[JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
4         https://bugs.webkit.org/show_bug.cgi?id=201634
5
6         Reviewed by Mark Lam and Robin Morisset.
7
8         This patch includes two things. One is fixing 32bit bitwise operation with allOne constants. Another is fixing the existing bug in BitAnd strength reduction.
9
10         1. 32bit bitwise operation with allOne constants
11
12             Accidentally, the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
13             For example, in BitAnd strength reduction,
14
15                 1034             // Turn this: BitAnd(value, all-ones)
16                 1035             // Into this: value.
17                 1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
18                 1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
19                 1038                 replaceWithIdentity(m_value->child(0));
20                 1039                 break;
21                 1040             }
22
23             We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
24
25                 262 inline bool Value::isInt(int64_t value) const
26                 263 {
27                 264     return hasInt() && asInt() == value;
28                 265 }
29
30             So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX can be representable in int64_t. And Value::asInt implementation is,
31
32                 257 inline int64_t Value::asInt() const
33                 258 {
34                 259     return hasInt32() ? asInt32() : asInt64();
35                 260 }
36
37             So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
38             We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).
39
40         2. BitAnd and BitOr strength reduction bug
41
42             We also fix the following optimization.
43
44                 // Turn this: BitAnd(Op(value, constant1), constant2)
45                 //     where !(constant1 & constant2)
46                 //       and Op is BitOr or BitXor
47                 // into this: BitAnd(value, constant2)
48
49             Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
50
51                 // Turn this: BitAnd(BitXor(x, allOnes), c)
52                 // Into this: BitXor(BitOr(x, ~c), allOnes)
53
54             And we also found that this not-used optimization has a bug not inserting a newly produced constant B3::Value. This patch also fixes it.
55
56         For both, this patch adds tests. And (2) fix can be ensured that the testb3 does not crash with validate-graph option.
57
58         * b3/B3LowerToAir.cpp:
59         * b3/B3ReduceStrength.cpp:
60         * b3/testb3.h:
61         * b3/testb3_2.cpp:
62         (testBitAndNotNot32):
63         (testBitAndNotImm):
64         (testBitAndNotImm32):
65         (testBitOrAndAndArgs32):
66         (testBitOrAndSameArgs32):
67         (testBitOrNotNot32):
68         (testBitOrNotImm32):
69         (addBitTests):
70         * b3/testb3_3.cpp:
71         (testBitXorAndAndArgs32):
72         (testBitXorAndSameArgs32):
73
74 2019-09-10  Commit Queue  <commit-queue@webkit.org>
75
76         Unreviewed, rolling out r249721.
77         https://bugs.webkit.org/show_bug.cgi?id=201667
78
79         Discovering existing bug (Requested by yusukesuzuki on
80         #webkit).
81
82         Reverted changeset:
83
84         "[JSC] 32bit bitwide operation with all-one (-1) is wrong in
85         B3"
86         https://bugs.webkit.org/show_bug.cgi?id=201634
87         https://trac.webkit.org/changeset/249721
88
89 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
90
91         [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
92         https://bugs.webkit.org/show_bug.cgi?id=201664
93         <rdar://problem/52126927>
94
95         Reviewed by Tadeu Zagallo.
96
97         We are hitting the crash accessing invalid-pointer as CodeBlock::calleeSaveRegisters result.
98         This is because concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters.
99         Since m_jitData can be initialized in the main thread while calling CodeBlock::calleeSaveRegisters from concurrent Baseline JIT compiler thread,
100         we can see half-baked JITData structure which holds garbage pointers.
101
102         But we do not want to make CodeBlock::calleeSaveRegisters() call with CodeBlock::m_lock due to several reasons.
103
104         1. This function is very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are
105            called while taking this exact same lock, so dead-lock can happen.
106         2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlock. And DFG and FTL code accesses these field after initializing properly. For Baseline JIT
107            compiler case, only thing we should do is that JITData should say m_calleeSaveRegisters is nullptr and it won't be filled for this CodeBlock.
108
109         Instead of guarding CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts WTF::storeStoreFence when filling m_jitData. This ensures that
110         JITData::m_calleeSaveRegisters is initialized with nullptr when this JITData pointer is exposed to concurrent Baseline JIT compiler thread.
111
112         * bytecode/CodeBlock.cpp:
113         (JSC::CodeBlock::ensureJITDataSlow):
114
115 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
116
117         [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
118         https://bugs.webkit.org/show_bug.cgi?id=198253
119
120         Reviewed by Mark Lam.
121
122         ResultType of bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like a int32.
123         When it is specified, TypeMaybeNumber must exist too. This issue compiles op_div in JetStream2/async-fs slow-path. And eventually DFG first mis-compiles
124         it with Int32 ArithDiv while that div always produces double. And unnecessary OSR exit happens.
125
126         In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.
127
128         * parser/ResultType.h:
129         (JSC::ResultType::bigIntOrInt32Type):
130
131 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
132
133         [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
134         https://bugs.webkit.org/show_bug.cgi?id=201634
135
136         Reviewed by Mark Lam.
137
138         Accidentally, the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
139         For example, in BitAnd strength reduction,
140
141             1034             // Turn this: BitAnd(value, all-ones)
142             1035             // Into this: value.
143             1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
144             1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
145             1038                 replaceWithIdentity(m_value->child(0));
146             1039                 break;
147             1040             }
148
149         We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
150
151             262 inline bool Value::isInt(int64_t value) const
152             263 {
153             264     return hasInt() && asInt() == value;
154             265 }
155
156         So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX can be representable in int64_t. And Value::asInt implementation is,
157
158             257 inline int64_t Value::asInt() const
159             258 {
160             259     return hasInt32() ? asInt32() : asInt64();
161             260 }
162
163         So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
164         We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).
165
166         We also fix the following optimization.
167
168             // Turn this: BitAnd(Op(value, constant1), constant2)
169             //     where !(constant1 & constant2)
170             //       and Op is BitOr or BitXor
171             // into this: BitAnd(value, constant2)
172
173         Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
174
175             // Turn this: BitAnd(BitXor(x, allOnes), c)
176             // Into this: BitXor(BitOr(x, ~c), allOnes)
177
178         We add 32bit version of B3 tests for these optimizations.
179
180         * b3/B3LowerToAir.cpp:
181         * b3/B3ReduceStrength.cpp:
182         * b3/testb3.h:
183         * b3/testb3_2.cpp:
184         (testBitAndNotNot32):
185         (testBitAndNotImm):
186         (testBitAndNotImm32):
187         (testBitOrAndAndArgs32):
188         (testBitOrAndSameArgs32):
189         (testBitOrNotNot32):
190         (testBitOrNotImm32):
191         (addBitTests):
192         * b3/testb3_3.cpp:
193         (testBitXorAndAndArgs32):
194         (testBitXorAndSameArgs32):
195
196 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
197
198         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
199         https://bugs.webkit.org/show_bug.cgi?id=189043
200
201         Reviewed by Keith Miller.
202
203         This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan.
204         And remove Wasm::ModuleParser. This patch paves the way to implementing Wasm streaming features by
205         using Wasm::StreamingParser.
206
207         Currently, we are not using streaming feature of StreamingParser. In a subsequent patch, we will
208         create a mechanism to pipe a chunk of data to streaming parser to enable WebAssembly.compileStreaming
209         and instantiateStreaming.
210
211         * JavaScriptCore.xcodeproj/project.pbxproj:
212         * Sources.txt:
213         * tools/JSDollarVM.cpp:
214         (JSC::WasmStreamingParser::WasmStreamingParser):
215         * wasm/WasmAirIRGenerator.cpp:
216         (JSC::Wasm::parseAndCompileAir):
217         * wasm/WasmAirIRGenerator.h:
218         * wasm/WasmB3IRGenerator.cpp:
219         (JSC::Wasm::parseAndCompile): Use FunctionData, it is good since it is more strongly typed.
220         * wasm/WasmB3IRGenerator.h:
221         * wasm/WasmBBQPlan.cpp:
222         (JSC::Wasm::BBQPlan::BBQPlan):
223         (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation.
224         (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser.
225         (JSC::Wasm::BBQPlan::compileFunctions):
226         (JSC::Wasm::BBQPlan::complete):
227         * wasm/WasmBBQPlan.h:
228         * wasm/WasmModuleParser.cpp: Removed.
229         * wasm/WasmModuleParser.h: Removed.
230         * wasm/WasmOMGForOSREntryPlan.cpp:
231         (JSC::Wasm::OMGForOSREntryPlan::work):
232         * wasm/WasmOMGPlan.cpp:
233         (JSC::Wasm::OMGPlan::work):
234         * wasm/WasmPlan.cpp:
235         (JSC::Wasm::Plan::fail): Make fail function callable multiple times. The first error will be used.
236         * wasm/WasmSectionParser.cpp:
237         (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used.
238         * wasm/WasmStreamingParser.cpp:
239         (JSC::Wasm::StreamingParser::StreamingParser):
240         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
241         (JSC::Wasm::StreamingParser::parseFunctionPayload):
242         (JSC::Wasm::StreamingParser::parseSectionPayload):
243         (JSC::Wasm::StreamingParser::finalize): Call client's callbacks at appropriate timings.
244         * wasm/WasmStreamingParser.h:
245         (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
246         (JSC::Wasm::StreamingParserClient::didReceiveFunctionData):
247         (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient,
248         which has 3 callbacks right now. StreamingParser gets this client and call these callbacks
249         at appropriate timings.
250         * wasm/WasmValidate.cpp:
251         (JSC::Wasm::validateFunction):
252         * wasm/WasmValidate.h: Use FunctionData, it is good since it is more strongly typed.
253
254 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
255
256         [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory
257         https://bugs.webkit.org/show_bug.cgi?id=201622
258
259         Reviewed by Mark Lam.
260
261         CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, some of the places reallocate
262         this Vector without taking a lock. If a Vector memory is reallocated while iterating it in concurrent collector,
263         the concurrent collector can see a garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock.
264
265         * bytecode/CodeBlock.cpp:
266         (JSC::CodeBlock::finishCreation):
267         (JSC::CodeBlock::setConstantRegisters):
268         * bytecode/CodeBlock.h:
269         (JSC::CodeBlock::addConstant):
270         (JSC::CodeBlock::addConstantLazily):
271         * dfg/DFGDesiredWatchpoints.cpp:
272         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
273         (JSC::DFG::SymbolTableAdaptor::add):
274         (JSC::DFG::FunctionExecutableAdaptor::add):
275         * dfg/DFGGraph.cpp:
276         (JSC::DFG::Graph::registerFrozenValues):
277         * dfg/DFGJITFinalizer.cpp:
278         (JSC::DFG::JITFinalizer::finalizeCommon):
279         * dfg/DFGLazyJSValue.cpp:
280         (JSC::DFG::LazyJSValue::emit const):
281
282 2019-09-09  Robin Morisset  <rmorisset@apple.com>
283
284         [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array
285         https://bugs.webkit.org/show_bug.cgi?id=197305
286
287         Reviewed by Keith Miller.
288
289         Currently it is a HashSet, but it only ever holds at most registerCount() items. And linear search tends to be faster on such a small collection than hashing + searching in a HashSet.
290         Further benefits include avoiding the allocation of the HashSet, not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists).
291
292         This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly.
293         Apart from that, the patch got some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (that for example was only logging the number of iterations for FP registers, and not the more interesting number for GP registers).
294
295         The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms.
296         So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall.
297
298         No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2.
299
300         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
301
302 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
303
304         [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector
305         https://bugs.webkit.org/show_bug.cgi?id=201613
306
307         Reviewed by Mark Lam.
308
309         We do not need to maintain propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode
310         since we have MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the
311         issue that `op_create_promise` missed propertyAccessInstructions registration (a name "propertyAccessInstructions" is
312         misleading, it is like "instructions-requires-llint-finalize").
313
314         * bytecode/CodeBlock.cpp:
315         (JSC::CodeBlock::propagateTransitions):
316         (JSC::CodeBlock::finalizeLLIntInlineCaches):
317         * bytecode/UnlinkedCodeBlock.cpp:
318         (JSC::UnlinkedCodeBlock::applyModification):
319         (JSC::UnlinkedCodeBlock::shrinkToFit):
320         * bytecode/UnlinkedCodeBlock.h:
321         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
322         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted.
323         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted.
324         * bytecompiler/BytecodeGenerator.cpp:
325         (JSC::BytecodeGenerator::emitResolveScope):
326         (JSC::BytecodeGenerator::emitGetFromScope):
327         (JSC::BytecodeGenerator::emitPutToScope):
328         (JSC::BytecodeGenerator::emitGetById):
329         (JSC::BytecodeGenerator::emitDirectGetById):
330         (JSC::BytecodeGenerator::emitPutById):
331         (JSC::BytecodeGenerator::emitDirectPutById):
332         (JSC::BytecodeGenerator::emitCreateThis):
333         (JSC::BytecodeGenerator::emitToThis):
334         * runtime/CachedTypes.cpp:
335         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
336         (JSC::CachedCodeBlock<CodeBlockType>::encode):
337
338 2019-09-07  Keith Miller  <keith_miller@apple.com>
339
340         OSR entry into wasm misses some contexts
341         https://bugs.webkit.org/show_bug.cgi?id=201569
342
343         Reviewed by Yusuke Suzuki.
344
345         This patch fixes an issue where we could fail to capture some of
346         our contexts when OSR entering into wasm code. Before we would
347         only capture the state of the block immediately surrounding the
348         entrance loop block header. We actually need to capture all
349         enclosed stacks.
350
351         Additionally, we don't need to use variables for all the captured
352         values. We can use a Phi and insert an upsilon just below the
353         captured value.
354
355         * interpreter/CallFrame.h:
356         * jsc.cpp:
357         (GlobalObject::finishCreation):
358         (functionCallerIsOMGCompiled):
359         * wasm/WasmAirIRGenerator.cpp:
360         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
361         (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
362         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
363         (JSC::Wasm::AirIRGenerator::addLoop):
364         * wasm/WasmB3IRGenerator.cpp:
365         (JSC::Wasm::B3IRGenerator::createStack):
366         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
367         (JSC::Wasm::B3IRGenerator::addConstant):
368         (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
369         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
370         (JSC::Wasm::B3IRGenerator::addLoop):
371         (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
372         (JSC::Wasm::dumpExpressionStack):
373         (JSC::Wasm::B3IRGenerator::dump):
374         (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
375         (JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
376         (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
377         (JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
378         (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
379         (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
380         (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
381         (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
382         (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
383         (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
384         (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
385         (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.
386         * wasm/WasmFunctionParser.h:
387         (JSC::Wasm::FunctionParser::controlStack):
388
389 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
390
391         [JSC] Promise resolve/reject functions should be created more efficiently
392         https://bugs.webkit.org/show_bug.cgi?id=201488
393
394         Reviewed by Mark Lam.
395
396         While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it enforces FunctionRareData allocations.
397         Unfortunately, anonymous-builtin-function function can be created frequently since this type of function is used
398         for `resolve` and `reject` arguments of Promise's executor (e.g. `new Promise((resolve, reject) => ...)`'s resolve and reject).
399         Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower.
400
401         In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information
402         to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes
403         anonymous-builtin-function creation faster.
404
405         We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test.
406         The simple microbenchmark shows 1.7x improvement.
407
408                                               ToT                     Patched
409
410             promise-creation-many       45.6701+-0.1488     ^     26.8663+-1.8336        ^ definitely 1.6999x faster
411
412         * dfg/DFGSpeculativeJIT.cpp:
413         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
414         * ftl/FTLLowerDFGToB3.cpp:
415         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
416         * runtime/FunctionRareData.cpp:
417         (JSC::FunctionRareData::create):
418         (JSC::FunctionRareData::FunctionRareData):
419         * runtime/FunctionRareData.h:
420         * runtime/JSFunction.cpp:
421         (JSC::JSFunction::finishCreation):
422         (JSC::JSFunction::allocateRareData):
423         (JSC::JSFunction::allocateAndInitializeRareData):
424         * runtime/JSFunctionInlines.h:
425         (JSC::JSFunction::hasReifiedName const):
426
427 2019-09-07  Mark Lam  <mark.lam@apple.com>
428
429         performJITMemcpy() source buffer should not be in the Gigacage.
430         https://bugs.webkit.org/show_bug.cgi?id=201577
431         <rdar://problem/55142606>
432
433         Reviewed by Michael Saboff.
434
435         Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
436         buffer is not in the Gigacage.
437
438         * jit/ExecutableAllocator.h:
439         (JSC::performJITMemcpy):
440
441 2019-09-07  Mark Lam  <mark.lam@apple.com>
442
443         The jsc shell should allow disabling of the Gigacage for testing purposes.
444         https://bugs.webkit.org/show_bug.cgi?id=201579
445
446         Reviewed by Michael Saboff.
447
448         Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code.  If
449         this env var is present and it has a falsy value, then do not
450         forbidDisablingPrimitiveGigacage() in the jsc shell.
451
452         * jsc.cpp:
453         (jscmain):
454
455 2019-09-06  Mark Lam  <mark.lam@apple.com>
456
457         Harden protection of the Gigacage Config parameters.
458         https://bugs.webkit.org/show_bug.cgi?id=201570
459         <rdar://problem/55134229>
460
461         Reviewed by Saam Barati.
462
463         Just renaming some function names here.
464
465         * assembler/testmasm.cpp:
466         (JSC::testCagePreservesPACFailureBit):
467         * jit/AssemblyHelpers.h:
468         (JSC::AssemblyHelpers::cageConditionally):
469         * jsc.cpp:
470         (jscmain):
471
472 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
473
474         Math.round() produces wrong result for value prior to 0.5
475         https://bugs.webkit.org/show_bug.cgi?id=185115
476
477         Reviewed by Saam Barati.
478
479         Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994.
480         This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite.
481
482         Specifically:
483           - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5),
484             so taking the difference between ceil(value)` and `value` is problematic.
485           - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones
486             (by falling back to jsRound). This patch gives baseline a legitimate implementation too.
