Add SPI to save a PDF from the contents of a WKWebView.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
4         https://bugs.webkit.org/show_bug.cgi?id=198253
5
6         Reviewed by Mark Lam.
7
8         ResultType of bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like a int32.
9         When it is specified, TypeMaybeNumber must exist too. This issue compiles op_div in JetStream2/async-fs slow-path. And eventually DFG first mis-compiles
10         it with Int32 ArithDiv while that div always produces double. And unnecessary OSR exit happens.
11
12         In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.
13
14         * parser/ResultType.h:
15         (JSC::ResultType::bigIntOrInt32Type):
16
17 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
18
19         [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
20         https://bugs.webkit.org/show_bug.cgi?id=201634
21
22         Reviewed by Mark Lam.
23
24         Accidentally, the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
25         For example, in BitAnd strength reduction,
26
27             1034             // Turn this: BitAnd(value, all-ones)
28             1035             // Into this: value.
29             1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
30             1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
31             1038                 replaceWithIdentity(m_value->child(0));
32             1039                 break;
33             1040             }
34
35         We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
36
37             262 inline bool Value::isInt(int64_t value) const
38             263 {
39             264     return hasInt() && asInt() == value;
40             265 }
41
42         So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX can be representable in int64_t. And Value::asInt implementation is,
43
44             257 inline int64_t Value::asInt() const
45             258 {
46             259     return hasInt32() ? asInt32() : asInt64();
47             260 }
48
49         So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
50         We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).
51
52         We also fix the following optimization.
53
54             // Turn this: BitAnd(Op(value, constant1), constant2)
55             //     where !(constant1 & constant2)
56             //       and Op is BitOr or BitXor
57             // into this: BitAnd(value, constant2)
58
59         Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
60
61             // Turn this: BitAnd(BitXor(x, allOnes), c)
62             // Into this: BitXor(BitOr(x, ~c), allOnes)
63
64         We add 32bit version of B3 tests for these optimizations.
65
66         * b3/B3LowerToAir.cpp:
67         * b3/B3ReduceStrength.cpp:
68         * b3/testb3.h:
69         * b3/testb3_2.cpp:
70         (testBitAndNotNot32):
71         (testBitAndNotImm):
72         (testBitAndNotImm32):
73         (testBitOrAndAndArgs32):
74         (testBitOrAndSameArgs32):
75         (testBitOrNotNot32):
76         (testBitOrNotImm32):
77         (addBitTests):
78         * b3/testb3_3.cpp:
79         (testBitXorAndAndArgs32):
80         (testBitXorAndSameArgs32):
81
82 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
83
84         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
85         https://bugs.webkit.org/show_bug.cgi?id=189043
86
87         Reviewed by Keith Miller.
88
89         This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan.
90         And remove Wasm::ModuleParser. This patch paves the way to implementing Wasm streaming features by
91         using Wasm::StreamingParser.
92
93         Currently, we are not using streaming feature of StreamingParser. In a subsequent patch, we will
94         create a mechanism to pipe a chunk of data to streaming parser to enable WebAssembly.compileStreaming
95         and instantiateStreaming.
96
97         * JavaScriptCore.xcodeproj/project.pbxproj:
98         * Sources.txt:
99         * tools/JSDollarVM.cpp:
100         (JSC::WasmStreamingParser::WasmStreamingParser):
101         * wasm/WasmAirIRGenerator.cpp:
102         (JSC::Wasm::parseAndCompileAir):
103         * wasm/WasmAirIRGenerator.h:
104         * wasm/WasmB3IRGenerator.cpp:
105         (JSC::Wasm::parseAndCompile): Use FunctionData, it is good since it is more strongly typed.
106         * wasm/WasmB3IRGenerator.h:
107         * wasm/WasmBBQPlan.cpp:
108         (JSC::Wasm::BBQPlan::BBQPlan):
109         (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation.
110         (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser.
111         (JSC::Wasm::BBQPlan::compileFunctions):
112         (JSC::Wasm::BBQPlan::complete):
113         * wasm/WasmBBQPlan.h:
114         * wasm/WasmModuleParser.cpp: Removed.
115         * wasm/WasmModuleParser.h: Removed.
116         * wasm/WasmOMGForOSREntryPlan.cpp:
117         (JSC::Wasm::OMGForOSREntryPlan::work):
118         * wasm/WasmOMGPlan.cpp:
119         (JSC::Wasm::OMGPlan::work):
120         * wasm/WasmPlan.cpp:
121         (JSC::Wasm::Plan::fail): Make fail function callable multiple times. The first error will be used.
122         * wasm/WasmSectionParser.cpp:
123         (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used.
124         * wasm/WasmStreamingParser.cpp:
125         (JSC::Wasm::StreamingParser::StreamingParser):
126         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
127         (JSC::Wasm::StreamingParser::parseFunctionPayload):
128         (JSC::Wasm::StreamingParser::parseSectionPayload):
129         (JSC::Wasm::StreamingParser::finalize): Call client's callbacks at appropriate timings.
130         * wasm/WasmStreamingParser.h:
131         (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
132         (JSC::Wasm::StreamingParserClient::didReceiveFunctionData):
133         (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient,
134         which has 3 callbacks right now. StreamingParser gets this client and call these callbacks
135         at appropriate timings.
136         * wasm/WasmValidate.cpp:
137         (JSC::Wasm::validateFunction):
138         * wasm/WasmValidate.h: Use FunctionData, it is good since it is more strongly typed.
139
140 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
141
142         [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory
143         https://bugs.webkit.org/show_bug.cgi?id=201622
144
145         Reviewed by Mark Lam.
146
147         CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, some of the places reallocate
148         this Vector without taking a lock. If a Vector memory is reallocated while iterating it in concurrent collector,
149         the concurrent collector can see a garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock.
150
151         * bytecode/CodeBlock.cpp:
152         (JSC::CodeBlock::finishCreation):
153         (JSC::CodeBlock::setConstantRegisters):
154         * bytecode/CodeBlock.h:
155         (JSC::CodeBlock::addConstant):
156         (JSC::CodeBlock::addConstantLazily):
157         * dfg/DFGDesiredWatchpoints.cpp:
158         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
159         (JSC::DFG::SymbolTableAdaptor::add):
160         (JSC::DFG::FunctionExecutableAdaptor::add):
161         * dfg/DFGGraph.cpp:
162         (JSC::DFG::Graph::registerFrozenValues):
163         * dfg/DFGJITFinalizer.cpp:
164         (JSC::DFG::JITFinalizer::finalizeCommon):
165         * dfg/DFGLazyJSValue.cpp:
166         (JSC::DFG::LazyJSValue::emit const):
167
168 2019-09-09  Robin Morisset  <rmorisset@apple.com>
169
170         [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array
171         https://bugs.webkit.org/show_bug.cgi?id=197305
172
173         Reviewed by Keith Miller.
174
175         Currently it is a HashSet, but it only ever holds at most registerCount() items. And linear search tends to be faster on such a small collection than hashing + searching in a HashSet.
176         Further benefits include avoiding the allocation of the HashSet, not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists).
177
178         This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly.
179         Apart from that, the patch got some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (that for example was only logging the number of iterations for FP registers, and not the more interesting number for GP registers).
180
181         The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms.
182         So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall.
183
184         No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2.
185
186         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
187
188 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
189
190         [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector
191         https://bugs.webkit.org/show_bug.cgi?id=201613
192
193         Reviewed by Mark Lam.
194
195         We do not need to maintain propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode
196         since we have MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the
197         issue that `op_create_promise` missed propertyAccessInstructions registration (a name "propertyAccessInstructions" is
198         misleading, it is like "instructions-requires-llint-finalize").
199
200         * bytecode/CodeBlock.cpp:
201         (JSC::CodeBlock::propagateTransitions):
202         (JSC::CodeBlock::finalizeLLIntInlineCaches):
203         * bytecode/UnlinkedCodeBlock.cpp:
204         (JSC::UnlinkedCodeBlock::applyModification):
205         (JSC::UnlinkedCodeBlock::shrinkToFit):
206         * bytecode/UnlinkedCodeBlock.h:
207         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
208         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted.
209         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted.
210         * bytecompiler/BytecodeGenerator.cpp:
211         (JSC::BytecodeGenerator::emitResolveScope):
212         (JSC::BytecodeGenerator::emitGetFromScope):
213         (JSC::BytecodeGenerator::emitPutToScope):
214         (JSC::BytecodeGenerator::emitGetById):
215         (JSC::BytecodeGenerator::emitDirectGetById):
216         (JSC::BytecodeGenerator::emitPutById):
217         (JSC::BytecodeGenerator::emitDirectPutById):
218         (JSC::BytecodeGenerator::emitCreateThis):
219         (JSC::BytecodeGenerator::emitToThis):
220         * runtime/CachedTypes.cpp:
221         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
222         (JSC::CachedCodeBlock<CodeBlockType>::encode):
223
224 2019-09-07  Keith Miller  <keith_miller@apple.com>
225
226         OSR entry into wasm misses some contexts
227         https://bugs.webkit.org/show_bug.cgi?id=201569
228
229         Reviewed by Yusuke Suzuki.
230
231         This patch fixes an issue where we could fail to capture some of
232         our contexts when OSR entering into wasm code. Before we would
233         only capture the state of the block immediately surrounding the
234         entrance loop block header. We actually need to capture all
235         enclosed stacks.
236
237         Additionally, we don't need to use variables for all the captured
238         values. We can use a Phi and insert an upsilon just below the
239         captured value.
240
241         * interpreter/CallFrame.h:
242         * jsc.cpp:
243         (GlobalObject::finishCreation):
244         (functionCallerIsOMGCompiled):
245         * wasm/WasmAirIRGenerator.cpp:
246         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
247         (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
248         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
249         (JSC::Wasm::AirIRGenerator::addLoop):
250         * wasm/WasmB3IRGenerator.cpp:
251         (JSC::Wasm::B3IRGenerator::createStack):
252         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
253         (JSC::Wasm::B3IRGenerator::addConstant):
254         (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
255         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
256         (JSC::Wasm::B3IRGenerator::addLoop):
257         (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
258         (JSC::Wasm::dumpExpressionStack):
259         (JSC::Wasm::B3IRGenerator::dump):
260         (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
261         (JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
262         (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
263         (JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
264         (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
265         (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
266         (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
267         (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
268         (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
269         (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
270         (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
271         (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.
272         * wasm/WasmFunctionParser.h:
273         (JSC::Wasm::FunctionParser::controlStack):
274
275 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
276
277         [JSC] Promise resolve/reject functions should be created more efficiently
278         https://bugs.webkit.org/show_bug.cgi?id=201488
279
280         Reviewed by Mark Lam.
281
282         While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it enforces FunctionRareData allocations.
283         Unfortunately, anonymous-builtin-function function can be created frequently since this type of function is used
284         for `resolve` and `reject` arguments of Promise's executor (e.g. `new Promise((resolve, reject) => ...)`'s resolve and reject).
285         Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower.
286
287         In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information
288         to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes
289         anonymous-builtin-function creation faster.
290
291         We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test.
292         The simple microbenchmark shows 1.7x improvement.
293
294                                               ToT                     Patched
295
296             promise-creation-many       45.6701+-0.1488     ^     26.8663+-1.8336        ^ definitely 1.6999x faster
297
298         * dfg/DFGSpeculativeJIT.cpp:
299         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
300         * ftl/FTLLowerDFGToB3.cpp:
301         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
302         * runtime/FunctionRareData.cpp:
303         (JSC::FunctionRareData::create):
304         (JSC::FunctionRareData::FunctionRareData):
305         * runtime/FunctionRareData.h:
306         * runtime/JSFunction.cpp:
307         (JSC::JSFunction::finishCreation):
308         (JSC::JSFunction::allocateRareData):
309         (JSC::JSFunction::allocateAndInitializeRareData):
310         * runtime/JSFunctionInlines.h:
311         (JSC::JSFunction::hasReifiedName const):
312
313 2019-09-07  Mark Lam  <mark.lam@apple.com>
314
315         performJITMemcpy() source buffer should not be in the Gigacage.
316         https://bugs.webkit.org/show_bug.cgi?id=201577
317         <rdar://problem/55142606>
318
319         Reviewed by Michael Saboff.
320
321         Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
322         buffer is not in the Gigacage.
323
324         * jit/ExecutableAllocator.h:
325         (JSC::performJITMemcpy):
326
327 2019-09-07  Mark Lam  <mark.lam@apple.com>
328
329         The jsc shell should allow disabling of the Gigacage for testing purposes.
330         https://bugs.webkit.org/show_bug.cgi?id=201579
331
332         Reviewed by Michael Saboff.
333
334         Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code.  If
335         this env var is present and it has a falsy value, then do not
336         forbidDisablingPrimitiveGigacage() in the jsc shell.
337
338         * jsc.cpp:
339         (jscmain):
340
341 2019-09-06  Mark Lam  <mark.lam@apple.com>
342
343         Harden protection of the Gigacage Config parameters.
344         https://bugs.webkit.org/show_bug.cgi?id=201570
345         <rdar://problem/55134229>
346
347         Reviewed by Saam Barati.
348
349         Just renaming some function names here.
350
351         * assembler/testmasm.cpp:
352         (JSC::testCagePreservesPACFailureBit):
353         * jit/AssemblyHelpers.h:
354         (JSC::AssemblyHelpers::cageConditionally):
355         * jsc.cpp:
356         (jscmain):
357
358 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
359
360         Math.round() produces wrong result for value prior to 0.5
361         https://bugs.webkit.org/show_bug.cgi?id=185115
362
363         Reviewed by Saam Barati.
364
365         Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994.
366         This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite.
367
368         Specifically:
369           - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5),
370             so taking the difference between ceil(value)` and `value` is problematic.
371           - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones
372             (by falling back to jsRound). This patch gives baseline a legitimate implementation too.
373
374         * dfg/DFGSpeculativeJIT.cpp:
375         (JSC::DFG::SpeculativeJIT::compileArithRounding):
376         * ftl/FTLLowerDFGToB3.cpp:
377         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
378         * jit/ThunkGenerators.cpp:
379         (JSC::roundThunkGenerator):
380         * runtime/MathCommon.cpp:
381
382 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
383
384         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
385         https://bugs.webkit.org/show_bug.cgi?id=201366
386
387         Reviewed by Saam Barati.
388
389         It is possible for the log buffer to be full right as someone is trying to
390         log a function prologue. In such a case the machine stack has already been
391         updated to include the new JavaScript call frame, but the prologue packet
392         cannot be included in the update because the log is full. This would mean
393         that the update fails to rationalize the machine stack with the shadow
394         log / stack. Namely, the current JavaScript call frame is unable to
395         find a matching prologue (the one we are holding to include after the update)
396         and inserts a questionable value into the stack; and in the process
397         missing and removing real potential tail calls.
398
399         For example:
400         
401             "use strict";
402             function third() { return 1; }
403             function second() { return third(); }
404             function first() { return second(); }
405             function start() { return first(); }
406
407         If the the log fills up just as we are entering `b` then we may have a list
408         full log of packets looking like:
409
410           Shadow Log:
411             ...
412             { prologue-packet: entering `start` ... }
413             { prologue-packet: entering `first` ... }
414             { tail-packet: leaving `first` with a tail call }
415
416           Incoming Packet:
417             { prologue-packet: entering `second` ... }
418
419           Current JS Stack:
420             second
421             start
422
423         Since the Current JavaScript stack already has `second`, if we process the
424         log without the prologue for `second` then we push a confused entry on the
425         shadow stack and clear the log such that we eventually lose the tail-call
426         information for `first` to `second`.
427
428         This patch solves this issue by providing enough extra space in the log
429         to always process the incoming packet when that forces an update. This way
430         clients can continue to behave exactly as they are.
431
432         --
433
434         We also document a corner case in some circumstances where the shadow
435         log may currently be insufficient to know how to reconcile:
436         
437         For example:
438
439             "use strict";
440             function third() { return 1; }
441             function second() { return third(); }
442             function first() { return second(); }
443             function doNothingTail() { return Math.random() }
444             function start() {
445                 for (i=0;i<1000;++i) doNothingTail();
446                 return first();
447             }
448
449         In this case the ShadowChicken log may be processed multiple times due
450         to the many calls to `doNothingTail` / `Math.random()`. When calling the
451         Native function no prologue packet is emitted, so it is unclear that we
452         temporarly go deeper and come back out on the stack, so the log appears
453         to have lots of doNothingTail calls reusing the same frame:
454
455           Shadow Log:
456             ...
457             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
458             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
459             , [125] tail-packet:{frame = 0x7ffeef8971f0}
460             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
461             , [127] tail-packet:{frame = 0x7ffeef8971f0}
462             ...
463             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
464             , [141] tail-packet:{frame = 0x7ffeef8971f0}
465             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
466             , [143] tail-packet:{frame = 0x7ffeef8971f0}
467             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
468             , [145] tail-packet:{frame = 0x7ffeef8971f0}
469             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
470             ...
471
472         This log would seem to be indistinguishable from real tail recursion, such as:
473
474             "use strict";
475             function third() { return 1; }
476             function second() { return third(); }
477             function first() { return second(); }
478             function doNothingTail(n) {
479                 return n ? doNothingTail(n-1) : first();
480             }
481             function start() {
482                 return doNothingTail(1000);
483             }
484
485         Likewise there are more cases where the shadow log appears to be ambiguous with determining
486         the appropriate parent call frame with intermediate function calls. In practice this may
487         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
488         It seems likely we would only show additional frames that did in fact happen serially
489         between JavaScript call frames, but may not actually be the proper parent frames
490         heirachy in the stack.
491
492         * interpreter/ShadowChicken.cpp:
493         (JSC::ShadowChicken::Packet::dump const):
494         (JSC::ShadowChicken::Frame::dump const):
495         (JSC::ShadowChicken::dump const):
496         Improved debugging output. Especially for functions.
497
498         (JSC::ShadowChicken::ShadowChicken):
499         Make space in the log for 1 additional packet to process when we slow log.
500
501         (JSC::ShadowChicken::log):
502         Include this packet in our update.
503
504         (JSC::ShadowChicken::update):
505         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
506
507 2019-09-06  Ryan Haddad  <ryanhaddad@apple.com>
508
509         Unreviewed, rolling out r249566.
510
511         Causes inspector layout test crashes under GuardMalloc
512
513         Reverted changeset:
514
515         "Tail Deleted Frames shown in Web Inspector are sometimes
516         incorrect (Shadow Chicken)"
517         https://bugs.webkit.org/show_bug.cgi?id=201366
518         https://trac.webkit.org/changeset/249566
519
520 2019-09-06  Guillaume Emont  <guijemont@igalia.com>
521
522         testmasm: save r6 in JIT'ed code on ARM_THUMB2
523         https://bugs.webkit.org/show_bug.cgi?id=201138
524
525         Reviewed by Mark Lam.
526
527         MacroAssemblerArmv7 uses r6 as a temporary register, and it is a
528         callee-saved register. The JITs use
529         AssemblyHelpers::emitSaveCalleeSaves() and friends to save
530         callee-saved registers, but there is no such mechanism in testmasm,
531         which seems to make the assumption that the macroassembler does not
532         use callee-saved registers (which I guess is true for all other
533         architectures, but not for Armv7).
