[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove getTypedArrayImpl
        https://bugs.webkit.org/show_bug.cgi?id=187338

        Reviewed by Mark Lam.

        getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
        are limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
        This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.

        * runtime/ClassInfo.h:
        * runtime/GenericTypedArrayView.h:
        (JSC::GenericTypedArrayView::data const): Deleted.
        (JSC::GenericTypedArrayView::set): Deleted.
        (JSC::GenericTypedArrayView::setRange): Deleted.
        (JSC::GenericTypedArrayView::zeroRange): Deleted.
        (JSC::GenericTypedArrayView::zeroFill): Deleted.
        (JSC::GenericTypedArrayView::length const): Deleted.
        (JSC::GenericTypedArrayView::item const): Deleted.
        (JSC::GenericTypedArrayView::set const): Deleted.
        (JSC::GenericTypedArrayView::setNative const): Deleted.
        (JSC::GenericTypedArrayView::getRange): Deleted.
        (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
        (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::possiblySharedImpl):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
        * runtime/JSCell.cpp:
        (JSC::JSCell::getTypedArrayImpl): Deleted.
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getTypedArrayImpl): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.

2018-07-10  Keith Miller  <keith_miller@apple.com>

        hasOwnProperty returns true for out of bounds property index on TypedArray
        https://bugs.webkit.org/show_bug.cgi?id=187520

        Reviewed by Saam Barati.

        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):

2018-07-10  Michael Saboff  <msaboff@apple.com>

        DFG JIT: compileMathIC produces incorrect machine code
        https://bugs.webkit.org/show_bug.cgi?id=187537

        Reviewed by Saam Barati.

        Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
        fall back to the fast path generator which handles such cases.

        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateInline):

2018-07-10  Filip Pizlo  <fpizlo@apple.com>

        Change the reoptimization backoff base to 1.3 from 2
        https://bugs.webkit.org/show_bug.cgi?id=187540

        Reviewed by Saam Barati.
        
        I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
        
        I also have data that hints that a backoff base of 1 might be even better, but I think that
        we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::reoptimizationRetryCounter const):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::adjustedCounterValue):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2018-07-10  Mark Lam  <mark.lam@apple.com>

        [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
        https://bugs.webkit.org/show_bug.cgi?id=187362
        <rdar://problem/42027210>

        Reviewed by Saam Barati.

        On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
        value to use for initializing unused properties.  Updated an assertion to account
        for this.

        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):

2018-07-10  Michael Saboff  <msaboff@apple.com>

        YARR: . doesn't match non-BMP Unicode characters in some cases
        https://bugs.webkit.org/show_bug.cgi?id=187248

        Reviewed by Geoffrey Garen.

        The safety check in optimizeAlternative() for moving character classes that only consist of BMP
        characters did not take into account that the character class is inverted.  In this case, we
        represent '.' as "not a newline" using the newline character class with an inverted check.
        Clearly that includes non-BMP characters.

        The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
        inverted use of that character class.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::optimizeAlternative):

2018-07-09  Mark Lam  <mark.lam@apple.com>

        Add --traceLLIntExecution and --traceLLIntSlowPath options.
        https://bugs.webkit.org/show_bug.cgi?id=187479

        Reviewed by Yusuke Suzuki and Saam Barati.

        These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.

        The details:
        1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
        2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
           This makes it such that enabling LLINT_TRACING doesn't means that we'll
           continually spammed with logging until we rebuild.
        3. Fixed slow path LLINT tracing to work with exception check validation.

        * llint/LLIntCommon.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::slowPathLog):
        (JSC::LLInt::slowPathLn):
        (JSC::LLInt::slowPathLogF):
        (JSC::LLInt::slowPathLogLn):
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        * runtime/Options.h:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=187477

        Reviewed by Mark Lam.

        Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
        However, it is not necessary since JSCells can be reside in a constant buffer.
        This patch embeds RegExp* to a constant buffer in UnlinkedCodeBlock and CodeBlock. And remove RegExp
        vector from RareData.

        We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        (JSC::regexpToSourceString): Deleted.
        (JSC::regexpName): Deleted.
        (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
        * bytecode/BytecodeDumper.h:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::regexp const): Deleted.
        (JSC::CodeBlock::numberOfRegExps const): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
        (JSC::UnlinkedCodeBlock::regexp const): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewRegExp):
        (JSC::BytecodeGenerator::addRegExp): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_regexp):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure const):
        * runtime/RegExp.cpp:
        (JSC::regexpToSourceString):
        (JSC::RegExp::dumpToStream):
        * runtime/RegExp.h:

2018-07-09  Brian Burg  <bburg@apple.com>

        REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
        https://bugs.webkit.org/show_bug.cgi?id=187350
        <rdar://problem/41728249>

        Reviewed by Matt Baker.

        Add a new command that toggles whether or not to blackbox internal scripts.
        If blackboxed, the scripts will not be shown to the frontend and the debugger will
        not pause in source frames from blackboxed scripts. Sometimes we want to break into
        those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
        that injects scripts.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/protocol/Debugger.json:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make some data members of UnlinkedCodeBlock private
        https://bugs.webkit.org/show_bug.cgi?id=187467

        Reviewed by Mark Lam.

        This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
        We also remove m_numCapturedVars since it is no longer used.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
        https://bugs.webkit.org/show_bug.cgi?id=187465

        Reviewed by Keith Miller.

        ProxyableAccessCase is allocated so frequently and it is persisted so long. Reducing the size
        of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.

        This patch uses a bit complicated layout to reduce ProxyableAccessCase. We add unused bool member
        in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
        of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
        from 104 to 96 since it inherits ProxyableAccessCase.

        * bytecode/AccessCase.h:
        (JSC::AccessCase::viaProxy const):
        (JSC::AccessCase::AccessCase):
        * bytecode/ProxyableAccessCase.cpp:
        (JSC::ProxyableAccessCase::ProxyableAccessCase):
        * bytecode/ProxyableAccessCase.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for debug builds after r233630
        https://bugs.webkit.org/show_bug.cgi?id=187441

        * jit/JIT.cpp:
        (JSC::JIT::frameRegisterCountFor):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of CodeBlock to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187441

        Reviewed by Mark Lam.

        Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
        We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
        Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.

        We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeUseDef.h:
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numVars const):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::numVars const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct const):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jit/JIT.cpp:
        (JSC::JIT::frameRegisterCountFor):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOperations.cpp:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCJSValue.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize padding of UnlinkedCodeBlock to shrink
        https://bugs.webkit.org/show_bug.cgi?id=187448

        Reviewed by Saam Barati.

        We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
        These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.

        * bytecode/CodeType.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::codeType const):
        (JSC::UnlinkedCodeBlock::didOptimize const):
        (JSC::UnlinkedCodeBlock::setDidOptimize):
        * bytecode/VirtualRegister.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize padding of InferredTypeTable by using cellLock
        https://bugs.webkit.org/show_bug.cgi?id=187447

        Reviewed by Mark Lam.

        Use cellLock() in InferredTypeTable to guard changes of internal structures.
        This is the same usage to SparseArrayValueMap. By using cellLock(), we can
        reduce the size of InferredTypeTable from 40 to 32.

        * runtime/InferredTypeTable.cpp:
        (JSC::InferredTypeTable::visitChildren):
        (JSC::InferredTypeTable::get):
        (JSC::InferredTypeTable::willStoreValue):
        (JSC::InferredTypeTable::makeTop):
        * runtime/InferredTypeTable.h:
        Using enum class and using. And remove `isEmpty()` since it is not used.

        * runtime/Structure.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of SourceProvider to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187440

        Reviewed by Mark Lam.

        Arrange members of SourceProvider to reduce the size from 80 to 72.

        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::SourceProvider):
        * parser/SourceProvider.h:

2018-07-08  Mark Lam  <mark.lam@apple.com>

        PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
        https://bugs.webkit.org/show_bug.cgi?id=187444
        <rdar://problem/41282849>

        Reviewed by Saam Barati.

        PropertyTable supports C++ iteration by offering begin() and end() methods, and
        an iterator class.  The begin() methods and the iterator operator++() method uses
        PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
        However, PropertyTable::skipDeletedEntries() does not prevent the iteration
        pointer from being incremented past the end of the table.  As a result, we can
        iterate past the end of the table.  Note that the C++ iteration protocol tests
        for the iterator not being equal to the end() value.  It does not do a <= test.
        If the iterator ever shoots past end, the loop will effectively not terminate.

        This issue can manifest if and only if the last entry in the table is a deleted
        one, and the key field of the PropertyMapEntry shaped space at the end of the
        table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
        value.

        No test because manifesting this issue requires uncontrollable happenstance where
        memory just beyond the end of the table looks like a deleted entry.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::begin):
        (JSC::PropertyTable::end):
        (JSC::PropertyTable::begin const):
        (JSC::PropertyTable::end const):
        (JSC::PropertyTable::skipDeletedEntries):

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of SymbolTable to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187437

        Reviewed by Mark Lam.

        Arrange the layout of SymbolTable to reduce the size from 88 to 72.

        * runtime/SymbolTable.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of RegExp to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187438

        Reviewed by Mark Lam.

        Reduce the size of RegExp from 168 to 144.

        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        * runtime/RegExp.h:
        * runtime/RegExpKey.h:
        * yarr/YarrErrorCode.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of ValueProfile to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187439

        Reviewed by Mark Lam.

        Reduce the size of ValueProfile from 40 to 32 by reordering members.

        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::ValueProfileBase):

2018-07-05  Saam Barati  <sbarati@apple.com>

        ProgramExecutable may be collected as we checkSyntax on it
        https://bugs.webkit.org/show_bug.cgi?id=187359
        <rdar://problem/41832135>

        Reviewed by Mark Lam.

        The bug was we were passing in a reference to the SourceCode field on ProgramExecutable as
        the ProgramExecutable itself may be collected. The fix here is to make a copy
        of the field instead of passing in a reference inside of ParserError::toErrorObject.
        
        No new tests here as this was already caught by our iOS JSC testers.

        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):

2018-07-04  Tim Horton  <timothy_horton@apple.com>

        Introduce PLATFORM(IOSMAC)
        https://bugs.webkit.org/show_bug.cgi?id=187315

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * Configurations/FeatureDefines.xcconfig:

2018-07-03  Mark Lam  <mark.lam@apple.com>

        [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
        https://bugs.webkit.org/show_bug.cgi?id=187255
        <rdar://problem/41785257>

        Reviewed by Saam Barati.

        The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
        too: basically, do what the 64-bit code is doing.  At present, this change only
        serves to pacify an assertion.  It is not needed for correctness because the
        concurrent GC is not used on 32-bit builds.

        This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
        test.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):

2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
        https://bugs.webkit.org/show_bug.cgi?id=187290

        Reviewed by Saam Barati.

        slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
        we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
        is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
        easily calculated from JSType.
        This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::elementSize):
        (JSC::JSArrayBufferView::slowDownAndWasteMemory):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedBuffer):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory): Deleted.
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.

2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Regular expressions with ".?" expressions at the start and the end match the entire string
        https://bugs.webkit.org/show_bug.cgi?id=119191

        Reviewed by Michael Saboff.

        r90962 optimized regular expressions in the form of /.*abc.*/ by looking
        for "abc" first and then processing the leading and trailing dot stars
        to find the beginning and the end of the match. However, it erroneously
        enabled this optimization for regular expressions whose leading or
        trailing dots had quantifiers that were not of arbitrary length, e.g.,
        /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
        match the entire string when it shouldn't. This patch disables the
        optimization for those cases.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):

2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        RegExp.exec returns wrong value with a long integer quantifier
        https://bugs.webkit.org/show_bug.cgi?id=187042

        Reviewed by Saam Barati.

        Prior to this patch, the Yarr parser checked for integer overflow when
        parsing quantifiers in regular expressions by adding one digit at a time
        to a number and checking if the result got larger. This is wrong;
        The parser would fail to detect overflow when parsing, for example,
        10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.

        Another issue was that once it detected overflow, it stopped consuming
        the remaining digits. Since it didn't find the closing bracket, it
        parsed the quantifier as a normal string instead.

        This patch fixes these issues by reading all the digits and checking for
        overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
        returns the largest possible value (quantifyInfinite in this case). This
        matches Chrome [1], Firefox [2], and Edge [3].

        [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
        [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
        [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::consumeNumber):

2018-07-02  Keith Miller  <keith_miller@apple.com>

        InstanceOf IC should do generic if the prototype is not an object.
        https://bugs.webkit.org/show_bug.cgi?id=187250

        Reviewed by Mark Lam.

