PropertyAttribute needs a CustomValue bit.

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2018-12-10  Mark Lam  <mark.lam@apple.com>

        PropertyAttribute needs a CustomValue bit.
        https://bugs.webkit.org/show_bug.cgi?id=191993
        <rdar://problem/46264467>

        Reviewed by Saam Barati.

        This is because GetByIdStatus needs to distinguish CustomValue properties from
        other types, and its only means of doing so is via the property's attributes.
        Previously, there's nothing in the property's attributes that can indicate that
        the property is a CustomValue.

        We fix this by doing the following:

        1. Added a PropertyAttribute::CustomValue bit.
        2. Added a PropertyAttribute::CustomAccessorOrValue convenience bit mask that is
           CustomAccessor | CustomValue.

        3. Since CustomGetterSetter properties are only set via JSObject::putDirectCustomAccessor(),
           we added a check in JSObject::putDirectCustomAccessor() to see if the attributes
           bits include PropertyAttribute::CustomAccessor.  If not, then the property
           must be a CustomValue, and we'll add the PropertyAttribute::CustomValue bit
           to the attributes bits.

           This ensures that the property attributes is sufficient to tell us if the
           property contains a CustomGetterSetter.

        4. Updated all checks for PropertyAttribute::CustomAccessor to check for
           PropertyAttribute::CustomAccessorOrValue instead if their intent is to check
           for the presence of a CustomGetterSetter as opposed to checking specifically
           for one that is used as a CustomAccessor.

           This includes all the Structure transition code that needs to capture the
           attributes change when a CustomValue has been added.

        5. Filtered out the PropertyAttribute::CustomValue bit in PropertyDescriptor.
           The fact that we're using a CustomGetterSetter as a CustomValue should remain
           invisible to the descriptor.  This is because the descriptor should describe
           a CustomValue no differently from a plain value.

        6. Added some asserts to ensure that property attributes are as expected, and to
           document some invariants.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/InByIdStatus.cpp:
        (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * runtime/JSFunction.cpp:
        (JSC::getCalculatedDisplayName):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectIndex):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::putDirect):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        (JSC::PropertyDescriptor::setCustomDescriptor):
        (JSC::PropertyDescriptor::setAccessorDescriptor):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setCustomGetterSetter):

2018-12-10  Mark Lam  <mark.lam@apple.com>

        LinkBuffer::copyCompactAndLinkCode() needs to be aware of ENABLE(SEPARATED_WX_HEAP).
        https://bugs.webkit.org/show_bug.cgi?id=192569
        <rdar://problem/45615617>

        Reviewed by Saam Barati.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):

2018-12-10  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueMul into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186175

        Reviewed by Yusuke Suzuki.

        This patch is adding a new DFG node called ValueMul. This node is
        responsible to handle multiplication operations that can result into
        non-number values. We emit such node during DFGByteCodeParser when the
        operands are not numbers. During FixupPhase, we change this
        operation to ArithMul if we can speculate Number/Boolean operands.

        The BigInt specialization shows a small progression:

                                noSpec                changes

        big-int-simple-mul  18.8090+-1.0435  ^  17.4305+-0.2673  ^ definitely 1.0791x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupMultiplication):
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueMul):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):

2018-12-08  Mark Lam  <mark.lam@apple.com>

        Reduce size of PropertySlot and PutPropertySlot.
        https://bugs.webkit.org/show_bug.cgi?id=192526

        Reviewed by Keith Miller.

        With some minor adjustments, we can reduce the size of PropertySlot from 80 bytes
        (19 padding bytes) to 64 bytes (3 padding bytes), and PutPropertySlot from 40
        bytes (4 padding bytes) to 32 bytes (0 padding bytes but with 6 unused bits).
        These measurements are for a 64-bit build.

        * runtime/PropertySlot.h:
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):

2018-12-08  Dominik Infuehr  <dinfuehr@igalia.com>

        Record right offset with aligned wide instructions
        https://bugs.webkit.org/show_bug.cgi?id=192006

        Reviewed by Yusuke Suzuki.

        Aligning bytecode instructions inserts nops into the instruction stream.
        Emitting an instruction did not record the actual start of the instruction with
        aligned instructions, but the nop just before the actual instruction. This was
        problematic with the StaticPropertyAnalyzer that used the wrong instruction offset.

        * bytecode/InstructionStream.h:
        (JSC::InstructionStream::MutableRef::clone):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::alignWideOpcode):
        (JSC::BytecodeGenerator::emitCreateThis):
        (JSC::BytecodeGenerator::emitNewObject):
        * generator/Opcode.rb:

2018-12-07  Tadeu Zagallo  <tzagallo@apple.com>

        Align the metadata table on all platforms
        https://bugs.webkit.org/show_bug.cgi?id=192050
        <rdar://problem/46312674>

        Reviewed by Mark Lam.

        Although certain platforms don't require the metadata to be aligned,
        values were being concurrently read and written to ValueProfiles,
        which caused crashes since these operations are not atomic on unaligned
        addresses.

        * bytecode/Opcode.cpp:
        (JSC::metadataAlignment):
        * bytecode/Opcode.h:
        * bytecode/UnlinkedMetadataTableInlines.h:
        (JSC::UnlinkedMetadataTable::finalize):

2018-12-05  Mark Lam  <mark.lam@apple.com>

        speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
        https://bugs.webkit.org/show_bug.cgi?id=192441
        <rdar://problem/46480355>

        Reviewed by Saam Barati.

        This is because a regular String (non-Identifier) can be converted into an
        Identifier.  During DFG/FTL compilation, AbstractValue::checkConsistency() may
        expect a value to be of type SpecStringVar, but the mutator thread may have
        converted the string into an Identifier.  This creates a race where
        AbstractValue::checkConsistency() may fail because it sees a SpecStringIdent when
        it expects the a SpecStringVar.  

        The fix is to speculate non-Identifier strings as type SpecString which allows it
        to be SpecStringVar or SpecStringIndent.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromCell):

2018-12-04  Mark Lam  <mark.lam@apple.com>

        DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
        https://bugs.webkit.org/show_bug.cgi?id=192386
        <rdar://problem/46445516>

        Reviewed by Saam Barati.

        This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall().

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2018-12-04  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        We are introducing in this patch the ToBoolean support for JSBigInt.
        With this change, we can implement the correct behavior of BigInt as
        operand of logical opertions. During JIT genertion into DFG and FTL,
        we are using JSBigInt::m_length to verify if the number is 0n or not,
        following the same approach used by JSString. This is also safe in the case
        of BigInt, because only 0n has m_length == 0.

        We are not including BigInt speculation into Branch nodes in this
        patch, but the plan is to implement it in further patches.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        (JSC::FTL::DFG::LowerDFGToB3::isBigInt):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::branchIfValue):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::isZero const):
        (JSC::JSBigInt::offsetOfLength):
        (JSC::JSBigInt::toBoolean const):
        (JSC::JSBigInt::isZero): Deleted.
        * runtime/JSBigInt.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::toBoolean const):
        (JSC::JSCell::pureToBoolean const):

2018-12-04  Devin Rousso  <drousso@apple.com>

        Web Inspector: Audit: tests should support async operations
        https://bugs.webkit.org/show_bug.cgi?id=192171
        <rdar://problem/46423562>

        Reviewed by Joseph Pecoraro.

        Add `awaitPromise` command for executing a callback when a Promise gets settled.

        Drive-by: allow `wasThrown` to be optional, instead of expecting it to always have a value.

        * inspector/protocol/Runtime.json:

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.awaitPromise): Added.

        * inspector/InjectedScript.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::awaitPromise): Added.
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):

        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        (Inspector::InjectedScriptBase::makeAsyncCall): Added.
        (Inspector::InjcetedScriptBase::checkCallResult): Added.
        (Inspector::InjcetedScriptBase::checkAsyncCallResult): Added.

        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::awaitPromise):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):

2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238833.

        Breaks macOS and iOS debug builds.

        Reverted changeset:

        "[ESNext][BigInt] Support logic operations"
        https://bugs.webkit.org/show_bug.cgi?id=179903
        https://trac.webkit.org/changeset/238833

2018-12-03  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        We are introducing in this patch the ToBoolean support for JSBigInt.
        With this change, we can implement the correct behavior of BigInt as
        operand of logical opertions. During JIT genertion into DFG and FTL,
        we are using JSBigInt::m_length to verify if the number is 0n or not,
        following the same approach used by JSString. This is also safe in the case
        of BigInt, because only 0n has m_length == 0.

        We are not including BigInt speculation into Branch nodes in this
        patch, but the plan is to implement it in further patches.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        (JSC::FTL::DFG::LowerDFGToB3::isBigInt):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::branchIfValue):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::isZero const):
        (JSC::JSBigInt::offsetOfLength):
        (JSC::JSBigInt::toBoolean const):
        (JSC::JSBigInt::isZero): Deleted.
        * runtime/JSBigInt.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::toBoolean const):
        (JSC::JSCell::pureToBoolean const):

2018-12-03  Keith Rollin  <krollin@apple.com>

        Add .xcfilelist files
        https://bugs.webkit.org/show_bug.cgi?id=192082
        <rdar://problem/46312533>

        Reviewed by Brent Fulgham.

        Add .xcfilelist files for Generate Derived Sources and Generate
        Unified Sources build phases in Xcode. These are just being staged for
        now; they'll be added to the Xcode projects later.

        * DerivedSources-input.xcfilelist: Added.
        * DerivedSources-output.xcfilelist: Added.
        * UnifiedSources-input.xcfilelist: Added.
        * UnifiedSources-output.xcfilelist: Added.

2018-12-03  Mark Lam  <mark.lam@apple.com>

        Fix the bytecode code generator scripts to pretty print BytecodeStructs.h and BytecodeIndices.h.
        https://bugs.webkit.org/show_bug.cgi?id=192271

        Reviewed by Keith Miller.

        This makes the generated code style compliant and human readable.

        * generator/Argument.rb:
        * generator/DSL.rb:
        * generator/Fits.rb:
        * generator/Metadata.rb:
        * generator/Opcode.rb:

2018-12-02  Zalan Bujtas  <zalan@apple.com>

        Add a runtime feature flag for LayoutFormattingContext.
        https://bugs.webkit.org/show_bug.cgi?id=192280

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2018-12-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "<<" and ">>"
        https://bugs.webkit.org/show_bug.cgi?id=186233

        Reviewed by Yusuke Suzuki.

        This patch is introducing the support for BigInt into lshift and
        rshift into LLint and Baseline layers.

        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::leftShift):
        (JSC::JSBigInt::signedRightShift):
        (JSC::JSBigInt::leftShiftByAbsolute):
        (JSC::JSBigInt::rightShiftByAbsolute):
        (JSC::JSBigInt::rightShiftByMaximum):
        (JSC::JSBigInt::toShiftAmount):
        * runtime/JSBigInt.h:

2018-12-01  Simon Fraser  <simon.fraser@apple.com>

        Heap.h refers to the non-existent HeapStatistics
        https://bugs.webkit.org/show_bug.cgi?id=187882

        Reviewed by Keith Miller.
        
        Just remove the "friend class HeapStatistics".

        * heap/Heap.h:

2018-11-29  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Keep TypeMaybeBigInt small
        https://bugs.webkit.org/show_bug.cgi?id=192203

        Reviewed by Saam Barati.

        As BigInt is being implemented, more and more bytecodes start returning BigInt.
        It means that ResultType of these bytecodes include TypeMaybeBigInt. However,
        TypeMaybeBigInt was large number 0x20, leading to wide instruction since ResultType
        easily becomes larger than 32 (e.g. TypeInt32 | TypeMaybeBigInt == 33).

        This patch sorts the numbers of TypeMaybeXXX based on the frequency of appearance in
        the code.

        * parser/ResultType.h:

2018-11-30  Dean Jackson  <dino@apple.com>

        Try to fix Windows build by using strcmp instead of strcasecmp.

        * jsc.cpp:
        (isMJSFile):

2018-11-30  Mark Lam  <mark.lam@apple.com>

        Fix the bytecode code generator scripts to pretty print Bytecodes.h.
        https://bugs.webkit.org/show_bug.cgi?id=192258

        Reviewed by Keith Miller.

        This makes Bytecodes.h more human readable.

        * generator/DSL.rb:
        * generator/Section.rb:

2018-11-30  Mark Lam  <mark.lam@apple.com>

        Add the generator directory to the Xcode project.
        https://bugs.webkit.org/show_bug.cgi?id=192252

        Reviewed by Michael Saboff.

        This is so that we can work with these bytecode class generator files easily in Xcode.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-11-30  Don Olmstead  <don.olmstead@sony.com>

        Rename ENABLE_SUBTLE_CRYPTO to ENABLE_WEB_CRYPTO
        https://bugs.webkit.org/show_bug.cgi?id=192197

        Reviewed by Jiewen Tan.

        * Configurations/FeatureDefines.xcconfig:

2018-11-30  Dean Jackson  <dino@apple.com>

        Add first-class support for .mjs files in jsc binary
        https://bugs.webkit.org/show_bug.cgi?id=192190
        <rdar://problem/46375715>

        Reviewed by Keith Miller.

        Treat files with a .mjs extension as a module, regardless
        of whether or not the --module-file argument was given.

        * jsc.cpp:
        (printUsageStatement): Update usage.
        (isMJSFile): Helper to look for .mjs extensions.
        (CommandLine::parseArguments): Pick the appropriate script type.