534
535         This issue means that testmasm crashes on Armv7 since code generated
536         by gcc uses r6, and it gets modified by JIT'ed code.
537
538         This change makes sure that we save and restore r6 for all code
539         compiled by testmasm on Armv7.
540
541         * assembler/testmasm.cpp:
542         (JSC::emitFunctionPrologue):
543         (JSC::emitFunctionEpilogue):
544         (JSC::testSimple):
545         (JSC::testGetEffectiveAddress):
546         (JSC::testBranchTruncateDoubleToInt32):
547         (JSC::testBranchTestBit32RegReg):
548         (JSC::testBranchTestBit32RegImm):
549         (JSC::testBranchTestBit32AddrImm):
550         (JSC::testBranchTestBit64RegReg):
551         (JSC::testBranchTestBit64RegImm):
552         (JSC::testBranchTestBit64AddrImm):
553         (JSC::testCompareDouble):
554         (JSC::testMul32WithImmediates):
555         (JSC::testMul32SignExtend):
556         (JSC::testCompareFloat):
557         (JSC::testProbeReadsArgumentRegisters):
558         (JSC::testProbeWritesArgumentRegisters):
559         (JSC::testProbePreservesGPRS):
560         (JSC::testProbeModifiesStackPointer):
561         (JSC::testProbeModifiesProgramCounter):
562         (JSC::testProbeModifiesStackValues):
563         (JSC::testByteSwap):
564         (JSC::testMoveDoubleConditionally32):
565         (JSC::testMoveDoubleConditionally64):
566         (JSC::testCagePreservesPACFailureBit):
567
568 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
569
570         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
571         https://bugs.webkit.org/show_bug.cgi?id=201366
572
573         Reviewed by Saam Barati.
574
575         It is possible for the log buffer to be full right as someone is trying to
576         log a function prologue. In such a case the machine stack has already been
577         updated to include the new JavaScript call frame, but the prologue packet
578         cannot be included in the update because the log is full. This would mean
579         that the update fails to rationalize the machine stack with the shadow
580         log / stack. Namely, the current JavaScript call frame is unable to
581         find a matching prologue (the one we are holding to include after the update)
582         and inserts a questionable value into the stack; and in the process
583         missing and removing real potential tail calls.
584
585         For example:
586         
587             "use strict";
588             function third() { return 1; }
589             function second() { return third(); }
590             function first() { return second(); }
591             function start() { return first(); }
592
593         If the the log fills up just as we are entering `b` then we may have a list
594         full log of packets looking like:
595
596           Shadow Log:
597             ...
598             { prologue-packet: entering `start` ... }
599             { prologue-packet: entering `first` ... }
600             { tail-packet: leaving `first` with a tail call }
601
602           Incoming Packet:
603             { prologue-packet: entering `second` ... }
604
605           Current JS Stack:
606             second
607             start
608
609         Since the Current JavaScript stack already has `second`, if we process the
610         log without the prologue for `second` then we push a confused entry on the
611         shadow stack and clear the log such that we eventually lose the tail-call
612         information for `first` to `second`.
613
614         This patch solves this issue by providing enough extra space in the log
615         to always process the incoming packet when that forces an update. This way
616         clients can continue to behave exactly as they are.
617
618         --
619
620         We also document a corner case in some circumstances where the shadow
621         log may currently be insufficient to know how to reconcile:
622         
623         For example:
624
625             "use strict";
626             function third() { return 1; }
627             function second() { return third(); }
628             function first() { return second(); }
629             function doNothingTail() { return Math.random() }
630             function start() {
631                 for (i=0;i<1000;++i) doNothingTail();
632                 return first();
633             }
634
635         In this case the ShadowChicken log may be processed multiple times due
636         to the many calls to `doNothingTail` / `Math.random()`. When calling the
637         Native function no prologue packet is emitted, so it is unclear that we
638         temporarly go deeper and come back out on the stack, so the log appears
639         to have lots of doNothingTail calls reusing the same frame:
640
641           Shadow Log:
642             ...
643             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
644             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
645             , [125] tail-packet:{frame = 0x7ffeef8971f0}
646             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
647             , [127] tail-packet:{frame = 0x7ffeef8971f0}
648             ...
649             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
650             , [141] tail-packet:{frame = 0x7ffeef8971f0}
651             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
652             , [143] tail-packet:{frame = 0x7ffeef8971f0}
653             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
654             , [145] tail-packet:{frame = 0x7ffeef8971f0}
655             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
656             ...
657
658         This log would seem to be indistinguishable from real tail recursion, such as:
659
660             "use strict";
661             function third() { return 1; }
662             function second() { return third(); }
663             function first() { return second(); }
664             function doNothingTail(n) {
665                 return n ? doNothingTail(n-1) : first();
666             }
667             function start() {
668                 return doNothingTail(1000);
669             }
670
671         Likewise there are more cases where the shadow log appears to be ambiguous with determining
672         the appropriate parent call frame with intermediate function calls. In practice this may
673         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
674         It seems likely we would only show additional frames that did in fact happen serially
675         between JavaScript call frames, but may not actually be the proper parent frames
676         heirachy in the stack.
677
678         * interpreter/ShadowChicken.cpp:
679         (JSC::ShadowChicken::Packet::dump const):
680         (JSC::ShadowChicken::Frame::dump const):
681         (JSC::ShadowChicken::dump const):
682         Improved debugging output. Especially for functions.
683
684         (JSC::ShadowChicken::ShadowChicken):
685         Make space in the log for 1 additional packet to process when we slow log.
686
687         (JSC::ShadowChicken::log):
688         Include this packet in our update.
689
690         (JSC::ShadowChicken::update):
691         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
692
693 2019-09-05  Mark Lam  <mark.lam@apple.com>
694
695         Refactor the Gigacage code to require less pointer casting.
696         https://bugs.webkit.org/show_bug.cgi?id=201521
697
698         Reviewed by Saam Barati.
699
700         Change LLInt's loadCagedJSValue() to skip the caging if Gigacage is not enabled
701         in the build.  This allows us to remove the unneeded stubs in WTF Gigacage.h.
702
703         * jit/AssemblyHelpers.h:
704         (JSC::AssemblyHelpers::cageConditionally):
705         * llint/LowLevelInterpreter.asm:
706         * llint/LowLevelInterpreter64.asm:
707         * runtime/VM.h:
708         (JSC::VM::gigacageAuxiliarySpace):
709
710 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
711
712         Unreviewed, follow-up after r249530 and r249509
713         https://bugs.webkit.org/show_bug.cgi?id=201495
714
715         Rename FTLOutput::weakPointer to alreadyRegisteredWeakPointer and alreadyRegisteredFrozenPointer.
716
717         * builtins/PromiseConstructor.js:
718         (nakedConstructor.Promise.resolve):
719         (nakedConstructor.Promise.reject):
720         (nakedConstructor.Promise):
721         (nakedConstructor.InternalPromise.resolve):
722         (nakedConstructor.InternalPromise.reject):
723         (nakedConstructor.InternalPromise):
724         * ftl/FTLLowerDFGToB3.cpp:
725         (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
726         (JSC::FTL::DFG::LowerDFGToB3::frozenPointer):
727         (JSC::FTL::DFG::LowerDFGToB3::weakStructure):
728         * ftl/FTLOutput.h:
729         (JSC::FTL::Output::alreadyRegisteredWeakPointer):
730         (JSC::FTL::Output::alreadyRegisteredFrozenPointer):
731         (JSC::FTL::Output::weakPointer): Deleted.
732
733 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
734
735         [JSC] Generalize Get/PutPromiseInternalField for InternalFieldObjectImpl
736         https://bugs.webkit.org/show_bug.cgi?id=201513
737
738         Reviewed by Ross Kirsling.
739
740         This patch extracts JSPromise's internal fields mechanism as JSInternalFieldsObjectImpl, and make it reusable for the other objects.
741         It is preparation for using this internal fields mechanism for generators, async functions, async generators, array iterators and so on.
742
743         The profiler is telling many recompilation of Generator's resume function (including async generator's one). We are using properties
744         with private-symbols as a storage for internal state of generators. However, the spec defines that each generator from different generator-functions
745         has different [[Prototype]]. While we need to share one Generator.prototype.next function, generators tend to have different Structures due to
746         different [[Prototype]] and accessing internal fields with `get_by_id_direct` sadly becomes super megamorphic while it is not necessary.
747         And every time new Structure for new generator pops up, DFG/FTL code for generator resume function gets OSR exit or eventually this function gets
748         emits super generic code unfortunately. By using internal fields for storing these state, we can avoid this performance problem.
749
750         Bytecodes and corresponding DFG nodes are just renamed. JSPromise is now inheriting JSInternalFieldsObjectImpl, which can holds specified
751         number of internal fields. And op_get_internal_field / op_put_internal_field can access these internal fields.
752
753         * CMakeLists.txt:
754         * JavaScriptCore.xcodeproj/project.pbxproj:
755         * bytecode/BytecodeList.rb:
756         * bytecode/BytecodeUseDef.h:
757         (JSC::computeUsesForBytecodeOffset):
758         (JSC::computeDefsForBytecodeOffset):
759         * bytecode/CodeBlock.cpp:
760         (JSC::CodeBlock::finishCreation):
761         * bytecode/Opcode.h:
762         * bytecompiler/BytecodeGenerator.cpp:
763         (JSC::BytecodeGenerator::emitGetInternalField):
764         (JSC::BytecodeGenerator::emitPutInternalField):
765         (JSC::BytecodeGenerator::emitGetPromiseInternalField): Deleted.
766         (JSC::BytecodeGenerator::emitPutPromiseInternalField): Deleted.
767         * bytecompiler/BytecodeGenerator.h:
768         * bytecompiler/NodesCodegen.cpp:
769         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
770         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
771         * dfg/DFGAbstractInterpreterInlines.h:
772         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
773         * dfg/DFGByteCodeParser.cpp:
774         (JSC::DFG::ByteCodeParser::parseBlock):
775         * dfg/DFGCapabilities.cpp:
776         (JSC::DFG::capabilityLevel):
777         * dfg/DFGClobberize.h:
778         (JSC::DFG::clobberize):
779         * dfg/DFGDoesGC.cpp:
780         (JSC::DFG::doesGC):
781         * dfg/DFGFixupPhase.cpp:
782         (JSC::DFG::FixupPhase::fixupNode):
783         * dfg/DFGMayExit.cpp:
784         * dfg/DFGNode.h:
785         (JSC::DFG::Node::hasInternalFieldIndex):
786         (JSC::DFG::Node::hasHeapPrediction):
787         * dfg/DFGNodeType.h:
788         * dfg/DFGPredictionPropagationPhase.cpp:
789         * dfg/DFGSafeToExecute.h:
790         (JSC::DFG::safeToExecute):
791         * dfg/DFGSpeculativeJIT.cpp:
792         (JSC::DFG::SpeculativeJIT::compileGetInternalField):
793         (JSC::DFG::SpeculativeJIT::compilePutInternalField):
794         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
795         (JSC::DFG::SpeculativeJIT::compileNewPromise):
796         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField): Deleted.
797         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField): Deleted.
798         * dfg/DFGSpeculativeJIT.h:
799         * dfg/DFGSpeculativeJIT32_64.cpp:
800         (JSC::DFG::SpeculativeJIT::compile):
801         * dfg/DFGSpeculativeJIT64.cpp:
802         (JSC::DFG::SpeculativeJIT::compile):
803         * dfg/DFGStoreBarrierInsertionPhase.cpp:
804         * ftl/FTLAbstractHeapRepository.h:
805         * ftl/FTLCapabilities.cpp:
806         (JSC::FTL::canCompile):
807         * ftl/FTLLowerDFGToB3.cpp:
808         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
809         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
810         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
811         (JSC::FTL::DFG::LowerDFGToB3::compileGetInternalField):
812         (JSC::FTL::DFG::LowerDFGToB3::compilePutInternalField):
813         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField): Deleted.
814         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField): Deleted.
815         * jit/JIT.cpp:
816         (JSC::JIT::privateCompileMainPass):
817         * jit/JIT.h:
818         * jit/JITPropertyAccess.cpp:
819         (JSC::JIT::emit_op_get_internal_field):
820         (JSC::JIT::emit_op_put_internal_field):
821         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
822         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
823         * jit/JITPropertyAccess32_64.cpp:
824         (JSC::JIT::emit_op_get_internal_field):
825         (JSC::JIT::emit_op_put_internal_field):
826         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
827         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
828         * llint/LLIntOffsetsExtractor.cpp:
829         * llint/LowLevelInterpreter.asm:
830         * llint/LowLevelInterpreter32_64.asm:
831         * llint/LowLevelInterpreter64.asm:
832         * runtime/JSInternalFieldObjectImpl.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
833         (JSC::JSInternalFieldObjectImpl::allocationSize):
834         (JSC::JSInternalFieldObjectImpl::internalField const):
835         (JSC::JSInternalFieldObjectImpl::internalField):
836         (JSC::JSInternalFieldObjectImpl::offsetOfInternalFields):
837         (JSC::JSInternalFieldObjectImpl::offsetOfInternalField):
838         (JSC::JSInternalFieldObjectImpl::JSInternalFieldObjectImpl):
839         * runtime/JSInternalFieldObjectImplInlines.h: Added.
840         (JSC::JSInternalFieldObjectImpl<passedNumberOfInternalFields>::visitChildren):
841         * runtime/JSPromise.cpp:
842         (JSC::JSPromise::finishCreation):
843         (JSC::JSPromise::visitChildren):
844         (JSC::JSPromise::status const):
845         (JSC::JSPromise::result const):
846         (JSC::JSPromise::isHandled const):
847         * runtime/JSPromise.h:
848         (JSC::JSPromise::allocationSize): Deleted.
849         (JSC::JSPromise::offsetOfInternalFields): Deleted.
850         (JSC::JSPromise::offsetOfInternalField): Deleted.
851         (): Deleted.
852
853 2019-09-05  Commit Queue  <commit-queue@webkit.org>
854
855         Unreviewed, rolling out r247463.
856         https://bugs.webkit.org/show_bug.cgi?id=201515
857
858         JetStream2 code-load related regression (Requested by
859         yusukesuzuki on #webkit).
860
861         Reverted changeset:
862
863         "Keyword lookup can use memcmp to get around unaligned load
864         undefined behavior"
865         https://bugs.webkit.org/show_bug.cgi?id=199650
866         https://trac.webkit.org/changeset/247463
867
868 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
869
870         LazyClassStructure::setConstructor should not store the constructor to the global object
871         https://bugs.webkit.org/show_bug.cgi?id=201484
872         <rdar://problem/50400451>
873
874         Reviewed by Yusuke Suzuki.
875
876         LazyClassStructure::setConstructor sets the constructor as a property of the global object.
877         This became a problem when it started being used for WebAssembly constructors, such as Module
878         and Instance, since they are properties of the WebAssembly object, not the global object. That
879         resulted in properties of the global object replaced whenever a lazy WebAssembly constructor
880         was first accessed. e.g.
881
882         globalThis.Module = x;
883         WebAssembly.Module;
884         globalThis.Module === WebAssembly.Module;
885
886         * runtime/LazyClassStructure.cpp:
887         (JSC::LazyClassStructure::Initializer::setConstructor):
888         * runtime/LazyClassStructure.h:
889         * runtime/Lookup.h:
890         (JSC::reifyStaticProperty):
891
892 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
893
894         [JSC] Do not use FTLOutput::weakPointer directly
895         https://bugs.webkit.org/show_bug.cgi?id=201495
896
897         Reviewed by Filip Pizlo.
898
899         FTLOutput::weakPointer does not register the cell as a weak pointer.
900         CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion.
901         While the current implementation is not posing correctness issue since these cells are live so long as JSGlobalObject is live,
902         and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function.
903         For FrozenValue, we should use frozenPointer helper function.
904
905         * ftl/FTLLowerDFGToB3.cpp:
906         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
907         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
908
909 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
910
911         Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression
912         https://bugs.webkit.org/show_bug.cgi?id=201373
913
914         * bytecode/BytecodeList.rb:
915         * bytecode/BytecodeUseDef.h:
916         (JSC::computeUsesForBytecodeOffset):
917         (JSC::computeDefsForBytecodeOffset):
918         * bytecompiler/BytecodeGenerator.cpp:
919         (JSC::BytecodeGenerator::BytecodeGenerator):
920         (JSC::BytecodeGenerator::emitLoopHint):
921         (JSC::BytecodeGenerator::emitCheckTraps):
922         * bytecompiler/BytecodeGenerator.h:
923         * dfg/DFGByteCodeParser.cpp:
924         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
925         (JSC::DFG::ByteCodeParser::parseBlock):
926         * dfg/DFGCapabilities.cpp:
927         (JSC::DFG::capabilityLevel):
928         * jit/JIT.cpp:
929         (JSC::JIT::emitEnterOptimizationCheck):
930         (JSC::JIT::privateCompileMainPass):
931         (JSC::JIT::privateCompileSlowCases):
932         * jit/JIT.h:
933         * jit/JITOpcodes.cpp:
934         (JSC::JIT::emit_op_enter):
935         (JSC::JIT::emit_op_loop_hint):
936         (JSC::JIT::emitSlow_op_loop_hint):
937         (JSC::JIT::emit_op_check_traps):
938         (JSC::JIT::emitSlow_op_check_traps):
939         (JSC::JIT::emitSlow_op_enter): Deleted.