487
488         * dfg/DFGSpeculativeJIT.cpp:
489         (JSC::DFG::SpeculativeJIT::compileArithRounding):
490         * ftl/FTLLowerDFGToB3.cpp:
491         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
492         * jit/ThunkGenerators.cpp:
493         (JSC::roundThunkGenerator):
494         * runtime/MathCommon.cpp:
495
496 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
497
498         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
499         https://bugs.webkit.org/show_bug.cgi?id=201366
500
501         Reviewed by Saam Barati.
502
503         It is possible for the log buffer to be full right as someone is trying to
504         log a function prologue. In such a case the machine stack has already been
505         updated to include the new JavaScript call frame, but the prologue packet
506         cannot be included in the update because the log is full. This would mean
507         that the update fails to rationalize the machine stack with the shadow
508         log / stack. Namely, the current JavaScript call frame is unable to
509         find a matching prologue (the one we are holding to include after the update)
510         and inserts a questionable value into the stack; and in the process
511         missing and removing real potential tail calls.
512
513         For example:
514         
515             "use strict";
516             function third() { return 1; }
517             function second() { return third(); }
518             function first() { return second(); }
519             function start() { return first(); }
520
521         If the the log fills up just as we are entering `b` then we may have a list
522         full log of packets looking like:
523
524           Shadow Log:
525             ...
526             { prologue-packet: entering `start` ... }
527             { prologue-packet: entering `first` ... }
528             { tail-packet: leaving `first` with a tail call }
529
530           Incoming Packet:
531             { prologue-packet: entering `second` ... }
532
533           Current JS Stack:
534             second
535             start
536
537         Since the Current JavaScript stack already has `second`, if we process the
538         log without the prologue for `second` then we push a confused entry on the
539         shadow stack and clear the log such that we eventually lose the tail-call
540         information for `first` to `second`.
541
542         This patch solves this issue by providing enough extra space in the log
543         to always process the incoming packet when that forces an update. This way
544         clients can continue to behave exactly as they are.
545
546         --
547
548         We also document a corner case in some circumstances where the shadow
549         log may currently be insufficient to know how to reconcile:
550         
551         For example:
552
553             "use strict";
554             function third() { return 1; }
555             function second() { return third(); }
556             function first() { return second(); }
557             function doNothingTail() { return Math.random() }
558             function start() {
559                 for (i=0;i<1000;++i) doNothingTail();
560                 return first();
561             }
562
563         In this case the ShadowChicken log may be processed multiple times due
564         to the many calls to `doNothingTail` / `Math.random()`. When calling the
565         Native function no prologue packet is emitted, so it is unclear that we
566         temporarly go deeper and come back out on the stack, so the log appears
567         to have lots of doNothingTail calls reusing the same frame:
568
569           Shadow Log:
570             ...
571             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
572             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
573             , [125] tail-packet:{frame = 0x7ffeef8971f0}
574             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
575             , [127] tail-packet:{frame = 0x7ffeef8971f0}
576             ...
577             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
578             , [141] tail-packet:{frame = 0x7ffeef8971f0}
579             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
580             , [143] tail-packet:{frame = 0x7ffeef8971f0}
581             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
582             , [145] tail-packet:{frame = 0x7ffeef8971f0}
583             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
584             ...
585
586         This log would seem to be indistinguishable from real tail recursion, such as:
587
588             "use strict";
589             function third() { return 1; }
590             function second() { return third(); }
591             function first() { return second(); }
592             function doNothingTail(n) {
593                 return n ? doNothingTail(n-1) : first();
594             }
595             function start() {
596                 return doNothingTail(1000);
597             }
598
599         Likewise there are more cases where the shadow log appears to be ambiguous with determining
600         the appropriate parent call frame with intermediate function calls. In practice this may
601         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
602         It seems likely we would only show additional frames that did in fact happen serially
603         between JavaScript call frames, but may not actually be the proper parent frames
604         heirachy in the stack.
605
606         * interpreter/ShadowChicken.cpp:
607         (JSC::ShadowChicken::Packet::dump const):
608         (JSC::ShadowChicken::Frame::dump const):
609         (JSC::ShadowChicken::dump const):
610         Improved debugging output. Especially for functions.
611
612         (JSC::ShadowChicken::ShadowChicken):
613         Make space in the log for 1 additional packet to process when we slow log.
614
615         (JSC::ShadowChicken::log):
616         Include this packet in our update.
617
618         (JSC::ShadowChicken::update):
619         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
620
621 2019-09-06  Ryan Haddad  <ryanhaddad@apple.com>
622
623         Unreviewed, rolling out r249566.
624
625         Causes inspector layout test crashes under GuardMalloc
626
627         Reverted changeset:
628
629         "Tail Deleted Frames shown in Web Inspector are sometimes
630         incorrect (Shadow Chicken)"
631         https://bugs.webkit.org/show_bug.cgi?id=201366
632         https://trac.webkit.org/changeset/249566
633
634 2019-09-06  Guillaume Emont  <guijemont@igalia.com>
635
636         testmasm: save r6 in JIT'ed code on ARM_THUMB2
637         https://bugs.webkit.org/show_bug.cgi?id=201138
638
639         Reviewed by Mark Lam.
640
641         MacroAssemblerArmv7 uses r6 as a temporary register, and it is a
642         callee-saved register. The JITs use
643         AssemblyHelpers::emitSaveCalleeSaves() and friends to save
644         callee-saved registers, but there is no such mechanism in testmasm,
645         which seems to make the assumption that the macroassembler does not
646         use callee-saved registers (which I guess is true for all other
647         architectures, but not for Armv7).
648
649         This issue means that testmasm crashes on Armv7 since code generated
650         by gcc uses r6, and it gets modified by JIT'ed code.
651
652         This change makes sure that we save and restore r6 for all code
653         compiled by testmasm on Armv7.
654
655         * assembler/testmasm.cpp:
656         (JSC::emitFunctionPrologue):
657         (JSC::emitFunctionEpilogue):
658         (JSC::testSimple):
659         (JSC::testGetEffectiveAddress):
660         (JSC::testBranchTruncateDoubleToInt32):
661         (JSC::testBranchTestBit32RegReg):
662         (JSC::testBranchTestBit32RegImm):
663         (JSC::testBranchTestBit32AddrImm):
664         (JSC::testBranchTestBit64RegReg):
665         (JSC::testBranchTestBit64RegImm):
666         (JSC::testBranchTestBit64AddrImm):
667         (JSC::testCompareDouble):
668         (JSC::testMul32WithImmediates):
669         (JSC::testMul32SignExtend):
670         (JSC::testCompareFloat):
671         (JSC::testProbeReadsArgumentRegisters):
672         (JSC::testProbeWritesArgumentRegisters):
673         (JSC::testProbePreservesGPRS):
674         (JSC::testProbeModifiesStackPointer):
675         (JSC::testProbeModifiesProgramCounter):
676         (JSC::testProbeModifiesStackValues):
677         (JSC::testByteSwap):
678         (JSC::testMoveDoubleConditionally32):
679         (JSC::testMoveDoubleConditionally64):
680         (JSC::testCagePreservesPACFailureBit):
681
682 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
683
684         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
685         https://bugs.webkit.org/show_bug.cgi?id=201366
686
687         Reviewed by Saam Barati.
688
689         It is possible for the log buffer to be full right as someone is trying to
690         log a function prologue. In such a case the machine stack has already been
691         updated to include the new JavaScript call frame, but the prologue packet
692         cannot be included in the update because the log is full. This would mean
693         that the update fails to rationalize the machine stack with the shadow
694         log / stack. Namely, the current JavaScript call frame is unable to
695         find a matching prologue (the one we are holding to include after the update)
696         and inserts a questionable value into the stack; and in the process
697         missing and removing real potential tail calls.
698
699         For example:
700         
701             "use strict";
702             function third() { return 1; }
703             function second() { return third(); }
704             function first() { return second(); }
705             function start() { return first(); }
706
707         If the the log fills up just as we are entering `b` then we may have a list
708         full log of packets looking like:
709
710           Shadow Log:
711             ...
712             { prologue-packet: entering `start` ... }
713             { prologue-packet: entering `first` ... }
714             { tail-packet: leaving `first` with a tail call }
715
716           Incoming Packet:
717             { prologue-packet: entering `second` ... }
718
719           Current JS Stack:
720             second
721             start
722
723         Since the Current JavaScript stack already has `second`, if we process the
724         log without the prologue for `second` then we push a confused entry on the
725         shadow stack and clear the log such that we eventually lose the tail-call
726         information for `first` to `second`.
727
728         This patch solves this issue by providing enough extra space in the log
729         to always process the incoming packet when that forces an update. This way
730         clients can continue to behave exactly as they are.
731
732         --
733
734         We also document a corner case in some circumstances where the shadow
735         log may currently be insufficient to know how to reconcile:
736         
737         For example:
738
739             "use strict";
740             function third() { return 1; }
741             function second() { return third(); }
742             function first() { return second(); }
743             function doNothingTail() { return Math.random() }
744             function start() {
745                 for (i=0;i<1000;++i) doNothingTail();
746                 return first();
747             }
748
749         In this case the ShadowChicken log may be processed multiple times due
750         to the many calls to `doNothingTail` / `Math.random()`. When calling the
751         Native function no prologue packet is emitted, so it is unclear that we
752         temporarly go deeper and come back out on the stack, so the log appears
753         to have lots of doNothingTail calls reusing the same frame:
754
755           Shadow Log:
756             ...
757             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
758             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
759             , [125] tail-packet:{frame = 0x7ffeef8971f0}
760             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
761             , [127] tail-packet:{frame = 0x7ffeef8971f0}
762             ...
763             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
764             , [141] tail-packet:{frame = 0x7ffeef8971f0}
765             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
766             , [143] tail-packet:{frame = 0x7ffeef8971f0}
767             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
768             , [145] tail-packet:{frame = 0x7ffeef8971f0}
769             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
770             ...
771
772         This log would seem to be indistinguishable from real tail recursion, such as:
773
774             "use strict";
775             function third() { return 1; }
776             function second() { return third(); }
777             function first() { return second(); }
778             function doNothingTail(n) {
779                 return n ? doNothingTail(n-1) : first();
780             }
781             function start() {
782                 return doNothingTail(1000);
783             }
784
785         Likewise there are more cases where the shadow log appears to be ambiguous with determining
786         the appropriate parent call frame with intermediate function calls. In practice this may
787         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
788         It seems likely we would only show additional frames that did in fact happen serially
789         between JavaScript call frames, but may not actually be the proper parent frames
790         heirachy in the stack.
791
792         * interpreter/ShadowChicken.cpp:
793         (JSC::ShadowChicken::Packet::dump const):
794         (JSC::ShadowChicken::Frame::dump const):
795         (JSC::ShadowChicken::dump const):
796         Improved debugging output. Especially for functions.
797
798         (JSC::ShadowChicken::ShadowChicken):
799         Make space in the log for 1 additional packet to process when we slow log.
800
801         (JSC::ShadowChicken::log):
802         Include this packet in our update.
803
804         (JSC::ShadowChicken::update):
805         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
806
807 2019-09-05  Mark Lam  <mark.lam@apple.com>
808
809         Refactor the Gigacage code to require less pointer casting.
810         https://bugs.webkit.org/show_bug.cgi?id=201521
811
812         Reviewed by Saam Barati.
813
814         Change LLInt's loadCagedJSValue() to skip the caging if Gigacage is not enabled
815         in the build.  This allows us to remove the unneeded stubs in WTF Gigacage.h.
816
817         * jit/AssemblyHelpers.h:
818         (JSC::AssemblyHelpers::cageConditionally):
819         * llint/LowLevelInterpreter.asm:
820         * llint/LowLevelInterpreter64.asm:
821         * runtime/VM.h:
822         (JSC::VM::gigacageAuxiliarySpace):
823
824 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
825
826         Unreviewed, follow-up after r249530 and r249509
827         https://bugs.webkit.org/show_bug.cgi?id=201495
828
829         Rename FTLOutput::weakPointer to alreadyRegisteredWeakPointer and alreadyRegisteredFrozenPointer.
830
831         * builtins/PromiseConstructor.js:
832         (nakedConstructor.Promise.resolve):
833         (nakedConstructor.Promise.reject):
834         (nakedConstructor.Promise):
835         (nakedConstructor.InternalPromise.resolve):
836         (nakedConstructor.InternalPromise.reject):
837         (nakedConstructor.InternalPromise):
838         * ftl/FTLLowerDFGToB3.cpp:
839         (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
840         (JSC::FTL::DFG::LowerDFGToB3::frozenPointer):
841         (JSC::FTL::DFG::LowerDFGToB3::weakStructure):
842         * ftl/FTLOutput.h:
843         (JSC::FTL::Output::alreadyRegisteredWeakPointer):
844         (JSC::FTL::Output::alreadyRegisteredFrozenPointer):
845         (JSC::FTL::Output::weakPointer): Deleted.
846
847 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
848
849         [JSC] Generalize Get/PutPromiseInternalField for InternalFieldObjectImpl
850         https://bugs.webkit.org/show_bug.cgi?id=201513
851
852         Reviewed by Ross Kirsling.
853
854         This patch extracts JSPromise's internal fields mechanism as JSInternalFieldsObjectImpl, and make it reusable for the other objects.
855         It is preparation for using this internal fields mechanism for generators, async functions, async generators, array iterators and so on.
856
857         The profiler is telling many recompilation of Generator's resume function (including async generator's one). We are using properties
858         with private-symbols as a storage for internal state of generators. However, the spec defines that each generator from different generator-functions
859         has different [[Prototype]]. While we need to share one Generator.prototype.next function, generators tend to have different Structures due to
860         different [[Prototype]] and accessing internal fields with `get_by_id_direct` sadly becomes super megamorphic while it is not necessary.
861         And every time new Structure for new generator pops up, DFG/FTL code for generator resume function gets OSR exit or eventually this function gets
862         emits super generic code unfortunately. By using internal fields for storing these state, we can avoid this performance problem.
863
864         Bytecodes and corresponding DFG nodes are just renamed. JSPromise is now inheriting JSInternalFieldsObjectImpl, which can holds specified
865         number of internal fields. And op_get_internal_field / op_put_internal_field can access these internal fields.
866
867         * CMakeLists.txt:
868         * JavaScriptCore.xcodeproj/project.pbxproj:
869         * bytecode/BytecodeList.rb:
870         * bytecode/BytecodeUseDef.h:
871         (JSC::computeUsesForBytecodeOffset):
872         (JSC::computeDefsForBytecodeOffset):
873         * bytecode/CodeBlock.cpp:
874         (JSC::CodeBlock::finishCreation):
875         * bytecode/Opcode.h:
876         * bytecompiler/BytecodeGenerator.cpp:
877         (JSC::BytecodeGenerator::emitGetInternalField):
878         (JSC::BytecodeGenerator::emitPutInternalField):
879         (JSC::BytecodeGenerator::emitGetPromiseInternalField): Deleted.
880         (JSC::BytecodeGenerator::emitPutPromiseInternalField): Deleted.
881         * bytecompiler/BytecodeGenerator.h:
882         * bytecompiler/NodesCodegen.cpp:
883         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
884         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
885         * dfg/DFGAbstractInterpreterInlines.h:
886         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
887         * dfg/DFGByteCodeParser.cpp:
888         (JSC::DFG::ByteCodeParser::parseBlock):
889         * dfg/DFGCapabilities.cpp:
890         (JSC::DFG::capabilityLevel):
891         * dfg/DFGClobberize.h:
892         (JSC::DFG::clobberize):
893         * dfg/DFGDoesGC.cpp:
894         (JSC::DFG::doesGC):
895         * dfg/DFGFixupPhase.cpp:
896         (JSC::DFG::FixupPhase::fixupNode):
897         * dfg/DFGMayExit.cpp:
898         * dfg/DFGNode.h:
899         (JSC::DFG::Node::hasInternalFieldIndex):
900         (JSC::DFG::Node::hasHeapPrediction):
901         * dfg/DFGNodeType.h:
902         * dfg/DFGPredictionPropagationPhase.cpp:
903         * dfg/DFGSafeToExecute.h:
904         (JSC::DFG::safeToExecute):
905         * dfg/DFGSpeculativeJIT.cpp:
906         (JSC::DFG::SpeculativeJIT::compileGetInternalField):
907         (JSC::DFG::SpeculativeJIT::compilePutInternalField):
908         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
909         (JSC::DFG::SpeculativeJIT::compileNewPromise):
910         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField): Deleted.
911         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField): Deleted.
912         * dfg/DFGSpeculativeJIT.h:
913         * dfg/DFGSpeculativeJIT32_64.cpp:
914         (JSC::DFG::SpeculativeJIT::compile):
915         * dfg/DFGSpeculativeJIT64.cpp:
916         (JSC::DFG::SpeculativeJIT::compile):
917         * dfg/DFGStoreBarrierInsertionPhase.cpp:
918         * ftl/FTLAbstractHeapRepository.h:
919         * ftl/FTLCapabilities.cpp:
920         (JSC::FTL::canCompile):
921         * ftl/FTLLowerDFGToB3.cpp:
922         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
923         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
924         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
925         (JSC::FTL::DFG::LowerDFGToB3::compileGetInternalField):
926         (JSC::FTL::DFG::LowerDFGToB3::compilePutInternalField):
927         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField): Deleted.
928         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField): Deleted.
929         * jit/JIT.cpp:
930         (JSC::JIT::privateCompileMainPass):
931         * jit/JIT.h:
932         * jit/JITPropertyAccess.cpp:
933         (JSC::JIT::emit_op_get_internal_field):
934         (JSC::JIT::emit_op_put_internal_field):
935         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
936         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
937         * jit/JITPropertyAccess32_64.cpp:
938         (JSC::JIT::emit_op_get_internal_field):
939         (JSC::JIT::emit_op_put_internal_field):
940         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
941         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
942         * llint/LLIntOffsetsExtractor.cpp:
943         * llint/LowLevelInterpreter.asm:
944         * llint/LowLevelInterpreter32_64.asm:
945         * llint/LowLevelInterpreter64.asm:
946         * runtime/JSInternalFieldObjectImpl.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
947         (JSC::JSInternalFieldObjectImpl::allocationSize):
948         (JSC::JSInternalFieldObjectImpl::internalField const):
949         (JSC::JSInternalFieldObjectImpl::internalField):
950         (JSC::JSInternalFieldObjectImpl::offsetOfInternalFields):
951         (JSC::JSInternalFieldObjectImpl::offsetOfInternalField):
952         (JSC::JSInternalFieldObjectImpl::JSInternalFieldObjectImpl):
953         * runtime/JSInternalFieldObjectImplInlines.h: Added.
