Separate configuration extraction from offset extraction

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2018-10-12  Tadeu Zagallo  <tzagallo@apple.com>

        Separate configuration extraction from offset extraction
        https://bugs.webkit.org/show_bug.cgi?id=189708

        Reviewed by Keith Miller.

        Instead of generating a file with all offsets for every combination of
        configurations, we first generate a file with only the configuration
        indices and pass that to the offset extractor. The offset extractor then
        only generates the offsets for valid configurations

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntSettingsExtractor.cpp: Added.
        (main):
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/generate_settings_extractor.rb: Added.
        * offlineasm/offsets.rb:
        * offlineasm/settings.rb:

2018-10-12  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r237063.

        Caused layout test fast/dom/Window/window-postmessage-clone-
        deep-array.html to fail on macOS and iOS Debug bots.

        Reverted changeset:

        "[JSC] Remove gcc warnings on mips and armv7"
        https://bugs.webkit.org/show_bug.cgi?id=188598
        https://trac.webkit.org/changeset/237063

2018-10-11  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Remove gcc warnings on mips and armv7
        https://bugs.webkit.org/show_bug.cgi?id=188598

        Reviewed by Mark Lam.

        Fix many gcc/clang warnings that are false positives, mostly alignment
        issues.

        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printMemory):
        Use bitwise_cast instead of reinterpret_cast.
        * assembler/testmasm.cpp:
        (JSC::floatOperands):
        marked as potentially unused as it is not used on all platforms.
        (JSC::testProbeModifiesStackValues):
        modifiedFlags is not used on mips, so don't declare it.
        * bytecode/CodeBlock.h:
        Make ScriptExecutable::prepareForExecution() return an
        std::optional<Exception*> instead of a JSObject*.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        Update calling code for the prototype change of
        ScriptExecutable::prepareForExecution().
        * jit/JITOperations.cpp: Same as for Interpreter.cpp.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall): Same as for Interpreter.cpp.
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::dataStorage):
        Use bitwise_cast instead of reinterpret_cast.
        * runtime/ScriptExecutable.cpp:
        * runtime/ScriptExecutable.h:
        Make ScriptExecutable::prepareForExecution() return an
        std::optional<Exception*> instead of a JSObject*.
        * tools/JSDollarVM.cpp:
        (JSC::codeBlockFromArg): Use bitwise_cast instead of reinterpret_cast.

2018-10-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Use currentStackPointer more
        https://bugs.webkit.org/show_bug.cgi?id=190503

        Reviewed by Saam Barati.

        * runtime/VM.cpp:
        (JSC::VM::committedStackByteCount):

2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] JSC should have "parseFunction" to optimize Function constructor
        https://bugs.webkit.org/show_bug.cgi?id=190340

        Reviewed by Mark Lam.

        The current Function constructor is suboptimal. We parse the piece of the same code three times to meet
        the spec requirement. (1) check parameters syntax, (2) check body syntax, and (3) parse the entire function.
        And to parse 1-3 correctly, we create two strings, the parameters and the entire function. This operation
        is really costly and ideally we should meet the above requirement by the one time parsing.

        To meet the above requirement, we add a special function for Parser, parseSingleFunction. This function
        takes `std::optional<int> functionConstructorParametersEndPosition` and check this end position is correct in the parser.
        For example, if we run the code,

            Function('/*', '*/){')

        According to the spec, this should produce '/*' parameter string and '*/){' body string. And parameter
        string should be syntax-checked by the parser, and raise the error since it is incorrect. Instead of doing
        that, in our implementation, we first create the entire string.

            function anonymous(/*) {
                */){
            }

        And we parse it. At that time, we also pass the end position of the parameters to the parser. In the above case,
        the position of the `function anonymous(/*)' <> is passed. And in the parser, we check that the last token
        offset of the parameters is the given end position. This check allows us to raise the error correctly to the
        above example while we parse the entire function only once. And we do not need to create two strings too.

        This improves the performance of the Function constructor significantly. And web-tooling-benchmark/uglify-js is
        significantly sped up (28.2%).

        Before:
            uglify-js:  2.94 runs/s
        After:
            uglify-js:  3.77 runs/s

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseSingleFunction):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parseFunctionExpression):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        (JSC::Parser<LexerType>::parseArrowFunctionExpression):
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse):
        (JSC::parseFunctionForFunctionConstructor):
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition):
        (JSC::JSTokenLocation::JSTokenLocation): Deleted.
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::operator== const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/FunctionExecutable.h:

2018-10-11  Ross Kirsling  <ross.kirsling@sony.com>

        Fix non-existent define `CPU(JSVALUE64)`
        https://bugs.webkit.org/show_bug.cgi?id=190479

        Reviewed by Yusuke Suzuki.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsImpl):
        Correct CPU(JSVALUE64) to USE(JSVALUE64).

2018-10-11  Keith Rollin  <krollin@apple.com>

        CURRENT_ARCH should not be used in Run Script phase.
        https://bugs.webkit.org/show_bug.cgi?id=190407
        <rdar://problem/45133556>

        Reviewed by Alexey Proskuryakov.

        CURRENT_ARCH is used in a number of Xcode Run Script phases. However,
        CURRENT_ARCH is not well-defined during this phase (and may even have
        the value "undefined") since this phase is run just once per build
        rather than once per supported architecture. Migrate away from
        CURRENT_ARCH in favor of ARCHS, either by iterating over ARCHS and
        performing an operation for each value, or by picking the first entry
        in ARCHS and using that as a representative value.

        * JavaScriptCore.xcodeproj/project.pbxproj: Store
        LLIntDesiredOffsets.h into a directory with a name based on ARCHS
        rather than CURRENT_ARCH.

2018-10-10  Mark Lam  <mark.lam@apple.com>

        Changes towards allowing use of the ASAN detect_stack_use_after_return option.
        https://bugs.webkit.org/show_bug.cgi?id=190405
        <rdar://problem/45131464>

        Reviewed by Michael Saboff.

        The ASAN detect_stack_use_after_return option checks for use of stack variables
        after they have been freed.  It does this by allocating relevant stack variables
        in heap memory (instead of on the stack) if the code ever takes the address of
        those stack variables.  Unfortunately, this is a common idiom that we use to
        compute the approximate stack pointer value.  As a result, on such ASAN runs, the
        computed approximate stack pointer value will point into the heap instead of the
        stack.  This breaks the VM's expectations and wreaks havoc.

        To fix this, we use the newly introduced WTF::currentStackPointer() instead of
        taking the address of stack variables.

        We also need to enhance ExceptionScopes to be able to work with ASAN
        detect_stack_use_after_return which will allocated the scope in the heap.  We
        work around this by passing the current stack pointer of the instantiating calling
        frame into the scope constructor, and using that for the position check in
        ~ThrowScope() instead.

        The above is only a start towards enabling ASAN detect_stack_use_after_return on
        the VM.  There are still other issues to be resolved before we can run with this
        ASAN option.

        * runtime/CatchScope.h:
        * runtime/ExceptionEventLocation.h:
        (JSC::ExceptionEventLocation::ExceptionEventLocation):
        * runtime/ExceptionScope.h:
        (JSC::ExceptionScope::stackPosition const):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/ThrowScope.cpp:
        (JSC::ThrowScope::~ThrowScope):
        * runtime/ThrowScope.h:
        * runtime/VM.h:
        (JSC::VM::needExceptionCheck const):
        (JSC::VM::isSafeToRecurse const):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):

2018-10-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: create special Network waterfall for media events
        https://bugs.webkit.org/show_bug.cgi?id=189773
        <rdar://problem/44626605>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOM.json:
        Add `didFireEvent` event that is fired when specific event listeners added by
        `InspectorInstrumentation::addEventListenersToNode` are fired.

2018-10-10  Michael Saboff  <msaboff@apple.com>

        Increase executable memory pool from 64MB to 128MB for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=190453

        Reviewed by Saam Barati.

        * jit/ExecutableAllocator.cpp:

2018-10-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: notify the frontend when a canvas has started recording via console.record
        https://bugs.webkit.org/show_bug.cgi?id=190306

        Reviewed by Brian Burg.

        * inspector/protocol/Canvas.json:
        Add `recordingStarted` event.

        * inspector/protocol/Recording.json:
        Add `Initiator` enum for determining who started the recording.

2018-10-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Rename createXXX to tryCreateXXX if it can return RefPtr
        https://bugs.webkit.org/show_bug.cgi?id=190429

        Reviewed by Saam Barati.

        Some createXXX functions can fail. But sometimes the caller does not perform error checking.
        To make it explicit that these functions can fail, we rename these functions from createXXX
        to tryCreateXXX. In this patch, we focus on non-JS-managed factory functions. If the factory
        function does not fail, it should return Ref<>. Otherwise, it should be named as tryCreateXXX
        and it should return RefPtr<>.

        This patch mainly focuses on TypedArray factory functions. Previously, these functions are
        `RefPtr<XXXArray> create(...)`. This patch changes them to `RefPtr<XXXArray> tryCreate(...)`.
        And we also introduce `Ref<XXXArray> create(...)` function which internally performs
        RELEASE_ASSERT on the result of `tryCreate(...)`.

        And we also convert OpaqueJSString::create to OpaqueJSString::tryCreate since it can fail.

