89ca52e6de1165947dee335605232f577712cbd0
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove getTypedArrayImpl
        https://bugs.webkit.org/show_bug.cgi?id=187338

        Reviewed by Mark Lam.

        getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
        is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
        This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.

        * runtime/ClassInfo.h:
        * runtime/GenericTypedArrayView.h:
        (JSC::GenericTypedArrayView::data const): Deleted.
        (JSC::GenericTypedArrayView::set): Deleted.
        (JSC::GenericTypedArrayView::setRange): Deleted.
        (JSC::GenericTypedArrayView::zeroRange): Deleted.
        (JSC::GenericTypedArrayView::zeroFill): Deleted.
        (JSC::GenericTypedArrayView::length const): Deleted.
        (JSC::GenericTypedArrayView::item const): Deleted.
        (JSC::GenericTypedArrayView::set const): Deleted.
        (JSC::GenericTypedArrayView::setNative const): Deleted.
        (JSC::GenericTypedArrayView::getRange): Deleted.
        (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
        (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::possiblySharedImpl):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
        * runtime/JSCell.cpp:
        (JSC::JSCell::getTypedArrayImpl): Deleted.
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getTypedArrayImpl): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.

2018-07-10  Keith Miller  <keith_miller@apple.com>

        hasOwnProperty returns true for out of bounds property index on TypedArray
        https://bugs.webkit.org/show_bug.cgi?id=187520

        Reviewed by Saam Barati.

        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):

2018-07-10  Michael Saboff  <msaboff@apple.com>

        DFG JIT: compileMathIC produces incorrect machine code
        https://bugs.webkit.org/show_bug.cgi?id=187537

        Reviewed by Saam Barati.

        Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
        fall back to the fast path generator which handles such cases.

        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateInline):

2018-07-10  Filip Pizlo  <fpizlo@apple.com>

        Change the reoptimization backoff base to 1.3 from 2
        https://bugs.webkit.org/show_bug.cgi?id=187540

        Reviewed by Saam Barati.

        I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.

        I also have data that hints that a backoff base of 1 might be even better, but I think that
        we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::reoptimizationRetryCounter const):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::adjustedCounterValue):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2018-07-10  Mark Lam  <mark.lam@apple.com>

        [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
        https://bugs.webkit.org/show_bug.cgi?id=187362
        <rdar://problem/42027210>

        Reviewed by Saam Barati.

        On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
        value to use for initializing unused properties.  Updated an assertion to account
        for this.

        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):

2018-07-10  Michael Saboff  <msaboff@apple.com>

        YARR: . doesn't match non-BMP Unicode characters in some cases
        https://bugs.webkit.org/show_bug.cgi?id=187248

        Reviewed by Geoffrey Garen.

        The safety check in optimizeAlternative() for moving character classes that only consist of BMP
        characters did not take into account that the character class is inverted.  In this case, we
        represent '.' as "not a newline" using the newline character class with an inverted check.
        Clearly that includes non-BMP characters.

        The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
        inverted use of that character class.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::optimizeAlternative):

2018-07-09  Mark Lam  <mark.lam@apple.com>

        Add --traceLLIntExecution and --traceLLIntSlowPath options.
        https://bugs.webkit.org/show_bug.cgi?id=187479

        Reviewed by Yusuke Suzuki and Saam Barati.

        These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.

        The details:
        1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
        2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
           This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
           continually spammed with logging until we rebuild.
        3. Fixed slow path LLINT tracing to work with exception check validation.

        * llint/LLIntCommon.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::slowPathLog):
        (JSC::LLInt::slowPathLn):
        (JSC::LLInt::slowPathLogF):
        (JSC::LLInt::slowPathLogLn):
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        * runtime/Options.h:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=187477

        Reviewed by Mark Lam.

        Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
        However, it is not necessary since JSCells can reside in a constant buffer.
        This patch embeds RegExp* in a constant buffer in UnlinkedCodeBlock and CodeBlock, and removes the RegExp
        vector from RareData.

        We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        (JSC::regexpToSourceString): Deleted.
        (JSC::regexpName): Deleted.
        (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
        * bytecode/BytecodeDumper.h:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::regexp const): Deleted.
        (JSC::CodeBlock::numberOfRegExps const): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
        (JSC::UnlinkedCodeBlock::regexp const): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewRegExp):
        (JSC::BytecodeGenerator::addRegExp): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_regexp):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure const):
        * runtime/RegExp.cpp:
        (JSC::regexpToSourceString):
        (JSC::RegExp::dumpToStream):
        * runtime/RegExp.h:

2018-07-09  Brian Burg  <bburg@apple.com>

        REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
        https://bugs.webkit.org/show_bug.cgi?id=187350
        <rdar://problem/41728249>

        Reviewed by Matt Baker.

        Add a new command that toggles whether or not to blackbox internal scripts.
        If blackboxed, the scripts will not be shown to the frontend and the debugger will
        not pause in source frames from blackboxed scripts. Sometimes we want to break into
        those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
        that injects scripts.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/protocol/Debugger.json:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make some data members of UnlinkedCodeBlock private
        https://bugs.webkit.org/show_bug.cgi?id=187467

        Reviewed by Mark Lam.

        This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
        We also remove m_numCapturedVars since it is no longer used.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
        https://bugs.webkit.org/show_bug.cgi?id=187465

        Reviewed by Keith Miller.

        ProxyableAccessCase is allocated so frequently and it persists for so long. Reducing the size
        of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.

        This patch uses a somewhat complicated layout to reduce ProxyableAccessCase. We add an unused bool member
        in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
        of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
        from 104 to 96 since it inherits ProxyableAccessCase.

        * bytecode/AccessCase.h:
        (JSC::AccessCase::viaProxy const):
        (JSC::AccessCase::AccessCase):
        * bytecode/ProxyableAccessCase.cpp:
        (JSC::ProxyableAccessCase::ProxyableAccessCase):
        * bytecode/ProxyableAccessCase.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for debug builds after r233630
        https://bugs.webkit.org/show_bug.cgi?id=187441

        * jit/JIT.cpp:
        (JSC::JIT::frameRegisterCountFor):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of CodeBlock to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187441

        Reviewed by Mark Lam.

        Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
        We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
        Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.

        We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeUseDef.h:
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numVars const):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::numVars const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct const):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jit/JIT.cpp:
        (JSC::JIT::frameRegisterCountFor):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOperations.cpp:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCJSValue.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize padding of UnlinkedCodeBlock to shrink
        https://bugs.webkit.org/show_bug.cgi?id=187448

        Reviewed by Saam Barati.

        We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
        These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.

        * bytecode/CodeType.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::codeType const):
        (JSC::UnlinkedCodeBlock::didOptimize const):
        (JSC::UnlinkedCodeBlock::setDidOptimize):
        * bytecode/VirtualRegister.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize padding of InferredTypeTable by using cellLock
        https://bugs.webkit.org/show_bug.cgi?id=187447

        Reviewed by Mark Lam.

        Use cellLock() in InferredTypeTable to guard changes of internal structures.
        This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
        reduce the size of InferredTypeTable from 40 to 32.

        * runtime/InferredTypeTable.cpp:
        (JSC::InferredTypeTable::visitChildren):
        (JSC::InferredTypeTable::get):
        (JSC::InferredTypeTable::willStoreValue):
        (JSC::InferredTypeTable::makeTop):
        * runtime/InferredTypeTable.h:
        Use enum class and `using`. Also remove `isEmpty()` since it is not used.

        * runtime/Structure.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of SourceProvider to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187440

        Reviewed by Mark Lam.

        Arrange members of SourceProvider to reduce the size from 80 to 72.

        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::SourceProvider):
        * parser/SourceProvider.h:

2018-07-08  Mark Lam  <mark.lam@apple.com>

        PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
        https://bugs.webkit.org/show_bug.cgi?id=187444
        <rdar://problem/41282849>

        Reviewed by Saam Barati.

        PropertyTable supports C++ iteration by offering begin() and end() methods, and
        an iterator class.  The begin() methods and the iterator operator++() method use
        PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
        However, PropertyTable::skipDeletedEntries() does not prevent the iteration
        pointer from being incremented past the end of the table.  As a result, we can
        iterate past the end of the table.  Note that the C++ iteration protocol tests
        for the iterator not being equal to the end() value.  It does not do a <= test.
        If the iterator ever shoots past end, the loop will effectively not terminate.

        This issue can manifest if and only if the last entry in the table is a deleted
        one, and the key field of the PropertyMapEntry shaped space at the end of the
        table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
        value.

        No test because manifesting this issue requires uncontrollable happenstance where
        memory just beyond the end of the table looks like a deleted entry.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::begin):
        (JSC::PropertyTable::end):
        (JSC::PropertyTable::begin const):
        (JSC::PropertyTable::end const):
        (JSC::PropertyTable::skipDeletedEntries):

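The iteration hazard described in the PropertyTable entry above, reproduced in a self-contained toy (an added example, not WebKit's PropertyTable code). ToyEntry, kDeletedKey, IterationResult and the two skip functions are names invented here; the sample buffer is constructed so that the slot just past the table happens to hold the deleted-entry key, and carries one more non-tombstone slot so the pre-fix walk terminates inside the buffer instead of reading arbitrary memory.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not WebKit code: a toy slot array with tombstones that mirrors
// the shape of the bug. Names below are invented for this example.
struct ToyEntry {
    uintptr_t key;  // 0 = never used, kDeletedKey = tombstone, anything else = live
    int value;
};

constexpr uintptr_t kDeletedKey = 1;  // stand-in for PROPERTY_MAP_DELETED_ENTRY_KEY

// Pre-fix shape: skip tombstones with no knowledge of where the table ends. If
// the table's last slot is a tombstone and the bytes just past the table also
// look like one, this walks straight past `end`.
ToyEntry* skipDeletedEntriesUnbounded(ToyEntry* valuePtr)
{
    while (valuePtr->key == kDeletedKey)
        ++valuePtr;
    return valuePtr;
}

// Fixed shape: never advance past `end`, whatever lies beyond it.
ToyEntry* skipDeletedEntriesBounded(ToyEntry* valuePtr, ToyEntry* end)
{
    while (valuePtr < end && valuePtr->key == kDeletedKey)
        ++valuePtr;
    return valuePtr;
}

struct IterationResult {
    int sum;         // sum of live values visited
    size_t visited;  // live entries visited
    bool overran;    // iterator left [begin, end): the bug firing
};

// Drives the table the way C++ range iteration does: begin() skips leading
// tombstones, operator++ skips tombstones after each step, and the loop test is
// `it != end`, never `it <= end`. The range check inside the loop exists only so
// the demo can report an escape instead of dereferencing an out-of-table pointer.
template <typename Skip>
IterationResult iterate(ToyEntry* begin, ToyEntry* end, Skip skip)
{
    IterationResult r { 0, 0, false };
    for (ToyEntry* it = skip(begin, end); it != end; it = skip(it + 1, end)) {
        if (it < begin || it > end) {
            r.overran = true;
            break;
        }
        r.sum += it->value;
        ++r.visited;
    }
    return r;
}

// Constructed sample: a 3-slot table whose last slot is a tombstone, followed by
// two slots that are NOT part of the table but model the memory right after it:
// one that happens to hold kDeletedKey (the "uncontrollable happenstance") and a
// non-tombstone slot so the unbounded walk stops inside the buffer.
static std::vector<ToyEntry> makeSample()
{
    return {
        { 0x1000, 10 }, { 0x2000, 20 }, { kDeletedKey, 0 },  // the table proper
        { kDeletedKey, 0 }, { 0x3000, 999 },                 // beyond-the-end memory
    };
}
constexpr size_t kTableSlots = 3;

IterationResult runUnbounded()
{
    std::vector<ToyEntry> slots = makeSample();
    ToyEntry* begin = slots.data();
    ToyEntry* end = begin + kTableSlots;
    return iterate(begin, end, [](ToyEntry* p, ToyEntry*) { return skipDeletedEntriesUnbounded(p); });
}

IterationResult runBounded()
{
    std::vector<ToyEntry> slots = makeSample();
    ToyEntry* begin = slots.data();
    ToyEntry* end = begin + kTableSlots;
    return iterate(begin, end, skipDeletedEntriesBounded);
}

int main()
{
    IterationResult u = runUnbounded();
    IterationResult b = runBounded();
    std::printf("unbounded: sum=%d visited=%zu overran=%d\n", u.sum, u.visited, u.overran);
    std::printf("bounded:   sum=%d visited=%zu overran=%d\n", b.sum, b.visited, b.overran);
    return 0;
}
```

Both walks visit the same two live entries; the difference is only what happens at the trailing tombstone. The unbounded skip lands one slot beyond `end`, so the `!=` loop test can never become true again and the iterator is now reading outside the table, which is why the fix compares against `end` inside the skip itself rather than relying on the loop condition.
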
2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of SymbolTable to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187437

        Reviewed by Mark Lam.

        Arrange the layout of SymbolTable to reduce the size from 88 to 72.

        * runtime/SymbolTable.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of RegExp to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187438

        Reviewed by Mark Lam.

        Reduce the size of RegExp from 168 to 144.

        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        * runtime/RegExp.h:
        * runtime/RegExpKey.h:
        * yarr/YarrErrorCode.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of ValueProfile to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187439

        Reviewed by Mark Lam.

        Reduce the size of ValueProfile from 40 to 32 by reordering members.

        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::ValueProfileBase):

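The series of padding-reduction entries above (AccessCase/ProxyableAccessCase, CodeBlock, UnlinkedCodeBlock, SourceProvider, SymbolTable, RegExp, ValueProfile) all apply one of three layout techniques. The following is an added illustration of those techniques in isolation, not WebKit code; the types NaiveLayout, PackedLayout, WideState, NarrowState, BaseCase and DerivedCase are invented for it, and the asserted sizes are the ones guaranteed on any ABI rather than the specific byte counts quoted in the entries.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Added example, not WebKit code. All types here are invented to show the three
// layout techniques the ChangeLog entries above apply to CodeBlock,
// UnlinkedCodeBlock, AccessCase and friends.

// 1. Member ordering. A member's offset is rounded up to its alignment, so every
//    1-byte member that precedes a pointer drags (alignof(void*) - 1) bytes of
//    padding behind it. Grouping the pointers first and the small members last
//    pays that cost once, at the tail.
struct NaiveLayout {
    uint8_t kind;   // followed by padding up to the pointer's alignment
    void* first;
    uint8_t flags;  // same again
    void* second;
};

struct PackedLayout {
    void* first;
    void* second;
    uint8_t kind;
    uint8_t flags;  // whatever padding remains is all at the tail
};

// Sum of the members' own sizes, identical for both layouts above.
constexpr size_t kPayloadBytes = 2 * sizeof(void*) + 2 * sizeof(uint8_t);

// Padding a layout carries = its sizeof minus the bytes its members actually use.
constexpr size_t paddingBytes(size_t objectSize, size_t payloadBytes)
{
    return objectSize - payloadBytes;
}

static_assert(sizeof(PackedLayout) < sizeof(NaiveLayout), "reordering must shrink the object");

// 2. Enum width. Without an explicit underlying type an enum class is as wide as
//    int; fixing it to uint8_t shrinks every field (and every Vector element) of
//    that type, which is what the CodeType / TriState / SourceCodeRepresentation
//    changes do.
enum class WideState { False, True, Indeterminate };
enum class NarrowState : uint8_t { False, True, Indeterminate };

static_assert(sizeof(NarrowState) == 1, "fixed underlying type is one byte");

// 3. Reusing base-class padding. Whether a derived class may place its own
//    members in the base's tail padding depends on the ABI (and on whether the
//    base counts as POD there), so a flag declared in the derived class can cost a
//    whole alignment unit. Declaring the flag in the base, inside bytes that were
//    already padding, and letting the derived class use it makes the derived
//    object exactly as large as the base regardless of ABI.
struct BaseCase {
    void* structure;
    uint8_t type;
    bool viaProxy;  // sits in what was padding after `type`; only DerivedCase sets it

    BaseCase(void* s, uint8_t t, bool proxy) : structure(s), type(t), viaProxy(proxy) {}
};

struct DerivedCase : BaseCase {
    // No data members of its own; it borrows `viaProxy` from the base.
    DerivedCase(void* s, uint8_t t, bool proxy) : BaseCase(s, t, proxy) {}
    bool isViaProxy() const { return viaProxy; }
};

static_assert(sizeof(DerivedCase) == sizeof(BaseCase), "flag in base padding adds nothing");

int main()
{
    std::printf("NaiveLayout  %zu bytes (%zu padding)\n", sizeof(NaiveLayout),
        paddingBytes(sizeof(NaiveLayout), kPayloadBytes));
    std::printf("PackedLayout %zu bytes (%zu padding)\n", sizeof(PackedLayout),
        paddingBytes(sizeof(PackedLayout), kPayloadBytes));
    std::printf("WideState %zu, NarrowState %zu\n", sizeof(WideState), sizeof(NarrowState));
    std::printf("BaseCase %zu, DerivedCase %zu\n", sizeof(BaseCase), sizeof(DerivedCase));
    return 0;
}
```

On a 64-bit target the two static_asserts correspond to 32 versus 24 bytes for the first pair and an unchanged size for the derived class; the same reordering discipline, applied to a class with dozens of members, is what takes CodeBlock from 552 to 544 and UnlinkedCodeBlock from 304 to 288 in the entries above.
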
2018-07-05  Saam Barati  <sbarati@apple.com>

        ProgramExecutable may be collected as we checkSyntax on it
        https://bugs.webkit.org/show_bug.cgi?id=187359
        <rdar://problem/41832135>

        Reviewed by Mark Lam.

        The bug was that we were passing in a reference to the SourceCode field on ProgramExecutable as
        the ProgramExecutable itself may be collected. The fix here is to make a copy
        of the field instead of passing in a reference inside of ParserError::toErrorObject.

        No new tests here as this was already caught by our iOS JSC testers.

        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):

2018-07-04  Tim Horton  <timothy_horton@apple.com>

        Introduce PLATFORM(IOSMAC)
        https://bugs.webkit.org/show_bug.cgi?id=187315

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * Configurations/FeatureDefines.xcconfig:

2018-07-03  Mark Lam  <mark.lam@apple.com>

        [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
        https://bugs.webkit.org/show_bug.cgi?id=187255
        <rdar://problem/41785257>

        Reviewed by Saam Barati.

        The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
        too: basically, do what the 64-bit code is doing.  At present, this change only
        serves to pacify an assertion.  It is not needed for correctness because the
        concurrent GC is not used on 32-bit builds.

        This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
        test.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):

2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
        https://bugs.webkit.org/show_bug.cgi?id=187290

        Reviewed by Saam Barati.

        slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
        we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
        is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
        easily calculated from JSType.
        This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::elementSize):
        (JSC::JSArrayBufferView::slowDownAndWasteMemory):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedBuffer):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory): Deleted.
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.

2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Regular expressions with ".?" expressions at the start and the end match the entire string
        https://bugs.webkit.org/show_bug.cgi?id=119191

        Reviewed by Michael Saboff.

        r90962 optimized regular expressions in the form of /.*abc.*/ by looking
        for "abc" first and then processing the leading and trailing dot stars
        to find the beginning and the end of the match. However, it erroneously
        enabled this optimization for regular expressions whose leading or
        trailing dots had quantifiers that were not of arbitrary length, e.g.,
        /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
        match the entire string when it shouldn't. This patch disables the
        optimization for those cases.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):

2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        RegExp.exec returns wrong value with a long integer quantifier
        https://bugs.webkit.org/show_bug.cgi?id=187042

        Reviewed by Saam Barati.

        Prior to this patch, the Yarr parser checked for integer overflow when
        parsing quantifiers in regular expressions by adding one digit at a time
        to a number and checking if the result got larger. This is wrong;
        the parser would fail to detect overflow when parsing, for example,
        10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.

        Another issue was that once it detected overflow, it stopped consuming
        the remaining digits. Since it didn't find the closing bracket, it
        parsed the quantifier as a normal string instead.

        This patch fixes these issues by reading all the digits and checking for
        overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
        returns the largest possible value (quantifyInfinite in this case). This
        matches Chrome [1], Firefox [2], and Edge [3].

        [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
        [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
        [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::consumeNumber):

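The two quantifier-parsing defects described in the entry above, side by side with the fixed strategy, as an added example that is not Yarr's own parser. quantifyInfinite is the page's name for the saturated value; ParsedNumber, consumeNumberNaive, consumeNumberChecked, Quantifier and parseBraceQuantifier are names invented here, and the hand-written overflow test stands in for Checked<unsigned, RecordOverflow>.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <string>

// Added example, not WebKit's Yarr parser: a toy quantifier-number parser that
// contrasts the broken and the fixed overflow strategies from the entry above.
constexpr unsigned quantifyInfinite = std::numeric_limits<unsigned>::max();

struct ParsedNumber {
    unsigned value;         // parsed value (saturated to quantifyInfinite by the checked version)
    size_t digitsConsumed;  // how many leading characters of the input were consumed as digits
    bool overflowed;
};

static bool isDigit(char c) { return c >= '0' && c <= '9'; }

// Broken strategy: multiply-add one digit at a time in plain unsigned arithmetic
// and call it overflow only if the running value got smaller. A wrap that lands
// above the previous value goes unnoticed, and the first detected wrap stops
// consumption so the remaining digits are left in the input.
ParsedNumber consumeNumberNaive(const std::string& s)
{
    unsigned n = 0;
    size_t i = 0;
    for (; i < s.size() && isDigit(s[i]); ++i) {
        unsigned next = n * 10 + static_cast<unsigned>(s[i] - '0');  // wraps modulo 2^32
        if (next < n)
            return { n, i, true };  // stops early; s[i..] is still unconsumed
        n = next;
    }
    return { n, i, false };
}

// Fixed strategy: consume every digit, test for overflow before each multiply-add
// (the hand-rolled equivalent of Checked<unsigned, RecordOverflow>), and saturate
// to quantifyInfinite if any step overflowed.
ParsedNumber consumeNumberChecked(const std::string& s)
{
    unsigned n = 0;
    size_t i = 0;
    bool overflowed = false;
    for (; i < s.size() && isDigit(s[i]); ++i) {
        unsigned digit = static_cast<unsigned>(s[i] - '0');
        // n * 10 + digit fits in unsigned iff n <= (UINT_MAX - digit) / 10
        if (overflowed || n > (std::numeric_limits<unsigned>::max() - digit) / 10)
            overflowed = true;  // keep consuming digits so the caller still finds '}'
        else
            n = n * 10 + digit;
    }
    return { overflowed ? quantifyInfinite : n, i, overflowed };
}

struct Quantifier {
    bool wellFormed;  // false => the '{' would be treated as a literal character
    unsigned min;
    unsigned max;
};

// Parses "{n}", "{n,}" or "{n,m}" at the start of `s` with the supplied number
// consumer. Shows why stopping early matters: leftover digits mean the closing
// '}' is never reached and the quantifier degrades to literal text.
Quantifier parseBraceQuantifier(const std::string& s, ParsedNumber (*consume)(const std::string&))
{
    Quantifier q { false, 0, 0 };
    if (s.empty() || s[0] != '{')
        return q;
    size_t pos = 1;
    ParsedNumber lo = consume(s.substr(pos));
    if (!lo.digitsConsumed)
        return q;
    pos += lo.digitsConsumed;
    q.min = q.max = lo.value;
    if (pos < s.size() && s[pos] == ',') {
        ++pos;
        ParsedNumber hi = consume(s.substr(pos));
        pos += hi.digitsConsumed;
        q.max = hi.digitsConsumed ? hi.value : quantifyInfinite;  // "{n,}" means no upper bound
    }
    if (pos >= s.size() || s[pos] != '}')
        return q;  // e.g. the naive consumer stopped mid-number, so "{4294967296}" never reaches '}'
    q.wellFormed = true;
    return q;
}

int main()
{
    ParsedNumber a = consumeNumberNaive("10000000003");
    ParsedNumber b = consumeNumberChecked("10000000003");
    std::printf("naive:   value=%u digits=%zu overflowed=%d\n", a.value, a.digitsConsumed, a.overflowed);
    std::printf("checked: value=%u digits=%zu overflowed=%d\n", b.value, b.digitsConsumed, b.overflowed);
    return 0;
}
```

The two constructed inputs exercise each defect separately: `10000000003` wraps to a value larger than the previous partial sum, so the naive check never fires and a wrong quantifier is accepted; `4294967296` does trigger the naive check, but the early return leaves a digit in front of the closing brace, so the whole quantifier is demoted to literal text. The checked version saturates to quantifyInfinite in both cases and still finds the brace.
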
2018-07-02  Keith Miller  <keith_miller@apple.com>

        InstanceOf IC should do generic if the prototype is not an object.
        https://bugs.webkit.org/show_bug.cgi?id=187250

        Reviewed by Mark Lam.

        The old code was wrong for two reasons. First, the AccessCase expected that
        the prototype value would be non-null. Second, we would end up returning
        false instead of throwing an exception.

        * jit/Repatch.cpp:
        (JSC::tryCacheInstanceOf):

2018-07-01  Mark Lam  <mark.lam@apple.com>

        Builtins and host functions should get their own structures.
        https://bugs.webkit.org/show_bug.cgi?id=187211
        <rdar://problem/41646336>

        Reviewed by Saam Barati.

        JSFunctions do lazy reification of properties, but ordinary functions apply
        different rules of property reification than builtin and host functions.  Hence,
        we should give builtins and host functions their own structures.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::selectStructureForNewFuncExp):
        (JSC::JSFunction::create):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::hostFunctionStructure const):
        (JSC::JSGlobalObject::arrowFunctionStructure const):
        (JSC::JSGlobalObject::sloppyFunctionStructure const):
        (JSC::JSGlobalObject::strictFunctionStructure const):

2018-07-01  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
        <https://webkit.org/b/187233>

        Reviewed by Mark Lam.

        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition): Add struct member
        initialization. Simplify default constructor.
        (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
        union to the beginning to make it easy to zero out all fields.
        (JSC::JSTokenLocation::JSTokenLocation): Add struct member
        initialization.  Simplify default constructor.  Note that
        `endOffset` was not being initialized previously.
        (JSC::JSTextPosition::JSToken): Add struct member initialization
        where necessary.
        * runtime/IntlObject.cpp:
        (JSC::MatcherResult): Add struct member initialization.

2018-06-23  Darin Adler  <darin@apple.com>

        [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=186973

        Reviewed by Dan Bernstein.

        * API/JSContext.mm:
        (WeakContextRef::WeakContextRef): Deleted.
        (WeakContextRef::~WeakContextRef): Deleted.
        (WeakContextRef::get): Deleted.
        (WeakContextRef::set): Deleted.

        * API/JSContextInternal.h: Removed unneeded header guards since this is
        an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
        of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
        since neither is used outside the class implementation.

        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]): Use a bridging cast.
        (-[JSManagedValue dealloc]): Ditto.
        (-[JSManagedValue didAddOwner:]): Ditto.
        (-[JSManagedValue didRemoveOwner:]): Ditto.
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
        (JSManagedValueHandleOwner::finalize): Ditto.
        * API/JSValue.mm:
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
        (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
        (-[JSValue valueForProperty:]): Ditto.
        (-[JSValue setValue:forProperty:]): Ditto.
        (-[JSValue deleteProperty:]): Ditto.
        (-[JSValue hasProperty:]): Ditto.
        (-[JSValue invokeMethod:withArguments:]): Ditto.
        (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
        (valueToArray): Ditto.
        (valueToDictionary): Ditto.
        (objectToValueWithoutCopy): Ditto.
        (objectToValue): Ditto.
        * API/JSVirtualMachine.mm:
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
        (-[JSVirtualMachine isOldExternalObject:]): Ditto.
        (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
        (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
        (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
        (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
        (scanExternalObjectGraph): Ditto.
        (scanExternalRememberedSet): Ditto.
        * API/JSWrapperMap.mm:
        (makeWrapper): Ditto.
        (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
        (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
        (tryUnwrapObjcObject): Ditto.
        * API/ObjCCallbackFunction.mm:
        (blockSignatureContainsClass): Ditto.
        (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
        sure we will be keeping this the same way under ARC.
        (objCCallbackFunctionForBlock): Use a bridging cast.

        * API/ObjcRuntimeExtras.h:
        (protocolImplementsProtocol): Use a more specific type that includes the
        explicit __unsafe_unretained for copied protocol lists.
        (forEachProtocolImplementingProtocol): Ditto.

        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
        (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.

        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
        CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
        (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
        (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
        (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.

2018-06-30  Adam Barth  <abarth@webkit.org>

        Port JavaScriptCore to OS(FUCHSIA)
        https://bugs.webkit.org/show_bug.cgi?id=187223

        Reviewed by Daniel Bates.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
        * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
        (JSC::MachineContext::stackPointerImpl):
        (JSC::MachineContext::framePointerImpl):
        (JSC::MachineContext::instructionPointerImpl):
        (JSC::MachineContext::argumentPointer<1>):
727         (JSC::MachineContext::llintInstructionPointer):
728
729 2018-06-30  David Kilzer  <ddkilzer@apple.com>
730
731         Fix clang static analyzer warnings: Garbage return value
732         <https://webkit.org/b/187224>
733
734         Reviewed by Eric Carlson.
735
736         * bytecode/UnlinkedCodeBlock.cpp:
737         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
738         - Use brace initialization for local variables.
739         * debugger/DebuggerCallFrame.cpp:
740         (class JSC::LineAndColumnFunctor):
741         - Use class member initialization for member variables.
742
743 2018-06-29  Saam Barati  <sbarati@apple.com>
744
745         Unreviewed. Try to fix Windows build after r233377
746
747         * builtins/BuiltinExecutables.cpp:
748         (JSC::BuiltinExecutables::createExecutable):
749
750 2018-06-29  Saam Barati  <sbarati@apple.com>
751
752         Don't use tracePoints in JS/Wasm entry
753         https://bugs.webkit.org/show_bug.cgi?id=187196
754
755         Reviewed by Mark Lam.
756
757         This puts VM entry and Wasm entry tracePoints behind a runtime
758         option. This is a ~4x speedup on a soon-to-be-released Wasm
759         benchmark. tracePoints should basically never run more than 50
760         times a second. Entering the VM and entering Wasm are user controlled,
761         and can happen hundreds of thousands of times in a second. Depending
762         on how the Wasm/JS code is structured, this can be disastrous for
763         performance.
764
765         * runtime/Options.h:
766         * runtime/VMEntryScope.cpp:
767         (JSC::VMEntryScope::VMEntryScope):
768         (JSC::VMEntryScope::~VMEntryScope):
769         * wasm/WasmBBQPlan.cpp:
770         (JSC::Wasm::BBQPlan::compileFunctions):
771         * wasm/js/WebAssemblyFunction.cpp:
772         (JSC::callWebAssemblyFunction):
773
774 2018-06-29  Saam Barati  <sbarati@apple.com>
775
776         We shouldn't recurse into the parser when gathering metadata about various function offsets
777         https://bugs.webkit.org/show_bug.cgi?id=184074
778         <rdar://problem/37165897>
779
780         Reviewed by Mark Lam.
781
782         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
783         for that builtin. This required calling into the parser. However, the parser
784         may throw a stack overflow. We were not able to recover from that. The only
785         reason we called into the parser here is that we were gathering text offsets
786         and various metadata for things in the builtin function. This patch writes a
787         mini parser that figures this information out without calling into the full
788         parser. (I've also added a debug assert that verifies the mini parser stays in
789         sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
790         always succeeds.
791
792         * builtins/AsyncFromSyncIteratorPrototype.js:
793         (globalPrivate.createAsyncFromSyncIterator):
794         (globalPrivate.AsyncFromSyncIteratorConstructor):
795         * builtins/BuiltinExecutables.cpp:
796         (JSC::BuiltinExecutables::createExecutable):
797         * builtins/GlobalOperations.js:
798         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
799         (globalPrivate.speciesConstructor):
800         (globalPrivate.copyDataProperties):
801         (globalPrivate.copyDataPropertiesNoExclusions):
802         * builtins/PromiseOperations.js:
803         (globalPrivate.newHandledRejectedPromise):
804         * builtins/RegExpPrototype.js:
805         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
806         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
807         * builtins/StringPrototype.js:
808         (globalPrivate.hasObservableSideEffectsForStringReplace):
809         (globalPrivate.getDefaultCollator):
810         * parser/Nodes.cpp:
811         (JSC::FunctionMetadataNode::FunctionMetadataNode):
812         (JSC::FunctionMetadataNode::operator== const):
813         (JSC::FunctionMetadataNode::dump const):
814         * parser/Nodes.h:
815         * parser/Parser.h:
816         (JSC::parse):
817         * parser/ParserError.h:
818         (JSC::ParserError::type const):
819         * parser/ParserTokens.h:
820         (JSC::JSTextPosition::operator== const):
821         (JSC::JSTextPosition::operator!= const):
822         * parser/SourceCode.h:
823         (JSC::SourceCode::operator== const):
824         (JSC::SourceCode::operator!= const):
825         (JSC::SourceCode::subExpression const):
826         (JSC::SourceCode::subExpression): Deleted.
827
828 2018-06-28  Michael Saboff  <msaboff@apple.com>
829
830         IsoCellSet::sweepToFreeList() not safe when Full GC in process
831         https://bugs.webkit.org/show_bug.cgi?id=187157
832
833         Reviewed by Mark Lam.
834
835         * heap/IsoCellSet.cpp:
836         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
837         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
838         or not we are in the process of marking during a full GC.
839         * heap/MarkedBlock.h:
840         * heap/MarkedBlockInlines.h:
841         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
842
843 2018-06-27  Saam Barati  <sbarati@apple.com>
844
845         Add some more register state information when we crash in repatchPutById
846         https://bugs.webkit.org/show_bug.cgi?id=187112
847
848         Reviewed by Mark Lam.
849
850         This will help us gather info when we end up seeing a ObjectPropertyConditionSet
851         with an offset that is different than what the put tells us.
852
853         * jit/Repatch.cpp:
854         (JSC::tryCachePutByID):
855
856 2018-06-27  Mark Lam  <mark.lam@apple.com>
857
858         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
859         https://bugs.webkit.org/show_bug.cgi?id=187119
860
861         Reviewed by Keith Miller.
862
863         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
864         should be checking for codeBlock instead of !codeBlock
865         before using the codeBlock.
866
867         I also renamed some other "print" functions to use "dump" instead
868         to match their underlying C++ code that they will call e.g.
869         CodeBlock::dumpSource().
870
871         * tools/JSDollarVM.cpp:
872         (WTF::JSDollarVMCallFrame::finishCreation):
873         (JSC::functionDumpSourceFor):
874         (JSC::functionDumpBytecodeFor):
875         (JSC::doPrint):
876         (JSC::functionDataLog):
877         (JSC::functionPrint):
878         (JSC::functionDumpCallFrame):
879         (JSC::functionDumpStack):
880         (JSC::JSDollarVM::finishCreation):
881         (JSC::functionPrintSourceFor): Deleted.
882         (JSC::functionPrintBytecodeFor): Deleted.
883         (JSC::doPrintln): Deleted.
884         (JSC::functionPrintln): Deleted.
885         (JSC::functionPrintCallFrame): Deleted.
886         (JSC::functionPrintStack): Deleted.
887         * tools/VMInspector.cpp:
888         (JSC::DumpFrameFunctor::DumpFrameFunctor):
889         (JSC::DumpFrameFunctor::operator() const):
890         (JSC::VMInspector::dumpCallFrame):
891         (JSC::VMInspector::dumpStack):
892         (JSC::VMInspector::dumpValue):
893         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
894         (JSC::PrintFrameFunctor::operator() const): Deleted.
895         (JSC::VMInspector::printCallFrame): Deleted.
896         (JSC::VMInspector::printStack): Deleted.
897         (JSC::VMInspector::printValue): Deleted.
898         * tools/VMInspector.h:
899
900 2018-06-27  Keith Miller  <keith_miller@apple.com>
901
902         Add logging to try to diagnose where we get a null structure.
903         https://bugs.webkit.org/show_bug.cgi?id=187106
904
905         Reviewed by Mark Lam.
906
907         Add a logging to JSObject::toPrimitive to help diagnose a nullptr
908         structure crash.
909
910         This code should be removed when we fix <rdar://problem/33451840>
911
912         * runtime/JSObject.cpp:
913         (JSC::callToPrimitiveFunction):
914         * runtime/JSObject.h:
915         (JSC::JSObject::getPropertySlot):
916
917 2018-06-27  Mark Lam  <mark.lam@apple.com>
918
919         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
920         https://bugs.webkit.org/show_bug.cgi?id=187091
921         <rdar://problem/41395624>
922
923         Reviewed by Yusuke Suzuki.
924
925         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
926         take their slow paths, the slow path would jump back to the fast path right after
927         the emitted code which clears the unused property values.  As a result, the
928         unused properties are not initialized.  We've fixed this by adding the slow path
929         generators before we emit the code to clear the unused properties.
930
931         * dfg/DFGSpeculativeJIT.cpp:
932         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
933         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
934
935 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
936
937         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
938         https://bugs.webkit.org/show_bug.cgi?id=185943
939
940         Reviewed by Mark Lam.
941
942         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
943         the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
944         the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
945         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
946
947         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
948         but it should be done in a separate patch since it would be performance sensitive.
949
950         * bytecompiler/NodesCodegen.cpp:
951         (JSC::ArrayPatternNode::emitDirectBinding):
952
953 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
954
955         [JSC] Pass VM& to functions more
956         https://bugs.webkit.org/show_bug.cgi?id=186241
957
958         Reviewed by Mark Lam.
959
960         This patch threads VM& to functions requiring VM& more.
961
962         * API/JSObjectRef.cpp:
963         (JSObjectIsConstructor):
964         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
965         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
966         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
967         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
968         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
969         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
970         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
971         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
972         * bytecode/CodeBlockJettisoningWatchpoint.h:
973         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
974         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
975         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
976         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
977         * bytecode/StructureStubClearingWatchpoint.cpp:
978         (JSC::StructureStubClearingWatchpoint::fireInternal):
979         * bytecode/StructureStubClearingWatchpoint.h:
980         * bytecode/Watchpoint.cpp:
981         (JSC::Watchpoint::fire):
982         (JSC::WatchpointSet::fireAllWatchpoints):
983         * bytecode/Watchpoint.h:
984         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
985         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
986         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
987         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
988         (JSC::DFG::AdaptiveStructureWatchpoint::install):
989         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
990         * dfg/DFGAdaptiveStructureWatchpoint.h:
991         * dfg/DFGDesiredWatchpoints.cpp:
992         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
993         * llint/LLIntSlowPaths.cpp:
994         (JSC::LLInt::setupGetByIdPrototypeCache):
995         * runtime/ArrayPrototype.cpp:
996         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
997         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
998         * runtime/ECMAScriptSpecInternalFunctions.cpp:
999         (JSC::esSpecIsConstructor):
1000         * runtime/FunctionRareData.cpp:
1001         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
1002         * runtime/FunctionRareData.h:
1003         * runtime/InferredStructureWatchpoint.cpp:
1004         (JSC::InferredStructureWatchpoint::fireInternal):
1005         * runtime/InferredStructureWatchpoint.h:
1006         * runtime/InternalFunction.cpp:
1007         (JSC::InternalFunction::createSubclassStructureSlow):
1008         * runtime/InternalFunction.h:
1009         (JSC::InternalFunction::createSubclassStructure):
1010         * runtime/JSCJSValue.h:
1011         * runtime/JSCJSValueInlines.h:
1012         (JSC::JSValue::isConstructor const):
1013         * runtime/JSCell.h:
1014         * runtime/JSCellInlines.h:
1015         (JSC::JSCell::isConstructor):
1016         (JSC::JSCell::methodTable const):
1017         * runtime/JSGlobalObject.cpp:
1018         (JSC::JSGlobalObject::init):
1019         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
1020         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
1021         * runtime/ProxyObject.cpp:
1022         (JSC::ProxyObject::finishCreation):
1023         * runtime/ReflectObject.cpp:
1024         (JSC::reflectObjectConstruct):
1025         * runtime/StructureRareData.cpp:
1026         (JSC::StructureRareData::setObjectToStringValue):
1027         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
1028         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
1029         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
1030
1031 2018-06-26  Mark Lam  <mark.lam@apple.com>
1032
1033         eval() is wrong about the LiteralParser never throwing any exceptions.
1034         https://bugs.webkit.org/show_bug.cgi?id=187074
1035         <rdar://problem/41461099>
1036
1037         Reviewed by Saam Barati.
1038
1039         Added the missing exception check, and removed an erroneous assertion.
1040
1041         * interpreter/Interpreter.cpp:
1042         (JSC::eval):
1043
1044 2018-06-26  Saam Barati  <sbarati@apple.com>
1045
1046         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
1047         https://bugs.webkit.org/show_bug.cgi?id=186878
1048         <rdar://problem/40568659>
1049
1050         Reviewed by Filip Pizlo.
1051
1052         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
1053         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
1054         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
1055         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
1056         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
1057         conservative scan knows to treat it like a butterfly when we may be
1058         pointing into the middle of it.
1059
1060         The way we were crashing on the stress GC bots is that our conservative marking
1061         won't do cell visiting for things that are Auxiliary. This meant that if the
1062         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
1063         that JSImmutableButterfly would not be visited. This is now fixed.
1064
1065         * bytecompiler/NodesCodegen.cpp:
1066         (JSC::ArrayNode::emitBytecode):
1067         * debugger/Debugger.cpp:
1068         * heap/ConservativeRoots.cpp:
1069         (JSC::ConservativeRoots::genericAddPointer):
1070         * heap/Heap.cpp:
1071         (JSC::GatherHeapSnapshotData::operator() const):
1072         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
1073         (JSC::Heap::globalObjectCount):
1074         (JSC::Heap::objectTypeCounts):
1075         (JSC::Heap::deleteAllCodeBlocks):
1076         * heap/HeapCell.cpp:
1077         (WTF::printInternal):
1078         * heap/HeapCell.h:
1079         (JSC::isJSCellKind):
1080         (JSC::hasInteriorPointers):
1081         * heap/HeapUtil.h:
1082         (JSC::HeapUtil::findGCObjectPointersForMarking):
1083         (JSC::HeapUtil::isPointerGCObjectJSCell):
1084         * heap/MarkedBlock.cpp:
1085         (JSC::MarkedBlock::Handle::didAddToDirectory):
1086         * heap/SlotVisitor.cpp:
1087         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
1088         * runtime/JSGlobalObject.cpp:
1089         * runtime/JSImmutableButterfly.h:
1090         (JSC::JSImmutableButterfly::subspaceFor):
1091         * runtime/VM.cpp:
1092         (JSC::VM::VM):
1093         * runtime/VM.h:
1094         * tools/CellProfile.h:
1095         (JSC::CellProfile::CellProfile):
1096         (JSC::CellProfile::isJSCell const):
1097         * tools/HeapVerifier.cpp:
1098         (JSC::HeapVerifier::validateCell):
1099
1100 2018-06-26  Mark Lam  <mark.lam@apple.com>
1101
1102         Skip some unnecessary work in Interpreter::getStackTrace().
1103         https://bugs.webkit.org/show_bug.cgi?id=187070
1104
1105         Reviewed by Michael Saboff.
1106
1107         * interpreter/Interpreter.cpp:
1108         (JSC::Interpreter::getStackTrace):
1109
1110 2018-06-26  Mark Lam  <mark.lam@apple.com>
1111
1112         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
1113         https://bugs.webkit.org/show_bug.cgi?id=187060
1114         <rdar://problem/41452767>
1115
1116         Reviewed by Keith Miller.
1117
1118         JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
1119         write conversion.  Hence, we can return early after the conversion if the vector
1120         length is already sufficient to cover the requested length.
1121
1122         * runtime/JSObject.cpp:
1123         (JSC::JSObject::ensureLengthSlow):
1124
1125 2018-06-26  Commit Queue  <commit-queue@webkit.org>
1126
1127         Unreviewed, rolling out r233184.
1128         https://bugs.webkit.org/show_bug.cgi?id=187059
1129
1130         "It regressed JetStream between 5-8%" (Requested by saamyjoon
1131         on #webkit).
1132
1133         Reverted changeset:
1134
1135         "JSImmutableButterfly can't be allocated from a subspace with
1136         HeapCell::Kind::Auxiliary"
1137         https://bugs.webkit.org/show_bug.cgi?id=186878
1138         https://trac.webkit.org/changeset/233184
1139
1140 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
1141
1142         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
1143         https://bugs.webkit.org/show_bug.cgi?id=187051
1144
1145         Reviewed by Mark Lam.
1146
1147         Revert r233065 changes over UnlinkedCodeBlock.h to allow
1148         clang-3.8 to be able to compile this back (with libstdc++5).
1149
1150         * bytecode/UnlinkedCodeBlock.h:
1151         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
1152
1153 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
1154
1155         Fix testapi build when DFG_JIT is disabled
1156         https://bugs.webkit.org/show_bug.cgi?id=187038
1157
1158         Reviewed by Mark Lam.
1159
1160         r233158 added a new API and tests for configuring the number of JIT threads, but
1161         the API is only available when DFG_JIT is enabled and so should the tests.
1162
1163         * API/tests/testapi.mm:
1164         (runJITThreadLimitTests):
1165
1166 2018-06-25  Saam Barati  <sbarati@apple.com>
1167
1168         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
1169         https://bugs.webkit.org/show_bug.cgi?id=186878
1170         <rdar://problem/40568659>
1171
1172         Reviewed by Mark Lam.
1173
1174         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
1175         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
1176         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
1177         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
1178         bots is that our conservative marking won't do cell marking for things that
1179         are Auxiliary. This means that if the stack is the only thing pointing to a
1180         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
1181         not be visited. This patch fixes this bug. This patch also extends our conservative
1182         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
1183
1184         * bytecompiler/NodesCodegen.cpp:
1185         (JSC::ArrayNode::emitBytecode):
1186         * heap/HeapUtil.h:
1187         (JSC::HeapUtil::findGCObjectPointersForMarking):
1188         * runtime/JSImmutableButterfly.h:
1189         (JSC::JSImmutableButterfly::subspaceFor):
1190
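        The two JSImmutableButterfly entries above (2018-06-26 and 2018-06-25) describe the same failure mode. The toy model below is an added illustration, not JSC code: it follows the re-landed version with HeapCell::Kind::JSCellWithInteriorPointers, borrows only the kind names and the two predicate names (isJSCellKind, hasInteriorPointers) from the entry, and constructs its own addresses, cell layout and mark loop.

```cpp
// Toy model of conservative root scanning with HeapCell kinds. Constructed for
// this example; addresses are plain integers and are never dereferenced.
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

enum class HeapCellKind { JSCell, Auxiliary, JSCellWithInteriorPointers };

// Assumed semantics, modelled on the entry rather than copied from JSC: only
// JSCell kinds are "visited" (their children traced); Auxiliary and
// JSCellWithInteriorPointers may be referenced by a pointer into their middle.
constexpr bool isJSCellKind(HeapCellKind k)
{
    return k == HeapCellKind::JSCell || k == HeapCellKind::JSCellWithInteriorPointers;
}
constexpr bool hasInteriorPointers(HeapCellKind k)
{
    return k == HeapCellKind::Auxiliary || k == HeapCellKind::JSCellWithInteriorPointers;
}

struct ToyCell {
    uintptr_t start;              // constructed "address"
    size_t size;
    HeapCellKind kind;
    std::vector<size_t> children; // indices of cells this cell references
    bool marked = false;
};

class ToyHeap {
public:
    size_t add(uintptr_t start, size_t size, HeapCellKind kind, std::vector<size_t> children = {})
    {
        m_cells.push_back({start, size, kind, std::move(children), false});
        return m_cells.size() - 1;
    }

    bool isMarked(size_t index) const { return m_cells[index].marked; }

    // Conservative scan: each stack word that could be a pointer is resolved to
    // a cell. An exact cell start always resolves; a word pointing into the
    // middle resolves only for kinds that declare interior pointers.
    void scanConservativeRoots(const std::vector<uintptr_t>& stackWords)
    {
        std::vector<size_t> markStack;
        for (uintptr_t word : stackWords) {
            for (size_t i = 0; i < m_cells.size(); ++i) {
                ToyCell& c = m_cells[i];
                bool inside = word >= c.start && word < c.start + c.size;
                if (!inside || (word != c.start && !hasInteriorPointers(c.kind)))
                    continue;
                if (!c.marked) {
                    c.marked = true;
                    // The bug from the entry: an Auxiliary is kept alive but is
                    // never visited as a cell, so what it points to is not traced.
                    if (isJSCellKind(c.kind))
                        markStack.push_back(i);
                }
                break;
            }
        }
        // Transitive marking for the cells that were visited.
        while (!markStack.empty()) {
            size_t i = markStack.back();
            markStack.pop_back();
            for (size_t child : m_cells[i].children) {
                if (m_cells[child].marked)
                    continue;
                m_cells[child].marked = true;
                if (isJSCellKind(m_cells[child].kind))
                    markStack.push_back(child);
            }
        }
    }

private:
    std::vector<ToyCell> m_cells;
};

// Scenario from the entry: the stack is the only thing pointing at the
// butterfly cell, which in turn references one element object. Returns true
// when both the butterfly and its element survive the scan.
bool elementSurvives(HeapCellKind butterflyKind, bool pointIntoMiddle)
{
    ToyHeap heap;
    size_t element = heap.add(0x2000, 32, HeapCellKind::JSCell);
    size_t butterfly = heap.add(0x1000, 64, butterflyKind, {element});
    uintptr_t root = pointIntoMiddle ? 0x1000 + 16 : 0x1000;
    heap.scanConservativeRoots({root});
    return heap.isMarked(butterfly) && heap.isMarked(element);
}
```

        With the butterfly allocated as Auxiliary the element is lost even though the butterfly itself is kept; as JSCell it survives only via an exact pointer; as JSCellWithInteriorPointers it survives via an interior pointer as well.
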
1191 2018-06-25  Mark Lam  <mark.lam@apple.com>
1192
1193         constructArray() should set m_numValuesInVector to the specified length.
1194         https://bugs.webkit.org/show_bug.cgi?id=187010
1195         <rdar://problem/41392167>
1196
1197         Reviewed by Filip Pizlo.
1198
1199         Its client will fill in the storage vector with some values using initializeIndex()
1200         and expects m_numValuesInVector to be set to the length, i.e. the number of values
1201         to be initialized.
1202
1203         * runtime/JSArray.cpp:
1204         (JSC::constructArray):
1205
1206 2018-06-25  Mark Lam  <mark.lam@apple.com>
1207
1208         Add missing exception check in RegExpObjectInlines.h's collectMatches.
1209         https://bugs.webkit.org/show_bug.cgi?id=187006
1210         <rdar://problem/41418412>
1211
1212         Reviewed by Keith Miller.
1213
1214         * runtime/RegExpObjectInlines.h:
1215         (JSC::collectMatches):
1216
1217 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
1218
1219         Add API for configuring the number of threads used by DFG and FTL
1220         https://bugs.webkit.org/show_bug.cgi?id=186859
1221         <rdar://problem/41093519>
1222
1223         Reviewed by Filip Pizlo.
1224
1225         Add new private APIs for limiting the number of threads to be used by
1226         the DFG and FTL compilers. It was already possible to configure the
1227         limit through JSC Options, but now it can be changed at runtime, even
1228         in the case when the VM is already running.
1229
1230         Add a test for both cases: configuring the limit before and after the
1231         Worklist has been created. In order to simulate the first scenario, we
1232         must guarantee that the test runs at the very beginning, so I also added
1233         a check for that.
1234
1235         * API/JSVirtualMachine.mm:
1236         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
1237         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
1238         * API/JSVirtualMachinePrivate.h:
1239         * API/tests/testapi.mm:
1240         (runJITThreadLimitTests):
1241         (testObjectiveCAPIMain):
1242         * dfg/DFGWorklist.cpp:
1243         (JSC::DFG::Worklist::finishCreation):
1244         (JSC::DFG::Worklist::createNewThread):
1245         (JSC::DFG::Worklist::setNumberOfThreads):
1246         * dfg/DFGWorklist.h:
1247
1248 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1249
1250         [JSC] Remove unnecessary PLATFORM guards
1251         https://bugs.webkit.org/show_bug.cgi?id=186995
1252
1253         Reviewed by Mark Lam.
1254
1255         * assembler/AssemblerCommon.h:
1256         (JSC::isIOS):
1257         Add constexpr.
1258
1259         * inspector/JSGlobalObjectInspectorController.cpp:
1260         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1261         StackFrame works on all platforms. If StackFrame::demangle fails,
1262         it just returns std::nullopt, and that is correctly handled in this code.
1263
1264 2018-06-23  Mark Lam  <mark.lam@apple.com>
1265
1266         Add more debugging features to $vm.
1267         https://bugs.webkit.org/show_bug.cgi?id=186947
1268
1269         Reviewed by Keith Miller.
1270
1271         Adding the following features:
1272
1273             // We now have println in addition to print.
1274             // println automatically adds a '\n' at the end.
1275             $vm.println("Hello");
1276
1277             // We can now capture some info about a stack frame.
1278             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
1279             var callerCallerFrame = $vm.callFrame(2);
1280
1281             // We can inspect the following values associated with the frame:
1282             if (currentFrame.valid) {
1283                 $vm.println("name is ", currentFrame.name);
1284
1285                 // Note: For a WASM frame, all of these will be undefined.
1286                 $vm.println("callee is ", $vm.value(currentFrame.callee));
1287                 $vm.println("codeBlock is ", currentFrame.codeBlock);
1288                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
1289                 $vm.println("executable is ", currentFrame.executable);
1290             }
1291
1292             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
1293             // to dataLog its JSValue instead of its toString() result.
1294
1295             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
1296             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
1297             // toString on a non-object.
1298
1299             // Does what it says about enabling/disabling debugger mode.
1300             $vm.enableDebuggerModeWhenIdle();
1301             $vm.disableDebuggerModeWhenIdle();
1302
1303         * tools/JSDollarVM.cpp:
1304         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
1305         (WTF::JSDollarVMCallFrame::createStructure):
1306         (WTF::JSDollarVMCallFrame::create):
1307         (WTF::JSDollarVMCallFrame::finishCreation):
1308         (WTF::JSDollarVMCallFrame::addProperty):
1309         (JSC::functionCallFrame):
1310         (JSC::functionCodeBlockForFrame):
1311         (JSC::codeBlockFromArg):
1312         (JSC::doPrintln):
1313         (JSC::functionPrint):
1314         (JSC::functionPrintln):
1315         (JSC::changeDebuggerModeWhenIdle):
1316         (JSC::functionEnableDebuggerModeWhenIdle):
1317         (JSC::functionDisableDebuggerModeWhenIdle):
1318         (JSC::JSDollarVM::finishCreation):
1319
1320 2018-06-22  Keith Miller  <keith_miller@apple.com>
1321
1322         We need to have a getDirectConcurrently for use in the compilers
1323         https://bugs.webkit.org/show_bug.cgi?id=186954
1324
1325         Reviewed by Mark Lam.
1326
1327         It used to be that the propertyStorage of an object never shrank,
1328         so if you called getDirect with some offset it would never be an
1329         OOB read. However, this property storage can shrink when calling
1330         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
1331         holds the Structure's ConcurrentJSLock while shrinking. This patch
1332         adds a getDirectConcurrently that will safely try to load from the
1333         butterfly.
1334
1335         * bytecode/ObjectPropertyConditionSet.cpp:
1336         * bytecode/PropertyCondition.cpp:
1337         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1338         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
1339         * dfg/DFGGraph.cpp:
1340         (JSC::DFG::Graph::tryGetConstantProperty):
1341         * runtime/JSObject.h:
1342         (JSC::JSObject::getDirectConcurrently const):
1343
1344 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1345
1346         [WTF] Use Ref<> for the result type of non-failing factory functions
1347         https://bugs.webkit.org/show_bug.cgi?id=186920
1348
1349         Reviewed by Darin Adler.
1350
1351         * dfg/DFGWorklist.cpp:
1352         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
1353         (JSC::DFG::Worklist::finishCreation):
1354         * dfg/DFGWorklist.h:
1355         * heap/Heap.cpp:
1356         (JSC::Heap::Thread::Thread):
1357         * heap/Heap.h:
1358         * jit/JITWorklist.cpp:
1359         (JSC::JITWorklist::Thread::Thread):
1360         * jit/JITWorklist.h:
1361         * runtime/VMTraps.cpp:
1362         * runtime/VMTraps.h:
1363         * wasm/WasmWorklist.cpp:
1364         * wasm/WasmWorklist.h:
1365
1366 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1367
1368         [WTF] Add user-defined literal for ASCIILiteral
1369         https://bugs.webkit.org/show_bug.cgi?id=186839
1370
1371         Reviewed by Darin Adler.
1372
1373         * API/JSCallbackObjectFunctions.h:
1374         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1375         (JSC::JSCallbackObject<Parent>::callbackGetter):
1376         * API/JSObjectRef.cpp:
1377         (JSObjectMakeFunctionWithCallback):
1378         * API/JSTypedArray.cpp:
1379         (JSObjectGetArrayBufferBytesPtr):
1380         * API/JSValue.mm:
1381         (valueToArray):
1382         (valueToDictionary):
1383         * API/ObjCCallbackFunction.mm:
1384         (JSC::objCCallbackFunctionCallAsFunction):
1385         (JSC::objCCallbackFunctionCallAsConstructor):
1386         (JSC::ObjCCallbackFunctionImpl::call):
1387         * API/glib/JSCCallbackFunction.cpp:
1388         (JSC::JSCCallbackFunction::call):
1389         (JSC::JSCCallbackFunction::construct):
1390         * API/glib/JSCContext.cpp:
1391         (jscContextJSValueToGValue):
1392         * API/glib/JSCValue.cpp:
1393         (jsc_value_object_define_property_accessor):
1394         (jscValueFunctionCreate):
1395         * builtins/BuiltinUtils.h:
1396         * bytecode/CodeBlock.cpp:
1397         (JSC::CodeBlock::nameForRegister):
1398         * bytecompiler/BytecodeGenerator.cpp:
1399         (JSC::BytecodeGenerator::emitEnumeration):
1400         (JSC::BytecodeGenerator::emitIteratorNext):
1401         (JSC::BytecodeGenerator::emitIteratorClose):
1402         (JSC::BytecodeGenerator::emitDelegateYield):
1403         * bytecompiler/NodesCodegen.cpp:
1404         (JSC::FunctionCallValueNode::emitBytecode):
1405         (JSC::PostfixNode::emitBytecode):
1406         (JSC::PrefixNode::emitBytecode):
1407         (JSC::AssignErrorNode::emitBytecode):
1408         (JSC::ForInNode::emitBytecode):
1409         (JSC::ForOfNode::emitBytecode):
1410         (JSC::ClassExprNode::emitBytecode):
1411         (JSC::ObjectPatternNode::bindValue const):
1412         * dfg/DFGDriver.cpp:
1413         (JSC::DFG::compileImpl):
1414         * dfg/DFGOperations.cpp:
1415         (JSC::DFG::newTypedArrayWithSize):
1416         * dfg/DFGStrengthReductionPhase.cpp:
1417         (JSC::DFG::StrengthReductionPhase::handleNode):
1418         * inspector/ConsoleMessage.cpp:
1419         (Inspector::ConsoleMessage::addToFrontend):
1420         (Inspector::ConsoleMessage::clear):
1421         * inspector/ContentSearchUtilities.cpp:
1422         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
1423         * inspector/InjectedScript.cpp:
1424         (Inspector::InjectedScript::InjectedScript):
1425         (Inspector::InjectedScript::evaluate):
1426         (Inspector::InjectedScript::callFunctionOn):
1427         (Inspector::InjectedScript::evaluateOnCallFrame):
1428         (Inspector::InjectedScript::getFunctionDetails):
1429         (Inspector::InjectedScript::functionDetails):
1430         (Inspector::InjectedScript::getPreview):
1431         (Inspector::InjectedScript::getProperties):
1432         (Inspector::InjectedScript::getDisplayableProperties):
1433         (Inspector::InjectedScript::getInternalProperties):
1434         (Inspector::InjectedScript::getCollectionEntries):
1435         (Inspector::InjectedScript::saveResult):
1436         (Inspector::InjectedScript::wrapCallFrames const):
1437         (Inspector::InjectedScript::wrapObject const):
1438         (Inspector::InjectedScript::wrapJSONString const):
1439         (Inspector::InjectedScript::wrapTable const):
1440         (Inspector::InjectedScript::previewValue const):
1441         (Inspector::InjectedScript::setExceptionValue):
1442         (Inspector::InjectedScript::clearExceptionValue):
1443         (Inspector::InjectedScript::findObjectById const):
1444         (Inspector::InjectedScript::inspectObject):
1445         (Inspector::InjectedScript::releaseObject):
1446         (Inspector::InjectedScript::releaseObjectGroup):
1447         * inspector/InjectedScriptBase.cpp:
1448         (Inspector::InjectedScriptBase::makeEvalCall):
1449         * inspector/InjectedScriptManager.cpp:
1450         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1451         * inspector/InjectedScriptModule.cpp:
1452         (Inspector::InjectedScriptModule::ensureInjected):
1453         * inspector/InspectorBackendDispatcher.cpp:
1454         (Inspector::BackendDispatcher::dispatch):
1455         (Inspector::BackendDispatcher::sendResponse):
1456         (Inspector::BackendDispatcher::sendPendingErrors):
1457         * inspector/JSGlobalObjectConsoleClient.cpp:
1458         (Inspector::JSGlobalObjectConsoleClient::profile):
1459         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
1460         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
1461         * inspector/JSGlobalObjectInspectorController.cpp:
1462         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1463         * inspector/JSInjectedScriptHost.cpp:
1464         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1465         (Inspector::JSInjectedScriptHost::subtype):
1466         (Inspector::JSInjectedScriptHost::getInternalProperties):
1467         * inspector/JSJavaScriptCallFrame.cpp:
1468         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1469         (Inspector::JSJavaScriptCallFrame::type const):
1470         * inspector/ScriptArguments.cpp:
1471         (Inspector::ScriptArguments::getFirstArgumentAsString):
1472         * inspector/ScriptCallStackFactory.cpp:
1473         (Inspector::extractSourceInformationFromException):
1474         * inspector/agents/InspectorAgent.cpp:
1475         (Inspector::InspectorAgent::InspectorAgent):
1476         * inspector/agents/InspectorConsoleAgent.cpp:
1477         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
1478         (Inspector::InspectorConsoleAgent::clearMessages):
1479         (Inspector::InspectorConsoleAgent::count):
1480         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
1481         * inspector/agents/InspectorDebuggerAgent.cpp:
1482         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
1483         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
1484         (Inspector::buildObjectForBreakpointCookie):
1485         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1486         (Inspector::parseLocation):
1487         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1488         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1489         (Inspector::InspectorDebuggerAgent::continueToLocation):
1490         (Inspector::InspectorDebuggerAgent::searchInContent):
1491         (Inspector::InspectorDebuggerAgent::getScriptSource):
1492         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1493         (Inspector::InspectorDebuggerAgent::resume):
1494         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
1495         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1496         (Inspector::InspectorDebuggerAgent::didParseSource):
1497         (Inspector::InspectorDebuggerAgent::assertPaused):
1498         * inspector/agents/InspectorHeapAgent.cpp:
1499         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
1500         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
1501         (Inspector::InspectorHeapAgent::getPreview):
1502         (Inspector::InspectorHeapAgent::getRemoteObject):
1503         * inspector/agents/InspectorRuntimeAgent.cpp:
1504         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
1505         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1506         (Inspector::InspectorRuntimeAgent::getPreview):
1507         (Inspector::InspectorRuntimeAgent::getProperties):
1508         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1509         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1510         (Inspector::InspectorRuntimeAgent::saveResult):
1511         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1512         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1513         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1514         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
1515         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1516         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
1517         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1518         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
1519         * inspector/scripts/codegen/cpp_generator_templates.py:
1520         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1521         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1522         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1523         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1524         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1525         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1526         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1527         (CppProtocolTypesImplementationGenerator):
1528         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1529         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1530         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
1531         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1532         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1533         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1534         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1535         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
1536         * inspector/scripts/codegen/objc_generator_templates.py:
1537         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1538         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1539         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1540         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1541         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1542         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1543         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1544         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1545         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1546         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1547         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1548         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1549         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1550         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1551         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1552         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1553         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1554         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1555         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1556         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1557         * interpreter/CallFrame.cpp:
1558         (JSC::CallFrame::friendlyFunctionName):
1559         * interpreter/Interpreter.cpp:
1560         (JSC::Interpreter::execute):
1561         * interpreter/StackVisitor.cpp:
1562         (JSC::StackVisitor::Frame::functionName const):
1563         (JSC::StackVisitor::Frame::sourceURL const):
1564         * jit/JIT.cpp:
1565         (JSC::JIT::doMainThreadPreparationBeforeCompile):
1566         * jit/JITOperations.cpp:
1567         * jsc.cpp:
1568         (resolvePath):
1569         (GlobalObject::moduleLoaderImportModule):
1570         (GlobalObject::moduleLoaderResolve):
1571         (functionDescribeArray):
1572         (functionRun):
1573         (functionLoad):
1574         (functionCheckSyntax):
1575         (functionDollarEvalScript):
1576         (functionDollarAgentStart):
1577         (functionDollarAgentReceiveBroadcast):
1578         (functionDollarAgentBroadcast):
1579         (functionTransferArrayBuffer):
1580         (functionLoadModule):
1581         (functionSamplingProfilerStackTraces):
1582         (functionAsyncTestStart):
1583         (functionWebAssemblyMemoryMode):
1584         (runWithOptions):
1585         * parser/Lexer.cpp:
1586         (JSC::Lexer<T>::invalidCharacterMessage const):
1587         (JSC::Lexer<T>::parseString):
1588         (JSC::Lexer<T>::parseComplexEscape):
1589         (JSC::Lexer<T>::parseStringSlowCase):
1590         (JSC::Lexer<T>::parseTemplateLiteral):
1591         (JSC::Lexer<T>::lex):
1592         * parser/Parser.cpp:
1593         (JSC::Parser<LexerType>::parseInner):
1594         * parser/Parser.h:
1595         (JSC::Parser::setErrorMessage):
1596         * runtime/AbstractModuleRecord.cpp:
1597         (JSC::AbstractModuleRecord::finishCreation):
1598         * runtime/ArrayBuffer.cpp:
1599         (JSC::errorMesasgeForTransfer):
1600         * runtime/ArrayBufferSharingMode.h:
1601         (JSC::arrayBufferSharingModeName):
1602         * runtime/ArrayConstructor.cpp:
1603         (JSC::constructArrayWithSizeQuirk):
1604         (JSC::isArraySlowInline):
1605         * runtime/ArrayPrototype.cpp:
1606         (JSC::setLength):
1607         (JSC::shift):
1608         (JSC::unshift):
1609         (JSC::arrayProtoFuncPop):
1610         (JSC::arrayProtoFuncReverse):
1611         (JSC::arrayProtoFuncUnShift):
1612         * runtime/AtomicsObject.cpp:
1613         (JSC::atomicsFuncWait):
1614         (JSC::atomicsFuncWake):
1615         * runtime/BigIntConstructor.cpp:
1616         (JSC::BigIntConstructor::finishCreation):
1617         (JSC::toBigInt):
1618         (JSC::callBigIntConstructor):
1619         * runtime/BigIntObject.cpp:
1620         (JSC::BigIntObject::toStringName):
1621         * runtime/BigIntPrototype.cpp:
1622         (JSC::bigIntProtoFuncToString):
1623         (JSC::bigIntProtoFuncValueOf):
1624         * runtime/CommonSlowPaths.cpp:
1625         (JSC::SLOW_PATH_DECL):
1626         * runtime/ConsoleClient.cpp:
1627         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1628         * runtime/ConsoleObject.cpp:
1629         (JSC::valueOrDefaultLabelString):
1630         (JSC::consoleProtoFuncTime):
1631         (JSC::consoleProtoFuncTimeEnd):
1632         * runtime/DatePrototype.cpp:
1633         (JSC::formatLocaleDate):
1634         (JSC::formateDateInstance):
1635         (JSC::DatePrototype::finishCreation):
1636         (JSC::dateProtoFuncToISOString):
1637         (JSC::dateProtoFuncToJSON):
1638         * runtime/Error.cpp:
1639         (JSC::createNotEnoughArgumentsError):
1640         (JSC::throwSyntaxError):
1641         (JSC::createTypeError):
1642         (JSC::createOutOfMemoryError):
1643         * runtime/Error.h:
1644         (JSC::throwVMError):
1645         * runtime/ErrorConstructor.cpp:
1646         (JSC::ErrorConstructor::finishCreation):
1647         * runtime/ErrorInstance.cpp:
1648         (JSC::ErrorInstance::sanitizedToString):
1649         * runtime/ErrorPrototype.cpp:
1650         (JSC::ErrorPrototype::finishCreation):
1651         (JSC::errorProtoFuncToString):
1652         * runtime/ExceptionFuzz.cpp:
1653         (JSC::doExceptionFuzzing):
1654         * runtime/ExceptionHelpers.cpp:
1655         (JSC::TerminatedExecutionError::defaultValue):
1656         (JSC::createStackOverflowError):
1657         (JSC::createNotAConstructorError):
1658         (JSC::createNotAFunctionError):
1659         (JSC::createNotAnObjectError):
1660         * runtime/GetterSetter.cpp:
1661         (JSC::callSetter):
1662         * runtime/IntlCollator.cpp:
1663         (JSC::sortLocaleData):
1664         (JSC::searchLocaleData):
1665         (JSC::IntlCollator::initializeCollator):
1666         (JSC::IntlCollator::compareStrings):
1667         (JSC::IntlCollator::usageString):
1668         (JSC::IntlCollator::sensitivityString):
1669         (JSC::IntlCollator::caseFirstString):
1670         (JSC::IntlCollator::resolvedOptions):
1671         * runtime/IntlCollator.h:
1672         * runtime/IntlCollatorConstructor.cpp:
1673         (JSC::IntlCollatorConstructor::finishCreation):
1674         * runtime/IntlCollatorPrototype.cpp:
1675         (JSC::IntlCollatorPrototypeGetterCompare):
1676         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1677         * runtime/IntlDateTimeFormat.cpp:
1678         (JSC::defaultTimeZone):
1679         (JSC::canonicalizeTimeZoneName):
1680         (JSC::IntlDTFInternal::localeData):
1681         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
1682         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1683         (JSC::IntlDateTimeFormat::weekdayString):
1684         (JSC::IntlDateTimeFormat::eraString):
1685         (JSC::IntlDateTimeFormat::yearString):
1686         (JSC::IntlDateTimeFormat::monthString):
1687         (JSC::IntlDateTimeFormat::dayString):
1688         (JSC::IntlDateTimeFormat::hourString):
1689         (JSC::IntlDateTimeFormat::minuteString):
1690         (JSC::IntlDateTimeFormat::secondString):
1691         (JSC::IntlDateTimeFormat::timeZoneNameString):
1692         (JSC::IntlDateTimeFormat::resolvedOptions):
1693         (JSC::IntlDateTimeFormat::format):
1694         (JSC::IntlDateTimeFormat::partTypeString):
1695         (JSC::IntlDateTimeFormat::formatToParts):
1696         * runtime/IntlDateTimeFormat.h:
1697         * runtime/IntlDateTimeFormatConstructor.cpp:
1698         (JSC::IntlDateTimeFormatConstructor::finishCreation):
1699         * runtime/IntlDateTimeFormatPrototype.cpp:
1700         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1701         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
1702         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1703         * runtime/IntlNumberFormat.cpp:
1704         (JSC::IntlNumberFormat::initializeNumberFormat):
1705         (JSC::IntlNumberFormat::formatNumber):
1706         (JSC::IntlNumberFormat::styleString):
1707         (JSC::IntlNumberFormat::currencyDisplayString):
1708         (JSC::IntlNumberFormat::resolvedOptions):
1709         (JSC::IntlNumberFormat::partTypeString):
1710         (JSC::IntlNumberFormat::formatToParts):
1711         * runtime/IntlNumberFormat.h:
1712         * runtime/IntlNumberFormatConstructor.cpp:
1713         (JSC::IntlNumberFormatConstructor::finishCreation):
1714         * runtime/IntlNumberFormatPrototype.cpp:
1715         (JSC::IntlNumberFormatPrototypeGetterFormat):
1716         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
1717         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1718         * runtime/IntlObject.cpp:
1719         (JSC::grandfatheredLangTag):
1720         (JSC::canonicalizeLocaleList):
1721         (JSC::resolveLocale):
1722         (JSC::supportedLocales):
1723         * runtime/IntlPluralRules.cpp:
1724         (JSC::IntlPluralRules::initializePluralRules):
1725         (JSC::IntlPluralRules::resolvedOptions):
1726         (JSC::IntlPluralRules::select):
1727         * runtime/IntlPluralRulesConstructor.cpp:
1728         (JSC::IntlPluralRulesConstructor::finishCreation):
1729         * runtime/IntlPluralRulesPrototype.cpp:
1730         (JSC::IntlPluralRulesPrototypeFuncSelect):
1731         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
1732         * runtime/IteratorOperations.cpp:
1733         (JSC::iteratorNext):
1734         (JSC::iteratorClose):
1735         (JSC::hasIteratorMethod):
1736         (JSC::iteratorMethod):
1737         * runtime/JSArray.cpp:
1738         (JSC::JSArray::tryCreateUninitializedRestricted):
1739         (JSC::JSArray::defineOwnProperty):
1740         (JSC::JSArray::put):
1741         (JSC::JSArray::setLengthWithArrayStorage):
1742         (JSC::JSArray::appendMemcpy):
1743         (JSC::JSArray::pop):
1744         * runtime/JSArray.h:
1745         * runtime/JSArrayBufferConstructor.cpp:
1746         (JSC::JSArrayBufferConstructor::finishCreation):
1747         * runtime/JSArrayBufferPrototype.cpp:
1748         (JSC::arrayBufferProtoFuncSlice):
1749         (JSC::arrayBufferProtoGetterFuncByteLength):
1750         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
1751         * runtime/JSArrayBufferView.cpp:
1752         (JSC::JSArrayBufferView::toStringName):
1753         * runtime/JSArrayInlines.h:
1754         (JSC::JSArray::pushInline):
1755         * runtime/JSBigInt.cpp:
1756         (JSC::JSBigInt::divide):
1757         (JSC::JSBigInt::remainder):
1758         (JSC::JSBigInt::toNumber const):
1759         * runtime/JSCJSValue.cpp:
1760         (JSC::JSValue::putToPrimitive):
1761         (JSC::JSValue::putToPrimitiveByIndex):
1762         (JSC::JSValue::toStringSlowCase const):
1763         * runtime/JSCJSValueInlines.h:
1764         (JSC::toPreferredPrimitiveType):
1765         * runtime/JSDataView.cpp:
1766         (JSC::JSDataView::create):
1767         (JSC::JSDataView::put):
1768         (JSC::JSDataView::defineOwnProperty):
1769         * runtime/JSDataViewPrototype.cpp:
1770         (JSC::getData):
1771         (JSC::setData):
1772         * runtime/JSFunction.cpp:
1773         (JSC::JSFunction::callerGetter):
1774         (JSC::JSFunction::put):
1775         (JSC::JSFunction::defineOwnProperty):
1776         * runtime/JSGenericTypedArrayView.h:
1777         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1778         (JSC::constructGenericTypedArrayViewWithArguments):
1779         (JSC::constructGenericTypedArrayView):
1780         * runtime/JSGenericTypedArrayViewInlines.h:
1781         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1782         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1783         (JSC::speciesConstruct):
1784         (JSC::genericTypedArrayViewProtoFuncSet):
1785         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1786         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1787         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1788         * runtime/JSGlobalObject.cpp:
1789         (JSC::JSGlobalObject::init):
1790         * runtime/JSGlobalObjectDebuggable.cpp:
1791         (JSC::JSGlobalObjectDebuggable::name const):
1792         * runtime/JSGlobalObjectFunctions.cpp:
1793         (JSC::encode):
1794         (JSC::decode):
1795         (JSC::globalFuncProtoSetter):
1796         * runtime/JSGlobalObjectFunctions.h:
1797         * runtime/JSMap.cpp:
1798         (JSC::JSMap::toStringName):
1799         * runtime/JSModuleEnvironment.cpp:
1800         (JSC::JSModuleEnvironment::put):
1801         * runtime/JSModuleNamespaceObject.cpp:
1802         (JSC::JSModuleNamespaceObject::put):
1803         (JSC::JSModuleNamespaceObject::putByIndex):
1804         (JSC::JSModuleNamespaceObject::defineOwnProperty):
1805         * runtime/JSONObject.cpp:
1806         (JSC::Stringifier::appendStringifiedValue):
1807         (JSC::JSONProtoFuncParse):
1808         (JSC::JSONProtoFuncStringify):
1809         * runtime/JSObject.cpp:
1810         (JSC::getClassPropertyNames):
1811         (JSC::JSObject::calculatedClassName):
1812         (JSC::ordinarySetSlow):
1813         (JSC::JSObject::putInlineSlow):
1814         (JSC::JSObject::setPrototypeWithCycleCheck):
1815         (JSC::callToPrimitiveFunction):
1816         (JSC::JSObject::ordinaryToPrimitive const):
1817         (JSC::JSObject::defaultHasInstance):
1818         (JSC::JSObject::defineOwnIndexedProperty):
1819         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1820         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1821         (JSC::validateAndApplyPropertyDescriptor):
1822         * runtime/JSObject.h:
1823         * runtime/JSObjectInlines.h:
1824         (JSC::JSObject::putInlineForJSObject):
1825         * runtime/JSPromiseConstructor.cpp:
1826         (JSC::JSPromiseConstructor::finishCreation):
1827         * runtime/JSSet.cpp:
1828         (JSC::JSSet::toStringName):
1829         * runtime/JSSymbolTableObject.h:
1830         (JSC::symbolTablePut):
1831         * runtime/JSTypedArrayViewConstructor.cpp:
1832         (JSC::constructTypedArrayView):
1833         * runtime/JSTypedArrayViewPrototype.cpp:
1834         (JSC::typedArrayViewPrivateFuncLength):
1835         (JSC::typedArrayViewProtoFuncSet):
1836         (JSC::typedArrayViewProtoFuncCopyWithin):
1837         (JSC::typedArrayViewProtoFuncLastIndexOf):
1838         (JSC::typedArrayViewProtoFuncIndexOf):
1839         (JSC::typedArrayViewProtoFuncJoin):
1840         (JSC::typedArrayViewProtoGetterFuncBuffer):
1841         (JSC::typedArrayViewProtoGetterFuncLength):
1842         (JSC::typedArrayViewProtoGetterFuncByteLength):
1843         (JSC::typedArrayViewProtoGetterFuncByteOffset):
1844         (JSC::typedArrayViewProtoFuncReverse):
1845         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
1846         (JSC::typedArrayViewProtoFuncSlice):
1847         (JSC::JSTypedArrayViewPrototype::finishCreation):
1848         * runtime/JSWeakMap.cpp:
1849         (JSC::JSWeakMap::toStringName):
1850         * runtime/JSWeakSet.cpp:
1851         (JSC::JSWeakSet::toStringName):
1852         * runtime/LiteralParser.cpp:
1853         (JSC::LiteralParser<CharType>::Lexer::lex):
1854         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
1855         (JSC::LiteralParser<CharType>::Lexer::lexNumber):
1856         (JSC::LiteralParser<CharType>::parse):
1857         * runtime/LiteralParser.h:
1858         (JSC::LiteralParser::getErrorMessage):
1859         * runtime/Lookup.cpp:
1860         (JSC::reifyStaticAccessor):
1861         * runtime/Lookup.h:
1862         (JSC::putEntry):
1863         * runtime/MapPrototype.cpp:
1864         (JSC::getMap):
1865         * runtime/NullSetterFunction.cpp:
1866         (JSC::NullSetterFunctionInternal::callReturnUndefined):
1867         * runtime/NumberPrototype.cpp:
1868         (JSC::numberProtoFuncToExponential):
1869         (JSC::numberProtoFuncToFixed):
1870         (JSC::numberProtoFuncToPrecision):
1871         (JSC::extractToStringRadixArgument):
1872         * runtime/ObjectConstructor.cpp:
1873         (JSC::objectConstructorSetPrototypeOf):
1874         (JSC::objectConstructorAssign):
1875         (JSC::objectConstructorValues):
1876         (JSC::toPropertyDescriptor):
1877         (JSC::objectConstructorDefineProperty):
1878         (JSC::objectConstructorDefineProperties):
1879         (JSC::objectConstructorCreate):
1880         (JSC::objectConstructorSeal):
1881         (JSC::objectConstructorFreeze):
1882         * runtime/ObjectPrototype.cpp:
1883         (JSC::objectProtoFuncDefineGetter):
1884         (JSC::objectProtoFuncDefineSetter):
1885         * runtime/Operations.cpp:
1886         (JSC::jsAddSlowCase):
1887         * runtime/Operations.h:
1888         (JSC::jsSub):
1889         (JSC::jsMul):
1890         * runtime/ProgramExecutable.cpp:
1891         (JSC::ProgramExecutable::initializeGlobalProperties):
1892         * runtime/ProxyConstructor.cpp:
1893         (JSC::makeRevocableProxy):
1894         (JSC::proxyRevocableConstructorThrowError):
1895         (JSC::ProxyConstructor::finishCreation):
1896         (JSC::constructProxyObject):
1897         * runtime/ProxyObject.cpp:
1898         (JSC::ProxyObject::toStringName):
1899         (JSC::ProxyObject::finishCreation):
1900         (JSC::performProxyGet):
1901         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1902         (JSC::ProxyObject::performHasProperty):
1903         (JSC::ProxyObject::performPut):
1904         (JSC::performProxyCall):
1905         (JSC::performProxyConstruct):
1906         (JSC::ProxyObject::performDelete):
1907         (JSC::ProxyObject::performPreventExtensions):
1908         (JSC::ProxyObject::performIsExtensible):
1909         (JSC::ProxyObject::performDefineOwnProperty):
1910         (JSC::ProxyObject::performGetOwnPropertyNames):
1911         (JSC::ProxyObject::performSetPrototype):
1912         (JSC::ProxyObject::performGetPrototype):
1913         * runtime/ReflectObject.cpp:
1914         (JSC::reflectObjectConstruct):
1915         (JSC::reflectObjectDefineProperty):
1916         (JSC::reflectObjectGet):
1917         (JSC::reflectObjectGetOwnPropertyDescriptor):
1918         (JSC::reflectObjectGetPrototypeOf):
1919         (JSC::reflectObjectIsExtensible):
1920         (JSC::reflectObjectOwnKeys):
1921         (JSC::reflectObjectPreventExtensions):
1922         (JSC::reflectObjectSet):
1923         (JSC::reflectObjectSetPrototypeOf):
1924         * runtime/RegExpConstructor.cpp:
1925         (JSC::RegExpConstructor::finishCreation):
1926         (JSC::toFlags):
1927         * runtime/RegExpObject.cpp:
1928         (JSC::RegExpObject::defineOwnProperty):
1929         * runtime/RegExpObject.h:
1930         * runtime/RegExpPrototype.cpp:
1931         (JSC::regExpProtoFuncCompile):
1932         (JSC::regExpProtoGetterGlobal):
1933         (JSC::regExpProtoGetterIgnoreCase):
1934         (JSC::regExpProtoGetterMultiline):
1935         (JSC::regExpProtoGetterDotAll):
1936         (JSC::regExpProtoGetterSticky):
1937         (JSC::regExpProtoGetterUnicode):
1938         (JSC::regExpProtoGetterFlags):
1939         (JSC::regExpProtoGetterSourceInternal):
1940         (JSC::regExpProtoGetterSource):
1941         * runtime/RuntimeType.cpp:
1942         (JSC::runtimeTypeAsString):
1943         * runtime/SamplingProfiler.cpp:
1944         (JSC::SamplingProfiler::StackFrame::displayName):
1945         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
1946         * runtime/ScriptExecutable.cpp:
1947         (JSC::ScriptExecutable::prepareForExecutionImpl):
1948         * runtime/SetPrototype.cpp:
1949         (JSC::getSet):
1950         * runtime/SparseArrayValueMap.cpp:
1951         (JSC::SparseArrayValueMap::putEntry):
1952         (JSC::SparseArrayValueMap::putDirect):
1953         (JSC::SparseArrayEntry::put):
1954         * runtime/StackFrame.cpp:
1955         (JSC::StackFrame::sourceURL const):
1956         (JSC::StackFrame::functionName const):
1957         * runtime/StringConstructor.cpp:
1958         (JSC::stringFromCodePoint):
1959         * runtime/StringObject.cpp:
1960         (JSC::StringObject::put):
1961         (JSC::StringObject::putByIndex):
1962         * runtime/StringPrototype.cpp:
1963         (JSC::StringPrototype::finishCreation):
1964         (JSC::toLocaleCase):
1965         (JSC::stringProtoFuncNormalize):
1966         * runtime/Symbol.cpp:
1967         (JSC::Symbol::toNumber const):
1968         * runtime/SymbolConstructor.cpp:
1969         (JSC::symbolConstructorKeyFor):
1970         * runtime/SymbolObject.cpp:
1971         (JSC::SymbolObject::toStringName):
1972         * runtime/SymbolPrototype.cpp:
1973         (JSC::SymbolPrototype::finishCreation):
1974         * runtime/TypeSet.cpp:
1975         (JSC::TypeSet::dumpTypes const):
1976         (JSC::TypeSet::displayName const):
1977         (JSC::StructureShape::leastCommonAncestor):
1978         * runtime/TypeSet.h:
1979         (JSC::StructureShape::setConstructorName):
1980         * runtime/VM.cpp:
1981         (JSC::VM::dumpTypeProfilerData):
1982         * runtime/WeakMapPrototype.cpp:
1983         (JSC::getWeakMap):
1984         (JSC::protoFuncWeakMapSet):
1985         * runtime/WeakSetPrototype.cpp:
1986         (JSC::getWeakSet):
1987         (JSC::protoFuncWeakSetAdd):
1988         * tools/JSDollarVM.cpp:
1989         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
1990         (WTF::DOMJITGetterComplex::customGetter):
1991         (JSC::functionSetImpureGetterDelegate):
1992         (JSC::functionCreateElement):
1993         (JSC::functionGetHiddenValue):
1994         (JSC::functionSetHiddenValue):
1995         (JSC::functionFindTypeForExpression):
1996         (JSC::functionReturnTypeFor):
1997         (JSC::functionLoadGetterFromGetterSetter):
1998         * wasm/WasmB3IRGenerator.cpp:
1999         (JSC::Wasm::B3IRGenerator::fail const):
2000         * wasm/WasmIndexOrName.cpp:
2001         (JSC::Wasm::makeString):
2002         * wasm/WasmParser.h:
2003         (JSC::Wasm::FailureHelper::makeString):
2004         (JSC::Wasm::Parser::fail const):
2005         * wasm/WasmPlan.cpp:
2006         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
2007         * wasm/WasmValidate.cpp:
2008         (JSC::Wasm::Validate::fail const):
2009         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2010         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2011         * wasm/js/JSWebAssemblyHelpers.h:
2012         (JSC::toNonWrappingUint32):
2013         (JSC::getWasmBufferFromValue):
2014         * wasm/js/JSWebAssemblyInstance.cpp:
2015         (JSC::JSWebAssemblyInstance::create):
2016         * wasm/js/JSWebAssemblyMemory.cpp:
2017         (JSC::JSWebAssemblyMemory::grow):
2018         * wasm/js/WasmToJS.cpp:
2019         (JSC::Wasm::handleBadI64Use):
2020         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2021         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
2022         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2023         (JSC::constructJSWebAssemblyInstance):
2024         (JSC::WebAssemblyInstanceConstructor::finishCreation):
2025         * wasm/js/WebAssemblyInstancePrototype.cpp:
2026         (JSC::getInstance):
2027         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2028         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
2029         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2030         (JSC::constructJSWebAssemblyMemory):
2031         (JSC::WebAssemblyMemoryConstructor::finishCreation):
2032         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2033         (JSC::getMemory):
2034         * wasm/js/WebAssemblyModuleConstructor.cpp:
2035         (JSC::webAssemblyModuleCustomSections):
2036         (JSC::webAssemblyModuleImports):
2037         (JSC::webAssemblyModuleExports):
2038         (JSC::WebAssemblyModuleConstructor::finishCreation):
2039         * wasm/js/WebAssemblyModuleRecord.cpp:
2040         (JSC::WebAssemblyModuleRecord::link):
2041         (JSC::dataSegmentFail):
2042         (JSC::WebAssemblyModuleRecord::evaluate):
2043         * wasm/js/WebAssemblyPrototype.cpp:
2044         (JSC::resolve):
2045         (JSC::webAssemblyInstantiateFunc):
2046         (JSC::webAssemblyInstantiateStreamingInternal):
2047         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2048         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
2049         * wasm/js/WebAssemblyTableConstructor.cpp:
2050         (JSC::constructJSWebAssemblyTable):
2051         (JSC::WebAssemblyTableConstructor::finishCreation):
2052         * wasm/js/WebAssemblyTablePrototype.cpp:
2053         (JSC::getTable):
2054         (JSC::webAssemblyTableProtoFuncGrow):
2055         (JSC::webAssemblyTableProtoFuncGet):
2056         (JSC::webAssemblyTableProtoFuncSet):
2057
2058 2018-06-22  Keith Miller  <keith_miller@apple.com>
2059
2060         unshift should zero unused property storage
2061         https://bugs.webkit.org/show_bug.cgi?id=186960
2062
2063         Reviewed by Saam Barati.
2064
2065         Also, this patch adds the zeroed unused property storage assertion
2066         to one more place it was missing.
2067
2068         * runtime/JSArray.cpp:
2069         (JSC::JSArray::unshiftCountSlowCase):
2070         * runtime/JSObjectInlines.h:
2071         (JSC::JSObject::putDirectInternal):
2072
2073 2018-06-22  Mark Lam  <mark.lam@apple.com>
2074
2075         PropertyCondition::isValidValueForAttributes() should also consider deleted values.
2076         https://bugs.webkit.org/show_bug.cgi?id=186943
2077         <rdar://problem/41370337>
2078
2079         Reviewed by Saam Barati.
2080
2081         PropertyCondition::isValidValueForAttributes() should check if the passed in value
2082         is a deleted one before it does a jsDynamicCast on it.
2083
2084         * bytecode/PropertyCondition.cpp:
2085         (JSC::PropertyCondition::isValidValueForAttributes):
2086         * runtime/JSCJSValueInlines.h:
2087         - removed an unnecessary #if.
2088
2089 2018-06-22  Keith Miller  <keith_miller@apple.com>
2090
2091         performProxyCall should toThis the value passed to its handler
2092         https://bugs.webkit.org/show_bug.cgi?id=186951
2093
2094         Reviewed by Mark Lam.
2095
2096         * runtime/ProxyObject.cpp:
2097         (JSC::performProxyCall):
2098
2099 2018-06-22  Saam Barati  <sbarati@apple.com>
2100
2101         ensureWritableX should only convert away from CoW when it will succeed
2102         https://bugs.webkit.org/show_bug.cgi?id=186898
2103
2104         Reviewed by Keith Miller.
2105
2106         Otherwise, when we OSR exit, we'll end up profiling the array after
2107         it has been converted away from CoW. It's better for the ArrayProfile
2108         to see the array as it's still in CoW mode.
2109         
2110         This patch also renames ensureWritableX to tryMakeWritableX since these
2111         were never really "ensure" operations -- they may fail and return null.
2112
2113         * dfg/DFGOperations.cpp:
2114         * runtime/JSObject.cpp:
2115         (JSC::JSObject::tryMakeWritableInt32Slow):
2116         (JSC::JSObject::tryMakeWritableDoubleSlow):
2117         (JSC::JSObject::tryMakeWritableContiguousSlow):
2118         (JSC::JSObject::ensureWritableInt32Slow): Deleted.
2119         (JSC::JSObject::ensureWritableDoubleSlow): Deleted.
2120         (JSC::JSObject::ensureWritableContiguousSlow): Deleted.
2121         * runtime/JSObject.h:
2122         (JSC::JSObject::tryMakeWritableInt32):
2123         (JSC::JSObject::tryMakeWritableDouble):
2124         (JSC::JSObject::tryMakeWritableContiguous):
2125         (JSC::JSObject::ensureWritableInt32): Deleted.
2126         (JSC::JSObject::ensureWritableDouble): Deleted.
2127         (JSC::JSObject::ensureWritableContiguous): Deleted.
2128
2129 2018-06-22  Keith Miller  <keith_miller@apple.com>
2130
2131         We should call visitChildren on Base not the exact typename
2132         https://bugs.webkit.org/show_bug.cgi?id=186928
2133
2134         Reviewed by Mark Lam.
2135
2136         A lot of places were not properly calling visitChildren on their
2137         superclass. For most of them it didn't matter because they had
2138         immortal structures. If code changed in the future this might
2139         break things however.
2140
2141         Also, block off more of the MethodTable for GetterSetter objects.
2142
2143         * bytecode/CodeBlock.cpp:
2144         (JSC::CodeBlock::visitChildren):
2145         * bytecode/ExecutableToCodeBlockEdge.cpp:
2146         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2147         * debugger/DebuggerScope.cpp:
2148         (JSC::DebuggerScope::visitChildren):
2149         * runtime/EvalExecutable.cpp:
2150         (JSC::EvalExecutable::visitChildren):
2151         * runtime/FunctionExecutable.cpp:
2152         (JSC::FunctionExecutable::visitChildren):
2153         * runtime/FunctionRareData.cpp:
2154         (JSC::FunctionRareData::visitChildren):
2155         * runtime/GenericArgumentsInlines.h:
2156         (JSC::GenericArguments<Type>::visitChildren):
2157         * runtime/GetterSetter.cpp:
2158         (JSC::GetterSetter::visitChildren):
2159         * runtime/GetterSetter.h:
2160         * runtime/InferredType.cpp:
2161         (JSC::InferredType::visitChildren):
2162         * runtime/InferredTypeTable.cpp:
2163         (JSC::InferredTypeTable::visitChildren):
2164         * runtime/InferredValue.cpp:
2165         (JSC::InferredValue::visitChildren):
2166         * runtime/JSArrayBufferView.cpp:
2167         (JSC::JSArrayBufferView::visitChildren):
2168         * runtime/JSGenericTypedArrayViewInlines.h:
2169         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2170         * runtime/ModuleProgramExecutable.cpp:
2171         (JSC::ModuleProgramExecutable::visitChildren):
2172         * runtime/ProgramExecutable.cpp:
2173         (JSC::ProgramExecutable::visitChildren):
2174         * runtime/ScopedArguments.cpp:
2175         (JSC::ScopedArguments::visitChildren):
2176         * runtime/ScopedArguments.h:
2177         * runtime/Structure.cpp:
2178         (JSC::Structure::visitChildren):
2179         * runtime/StructureRareData.cpp:
2180         (JSC::StructureRareData::visitChildren):
2181         * runtime/SymbolTable.cpp:
2182         (JSC::SymbolTable::visitChildren):
2183
2184 2018-06-20  Darin Adler  <darin@apple.com>
2185
2186         [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity
2187         https://bugs.webkit.org/show_bug.cgi?id=186875
2188
2189         Reviewed by Anders Carlsson.
2190
2191         * API/tests/testapi.mm:
2192         (testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file.
2193
2194 2018-06-22  Carlos Garcia Campos  <cgarcia@igalia.com>
2195
2196         [GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message
2197         https://bugs.webkit.org/show_bug.cgi?id=186915
2198
2199         Reviewed by Žan Doberšek.
2200
2201         Update StartAutomationSession message handling to receive a dictionary of session capabilities.
2202
2203         * inspector/remote/glib/RemoteInspectorServer.cpp:
2204         (Inspector::processSessionCapabilities): Helper method to process the session capabilities.
2205
2206 2018-06-21  Mark Lam  <mark.lam@apple.com>
2207
2208         WebKit (JavaScriptCore) compilation error with Clang ≥ 6.
2209         https://bugs.webkit.org/show_bug.cgi?id=185947
2210         <rdar://problem/40131933>
2211
2212         Reviewed by Saam Barati.
2213
2214         Newer Clang versions (due to C++17 support) are not happy with how I implemented
2215         conversions between CodeLocation types.  We'll fix this by adding a conversion
2216         operator for converting between CodeLocation types.
2217
2218         * assembler/CodeLocation.h:
2219         (JSC::CodeLocationCommon::operator T):
2220
2221 2018-06-21  Saam Barati  <sbarati@apple.com>
2222
2223         Do some CoW cleanup
2224         https://bugs.webkit.org/show_bug.cgi?id=186896
2225
2226         Reviewed by Mark Lam.
2227
2228         * bytecode/UnlinkedCodeBlock.h:
2229         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
2230         We don't need to WTFMove() ints
2231
2232         * dfg/DFGByteCodeParser.cpp:
2233         (JSC::DFG::ByteCodeParser::parseBlock):
2234         remove a TODO.
2235
2236         * runtime/JSObject.cpp:
2237         (JSC::JSObject::putByIndex):
2238         We were checking for isCopyOnWrite even after we converted away
2239         from CoW in above code.
2240         (JSC::JSObject::ensureWritableInt32Slow):
2241         Model this in the same way the other ensureWritableXSlow are modeled.
2242
2243 2018-06-20  Keith Miller  <keith_miller@apple.com>
2244
2245         flattenDictionaryStructure needs to zero inline storage.
2246         https://bugs.webkit.org/show_bug.cgi?id=186869
2247
2248         Reviewed by Saam Barati.
2249
2250         This patch also adds the assertion that unused property storage is
2251         zero or JSValue() to putDirectInternal. Additionally, functions
2252         have been added to $vm that flatten dictionary objects and return
2253         the inline capacity of an object.
2254
2255         * runtime/JSObjectInlines.h:
2256         (JSC::JSObject::putDirectInternal):
2257         * runtime/Structure.cpp:
2258         (JSC::Structure::flattenDictionaryStructure):
2259         * tools/JSDollarVM.cpp:
2260         (JSC::functionInlineCapacity):
2261         (JSC::functionFlattenDictionaryObject):
2262         (JSC::JSDollarVM::finishCreation):
2263
2264 2018-06-21  Mark Lam  <mark.lam@apple.com>
2265
2266         Use IsoCellSets to track Executables with clearable code.
2267         https://bugs.webkit.org/show_bug.cgi?id=186877
2268
2269         Reviewed by Filip Pizlo.
2270
2271         Here’s an example of the results that this fix may yield: 
2272         1. The workload: load cnn.com, wait for it to fully load, scroll down and up.
2273         2. Statistics on memory touched and memory freed by VM::deleteAllCode():
2274
2275            Visiting Executables:
2276                                                         Old             New
2277            Number of objects visited:                   70897           14264
2278            Number of objects with deletable code:       14264 (20.1%)   14264 (100%)
2279            Number of memory pages visited:              3224            1602
2280            Number of memory pages with deletable code:  1602 (49.7%)    1602 (100%)
2281
2282            Visiting UnlinkedFunctionExecutables:
2283                                                         Old             New
2284            Number of objects visited:                   105454          17231
2285            Number of objects with deletable code:       42319 (20.1%)   17231 (100%) **
2286            Number of memory pages visited:              4796            1349
2287            Number of memory pages with deletable code:  4013 (83.7%)    1349 (100%)
2288
2289         ** The number of objects differs because the old code only visits unlinked
2290            executables indirectly via linked executables, whereas the new behavior visits
2291            all unlinked executables with deletable code directly.  This means:
2292
2293            a. we used to not visit unlinked executables that have not been linked yet
2294               i.e. deleteAllCode() may not delete all code (especially code that is not
2295               used).
2296            b. we had to visit all linked executables to check if they are of type
2297               FunctionExecutable, before going on to visit their unlinked executable, and
2298               this includes the ones that do not have deletable code.  This means that we
2299               would touch more memory in the process.
2300
2301            Both of these issues are now fixed with the new code.
2302
2303         This code was tested with manually inserted instrumentation to track the above
2304         statistics.  It is not feasible to write an automated test for this without
2305         leaving a lot of invasive instrumentation in the code.
2306
2307         * bytecode/UnlinkedFunctionExecutable.cpp:
2308         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2309         * bytecode/UnlinkedFunctionExecutable.h:
2310         * heap/CodeBlockSetInlines.h:
2311         (JSC::CodeBlockSet::iterateViaSubspaces):
2312         * heap/Heap.cpp:
2313         (JSC::Heap::deleteAllCodeBlocks):
2314         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2315         (JSC::Heap::deleteUnmarkedCompiledCode):
2316         (JSC::Heap::clearUnmarkedExecutables): Deleted.
2317         (JSC::Heap::addExecutable): Deleted.
2318         * heap/Heap.h:
2319         * runtime/DirectEvalExecutable.h:
2320
2321         * runtime/ExecutableBase.cpp:
2322         (JSC::ExecutableBase::hasClearableCode const):
2323         - this is written based on the implementation of ExecutableBase::clearCode().
2324
2325         * runtime/ExecutableBase.h:
2326         * runtime/FunctionExecutable.h:
2327         * runtime/IndirectEvalExecutable.h:
2328         * runtime/ModuleProgramExecutable.h:
2329         * runtime/ProgramExecutable.h:
2330         * runtime/ScriptExecutable.cpp:
2331         (JSC::ScriptExecutable::clearCode):
2332         (JSC::ScriptExecutable::installCode):
2333         * runtime/ScriptExecutable.h:
2334         (JSC::ScriptExecutable::finishCreation):
2335         * runtime/VM.cpp:
2336         (JSC::VM::VM):
2337         * runtime/VM.h:
2338         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
2339         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
2340         (JSC::VM::forEachScriptExecutableSpace):
2341         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet):
2342         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor):
2343
2344 2018-06-21  Zan Dobersek  <zdobersek@igalia.com>
2345
2346         [GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions
2347         https://bugs.webkit.org/show_bug.cgi?id=186884
2348
2349         Reviewed by Carlos Garcia Campos.
2350
2351         Add a tuple array input parameter to the StartAutomationSession DBus
2352         message, representing a list of host-and-certificate pairs that have to
2353         be allowed for a given session. This array is then unpacked and used to
2354         fill out the certificates Vector object in the SessionCapabilities
2355         struct.
2356
2357         * inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of
2358         String pairs representing hosts and the certificate file paths.
2359         * inspector/remote/glib/RemoteInspectorServer.cpp:
2360
2361 2018-06-20  Keith Miller  <keith_miller@apple.com>
2362
2363         Expand concurrent GC assertion to accept JSValue() or 0
2364         https://bugs.webkit.org/show_bug.cgi?id=186855
2365
2366         Reviewed by Mark Lam.
2367
2368         We tend to set unused property slots to either JSValue() or 0
2369         depending on the context. On 64-bit these are the same but on
2370         32-bit JSValue() has a NaN tag. This patch makes it so we
2371         accept either JSValue() or 0.
2372
2373         * runtime/JSObjectInlines.h:
2374         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2375
2376 2018-06-20  Guillaume Emont  <guijemont@igalia.com>
2377
2378         [Armv7] Linkbuffer: executableOffsetFor() fails for location 2
2379         https://bugs.webkit.org/show_bug.cgi?id=186765
2380
2381         Reviewed by Michael Saboff.
2382
2383         This widens the check for 0 so that we handle that case more correctly.
2384
2385         * assembler/LinkBuffer.h:
2386         (JSC::LinkBuffer::executableOffsetFor):
2387
2388 2018-06-19  Keith Miller  <keith_miller@apple.com>
2389
2390         Fix broken assertion on 32-bit
2391         https://bugs.webkit.org/show_bug.cgi?id=186830
2392
2393         Reviewed by Mark Lam.
2394
2395         The assertion was intended to catch concurrent GC issues. We don't
2396         run them on 32-bit so we don't need this assertion there. The
2397         assertion was broken because zero is not JSValue() on 32-bit.
2398
2399         * runtime/JSObjectInlines.h:
2400         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2401
2402 2018-06-19  Keith Miller  <keith_miller@apple.com>
2403
2404         flattenDictionaryStructure needs to zero properties that have been compressed away
2405         https://bugs.webkit.org/show_bug.cgi?id=186828
2406
2407         Reviewed by Mark Lam.
2408
2409         This patch fixes a bunch of crashing Mozilla tests on the bots.
2410
2411         * runtime/Structure.cpp:
2412         (JSC::Structure::flattenDictionaryStructure):
2413
2414 2018-06-19  Saam Barati  <sbarati@apple.com>
2415
2416         DirectArguments::create needs to initialize to undefined instead of the empty value
2417         https://bugs.webkit.org/show_bug.cgi?id=186818
2418         <rdar://problem/38415177>
2419
2420         Reviewed by Filip Pizlo.
2421
2422         The bug here is that we will emit code that just loads from DirectArguments as
2423         long as the index is within the known capacity of the arguments object (op_get_from_arguments).
2424         The arguments object has at least enough capacity to hold the declared parameters.
2425         When we materialized this object in OSR exit, we initialized up to the capacity
2426         with JSValue(). In OSR exit, though, we only filled up to the length of the
2427         object with actual values. So we'd end up with a DirectArguments object with
2428         capacity minus length slots of JSValue(). To fix this, we need to initialize up to
2429         capacity with jsUndefined during construction. The invariant of this object is
2430         that the capacity minus length slots at the end are filled in with jsUndefined.
2431
2432         * runtime/DirectArguments.cpp:
2433         (JSC::DirectArguments::create):
2434
2435 2018-06-19  Michael Saboff  <msaboff@apple.com>
2436
2437         Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
2438         https://bugs.webkit.org/show_bug.cgi?id=186827
2439
2440         Reviewed by Saam Barati.
2441
2442         Need to set VM::lastStackTop before any possible calls to sanitizeStack().
2443
2444         * runtime/JSLock.cpp:
2445         (JSC::JSLock::didAcquireLock):
2446
2447 2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>
2448
2449         ShadowChicken crashes with stack overflow in the LLInt
2450         https://bugs.webkit.org/show_bug.cgi?id=186540
2451         <rdar://problem/39682133>
2452
2453         Reviewed by Saam Barati.
2454
2455         Stack overflows in the LLInt were crashing in ShadowChicken when compiling
2456         with debug opcodes because it was accessing the scope of the incomplete top
2457         frame, which hadn't been set yet. Check that we have moved past the first
2458         opcode (enter) and that the scope is not undefined (enter will
2459         initialize it to undefined).
2460
2461         * interpreter/ShadowChicken.cpp:
2462         (JSC::ShadowChicken::update):
2463
2464 2018-06-19  Keith Miller  <keith_miller@apple.com>
2465
2466         constructArray variants should take the slow path for subclasses of Array
2467         https://bugs.webkit.org/show_bug.cgi?id=186812
2468
2469         Reviewed by Saam Barati and Mark Lam.
2470
2471         This patch fixes a crashing test in ObjectInitializationScope where we would
2472         allocate a new structure for an indexing type change while initializing
2473         a subclass of Array. Since the new array hasn't been fully initialized
2474         if the GC ran it would see garbage and we might crash.
2475
2476         * runtime/JSArray.cpp:
2477         (JSC::constructArray):
2478         (JSC::constructArrayNegativeIndexed):
2479         * runtime/JSArray.h:
2480         (JSC::constructArray): Deleted.
2481         (JSC::constructArrayNegativeIndexed): Deleted.
2482
2483 2018-06-19  Saam Barati  <sbarati@apple.com>
2484
2485         Wasm: Any function argument of type Void should be a validation error
2486         https://bugs.webkit.org/show_bug.cgi?id=186794
2487         <rdar://problem/41140257>
2488
2489         Reviewed by Keith Miller.
2490
2491         * wasm/WasmModuleParser.cpp:
2492         (JSC::Wasm::ModuleParser::parseType):
2493
2494 2018-06-18  Keith Miller  <keith_miller@apple.com>
2495
2496         JSImmutableButterfly should assert m_header is adjacent to the data
2497         https://bugs.webkit.org/show_bug.cgi?id=186795
2498
2499         Reviewed by Saam Barati.
2500
2501         * runtime/JSImmutableButterfly.cpp:
2502         * runtime/JSImmutableButterfly.h:
2503
2504 2018-06-18  Keith Miller  <keith_miller@apple.com>
2505
2506         Unreviewed, fix the build...
2507
2508         * runtime/JSArray.cpp:
2509         (JSC::JSArray::tryCreateUninitializedRestricted):
2510
2511 2018-06-18  Keith Miller  <keith_miller@apple.com>
2512
2513         Unreviewed, remove bad assertion.
2514
2515         * runtime/JSArray.cpp:
2516         (JSC::JSArray::tryCreateUninitializedRestricted):
2517
2518 2018-06-18  Keith Miller  <keith_miller@apple.com>
2519
2520         Properly zero unused property storage offsets
2521         https://bugs.webkit.org/show_bug.cgi?id=186692
2522
2523         Reviewed by Filip Pizlo.
2524
2525         Since the concurrent GC might see a property slot before the mutator has actually
2526         stored the value there, we need to ensure that slot doesn't have garbage in it.
2527
2528         Right now when calling constructConvertedArrayStorageWithoutCopyingElements
2529         or creating a RegExp matches array, we never cleared the unused
2530         property storage. ObjectInitializationScope has also been upgraded
2531         to look for our invariants around property storage. Additionally,
2532         a new assertion has been added to check for JSValue() when adding
2533         a new property.
2534
2535         We used to put undefined into deleted property offsets. To
2536         make things simpler, this patch causes us to store JSValue() there
2537         instead.
2538
2539         Lastly, this patch fixes an issue where we would initialize the
2540         array storage of RegExpMatchesArray twice. First with 0 and
2541         secondly with the actual result. Now we only zero memory between
2542         vector length and public length.
2543
2544         * runtime/Butterfly.h:
2545         (JSC::Butterfly::offsetOfVectorLength):
2546         * runtime/ButterflyInlines.h:
2547         (JSC::Butterfly::tryCreateUninitialized):
2548         (JSC::Butterfly::createUninitialized):
2549         (JSC::Butterfly::tryCreate):
2550         (JSC::Butterfly::create):
2551         (JSC::Butterfly::createOrGrowPropertyStorage):
2552         (JSC::Butterfly::createOrGrowArrayRight):
2553         (JSC::Butterfly::growArrayRight):
2554         (JSC::Butterfly::resizeArray):
2555         * runtime/JSArray.cpp:
2556         (JSC::JSArray::tryCreateUninitializedRestricted):
2557         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
2558         * runtime/JSArray.h:
2559         (JSC::tryCreateArrayButterfly):
2560         * runtime/JSObject.cpp:
2561         (JSC::JSObject::createArrayStorageButterfly):
2562         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2563         (JSC::JSObject::deleteProperty):
2564         (JSC::JSObject::shiftButterflyAfterFlattening):
2565         * runtime/JSObject.h:
2566         * runtime/JSObjectInlines.h:
2567         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2568         * runtime/ObjectInitializationScope.cpp:
2569         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2570         * runtime/ObjectInitializationScope.h:
2571         (JSC::ObjectInitializationScope::release):
2572         * runtime/RegExpMatchesArray.h:
2573         (JSC::tryCreateUninitializedRegExpMatchesArray):
2574         (JSC::createRegExpMatchesArray):
2575
2576         * runtime/Butterfly.h:
2577         (JSC::Butterfly::offsetOfVectorLength):
2578         * runtime/ButterflyInlines.h:
2579         (JSC::Butterfly::tryCreateUninitialized):
2580         (JSC::Butterfly::createUninitialized):
2581         (JSC::Butterfly::tryCreate):
2582         (JSC::Butterfly::create):
2583         (JSC::Butterfly::createOrGrowPropertyStorage):
2584         (JSC::Butterfly::createOrGrowArrayRight):
2585         (JSC::Butterfly::growArrayRight):
2586         (JSC::Butterfly::resizeArray):
2587         * runtime/JSArray.cpp:
2588         (JSC::JSArray::tryCreateUninitializedRestricted):
2589         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
2590         * runtime/JSArray.h:
2591         (JSC::tryCreateArrayButterfly):
2592         * runtime/JSObject.cpp:
2593         (JSC::JSObject::createArrayStorageButterfly):
2594         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2595         (JSC::JSObject::deleteProperty):
2596         (JSC::JSObject::shiftButterflyAfterFlattening):
2597         * runtime/JSObject.h:
2598         * runtime/JSObjectInlines.h:
2599         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2600         * runtime/ObjectInitializationScope.cpp:
2601         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2602         * runtime/RegExpMatchesArray.cpp:
2603         (JSC::createEmptyRegExpMatchesArray):
2604         * runtime/RegExpMatchesArray.h:
2605         (JSC::tryCreateUninitializedRegExpMatchesArray):
2606         (JSC::createRegExpMatchesArray):
2607
2608 2018-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2609
2610         Share structure across instances of classes exported through the ObjC API
2611         https://bugs.webkit.org/show_bug.cgi?id=186579
2612         <rdar://problem/40969212>
2613
2614         Reviewed by Saam Barati.
2615
2616         A new structure was being created for each instance of exported ObjC
2617         classes due to setting the prototype in the structure for every object,
2618         since prototype transitions are not cached by the structure. Cache the
2619         Structure in the JSObjcClassInfo to avoid the transition.
2620
2621         * API/JSWrapperMap.mm:
2622         (-[JSObjCClassInfo wrapperForObject:inContext:]):
2623         (-[JSObjCClassInfo structureInContext:]):
2624         * API/tests/JSWrapperMapTests.h: Added.
2625         * API/tests/JSWrapperMapTests.mm: Added.
2626         (+[JSWrapperMapTests testStructureIdentity]):
2627         (runJSWrapperMapTests):
2628         * API/tests/testapi.mm:
2629         (testObjectiveCAPIMain):
2630         * JavaScriptCore.xcodeproj/project.pbxproj:
2631
2632 2018-06-18  Michael Saboff  <msaboff@apple.com>
2633
2634         Support Unicode 11 in RegExp
2635         https://bugs.webkit.org/show_bug.cgi?id=186685
2636
2637         Reviewed by Mark Lam.
2638
2639         Updated the UCD tables used to generate RegExp property tables to version 11.0.
2640
2641         * Scripts/generateYarrUnicodePropertyTables.py:
2642         * ucd/CaseFolding.txt:
2643         * ucd/DerivedBinaryProperties.txt:
2644         * ucd/DerivedCoreProperties.txt:
2645         * ucd/DerivedNormalizationProps.txt:
2646         * ucd/PropList.txt:
2647         * ucd/PropertyAliases.txt:
2648         * ucd/PropertyValueAliases.txt:
2649         * ucd/ScriptExtensions.txt:
2650         * ucd/Scripts.txt:
2651         * ucd/UnicodeData.txt:
2652         * ucd/emoji-data.txt:
2653
2654 2018-06-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2655
2656         [WTF] Remove workarounds needed to support libstdc++-4
2657         https://bugs.webkit.org/show_bug.cgi?id=186762
2658
2659         Reviewed by Michael Catanzaro.
2660
2661         Revert r226299, r226300, r226301 and r226302.
2662
2663         * API/tests/TypedArrayCTest.cpp:
2664         (assertEqualsAsNumber):
2665
2666 2018-06-16  Michael Catanzaro  <mcatanzaro@igalia.com>
2667
2668         REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
2669         https://bugs.webkit.org/show_bug.cgi?id=182923
2670
2671         Reviewed by Mark Lam.
2672
2673         The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
2674         Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.
2675
2676         * heap/MarkedBlock.h:
2677
2678 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2679
2680         [JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
2681         https://bugs.webkit.org/show_bug.cgi?id=186723
2682
2683         Reviewed by Mark Lam.
2684
2685         Now, the CoW -> non-CoW transition is a heavy path. We inline the part of Structure::nonPropertyTransition
2686         that catches the major path. And we also inline JSArray::pushInline well to spread this in operationArrayPushMultiple.
2687
2688         This patch improves SixSpeed/spread-literal.es5.
2689
2690                                      baseline                  patched
2691
2692         spread-literal.es5      114.4140+-4.5146     ^    104.5475+-3.6157        ^ definitely 1.0944x faster
2693
2694         * runtime/JSArrayInlines.h:
2695         (JSC::JSArray::pushInline):
2696         * runtime/Structure.cpp:
2697         (JSC::Structure::nonPropertyTransitionSlow):
2698         (JSC::Structure::nonPropertyTransition): Deleted.
2699         * runtime/Structure.h:
2700         * runtime/StructureInlines.h:
2701         (JSC::Structure::nonPropertyTransition):
2702
2703 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2704
2705         [DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
2706         https://bugs.webkit.org/show_bug.cgi?id=186721
2707
2708         Reviewed by Keith Miller.
2709
2710         We still have several other OSRExits, but this patch reduces them.
2711
2712         1. While ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
2713         So DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.
2714
2715         2. The CoW patch removed ArrayAllocationProfile updates. This makes the allocated JSImmutableButterfly
2716         inappropriate.
2717
2718         These changes fix the Kraken/crypto-aes regression a bit.
2719
2720                                       baseline                  patched
2721
2722         stanford-crypto-aes        63.718+-2.312      ^      56.140+-0.966         ^ definitely 1.1350x faster
2723
2724
2725         * dfg/DFGByteCodeParser.cpp:
2726         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2727         * ftl/FTLOperations.cpp:
2728         (JSC::FTL::operationMaterializeObjectInOSR):
2729         * runtime/CommonSlowPaths.cpp:
2730         (JSC::SLOW_PATH_DECL):
2731
2732 2018-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2733
2734         [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
2735         https://bugs.webkit.org/show_bug.cgi?id=186460
2736
2737         Reviewed by Saam Barati.
2738
2739         Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
2740         We should return JSFixedArray for Spread. This patch adds a code generating
2741         a JSFixedArray from JSImmutableButterfly.
2742
2743         Merging JSFixedArray into JSImmutableButterfly is a possible future extension.
2744
2745         * ftl/FTLLowerDFGToB3.cpp:
2746         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
2747         * runtime/JSFixedArray.h:
2748
2749 2018-06-15  Saam Barati  <sbarati@apple.com>
2750
2751         Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
2752         https://bugs.webkit.org/show_bug.cgi?id=186687
2753         <rdar://problem/40071332>
2754
2755         Reviewed by Keith Miller.
2756
2757         * API/JSVirtualMachinePrivate.h:
2758
2759 2018-06-15  Saam Barati  <sbarati@apple.com>
2760
2761         Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
2762         https://bugs.webkit.org/show_bug.cgi?id=186648
2763
2764         Reviewed by Michael Saboff.
2765
2766         This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
2767         regressed with my first version of ForceOSRExit CFG pruning. This patch makes
2768         ForceOSRExit CFG pruning more aggressive by not ignoring everything that
2769         can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
2770         if it's the plan's osr entry bytecode target. The goal is to get a speedometer
2771         2 speedup with this change on iOS.
2772
2773         * dfg/DFGByteCodeParser.cpp:
2774         (JSC::DFG::ByteCodeParser::parse):
2775
2776 2018-06-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2777
2778         Unreviewed, rolling out r232816.
2779
2780         Suggested by Caitlin:
2781         "this patch clearly does get some things wrong, and it's not
2782         easy to find what those things are"
2783
2784         Reverted changeset:
2785
2786         "[LLInt] use loadp consistently for
2787         get_from_scope/put_to_scope"
2788         https://bugs.webkit.org/show_bug.cgi?id=132333
2789         https://trac.webkit.org/changeset/232816
2790
2791 2018-06-14  Michael Saboff  <msaboff@apple.com>
2792
2793         REGRESSION(232741): Crash running ARES-6
2794         https://bugs.webkit.org/show_bug.cgi?id=186630
2795
2796         Reviewed by Saam Barati.
2797
2798         The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
2799         treated edges between identical predecessor->successor pairs independently.
2800         This fixes the issue by handling such edges once, using the added intermediate
2801         pad for all instances of the edges between the same pairs.
2802
2803         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2804         (JSC::DFG::CriticalEdgeBreakingPhase::run):
2805         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
2806
2807 2018-06-14  Carlos Garcia Campos  <cgarcia@igalia.com>
2808
2809         [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
2810         https://bugs.webkit.org/show_bug.cgi?id=186560
2811
2812         Reviewed by Brian Burg.
2813
2814         Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
2815         that always receives the session capabilities.
2816
2817         * inspector/remote/RemoteInspector.h:
2818         * inspector/remote/RemoteInspectorConstants.h:
2819         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2820         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
2821         WebKit here and fill the SessionCapabilities instead.
2822         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2823         (Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
2824         * inspector/remote/glib/RemoteInspectorServer.cpp:
2825         (Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
2826         * inspector/remote/glib/RemoteInspectorServer.h:
2827
2828 2018-06-13  Adrian Perez de Castro  <aperez@igalia.com>
2829
2830         [WPE] Trying to access the remote inspector hits an assertion in the UIProcess
2831         https://bugs.webkit.org/show_bug.cgi?id=186588
2832
2833         Reviewed by Carlos Garcia Campos.
2834
2835         Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
2836         for resource paths, which avoids needing a switcheroo depending on the port.
2837
2838         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2839
2840 2018-06-13  Caitlin Potter  <caitp@igalia.com>
2841
2842         [LLInt] use loadp consistently for get_from_scope/put_to_scope
2843         https://bugs.webkit.org/show_bug.cgi?id=132333
2844
2845         Reviewed by Mark Lam.
2846
2847         Using `loadis` for register indexes and `loadp` for constant scopes /
2848         symboltables makes sense, but is problematic for big-endian
2849         architectures.
2850
2851         Consistently treating the operand as a pointer simplifies determining
2852         how to access the operand, and helps avoid bad accesses and crashes on
2853         big-endian ports.
2854
2855         * bytecode/CodeBlock.cpp:
2856         (JSC::CodeBlock::finishCreation):
2857         * bytecode/Instruction.h:
2858         * jit/JITOperations.cpp:
2859         * llint/LLIntSlowPaths.cpp:
2860         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2861         * llint/LowLevelInterpreter32_64.asm:
2862         * llint/LowLevelInterpreter64.asm:
2863         * runtime/CommonSlowPaths.h:
2864         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2865         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2866
2867 2018-06-13  Keith Miller  <keith_miller@apple.com>
2868
2869         AutomaticThread should have a way to provide a thread name
2870         https://bugs.webkit.org/show_bug.cgi?id=186604
2871
2872         Reviewed by Filip Pizlo.
2873
2874         Add names for JSC's automatic threads.
2875
2876         * dfg/DFGWorklist.cpp:
2877         * heap/Heap.cpp:
2878         * jit/JITWorklist.cpp:
2879         * runtime/VMTraps.cpp:
2880         * wasm/WasmWorklist.cpp:
2881
2882 2018-06-13  Saam Barati  <sbarati@apple.com>
2883
2884         CFGSimplificationPhase should de-dupe jettisonedBlocks
2885         https://bugs.webkit.org/show_bug.cgi?id=186583
2886
2887         Reviewed by Filip Pizlo.
2888
2889         When making the predecessors list unique in r232741, it revealed a bug inside
2890         of CFG simplification, where we try to remove the same predecessor more than
2891         once from a block's predecessors list. We built the list of blocks to remove
2892         from the list of successors, which is not unique, causing us to try to remove
2893         the same predecessor more than once. The solution here is to just add to this
2894         list of blocks to remove only if the block is not already in the list.
2895
2896         * dfg/DFGCFGSimplificationPhase.cpp:
2897         (JSC::DFG::CFGSimplificationPhase::run):
2898
2899 2018-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2900
2901         [JSC] Always use Nuke & Set procedure for x86
2902         https://bugs.webkit.org/show_bug.cgi?id=186592
2903
2904         Reviewed by Keith Miller.
2905
2906         We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
2907         By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
2908         threads.
2909
2910         * runtime/JSObject.cpp:
2911         (JSC::JSObject::convertContiguousToArrayStorage):
2912
2913 2018-06-12  Saam Barati  <sbarati@apple.com>
2914
2915         Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
2916         https://bugs.webkit.org/show_bug.cgi?id=186071
2917
2918         Reviewed by Mark Lam.
2919
2920         * API/JSVirtualMachine.mm:
2921         (-[JSVirtualMachine shrinkFootprint]): Deleted.
2922         * API/JSVirtualMachinePrivate.h:
2923
2924 2018-06-11  Saam Barati  <sbarati@apple.com>
2925
2926         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
2927         https://bugs.webkit.org/show_bug.cgi?id=181409
2928         <rdar://problem/36383749>
2929
2930         Reviewed by Keith Miller.
2931
2932         This patch is me redoing r226655. This is a patch I wrote when
2933         profiling Speedometer. Fil rolled this change out in r230928. He
2934         showed this slowed down a sunspider tests by ~2x. This sunspider
2935         regression revealed a real performance bug in the original change:
2936         we would kill blocks that reached OSR entry targets, sometimes leading
2937         us to not do OSR entry into the DFG, since we could end up deleting
2938         entire loops from the CFG. The reason for this is that code that has run
2939         ~once and that reaches loops often has ForceOSRExits inside of it. The
2940         solution to this is to not perform this optimization on blocks that can
2941         reach OSR entry targets.
2942         
2943         The reason I'm redoing this patch is that it turns out Fil rolling
2944         out the change was a Speedometer 2 regression.
2945         
2946         This is a modified version of the original ChangeLog I wrote in r226655:
2947         
2948         When I was looking at profiler data for Speedometer, I noticed that one of
2949         the hottest functions in Speedometer is around 1100 bytecode operations long.
2950         Only about 100 of those bytecode ops ever execute. However, we ended up
2951         spending a lot of time compiling basic blocks that never executed. We often
2952         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
2953         This is the case when such a node never executes.
2954         
2955         This patch makes it so that anytime a block has a ForceOSRExit, and that block
2956         can not reach an OSR entry target, we replace its terminal node with an Unreachable
2957         node, and remove all nodes after the ForceOSRExit. This cuts down the graph
2958         size since it removes control flow edges from the CFG. This allows us to get
2959         rid of huge chunks of the CFG in certain programs. When doing this transformation,
2960         we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
2961         live-in to the ForceOSRExit.
2962         
2963         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
2964         does not get rid of all the CFG that it could. If we decide it's worth
2965         it, we could use additional inputs into this mechanism. For example, we could
2966         profile if a basic block ever executes inside the LLInt/Baseline, and
2967         remove parts of the CFG based on that.
2968         
2969         When running Speedometer with the concurrent JIT turned off, this patch
2970         improves DFG/FTL compile times by around 5%.
2971
2972         * dfg/DFGByteCodeParser.cpp:
2973         (JSC::DFG::ByteCodeParser::addToGraph):
2974         (JSC::DFG::ByteCodeParser::inlineCall):
2975         (JSC::DFG::ByteCodeParser::parse):
2976         * dfg/DFGGraph.cpp:
2977         (JSC::DFG::Graph::blocksInPostOrder):
2978
2979 2018-06-11  Saam Barati  <sbarati@apple.com>
2980
2981         The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
2982         https://bugs.webkit.org/show_bug.cgi?id=184829
2983
2984         Reviewed by Michael Saboff.
2985
2986         This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
2987         In B3/Air, this just meant writing a validation rule. In DFG, this meant
2988         ensuring this property when building up the predecessors list, and also adding
2989         a validation rule. The NaturalLoops algorithm relies on this property.
2990
2991         * b3/B3Validate.cpp:
2992         * b3/air/AirValidate.cpp:
2993         * b3/testb3.cpp:
2994         (JSC::B3::testLoopWithMultipleHeaderEdges):
2995         (JSC::B3::run):
2996         * dfg/DFGGraph.cpp:
2997         (JSC::DFG::Graph::handleSuccessor):
2998         * dfg/DFGValidate.cpp:
2999
3000 2018-06-11  Keith Miller  <keith_miller@apple.com>
3001
3002         Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire which churns 65KB of memory
3003         https://bugs.webkit.org/show_bug.cgi?id=186467
3004
3005         Reviewed by Simon Fraser.
3006
3007         This patch adds a LazyFireDetail that wraps ScopedLambda so that
3008         we don't actually malloc any strings for firing unless those
3009         Strings are actually going to be printed.
3010
3011         * bytecode/Watchpoint.h:
3012         (JSC::LazyFireDetail::LazyFireDetail):
3013         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
3014         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
3015         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
3016         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
3017         * runtime/ArrayPrototype.cpp:
3018         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
3019
3020 2018-06-11  Mark Lam  <mark.lam@apple.com>
3021
3022         Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
3023         https://bugs.webkit.org/show_bug.cgi?id=186451
3024         <rdar://problem/40875792>
3025
3026         Reviewed by Tim Horton.
3027
3028         Enhance setOptions() to be able to take a comma separated options string in
3029         addition to white space separated options strings.
3030
3031         * runtime/Options.cpp:
3032         (JSC::isSeparator):
3033         (JSC::Options::setOptions):
3034
3035 2018-06-11  Michael Saboff  <msaboff@apple.com>
3036
3037         JavaScriptCore: Disable 32-bit JIT on Windows
3038         https://bugs.webkit.org/show_bug.cgi?id=185989
3039
3040         Reviewed by Mark Lam.
3041
3042         Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.
3043
3044         * llint/LLIntData.h:
3045         (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
3046         * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
3047         have a case label because these aren't opcodes.
3048         * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
3049         on the JIT being enabled.
3050         (JSC::recomputeDependentOptions):
3051
3052 2018-06-11  Michael Saboff  <msaboff@apple.com>
3053
3054         Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
3055         https://bugs.webkit.org/show_bug.cgi?id=186477
3056
3057         Reviewed by Filip Pizlo.
3058
3059         Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
3060         YARR interpreter nodes.  This caused us to overwrite other frame information.
3061
3062         Added frame offset debugging code to YARR interpreter.
3063
3064         * yarr/YarrInterpreter.cpp:
3065         (JSC::Yarr::ByteCompiler::emitDisjunction):
3066         (JSC::Yarr::ByteCompiler::dumpDisjunction):
3067
3068 2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3069
3070         [JSC] Array.prototype.sort should reject null comparator
3071         https://bugs.webkit.org/show_bug.cgi?id=186458
3072
3073         Reviewed by Keith Miller.
3074
3075         This relaxed behavior was once introduced in r216169 to fix some pages by aligning
3076         the behavior to Chrome and Firefox.
3077
3078         However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
3079         accepts it. This patch reverts r216169 to align JSC to the other engines and fix
3080         the spec issue.
3081
3082         * builtins/ArrayPrototype.js:
3083         (sort):
3084
3085 2018-06-09  Dan Bernstein  <mitz@apple.com>
3086
3087         [Xcode] Clean up and modernize some build setting definitions
3088         https://bugs.webkit.org/show_bug.cgi?id=186463
3089
3090         Reviewed by Sam Weinig.
3091
3092         * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
3093           definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
3094           is true for all supported Xcode versions.
3095         * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
3096         * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
3097           ENABLE_VIDEO_PRESENTATION_MODE now that macOS 10.12 is the earliest supported version.
3098         * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
3099         * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.
3100
3101 2018-06-09  Dan Bernstein  <mitz@apple.com>
3102
3103         Added missing file references to the Configuration group.
3104
3105         * JavaScriptCore.xcodeproj/project.pbxproj:
3106
3107 2018-06-08  Darin Adler  <darin@apple.com>
3108
3109         [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
3110         https://bugs.webkit.org/show_bug.cgi?id=186436
3111
3112         Reviewed by Anders Carlsson.
3113
3114         * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
3115         objc-internal.h and explicitly declaring the alternative.
3116
3117 2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>
3118
3119         [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
3120         https://bugs.webkit.org/show_bug.cgi?id=186442
3121         <rdar://problem/40879364>
3122
3123         Reviewed by Tim Horton.
3124
3125         * Configurations/FeatureDefines.xcconfig:
3126
3127 2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>
3128
3129         jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt
3130         https://bugs.webkit.org/show_bug.cgi?id=186446
3131         <rdar://problem/40949995>
3132
3133         Reviewed by Mark Lam.
3134
3135         On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
3136         boolean literals, but it would only work for false. Change it so that it
3137         takes the fast path for true, false, null and undefined.
3138
3139         * llint/LowLevelInterpreter.asm:
3140         * llint/LowLevelInterpreter64.asm:
3141
3142 2018-06-08  Brian Burg  <bburg@apple.com>
3143
3144         [Cocoa] Web Automation: include browser name and version in listing for automation targets
3145         https://bugs.webkit.org/show_bug.cgi?id=186204
3146         <rdar://problem/36950423>
3147
3148         Reviewed by Darin Adler.
3149
3150         Ask the client what the reported browser name and version should be, then
3151         send this as part of the listing for an automation target.
3152
3153         * inspector/remote/RemoteInspectorConstants.h:
3154         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3155         (Inspector::RemoteInspector::listingForAutomationTarget const):
3156
3157 2018-06-07  Chris Dumez  <cdumez@apple.com>
3158
3159         Add base class to get WeakPtrFactory member and avoid some boilerplate code
3160         https://bugs.webkit.org/show_bug.cgi?id=186407
3161
3162         Reviewed by Brent Fulgham.
3163
3164         Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
3165         order to avoid some boilerplate code in every class needing a WeakPtrFactory.
3166         This also gets rid of old-style createWeakPtr() methods in favor of the newer
3167         makeWeakPtr().
3168
3169         * wasm/WasmInstance.h:
3170         * wasm/WasmMemory.cpp:
3171         (JSC::Wasm::Memory::registerInstance):
3172
3173 2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>
3174
3175         Don't try to allocate JIT memory if we don't have the JIT entitlement
3176         https://bugs.webkit.org/show_bug.cgi?id=182605
3177         <rdar://problem/38271229>
3178
3179         Reviewed by Mark Lam.
3180
3181         Check that the current process has the correct entitlements before
3182         trying to allocate JIT memory to silence warnings.
3183
3184         * jit/ExecutableAllocator.cpp:
3185         (JSC::allowJIT): Helper that checks entitlements on iOS and returns true on other platforms.
3186         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Check allowJIT before trying to allocate.
3187
3188 2018-06-07  Saam Barati  <sbarati@apple.com>
3189
3190         TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
3191         https://bugs.webkit.org/show_bug.cgi?id=186386
3192
3193         Reviewed by Filip Pizlo.
3194
3195         This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.
3196
3197         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3198         (JSC::DFG::TierUpCheckInjectionPhase::run):
3199
3200 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
3201
3202         FunctionRareData::m_objectAllocationProfileWatchpoint is racy
3203         https://bugs.webkit.org/show_bug.cgi?id=186237
3204
3205         Reviewed by Saam Barati.
3206
3207         We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
3208         that means that we never notice that it fired if it fires between when the DFG decides to
3209         watch it and when it actually adds the watchpoint.
3210         
3211         Most watchpoints are initialized watched for this purpose. This one had a somewhat good
3212         reason for being initialized blind: that's how we knew to ignore changes to the prototype
3213         before the first allocation. However, that functionality also arose out of the fact that the
3214         rare data is created lazily and usually won't exist until the first allocation.
3215         
3216         The fix here is to make the watchpoint go into watched mode as soon as we initialize the
3217         object allocation profile.
3218         
3219         It's hard to repro this race; however, it started causing spurious test failures for me after
3220         bug 164904.
3221
3222         * runtime/FunctionRareData.cpp:
3223         (JSC::FunctionRareData::FunctionRareData):
3224         (JSC::FunctionRareData::initializeObjectAllocationProfile):
3225
3226 2018-06-07  Saam Barati  <sbarati@apple.com>
3227
3228         Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
3229         https://bugs.webkit.org/show_bug.cgi?id=186218
3230         <rdar://problem/38449540>
3231
3232         Reviewed by Filip Pizlo.
3233
3234         This patch makes tierUpCommon a tad bit more sane. There are a few things
3235         that I did:
3236         - There were a few release asserts that were crashing. Those release asserts
3237         were incorrect. They were making assumptions about how the code and data
3238         structures were ordered that were wrong. This patch removes them. The code
3239         was using the loop hierarchy vector to make assumptions about which loop we
3240         were currently executing in, which is incorrect. The only information that
3241         can be used about where we're currently executing is the bytecode index we're
3242         at.
3243         - This makes it so that we go back to trying to compile outer loops before
3244         inner loops. JF accidentally reverted this behavior that Ben implemented.
3245         JF made it so that we just compiled the innermost loop. I make this
3246         functionality work by first triggering a compile for the outermost loop
3247         that the code is currently executing in and that can perform OSR entry.
3248         However, some programs can get stuck in inner loops. The code works by
3249         progressively asking inner loops to compile if program execution has not
3250         yet reached an outer loop.
3251
3252         * dfg/DFGOperations.cpp:
3253
3254 2018-06-06  Guillaume Emont  <guijemont@igalia.com>
3255
3256         ArityFixup should adjust SP first on 32-bit platforms too
3257         https://bugs.webkit.org/show_bug.cgi?id=186351
3258
3259         Reviewed by Yusuke Suzuki.
3260
3261         * jit/ThunkGenerators.cpp:
3262         (JSC::arityFixupGenerator):
3263
3264 2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3265
3266         [DFG] Compare operations do not respect negative zeros
3267         https://bugs.webkit.org/show_bug.cgi?id=183729
3268
3269         Reviewed by Saam Barati.
3270
3271         Compare operations do not respect negative zeros. So propagating this can
3272         reduce the size of the produced code for negative zero case. This pattern
3273         can be seen in Kraken stanford-crypto-aes.
3274
3275         This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsdouble) to false.
3276         However, NonIntAsdouble includes negative zero, which can be equal to Int32 positive zero.
3277         This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.
3278
3279         * bytecode/SpeculatedType.cpp:
3280         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
3281         SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
3282         To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
3283         SpecDoubleReal.
3284
3285         * dfg/DFGBackwardsPropagationPhase.cpp:
3286         (JSC::DFG::BackwardsPropagationPhase::propagate):
3287
3288 2018-06-06  Saam Barati  <sbarati@apple.com>
3289
3290         generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
3291         https://bugs.webkit.org/show_bug.cgi?id=186363
3292
3293         Rubber-stamped by Filip Pizlo.
3294
3295         The code was assuming that the object it was creating an OPC for always
3296         had a non-poly-proto structure. However, this assumption was wrong. For
3297         example, an object in the prototype chain could be poly proto. That type
3298         of object graph would cause a crash in this code. This patch makes it so
3299         that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
3300         object as we traverse the prototype chain.
3301
3302         * bytecode/ObjectPropertyConditionSet.cpp:
3303         (JSC::generateConditionsForInstanceOf):
3304
3305 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
3306
3307         Adjust compile and runtime flags to match shippable state of features
3308         https://bugs.webkit.org/show_bug.cgi?id=186319
3309         <rdar://problem/40352045>
3310
3311         Reviewed by Maciej Stachowiak, Jon Lee, and others.
3312
3313         This patch revises the compile time and runtime state for various features to match their
3314         suitability for end-user releases.
3315
3316         * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
3317         WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
3318         Cocoa builds.
3319         * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
3320         or ENABLE_INPUT_TYPE_COLOR_POPOVER.
3321         * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
3322         at runtime for non-production builds.
3323
3324 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
3325
3326         Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
3327         https://bugs.webkit.org/show_bug.cgi?id=186286
3328         <rdar://problem/40782992>
3329
3330         Reviewed by Dan Bernstein.
3331
3332         Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
3333         to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
3334         change this flag when preparing for a production release.
3335
3336         * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
3337         whether experimental features should be enabled, and use it to properly define the
3338         feature flag.
3339
3340 2018-06-05  Darin Adler  <darin@apple.com>
3341
3342         [Cocoa] Update some JavaScriptCore code to be more ready for ARC
3343         https://bugs.webkit.org/show_bug.cgi?id=186301
3344
3345         Reviewed by Anders Carlsson.
3346
3347         * API/JSContext.mm:
3348         (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
3349         (-[JSContext setName:]): Removed unnecessary call to copy, since the
3350         JSStringCreateWithCFString function already reads the characters out
3351         of the string and does not retain the string, so there is no need to
3352         make an immutable copy. And used __bridge for typecast.
3353         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3354         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
3355         Ditto.
3356
3357         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
3358         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
3359         Use CFBridgingRelease instead of autorelease for a CF dictionary that
3360         we return as an NSDictionary.
3361
3362 2018-06-04  Keith Miller  <keith_miller@apple.com>
3363
3364         Remove missing files from JavaScriptCore Xcode project
3365         https://bugs.webkit.org/show_bug.cgi?id=186297
3366
3367         Reviewed by Saam Barati.
3368
3369         * JavaScriptCore.xcodeproj/project.pbxproj:
3370
3371 2018-06-04  Keith Miller  <keith_miller@apple.com>
3372
3373         Add test for CoW conversions in the DFG/FTL
3374         https://bugs.webkit.org/show_bug.cgi?id=186295
3375
3376         Reviewed by Saam Barati.
3377
3378         Add a function to $vm that returns a JSString containing the
3379         dataLog dump of the indexingMode of an Object.
3380
3381         * tools/JSDollarVM.cpp:
3382         (JSC::functionIndexingMode):
3383         (JSC::JSDollarVM::finishCreation):
3384
3385 2018-06-04  Saam Barati  <sbarati@apple.com>
3386
3387         Set the activeLength of all ScratchBuffers to zero when exiting the VM
3388         https://bugs.webkit.org/show_bug.cgi?id=186284
3389         <rdar://problem/40780738>
3390
3391         Reviewed by Keith Miller.
3392
3393         Simon recently found instances where we leak global objects from the
3394         ScratchBuffer. Yusuke found that we forgot to set the active length
3395         back to zero when doing catch OSR entry in the DFG/FTL. His solution
3396         to this was adding a node that cleared the active length. This is
3397         a good node to have, but it's not a complete solution: the DFG/FTL
3398         could OSR exit before that node executes, which would cause us to leak
3399         the data in it.
3400         
3401         This patch makes it so that we set each scratch buffer's active length
3402         to zero on VM exit. This helps prevent leaks for JS code that eventually
3403         exits the VM (which is essentially all code on the web and all API users).
3404
3405         * runtime/VM.cpp:
3406         (JSC::VM::clearScratchBuffers):
3407         * runtime/VM.h:
3408         * runtime/VMEntryScope.cpp:
3409         (JSC::VMEntryScope::~VMEntryScope):
3410
3411 2018-06-04  Keith Miller  <keith_miller@apple.com>
3412
3413         JSLock should clear last exception when releasing the lock
3414         https://bugs.webkit.org/show_bug.cgi?id=186277
3415
3416         Reviewed by Mark Lam.
3417
3418         If we don't clear the last exception we essentially leak the
3419         object and everything referenced by it until another exception is
3420         thrown.
3421
3422         * runtime/JSLock.cpp:
3423         (JSC::JSLock::willReleaseLock):
3424
3425 2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3426
3427         Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
3428         https://bugs.webkit.org/show_bug.cgi?id=180248
3429
3430         Reviewed by Sam Weinig.
3431
3432         As a final step, this patch removes ListableHandler from JSC.
3433         Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.
3434
3435         * CMakeLists.txt:
3436         * JavaScriptCore.xcodeproj/project.pbxproj:
3437         * heap/Heap.h:
3438         * heap/ListableHandler.h: Removed.
3439
3440 2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3441
3442         LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
3443         https://bugs.webkit.org/show_bug.cgi?id=186223
3444
3445         Reviewed by Keith Miller.
3446
3447         After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
3448         This makes the buffer a conservative GC root and allows it to hold GC objects unnecessarily long.
3449
3450         This patch introduces the DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
3451         We also model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize to make
3452         ClearCatchLocals valid.
3453
3454         The existing tests for ExtractCatchLocal just pass.
3455
3456         * dfg/DFGAbstractHeap.h:
3457         * dfg/DFGAbstractInterpreterInlines.h:
3458         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3459         * dfg/DFGByteCodeParser.cpp:
3460         (JSC::DFG::ByteCodeParser::parseBlock):
3461         * dfg/DFGClobberize.h:
3462         (JSC::DFG::clobberize):
3463         * dfg/DFGDoesGC.cpp:
3464         (JSC::DFG::doesGC):
3465         * dfg/DFGFixupPhase.cpp:
3466         (JSC::DFG::FixupPhase::fixupNode):
3467         * dfg/DFGMayExit.cpp:
3468         * dfg/DFGNodeType.h:
3469         * dfg/DFGOSREntry.cpp:
3470         (JSC::DFG::prepareCatchOSREntry):
3471         * dfg/DFGPredictionPropagationPhase.cpp:
3472         * dfg/DFGSafeToExecute.h:
3473         (JSC::DFG::safeToExecute):
3474         * dfg/DFGSpeculativeJIT.cpp:
3475         (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
3476         * dfg/DFGSpeculativeJIT.h:
3477         * dfg/DFGSpeculativeJIT32_64.cpp:
3478         (JSC::DFG::SpeculativeJIT::compile):
3479         * dfg/DFGSpeculativeJIT64.cpp:
3480         (JSC::DFG::SpeculativeJIT::compile):
3481         * ftl/FTLCapabilities.cpp:
3482         (JSC::FTL::canCompile):
3483         * ftl/FTLLowerDFGToB3.cpp:
3484         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3485         (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):
3486
3487 2018-06-02  Darin Adler  <darin@apple.com>
3488
3489         [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
3490         https://bugs.webkit.org/show_bug.cgi?id=186227
3491
3492         Reviewed by Dan Bernstein.
3493
3494         * API/JSContext.mm:
3495         (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
3496         * API/JSValue.mm:
3497         (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
3498         (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
3499         ARC-compatible, but more efficient.
3500         (valueToString): Use CFBridgingRelease instead of autorelease.
3501
3502 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
3503
3504         [ESNext][BigInt] Implement support for addition operations
3505         https://bugs.webkit.org/show_bug.cgi?id=179002
3506
3507         Reviewed by Yusuke Suzuki.
3508
3509         This patch implements support for BigInt operands in the binary "+"
3510         and binary "-" operators. Right now, we have limited support in the DFG
3511         and FTL JIT layers, but we plan to fix this support in future
3512         patches.
3513
3514         * jit/JITOperations.cpp:
3515         * runtime/CommonSlowPaths.cpp:
3516         (JSC::SLOW_PATH_DECL):
3517         * runtime/JSBigInt.cpp:
3518         (JSC::JSBigInt::parseInt):
3519         (JSC::JSBigInt::stringToBigInt):
3520         (JSC::JSBigInt::toString):
3521         (JSC::JSBigInt::multiply):
3522         (JSC::JSBigInt::divide):
3523         (JSC::JSBigInt::remainder):
3524         (JSC::JSBigInt::add):
3525         (JSC::JSBigInt::sub):
3526         (JSC::JSBigInt::absoluteAdd):
3527         (JSC::JSBigInt::absoluteSub):
3528         (JSC::JSBigInt::toStringGeneric):
3529         (JSC::JSBigInt::allocateFor):
3530         (JSC::JSBigInt::toNumber const):
3531         (JSC::JSBigInt::getPrimitiveNumber const):
3532         * runtime/JSBigInt.h:
3533         * runtime/JSCJSValueInlines.h:
3534         * runtime/Operations.cpp:
3535         (JSC::jsAddSlowCase):
3536         * runtime/Operations.h:
3537         (JSC::jsSub):
3538
3539 2018-06-02  Commit Queue  <commit-queue@webkit.org>
3540
3541         Unreviewed, rolling out r232439.
3542         https://bugs.webkit.org/show_bug.cgi?id=186238
3543
3544         It breaks gtk-linux-32-release (Requested by caiolima on
3545         #webkit).
3546
3547         Reverted changeset:
3548
3549         "[ESNext][BigInt] Implement support for addition operations"
3550         https://bugs.webkit.org/show_bug.cgi?id=179002
3551         https://trac.webkit.org/changeset/232439
3552
3553 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3554
3555         Baseline op_jtrue emits an insane amount of code
3556         https://bugs.webkit.org/show_bug.cgi?id=185708
3557
3558         Reviewed by Filip Pizlo.
3559
3560         op_jtrue / op_jfalse bloat a massive amount of code. This patch attempts to reduce the size of this code by:
3561
3562         1. op_jtrue / op_jfalse jump immediately if the condition is met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
3563            to jump directly. This tightens the code.
3564
3565         2. Align our emitConvertValueToBoolean implementation to FTL's boolify function. It emits less code.
3566
3567         This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.
3568
3569         [  12] jtrue             arg1, 6(->18)
3570               0x7f233170162c: mov 0x30(%rbp), %rax
3571               0x7f2331701630: mov %rax, %rsi
3572               0x7f2331701633: xor $0x6, %rsi
3573               0x7f2331701637: test $0xfffffffffffffffe, %rsi
3574               0x7f233170163e: jnz 0x7f2331701654
3575               0x7f2331701644: cmp $0x7, %eax
3576               0x7f2331701647: setz %sil
3577               0x7f233170164b: movzx %sil, %esi
3578               0x7f233170164f: jmp 0x7f2331701705
3579               0x7f2331701654: test %rax, %r14
3580               0x7f2331701657: jz 0x7f233170169c
3581               0x7f233170165d: cmp %r14, %rax
3582               0x7f2331701660: jb 0x7f2331701675
3583               0x7f2331701666: test %eax, %eax
3584               0x7f2331701668: setnz %sil
3585               0x7f233170166c: movzx %sil, %esi
3586               0x7f2331701670: jmp 0x7f2331701705
3587               0x7f2331701675: lea (%r14,%rax), %rsi
3588               0x7f2331701679: movq %rsi, %xmm0
3589               0x7f233170167e: xorps %xmm1, %xmm1
3590               0x7f2331701681: ucomisd %xmm1, %xmm0
3591               0x7f2331701685: jz 0x7f2331701695
3592               0x7f233170168b: mov $0x1, %esi
3593               0x7f2331701690: jmp 0x7f2331701705
3594               0x7f2331701695: xor %esi, %esi
3595               0x7f2331701697: jmp 0x7f2331701705
3596               0x7f233170169c: test %rax, %r15
3597               0x7f233170169f: jnz 0x7f2331701703
3598               0x7f23317016a5: cmp $0x1, 0x5(%rax)
3599               0x7f23317016a9: jnz 0x7f23317016c1
3600               0x7f23317016af: mov 0x8(%rax), %esi
3601               0x7f23317016b2: test %esi, %esi
3602               0x7f23317016b4: setnz %sil
3603               0x7f23317016b8: movzx %sil, %esi
3604               0x7f23317016bc: jmp 0x7f2331701705
3605               0x7f23317016c1: test $0x1, 0x6(%rax)
3606               0x7f23317016c5: jz 0x7f23317016f9
3607               0x7f23317016cb: mov (%rax), %esi
3608               0x7f23317016cd: mov $0x7f23315000c8, %rdx
3609               0x7f23317016d7: mov (%rdx), %rdx
3610               0x7f23317016da: mov (%rdx,%rsi,8), %rsi
3611               0x7f23317016de: mov $0x7f2330de0000, %rdx
3612               0x7f23317016e8: cmp %rdx, 0x18(%rsi)
3613               0x7f23317016ec: jnz 0x7f23317016f9
3614               0x7f23317016f2: xor %esi, %esi
3615               0x7f23317016f4: jmp 0x7f2331701705
3616               0x7f23317016f9: mov $0x1, %esi
3617               0x7f23317016fe: jmp 0x7f2331701705
3618               0x7f2331701703: xor %esi, %esi
3619               0x7f2331701705: test %esi, %esi
3620               0x7f2331701707: jnz 0x7f233170171b
3621
3622         [  12] jtrue             arg1, 6(->18)
3623               0x7f6c8710156c: mov 0x30(%rbp), %rax
3624               0x7f6c87101570: test %rax, %r15
3625               0x7f6c87101573: jnz 0x7f6c871015c8
3626               0x7f6c87101579: cmp $0x1, 0x5(%rax)
3627               0x7f6c8710157d: jnz 0x7f6c87101592
3628               0x7f6c87101583: cmp $0x0, 0x8(%rax)
3629               0x7f6c87101587: jnz 0x7f6c87101623
3630               0x7f6c8710158d: jmp 0x7f6c87101615
3631               0x7f6c87101592: test $0x1, 0x6(%rax)
3632               0x7f6c87101596: jz 0x7f6c87101623
3633               0x7f6c8710159c: mov (%rax), %esi
3634               0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
3635               0x7f6c871015a8: mov (%rdx), %rdx
3636               0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
3637               0x7f6c871015af: mov $0x7f6c867e0000, %rdx
3638               0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
3639               0x7f6c871015bd: jnz 0x7f6c87101623
3640               0x7f6c871015c3: jmp 0x7f6c87101615
3641               0x7f6c871015c8: cmp %r14, %rax
3642               0x7f6c871015cb: jb 0x7f6c871015de
3643               0x7f6c871015d1: test %eax, %eax
3644               0x7f6c871015d3: jnz 0x7f6c87101623
3645               0x7f6c871015d9: jmp 0x7f6c87101615
3646               0x7f6c871015de: test %rax, %r14
3647               0x7f6c871015e1: jz 0x7f6c87101602
3648               0x7f6c871015e7: lea (%r14,%rax), %rsi
3649               0x7f6c871015eb: movq %rsi, %xmm0
3650               0x7f6c871015f0: xorps %xmm1, %xmm1
3651               0x7f6c871015f3: ucomisd %xmm1, %xmm0
3652               0x7f6c871015f7: jz 0x7f6c87101615
3653               0x7f6c871015fd: jmp 0x7f6c87101623
3654               0x7f6c87101602: mov $0x7, %r11
3655               0x7f6c8710160c: cmp %r11, %rax
3656               0x7f6c8710160f: jz 0x7f6c87101623
3657
3658         * dfg/DFGSpeculativeJIT32_64.cpp:
3659         (JSC::DFG::SpeculativeJIT::emitBranch):
3660         * dfg/DFGSpeculativeJIT64.cpp:
3661         (JSC::DFG::SpeculativeJIT::emitBranch):
3662         * jit/AssemblyHelpers.cpp:
3663         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
3664         (JSC::AssemblyHelpers::branchIfValue):
3665         * jit/AssemblyHelpers.h:
3666         (JSC::AssemblyHelpers::branchIfTruthy):
3667         (JSC::AssemblyHelpers::branchIfFalsey):
3668         * jit/JIT.h:
3669         * jit/JITInlines.h:
3670         (JSC::JIT::addJump):
3671         * jit/JITOpcodes.cpp:
3672         (JSC::JIT::emit_op_jfalse):
3673         (JSC::JIT::emit_op_jtrue):
3674         * jit/JITOpcodes32_64.cpp:
3675         (JSC::JIT::emit_op_jfalse):
3676         (JSC::JIT::emit_op_jtrue):
3677
3678 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3679
3680         [JSC] Remove WeakReferenceHarvester
3681         https://bugs.webkit.org/show_bug.cgi?id=186102
3682
3683         Reviewed by Filip Pizlo.
3684
3685         After several cleanups, JSWeakMap is now the last user of WeakReferenceHarvester.
3686         Since JSWeakMap is already managed in an IsoSubspace, we can iterate marked JSWeakMaps
3687         by using output constraints & Subspace iteration.
3688
3689         This patch removes WeakReferenceHarvester. Instead of managing this linked list, our
3690         output constraint set iterates marked JSWeakMaps by using Subspace.
3691
3692         We also add locking for JSWeakMap's rehash and output constraint visiting.
3693
3694         The attached microbenchmark does not show any regression.
3695
3696         * API/JSAPIWrapperObject.h:
3697         * CMakeLists.txt:
3698         * JavaScriptCore.xcodeproj/project.pbxproj:
3699         * heap/Heap.cpp:
3700         (JSC::Heap::endMarking):
3701         (JSC::Heap::addCoreConstraints):
3702         * heap/Heap.h:
3703         * heap/SlotVisitor.cpp:
3704         (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
3705         * heap/SlotVisitor.h:
3706         * heap/WeakReferenceHarvester.h: Removed.
3707         * runtime/WeakMapImpl.cpp:
3708         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
3709         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitOutputConstraints):
3710         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
3711         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences): Deleted.
3712         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences): Deleted.
3713         * runtime/WeakMapImpl.h:
3714         (JSC::WeakMapImpl::WeakMapImpl):
3715         (JSC::WeakMapImpl::finishCreation):
3716         (JSC::WeakMapImpl::rehash):
3717         (JSC::WeakMapImpl::makeAndSetNewBuffer):
3718         (JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.
3719
3720 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3721
3722         [JSC] Object.create should have intrinsic
3723         https://bugs.webkit.org/show_bug.cgi?id=186200
3724
3725         Reviewed by Filip Pizlo.
3726
3727         Object.create is used in various JS code. `Object.create(null)` is particularly used
3728         to create an empty plain object with a null [[Prototype]]. We can find `Object.create(null)`
3729         calls in ARES-6/Babylon code.
3730
3731         This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces an ObjectCreate
3732         DFG node. DFG AI and constant folding attempt to convert it to NewObject when the prototype
3733         object is null. This offers a significant performance boost for `Object.create(null)`.
3734
3735                                                          baseline                  patched
3736
3737         object-create-null                           53.7940+-1.5297     ^     19.8846+-0.6584        ^ definitely 2.7053x faster
3738         object-create-unknown-object-prototype       38.9977+-1.1364     ^     37.2207+-0.6143        ^ definitely 1.0477x faster
3739         object-create-untyped-prototype              22.5632+-0.6917           22.2539+-0.6876          might be 1.0139x faster
3740
3741         * dfg/DFGAbstractInterpreterInlines.h:
3742         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3743         * dfg/DFGByteCodeParser.cpp:
3744         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3745         * dfg/DFGClobberize.h:
3746         (JSC::DFG::clobberize):
3747         * dfg/DFGConstantFoldingPhase.cpp:
3748         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3749         * dfg/DFGDoesGC.cpp:
3750         (JSC::DFG::doesGC):
3751         * dfg/DFGFixupPhase.cpp:
3752         (JSC::DFG::FixupPhase::fixupNode):
3753         * dfg/DFGNode.h:
3754         (JSC::DFG::Node::convertToNewObject):
3755         * dfg/DFGNodeType.h:
3756         * dfg/DFGOperations.cpp:
3757         * dfg/DFGOperations.h:
3758         * dfg/DFGPredictionPropagationPhase.cpp:
3759         * dfg/DFGSafeToExecute.h:
3760         (JSC::DFG::safeToExecute):
3761         * dfg/DFGSpeculativeJIT.cpp:
3762         (JSC::DFG::SpeculativeJIT::compileObjectCreate):
3763         * dfg/DFGSpeculativeJIT.h:
3764         * dfg/DFGSpeculativeJIT32_64.cpp:
3765         (JSC::DFG::SpeculativeJIT::compile):
3766         * dfg/DFGSpeculativeJIT64.cpp:
3767         (JSC::DFG::SpeculativeJIT::compile):
3768         * ftl/FTLCapabilities.cpp:
3769         (JSC::FTL::canCompile):
3770         * ftl/FTLLowerDFGToB3.cpp:
3771         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3772         (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
3773         * runtime/Intrinsic.cpp:
3774         (JSC::intrinsicName):
3775         * runtime/Intrinsic.h:
3776         * runtime/JSGlobalObject.cpp:
3777         (JSC::JSGlobalObject::init):
3778         (JSC::JSGlobalObject::visitChildren):
3779         * runtime/JSGlobalObject.h:
3780         (JSC::JSGlobalObject::nullPrototypeObjectStructure const):
3781         * runtime/ObjectConstructor.cpp:
3782
3783 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
3784
3785         [ESNext][BigInt] Implement support for addition operations
3786         https://bugs.webkit.org/show_bug.cgi?id=179002
3787
3788         Reviewed by Yusuke Suzuki.
3789
3790         This patch implements support for BigInt operands in the binary "+"
3791         and binary "-" operators. Right now, we have limited support in the DFG
3792         and FTL JIT layers, but we plan to fix this support in future
3793         patches.
3794
3795         * jit/JITOperations.cpp:
3796         * runtime/CommonSlowPaths.cpp:
3797         (JSC::SLOW_PATH_DECL):
3798         * runtime/JSBigInt.cpp:
3799         (JSC::JSBigInt::parseInt):
3800         (JSC::JSBigInt::stringToBigInt):
3801         (JSC::JSBigInt::toString):
3802         (JSC::JSBigInt::multiply):
3803         (JSC::JSBigInt::divide):
3804         (JSC::JSBigInt::remainder):
3805         (JSC::JSBigInt::add):
3806         (JSC::JSBigInt::sub):
3807         (JSC::JSBigInt::absoluteAdd):
3808         (JSC::JSBigInt::absoluteSub):
3809         (JSC::JSBigInt::toStringGeneric):
3810         (JSC::JSBigInt::allocateFor):
3811         (JSC::JSBigInt::toNumber const):
3812         (JSC::JSBigInt::getPrimitiveNumber const):
3813         * runtime/JSBigInt.h:
3814         * runtime/JSCJSValueInlines.h:
3815         * runtime/Operations.cpp:
3816         (JSC::jsAddSlowCase):
3817         * runtime/Operations.h:
3818         (JSC::jsSub):
3819
3820 2018-06-01  Wenson Hsieh  <wenson_hsieh@apple.com>
3821
3822         Fix the watchOS build after r232385
3823         https://bugs.webkit.org/show_bug.cgi?id=186203
3824
3825         Reviewed by Keith Miller.
3826
3827         Add a missing header include for JSImmutableButterfly.
3828
3829         * runtime/ArrayPrototype.cpp:
3830
3831 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3832
3833         [JSC] Add Symbol.prototype.description getter
3834         https://bugs.webkit.org/show_bug.cgi?id=186053
3835
3836         Reviewed by Keith Miller.
3837
3838         The Symbol.prototype.description accessor is now stage 3 [1].
3839         This adds a getter to retrieve the [[Description]] value from a Symbol.
3840         Previously, Symbol#toString() returned the `Symbol(${description})` value,
3841         so users needed to extract the `description` part if they wanted it.
3842
3843         [1]: https://tc39.github.io/proposal-Symbol-description/
3844
3845         * runtime/Symbol.cpp:
3846         (JSC::Symbol::description const):
3847         * runtime/Symbol.h:
3848         * runtime/SymbolPrototype.cpp:
3849         (JSC::tryExtractSymbol):
3850         (JSC::symbolProtoGetterDescription):
3851         (JSC::symbolProtoFuncToString):
3852         (JSC::symbolProtoFuncValueOf):
3853
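Added example, not part of this ChangeLog entry or of the JSC sources: JavaScript that contrasts the Symbol.prototype.description getter described above with the older workaround of parsing the description back out of Symbol.prototype.toString(), including the case the getter exists for (Symbol() vs. Symbol("") both stringify as "Symbol()") and the getter's behaviour on Symbol wrapper objects and on non-symbol receivers. All function names here are the example's own.

```javascript
// Added example, not from the WebKit ChangeLog or the JSC sources: compares
// the stage-3 Symbol.prototype.description getter with the older workaround of
// parsing the description back out of Symbol.prototype.toString().

// Older workaround: toString() yields "Symbol(<description>)", so strip the
// wrapper. The result is always a string, which loses information (see below).
function descriptionFromToString(sym) {
  const text = sym.toString();
  if (!text.startsWith("Symbol(") || !text.endsWith(")")) {
    throw new TypeError("unexpected Symbol string form: " + text);
  }
  return text.slice("Symbol(".length, -1);
}

// Getter: reads the symbol's [[Description]] directly. Returns undefined for a
// symbol created without a description, and the exact string otherwise.
function descriptionFromGetter(sym) {
  return sym.description;
}

// Run both strategies over several kinds of symbols. The "undefined" case is
// the one the getter was added for: Symbol() and Symbol("") both stringify as
// "Symbol()", so the toString() route cannot tell them apart.
function compareStrategies() {
  const cases = [
    ["named", Symbol("foo")],
    ["empty", Symbol("")],
    ["undefined", Symbol()],
    ["registry", Symbol.for("shared")],
    ["well-known", Symbol.iterator],
  ];
  return cases.map(([label, sym]) => ({
    label,
    viaToString: descriptionFromToString(sym),
    viaGetter: descriptionFromGetter(sym),
  }));
}

// The getter also accepts a Symbol wrapper object (Object(sym)) as receiver,
// unwrapping it the same way toString() and valueOf() do.
function descriptionOfWrapper() {
  return Object(Symbol("wrapped")).description;
}

// Invoked on a non-symbol receiver, the getter throws a TypeError rather than
// returning undefined, so misuse fails loudly instead of yielding garbage.
function getterRejectsNonSymbol() {
  const getter = Object.getOwnPropertyDescriptor(Symbol.prototype, "description").get;
  try {
    getter.call({});
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Stand-alone run: print the comparison table.
console.table(compareStrategies());
```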
3854 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3855
3856         [JSC] Correct values and members of JSBigInt appropriately
3857         https://bugs.webkit.org/show_bug.cgi?id=186196
3858
3859         Reviewed by Darin Adler.
3860
3861         This patch cleans up a bit to select more appropriate values and members of JSBigInt.
3862
3863         1. JSBigInt's structure should be StructureIsImmortal.
3864         2. JSBigInt::allocationSize should be annotated with `inline`.
3865         3. Remove JSBigInt::visitChildren since it is completely the same as JSCell::visitChildren.
3866         4. Remove JSBigInt::finishCreation since it is completely the same as JSCell::finishCreation.
3867
3868         * runtime/JSBigInt.cpp:
3869         (JSC::JSBigInt::allocationSize):
3870         (JSC::JSBigInt::allocateFor):
3871         (JSC::JSBigInt::compareToDouble):
3872         (JSC::JSBigInt::visitChildren): Deleted.
3873         (JSC::JSBigInt::finishCreation): Deleted.
3874         * runtime/JSBigInt.h:
3875
3876 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3877
3878         [DFG] InById should be converted to MatchStructure
3879         https://bugs.webkit.org/show_bug.cgi?id=185803
3880
3881         Reviewed by Keith Miller.
3882
3883         MatchStructure was introduced for the instanceof optimization. But this node
3884         is also useful for the InById node. This patch converts InById to a MatchStructure
3885         node with CheckStructures if possible by using InByIdStatus.
3886
3887         Added microbenchmarks show improvements.
3888
3889                                    baseline                  patched
3890
3891         in-by-id-removed       18.1196+-0.8108     ^     16.1702+-0.9773        ^ definitely 1.1206x faster
3892         in-by-id-match         16.3912+-0.2608     ^     15.2736+-0.8173        ^ definitely 1.0732x faster
3893
3894         * JavaScriptCore.xcodeproj/project.pbxproj:
3895         * Sources.txt:
3896         * bytecode/InByIdStatus.cpp: Added.
3897         (JSC::InByIdStatus::appendVariant):
3898         (JSC::InByIdStatus::computeFor):
3899         (JSC::InByIdStatus::hasExitSite):
3900         (JSC::InByIdStatus::computeForStubInfo):
3901         (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3902         (JSC::InByIdStatus::filter):
3903         (JSC::InByIdStatus::dump const):
3904         * bytecode/InByIdStatus.h: Added.
3905         (JSC::InByIdStatus::InByIdStatus):
3906         (JSC::InByIdStatus::state const):
3907         (JSC::InByIdStatus::isSet const):
3908         (JSC::InByIdStatus::operator bool const):
3909         (JSC::InByIdStatus::isSimple const):
3910         (JSC::InByIdStatus::numVariants const):
3911         (JSC::InByIdStatus::variants const):
3912         (JSC::InByIdStatus::at const):
3913         (JSC::InByIdStatus::operator[] const):
3914         (JSC::InByIdStatus::takesSlowPath const):
3915         * bytecode/InByIdVariant.cpp: Added.
3916         (JSC::InByIdVariant::InByIdVariant):
3917         (JSC::InByIdVariant::attemptToMerge):
3918         (JSC::InByIdVariant::dump const):
3919         (JSC::InByIdVariant::dumpInContext const):
3920         * bytecode/InByIdVariant.h: Added.
3921         (JSC::InByIdVariant::isSet const):
3922         (JSC::InByIdVariant::operator bool const):
3923         (JSC::InByIdVariant::structureSet const):
3924         (JSC::InByIdVariant::structureSet):
3925         (JSC::InByIdVariant::conditionSet const):