2018-11-30  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Implement ValueBitXor into DFG
        https://bugs.webkit.org/show_bug.cgi?id=190264

        Reviewed by Yusuke Suzuki.

        This patch is splitting the BitXor node into ArithBitXor and
        ValueBitXor. This is necessary due the introduction of
        BigInt, since BitXor operations now can result into Int32 or BigInt.
        In such case, we use ArithBitXor when operands are Int and fallback to
        ValueBitXor when operands are anything else. In the case of
        ValueBitXor, we speculate BigInt when op1 and op2 are predicted as
        BigInt as well. BigInt specialization consist into call
        `operationBigIntBitXor` function, that calls JSBigInt::bitXor.

        * bytecode/BytecodeList.rb:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::arithProfileForPC):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
        (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::bitOp):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitXor):
        (JSC::FTL::DFG::LowerDFGToB3::compileBitXor): Deleted.
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_bitxor):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-11-29  Justin Michaud  <justin_michaud@apple.com>

        CSS Painting API should pass 'this' correctly to paint callback, and repaint when properties change.
        https://bugs.webkit.org/show_bug.cgi?id=191443

        Reviewed by Dean Jackson.

        Export the simpler construct() method for use in WebCore.

        * runtime/ConstructData.h:

2018-11-28  Mark Lam  <mark.lam@apple.com>

        ENABLE_SEPARATED_WX_HEAP needs to be defined in Platform.h.
        https://bugs.webkit.org/show_bug.cgi?id=192110
        <rdar://problem/46317746>

        Reviewed by Saam Barati.

        * config.h:

2018-11-28  Keith Rollin  <krollin@apple.com>

        Update generate-{derived,unified}-sources scripts to support generating .xcfilelist files
        https://bugs.webkit.org/show_bug.cgi?id=192031
        <rdar://problem/46286816>

        Reviewed by Alex Christensen.

        The Generate Derived Sources and Generate Unified Sources build phases
        in Xcode need to have their inputs and outputs specified. This
        specification will come in the form of .xcfilelist files that will be
        attached to these build phases. There is one .xcfilelist file that
        lists the input file and one that lists the output files. As part of
        this work, the various generate-{derived,unified}-sources scripts that
        are executed in these Generate build phases are modified to help in
        the creation of these .xcfilelist files. In particular, they can now
        be invoked with command-line parameters. These parameters are then
        used to alter the normal execution of these scripts, causing them to
        produce the .xcfilelist files as opposed to actually generating the
        files that are listed in those files.

        * Scripts/generate-derived-sources.sh:
        * Scripts/generate-unified-sources.sh:

2018-11-28  Keith Rollin  <krollin@apple.com>

        Revert print_all_generated_files work in r238008; tighten up target specifications
        https://bugs.webkit.org/show_bug.cgi?id=192025
        <rdar://problem/46284301>

        Reviewed by Alex Christensen.

        In r238008, I added a facility for DerivedSources.make makefiles to
        print out the list of files that they generate. This output was used
        in the generation of .xcfilelist files used to specify the output of
        the associated Generate Derived Sources build phases in Xcode. This
        approach worked, but it meant that people would need to follow a
        specific convention to keep this mechanism working.

        Instead of continuing this approach, I'm going to implement a new
        facility based on the output of `make` when passed the -d flag (which
        prints dependency information). This new mechanism is completely
        automatic and doesn't need maintainers to follow a convention. To that
        end, remove most of the work performed in r238008 that supports the
        print_all_generated_files target.

        At the same time, it's important for the sets of targets and their
        dependencies to be complete and correct. Therefore, also include
        changes to bring those up-to-date. As part of that, you'll see
        prevalent use of a particular technique. Here's an example:

            BYTECODE_FILES = \
                Bytecodes.h \
                BytecodeIndices.h \
                BytecodeStructs.h \
                InitBytecodes.asm \
            #
            BYTECODE_FILES_PATTERNS = $(subst .,%,$(BYTECODE_FILES))

            all : $(BYTECODE_FILES)

            $(BYTECODE_FILES_PATTERNS): $(wildcard $(JavaScriptCore)/generator/*.rb) $(JavaScriptCore)/bytecode/BytecodeList.rb
                ...

        These lines indicate a set of generated files (those specified in
        BYTECODE_FILES). These files are generated by the BytecodeList.rb
        tool. But, as opposed to the normal rule where a single foo.output is
        generated by foo.input plus some additional dependencies, this rule
        produces multiple output files from a tool whose connection to the
        output files is not immediately clear. A special approach is needed
        where a single rule produces multiple output files. The normal way to
        implement this is to use an .INTERMEDIATE target. However, we used
        this approach in the past and ran into a problem with it, addressing
        it with an alternate approach in r210507. The above example shows this
        approach. The .'s in the list of target files are replaced with %'s,
        and the result is used as the left side of the dependency rule.

        * DerivedSources.make:

2018-11-28  Keith Rollin  <krollin@apple.com>

        Remove Postprocess Headers dependencies
        https://bugs.webkit.org/show_bug.cgi?id=192023
        <rdar://problem/46283377>

        Reviewed by Mark Lam.

        JavaScriptCore's Xcode Postprocess Headers build phase used to have a
        dependency on a specific handful of files. In r234227, the script used
        in this phase (postprocess-headers.sh) was completely rewritten to
        operate on *all* files in JSC's Public and Private headers directories
        instead of just this handful. This rewrite makes the previous
        dependency specification insufficient, leading to incorrect
        incremental builds if the right files weren't touched. Address this by
        removing the dependencies completely. This will cause
        postprocess-headers.sh to always be executed, even when none of its
        files are touch. Running this script all the time is OK, since it has
        built-in protections against unnecessarily touching files that haven't
        changed.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-11-27  Mark Lam  <mark.lam@apple.com>

        ENABLE_FAST_JIT_PERMISSIONS should be false for iosmac.
        https://bugs.webkit.org/show_bug.cgi?id=192055
        <rdar://problem/46288783>

        Reviewed by Saam Barati.

        * Configurations/FeatureDefines.xcconfig:

2018-11-27  Saam barati  <sbarati@apple.com>

        r238510 broke scopes of size zero
        https://bugs.webkit.org/show_bug.cgi?id=192033
        <rdar://problem/46281734>

        Reviewed by Keith Miller.

        In r238510, I wrote the loop like this: 
        `for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1)`
        
        This breaks for scopes of size zero because maxScopeOffset() will be UINT_MAX.
        
        This patch fixes this by writing the loop as:
        `for (unsigned offset = 0; offset < symbolTable->scopeSize(); ++offset)`

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-11-27  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: capacity && isPageAligned(capacity) in JSC::CLoopStack::CLoopStack(JSC::VM&).
        https://bugs.webkit.org/show_bug.cgi?id=192018

        Reviewed by Saam Barati.

        This assertion failed because the regress-191579.js test was specifying
        --maxPerThreadStackUsage=400000 i.e. it was running with a stack size that is not
        page aligned.  Given that the user can specify any arbitrary stack size, and the
        CLoop stack expects to be page aligned, we'll just round up the requested capacity
        to the next page alignment.

        * interpreter/CLoopStack.cpp:
        (JSC::CLoopStack::CLoopStack):

2018-11-27  Mark Lam  <mark.lam@apple.com>

        [Re-landing] NaNs read from Wasm code needs to be be purified.
        https://bugs.webkit.org/show_bug.cgi?id=191056
        <rdar://problem/45660341>

        Reviewed by Filip Pizlo.

        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2018-11-27  Timothy Hatcher  <timothy@apple.com>

        Web Inspector: Add support for forcing color scheme appearance in DOM tree.
        https://bugs.webkit.org/show_bug.cgi?id=191820
        rdar://problem/46153172

        Reviewed by Devin Rousso.

        * inspector/protocol/Page.json: Added setForcedAppearance.
        Also added the defaultAppearanceDidChange event and Appearance enum.

2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238509.

        Causes JSC tests to fail on iOS.

        Reverted changeset:

        "NaNs read from Wasm code needs to be be purified."
        https://bugs.webkit.org/show_bug.cgi?id=191056
        https://trac.webkit.org/changeset/238509

2018-11-27  Mark Lam  <mark.lam@apple.com>

        Introducing a ENABLE_SEPARATED_WX_HEAP macro.
        https://bugs.webkit.org/show_bug.cgi?id=192013
        <rdar://problem/45494310>

        Reviewed by Keith Miller.

        This makes the code a little more readable.

        I put the definition of ENABLE_SEPARATED_WX_HEAP in JSC's config.h instead of
        Platform.h because ENABLE_SEPARATED_WX_HEAP is only needed inside JSC.  Also,
        ENABLE_SEPARATED_WX_HEAP depends on ENABLE(FAST_JIT_PERMISSIONS), which is only
        defined for JSC.

        * config.h:
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2018-11-26  Caio Lima  <ticaiolima@gmail.com>

        Re-introduce op_bitnot
        https://bugs.webkit.org/show_bug.cgi?id=190923

        Reviewed by Yusuke Suzuki.

        With the introduction of BigInt as a new type, we can't emit bitwise
        not as `x ^ -1` anymore, because this is incompatible with the new type.
        Based on that, this Patch is adding `op_bitnot` as a new operation
        into LLInt, as well as introducing ArithBitNot node into DFG to support
        JIT compilation of such opcode. We will use the ValueProfile of this
        intruction in the future to generate better code when its operand
        is not Int32.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::not32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::not32):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::not32):
        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitUnaryOp):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::UnaryPlusNode::emitBytecode):
        (JSC::BitwiseNotNode::emitBytecode): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileBitwiseNot):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitNot):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_bitnot):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/cloop.rb:
        * parser/NodeConstructors.h:
        (JSC::BitwiseNotNode::BitwiseNotNode):
        * parser/Nodes.h:
        * parser/ResultType.h:
        (JSC::ResultType::bigIntOrInt32Type):
        (JSC::ResultType::forBitOp):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2018-11-26  Saam barati  <sbarati@apple.com>

        InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
        https://bugs.webkit.org/show_bug.cgi?id=191956
        <rdar://problem/45665806>

        Reviewed by Yusuke Suzuki.

        This is a similar bug to what Keith fixed in r232134. The issue is if we have
        a program like this:
        
        a: JSConstant(jsNumber(0))
        b: SetLocal(Int32:@a, loc1, FlushedInt32)
        c: ArrayifyToStructure(Cell:@a)
        d: Jump(...)
        
        At the point in the program right after the Jump, a GetLocal for loc1
        would return whatever the ArrayifyToStructure resulting type is. This breaks
        the invariant that a GetLocal must return a value that is a subtype of its
        FlushFormat. InPlaceAbstractState::endBasicBlock will know if a SetLocal is
        the final node touching a local slot. If so, it'll see if any nodes later
        in the block may have refined the type of the value stored in that slot. If
        so, endBasicBlock() further refines the type to ensure that any GetLocals
        loading from the same slot will result in having this more refined type.
        However, we must ensure that this logic only considers types within the
        hierarchy of the variable access data's FlushFormat, otherwise, we may
        break the invariant that a GetLocal's type is a subtype of its FlushFormat.

        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):

2018-11-26  Saam barati  <sbarati@apple.com>

        Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
        https://bugs.webkit.org/show_bug.cgi?id=191958
        <rdar://problem/46221877>

        Reviewed by Yusuke Suzuki.

        There may be more entries in an activation than unique variables
        in a symbol table's hashmap. For example, if you have two parameters
        to a function, and they both are the same name, and the function
        uses eval, we'll end up with two scope slots, but only a single
        entry in the hashmap in the symbol table. Object allocation sinking
        phase was previously iterating over the hashmap, assuming these
        values were equivalent. This is wrong in the above case. Instead,
        we need to iterate over each scope offset.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * runtime/GenericOffset.h:
        (JSC::GenericOffset::operator+=):
        (JSC::GenericOffset::operator-=):

2018-11-26  Mark Lam  <mark.lam@apple.com>

        NaNs read from Wasm code needs to be be purified.
        https://bugs.webkit.org/show_bug.cgi?id=191056
        <rdar://problem/45660341>

        Reviewed by Filip Pizlo.

        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>

        ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
        https://bugs.webkit.org/show_bug.cgi?id=191716
        <rdar://problem/45723878>

        Reviewed by Saam Barati.

        After https://bugs.webkit.org/show_bug.cgi?id=187373, when updating
        jump targets during generatorification, we only stored the new jump
        target when it changed. However, the out-of-line jump targets are
        cleared at the beginning of the pass, so we need to store it
        unconditionally.

        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForInstruction):
        (JSC::updateStoredJumpTargetsForInstruction):

2018-11-23  Wenson Hsieh  <wenson_hsieh@apple.com>

        Enable drag and drop support for iOSMac
        https://bugs.webkit.org/show_bug.cgi?id=191818
        <rdar://problem/43907454>

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2018-11-22  Mark Lam  <mark.lam@apple.com>

        Make the jsc shell's dumpException() more robust against long exception strings.
        https://bugs.webkit.org/show_bug.cgi?id=191910
        <rdar://problem/46212980>

        Reviewed by Michael Saboff.

        This only affects the dumping of the exception string in the jsc shell due to
        unhandled exceptions or exceptions at shell boot time before any JS code is
        running.