        The old code was wrong for two reasons. First, the AccessCase expected that
        the prototype value would be non-null. Second, we would end up returning
        false instead of throwing an exception.

        * jit/Repatch.cpp:
        (JSC::tryCacheInstanceOf):

2018-07-01  Mark Lam  <mark.lam@apple.com>

        Builtins and host functions should get their own structures.
        https://bugs.webkit.org/show_bug.cgi?id=187211
        <rdar://problem/41646336>

        Reviewed by Saam Barati.

        JSFunctions do lazy reification of properties, but ordinary functions applies
        different rules of property reification than builtin and host functions.  Hence,
        we should give builtins and host functions their own structures.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::selectStructureForNewFuncExp):
        (JSC::JSFunction::create):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::hostFunctionStructure const):
        (JSC::JSGlobalObject::arrowFunctionStructure const):
        (JSC::JSGlobalObject::sloppyFunctionStructure const):
        (JSC::JSGlobalObject::strictFunctionStructure const):

2018-07-01  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
        <https://webkit.org/b/187233>

        Reviewed by Mark Lam.

        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition): Add struct member
        initialization. Simplify default constructor.
        (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
        union to the beginning to make it easy to zero out all fields.
        (JSC::JSTokenLocation::JSTokenLocation): Add struct member
        initialization.  Simplify default constructor.  Note that
        `endOffset` was not being initialized previously.
        (JSC::JSTextPosition::JSToken): Add struct member initialization
        where necessary.
        * runtime/IntlObject.cpp:
        (JSC::MatcherResult): Add struct member initialization.

2018-06-23  Darin Adler  <darin@apple.com>

        [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=186973

        Reviewed by Dan Bernstein.

        * API/JSContext.mm:
        (WeakContextRef::WeakContextRef): Deleted.
        (WeakContextRef::~WeakContextRef): Deleted.
        (WeakContextRef::get): Deleted.
        (WeakContextRef::set): Deleted.

        * API/JSContextInternal.h: Removed unneeded header guards since this is
        an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
        of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
        since neither is used outside the class implementation.

        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]): Use a bridging cast.
        (-[JSManagedValue dealloc]): Ditto.
        (-[JSManagedValue didAddOwner:]): Ditto.
        (-[JSManagedValue didRemoveOwner:]): Ditto.
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
        (JSManagedValueHandleOwner::finalize): Ditto.
        * API/JSValue.mm:
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
        (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
        (-[JSValue valueForProperty:]): Ditto.
        (-[JSValue setValue:forProperty:]): Ditto.
        (-[JSValue deleteProperty:]): Ditto.
        (-[JSValue hasProperty:]): Ditto.
        (-[JSValue invokeMethod:withArguments:]): Ditto.
        (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
        (valueToArray): Ditto.
        (valueToDictionary): Ditto.
        (objectToValueWithoutCopy): Ditto.
        (objectToValue): Ditto.
        * API/JSVirtualMachine.mm:
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
        (-[JSVirtualMachine isOldExternalObject:]): Ditto.
        (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
        (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
        (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
        (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
        (scanExternalObjectGraph): Ditto.
        (scanExternalRememberedSet): Ditto.
        * API/JSWrapperMap.mm:
        (makeWrapper): Ditto.
        (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
        (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
        (tryUnwrapObjcObject): Ditto.
        * API/ObjCCallbackFunction.mm:
        (blockSignatureContainsClass): Ditto.
        (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
        sure we will be keeping this the same way under ARC.
        (objCCallbackFunctionForBlock): Use a bridging cast.

        * API/ObjcRuntimeExtras.h:
        (protocolImplementsProtocol): Use a more specific type that includes the
        explicit __unsafe_unretained for copied protocol lists.
        (forEachProtocolImplementingProtocol): Ditto.

        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
        (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.

        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
        CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
        (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
        (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
        (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.

2018-06-30  Adam Barth  <abarth@webkit.org>

        Port JavaScriptCore to OS(FUCHSIA)
        https://bugs.webkit.org/show_bug.cgi?id=187223

        Reviewed by Daniel Bates.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
        * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
        (JSC::MachineContext::stackPointerImpl):
        (JSC::MachineContext::framePointerImpl):
        (JSC::MachineContext::instructionPointerImpl):
        (JSC::MachineContext::argumentPointer<1>):
        (JSC::MachineContext::llintInstructionPointer):

2018-06-30  David Kilzer  <ddkilzer@apple.com>

        Fix clang static analyzer warnings: Garbage return value
        <https://webkit.org/b/187224>

        Reviewed by Eric Carlson.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
        - Use brace initialization for local variables.
        * debugger/DebuggerCallFrame.cpp:
        (class JSC::LineAndColumnFunctor):
        - Use class member initialization for member variables.

2018-06-29  Saam Barati  <sbarati@apple.com>

        Unreviewed. Try to fix Windows build after r233377

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):

2018-06-29  Saam Barati  <sbarati@apple.com>

        Don't use tracePoints in JS/Wasm entry
        https://bugs.webkit.org/show_bug.cgi?id=187196

        Reviewed by Mark Lam.

        This puts VM entry and Wasm entry tracePoints behind a runtime
        option. This is a ~4x speedup on a soon to be released Wasm
        benchmark. tracePoints should basically never run more than 50
        times a second. Entering the VM and entering Wasm are user controlled,
        and can happen hundreds of thousands of times in a second. Depending
        on how the Wasm/JS code is structured, this can be disastrous for
        performance.

        * runtime/Options.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2018-06-29  Saam Barati  <sbarati@apple.com>

        We shouldn't recurse into the parser when gathering metadata about various function offsets
        https://bugs.webkit.org/show_bug.cgi?id=184074
        <rdar://problem/37165897>

        Reviewed by Mark Lam.

        Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
        for that builtin. This required calling into the parser. However, the parser
        may throw a stack overflow. We were not able to recover from that. The only
        reason we called into the parser here is that we were gathering text offsets
        and various metadata for things in the builtin function. This patch writes a
        mini parser that figures this information out without calling into the full
        parser. (I've also added a debug assert that verifies the mini parser stays in
        sync with the full parser.) The result of this is that BuiltinExecutbles::createExecutable
        always succeeds.

        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.createAsyncFromSyncIterator):
        (globalPrivate.AsyncFromSyncIteratorConstructor):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * builtins/GlobalOperations.js:
        (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
        (globalPrivate.speciesConstructor):
        (globalPrivate.copyDataProperties):
        (globalPrivate.copyDataPropertiesNoExclusions):
        * builtins/PromiseOperations.js:
        (globalPrivate.newHandledRejectedPromise):
        * builtins/RegExpPrototype.js:
        (globalPrivate.hasObservableSideEffectsForRegExpMatch):
        (globalPrivate.hasObservableSideEffectsForRegExpSplit):
        * builtins/StringPrototype.js:
        (globalPrivate.hasObservableSideEffectsForStringReplace):
        (globalPrivate.getDefaultCollator):
        * parser/Nodes.cpp:
        (JSC::FunctionMetadataNode::FunctionMetadataNode):
        (JSC::FunctionMetadataNode::operator== const):
        (JSC::FunctionMetadataNode::dump const):
        * parser/Nodes.h:
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserError.h:
        (JSC::ParserError::type const):
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::operator== const):
        (JSC::JSTextPosition::operator!= const):
        * parser/SourceCode.h:
        (JSC::SourceCode::operator== const):
        (JSC::SourceCode::operator!= const):
        (JSC::SourceCode::subExpression const):
        (JSC::SourceCode::subExpression): Deleted.

2018-06-28  Michael Saboff  <msaboff@apple.com>
  
        IsoCellSet::sweepToFreeList() not safe when Full GC in process
        https://bugs.webkit.org/show_bug.cgi?id=187157

        Reviewed by Mark Lam.

        * heap/IsoCellSet.cpp:
        (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
        is in MarkedBlock::Handle::specializedSweep where it takes into account whether
        or not we are in the process of marking during a full GC.
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.

2018-06-27  Saam Barati  <sbarati@apple.com>

        Add some more register state information when we crash in repatchPutById
        https://bugs.webkit.org/show_bug.cgi?id=187112

        Reviewed by Mark Lam.

        This will help us gather info when we end up seeing a ObjectPropertyConditionSet
        with an offset that is different than what the put tells us.

        * jit/Repatch.cpp:
        (JSC::tryCachePutByID):

2018-06-27  Mark Lam  <mark.lam@apple.com>

        Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
        https://bugs.webkit.org/show_bug.cgi?id=187119

        Reviewed by Keith Miller.

        $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
        should be checking for codeBlock instead of !codeBlock
        before using the codeBlock.

        I also renamed some other "print" functions to use "dump" instead
        to match their underlying C++ code that they will call e.g.
        CodeBlock::dumpSource().

        * tools/JSDollarVM.cpp:
        (WTF::JSDollarVMCallFrame::finishCreation):
        (JSC::functionDumpSourceFor):
        (JSC::functionDumpBytecodeFor):
        (JSC::doPrint):
        (JSC::functionDataLog):
        (JSC::functionPrint):
        (JSC::functionDumpCallFrame):
        (JSC::functionDumpStack):
        (JSC::JSDollarVM::finishCreation):
        (JSC::functionPrintSourceFor): Deleted.
        (JSC::functionPrintBytecodeFor): Deleted.
        (JSC::doPrintln): Deleted.
        (JSC::functionPrintln): Deleted.
        (JSC::functionPrintCallFrame): Deleted.
        (JSC::functionPrintStack): Deleted.
        * tools/VMInspector.cpp:
        (JSC::DumpFrameFunctor::DumpFrameFunctor):
        (JSC::DumpFrameFunctor::operator() const):
        (JSC::VMInspector::dumpCallFrame):
        (JSC::VMInspector::dumpStack):
        (JSC::VMInspector::dumpValue):
        (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
        (JSC::PrintFrameFunctor::operator() const): Deleted.
        (JSC::VMInspector::printCallFrame): Deleted.
        (JSC::VMInspector::printStack): Deleted.
        (JSC::VMInspector::printValue): Deleted.
        * tools/VMInspector.h:

2018-06-27  Keith Miller  <keith_miller@apple.com>

        Add logging to try to diagnose where we get a null structure.
        https://bugs.webkit.org/show_bug.cgi?id=187106

        Reviewed by Mark Lam.

        Add a logging to JSObject::toPrimitive to help diagnose a nullptr
        structure crash.

        This code should be removed when we fix <rdar://problem/33451840>

        * runtime/JSObject.cpp:
        (JSC::callToPrimitiveFunction):
        * runtime/JSObject.h:
        (JSC::JSObject::getPropertySlot):

2018-06-27  Mark Lam  <mark.lam@apple.com>

        DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
        https://bugs.webkit.org/show_bug.cgi?id=187091
        <rdar://problem/41395624>

        Reviewed by Yusuke Suzuki.

        Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
        take their slow paths, the slow path would jump back to the fast path right after
        the emitted code which clears the unused property values.  As a result, the
        unused properties are not initialized.  We've fixed this by adding the slow path
        generators before we emit the code to clear the unused properties.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):

2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
        https://bugs.webkit.org/show_bug.cgi?id=185943

        Reviewed by Mark Lam.

        ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
        the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
        the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated.".
        This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.

        ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
        but it should be done in a separate patch since it would be performance sensitive.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::emitDirectBinding):

2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Pass VM& to functions more
        https://bugs.webkit.org/show_bug.cgi?id=186241

        Reviewed by Mark Lam.

        This patch threads VM& to functions requiring VM& more.

        * API/JSObjectRef.cpp:
        (JSObjectIsConstructor):
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h:
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureStubClearingWatchpoint::fireInternal):
        * bytecode/StructureStubClearingWatchpoint.h:
        * bytecode/Watchpoint.cpp:
        (JSC::Watchpoint::fire):
        (JSC::WatchpointSet::fireAllWatchpoints):
        * bytecode/Watchpoint.h:
        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
        * dfg/DFGAdaptiveStructureWatchpoint.cpp:
        (JSC::DFG::AdaptiveStructureWatchpoint::install):
        (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
        * dfg/DFGAdaptiveStructureWatchpoint.h:
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        (JSC::esSpecIsConstructor):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
        * runtime/FunctionRareData.h:
        * runtime/InferredStructureWatchpoint.cpp:
        (JSC::InferredStructureWatchpoint::fireInternal):
        * runtime/InferredStructureWatchpoint.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructureSlow):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isConstructor const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isConstructor):
        (JSC::JSCell::methodTable const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
        (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::finishCreation):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::setObjectToStringValue):
        (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
        (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):

2018-06-26  Mark Lam  <mark.lam@apple.com>

        eval() is wrong about the LiteralParser never throwing any exceptions.
        https://bugs.webkit.org/show_bug.cgi?id=187074
        <rdar://problem/41461099>

        Reviewed by Saam Barati.