        This change actually finds one place which does not perform any null checkings while it uses
        `RefPtr<> create(...)` function.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSClassRef.h:
        (StaticValueEntry::StaticValueEntry):
        * API/JSContext.mm:
        (-[JSContext evaluateScript:withSourceURL:]):
        (-[JSContext setName:]):
        * API/JSContextRef.cpp:
        (JSGlobalContextCopyName):
        (JSContextCreateBacktrace):
        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * API/JSScriptRef.cpp:
        * API/JSStringRef.cpp:
        (JSStringCreateWithCharactersNoCopy):
        * API/JSValue.mm:
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
        (+[JSValue valueWithNewErrorFromMessage:inContext:]):
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
        (performPropertyOperation):
        (-[JSValue invokeMethod:withArguments:]):
        (containerValueToObject):
        (objectToValueWithoutCopy):
        (objectToValue):
        * API/JSValueRef.cpp:
        (JSValueCreateJSONString):
        (JSValueToStringCopy):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::tryCreate):
        (OpaqueJSString::create): Deleted.
        * API/OpaqueJSString.h:
        * API/glib/JSCContext.cpp:
        (evaluateScriptInContext):
        * API/glib/JSCValue.cpp:
        (jsc_value_new_string_from_bytes):
        * ftl/FTLLazySlowPath.h:
        (JSC::FTL::LazySlowPath::createGenerator):
        * ftl/FTLLazySlowPathCall.h:
        (JSC::FTL::createLazyCallGenerator):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExitDescriptor::emitOSRExit):
        (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
        (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
        * ftl/FTLOSRExit.h:
        * ftl/FTLPatchpointExceptionHandle.cpp:
        (JSC::FTL::PatchpointExceptionHandle::create):
        (JSC::FTL::PatchpointExceptionHandle::createHandle):
        * ftl/FTLPatchpointExceptionHandle.h:
        * heap/EdenGCActivityCallback.h:
        (JSC::GCActivityCallback::tryCreateEdenTimer):
        (JSC::GCActivityCallback::createEdenTimer): Deleted.
        * heap/FullGCActivityCallback.h:
        (JSC::GCActivityCallback::tryCreateFullTimer):
        (JSC::GCActivityCallback::createFullTimer): Deleted.
        * heap/GCActivityCallback.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * inspector/AsyncStackTrace.cpp:
        (Inspector::AsyncStackTrace::create):
        * inspector/AsyncStackTrace.h:
        * jsc.cpp:
        (fillBufferWithContentsOfFile):
        * runtime/ArrayBuffer.h:
        * runtime/GenericTypedArrayView.h:
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::GenericTypedArrayView<Adaptor>::create):
        (JSC::GenericTypedArrayView<Adaptor>::tryCreate):
        (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
        (JSC::GenericTypedArrayView<Adaptor>::tryCreateUninitialized):
        (JSC::GenericTypedArrayView<Adaptor>::subarray const):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::possiblySharedImpl):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::possiblySharedTypedImpl):
        (JSC::JSGenericTypedArrayView<Adaptor>::unsharedTypedImpl):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::tryCreate):
        * wasm/WasmMemory.h:
        * wasm/WasmTable.cpp:
        (JSC::Wasm::Table::tryCreate):
        (JSC::Wasm::Table::create): Deleted.
        * wasm/WasmTable.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):

2018-10-09  Devin Rousso  <drousso@apple.com>

        Web Inspector: show redirect requests in Network and Timelines tabs
        https://bugs.webkit.org/show_bug.cgi?id=150005
        <rdar://problem/5378164>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Network.json:
        Add missing fields to `ResourceTiming`.

2018-10-09  Claudio Saavedra  <csaavedra@igalia.com>

        [WPE] Explicitly link against gmodule where used
        https://bugs.webkit.org/show_bug.cgi?id=190398

        Reviewed by Michael Catanzaro.

        * PlatformWPE.cmake:

2018-10-08  Justin Fan  <justin_fan@apple.com>

        WebGPU: Rename old WebGPU prototype to WebMetal
        https://bugs.webkit.org/show_bug.cgi?id=190325
        <rdar://problem/44990443>

        Reviewed by Dean Jackson.

        Rename WebGPU prototype files to WebMetal in preparation for implementing the new (Oct 2018) WebGPU interface.

        * Configurations/FeatureDefines.xcconfig:
        * inspector/protocol/Canvas.json:
        * inspector/scripts/codegen/generator.py:

2018-10-08  Aditya Keerthi  <akeerthi@apple.com>

        Make <input type=color> a runtime enabled (on-by-default) feature
        https://bugs.webkit.org/show_bug.cgi?id=189162

        Reviewed by Wenson Hsieh and Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2018-10-08  Devin Rousso  <drousso@apple.com>

        Web Inspector: group media network entries by the node that triggered the request
        https://bugs.webkit.org/show_bug.cgi?id=189606
        <rdar://problem/44438527>

        Reviewed by Brian Burg.

        * inspector/protocol/Network.json:
        Add an optional `nodeId` field to the `Initiator` object that is set it is possible to
        determine which ancestor node triggered the load. It may not correspond directly to the node
        with the href/src, as that url may only be used by an ancestor for loading.

2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC][Linux] Use non-truncated name for JIT workers in Linux
        https://bugs.webkit.org/show_bug.cgi?id=190339

        Reviewed by Mark Lam.

        The current thread names are meaningless in Linux environment. We do not want to
        have truncated name in Linux: we want to have clear name in Linux. Instead, we
        should have the name for Linux separately from the name used in the non-Linux
        environments. This patch adds FTLWorker, DFGWorker, and JITWorker names for
        Linux environment.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::createWorklistName):
        (JSC::DFG::Worklist::Worklist):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
        * jit/JITWorklist.cpp:

2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Name Heap threads
        https://bugs.webkit.org/show_bug.cgi?id=190337

        Reviewed by Mark Lam.

        Name heap threads as "Heap Helper Thread". In Linux, we name it "HeapHelper" since
        Linux does not accept the name longer than 15. We do not want to use the short name
        for non-Linux environment. And we want to have clear name in Linux: truncated name
        is not good. So, having the two names is the only way.

        * heap/HeapHelperPool.cpp:
        (JSC::heapHelperPool):

2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Avoid creating ProgramExecutable in checkSyntax
        https://bugs.webkit.org/show_bug.cgi?id=190332

        Reviewed by Mark Lam.

        uglify-js in web-tooling-benchmark executes massive number of Function constructor calls.
        In Function constructor code, we perform checkSyntax for body and parameters. So fast checkSyntax
        is important when the performance of Function constructor matters. Current checkSyntax code
        unnecessarily allocates ProgramExecutable. This patch removes this allocation and improves
        the benchmark score slightly.

        Before:
            uglify-js:  2.87 runs/s
        After:
            uglify-js:  2.94 runs/s

        * runtime/Completion.cpp:
        (JSC::checkSyntaxInternal):
        (JSC::checkSyntax):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::checkSyntax): Deleted.
        * runtime/ProgramExecutable.h:

2018-10-06  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "|"
        https://bugs.webkit.org/show_bug.cgi?id=186229

        Reviewed by Yusuke Suzuki.

        This patch is introducing support for BigInt into bitwise "or" operator.
        In addition, we are also introducing 2 new DFG nodes, named "ArithBitOr" and
        "ValueBitOr", to replace "BitOr" node. The idea is to follow the
        difference that we make on Arith<op> and Value<op>, where ArithBitOr
        handles cases when the operands are Int32 and ValueBitOr handles
        the remaining cases.

        We are also changing op_bitor to use ValueProfile. We are using
        ValueProfile during DFG generation to emit "ArithBitOr" when
        outcome prediction is Int32.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::arithProfileForPC):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitBinaryOp):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::bitwiseOp):
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
        (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::bitOp):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitOr):
        (JSC::FTL::DFG::LowerDFGToB3::compileBitOr): Deleted.
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_bitor):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::bitwiseAnd):
        (JSC::JSBigInt::bitwiseOr):
        (JSC::JSBigInt::absoluteBitwiseOp):
        (JSC::JSBigInt::absoluteAddOne):
        * runtime/JSBigInt.h:

2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Use new extra memory reporting in SparseArrayMap
        https://bugs.webkit.org/show_bug.cgi?id=190278

        Reviewed by Keith Miller.

        This patch switches the extra memory reporting mechanism from deprecatedReportExtraMemory
        to reportExtraMemoryAllocated & reportExtraMemoryVisited in SparseArrayMap.

        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::add):
        (JSC::SparseArrayValueMap::visitChildren):

2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC][Linux] Support Perf JITDump logging
        https://bugs.webkit.org/show_bug.cgi?id=189893

        Reviewed by Mark Lam.

        This patch adds Linux `perf` command's JIT Dump support. It allows JSC to tell perf about JIT code information.
        We add a command line option, `--logJITCodeForPerf`, which dumps `jit-%pid.dump` in the current directory.
        By using this dump and perf.data output, we can annotate JIT code with profiling information.

            $ echo "(function f() { var s = 0; for (var i = 0; i < 1000000000; i++) { s += i; } return s; })();" > test.js
            $ perf record -k mono ../../WebKitBuild/perf/Release/bin/jsc test.js --logJITCodeForPerf=true
            [ perf record: Woken up 1 times to write data ]
            [ perf record: Captured and wrote 0.182 MB perf.data (4346 samples) ]
            $ perf inject --jit -i perf.data -o perf.jit.data
            $ perf report -i perf.jit.data

        * Sources.txt:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * assembler/PerfLog.cpp: Added.
        (JSC::PerfLog::singleton):
        (JSC::generateTimestamp):
        (JSC::getCurrentThreadID):
        (JSC::PerfLog::PerfLog):
        (JSC::PerfLog::write):
        (JSC::PerfLog::flush):
        (JSC::PerfLog::log):
        * assembler/PerfLog.h: Added.
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        * runtime/Options.h:

2018-10-05  Mark Lam  <mark.lam@apple.com>

        Gardening: Build fix after r236880.
        https://bugs.webkit.org/show_bug.cgi?id=190317

        Unreviewed.

        * jit/ExecutableAllocator.h:

2018-10-05  Mark Lam  <mark.lam@apple.com>

        performJITMemcpy() should handle the case when the executable allocator is not initialized yet.
        https://bugs.webkit.org/show_bug.cgi?id=190317
        <rdar://problem/45039398>

        Reviewed by Saam Barati.

        When SeparatedWXHeaps is in use, jitWriteThunkGenerator() will call performJITMemcpy()
        to copy memory before the JIT fixed memory pool is initialize.  Before r236864,
        performJITMemcpy() would just do a memcpy in that case.  We need to restore the
        equivalent behavior.

        * jit/ExecutableAllocator.cpp:
        (JSC::isJITPC):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):

2018-10-05  Carlos Eduardo Ramalho  <cadubentzen@gmail.com>

        [WPE][JSC] Use Unified Sources for Platform-specific sources
        https://bugs.webkit.org/show_bug.cgi?id=190300

        Reviewed by Yusuke Suzuki.

        Currently the GTK port already used Unified Sources with the same source files.
        As WPE has conditional code using gmodule, we need to add GLIB_GMODULE_LIBRARIES
        to the list of libraries to link with.

        * PlatformWPE.cmake:
        * SourcesWPE.txt: Added.
        * shell/PlatformWPE.cmake:

2018-10-05  Mike Gorse  <mgorse@alum.wpi.edu>

        [GTK] build fails with python 3 if LANG and LC_TYPE are unset
        https://bugs.webkit.org/show_bug.cgi?id=190258

        Reviewed by Konstantin Tokarev.

        * Scripts/cssmin.py: Set stdout to UTF-8 on python 3.
        * Scripts/generateIntlCanonicalizeLanguage.py: Open files with
          encoding=UTF-8 on Python 3.
        * yarr/generateYarrCanonicalizeUnicode: Ditto.
        * yarr/generateYarrUnicodePropertyTables.py: Ditto.

2018-10-04  Mark Lam  <mark.lam@apple.com>

        Move start/EndOfFixedExecutableMemoryPool pointers into the FixedVMPoolExecutableAllocator object.
        https://bugs.webkit.org/show_bug.cgi?id=190295
        <rdar://problem/19197193>

        Reviewed by Saam Barati.

        This allows us to use the tagging logic already baked into MacroAssemblerCodePtr
        instead of needing to use our own custom version here.