        * jsc.cpp:
        (dumpException):

2018-11-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Drop ARM_TRADITIONAL support in LLInt, baseline JIT, and DFG
        https://bugs.webkit.org/show_bug.cgi?id=191675

        Reviewed by Mark Lam.

        We no longer maintain ARM_TRADITIONAL LLInt and JIT in JSC. This architecture will use
        CLoop instead. This patch removes ARM_TRADITIONAL support in LLInt and JIT.

        Discussed in https://lists.webkit.org/pipermail/webkit-dev/2018-October/030220.html.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/ARMAssembler.cpp: Removed.
        * assembler/ARMAssembler.h: Removed.
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::dumpCode):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch32):
        * assembler/MacroAssemblerARM.cpp: Removed.
        * assembler/MacroAssemblerARM.h: Removed.
        * assembler/PerfLog.cpp:
        * assembler/PerfLog.h:
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::pc):
        (JSC::Probe::CPUState::fp):
        (JSC::Probe::CPUState::sp):
        * assembler/testmasm.cpp:
        (JSC::isPC):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackValues):
        * bytecode/InlineAccess.h:
        (JSC::InlineAccess::sizeForPropertyAccess):
        (JSC::InlineAccess::sizeForPropertyReplace):
        (JSC::InlineAccess::sizeForLengthAccess):
        * dfg/DFGSpeculativeJIT.h:
        * disassembler/CapstoneDisassembler.cpp:
        (JSC::tryToDisassemble):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall):
        * jit/AssemblyHelpers.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsImpl):
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::prepareForTailCall):
        * jit/HostCallReturnValue.cpp:
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
        (JSC::RegisterSet::dfgCalleeSaveRegisters):
        * jit/Repatch.cpp:
        (JSC::forceICFailure):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/arm.rb:
        * offlineasm/backends.rb:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):

2018-11-21  Saam barati  <sbarati@apple.com>

        DFGSpeculativeJIT should not &= exitOK with mayExit(node)
        https://bugs.webkit.org/show_bug.cgi?id=191897
        <rdar://problem/45871998>

        Reviewed by Mark Lam.

        exitOK is a statement about it being legal to exit. mayExit() is about being
        conservative and returning false only if an OSR exit *could never* happen.
        mayExit() tries to be as smart as possible to see if it can return false.
        It can't return false if a runtime exit *could* happen. However, there is
        code in the compiler where mayExit() returns false (because it uses data
        generated from AI about type checks being proved), but the code we emit in the
        compiler backend unconditionally generates an OSR exit, even if that exit may
        never execute. For example, let's say we have this IR:
        
        SomeNode(Boolean:@input)
        
        And we always emit code like this as a way of emitting a boolean type check:
        
        jump L1 if input == true
        jump L1 if input == false
        emit an OSR exit
        
        In such a program, when we generate the above OSR exit, in a validationEnabled()
        build, and if @input is proved to be a boolean, we'll end up crashing because we
        have the bogus assertion saying !exitOK. This is one reason why things are cleaner
        if we don't conflate mayExit() with exitOK.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):

2018-11-21  Saam barati  <sbarati@apple.com>

        Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
        https://bugs.webkit.org/show_bug.cgi?id=191895
        <rdar://problem/46167406>

        Reviewed by Mark Lam.

        We were asserting that the input edge should have type SpecCell but it should
        really be SpecCellCheck since the type filter for KnownCellUse is SpecCellCheck.
        
        This patch cleans up that assertion code by joining a bunch of cases into a
        single function call which grabs the type filter for the edge UseKind and
        asserts that the incoming edge meets the type filter criteria.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculate):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::speculate):

2018-11-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Use ProtoCallFrame::numberOfRegisters instead of raw number `4`
        https://bugs.webkit.org/show_bug.cgi?id=191877

        Reviewed by Sam Weinig.

        Instead of hard-coding `4` into LowLevelInterpreter, use ProtoCallFrame::numberOfRegisters.

        * interpreter/ProtoCallFrame.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-11-21  Mark Lam  <mark.lam@apple.com>

        Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
        https://bugs.webkit.org/show_bug.cgi?id=191776
        <rdar://problem/46152851>

        Reviewed by Saam Barati.

        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::tryCreate):
        - return nullptr if the requested bytes exceed MAX_ARRAY_BUFFER_SIZE.
          The clients will already do a null check and throw an OutOfMemoryError if needed.
        (JSC::Wasm::Memory::grow):
        - throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        - throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.

2018-11-21  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
        https://bugs.webkit.org/show_bug.cgi?id=190836

        Reviewed by Saam Barati and Yusuke Suzuki.

        In this patch we are creating a new method called `JSBigInt::createWithLengthUnchecked`
        where we allocate a BigInt trusting the length received as argument.
        With this additional method, we now check if length passed to
        `JSBigInt::tryCreateWithLength` is not greater than JSBigInt::maxLength.
        When the length is greater than JSBigInt::maxLength, we then throw OOM
        exception.
        This required us to change the interface of some JSBigInt operations to
        receive `ExecState*` instead of `VM&`. We changed only operations that
        can throw because of OOM.
        We beleive that this approach of throwing instead of finishing the
        execution abruptly is better because JS programs can catch such
        exception and handle this issue properly.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createZero):
        (JSC::JSBigInt::tryCreateWithLength):
        (JSC::JSBigInt::createWithLengthUnchecked):
        (JSC::JSBigInt::createFrom):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::copy):
        (JSC::JSBigInt::unaryMinus):
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::add):
        (JSC::JSBigInt::sub):
        (JSC::JSBigInt::bitwiseAnd):
        (JSC::JSBigInt::bitwiseOr):
        (JSC::JSBigInt::bitwiseXor):
        (JSC::JSBigInt::absoluteAdd):
        (JSC::JSBigInt::absoluteSub):
        (JSC::JSBigInt::absoluteDivWithDigitDivisor):
        (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
        (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
        (JSC::JSBigInt::absoluteBitwiseOp):
        (JSC::JSBigInt::absoluteAddOne):
        (JSC::JSBigInt::absoluteSubOne):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::createWithLength): Deleted.
        * runtime/JSBigInt.h:
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsSub):
        (JSC::jsMul):

2018-11-20  Mark Lam  <mark.lam@apple.com>

        Remove invalid assertion in VMTraps::SignalSender's SignalAction.
        https://bugs.webkit.org/show_bug.cgi?id=191856
        <rdar://problem/46089992>

        Reviewed by Yusuke Suzuki.

        The ASSERT(vm.traps().needTrapHandling()) assertion in SignalSender's SigAction
        function is invalid because we can't be sure that the trap has been handled yet
        by the time the trap fires.  This is because the main thread may also check traps
        (in LLInt, baseline JIT and VM runtime code).  There's a race to handle the trap.
        Hence, the SigAction cannot assume that the trap still needs handling by the time
        it is executed.  This patch removed the invalid assertion.

        Also renamed m_trapSet to m_condition because it is a AutomaticThreadCondition,
        and all the ways it is used is as a condvar.  The m_trapSet name doesn't seem
        appropriate nor meaningful.

        * runtime/VMTraps.cpp:
        (JSC::VMTraps::tryInstallTrapBreakpoints):
        - Added a !needTrapHandling() check as an optimization: there's no need to install
          VMTrap breakpoints if someone already beat us to handling the trap (remember,
          the main thread is racing against the VMTraps signalling thread to handle the
          trap too).  We only need to install the VMTraps breakpoints if we need DFG/FTL
          compiled code to deopt so that they can check and handle pending traps.  If the
          trap has already been handled, it's better to not deopt any DFG/FTL functions.

        (JSC::VMTraps::willDestroyVM):
        (JSC::VMTraps::fireTrap):
        (JSC::VMTraps::VMTraps):
        * runtime/VMTraps.h:

2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable JIT on ARM/Linux
        https://bugs.webkit.org/show_bug.cgi?id=191548

        Reviewed by Yusuke Suzuki.

        Enable JIT by default on ARMv7/Linux after it was disabled with
        recent bytcode format change.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::getICStatusMap):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::metadata):
        * bytecode/InByIdStatus.cpp:
        (JSC::InByIdStatus::computeFor):
        * bytecode/Instruction.h:
        (JSC::Instruction::cast):
        * bytecode/MetadataTable.h:
        (JSC::MetadataTable::forEach):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::hasExitSite): Deleted.
        * bytecode/PutByIdStatus.h:
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * generator/Argument.rb:
        * generator/Opcode.rb:
        * jit/GPRInfo.h:
        * jit/JIT.h:
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        (JSC::JIT::emit_compareAndJumpSlow):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        (JSC::JIT::emitBinaryDoubleOp):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitPutCallResult):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emitSlow_op_call):
        (JSC::JIT::emitSlow_op_tail_call):
        (JSC::JIT::emitSlow_op_call_eval):
        (JSC::JIT::emitSlow_op_call_varargs):
        (JSC::JIT::emitSlow_op_tail_call_varargs):
        (JSC::JIT::emitSlow_op_tail_call_forward_arguments):
        (JSC::JIT::emitSlow_op_construct_varargs):
        (JSC::JIT::emitSlow_op_construct):
        (JSC::JIT::emit_op_call):
        (JSC::JIT::emit_op_tail_call):
        (JSC::JIT::emit_op_call_eval):
        (JSC::JIT::emit_op_call_varargs):
        (JSC::JIT::emit_op_tail_call_varargs):
        (JSC::JIT::emit_op_tail_call_forward_arguments):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::emit_op_construct):
        (JSC::JIT::compileSetupFrame):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::compileSetupVarargsFrame): Deleted.
        * jit/JITInlines.h:
        (JSC::JIT::updateTopCallFrame):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_jmp):
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_instanceof_custom):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        (JSC::JIT::emit_op_is_empty):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_boolean):
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_set_function_name):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jneq_ptr):
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emit_op_jeq):
        (JSC::JIT::emitSlow_op_jeq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emit_op_jneq):
        (JSC::JIT::emitSlow_op_jneq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_stricteq):
        (JSC::JIT::emit_op_nstricteq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_jstricteq):
        (JSC::JIT::emit_op_jnstricteq):
        (JSC::JIT::emitSlow_op_jstricteq):
        (JSC::JIT::emitSlow_op_jnstricteq):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_identity_with_profile):
        (JSC::JIT::emit_op_get_parent_scope):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emit_op_debug):
        (JSC::JIT::emit_op_enter):
        (JSC::JIT::emit_op_get_scope):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emit_op_has_structure_property):
        (JSC::JIT::privateCompileHasIndexedProperty):
        (JSC::JIT::emit_op_has_indexed_property):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        (JSC::JIT::emit_op_get_direct_pname):
        (JSC::JIT::emit_op_enumerator_structure_pname):
        (JSC::JIT::emit_op_enumerator_generic_pname):
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_getter_by_id):
        (JSC::JIT::emit_op_put_setter_by_id):
        (JSC::JIT::emit_op_put_getter_setter_by_id):
        (JSC::JIT::emit_op_put_getter_by_val):
        (JSC::JIT::emit_op_put_setter_by_val):
        (JSC::JIT::emit_op_del_by_id):
        (JSC::JIT::emit_op_del_by_val):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val_direct):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emit_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emit_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::emit_op_in_by_id):
        (JSC::JIT::emitSlow_op_in_by_id):
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::vmCalleeSaveRegisters):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/SamplingProfiler.cpp:
        (JSC::tryGetBytecodeIndex):

2018-11-20  Saam barati  <sbarati@apple.com>

        Merging an IC variant may lead to the IC status containing overlapping structure sets
        https://bugs.webkit.org/show_bug.cgi?id=191869
        <rdar://problem/45403453>

        Reviewed by Mark Lam.

        When merging two IC variant lists, we may end up in a world where we have
        overlapping structure sets. We defend against this when we append a new
        variant, but we should also defend against it once we merge in a new variant.
        
        Consider this case with MultiPutByOffset, where we merge two PutByIdStatuses
        together, P1 and P2.
        
        Let's consider these structures:
        s1 = {}
        s2 = {p: 0}
        s3 = {p: 0, p2: 1}
        
        P1 contains these variants:
        Transition: [s1 => s2]
        Replace: [s2, s3]
        
        P2 contains:
        Replace: [s2]
        
        Because of the ordering of the variants, we may end up combining
        P2's replace into P1's transition, forming this new list:
        Transition: [(s1, s2) => s2]
        Replace: [s2, s3]
        
        Obviously the ideal thing here is to have some ordering when we merge
        in variants to choose the most ideal option. It'd be ideal for P2's
        Replace to be merged into P1's replace.
        
        If we notice that this is super important, we can implement some kind
        of ordering. None of our tests (until this patch) stress this. This patch
        just makes it so we defend against this crazy scenario by falling back
        to the slow path gracefully. This prevents us from emitting invalid
        IR in FTL->B3 lowering by creating a switch with two case labels being
        identical values.

        * bytecode/ICStatusUtils.h:
        (JSC::appendICStatusVariant):

2018-11-20  Fujii Hironori  <Hironori.Fujii@sony.com>

        REGRESSION(r238039) WebCore::JSDOMGlobalObject::createStructure is using JSC::Structure::create without including StructureInlines.h
        https://bugs.webkit.org/show_bug.cgi?id=191626
        <rdar://problem/46161064>

        Unreviewed adding comment for my change r238366.

        * runtime/Structure.h: Added a comment for Structure::create.