940         * jit/JITOpcodes32_64.cpp:
941         (JSC::JIT::emit_op_enter):
942         * llint/LowLevelInterpreter.asm:
943         * llint/LowLevelInterpreter32_64.asm:
944         * llint/LowLevelInterpreter64.asm:
945         * runtime/CommonSlowPaths.cpp:
946         (JSC::SLOW_PATH_DECL):
947         * runtime/CommonSlowPaths.h:
948
949 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
950
951         Unreviewed, rebaseline builtin generator test results
952         https://bugs.webkit.org/show_bug.cgi?id=200898
953
954         Rebaseline the result files.
955
956         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
957         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
958         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
959         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
960         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
961         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
962         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
963         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
964         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
965         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
966         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
967         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
968         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
969
970 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
971
972         [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen
973         https://bugs.webkit.org/show_bug.cgi?id=201485
974
975         Reviewed by Tadeu Zagallo.
976
977         FunctionOverrides is a per-process singleton for registering overrides information. But we are accessing
978         it without taking a lock. If multiple threads with multiple VMs are accessing this concurrently, we have
979         a race issue like,
980
981         1. While one thread is adding overrides information,
982         2. Another thread is accessing this hash table.
983
984         This patch adds a lock to make sure that only one thread can access this registry.
985
986         * tools/FunctionOverrides.cpp:
987         (JSC::FunctionOverrides::FunctionOverrides):
988         (JSC::FunctionOverrides::reinstallOverrides):
989         (JSC::FunctionOverrides::initializeOverrideFor):
990         (JSC::FunctionOverrides::parseOverridesInFile):
991         * tools/FunctionOverrides.h:
992         (JSC::FunctionOverrides::clear):
993
994 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
995
996         [JSC] Make Promise implementation faster
997         https://bugs.webkit.org/show_bug.cgi?id=200898
998
999         Reviewed by Saam Barati.
1000
1001         This is the major change of the Promise implementation and it improves JetStream2/async-fs by 62%.
1002
1003         1. Make JSPromise C++ friendly
1004
1005             Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise.
1006             This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these
1007             fields from C++ easy. Moreover, this patch reduces # of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal
1008             fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL
1009             supports. They are similar to GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand
1010             this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1].
1011
1012             We also add JSPromiseType as JSType. And structures for JSPromise should have that. So that now `@isPromise` is efficiently implemented.
1013             This also requires adding SpecPromiseObject and PromiseObjectUse to DFG.
1014
1015             Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension
1016             is filed in [2].
1017
1018         2. Make JSPromise constructor JS friendly
1019
1020             The old JSPromise constructor was very inefficient: JSPromise constructor is InternalFunction in C++, and in it, it
1021             calls `initializePromise` JS function. And this `initializePromise` function invokes `executor` function passed by user program.
1022             If we can implement JSPromise constructor fully in JS, we can recognize `executor` and we have a chance to fully inline them.
1023             Unfortunately, we cannot inline JSPromise constructor for now since it takes 120 bytecode cost while our inlining threshold for
1024             construct is 100. We might want to investigate getting it inlined in the future[3].
1025
1026             We can avoid C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces @nakedConstructor
1027             annotation to builtin JS. And this is propagated as `ConstructorKind::Naked`. If this kind is attached, the bytecode generator
1028             do not emit `op_create_this` implicitly and the constructor does not return `this` object implicitly. The naked constructor allows
1029             us to emit bare-metal bytecode, specifically necessary to allocate non-final JSObject from JS constructor. We introduce op_create_promise,
1030             which is similar to op_create_this, but it allocates JSPromise. And by using @createPromise bytecode intrinsic, we implement
1031             JSPromise constructor fully in JS.
1032             With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4].
1033
1034         3. DFG supports for JSPromise operations
1035
1036             This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis,
1037             and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate
1038             promises. CreatePromise and NewPromise have `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG.
1039             When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism
1040             used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile
1041             can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable
1042             in DFG, we connect watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's
1043             structure is invalidated: `callee.prototype` is replaced.
1044
1045         4. Avoid creating unnecessary promises
1046
1047             Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. And some of promise creation can be avoided.
1048             For example, when resolving a value with `Promise.resolve`, if a value is promise and if it's `then` method is the builtin `then`, we can avoid creating
1049             intermediate promise. To handle these things well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They
1050             take `onFulfilled` and `onRejected` handlers and they do not need an intermediate promise for resolving. This removes internal promise allocations
1051             in major cases and makes promise / async-functions efficient. And we also expose builtin `then` function as `@then`, and insert `@isPromise(xxx) && then === @then`
1052             check to take a fast path. We introduced four types of promise reactions to avoid some of object allocations. And microtask reaction is handling these four types.
1053
1054         5. Avoid creating resolving-functions and promise capabilities
1055
1056             Resolving functions have `alreadyResolved` flag to prevent calling `resolve` and `reject` multiple times. For the first resolving function creation, this
1057             patch embeds one bit flag to JSPromise itself which indicates `alreadyResolved` in the first created resolving functions (resolving functions can be later
1058             created again for the same promise. In that case, we just create a usual resolving functions). By doing so, we avoid unnecessary resolving functions
1059             and promise capability allocations. We introduce a wrapper function `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`.
1060             The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with the calls to these functions, e.g. replacing
1061             `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`.
1062             This mechanism will be used to drop JSPromiseDeferred in a separate patch.
1063
1064         JetStream2/async-fs results.
1065             ToT:
1066                 Running async-fs:
1067                     Startup: 116.279
1068                     Worst Case: 151.515
1069                     Average: 176.630
1070                     Score: 145.996
1071                     Wall time: 0:01.149
1072
1073             Patched:
1074                 Running async-fs:
1075                     Startup: 166.667
1076                     Worst Case: 267.857
1077                     Average: 299.080
1078                     Score: 237.235
1079                     Wall time: 0:00.683
1080
1081         [1]: https://bugs.webkit.org/show_bug.cgi?id=201159
1082         [2]: https://bugs.webkit.org/show_bug.cgi?id=201160
1083         [3]: https://bugs.webkit.org/show_bug.cgi?id=201452
1084         [4]: https://bugs.webkit.org/show_bug.cgi?id=201158
1085
1086         * CMakeLists.txt:
1087         * JavaScriptCore.xcodeproj/project.pbxproj:
1088         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
1089         (ConstructAbility):
1090         (ConstructorKind):
1091         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
1092         * Scripts/wkbuiltins/builtins_generator.py:
1093         (BuiltinsGenerator.generate_embedded_code_data_for_function):
1094         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
1095         * Scripts/wkbuiltins/builtins_model.py:
1096         (BuiltinFunction.__init__):
1097         (BuiltinFunction.fromString):
1098         * Scripts/wkbuiltins/builtins_templates.py:
1099         * builtins/AsyncFromSyncIteratorPrototype.js:
1100         (next.try):
1101         (next):
1102         (return.try):
1103         (return):
1104         (throw.try):
1105         (throw):
1106         * builtins/AsyncFunctionPrototype.js:
1107         (globalPrivate.asyncFunctionResume):
1108         * builtins/AsyncGeneratorPrototype.js:
1109         (globalPrivate.asyncGeneratorQueueIsEmpty):
1110         (globalPrivate.asyncGeneratorQueueEnqueue):
1111         (globalPrivate.asyncGeneratorQueueDequeue):
1112         (globalPrivate.asyncGeneratorReject):
1113         (globalPrivate.asyncGeneratorResolve):
1114         (globalPrivate.asyncGeneratorYield):
1115         (onRejected):
1116         (globalPrivate.awaitValue):
1117         (onFulfilled):
1118         (globalPrivate.doAsyncGeneratorBodyCall):
1119         (globalPrivate.asyncGeneratorResumeNext):
1120         (globalPrivate.asyncGeneratorEnqueue):
1121         (globalPrivate.asyncGeneratorDequeue): Deleted.
1122         (const.onRejected): Deleted.
1123         (const.onFulfilled): Deleted.
1124         (globalPrivate.asyncGeneratorResumeNext.): Deleted.
1125         * builtins/BuiltinExecutableCreator.h:
1126         * builtins/BuiltinExecutables.cpp:
1127         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1128         (JSC::BuiltinExecutables::createDefaultConstructor):
1129         (JSC::BuiltinExecutables::createBuiltinExecutable):
1130         (JSC::BuiltinExecutables::createExecutable):
1131         (JSC::createBuiltinExecutable): Deleted.
1132         * builtins/BuiltinExecutables.h:
1133         * builtins/BuiltinNames.h:
1134         * builtins/BuiltinUtils.h:
1135         * builtins/ModuleLoader.js:
1136         (forceFulfillPromise):
1137         * builtins/PromiseConstructor.js:
1138         (nakedConstructor.Promise.resolve):
1139         (nakedConstructor.Promise.reject):
1140         (nakedConstructor.Promise):
1141         (nakedConstructor.InternalPromise.resolve):
1142         (nakedConstructor.InternalPromise.reject):
1143         (nakedConstructor.InternalPromise):
1144         * builtins/PromiseOperations.js:
1145         (globalPrivate.newPromiseReaction):
1146         (globalPrivate.newPromiseCapability):
1147         (globalPrivate.newHandledRejectedPromise):
1148         (globalPrivate.triggerPromiseReactions):
1149         (globalPrivate.resolvePromise):
1150         (globalPrivate.rejectPromise):
1151         (globalPrivate.fulfillPromise):
1152         (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck):
1153         (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck):
1154         (globalPrivate.createResolvingFunctions.resolve):
1155         (globalPrivate.createResolvingFunctions.reject):
1156         (globalPrivate.createResolvingFunctions):
1157         (globalPrivate.promiseReactionJobWithoutPromise):
1158         (globalPrivate.resolveWithoutPromise):
1159         (globalPrivate.rejectWithoutPromise):
1160         (globalPrivate.fulfillWithoutPromise):
1161         (resolve):
1162         (reject):
1163         (globalPrivate.createResolvingFunctionsWithoutPromise):
1164         (globalPrivate.promiseReactionJob):
1165         (globalPrivate.promiseResolveThenableJobFast):
1166         (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
1167         (globalPrivate.promiseResolveThenableJob):
1168         (globalPrivate.isPromise): Deleted.
1169         (globalPrivate.newPromiseCapability.executor): Deleted.
1170         (globalPrivate.initializePromise): Deleted.
1171         * builtins/PromisePrototype.js:
1172         (then):
1173         * bytecode/BytecodeIntrinsicRegistry.cpp:
1174         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1175         * bytecode/BytecodeIntrinsicRegistry.h:
1176         * bytecode/BytecodeList.rb:
1177         * bytecode/BytecodeUseDef.h:
1178         (JSC::computeUsesForBytecodeOffset):
1179         (JSC::computeDefsForBytecodeOffset):
1180         * bytecode/CodeBlock.cpp:
1181         (JSC::CodeBlock::finishCreation):
1182         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1183         * bytecode/Opcode.h:
1184         * bytecode/SpeculatedType.cpp:
1185         (JSC::dumpSpeculation):
1186         (JSC::speculationFromClassInfo):
1187         (JSC::speculationFromJSType):
1188         (JSC::speculationFromString):
1189         * bytecode/SpeculatedType.h:
1190         * bytecode/UnlinkedFunctionExecutable.h:
1191         * bytecompiler/BytecodeGenerator.cpp:
1192         (JSC::BytecodeGenerator::generate):
1193         (JSC::BytecodeGenerator::BytecodeGenerator):
1194         (JSC::BytecodeGenerator::emitGetPromiseInternalField):
1195         (JSC::BytecodeGenerator::emitPutPromiseInternalField):
1196         (JSC::BytecodeGenerator::emitCreatePromise):
1197         (JSC::BytecodeGenerator::emitNewPromise):
1198         (JSC::BytecodeGenerator::emitReturn):
1199         * bytecompiler/BytecodeGenerator.h:
1200         (JSC::BytecodeGenerator::promiseRegister):
1201         (JSC::BytecodeGenerator::emitIsPromise):
1202         (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted.
1203         * bytecompiler/NodesCodegen.cpp:
1204         (JSC::promiseInternalFieldIndex):
1205         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
1206         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
1207         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise):
1208         (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise):
1209         (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise):
1210         (JSC::FunctionNode::emitBytecode):
1211         * dfg/DFGAbstractHeap.h:
1212         * dfg/DFGAbstractInterpreterInlines.h:
1213         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1214         * dfg/DFGByteCodeParser.cpp:
1215         (JSC::DFG::ByteCodeParser::parseBlock):
1216         * dfg/DFGCapabilities.cpp:
1217         (JSC::DFG::capabilityLevel):
1218         * dfg/DFGClobberize.h:
1219         (JSC::DFG::clobberize):
1220         * dfg/DFGClobbersExitState.cpp:
1221         (JSC::DFG::clobbersExitState):
1222         * dfg/DFGConstantFoldingPhase.cpp:
1223         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1224         * dfg/DFGDoesGC.cpp:
1225         (JSC::DFG::doesGC):
1226         * dfg/DFGFixupPhase.cpp:
1227         (JSC::DFG::FixupPhase::fixupNode):
1228         * dfg/DFGGraph.cpp:
1229         (JSC::DFG::Graph::dump):
1230         * dfg/DFGHeapLocation.cpp:
1231         (WTF::printInternal):
1232         * dfg/DFGHeapLocation.h:
1233         * dfg/DFGMayExit.cpp:
1234         * dfg/DFGNode.h:
1235         (JSC::DFG::Node::convertToNewPromise):
1236         (JSC::DFG::Node::hasIsInternalPromise):
1237         (JSC::DFG::Node::isInternalPromise):
1238         (JSC::DFG::Node::hasInternalFieldIndex):
1239         (JSC::DFG::Node::internalFieldIndex):
1240         (JSC::DFG::Node::hasHeapPrediction):
1241         (JSC::DFG::Node::hasStructure):
1242         * dfg/DFGNodeType.h:
1243         * dfg/DFGOperations.cpp:
1244         * dfg/DFGOperations.h:
1245         * dfg/DFGPredictionPropagationPhase.cpp:
1246         * dfg/DFGPromotedHeapLocation.cpp:
1247         (WTF::printInternal):
1248         * dfg/DFGPromotedHeapLocation.h:
1249         * dfg/DFGSafeToExecute.h:
1250         (JSC::DFG::SafeToExecuteEdge::operator()):
1251         (JSC::DFG::safeToExecute):
1252         * dfg/DFGSpeculativeJIT.cpp:
1253         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1254         (JSC::DFG::SpeculativeJIT::speculatePromiseObject):
1255         (JSC::DFG::SpeculativeJIT::speculate):
1256         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField):
1257         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField):
1258         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
1259         (JSC::DFG::SpeculativeJIT::compileNewPromise):
1260         * dfg/DFGSpeculativeJIT.h:
1261         * dfg/DFGSpeculativeJIT32_64.cpp:
1262         (JSC::DFG::SpeculativeJIT::compile):
1263         * dfg/DFGSpeculativeJIT64.cpp:
1264         (JSC::DFG::SpeculativeJIT::compile):
1265         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1266         * dfg/DFGUseKind.cpp:
1267         (WTF::printInternal):
1268         * dfg/DFGUseKind.h:
1269         (JSC::DFG::typeFilterFor):
1270         (JSC::DFG::isCell):
1271         * ftl/FTLAbstractHeapRepository.h:
1272         * ftl/FTLCapabilities.cpp:
1273         (JSC::FTL::canCompile):
1274         * ftl/FTLLowerDFGToB3.cpp:
1275         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1276         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1277         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
1278         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1279         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField):
1280         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField):
1281         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1282         (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject):
1283         * jit/JIT.cpp:
1284         (JSC::JIT::privateCompileMainPass):
1285         (JSC::JIT::privateCompileSlowCases):
1286         * jit/JIT.h:
1287         * jit/JITOperations.cpp:
1288         * jit/JITOperations.h:
1289         * jit/JITPropertyAccess.cpp:
1290         (JSC::JIT::emit_op_get_promise_internal_field):
1291         (JSC::JIT::emit_op_put_promise_internal_field):
1292         * jit/JITPropertyAccess32_64.cpp:
1293         (JSC::JIT::emit_op_get_promise_internal_field):
1294         (JSC::JIT::emit_op_put_promise_internal_field):
1295         * llint/LowLevelInterpreter.asm:
1296         * llint/LowLevelInterpreter32_64.asm:
1297         * llint/LowLevelInterpreter64.asm:
1298         * parser/Parser.cpp:
1299         (JSC::Parser<LexerType>::Parser):
1300         (JSC::Parser<LexerType>::parseFunctionInfo):
1301         * parser/Parser.h:
1302         (JSC::parse):
1303         * parser/ParserModes.h:
1304         * runtime/CommonSlowPaths.cpp:
1305         (JSC::SLOW_PATH_DECL):
1306         * runtime/CommonSlowPaths.h:
1307         * runtime/ConstructAbility.h:
1308         * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h.
1309         * runtime/FunctionRareData.cpp:
1310         (JSC::FunctionRareData::FunctionRareData):
1311         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1312         (JSC::FunctionRareData::clear):
1313         * runtime/FunctionRareData.h:
1314         * runtime/InternalFunction.cpp:
1315         (JSC::InternalFunction::createSubclassStructureSlow):
1316         * runtime/InternalFunction.h:
1317         (JSC::InternalFunction::createSubclassStructure):
1318         * runtime/JSCast.h:
1319         * runtime/JSGlobalObject.cpp:
1320         (JSC::enqueueJob):
1321         (JSC::JSGlobalObject::init):
1322         (JSC::JSGlobalObject::visitChildren):
1323         * runtime/JSGlobalObject.h:
1324         (JSC::JSGlobalObject::arrayProtoValuesFunction const):
1325         (JSC::JSGlobalObject::promiseProtoThenFunction const):
1326         (JSC::JSGlobalObject::initializePromiseFunction const): Deleted.
1327         * runtime/JSInternalPromise.cpp:
1328         (JSC::JSInternalPromise::createStructure):
1329         * runtime/JSInternalPromiseConstructor.cpp:
1330         (JSC::JSInternalPromiseConstructor::create):
1331         (JSC::JSInternalPromiseConstructor::createStructure):
1332         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
1333         (JSC::constructPromise): Deleted.
1334         * runtime/JSInternalPromiseConstructor.h:
1335         * runtime/JSInternalPromisePrototype.cpp:
1336         (JSC::JSInternalPromisePrototype::create):
1337         * runtime/JSMicrotask.cpp:
1338         (JSC::createJSMicrotask):
1339         (JSC::JSMicrotask::run):
1340         * runtime/JSMicrotask.h:
1341         * runtime/JSPromise.cpp:
1342         (JSC::JSPromise::createStructure):
1343         (JSC::JSPromise::finishCreation):
1344         (JSC::JSPromise::visitChildren):
1345         (JSC::JSPromise::status const):
1346         (JSC::JSPromise::result const):
1347         (JSC::JSPromise::isHandled const):
1348         (JSC::JSPromise::initialize): Deleted.