        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::memoryStart):
        (JSC::FixedVMPoolExecutableAllocator::memoryEnd):
        (JSC::FixedVMPoolExecutableAllocator::isJITPC):
        (JSC::ExecutableAllocator::allocate):
        (JSC::startOfFixedExecutableMemoryPoolImpl):
        (JSC::endOfFixedExecutableMemoryPoolImpl):
        (JSC::isJITPC):
        * jit/ExecutableAllocator.h:

2018-10-04  Mark Lam  <mark.lam@apple.com>

        Disable Options::useWebAssemblyFastMemory() on linux if ASAN signal handling is not disabled.
        https://bugs.webkit.org/show_bug.cgi?id=190283
        <rdar://problem/45015752>

        Reviewed by Keith Miller.

        * runtime/Options.cpp:
        (JSC::Options::initialize):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::enableFastMemory):

2018-10-03  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] print() changes CRLF to CRCRLF on Windows
        https://bugs.webkit.org/show_bug.cgi?id=190228

        Reviewed by Mark Lam.

        * jsc.cpp:
        (main):
        Ultimately, this is just the normal behavior of printf in text mode on Windows.
        Since we're reading in files as binary, we need to be printing out as binary too
        (just as we do in DumpRenderTree and ImageDiff.)

2018-10-03  Saam barati  <sbarati@apple.com>

        lowXYZ in FTLLower should always filter the type of the incoming edge
        https://bugs.webkit.org/show_bug.cgi?id=189939
        <rdar://problem/44407030>

        Reviewed by Michael Saboff.

        For example, the FTL may know more about data flow than AI in certain programs,
        and it needs to inform AI of these data flow properties to appease the assertion
        we have in AI that a node must perform type checks on its child nodes.
        
        For example, consider this program:
        
        ```
        bb#1
        a: Phi // Let's say it has an Int32 result, so it goes into the int32 hash table in FTLLower
        Branch(...,  #2, #3)
        
        bb#2
        ArrayifyToStructure(Cell:@a) // This modifies @a to have the its previous type union the type of some structure set.
        Jump(#3)
        
        bb#3
        c: Add(Int32:@something, Int32:@a)
        ```
        
        When the Add node does lowInt32() for @a, FTL lower used to just grab it
        from the int32 hash table without filtering the AbstractValue. However,
        the parent node is asking for a type check to happen, so we must inform
        AI of this "type check" if we want to appease the assertion that all nodes
        perform type checks for their edges that semantically perform type checks.
        This patch makes it so we filter the AbstractValue in the lowXYZ even
        if FTLLower proved the value must be XYZ.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePhi):
        (JSC::FTL::DFG::LowerDFGToB3::simulatedTypeCheck):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):

2018-10-03  Michael Saboff  <msaboff@apple.com>

        Command line jsc should report memory footprint in bytes
        https://bugs.webkit.org/show_bug.cgi?id=190267

        Reviewed by Mark Lam.

        Change to leave the footprint values from the system unmodified.

        * jsc.cpp:
        (JSCMemoryFootprint::finishCreation):

2018-10-03  Mark Lam  <mark.lam@apple.com>

        Suppress unreachable code warning for LLIntAssembly.h code.
        https://bugs.webkit.org/show_bug.cgi?id=190263
        <rdar://problem/44986532>

        Reviewed by Saam Barati.

        This is needed because LLIntAssembly.h is template generated from LowLevelInterpreter
        asm files, and may contain dead code which are harmless, but will trip up the warning.
        We should suppress the warning so that it doesn't break builds.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):

2018-10-03  Dan Bernstein  <mitz@apple.com>

        JavaScriptCore part of [Xcode] Update some build settings as recommended by Xcode 10
        https://bugs.webkit.org/show_bug.cgi?id=190250

        Reviewed by Alex Christensen.

        * API/tests/Regress141275.mm:
        (-[JSTEvaluator _sourcePerform]): Addressed newly-enabled CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF
          by making the self-retaining explicit.

        * API/tests/testapi.cpp:
        (testCAPIViaCpp): Addressed newly-enabled CLANG_WARN_UNREACHABLE_CODE by breaking out of the
          loop instead of returning from the lambda.

        * Configurations/Base.xcconfig: Enabled CLANG_WARN_COMMA, CLANG_WARN_UNREACHABLE_CODE,
          CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS, CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF, and
          CLANG_ANALYZER_LOCALIZABILITY_NONLOCALIZED.

        * JavaScriptCore.xcodeproj/project.pbxproj: Removed a duplicate reference to
          UnlinkedFunctionExecutable.h, and let Xcode update the project file.

        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printAllRegisters): Addressed newly-enabled CLANG_WARN_COMMA by replacing
          some commas with semicolons.

2018-10-03  Mark Lam  <mark.lam@apple.com>

        Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
        https://bugs.webkit.org/show_bug.cgi?id=190187
        <rdar://problem/42512909>

        Reviewed by Michael Saboff.

        Allowing different max string lengths at each level opens up opportunities for
        bugs to creep in.  With 2 different max length values, it is more difficult to
        keep the story straight on how we do overflow / bounds checks at each place in
        the code.  It's also difficult to tell if a seemingly valid check at the WTF level
        will have bad ramifications at the JSC level.  Also, it's also not meaningful to
        support a max length > INT_MAX.  To eliminate this class of bugs, we'll
        standardize on a MaxLength of INT_MAX at all levels.

        We'll also standardize the way we do length overflow checks on using
        CheckedArithmetic, and add some asserts to document the assumptions of the code.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        - Fix OOM error handling which crashed a test after the new MaxLength was applied.
        * runtime/JSString.h:
        (JSC::JSString::finishCreation):
        (JSC::JSString::createHasOtherOwner):
        (JSC::JSString::setLength):
        * runtime/JSStringInlines.h:
        (JSC::jsMakeNontrivialString):
        * runtime/Operations.h:
        (JSC::jsString):

2018-10-03  Koby Boyango  <koby.b@mce-sys.com>

        [JSC] Add a C++ callable overload of objectConstructorSeal
        https://bugs.webkit.org/show_bug.cgi?id=190137

        Reviewed by Yusuke Suzuki.

        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectConstructor.h:

2018-10-02  Dominik Infuehr  <dinfuehr@igalia.com>

        Fix Disassembler-output on ARM Thumb2
        https://bugs.webkit.org/show_bug.cgi?id=190203

        On ARMv7 with Thumb2 addresses have bit 0 set to 1 to force
        execution in thumb mode for jumps and calls. The actual machine
        instructions are still aligned to 2-bytes though. Use dataLocation() as
        start address for disassembling since it unsets the thumb bit.
        Until now the disassembler would start at the wrong address (off by 1),
        resulting in the wrong disassembled machine instructions.

        Reviewed by Mark Lam.

        * disassembler/CapstoneDisassembler.cpp:
        (JSC::tryToDisassemble):

2018-10-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Add stub of ExecutableAllocator used when JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=190215

        Reviewed by Mark Lam.

        When ENABLE(JIT) is disabled, we do not use JIT. But we ExecutableAllocator is still available since
        it is guarded by ENABLE(ASSEMBLER). ENABLE(ASSEMBLER) is necessary for LLInt ASM interpreter since
        our MacroAssembler tells machine architecture information. Eventually, we would like to decouple
        this machine architecture information from MacroAssembler. But for now, we use ENABLE(ASSEMBLER)
        for LLInt ASM interpreter even if JIT is disabled by ENABLE(JIT).

        To ensure any executable memory allocation is not done, we add a stub of ExecutableAllocator for
        non-JIT configurations. This does not have any functionality allocating executable memory, thus
        any accidental operation cannot attempt to allocate executable memory if ENABLE(JIT) = OFF.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::singleton):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::isValid const):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        (JSC::ExecutableAllocator::dumpProfile):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::isValidExecutableMemory):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::getLock const):
        (JSC::performJITMemcpy):

2018-10-01  Dean Jackson  <dino@apple.com>

        Remove CSS Animation Triggers
        https://bugs.webkit.org/show_bug.cgi?id=190175
        <rdar://problem/44925626>

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2018-10-02  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
        https://bugs.webkit.org/show_bug.cgi?id=190033

        Reviewed by Yusuke Suzuki.

        The implementation of JSBigInt::toStringToGeneric doesn't handle power
        of 2 radix when JSBigInt length is >= 2. To handle such cases, we
        implemented JSBigInt::toStringBasePowerOfTwo that follows the
        algorithm that groups bits using mask of (2 ^ n) - 1 to extract every
        digit.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::toStringBasePowerOfTwo):
        * runtime/JSBigInt.h:

2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Add branchIfNaN and branchIfNotNaN
        https://bugs.webkit.org/show_bug.cgi?id=190122

        Reviewed by Mark Lam.

        Add AssemblyHelpers::{branchIfNaN, branchIfNotNaN} to make code more readable.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileNewArray):
        (JSC::DFG::SpeculativeJIT::speculateRealNumber):
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal):
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfNaN):
        (JSC::AssemblyHelpers::branchIfNotNaN):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGenericContiguousPutByVal):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):

2018-10-01  Mark Lam  <mark.lam@apple.com>

        Function.toString() should also copy the source code Functions that are class definitions.
        https://bugs.webkit.org/show_bug.cgi?id=190186
        <rdar://problem/44733360>

        Reviewed by Saam Barati.

        Previously, if the Function is a class definition, functionProtoFuncToString()
        would create a String using StringView::toStringWithoutCopying(), and use that
        String to make a JSString.  This is not a problem if the underlying SourceProvider
        (that backs the characters in that StringView) is immortal.  However, this is
        not always the case in practice.

        This patch fixes this issue by changing functionProtoFuncToString() to create the
        String using StringView::toString() instead, which makes a copy of the underlying
        characters buffer.  This detaches the resultant JSString from the SourceProvider
        characters buffer that it was created from, and ensure that the underlying
        characters buffer of the string will be alive for the entire lifetime of the
        JSString.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-10-01  Keith Miller  <keith_miller@apple.com>

        Create a RELEASE_AND_RETURN macro for ExceptionScopes
        https://bugs.webkit.org/show_bug.cgi?id=190163

        Reviewed by Mark Lam.