        Added the missing exception check, and removed an erroneous assertion.

        * interpreter/Interpreter.cpp:
        (JSC::eval):

2018-06-26  Saam Barati  <sbarati@apple.com>

        JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
        https://bugs.webkit.org/show_bug.cgi?id=186878
        <rdar://problem/40568659>

        Reviewed by Filip Pizlo.

        This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
        our stress GC bots. Before this patch, JSImmutableButterfly was allocated
        with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
        be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
        called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
        conservative scan knows to treat it like a butterfly in when we we may be
        pointing into the middle of it.
        
        The way we were crashing on the stress GC bots is that our conservative marking
        won't do cell visiting for things that are Auxiliary. This meant that if the
        stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
        that JSImmutableButterfly would not be visited. This is now fixed.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * debugger/Debugger.cpp:
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddPointer):
        * heap/Heap.cpp:
        (JSC::GatherHeapSnapshotData::operator() const):
        (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::deleteAllCodeBlocks):
        * heap/HeapCell.cpp:
        (WTF::printInternal):
        * heap/HeapCell.h:
        (JSC::isJSCellKind):
        (JSC::hasInteriorPointers):
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        (JSC::HeapUtil::isPointerGCObjectJSCell):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::didAddToDirectory):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSImmutableButterfly.h:
        (JSC::JSImmutableButterfly::subspaceFor):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * tools/CellProfile.h:
        (JSC::CellProfile::CellProfile):
        (JSC::CellProfile::isJSCell const):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::validateCell):

2018-06-26  Mark Lam  <mark.lam@apple.com>

        Skip some unnecessary work in Interpreter::getStackTrace().
        https://bugs.webkit.org/show_bug.cgi?id=187070

        Reviewed by Michael Saboff.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::getStackTrace):

2018-06-26  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
        https://bugs.webkit.org/show_bug.cgi?id=187060
        <rdar://problem/41452767>

        Reviewed by Keith Miller.

        JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
        write conversion.  Hence, we can return early after the conversion if the vector
        length is already sufficient to cover the requested length.

        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):

2018-06-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r233184.
        https://bugs.webkit.org/show_bug.cgi?id=187059

        "It regressed JetStream between 5-8%" (Requested by saamyjoon
        on #webkit).

        Reverted changeset:

        "JSImmutableButterfly can't be allocated from a subspace with
        HeapCell::Kind::Auxiliary"
        https://bugs.webkit.org/show_bug.cgi?id=186878
        https://trac.webkit.org/changeset/233184

2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
        https://bugs.webkit.org/show_bug.cgi?id=187051

        Reviewed by Mark Lam.

        Revert r233065 changes over UnlinkedCodeBlock.h to allow
        clang-3.8 to be able to compile this back (with libstdc++5)

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):

2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>

        Fix testapi build when DFG_JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=187038

        Reviewed by Mark Lam.

        r233158 added a new API and tests for configuring the number of JIT threads, but
        the API is only available when DFG_JIT is enabled and so should the tests.

        * API/tests/testapi.mm:
        (runJITThreadLimitTests):

2018-06-25  Saam Barati  <sbarati@apple.com>

        JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
        https://bugs.webkit.org/show_bug.cgi?id=186878
        <rdar://problem/40568659>

        Reviewed by Mark Lam.

        This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
        our stress GC bots. Before this patch, JSImmutableButterfly was allocated
        with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
        allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
        bots is that our conservative marking won't do cell marking for things that
        are Auxiliary. This means that if the stack is the only thing pointing to a
        JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
        not be visited. This patch fixes this bug. This patch also extends our conservative
        marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        * runtime/JSImmutableButterfly.h:
        (JSC::JSImmutableButterfly::subspaceFor):

2018-06-25  Mark Lam  <mark.lam@apple.com>

        constructArray() should set m_numValuesInVector to the specified length.
        https://bugs.webkit.org/show_bug.cgi?id=187010
        <rdar://problem/41392167>

        Reviewed by Filip Pizlo.

        Its client will fill in the storage vector with some values using initializeIndex()
        and expects m_numValuesInVector to be set to the length i.e. the number of values
        to be initialized.

        * runtime/JSArray.cpp:
        (JSC::constructArray):

2018-06-25  Mark Lam  <mark.lam@apple.com>

        Add missing exception check in RegExpObjectInlines.h's collectMatches.
        https://bugs.webkit.org/show_bug.cgi?id=187006
        <rdar://problem/41418412>

        Reviewed by Keith Miller.

        * runtime/RegExpObjectInlines.h:
        (JSC::collectMatches):

2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>

        Add API for configuring the number of threads used by DFG and FTL
        https://bugs.webkit.org/show_bug.cgi?id=186859
        <rdar://problem/41093519>

        Reviewed by Filip Pizlo.

        Add new private APIs for limiting the number of threads to be used by
        the DFG and FTL compilers. It was already possible to configure the
        limit through JSC Options, but now it can be changed at runtime, even
        in the case when the VM is already running.

        Add a test for both cases: when trying to configure the limit before
        and after the Worklist has been created, but in order to simulate the
        first scenario, we must guarantee that the test runs at the very
        beginning, so I also added a check for that.

        * API/JSVirtualMachine.mm:
        (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
        (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
        * API/JSVirtualMachinePrivate.h:
        * API/tests/testapi.mm:
        (runJITThreadLimitTests):
        (testObjectiveCAPIMain):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::createNewThread):
        (JSC::DFG::Worklist::setNumberOfThreads):
        * dfg/DFGWorklist.h:

2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove unnecessary PLATFORM guards
        https://bugs.webkit.org/show_bug.cgi?id=186995

        Reviewed by Mark Lam.

        * assembler/AssemblerCommon.h:
        (JSC::isIOS):
        Add constexpr.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        StackFrame works in all the platforms. If StackFrame::demangle failed,
        it just returns std::nullopt. And it is correctly handled in this code.

2018-06-23  Mark Lam  <mark.lam@apple.com>

        Add more debugging features to $vm.
        https://bugs.webkit.org/show_bug.cgi?id=186947

        Reviewed by Keith Miller.

        Adding the following features:

            // We now have println in addition to print.
            // println automatically adds a '\n' at the end.
            $vm.println("Hello");

            // We can now capture some info about a stack frame.
            var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
            var callerCallerFrame = $vm.callFrame(2);

            // We can inspect the following values associated with the frame:
            if (currentFrame.valid) {
                $vm.println("name is ", currentFrame.name));

                // Note: For a WASM frame, all of these will be undefined.
                $vm.println("callee is ", $vm.value(currentFrame.callee));
                $vm.println("codeBlock is ", currentFrame.codeBlock);
                $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
                $vm.println("executable is ", currentFrame.executable);
            }

            // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
            // to dataLog its JSValue instead of its toString() result.

            // Note that $vm.println() (and $vm.print()) can now print internal JSCells
            // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
            // toString on a non-object.

            // Does what it says about enabling/disabling debugger mode.
            $vm.enableDebuggerModeWhenIdle();
            $vm.disableDebuggerModeWhenIdle();

        * tools/JSDollarVM.cpp:
        (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
        (WTF::JSDollarVMCallFrame::createStructure):
        (WTF::JSDollarVMCallFrame::create):
        (WTF::JSDollarVMCallFrame::finishCreation):
        (WTF::JSDollarVMCallFrame::addProperty):
        (JSC::functionCallFrame):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::doPrintln):
        (JSC::functionPrint):
        (JSC::functionPrintln):
        (JSC::changeDebuggerModeWhenIdle):
        (JSC::functionEnableDebuggerModeWhenIdle):
        (JSC::functionDisableDebuggerModeWhenIdle):
        (JSC::JSDollarVM::finishCreation):

2018-06-22  Keith Miller  <keith_miller@apple.com>

        We need to have a getDirectConcurrently for use in the compilers
        https://bugs.webkit.org/show_bug.cgi?id=186954

        Reviewed by Mark Lam.

        It used to be that the propertyStorage of an object never shrunk
        so if you called getDirect with some offset it would never be an
        OOB read. However, this property storage can shrink when calling
        flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
        holds the Structure's ConcurrentJSLock while shrinking. This patch,
        adds a getDirectConcurrently that will safely try to load from the
        butterfly.

        * bytecode/ObjectPropertyConditionSet.cpp:
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetConstantProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getDirectConcurrently const):

2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Use Ref<> for the result type of non-failing factory functions
        https://bugs.webkit.org/show_bug.cgi?id=186920

        Reviewed by Darin Adler.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::ThreadBody::ThreadBody):
        (JSC::DFG::Worklist::finishCreation):
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::Thread::Thread):
        * heap/Heap.h:
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::Thread::Thread):
        * jit/JITWorklist.h:
        * runtime/VMTraps.cpp:
        * runtime/VMTraps.h:
        * wasm/WasmWorklist.cpp:
        * wasm/WasmWorklist.h:

2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Add user-defined literal for ASCIILiteral
        https://bugs.webkit.org/show_bug.cgi?id=186839