1349         * runtime/JSPromise.h:
1350         (JSC::JSPromise::allocationSize):
1351         (JSC::JSPromise::offsetOfInternalFields):
1352         (JSC::JSPromise::offsetOfInternalField):
1353         * runtime/JSPromiseConstructor.cpp:
1354         (JSC::JSPromiseConstructor::create):
1355         (JSC::JSPromiseConstructor::createStructure):
1356         (JSC::JSPromiseConstructor::JSPromiseConstructor):
1357         (JSC::JSPromiseConstructor::finishCreation):
1358         (JSC::constructPromise): Deleted.
1359         (JSC::callPromise): Deleted.
1360         * runtime/JSPromiseConstructor.h:
1361         * runtime/JSPromisePrototype.cpp:
1362         (JSC::JSPromisePrototype::create):
1363         (JSC::JSPromisePrototype::finishCreation):
1364         (JSC::JSPromisePrototype::addOwnInternalSlots):
1365         * runtime/JSPromisePrototype.h:
1366         * runtime/JSType.cpp:
1367         (WTF::printInternal):
1368         * runtime/JSType.h:
1369
1370 2019-09-04  Joseph Pecoraro  <pecoraro@apple.com>
1371
1372         Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based)
1373         https://bugs.webkit.org/show_bug.cgi?id=201262
1374         <rdar://problem/13108764>
1375
1376         Reviewed by Devin Rousso.
1377
1378         When interception is enabled, Network requests that match any of the configured
1379         interception patterns will be paused on the backend and allowed to be modified
1380         by the frontend.
1381
1382         Currently the only time a network request can be intercepted is during the
1383         HTTP response. However, this intercepting interface is mean to extend to
1384         HTTP requests as well.
1385
1386         When a response is to be intercepted a new event is sent to the frontend:
1387
1388           `Network.responseIntercepted` event
1389
1390         With a `requestId` to identify that network request. The frontend
1391         must respond with one of the following commands to continue:
1392
1393           `Network.interceptContinue`     - proceed with the response unmodified
1394           `Network.interceptWithResponse` - provide a response
1395
1396         The response is paused in the meantime.
1397
1398         * inspector/protocol/Network.json:
1399         New interfaces for intercepting network responses and suppling override content.
1400
1401         * Scripts/generate-combined-inspector-json.py:
1402         * inspector/scripts/generate-inspector-protocol-bindings.py:
1403         (generate_from_specification.load_specification):
1404         Complete allowing comments in JSON protocol files.
1405
1406         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1407         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
1408         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1409         Allow optional enums in ObjC interfaces.
1410
1411 2019-09-03  Mark Lam  <mark.lam@apple.com>
1412
1413         Structure::storedPrototype() and storedPrototypeObject() should assert with isCompilationThread(), not !isMainThread().
1414         https://bugs.webkit.org/show_bug.cgi?id=201449
1415
1416         Reviewed by Yusuke Suzuki.
1417
1418         Using !isMainThread() in the assertion also disables the assertion for the mutator
1419         of worker threads.  This is not what we intended.
1420
1421         * runtime/StructureInlines.h:
1422         (JSC::Structure::storedPrototype const):
1423         (JSC::Structure::storedPrototypeObject const):
1424
1425 2019-09-04  Mark Lam  <mark.lam@apple.com>
1426
1427         Disambiguate a symbol used in JSDollarVM.
1428         https://bugs.webkit.org/show_bug.cgi?id=201466
1429         <rdar://problem/51826672>
1430
1431         Reviewed by Tadeu Zagallo.
1432
1433         This was causing a build issue on some internal build.
1434
1435         * tools/JSDollarVM.cpp:
1436
1437 2019-09-03  Mark Lam  <mark.lam@apple.com>
1438
1439         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
1440         https://bugs.webkit.org/show_bug.cgi?id=201309
1441         <rdar://problem/54832121>
1442
1443         Reviewed by Yusuke Suzuki.
1444
1445         * dfg/DFGAbstractInterpreterInlines.h:
1446         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1447         * runtime/JSArrayBufferView.h:
1448         * runtime/JSArrayBufferViewInlines.h:
1449         (JSC::JSArrayBufferView::possiblySharedBufferImpl):
1450         (JSC::JSArrayBufferView::possiblySharedBuffer):
1451         (JSC::JSArrayBufferView::byteOffsetImpl):
1452         (JSC::JSArrayBufferView::byteOffset):
1453         (JSC::JSArrayBufferView::byteOffsetConcurrently):
1454
1455 2019-09-03  Devin Rousso  <drousso@apple.com>
1456
1457         Web Inspector: implement blackboxing of script resources
1458         https://bugs.webkit.org/show_bug.cgi?id=17240
1459         <rdar://problem/5732847>
1460
1461         Reviewed by Joseph Pecoraro.
1462
1463         When a script is blackboxed and the debugger attempts to pause in that script, the pause
1464         reason/data will be saved and execution will continue until it has left the blackboxed
1465         script. Once outside, execution is paused with the saved reason/data.
1466
1467         This is especially useful when debugging issues using libraries/frameworks, as it allows the
1468         developer to "skip" the internal logic of the library/framework and instead focus only on
1469         how they're using it.
1470
1471         * inspector/protocol/Debugger.json:
1472         Add `setShouldBlackboxURL` command.
1473
1474         * inspector/agents/InspectorDebuggerAgent.h:
1475         * inspector/agents/InspectorDebuggerAgent.cpp:
1476         (Inspector::InspectorDebuggerAgent):
1477         (Inspector::InspectorDebuggerAgent::enable):
1478         (Inspector::InspectorDebuggerAgent::updatePauseReasonAndData): Added.
1479         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1480         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
1481         (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): Added.
1482         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
1483         (Inspector::InspectorDebuggerAgent::didParseSource):
1484         (Inspector::InspectorDebuggerAgent::didPause):
1485         (Inspector::InspectorDebuggerAgent::didContinue):
1486         (Inspector::InspectorDebuggerAgent::breakProgram):
1487         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
1488         (Inspector::InspectorDebuggerAgent::clearPauseDetails): Added.
1489         (Inspector::InspectorDebuggerAgent::clearBreakDetails): Deleted.
1490         Renamed "break" to "pause" to match `Debugger` naming.
1491
1492         * debugger/Debugger.h:
1493         * debugger/Debugger.cpp:
1494         (JSC::Debugger::pauseIfNeeded):
1495         (JSC::Debugger::setBlackboxType): Added.
1496         (JSC::Debugger::clearBlackbox): Added.
1497         (JSC::Debugger::isBlacklisted const): Deleted.
1498         (JSC::Debugger::addToBlacklist): Deleted.
1499         (JSC::Debugger::clearBlacklist): Deleted.
1500
1501 2019-09-03  Mark Lam  <mark.lam@apple.com>
1502
1503         Remove the need to pass performJITMemcpy as a pointer.
1504         https://bugs.webkit.org/show_bug.cgi?id=201413
1505
1506         Reviewed by Michael Saboff.
1507
1508         We want performJITMemcpy to always be inlined.  In this patch, we also clean up
1509         some template parameters to use enums instead of booleans to better document the
1510         intent of the code.
1511
1512         * assembler/ARM64Assembler.h:
1513         (JSC::ARM64Assembler::fillNops):
1514         (JSC::ARM64Assembler::linkJump):
1515         (JSC::ARM64Assembler::linkCall):
1516         (JSC::ARM64Assembler::relinkJump):
1517         (JSC::ARM64Assembler::relinkCall):
1518         (JSC::ARM64Assembler::link):
1519         (JSC::ARM64Assembler::linkJumpOrCall):
1520         (JSC::ARM64Assembler::linkCompareAndBranch):
1521         (JSC::ARM64Assembler::linkConditionalBranch):
1522         (JSC::ARM64Assembler::linkTestAndBranch):
1523         (JSC::ARM64Assembler::relinkJumpOrCall):
1524         (JSC::ARM64Assembler::CopyFunction::CopyFunction): Deleted.
1525         (JSC::ARM64Assembler::CopyFunction::operator()): Deleted.
1526         * assembler/ARMv7Assembler.h:
1527         (JSC::ARMv7Assembler::fillNops):
1528         (JSC::ARMv7Assembler::link):
1529         (JSC::ARMv7Assembler::linkJumpT1):
1530         (JSC::ARMv7Assembler::linkJumpT2):
1531         (JSC::ARMv7Assembler::linkJumpT3):
1532         (JSC::ARMv7Assembler::linkJumpT4):
1533         (JSC::ARMv7Assembler::linkConditionalJumpT4):
1534         (JSC::ARMv7Assembler::linkBX):
1535         (JSC::ARMv7Assembler::linkConditionalBX):
1536         * assembler/AbstractMacroAssembler.h:
1537         (JSC::AbstractMacroAssembler::emitNops):
1538         * assembler/LinkBuffer.cpp:
1539         (JSC::LinkBuffer::copyCompactAndLinkCode):
1540         * assembler/MIPSAssembler.h:
1541         (JSC::MIPSAssembler::fillNops):
1542         * assembler/MacroAssemblerARM64.h:
1543         (JSC::MacroAssemblerARM64::link):
1544         * assembler/MacroAssemblerARMv7.h:
1545         (JSC::MacroAssemblerARMv7::link):
1546         * assembler/X86Assembler.h:
1547         (JSC::X86Assembler::fillNops):
1548         * jit/ExecutableAllocator.h:
1549         (JSC::performJITMemcpy):
1550         * runtime/JSCPtrTag.h:
1551
1552 2019-09-03  Devin Rousso  <drousso@apple.com>
1553
1554         REGRESSION (r249078): Flaky crash in com.apple.JavaScriptCore: Inspector::InjectedScriptModule::ensureInjected
1555         https://bugs.webkit.org/show_bug.cgi?id=201201
1556         <rdar://problem/54771560>
1557
1558         Reviewed by Joseph Pecoraro.
1559
1560         * inspector/InjectedScriptSource.js:
1561         (let.InjectedScript.prototype.injectModule):
1562         (let.InjectedScript.prototype._evaluateOn):
1563         (CommandLineAPI):
1564         (let.InjectedScript.prototype.setInspectObject): Deleted.
1565         (let.InjectedScript.prototype.addCommandLineAPIGetter): Deleted.
1566         (let.InjectedScript.prototype.addCommandLineAPIMethod.func.toString): Deleted.
1567         (let.InjectedScript.prototype.addCommandLineAPIMethod): Deleted.
1568         (InjectedScript.CommandLineAPI): Deleted.
1569         Allow injected script "extensions" (e.g. CommandLineAPIModuleSource.js) to modify objects
1570         directly, instead of having them call functions.
1571
1572         * inspector/InjectedScriptModule.cpp:
1573         (Inspector::InjectedScriptModule::ensureInjected):
1574         Make sure to reset `hadException` to `false` before making another call.
1575
1576 2019-09-03  Yusuke Suzuki  <ysuzuki@apple.com>
1577
1578         [JSC] Remove BytecodeGenerator::emitPopScope
1579         https://bugs.webkit.org/show_bug.cgi?id=201395
1580
1581         Reviewed by Saam Barati.
1582
1583         Use emitGetParentScope. And this patch also removes several unnecessary mov bytecode emissions.
1584
1585         * bytecompiler/BytecodeGenerator.cpp:
1586         (JSC::BytecodeGenerator::popLexicalScopeInternal):
1587         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1588         (JSC::BytecodeGenerator::emitPopWithScope):
1589         (JSC::BytecodeGenerator::emitPopScope): Deleted.
1590         * bytecompiler/BytecodeGenerator.h:
1591
1592 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
1593
1594         [JSC] Merge op_check_traps into op_enter and op_loop_hint
1595         https://bugs.webkit.org/show_bug.cgi?id=201373
1596
1597         Reviewed by Mark Lam.
1598
1599         This patch removes op_check_traps. Previously we were conditionally emitting op_check_traps based on Options and Platform configurations.
1600         But now we are always emitting op_check_traps. So it is not necessary to have separate bytecode as op_check_traps. We can do checking in
1601         op_enter and op_loop_hint.
1602
1603         While this patch moves check_traps implementation to op_enter and op_loop_hint, we keep separate DFG nodes (CheckTraps or InvalidationPoint),
1604         since inserted nodes are different based on configurations and options. And emitting multiple DFG nodes from one bytecode is easy.
1605
1606         We also inline op_enter's slow path's write-barrier emission in LLInt.
1607
1608         * bytecode/BytecodeList.rb:
1609         * bytecode/BytecodeUseDef.h:
1610         (JSC::computeUsesForBytecodeOffset):
1611         (JSC::computeDefsForBytecodeOffset):
1612         * bytecompiler/BytecodeGenerator.cpp:
1613         (JSC::BytecodeGenerator::BytecodeGenerator):
1614         (JSC::BytecodeGenerator::emitLoopHint):
1615         (JSC::BytecodeGenerator::emitCheckTraps): Deleted.
1616         * bytecompiler/BytecodeGenerator.h:
1617         * dfg/DFGByteCodeParser.cpp:
1618         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1619         (JSC::DFG::ByteCodeParser::parseBlock):
1620         * dfg/DFGCapabilities.cpp:
1621         (JSC::DFG::capabilityLevel):
1622         * jit/JIT.cpp:
1623         (JSC::JIT::privateCompileMainPass):
1624         (JSC::JIT::privateCompileSlowCases):
1625         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
1626         * jit/JIT.h:
1627         * jit/JITOpcodes.cpp:
1628         (JSC::JIT::emit_op_loop_hint):
1629         (JSC::JIT::emitSlow_op_loop_hint):
1630         (JSC::JIT::emit_op_enter):
1631         (JSC::JIT::emitSlow_op_enter):
1632         (JSC::JIT::emit_op_check_traps): Deleted.
1633         (JSC::JIT::emitSlow_op_check_traps): Deleted.
1634         * jit/JITOpcodes32_64.cpp:
1635         (JSC::JIT::emit_op_enter): Deleted.
1636         * llint/LowLevelInterpreter.asm:
1637         * llint/LowLevelInterpreter32_64.asm:
1638         * llint/LowLevelInterpreter64.asm:
1639         * runtime/CommonSlowPaths.cpp:
1640         * runtime/CommonSlowPaths.h:
1641
1642 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
1643
1644         [JSC] Fix testb3 debug failures
1645         https://bugs.webkit.org/show_bug.cgi?id=201382
1646
1647         Reviewed by Mark Lam.
1648
1649         Fix testb3 debug failures due to incorrect types of operations like pointer + int32.
1650
1651         * b3/testb3_8.cpp:
1652         (testByteCopyLoop):
1653         (testByteCopyLoopStartIsLoopDependent):
1654         (testByteCopyLoopBoundIsLoopDependent):
1655
1656 2019-09-01  Mark Lam  <mark.lam@apple.com>
1657
1658         Speculative build fix for ARMv7 and MIPS.
1659         https://bugs.webkit.org/show_bug.cgi?id=201389
1660
1661         Not reviewed.
1662
1663         * bytecode/CodeBlock.cpp:
1664         (JSC::CodeBlock::jettison):
1665
1666 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1667
1668         [JSC] LLInt op should not emit the same code three times
1669         https://bugs.webkit.org/show_bug.cgi?id=201370
1670
1671         Reviewed by Mark Lam.
1672
1673         LLInt op macro (not llintOp macro) is used to generate some stub code like llint_program_prologue.
1674         But now it generates the same code three times for narrow, wide16, and wide32. We should emit code only once.
1675
1676         * llint/LowLevelInterpreter.asm:
1677
1678 2019-08-30  Mark Lam  <mark.lam@apple.com>
1679
1680         Remove some obsolete statements that have no effect.
1681         https://bugs.webkit.org/show_bug.cgi?id=201357
1682
1683         Reviewed by Saam Barati.
1684
1685         This patch removes 3 statements that look like this:
1686
1687             result->butterfly(); // Ensure that the butterfly is in to-space.
1688
1689         The statement just reads a field and does nothing with it.  This is a no-op
1690         logic-wise, and the comment that accompanies it is obsolete.
1691
1692         * dfg/DFGOperations.cpp:
1693
1694 2019-08-30  Mark Lam  <mark.lam@apple.com>
1695
1696         Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
1697         https://bugs.webkit.org/show_bug.cgi?id=201345
1698
1699         Reviewed by Yusuke Suzuki.
1700
1701         This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
1702         the wrong pointer for capture the cell headerWord and zapReason.  As a result,
1703         we get junk for those 2 values.
1704
1705         Previously, we were only capturing the upper 32-bits of the cell header slot,
1706         and the lower 32-bit of the next slot in the zapped cell.  We now capture the
1707         full 64-bits of both slots.  If the second slot did not contain a zapReason as we
1708         expect, the upper 32-bits might give us a clue as to what type of value the slot
1709         contains.
1710
1711         This patch also adds capturing of the found MarkedBlock address for the zapped
1712         cell, as well as some state bit values.
1713
1714         * heap/SlotVisitor.cpp:
1715         (JSC::SlotVisitor::reportZappedCellAndCrash):
1716
1717 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1718
1719         [JSC] Generate new.target register only when it is used
1720         https://bugs.webkit.org/show_bug.cgi?id=201335
1721
1722         Reviewed by Mark Lam.
1723
1724         Since bytecode generator knows whether new.target register can be used, we should emit and use new.target register
1725         only when it is actually required.
1726
1727         * bytecompiler/BytecodeGenerator.cpp:
1728         (JSC::BytecodeGenerator::BytecodeGenerator):
1729         * bytecompiler/BytecodeGenerator.h:
1730         (JSC::BytecodeGenerator::newTarget):
1731         * parser/Nodes.h:
1732         (JSC::ScopeNode::needsNewTargetRegisterForThisScope const):
1733
1734 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1735
1736         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
1737         https://bugs.webkit.org/show_bug.cgi?id=201331
1738
1739         Reviewed by Mark Lam.
1740
1741         SimpleJumpTable's non-JIT part is not changed after CodeBlock is finalized well. On the other hand, JIT related part is allocated on-demand.
1742         For example, ctiOffsets can be grown by Baseline JIT compiler. There is race condition as follows.
1743
1744             1. DFG ByteCodeParser is inlining and copying SimpleJumpTable
1745             2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable
1746
1747         Then, (1) reads the broken Vector, and crashes. Since JIT-related part is unnecessary in (1), we should not clone that.