        The new RELEASE_AND_RETURN does all the work for cases
        where you want to return the result of some expression
        without explicitly checking for an exception. This is
        much like the existing RETURN_IF_EXCEPTION macro.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jsc.cpp:
        (functionDollarAgentReceiveBroadcast):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::varargsSetup):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::toJSON const):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::fastJoin):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        * runtime/BigIntConstructor.cpp:
        (JSC::toBigInt):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opInByVal):
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/DateConstructor.cpp:
        (JSC::dateParse):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToPrimitiveSymbol):
        * runtime/DirectArguments.h:
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionScope.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/GetterSetter.cpp:
        (JSC::callGetter):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorFuncCompare):
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatFuncFormatDateTime):
        (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatFuncFormatNumber):
        (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::intlNumberOption):
        * runtime/IntlObjectInlines.h:
        (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::resolvedOptions):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        * runtime/IntlPluralRulesPrototype.cpp:
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        (JSC::JSArray::setLength):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoGetterFuncByteLength):
        (JSC::sharedArrayBufferProtoGetterFuncByteLength):
        * runtime/JSArrayInlines.h:
        (JSC::toLength):
        * runtime/JSBoundFunction.cpp:
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toIndex const):
        (JSC::JSValue::toPropertyKey const):
        (JSC::JSValue::get const):
        (JSC::JSValue::getPropertySlot const):
        (JSC::JSValue::getOwnPropertySlot const):
        (JSC::JSValue::equalSlowCaseInline):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::put):
        (JSC::JSDataView::defineOwnProperty):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncJoin):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::put):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode):
        (JSC::globalFuncEval):
        (JSC::globalFuncProtoGetter):
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::put):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::provideFetch):
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::requestImportModule):
        (JSC::JSModuleLoader::getModuleNamespaceObject):
        (JSC::moduleLoaderRequestedModules):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::toJSON):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSObject.cpp:
        (JSC::ordinarySetSlow):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::toPrimitive const):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::toNumber const):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::defineOwnNonIndexProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::get const):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getPropertySlot const):
        (JSC::JSObject::putInlineForJSObject):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::objectConstructorGetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorGetOwnPropertySymbols):
        (JSC::objectConstructorKeys):
        (JSC::objectConstructorDefineProperty):
        (JSC::objectConstructorDefineProperties):
        (JSC::objectConstructorCreate):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsLess):
        (JSC::jsLessEq):
        * runtime/ParseInt.h:
        (JSC::toStringView):
        * runtime/ProxyConstructor.cpp:
        (JSC::constructProxyObject):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::toStringName):
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::putByIndexCommon):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        (JSC::reflectObjectDefineProperty):
        (JSC::reflectObjectGet):
        (JSC::reflectObjectGetOwnPropertyDescriptor):
        (JSC::reflectObjectGetPrototypeOf):
        (JSC::reflectObjectOwnKeys):
        (JSC::reflectObjectSet):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        (JSC::RegExpObject::matchGlobal):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTestFast):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncToString):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayEntry::put):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromCodePoint):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
        (JSC::replaceUsingStringSearch):
        (JSC::repeatCharacter):
        (JSC::replace):
        (JSC::stringProtoFuncReplaceUsingRegExp):
        (JSC::stringProtoFuncReplaceUsingStringSearch):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::toLocaleCase):
        (JSC::trimString):
        (JSC::stringProtoFuncIncludes):
        (JSC::builtinStringIncludesInternal):
        (JSC::normalize):
        (JSC::stringProtoFuncNormalize):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * tools/JSDollarVM.cpp:
        (WTF::functionWasmStreamingParserAddBytes):
        (JSC::functionGetPrivateProperty):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::constructJSWebAssemblyModule):
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::callWebAssemblyWrapperFunction):

2018-10-01  Koby Boyango  <koby.b@mce-sys.com>

        [JSC] Add a JSONStringify overload that receives a JSValue space
        https://bugs.webkit.org/show_bug.cgi?id=190131

        Reviewed by Yusuke Suzuki.

        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:

2018-10-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r236647.
        https://bugs.webkit.org/show_bug.cgi?id=190124

        Breaking test stress/big-int-to-string.js (Requested by
        caiolima_ on #webkit).

        Reverted changeset:

        "[BigInt] BigInt.proptotype.toString is broken when radix is
        power of 2"
        https://bugs.webkit.org/show_bug.cgi?id=190033
        https://trac.webkit.org/changeset/236647

2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [WebAssembly] Move type conversion code of JSToWasm return type to JS wasm wrapper
        https://bugs.webkit.org/show_bug.cgi?id=189498

        Reviewed by Saam Barati.

        To call JS-to-Wasm code we need to convert the result value from wasm function to
        the JS type. Previously this is done by callWebAssemblyFunction by using swtich
        over signature.returnType(). But since we know the value of `signature.returnType()`
        at compiling phase, we can emit a small conversion code directly to JSToWasm glue
        and remove this switch from callWebAssemblyFunction.

        In JSToWasm glue code, we do not have tag registers. So we use DoNotHaveTagRegisters
        in boxInt32 and boxDouble. Since boxDouble does not have DoNotHaveTagRegisters version,
        we add an implementation for that.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::boxDouble):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2018-09-30  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
        https://bugs.webkit.org/show_bug.cgi?id=190033

        Reviewed by Yusuke Suzuki.

        The implementation of JSBigInt::toStringToGeneric doesn't handle power
        of 2 radix when JSBigInt length is >= 2. To handle such cases, we
        implemented JSBigInt::toStringBasePowerOfTwo that follows the
        algorithm that groups bits using mask of (2 ^ n) - 1 to extract every
        digit.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::toStringBasePowerOfTwo):
        * runtime/JSBigInt.h:

2018-09-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "&"
        https://bugs.webkit.org/show_bug.cgi?id=186228

        Reviewed by Yusuke Suzuki.

        This patch introduces support of BigInt into bitwise "&" operation.
        We are also introducing the ValueBitAnd DFG node, that is responsible
        to take care of JIT for non-Int32 operands. With the introduction of this
        new node, we renamed the BitAnd node to ArithBitAnd. The ArithBitAnd
        follows the behavior of ArithAdd and other arithmetic nodes, where
        the Arith<op> version always results in Number (in the case of
        ArithBitAnd, its is always an Int32).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitBinaryOp):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
        (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::bitOp):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitAnd):
        (JSC::FTL::DFG::LowerDFGToB3::compileBitAnd): Deleted.
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitBitBinaryOpFastPath):
        (JSC::JIT::emit_op_bitand):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::initialize):
        (JSC::JSBigInt::createZero):
        (JSC::JSBigInt::createFrom):
        (JSC::JSBigInt::bitwiseAnd):
        (JSC::JSBigInt::absoluteBitwiseOp):
        (JSC::JSBigInt::absoluteAnd):
        (JSC::JSBigInt::absoluteOr):
        (JSC::JSBigInt::absoluteAndNot):
        (JSC::JSBigInt::absoluteAddOne):
        (JSC::JSBigInt::absoluteSubOne):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toBigIntOrInt32 const):

2018-09-28  Mark Lam  <mark.lam@apple.com>

        Gardening: speculative build fix.
        <rdar://problem/44869924>

        Not reviewed.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):

2018-09-28  Guillaume Emont  <guijemont@igalia.com>

        [JSC] [Armv7] Add a copy function argument to MacroAssemblerARMv7::link() and pass it down to the assembler's linking functions.
        https://bugs.webkit.org/show_bug.cgi?id=190080

        Reviewed by Mark Lam.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::linkJumpT1):
        (JSC::ARMv7Assembler::linkJumpT2):
        (JSC::ARMv7Assembler::linkJumpT3):
        (JSC::ARMv7Assembler::linkJumpT4):
        (JSC::ARMv7Assembler::linkConditionalJumpT4):
        (JSC::ARMv7Assembler::linkBX):
        (JSC::ARMv7Assembler::linkConditionalBX):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::link):

2018-09-27  Saam barati  <sbarati@apple.com>

        Verify the contents of AssemblerBuffer on arm64e
        https://bugs.webkit.org/show_bug.cgi?id=190057
        <rdar://problem/38916630>

        Reviewed by Mark Lam.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::ARM64Assembler):
        (JSC::ARM64Assembler::fillNops):
        (JSC::ARM64Assembler::link):
        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        (JSC::ARM64Assembler::unlinkedCode): Deleted.
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::fillNops):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::unlinkedCode): Deleted.
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::emitNops):
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        * assembler/AssemblerBuffer.h:
        (JSC::ARM64EHash::ARM64EHash):
        (JSC::ARM64EHash::update):
        (JSC::ARM64EHash::hash const):
        (JSC::ARM64EHash::randomSeed const):
        (JSC::AssemblerBuffer::AssemblerBuffer):
        (JSC::AssemblerBuffer::putShort):
        (JSC::AssemblerBuffer::putIntUnchecked):
        (JSC::AssemblerBuffer::putInt):
        (JSC::AssemblerBuffer::hash const):
        (JSC::AssemblerBuffer::data const):
        (JSC::AssemblerBuffer::putIntegralUnchecked):
        (JSC::AssemblerBuffer::append): Deleted.
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::fillNops):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::jumpsToLink):
        (JSC::MacroAssemblerARM64::link):
        (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::jumpsToLink):
        (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):

2018-09-27  Mark Lam  <mark.lam@apple.com>

        ByValInfo should not use integer offsets.
        https://bugs.webkit.org/show_bug.cgi?id=190070
        <rdar://problem/44803430>

        Reviewed by Saam Barati.

        Also moved some fields around to allow the ByValInfo struct to be more densely packed.

        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):

2018-09-27  Saam barati  <sbarati@apple.com>

        DFG::OSRExit::m_patchableCodeOffset should not be an int
        https://bugs.webkit.org/show_bug.cgi?id=190066
        <rdar://problem/39498244>

        Reviewed by Mark Lam.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::codeLocationForRepatch const):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
        (JSC::DFG::OSRExit::correctJump): Deleted.
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompilationInfo.h:

2018-09-27  Saam barati  <sbarati@apple.com>

        Don't use int offsets in StructureStubInfo
        https://bugs.webkit.org/show_bug.cgi?id=190064
        <rdar://problem/44784719>

        Reviewed by Mark Lam.

        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::slowPathCallLocation):
        (JSC::StructureStubInfo::doneLocation):
        (JSC::StructureStubInfo::slowPathStartLocation):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITInlineCacheGenerator::finalize):

2018-09-27  Mark Lam  <mark.lam@apple.com>

        DFG::OSREntry::m_machineCodeOffset should be a CodeLocation.
        https://bugs.webkit.org/show_bug.cgi?id=190054
        <rdar://problem/44803543>

        Reviewed by Saam Barati.

        * dfg/DFGJITCode.h:
        (JSC::DFG::JITCode::appendOSREntryData):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::OSREntryData::dumpInContext const):
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * runtime/JSCPtrTag.h:

2018-09-27  Mark Lam  <mark.lam@apple.com>

        JITMathIC should not use integer offsets into machine code.
        https://bugs.webkit.org/show_bug.cgi?id=190030
        <rdar://problem/44803307>

        Reviewed by Saam Barati.

        We'll replace them with CodeLocation smart pointers instead.

        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):

2018-09-26  Mark Lam  <mark.lam@apple.com>

        Options::useSeparatedWXHeap() should always be false when ENABLE(FAST_JIT_PERMISSIONS) && CPU(ARM64E).
        https://bugs.webkit.org/show_bug.cgi?id=190022
        <rdar://problem/44800928>

        Reviewed by Saam Barati.

