a StringUse on an edge after a node that did side effects and before
        an ExitOK/bytecode number transition. However, StrengthReduction did the
        right thing here and also emitted the type checks before the node with
        side effects. It just did bad bookkeeping. The node we convert to needs
        to use KnownStringUse instead of StringUse for the child edge.

        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
        (JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
        (JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
        * dfg/DFGNode.h:
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2018-08-30  Saam barati  <sbarati@apple.com>

        Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
        https://bugs.webkit.org/show_bug.cgi?id=189166

        Reviewed by Mark Lam.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
        * bytecode/InlineAccess.cpp:
        (JSC::getScratchRegister):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::valueRegs const):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):

2018-08-30  Saam barati  <sbarati@apple.com>

        InlineAccess should do StringLength
        https://bugs.webkit.org/show_bug.cgi?id=158911

        Reviewed by Yusuke Suzuki.

        This patch extends InlineAccess to support StringLength. This patch also
        fixes AccessCase::fromStructureStubInfo to support ArrayLength and StringLength.
        I forgot to implement this for ArrayLength in the initial InlineAccess
        implementation.  Supporting StringLength is a natural extension of the
        InlineAccess machinery.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch8):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::patchableBranch8):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::getScratchRegister):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):
        (JSC::InlineAccess::generateSelfInAccess):
        (JSC::InlineAccess::generateStringLength):
        * bytecode/InlineAccess.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initStringLength):
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::baseGPR const):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2018-08-30  Saam barati  <sbarati@apple.com>

        CSE DataViewGet* DFG nodes
        https://bugs.webkit.org/show_bug.cgi?id=188768

        Reviewed by Yusuke Suzuki.

        This patch makes it so that we CSE DataViewGet* accesses. To do this,
        I needed to add a third descriptor to HeapLocation to represent the
        isLittleEndian child. This patch is neutral on compile time benchmarks,
        and is a 50% speedup on a trivial CSE microbenchmark that I added.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        (JSC::DFG::HeapLocation::HeapLocation):
        (JSC::DFG::HeapLocation::hash const):
        (JSC::DFG::HeapLocation::operator== const):
        (JSC::DFG::indexedPropertyLocForResultType):

2018-08-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        output of toString() of Generator is wrong
        https://bugs.webkit.org/show_bug.cgi?id=188952

        Reviewed by Saam Barati.

        Function#toString does not respect generator and async generator.
        This patch fixes them and supports all the function types.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-08-29  Mark Lam  <mark.lam@apple.com>

        Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
        https://bugs.webkit.org/show_bug.cgi?id=189132
        <rdar://problem/42513068>

        Reviewed by Saam Barati.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey const):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):

2018-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r235432 and r235436.
        https://bugs.webkit.org/show_bug.cgi?id=189086

        It is a Swift source-breaking change. (Requested by keith_miller
        on #webkit).

        Reverted changesets:

        "Add nullablity attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235432

        "Add nullablity attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235436

2018-08-28  Mark Lam  <mark.lam@apple.com>

        Fix bit-rotted Interpreter::dumpRegisters() and move it to the VMInspector.
        https://bugs.webkit.org/show_bug.cgi?id=189059
        <rdar://problem/40335354>

        Reviewed by Saam Barati.

        1. Moved Interpreter::dumpRegisters() to VMInspector::dumpRegisters().
        2. Added $vm.dumpRegisters().

            Usage: $vm.dumpRegisters(N) // dump the registers of the Nth CallFrame.
            Usage: $vm.dumpRegisters() // dump the registers of the current CallFrame.

           Note: Currently, $vm.dumpRegisters() only dumps registers in the physical frame.
           It will treat inlined frames' content as registers in the bounding physical frame.

           Here's an example of such a dump on a DFG frame:

                Register frame:

                -----------------------------------------------------------------------------
                            use            |   address  |                value
                -----------------------------------------------------------------------------
                [r 12 arguments[  7]]      | 0x7ffeefbfd330 | 0xa                Undefined
                [r 11 arguments[  6]]      | 0x7ffeefbfd328 | 0x10bbb3e80        Object: 0x10bbb3e80 with butterfly 0x0 (Structure 0x10bbf20d0:[Object, {}, NonArray, Proto:0x10bbb4000]), StructureID: 76
                [r 10 arguments[  5]]      | 0x7ffeefbfd320 | 0xa                Undefined
                [r  9 arguments[  4]]      | 0x7ffeefbfd318 | 0xa                Undefined
                [r  8 arguments[  3]]      | 0x7ffeefbfd310 | 0xa                Undefined
                [r  7 arguments[  2]]      | 0x7ffeefbfd308 | 0xffff0000000a5eaa Int32: 679594
                [r  6 arguments[  1]]      | 0x7ffeefbfd300 | 0x10bbd00f0        Object: 0x10bbd00f0 with butterfly 0x8000f8248 (Structure 0x10bba4700:[Function, {name:100, prototype:101, length:102, Symbol.species:103, isArray:104}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 160
                [r  5           this]      | 0x7ffeefbfd2f8 | 0x10bbe0000        Object: 0x10bbe0000 with butterfly 0x8000d8808 (Structure 0x10bb35340:[global, {parseInt:100, parseFloat:101, Object:102, Function:103, Array:104, RegExp:105, RangeError:106, TypeError:107, PrivateSymbol.Object:108, PrivateSymbol.Array:109, ArrayBuffer:110, String:111, Symbol:112, Number:113, Boolean:114, Error:115, Map:116, Set:117, Promise:118, eval:119, Reflect:121, $vm:122, WebAssembly:123, debug:124, describe:125, describeArray:126, print:127, printErr:128, quit:129, gc:130, fullGC:131, edenGC:132, forceGCSlowPaths:133, gcHeapSize:134, addressOf:135, version:136, run:137, runString:138, load:139, loadString:140, readFile:141, read:142, checkSyntax:143, sleepSeconds:144, jscStack:145, readline:146, preciseTime:147, neverInlineFunction:148, noInline:149, noDFG:150, noFTL:151, numberOfDFGCompiles:153, jscOptions:154, optimizeNextInvocation:155, reoptimizationRetryCount:156, transferArrayBuffer:157, failNextNewCodeBlock:158, OSRExit:159, isFinalTier:160, predictInt32:161, isInt32:162, isPureNaN:163, fiatInt52:164, effectful42:165, makeMasquerader:166, hasCustomProperties:167, createGlobalObject:168, dumpTypesForAllVariables:169, drainMicrotasks:170, getRandomSeed:171, setRandomSeed:172, isRope:173, callerSourceOrigin:174, is32BitPlatform:175, loadModule:176, checkModuleSyntax:177, platformSupportsSamplingProfiler:178, generateHeapSnapshot:179, resetSuperSamplerState:180, ensureArrayStorage:181, startSamplingProfiler:182, samplingProfilerStackTraces:183, maxArguments:184, asyncTestStart:185, asyncTestPassed:186, WebAssemblyMemoryMode:187, console:188, $:189, $262:190, waitForReport:191, heapCapacity:192, flashHeapAccess:193, disableRichSourceInfo:194, mallocInALoop:195, totalCompileTime:196, Proxy:197, uneval:198, WScript:199, failWithMessage:200, triggerAssertFalse:201, isNaN:202, isFinite:203, escape:204, unescape:205, decodeURI:206, decodeURIComponent:207, encodeURI:208, encodeURIComponent:209, EvalError:210, ReferenceError:211, SyntaxError:212, URIError:213, JSON:214, Math:215, Int8Array:216, PrivateSymbol.Int8Array:217, Int16Array:218, PrivateSymbol.Int16Array:219, Int32Array:220, PrivateSymbol.Int32Array:221, Uint8Array:222, PrivateSymbol.Uint8Array:223, Uint8ClampedArray:224, PrivateSymbol.Uint8ClampedArray:225, Uint16Array:226, PrivateSymbol.Uint16Array:227, Uint32Array:228, PrivateSymbol.Uint32Array:229, Float32Array:230, PrivateSymbol.Float32Array:231, Float64Array:232, PrivateSymbol.Float64Array:233, DataView:234, Date:235, WeakMap:236, WeakSet:237, Intl:120, desc:238}, NonArray, Proto:0x10bbb4000, UncacheableDictionary, Leaf]), StructureID: 474
                -----------------------------------------------------------------------------
                [ArgumentCount]            | 0x7ffeefbfd2f0 | 7
                [ReturnVPC]                | 0x7ffeefbfd2f0 | 164 (line 57)
                [Callee]                   | 0x7ffeefbfd2e8 | 0x10bb68db0        Object: 0x10bb68db0 with butterfly 0x0 (Structure 0x10bbf1c00:[Function, {}, NonArray, Proto:0x10bbd0000, Shady leaf]), StructureID: 65
                [CodeBlock]                | 0x7ffeefbfd2e0 | 0x10bb2f8e0        __callRandomFunction#DmVXnv:[0x10bb2f8e0->0x10bbfd1e0, LLIntFunctionCall, 253]
                [ReturnPC]                 | 0x7ffeefbfd2d8 | 0x10064d14c
                [CallerFrame]              | 0x7ffeefbfd2d0 | 0x7ffeefbfd380
                -----------------------------------------------------------------------------
                [r -1  CalleeSaveReg]      | 0x7ffeefbfd2c8 | 0xffff000000000002 Int32: 2
                [r -2  CalleeSaveReg]      | 0x7ffeefbfd2c0 | 0xffff000000000000 Int32: 0
                [r -3  CalleeSaveReg]      | 0x7ffeefbfd2b8 | 0x10baf1608
                [r -4               ]      | 0x7ffeefbfd2b0 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -5               ]      | 0x7ffeefbfd2a8 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -6               ]      | 0x7ffeefbfd2a0 | 0xa                Undefined
                -----------------------------------------------------------------------------
                [r -7]                     | 0x7ffeefbfd298 | 0x10bb6fdc0        String (atomic) (identifier): length, StructureID: 4
                [r -8]                     | 0x7ffeefbfd290 | 0x10bbb7ec0        Object: 0x10bbb7ec0 with butterfly 0x8000e0008 (Structure 0x10bbf2ae0:[Array, {}, ArrayWithContiguous, Proto:0x10bbc8080]), StructureID: 99
                [r -9]                     | 0x7ffeefbfd288 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
                [r-10]                     | 0x7ffeefbfd280 | 0xffff000000000004 Int32: 4
                [r-11]                     | 0x7ffeefbfd278 | 0x10bbb4290        Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306
                [r-12]                     | 0x7ffeefbfd270 | 0x100000001
                [r-13]                     | 0x7ffeefbfd268 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
                [r-14]                     | 0x7ffeefbfd260 | 0x0
                [r-15]                     | 0x7ffeefbfd258 | 0x10064d14c
                [r-16]                     | 0x7ffeefbfd250 | 0x7ffeefbfd2d0
                [r-17]                     | 0x7ffeefbfd248 | 0x67ec87ee177      INVALID
                [r-18]                     | 0x7ffeefbfd240 | 0x7ffeefbfd250
                -----------------------------------------------------------------------------

        3. Removed dumpCallFrame() from the jsc shell.  We have the following tools that
           we can use in its place:

            $vm.dumpCallFrame()
            $vm.dumpBytecodeFor()
            $vm.dumpRegisters()     // Just added in this patch.

        4. Also fixed a bug in BytecodeDumper: it should only access
           CallLinkInfo::haveLastSeenCallee() if CallLinkInfo::isDirect() is false.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCallOp):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpCallFrame): Deleted.
        (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): Deleted.
        (JSC::DumpReturnVirtualPCFunctor::operator() const): Deleted.
        (JSC::Interpreter::dumpRegisters): Deleted.
        * interpreter/Interpreter.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDumpCallFrame): Deleted.
        * tools/JSDollarVM.cpp:
        (JSC::functionDumpRegisters):
        (JSC::JSDollarVM::finishCreation):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpRegisters):
        * tools/VMInspector.h:

2018-08-28  Keith Miller  <keith_miller@apple.com>

        Add nullablity attributes to JSValue
        https://bugs.webkit.org/show_bug.cgi?id=189047

        Reviewed by Dan Bernstein.

        Switch to using NS_ASSUME_NONNULL_BEGIN/END.

        * API/JSValue.h:

2018-08-28  Keith Miller  <keith_miller@apple.com>

        Add nullablity attributes to JSValue
        https://bugs.webkit.org/show_bug.cgi?id=189047

        Reviewed by Geoffrey Garen.

        * API/JSValue.h:

2018-08-27  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [WebAssembly] Parse wasm modules in a streaming fashion
        https://bugs.webkit.org/show_bug.cgi?id=188943

        Reviewed by Mark Lam.

        This patch adds Wasm::StreamingParser, which parses wasm binary in a streaming fashion.
        Currently, this StreamingParser is not enabled and integrated. In subsequent patches,
        we start integrating it into BBQPlan and dropping the old ModuleParser.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * tools/JSDollarVM.cpp:
        (WTF::WasmStreamingParser::WasmStreamingParser):
        (WTF::WasmStreamingParser::create):
        (WTF::WasmStreamingParser::createStructure):
        (WTF::WasmStreamingParser::streamingParser):
        (WTF::WasmStreamingParser::finishCreation):
        (WTF::functionWasmStreamingParserAddBytes):
        (WTF::functionWasmStreamingParserFinalize):
        (JSC::functionCreateWasmStreamingParser):
        (JSC::JSDollarVM::finishCreation):
        The $vm Wasm::StreamingParser object is introduced for testing purposes. A new stress test that
        uses this interface is added to test the streaming parser in the JSC shell.

        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::BBQPlan):
        (JSC::Wasm::BBQPlan::parseAndValidateModule):
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::compileFunctions):
        (JSC::Wasm::BBQPlan::complete):
        (JSC::Wasm::BBQPlan::work):
        * wasm/WasmBBQPlan.h:
        BBQPlan has m_source, but once ModuleInformation is parsed, it is no longer necessary.
        In subsequent patches, we will remove this, and stream the data into the BBQPlan.

        * wasm/WasmFormat.h:
        * wasm/WasmModuleInformation.cpp:
        (JSC::Wasm::ModuleInformation::ModuleInformation):
        * wasm/WasmModuleInformation.h:
        One of the largest changes in this patch is that ModuleInformation no longer holds source bytes,
        since source bytes can be added in a streaming fashion. Instead of holding all the source bytes
        in ModuleInformation, each function (ModuleInformation::functions, FunctionData) should have
        Vector<uint8_t> for its data. This data is eventually filled by StreamingParser, and compiling
        a function with this data can be done concurrently with StreamingParser.

        (JSC::Wasm::ModuleInformation::create):
        (JSC::Wasm::ModuleInformation::memoryCount const):
        (JSC::Wasm::ModuleInformation::tableCount const):
        memoryCount and tableCount should be recorded in ModuleInformation.

        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        (JSC::Wasm::makeI32InitExpr): Deleted.
        (JSC::Wasm::ModuleParser::parseType): Deleted.
        (JSC::Wasm::ModuleParser::parseImport): Deleted.
        (JSC::Wasm::ModuleParser::parseFunction): Deleted.
        (JSC::Wasm::ModuleParser::parseResizableLimits): Deleted.
        (JSC::Wasm::ModuleParser::parseTableHelper): Deleted.
        (JSC::Wasm::ModuleParser::parseTable): Deleted.
        (JSC::Wasm::ModuleParser::parseMemoryHelper): Deleted.
        (JSC::Wasm::ModuleParser::parseMemory): Deleted.
        (JSC::Wasm::ModuleParser::parseGlobal): Deleted.
        (JSC::Wasm::ModuleParser::parseExport): Deleted.
        (JSC::Wasm::ModuleParser::parseStart): Deleted.
        (JSC::Wasm::ModuleParser::parseElement): Deleted.
        (JSC::Wasm::ModuleParser::parseCode): Deleted.
        (JSC::Wasm::ModuleParser::parseInitExpr): Deleted.
        (JSC::Wasm::ModuleParser::parseGlobalType): Deleted.
        (JSC::Wasm::ModuleParser::parseData): Deleted.
        (JSC::Wasm::ModuleParser::parseCustom): Deleted.
        Extract section parsing code out from ModuleParser. We create SectionParser and ModuleParser uses it.
        SectionParser is also used by StreamingParser.

        * wasm/WasmModuleParser.h:
        (): Deleted.
        * wasm/WasmNameSection.h:
        (JSC::Wasm::NameSection::NameSection):
        (JSC::Wasm::NameSection::create):
        (JSC::Wasm::NameSection::setHash):
        Hash calculation is deferred since all the source is not available in streaming parsing.

        * wasm/WasmNameSectionParser.cpp:
        (JSC::Wasm::NameSectionParser::parse):
        * wasm/WasmNameSectionParser.h:
        Use Ref<NameSection>.

        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        Wasm::Plan no longer has m_source since data will be eventually filled in a streaming fashion.
        OMGPlan can get data of the function by using ModuleInformation::functions.

        * wasm/WasmParser.h:
        (JSC::Wasm::Parser::source const):
        (JSC::Wasm::Parser::length const):
        (JSC::Wasm::Parser::offset const):
        (JSC::Wasm::Parser::fail const):
        (JSC::Wasm::makeI32InitExpr):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):
        Wasm::Plan should not have all the source a priori. Streamed data will be pumped from the provider.

        * wasm/WasmPlan.h:
        * wasm/WasmSectionParser.cpp: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.cpp.
        SectionParser is extracted from ModuleParser. And it is used by both the old (currently working)
        ModuleParser and the new StreamingParser.

        (JSC::Wasm::SectionParser::parseType):
        (JSC::Wasm::SectionParser::parseImport):
        (JSC::Wasm::SectionParser::parseFunction):
        (JSC::Wasm::SectionParser::parseResizableLimits):
        (JSC::Wasm::SectionParser::parseTableHelper):
        (JSC::Wasm::SectionParser::parseTable):
        (JSC::Wasm::SectionParser::parseMemoryHelper):
        (JSC::Wasm::SectionParser::parseMemory):
        (JSC::Wasm::SectionParser::parseGlobal):
        (JSC::Wasm::SectionParser::parseExport):
        (JSC::Wasm::SectionParser::parseStart):
        (JSC::Wasm::SectionParser::parseElement):
        (JSC::Wasm::SectionParser::parseCode):
        (JSC::Wasm::SectionParser::parseInitExpr):
        (JSC::Wasm::SectionParser::parseGlobalType):
        (JSC::Wasm::SectionParser::parseData):
        (JSC::Wasm::SectionParser::parseCustom):
        * wasm/WasmSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.h.
        * wasm/WasmStreamingParser.cpp: Added.
        (JSC::Wasm::parseUInt7):
        (JSC::Wasm::StreamingParser::fail):
        (JSC::Wasm::StreamingParser::StreamingParser):
        (JSC::Wasm::StreamingParser::parseModuleHeader):
        (JSC::Wasm::StreamingParser::parseSectionID):
        (JSC::Wasm::StreamingParser::parseSectionSize):
        (JSC::Wasm::StreamingParser::parseCodeSectionSize):
        The code section in a Wasm binary is handled specially compared with the other sections since it includes
        a bunch of functions. StreamingParser extracts each function in a streaming fashion and enables
        streaming validation / compilation of Wasm functions.

        (JSC::Wasm::StreamingParser::parseFunctionSize):
        (JSC::Wasm::StreamingParser::parseFunctionPayload):
        (JSC::Wasm::StreamingParser::parseSectionPayload):
        (JSC::Wasm::StreamingParser::consume):
        (JSC::Wasm::StreamingParser::consumeVarUInt32):
        (JSC::Wasm::StreamingParser::addBytes):
        (JSC::Wasm::StreamingParser::failOnState):
        (JSC::Wasm::StreamingParser::finalize):
        * wasm/WasmStreamingParser.h: Added.
        (JSC::Wasm::StreamingParser::addBytes):
        (JSC::Wasm::StreamingParser::errorMessage const):
        This is our new StreamingParser implementation. StreamingParser::consumeXXX functions get data, and
        StreamingParser::parseXXX functions parse consumed data. The user of StreamingParser calls
        StreamingParser::addBytes() to pump the bytes stream into the parser. And once all the data is pumped,
        the user calls StreamingParser::finalize. StreamingParser is a state machine which feeds on the
        incoming byte stream.

        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::source const): Deleted.
        All the source should not be held.

        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyValidateFunc):

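The streaming state machine this entry describes (module header, section ID, section size, a code section split into per-function sizes and payloads, addBytes() pumping bytes in and finalize() closing the stream), as an added example that is not WebKit code and not this patch's Wasm::StreamingParser: the class name StreamingWasmParser, its state names, its error strings and the 27-byte sample module are all constructed for the example. The parser never consumes a LEB128 size until the whole varint is buffered, checks every function body against the declared end of the code section, and rejects section IDs that are unknown or out of order.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

// Added example, not JavaScriptCore code: a streaming wasm binary parser as a state machine driven
// by addBytes(); the code section is split into per-function payloads as each body fully arrives.
class StreamingWasmParser {
public:
    enum class State { ModuleHeader, SectionID, SectionSize, SectionPayload,
                       CodeSectionSize, FunctionSize, FunctionPayload, Finished, Fatal };
    const std::string& error() const { return m_error; }
    const std::vector<std::vector<uint8_t>>& functions() const { return m_functions; }

    // Pump a chunk of any size; parses as far as the buffered bytes allow.
    State addBytes(const uint8_t* data, size_t size) {
        if (m_state == State::Finished) fail("bytes after end of module");
        if (m_state == State::Fatal) return m_state;
        m_buffer.insert(m_buffer.end(), data, data + size);
        while (step()) { }
        m_buffer.erase(m_buffer.begin(), m_buffer.begin() + m_offset); // drop the consumed prefix
        m_offset = 0;
        return m_state;
    }
    // End of stream: only valid on a section boundary with nothing left over.
    State finalize() {
        if (m_state == State::SectionID && available() == 0) m_state = State::Finished;
        else if (m_state != State::Fatal) fail("truncated module");
        return m_state;
    }

private:
    size_t available() const { return m_buffer.size() - m_offset; }
    void advance(size_t n) { m_offset += n; m_position += n; }
    bool go(State next) { m_state = next; return true; }
    bool fail(const char* message) { m_state = State::Fatal; m_error = message; return false; }

    // One transition; false means "need more bytes" or that a fatal error was recorded.
    bool step() {
        static const uint8_t magic[8] = { 0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00 };
        switch (m_state) {
        case State::ModuleHeader:
            if (available() < 8) return false;
            if (!std::equal(magic, magic + 8, m_buffer.begin() + m_offset)) return fail("bad magic or version");
            advance(8);
            return go(State::SectionID);
        case State::SectionID:
            if (available() < 1) return false;
            m_sectionID = m_buffer[m_offset];
            advance(1);
            if (m_sectionID > 11) return fail("unknown section id");
            // Known sections must come in increasing id order; custom sections (id 0) may appear anywhere.
            if (m_sectionID && m_sectionID <= m_lastKnownSectionID) return fail("section out of order");
            if (m_sectionID) m_lastKnownSectionID = m_sectionID;
            return go(State::SectionSize);
        case State::SectionSize:
            if (!consumeVarUInt32(m_sectionSize)) return false;
            m_sectionEnd = m_position + m_sectionSize;
            return go(m_sectionID == 10 ? State::CodeSectionSize : State::SectionPayload);
        case State::SectionPayload: // non-code sections are buffered whole for a section parser (omitted)
            if (available() < m_sectionSize) return false;
            advance(m_sectionSize);
            return go(State::SectionID);
        case State::CodeSectionSize:
            if (!consumeVarUInt32(m_functionsRemaining)) return false;
            if (!m_functionsRemaining && m_position != m_sectionEnd) return fail("code section size mismatch");
            return go(m_functionsRemaining ? State::FunctionSize : State::SectionID);
        case State::FunctionSize:
            if (!consumeVarUInt32(m_functionSize)) return false;
            if (m_position + m_functionSize > m_sectionEnd) return fail("function overruns code section");
            return go(State::FunctionPayload);
        case State::FunctionPayload:
            if (available() < m_functionSize) return false;
            m_functions.emplace_back(m_buffer.begin() + m_offset, m_buffer.begin() + m_offset + m_functionSize);
            advance(m_functionSize);
            if (--m_functionsRemaining) return go(State::FunctionSize);
            return m_position == m_sectionEnd ? go(State::SectionID) : fail("code section size mismatch");
        default:
            return false;
        }
    }

    // LEB128 u32; consumes nothing until the whole varint is buffered. False: need more bytes, or failed.
    bool consumeVarUInt32(uint32_t& out) {
        uint32_t value = 0;
        for (size_t i = 0; i < 5; ++i) {
            if (i >= available()) return false;
            uint8_t byte = m_buffer[m_offset + i];
            value |= uint32_t(byte & 0x7F) << (7 * i);
            if (byte & 0x80) continue;
            if (i == 4 && (byte & 0x70)) return fail("varuint32 overflow"); // 5th byte carries only 4 bits
            advance(i + 1);
            out = value;
            return true;
        }
        return fail("varuint32 too long");
    }

    State m_state = State::ModuleHeader;
    std::string m_error;
    std::vector<uint8_t> m_buffer;
    std::vector<std::vector<uint8_t>> m_functions;
    size_t m_offset = 0, m_position = 0, m_sectionEnd = 0; // buffer cursor; absolute stream offset; section end
    uint8_t m_sectionID = 0, m_lastKnownSectionID = 0;
    uint32_t m_sectionSize = 0, m_functionsRemaining = 0, m_functionSize = 0;
};

// Constructed sample (not from the page): (module (func (result i32) i32.const 42)), 27 bytes.
static const std::vector<uint8_t> kSampleModule = {
    0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00, // magic, version 1
    0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7F,       // type section: one type, () -> i32
    0x03, 0x02, 0x01, 0x00,                         // function section: func 0 uses type 0
    0x0A, 0x06, 0x01, 0x04, 0x00, 0x41, 0x2A, 0x0B, // code section: one body, "i32.const 42; end"
};

// Streams the first `length` bytes of the sample in `chunkSize` slices, then finalizes; returns the
// parser's error message ("" when the module parsed) and, optionally, the extracted function bodies.
static std::string streamSample(size_t chunkSize, size_t length, std::vector<std::vector<uint8_t>>* bodies = nullptr) {
    StreamingWasmParser parser;
    for (size_t i = 0; i < length; i += chunkSize)
        if (parser.addBytes(kSampleModule.data() + i, std::min(chunkSize, length - i)) == StreamingWasmParser::State::Fatal) break;
    parser.finalize();
    if (bodies) *bodies = parser.functions();
    return parser.error();
}
```

streamSample(1, 27) feeds the module one byte at a time and yields the same single body (00 41 2A 0B) as streamSample(27, 27); cutting the stream at 20 or 24 bytes leaves the parser mid-section, which finalize() reports as "truncated module" rather than silently accepting a partial module. Two things a production version needs beyond this sketch: a cap on the declared size of non-code sections before they are buffered whole (a hostile stream can claim a 4 GiB section), and per-function validation/compilation kicked off from the FunctionPayload transition, which is what the streaming split of the code section is for.
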
2018-08-27  Mark Lam  <mark.lam@apple.com>

        Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names.
        https://bugs.webkit.org/show_bug.cgi?id=188577
        <rdar://problem/42985684>

        Reviewed by Saam Barati.

        1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current
           (top) CallFrame (which may not have a valid callee) into a StackOverflowFrame.

           The StackOverflowFrame is a sentinel frame that the low level code (exception
           throwing code, stack visitor, and stack unwinding code) will know to skip
           over.  The StackOverflowFrame will also have a valid JSCallee so that client
           code can compute the globalObject or VM from this frame.

           As a result, client code that throws StackOverflowErrors no longer needs to
           compute the caller frame to throw from: it just converts the top frame into
           a StackOverflowFrame and everything should *Just Work*.

        2. NativeCallFrameTracerWithRestore is now obsolete.

           Instead, client code should always call convertToStackOverflowFrame() on the
           frame before instantiating a NativeCallFrameTracer with it.

           This means that topCallFrame will always point to the top CallFrame (which
           may be a StackOverflowFrame), and topEntryFrame will always point to the top
           EntryFrame.  We'll never temporarily point them to the previous EntryFrame
           (which we used to do with NativeCallFrameTracerWithRestore).

        3. genericUnwind() and Interpreter::unwind() will now always unwind from the top
           CallFrame, and will know how to handle a StackOverflowFrame if they see one.

           This obsoletes the UnwindStart flag.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::callerFrame const):
        (JSC::CallFrame::unsafeCallerFrame const):
        (JSC::CallFrame::convertToStackOverflowFrame):
        (JSC::CallFrame::callerFrame): Deleted.
        (JSC::CallFrame::unsafeCallerFrame): Deleted.
        * interpreter/CallFrame.h:
        (JSC::ExecState::iterate):
        * interpreter/CallFrameInlines.h: Added.
        (JSC::CallFrame::isStackOverflowFrame const):
        (JSC::CallFrame::isWasmFrame const):
        * interpreter/EntryFrame.h: Added.
        (JSC::EntryFrame::vmEntryRecordOffset):
        (JSC::EntryFrame::calleeSaveRegistersBufferOffset):
        * interpreter/FrameTracers.h:
        (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted.
        (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::visit):
        (JSC::StackVisitor::topEntryFrameIsEmpty const):
        * interpreter/VMEntryRecord.h:
        (JSC::VMEntryRecord::callee const):
        (JSC::EntryFrame::vmEntryRecordOffset): Deleted.
        (JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted.
        * jit/AssemblyHelpers.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITOperations.cpp:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CallData.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::throwArityCheckStackOverflowError):
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp: Removed.
        * runtime/CommonSlowPathsExceptions.h: Removed.
        * runtime/Completion.cpp:
        (JSC::evaluateWithScopeExtension):
        * runtime/JSGeneratorFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::stackOverflowFrameCallee const):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/VM.h:
        * runtime/VMInlines.h:
        (JSC::VM::topJSCallFrame const):

554 2018-08-27  Keith Rollin  <krollin@apple.com>
555
556         Unreviewed build fix -- disable LTO for production builds
557
558         * Configurations/Base.xcconfig:
559
560 2018-08-27  Aditya Keerthi  <akeerthi@apple.com>
561
562         Consolidate ENABLE_INPUT_TYPE_COLOR and ENABLE_INPUT_TYPE_COLOR_POPOVER
563         https://bugs.webkit.org/show_bug.cgi?id=188931
564
565         Reviewed by Wenson Hsieh.
566
567         * Configurations/FeatureDefines.xcconfig: Removed ENABLE_INPUT_TYPE_COLOR_POPOVER.
568
569 2018-08-27  Devin Rousso  <drousso@apple.com>
570
571         Web Inspector: provide autocompletion for event breakpoints
572         https://bugs.webkit.org/show_bug.cgi?id=188717
573
574         Reviewed by Brian Burg.
575
576         * inspector/protocol/DOM.json:
577         Add `getSupportedEventNames` command.
578
579 2018-08-27  Keith Rollin  <krollin@apple.com>
580
581         Build system support for LTO
582         https://bugs.webkit.org/show_bug.cgi?id=187785
583         <rdar://problem/42353132>
584
585         Reviewed by Dan Bernstein.
586
587         Update Base.xcconfig and DebugRelease.xcconfig to optionally enable
588         LTO.
589
590         * Configurations/Base.xcconfig:
591         * Configurations/DebugRelease.xcconfig:
592
593 2018-08-27  Patrick Griffis  <pgriffis@igalia.com>
594
595         [GTK][JSC] Add warn_unused_result attribute to some APIs
596         https://bugs.webkit.org/show_bug.cgi?id=188983
597
598         Reviewed by Michael Catanzaro.
599
600         * API/glib/JSCValue.h:
601
602 2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
603
604         [JSC] Array.prototype.reverse modifies JSImmutableButterfly
605         https://bugs.webkit.org/show_bug.cgi?id=188794
606
607         Reviewed by Saam Barati.
608
609         While Array.prototype.reverse modifies the butterfly of the given Array,
610         it does not account for the JSImmutableButterfly case, so it accidentally modifies
611         the content of JSImmutableButterfly.
612         This patch converts CoW arrays to writable arrays before reversing.
613
614         * runtime/ArrayPrototype.cpp:
615         (JSC::arrayProtoFuncReverse):
616         * runtime/JSObject.h:
617         (JSC::JSObject::ensureWritable):
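
The copy-on-write hazard described in the entry above, as an added example that is not WebKit code: two arrays created from the same literal share one immutable backing store, so an in-place reverse that skips the writable check corrupts the sibling, while reversing after an ensureWritable()-style detach does not. The names CowArray, SharedStorage, ensureWritable and reverseInPlace are hypothetical stand-ins for the JSC types and functions named in the entry.

```cpp
// Added example (not WebKit code): a copy-on-write array whose backing storage
// may be shared, modelling the JSImmutableButterfly case from the entry above.
#include <algorithm>
#include <memory>
#include <utility>
#include <vector>

struct SharedStorage {
    std::vector<int> elements;
    bool immutable = false; // true: may be shared by several arrays (copy-on-write)
};

class CowArray {
public:
    explicit CowArray(std::shared_ptr<SharedStorage> storage) : m_storage(std::move(storage)) {}

    // Counterpart of JSObject::ensureWritable(): if the backing store is shared and
    // immutable, take a private writable copy before any in-place mutation.
    void ensureWritable() {
        if (!m_storage->immutable)
            return;
        auto copy = std::make_shared<SharedStorage>();
        copy->elements = m_storage->elements;
        copy->immutable = false;
        m_storage = std::move(copy);
    }

    // The buggy shape: mutate the shared storage without checking for CoW.
    void reverseInPlaceUnsafe() {
        std::reverse(m_storage->elements.begin(), m_storage->elements.end());
    }

    // The fixed shape: detach from shared storage first, then reverse.
    void reverseInPlace() {
        ensureWritable();
        reverseInPlaceUnsafe();
    }

    const std::vector<int>& elements() const { return m_storage->elements; }
    bool sharesStorageWith(const CowArray& other) const { return m_storage == other.m_storage; }

private:
    std::shared_ptr<SharedStorage> m_storage;
};

// Constructed input: one immutable literal [1, 2, 3] shared by two arrays.
static std::shared_ptr<SharedStorage> makeImmutableLiteral() {
    return std::make_shared<SharedStorage>(SharedStorage{{1, 2, 3}, true});
}

// True when reversing `a` without the writable check leaks into `b`.
bool unsafeReverseCorruptsSibling() {
    auto literal = makeImmutableLiteral();
    CowArray a(literal), b(literal);
    a.reverseInPlaceUnsafe();
    return b.elements() != std::vector<int>{1, 2, 3};
}

// True when the fixed reverse leaves `b` intact and `a` on its own storage.
bool safeReversePreservesSibling() {
    auto literal = makeImmutableLiteral();
    CowArray a(literal), b(literal);
    a.reverseInPlace();
    return a.elements() == std::vector<int>{3, 2, 1}
        && b.elements() == std::vector<int>{1, 2, 3}
        && !a.sharesStorageWith(b);
}
```

The same pattern applies to any other in-place mutator: the writable check must run before the first store, not after, because once shared storage has been written there is no way to recover the sibling's original contents.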
618
619 2018-08-24  Michael Saboff  <msaboff@apple.com>
620
621         YARR: Update UCS canonicalization tables for Unicode 11
622         https://bugs.webkit.org/show_bug.cgi?id=188928
623
624         Reviewed by Mark Lam.
625
626         Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js.
627
628         This passes JavaScriptCore and test262 tests.
629
630         * yarr/YarrCanonicalizeUCS2.cpp:
631         * yarr/YarrCanonicalizeUCS2.js:
632         (printHeader):
633
634 2018-08-24  Michael Saboff  <msaboff@apple.com>
635
636         YARR: JIT RegExps with non-greedy parenthesized sub patterns
637         https://bugs.webkit.org/show_bug.cgi?id=180876
638
639         Reviewed by Filip Pizlo.
640
641         Implemented the non-greedy nested parenthesis based on the prior greedy nested parenthesis work.
642         For the matching code, the greedy path was correct except that we don't try matching for the
643         non-greedy case.  Added a jump out to the term after the parenthesis and a label to perform the
644         first / next match when we backtrack.  The backtracking code needs to check to see if we have
645         tried the first match or if we can do another match.
646
647         Updated the disassembly annotations to include parenthesis capturing info, quantifier type and
648         count.  Did other minor cleanup as well.
649
650         Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()".
651
652         Updated the text in some comments, both for this change as well as accuracy for existing code.
653
654         * yarr/YarrJIT.cpp:
655         (JSC::Yarr::YarrGenerator::generate):
656         (JSC::Yarr::YarrGenerator::backtrack):
657         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
658         (JSC::Yarr::YarrGenerator::compile):
659         (JSC::Yarr::dumpCompileFailure):
660         (JSC::Yarr::jitCompile):
661         * yarr/YarrJIT.h:
662         (JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer):
663         (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted.
664
665 2018-08-23  Simon Fraser  <simon.fraser@apple.com>
666
667         Add support for dumping GC heap snapshots, and a viewer
668         https://bugs.webkit.org/show_bug.cgi?id=186416
669
670         Reviewed by Joseph Pecoraro.
671
672         Make a way to dump information about the GC heap that is useful for looking for leaked
673         or abandoned objects. This dump is obtained (on Apple platforms) via:
674             notifyutil -p com.apple.WebKit.dumpGCHeap
675         which writes a JSON file to /tmp which can then be loaded into the viewer in Tools/GCHeapInspector.
676         
677         This leverages the heap snapshot used by Web Inspector, adding an alternate format for
678         the snapshot JSON that adds additional data about objects and why they are GC roots.
679
680         SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows
681         the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. For
682         objects visited via opaque roots, we record the reason why via a new out param to
683         isReachableFromOpaqueRoots().
684
685         HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains
686         additional information including the address of the JSCell* and the wrapped object (for
687         JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can
688         be the document URL.
689
690         GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around).
691
692         * API/JSAPIWrapperObject.mm:
693         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
694         * API/JSManagedValue.mm:
695         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
696         * API/glib/JSAPIWrapperObjectGLib.cpp:
697         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
698         * CMakeLists.txt:
699         * heap/ConservativeRoots.h:
700         (JSC::ConservativeRoots::size const):
701         (JSC::ConservativeRoots::size): Deleted.
702         * heap/Heap.cpp:
703         (JSC::Heap::addCoreConstraints):
704         * heap/HeapSnapshotBuilder.cpp:
705         (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
706         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
707         (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
708         (JSC::HeapSnapshotBuilder::buildSnapshot):
709         (JSC::HeapSnapshotBuilder::appendNode):
710         (JSC::HeapSnapshotBuilder::appendEdge):
711         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
712         (JSC::HeapSnapshotBuilder::setWrappedObjectForCell):
713         (JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell):
714         (JSC::snapshotTypeToString):
715         (JSC::rootTypeToString):
716         (JSC::HeapSnapshotBuilder::setLabelForCell):
717         (JSC::HeapSnapshotBuilder::descriptionForCell const):
718         (JSC::HeapSnapshotBuilder::json):
719         (JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted.
720         * heap/HeapSnapshotBuilder.h:
721         * heap/SlotVisitor.cpp:
722         (JSC::SlotVisitor::appendSlow):
723         * heap/SlotVisitor.h:
724         (JSC::SlotVisitor::heapSnapshotBuilder const):
725         (JSC::SlotVisitor::rootMarkReason const):
726         (JSC::SlotVisitor::setRootMarkReason):
727         (JSC::SetRootMarkReasonScope::SetRootMarkReasonScope):
728         (JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope):
729         * heap/WeakBlock.cpp:
730         (JSC::WeakBlock::specializedVisit):
731         * heap/WeakHandleOwner.cpp:
732         (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
733         * heap/WeakHandleOwner.h:
734         * runtime/SimpleTypedArrayController.cpp:
735         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
736         * runtime/SimpleTypedArrayController.h:
737         * tools/JSDollarVM.cpp:
738
739 2018-08-23  Saam barati  <sbarati@apple.com>
740
741         JSRunLoopTimer may run part of a member function after it's destroyed
742         https://bugs.webkit.org/show_bug.cgi?id=188426
743
744         Reviewed by Mark Lam.
745
746         When I was reading the JSRunLoopTimer code, I noticed that it is possible
747         to end up running timer code after the class had been destroyed.
748         
749         The issue I spotted was in this function:
750         ```
751         void JSRunLoopTimer::timerDidFire()
752         {
753             JSLock* apiLock = m_apiLock.get();
754             if (!apiLock) {
755                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
756                 return;
757             }
758             // HERE
759             std::lock_guard<JSLock> lock(*apiLock);
760             RefPtr<VM> vm = apiLock->vm();
761             if (!vm) {
762                 // The VM has been destroyed, so we should just give up.
763                 return;
764             }
765         
766             doWork();
767         }
768         ```
769         
770         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
771         switched before grabbing the API lock. Then, some other thread destroys the VM.
772         And let's say that the VM owns (perhaps transitively) this timer. Then, the
773         timer would run code and access member variables after it was destroyed.
774         
775         This patch fixes this issue by introducing a new timer manager class. 
776         This class manages timers on a per VM basis. When a timer is scheduled,
777         this class refs the timer. It also calls the timer callback while actively
778         maintaining a +1 ref to it. So, it's no longer possible to call the timer
779         callback after the timer has been destroyed. However, calling a timer callback
780         can still race with the VM being destroyed. We continue to detect this case and
781         bail out of the callback early.
782         
783         This patch also removes a lot of duplicate code between GCActivityCallback
784         and JSRunLoopTimer.
785
786         * heap/EdenGCActivityCallback.cpp:
787         (JSC::EdenGCActivityCallback::doCollection):
788         (JSC::EdenGCActivityCallback::lastGCLength):
789         (JSC::EdenGCActivityCallback::deathRate):
790         * heap/EdenGCActivityCallback.h:
791         * heap/FullGCActivityCallback.cpp:
792         (JSC::FullGCActivityCallback::doCollection):
793         (JSC::FullGCActivityCallback::lastGCLength):
794         (JSC::FullGCActivityCallback::deathRate):
795         * heap/FullGCActivityCallback.h:
796         * heap/GCActivityCallback.cpp:
797         (JSC::GCActivityCallback::doWork):
798         (JSC::GCActivityCallback::scheduleTimer):
799         (JSC::GCActivityCallback::didAllocate):
800         (JSC::GCActivityCallback::willCollect):
801         (JSC::GCActivityCallback::cancel):
802         (JSC::GCActivityCallback::cancelTimer): Deleted.
803         (JSC::GCActivityCallback::nextFireTime): Deleted.
804         * heap/GCActivityCallback.h:
805         * heap/Heap.cpp:
806         (JSC::Heap::reportAbandonedObjectGraph):
807         (JSC::Heap::notifyIncrementalSweeper):
808         (JSC::Heap::updateAllocationLimits):
809         (JSC::Heap::didAllocate):
810         * heap/IncrementalSweeper.cpp:
811         (JSC::IncrementalSweeper::scheduleTimer):
812         (JSC::IncrementalSweeper::doWork):
813         (JSC::IncrementalSweeper::doSweep):
814         (JSC::IncrementalSweeper::sweepNextBlock):
815         (JSC::IncrementalSweeper::startSweeping):
816         (JSC::IncrementalSweeper::stopSweeping):
817         * heap/IncrementalSweeper.h:
818         * heap/StopIfNecessaryTimer.cpp:
819         (JSC::StopIfNecessaryTimer::doWork):
820         (JSC::StopIfNecessaryTimer::scheduleSoon):
821         * heap/StopIfNecessaryTimer.h:
822         * runtime/JSRunLoopTimer.cpp:
823         (JSC::epochTime):
824         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
825         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
826         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
827         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
828         (JSC::JSRunLoopTimer::Manager::timerDidFire):
829         (JSC::JSRunLoopTimer::Manager::shared):
830         (JSC::JSRunLoopTimer::Manager::registerVM):
831         (JSC::JSRunLoopTimer::Manager::unregisterVM):
832         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
833         (JSC::JSRunLoopTimer::Manager::cancelTimer):
834         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
835         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
836         (JSC::JSRunLoopTimer::timerDidFire):
837         (JSC::JSRunLoopTimer::JSRunLoopTimer):
838         (JSC::JSRunLoopTimer::timeUntilFire):
839         (JSC::JSRunLoopTimer::setTimeUntilFire):
840         (JSC::JSRunLoopTimer::cancelTimer):
841         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
842         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
843         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
844         * runtime/JSRunLoopTimer.h:
845         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
846         * runtime/PromiseDeferredTimer.cpp:
847         (JSC::PromiseDeferredTimer::doWork):
848         (JSC::PromiseDeferredTimer::runRunLoop):
849         (JSC::PromiseDeferredTimer::addPendingPromise):
850         (JSC::PromiseDeferredTimer::hasPendingPromise):
851         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
852         (JSC::PromiseDeferredTimer::cancelPendingPromise):
853         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
854         * runtime/PromiseDeferredTimer.h:
855         * runtime/VM.cpp:
856         (JSC::VM::VM):
857         (JSC::VM::~VM):
858         (JSC::VM::setRunLoop):
859         (JSC::VM::registerRunLoopTimer): Deleted.
860         (JSC::VM::unregisterRunLoopTimer): Deleted.
861         * runtime/VM.h:
862         (JSC::VM::runLoop const):
863         * wasm/js/WebAssemblyPrototype.cpp:
864         (JSC::webAssemblyModuleValidateAsyncInternal):
865         (JSC::instantiate):
866         (JSC::compileAndInstantiate):
867         (JSC::webAssemblyModuleInstantinateAsyncInternal):
868         (JSC::webAssemblyCompileStreamingInternal):
869         (JSC::webAssemblyInstantiateStreamingInternal):
870
871 2018-08-23  Mark Lam  <mark.lam@apple.com>
872
873         Move vmEntryGlobalObject() to VM from CallFrame.
874         https://bugs.webkit.org/show_bug.cgi?id=188900
875         <rdar://problem/43655753>
876
877         Reviewed by Michael Saboff.
878
879         Also introduced CallFrame::isGlobalExec() which makes use of one property of
880         GlobalExecs to identify them i.e. GlobalExecs have null callerFrame and returnPCs.
881         CallFrame::initGlobalExec() ensures this.
882
883         In contrast, normal CallFrames always have a callerFrame (because they must at
884         least be preceded by a VM EntryFrame) and a returnPC (at least return to the
885         VM entry glue).
886
887         * API/APIUtils.h:
888         (handleExceptionIfNeeded):
889         (setException):
890         * API/JSBase.cpp:
891         (JSEvaluateScript):
892         (JSCheckScriptSyntax):
893         * API/JSContextRef.cpp:
894         (JSGlobalContextRetain):
895         (JSGlobalContextRelease):
896         (JSGlobalContextCopyName):
897         (JSGlobalContextSetName):
898         (JSGlobalContextGetRemoteInspectionEnabled):
899         (JSGlobalContextSetRemoteInspectionEnabled):
900         (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
901         (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
902         (JSGlobalContextGetDebuggerRunLoop):
903         (JSGlobalContextSetDebuggerRunLoop):
904         (JSGlobalContextGetAugmentableInspectorController):
905         * API/JSValue.mm:
906         (reportExceptionToInspector):
907         * API/glib/JSCClass.cpp:
908         (jscContextForObject):
909         * API/glib/JSCContext.cpp:
910         (jsc_context_evaluate_in_object):
911         * debugger/Debugger.cpp:
912         (JSC::Debugger::pauseIfNeeded):
913         * debugger/DebuggerCallFrame.cpp:
914         (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
915         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
916         * interpreter/CallFrame.cpp:
917         (JSC::CallFrame::vmEntryGlobalObject): Deleted.
918         * interpreter/CallFrame.h:
919         (JSC::ExecState::scope const):
920         (JSC::ExecState::noCaller):
921         (JSC::ExecState::isGlobalExec const):
922         * interpreter/Interpreter.cpp:
923         (JSC::notifyDebuggerOfUnwinding):
924         (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
925         (JSC::Interpreter::debug):
926         * runtime/CallData.cpp:
927         (JSC::profiledCall):
928         * runtime/Completion.cpp:
929         (JSC::evaluate):
930         (JSC::profiledEvaluate):
931         (JSC::evaluateWithScopeExtension):
932         (JSC::loadAndEvaluateModule):
933         (JSC::loadModule):
934         (JSC::linkAndEvaluateModule):
935         (JSC::importModule):
936         * runtime/ConstructData.cpp:
937         (JSC::profiledConstruct):
938         * runtime/Error.cpp:
939         (JSC::getStackTrace):
940         * runtime/VM.cpp:
941         (JSC::VM::throwException):
942         (JSC::VM::vmEntryGlobalObject const):
943         * runtime/VM.h:
944
945 2018-08-23  Andy Estes  <aestes@apple.com>
946
947         [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
948         https://bugs.webkit.org/show_bug.cgi?id=188829
949
950         Reviewed by Tim Horton.
951
952         * Configurations/FeatureDefines.xcconfig:
953
954 2018-08-23  Devin Rousso  <drousso@apple.com>
955
956         Web Inspector: support breakpoints for timers and animation-frame events
957         https://bugs.webkit.org/show_bug.cgi?id=188778
958
959         Reviewed by Brian Burg.
960
961         * inspector/protocol/Debugger.json:
962         Add `AnimationFrame` and `Timer` types to the list of pause reasons.
963
964         * inspector/protocol/DOMDebugger.json:
965         Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
966          - `setEventListenerBreakpoint`
967          - `removeEventListenerBreakpoint`
968          - `setInstrumentationBreakpoint`
969          - `removeInstrumentationBreakpoint`
970         Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
971
972         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
973         (CppProtocolTypesHeaderGenerator.generate_output):
974         (CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
975         (CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
976         (CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
977         Generate `DefaultHash` for all `enum class` used by inspector protocols.
978
979         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
980         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
981         * inspector/scripts/tests/generic/expected/enum-values.json-result:
982         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
983         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
984         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
985         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
986
987 2018-08-23  Michael Saboff  <msaboff@apple.com>
988
989         YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
990         https://bugs.webkit.org/show_bug.cgi?id=188895
991
992         Reviewed by Mark Lam.
993
994         Found while working on another change.  This will allow processing of nested
995         parenthesis that require saved ParenContext structures.
996
997         * yarr/YarrJIT.cpp:
998         (JSC::Yarr::YarrGenerator::compile):
999
1000 2018-08-22  Michael Saboff  <msaboff@apple.com>
1001
1002         https://bugs.webkit.org/show_bug.cgi?id=188859
1003         Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
1004
1005         Rubber-stamped by Saam Barati.
1006
1007         Deleted these two functions.
1008
1009         * jit/JITOperations.cpp:
1010         * jit/JITOperations.h:
1011
1012 2018-08-22  Mark Lam  <mark.lam@apple.com>
1013
1014         The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
1015         https://bugs.webkit.org/show_bug.cgi?id=188298
1016         <rdar://problem/42888427>
1017
1018         Reviewed by Saam Barati.
1019
1020         In the event that both targets of a Branch are the same block, then even if we'll
1021         always take one path of the branch, the other target is not unreachable because
1022         it is the same target as the one in the taken path.  Hence, it should not be
1023         jettisoned.
1024
1025         * JavaScriptCore.xcodeproj/project.pbxproj:
1026         - Added DFGCFG.h which is in use and should have been added to the project.
1027         * dfg/DFGCFGSimplificationPhase.cpp:
1028         (JSC::DFG::CFGSimplificationPhase::run):
1029
1030 2018-08-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1031
1032         [JSC] HeapUtil should care about pointer overflow
1033         https://bugs.webkit.org/show_bug.cgi?id=188740
1034
1035         Reviewed by Saam Barati.
1036
1037         `pointer - sizeof(IndexingHeader) - 1` causes undefined behavior if the pointer overflows.
1038         For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
1039         with a `char*` pointer, we cast it to `uintptr_t` temporarily. This issue was found by UBSan.
1040
1041         * heap/HeapUtil.h:
1042         (JSC::HeapUtil::findGCObjectPointersForMarking):
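
The arithmetic the entry above describes, as an added example that is not WebKit code: the offset below a conservatively scanned pointer is computed on a `uintptr_t` rather than on a `char*`, which turns the nullptr case from undefined behavior into a wrap-around that can be checked explicitly. The header size constant and the function names (candidateBelow, candidateInBlock) are hypothetical, not JSC's.

```cpp
// Added example (not WebKit code). Computing `pointer - headerSize - 1` on a char*
// is undefined when it wraps (e.g. for nullptr); on an unsigned integer it is
// modular arithmetic, so the wrap can be detected and rejected.
#include <cstddef>
#include <cstdint>

constexpr std::uintptr_t kIndexingHeaderSize = 8; // assumed stand-in for sizeof(IndexingHeader)

// Stores `pointer - kIndexingHeaderSize - 1` in `candidate` and returns true, or
// returns false when the subtraction would wrap below address zero.
bool candidateBelow(const void* pointer, std::uintptr_t& candidate) {
    const std::uintptr_t address = reinterpret_cast<std::uintptr_t>(pointer);
    const std::uintptr_t delta = kIndexingHeaderSize + 1;
    if (address < delta)
        return false; // would wrap: nothing below this address to inspect
    candidate = address - delta;
    return true;
}

// Whether the candidate derived from `pointer` lies inside [blockStart, blockEnd).
bool candidateInBlock(const void* pointer, std::uintptr_t blockStart, std::uintptr_t blockEnd) {
    std::uintptr_t candidate = 0;
    if (!candidateBelow(pointer, candidate))
        return false;
    return candidate >= blockStart && candidate < blockEnd;
}

// Helpers so the behaviour can be checked without pointer locals.
bool nullptrHasNoCandidate() {
    std::uintptr_t unused = 0;
    return !candidateBelow(nullptr, unused);
}

std::uintptr_t candidateOrZero(std::uintptr_t rawAddress) {
    std::uintptr_t candidate = 0;
    if (!candidateBelow(reinterpret_cast<const void*>(rawAddress), candidate))
        return 0;
    return candidate;
}
```

Sanitizers such as UBSan flag the `char*` form at runtime only when a wrapping input actually occurs; the integer form makes the boundary condition an ordinary branch that can be unit-tested with small constructed addresses.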
1043
1044 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1045
1046         [JSC] Should not rotate constant with 64
1047         https://bugs.webkit.org/show_bug.cgi?id=188556
1048
1049         Reviewed by Saam Barati.
1050
1051         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
1052         But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
1053         where value's type is uint64_t, which is undefined behavior (UB). This patch limits
1054         the seed to the range [1, 63] so that no UB-causing code is generated. This was found by UBSan.
1055
1056         * assembler/MacroAssembler.h:
1057         (JSC::MacroAssembler::generateRotationSeed):
1058         (JSC::MacroAssembler::rotationBlindConstant):
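
The constant-blinding scheme the entry above describes, as an added example that is not WebKit code: a 64-bit constant is stored rotated by a seed and un-rotated by the code that uses it, and the seed generator only ever produces values in [1, 63] so that neither shift count in the rotate reaches 64. The names generateRotationSeed, RotatedImm, blindConstant and unblindConstant are hypothetical stand-ins, and a seeded std::mt19937_64 replaces JSC's own random source so the sample is deterministic; a real blinding implementation must draw its seed from an unpredictable generator.

```cpp
// Added example (not WebKit code): rotation-based constant blinding with the
// seed clamped to [1, 63]. With plain shifts, rotation 0 or 64 would evaluate
// `value << 64` / `value >> 64`, which is undefined behavior.
#include <cassert>
#include <cstdint>
#include <random>

constexpr unsigned kWordBits = 64;

// Uniform in [1, 63]: never 0, never 64. (std::mt19937_64 is a stand-in for a
// proper random source; constant blinding needs an unpredictable seed.)
unsigned generateRotationSeed(std::mt19937_64& rng) {
    return 1 + static_cast<unsigned>(rng() % (kWordBits - 1));
}

// Valid only for 1 <= rotation <= 63: then both shift counts lie in [1, 63].
uint64_t rotateLeft(uint64_t value, unsigned rotation) {
    assert(rotation >= 1 && rotation < kWordBits);
    return (value << rotation) | (value >> (kWordBits - rotation));
}

uint64_t rotateRight(uint64_t value, unsigned rotation) {
    assert(rotation >= 1 && rotation < kWordBits);
    return (value >> rotation) | (value << (kWordBits - rotation));
}

// The blinded form that would be embedded in generated code: the rotated value
// plus the rotation needed to recover it.
struct RotatedImm {
    uint64_t blinded;
    unsigned rotation;
};

RotatedImm blindConstant(uint64_t value, unsigned rotation) {
    return { rotateLeft(value, rotation), rotation };
}

uint64_t unblindConstant(const RotatedImm& imm) {
    return rotateRight(imm.blinded, imm.rotation);
}

// Round-trips `value` through every legal seed.
bool blindingRoundTripsForAllSeeds(uint64_t value) {
    for (unsigned seed = 1; seed < kWordBits; ++seed) {
        if (unblindConstant(blindConstant(value, seed)) != value)
            return false;
    }
    return true;
}

// Samples the generator and checks every seed stays inside [1, 63].
bool seedsStayInRange(unsigned samples) {
    std::mt19937_64 rng(12345); // constructed fixed seed for a deterministic sample
    for (unsigned i = 0; i < samples; ++i) {
        unsigned seed = generateRotationSeed(rng);
        if (seed < 1 || seed > kWordBits - 1)
            return false;
    }
    return true;
}
```

Keeping the range check in the generator rather than in the rotate helpers matters for the same reason the entry gives: the rotate is emitted as machine code, where an out-of-range count is not an assertion failure but silently wrong (or undefined) output.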
1059
1060 2018-08-21  Commit Queue  <commit-queue@webkit.org>
1061
1062         Unreviewed, rolling out r235107.
1063         https://bugs.webkit.org/show_bug.cgi?id=188832
1064
1065         "It revealed bugs in Blob code as well as regressed JS
1066         performance tests" (Requested by saamyjoon on #webkit).
1067
1068         Reverted changeset:
1069
1070         "JSRunLoopTimer may run part of a member function after it's
1071         destroyed"
1072         https://bugs.webkit.org/show_bug.cgi?id=188426
1073         https://trac.webkit.org/changeset/235107
1074
1075 2018-08-21  Saam barati  <sbarati@apple.com>
1076
1077         JSRunLoopTimer may run part of a member function after it's destroyed
1078         https://bugs.webkit.org/show_bug.cgi?id=188426
1079
1080         Reviewed by Mark Lam.
1081
1082         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1083         to end up running timer code after the class had been destroyed.
1084         
1085         The issue I spotted was in this function:
1086         ```
1087         void JSRunLoopTimer::timerDidFire()
1088         {
1089             JSLock* apiLock = m_apiLock.get();
1090             if (!apiLock) {
1091                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1092                 return;
1093             }
1094             // HERE
1095             std::lock_guard<JSLock> lock(*apiLock);
1096             RefPtr<VM> vm = apiLock->vm();
1097             if (!vm) {
1098                 // The VM has been destroyed, so we should just give up.
1099                 return;
1100             }
1101         
1102             doWork();
1103         }
1104         ```
1105         
1106         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1107         switched before grabbing the API lock. Then, some other thread destroys the VM.
1108         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1109         timer would run code and access member variables after it was destroyed.
1110         
1111         This patch fixes this issue by introducing a new timer manager class. 
1112         This class manages timers on a per VM basis. When a timer is scheduled,
1113         this class refs the timer. It also calls the timer callback while actively
1114         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1115         callback after the timer has been destroyed. However, calling a timer callback
1116         can still race with the VM being destroyed. We continue to detect this case and
1117         bail out of the callback early.
1118         
1119         This patch also removes a lot of duplicate code between GCActivityCallback
1120         and JSRunLoopTimer.
1121
1122         * heap/EdenGCActivityCallback.cpp:
1123         (JSC::EdenGCActivityCallback::doCollection):
1124         (JSC::EdenGCActivityCallback::lastGCLength):
1125         (JSC::EdenGCActivityCallback::deathRate):
1126         * heap/EdenGCActivityCallback.h:
1127         * heap/FullGCActivityCallback.cpp:
1128         (JSC::FullGCActivityCallback::doCollection):
1129         (JSC::FullGCActivityCallback::lastGCLength):
1130         (JSC::FullGCActivityCallback::deathRate):
1131         * heap/FullGCActivityCallback.h:
1132         * heap/GCActivityCallback.cpp:
1133         (JSC::GCActivityCallback::doWork):
1134         (JSC::GCActivityCallback::scheduleTimer):
1135         (JSC::GCActivityCallback::didAllocate):
1136         (JSC::GCActivityCallback::willCollect):
1137         (JSC::GCActivityCallback::cancel):
1138         (JSC::GCActivityCallback::cancelTimer): Deleted.
1139         (JSC::GCActivityCallback::nextFireTime): Deleted.
1140         * heap/GCActivityCallback.h:
1141         * heap/Heap.cpp:
1142         (JSC::Heap::reportAbandonedObjectGraph):
1143         (JSC::Heap::notifyIncrementalSweeper):
1144         (JSC::Heap::updateAllocationLimits):
1145         (JSC::Heap::didAllocate):
1146         * heap/IncrementalSweeper.cpp:
1147         (JSC::IncrementalSweeper::scheduleTimer):
1148         (JSC::IncrementalSweeper::doWork):
1149         (JSC::IncrementalSweeper::doSweep):
1150         (JSC::IncrementalSweeper::sweepNextBlock):
1151         (JSC::IncrementalSweeper::startSweeping):
1152         (JSC::IncrementalSweeper::stopSweeping):
1153         * heap/IncrementalSweeper.h:
1154         * heap/StopIfNecessaryTimer.cpp:
1155         (JSC::StopIfNecessaryTimer::doWork):
1156         (JSC::StopIfNecessaryTimer::scheduleSoon):
1157         * heap/StopIfNecessaryTimer.h:
1158         * runtime/JSRunLoopTimer.cpp:
1159         (JSC::epochTime):
1160         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1161         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1162         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1163         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1164         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1165         (JSC::JSRunLoopTimer::Manager::shared):
1166         (JSC::JSRunLoopTimer::Manager::registerVM):
1167         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1168         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1169         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1170         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1171         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1172         (JSC::JSRunLoopTimer::timerDidFire):
1173         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1174         (JSC::JSRunLoopTimer::timeUntilFire):
1175         (JSC::JSRunLoopTimer::setTimeUntilFire):
1176         (JSC::JSRunLoopTimer::cancelTimer):
1177         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1178         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1179         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1180         * runtime/JSRunLoopTimer.h:
1181         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1182         * runtime/PromiseDeferredTimer.cpp:
1183         (JSC::PromiseDeferredTimer::doWork):
1184         (JSC::PromiseDeferredTimer::runRunLoop):
1185         (JSC::PromiseDeferredTimer::addPendingPromise):
1186         (JSC::PromiseDeferredTimer::hasPendingPromise):
1187         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1188         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1189         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1190         * runtime/PromiseDeferredTimer.h:
1191         * runtime/VM.cpp:
1192         (JSC::VM::VM):
1193         (JSC::VM::~VM):
1194         (JSC::VM::setRunLoop):
1195         (JSC::VM::registerRunLoopTimer): Deleted.
1196         (JSC::VM::unregisterRunLoopTimer): Deleted.
1197         * runtime/VM.h:
1198         (JSC::VM::runLoop const):
1199         * wasm/js/WebAssemblyPrototype.cpp:
1200         (JSC::webAssemblyModuleValidateAsyncInternal):
1201         (JSC::instantiate):
1202         (JSC::compileAndInstantiate):
1203         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1204         (JSC::webAssemblyCompileStreamingInternal):
1205         (JSC::webAssemblyInstantiateStreamingInternal):
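
The lifetime fix described in this entry and in its identical re-landing dated 2018-08-23 above, as an added example that is not WebKit code: a per-VM manager holds a strong reference to each scheduled timer and keeps a +1 reference for the whole callback, so the callback can never execute on a destroyed timer, while the "VM has been destroyed, give up" check is kept for the race that remains. The names Timer, TimerManager, Vm and Log are hypothetical; the interleaving is scripted in a single thread (the owner releases its reference from inside the callback) rather than reproduced with real threads.

```cpp
// Added example (not WebKit code) of the JSRunLoopTimer fix: the manager refs a
// timer for the duration of its callback, so releasing every other owner during
// the callback cannot destroy the object underneath the running code.
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct Log {
    int workDone = 0;
    int bailedOut = 0;
    int timersDestroyed = 0;
    int workDoneAtDestruction = -1; // value of workDone observed in ~Timer
};

struct Vm { int id; };

class Timer {
public:
    Timer(Log& log, std::weak_ptr<Vm> vm, std::function<void()> work)
        : m_log(log), m_vm(std::move(vm)), m_work(std::move(work)) {}
    ~Timer() { ++m_log.timersDestroyed; m_log.workDoneAtDestruction = m_log.workDone; }

    void timerDidFire() {
        std::shared_ptr<Vm> vm = m_vm.lock();
        if (!vm) {
            ++m_log.bailedOut; // the VM is already gone: give up, as the fixed code still does
            return;
        }
        ++m_log.workDone;
        if (m_work)
            m_work(); // may release every other reference to this timer
    }

private:
    Log& m_log;
    std::weak_ptr<Vm> m_vm;
    std::function<void()> m_work;
};

class TimerManager {
public:
    // Scheduling takes a strong reference, as the per-VM manager does after the fix.
    void scheduleTimer(std::shared_ptr<Timer> timer) { m_pending.push_back(std::move(timer)); }

    void fireAll() {
        while (!m_pending.empty()) {
            // +1 ref held for the whole callback: the timer outlives timerDidFire().
            std::shared_ptr<Timer> running = std::move(m_pending.back());
            m_pending.pop_back();
            running->timerDidFire();
        }
    }

private:
    std::vector<std::shared_ptr<Timer>> m_pending;
};

// Scenario 1 (constructed): the VM, the timer's only other owner, is torn down from
// inside the callback. The callback completes on a live object and the timer is
// destroyed only afterwards, so workDoneAtDestruction sees the finished work.
Log ownerDestroyedDuringCallback() {
    Log log;
    TimerManager manager;
    auto vm = std::make_shared<Vm>(Vm{1});
    std::shared_ptr<Timer> ownedByVm;
    ownedByVm = std::make_shared<Timer>(log, vm, [&]() { ownedByVm.reset(); vm.reset(); });
    manager.scheduleTimer(ownedByVm);
    manager.fireAll();
    return log;
}

// Scenario 2 (constructed): the VM and its reference to the timer die before the timer
// fires. The manager's reference keeps the timer alive, the callback bails out early.
Log vmDestroyedBeforeFiring() {
    Log log;
    TimerManager manager;
    auto vm = std::make_shared<Vm>(Vm{2});
    auto timer = std::make_shared<Timer>(log, vm, nullptr);
    manager.scheduleTimer(timer);
    vm.reset();
    timer.reset();
    manager.fireAll();
    return log;
}
```

The detail worth checking in any timer or callback registry is the one the entry's 'HERE' comment marks: between the decision to run a callback and the callback's first access to its object there must be no window in which another owner can free that object, which is exactly what holding the reference across the call guarantees.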
1206
1207 2018-08-20  Saam barati  <sbarati@apple.com>
1208
1209         Inline DataView accesses into DFG/FTL
1210         https://bugs.webkit.org/show_bug.cgi?id=188573
1211         <rdar://problem/43286746>
1212
1213         Reviewed by Michael Saboff.
1214
1215         This patch teaches the DFG/FTL to inline DataView accesses. The approach is
1216         straightforward. We inline the various get*/set* operations as intrinsics.
1217         
1218         This patch takes the most obvious approach for now. We OSR exit when:
1219         - An isLittleEndian argument is provided, and is not a boolean.
1220         - The index isn't an integer.
1221         - The |this| isn't a DataView.
1222         - We do an OOB access (or see a neutered array)
1223         
1224         To implement this change in a performant way, this patch teaches the macro
1225         assembler how to emit byte swap operations. The semantics of the added functions
1226         are byteSwap + zero extend. This means for the 16bit byte swaps, we need
1227         to actually emit zero extend instructions. For the 32/64bit byte swaps,
1228         the instructions already have these semantics.
1229         
1230         This patch is just a lightweight initial implementation. There are some easy
1231         extensions we can do in future changes:
1232         - Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
1233         - CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
1234
1235         * assembler/MacroAssemblerARM64.h:
1236         (JSC::MacroAssemblerARM64::byteSwap16):
1237         (JSC::MacroAssemblerARM64::byteSwap32):
1238         (JSC::MacroAssemblerARM64::byteSwap64):
1239         * assembler/MacroAssemblerX86Common.h:
1240         (JSC::MacroAssemblerX86Common::byteSwap32):
1241         (JSC::MacroAssemblerX86Common::byteSwap16):
1242         (JSC::MacroAssemblerX86Common::byteSwap64):
1243         * assembler/X86Assembler.h:
1244         (JSC::X86Assembler::bswapl_r):
1245         (JSC::X86Assembler::bswapq_r):
1246         (JSC::X86Assembler::shiftInstruction16):
1247         (JSC::X86Assembler::rolw_i8r):
1248         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1249         * assembler/testmasm.cpp:
1250         (JSC::testByteSwap):
1251         (JSC::run):
1252         * bytecode/DataFormat.h:
1253         * bytecode/SpeculatedType.cpp:
1254         (JSC::dumpSpeculation):
1255         (JSC::speculationFromClassInfo):
1256         (JSC::speculationFromJSType):
1257         (JSC::speculationFromString):
1258         * bytecode/SpeculatedType.h:
1259         * dfg/DFGAbstractInterpreterInlines.h:
1260         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1261         * dfg/DFGByteCodeParser.cpp:
1262         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1263         * dfg/DFGClobberize.h:
1264         (JSC::DFG::clobberize):
1265         * dfg/DFGDoesGC.cpp:
1266         (JSC::DFG::doesGC):
1267         * dfg/DFGFixupPhase.cpp:
1268         (JSC::DFG::FixupPhase::fixupNode):
1269         * dfg/DFGNode.h:
1270         (JSC::DFG::Node::hasHeapPrediction):
1271         (JSC::DFG::Node::dataViewData):
1272         * dfg/DFGNodeType.h:
1273         * dfg/DFGPredictionPropagationPhase.cpp:
1274         * dfg/DFGSafeToExecute.h:
1275         (JSC::DFG::SafeToExecuteEdge::operator()):
1276         (JSC::DFG::safeToExecute):
1277         * dfg/DFGSpeculativeJIT.cpp:
1278         (JSC::DFG::SpeculativeJIT::speculateDataViewObject):
1279         (JSC::DFG::SpeculativeJIT::speculate):
1280         * dfg/DFGSpeculativeJIT.h:
1281         * dfg/DFGSpeculativeJIT32_64.cpp:
1282         (JSC::DFG::SpeculativeJIT::compile):
1283         * dfg/DFGSpeculativeJIT64.cpp:
1284         (JSC::DFG::SpeculativeJIT::compile):
1285         * dfg/DFGUseKind.cpp:
1286         (WTF::printInternal):
1287         * dfg/DFGUseKind.h:
1288         (JSC::DFG::typeFilterFor):
1289         (JSC::DFG::isCell):
1290         * ftl/FTLCapabilities.cpp:
1291         (JSC::FTL::canCompile):
1292         * ftl/FTLLowerDFGToB3.cpp:
1293         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1294         (JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
1295         (JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
1296         (JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
1297         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
1298         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
1299         (JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
1300         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1301         (JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
1302         * runtime/Intrinsic.cpp:
1303         (JSC::intrinsicName):
1304         * runtime/Intrinsic.h:
1305         * runtime/JSDataViewPrototype.cpp:
1306
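        As an added illustration of the guards and byte-swap semantics this entry lists (example code, not the WebKit patch itself), the following C++ sketch implements a DataView-style get/set over a plain byte buffer: it refuses non-integer or out-of-bounds indices and detached ("neutered") buffers, loads and stores through memcpy so the access is alignment-safe, and byte-swaps only when the requested endianness differs from the host's. The 16-bit swap is written as swap-plus-zero-extend on a 32-bit value, matching the semantics the entry describes for the assembler helpers. The names `ByteBuffer`, `dataViewGet`, `dataViewSet`, `accessIsValid` and `sampleBuffer`, and the sample bytes, are this example's own assumptions.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Example code, not JavaScriptCore's: a DataView-style accessor over a byte buffer.
struct ByteBuffer {
    std::vector<uint8_t> bytes;
    bool detached = false; // a "neutered" buffer, in the entry's words
};

// Byte swaps with the semantics the entry describes: swap + zero-extend.
// For 16-bit values the high half of the 32-bit result must be explicitly zero.
static inline uint32_t byteSwap16(uint32_t v) { return ((v & 0xffu) << 8) | ((v >> 8) & 0xffu); }
static inline uint32_t byteSwap32(uint32_t v) {
    return (v << 24) | ((v & 0xff00u) << 8) | ((v >> 8) & 0xff00u) | (v >> 24);
}
static inline uint64_t byteSwap64(uint64_t v) {
    return (static_cast<uint64_t>(byteSwap32(static_cast<uint32_t>(v))) << 32)
         | byteSwap32(static_cast<uint32_t>(v >> 32));
}

// Unsigned raw type with the same size as T, used for swapping.
template <size_t N> struct RawOf;
template <> struct RawOf<1> { using type = uint8_t; };
template <> struct RawOf<2> { using type = uint16_t; };
template <> struct RawOf<4> { using type = uint32_t; };
template <> struct RawOf<8> { using type = uint64_t; };

static inline uint8_t swapBytes(uint8_t v) { return v; }
static inline uint16_t swapBytes(uint16_t v) { return static_cast<uint16_t>(byteSwap16(v)); }
static inline uint32_t swapBytes(uint32_t v) { return byteSwap32(v); }
static inline uint64_t swapBytes(uint64_t v) { return byteSwap64(v); }

static bool hostIsLittleEndian() {
    const uint16_t probe = 1;
    uint8_t firstByte;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 1;
}

// The conditions the JIT guards with OSR exits: integral index, attached buffer, in-bounds access.
static bool accessIsValid(const ByteBuffer& buf, double index, size_t width) {
    if (buf.detached) return false;
    if (!(index >= 0) || index != std::floor(index) || index > 4294967295.0) return false; // also rejects NaN
    size_t idx = static_cast<size_t>(index);
    return idx <= buf.bytes.size() && buf.bytes.size() - idx >= width;
}

// Returns nullopt where the JIT would OSR exit (and the runtime would throw).
template <typename T>
std::optional<T> dataViewGet(const ByteBuffer& buf, double index, bool littleEndian) {
    using Raw = typename RawOf<sizeof(T)>::type;
    if (!accessIsValid(buf, index, sizeof(T))) return std::nullopt;
    Raw raw;
    std::memcpy(&raw, buf.bytes.data() + static_cast<size_t>(index), sizeof(Raw)); // alignment-safe load
    if (littleEndian != hostIsLittleEndian()) raw = swapBytes(raw);
    T value;
    std::memcpy(&value, &raw, sizeof(T));
    return value;
}

template <typename T>
bool dataViewSet(ByteBuffer& buf, double index, T value, bool littleEndian) {
    using Raw = typename RawOf<sizeof(T)>::type;
    if (!accessIsValid(buf, index, sizeof(T))) return false;
    Raw raw;
    std::memcpy(&raw, &value, sizeof(T));
    if (littleEndian != hostIsLittleEndian()) raw = swapBytes(raw);
    std::memcpy(buf.bytes.data() + static_cast<size_t>(index), &raw, sizeof(Raw)); // alignment-safe store
    return true;
}

// Constructed sample: 8 bytes, 0x12 0x34 0x56 0x78 0xff 0xfe 0x00 0x01.
static ByteBuffer sampleBuffer() {
    ByteBuffer b;
    b.bytes = {0x12, 0x34, 0x56, 0x78, 0xff, 0xfe, 0x00, 0x01};
    return b;
}

// Writes a value with one endianness and reads it back the same way.
static bool roundTripsInt32(int32_t value, bool littleEndian) {
    ByteBuffer b = sampleBuffer();
    if (!dataViewSet<int32_t>(b, 2, value, littleEndian)) return false;
    std::optional<int32_t> back = dataViewGet<int32_t>(b, 2, littleEndian);
    return back && *back == value;
}
```

        Reading `getUint16(0, false)` from the sample buffer yields 0x1234 and `getUint16(0, true)` yields 0x3412 regardless of the host's byte order, because the swap is applied only on a mismatch; every rejected access comes back as an empty optional rather than an out-of-range read.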
1307 2018-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1308
1309         [YARR] Extend size of fixed characters bulk matching in 64bit platform
1310         https://bugs.webkit.org/show_bug.cgi?id=181989
1311
1312         Reviewed by Michael Saboff.
1313
1314         This patch extends bulk matching style for fixed-sized characters.
1315         In 64bit environment, the GPR can hold up to 8 characters. This change
1316         reduces the code size since we can fuse multiple `mov` operations into one.
1317
1318         * assembler/LinkBuffer.h:
1319         * runtime/Options.h:
1320         * yarr/YarrJIT.cpp:
1321         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1322         (JSC::Yarr::YarrGenerator::compile):
1323
1324 2018-08-20  Devin Rousso  <drousso@apple.com>
1325
1326         Web Inspector: allow breakpoints to be set for specific event listeners
1327         https://bugs.webkit.org/show_bug.cgi?id=183138
1328
1329         Reviewed by Joseph Pecoraro.
1330
1331         * inspector/protocol/DOM.json:
1332         Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
1333         takes an `eventListenerId` and toggles whether that specific usage of that event listener
1334         should have a breakpoint and pause before running.
1335
1336 2018-08-20  Mark Lam  <mark.lam@apple.com>
1337
1338         Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
1339         https://bugs.webkit.org/show_bug.cgi?id=188769
1340
1341         Reviewed by Michael Saboff.
1342
1343         * llint/LowLevelInterpreter.asm:
1344         - Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
1345           so that libunwind doesn't get confused by the 2 labels pointing to the same
1346           code address.
1347
1348 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1349
1350         [GLIB] Add API to throw exceptions using printf formatted strings
1351         https://bugs.webkit.org/show_bug.cgi?id=188698
1352
1353         Reviewed by Michael Catanzaro.
1354
1355         Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
1356         JSCException using printf formatted string.
1357
1358         * API/glib/JSCContext.cpp:
1359         (jsc_context_throw_printf):
1360         (jsc_context_throw_with_name_printf):
1361         * API/glib/JSCContext.h:
1362         * API/glib/JSCException.cpp:
1363         (jsc_exception_new_printf):
1364         (jsc_exception_new_vprintf):
1365         (jsc_exception_new_with_name_printf):
1366         (jsc_exception_new_with_name_vprintf):
1367         * API/glib/JSCException.h:
1368         * API/glib/docs/jsc-glib-4.0-sections.txt:
1369
1370 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1371
1372         [GLIB] Complete the JSCException API
1373         https://bugs.webkit.org/show_bug.cgi?id=188695
1374
1375         Reviewed by Michael Catanzaro.
1376
1377         Add more API to JSCException:
1378          - New function to get the column number
1379          - New function to get the exception as a string (toString())
1380          - Add the possibility to create exceptions with a custom error name.
1381          - New function to get the exception error name
1382          - New function to get the exception backtrace.
1383          - New convenience function to report an exception by returning a formatted string with all the exception
1384            details, to be shown as a user error message.
1385
1386         * API/glib/JSCContext.cpp:
1387         (jsc_context_throw_with_name):
1388         * API/glib/JSCContext.h:
1389         * API/glib/JSCException.cpp:
1390         (jscExceptionEnsureProperties):
1391         (jsc_exception_new):
1392         (jsc_exception_new_with_name):
1393         (jsc_exception_get_name):
1394         (jsc_exception_get_column_number):
1395         (jsc_exception_get_back_trace_string):
1396         (jsc_exception_to_string):
1397         (jsc_exception_report):
1398         * API/glib/JSCException.h:
1399         * API/glib/docs/jsc-glib-4.0-sections.txt:
1400
1401 2018-08-19  Commit Queue  <commit-queue@webkit.org>
1402
1403         Unreviewed, rolling out r234852.
1404         https://bugs.webkit.org/show_bug.cgi?id=188736
1405
1406         Workaround is not correct (Requested by yusukesuzuki on
1407         #webkit).
1408
1409         Reverted changeset:
1410
1411         "[JSC] Should not rotate constant with 64"
1412         https://bugs.webkit.org/show_bug.cgi?id=188556
1413         https://trac.webkit.org/changeset/234852
1414
1415 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1416
1417         [WTF] Add WTF::unalignedLoad and WTF::unalignedStore
1418         https://bugs.webkit.org/show_bug.cgi?id=188716
1419
1420         Reviewed by Darin Adler.
1421
1422         Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
1423         The compiler can emit appropriate mov operations in x86 even if we use these
1424         helper functions.
1425
1426         * assembler/AssemblerBuffer.h:
1427         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
1428         (JSC::AssemblerBuffer::putIntegral):
1429         (JSC::AssemblerBuffer::putIntegralUnchecked):
1430         * assembler/MacroAssemblerX86.h:
1431         (JSC::MacroAssemblerX86::readCallTarget):
1432         * assembler/X86Assembler.h:
1433         (JSC::X86Assembler::linkJump):
1434         (JSC::X86Assembler::readPointer):
1435         (JSC::X86Assembler::replaceWithHlt):
1436         (JSC::X86Assembler::replaceWithJump):
1437         (JSC::X86Assembler::setPointer):
1438         (JSC::X86Assembler::setInt32):
1439         (JSC::X86Assembler::setInt8):
1440         * interpreter/InterpreterInlines.h:
1441         (JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
1442
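        An added example (not WTF's implementation) of the memcpy-based helpers this entry describes, applied to the kind of access the listed assembler methods perform: an x86-style instruction stream in which a 32-bit immediate sits one byte after the opcode and is therefore never 4-byte aligned. Forming a `uint32_t*` at that address and dereferencing it is undefined behaviour in C++ even on x86, which is what UBSan reports; copying through `memcpy` is well defined, and the entry notes the compiler still emits plain mov instructions for it. The `CodeBufferLike` class, the 5-byte `mov eax, imm32` encoding used as sample data, and the helper names are this example's own assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <type_traits>
#include <vector>

// Example code, not WTF's: alignment-agnostic load/store through memcpy.
// The source never forms a misaligned T*, so there is no undefined behaviour
// for UBSan to flag; on x86 an optimizing compiler lowers these to a single mov.
template <typename T>
static inline T unalignedLoad(const void* pointer) {
    static_assert(std::is_trivially_copyable<T>::value, "unalignedLoad needs a trivially copyable T");
    T result;
    std::memcpy(&result, pointer, sizeof(T));
    return result;
}

template <typename T>
static inline void unalignedStore(void* pointer, T value) {
    static_assert(std::is_trivially_copyable<T>::value, "unalignedStore needs a trivially copyable T");
    std::memcpy(pointer, &value, sizeof(T));
}

// A toy code buffer holding x86-style "mov eax, imm32" instructions: opcode 0xB8
// followed by a 32-bit immediate in host byte order. Each instruction is 5 bytes,
// so the immediates start at offsets 1, 6, 11, ... and are never 4-byte aligned.
class CodeBufferLike {
public:
    // Appends the instruction and returns the byte offset of its immediate.
    size_t emitMovEaxImm32(uint32_t immediate) {
        m_bytes.push_back(0xB8);
        size_t immediateOffset = m_bytes.size();
        m_bytes.resize(m_bytes.size() + sizeof(uint32_t));
        unalignedStore<uint32_t>(m_bytes.data() + immediateOffset, immediate);
        return immediateOffset;
    }
    // Reads an immediate back, as readPointer()-style code inspects emitted bytes.
    uint32_t readImm32(size_t offset) const { return unalignedLoad<uint32_t>(m_bytes.data() + offset); }
    // Patches an immediate in place, as setInt32()-style code repairs a link target.
    void setImm32(size_t offset, uint32_t value) { unalignedStore<uint32_t>(m_bytes.data() + offset, value); }
    size_t size() const { return m_bytes.size(); }
    uint8_t byteAt(size_t i) const { return m_bytes[i]; }
private:
    std::vector<uint8_t> m_bytes;
};

struct Immediates {
    uint32_t first;
    uint32_t second;
};

// Emits two instructions, patches the second, and returns both immediates.
static Immediates patchSecondImmediate() {
    CodeBufferLike code;
    size_t first = code.emitMovEaxImm32(0x11111111u);  // immediate at offset 1
    size_t second = code.emitMovEaxImm32(0x22222222u); // immediate at offset 6
    code.setImm32(second, 0xDEADBEEFu);
    return { code.readImm32(first), code.readImm32(second) };
}

// Emits n + 1 instructions and returns the offset of the last immediate (1 + 5 * n).
static size_t offsetOfNthImmediate(size_t n) {
    CodeBufferLike code;
    size_t offset = 0;
    for (size_t i = 0; i <= n; ++i) offset = code.emitMovEaxImm32(static_cast<uint32_t>(i));
    return offset;
}
```

        The point of the helpers is that correctness does not depend on where the bytes land: the same code is valid whether the immediate happens to be aligned or not, and UBSan stays quiet because no misaligned pointer type is ever created.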
1443 2018-08-17  Saam barati  <sbarati@apple.com>
1444
1445         intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
1446         https://bugs.webkit.org/show_bug.cgi?id=188707
1447         <rdar://problem/43015442>
1448
1449         Reviewed by Mark Lam.
1450
1451         We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
1452         OSR enter at the head of a block. We verify it's safe to OSR enter by checking
1453         that each incoming value is compatible with its corresponding AbstractValue.
1454         
1455         The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
1456         with abstract values that were clobbered. This meant that the value we're
1457         verifying with at OSR entry effectively has an infinite structure set because
1458         it's clobbered. So, imagine we have code like this:
1459         ```
1460         ---> We OSR enter here, and we're clobbered here
1461         InvalidationPoint
1462         GetByOffset(@base)
1463         ```
1464         
1465         The abstract value for @base inside intersectionOfPastValuesAtHead has a
1466         clobbered structure set, so we'd allow an incoming object with any
1467         structure. However, this is wrong because the invalidation point is no
1468         longer fulfilling its promise that it filters the structure that @base has.
1469         
1470         We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
1471         as if the incoming value may be live past an InvalidationPoint.
1472         This places a stricter requirement that to safely OSR enter at any basic
1473         block, all incoming values must be compatible as if they lived past
1474         the execution of an invalidation point.
1475
1476         * dfg/DFGCFAPhase.cpp:
1477         (JSC::DFG::CFAPhase::run):
1478
1479 2018-08-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org> and Fujii Hironori  <Hironori.Fujii@sony.com>
1480
1481         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1482         https://bugs.webkit.org/show_bug.cgi?id=188589
1483
1484         Reviewed by Mark Lam.
1485         And reviewed by Yusuke Suzuki for Hironori's change.
1486
1487         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1488         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1489
1490         - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1491         - We make GPRReg and FPRReg int8_t enums.
1492         - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1493         - We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
1494           if `enum : int8_t` is used instead of `enum`.
1495
1496         * assembler/ARM64Assembler.h:
1497         * assembler/ARMAssembler.h:
1498         * assembler/ARMv7Assembler.h:
1499         * assembler/MIPSAssembler.h:
1500         * assembler/MacroAssembler.h:
1501         * assembler/X86Assembler.h:
1502         * jit/CCallHelpers.h:
1503         (JSC::CCallHelpers::clampArrayToSize):
1504         * jit/FPRInfo.h:
1505         * jit/GPRInfo.h:
1506         (JSC::JSValueRegs::JSValueRegs):
1507         (JSC::JSValueRegs::tagGPR const):
1508         (JSC::JSValueRegs::payloadGPR const):
1509         (JSC::JSValueSource::JSValueSource):
1510         (JSC::JSValueSource::unboxedCell):
1511         (JSC::JSValueSource::operator bool const):
1512         (JSC::JSValueSource::base const):
1513         (JSC::JSValueSource::tagGPR const):
1514         (JSC::JSValueSource::payloadGPR const):
1515         (JSC::JSValueSource::hasKnownTag const):
1516
1517 2018-08-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1518
1519         [JSC] alignas for RegisterState should respect alignof(RegisterState) too
1520         https://bugs.webkit.org/show_bug.cgi?id=188686
1521
1522         Reviewed by Saam Barati.
1523
1524         RegisterState would have larger alignment than `alignof(void*)`. We use the larger alignment value
1525         for `alignof` for RegisterState.
1526
1527         * heap/RegisterState.h:
1528
1529 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1530
1531         [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
1532         https://bugs.webkit.org/show_bug.cgi?id=188571
1533
1534         Reviewed by Saam Barati.
1535
1536         UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
1537         allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
1538         without considering alignment of them. This patch adds DisjunctionContext::allocationSize
1539         and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
1540         The size is always rounded to `sizeof(void*)` so that these classes are always allocated
1541         with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
1542         than or equal to `sizeof(void*)` by `static_assert`.
1543
1544         * yarr/YarrInterpreter.cpp:
1545         (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
1546         (JSC::Yarr::Interpreter::allocDisjunctionContext):
1547         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
1548         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
1549         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
1550         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
1551         (JSC::Yarr::Interpreter::Interpreter):
1552         (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
1553
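        To make the alignment argument of this entry concrete, here is an added C++ toy (not WebKit's BumpPointerAllocator or YarrInterpreter) that rounds each allocation size up to `sizeof(void*)` exactly as described, asserts at compile time that the allocated type needs no stricter alignment, and shows the misalignment a naive bump pointer produces after an odd-sized allocation. The `BumpAllocator` class, the `ContextLike` struct and the `contextMisalignment` helper are this example's own assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Example code, not WebKit's. Round a byte count up to a multiple of sizeof(void*).
constexpr size_t roundUpToPointerSize(size_t size) {
    return (size + sizeof(void*) - 1) & ~(sizeof(void*) - 1);
}

// A context object with a fixed header and a trailing array, in the spirit of the
// entry's DisjunctionContext: the allocation size depends on how many frames follow.
struct ContextLike {
    uint32_t matchBegin;
    uint32_t matchEnd;
    uint32_t frames[1]; // numberOfFrames entries are allocated inline after the header

    static size_t allocationSize(size_t numberOfFrames) {
        size_t extra = numberOfFrames > 1 ? numberOfFrames - 1 : 0;
        return roundUpToPointerSize(sizeof(ContextLike) + extra * sizeof(uint32_t));
    }
};
// Rounding only guarantees pointer-size alignment, so the type must not need more.
static_assert(alignof(ContextLike) <= sizeof(void*), "ContextLike must not need more than pointer alignment");

class BumpAllocator {
public:
    explicit BumpAllocator(size_t capacityInPointers) : m_storage(capacityInPointers), m_cursor(0) {}

    // Rounded allocation: every returned pointer is sizeof(void*)-aligned because the
    // storage is, and every cursor advance is a multiple of sizeof(void*).
    void* allocate(size_t size) {
        size_t rounded = roundUpToPointerSize(size);
        if (capacityInBytes() - m_cursor < rounded) return nullptr;
        void* result = bytes() + m_cursor;
        m_cursor += rounded;
        return result;
    }
    // The unrounded variant, kept only to show the problem the entry describes.
    void* allocateUnrounded(size_t size) {
        if (capacityInBytes() - m_cursor < size) return nullptr;
        void* result = bytes() + m_cursor;
        m_cursor += size;
        return result;
    }
private:
    uint8_t* bytes() { return reinterpret_cast<uint8_t*>(m_storage.data()); }
    size_t capacityInBytes() const { return m_storage.size() * sizeof(void*); }
    std::vector<uintptr_t> m_storage; // uintptr_t elements give pointer-aligned storage
    size_t m_cursor;
};

// Allocate a 5-byte object first, then a ContextLike, and return the context
// address modulo sizeof(void*): 0 means it is pointer-aligned as required.
static size_t contextMisalignment(bool rounded) {
    BumpAllocator allocator(16);
    void* small = rounded ? allocator.allocate(5) : allocator.allocateUnrounded(5);
    void* context = rounded ? allocator.allocate(ContextLike::allocationSize(3))
                            : allocator.allocateUnrounded(sizeof(ContextLike) + 2 * sizeof(uint32_t));
    if (!small || !context) return static_cast<size_t>(-1);
    return reinterpret_cast<uintptr_t>(context) % sizeof(void*);
}
```

        With rounding the second object starts at offset `sizeof(void*)`; without it the object starts at offset 5, which is exactly the misaligned access UBSan reported in the interpreter.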
1554 2018-08-15  Keith Miller  <keith_miller@apple.com>
1555
1556         Remove evernote hacks
1557         https://bugs.webkit.org/show_bug.cgi?id=188591
1558
1559         Reviewed by Joseph Pecoraro.
1560
1561         The hack was added in 2012 and the evernote app seems to work now.
1562         It's probably not needed anymore.
1563
1564         * API/JSValueRef.cpp:
1565         (JSValueUnprotect):
1566         (evernoteHackNeeded): Deleted.
1567
1568 2018-08-14  Fujii Hironori  <Hironori.Fujii@sony.com>
1569
1570         Unreviewed, rolling out r234874 and r234876.
1571
1572         WinCairo port can't compile
1573
1574         Reverted changesets:
1575
1576         "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
1577         https://bugs.webkit.org/show_bug.cgi?id=188589
1578         https://trac.webkit.org/changeset/234874
1579
1580         "Unreviewed, attempt to fix CLoop build"
1581         https://bugs.webkit.org/show_bug.cgi?id=188589
1582         https://trac.webkit.org/changeset/234876
1583
1584 2018-08-14  Saam barati  <sbarati@apple.com>
1585
1586         HashMap<Ref<P>, V> asserts when V is not zero for its empty value
1587         https://bugs.webkit.org/show_bug.cgi?id=188582
1588
1589         Reviewed by Sam Weinig.
1590
1591         * runtime/SparseArrayValueMap.h:
1592
1593 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1594
1595         Unreviewed, attempt to fix CLoop build
1596         https://bugs.webkit.org/show_bug.cgi?id=188589
1597
1598         * assembler/MacroAssembler.h:
1599
1600 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1601
1602         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1603         https://bugs.webkit.org/show_bug.cgi?id=188589
1604
1605         Reviewed by Mark Lam.
1606
1607         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1608         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1609
1610         1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1611         2. We make GPRReg and FPRReg int8_t enums.
1612         3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1613
1614         * assembler/ARM64Assembler.h:
1615         * assembler/ARMAssembler.h:
1616         * assembler/ARMv7Assembler.h:
1617         * assembler/MIPSAssembler.h:
1618         * assembler/X86Assembler.h:
1619         * jit/FPRInfo.h:
1620         * jit/GPRInfo.h:
1621         (JSC::JSValueRegs::JSValueRegs):
1622         (JSC::JSValueRegs::tagGPR const):
1623         (JSC::JSValueRegs::payloadGPR const):
1624         (JSC::JSValueSource::JSValueSource):
1625         (JSC::JSValueSource::unboxedCell):
1626         (JSC::JSValueSource::operator bool const):
1627         (JSC::JSValueSource::base const):
1628         (JSC::JSValueSource::tagGPR const):
1629         (JSC::JSValueSource::payloadGPR const):
1630         (JSC::JSValueSource::hasKnownTag const):
1631
1632 2018-08-14  Keith Miller  <keith_miller@apple.com>
1633
1634         Add missing availability macro.
1635         https://bugs.webkit.org/show_bug.cgi?id=188563
1636
1637         Reviewed by Mark Lam.
1638
1639         * API/JSValueRef.h:
1640
1641 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1642
1643         [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
1644         https://bugs.webkit.org/show_bug.cgi?id=188560
1645
1646         Reviewed by Keith Miller.
1647
1648         While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
1649         it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
1650         uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
1651         `m_wasSeenInJIT { false }`.
1652
1653         * bytecode/GetByIdStatus.h:
1654
1655 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1656
1657         [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
1658         https://bugs.webkit.org/show_bug.cgi?id=188557
1659
1660         Reviewed by Mark Lam.
1661
1662         DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
1663         processing for ArithRound etc.'s invariants requires `m_pass` load. This issue is found
1664         in UBSan's result.
1665
1666         * dfg/DFGPredictionPropagationPhase.cpp:
1667
1668 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1669
1670         [JSC] Should not rotate constant with 64
1671         https://bugs.webkit.org/show_bug.cgi?id=188556
1672
1673         Reviewed by Mark Lam.
1674
1675         To defend against JIT splaying, we rotate a constant with a randomly generated seed.
1676         But if a seed becomes 64, the following code performs `value << 64` where value's type
1677         is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed to the
1678         range [0, 64) so as not to generate code causing UBs. This was found by UBSan.
1679
1680         * assembler/MacroAssembler.h:
1681         (JSC::MacroAssembler::generateRotationSeed):
1682         (JSC::MacroAssembler::rotationBlindConstant):
1683
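        As an added example of the mitigation this entry touches (example code, not WebKit's MacroAssembler), the following C++ shows constant blinding by rotation with the seed kept in [0, 64): the rotate is written so that neither shift count can reach 64, the seed generator masks its output instead of relying on the generator's range, and a round-trip check confirms every blinded constant unblinds to the original. The names `rotateLeft64`, `rotateRight64`, `generateRotationSeed`, `BlindedConstant`, `blind`, `unblind` and `roundTripHolds` are this example's own.

```cpp
#include <cstdint>
#include <random>

// Example code, not WebKit's. Constant blinding by rotation: a JIT that embeds
// attacker-chosen constants verbatim lets those bytes land in executable memory;
// rotating each constant by a secret seed and rotating it back at runtime removes
// that control. Shifting a uint64_t by 64 is undefined behaviour in C++, which is
// why the seed must stay in [0, 64), the bug this entry fixes.

// Rotate left by seed bits. Masking with 63 keeps both shift counts in [0, 64);
// the (64 - seed) & 63 form makes seed == 0 a no-op instead of a shift by 64.
static inline uint64_t rotateLeft64(uint64_t value, unsigned seed) {
    seed &= 63;
    return (value << seed) | (value >> ((64 - seed) & 63));
}

static inline uint64_t rotateRight64(uint64_t value, unsigned seed) {
    seed &= 63;
    return (value >> seed) | (value << ((64 - seed) & 63));
}

// Seeds drawn from a generator; the mask, not the generator's range, bounds them.
static unsigned generateRotationSeed(std::mt19937_64& generator) {
    return static_cast<unsigned>(generator() & 63); // always in [0, 64)
}

struct BlindedConstant {
    uint64_t rotated; // what gets baked into the generated code
    unsigned seed;    // what the unblinding instruction sequence rotates by
};

static BlindedConstant blind(uint64_t value, unsigned seed) {
    return { rotateLeft64(value, seed), seed };
}

static uint64_t unblind(const BlindedConstant& c) {
    return rotateRight64(c.rotated, c.seed);
}

// Exercise blind/unblind over many seeds; true if every trial survives the round trip
// and every generated seed is in range.
static bool roundTripHolds(uint64_t value, unsigned trials) {
    std::mt19937_64 generator(0xC0FFEE); // fixed seed so the check is reproducible
    for (unsigned i = 0; i < trials; ++i) {
        unsigned seed = generateRotationSeed(generator);
        if (seed >= 64) return false;
        if (unblind(blind(value, seed)) != value) return false;
    }
    return true;
}
```

        The masked form is branch-free and also makes `rotateLeft64(x, 64)` equal to `x`, so even a caller that forgets the range cannot produce the undefined shift; in a real assembler the seed would come from the process's random source rather than a fixed-seed generator.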
1684 2018-08-12  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1685
1686         Disable JIT on IA-32 without SSE2
1687         https://bugs.webkit.org/show_bug.cgi?id=188476
1688
1689         Reviewed by Michael Catanzaro.
1690
1691         Including missing header (MacroAssembler.h) in case of other
1692         operating systems than Windows too.
1693
1694         * runtime/Options.cpp:
1695
1696 2018-08-11  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1697
1698         Disable JIT on IA-32 without SSE2
1699         https://bugs.webkit.org/show_bug.cgi?id=188476
1700
1701         Reviewed by Yusuke Suzuki.
1702
1703         On IA-32 CPUs without SSE2 most of the webpages cannot load
1704         if the JIT is turned on.
1705
1706         * runtime/Options.cpp:
1707         (JSC::recomputeDependentOptions):
1708
1709 2018-08-10  Joseph Pecoraro  <pecoraro@apple.com>
1710
1711         Web Inspector: console.log fires getters for deep properties
1712         https://bugs.webkit.org/show_bug.cgi?id=187542
1713         <rdar://problem/42873158>
1714
1715         Reviewed by Saam Barati.
1716
1717         * inspector/InjectedScriptSource.js:
1718         (RemoteObject.prototype._isPreviewableObject):
1719         Avoid getters/setters when checking for simple properties to preview.
1720         Here we avoid invoking `object[property]` if it could be a user getter.
1721
1722 2018-08-10  Keith Miller  <keith_miller@apple.com>
1723
1724         Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
1725         https://bugs.webkit.org/show_bug.cgi?id=185127
1726
1727         Reviewed by Saam Barati.
1728
1729         Previously, we would truncate the indices passed to slice to an
1730         int. This meant that the value was not getting properly clamped
1731         later.
1732
1733         This patch also removes a non-spec compliant check that slice was
1734         passed at least one argument.
1735
1736         * runtime/ArrayBuffer.cpp:
1737         (JSC::ArrayBuffer::clampValue):
1738         (JSC::ArrayBuffer::clampIndex const):
1739         (JSC::ArrayBuffer::slice const):
1740         * runtime/ArrayBuffer.h:
1741         (JSC::ArrayBuffer::clampValue): Deleted.
1742         (JSC::ArrayBuffer::clampIndex const): Deleted.
1743         * runtime/JSArrayBufferPrototype.cpp:
1744         (JSC::arrayBufferProtoFuncSlice):
1745
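        An added C++ example (not WebKit's ArrayBuffer code) of the index handling this entry corrects: `start` and `end` are clamped in double precision following the ECMAScript steps (ToIntegerOrInfinity, negative values counted from the end, clamp to `[0, byteLength]`), so a start such as 2^32 + 1 clamps to the buffer length. A `toInt32`-based variant is included only to show how a 32-bit truncation before clamping changes the result. The names `toIntegerOrInfinity`, `clampIndex`, `toInt32`, `SliceRange`, `sliceRange`, `truncatedSliceRange` and `slice` are this example's own, and `endIsUndefined` models a missing second argument.

```cpp
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <vector>

// Example code, not WebKit's ArrayBuffer. Index clamping for slice(start, end)
// done in double precision, so a start such as 2**32 + 1 clamps to the buffer
// length instead of wrapping to 1 through a 32-bit truncation.

// ECMAScript ToIntegerOrInfinity: NaN -> 0, +-Infinity kept, otherwise truncate.
static double toIntegerOrInfinity(double v) {
    if (std::isnan(v)) return 0;
    if (std::isinf(v)) return v;
    return std::trunc(v);
}

// Relative index -> absolute index in [0, length]; negatives count from the end.
static size_t clampIndex(double relative, size_t length) {
    const double len = static_cast<double>(length);
    const double r = toIntegerOrInfinity(relative);
    if (r < 0) return static_cast<size_t>(std::max(len + r, 0.0));
    return static_cast<size_t>(std::min(r, len));
}

// ECMAScript ToInt32: wraps modulo 2**32. Applying it to slice indices is the
// truncation the entry describes; it is here only to show the difference.
static int32_t toInt32(double v) {
    const double t = toIntegerOrInfinity(v);
    if (std::isinf(t)) return 0;
    double m = std::fmod(t, 4294967296.0);
    if (m < 0) m += 4294967296.0;
    const uint32_t u = static_cast<uint32_t>(m);
    // Two's-complement reinterpretation written without implementation-defined casts.
    return u >= 0x80000000u ? static_cast<int32_t>(u - 0x80000000u) - 0x7fffffff - 1 : static_cast<int32_t>(u);
}

struct SliceRange {
    size_t first;
    size_t newLength;
};

// endIsUndefined models a missing second argument, which means "to the end".
static SliceRange sliceRange(size_t byteLength, double start, bool endIsUndefined, double end) {
    const size_t first = clampIndex(start, byteLength);
    const size_t last = endIsUndefined ? byteLength : clampIndex(end, byteLength);
    return { first, last > first ? last - first : 0 };
}

// The truncating variant: indices go through ToInt32 before clamping.
static SliceRange truncatedSliceRange(size_t byteLength, double start, bool endIsUndefined, double end) {
    return sliceRange(byteLength, toInt32(start), endIsUndefined, endIsUndefined ? 0 : toInt32(end));
}

// Copy the selected bytes, like ArrayBuffer.prototype.slice.
static std::vector<uint8_t> slice(const std::vector<uint8_t>& buffer, double start,
                                  bool endIsUndefined = true, double end = 0) {
    const SliceRange range = sliceRange(buffer.size(), start, endIsUndefined, end);
    return std::vector<uint8_t>(buffer.begin() + static_cast<std::ptrdiff_t>(range.first),
                                buffer.begin() + static_cast<std::ptrdiff_t>(range.first + range.newLength));
}
```

        For an 8-byte buffer, `sliceRange(8, 4294967297.0, ...)` yields an empty range, whereas the truncating variant wraps the start to 1 and returns 7 bytes; the clamped version also never computes an index outside `[0, byteLength]`, so the copy cannot read past the buffer.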
1746 2018-08-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1747
1748         Date.UTC should not return NaN with only Year param
1749         https://bugs.webkit.org/show_bug.cgi?id=188378
1750
1751         Reviewed by Keith Miller.
1752
1753         Date.UTC requires one argument for |year|. But the other ones are optional.
1754         This patch fixes this handling.
1755
1756         * runtime/DateConstructor.cpp:
1757         (JSC::millisecondsFromComponents):
1758
1759 2018-08-08  Keith Miller  <keith_miller@apple.com>
1760
1761         Array.prototype.sort should call @toLength instead of ">>> 0"
1762         https://bugs.webkit.org/show_bug.cgi?id=188430
1763
1764         Reviewed by Saam Barati.
1765
1766         Also add a new function to $vm that will fetch a private
1767         property. This can be useful for running builtin helper functions.
1768
1769         * builtins/ArrayPrototype.js:
1770         (sort):
1771         * tools/JSDollarVM.cpp:
1772         (JSC::functionGetPrivateProperty):
1773         (JSC::JSDollarVM::finishCreation):
1774
1775 2018-08-08  Keith Miller  <keith_miller@apple.com>
1776
1777         Array.prototype.sort should throw TypeError if param is a not callable object
1778         https://bugs.webkit.org/show_bug.cgi?id=188382
1779
1780         Reviewed by Saam Barati.
1781
1782         Improve spec compatibility by checking if the Array.prototype.sort comparator is a function
1783         before doing anything else.
1784
1785         Also, refactor the various helper functions to use let instead of var.
1786
1787         * builtins/ArrayPrototype.js:
1788         (sort.stringComparator):
1789         (sort.compactSparse):
1790         (sort.compactSlow):
1791         (sort.compact):
1792         (sort.merge):
1793         (sort.mergeSort):
1794         (sort.bucketSort):
1795         (sort.comparatorSort):
1796         (sort.stringSort):
1797         (sort):
1798
1799 2018-08-08  Michael Saboff  <msaboff@apple.com>
1800
1801         Yarr JIT should include annotations with dumpDisassembly=true
1802         https://bugs.webkit.org/show_bug.cgi?id=188415
1803
1804         Reviewed by Yusuke Suzuki.
1805
1806         Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
1807         Given that the Yarr creates matching code by going through the YarrPattern ops forward and
1808         then the backtracking code through the YarrPattern ops in reverse order, the disassembler
1809         needs to do the same thing.
1810
1811         Restructured some of the logging code in YarrPattern to eliminate redundant code and factor
1812         out simple methods for what was needed by the YarrDisassembler.
1813
1814         Here is abbreviated sample output after this change.
1815
1816         Generated JIT code for 8-bit regular expression /ab*c/:
1817             Code at [0x469561c03720, 0x469561c03840):
1818                 0x469561c03720: push %rbp
1819                 0x469561c03721: mov %rsp, %rbp
1820                 ...
1821                 0x469561c03762: sub $0x40, %rsp
1822              == Matching ==
1823            0:OpBodyAlternativeBegin minimum size 2
1824                 0x469561c03766: add $0x2, %esi
1825                 0x469561c03769: cmp %edx, %esi
1826                 0x469561c0376b: ja 0x469561c037fa
1827            1:OpTerm TypePatternCharacter 'a'
1828                 0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
1829                 0x469561c03776: cmp $0x61, %eax
1830                 0x469561c03779: jnz 0x469561c037e9
1831            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1832                 0x469561c0377f: xor %r9d, %r9d
1833                 0x469561c03782: cmp %edx, %esi
1834                 0x469561c03784: jz 0x469561c037a2
1835                 ...
1836                 0x469561c0379d: jmp 0x469561c03782
1837                 0x469561c037a2: mov %r9, 0x8(%rsp)
1838            3:OpTerm TypePatternCharacter 'c'
1839                 0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
1840                 0x469561c037ac: cmp $0x63, %eax
1841                 0x469561c037af: jnz 0x469561c037d1
1842            4:OpBodyAlternativeEnd
1843                 0x469561c037b5: add $0x40, %rsp
1844                 ...
1845                 0x469561c037cf: pop %rbp
1846                 0x469561c037d0: ret
1847              == Backtracking ==
1848            4:OpBodyAlternativeEnd
1849            3:OpTerm TypePatternCharacter 'c'
1850            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1851                 0x469561c037d1: mov 0x8(%rsp), %r9
1852                 ...
1853                 0x469561c037e4: jmp 0x469561c037a2
1854            1:OpTerm TypePatternCharacter 'a'
1855            0:OpBodyAlternativeBegin minimum size 2
1856                 0x469561c037e9: mov %rsi, %rax
1857                 ...
1858                 0x469561c0382f: pop %rbp
1859                 0x469561c03830: ret
1860
1861         * JavaScriptCore.xcodeproj/project.pbxproj:
1862         * Sources.txt:
1863         * runtime/RegExp.cpp:
1864         (JSC::RegExp::compile):
1865         (JSC::RegExp::compileMatchOnly):
1866         * yarr/YarrDisassembler.cpp: Added.
1867         (JSC::Yarr::YarrDisassembler::indentString):
1868         (JSC::Yarr::YarrDisassembler::YarrDisassembler):
1869         (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
1870         (JSC::Yarr::YarrDisassembler::dump):
1871         (JSC::Yarr::YarrDisassembler::dumpHeader):
1872         (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
1873         (JSC::Yarr::YarrDisassembler::dumpForInstructions):
1874         (JSC::Yarr::YarrDisassembler::dumpDisassembly):
1875         * yarr/YarrDisassembler.h: Added.
1876         (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
1877         (JSC::Yarr::YarrDisassembler::setStartOfCode):
1878         (JSC::Yarr::YarrDisassembler::setForGenerate):
1879         (JSC::Yarr::YarrDisassembler::setForBacktrack):
1880         (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
1881         (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
1882         (JSC::Yarr::YarrDisassembler::setEndOfCode):
1883         (JSC::Yarr::YarrDisassembler::indentString):
1884         * yarr/YarrJIT.cpp:
1885         (JSC::Yarr::YarrGenerator::generate):
1886         (JSC::Yarr::YarrGenerator::backtrack):
1887         (JSC::Yarr::YarrGenerator::YarrGenerator):
1888         (JSC::Yarr::YarrGenerator::compile):
1889         (JSC::Yarr::jitCompile):
1890         * yarr/YarrJIT.h:
1891         * yarr/YarrPattern.cpp:
1892         (JSC::Yarr::dumpCharacterClass):
1893         (JSC::Yarr::PatternTerm::dump):
1894         (JSC::Yarr::YarrPattern::dumpPatternString):
1895         (JSC::Yarr::YarrPattern::dumpPattern):
1896         * yarr/YarrPattern.h:
1897
1898 2018-08-05  Darin Adler  <darin@apple.com>
1899
1900         [Cocoa] More tweaks and refactoring to prepare for ARC
1901         https://bugs.webkit.org/show_bug.cgi?id=188245
1902
1903         Reviewed by Dan Bernstein.
1904
1905         * API/JSValue.mm: Use __unsafe_unretained.
1906         (JSContainerConvertor::convert): Use auto for compatibility with the above.
1907         * API/JSWrapperMap.mm:
1908         (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
1909         (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.
1910
1911         * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.
1912
1913 2018-08-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1914
1915         Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
1916         https://bugs.webkit.org/show_bug.cgi?id=188328
1917
1918         Reviewed by Saam Barati.
1919
1920         Shrinking the size of PropertyCondition can improve memory consumption by a lot.
1921         For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
1922         and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
1923         as a member field.
1924
1925         This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
1926         PropertyCondition::Kind into uint64_t data on 64-bit architectures. Since our addresses
1927         are within 48 bits, we can put PropertyCondition::Kind in these unused bits.
1928         To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
1929         folds a pointer and a 1-byte type into 64-bit data.
1930
1931         This change shrinks PropertyCondition from 24 bytes to 16 bytes.
1932
1933         * bytecode/PropertyCondition.cpp:
1934         (JSC::PropertyCondition::dumpInContext const):
1935         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1936         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
1937         (JSC::PropertyCondition::isStillValid const):
1938         (JSC::PropertyCondition::isWatchableWhenValid const):
1939         * bytecode/PropertyCondition.h:
1940         (JSC::PropertyCondition::PropertyCondition):
1941         (JSC::PropertyCondition::presenceWithoutBarrier):
1942         (JSC::PropertyCondition::absenceWithoutBarrier):
1943         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
1944         (JSC::PropertyCondition::equivalenceWithoutBarrier):
1945         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
1946         (JSC::PropertyCondition::operator bool const):
1947         (JSC::PropertyCondition::kind const):
1948         (JSC::PropertyCondition::uid const):
1949         (JSC::PropertyCondition::hasOffset const):
1950         (JSC::PropertyCondition::hasAttributes const):
1951         (JSC::PropertyCondition::hasPrototype const):
1952         (JSC::PropertyCondition::hasRequiredValue const):
1953         (JSC::PropertyCondition::hash const):
1954         (JSC::PropertyCondition::operator== const):
1955         (JSC::PropertyCondition::isHashTableDeletedValue const):
1956         (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
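
The packing described in the entry above, as an added example written for this page (it is not WebKit's WTF::CompactPointerTuple or PropertyCondition code): a pointer whose address fits in 48 bits and a one-byte kind are folded into one 64-bit word, with the kind kept in the top byte. The names PackedPointerTag, PackedCondition, UnpackedCondition, roundTripsPointerAndKind, packedConditionSize and unpackedConditionSize, and the Kind enumerators, are invented for the illustration; the condition struct is simplified to the packed word plus a single 64-bit payload, which is enough to show the 24-byte to 16-byte reduction on a 64-bit target.

```cpp
// Added example, not WebKit's implementation: pack a 64-bit pointer and a
// one-byte tag into one 64-bit word. Current 64-bit user-space addresses fit
// in the low 48 bits, so the top byte is free for the tag.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <string>

template<typename PointerType, typename TagType>
class PackedPointerTag {
    static_assert(sizeof(PointerType) == 8, "requires 64-bit pointers");
    static_assert(sizeof(TagType) == 1, "tag must fit in one byte");

    static constexpr uint64_t pointerMask = (uint64_t(1) << 48) - 1;
    static constexpr unsigned tagShift = 56;

public:
    PackedPointerTag() = default;

    PackedPointerTag(PointerType pointer, TagType tag)
    {
        uint64_t bits = reinterpret_cast<uint64_t>(pointer);
        // Never truncate silently: an address above 48 bits would overlap the tag.
        assert((bits & ~pointerMask) == 0);
        m_data = bits | (uint64_t(static_cast<uint8_t>(tag)) << tagShift);
    }

    PointerType pointer() const
    {
        return reinterpret_cast<PointerType>(m_data & pointerMask);
    }

    TagType tag() const
    {
        return static_cast<TagType>(static_cast<uint8_t>(m_data >> tagShift));
    }

    bool operator==(const PackedPointerTag& other) const { return m_data == other.m_data; }

private:
    uint64_t m_data { 0 };
};

// Stand-in for PropertyCondition::Kind (enumerator set invented for the example).
enum class Kind : uint8_t { Presence, Absence, Equivalence, HasPrototype };

// Simplified stand-in for a condition: the packed uid/kind word plus one
// 64-bit payload. Packing removes the padding the separate kind byte needed.
struct PackedCondition {
    PackedPointerTag<const std::string*, Kind> uidAndKind;
    uint64_t payload;
};

// The unpacked equivalent: pointer (8) + kind (1, padded to 8) + payload (8).
struct UnpackedCondition {
    const std::string* uid;
    Kind kind;
    uint64_t payload;
};

// Round-trip check: true if both the pointer and the kind survive packing.
bool roundTripsPointerAndKind()
{
    std::string uid = "length"; // constructed stand-in for a UniquedStringImpl
    PackedPointerTag<const std::string*, Kind> packed(&uid, Kind::Equivalence);
    return packed.pointer() == &uid
        && packed.tag() == Kind::Equivalence
        && *packed.pointer() == "length";
}

size_t packedConditionSize() { return sizeof(PackedCondition); }     // 16 on 64-bit targets
size_t unpackedConditionSize() { return sizeof(UnpackedCondition); } // 24 on 64-bit targets
```

The assert in the constructor is the check that matters: the scheme is only sound while every address handed to it really fits in 48 bits, so a platform with wider virtual addressing (or pointer tagging in the high bits) would need a different layout rather than a quiet truncation.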
1957
1958 2018-08-07  Mark Lam  <mark.lam@apple.com>
1959
1960         Use a more specific PtrTag for PlatformRegisters PC and LR.
1961         https://bugs.webkit.org/show_bug.cgi?id=188366
1962         <rdar://problem/42984123>
1963
1964         Reviewed by Keith Miller.
1965
1966         Also fixed a bug in linkRegister(), which was previously returning the PC instead
1967         of LR.  It now returns LR.
1968
1969         * runtime/JSCPtrTag.h:
1970         * runtime/MachineContext.h:
1971         (JSC::MachineContext::instructionPointer):
1972         (JSC::MachineContext::linkRegister):
1973         * runtime/VMTraps.cpp:
1974         (JSC::SignalContext::SignalContext):
1975         * tools/SigillCrashAnalyzer.cpp:
1976         (JSC::SignalContext::SignalContext):
1977
1978 2018-08-07  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1979
1980         Hardcoded LFENCE instruction
1981         https://bugs.webkit.org/show_bug.cgi?id=188145
1982
1983         Reviewed by Filip Pizlo.
1984
1985         Remove lfence instruction because it is crashing systems without SSE2 and
1986         this is not how WebKit mitigates Spectre.
1987
1988         * runtime/JSLock.cpp:
1989         (JSC::JSLock::didAcquireLock):
1990         (JSC::JSLock::willReleaseLock):
1991
1992 2018-08-04  David Kilzer  <ddkilzer@apple.com>
1993
1994         REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
1995         <https://webkit.org/b/188331>
1996
1997         Reviewed by Yusuke Suzuki.
1998
1999         * runtime/TemplateObjectDescriptor.h:
2000         (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
2001         Use `m_rawstrings` instead of `rawStrings` to calculate hash.
2002
2003 2018-08-03  Saam Barati  <sbarati@apple.com>
2004
2005         Give the `jsc` shell the JIT entitlement
2006         https://bugs.webkit.org/show_bug.cgi?id=188324
2007         <rdar://problem/42885806>
2008
2009         Reviewed by Dan Bernstein.
2010
2011         This should help us in ensuring the system jsc is able to JIT.
2012
2013         * Configurations/JSC.xcconfig:
2014         * JavaScriptCore.xcodeproj/project.pbxproj:
2015         * allow-jit-macOS.entitlements: Added.
2016
2017 2018-08-03  Alex Christensen  <achristensen@webkit.org>
2018
2019         Fix spelling of "overridden"
2020         https://bugs.webkit.org/show_bug.cgi?id=188315
2021
2022         Reviewed by Darin Adler.
2023
2024         * API/JSExport.h:
2025         * inspector/InjectedScriptSource.js:
2026
2027 2018-08-02  Saam Barati  <sbarati@apple.com>
2028
2029         Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
2030         https://bugs.webkit.org/show_bug.cgi?id=188271
2031         <rdar://problem/42850884>
2032
2033         Reviewed by Michael Saboff.
2034
2035         This patch defends against the instructionPointer containing garbage bits.
2036         See radar for details.
2037
2038         * runtime/MachineContext.h:
2039         (JSC::MachineContext::instructionPointer):
2040         * runtime/SamplingProfiler.cpp:
2041         (JSC::SamplingProfiler::takeSample):
2042         * runtime/VMTraps.cpp:
2043         (JSC::SignalContext::SignalContext):
2044         (JSC::SignalContext::tryCreate):
2045         * tools/CodeProfiling.cpp:
2046         (JSC::profilingTimer):
2047         * tools/SigillCrashAnalyzer.cpp:
2048         (JSC::SignalContext::SignalContext):
2049         (JSC::SignalContext::tryCreate):
2050         (JSC::SignalContext::dump):
2051         (JSC::installCrashHandler):
2052         * wasm/WasmFaultSignalHandler.cpp:
2053         (JSC::Wasm::trapHandler):
2054
2055 2018-08-02  David Fenton  <david_fenton@apple.com>
2056
2057         Unreviewed, rolling out r234489.
2058
2059         Caused 50+ crashes and 60+ API failures on iOS
2060
2061         Reverted changeset:
2062
2063         "[WTF] Rename String::format to String::deprecatedFormat"
2064         https://bugs.webkit.org/show_bug.cgi?id=188191
2065         https://trac.webkit.org/changeset/234489
2066
2067 2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2068
2069         Add self.queueMicrotask(f) on DOMWindow
2070         https://bugs.webkit.org/show_bug.cgi?id=188212
2071
2072         Reviewed by Ryosuke Niwa.
2073
2074         * CMakeLists.txt:
2075         * JavaScriptCore.xcodeproj/project.pbxproj:
2076         * Sources.txt:
2077         * runtime/JSGlobalObject.cpp:
2078         (JSC::enqueueJob):
2079         * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
2080         (JSC::createJSMicrotask):
2081         Export them to WebCore.
2082
2083         (JSC::JSMicrotask::run):
2084         * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
2085         Add another version of JSMicrotask which does not have arguments.
2086
2087 2018-08-01  Tomas Popela  <tpopela@redhat.com>
2088
2089         [WTF] Rename String::format to String::deprecatedFormat
2090         https://bugs.webkit.org/show_bug.cgi?id=188191
2091
2092         Reviewed by Darin Adler.
2093
2094         It should be replaced with string concatenation.
2095
2096         * bytecode/CodeBlock.cpp:
2097         (JSC::CodeBlock::nameForRegister):
2098         * inspector/InjectedScriptBase.cpp:
2099         (Inspector::InjectedScriptBase::makeCall):
2100         * inspector/InspectorBackendDispatcher.cpp:
2101         (Inspector::BackendDispatcher::getPropertyValue):
2102         * inspector/agents/InspectorConsoleAgent.cpp:
2103         (Inspector::InspectorConsoleAgent::enable):
2104         (Inspector::InspectorConsoleAgent::stopTiming):
2105         * jsc.cpp:
2106         (FunctionJSCStackFunctor::operator() const):
2107         * parser/Lexer.cpp:
2108         (JSC::Lexer<T>::invalidCharacterMessage const):
2109         * runtime/IntlDateTimeFormat.cpp:
2110         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2111         * runtime/IntlObject.cpp:
2112         (JSC::canonicalizeLocaleList):
2113         * runtime/LiteralParser.cpp:
2114         (JSC::LiteralParser<CharType>::Lexer::lex):
2115         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2116         (JSC::LiteralParser<CharType>::parse):
2117         * runtime/LiteralParser.h:
2118         (JSC::LiteralParser::getErrorMessage):
2119
2120 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2121
2122         [INTL] Allow "unknown" formatToParts types
2123         https://bugs.webkit.org/show_bug.cgi?id=188176
2124
2125         Reviewed by Darin Adler.
2126
2127         Originally extra unexpected field types were marked as "literal", since
2128         the spec did not account for these. The ECMA 402 spec has since been updated
2129         to specify "unknown" should be used in these cases.
2130
2131         Currently there is no known way to reach these cases, so no tests can
2132         account for them. Theoretically they shouldn't exist, but they are specified,
2133         just to be safe. Marking them as "unknown" instead of "literal" hopefully
2134         will make such cases easy to identify if they ever happen.
2135
2136         * runtime/IntlDateTimeFormat.cpp:
2137         (JSC::IntlDateTimeFormat::partTypeString):
2138         * runtime/IntlNumberFormat.cpp:
2139         (JSC::IntlNumberFormat::partTypeString):
2140
2141 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2142
2143         [INTL] Implement hourCycle in DateTimeFormat
2144         https://bugs.webkit.org/show_bug.cgi?id=188006
2145
2146         Reviewed by Darin Adler.
2147
2148         Implemented hourCycle, updating both the skeleton and the final pattern.
2149         Changed resolveLocale to assume undefined options are not given and null
2150         strings actually mean null, which removes the tag extension.
2151
2152         * runtime/CommonIdentifiers.h:
2153         * runtime/IntlCollator.cpp:
2154         (JSC::IntlCollator::initializeCollator):
2155         * runtime/IntlDateTimeFormat.cpp:
2156         (JSC::IntlDTFInternal::localeData):
2157         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2158         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2159         (JSC::IntlDateTimeFormat::resolvedOptions):
2160         * runtime/IntlDateTimeFormat.h:
2161         * runtime/IntlObject.cpp:
2162         (JSC::resolveLocale):
2163
2164 2018-08-01  Keith Miller  <keith_miller@apple.com>
2165
2166         JSArrayBuffer should have its own JSType
2167         https://bugs.webkit.org/show_bug.cgi?id=188231
2168
2169         Reviewed by Saam Barati.
2170
2171         * runtime/JSArrayBuffer.cpp:
2172         (JSC::JSArrayBuffer::createStructure):
2173         * runtime/JSCast.h:
2174         * runtime/JSType.h:
2175
2176 2018-07-31  Keith Miller  <keith_miller@apple.com>
2177
2178         Unreviewed 32-bit build fix...
2179
2180         * dfg/DFGSpeculativeJIT32_64.cpp:
2181
2182 2018-07-31  Keith Miller  <keith_miller@apple.com>
2183
2184         Long compiling JSC files should not be unified
2185         https://bugs.webkit.org/show_bug.cgi?id=188205
2186
2187         Reviewed by Saam Barati.
2188
2189         The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
2190         to compile. Unifying them means touching anything in the same
2191         bundle as those files takes a long time to incrementally build.
2192         This patch separates those files so they build standalone.
2193
2194         * JavaScriptCore.xcodeproj/project.pbxproj:
2195         * Sources.txt:
2196         * dfg/DFGSpeculativeJIT64.cpp:
2197
2198 2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2199
2200         [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
2201         https://bugs.webkit.org/show_bug.cgi?id=188201
2202
2203         Reviewed by Keith Miller.
2204
2205         We do not reuse the existing butterfly with Contiguous shape for new ArrayStorage butterfly.
2206         When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
2207         new one. So this cellLock() is unnecessary for contiguous shape since contiguous shaped butterfly
2208         never becomes broken state. This patch removes unnecessary locking.
2209
2210         * runtime/JSObject.cpp:
2211         (JSC::JSObject::visitButterflyImpl):
2212
2213 2018-07-31  Guillaume Emont  <guijemont@igalia.com>
2214
2215         [JSC] Remove gcc warnings for 32-bit platforms
2216         https://bugs.webkit.org/show_bug.cgi?id=187803
2217
2218         Reviewed by Yusuke Suzuki.
2219
2220         * assembler/MacroAssemblerPrinter.cpp:
2221         (JSC::Printer::printPCRegister):
2222         (JSC::Printer::printRegisterID):
2223         (JSC::Printer::printAddress):
2224         * dfg/DFGSpeculativeJIT.cpp:
2225         (JSC::DFG::SpeculativeJIT::speculateNumber):
2226         (JSC::DFG::SpeculativeJIT::speculateMisc):
2227         * jit/CCallHelpers.h:
2228         (JSC::CCallHelpers::calculatePokeOffset):
2229         * runtime/Options.cpp:
2230         (JSC::parse):
2231
2232 2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>
2233
2234         watchOS engineering build is broken after r234227
2235         https://bugs.webkit.org/show_bug.cgi?id=188180
2236
2237         Reviewed by Keith Miller.
2238
2239         In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
2240         postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
2241         `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
2242         `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
2243
2244         To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
2245         entirely, since there's no relevant version to replace them with.
2246
2247         * postprocess-headers.sh:
2248
2249 2018-07-30  Keith Miller  <keith_miller@apple.com>
2250
2251         Clarify conversion rules for JSValue property access API
2252         https://bugs.webkit.org/show_bug.cgi?id=188179
2253
2254         Reviewed by Geoffrey Garen.
2255
2256         * API/JSValue.h:
2257
2258 2018-07-30  Keith Miller  <keith_miller@apple.com>
2259
2260         Rename some JSC API functions/types.
2261         https://bugs.webkit.org/show_bug.cgi?id=188173
2262
2263         Reviewed by Saam Barati.
2264
2265         * API/JSObjectRef.cpp:
2266         (JSObjectHasPropertyForKey):
2267         (JSObjectGetPropertyForKey):
2268         (JSObjectSetPropertyForKey):
2269         (JSObjectDeletePropertyForKey):
2270         (JSObjectHasPropertyKey): Deleted.
2271         (JSObjectGetPropertyKey): Deleted.
2272         (JSObjectSetPropertyKey): Deleted.
2273         (JSObjectDeletePropertyKey): Deleted.
2274         * API/JSObjectRef.h:
2275         * API/JSValue.h:
2276         * API/JSValue.mm:
2277         (-[JSValue valueForProperty:]):
2278         (-[JSValue setValue:forProperty:]):
2279         (-[JSValue deleteProperty:]):
2280         (-[JSValue hasProperty:]):
2281         (-[JSValue defineProperty:descriptor:]):
2282         * API/tests/testapi.cpp:
2283         (TestAPI::run):
2284
2285 2018-07-30  Mark Lam  <mark.lam@apple.com>
2286
2287         Add a debugging utility to dump the memory layout of a JSCell.
2288         https://bugs.webkit.org/show_bug.cgi?id=188157
2289
2290         Reviewed by Yusuke Suzuki.
2291
2292         This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
2293         dump the memory contents of a cell and if present, its butterfly for debugging
2294         purposes.
2295
2296         Example usage for JS code when JSC_useDollarVM=true:
2297
2298             $vm.dumpCell(obj);
2299
2300         Example usage from C++ code or from lldb: 
2301
2302             (lldb) p JSC::VMInspector::dumpCellMemory(obj)
2303
2304         Some examples of dumps:
2305
2306             <0x104bc8260, Object>
2307               [0] 0x104bc8260 : 0x010016000000016c header
2308                 structureID 364 0x16c structure 0x104b721b0
2309                 indexingTypeAndMisc 0 0x0 NonArray
2310                 type 22 0x16
2311                 flags 0 0x0
2312                 cellState 1
2313               [1] 0x104bc8268 : 0x0000000000000000 butterfly
2314               [2] 0x104bc8270 : 0xffff000000000007
2315               [3] 0x104bc8278 : 0xffff000000000008
2316
2317             <0x104bb4360, Array>
2318               [0] 0x104bb4360 : 0x0108210b00000171 header
2319                 structureID 369 0x171 structure 0x104b723e0
2320                 indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
2321                 type 33 0x21
2322                 flags 8 0x8
2323                 cellState 1
2324               [1] 0x104bb4368 : 0x00000008000f4718 butterfly
2325                 base 0x8000f46e0
2326                 hasIndexingHeader YES hasAnyArrayStorage YES
2327                 publicLength 4 vectorLength 7 indexBias 2
2328                 preCapacity 2 propertyCapacity 4
2329                   <--- preCapacity
2330                   [0] 0x8000f46e0 : 0x0000000000000000
2331                   [1] 0x8000f46e8 : 0x0000000000000000
2332                   <--- propertyCapacity
2333                   [2] 0x8000f46f0 : 0x0000000000000000
2334                   [3] 0x8000f46f8 : 0x0000000000000000
2335                   [4] 0x8000f4700 : 0xffff00000000000d
2336                   [5] 0x8000f4708 : 0xffff00000000000c
2337                   <--- indexingHeader
2338                   [6] 0x8000f4710 : 0x0000000700000004
2339                   <--- butterfly
2340                   <--- arrayStorage
2341                   [7] 0x8000f4718 : 0x0000000000000000
2342                   [8] 0x8000f4720 : 0x0000000400000002
2343                   <--- indexedProperties
2344                   [9] 0x8000f4728 : 0xffff000000000008
2345                   [10] 0x8000f4730 : 0xffff000000000009
2346                   [11] 0x8000f4738 : 0xffff000000000005
2347                   [12] 0x8000f4740 : 0xffff000000000006
2348                   [13] 0x8000f4748 : 0x0000000000000000
2349                   [14] 0x8000f4750 : 0x0000000000000000
2350                   [15] 0x8000f4758 : 0x0000000000000000
2351                   <--- unallocated capacity
2352                   [16] 0x8000f4760 : 0x0000000000000000
2353                   [17] 0x8000f4768 : 0x0000000000000000
2354                   [18] 0x8000f4770 : 0x0000000000000000
2355                   [19] 0x8000f4778 : 0x0000000000000000
2356
2357         * runtime/JSObject.h:
2358         * tools/JSDollarVM.cpp:
2359         (JSC::functionDumpCell):
2360         (JSC::JSDollarVM::finishCreation):
2361         * tools/VMInspector.cpp:
2362         (JSC::VMInspector::dumpCellMemory):
2363         (JSC::IndentationScope::IndentationScope):
2364         (JSC::IndentationScope::~IndentationScope):
2365         (JSC::VMInspector::dumpCellMemoryToStream):
2366         * tools/VMInspector.h:
2367
2368 2018-07-27  Mark Lam  <mark.lam@apple.com>
2369
2370         Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
2371         https://bugs.webkit.org/show_bug.cgi?id=188123
2372         <rdar://problem/42672268>
2373
2374         Reviewed by Keith Miller.
2375
2376         1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
2377            padding space in VM and Heap, and should not cost any measurable perf to
2378            initialize and update.
2379
2380         2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
2381
2382            worldState tells us the value we failed the assertion on.
2383
2384            m_lastPhase, m_currentPhase, and m_nextPhase tell us the GC phase transition
2385            that led us here.
2386
2387            VM::id() and VM::numberOfIDs() tell us how many VMs may be in play.
2388
2389            VM::isEntered() tells us if the current VM is currently executing JS code.
2390
2391            Some of this data may be redundant, but the redundancy is intentional so that
2392            we can double check what is really happening at the time of crash.
2393
2394         * heap/Heap.cpp:
2395         (JSC::asInt):
2396         (JSC::Heap::checkConn):
2397         (JSC::Heap::changePhase):
2398         * heap/Heap.h:
2399         * runtime/VM.cpp:
2400         (JSC::VM::nextID):
2401         (JSC::VM::VM):
2402         * runtime/VM.h:
2403         (JSC::VM::numberOfIDs):
2404         (JSC::VM::id const):
2405         (JSC::VM::isEntered const):
2406
2407 2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2408
2409         [JSC] Record CoW status in ArrayProfile correctly
2410         https://bugs.webkit.org/show_bug.cgi?id=187949
2411
2412         Reviewed by Saam Barati.
2413
2414         In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
2415         This is important since our OSR exit compiler records m_observedArrayModes by calculating
2416         ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
2417         our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
2418         Array::Generic DFG nodes.
2419
2420         * bytecode/ArrayProfile.h:
2421         (JSC::asArrayModes):
2422         (JSC::ArrayProfile::ArrayProfile):
2423         * dfg/DFGOSRExit.cpp:
2424         (JSC::DFG::OSRExit::compileExit):
2425         * ftl/FTLOSRExitCompiler.cpp:
2426         (JSC::FTL::compileStub):
2427         * runtime/IndexingType.h:
2428
2429 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2430
2431         [INTL] Remove INTL sub-feature compile flags
2432         https://bugs.webkit.org/show_bug.cgi?id=188081
2433
2434         Reviewed by Michael Catanzaro.
2435
2436         Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
2437         The runtime flags are still present, and should be relied on instead.
2438         The defines for ICU features have also been updated to match HAVE() style.
2439
2440         * Configurations/FeatureDefines.xcconfig:
2441         * runtime/IntlPluralRules.cpp:
2442         (JSC::IntlPluralRules::resolvedOptions):
2443         (JSC::IntlPluralRules::select):
2444         * runtime/IntlPluralRules.h:
2445         * runtime/Options.h:
2446
2447 2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2448
2449         [JSC] Dump IndexingMode in Structure
2450         https://bugs.webkit.org/show_bug.cgi?id=188085
2451
2452         Reviewed by Keith Miller.
2453
2454         Dump IndexingMode instead of IndexingType.
2455
2456         * runtime/Structure.cpp:
2457         (JSC::Structure::dump const):
2458
2459 2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>
2460
2461         String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
2462         https://bugs.webkit.org/show_bug.cgi?id=187963
2463
2464         Reviewed by Alex Christensen.
2465
2466         * inspector/InspectorBackendDispatcher.cpp:
2467         (Inspector::BackendDispatcher::dispatch):
2468         * jsc.cpp:
2469         (ModuleName::ModuleName):
2470         (resolvePath):
2471         * runtime/IntlObject.cpp:
2472         (JSC::canonicalizeLanguageTag):
2473         (JSC::removeUnicodeLocaleExtension):
2474         Update split/splitAllowingEmptyEntries usage.
2475
2476 2018-07-26  Commit Queue  <commit-queue@webkit.org>
2477
2478         Unreviewed, rolling out r234181 and r234189.
2479         https://bugs.webkit.org/show_bug.cgi?id=188075
2480
2481         These are not needed right now (Requested by thorton on
2482         #webkit).
2483
2484         Reverted changesets:
2485
2486         "Enable Web Content Filtering on watchOS"
2487         https://bugs.webkit.org/show_bug.cgi?id=187979
2488         https://trac.webkit.org/changeset/234181
2489
2490         "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
2491         https://bugs.webkit.org/show_bug.cgi?id=187985
2492         https://trac.webkit.org/changeset/234189
2493
2494 2018-07-26  Mark Lam  <mark.lam@apple.com>
2495
2496         arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
2497         https://bugs.webkit.org/show_bug.cgi?id=188065
2498         <rdar://problem/42515726>
2499
2500         Reviewed by Saam Barati.
2501
2502         * runtime/ArrayPrototype.cpp:
2503         (JSC::clearElement):
2504         (JSC::copyElements):
2505         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2506
2507 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2508
2509         JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
2510         https://bugs.webkit.org/show_bug.cgi?id=167991
2511
2512         Reviewed by Michael Catanzaro.
2513
2514         Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
2515         Checked locale.isEmpty() before returning it from defaultLocale, so there should be
2516         no more cases where you might have an invalid locale come back from resolveLocale.
2517
2518         * runtime/IntlObject.cpp:
2519         (JSC::convertICULocaleToBCP47LanguageTag):
2520         (JSC::defaultLocale):
2521         (JSC::lookupMatcher):
2522         * runtime/IntlObject.h:
2523         * runtime/JSGlobalObject.cpp:
2524         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
2525         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
2526         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
2527         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2528
2529 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2530
2531         REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
2532         https://bugs.webkit.org/show_bug.cgi?id=188040
2533
2534         Unreviewed build fix for AppleWin port.
2535
2536         * API/tests/testapi.c: Disabled warning C4204.
2537         (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
2538
2539 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2540
2541         [JSC API] We should support the symbol type in our C/Obj-C API
2542         https://bugs.webkit.org/show_bug.cgi?id=175836
2543
2544         Unreviewed build fix for Windows port.
2545
2546         r234227 introduced a compilation error unresolved external symbol
2547         "int __cdecl testCAPIViaCpp(void)" in testapi for Windows ports.
2548
2549         Windows ports are compiling testapi.c as C++ by using /TP switch.
2550
2551         * API/tests/testapi.c:
2552         (main): Removed `::` prefix of ::SetErrorMode Windows API.
2553         (dllLauncherEntryPoint): Converted into C style.
2554         * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c
2555
2556 2018-07-25  Keith Miller  <keith_miller@apple.com>
2557
2558         [JSC API] We should support the symbol type in our C/Obj-C API
2559         https://bugs.webkit.org/show_bug.cgi?id=175836
2560
2561         Reviewed by Filip Pizlo.
2562
2563         This patch makes the following API additions:
2564         1) Test if a JSValue/JSValueRef is a symbol via any of the methods API are able to test for the types of other JSValues.
2565         2) Create a symbol on both APIs.
2566         3) Get/Set/Delete/Define property now take ids in the Obj-C API.
2567         4) Add Get/Set/Delete in the C API.
2568
2569         We can do 3 because it is both binary and source compatible with
2570         the existing API. I added (4) because the current property access
2571         APIs only have the ability to get Strings. It was possible to
2572         merge symbols into JSStringRef but that felt confusing and exposes
2573         implementation details of our engine. The new functions match the
2574         same meaning that they have in JS, thus should be forward
2575         compatible with any future language extensions.
2576
2577         Lastly, this patch adds the same availability preprocessing phase
2578         in WebCore to JavaScriptCore, which enables TBA features for
2579         testing on previous releases.
2580
2581         * API/APICast.h:
2582         * API/JSBasePrivate.h:
2583         * API/JSContext.h:
2584         * API/JSContextPrivate.h:
2585         * API/JSContextRef.h:
2586         * API/JSContextRefInternal.h:
2587         * API/JSContextRefPrivate.h:
2588         * API/JSManagedValue.h:
2589         * API/JSObjectRef.cpp:
2590         (JSObjectHasPropertyKey):
2591         (JSObjectGetPropertyKey):
2592         (JSObjectSetPropertyKey):
2593         (JSObjectDeletePropertyKey):
2594         * API/JSObjectRef.h:
2595         * API/JSRemoteInspector.h:
2596         * API/JSTypedArray.h:
2597         * API/JSValue.h:
2598         * API/JSValue.mm:
2599         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
2600         (performPropertyOperation):
2601         (-[JSValue valueForProperty:valueForProperty:]):
2602         (-[JSValue setValue:forProperty:setValue:forProperty:]):
2603         (-[JSValue deleteProperty:deleteProperty:]):
2604         (-[JSValue hasProperty:hasProperty:]):
2605         (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
2606         (-[JSValue isSymbol]):
2607         (-[JSValue objectForKeyedSubscript:]):
2608         (-[JSValue setObject:forKeyedSubscript:]):
2609         (-[JSValue valueForProperty:]): Deleted.
2610         (-[JSValue setValue:forProperty:]): Deleted.
2611         (-[JSValue deleteProperty:]): Deleted.
2612         (-[JSValue hasProperty:]): Deleted.
2613         (-[JSValue defineProperty:descriptor:]): Deleted.
2614         * API/JSValueRef.cpp:
2615         (JSValueGetType):
2616         (JSValueIsSymbol):
2617         (JSValueMakeSymbol):
2618         * API/JSValueRef.h:
2619         * API/WebKitAvailability.h:
2620         * API/tests/CurrentThisInsideBlockGetterTest.mm:
2621         * API/tests/CustomGlobalObjectClassTest.c:
2622         * API/tests/DateTests.mm:
2623         * API/tests/JSExportTests.mm:
2624         * API/tests/JSNode.c:
2625         * API/tests/JSNodeList.c:
2626         * API/tests/Node.c:
2627         * API/tests/NodeList.c:
2628         * API/tests/minidom.c:
2629         * API/tests/testapi.c:
2630         (main):
2631         * API/tests/testapi.cpp: Added.
2632         (APIString::APIString):
2633         (APIString::~APIString):
2634         (APIString::operator JSStringRef):
2635         (APIContext::APIContext):
2636         (APIContext::~APIContext):
2637         (APIContext::operator JSGlobalContextRef):
2638         (APIVector::APIVector):
2639         (APIVector::~APIVector):
2640         (APIVector::append):
2641         (testCAPIViaCpp):
2642         (TestAPI::evaluateScript):
2643         (TestAPI::callFunction):
2644         (TestAPI::functionReturnsTrue):
2645         (TestAPI::check):
2646         (TestAPI::checkJSAndAPIMatch):
2647         (TestAPI::interestingObjects):
2648         (TestAPI::interestingKeys):
2649         (TestAPI::run):
2650         * API/tests/testapi.mm:
2651         (testObjectiveCAPIMain):
2652         * JavaScriptCore.xcodeproj/project.pbxproj:
2653         * config.h:
2654         * postprocess-headers.sh:
2655         * shell/CMakeLists.txt:
2656         * testmem/testmem.mm:
2657
2658 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
2659
2660         [INTL] Call Typed Array elements toLocaleString with locale and options
2661         https://bugs.webkit.org/show_bug.cgi?id=185796
2662
2663         Reviewed by Keith Miller.
2664
2665         Improve ECMA 402 compliance of typed array toLocaleString, passing along
2666         the locale and options to element toLocaleString calls.
2667
2668         * builtins/TypedArrayPrototype.js:
2669         (toLocaleString):
2670
2671 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
2672
2673         [INTL] Intl constructor lengths should be configurable
2674         https://bugs.webkit.org/show_bug.cgi?id=187960
2675
2676         Reviewed by Saam Barati.
2677
2678         Removed DontDelete from Intl constructor lengths.
2679         Fixed DateTimeFormat formatToParts length.
2680
2681         * runtime/IntlCollatorConstructor.cpp:
2682         (JSC::IntlCollatorConstructor::finishCreation):
2683         * runtime/IntlDateTimeFormatConstructor.cpp:
2684         (JSC::IntlDateTimeFormatConstructor::finishCreation):
2685         * runtime/IntlDateTimeFormatPrototype.cpp:
2686         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2687         * runtime/IntlNumberFormatConstructor.cpp:
2688         (JSC::IntlNumberFormatConstructor::finishCreation):
2689         * runtime/IntlPluralRulesConstructor.cpp:
2690         (JSC::IntlPluralRulesConstructor::finishCreation):
2691
2692 2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>
2693
2694         runJITThreadLimitTests is failing
2695         https://bugs.webkit.org/show_bug.cgi?id=187886
2696         <rdar://problem/42561966>
2697
2698         Unreviewed build fix for MSVC.
2699
2700         MSVC doesn't support the ternary operator without a second operand.
2701
2702         * dfg/DFGWorklist.cpp:
2703         (JSC::DFG::getNumberOfDFGCompilerThreads):
2704         (JSC::DFG::getNumberOfFTLCompilerThreads):
2705
2706 2018-07-24  Commit Queue  <commit-queue@webkit.org>
2707
2708         Unreviewed, rolling out r234183.
2709         https://bugs.webkit.org/show_bug.cgi?id=187983
2710
2711         cause regression in Kraken gaussian blur and desaturate
2712         (Requested by yusukesuzuki on #webkit).
2713
2714         Reverted changeset:
2715
2716         "[JSC] Record CoW status in ArrayProfile"
2717         https://bugs.webkit.org/show_bug.cgi?id=187949
2718         https://trac.webkit.org/changeset/234183
2719
2720 2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2721
2722         [JSC] Record CoW status in ArrayProfile
2723         https://bugs.webkit.org/show_bug.cgi?id=187949
2724
2725         Reviewed by Saam Barati.
2726
2727         Once a CoW array is converted to a non-CoW array, subsequent operations are done on this non-CoW array.
2728         Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
2729         in this code typically record only non-CoW arrays, since array profiles hold only the single most recently
2730         seen StructureID. This results in emitting CheckStructure for non-CoW arrays in the DFG, and it soon causes
2731         OSR exits due to CoW arrays.
2732
2733         In this patch, we record the CoW status in ArrayProfile separately to construct a more appropriate DFG::ArrayMode
2734         speculation. To do so efficiently, we store the union of the seen IndexingModes in ArrayProfile.
2735
2736         This patch removes one of Kraken/stanford-crypto-aes's OSR exit reasons, and improves the performance by 6-7%.
2737
2738                                       baseline                  patched
2739
2740         stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
2741         stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster
2742
2743         * bytecode/ArrayProfile.cpp:
2744         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2745         * bytecode/ArrayProfile.h:
2746         (JSC::asArrayModes):
2747         We simplify asArrayModes instead of giving up the Int8ArrayMode - Float64ArrayMode contiguous sequence.
2748
2749         (JSC::ArrayProfile::ArrayProfile):
2750         (JSC::ArrayProfile::addressOfObservedIndexingModes):
2751         (JSC::ArrayProfile::observedIndexingModes const):
2752         Currently, our macro assembler and offlineasm only support the `or32` / `ori` operation on addresses.
2753         So we store the union of the seen IndexingModes in an `unsigned` instead.
2754
2755         * dfg/DFGArrayMode.cpp:
2756         (JSC::DFG::ArrayMode::fromObserved):
2757         * dfg/DFGArrayMode.h:
2758         (JSC::DFG::ArrayMode::withProfile const):
2759         * jit/JITCall.cpp:
2760         (JSC::JIT::compileOpCall):
2761         * jit/JITCall32_64.cpp:
2762         (JSC::JIT::compileOpCall):
2763         * jit/JITInlines.h:
2764         (JSC::JIT::emitArrayProfilingSiteWithCell):
2765         * llint/LowLevelInterpreter.asm:
2766         * llint/LowLevelInterpreter32_64.asm:
2767         * llint/LowLevelInterpreter64.asm:
2768
2769 2018-07-24  Tim Horton  <timothy_horton@apple.com>
2770
2771         Enable Web Content Filtering on watchOS
2772         https://bugs.webkit.org/show_bug.cgi?id=187979
2773         <rdar://problem/42559346>
2774
2775         Reviewed by Wenson Hsieh.
2776
2777         * Configurations/FeatureDefines.xcconfig:
2778
2779 2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>
2780
2781         Don't modify Options when setting JIT thread limits
2782         https://bugs.webkit.org/show_bug.cgi?id=187886
2783
2784         Reviewed by Filip Pizlo.
2785
2786         Previously, when setting the JIT thread limit prior to the worklist
2787         initialization, it'd be set via Options, which didn't work if Options
2788         hadn't been initialized yet. Change it to use a static variable in the
2789         Worklist instead.
2790
2791         * API/JSVirtualMachine.mm:
2792         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
2793         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
2794         * API/tests/testapi.mm:
2795         (testObjectiveCAPIMain):
2796         * dfg/DFGWorklist.cpp:
2797         (JSC::DFG::getNumberOfDFGCompilerThreads):
2798         (JSC::DFG::getNumberOfFTLCompilerThreads):
2799         (JSC::DFG::setNumberOfDFGCompilerThreads):
2800         (JSC::DFG::setNumberOfFTLCompilerThreads):
2801         (JSC::DFG::ensureGlobalDFGWorklist):
2802         (JSC::DFG::ensureGlobalFTLWorklist):
2803         * dfg/DFGWorklist.h:
2804
2805 2018-07-24  Mark Lam  <mark.lam@apple.com>
2806
2807         Refactoring: make DFG::Plan a class.
2808         https://bugs.webkit.org/show_bug.cgi?id=187968
2809
2810         Reviewed by Saam Barati.
2811
2812         This patch makes all the DFG::Plan fields private, and provides accessor methods
2813         for them.  This makes it easier to reason about how these fields are used and
2814         modified.
2815
2816         * dfg/DFGAbstractInterpreterInlines.h:
2817         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2818         * dfg/DFGByteCodeParser.cpp:
2819         (JSC::DFG::ByteCodeParser::handleCall):
2820         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2821         (JSC::DFG::ByteCodeParser::handleInlining):
2822         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2823         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2824         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
2825         (JSC::DFG::ByteCodeParser::handleGetById):
2826         (JSC::DFG::ByteCodeParser::handlePutById):
2827         (JSC::DFG::ByteCodeParser::parseBlock):
2828         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2829         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2830         (JSC::DFG::ByteCodeParser::parse):
2831         * dfg/DFGCFAPhase.cpp:
2832         (JSC::DFG::CFAPhase::run):
2833         (JSC::DFG::CFAPhase::injectOSR):
2834         * dfg/DFGClobberize.h:
2835         (JSC::DFG::clobberize):
2836         * dfg/DFGCommonData.cpp:
2837         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2838         * dfg/DFGCommonData.h:
2839         * dfg/DFGConstantFoldingPhase.cpp:
2840         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2841         * dfg/DFGDriver.cpp:
2842         (JSC::DFG::compileImpl):
2843         * dfg/DFGFinalizer.h:
2844         * dfg/DFGFixupPhase.cpp:
2845         (JSC::DFG::FixupPhase::fixupNode):
2846         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2847         * dfg/DFGGraph.cpp:
2848         (JSC::DFG::Graph::Graph):
2849         (JSC::DFG::Graph::watchCondition):
2850         (JSC::DFG::Graph::inferredTypeFor):
2851         (JSC::DFG::Graph::requiredRegisterCountForExit):
2852         (JSC::DFG::Graph::registerFrozenValues):
2853         (JSC::DFG::Graph::registerStructure):
2854         (JSC::DFG::Graph::registerAndWatchStructureTransition):
2855         (JSC::DFG::Graph::assertIsRegistered):
2856         * dfg/DFGGraph.h:
2857         (JSC::DFG::Graph::compilation):
2858         (JSC::DFG::Graph::identifiers):
2859         (JSC::DFG::Graph::watchpoints):
2860         * dfg/DFGJITCompiler.cpp:
2861         (JSC::DFG::JITCompiler::JITCompiler):
2862         (JSC::DFG::JITCompiler::link):
2863         (JSC::DFG::JITCompiler::compile):
2864         (JSC::DFG::JITCompiler::compileFunction):
2865         (JSC::DFG::JITCompiler::disassemble):
2866         * dfg/DFGJITCompiler.h:
2867         (JSC::DFG::JITCompiler::addWeakReference):
2868         * dfg/DFGJITFinalizer.cpp:
2869         (JSC::DFG::JITFinalizer::finalize):
2870         (JSC::DFG::JITFinalizer::finalizeFunction):
2871         (JSC::DFG::JITFinalizer::finalizeCommon):
2872         * dfg/DFGOSREntrypointCreationPhase.cpp:
2873         (JSC::DFG::OSREntrypointCreationPhase::run):
2874         * dfg/DFGPhase.cpp:
2875         (JSC::DFG::Phase::beginPhase):
2876         * dfg/DFGPhase.h:
2877         (JSC::DFG::runAndLog):
2878         * dfg/DFGPlan.cpp:
2879         (JSC::DFG::Plan::Plan):
2880         (JSC::DFG::Plan::computeCompileTimes const):
2881         (JSC::DFG::Plan::reportCompileTimes const):
2882         (JSC::DFG::Plan::compileInThread):
2883         (JSC::DFG::Plan::compileInThreadImpl):
2884         (JSC::DFG::Plan::isStillValid):
2885         (JSC::DFG::Plan::reallyAdd):
2886         (JSC::DFG::Plan::notifyCompiling):
2887         (JSC::DFG::Plan::notifyReady):
2888         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2889         (JSC::DFG::Plan::finalizeAndNotifyCallback):
2890         (JSC::DFG::Plan::key):
2891         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2892         (JSC::DFG::Plan::finalizeInGC):
2893         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2894         (JSC::DFG::Plan::cancel):
2895         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
2896         * dfg/DFGPlan.h:
2897         (JSC::DFG::Plan::canTierUpAndOSREnter const):
2898         (JSC::DFG::Plan::vm const):
2899         (JSC::DFG::Plan::codeBlock):
2900         (JSC::DFG::Plan::mode const):
2901         (JSC::DFG::Plan::osrEntryBytecodeIndex const):
2902         (JSC::DFG::Plan::mustHandleValues const):
2903         (JSC::DFG::Plan::threadData const):
2904         (JSC::DFG::Plan::compilation const):
2905         (JSC::DFG::Plan::finalizer const):
2906         (JSC::DFG::Plan::setFinalizer):
2907         (JSC::DFG::Plan::inlineCallFrames const):
2908         (JSC::DFG::Plan::watchpoints):
2909         (JSC::DFG::Plan::identifiers):
2910         (JSC::DFG::Plan::weakReferences):
2911         (JSC::DFG::Plan::transitions):
2912         (JSC::DFG::Plan::recordedStatuses):
2913         (JSC::DFG::Plan::willTryToTierUp const):
2914         (JSC::DFG::Plan::setWillTryToTierUp):
2915         (JSC::DFG::Plan::tierUpInLoopHierarchy):
2916         (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
2917         (JSC::DFG::Plan::stage const):
2918         (JSC::DFG::Plan::callback const):
2919         (JSC::DFG::Plan::setCallback):
2920         * dfg/DFGPlanInlines.h:
2921         (JSC::DFG::Plan::iterateCodeBlocksForGC):
2922         * dfg/DFGPreciseLocalClobberize.h:
2923         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2924         * dfg/DFGPredictionInjectionPhase.cpp:
2925         (JSC::DFG::PredictionInjectionPhase::run):
2926         * dfg/DFGSafepoint.cpp:
2927         (JSC::DFG::Safepoint::Safepoint):
2928         (JSC::DFG::Safepoint::~Safepoint):
2929         (JSC::DFG::Safepoint::begin):
2930         * dfg/DFGSafepoint.h:
2931         * dfg/DFGSpeculativeJIT.h:
2932         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
2933         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
2934         * dfg/DFGStackLayoutPhase.cpp:
2935         (JSC::DFG::StackLayoutPhase::run):
2936         * dfg/DFGStrengthReductionPhase.cpp:
2937         (JSC::DFG::StrengthReductionPhase::handleNode):
2938         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2939         (JSC::DFG::TierUpCheckInjectionPhase::run):
2940         * dfg/DFGTypeCheckHoistingPhase.cpp:
2941         (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
2942         * dfg/DFGWorklist.cpp:
2943         (JSC::DFG::Worklist::isActiveForVM const):
2944         (JSC::DFG::Worklist::compilationState):
2945         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2946         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2947         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
2948         (JSC::DFG::Worklist::visitWeakReferences):
2949         (JSC::DFG::Worklist::removeDeadPlans):
2950         (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
2951         * dfg/DFGWorklistInlines.h:
2952         (JSC::DFG::Worklist::iterateCodeBlocksForGC):
2953         * ftl/FTLCompile.cpp:
2954         (JSC::FTL::compile):
2955         * ftl/FTLFail.cpp:
2956         (JSC::FTL::fail):
2957         * ftl/FTLJITFinalizer.cpp:
2958         (JSC::FTL::JITFinalizer::finalizeCommon):
2959         * ftl/FTLLink.cpp:
2960         (JSC::FTL::link):
2961         * ftl/FTLLowerDFGToB3.cpp:
2962         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2963         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2964         (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
2965         * ftl/FTLState.cpp:
2966         (JSC::FTL::State::State):
2967
2968 2018-07-24  Saam Barati  <sbarati@apple.com>
2969
2970         Make VM::canUseJIT an inlined function
2971         https://bugs.webkit.org/show_bug.cgi?id=187583
2972
2973         Reviewed by Mark Lam.
2974
2975         We know the answer to this query in initializeThreading after initializing
2976         the executable allocator. This patch makes it so that we just hold this value
2977         in a static variable and have an inlined function that just returns the value
2978         of that static variable.
2979
2980         * runtime/InitializeThreading.cpp:
2981         (JSC::initializeThreading):
2982         * runtime/VM.cpp:
2983         (JSC::VM::computeCanUseJIT):
2984         (JSC::VM::canUseJIT): Deleted.
2985         * runtime/VM.h:
2986         (JSC::VM::canUseJIT):
2987
2988 2018-07-24  Mark Lam  <mark.lam@apple.com>
2989
2990         Placate exception check verification after recent changes.
2991         https://bugs.webkit.org/show_bug.cgi?id=187961
2992         <rdar://problem/42545394>
2993
2994         Reviewed by Saam Barati.
2995
2996         * runtime/IntlObject.cpp:
2997         (JSC::intlNumberOption):
2998
2999 2018-07-23  Saam Barati  <sbarati@apple.com>
3000
3001         need to didFoldClobberWorld when we constant fold GetByVal
3002         https://bugs.webkit.org/show_bug.cgi?id=187917
3003         <rdar://problem/42505095>
3004
3005         Reviewed by Yusuke Suzuki.
3006
3007         * dfg/DFGAbstractInterpreterInlines.h:
3008         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3009
3010 2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>
3011
3012         [INTL] Language tags are not canonicalized
3013         https://bugs.webkit.org/show_bug.cgi?id=185836
3014
3015         Reviewed by Keith Miller.
3016
3017         Canonicalize language tags, replacing deprecated tag parts with the
3018         preferred values. Remove broken support for algorithmic numbering systems,
3019         which can cause an error in ICU and are not supported in other engines.
3020
3021         Generate the lookup functions from the language-subtag-registry.
3022
3023         Also initialize the UNumberFormat in initializeNumberFormat so any
3024         failures are thrown immediately instead of failing to format later.
3025
3026         * CMakeLists.txt:
3027         * DerivedSources.make:
3028         * JavaScriptCore.xcodeproj/project.pbxproj:
3029         * Scripts/generateIntlCanonicalizeLanguage.py: Added.
3030         * runtime/IntlDateTimeFormat.cpp:
3031         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3032         * runtime/IntlNumberFormat.cpp:
3033         (JSC::IntlNumberFormat::initializeNumberFormat):
3034         (JSC::IntlNumberFormat::formatNumber):
3035         (JSC::IntlNumberFormat::formatToParts):
3036         (JSC::IntlNumberFormat::createNumberFormat): Deleted.
3037         * runtime/IntlNumberFormat.h:
3038         * runtime/IntlObject.cpp:
3039         (JSC::intlNumberOption):
3040         (JSC::intlDefaultNumberOption):
3041         (JSC::preferredLanguage):
3042         (JSC::preferredRegion):
3043         (JSC::canonicalLangTag):
3044         (JSC::canonicalizeLanguageTag):
3045         (JSC::defaultLocale):
3046         (JSC::removeUnicodeLocaleExtension):
3047         (JSC::numberingSystemsForLocale):
3048         (JSC::grandfatheredLangTag): Deleted.
3049         * runtime/IntlObject.h:
3050         * runtime/IntlPluralRules.cpp:
3051         (JSC::IntlPluralRules::initializePluralRules):
3052         * runtime/JSGlobalObject.cpp:
3053         (JSC::addMissingScriptLocales):
3054         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
3055         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
3056         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
3057         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
3058         * ucd/language-subtag-registry.txt: Added.
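
The canonicalization this entry describes, as an added illustration that is not JavaScriptCore's generated code: subtag case is normalized (language lower, script title, region upper), whole grandfathered tags and deprecated language or region subtags are replaced by the registry's Preferred-Value, and a malformed tag yields an empty string (assumption: the caller turns that into the RangeError the Intl constructors throw). The lookup tables are a small constructed subset of the IANA language-subtag-registry rather than the generated data, and extension and private-use sequences are kept as-is rather than sorted.

```cpp
// Added illustration of BCP 47 language tag canonicalization; not JSC's code.
// The registry tables are a constructed subset of the IANA registry.
#include <cctype>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

namespace {

// Whole deprecated (grandfathered/redundant) tags, lower-cased, -> Preferred-Value.
const std::map<std::string, std::string>& grandfatheredPreferred()
{
    static const std::map<std::string, std::string> table = {
        { "i-klingon", "tlh" }, { "art-lojban", "jbo" }, { "zh-hakka", "hak" }, { "no-nyn", "nn" },
    };
    return table;
}

// Deprecated language subtags -> Preferred-Value (constructed subset).
const std::map<std::string, std::string>& languagePreferred()
{
    static const std::map<std::string, std::string> table = {
        { "iw", "he" }, { "in", "id" }, { "ji", "yi" }, { "jw", "jv" }, { "mo", "ro" },
    };
    return table;
}

// Deprecated region subtags (upper-cased) -> Preferred-Value (constructed subset).
const std::map<std::string, std::string>& regionPreferred()
{
    static const std::map<std::string, std::string> table = {
        { "BU", "MM" }, { "DD", "DE" }, { "ZR", "CD" }, { "TP", "TL" },
    };
    return table;
}

std::string toLower(std::string s)
{
    for (char& c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

std::string toUpper(std::string s)
{
    for (char& c : s)
        c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
    return s;
}

std::string toTitle(std::string s)
{
    s = toLower(s);
    if (!s.empty())
        s[0] = static_cast<char>(std::toupper(static_cast<unsigned char>(s[0])));
    return s;
}

template<typename Pred>
bool allChars(const std::string& s, Pred pred)
{
    if (s.empty())
        return false;
    for (unsigned char c : s)
        if (!pred(c))
            return false;
    return true;
}

bool isAlpha(const std::string& s) { return allChars(s, [](unsigned char c) { return std::isalpha(c) != 0; }); }
bool isDigit(const std::string& s) { return allChars(s, [](unsigned char c) { return std::isdigit(c) != 0; }); }
bool isAlnum(const std::string& s) { return allChars(s, [](unsigned char c) { return std::isalnum(c) != 0; }); }

// Split on '-' keeping empty pieces, so "en--US" and "en-" are visibly malformed.
std::vector<std::string> splitSubtags(const std::string& tag)
{
    std::vector<std::string> parts;
    std::string current;
    for (char c : tag) {
        if (c == '-') {
            parts.push_back(current);
            current.clear();
        } else
            current += c;
    }
    parts.push_back(current);
    return parts;
}

} // namespace

// Returns the canonical form, or "" when the tag is not well formed.
std::string canonicalizeLanguageTag(const std::string& input)
{
    const std::string lowered = toLower(input);

    // Grandfathered and redundant tags are matched as a whole before any parsing.
    auto whole = grandfatheredPreferred().find(lowered);
    if (whole != grandfatheredPreferred().end())
        return whole->second;

    std::vector<std::string> parts = splitSubtags(lowered);
    for (const std::string& part : parts)
        if (part.empty() || part.size() > 8)
            return "";

    // language: 2-3 letters (ISO 639) or 5-8 letters (registered); 4 letters is reserved.
    std::string language = parts[0];
    if (!isAlpha(language) || language.size() < 2 || language.size() == 4)
        return "";
    auto lang = languagePreferred().find(language);
    if (lang != languagePreferred().end())
        language = lang->second;
    std::string out = language;
    size_t i = 1;

    // script: exactly 4 letters, title case.
    if (i < parts.size() && parts[i].size() == 4 && isAlpha(parts[i]))
        out += "-" + toTitle(parts[i++]);

    // region: 2 letters or 3 digits, upper case, with deprecated codes replaced.
    if (i < parts.size() && ((parts[i].size() == 2 && isAlpha(parts[i])) || (parts[i].size() == 3 && isDigit(parts[i])))) {
        std::string region = toUpper(parts[i++]);
        auto reg = regionPreferred().find(region);
        if (reg != regionPreferred().end())
            region = reg->second;
        out += "-" + region;
    }

    // variants: 5-8 alphanumerics, or 4 characters starting with a digit.
    for (; i < parts.size(); ++i) {
        const std::string& p = parts[i];
        bool isVariant = (p.size() >= 5 && isAlnum(p))
            || (p.size() == 4 && std::isdigit(static_cast<unsigned char>(p[0])) && isAlnum(p));
        if (!isVariant)
            break;
        out += "-" + p;
    }

    // Extensions and private use (singleton-introduced): kept lower-cased, not sorted.
    for (; i < parts.size(); ++i) {
        if (!isAlnum(parts[i]))
            return "";
        out += "-" + parts[i];
    }
    return out;
}

int main()
{
    const char* samples[] = { "IW-latn-il", "en-us", "I-KLINGON", "sr-Latn-ZR", "en--US" };
    for (const char* s : samples)
        std::printf("%-12s -> \"%s\"\n", s, canonicalizeLanguageTag(s).c_str());
    return 0;
}
```

Canonicalizing before any lookup is what makes the later steps well defined: locale negotiation and the ICU calls downstream key on the canonical string, so `IW-latn-il` has to select the same locale data as `he-Latn-IL`, and a tag that cannot be parsed is rejected up front rather than being handed to ICU.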
3059
3060 2018-07-23  Mark Lam  <mark.lam@apple.com>
3061
3062         Add some asserts to help diagnose a crash.
3063         https://bugs.webkit.org/show_bug.cgi?id=187915
3064         <rdar://problem/42508166>
3065
3066         Reviewed by Michael Saboff.
3067
3068         Add some asserts to verify that a CodeBlock alternative should always have a
3069         non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
3070         CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
3071         so that we'll retain the state of the variables that failed the assertion (again
3072         to help with diagnosis).
3073
3074         * bytecode/CodeBlock.cpp:
3075         (JSC::CodeBlock::setAlternative):
3076         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
3077         * dfg/DFGPlan.cpp:
3078         (JSC::DFG::Plan::Plan):
3079
3080 2018-07-23  Filip Pizlo  <fpizlo@apple.com>
3081
3082         Unreviewed, fix no-JIT build.
3083
3084         * bytecode/CallLinkStatus.cpp:
3085         (JSC::CallLinkStatus::computeFor):
3086         * bytecode/CodeBlock.cpp:
3087         (JSC::CodeBlock::finalizeUnconditionally):
3088         * bytecode/GetByIdStatus.cpp:
3089         (JSC::GetByIdStatus::computeFor):
3090         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3091         * bytecode/InByIdStatus.cpp:
3092         * bytecode/PutByIdStatus.cpp:
3093         (JSC::PutByIdStatus::computeForStubInfo):
3094
3095 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3096
3097         [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
3098         https://bugs.webkit.org/show_bug.cgi?id=187891
3099
3100         Reviewed by Saam Barati.
3101
3102         When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
3103         two variants are mergeable but have "Miss" status. We make merging fail if
3104         the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
3105         if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in the FTL,
3106         since that patch has more chances to merge variants.
3107
3108         This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
3109         is not related since it does not use this check in the Transition case.
3110
3111         * bytecode/GetByIdVariant.cpp:
3112         (JSC::GetByIdVariant::attemptToMerge):
3113         * bytecode/InByIdVariant.cpp:
3114         (JSC::InByIdVariant::attemptToMerge):
3115
3116 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3117
3118         [DFG] Fold GetByVal if the indexed value is non configurable and non writable
3119         https://bugs.webkit.org/show_bug.cgi?id=186462
3120
3121         Reviewed by Saam Barati.
3122
3123         Non-special DontDelete | ReadOnly properties mean that they won't be changed. If the DFG AI can retrieve such a
3124         property, the AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
3125         Tagged templates' callsites include indexed properties whose attributes are DontDelete | ReadOnly.
3126
3127         This patch attempts to fold such properties into constants in the DFG AI. The challenge is that the DFG AI runs
3128         concurrently with the mutator thread. In this patch, we insert a WTF::storeStoreFence between value setting
3129         and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
3130         attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
3131         changed and we can safely use it. We arrange our existing code to use this protocol.
3132
3133         Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled on the x86 architecture,
3134         since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only on x86.
3135
3136         This patch improves SixSpeed/template_string_tag.es6.
3137
3138                                           baseline                  patched
3139
3140         template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster
3141
3142         * dfg/DFGAbstractInterpreterInlines.h:
3143         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3144         * runtime/JSArray.cpp:
3145         (JSC::JSArray::setLengthWithArrayStorage):
3146         * runtime/JSObject.cpp:
3147         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
3148         (JSC::JSObject::deletePropertyByIndex):
3149         (JSC::JSObject::getOwnPropertyNames):
3150         (JSC::putIndexedDescriptor):
3151         (JSC::JSObject::defineOwnIndexedProperty):
3152         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
3153         (JSC::JSObject::putIndexedDescriptor): Deleted.
3154         * runtime/JSObject.h:
3155         * runtime/SparseArrayValueMap.cpp:
3156         (JSC::SparseArrayValueMap::SparseArrayValueMap):
3157         (JSC::SparseArrayValueMap::add):
3158         (JSC::SparseArrayValueMap::putDirect):
3159         (JSC::SparseArrayValueMap::getConcurrently):
3160         (JSC::SparseArrayEntry::get const):
3161         (JSC::SparseArrayEntry::getConcurrently const):
3162         (JSC::SparseArrayEntry::put):
3163         (JSC::SparseArrayEntry::getNonSparseMode const):
3164         (JSC::SparseArrayValueMap::visitChildren):
3165         (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
3166         * runtime/SparseArrayValueMap.h:
3167         (JSC::SparseArrayEntry::SparseArrayEntry):
3168         (JSC::SparseArrayEntry::attributes const):
3169         (JSC::SparseArrayEntry::forceSet):
3170         (JSC::SparseArrayEntry::asValue):
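
The value/attributes publication protocol this entry describes, as an added illustration rather than JSC's SparseArrayValueMap code: the mutator stores the value, fences, then stores the attributes; the concurrent compiler thread loads the attributes, fences, then loads the value, and folds only when the attributes prove the property can never change again. `std::atomic` release/acquire fences stand in for WTF::storeStoreFence and WTF::loadLoadFence (assumption: same intent, though the C++ fences are not restricted to x86 the way the entry's are). The attribute bit values, the SparseEntry layout and the check functions are invented for the example.

```cpp
// Added illustration of the value-then-attributes publication protocol; not JSC's code.
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <thread>

// Attribute bits named after the ones in the entry; the bit values are
// illustrative, not JSC's PropertyAttribute encoding.
constexpr unsigned kReadOnly   = 1u << 0;
constexpr unsigned kDontDelete = 1u << 1;
constexpr unsigned kAccessor   = 1u << 2;

// One slot of a sparse index map: the mutator writes it, and a compiler
// thread may read it concurrently without taking any lock.
struct SparseEntry {
    std::atomic<std::uint64_t> value { 0 };  // stand-in for the stored JSValue bits
    std::atomic<unsigned> attributes { 0 };
};

struct FoldResult {
    bool folded;
    std::uint64_t value;
};

// Mutator side. The value must become visible before the attributes that vouch
// for it: store value, store-store fence, store attributes.
void putEntry(SparseEntry& entry, std::uint64_t value, unsigned attributes)
{
    entry.value.store(value, std::memory_order_relaxed);
    std::atomic_thread_fence(std::memory_order_release); // stands in for WTF::storeStoreFence()
    entry.attributes.store(attributes, std::memory_order_relaxed);
}

// Compiler side. Load attributes first, then (after the load-load fence) the value.
// Only a non-accessor entry that is both ReadOnly and DontDelete can never change
// again, so only then is the loaded value safe to fold into a constant.
FoldResult getConcurrently(const SparseEntry& entry)
{
    unsigned attributes = entry.attributes.load(std::memory_order_relaxed);
    std::atomic_thread_fence(std::memory_order_acquire); // stands in for WTF::loadLoadFence()
    const unsigned frozen = kReadOnly | kDontDelete;
    if ((attributes & frozen) != frozen || (attributes & kAccessor))
        return { false, 0 };
    return { true, entry.value.load(std::memory_order_relaxed) };
}

// Sequential replay of the race window: between the value store and the attribute
// store the reader must refuse to fold; afterwards it must see the new value.
bool replayRaceWindow()
{
    SparseEntry entry;
    putEntry(entry, 1, kReadOnly);            // still deletable: not foldable
    if (getConcurrently(entry).folded)
        return false;
    entry.value.store(42, std::memory_order_relaxed); // first half of putEntry(entry, 42, frozen)
    if (getConcurrently(entry).folded)        // attributes still say "may change"
        return false;
    std::atomic_thread_fence(std::memory_order_release);
    entry.attributes.store(kReadOnly | kDontDelete, std::memory_order_relaxed);
    FoldResult r = getConcurrently(entry);
    return r.folded && r.value == 42;
}

// A getter/setter pair is immutable as a property but its value bits are not a constant.
bool accessorNeverFolds()
{
    SparseEntry entry;
    putEntry(entry, 7, kReadOnly | kDontDelete | kAccessor);
    return !getConcurrently(entry).folded;
}

// Multi-threaded check: a reader that folds must see the value published with the
// flags, never a stale one. Returns the number of bad observations (expected 0).
unsigned stressPublication(unsigned rounds)
{
    unsigned violations = 0;
    for (unsigned round = 1; round <= rounds; ++round) {
        SparseEntry entry;
        std::atomic<bool> go { false };
        std::thread reader([&] {
            while (!go.load(std::memory_order_acquire)) { }
            for (;;) {
                FoldResult r = getConcurrently(entry);
                if (r.folded) {
                    if (r.value != round)
                        ++violations;
                    return;
                }
            }
        });
        go.store(true, std::memory_order_release);
        putEntry(entry, round, kReadOnly | kDontDelete);
        reader.join();
    }
    return violations;
}

int main()
{
    std::printf("race window handled: %s\n", replayRaceWindow() ? "yes" : "no");
    std::printf("accessor never folded: %s\n", accessorNeverFolds() ? "yes" : "no");
    std::printf("violations over 1000 rounds: %u\n", stressPublication(1000));
    return 0;
}
```

The ordering is the whole point: if the reader loaded the value before the attributes, or the writer stored the attributes first, a compiler thread could pair DontDelete | ReadOnly with a stale value and bake that stale value into optimized code as a constant, which the mutator would then never be able to correct.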
3171
3172 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
3173
3174         We should support CreateThis in the FTL
3175         https://bugs.webkit.org/show_bug.cgi?id=164904
3176
3177         Reviewed by Yusuke Suzuki.
3178         
3179         This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
3180         inference adventure.
3181         
3182         CreateThis in the FTL was a massive regression in raytrace because it disturbed that
3183         benchmark's extremely perverse way of winning at type inference:
3184         
3185         - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
3186           the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
3187           benchmark was falling back to other mechanisms...
3188         
3189         - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
3190           see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
3191           GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
3192           that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
3193           The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
3194           is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
3195           
3196           Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
3197           into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
3198           baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
3199           helper because it had a CreateThis.
3200         
3201         - Compilations that inlined the construction helper would have gotten super lucky with
3202           parse-time constant folding, so they knew what structure the input to the get_by_id would
3203           have at parse time. This is only profitable if the get_by_id parsing computed a
3204           GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
3205           the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
3206           cases, we would indeed get a finite number of cases. The parser would then prune those
3207           cases to just one - based on its knowledge of the structure - and that would result in that
3208           get_by_id being folded at parse time to a constant.
3209         
3210         - The subsequent op_call would inline based on parse-time knowledge of that constant.
3211         
3212         This patch comprehensively fixes these issues, as well as other issues that come up along the
3213         way. The short version is that raytrace was revealing sloppiness in our use of profiling for
3214         type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
3215         i.e. the profiling that considers call context. I was encouraged to do this by the fact that
3216         even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
3217         Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
3218         attack raytrace's problem as a shortcoming of polyvariant profiling.
3219         
3220         - Polyvariant profiling now consults every DFG or FTL code block that participated in any
3221           subset of the inline stack that includes the IC we're profiling. For example, if we have
3222           an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
3223           compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
3224           up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
3225           a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
3226           polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
3227           from polyvariant profiling. Previously, the polyvariant profiler would only look at the
3228           previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
3229           had inlined bar and then baz. It may not have done that, because those calls could have
3230           required polyvariant profiling that was only available in the FTL.
3231           
3232         - A particularly interesting case is when some IC in foo-baseline is also available in
3233           foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
3234           In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
3235           the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
3236           find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
3237           merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
3238           because it warns us of historical polymorphism. Historical polymorphism usually means
3239           future polymorphism. IC status code already had some merging functionality, but I needed to
3240           beef it up a lot to make this work right.
3241         
3242         - Inlining an inline cache now preserves as much information as profiling. One challenge of
3243           polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
3244           inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
3245           (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
3246           say "I don't have such an IC". At this point the DFG compilation that included that IC that
3247           gave us the information that we used to inline the IC is no longer alive. To keep us from
3248           losing the information we learned about the IC, there is now a RecordedStatuses data
3249           structure that preserves the statuses we use for inlining ICs. We also filter those
3250           statuses according to things we learn from AI. This further reduces the risk of information
3251           about an IC being forgotten.
3252         
3253         - Exit profiling now considers whether or not an exit happened from inline code. This
3254           protects us in the case where the not-inlined version of an IC exited a lot because of
3255           polymorphism that doesn't exist in the inlined version. So, when using polyvariant
3256           profiling data, we consider only inlined exits.
3257         
3258         - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
3259           would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
3260           surprising that we've had this bug.
3261         
3262         Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
3263         microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
3264         Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
3265         prototype access folding in the bytecode parser and constant folder. That would require some
3266         significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
3267         have a test that captures raytrace's behavior in the case that the parser cannot fold the
3268         get_by_id.
3269         
3270         This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
3271         recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
3272         compile time regression anytime we fill in FTL coverage.
3273         
3274         This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
3275         speeds up and that raytrace slows down, but these changes balance out and don't affect the
3276         overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
3277         or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
3278         0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
3279         see a significant difference. In all three cases the difference is <0.5% with a high p value,
3280         with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
3281         an insignificant infinitesimal slow-down.
3282         
3283         Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
3284         eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
3285         flow in a polymorphic constructor while having a bad time, and we'll still compile it.
3286
3287         * CMakeLists.txt:
3288         * JavaScriptCore.xcodeproj/project.pbxproj:
3289         * Sources.txt:
3290         * bytecode/ByValInfo.h:
3291         * bytecode/BytecodeDumper.cpp:
3292         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
3293         (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
3294         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
3295         (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
3296         (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
3297         (JSC::BytecodeDumper<Block>::printCallOp):
3298         (JSC::BytecodeDumper<Block>::dumpBytecode):
3299         (JSC::BytecodeDumper<Block>::dumpBlock):
3300         * bytecode/BytecodeDumper.h:
3301         * bytecode/CallLinkInfo.h:
3302         * bytecode/CallLinkStatus.cpp:
3303         (JSC::CallLinkStatus::computeFor):
3304         (JSC::CallLinkStatus::computeExitSiteData):
3305         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3306         (JSC::CallLinkStatus::accountForExits):
3307         (JSC::CallLinkStatus::finalize):
3308         (JSC::CallLinkStatus::filter):
3309