1748         This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which only copies non JIT-related part of the given SimpleJumpTable offered
1749         by profiled CodeBlock.
1750
1751         * bytecode/CodeBlock.h:
1752         (JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock):
1753         * bytecode/JumpTable.h:
1754         (JSC::SimpleJumpTable::cloneNonJITPart const):
1755         (JSC::SimpleJumpTable::clear):
1756         * dfg/DFGByteCodeParser.cpp:
1757         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1758
1759 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1760
1761         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
1762         https://bugs.webkit.org/show_bug.cgi?id=201332
1763
1764         Reviewed by Mark Lam.
1765
1766         When inlining setter calls in DFG, result VirtualRegister becomes invalid one. While other call-related DFG code correctly assumes
1767         that `result` may be invalid, only CheckBadCell slow path missed this case. Since this is OSR exit path and VirtualRegister result
1768         does not exist, set BottomValue only when "result" is valid as the other DFG code is doing.
1769
1770         * dfg/DFGByteCodeParser.cpp:
1771         (JSC::DFG::ByteCodeParser::handleInlining):
1772
1773 2019-08-29  Devin Rousso  <drousso@apple.com>
1774
1775         Web Inspector: Debugger: async event listener stack traces should be available in Workers
1776         https://bugs.webkit.org/show_bug.cgi?id=200903
1777
1778         Reviewed by Joseph Pecoraro.
1779
1780         * inspector/agents/InspectorDebuggerAgent.h:
1781         (Inspector::InspectorDebuggerAgent::enabled): Added.
1782         * inspector/agents/InspectorDebuggerAgent.cpp:
1783         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
1784         (Inspector::InspectorDebuggerAgent::enable):
1785         (Inspector::InspectorDebuggerAgent::disable):
1786         Allow subclasses to extend what it means for the `InspectorDebuggerAgent` to be `enabled`.
1787
1788 2019-08-29  Keith Rollin  <krollin@apple.com>
1789
1790         Update .xcconfig symbols to reflect the current set of past and future product versions.
1791         https://bugs.webkit.org/show_bug.cgi?id=200720
1792         <rdar://problem/54305032>
1793
1794         Reviewed by Alex Christensen.
1795
1796         Remove version symbols related to old OS's we no longer support,
1797         ensure that version symbols are defined for OS's we do support.
1798
1799         * Configurations/Base.xcconfig:
1800         * Configurations/DebugRelease.xcconfig:
1801         * Configurations/Version.xcconfig:
1802
1803 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
1804
1805         [JSC] Repatch should construct CallCases and CasesValue at the same time
1806         https://bugs.webkit.org/show_bug.cgi?id=201325
1807
1808         Reviewed by Saam Barati.
1809
1810         In linkPolymorphicCall, we should create callCases and casesValue at the same time to assert `callCases.size() == casesValue.size()`.
1811         If the call variant is isClosureCall and InternalFunction, we skip adding it to casesValue. So we should not add this variant to callCases too.
1812
1813         * jit/Repatch.cpp:
1814         (JSC::linkPolymorphicCall):
1815
1816 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
1817
1818         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
1819         https://bugs.webkit.org/show_bug.cgi?id=198650
1820
1821         Reviewed by Saam Barati.
1822
1823         Object Allocation Sinking phase has a lightweight abstract interpreter which interprets DFG nodes related to allocations and properties.
1824         This interpreter is lightweight since it does not track abstract values and conditions as deeply as AI does. It can happen that this
1825         interpreter interpret the control-flow edge that AI proved that is never taken.
1826         AI already knows some control-flow edges are never taken, and based on this information, AI can remove CheckStructure nodes. But
1827         ObjectAllocationSinking phase can trace this never-taken edges and propagate structure information that contradicts to the analysis
1828         done in ObjectAllocationSinking.
1829
1830         Let's see the example.
1831
1832             BB#0
1833                 35: NewObject([%AM:Object])
1834                 ...
1835                 47: Branch(ConstantTrue, T:#1, F:#2)
1836
1837             BB#1 // This basic block is never taken due to @47's jump.
1838                 ...
1839                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
1840                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
1841                 ...
1842                 XX: Jump(#2)
1843
1844             BB#2
1845                 ...
1846                 92: CheckStructure(@35, [%Dx:Object])
1847                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
1848                 ...
1849
1850         AI removes @92 because AI knows BB#0 only takes BB#1 branch. @35's Structure is always %Dx so @92 is redundant.
1851         AI proved that @71 and @72 are always executed while BB#0 -> BB#2 edge is never taken so that @35 object's structure is proven at @92.
1852         After AI removes @92, ObjectAllocationSinking starts looking into this graph.
1853
1854             BB#0
1855                 35: NewObject([%AM:Object])
1856                 ...
1857                 47: Branch(ConstantTrue, T:#1, F:#2)
1858
1859             BB#1 // This basic block is never taken due to @47's jump.
1860                 ...
1861                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
1862                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
1863                 ...
1864                 XX: Jump(#2)
1865
1866             BB#2
1867                 ...
1868                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
1869                 ...
1870                 YY: Jump(#3)
1871
1872             BB#3
1873                 ...
1874                 ZZ: <HERE> want to materialize @35's sunk object.
1875
1876         Since AI does not change the @47 Branch to Jump (it is OK anyway), BB#0 -> BB#2 edge remains and ObjectAllocationSinking phase propagates information in
1877         BB#0's %AM structure information to BB#2. ObjectAllocationSinking phase converts @35 to PhantomNewObject, removes PutByOffset and PutStructure, and
1878         insert MaterializeNewObject in @ZZ. At this point, ObjectAllocationSinking lightweight interpreter gets two structures while AI gets one: @35's original
1879         one (%AM) and @72's replaced one (%Dx). Since AI already proved @ZZ only gets %Dx, AI removed @92 CheckStructure. But this is not known to ObjectAllocationSinking
1880         phase's interpretation. So when creating recovery data, MultiPutByOffset includes two structures, %AM and %Dx. This is OK since MultiPutByOffset takes
1881         conservative set of structures and performs switching. But the problem here is that %AM's id2{a} offset is -1 since %AM does not have such a property.
1882         So when creating MultiPutByOffset in ObjectAllocationSinking, we accidentally create MultiPutByOffset with -1 offset data, and lowering phase hits the debug
1883         assertion.
1884
1885             187: MultiPutByOffset(@138, @138, id2{a}, <Replace: [%AM:Object], offset = -1, >, <Replace: [%Dx:Object], offset = 0, >)
1886
1887         This bug is harmless since %AM structure comparison never meets at runtime. But we are not considering the case including `-1` offset property in MultiPutByOffset data.
1888         In this patch, we just filter out apparently wrong structures when creating MultiPutByOffset in ObjectAllocationSinking. This is OK since it never comes at runtime.
1889
1890         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1891
1892 2019-08-29  Devin Rousso  <drousso@apple.com>
1893
1894         Web Inspector: DOMDebugger: support event breakpoints in Worker contexts
1895         https://bugs.webkit.org/show_bug.cgi?id=200651
1896
1897         Reviewed by Joseph Pecoraro.
1898
1899         * inspector/protocol/DOMDebugger.json:
1900         Make the domain available in "worker" contexts as well.
1901
1902 2019-08-29  Keith Rollin  <krollin@apple.com>
1903
1904         Remove 32-bit macOS support
1905         https://bugs.webkit.org/show_bug.cgi?id=201282
1906         <rdar://problem/54821667>
1907
1908         Reviewed by Anders Carlsson.
1909
1910         WebKit doesn’t support 32-bit Mac any more, so remove checks and code
1911         for that platform.
1912
1913         * API/JSBase.h:
1914         * runtime/VM.h:
1915
1916 2019-08-29  Keith Rollin  <krollin@apple.com>
1917
1918         Remove support for macOS < 10.13 (part 3)
1919         https://bugs.webkit.org/show_bug.cgi?id=201224
1920         <rdar://problem/54795934>
1921
1922         Reviewed by Darin Adler.
1923
1924         Remove symbols in WebKitTargetConditionals.xcconfig related to macOS
1925         10.13, including WK_MACOS_1013 and WK_MACOS_BEFORE_1013, and suffixes
1926         like _MACOS_SINCE_1013.
1927
1928         * Configurations/WebKitTargetConditionals.xcconfig:
1929
1930 2019-08-29  Mark Lam  <mark.lam@apple.com>
1931
1932         Remove a bad assertion in ByteCodeParser::inlineCall().
1933         https://bugs.webkit.org/show_bug.cgi?id=201292
1934         <rdar://problem/54121659>
1935
1936         Reviewed by Michael Saboff.
1937
1938         In the DFG bytecode parser, we've already computed the inlining cost of a candidate
1939         inlining target, and determine that it is worth inlining before invoking
1940         ByteCodeParser::inlineCall().  However, in ByteCodeParser::inlineCall(), it
1941         recomputes the inlining cost again only for the purpose of asserting that it isn't
1942         too high.
1943
1944         Not consider a badly written test that does the following:
1945
1946             function bar() {
1947                 ...
1948                 foo(); // Call in a hot loop here.
1949                 ...
1950             }
1951
1952             bar(); // <===== foo is inlineable into bar here.
1953             noInline(foo); // <===== Change mind, and make foo not inlineable.
1954             bar();
1955
1956         With this bad test, the following racy scenario can occur:
1957
1958         1. the first invocation of bar() gets hot, and a concurrent compile is kicked off.
1959         2. the compiler thread computes foo()'s inliningCost() and determines that it is
1960            worthy to be inlined, and will imminently call inlineCall().
1961         3. the mutator calls the noInline() test utility on foo(), thereby making it NOT
1962            inlineable.
1963         4. the compiler thread calls inlineCall().  In inlineCall(), it re-computes the
1964            inliningCost for foo() and now finds that it is not inlineable.  An assertion
1965            failure follows.
1966
1967         Technically, the test is in error because noInline() shouldn't be used that way.
1968         However, fuzzers that are not clued into noInline()'s proper usage may generate
1969         code like this.
1970
1971         On the other hand, ByteCodeParser::inlineCall() should not be recomputing that the
1972         inlining cost and asserting on it.  The only reason inlineCall() is invoked is
1973         because it was already previously determined that a target function is inlineable
1974         based on its inlining cost.  Today, in practice, I don't think we have any real
1975         world condition where the mutator can affect the inlining cost of a target
1976         function midway through execution.  So, this assertion isn't a problem if no one
1977         writes a test that abuses noInline().  However, should things change such that the
1978         mutator is able to affect the inlining cost of a target function, then it is
1979         incorrect for the compiler to assume that the inlining cost is immutable.  Once
1980         the compiler decides to inline a function, it should just follow through.
1981
1982         This patch removes this assertion in ByteCodeParser::inlineCall().  It is an
1983         annoyance at best (for fuzzers), and at worst, incorrect if the mutator gains the
1984         ability to affect the inlining cost of a target function.
1985
1986         * dfg/DFGByteCodeParser.cpp:
1987         (JSC::DFG::ByteCodeParser::inlineCall):
1988
1989 2019-08-28  Mark Lam  <mark.lam@apple.com>
1990
1991         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
1992         https://bugs.webkit.org/show_bug.cgi?id=201281
1993         <rdar://problem/54028228>
1994
1995         Reviewed by Yusuke Suzuki and Saam Barati.
1996
1997         This (see title above) is already the preferred idiom used in most places in our
1998         compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
1999         compileStringCharAt().  Consider the following:
2000
2001             bool prototypeChainIsSane = false;
2002             if (globalObject->stringPrototypeChainIsSane()) {
2003                 ...
2004                 m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm()));
2005                 m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm()));
2006
2007                 prototypeChainIsSane = globalObject->stringPrototypeChainIsSane();
2008             }
2009
2010         What's essential for correctness here is that the stringPrototype and objectPrototype
2011         structures be loaded before the loads in the second stringPrototypeChainIsSane()
2012         check.  Without a loadLoadFence before the second stringPrototypeChainIsSane()
2013         check, we can't guarantee that.  Elsewhere in the compiler, the preferred idiom
2014         for doing this right is to pre-load the structures first, do a loadLoadFence, and
2015         then do the IsSane check just once after e.g.
2016
2017             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm);
2018             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm);
2019
2020             if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2021                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2022                 && globalObject->arrayPrototypeChainIsSane()) {
2023
2024                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
2025                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
2026                 ...
2027             }
2028
2029         This patch changes DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
2030         compileStringCharAt() to follow the same idiom.
2031
2032         We also fix a bad assertion in Structure::storedPrototype() and
2033         Structure::storedPrototypeObject().  The assertion is only correct when those
2034         methods are called from the mutator thread.  The assertion has been updated to
2035         only check its test condition if the current thread is the mutator thread.
2036
2037         * dfg/DFGSpeculativeJIT.cpp:
2038         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2039         * ftl/FTLLowerDFGToB3.cpp:
2040         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2041         * runtime/StructureInlines.h:
2042         (JSC::Structure::storedPrototype const):
2043         (JSC::Structure::storedPrototypeObject const):
2044
2045 2019-08-28  Mark Lam  <mark.lam@apple.com>
2046
2047         Placate exception check validation in DFG's operationHasGenericProperty().
2048         https://bugs.webkit.org/show_bug.cgi?id=201245
2049         <rdar://problem/54777512>
2050
2051         Reviewed by Robin Morisset.
2052
2053         * dfg/DFGOperations.cpp:
2054
2055 2019-08-28  Ross Kirsling  <ross.kirsling@sony.com>
2056
2057         Unreviewed. Restabilize non-unified build.
2058
2059         * runtime/PropertySlot.h:
2060
2061 2019-08-28  Mark Lam  <mark.lam@apple.com>
2062
2063         Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks.
2064         https://bugs.webkit.org/show_bug.cgi?id=201006
2065         <rdar://problem/52053991>
2066
2067         Reviewed by Yusuke Suzuki.
2068
2069         We already ensured that it is not possible to overflow in Wasm::FunctionParser's
2070         parse().  It is unnecessary and misleading to do those overflow checks in
2071         AirIRGenerator and B3IRGenerator.  The only check that is necessary is that
2072         m_locals.tryReserveCapacity() is successful, otherwise, we have an out of memory
2073         situation.
2074
2075         This patch changes these unnecessary checks to assertions instead.
2076
2077         * wasm/WasmAirIRGenerator.cpp:
2078         (JSC::Wasm::AirIRGenerator::addLocal):
2079         * wasm/WasmB3IRGenerator.cpp:
2080         (JSC::Wasm::B3IRGenerator::addLocal):
2081         * wasm/WasmValidate.cpp:
2082         (JSC::Wasm::Validate::addLocal):
2083
2084 2019-08-28  Keith Rollin  <krollin@apple.com>
2085
2086         Remove support for macOS < 10.13 (part 2)
2087         https://bugs.webkit.org/show_bug.cgi?id=201197
2088         <rdar://problem/54759985>
2089
2090         Update conditionals that reference WK_MACOS_1013 and suffixes like
2091         _MACOS_SINCE_1013, assuming that we're always building on 10.13 or
2092         later and that these conditionals are always True or False.
2093
2094         See Bug 200694 for earlier changes in this area.
2095
2096         Reviewed by Darin Adler.
2097
2098         * Configurations/FeatureDefines.xcconfig:
2099
2100 2019-08-28  Mark Lam  <mark.lam@apple.com>
2101
2102         Gardening: Rebase test results after r249175.
2103         https://bugs.webkit.org/show_bug.cgi?id=201172
2104
2105         Not reviewed.
2106
2107         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2108         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2109         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2110         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2111         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2112         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2113         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2114
2115 2019-08-27  Michael Saboff  <msaboff@apple.com>
2116
2117         Update PACCage changes for builds without Gigacage, but with signed pointers
2118         https://bugs.webkit.org/show_bug.cgi?id=201202
2119
2120         Reviewed by Saam Barati.
2121
2122         Factored out the untagging of pointers and added that to both the Gigacage enabled
2123         and disabled code paths.  Did this for the LLInt as well as the JITs.
2124
2125         * JavaScriptCore.xcodeproj/project.pbxproj: Added arm64e.rb to offlineasm file list.
2126         * dfg/DFGSpeculativeJIT.cpp:
2127         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
2128         * ftl/FTLLowerDFGToB3.cpp:
2129         (JSC::FTL::DFG::LowerDFGToB3::caged):
2130         * llint/LowLevelInterpreter64.asm:
2131
2132 2019-08-27  Mark Lam  <mark.lam@apple.com>
2133
2134         Refactor to use VM& instead of VM* at as many places as possible.
2135         https://bugs.webkit.org/show_bug.cgi?id=201172
2136
2137         Reviewed by Yusuke Suzuki.
2138
2139         Using VM& documents more clearly that the VM pointer is expected to never be null
2140         in most cases.  There are a few places where it can be null (e.g JSLock, and
2141         DFG::Plan).  Those will be left using a VM*.
2142
2143         Also converted some uses of ExecState* to using VM& instead since the ExecState*
2144         is only there to fetch the VM pointer.  Doing this also reduces the number of
2145         times we have to compute VM* from ExecState*.
2146
2147         This patch is not exhaustive in converting to use VM&, but applies the change to
2148         many commonly used pieces of code for a start.