        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2018-09-26  Mark Lam  <mark.lam@apple.com>

        Assert that performJITMemcpy() is always called with instruction size aligned addresses on ARM64.
        https://bugs.webkit.org/show_bug.cgi?id=190016
        <rdar://problem/44802875>

        Reviewed by Saam Barati.

        Also assert in performJITMemcpy() that the entire buffer to be copied will fit in
        JIT memory.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::fillNops):
        (JSC::ARM64Assembler::replaceWithVMHalt):
        (JSC::ARM64Assembler::replaceWithJump):
        (JSC::ARM64Assembler::replaceWithLoad):
        (JSC::ARM64Assembler::replaceWithAddressComputation):
        (JSC::ARM64Assembler::setPointer):
        (JSC::ARM64Assembler::repatchInt32):
        (JSC::ARM64Assembler::repatchCompact):
        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):

2018-09-25  Keith Miller  <keith_miller@apple.com>

        Move Symbol API to SPI
        https://bugs.webkit.org/show_bug.cgi?id=189946

        Reviewed by Michael Saboff.

        Some of the property access methods on JSValue needed to be moved
        to a category so that SPI overloads don't result in a compiler
        error for internal users.

        Additionally, this patch does not move the new enum entry for
        Symbols in the JSType enumeration.

        * API/JSObjectRef.h:
        * API/JSObjectRefPrivate.h:
        * API/JSValue.h:
        * API/JSValuePrivate.h:
        * API/JSValueRef.h:

2018-09-26  Keith Miller  <keith_miller@apple.com>

        We should zero unused property storage when rebalancing array storage.
        https://bugs.webkit.org/show_bug.cgi?id=188151

        Reviewed by Michael Saboff.

        In unshiftCountSlowCase we sometimes will move property storage to the right even when net adding elements.
        This can happen because we "balance" the pre/post-capacity in that code so we need to zero the unused
        property storage.

        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):

2018-09-26  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, add scope verification handling
        https://bugs.webkit.org/show_bug.cgi?id=189780

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):

2018-09-26  Koby Boyango  <koby.b@mce.systems>

        [JSC] offlineasm parser should handle CRLF in asm files
        https://bugs.webkit.org/show_bug.cgi?id=189949

        Reviewed by Mark Lam.

        * offlineasm/parser.rb:

2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Array#lastIndexOf
        https://bugs.webkit.org/show_bug.cgi?id=189780

        Reviewed by Saam Barati.

        Optimize Array#lastIndexOf as the same to Array#indexOf. We add a fast path
        for JSArray with contiguous storage.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncLastIndexOf):

2018-09-25  Saam Barati  <sbarati@apple.com>

        Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=189940
        <rdar://problem/43640987>

        Reviewed by Mark Lam.

        We were calling baselineCodeBlockForOriginAndBaselineCodeBlock with the FTL
        CodeBlock. There is nothing semantically wrong with doing that (except for
        poor naming), however, the poor naming here led us to make a real semantic
        mistake. We wanted the baseline CodeBlock's constant pool, but we were
        accessing the FTL CodeBlock's constant pool accidentally. We need to
        access the baseline CodeBlock's constant pool when we update the NewArrayBuffer
        constant value.

        * bytecode/InlineCallFrame.h:
        (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):

2018-09-25  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Stricter block syntax in generated ObjC protocol interfaces
        https://bugs.webkit.org/show_bug.cgi?id=189962
        <rdar://problem/44648287>

        Reviewed by Brian Burg.

        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator._callback_block_for_command):
        If there are no return parameters include "void" in the block signature.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        Rebaseline test results.

2018-09-24  Joseph Pecoraro  <pecoraro@apple.com>

        Remove AUTHORS and THANKS files which are stale
        https://bugs.webkit.org/show_bug.cgi?id=189941

        Reviewed by Darin Adler.

        Included mentions below so their names are still in ChangeLogs.

        * AUTHORS: Removed.
        Harri Porten (porten@kde.org) and Peter Kelly (pmk@post.com).
        These authors remain mentioned in copyrights in source files.

        * THANKS: Removed.
        Richard Moore <rich@kde.org> - for filling the Math object with some life
        Daegeun Lee <realking@mizi.com> - for pointing out some bugs and providing much code for the String and Date object.
        Marco Pinelli <pinmc@libero.it> - for his patches
        Christian Kirsch <ck@held.mind.de> - for his contribution to the Date object
        
2018-09-24  Fujii Hironori  <Hironori.Fujii@sony.com>

        Rename WTF_COMPILER_GCC_OR_CLANG to WTF_COMPILER_GCC_COMPATIBLE
        https://bugs.webkit.org/show_bug.cgi?id=189733

        Reviewed by Michael Catanzaro.

        * assembler/ARM64Assembler.h:
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::cacheFlush):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::isVFPPresent):
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerMIPS.cpp:
        * assembler/MacroAssemblerX86Common.cpp:
        * heap/HeapCell.cpp:
        * heap/HeapCell.h:
        * jit/HostCallReturnValue.h:
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/ThunkGenerators.cpp:
        * runtime/ArrayConventions.cpp:
        (JSC::clearArrayMemset):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::digitDiv):

2018-09-24  Saam Barati  <sbarati@apple.com>

        Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
        https://bugs.webkit.org/show_bug.cgi?id=189922
        <rdar://problem/44651275>

        Reviewed by Mark Lam.

        The implementation was first getting the length to iterate up to,
        then getting the starting index. However, getting the starting
        index may perform effects. e.g, it could change the length of the
        array. This changes it so we verify the length is still valid.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncIndexOf):

2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>

        offlineasm: fix macro scoping
        https://bugs.webkit.org/show_bug.cgi?id=189902

        Reviewed by Mark Lam.

        In the code below, the reference to `f` in `g`, which should refer to
        the outer macro definition will instead refer to the f argument of the
        anonymous macro passed to `g`. That leads to this code failing to
        compile (f expected 0 args but got 1).
        
        ```
        macro f(x)
            move x, t0
        end
        
        macro g(fn)
            fn(macro () f(42) end)
        end
        
        g(macro(f) f() end)
        ```

        * offlineasm/ast.rb:
        * offlineasm/transform.rb:

2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>

        Add forEach method for iterating CodeBlock's ValueProfiles
        https://bugs.webkit.org/show_bug.cgi?id=189897

        Reviewed by Mark Lam.

        Add method to abstract how we find ValueProfiles in a CodeBlock in
        preparation for https://bugs.webkit.org/show_bug.cgi?id=189785, when
        ValueProfiles will be stored in the MetadataTable.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::updateAllValueProfilePredictions):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::forEachValueProfile):
        (JSC::CodeBlock::numberOfArgumentValueProfiles):
        (JSC::CodeBlock::valueProfileForArgument):
        (JSC::CodeBlock::numberOfValueProfiles):
        (JSC::CodeBlock::valueProfile):
        (JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
        (JSC::CodeBlock::getFromAllValueProfiles): Deleted.
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::validateJSCell):

2018-09-24  Saam barati  <sbarati@apple.com>

        ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
        https://bugs.webkit.org/show_bug.cgi?id=189682
        <rdar://problem/43557315>

        Reviewed by Mark Lam.

        Otherwise, if we have code like this:
        ```
        a: Arguments
        b: GetButterfly(@a)
        c: ForceExit
        d: GetArrayLength(@a, @b)
        ```
        it will get transformed into this invalid DFG IR:
        ```
        a: PhantomArguments
        b: Check(@a)
        c: ForceExit
        d: GetArrayLength(@a, @b)
        ```
        
        And we will fail DFG validation since @b does not have a result.
        
        The fix is to just remove all nodes after the ForceExit and plant an
        Unreachable after it. So the above code program will now turn into this:
        ```
        a: PhantomArguments
        b: Check(@a)
        c: ForceExit
        e: Unreachable
        ```

        * dfg/DFGArgumentsEliminationPhase.cpp:

2018-09-22  Saam barati  <sbarati@apple.com>

        The sampling should not use Strong<CodeBlock> in its machineLocation field
        https://bugs.webkit.org/show_bug.cgi?id=189319

        Reviewed by Filip Pizlo.

        The sampling profiler has a CLI mode where we gather information about inline
        call frames. That data structure was using a Strong<CodeBlock>. We were
        constructing this Strong<CodeBlock> during GC concurrently to processing all
        the Strong handles. This is a bug since we end up corrupting that data
        structure. This patch fixes this by just making this data structure use the
        sampling profiler's mechanism for holding onto and properly visiting heap pointers.

        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):

        (JSC::SamplingProfiler::reportTopFunctions):
        (JSC::SamplingProfiler::reportTopBytecodes):
        These CLI helpers needed a DeferGC otherwise we may end up deadlocking when we
        cause a GC to happen while already holding the sampling profiler's
        lock.

2018-09-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Enable LLInt ASM interpreter on X64 and ARM64 in non JIT configuration
        https://bugs.webkit.org/show_bug.cgi?id=189778

        Reviewed by Keith Miller.

        LLInt ASM interpreter is 2x and 15% faster than CLoop interpreter on
        Linux and macOS respectively. We would like to enable it for non JIT
        configurations in X86_64 and ARM64.

        This patch enables LLInt for non JIT builds in X86_64 and ARM64 architectures.
        Previously, we switch LLInt ASM interpreter and CLoop by using ENABLE(JIT)
        configuration. But it is wrong in the new scenario since we have a build
        configuration that uses LLInt ASM interpreter and JIT is disabled. We introduce
        ENABLE(C_LOOP) option, which represents that we use CLoop. And we replace
        ENABLE(JIT) with ENABLE(C_LOOP) if the previous ENABLE(JIT) is essentially just
        related to LLInt ASM interpreter and not related to JIT.

        We also replace some ENABLE(JIT) configurations with ENABLE(ASSEMBLER).
        ENABLE(ASSEMBLER) is now enabled even if we disable JIT since MacroAssembler
        has machine register information that is used in LLInt ASM interpreter.