2018-11-19  Mark Lam  <mark.lam@apple.com>

        globalFuncImportModule() should return a promise when it clears exceptions.
        https://bugs.webkit.org/show_bug.cgi?id=191792
        <rdar://problem/46090763>

        Reviewed by Michael Saboff.

        If we're clearing the exceptions in a CatchScope, then it means that we've handled
        the exception, and is able to proceed in a normal manner.  Hence, we should not
        return the empty JSValue in this case: instead, we should return a Promise as
        expected by import's API.

        The only time when we can't return a promise is when we fail to create a Promise.
        In that case, we should be propagating the exception.

        Hence, globalFuncImportModule() contains a ThrowScope (for propagating the
        exception that arises from failure to create the Promise) wrapping a CatchScope
        (for catching any exception that arises from failure to execute the import).

        Also fixed similar issues, and some exception check issues in JSModuleLoader and
        the jsc shell.

        * jsc.cpp:
        (GlobalObject::moduleLoaderImportModule):
        (GlobalObject::moduleLoaderFetch):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncImportModule):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::requestImportModule):
        (JSC::JSModuleLoader::importModule):
        (JSC::JSModuleLoader::resolve):
        (JSC::JSModuleLoader::fetch):
        (JSC::moduleLoaderParseModule):
        (JSC::moduleLoaderResolveSync):

2018-11-19  Alex Christensen  <achristensen@webkit.org>

        Add SPI to disable JIT in a WKWebView
        https://bugs.webkit.org/show_bug.cgi?id=191822
        <rdar://problem/28119360>

        Reviewed by Geoffrey Garen.

        * jit/ExecutableAllocator.cpp:
        (JSC::jitDisabled):
        (JSC::allowJIT):
        (JSC::ExecutableAllocator::setJITEnabled):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::setJITEnabled):

2018-11-19  Fujii Hironori  <Hironori.Fujii@sony.com>

        [MSVC] X86Assembler.h(108): error C2666: 'WebCore::operator -': 7 overloads have similar conversions
        https://bugs.webkit.org/show_bug.cgi?id=189467
        <rdar://problem/44290945>

        Reviewed by Mark Lam.

        This issue has happened several times. And, it seems that it will
        take more time for Microsoft to fix the MSVC bug. We need a
        effective workaround not to repeat this issue until they fix MSVC.

        Remove ": int8_t" of RegisterID only for COMPILER(MSVC).

        * assembler/X86Assembler.h: Added JSC_X86_ASM_REGISTER_ID_ENUM_BASE_TYPE macro.

2018-11-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [WebAssembly] I64 arguments / return value check should be moved from callWebAssemblyFunction to JSToWasm wrapper
        https://bugs.webkit.org/show_bug.cgi?id=190512

        Reviewed by Keith Miller.

        This patch moves I64 arguments / return value check from callWebAssemblyFunction to JSToWasm wrapper. Since this
        check can be done when compiling the function, we should encode the result into the generated wrapper instead of
        checking every time we call callWebAssemblyFunction. This change is also one of the steps removing callWebAssemblyFunction
        entirely.

        * wasm/WasmExceptionType.h:
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::callWebAssemblyWrapperFunction):

2018-11-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Consider removing double load for accessing the instructions from LLInt
        https://bugs.webkit.org/show_bug.cgi?id=190932

        Reviewed by Mark Lam.

        Changing InstructionStream to RefCountedArray like structure involves so much changes
        including BytecodeGraph, PreciseJumpTargets etc. Instead, CodeBlock simply hold a raw
        pointer to the InstructionStream's data. Since InstructionStream is not changed
        anymore, this pointer is valid while CodeBlock is live.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        * bytecode/InstructionStream.h:
        (JSC::InstructionStream::rawPointer const):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-11-18  Fujii Hironori  <Hironori.Fujii@sony.com>

        REGRESSION(r238039) WebCore::JSDOMGlobalObject::createStructure is using JSC::Structure::create without including StructureInlines.h
        https://bugs.webkit.org/show_bug.cgi?id=191626

        Reviewed by Yusuke Suzuki.

        JSC::Structure::create is used everywhere. It should be defined in
        Structure.h, not in StructureInlines.h.

        * runtime/Structure.h:
        (JSC::Structure::create): Moved.
        * runtime/StructureInlines.h: Moved JSC::Structure::create.

2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, rolling in the rest of r237254
        https://bugs.webkit.org/show_bug.cgi?id=190340

        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition):
        (JSC::JSTokenLocation::JSTokenLocation): Deleted.
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):

2018-11-17  Devin Rousso  <drousso@apple.com>

        Web Inspector: Network: add button to show system certificate dialog
        https://bugs.webkit.org/show_bug.cgi?id=191458
        <rdar://problem/45977019>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Network.json:
        Add `getSerializedCertificate` command.

2018-11-17  Dominik Infuehr  <dinfuehr@igalia.com>

        Fix build with disabled DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=191256

        Reviewed by Yusuke Suzuki.

        Fix compilation errors and warnings with both DFG and FTL
        disabled at compile-time.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::getICStatusMap):
        * bytecode/InByIdStatus.cpp:
        (JSC::InByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::hasExitSite): Deleted.
        * bytecode/PutByIdStatus.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):

2018-11-16  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Keep Web Inspector window alive across process swaps (PSON) (Local Inspector)
        https://bugs.webkit.org/show_bug.cgi?id=191740
        <rdar://problem/45470897>

        Reviewed by Timothy Hatcher.

        * inspector/InspectorFrontendChannel.h:
        Expose EnumTraits for ConnectionType for WebKit IPC messages.

2018-11-16  Filip Pizlo  <fpizlo@apple.com>

        All users of ArrayBuffer should agree on the same max size
        https://bugs.webkit.org/show_bug.cgi?id=191771

        Reviewed by Mark Lam.

        Array buffers cannot be larger than 0x7fffffff, because otherwise loading typedArray.length in the DFG/FTL would produce
        a uint32 or would require a signedness check, neither of which sounds reasonable. It's better to just bound their max size
        instead.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::ArrayBufferContents):
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBufferContents::transferTo):
        (JSC::ArrayBufferContents::copyTo):
        (JSC::ArrayBufferContents::shareWith):
        * runtime/ArrayBuffer.h:
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::tryCreate):
        (JSC::Wasm::Memory::grow):
        * wasm/WasmPageCount.h:

2018-11-16  Saam Barati  <sbarati@apple.com>

        KnownCellUse should also have SpecCellCheck as its type filter
        https://bugs.webkit.org/show_bug.cgi?id=191729
        <rdar://problem/45872852>

        Reviewed by Filip Pizlo.

        We write transformations in the compiler like this where we emit edges with
        KnownCellUse if we know we're inserting code at a point where we're dominated
        by a Cell check:
        
        a: SomeValue
        b: Something(Cell:@a)
        c: SomethingElse(@b)
        d: CheckNotEmpty(@a)
        
        =>
        
        a: SomeValue
        b: Something(Cell:@a)
        e: RandomOtherThing(KnownCellUse:@a)
        c: SomethingElse(@b)
        d: CheckNotEmpty(@a)
        
        However, doing this used to lead to subtly incorrect programs since KnownCellUse
        did not allow the empty value to flow through it. We used to end up incorrectly
        deleting @d in the above program. We fix this, we make KnownCellUse allow the empty
        value to flow through.

        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):

2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>

        Fix assertion failure on BytecodeGenerator::recordOpcode
        https://bugs.webkit.org/show_bug.cgi?id=191724
        <rdar://problem/45724395>

        Reviewed by Saam Barati.

        Since https://bugs.webkit.org/show_bug.cgi?id=187373, we were not
        restoring m_lastInstruction after patching the bytecode when
        finalizing StructureForInContexts, only m_lastOpcodeID, which led to
        the assertion failure.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::StructureForInContext::finalize):

2018-11-15  Mark Lam  <mark.lam@apple.com>

        RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
        https://bugs.webkit.org/show_bug.cgi?id=191730
        <rdar://problem/46048517>

        Reviewed by Saam Barati.

        According to the spec https://www.ecma-international.org/ecma-262/9.0/index.html#sec-regexp.prototype-@@match,
        the RegExp match results are filled in using the spec's CreateDataProperty()
        function which does not consult the prototype for setters.  JSArray:push()
        consults the prototype for setters.  We should be using putDirectIndex() instead.

        * runtime/RegExpObjectInlines.h:
        (JSC::collectMatches):

2018-11-15  Mark Lam  <mark.lam@apple.com>

        RegExp operations should not take fast patch if lastIndex is not numeric.
        https://bugs.webkit.org/show_bug.cgi?id=191731
        <rdar://problem/46017305>

        Reviewed by Saam Barati.

        This is because if lastIndex is an object with a valueOf() method, it can execute
        arbitrary code which may have side effects, and side effects are not permitted by
        the RegExp fast paths.

        * builtins/RegExpPrototype.js:
        (globalPrivate.hasObservableSideEffectsForRegExpMatch):
        (overriddenName.string_appeared_here.search):
        (globalPrivate.hasObservableSideEffectsForRegExpSplit):
        (intrinsic.RegExpTestIntrinsic.test):
        * builtins/StringPrototype.js:
        (globalPrivate.hasObservableSideEffectsForStringReplace):

2018-11-15  Keith Rollin  <krollin@apple.com>

        Delete old .xcfilelist files
        https://bugs.webkit.org/show_bug.cgi?id=191669
        <rdar://problem/46081994>

        Reviewed by Chris Dumez.

        .xcfilelist files were created and added to the Xcode project files in
        https://trac.webkit.org/changeset/238008/webkit. However, they caused
        build issues and they were removed from the Xcode projects in
        https://trac.webkit.org/changeset/238055/webkit. This check-in removes
        the files from the repository altogether. They'll ultimately be
        replaced with new files with names that indicate whether the
        associated files are inputs to the Run Script phase or are files
        created by the Run Script phase.

        * DerivedSources.xcfilelist: Removed.
        * UnifiedSources.xcfilelist: Removed.

2018-11-14  Keith Rollin  <krollin@apple.com>

        Move scripts for Derived and Unified Sources to external files
        https://bugs.webkit.org/show_bug.cgi?id=191670
        <rdar://problem/46082278>

        Reviewed by Keith Miller.

        Move the scripts in the Generate Derived Sources and Generate Unified
        Sources Run Script phases from the Xcode projects to external shell
        script files. Then invoke those scripts from the Run Script phases.
        This refactoring is being performed to support later work that will
        invoke these scripts in other contexts.

        The scripts were maintained as-is when making the move. I did a little
        reformatting and added 'set -e' to the top of each file, but that's
        it.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/generate-derived-sources.sh: Added.
        * Scripts/generate-unified-sources.sh: Added.

2018-11-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Pass Inspector::FrontendChannel as a reference connect/disconnect methods
        https://bugs.webkit.org/show_bug.cgi?id=191612

        Reviewed by Matt Baker.

        * inspector/InspectorFrontendRouter.cpp:
        (Inspector::FrontendRouter::connectFrontend):
        (Inspector::FrontendRouter::disconnectFrontend):
        * inspector/InspectorFrontendRouter.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/remote/RemoteControllableTarget.h:
        * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
        (Inspector::RemoteConnectionToTarget::setup):
        (Inspector::RemoteConnectionToTarget::close):
        * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
        (Inspector::RemoteConnectionToTarget::setup):
        (Inspector::RemoteConnectionToTarget::close):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        * runtime/JSGlobalObjectDebuggable.h:

2018-11-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Keep Web Inspector window alive across process swaps (PSON) (Remote Inspector)
        https://bugs.webkit.org/show_bug.cgi?id=191494
        <rdar://problem/45469854>

        Reviewed by Devin Rousso.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        New domain and resources.

        * inspector/protocol/Target.json: Added.
        New protocol domain, modeled after Worker.json, to allow for
        multiplexing between different targets.

        * inspector/InspectorTarget.h:
        Each target will instantiate an InspectorTarget and must
        provide an identifier, type, and means of connecting/disconnecting
        to a frontend channel.

        * inspector/agents/InspectorTargetAgent.cpp: Added.
        (Inspector::InspectorTargetAgent::InspectorTargetAgent):
        (Inspector::InspectorTargetAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorTargetAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorTargetAgent::exists):
        (Inspector::InspectorTargetAgent::initialized):
        (Inspector::InspectorTargetAgent::sendMessageToTarget):
        (Inspector::InspectorTargetAgent::sendMessageFromTargetToFrontend):
        (Inspector::targetTypeToProtocolType):
        (Inspector::buildTargetInfoObject):
        (Inspector::InspectorTargetAgent::targetCreated):
        (Inspector::InspectorTargetAgent::targetTerminated):
        (Inspector::InspectorTargetAgent::connectToTargets):
        (Inspector::InspectorTargetAgent::disconnectFromTargets):
        * inspector/agents/InspectorTargetAgent.h: Added.
        TargetAgent holds a list of targets, and connects/disconnects to each
        of the targets when a frontend connects/disconnects.

        * inspector/scripts/codegen/generator.py:
        Better enum casing of ServiceWorker.

2018-11-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, rolling in CodeCache in r237254
        https://bugs.webkit.org/show_bug.cgi?id=190340

        Land the CodeCache part without adding an additional hash value.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::operator== const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/FunctionExecutable.h:

2018-11-13  Saam Barati  <sbarati@apple.com>

        ProxyObject should check for VMInquiry and return early before throwing a stack overflow exception
        https://bugs.webkit.org/show_bug.cgi?id=191601

        Reviewed by Mark Lam.