2149
2150         Also fixed a missing exception check in JSString::toIdentifier() and
2151         JSValue::toPropertyKey() exposed by this patch.
2152
2153         * API/APICast.h:
2154         (toJS):
2155         * API/JSAPIGlobalObject.mm:
2156         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
2157         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
2158         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
2159         (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
2160         (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule):
2161         * API/JSCallbackConstructor.cpp:
2162         (JSC::JSCallbackConstructor::finishCreation):
2163         * API/JSCallbackObjectFunctions.h:
2164         (JSC::JSCallbackObject<Parent>::asCallbackObject):
2165         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
2166         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
2167         (JSC::JSCallbackObject<Parent>::putByIndex):
2168         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
2169         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2170         * API/JSContext.mm:
2171         (-[JSContext dependencyIdentifiersForModuleJSScript:]):
2172         * API/JSObjectRef.cpp:
2173         (JSObjectMakeFunction):
2174         (classInfoPrivate):
2175         (JSObjectGetPrivate):
2176         (JSObjectSetPrivate):
2177         (JSObjectCopyPropertyNames):
2178         (JSPropertyNameAccumulatorAddName):
2179         (JSObjectGetProxyTarget):
2180         * API/JSScriptRef.cpp:
2181         (parseScript):
2182         * API/JSValueRef.cpp:
2183         (JSValueMakeString):
2184         * API/OpaqueJSString.cpp:
2185         (OpaqueJSString::identifier const):
2186         * API/glib/JSCContext.cpp:
2187         (jsc_context_check_syntax):
2188         * KeywordLookupGenerator.py:
2189         (Trie.printSubTreeAsC):
2190         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py:
2191         (BuiltinsWrapperHeaderGenerator.generate_constructor):
2192         * Scripts/wkbuiltins/builtins_templates.py:
2193         * bindings/ScriptFunctionCall.cpp:
2194         (Deprecated::ScriptCallArgumentHandler::appendArgument):
2195         (Deprecated::ScriptFunctionCall::call):
2196         * bindings/ScriptValue.cpp:
2197         (Inspector::jsToInspectorValue):
2198         * builtins/BuiltinExecutables.cpp:
2199         (JSC::BuiltinExecutables::createExecutable):
2200         * builtins/BuiltinNames.cpp:
2201         (JSC::BuiltinNames::BuiltinNames):
2202         * builtins/BuiltinNames.h:
2203         (JSC::BuiltinNames::getPublicName const):
2204         * bytecode/BytecodeDumper.cpp:
2205         (JSC::BytecodeDumper<Block>::vm const):
2206         * bytecode/BytecodeDumper.h:
2207         * bytecode/BytecodeGeneratorification.cpp:
2208         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2209         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
2210         (JSC::BytecodeGeneratorification::run):
2211         * bytecode/BytecodeIntrinsicRegistry.cpp:
2212         (JSC::BytecodeIntrinsicRegistry::sentinelMapBucketValue):
2213         (JSC::BytecodeIntrinsicRegistry::sentinelSetBucketValue):
2214         * bytecode/CallVariant.h:
2215         (JSC::CallVariant::internalFunction const):
2216         (JSC::CallVariant::function const):
2217         (JSC::CallVariant::isClosureCall const):
2218         (JSC::CallVariant::executable const):
2219         (JSC::CallVariant::functionExecutable const):
2220         (JSC::CallVariant::nativeExecutable const):
2221         * bytecode/CodeBlock.cpp:
2222         (JSC::CodeBlock::dumpSource):
2223         (JSC::CodeBlock::CodeBlock):
2224         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
2225         (JSC::CodeBlock::setNumParameters):
2226         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2227         (JSC::CodeBlock::unlinkIncomingCalls):
2228         (JSC::CodeBlock::replacement):
2229         (JSC::CodeBlock::computeCapabilityLevel):
2230         (JSC::CodeBlock::noticeIncomingCall):
2231         (JSC::CodeBlock::nameForRegister):
2232         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2233         * bytecode/CodeBlock.h:
2234         (JSC::CodeBlock::vm const):
2235         (JSC::CodeBlock::numberOfArgumentValueProfiles):
2236         (JSC::CodeBlock::valueProfileForArgument):
2237         * bytecode/DeferredSourceDump.cpp:
2238         (JSC::DeferredSourceDump::DeferredSourceDump):
2239         * bytecode/EvalCodeBlock.h:
2240         * bytecode/FunctionCodeBlock.h:
2241         * bytecode/GetByIdStatus.cpp:
2242         (JSC::GetByIdStatus::computeFromLLInt):
2243         * bytecode/GlobalCodeBlock.h:
2244         (JSC::GlobalCodeBlock::GlobalCodeBlock):
2245         * bytecode/ModuleProgramCodeBlock.h:
2246         * bytecode/ObjectAllocationProfileInlines.h:
2247         (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount):
2248         * bytecode/PolyProtoAccessChain.cpp:
2249         (JSC::PolyProtoAccessChain::create):
2250         * bytecode/ProgramCodeBlock.h:
2251         * bytecode/PropertyCondition.cpp:
2252         (JSC::PropertyCondition::isWatchableWhenValid const):
2253         * bytecode/PutByIdStatus.cpp:
2254         (JSC::PutByIdStatus::computeFromLLInt):
2255         * bytecode/StructureStubInfo.cpp:
2256         (JSC::StructureStubInfo::initGetByIdSelf):
2257         (JSC::StructureStubInfo::initPutByIdReplace):
2258         (JSC::StructureStubInfo::initInByIdSelf):
2259         (JSC::StructureStubInfo::addAccessCase):
2260         (JSC::StructureStubInfo::visitWeakReferences):
2261         * bytecode/UnlinkedCodeBlock.cpp:
2262         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2263         * bytecode/UnlinkedCodeBlock.h:
2264         (JSC::UnlinkedCodeBlock::addSetConstant):
2265         (JSC::UnlinkedCodeBlock::addConstant):
2266         (JSC::UnlinkedCodeBlock::addFunctionDecl):
2267         (JSC::UnlinkedCodeBlock::addFunctionExpr):
2268         * bytecode/UnlinkedEvalCodeBlock.h:
2269         * bytecode/UnlinkedFunctionCodeBlock.h:
2270         * bytecode/UnlinkedFunctionExecutable.cpp:
2271         (JSC::generateUnlinkedFunctionCodeBlock):
2272         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2273         * bytecode/UnlinkedFunctionExecutable.h:
2274         * bytecode/UnlinkedGlobalCodeBlock.h:
2275         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
2276         * bytecode/UnlinkedModuleProgramCodeBlock.h:
2277         * bytecode/UnlinkedProgramCodeBlock.h:
2278         * bytecompiler/BytecodeGenerator.cpp:
2279         (JSC::BytecodeGenerator::BytecodeGenerator):
2280         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
2281         (JSC::BytecodeGenerator::emitDirectPutById):
2282         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
2283         (JSC::BytecodeGenerator::addBigIntConstant):
2284         (JSC::BytecodeGenerator::addTemplateObjectConstant):
2285         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
2286         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
2287         * bytecompiler/BytecodeGenerator.h:
2288         (JSC::BytecodeGenerator::vm const):
2289         (JSC::BytecodeGenerator::propertyNames const):
2290         (JSC::BytecodeGenerator::emitNodeInTailPosition):
2291         (JSC::BytecodeGenerator::emitDefineClassElements):
2292         (JSC::BytecodeGenerator::emitNodeInConditionContext):
2293         * bytecompiler/NodesCodegen.cpp:
2294         (JSC::RegExpNode::emitBytecode):
2295         (JSC::ArrayNode::emitBytecode):
2296         (JSC::FunctionCallResolveNode::emitBytecode):
2297         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
2298         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
2299         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
2300         (JSC::InstanceOfNode::emitBytecode):
2301         * debugger/Debugger.cpp:
2302         * debugger/DebuggerParseData.cpp:
2303         (JSC::gatherDebuggerParseData):
2304         * debugger/DebuggerScope.cpp:
2305         (JSC::DebuggerScope::next):
2306         (JSC::DebuggerScope::name const):
2307         (JSC::DebuggerScope::location const):
2308         * dfg/DFGDesiredIdentifiers.cpp:
2309         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2310         * dfg/DFGDesiredWatchpoints.cpp:
2311         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2312         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
2313         * dfg/DFGFrozenValue.h:
2314         (JSC::DFG::FrozenValue::FrozenValue):
2315         * dfg/DFGGraph.cpp:
2316         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
2317         * dfg/DFGJITCompiler.cpp:
2318         (JSC::DFG::JITCompiler::linkOSRExits):
2319         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2320         (JSC::DFG::JITCompiler::link):
2321         (JSC::DFG::emitStackOverflowCheck):
2322         (JSC::DFG::JITCompiler::compileFunction):
2323         (JSC::DFG::JITCompiler::exceptionCheck):
2324         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
2325         * dfg/DFGJITCompiler.h:
2326         (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
2327         (JSC::DFG::JITCompiler::fastExceptionCheck):
2328         (JSC::DFG::JITCompiler::vm):
2329         * dfg/DFGLazyJSValue.cpp:
2330         (JSC::DFG::LazyJSValue::getValue const):
2331         (JSC::DFG::LazyJSValue::emit const):
2332         * dfg/DFGOSREntry.cpp:
2333         (JSC::DFG::prepareOSREntry):
2334         * dfg/DFGOSRExit.cpp:
2335         (JSC::DFG::OSRExit::compileOSRExit):
2336         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2337         * dfg/DFGOSRExitCompilerCommon.h:
2338         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
2339         * dfg/DFGOperations.cpp:
2340         (JSC::DFG::newTypedArrayWithSize):
2341         (JSC::DFG::binaryOp):
2342         (JSC::DFG::bitwiseBinaryOp):
2343         * dfg/DFGPlan.cpp:
2344         (JSC::DFG::Plan::Plan):
2345         * dfg/DFGSpeculativeJIT.cpp:
2346         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2347         (JSC::DFG::SpeculativeJIT::compileStringSlice):
2348         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2349         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
2350         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2351         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2352         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
2353         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
2354         (JSC::DFG::SpeculativeJIT::emitStringBranch):
2355         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
2356         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
2357         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
2358         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2359         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2360         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2361         (JSC::DFG::SpeculativeJIT::compileSpread):
2362         (JSC::DFG::SpeculativeJIT::compileNewArray):
2363         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2364         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2365         (JSC::DFG::SpeculativeJIT::compileArrayPush):
2366         (JSC::DFG::SpeculativeJIT::compileTypeOf):
2367         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2368         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2369         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
2370         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2371         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2372         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2373         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
2374         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2375         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2376         (JSC::DFG::SpeculativeJIT::compileStringReplace):
2377         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
2378         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
2379         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
2380         (JSC::DFG::SpeculativeJIT::compileObjectKeys):
2381         (JSC::DFG::SpeculativeJIT::compileCreateThis):
2382         (JSC::DFG::SpeculativeJIT::compileNewObject):
2383         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
2384         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
2385         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
2386         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2387         (JSC::DFG::SpeculativeJIT::compileProfileType):
2388         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2389         * dfg/DFGSpeculativeJIT.h:
2390         (JSC::DFG::SpeculativeJIT::vm):
2391         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
2392         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
2393         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2394         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
2395         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
2396         * dfg/DFGSpeculativeJIT32_64.cpp:
2397         (JSC::DFG::SpeculativeJIT::emitCall):
2398         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2399         (JSC::DFG::SpeculativeJIT::emitBranch):
2400         (JSC::DFG::SpeculativeJIT::compile):
2401         * dfg/DFGSpeculativeJIT64.cpp:
2402         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2403         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2404         (JSC::DFG::SpeculativeJIT::emitCall):
2405         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2406         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2407         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2408         (JSC::DFG::SpeculativeJIT::emitBranch):
2409         (JSC::DFG::SpeculativeJIT::compile):
2410         * dfg/DFGThunks.cpp:
2411         (JSC::DFG::osrExitThunkGenerator):
2412         (JSC::DFG::osrExitGenerationThunkGenerator):
2413         (JSC::DFG::osrEntryThunkGenerator):
2414         * dfg/DFGThunks.h:
2415         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2416         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
2417         * dfg/DFGWorklist.cpp:
2418         (JSC::DFG::Worklist::visitWeakReferences):
2419         * dynbench.cpp:
2420         (main):
2421         * ftl/FTLLowerDFGToB3.cpp:
2422         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2423         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2424         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2425         * ftl/FTLThunks.cpp:
2426         (JSC::FTL::genericGenerationThunkGenerator):
2427         (JSC::FTL::osrExitGenerationThunkGenerator):
2428         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
2429         * ftl/FTLThunks.h:
2430         * heap/CellContainer.h:
2431         * heap/CellContainerInlines.h:
2432         (JSC::CellContainer::vm const):
2433         (JSC::CellContainer::heap const):
2434         * heap/CompleteSubspace.cpp:
2435         (JSC::CompleteSubspace::tryAllocateSlow):
2436         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
2437         * heap/GCActivityCallback.h:
2438         * heap/GCAssertions.h:
2439         * heap/HandleSet.cpp:
2440         (JSC::HandleSet::HandleSet):
2441         * heap/HandleSet.h:
2442         (JSC::HandleSet::vm):
2443         * heap/Heap.cpp:
2444         (JSC::Heap::Heap):
2445         (JSC::Heap::lastChanceToFinalize):
2446         (JSC::Heap::releaseDelayedReleasedObjects):
2447         (JSC::Heap::protect):
2448         (JSC::Heap::unprotect):
2449         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
2450         (JSC::Heap::finalizeUnconditionalFinalizers):
2451         (JSC::Heap::completeAllJITPlans):
2452         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
2453         (JSC::Heap::gatherJSStackRoots):
2454         (JSC::Heap::gatherScratchBufferRoots):
2455         (JSC::Heap::removeDeadCompilerWorklistEntries):
2456         (JSC::Heap::isAnalyzingHeap const):
2457         (JSC::Heap::gatherExtraHeapData):
2458         (JSC::Heap::protectedObjectTypeCounts):
2459         (JSC::Heap::objectTypeCounts):
2460         (JSC::Heap::deleteAllCodeBlocks):
2461         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2462         (JSC::Heap::deleteUnmarkedCompiledCode):
2463         (JSC::Heap::checkConn):
2464         (JSC::Heap::runEndPhase):
2465         (JSC::Heap::stopThePeriphery):
2466         (JSC::Heap::finalize):
2467         (JSC::Heap::requestCollection):
2468         (JSC::Heap::sweepInFinalize):
2469         (JSC::Heap::sweepArrayBuffers):
2470         (JSC::Heap::deleteSourceProviderCaches):
2471         (JSC::Heap::didFinishCollection):
2472         (JSC::Heap::addCoreConstraints):
2473         * heap/Heap.h:
2474         * heap/HeapCell.h:
2475         * heap/HeapCellInlines.h:
2476         (JSC::HeapCell::heap const):
2477         (JSC::HeapCell::vm const):
2478         * heap/HeapInlines.h:
2479         (JSC::Heap::vm const):
2480         * heap/IsoSubspacePerVM.cpp:
2481         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
2482         * heap/LargeAllocation.cpp:
2483         (JSC::LargeAllocation::sweep):
2484         (JSC::LargeAllocation::assertValidCell const):
2485         * heap/LargeAllocation.h:
2486         (JSC::LargeAllocation::vm const):
2487         * heap/LocalAllocator.cpp:
2488         (JSC::LocalAllocator::allocateSlowCase):
2489         * heap/MarkedBlock.cpp:
2490         (JSC::MarkedBlock::Handle::Handle):
2491         (JSC::MarkedBlock::aboutToMarkSlow):
2492         (JSC::MarkedBlock::assertMarksNotStale):
2493         (JSC::MarkedBlock::areMarksStale):
2494         (JSC::MarkedBlock::isMarked):
2495         (JSC::MarkedBlock::assertValidCell const):
2496         * heap/MarkedBlock.h:
2497         (JSC::MarkedBlock::Handle::vm const):
2498         (JSC::MarkedBlock::vm const):
2499         * heap/MarkedBlockInlines.h:
2500         (JSC::MarkedBlock::heap const):
2501         (JSC::MarkedBlock::Handle::specializedSweep):
2502         * heap/SlotVisitor.cpp:
2503         (JSC::validate):
2504         * heap/SlotVisitorInlines.h:
2505         (JSC::SlotVisitor::vm):
2506         (JSC::SlotVisitor::vm const):
2507         * heap/StopIfNecessaryTimer.cpp:
2508         (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer):
2509         * heap/StopIfNecessaryTimer.h:
2510         * heap/Strong.h:
2511         (JSC::Strong::operator=):
2512         * heap/WeakSet.h:
2513         (JSC::WeakSet::WeakSet):
2514         (JSC::WeakSet::vm const):
