Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-08-30  Saam barati  <sbarati@apple.com>

        Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
        https://bugs.webkit.org/show_bug.cgi?id=189166

        Reviewed by Mark Lam.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
        * bytecode/InlineAccess.cpp:
        (JSC::getScratchRegister):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::valueRegs const):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):

2018-08-30  Saam barati  <sbarati@apple.com>

        InlineAccess should do StringLength
        https://bugs.webkit.org/show_bug.cgi?id=158911

        Reviewed by Yusuke Suzuki.

        This patch extends InlineAccess to support StringLength. This patch also
        fixes AccessCase::fromStructureStubInfo to support ArrayLength and StringLength.
        I forgot to implement this for ArrayLength in the initial InlineAccess
        implementation.  Supporting StringLength is a natural extension of the
        InlineAccess machinery.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch8):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::patchableBranch8):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::getScratchRegister):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):
        (JSC::InlineAccess::generateSelfInAccess):
        (JSC::InlineAccess::generateStringLength):
        * bytecode/InlineAccess.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initStringLength):
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::baseGPR const):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2018-08-30  Saam barati  <sbarati@apple.com>

        CSE DataViewGet* DFG nodes
        https://bugs.webkit.org/show_bug.cgi?id=188768

        Reviewed by Yusuke Suzuki.

        This patch makes it so that we CSE DataViewGet* accesses. To do this,
        I needed to add a third descriptor to HeapLocation to represent the
        isLittleEndian child. This patch is neutral on compile time benchmarks,
        and is a 50% speedup on a trivial CSE microbenchmark that I added.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        (JSC::DFG::HeapLocation::HeapLocation):
        (JSC::DFG::HeapLocation::hash const):
        (JSC::DFG::HeapLocation::operator== const):
        (JSC::DFG::indexedPropertyLocForResultType):

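The entry above says the HeapLocation for a DataViewGet* node needed a third descriptor for the isLittleEndian child before the reads could be CSE'd. The following is an added illustration of why, written for this page and not code from the WebKit patch: a toy common-subexpression-elimination pass over a straight-line list of DataView reads, run once with a location key that forgets endianness and once with a key that includes it. The node shape, the key helpers and the sample IR are assumptions made for the example; the DataView semantics are real.

```javascript
// Added illustration, not JavaScriptCore code. Node shape, keyFor helpers and
// the sample IR are assumptions for this example.

// Key that forgets the endianness child (the hazard the patch avoids).
function keyWithoutEndianness(node) {
  return `${node.op}:${node.base}:${node.index}`;
}

// Key that carries it, as the third HeapLocation descriptor does.
function keyWithEndianness(node) {
  return `${keyWithoutEndianness(node)}:${node.littleEndian ? 'LE' : 'BE'}`;
}

// Forward pass: a load whose key was already seen becomes a reference to the
// earlier load; a store to the heap forgets everything (it clobbers the reads).
function cse(nodes, keyFor) {
  const available = new Map();
  return nodes.map((node) => {
    if (node.op === 'store') {
      available.clear();
      return node;
    }
    const key = keyFor(node);
    if (available.has(key)) {
      return { op: 'identity', id: node.id, of: available.get(key).id };
    }
    available.set(key, node);
    return node;
  });
}

// Execute the (possibly rewritten) IR against a real DataView so that a bad
// merge shows up as a wrong value rather than as an abstract mistake.
function evaluate(nodes, view) {
  const values = new Map();
  for (const node of nodes) {
    if (node.op === 'identity') {
      values.set(node.id, values.get(node.of));
    } else if (node.op === 'getInt32') {
      values.set(node.id, view.getInt32(node.index, node.littleEndian));
    } else if (node.op === 'store') {
      view.setUint8(node.index, node.value);
    }
  }
  return values;
}

// Constructed sample: the same four bytes read little- and big-endian, then
// a store and a third read that must survive either key because of the store.
const SAMPLE_BYTES = Uint8Array.from([0x01, 0x02, 0x03, 0x04]);
const SAMPLE_IR = [
  { op: 'getInt32', id: 'a', base: 'dv', index: 0, littleEndian: true },
  { op: 'getInt32', id: 'b', base: 'dv', index: 0, littleEndian: false },
  { op: 'store', base: 'dv', index: 0, value: 0xff },
  { op: 'getInt32', id: 'c', base: 'dv', index: 0, littleEndian: true },
];

// Runs CSE with the given key on a fresh copy of the bytes and returns which
// node ids were merged away plus the observed values of a, b and c.
function runSample(keyFor) {
  const optimized = cse(SAMPLE_IR, keyFor);
  const view = new DataView(SAMPLE_BYTES.slice().buffer);
  const values = evaluate(optimized, view);
  return {
    merged: optimized.filter((n) => n.op === 'identity').map((n) => n.id),
    a: values.get('a'),
    b: values.get('b'),
    c: values.get('c'),
  };
}
```

With keyWithoutEndianness the pass merges b into a and the big-endian read silently returns the little-endian value; with keyWithEndianness nothing merges and both reads are correct. The store between b and c shows the clobber side of the same bookkeeping: c is never merged under either key.
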
2018-08-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        output of toString() of Generator is wrong
        https://bugs.webkit.org/show_bug.cgi?id=188952

        Reviewed by Saam Barati.

        Function#toString does not respect generators and async generators.
        This patch fixes them and supports all the function types.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-08-29  Mark Lam  <mark.lam@apple.com>

        Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
        https://bugs.webkit.org/show_bug.cgi?id=189132
        <rdar://problem/42513068>

        Reviewed by Saam Barati.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey const):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):

2018-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r235432 and r235436.
        https://bugs.webkit.org/show_bug.cgi?id=189086

        Is a Swift source breaking change. (Requested by keith_miller
        on #webkit).

        Reverted changesets:

        "Add nullablity attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235432

        "Add nullablity attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235436

2018-08-28  Mark Lam  <mark.lam@apple.com>

        Fix bit-rotted Interpreter::dumpRegisters() and move it to the VMInspector.
        https://bugs.webkit.org/show_bug.cgi?id=189059
        <rdar://problem/40335354>

        Reviewed by Saam Barati.

        1. Moved Interpreter::dumpRegisters() to VMInspector::dumpRegisters().
        2. Added $vm.dumpRegisters().

            Usage: $vm.dumpRegisters(N) // dump the registers of the Nth CallFrame.
            Usage: $vm.dumpRegisters() // dump the registers of the current CallFrame.

           Note: Currently, $vm.dumpRegisters() only dumps registers in the physical frame.
           It will treat inlined frames' content as registers in the bounding physical frame.

           Here's an example of such a dump on a DFG frame:

                Register frame:

                -----------------------------------------------------------------------------
                            use            |   address  |                value
                -----------------------------------------------------------------------------
                [r 12 arguments[  7]]      | 0x7ffeefbfd330 | 0xa                Undefined
                [r 11 arguments[  6]]      | 0x7ffeefbfd328 | 0x10bbb3e80        Object: 0x10bbb3e80 with butterfly 0x0 (Structure 0x10bbf20d0:[Object, {}, NonArray, Proto:0x10bbb4000]), StructureID: 76
                [r 10 arguments[  5]]      | 0x7ffeefbfd320 | 0xa                Undefined
                [r  9 arguments[  4]]      | 0x7ffeefbfd318 | 0xa                Undefined
                [r  8 arguments[  3]]      | 0x7ffeefbfd310 | 0xa                Undefined
                [r  7 arguments[  2]]      | 0x7ffeefbfd308 | 0xffff0000000a5eaa Int32: 679594
                [r  6 arguments[  1]]      | 0x7ffeefbfd300 | 0x10bbd00f0        Object: 0x10bbd00f0 with butterfly 0x8000f8248 (Structure 0x10bba4700:[Function, {name:100, prototype:101, length:102, Symbol.species:103, isArray:104}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 160
                [r  5           this]      | 0x7ffeefbfd2f8 | 0x10bbe0000        Object: 0x10bbe0000 with butterfly 0x8000d8808 (Structure 0x10bb35340:[global, {parseInt:100, parseFloat:101, Object:102, Function:103, Array:104, RegExp:105, RangeError:106, TypeError:107, PrivateSymbol.Object:108, PrivateSymbol.Array:109, ArrayBuffer:110, String:111, Symbol:112, Number:113, Boolean:114, Error:115, Map:116, Set:117, Promise:118, eval:119, Reflect:121, $vm:122, WebAssembly:123, debug:124, describe:125, describeArray:126, print:127, printErr:128, quit:129, gc:130, fullGC:131, edenGC:132, forceGCSlowPaths:133, gcHeapSize:134, addressOf:135, version:136, run:137, runString:138, load:139, loadString:140, readFile:141, read:142, checkSyntax:143, sleepSeconds:144, jscStack:145, readline:146, preciseTime:147, neverInlineFunction:148, noInline:149, noDFG:150, noFTL:151, numberOfDFGCompiles:153, jscOptions:154, optimizeNextInvocation:155, reoptimizationRetryCount:156, transferArrayBuffer:157, failNextNewCodeBlock:158, OSRExit:159, isFinalTier:160, predictInt32:161, isInt32:162, isPureNaN:163, fiatInt52:164, effectful42:165, makeMasquerader:166, hasCustomProperties:167, createGlobalObject:168, dumpTypesForAllVariables:169, drainMicrotasks:170, getRandomSeed:171, setRandomSeed:172, isRope:173, callerSourceOrigin:174, is32BitPlatform:175, loadModule:176, checkModuleSyntax:177, platformSupportsSamplingProfiler:178, generateHeapSnapshot:179, resetSuperSamplerState:180, ensureArrayStorage:181, startSamplingProfiler:182, samplingProfilerStackTraces:183, maxArguments:184, asyncTestStart:185, asyncTestPassed:186, WebAssemblyMemoryMode:187, console:188, $:189, $262:190, waitForReport:191, heapCapacity:192, flashHeapAccess:193, disableRichSourceInfo:194, mallocInALoop:195, totalCompileTime:196, Proxy:197, uneval:198, WScript:199, failWithMessage:200, triggerAssertFalse:201, isNaN:202, isFinite:203, escape:204, unescape:205, decodeURI:206, decodeURIComponent:207, encodeURI:208, encodeURIComponent:209, EvalError:210, ReferenceError:211, SyntaxError:212, URIError:213, JSON:214, Math:215, Int8Array:216, PrivateSymbol.Int8Array:217, Int16Array:218, PrivateSymbol.Int16Array:219, Int32Array:220, PrivateSymbol.Int32Array:221, Uint8Array:222, PrivateSymbol.Uint8Array:223, Uint8ClampedArray:224, PrivateSymbol.Uint8ClampedArray:225, Uint16Array:226, PrivateSymbol.Uint16Array:227, Uint32Array:228, PrivateSymbol.Uint32Array:229, Float32Array:230, PrivateSymbol.Float32Array:231, Float64Array:232, PrivateSymbol.Float64Array:233, DataView:234, Date:235, WeakMap:236, WeakSet:237, Intl:120, desc:238}, NonArray, Proto:0x10bbb4000, UncacheableDictionary, Leaf]), StructureID: 474
                -----------------------------------------------------------------------------
                [ArgumentCount]            | 0x7ffeefbfd2f0 | 7
                [ReturnVPC]                | 0x7ffeefbfd2f0 | 164 (line 57)
                [Callee]                   | 0x7ffeefbfd2e8 | 0x10bb68db0        Object: 0x10bb68db0 with butterfly 0x0 (Structure 0x10bbf1c00:[Function, {}, NonArray, Proto:0x10bbd0000, Shady leaf]), StructureID: 65
                [CodeBlock]                | 0x7ffeefbfd2e0 | 0x10bb2f8e0        __callRandomFunction#DmVXnv:[0x10bb2f8e0->0x10bbfd1e0, LLIntFunctionCall, 253]
                [ReturnPC]                 | 0x7ffeefbfd2d8 | 0x10064d14c
                [CallerFrame]              | 0x7ffeefbfd2d0 | 0x7ffeefbfd380
                -----------------------------------------------------------------------------
                [r -1  CalleeSaveReg]      | 0x7ffeefbfd2c8 | 0xffff000000000002 Int32: 2
                [r -2  CalleeSaveReg]      | 0x7ffeefbfd2c0 | 0xffff000000000000 Int32: 0
                [r -3  CalleeSaveReg]      | 0x7ffeefbfd2b8 | 0x10baf1608
                [r -4               ]      | 0x7ffeefbfd2b0 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -5               ]      | 0x7ffeefbfd2a8 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -6               ]      | 0x7ffeefbfd2a0 | 0xa                Undefined
                -----------------------------------------------------------------------------
                [r -7]                     | 0x7ffeefbfd298 | 0x10bb6fdc0        String (atomic) (identifier): length, StructureID: 4
                [r -8]                     | 0x7ffeefbfd290 | 0x10bbb7ec0        Object: 0x10bbb7ec0 with butterfly 0x8000e0008 (Structure 0x10bbf2ae0:[Array, {}, ArrayWithContiguous, Proto:0x10bbc8080]), StructureID: 99
                [r -9]                     | 0x7ffeefbfd288 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
                [r-10]                     | 0x7ffeefbfd280 | 0xffff000000000004 Int32: 4
                [r-11]                     | 0x7ffeefbfd278 | 0x10bbb4290        Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306
                [r-12]                     | 0x7ffeefbfd270 | 0x100000001
                [r-13]                     | 0x7ffeefbfd268 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
                [r-14]                     | 0x7ffeefbfd260 | 0x0
                [r-15]                     | 0x7ffeefbfd258 | 0x10064d14c
                [r-16]                     | 0x7ffeefbfd250 | 0x7ffeefbfd2d0
                [r-17]                     | 0x7ffeefbfd248 | 0x67ec87ee177      INVALID
                [r-18]                     | 0x7ffeefbfd240 | 0x7ffeefbfd250
                -----------------------------------------------------------------------------

        3. Removed dumpCallFrame() from the jsc shell.  We have the following tools that
           we can use in its place:

            $vm.dumpCallFrame()
            $vm.dumpBytecodeFor()
            $vm.dumpRegisters()     // Just added in this patch.

        4. Also fixed a bug in BytecodeDumper: it should access
           CallLinkInfo::haveLastSeenCallee() only if CallLinkInfo::isDirect() is false.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCallOp):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpCallFrame): Deleted.
        (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): Deleted.
        (JSC::DumpReturnVirtualPCFunctor::operator() const): Deleted.
        (JSC::Interpreter::dumpRegisters): Deleted.
        * interpreter/Interpreter.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDumpCallFrame): Deleted.
        * tools/JSDollarVM.cpp:
        (JSC::functionDumpRegisters):
        (JSC::JSDollarVM::finishCreation):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpRegisters):
        * tools/VMInspector.h:

2018-08-28  Keith Miller  <keith_miller@apple.com>

        Add nullablity attributes to JSValue
        https://bugs.webkit.org/show_bug.cgi?id=189047

        Reviewed by Dan Bernstein.

        Switch to using NS_ASSUME_NONNULL_BEGIN/END.

        * API/JSValue.h:

2018-08-28  Keith Miller  <keith_miller@apple.com>

        Add nullablity attributes to JSValue
        https://bugs.webkit.org/show_bug.cgi?id=189047

        Reviewed by Geoffrey Garen.

        * API/JSValue.h:

2018-08-27  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [WebAssembly] Parse wasm modules in a streaming fashion
        https://bugs.webkit.org/show_bug.cgi?id=188943

        Reviewed by Mark Lam.

        This patch adds Wasm::StreamingParser, which parses wasm binary in a streaming fashion.
        Currently, this StreamingParser is not enabled and integrated. In subsequent patches,
        we start integrating it into BBQPlan and dropping the old ModuleParser.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * tools/JSDollarVM.cpp:
        (WTF::WasmStreamingParser::WasmStreamingParser):
        (WTF::WasmStreamingParser::create):
        (WTF::WasmStreamingParser::createStructure):
        (WTF::WasmStreamingParser::streamingParser):
        (WTF::WasmStreamingParser::finishCreation):
        (WTF::functionWasmStreamingParserAddBytes):
        (WTF::functionWasmStreamingParserFinalize):
        (JSC::functionCreateWasmStreamingParser):
        (JSC::JSDollarVM::finishCreation):
        The $vm Wasm::StreamingParser object is introduced for testing purposes. A new stress test
        is added that uses this interface to test the streaming parser in the JSC shell.

        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::BBQPlan):
        (JSC::Wasm::BBQPlan::parseAndValidateModule):
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::compileFunctions):
        (JSC::Wasm::BBQPlan::complete):
        (JSC::Wasm::BBQPlan::work):
        * wasm/WasmBBQPlan.h:
        BBQPlan has m_source, but once ModuleInformation is parsed, it is no longer necessary.
        In subsequent patches, we will remove this, and stream the data into the BBQPlan.

        * wasm/WasmFormat.h:
        * wasm/WasmModuleInformation.cpp:
        (JSC::Wasm::ModuleInformation::ModuleInformation):
        * wasm/WasmModuleInformation.h:
        One of the largest changes in this patch is that ModuleInformation no longer holds source bytes,
        since source bytes can be added in a streaming fashion. Instead of holding all the source bytes
        in ModuleInformation, each function (ModuleInformation::functions, FunctionData) should have
        Vector<uint8_t> for its data. This data is eventually filled by StreamingParser, and compiling
        a function with this data can be done concurrently with StreamingParser.

        (JSC::Wasm::ModuleInformation::create):
        (JSC::Wasm::ModuleInformation::memoryCount const):
        (JSC::Wasm::ModuleInformation::tableCount const):
        memoryCount and tableCount should be recorded in ModuleInformation.

        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        (JSC::Wasm::makeI32InitExpr): Deleted.
        (JSC::Wasm::ModuleParser::parseType): Deleted.
        (JSC::Wasm::ModuleParser::parseImport): Deleted.
        (JSC::Wasm::ModuleParser::parseFunction): Deleted.
        (JSC::Wasm::ModuleParser::parseResizableLimits): Deleted.
        (JSC::Wasm::ModuleParser::parseTableHelper): Deleted.
        (JSC::Wasm::ModuleParser::parseTable): Deleted.
        (JSC::Wasm::ModuleParser::parseMemoryHelper): Deleted.
        (JSC::Wasm::ModuleParser::parseMemory): Deleted.
        (JSC::Wasm::ModuleParser::parseGlobal): Deleted.
        (JSC::Wasm::ModuleParser::parseExport): Deleted.
        (JSC::Wasm::ModuleParser::parseStart): Deleted.
        (JSC::Wasm::ModuleParser::parseElement): Deleted.
        (JSC::Wasm::ModuleParser::parseCode): Deleted.
        (JSC::Wasm::ModuleParser::parseInitExpr): Deleted.
        (JSC::Wasm::ModuleParser::parseGlobalType): Deleted.
        (JSC::Wasm::ModuleParser::parseData): Deleted.
        (JSC::Wasm::ModuleParser::parseCustom): Deleted.
        Extract section parsing code out from ModuleParser. We create SectionParser and ModuleParser uses it.
        SectionParser is also used by StreamingParser.

        * wasm/WasmModuleParser.h:
        (): Deleted.
        * wasm/WasmNameSection.h:
        (JSC::Wasm::NameSection::NameSection):
        (JSC::Wasm::NameSection::create):
        (JSC::Wasm::NameSection::setHash):
        Hash calculation is deferred since not all of the source is available in streaming parsing.

        * wasm/WasmNameSectionParser.cpp:
        (JSC::Wasm::NameSectionParser::parse):
        * wasm/WasmNameSectionParser.h:
        Use Ref<NameSection>.

        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        Wasm::Plan no longer has m_source since data will be eventually filled in a streaming fashion.
        OMGPlan can get data of the function by using ModuleInformation::functions.

        * wasm/WasmParser.h:
        (JSC::Wasm::Parser::source const):
        (JSC::Wasm::Parser::length const):
        (JSC::Wasm::Parser::offset const):
        (JSC::Wasm::Parser::fail const):
        (JSC::Wasm::makeI32InitExpr):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):
        Wasm::Plan should not have all the source a priori. Streamed data will be pumped from the provider.

        * wasm/WasmPlan.h:
        * wasm/WasmSectionParser.cpp: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.cpp.
        SectionParser is extracted from ModuleParser. And it is used by both the old (currently working)
        ModuleParser and the new StreamingParser.

        (JSC::Wasm::SectionParser::parseType):
        (JSC::Wasm::SectionParser::parseImport):
        (JSC::Wasm::SectionParser::parseFunction):
        (JSC::Wasm::SectionParser::parseResizableLimits):
        (JSC::Wasm::SectionParser::parseTableHelper):
        (JSC::Wasm::SectionParser::parseTable):
        (JSC::Wasm::SectionParser::parseMemoryHelper):
        (JSC::Wasm::SectionParser::parseMemory):
        (JSC::Wasm::SectionParser::parseGlobal):
        (JSC::Wasm::SectionParser::parseExport):
        (JSC::Wasm::SectionParser::parseStart):
        (JSC::Wasm::SectionParser::parseElement):
        (JSC::Wasm::SectionParser::parseCode):
        (JSC::Wasm::SectionParser::parseInitExpr):
        (JSC::Wasm::SectionParser::parseGlobalType):
        (JSC::Wasm::SectionParser::parseData):
        (JSC::Wasm::SectionParser::parseCustom):
        * wasm/WasmSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.h.
        * wasm/WasmStreamingParser.cpp: Added.
        (JSC::Wasm::parseUInt7):
        (JSC::Wasm::StreamingParser::fail):
        (JSC::Wasm::StreamingParser::StreamingParser):
        (JSC::Wasm::StreamingParser::parseModuleHeader):
        (JSC::Wasm::StreamingParser::parseSectionID):
        (JSC::Wasm::StreamingParser::parseSectionSize):
        (JSC::Wasm::StreamingParser::parseCodeSectionSize):
        The code section in a Wasm binary is handled specially compared with the other sections since it
        includes a bunch of functions. StreamingParser extracts each function in a streaming fashion and
        enables streaming validation / compilation of Wasm functions.

        (JSC::Wasm::StreamingParser::parseFunctionSize):
        (JSC::Wasm::StreamingParser::parseFunctionPayload):
        (JSC::Wasm::StreamingParser::parseSectionPayload):
        (JSC::Wasm::StreamingParser::consume):
        (JSC::Wasm::StreamingParser::consumeVarUInt32):
        (JSC::Wasm::StreamingParser::addBytes):
        (JSC::Wasm::StreamingParser::failOnState):
        (JSC::Wasm::StreamingParser::finalize):
        * wasm/WasmStreamingParser.h: Added.
        (JSC::Wasm::StreamingParser::addBytes):
        (JSC::Wasm::StreamingParser::errorMessage const):
        This is our new StreamingParser implementation. StreamingParser::consumeXXX functions get data, and
        StreamingParser::parseXXX functions parse consumed data. The user of StreamingParser calls
        StreamingParser::addBytes() to pump the byte stream into the parser. And once all the data is pumped,
        the user calls StreamingParser::finalize. StreamingParser is a state machine which feeds on the
        incoming byte stream.

        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::source const): Deleted.
        All of the source should not be held.

        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyValidateFunc):

405 2018-08-27  Mark Lam  <mark.lam@apple.com>
406
407         Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names.
408         https://bugs.webkit.org/show_bug.cgi?id=188577
409         <rdar://problem/42985684>
410
411         Reviewed by Saam Barati.
412
413         1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current
414            (top) CallFrame (which may not have a valid callee) into a StackOverflowFrame.
415
416            The StackOverflowFrame is a sentinel frame that the low level code (exception
417            throwing code, stack visitor, and stack unwinding code) will know to skip
418            over.  The StackOverflowFrame will also have a valid JSCallee so that client
419            code can compute the globalObject or VM from this frame.
420
421            As a result, client code that throws StackOverflowErrors no longer need to
422            compute the caller frame to throw from: it just converts the top frame into
423            a StackOverflowFrame and everything should *Just Work*.
424
425         2. NativeCallFrameTracerWithRestore is now obsolete.
426
427            Instead, client code should always call convertToStackOverflowFrame() on the
428            frame before instantiating a NativeCallFrameTracer with it.
429
430            This means that topCallFrame will always point to the top CallFrame (which
431            may be a StackOverflowFrame), and topEntryFrame will always point to the top
432            EntryFrame.  We'll never temporarily point them to the previous EntryFrame
433            (which we used to do with NativeCallFrameTracerWithRestore).
434
435         3. genericUnwind() and Interpreter::unwind() will now always unwind from the top
436            CallFrame, and will know how to handle a StackOverflowFrame if they see one.
437
438            This obsoletes the UnwindStart flag.
439
440         * CMakeLists.txt:
441         * JavaScriptCore.xcodeproj/project.pbxproj:
442         * Sources.txt:
443         * debugger/Debugger.cpp:
444         (JSC::Debugger::pauseIfNeeded):
445         * interpreter/CallFrame.cpp:
446         (JSC::CallFrame::callerFrame const):
447         (JSC::CallFrame::unsafeCallerFrame const):
448         (JSC::CallFrame::convertToStackOverflowFrame):
449         (JSC::CallFrame::callerFrame): Deleted.
450         (JSC::CallFrame::unsafeCallerFrame): Deleted.
451         * interpreter/CallFrame.h:
452         (JSC::ExecState::iterate):
453         * interpreter/CallFrameInlines.h: Added.
454         (JSC::CallFrame::isStackOverflowFrame const):
455         (JSC::CallFrame::isWasmFrame const):
456         * interpreter/EntryFrame.h: Added.
457         (JSC::EntryFrame::vmEntryRecordOffset):
458         (JSC::EntryFrame::calleeSaveRegistersBufferOffset):
459         * interpreter/FrameTracers.h:
460         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted.
461         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted.
462         * interpreter/Interpreter.cpp:
463         (JSC::Interpreter::unwind):
464         * interpreter/Interpreter.h:
465         * interpreter/StackVisitor.cpp:
466         (JSC::StackVisitor::StackVisitor):
467         * interpreter/StackVisitor.h:
468         (JSC::StackVisitor::visit):
469         (JSC::StackVisitor::topEntryFrameIsEmpty const):
470         * interpreter/VMEntryRecord.h:
471         (JSC::VMEntryRecord::callee const):
472         (JSC::EntryFrame::vmEntryRecordOffset): Deleted.
473         (JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted.
474         * jit/AssemblyHelpers.h:
475         * jit/JITExceptions.cpp:
476         (JSC::genericUnwind):
477         * jit/JITExceptions.h:
478         * jit/JITOperations.cpp:
479         * llint/LLIntOffsetsExtractor.cpp:
480         * llint/LLIntSlowPaths.cpp:
481         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
482         * llint/LowLevelInterpreter.asm:
483         * llint/LowLevelInterpreter32_64.asm:
484         * llint/LowLevelInterpreter64.asm:
485         * runtime/CallData.cpp:
486         * runtime/CommonSlowPaths.cpp:
487         (JSC::throwArityCheckStackOverflowError):
488         (JSC::SLOW_PATH_DECL):
489         * runtime/CommonSlowPathsExceptions.cpp: Removed.
490         * runtime/CommonSlowPathsExceptions.h: Removed.
491         * runtime/Completion.cpp:
492         (JSC::evaluateWithScopeExtension):
493         * runtime/JSGeneratorFunction.h:
494         * runtime/JSGlobalObject.cpp:
495         (JSC::JSGlobalObject::init):
496         (JSC::JSGlobalObject::visitChildren):
497         * runtime/JSGlobalObject.h:
498         (JSC::JSGlobalObject::stackOverflowFrameCallee const):
499         * runtime/VM.cpp:
500         (JSC::VM::throwException):
501         * runtime/VM.h:
502         * runtime/VMInlines.h:
503         (JSC::VM::topJSCallFrame const):
504
505 2018-08-27  Keith Rollin  <krollin@apple.com>
506
507         Unreviewed build fix -- disable LTO for production builds
508
509         * Configurations/Base.xcconfig:
510
511 2018-08-27  Aditya Keerthi  <akeerthi@apple.com>
512
513         Consolidate ENABLE_INPUT_TYPE_COLOR and ENABLE_INPUT_TYPE_COLOR_POPOVER
514         https://bugs.webkit.org/show_bug.cgi?id=188931
515
516         Reviewed by Wenson Hsieh.
517
518         * Configurations/FeatureDefines.xcconfig: Removed ENABLE_INPUT_TYPE_COLOR_POPOVER.
519
520 2018-08-27  Devin Rousso  <drousso@apple.com>
521
522         Web Inspector: provide autocompletion for event breakpoints
523         https://bugs.webkit.org/show_bug.cgi?id=188717
524
525         Reviewed by Brian Burg.
526
527         * inspector/protocol/DOM.json:
528         Add `getSupportedEventNames` command.
529
530 2018-08-27  Keith Rollin  <krollin@apple.com>
531
532         Build system support for LTO
533         https://bugs.webkit.org/show_bug.cgi?id=187785
534         <rdar://problem/42353132>
535
536         Reviewed by Dan Bernstein.
537
538         Update Base.xcconfig and DebugRelease.xcconfig to optionally enable
539         LTO.
540
541         * Configurations/Base.xcconfig:
542         * Configurations/DebugRelease.xcconfig:
543
544 2018-08-27  Patrick Griffis  <pgriffis@igalia.com>
545
546         [GTK][JSC] Add warn_unused_result attribute to some APIs
547         https://bugs.webkit.org/show_bug.cgi?id=188983
548
549         Reviewed by Michael Catanzaro.
550
551         * API/glib/JSCValue.h:
552
553 2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
554
555         [JSC] Array.prototype.reverse modifies JSImmutableButterfly
556         https://bugs.webkit.org/show_bug.cgi?id=188794
557
558         Reviewed by Saam Barati.
559
560         While Array.prototype.reverse modifies the butterfly of the given Array,
561         it does not account for the JSImmutableButterfly case. So it accidentally modifies
562         the content of JSImmutableButterfly.
563         This patch converts CoW arrays to writable arrays before reversing.
564
565         * runtime/ArrayPrototype.cpp:
566         (JSC::arrayProtoFuncReverse):
567         * runtime/JSObject.h:
568         (JSC::JSObject::ensureWritable):
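
As an added illustration (not JSC's code) of the copy-on-write hazard described in this entry: several arrays built from one constant buffer share it, the analogue of JSImmutableButterfly, and a mutating operation must first give the array private writable storage, the analogue of JSObject::ensureWritable. CowArray and its methods are this example's own names.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Added example, not WebKit code. A CowArray either points at a shared
// (conceptually immutable) buffer or owns a private copy of the contents.
class CowArray {
public:
    explicit CowArray(std::shared_ptr<std::vector<int>> sharedBuffer)
        : m_shared(std::move(sharedBuffer)) { }

    // Give this array its own writable storage if it still sits on the shared buffer.
    void ensureWritable()
    {
        if (!m_shared)
            return;
        m_owned = *m_shared; // copy the contents into private storage
        m_shared.reset();    // drop our reference to the shared buffer
    }

    // Fixed behaviour: convert to a writable array before reversing.
    void reverse()
    {
        ensureWritable();
        std::reverse(m_owned.begin(), m_owned.end());
    }

    // The pre-fix shape: reverses whatever storage is current, so a shared buffer
    // is mutated in place and every other array using it sees the change.
    void reverseWithoutEnsureWritable()
    {
        std::vector<int>& storage = m_shared ? *m_shared : m_owned;
        std::reverse(storage.begin(), storage.end());
    }

    const std::vector<int>& contents() const { return m_shared ? *m_shared : m_owned; }
    bool sharesStorage() const { return static_cast<bool>(m_shared); }

private:
    std::shared_ptr<std::vector<int>> m_shared; // non-null while on the shared buffer
    std::vector<int> m_owned;                   // used once made writable
};

// Two arrays created from the same constant buffer, then the first is reversed.
// Returns true if the second array was left untouched.
inline bool reverseLeavesSiblingIntact(bool useFix)
{
    auto buffer = std::make_shared<std::vector<int>>(std::vector<int>{1, 2, 3, 4});
    CowArray a(buffer), b(buffer);
    if (useFix)
        a.reverse();
    else
        a.reverseWithoutEnsureWritable();
    return b.contents() == std::vector<int>{1, 2, 3, 4};
}
```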
569
570 2018-08-24  Michael Saboff  <msaboff@apple.com>
571
572         YARR: Update UCS canonicalization tables for Unicode 11
573         https://bugs.webkit.org/show_bug.cgi?id=188928
574
575         Reviewed by Mark Lam.
576
577         Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js.
578
579         This passes JavaScriptCore and test262 tests.
580
581         * yarr/YarrCanonicalizeUCS2.cpp:
582         * yarr/YarrCanonicalizeUCS2.js:
583         (printHeader):
584
585 2018-08-24  Michael Saboff  <msaboff@apple.com>
586
587         YARR: JIT RegExps with non-greedy parenthesized sub patterns
588         https://bugs.webkit.org/show_bug.cgi?id=180876
589
590         Reviewed by Filip Pizlo.
591
592         Implemented the non-greedy nested parenthesis based on the prior greedy nested parenthesis work.
593         For the matching code, the greedy path was correct except that we don't try matching for the
594         non-greedy case.  Added a jump out to the term after the parenthesis and a label to perform the
595         first / next match when we backtrack.  The backtracking code needs to check to see if we have
596         tried the first match or if we can do another match.
597
598         Updated the disassembly annotations to include parenthesis capturing info, quantifier type and
599         count.  Did other minor cleanup as well.
600
601         Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()".
602
603         Updated the text in some comments, both for this change as well as accuracy for existing code.
604
605         * yarr/YarrJIT.cpp:
606         (JSC::Yarr::YarrGenerator::generate):
607         (JSC::Yarr::YarrGenerator::backtrack):
608         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
609         (JSC::Yarr::YarrGenerator::compile):
610         (JSC::Yarr::dumpCompileFailure):
611         (JSC::Yarr::jitCompile):
612         * yarr/YarrJIT.h:
613         (JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer):
614         (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted.
615
616 2018-08-23  Simon Fraser  <simon.fraser@apple.com>
617
618         Add support for dumping GC heap snapshots, and a viewer
619         https://bugs.webkit.org/show_bug.cgi?id=186416
620
621         Reviewed by Joseph Pecoraro.
622
623         Make a way to dump information about the GC heap that is useful for looking for leaked
624         or abandoned objects. This dump is obtained (on Apple platforms) via:
625             notifyutil -p com.apple.WebKit.dumpGCHeap
626         which writes a JSON file to /tmp which can then be loaded into the viewer in Tools/GCHeapInspector.
627         
628         This leverages the heap snapshot used by Web Inspector, adding an alternate format for
629         the snapshot JSON that adds additional data about objects and why they are GC roots.
630
631         SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows
632         the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. For
633         objects visited via opaque roots, we record the reason why via a new out param to
634         isReachableFromOpaqueRoots().
635
636         HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains
637         additional information including the address of the JSCell* and the wrapped object (for
638         JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can
639         be the document URL.
640
641         GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around).
642
643         * API/JSAPIWrapperObject.mm:
644         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
645         * API/JSManagedValue.mm:
646         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
647         * API/glib/JSAPIWrapperObjectGLib.cpp:
648         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
649         * CMakeLists.txt:
650         * heap/ConservativeRoots.h:
651         (JSC::ConservativeRoots::size const):
652         (JSC::ConservativeRoots::size): Deleted.
653         * heap/Heap.cpp:
654         (JSC::Heap::addCoreConstraints):
655         * heap/HeapSnapshotBuilder.cpp:
656         (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
657         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
658         (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
659         (JSC::HeapSnapshotBuilder::buildSnapshot):
660         (JSC::HeapSnapshotBuilder::appendNode):
661         (JSC::HeapSnapshotBuilder::appendEdge):
662         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
663         (JSC::HeapSnapshotBuilder::setWrappedObjectForCell):
664         (JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell):
665         (JSC::snapshotTypeToString):
666         (JSC::rootTypeToString):
667         (JSC::HeapSnapshotBuilder::setLabelForCell):
668         (JSC::HeapSnapshotBuilder::descriptionForCell const):
669         (JSC::HeapSnapshotBuilder::json):
670         (JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted.
671         * heap/HeapSnapshotBuilder.h:
672         * heap/SlotVisitor.cpp:
673         (JSC::SlotVisitor::appendSlow):
674         * heap/SlotVisitor.h:
675         (JSC::SlotVisitor::heapSnapshotBuilder const):
676         (JSC::SlotVisitor::rootMarkReason const):
677         (JSC::SlotVisitor::setRootMarkReason):
678         (JSC::SetRootMarkReasonScope::SetRootMarkReasonScope):
679         (JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope):
680         * heap/WeakBlock.cpp:
681         (JSC::WeakBlock::specializedVisit):
682         * heap/WeakHandleOwner.cpp:
683         (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
684         * heap/WeakHandleOwner.h:
685         * runtime/SimpleTypedArrayController.cpp:
686         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
687         * runtime/SimpleTypedArrayController.h:
688         * tools/JSDollarVM.cpp:
689
690 2018-08-23  Saam barati  <sbarati@apple.com>
691
692         JSRunLoopTimer may run part of a member function after it's destroyed
693         https://bugs.webkit.org/show_bug.cgi?id=188426
694
695         Reviewed by Mark Lam.
696
697         When I was reading the JSRunLoopTimer code, I noticed that it is possible
698         to end up running timer code after the class had been destroyed.
699         
700         The issue I spotted was in this function:
701         ```
702         void JSRunLoopTimer::timerDidFire()
703         {
704             JSLock* apiLock = m_apiLock.get();
705             if (!apiLock) {
706                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
707                 return;
708             }
709             // HERE
710             std::lock_guard<JSLock> lock(*apiLock);
711             RefPtr<VM> vm = apiLock->vm();
712             if (!vm) {
713                 // The VM has been destroyed, so we should just give up.
714                 return;
715             }
716         
717             doWork();
718         }
719         ```
720         
721         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
722         switched before grabbing the API lock. Then, some other thread destroys the VM.
723         And let's say that the VM owns (perhaps transitively) this timer. Then, the
724         timer would run code and access member variables after it was destroyed.
725         
726         This patch fixes this issue by introducing a new timer manager class. 
727         This class manages timers on a per VM basis. When a timer is scheduled,
728         this class refs the timer. It also calls the timer callback while actively
729         maintaining a +1 ref to it. So, it's no longer possible to call the timer
730         callback after the timer has been destroyed. However, calling a timer callback
731         can still race with the VM being destroyed. We continue to detect this case and
732         bail out of the callback early.
733         
734         This patch also removes a lot of duplicate code between GCActivityCallback
735         and JSRunLoopTimer.
736
737         * heap/EdenGCActivityCallback.cpp:
738         (JSC::EdenGCActivityCallback::doCollection):
739         (JSC::EdenGCActivityCallback::lastGCLength):
740         (JSC::EdenGCActivityCallback::deathRate):
741         * heap/EdenGCActivityCallback.h:
742         * heap/FullGCActivityCallback.cpp:
743         (JSC::FullGCActivityCallback::doCollection):
744         (JSC::FullGCActivityCallback::lastGCLength):
745         (JSC::FullGCActivityCallback::deathRate):
746         * heap/FullGCActivityCallback.h:
747         * heap/GCActivityCallback.cpp:
748         (JSC::GCActivityCallback::doWork):
749         (JSC::GCActivityCallback::scheduleTimer):
750         (JSC::GCActivityCallback::didAllocate):
751         (JSC::GCActivityCallback::willCollect):
752         (JSC::GCActivityCallback::cancel):
753         (JSC::GCActivityCallback::cancelTimer): Deleted.
754         (JSC::GCActivityCallback::nextFireTime): Deleted.
755         * heap/GCActivityCallback.h:
756         * heap/Heap.cpp:
757         (JSC::Heap::reportAbandonedObjectGraph):
758         (JSC::Heap::notifyIncrementalSweeper):
759         (JSC::Heap::updateAllocationLimits):
760         (JSC::Heap::didAllocate):
761         * heap/IncrementalSweeper.cpp:
762         (JSC::IncrementalSweeper::scheduleTimer):
763         (JSC::IncrementalSweeper::doWork):
764         (JSC::IncrementalSweeper::doSweep):
765         (JSC::IncrementalSweeper::sweepNextBlock):
766         (JSC::IncrementalSweeper::startSweeping):
767         (JSC::IncrementalSweeper::stopSweeping):
768         * heap/IncrementalSweeper.h:
769         * heap/StopIfNecessaryTimer.cpp:
770         (JSC::StopIfNecessaryTimer::doWork):
771         (JSC::StopIfNecessaryTimer::scheduleSoon):
772         * heap/StopIfNecessaryTimer.h:
773         * runtime/JSRunLoopTimer.cpp:
774         (JSC::epochTime):
775         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
776         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
777         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
778         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
779         (JSC::JSRunLoopTimer::Manager::timerDidFire):
780         (JSC::JSRunLoopTimer::Manager::shared):
781         (JSC::JSRunLoopTimer::Manager::registerVM):
782         (JSC::JSRunLoopTimer::Manager::unregisterVM):
783         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
784         (JSC::JSRunLoopTimer::Manager::cancelTimer):
785         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
786         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
787         (JSC::JSRunLoopTimer::timerDidFire):
788         (JSC::JSRunLoopTimer::JSRunLoopTimer):
789         (JSC::JSRunLoopTimer::timeUntilFire):
790         (JSC::JSRunLoopTimer::setTimeUntilFire):
791         (JSC::JSRunLoopTimer::cancelTimer):
792         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
793         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
794         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
795         * runtime/JSRunLoopTimer.h:
796         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
797         * runtime/PromiseDeferredTimer.cpp:
798         (JSC::PromiseDeferredTimer::doWork):
799         (JSC::PromiseDeferredTimer::runRunLoop):
800         (JSC::PromiseDeferredTimer::addPendingPromise):
801         (JSC::PromiseDeferredTimer::hasPendingPromise):
802         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
803         (JSC::PromiseDeferredTimer::cancelPendingPromise):
804         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
805         * runtime/PromiseDeferredTimer.h:
806         * runtime/VM.cpp:
807         (JSC::VM::VM):
808         (JSC::VM::~VM):
809         (JSC::VM::setRunLoop):
810         (JSC::VM::registerRunLoopTimer): Deleted.
811         (JSC::VM::unregisterRunLoopTimer): Deleted.
812         * runtime/VM.h:
813         (JSC::VM::runLoop const):
814         * wasm/js/WebAssemblyPrototype.cpp:
815         (JSC::webAssemblyModuleValidateAsyncInternal):
816         (JSC::instantiate):
817         (JSC::compileAndInstantiate):
818         (JSC::webAssemblyModuleInstantinateAsyncInternal):
819         (JSC::webAssemblyCompileStreamingInternal):
820         (JSC::webAssemblyInstantiateStreamingInternal):
821
822 2018-08-23  Mark Lam  <mark.lam@apple.com>
823
824         Move vmEntryGlobalObject() to VM from CallFrame.
825         https://bugs.webkit.org/show_bug.cgi?id=188900
826         <rdar://problem/43655753>
827
828         Reviewed by Michael Saboff.
829
830         Also introduced CallFrame::isGlobalExec() which makes use of one property of
831         GlobalExecs to identify them, i.e. GlobalExecs have null callerFrames and returnPCs.
832         CallFrame::initGlobalExec() ensures this.
833
834         In contrast, normal CallFrames always have a callerFrame (because they must at
835         least be preceded by a VM EntryFrame) and a returnPC (at least return to the
836         VM entry glue).
837
838         * API/APIUtils.h:
839         (handleExceptionIfNeeded):
840         (setException):
841         * API/JSBase.cpp:
842         (JSEvaluateScript):
843         (JSCheckScriptSyntax):
844         * API/JSContextRef.cpp:
845         (JSGlobalContextRetain):
846         (JSGlobalContextRelease):
847         (JSGlobalContextCopyName):
848         (JSGlobalContextSetName):
849         (JSGlobalContextGetRemoteInspectionEnabled):
850         (JSGlobalContextSetRemoteInspectionEnabled):
851         (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
852         (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
853         (JSGlobalContextGetDebuggerRunLoop):
854         (JSGlobalContextSetDebuggerRunLoop):
855         (JSGlobalContextGetAugmentableInspectorController):
856         * API/JSValue.mm:
857         (reportExceptionToInspector):
858         * API/glib/JSCClass.cpp:
859         (jscContextForObject):
860         * API/glib/JSCContext.cpp:
861         (jsc_context_evaluate_in_object):
862         * debugger/Debugger.cpp:
863         (JSC::Debugger::pauseIfNeeded):
864         * debugger/DebuggerCallFrame.cpp:
865         (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
866         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
867         * interpreter/CallFrame.cpp:
868         (JSC::CallFrame::vmEntryGlobalObject): Deleted.
869         * interpreter/CallFrame.h:
870         (JSC::ExecState::scope const):
871         (JSC::ExecState::noCaller):
872         (JSC::ExecState::isGlobalExec const):
873         * interpreter/Interpreter.cpp:
874         (JSC::notifyDebuggerOfUnwinding):
875         (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
876         (JSC::Interpreter::debug):
877         * runtime/CallData.cpp:
878         (JSC::profiledCall):
879         * runtime/Completion.cpp:
880         (JSC::evaluate):
881         (JSC::profiledEvaluate):
882         (JSC::evaluateWithScopeExtension):
883         (JSC::loadAndEvaluateModule):
884         (JSC::loadModule):
885         (JSC::linkAndEvaluateModule):
886         (JSC::importModule):
887         * runtime/ConstructData.cpp:
888         (JSC::profiledConstruct):
889         * runtime/Error.cpp:
890         (JSC::getStackTrace):
891         * runtime/VM.cpp:
892         (JSC::VM::throwException):
893         (JSC::VM::vmEntryGlobalObject const):
894         * runtime/VM.h:
895
896 2018-08-23  Andy Estes  <aestes@apple.com>
897
898         [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
899         https://bugs.webkit.org/show_bug.cgi?id=188829
900
901         Reviewed by Tim Horton.
902
903         * Configurations/FeatureDefines.xcconfig:
904
905 2018-08-23  Devin Rousso  <drousso@apple.com>
906
907         Web Inspector: support breakpoints for timers and animation-frame events
908         https://bugs.webkit.org/show_bug.cgi?id=188778
909
910         Reviewed by Brian Burg.
911
912         * inspector/protocol/Debugger.json:
913         Add `AnimationFrame` and `Timer` types to the list of pause reasons.
914
915         * inspector/protocol/DOMDebugger.json:
916         Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
917          - `setEventListenerBreakpoint`
918          - `removeEventListenerBreakpoint`
919          - `setInstrumentationBreakpoint`
920          - `removeInstrumentationBreakpoint`
921         Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
922
923         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
924         (CppProtocolTypesHeaderGenerator.generate_output):
925         (CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
926         (CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
927         (CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
928         Generate `DefaultHash` for all `enum class` used by inspector protocols.
929
930         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
931         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
932         * inspector/scripts/tests/generic/expected/enum-values.json-result:
933         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
934         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
935         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
936         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
937
938 2018-08-23  Michael Saboff  <msaboff@apple.com>
939
940         YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
941         https://bugs.webkit.org/show_bug.cgi?id=188895
942
943         Reviewed by Mark Lam.
944
945         Found while working on another change.  This will allow processing of nested
946         parenthesis that require saved ParenContext structures.
947
948         * yarr/YarrJIT.cpp:
949         (JSC::Yarr::YarrGenerator::compile):
950
951 2018-08-22  Michael Saboff  <msaboff@apple.com>
952
953         https://bugs.webkit.org/show_bug.cgi?id=188859
954         Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
955
956         Rubber-stamped by Saam Barati.
957
958         Deleted these two functions.
959
960         * jit/JITOperations.cpp:
961         * jit/JITOperations.h:
962
963 2018-08-22  Mark Lam  <mark.lam@apple.com>
964
965         The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
966         https://bugs.webkit.org/show_bug.cgi?id=188298
967         <rdar://problem/42888427>
968
969         Reviewed by Saam Barati.
970
971         In the event that both targets of a Branch are the same block, then even if we'll
972         always take one path of the branch, the other target is not unreachable because
973         it is the same target as the one in the taken path.  Hence, it should not be
974         jettisoned.
975
976         * JavaScriptCore.xcodeproj/project.pbxproj:
977         - Added DFGCFG.h which is in use and should have been added to the project.
978         * dfg/DFGCFGSimplificationPhase.cpp:
979         (JSC::DFG::CFGSimplificationPhase::run):
980
981 2018-08-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
982
983         [JSC] HeapUtil should care about pointer overflow
984         https://bugs.webkit.org/show_bug.cgi?id=188740
985
986         Reviewed by Saam Barati.
987
988         `pointer - sizeof(IndexingHeader) - 1` causes undefined behavior if a pointer overflows.
989         For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
990         with `char*` pointer, we cast it to `uintptr_t` temporarily. This issue is found by UBSan.
991
992         * heap/HeapUtil.h:
993         (JSC::HeapUtil::findGCObjectPointersForMarking):
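
As an added illustration (not JSC's code) of the pointer-overflow issue in this entry: stepping a `char*` back from nullptr is undefined behaviour even when the result is never dereferenced, while the same arithmetic on `uintptr_t` simply wraps. `kIndexingHeaderSize` is an assumed stand-in for `sizeof(IndexingHeader)`, and the block range check is this example's own.

```cpp
#include <cstddef>
#include <cstdint>

// Added example, not WebKit code. kIndexingHeaderSize stands in for
// sizeof(IndexingHeader); the real value is whatever the JSC build uses.
constexpr std::uintptr_t kIndexingHeaderSize = 8;

// Candidate address of a cell whose butterfly might start at `pointer`,
// computed on an unsigned integer so that nullptr (or any small address)
// wraps modulo 2^N instead of invoking undefined behaviour.
inline std::uintptr_t candidateCellAddress(const void* pointer)
{
    std::uintptr_t address = reinterpret_cast<std::uintptr_t>(pointer);
    return address - kIndexingHeaderSize - 1;
}

// A conservative scan only cares whether the candidate falls inside a known
// block [blockBegin, blockEnd). A wrapped candidate simply fails this check.
// (This range check is the example's own; it stands in for whatever lookup
// findGCObjectPointersForMarking performs with the candidate.)
inline bool candidateInBlock(const void* pointer, std::uintptr_t blockBegin, std::uintptr_t blockEnd)
{
    std::uintptr_t candidate = candidateCellAddress(pointer);
    return candidate >= blockBegin && candidate < blockEnd;
}
```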
994
995 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
996
997         [JSC] Should not rotate constant with 64
998         https://bugs.webkit.org/show_bug.cgi?id=188556
999
1000         Reviewed by Saam Barati.
1001
1002         To defend against JIT splaying, we rotate a constant with a randomly generated seed.
1003         But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
1004         where value's type is uint64_t, and they cause undefined behavior (UB). This patch limits
1005         the seed to the range [1, 63] so as not to generate code causing UB. This was found by UBSan.
1006
1007         * assembler/MacroAssembler.h:
1008         (JSC::MacroAssembler::generateRotationSeed):
1009         (JSC::MacroAssembler::rotationBlindConstant):
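
As an added illustration (not JSC's code) of the seed-range constraint in this entry: a rotation seed of 0 or 64 would produce a shift by 64 on a `uint64_t`, which is undefined behaviour, so the seed is forced into [1, 63] before either rotation is used. `std::random_device` stands in for the JIT's entropy source; all names below are this example's own.

```cpp
#include <cstdint>
#include <random>

// Added example, not WebKit code.

// Map any random draw onto a seed in [1, 63], never 0 and never 64.
inline std::uint8_t rotationSeedInRange(std::uint64_t randomDraw)
{
    return static_cast<std::uint8_t>(randomDraw % 63) + 1; // 0..62 -> 1..63
}

inline bool isValidRotationSeed(std::uint8_t seed)
{
    return seed >= 1 && seed <= 63;
}

// Blind: rotate the constant left by seed. With seed in [1, 63] both shift
// counts (seed and 64 - seed) are in [1, 63], so neither shift is undefined.
inline std::uint64_t rotateLeft64(std::uint64_t value, std::uint8_t seed)
{
    return (value << seed) | (value >> (64 - seed));
}

// Unblind: rotate right by the same seed, recovering the constant.
inline std::uint64_t rotateRight64(std::uint64_t value, std::uint8_t seed)
{
    return (value >> seed) | (value << (64 - seed));
}

// The blinded pair as emitted code would carry it: rotated value plus seed.
struct BlindedConstant {
    std::uint64_t rotated;
    std::uint8_t seed;
};

inline BlindedConstant blind(std::uint64_t value, std::uint64_t randomDraw)
{
    std::uint8_t seed = rotationSeedInRange(randomDraw);
    return { rotateLeft64(value, seed), seed };
}

inline std::uint64_t unblind(const BlindedConstant& c)
{
    return rotateRight64(c.rotated, c.seed);
}

// Check that blind/unblind round-trips for every seed the range permits.
inline bool roundTripsForAllSeeds(std::uint64_t value)
{
    for (std::uint64_t draw = 0; draw < 63; ++draw) {
        if (unblind(blind(value, draw)) != value)
            return false;
    }
    return true;
}

// std::random_device is an assumed stand-in for the JIT's entropy source.
inline std::uint8_t drawRotationSeed()
{
    std::random_device rd;
    return rotationSeedInRange(rd());
}
```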
1010
1011 2018-08-21  Commit Queue  <commit-queue@webkit.org>
1012
1013         Unreviewed, rolling out r235107.
1014         https://bugs.webkit.org/show_bug.cgi?id=188832
1015
1016         "It revealed bugs in Blob code as well as regressed JS
1017         performance tests" (Requested by saamyjoon on #webkit).
1018
1019         Reverted changeset:
1020
1021         "JSRunLoopTimer may run part of a member function after it's
1022         destroyed"
1023         https://bugs.webkit.org/show_bug.cgi?id=188426
1024         https://trac.webkit.org/changeset/235107
1025
1026 2018-08-21  Saam barati  <sbarati@apple.com>
1027
1028         JSRunLoopTimer may run part of a member function after it's destroyed
1029         https://bugs.webkit.org/show_bug.cgi?id=188426
1030
1031         Reviewed by Mark Lam.
1032
1033         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1034         to end up running timer code after the class had been destroyed.
1035         
1036         The issue I spotted was in this function:
1037         ```
1038         void JSRunLoopTimer::timerDidFire()
1039         {
1040             JSLock* apiLock = m_apiLock.get();
1041             if (!apiLock) {
1042                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1043                 return;
1044             }
1045             // HERE
1046             std::lock_guard<JSLock> lock(*apiLock);
1047             RefPtr<VM> vm = apiLock->vm();
1048             if (!vm) {
1049                 // The VM has been destroyed, so we should just give up.
1050                 return;
1051             }
1052         
1053             doWork();
1054         }
1055         ```
1056         
1057         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1058         switched before grabbing the API lock. Then, some other thread destroys the VM.
1059         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1060         timer would run code and access member variables after it was destroyed.
1061         
1062         This patch fixes this issue by introducing a new timer manager class. 
1063         This class manages timers on a per VM basis. When a timer is scheduled,
1064         this class refs the timer. It also calls the timer callback while actively
1065         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1066         callback after the timer has been destroyed. However, calling a timer callback
1067         can still race with the VM being destroyed. We continue to detect this case and
1068         bail out of the callback early.
1069         
1070         This patch also removes a lot of duplicate code between GCActivityCallback
1071         and JSRunLoopTimer.
1072
1073         * heap/EdenGCActivityCallback.cpp:
1074         (JSC::EdenGCActivityCallback::doCollection):
1075         (JSC::EdenGCActivityCallback::lastGCLength):
1076         (JSC::EdenGCActivityCallback::deathRate):
1077         * heap/EdenGCActivityCallback.h:
1078         * heap/FullGCActivityCallback.cpp:
1079         (JSC::FullGCActivityCallback::doCollection):
1080         (JSC::FullGCActivityCallback::lastGCLength):
1081         (JSC::FullGCActivityCallback::deathRate):
1082         * heap/FullGCActivityCallback.h:
1083         * heap/GCActivityCallback.cpp:
1084         (JSC::GCActivityCallback::doWork):
1085         (JSC::GCActivityCallback::scheduleTimer):
1086         (JSC::GCActivityCallback::didAllocate):
1087         (JSC::GCActivityCallback::willCollect):
1088         (JSC::GCActivityCallback::cancel):
1089         (JSC::GCActivityCallback::cancelTimer): Deleted.
1090         (JSC::GCActivityCallback::nextFireTime): Deleted.
1091         * heap/GCActivityCallback.h:
1092         * heap/Heap.cpp:
1093         (JSC::Heap::reportAbandonedObjectGraph):
1094         (JSC::Heap::notifyIncrementalSweeper):
1095         (JSC::Heap::updateAllocationLimits):
1096         (JSC::Heap::didAllocate):
1097         * heap/IncrementalSweeper.cpp:
1098         (JSC::IncrementalSweeper::scheduleTimer):
1099         (JSC::IncrementalSweeper::doWork):
1100         (JSC::IncrementalSweeper::doSweep):
1101         (JSC::IncrementalSweeper::sweepNextBlock):
1102         (JSC::IncrementalSweeper::startSweeping):
1103         (JSC::IncrementalSweeper::stopSweeping):
1104         * heap/IncrementalSweeper.h:
1105         * heap/StopIfNecessaryTimer.cpp:
1106         (JSC::StopIfNecessaryTimer::doWork):
1107         (JSC::StopIfNecessaryTimer::scheduleSoon):
1108         * heap/StopIfNecessaryTimer.h:
1109         * runtime/JSRunLoopTimer.cpp:
1110         (JSC::epochTime):
1111         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1112         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1113         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1114         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1115         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1116         (JSC::JSRunLoopTimer::Manager::shared):
1117         (JSC::JSRunLoopTimer::Manager::registerVM):
1118         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1119         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1120         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1121         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1122         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1123         (JSC::JSRunLoopTimer::timerDidFire):
1124         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1125         (JSC::JSRunLoopTimer::timeUntilFire):
1126         (JSC::JSRunLoopTimer::setTimeUntilFire):
1127         (JSC::JSRunLoopTimer::cancelTimer):
1128         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1129         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1130         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1131         * runtime/JSRunLoopTimer.h:
1132         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1133         * runtime/PromiseDeferredTimer.cpp:
1134         (JSC::PromiseDeferredTimer::doWork):
1135         (JSC::PromiseDeferredTimer::runRunLoop):
1136         (JSC::PromiseDeferredTimer::addPendingPromise):
1137         (JSC::PromiseDeferredTimer::hasPendingPromise):
1138         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1139         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1140         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1141         * runtime/PromiseDeferredTimer.h:
1142         * runtime/VM.cpp:
1143         (JSC::VM::VM):
1144         (JSC::VM::~VM):
1145         (JSC::VM::setRunLoop):
1146         (JSC::VM::registerRunLoopTimer): Deleted.
1147         (JSC::VM::unregisterRunLoopTimer): Deleted.
1148         * runtime/VM.h:
1149         (JSC::VM::runLoop const):
1150         * wasm/js/WebAssemblyPrototype.cpp:
1151         (JSC::webAssemblyModuleValidateAsyncInternal):
1152         (JSC::instantiate):
1153         (JSC::compileAndInstantiate):
1154         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1155         (JSC::webAssemblyCompileStreamingInternal):
1156         (JSC::webAssemblyInstantiateStreamingInternal):
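
As an added illustration (not JSC's code) of the ownership scheme this entry describes, and its reland earlier in this file: a per-VM manager holds a reference to each scheduled timer and keeps a +1 reference across the callback, so the callback can never run on a destroyed timer, while the VM-destroyed race is still detected and bailed out of early. Timer, TimerManager and the "VM alive" flag are this example's own names.

```cpp
#include <atomic>
#include <functional>
#include <map>
#include <memory>
#include <mutex>
#include <utility>

// Added example, not WebKit code. std::shared_ptr plays the role of RefPtr.
class Timer {
public:
    explicit Timer(std::function<void()> work) : m_work(std::move(work)) { }
    void doWork() { m_work(); }
private:
    std::function<void()> m_work;
};

class TimerManager {
public:
    // Scheduling takes a +1 ref: the timer cannot be destroyed while scheduled.
    void scheduleTimer(const std::shared_ptr<Timer>& timer)
    {
        std::lock_guard<std::mutex> lock(m_lock);
        m_scheduled[timer.get()] = timer;
    }

    void cancelTimer(Timer* timer)
    {
        std::lock_guard<std::mutex> lock(m_lock);
        m_scheduled.erase(timer); // releases the manager's ref
    }

    // Run-loop entry point. Returns whether the timer's work actually ran.
    bool timerDidFire(Timer* timer)
    {
        std::shared_ptr<Timer> keepAlive;
        {
            std::lock_guard<std::mutex> lock(m_lock);
            auto it = m_scheduled.find(timer);
            if (it == m_scheduled.end())
                return false; // cancelled or never scheduled
            keepAlive = std::move(it->second); // move the +1 ref out of the table
            m_scheduled.erase(it);
        }
        // The VM can still be torn down concurrently; detect that and give up,
        // as the original callback did.
        if (!m_vmAlive.load())
            return false;
        keepAlive->doWork(); // keepAlive guarantees the timer outlives this call
        return true;
    }

    void vmDestroyed() { m_vmAlive.store(false); }

    size_t scheduledCount()
    {
        std::lock_guard<std::mutex> lock(m_lock);
        return m_scheduled.size();
    }

private:
    std::mutex m_lock;
    std::map<Timer*, std::shared_ptr<Timer>> m_scheduled;
    std::atomic<bool> m_vmAlive { true };
};

// Scenario from the entry: the owner drops its last reference to a scheduled
// timer, then the timer fires. Returns how many times the work ran (1 expected).
inline int workRunsAfterOwnerDropsTimer()
{
    TimerManager manager;
    auto observed = std::make_shared<int>(0);
    auto timer = std::make_shared<Timer>([observed] { ++*observed; });
    Timer* key = timer.get();
    manager.scheduleTimer(timer);
    timer.reset(); // owner gone; only the manager's ref remains
    manager.timerDidFire(key);
    return *observed;
}

// Variant: the VM is destroyed before the timer fires. The work must not run,
// and the manager must have released its ref (nothing left scheduled).
inline bool workSkippedAfterVMDestroyed()
{
    TimerManager manager;
    auto observed = std::make_shared<int>(0);
    auto timer = std::make_shared<Timer>([observed] { ++*observed; });
    manager.scheduleTimer(timer);
    manager.vmDestroyed();
    bool ran = manager.timerDidFire(timer.get());
    return !ran && *observed == 0 && manager.scheduledCount() == 0;
}
```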
1157
1158 2018-08-20  Saam barati  <sbarati@apple.com>
1159
1160         Inline DataView accesses into DFG/FTL
1161         https://bugs.webkit.org/show_bug.cgi?id=188573
1162         <rdar://problem/43286746>
1163
1164         Reviewed by Michael Saboff.
1165
1166         This patch teaches the DFG/FTL to inline DataView accesses. The approach is
1167         straightforward. We inline the various get*/set* operations as intrinsics.
1168         
1169         This patch takes the most obvious approach for now. We OSR exit when:
1170         - An isLittleEndian argument is provided, and is not a boolean.
1171         - The index isn't an integer.
1172         - The |this| isn't a DataView.
1173         - We do an OOB access (or see a neutered array)
1174         
1175         To implement this change in a performant way, this patch teaches the macro
1176         assembler how to emit byte swap operations. The semantics of the added functions
1177         are byteSwap + zero extend. This means for the 16-bit byte swaps, we need
1178         to actually emit zero extend instructions. For the 32/64-bit byte swaps,
1179         the instructions already have these semantics.
1180         
1181         This patch is just a lightweight initial implementation. There are some easy
1182         extensions we can do in future changes:
1183         - Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
1184         - CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
1185
1186         * assembler/MacroAssemblerARM64.h:
1187         (JSC::MacroAssemblerARM64::byteSwap16):
1188         (JSC::MacroAssemblerARM64::byteSwap32):
1189         (JSC::MacroAssemblerARM64::byteSwap64):
1190         * assembler/MacroAssemblerX86Common.h:
1191         (JSC::MacroAssemblerX86Common::byteSwap32):
1192         (JSC::MacroAssemblerX86Common::byteSwap16):
1193         (JSC::MacroAssemblerX86Common::byteSwap64):
1194         * assembler/X86Assembler.h:
1195         (JSC::X86Assembler::bswapl_r):
1196         (JSC::X86Assembler::bswapq_r):
1197         (JSC::X86Assembler::shiftInstruction16):
1198         (JSC::X86Assembler::rolw_i8r):
1199         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1200         * assembler/testmasm.cpp:
1201         (JSC::testByteSwap):
1202         (JSC::run):
1203         * bytecode/DataFormat.h:
1204         * bytecode/SpeculatedType.cpp:
1205         (JSC::dumpSpeculation):
1206         (JSC::speculationFromClassInfo):
1207         (JSC::speculationFromJSType):
1208         (JSC::speculationFromString):
1209         * bytecode/SpeculatedType.h:
1210         * dfg/DFGAbstractInterpreterInlines.h:
1211         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1212         * dfg/DFGByteCodeParser.cpp:
1213         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1214         * dfg/DFGClobberize.h:
1215         (JSC::DFG::clobberize):
1216         * dfg/DFGDoesGC.cpp:
1217         (JSC::DFG::doesGC):
1218         * dfg/DFGFixupPhase.cpp:
1219         (JSC::DFG::FixupPhase::fixupNode):
1220         * dfg/DFGNode.h:
1221         (JSC::DFG::Node::hasHeapPrediction):
1222         (JSC::DFG::Node::dataViewData):
1223         * dfg/DFGNodeType.h:
1224         * dfg/DFGPredictionPropagationPhase.cpp:
1225         * dfg/DFGSafeToExecute.h:
1226         (JSC::DFG::SafeToExecuteEdge::operator()):
1227         (JSC::DFG::safeToExecute):
1228         * dfg/DFGSpeculativeJIT.cpp:
1229         (JSC::DFG::SpeculativeJIT::speculateDataViewObject):
1230         (JSC::DFG::SpeculativeJIT::speculate):
1231         * dfg/DFGSpeculativeJIT.h:
1232         * dfg/DFGSpeculativeJIT32_64.cpp:
1233         (JSC::DFG::SpeculativeJIT::compile):
1234         * dfg/DFGSpeculativeJIT64.cpp:
1235         (JSC::DFG::SpeculativeJIT::compile):
1236         * dfg/DFGUseKind.cpp:
1237         (WTF::printInternal):
1238         * dfg/DFGUseKind.h:
1239         (JSC::DFG::typeFilterFor):
1240         (JSC::DFG::isCell):
1241         * ftl/FTLCapabilities.cpp:
1242         (JSC::FTL::canCompile):
1243         * ftl/FTLLowerDFGToB3.cpp:
1244         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1245         (JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
1246         (JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
1247         (JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
1248         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
1249         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
1250         (JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
1251         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1252         (JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
1253         * runtime/Intrinsic.cpp:
1254         (JSC::intrinsicName):
1255         * runtime/Intrinsic.h:
1256         * runtime/JSDataViewPrototype.cpp:
1257
1258 2018-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1259
1260         [YARR] Extend size of fixed characters bulk matching in 64bit platform
1261         https://bugs.webkit.org/show_bug.cgi?id=181989
1262
1263         Reviewed by Michael Saboff.
1264
1265         This patch extends bulk matching style for fixed-sized characters.
1266         In a 64-bit environment, a GPR can hold up to 8 characters. This change
1267         reduces the code size since we can fuse multiple `mov` operations into one.
1268
1269         * assembler/LinkBuffer.h:
1270         * runtime/Options.h:
1271         * yarr/YarrJIT.cpp:
1272         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1273         (JSC::Yarr::YarrGenerator::compile):
1274
1275 2018-08-20  Devin Rousso  <drousso@apple.com>
1276
1277         Web Inspector: allow breakpoints to be set for specific event listeners
1278         https://bugs.webkit.org/show_bug.cgi?id=183138
1279
1280         Reviewed by Joseph Pecoraro.
1281
1282         * inspector/protocol/DOM.json:
1283         Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
1284         takes an `eventListenerId` and toggles whether that specific usage of that event listener
1285         should have a breakpoint and pause before running.
1286
1287 2018-08-20  Mark Lam  <mark.lam@apple.com>
1288
1289         Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
1290         https://bugs.webkit.org/show_bug.cgi?id=188769
1291
1292         Reviewed by Michael Saboff.
1293
1294         * llint/LowLevelInterpreter.asm:
1295         - Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
1296           so that libunwind doesn't get confused by the 2 labels pointing to the same
1297           code address.
1298
1299 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1300
1301         [GLIB] Add API to throw exceptions using printf formatted strings
1302         https://bugs.webkit.org/show_bug.cgi?id=188698
1303
1304         Reviewed by Michael Catanzaro.
1305
1306         Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
1307         JSCException using a printf formatted string.
1308
1309         * API/glib/JSCContext.cpp:
1310         (jsc_context_throw_printf):
1311         (jsc_context_throw_with_name_printf):
1312         * API/glib/JSCContext.h:
1313         * API/glib/JSCException.cpp:
1314         (jsc_exception_new_printf):
1315         (jsc_exception_new_vprintf):
1316         (jsc_exception_new_with_name_printf):
1317         (jsc_exception_new_with_name_vprintf):
1318         * API/glib/JSCException.h:
1319         * API/glib/docs/jsc-glib-4.0-sections.txt:
1320
1321 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1322
1323         [GLIB] Complete the JSCException API
1324         https://bugs.webkit.org/show_bug.cgi?id=188695
1325
1326         Reviewed by Michael Catanzaro.
1327
1328         Add more API to JSCException:
1329          - New function to get the column number
1330          - New function to get the exception as a string (toString())
1331          - Add the possibility to create exceptions with a custom error name.
1332          - New function to get the exception error name
1333          - New function to get the exception backtrace.
1334          - New convenience function to report an exception by returning a formatted string with all the exception
1335            details, to be shown as a user error message.
1336
1337         * API/glib/JSCContext.cpp:
1338         (jsc_context_throw_with_name):
1339         * API/glib/JSCContext.h:
1340         * API/glib/JSCException.cpp:
1341         (jscExceptionEnsureProperties):
1342         (jsc_exception_new):
1343         (jsc_exception_new_with_name):
1344         (jsc_exception_get_name):
1345         (jsc_exception_get_column_number):
1346         (jsc_exception_get_back_trace_string):
1347         (jsc_exception_to_string):
1348         (jsc_exception_report):
1349         * API/glib/JSCException.h:
1350         * API/glib/docs/jsc-glib-4.0-sections.txt:
1351
1352 2018-08-19  Commit Queue  <commit-queue@webkit.org>
1353
1354         Unreviewed, rolling out r234852.
1355         https://bugs.webkit.org/show_bug.cgi?id=188736
1356
1357         Workaround is not correct (Requested by yusukesuzuki on
1358         #webkit).
1359
1360         Reverted changeset:
1361
1362         "[JSC] Should not rotate constant with 64"
1363         https://bugs.webkit.org/show_bug.cgi?id=188556
1364         https://trac.webkit.org/changeset/234852
1365
1366 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1367
1368         [WTF] Add WTF::unalignedLoad and WTF::unalignedStore
1369         https://bugs.webkit.org/show_bug.cgi?id=188716
1370
1371         Reviewed by Darin Adler.
1372
1373         Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
1374         The compiler can emit appropriate mov operations in x86 even if we use these
1375         helper functions.
1376
1377         * assembler/AssemblerBuffer.h:
1378         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
1379         (JSC::AssemblerBuffer::putIntegral):
1380         (JSC::AssemblerBuffer::putIntegralUnchecked):
1381         * assembler/MacroAssemblerX86.h:
1382         (JSC::MacroAssemblerX86::readCallTarget):
1383         * assembler/X86Assembler.h:
1384         (JSC::X86Assembler::linkJump):
1385         (JSC::X86Assembler::readPointer):
1386         (JSC::X86Assembler::replaceWithHlt):
1387         (JSC::X86Assembler::replaceWithJump):
1388         (JSC::X86Assembler::setPointer):
1389         (JSC::X86Assembler::setInt32):
1390         (JSC::X86Assembler::setInt8):
1391         * interpreter/InterpreterInlines.h:
1392         (JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
1393
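The DataView inlining entry above (OSR exit on out-of-bounds or neutered buffers, byte swap with zero-extension for 16-bit values) and the WTF::unalignedLoad/unalignedStore entry describe the same three concerns: defined-behaviour unaligned access, endianness conversion, and a bounds check that cannot be bypassed. The following is an added example written for this page, not JSC's own code; the DataView struct, its field names and the sample bytes are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Added illustration, not JSC code: the checks a DataView get*/set* has to make
// before it touches memory, written in portable C++ instead of JIT-emitted code.

// memcpy is the defined-behaviour way to read or write a possibly misaligned T;
// compilers lower it to an ordinary load/store where the target allows it.
template<typename T> T unalignedLoad(const void* p) { T v; std::memcpy(&v, p, sizeof(T)); return v; }
template<typename T> void unalignedStore(void* p, T v) { std::memcpy(p, &v, sizeof(T)); }

// Byte swap with zero-extension. A 16-bit operand is promoted to int, so the
// shifted-out bits must be truncated explicitly (the "zero extend" a 16-bit
// swap needs); the 32- and 64-bit forms are already full width.
inline uint32_t byteSwap16(uint16_t v) { return static_cast<uint16_t>((v << 8) | (v >> 8)); }
inline uint32_t byteSwap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}
inline uint64_t byteSwap64(uint64_t v) {
    return (static_cast<uint64_t>(byteSwap32(static_cast<uint32_t>(v))) << 32)
        | byteSwap32(static_cast<uint32_t>(v >> 32));
}

// Overloads so the DataView template below picks the swap matching sizeof(T).
inline uint8_t swapBytes(uint8_t v) { return v; }
inline uint16_t swapBytes(uint16_t v) { return static_cast<uint16_t>(byteSwap16(v)); }
inline uint32_t swapBytes(uint32_t v) { return byteSwap32(v); }
inline uint64_t swapBytes(uint64_t v) { return byteSwap64(v); }

inline bool hostIsLittleEndian() {
    const uint16_t one = 1;
    uint8_t first;
    std::memcpy(&first, &one, 1);
    return first == 1;
}

struct DataView {
    std::vector<uint8_t> buffer;  // stands in for the backing ArrayBuffer
    bool neutered = false;        // a detached buffer must make every access fail

    // The bounds check is written without offset + size, which could wrap around.
    bool inBounds(size_t offset, size_t size) const {
        return !neutered && offset <= buffer.size() && size <= buffer.size() - offset;
    }

    // Returns false instead of reading when the access would be out of bounds;
    // the JIT's equivalent is to OSR exit to the generic path.
    template<typename T> bool get(size_t offset, bool littleEndian, T& out) const {
        if (!inBounds(offset, sizeof(T))) return false;
        T raw = unalignedLoad<T>(buffer.data() + offset);
        out = (littleEndian == hostIsLittleEndian()) ? raw : swapBytes(raw);
        return true;
    }
    template<typename T> bool set(size_t offset, bool littleEndian, T value) {
        if (!inBounds(offset, sizeof(T))) return false;
        T raw = (littleEndian == hostIsLittleEndian()) ? value : swapBytes(value);
        unalignedStore<T>(buffer.data() + offset, raw);
        return true;
    }
};
```

The `inBounds` form matters: checking `offset + sizeof(T) <= length` is the version that wraps for a huge offset and lets the read through. Signed getters (getInt16 and friends) would sign-extend after the swap; they are left out here to keep the zero-extension point visible.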
1394 2018-08-17  Saam barati  <sbarati@apple.com>
1395
1396         intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
1397         https://bugs.webkit.org/show_bug.cgi?id=188707
1398         <rdar://problem/43015442>
1399
1400         Reviewed by Mark Lam.
1401
1402         We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
1403         OSR enter at the head of a block. We verify it's safe to OSR enter by checking
1404         that each incoming value is compatible with its corresponding AbstractValue.
1405         
1406         The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
1407         with abstract values that were clobbered. This meant that the value we're
1408         verifying with at OSR entry effectively has an infinite structure set because
1409         it's clobbered. So, imagine we have code like this:
1410         ```
1411         ---> We OSR enter here, and we're clobbered here
1412         InvalidationPoint
1413         GetByOffset(@base)
1414         ```
1415         
1416         The abstract value for @base inside intersectionOfPastValuesAtHead has a
1417         clobbered structure set, so we'd allow an incoming object with any
1418         structure. However, this is wrong because the invalidation point is no
1419         longer fulfilling its promise that it filters the structure that @base has.
1420         
1421         We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
1422         as if the incoming value may be live past an InvalidationPoint.
1423         This places a stricter requirement that to safely OSR enter at any basic
1424         block, all incoming values must be compatible as if they lived past
1425         the execution of an invalidation point.
1426
1427         * dfg/DFGCFAPhase.cpp:
1428         (JSC::DFG::CFAPhase::run):
1429
1430 2018-08-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org> and Fujii Hironori  <Hironori.Fujii@sony.com>
1431
1432         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1433         https://bugs.webkit.org/show_bug.cgi?id=188589
1434
1435         Reviewed by Mark Lam.
1436         And reviewed by Yusuke Suzuki for Hironori's change.
1437
1438         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1439         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1440
1441         - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1442         - We make GPRReg and FPRReg int8_t enums.
1443         - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1444         - We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
1445           if `enum : int8_t` is used instead of `enum`.
1446
1447         * assembler/ARM64Assembler.h:
1448         * assembler/ARMAssembler.h:
1449         * assembler/ARMv7Assembler.h:
1450         * assembler/MIPSAssembler.h:
1451         * assembler/MacroAssembler.h:
1452         * assembler/X86Assembler.h:
1453         * jit/CCallHelpers.h:
1454         (JSC::CCallHelpers::clampArrayToSize):
1455         * jit/FPRInfo.h:
1456         * jit/GPRInfo.h:
1457         (JSC::JSValueRegs::JSValueRegs):
1458         (JSC::JSValueRegs::tagGPR const):
1459         (JSC::JSValueRegs::payloadGPR const):
1460         (JSC::JSValueSource::JSValueSource):
1461         (JSC::JSValueSource::unboxedCell):
1462         (JSC::JSValueSource::operator bool const):
1463         (JSC::JSValueSource::base const):
1464         (JSC::JSValueSource::tagGPR const):
1465         (JSC::JSValueSource::payloadGPR const):
1466         (JSC::JSValueSource::hasKnownTag const):
1467
1468 2018-08-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1469
1470         [JSC] alignas for RegisterState should respect alignof(RegisterState) too
1471         https://bugs.webkit.org/show_bug.cgi?id=188686
1472
1473         Reviewed by Saam Barati.
1474
1475         RegisterState would have a larger alignment than `alignof(void*)`. We use the larger alignment value
1476         for `alignof` for RegisterState.
1477
1478         * heap/RegisterState.h:
1479
1480 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1481
1482         [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
1483         https://bugs.webkit.org/show_bug.cgi?id=188571
1484
1485         Reviewed by Saam Barati.
1486
1487         UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
1488         allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
1489         without considering their alignment. This patch adds DisjunctionContext::allocationSize
1490         and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
1491         The size is always rounded to `sizeof(void*)` so that these classes are always allocated
1492         with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
1493         than or equal to `sizeof(void*)` by `static_assert`.
1494
1495         * yarr/YarrInterpreter.cpp:
1496         (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
1497         (JSC::Yarr::Interpreter::allocDisjunctionContext):
1498         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
1499         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
1500         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
1501         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
1502         (JSC::Yarr::Interpreter::Interpreter):
1503         (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
1504
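The BumpPointerAllocator entry above fixes misaligned accesses by rounding every allocation size up to sizeof(void*) and asserting that the allocated types need no stricter alignment. The following is an added example written for this page, not JSC's BumpPointerAllocator or YarrInterpreter code; the arena class and the two context structs are simplified stand-ins whose field names are invented for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration (not JSC's BumpPointerAllocator or YarrInterpreter): a bump
// allocator that only hands out sizes rounded up to sizeof(void*), so every
// object carved from it stays pointer-aligned no matter what was allocated before it.
static_assert((sizeof(void*) & (sizeof(void*) - 1)) == 0, "sizeof(void*) must be a power of two");

constexpr size_t roundUpToPointerSize(size_t size) {
    return (size + sizeof(void*) - 1) & ~(sizeof(void*) - 1);
}

inline bool isPointerAligned(const void* p) {
    return (reinterpret_cast<uintptr_t>(p) & (sizeof(void*) - 1)) == 0;
}

class BumpPointerArena {
public:
    explicit BumpPointerArena(size_t capacityInBytes)
        : m_words(roundUpToPointerSize(capacityInBytes) / sizeof(void*)), m_offset(0) { }

    // Returns nullptr when the arena is exhausted instead of running off its end.
    void* allocate(size_t size) {
        size = roundUpToPointerSize(size);
        const size_t capacity = m_words.size() * sizeof(void*);
        if (size > capacity - m_offset) return nullptr;
        void* result = reinterpret_cast<uint8_t*>(m_words.data()) + m_offset;
        m_offset += size;
        return result;
    }
    size_t used() const { return m_offset; }

private:
    std::vector<uintptr_t> m_words;  // word-sized storage, so the base is pointer-aligned
    size_t m_offset;
};

// Two variable-size contexts modelled on the ones the patch describes. The
// trailing frame array makes the first one an odd size; the second one holds
// pointer-sized fields and would be misaligned if sizes were not rounded.
struct DisjunctionContext {
    unsigned term;
    unsigned matchBegin;
    unsigned matchEnd;
    unsigned frame[1];  // actually frameSize entries long

    static size_t allocationSize(unsigned frameSize) {
        return roundUpToPointerSize(offsetof(DisjunctionContext, frame) + frameSize * sizeof(unsigned));
    }
};
static_assert(alignof(DisjunctionContext) <= sizeof(void*), "must be satisfiable by pointer alignment");

struct ParenthesesDisjunctionContext {
    DisjunctionContext* next;
    uintptr_t backtrackRecord;

    static size_t allocationSize() { return roundUpToPointerSize(sizeof(ParenthesesDisjunctionContext)); }
};
static_assert(alignof(ParenthesesDisjunctionContext) <= sizeof(void*), "must be satisfiable by pointer alignment");

// Allocates one of each back to back and reports whether both came out aligned.
inline bool allocatesAlignedContexts(unsigned frameSize) {
    BumpPointerArena arena(256);
    void* first = arena.allocate(DisjunctionContext::allocationSize(frameSize));
    void* second = arena.allocate(ParenthesesDisjunctionContext::allocationSize());
    return first && second && isPointerAligned(first) && isPointerAligned(second);
}
```

Without the rounding, a DisjunctionContext with an odd frame size leaves the bump pointer at a 4-byte boundary and the pointer field of whatever is allocated next is misaligned, which UBSan reports and which faults outright on strict-alignment targets. The static_asserts are what make the sizeof(void*) rounding sufficient: a type with a larger alignment requirement would need its own rounding.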
1505 2018-08-15  Keith Miller  <keith_miller@apple.com>
1506
1507         Remove evernote hacks
1508         https://bugs.webkit.org/show_bug.cgi?id=188591
1509
1510         Reviewed by Joseph Pecoraro.
1511
1512         The hack was added in 2012 and the evernote app seems to work now.
1513         It's probably not needed anymore.
1514
1515         * API/JSValueRef.cpp:
1516         (JSValueUnprotect):
1517         (evernoteHackNeeded): Deleted.
1518
1519 2018-08-14  Fujii Hironori  <Hironori.Fujii@sony.com>
1520
1521         Unreviewed, rolling out r234874 and r234876.
1522
1523         WinCairo port can't compile
1524
1525         Reverted changesets:
1526
1527         "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
1528         https://bugs.webkit.org/show_bug.cgi?id=188589
1529         https://trac.webkit.org/changeset/234874
1530
1531         "Unreviewed, attempt to fix CLoop build"
1532         https://bugs.webkit.org/show_bug.cgi?id=188589
1533         https://trac.webkit.org/changeset/234876
1534
1535 2018-08-14  Saam barati  <sbarati@apple.com>
1536
1537         HashMap<Ref<P>, V> asserts when V is not zero for its empty value
1538         https://bugs.webkit.org/show_bug.cgi?id=188582
1539
1540         Reviewed by Sam Weinig.
1541
1542         * runtime/SparseArrayValueMap.h:
1543
1544 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1545
1546         Unreviewed, attempt to fix CLoop build
1547         https://bugs.webkit.org/show_bug.cgi?id=188589
1548
1549         * assembler/MacroAssembler.h:
1550
1551 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1552
1553         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1554         https://bugs.webkit.org/show_bug.cgi?id=188589
1555
1556         Reviewed by Mark Lam.
1557
1558         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1559         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1560
1561         1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1562         2. We make GPRReg and FPRReg int8_t enums.
1563         3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1564
1565         * assembler/ARM64Assembler.h:
1566         * assembler/ARMAssembler.h:
1567         * assembler/ARMv7Assembler.h:
1568         * assembler/MIPSAssembler.h:
1569         * assembler/X86Assembler.h:
1570         * jit/FPRInfo.h:
1571         * jit/GPRInfo.h:
1572         (JSC::JSValueRegs::JSValueRegs):
1573         (JSC::JSValueRegs::tagGPR const):
1574         (JSC::JSValueRegs::payloadGPR const):
1575         (JSC::JSValueSource::JSValueSource):
1576         (JSC::JSValueSource::unboxedCell):
1577         (JSC::JSValueSource::operator bool const):
1578         (JSC::JSValueSource::base const):
1579         (JSC::JSValueSource::tagGPR const):
1580         (JSC::JSValueSource::payloadGPR const):
1581         (JSC::JSValueSource::hasKnownTag const):
1582
1583 2018-08-14  Keith Miller  <keith_miller@apple.com>
1584
1585         Add missing availability macro.
1586         https://bugs.webkit.org/show_bug.cgi?id=188563
1587
1588         Reviewed by Mark Lam.
1589
1590         * API/JSValueRef.h:
1591
1592 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1593
1594         [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
1595         https://bugs.webkit.org/show_bug.cgi?id=188560
1596
1597         Reviewed by Keith Miller.
1598
1599         While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
1600         it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
1601         uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
1602         `m_wasSeenInJIT { false }`.
1603
1604         * bytecode/GetByIdStatus.h:
1605
1606 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1607
1608         [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
1609         https://bugs.webkit.org/show_bug.cgi?id=188557
1610
1611         Reviewed by Mark Lam.
1612
1613         DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
1614         processing for ArithRound etc.'s invariants requires `m_pass` load. This issue is found
1615         in UBSan's result.
1616
1617         * dfg/DFGPredictionPropagationPhase.cpp:
1618
1619 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1620
1621         [JSC] Should not rotate constant with 64
1622         https://bugs.webkit.org/show_bug.cgi?id=188556
1623
1624         Reviewed by Mark Lam.
1625
1626         To defend against JIT splaying, we rotate a constant with a randomly generated seed.
1627         But if a seed becomes 64, the following code performs `value << 64` where value's type
1628         is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed to the
1629         range [0, 64) so as not to generate code causing UBs. This was found by UBSan.
1630
1631         * assembler/MacroAssembler.h:
1632         (JSC::MacroAssembler::generateRotationSeed):
1633         (JSC::MacroAssembler::rotationBlindConstant):
1634
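The rotation-blinding entry above describes a seed that could reach 64 and so produce `value << 64`, which is undefined for a uint64_t. The following is an added example written for this page, not JSC's MacroAssembler code: it assumes blinding is done by emitting the rotated value and then rotating it back by the seed (an assumption about the mechanism, which the entry does not spell out), keeps the seed domain at [0, 64), and masks the shift count defensively. The generator and names are hypothetical.

```cpp
#include <cstdint>
#include <random>

// Added illustration of rotation-based constant blinding (not JSC's own code).
// Assumed mechanism: the rotated value is emitted as an immediate followed by a
// rotate-right by the seed, so an attacker-chosen constant never appears
// verbatim in executable memory (the JIT-spraying concern). The seed domain is
// [0, 64): a shift count of 64 on a uint64_t is undefined behaviour.

inline uint64_t rotateLeft64(uint64_t v, unsigned s) {
    s &= 63;  // defensive: keeps the shift count valid even for a bad seed
    return s ? (v << s) | (v >> (64 - s)) : v;
}
inline uint64_t rotateRight64(uint64_t v, unsigned s) {
    s &= 63;
    return s ? (v >> s) | (v << (64 - s)) : v;
}

// Hypothetical seed generator: uniform over [0, 64) and never 64.
inline unsigned generateRotationSeed(std::mt19937_64& rng) {
    return static_cast<unsigned>(rng() & 63);
}

struct BlindedConstant {
    uint64_t rotated;  // what lands in the instruction stream
    unsigned seed;     // rotate-right count emitted after the move
};

inline BlindedConstant blindConstant(uint64_t value, unsigned seed) {
    return { rotateLeft64(value, seed), seed };
}
inline uint64_t unblindConstant(const BlindedConstant& c) {
    return rotateRight64(c.rotated, c.seed);
}

// True when every seed in the domain round-trips, i.e. blinding never corrupts the value.
inline bool roundTripsForAllSeeds(uint64_t value) {
    for (unsigned seed = 0; seed < 64; ++seed) {
        if (unblindConstant(blindConstant(value, seed)) != value)
            return false;
    }
    return true;
}

// Draws a seed and checks it is inside the domain; the bug described above was
// a generator that could also return 64.
inline bool seedIsInDomain(uint64_t rngSeed) {
    std::mt19937_64 rng(rngSeed);
    const unsigned seed = generateRotationSeed(rng);
    return seed < 64;
}
```

Note that a seed of 0 emits the constant unchanged, so whether 0 belongs in the domain is a separate policy question this example does not decide; the entry only concerns the upper bound.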
1635 2018-08-12  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1636
1637         Disable JIT on IA-32 without SSE2
1638         https://bugs.webkit.org/show_bug.cgi?id=188476
1639
1640         Reviewed by Michael Catanzaro.
1641
1642         Include the missing header (MacroAssembler.h) on operating
1643         systems other than Windows too.
1644
1645         * runtime/Options.cpp:
1646
1647 2018-08-11  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1648
1649         Disable JIT on IA-32 without SSE2
1650         https://bugs.webkit.org/show_bug.cgi?id=188476
1651
1652         Reviewed by Yusuke Suzuki.
1653
1654         On IA-32 CPUs without SSE2 most of the webpages cannot load
1655         if the JIT is turned on.
1656
1657         * runtime/Options.cpp:
1658         (JSC::recomputeDependentOptions):
1659
1660 2018-08-10  Joseph Pecoraro  <pecoraro@apple.com>
1661
1662         Web Inspector: console.log fires getters for deep properties
1663         https://bugs.webkit.org/show_bug.cgi?id=187542
1664         <rdar://problem/42873158>
1665
1666         Reviewed by Saam Barati.
1667
1668         * inspector/InjectedScriptSource.js:
1669         (RemoteObject.prototype._isPreviewableObject):
1670         Avoid getters/setters when checking for simple properties to preview.
1671         Here we avoid invoking `object[property]` if it could be a user getter.
1672
1673 2018-08-10  Keith Miller  <keith_miller@apple.com>
1674
1675         Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
1676         https://bugs.webkit.org/show_bug.cgi?id=185127
1677
1678         Reviewed by Saam Barati.
1679
1680         Previously, we would truncate the indices passed to slice to an
1681         int. This meant that the value was not getting properly clamped
1682         later.
1683
1684         This patch also removes a non-spec compliant check that slice was
1685         passed at least one argument.
1686
1687         * runtime/ArrayBuffer.cpp:
1688         (JSC::ArrayBuffer::clampValue):
1689         (JSC::ArrayBuffer::clampIndex const):
1690         (JSC::ArrayBuffer::slice const):
1691         * runtime/ArrayBuffer.h:
1692         (JSC::ArrayBuffer::clampValue): Deleted.
1693         (JSC::ArrayBuffer::clampIndex const): Deleted.
1694         * runtime/JSArrayBufferPrototype.cpp:
1695         (JSC::arrayBufferProtoFuncSlice):
1696
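The ArrayBuffer slice entry above says the indices were truncated to an int before being clamped, so a large argument such as 2^32 lost its value. The following is an added example written for this page, not JSC's ArrayBuffer::slice: `clampIndex` and `sliceLength` clamp the arguments while they are still doubles, and `legacySliceLength` is a reconstruction (an assumption, modelled on JS ToInt32 wrapping) of how the pre-fix truncation produced a zero-length result.

```cpp
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <cstdint>

// Added illustration (not JSC's ArrayBuffer::slice): clamp the JS-visible
// begin/end arguments to the buffer length while they are still doubles.
// Converting an out-of-range double to int first is undefined behaviour in
// C++, and a ToInt32-style modular conversion turns 2^32 into 0, which is how
// a "long number" produced a zero-length slice.

// Relative-index rule: negatives count from the end, NaN is 0, result in [0, length].
inline size_t clampIndex(double index, size_t length) {
    const double len = static_cast<double>(length);
    if (std::isnan(index)) index = 0;
    index = std::trunc(index);
    const double clamped = index < 0 ? std::max(len + index, 0.0) : std::min(index, len);
    // Convert only once the value is known to lie within [0, len], so the cast is defined.
    return clamped >= len ? length : static_cast<size_t>(clamped);
}

// slice(begin, end): end is optional in JS, hasEnd == false means "to the end".
// With no arguments at all begin defaults to 0, i.e. the whole buffer is copied.
inline size_t sliceLength(size_t length, double begin, bool hasEnd, double end) {
    const size_t from = clampIndex(begin, length);
    const size_t to = hasEnd ? clampIndex(end, length) : length;
    return to > from ? to - from : 0;
}

// Reconstruction (an assumption, not the page's code) of the pre-fix behaviour:
// the argument is wrapped to 32 bits like JS ToInt32 before clamping.
inline int32_t toInt32Modular(double d) {
    if (std::isnan(d) || std::isinf(d)) return 0;
    double m = std::fmod(std::trunc(d), 4294967296.0);  // in (-2^32, 2^32)
    if (m < 0) m += 4294967296.0;                        // now in [0, 2^32)
    return static_cast<int32_t>(static_cast<uint32_t>(m));
}
inline size_t legacySliceLength(size_t length, double begin, bool hasEnd, double end) {
    const size_t from = clampIndex(toInt32Modular(begin), length);
    const size_t to = hasEnd ? clampIndex(toInt32Modular(end), length) : length;
    return to > from ? to - from : 0;
}
```

The order of operations is the whole fix: clamp first, convert second. Any integer conversion that happens before clamping either wraps (modular ToInt32) or is undefined (a bare C++ cast of an out-of-range double), and either way the later clamp operates on the wrong number.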
1697 2018-08-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1698
1699         Date.UTC should not return NaN with only Year param
1700         https://bugs.webkit.org/show_bug.cgi?id=188378
1701
1702         Reviewed by Keith Miller.
1703
1704         Date.UTC requires one argument, |year|, but the other ones are optional.
1705         This patch fixes this handling.
1706
1707         * runtime/DateConstructor.cpp:
1708         (JSC::millisecondsFromComponents):
1709
1710 2018-08-08  Keith Miller  <keith_miller@apple.com>
1711
1712         Array.prototype.sort should call @toLength instead of ">>> 0"
1713         https://bugs.webkit.org/show_bug.cgi?id=188430
1714
1715         Reviewed by Saam Barati.
1716
1717         Also add a new function to $vm that will fetch a private
1718         property. This can be useful for running builtin helper functions.
1719
1720         * builtins/ArrayPrototype.js:
1721         (sort):
1722         * tools/JSDollarVM.cpp:
1723         (JSC::functionGetPrivateProperty):
1724         (JSC::JSDollarVM::finishCreation):
1725
1726 2018-08-08  Keith Miller  <keith_miller@apple.com>
1727
1728         Array.prototype.sort should throw TypeError if param is a not callable object
1729         https://bugs.webkit.org/show_bug.cgi?id=188382
1730
1731         Reviewed by Saam Barati.
1732
1733         Improve spec compatibility by checking if the Array.prototype.sort comparator is a function
1734         before doing anything else.
1735
1736         Also, refactor the various helper functions to use let instead of var.
1737
1738         * builtins/ArrayPrototype.js:
1739         (sort.stringComparator):
1740         (sort.compactSparse):
1741         (sort.compactSlow):
1742         (sort.compact):
1743         (sort.merge):
1744         (sort.mergeSort):
1745         (sort.bucketSort):
1746         (sort.comparatorSort):
1747         (sort.stringSort):
1748         (sort):
1749
1750 2018-08-08  Michael Saboff  <msaboff@apple.com>
1751
1752         Yarr JIT should include annotations with dumpDisassembly=true
1753         https://bugs.webkit.org/show_bug.cgi?id=188415
1754
1755         Reviewed by Yusuke Suzuki.
1756
1757         Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
1758         Given that the Yarr creates matching code by going through the YarrPattern ops forward and
1759         then the backtracking code through the YarrPattern ops in reverse order, the disassembler
1760         needs to do the same thing.
1761
1762         Restructured some of the logging code in YarrPattern to eliminate redundant code and factor
1763         out simple methods for what was needed by the YarrDisassembler.
1764
1765         Here is abbreviated sample output after this change.
1766
1767         Generated JIT code for 8-bit regular expression /ab*c/:
1768             Code at [0x469561c03720, 0x469561c03840):
1769                 0x469561c03720: push %rbp
1770                 0x469561c03721: mov %rsp, %rbp
1771                 ...
1772                 0x469561c03762: sub $0x40, %rsp
1773              == Matching ==
1774            0:OpBodyAlternativeBegin minimum size 2
1775                 0x469561c03766: add $0x2, %esi
1776                 0x469561c03769: cmp %edx, %esi
1777                 0x469561c0376b: ja 0x469561c037fa
1778            1:OpTerm TypePatternCharacter 'a'
1779                 0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
1780                 0x469561c03776: cmp $0x61, %eax
1781                 0x469561c03779: jnz 0x469561c037e9
1782            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1783                 0x469561c0377f: xor %r9d, %r9d
1784                 0x469561c03782: cmp %edx, %esi
1785                 0x469561c03784: jz 0x469561c037a2
1786                 ...
1787                 0x469561c0379d: jmp 0x469561c03782
1788                 0x469561c037a2: mov %r9, 0x8(%rsp)
1789            3:OpTerm TypePatternCharacter 'c'
1790                 0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
1791                 0x469561c037ac: cmp $0x63, %eax
1792                 0x469561c037af: jnz 0x469561c037d1
1793            4:OpBodyAlternativeEnd
1794                 0x469561c037b5: add $0x40, %rsp
1795                 ...
1796                 0x469561c037cf: pop %rbp
1797                 0x469561c037d0: ret
1798              == Backtracking ==
1799            4:OpBodyAlternativeEnd
1800            3:OpTerm TypePatternCharacter 'c'
1801            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1802                 0x469561c037d1: mov 0x8(%rsp), %r9
1803                 ...
1804                 0x469561c037e4: jmp 0x469561c037a2
1805            1:OpTerm TypePatternCharacter 'a'
1806            0:OpBodyAlternativeBegin minimum size 2
1807                 0x469561c037e9: mov %rsi, %rax
1808                 ...
1809                 0x469561c0382f: pop %rbp
1810                 0x469561c03830: ret
1811
1812         * JavaScriptCore.xcodeproj/project.pbxproj:
1813         * Sources.txt:
1814         * runtime/RegExp.cpp:
1815         (JSC::RegExp::compile):
1816         (JSC::RegExp::compileMatchOnly):
1817         * yarr/YarrDisassembler.cpp: Added.
1818         (JSC::Yarr::YarrDisassembler::indentString):
1819         (JSC::Yarr::YarrDisassembler::YarrDisassembler):
1820         (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
1821         (JSC::Yarr::YarrDisassembler::dump):
1822         (JSC::Yarr::YarrDisassembler::dumpHeader):
1823         (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
1824         (JSC::Yarr::YarrDisassembler::dumpForInstructions):
1825         (JSC::Yarr::YarrDisassembler::dumpDisassembly):
1826         * yarr/YarrDisassembler.h: Added.
1827         (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
1828         (JSC::Yarr::YarrDisassembler::setStartOfCode):
1829         (JSC::Yarr::YarrDisassembler::setForGenerate):
1830         (JSC::Yarr::YarrDisassembler::setForBacktrack):
1831         (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
1832         (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
1833         (JSC::Yarr::YarrDisassembler::setEndOfCode):
1834         (JSC::Yarr::YarrDisassembler::indentString):
1835         * yarr/YarrJIT.cpp:
1836         (JSC::Yarr::YarrGenerator::generate):
1837         (JSC::Yarr::YarrGenerator::backtrack):
1838         (JSC::Yarr::YarrGenerator::YarrGenerator):
1839         (JSC::Yarr::YarrGenerator::compile):
1840         (JSC::Yarr::jitCompile):
1841         * yarr/YarrJIT.h:
1842         * yarr/YarrPattern.cpp:
1843         (JSC::Yarr::dumpCharacterClass):
1844         (JSC::Yarr::PatternTerm::dump):
1845         (JSC::Yarr::YarrPattern::dumpPatternString):
1846         (JSC::Yarr::YarrPattern::dumpPattern):
1847         * yarr/YarrPattern.h:
1848
1849 2018-08-05  Darin Adler  <darin@apple.com>
1850
1851         [Cocoa] More tweaks and refactoring to prepare for ARC
1852         https://bugs.webkit.org/show_bug.cgi?id=188245
1853
1854         Reviewed by Dan Bernstein.
1855
1856         * API/JSValue.mm: Use __unsafe_unretained.
1857         (JSContainerConvertor::convert): Use auto for compatibility with the above.
1858         * API/JSWrapperMap.mm:
1859         (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
1860         (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.
1861
1862         * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.
1863
1864 2018-08-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1865
1866         Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
1867         https://bugs.webkit.org/show_bug.cgi?id=188328
1868
1869         Reviewed by Saam Barati.
1870
1871         Shrinking the size of PropertyCondition can improve memory consumption by a lot.
1872         For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
1873         and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
1874         as a member field.
1875
1876         This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
1877         PropertyCondition::Kind into uint64_t data on 64-bit architectures. Since our addresses
1878         are within 48 bits, we can put PropertyCondition::Kind in these unused bits.
1879         To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
1880         folds a pointer and 1byte type into 64bit data.
1881
1882         This change shrinks PropertyCondition from 24bytes to 16bytes.
1883
1884         * bytecode/PropertyCondition.cpp:
1885         (JSC::PropertyCondition::dumpInContext const):
1886         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1887         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
1888         (JSC::PropertyCondition::isStillValid const):
1889         (JSC::PropertyCondition::isWatchableWhenValid const):
1890         * bytecode/PropertyCondition.h:
1891         (JSC::PropertyCondition::PropertyCondition):
1892         (JSC::PropertyCondition::presenceWithoutBarrier):
1893         (JSC::PropertyCondition::absenceWithoutBarrier):
1894         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
1895         (JSC::PropertyCondition::equivalenceWithoutBarrier):
1896         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
1897         (JSC::PropertyCondition::operator bool const):
1898         (JSC::PropertyCondition::kind const):
1899         (JSC::PropertyCondition::uid const):
1900         (JSC::PropertyCondition::hasOffset const):
1901         (JSC::PropertyCondition::hasAttributes const):
1902         (JSC::PropertyCondition::hasPrototype const):
1903         (JSC::PropertyCondition::hasRequiredValue const):
1904         (JSC::PropertyCondition::hash const):
1905         (JSC::PropertyCondition::operator== const):
1906         (JSC::PropertyCondition::isHashTableDeletedValue const):
1907         (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
1908
1909 2018-08-07  Mark Lam  <mark.lam@apple.com>
1910
1911         Use a more specific PtrTag for PlatformRegisters PC and LR.
1912         https://bugs.webkit.org/show_bug.cgi?id=188366
1913         <rdar://problem/42984123>
1914
1915         Reviewed by Keith Miller.
1916
1917         Also fixed a bug in linkRegister(), which was previously returning the PC instead
1918         of LR.  It now returns LR.
1919
1920         * runtime/JSCPtrTag.h:
1921         * runtime/MachineContext.h:
1922         (JSC::MachineContext::instructionPointer):
1923         (JSC::MachineContext::linkRegister):
1924         * runtime/VMTraps.cpp:
1925         (JSC::SignalContext::SignalContext):
1926         * tools/SigillCrashAnalyzer.cpp:
1927         (JSC::SignalContext::SignalContext):
1928
1929 2018-08-07  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1930
1931         Hardcoded LFENCE instruction
1932         https://bugs.webkit.org/show_bug.cgi?id=188145
1933
1934         Reviewed by Filip Pizlo.
1935
1936         Remove the lfence instruction because it crashes systems without SSE2, and
1937         this is not how WebKit mitigates Spectre.
1938
1939         * runtime/JSLock.cpp:
1940         (JSC::JSLock::didAcquireLock):
1941         (JSC::JSLock::willReleaseLock):
1942
1943 2018-08-04  David Kilzer  <ddkilzer@apple.com>
1944
1945         REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
1946         <https://webkit.org/b/188331>
1947
1948         Reviewed by Yusuke Suzuki.
1949
1950         * runtime/TemplateObjectDescriptor.h:
1951         (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
1952         Use `m_rawstrings` instead of `rawStrings` to calculate hash.
1953
1954 2018-08-03  Saam Barati  <sbarati@apple.com>
1955
1956         Give the `jsc` shell the JIT entitlement
1957         https://bugs.webkit.org/show_bug.cgi?id=188324
1958         <rdar://problem/42885806>
1959
1960         Reviewed by Dan Bernstein.
1961
1962         This should help us in ensuring the system jsc is able to JIT.
1963
1964         * Configurations/JSC.xcconfig:
1965         * JavaScriptCore.xcodeproj/project.pbxproj:
1966         * allow-jit-macOS.entitlements: Added.
1967
1968 2018-08-03  Alex Christensen  <achristensen@webkit.org>
1969
1970         Fix spelling of "overridden"
1971         https://bugs.webkit.org/show_bug.cgi?id=188315
1972
1973         Reviewed by Darin Adler.
1974
1975         * API/JSExport.h:
1976         * inspector/InjectedScriptSource.js:
1977
1978 2018-08-02  Saam Barati  <sbarati@apple.com>
1979
1980         Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
1981         https://bugs.webkit.org/show_bug.cgi?id=188271
1982         <rdar://problem/42850884>
1983
1984         Reviewed by Michael Saboff.
1985
1986         This patch defends against the instructionPointer containing garbage bits.
1987         See radar for details.
1988
1989         * runtime/MachineContext.h:
1990         (JSC::MachineContext::instructionPointer):
1991         * runtime/SamplingProfiler.cpp:
1992         (JSC::SamplingProfiler::takeSample):
1993         * runtime/VMTraps.cpp:
1994         (JSC::SignalContext::SignalContext):
1995         (JSC::SignalContext::tryCreate):
1996         * tools/CodeProfiling.cpp:
1997         (JSC::profilingTimer):
1998         * tools/SigillCrashAnalyzer.cpp:
1999         (JSC::SignalContext::SignalContext):
2000         (JSC::SignalContext::tryCreate):
2001         (JSC::SignalContext::dump):
2002         (JSC::installCrashHandler):
2003         * wasm/WasmFaultSignalHandler.cpp:
2004         (JSC::Wasm::trapHandler):
2005
2006 2018-08-02  David Fenton  <david_fenton@apple.com>
2007
2008         Unreviewed, rolling out r234489.
2009
2010         Caused 50+ crashes and 60+ API failures on iOS
2011
2012         Reverted changeset:
2013
2014         "[WTF] Rename String::format to String::deprecatedFormat"
2015         https://bugs.webkit.org/show_bug.cgi?id=188191
2016         https://trac.webkit.org/changeset/234489
2017
2018 2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2019
2020         Add self.queueMicrotask(f) on DOMWindow
2021         https://bugs.webkit.org/show_bug.cgi?id=188212
2022
2023         Reviewed by Ryosuke Niwa.
2024
2025         * CMakeLists.txt:
2026         * JavaScriptCore.xcodeproj/project.pbxproj:
2027         * Sources.txt:
2028         * runtime/JSGlobalObject.cpp:
2029         (JSC::enqueueJob):
2030         * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
2031         (JSC::createJSMicrotask):
2032         Export them to WebCore.
2033
2034         (JSC::JSMicrotask::run):
2035         * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
2036         Add another version of JSMicrotask which does not have arguments.
2037
2038 2018-08-01  Tomas Popela  <tpopela@redhat.com>
2039
2040         [WTF] Rename String::format to String::deprecatedFormat
2041         https://bugs.webkit.org/show_bug.cgi?id=188191
2042
2043         Reviewed by Darin Adler.
2044
2045         It should be replaced with string concatenation.
2046
2047         * bytecode/CodeBlock.cpp:
2048         (JSC::CodeBlock::nameForRegister):
2049         * inspector/InjectedScriptBase.cpp:
2050         (Inspector::InjectedScriptBase::makeCall):
2051         * inspector/InspectorBackendDispatcher.cpp:
2052         (Inspector::BackendDispatcher::getPropertyValue):
2053         * inspector/agents/InspectorConsoleAgent.cpp:
2054         (Inspector::InspectorConsoleAgent::enable):
2055         (Inspector::InspectorConsoleAgent::stopTiming):
2056         * jsc.cpp:
2057         (FunctionJSCStackFunctor::operator() const):
2058         * parser/Lexer.cpp:
2059         (JSC::Lexer<T>::invalidCharacterMessage const):
2060         * runtime/IntlDateTimeFormat.cpp:
2061         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2062         * runtime/IntlObject.cpp:
2063         (JSC::canonicalizeLocaleList):
2064         * runtime/LiteralParser.cpp:
2065         (JSC::LiteralParser<CharType>::Lexer::lex):
2066         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2067         (JSC::LiteralParser<CharType>::parse):
2068         * runtime/LiteralParser.h:
2069         (JSC::LiteralParser::getErrorMessage):
2070
2071 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2072
2073         [INTL] Allow "unknown" formatToParts types
2074         https://bugs.webkit.org/show_bug.cgi?id=188176
2075
2076         Reviewed by Darin Adler.
2077
2078         Originally extra unexpected field types were marked as "literal", since
2079         the spec did not account for these. The ECMA 402 spec has since been updated
2080         to specify "unknown" should be used in these cases.
2081
2082         Currently there is no known way to reach these cases, so no tests can
2083         account for them. Theoretically they shouldn't exist, but they are specified,
2084         just to be safe. Marking them as "unknown" instead of "literal" hopefully
2085         will make such cases easy to identify if they ever happen.
2086
2087         * runtime/IntlDateTimeFormat.cpp:
2088         (JSC::IntlDateTimeFormat::partTypeString):
2089         * runtime/IntlNumberFormat.cpp:
2090         (JSC::IntlNumberFormat::partTypeString):
2091
2092 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2093
2094         [INTL] Implement hourCycle in DateTimeFormat
2095         https://bugs.webkit.org/show_bug.cgi?id=188006
2096
2097         Reviewed by Darin Adler.
2098
2099         Implemented hourCycle, updating both the skeleton and the final pattern.
2100         Changed resolveLocale to assume undefined options are not given and null
2101         strings actually mean null, which removes the tag extension.
2102
2103         * runtime/CommonIdentifiers.h:
2104         * runtime/IntlCollator.cpp:
2105         (JSC::IntlCollator::initializeCollator):
2106         * runtime/IntlDateTimeFormat.cpp:
2107         (JSC::IntlDTFInternal::localeData):
2108         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2109         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2110         (JSC::IntlDateTimeFormat::resolvedOptions):
2111         * runtime/IntlDateTimeFormat.h:
2112         * runtime/IntlObject.cpp:
2113         (JSC::resolveLocale):
2114
2115 2018-08-01  Keith Miller  <keith_miller@apple.com>
2116
2117         JSArrayBuffer should have its own JSType
2118         https://bugs.webkit.org/show_bug.cgi?id=188231
2119
2120         Reviewed by Saam Barati.
2121
2122         * runtime/JSArrayBuffer.cpp:
2123         (JSC::JSArrayBuffer::createStructure):
2124         * runtime/JSCast.h:
2125         * runtime/JSType.h:
2126
2127 2018-07-31  Keith Miller  <keith_miller@apple.com>
2128
2129         Unreviewed 32-bit build fix...
2130
2131         * dfg/DFGSpeculativeJIT32_64.cpp:
2132
2133 2018-07-31  Keith Miller  <keith_miller@apple.com>
2134
2135         Long compiling JSC files should not be unified
2136         https://bugs.webkit.org/show_bug.cgi?id=188205
2137
2138         Reviewed by Saam Barati.
2139
2140         The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
2141         to compile. Unifying them means touching anything in the same
2142         bundle as those files takes a long time to incrementally build.
2143         This patch separates those files so they build standalone.
2144
2145         * JavaScriptCore.xcodeproj/project.pbxproj:
2146         * Sources.txt:
2147         * dfg/DFGSpeculativeJIT64.cpp:
2148
2149 2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2150
2151         [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
2152         https://bugs.webkit.org/show_bug.cgi?id=188201
2153
2154         Reviewed by Keith Miller.
2155
2156         We do not reuse the existing butterfly with Contiguous shape for a new ArrayStorage butterfly.
2157         When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
2158         new one. So this cellLock() is unnecessary for contiguous shape since a contiguous-shaped butterfly
2159         never enters a broken state. This patch removes the unnecessary locking.
2160
2161         * runtime/JSObject.cpp:
2162         (JSC::JSObject::visitButterflyImpl):
2163
2164 2018-07-31  Guillaume Emont  <guijemont@igalia.com>
2165
2166         [JSC] Remove gcc warnings for 32-bit platforms
2167         https://bugs.webkit.org/show_bug.cgi?id=187803
2168
2169         Reviewed by Yusuke Suzuki.
2170
2171         * assembler/MacroAssemblerPrinter.cpp:
2172         (JSC::Printer::printPCRegister):
2173         (JSC::Printer::printRegisterID):
2174         (JSC::Printer::printAddress):
2175         * dfg/DFGSpeculativeJIT.cpp:
2176         (JSC::DFG::SpeculativeJIT::speculateNumber):
2177         (JSC::DFG::SpeculativeJIT::speculateMisc):
2178         * jit/CCallHelpers.h:
2179         (JSC::CCallHelpers::calculatePokeOffset):
2180         * runtime/Options.cpp:
2181         (JSC::parse):
2182
2183 2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>
2184
2185         watchOS engineering build is broken after r234227
2186         https://bugs.webkit.org/show_bug.cgi?id=188180
2187
2188         Reviewed by Keith Miller.
2189
2190         In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
2191         postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
2192         `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
2193         `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
2194
2195         To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
2196         entirely, since there's no relevant version to replace them with.
2197
2198         * postprocess-headers.sh:
2199
2200 2018-07-30  Keith Miller  <keith_miller@apple.com>
2201
2202         Clarify conversion rules for JSValue property access API
2203         https://bugs.webkit.org/show_bug.cgi?id=188179
2204
2205         Reviewed by Geoffrey Garen.
2206
2207         * API/JSValue.h:
2208
2209 2018-07-30  Keith Miller  <keith_miller@apple.com>
2210
2211         Rename some JSC API functions/types.
2212         https://bugs.webkit.org/show_bug.cgi?id=188173
2213
2214         Reviewed by Saam Barati.
2215
2216         * API/JSObjectRef.cpp:
2217         (JSObjectHasPropertyForKey):
2218         (JSObjectGetPropertyForKey):
2219         (JSObjectSetPropertyForKey):
2220         (JSObjectDeletePropertyForKey):
2221         (JSObjectHasPropertyKey): Deleted.
2222         (JSObjectGetPropertyKey): Deleted.
2223         (JSObjectSetPropertyKey): Deleted.
2224         (JSObjectDeletePropertyKey): Deleted.
2225         * API/JSObjectRef.h:
2226         * API/JSValue.h:
2227         * API/JSValue.mm:
2228         (-[JSValue valueForProperty:]):
2229         (-[JSValue setValue:forProperty:]):
2230         (-[JSValue deleteProperty:]):
2231         (-[JSValue hasProperty:]):
2232         (-[JSValue defineProperty:descriptor:]):
2233         * API/tests/testapi.cpp:
2234         (TestAPI::run):
2235
2236 2018-07-30  Mark Lam  <mark.lam@apple.com>
2237
2238         Add a debugging utility to dump the memory layout of a JSCell.
2239         https://bugs.webkit.org/show_bug.cgi?id=188157
2240
2241         Reviewed by Yusuke Suzuki.
2242
2243         This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
2244         dump the memory contents of a cell and if present, its butterfly for debugging
2245         purposes.
2246
2247         Example usage for JS code when JSC_useDollarVM=true:
2248
2249             $vm.dumpCell(obj);
2250
2251         Example usage from C++ code or from lldb:
2252
2253             (lldb) p JSC::VMInspector::dumpCellMemory(obj)
2254
2255         Some examples of dumps:
2256
2257             <0x104bc8260, Object>
2258               [0] 0x104bc8260 : 0x010016000000016c header
2259                 structureID 364 0x16c structure 0x104b721b0
2260                 indexingTypeAndMisc 0 0x0 NonArray
2261                 type 22 0x16
2262                 flags 0 0x0
2263                 cellState 1
2264               [1] 0x104bc8268 : 0x0000000000000000 butterfly
2265               [2] 0x104bc8270 : 0xffff000000000007
2266               [3] 0x104bc8278 : 0xffff000000000008
2267
2268             <0x104bb4360, Array>
2269               [0] 0x104bb4360 : 0x0108210b00000171 header
2270                 structureID 369 0x171 structure 0x104b723e0
2271                 indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
2272                 type 33 0x21
2273                 flags 8 0x8
2274                 cellState 1
2275               [1] 0x104bb4368 : 0x00000008000f4718 butterfly
2276                 base 0x8000f46e0
2277                 hasIndexingHeader YES hasAnyArrayStorage YES
2278                 publicLength 4 vectorLength 7 indexBias 2
2279                 preCapacity 2 propertyCapacity 4
2280                   <--- preCapacity
2281                   [0] 0x8000f46e0 : 0x0000000000000000
2282                   [1] 0x8000f46e8 : 0x0000000000000000
2283                   <--- propertyCapacity
2284                   [2] 0x8000f46f0 : 0x0000000000000000
2285                   [3] 0x8000f46f8 : 0x0000000000000000
2286                   [4] 0x8000f4700 : 0xffff00000000000d
2287                   [5] 0x8000f4708 : 0xffff00000000000c
2288                   <--- indexingHeader
2289                   [6] 0x8000f4710 : 0x0000000700000004
2290                   <--- butterfly
2291                   <--- arrayStorage
2292                   [7] 0x8000f4718 : 0x0000000000000000
2293                   [8] 0x8000f4720 : 0x0000000400000002
2294                   <--- indexedProperties
2295                   [9] 0x8000f4728 : 0xffff000000000008
2296                   [10] 0x8000f4730 : 0xffff000000000009
2297                   [11] 0x8000f4738 : 0xffff000000000005
2298                   [12] 0x8000f4740 : 0xffff000000000006
2299                   [13] 0x8000f4748 : 0x0000000000000000
2300                   [14] 0x8000f4750 : 0x0000000000000000
2301                   [15] 0x8000f4758 : 0x0000000000000000
2302                   <--- unallocated capacity
2303                   [16] 0x8000f4760 : 0x0000000000000000
2304                   [17] 0x8000f4768 : 0x0000000000000000
2305                   [18] 0x8000f4770 : 0x0000000000000000
2306                   [19] 0x8000f4778 : 0x0000000000000000
2307
2308         * runtime/JSObject.h:
2309         * tools/JSDollarVM.cpp:
2310         (JSC::functionDumpCell):
2311         (JSC::JSDollarVM::finishCreation):
2312         * tools/VMInspector.cpp:
2313         (JSC::VMInspector::dumpCellMemory):
2314         (JSC::IndentationScope::IndentationScope):
2315         (JSC::IndentationScope::~IndentationScope):
2316         (JSC::VMInspector::dumpCellMemoryToStream):
2317         * tools/VMInspector.h:
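
Decoding the words shown in these dumps, as an added example that is not part of JSC, $vm or VMInspector: the cell header and indexing-header layouts are taken from the decompositions the dump itself prints (structureID in the low 32 bits, then one byte each of indexingTypeAndMisc, type, flags and cellState; publicLength and vectorLength in the two halves of the indexing header), while the JSValue decoding assumes JSC's 64-bit NaN-boxing encoding (0xffff in the top 16 bits for an int32, a 2^49 offset for doubles, small immediates for false/true/null/undefined, a zero top half otherwise meaning a cell pointer). Function and type names are hypothetical.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Added example, not JSC code: decode the raw 64-bit words that
// $vm.dumpCell() / VMInspector::dumpCellMemory() print.

struct CellHeader {
    uint32_t structureID;
    uint8_t indexingTypeAndMisc;
    uint8_t type;
    uint8_t flags;
    uint8_t cellState;
};

// Layout as spelled out by the dump: low 32 bits structureID, then one byte
// each of indexingTypeAndMisc, type, flags, cellState (little-endian order).
CellHeader decodeCellHeader(uint64_t word)
{
    CellHeader header;
    header.structureID = uint32_t(word);
    header.indexingTypeAndMisc = uint8_t(word >> 32);
    header.type = uint8_t(word >> 40);
    header.flags = uint8_t(word >> 48);
    header.cellState = uint8_t(word >> 56);
    return header;
}

struct IndexingHeader {
    uint32_t publicLength;
    uint32_t vectorLength;
};

// The word just before the butterfly pointer: 0x0000000700000004 in the Array
// dump decodes to publicLength 4, vectorLength 7.
IndexingHeader decodeIndexingHeader(uint64_t word)
{
    return { uint32_t(word), uint32_t(word >> 32) };
}

enum class ValueKind { Empty, Cell, Int32, Double, False, True, Null, Undefined, Other };

struct DecodedValue {
    ValueKind kind;
    int32_t int32;   // valid when kind == Int32
    double number;   // valid when kind == Double
    uint64_t cell;   // valid when kind == Cell
};

// Assumed JSC 64-bit JSValue encoding (not read from the dump): int32 values
// carry 0xffff in the top 16 bits, doubles are the IEEE bits plus 2^49, and a
// zero top half is either one of the small immediates or a cell pointer.
DecodedValue decodeJSValue(uint64_t bits)
{
    constexpr uint64_t numberTag = 0xfffe000000000000ull;
    constexpr uint64_t int32Tag = 0xffff000000000000ull;
    constexpr uint64_t doubleEncodeOffset = uint64_t(1) << 49;
    constexpr uint64_t otherTag = 0x2;

    DecodedValue value { ValueKind::Other, 0, 0.0, 0 };
    if ((bits & int32Tag) == int32Tag) {
        value.kind = ValueKind::Int32;
        value.int32 = int32_t(uint32_t(bits));
    } else if (bits & numberTag) {
        uint64_t raw = bits - doubleEncodeOffset;
        std::memcpy(&value.number, &raw, sizeof raw);
        value.kind = ValueKind::Double;
    } else if (!bits)
        value.kind = ValueKind::Empty;
    else if (bits == 0x02)
        value.kind = ValueKind::Null;
    else if (bits == 0x06)
        value.kind = ValueKind::False;
    else if (bits == 0x07)
        value.kind = ValueKind::True;
    else if (bits == 0x0a)
        value.kind = ValueKind::Undefined;
    else if (!(bits & otherTag)) {
        value.kind = ValueKind::Cell;
        value.cell = bits;
    }
    return value;
}

int main()
{
    // The header word and the two property slots of the <0x104bc8260, Object> dump above.
    CellHeader header = decodeCellHeader(0x010016000000016cull);
    std::printf("structureID %u (%#x) indexingTypeAndMisc %u type %u flags %u cellState %u\n",
        header.structureID, header.structureID, unsigned(header.indexingTypeAndMisc),
        unsigned(header.type), unsigned(header.flags), unsigned(header.cellState));
    const uint64_t slots[] = { 0xffff000000000007ull, 0xffff000000000008ull };
    for (uint64_t slot : slots) {
        DecodedValue value = decodeJSValue(slot);
        std::printf("%#llx -> %s %d\n", (unsigned long long)slot,
            value.kind == ValueKind::Int32 ? "int32" : "non-int32", value.int32);
    }
    return 0;
}
```

Run against the Object dump this gives structureID 364, type 22, cellState 1 and the two property slots 7 and 8, which is what the dump annotates by hand; for the Array dump the header decodes to indexingTypeAndMisc 11, type 33, flags 8.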
2318
2319 2018-07-27  Mark Lam  <mark.lam@apple.com>
2320
2321         Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
2322         https://bugs.webkit.org/show_bug.cgi?id=188123
2323         <rdar://problem/42672268>
2324
2325         Reviewed by Keith Miller.
2326
2327         1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
2328            padding space in VM and Heap, and should not cost any measurable perf to
2329            initialize and update.
2330
2331         2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
2332
2333            worldState tells us the value we failed the assertion on.
2334
2335            m_lastPhase, m_currentPhase, and m_nextPhase tell us the GC phase transition
2336            that led us here.
2337
2338            VM::id() and VM::numberOfIDs() tell us how many VMs may be in play.
2339
2340            VM::isEntered() tells us if the current VM is currently executing JS code.
2341
2342            Some of this data may be redundant, but the redundancy is intentional so that
2343            we can double check what is really happening at the time of crash.
2344
2345         * heap/Heap.cpp:
2346         (JSC::asInt):
2347         (JSC::Heap::checkConn):
2348         (JSC::Heap::changePhase):
2349         * heap/Heap.h:
2350         * runtime/VM.cpp:
2351         (JSC::VM::nextID):
2352         (JSC::VM::VM):
2353         * runtime/VM.h:
2354         (JSC::VM::numberOfIDs):
2355         (JSC::VM::id const):
2356         (JSC::VM::isEntered const):
2357
2358 2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2359
2360         [JSC] Record CoW status in ArrayProfile correctly
2361         https://bugs.webkit.org/show_bug.cgi?id=187949
2362
2363         Reviewed by Saam Barati.
2364
2365         In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
2366         This is important since our OSR exit compiler records m_observedArrayModes by calculating
2367         ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
2368         our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
2369         Array::Generic DFG nodes.
2370
2371         * bytecode/ArrayProfile.h:
2372         (JSC::asArrayModes):
2373         (JSC::ArrayProfile::ArrayProfile):
2374         * dfg/DFGOSRExit.cpp:
2375         (JSC::DFG::OSRExit::compileExit):
2376         * ftl/FTLOSRExitCompiler.cpp:
2377         (JSC::FTL::compileStub):
2378         * runtime/IndexingType.h:
2379
2380 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2381
2382         [INTL] Remove INTL sub-feature compile flags
2383         https://bugs.webkit.org/show_bug.cgi?id=188081
2384
2385         Reviewed by Michael Catanzaro.
2386
2387         Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
2388         The runtime flags are still present, and should be relied on instead.
2389         The defines for ICU features have also been updated to match HAVE() style.
2390
2391         * Configurations/FeatureDefines.xcconfig:
2392         * runtime/IntlPluralRules.cpp:
2393         (JSC::IntlPluralRules::resolvedOptions):
2394         (JSC::IntlPluralRules::select):
2395         * runtime/IntlPluralRules.h:
2396         * runtime/Options.h:
2397
2398 2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2399
2400         [JSC] Dump IndexingMode in Structure
2401         https://bugs.webkit.org/show_bug.cgi?id=188085
2402
2403         Reviewed by Keith Miller.
2404
2405         Dump IndexingMode instead of IndexingType.
2406
2407         * runtime/Structure.cpp:
2408         (JSC::Structure::dump const):
2409
2410 2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>
2411
2412         String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
2413         https://bugs.webkit.org/show_bug.cgi?id=187963
2414
2415         Reviewed by Alex Christensen.
2416
2417         * inspector/InspectorBackendDispatcher.cpp:
2418         (Inspector::BackendDispatcher::dispatch):
2419         * jsc.cpp:
2420         (ModuleName::ModuleName):
2421         (resolvePath):
2422         * runtime/IntlObject.cpp:
2423         (JSC::canonicalizeLanguageTag):
2424         (JSC::removeUnicodeLocaleExtension):
2425         Update split/splitAllowingEmptyEntries usage.
2426
2427 2018-07-26  Commit Queue  <commit-queue@webkit.org>
2428
2429         Unreviewed, rolling out r234181 and r234189.
2430         https://bugs.webkit.org/show_bug.cgi?id=188075
2431
2432         These are not needed right now (Requested by thorton on
2433         #webkit).
2434
2435         Reverted changesets:
2436
2437         "Enable Web Content Filtering on watchOS"
2438         https://bugs.webkit.org/show_bug.cgi?id=187979
2439         https://trac.webkit.org/changeset/234181
2440
2441         "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
2442         https://bugs.webkit.org/show_bug.cgi?id=187985
2443         https://trac.webkit.org/changeset/234189
2444
2445 2018-07-26  Mark Lam  <mark.lam@apple.com>
2446
2447         arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
2448         https://bugs.webkit.org/show_bug.cgi?id=188065
2449         <rdar://problem/42515726>
2450
2451         Reviewed by Saam Barati.
2452
2453         * runtime/ArrayPrototype.cpp:
2454         (JSC::clearElement):
2455         (JSC::copyElements):
2456         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2457
2458 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2459
2460         JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
2461         https://bugs.webkit.org/show_bug.cgi?id=167991
2462
2463         Reviewed by Michael Catanzaro.
2464
2465         Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
2466         Checked locale.isEmpty() before returning it from defaultLocale, so there should be
2467         no more cases where you might have an invalid locale come back from resolveLocale.
2468
2469         * runtime/IntlObject.cpp:
2470         (JSC::convertICULocaleToBCP47LanguageTag):
2471         (JSC::defaultLocale):
2472         (JSC::lookupMatcher):
2473         * runtime/IntlObject.h:
2474         * runtime/JSGlobalObject.cpp:
2475         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
2476         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
2477         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
2478         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2479
2480 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2481
2482         REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
2483         https://bugs.webkit.org/show_bug.cgi?id=188040
2484
2485         Unreviewed build fix for AppleWin port.
2486
2487         * API/tests/testapi.c: Disabled warning C4204.
2488         (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
2489
2490 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2491
2492         [JSC API] We should support the symbol type in our C/Obj-C API
2493         https://bugs.webkit.org/show_bug.cgi?id=175836
2494
2495         Unreviewed build fix for Windows port.
2496
2497         r234227 introduced a compilation error, unresolved external symbol
2498         "int __cdecl testCAPIViaCpp(void)", in testapi for Windows ports.
2499
2500         Windows ports compile testapi.c as C++ by using the /TP switch.
2501
2502         * API/tests/testapi.c:
2503         (main): Removed `::` prefix of ::SetErrorMode Windows API.
2504         (dllLauncherEntryPoint): Converted into C style.
2505         * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c
2506
2507 2018-07-25  Keith Miller  <keith_miller@apple.com>
2508
2509         [JSC API] We should support the symbol type in our C/Obj-C API
2510         https://bugs.webkit.org/show_bug.cgi?id=175836
2511
2512         Reviewed by Filip Pizlo.
2513
2514         This patch makes the following API additions:
2515         1) Test if a JSValue/JSValueRef is a symbol via any of the methods the API uses to test for the types of other JSValues.
2516         2) Create a symbol on both APIs.
2517         3) Get/Set/Delete/Define property now take ids in the Obj-C API.
2518         4) Add Get/Set/Delete in the C API.
2519
2520         We can do 3 because it is both binary and source compatible with
2521         the existing API. I added (4) because the current property access
2522         APIs only have the ability to get Strings. It was possible to
2523         merge symbols into JSStringRef but that felt confusing and exposes
2524         implementation details of our engine. The new functions match the
2525         same meaning that they have in JS, thus should be forward
2526         compatible with any future language extensions.
2527
2528         Lastly, this patch adds the same availability preprocessing phase
2529         in WebCore to JavaScriptCore, which enables TBA features for
2530         testing on previous releases.
2531
2532         * API/APICast.h:
2533         * API/JSBasePrivate.h:
2534         * API/JSContext.h:
2535         * API/JSContextPrivate.h:
2536         * API/JSContextRef.h:
2537         * API/JSContextRefInternal.h:
2538         * API/JSContextRefPrivate.h:
2539         * API/JSManagedValue.h:
2540         * API/JSObjectRef.cpp:
2541         (JSObjectHasPropertyKey):
2542         (JSObjectGetPropertyKey):
2543         (JSObjectSetPropertyKey):
2544         (JSObjectDeletePropertyKey):
2545         * API/JSObjectRef.h:
2546         * API/JSRemoteInspector.h:
2547         * API/JSTypedArray.h:
2548         * API/JSValue.h:
2549         * API/JSValue.mm:
2550         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
2551         (performPropertyOperation):
2552         (-[JSValue valueForProperty:valueForProperty:]):
2553         (-[JSValue setValue:forProperty:setValue:forProperty:]):
2554         (-[JSValue deleteProperty:deleteProperty:]):
2555         (-[JSValue hasProperty:hasProperty:]):
2556         (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
2557         (-[JSValue isSymbol]):
2558         (-[JSValue objectForKeyedSubscript:]):
2559         (-[JSValue setObject:forKeyedSubscript:]):
2560         (-[JSValue valueForProperty:]): Deleted.
2561         (-[JSValue setValue:forProperty:]): Deleted.
2562         (-[JSValue deleteProperty:]): Deleted.
2563         (-[JSValue hasProperty:]): Deleted.
2564         (-[JSValue defineProperty:descriptor:]): Deleted.
2565         * API/JSValueRef.cpp:
2566         (JSValueGetType):
2567         (JSValueIsSymbol):
2568         (JSValueMakeSymbol):
2569         * API/JSValueRef.h:
2570         * API/WebKitAvailability.h:
2571         * API/tests/CurrentThisInsideBlockGetterTest.mm:
2572         * API/tests/CustomGlobalObjectClassTest.c:
2573         * API/tests/DateTests.mm:
2574         * API/tests/JSExportTests.mm:
2575         * API/tests/JSNode.c:
2576         * API/tests/JSNodeList.c:
2577         * API/tests/Node.c:
2578         * API/tests/NodeList.c:
2579         * API/tests/minidom.c:
2580         * API/tests/testapi.c:
2581         (main):
2582         * API/tests/testapi.cpp: Added.
2583         (APIString::APIString):
2584         (APIString::~APIString):
2585         (APIString::operator JSStringRef):
2586         (APIContext::APIContext):
2587         (APIContext::~APIContext):
2588         (APIContext::operator JSGlobalContextRef):
2589         (APIVector::APIVector):
2590         (APIVector::~APIVector):
2591         (APIVector::append):
2592         (testCAPIViaCpp):
2593         (TestAPI::evaluateScript):
2594         (TestAPI::callFunction):
2595         (TestAPI::functionReturnsTrue):
2596         (TestAPI::check):
2597         (TestAPI::checkJSAndAPIMatch):
2598         (TestAPI::interestingObjects):
2599         (TestAPI::interestingKeys):
2600         (TestAPI::run):
2601         * API/tests/testapi.mm:
2602         (testObjectiveCAPIMain):
2603         * JavaScriptCore.xcodeproj/project.pbxproj:
2604         * config.h:
2605         * postprocess-headers.sh:
2606         * shell/CMakeLists.txt:
2607         * testmem/testmem.mm:
2608
2609 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
2610
2611         [INTL] Call Typed Array elements toLocaleString with locale and options
2612         https://bugs.webkit.org/show_bug.cgi?id=185796
2613
2614         Reviewed by Keith Miller.
2615
2616         Improve ECMA 402 compliance of typed array toLocaleString, passing along
2617         the locale and options to element toLocaleString calls.
2618
2619         * builtins/TypedArrayPrototype.js:
2620         (toLocaleString):
2621
2622 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
2623
2624         [INTL] Intl constructor lengths should be configurable
2625         https://bugs.webkit.org/show_bug.cgi?id=187960
2626
2627         Reviewed by Saam Barati.
2628
2629         Removed DontDelete from Intl constructor lengths.
2630         Fixed DateTimeFormat formatToParts length.
2631
2632         * runtime/IntlCollatorConstructor.cpp:
2633         (JSC::IntlCollatorConstructor::finishCreation):
2634         * runtime/IntlDateTimeFormatConstructor.cpp:
2635         (JSC::IntlDateTimeFormatConstructor::finishCreation):
2636         * runtime/IntlDateTimeFormatPrototype.cpp:
2637         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2638         * runtime/IntlNumberFormatConstructor.cpp:
2639         (JSC::IntlNumberFormatConstructor::finishCreation):
2640         * runtime/IntlPluralRulesConstructor.cpp:
2641         (JSC::IntlPluralRulesConstructor::finishCreation):
2642
2643 2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>
2644
2645         runJITThreadLimitTests is failing
2646         https://bugs.webkit.org/show_bug.cgi?id=187886
2647         <rdar://problem/42561966>
2648
2649         Unreviewed build fix for MSVC.
2650
2651         MSVC doesn't support the ternary operator without a second operand.
2652
2653         * dfg/DFGWorklist.cpp:
2654         (JSC::DFG::getNumberOfDFGCompilerThreads):
2655         (JSC::DFG::getNumberOfFTLCompilerThreads):
2656
2657 2018-07-24  Commit Queue  <commit-queue@webkit.org>
2658
2659         Unreviewed, rolling out r234183.
2660         https://bugs.webkit.org/show_bug.cgi?id=187983
2661
2662         cause regression in Kraken gaussian blur and desaturate
2663         (Requested by yusukesuzuki on #webkit).
2664
2665         Reverted changeset:
2666
2667         "[JSC] Record CoW status in ArrayProfile"
2668         https://bugs.webkit.org/show_bug.cgi?id=187949
2669         https://trac.webkit.org/changeset/234183
2670
2671 2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2672
2673         [JSC] Record CoW status in ArrayProfile
2674         https://bugs.webkit.org/show_bug.cgi?id=187949
2675
2676         Reviewed by Saam Barati.
2677
2678         Once a CoW array is converted to a non-CoW array, subsequent operations are done on this non-CoW array.
2679         Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
2680         in this code typically record only non-CoW arrays since array profiles hold only one recently seen
2681         StructureID. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
2682         CoW arrays.
2683
2684         In this patch, we record CoW status in ArrayProfile separately to construct a more appropriate DFG::ArrayMode
2685         speculation. To do so efficiently, we store the union of seen IndexingModes in ArrayProfile.
2686
2687         This patch removes one of Kraken/stanford-crypto-aes's OSR exit reasons, and improves the performance by 6-7%.
2688
2689                                       baseline                  patched
2690
2691         stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
2692         stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster
2693
2694         * bytecode/ArrayProfile.cpp:
2695         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2696         * bytecode/ArrayProfile.h:
2697         (JSC::asArrayModes):
2698         We simplify asArrayModes instead of giving up Int8ArrayMode - Float64ArrayMode contiguous sequence.
2699
2700         (JSC::ArrayProfile::ArrayProfile):
2701         (JSC::ArrayProfile::addressOfObservedIndexingModes):
2702         (JSC::ArrayProfile::observedIndexingModes const):
2703         Currently, our macro assembler and offlineasm only support the `or32` / `ori` operation on addresses.
2704         So we store the union of seen IndexingModes in an `unsigned` instead.
2705
2706         * dfg/DFGArrayMode.cpp:
2707         (JSC::DFG::ArrayMode::fromObserved):
2708         * dfg/DFGArrayMode.h:
2709         (JSC::DFG::ArrayMode::withProfile const):
2710         * jit/JITCall.cpp:
2711         (JSC::JIT::compileOpCall):
2712         * jit/JITCall32_64.cpp:
2713         (JSC::JIT::compileOpCall):
2714         * jit/JITInlines.h:
2715         (JSC::JIT::emitArrayProfilingSiteWithCell):
2716         * llint/LowLevelInterpreter.asm:
2717         * llint/LowLevelInterpreter32_64.asm:
2718         * llint/LowLevelInterpreter64.asm:
2719
2720 2018-07-24  Tim Horton  <timothy_horton@apple.com>
2721
2722         Enable Web Content Filtering on watchOS
2723         https://bugs.webkit.org/show_bug.cgi?id=187979
2724         <rdar://problem/42559346>
2725
2726         Reviewed by Wenson Hsieh.
2727
2728         * Configurations/FeatureDefines.xcconfig:
2729
2730 2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>
2731
2732         Don't modify Options when setting JIT thread limits
2733         https://bugs.webkit.org/show_bug.cgi?id=187886
2734
2735         Reviewed by Filip Pizlo.
2736
2737         Previously, when setting the JIT thread limit prior to the worklist
2738         initialization, it'd be set via Options, which didn't work if Options
2739         hadn't been initialized yet. Change it to use a static variable in the
2740         Worklist instead.
2741
2742         * API/JSVirtualMachine.mm:
2743         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
2744         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
2745         * API/tests/testapi.mm:
2746         (testObjectiveCAPIMain):
2747         * dfg/DFGWorklist.cpp:
2748         (JSC::DFG::getNumberOfDFGCompilerThreads):
2749         (JSC::DFG::getNumberOfFTLCompilerThreads):
2750         (JSC::DFG::setNumberOfDFGCompilerThreads):
2751         (JSC::DFG::setNumberOfFTLCompilerThreads):
2752         (JSC::DFG::ensureGlobalDFGWorklist):
2753         (JSC::DFG::ensureGlobalFTLWorklist):
2754         * dfg/DFGWorklist.h:
2755
2756 2018-07-24  Mark Lam  <mark.lam@apple.com>
2757
2758         Refactoring: make DFG::Plan a class.
2759         https://bugs.webkit.org/show_bug.cgi?id=187968
2760
2761         Reviewed by Saam Barati.
2762
2763         This patch makes all the DFG::Plan fields private, and provides accessor methods
2764         for them.  This makes it easier to reason about how these fields are used and
2765         modified.
2766
2767         * dfg/DFGAbstractInterpreterInlines.h:
2768         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2769         * dfg/DFGByteCodeParser.cpp:
2770         (JSC::DFG::ByteCodeParser::handleCall):
2771         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2772         (JSC::DFG::ByteCodeParser::handleInlining):
2773         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2774         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2775         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
2776         (JSC::DFG::ByteCodeParser::handleGetById):
2777         (JSC::DFG::ByteCodeParser::handlePutById):
2778         (JSC::DFG::ByteCodeParser::parseBlock):
2779         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2780         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2781         (JSC::DFG::ByteCodeParser::parse):
2782         * dfg/DFGCFAPhase.cpp:
2783         (JSC::DFG::CFAPhase::run):
2784         (JSC::DFG::CFAPhase::injectOSR):
2785         * dfg/DFGClobberize.h:
2786         (JSC::DFG::clobberize):
2787         * dfg/DFGCommonData.cpp:
2788         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2789         * dfg/DFGCommonData.h:
2790         * dfg/DFGConstantFoldingPhase.cpp:
2791         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2792         * dfg/DFGDriver.cpp:
2793         (JSC::DFG::compileImpl):
2794         * dfg/DFGFinalizer.h:
2795         * dfg/DFGFixupPhase.cpp:
2796         (JSC::DFG::FixupPhase::fixupNode):
2797         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2798         * dfg/DFGGraph.cpp:
2799         (JSC::DFG::Graph::Graph):
2800         (JSC::DFG::Graph::watchCondition):
2801         (JSC::DFG::Graph::inferredTypeFor):
2802         (JSC::DFG::Graph::requiredRegisterCountForExit):
2803         (JSC::DFG::Graph::registerFrozenValues):
2804         (JSC::DFG::Graph::registerStructure):
2805         (JSC::DFG::Graph::registerAndWatchStructureTransition):
2806         (JSC::DFG::Graph::assertIsRegistered):
2807         * dfg/DFGGraph.h:
2808         (JSC::DFG::Graph::compilation):
2809         (JSC::DFG::Graph::identifiers):
2810         (JSC::DFG::Graph::watchpoints):
2811         * dfg/DFGJITCompiler.cpp:
2812         (JSC::DFG::JITCompiler::JITCompiler):
2813         (JSC::DFG::JITCompiler::link):
2814         (JSC::DFG::JITCompiler::compile):
2815         (JSC::DFG::JITCompiler::compileFunction):
2816         (JSC::DFG::JITCompiler::disassemble):
2817         * dfg/DFGJITCompiler.h:
2818         (JSC::DFG::JITCompiler::addWeakReference):
2819         * dfg/DFGJITFinalizer.cpp:
2820         (JSC::DFG::JITFinalizer::finalize):
2821         (JSC::DFG::JITFinalizer::finalizeFunction):
2822         (JSC::DFG::JITFinalizer::finalizeCommon):
2823         * dfg/DFGOSREntrypointCreationPhase.cpp:
2824         (JSC::DFG::OSREntrypointCreationPhase::run):
2825         * dfg/DFGPhase.cpp:
2826         (JSC::DFG::Phase::beginPhase):
2827         * dfg/DFGPhase.h:
2828         (JSC::DFG::runAndLog):
2829         * dfg/DFGPlan.cpp:
2830         (JSC::DFG::Plan::Plan):
2831         (JSC::DFG::Plan::computeCompileTimes const):
2832         (JSC::DFG::Plan::reportCompileTimes const):
2833         (JSC::DFG::Plan::compileInThread):
2834         (JSC::DFG::Plan::compileInThreadImpl):
2835         (JSC::DFG::Plan::isStillValid):
2836         (JSC::DFG::Plan::reallyAdd):
2837         (JSC::DFG::Plan::notifyCompiling):
2838         (JSC::DFG::Plan::notifyReady):
2839         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2840         (JSC::DFG::Plan::finalizeAndNotifyCallback):
2841         (JSC::DFG::Plan::key):
2842         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2843         (JSC::DFG::Plan::finalizeInGC):
2844         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2845         (JSC::DFG::Plan::cancel):
2846         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
2847         * dfg/DFGPlan.h:
2848         (JSC::DFG::Plan::canTierUpAndOSREnter const):
2849         (JSC::DFG::Plan::vm const):
2850         (JSC::DFG::Plan::codeBlock):
2851         (JSC::DFG::Plan::mode const):
2852         (JSC::DFG::Plan::osrEntryBytecodeIndex const):
2853         (JSC::DFG::Plan::mustHandleValues const):
2854         (JSC::DFG::Plan::threadData const):
2855         (JSC::DFG::Plan::compilation const):
2856         (JSC::DFG::Plan::finalizer const):
2857         (JSC::DFG::Plan::setFinalizer):
2858         (JSC::DFG::Plan::inlineCallFrames const):
2859         (JSC::DFG::Plan::watchpoints):
2860         (JSC::DFG::Plan::identifiers):
2861         (JSC::DFG::Plan::weakReferences):
2862         (JSC::DFG::Plan::transitions):
2863         (JSC::DFG::Plan::recordedStatuses):
2864         (JSC::DFG::Plan::willTryToTierUp const):
2865         (JSC::DFG::Plan::setWillTryToTierUp):
2866         (JSC::DFG::Plan::tierUpInLoopHierarchy):
2867         (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
2868         (JSC::DFG::Plan::stage const):
2869         (JSC::DFG::Plan::callback const):
2870         (JSC::DFG::Plan::setCallback):
2871         * dfg/DFGPlanInlines.h:
2872         (JSC::DFG::Plan::iterateCodeBlocksForGC):
2873         * dfg/DFGPreciseLocalClobberize.h:
2874         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2875         * dfg/DFGPredictionInjectionPhase.cpp:
2876         (JSC::DFG::PredictionInjectionPhase::run):
2877         * dfg/DFGSafepoint.cpp:
2878         (JSC::DFG::Safepoint::Safepoint):
2879         (JSC::DFG::Safepoint::~Safepoint):
2880         (JSC::DFG::Safepoint::begin):
2881         * dfg/DFGSafepoint.h:
2882         * dfg/DFGSpeculativeJIT.h:
2883         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
2884         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
2885         * dfg/DFGStackLayoutPhase.cpp:
2886         (JSC::DFG::StackLayoutPhase::run):
2887         * dfg/DFGStrengthReductionPhase.cpp:
2888         (JSC::DFG::StrengthReductionPhase::handleNode):
2889         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2890         (JSC::DFG::TierUpCheckInjectionPhase::run):
2891         * dfg/DFGTypeCheckHoistingPhase.cpp:
2892         (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
2893         * dfg/DFGWorklist.cpp:
2894         (JSC::DFG::Worklist::isActiveForVM const):
2895         (JSC::DFG::Worklist::compilationState):
2896         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2897         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2898         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
2899         (JSC::DFG::Worklist::visitWeakReferences):
2900         (JSC::DFG::Worklist::removeDeadPlans):
2901         (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
2902         * dfg/DFGWorklistInlines.h:
2903         (JSC::DFG::Worklist::iterateCodeBlocksForGC):
2904         * ftl/FTLCompile.cpp:
2905         (JSC::FTL::compile):
2906         * ftl/FTLFail.cpp:
2907         (JSC::FTL::fail):
2908         * ftl/FTLJITFinalizer.cpp:
2909         (JSC::FTL::JITFinalizer::finalizeCommon):
2910         * ftl/FTLLink.cpp:
2911         (JSC::FTL::link):
2912         * ftl/FTLLowerDFGToB3.cpp:
2913         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2914         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2915         (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
2916         * ftl/FTLState.cpp:
2917         (JSC::FTL::State::State):
2918
2919 2018-07-24  Saam Barati  <sbarati@apple.com>
2920
2921         Make VM::canUseJIT an inlined function
2922         https://bugs.webkit.org/show_bug.cgi?id=187583
2923
2924         Reviewed by Mark Lam.
2925
2926         We know the answer to this query in initializeThreading after initializing
2927         the executable allocator. This patch makes it so that we just hold this value
2928         in a static variable and have an inlined function that just returns the value
2929         of that static variable.
2930
2931         * runtime/InitializeThreading.cpp:
2932         (JSC::initializeThreading):
2933         * runtime/VM.cpp:
2934         (JSC::VM::computeCanUseJIT):
2935         (JSC::VM::canUseJIT): Deleted.
2936         * runtime/VM.h:
2937         (JSC::VM::canUseJIT):
2938
2939 2018-07-24  Mark Lam  <mark.lam@apple.com>
2940
2941         Placate exception check verification after recent changes.
2942         https://bugs.webkit.org/show_bug.cgi?id=187961
2943         <rdar://problem/42545394>
2944
2945         Reviewed by Saam Barati.
2946
2947         * runtime/IntlObject.cpp:
2948         (JSC::intlNumberOption):
2949
2950 2018-07-23  Saam Barati  <sbarati@apple.com>
2951
2952         need to didFoldClobberWorld when we constant fold GetByVal
2953         https://bugs.webkit.org/show_bug.cgi?id=187917
2954         <rdar://problem/42505095>
2955
2956         Reviewed by Yusuke Suzuki.
2957
2958         * dfg/DFGAbstractInterpreterInlines.h:
2959         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2960
2961 2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>
2962
2963         [INTL] Language tags are not canonicalized
2964         https://bugs.webkit.org/show_bug.cgi?id=185836
2965
2966         Reviewed by Keith Miller.
2967
2968         Canonicalize language tags, replacing deprecated tag parts with the
2969         preferred values. Remove broken support for algorithmic numbering systems,
2970         which can cause an error in icu, and are not supported in other engines.
2971
2972         Generate the lookup functions from the language-subtag-registry.
2973
2974         Also initialize the UNumberFormat in initializeNumberFormat so any
2975         failures are thrown immediately instead of failing to format later.
2976
2977         * CMakeLists.txt:
2978         * DerivedSources.make:
2979         * JavaScriptCore.xcodeproj/project.pbxproj:
2980         * Scripts/generateIntlCanonicalizeLanguage.py: Added.
2981         * runtime/IntlDateTimeFormat.cpp:
2982         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2983         * runtime/IntlNumberFormat.cpp:
2984         (JSC::IntlNumberFormat::initializeNumberFormat):
2985         (JSC::IntlNumberFormat::formatNumber):
2986         (JSC::IntlNumberFormat::formatToParts):
2987         (JSC::IntlNumberFormat::createNumberFormat): Deleted.
2988         * runtime/IntlNumberFormat.h:
2989         * runtime/IntlObject.cpp:
2990         (JSC::intlNumberOption):
2991         (JSC::intlDefaultNumberOption):
2992         (JSC::preferredLanguage):
2993         (JSC::preferredRegion):
2994         (JSC::canonicalLangTag):
2995         (JSC::canonicalizeLanguageTag):
2996         (JSC::defaultLocale):
2997         (JSC::removeUnicodeLocaleExtension):
2998         (JSC::numberingSystemsForLocale):
2999         (JSC::grandfatheredLangTag): Deleted.
3000         * runtime/IntlObject.h:
3001         * runtime/IntlPluralRules.cpp:
3002         (JSC::IntlPluralRules::initializePluralRules):
3003         * runtime/JSGlobalObject.cpp:
3004         (JSC::addMissingScriptLocales):
3005         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
3006         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
3007         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
3008         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
3009         * ucd/language-subtag-registry.txt: Added.
3010
3011 2018-07-23  Mark Lam  <mark.lam@apple.com>
3012
3013         Add some asserts to help diagnose a crash.
3014         https://bugs.webkit.org/show_bug.cgi?id=187915
3015         <rdar://problem/42508166>
3016
3017         Reviewed by Michael Saboff.
3018
3019         Add some asserts to verify that a CodeBlock alternative should always have a
3020         non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
3021         CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
3022         so that we'll retain the state of the variables that failed the assertion (again
3023         to help with diagnosis).
3024
3025         * bytecode/CodeBlock.cpp:
3026         (JSC::CodeBlock::setAlternative):
3027         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
3028         * dfg/DFGPlan.cpp:
3029         (JSC::DFG::Plan::Plan):
3030
3031 2018-07-23  Filip Pizlo  <fpizlo@apple.com>
3032
3033         Unreviewed, fix no-JIT build.
3034
3035         * bytecode/CallLinkStatus.cpp:
3036         (JSC::CallLinkStatus::computeFor):
3037         * bytecode/CodeBlock.cpp:
3038         (JSC::CodeBlock::finalizeUnconditionally):
3039         * bytecode/GetByIdStatus.cpp:
3040         (JSC::GetByIdStatus::computeFor):
3041         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3042         * bytecode/InByIdStatus.cpp:
3043         * bytecode/PutByIdStatus.cpp:
3044         (JSC::PutByIdStatus::computeForStubInfo):
3045
3046 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3047
3048         [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
3049         https://bugs.webkit.org/show_bug.cgi?id=187891
3050
3051         Reviewed by Saam Barati.
3052
3053         When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
3054         two variants are mergeable but they have "Miss" status. We make merging fail if
3055         the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
3056         if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL,
3057         since that patch has more chances to merge variants.
3058
3059         This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
3060         is not related since it does not use this check in Transition case.
3061
3062         * bytecode/GetByIdVariant.cpp:
3063         (JSC::GetByIdVariant::attemptToMerge):
3064         * bytecode/InByIdVariant.cpp:
3065         (JSC::InByIdVariant::attemptToMerge):
3066
3067 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3068
3069         [DFG] Fold GetByVal if the indexed value is non configurable and non writable
3070         https://bugs.webkit.org/show_bug.cgi?id=186462
3071
3072         Reviewed by Saam Barati.
3073
3074         Non-special DontDelete | ReadOnly properties mean that they won't be changed. If DFG AI can retrieve such a
3075         property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
3076         Tagged templates' callsites include indexed properties whose attributes are DontDelete | ReadOnly.
3077
3078         This patch attempts to fold such properties into constants in DFG AI. The challenge is that DFG AI runs
3079         concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
3080         and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
3081         attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
3082         changed and we can safely use it. We arrange our existing code to use this protocol.
3083
3084         Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled on the x86 architecture
3085         since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only on x86.
3086
3087         This patch improves SixSpeed/template_string_tag.es6.
3088
3089                                           baseline                  patched
3090
3091         template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster
3092
3093         * dfg/DFGAbstractInterpreterInlines.h:
3094         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3095         * runtime/JSArray.cpp:
3096         (JSC::JSArray::setLengthWithArrayStorage):
3097         * runtime/JSObject.cpp:
3098         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
3099         (JSC::JSObject::deletePropertyByIndex):
3100         (JSC::JSObject::getOwnPropertyNames):
3101         (JSC::putIndexedDescriptor):
3102         (JSC::JSObject::defineOwnIndexedProperty):
3103         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
3104         (JSC::JSObject::putIndexedDescriptor): Deleted.
3105         * runtime/JSObject.h:
3106         * runtime/SparseArrayValueMap.cpp:
3107         (JSC::SparseArrayValueMap::SparseArrayValueMap):
3108         (JSC::SparseArrayValueMap::add):
3109         (JSC::SparseArrayValueMap::putDirect):
3110         (JSC::SparseArrayValueMap::getConcurrently):
3111         (JSC::SparseArrayEntry::get const):
3112         (JSC::SparseArrayEntry::getConcurrently const):
3113         (JSC::SparseArrayEntry::put):
3114         (JSC::SparseArrayEntry::getNonSparseMode const):
3115         (JSC::SparseArrayValueMap::visitChildren):
3116         (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
3117         * runtime/SparseArrayValueMap.h:
3118         (JSC::SparseArrayEntry::SparseArrayEntry):
3119         (JSC::SparseArrayEntry::attributes const):
3120         (JSC::SparseArrayEntry::forceSet):
3121         (JSC::SparseArrayEntry::asValue):
3122
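        The value-then-attributes publication protocol described in the entry above, as an added example that is not JSC's code: a portable C++ rendering in which std::atomic fences stand in for WTF::storeStoreFence and WTF::loadLoadFence. The Entry type, the attribute bit positions, and the publish / getConcurrently / stress names are this example's own assumptions, not JavaScriptCore's API. Unlike JSC, which only enables the folding on x86, the release/acquire pairing here is correct on any architecture.

```cpp
// Added example, not JSC's code: a portable rendering of the publication
// protocol described in the entry above, using C++ fences in place of
// WTF::storeStoreFence / WTF::loadLoadFence. Type and function names here
// (Entry, publish, getConcurrently, stress) are hypothetical.
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <thread>
#include <vector>

// Attribute bits named after the JSC property attributes the entry refers to.
// The bit positions are this example's own choice.
constexpr unsigned ReadOnly   = 1u << 1;
constexpr unsigned DontDelete = 1u << 3;
constexpr unsigned Frozen     = ReadOnly | DontDelete;

struct Entry {
    int64_t value = 0;                     // written by the mutator thread
    std::atomic<unsigned> attributes{0};   // published after the value
};

// Mutator side. The release fence orders the store to `value` before the
// store to `attributes`, so a reader that observes the attributes also
// observes the value they describe.
inline void publish(Entry& e, int64_t value, unsigned attributes) {
    e.value = value;
    std::atomic_thread_fence(std::memory_order_release);
    e.attributes.store(attributes, std::memory_order_relaxed);
}

// Compiler-thread side. Attributes are read first; the acquire fence pairs
// with the writer's release fence. Only a property that can neither be
// deleted nor rewritten (DontDelete | ReadOnly) is stable enough to fold;
// for anything else the reader reports "unknown" and never touches `value`.
inline std::optional<int64_t> getConcurrently(const Entry& e) {
    unsigned attrs = e.attributes.load(std::memory_order_relaxed);
    std::atomic_thread_fence(std::memory_order_acquire);
    if ((attrs & Frozen) != Frozen)
        return std::nullopt;
    return e.value;
}

// A frozen entry is foldable and yields the published value.
inline bool foldsFrozenEntry() {
    Entry e;
    publish(e, 42, Frozen);
    return getConcurrently(e).value_or(-1) == 42;
}

// An entry that is only ReadOnly, only DontDelete, or not yet published is
// not foldable, however plausible the value slot looks.
inline bool refusesMutableEntry() {
    Entry unpublished;
    unpublished.value = 7;                  // value present, attributes not yet
    Entry readOnlyOnly;
    publish(readOnlyOnly, 7, ReadOnly);
    Entry dontDeleteOnly;
    publish(dontDeleteOnly, 7, DontDelete);
    return !getConcurrently(unpublished)
        && !getConcurrently(readOnlyOnly)
        && !getConcurrently(dontDeleteOnly);
}

// Two-thread check: one publisher, one reader that spins until each entry
// becomes foldable and then verifies it observed the published value.
// Returns the number of mismatches (0 when the protocol holds).
inline std::size_t stress(std::size_t count) {
    std::vector<Entry> entries(count);
    std::thread writer([&] {
        for (std::size_t i = 0; i < count; ++i)
            publish(entries[i], static_cast<int64_t>(i) * 7 + 1, Frozen);
    });
    std::size_t mismatches = 0;
    for (std::size_t i = 0; i < count; ++i) {
        std::optional<int64_t> seen;
        while (!(seen = getConcurrently(entries[i])))
            std::this_thread::yield();
        if (*seen != static_cast<int64_t>(i) * 7 + 1)
            ++mismatches;
    }
    writer.join();
    return mismatches;
}

int main() {
    bool ok = foldsFrozenEntry() && refusesMutableEntry() && stress(100000) == 0;
    return ok ? 0 : 1;
}
```

        The reader never loads `value` unless it has already observed both bits, so the plain load is ordered after the publishing store by the fence pair and the read is race-free. What the example does not model is the second condition the entry names: JSC also needs the Structure and Butterfly to be read as a consistent pair, which is why the folding is restricted to x86 there.
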
3123 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
3124
3125         We should support CreateThis in the FTL
3126         https://bugs.webkit.org/show_bug.cgi?id=164904
3127
3128         Reviewed by Yusuke Suzuki.
3129         
3130         This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
3131         inference adventure.
3132         
3133         CreateThis in the FTL was a massive regression in raytrace because it disturbed that
3134         benchmark's extremely perverse way of winning at type inference:
3135         
3136         - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
3137           the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
3138           benchmark was falling back to other mechanisms...
3139         
3140         - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
3141           see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
3142           GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
3143           that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
3144           The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
3145           is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
3146           
3147           Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
3148           into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
3149           baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
3150           helper because it had a CreateThis.
3151         
3152         - Compilations that inlined the construction helper would have gotten super lucky with
3153           parse-time constant folding, so they knew what structure the input to the get_by_id would
3154           have at parse time. This is only profitable if the get_by_id parsing computed a
3155           GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
3156           the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
3157           cases, we would indeed get a finite number of cases. The parser would then prune those
3158           cases to just one - based on its knowledge of the structure - and that would result in that
3159           get_by_id being folded at parse time to a constant.
3160         
3161         - The subsequent op_call would inline based on parse-time knowledge of that constant.
3162         
3163         This patch comprehensively fixes these issues, as well as other issues that come up along the
3164         way. The short version is that raytrace was revealing sloppiness in our use of profiling for
3165         type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
3166         i.e. the profiling that considers call context. I was encouraged to do this by the fact that
3167         even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
3168         Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
3169         attack raytrace's problem as a shortcoming of polyvariant profiling.
3170         
3171         - Polyvariant profiling now consults every DFG or FTL code block that participated in any
3172           subset of the inline stack that includes the IC we're profiling. For example, if we have
3173           an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
3174           compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
3175           up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
3176           a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
3177           polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
3178           from polyvariant profiling. Previously, the polyvariant profiler would only look at the
3179           previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
3180           had inlined bar and then baz. It may not have done that, because those calls could have
3181           required polyvariant profiling that was only available in the FTL.
3182           
3183         - A particularly interesting case is when some IC in foo-baseline is also available in
3184           foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
3185           In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
3186           the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
3187           find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
3188           merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
3189           because it warns us of historical polymorphism. Historical polymorphism usually means
3190           future polymorphism. IC status code already had some merging functionality, but I needed to
3191           beef it up a lot to make this work right.
3192         
3193         - Inlining an inline cache now preserves as much information as profiling. One challenge of
3194           polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
3195           inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
3196           (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
3197           say "I don't have such an IC". At this point the DFG compilation that included that IC that
3198           gave us the information that we used to inline the IC is no longer alive. To keep us from
3199           losing the information we learned about the IC, there is now a RecordedStatuses data
3200           structure that preserves the statuses we use for inlining ICs. We also filter those
3201           statuses according to things we learn from AI. This further reduces the risk of information
3202           about an IC being forgotten.
3203         
3204         - Exit profiling now considers whether or not an exit happened from inline code. This
3205           protects us in the case where the not-inlined version of an IC exited a lot because of
3206           polymorphism that doesn't exist in the inlined version. So, when using polyvariant
3207           profiling data, we consider only inlined exits.
3208         
3209         - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
3210           would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
3211           surprising that we've had this bug.
3212         
3213         Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
3214         microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
        Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
        prototype access folding in the bytecode parser and constant folder. That would require some
        significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
        have a test that captures raytrace's behavior in the case that the parser cannot fold the
        get_by_id.

        This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
        recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
        compile time regression anytime we fill in FTL coverage.

        This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
        speeds up and that raytrace slows down, but these changes balance out and don't affect the
        overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
        or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
        0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
        see a significant difference. In all three cases the difference is <0.5% with a high p value,
        with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
        an insignificant infinitesimal slow-down.

        Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
        eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
        flow in a polymorphic constructor while having a bad time, and we'll still compile it.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/ByValInfo.h:
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<Block>::printCallOp):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeDumper.h:
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeExitSiteData):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::accountForExits):
        (JSC::CallLinkStatus::finalize):
        (JSC::CallLinkStatus::filter):
        (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::operator bool const):
        (JSC::CallLinkStatus::operator! const): Deleted.
        * bytecode/CallVariant.cpp:
        (JSC::CallVariant::finalize):
        (JSC::CallVariant::filter):
        * bytecode/CallVariant.h:
        (JSC::CallVariant::operator bool const):
        (JSC::CallVariant::operator! const): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::getICStatusMap):
        (JSC::CodeBlock::resetJITData):
        (JSC::CodeBlock::getStubInfoMap): Deleted.
        (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
        (JSC::CodeBlock::getByValInfoMap): Deleted.
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::isApproximatelyEqualTo const):
        (JSC::CodeOrigin::approximateHash const):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::exitingInlineKind const):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::FrequentExitSite::dump const):
        (JSC::DFG::ExitProfile::add):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::FrequentExitSite::FrequentExitSite):
        (JSC::DFG::FrequentExitSite::operator== const):
        (JSC::DFG::FrequentExitSite::subsumes const):
        (JSC::DFG::FrequentExitSite::hash const):
        (JSC::DFG::FrequentExitSite::inlineKind const):
        (JSC::DFG::FrequentExitSite::withInlineKind const):
        (JSC::DFG::QueryableExitProfile::hasExitSite const):
        (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
        (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
        * bytecode/ExitFlag.cpp: Added.
        (JSC::ExitFlag::dump const):
        * bytecode/ExitFlag.h: Added.
        (JSC::ExitFlag::ExitFlag):
        (JSC::ExitFlag::operator| const):
        (JSC::ExitFlag::operator|=):
        (JSC::ExitFlag::operator& const):
        (JSC::ExitFlag::operator&=):
        (JSC::ExitFlag::operator bool const):
        (JSC::ExitFlag::isSet const):