        Reviewed by Darin Adler.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunctionWithCallback):
        * API/JSTypedArray.cpp:
        (JSObjectGetArrayBufferBytesPtr):
        * API/JSValue.mm:
        (valueToArray):
        (valueToDictionary):
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsFunction):
        (JSC::objCCallbackFunctionCallAsConstructor):
        (JSC::ObjCCallbackFunctionImpl::call):
        * API/glib/JSCCallbackFunction.cpp:
        (JSC::JSCCallbackFunction::call):
        (JSC::JSCCallbackFunction::construct):
        * API/glib/JSCContext.cpp:
        (jscContextJSValueToGValue):
        * API/glib/JSCValue.cpp:
        (jsc_value_object_define_property_accessor):
        (jscValueFunctionCreate):
        * builtins/BuiltinUtils.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::nameForRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorNext):
        (JSC::BytecodeGenerator::emitIteratorClose):
        (JSC::BytecodeGenerator::emitDelegateYield):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::PostfixNode::emitBytecode):
        (JSC::PrefixNode::emitBytecode):
        (JSC::AssignErrorNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::ObjectPatternNode::bindValue const):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        (Inspector::ConsoleMessage::clear):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::InjectedScript):
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapJSONString const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::setExceptionValue):
        (Inspector::InjectedScript::clearExceptionValue):
        (Inspector::InjectedScript::findObjectById const):
        (Inspector::InjectedScript::inspectObject):
        (Inspector::InjectedScript::releaseObject):
        (Inspector::InjectedScript::releaseObjectGroup):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors):
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::profile):
        (Inspector::JSGlobalObjectConsoleClient::profileEnd):
        (Inspector::JSGlobalObjectConsoleClient::timeStamp):
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
        (Inspector::JSJavaScriptCallFrame::type const):
        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::getFirstArgumentAsString):
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::InspectorAgent):
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
        (Inspector::InspectorConsoleAgent::clearMessages):
        (Inspector::InspectorConsoleAgent::count):
        (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
        (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::getScriptSource):
        (Inspector::InspectorDebuggerAgent::getFunctionDetails):
        (Inspector::InspectorDebuggerAgent::resume):
        (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::assertPaused):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::InspectorHeapAgent):
        (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
        (Inspector::InspectorHeapAgent::getPreview):
        (Inspector::InspectorHeapAgent::getRemoteObject):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getPreview):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):
        (Inspector::InspectorRuntimeAgent::saveResult):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
        * inspector/scripts/codegen/cpp_generator_templates.py:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
        (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
        (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::friendlyFunctionName):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::functionName const):
        (JSC::StackVisitor::Frame::sourceURL const):
        * jit/JIT.cpp:
        (JSC::JIT::doMainThreadPreparationBeforeCompile):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (resolvePath):
        (GlobalObject::moduleLoaderImportModule):
        (GlobalObject::moduleLoaderResolve):
        (functionDescribeArray):
        (functionRun):
        (functionLoad):
        (functionCheckSyntax):
        (functionDollarEvalScript):
        (functionDollarAgentStart):
        (functionDollarAgentReceiveBroadcast):
        (functionDollarAgentBroadcast):
        (functionTransferArrayBuffer):
        (functionLoadModule):
        (functionSamplingProfilerStackTraces):
        (functionAsyncTestStart):
        (functionWebAssemblyMemoryMode):
        (runWithOptions):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage const):
        (JSC::Lexer<T>::parseString):
        (JSC::Lexer<T>::parseComplexEscape):
        (JSC::Lexer<T>::parseStringSlowCase):
        (JSC::Lexer<T>::parseTemplateLiteral):
        (JSC::Lexer<T>::lex):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::Parser::setErrorMessage):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::finishCreation):
        * runtime/ArrayBuffer.cpp:
        (JSC::errorMesasgeForTransfer):
        * runtime/ArrayBufferSharingMode.h:
        (JSC::arrayBufferSharingModeName):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        (JSC::isArraySlowInline):
        * runtime/ArrayPrototype.cpp:
        (JSC::setLength):
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncUnShift):
        * runtime/AtomicsObject.cpp:
        (JSC::atomicsFuncWait):
        (JSC::atomicsFuncWake):
        * runtime/BigIntConstructor.cpp:
        (JSC::BigIntConstructor::finishCreation):
        (JSC::toBigInt):
        (JSC::callBigIntConstructor):
        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::toStringName):
        * runtime/BigIntPrototype.cpp:
        (JSC::bigIntProtoFuncToString):
        (JSC::bigIntProtoFuncValueOf):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        * runtime/ConsoleObject.cpp:
        (JSC::valueOrDefaultLabelString):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate):
        (JSC::formateDateInstance):
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToJSON):
        * runtime/Error.cpp:
        (JSC::createNotEnoughArgumentsError):
        (JSC::throwSyntaxError):
        (JSC::createTypeError):
        (JSC::createOutOfMemoryError):
        * runtime/Error.h:
        (JSC::throwVMError):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::sanitizedToString):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionFuzz.cpp:
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionHelpers.cpp:
        (JSC::TerminatedExecutionError::defaultValue):
        (JSC::createStackOverflowError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        * runtime/GetterSetter.cpp:
        (JSC::callSetter):
        * runtime/IntlCollator.cpp:
        (JSC::sortLocaleData):
        (JSC::searchLocaleData):
        (JSC::IntlCollator::initializeCollator):
        (JSC::IntlCollator::compareStrings):
        (JSC::IntlCollator::usageString):
        (JSC::IntlCollator::sensitivityString):
        (JSC::IntlCollator::caseFirstString):
        (JSC::IntlCollator::resolvedOptions):
        * runtime/IntlCollator.h:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::defaultTimeZone):
        (JSC::canonicalizeTimeZoneName):
        (JSC::IntlDTFInternal::localeData):
        (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::weekdayString):
        (JSC::IntlDateTimeFormat::eraString):
        (JSC::IntlDateTimeFormat::yearString):
        (JSC::IntlDateTimeFormat::monthString):
        (JSC::IntlDateTimeFormat::dayString):
        (JSC::IntlDateTimeFormat::hourString):
        (JSC::IntlDateTimeFormat::minuteString):
        (JSC::IntlDateTimeFormat::secondString):
        (JSC::IntlDateTimeFormat::timeZoneNameString):
        (JSC::IntlDateTimeFormat::resolvedOptions):
        (JSC::IntlDateTimeFormat::format):
        (JSC::IntlDateTimeFormat::partTypeString):
        (JSC::IntlDateTimeFormat::formatToParts):
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatNumber):
        (JSC::IntlNumberFormat::styleString):
        (JSC::IntlNumberFormat::currencyDisplayString):
        (JSC::IntlNumberFormat::resolvedOptions):
        (JSC::IntlNumberFormat::partTypeString):
        (JSC::IntlNumberFormat::formatToParts):
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::grandfatheredLangTag):
        (JSC::canonicalizeLocaleList):
        (JSC::resolveLocale):
        (JSC::supportedLocales):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::finishCreation):
        * runtime/IntlPluralRulesPrototype.cpp:
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorClose):
        (JSC::hasIteratorMethod):
        (JSC::iteratorMethod):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        (JSC::JSArray::setLengthWithArrayStorage):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::pop):
        * runtime/JSArray.h:
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        (JSC::arrayBufferProtoGetterFuncByteLength):
        (JSC::sharedArrayBufferProtoGetterFuncByteLength):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::toStringName):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::toNumber const):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        (JSC::JSValue::putToPrimitiveByIndex):
        (JSC::JSValue::toStringSlowCase const):
        * runtime/JSCJSValueInlines.h:
        (JSC::toPreferredPrimitiveType):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::create):
        (JSC::JSDataView::put):
        (JSC::JSDataView::defineOwnProperty):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncIndexOf):
        (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::name const):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncProtoSetter):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSMap.cpp:
        (JSC::JSMap::toStringName):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::put):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::put):
        (JSC::JSModuleNamespaceObject::putByIndex):
        (JSC::JSModuleNamespaceObject::defineOwnProperty):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::calculatedClassName):
        (JSC::ordinarySetSlow):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::ordinaryToPrimitive const):
        (JSC::JSObject::defaultHasInstance):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::validateAndApplyPropertyDescriptor):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInlineForJSObject):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        * runtime/JSSet.cpp:
        (JSC::JSSet::toStringName):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::constructTypedArrayView):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncLength):
        (JSC::typedArrayViewProtoFuncSet):
        (JSC::typedArrayViewProtoFuncCopyWithin):
        (JSC::typedArrayViewProtoFuncLastIndexOf):
        (JSC::typedArrayViewProtoFuncIndexOf):
        (JSC::typedArrayViewProtoFuncJoin):
        (JSC::typedArrayViewProtoGetterFuncBuffer):
        (JSC::typedArrayViewProtoGetterFuncLength):
        (JSC::typedArrayViewProtoGetterFuncByteLength):
        (JSC::typedArrayViewProtoGetterFuncByteOffset):
        (JSC::typedArrayViewProtoFuncReverse):
        (JSC::typedArrayViewPrivateFuncSubarrayCreate):
        (JSC::typedArrayViewProtoFuncSlice):
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/JSWeakMap.cpp:
        (JSC::JSWeakMap::toStringName):
        * runtime/JSWeakSet.cpp:
        (JSC::JSWeakSet::toStringName):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex):
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        (JSC::LiteralParser<CharType>::Lexer::lexNumber):
        (JSC::LiteralParser<CharType>::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::getErrorMessage):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/MapPrototype.cpp:
        (JSC::getMap):
        * runtime/NullSetterFunction.cpp:
        (JSC::NullSetterFunctionInternal::callReturnUndefined):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::extractToStringRadixArgument):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::toPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        (JSC::objectConstructorDefineProperties):
        (JSC::objectConstructorCreate):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsSub):
        (JSC::jsMul):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/ProxyConstructor.cpp:
        (JSC::makeRevocableProxy):
        (JSC::proxyRevocableConstructorThrowError):
        (JSC::ProxyConstructor::finishCreation):
        (JSC::constructProxyObject):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::toStringName):
        (JSC::ProxyObject::finishCreation):
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        (JSC::reflectObjectDefineProperty):
        (JSC::reflectObjectGet):
        (JSC::reflectObjectGetOwnPropertyDescriptor):
        (JSC::reflectObjectGetPrototypeOf):
        (JSC::reflectObjectIsExtensible):
        (JSC::reflectObjectOwnKeys):
        (JSC::reflectObjectPreventExtensions):
        (JSC::reflectObjectSet):
        (JSC::reflectObjectSetPrototypeOf):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        (JSC::toFlags):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoGetterGlobal):
        (JSC::regExpProtoGetterIgnoreCase):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterDotAll):
        (JSC::regExpProtoGetterSticky):
        (JSC::regExpProtoGetterUnicode):
        (JSC::regExpProtoGetterFlags):
        (JSC::regExpProtoGetterSourceInternal):
        (JSC::regExpProtoGetterSource):
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeAsString):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::displayName):
        (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/SetPrototype.cpp:
        (JSC::getSet):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::SparseArrayEntry::put):
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::sourceURL const):
        (JSC::StackFrame::functionName const):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCodePoint):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::toLocaleCase):
        (JSC::stringProtoFuncNormalize):
        * runtime/Symbol.cpp:
        (JSC::Symbol::toNumber const):
        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::toStringName):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::dumpTypes const):
        (JSC::TypeSet::displayName const):
        (JSC::StructureShape::leastCommonAncestor):
        * runtime/TypeSet.h:
        (JSC::StructureShape::setConstructorName):
        * runtime/VM.cpp:
        (JSC::VM::dumpTypeProfilerData):
        * runtime/WeakMapPrototype.cpp:
        (JSC::getWeakMap):
        (JSC::protoFuncWeakMapSet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::getWeakSet):
        (JSC::protoFuncWeakSetAdd):
        * tools/JSDollarVM.cpp:
        (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetterComplex::customGetter):
        (JSC::functionSetImpureGetterDelegate):
        (JSC::functionCreateElement):
        (JSC::functionGetHiddenValue):
        (JSC::functionSetHiddenValue):
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):
        (JSC::functionLoadGetterFromGetterSetter):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::fail const):
        * wasm/WasmIndexOrName.cpp:
        (JSC::Wasm::makeString):
        * wasm/WasmParser.h:
        (JSC::Wasm::FailureHelper::makeString):
        (JSC::Wasm::Parser::fail const):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::fail const):
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::toNonWrappingUint32):
        (JSC::getWasmBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::grow):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        (JSC::WebAssemblyInstanceConstructor::finishCreation):
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        (JSC::getInstance):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        (JSC::WebAssemblyMemoryConstructor::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::getMemory):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::webAssemblyModuleCustomSections):
        (JSC::webAssemblyModuleImports):
        (JSC::webAssemblyModuleExports):
        (JSC::WebAssemblyModuleConstructor::finishCreation):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::dataSegmentFail):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::resolve):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyInstantiateStreamingInternal):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):
        (JSC::WebAssemblyTableConstructor::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::getTable):
        (JSC::webAssemblyTableProtoFuncGrow):
        (JSC::webAssemblyTableProtoFuncGet):
        (JSC::webAssemblyTableProtoFuncSet):

2018-06-22  Keith Miller  <keith_miller@apple.com>

        unshift should zero unused property storage
        https://bugs.webkit.org/show_bug.cgi?id=186960

        Reviewed by Saam Barati.

        Also, this patch adds the zeroed unused property storage assertion
        to one more place it was missing.

        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):

2018-06-22  Mark Lam  <mark.lam@apple.com>

        PropertyCondition::isValidValueForAttributes() should also consider deleted values.
        https://bugs.webkit.org/show_bug.cgi?id=186943
        <rdar://problem/41370337>

        Reviewed by Saam Barati.

        PropertyCondition::isValidValueForAttributes() should check if the passed in value
        is a deleted one before it does a jsDynamicCast on it.

        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isValidValueForAttributes):
        * runtime/JSCJSValueInlines.h:
        - removed an unnecessary #if.

2018-06-22  Keith Miller  <keith_miller@apple.com>

        performProxyCall should toThis the value passed to its handler
        https://bugs.webkit.org/show_bug.cgi?id=186951

        Reviewed by Mark Lam.

        * runtime/ProxyObject.cpp:
        (JSC::performProxyCall):

2018-06-22  Saam Barati  <sbarati@apple.com>

        ensureWritableX should only convert away from CoW when it will succeed
        https://bugs.webkit.org/show_bug.cgi?id=186898

        Reviewed by Keith Miller.

        Otherwise, when we OSR exit, we'll end up profiling the array after
        it has been converted away from CoW. It's better for the ArrayProfile
        to see the array as it's still in CoW mode.
        
        This patch also renames ensureWritableX to tryMakeWritableX since these
        were never really "ensure" operations -- they may fail and return null.

        * dfg/DFGOperations.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::tryMakeWritableInt32Slow):
        (JSC::JSObject::tryMakeWritableDoubleSlow):
        (JSC::JSObject::tryMakeWritableContiguousSlow):
        (JSC::JSObject::ensureWritableInt32Slow): Deleted.
        (JSC::JSObject::ensureWritableDoubleSlow): Deleted.
        (JSC::JSObject::ensureWritableContiguousSlow): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::tryMakeWritableInt32):
        (JSC::JSObject::tryMakeWritableDouble):
        (JSC::JSObject::tryMakeWritableContiguous):
        (JSC::JSObject::ensureWritableInt32): Deleted.
        (JSC::JSObject::ensureWritableDouble): Deleted.
        (JSC::JSObject::ensureWritableContiguous): Deleted.