        * API/tests/PingPongStackOverflowTest.cpp:
        (testPingPongStackOverflow):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallReturnOffsetToBytecodeOffset.h: Removed. It is no longer used.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::calleeSaveRegisters const):
        (JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters):
        (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
        (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * heap/Heap.cpp:
        (JSC::Heap::gatherJSStackRoots):
        (JSC::Heap::stopThePeriphery):
        * interpreter/CLoopStack.cpp:
        * interpreter/CLoopStack.h:
        * interpreter/CLoopStackInlines.h:
        * interpreter/EntryFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::calleeSaveRegisters):
        * interpreter/VMEntryRecord.h:
        * jit/ExecutableAllocator.h:
        * jit/FPRInfo.h:
        (WTF::printInternal):
        * jit/GPRInfo.cpp:
        * jit/GPRInfo.h:
        (WTF::printInternal):
        * jit/HostCallReturnValue.cpp:
        (JSC::getHostCallReturnValueWithExecState): Moved. They are used in LLInt ASM interpreter too.
        * jit/HostCallReturnValue.h:
        * jit/JITOperations.cpp:
        (JSC::getHostCallReturnValueWithExecState): Deleted.
        * jit/JITOperationsMSVC64.cpp:
        * jit/Reg.cpp:
        * jit/Reg.h:
        * jit/RegisterAtOffset.cpp:
        * jit/RegisterAtOffset.h:
        * jit/RegisterAtOffsetList.cpp:
        * jit/RegisterAtOffsetList.h:
        * jit/RegisterMap.h:
        * jit/RegisterSet.cpp:
        * jit/RegisterSet.h:
        * jit/TempRegisterSet.cpp:
        * jit/TempRegisterSet.h:
        * llint/LLIntCLoop.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntData.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOpcode.h:
        * llint/LLIntPCRanges.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.cpp:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * runtime/JSCJSValue.h:
        * runtime/MachineContext.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces): Enable SamplingProfiler
        for LLInt ASM interpreter with non JIT configuration.
        * runtime/TestRunnerUtils.cpp:
        (JSC::optimizeNextInvocation):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::getHostFunction):
        (JSC::VM::updateSoftReservedZoneSize):
        (JSC::sanitizeStackForVM):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        (JSC::VM::isSafeToRecurseSoft const):

2018-09-21  Keith Miller  <keith_miller@apple.com>

        Add Promise SPI
        https://bugs.webkit.org/show_bug.cgi?id=189809

        Reviewed by Saam Barati.

        The Patch adds new SPI to create promises. It's mostly SPI because
        I want to see how internal users react to it before we make it
        public.

        This patch adds a couple of new Obj-C SPI methods. The first
        creates a new promise using the same API that JS does where the
        user provides an executor callback. If an exception is raised
        in/to that callback the promise is automagically rejected. The
        other methods create a pre-resolved or rejected promise as this
        appears to be a common way to initialize a promise.

        I was also considering adding a second version of executor API
        where it would catch specific Obj-C exceptions. This would work by
        taking a Class paramter and checking isKindOfClass: on the
        exception. I decided against this as nothing else in our API
        handles Obj-C exceptions. I'm pretty sure the VM will end up in a
        corrupt state if an Obj-C exception unwinds through JS frames.

        This patch adds a new C function that will create a "deferred"
        promise. A deferred promise is a style of creating promise/futures
        where the resolve and reject functions are passed as outputs of a
        function. I went with this style for the C SPI because we don't have
        any concept of forwarding exceptions in the C API.

        In order to make the C API work I refactored a bit of the promise code
        so that we can call a static method on JSDeferredPromise and just get
        the components without allocating an extra cell wrapper.

        * API/JSContext.mm:
        (+[JSContext currentCallee]):
        * API/JSObjectRef.cpp:
        (JSObjectMakeDeferredPromise):
        * API/JSObjectRefPrivate.h:
        * API/JSValue.mm:
        (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
        (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
        (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
        * API/JSValuePrivate.h: Added.
        * API/JSVirtualMachine.mm:
        * API/JSVirtualMachinePrivate.h:
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.cpp:
        (APIContext::operator JSC::ExecState*):
        (TestAPI::failed const):
        (TestAPI::check):
        (TestAPI::basicSymbol):
        (TestAPI::symbolsTypeof):
        (TestAPI::symbolsGetPropertyForKey):
        (TestAPI::symbolsSetPropertyForKey):
        (TestAPI::symbolsHasPropertyForKey):
        (TestAPI::symbolsDeletePropertyForKey):
        (TestAPI::promiseResolveTrue):
        (TestAPI::promiseRejectTrue):
        (testCAPIViaCpp):
        (TestAPI::run): Deleted.
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        (promiseWithExecutor):
        (promiseRejectOnJSException):
        (promiseCreateResolved):
        (promiseCreateRejected):
        (parallelPromiseResolveTest):
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSInternalPromiseDeferred.cpp:
        (JSC::JSInternalPromiseDeferred::create):
        * runtime/JSPromise.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::createDeferredData):
        (JSC::JSPromiseDeferred::create):
        (JSC::JSPromiseDeferred::finishCreation):
        (JSC::newPromiseCapability): Deleted.
        * runtime/JSPromiseDeferred.h:
        (JSC::JSPromiseDeferred::promise const):
        (JSC::JSPromiseDeferred::resolve const):
        (JSC::JSPromiseDeferred::reject const):

2018-09-21  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r236359.

        Broke the Windows build.

        Reverted changeset:

        "Add Promise SPI"
        https://bugs.webkit.org/show_bug.cgi?id=189809
        https://trac.webkit.org/changeset/236359

2018-09-21  Mark Lam  <mark.lam@apple.com>

        JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState.
        https://bugs.webkit.org/show_bug.cgi?id=189855
        <rdar://problem/44680181>

        Reviewed by Filip Pizlo.

        tryGetValue() always passes a nullptr to JSRopeString::resolveRope() for the
        ExecState* argument.  This is intentional so that resolveRope() does not throw
        in the event of an OutOfMemory error.  Hence, JSRopeString::resolveRope() should
        get the VM from the cell instead of via the ExecState.

        Also removed an obsolete and unused field in JSString.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRope const):
        (JSC::JSRopeString::outOfMemory const):
        * runtime/JSString.h:
        (JSC::JSString::tryGetValue const):

2018-09-21  Michael Saboff  <msaboff@apple.com>

        Add functions to measure memory footprint to JSC
        https://bugs.webkit.org/show_bug.cgi?id=189768

        Reviewed by Saam Barati.

        Rolling this back in again.

        Provide system memory metrics for the current process to aid in memory reduction measurement and
        tuning using native JS tests.

        * jsc.cpp:
        (MemoryFootprint::now):
        (MemoryFootprint::resetPeak):
        (GlobalObject::finishCreation):
        (JSCMemoryFootprint::JSCMemoryFootprint):
        (JSCMemoryFootprint::createStructure):
        (JSCMemoryFootprint::create):
        (JSCMemoryFootprint::finishCreation):
        (JSCMemoryFootprint::addProperty):
        (functionResetMemoryPeak):

2018-09-21  Keith Miller  <keith_miller@apple.com>

        Add Promise SPI
        https://bugs.webkit.org/show_bug.cgi?id=189809

        Reviewed by Saam Barati.

        The Patch adds new SPI to create promises. It's mostly SPI because
        I want to see how internal users react to it before we make it
        public.

        This patch adds a couple of new Obj-C SPI methods. The first
        creates a new promise using the same API that JS does where the
        user provides an executor callback. If an exception is raised
        in/to that callback the promise is automagically rejected. The
        other methods create a pre-resolved or rejected promise as this
        appears to be a common way to initialize a promise.

        I was also considering adding a second version of executor API
        where it would catch specific Obj-C exceptions. This would work by
        taking a Class paramter and checking isKindOfClass: on the
        exception. I decided against this as nothing else in our API
        handles Obj-C exceptions. I'm pretty sure the VM will end up in a
        corrupt state if an Obj-C exception unwinds through JS frames.

        This patch adds a new C function that will create a "deferred"
        promise. A deferred promise is a style of creating promise/futures
        where the resolve and reject functions are passed as outputs of a
        function. I went with this style for the C SPI because we don't have
        any concept of forwarding exceptions in the C API.

        In order to make the C API work I refactored a bit of the promise code
        so that we can call a static method on JSDeferredPromise and just get
        the components without allocating an extra cell wrapper.

        * API/JSContext.mm:
        (+[JSContext currentCallee]):
        * API/JSObjectRef.cpp:
        (JSObjectMakeDeferredPromise):
        * API/JSObjectRefPrivate.h:
        * API/JSValue.mm:
        (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
        (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
        (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
        * API/JSValuePrivate.h: Added.
        * API/JSVirtualMachine.mm:
        * API/JSVirtualMachinePrivate.h:
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.cpp:
        (APIContext::operator JSC::ExecState*):
        (TestAPI::failed const):
        (TestAPI::check):
        (TestAPI::basicSymbol):
        (TestAPI::symbolsTypeof):
        (TestAPI::symbolsGetPropertyForKey):
        (TestAPI::symbolsSetPropertyForKey):
        (TestAPI::symbolsHasPropertyForKey):
        (TestAPI::symbolsDeletePropertyForKey):
        (TestAPI::promiseResolveTrue):
        (TestAPI::promiseRejectTrue):
        (testCAPIViaCpp):
        (TestAPI::run): Deleted.
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        (promiseWithExecutor):
        (promiseRejectOnJSException):
        (promiseCreateResolved):
        (promiseCreateRejected):
        (parallelPromiseResolveTest):
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSInternalPromiseDeferred.cpp:
        (JSC::JSInternalPromiseDeferred::create):
        * runtime/JSPromise.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::createDeferredData):
        (JSC::JSPromiseDeferred::create):
        (JSC::JSPromiseDeferred::finishCreation):
        (JSC::newPromiseCapability): Deleted.
        * runtime/JSPromiseDeferred.h:
        (JSC::JSPromiseDeferred::promise const):
        (JSC::JSPromiseDeferred::resolve const):
        (JSC::JSPromiseDeferred::reject const):

2018-09-21  Truitt Savell  <tsavell@apple.com>

        Rebaseline tests after changes in https://trac.webkit.org/changeset/236321/webkit
        https://bugs.webkit.org/show_bug.cgi?id=156674

        Unreviewed Test Gardening

        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:

2018-09-21  Mike Gorse  <mgorse@suse.com>

        Build tools should work when the /usr/bin/python is python3
        https://bugs.webkit.org/show_bug.cgi?id=156674

        Reviewed by Michael Catanzaro.