954         (JSC::JSInternalFieldObjectImpl<passedNumberOfInternalFields>::visitChildren):
955         * runtime/JSPromise.cpp:
956         (JSC::JSPromise::finishCreation):
957         (JSC::JSPromise::visitChildren):
958         (JSC::JSPromise::status const):
959         (JSC::JSPromise::result const):
960         (JSC::JSPromise::isHandled const):
961         * runtime/JSPromise.h:
962         (JSC::JSPromise::allocationSize): Deleted.
963         (JSC::JSPromise::offsetOfInternalFields): Deleted.
964         (JSC::JSPromise::offsetOfInternalField): Deleted.
965         (): Deleted.
966
967 2019-09-05  Commit Queue  <commit-queue@webkit.org>
968
969         Unreviewed, rolling out r247463.
970         https://bugs.webkit.org/show_bug.cgi?id=201515
971
972         JetStream2 code-load related regression (Requested by
973         yusukesuzuki on #webkit).
974
975         Reverted changeset:
976
977         "Keyword lookup can use memcmp to get around unaligned load
978         undefined behavior"
979         https://bugs.webkit.org/show_bug.cgi?id=199650
980         https://trac.webkit.org/changeset/247463
981
982 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
983
984         LazyClassStructure::setConstructor should not store the constructor to the global object
985         https://bugs.webkit.org/show_bug.cgi?id=201484
986         <rdar://problem/50400451>
987
988         Reviewed by Yusuke Suzuki.
989
990         LazyClassStructure::setConstructor sets the constructor as a property of the global object.
991         This became a problem when it started being used for WebAssembly constructors, such as Module
992         and Instance, since they are properties of the WebAssembly object, not the global object. That
993         resulted in properties of the global object replaced whenever a lazy WebAssembly constructor
994         was first accessed. e.g.
995
996         globalThis.Module = x;
997         WebAssembly.Module;
998         globalThis.Module === WebAssembly.Module;
999
1000         * runtime/LazyClassStructure.cpp:
1001         (JSC::LazyClassStructure::Initializer::setConstructor):
1002         * runtime/LazyClassStructure.h:
1003         * runtime/Lookup.h:
1004         (JSC::reifyStaticProperty):
1005
1006 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
1007
1008         [JSC] Do not use FTLOutput::weakPointer directly
1009         https://bugs.webkit.org/show_bug.cgi?id=201495
1010
1011         Reviewed by Filip Pizlo.
1012
1013         FTLOutput::weakPointer does not register the cell as a weak pointer.
1014         CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion.
1015         While the current implementation is not posing correctness issue since these cells are live so long as JSGlobalObject is live,
1016         and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function.
1017         For FrozenValue, we should use frozenPointer helper function.
1018
1019         * ftl/FTLLowerDFGToB3.cpp:
1020         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1021         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1022
1023 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1024
1025         Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression
1026         https://bugs.webkit.org/show_bug.cgi?id=201373
1027
1028         * bytecode/BytecodeList.rb:
1029         * bytecode/BytecodeUseDef.h:
1030         (JSC::computeUsesForBytecodeOffset):
1031         (JSC::computeDefsForBytecodeOffset):
1032         * bytecompiler/BytecodeGenerator.cpp:
1033         (JSC::BytecodeGenerator::BytecodeGenerator):
1034         (JSC::BytecodeGenerator::emitLoopHint):
1035         (JSC::BytecodeGenerator::emitCheckTraps):
1036         * bytecompiler/BytecodeGenerator.h:
1037         * dfg/DFGByteCodeParser.cpp:
1038         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1039         (JSC::DFG::ByteCodeParser::parseBlock):
1040         * dfg/DFGCapabilities.cpp:
1041         (JSC::DFG::capabilityLevel):
1042         * jit/JIT.cpp:
1043         (JSC::JIT::emitEnterOptimizationCheck):
1044         (JSC::JIT::privateCompileMainPass):
1045         (JSC::JIT::privateCompileSlowCases):
1046         * jit/JIT.h:
1047         * jit/JITOpcodes.cpp:
1048         (JSC::JIT::emit_op_enter):
1049         (JSC::JIT::emit_op_loop_hint):
1050         (JSC::JIT::emitSlow_op_loop_hint):
1051         (JSC::JIT::emit_op_check_traps):
1052         (JSC::JIT::emitSlow_op_check_traps):
1053         (JSC::JIT::emitSlow_op_enter): Deleted.
1054         * jit/JITOpcodes32_64.cpp:
1055         (JSC::JIT::emit_op_enter):
1056         * llint/LowLevelInterpreter.asm:
1057         * llint/LowLevelInterpreter32_64.asm:
1058         * llint/LowLevelInterpreter64.asm:
1059         * runtime/CommonSlowPaths.cpp:
1060         (JSC::SLOW_PATH_DECL):
1061         * runtime/CommonSlowPaths.h:
1062
1063 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1064
1065         Unreviewed, rebaseline builtin generator test results
1066         https://bugs.webkit.org/show_bug.cgi?id=200898
1067
1068         Rebaseline the result files.
1069
1070         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1071         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
1072         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1073         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1074         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1075         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1076         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1077         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1078         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1079         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1080         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1081         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1082         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1083
1084 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1085
1086         [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen
1087         https://bugs.webkit.org/show_bug.cgi?id=201485
1088
1089         Reviewed by Tadeu Zagallo.
1090
1091         FunctionOverrides is a per-process singleton for registering overrides information. But we are accessing
1092         it without taking a lock. If multiple threads with multiple VMs are accessing this concurrently, we have
1093         a race issue like,
1094
1095         1. While one thread is adding overrides information,
1096         2. Another thread is accessing this hash table.
1097
1098         This patch adds a lock to make sure that only one thread can access this registry.
1099
1100         * tools/FunctionOverrides.cpp:
1101         (JSC::FunctionOverrides::FunctionOverrides):
1102         (JSC::FunctionOverrides::reinstallOverrides):
1103         (JSC::FunctionOverrides::initializeOverrideFor):
1104         (JSC::FunctionOverrides::parseOverridesInFile):
1105         * tools/FunctionOverrides.h:
1106         (JSC::FunctionOverrides::clear):
1107
1108 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1109
1110         [JSC] Make Promise implementation faster
1111         https://bugs.webkit.org/show_bug.cgi?id=200898
1112
1113         Reviewed by Saam Barati.
1114
1115         This is the major change of the Promise implementation and it improves JetStream2/async-fs by 62%.
1116
1117         1. Make JSPromise C++ friendly
1118
1119             Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise.
1120             This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these
1121             fields from C++ easy. Moreover, this patch reduces # of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal
1122             fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL
1123             supports. They are similar to GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand
1124             this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1].
1125
1126             We also add JSPromiseType as JSType. And structures for JSPromise should have that. So that now `@isPromise` is efficiently implemented.
1127             This also requires adding SpecPromiseObject and PromiseObjectUse to DFG.
1128
1129             Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension
1130             is filed in [2].
1131
1132         2. Make JSPromise constructor JS friendly
1133
1134             The old JSPromise constructor was very inefficient: JSPromise constructor is InternalFunction in C++, and in it, it
1135             calls `initializePromise` JS function. And this `initializePromise` function invokes `executor` function passed by user program.
1136             If we can implement JSPromise constructor fully in JS, we can recognize `executor` and we have a chance to fully inline them.
1137             Unfortunately, we cannot inline JSPromise constructor for now since it takes 120 bytecode cost while our inlining threshold for
1138             construct is 100. We might want to investigate getting it inlined in the future[3].
1139
1140             We can avoid C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces @nakedConstructor
1141             annotation to builtin JS. And this is propagated as `ConstructorKind::Naked`. If this kind is attached, the bytecode generator
1142             do not emit `op_create_this` implicitly and the constructor does not return `this` object implicitly. The naked constructor allows
1143             us to emit bare-metal bytecode, specifically necessary to allocate non-final JSObject from JS constructor. We introduce op_create_promise,
1144             which is similar to op_create_this, but it allocates JSPromise. And by using @createPromise bytecode intrinsic, we implement
1145             JSPromise constructor fully in JS.
1146             With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4].
1147
1148         3. DFG supports for JSPromise operations
1149
1150             This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis,
1151             and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate
1152             promises. CreatePromise and NewPromise have `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG.
1153             When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism
1154             used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile
1155             can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable
1156             in DFG, we connect watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's
1157             structure is invalidated: `callee.prototype` is replaced.
1158
1159         4. Avoid creating unnecessary promises
1160
1161             Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. And some of promise creation can be avoided.
1162             For example, when resolving a value with `Promise.resolve`, if a value is promise and if it's `then` method is the builtin `then`, we can avoid creating
1163             intermediate promise. To handle these things well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They
1164             take `onFulfilled` and `onRejected` handlers and they do not need an intermediate promise for resolving. This removes internal promise allocations
1165             in major cases and makes promise / async-functions efficient. And we also expose builtin `then` function as `@then`, and insert `@isPromise(xxx) && then === @then`
1166             check to take a fast path. We introduced four types of promise reactions to avoid some of object allocations. And microtask reaction is handling these four types.
1167
1168         5. Avoid creating resolving-functions and promise capabilities
1169
1170             Resolving functions have `alreadyResolved` flag to prevent calling `resolve` and `reject` multiple times. For the first resolving function creation, this
1171             patch embeds one bit flag to JSPromise itself which indicates `alreadyResolved` in the first created resolving functions (resolving functions can be later
1172             created again for the same promise. In that case, we just create a usual resolving functions). By doing so, we avoid unnecessary resolving functions
1173             and promise capability allocations. We introduce a wrapper function `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`.
1174             The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with the calls to these functions, e.g. replacing
1175             `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`.
1176             This mechanism will be used to drop JSPromiseDeferred in a separate patch.
1177
1178         JetStream2/async-fs results.
1179             ToT:
1180                 Running async-fs:
1181                     Startup: 116.279
1182                     Worst Case: 151.515
1183                     Average: 176.630
1184                     Score: 145.996
1185                     Wall time: 0:01.149
1186
1187             Patched:
1188                 Running async-fs:
1189                     Startup: 166.667
1190                     Worst Case: 267.857
1191                     Average: 299.080
1192                     Score: 237.235
1193                     Wall time: 0:00.683
1194
1195         [1]: https://bugs.webkit.org/show_bug.cgi?id=201159
1196         [2]: https://bugs.webkit.org/show_bug.cgi?id=201160
1197         [3]: https://bugs.webkit.org/show_bug.cgi?id=201452
1198         [4]: https://bugs.webkit.org/show_bug.cgi?id=201158
1199
1200         * CMakeLists.txt:
1201         * JavaScriptCore.xcodeproj/project.pbxproj:
1202         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
1203         (ConstructAbility):
1204         (ConstructorKind):
1205         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
1206         * Scripts/wkbuiltins/builtins_generator.py:
1207         (BuiltinsGenerator.generate_embedded_code_data_for_function):
1208         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
1209         * Scripts/wkbuiltins/builtins_model.py:
1210         (BuiltinFunction.__init__):
1211         (BuiltinFunction.fromString):
1212         * Scripts/wkbuiltins/builtins_templates.py:
1213         * builtins/AsyncFromSyncIteratorPrototype.js:
1214         (next.try):
1215         (next):
1216         (return.try):
1217         (return):
1218         (throw.try):
1219         (throw):
1220         * builtins/AsyncFunctionPrototype.js:
1221         (globalPrivate.asyncFunctionResume):
1222         * builtins/AsyncGeneratorPrototype.js:
1223         (globalPrivate.asyncGeneratorQueueIsEmpty):
1224         (globalPrivate.asyncGeneratorQueueEnqueue):
1225         (globalPrivate.asyncGeneratorQueueDequeue):
1226         (globalPrivate.asyncGeneratorReject):
1227         (globalPrivate.asyncGeneratorResolve):
1228         (globalPrivate.asyncGeneratorYield):
1229         (onRejected):
1230         (globalPrivate.awaitValue):
1231         (onFulfilled):
1232         (globalPrivate.doAsyncGeneratorBodyCall):
1233         (globalPrivate.asyncGeneratorResumeNext):
1234         (globalPrivate.asyncGeneratorEnqueue):
1235         (globalPrivate.asyncGeneratorDequeue): Deleted.
1236         (const.onRejected): Deleted.
1237         (const.onFulfilled): Deleted.
1238         (globalPrivate.asyncGeneratorResumeNext.): Deleted.
1239         * builtins/BuiltinExecutableCreator.h:
1240         * builtins/BuiltinExecutables.cpp:
1241         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1242         (JSC::BuiltinExecutables::createDefaultConstructor):
1243         (JSC::BuiltinExecutables::createBuiltinExecutable):
1244         (JSC::BuiltinExecutables::createExecutable):
1245         (JSC::createBuiltinExecutable): Deleted.
1246         * builtins/BuiltinExecutables.h:
1247         * builtins/BuiltinNames.h:
1248         * builtins/BuiltinUtils.h:
1249         * builtins/ModuleLoader.js:
1250         (forceFulfillPromise):
1251         * builtins/PromiseConstructor.js:
1252         (nakedConstructor.Promise.resolve):
1253         (nakedConstructor.Promise.reject):
1254         (nakedConstructor.Promise):
1255         (nakedConstructor.InternalPromise.resolve):
1256         (nakedConstructor.InternalPromise.reject):
1257         (nakedConstructor.InternalPromise):
1258         * builtins/PromiseOperations.js:
1259         (globalPrivate.newPromiseReaction):
1260         (globalPrivate.newPromiseCapability):
1261         (globalPrivate.newHandledRejectedPromise):
1262         (globalPrivate.triggerPromiseReactions):
1263         (globalPrivate.resolvePromise):
1264         (globalPrivate.rejectPromise):
1265         (globalPrivate.fulfillPromise):
1266         (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck):
1267         (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck):
1268         (globalPrivate.createResolvingFunctions.resolve):
1269         (globalPrivate.createResolvingFunctions.reject):
1270         (globalPrivate.createResolvingFunctions):
1271         (globalPrivate.promiseReactionJobWithoutPromise):
1272         (globalPrivate.resolveWithoutPromise):
1273         (globalPrivate.rejectWithoutPromise):
1274         (globalPrivate.fulfillWithoutPromise):
1275         (resolve):
1276         (reject):
1277         (globalPrivate.createResolvingFunctionsWithoutPromise):
1278         (globalPrivate.promiseReactionJob):
1279         (globalPrivate.promiseResolveThenableJobFast):
1280         (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
1281         (globalPrivate.promiseResolveThenableJob):
1282         (globalPrivate.isPromise): Deleted.
1283         (globalPrivate.newPromiseCapability.executor): Deleted.
1284         (globalPrivate.initializePromise): Deleted.
1285         * builtins/PromisePrototype.js:
1286         (then):
1287         * bytecode/BytecodeIntrinsicRegistry.cpp:
1288         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1289         * bytecode/BytecodeIntrinsicRegistry.h:
1290         * bytecode/BytecodeList.rb:
1291         * bytecode/BytecodeUseDef.h:
1292         (JSC::computeUsesForBytecodeOffset):
1293         (JSC::computeDefsForBytecodeOffset):
1294         * bytecode/CodeBlock.cpp:
1295         (JSC::CodeBlock::finishCreation):
1296         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1297         * bytecode/Opcode.h:
1298         * bytecode/SpeculatedType.cpp:
1299         (JSC::dumpSpeculation):
1300         (JSC::speculationFromClassInfo):
1301         (JSC::speculationFromJSType):
1302         (JSC::speculationFromString):
1303         * bytecode/SpeculatedType.h:
1304         * bytecode/UnlinkedFunctionExecutable.h:
1305         * bytecompiler/BytecodeGenerator.cpp:
1306         (JSC::BytecodeGenerator::generate):
1307         (JSC::BytecodeGenerator::BytecodeGenerator):
1308         (JSC::BytecodeGenerator::emitGetPromiseInternalField):
1309         (JSC::BytecodeGenerator::emitPutPromiseInternalField):
1310         (JSC::BytecodeGenerator::emitCreatePromise):
1311         (JSC::BytecodeGenerator::emitNewPromise):
1312         (JSC::BytecodeGenerator::emitReturn):
1313         * bytecompiler/BytecodeGenerator.h:
1314         (JSC::BytecodeGenerator::promiseRegister):
1315         (JSC::BytecodeGenerator::emitIsPromise):
1316         (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted.