2018-06-22  Keith Miller  <keith_miller@apple.com>

        We should call visitChildren on Base not the exact typename
        https://bugs.webkit.org/show_bug.cgi?id=186928

        Reviewed by Mark Lam.

        A lot of places were not properly calling visitChildren on their
        superclass. For most of them it didn't matter because they had
        immortal structures. If code changed in the future this might
        break things however.

        Also, block off more of the MethodTable for GetterSetter objects.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitChildren):
        * bytecode/ExecutableToCodeBlockEdge.cpp:
        (JSC::ExecutableToCodeBlockEdge::visitChildren):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::visitChildren):
        * runtime/EvalExecutable.cpp:
        (JSC::EvalExecutable::visitChildren):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::visitChildren):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::visitChildren):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::visitChildren):
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        * runtime/InferredType.cpp:
        (JSC::InferredType::visitChildren):
        * runtime/InferredTypeTable.cpp:
        (JSC::InferredTypeTable::visitChildren):
        * runtime/InferredValue.cpp:
        (JSC::InferredValue::visitChildren):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::visitChildren):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        * runtime/ModuleProgramExecutable.cpp:
        (JSC::ModuleProgramExecutable::visitChildren):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::visitChildren):
        * runtime/ScopedArguments.cpp:
        (JSC::ScopedArguments::visitChildren):
        * runtime/ScopedArguments.h:
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::visitChildren):

2018-06-20  Darin Adler  <darin@apple.com>

        [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity
        https://bugs.webkit.org/show_bug.cgi?id=186875

        Reviewed by Anders Carlsson.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file.

2018-06-22  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message
        https://bugs.webkit.org/show_bug.cgi?id=186915

        Reviewed by Žan Doberšek.

        Update StartAutomationSession message handling to receive a dictionary of session capabilities.

        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::processSessionCapabilities): Helper method to process the session capabilities.

2018-06-21  Mark Lam  <mark.lam@apple.com>

        WebKit (JavaScriptCore) compilation error with Clang ≥ 6.
        https://bugs.webkit.org/show_bug.cgi?id=185947
        <rdar://problem/40131933>

        Reviewed by Saam Barati.

        Newer Clang versions (due to C++17 support) is not happy with how I implemented
        conversions between CodeLocation types.  We'll fix this by adding a conversion
        operator for converting between CodeLocation types.

        * assembler/CodeLocation.h:
        (JSC::CodeLocationCommon::operator T):

2018-06-21  Saam Barati  <sbarati@apple.com>

        Do some CoW cleanup
        https://bugs.webkit.org/show_bug.cgi?id=186896

        Reviewed by Mark Lam.

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
        We don't need to WTFMove() ints

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        remove a TODO.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        We were checking for isCopyOnWrite even after we converted away
        from CoW in above code.
        (JSC::JSObject::ensureWritableInt32Slow):
        Model this in the same way the other ensureWritableXSlow are modeled.

2018-06-20  Keith Miller  <keith_miller@apple.com>

        flattenDictionaryStruture needs to zero inline storage.
        https://bugs.webkit.org/show_bug.cgi?id=186869

        Reviewed by Saam Barati.

        This patch also adds the assetion that unused property storage is
        zero or JSValue() to putDirectInternal. Additionally, functions
        have been added to $vm that flatten dictionary objects and return
        the inline capacity of an object.

        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):
        * tools/JSDollarVM.cpp:
        (JSC::functionInlineCapacity):
        (JSC::functionFlattenDictionaryObject):
        (JSC::JSDollarVM::finishCreation):

2018-06-21  Mark Lam  <mark.lam@apple.com>

        Use IsoCellSets to track Executables with clearable code.
        https://bugs.webkit.org/show_bug.cgi?id=186877

        Reviewed by Filip Pizlo.

        Here’s an example of the results that this fix may yield: 
        1. The workload: load cnn.com, wait for it to fully load, scroll down and up.
        2. Statistics on memory touched and memory freed by VM::deleteAllCode():

           Visiting Executables:
                                                        Old             New
           Number of objects visited:                   70897           14264
           Number of objects with deletable code:       14264 (20.1%)   14264 (100%)
           Number of memory pages visited:              3224            1602
           Number of memory pages with deletable code:  1602 (49.7%)    1602 (100%)

           Visitng UnlinkedFunctionExecutables:
                                                        Old             New
           Number of objects visited:                   105454          17231
           Number of objects with deletable code:       42319 (20.1%)   17231 (100%) **
           Number of memory pages visited:              4796            1349
           Number of memory pages with deletable code:  4013 (83.7%)    1349 (100%)

        ** The number of objects differ because the old code only visit unlinked
           executables indirectly via linked executables, whereas the new behavior visit
           all unlinked executables with deletable code directly.  This means:

           a. we used to not visit unlinked executables that have not been linked yet
              i.e. deleteAllCode() may not delete all code (especially code that is not
              used).
           b. we had to visit all linked executables to check if they of type
              FunctionExecutable, before going on to visit their unlinked executable, and
              this includes the ones that do not have deletable code.  This means that we
              would touch more memory in the process.

           Both of these these issues are now fixed with the new code.

        This code was tested with manually inserted instrumentation to track the above
        statistics.  It is not feasible to write an automated test for this without
        leaving a lot of invasive instrumentation in the code.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * heap/CodeBlockSetInlines.h:
        (JSC::CodeBlockSet::iterateViaSubspaces):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCodeBlocks):
        (JSC::Heap::deleteAllUnlinkedCodeBlocks):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::clearUnmarkedExecutables): Deleted.
        (JSC::Heap::addExecutable): Deleted.
        * heap/Heap.h:
        * runtime/DirectEvalExecutable.h:

        * runtime/ExecutableBase.cpp:
        (JSC::ExecutableBase::hasClearableCode const):
        - this is written based on the implementation of ExecutableBase::clearCode().

        * runtime/ExecutableBase.h:
        * runtime/FunctionExecutable.h:
        * runtime/IndirectEvalExecutable.h:
        * runtime/ModuleProgramExecutable.h:
        * runtime/ProgramExecutable.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::clearCode):
        (JSC::ScriptExecutable::installCode):
        * runtime/ScriptExecutable.h:
        (JSC::ScriptExecutable::finishCreation):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
        (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
        (JSC::VM::forEachScriptExecutableSpace):
        (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet):
        (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor):

2018-06-21  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions
        https://bugs.webkit.org/show_bug.cgi?id=186884

        Reviewed by Carlos Garcia Campos.

        Add a tuple array input parameter to the StartAutomationSession DBus
        message, representing a list of host-and-certificate pairs that have to
        be allowed for a given session. This array is then unpacked and used to
        fill out the certificates Vector object in the SessionCapabilities
        struct.

        * inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of
        String pairs representing hosts and the certificate file paths.
        * inspector/remote/glib/RemoteInspectorServer.cpp:

2018-06-20  Keith Miller  <keith_miller@apple.com>

        Expand concurrent GC assertion to accept JSValue() or 0
        https://bugs.webkit.org/show_bug.cgi?id=186855

        Reviewed by Mark Lam.

        We tend to set unused property slots to either JSValue() or 0
        depending on the context. On 64-bit these are the same but on
        32-bit JSValue() has a NaN tag. This patch makes it so we
        the accept either JSValue() or 0.

        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):

2018-06-20  Guillaume Emont  <guijemont@igalia.com>

        [Armv7] Linkbuffer: executableOffsetFor() fails for location 2
        https://bugs.webkit.org/show_bug.cgi?id=186765

        Reviewed by Michael Saboff.

        This widens the check for 0 so that we handle that case more correctly.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::executableOffsetFor):

2018-06-19  Keith Miller  <keith_miller@apple.com>

        Fix broken assertion on 32-bit
        https://bugs.webkit.org/show_bug.cgi?id=186830

        Reviewed by Mark Lam.

        The assertion was intended to catch concurrent GC issues. We don't
        run them on 32-bit so we don't need this assertion there. The
        assertion was broken because zero is not JSValue() on 32-bit.

        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):

2018-06-19  Keith Miller  <keith_miller@apple.com>

        flattenDictionaryStructure needs to zero properties that have been compressed away
        https://bugs.webkit.org/show_bug.cgi?id=186828

        Reviewed by Mark Lam.

        This patch fixes a bunch of crashing Mozilla tests on the bots.

        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2018-06-19  Saam Barati  <sbarati@apple.com>

        DirectArguments::create needs to initialize to undefined instead of the empty value
        https://bugs.webkit.org/show_bug.cgi?id=186818
        <rdar://problem/38415177>

        Reviewed by Filip Pizlo.

        The bug here is that we will emit code that just loads from DirectArguments as
        long as the index is within the known capacity of the arguments object (op_get_from_arguments).
        The arguments object has at least enough capacity to hold the declared parameters.
        When we materialized this object in OSR exit, we initialized up to to the capacity
        with JSValue(). In OSR exit, though, we only filled up to the length of the
        object with actual values. So we'd end up with a DirectArguments object with
        capacity minus length slots of JSValue(). To fix this, we need initialize up to
        capacity with jsUndefined during construction. The invariant of this object is
        that the capacity minus length slots at the end are filled in with jsUndefined.

        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::create):

2018-06-19  Michael Saboff  <msaboff@apple.com>

        Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
        https://bugs.webkit.org/show_bug.cgi?id=186827

        Reviewed by Saam Barati.

        Need to set VM::lastStackTop before any possible calls to sanitizeStack().

        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>

        ShadowChicken crashes with stack overflow in the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=186540
        <rdar://problem/39682133>

        Reviewed by Saam Barati.

        Stack overflows in the LLInt were crashing in ShadowChicken when compiling
        with debug opcodes because it was accessing the scope of the incomplete top
        frame, which hadn't been set yet. Check that we have moved past the first
        opcode (enter) and that the scope is not undefined (enter will
        initialize it to undefined).

        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):

2018-06-19  Keith Miller  <keith_miller@apple.com>

        constructArray variants should take the slow path for subclasses of Array
        https://bugs.webkit.org/show_bug.cgi?id=186812

        Reviewed by Saam Barati and Mark Lam.

        This patch fixes a crashing test in ObjectInitializationScope where we would
        allocate a new structure for an indexing type change while initializing
        a subclass of Array. Since the new array hasn't been fully initialized
        if the GC ran it would see garbage and we might crash.

        * runtime/JSArray.cpp:
        (JSC::constructArray):
        (JSC::constructArrayNegativeIndexed):
        * runtime/JSArray.h:
        (JSC::constructArray): Deleted.
        (JSC::constructArrayNegativeIndexed): Deleted.

2018-06-19  Saam Barati  <sbarati@apple.com>

        Wasm: Any function argument of type Void should be a validation error
        https://bugs.webkit.org/show_bug.cgi?id=186794
        <rdar://problem/41140257>

        Reviewed by Keith Miller.

        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parseType):

2018-06-18  Keith Miller  <keith_miller@apple.com>

        JSImmutableButterfly should assert m_header is adjacent to the data
        https://bugs.webkit.org/show_bug.cgi?id=186795

        Reviewed by Saam Barati.

        * runtime/JSImmutableButterfly.cpp:
        * runtime/JSImmutableButterfly.h:

2018-06-18  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix the build...

        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):

2018-06-18  Keith Miller  <keith_miller@apple.com>

        Unreviewed, remove bad assertion.

        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):

2018-06-18  Keith Miller  <keith_miller@apple.com>

        Properly zero unused property storage offsets
        https://bugs.webkit.org/show_bug.cgi?id=186692

        Reviewed by Filip Pizlo.

        Since the concurrent GC might see a property slot before the mutator has actually
        stored the value there, we need to ensure that slot doesn't have garbage in it.

        Right now when calling constructConvertedArrayStorageWithoutCopyingElements
        or creating a RegExp matches array, we never cleared the unused
        property storage. ObjectIntializationScope has also been upgraded
        to look for our invariants around property storage. Additionally,
        a new assertion has been added to check for JSValue() when adding
        a new property.

        We used to put undefined into deleted property offsets. To
        make things simpler, this patch causes us to store JSValue() there
        instead.

        Lastly, this patch fixes an issue where we would initialize the
        array storage of RegExpMatchesArray twice. First with 0 and
        secondly with the actual result. Now we only zero memory between
        vector length and public length.