        This doesn't fix any bugs today, but it may reduce future bugs. It was
        always weird that ProxyObject::getOwnPropertySlot with VMInquiry might
        throw a stack overflow error instead of just returning false like it
        normally does when VMInquiry is passed in.

        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::getOwnPropertySlotCommon):

2018-11-13  Saam Barati  <sbarati@apple.com>

        TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
        https://bugs.webkit.org/show_bug.cgi?id=191600

        Reviewed by Mark Lam.

        processLogEntries will call into calculatedClassName, which will clear
        any exceptions it encounters (it assumes that they're stack overflow exceptions).
        However, this code may be called when an exception is already pending on the 
        VM (e.g, when we throw an exception in the DFG, we compile an OSR exit
        offramp, which may compile a baseline codeblock, which will process
        the type profiler log). To get around this, processLogEntires should stash
        away and re-apply any pending exceptions.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGOperations.cpp:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * jit/JIT.cpp:
        (JSC::JIT::doMainThreadPreparationBeforeCompile):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeProfilerLog.h:
        * runtime/VM.cpp:
        (JSC::VM::dumpTypeProfilerData):
        * runtime/VM.h:
        (JSC::VM::DeferExceptionScope::DeferExceptionScope):
        * tools/JSDollarVM.cpp:
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):

2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238132.

        The test added with this change is timing out on Debug JSC
        bots.

        Reverted changeset:

        "[BigInt] JSBigInt::createWithLength should throw when length
        is greater than JSBigInt::maxLength"
        https://bugs.webkit.org/show_bug.cgi?id=190836
        https://trac.webkit.org/changeset/238132

2018-11-12  Mark Lam  <mark.lam@apple.com>

        Add OOM detection to StringPrototype's substituteBackreferences().
        https://bugs.webkit.org/show_bug.cgi?id=191563
        <rdar://problem/45720428>

        Reviewed by Saam Barati.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):
        (JSC::substituteBackreferencesInline):
        (JSC::substituteBackreferences):
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        * runtime/StringPrototype.h:

2018-11-13  Mark Lam  <mark.lam@apple.com>

        LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
        https://bugs.webkit.org/show_bug.cgi?id=191579
        <rdar://problem/45942472>

        Reviewed by Saam Barati.

        Both of these functions do a lot of work.  It would be good for the topCallFrame
        to be correct should we need to throw an exception.

        For example, we've observed the following crash trace:

          * frame #0: WTFCrash() at Assertions.cpp:253
            frame #1: ...
            frame #2: JSC::StructureIDTable::get(this=0x00006040000162f0, structureID=1874583248) at StructureIDTable.h:129
            frame #3: JSC::VM::getStructure(this=0x0000604000016210, id=4022066896) at VM.h:705
            frame #4: JSC::JSCell::structure(this=0x00007ffeefbbde30, vm=0x0000604000016210) const at JSCellInlines.h:125
            frame #5: JSC::JSCell::classInfo(this=0x00007ffeefbbde30, vm=0x0000604000016210) const at JSCellInlines.h:335
            frame #6: JSC::JSCell::inherits(this=0x00007ffeefbbde30, vm=0x0000604000016210, info=0x0000000105eaf020) const at JSCellInlines.h:302
            frame #7: JSC::JSObject* JSC::jsCast<JSC::JSObject*, JSC::JSCell>(from=0x00007ffeefbbde30) at JSCast.h:36
            frame #8: JSC::asObject(cell=0x00007ffeefbbde30) at JSObject.h:1299
            frame #9: JSC::asObject(value=JSValue @ 0x00007ffeefbba380) at JSObject.h:1304
            frame #10: JSC::Register::object(this=0x00007ffeefbbdd58) const at JSObject.h:1514
            frame #11: JSC::ExecState::jsCallee(this=0x00007ffeefbbdd40) const at CallFrame.h:107
            frame #12: JSC::ExecState::isStackOverflowFrame(this=0x00007ffeefbbdd40) const at CallFrameInlines.h:36
            frame #13: JSC::StackVisitor::StackVisitor(this=0x00007ffeefbba860, startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800) at StackVisitor.cpp:52
            frame #14: JSC::StackVisitor::StackVisitor(this=0x00007ffeefbba860, startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800) at StackVisitor.cpp:41
            frame #15: void JSC::StackVisitor::visit<(JSC::StackVisitor::EmptyEntryFrameAction)0, JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul>&, unsigned long, unsigned long)::$_3>(startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800, functor=0x00007ffeefbbaa60)::$_3 const&) at StackVisitor.h:147
            frame #16: JSC::Interpreter::getStackTrace(this=0x0000602000005db0, owner=0x000062d00020cbe0, results=0x00006020000249d0, framesToSkip=0, maxStackSize=1) at Interpreter.cpp:437
            frame #17: JSC::getStackTrace(exec=0x000062d00002c048, vm=0x0000631000000800, obj=0x000062d00020cbe0, useCurrentFrame=true) at Error.cpp:170
            frame #18: JSC::ErrorInstance::finishCreation(this=0x000062d00020cbe0, exec=0x000062d00002c048, vm=0x0000631000000800, message=0x00007ffeefbbb800, useCurrentFrame=true) at ErrorInstance.cpp:119
            frame #19: JSC::ErrorInstance::create(exec=0x000062d00002c048, vm=0x0000631000000800, structure=0x000062d0000f5730, message=0x00007ffeefbbb800, appender=0x0000000000000000, type=TypeNothing, useCurrentFrame=true)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool) at ErrorInstance.h:49
            frame #20: JSC::createRangeError(exec=0x000062d00002c048, globalObject=0x000062d00002c000, message=0x00007ffeefbbb800, appender=0x0000000000000000)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) at Error.cpp:68
            frame #21: JSC::createRangeError(exec=0x000062d00002c048, globalObject=0x000062d00002c000, message=0x00007ffeefbbb800) at Error.cpp:316
            frame #22: JSC::createStackOverflowError(exec=0x000062d00002c048, globalObject=0x000062d00002c000) at ExceptionHelpers.cpp:77
            frame #23: JSC::createStackOverflowError(exec=0x000062d00002c048) at ExceptionHelpers.cpp:72
            frame #24: JSC::throwStackOverflowError(exec=0x000062d00002c048, scope=0x00007ffeefbbbaa0) at ExceptionHelpers.cpp:335
            frame #25: JSC::ProxyObject::getOwnPropertySlotCommon(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbba80, slot=0x00007ffeefbbc720) at ProxyObject.cpp:372
            frame #26: JSC::ProxyObject::getOwnPropertySlot(object=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbbd40, slot=0x00007ffeefbbc720) at ProxyObject.cpp:395
            frame #27: JSC::JSObject::getNonIndexPropertySlot(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbbea0, slot=0x00007ffeefbbc720) at JSObjectInlines.h:150
            frame #28: bool JSC::JSObject::getPropertySlot<false>(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbc320, slot=0x00007ffeefbbc720) at JSObject.h:1424
            frame #29: JSC::JSObject::calculatedClassName(object=0x000062d000200e40) at JSObject.cpp:535
            frame #30: JSC::Structure::toStructureShape(this=0x000062d000007410, value=JSValue @ 0x00007ffeefbbcae0, sawPolyProtoStructure=0x00007ffeefbbcf60) at Structure.cpp:1142
            frame #31: JSC::TypeProfilerLog::processLogEntries(this=0x000060400000a950, reason=0x00007ffeefbbd5c0) at TypeProfilerLog.cpp:89
            frame #32: JSC::JIT::doMainThreadPreparationBeforeCompile(this=0x0000619000034da0) at JIT.cpp:951
            frame #33: JSC::JITWorklist::Plan::Plan(this=0x0000619000034d80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:43
            frame #34: JSC::JITWorklist::Plan::Plan(this=0x0000619000034d80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:42
            frame #35: JSC::JITWorklist::compileLater(this=0x0000616000001b80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:256
            frame #36: JSC::LLInt::jitCompileAndSetHeuristics(codeBlock=0x000062d0001d88c0, exec=0x00007ffeefbbde30, loopOSREntryBytecodeOffset=0) at LLIntSlowPaths.cpp:391
            frame #37: llint_replace(exec=0x00007ffeefbbde30, pc=0x00006040000161ba) at LLIntSlowPaths.cpp:516
            frame #38: llint_entry at LowLevelInterpreter64.asm:98
            frame #39: vmEntryToJavaScript at LowLevelInterpreter64.asm:296
            ...

        This crash occurred because StackVisitor was seeing an invalid topCallFrame while
        trying to capture the Error stack while throwing a StackOverflowError below
        llint_replace.  While in this specific example, it is questionable whether we
        should be executing JS code below TypeProfilerLog::processLogEntries(), it is
        correct to have set the topCallFrame in llint_replace.  We do this by calling
        LLINT_BEGIN_NO_SET_PC() at the top of llint_replace.

        We also do the same for llint_osr.
        
        Note: both of these LLInt slow path functions are called with a fully initialized
        CallFrame.  Hence, there's no issue with setting topCallFrame to their CallFrames
        for these functions.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2018-11-13  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
        https://bugs.webkit.org/show_bug.cgi?id=190836

        Reviewed by Saam Barati.

        In this patch we are creating a new method called `JSBigInt::createWithLengthUnchecked`
        where we allocate a BigInt trusting the length received as argument.
        With this additional method, we now check if length passed to
        `JSBigInt::createWithLength` is not greater than JSBigInt::maxLength.
        When the length is greater than maxLength, we then throw OOM
        exception.
        This required change the interface of some JSBigInt operations to
        receive `ExecState*` instead of `VM&`. We changed only operations that
        can throw because of OOM.
        We beleive that this approach of throwing instead of finishing the
        execution abruptly is better because JS programs can catch such
        exception and handle this issue properly.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createZero):
        (JSC::JSBigInt::tryCreateWithLength):
        (JSC::JSBigInt::createWithLengthUnchecked):
        (JSC::JSBigInt::createFrom):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::copy):
        (JSC::JSBigInt::unaryMinus):
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::add):
        (JSC::JSBigInt::sub):
        (JSC::JSBigInt::bitwiseAnd):
        (JSC::JSBigInt::bitwiseOr):
        (JSC::JSBigInt::bitwiseXor):
        (JSC::JSBigInt::absoluteAdd):
        (JSC::JSBigInt::absoluteSub):
        (JSC::JSBigInt::absoluteDivWithDigitDivisor):
        (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
        (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
        (JSC::JSBigInt::absoluteBitwiseOp):
        (JSC::JSBigInt::absoluteAddOne):
        (JSC::JSBigInt::absoluteSubOne):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::createWithLength): Deleted.
        * runtime/JSBigInt.h:
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsSub):
        (JSC::jsMul):

2018-11-12  Devin Rousso  <drousso@apple.com>

        Web Inspector: Network: show secure certificate details per-request
        https://bugs.webkit.org/show_bug.cgi?id=191447
        <rdar://problem/30019476>

        Reviewed by Joseph Pecoraro.

        Add Security domain to hold security related protocol types.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/protocol/Network.json:
        * inspector/protocol/Security.json: Added.
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator):

2018-11-12  Saam barati  <sbarati@apple.com>

        Unreviewed. Rollout 238026: It caused ~8% JetStream 2 regressions on some iOS devices
        https://bugs.webkit.org/show_bug.cgi?id=191555

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::operator== const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/FunctionExecutable.h:

2018-11-11  Benjamin Poulain  <benjamin@webkit.org>

        Fix a fixme: rename wtfObjcMsgSend to wtfObjCMsgSend
        https://bugs.webkit.org/show_bug.cgi?id=191492

        Reviewed by Alex Christensen.

        Rename file.

        * API/JSValue.mm:

2018-11-10  Benjamin Poulain  <benjamin@webkit.org>

        Fix a fixme: rename wtfObjcMsgSend to wtfObjCMsgSend
        https://bugs.webkit.org/show_bug.cgi?id=191492

        Reviewed by Alex Christensen.

        * API/JSValue.mm:

2018-11-10  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, silence -Wunused-variable warning

        * bytecode/Opcode.h:
        (JSC::padOpcodeName):

2018-11-09  Keith Rollin  <krollin@apple.com>

        Unreviewed build fix after https://bugs.webkit.org/show_bug.cgi?id=191324

        Remove the use of .xcfilelists until their side-effects are better
        understood.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-11-09  Keith Miller  <keith_miller@apple.com>

        LLInt VectorSizeOffset should be based on offset extraction
        https://bugs.webkit.org/show_bug.cgi?id=191468

        Reviewed by Yusuke Suzuki.

        This patch also adds some usings to LLIntOffsetsExtractor that
        make it possible to use the bare names of Vector/RefCountedArray
        in offsets extraction.

        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:

2018-11-09  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, rolling in CodeCache in r237254
        https://bugs.webkit.org/show_bug.cgi?id=190340

        Land the CodeCache part, which uses DefaultHash<>::Hash instead of computeHash.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::operator== const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/FunctionExecutable.h:

2018-11-08  Keith Miller  <keith_miller@apple.com>

        put_by_val opcodes need to add the number tag as a 64-bit register
        https://bugs.webkit.org/show_bug.cgi?id=191456

        Reviewed by Saam Barati.

        Previously the LLInt would add it as a pointer sized value. That is
        wrong if pointer size is less 64-bits.