1317         * bytecompiler/NodesCodegen.cpp:
1318         (JSC::promiseInternalFieldIndex):
1319         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
1320         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
1321         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise):
1322         (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise):
1323         (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise):
1324         (JSC::FunctionNode::emitBytecode):
1325         * dfg/DFGAbstractHeap.h:
1326         * dfg/DFGAbstractInterpreterInlines.h:
1327         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1328         * dfg/DFGByteCodeParser.cpp:
1329         (JSC::DFG::ByteCodeParser::parseBlock):
1330         * dfg/DFGCapabilities.cpp:
1331         (JSC::DFG::capabilityLevel):
1332         * dfg/DFGClobberize.h:
1333         (JSC::DFG::clobberize):
1334         * dfg/DFGClobbersExitState.cpp:
1335         (JSC::DFG::clobbersExitState):
1336         * dfg/DFGConstantFoldingPhase.cpp:
1337         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1338         * dfg/DFGDoesGC.cpp:
1339         (JSC::DFG::doesGC):
1340         * dfg/DFGFixupPhase.cpp:
1341         (JSC::DFG::FixupPhase::fixupNode):
1342         * dfg/DFGGraph.cpp:
1343         (JSC::DFG::Graph::dump):
1344         * dfg/DFGHeapLocation.cpp:
1345         (WTF::printInternal):
1346         * dfg/DFGHeapLocation.h:
1347         * dfg/DFGMayExit.cpp:
1348         * dfg/DFGNode.h:
1349         (JSC::DFG::Node::convertToNewPromise):
1350         (JSC::DFG::Node::hasIsInternalPromise):
1351         (JSC::DFG::Node::isInternalPromise):
1352         (JSC::DFG::Node::hasInternalFieldIndex):
1353         (JSC::DFG::Node::internalFieldIndex):
1354         (JSC::DFG::Node::hasHeapPrediction):
1355         (JSC::DFG::Node::hasStructure):
1356         * dfg/DFGNodeType.h:
1357         * dfg/DFGOperations.cpp:
1358         * dfg/DFGOperations.h:
1359         * dfg/DFGPredictionPropagationPhase.cpp:
1360         * dfg/DFGPromotedHeapLocation.cpp:
1361         (WTF::printInternal):
1362         * dfg/DFGPromotedHeapLocation.h:
1363         * dfg/DFGSafeToExecute.h:
1364         (JSC::DFG::SafeToExecuteEdge::operator()):
1365         (JSC::DFG::safeToExecute):
1366         * dfg/DFGSpeculativeJIT.cpp:
1367         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1368         (JSC::DFG::SpeculativeJIT::speculatePromiseObject):
1369         (JSC::DFG::SpeculativeJIT::speculate):
1370         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField):
1371         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField):
1372         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
1373         (JSC::DFG::SpeculativeJIT::compileNewPromise):
1374         * dfg/DFGSpeculativeJIT.h:
1375         * dfg/DFGSpeculativeJIT32_64.cpp:
1376         (JSC::DFG::SpeculativeJIT::compile):
1377         * dfg/DFGSpeculativeJIT64.cpp:
1378         (JSC::DFG::SpeculativeJIT::compile):
1379         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1380         * dfg/DFGUseKind.cpp:
1381         (WTF::printInternal):
1382         * dfg/DFGUseKind.h:
1383         (JSC::DFG::typeFilterFor):
1384         (JSC::DFG::isCell):
1385         * ftl/FTLAbstractHeapRepository.h:
1386         * ftl/FTLCapabilities.cpp:
1387         (JSC::FTL::canCompile):
1388         * ftl/FTLLowerDFGToB3.cpp:
1389         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1390         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1391         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
1392         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1393         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField):
1394         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField):
1395         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1396         (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject):
1397         * jit/JIT.cpp:
1398         (JSC::JIT::privateCompileMainPass):
1399         (JSC::JIT::privateCompileSlowCases):
1400         * jit/JIT.h:
1401         * jit/JITOperations.cpp:
1402         * jit/JITOperations.h:
1403         * jit/JITPropertyAccess.cpp:
1404         (JSC::JIT::emit_op_get_promise_internal_field):
1405         (JSC::JIT::emit_op_put_promise_internal_field):
1406         * jit/JITPropertyAccess32_64.cpp:
1407         (JSC::JIT::emit_op_get_promise_internal_field):
1408         (JSC::JIT::emit_op_put_promise_internal_field):
1409         * llint/LowLevelInterpreter.asm:
1410         * llint/LowLevelInterpreter32_64.asm:
1411         * llint/LowLevelInterpreter64.asm:
1412         * parser/Parser.cpp:
1413         (JSC::Parser<LexerType>::Parser):
1414         (JSC::Parser<LexerType>::parseFunctionInfo):
1415         * parser/Parser.h:
1416         (JSC::parse):
1417         * parser/ParserModes.h:
1418         * runtime/CommonSlowPaths.cpp:
1419         (JSC::SLOW_PATH_DECL):
1420         * runtime/CommonSlowPaths.h:
1421         * runtime/ConstructAbility.h:
1422         * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h.
1423         * runtime/FunctionRareData.cpp:
1424         (JSC::FunctionRareData::FunctionRareData):
1425         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1426         (JSC::FunctionRareData::clear):
1427         * runtime/FunctionRareData.h:
1428         * runtime/InternalFunction.cpp:
1429         (JSC::InternalFunction::createSubclassStructureSlow):
1430         * runtime/InternalFunction.h:
1431         (JSC::InternalFunction::createSubclassStructure):
1432         * runtime/JSCast.h:
1433         * runtime/JSGlobalObject.cpp:
1434         (JSC::enqueueJob):
1435         (JSC::JSGlobalObject::init):
1436         (JSC::JSGlobalObject::visitChildren):
1437         * runtime/JSGlobalObject.h:
1438         (JSC::JSGlobalObject::arrayProtoValuesFunction const):
1439         (JSC::JSGlobalObject::promiseProtoThenFunction const):
1440         (JSC::JSGlobalObject::initializePromiseFunction const): Deleted.
1441         * runtime/JSInternalPromise.cpp:
1442         (JSC::JSInternalPromise::createStructure):
1443         * runtime/JSInternalPromiseConstructor.cpp:
1444         (JSC::JSInternalPromiseConstructor::create):
1445         (JSC::JSInternalPromiseConstructor::createStructure):
1446         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
1447         (JSC::constructPromise): Deleted.
1448         * runtime/JSInternalPromiseConstructor.h:
1449         * runtime/JSInternalPromisePrototype.cpp:
1450         (JSC::JSInternalPromisePrototype::create):
1451         * runtime/JSMicrotask.cpp:
1452         (JSC::createJSMicrotask):
1453         (JSC::JSMicrotask::run):
1454         * runtime/JSMicrotask.h:
1455         * runtime/JSPromise.cpp:
1456         (JSC::JSPromise::createStructure):
1457         (JSC::JSPromise::finishCreation):
1458         (JSC::JSPromise::visitChildren):
1459         (JSC::JSPromise::status const):
1460         (JSC::JSPromise::result const):
1461         (JSC::JSPromise::isHandled const):
1462         (JSC::JSPromise::initialize): Deleted.
1463         * runtime/JSPromise.h:
1464         (JSC::JSPromise::allocationSize):
1465         (JSC::JSPromise::offsetOfInternalFields):
1466         (JSC::JSPromise::offsetOfInternalField):
1467         * runtime/JSPromiseConstructor.cpp:
1468         (JSC::JSPromiseConstructor::create):
1469         (JSC::JSPromiseConstructor::createStructure):
1470         (JSC::JSPromiseConstructor::JSPromiseConstructor):
1471         (JSC::JSPromiseConstructor::finishCreation):
1472         (JSC::constructPromise): Deleted.
1473         (JSC::callPromise): Deleted.
1474         * runtime/JSPromiseConstructor.h:
1475         * runtime/JSPromisePrototype.cpp:
1476         (JSC::JSPromisePrototype::create):
1477         (JSC::JSPromisePrototype::finishCreation):
1478         (JSC::JSPromisePrototype::addOwnInternalSlots):
1479         * runtime/JSPromisePrototype.h:
1480         * runtime/JSType.cpp:
1481         (WTF::printInternal):
1482         * runtime/JSType.h:
1483
1484 2019-09-04  Joseph Pecoraro  <pecoraro@apple.com>
1485
1486         Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based)
1487         https://bugs.webkit.org/show_bug.cgi?id=201262
1488         <rdar://problem/13108764>
1489
1490         Reviewed by Devin Rousso.
1491
1492         When interception is enabled, Network requests that match any of the configured
1493         interception patterns will be paused on the backend and allowed to be modified
1494         by the frontend.
1495
1496         Currently the only time a network request can be intercepted is during the
1497         HTTP response. However, this intercepting interface is mean to extend to
1498         HTTP requests as well.
1499
1500         When a response is to be intercepted a new event is sent to the frontend:
1501
1502           `Network.responseIntercepted` event
1503
1504         With a `requestId` to identify that network request. The frontend
1505         must respond with one of the following commands to continue:
1506
1507           `Network.interceptContinue`     - proceed with the response unmodified
1508           `Network.interceptWithResponse` - provide a response
1509
1510         The response is paused in the meantime.
1511
1512         * inspector/protocol/Network.json:
1513         New interfaces for intercepting network responses and suppling override content.
1514
1515         * Scripts/generate-combined-inspector-json.py:
1516         * inspector/scripts/generate-inspector-protocol-bindings.py:
1517         (generate_from_specification.load_specification):
1518         Complete allowing comments in JSON protocol files.
1519
1520         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1521         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
1522         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1523         Allow optional enums in ObjC interfaces.
1524
1525 2019-09-03  Mark Lam  <mark.lam@apple.com>
1526
1527         Structure::storedPrototype() and storedPrototypeObject() should assert with isCompilationThread(), not !isMainThread().
1528         https://bugs.webkit.org/show_bug.cgi?id=201449
1529
1530         Reviewed by Yusuke Suzuki.
1531
1532         Using !isMainThread() in the assertion also disables the assertion for the mutator
1533         of worker threads.  This is not what we intended.
1534
1535         * runtime/StructureInlines.h:
1536         (JSC::Structure::storedPrototype const):
1537         (JSC::Structure::storedPrototypeObject const):
1538
1539 2019-09-04  Mark Lam  <mark.lam@apple.com>
1540
1541         Disambiguate a symbol used in JSDollarVM.
1542         https://bugs.webkit.org/show_bug.cgi?id=201466
1543         <rdar://problem/51826672>
1544
1545         Reviewed by Tadeu Zagallo.
1546
1547         This was causing a build issue on some internal build.
1548
1549         * tools/JSDollarVM.cpp:
1550
1551 2019-09-03  Mark Lam  <mark.lam@apple.com>
1552
1553         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
1554         https://bugs.webkit.org/show_bug.cgi?id=201309
1555         <rdar://problem/54832121>
1556
1557         Reviewed by Yusuke Suzuki.
1558
1559         * dfg/DFGAbstractInterpreterInlines.h:
1560         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1561         * runtime/JSArrayBufferView.h:
1562         * runtime/JSArrayBufferViewInlines.h:
1563         (JSC::JSArrayBufferView::possiblySharedBufferImpl):
1564         (JSC::JSArrayBufferView::possiblySharedBuffer):
1565         (JSC::JSArrayBufferView::byteOffsetImpl):
1566         (JSC::JSArrayBufferView::byteOffset):
1567         (JSC::JSArrayBufferView::byteOffsetConcurrently):
1568
1569 2019-09-03  Devin Rousso  <drousso@apple.com>
1570
1571         Web Inspector: implement blackboxing of script resources
1572         https://bugs.webkit.org/show_bug.cgi?id=17240
1573         <rdar://problem/5732847>
1574
1575         Reviewed by Joseph Pecoraro.
1576
1577         When a script is blackboxed and the debugger attempts to pause in that script, the pause
1578         reason/data will be saved and execution will continue until it has left the blackboxed
1579         script. Once outside, execution is paused with the saved reason/data.
1580
1581         This is especially useful when debugging issues using libraries/frameworks, as it allows the
1582         developer to "skip" the internal logic of the library/framework and instead focus only on
1583         how they're using it.
1584
1585         * inspector/protocol/Debugger.json:
1586         Add `setShouldBlackboxURL` command.
1587
1588         * inspector/agents/InspectorDebuggerAgent.h:
1589         * inspector/agents/InspectorDebuggerAgent.cpp:
1590         (Inspector::InspectorDebuggerAgent):
1591         (Inspector::InspectorDebuggerAgent::enable):
1592         (Inspector::InspectorDebuggerAgent::updatePauseReasonAndData): Added.
1593         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1594         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
1595         (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): Added.
1596         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
1597         (Inspector::InspectorDebuggerAgent::didParseSource):
1598         (Inspector::InspectorDebuggerAgent::didPause):
1599         (Inspector::InspectorDebuggerAgent::didContinue):
1600         (Inspector::InspectorDebuggerAgent::breakProgram):
1601         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
1602         (Inspector::InspectorDebuggerAgent::clearPauseDetails): Added.
1603         (Inspector::InspectorDebuggerAgent::clearBreakDetails): Deleted.
1604         Renamed "break" to "pause" to match `Debugger` naming.
1605
1606         * debugger/Debugger.h:
1607         * debugger/Debugger.cpp:
1608         (JSC::Debugger::pauseIfNeeded):
1609         (JSC::Debugger::setBlackboxType): Added.
1610         (JSC::Debugger::clearBlackbox): Added.
1611         (JSC::Debugger::isBlacklisted const): Deleted.
1612         (JSC::Debugger::addToBlacklist): Deleted.
1613         (JSC::Debugger::clearBlacklist): Deleted.
1614
1615 2019-09-03  Mark Lam  <mark.lam@apple.com>
1616
1617         Remove the need to pass performJITMemcpy as a pointer.
1618         https://bugs.webkit.org/show_bug.cgi?id=201413
1619
1620         Reviewed by Michael Saboff.
1621
1622         We want performJITMemcpy to always be inlined.  In this patch, we also clean up
1623         some template parameters to use enums instead of booleans to better document the
1624         intent of the code.
1625
1626         * assembler/ARM64Assembler.h:
1627         (JSC::ARM64Assembler::fillNops):
1628         (JSC::ARM64Assembler::linkJump):
1629         (JSC::ARM64Assembler::linkCall):
1630         (JSC::ARM64Assembler::relinkJump):
1631         (JSC::ARM64Assembler::relinkCall):
1632         (JSC::ARM64Assembler::link):
1633         (JSC::ARM64Assembler::linkJumpOrCall):
1634         (JSC::ARM64Assembler::linkCompareAndBranch):
1635         (JSC::ARM64Assembler::linkConditionalBranch):
1636         (JSC::ARM64Assembler::linkTestAndBranch):
1637         (JSC::ARM64Assembler::relinkJumpOrCall):
1638         (JSC::ARM64Assembler::CopyFunction::CopyFunction): Deleted.
1639         (JSC::ARM64Assembler::CopyFunction::operator()): Deleted.
1640         * assembler/ARMv7Assembler.h:
1641         (JSC::ARMv7Assembler::fillNops):
1642         (JSC::ARMv7Assembler::link):
1643         (JSC::ARMv7Assembler::linkJumpT1):
1644         (JSC::ARMv7Assembler::linkJumpT2):
1645         (JSC::ARMv7Assembler::linkJumpT3):
1646         (JSC::ARMv7Assembler::linkJumpT4):
1647         (JSC::ARMv7Assembler::linkConditionalJumpT4):
1648         (JSC::ARMv7Assembler::linkBX):
1649         (JSC::ARMv7Assembler::linkConditionalBX):
1650         * assembler/AbstractMacroAssembler.h:
1651         (JSC::AbstractMacroAssembler::emitNops):
1652         * assembler/LinkBuffer.cpp:
1653         (JSC::LinkBuffer::copyCompactAndLinkCode):
1654         * assembler/MIPSAssembler.h:
1655         (JSC::MIPSAssembler::fillNops):
1656         * assembler/MacroAssemblerARM64.h:
1657         (JSC::MacroAssemblerARM64::link):
1658         * assembler/MacroAssemblerARMv7.h:
1659         (JSC::MacroAssemblerARMv7::link):
1660         * assembler/X86Assembler.h:
1661         (JSC::X86Assembler::fillNops):
1662         * jit/ExecutableAllocator.h:
1663         (JSC::performJITMemcpy):
1664         * runtime/JSCPtrTag.h:
1665
1666 2019-09-03  Devin Rousso  <drousso@apple.com>
1667
1668         REGRESSION (r249078): Flaky crash in com.apple.JavaScriptCore: Inspector::InjectedScriptModule::ensureInjected
1669         https://bugs.webkit.org/show_bug.cgi?id=201201
1670         <rdar://problem/54771560>
1671
1672         Reviewed by Joseph Pecoraro.
1673
1674         * inspector/InjectedScriptSource.js:
1675         (let.InjectedScript.prototype.injectModule):
1676         (let.InjectedScript.prototype._evaluateOn):
1677         (CommandLineAPI):
1678         (let.InjectedScript.prototype.setInspectObject): Deleted.
1679         (let.InjectedScript.prototype.addCommandLineAPIGetter): Deleted.
1680         (let.InjectedScript.prototype.addCommandLineAPIMethod.func.toString): Deleted.
1681         (let.InjectedScript.prototype.addCommandLineAPIMethod): Deleted.
1682         (InjectedScript.CommandLineAPI): Deleted.
1683         Allow injected script "extensions" (e.g. CommandLineAPIModuleSource.js) to modify objects
1684         directly, instead of having them call functions.
1685
1686         * inspector/InjectedScriptModule.cpp:
1687         (Inspector::InjectedScriptModule::ensureInjected):
1688         Make sure to reset `hadException` to `false` before making another call.
1689
1690 2019-09-03  Yusuke Suzuki  <ysuzuki@apple.com>
1691
1692         [JSC] Remove BytecodeGenerator::emitPopScope
1693         https://bugs.webkit.org/show_bug.cgi?id=201395
1694
1695         Reviewed by Saam Barati.
1696
1697         Use emitGetParentScope. And this patch also removes several unnecessary mov bytecode emissions.
1698
1699         * bytecompiler/BytecodeGenerator.cpp:
1700         (JSC::BytecodeGenerator::popLexicalScopeInternal):
1701         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1702         (JSC::BytecodeGenerator::emitPopWithScope):
1703         (JSC::BytecodeGenerator::emitPopScope): Deleted.
1704         * bytecompiler/BytecodeGenerator.h:
1705
1706 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
1707
1708         [JSC] Merge op_check_traps into op_enter and op_loop_hint
1709         https://bugs.webkit.org/show_bug.cgi?id=201373
1710
1711         Reviewed by Mark Lam.
1712
1713         This patch removes op_check_traps. Previously we were conditionally emitting op_check_traps based on Options and Platform configurations.
1714         But now we are always emitting op_check_traps. So it is not necessary to have separate bytecode as op_check_traps. We can do checking in
1715         op_enter and op_loop_hint.
1716
1717         While this patch moves check_traps implementation to op_enter and op_loop_hint, we keep separate DFG nodes (CheckTraps or InvalidationPoint),
1718         since inserted nodes are different based on configurations and options. And emitting multiple DFG nodes from one bytecode is easy.
1719
1720         We also inline op_enter's slow path's write-barrier emission in LLInt.
1721
1722         * bytecode/BytecodeList.rb:
1723         * bytecode/BytecodeUseDef.h:
1724         (JSC::computeUsesForBytecodeOffset):
1725         (JSC::computeDefsForBytecodeOffset):
1726         * bytecompiler/BytecodeGenerator.cpp:
1727         (JSC::BytecodeGenerator::BytecodeGenerator):
1728         (JSC::BytecodeGenerator::emitLoopHint):
1729         (JSC::BytecodeGenerator::emitCheckTraps): Deleted.