        * runtime/Butterfly.h:
        (JSC::Butterfly::offsetOfVectorLength):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::tryCreateUninitialized):
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::create):
        (JSC::Butterfly::createOrGrowPropertyStorage):
        (JSC::Butterfly::createOrGrowArrayRight):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
        * runtime/JSArray.h:
        (JSC::tryCreateArrayButterfly):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createArrayStorageButterfly):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):
        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
        * runtime/ObjectInitializationScope.h:
        (JSC::ObjectInitializationScope::release):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        (JSC::createRegExpMatchesArray):

        * runtime/Butterfly.h:
        (JSC::Butterfly::offsetOfVectorLength):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::tryCreateUninitialized):
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::create):
        (JSC::Butterfly::createOrGrowPropertyStorage):
        (JSC::Butterfly::createOrGrowArrayRight):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
        * runtime/JSArray.h:
        (JSC::tryCreateArrayButterfly):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createArrayStorageButterfly):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):
        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::createEmptyRegExpMatchesArray):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        (JSC::createRegExpMatchesArray):

2018-06-18  Tadeu Zagallo  <tzagallo@apple.com>

        Share structure across instances of classes exported through the ObjC API
        https://bugs.webkit.org/show_bug.cgi?id=186579
        <rdar://problem/40969212>

        Reviewed by Saam Barati.

        A new structure was being created for each instance of exported ObjC
        classes due to setting the prototype in the structure for every object,
        since prototype transitions are not cached by the structure. Cache the
        Structure in the JSObjcClassInfo to avoid the transition.

        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo wrapperForObject:inContext:]):
        (-[JSObjCClassInfo structureInContext:]):
        * API/tests/JSWrapperMapTests.h: Added.
        * API/tests/JSWrapperMapTests.mm: Added.
        (+[JSWrapperMapTests testStructureIdentity]):
        (runJSWrapperMapTests):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-06-18  Michael Saboff  <msaboff@apple.com>

        Support Unicode 11 in RegExp
        https://bugs.webkit.org/show_bug.cgi?id=186685

        Reviewed by Mark Lam.

        Updated the UCD tables used to generate RegExp property tables to version 11.0.

        * Scripts/generateYarrUnicodePropertyTables.py:
        * ucd/CaseFolding.txt:
        * ucd/DerivedBinaryProperties.txt:
        * ucd/DerivedCoreProperties.txt:
        * ucd/DerivedNormalizationProps.txt:
        * ucd/PropList.txt:
        * ucd/PropertyAliases.txt:
        * ucd/PropertyValueAliases.txt:
        * ucd/ScriptExtensions.txt:
        * ucd/Scripts.txt:
        * ucd/UnicodeData.txt:
        * ucd/emoji-data.txt:

2018-06-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        [WTF] Remove workarounds needed to support libstdc++-4
        https://bugs.webkit.org/show_bug.cgi?id=186762

        Reviewed by Michael Catanzaro.

        Revert r226299, r226300 r226301 and r226302.

        * API/tests/TypedArrayCTest.cpp:
        (assertEqualsAsNumber):

2018-06-16  Michael Catanzaro  <mcatanzaro@igalia.com>

        REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
        https://bugs.webkit.org/show_bug.cgi?id=182923

        Reviewed by Mark Lam.

        The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
        Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.

        * heap/MarkedBlock.h:

2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
        https://bugs.webkit.org/show_bug.cgi?id=186723

        Reviewed by Mark Lam.

        Now, CoW -> non-CoW transition is heavy path. We inline the part of Structure::nonPropertyTransition
        to catch the major path. And we also inline JSArray::pushInline well to spread this in operationArrayPushMultiple.

        This patch improves SixSpeed/spread-literal.es5.

                                     baseline                  patched

        spread-literal.es5      114.4140+-4.5146     ^    104.5475+-3.6157        ^ definitely 1.0944x faster

        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransitionSlow):
        (JSC::Structure::nonPropertyTransition): Deleted.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::nonPropertyTransition):

2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
        https://bugs.webkit.org/show_bug.cgi?id=186721

        Reviewed by Keith Miller.

        We still have several other OSRExits, but this patch reduces that.

        1. While ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
        So DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.

        2. The CoW patch removed ArrayAllocationProfile updates. This makes allocated JSImmutableButterfly
        non-appropriate.

        These changes a bit fix Kraken/crypto-aes regression.

                                      baseline                  patched

        stanford-crypto-aes        63.718+-2.312      ^      56.140+-0.966         ^ definitely 1.1350x faster


        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
        https://bugs.webkit.org/show_bug.cgi?id=186460

        Reviewed by Saam Barati.

        Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
        We should return JSFixedArray for Spread. This patch adds a code generating
        a JSFixedArray from JSImmutableButterfly.

        Merging JSFixedArray into JSImmutableButterfly is possible future extension.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        * runtime/JSFixedArray.h:

2018-06-15  Saam Barati  <sbarati@apple.com>

        Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
        https://bugs.webkit.org/show_bug.cgi?id=186687
        <rdar://problem/40071332>

        Reviewed by Keith Miller.

        * API/JSVirtualMachinePrivate.h:

2018-06-15  Saam Barati  <sbarati@apple.com>

        Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
        https://bugs.webkit.org/show_bug.cgi?id=186648

        Reviewed by Michael Saboff.

        This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
        regressed with my first version of ForceOSRExit CFG pruning. This patch makes
        ForceOSRExit CFG pruning more aggressive by not ignoring everything that
        can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
        if it's the plan's osr entry bytecode target. The goal is to get a speedometer
        2 speedup with this change on iOS.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2018-06-15  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, rolling out r232816.

        Suggested by Caitlin:
        "this patch clearly does get some things wrong, and it's not
        easy to find what those things are"

        Reverted changeset:

        "[LLInt] use loadp consistently for
        get_from_scope/put_to_scope"
        https://bugs.webkit.org/show_bug.cgi?id=132333
        https://trac.webkit.org/changeset/232816

2018-06-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION(232741): Crash running ARES-6
        https://bugs.webkit.org/show_bug.cgi?id=186630

        Reviewed by Saam Barati.

        The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
        treated edges between identical predecessor->successor pairs independently.
        This fixes the issue by handling such edges once, using the added intermediate
        pad for all instances of the edges between the same pairs.

        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::run):
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.

2018-06-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
        https://bugs.webkit.org/show_bug.cgi?id=186560

        Reviewed by Brian Burg.

        Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
        that always receives the session capabilities.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
        WebKit here and fill the SessionCapabilities instead.
        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
        * inspector/remote/glib/RemoteInspectorServer.h:

2018-06-13  Adrian Perez de Castro  <aperez@igalia.com>

        [WPE] Trying to access the remote inspector hits an assertion in the UIProcess
        https://bugs.webkit.org/show_bug.cgi?id=186588

        Reviewed by Carlos Garcia Campos.

        Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
        for resource paths, which avoids needing a switcheroo depending on the port.

        * inspector/remote/glib/RemoteInspectorUtils.cpp:

2018-06-13  Caitlin Potter  <caitp@igalia.com>

        [LLInt] use loadp consistently for get_from_scope/put_to_scope
        https://bugs.webkit.org/show_bug.cgi?id=132333

        Reviewed by Mark Lam.

        Using `loadis` for register indexes and `loadp` for constant scopes /
        symboltables makes sense, but is problematic for big-endian
        architectures.

        Consistently treating the operand as a pointer simplifies determining
        how to access the operand, and helps avoid bad accesses and crashes on
        big-endian ports.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/Instruction.h:
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):

2018-06-13  Keith Miller  <keith_miller@apple.com>

        AutomaticThread should have a way to provide a thread name
        https://bugs.webkit.org/show_bug.cgi?id=186604

        Reviewed by Filip Pizlo.

        Add names for JSC's automatic threads.

        * dfg/DFGWorklist.cpp:
        * heap/Heap.cpp:
        * jit/JITWorklist.cpp:
        * runtime/VMTraps.cpp:
        * wasm/WasmWorklist.cpp:

2018-06-13  Saam Barati  <sbarati@apple.com>

        CFGSimplificationPhase should de-dupe jettisonedBlocks
        https://bugs.webkit.org/show_bug.cgi?id=186583

        Reviewed by Filip Pizlo.

        When making the predecessors list unique in r232741, it revealed a bug inside
        of CFG simplification, where we try to remove the same predecessor more than
        once from a blocks predecessors list. We built the list of blocks to remove
        from the list of successors, which is not unique, causing us to try to remove
        the same predecessor more than once. The solution here is to just add to this
        list of blocks to remove only if the block is not already in the list.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):

2018-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Always use Nuke & Set procedure for x86
        https://bugs.webkit.org/show_bug.cgi?id=186592

        Reviewed by Keith Miller.

        We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
        By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
        threads.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertContiguousToArrayStorage):

2018-06-12  Saam Barati  <sbarati@apple.com>

        Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
        https://bugs.webkit.org/show_bug.cgi?id=186071

        Reviewed by Mark Lam.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine shrinkFootprint]): Deleted.
        * API/JSVirtualMachinePrivate.h:

2018-06-11  Saam Barati  <sbarati@apple.com>

        Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
        https://bugs.webkit.org/show_bug.cgi?id=181409
        <rdar://problem/36383749>

        Reviewed by Keith Miller.

        This patch is me redoing r226655. This is a patch I wrote when
        profiling Speedometer. Fil rolled this change out in r230928. He
        showed this slowed down a sunspider tests by ~2x. This sunspider
        regression revealed a real performance bug in the original change:
        we would kill blocks that reached OSR entry targets, sometimes leading
        us to not do OSR entry into the DFG, since we could end up deleting
        entire loops from the CFG. The reason for this is that code that has run
        ~once and that reaches loops often has ForceOSRExits inside of it. The
        solution to this is to not perform this optimization on blocks that can
        reach OSR entry targets.
        
        The reason I'm redoing this patch is that it turns out Fil rolling
        out the change was a Speedometer 2 regression.
        
        This is a modified version of the original ChangeLog I wrote in r226655:
        
        When I was looking at profiler data for Speedometer, I noticed that one of
        the hottest functions in Speedometer is around 1100 bytecode operations long.
        Only about 100 of those bytecode ops ever execute. However, we ended up
        spending a lot of time compiling basic blocks that never executed. We often
        plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
        This is the case when such a node never executes.
        
        This patch makes it so that anytime a block has a ForceOSRExit, and that block
        can not reach an OSR entry target, we replace its terminal node with an Unreachable
        node, and remove all nodes after the ForceOSRExit. This cuts down the graph
        size since it removes control flow edges from the CFG. This allows us to get
        rid of huge chunks of the CFG in certain programs. When doing this transformation,
        we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
        live-in to the ForceOSRExit.
        
        Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
        does not get rid of all the CFG that it could. If we decide it's worth
        it, we could use additional inputs into this mechanism. For example, we could
        profile if a basic block ever executes inside the LLInt/Baseline, and
        remove parts of the CFG based on that.
        
        When running Speedometer with the concurrent JIT turned off, this patch
        improves DFG/FTL compile times by around 5%.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::blocksInPostOrder):

2018-06-11  Saam Barati  <sbarati@apple.com>

        The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
        https://bugs.webkit.org/show_bug.cgi?id=184829

        Reviewed by Michael Saboff.

        This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
        In B3/Air, this just meant writing a validation rule. In DFG, this meant
        ensuring this property when building up the predecessors list, and also adding
        a validation rule. The NaturalLoops algorithm relies on this property.

        * b3/B3Validate.cpp:
        * b3/air/AirValidate.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testLoopWithMultipleHeaderEdges):
        (JSC::B3::run):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::handleSuccessor):
        * dfg/DFGValidate.cpp:

2018-06-11  Keith Miller  <keith_miller@apple.com>

        Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire  which churns 65KB of memory
        https://bugs.webkit.org/show_bug.cgi?id=186467

        Reviewed by Simon Fraser.

        This patch adds a LazyFireDetail that wraps ScopedLambda so that
        we don't actually malloc any strings for firing unless those
        Strings are actually going to be printed.

        * bytecode/Watchpoint.h:
        (JSC::LazyFireDetail::LazyFireDetail):
        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
        * dfg/DFGAdaptiveStructureWatchpoint.cpp:
        (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):

2018-06-11  Mark Lam  <mark.lam@apple.com>

        Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
        https://bugs.webkit.org/show_bug.cgi?id=186451
        <rdar://problem/40875792>

        Reviewed by Tim Horton.