        * llint/LowLevelInterpreter64.asm:

2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] isStrWhiteSpace seems redundant with Lexer<UChar>::isWhiteSpace
        https://bugs.webkit.org/show_bug.cgi?id=191439

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * runtime/ParseInt.h:
        (JSC::isStrWhiteSpace):
        Define isStrWhiteSpace in terms of isWhiteSpace and isLineTerminator.

2018-11-08  Michael Saboff  <msaboff@apple.com>

        Options::useRegExpJIT() should use jitEnabledByDefault() just like useJIT()
        https://bugs.webkit.org/show_bug.cgi?id=191444

        Reviewed by Saam Barati.

        * runtime/Options.h:

2018-11-08  Fujii Hironori  <Hironori.Fujii@sony.com>

        [Win] UDis86Disassembler.cpp: warning: format specifies type 'unsigned long' but the argument has type 'uintptr_t' (aka 'unsigned long long')
        https://bugs.webkit.org/show_bug.cgi?id=191416

        Reviewed by Saam Barati.

        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86): Use PRIxPTR for uintptr_t.

2018-11-08  Keith Rollin  <krollin@apple.com>

        Create .xcfilelist files
        https://bugs.webkit.org/show_bug.cgi?id=191324
        <rdar://problem/45852819>

        Reviewed by Alex Christensen.

        As part of preparing for enabling XCBuild, create and use .xcfilelist
        files. These files are using during Run Script build phases in an
        Xcode project. If a Run Script build phase produces new files that are
        used later as inputs to subsequent build phases, XCBuild needs to know
        about these files. These files can be either specified in an "output
        files" section of the Run Script phase editor, or in .xcfilelist files
        that are associated with the Run Script build phase.

        This patch takes the second approach. It consists of three sets of changes:

        - Modify the DerivedSources.make files to have a
          'print_all_generated_files" target that produces a list of the files
          they create.

        - Create a shell script that produces .xcfilelist files from the
          output of the previous step, as well as for the files created in the
          Generate Unified Sources build steps.

        - Add the new .xcfilelist files to the associated projects.

        Note that, with these changes, the Xcode workspace and projects can no
        longer be fully loaded into Xcode 9. Xcode will attempt to load the
        projects that have .xcfilelist files associated with them, but will
        fail and display a placeholder for those projects instead. It's
        expected that all developers are using Xcode 10 by now and that not
        being able to load into Xcode 9 is not a practical issue. Keep in mind
        that this is strictly an IDE issue, and that the projects can still be
        built with `xcodebuild`.

        Also note that the shell script that creates the .xcfilelist files can
        also be used to verify that the set of files that's currently checked
        in is up-to-date. This checking can be used as part of a check-in hook
        or part of check-webkit-style to sooner catch cases where the
        .xcfilelist files need to be regenerated.

        * DerivedSources.make:
        * DerivedSources.xcfilelist: Added.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * UnifiedSources.xcfilelist: Added.

2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>

        U+180E is no longer a whitespace character
        https://bugs.webkit.org/show_bug.cgi?id=191415

        Reviewed by Saam Barati.

        Mongolian Vowel Separator stopped being a valid whitespace character as of ES2016.
        (https://github.com/tc39/ecma262/pull/300)

        * parser/Lexer.h:
        (JSC::Lexer<UChar>::isWhiteSpace):
        * runtime/ParseInt.h:
        (JSC::isStrWhiteSpace):
        * yarr/create_regex_tables:

2018-11-08  Keith Miller  <keith_miller@apple.com>

        jitEnabledByDefault() should be on useJIT not useBaselineJIT
        https://bugs.webkit.org/show_bug.cgi?id=191434

        Reviewed by Saam Barati.

        * runtime/Options.h:

2018-11-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Restrict domains at the target level instead of only at the window level
        https://bugs.webkit.org/show_bug.cgi?id=191344

        Reviewed by Devin Rousso.

        * inspector/protocol/Console.json:
        * inspector/protocol/Debugger.json:
        * inspector/protocol/Heap.json:
        * inspector/protocol/Runtime.json:
        Remove workerSupported as it is now no longer necessary. It is implied
        by availability being empty (meaning it is supported everywhere).

        * inspector/protocol/Inspector.json:
        * inspector/protocol/ScriptProfiler.json:
        Restrict to "javascript" and "web" debuggables, not available in workers.

        * inspector/protocol/Worker.json:
        Cleanup, remove empty types list.
        
        * inspector/protocol/Recording.json:
        Cleanup, only expose this in the "web" domain for now.

        * inspector/scripts/codegen/generate_js_backend_commands.py:
        (JSBackendCommandsGenerator.generate_domain):
        * inspector/scripts/codegen/models.py:
        (Protocol.parse_domain):
        Allow a list of debuggable types. Add "worker" even though it is unused
        since that is a type we would want to allow or consider.

        (Domain.__init__):
        (Domains):
        Remove now unnecessary workerSupported code.
        Allow availability on a domain with only types.

        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result: Removed.
        * inspector/scripts/tests/generic/worker-supported-domains.json: Removed.

2018-11-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Consider removing double load for accessing the MetadataTable from LLInt
        https://bugs.webkit.org/show_bug.cgi?id=190933

        Reviewed by Keith Miller.

        This patch removes double load for accesses to MetadataTable from LLInt.
        MetadataTable is now specially RefCounted class, which has interesting memory layout.
        When refcount becomes 0, MetadataTable asks UnlinkedMetadataTable to destroy itself.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::estimatedSize):
        (JSC::CodeBlock::visitChildren):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::metadata):
        * bytecode/CodeBlockInlines.h:
        (JSC::CodeBlock::forEachValueProfile):
        (JSC::CodeBlock::forEachArrayProfile):
        (JSC::CodeBlock::forEachArrayAllocationProfile):
        (JSC::CodeBlock::forEachObjectAllocationProfile):
        (JSC::CodeBlock::forEachLLIntCallLinkInfo):
        * bytecode/MetadataTable.cpp:
        (JSC::MetadataTable::MetadataTable):
        (JSC::MetadataTable::~MetadataTable):
        (JSC::MetadataTable::sizeInBytes):
        * bytecode/MetadataTable.h:
        (JSC::MetadataTable::get):
        (JSC::MetadataTable::forEach):
        (JSC::MetadataTable::ref const):
        (JSC::MetadataTable::deref const):
        (JSC::MetadataTable::refCount const):
        (JSC::MetadataTable::hasOneRef const):
        (JSC::MetadataTable::buffer):
        (JSC::MetadataTable::linkingData const):
        (JSC::MetadataTable::getImpl):
        * bytecode/UnlinkedMetadataTable.h:
        (JSC::UnlinkedMetadataTable::buffer const):
        * bytecode/UnlinkedMetadataTableInlines.h:
        (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
        (JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable):
        (JSC::UnlinkedMetadataTable::addEntry):
        (JSC::UnlinkedMetadataTable::sizeInBytes):
        (JSC::UnlinkedMetadataTable::finalize):
        (JSC::UnlinkedMetadataTable::link):
        (JSC::UnlinkedMetadataTable::unlink):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:

2018-11-07  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add support to BigInt into ValueAdd
        https://bugs.webkit.org/show_bug.cgi?id=186177

        Reviewed by Keith Miller.

        We are adding a very primitive specialization case of BigInts into ValueAdd.
        When compiling a speculated version of this node to BigInt, we are currently
        calling 'operationAddBigInt', a function that expects only BigInts as
        parameter and effectly add numbers using JSBigInt::add. To properly
        speculate BigInt operands, we changed ArithProfile to observe when
        its result is a BigInt. With this new observation, we are able to identify
        when ValueAdd results into a String or BigInt.

        Here are some numbers for this specialization running
        microbenchmarks:

        big-int-simple-add                   21.5411+-1.1096  ^  15.3502+-0.7027  ^ definitely 1.4033x faster
        big-int-add-prediction-propagation   13.7762+-0.5578  ^  10.8117+-0.5330  ^ definitely 1.2742x faster

        * bytecode/ArithProfile.cpp:
        (JSC::ArithProfile::emitObserveResult):
        (JSC::ArithProfile::shouldEmitSetNonNumeric const):
        (JSC::ArithProfile::shouldEmitSetBigInt const):
        (JSC::ArithProfile::emitSetNonNumeric const):
        (JSC::ArithProfile::emitSetBigInt const):
        (WTF::printInternal):
        (JSC::ArithProfile::shouldEmitSetNonNumber const): Deleted.
        (JSC::ArithProfile::emitSetNonNumber const): Deleted.
        * bytecode/ArithProfile.h:
        (JSC::ArithProfile::observedUnaryInt):
        (JSC::ArithProfile::observedUnaryNumber):
        (JSC::ArithProfile::observedBinaryIntInt):
        (JSC::ArithProfile::observedBinaryNumberInt):
        (JSC::ArithProfile::observedBinaryIntNumber):
        (JSC::ArithProfile::observedBinaryNumberNumber):
        (JSC::ArithProfile::didObserveNonInt32 const):
        (JSC::ArithProfile::didObserveNonNumeric const):
        (JSC::ArithProfile::didObserveBigInt const):
        (JSC::ArithProfile::setObservedNonNumeric):
        (JSC::ArithProfile::setObservedBigInt):
        (JSC::ArithProfile::observeResult):
        (JSC::ArithProfile::didObserveNonNumber const): Deleted.
        (JSC::ArithProfile::setObservedNonNumber): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::mayHaveNonNumericResult):
        (JSC::DFG::Node::mayHaveBigIntResult):
        (JSC::DFG::Node::mayHaveNonNumberResult): Deleted.
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
        * runtime/CommonSlowPaths.cpp:
        (JSC::updateArithProfileForUnaryArithOp):
        (JSC::updateArithProfileForBinaryArithOp):

2018-11-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Fix "Javascript" => "JavaScript" enum in protocol generated objects
        https://bugs.webkit.org/show_bug.cgi?id=191340

        Reviewed by Devin Rousso.

        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        Use new enum name.

        * inspector/scripts/codegen/generator.py:
        Correct the casing of "JavaScript".

2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>

        Align wide opcodes in the instruction stream
        https://bugs.webkit.org/show_bug.cgi?id=191254

        Reviewed by Keith Miller.

        Pad the bytecode with nops to ensure that wide opcodes are 4-byte
        aligned on platforms that don't like unaligned memory access.

        For that, add a new type to represent jump targets, BoundLabel, which
        delays computing the offset in case we need to emit nops for padding.
        Extra padding is also emitted before op_yield and at the of each
        BytecodeWriter fragment, to ensure that the bytecode remains aligned
        after the rewriting.

        As a side effect, we can longer guarantee that the point immediately
        before emitting an opcode is the start of that opcode, since nops
        might be emitted in between if the opcode needs to be wide. To fix
        that, we only take the offset of opcodes after they have been emitted,
        using `m_lastInstruction.offset()`.

        * bytecode/BytecodeDumper.h:
        (JSC::BytecodeDumper::dumpValue):
        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::run):
        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeRewriter.h:
        (JSC::BytecodeRewriter::Fragment::align):
        (JSC::BytecodeRewriter::insertFragmentBefore):
        (JSC::BytecodeRewriter::insertFragmentAfter):
        * bytecode/Fits.h:
        * bytecode/InstructionStream.h:
        (JSC::InstructionStreamWriter::ref):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::updateStoredJumpTargetsForInstruction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::Label::setLocation):
        (JSC::BoundLabel::target):
        (JSC::BoundLabel::saveTarget):
        (JSC::BoundLabel::commitTarget):
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::recordOpcode):
        (JSC::BytecodeGenerator::alignWideOpcode):
        (JSC::BytecodeGenerator::emitProfileControlFlow):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitDirectGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::emitCreateThis):
        (JSC::BytecodeGenerator::beginSwitch):
        (JSC::BytecodeGenerator::endSwitch):
        (JSC::BytecodeGenerator::emitRequireObjectCoercible):
        (JSC::BytecodeGenerator::emitYieldPoint):
        (JSC::BytecodeGenerator::emitToThis):
        (JSC::Label::bind): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::recordOpcode): Deleted.
        * bytecompiler/Label.h:
        (JSC::BoundLabel::BoundLabel):
        (JSC::BoundLabel::operator int):
        (JSC::Label::bind):
        * generator/Opcode.rb:

2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>

        REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
        https://bugs.webkit.org/show_bug.cgi?id=191184

        Reviewed by Saam Barati.

        Fix API test on CLoop: we can only disable the LLInt when the JIT is enabled.

        * API/tests/PingPongStackOverflowTest.cpp:
        (testPingPongStackOverflow):

2018-11-06  Justin Fan  <justin_fan@apple.com>

        [WebGPU] Experimental prototype for WebGPURenderPipeline and WebGPUSwapChain
        https://bugs.webkit.org/show_bug.cgi?id=191291

        Reviewed by Myles Maxfield.

        Properly disable WEBGPU on all non-Metal platforms for now.

        * Configurations/FeatureDefines.xcconfig:

2018-11-06  Keith Rollin  <krollin@apple.com>

        Adjust handling of Include paths that need quoting
        https://bugs.webkit.org/show_bug.cgi?id=191314
        <rdar://problem/45849143>

        Reviewed by Dan Bernstein.