1730         * bytecompiler/BytecodeGenerator.h:
1731         * dfg/DFGByteCodeParser.cpp:
1732         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1733         (JSC::DFG::ByteCodeParser::parseBlock):
1734         * dfg/DFGCapabilities.cpp:
1735         (JSC::DFG::capabilityLevel):
1736         * jit/JIT.cpp:
1737         (JSC::JIT::privateCompileMainPass):
1738         (JSC::JIT::privateCompileSlowCases):
1739         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
1740         * jit/JIT.h:
1741         * jit/JITOpcodes.cpp:
1742         (JSC::JIT::emit_op_loop_hint):
1743         (JSC::JIT::emitSlow_op_loop_hint):
1744         (JSC::JIT::emit_op_enter):
1745         (JSC::JIT::emitSlow_op_enter):
1746         (JSC::JIT::emit_op_check_traps): Deleted.
1747         (JSC::JIT::emitSlow_op_check_traps): Deleted.
1748         * jit/JITOpcodes32_64.cpp:
1749         (JSC::JIT::emit_op_enter): Deleted.
1750         * llint/LowLevelInterpreter.asm:
1751         * llint/LowLevelInterpreter32_64.asm:
1752         * llint/LowLevelInterpreter64.asm:
1753         * runtime/CommonSlowPaths.cpp:
1754         * runtime/CommonSlowPaths.h:
1755
1756 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
1757
1758         [JSC] Fix testb3 debug failures
1759         https://bugs.webkit.org/show_bug.cgi?id=201382
1760
1761         Reviewed by Mark Lam.
1762
1763         Fix testb3 debug failures due to incorrect types of operations like pointer + int32.
1764
1765         * b3/testb3_8.cpp:
1766         (testByteCopyLoop):
1767         (testByteCopyLoopStartIsLoopDependent):
1768         (testByteCopyLoopBoundIsLoopDependent):
1769
1770 2019-09-01  Mark Lam  <mark.lam@apple.com>
1771
1772         Speculative build fix for ARMv7 and MIPS.
1773         https://bugs.webkit.org/show_bug.cgi?id=201389
1774
1775         Not reviewed.
1776
1777         * bytecode/CodeBlock.cpp:
1778         (JSC::CodeBlock::jettison):
1779
1780 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1781
1782         [JSC] LLInt op should not emit the same code three times
1783         https://bugs.webkit.org/show_bug.cgi?id=201370
1784
1785         Reviewed by Mark Lam.
1786
1787         LLInt op macro (not llintOp macro) is used to generate some stub code like llint_program_prologue.
1788         But now it generates the same code three times for narrow, wide16, and wide32. We should emit code only once.
1789
1790         * llint/LowLevelInterpreter.asm:
1791
1792 2019-08-30  Mark Lam  <mark.lam@apple.com>
1793
1794         Remove some obsolete statements that have no effect.
1795         https://bugs.webkit.org/show_bug.cgi?id=201357
1796
1797         Reviewed by Saam Barati.
1798
1799         This patch removes 3 statements that look like this:
1800
1801             result->butterfly(); // Ensure that the butterfly is in to-space.
1802
1803         The statement just reads a field and does nothing with it.  This is a no-op
1804         logic-wise, and the comment that accompanies it is obsolete.
1805
1806         * dfg/DFGOperations.cpp:
1807
1808 2019-08-30  Mark Lam  <mark.lam@apple.com>
1809
1810         Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
1811         https://bugs.webkit.org/show_bug.cgi?id=201345
1812
1813         Reviewed by Yusuke Suzuki.
1814
1815         This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
1816         the wrong pointer for capture the cell headerWord and zapReason.  As a result,
1817         we get junk for those 2 values.
1818
1819         Previously, we were only capturing the upper 32-bits of the cell header slot,
1820         and the lower 32-bit of the next slot in the zapped cell.  We now capture the
1821         full 64-bits of both slots.  If the second slot did not contain a zapReason as we
1822         expect, the upper 32-bits might give us a clue as to what type of value the slot
1823         contains.
1824
1825         This patch also adds capturing of the found MarkedBlock address for the zapped
1826         cell, as well as some state bit values.
1827
1828         * heap/SlotVisitor.cpp:
1829         (JSC::SlotVisitor::reportZappedCellAndCrash):
1830
1831 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1832
1833         [JSC] Generate new.target register only when it is used
1834         https://bugs.webkit.org/show_bug.cgi?id=201335
1835
1836         Reviewed by Mark Lam.
1837
1838         Since bytecode generator knows whether new.target register can be used, we should emit and use new.target register
1839         only when it is actually required.
1840
1841         * bytecompiler/BytecodeGenerator.cpp:
1842         (JSC::BytecodeGenerator::BytecodeGenerator):
1843         * bytecompiler/BytecodeGenerator.h:
1844         (JSC::BytecodeGenerator::newTarget):
1845         * parser/Nodes.h:
1846         (JSC::ScopeNode::needsNewTargetRegisterForThisScope const):
1847
1848 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1849
1850         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
1851         https://bugs.webkit.org/show_bug.cgi?id=201331
1852
1853         Reviewed by Mark Lam.
1854
1855         SimpleJumpTable's non-JIT part is not changed after CodeBlock is finalized well. On the other hand, JIT related part is allocated on-demand.
1856         For example, ctiOffsets can be grown by Baseline JIT compiler. There is race condition as follows.
1857
1858             1. DFG ByteCodeParser is inlining and copying SimpleJumpTable
1859             2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable
1860
1861         Then, (1) reads the broken Vector, and crashes. Since JIT-related part is unnecessary in (1), we should not clone that.
1862         This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which only copies non JIT-related part of the given SimpleJumpTable offered
1863         by profiled CodeBlock.
1864
1865         * bytecode/CodeBlock.h:
1866         (JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock):
1867         * bytecode/JumpTable.h:
1868         (JSC::SimpleJumpTable::cloneNonJITPart const):
1869         (JSC::SimpleJumpTable::clear):
1870         * dfg/DFGByteCodeParser.cpp:
1871         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1872
1873 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1874
1875         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
1876         https://bugs.webkit.org/show_bug.cgi?id=201332
1877
1878         Reviewed by Mark Lam.
1879
1880         When inlining setter calls in DFG, result VirtualRegister becomes invalid one. While other call-related DFG code correctly assumes
1881         that `result` may be invalid, only CheckBadCell slow path missed this case. Since this is OSR exit path and VirtualRegister result
1882         does not exist, set BottomValue only when "result" is valid as the other DFG code is doing.
1883
1884         * dfg/DFGByteCodeParser.cpp:
1885         (JSC::DFG::ByteCodeParser::handleInlining):
1886
1887 2019-08-29  Devin Rousso  <drousso@apple.com>
1888
1889         Web Inspector: Debugger: async event listener stack traces should be available in Workers
1890         https://bugs.webkit.org/show_bug.cgi?id=200903
1891
1892         Reviewed by Joseph Pecoraro.
1893
1894         * inspector/agents/InspectorDebuggerAgent.h:
1895         (Inspector::InspectorDebuggerAgent::enabled): Added.
1896         * inspector/agents/InspectorDebuggerAgent.cpp:
1897         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
1898         (Inspector::InspectorDebuggerAgent::enable):
1899         (Inspector::InspectorDebuggerAgent::disable):
1900         Allow subclasses to extend what it means for the `InspectorDebuggerAgent` to be `enabled`.
1901
1902 2019-08-29  Keith Rollin  <krollin@apple.com>
1903
1904         Update .xcconfig symbols to reflect the current set of past and future product versions.
1905         https://bugs.webkit.org/show_bug.cgi?id=200720
1906         <rdar://problem/54305032>
1907
1908         Reviewed by Alex Christensen.
1909
1910         Remove version symbols related to old OS's we no longer support,
1911         ensure that version symbols are defined for OS's we do support.
1912
1913         * Configurations/Base.xcconfig:
1914         * Configurations/DebugRelease.xcconfig:
1915         * Configurations/Version.xcconfig:
1916
1917 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
1918
1919         [JSC] Repatch should construct CallCases and CasesValue at the same time
1920         https://bugs.webkit.org/show_bug.cgi?id=201325
1921
1922         Reviewed by Saam Barati.
1923
1924         In linkPolymorphicCall, we should create callCases and casesValue at the same time to assert `callCases.size() == casesValue.size()`.
1925         If the call variant is isClosureCall and InternalFunction, we skip adding it to casesValue. So we should not add this variant to callCases too.
1926
1927         * jit/Repatch.cpp:
1928         (JSC::linkPolymorphicCall):
1929
1930 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
1931
1932         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
1933         https://bugs.webkit.org/show_bug.cgi?id=198650
1934
1935         Reviewed by Saam Barati.
1936
1937         Object Allocation Sinking phase has a lightweight abstract interpreter which interprets DFG nodes related to allocations and properties.
1938         This interpreter is lightweight since it does not track abstract values and conditions as deeply as AI does. It can happen that this
1939         interpreter interpret the control-flow edge that AI proved that is never taken.
1940         AI already knows some control-flow edges are never taken, and based on this information, AI can remove CheckStructure nodes. But
1941         ObjectAllocationSinking phase can trace this never-taken edges and propagate structure information that contradicts to the analysis
1942         done in ObjectAllocationSinking.
1943
1944         Let's see the example.
1945
1946             BB#0
1947                 35: NewObject([%AM:Object])
1948                 ...
1949                 47: Branch(ConstantTrue, T:#1, F:#2)
1950
1951             BB#1 // This basic block is never taken due to @47's jump.
1952                 ...
1953                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
1954                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
1955                 ...
1956                 XX: Jump(#2)
1957
1958             BB#2
1959                 ...
1960                 92: CheckStructure(@35, [%Dx:Object])
1961                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
1962                 ...
1963
1964         AI removes @92 because AI knows BB#0 only takes BB#1 branch. @35's Structure is always %Dx so @92 is redundant.
1965         AI proved that @71 and @72 are always executed while BB#0 -> BB#2 edge is never taken so that @35 object's structure is proven at @92.
1966         After AI removes @92, ObjectAllocationSinking starts looking into this graph.
1967
1968             BB#0
1969                 35: NewObject([%AM:Object])
1970                 ...
1971                 47: Branch(ConstantTrue, T:#1, F:#2)
1972
1973             BB#1 // This basic block is never taken due to @47's jump.
1974                 ...
1975                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
1976                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
1977                 ...
1978                 XX: Jump(#2)
1979
1980             BB#2
1981                 ...
1982                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
1983                 ...
1984                 YY: Jump(#3)
1985
1986             BB#3
1987                 ...
1988                 ZZ: <HERE> want to materialize @35's sunk object.
1989
1990         Since AI does not change the @47 Branch to Jump (it is OK anyway), BB#0 -> BB#2 edge remains and ObjectAllocationSinking phase propagates information in
1991         BB#0's %AM structure information to BB#2. ObjectAllocationSinking phase converts @35 to PhantomNewObject, removes PutByOffset and PutStructure, and
1992         insert MaterializeNewObject in @ZZ. At this point, ObjectAllocationSinking lightweight interpreter gets two structures while AI gets one: @35's original
1993         one (%AM) and @72's replaced one (%Dx). Since AI already proved @ZZ only gets %Dx, AI removed @92 CheckStructure. But this is not known to ObjectAllocationSinking
1994         phase's interpretation. So when creating recovery data, MultiPutByOffset includes two structures, %AM and %Dx. This is OK since MultiPutByOffset takes
1995         conservative set of structures and performs switching. But the problem here is that %AM's id2{a} offset is -1 since %AM does not have such a property.
1996         So when creating MultiPutByOffset in ObjectAllocationSinking, we accidentally create MultiPutByOffset with -1 offset data, and lowering phase hits the debug
1997         assertion.
1998
1999             187: MultiPutByOffset(@138, @138, id2{a}, <Replace: [%AM:Object], offset = -1, >, <Replace: [%Dx:Object], offset = 0, >)
2000
2001         This bug is harmless since %AM structure comparison never meets at runtime. But we are not considering the case including `-1` offset property in MultiPutByOffset data.
2002         In this patch, we just filter out apparently wrong structures when creating MultiPutByOffset in ObjectAllocationSinking. This is OK since it never comes at runtime.
2003
2004         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2005
2006 2019-08-29  Devin Rousso  <drousso@apple.com>
2007
2008         Web Inspector: DOMDebugger: support event breakpoints in Worker contexts
2009         https://bugs.webkit.org/show_bug.cgi?id=200651
2010
2011         Reviewed by Joseph Pecoraro.
2012
2013         * inspector/protocol/DOMDebugger.json:
2014         Make the domain available in "worker" contexts as well.
2015
2016 2019-08-29  Keith Rollin  <krollin@apple.com>
2017
2018         Remove 32-bit macOS support
2019         https://bugs.webkit.org/show_bug.cgi?id=201282
2020         <rdar://problem/54821667>
2021
2022         Reviewed by Anders Carlsson.
2023
2024         WebKit doesn’t support 32-bit Mac any more, so remove checks and code
2025         for that platform.
2026
2027         * API/JSBase.h:
2028         * runtime/VM.h:
2029
2030 2019-08-29  Keith Rollin  <krollin@apple.com>
2031
2032         Remove support for macOS < 10.13 (part 3)
2033         https://bugs.webkit.org/show_bug.cgi?id=201224
2034         <rdar://problem/54795934>
2035
2036         Reviewed by Darin Adler.
2037
2038         Remove symbols in WebKitTargetConditionals.xcconfig related to macOS
2039         10.13, including WK_MACOS_1013 and WK_MACOS_BEFORE_1013, and suffixes
2040         like _MACOS_SINCE_1013.
2041
2042         * Configurations/WebKitTargetConditionals.xcconfig:
2043
2044 2019-08-29  Mark Lam  <mark.lam@apple.com>
2045
2046         Remove a bad assertion in ByteCodeParser::inlineCall().
2047         https://bugs.webkit.org/show_bug.cgi?id=201292
2048         <rdar://problem/54121659>
2049
2050         Reviewed by Michael Saboff.
2051
2052         In the DFG bytecode parser, we've already computed the inlining cost of a candidate
2053         inlining target, and determine that it is worth inlining before invoking
2054         ByteCodeParser::inlineCall().  However, in ByteCodeParser::inlineCall(), it
2055         recomputes the inlining cost again only for the purpose of asserting that it isn't
2056         too high.
2057
2058         Not consider a badly written test that does the following:
2059
2060             function bar() {
2061                 ...
2062                 foo(); // Call in a hot loop here.
2063                 ...
2064             }
2065
2066             bar(); // <===== foo is inlineable into bar here.
2067             noInline(foo); // <===== Change mind, and make foo not inlineable.
2068             bar();
2069
2070         With this bad test, the following racy scenario can occur:
2071
2072         1. the first invocation of bar() gets hot, and a concurrent compile is kicked off.
2073         2. the compiler thread computes foo()'s inliningCost() and determines that it is
2074            worthy to be inlined, and will imminently call inlineCall().
2075         3. the mutator calls the noInline() test utility on foo(), thereby making it NOT
2076            inlineable.
2077         4. the compiler thread calls inlineCall().  In inlineCall(), it re-computes the
2078            inliningCost for foo() and now finds that it is not inlineable.  An assertion
2079            failure follows.
2080
2081         Technically, the test is in error because noInline() shouldn't be used that way.
2082         However, fuzzers that are not clued into noInline()'s proper usage may generate
2083         code like this.
2084
2085         On the other hand, ByteCodeParser::inlineCall() should not be recomputing that the
2086         inlining cost and asserting on it.  The only reason inlineCall() is invoked is
2087         because it was already previously determined that a target function is inlineable
2088         based on its inlining cost.  Today, in practice, I don't think we have any real
2089         world condition where the mutator can affect the inlining cost of a target
2090         function midway through execution.  So, this assertion isn't a problem if no one
2091         writes a test that abuses noInline().  However, should things change such that the
2092         mutator is able to affect the inlining cost of a target function, then it is
2093         incorrect for the compiler to assume that the inlining cost is immutable.  Once
2094         the compiler decides to inline a function, it should just follow through.
2095
2096         This patch removes this assertion in ByteCodeParser::inlineCall().  It is an
2097         annoyance at best (for fuzzers), and at worst, incorrect if the mutator gains the
2098         ability to affect the inlining cost of a target function.
2099
2100         * dfg/DFGByteCodeParser.cpp:
2101         (JSC::DFG::ByteCodeParser::inlineCall):
2102
2103 2019-08-28  Mark Lam  <mark.lam@apple.com>
2104
2105         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
2106         https://bugs.webkit.org/show_bug.cgi?id=201281
2107         <rdar://problem/54028228>
2108
2109         Reviewed by Yusuke Suzuki and Saam Barati.
2110
2111         This (see title above) is already the preferred idiom used in most places in our
2112         compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
2113         compileStringCharAt().  Consider the following:
2114
2115             bool prototypeChainIsSane = false;
2116             if (globalObject->stringPrototypeChainIsSane()) {
2117                 ...
2118                 m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm()));
2119                 m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm()));
2120
2121                 prototypeChainIsSane = globalObject->stringPrototypeChainIsSane();
2122             }
2123
2124         What's essential for correctness here is that the stringPrototype and objectPrototype
2125         structures be loaded before the loads in the second stringPrototypeChainIsSane()
2126         check.  Without a loadLoadFence before the second stringPrototypeChainIsSane()
2127         check, we can't guarantee that.  Elsewhere in the compiler, the preferred idiom
2128         for doing this right is to pre-load the structures first, do a loadLoadFence, and
2129         then do the IsSane check just once after e.g.
2130
2131             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm);
2132             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm);
2133
2134             if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2135                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2136                 && globalObject->arrayPrototypeChainIsSane()) {
2137
2138                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
2139                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
2140                 ...
2141             }
2142
2143         This patch changes DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
2144         compileStringCharAt() to follow the same idiom.
2145
2146         We also fix a bad assertion in Structure::storedPrototype() and
2147         Structure::storedPrototypeObject().  The assertion is only correct when those
2148         methods are called from the mutator thread.  The assertion has been updated to
2149         only check its test condition if the current thread is the mutator thread.