        * Scripts/cssmin.py:
        * Scripts/generate-js-builtins.py:
        (do_open):
        (generate_bindings_for_builtins_files):
        * Scripts/generateIntlCanonicalizeLanguage.py:
        * Scripts/jsmin.py:
        (JavascriptMinify.minify.write):
        (JavascriptMinify):
        (JavascriptMinify.minify):
        * Scripts/make-js-file-arrays.py:
        (chunk):
        (main):
        * Scripts/wkbuiltins/__init__.py:
        * Scripts/wkbuiltins/builtins_generate_combined_header.py:
        (generate_section_for_global_private_code_name_macro):
        * Scripts/wkbuiltins/builtins_generate_internals_wrapper_header.py:
        (BuiltinsInternalsWrapperHeaderGenerator.__init__):
        * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:
        (BuiltinsInternalsWrapperImplementationGenerator.__init__):
        * Scripts/wkbuiltins/builtins_model.py:
        (BuiltinFunction.__lt__):
        (BuiltinsCollection.copyrights):
        (BuiltinsCollection._parse_functions):
        * disassembler/udis86/ud_opcode.py:
        (UdOpcodeTables.pprint.printWalk):
        * generate-bytecode-files:
        * inspector/scripts/codegen/__init__.py:
        * inspector/scripts/codegen/cpp_generator.py:
        * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
        (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator.domains_to_generate):
        (CppBackendDispatcherHeaderGenerator.generate_output):
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.domains_to_generate):
        (CppBackendDispatcherImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
        (CppFrontendDispatcherImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.generate_output):
        (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator.generate_output):
        (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
        (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods):
        (CppProtocolTypesImplementationGenerator._generate_open_field_names):
        (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
        (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
        * inspector/scripts/codegen/generate_js_backend_commands.py:
        (JSBackendCommandsGenerator.should_generate_domain):
        (JSBackendCommandsGenerator.domains_to_generate):
        (JSBackendCommandsGenerator.generate_output):
        (JSBackendCommandsGenerator.generate_domain):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
        (ObjCBackendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_configuration_header.py:
        * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator.generate_output):
        (ObjCHeaderGenerator._generate_type_interface):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
        (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
        (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
        (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
        * inspector/scripts/codegen/generator.py:
        (Generator.non_supplemental_domains):
        (Generator.open_fields):
        (Generator.calculate_types_requiring_shape_assertions):
        (Generator._traverse_and_assign_enum_values):
        (Generator.stylized_name_for_enum_value):
        * inspector/scripts/codegen/models.py:
        (find_duplicates):
        * inspector/scripts/codegen/objc_generator.py:
        * wasm/generateWasm.py:
        (opcodeIterator):
        * yarr/generateYarrCanonicalizeUnicode:
        * yarr/generateYarrUnicodePropertyTables.py:
        * yarr/hasher.py:
        (stringHash):

2018-09-21  Tomas Popela  <tpopela@redhat.com>

        [ARM] Build broken on armv7hl after r235517
        https://bugs.webkit.org/show_bug.cgi?id=189831

        Reviewed by Yusuke Suzuki.

        Add missing implementation of patchebleBranch8() for traditional ARM.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::patchableBranch8):

2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r236293.

        Internal build still broken.

        Reverted changeset:

        "Add functions to measure memory footprint to JSC"
        https://bugs.webkit.org/show_bug.cgi?id=189768
        https://trac.webkit.org/changeset/236293

2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Heap::reportExtraMemoryVisited shows contention if we have many JSString
        https://bugs.webkit.org/show_bug.cgi?id=189558

        Reviewed by Mark Lam.

        When running web-tooling-benchmark postcss test on Linux JSCOnly port, we get the following result in `perf report`.

            10.95%  AutomaticThread  libJavaScriptCore.so.1.0.0  [.] JSC::Heap::reportExtraMemoryVisited

        This is because postcss produces bunch of JSString, which require reportExtraMemoryVisited calls in JSString::visitChildren.
        And since reportExtraMemoryVisited attempts to update atomic counter, if we have bunch of marking threads, it becomes super contended.

        This patch reduces the frequency of updating the atomic counter. Each SlotVisitor has per-SlotVisitor m_extraMemorySize counter.
        And we propagate this value to the global atomic counter when rebalance happens.

        We also reduce HeapCell::heap() access by using `vm.heap`.

        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::propagateExternalMemoryVisitedIfNecessary):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::performIncrementOfDraining):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryVisited):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):
        (JSC::JSRopeString::resolveRope const):
        * runtime/JSString.h:
        (JSC::JSString::finishCreation):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finishCreation):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::finishCreation):

2018-09-20  Michael Saboff  <msaboff@apple.com>

        Add functions to measure memory footprint to JSC
        https://bugs.webkit.org/show_bug.cgi?id=189768

        Reviewed by Saam Barati.

        Rolling this back in.

        Provide system memory metrics for the current process to aid in memory reduction measurement and
        tuning using native JS tests.

        * jsc.cpp:
        (MemoryFootprint::now):
        (MemoryFootprint::resetPeak):
        (GlobalObject::finishCreation):
        (JSCMemoryFootprint::JSCMemoryFootprint):
        (JSCMemoryFootprint::createStructure):
        (JSCMemoryFootprint::create):
        (JSCMemoryFootprint::finishCreation):
        (JSCMemoryFootprint::addProperty):
        (functionResetMemoryPeak):

2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r236235.

        Breaks internal builds.

        Reverted changeset:

        "Add functions to measure memory footprint to JSC"
        https://bugs.webkit.org/show_bug.cgi?id=189768
        https://trac.webkit.org/changeset/236235

2018-09-20  Fujii Hironori  <Hironori.Fujii@sony.com>

        [Win][Clang] JITMathIC.h: error: missing 'template' keyword prior to dependent template name 'retagged'
        https://bugs.webkit.org/show_bug.cgi?id=189730

        Reviewed by Saam Barati.

        Clang for Windows can't compile the workaround for MSVC quirk in generateOutOfLine.

        * jit/JITMathIC.h:
        (generateOutOfLine): Append "&& !COMPILER(CLANG)" to "#if COMPILER(MSVC)".

2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Array#indexOf in C++ runtime
        https://bugs.webkit.org/show_bug.cgi?id=189507

        Reviewed by Saam Barati.

        C++ Array#indexOf runtime function takes so much time in babylon benchmark in
        web-tooling-benchmark. While our DFG and FTL has Array#indexOf optimization
        and actually it is working well, C++ Array#indexOf is called significant amount
        of time before tiering up, and it takes 6.74% of jsc main thread samples according
        to perf command in Linux. This is because C++ Array#indexOf is too generic and
        misses the chance to optimize JSArray cases.

        This patch adds JSArray fast path for Array#indexOf. If we know that indexed
        access to the given JSArray is non-observable and indexing type is good for the fast
        path, we go to the fast path. This makes sampling of Array#indexOf 3.83% in
        babylon web-tooling-benchmark.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncIndexOf):
        * runtime/JSArray.h:
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::canDoFastIndexedAccess):
        (JSC::toLength):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::JSValue):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectInlines.h:
        (JSC::JSGlobalObject::isArrayPrototypeIndexedAccessFastAndNonObservable):
        (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
        * runtime/MathCommon.h:
        (JSC::canBeStrictInt32):
        (JSC::canBeInt32):

2018-09-19  Michael Saboff  <msaboff@apple.com>

        Add functions to measure memory footprint to JSC
        https://bugs.webkit.org/show_bug.cgi?id=189768

        Reviewed by Saam Barati.

        Provide system memory metrics for the current process to aid in memory reduction measurement and
        tuning using native JS tests.

        * jsc.cpp:
        (MemoryFootprint::now):
        (MemoryFootprint::resetPeak):
        (GlobalObject::finishCreation):
        (JSCMemoryFootprint::JSCMemoryFootprint):
        (JSCMemoryFootprint::createStructure):
        (JSCMemoryFootprint::create):
        (JSCMemoryFootprint::finishCreation):
        (JSCMemoryFootprint::addProperty):
        (functionResetMemoryPeak):

2018-09-19  Saam barati  <sbarati@apple.com>

        CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code
        https://bugs.webkit.org/show_bug.cgi?id=189703

        Reviewed by Mark Lam.

        This fixes a crash that a TypeProfiler change revealed.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2018-09-19  Saam barati  <sbarati@apple.com>

        AI rule for MultiPutByOffset executes its effects in the wrong order
        https://bugs.webkit.org/show_bug.cgi?id=189757
        <rdar://problem/43535257>

        Reviewed by Michael Saboff.

        The AI rule for MultiPutByOffset was executing effects in the wrong order.
        It first executed the transition effects and the effects on the base, and
        then executed the filtering effects on the value being stored. However, you
        can end up with the wrong type when the base and the value being stored
        are the same. E.g, in a program like `o.f = o`. These effects need to happen
        in the opposite order, modeling what happens in the runtime executing of
        MultiPutByOffset.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-09-18  Mark Lam  <mark.lam@apple.com>

        Ensure that ForInContexts are invalidated if their loop local is over-written.
        https://bugs.webkit.org/show_bug.cgi?id=189571
        <rdar://problem/44402277>

        Reviewed by Saam Barati.

        Instead of hunting down every place in the BytecodeGenerator that potentially
        needs to invalidate an enclosing ForInContext (if one exists), we simply iterate
        the bytecode range of the loop body when the ForInContext is popped, and
        invalidate the context if we ever find the loop temp variable over-written.

        This has 2 benefits:
        1. It ensures that every type of opcode that can write to the loop temp will be
           handled appropriately, not just the op_mov that we've hunted down.
        2. It avoids us having to check the BytecodeGenerator's m_forInContextStack
           every time we emit an op_mov (or other opcodes that can write to a local)
           even when we're not inside a for-in loop.

        JSC benchmarks show that that this change is performance neutral.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::popIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        (JSC::BytecodeGenerator::popStructureForInScope):
        (JSC::ForInContext::finalize):
        (JSC::StructureForInContext::finalize):
        (JSC::IndexedForInContext::finalize):
        (JSC::BytecodeGenerator::invalidateForInContextForLocal): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::ForInContext::bodyBytecodeStartOffset const):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::EmptyLetExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::bindValue const):
        (JSC::AssignmentElementNode::bindValue const):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-09-17  Devin Rousso  <drousso@apple.com>

        Web Inspector: generate CSSKeywordCompletions from backend values
        https://bugs.webkit.org/show_bug.cgi?id=189041

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/CSS.json:
        Include an optional `aliases` array and `inherited` boolean for `CSSPropertyInfo`.

2018-09-17  Saam barati  <sbarati@apple.com>

        We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
        https://bugs.webkit.org/show_bug.cgi?id=189676
        <rdar://problem/39682897>

        Reviewed by Michael Saboff.

        Because the incoming value may be TDZ, CheckStructure may end up crashing.
        Since the Type Profile does not currently record TDZ values in any of its
        data structures, this is not a semantic change in how it will show you data.
        It just fixes crashes when we emit a CheckStructure and the incoming value
        is TDZ.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToCheckStructureOrEmpty):

2018-09-17  Darin Adler  <darin@apple.com>

        Use OpaqueJSString rather than JSRetainPtr inside WebKit
        https://bugs.webkit.org/show_bug.cgi?id=189652

        Reviewed by Saam Barati.

        * API/JSCallbackObjectFunctions.h: Removed an uneeded include of
        JSStringRef.h.

        * API/JSContext.mm:
        (-[JSContext evaluateScript:withSourceURL:]): Use OpaqueJSString::create rather
        than JSStringCreateWithCFString, simplifying the code and also obviating the
        need for explicit JSStringRelease.
        (-[JSContext setName:]): Ditto.

        * API/JSStringRef.cpp:
        (JSStringIsEqualToUTF8CString): Use adoptRef rather than explicit JSStringRelease.
        It seems that additional optimization is possible, obviating the need to allocate
        an OpaqueJSString, but that's true almost everywhere else in this patch, too.