        Enhance setOptions() to be able to take a comma separated options string in
        addition to white space separated options strings.

        * runtime/Options.cpp:
        (JSC::isSeparator):
        (JSC::Options::setOptions):

2018-06-11  Michael Saboff  <msaboff@apple.com>

        JavaScriptCore: Disable 32-bit JIT on Windows
        https://bugs.webkit.org/show_bug.cgi?id=185989

        Reviewed by Mark Lam.

        Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.

        * llint/LLIntData.h:
        (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
        * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
        have a case label because these aren't opcodes.
        * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
        on the JIT being enabled.
        (JSC::recomputeDependentOptions):

2018-06-11  Michael Saboff  <msaboff@apple.com>

        Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=186477

        Reviewed by Filip Pizlo.

        Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
        YARR interpreter nodes.  This caused us to overwrite other frame information.

        Added frame offset debugging code to YARR interpreter.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        (JSC::Yarr::ByteCompiler::dumpDisjunction):

2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Array.prototype.sort should rejects null comparator
        https://bugs.webkit.org/show_bug.cgi?id=186458

        Reviewed by Keith Miller.

        This relaxed behavior is once introduced in r216169 to fix some pages by aligning
        the behavior to Chrome and Firefox.

        However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
        accepts it. This patch reverts r216169 to align JSC to the other engines and fix
        the spec issue.

        * builtins/ArrayPrototype.js:
        (sort):

2018-06-09  Dan Bernstein  <mitz@apple.com>

        [Xcode] Clean up and modernize some build setting definitions
        https://bugs.webkit.org/show_bug.cgi?id=186463

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
          definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
          is true for all supported Xcode versions.
        * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
        * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
          ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
        * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
        * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.

2018-06-09  Dan Bernstein  <mitz@apple.com>

        Added missing file references to the Configuration group.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-06-08  Darin Adler  <darin@apple.com>

        [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
        https://bugs.webkit.org/show_bug.cgi?id=186436

        Reviewed by Anders Carlsson.

        * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
        objc-internal.h and explicitly declaring the alternative.

2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>

        [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
        https://bugs.webkit.org/show_bug.cgi?id=186442
        <rdar://problem/40879364>

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>

        jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt 
        https://bugs.webkit.org/show_bug.cgi?id=186446
        <rdar://problem/40949995>

        Reviewed by Mark Lam.

        On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
        boolean literals, but it would only work for false. Change it so that it
        takes the fast path for true, false, null and undefined.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:

2018-06-08  Brian Burg  <bburg@apple.com>

        [Cocoa] Web Automation: include browser name and version in listing for automation targets
        https://bugs.webkit.org/show_bug.cgi?id=186204
        <rdar://problem/36950423>

        Reviewed by Darin Adler.

        Ask the client what the reported browser name and version should be, then
        send this as part of the listing for an automation target.

        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::listingForAutomationTarget const):

2018-06-07  Chris Dumez  <cdumez@apple.com>

        Add base class to get WeakPtrFactory member and avoid some boilerplate code
        https://bugs.webkit.org/show_bug.cgi?id=186407

        Reviewed by Brent Fulgham.

        Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
        order to avoid some boilerplate code in every class needing a WeakPtrFactory.
        This also gets rid of old-style createWeakPtr() methods in favor of the newer
        makeWeakPtr().

        * wasm/WasmInstance.h:
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::registerInstance):

2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>

        Don't try to allocate JIT memory if we don't have the JIT entitlement
        https://bugs.webkit.org/show_bug.cgi?id=182605
        <rdar://problem/38271229>

        Reviewed by Mark Lam.

        Check that the current process has the correct entitlements before
        trying to allocate JIT memory to silence warnings.

        * jit/ExecutableAllocator.cpp:
        (JSC::allowJIT): Helper that checks entitlements on iOS and returns true in other platforms
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): check allowJIT before trying to allocate

2018-06-07  Saam Barati  <sbarati@apple.com>

        TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
        https://bugs.webkit.org/show_bug.cgi?id=186386

        Reviewed by Filip Pizlo.

        This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.

        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):

2018-06-02  Filip Pizlo  <fpizlo@apple.com>

        FunctionRareData::m_objectAllocationProfileWatchpoint is racy
        https://bugs.webkit.org/show_bug.cgi?id=186237

        Reviewed by Saam Barati.

        We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
        that means that we never notice that it fired if it fires between when the DFG decides to
        watch it and when it actually adds the watchpoint.
        
        Most watchpoints are initialized watched for this purpose. This one had a somewhat good
        reason for being initialized blind: that's how we knew to ignore changes to the prototype
        before the first allocation. However, that functionality also arose out of the fact that the
        rare data is created lazily and usually won't exist until the first allocation.
        
        The fix here is to make the watchpoint go into watched mode as soon as we initialize the
        object allocation profile.
        
        It's hard to repro this race, however it started causing spurious test failures for me after
        bug 164904.

        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::initializeObjectAllocationProfile):

2018-06-07  Saam Barati  <sbarati@apple.com>

        Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
        https://bugs.webkit.org/show_bug.cgi?id=186218
        <rdar://problem/38449540>

        Reviewed by Filip Pizlo.

        This patch makes tierUpCommon a tad bit more sane. There are a few things
        that I did:
        - There were a few release asserts that were crashing. Those release asserts
        were incorrect. They were making assumptions about how the code and data
        structures were ordered that were wrong. This patch removes them. The code
        was using the loop hierarchy vector to make assumptions about which loop we
        were currently executing in, which is incorrect. The only information that
        can be used about where we're currently executing is the bytecode index we're
        at.
        - This makes it so that we go back to trying to compile outer loops before
        inner loops. JF accidentally reverted this behavior that Ben implemented.
        JF made it so that we just compiled the inner most loop. I make this
        functionality work by first triggering a compile for the outer most loop
        that the code is currently executing in and that can perform OSR entry.
        However, some programs can get stuck in inner loops. The code works by
        progressively asking inner loops to compile if program execution has not
        yet reached an outer loop.

        * dfg/DFGOperations.cpp:

2018-06-06  Guillaume Emont  <guijemont@igalia.com>

        ArityFixup should adjust SP first on 32-bit platforms too
        https://bugs.webkit.org/show_bug.cgi?id=186351

        Reviewed by Yusuke Suzuki.

        * jit/ThunkGenerators.cpp:
        (JSC::arityFixupGenerator):

2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Compare operations do not respect negative zeros
        https://bugs.webkit.org/show_bug.cgi?id=183729

        Reviewed by Saam Barati.

        Compare operations do not respect negative zeros. So propagating this can
        reduce the size of the produced code for negative zero case. This pattern
        can be seen in Kraken stanford-crypto-aes.

        This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsdouble) to false.
        However, NonIntAsdouble includes negative zero, which can be equal to Int32 positive zero.
        This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.

        * bytecode/SpeculatedType.cpp:
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
        To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
        SpecDoubleReal.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):

2018-06-06  Saam Barati  <sbarati@apple.com>

        generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
        https://bugs.webkit.org/show_bug.cgi?id=186363

        Rubber-stamped by Filip Pizlo.

        The code was assuming that the object it was creating an OPC for always
        had a non-poly-proto structure. However, this assumption was wrong. For
        example, an object in the prototype chain could be poly proto. That type 
        of object graph would cause a crash in this code. This patch makes it so
        that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
        object as we traverse the prototype chain.

        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):

2018-06-05  Brent Fulgham  <bfulgham@apple.com>

        Adjust compile and runtime flags to match shippable state of features
        https://bugs.webkit.org/show_bug.cgi?id=186319
        <rdar://problem/40352045>

        Reviewed by Maciej Stachowiak, Jon Lee, and others.

        This patch revises the compile time and runtime state for various features to match their
        suitability for end-user releases.

        * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
        WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
        Cocoa builds.
        * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
        or ENABLE_INPUT_TYPE_COLOR_POPOVER.
        * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
        at runtime for non-production builds.

2018-06-05  Brent Fulgham  <bfulgham@apple.com>

        Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
        https://bugs.webkit.org/show_bug.cgi?id=186286
        <rdar://problem/40782992>

        Reviewed by Dan Bernstein.

        Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
        to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
        change this flag when preparing for a production release.

        * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
        whether experimental features should be enabled, and use it to properly define the
        feature flag.

2018-06-05  Darin Adler  <darin@apple.com>

        [Cocoa] Update some JavaScriptCore code to be more ready for ARC
        https://bugs.webkit.org/show_bug.cgi?id=186301

        Reviewed by Anders Carlsson.

        * API/JSContext.mm:
        (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
        (-[JSContext setName:]): Removed unnecessary call to copy, since the
        JSStringCreateWithCFString function already reads the characters out
        of the string and does not retain the string, so there is no need to
        make an immutable copy. And used __bridge for typecast.
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        Ditto.

        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
        Use CFBridgingRelease instead of autorelease for a CF dictionary that
        we return as an NSDictionary.

2018-06-04  Keith Miller  <keith_miller@apple.com>

        Remove missing files from JavaScriptCore Xcode project
        https://bugs.webkit.org/show_bug.cgi?id=186297

        Reviewed by Saam Barati.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-06-04  Keith Miller  <keith_miller@apple.com>

        Add test for CoW conversions in the DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=186295

        Reviewed by Saam Barati.

        Add a function to $vm that returns a JSString containing the
        dataLog dump of the indexingMode of an Object.

        * tools/JSDollarVM.cpp:
        (JSC::functionIndexingMode):
        (JSC::JSDollarVM::finishCreation):

2018-06-04  Saam Barati  <sbarati@apple.com>

        Set the activeLength of all ScratchBuffers to zero when exiting the VM
        https://bugs.webkit.org/show_bug.cgi?id=186284
        <rdar://problem/40780738>

        Reviewed by Keith Miller.

        Simon recently found instances where we leak global objects from the
        ScratchBuffer. Yusuke found that we forgot to set the active length
        back to zero when doing catch OSR entry in the DFG/FTL. His solution
        to this was adding a node that cleared the active length. This is
        a good node to have, but it's not a complete solution: the DFG/FTL
        could OSR exit before that node executes, which would cause us to leak
        the data in it.
        
        This patch makes it so that we set each scratch buffer's active length
        to zero on VM exit. This helps prevent leaks for JS code that eventually
        exits the VM (which is essentially all code on the web and all API users).

        * runtime/VM.cpp:
        (JSC::VM::clearScratchBuffers):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::~VMEntryScope):

2018-06-04  Keith Miller  <keith_miller@apple.com>

        JSLock should clear last exception when releasing the lock
        https://bugs.webkit.org/show_bug.cgi?id=186277

        Reviewed by Mark Lam.

        If we don't clear the last exception we essentially leak the
        object and everything referenced by it until another exception is
        thrown.

        * runtime/JSLock.cpp:
        (JSC::JSLock::willReleaseLock):

2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
        https://bugs.webkit.org/show_bug.cgi?id=180248

        Reviewed by Sam Weinig.

        As a final step, this patch removes ListableHandler from JSC.
        Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.h:
        * heap/ListableHandler.h: Removed.

2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
        https://bugs.webkit.org/show_bug.cgi?id=186223

        Reviewed by Keith Miller.

        After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
        It makes this buffer conservative GC root, and allows it to hold GC objects unnecessarily long.

        This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
        We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
        this ClearCatchLocals valid.

        The existing tests for ExtractCatchLocal just pass.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):

2018-06-02  Darin Adler  <darin@apple.com>

        [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
        https://bugs.webkit.org/show_bug.cgi?id=186227

        Reviewed by Dan Bernstein.

        * API/JSContext.mm:
        (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
        * API/JSValue.mm:
        (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
        (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
        ARC-compatible, but more efficient.
        (valueToString): Use CFBridgingRelease instead of autorelease.

2018-06-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for addition operations
        https://bugs.webkit.org/show_bug.cgi?id=179002

        Reviewed by Yusuke Suzuki.

        This patch is implementing support to BigInt Operands into binary "+"
        and binary "-" operators. Right now, we have limited support to DFG
        and FTL JIT layers, but we plan to fix this support in future
        patches.