        There are several places in the JavaScriptCore Xcode project where the
        paths defined in HEADER_SEARCH_PATHS are quoted. That is, the
        definitions look like:

            HEADER_SEARCH_PATHS = (
                "\"${BUILT_PRODUCTS_DIR}/DerivedSources/JavaScriptCore\"",
                "\"${BUILT_PRODUCTS_DIR}/LLIntOffsets/${ARCHS}\"",
                "\"$(JAVASCRIPTCORE_FRAMEWORKS_DIR)/JavaScriptCore.framework/PrivateHeaders\"",
                "$(inherited)",
            );

        The idea here is presumably to have the resulting $(CPP) command have
        -I options where the associated paths are themselves quoted,
        protecting against space characters in the paths.

        This approach to quote management can break under Xcode 9. If
        .xcfilelist files are added to the project, the 'objectVersion' value
        in the Xcode project file is changed from 46 to 51. If a project with
        objectVersion=51 is presented to Xcode 9 (as can happen when we build
        for older OS's), it produces build lines where the quotes are escaped,
        thereby becoming part of the path. The build then fails because a
        search for a file normally found in a directory called "Foo" will be
        looked for in "\"Foo\"", which doesn't exist.

        Simply removing the escaped quotes from the HEADER_SEARCH_PATHS
        definition doesn't work, leading to paths that need quoting due to
        space characters but that don't get this quoting (the part of the path
        after the space appears to simply go missing).

        Removing the escaped quotes from the HEADER_SEARCH_PATHS and moving
        the definitions to the .xcconfig fixes this problem.

        * Configurations/ToolExecutable.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-11-06  Michael Saboff  <msaboff@apple.com>

        Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
        https://bugs.webkit.org/show_bug.cgi?id=191271

        Reviewed by Saam Barati.

        Fixed use of ThrowScope my adding release() calls.  Found a few places where we needed
        RETURN_IF_EXCEPTION().  After some code inspections determined that we need to cover the
        exception bubbling for String.match() with a global RegExp as well as String.replace()
        and String.search().

        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::matchInline):
        (JSC::collectMatches):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncSearchFast):
        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):

2018-11-05  Don Olmstead  <don.olmstead@sony.com>

        Fix typos in closing ENABLE guards
        https://bugs.webkit.org/show_bug.cgi?id=191273

        Reviewed by Keith Miller.

        * ftl/FTLForOSREntryJITCode.h:
        * ftl/FTLJITCode.h:
        * jsc.cpp:
        * wasm/WasmMemoryInformation.h:
        * wasm/WasmPageCount.h:

2018-11-05  Keith Miller  <keith_miller@apple.com>

        Make static_asserts in APICast into bitwise_cast
        https://bugs.webkit.org/show_bug.cgi?id=191272

        Reviewed by Filip Pizlo.

        * API/APICast.h:
        (toJS):
        (toJSForGC):
        (toRef):

2018-11-05  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable LLInt on ARMv7/Linux
        https://bugs.webkit.org/show_bug.cgi?id=191190

        Reviewed by Yusuke Suzuki.

        After enabling the new bytecode format in r237547, C_LOOP was
        forced on all 32-bit platforms. Now enable LLInt again on
        ARMv7-Thumb2/Linux.

        This adds a callee-saved register in ARMv7/Linux for the metadataTable and
        stores/restores it on LLInt function calls. It also introduces the globaladdr-
        instruction for the ARM-offlineasm to access the opcode-table.

        * jit/GPRInfo.h:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/arm.rb:
        * offlineasm/asm.rb:
        * offlineasm/instructions.rb:

2018-11-05  Fujii Hironori  <Hironori.Fujii@sony.com>

        [Win][Clang][JSC] JIT::is64BitType reports "warning: explicit specialization cannot have a storage class"
        https://bugs.webkit.org/show_bug.cgi?id=191146

        Reviewed by Yusuke Suzuki.

        * jit/JIT.h: Changed is64BitType from a template class method to a
        template inner class.

2018-11-02  Keith Miller  <keith_miller@apple.com>

        Assert JSValues can fit into a pointer when API casting
        https://bugs.webkit.org/show_bug.cgi?id=191220

        Reviewed by Michael Saboff.

        * API/APICast.h:
        (toJS):
        (toJSForGC):
        (toRef):

2018-11-02  Michael Saboff  <msaboff@apple.com>

        Rolling in r237753 with unreviewed build fix.

        Fixed issues with DECLARE_THROW_SCOPE placement.

2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r237753.

        Introduced JSC test failures

        Reverted changeset:

        "Running out of stack space not properly handled in
        RegExp::compile() and its callers"
        https://bugs.webkit.org/show_bug.cgi?id=191206
        https://trac.webkit.org/changeset/237753

2018-11-02  Michael Saboff  <msaboff@apple.com>

        Running out of stack space not properly handled in RegExp::compile() and its callers
        https://bugs.webkit.org/show_bug.cgi?id=191206

        Reviewed by Filip Pizlo.

        Eliminated two RELEASE_ASSERT_NOT_REACHED() for errors returned by Yarr parsing code.  Bubbled those errors
        up to where they are turned into the appropriate exceptions in matchInline().  If the errors are not due
        to syntax, we reset the RegExp state in case the parsing is tried with a smaller stack.

        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/RegExp.h:
        * runtime/RegExpInlines.h:
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::matchInline):
        (JSC::RegExp::compileIfNecessaryMatchOnly):
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        * yarr/YarrErrorCode.h:
        (JSC::Yarr::hasHardError):

2018-11-02  Keith Miller  <keith_miller@apple.com>

        API should use wrapper object if address is 32-bit
        https://bugs.webkit.org/show_bug.cgi?id=191203

        Reviewed by Filip Pizlo.

        * API/APICast.h:
        (toJS):
        (toJSForGC):
        (toRef):

2018-11-02  Tadeu Zagallo  <tzagallo@apple.com>

        Metadata should not be copyable
        https://bugs.webkit.org/show_bug.cgi?id=191193

        Reviewed by Keith Miller.

        We should only ever hold references to the entry in the metadata table.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * generator/Metadata.rb:

2018-11-02  Tadeu Zagallo  <tzagallo@apple.com>

        REGRESSION(r237547): Exception handlers should be aware of wide opcodes when JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=191175

        Reviewed by Keith Miller.

        https://bugs.webkit.org/show_bug.cgi?id=191108 did not handle the case where JIT is not enabled

        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * llint/LLIntData.h:
        (JSC::LLInt::getWideCodePtr):

2018-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>

        Rename <wtf/unicode/UTF8.h> to <wtf/unicode/UTF8Conversion.h> in order to avoid conflicting with ICU's unicode/utf8.h
        https://bugs.webkit.org/show_bug.cgi?id=189693

        Reviewed by Yusuke Suzuki.

        * API/JSClassRef.cpp: Replaced <wtf/unicode/UTF8.h> with <wtf/unicode/UTF8Conversion.h>.
        * API/JSStringRef.cpp: Ditto.
        * runtime/JSGlobalObjectFunctions.cpp: Ditto.
        * wasm/WasmParser.h: Ditto.

2018-11-01  Keith Miller  <keith_miller@apple.com>

        Unreviewed, JavaScriptCore should only guarantee to produce a
        modulemap if we are building for iOSMac.

        * Configurations/JavaScriptCore.xcconfig:

2018-10-31  Devin Rousso  <drousso@apple.com>

        Web Inspector: Canvas: create a setting for auto-recording newly created contexts
        https://bugs.webkit.org/show_bug.cgi?id=190856

        Reviewed by Brian Burg.

        * inspector/protocol/Canvas.json:
        Add `setRecordingAutoCaptureFrameCount` command for setting the number of frames to record
        immediately after a context is created.

        * inspector/protocol/Recording.json:
        Add `creation` value for `Initiator` enum.

2018-10-31  Devin Rousso  <drousso@apple.com>

        Web Inspector: display low-power enter/exit events in Timelines and Network node waterfalls
        https://bugs.webkit.org/show_bug.cgi?id=190641
        <rdar://problem/45319049>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOM.json:
        Add `videoLowPowerChanged` event that is fired when `InspectorDOMAgent` is able to determine
        whether a video element's low power state has changed.

2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>

        Adjust inlining threshold for new bytecode format
        https://bugs.webkit.org/show_bug.cgi?id=191115

        Reviewed by Saam Barati.

        The new format reduced the number of operands for many opcodes, which
        changed inlining decisions and impacted performance negatively.

        * runtime/Options.h:

2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>

        REGRESSION(r237547): Exception handlers should be aware of wide opcodes
        https://bugs.webkit.org/show_bug.cgi?id=191108
        <rdar://problem/45690700>

        Reviewed by Saam Barati.

        When linking the handler, we need to check whether the target op_catch is
        wide or narrow in order to chose the right code pointer for the handler.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):

2018-10-31  Dominik Infuehr  <dinfuehr@igalia.com>

        Align entries in metadata table
        https://bugs.webkit.org/show_bug.cgi?id=191062

        Reviewed by Filip Pizlo.

        Entries in the metadata table need to be aligned on some 32-bit
        architectures.

        * bytecode/MetadataTable.h:
        (JSC::MetadataTable::forEach):
        * bytecode/Opcode.cpp:
        (JSC::metadataAlignment):
        * bytecode/Opcode.h:
        * bytecode/UnlinkedMetadataTableInlines.h:
        (JSC::UnlinkedMetadataTable::finalize):
        * generator/Section.rb:

2018-10-31  Jim Mason  <jmason@ibinx.com>

        Static global 'fastHandlerInstalled' conditionally declared in WasmFaultSignalHandler.cpp
        https://bugs.webkit.org/show_bug.cgi?id=191063

        Reviewed by Yusuke Suzuki.

        * wasm/WasmFaultSignalHandler.cpp:

2018-10-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC][LLInt] Compact LLInt ASM code by removing unnecessary instructions
        https://bugs.webkit.org/show_bug.cgi?id=191092

        Reviewed by Saam Barati.

        Looking through LLIntAssembly.h, we can find several inefficiencies. This patch fixes the
        following things to tighten LLInt ASM code.

        1. Remove unnecessary load instructions. Use jmp with BaseIndex directly.
        2. Introduce strength reduction for mul instructions in offlineasm layer. This is now critical
        since mul instruction is executed in `metadata` operation in LLInt. If the given immediate is
        a power of two, we convert it to lshift instruction.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2018-10-30  Don Olmstead  <don.olmstead@sony.com>

        [PlayStation] Enable JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=191072

        Reviewed by Brent Fulgham.

        Add platform files for the PlayStation port.

        * PlatformPlayStation.cmake: Added.

2018-10-30  Alexey Proskuryakov  <ap@apple.com>

        Clean up some obsolete MAX_ALLOWED macros
        https://bugs.webkit.org/show_bug.cgi?id=190916

        Reviewed by Tim Horton.

        * API/JSManagedValue.mm:
        * API/JSVirtualMachine.mm:
        * API/JSWrapperMap.mm:

2018-10-30  Ross Kirsling  <ross.kirsling@sony.com>

        useProbeOSRExit causes failures for Win64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=190656

        Reviewed by Keith Miller.

        * assembler/ProbeContext.cpp:
        (JSC::Probe::executeProbe):
        If lowWatermark is expected to equal lowWatermarkFromVisitingDirtyPages *regardless* of the input param,
        then let's just call lowWatermarkFromVisitingDirtyPages instead.

        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        The result of VariableEventStream::reconstruct appears to be inappropriate for direct use as a stack pointer offset;
        mimic the non-probe case and use requiredRegisterCountForExit from DFGCommonData instead.
        (Also, stop redundantly setting the stack pointer twice in a row.)

2018-10-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        "Unreviewed, partial rolling in r237254"
        https://bugs.webkit.org/show_bug.cgi?id=190340

        This only adds Parser.{cpp,h}. And it is not used in this patch.
        It examines that the regression is related to exact Parser changes.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseSingleFunction):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse):
        (JSC::parseFunctionForFunctionConstructor):

2018-10-29  Mark Lam  <mark.lam@apple.com>

        Correctly detect string overflow when using the 'Function' constructor.
        https://bugs.webkit.org/show_bug.cgi?id=184883
        <rdar://problem/36320331>

        Reviewed by Saam Barati.

        Added StringBuilder::hasOverflowed() checks, and throwing OutOfMemoryErrors if
        we detect an overflow.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::appendStringifiedValue):

2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>

        Unreviewed, fix JSC on arm64e after r237547
        https://bugs.webkit.org/show_bug.cgi?id=187373

        Unreviewed.

        Remove unused move guarded by POINTER_PROFILING that was trashing the
        metadata on arm64e.

        * llint/LowLevelInterpreter64.asm:

2018-10-29  Keith Miller  <keith_miller@apple.com>

        JSC should explicitly list its modulemap file
        https://bugs.webkit.org/show_bug.cgi?id=191032

        Reviewed by Saam Barati.

        The automagically generated module map file for JSC will
        include headers where they may not work out of the box.
        This patch makes it so we now export the same modulemap
        that used to be provided via the legacy system.

        * Configurations/JavaScriptCore.xcconfig:
        * JavaScriptCore.modulemap: Added.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-10-29  Tim Horton  <timothy_horton@apple.com>

        Modernize WebKit nibs and lprojs for localization's sake
        https://bugs.webkit.org/show_bug.cgi?id=190911
        <rdar://problem/45349466>

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        English->en

2018-10-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r237492.
        https://bugs.webkit.org/show_bug.cgi?id=191035

        "It regresses JetStream 2 by 5% on some iOS devices"
        (Requested by saamyjoon on #webkit).