2150
2151         * dfg/DFGSpeculativeJIT.cpp:
2152         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2153         * ftl/FTLLowerDFGToB3.cpp:
2154         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2155         * runtime/StructureInlines.h:
2156         (JSC::Structure::storedPrototype const):
2157         (JSC::Structure::storedPrototypeObject const):
2158
2159 2019-08-28  Mark Lam  <mark.lam@apple.com>
2160
2161         Placate exception check validation in DFG's operationHasGenericProperty().
2162         https://bugs.webkit.org/show_bug.cgi?id=201245
2163         <rdar://problem/54777512>
2164
2165         Reviewed by Robin Morisset.
2166
2167         * dfg/DFGOperations.cpp:
2168
2169 2019-08-28  Ross Kirsling  <ross.kirsling@sony.com>
2170
2171         Unreviewed. Restabilize non-unified build.
2172
2173         * runtime/PropertySlot.h:
2174
2175 2019-08-28  Mark Lam  <mark.lam@apple.com>
2176
2177         Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks.
2178         https://bugs.webkit.org/show_bug.cgi?id=201006
2179         <rdar://problem/52053991>
2180
2181         Reviewed by Yusuke Suzuki.
2182
2183         We already ensured that it is not possible to overflow in Wasm::FunctionParser's
2184         parse().  It is unnecessary and misleading to do those overflow checks in
2185         AirIRGenerator and B3IRGenerator.  The only check that is necessary is that
2186         m_locals.tryReserveCapacity() is successful, otherwise, we have an out of memory
2187         situation.
2188
2189         This patch changes these unnecessary checks to assertions instead.
2190
2191         * wasm/WasmAirIRGenerator.cpp:
2192         (JSC::Wasm::AirIRGenerator::addLocal):
2193         * wasm/WasmB3IRGenerator.cpp:
2194         (JSC::Wasm::B3IRGenerator::addLocal):
2195         * wasm/WasmValidate.cpp:
2196         (JSC::Wasm::Validate::addLocal):
2197
2198 2019-08-28  Keith Rollin  <krollin@apple.com>
2199
2200         Remove support for macOS < 10.13 (part 2)
2201         https://bugs.webkit.org/show_bug.cgi?id=201197
2202         <rdar://problem/54759985>
2203
2204         Update conditionals that reference WK_MACOS_1013 and suffixes like
2205         _MACOS_SINCE_1013, assuming that we're always building on 10.13 or
2206         later and that these conditionals are always True or False.
2207
2208         See Bug 200694 for earlier changes in this area.
2209
2210         Reviewed by Darin Adler.
2211
2212         * Configurations/FeatureDefines.xcconfig:
2213
2214 2019-08-28  Mark Lam  <mark.lam@apple.com>
2215
2216         Gardening: Rebase test results after r249175.
2217         https://bugs.webkit.org/show_bug.cgi?id=201172
2218
2219         Not reviewed.
2220
2221         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2222         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2223         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2224         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2225         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2226         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2227         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2228
2229 2019-08-27  Michael Saboff  <msaboff@apple.com>
2230
2231         Update PACCage changes for builds without Gigacage, but with signed pointers
2232         https://bugs.webkit.org/show_bug.cgi?id=201202
2233
2234         Reviewed by Saam Barati.
2235
2236         Factored out the untagging of pointers and added that to both the Gigacage enabled
2237         and disabled code paths.  Did this for the LLInt as well as the JITs.
2238
2239         * JavaScriptCore.xcodeproj/project.pbxproj: Added arm64e.rb to offlineasm file list.
2240         * dfg/DFGSpeculativeJIT.cpp:
2241         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
2242         * ftl/FTLLowerDFGToB3.cpp:
2243         (JSC::FTL::DFG::LowerDFGToB3::caged):
2244         * llint/LowLevelInterpreter64.asm:
2245
2246 2019-08-27  Mark Lam  <mark.lam@apple.com>
2247
2248         Refactor to use VM& instead of VM* at as many places as possible.
2249         https://bugs.webkit.org/show_bug.cgi?id=201172
2250
2251         Reviewed by Yusuke Suzuki.
2252
2253         Using VM& documents more clearly that the VM pointer is expected to never be null
2254         in most cases.  There are a few places where it can be null (e.g JSLock, and
2255         DFG::Plan).  Those will be left using a VM*.
2256
2257         Also converted some uses of ExecState* to using VM& instead since the ExecState*
2258         is only there to fetch the VM pointer.  Doing this also reduces the number of
2259         times we have to compute VM* from ExecState*.
2260
2261         This patch is not exhaustive in converting to use VM&, but applies the change to
2262         many commonly used pieces of code for a start.
2263
2264         Also fixed a missing exception check in JSString::toIdentifier() and
2265         JSValue::toPropertyKey() exposed by this patch.
2266
2267         * API/APICast.h:
2268         (toJS):
2269         * API/JSAPIGlobalObject.mm:
2270         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
2271         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
2272         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
2273         (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
2274         (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule):
2275         * API/JSCallbackConstructor.cpp:
2276         (JSC::JSCallbackConstructor::finishCreation):
2277         * API/JSCallbackObjectFunctions.h:
2278         (JSC::JSCallbackObject<Parent>::asCallbackObject):
2279         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
2280         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
2281         (JSC::JSCallbackObject<Parent>::putByIndex):
2282         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
2283         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2284         * API/JSContext.mm:
2285         (-[JSContext dependencyIdentifiersForModuleJSScript:]):
2286         * API/JSObjectRef.cpp:
2287         (JSObjectMakeFunction):
2288         (classInfoPrivate):
2289         (JSObjectGetPrivate):
2290         (JSObjectSetPrivate):
2291         (JSObjectCopyPropertyNames):
2292         (JSPropertyNameAccumulatorAddName):
2293         (JSObjectGetProxyTarget):
2294         * API/JSScriptRef.cpp:
2295         (parseScript):
2296         * API/JSValueRef.cpp:
2297         (JSValueMakeString):
2298         * API/OpaqueJSString.cpp:
2299         (OpaqueJSString::identifier const):
2300         * API/glib/JSCContext.cpp:
2301         (jsc_context_check_syntax):
2302         * KeywordLookupGenerator.py:
2303         (Trie.printSubTreeAsC):
2304         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py:
2305         (BuiltinsWrapperHeaderGenerator.generate_constructor):
2306         * Scripts/wkbuiltins/builtins_templates.py:
2307         * bindings/ScriptFunctionCall.cpp:
2308         (Deprecated::ScriptCallArgumentHandler::appendArgument):
2309         (Deprecated::ScriptFunctionCall::call):
2310         * bindings/ScriptValue.cpp:
2311         (Inspector::jsToInspectorValue):
2312         * builtins/BuiltinExecutables.cpp:
2313         (JSC::BuiltinExecutables::createExecutable):
2314         * builtins/BuiltinNames.cpp:
2315         (JSC::BuiltinNames::BuiltinNames):
2316         * builtins/BuiltinNames.h:
2317         (JSC::BuiltinNames::getPublicName const):
2318         * bytecode/BytecodeDumper.cpp:
2319         (JSC::BytecodeDumper<Block>::vm const):
2320         * bytecode/BytecodeDumper.h:
2321         * bytecode/BytecodeGeneratorification.cpp:
2322         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2323         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
2324         (JSC::BytecodeGeneratorification::run):
2325         * bytecode/BytecodeIntrinsicRegistry.cpp:
2326         (JSC::BytecodeIntrinsicRegistry::sentinelMapBucketValue):
2327         (JSC::BytecodeIntrinsicRegistry::sentinelSetBucketValue):
2328         * bytecode/CallVariant.h:
2329         (JSC::CallVariant::internalFunction const):
2330         (JSC::CallVariant::function const):
2331         (JSC::CallVariant::isClosureCall const):
2332         (JSC::CallVariant::executable const):
2333         (JSC::CallVariant::functionExecutable const):
2334         (JSC::CallVariant::nativeExecutable const):
2335         * bytecode/CodeBlock.cpp:
2336         (JSC::CodeBlock::dumpSource):
2337         (JSC::CodeBlock::CodeBlock):
2338         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
2339         (JSC::CodeBlock::setNumParameters):
2340         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2341         (JSC::CodeBlock::unlinkIncomingCalls):
2342         (JSC::CodeBlock::replacement):
2343         (JSC::CodeBlock::computeCapabilityLevel):
2344         (JSC::CodeBlock::noticeIncomingCall):
2345         (JSC::CodeBlock::nameForRegister):
2346         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2347         * bytecode/CodeBlock.h:
2348         (JSC::CodeBlock::vm const):
2349         (JSC::CodeBlock::numberOfArgumentValueProfiles):
2350         (JSC::CodeBlock::valueProfileForArgument):
2351         * bytecode/DeferredSourceDump.cpp:
2352         (JSC::DeferredSourceDump::DeferredSourceDump):
2353         * bytecode/EvalCodeBlock.h:
2354         * bytecode/FunctionCodeBlock.h:
2355         * bytecode/GetByIdStatus.cpp:
2356         (JSC::GetByIdStatus::computeFromLLInt):
2357         * bytecode/GlobalCodeBlock.h:
2358         (JSC::GlobalCodeBlock::GlobalCodeBlock):
2359         * bytecode/ModuleProgramCodeBlock.h:
2360         * bytecode/ObjectAllocationProfileInlines.h:
2361         (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount):
2362         * bytecode/PolyProtoAccessChain.cpp:
2363         (JSC::PolyProtoAccessChain::create):
2364         * bytecode/ProgramCodeBlock.h:
2365         * bytecode/PropertyCondition.cpp:
2366         (JSC::PropertyCondition::isWatchableWhenValid const):
2367         * bytecode/PutByIdStatus.cpp:
2368         (JSC::PutByIdStatus::computeFromLLInt):
2369         * bytecode/StructureStubInfo.cpp:
2370         (JSC::StructureStubInfo::initGetByIdSelf):
2371         (JSC::StructureStubInfo::initPutByIdReplace):
2372         (JSC::StructureStubInfo::initInByIdSelf):
2373         (JSC::StructureStubInfo::addAccessCase):
2374         (JSC::StructureStubInfo::visitWeakReferences):
2375         * bytecode/UnlinkedCodeBlock.cpp:
2376         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2377         * bytecode/UnlinkedCodeBlock.h:
2378         (JSC::UnlinkedCodeBlock::addSetConstant):
2379         (JSC::UnlinkedCodeBlock::addConstant):
2380         (JSC::UnlinkedCodeBlock::addFunctionDecl):
2381         (JSC::UnlinkedCodeBlock::addFunctionExpr):
2382         * bytecode/UnlinkedEvalCodeBlock.h:
2383         * bytecode/UnlinkedFunctionCodeBlock.h:
2384         * bytecode/UnlinkedFunctionExecutable.cpp:
2385         (JSC::generateUnlinkedFunctionCodeBlock):
2386         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2387         * bytecode/UnlinkedFunctionExecutable.h:
2388         * bytecode/UnlinkedGlobalCodeBlock.h:
2389         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
2390         * bytecode/UnlinkedModuleProgramCodeBlock.h:
2391         * bytecode/UnlinkedProgramCodeBlock.h:
2392         * bytecompiler/BytecodeGenerator.cpp:
2393         (JSC::BytecodeGenerator::BytecodeGenerator):
2394         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
2395         (JSC::BytecodeGenerator::emitDirectPutById):
2396         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
2397         (JSC::BytecodeGenerator::addBigIntConstant):
2398         (JSC::BytecodeGenerator::addTemplateObjectConstant):
2399         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
2400         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
2401         * bytecompiler/BytecodeGenerator.h:
2402         (JSC::BytecodeGenerator::vm const):
2403         (JSC::BytecodeGenerator::propertyNames const):
2404         (JSC::BytecodeGenerator::emitNodeInTailPosition):
2405         (JSC::BytecodeGenerator::emitDefineClassElements):
2406         (JSC::BytecodeGenerator::emitNodeInConditionContext):
2407         * bytecompiler/NodesCodegen.cpp:
2408         (JSC::RegExpNode::emitBytecode):
2409         (JSC::ArrayNode::emitBytecode):
2410         (JSC::FunctionCallResolveNode::emitBytecode):
2411         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
2412         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
2413         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
2414         (JSC::InstanceOfNode::emitBytecode):
2415         * debugger/Debugger.cpp:
2416         * debugger/DebuggerParseData.cpp:
2417         (JSC::gatherDebuggerParseData):
2418         * debugger/DebuggerScope.cpp:
2419         (JSC::DebuggerScope::next):
2420         (JSC::DebuggerScope::name const):
2421         (JSC::DebuggerScope::location const):
2422         * dfg/DFGDesiredIdentifiers.cpp:
2423         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2424         * dfg/DFGDesiredWatchpoints.cpp:
2425         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2426         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
2427         * dfg/DFGFrozenValue.h:
2428         (JSC::DFG::FrozenValue::FrozenValue):
2429         * dfg/DFGGraph.cpp:
2430         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
2431         * dfg/DFGJITCompiler.cpp:
2432         (JSC::DFG::JITCompiler::linkOSRExits):
2433         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2434         (JSC::DFG::JITCompiler::link):
2435         (JSC::DFG::emitStackOverflowCheck):
2436         (JSC::DFG::JITCompiler::compileFunction):
2437         (JSC::DFG::JITCompiler::exceptionCheck):
2438         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
2439         * dfg/DFGJITCompiler.h:
2440         (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
2441         (JSC::DFG::JITCompiler::fastExceptionCheck):
2442         (JSC::DFG::JITCompiler::vm):
2443         * dfg/DFGLazyJSValue.cpp:
2444         (JSC::DFG::LazyJSValue::getValue const):
2445         (JSC::DFG::LazyJSValue::emit const):
2446         * dfg/DFGOSREntry.cpp:
2447         (JSC::DFG::prepareOSREntry):
2448         * dfg/DFGOSRExit.cpp:
2449         (JSC::DFG::OSRExit::compileOSRExit):
2450         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2451         * dfg/DFGOSRExitCompilerCommon.h:
2452         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
2453         * dfg/DFGOperations.cpp:
2454         (JSC::DFG::newTypedArrayWithSize):
2455         (JSC::DFG::binaryOp):
2456         (JSC::DFG::bitwiseBinaryOp):
2457         * dfg/DFGPlan.cpp:
2458         (JSC::DFG::Plan::Plan):
2459         * dfg/DFGSpeculativeJIT.cpp:
2460         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2461         (JSC::DFG::SpeculativeJIT::compileStringSlice):
2462         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2463         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
2464         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2465         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2466         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
2467         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
2468         (JSC::DFG::SpeculativeJIT::emitStringBranch):
2469         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
2470         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
2471         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
2472         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2473         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2474         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2475         (JSC::DFG::SpeculativeJIT::compileSpread):
2476         (JSC::DFG::SpeculativeJIT::compileNewArray):
2477         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2478         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2479         (JSC::DFG::SpeculativeJIT::compileArrayPush):
2480         (JSC::DFG::SpeculativeJIT::compileTypeOf):
2481         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2482         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2483         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
2484         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2485         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2486         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2487         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
2488         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2489         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2490         (JSC::DFG::SpeculativeJIT::compileStringReplace):
2491         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
2492         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
2493         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
2494         (JSC::DFG::SpeculativeJIT::compileObjectKeys):
2495         (JSC::DFG::SpeculativeJIT::compileCreateThis):
2496         (JSC::DFG::SpeculativeJIT::compileNewObject):
2497         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
2498         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
2499         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
2500         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2501         (JSC::DFG::SpeculativeJIT::compileProfileType):
2502         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2503         * dfg/DFGSpeculativeJIT.h:
2504         (JSC::DFG::SpeculativeJIT::vm):
2505         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
2506         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
2507         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2508         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
2509         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
2510         * dfg/DFGSpeculativeJIT32_64.cpp:
2511         (JSC::DFG::SpeculativeJIT::emitCall):
2512         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2513         (JSC::DFG::SpeculativeJIT::emitBranch):
2514         (JSC::DFG::SpeculativeJIT::compile):
2515         * dfg/DFGSpeculativeJIT64.cpp:
2516         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2517         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2518         (JSC::DFG::SpeculativeJIT::emitCall):
2519         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2520         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2521         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2522         (JSC::DFG::SpeculativeJIT::emitBranch):
2523         (JSC::DFG::SpeculativeJIT::compile):
2524         * dfg/DFGThunks.cpp:
2525         (JSC::DFG::osrExitThunkGenerator):
2526         (JSC::DFG::osrExitGenerationThunkGenerator):
2527         (JSC::DFG::osrEntryThunkGenerator):
2528         * dfg/DFGThunks.h:
2529         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2530         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
2531         * dfg/DFGWorklist.cpp:
2532         (JSC::DFG::Worklist::visitWeakReferences):
2533         * dynbench.cpp:
2534         (main):
2535         * ftl/FTLLowerDFGToB3.cpp:
2536         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2537         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2538         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2539         * ftl/FTLThunks.cpp:
2540         (JSC::FTL::genericGenerationThunkGenerator):
2541         (JSC::FTL::osrExitGenerationThunkGenerator):
2542         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
2543         * ftl/FTLThunks.h:
2544         * heap/CellContainer.h:
2545         * heap/CellContainerInlines.h:
2546         (JSC::CellContainer::vm const):
2547         (JSC::CellContainer::heap const):
2548         * heap/CompleteSubspace.cpp:
2549         (JSC::CompleteSubspace::tryAllocateSlow):
2550         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
2551         * heap/GCActivityCallback.h:
2552         * heap/GCAssertions.h:
2553         * heap/HandleSet.cpp:
2554         (JSC::HandleSet::HandleSet):
2555         * heap/HandleSet.h:
2556         (JSC::HandleSet::vm):
2557         * heap/Heap.cpp:
2558         (JSC::Heap::Heap):
2559         (JSC::Heap::lastChanceToFinalize):
2560         (JSC::Heap::releaseDelayedReleasedObjects):
2561         (JSC::Heap::protect):
2562         (JSC::Heap::unprotect):
2563         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
2564         (JSC::Heap::finalizeUnconditionalFinalizers):
2565         (JSC::Heap::completeAllJITPlans):
2566         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
2567         (JSC::Heap::gatherJSStackRoots):
2568         (JSC::Heap::gatherScratchBufferRoots):
2569         (JSC::Heap::removeDeadCompilerWorklistEntries):
2570         (JSC::Heap::isAnalyzingHeap const):
2571         (JSC::Heap::gatherExtraHeapData):
2572         (JSC::Heap::protectedObjectTypeCounts):
2573         (JSC::Heap::objectTypeCounts):
2574         (JSC::Heap::deleteAllCodeBlocks):
2575         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2576         (JSC::Heap::deleteUnmarkedCompiledCode):
2577         (JSC::Heap::checkConn):
2578         (JSC::Heap::runEndPhase):
2579         (JSC::Heap::stopThePeriphery):
2580         (JSC::Heap::finalize):
2581         (JSC::Heap::requestCollection):
2582         (JSC::Heap::sweepInFinalize):
2583         (JSC::Heap::sweepArrayBuffers):
2584         (JSC::Heap::deleteSourceProviderCaches):
2585         (JSC::Heap::didFinishCollection):
2586         (JSC::Heap::addCoreConstraints):
2587         * heap/Heap.h:
2588         * heap/HeapCell.h:
2589         * heap/HeapCellInlines.h:
2590         (JSC::HeapCell::heap const):
2591         (JSC::HeapCell::vm const):
2592         * heap/HeapInlines.h:
2593         (JSC::Heap::vm const):
2594         * heap/IsoSubspacePerVM.cpp:
2595         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
2596         * heap/LargeAllocation.cpp:
2597         (JSC::LargeAllocation::sweep):
2598         (JSC::LargeAllocation::assertValidCell const):
2599         * heap/LargeAllocation.h:
2600         (JSC::LargeAllocation::vm const):
2601         * heap/LocalAllocator.cpp:
2602         (JSC::LocalAllocator::allocateSlowCase):
2603         * heap/MarkedBlock.cpp:
2604         (JSC::MarkedBlock::Handle::Handle):
2605         (JSC::MarkedBlock::aboutToMarkSlow):
2606         (JSC::MarkedBlock::assertMarksNotStale):
2607         (JSC::MarkedBlock::areMarksStale):
2608         (JSC::MarkedBlock::isMarked):
2609         (JSC::MarkedBlock::assertValidCell const):
2610         * heap/MarkedBlock.h:
2611         (JSC::MarkedBlock::Handle::vm const):
2612         (JSC::MarkedBlock::vm const):
2613         * heap/MarkedBlockInlines.h:
2614         (JSC::MarkedBlock::heap const):
2615         (JSC::MarkedBlock::Handle::specializedSweep):
2616         * heap/SlotVisitor.cpp:
2617         (JSC::validate):
2618         * heap/SlotVisitorInlines.h:
2619         (JSC::SlotVisitor::vm):
2620         (JSC::SlotVisitor::vm const):
2621         * heap/StopIfNecessaryTimer.cpp:
2622         (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer):
2623         * heap/StopIfNecessaryTimer.h:
2624         * heap/Strong.h:
2625         (JSC::Strong::operator=):
2626         * heap/WeakSet.h:
2627         (JSC::WeakSet::WeakSet):
2628         (JSC::WeakSet::vm const):
2629         * inspector/JSInjectedScriptHost.cpp:
2630         (Inspector::JSInjectedScriptHost::savedResultAlias const):
2631         (Inspector::JSInjectedScriptHost::internalConstructorName):
2632         (Inspector::JSInjectedScriptHost::subtype):
2633         (Inspector::JSInjectedScriptHost::functionDetails):
2634         (Inspector::constructInternalProperty):
2635         (Inspector::JSInjectedScriptHost::getInternalProperties):
2636         (Inspector::JSInjectedScriptHost::weakMapEntries):
2637         (Inspector::JSInjectedScriptHost::weakSetEntries):
2638         (Inspector::JSInjectedScriptHost::iteratorEntries):
2639         (Inspector::JSInjectedScriptHost::queryInstances):
2640         (Inspector::JSInjectedScriptHost::queryHolders):
2641         * inspector/JSJavaScriptCallFrame.cpp:
2642         (Inspector::valueForScopeLocation):
2643         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2644         (Inspector::JSJavaScriptCallFrame::functionName const):
2645         (Inspector::JSJavaScriptCallFrame::type const):
2646         * inspector/ScriptCallStackFactory.cpp:
2647         (Inspector::extractSourceInformationFromException):
2648         * inspector/agents/InspectorAuditAgent.cpp:
2649         (Inspector::InspectorAuditAgent::populateAuditObject):
2650         * inspector/agents/InspectorHeapAgent.cpp:
2651         (Inspector::InspectorHeapAgent::gc):
2652         * interpreter/FrameTracers.h:
2653         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2654         * interpreter/Interpreter.cpp:
2655         (JSC::Interpreter::executeProgram):
2656         (JSC::Interpreter::prepareForRepeatCall):
2657         (JSC::Interpreter::execute):
2658         (JSC::Interpreter::executeModuleProgram):
2659         * interpreter/StackVisitor.cpp:
2660         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
2661         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2662         * jit/AssemblyHelpers.cpp:
2663         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2664         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
2665         (JSC::AssemblyHelpers::branchIfValue):
2666         * jit/AssemblyHelpers.h:
2667         (JSC::AssemblyHelpers::vm):
2668         * jit/JIT.cpp:
2669         (JSC::JIT::JIT):
2670         (JSC::JIT::emitEnterOptimizationCheck):
2671         (JSC::JIT::privateCompileMainPass):
2672         (JSC::JIT::privateCompileExceptionHandlers):
2673         * jit/JIT.h:
2674         * jit/JITCall.cpp:
2675         (JSC::JIT::compileCallEvalSlowCase):
2676         * jit/JITCall32_64.cpp:
2677         (JSC::JIT::compileCallEvalSlowCase):
2678         * jit/JITExceptions.cpp:
2679         (JSC::genericUnwind):
2680         * jit/JITExceptions.h:
2681         * jit/JITInlineCacheGenerator.cpp:
2682         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2683         * jit/JITOpcodes.cpp:
2684         (JSC::JIT::emit_op_is_undefined):
2685         (JSC::JIT::emit_op_jfalse):
2686         (JSC::JIT::emit_op_jeq_null):
2687         (JSC::JIT::emit_op_jneq_null):
2688         (JSC::JIT::emit_op_jtrue):
2689         (JSC::JIT::emit_op_throw):
2690         (JSC::JIT::emit_op_catch):
2691         (JSC::JIT::emit_op_eq_null):
2692         (JSC::JIT::emit_op_neq_null):
2693         (JSC::JIT::emitSlow_op_loop_hint):
2694         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2695         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2696         * jit/JITOpcodes32_64.cpp:
2697         (JSC::JIT::emit_op_jfalse):
2698         (JSC::JIT::emit_op_jtrue):
2699         (JSC::JIT::emit_op_throw):
2700         (JSC::JIT::emit_op_catch):
2701         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2702         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2703         * jit/JITOperations.cpp:
2704         (JSC::operationNewFunctionCommon):
2705         (JSC::tryGetByValOptimize):
2706         * jit/JITPropertyAccess.cpp:
2707         (JSC::JIT::emitWriteBarrier):
2708         * jit/JITThunks.cpp:
2709         (JSC::JITThunks::ctiNativeCall):
2710         (JSC::JITThunks::ctiNativeConstruct):
2711         (JSC::JITThunks::ctiNativeTailCall):
2712         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
2713         (JSC::JITThunks::ctiInternalFunctionCall):
2714         (JSC::JITThunks::ctiInternalFunctionConstruct):
2715         (JSC::JITThunks::ctiStub):
2716         (JSC::JITThunks::hostFunctionStub):
2717         * jit/JITThunks.h:
2718         * jit/JITWorklist.cpp:
2719         (JSC::JITWorklist::Plan::vm):
2720         (JSC::JITWorklist::completeAllForVM):
2721         (JSC::JITWorklist::poll):
2722         (JSC::JITWorklist::compileLater):
2723         (JSC::JITWorklist::compileNow):
2724         * jit/Repatch.cpp:
2725         (JSC::readPutICCallTarget):
2726         (JSC::ftlThunkAwareRepatchCall):
2727         (JSC::linkSlowFor):
2728         (JSC::linkFor):
2729         (JSC::linkDirectFor):
2730         (JSC::revertCall):
2731         (JSC::unlinkFor):
2732         (JSC::linkVirtualFor):
2733         (JSC::linkPolymorphicCall):
2734         * jit/SpecializedThunkJIT.h:
2735         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
2736         * jit/ThunkGenerator.h:
2737         * jit/ThunkGenerators.cpp:
2738         (JSC::throwExceptionFromCallSlowPathGenerator):
2739         (JSC::slowPathFor):
2740         (JSC::linkCallThunkGenerator):
2741         (JSC::linkPolymorphicCallThunkGenerator):
2742         (JSC::virtualThunkFor):
2743         (JSC::nativeForGenerator):
2744         (JSC::nativeCallGenerator):
2745         (JSC::nativeTailCallGenerator):
2746         (JSC::nativeTailCallWithoutSavedTagsGenerator):
2747         (JSC::nativeConstructGenerator):
2748         (JSC::internalFunctionCallGenerator):
2749         (JSC::internalFunctionConstructGenerator):
2750         (JSC::arityFixupGenerator):
2751         (JSC::unreachableGenerator):
2752         (JSC::stringGetByValGenerator):
2753         (JSC::charToString):
2754         (JSC::charCodeAtThunkGenerator):
2755         (JSC::charAtThunkGenerator):
2756         (JSC::fromCharCodeThunkGenerator):
2757         (JSC::clz32ThunkGenerator):
2758         (JSC::sqrtThunkGenerator):
2759         (JSC::floorThunkGenerator):
2760         (JSC::ceilThunkGenerator):
2761         (JSC::truncThunkGenerator):
2762         (JSC::roundThunkGenerator):
2763         (JSC::expThunkGenerator):
2764         (JSC::logThunkGenerator):
2765         (JSC::absThunkGenerator):
2766         (JSC::imulThunkGenerator):
2767         (JSC::randomThunkGenerator):
2768         (JSC::boundThisNoArgsFunctionCallGenerator):
2769         * jit/ThunkGenerators.h:
2770         * jsc.cpp:
2771         (GlobalObject::finishCreation):
2772         (GlobalObject::addFunction):
2773         (GlobalObject::moduleLoaderImportModule):
2774         (GlobalObject::moduleLoaderResolve):
2775         (GlobalObject::moduleLoaderCreateImportMetaProperties):
2776         (functionDescribe):
2777         (functionDescribeArray):
2778         (JSCMemoryFootprint::addProperty):
2779         (functionRun):
2780         (functionRunString):
2781         (functionReadFile):
2782         (functionCallerSourceOrigin):
2783         (functionReadline):
2784         (functionDollarCreateRealm):
2785         (functionDollarEvalScript):
2786         (functionDollarAgentGetReport):
2787         (functionWaitForReport):
2788         (functionJSCOptions):
2789         (functionCheckModuleSyntax):
2790         (functionGenerateHeapSnapshotForGCDebugging):
2791         (functionWebAssemblyMemoryMode):
2792         (dumpException):
2793         (checkUncaughtException):
2794         * llint/LLIntSlowPaths.cpp:
2795         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2796         (JSC::LLInt::handleHostCall):
2797         * parser/ASTBuilder.h:
2798         (JSC::ASTBuilder::ASTBuilder):
2799         (JSC::ASTBuilder::createResolve):
2800         (JSC::ASTBuilder::createGetterOrSetterProperty):
2801         (JSC::ASTBuilder::createProperty):
2802         (JSC::ASTBuilder::createFuncDeclStatement):
2803         (JSC::ASTBuilder::makeFunctionCallNode):
2804         * parser/Lexer.cpp:
2805         (JSC::Lexer<T>::Lexer):
2806         (JSC::Lexer<LChar>::parseIdentifier):
2807         (JSC::Lexer<UChar>::parseIdentifier):
2808         * parser/Lexer.h:
2809         (JSC::Lexer<T>::lexExpectIdentifier):
2810         * parser/ModuleAnalyzer.cpp:
2811         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2812         * parser/ModuleAnalyzer.h:
2813         (JSC::ModuleAnalyzer::vm):
2814         * parser/Parser.cpp:
2815         (JSC::Parser<LexerType>::Parser):
2816         (JSC::Parser<LexerType>::parseInner):
2817         (JSC::Parser<LexerType>::isArrowFunctionParameters):
2818         (JSC::Parser<LexerType>::parseSourceElements):
2819         (JSC::Parser<LexerType>::parseModuleSourceElements):
2820         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
2821         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2822         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2823         (JSC::Parser<LexerType>::parseSingleFunction):
2824         (JSC::Parser<LexerType>::parseStatementListItem):
2825         (JSC::Parser<LexerType>::parseObjectRestAssignmentElement):
2826         (JSC::Parser<LexerType>::parseAssignmentElement):
2827         (JSC::Parser<LexerType>::parseDestructuringPattern):
2828         (JSC::Parser<LexerType>::parseForStatement):
2829         (JSC::Parser<LexerType>::parseBreakStatement):
2830         (JSC::Parser<LexerType>::parseContinueStatement):
2831         (JSC::Parser<LexerType>::parseStatement):
2832         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
2833         (JSC::Parser<LexerType>::createGeneratorParameters):
2834         (JSC::Parser<LexerType>::parseFunctionInfo):
2835         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2836         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2837         (JSC::Parser<LexerType>::parseClassDeclaration):
2838         (JSC::Parser<LexerType>::parseClass):
2839         (JSC::Parser<LexerType>::parseImportClauseItem):
2840         (JSC::Parser<LexerType>::parseImportDeclaration):
2841         (JSC::Parser<LexerType>::parseExportSpecifier):
2842         (JSC::Parser<LexerType>::parseExportDeclaration):
2843         (JSC::Parser<LexerType>::parseAssignmentExpression):
2844         (JSC::Parser<LexerType>::parseProperty):
2845         (JSC::Parser<LexerType>::parseGetterSetter):
2846         (JSC::Parser<LexerType>::parseObjectLiteral):
2847         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
2848         (JSC::Parser<LexerType>::parseClassExpression):
2849         (JSC::Parser<LexerType>::parseFunctionExpression):
2850         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2851         (JSC::Parser<LexerType>::parsePrimaryExpression):
2852         (JSC::Parser<LexerType>::parseMemberExpression):
2853         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
2854         (JSC::Parser<LexerType>::parseUnaryExpression):
2855         * parser/Parser.h:
2856         (JSC::isArguments):
2857         (JSC::isEval):
2858         (JSC::isEvalOrArgumentsIdentifier):
2859         (JSC::Scope::Scope):
2860         (JSC::Scope::declareParameter):
2861         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
2862         (JSC::Scope::collectFreeVariables):
2863         (JSC::Parser::canRecurse):
2864         (JSC::parse):
2865         (JSC::parseFunctionForFunctionConstructor):
2866         * parser/ParserArena.h:
2867         (JSC::IdentifierArena::makeIdentifier):
2868         (JSC::IdentifierArena::makeEmptyIdentifier):
2869         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
2870         (JSC::IdentifierArena::makeNumericIdentifier):
2871         * parser/SyntaxChecker.h:
2872         (JSC::SyntaxChecker::SyntaxChecker):
2873         (JSC::SyntaxChecker::createProperty):
2874         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2875         * profiler/ProfilerBytecode.cpp:
2876         (JSC::Profiler::Bytecode::toJS const):
2877         * profiler/ProfilerBytecodeSequence.cpp:
2878         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
2879         * profiler/ProfilerBytecodes.cpp:
2880         (JSC::Profiler::Bytecodes::toJS const):
2881         * profiler/ProfilerCompilation.cpp:
2882         (JSC::Profiler::Compilation::toJS const):
2883         * profiler/ProfilerCompiledBytecode.cpp:
2884         (JSC::Profiler::CompiledBytecode::toJS const):
2885         * profiler/ProfilerEvent.cpp:
2886         (JSC::Profiler::Event::toJS const):
2887         * profiler/ProfilerOSRExit.cpp:
2888         (JSC::Profiler::OSRExit::toJS const):
2889         * profiler/ProfilerOSRExitSite.cpp:
2890         (JSC::Profiler::OSRExitSite::toJS const):
2891         * profiler/ProfilerUID.cpp:
2892         (JSC::Profiler::UID::toJS const):
2893         * runtime/AbstractModuleRecord.cpp:
2894         (JSC::AbstractModuleRecord::finishCreation):
2895         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2896         (JSC::AbstractModuleRecord::resolveExportImpl):
2897         (JSC::getExportedNames):
2898         (JSC::AbstractModuleRecord::getModuleNamespace):
2899         * runtime/ArrayBufferNeuteringWatchpointSet.cpp:
2900         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
2901         * runtime/ArrayIteratorPrototype.cpp:
2902         (JSC::ArrayIteratorPrototype::finishCreation):
2903         * runtime/ArrayPrototype.cpp:
2904         (JSC::fastJoin):
2905         (JSC::arrayProtoFuncToLocaleString):
2906         (JSC::slowJoin):
2907         (JSC::arrayProtoFuncJoin):
2908         (JSC::arrayProtoFuncPush):
2909         * runtime/AsyncFunctionPrototype.cpp:
2910         (JSC::AsyncFunctionPrototype::finishCreation):
2911         * runtime/AsyncGeneratorFunctionPrototype.cpp:
2912         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
2913         * runtime/AsyncGeneratorPrototype.cpp:
2914         (JSC::AsyncGeneratorPrototype::finishCreation):
2915         * runtime/AtomicsObject.cpp:
2916         (JSC::AtomicsObject::finishCreation):
2917         (JSC::atomicsFuncWait):
2918         (JSC::operationAtomicsAdd):
2919         (JSC::operationAtomicsAnd):
2920         (JSC::operationAtomicsCompareExchange):
2921         (JSC::operationAtomicsExchange):
2922         (JSC::operationAtomicsIsLockFree):
2923         (JSC::operationAtomicsLoad):
2924         (JSC::operationAtomicsOr):
2925         (JSC::operationAtomicsStore):
2926         (JSC::operationAtomicsSub):
2927         (JSC::operationAtomicsXor):
2928         * runtime/BigIntPrototype.cpp:
2929         (JSC::BigIntPrototype::finishCreation):
2930         (JSC::bigIntProtoFuncToString):
2931         * runtime/CachedTypes.cpp:
2932         (JSC::CachedUniquedStringImplBase::decode const):
2933         (JSC::CachedIdentifier::decode const):
2934         (JSC::CachedJSValue::decode const):
2935         * runtime/CodeCache.cpp:
2936         (JSC::CodeCacheMap::pruneSlowCase):
2937         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2938         * runtime/CodeCache.h:
2939         (JSC::generateUnlinkedCodeBlockImpl):
2940         * runtime/CommonIdentifiers.cpp:
2941         (JSC::CommonIdentifiers::CommonIdentifiers):
2942         * runtime/CommonIdentifiers.h:
2943         * runtime/CommonSlowPaths.cpp:
2944         (JSC::SLOW_PATH_DECL):
2945         * runtime/Completion.cpp:
2946         (JSC::checkSyntaxInternal):
2947         (JSC::checkModuleSyntax):
2948         (JSC::loadAndEvaluateModule):
2949         (JSC::loadModule):
2950         * runtime/DateConstructor.cpp:
2951         (JSC::callDate):
2952         * runtime/DatePrototype.cpp:
2953         (JSC::formatLocaleDate):
2954         (JSC::formateDateInstance):
2955         (JSC::DatePrototype::finishCreation):
2956         (JSC::dateProtoFuncToISOString):
2957         * runtime/Error.cpp:
2958         (JSC::addErrorInfo):
2959         * runtime/ErrorInstance.cpp:
2960         (JSC::appendSourceToError):
2961         (JSC::ErrorInstance::finishCreation):
2962         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2963         * runtime/ErrorPrototype.cpp:
2964         (JSC::ErrorPrototype::finishCreation):
2965         (JSC::errorProtoFuncToString):
2966         * runtime/ExceptionHelpers.cpp:
2967         (JSC::TerminatedExecutionError::defaultValue):
2968         * runtime/FunctionPrototype.cpp:
2969         (JSC::functionProtoFuncToString):
2970         * runtime/FunctionRareData.cpp:
2971         (JSC::FunctionRareData::clear):
2972         * runtime/GeneratorFunctionPrototype.cpp:
2973         (JSC::GeneratorFunctionPrototype::finishCreation):
2974         * runtime/GeneratorPrototype.cpp:
2975         (JSC::GeneratorPrototype::finishCreation):
2976         * runtime/GenericArgumentsInlines.h:
2977         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2978         * runtime/GetterSetter.h:
2979         * runtime/Identifier.cpp:
2980         (JSC::Identifier::add):
2981         (JSC::Identifier::add8):
2982         (JSC::Identifier::from):
2983         (JSC::Identifier::checkCurrentAtomStringTable):
2984         * runtime/Identifier.h:
2985         (JSC::Identifier::fromString):
2986         (JSC::Identifier::createLCharFromUChar):
2987         (JSC::Identifier::Identifier):
2988         (JSC::Identifier::add):
2989         * runtime/IdentifierInlines.h:
2990         (JSC::Identifier::Identifier):
2991         (JSC::Identifier::add):
2992         (JSC::Identifier::fromUid):
2993         (JSC::Identifier::fromString):
2994         (JSC::identifierToJSValue):
2995         (JSC::identifierToSafePublicJSValue):
2996         * runtime/InternalFunction.cpp:
2997         (JSC::InternalFunction::finishCreation):
2998         * runtime/IntlCollator.cpp:
2999         (JSC::IntlCollator::resolvedOptions):
3000         * runtime/IntlCollatorPrototype.cpp:
3001         (JSC::IntlCollatorPrototype::finishCreation):
3002         * runtime/IntlDateTimeFormat.cpp:
3003         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
3004         (JSC::IntlDateTimeFormat::resolvedOptions):
3005         (JSC::IntlDateTimeFormat::format):
3006         (JSC::IntlDateTimeFormat::formatToParts):
3007         * runtime/IntlDateTimeFormatPrototype.cpp:
3008         (JSC::IntlDateTimeFormatPrototype::finishCreation):
3009         * runtime/IntlNumberFormat.cpp:
3010         (JSC::IntlNumberFormat::initializeNumberFormat):
3011         (JSC::IntlNumberFormat::formatNumber):
3012         (JSC::IntlNumberFormat::resolvedOptions):
3013         (JSC::IntlNumberFormat::formatToParts):
3014         * runtime/IntlNumberFormatPrototype.cpp:
3015         (JSC::IntlNumberFormatPrototype::finishCreation):
3016         * runtime/IntlObject.cpp:
3017         (JSC::lookupSupportedLocales):
3018         (JSC::supportedLocales):
3019         (JSC::intlObjectFuncGetCanonicalLocales):
3020         * runtime/IntlPluralRules.cpp:
3021         (JSC::IntlPluralRules::initializePluralRules):
3022         (JSC::IntlPluralRules::resolvedOptions):
3023         (JSC::IntlPluralRules::select):
3024         * runtime/IntlPluralRulesPrototype.cpp:
3025         (JSC::IntlPluralRulesPrototype::finishCreation):
3026         * runtime/JSArray.h:
3027         (JSC::asArray):
3028         (JSC::isJSArray):
3029         * runtime/JSArrayBufferPrototype.cpp:
3030         (JSC::JSArrayBufferPrototype::finishCreation):
3031         * runtime/JSArrayBufferView.cpp:
3032         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
3033         * runtime/JSCJSValue.cpp:
3034         (JSC::JSValue::putToPrimitiveByIndex):
3035         (JSC::JSValue::dumpForBacktrace const):
3036         (JSC::JSValue::toStringSlowCase const):
3037         * runtime/JSCJSValueInlines.h:
3038         (JSC::JSValue::toPropertyKey const):
3039         (JSC::JSValue::get const):
3040         * runtime/JSCast.h:
3041         (JSC::jsCast):
3042         * runtime/JSCell.cpp:
3043         (JSC::JSCell::dump const):
3044         (JSC::JSCell::dumpToStream):
3045         (JSC::JSCell::putByIndex):
3046         * runtime/JSCellInlines.h:
3047         (JSC::JSCell::structure const):
3048         (JSC::ExecState::vm const):
3049         (JSC::tryAllocateCellHelper):
3050         * runtime/JSDataViewPrototype.cpp:
3051         (JSC::JSDataViewPrototype::finishCreation):
3052         * runtime/JSFixedArray.cpp:
3053         (JSC::JSFixedArray::dumpToStream):
3054         * runtime/JSFunction.cpp:
3055         (JSC::JSFunction::finishCreation):
3056         (JSC::RetrieveCallerFunctionFunctor::operator() const):
3057         (JSC::JSFunction::reifyName):
3058         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
3059         (JSC::JSFunction::assertTypeInfoFlagInvariants):
3060         * runtime/JSGenericTypedArrayViewInlines.h:
3061         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
3062         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
3063         * runtime/JSGlobalObject.cpp:
3064         (JSC::JSGlobalObject::init):
3065         (JSC::JSGlobalObject::exposeDollarVM):
3066         * runtime/JSGlobalObjectFunctions.cpp:
3067         (JSC::encode):
3068         (JSC::decode):
3069         (JSC::globalFuncEscape):
3070         (JSC::globalFuncUnescape):
3071         (JSC::globalFuncBuiltinDescribe):
3072         * runtime/JSLexicalEnvironment.cpp:
3073         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
3074         * runtime/JSModuleEnvironment.cpp:
3075         (JSC::JSModuleEnvironment::getOwnPropertySlot):
3076         (JSC::JSModuleEnvironment::put):
3077         (JSC::JSModuleEnvironment::deleteProperty):
3078         * runtime/JSModuleLoader.cpp:
3079         (JSC::JSModuleLoader::finishCreation):
3080         (JSC::JSModuleLoader::requestImportModule):
3081         (JSC::moduleLoaderParseModule):
3082         (JSC::moduleLoaderRequestedModules):
3083         * runtime/JSModuleNamespaceObject.cpp:
3084         (JSC::JSModuleNamespaceObject::finishCreation):
3085         (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex):
3086         * runtime/JSModuleRecord.cpp:
3087         (JSC::JSModuleRecord::instantiateDeclarations):
3088         * runtime/JSONObject.cpp:
3089         (JSC::JSONObject::finishCreation):
3090         (JSC::PropertyNameForFunctionCall::value const):
3091         (JSC::Stringifier::Stringifier):
3092         (JSC::Stringifier::stringify):
3093         (JSC::Stringifier::Holder::appendNextProperty):
3094         (JSC::Walker::walk):
3095         * runtime/JSObject.cpp:
3096         (JSC::getClassPropertyNames):
3097         (JSC::JSObject::getOwnPropertySlotByIndex):
3098         (JSC::JSObject::putByIndex):
3099         (JSC::JSObject::deletePropertyByIndex):
3100         (JSC::JSObject::toString const):
3101         (JSC::JSObject::reifyAllStaticProperties):
3102         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3103         * runtime/JSObject.h:
3104         (JSC::JSObject::putByIndexInline):
3105         (JSC::JSObject::butterflyPreCapacity):
3106         (JSC::JSObject::butterflyTotalSize):
3107         (JSC::makeIdentifier):
3108         * runtime/JSPromisePrototype.cpp:
3109         (JSC::JSPromisePrototype::finishCreation):
3110         * runtime/JSPropertyNameEnumerator.cpp:
3111         (JSC::JSPropertyNameEnumerator::finishCreation):
3112         * runtime/JSPropertyNameEnumerator.h:
3113         (JSC::propertyNameEnumerator):
3114         * runtime/JSRunLoopTimer.cpp:
3115         (JSC::JSRunLoopTimer::JSRunLoopTimer):
3116         * runtime/JSRunLoopTimer.h:
3117         * runtime/JSString.cpp:
3118         (JSC::JSString::dumpToStream):
3119         (JSC::JSRopeString::resolveRopeWithFunction const):
3120         (JSC::jsStringWithCacheSlowCase):
3121         * runtime/JSString.h:
3122         (JSC::jsEmptyString):
3123         (JSC::jsSingleCharacterString):
3124         (JSC::jsNontrivialString):
3125         (JSC::JSString::toIdentifier const):
3126         (JSC::JSString::toAtomString const):
3127         (JSC::JSString::toExistingAtomString const):
3128         (JSC::JSString::value const):
3129         (JSC::JSString::tryGetValue const):
3130         (JSC::JSString::getIndex):
3131         (JSC::jsString):
3132         (JSC::jsSubstring):
3133         (JSC::jsOwnedString):
3134         (JSC::jsStringWithCache):
3135         (JSC::JSRopeString::unsafeView const):
3136         (JSC::JSRopeString::viewWithUnderlyingString const):
3137         (JSC::JSString::unsafeView const):
3138         * runtime/JSStringInlines.h:
3139         (JSC::jsMakeNontrivialString):
3140         (JSC::repeatCharacter):
3141         * runtime/JSStringJoiner.cpp:
3142         (JSC::JSStringJoiner::join):
3143         * runtime/JSSymbolTableObject.cpp:
3144         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
3145         * runtime/JSTemplateObjectDescriptor.cpp:
3146         (JSC::JSTemplateObjectDescriptor::createTemplateObject):
3147         * runtime/JSTypedArrayViewPrototype.cpp:
3148         (JSC::typedArrayViewProtoGetterFuncToStringTag):
3149         * runtime/LazyClassStructure.cpp:
3150         (JSC::LazyClassStructure::Initializer::setConstructor):
3151         * runtime/LazyProperty.h:
3152         (JSC::LazyProperty::Initializer::Initializer):
3153         * runtime/LiteralParser.cpp:
3154         (JSC::LiteralParser<CharType>::tryJSONPParse):
3155         (JSC::LiteralParser<CharType>::makeIdentifier):
3156         (JSC::LiteralParser<CharType>::parse):
3157         * runtime/Lookup.h:
3158         (JSC::reifyStaticProperties):
3159         * runtime/MapIteratorPrototype.cpp:
3160         (JSC::MapIteratorPrototype::finishCreation):
3161         * runtime/MapPrototype.cpp:
3162         (JSC::MapPrototype::finishCreation):
3163         * runtime/MathObject.cpp:
3164         (JSC::MathObject::finishCreation):
3165         * runtime/NumberConstructor.cpp:
3166         (JSC::NumberConstructor::finishCreation):
3167         * runtime/NumberPrototype.cpp:
3168         (JSC::numberProtoFuncToExponential):
3169         (JSC::numberProtoFuncToFixed):
3170         (JSC::numberProtoFuncToPrecision):
3171         (JSC::int32ToStringInternal):
3172         (JSC::numberToStringInternal):
3173         (JSC::int52ToString):
3174         * runtime/ObjectConstructor.cpp:
3175         (JSC::objectConstructorGetOwnPropertyDescriptors):
3176         (JSC::objectConstructorAssign):
3177         (JSC::objectConstructorValues):
3178         (JSC::defineProperties):
3179         (JSC::setIntegrityLevel):
3180         (JSC::testIntegrityLevel):
3181         (JSC::ownPropertyKeys):
3182         * runtime/ObjectPrototype.cpp:
3183         (JSC::objectProtoFuncToString):
3184         * runtime/Operations.h:
3185         (JSC::jsString):
3186         (JSC::jsStringFromRegisterArray):
3187         (JSC::jsStringFromArguments):
3188         * runtime/ProgramExecutable.cpp:
3189         (JSC::ProgramExecutable::initializeGlobalProperties):
3190         * runtime/PromiseDeferredTimer.cpp:
3191         (JSC::PromiseDeferredTimer::PromiseDeferredTimer):
3192         (JSC::PromiseDeferredTimer::hasPendingPromise):
3193         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
3194         (JSC::PromiseDeferredTimer::cancelPendingPromise):
3195         * runtime/PropertyNameArray.h:
3196         (JSC::PropertyNameArray::PropertyNameArray):
3197         (JSC::PropertyNameArray::vm):
3198         * runtime/PropertySlot.h:
3199         (JSC::PropertySlot::getValue const):
3200         * runtime/ProxyObject.cpp:
3201         (JSC::performProxyGet):
3202         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3203         (JSC::ProxyObject::performHasProperty):
3204         (JSC::ProxyObject::getOwnPropertySlotByIndex):
3205         (JSC::ProxyObject::performPut):
3206         (JSC::ProxyObject::putByIndexCommon):
3207         (JSC::ProxyObject::performDelete):
3208         (JSC::ProxyObject::deletePropertyByIndex):
3209         (JSC::ProxyObject::performDefineOwnProperty):
3210         (JSC::ProxyObject::performGetOwnPropertyNames):
3211         * runtime/RegExpGlobalData.cpp:
3212         (JSC::RegExpGlobalData::getBackref):
3213         (JSC::RegExpGlobalData::getLastParen):
3214         * runtime/RegExpMatchesArray.cpp:
3215         (JSC::createEmptyRegExpMatchesArray):
3216         * runtime/RegExpMatchesArray.h:
3217         (JSC::createRegExpMatchesArray):
3218         * runtime/RegExpPrototype.cpp:
3219         (JSC::regExpProtoGetterFlags):
3220         (JSC::regExpProtoGetterSourceInternal):
3221         (JSC::regExpProtoGetterSource):
3222         * runtime/RegExpStringIteratorPrototype.cpp:
3223         (JSC::RegExpStringIteratorPrototype::finishCreation):
3224         * runtime/SamplingProfiler.cpp:
3225         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3226         * runtime/ScriptExecutable.cpp:
3227         (JSC::ScriptExecutable::installCode):
3228         (JSC::ScriptExecutable::newCodeBlockFor):
3229         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
3230         (JSC::setupJIT):
3231         * runtime/SetIteratorPrototype.cpp:
3232         (JSC::SetIteratorPrototype::finishCreation):
3233         * runtime/SetPrototype.cpp:
3234         (JSC::SetPrototype::finishCreation):
3235         * runtime/StackFrame.cpp:
3236         (JSC::StackFrame::computeLineAndColumn const):
3237         * runtime/StringConstructor.cpp:
3238         (JSC::stringFromCharCode):
3239         (JSC::stringFromCodePoint):
3240         (JSC::stringConstructor):
3241         (JSC::callStringConstructor):
3242         * runtime/StringIteratorPrototype.cpp:
3243         (JSC::StringIteratorPrototype::finishCreation):
3244         * runtime/StringObject.cpp:
3245         (JSC::StringObject::getOwnPropertySlotByIndex):
3246         (JSC::StringObject::getOwnPropertyNames):
3247         * runtime/StringObject.h:
3248         (JSC::StringObject::create):
3249         (JSC::jsStringWithReuse):
3250         (JSC::jsSubstring):
3251         * runtime/StringPrototype.cpp:
3252         (JSC::StringPrototype::finishCreation):
3253         (JSC::StringPrototype::create):
3254         (JSC::jsSpliceSubstrings):
3255         (JSC::jsSpliceSubstringsWithSeparators):
3256         (JSC::replaceUsingRegExpSearch):
3257         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
3258         (JSC::operationStringProtoFuncReplaceRegExpString):
3259         (JSC::replaceUsingStringSearch):
3260         (JSC::operationStringProtoFuncReplaceGeneric):
3261         (JSC::stringProtoFuncCharAt):
3262         (JSC::stringProtoFuncSplitFast):
3263         (JSC::stringProtoFuncSubstr):
3264         (JSC::stringProtoFuncToLowerCase):
3265         (JSC::stringProtoFuncToUpperCase):
3266         (JSC::toLocaleCase):
3267         (JSC::trimString):
3268         (JSC::normalize):
3269         * runtime/StringPrototypeInlines.h:
3270         (JSC::stringSlice):
3271         * runtime/StringRecursionChecker.cpp:
3272         (JSC::StringRecursionChecker::emptyString):
3273         * runtime/Structure.cpp:
3274         (JSC::Structure::didTransitionFromThisStructure const):
3275         * runtime/StructureInlines.h:
3276         (JSC::Structure::didReplaceProperty):
3277         (JSC::Structure::shouldConvertToPolyProto):
3278         * runtime/SymbolConstructor.cpp:
3279         (JSC::symbolConstructorKeyFor):
3280         * runtime/SymbolPrototype.cpp:
3281         (JSC::SymbolPrototype::finishCreation):
3282         (JSC::symbolProtoGetterDescription):
3283         (JSC::symbolProtoFuncToString):
3284         * runtime/SymbolTable.cpp:
3285         (JSC::SymbolTable::setRareDataCodeBlock):
3286         * runtime/TestRunnerUtils.cpp:
3287         (JSC::getExecutableForFunction):
3288         * runtime/VM.cpp:
3289         (JSC::VM::VM):