        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::stringToBigInt):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::add):
        (JSC::JSBigInt::sub):
        (JSC::JSBigInt::absoluteAdd):
        (JSC::JSBigInt::absoluteSub):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::toNumber const):
        (JSC::JSBigInt::getPrimitiveNumber const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsSub):

2018-06-02  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r232439.
        https://bugs.webkit.org/show_bug.cgi?id=186238

        It breaks gtk-linux-32-release (Requested by caiolima on
        #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for addition operations"
        https://bugs.webkit.org/show_bug.cgi?id=179002
        https://trac.webkit.org/changeset/232439

2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        Baseline op_jtrue emits an insane amount of code
        https://bugs.webkit.org/show_bug.cgi?id=185708

        Reviewed by Filip Pizlo.

        op_jtrue / op_jfalse bloats massive amount of code. This patch attempts to reduce the size of this code by,

        1. op_jtrue / op_jfalse immediately jumps if the condition met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
           to jump directly. This tightens the code.

        2. Align our emitConvertValueToBoolean implementation to FTL's boolify function. It emits less code.

        This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.

        [  12] jtrue             arg1, 6(->18)
              0x7f233170162c: mov 0x30(%rbp), %rax
              0x7f2331701630: mov %rax, %rsi
              0x7f2331701633: xor $0x6, %rsi
              0x7f2331701637: test $0xfffffffffffffffe, %rsi
              0x7f233170163e: jnz 0x7f2331701654
              0x7f2331701644: cmp $0x7, %eax
              0x7f2331701647: setz %sil
              0x7f233170164b: movzx %sil, %esi
              0x7f233170164f: jmp 0x7f2331701705
              0x7f2331701654: test %rax, %r14
              0x7f2331701657: jz 0x7f233170169c
              0x7f233170165d: cmp %r14, %rax
              0x7f2331701660: jb 0x7f2331701675
              0x7f2331701666: test %eax, %eax
              0x7f2331701668: setnz %sil
              0x7f233170166c: movzx %sil, %esi
              0x7f2331701670: jmp 0x7f2331701705
              0x7f2331701675: lea (%r14,%rax), %rsi
              0x7f2331701679: movq %rsi, %xmm0
              0x7f233170167e: xorps %xmm1, %xmm1
              0x7f2331701681: ucomisd %xmm1, %xmm0
              0x7f2331701685: jz 0x7f2331701695
              0x7f233170168b: mov $0x1, %esi
              0x7f2331701690: jmp 0x7f2331701705
              0x7f2331701695: xor %esi, %esi
              0x7f2331701697: jmp 0x7f2331701705
              0x7f233170169c: test %rax, %r15
              0x7f233170169f: jnz 0x7f2331701703
              0x7f23317016a5: cmp $0x1, 0x5(%rax)
              0x7f23317016a9: jnz 0x7f23317016c1
              0x7f23317016af: mov 0x8(%rax), %esi
              0x7f23317016b2: test %esi, %esi
              0x7f23317016b4: setnz %sil
              0x7f23317016b8: movzx %sil, %esi
              0x7f23317016bc: jmp 0x7f2331701705
              0x7f23317016c1: test $0x1, 0x6(%rax)
              0x7f23317016c5: jz 0x7f23317016f9
              0x7f23317016cb: mov (%rax), %esi
              0x7f23317016cd: mov $0x7f23315000c8, %rdx
              0x7f23317016d7: mov (%rdx), %rdx
              0x7f23317016da: mov (%rdx,%rsi,8), %rsi
              0x7f23317016de: mov $0x7f2330de0000, %rdx
              0x7f23317016e8: cmp %rdx, 0x18(%rsi)
              0x7f23317016ec: jnz 0x7f23317016f9
              0x7f23317016f2: xor %esi, %esi
              0x7f23317016f4: jmp 0x7f2331701705
              0x7f23317016f9: mov $0x1, %esi
              0x7f23317016fe: jmp 0x7f2331701705
              0x7f2331701703: xor %esi, %esi
              0x7f2331701705: test %esi, %esi
              0x7f2331701707: jnz 0x7f233170171b

        [  12] jtrue             arg1, 6(->18)
              0x7f6c8710156c: mov 0x30(%rbp), %rax
              0x7f6c87101570: test %rax, %r15
              0x7f6c87101573: jnz 0x7f6c871015c8
              0x7f6c87101579: cmp $0x1, 0x5(%rax)
              0x7f6c8710157d: jnz 0x7f6c87101592
              0x7f6c87101583: cmp $0x0, 0x8(%rax)
              0x7f6c87101587: jnz 0x7f6c87101623
              0x7f6c8710158d: jmp 0x7f6c87101615
              0x7f6c87101592: test $0x1, 0x6(%rax)
              0x7f6c87101596: jz 0x7f6c87101623
              0x7f6c8710159c: mov (%rax), %esi
              0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
              0x7f6c871015a8: mov (%rdx), %rdx
              0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
              0x7f6c871015af: mov $0x7f6c867e0000, %rdx
              0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
              0x7f6c871015bd: jnz 0x7f6c87101623
              0x7f6c871015c3: jmp 0x7f6c87101615
              0x7f6c871015c8: cmp %r14, %rax
              0x7f6c871015cb: jb 0x7f6c871015de
              0x7f6c871015d1: test %eax, %eax
              0x7f6c871015d3: jnz 0x7f6c87101623
              0x7f6c871015d9: jmp 0x7f6c87101615
              0x7f6c871015de: test %rax, %r14
              0x7f6c871015e1: jz 0x7f6c87101602
              0x7f6c871015e7: lea (%r14,%rax), %rsi
              0x7f6c871015eb: movq %rsi, %xmm0
              0x7f6c871015f0: xorps %xmm1, %xmm1
              0x7f6c871015f3: ucomisd %xmm1, %xmm0
              0x7f6c871015f7: jz 0x7f6c87101615
              0x7f6c871015fd: jmp 0x7f6c87101623
              0x7f6c87101602: mov $0x7, %r11
              0x7f6c8710160c: cmp %r11, %rax
              0x7f6c8710160f: jz 0x7f6c87101623

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::branchIfValue):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfTruthy):
        (JSC::AssemblyHelpers::branchIfFalsey):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::addJump):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):

2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove WeakReferenceHarvester
        https://bugs.webkit.org/show_bug.cgi?id=186102

        Reviewed by Filip Pizlo.

        After several cleanups, now JSWeakMap becomes the last user of WeakReferenceHarvester.
        Since JSWeakMap is already managed in IsoSubspace, we can iterate marked JSWeakMap
        by using output constraints & Subspace iteration.

        This patch removes WeakReferenceHarvester. Instead of managing this linked-list, our
        output constraint set iterates marked JSWeakMap by using Subspace.

        And we also add locking for JSWeakMap's rehash and output constraint visiting.

        Attached microbenchmark does not show any regression.

        * API/JSAPIWrapperObject.h:
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::endMarking):
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
        * heap/SlotVisitor.h:
        * heap/WeakReferenceHarvester.h: Removed.
        * runtime/WeakMapImpl.cpp:
        (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitOutputConstraints):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences): Deleted.
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences): Deleted.
        * runtime/WeakMapImpl.h:
        (JSC::WeakMapImpl::WeakMapImpl):
        (JSC::WeakMapImpl::finishCreation):
        (JSC::WeakMapImpl::rehash):
        (JSC::WeakMapImpl::makeAndSetNewBuffer):
        (JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.

2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Object.create should have intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=186200

        Reviewed by Filip Pizlo.

        Object.create is used in various JS code. `Object.create(null)` is particularly used
        to create empty plain object with null [[Prototype]]. We can find `Object.create(null)`
        call in ARES-6/Babylon code.

        This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces ObjectCreate
        DFG node. DFG AI and constant folding attempt to convert it to NewObject when prototype
        object is null. It offers significant performance boost for `Object.create(null)`.

                                                         baseline                  patched

        object-create-null                           53.7940+-1.5297     ^     19.8846+-0.6584        ^ definitely 2.7053x faster
        object-create-unknown-object-prototype       38.9977+-1.1364     ^     37.2207+-0.6143        ^ definitely 1.0477x faster
        object-create-untyped-prototype              22.5632+-0.6917           22.2539+-0.6876          might be 1.0139x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToNewObject):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectCreate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::nullPrototypeObjectStructure const):
        * runtime/ObjectConstructor.cpp:

2018-06-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for addition operations
        https://bugs.webkit.org/show_bug.cgi?id=179002

        Reviewed by Yusuke Suzuki.

        This patch is implementing support to BigInt Operands into binary "+"
        and binary "-" operators. Right now, we have limited support to DFG
        and FTL JIT layers, but we plan to fix this support in future
        patches.

        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::stringToBigInt):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::add):
        (JSC::JSBigInt::sub):
        (JSC::JSBigInt::absoluteAdd):
        (JSC::JSBigInt::absoluteSub):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::toNumber const):
        (JSC::JSBigInt::getPrimitiveNumber const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsSub):

2018-06-01  Wenson Hsieh  <wenson_hsieh@apple.com>

        Fix the watchOS build after r232385
        https://bugs.webkit.org/show_bug.cgi?id=186203

        Reviewed by Keith Miller.

        Add a missing header include for JSImmutableButterfly.

        * runtime/ArrayPrototype.cpp:

2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add Symbol.prototype.description getter
        https://bugs.webkit.org/show_bug.cgi?id=186053

        Reviewed by Keith Miller.

        Symbol.prototype.description accessor  is now stage 3[1].
        This adds a getter to retrieve [[Description]] value from Symbol.
        Previously, Symbol#toString() returns `Symbol(${description})` value.
        So users need to extract `description` part if they want it.

        [1]: https://tc39.github.io/proposal-Symbol-description/

        * runtime/Symbol.cpp:
        (JSC::Symbol::description const):
        * runtime/Symbol.h:
        * runtime/SymbolPrototype.cpp:
        (JSC::tryExtractSymbol):
        (JSC::symbolProtoGetterDescription):
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):

2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Correct values and members of JSBigInt appropriately
        https://bugs.webkit.org/show_bug.cgi?id=186196

        Reviewed by Darin Adler.

        This patch cleans up a bit to select more appropriate values and members of JSBigInt.

        1. JSBigInt's structure should be StructureIsImmortal.
        2. JSBigInt::allocationSize should be annotated with `inline`.
        3. Remove JSBigInt::visitChildren since it is completely the same to JSCell::visitChildren.
        4. Remove JSBigInt::finishCreation since it is completely the same to JSCell::finishCreation.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::compareToDouble):
        (JSC::JSBigInt::visitChildren): Deleted.
        (JSC::JSBigInt::finishCreation): Deleted.
        * runtime/JSBigInt.h:

2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] InById should be converted to MatchStructure
        https://bugs.webkit.org/show_bug.cgi?id=185803

        Reviewed by Keith Miller.

        MatchStructure is introduced for instanceof optimization. But this node
        is also useful for InById node. This patch converts InById to MatchStructure
        node with CheckStructures if possible by using InByIdStatus.

        Added microbenchmarks show improvements.

                                   baseline                  patched

        in-by-id-removed       18.1196+-0.8108     ^     16.1702+-0.9773        ^ definitely 1.1206x faster
        in-by-id-match         16.3912+-0.2608     ^     15.2736+-0.8173        ^ definitely 1.0732x faster

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/InByIdStatus.cpp: Added.
        (JSC::InByIdStatus::appendVariant):
        (JSC::InByIdStatus::computeFor):
        (JSC::InByIdStatus::hasExitSite):
        (JSC::InByIdStatus::computeForStubInfo):
        (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        (JSC::InByIdStatus::filter):
        (JSC::InByIdStatus::dump const):
        * bytecode/InByIdStatus.h: Added.
        (JSC::InByIdStatus::InByIdStatus):
        (JSC::InByIdStatus::state const):
        (JSC::InByIdStatus::isSet const):
        (JSC::InByIdStatus::operator bool const):
        (JSC::InByIdStatus::isSimple const):
        (JSC::InByIdStatus::numVariants const):
        (JSC::InByIdStatus::variants const):
        (JSC::InByIdStatus::at const):
        (JSC::InByIdStatus::operator[] const):
        (JSC::InByIdStatus::takesSlowPath const):
        * bytecode/InByIdVariant.cpp: Added.
        (JSC::InByIdVariant::InByIdVariant):
        (JSC::InByIdVariant::attemptToMerge):
        (JSC::InByIdVariant::dump const):
        (JSC::InByIdVariant::dumpInContext const):
        * bytecode/InByIdVariant.h: Added.
        (JSC::InByIdVariant::isSet const):
        (JSC::InByIdVariant::operator bool const):
        (JSC::InByIdVariant::structureSet const):
        (JSC::InByIdVariant::structureSet):
        (JSC::InByIdVariant::conditionSet const):