        Reverted changeset:

        "Unreviewed, partial rolling in r237254"
        https://bugs.webkit.org/show_bug.cgi?id=190340
        https://trac.webkit.org/changeset/237492

2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>

        Add support for GetStack FlushedDouble
        https://bugs.webkit.org/show_bug.cgi?id=191012
        <rdar://problem/45265141>

        Reviewed by Saam Barati.

        LowerDFGToB3::compileGetStack assumed that we would not emit GetStack
        for doubles, but it turns out it may arise from the PutStack sinking
        phase: if we sink a PutStack into a successor block, other predecessors
        will emit a GetStack followed by a Upsilon.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):

2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>

        New bytecode format for JSC
        https://bugs.webkit.org/show_bug.cgi?id=187373
        <rdar://problem/44186758>

        Reviewed by Filip Pizlo.

        Replace unlinked and linked bytecode with a new immutable bytecode that does not embed
        any addresses. Instructions can be encoded as narrow (1-byte operands) or wide (4-byte
        operands) and might contain an extra operand, the metadataID. The metadataID is used to
        access the instruction's mutable data in a side table in the CodeBlock (the MetadataTable).

        Bytecodes now must be structs declared in the new BytecodeList.rb. All bytecodes give names
        and types to all its operands. Additionally, reading a bytecode from the instruction stream
        requires decoding the whole bytecode, i.e. it's no longer possible to access arbitrary
        operands directly from the stream.


        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::ReturnAddressPtr::ReturnAddressPtr):
        (JSC::ReturnAddressPtr::value const):
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
        * bytecode/ArithProfile.h:
        (JSC::ArithProfile::ArithProfile):
        * bytecode/ArrayAllocationProfile.h:
        (JSC::ArrayAllocationProfile::ArrayAllocationProfile):
        * bytecode/ArrayProfile.h:
        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::isJumpTarget):
        (JSC::BytecodeBasicBlock::computeImpl):
        (JSC::BytecodeBasicBlock::compute):
        * bytecode/BytecodeBasicBlock.h:
        (JSC::BytecodeBasicBlock::leaderOffset const):
        (JSC::BytecodeBasicBlock::totalLength const):
        (JSC::BytecodeBasicBlock::offsets const):
        (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
        (JSC::BytecodeBasicBlock::addLength):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printLocationAndOp):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpIdentifiers):
        (JSC::BytecodeDumper<Block>::dumpConstants):
        (JSC::BytecodeDumper<Block>::dumpExceptionHandlers):
        (JSC::BytecodeDumper<Block>::dumpSwitchJumpTables):
        (JSC::BytecodeDumper<Block>::dumpStringSwitchJumpTables):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeDumper.h:
        (JSC::BytecodeDumper::dumpOperand):
        (JSC::BytecodeDumper::dumpValue):
        (JSC::BytecodeDumper::BytecodeDumper):
        (JSC::BytecodeDumper::block const):
        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
        (JSC::BytecodeGeneratorification::enterPoint const):
        (JSC::BytecodeGeneratorification::instructions const):
        (JSC::GeneratorLivenessAnalysis::run):
        (JSC::BytecodeGeneratorification::run):
        (JSC::performGeneratorification):
        * bytecode/BytecodeGeneratorification.h:
        * bytecode/BytecodeGraph.h:
        (JSC::BytecodeGraph::blockContainsBytecodeOffset):
        (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset):
        (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset):
        (JSC::BytecodeGraph::BytecodeGraph):
        * bytecode/BytecodeKills.h:
        * bytecode/BytecodeList.json: Removed.
        * bytecode/BytecodeList.rb: Added.
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::dumpResults):
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        (JSC::isValidRegisterForLiveness):
        (JSC::BytecodeLivenessPropagation::stepOverInstruction):
        * bytecode/BytecodeRewriter.cpp:
        (JSC::BytecodeRewriter::applyModification):
        (JSC::BytecodeRewriter::execute):
        (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
        (JSC::BytecodeRewriter::insertImpl):
        (JSC::BytecodeRewriter::adjustJumpTarget):
        (JSC::BytecodeRewriter::adjustJumpTargets):
        * bytecode/BytecodeRewriter.h:
        (JSC::BytecodeRewriter::InsertionPoint::InsertionPoint):
        (JSC::BytecodeRewriter::Fragment::Fragment):
        (JSC::BytecodeRewriter::Fragment::appendInstruction):
        (JSC::BytecodeRewriter::BytecodeRewriter):
        (JSC::BytecodeRewriter::insertFragmentBefore):
        (JSC::BytecodeRewriter::insertFragmentAfter):
        (JSC::BytecodeRewriter::removeBytecode):
        (JSC::BytecodeRewriter::adjustAbsoluteOffset):
        (JSC::BytecodeRewriter::adjustJumpTarget):
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::estimatedSize):
        (JSC::CodeBlock::visitChildren):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::addJITAddIC):
        (JSC::CodeBlock::addJITMulIC):
        (JSC::CodeBlock::addJITSubIC):
        (JSC::CodeBlock::addJITNegIC):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
        (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
        (JSC::CodeBlock::hasOpDebugForLineAndColumn):
        (JSC::CodeBlock::getArrayProfile):
        (JSC::CodeBlock::updateAllArrayPredictions):
        (JSC::CodeBlock::predictedMachineCodeSize):
        (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::validate):
        (JSC::CodeBlock::outOfLineJumpOffset):
        (JSC::CodeBlock::outOfLineJumpTarget):
        (JSC::CodeBlock::arithProfileForBytecodeOffset):
        (JSC::CodeBlock::arithProfileForPC):
        (JSC::CodeBlock::couldTakeSpecialFastCase):
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addMathIC):
        (JSC::CodeBlock::outOfLineJumpOffset):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::instructions const):
        (JSC::CodeBlock::instructionCount const):
        (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
        (JSC::CodeBlock::metadata):
        (JSC::CodeBlock::metadataSizeInBytes):
        (JSC::CodeBlock::numberOfNonArgumentValueProfiles):
        (JSC::CodeBlock::totalNumberOfValueProfiles):
        * bytecode/CodeBlockInlines.h: Added.
        (JSC::CodeBlock::forEachValueProfile):
        (JSC::CodeBlock::forEachArrayProfile):
        (JSC::CodeBlock::forEachArrayAllocationProfile):
        (JSC::CodeBlock::forEachObjectAllocationProfile):
        (JSC::CodeBlock::forEachLLIntCallLinkInfo):
        * bytecode/Fits.h: Added.
        * bytecode/GetByIdMetadata.h: Copied from Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        (JSC::Instruction::Impl::opcodeID const):
        (JSC::Instruction::opcodeID const):
        (JSC::Instruction::name const):
        (JSC::Instruction::isWide const):
        (JSC::Instruction::size const):
        (JSC::Instruction::is const):
        (JSC::Instruction::as const):
        (JSC::Instruction::cast):
        (JSC::Instruction::cast const):
        (JSC::Instruction::narrow const):
        (JSC::Instruction::wide const):
        * bytecode/InstructionStream.cpp: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
        (JSC::InstructionStream::InstructionStream):
        (JSC::InstructionStream::sizeInBytes const):
        * bytecode/InstructionStream.h: Added.
        (JSC::InstructionStream::BaseRef::BaseRef):
        (JSC::InstructionStream::BaseRef::operator=):
        (JSC::InstructionStream::BaseRef::operator-> const):
        (JSC::InstructionStream::BaseRef::ptr const):
        (JSC::InstructionStream::BaseRef::operator!= const):
        (JSC::InstructionStream::BaseRef::next const):
        (JSC::InstructionStream::BaseRef::offset const):
        (JSC::InstructionStream::BaseRef::isValid const):
        (JSC::InstructionStream::BaseRef::unwrap const):
        (JSC::InstructionStream::MutableRef::freeze const):
        (JSC::InstructionStream::MutableRef::operator->):
        (JSC::InstructionStream::MutableRef::ptr):
        (JSC::InstructionStream::MutableRef::operator Ref):
        (JSC::InstructionStream::MutableRef::unwrap):
        (JSC::InstructionStream::iterator::operator*):
        (JSC::InstructionStream::iterator::operator++):
        (JSC::InstructionStream::begin const):
        (JSC::InstructionStream::end const):
        (JSC::InstructionStream::at const):
        (JSC::InstructionStream::size const):
        (JSC::InstructionStreamWriter::InstructionStreamWriter):
        (JSC::InstructionStreamWriter::ref):
        (JSC::InstructionStreamWriter::seek):
        (JSC::InstructionStreamWriter::position):
        (JSC::InstructionStreamWriter::write):
        (JSC::InstructionStreamWriter::rewind):
        (JSC::InstructionStreamWriter::finalize):
        (JSC::InstructionStreamWriter::swap):
        (JSC::InstructionStreamWriter::iterator::operator*):
        (JSC::InstructionStreamWriter::iterator::operator++):
        (JSC::InstructionStreamWriter::begin):
        (JSC::InstructionStreamWriter::end):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
        * bytecode/MetadataTable.cpp: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
        (JSC::MetadataTable::MetadataTable):
        (JSC::DeallocTable::withOpcodeType):
        (JSC::MetadataTable::~MetadataTable):
        (JSC::MetadataTable::sizeInBytes):
        * bytecode/MetadataTable.h: Copied from Source/JavaScriptCore/runtime/Watchdog.h.
        (JSC::MetadataTable::get):
        (JSC::MetadataTable::forEach):
        (JSC::MetadataTable::getImpl):
        * bytecode/Opcode.cpp:
        (JSC::metadataSize):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/OpcodeInlines.h:
        (JSC::isOpcodeShape):
        (JSC::getOpcodeType):
        * bytecode/OpcodeSize.h: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForInstruction):
        (JSC::computePreciseJumpTargetsInternal):
        (JSC::computePreciseJumpTargets):
        (JSC::recomputePreciseJumpTargets):
        (JSC::findJumpTargetsForInstruction):
        * bytecode/PreciseJumpTargets.h:
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::jumpTargetForInstruction):
        (JSC::extractStoredJumpTargetsForInstruction):
        (JSC::updateStoredJumpTargetsForInstruction):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecode/SpecialPointer.cpp:
        (WTF::printInternal):
        * bytecode/SpecialPointer.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::estimatedSize):
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
        (JSC::dumpLineColumnEntry):
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset const):
        (JSC::UnlinkedCodeBlock::setInstructions):
        (JSC::UnlinkedCodeBlock::instructions const):
        (JSC::UnlinkedCodeBlock::applyModification):
        (JSC::UnlinkedCodeBlock::addOutOfLineJumpTarget):
        (JSC::UnlinkedCodeBlock::outOfLineJumpOffset):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction):
        (JSC::UnlinkedCodeBlock::propertyAccessInstructions const):
        (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets const):
        (JSC::UnlinkedCodeBlock::metadata):
        (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
        (JSC::UnlinkedCodeBlock::outOfLineJumpOffset):
        (JSC::UnlinkedCodeBlock::replaceOutOfLineJumpTargets):
        * bytecode/UnlinkedInstructionStream.cpp: Removed.
        * bytecode/UnlinkedInstructionStream.h: Removed.
        * bytecode/UnlinkedMetadataTable.h: Copied from Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h.
        * bytecode/UnlinkedMetadataTableInlines.h: Added.
        (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
        (JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable):
        (JSC::UnlinkedMetadataTable::addEntry):
        (JSC::UnlinkedMetadataTable::sizeInBytes):
        (JSC::UnlinkedMetadataTable::finalize):
        (JSC::UnlinkedMetadataTable::link):
        (JSC::UnlinkedMetadataTable::unlink):
        * bytecode/VirtualRegister.cpp:
        (JSC::VirtualRegister::VirtualRegister):
        * bytecode/VirtualRegister.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::Label::setLocation):
        (JSC::Label::bind):
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
        (JSC::BytecodeGenerator::emitEnter):
        (JSC::BytecodeGenerator::emitLoopHint):
        (JSC::BytecodeGenerator::emitJump):
        (JSC::BytecodeGenerator::emitCheckTraps):
        (JSC::BytecodeGenerator::rewind):
        (JSC::BytecodeGenerator::fuseCompareAndJump):
        (JSC::BytecodeGenerator::fuseTestAndJmp):
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
        (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
        (JSC::BytecodeGenerator::moveLinkTimeConstant):
        (JSC::BytecodeGenerator::moveEmptyValue):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitUnaryOp):
        (JSC::BytecodeGenerator::emitBinaryOp):
        (JSC::BytecodeGenerator::emitToObject):
        (JSC::BytecodeGenerator::emitToNumber):
        (JSC::BytecodeGenerator::emitToString):
        (JSC::BytecodeGenerator::emitTypeOf):
        (JSC::BytecodeGenerator::emitInc):
        (JSC::BytecodeGenerator::emitDec):
        (JSC::BytecodeGenerator::emitEqualityOp):
        (JSC::BytecodeGenerator::emitProfileType):
        (JSC::BytecodeGenerator::emitProfileControlFlow):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::emitResolveScopeForHoistingFuncDeclInEval):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::emitOverridesHasInstance):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::emitInstanceOf):
        (JSC::BytecodeGenerator::emitInstanceOfCustom):
        (JSC::BytecodeGenerator::emitInByVal):