WebKit-https.git: Source/JavaScriptCore/ChangeLog at commit a231642f663fc35be7bed32f39ae84d3954dd92a

2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression
        https://bugs.webkit.org/show_bug.cgi?id=201373

        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitLoopHint):
        (JSC::BytecodeGenerator::emitCheckTraps):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        (JSC::JIT::emit_op_check_traps):
        (JSC::JIT::emitSlow_op_check_traps):
        (JSC::JIT::emitSlow_op_enter): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, rebaseline builtin generator test results
        https://bugs.webkit.org/show_bug.cgi?id=200898

        Rebaseline the result files.

        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:

2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen
        https://bugs.webkit.org/show_bug.cgi?id=201485

        Reviewed by Tadeu Zagallo.

        FunctionOverrides is a per-process singleton for registering overrides information. But we are accessing
        it without taking a lock. If multiple threads with multiple VMs are accessing this concurrently, we have
        a race issue like,

        1. While one thread is adding overrides information,
        2. Another thread is accessing this hash table.

        This patch adds a lock to make sure that only one thread can access this registry.

        * tools/FunctionOverrides.cpp:
        (JSC::FunctionOverrides::FunctionOverrides):
        (JSC::FunctionOverrides::reinstallOverrides):
        (JSC::FunctionOverrides::initializeOverrideFor):
        (JSC::FunctionOverrides::parseOverridesInFile):
        * tools/FunctionOverrides.h:
        (JSC::FunctionOverrides::clear):

2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make Promise implementation faster
        https://bugs.webkit.org/show_bug.cgi?id=200898

        Reviewed by Saam Barati.

        This is the major change of the Promise implementation and it improves JetStream2/async-fs by 62%.

        1. Make JSPromise C++ friendly

            Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise.
            This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these
            fields from C++ easy. Moreover, this patch reduces # of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal
            fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL
            support. They are similar to the GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand
            this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1].

            We also add JSPromiseType as JSType. And structures for JSPromise should have that, so that now `@isPromise` is efficiently implemented.
            This also requires adding SpecPromiseObject and PromiseObjectUse to DFG.

            Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension
            is filed in [2].

        2. Make JSPromise constructor JS friendly

            The old JSPromise constructor was very inefficient: JSPromise constructor is an InternalFunction in C++, and in it, it
            calls the `initializePromise` JS function. And this `initializePromise` function invokes the `executor` function passed by the user program.
            If we can implement JSPromise constructor fully in JS, we can recognize `executor` and we have a chance to fully inline them.
            Unfortunately, we cannot inline JSPromise constructor for now since it takes 120 bytecode cost while our inlining threshold for
            construct is 100. We might want to investigate getting it inlined in the future [3].

            We can avoid the C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces the @nakedConstructor
            annotation to builtin JS. And this is propagated as `ConstructorKind::Naked`. If this kind is attached, the bytecode generator
            does not emit `op_create_this` implicitly and the constructor does not return the `this` object implicitly. The naked constructor allows
            us to emit bare-metal bytecode, specifically necessary to allocate a non-final JSObject from a JS constructor. We introduce op_create_promise,
            which is similar to op_create_this, but it allocates JSPromise. And by using the @createPromise bytecode intrinsic, we implement
            JSPromise constructor fully in JS.
            With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4].

        3. DFG support for JSPromise operations

            This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis,
            and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate
            promises. CreatePromise and NewPromise have an `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG.
            When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism
            used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile
            can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable
            in DFG, we connect a watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's
            structure is invalidated: `callee.prototype` is replaced.

        4. Avoid creating unnecessary promises

            Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. And some promise creations can be avoided.
            For example, when resolving a value with `Promise.resolve`, if a value is a promise and if its `then` method is the builtin `then`, we can avoid creating
            an intermediate promise. To handle these things well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They
            take `onFulfilled` and `onRejected` handlers and they do not need an intermediate promise for resolving. This removes internal promise allocations
            in major cases and makes promise / async-functions efficient. And we also expose the builtin `then` function as `@then`, and insert the `@isPromise(xxx) && then === @then`
            check to take a fast path. We introduced four types of promise reactions to avoid some of the object allocations. And the microtask reaction handles these four types.

        5. Avoid creating resolving-functions and promise capabilities

            Resolving functions have an `alreadyResolved` flag to prevent calling `resolve` and `reject` multiple times. For the first resolving function creation, this
            patch embeds a one-bit flag in JSPromise itself which indicates `alreadyResolved` in the first created resolving functions (resolving functions can be later
            created again for the same promise. In that case, we just create usual resolving functions). By doing so, we avoid unnecessary resolving functions
            and promise capability allocations. We introduce the wrapper functions `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`.
            The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with calls to these functions, e.g. replacing
            `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`.
            This mechanism will be used to drop JSPromiseDeferred in a separate patch.

        JetStream2/async-fs results.
            ToT:
                Running async-fs:
                    Startup: 116.279
                    Worst Case: 151.515
                    Average: 176.630
                    Score: 145.996
                    Wall time: 0:01.149

            Patched:
                Running async-fs:
                    Startup: 166.667
                    Worst Case: 267.857
                    Average: 299.080
                    Score: 237.235
                    Wall time: 0:00.683

        [1]: https://bugs.webkit.org/show_bug.cgi?id=201159
        [2]: https://bugs.webkit.org/show_bug.cgi?id=201160
        [3]: https://bugs.webkit.org/show_bug.cgi?id=201452
        [4]: https://bugs.webkit.org/show_bug.cgi?id=201158

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/wkbuiltins/builtins_generate_combined_header.py:
        (ConstructAbility):
        (ConstructorKind):
        * Scripts/wkbuiltins/builtins_generate_separate_header.py:
        * Scripts/wkbuiltins/builtins_generator.py:
        (BuiltinsGenerator.generate_embedded_code_data_for_function):
        (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
        * Scripts/wkbuiltins/builtins_model.py:
        (BuiltinFunction.__init__):
        (BuiltinFunction.fromString):
        * Scripts/wkbuiltins/builtins_templates.py:
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (next.try):
        (next):
        (return.try):
        (return):
        (throw.try):
        (throw):
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueIsEmpty):
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (globalPrivate.asyncGeneratorReject):
        (globalPrivate.asyncGeneratorResolve):
        (globalPrivate.asyncGeneratorYield):
        (onRejected):
        (globalPrivate.awaitValue):
        (onFulfilled):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorResumeNext):
        (globalPrivate.asyncGeneratorEnqueue):
        (globalPrivate.asyncGeneratorDequeue): Deleted.
        (const.onRejected): Deleted.
        (const.onFulfilled): Deleted.
        (globalPrivate.asyncGeneratorResumeNext.): Deleted.
        * builtins/BuiltinExecutableCreator.h:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        (JSC::BuiltinExecutables::createExecutable):
        (JSC::createBuiltinExecutable): Deleted.
        * builtins/BuiltinExecutables.h:
        * builtins/BuiltinNames.h:
        * builtins/BuiltinUtils.h:
        * builtins/ModuleLoader.js:
        (forceFulfillPromise):
        * builtins/PromiseConstructor.js:
        (nakedConstructor.Promise.resolve):
        (nakedConstructor.Promise.reject):
        (nakedConstructor.Promise):
        (nakedConstructor.InternalPromise.resolve):
        (nakedConstructor.InternalPromise.reject):
        (nakedConstructor.InternalPromise):
        * builtins/PromiseOperations.js:
        (globalPrivate.newPromiseReaction):
        (globalPrivate.newPromiseCapability):
        (globalPrivate.newHandledRejectedPromise):
        (globalPrivate.triggerPromiseReactions):
        (globalPrivate.resolvePromise):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck):
        (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck):
        (globalPrivate.createResolvingFunctions.resolve):
        (globalPrivate.createResolvingFunctions.reject):
        (globalPrivate.createResolvingFunctions):
        (globalPrivate.promiseReactionJobWithoutPromise):
        (globalPrivate.resolveWithoutPromise):
        (globalPrivate.rejectWithoutPromise):
        (globalPrivate.fulfillWithoutPromise):
        (resolve):
        (reject):
        (globalPrivate.createResolvingFunctionsWithoutPromise):
        (globalPrivate.promiseReactionJob):
        (globalPrivate.promiseResolveThenableJobFast):
        (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
        (globalPrivate.promiseResolveThenableJob):
        (globalPrivate.isPromise): Deleted.
        (globalPrivate.newPromiseCapability.executor): Deleted.
        (globalPrivate.initializePromise): Deleted.
        * builtins/PromisePrototype.js:
        (then):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/Opcode.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromJSType):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitGetPromiseInternalField):
        (JSC::BytecodeGenerator::emitPutPromiseInternalField):
        (JSC::BytecodeGenerator::emitCreatePromise):
        (JSC::BytecodeGenerator::emitNewPromise):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::promiseRegister):
        (JSC::BytecodeGenerator::emitIsPromise):
        (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::promiseInternalFieldIndex):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise):
        (JSC::FunctionNode::emitBytecode):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToNewPromise):
        (JSC::DFG::Node::hasIsInternalPromise):
        (JSC::DFG::Node::isInternalPromise):
        (JSC::DFG::Node::hasInternalFieldIndex):
        (JSC::DFG::Node::internalFieldIndex):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasStructure):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::speculatePromiseObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField):
        (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField):
        (JSC::DFG::SpeculativeJIT::compileCreatePromise):
        (JSC::DFG::SpeculativeJIT::compileNewPromise):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_promise_internal_field):
        (JSC::JIT::emit_op_put_promise_internal_field):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_promise_internal_field):
        (JSC::JIT::emit_op_put_promise_internal_field):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/ConstructAbility.h:
        * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h.
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        (JSC::FunctionRareData::clear):
        * runtime/FunctionRareData.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructureSlow):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSCast.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::enqueueJob):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayProtoValuesFunction const):
        (JSC::JSGlobalObject::promiseProtoThenFunction const):
        (JSC::JSGlobalObject::initializePromiseFunction const): Deleted.
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::createStructure):
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::JSInternalPromiseConstructor::create):
        (JSC::JSInternalPromiseConstructor::createStructure):
        (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
        (JSC::constructPromise): Deleted.
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSInternalPromisePrototype.cpp:
        (JSC::JSInternalPromisePrototype::create):
        * runtime/JSMicrotask.cpp:
        (JSC::createJSMicrotask):
        (JSC::JSMicrotask::run):
        * runtime/JSMicrotask.h:
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::createStructure):
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::visitChildren):
        (JSC::JSPromise::status const):
        (JSC::JSPromise::result const):
        (JSC::JSPromise::isHandled const):
        (JSC::JSPromise::initialize): Deleted.
        * runtime/JSPromise.h:
        (JSC::JSPromise::allocationSize):
        (JSC::JSPromise::offsetOfInternalFields):
        (JSC::JSPromise::offsetOfInternalField):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::create):
        (JSC::JSPromiseConstructor::createStructure):
        (JSC::JSPromiseConstructor::JSPromiseConstructor):
        (JSC::JSPromiseConstructor::finishCreation):
        (JSC::constructPromise): Deleted.
        (JSC::callPromise): Deleted.
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::create):
        (JSC::JSPromisePrototype::finishCreation):
        (JSC::JSPromisePrototype::addOwnInternalSlots):
        * runtime/JSPromisePrototype.h:
        * runtime/JSType.cpp:
        (WTF::printInternal):
        * runtime/JSType.h:
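
        The spec-observable promise behaviour that the fast paths in sections 4 and 5 of the entry above must preserve, as an added JavaScript example that is not part of this ChangeLog or of WebKit's code. It relies only on standard ECMAScript promise semantics (any engine will do); the function names are the example's own.

```javascript
// Added example, not WebKit code: ECMAScript-observable promise behaviour that
// the JSC fast paths described in sections 4 and 5 above have to preserve.

const builtinThen = Promise.prototype.then;

// Section 5: the first resolving functions of a promise are one-shot. Once
// `resolve` or `reject` has run, the alreadyResolved flag makes every later
// call a no-op, so this promise settles to "first" and the reject is ignored.
function resolveTwice() {
  return new Promise((resolve, reject) => {
    resolve("first");
    reject(new Error("ignored: already resolved"));
    resolve("second");
  });
}

// Section 4: Promise.resolve(p) hands back p itself when p is a native promise
// whose constructor is Promise, while an arbitrary thenable always gets a fresh
// promise wrapped around it. Returns [nativePassthrough, thenableWrapped].
function promiseResolvePassthrough() {
  const native = Promise.resolve(1);
  const thenable = { then(onFulfilled) { onFulfilled(2); } };
  return [Promise.resolve(native) === native, Promise.resolve(thenable) !== thenable];
}

// Section 4: resolving a promise with another promise reads that promise's
// `then` property. The engine may only skip the intermediate thenable job when
// `then` is still the builtin (the `@isPromise(x) && then === @then` check);
// a user-installed `then` must be invoked exactly once, and whatever it
// forwards becomes the outer promise's value.
function resolveWithOverriddenThen() {
  const inner = Promise.resolve("inner");
  let thenCalls = 0;
  inner.then = function (onFulfilled, onRejected) {
    thenCalls += 1;
    return builtinThen.call(this, (v) => onFulfilled(v + "+seen"), onRejected);
  };
  const outer = new Promise((resolve) => resolve(inner));
  return outer.then((value) => ({ value, thenCalls }));
}

// Same resolution with an untouched native promise: `then` is the builtin, so
// the fast path applies and the value passes through unchanged.
function resolveWithNativePromise() {
  const inner = Promise.resolve("inner");
  const outer = new Promise((resolve) => resolve(inner));
  return outer.then((value) => ({ value, thenIsBuiltin: inner.then === builtinThen }));
}

// Collect every observation in one object so they can be checked together.
async function runAll() {
  const [nativePassthrough, thenableWrapped] = promiseResolvePassthrough();
  return {
    resolveTwice: await resolveTwice(),
    nativePassthrough,
    thenableWrapped,
    overridden: await resolveWithOverriddenThen(),
    native: await resolveWithNativePromise(),
  };
}

runAll().then((r) => console.log(JSON.stringify(r, null, 2)));
```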

2019-09-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based)
        https://bugs.webkit.org/show_bug.cgi?id=201262
        <rdar://problem/13108764>

        Reviewed by Devin Rousso.

        When interception is enabled, Network requests that match any of the configured
        interception patterns will be paused on the backend and allowed to be modified
        by the frontend.

        Currently the only time a network request can be intercepted is during the
        HTTP response. However, this intercepting interface is meant to extend to
        HTTP requests as well.

        When a response is to be intercepted a new event is sent to the frontend:

          `Network.responseIntercepted` event

        With a `requestId` to identify that network request. The frontend
        must respond with one of the following commands to continue:

          `Network.interceptContinue`     - proceed with the response unmodified
          `Network.interceptWithResponse` - provide a response

        The response is paused in the meantime.

        * inspector/protocol/Network.json:
        New interfaces for intercepting network responses and supplying override content.

        * Scripts/generate-combined-inspector-json.py:
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification.load_specification):
        Complete allowing comments in JSON protocol files.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        Allow optional enums in ObjC interfaces.

503 2019-09-03  Mark Lam  <mark.lam@apple.com>
504
505         Structure::storedPrototype() and storedPrototypeObject() should assert with isCompilationThread(), not !isMainThread().
506         https://bugs.webkit.org/show_bug.cgi?id=201449
507
508         Reviewed by Yusuke Suzuki.
509
510         Using !isMainThread() in the assertion also disables the assertion for the mutator
511         of worker threads.  This is not what we intended.
512
513         * runtime/StructureInlines.h:
514         (JSC::Structure::storedPrototype const):
515         (JSC::Structure::storedPrototypeObject const):
516
517 2019-09-04  Mark Lam  <mark.lam@apple.com>
518
519         Disambiguate a symbol used in JSDollarVM.
520         https://bugs.webkit.org/show_bug.cgi?id=201466
521         <rdar://problem/51826672>
522
523         Reviewed by Tadeu Zagallo.
524
525         This was causing a build issue on some internal build.
526
527         * tools/JSDollarVM.cpp:
528
529 2019-09-03  Mark Lam  <mark.lam@apple.com>
530
531         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
532         https://bugs.webkit.org/show_bug.cgi?id=201309
533         <rdar://problem/54832121>
534
535         Reviewed by Yusuke Suzuki.
536
537         * dfg/DFGAbstractInterpreterInlines.h:
538         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
539         * runtime/JSArrayBufferView.h:
540         * runtime/JSArrayBufferViewInlines.h:
541         (JSC::JSArrayBufferView::possiblySharedBufferImpl):
542         (JSC::JSArrayBufferView::possiblySharedBuffer):
543         (JSC::JSArrayBufferView::byteOffsetImpl):
544         (JSC::JSArrayBufferView::byteOffset):
545         (JSC::JSArrayBufferView::byteOffsetConcurrently):
546
547 2019-09-03  Devin Rousso  <drousso@apple.com>
548
549         Web Inspector: implement blackboxing of script resources
550         https://bugs.webkit.org/show_bug.cgi?id=17240
551         <rdar://problem/5732847>
552
553         Reviewed by Joseph Pecoraro.
554
555         When a script is blackboxed and the debugger attempts to pause in that script, the pause
556         reason/data will be saved and execution will continue until it has left the blackboxed
557         script. Once outside, execution is paused with the saved reason/data.
558
559         This is especially useful when debugging issues using libraries/frameworks, as it allows the
560         developer to "skip" the internal logic of the library/framework and instead focus only on
561         how they're using it.
562
563         * inspector/protocol/Debugger.json:
564         Add `setShouldBlackboxURL` command.
565
566         * inspector/agents/InspectorDebuggerAgent.h:
567         * inspector/agents/InspectorDebuggerAgent.cpp:
568         (Inspector::InspectorDebuggerAgent):
569         (Inspector::InspectorDebuggerAgent::enable):
570         (Inspector::InspectorDebuggerAgent::updatePauseReasonAndData): Added.
571         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
572         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
573         (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): Added.
574         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
575         (Inspector::InspectorDebuggerAgent::didParseSource):
576         (Inspector::InspectorDebuggerAgent::didPause):
577         (Inspector::InspectorDebuggerAgent::didContinue):
578         (Inspector::InspectorDebuggerAgent::breakProgram):
579         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
580         (Inspector::InspectorDebuggerAgent::clearPauseDetails): Added.
581         (Inspector::InspectorDebuggerAgent::clearBreakDetails): Deleted.
582         Renamed "break" to "pause" to match `Debugger` naming.
583
584         * debugger/Debugger.h:
585         * debugger/Debugger.cpp:
586         (JSC::Debugger::pauseIfNeeded):
587         (JSC::Debugger::setBlackboxType): Added.
588         (JSC::Debugger::clearBlackbox): Added.
589         (JSC::Debugger::isBlacklisted const): Deleted.
590         (JSC::Debugger::addToBlacklist): Deleted.
591         (JSC::Debugger::clearBlacklist): Deleted.
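
        An added example, not WebKit's InspectorDebuggerAgent or Debugger code: a toy C++ model of the pause deferral this entry describes,
        using hypothetical names (BlackboxingDebugger, PauseDetails) and constructed script URLs.

```cpp
#include <iostream>
#include <optional>
#include <set>
#include <string>

// Added example, not WebKit code: a toy model of the blackboxing behaviour
// described in the entry above. All names here (PauseDetails,
// BlackboxingDebugger, the URLs) are hypothetical stand-ins.

struct PauseDetails {
    std::string reason; // why the debugger wanted to pause, e.g. "Breakpoint"
    std::string data;   // reason-specific payload, e.g. the breakpoint location
};

class BlackboxingDebugger {
public:
    // Mirrors the new `setShouldBlackboxURL` command: mark/unmark a script URL.
    void setShouldBlackboxURL(const std::string& url, bool shouldBlackbox)
    {
        if (shouldBlackbox)
            m_blackboxedURLs.insert(url);
        else
            m_blackboxedURLs.erase(url);
    }

    bool isBlackboxed(const std::string& url) const
    {
        return m_blackboxedURLs.count(url) != 0;
    }

    // Called at each statement where the engine could stop. `newReason` is set
    // when something (breakpoint, exception, ...) asks to pause here; nullopt
    // means plain stepping. Returns the details the frontend would be shown if
    // execution actually pauses, or nullopt if execution continues.
    std::optional<PauseDetails> pauseIfNeeded(const std::string& url,
                                              std::optional<PauseDetails> newReason)
    {
        if (newReason)
            m_pendingPause = std::move(newReason); // save reason/data for later

        if (!m_pendingPause)
            return std::nullopt; // nothing asked us to pause

        if (isBlackboxed(url))
            return std::nullopt; // inside a blackboxed script: keep running, reason stays saved

        // Outside every blackboxed script: pause with the saved reason/data.
        PauseDetails details = *m_pendingPause;
        m_pendingPause.reset(); // the saved details are consumed by this pause
        return details;
    }

private:
    std::set<std::string> m_blackboxedURLs;
    std::optional<PauseDetails> m_pendingPause;
};

// Stand-alone demo on constructed URLs: a breakpoint hit inside a blackboxed
// library is deferred until control returns to application code.
int main()
{
    BlackboxingDebugger debugger;
    debugger.setShouldBlackboxURL("https://example.test/vendor/lib.js", true);

    auto inLib = debugger.pauseIfNeeded("https://example.test/vendor/lib.js",
                                        PauseDetails { "Breakpoint", "lib.js:10" });
    auto inApp = debugger.pauseIfNeeded("https://example.test/app.js", std::nullopt);

    std::cout << "paused in lib.js: " << (inLib ? "yes" : "no") << "\n"
              << "paused in app.js: "
              << (inApp ? inApp->reason + " (" + inApp->data + ")" : std::string("no")) << "\n";
    return 0;
}
```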
592
593 2019-09-03  Mark Lam  <mark.lam@apple.com>
594
595         Remove the need to pass performJITMemcpy as a pointer.
596         https://bugs.webkit.org/show_bug.cgi?id=201413
597
598         Reviewed by Michael Saboff.
599
600         We want performJITMemcpy to always be inlined.  In this patch, we also clean up
601         some template parameters to use enums instead of booleans to better document the
602         intent of the code.
603
604         * assembler/ARM64Assembler.h:
605         (JSC::ARM64Assembler::fillNops):
606         (JSC::ARM64Assembler::linkJump):
607         (JSC::ARM64Assembler::linkCall):
608         (JSC::ARM64Assembler::relinkJump):
609         (JSC::ARM64Assembler::relinkCall):
610         (JSC::ARM64Assembler::link):
611         (JSC::ARM64Assembler::linkJumpOrCall):
612         (JSC::ARM64Assembler::linkCompareAndBranch):
613         (JSC::ARM64Assembler::linkConditionalBranch):
614         (JSC::ARM64Assembler::linkTestAndBranch):
615         (JSC::ARM64Assembler::relinkJumpOrCall):
616         (JSC::ARM64Assembler::CopyFunction::CopyFunction): Deleted.
617         (JSC::ARM64Assembler::CopyFunction::operator()): Deleted.
618         * assembler/ARMv7Assembler.h:
619         (JSC::ARMv7Assembler::fillNops):
620         (JSC::ARMv7Assembler::link):
621         (JSC::ARMv7Assembler::linkJumpT1):
622         (JSC::ARMv7Assembler::linkJumpT2):
623         (JSC::ARMv7Assembler::linkJumpT3):
624         (JSC::ARMv7Assembler::linkJumpT4):
625         (JSC::ARMv7Assembler::linkConditionalJumpT4):
626         (JSC::ARMv7Assembler::linkBX):
627         (JSC::ARMv7Assembler::linkConditionalBX):
628         * assembler/AbstractMacroAssembler.h:
629         (JSC::AbstractMacroAssembler::emitNops):
630         * assembler/LinkBuffer.cpp:
631         (JSC::LinkBuffer::copyCompactAndLinkCode):
632         * assembler/MIPSAssembler.h:
633         (JSC::MIPSAssembler::fillNops):
634         * assembler/MacroAssemblerARM64.h:
635         (JSC::MacroAssemblerARM64::link):
636         * assembler/MacroAssemblerARMv7.h:
637         (JSC::MacroAssemblerARMv7::link):
638         * assembler/X86Assembler.h:
639         (JSC::X86Assembler::fillNops):
640         * jit/ExecutableAllocator.h:
641         (JSC::performJITMemcpy):
642         * runtime/JSCPtrTag.h:
643
644 2019-09-03  Devin Rousso  <drousso@apple.com>
645
646         REGRESSION (r249078): Flaky crash in com.apple.JavaScriptCore: Inspector::InjectedScriptModule::ensureInjected
647         https://bugs.webkit.org/show_bug.cgi?id=201201
648         <rdar://problem/54771560>
649
650         Reviewed by Joseph Pecoraro.
651
652         * inspector/InjectedScriptSource.js:
653         (let.InjectedScript.prototype.injectModule):
654         (let.InjectedScript.prototype._evaluateOn):
655         (CommandLineAPI):
656         (let.InjectedScript.prototype.setInspectObject): Deleted.
657         (let.InjectedScript.prototype.addCommandLineAPIGetter): Deleted.
658         (let.InjectedScript.prototype.addCommandLineAPIMethod.func.toString): Deleted.
659         (let.InjectedScript.prototype.addCommandLineAPIMethod): Deleted.
660         (InjectedScript.CommandLineAPI): Deleted.
661         Allow injected script "extensions" (e.g. CommandLineAPIModuleSource.js) to modify objects
662         directly, instead of having them call functions.
663
664         * inspector/InjectedScriptModule.cpp:
665         (Inspector::InjectedScriptModule::ensureInjected):
666         Make sure to reset `hadException` to `false` before making another call.
667
668 2019-09-03  Yusuke Suzuki  <ysuzuki@apple.com>
669
670         [JSC] Remove BytecodeGenerator::emitPopScope
671         https://bugs.webkit.org/show_bug.cgi?id=201395
672
673         Reviewed by Saam Barati.
674
675         Use emitGetParentScope instead. This patch also removes several unnecessary mov bytecode emissions.
676
677         * bytecompiler/BytecodeGenerator.cpp:
678         (JSC::BytecodeGenerator::popLexicalScopeInternal):
679         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
680         (JSC::BytecodeGenerator::emitPopWithScope):
681         (JSC::BytecodeGenerator::emitPopScope): Deleted.
682         * bytecompiler/BytecodeGenerator.h:
683
684 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
685
686         [JSC] Merge op_check_traps into op_enter and op_loop_hint
687         https://bugs.webkit.org/show_bug.cgi?id=201373
688
689         Reviewed by Mark Lam.
690
691         This patch removes op_check_traps. Previously we were conditionally emitting op_check_traps based on Options and Platform configurations.
692         But now we are always emitting op_check_traps. So it is not necessary to have a separate op_check_traps bytecode. We can do the checking in
693         op_enter and op_loop_hint.
694
695         While this patch moves the check_traps implementation to op_enter and op_loop_hint, we keep separate DFG nodes (CheckTraps or InvalidationPoint),
696         since the inserted nodes differ based on configurations and options. And emitting multiple DFG nodes from one bytecode is easy.
697
698         We also inline op_enter's slow path's write-barrier emission in LLInt.
699
700         * bytecode/BytecodeList.rb:
701         * bytecode/BytecodeUseDef.h:
702         (JSC::computeUsesForBytecodeOffset):
703         (JSC::computeDefsForBytecodeOffset):
704         * bytecompiler/BytecodeGenerator.cpp:
705         (JSC::BytecodeGenerator::BytecodeGenerator):
706         (JSC::BytecodeGenerator::emitLoopHint):
707         (JSC::BytecodeGenerator::emitCheckTraps): Deleted.
708         * bytecompiler/BytecodeGenerator.h:
709         * dfg/DFGByteCodeParser.cpp:
710         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
711         (JSC::DFG::ByteCodeParser::parseBlock):
712         * dfg/DFGCapabilities.cpp:
713         (JSC::DFG::capabilityLevel):
714         * jit/JIT.cpp:
715         (JSC::JIT::privateCompileMainPass):
716         (JSC::JIT::privateCompileSlowCases):
717         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
718         * jit/JIT.h:
719         * jit/JITOpcodes.cpp:
720         (JSC::JIT::emit_op_loop_hint):
721         (JSC::JIT::emitSlow_op_loop_hint):
722         (JSC::JIT::emit_op_enter):
723         (JSC::JIT::emitSlow_op_enter):
724         (JSC::JIT::emit_op_check_traps): Deleted.
725         (JSC::JIT::emitSlow_op_check_traps): Deleted.
726         * jit/JITOpcodes32_64.cpp:
727         (JSC::JIT::emit_op_enter): Deleted.
728         * llint/LowLevelInterpreter.asm:
729         * llint/LowLevelInterpreter32_64.asm:
730         * llint/LowLevelInterpreter64.asm:
731         * runtime/CommonSlowPaths.cpp:
732         * runtime/CommonSlowPaths.h:
733
734 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
735
736         [JSC] Fix testb3 debug failures
737         https://bugs.webkit.org/show_bug.cgi?id=201382
738
739         Reviewed by Mark Lam.
740
741         Fix testb3 debug failures due to incorrect types of operations like pointer + int32.
742
743         * b3/testb3_8.cpp:
744         (testByteCopyLoop):
745         (testByteCopyLoopStartIsLoopDependent):
746         (testByteCopyLoopBoundIsLoopDependent):
747
748 2019-09-01  Mark Lam  <mark.lam@apple.com>
749
750         Speculative build fix for ARMv7 and MIPS.
751         https://bugs.webkit.org/show_bug.cgi?id=201389
752
753         Not reviewed.
754
755         * bytecode/CodeBlock.cpp:
756         (JSC::CodeBlock::jettison):
757
758 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
759
760         [JSC] LLInt op should not emit the same code three times
761         https://bugs.webkit.org/show_bug.cgi?id=201370
762
763         Reviewed by Mark Lam.
764
765         The LLInt op macro (not the llintOp macro) is used to generate some stub code like llint_program_prologue.
766         But now it generates the same code three times, for narrow, wide16, and wide32. We should emit the code only once.
767
768         * llint/LowLevelInterpreter.asm:
769
770 2019-08-30  Mark Lam  <mark.lam@apple.com>
771
772         Remove some obsolete statements that have no effect.
773         https://bugs.webkit.org/show_bug.cgi?id=201357
774
775         Reviewed by Saam Barati.
776
777         This patch removes 3 statements that look like this:
778
779             result->butterfly(); // Ensure that the butterfly is in to-space.
780
781         The statement just reads a field and does nothing with it.  This is a no-op
782         logic-wise, and the comment that accompanies it is obsolete.
783
784         * dfg/DFGOperations.cpp:
785
786 2019-08-30  Mark Lam  <mark.lam@apple.com>
787
788         Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
789         https://bugs.webkit.org/show_bug.cgi?id=201345
790
791         Reviewed by Yusuke Suzuki.
792
793         This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
794         the wrong pointer for capturing the cell headerWord and zapReason.  As a result,
795         we get junk for those 2 values.
796
797         Previously, we were only capturing the upper 32-bits of the cell header slot,
798         and the lower 32-bit of the next slot in the zapped cell.  We now capture the
799         full 64-bits of both slots.  If the second slot did not contain a zapReason as we
800         expect, the upper 32-bits might give us a clue as to what type of value the slot
801         contains.
802
803         This patch also adds capturing of the found MarkedBlock address for the zapped
804         cell, as well as some state bit values.
805
806         * heap/SlotVisitor.cpp:
807         (JSC::SlotVisitor::reportZappedCellAndCrash):
808
809 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
810
811         [JSC] Generate new.target register only when it is used
812         https://bugs.webkit.org/show_bug.cgi?id=201335
813
814         Reviewed by Mark Lam.
815
816         Since the bytecode generator knows whether the new.target register can be used, we should emit and use the new.target register
817         only when it is actually required.
818
819         * bytecompiler/BytecodeGenerator.cpp:
820         (JSC::BytecodeGenerator::BytecodeGenerator):
821         * bytecompiler/BytecodeGenerator.h:
822         (JSC::BytecodeGenerator::newTarget):
823         * parser/Nodes.h:
824         (JSC::ScopeNode::needsNewTargetRegisterForThisScope const):
825
826 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
827
828         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
829         https://bugs.webkit.org/show_bug.cgi?id=201331
830
831         Reviewed by Mark Lam.
832
833         SimpleJumpTable's non-JIT part is not changed after the CodeBlock is finalized. On the other hand, the JIT-related part is allocated on-demand.
834         For example, ctiOffsets can be grown by the Baseline JIT compiler. There is a race condition as follows.
835
836             1. DFG ByteCodeParser is inlining and copying SimpleJumpTable
837             2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable
838
839         Then, (1) reads the broken Vector, and crashes. Since the JIT-related part is unnecessary in (1), we should not clone it.
840         This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which only copies the non-JIT-related part of the given SimpleJumpTable offered
841         by the profiled CodeBlock.
842
843         * bytecode/CodeBlock.h:
844         (JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock):
845         * bytecode/JumpTable.h:
846         (JSC::SimpleJumpTable::cloneNonJITPart const):
847         (JSC::SimpleJumpTable::clear):
848         * dfg/DFGByteCodeParser.cpp:
849         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
850
851 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
852
853         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
854         https://bugs.webkit.org/show_bug.cgi?id=201332
855
856         Reviewed by Mark Lam.
857
858         When inlining setter calls in DFG, the result VirtualRegister becomes an invalid one. While other call-related DFG code correctly assumes
859         that `result` may be invalid, only the CheckBadCell slow path missed this case. Since this is an OSR exit path and the result VirtualRegister
860         does not exist, set BottomValue only when "result" is valid, as the other DFG code is doing.
861
862         * dfg/DFGByteCodeParser.cpp:
863         (JSC::DFG::ByteCodeParser::handleInlining):
864
865 2019-08-29  Devin Rousso  <drousso@apple.com>
866
867         Web Inspector: Debugger: async event listener stack traces should be available in Workers
868         https://bugs.webkit.org/show_bug.cgi?id=200903
869
870         Reviewed by Joseph Pecoraro.
871
872         * inspector/agents/InspectorDebuggerAgent.h:
873         (Inspector::InspectorDebuggerAgent::enabled): Added.
874         * inspector/agents/InspectorDebuggerAgent.cpp:
875         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
876         (Inspector::InspectorDebuggerAgent::enable):
877         (Inspector::InspectorDebuggerAgent::disable):
878         Allow subclasses to extend what it means for the `InspectorDebuggerAgent` to be `enabled`.
879
880 2019-08-29  Keith Rollin  <krollin@apple.com>
881
882         Update .xcconfig symbols to reflect the current set of past and future product versions.
883         https://bugs.webkit.org/show_bug.cgi?id=200720
884         <rdar://problem/54305032>
885
886         Reviewed by Alex Christensen.
887
888         Remove version symbols related to old OS's we no longer support,
889         ensure that version symbols are defined for OS's we do support.
890
891         * Configurations/Base.xcconfig:
892         * Configurations/DebugRelease.xcconfig:
893         * Configurations/Version.xcconfig:
894
895 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
896
897         [JSC] Repatch should construct CallCases and CasesValue at the same time
898         https://bugs.webkit.org/show_bug.cgi?id=201325
899
900         Reviewed by Saam Barati.
901
902         In linkPolymorphicCall, we should create callCases and casesValue at the same time to assert `callCases.size() == casesValue.size()`.
903         If the call variant is isClosureCall and InternalFunction, we skip adding it to casesValue. So we should not add this variant to callCases either.
904
905         * jit/Repatch.cpp:
906         (JSC::linkPolymorphicCall):
907
908 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
909
910         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
911         https://bugs.webkit.org/show_bug.cgi?id=198650
912
913         Reviewed by Saam Barati.
914
915         The Object Allocation Sinking phase has a lightweight abstract interpreter which interprets DFG nodes related to allocations and properties.
916         This interpreter is lightweight since it does not track abstract values and conditions as deeply as AI does. It can happen that this
917         interpreter interprets a control-flow edge that AI proved is never taken.
918         AI already knows some control-flow edges are never taken, and based on this information, AI can remove CheckStructure nodes. But the
919         ObjectAllocationSinking phase can trace these never-taken edges and propagate structure information that contradicts the analysis
920         done in ObjectAllocationSinking.
921
922         Let's see the example.
923
924             BB#0
925                 35: NewObject([%AM:Object])
926                 ...
927                 47: Branch(ConstantTrue, T:#1, F:#2)
928
929             BB#1 // This basic block is never taken due to @47's jump.
930                 ...
931                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
932                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
933                 ...
934                 XX: Jump(#2)
935
936             BB#2
937                 ...
938                 92: CheckStructure(@35, [%Dx:Object])
939                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
940                 ...
941
942         AI removes @92 because AI knows BB#0 only takes the BB#1 branch. @35's Structure is always %Dx, so @92 is redundant.
943         AI proved that @71 and @72 are always executed while the BB#0 -> BB#2 edge is never taken, so that @35 object's structure is proven at @92.
944         After AI removes @92, ObjectAllocationSinking starts looking into this graph.
945
946             BB#0
947                 35: NewObject([%AM:Object])
948                 ...
949                 47: Branch(ConstantTrue, T:#1, F:#2)
950
951             BB#1 // This basic block is never taken due to @47's jump.
952                 ...
953                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
954                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
955                 ...
956                 XX: Jump(#2)
957
958             BB#2
959                 ...
960                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
961                 ...
962                 YY: Jump(#3)
963
964             BB#3
965                 ...
966                 ZZ: <HERE> want to materialize @35's sunk object.
967
968         Since AI does not change the @47 Branch to Jump (it is OK anyway), the BB#0 -> BB#2 edge remains and the ObjectAllocationSinking phase propagates
969         BB#0's %AM structure information to BB#2. The ObjectAllocationSinking phase converts @35 to PhantomNewObject, removes PutByOffset and PutStructure, and
970         inserts MaterializeNewObject at @ZZ. At this point, the ObjectAllocationSinking lightweight interpreter gets two structures while AI gets one: @35's original
971         one (%AM) and @72's replaced one (%Dx). Since AI already proved @ZZ only gets %Dx, AI removed the @92 CheckStructure. But this is not known to the ObjectAllocationSinking
972         phase's interpretation. So when creating recovery data, MultiPutByOffset includes two structures, %AM and %Dx. This is OK since MultiPutByOffset takes a
973         conservative set of structures and performs switching. But the problem here is that %AM's id2{a} offset is -1 since %AM does not have such a property.
974         So when creating MultiPutByOffset in ObjectAllocationSinking, we accidentally create MultiPutByOffset with -1 offset data, and the lowering phase hits the debug
975         assertion.
976
977             187: MultiPutByOffset(@138, @138, id2{a}, <Replace: [%AM:Object], offset = -1, >, <Replace: [%Dx:Object], offset = 0, >)
978
979         This bug is harmless since the %AM structure comparison never matches at runtime. But we are not considering the case of a `-1` offset property in MultiPutByOffset data.
980         In this patch, we just filter out apparently wrong structures when creating MultiPutByOffset in ObjectAllocationSinking. This is OK since it never comes up at runtime.
981
982         * dfg/DFGObjectAllocationSinkingPhase.cpp:
983
984 2019-08-29  Devin Rousso  <drousso@apple.com>
985
986         Web Inspector: DOMDebugger: support event breakpoints in Worker contexts
987         https://bugs.webkit.org/show_bug.cgi?id=200651
988
989         Reviewed by Joseph Pecoraro.
990
991         * inspector/protocol/DOMDebugger.json:
992         Make the domain available in "worker" contexts as well.
993
994 2019-08-29  Keith Rollin  <krollin@apple.com>
995
996         Remove 32-bit macOS support
997         https://bugs.webkit.org/show_bug.cgi?id=201282
998         <rdar://problem/54821667>
999
1000         Reviewed by Anders Carlsson.
1001
1002         WebKit doesn’t support 32-bit Mac any more, so remove checks and code
1003         for that platform.
1004
1005         * API/JSBase.h:
1006         * runtime/VM.h:
1007
1008 2019-08-29  Keith Rollin  <krollin@apple.com>
1009
1010         Remove support for macOS < 10.13 (part 3)
1011         https://bugs.webkit.org/show_bug.cgi?id=201224
1012         <rdar://problem/54795934>
1013
1014         Reviewed by Darin Adler.
1015
1016         Remove symbols in WebKitTargetConditionals.xcconfig related to macOS
1017         10.13, including WK_MACOS_1013 and WK_MACOS_BEFORE_1013, and suffixes
1018         like _MACOS_SINCE_1013.
1019
1020         * Configurations/WebKitTargetConditionals.xcconfig:
1021
1022 2019-08-29  Mark Lam  <mark.lam@apple.com>
1023
1024         Remove a bad assertion in ByteCodeParser::inlineCall().
1025         https://bugs.webkit.org/show_bug.cgi?id=201292
1026         <rdar://problem/54121659>
1027
1028         Reviewed by Michael Saboff.
1029
1030         In the DFG bytecode parser, we've already computed the inlining cost of a candidate
1031         inlining target, and determined that it is worth inlining before invoking
1032         ByteCodeParser::inlineCall().  However, in ByteCodeParser::inlineCall(), it
1033         recomputes the inlining cost again only for the purpose of asserting that it isn't
1034         too high.
1035
1036         Now consider a badly written test that does the following:
1037
1038             function bar() {
1039                 ...
1040                 foo(); // Call in a hot loop here.
1041                 ...
1042             }
1043
1044             bar(); // <===== foo is inlineable into bar here.
1045             noInline(foo); // <===== Change mind, and make foo not inlineable.
1046             bar();
1047
1048         With this bad test, the following racy scenario can occur:
1049
1050         1. the first invocation of bar() gets hot, and a concurrent compile is kicked off.
1051         2. the compiler thread computes foo()'s inliningCost() and determines that it is
1052            worthy to be inlined, and will imminently call inlineCall().
1053         3. the mutator calls the noInline() test utility on foo(), thereby making it NOT
1054            inlineable.
1055         4. the compiler thread calls inlineCall().  In inlineCall(), it re-computes the
1056            inliningCost for foo() and now finds that it is not inlineable.  An assertion
1057            failure follows.
1058
1059         Technically, the test is in error because noInline() shouldn't be used that way.
1060         However, fuzzers that are not clued into noInline()'s proper usage may generate
1061         code like this.
1062
1063         On the other hand, ByteCodeParser::inlineCall() should not be recomputing the
1064         inlining cost and asserting on it.  The only reason inlineCall() is invoked is
1065         because it was already previously determined that a target function is inlineable
1066         based on its inlining cost.  Today, in practice, I don't think we have any real
1067         world condition where the mutator can affect the inlining cost of a target
1068         function midway through execution.  So, this assertion isn't a problem if no one
1069         writes a test that abuses noInline().  However, should things change such that the
1070         mutator is able to affect the inlining cost of a target function, then it is
1071         incorrect for the compiler to assume that the inlining cost is immutable.  Once
1072         the compiler decides to inline a function, it should just follow through.
1073
1074         This patch removes this assertion in ByteCodeParser::inlineCall().  It is an
1075         annoyance at best (for fuzzers), and at worst, incorrect if the mutator gains the
1076         ability to affect the inlining cost of a target function.
1077
1078         * dfg/DFGByteCodeParser.cpp:
1079         (JSC::DFG::ByteCodeParser::inlineCall):
1080
1081 2019-08-28  Mark Lam  <mark.lam@apple.com>
1082
1083         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
1084         https://bugs.webkit.org/show_bug.cgi?id=201281
1085         <rdar://problem/54028228>
1086
1087         Reviewed by Yusuke Suzuki and Saam Barati.
1088
1089         This (see title above) is already the preferred idiom used in most places in our
1090         compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
1091         compileStringCharAt().  Consider the following:
1092
1093             bool prototypeChainIsSane = false;
1094             if (globalObject->stringPrototypeChainIsSane()) {
1095                 ...
1096                 m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm()));
1097                 m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm()));
1098
1099                 prototypeChainIsSane = globalObject->stringPrototypeChainIsSane();
1100             }
1101
1102         What's essential for correctness here is that the stringPrototype and objectPrototype
1103         structures be loaded before the loads in the second stringPrototypeChainIsSane()
1104         check.  Without a loadLoadFence before the second stringPrototypeChainIsSane()
1105         check, we can't guarantee that.  Elsewhere in the compiler, the preferred idiom
1106         for doing this right is to pre-load the structures first, do a loadLoadFence, and
1107         then do the IsSane check just once afterwards, e.g.:
1108
1109             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm);
1110             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm);
1111
1112             if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
1113                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
1114                 && globalObject->arrayPrototypeChainIsSane()) {
1115
1116                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1117                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1118                 ...
1119             }
1120
1121         This patch changes DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
1122         compileStringCharAt() to follow the same idiom.
1123
1124         We also fix a bad assertion in Structure::storedPrototype() and
1125         Structure::storedPrototypeObject().  The assertion is only correct when those
1126         methods are called from the mutator thread.  The assertion has been updated to
1127         only check its test condition if the current thread is the mutator thread.
1128
1129         * dfg/DFGSpeculativeJIT.cpp:
1130         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1131         * ftl/FTLLowerDFGToB3.cpp:
1132         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1133         * runtime/StructureInlines.h:
1134         (JSC::Structure::storedPrototype const):
1135         (JSC::Structure::storedPrototypeObject const):
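
        An added C++ model, not WebKit's code, of the two patterns this entry contrasts: the replaced check-load-check sequence beside the preferred
        snapshot-fence-check idiom. Structure, GlobalObject, WatchList and both function names are hypothetical stand-ins, and acquire loads play
        the part of loadLoadFence.

```cpp
#include <atomic>
#include <iostream>
#include <vector>

// Added example, not WebKit code: a toy model of the idiom discussed in the
// entry above. Structure, GlobalObject, WatchList and both function names are
// hypothetical stand-ins; acquire loads play the role of JSC's loadLoadFence.

struct Structure {
    // Stands in for the transition watchpoint set; a concurrent mutator would
    // flip it to false when the structure transitions.
    std::atomic<bool> watchpointValid { true };

    // Like transitionWatchpointSetIsStillValid() in JSC, which has a loadLoadFence:
    // the acquire load keeps the earlier structure loads ordered before it.
    bool transitionWatchpointSetIsStillValid() const
    {
        return watchpointValid.load(std::memory_order_acquire);
    }
};

struct GlobalObject {
    std::atomic<Structure*> stringPrototypeStructure { nullptr };
    std::atomic<Structure*> objectPrototypeStructure { nullptr };
    std::atomic<bool> chainIsSane { true };

    bool stringPrototypeChainIsSane() const
    {
        return chainIsSane.load(std::memory_order_acquire);
    }
};

// Stands in for m_graph.registerAndWatchStructureTransition().
struct WatchList {
    std::vector<const Structure*> watched;
    void registerAndWatchStructureTransition(const Structure* structure)
    {
        watched.push_back(structure);
    }
};

// The sequence the patch replaces: check IsSane, load and register the current
// structures, then check IsSane a second time. Nothing orders the structure
// loads before the loads inside the second check.
bool tryWatchStringPrototypeChainBefore(GlobalObject& globalObject, WatchList& graph)
{
    bool prototypeChainIsSane = false;
    if (globalObject.stringPrototypeChainIsSane()) {
        graph.registerAndWatchStructureTransition(
            globalObject.stringPrototypeStructure.load(std::memory_order_relaxed));
        graph.registerAndWatchStructureTransition(
            globalObject.objectPrototypeStructure.load(std::memory_order_relaxed));
        prototypeChainIsSane = globalObject.stringPrototypeChainIsSane();
    }
    return prototypeChainIsSane;
}

// The preferred idiom: snapshot the structures first, let the watchpoint checks
// fence, run the IsSane check exactly once, and watch only the snapshot.
bool tryWatchStringPrototypeChain(GlobalObject& globalObject, WatchList& graph)
{
    Structure* stringPrototypeStructure = globalObject.stringPrototypeStructure.load(std::memory_order_relaxed);
    Structure* objectPrototypeStructure = globalObject.objectPrototypeStructure.load(std::memory_order_relaxed);
    if (!stringPrototypeStructure || !objectPrototypeStructure)
        return false;

    if (stringPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFence
        && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFence
        && globalObject.stringPrototypeChainIsSane()) {
        graph.registerAndWatchStructureTransition(stringPrototypeStructure);
        graph.registerAndWatchStructureTransition(objectPrototypeStructure);
        return true;
    }
    return false;
}

// Stand-alone demo on constructed state: a sane chain is watched; once a
// watchpoint has fired, the preferred idiom refuses the fast path.
int main()
{
    Structure stringPrototype, objectPrototype;
    GlobalObject globalObject;
    globalObject.stringPrototypeStructure.store(&stringPrototype);
    globalObject.objectPrototypeStructure.store(&objectPrototype);

    WatchList graph;
    std::cout << "fast path: " << tryWatchStringPrototypeChain(globalObject, graph)
              << ", watched " << graph.watched.size() << " structures\n";

    objectPrototype.watchpointValid.store(false);
    WatchList graphAfterTransition;
    std::cout << "fast path after transition: "
              << tryWatchStringPrototypeChain(globalObject, graphAfterTransition) << "\n";
    return 0;
}
```

The model is single-threaded, so it exercises the decision logic and the ordering of the loads, not the race itself.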
1136
1137 2019-08-28  Mark Lam  <mark.lam@apple.com>
1138
1139         Placate exception check validation in DFG's operationHasGenericProperty().
1140         https://bugs.webkit.org/show_bug.cgi?id=201245
1141         <rdar://problem/54777512>
1142
1143         Reviewed by Robin Morisset.
1144
1145         * dfg/DFGOperations.cpp:
1146
1147 2019-08-28  Ross Kirsling  <ross.kirsling@sony.com>
1148
1149         Unreviewed. Restabilize non-unified build.
1150
1151         * runtime/PropertySlot.h:
1152
1153 2019-08-28  Mark Lam  <mark.lam@apple.com>
1154
1155         Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks.
1156         https://bugs.webkit.org/show_bug.cgi?id=201006
1157         <rdar://problem/52053991>
1158
1159         Reviewed by Yusuke Suzuki.
1160
1161         We already ensured that it is not possible to overflow in Wasm::FunctionParser's
1162         parse().  It is unnecessary and misleading to do those overflow checks in
1163         AirIRGenerator and B3IRGenerator.  The only check that is necessary is that
1164         m_locals.tryReserveCapacity() is successful, otherwise, we have an out of memory
1165         situation.
1166
1167         This patch changes these unnecessary checks to assertions instead.
1168
1169         * wasm/WasmAirIRGenerator.cpp:
1170         (JSC::Wasm::AirIRGenerator::addLocal):
1171         * wasm/WasmB3IRGenerator.cpp:
1172         (JSC::Wasm::B3IRGenerator::addLocal):
1173         * wasm/WasmValidate.cpp:
1174         (JSC::Wasm::Validate::addLocal):
1175
1176 2019-08-28  Keith Rollin  <krollin@apple.com>
1177
1178         Remove support for macOS < 10.13 (part 2)
1179         https://bugs.webkit.org/show_bug.cgi?id=201197
1180         <rdar://problem/54759985>
1181
1182         Update conditionals that reference WK_MACOS_1013 and suffixes like
1183         _MACOS_SINCE_1013, assuming that we're always building on 10.13 or
1184         later and that these conditionals are always True or False.
1185
1186         See Bug 200694 for earlier changes in this area.
1187
1188         Reviewed by Darin Adler.
1189
1190         * Configurations/FeatureDefines.xcconfig:
1191
1192 2019-08-28  Mark Lam  <mark.lam@apple.com>
1193
1194         Gardening: Rebase test results after r249175.
1195         https://bugs.webkit.org/show_bug.cgi?id=201172
1196
1197         Not reviewed.
1198
1199         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1200         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1201         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1202         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1203         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1204         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1205         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1206
1207 2019-08-27  Michael Saboff  <msaboff@apple.com>
1208
1209         Update PACCage changes for builds without Gigacage, but with signed pointers
1210         https://bugs.webkit.org/show_bug.cgi?id=201202
1211
1212         Reviewed by Saam Barati.
1213
1214         Factored out the untagging of pointers and added that to both the Gigacage enabled
1215         and disabled code paths.  Did this for the LLInt as well as the JITs.
1216
1217         * JavaScriptCore.xcodeproj/project.pbxproj: Added arm64e.rb to offlineasm file list.
1218         * dfg/DFGSpeculativeJIT.cpp:
1219         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1220         * ftl/FTLLowerDFGToB3.cpp:
1221         (JSC::FTL::DFG::LowerDFGToB3::caged):
1222         * llint/LowLevelInterpreter64.asm:
1223
1224 2019-08-27  Mark Lam  <mark.lam@apple.com>
1225
1226         Refactor to use VM& instead of VM* at as many places as possible.
1227         https://bugs.webkit.org/show_bug.cgi?id=201172
1228
1229         Reviewed by Yusuke Suzuki.
1230
1231         Using VM& documents more clearly that the VM pointer is expected to never be null
1232         in most cases.  There are a few places where it can be null (e.g JSLock, and
1233         DFG::Plan).  Those will be left using a VM*.
1234
1235         Also converted some uses of ExecState* to using VM& instead since the ExecState*
1236         is only there to fetch the VM pointer.  Doing this also reduces the number of
1237         times we have to compute VM* from ExecState*.
1238
1239         This patch is not exhaustive in converting to use VM&, but applies the change to
1240         many commonly used pieces of code for a start.
1241
1242         Also fixed a missing exception check in JSString::toIdentifier() and
1243         JSValue::toPropertyKey() exposed by this patch.
1244
1245         * API/APICast.h:
1246         (toJS):
1247         * API/JSAPIGlobalObject.mm:
1248         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
1249         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1250         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
1251         (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
1252         (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule):
1253         * API/JSCallbackConstructor.cpp:
1254         (JSC::JSCallbackConstructor::finishCreation):
1255         * API/JSCallbackObjectFunctions.h:
1256         (JSC::JSCallbackObject<Parent>::asCallbackObject):
1257         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
1258         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
1259         (JSC::JSCallbackObject<Parent>::putByIndex):
1260         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
1261         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1262         * API/JSContext.mm:
1263         (-[JSContext dependencyIdentifiersForModuleJSScript:]):
1264         * API/JSObjectRef.cpp:
1265         (JSObjectMakeFunction):
1266         (classInfoPrivate):
1267         (JSObjectGetPrivate):
1268         (JSObjectSetPrivate):
1269         (JSObjectCopyPropertyNames):
1270         (JSPropertyNameAccumulatorAddName):
1271         (JSObjectGetProxyTarget):
1272         * API/JSScriptRef.cpp:
1273         (parseScript):
1274         * API/JSValueRef.cpp:
1275         (JSValueMakeString):
1276         * API/OpaqueJSString.cpp:
1277         (OpaqueJSString::identifier const):
1278         * API/glib/JSCContext.cpp:
1279         (jsc_context_check_syntax):
1280         * KeywordLookupGenerator.py:
1281         (Trie.printSubTreeAsC):
1282         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py:
1283         (BuiltinsWrapperHeaderGenerator.generate_constructor):
1284         * Scripts/wkbuiltins/builtins_templates.py:
1285         * bindings/ScriptFunctionCall.cpp:
1286         (Deprecated::ScriptCallArgumentHandler::appendArgument):
1287         (Deprecated::ScriptFunctionCall::call):
1288         * bindings/ScriptValue.cpp:
1289         (Inspector::jsToInspectorValue):
1290         * builtins/BuiltinExecutables.cpp:
1291         (JSC::BuiltinExecutables::createExecutable):
1292         * builtins/BuiltinNames.cpp:
1293         (JSC::BuiltinNames::BuiltinNames):
1294         * builtins/BuiltinNames.h:
1295         (JSC::BuiltinNames::getPublicName const):
1296         * bytecode/BytecodeDumper.cpp:
1297         (JSC::BytecodeDumper<Block>::vm const):
1298         * bytecode/BytecodeDumper.h:
1299         * bytecode/BytecodeGeneratorification.cpp:
1300         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
1301         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
1302         (JSC::BytecodeGeneratorification::run):
1303         * bytecode/BytecodeIntrinsicRegistry.cpp:
1304         (JSC::BytecodeIntrinsicRegistry::sentinelMapBucketValue):
1305         (JSC::BytecodeIntrinsicRegistry::sentinelSetBucketValue):
1306         * bytecode/CallVariant.h:
1307         (JSC::CallVariant::internalFunction const):
1308         (JSC::CallVariant::function const):
1309         (JSC::CallVariant::isClosureCall const):
1310         (JSC::CallVariant::executable const):
1311         (JSC::CallVariant::functionExecutable const):
1312         (JSC::CallVariant::nativeExecutable const):
1313         * bytecode/CodeBlock.cpp:
1314         (JSC::CodeBlock::dumpSource):
1315         (JSC::CodeBlock::CodeBlock):
1316         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1317         (JSC::CodeBlock::setNumParameters):
1318         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
1319         (JSC::CodeBlock::unlinkIncomingCalls):
1320         (JSC::CodeBlock::replacement):
1321         (JSC::CodeBlock::computeCapabilityLevel):
1322         (JSC::CodeBlock::noticeIncomingCall):
1323         (JSC::CodeBlock::nameForRegister):
1324         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1325         * bytecode/CodeBlock.h:
1326         (JSC::CodeBlock::vm const):
1327         (JSC::CodeBlock::numberOfArgumentValueProfiles):
1328         (JSC::CodeBlock::valueProfileForArgument):
1329         * bytecode/DeferredSourceDump.cpp:
1330         (JSC::DeferredSourceDump::DeferredSourceDump):
1331         * bytecode/EvalCodeBlock.h:
1332         * bytecode/FunctionCodeBlock.h:
1333         * bytecode/GetByIdStatus.cpp:
1334         (JSC::GetByIdStatus::computeFromLLInt):
1335         * bytecode/GlobalCodeBlock.h:
1336         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1337         * bytecode/ModuleProgramCodeBlock.h:
1338         * bytecode/ObjectAllocationProfileInlines.h:
1339         (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount):
1340         * bytecode/PolyProtoAccessChain.cpp:
1341         (JSC::PolyProtoAccessChain::create):
1342         * bytecode/ProgramCodeBlock.h:
1343         * bytecode/PropertyCondition.cpp:
1344         (JSC::PropertyCondition::isWatchableWhenValid const):
1345         * bytecode/PutByIdStatus.cpp:
1346         (JSC::PutByIdStatus::computeFromLLInt):
1347         * bytecode/StructureStubInfo.cpp:
1348         (JSC::StructureStubInfo::initGetByIdSelf):
1349         (JSC::StructureStubInfo::initPutByIdReplace):
1350         (JSC::StructureStubInfo::initInByIdSelf):
1351         (JSC::StructureStubInfo::addAccessCase):
1352         (JSC::StructureStubInfo::visitWeakReferences):
1353         * bytecode/UnlinkedCodeBlock.cpp:
1354         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1355         * bytecode/UnlinkedCodeBlock.h:
1356         (JSC::UnlinkedCodeBlock::addSetConstant):
1357         (JSC::UnlinkedCodeBlock::addConstant):
1358         (JSC::UnlinkedCodeBlock::addFunctionDecl):
1359         (JSC::UnlinkedCodeBlock::addFunctionExpr):
1360         * bytecode/UnlinkedEvalCodeBlock.h:
1361         * bytecode/UnlinkedFunctionCodeBlock.h:
1362         * bytecode/UnlinkedFunctionExecutable.cpp:
1363         (JSC::generateUnlinkedFunctionCodeBlock):
1364         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1365         * bytecode/UnlinkedFunctionExecutable.h:
1366         * bytecode/UnlinkedGlobalCodeBlock.h:
1367         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1368         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1369         * bytecode/UnlinkedProgramCodeBlock.h:
1370         * bytecompiler/BytecodeGenerator.cpp:
1371         (JSC::BytecodeGenerator::BytecodeGenerator):
1372         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1373         (JSC::BytecodeGenerator::emitDirectPutById):
1374         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1375         (JSC::BytecodeGenerator::addBigIntConstant):
1376         (JSC::BytecodeGenerator::addTemplateObjectConstant):
1377         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
1378         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
1379         * bytecompiler/BytecodeGenerator.h:
1380         (JSC::BytecodeGenerator::vm const):
1381         (JSC::BytecodeGenerator::propertyNames const):
1382         (JSC::BytecodeGenerator::emitNodeInTailPosition):
1383         (JSC::BytecodeGenerator::emitDefineClassElements):
1384         (JSC::BytecodeGenerator::emitNodeInConditionContext):
1385         * bytecompiler/NodesCodegen.cpp:
1386         (JSC::RegExpNode::emitBytecode):
1387         (JSC::ArrayNode::emitBytecode):
1388         (JSC::FunctionCallResolveNode::emitBytecode):
1389         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1390         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1391         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
1392         (JSC::InstanceOfNode::emitBytecode):
1393         * debugger/Debugger.cpp:
1394         * debugger/DebuggerParseData.cpp:
1395         (JSC::gatherDebuggerParseData):
1396         * debugger/DebuggerScope.cpp:
1397         (JSC::DebuggerScope::next):
1398         (JSC::DebuggerScope::name const):
1399         (JSC::DebuggerScope::location const):
1400         * dfg/DFGDesiredIdentifiers.cpp:
1401         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1402         * dfg/DFGDesiredWatchpoints.cpp:
1403         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
1404         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
1405         * dfg/DFGFrozenValue.h:
1406         (JSC::DFG::FrozenValue::FrozenValue):
1407         * dfg/DFGGraph.cpp:
1408         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
1409         * dfg/DFGJITCompiler.cpp:
1410         (JSC::DFG::JITCompiler::linkOSRExits):
1411         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1412         (JSC::DFG::JITCompiler::link):
1413         (JSC::DFG::emitStackOverflowCheck):
1414         (JSC::DFG::JITCompiler::compileFunction):
1415         (JSC::DFG::JITCompiler::exceptionCheck):
1416         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
1417         * dfg/DFGJITCompiler.h:
1418         (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
1419         (JSC::DFG::JITCompiler::fastExceptionCheck):
1420         (JSC::DFG::JITCompiler::vm):
1421         * dfg/DFGLazyJSValue.cpp:
1422         (JSC::DFG::LazyJSValue::getValue const):
1423         (JSC::DFG::LazyJSValue::emit const):
1424         * dfg/DFGOSREntry.cpp:
1425         (JSC::DFG::prepareOSREntry):
1426         * dfg/DFGOSRExit.cpp:
1427         (JSC::DFG::OSRExit::compileOSRExit):
1428         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
1429         * dfg/DFGOSRExitCompilerCommon.h:
1430         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
1431         * dfg/DFGOperations.cpp:
1432         (JSC::DFG::newTypedArrayWithSize):
1433         (JSC::DFG::binaryOp):
1434         (JSC::DFG::bitwiseBinaryOp):
1435         * dfg/DFGPlan.cpp:
1436         (JSC::DFG::Plan::Plan):
1437         * dfg/DFGSpeculativeJIT.cpp:
1438         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1439         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1440         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1441         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
1442         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1443         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1444         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
1445         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
1446         (JSC::DFG::SpeculativeJIT::emitStringBranch):
1447         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
1448         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1449         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
1450         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1451         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1452         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1453         (JSC::DFG::SpeculativeJIT::compileSpread):
1454         (JSC::DFG::SpeculativeJIT::compileNewArray):
1455         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1456         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1457         (JSC::DFG::SpeculativeJIT::compileArrayPush):
1458         (JSC::DFG::SpeculativeJIT::compileTypeOf):
1459         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1460         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1461         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
1462         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1463         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1464         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1465         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1466         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
1467         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1468         (JSC::DFG::SpeculativeJIT::compileStringReplace):
1469         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
1470         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1471         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1472         (JSC::DFG::SpeculativeJIT::compileObjectKeys):
1473         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1474         (JSC::DFG::SpeculativeJIT::compileNewObject):
1475         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
1476         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
1477         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
1478         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1479         (JSC::DFG::SpeculativeJIT::compileProfileType):
1480         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1481         * dfg/DFGSpeculativeJIT.h:
1482         (JSC::DFG::SpeculativeJIT::vm):
1483         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
1484         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1485         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1486         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
1487         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1488         * dfg/DFGSpeculativeJIT32_64.cpp:
1489         (JSC::DFG::SpeculativeJIT::emitCall):
1490         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1491         (JSC::DFG::SpeculativeJIT::emitBranch):
1492         (JSC::DFG::SpeculativeJIT::compile):
1493         * dfg/DFGSpeculativeJIT64.cpp:
1494         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1495         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1496         (JSC::DFG::SpeculativeJIT::emitCall):
1497         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1498         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1499         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1500         (JSC::DFG::SpeculativeJIT::emitBranch):
1501         (JSC::DFG::SpeculativeJIT::compile):
1502         * dfg/DFGThunks.cpp:
1503         (JSC::DFG::osrExitThunkGenerator):
1504         (JSC::DFG::osrExitGenerationThunkGenerator):
1505         (JSC::DFG::osrEntryThunkGenerator):
1506         * dfg/DFGThunks.h:
1507         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
1508         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
1509         * dfg/DFGWorklist.cpp:
1510         (JSC::DFG::Worklist::visitWeakReferences):
1511         * dynbench.cpp:
1512         (main):
1513         * ftl/FTLLowerDFGToB3.cpp:
1514         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1515         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1516         (JSC::FTL::DFG::LowerDFGToB3::boolify):
1517         * ftl/FTLThunks.cpp:
1518         (JSC::FTL::genericGenerationThunkGenerator):
1519         (JSC::FTL::osrExitGenerationThunkGenerator):
1520         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1521         * ftl/FTLThunks.h:
1522         * heap/CellContainer.h:
1523         * heap/CellContainerInlines.h:
1524         (JSC::CellContainer::vm const):
1525         (JSC::CellContainer::heap const):
1526         * heap/CompleteSubspace.cpp:
1527         (JSC::CompleteSubspace::tryAllocateSlow):
1528         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
1529         * heap/GCActivityCallback.h:
1530         * heap/GCAssertions.h:
1531         * heap/HandleSet.cpp:
1532         (JSC::HandleSet::HandleSet):
1533         * heap/HandleSet.h:
1534         (JSC::HandleSet::vm):
1535         * heap/Heap.cpp:
1536         (JSC::Heap::Heap):
1537         (JSC::Heap::lastChanceToFinalize):
1538         (JSC::Heap::releaseDelayedReleasedObjects):
1539         (JSC::Heap::protect):
1540         (JSC::Heap::unprotect):
1541         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
1542         (JSC::Heap::finalizeUnconditionalFinalizers):
1543         (JSC::Heap::completeAllJITPlans):
1544         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
1545         (JSC::Heap::gatherJSStackRoots):
1546         (JSC::Heap::gatherScratchBufferRoots):
1547         (JSC::Heap::removeDeadCompilerWorklistEntries):
1548         (JSC::Heap::isAnalyzingHeap const):
1549         (JSC::Heap::gatherExtraHeapData):
1550         (JSC::Heap::protectedObjectTypeCounts):
1551         (JSC::Heap::objectTypeCounts):
1552         (JSC::Heap::deleteAllCodeBlocks):
1553         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
1554         (JSC::Heap::deleteUnmarkedCompiledCode):
1555         (JSC::Heap::checkConn):
1556         (JSC::Heap::runEndPhase):
1557         (JSC::Heap::stopThePeriphery):
1558         (JSC::Heap::finalize):
1559         (JSC::Heap::requestCollection):
1560         (JSC::Heap::sweepInFinalize):
1561         (JSC::Heap::sweepArrayBuffers):
1562         (JSC::Heap::deleteSourceProviderCaches):
1563         (JSC::Heap::didFinishCollection):
1564         (JSC::Heap::addCoreConstraints):
1565         * heap/Heap.h:
1566         * heap/HeapCell.h:
1567         * heap/HeapCellInlines.h:
1568         (JSC::HeapCell::heap const):
1569         (JSC::HeapCell::vm const):
1570         * heap/HeapInlines.h:
1571         (JSC::Heap::vm const):
1572         * heap/IsoSubspacePerVM.cpp:
1573         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
1574         * heap/LargeAllocation.cpp:
1575         (JSC::LargeAllocation::sweep):
1576         (JSC::LargeAllocation::assertValidCell const):
1577         * heap/LargeAllocation.h:
1578         (JSC::LargeAllocation::vm const):
1579         * heap/LocalAllocator.cpp:
1580         (JSC::LocalAllocator::allocateSlowCase):
1581         * heap/MarkedBlock.cpp:
1582         (JSC::MarkedBlock::Handle::Handle):
1583         (JSC::MarkedBlock::aboutToMarkSlow):
1584         (JSC::MarkedBlock::assertMarksNotStale):
1585         (JSC::MarkedBlock::areMarksStale):
1586         (JSC::MarkedBlock::isMarked):
1587         (JSC::MarkedBlock::assertValidCell const):
1588         * heap/MarkedBlock.h:
1589         (JSC::MarkedBlock::Handle::vm const):
1590         (JSC::MarkedBlock::vm const):
1591         * heap/MarkedBlockInlines.h:
1592         (JSC::MarkedBlock::heap const):
1593         (JSC::MarkedBlock::Handle::specializedSweep):
1594         * heap/SlotVisitor.cpp:
1595         (JSC::validate):
1596         * heap/SlotVisitorInlines.h:
1597         (JSC::SlotVisitor::vm):
1598         (JSC::SlotVisitor::vm const):
1599         * heap/StopIfNecessaryTimer.cpp:
1600         (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer):
1601         * heap/StopIfNecessaryTimer.h:
1602         * heap/Strong.h:
1603         (JSC::Strong::operator=):
1604         * heap/WeakSet.h:
1605         (JSC::WeakSet::WeakSet):
1606         (JSC::WeakSet::vm const):
1607         * inspector/JSInjectedScriptHost.cpp:
1608         (Inspector::JSInjectedScriptHost::savedResultAlias const):
1609         (Inspector::JSInjectedScriptHost::internalConstructorName):
1610         (Inspector::JSInjectedScriptHost::subtype):
1611         (Inspector::JSInjectedScriptHost::functionDetails):
1612         (Inspector::constructInternalProperty):
1613         (Inspector::JSInjectedScriptHost::getInternalProperties):
1614         (Inspector::JSInjectedScriptHost::weakMapEntries):
1615         (Inspector::JSInjectedScriptHost::weakSetEntries):
1616         (Inspector::JSInjectedScriptHost::iteratorEntries):
1617         (Inspector::JSInjectedScriptHost::queryInstances):
1618         (Inspector::JSInjectedScriptHost::queryHolders):
1619         * inspector/JSJavaScriptCallFrame.cpp:
1620         (Inspector::valueForScopeLocation):
1621         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
1622         (Inspector::JSJavaScriptCallFrame::functionName const):
1623         (Inspector::JSJavaScriptCallFrame::type const):
1624         * inspector/ScriptCallStackFactory.cpp:
1625         (Inspector::extractSourceInformationFromException):
1626         * inspector/agents/InspectorAuditAgent.cpp:
1627         (Inspector::InspectorAuditAgent::populateAuditObject):
1628         * inspector/agents/InspectorHeapAgent.cpp:
1629         (Inspector::InspectorHeapAgent::gc):
1630         * interpreter/FrameTracers.h:
1631         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1632         * interpreter/Interpreter.cpp:
1633         (JSC::Interpreter::executeProgram):
1634         (JSC::Interpreter::prepareForRepeatCall):
1635         (JSC::Interpreter::execute):
1636         (JSC::Interpreter::executeModuleProgram):
1637         * interpreter/StackVisitor.cpp:
1638         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1639         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1640         * jit/AssemblyHelpers.cpp:
1641         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1642         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
1643         (JSC::AssemblyHelpers::branchIfValue):
1644         * jit/AssemblyHelpers.h:
1645         (JSC::AssemblyHelpers::vm):
1646         * jit/JIT.cpp:
1647         (JSC::JIT::JIT):
1648         (JSC::JIT::emitEnterOptimizationCheck):
1649         (JSC::JIT::privateCompileMainPass):
1650         (JSC::JIT::privateCompileExceptionHandlers):
1651         * jit/JIT.h:
1652         * jit/JITCall.cpp:
1653         (JSC::JIT::compileCallEvalSlowCase):
1654         * jit/JITCall32_64.cpp:
1655         (JSC::JIT::compileCallEvalSlowCase):
1656         * jit/JITExceptions.cpp:
1657         (JSC::genericUnwind):
1658         * jit/JITExceptions.h:
1659         * jit/JITInlineCacheGenerator.cpp:
1660         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1661         * jit/JITOpcodes.cpp:
1662         (JSC::JIT::emit_op_is_undefined):
1663         (JSC::JIT::emit_op_jfalse):
1664         (JSC::JIT::emit_op_jeq_null):
1665         (JSC::JIT::emit_op_jneq_null):
1666         (JSC::JIT::emit_op_jtrue):
1667         (JSC::JIT::emit_op_throw):
1668         (JSC::JIT::emit_op_catch):
1669         (JSC::JIT::emit_op_eq_null):
1670         (JSC::JIT::emit_op_neq_null):
1671         (JSC::JIT::emitSlow_op_loop_hint):
1672         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1673         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1674         * jit/JITOpcodes32_64.cpp:
1675         (JSC::JIT::emit_op_jfalse):
1676         (JSC::JIT::emit_op_jtrue):
1677         (JSC::JIT::emit_op_throw):
1678         (JSC::JIT::emit_op_catch):
1679         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1680         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1681         * jit/JITOperations.cpp:
1682         (JSC::operationNewFunctionCommon):
1683         (JSC::tryGetByValOptimize):
1684         * jit/JITPropertyAccess.cpp:
1685         (JSC::JIT::emitWriteBarrier):
1686         * jit/JITThunks.cpp:
1687         (JSC::JITThunks::ctiNativeCall):
1688         (JSC::JITThunks::ctiNativeConstruct):
1689         (JSC::JITThunks::ctiNativeTailCall):
1690         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
1691         (JSC::JITThunks::ctiInternalFunctionCall):
1692         (JSC::JITThunks::ctiInternalFunctionConstruct):
1693         (JSC::JITThunks::ctiStub):
1694         (JSC::JITThunks::hostFunctionStub):
1695         * jit/JITThunks.h:
1696         * jit/JITWorklist.cpp:
1697         (JSC::JITWorklist::Plan::vm):
1698         (JSC::JITWorklist::completeAllForVM):
1699         (JSC::JITWorklist::poll):
1700         (JSC::JITWorklist::compileLater):
1701         (JSC::JITWorklist::compileNow):
1702         * jit/Repatch.cpp:
1703         (JSC::readPutICCallTarget):
1704         (JSC::ftlThunkAwareRepatchCall):
1705         (JSC::linkSlowFor):
1706         (JSC::linkFor):
1707         (JSC::linkDirectFor):
1708         (JSC::revertCall):
1709         (JSC::unlinkFor):
1710         (JSC::linkVirtualFor):
1711         (JSC::linkPolymorphicCall):
1712         * jit/SpecializedThunkJIT.h:
1713         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
1714         * jit/ThunkGenerator.h:
1715         * jit/ThunkGenerators.cpp:
1716         (JSC::throwExceptionFromCallSlowPathGenerator):
1717         (JSC::slowPathFor):
1718         (JSC::linkCallThunkGenerator):
1719         (JSC::linkPolymorphicCallThunkGenerator):
1720         (JSC::virtualThunkFor):
1721         (JSC::nativeForGenerator):
1722         (JSC::nativeCallGenerator):
1723         (JSC::nativeTailCallGenerator):
1724         (JSC::nativeTailCallWithoutSavedTagsGenerator):
1725         (JSC::nativeConstructGenerator):
1726         (JSC::internalFunctionCallGenerator):
1727         (JSC::internalFunctionConstructGenerator):
1728         (JSC::arityFixupGenerator):
1729         (JSC::unreachableGenerator):
1730         (JSC::stringGetByValGenerator):
1731         (JSC::charToString):
1732         (JSC::charCodeAtThunkGenerator):
1733         (JSC::charAtThunkGenerator):
1734         (JSC::fromCharCodeThunkGenerator):
1735         (JSC::clz32ThunkGenerator):
1736         (JSC::sqrtThunkGenerator):
1737         (JSC::floorThunkGenerator):
1738         (JSC::ceilThunkGenerator):
1739         (JSC::truncThunkGenerator):
1740         (JSC::roundThunkGenerator):
1741         (JSC::expThunkGenerator):
1742         (JSC::logThunkGenerator):
1743         (JSC::absThunkGenerator):
1744         (JSC::imulThunkGenerator):
1745         (JSC::randomThunkGenerator):
1746         (JSC::boundThisNoArgsFunctionCallGenerator):
1747         * jit/ThunkGenerators.h:
1748         * jsc.cpp:
1749         (GlobalObject::finishCreation):
1750         (GlobalObject::addFunction):
1751         (GlobalObject::moduleLoaderImportModule):
1752         (GlobalObject::moduleLoaderResolve):
1753         (GlobalObject::moduleLoaderCreateImportMetaProperties):
1754         (functionDescribe):
1755         (functionDescribeArray):
1756         (JSCMemoryFootprint::addProperty):
1757         (functionRun):
1758         (functionRunString):
1759         (functionReadFile):
1760         (functionCallerSourceOrigin):
1761         (functionReadline):
1762         (functionDollarCreateRealm):
1763         (functionDollarEvalScript):
1764         (functionDollarAgentGetReport):
1765         (functionWaitForReport):
1766         (functionJSCOptions):
1767         (functionCheckModuleSyntax):
1768         (functionGenerateHeapSnapshotForGCDebugging):
1769         (functionWebAssemblyMemoryMode):
1770         (dumpException):
1771         (checkUncaughtException):
1772         * llint/LLIntSlowPaths.cpp:
1773         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1774         (JSC::LLInt::handleHostCall):
1775         * parser/ASTBuilder.h:
1776         (JSC::ASTBuilder::ASTBuilder):
1777         (JSC::ASTBuilder::createResolve):
1778         (JSC::ASTBuilder::createGetterOrSetterProperty):
1779         (JSC::ASTBuilder::createProperty):
1780         (JSC::ASTBuilder::createFuncDeclStatement):
1781         (JSC::ASTBuilder::makeFunctionCallNode):
1782         * parser/Lexer.cpp:
1783         (JSC::Lexer<T>::Lexer):
1784         (JSC::Lexer<LChar>::parseIdentifier):
1785         (JSC::Lexer<UChar>::parseIdentifier):
1786         * parser/Lexer.h:
1787         (JSC::Lexer<T>::lexExpectIdentifier):
1788         * parser/ModuleAnalyzer.cpp:
1789         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1790         * parser/ModuleAnalyzer.h:
1791         (JSC::ModuleAnalyzer::vm):
1792         * parser/Parser.cpp:
1793         (JSC::Parser<LexerType>::Parser):
1794         (JSC::Parser<LexerType>::parseInner):
1795         (JSC::Parser<LexerType>::isArrowFunctionParameters):
1796         (JSC::Parser<LexerType>::parseSourceElements):
1797         (JSC::Parser<LexerType>::parseModuleSourceElements):
1798         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1799         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
1800         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1801         (JSC::Parser<LexerType>::parseSingleFunction):
1802         (JSC::Parser<LexerType>::parseStatementListItem):
1803         (JSC::Parser<LexerType>::parseObjectRestAssignmentElement):
1804         (JSC::Parser<LexerType>::parseAssignmentElement):
1805         (JSC::Parser<LexerType>::parseDestructuringPattern):
1806         (JSC::Parser<LexerType>::parseForStatement):
1807         (JSC::Parser<LexerType>::parseBreakStatement):
1808         (JSC::Parser<LexerType>::parseContinueStatement):
1809         (JSC::Parser<LexerType>::parseStatement):
1810         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
1811         (JSC::Parser<LexerType>::createGeneratorParameters):
1812         (JSC::Parser<LexerType>::parseFunctionInfo):
1813         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1814         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1815         (JSC::Parser<LexerType>::parseClassDeclaration):
1816         (JSC::Parser<LexerType>::parseClass):
1817         (JSC::Parser<LexerType>::parseImportClauseItem):
1818         (JSC::Parser<LexerType>::parseImportDeclaration):
1819         (JSC::Parser<LexerType>::parseExportSpecifier):
1820         (JSC::Parser<LexerType>::parseExportDeclaration):
1821         (JSC::Parser<LexerType>::parseAssignmentExpression):
1822         (JSC::Parser<LexerType>::parseProperty):
1823         (JSC::Parser<LexerType>::parseGetterSetter):
1824         (JSC::Parser<LexerType>::parseObjectLiteral):
1825         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
1826         (JSC::Parser<LexerType>::parseClassExpression):
1827         (JSC::Parser<LexerType>::parseFunctionExpression):
1828         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
1829         (JSC::Parser<LexerType>::parsePrimaryExpression):
1830         (JSC::Parser<LexerType>::parseMemberExpression):
1831         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
1832         (JSC::Parser<LexerType>::parseUnaryExpression):
1833         * parser/Parser.h:
1834         (JSC::isArguments):
1835         (JSC::isEval):
1836         (JSC::isEvalOrArgumentsIdentifier):
1837         (JSC::Scope::Scope):
1838         (JSC::Scope::declareParameter):
1839         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1840         (JSC::Scope::collectFreeVariables):
1841         (JSC::Parser::canRecurse):
1842         (JSC::parse):
1843         (JSC::parseFunctionForFunctionConstructor):
1844         * parser/ParserArena.h:
1845         (JSC::IdentifierArena::makeIdentifier):
1846         (JSC::IdentifierArena::makeEmptyIdentifier):
1847         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
1848         (JSC::IdentifierArena::makeNumericIdentifier):
1849         * parser/SyntaxChecker.h:
1850         (JSC::SyntaxChecker::SyntaxChecker):
1851         (JSC::SyntaxChecker::createProperty):
1852         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1853         * profiler/ProfilerBytecode.cpp:
1854         (JSC::Profiler::Bytecode::toJS const):
1855         * profiler/ProfilerBytecodeSequence.cpp:
1856         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
1857         * profiler/ProfilerBytecodes.cpp:
1858         (JSC::Profiler::Bytecodes::toJS const):
1859         * profiler/ProfilerCompilation.cpp:
1860         (JSC::Profiler::Compilation::toJS const):
1861         * profiler/ProfilerCompiledBytecode.cpp:
1862         (JSC::Profiler::CompiledBytecode::toJS const):
1863         * profiler/ProfilerEvent.cpp:
1864         (JSC::Profiler::Event::toJS const):
1865         * profiler/ProfilerOSRExit.cpp:
1866         (JSC::Profiler::OSRExit::toJS const):
1867         * profiler/ProfilerOSRExitSite.cpp:
1868         (JSC::Profiler::OSRExitSite::toJS const):
1869         * profiler/ProfilerUID.cpp:
1870         (JSC::Profiler::UID::toJS const):
1871         * runtime/AbstractModuleRecord.cpp:
1872         (JSC::AbstractModuleRecord::finishCreation):
1873         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1874         (JSC::AbstractModuleRecord::resolveExportImpl):
1875         (JSC::getExportedNames):
1876         (JSC::AbstractModuleRecord::getModuleNamespace):
1877         * runtime/ArrayBufferNeuteringWatchpointSet.cpp:
1878         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
1879         * runtime/ArrayIteratorPrototype.cpp:
1880         (JSC::ArrayIteratorPrototype::finishCreation):
1881         * runtime/ArrayPrototype.cpp:
1882         (JSC::fastJoin):
1883         (JSC::arrayProtoFuncToLocaleString):
1884         (JSC::slowJoin):
1885         (JSC::arrayProtoFuncJoin):
1886         (JSC::arrayProtoFuncPush):
1887         * runtime/AsyncFunctionPrototype.cpp:
1888         (JSC::AsyncFunctionPrototype::finishCreation):
1889         * runtime/AsyncGeneratorFunctionPrototype.cpp:
1890         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
1891         * runtime/AsyncGeneratorPrototype.cpp:
1892         (JSC::AsyncGeneratorPrototype::finishCreation):
1893         * runtime/AtomicsObject.cpp:
1894         (JSC::AtomicsObject::finishCreation):
1895         (JSC::atomicsFuncWait):
1896         (JSC::operationAtomicsAdd):
1897         (JSC::operationAtomicsAnd):
1898         (JSC::operationAtomicsCompareExchange):
1899         (JSC::operationAtomicsExchange):
1900         (JSC::operationAtomicsIsLockFree):
1901         (JSC::operationAtomicsLoad):
1902         (JSC::operationAtomicsOr):
1903         (JSC::operationAtomicsStore):
1904         (JSC::operationAtomicsSub):
1905         (JSC::operationAtomicsXor):
1906         * runtime/BigIntPrototype.cpp:
1907         (JSC::BigIntPrototype::finishCreation):
1908         (JSC::bigIntProtoFuncToString):
1909         * runtime/CachedTypes.cpp:
1910         (JSC::CachedUniquedStringImplBase::decode const):
1911         (JSC::CachedIdentifier::decode const):
1912         (JSC::CachedJSValue::decode const):
1913         * runtime/CodeCache.cpp:
1914         (JSC::CodeCacheMap::pruneSlowCase):
1915         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1916         * runtime/CodeCache.h:
1917         (JSC::generateUnlinkedCodeBlockImpl):
1918         * runtime/CommonIdentifiers.cpp:
1919         (JSC::CommonIdentifiers::CommonIdentifiers):
1920         * runtime/CommonIdentifiers.h:
1921         * runtime/CommonSlowPaths.cpp:
1922         (JSC::SLOW_PATH_DECL):
1923         * runtime/Completion.cpp:
1924         (JSC::checkSyntaxInternal):
1925         (JSC::checkModuleSyntax):
1926         (JSC::loadAndEvaluateModule):
1927         (JSC::loadModule):
1928         * runtime/DateConstructor.cpp:
1929         (JSC::callDate):
1930         * runtime/DatePrototype.cpp:
1931         (JSC::formatLocaleDate):
1932         (JSC::formateDateInstance):
1933         (JSC::DatePrototype::finishCreation):
1934         (JSC::dateProtoFuncToISOString):
1935         * runtime/Error.cpp:
1936         (JSC::addErrorInfo):
1937         * runtime/ErrorInstance.cpp:
1938         (JSC::appendSourceToError):
1939         (JSC::ErrorInstance::finishCreation):
1940         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1941         * runtime/ErrorPrototype.cpp:
1942         (JSC::ErrorPrototype::finishCreation):
1943         (JSC::errorProtoFuncToString):
1944         * runtime/ExceptionHelpers.cpp:
1945         (JSC::TerminatedExecutionError::defaultValue):
1946         * runtime/FunctionPrototype.cpp:
1947         (JSC::functionProtoFuncToString):
1948         * runtime/FunctionRareData.cpp:
1949         (JSC::FunctionRareData::clear):
1950         * runtime/GeneratorFunctionPrototype.cpp:
1951         (JSC::GeneratorFunctionPrototype::finishCreation):
1952         * runtime/GeneratorPrototype.cpp:
1953         (JSC::GeneratorPrototype::finishCreation):
1954         * runtime/GenericArgumentsInlines.h:
1955         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1956         * runtime/GetterSetter.h:
1957         * runtime/Identifier.cpp:
1958         (JSC::Identifier::add):
1959         (JSC::Identifier::add8):
1960         (JSC::Identifier::from):
1961         (JSC::Identifier::checkCurrentAtomStringTable):
1962         * runtime/Identifier.h:
1963         (JSC::Identifier::fromString):
1964         (JSC::Identifier::createLCharFromUChar):
1965         (JSC::Identifier::Identifier):
1966         (JSC::Identifier::add):
1967         * runtime/IdentifierInlines.h:
1968         (JSC::Identifier::Identifier):
1969         (JSC::Identifier::add):
1970         (JSC::Identifier::fromUid):
1971         (JSC::Identifier::fromString):
1972         (JSC::identifierToJSValue):
1973         (JSC::identifierToSafePublicJSValue):
1974         * runtime/InternalFunction.cpp:
1975         (JSC::InternalFunction::finishCreation):
1976         * runtime/IntlCollator.cpp:
1977         (JSC::IntlCollator::resolvedOptions):
1978         * runtime/IntlCollatorPrototype.cpp:
1979         (JSC::IntlCollatorPrototype::finishCreation):
1980         * runtime/IntlDateTimeFormat.cpp:
1981         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
1982         (JSC::IntlDateTimeFormat::resolvedOptions):
1983         (JSC::IntlDateTimeFormat::format):
1984         (JSC::IntlDateTimeFormat::formatToParts):
1985         * runtime/IntlDateTimeFormatPrototype.cpp:
1986         (JSC::IntlDateTimeFormatPrototype::finishCreation):
1987         * runtime/IntlNumberFormat.cpp:
1988         (JSC::IntlNumberFormat::initializeNumberFormat):
1989         (JSC::IntlNumberFormat::formatNumber):
1990         (JSC::IntlNumberFormat::resolvedOptions):
1991         (JSC::IntlNumberFormat::formatToParts):
1992         * runtime/IntlNumberFormatPrototype.cpp:
1993         (JSC::IntlNumberFormatPrototype::finishCreation):
1994         * runtime/IntlObject.cpp:
1995         (JSC::lookupSupportedLocales):
1996         (JSC::supportedLocales):
1997         (JSC::intlObjectFuncGetCanonicalLocales):
1998         * runtime/IntlPluralRules.cpp:
1999         (JSC::IntlPluralRules::initializePluralRules):
2000         (JSC::IntlPluralRules::resolvedOptions):
2001         (JSC::IntlPluralRules::select):
2002         * runtime/IntlPluralRulesPrototype.cpp:
2003         (JSC::IntlPluralRulesPrototype::finishCreation):
2004         * runtime/JSArray.h:
2005         (JSC::asArray):
2006         (JSC::isJSArray):
2007         * runtime/JSArrayBufferPrototype.cpp:
2008         (JSC::JSArrayBufferPrototype::finishCreation):
2009         * runtime/JSArrayBufferView.cpp:
2010         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
2011         * runtime/JSCJSValue.cpp:
2012         (JSC::JSValue::putToPrimitiveByIndex):
2013         (JSC::JSValue::dumpForBacktrace const):
2014         (JSC::JSValue::toStringSlowCase const):
2015         * runtime/JSCJSValueInlines.h:
2016         (JSC::JSValue::toPropertyKey const):
2017         (JSC::JSValue::get const):
2018         * runtime/JSCast.h:
2019         (JSC::jsCast):
2020         * runtime/JSCell.cpp:
2021         (JSC::JSCell::dump const):
2022         (JSC::JSCell::dumpToStream):
2023         (JSC::JSCell::putByIndex):
2024         * runtime/JSCellInlines.h:
2025         (JSC::JSCell::structure const):
2026         (JSC::ExecState::vm const):
2027         (JSC::tryAllocateCellHelper):
2028         * runtime/JSDataViewPrototype.cpp:
2029         (JSC::JSDataViewPrototype::finishCreation):
2030         * runtime/JSFixedArray.cpp:
2031         (JSC::JSFixedArray::dumpToStream):
2032         * runtime/JSFunction.cpp:
2033         (JSC::JSFunction::finishCreation):
2034         (JSC::RetrieveCallerFunctionFunctor::operator() const):
2035         (JSC::JSFunction::reifyName):
2036         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2037         (JSC::JSFunction::assertTypeInfoFlagInvariants):
2038         * runtime/JSGenericTypedArrayViewInlines.h:
2039         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
2040         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
2041         * runtime/JSGlobalObject.cpp:
2042         (JSC::JSGlobalObject::init):
2043         (JSC::JSGlobalObject::exposeDollarVM):
2044         * runtime/JSGlobalObjectFunctions.cpp:
2045         (JSC::encode):
2046         (JSC::decode):
2047         (JSC::globalFuncEscape):
2048         (JSC::globalFuncUnescape):
2049         (JSC::globalFuncBuiltinDescribe):
2050         * runtime/JSLexicalEnvironment.cpp:
2051         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2052         * runtime/JSModuleEnvironment.cpp:
2053         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2054         (JSC::JSModuleEnvironment::put):
2055         (JSC::JSModuleEnvironment::deleteProperty):
2056         * runtime/JSModuleLoader.cpp:
2057         (JSC::JSModuleLoader::finishCreation):
2058         (JSC::JSModuleLoader::requestImportModule):
2059         (JSC::moduleLoaderParseModule):
2060         (JSC::moduleLoaderRequestedModules):
2061         * runtime/JSModuleNamespaceObject.cpp:
2062         (JSC::JSModuleNamespaceObject::finishCreation):
2063         (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex):
2064         * runtime/JSModuleRecord.cpp:
2065         (JSC::JSModuleRecord::instantiateDeclarations):
2066         * runtime/JSONObject.cpp:
2067         (JSC::JSONObject::finishCreation):
2068         (JSC::PropertyNameForFunctionCall::value const):
2069         (JSC::Stringifier::Stringifier):
2070         (JSC::Stringifier::stringify):
2071         (JSC::Stringifier::Holder::appendNextProperty):
2072         (JSC::Walker::walk):
2073         * runtime/JSObject.cpp:
2074         (JSC::getClassPropertyNames):
2075         (JSC::JSObject::getOwnPropertySlotByIndex):
2076         (JSC::JSObject::putByIndex):
2077         (JSC::JSObject::deletePropertyByIndex):
2078         (JSC::JSObject::toString const):
2079         (JSC::JSObject::reifyAllStaticProperties):
2080         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2081         * runtime/JSObject.h:
2082         (JSC::JSObject::putByIndexInline):
2083         (JSC::JSObject::butterflyPreCapacity):
2084         (JSC::JSObject::butterflyTotalSize):
2085         (JSC::makeIdentifier):
2086         * runtime/JSPromisePrototype.cpp:
2087         (JSC::JSPromisePrototype::finishCreation):
2088         * runtime/JSPropertyNameEnumerator.cpp:
2089         (JSC::JSPropertyNameEnumerator::finishCreation):
2090         * runtime/JSPropertyNameEnumerator.h:
2091         (JSC::propertyNameEnumerator):
2092         * runtime/JSRunLoopTimer.cpp:
2093         (JSC::JSRunLoopTimer::JSRunLoopTimer):
2094         * runtime/JSRunLoopTimer.h:
2095         * runtime/JSString.cpp:
2096         (JSC::JSString::dumpToStream):
2097         (JSC::JSRopeString::resolveRopeWithFunction const):
2098         (JSC::jsStringWithCacheSlowCase):
2099         * runtime/JSString.h:
2100         (JSC::jsEmptyString):
2101         (JSC::jsSingleCharacterString):
2102         (JSC::jsNontrivialString):
2103         (JSC::JSString::toIdentifier const):
2104         (JSC::JSString::toAtomString const):
2105         (JSC::JSString::toExistingAtomString const):
2106         (JSC::JSString::value const):
2107         (JSC::JSString::tryGetValue const):
2108         (JSC::JSString::getIndex):
2109         (JSC::jsString):
2110         (JSC::jsSubstring):
2111         (JSC::jsOwnedString):
2112         (JSC::jsStringWithCache):
2113         (JSC::JSRopeString::unsafeView const):
2114         (JSC::JSRopeString::viewWithUnderlyingString const):
2115         (JSC::JSString::unsafeView const):
2116         * runtime/JSStringInlines.h:
2117         (JSC::jsMakeNontrivialString):
2118         (JSC::repeatCharacter):
2119         * runtime/JSStringJoiner.cpp:
2120         (JSC::JSStringJoiner::join):
2121         * runtime/JSSymbolTableObject.cpp:
2122         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2123         * runtime/JSTemplateObjectDescriptor.cpp:
2124         (JSC::JSTemplateObjectDescriptor::createTemplateObject):
2125         * runtime/JSTypedArrayViewPrototype.cpp:
2126         (JSC::typedArrayViewProtoGetterFuncToStringTag):
2127         * runtime/LazyClassStructure.cpp:
2128         (JSC::LazyClassStructure::Initializer::setConstructor):
2129         * runtime/LazyProperty.h:
2130         (JSC::LazyProperty::Initializer::Initializer):
2131         * runtime/LiteralParser.cpp:
2132         (JSC::LiteralParser<CharType>::tryJSONPParse):
2133         (JSC::LiteralParser<CharType>::makeIdentifier):
2134         (JSC::LiteralParser<CharType>::parse):
2135         * runtime/Lookup.h:
2136         (JSC::reifyStaticProperties):
2137         * runtime/MapIteratorPrototype.cpp:
2138         (JSC::MapIteratorPrototype::finishCreation):
2139         * runtime/MapPrototype.cpp:
2140         (JSC::MapPrototype::finishCreation):
2141         * runtime/MathObject.cpp:
2142         (JSC::MathObject::finishCreation):
2143         * runtime/NumberConstructor.cpp:
2144         (JSC::NumberConstructor::finishCreation):
2145         * runtime/NumberPrototype.cpp:
2146         (JSC::numberProtoFuncToExponential):
2147         (JSC::numberProtoFuncToFixed):
2148         (JSC::numberProtoFuncToPrecision):
2149         (JSC::int32ToStringInternal):
2150         (JSC::numberToStringInternal):
2151         (JSC::int52ToString):
2152         * runtime/ObjectConstructor.cpp:
2153         (JSC::objectConstructorGetOwnPropertyDescriptors):
2154         (JSC::objectConstructorAssign):
2155         (JSC::objectConstructorValues):
2156         (JSC::defineProperties):
2157         (JSC::setIntegrityLevel):
2158         (JSC::testIntegrityLevel):
2159         (JSC::ownPropertyKeys):
2160         * runtime/ObjectPrototype.cpp:
2161         (JSC::objectProtoFuncToString):
2162         * runtime/Operations.h:
2163         (JSC::jsString):
2164         (JSC::jsStringFromRegisterArray):
2165         (JSC::jsStringFromArguments):
2166         * runtime/ProgramExecutable.cpp:
2167         (JSC::ProgramExecutable::initializeGlobalProperties):
2168         * runtime/PromiseDeferredTimer.cpp:
2169         (JSC::PromiseDeferredTimer::PromiseDeferredTimer):
2170         (JSC::PromiseDeferredTimer::hasPendingPromise):
2171         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
2172         (JSC::PromiseDeferredTimer::cancelPendingPromise):
2173         * runtime/PropertyNameArray.h:
2174         (JSC::PropertyNameArray::PropertyNameArray):
2175         (JSC::PropertyNameArray::vm):
2176         * runtime/PropertySlot.h:
2177         (JSC::PropertySlot::getValue const):
2178         * runtime/ProxyObject.cpp:
2179         (JSC::performProxyGet):
2180         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2181         (JSC::ProxyObject::performHasProperty):
2182         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2183         (JSC::ProxyObject::performPut):
2184         (JSC::ProxyObject::putByIndexCommon):
2185         (JSC::ProxyObject::performDelete):
2186         (JSC::ProxyObject::deletePropertyByIndex):
2187         (JSC::ProxyObject::performDefineOwnProperty):
2188         (JSC::ProxyObject::performGetOwnPropertyNames):
2189         * runtime/RegExpGlobalData.cpp:
2190         (JSC::RegExpGlobalData::getBackref):
2191         (JSC::RegExpGlobalData::getLastParen):
2192         * runtime/RegExpMatchesArray.cpp:
2193         (JSC::createEmptyRegExpMatchesArray):
2194         * runtime/RegExpMatchesArray.h:
2195         (JSC::createRegExpMatchesArray):
2196         * runtime/RegExpPrototype.cpp:
2197         (JSC::regExpProtoGetterFlags):
2198         (JSC::regExpProtoGetterSourceInternal):
2199         (JSC::regExpProtoGetterSource):
2200         * runtime/RegExpStringIteratorPrototype.cpp:
2201         (JSC::RegExpStringIteratorPrototype::finishCreation):
2202         * runtime/SamplingProfiler.cpp:
2203         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2204         * runtime/ScriptExecutable.cpp:
2205         (JSC::ScriptExecutable::installCode):
2206         (JSC::ScriptExecutable::newCodeBlockFor):
2207         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
2208         (JSC::setupJIT):
2209         * runtime/SetIteratorPrototype.cpp:
2210         (JSC::SetIteratorPrototype::finishCreation):
2211         * runtime/SetPrototype.cpp:
2212         (JSC::SetPrototype::finishCreation):
2213         * runtime/StackFrame.cpp:
2214         (JSC::StackFrame::computeLineAndColumn const):
2215         * runtime/StringConstructor.cpp:
2216         (JSC::stringFromCharCode):
2217         (JSC::stringFromCodePoint):
2218         (JSC::stringConstructor):
2219         (JSC::callStringConstructor):
2220         * runtime/StringIteratorPrototype.cpp:
2221         (JSC::StringIteratorPrototype::finishCreation):
2222         * runtime/StringObject.cpp:
2223         (JSC::StringObject::getOwnPropertySlotByIndex):
2224         (JSC::StringObject::getOwnPropertyNames):
2225         * runtime/StringObject.h:
2226         (JSC::StringObject::create):
2227         (JSC::jsStringWithReuse):
2228         (JSC::jsSubstring):
2229         * runtime/StringPrototype.cpp:
2230         (JSC::StringPrototype::finishCreation):
2231         (JSC::StringPrototype::create):
2232         (JSC::jsSpliceSubstrings):
2233         (JSC::jsSpliceSubstringsWithSeparators):
2234         (JSC::replaceUsingRegExpSearch):
2235         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
2236         (JSC::operationStringProtoFuncReplaceRegExpString):
2237         (JSC::replaceUsingStringSearch):
2238         (JSC::operationStringProtoFuncReplaceGeneric):
2239         (JSC::stringProtoFuncCharAt):
2240         (JSC::stringProtoFuncSplitFast):
2241         (JSC::stringProtoFuncSubstr):
2242         (JSC::stringProtoFuncToLowerCase):
2243         (JSC::stringProtoFuncToUpperCase):
2244         (JSC::toLocaleCase):
2245         (JSC::trimString):
2246         (JSC::normalize):
2247         * runtime/StringPrototypeInlines.h:
2248         (JSC::stringSlice):
2249         * runtime/StringRecursionChecker.cpp:
2250         (JSC::StringRecursionChecker::emptyString):
2251         * runtime/Structure.cpp:
2252         (JSC::Structure::didTransitionFromThisStructure const):
2253         * runtime/StructureInlines.h:
2254         (JSC::Structure::didReplaceProperty):
2255         (JSC::Structure::shouldConvertToPolyProto):
2256         * runtime/SymbolConstructor.cpp:
2257         (JSC::symbolConstructorKeyFor):
2258         * runtime/SymbolPrototype.cpp:
2259         (JSC::SymbolPrototype::finishCreation):
2260         (JSC::symbolProtoGetterDescription):
2261         (JSC::symbolProtoFuncToString):
2262         * runtime/SymbolTable.cpp:
2263         (JSC::SymbolTable::setRareDataCodeBlock):
2264         * runtime/TestRunnerUtils.cpp:
2265         (JSC::getExecutableForFunction):
2266         * runtime/VM.cpp:
2267         (JSC::VM::VM):
2268         (JSC::VM::getHostFunction):
2269         (JSC::VM::getCTIInternalFunctionTrampolineFor):
2270         (JSC::VM::shrinkFootprintWhenIdle):
2271         (JSC::logSanitizeStack):
2272         (JSC::sanitizeStackForVM):
2273         (JSC::VM::emptyPropertyNameEnumeratorSlow):
2274         * runtime/VM.h:
2275         (JSC::VM::getCTIStub):
2276         (JSC::WeakSet::heap const):
2277         * runtime/VMTraps.cpp:
2278         * runtime/WeakMapPrototype.cpp:
2279         (JSC::WeakMapPrototype::finishCreation):
2280         * runtime/WeakObjectRefPrototype.cpp:
2281         (JSC::WeakObjectRefPrototype::finishCreation):
2282         * runtime/WeakSetPrototype.cpp:
2283         (JSC::WeakSetPrototype::finishCreation):
2284         * tools/HeapVerifier.cpp:
2285         (JSC::HeapVerifier::printVerificationHeader):
2286         (JSC::HeapVerifier::verifyCellList):
2287         (JSC::HeapVerifier::validateJSCell):
2288         (JSC::HeapVerifier::reportCell):
2289         * tools/JSDollarVM.cpp:
2290         (JSC::JSDollarVMCallFrame::finishCreation):
2291         (JSC::JSDollarVMCallFrame::addProperty):
2292         (JSC::CustomGetter::getOwnPropertySlot):
2293         (JSC::CustomGetter::customGetter):
2294         (JSC::CustomGetter::customGetterAcessor):
2295         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
2296         (JSC::DOMJITGetter::finishCreation):
2297         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2298         (JSC::DOMJITGetterComplex::finishCreation):
2299         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
2300         (JSC::DOMJITFunctionObject::finishCreation):
2301         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
2302         (JSC::DOMJITCheckSubClassObject::finishCreation):
2303         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2304         (JSC::DOMJITGetterBaseJSObject::finishCreation):
2305         (JSC::customSetAccessor):
2306         (JSC::customSetValue):
2307         (JSC::JSTestCustomGetterSetter::finishCreation):
2308         (JSC::WasmStreamingParser::finishCreation):
2309         (JSC::getExecutableForFunction):
2310         (JSC::functionCodeBlockFor):
2311         (JSC::functionIndexingMode):
2312         (JSC::functionValue):
2313         (JSC::functionCreateBuiltin):
2314         (JSC::functionGetPrivateProperty):
2315         (JSC::JSDollarVM::finishCreation):
2316         (JSC::JSDollarVM::addFunction):
2317         (JSC::JSDollarVM::addConstructibleFunction):
2318         * tools/VMInspector.cpp:
2319         (JSC::VMInspector::dumpRegisters):
2320         (JSC::VMInspector::dumpCellMemoryToStream):
2321         * wasm/WasmInstance.cpp:
2322         (JSC::Wasm::Instance::setGlobal):
2323         (JSC::Wasm::Instance::setFunctionWrapper):
2324         (JSC::Wasm::setWasmTableElement):
2325         (JSC::Wasm::doWasmRefFunc):
2326         * wasm/WasmTable.cpp:
2327         (JSC::Wasm::Table::set):
2328         (JSC::Wasm::FuncRefTable::setFunction):
2329         * wasm/js/JSWebAssembly.cpp:
2330         (JSC::resolve):
2331         * wasm/js/JSWebAssemblyInstance.cpp:
2332         (JSC::JSWebAssemblyInstance::create):
2333         * wasm/js/WasmToJS.cpp:
2334         (JSC::Wasm::handleBadI64Use):
2335         (JSC::Wasm::wasmToJS):
2336         (JSC::Wasm::wasmToJSException):
2337         * wasm/js/WebAssemblyFunction.cpp:
2338         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2339         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2340         (JSC::constructJSWebAssemblyMemory):
2341         * wasm/js/WebAssemblyModuleConstructor.cpp:
2342         (JSC::webAssemblyModuleImports):
2343         (JSC::webAssemblyModuleExports):
2344         * wasm/js/WebAssemblyModuleRecord.cpp:
2345         (JSC::WebAssemblyModuleRecord::finishCreation):
2346         (JSC::WebAssemblyModuleRecord::link):
2347         * wasm/js/WebAssemblyTableConstructor.cpp:
2348         (JSC::constructJSWebAssemblyTable):
2349
2350 2019-08-27  Devin Rousso  <drousso@apple.com>
2351
2352         Web Inspector: don't attach properties to `injectedScript` for the CommandLineAPI
2353         https://bugs.webkit.org/show_bug.cgi?id=201193
2354
2355         Reviewed by Joseph Pecoraro.
2356
2357         For some reason, adding `injectedScript._inspectObject` inside CommandLineAPIModuleSource.js
2358         causes inspector/debugger/tail-deleted-frames-this-value.html to fail.
2359
2360         We should have a similar approach to adding command line api getters and functions, in that
2361         the CommandLineAPIModuleSource.js calls a function with a callback.
2362
2363         * inspector/InjectedScriptSource.js:
2364         (InjectedScript.prototype.inspectObject):
2365         (InjectedScript.prototype.setInspectObject): Added.
2366         (InjectedScript.prototype._evaluateOn):
2367
2368 2019-08-27  Mark Lam  <mark.lam@apple.com>
2369
2370         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
2371         https://bugs.webkit.org/show_bug.cgi?id=201196
2372         <rdar://problem/54703775>
2373
2374         Reviewed by Yusuke Suzuki.
2375
2376         * runtime/FunctionConstructor.cpp:
2377         (JSC::constructFunctionSkippingEvalEnabledCheck):
2378
2379 2019-08-27  Keith Miller  <keith_miller@apple.com>
2380
2381         When dumping Air Graphs BBQ should dump patchpoints.
2382         https://bugs.webkit.org/show_bug.cgi?id=201167
2383
2384         Reviewed by Filip Pizlo.
2385
2386         * wasm/WasmAirIRGenerator.cpp:
2387         (JSC::Wasm::AirIRGenerator:: const):
2388         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2389         (JSC::Wasm::parseAndCompileAir):
2390
2391 2019-08-27  Basuke Suzuki  <Basuke.Suzuki@sony.com>
2392
2393         [RemoteInspector][Socket] Restructuring the components of Socket implementation
2394         https://bugs.webkit.org/show_bug.cgi?id=201079
2395
2396         Reviewed by Ross Kirsling.
2397
2398         Since the change for WeakPtr in r248386, our port started hitting an assertion failure on the usage of
2399         RemoteInspectorSocketEndpoint. We have to send a message to the connection client, but if that
2400         has to be done in the same thread in which the weakPtr was generated, it's a little too strong a
2401         restriction for us to handle. In this restructure, we stop using weakPtr to
2402         resolve the circular dependency and use a reference with an invalidation method instead, because
2403         everything is under our control.
2404
2405         - Make SocketEndpoint a singleton. This class represents a central place to handle socket
2406           connections and there's no need to instantiate more than one in a process. Once every
2407           connection goes away, it just starts sleeping until the next connection is created. Very low
2408           resource usage when it is idle.
2409         - Move the Socket::Connection structure from a global definition to a SocketEndpoint-local
2410           structure. It is used directly and privately in SocketEndpoint.
2411         - Move responsibility for the message encoding/decoding task from SocketEndpoint to
2412           ConnectionClient. Make SocketEndpoint as plain a socket handler as possible to keep it
2413           simple over its long lifespan.
2414         - Extract an interface from ConnectionClient as SocketEndpoint::Client, which is required
2415           to work with SocketEndpoint. Now SocketEndpoint is very independent of the others.
2416           SocketEndpoint::Client is the required parameter to create a connection.
2417
2418         Many responsibilities are moved into ConnectionClient, which was a thin interface for
2419         communication between RemoteInspector, RemoteInspectorServer and RemoteInspectorClient.
2420         It now handles the following:
2421         - life cycle of a connection: create, listen and close or invalidation
2422         - sending and receiving data packed in a message.
2423
2424         RemoteInspector and RemoteInspectorServer are now free from creation of SocketEndpoint.
2425         All communication to SocketEndpoint is now the duty of the superclass.
2426
2427         * inspector/remote/RemoteInspector.h:
2428         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
2429         (Inspector::RemoteInspectorConnectionClient::~RemoteInspectorConnectionClient): Invalidate all connections.
2430         (Inspector::RemoteInspectorConnectionClient::connectInet): Add itself as a listener of socket.
2431         (Inspector::RemoteInspectorConnectionClient::listenInet): Ditto.
2432         (Inspector::RemoteInspectorConnectionClient::createClient): Ditto.
2433         (Inspector::RemoteInspectorConnectionClient::send): Add message processing.
2434         (Inspector::RemoteInspectorConnectionClient::didReceive): Ditto.
2435         (Inspector::RemoteInspectorConnectionClient::extractEvent): Extracted from send.
2436         * inspector/remote/socket/RemoteInspectorConnectionClient.h:
2437         * inspector/remote/socket/RemoteInspectorMessageParser.cpp:
2438         (Inspector::MessageParser::MessageParser):
2439         (Inspector::MessageParser::pushReceivedData):
2440         (Inspector::MessageParser::parse):
2441         * inspector/remote/socket/RemoteInspectorMessageParser.h:
2442         (Inspector::MessageParser::MessageParser):
2443         (Inspector::MessageParser::Function<void):
2444         * inspector/remote/socket/RemoteInspectorServer.cpp:
2445         (Inspector::RemoteInspectorServer::connect): Remove direct communication to Socket Endpoint.
2446         (Inspector::RemoteInspectorServer::listenForTargets): Ditto.
2447         (Inspector::RemoteInspectorServer::sendWebInspectorEvent): Ditto.
2448         (Inspector::RemoteInspectorServer::start): Ditto.
2449         * inspector/remote/socket/RemoteInspectorServer.h:
2450         * inspector/remote/socket/RemoteInspectorSocket.cpp:
2451         (Inspector::RemoteInspector::sendWebInspectorEvent): Remove direct communication to Socket Endpoint.
2452         (Inspector::RemoteInspector::start): Ditto.
2453         (Inspector::RemoteInspector::stopInternal): Ditto.
2454         (Inspector::RemoteInspector::pushListingsNow): Change the target of validity check to ID.
2455         (Inspector::RemoteInspector::pushListingsSoon): Ditto.
2456         (Inspector::RemoteInspector::sendMessageToRemote): Ditto.
2457         * inspector/remote/socket/RemoteInspectorSocket.h: Move Connection structure to RemoteInspectorSocketEndpoint.
2458         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
2459         (Inspector::RemoteInspectorSocketEndpoint::singleton): Added.
2460         (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint): Use hard-coded thread name.
2461         (Inspector::RemoteInspectorSocketEndpoint::connectInet): Accept RemoteInspectorSocketEndpoint::Client as listener.
2462         (Inspector::RemoteInspectorSocketEndpoint::listenInet): Ditto.
2463         (Inspector::RemoteInspectorSocketEndpoint::createClient): Ditto.
2464         (Inspector::RemoteInspectorSocketEndpoint::invalidateClient): Added. Invalidate all connections from the client.
2465         (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled): Remove message parser handling.
2466         (Inspector::RemoteInspectorSocketEndpoint::send): Remove message packing.
2467         (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
2468         * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
2469         (Inspector::RemoteInspectorSocketEndpoint::Connection::Connection):
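
        The reference-plus-invalidation pattern this entry describes, as an added C++ illustration that is not WebKit's code (the Endpoint, Client, ConnectionClient, createConnection and deliver names are hypothetical stand-ins for the SocketEndpoint/ConnectionClient split): a client's destructor invalidates its own connections, so the singleton endpoint never dereferences a client that has already been destroyed.

```cpp
#include <cassert>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for the singleton SocketEndpoint described in the entry.
// It keeps a plain reference (pointer) to each connection's owner instead of a
// WeakPtr; the owner is responsible for calling invalidateClient() before it dies.
using ConnectionID = uint32_t;

class Endpoint {
public:
    // The interface a connection owner must implement (the analogue of
    // SocketEndpoint::Client); it is the required parameter to create a connection.
    class Client {
    public:
        virtual ~Client() = default;
        virtual void didReceive(ConnectionID, const std::string& data) = 0;
    };

    static Endpoint& singleton()
    {
        static Endpoint endpoint;
        return endpoint;
    }

    ConnectionID createConnection(Client& client)
    {
        ConnectionID id = m_nextID++;
        m_connections.emplace(id, Connection { &client });
        return id;
    }

    // Drop every connection owned by `client`. Called from the client's
    // destructor, which is what keeps the stored pointer from dangling.
    void invalidateClient(Client& client)
    {
        for (auto it = m_connections.begin(); it != m_connections.end();) {
            if (it->second.client == &client)
                it = m_connections.erase(it);
            else
                ++it;
        }
    }

    // Simulated receive path. Returns false when the connection was invalidated,
    // instead of touching freed memory.
    bool deliver(ConnectionID id, const std::string& data)
    {
        auto it = m_connections.find(id);
        if (it == m_connections.end())
            return false;
        it->second.client->didReceive(id, data);
        return true;
    }

    size_t connectionCount() const { return m_connections.size(); }

private:
    Endpoint() = default;
    // Endpoint-local connection record, mirroring the move of Connection
    // from a global definition into the endpoint.
    struct Connection { Client* client; };
    std::map<ConnectionID, Connection> m_connections;
    ConnectionID m_nextID { 1 };
};

// Hypothetical stand-in for ConnectionClient: owns the connection lifecycle.
class ConnectionClient : public Endpoint::Client {
public:
    ~ConnectionClient() override { Endpoint::singleton().invalidateClient(*this); }
    ConnectionID connect() { return Endpoint::singleton().createConnection(*this); }
    void didReceive(ConnectionID, const std::string& data) override { received.push_back(data); }
    std::vector<std::string> received;
};

// A delivery attempted after the client is destroyed is rejected, not dispatched.
bool deliverAfterClientDestroyedIsRejected()
{
    ConnectionID id;
    {
        ConnectionClient client;
        id = client.connect();
        assert(Endpoint::singleton().deliver(id, "hello"));
        assert(client.received.size() == 1);
    } // destructor invalidates the connection
    return !Endpoint::singleton().deliver(id, "late");
}

// Invalidating one client leaves another client's connection intact.
bool survivingClientStillReceives()
{
    ConnectionClient survivor;
    ConnectionID survivorID = survivor.connect();
    {
        ConnectionClient doomed;
        doomed.connect();
    }
    return Endpoint::singleton().deliver(survivorID, "still here")
        && survivor.received.size() == 1
        && Endpoint::singleton().connectionCount() == 1;
}
```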
2470
2471 2019-08-26  Devin Rousso  <drousso@apple.com>
2472
2473         Web Inspector: use more C++ keywords for defining agents
2474         https://bugs.webkit.org/show_bug.cgi?id=200959
2475
2476         Reviewed by Joseph Pecoraro.
2477
2478          - make constructors `protected` when the agent isn't meant to be constructed directly
2479          - add `virtual` destructors that are defined in the *.cpp so forward-declarations work
2480          - use `final` wherever possible
2481          - add comments to indicate where any virtual functions come from
2482
2483         * inspector/agents/InspectorAgent.h:
2484         * inspector/agents/InspectorAgent.cpp:
2485         * inspector/agents/InspectorAuditAgent.h:
2486         * inspector/agents/InspectorAuditAgent.cpp:
2487         * inspector/agents/InspectorConsoleAgent.h:
2488         * inspector/agents/InspectorConsoleAgent.cpp:
2489         * inspector/agents/InspectorDebuggerAgent.h:
2490         * inspector/agents/InspectorDebuggerAgent.cpp:
2491         * inspector/agents/InspectorHeapAgent.h:
2492         * inspector/agents/InspectorHeapAgent.cpp:
2493         * inspector/agents/InspectorRuntimeAgent.h:
2494         * inspector/agents/InspectorScriptProfilerAgent.h:
2495         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2496         * inspector/agents/InspectorTargetAgent.h:
2497         * inspector/agents/InspectorTargetAgent.cpp:
2498         * inspector/agents/JSGlobalObjectAuditAgent.h:
2499         * inspector/agents/JSGlobalObjectAuditAgent.cpp:
2500         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2501         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2502         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2503         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2504
2505 2019-08-26  Devin Rousso  <drousso@apple.com>
2506
2507         Web Inspector: unify agent command error messages
2508         https://bugs.webkit.org/show_bug.cgi?id=200950
2509
2510         Reviewed by Joseph Pecoraro.
2511
2512         Different agents can sometimes have different error messages for commands that have a
2513         similar intended effect.  We should make our error messages more similar.
2514
2515         * inspector/JSGlobalObjectConsoleClient.cpp:
2516         * inspector/agents/InspectorAgent.cpp:
2517         * inspector/agents/InspectorAuditAgent.cpp:
2518         * inspector/agents/InspectorConsoleAgent.cpp:
2519         * inspector/agents/InspectorDebuggerAgent.cpp:
2520         * inspector/agents/InspectorHeapAgent.cpp:
2521         * inspector/agents/InspectorRuntimeAgent.cpp:
2522         * inspector/agents/InspectorTargetAgent.cpp:
2523         * inspector/agents/JSGlobalObjectAuditAgent.cpp:
2524         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2525         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2526         Elide function lists to avoid an extremely large ChangeLog entry.
2527
2528 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
2529
2530         [JSC] Ensure x?.y ?? z is fast
2531         https://bugs.webkit.org/show_bug.cgi?id=200875
2532
2533         Reviewed by Yusuke Suzuki.
2534
2535         We anticipate `x?.y ?? z` to quickly become a common idiom in JS. With a little bytecode rearrangement,
2536         we can avoid the "load undefined and check it" dance in the middle and just turn this into two jumps.
2537
2538         Before:
2539                 (get x)
2540           ----- jundefined_or_null
2541           |     (get y)
2542           | --- jmp
2543           > |   (load undefined)
2544             > - jnundefined_or_null
2545               | (get z)
2546               > end
2547
2548         After:
2549                 (get x)
2550             --- jundefined_or_null
2551             |   (get y)
2552             | - jnundefined_or_null
2553             > | (get z)
2554               > end
2555
2556         * bytecompiler/BytecodeGenerator.cpp:
2557         (JSC::BytecodeGenerator::popOptionalChainTarget): Added specialization.
2558         * bytecompiler/BytecodeGenerator.h:
2559         * bytecompiler/NodesCodegen.cpp:
2560         (JSC::CoalesceNode::emitBytecode):
2561         (JSC::OptionalChainNode::emitBytecode):
2562         * parser/ASTBuilder.h:
2563         (JSC::ASTBuilder::makeDeleteNode):
2564         (JSC::ASTBuilder::makeCoalesceNode): Added.
2565         (JSC::ASTBuilder::makeBinaryNode):
2566         * parser/NodeConstructors.h:
2567         (JSC::CoalesceNode::CoalesceNode):
2568         * parser/Nodes.h:
2569         (JSC::ExpressionNode::isDeleteNode const): Added. (Replaces OptionalChainNode::m_isDelete.)
2570
2571 2019-08-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2572
2573         Missing media controls when WebKit is built with Python3
2574         https://bugs.webkit.org/show_bug.cgi?id=194367
2575
2576         Reviewed by Carlos Garcia Campos.
2577
2578         The JavaScript minifier script jsmin.py expects a text stream
2579         with text type as input, but the script make-js-file-arrays.py
2580         was passing to it a FileIO() object. So, when the jsmin script
2581         called read() over this object, python3 was returning a type of
2582         bytes, whereas python2 returned type str.
2583
2584         This caused two problems: first that jsmin failed to do any minifying
2585         because it was comparing strings with a variable of type bytes.
2586         The second major problem was in the write() function, when the
2587         jsmin script tried to convert a byte character to text by calling
2588         str() on it. What this does is not convert from byte type to
2589         string, but simply generate a string with the format b'c'.
2590         So the jsmin script was returning back as minified JS complete
2591         garbage in the form of "b't'b'h'b'h'b'i" for python3.
2592
2593         Therefore, when WebKit was built with python3 this broke everything
2594         that depended on the embedded JS code that make-js-file-arrays.py
2595         was supposed to generate, like the media controls and the WebDriver
2596         atoms.
2597
2598         Fix this by reworking the code in make-js-file-arrays script to
2599         read the data from the file using a TextIOWrapper in python 3
2600         with decoding for 'utf-8'. This ensures that the jsmin receives
2601         a text type. For python2 keep using the same FileIO class.
2602
2603         In the jsmin.py script, remove the problematic call to str() inside
2604         the write() function when running with python3.
2605         On top of that, add an extra check in jsmin.py script to make it
2606         fail if the character type read is not the one expected. This
2607         will cause the build to fail instead of failing silently like
2608         now. I did some tests and the runtime cost of this extra check
2609         is almost zero.
2610
2611         * Scripts/jsmin.py:
2612         (JavascriptMinify.minify.write):
2613         (JavascriptMinify):
2614         * Scripts/make-js-file-arrays.py:
2615         (main):
2616
2617 2019-08-23  Devin Rousso  <drousso@apple.com>
2618
2619         Web Inspector: create additional command line api functions for other console methods
2620         https://bugs.webkit.org/show_bug.cgi?id=200971
2621
2622         Reviewed by Joseph Pecoraro.
2623
2624         Expose all `console.*` functions in the command line API, since they're all already able to
2625         be referenced via the `console` object.
2626
2627         Provide a simpler interface for other injected scripts to modify the command line API.
2628
2629         * inspector/InjectedScriptModule.cpp:
2630         (Inspector::InjectedScriptModule::ensureInjected):
2631
2632         * inspector/InjectedScriptSource.js:
2633         (InjectedScript.prototype.inspectObject):
2634         (InjectedScript.prototype.addCommandLineAPIGetter): Added.
2635         (InjectedScript.prototype.addCommandLineAPIMethod): Added.
2636         (InjectedScript.prototype.hasInjectedModule): Added.
2637         (InjectedScript.prototype.injectModule):
2638         (InjectedScript.prototype._evaluateOn):
2639         (InjectedScript.CommandLineAPI): Added.
2640         (InjectedScript.prototype.module): Deleted.
2641         (InjectedScript.prototype._savedResult): Deleted.
2642         (bind): Deleted.
2643         (BasicCommandLineAPI): Deleted.
2644         (clear): Deleted.
2645         (table): Deleted.
2646         (profile): Deleted.
2647         (profileEnd): Deleted.
2648         (keys): Deleted.
2649         (values): Deleted.
2650         (queryInstances): Deleted.
2651         (queryObjects): Deleted.
2652         (queryHolders): Deleted.
2653
2654 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
2655
2656         Remove MaximalFlushInsertionPhase
2657         https://bugs.webkit.org/show_bug.cgi?id=201036
2658
2659         Reviewed by Saam Barati.
2660
2661         Maximal flush has found too many false positives recently, so we decided it's finally time
2662         to remove it instead of hacking it to fix the most recent false positive.
2663
2664         The most recent false positive was caused by a LoadVarargs followed by a SetArgumentDefinitely
2665         for the argument count that was being flushed in a much later block. Now, since that block was
2666         the head of a loop, and there was a SetLocal in the same block to the same variable, this
2667         generated a Phi of both values, which then led to the unification of their VariableAccessData
2668         in the unification phase. This caused AI to assign the Int52 type to argument count, which
2669         broke the AI’s assumption that it should always be an Int32.
2670
2671         * JavaScriptCore.xcodeproj/project.pbxproj:
2672         * Sources.txt:
2673         * dfg/DFGByteCodeParser.cpp:
2674         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
2675         * dfg/DFGMaximalFlushInsertionPhase.cpp: Removed.
2676         * dfg/DFGMaximalFlushInsertionPhase.h: Removed.
2677         * dfg/DFGPlan.cpp:
2678         (JSC::DFG::Plan::compileInThreadImpl):
2679         * runtime/Options.cpp:
2680         (JSC::recomputeDependentOptions):
2681         * runtime/Options.h:
2682
2683 2019-08-23  Ross Kirsling  <ross.kirsling@sony.com>
2684
2685         Unreviewed WinCairo build fix following r249058.
2686
2687         * API/tests/testapi.cpp:
2688         (TestAPI::callFunction):
2689         WinCairo chokes on `JSValueRef args[sizeof...(arguments)]` when there are no arguments, but AppleWin does not...
2690         MSVC must have changed somehow.
2691
2692 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
2693
2694         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
2695         https://bugs.webkit.org/show_bug.cgi?id=200952
2696
2697         Reviewed by Saam Barati.
2698
2699         The C call that we emitted was incorrect. If we had an int argument that was supposed to be placed in GPR0 by this loop,
2700         we would clobber it while making the call (among many other possible registers). To fix this, we just inline the call
2701         to isWebassemblyHostFunction.
2702
2703         * wasm/js/WebAssemblyFunction.cpp:
2704         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2705
2706 2019-08-23  Ross Kirsling  <ross.kirsling@sony.com>
2707
2708         JSC should have public API for unhandled promise rejections
2709         https://bugs.webkit.org/show_bug.cgi?id=197172
2710
2711         Reviewed by Keith Miller.
2712
2713         This patch makes it possible to register an unhandled promise rejection callback via the JSC API.
2714         Since there is no event loop in such an environment, this callback fires off of the microtask queue.
2715         The callback receives the promise and rejection reason as arguments and its return value is ignored.
2716
2717         * API/JSContextRef.cpp:
2718         (JSGlobalContextSetUnhandledRejectionCallback): Added.
2719         * API/JSContextRefPrivate.h:
2720         Add new C++ API call.
2721
2722         * API/tests/testapi.cpp:
2723         (TestAPI::promiseResolveTrue): Clean up test output.
2724         (TestAPI::promiseRejectTrue): Clean up test output.
2725         (TestAPI::promiseUnhandledRejection): Added.
2726         (TestAPI::promiseUnhandledRejectionFromUnhandledRejectionCallback): Added.
2727         (TestAPI::promiseEarlyHandledRejections): Added.
2728         (testCAPIViaCpp):
2729         Add new C++ API test.
2730
2731         * jsc.cpp:
2732         (GlobalObject::finishCreation):
2733         (functionSetUnhandledRejectionCallback): Added.
2734         Add corresponding global to JSC shell.
2735
2736         * runtime/JSGlobalObject.h:
2737         (JSC::JSGlobalObject::setUnhandledRejectionCallback): Added.
2738         (JSC::JSGlobalObject::unhandledRejectionCallback const): Added.
2739         Keep a strong reference to the callback.
2740
2741         * runtime/JSGlobalObjectFunctions.cpp:
2742         (JSC::globalFuncHostPromiseRejectionTracker):
2743         Add default behavior.
2744
2745         * runtime/VM.cpp:
2746         (JSC::VM::callPromiseRejectionCallback): Added.
2747         (JSC::VM::didExhaustMicrotaskQueue): Added.
2748         (JSC::VM::promiseRejected): Added.
2749         (JSC::VM::drainMicrotasks):
2750         When microtask queue is exhausted, deal with any pending unhandled rejections
2751         (in a manner based on RejectedPromiseTracker's reportUnhandledRejections),
2752         then make sure this didn't cause any new microtasks to be added to the queue.
2753
2754         * runtime/VM.h:
2755         Store unhandled rejections.
2756         (This collection will always be empty in the presence of WebCore.)
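
        The drain loop this entry describes, as an added model that is not JavaScriptCore's VM code:
        rejections are only reported once the microtask queue is exhausted, a rejection that gains a
        handler before that point is never reported, and microtasks queued by the callback itself are
        drained before drainMicrotasks() returns. PromiseId integers stand in for promise objects, and
        the tracker, queue and scenario below are constructed for the example.

```cpp
// Added example, not JavaScriptCore code: a model of microtask draining with
// unhandled-rejection reporting. Promises are represented by integer ids.
#include <deque>
#include <functional>
#include <set>
#include <utility>
#include <vector>

namespace RejectionModel {

using PromiseId = int; // stands in for the promise object

class VM {
public:
    using Callback = std::function<void(PromiseId)>;

    void setUnhandledRejectionCallback(Callback cb) { m_callback = std::move(cb); }
    void queueMicrotask(std::function<void()> task) { m_microtasks.push_back(std::move(task)); }

    // Host hooks, in the spirit of HostPromiseRejectionTracker: a rejection
    // is pending until a handler is attached or the queue is exhausted.
    void promiseRejected(PromiseId p) { m_unhandled.insert(p); }
    void promiseHandled(PromiseId p) { m_unhandled.erase(p); }

    // Drain until no microtasks remain, then report pending rejections.
    // Reporting may enqueue more microtasks (the callback might reject
    // another promise), so keep looping until a report round adds nothing.
    void drainMicrotasks()
    {
        do {
            while (!m_microtasks.empty()) {
                auto task = std::move(m_microtasks.front());
                m_microtasks.pop_front();
                task();
            }
        } while (didExhaustMicrotaskQueue());
    }

    const std::vector<PromiseId>& reported() const { return m_reported; }

private:
    // Returns true if anything was reported, because the callback may have
    // queued fresh microtasks that must be drained before we return.
    bool didExhaustMicrotaskQueue()
    {
        if (m_unhandled.empty())
            return false;
        std::vector<PromiseId> pending(m_unhandled.begin(), m_unhandled.end());
        m_unhandled.clear();
        for (PromiseId p : pending) {
            m_reported.push_back(p);
            if (m_callback)
                m_callback(p);
        }
        return true;
    }

    std::deque<std::function<void()>> m_microtasks;
    std::set<PromiseId> m_unhandled;
    std::vector<PromiseId> m_reported;
    Callback m_callback;
};

// Constructed scenario: promise 1 is rejected but handled by a later
// microtask (not reported); promise 2 is never handled (reported); the
// callback for 2 rejects promise 3 from a new microtask, which must also
// be reported before drainMicrotasks() returns.
static std::vector<PromiseId> runScenario()
{
    VM vm;
    vm.setUnhandledRejectionCallback([&](PromiseId p) {
        if (p == 2)
            vm.queueMicrotask([&] { vm.promiseRejected(3); });
    });
    vm.promiseRejected(1);
    vm.promiseRejected(2);
    vm.queueMicrotask([&] { vm.promiseHandled(1); }); // late handler, still in time
    vm.drainMicrotasks();
    return vm.reported(); // {2, 3}
}

} // namespace RejectionModel
```

        The second loop condition is the point of the "make sure this didn't cause any new microtasks"
        sentence above: without it, a rejection produced inside the callback would sit in the queue
        until the embedder's next drain, or be lost entirely in an embedding without an event loop.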
2757
2758 2019-08-22  Mark Lam  <mark.lam@apple.com>
2759
2760         VirtualRegister::dump() can use more informative CallFrame header slot names.
2761         https://bugs.webkit.org/show_bug.cgi?id=201062
2762
2763         Reviewed by Tadeu Zagallo.
2764
2765         For example, it currently dumps head3 instead of callee.  This patch changes the
2766         dump as follows (for 64-bit addressing):
2767             head0 => callerFrame
2768             head1 => returnPC
2769             head2 => codeBlock
2770             head3 => callee
2771             head4 => argumentCount
2772
2773         Now, one might be wondering when would bytecode ever access callerFrame and
2774         returnPC?  The answer is never.  However, I don't think it's the role of the
2775         dumper to catch a bug where these header slots are being used.  The dumper's role
2776         is to clearly report them so that we can see that these unexpected values are
2777         being used.
2778
2779         * bytecode/VirtualRegister.cpp:
2780         (JSC::VirtualRegister::dump const):
2781
2782 2019-08-22  Andy Estes  <aestes@apple.com>
2783
2784         [watchOS] Disable Content Filtering in the simulator build
2785         https://bugs.webkit.org/show_bug.cgi?id=201047
2786
2787         Reviewed by Tim Horton.
2788
2789         * Configurations/FeatureDefines.xcconfig:
2790
2791 2019-08-22  Adrian Perez de Castro  <aperez@igalia.com>
2792
2793         [GTK][WPE] Fixes for non-unified builds after r248547
2794         https://bugs.webkit.org/show_bug.cgi?id=201044
2795
2796         Reviewed by Philippe Normand.
2797
2798         * b3/B3ReduceLoopStrength.cpp: Add missing inclusions of B3BasicBlockInlines.h,
2799         B3InsertionSet.h, and B3NaturalLoops.h.
2800         * wasm/WasmOMGForOSREntryPlan.h: Include WasmCallee.h instead of forward-declaring
2801         BBQCallee in order to avoid build failure due to incomplete definition on template
2802         expansions.
2803
2804 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
2805
2806         Add missing exception check in canonicalizeLocaleList
2807         https://bugs.webkit.org/show_bug.cgi?id=201021
2808
2809         Reviewed by Mark Lam.
2810
2811         * runtime/IntlObject.cpp:
2812         (JSC::canonicalizeLocaleList):
2813
2814 2019-08-17  Darin Adler  <darin@apple.com>
2815
2816         Use makeString and multi-argument StringBuilder::append instead of less efficient multiple appends
2817         https://bugs.webkit.org/show_bug.cgi?id=200862
2818
2819         Reviewed by Ryosuke Niwa.
2820
2821         * runtime/ExceptionHelpers.cpp:
2822         (JSC::createUndefinedVariableError): Got rid of unnecessary local variable.
2823         (JSC::notAFunctionSourceAppender): Use single append instead of multiple.
2824         Eliminate unneeded and unconventional use of makeString on a single string literal.
2825         (JSC::invalidParameterInstanceofNotFunctionSourceAppender): Ditto.
2826         (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender): Ditto.
2827         (JSC::createInvalidFunctionApplyParameterError): Ditto.
2828         (JSC::createInvalidInParameterError): Ditto.
2829         (JSC::createInvalidInstanceofParameterErrorNotFunction): Ditto.
2830         (JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction): Ditto.
2831
2832         * runtime/FunctionConstructor.cpp:
2833         (JSC::constructFunctionSkippingEvalEnabledCheck): Use single append instead of multiple.
2834         * runtime/Options.cpp:
2835         (JSC::Options::dumpOption): Ditto.
2836         * runtime/TypeProfiler.cpp:
2837         (JSC::TypeProfiler::typeInformationForExpressionAtOffset): Ditto.
2838         * runtime/TypeSet.cpp:
2839         (JSC::StructureShape::stringRepresentation): Ditto. Also use a modern for loop.
2840
2841 2019-08-21  Mark Lam  <mark.lam@apple.com>
2842
2843         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
2844         https://bugs.webkit.org/show_bug.cgi?id=201016
2845         <rdar://problem/54579911>
2846
2847         Reviewed by Yusuke Suzuki.
2848
2849         Currently, Wasm::FunctionParser is allowing
2850
2851             maxFunctionParams + maxFunctionLocals * maxFunctionLocals
2852
2853         ... locals, which is 0x9502FCE8.  It should be enforcing max locals of
2854         maxFunctionLocals instead.
2855
2856         * wasm/WasmFunctionParser.h:
2857         (JSC::Wasm::FunctionParser<Context>::parse):
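
        The cap this entry wants enforced, as an added example that is not JavaScriptCore's
        Wasm::FunctionParser: a small parser for the locals vector of a function body that checks
        the running total against one flat limit after every entry. The values maxFunctionParams = 1000
        and maxFunctionLocals = 50000 are assumptions, chosen because they make the wrong bound quoted
        above come out to 0x9502FCE8; the LEB128 helpers and the sample inputs are constructed for the
        example.

```cpp
// Added example, not JavaScriptCore code: a locals-vector parser that enforces
// one flat cap. The limit values are assumptions chosen so that the wrong
// bound described in the ChangeLog entry reproduces its 0x9502FCE8 figure.
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

namespace LocalsCheck {

constexpr uint32_t maxFunctionParams = 1000;  // assumed value
constexpr uint32_t maxFunctionLocals = 50000; // assumed value

// Decode an unsigned LEB128 varuint32, the encoding Wasm uses for counts.
// Fails on truncated input or an encoding longer than five bytes.
static bool decodeVarUInt32(const std::vector<uint8_t>& bytes, size_t& offset, uint32_t& result)
{
    result = 0;
    for (unsigned shift = 0; shift < 35; shift += 7) {
        if (offset >= bytes.size())
            return false;
        uint8_t byte = bytes[offset++];
        result |= static_cast<uint32_t>(byte & 0x7f) << shift;
        if (!(byte & 0x80))
            return true;
    }
    return false;
}

// Parse a function body's locals vector: varuint32 entry count followed by
// (varuint32 count, valtype byte) pairs. `paramCount` comes from the
// signature and is assumed to have been checked against maxFunctionParams.
// The running total is compared with the cap after every entry, so the
// 64-bit accumulator never gets anywhere near overflow and an over-sized
// declaration is rejected as soon as it is seen.
static bool parseLocals(const std::vector<uint8_t>& bytes, uint32_t paramCount, uint32_t& totalLocals)
{
    size_t offset = 0;
    uint32_t entryCount = 0;
    if (!decodeVarUInt32(bytes, offset, entryCount))
        return false;
    uint64_t total = paramCount;
    for (uint32_t i = 0; i < entryCount; ++i) {
        uint32_t count = 0;
        if (!decodeVarUInt32(bytes, offset, count))
            return false;
        if (offset >= bytes.size())
            return false;
        ++offset; // valtype byte; its value is not validated in this example
        total += count;
        if (total > maxFunctionLocals)
            return false;
    }
    totalLocals = static_cast<uint32_t>(total);
    return true;
}

// Convenience wrapper: -1 on rejection, otherwise the accepted local count.
static int64_t countLocals(const std::vector<uint8_t>& bytes, uint32_t paramCount)
{
    uint32_t total = 0;
    return parseLocals(bytes, paramCount, total) ? int64_t(total) : -1;
}

// The bound the entry describes as wrong, for comparison: quadratic in
// maxFunctionLocals instead of the flat cap.
static uint64_t buggyBound()
{
    return uint64_t(maxFunctionParams) + uint64_t(maxFunctionLocals) * maxFunctionLocals;
}

// Helpers that build test input in the binary format.
static void appendVarUInt32(std::vector<uint8_t>& out, uint32_t value)
{
    do {
        uint8_t byte = value & 0x7f;
        value >>= 7;
        if (value)
            byte |= 0x80;
        out.push_back(byte);
    } while (value);
}

static std::vector<uint8_t> encodeLocals(const std::vector<std::pair<uint32_t, uint8_t>>& entries)
{
    std::vector<uint8_t> out;
    appendVarUInt32(out, static_cast<uint32_t>(entries.size()));
    for (const auto& entry : entries) {
        appendVarUInt32(out, entry.first);
        out.push_back(entry.second);
    }
    return out;
}

} // namespace LocalsCheck
```

        Checking after each entry rather than once at the end is what makes the accumulator safe: two
        entries of 0xffffffff locals each are rejected at the first one, so no sum that could wrap is
        ever formed, and the cap is on the total the engine will actually have to allocate stack for.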
2858
2859 2019-08-21  Michael Saboff  <msaboff@apple.com>
2860
2861         [JSC] incorrect JIT lead to StackOverflow
2862         https://bugs.webkit.org/show_bug.cgi?id=197823
2863
2864         Reviewed by Tadeu Zagallo.
2865
2866         Added stack overflow check to the bound function thunk generator.  Added a new C++ operation
2867         throwStackOverflowErrorFromThunk() to throw the error.
2868
2869         * jit/JITOperations.cpp:
2870         * jit/JITOperations.h:
2871         * jit/ThunkGenerators.cpp:
2872         (JSC::boundThisNoArgsFunctionCallGenerator):
2873
2874 2019-08-21  Devin Rousso  <drousso@apple.com>
2875
2876         Web Inspector: Page: re-add enable/disable after r248454
2877         https://bugs.webkit.org/show_bug.cgi?id=200947
2878
2879         Reviewed by Joseph Pecoraro.
2880
2881         We shouldn't design the agent system with only Web Inspector in mind. Other clients may want
2882         to have different functionality, not being told about frame creation/updates/destruction.
2883         In these cases, we should have graceful error message failures for other agents that rely on
2884         the Page agent.
2885
2886         * inspector/protocol/Page.json:
2887
2888 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
2889
2890         Identify memcpy loops in b3
2891         https://bugs.webkit.org/show_bug.cgi?id=200181
2892
2893         Reviewed by Saam Barati.
2894
2895         Add a new pass in B3 to identify one type of forward byte copy loop and replace it with a call to a custom version of memcpy
2896         that will not cause GC tearing and have the correct behaviour when overlapping regions are passed in.
2897
2898         Microbenchmarks show memcpy-typed-loop-large is about 6x faster, and everything else is neutral. The optimization is disabled
2899         on arm for now, until we add a memcpy implementation for it.
2900
2901         * JavaScriptCore.xcodeproj/project.pbxproj:
2902         * Sources.txt:
2903         * b3/B3Generate.cpp:
2904         (JSC::B3::generateToAir):
2905         * b3/B3ReduceLoopStrength.cpp: Added.
2906         (JSC::B3::fastForwardCopy32):
2907         (JSC::B3::ReduceLoopStrength::AddrInfo::appendAddr):
2908         (JSC::B3::ReduceLoopStrength::ReduceLoopStrength):
2909         (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy):
2910         (JSC::B3::ReduceLoopStrength::hoistValue):
2911         (JSC::B3::ReduceLoopStrength::run):
2912         (JSC::B3::reduceLoopStrength):
2913         * b3/B3ReduceLoopStrength.h: Added.
2914         * b3/testb3.h:
2915         * b3/testb3_1.cpp:
2916         (run):
2917         * b3/testb3_8.cpp:
2918         (testFastForwardCopy32):
2919         (testByteCopyLoop):
2920         (testByteCopyLoopStartIsLoopDependent):
2921         (testByteCopyLoopBoundIsLoopDependent):
2922         (addCopyTests):
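
        What "correct behaviour when overlapping regions are passed in" has to mean for this
        transformation, as an added example that is not JavaScriptCore's B3 code: the loop being
        replaced copies element by element in increasing index order, so when the destination overlaps
        the source at a higher address it smears the first elements forward. A replacement must
        reproduce that, which memmove does not (memmove preserves the source). The unrolled copy and
        the buffer layouts below are constructed for the example, and the reading of the loop's
        semantics is ours, not a statement about fastForwardCopy32 itself.

```cpp
// Added example, not JavaScriptCore code: forward-copy semantics under overlap.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

namespace ForwardCopy {

// The reference semantics: the loop exactly as a program would write it.
static void byteCopyLoop32(uint32_t* dst, const uint32_t* src, size_t count)
{
    for (size_t i = 0; i < count; ++i)
        dst[i] = src[i];
}

// A bulk replacement that keeps loop semantics: always advance forward and
// never read an element after the loop could have overwritten it. Every
// store is one whole 32-bit word, so a concurrent reader (the GC scanning
// the heap, for instance) can never observe a half-written element.
static void fastForwardCopy32(uint32_t* dst, const uint32_t* src, size_t count)
{
    size_t i = 0;
    for (; i + 4 <= count; i += 4) { // unrolled main body
        dst[i] = src[i];
        dst[i + 1] = src[i + 1];
        dst[i + 2] = src[i + 2];
        dst[i + 3] = src[i + 3];
    }
    for (; i < count; ++i) // tail
        dst[i] = src[i];
}

enum class Strategy { Loop, Fast, Memmove };

// Fill buf[0 .. count + shift) with 1, 2, 3, ..., then copy `count` words
// from buf to buf + shift with the chosen strategy and return the buffer.
// With shift > 0 the regions overlap and the destination is ahead of the source.
static std::vector<uint32_t> copyOverlapping(Strategy strategy, size_t count, size_t shift)
{
    std::vector<uint32_t> buf(count + shift);
    for (size_t i = 0; i < buf.size(); ++i)
        buf[i] = static_cast<uint32_t>(i + 1);
    uint32_t* dst = buf.data() + shift;
    const uint32_t* src = buf.data();
    switch (strategy) {
    case Strategy::Loop:
        byteCopyLoop32(dst, src, count);
        break;
    case Strategy::Fast:
        fastForwardCopy32(dst, src, count);
        break;
    case Strategy::Memmove:
        std::memmove(dst, src, count * sizeof(uint32_t));
        break;
    }
    return buf;
}

// True iff the bulk copy reproduces the loop's result for this layout.
static bool fastMatchesLoop(size_t count, size_t shift)
{
    return copyOverlapping(Strategy::Fast, count, shift) == copyOverlapping(Strategy::Loop, count, shift);
}

} // namespace ForwardCopy
```

        For count = 4 and shift = 1 the loop turns 1 2 3 4 5 into 1 1 1 1 1, while memmove produces
        1 1 2 3 4; a pass that swapped the loop for memmove would silently change program results, which
        is why the entry calls for a custom copy rather than the libc one.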
2923
2924 2019-08-20  Devin Rousso  <drousso@apple.com>
2925
2926         Unreviewed, speculative build fix for High Sierra after r248925
2927
2928         * inspector/JSInjectedScriptHost.cpp:
2929         (Inspector::HeapHolderFinder::dump):
2930
2931 2019-08-20  Mark Lam  <mark.lam@apple.com>
2932
2933         Remove superfluous size argument to allocateCell() for fixed size objects.
2934         https://bugs.webkit.org/show_bug.cgi?id=200958
2935
2936         Reviewed by Yusuke Suzuki.
2937
2938         The size is already automatically computed by the allocateCell() template's default
2939         arguments.  Removing these superfluous arguments will make it easier for us to
2940         grep for cases where we do allocate variable size cells (for later analysis work).
2941
2942         * jsc.cpp:
2943         (JSC::Masquerader::create):
2944         (JSCMemoryFootprint::create):
2945         * tools/JSDollarVM.cpp:
2946         (JSC::JSDollarVMCallFrame::create):
2947         (JSC::Element::create):
2948         (JSC::Root::create):
2949         (JSC::SimpleObject::create):
2950         (JSC::ImpureGetter::create):
2951         (JSC::CustomGetter::create):
2952         (JSC::DOMJITNode::create):
2953         (JSC::DOMJITGetter::create):
2954         (JSC::DOMJITGetterComplex::create):
2955         (JSC::DOMJITFunctionObject::create):
2956         (JSC::DOMJITCheckSubClassObject::create):
2957         (JSC::DOMJITGetterBaseJSObject::create):
2958         (JSC::JSTestCustomGetterSetter::create):
2959         (JSC::WasmStreamingParser::create):
2960
2961 2019-08-20  Mark Lam  <mark.lam@apple.com>
2962
2963         JSBigInt::m_length should be immutable.
2964         https://bugs.webkit.org/show_bug.cgi?id=200956
2965
2966         Reviewed by Yusuke Suzuki.
2967
2968         This is because the JSBigInt cell size is allocated with that length.  Changing
2969         the length after construction does not change the size of the cell, and hence,
2970         makes no sense.
2971
2972         This patch removes the setLength() method, and decorates the m_length field with
2973         const to enforce that it is immutable after construction.
2974
2975         * runtime/JSBigInt.h:
2976
2977 2019-08-20  Devin Rousso  <drousso@apple.com>
2978
2979         Web Inspector: Implement `queryHolders` Command Line API
2980         https://bugs.webkit.org/show_bug.cgi?id=200458
2981
2982         Reviewed by Joseph Pecoraro.
2983
2984         Call `queryHolders(object)` from the Console to return an array of objects that strongly
2985         reference the given `object`. This could be very useful for finding JavaScript "leaks".
2986
2987         * inspector/InjectedScriptSource.js:
2988         (queryHolders): Added.
2989         * inspector/JSInjectedScriptHost.h:
2990         * inspector/JSInjectedScriptHost.cpp:
2991         (Inspector::HeapHolderFinder::HeapHolderFinder): Added.
2992         (Inspector::HeapHolderFinder::holders): Added.
2993         (Inspector::HeapHolderFinder::analyzeEdge): Added.
2994         (Inspector::HeapHolderFinder::analyzePropertyNameEdge): Added.
2995         (Inspector::HeapHolderFinder::analyzeVariableNameEdge): Added.
2996         (Inspector::HeapHolderFinder::analyzeIndexEdge): Added.
2997         (Inspector::HeapHolderFinder::analyzeNode): Added.
2998         (Inspector::HeapHolderFinder::setOpaqueRootReachabilityReasonForCell): Added.
2999         (Inspector::HeapHolderFinder::setWrappedObjectForCell): Added.
3000         (Inspector::HeapHolderFinder::setLabelForCell): Added.
3001         (Inspector::HeapHolderFinder::dump): Added.
3002         (Inspector::JSInjectedScriptHost::queryHolders): Added.
3003         * inspector/JSInjectedScriptHostPrototype.cpp:
3004         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
3005         (Inspector::jsInjectedScriptHostPrototypeFunctionQueryHolders): Added.
3006
3007         * heap/HeapAnalyzer.h: Added.
3008         Create an abstract base class for analyzing the Heap during a GC. Rather than create an
3009         entire `HeapSnapshot` for `queryHolders`, the `HeapHolderFinder` can just walk the Heap and
3010         only save the information it needs to determine the holders of the given `object`.
3011
3012         * heap/Heap.h:
3013         * heap/Heap.cpp:
3014         (JSC::Heap::isAnalyzingHeap const): Added.
3015         (JSC::GatherExtraHeapData::GatherExtraHeapData): Added.
3016         (JSC::GatherExtraHeapData::operator() const): Added.
3017         (JSC::Heap::gatherExtraHeapData): Added.
3018         (JSC::Heap::didFinishCollection): Added.
3019         (JSC::Heap::isHeapSnapshotting const): Deleted.
3020         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData): Deleted.
3021         (JSC::GatherHeapSnapshotData::operator() const): Deleted.
3022         (JSC::Heap::gatherExtraHeapSnapshotData): Deleted.
3023         * heap/SlotVisitor.h:
3024         (JSC::SlotVisitor::isAnalyzingHeap const): Added.
3025         (JSC::SlotVisitor::heapAnalyzer const): Added.
3026         (JSC::SlotVisitor::isBuildingHeapSnapshot const): Deleted.
3027         (JSC::SlotVisitor::heapSnapshotBuilder const): Deleted.
3028         * heap/SlotVisitor.cpp:
3029         (JSC::SlotVisitor::didStartMarking):
3030         (JSC::SlotVisitor::reset):
3031         (JSC::SlotVisitor::appendSlow):
3032         (JSC::SlotVisitor::visitChildren):
3033         * heap/SlotVisitorInlines.h:
3034         (JSC::SlotVisitor::appendUnbarriered):
3035         * heap/WeakBlock.cpp:
3036         (JSC::WeakBlock::specializedVisit):
3037         * runtime/Structure.cpp:
3038         (JSC::Structure::visitChildren):
3039         Rename `HeapAnalyzer` functions to be less specific to building a `HeapSnapshot`.
3040
3041         * heap/HeapProfiler.h:
3042         (JSC::HeapProfiler::activeHeapAnalyzer const): Added.
3043         (JSC::HeapProfiler::activeSnapshotBuilder const): Deleted.
3044         * heap/HeapProfiler.cpp:
3045         (JSC::HeapProfiler::setActiveHeapAnalyzer): Added.
3046         (JSC::HeapProfiler::setActiveSnapshotBuilder): Deleted.
3047         * heap/HeapSnapshotBuilder.h:
3048         * heap/HeapSnapshotBuilder.cpp:
3049         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
3050         (JSC::HeapSnapshotBuilder::buildSnapshot):
3051         (JSC::HeapSnapshotBuilder::analyzeNode): Added.
3052         (JSC::HeapSnapshotBuilder::analyzeEdge): Added.
3053         (JSC::HeapSnapshotBuilder::analyzePropertyNameEdge): Added.
3054         (JSC::HeapSnapshotBuilder::analyzeVariableNameEdge): Added.
3055         (JSC::HeapSnapshotBuilder::analyzeIndexEdge): Added.
3056         (JSC::HeapSnapshotBuilder::appendNode): Deleted.
3057         (JSC::HeapSnapshotBuilder::appendEdge): Deleted.
3058         (JSC::HeapSnapshotBuilder::appendPropertyNameEdge): Deleted.
3059         (JSC::HeapSnapshotBuilder::appendVariableNameEdge): Deleted.
3060         (JSC::HeapSnapshotBuilder::appendIndexEdge): Deleted.
3061
3062         * inspector/InjectedScriptManager.h:
3063         * inspector/agents/InspectorRuntimeAgent.cpp:
3064
3065         * runtime/ClassInfo.h:
3066         * runtime/JSCell.h:
3067         * runtime/JSCell.cpp:
3068         (JSC::JSCell::analyzeHeap): Added.
3069         (JSC::JSCell::heapSnapshot): Deleted.
3070         * runtime/JSLexicalEnvironment.h:
3071         * runtime/JSLexicalEnvironment.cpp:
3072         (JSC::JSLexicalEnvironment::analyzeHeap): Added.
3073         (JSC::JSLexicalEnvironment::heapSnapshot): Deleted.
3074         * runtime/JSObject.h:
3075         * runtime/JSObject.cpp:
3076         (JSC::JSObject::analyzeHeap): Added.
3077         (JSC::JSObject::heapSnapshot): Deleted.
3078         * runtime/JSSegmentedVariableObject.h:
3079         * runtime/JSSegmentedVariableObject.cpp:
3080         (JSC::JSSegmentedVariableObject::analyzeHeap): Added.
3081         (JSC::JSSegmentedVariableObject::heapSnapshot): Deleted.
3082         Rename `heapSnapshot` to `analyzeHeap`.
3083
3084         * CMakeLists.txt:
3085         * JavaScriptCore.xcodeproj/project.pbxproj:
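
        The shape of the analyzer this entry introduces, as an added example that is not
        JavaScriptCore's HeapAnalyzer or HeapHolderFinder: the heap walk reports every edge to an
        analyzer object; a snapshot builder would record all of them, whereas a holder finder keeps only
        the source of edges that point at the queried object. The interface, the walk and the small
        object graph are constructed for the example.

```cpp
// Added example, not JavaScriptCore code: a minimal heap analyzer interface
// with a holder finder that retains only what it needs.
#include <string>
#include <utility>
#include <vector>

namespace HolderDemo {

using CellId = int;
struct Edge { CellId from; CellId to; std::string name; };

// The walk calls analyzeEdge once per reference it discovers.
class HeapAnalyzer {
public:
    virtual ~HeapAnalyzer() = default;
    virtual void analyzeEdge(CellId from, CellId to, const std::string& name) = 0;
};

// Keeps only edges whose target is the queried cell: the holder and the
// property name under which it references the target.
class HeapHolderFinder final : public HeapAnalyzer {
public:
    explicit HeapHolderFinder(CellId target) : m_target(target) { }

    void analyzeEdge(CellId from, CellId to, const std::string& name) override
    {
        if (to == m_target)
            m_holders.emplace_back(from, name);
    }

    const std::vector<std::pair<CellId, std::string>>& holders() const { return m_holders; }

private:
    CellId m_target;
    std::vector<std::pair<CellId, std::string>> m_holders;
};

// Stand-in for the marking walk: visits every edge of a constructed graph.
static void walkHeap(const std::vector<Edge>& heap, HeapAnalyzer& analyzer)
{
    for (const Edge& edge : heap)
        analyzer.analyzeEdge(edge.from, edge.to, edge.name);
}

// Constructed graph: 1 = global object, 2 = a cache map, 3 = a view object
// that the page thinks it discarded, 4 = an event listener closure. Cell 3
// is still alive because both the cache and the closure hold it.
static std::vector<std::pair<CellId, std::string>> findHolders(CellId target)
{
    const std::vector<Edge> heap = {
        { 1, 2, "cache" }, { 1, 4, "onclick" },
        { 2, 3, "view#7" }, { 4, 3, "self" }, { 3, 2, "owner" },
    };
    HeapHolderFinder finder(target);
    walkHeap(heap, finder);
    return finder.holders();
}

} // namespace HolderDemo
```

        Querying cell 3 yields the two holders (2 via "view#7" and 4 via "self"), which is the list a
        developer would follow to cut the reference keeping the object alive; the back edge from 3 to 2
        is not a holder of 3 and is ignored.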
3086
3087 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
3088
3089         [WASM-References] Enable by default
3090         https://bugs.webkit.org/show_bug.cgi?id=200931
3091
3092         Reviewed by Saam Barati.
3093
3094         * runtime/Options.h:
3095
3096 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
3097
3098         [JSC] Array.prototype.toString should not get "join" function each time
3099         https://bugs.webkit.org/show_bug.cgi?id=200905
3100
3101         Reviewed by Mark Lam.
3102
3103         We avoid looking up `join` every time Array#toString is called. This patch implements the most profitable and easy
3104         case first, as we did for the Array#slice optimization: a non-modified original Array. We configure a watchpoint for
3105         Array.prototype.join changes and use this information, together with structure information, to determine whether the `join` lookup
3106         in Array.prototype.toString is unnecessary. This improves the JetStream2/3d-raytrace-SP score by 1.6%.
3107
3108             ToT:     363.56
3109             Patched: 369.26
3110
3111         This patch also renames InlineWatchpointSet fields from Watchpoint to WatchpointSet since they are not Watchpoint.
3112
3113         * dfg/DFGByteCodeParser.cpp:
3114         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3115         * dfg/DFGGraph.h:
3116         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
3117         (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
3118         * runtime/ArrayPrototype.cpp:
3119         (JSC::speciesWatchpointIsValid):
3120         (JSC::canUseDefaultArrayJoinForToString):
3121         (JSC::arrayProtoFuncToString):
3122         * runtime/JSGlobalObject.cpp:
3123         (JSC::JSGlobalObject::JSGlobalObject):
3124         (JSC::JSGlobalObject::init):
3125         (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
3126         * runtime/JSGlobalObject.h:
3127         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpointSet):
3128         (JSC::JSGlobalObject::mapIteratorProtocolWatchpointSet):
3129         (JSC::JSGlobalObject::setIteratorProtocolWatchpointSet):
3130         (JSC::JSGlobalObject::stringIteratorProtocolWatchpointSet):
3131         (JSC::JSGlobalObject::mapSetWatchpointSet):
3132         (JSC::JSGlobalObject::setAddWatchpointSet):
3133         (JSC::JSGlobalObject::arraySpeciesWatchpointSet):
3134         (JSC::JSGlobalObject::arrayJoinWatchpointSet):
3135         (JSC::JSGlobalObject::numberToStringWatchpointSet):
3136         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint): Deleted.
3137         (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint): Deleted.
3138         (JSC::JSGlobalObject::setIteratorProtocolWatchpoint): Deleted.
3139         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint): Deleted.
3140         (JSC::JSGlobalObject::mapSetWatchpoint): Deleted.
3141         (JSC::JSGlobalObject::setAddWatchpoint): Deleted.
3142         (JSC::JSGlobalObject::arraySpeciesWatchpoint): Deleted.
3143         (JSC::JSGlobalObject::numberToStringWatchpoint): Deleted.
3144         * runtime/JSGlobalObjectInlines.h:
3145         (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
3146         (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
3147         (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
3148         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
3149         (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
3150         (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):
3151
3152 2019-08-20  Joseph Pecoraro  <pecoraro@apple.com>
3153
3154         Web Inspector: Support for JavaScript BigInt
3155         https://bugs.webkit.org/show_bug.cgi?id=180731
3156         <rdar://problem/36298748>
3157
3158         Reviewed by Devin Rousso.
3159
3160         * inspector/InjectedScriptSource.js:
3161         (toStringDescription):
3162         (isSymbol):
3163         (isBigInt):
3164         (let.InjectedScript.prototype._fallbackWrapper):
3165         (let.RemoteObject):
3166         (let.RemoteObject.subtype):
3167         (let.RemoteObject.describe):
3168         (let.RemoteObject.prototype._appendPropertyPreviews):
3169         (let.RemoteObject.set _isPreviewableObjectInternal):
3170         (let.RemoteObject.prototype._isPreviewableObject.set add):
3171         * inspector/protocol/Runtime.json:
3172         New RemoteObject type and preview support.
3173
3174         * runtime/RuntimeType.cpp:
3175         (JSC::runtimeTypeForValue):
3176         (JSC::runtimeTypeAsString):
3177         * runtime/RuntimeType.h:
3178         * runtime/TypeSet.cpp:
3179         (JSC::TypeSet::displayName const):
3180         (JSC::TypeSet::inspectorTypeSet const):
3181         New type for the type profiler.
3182
3183         * heap/HeapSnapshotBuilder.cpp:
3184         (JSC::HeapSnapshotBuilder::json):
3185         * inspector/agents/InspectorHeapAgent.cpp:
3186         (Inspector::InspectorHeapAgent::getPreview):
3187         * runtime/JSBigInt.cpp:
3188         (JSC::JSBigInt::toString):
3189         (JSC::JSBigInt::tryGetString):
3190         (JSC::JSBigInt::toStringBasePowerOfTwo):
3191         (JSC::JSBigInt::toStringGeneric):
3192         * runtime/JSBigInt.h:
3193         BigInts are not tied to a GlobalObject, so provide a way to get a
3194         String for HeapSnapshot previews that are not tied to an ExecState.
3195
3196 2019-08-19  Devin Rousso  <drousso@apple.com>
3197
3198         Web Inspector: Debugger: add a global breakpoint for pausing in the next microtask
3199         https://bugs.webkit.org/show_bug.cgi?id=200652
3200
3201         Reviewed by Joseph Pecoraro.
3202
3203         * inspector/protocol/Debugger.json:
3204         Add `setPauseOnMicrotasks` command.
3205
3206         * inspector/agents/InspectorDebuggerAgent.h:
3207         * inspector/agents/InspectorDebuggerAgent.cpp:
3208         (Inspector::InspectorDebuggerAgent::disable):
3209         (Inspector::InspectorDebuggerAgent::setPauseOnMicrotasks): Added.
3210         (Inspector::InspectorDebuggerAgent::willRunMicrotask): Added.
3211         (Inspector::InspectorDebuggerAgent::didRunMicrotask): Added.
3212
3213         * debugger/Debugger.h:
3214         (JSC::Debugger::willRunMicrotask): Added.
3215         (JSC::Debugger::didRunMicrotask): Added.
3216         * inspector/ScriptDebugListener.h:
3217         * inspector/ScriptDebugServer.h:
3218         * inspector/ScriptDebugServer.cpp:
3219         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
3220         (Inspector::ScriptDebugServer::sourceParsed):
3221         (Inspector::ScriptDebugServer::willRunMicrotask): Added.
3222         (Inspector::ScriptDebugServer::didRunMicrotask): Added.
3223         (Inspector::ScriptDebugServer::canDispatchFunctionToListeners const): Added.
3224         (Inspector::ScriptDebugServer::dispatchFunctionToListeners): Added.
3225         (Inspector::ScriptDebugServer::handlePause):
3226         (Inspector::ScriptDebugServer::dispatchDidPause): Deleted.
3227         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Deleted.
3228         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Deleted.
3229         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Deleted.
3230         (Inspector::ScriptDebugServer::dispatchDidContinue): Deleted.
3231         (Inspector::ScriptDebugServer::dispatchDidParseSource): Deleted.
3232         (Inspector::ScriptDebugServer::dispatchFailedToParseSource): Deleted.
3233         Unify the various `dispatch*` functions to use lambdas so state management is centralized.
3234
3235         * runtime/JSMicrotask.cpp:
3236         (JSC::JSMicrotask::run):
3237
3238         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
3239
3240 2019-08-19  Devin Rousso  <drousso@apple.com>
3241
3242         Web Inspector: Debugger: pause on assertion failures breakpoint doesn't work when inspecting a JSContext
3243         https://bugs.webkit.org/show_bug.cgi?id=200874
3244
3245         Reviewed by Joseph Pecoraro.
3246
3247         * inspector/JSGlobalObjectConsoleClient.cpp:
3248         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
3249
3250 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
3251
3252         Proxy constructor should throw if handler is revoked Proxy
3253         https://bugs.webkit.org/show_bug.cgi?id=198755
3254
3255         Reviewed by Saam Barati.
3256
3257         Reword error message and check if handler is revoked Proxy.
3258         (step 4 of https://tc39.es/ecma262/#sec-proxycreate)
3259
3260         * runtime/ProxyObject.cpp:
3261         (JSC::ProxyObject::finishCreation): Add isRevoked check.
3262
3263 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
3264
3265         [JSC] OSR entry to Wasm OMG
3266         https://bugs.webkit.org/show_bug.cgi?id=200362
3267
3268         Reviewed by Michael Saboff.
3269
3270         This patch implements Wasm OSR entry mechanism from BBQ tier to OMG tier.
3271         We found that one of the JetStream2 tests heavily relies on the OSR entry feature. gcc-loops-wasm consumes
3272         most of its time in the BBQ tier since one of the functions takes a significantly long time. And since we did
3273         not have an OSR entry feature, we could not use the OMG function until that BBQ function finished.
3274
3275         To implement Wasm OSR feature, we first capture all locals and stacks in the patchpoint to generate
3276         the stackmap. Once the threshold is crossed, the patchpoint calls `MacroAssembler::probe` feature to
3277         capture whole register context, and C++ runtime function reads stackmap and Probe::Context to perform
3278         OSR entry. This patch intentionally makes OSR entry written in C++ runtime side as much as possible
3279         to make it easily reusable for the other tiers. For example, we are planning to introduce Wasm interpreter,
3280         and it can easily use this tier-up function. Because of this simplicity, this generic implementation can
3281         cover both BBQ Air and BBQ B3 tier-up features. So, in the future, it is possible that we revive BBQ B3
3282         and construct the wasm pipeline like interpreter->BBQ B3->OMG B3.
3283
3284         To generate OMG code for OSR entry, we add a new mode OMGForOSREntry, which mimics the FTLForOSREntry.
3285         In FTLForOSREntry, we cut unrelated blocks including the usual entry point in DFG tier and later convert
3286         graph to SSA. This is possible because DFG is not SSA. On the other hand, B3 is SSA and we cannot do the
3287         same thing without a hack.
3288
3289         This patch introduces a hack: making all wasm locals and stack values B3::Variable for OMGForOSREntry mode.
3290         Then, we can cut blocks easily and we can generate the B3 graph without doing reachability analysis from the
3291         OSR entry point. B3 will remove unreachable blocks later.
3292
3293         Tier-up function mimics DFG->FTL OSR entry heuristics and threshold as much as possible. And this patch adjusts
3294         the tier-up count threshold to make it close to DFG->FTL ones. Wasm tier-up is now using ExecutionCounter, which
3295         is inherited from Wasm::TierUpCount. Since wasm can execute concurrently, the tier-up counter can be racily updated.
3296         But this is OK in practice. Even if we see some more tier-up function calls or tier-up function calls are delayed,
3297         the critical part is guarded by a lock in tier-up function.
3298
3299         On iMac Pro, it shows ~4x runtime improvement for gcc-loops-wasm. On an iOS device (iPhone XR), we saw ~2x improvement.
3300
3301             ToT:
3302                 HashSet-wasm:Score: 24.6pt stdev=4.6%
3303                             :Time:Geometric: 204ms stdev=4.4%
3304                             Runtime:Time: 689ms stdev=1.0%
3305                             Startup:Time: 60.3ms stdev=8.4%
3306                 gcc-loops-wasm:Score: 8.41pt stdev=6.7%
3307                               :Time:Geometric: 597ms stdev=6.5%
3308                               Runtime:Time: 8.509s stdev=0.7%
3309                               Startup:Time: 42ms stdev=12.4%
3310                 quicksort-wasm:Score: 347pt stdev=20.9%
3311                               :Time:Geometric: 15ms stdev=18.6%
3312                               Runtime:Time: 28.2ms stdev=7.9%
3313                               Startup:Time: 8.2ms stdev=35.0%
3314                 richards-wasm:Score: 77.6pt stdev=4.5%
3315                              :Time:Geometric: 64.6ms stdev=4.4%
3316                              Runtime:Time: 544ms stdev=3.3%
3317                              Startup:Time: 7.67ms stdev=6.7%
3318                 tsf-wasm:Score: 47.9pt stdev=4.5%
3319                         :Time:Geometric: 104ms stdev=4.8%
3320                         Runtime:Time: 259ms stdev=4.4%
3321                         Startup:Time: 42.2ms stdev=8.5%
3322
3323             Patched:
3324                 HashSet-wasm:Score: 24.1pt stdev=4.1%
3325                             :Time:Geometric: 208ms stdev=4.1%
3326                             Runtime:Time: 684ms stdev=1.1%
3327                             Startup:Time: 63.2ms stdev=8.1%
3328                 gcc-loops-wasm:Score: 15.7pt stdev=5.1%
3329                               :Time:Geometric: 319ms stdev=5.3%
3330                               Runtime:Time: 2.491s stdev=0.7%
3331                               Startup:Time: 41ms stdev=11.0%
3332                 quicksort-wasm:Score: 353pt stdev=13.7%
3333                               :Time:Geometric: 14ms stdev=12.7%
3334                               Runtime:Time: 26.2ms stdev=2.9%
3335                               Startup:Time: 8.0ms stdev=23.7%
3336                 richards-wasm:Score: 77.4pt stdev=5.3%
3337                              :Time:Geometric: 64.7ms stdev=5.3%
3338                              Runtime:Time: 536ms stdev=1.5%
3339                              Startup:Time: 7.83ms stdev=9.6%
3340                 tsf-wasm:Score: 47.3pt stdev=5.7%
3341                         :Time:Geometric: 106ms stdev=6.1%
3342                         Runtime:Time: 250ms stdev=3.5%
3343                         Startup:Time: 45ms stdev=13.8%
3344
3345         * JavaScriptCore.xcodeproj/project.pbxproj:
3346         * Sources.txt:
3347         * assembler/MacroAssemblerARM64.h:
3348         (JSC::MacroAssemblerARM64::branchAdd32):
3349         * b3/B3ValueRep.h:
3350         * bytecode/CodeBlock.h:
3351         * bytecode/ExecutionCounter.cpp:
3352         (JSC::applyMemoryUsageHeuristics):
3353         (JSC::ExecutionCounter<countingVariant>::setThreshold):
3354         * bytecode/ExecutionCounter.h:
3355         (JSC::ExecutionCounter::clippedThreshold):
3356         * dfg/DFGJITCode.h:
3357         * dfg/DFGOperations.cpp:
3358         * jit/AssemblyHelpers.h:
3359         (JSC::AssemblyHelpers::prologueStackPointerDelta):
3360         * runtime/Options.h:
3361         * wasm/WasmAirIRGenerator.cpp:
3362         (JSC::Wasm::AirIRGenerator::createStack):
3363         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
3364         (JSC::Wasm::AirIRGenerator::outerLoopIndex const):
3365         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
3366         (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
3367         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
3368         (JSC::Wasm::AirIRGenerator::addLoop):
3369         (JSC::Wasm::AirIRGenerator::addElse):
3370         (JSC::Wasm::AirIRGenerator::addBranch):
3371         (JSC::Wasm::AirIRGenerator::addSwitch):
3372         (JSC::Wasm::AirIRGenerator::endBlock):
3373         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
3374         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
3375         (JSC::Wasm::AirIRGenerator::dump):
3376         (JSC::Wasm::AirIRGenerator::emitTierUpCheck): Deleted.
3377         * wasm/WasmB3IRGenerator.cpp:
3378         (JSC::Wasm::B3IRGenerator::Stack::Stack):
3379         (JSC::Wasm::B3IRGenerator::Stack::append):
3380         (JSC::Wasm::B3IRGenerator::Stack::takeLast):
3381         (JSC::Wasm::B3IRGenerator::Stack::last):
3382         (JSC::Wasm::B3IRGenerator::Stack::size const):
3383         (JSC::Wasm::B3IRGenerator::Stack::isEmpty const):
3384         (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList):
3385         (JSC::Wasm::B3IRGenerator::Stack::at const):
3386         (JSC::Wasm::B3IRGenerator::Stack::variableAt const):
3387         (JSC::Wasm::B3IRGenerator::Stack::shrink):
3388         (JSC::Wasm::B3IRGenerator::Stack::swap):
3389         (JSC::Wasm::B3IRGenerator::Stack::dump const):
3390         (JSC::Wasm::B3IRGenerator::createStack):
3391         (JSC::Wasm::B3IRGenerator::outerLoopIndex const):
3392         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3393         (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
3394         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
3395         (JSC::Wasm::B3IRGenerator::addLoop):
3396         (JSC::Wasm::B3IRGenerator::addElse):
3397         (JSC::Wasm::B3IRGenerator::addBranch):
3398         (JSC::Wasm::B3IRGenerator::addSwitch):
3399         (JSC::Wasm::B3IRGenerator::endBlock):
3400         (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
3401         (JSC::Wasm::B3IRGenerator::unifyValuesWithBlock):
3402         (JSC::Wasm::B3IRGenerator::dump):
3403         (JSC::Wasm::parseAndCompile):
3404         (JSC::Wasm::B3IRGenerator::emitTierUpCheck): Deleted.
3405         (JSC::Wasm::dumpExpressionStack): Deleted.
3406         * wasm/WasmB3IRGenerator.h:
3407         * wasm/WasmBBQPlan.cpp:
3408         (JSC::Wasm::BBQPlan::compileFunctions):
3409         * wasm/WasmBBQPlan.h:
3410         * wasm/WasmBBQPlanInlines.h:
3411         (JSC::Wasm::BBQPlan::initializeCallees):
3412         * wasm/WasmCallee.h:
3413         * wasm/WasmCodeBlock.cpp:
3414         (JSC::Wasm::CodeBlock::CodeBlock):
3415         * wasm/WasmCodeBlock.h:
3416         (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace):
3417         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
3418         (JSC::Wasm::CodeBlock::tierUpCount): Deleted.
3419         * wasm/WasmCompilationMode.cpp:
3420         (JSC::Wasm::makeString):
3421         * wasm/WasmCompilationMode.h:
3422         * wasm/WasmContext.cpp: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.cpp.
3423         (JSC::Wasm::Context::scratchBufferForSize):
3424         * wasm/WasmContext.h:
3425         * wasm/WasmContextInlines.h:
3426         (JSC::Wasm::Context::tryLoadInstanceFromTLS):
3427         * wasm/WasmFunctionParser.h:
3428         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
3429         (JSC::Wasm::FunctionParser<Context>::parseBody):
3430         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3431         * wasm/WasmOMGForOSREntryPlan.cpp: Copied from Source/JavaScriptCore/wasm/WasmOMGPlan.cpp.
3432         (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):
3433         (JSC::Wasm::OMGForOSREntryPlan::work):
3434         * wasm/WasmOMGForOSREntryPlan.h: Copied from Source/JavaScriptCore/wasm/WasmOMGPlan.h.
3435         * wasm/WasmOMGPlan.cpp:
3436         (JSC::Wasm::OMGPlan::work):
3437         (JSC::Wasm::OMGPlan::runForIndex): Deleted.
3438         * wasm/WasmOMGPlan.h:
3439         * wasm/WasmOSREntryData.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h.
3440         (JSC::Wasm::OSREntryValue::OSREntryValue):
3441         (JSC::Wasm::OSREntryValue::type const):
3442         (JSC::Wasm::OSREntryData::OSREntryData):
3443         (JSC::Wasm::OSREntryData::functionIndex const):
3444         (JSC::Wasm::OSREntryData::loopIndex const):
3445         (JSC::Wasm::OSREntryData::values):
3446         * wasm/WasmOperations.cpp: Added.
3447         (JSC::Wasm::shouldTriggerOMGCompile):
3448         (JSC::Wasm::triggerOMGReplacementCompile):
3449         (JSC::Wasm::doOSREntry):
3450         (JSC::Wasm::triggerOSREntryNow):
3451         (JSC::Wasm::triggerTierUpNow):
3452         * wasm/WasmOperations.h: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.h.
3453         * wasm/WasmThunks.cpp:
3454         (JSC::Wasm::triggerOMGEntryTierUpThunkGenerator):
3455         (JSC::Wasm::triggerOMGTierUpThunkGenerator): Deleted.
3456         * wasm/WasmThunks.h:
3457         * wasm/WasmTierUpCount.cpp: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.cpp.
3458         (JSC::Wasm::TierUpCount::TierUpCount):
3459         (JSC::Wasm::TierUpCount::addOSREntryData):
3460         * wasm/WasmTierUpCount.h:
3461         (JSC::Wasm::TierUpCount::loopIncrement):
3462         (JSC::Wasm::TierUpCount::functionEntryIncrement):
3463         (JSC::Wasm::TierUpCount::osrEntryTriggers):
3464         (JSC::Wasm::TierUpCount::outerLoops):
3465         (JSC::Wasm::TierUpCount::getLock):
3466         (JSC::Wasm::TierUpCount::optimizeAfterWarmUp):
3467         (JSC::Wasm::TierUpCount::checkIfOptimizationThresholdReached):
3468         (JSC::Wasm::TierUpCount::dontOptimizeAnytimeSoon):
3469         (JSC::Wasm::TierUpCount::optimizeNextInvocation):
3470         (JSC::Wasm::TierUpCount::optimizeSoon):
3471         (JSC::Wasm::TierUpCount::setOptimizationThresholdBasedOnCompilationResult):
3472         (JSC::Wasm::TierUpCount::TierUpCount): Deleted.
3473         (JSC::Wasm::TierUpCount::loopDecrement): Deleted.
3474         (JSC::Wasm::TierUpCount::functionEntryDecrement): Deleted.
3475         (JSC::Wasm::TierUpCount::shouldStartTierUp): Deleted.
3476         (JSC::Wasm::TierUpCount::count): Deleted.
3477         * wasm/WasmValidate.cpp:
3478         (JSC::Wasm::Validate::createStack):
3479         (JSC::Wasm::Validate::addLoop):
3480         (JSC::Wasm::Validate::addElse):
3481         (JSC::Wasm::Validate::checkBranchTarget):
3482         (JSC::Wasm::Validate::addBranch):
3483         (JSC::Wasm::Validate::addSwitch):
3484         (JSC::Wasm::Validate::endBlock):
3485         (JSC::Wasm::Validate::unify):
3486         (JSC::Wasm::dumpExpressionStack):
3487         (JSC::Wasm::Validate::dump):
3488
3489 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
3490
3491         Date.prototype.toJSON throws if toISOString returns an object
3492         https://bugs.webkit.org/show_bug.cgi?id=198495
3493
3494         Reviewed by Ross Kirsling.
3495
3496         Don't throw TypeError if result of toISOString call is not a primitive.
3497         (step 4 of https://tc39.es/ecma262/#sec-date.prototype.tojson)
3498
3499         * runtime/DatePrototype.cpp:
3500         (JSC::dateProtoFuncToJSON): Remove isObject check.
3501
3502 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
3503
3504         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
3505         https://bugs.webkit.org/show_bug.cgi?id=200899
3506         <rdar://problem/54073341>
3507
3508         Reviewed by Mark Lam.
3509
3510         DFGByteCodeParser attempts to get a constant flag for isLittleEndian for DataView get/set.
3511         When getting a constant in DFG, we first need to check whether it is JSEmpty. But we are missing
3512         this check for DataView get/set optimization.
3513
3514         * dfg/DFGByteCodeParser.cpp:
3515         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3516
3517 2019-08-19  Tadeu Zagallo  <tzagallo@apple.com>
3518
3519         JSC tool targets should unlock the keychain before codesigning
3520         https://bugs.webkit.org/show_bug.cgi?id=200733
3521         <rdar://problem/54223095>
3522
3523         Reviewed by Alexey Proskuryakov.
3524
3525         In r245564, we started codesigning JSC tool targets to run the datavault tests
3526         in testapi, but we should unlock the keychain first so that it doesn't require
3527         the password during builds.
3528
3529         * JavaScriptCore.xcodeproj/project.pbxproj:
3530
3531 2019-08-19  Michael Saboff  <msaboff@apple.com>
3532
3533         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
3534         https://bugs.webkit.org/show_bug.cgi?id=197090
3535
3536         Reviewed by Yusuke Suzuki.
3537
3538         Turned the debug JIT assert into falling back to the interpreter.  In release builds, that is effectively what we do
3539         after exhausting the loop try count.  No sense in looping until we exceed the count, as we can exit immediately.
3540
3541         * assembler/AbortReason.h:
3542         * yarr/YarrJIT.cpp:
3543         (JSC::Yarr::YarrGenerator::generate):
3544
3545 2019-08-18  Yusuke Suzuki  <ysuzuki@apple.com>
3546
3547         [WTF] Add makeUnique<T>, which ensures T is fast-allocated, makeUnique / makeUniqueWithoutFastMallocCheck part
3548         https://bugs.webkit.org/show_bug.cgi?id=200620
3549
3550         Reviewed by Geoff Garen.
3551
3552         * API/JSCallbackObject.h:
3553         (JSC::JSCallbackObjectData::setPrivateProperty):
3554         * API/JSCallbackObjectFunctions.h:
3555         (JSC::JSCallbackObject<Parent>::JSCallbackObject):
3556         * API/JSClassRef.cpp:
3557         (OpaqueJSClassContextData::OpaqueJSClassContextData):
3558         (OpaqueJSClass::contextData):
3559         * API/JSMarkingConstraintPrivate.cpp:
3560         (JSContextGroupAddMarkingConstraint):
3561         * API/JSWrapperMap.mm:
3562         (-[JSWrapperMap initWithGlobalContextRef:]):
3563         * API/ObjCCallbackFunction.mm:
3564         (ArgumentTypeDelegate::typeInteger):
3565         (ArgumentTypeDelegate::typeDouble):
3566         (ArgumentTypeDelegate::typeBool):
3567         (ArgumentTypeDelegate::typeId):
3568         (ArgumentTypeDelegate::typeOfClass):
3569         (ArgumentTypeDelegate::typeStruct):
3570         (ResultTypeDelegate::typeInteger):
3571         (ResultTypeDelegate::typeDouble):
3572         (ResultTypeDelegate::typeBool):
3573         (ResultTypeDelegate::typeVoid):
3574         (ResultTypeDelegate::typeId):
3575         (ResultTypeDelegate::typeOfClass):
3576         (ResultTypeDelegate::typeBlock):
3577         (ResultTypeDelegate::typeStruct):
3578         (objCCallbackFunctionForInvocation):
3579         * API/glib/JSCContext.cpp:
3580         (jscContextSetVirtualMachine):
3581         * API/glib/JSCWrapperMap.cpp:
3582         (JSC::WrapperMap::WrapperMap):
3583         * assembler/ProbeStack.cpp:
3584         (JSC::Probe::Stack::ensurePageFor):
3585         * b3/B3LowerToAir.cpp:
3586         * b3/B3Procedure.cpp:
3587         (JSC::B3::Procedure::Procedure):
3588         (JSC::B3::Procedure::dominators):
3589         (JSC::B3::Procedure::naturalLoops):
3590         (JSC::B3::Procedure::backwardsCFG):
3591         (JSC::B3::Procedure::backwardsDominators):
3592         (JSC::B3::Procedure::addDataSection):
3593         * b3/air/AirCode.cpp:
3594         (JSC::B3::Air::Code::cCallSpecial):
3595         * b3/air/AirGenerate.cpp:
3596         (JSC::B3::Air::prepareForGeneration):
3597         * b3/air/testair.cpp:
3598         * b3/testb3.h:
3599         (compileProc):
3600         * bytecode/AccessCase.cpp:
3601         (JSC::AccessCase::generateImpl):
3602         * bytecode/AccessCaseSnippetParams.cpp:
3603         * bytecode/BytecodeBasicBlock.cpp:
3604         (JSC::BytecodeBasicBlock::computeImpl):
3605         * bytecode/CallLinkInfo.cpp:
3606         (JSC::CallLinkInfo::setFrameShuffleData):
3607         * bytecode/CodeBlock.cpp:
3608         (JSC::CodeBlock::ensureJITDataSlow):
3609         (JSC::CodeBlock::setCalleeSaveRegisters):
3610         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
3611         * bytecode/CodeBlock.h:
3612         (JSC::CodeBlock::createRareDataIfNecessary):
3613         * bytecode/DFGExitProfile.cpp:
3614         (JSC::DFG::ExitProfile::add):
3615         * bytecode/DeferredCompilationCallback.cpp:
3616         (JSC::DeferredCompilationCallback::ensureDeferredSourceDump):
3617         * bytecode/GetByIdStatus.cpp:
3618         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3619         * bytecode/GetByIdVariant.cpp:
3620         (JSC::GetByIdVariant::operator=):
3621         * bytecode/LazyOperandValueProfile.cpp:
3622         (JSC::CompressedLazyOperandValueProfileHolder::add):
3623         * bytecode/PolyProtoAccessChain.h:
3624         (JSC::PolyProtoAccessChain::clone):
3625         * bytecode/PolymorphicAccess.cpp:
3626         (JSC::PolymorphicAccess::regenerate):
3627         * bytecode/PutByIdStatus.cpp:
3628         (JSC::PutByIdStatus::computeForStubInfo):
3629         * bytecode/PutByIdVariant.cpp:
3630         (JSC::PutByIdVariant::operator=):
3631         * bytecode/RecordedStatuses.cpp:
3632         (JSC::RecordedStatuses::addCallLinkStatus):
3633         (JSC::RecordedStatuses::addGetByIdStatus):
3634         (JSC::RecordedStatuses::addPutByIdStatus):
3635         (JSC::RecordedStatuses::addInByIdStatus):
3636         * bytecode/StructureStubClearingWatchpoint.cpp:
3637         (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint):
3638         * bytecode/StructureStubInfo.cpp:
3639         (JSC::StructureStubInfo::addAccessCase):
3640         * bytecode/UnlinkedCodeBlock.cpp:
3641         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
3642         * bytecode/UnlinkedCodeBlock.h:
3643         (JSC::UnlinkedCodeBlock::createRareDataIfNecessary):
3644         * bytecode/UnlinkedFunctionExecutable.cpp:
3645         (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
3646         * bytecompiler/BytecodeGenerator.h:
3647         (JSC::BytecodeGenerator::generate):
3648         * dfg/DFGAbstractInterpreterInlines.h:
3649         (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
3650         * dfg/DFGGraph.cpp:
3651         (JSC::DFG::Graph::Graph):
3652         (JSC::DFG::Graph::livenessFor):
3653         (JSC::DFG::Graph::killsFor):
3654         (JSC::DFG::Graph::ensureCPSCFG):
3655         (JSC::DFG::Graph::ensureCPSDominators):
3656         (JSC::DFG::Graph::ensureSSADominators):
3657         (JSC::DFG::Graph::ensureCPSNaturalLoops):
3658         (JSC::DFG::Graph::ensureSSANaturalLoops):
3659         (JSC::DFG::Graph::ensureBackwardsCFG):
3660         (JSC::DFG::Graph::ensureBackwardsDominators):
3661         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
3662         * dfg/DFGJITCompiler.cpp:
3663         (JSC::DFG::JITCompiler::JITCompiler):
3664         (JSC::DFG::JITCompiler::link):
3665         (JSC::DFG::JITCompiler::compile):
3666         (JSC::DFG::JITCompiler::compileFunction):
3667         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
3668         * dfg/DFGLivenessAnalysisPhase.cpp:
3669         * dfg/DFGPlan.cpp:
3670         (JSC::DFG::Plan::compileInThreadImpl):
3671         * dfg/DFGSSAConversionPhase.cpp:
3672         (JSC::DFG::SSAConversionPhase::run):
3673         * dfg/DFGSlowPathGenerator.h:
3674         (JSC::DFG::slowPathCall):
3675         (JSC::DFG::slowPathMove):
3676         * dfg/DFGSpeculativeJIT.cpp:
3677         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3678         (JSC::DFG::SpeculativeJIT::arrayify):
3679         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3680         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3681         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3682         (JSC::DFG::SpeculativeJIT::emitStructureCheck):
3683         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3684         * dfg/DFGStoreBarrierInsertionPhase.cpp:
3685         * dfg/DFGWorklist.cpp:
3686         (JSC::DFG::Worklist::createNewThread):
3687         * disassembler/Disassembler.cpp:
3688         (JSC::disassembleAsynchronously):
3689         * ftl/FTLAbstractHeap.cpp:
3690         (JSC::FTL::IndexedAbstractHeap::atSlow):
3691         * ftl/FTLCompile.cpp:
3692         (JSC::FTL::compile):
3693         * ftl/FTLFail.cpp:
3694         (JSC::FTL::fail):
3695         * ftl/FTLLink.cpp:
3696         (JSC::FTL::link):
3697         * ftl/FTLLowerDFGToB3.cpp:
3698         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3699         * ftl/FTLState.cpp:
3700         (JSC::FTL::State::State):
3701         * heap/CompleteSubspace.cpp:
3702         (JSC::CompleteSubspace::allocatorForSlow):
3703         * heap/Heap.cpp:
3704         (JSC::Heap::Heap):
3705         (JSC::Heap::protectedObjectTypeCounts):
3706         (JSC::Heap::objectTypeCounts):
3707         (JSC::Heap::addCoreConstraints):
3708         * heap/HeapInlines.h:
3709         * heap/HeapSnapshotBuilder.cpp:
3710         (JSC::HeapSnapshotBuilder::buildSnapshot):
3711         * heap/IsoCellSet.cpp:
3712         (JSC::IsoCellSet::addSlow):
3713         * heap/IsoSubspace.cpp:
3714         (JSC::IsoSubspace::IsoSubspace):
3715         * heap/MarkingConstraintSet.cpp:
3716         (JSC::MarkingConstraintSet::add):
3717         * inspector/JSGlobalObjectConsoleClient.cpp:
3718         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
3719         (Inspector::JSGlobalObjectConsoleClient::profile):
3720         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
3721         (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
3722         * inspector/JSGlobalObjectInspectorController.cpp:
3723         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3724         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3725         (Inspector::JSGlobalObjectInspectorController::ensureInspectorAgent):
3726         (Inspector::JSGlobalObjectInspectorController::ensureDebuggerAgent):
3727         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3728         * inspector/agents/InspectorAgent.cpp:
3729         (Inspector::InspectorAgent::InspectorAgent):
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
        (Inspector::InspectorConsoleAgent::startTiming):
        (Inspector::InspectorConsoleAgent::logTiming):
        (Inspector::InspectorConsoleAgent::stopTiming):
        (Inspector::InspectorConsoleAgent::count):
        (Inspector::InspectorConsoleAgent::countReset):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::InspectorHeapAgent):
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
        * inspector/agents/InspectorTargetAgent.cpp:
        (Inspector::InspectorTargetAgent::InspectorTargetAgent):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        (Inspector::JSGlobalObjectRuntimeAgent::JSGlobalObjectRuntimeAgent):
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
        (Inspector::RemoteInspectorSocketEndpoint::createClient):
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::JITThunks):
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * jsc.cpp:
        (runJSC):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        * parser/Parser.h:
        (JSC::Scope::pushLabel):
        (JSC::Parser<LexerType>::parse):
        * parser/ParserArena.h:
        (JSC::ParserArena::identifierArena):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::executionCounterFor):
        * runtime/Error.cpp:
        (JSC::getStackTrace):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::ensureRareDataSlow):
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::createRareDataIfNeeded):
        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
        (JSC::JSRunLoopTimer::Manager::registerVM):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::addDeletedOffset):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/RegExp.cpp:
        (JSC::RegExp::finishCreation):
        * runtime/RegExp.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::ensureTemplateObjectMapImpl):
        * runtime/Structure.cpp:
        (JSC::Structure::ensurePropertyReplacementWatchpointSet):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::setObjectToStringValue):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::localToEntry):
        (JSC::SymbolTable::cloneScopePart):
        (JSC::SymbolTable::prepareForTypeProfiling):
        (JSC::SymbolTable::setRareDataCodeBlock):
        * runtime/TypeSet.cpp:
        (JSC::StructureShape::propertyHash):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::ensureHeapProfiler):
        (JSC::VM::enableTypeProfiler):
        (JSC::VM::enableControlFlowProfiler):
        (JSC::VM::queueMicrotask):
        (JSC::VM::ensureShadowChicken):
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::emitPatchpoint):
        (JSC::Wasm::AirIRGenerator::emitCheck):
        (JSC::Wasm::parseAndCompileAir):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::Worklist::Worklist):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
        (JSC::Yarr::ByteCompiler::regexBegin):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::charClass):
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::resetForReparsing):
        (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
        (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
        (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
        (JSC::Yarr::anycharCreate):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternDisjunction::addNewAlternative):
        * yarr/create_regex_tables:
        * yarr/generateYarrUnicodePropertyTables.py:

2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Correct a->an in error messages and API docblocks
        https://bugs.webkit.org/show_bug.cgi?id=200833