        * API/JSValue.mm:
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Use
        OpaqueJSString::create and adoptRef as appropriate.
        (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Ditto.
        (performPropertyOperation): Ditto.
        (-[JSValue invokeMethod:withArguments:]): Ditto.
        (valueToObjectWithoutCopy): Ditto.
        (containerValueToObject): Ditto.
        (valueToString): Ditto.
        (objectToValueWithoutCopy): Ditto.
        (objectToValue): Ditto.

2018-09-08  Darin Adler  <darin@apple.com>

        Streamline JSRetainPtr, fix leaks of JSString and JSGlobalContext
        https://bugs.webkit.org/show_bug.cgi?id=189455

        Reviewed by Keith Miller.

        * API/JSObjectRef.cpp:
        (OpaqueJSPropertyNameArray): Use Ref<OpaqueJSString> instead of
        JSRetainPtr<JSStringRef>.
        (JSObjectCopyPropertyNames): Remove now-unneeded use of leakRef and
        adopt constructor.
        (JSPropertyNameArrayGetNameAtIndex): Use ptr() instead of get() since
        the array elements are now Ref.

        * API/JSRetainPtr.h: While JSRetainPtr is written as a template,
        it only works for two specific unrelated types, JSStringRef and
        JSGlobalContextRef. Simplified the default constructor using data
        member initialization. Prepared to make the adopt constructor private
        (got everything compiling that way, then made it public again so that
        Apple internal software will still build). Got rid of unneeded
        templated constructor and assignment operator, since it's not relevant
        since there is no inheritance between JSRetainPtr template types.
        Added WARN_UNUSED_RETURN to leakRef as in RefPtr and RetainPtr.
        Added move constructor and move assignment operator for slightly better
        performance. Simplified implementations of various member functions
        so they are more obviously correct, by using leakPtr in more of them
        and using std::exchange to make the flow of values more obvious.

        * API/JSValue.mm:
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Added a
        missing JSStringRelease to fix a leak.

        * API/tests/CustomGlobalObjectClassTest.c:
        (customGlobalObjectClassTest): Added a JSGlobalContextRelease to fix a leak.
        (globalObjectSetPrototypeTest): Ditto.
        (globalObjectPrivatePropertyTest): Ditto.

        * API/tests/ExecutionTimeLimitTest.cpp:
        (testResetAfterTimeout): Added a call to JSStringRelease to fix a leak.
        (testExecutionTimeLimit): Ditto, lots more.

        * API/tests/FunctionOverridesTest.cpp:
        (testFunctionOverrides): Added a call to JSStringRelease to fix a leak.

        * API/tests/JSObjectGetProxyTargetTest.cpp:
        (testJSObjectGetProxyTarget): Added a call to JSGlobalContextRelease to fix
        a leak.

        * API/tests/PingPongStackOverflowTest.cpp:
        (testPingPongStackOverflow): Added calls to JSGlobalContextRelease and
        JSStringRelease to fix leaks.

        * API/tests/testapi.c:
        (throwException): Added. Helper function for repeated idiom where we want
        to throw an exception, but with additional JSStringRelease calls so we don't
        have to leak just to keep the code simpler to read.
        (MyObject_getProperty): Use throwException.
        (MyObject_setProperty): Ditto.
        (MyObject_deleteProperty): Ditto.
        (isValueEqualToString): Added. Helper function for an idiom where we check
        if something is a string and then if it's equal to a particular string
        constant, but a version that has an additional JSStringRelease call so we
        don't have to leak just to keep the code simpler to read.
        (MyObject_callAsFunction): Use isValueEqualToString and throwException.
        (MyObject_callAsConstructor): Ditto.
        (MyObject_hasInstance): Ditto.
        (globalContextNameTest): Added a JSGlobalContextRelease to fix a leak.
        (testMarkingConstraintsAndHeapFinalizers): Ditto.

2018-09-14  Saam barati  <sbarati@apple.com>

        Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
        https://bugs.webkit.org/show_bug.cgi?id=189628
        <rdar://problem/39481690>

        Reviewed by Mark Lam.

        An Availability may point to a Node. And that Node may be removed from
        the graph, e.g, it's freed and its memory is no longer owned by Graph.
        This patch makes it so we no longer dump this metadata by default. If
        this metadata is interesting to you, you'll need to go in and change
        Graph::dump to dump the needed metadata.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2018-09-14  Mark Lam  <mark.lam@apple.com>

        Refactor some ForInContext code for better encapsulation.
        https://bugs.webkit.org/show_bug.cgi?id=189626
        <rdar://problem/44466415>

        Reviewed by Keith Miller.

        1. Add a ForInContext::m_type field to store the context type.  This does not
           increase the class size, but eliminates the need for a virtual call to get the
           type.

           Note: we still need a virtual destructor because we'll be mingling
           IndexedForInContexts and StructureForInContexts in the BytecodeGenerator::m_forInContextStack.

        2. Add ForInContext::isIndexedForInContext() and ForInContext::isStructureForInContext()
           convenience methods.

        3. Add ForInContext::asIndexedForInContext() and ForInContext::asStructureForInContext()
           to do the casting to the subclass types.  This ensures that we'll properly
           assert that the casting is legal.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::popIndexedForInScope):
        (JSC::BytecodeGenerator::popStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::type const):
        (JSC::ForInContext::isIndexedForInContext const):
        (JSC::ForInContext::isStructureForInContext const):
        (JSC::ForInContext::asIndexedForInContext):
        (JSC::ForInContext::asStructureForInContext):
        (JSC::ForInContext::ForInContext):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        (JSC::ForInContext::~ForInContext): Deleted.

2018-09-14  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Record actions performed on ImageBitmapRenderingContext
        https://bugs.webkit.org/show_bug.cgi?id=181341

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Recording.json:
        * inspector/scripts/codegen/generator.py:

2018-09-14  Mike Gorse  <mgorse@suse.com>

        builtins directory causes name conflict on Python 3
        https://bugs.webkit.org/show_bug.cgi?id=189552

        Reviewed by Michael Catanzaro.

        * CMakeLists.txt: builtins -> wkbuiltins.
        * DerivedSources.make: builtins -> wkbuiltins.
        * Scripts/generate-js-builtins.py: import wkbuiltins, rather than
          builtins.
        * Scripts/wkbuiltins/__init__.py: Renamed from Source/JavaScriptCore/Scripts/builtins/__init__.py.
        * Scripts/wkbuiltins/builtins_generate_combined_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_combined_header.py.
        * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_internals_wrapper_implementation.py.
        * Scripts/wkbuiltins/builtins_generate_separate_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_header.py.
        * Scripts/wkbuiltins/builtins_generate_separate_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_implementation.py.
        * Scripts/wkbuiltins/builtins_generate_wrapper_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_header.py.
        * Scripts/wkbuiltins/builtins_generate_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_implementation.py.
        * Scripts/wkbuiltins/builtins_generator.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generator.py.
        * Scripts/wkbuiltins/builtins_model.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_model.py.
        * Scripts/wkbuiltins/builtins_templates.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_templates.py.
        * Scripts/wkbuiltins/wkbuiltins.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins.py.
        * JavaScriptCore.xcodeproj/project.pbxproj: Update for the renaming.

2018-09-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [WebAssembly] Inline WasmContext accessor functions
        https://bugs.webkit.org/show_bug.cgi?id=189416

        Reviewed by Saam Barati.

        WasmContext accessor functions are very small while it resides in the critical path of
        JS to Wasm function call. This patch makes them inline to improve performance.
        This change improves a small benchmark (calling JS to Wasm function 1e7 times) from 320ms to 270ms.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * interpreter/CallFrame.cpp:
        * jit/AssemblyHelpers.cpp:
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmContextInlines.h: Renamed from Source/JavaScriptCore/wasm/WasmContext.cpp.
        (JSC::Wasm::Context::useFastTLS):
        (JSC::Wasm::Context::load const):
        (JSC::Wasm::Context::store):
        * wasm/WasmMemoryInformation.cpp:
        * wasm/WasmModuleParser.cpp: Include <wtf/SHA1.h> due to changes of unified source combinations.
        * wasm/js/JSToWasm.cpp:
        * wasm/js/WebAssemblyFunction.cpp:

2018-09-12  David Kilzer  <ddkilzer@apple.com>

        Move JavaScriptCore files to match Xcode project hierarchy
        <https://webkit.org/b/189574>

        Reviewed by Filip Pizlo.

        * API/JSAPIValueWrapper.cpp: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.cpp.
        * API/JSAPIValueWrapper.h: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.h.
        * CMakeLists.txt: Update for new path to
        generateYarrUnicodePropertyTables.py, hasher.py and
        JSAPIValueWrapper.h.
        * DerivedSources.make: Ditto. Add missing dependency on
        hasher.py captured by CMakeLists.txt.
        * JavaScriptCore.xcodeproj/project.pbxproj: Update for new file
        reference paths. Add hasher.py library to project.
        * Sources.txt: Update for new path to
        JSAPIValueWrapper.cpp.
        * runtime/JSImmutableButterfly.h: Add missing includes
        after changes to Sources.txt and regenerating unified
        sources.
        * runtime/RuntimeType.h: Ditto.
        * yarr/generateYarrUnicodePropertyTables.py: Rename from Source/JavaScriptCore/Scripts/generateYarrUnicodePropertyTables.py.
        * yarr/hasher.py: Rename from Source/JavaScriptCore/Scripts/hasher.py.

2018-09-12  David Kilzer  <ddkilzer@apple.com>

        Let Xcode have its way with the JavaScriptCore project

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-09-12  Guillaume Emont  <guijemont@igalia.com>

        Add IGNORE_WARNING_.* macros
        https://bugs.webkit.org/show_bug.cgi?id=188996

        Reviewed by Michael Catanzaro.

        * API/JSCallbackObject.h:
        * API/tests/testapi.c:
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * b3/B3LowerToAir.cpp:
        * b3/B3Opcode.cpp:
        * b3/B3Type.h:
        * b3/B3TypeMap.h:
        * b3/B3Width.h:
        * b3/air/AirArg.cpp:
        * b3/air/AirArg.h:
        * b3/air/AirCode.h:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * dfg/DFGSpeculativeJIT64.cpp:
        * ftl/FTLOutput.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::calculatePokeOffset):
        * llint/LLIntData.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::slowPathLogF):
        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::canonicalizePaths):
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSGenericTypedArrayViewConstructor.h:
        * runtime/JSGenericTypedArrayViewPrototype.h:
        * runtime/Options.cpp:
        (JSC::Options::setAliasedOption):
        * tools/CodeProfiling.cpp:
        * wasm/WasmSections.h:
        * wasm/generateWasmValidateInlinesHeader.py:

== Rolled over to ChangeLog-2018-09-11 ==