2515         * inspector/JSInjectedScriptHost.cpp:
2516         (Inspector::JSInjectedScriptHost::savedResultAlias const):
2517         (Inspector::JSInjectedScriptHost::internalConstructorName):
2518         (Inspector::JSInjectedScriptHost::subtype):
2519         (Inspector::JSInjectedScriptHost::functionDetails):
2520         (Inspector::constructInternalProperty):
2521         (Inspector::JSInjectedScriptHost::getInternalProperties):
2522         (Inspector::JSInjectedScriptHost::weakMapEntries):
2523         (Inspector::JSInjectedScriptHost::weakSetEntries):
2524         (Inspector::JSInjectedScriptHost::iteratorEntries):
2525         (Inspector::JSInjectedScriptHost::queryInstances):
2526         (Inspector::JSInjectedScriptHost::queryHolders):
2527         * inspector/JSJavaScriptCallFrame.cpp:
2528         (Inspector::valueForScopeLocation):
2529         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2530         (Inspector::JSJavaScriptCallFrame::functionName const):
2531         (Inspector::JSJavaScriptCallFrame::type const):
2532         * inspector/ScriptCallStackFactory.cpp:
2533         (Inspector::extractSourceInformationFromException):
2534         * inspector/agents/InspectorAuditAgent.cpp:
2535         (Inspector::InspectorAuditAgent::populateAuditObject):
2536         * inspector/agents/InspectorHeapAgent.cpp:
2537         (Inspector::InspectorHeapAgent::gc):
2538         * interpreter/FrameTracers.h:
2539         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2540         * interpreter/Interpreter.cpp:
2541         (JSC::Interpreter::executeProgram):
2542         (JSC::Interpreter::prepareForRepeatCall):
2543         (JSC::Interpreter::execute):
2544         (JSC::Interpreter::executeModuleProgram):
2545         * interpreter/StackVisitor.cpp:
2546         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
2547         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2548         * jit/AssemblyHelpers.cpp:
2549         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2550         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
2551         (JSC::AssemblyHelpers::branchIfValue):
2552         * jit/AssemblyHelpers.h:
2553         (JSC::AssemblyHelpers::vm):
2554         * jit/JIT.cpp:
2555         (JSC::JIT::JIT):
2556         (JSC::JIT::emitEnterOptimizationCheck):
2557         (JSC::JIT::privateCompileMainPass):
2558         (JSC::JIT::privateCompileExceptionHandlers):
2559         * jit/JIT.h:
2560         * jit/JITCall.cpp:
2561         (JSC::JIT::compileCallEvalSlowCase):
2562         * jit/JITCall32_64.cpp:
2563         (JSC::JIT::compileCallEvalSlowCase):
2564         * jit/JITExceptions.cpp:
2565         (JSC::genericUnwind):
2566         * jit/JITExceptions.h:
2567         * jit/JITInlineCacheGenerator.cpp:
2568         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2569         * jit/JITOpcodes.cpp:
2570         (JSC::JIT::emit_op_is_undefined):
2571         (JSC::JIT::emit_op_jfalse):
2572         (JSC::JIT::emit_op_jeq_null):
2573         (JSC::JIT::emit_op_jneq_null):
2574         (JSC::JIT::emit_op_jtrue):
2575         (JSC::JIT::emit_op_throw):
2576         (JSC::JIT::emit_op_catch):
2577         (JSC::JIT::emit_op_eq_null):
2578         (JSC::JIT::emit_op_neq_null):
2579         (JSC::JIT::emitSlow_op_loop_hint):
2580         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2581         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2582         * jit/JITOpcodes32_64.cpp:
2583         (JSC::JIT::emit_op_jfalse):
2584         (JSC::JIT::emit_op_jtrue):
2585         (JSC::JIT::emit_op_throw):
2586         (JSC::JIT::emit_op_catch):
2587         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2588         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2589         * jit/JITOperations.cpp:
2590         (JSC::operationNewFunctionCommon):
2591         (JSC::tryGetByValOptimize):
2592         * jit/JITPropertyAccess.cpp:
2593         (JSC::JIT::emitWriteBarrier):
2594         * jit/JITThunks.cpp:
2595         (JSC::JITThunks::ctiNativeCall):
2596         (JSC::JITThunks::ctiNativeConstruct):
2597         (JSC::JITThunks::ctiNativeTailCall):
2598         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
2599         (JSC::JITThunks::ctiInternalFunctionCall):
2600         (JSC::JITThunks::ctiInternalFunctionConstruct):
2601         (JSC::JITThunks::ctiStub):
2602         (JSC::JITThunks::hostFunctionStub):
2603         * jit/JITThunks.h:
2604         * jit/JITWorklist.cpp:
2605         (JSC::JITWorklist::Plan::vm):
2606         (JSC::JITWorklist::completeAllForVM):
2607         (JSC::JITWorklist::poll):
2608         (JSC::JITWorklist::compileLater):
2609         (JSC::JITWorklist::compileNow):
2610         * jit/Repatch.cpp:
2611         (JSC::readPutICCallTarget):
2612         (JSC::ftlThunkAwareRepatchCall):
2613         (JSC::linkSlowFor):
2614         (JSC::linkFor):
2615         (JSC::linkDirectFor):
2616         (JSC::revertCall):
2617         (JSC::unlinkFor):
2618         (JSC::linkVirtualFor):
2619         (JSC::linkPolymorphicCall):
2620         * jit/SpecializedThunkJIT.h:
2621         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
2622         * jit/ThunkGenerator.h:
2623         * jit/ThunkGenerators.cpp:
2624         (JSC::throwExceptionFromCallSlowPathGenerator):
2625         (JSC::slowPathFor):
2626         (JSC::linkCallThunkGenerator):
2627         (JSC::linkPolymorphicCallThunkGenerator):
2628         (JSC::virtualThunkFor):
2629         (JSC::nativeForGenerator):
2630         (JSC::nativeCallGenerator):
2631         (JSC::nativeTailCallGenerator):
2632         (JSC::nativeTailCallWithoutSavedTagsGenerator):
2633         (JSC::nativeConstructGenerator):
2634         (JSC::internalFunctionCallGenerator):
2635         (JSC::internalFunctionConstructGenerator):
2636         (JSC::arityFixupGenerator):
2637         (JSC::unreachableGenerator):
2638         (JSC::stringGetByValGenerator):
2639         (JSC::charToString):
2640         (JSC::charCodeAtThunkGenerator):
2641         (JSC::charAtThunkGenerator):
2642         (JSC::fromCharCodeThunkGenerator):
2643         (JSC::clz32ThunkGenerator):
2644         (JSC::sqrtThunkGenerator):
2645         (JSC::floorThunkGenerator):
2646         (JSC::ceilThunkGenerator):
2647         (JSC::truncThunkGenerator):
2648         (JSC::roundThunkGenerator):
2649         (JSC::expThunkGenerator):
2650         (JSC::logThunkGenerator):
2651         (JSC::absThunkGenerator):
2652         (JSC::imulThunkGenerator):
2653         (JSC::randomThunkGenerator):
2654         (JSC::boundThisNoArgsFunctionCallGenerator):
2655         * jit/ThunkGenerators.h:
2656         * jsc.cpp:
2657         (GlobalObject::finishCreation):
2658         (GlobalObject::addFunction):
2659         (GlobalObject::moduleLoaderImportModule):
2660         (GlobalObject::moduleLoaderResolve):
2661         (GlobalObject::moduleLoaderCreateImportMetaProperties):
2662         (functionDescribe):
2663         (functionDescribeArray):
2664         (JSCMemoryFootprint::addProperty):
2665         (functionRun):
2666         (functionRunString):
2667         (functionReadFile):
2668         (functionCallerSourceOrigin):
2669         (functionReadline):
2670         (functionDollarCreateRealm):
2671         (functionDollarEvalScript):
2672         (functionDollarAgentGetReport):
2673         (functionWaitForReport):
2674         (functionJSCOptions):
2675         (functionCheckModuleSyntax):
2676         (functionGenerateHeapSnapshotForGCDebugging):
2677         (functionWebAssemblyMemoryMode):
2678         (dumpException):
2679         (checkUncaughtException):
2680         * llint/LLIntSlowPaths.cpp:
2681         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2682         (JSC::LLInt::handleHostCall):
2683         * parser/ASTBuilder.h:
2684         (JSC::ASTBuilder::ASTBuilder):
2685         (JSC::ASTBuilder::createResolve):
2686         (JSC::ASTBuilder::createGetterOrSetterProperty):
2687         (JSC::ASTBuilder::createProperty):
2688         (JSC::ASTBuilder::createFuncDeclStatement):
2689         (JSC::ASTBuilder::makeFunctionCallNode):
2690         * parser/Lexer.cpp:
2691         (JSC::Lexer<T>::Lexer):
2692         (JSC::Lexer<LChar>::parseIdentifier):
2693         (JSC::Lexer<UChar>::parseIdentifier):
2694         * parser/Lexer.h:
2695         (JSC::Lexer<T>::lexExpectIdentifier):
2696         * parser/ModuleAnalyzer.cpp:
2697         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2698         * parser/ModuleAnalyzer.h:
2699         (JSC::ModuleAnalyzer::vm):
2700         * parser/Parser.cpp:
2701         (JSC::Parser<LexerType>::Parser):
2702         (JSC::Parser<LexerType>::parseInner):
2703         (JSC::Parser<LexerType>::isArrowFunctionParameters):
2704         (JSC::Parser<LexerType>::parseSourceElements):
2705         (JSC::Parser<LexerType>::parseModuleSourceElements):
2706         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
2707         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2708         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2709         (JSC::Parser<LexerType>::parseSingleFunction):
2710         (JSC::Parser<LexerType>::parseStatementListItem):
2711         (JSC::Parser<LexerType>::parseObjectRestAssignmentElement):
2712         (JSC::Parser<LexerType>::parseAssignmentElement):
2713         (JSC::Parser<LexerType>::parseDestructuringPattern):
2714         (JSC::Parser<LexerType>::parseForStatement):
2715         (JSC::Parser<LexerType>::parseBreakStatement):
2716         (JSC::Parser<LexerType>::parseContinueStatement):
2717         (JSC::Parser<LexerType>::parseStatement):
2718         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
2719         (JSC::Parser<LexerType>::createGeneratorParameters):
2720         (JSC::Parser<LexerType>::parseFunctionInfo):
2721         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2722         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2723         (JSC::Parser<LexerType>::parseClassDeclaration):
2724         (JSC::Parser<LexerType>::parseClass):
2725         (JSC::Parser<LexerType>::parseImportClauseItem):
2726         (JSC::Parser<LexerType>::parseImportDeclaration):
2727         (JSC::Parser<LexerType>::parseExportSpecifier):
2728         (JSC::Parser<LexerType>::parseExportDeclaration):
2729         (JSC::Parser<LexerType>::parseAssignmentExpression):
2730         (JSC::Parser<LexerType>::parseProperty):
2731         (JSC::Parser<LexerType>::parseGetterSetter):
2732         (JSC::Parser<LexerType>::parseObjectLiteral):
2733         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
2734         (JSC::Parser<LexerType>::parseClassExpression):
2735         (JSC::Parser<LexerType>::parseFunctionExpression):
2736         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2737         (JSC::Parser<LexerType>::parsePrimaryExpression):
2738         (JSC::Parser<LexerType>::parseMemberExpression):
2739         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
2740         (JSC::Parser<LexerType>::parseUnaryExpression):
2741         * parser/Parser.h:
2742         (JSC::isArguments):
2743         (JSC::isEval):
2744         (JSC::isEvalOrArgumentsIdentifier):
2745         (JSC::Scope::Scope):
2746         (JSC::Scope::declareParameter):
2747         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
2748         (JSC::Scope::collectFreeVariables):
2749         (JSC::Parser::canRecurse):
2750         (JSC::parse):
2751         (JSC::parseFunctionForFunctionConstructor):
2752         * parser/ParserArena.h:
2753         (JSC::IdentifierArena::makeIdentifier):
2754         (JSC::IdentifierArena::makeEmptyIdentifier):
2755         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
2756         (JSC::IdentifierArena::makeNumericIdentifier):
2757         * parser/SyntaxChecker.h:
2758         (JSC::SyntaxChecker::SyntaxChecker):
2759         (JSC::SyntaxChecker::createProperty):
2760         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2761         * profiler/ProfilerBytecode.cpp:
2762         (JSC::Profiler::Bytecode::toJS const):
2763         * profiler/ProfilerBytecodeSequence.cpp:
2764         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
2765         * profiler/ProfilerBytecodes.cpp:
2766         (JSC::Profiler::Bytecodes::toJS const):
2767         * profiler/ProfilerCompilation.cpp:
2768         (JSC::Profiler::Compilation::toJS const):
2769         * profiler/ProfilerCompiledBytecode.cpp:
2770         (JSC::Profiler::CompiledBytecode::toJS const):
2771         * profiler/ProfilerEvent.cpp:
2772         (JSC::Profiler::Event::toJS const):
2773         * profiler/ProfilerOSRExit.cpp:
2774         (JSC::Profiler::OSRExit::toJS const):
2775         * profiler/ProfilerOSRExitSite.cpp:
2776         (JSC::Profiler::OSRExitSite::toJS const):
2777         * profiler/ProfilerUID.cpp:
2778         (JSC::Profiler::UID::toJS const):
2779         * runtime/AbstractModuleRecord.cpp:
2780         (JSC::AbstractModuleRecord::finishCreation):
2781         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2782         (JSC::AbstractModuleRecord::resolveExportImpl):
2783         (JSC::getExportedNames):
2784         (JSC::AbstractModuleRecord::getModuleNamespace):
2785         * runtime/ArrayBufferNeuteringWatchpointSet.cpp:
2786         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
2787         * runtime/ArrayIteratorPrototype.cpp:
2788         (JSC::ArrayIteratorPrototype::finishCreation):
2789         * runtime/ArrayPrototype.cpp:
2790         (JSC::fastJoin):
2791         (JSC::arrayProtoFuncToLocaleString):
2792         (JSC::slowJoin):
2793         (JSC::arrayProtoFuncJoin):
2794         (JSC::arrayProtoFuncPush):
2795         * runtime/AsyncFunctionPrototype.cpp:
2796         (JSC::AsyncFunctionPrototype::finishCreation):
2797         * runtime/AsyncGeneratorFunctionPrototype.cpp:
2798         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
2799         * runtime/AsyncGeneratorPrototype.cpp:
2800         (JSC::AsyncGeneratorPrototype::finishCreation):
2801         * runtime/AtomicsObject.cpp:
2802         (JSC::AtomicsObject::finishCreation):
2803         (JSC::atomicsFuncWait):
2804         (JSC::operationAtomicsAdd):
2805         (JSC::operationAtomicsAnd):
2806         (JSC::operationAtomicsCompareExchange):
2807         (JSC::operationAtomicsExchange):
2808         (JSC::operationAtomicsIsLockFree):
2809         (JSC::operationAtomicsLoad):
2810         (JSC::operationAtomicsOr):
2811         (JSC::operationAtomicsStore):
2812         (JSC::operationAtomicsSub):
2813         (JSC::operationAtomicsXor):
2814         * runtime/BigIntPrototype.cpp:
2815         (JSC::BigIntPrototype::finishCreation):
2816         (JSC::bigIntProtoFuncToString):
2817         * runtime/CachedTypes.cpp:
2818         (JSC::CachedUniquedStringImplBase::decode const):
2819         (JSC::CachedIdentifier::decode const):
2820         (JSC::CachedJSValue::decode const):
2821         * runtime/CodeCache.cpp:
2822         (JSC::CodeCacheMap::pruneSlowCase):
2823         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2824         * runtime/CodeCache.h:
2825         (JSC::generateUnlinkedCodeBlockImpl):
2826         * runtime/CommonIdentifiers.cpp:
2827         (JSC::CommonIdentifiers::CommonIdentifiers):
2828         * runtime/CommonIdentifiers.h:
2829         * runtime/CommonSlowPaths.cpp:
2830         (JSC::SLOW_PATH_DECL):
2831         * runtime/Completion.cpp:
2832         (JSC::checkSyntaxInternal):
2833         (JSC::checkModuleSyntax):
2834         (JSC::loadAndEvaluateModule):
2835         (JSC::loadModule):
2836         * runtime/DateConstructor.cpp:
2837         (JSC::callDate):
2838         * runtime/DatePrototype.cpp:
2839         (JSC::formatLocaleDate):
2840         (JSC::formateDateInstance):
2841         (JSC::DatePrototype::finishCreation):
2842         (JSC::dateProtoFuncToISOString):
2843         * runtime/Error.cpp:
2844         (JSC::addErrorInfo):
2845         * runtime/ErrorInstance.cpp:
2846         (JSC::appendSourceToError):
2847         (JSC::ErrorInstance::finishCreation):
2848         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2849         * runtime/ErrorPrototype.cpp:
2850         (JSC::ErrorPrototype::finishCreation):
2851         (JSC::errorProtoFuncToString):
2852         * runtime/ExceptionHelpers.cpp:
2853         (JSC::TerminatedExecutionError::defaultValue):
2854         * runtime/FunctionPrototype.cpp:
2855         (JSC::functionProtoFuncToString):
2856         * runtime/FunctionRareData.cpp:
2857         (JSC::FunctionRareData::clear):
2858         * runtime/GeneratorFunctionPrototype.cpp:
2859         (JSC::GeneratorFunctionPrototype::finishCreation):
2860         * runtime/GeneratorPrototype.cpp:
2861         (JSC::GeneratorPrototype::finishCreation):
2862         * runtime/GenericArgumentsInlines.h:
2863         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2864         * runtime/GetterSetter.h:
2865         * runtime/Identifier.cpp:
2866         (JSC::Identifier::add):
2867         (JSC::Identifier::add8):
2868         (JSC::Identifier::from):
2869         (JSC::Identifier::checkCurrentAtomStringTable):
2870         * runtime/Identifier.h:
2871         (JSC::Identifier::fromString):
2872         (JSC::Identifier::createLCharFromUChar):
2873         (JSC::Identifier::Identifier):
2874         (JSC::Identifier::add):
2875         * runtime/IdentifierInlines.h:
2876         (JSC::Identifier::Identifier):
2877         (JSC::Identifier::add):
2878         (JSC::Identifier::fromUid):
2879         (JSC::Identifier::fromString):
2880         (JSC::identifierToJSValue):
2881         (JSC::identifierToSafePublicJSValue):
2882         * runtime/InternalFunction.cpp:
2883         (JSC::InternalFunction::finishCreation):
2884         * runtime/IntlCollator.cpp:
2885         (JSC::IntlCollator::resolvedOptions):
2886         * runtime/IntlCollatorPrototype.cpp:
2887         (JSC::IntlCollatorPrototype::finishCreation):
2888         * runtime/IntlDateTimeFormat.cpp:
2889         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
2890         (JSC::IntlDateTimeFormat::resolvedOptions):
2891         (JSC::IntlDateTimeFormat::format):
2892         (JSC::IntlDateTimeFormat::formatToParts):
2893         * runtime/IntlDateTimeFormatPrototype.cpp:
2894         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2895         * runtime/IntlNumberFormat.cpp:
2896         (JSC::IntlNumberFormat::initializeNumberFormat):
2897         (JSC::IntlNumberFormat::formatNumber):
2898         (JSC::IntlNumberFormat::resolvedOptions):
2899         (JSC::IntlNumberFormat::formatToParts):
2900         * runtime/IntlNumberFormatPrototype.cpp:
2901         (JSC::IntlNumberFormatPrototype::finishCreation):
2902         * runtime/IntlObject.cpp:
2903         (JSC::lookupSupportedLocales):
2904         (JSC::supportedLocales):
2905         (JSC::intlObjectFuncGetCanonicalLocales):
2906         * runtime/IntlPluralRules.cpp:
2907         (JSC::IntlPluralRules::initializePluralRules):
2908         (JSC::IntlPluralRules::resolvedOptions):
2909         (JSC::IntlPluralRules::select):
2910         * runtime/IntlPluralRulesPrototype.cpp:
2911         (JSC::IntlPluralRulesPrototype::finishCreation):
2912         * runtime/JSArray.h:
2913         (JSC::asArray):
2914         (JSC::isJSArray):
2915         * runtime/JSArrayBufferPrototype.cpp:
2916         (JSC::JSArrayBufferPrototype::finishCreation):
2917         * runtime/JSArrayBufferView.cpp:
2918         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
2919         * runtime/JSCJSValue.cpp:
2920         (JSC::JSValue::putToPrimitiveByIndex):
2921         (JSC::JSValue::dumpForBacktrace const):
2922         (JSC::JSValue::toStringSlowCase const):
2923         * runtime/JSCJSValueInlines.h:
2924         (JSC::JSValue::toPropertyKey const):
2925         (JSC::JSValue::get const):
2926         * runtime/JSCast.h:
2927         (JSC::jsCast):
2928         * runtime/JSCell.cpp:
2929         (JSC::JSCell::dump const):
2930         (JSC::JSCell::dumpToStream):
2931         (JSC::JSCell::putByIndex):
2932         * runtime/JSCellInlines.h:
2933         (JSC::JSCell::structure const):
2934         (JSC::ExecState::vm const):
2935         (JSC::tryAllocateCellHelper):
2936         * runtime/JSDataViewPrototype.cpp:
2937         (JSC::JSDataViewPrototype::finishCreation):
2938         * runtime/JSFixedArray.cpp:
2939         (JSC::JSFixedArray::dumpToStream):
2940         * runtime/JSFunction.cpp:
2941         (JSC::JSFunction::finishCreation):
2942         (JSC::RetrieveCallerFunctionFunctor::operator() const):
2943         (JSC::JSFunction::reifyName):
2944         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2945         (JSC::JSFunction::assertTypeInfoFlagInvariants):
2946         * runtime/JSGenericTypedArrayViewInlines.h:
2947         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
2948         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
2949         * runtime/JSGlobalObject.cpp:
2950         (JSC::JSGlobalObject::init):
2951         (JSC::JSGlobalObject::exposeDollarVM):
2952         * runtime/JSGlobalObjectFunctions.cpp:
2953         (JSC::encode):
2954         (JSC::decode):
2955         (JSC::globalFuncEscape):
2956         (JSC::globalFuncUnescape):
2957         (JSC::globalFuncBuiltinDescribe):
2958         * runtime/JSLexicalEnvironment.cpp:
2959         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2960         * runtime/JSModuleEnvironment.cpp:
2961         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2962         (JSC::JSModuleEnvironment::put):
2963         (JSC::JSModuleEnvironment::deleteProperty):
2964         * runtime/JSModuleLoader.cpp:
2965         (JSC::JSModuleLoader::finishCreation):
2966         (JSC::JSModuleLoader::requestImportModule):
2967         (JSC::moduleLoaderParseModule):
2968         (JSC::moduleLoaderRequestedModules):
2969         * runtime/JSModuleNamespaceObject.cpp:
2970         (JSC::JSModuleNamespaceObject::finishCreation):
2971         (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex):
2972         * runtime/JSModuleRecord.cpp:
2973         (JSC::JSModuleRecord::instantiateDeclarations):
2974         * runtime/JSONObject.cpp:
2975         (JSC::JSONObject::finishCreation):
2976         (JSC::PropertyNameForFunctionCall::value const):
2977         (JSC::Stringifier::Stringifier):
2978         (JSC::Stringifier::stringify):
2979         (JSC::Stringifier::Holder::appendNextProperty):
2980         (JSC::Walker::walk):
2981         * runtime/JSObject.cpp:
2982         (JSC::getClassPropertyNames):
2983         (JSC::JSObject::getOwnPropertySlotByIndex):
2984         (JSC::JSObject::putByIndex):
2985         (JSC::JSObject::deletePropertyByIndex):
2986         (JSC::JSObject::toString const):
2987         (JSC::JSObject::reifyAllStaticProperties):
2988         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2989         * runtime/JSObject.h:
2990         (JSC::JSObject::putByIndexInline):
2991         (JSC::JSObject::butterflyPreCapacity):
2992         (JSC::JSObject::butterflyTotalSize):
2993         (JSC::makeIdentifier):
2994         * runtime/JSPromisePrototype.cpp:
2995         (JSC::JSPromisePrototype::finishCreation):
2996         * runtime/JSPropertyNameEnumerator.cpp:
2997         (JSC::JSPropertyNameEnumerator::finishCreation):
2998         * runtime/JSPropertyNameEnumerator.h:
2999         (JSC::propertyNameEnumerator):
3000         * runtime/JSRunLoopTimer.cpp:
3001         (JSC::JSRunLoopTimer::JSRunLoopTimer):
3002         * runtime/JSRunLoopTimer.h:
3003         * runtime/JSString.cpp:
3004         (JSC::JSString::dumpToStream):
3005         (JSC::JSRopeString::resolveRopeWithFunction const):
3006         (JSC::jsStringWithCacheSlowCase):
3007         * runtime/JSString.h:
3008         (JSC::jsEmptyString):
3009         (JSC::jsSingleCharacterString):
3010         (JSC::jsNontrivialString):
3011         (JSC::JSString::toIdentifier const):
3012         (JSC::JSString::toAtomString const):
3013         (JSC::JSString::toExistingAtomString const):
3014         (JSC::JSString::value const):
3015         (JSC::JSString::tryGetValue const):
3016         (JSC::JSString::getIndex):
3017         (JSC::jsString):
3018         (JSC::jsSubstring):
3019         (JSC::jsOwnedString):
3020         (JSC::jsStringWithCache):
3021         (JSC::JSRopeString::unsafeView const):
3022         (JSC::JSRopeString::viewWithUnderlyingString const):
3023         (JSC::JSString::unsafeView const):
3024         * runtime/JSStringInlines.h:
3025         (JSC::jsMakeNontrivialString):
3026         (JSC::repeatCharacter):
3027         * runtime/JSStringJoiner.cpp:
3028         (JSC::JSStringJoiner::join):
3029         * runtime/JSSymbolTableObject.cpp:
3030         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
3031         * runtime/JSTemplateObjectDescriptor.cpp:
3032         (JSC::JSTemplateObjectDescriptor::createTemplateObject):
3033         * runtime/JSTypedArrayViewPrototype.cpp:
3034         (JSC::typedArrayViewProtoGetterFuncToStringTag):
3035         * runtime/LazyClassStructure.cpp:
3036         (JSC::LazyClassStructure::Initializer::setConstructor):
3037         * runtime/LazyProperty.h:
3038         (JSC::LazyProperty::Initializer::Initializer):
3039         * runtime/LiteralParser.cpp:
3040         (JSC::LiteralParser<CharType>::tryJSONPParse):
3041         (JSC::LiteralParser<CharType>::makeIdentifier):
3042         (JSC::LiteralParser<CharType>::parse):
3043         * runtime/Lookup.h:
3044         (JSC::reifyStaticProperties):
3045         * runtime/MapIteratorPrototype.cpp:
3046         (JSC::MapIteratorPrototype::finishCreation):
3047         * runtime/MapPrototype.cpp:
3048         (JSC::MapPrototype::finishCreation):
3049         * runtime/MathObject.cpp:
3050         (JSC::MathObject::finishCreation):
3051         * runtime/NumberConstructor.cpp:
3052         (JSC::NumberConstructor::finishCreation):
3053         * runtime/NumberPrototype.cpp:
3054         (JSC::numberProtoFuncToExponential):
3055         (JSC::numberProtoFuncToFixed):
3056         (JSC::numberProtoFuncToPrecision):
3057         (JSC::int32ToStringInternal):
3058         (JSC::numberToStringInternal):
3059         (JSC::int52ToString):
3060         * runtime/ObjectConstructor.cpp:
3061         (JSC::objectConstructorGetOwnPropertyDescriptors):
3062         (JSC::objectConstructorAssign):
3063         (JSC::objectConstructorValues):
3064         (JSC::defineProperties):
3065         (JSC::setIntegrityLevel):
3066         (JSC::testIntegrityLevel):
3067         (JSC::ownPropertyKeys):
3068         * runtime/ObjectPrototype.cpp:
3069         (JSC::objectProtoFuncToString):
3070         * runtime/Operations.h:
3071         (JSC::jsString):
3072         (JSC::jsStringFromRegisterArray):
3073         (JSC::jsStringFromArguments):
3074         * runtime/ProgramExecutable.cpp:
3075         (JSC::ProgramExecutable::initializeGlobalProperties):
3076         * runtime/PromiseDeferredTimer.cpp:
3077         (JSC::PromiseDeferredTimer::PromiseDeferredTimer):
3078         (JSC::PromiseDeferredTimer::hasPendingPromise):
3079         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
3080         (JSC::PromiseDeferredTimer::cancelPendingPromise):
3081         * runtime/PropertyNameArray.h:
3082         (JSC::PropertyNameArray::PropertyNameArray):
3083         (JSC::PropertyNameArray::vm):
3084         * runtime/PropertySlot.h:
3085         (JSC::PropertySlot::getValue const):
3086         * runtime/ProxyObject.cpp:
3087         (JSC::performProxyGet):
3088         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3089         (JSC::ProxyObject::performHasProperty):
3090         (JSC::ProxyObject::getOwnPropertySlotByIndex):
3091         (JSC::ProxyObject::performPut):
3092         (JSC::ProxyObject::putByIndexCommon):
3093         (JSC::ProxyObject::performDelete):
3094         (JSC::ProxyObject::deletePropertyByIndex):
3095         (JSC::ProxyObject::performDefineOwnProperty):
3096         (JSC::ProxyObject::performGetOwnPropertyNames):
3097         * runtime/RegExpGlobalData.cpp:
3098         (JSC::RegExpGlobalData::getBackref):
3099         (JSC::RegExpGlobalData::getLastParen):
3100         * runtime/RegExpMatchesArray.cpp:
3101         (JSC::createEmptyRegExpMatchesArray):
3102         * runtime/RegExpMatchesArray.h:
3103         (JSC::createRegExpMatchesArray):
3104         * runtime/RegExpPrototype.cpp:
3105         (JSC::regExpProtoGetterFlags):
3106         (JSC::regExpProtoGetterSourceInternal):
3107         (JSC::regExpProtoGetterSource):
3108         * runtime/RegExpStringIteratorPrototype.cpp:
3109         (JSC::RegExpStringIteratorPrototype::finishCreation):
3110         * runtime/SamplingProfiler.cpp:
3111         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3112         * runtime/ScriptExecutable.cpp:
3113         (JSC::ScriptExecutable::installCode):
3114         (JSC::ScriptExecutable::newCodeBlockFor):
3115         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
3116         (JSC::setupJIT):
3117         * runtime/SetIteratorPrototype.cpp:
3118         (JSC::SetIteratorPrototype::finishCreation):
3119         * runtime/SetPrototype.cpp:
3120         (JSC::SetPrototype::finishCreation):
3121         * runtime/StackFrame.cpp:
3122         (JSC::StackFrame::computeLineAndColumn const):
3123         * runtime/StringConstructor.cpp:
3124         (JSC::stringFromCharCode):
3125         (JSC::stringFromCodePoint):
3126         (JSC::stringConstructor):
3127         (JSC::callStringConstructor):
3128         * runtime/StringIteratorPrototype.cpp:
3129         (JSC::StringIteratorPrototype::finishCreation):
3130         * runtime/StringObject.cpp:
3131         (JSC::StringObject::getOwnPropertySlotByIndex):
3132         (JSC::StringObject::getOwnPropertyNames):
3133         * runtime/StringObject.h:
3134         (JSC::StringObject::create):
3135         (JSC::jsStringWithReuse):
3136         (JSC::jsSubstring):
3137         * runtime/StringPrototype.cpp:
3138         (JSC::StringPrototype::finishCreation):
3139         (JSC::StringPrototype::create):
3140         (JSC::jsSpliceSubstrings):
3141         (JSC::jsSpliceSubstringsWithSeparators):
3142         (JSC::replaceUsingRegExpSearch):
3143         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
3144         (JSC::operationStringProtoFuncReplaceRegExpString):
3145         (JSC::replaceUsingStringSearch):
3146         (JSC::operationStringProtoFuncReplaceGeneric):
3147         (JSC::stringProtoFuncCharAt):
3148         (JSC::stringProtoFuncSplitFast):
3149         (JSC::stringProtoFuncSubstr):
3150         (JSC::stringProtoFuncToLowerCase):
3151         (JSC::stringProtoFuncToUpperCase):
3152         (JSC::toLocaleCase):
3153         (JSC::trimString):
3154         (JSC::normalize):
3155         * runtime/StringPrototypeInlines.h:
3156         (JSC::stringSlice):
3157         * runtime/StringRecursionChecker.cpp:
3158         (JSC::StringRecursionChecker::emptyString):
3159         * runtime/Structure.cpp:
3160         (JSC::Structure::didTransitionFromThisStructure const):
3161         * runtime/StructureInlines.h:
3162         (JSC::Structure::didReplaceProperty):
3163         (JSC::Structure::shouldConvertToPolyProto):
3164         * runtime/SymbolConstructor.cpp:
3165         (JSC::symbolConstructorKeyFor):
3166         * runtime/SymbolPrototype.cpp:
3167         (JSC::SymbolPrototype::finishCreation):
3168         (JSC::symbolProtoGetterDescription):
3169         (JSC::symbolProtoFuncToString):
3170         * runtime/SymbolTable.cpp:
3171         (JSC::SymbolTable::setRareDataCodeBlock):
3172         * runtime/TestRunnerUtils.cpp:
3173         (JSC::getExecutableForFunction):
3174         * runtime/VM.cpp:
3175         (JSC::VM::VM):
3176         (JSC::VM::getHostFunction):
3177         (JSC::VM::getCTIInternalFunctionTrampolineFor):
3178         (JSC::VM::shrinkFootprintWhenIdle):
3179         (JSC::logSanitizeStack):
3180         (JSC::sanitizeStackForVM):
3181         (JSC::VM::emptyPropertyNameEnumeratorSlow):
3182         * runtime/VM.h:
3183         (JSC::VM::getCTIStub):
3184         (JSC::WeakSet::heap const):
3185         * runtime/VMTraps.cpp:
3186         * runtime/WeakMapPrototype.cpp:
3187         (JSC::WeakMapPrototype::finishCreation):
3188         * runtime/WeakObjectRefPrototype.cpp:
3189         (JSC::WeakObjectRefPrototype::finishCreation):
3190         * runtime/WeakSetPrototype.cpp:
3191         (JSC::WeakSetPrototype::finishCreation):
3192         * tools/HeapVerifier.cpp:
3193         (JSC::HeapVerifier::printVerificationHeader):
3194         (JSC::HeapVerifier::verifyCellList):
3195         (JSC::HeapVerifier::validateJSCell):
3196         (JSC::HeapVerifier::reportCell):
3197         * tools/JSDollarVM.cpp:
3198         (JSC::JSDollarVMCallFrame::finishCreation):
3199         (JSC::JSDollarVMCallFrame::addProperty):
3200         (JSC::CustomGetter::getOwnPropertySlot):
3201         (JSC::CustomGetter::customGetter):
3202         (JSC::CustomGetter::customGetterAcessor):
3203         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
3204         (JSC::DOMJITGetter::finishCreation):
3205         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
3206         (JSC::DOMJITGetterComplex::finishCreation):
3207         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
3208         (JSC::DOMJITFunctionObject::finishCreation):
3209         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
3210         (JSC::DOMJITCheckSubClassObject::finishCreation):
3211         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
3212         (JSC::DOMJITGetterBaseJSObject::finishCreation):
3213         (JSC::customSetAccessor):
3214         (JSC::customSetValue):
3215         (JSC::JSTestCustomGetterSetter::finishCreation):
3216         (JSC::WasmStreamingParser::finishCreation):
3217         (JSC::getExecutableForFunction):
3218         (JSC::functionCodeBlockFor):
3219         (JSC::functionIndexingMode):
3220         (JSC::functionValue):
3221         (JSC::functionCreateBuiltin):
3222         (JSC::functionGetPrivateProperty):
3223         (JSC::JSDollarVM::finishCreation):
3224         (JSC::JSDollarVM::addFunction):
3225         (JSC::JSDollarVM::addConstructibleFunction):
3226         * tools/VMInspector.cpp:
3227         (JSC::VMInspector::dumpRegisters):
3228         (JSC::VMInspector::dumpCellMemoryToStream):
3229         * wasm/WasmInstance.cpp:
3230         (JSC::Wasm::Instance::setGlobal):
3231         (JSC::Wasm::Instance::setFunctionWrapper):
3232         (JSC::Wasm::setWasmTableElement):
3233         (JSC::Wasm::doWasmRefFunc):
3234         * wasm/WasmTable.cpp:
3235         (JSC::Wasm::Table::set):
3236         (JSC::Wasm::FuncRefTable::setFunction):
3237         * wasm/js/JSWebAssembly.cpp:
3238         (JSC::resolve):
3239         * wasm/js/JSWebAssemblyInstance.cpp:
3240         (JSC::JSWebAssemblyInstance::create):
3241         * wasm/js/WasmToJS.cpp:
3242         (JSC::Wasm::handleBadI64Use):
3243         (JSC::Wasm::wasmToJS):
3244         (JSC::Wasm::wasmToJSException):
3245         * wasm/js/WebAssemblyFunction.cpp:
3246         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
3247         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3248         (JSC::constructJSWebAssemblyMemory):
3249         * wasm/js/WebAssemblyModuleConstructor.cpp:
3250         (JSC::webAssemblyModuleImports):
3251         (JSC::webAssemblyModuleExports):
3252         * wasm/js/WebAssemblyModuleRecord.cpp:
3253         (JSC::WebAssemblyModuleRecord::finishCreation):
3254         (JSC::WebAssemblyModuleRecord::link):
3255         * wasm/js/WebAssemblyTableConstructor.cpp:
3256         (JSC::constructJSWebAssemblyTable):
3257
3258 2019-08-27  Devin Rousso  <drousso@apple.com>
3259
3260         Web Inspector: don't attach properties to `injectedScript` for the CommandLineAPI
3261         https://bugs.webkit.org/show_bug.cgi?id=201193
3262
3263         Reviewed by Joseph Pecoraro.
3264
3265         For some reason, adding `injectedScript._inspectObject` inside CommandLineAPIModuleSource.js
3266         causes inspector/debugger/tail-deleted-frames-this-value.html to fail.
3267
3268         We should have a similar approach to adding command line api getters and functions, in that
3269         the CommandLineAPIModuleSource.js calls a function with a callback.
3270
3271         * inspector/InjectedScriptSource.js:
3272         (InjectedScript.prototype.inspectObject):
3273         (InjectedScript.prototype.setInspectObject): Added.
3274         (InjectedScript.prototype._evaluateOn):
3275
3276 2019-08-27  Mark Lam  <mark.lam@apple.com>
3277
3278         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
3279         https://bugs.webkit.org/show_bug.cgi?id=201196
3280         <rdar://problem/54703775>
3281
3282         Reviewed by Yusuke Suzuki.
3283
3284         * runtime/FunctionConstructor.cpp:
3285         (JSC::constructFunctionSkippingEvalEnabledCheck):
3286
3287 2019-08-27  Keith Miller  <keith_miller@apple.com>
3288
3289         When dumping Air Graphs BBQ should dump patchpoints.
3290         https://bugs.webkit.org/show_bug.cgi?id=201167
3291
3292         Reviewed by Filip Pizlo.
3293
3294         * wasm/WasmAirIRGenerator.cpp:
3295         (JSC::Wasm::AirIRGenerator:: const):
3296         (JSC::Wasm::AirIRGenerator::addPatchpoint):
3297         (JSC::Wasm::parseAndCompileAir):
3298
3299 2019-08-27  Basuke Suzuki  <Basuke.Suzuki@sony.com>
3300
3301         [RemoteInspector][Socket] Restructuring the components of Socket implementation