ee6c6ca88221a82470a2402732f00cd870253484
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-08-31  Mark Lam  <mark.lam@apple.com>

        Add missing exception check in arrayProtoFuncLastIndexOf().
        https://bugs.webkit.org/show_bug.cgi?id=189184
        <rdar://problem/39785959>

        Reviewed by Yusuke Suzuki.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncLastIndexOf):

2018-08-31  Saam barati  <sbarati@apple.com>

        convertToRegExpMatchFastGlobal must use KnownString as the child use kind
        https://bugs.webkit.org/show_bug.cgi?id=189173
        <rdar://problem/43501645>

        Reviewed by Michael Saboff.

        We were crashing during validation because mayExit returned true
        at a point in the program when we weren't allowed to exit.

        The issue is in StrengthReduction: we end up emitting code that
        had a StringUse on an edge after a node that did side effects and before
        an ExitOK/bytecode number transition. However, StrengthReduction did the
        right thing here and also emitted the type checks before the node with
        side effects. It just did bad bookkeeping. The node we convert to needs
        to use KnownStringUse instead of StringUse for the child edge.

        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
        (JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
        (JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
        * dfg/DFGNode.h:
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2018-08-30  Saam barati  <sbarati@apple.com>

        Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
        https://bugs.webkit.org/show_bug.cgi?id=189166

        Reviewed by Mark Lam.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
        * bytecode/InlineAccess.cpp:
        (JSC::getScratchRegister):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::valueRegs const):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):

2018-08-30  Saam barati  <sbarati@apple.com>

        InlineAccess should do StringLength
        https://bugs.webkit.org/show_bug.cgi?id=158911

        Reviewed by Yusuke Suzuki.

        This patch extends InlineAccess to support StringLength. This patch also
        fixes AccessCase::fromStructureStubInfo to support ArrayLength and StringLength.
        I forgot to implement this for ArrayLength in the initial InlineAccess
        implementation.  Supporting StringLength is a natural extension of the
        InlineAccess machinery.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch8):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::patchableBranch8):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::getScratchRegister):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):
        (JSC::InlineAccess::generateSelfInAccess):
        (JSC::InlineAccess::generateStringLength):
        * bytecode/InlineAccess.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initStringLength):
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::baseGPR const):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2018-08-30  Saam barati  <sbarati@apple.com>

        CSE DataViewGet* DFG nodes
        https://bugs.webkit.org/show_bug.cgi?id=188768

        Reviewed by Yusuke Suzuki.

        This patch makes it so that we CSE DataViewGet* accesses. To do this,
        I needed to add a third descriptor to HeapLocation to represent the
        isLittleEndian child. This patch is neutral on compile time benchmarks,
        and is a 50% speedup on a trivial CSE microbenchmark that I added.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        (JSC::DFG::HeapLocation::HeapLocation):
        (JSC::DFG::HeapLocation::hash const):
        (JSC::DFG::HeapLocation::operator== const):
        (JSC::DFG::indexedPropertyLocForResultType):

2018-08-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        output of toString() of Generator is wrong
        https://bugs.webkit.org/show_bug.cgi?id=188952

        Reviewed by Saam Barati.

        Function#toString does not respect generator and async generator.
        This patch fixes them and supports all the function types.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-08-29  Mark Lam  <mark.lam@apple.com>

        Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
        https://bugs.webkit.org/show_bug.cgi?id=189132
        <rdar://problem/42513068>

        Reviewed by Saam Barati.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey const):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):

2018-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r235432 and r235436.
        https://bugs.webkit.org/show_bug.cgi?id=189086

        Is a Swift source-breaking change. (Requested by keith_miller
        on #webkit).

        Reverted changesets:

        "Add nullability attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235432

        "Add nullability attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235436

2018-08-28  Mark Lam  <mark.lam@apple.com>

        Fix bit-rotted Interpreter::dumpRegisters() and move it to the VMInspector.
        https://bugs.webkit.org/show_bug.cgi?id=189059
        <rdar://problem/40335354>

        Reviewed by Saam Barati.

        1. Moved Interpreter::dumpRegisters() to VMInspector::dumpRegisters().
        2. Added $vm.dumpRegisters().

            Usage: $vm.dumpRegisters(N) // dump the registers of the Nth CallFrame.
            Usage: $vm.dumpRegisters() // dump the registers of the current CallFrame.

           Note: Currently, $vm.dumpRegisters() only dumps registers in the physical frame.
           It will treat inlined frames' content as registers in the bounding physical frame.

           Here's an example of such a dump on a DFG frame:

                Register frame:

                -----------------------------------------------------------------------------
                            use            |   address  |                value
                -----------------------------------------------------------------------------
                [r 12 arguments[  7]]      | 0x7ffeefbfd330 | 0xa                Undefined
                [r 11 arguments[  6]]      | 0x7ffeefbfd328 | 0x10bbb3e80        Object: 0x10bbb3e80 with butterfly 0x0 (Structure 0x10bbf20d0:[Object, {}, NonArray, Proto:0x10bbb4000]), StructureID: 76
                [r 10 arguments[  5]]      | 0x7ffeefbfd320 | 0xa                Undefined
                [r  9 arguments[  4]]      | 0x7ffeefbfd318 | 0xa                Undefined
                [r  8 arguments[  3]]      | 0x7ffeefbfd310 | 0xa                Undefined
                [r  7 arguments[  2]]      | 0x7ffeefbfd308 | 0xffff0000000a5eaa Int32: 679594
                [r  6 arguments[  1]]      | 0x7ffeefbfd300 | 0x10bbd00f0        Object: 0x10bbd00f0 with butterfly 0x8000f8248 (Structure 0x10bba4700:[Function, {name:100, prototype:101, length:102, Symbol.species:103, isArray:104}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 160
                [r  5           this]      | 0x7ffeefbfd2f8 | 0x10bbe0000        Object: 0x10bbe0000 with butterfly 0x8000d8808 (Structure 0x10bb35340:[global, {parseInt:100, parseFloat:101, Object:102, Function:103, Array:104, RegExp:105, RangeError:106, TypeError:107, PrivateSymbol.Object:108, PrivateSymbol.Array:109, ArrayBuffer:110, String:111, Symbol:112, Number:113, Boolean:114, Error:115, Map:116, Set:117, Promise:118, eval:119, Reflect:121, $vm:122, WebAssembly:123, debug:124, describe:125, describeArray:126, print:127, printErr:128, quit:129, gc:130, fullGC:131, edenGC:132, forceGCSlowPaths:133, gcHeapSize:134, addressOf:135, version:136, run:137, runString:138, load:139, loadString:140, readFile:141, read:142, checkSyntax:143, sleepSeconds:144, jscStack:145, readline:146, preciseTime:147, neverInlineFunction:148, noInline:149, noDFG:150, noFTL:151, numberOfDFGCompiles:153, jscOptions:154, optimizeNextInvocation:155, reoptimizationRetryCount:156, transferArrayBuffer:157, failNextNewCodeBlock:158, OSRExit:159, isFinalTier:160, predictInt32:161, isInt32:162, isPureNaN:163, fiatInt52:164, effectful42:165, makeMasquerader:166, hasCustomProperties:167, createGlobalObject:168, dumpTypesForAllVariables:169, drainMicrotasks:170, getRandomSeed:171, setRandomSeed:172, isRope:173, callerSourceOrigin:174, is32BitPlatform:175, loadModule:176, checkModuleSyntax:177, platformSupportsSamplingProfiler:178, generateHeapSnapshot:179, resetSuperSamplerState:180, ensureArrayStorage:181, startSamplingProfiler:182, samplingProfilerStackTraces:183, maxArguments:184, asyncTestStart:185, asyncTestPassed:186, WebAssemblyMemoryMode:187, console:188, $:189, $262:190, waitForReport:191, heapCapacity:192, flashHeapAccess:193, disableRichSourceInfo:194, mallocInALoop:195, totalCompileTime:196, Proxy:197, uneval:198, WScript:199, failWithMessage:200, triggerAssertFalse:201, isNaN:202, isFinite:203, escape:204, unescape:205, decodeURI:206, decodeURIComponent:207, encodeURI:208, encodeURIComponent:209, EvalError:210, ReferenceError:211, SyntaxError:212, URIError:213, JSON:214, Math:215, Int8Array:216, PrivateSymbol.Int8Array:217, Int16Array:218, PrivateSymbol.Int16Array:219, Int32Array:220, PrivateSymbol.Int32Array:221, Uint8Array:222, PrivateSymbol.Uint8Array:223, Uint8ClampedArray:224, PrivateSymbol.Uint8ClampedArray:225, Uint16Array:226, PrivateSymbol.Uint16Array:227, Uint32Array:228, PrivateSymbol.Uint32Array:229, Float32Array:230, PrivateSymbol.Float32Array:231, Float64Array:232, PrivateSymbol.Float64Array:233, DataView:234, Date:235, WeakMap:236, WeakSet:237, Intl:120, desc:238}, NonArray, Proto:0x10bbb4000, UncacheableDictionary, Leaf]), StructureID: 474
                -----------------------------------------------------------------------------
                [ArgumentCount]            | 0x7ffeefbfd2f0 | 7
                [ReturnVPC]                | 0x7ffeefbfd2f0 | 164 (line 57)
                [Callee]                   | 0x7ffeefbfd2e8 | 0x10bb68db0        Object: 0x10bb68db0 with butterfly 0x0 (Structure 0x10bbf1c00:[Function, {}, NonArray, Proto:0x10bbd0000, Shady leaf]), StructureID: 65
                [CodeBlock]                | 0x7ffeefbfd2e0 | 0x10bb2f8e0        __callRandomFunction#DmVXnv:[0x10bb2f8e0->0x10bbfd1e0, LLIntFunctionCall, 253]
                [ReturnPC]                 | 0x7ffeefbfd2d8 | 0x10064d14c
                [CallerFrame]              | 0x7ffeefbfd2d0 | 0x7ffeefbfd380
                -----------------------------------------------------------------------------
                [r -1  CalleeSaveReg]      | 0x7ffeefbfd2c8 | 0xffff000000000002 Int32: 2
                [r -2  CalleeSaveReg]      | 0x7ffeefbfd2c0 | 0xffff000000000000 Int32: 0
                [r -3  CalleeSaveReg]      | 0x7ffeefbfd2b8 | 0x10baf1608
                [r -4               ]      | 0x7ffeefbfd2b0 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -5               ]      | 0x7ffeefbfd2a8 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -6               ]      | 0x7ffeefbfd2a0 | 0xa                Undefined
                -----------------------------------------------------------------------------
                [r -7]                     | 0x7ffeefbfd298 | 0x10bb6fdc0        String (atomic) (identifier): length, StructureID: 4
                [r -8]                     | 0x7ffeefbfd290 | 0x10bbb7ec0        Object: 0x10bbb7ec0 with butterfly 0x8000e0008 (Structure 0x10bbf2ae0:[Array, {}, ArrayWithContiguous, Proto:0x10bbc8080]), StructureID: 99
                [r -9]                     | 0x7ffeefbfd288 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
                [r-10]                     | 0x7ffeefbfd280 | 0xffff000000000004 Int32: 4
                [r-11]                     | 0x7ffeefbfd278 | 0x10bbb4290        Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306
                [r-12]                     | 0x7ffeefbfd270 | 0x100000001
                [r-13]                     | 0x7ffeefbfd268 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
                [r-14]                     | 0x7ffeefbfd260 | 0x0
                [r-15]                     | 0x7ffeefbfd258 | 0x10064d14c
                [r-16]                     | 0x7ffeefbfd250 | 0x7ffeefbfd2d0
                [r-17]                     | 0x7ffeefbfd248 | 0x67ec87ee177      INVALID
                [r-18]                     | 0x7ffeefbfd240 | 0x7ffeefbfd250
                -----------------------------------------------------------------------------

        3. Removed dumpCallFrame() from the jsc shell.  We have the following tools that
           we can use in its place:

            $vm.dumpCallFrame()
            $vm.dumpBytecodeFor()
            $vm.dumpRegisters()     // Just added in this patch.

        4. Also fixed a bug in BytecodeDumper: it should access
           CallLinkInfo::haveLastSeenCallee() only if CallLinkInfo::isDirect() is false.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCallOp):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpCallFrame): Deleted.
        (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): Deleted.
        (JSC::DumpReturnVirtualPCFunctor::operator() const): Deleted.
        (JSC::Interpreter::dumpRegisters): Deleted.
        * interpreter/Interpreter.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDumpCallFrame): Deleted.
        * tools/JSDollarVM.cpp:
        (JSC::functionDumpRegisters):
        (JSC::JSDollarVM::finishCreation):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpRegisters):
        * tools/VMInspector.h:

2018-08-28  Keith Miller  <keith_miller@apple.com>

        Add nullability attributes to JSValue
        https://bugs.webkit.org/show_bug.cgi?id=189047

        Reviewed by Dan Bernstein.

        Switch to using NS_ASSUME_NONNULL_BEGIN/END.

        * API/JSValue.h:

2018-08-28  Keith Miller  <keith_miller@apple.com>

        Add nullability attributes to JSValue
        https://bugs.webkit.org/show_bug.cgi?id=189047

        Reviewed by Geoffrey Garen.

        * API/JSValue.h:

2018-08-27  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [WebAssembly] Parse wasm modules in a streaming fashion
        https://bugs.webkit.org/show_bug.cgi?id=188943

        Reviewed by Mark Lam.

        This patch adds Wasm::StreamingParser, which parses a wasm binary in a streaming fashion.
        Currently, this StreamingParser is not enabled and integrated. In subsequent patches,
        we start integrating it into BBQPlan and dropping the old ModuleParser.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * tools/JSDollarVM.cpp:
        (WTF::WasmStreamingParser::WasmStreamingParser):
        (WTF::WasmStreamingParser::create):
        (WTF::WasmStreamingParser::createStructure):
        (WTF::WasmStreamingParser::streamingParser):
        (WTF::WasmStreamingParser::finishCreation):
        (WTF::functionWasmStreamingParserAddBytes):
        (WTF::functionWasmStreamingParserFinalize):
        (JSC::functionCreateWasmStreamingParser):
        (JSC::JSDollarVM::finishCreation):
        The $vm Wasm::StreamingParser object is introduced for testing purposes. The added stress test uses
        this interface to test the streaming parser in the JSC shell.

        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::BBQPlan):
        (JSC::Wasm::BBQPlan::parseAndValidateModule):
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::compileFunctions):
        (JSC::Wasm::BBQPlan::complete):
        (JSC::Wasm::BBQPlan::work):
        * wasm/WasmBBQPlan.h:
        BBQPlan has m_source, but once ModuleInformation is parsed, it is no longer necessary.
        In subsequent patches, we will remove this, and stream the data into the BBQPlan.

        * wasm/WasmFormat.h:
        * wasm/WasmModuleInformation.cpp:
        (JSC::Wasm::ModuleInformation::ModuleInformation):
        * wasm/WasmModuleInformation.h:
        One of the largest changes in this patch is that ModuleInformation no longer holds source bytes,
        since source bytes can be added in a streaming fashion. Instead of holding all the source bytes
        in ModuleInformation, each function (ModuleInformation::functions, FunctionData) should have
        Vector<uint8_t> for its data. This data is eventually filled by StreamingParser, and compiling
        a function with this data can be done concurrently with StreamingParser.

        (JSC::Wasm::ModuleInformation::create):
        (JSC::Wasm::ModuleInformation::memoryCount const):
        (JSC::Wasm::ModuleInformation::tableCount const):
        memoryCount and tableCount should be recorded in ModuleInformation.

        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        (JSC::Wasm::makeI32InitExpr): Deleted.
        (JSC::Wasm::ModuleParser::parseType): Deleted.
        (JSC::Wasm::ModuleParser::parseImport): Deleted.
        (JSC::Wasm::ModuleParser::parseFunction): Deleted.
        (JSC::Wasm::ModuleParser::parseResizableLimits): Deleted.
        (JSC::Wasm::ModuleParser::parseTableHelper): Deleted.
        (JSC::Wasm::ModuleParser::parseTable): Deleted.
        (JSC::Wasm::ModuleParser::parseMemoryHelper): Deleted.
        (JSC::Wasm::ModuleParser::parseMemory): Deleted.
        (JSC::Wasm::ModuleParser::parseGlobal): Deleted.
        (JSC::Wasm::ModuleParser::parseExport): Deleted.
        (JSC::Wasm::ModuleParser::parseStart): Deleted.
        (JSC::Wasm::ModuleParser::parseElement): Deleted.
        (JSC::Wasm::ModuleParser::parseCode): Deleted.
        (JSC::Wasm::ModuleParser::parseInitExpr): Deleted.
        (JSC::Wasm::ModuleParser::parseGlobalType): Deleted.
        (JSC::Wasm::ModuleParser::parseData): Deleted.
        (JSC::Wasm::ModuleParser::parseCustom): Deleted.
        Extract section parsing code out from ModuleParser. We create SectionParser and ModuleParser uses it.
        SectionParser is also used by StreamingParser.

        * wasm/WasmModuleParser.h:
        (): Deleted.
        * wasm/WasmNameSection.h:
        (JSC::Wasm::NameSection::NameSection):
        (JSC::Wasm::NameSection::create):
        (JSC::Wasm::NameSection::setHash):
        Hash calculation is deferred since not all of the source is available in streaming parsing.

        * wasm/WasmNameSectionParser.cpp:
        (JSC::Wasm::NameSectionParser::parse):
        * wasm/WasmNameSectionParser.h:
        Use Ref<NameSection>.

        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        Wasm::Plan no longer has m_source since data will be eventually filled in a streaming fashion.
        OMGPlan can get data of the function by using ModuleInformation::functions.

        * wasm/WasmParser.h:
        (JSC::Wasm::Parser::source const):
        (JSC::Wasm::Parser::length const):
        (JSC::Wasm::Parser::offset const):
        (JSC::Wasm::Parser::fail const):
        (JSC::Wasm::makeI32InitExpr):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):
        Wasm::Plan should not have all the source a priori. Streamed data will be pumped from the provider.

        * wasm/WasmPlan.h:
        * wasm/WasmSectionParser.cpp: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.cpp.
        SectionParser is extracted from ModuleParser, and it is used by both the old (currently working)
        ModuleParser and the new StreamingParser.

        (JSC::Wasm::SectionParser::parseType):
        (JSC::Wasm::SectionParser::parseImport):
        (JSC::Wasm::SectionParser::parseFunction):
        (JSC::Wasm::SectionParser::parseResizableLimits):
        (JSC::Wasm::SectionParser::parseTableHelper):
        (JSC::Wasm::SectionParser::parseTable):
        (JSC::Wasm::SectionParser::parseMemoryHelper):
        (JSC::Wasm::SectionParser::parseMemory):
        (JSC::Wasm::SectionParser::parseGlobal):
        (JSC::Wasm::SectionParser::parseExport):
        (JSC::Wasm::SectionParser::parseStart):
        (JSC::Wasm::SectionParser::parseElement):
        (JSC::Wasm::SectionParser::parseCode):
        (JSC::Wasm::SectionParser::parseInitExpr):
        (JSC::Wasm::SectionParser::parseGlobalType):
        (JSC::Wasm::SectionParser::parseData):
        (JSC::Wasm::SectionParser::parseCustom):
        * wasm/WasmSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.h.
        * wasm/WasmStreamingParser.cpp: Added.
        (JSC::Wasm::parseUInt7):
        (JSC::Wasm::StreamingParser::fail):
        (JSC::Wasm::StreamingParser::StreamingParser):
        (JSC::Wasm::StreamingParser::parseModuleHeader):
        (JSC::Wasm::StreamingParser::parseSectionID):
        (JSC::Wasm::StreamingParser::parseSectionSize):
        (JSC::Wasm::StreamingParser::parseCodeSectionSize):
        The code section in a Wasm binary is handled specially compared with the other sections since it includes
        a bunch of functions. StreamingParser extracts each function in a streaming fashion and enables
        streaming validation / compilation of Wasm functions.

        (JSC::Wasm::StreamingParser::parseFunctionSize):
        (JSC::Wasm::StreamingParser::parseFunctionPayload):
        (JSC::Wasm::StreamingParser::parseSectionPayload):
        (JSC::Wasm::StreamingParser::consume):
        (JSC::Wasm::StreamingParser::consumeVarUInt32):
        (JSC::Wasm::StreamingParser::addBytes):
        (JSC::Wasm::StreamingParser::failOnState):
        (JSC::Wasm::StreamingParser::finalize):
        * wasm/WasmStreamingParser.h: Added.
        (JSC::Wasm::StreamingParser::addBytes):
        (JSC::Wasm::StreamingParser::errorMessage const):
        This is our new StreamingParser implementation. StreamingParser::consumeXXX functions get data, and
        StreamingParser::parseXXX functions parse consumed data. The user of StreamingParser calls
        StreamingParser::addBytes() to pump the byte stream into the parser. And once all the data is pumped,
        the user calls StreamingParser::finalize. StreamingParser is a state machine which feeds on the
        incoming byte stream.

        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::source const): Deleted.
        All the source should not be held.

        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyValidateFunc):

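Added illustration for the entry above; it is not part of the WebKit ChangeLog and not JSC's Wasm::StreamingParser. It is a hypothetical, cut-down C++ state machine in the shape the entry describes: consume* functions take bytes off a buffer, parse logic interprets them, addBytes() pumps chunks in, and finalize() closes the stream. Only the module header, the section id/size/payload framing, and the per-function split of the code section are handled; no section contents are parsed. MiniStreamingParser, charge(), kMaxSectionSize and parseSampleInChunks() are this example's own names, and the module bytes are a constructed sample. The checks a reviewer cares about are the ones a streaming design makes harder: a declared size can no longer be compared with the total length, so a size cap, the accounting that keeps every function body inside its code section, and a finalize() that rejects a stream cut off mid-payload are what keep the parser from buffering without bound or treating a half-parsed module as complete.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical, simplified streaming parser for Wasm binary framing (header, section id/size/payload,
// per-function split of the code section). Written for this page; not JSC's Wasm::StreamingParser.
class MiniStreamingParser {
public:
    enum class State { ModuleHeader, SectionID, SectionSize, SectionPayload, CodeFunctionCount, CodeFunctionSize, CodeFunctionPayload, Finished, Failed };
    // Pump a chunk of the byte stream; chunk boundaries may fall anywhere.
    void addBytes(const uint8_t* data, size_t len) { m_buffer.insert(m_buffer.end(), data, data + len); step(); }
    // End of stream: only a section boundary with nothing buffered is a valid end;
    // a payload cut short is a truncated module, not a successful parse.
    bool finalize() {
        if (m_state != State::SectionID || !m_buffer.empty()) return fail("truncated module");
        m_state = State::Finished;
        return true;
    }
    const std::string& errorMessage() const { return m_error; }
    const std::vector<std::vector<uint8_t>>& functions() const { return m_functions; }
private:
    static constexpr uint32_t kMaxSectionSize = 1u << 20; // assumed cap: a stream has no total length to check sizes against
    bool fail(const char* why) { if (m_state != State::Failed) { m_state = State::Failed; m_error = why; } return false; }
    // consume*: take bytes off the front of the buffer; false means "wait for more input".
    bool consume(size_t n, std::vector<uint8_t>& out) {
        if (m_buffer.size() < n) return false;
        out.assign(m_buffer.begin(), m_buffer.begin() + n); m_buffer.erase(m_buffer.begin(), m_buffer.begin() + n);
        return true;
    }
    // LEB128 varuint32 of at most 5 bytes; a malformed encoding fails the whole parse.
    bool consumeVarUInt32(uint32_t& result, size_t& used, const char* why) {
        uint32_t value = 0;
        for (size_t i = 0; i < m_buffer.size() && i < 5; ++i) {
            uint8_t b = m_buffer[i];
            if (i == 4 && (b & 0xf0)) return fail(why); // bits beyond 32 must be zero
            value |= uint32_t(b & 0x7f) << (7 * i);
            if (b & 0x80) continue;
            used = i + 1; result = value;
            m_buffer.erase(m_buffer.begin(), m_buffer.begin() + used);
            return true;
        }
        return m_buffer.size() >= 5 ? fail(why) : false;
    }
    // Charge bytes against the code section's declared size so no function body can escape it.
    bool charge(size_t used) {
        if (used > m_sectionRemaining) return fail("code section overrun");
        m_sectionRemaining -= static_cast<uint32_t>(used); return true;
    }
    // parse logic: drive the state machine as far as the buffered bytes allow.
    void step() {
        std::vector<uint8_t> bytes; uint32_t n = 0; size_t used = 0;
        while (m_state != State::Failed && m_state != State::Finished) {
            switch (m_state) {
            case State::ModuleHeader:
                if (!consume(8, bytes)) return;
                if (bytes[0] || bytes[1] != 'a' || bytes[2] != 's' || bytes[3] != 'm' || bytes[4] != 1 || bytes[5] || bytes[6] || bytes[7]) { fail("bad magic or version"); return; }
                m_state = State::SectionID; break;
            case State::SectionID:
                if (!consume(1, bytes)) return;
                if ((m_sectionID = bytes[0]) > 11) { fail("unknown section id"); return; }
                m_state = State::SectionSize; break;
            case State::SectionSize:
                if (!consumeVarUInt32(n, used, "malformed section size")) return;
                if (n > kMaxSectionSize) { fail("section too large"); return; }
                m_sectionRemaining = n;
                m_state = m_sectionID == 10 ? State::CodeFunctionCount : State::SectionPayload; break;
            case State::SectionPayload:
                if (!consume(m_sectionRemaining, bytes)) return;
                m_state = State::SectionID; break;
            case State::CodeFunctionCount: // the code section is split into its functions as they arrive
                if (!consumeVarUInt32(n, used, "malformed function count") || !charge(used)) return;
                if (!(m_functionsLeft = n) && m_sectionRemaining) { fail("trailing bytes in code section"); return; }
                m_state = n ? State::CodeFunctionSize : State::SectionID; break;
            case State::CodeFunctionSize:
                if (!consumeVarUInt32(n, used, "malformed function size") || !charge(used) || !charge(n)) return;
                m_functionSize = n; m_state = State::CodeFunctionPayload; break;
            case State::CodeFunctionPayload:
                if (!consume(m_functionSize, bytes)) return;
                m_functions.push_back(bytes); // each body kept separately, ready to compile
                if (!--m_functionsLeft && m_sectionRemaining) { fail("trailing bytes in code section"); return; }
                m_state = m_functionsLeft ? State::CodeFunctionSize : State::SectionID; break;
            default: return;
            }
        }
    }
    State m_state = State::ModuleHeader;
    std::string m_error; std::vector<uint8_t> m_buffer;
    std::vector<std::vector<uint8_t>> m_functions; uint8_t m_sectionID = 0;
    uint32_t m_sectionRemaining = 0, m_functionsLeft = 0, m_functionSize = 0;
};

// Parse a constructed sample module (header; type section with one () -> () signature; function section
// declaring one function; code section with one empty body), minus `drop` trailing bytes, in `chunk`-byte
// pieces as a network stream would deliver it. Returns the number of function bodies, or -1 if rejected.
int parseSampleInChunks(size_t chunk, size_t drop = 0) {
    std::vector<uint8_t> bytes = { 0, 'a', 's', 'm', 1, 0, 0, 0, 1, 4, 1, 0x60, 0, 0, 3, 2, 1, 0, 10, 4, 1, 2, 0, 0x0b };
    bytes.resize(bytes.size() - drop);
    MiniStreamingParser parser;
    for (size_t i = 0; i < bytes.size(); i += chunk)
        parser.addBytes(bytes.data() + i, std::min(chunk, bytes.size() - i));
    return parser.finalize() ? static_cast<int>(parser.functions().size()) : -1;
}
```

parseSampleInChunks(3) feeds the sample three bytes at a time and returns 1, the single function body recovered, whatever the chunk size; parseSampleInChunks(5, 1) drops the final byte and returns -1, because finalize() refuses to treat a stream that stops inside a function body as a valid module.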
2018-08-27  Mark Lam  <mark.lam@apple.com>

        Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names.
        https://bugs.webkit.org/show_bug.cgi?id=188577
        <rdar://problem/42985684>

        Reviewed by Saam Barati.

        1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current
           (top) CallFrame (which may not have a valid callee) into a StackOverflowFrame.

           The StackOverflowFrame is a sentinel frame that the low level code (exception
           throwing code, stack visitor, and stack unwinding code) will know to skip
           over.  The StackOverflowFrame will also have a valid JSCallee so that client
           code can compute the globalObject or VM from this frame.

           As a result, client code that throws StackOverflowErrors no longer needs to
           compute the caller frame to throw from: it just converts the top frame into
           a StackOverflowFrame and everything should *Just Work*.

        2. NativeCallFrameTracerWithRestore is now obsolete.

           Instead, client code should always call convertToStackOverflowFrame() on the
           frame before instantiating a NativeCallFrameTracer with it.

           This means that topCallFrame will always point to the top CallFrame (which
           may be a StackOverflowFrame), and topEntryFrame will always point to the top
           EntryFrame.  We'll never temporarily point them to the previous EntryFrame
           (which we used to do with NativeCallFrameTracerWithRestore).

        3. genericUnwind() and Interpreter::unwind() will now always unwind from the top
           CallFrame, and will know how to handle a StackOverflowFrame if they see one.

           This obsoletes the UnwindStart flag.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::callerFrame const):
        (JSC::CallFrame::unsafeCallerFrame const):
        (JSC::CallFrame::convertToStackOverflowFrame):
        (JSC::CallFrame::callerFrame): Deleted.
        (JSC::CallFrame::unsafeCallerFrame): Deleted.
        * interpreter/CallFrame.h:
        (JSC::ExecState::iterate):
        * interpreter/CallFrameInlines.h: Added.
        (JSC::CallFrame::isStackOverflowFrame const):
        (JSC::CallFrame::isWasmFrame const):
        * interpreter/EntryFrame.h: Added.
        (JSC::EntryFrame::vmEntryRecordOffset):
        (JSC::EntryFrame::calleeSaveRegistersBufferOffset):
        * interpreter/FrameTracers.h:
        (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted.
        (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::visit):
        (JSC::StackVisitor::topEntryFrameIsEmpty const):
        * interpreter/VMEntryRecord.h:
        (JSC::VMEntryRecord::callee const):
        (JSC::EntryFrame::vmEntryRecordOffset): Deleted.
        (JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted.
        * jit/AssemblyHelpers.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITOperations.cpp:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CallData.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::throwArityCheckStackOverflowError):
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp: Removed.
        * runtime/CommonSlowPathsExceptions.h: Removed.
        * runtime/Completion.cpp:
        (JSC::evaluateWithScopeExtension):
        * runtime/JSGeneratorFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::stackOverflowFrameCallee const):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/VM.h:
        * runtime/VMInlines.h:
        (JSC::VM::topJSCallFrame const):

543 2018-08-27  Keith Rollin  <krollin@apple.com>
544
545         Unreviewed build fix -- disable LTO for production builds
546
547         * Configurations/Base.xcconfig:
548
549 2018-08-27  Aditya Keerthi  <akeerthi@apple.com>
550
551         Consolidate ENABLE_INPUT_TYPE_COLOR and ENABLE_INPUT_TYPE_COLOR_POPOVER
552         https://bugs.webkit.org/show_bug.cgi?id=188931
553
554         Reviewed by Wenson Hsieh.
555
556         * Configurations/FeatureDefines.xcconfig: Removed ENABLE_INPUT_TYPE_COLOR_POPOVER.
557
558 2018-08-27  Devin Rousso  <drousso@apple.com>
559
560         Web Inspector: provide autocompletion for event breakpoints
561         https://bugs.webkit.org/show_bug.cgi?id=188717
562
563         Reviewed by Brian Burg.
564
565         * inspector/protocol/DOM.json:
566         Add `getSupportedEventNames` command.
567
568 2018-08-27  Keith Rollin  <krollin@apple.com>
569
570         Build system support for LTO
571         https://bugs.webkit.org/show_bug.cgi?id=187785
572         <rdar://problem/42353132>
573
574         Reviewed by Dan Bernstein.
575
576         Update Base.xcconfig and DebugRelease.xcconfig to optionally enable
577         LTO.
578
579         * Configurations/Base.xcconfig:
580         * Configurations/DebugRelease.xcconfig:
581
582 2018-08-27  Patrick Griffis  <pgriffis@igalia.com>
583
584         [GTK][JSC] Add warn_unused_result attribute to some APIs
585         https://bugs.webkit.org/show_bug.cgi?id=188983
586
587         Reviewed by Michael Catanzaro.
588
589         * API/glib/JSCValue.h:
590
591 2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
592
593         [JSC] Array.prototype.reverse modifies JSImmutableButterfly
594         https://bugs.webkit.org/show_bug.cgi?id=188794
595
596         Reviewed by Saam Barati.
597
598         While Array.prototype.reverse modifies the butterfly of the given Array,
599         it does not account for the JSImmutableButterfly case. So it accidentally modifies
600         the content of the JSImmutableButterfly.
601         This patch converts CoW arrays to writable arrays before reversing.
602
603         * runtime/ArrayPrototype.cpp:
604         (JSC::arrayProtoFuncReverse):
605         * runtime/JSObject.h:
606         (JSC::JSObject::ensureWritable):
607
608 2018-08-24  Michael Saboff  <msaboff@apple.com>
609
610         YARR: Update UCS canonicalization tables for Unicode 11
611         https://bugs.webkit.org/show_bug.cgi?id=188928
612
613         Reviewed by Mark Lam.
614
615         Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js.
616
617         This passes JavaScriptCore and test262 tests.
618
619         * yarr/YarrCanonicalizeUCS2.cpp:
620         * yarr/YarrCanonicalizeUCS2.js:
621         (printHeader):
622
623 2018-08-24  Michael Saboff  <msaboff@apple.com>
624
625         YARR: JIT RegExps with non-greedy parenthesized sub patterns
626         https://bugs.webkit.org/show_bug.cgi?id=180876
627
628         Reviewed by Filip Pizlo.
629
630         Implemented the non-greedy nested parentheses based on the prior greedy nested parentheses work.
631         For the matching code, the greedy path was correct except that we don't try matching for the
632         non-greedy case.  Added a jump out to the term after the parenthesis and a label to perform the
633         first / next match when we backtrack.  The backtracking code needs to check to see if we have
634         tried the first match or if we can do another match.
635
636         Updated the disassembly annotations to include parenthesis capturing info, quantifier type and
637         count.  Did other minor cleanup as well.
638
639         Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()".
640
641         Updated the text in some comments, both for this change as well as accuracy for existing code.
642
643         * yarr/YarrJIT.cpp:
644         (JSC::Yarr::YarrGenerator::generate):
645         (JSC::Yarr::YarrGenerator::backtrack):
646         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
647         (JSC::Yarr::YarrGenerator::compile):
648         (JSC::Yarr::dumpCompileFailure):
649         (JSC::Yarr::jitCompile):
650         * yarr/YarrJIT.h:
651         (JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer):
652         (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted.
653
654 2018-08-23  Simon Fraser  <simon.fraser@apple.com>
655
656         Add support for dumping GC heap snapshots, and a viewer
657         https://bugs.webkit.org/show_bug.cgi?id=186416
658
659         Reviewed by Joseph Pecoraro.
660
661         Make a way to dump information about the GC heap that is useful for looking for leaked
662         or abandoned objects. This dump is obtained (on Apple platforms) via:
663             notifyutil -p com.apple.WebKit.dumpGCHeap
664         which writes a JSON file to /tmp which can then be loaded into the viewer in Tools/GCHeapInspector.
665         
666         This leverages the heap snapshot used by Web Inspector, adding an alternate format for
667         the snapshot JSON that adds additional data about objects and why they are GC roots.
668
669         SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows
670         the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. For
671         objects visited via opaque roots, we record the reason why via a new out param to
672         isReachableFromOpaqueRoots().
673
674         HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains
675         additional information including the address of the JSCell* and the wrapped object (for
676         JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can
677         be the document URL.
678
679         GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around).
680
681         * API/JSAPIWrapperObject.mm:
682         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
683         * API/JSManagedValue.mm:
684         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
685         * API/glib/JSAPIWrapperObjectGLib.cpp:
686         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
687         * CMakeLists.txt:
688         * heap/ConservativeRoots.h:
689         (JSC::ConservativeRoots::size const):
690         (JSC::ConservativeRoots::size): Deleted.
691         * heap/Heap.cpp:
692         (JSC::Heap::addCoreConstraints):
693         * heap/HeapSnapshotBuilder.cpp:
694         (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
695         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
696         (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
697         (JSC::HeapSnapshotBuilder::buildSnapshot):
698         (JSC::HeapSnapshotBuilder::appendNode):
699         (JSC::HeapSnapshotBuilder::appendEdge):
700         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
701         (JSC::HeapSnapshotBuilder::setWrappedObjectForCell):
702         (JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell):
703         (JSC::snapshotTypeToString):
704         (JSC::rootTypeToString):
705         (JSC::HeapSnapshotBuilder::setLabelForCell):
706         (JSC::HeapSnapshotBuilder::descriptionForCell const):
707         (JSC::HeapSnapshotBuilder::json):
708         (JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted.
709         * heap/HeapSnapshotBuilder.h:
710         * heap/SlotVisitor.cpp:
711         (JSC::SlotVisitor::appendSlow):
712         * heap/SlotVisitor.h:
713         (JSC::SlotVisitor::heapSnapshotBuilder const):
714         (JSC::SlotVisitor::rootMarkReason const):
715         (JSC::SlotVisitor::setRootMarkReason):
716         (JSC::SetRootMarkReasonScope::SetRootMarkReasonScope):
717         (JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope):
718         * heap/WeakBlock.cpp:
719         (JSC::WeakBlock::specializedVisit):
720         * heap/WeakHandleOwner.cpp:
721         (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
722         * heap/WeakHandleOwner.h:
723         * runtime/SimpleTypedArrayController.cpp:
724         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
725         * runtime/SimpleTypedArrayController.h:
726         * tools/JSDollarVM.cpp:
727
728 2018-08-23  Saam barati  <sbarati@apple.com>
729
730         JSRunLoopTimer may run part of a member function after it's destroyed
731         https://bugs.webkit.org/show_bug.cgi?id=188426
732
733         Reviewed by Mark Lam.
734
735         When I was reading the JSRunLoopTimer code, I noticed that it is possible
736         to end up running timer code after the class had been destroyed.
737         
738         The issue I spotted was in this function:
739         ```
740         void JSRunLoopTimer::timerDidFire()
741         {
742             JSLock* apiLock = m_apiLock.get();
743             if (!apiLock) {
744                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
745                 return;
746             }
747             // HERE
748             std::lock_guard<JSLock> lock(*apiLock);
749             RefPtr<VM> vm = apiLock->vm();
750             if (!vm) {
751                 // The VM has been destroyed, so we should just give up.
752                 return;
753             }
754         
755             doWork();
756         }
757         ```
758         
759         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
760         switched before grabbing the API lock. Then, some other thread destroys the VM.
761         And let's say that the VM owns (perhaps transitively) this timer. Then, the
762         timer would run code and access member variables after it was destroyed.
763         
764         This patch fixes this issue by introducing a new timer manager class. 
765         This class manages timers on a per VM basis. When a timer is scheduled,
766         this class refs the timer. It also calls the timer callback while actively
767         maintaining a +1 ref to it. So, it's no longer possible to call the timer
768         callback after the timer has been destroyed. However, calling a timer callback
769         can still race with the VM being destroyed. We continue to detect this case and
770         bail out of the callback early.
771         
772         This patch also removes a lot of duplicate code between GCActivityCallback
773         and JSRunLoopTimer.
774
775         * heap/EdenGCActivityCallback.cpp:
776         (JSC::EdenGCActivityCallback::doCollection):
777         (JSC::EdenGCActivityCallback::lastGCLength):
778         (JSC::EdenGCActivityCallback::deathRate):
779         * heap/EdenGCActivityCallback.h:
780         * heap/FullGCActivityCallback.cpp:
781         (JSC::FullGCActivityCallback::doCollection):
782         (JSC::FullGCActivityCallback::lastGCLength):
783         (JSC::FullGCActivityCallback::deathRate):
784         * heap/FullGCActivityCallback.h:
785         * heap/GCActivityCallback.cpp:
786         (JSC::GCActivityCallback::doWork):
787         (JSC::GCActivityCallback::scheduleTimer):
788         (JSC::GCActivityCallback::didAllocate):
789         (JSC::GCActivityCallback::willCollect):
790         (JSC::GCActivityCallback::cancel):
791         (JSC::GCActivityCallback::cancelTimer): Deleted.
792         (JSC::GCActivityCallback::nextFireTime): Deleted.
793         * heap/GCActivityCallback.h:
794         * heap/Heap.cpp:
795         (JSC::Heap::reportAbandonedObjectGraph):
796         (JSC::Heap::notifyIncrementalSweeper):
797         (JSC::Heap::updateAllocationLimits):
798         (JSC::Heap::didAllocate):
799         * heap/IncrementalSweeper.cpp:
800         (JSC::IncrementalSweeper::scheduleTimer):
801         (JSC::IncrementalSweeper::doWork):
802         (JSC::IncrementalSweeper::doSweep):
803         (JSC::IncrementalSweeper::sweepNextBlock):
804         (JSC::IncrementalSweeper::startSweeping):
805         (JSC::IncrementalSweeper::stopSweeping):
806         * heap/IncrementalSweeper.h:
807         * heap/StopIfNecessaryTimer.cpp:
808         (JSC::StopIfNecessaryTimer::doWork):
809         (JSC::StopIfNecessaryTimer::scheduleSoon):
810         * heap/StopIfNecessaryTimer.h:
811         * runtime/JSRunLoopTimer.cpp:
812         (JSC::epochTime):
813         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
814         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
815         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
816         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
817         (JSC::JSRunLoopTimer::Manager::timerDidFire):
818         (JSC::JSRunLoopTimer::Manager::shared):
819         (JSC::JSRunLoopTimer::Manager::registerVM):
820         (JSC::JSRunLoopTimer::Manager::unregisterVM):
821         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
822         (JSC::JSRunLoopTimer::Manager::cancelTimer):
823         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
824         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
825         (JSC::JSRunLoopTimer::timerDidFire):
826         (JSC::JSRunLoopTimer::JSRunLoopTimer):
827         (JSC::JSRunLoopTimer::timeUntilFire):
828         (JSC::JSRunLoopTimer::setTimeUntilFire):
829         (JSC::JSRunLoopTimer::cancelTimer):
830         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
831         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
832         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
833         * runtime/JSRunLoopTimer.h:
834         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
835         * runtime/PromiseDeferredTimer.cpp:
836         (JSC::PromiseDeferredTimer::doWork):
837         (JSC::PromiseDeferredTimer::runRunLoop):
838         (JSC::PromiseDeferredTimer::addPendingPromise):
839         (JSC::PromiseDeferredTimer::hasPendingPromise):
840         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
841         (JSC::PromiseDeferredTimer::cancelPendingPromise):
842         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
843         * runtime/PromiseDeferredTimer.h:
844         * runtime/VM.cpp:
845         (JSC::VM::VM):
846         (JSC::VM::~VM):
847         (JSC::VM::setRunLoop):
848         (JSC::VM::registerRunLoopTimer): Deleted.
849         (JSC::VM::unregisterRunLoopTimer): Deleted.
850         * runtime/VM.h:
851         (JSC::VM::runLoop const):
852         * wasm/js/WebAssemblyPrototype.cpp:
853         (JSC::webAssemblyModuleValidateAsyncInternal):
854         (JSC::instantiate):
855         (JSC::compileAndInstantiate):
856         (JSC::webAssemblyModuleInstantinateAsyncInternal):
857         (JSC::webAssemblyCompileStreamingInternal):
858         (JSC::webAssemblyInstantiateStreamingInternal):
859
860 2018-08-23  Mark Lam  <mark.lam@apple.com>
861
862         Move vmEntryGlobalObject() to VM from CallFrame.
863         https://bugs.webkit.org/show_bug.cgi?id=188900
864         <rdar://problem/43655753>
865
866         Reviewed by Michael Saboff.
867
868         Also introduced CallFrame::isGlobalExec() which makes use of one property of
869         GlobalExecs to identify them, i.e. GlobalExecs have null callerFrame and returnPCs.
870         CallFrame::initGlobalExec() ensures this.
871
872         In contrast, normal CallFrames always have a callerFrame (because they must at
873         least be preceded by a VM EntryFrame) and a returnPC (at least return to the
874         VM entry glue).
875
876         * API/APIUtils.h:
877         (handleExceptionIfNeeded):
878         (setException):
879         * API/JSBase.cpp:
880         (JSEvaluateScript):
881         (JSCheckScriptSyntax):
882         * API/JSContextRef.cpp:
883         (JSGlobalContextRetain):
884         (JSGlobalContextRelease):
885         (JSGlobalContextCopyName):
886         (JSGlobalContextSetName):
887         (JSGlobalContextGetRemoteInspectionEnabled):
888         (JSGlobalContextSetRemoteInspectionEnabled):
889         (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
890         (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
891         (JSGlobalContextGetDebuggerRunLoop):
892         (JSGlobalContextSetDebuggerRunLoop):
893         (JSGlobalContextGetAugmentableInspectorController):
894         * API/JSValue.mm:
895         (reportExceptionToInspector):
896         * API/glib/JSCClass.cpp:
897         (jscContextForObject):
898         * API/glib/JSCContext.cpp:
899         (jsc_context_evaluate_in_object):
900         * debugger/Debugger.cpp:
901         (JSC::Debugger::pauseIfNeeded):
902         * debugger/DebuggerCallFrame.cpp:
903         (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
904         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
905         * interpreter/CallFrame.cpp:
906         (JSC::CallFrame::vmEntryGlobalObject): Deleted.
907         * interpreter/CallFrame.h:
908         (JSC::ExecState::scope const):
909         (JSC::ExecState::noCaller):
910         (JSC::ExecState::isGlobalExec const):
911         * interpreter/Interpreter.cpp:
912         (JSC::notifyDebuggerOfUnwinding):
913         (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
914         (JSC::Interpreter::debug):
915         * runtime/CallData.cpp:
916         (JSC::profiledCall):
917         * runtime/Completion.cpp:
918         (JSC::evaluate):
919         (JSC::profiledEvaluate):
920         (JSC::evaluateWithScopeExtension):
921         (JSC::loadAndEvaluateModule):
922         (JSC::loadModule):
923         (JSC::linkAndEvaluateModule):
924         (JSC::importModule):
925         * runtime/ConstructData.cpp:
926         (JSC::profiledConstruct):
927         * runtime/Error.cpp:
928         (JSC::getStackTrace):
929         * runtime/VM.cpp:
930         (JSC::VM::throwException):
931         (JSC::VM::vmEntryGlobalObject const):
932         * runtime/VM.h:
933
934 2018-08-23  Andy Estes  <aestes@apple.com>
935
936         [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
937         https://bugs.webkit.org/show_bug.cgi?id=188829
938
939         Reviewed by Tim Horton.
940
941         * Configurations/FeatureDefines.xcconfig:
942
943 2018-08-23  Devin Rousso  <drousso@apple.com>
944
945         Web Inspector: support breakpoints for timers and animation-frame events
946         https://bugs.webkit.org/show_bug.cgi?id=188778
947
948         Reviewed by Brian Burg.
949
950         * inspector/protocol/Debugger.json:
951         Add `AnimationFrame` and `Timer` types to the list of pause reasons.
952
953         * inspector/protocol/DOMDebugger.json:
954         Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
955          - `setEventListenerBreakpoint`
956          - `removeEventListenerBreakpoint`
957          - `setInstrumentationBreakpoint`
958          - `removeInstrumentationBreakpoint`
959         Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
960
961         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
962         (CppProtocolTypesHeaderGenerator.generate_output):
963         (CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
964         (CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
965         (CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
966         Generate `DefaultHash` for all `enum class` used by inspector protocols.
967
968         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
969         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
970         * inspector/scripts/tests/generic/expected/enum-values.json-result:
971         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
972         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
973         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
974         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
975
976 2018-08-23  Michael Saboff  <msaboff@apple.com>
977
978         YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
979         https://bugs.webkit.org/show_bug.cgi?id=188895
980
981         Reviewed by Mark Lam.
982
983         Found while working on another change.  This will allow processing of nested
984         parentheses that require saved ParenContext structures.
985
986         * yarr/YarrJIT.cpp:
987         (JSC::Yarr::YarrGenerator::compile):
988
989 2018-08-22  Michael Saboff  <msaboff@apple.com>
990
991         https://bugs.webkit.org/show_bug.cgi?id=188859
992         Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
993
994         Rubber-stamped by Saam Barati.
995
996         Deleted these two functions.
997
998         * jit/JITOperations.cpp:
999         * jit/JITOperations.h:
1000
1001 2018-08-22  Mark Lam  <mark.lam@apple.com>
1002
1003         The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
1004         https://bugs.webkit.org/show_bug.cgi?id=188298
1005         <rdar://problem/42888427>
1006
1007         Reviewed by Saam Barati.
1008
1009         In the event that both targets of a Branch are the same block, then even if we'll
1010         always take one path of the branch, the other target is not unreachable because
1011         it is the same target as the one in the taken path.  Hence, it should not be
1012         jettisoned.
1013
1014         * JavaScriptCore.xcodeproj/project.pbxproj:
1015         - Added DFGCFG.h which is in use and should have been added to the project.
1016         * dfg/DFGCFGSimplificationPhase.cpp:
1017         (JSC::DFG::CFGSimplificationPhase::run):
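
        The rule above, as an added C++ example that is not the DFG's own code: a hypothetical mini-CFG whose constant-branch lowering removes the not-taken edge, and reports its target for jettisoning, only when the two branch targets are different blocks.

```cpp
#include <set>
#include <vector>

// Hypothetical mini-CFG (added example, not the DFG's own data structures).
struct Block {
    explicit Block(int id) : id(id) {}
    int id;
    bool isBranch = false;           // terminator: Branch (two successors) or Jump (one)
    int constantCondition = -1;      // -1 = not constant, 0 = always false, 1 = always true
    std::vector<Block*> successors;  // Branch: [taken-if-true, taken-if-false]; Jump: [target]
    std::set<Block*> predecessors;
};

// Lowers a Branch with a constant condition to a Jump to the path that is always taken.
// The other direction's edge is removed, and its target reported for jettisoning, only
// when it is a different block: if both directions land in the same block, the taken
// edge still reaches it, so it stays reachable and must be kept.
// Returns the block that lost its last predecessor, or nullptr if there is none.
Block* simplifyConstantBranch(Block& block) {
    if (!block.isBranch || block.constantCondition < 0 || block.successors.size() != 2)
        return nullptr;
    Block* taken = block.successors[block.constantCondition ? 0 : 1];
    Block* notTaken = block.successors[block.constantCondition ? 1 : 0];
    block.isBranch = false;
    block.successors = { taken };
    if (notTaken == taken)
        return nullptr;  // the guard the entry adds: same target in both directions
    notTaken->predecessors.erase(&block);
    return notTaken->predecessors.empty() ? notTaken : nullptr;
}

// entry -Branch(true)-> [a, b] with distinct targets: b loses its only predecessor.
bool distinctTargetsJettisonNotTaken() {
    Block entry(0), a(1), b(2);
    entry.isBranch = true;
    entry.constantCondition = 1;
    entry.successors = { &a, &b };
    a.predecessors = { &entry };
    b.predecessors = { &entry };
    Block* jettisoned = simplifyConstantBranch(entry);
    return jettisoned == &b && a.predecessors.count(&entry) == 1
        && entry.successors.size() == 1 && entry.successors[0] == &a;
}

// entry -Branch(false)-> [a, a]: only the "false" direction is ever taken, but the
// "true" direction targets the same block, so a must keep its edge from entry.
bool sameTargetBothWaysIsKept() {
    Block entry(0), a(1);
    entry.isBranch = true;
    entry.constantCondition = 0;
    entry.successors = { &a, &a };
    a.predecessors = { &entry };
    Block* jettisoned = simplifyConstantBranch(entry);
    return jettisoned == nullptr && a.predecessors.count(&entry) == 1
        && entry.successors.size() == 1 && entry.successors[0] == &a;
}
```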
1018
1019 2018-08-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1020
1021         [JSC] HeapUtil should care about pointer overflow
1022         https://bugs.webkit.org/show_bug.cgi?id=188740
1023
1024         Reviewed by Saam Barati.
1025
1026         `pointer - sizeof(IndexingHeader) - 1` causes undefined behavior if the pointer overflows.
1027         For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
1028         with a `char*` pointer, we cast it to `uintptr_t` temporarily. This issue was found by UBSan.
1029
1030         * heap/HeapUtil.h:
1031         (JSC::HeapUtil::findGCObjectPointersForMarking):
1032
1033 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1034
1035         [JSC] Should not rotate constant with 64
1036         https://bugs.webkit.org/show_bug.cgi?id=188556
1037
1038         Reviewed by Saam Barati.
1039
1040         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
1041         But if the seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
1042         where value's type is uint64_t, which is undefined behavior (UB). This patch limits
1043         the seed to the range [1, 63] so that no UB-triggering code is generated. This was found by UBSan.
1044
1045         * assembler/MacroAssembler.h:
1046         (JSC::MacroAssembler::generateRotationSeed):
1047         (JSC::MacroAssembler::rotationBlindConstant):
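
        An added C++ example of the blinding scheme this entry describes, not taken from JSC: the seed generator maps a random value into [1, 63] (that mapping is an assumption), and a rotate-right blind with its rotate-left unblind, both only well defined while every shift count stays strictly below the 64-bit operand width.

```cpp
#include <cstdint>

// Assumption (added example, not JSC's generateRotationSeed): derive the seed from a
// random 64-bit value by mapping it into [1, 63]. Both 0 and 64 are excluded because
// they would make the rotations below shift by the full operand width, which is UB.
inline uint8_t generateRotationSeed(uint64_t randomBits) {
    return static_cast<uint8_t>(randomBits % 63 + 1);
}

inline bool seedIsSafe(uint8_t seed) { return seed >= 1 && seed <= 63; }

// Rotate right by `seed`: the value that is actually embedded in the JIT'd code.
// `value << (64 - seed)` is only defined for seed >= 1, `value >> seed` only for seed <= 63.
inline uint64_t rotationBlindConstant(uint64_t value, uint8_t seed) {
    return (value >> seed) | (value << (64 - seed));
}

// Inverse rotation (left) that the emitted code performs to recover the real constant.
inline uint64_t rotationUnblindConstant(uint64_t blinded, uint8_t seed) {
    return (blinded << seed) | (blinded >> (64 - seed));
}

// Checks that every seed the generator can produce is in [1, 63] and that blinding
// is lossless for a constructed sample of constants. Returns false on the first failure.
bool roundTripsForAllSeeds() {
    const uint64_t samples[] = { 0, 1, 0x8000000000000000ull, 0xdeadbeefcafef00dull, ~0ull };
    for (uint64_t bits = 0; bits < 200; ++bits) {  // covers every residue mod 63
        const uint8_t seed = generateRotationSeed(bits);
        if (!seedIsSafe(seed))
            return false;
        for (uint64_t value : samples)
            if (rotationUnblindConstant(rotationBlindConstant(value, seed), seed) != value)
                return false;
    }
    return true;
}
```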
1048
1049 2018-08-21  Commit Queue  <commit-queue@webkit.org>
1050
1051         Unreviewed, rolling out r235107.
1052         https://bugs.webkit.org/show_bug.cgi?id=188832
1053
1054         "It revealed bugs in Blob code as well as regressed JS
1055         performance tests" (Requested by saamyjoon on #webkit).
1056
1057         Reverted changeset:
1058
1059         "JSRunLoopTimer may run part of a member function after it's
1060         destroyed"
1061         https://bugs.webkit.org/show_bug.cgi?id=188426
1062         https://trac.webkit.org/changeset/235107
1063
1064 2018-08-21  Saam barati  <sbarati@apple.com>
1065
1066         JSRunLoopTimer may run part of a member function after it's destroyed
1067         https://bugs.webkit.org/show_bug.cgi?id=188426
1068
1069         Reviewed by Mark Lam.
1070
1071         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1072         to end up running timer code after the class had been destroyed.
1073         
1074         The issue I spotted was in this function:
1075         ```
1076         void JSRunLoopTimer::timerDidFire()
1077         {
1078             JSLock* apiLock = m_apiLock.get();
1079             if (!apiLock) {
1080                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1081                 return;
1082             }
1083             // HERE
1084             std::lock_guard<JSLock> lock(*apiLock);
1085             RefPtr<VM> vm = apiLock->vm();
1086             if (!vm) {
1087                 // The VM has been destroyed, so we should just give up.
1088                 return;
1089             }
1090         
1091             doWork();
1092         }
1093         ```
1094         
1095         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1096         switched before grabbing the API lock. Then, some other thread destroys the VM.
1097         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1098         timer would run code and access member variables after it was destroyed.
1099         
1100         This patch fixes this issue by introducing a new timer manager class. 
1101         This class manages timers on a per VM basis. When a timer is scheduled,
1102         this class refs the timer. It also calls the timer callback while actively
1103         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1104         callback after the timer has been destroyed. However, calling a timer callback
1105         can still race with the VM being destroyed. We continue to detect this case and
1106         bail out of the callback early.
1107         
1108         This patch also removes a lot of duplicate code between GCActivityCallback
1109         and JSRunLoopTimer.
1110
1111         * heap/EdenGCActivityCallback.cpp:
1112         (JSC::EdenGCActivityCallback::doCollection):
1113         (JSC::EdenGCActivityCallback::lastGCLength):
1114         (JSC::EdenGCActivityCallback::deathRate):
1115         * heap/EdenGCActivityCallback.h:
1116         * heap/FullGCActivityCallback.cpp:
1117         (JSC::FullGCActivityCallback::doCollection):
1118         (JSC::FullGCActivityCallback::lastGCLength):
1119         (JSC::FullGCActivityCallback::deathRate):
1120         * heap/FullGCActivityCallback.h:
1121         * heap/GCActivityCallback.cpp:
1122         (JSC::GCActivityCallback::doWork):
1123         (JSC::GCActivityCallback::scheduleTimer):
1124         (JSC::GCActivityCallback::didAllocate):
1125         (JSC::GCActivityCallback::willCollect):
1126         (JSC::GCActivityCallback::cancel):
1127         (JSC::GCActivityCallback::cancelTimer): Deleted.
1128         (JSC::GCActivityCallback::nextFireTime): Deleted.
1129         * heap/GCActivityCallback.h:
1130         * heap/Heap.cpp:
1131         (JSC::Heap::reportAbandonedObjectGraph):
1132         (JSC::Heap::notifyIncrementalSweeper):
1133         (JSC::Heap::updateAllocationLimits):
1134         (JSC::Heap::didAllocate):
1135         * heap/IncrementalSweeper.cpp:
1136         (JSC::IncrementalSweeper::scheduleTimer):
1137         (JSC::IncrementalSweeper::doWork):
1138         (JSC::IncrementalSweeper::doSweep):
1139         (JSC::IncrementalSweeper::sweepNextBlock):
1140         (JSC::IncrementalSweeper::startSweeping):
1141         (JSC::IncrementalSweeper::stopSweeping):
1142         * heap/IncrementalSweeper.h:
1143         * heap/StopIfNecessaryTimer.cpp:
1144         (JSC::StopIfNecessaryTimer::doWork):
1145         (JSC::StopIfNecessaryTimer::scheduleSoon):
1146         * heap/StopIfNecessaryTimer.h:
1147         * runtime/JSRunLoopTimer.cpp:
1148         (JSC::epochTime):
1149         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1150         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1151         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1152         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1153         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1154         (JSC::JSRunLoopTimer::Manager::shared):
1155         (JSC::JSRunLoopTimer::Manager::registerVM):
1156         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1157         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1158         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1159         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1160         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1161         (JSC::JSRunLoopTimer::timerDidFire):
1162         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1163         (JSC::JSRunLoopTimer::timeUntilFire):
1164         (JSC::JSRunLoopTimer::setTimeUntilFire):
1165         (JSC::JSRunLoopTimer::cancelTimer):
1166         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1167         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1168         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1169         * runtime/JSRunLoopTimer.h:
1170         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1171         * runtime/PromiseDeferredTimer.cpp:
1172         (JSC::PromiseDeferredTimer::doWork):
1173         (JSC::PromiseDeferredTimer::runRunLoop):
1174         (JSC::PromiseDeferredTimer::addPendingPromise):
1175         (JSC::PromiseDeferredTimer::hasPendingPromise):
1176         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1177         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1178         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1179         * runtime/PromiseDeferredTimer.h:
1180         * runtime/VM.cpp:
1181         (JSC::VM::VM):
1182         (JSC::VM::~VM):
1183         (JSC::VM::setRunLoop):
1184         (JSC::VM::registerRunLoopTimer): Deleted.
1185         (JSC::VM::unregisterRunLoopTimer): Deleted.
1186         * runtime/VM.h:
1187         (JSC::VM::runLoop const):
1188         * wasm/js/WebAssemblyPrototype.cpp:
1189         (JSC::webAssemblyModuleValidateAsyncInternal):
1190         (JSC::instantiate):
1191         (JSC::compileAndInstantiate):
1192         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1193         (JSC::webAssemblyCompileStreamingInternal):
1194         (JSC::webAssemblyInstantiateStreamingInternal):
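
        The fix described in this entry and in the 2018-08-23 re-landing above, as an added C++ example that is not JSC's own code: std::shared_ptr and std::weak_ptr stand in for RefPtr and the apiLock->vm() lookup, the manager holds a strong ref to each scheduled timer until its callback has returned, and the callback still bails out when the VM was destroyed in between.

```cpp
#include <map>
#include <memory>
#include <mutex>
#include <vector>

struct Vm { int id = 0; };  // stand-in for JSC::VM; only its lifetime matters here

// Stand-in for JSRunLoopTimer: ref-counted, and its callback touches member state.
class Timer {
public:
    explicit Timer(const std::shared_ptr<Vm>& vm) : m_vm(vm) {}
    ~Timer() { ++s_destroyed; }
    // Mirrors the early bail-out the entry keeps: the callback can still race with
    // VM destruction, so look the VM up first and give up if it is already gone.
    bool timerDidFire() {
        std::shared_ptr<Vm> vm = m_vm.lock();  // stands in for apiLock->vm()
        if (!vm)
            return false;
        doWork();
        return true;
    }
    int fireCount() const { return m_fireCount; }
    static int destroyedCount() { return s_destroyed; }
private:
    void doWork() { ++m_fireCount; }  // member access: unsafe after destruction
    std::weak_ptr<Vm> m_vm;
    int m_fireCount = 0;
    static int s_destroyed;
};
int Timer::s_destroyed = 0;

// Stand-in for JSRunLoopTimer::Manager: per-VM timer lists, where every scheduled
// timer is held by a strong ref from scheduling until its callback has returned.
class TimerManager {
public:
    using DueList = std::vector<std::shared_ptr<Timer>>;
    void registerVM(const Vm* vm) { std::lock_guard<std::mutex> lock(m_lock); (void)m_perVm[vm]; }
    void unregisterVM(const Vm* vm) { std::lock_guard<std::mutex> lock(m_lock); m_perVm.erase(vm); }
    void scheduleTimer(const Vm* vm, const std::shared_ptr<Timer>& timer) {
        std::lock_guard<std::mutex> lock(m_lock);
        m_perVm[vm].push_back(timer);  // the +1 ref the entry describes
    }
    // First half of a run-loop wakeup: dequeue this VM's due timers. The returned list
    // owns the refs, so the timers outlive anything that happens before runDue().
    DueList takeDue(const Vm* vm) {
        std::lock_guard<std::mutex> lock(m_lock);
        DueList due;
        auto it = m_perVm.find(vm);
        if (it != m_perVm.end())
            due.swap(it->second);
        return due;
    }
    // Second half: run the callbacks while still holding the refs. Returns how many ran.
    static int runDue(const DueList& due) {
        int ran = 0;
        for (const auto& timer : due)
            if (timer->timerDidFire()) ++ran;
        return ran;
    }
private:
    std::mutex m_lock;
    std::map<const Vm*, DueList> m_perVm;
};

// Scenario A: the scheduler drops its last ref right after scheduling. The manager's ref
// keeps the timer alive through the callback; it dies only after the due list is released.
bool refIsHeldAcrossCallback() {
    TimerManager manager;
    auto vm = std::make_shared<Vm>();
    manager.registerVM(vm.get());
    const int destroyedBefore = Timer::destroyedCount();
    {
        auto timer = std::make_shared<Timer>(vm);
        manager.scheduleTimer(vm.get(), timer);
    }  // only the manager's ref remains
    int ran = 0;
    {
        TimerManager::DueList due = manager.takeDue(vm.get());
        ran = TimerManager::runDue(due);
        if (Timer::destroyedCount() != destroyedBefore)
            return false;  // must still be alive while the callback list is held
    }
    return ran == 1 && Timer::destroyedCount() == destroyedBefore + 1;
}

// Scenario B: the VM is destroyed between dequeue and callback (the race the entry says
// remains possible). The callback detects it and bails out without touching state.
bool callbackBailsOutWhenVMIsGone() {
    TimerManager manager;
    auto vm = std::make_shared<Vm>();
    const Vm* key = vm.get();
    manager.registerVM(key);
    auto timer = std::make_shared<Timer>(vm);
    manager.scheduleTimer(key, timer);
    TimerManager::DueList due = manager.takeDue(key);
    manager.unregisterVM(key);
    vm.reset();  // ~VM runs while the callback thread is about to fire
    return TimerManager::runDue(due) == 0 && timer->fireCount() == 0;
}
```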
1195
1196 2018-08-20  Saam barati  <sbarati@apple.com>
1197
1198         Inline DataView accesses into DFG/FTL
1199         https://bugs.webkit.org/show_bug.cgi?id=188573
1200         <rdar://problem/43286746>
1201
1202         Reviewed by Michael Saboff.
1203
1204         This patch teaches the DFG/FTL to inline DataView accesses. The approach is
1205         straightforward. We inline the various get*/set* operations as intrinsics.
1206         
1207         This patch takes the most obvious approach for now. We OSR exit when:
1208         - An isLittleEndian argument is provided, and is not a boolean.
1209         - The index isn't an integer.
1210         - The |this| isn't a DataView.
1211         - We do an OOB access (or see a neutered array)
1212         
1213         To implement this change in a performant way, this patch teaches the macro
1214         assembler how to emit byte swap operations. The semantics of the added functions
1215         are byteSwap + zero extend. This means for the 16bit byte swaps, we need
1216         to actually emit zero extend instructions. For the 32/64bit byte swaps,
1217         the instructions already have these semantics.
1218         
1219         This patch is just a lightweight initial implementation. There are some easy
1220         extensions we can do in future changes:
1221         - Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
1222         - CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
1223
1224         * assembler/MacroAssemblerARM64.h:
1225         (JSC::MacroAssemblerARM64::byteSwap16):
1226         (JSC::MacroAssemblerARM64::byteSwap32):
1227         (JSC::MacroAssemblerARM64::byteSwap64):
1228         * assembler/MacroAssemblerX86Common.h:
1229         (JSC::MacroAssemblerX86Common::byteSwap32):
1230         (JSC::MacroAssemblerX86Common::byteSwap16):
1231         (JSC::MacroAssemblerX86Common::byteSwap64):
1232         * assembler/X86Assembler.h:
1233         (JSC::X86Assembler::bswapl_r):
1234         (JSC::X86Assembler::bswapq_r):
1235         (JSC::X86Assembler::shiftInstruction16):
1236         (JSC::X86Assembler::rolw_i8r):
1237         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1238         * assembler/testmasm.cpp:
1239         (JSC::testByteSwap):
1240         (JSC::run):
1241         * bytecode/DataFormat.h:
1242         * bytecode/SpeculatedType.cpp:
1243         (JSC::dumpSpeculation):
1244         (JSC::speculationFromClassInfo):
1245         (JSC::speculationFromJSType):
1246         (JSC::speculationFromString):
1247         * bytecode/SpeculatedType.h:
1248         * dfg/DFGAbstractInterpreterInlines.h:
1249         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1250         * dfg/DFGByteCodeParser.cpp:
1251         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1252         * dfg/DFGClobberize.h:
1253         (JSC::DFG::clobberize):
1254         * dfg/DFGDoesGC.cpp:
1255         (JSC::DFG::doesGC):
1256         * dfg/DFGFixupPhase.cpp:
1257         (JSC::DFG::FixupPhase::fixupNode):
1258         * dfg/DFGNode.h:
1259         (JSC::DFG::Node::hasHeapPrediction):
1260         (JSC::DFG::Node::dataViewData):
1261         * dfg/DFGNodeType.h:
1262         * dfg/DFGPredictionPropagationPhase.cpp:
1263         * dfg/DFGSafeToExecute.h:
1264         (JSC::DFG::SafeToExecuteEdge::operator()):
1265         (JSC::DFG::safeToExecute):
1266         * dfg/DFGSpeculativeJIT.cpp:
1267         (JSC::DFG::SpeculativeJIT::speculateDataViewObject):
1268         (JSC::DFG::SpeculativeJIT::speculate):
1269         * dfg/DFGSpeculativeJIT.h:
1270         * dfg/DFGSpeculativeJIT32_64.cpp:
1271         (JSC::DFG::SpeculativeJIT::compile):
1272         * dfg/DFGSpeculativeJIT64.cpp:
1273         (JSC::DFG::SpeculativeJIT::compile):
1274         * dfg/DFGUseKind.cpp:
1275         (WTF::printInternal):
1276         * dfg/DFGUseKind.h:
1277         (JSC::DFG::typeFilterFor):
1278         (JSC::DFG::isCell):
1279         * ftl/FTLCapabilities.cpp:
1280         (JSC::FTL::canCompile):
1281         * ftl/FTLLowerDFGToB3.cpp:
1282         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1283         (JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
1284         (JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
1285         (JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
1286         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
1287         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
1288         (JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
1289         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1290         (JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
1291         * runtime/Intrinsic.cpp:
1292         (JSC::intrinsicName):
1293         * runtime/Intrinsic.h:
1294         * runtime/JSDataViewPrototype.cpp:
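
        The accessor the entry above inlines, as an added example that is not JSC's
        DataView code: it shows the "byteSwap + zero extend" contract for the 16-bit
        case (a rotate in a wider register leaves the upper bits to be cleared
        explicitly) and the bounds check that the JIT turns into an OSR exit. The
        class and the sample bytes are constructed for this example; host byte
        order is assumed little-endian, as on x86-64 and AArch64.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>

// Added example; this is not JSC's DataView implementation. Where this code
// throws, the inlined JIT code OSR exits to the slow path instead.
// Host byte order is assumed little-endian.

// Swap the low two bytes and zero-extend: the result never carries whatever
// was in the upper half of the wider value (rolw on x86 leaves bits 16..31 alone).
static inline uint32_t byteSwap16(uint32_t value)
{
    uint32_t low = value & 0xFFFFu;
    return ((low << 8) | (low >> 8)) & 0xFFFFu;
}

// 32-bit swap; the bswap instruction already produces exactly 32 bits.
static inline uint32_t byteSwap32(uint32_t value)
{
    return (value >> 24) | ((value >> 8) & 0xFF00u) | ((value << 8) & 0xFF0000u) | (value << 24);
}

class ExampleDataView {
public:
    ExampleDataView(const uint8_t* base, size_t byteLength)
        : m_base(base), m_byteLength(byteLength) { }

    // index + size is never computed directly, so an index near SIZE_MAX
    // cannot wrap around and pass the check.
    bool inBounds(size_t index, size_t size) const
    {
        return index <= m_byteLength && size <= m_byteLength - index;
    }

    // DataView's littleEndian argument defaults to false (big-endian) in JS.
    uint16_t getUint16(size_t index, bool littleEndian) const
    {
        if (!inBounds(index, 2))
            throw std::out_of_range("Offset is outside the bounds of the DataView");
        uint16_t raw;
        std::memcpy(&raw, m_base + index, sizeof(raw)); // alignment-safe load, host order
        uint32_t widened = raw;                          // zero-extended into a 32-bit "register"
        return static_cast<uint16_t>(littleEndian ? widened : byteSwap16(widened));
    }

    // Sign extension applies to the swapped value (its bit 15), not to the raw bytes.
    int16_t getInt16(size_t index, bool littleEndian) const
    {
        uint32_t u = getUint16(index, littleEndian);
        return static_cast<int16_t>(u >= 0x8000u ? static_cast<int32_t>(u) - 0x10000 : static_cast<int32_t>(u));
    }

    uint32_t getUint32(size_t index, bool littleEndian) const
    {
        if (!inBounds(index, 4))
            throw std::out_of_range("Offset is outside the bounds of the DataView");
        uint32_t raw;
        std::memcpy(&raw, m_base + index, sizeof(raw));
        return littleEndian ? raw : byteSwap32(raw);
    }

private:
    const uint8_t* m_base;
    size_t m_byteLength;
};

// Helper for exercising the bounds check without try/catch at the call site.
static bool getUint16Throws(const ExampleDataView& view, size_t index)
{
    try {
        view.getUint16(index, false);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

// Constructed sample bytes for the example (not data from the page).
static const uint8_t kSampleBytes[] = { 0x12, 0x34, 0x56, 0x78, 0xFF, 0xFE };
static const size_t kSampleLength = sizeof(kSampleBytes);
```

        The masking in byteSwap16 is the whole point of the zero-extend remark:
        without it, stale bits 16..31 of the register would leak into the result
        of a 16-bit load.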
1295
1296 2018-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1297
1298         [YARR] Extend size of fixed characters bulk matching in 64bit platform
1299         https://bugs.webkit.org/show_bug.cgi?id=181989
1300
1301         Reviewed by Michael Saboff.
1302
1303         This patch extends bulk matching style for fixed-sized characters.
1304         In a 64bit environment, the GPR can hold up to 8 characters. This change
1305         reduces the code size since we can fuse multiple `mov` operations into one.
1306
1307         * assembler/LinkBuffer.h:
1308         * runtime/Options.h:
1309         * yarr/YarrJIT.cpp:
1310         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1311         (JSC::Yarr::YarrGenerator::compile):
1312
1313 2018-08-20  Devin Rousso  <drousso@apple.com>
1314
1315         Web Inspector: allow breakpoints to be set for specific event listeners
1316         https://bugs.webkit.org/show_bug.cgi?id=183138
1317
1318         Reviewed by Joseph Pecoraro.
1319
1320         * inspector/protocol/DOM.json:
1321         Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
1322         takes an `eventListenerId` and toggles whether that specific usage of that event listener
1323         should have a breakpoint and pause before running.
1324
1325 2018-08-20  Mark Lam  <mark.lam@apple.com>
1326
1327         Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
1328         https://bugs.webkit.org/show_bug.cgi?id=188769
1329
1330         Reviewed by Michael Saboff.
1331
1332         * llint/LowLevelInterpreter.asm:
1333         - Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
1334           so that libunwind doesn't get confused by the 2 labels pointing to the same
1335           code address.
1336
1337 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1338
1339         [GLIB] Add API to throw exceptions using printf formatted strings
1340         https://bugs.webkit.org/show_bug.cgi?id=188698
1341
1342         Reviewed by Michael Catanzaro.
1343
1344         Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
1345         JSCException using printf formatted string.
1346
1347         * API/glib/JSCContext.cpp:
1348         (jsc_context_throw_printf):
1349         (jsc_context_throw_with_name_printf):
1350         * API/glib/JSCContext.h:
1351         * API/glib/JSCException.cpp:
1352         (jsc_exception_new_printf):
1353         (jsc_exception_new_vprintf):
1354         (jsc_exception_new_with_name_printf):
1355         (jsc_exception_new_with_name_vprintf):
1356         * API/glib/JSCException.h:
1357         * API/glib/docs/jsc-glib-4.0-sections.txt:
1358
1359 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1360
1361         [GLIB] Complete the JSCException API
1362         https://bugs.webkit.org/show_bug.cgi?id=188695
1363
1364         Reviewed by Michael Catanzaro.
1365
1366         Add more API to JSCException:
1367          - New function to get the column number
1368          - New function to get the exception as a string (toString())
1369          - Add the possibility to create exceptions with a custom error name.
1370          - New function to get the exception error name
1371          - New function to get the exception backtrace.
1372          - New convenience function to report an exception by returning a formatted string with all the exception
1373            details, to be shown as a user error message.
1374
1375         * API/glib/JSCContext.cpp:
1376         (jsc_context_throw_with_name):
1377         * API/glib/JSCContext.h:
1378         * API/glib/JSCException.cpp:
1379         (jscExceptionEnsureProperties):
1380         (jsc_exception_new):
1381         (jsc_exception_new_with_name):
1382         (jsc_exception_get_name):
1383         (jsc_exception_get_column_number):
1384         (jsc_exception_get_back_trace_string):
1385         (jsc_exception_to_string):
1386         (jsc_exception_report):
1387         * API/glib/JSCException.h:
1388         * API/glib/docs/jsc-glib-4.0-sections.txt:
1389
1390 2018-08-19  Commit Queue  <commit-queue@webkit.org>
1391
1392         Unreviewed, rolling out r234852.
1393         https://bugs.webkit.org/show_bug.cgi?id=188736
1394
1395         Workaround is not correct (Requested by yusukesuzuki on
1396         #webkit).
1397
1398         Reverted changeset:
1399
1400         "[JSC] Should not rotate constant with 64"
1401         https://bugs.webkit.org/show_bug.cgi?id=188556
1402         https://trac.webkit.org/changeset/234852
1403
1404 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1405
1406         [WTF] Add WTF::unalignedLoad and WTF::unalignedStore
1407         https://bugs.webkit.org/show_bug.cgi?id=188716
1408
1409         Reviewed by Darin Adler.
1410
1411         Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
1412         The compiler can emit appropriate mov operations in x86 even if we use these
1413         helper functions.
1414
1415         * assembler/AssemblerBuffer.h:
1416         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
1417         (JSC::AssemblerBuffer::putIntegral):
1418         (JSC::AssemblerBuffer::putIntegralUnchecked):
1419         * assembler/MacroAssemblerX86.h:
1420         (JSC::MacroAssemblerX86::readCallTarget):
1421         * assembler/X86Assembler.h:
1422         (JSC::X86Assembler::linkJump):
1423         (JSC::X86Assembler::readPointer):
1424         (JSC::X86Assembler::replaceWithHlt):
1425         (JSC::X86Assembler::replaceWithJump):
1426         (JSC::X86Assembler::setPointer):
1427         (JSC::X86Assembler::setInt32):
1428         (JSC::X86Assembler::setInt8):
1429         * interpreter/InterpreterInlines.h:
1430         (JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
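
        The memcpy-based helpers the entry above refers to, as an added example
        written for this page (not WTF's own unalignedLoad/unalignedStore): the
        template names match the entry, the EncodedInstruction type and the
        encode/read/patch helpers are hypothetical stand-ins for an assembler
        buffer. Dereferencing a misaligned T* is undefined behaviour even on x86,
        where the hardware tolerates it, which is what UBSan's alignment check
        reports; a fixed-size memcpy compiles to the same single mov.

```cpp
#include <cstdint>
#include <cstring>
#include <type_traits>

// Added example (not WTF's implementation). The compiler turns these
// fixed-size memcpy calls into plain loads and stores on x86 and ARM64.
template<typename T>
static inline T unalignedLoad(const void* pointer)
{
    static_assert(std::is_trivially_copyable<T>::value, "T must be trivially copyable");
    T result;
    std::memcpy(&result, pointer, sizeof(T));
    return result;
}

template<typename T>
static inline void unalignedStore(void* pointer, T value)
{
    static_assert(std::is_trivially_copyable<T>::value, "T must be trivially copyable");
    std::memcpy(pointer, &value, sizeof(T));
}

// Illustration modelled on an assembler buffer: a one-byte opcode followed by a
// 32-bit immediate, so the immediate sits at offset 1 and is always misaligned.
struct EncodedInstruction {
    uint8_t bytes[5];
};

// Hypothetical helpers for the example; not JSC API.
static EncodedInstruction encodeOpcodeWithImm32(uint8_t opcode, int32_t imm)
{
    EncodedInstruction insn;
    insn.bytes[0] = opcode;
    unalignedStore<int32_t>(insn.bytes + 1, imm); // never *(int32_t*)(bytes + 1)
    return insn;
}

static int32_t readImm32(const EncodedInstruction& insn)
{
    return unalignedLoad<int32_t>(insn.bytes + 1);
}

// Patch the immediate in place, as a JIT does when linking a jump.
static void patchImm32(EncodedInstruction& insn, int32_t newImm)
{
    unalignedStore<int32_t>(insn.bytes + 1, newImm);
}
```

        The same pattern covers the LLInt case in the entry: an opcode embedded in
        the instruction stream is read with unalignedLoad rather than through a
        cast that asserts an alignment the stream does not have.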
1431
1432 2018-08-17  Saam barati  <sbarati@apple.com>
1433
1434         intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
1435         https://bugs.webkit.org/show_bug.cgi?id=188707
1436         <rdar://problem/43015442>
1437
1438         Reviewed by Mark Lam.
1439
1440         We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
1441         OSR enter at the head of a block. We verify it's safe to OSR enter by checking
1442         that each incoming value is compatible with its corresponding AbstractValue.
1443         
1444         The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
1445         with abstract values that were clobbered. This meant that the value we're
1446         verifying with at OSR entry effectively has an infinite structure set because
1447         it's clobbered. So, imagine we have code like this:
1448         ```
1449         ---> We OSR enter here, and we're clobbered here
1450         InvalidationPoint
1451         GetByOffset(@base)
1452         ```
1453         
1454         The abstract value for @base inside intersectionOfPastValuesAtHead has a
1455         clobbered structure set, so we'd allow an incoming object with any
1456         structure. However, this is wrong because the invalidation point is no
1457         longer fulfilling its promise that it filters the structure that @base has.
1458         
1459         We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
1460         as if the incoming value may be live past an InvalidationPoint.
1461         This places a stricter requirement that to safely OSR enter at any basic
1462         block, all incoming values must be compatible as if they lived past
1463         the execution of an invalidation point.
1464
1465         * dfg/DFGCFAPhase.cpp:
1466         (JSC::DFG::CFAPhase::run):
1467
1468 2018-08-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org> and Fujii Hironori  <Hironori.Fujii@sony.com>
1469
1470         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1471         https://bugs.webkit.org/show_bug.cgi?id=188589
1472
1473         Reviewed by Mark Lam.
1474         And reviewed by Yusuke Suzuki for Hironori's change.
1475
1476         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1477         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1478
1479         - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1480         - We make GPRReg and FPRReg int8_t enums.
1481         - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1482         - We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
1483           if `enum : int8_t` is used instead of `enum`.
1484
1485         * assembler/ARM64Assembler.h:
1486         * assembler/ARMAssembler.h:
1487         * assembler/ARMv7Assembler.h:
1488         * assembler/MIPSAssembler.h:
1489         * assembler/MacroAssembler.h:
1490         * assembler/X86Assembler.h:
1491         * jit/CCallHelpers.h:
1492         (JSC::CCallHelpers::clampArrayToSize):
1493         * jit/FPRInfo.h:
1494         * jit/GPRInfo.h:
1495         (JSC::JSValueRegs::JSValueRegs):
1496         (JSC::JSValueRegs::tagGPR const):
1497         (JSC::JSValueRegs::payloadGPR const):
1498         (JSC::JSValueSource::JSValueSource):
1499         (JSC::JSValueSource::unboxedCell):
1500         (JSC::JSValueSource::operator bool const):
1501         (JSC::JSValueSource::base const):
1502         (JSC::JSValueSource::tagGPR const):
1503         (JSC::JSValueSource::payloadGPR const):
1504         (JSC::JSValueSource::hasKnownTag const):
1505
1506 2018-08-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1507
1508         [JSC] alignas for RegisterState should respect alignof(RegisterState) too
1509         https://bugs.webkit.org/show_bug.cgi?id=188686
1510
1511         Reviewed by Saam Barati.
1512
1513         RegisterState would have larger alignment than `alignof(void*)`. We use the larger alignment value
1514         for `alignof` for RegisterState.
1515
1516         * heap/RegisterState.h:
1517
1518 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1519
1520         [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
1521         https://bugs.webkit.org/show_bug.cgi?id=188571
1522
1523         Reviewed by Saam Barati.
1524
1525         UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
1526         allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
1527         without considering alignment of them. This patch adds DisjunctionContext::allocationSize
1528         and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
1529         The size is always rounded to `sizeof(void*)` so that these classes are always allocated
1530         with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
1531         than or equal to `sizeof(void*)` by `static_assert`.
1532
1533         * yarr/YarrInterpreter.cpp:
1534         (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
1535         (JSC::Yarr::Interpreter::allocDisjunctionContext):
1536         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
1537         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
1538         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
1539         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
1540         (JSC::Yarr::Interpreter::Interpreter):
1541         (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
1542
1543 2018-08-15  Keith Miller  <keith_miller@apple.com>
1544
1545         Remove evernote hacks
1546         https://bugs.webkit.org/show_bug.cgi?id=188591
1547
1548         Reviewed by Joseph Pecoraro.
1549
1550         The hack was added in 2012 and the evernote app seems to work now.
1551         It's probably not needed anymore.
1552
1553         * API/JSValueRef.cpp:
1554         (JSValueUnprotect):
1555         (evernoteHackNeeded): Deleted.
1556
1557 2018-08-14  Fujii Hironori  <Hironori.Fujii@sony.com>
1558
1559         Unreviewed, rolling out r234874 and r234876.
1560
1561         WinCairo port can't compile
1562
1563         Reverted changesets:
1564
1565         "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
1566         https://bugs.webkit.org/show_bug.cgi?id=188589
1567         https://trac.webkit.org/changeset/234874
1568
1569         "Unreviewed, attempt to fix CLoop build"
1570         https://bugs.webkit.org/show_bug.cgi?id=188589
1571         https://trac.webkit.org/changeset/234876
1572
1573 2018-08-14  Saam barati  <sbarati@apple.com>
1574
1575         HashMap<Ref<P>, V> asserts when V is not zero for its empty value
1576         https://bugs.webkit.org/show_bug.cgi?id=188582
1577
1578         Reviewed by Sam Weinig.
1579
1580         * runtime/SparseArrayValueMap.h:
1581
1582 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1583
1584         Unreviewed, attempt to fix CLoop build
1585         https://bugs.webkit.org/show_bug.cgi?id=188589
1586
1587         * assembler/MacroAssembler.h:
1588
1589 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1590
1591         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1592         https://bugs.webkit.org/show_bug.cgi?id=188589
1593
1594         Reviewed by Mark Lam.
1595
1596         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1597         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1598
1599         1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1600         2. We make GPRReg and FPRReg int8_t enums.
1601         3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1602
1603         * assembler/ARM64Assembler.h:
1604         * assembler/ARMAssembler.h:
1605         * assembler/ARMv7Assembler.h:
1606         * assembler/MIPSAssembler.h:
1607         * assembler/X86Assembler.h:
1608         * jit/FPRInfo.h:
1609         * jit/GPRInfo.h:
1610         (JSC::JSValueRegs::JSValueRegs):
1611         (JSC::JSValueRegs::tagGPR const):
1612         (JSC::JSValueRegs::payloadGPR const):
1613         (JSC::JSValueSource::JSValueSource):
1614         (JSC::JSValueSource::unboxedCell):
1615         (JSC::JSValueSource::operator bool const):
1616         (JSC::JSValueSource::base const):
1617         (JSC::JSValueSource::tagGPR const):
1618         (JSC::JSValueSource::payloadGPR const):
1619         (JSC::JSValueSource::hasKnownTag const):
1620
1621 2018-08-14  Keith Miller  <keith_miller@apple.com>
1622
1623         Add missing availability macro.
1624         https://bugs.webkit.org/show_bug.cgi?id=188563
1625
1626         Reviewed by Mark Lam.
1627
1628         * API/JSValueRef.h:
1629
1630 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1631
1632         [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
1633         https://bugs.webkit.org/show_bug.cgi?id=188560
1634
1635         Reviewed by Keith Miller.
1636
1637         While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
1638         it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
1639         uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
1640         `m_wasSeenInJIT { false }`.
1641
1642         * bytecode/GetByIdStatus.h:
1643
1644 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1645
1646         [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
1647         https://bugs.webkit.org/show_bug.cgi?id=188557
1648
1649         Reviewed by Mark Lam.
1650
1651         DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
1652         processing for ArithRound etc.'s invariants requires `m_pass` load. This issue is found
1653         in UBSan's result.
1654
1655         * dfg/DFGPredictionPropagationPhase.cpp:
1656
1657 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1658
1659         [JSC] Should not rotate constant with 64
1660         https://bugs.webkit.org/show_bug.cgi?id=188556
1661
1662         Reviewed by Mark Lam.
1663
1664         To defend against JIT splaying, we rotate a constant with a randomly generated seed.
1665         But if a seed becomes 64, the following code performs `value << 64` where value's type
1666         is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed in the
1667         range of [0, 64) not to generate code causing UBs. This is found by UBSan.
1668
1669         * assembler/MacroAssembler.h:
1670         (JSC::MacroAssembler::generateRotationSeed):
1671         (JSC::MacroAssembler::rotationBlindConstant):
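
        Constant blinding by rotation, as an added example that is not JSC's
        generateRotationSeed/rotationBlindConstant: the naive form
        `(value << seed) | (value >> (64 - seed))` is undefined for seed 64, as the
        entry says, and equally for seed 0, where the right shift count becomes 64.
        The rollout recorded further up this log says the [0, 64) restriction was
        not the correct workaround; the version below masks both shift counts so
        every seed is well-defined. The seed generator and BlindedConstant type are
        constructed for the example.

```cpp
#include <cstdint>
#include <random>

// Added example (not JSC code). Both shift counts are masked with 63, so no
// count ever equals the operand width; seeds 0 and 64 become the identity.
static inline uint64_t rotateLeft64(uint64_t value, unsigned seed)
{
    const unsigned left = seed & 63;
    const unsigned right = (64 - left) & 63;
    return (value << left) | (value >> right);
}

static inline uint64_t rotateRight64(uint64_t value, unsigned seed)
{
    const unsigned right = seed & 63;
    const unsigned left = (64 - right) & 63;
    return (value >> right) | (value << left);
}

// The JIT emits the blinded constant and the seed; the generated code
// un-rotates at runtime, so attacker-chosen immediate bytes never appear
// verbatim in executable memory.
struct BlindedConstant {
    uint64_t blinded;
    unsigned seed;
};

// Hypothetical seed source for the example; JSC's generator is not reproduced.
// Fixed engine seed keeps the example deterministic.
static unsigned exampleRotationSeed()
{
    static std::mt19937 engine(0xC0FFEE);
    return std::uniform_int_distribution<unsigned>(1, 63)(engine);
}

static BlindedConstant blind(uint64_t value, unsigned seed)
{
    return { rotateRight64(value, seed), seed };
}

static BlindedConstant blindWithRandomSeed(uint64_t value)
{
    return blind(value, exampleRotationSeed());
}

static uint64_t unblind(const BlindedConstant& constant)
{
    return rotateLeft64(constant.blinded, constant.seed);
}

// Round-trips at every seed in [0, 64], the full range the entry discusses.
static bool roundTripsForAllSeeds(uint64_t value)
{
    for (unsigned seed = 0; seed <= 64; ++seed) {
        if (unblind(blind(value, seed)) != value)
            return false;
    }
    return true;
}
```

        Note that a rotation by a multiple of 8 leaves a repeated-byte constant such
        as 0x4141414141414141 unchanged, so rotation alone is a weaker blind than
        XOR with a random mask for exactly the constants an attacker would choose.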
1672
1673 2018-08-12  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1674
1675         Disable JIT on IA-32 without SSE2
1676         https://bugs.webkit.org/show_bug.cgi?id=188476
1677
1678         Reviewed by Michael Catanzaro.
1679
1680         Including missing header (MacroAssembler.h) in case of other
1681         operating systems than Windows too.
1682
1683         * runtime/Options.cpp:
1684
1685 2018-08-11  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1686
1687         Disable JIT on IA-32 without SSE2
1688         https://bugs.webkit.org/show_bug.cgi?id=188476
1689
1690         Reviewed by Yusuke Suzuki.
1691
1692         On IA-32 CPUs without SSE2 most of the webpages cannot load
1693         if the JIT is turned on.
1694
1695         * runtime/Options.cpp:
1696         (JSC::recomputeDependentOptions):
1697
1698 2018-08-10  Joseph Pecoraro  <pecoraro@apple.com>
1699
1700         Web Inspector: console.log fires getters for deep properties
1701         https://bugs.webkit.org/show_bug.cgi?id=187542
1702         <rdar://problem/42873158>
1703
1704         Reviewed by Saam Barati.
1705
1706         * inspector/InjectedScriptSource.js:
1707         (RemoteObject.prototype._isPreviewableObject):
1708         Avoid getters/setters when checking for simple properties to preview.
1709         Here we avoid invoking `object[property]` if it could be a user getter.
1710
1711 2018-08-10  Keith Miller  <keith_miller@apple.com>
1712
1713         Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
1714         https://bugs.webkit.org/show_bug.cgi?id=185127
1715
1716         Reviewed by Saam Barati.
1717
1718         Previously, we would truncate the indices passed to slice to an
1719         int. This meant that the value was not getting properly clamped
1720         later.
1721
1722         This patch also removes a non-spec compliant check that slice was
1723         passed at least one argument.
1724
1725         * runtime/ArrayBuffer.cpp:
1726         (JSC::ArrayBuffer::clampValue):
1727         (JSC::ArrayBuffer::clampIndex const):
1728         (JSC::ArrayBuffer::slice const):
1729         * runtime/ArrayBuffer.h:
1730         (JSC::ArrayBuffer::clampValue): Deleted.
1731         (JSC::ArrayBuffer::clampIndex const): Deleted.
1732         * runtime/JSArrayBufferPrototype.cpp:
1733         (JSC::arrayBufferProtoFuncSlice):
1734
1735 2018-08-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1736
1737         Date.UTC should not return NaN with only Year param
1738         https://bugs.webkit.org/show_bug.cgi?id=188378
1739
1740         Reviewed by Keith Miller.
1741
1742         Date.UTC requires one argument for |year|. But the other ones are optional.
1743         This patch fixes this handling.
1744
1745         * runtime/DateConstructor.cpp:
1746         (JSC::millisecondsFromComponents):
1747
1748 2018-08-08  Keith Miller  <keith_miller@apple.com>
1749
1750         Array.prototype.sort should call @toLength instead of ">>> 0"
1751         https://bugs.webkit.org/show_bug.cgi?id=188430
1752
1753         Reviewed by Saam Barati.
1754
1755         Also add a new function to $vm that will fetch a private
1756         property. This can be useful for running builtin helper functions.
1757
1758         * builtins/ArrayPrototype.js:
1759         (sort):
1760         * tools/JSDollarVM.cpp:
1761         (JSC::functionGetPrivateProperty):
1762         (JSC::JSDollarVM::finishCreation):
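
        The two length/index conversions contrasted by the ArrayBuffer slice entry
        and the Array.prototype.sort entry above, as one added example that is not
        JSC code: ToInt32/ToUint32 (`| 0`, `>>> 0`) wrap modulo 2^32, while the
        spec's relative-index clamping and ToLength saturate. The slice entry does
        not say which int truncation was used before the fix; ToInt32 semantics are
        assumed for the "before" function, and the SliceRange helpers are
        constructed for the example.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <limits>

// Added example (not JSC code): ECMAScript integer conversions side by side.
static constexpr double twoTo32 = 4294967296.0;
static constexpr double maxSafeInteger = 9007199254740991.0; // 2^53 - 1

// ECMAScript ToUint32: truncate, then reduce modulo 2^32 into [0, 2^32).
static uint32_t toUint32(double value)
{
    if (!std::isfinite(value))
        return 0;
    double m = std::fmod(std::trunc(value), twoTo32);
    if (m < 0)
        m += twoTo32;
    return static_cast<uint32_t>(m);
}

// ECMAScript ToInt32: the ToUint32 bits reinterpreted into [-2^31, 2^31).
static int32_t toInt32(double value)
{
    uint32_t u = toUint32(value);
    int64_t s = u >= 0x80000000u ? static_cast<int64_t>(u) - 4294967296LL : static_cast<int64_t>(u);
    return static_cast<int32_t>(s);
}

// ECMAScript ToLength: NaN or negative gives 0, everything else clamps to 2^53 - 1.
static double toLength(double value)
{
    if (std::isnan(value) || value <= 0)
        return 0;
    double t = std::trunc(value);
    return t > maxSafeInteger ? maxSafeInteger : t;
}

// Relative index clamping as in ArrayBuffer.prototype.slice: stay in double
// until the final conversion so huge or infinite inputs clamp instead of wrapping.
static size_t clampSliceIndex(double value, size_t byteLength)
{
    if (std::isnan(value))
        value = 0; // ToIntegerOrInfinity(NaN) is +0
    value = std::trunc(value);
    double length = static_cast<double>(byteLength);
    if (value < 0) {
        double adjusted = length + value; // -Infinity stays negative and clamps to 0
        return adjusted < 0 ? 0 : static_cast<size_t>(adjusted);
    }
    return value > length ? byteLength : static_cast<size_t>(value);
}

struct SliceRange {
    size_t begin;
    size_t length;
};

// endIsUndefined models a missing second argument (end defaults to byteLength).
static SliceRange sliceRange(size_t byteLength, double start, bool endIsUndefined, double end)
{
    size_t first = clampSliceIndex(start, byteLength);
    size_t final = endIsUndefined ? byteLength : clampSliceIndex(end, byteLength);
    return { first, final > first ? final - first : 0 };
}

// The pre-fix behaviour as the entry describes it (ToInt32 assumed): indices go
// through an int truncation first, so 2^31 wraps negative and the slice is empty.
static SliceRange sliceRangeTruncatingFirst(size_t byteLength, double start, double end)
{
    return sliceRange(byteLength, toInt32(start), false, toInt32(end));
}

// sort's view of an array-like length: ">>> 0" turns 2^32 + 3 into 3, while
// @toLength keeps it and only clamps at the spec limit.
static double sortLengthWithShift(double length) { return toUint32(length); }
static double sortLengthWithToLength(double length) { return toLength(length); }
```

        The security-relevant check in both cases is the same: a length or index
        that is silently wrapped to a small positive number can later be compared
        against a buffer bound it no longer describes, so the conversion has to
        clamp before any arithmetic on it.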
1763
1764 2018-08-08  Keith Miller  <keith_miller@apple.com>
1765
1766         Array.prototype.sort should throw TypeError if param is a not callable object
1767         https://bugs.webkit.org/show_bug.cgi?id=188382
1768
1769         Reviewed by Saam Barati.
1770
1771         Improve spec compatibility by checking if the Array.prototype.sort comparator is a function
1772         before doing anything else.
1773
1774         Also, refactor the various helper functions to use let instead of var.
1775
1776         * builtins/ArrayPrototype.js:
1777         (sort.stringComparator):
1778         (sort.compactSparse):
1779         (sort.compactSlow):
1780         (sort.compact):
1781         (sort.merge):
1782         (sort.mergeSort):
1783         (sort.bucketSort):
1784         (sort.comparatorSort):
1785         (sort.stringSort):
1786         (sort):
1787
1788 2018-08-08  Michael Saboff  <msaboff@apple.com>
1789
1790         Yarr JIT should include annotations with dumpDisassembly=true
1791         https://bugs.webkit.org/show_bug.cgi?id=188415
1792
1793         Reviewed by Yusuke Suzuki.
1794
1795         Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
1796         Given that the Yarr creates matching code by going through the YarrPattern ops forward and
1797         then the backtracking code through the YarrPattern ops in reverse order, the disassembler
1798         needs to do the same thing.
1799
1800         Restructured some of the logging code in YarrPattern to eliminate redundant code and factor
1801         out simple methods for what was needed by the YarrDisassembler.
1802
1803         Here is an abbreviated sample output after this change.
1804
1805         Generated JIT code for 8-bit regular expression /ab*c/:
1806             Code at [0x469561c03720, 0x469561c03840):
1807                 0x469561c03720: push %rbp
1808                 0x469561c03721: mov %rsp, %rbp
1809                 ...
1810                 0x469561c03762: sub $0x40, %rsp
1811              == Matching ==
1812            0:OpBodyAlternativeBegin minimum size 2
1813                 0x469561c03766: add $0x2, %esi
1814                 0x469561c03769: cmp %edx, %esi
1815                 0x469561c0376b: ja 0x469561c037fa
1816            1:OpTerm TypePatternCharacter 'a'
1817                 0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
1818                 0x469561c03776: cmp $0x61, %eax
1819                 0x469561c03779: jnz 0x469561c037e9
1820            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1821                 0x469561c0377f: xor %r9d, %r9d
1822                 0x469561c03782: cmp %edx, %esi
1823                 0x469561c03784: jz 0x469561c037a2
1824                 ...
1825                 0x469561c0379d: jmp 0x469561c03782
1826                 0x469561c037a2: mov %r9, 0x8(%rsp)
1827            3:OpTerm TypePatternCharacter 'c'
1828                 0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
1829                 0x469561c037ac: cmp $0x63, %eax
1830                 0x469561c037af: jnz 0x469561c037d1
1831            4:OpBodyAlternativeEnd
1832                 0x469561c037b5: add $0x40, %rsp
1833                 ...
1834                 0x469561c037cf: pop %rbp
1835                 0x469561c037d0: ret
1836              == Backtracking ==
1837            4:OpBodyAlternativeEnd
1838            3:OpTerm TypePatternCharacter 'c'
1839            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1840                 0x469561c037d1: mov 0x8(%rsp), %r9
1841                 ...
1842                 0x469561c037e4: jmp 0x469561c037a2
1843            1:OpTerm TypePatternCharacter 'a'
1844            0:OpBodyAlternativeBegin minimum size 2
1845                 0x469561c037e9: mov %rsi, %rax
1846                 ...
1847                 0x469561c0382f: pop %rbp
1848                 0x469561c03830: ret
1849
1850         * JavaScriptCore.xcodeproj/project.pbxproj:
1851         * Sources.txt:
1852         * runtime/RegExp.cpp:
1853         (JSC::RegExp::compile):
1854         (JSC::RegExp::compileMatchOnly):
1855         * yarr/YarrDisassembler.cpp: Added.
1856         (JSC::Yarr::YarrDisassembler::indentString):
1857         (JSC::Yarr::YarrDisassembler::YarrDisassembler):
1858         (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
1859         (JSC::Yarr::YarrDisassembler::dump):
1860         (JSC::Yarr::YarrDisassembler::dumpHeader):
1861         (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
1862         (JSC::Yarr::YarrDisassembler::dumpForInstructions):
1863         (JSC::Yarr::YarrDisassembler::dumpDisassembly):
1864         * yarr/YarrDisassembler.h: Added.
1865         (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
1866         (JSC::Yarr::YarrDisassembler::setStartOfCode):
1867         (JSC::Yarr::YarrDisassembler::setForGenerate):
1868         (JSC::Yarr::YarrDisassembler::setForBacktrack):
1869         (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
1870         (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
1871         (JSC::Yarr::YarrDisassembler::setEndOfCode):
1872         (JSC::Yarr::YarrDisassembler::indentString):
1873         * yarr/YarrJIT.cpp:
1874         (JSC::Yarr::YarrGenerator::generate):
1875         (JSC::Yarr::YarrGenerator::backtrack):
1876         (JSC::Yarr::YarrGenerator::YarrGenerator):
1877         (JSC::Yarr::YarrGenerator::compile):
1878         (JSC::Yarr::jitCompile):
1879         * yarr/YarrJIT.h:
1880         * yarr/YarrPattern.cpp:
1881         (JSC::Yarr::dumpCharacterClass):
1882         (JSC::Yarr::PatternTerm::dump):
1883         (JSC::Yarr::YarrPattern::dumpPatternString):
1884         (JSC::Yarr::YarrPattern::dumpPattern):
1885         * yarr/YarrPattern.h:
1886
1887 2018-08-05  Darin Adler  <darin@apple.com>
1888
1889         [Cocoa] More tweaks and refactoring to prepare for ARC
1890         https://bugs.webkit.org/show_bug.cgi?id=188245
1891
1892         Reviewed by Dan Bernstein.
1893
1894         * API/JSValue.mm: Use __unsafe_unretained.
1895         (JSContainerConvertor::convert): Use auto for compatibility with the above.
1896         * API/JSWrapperMap.mm:
1897         (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
1898         (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.
1899
1900         * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.
1901
1902 2018-08-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1903
1904         Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
1905         https://bugs.webkit.org/show_bug.cgi?id=188328
1906
1907         Reviewed by Saam Barati.
1908
1909         Shrinking the size of PropertyCondition can improve memory consumption by a lot.
1910         For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
1911         and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
1912         as a member field.
1913
1914         This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
1915         PropertyCondition::Kind into uint64_t data on 64-bit architectures. Since our addresses
1916         are within 48 bits, we can put PropertyCondition::Kind in these unused bits.
1917         To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
1918         folds a pointer and a 1-byte type into 64-bit data.
1919
1920         This change shrinks PropertyCondition from 24 bytes to 16 bytes.
1921
1922         * bytecode/PropertyCondition.cpp:
1923         (JSC::PropertyCondition::dumpInContext const):
1924         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1925         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
1926         (JSC::PropertyCondition::isStillValid const):
1927         (JSC::PropertyCondition::isWatchableWhenValid const):
1928         * bytecode/PropertyCondition.h:
1929         (JSC::PropertyCondition::PropertyCondition):
1930         (JSC::PropertyCondition::presenceWithoutBarrier):
1931         (JSC::PropertyCondition::absenceWithoutBarrier):
1932         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
1933         (JSC::PropertyCondition::equivalenceWithoutBarrier):
1934         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
1935         (JSC::PropertyCondition::operator bool const):
1936         (JSC::PropertyCondition::kind const):
1937         (JSC::PropertyCondition::uid const):
1938         (JSC::PropertyCondition::hasOffset const):
1939         (JSC::PropertyCondition::hasAttributes const):
1940         (JSC::PropertyCondition::hasPrototype const):
1941         (JSC::PropertyCondition::hasRequiredValue const):
1942         (JSC::PropertyCondition::hash const):
1943         (JSC::PropertyCondition::operator== const):
1944         (JSC::PropertyCondition::isHashTableDeletedValue const):
1945         (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
1946
1947 2018-08-07  Mark Lam  <mark.lam@apple.com>
1948
1949         Use a more specific PtrTag for PlatformRegisters PC and LR.
1950         https://bugs.webkit.org/show_bug.cgi?id=188366
1951         <rdar://problem/42984123>
1952
1953         Reviewed by Keith Miller.
1954
1955         Also fixed a bug in linkRegister(), which was previously returning the PC instead
1956         of LR.  It now returns LR.
1957
1958         * runtime/JSCPtrTag.h:
1959         * runtime/MachineContext.h:
1960         (JSC::MachineContext::instructionPointer):
1961         (JSC::MachineContext::linkRegister):
1962         * runtime/VMTraps.cpp:
1963         (JSC::SignalContext::SignalContext):
1964         * tools/SigillCrashAnalyzer.cpp:
1965         (JSC::SignalContext::SignalContext):
1966
1967 2018-08-07  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1968
1969         Hardcoded LFENCE instruction
1970         https://bugs.webkit.org/show_bug.cgi?id=188145
1971
1972         Reviewed by Filip Pizlo.
1973
1974         Remove the lfence instruction because it crashes systems without SSE2, and
1975         this is not how WebKit mitigates Spectre.
1976
1977         * runtime/JSLock.cpp:
1978         (JSC::JSLock::didAcquireLock):
1979         (JSC::JSLock::willReleaseLock):
1980
1981 2018-08-04  David Kilzer  <ddkilzer@apple.com>
1982
1983         REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
1984         <https://webkit.org/b/188331>
1985
1986         Reviewed by Yusuke Suzuki.
1987
1988         * runtime/TemplateObjectDescriptor.h:
1989         (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
1990         Use `m_rawstrings` instead of `rawStrings` to calculate hash.
1991
1992 2018-08-03  Saam Barati  <sbarati@apple.com>
1993
1994         Give the `jsc` shell the JIT entitlement
1995         https://bugs.webkit.org/show_bug.cgi?id=188324
1996         <rdar://problem/42885806>
1997
1998         Reviewed by Dan Bernstein.
1999
2000         This should help us in ensuring the system jsc is able to JIT.
2001
2002         * Configurations/JSC.xcconfig:
2003         * JavaScriptCore.xcodeproj/project.pbxproj:
2004         * allow-jit-macOS.entitlements: Added.
2005
2006 2018-08-03  Alex Christensen  <achristensen@webkit.org>
2007
2008         Fix spelling of "overridden"
2009         https://bugs.webkit.org/show_bug.cgi?id=188315
2010
2011         Reviewed by Darin Adler.
2012
2013         * API/JSExport.h:
2014         * inspector/InjectedScriptSource.js:
2015
2016 2018-08-02  Saam Barati  <sbarati@apple.com>
2017
2018         Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
2019         https://bugs.webkit.org/show_bug.cgi?id=188271
2020         <rdar://problem/42850884>
2021
2022         Reviewed by Michael Saboff.
2023
2024         This patch defends against the instructionPointer containing garbage bits.
2025         See radar for details.
2026
2027         * runtime/MachineContext.h:
2028         (JSC::MachineContext::instructionPointer):
2029         * runtime/SamplingProfiler.cpp:
2030         (JSC::SamplingProfiler::takeSample):
2031         * runtime/VMTraps.cpp:
2032         (JSC::SignalContext::SignalContext):
2033         (JSC::SignalContext::tryCreate):
2034         * tools/CodeProfiling.cpp:
2035         (JSC::profilingTimer):
2036         * tools/SigillCrashAnalyzer.cpp:
2037         (JSC::SignalContext::SignalContext):
2038         (JSC::SignalContext::tryCreate):
2039         (JSC::SignalContext::dump):
2040         (JSC::installCrashHandler):
2041         * wasm/WasmFaultSignalHandler.cpp:
2042         (JSC::Wasm::trapHandler):
2043
2044 2018-08-02  David Fenton  <david_fenton@apple.com>
2045
2046         Unreviewed, rolling out r234489.
2047
2048         Caused 50+ crashes and 60+ API failures on iOS
2049
2050         Reverted changeset:
2051
2052         "[WTF] Rename String::format to String::deprecatedFormat"
2053         https://bugs.webkit.org/show_bug.cgi?id=188191
2054         https://trac.webkit.org/changeset/234489
2055
2056 2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2057
2058         Add self.queueMicrotask(f) on DOMWindow
2059         https://bugs.webkit.org/show_bug.cgi?id=188212
2060
2061         Reviewed by Ryosuke Niwa.
2062
2063         * CMakeLists.txt:
2064         * JavaScriptCore.xcodeproj/project.pbxproj:
2065         * Sources.txt:
2066         * runtime/JSGlobalObject.cpp:
2067         (JSC::enqueueJob):
2068         * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
2069         (JSC::createJSMicrotask):
2070         Export them to WebCore.
2071
2072         (JSC::JSMicrotask::run):
2073         * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
2074         Add another version of JSMicrotask which does not have arguments.
2075
2076 2018-08-01  Tomas Popela  <tpopela@redhat.com>
2077
2078         [WTF] Rename String::format to String::deprecatedFormat
2079         https://bugs.webkit.org/show_bug.cgi?id=188191
2080
2081         Reviewed by Darin Adler.
2082
2083         It should be replaced with string concatenation.
2084
2085         * bytecode/CodeBlock.cpp:
2086         (JSC::CodeBlock::nameForRegister):
2087         * inspector/InjectedScriptBase.cpp:
2088         (Inspector::InjectedScriptBase::makeCall):
2089         * inspector/InspectorBackendDispatcher.cpp:
2090         (Inspector::BackendDispatcher::getPropertyValue):
2091         * inspector/agents/InspectorConsoleAgent.cpp:
2092         (Inspector::InspectorConsoleAgent::enable):
2093         (Inspector::InspectorConsoleAgent::stopTiming):
2094         * jsc.cpp:
2095         (FunctionJSCStackFunctor::operator() const):
2096         * parser/Lexer.cpp:
2097         (JSC::Lexer<T>::invalidCharacterMessage const):
2098         * runtime/IntlDateTimeFormat.cpp:
2099         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2100         * runtime/IntlObject.cpp:
2101         (JSC::canonicalizeLocaleList):
2102         * runtime/LiteralParser.cpp:
2103         (JSC::LiteralParser<CharType>::Lexer::lex):
2104         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2105         (JSC::LiteralParser<CharType>::parse):
2106         * runtime/LiteralParser.h:
2107         (JSC::LiteralParser::getErrorMessage):
2108
2109 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2110
2111         [INTL] Allow "unknown" formatToParts types
2112         https://bugs.webkit.org/show_bug.cgi?id=188176
2113
2114         Reviewed by Darin Adler.
2115
2116         Originally extra unexpected field types were marked as "literal", since
2117         the spec did not account for these. The ECMA 402 spec has since been updated
2118         to specify "unknown" should be used in these cases.
2119
2120         Currently there is no known way to reach these cases, so no tests can
2121         account for them. Theoretically they shouldn't exist, but they are specified,
2122         just to be safe. Marking them as "unknown" instead of "literal" hopefully
2123         will make such cases easy to identify if they ever happen.
2124
2125         * runtime/IntlDateTimeFormat.cpp:
2126         (JSC::IntlDateTimeFormat::partTypeString):
2127         * runtime/IntlNumberFormat.cpp:
2128         (JSC::IntlNumberFormat::partTypeString):
2129
2130 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2131
2132         [INTL] Implement hourCycle in DateTimeFormat
2133         https://bugs.webkit.org/show_bug.cgi?id=188006
2134
2135         Reviewed by Darin Adler.
2136
2137         Implemented hourCycle, updating both the skeleton and the final pattern.
2138         Changed resolveLocale to assume undefined options are not given and null
2139         strings actually mean null, which removes the tag extension.
2140
2141         * runtime/CommonIdentifiers.h:
2142         * runtime/IntlCollator.cpp:
2143         (JSC::IntlCollator::initializeCollator):
2144         * runtime/IntlDateTimeFormat.cpp:
2145         (JSC::IntlDTFInternal::localeData):
2146         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2147         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2148         (JSC::IntlDateTimeFormat::resolvedOptions):
2149         * runtime/IntlDateTimeFormat.h:
2150         * runtime/IntlObject.cpp:
2151         (JSC::resolveLocale):
2152
2153 2018-08-01  Keith Miller  <keith_miller@apple.com>
2154
2155         JSArrayBuffer should have its own JSType
2156         https://bugs.webkit.org/show_bug.cgi?id=188231
2157
2158         Reviewed by Saam Barati.
2159
2160         * runtime/JSArrayBuffer.cpp:
2161         (JSC::JSArrayBuffer::createStructure):
2162         * runtime/JSCast.h:
2163         * runtime/JSType.h:
2164
2165 2018-07-31  Keith Miller  <keith_miller@apple.com>
2166
2167         Unreviewed 32-bit build fix...
2168
2169         * dfg/DFGSpeculativeJIT32_64.cpp:
2170
2171 2018-07-31  Keith Miller  <keith_miller@apple.com>
2172
2173         Long compiling JSC files should not be unified
2174         https://bugs.webkit.org/show_bug.cgi?id=188205
2175
2176         Reviewed by Saam Barati.
2177
2178         The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
2179         to compile. Unifying them means touching anything in the same
2180         bundle as those files takes a long time to incrementally build.
2181         This patch separates those files so they build standalone.
2182
2183         * JavaScriptCore.xcodeproj/project.pbxproj:
2184         * Sources.txt:
2185         * dfg/DFGSpeculativeJIT64.cpp:
2186
2187 2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2188
2189         [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
2190         https://bugs.webkit.org/show_bug.cgi?id=188201
2191
2192         Reviewed by Keith Miller.
2193
2194         We do not reuse the existing butterfly with Contiguous shape for a new ArrayStorage butterfly.
2195         When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
2196         new one. So this cellLock() is unnecessary for contiguous shape since a contiguous shaped butterfly
2197         never becomes broken. This patch removes unnecessary locking.
2198
2199         * runtime/JSObject.cpp:
2200         (JSC::JSObject::visitButterflyImpl):
2201
2202 2018-07-31  Guillaume Emont  <guijemont@igalia.com>
2203
2204         [JSC] Remove gcc warnings for 32-bit platforms
2205         https://bugs.webkit.org/show_bug.cgi?id=187803
2206
2207         Reviewed by Yusuke Suzuki.
2208
2209         * assembler/MacroAssemblerPrinter.cpp:
2210         (JSC::Printer::printPCRegister):
2211         (JSC::Printer::printRegisterID):
2212         (JSC::Printer::printAddress):
2213         * dfg/DFGSpeculativeJIT.cpp:
2214         (JSC::DFG::SpeculativeJIT::speculateNumber):
2215         (JSC::DFG::SpeculativeJIT::speculateMisc):
2216         * jit/CCallHelpers.h:
2217         (JSC::CCallHelpers::calculatePokeOffset):
2218         * runtime/Options.cpp:
2219         (JSC::parse):
2220
2221 2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>
2222
2223         watchOS engineering build is broken after r234227
2224         https://bugs.webkit.org/show_bug.cgi?id=188180
2225
2226         Reviewed by Keith Miller.
2227
2228         In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
2229         postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
2230         `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
2231         `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
2232
2233         To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
2234         entirely, since there's no relevant version to replace them with.
2235
2236         * postprocess-headers.sh:
2237
2238 2018-07-30  Keith Miller  <keith_miller@apple.com>
2239
2240         Clarify conversion rules for JSValue property access API
2241         https://bugs.webkit.org/show_bug.cgi?id=188179
2242
2243         Reviewed by Geoffrey Garen.
2244
2245         * API/JSValue.h:
2246
2247 2018-07-30  Keith Miller  <keith_miller@apple.com>
2248
2249         Rename some JSC API functions/types.
2250         https://bugs.webkit.org/show_bug.cgi?id=188173
2251
2252         Reviewed by Saam Barati.
2253
2254         * API/JSObjectRef.cpp:
2255         (JSObjectHasPropertyForKey):
2256         (JSObjectGetPropertyForKey):
2257         (JSObjectSetPropertyForKey):
2258         (JSObjectDeletePropertyForKey):
2259         (JSObjectHasPropertyKey): Deleted.
2260         (JSObjectGetPropertyKey): Deleted.
2261         (JSObjectSetPropertyKey): Deleted.
2262         (JSObjectDeletePropertyKey): Deleted.
2263         * API/JSObjectRef.h:
2264         * API/JSValue.h:
2265         * API/JSValue.mm:
2266         (-[JSValue valueForProperty:]):
2267         (-[JSValue setValue:forProperty:]):
2268         (-[JSValue deleteProperty:]):
2269         (-[JSValue hasProperty:]):
2270         (-[JSValue defineProperty:descriptor:]):
2271         * API/tests/testapi.cpp:
2272         (TestAPI::run):
2273
2274 2018-07-30  Mark Lam  <mark.lam@apple.com>
2275
2276         Add a debugging utility to dump the memory layout of a JSCell.
2277         https://bugs.webkit.org/show_bug.cgi?id=188157
2278
2279         Reviewed by Yusuke Suzuki.
2280
2281         This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
2282         dump the memory contents of a cell and if present, its butterfly for debugging
2283         purposes.
2284
2285         Example usage for JS code when JSC_useDollarVM=true:
2286
2287             $vm.dumpCell(obj);
2288
2289         Example usage from C++ code or from lldb: 
2290
2291             (lldb) p JSC::VMInspector::dumpCellMemory(obj)
2292
2293         Some examples of dumps:
2294
2295             <0x104bc8260, Object>
2296               [0] 0x104bc8260 : 0x010016000000016c header
2297                 structureID 364 0x16c structure 0x104b721b0
2298                 indexingTypeAndMisc 0 0x0 NonArray
2299                 type 22 0x16
2300                 flags 0 0x0
2301                 cellState 1
2302               [1] 0x104bc8268 : 0x0000000000000000 butterfly
2303               [2] 0x104bc8270 : 0xffff000000000007
2304               [3] 0x104bc8278 : 0xffff000000000008
2305
2306             <0x104bb4360, Array>
2307               [0] 0x104bb4360 : 0x0108210b00000171 header
2308                 structureID 369 0x171 structure 0x104b723e0
2309                 indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
2310                 type 33 0x21
2311                 flags 8 0x8
2312                 cellState 1
2313               [1] 0x104bb4368 : 0x00000008000f4718 butterfly
2314                 base 0x8000f46e0
2315                 hasIndexingHeader YES hasAnyArrayStorage YES
2316                 publicLength 4 vectorLength 7 indexBias 2
2317                 preCapacity 2 propertyCapacity 4
2318                   <--- preCapacity
2319                   [0] 0x8000f46e0 : 0x0000000000000000
2320                   [1] 0x8000f46e8 : 0x0000000000000000
2321                   <--- propertyCapacity
2322                   [2] 0x8000f46f0 : 0x0000000000000000
2323                   [3] 0x8000f46f8 : 0x0000000000000000
2324                   [4] 0x8000f4700 : 0xffff00000000000d
2325                   [5] 0x8000f4708 : 0xffff00000000000c
2326                   <--- indexingHeader
2327                   [6] 0x8000f4710 : 0x0000000700000004
2328                   <--- butterfly
2329                   <--- arrayStorage
2330                   [7] 0x8000f4718 : 0x0000000000000000
2331                   [8] 0x8000f4720 : 0x0000000400000002
2332                   <--- indexedProperties
2333                   [9] 0x8000f4728 : 0xffff000000000008
2334                   [10] 0x8000f4730 : 0xffff000000000009
2335                   [11] 0x8000f4738 : 0xffff000000000005
2336                   [12] 0x8000f4740 : 0xffff000000000006
2337                   [13] 0x8000f4748 : 0x0000000000000000
2338                   [14] 0x8000f4750 : 0x0000000000000000
2339                   [15] 0x8000f4758 : 0x0000000000000000
2340                   <--- unallocated capacity
2341                   [16] 0x8000f4760 : 0x0000000000000000
2342                   [17] 0x8000f4768 : 0x0000000000000000
2343                   [18] 0x8000f4770 : 0x0000000000000000
2344                   [19] 0x8000f4778 : 0x0000000000000000
2345
2346         * runtime/JSObject.h:
2347         * tools/JSDollarVM.cpp:
2348         (JSC::functionDumpCell):
2349         (JSC::JSDollarVM::finishCreation):
2350         * tools/VMInspector.cpp:
2351         (JSC::VMInspector::dumpCellMemory):
2352         (JSC::IndentationScope::IndentationScope):
2353         (JSC::IndentationScope::~IndentationScope):
2354         (JSC::VMInspector::dumpCellMemoryToStream):
2355         * tools/VMInspector.h:
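
A decoder for the header word shown in the dumps above, as an added example that is not JSC's VMInspector code. The byte layout it assumes (low 32 bits structureID, then one byte each of indexingTypeAndMisc, type, flags and cellState, and publicLength/vectorLength as the two halves of the indexing header word) is inferred from the field values printed beside the two dumps, not taken from an engine definition.

```cpp
#include <cstdint>
#include <cstdio>

// Added example, not JSC's VMInspector::dumpCellMemory(): decodes the 64-bit
// header word printed by $vm.dumpCell() into the fields the dump lists next to
// it. The byte layout is inferred from the two dumps in the entry and is this
// example's assumption, not an engine definition.
struct CellHeader {
    uint32_t structureID;
    uint8_t indexingTypeAndMisc;
    uint8_t type;
    uint8_t flags;
    uint8_t cellState;
};

CellHeader decodeCellHeader(uint64_t word)
{
    CellHeader header;
    header.structureID = static_cast<uint32_t>(word & 0xffffffffu);
    header.indexingTypeAndMisc = static_cast<uint8_t>(word >> 32);
    header.type = static_cast<uint8_t>(word >> 40);
    header.flags = static_cast<uint8_t>(word >> 48);
    header.cellState = static_cast<uint8_t>(word >> 56);
    return header;
}

// The indexing header word that precedes the butterfly in the Array dump:
// publicLength in the low 32 bits, vectorLength in the high 32 bits, inferred
// from "publicLength 4 vectorLength 7" next to 0x0000000700000004.
struct IndexingHeader {
    uint32_t publicLength;
    uint32_t vectorLength;
};

IndexingHeader decodeIndexingHeader(uint64_t word)
{
    return { static_cast<uint32_t>(word & 0xffffffffu), static_cast<uint32_t>(word >> 32) };
}

// Plausibility check worth running on a dump taken from a crash: the public
// length must never exceed the allocated vector length.
bool indexingHeaderLooksSane(const IndexingHeader& header)
{
    return header.publicLength <= header.vectorLength;
}

void printCellHeader(uint64_t word)
{
    CellHeader h = decodeCellHeader(word);
    printf("0x%016llx header\n", (unsigned long long)word);
    printf("  structureID %u 0x%x\n", h.structureID, h.structureID);
    printf("  indexingTypeAndMisc %u 0x%x\n", h.indexingTypeAndMisc, h.indexingTypeAndMisc);
    printf("  type %u 0x%x\n", h.type, h.type);
    printf("  flags %u 0x%x\n", h.flags, h.flags);
    printf("  cellState %u\n", h.cellState);
}

int main()
{
    // The two header words from the dumps above (values copied from the entry).
    printCellHeader(0x010016000000016cULL); // Object: structureID 364, type 22
    printCellHeader(0x0108210b00000171ULL); // Array: structureID 369, type 33, flags 8
    IndexingHeader ih = decodeIndexingHeader(0x0000000700000004ULL);
    printf("publicLength %u vectorLength %u sane=%d\n",
        ih.publicLength, ih.vectorLength, indexingHeaderLooksSane(ih));
    return 0;
}
```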
2356
2357 2018-07-27  Mark Lam  <mark.lam@apple.com>
2358
2359         Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
2360         https://bugs.webkit.org/show_bug.cgi?id=188123
2361         <rdar://problem/42672268>
2362
2363         Reviewed by Keith Miller.
2364
2365         1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
2366            padding space in VM and Heap, and should not cost any measurable perf to
2367            initialize and update.
2368
2369         2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
2370
2371            worldState tells us the value we failed the assertion on.
2372
2373            m_lastPhase, m_currentPhase, and m_nextPhase tell us the GC phase transition
2374            that led us here.
2375
2376            VM::id() and VM::numberOfIDs() tell us how many VMs may be in play.
2377
2378            VM::isEntered() tells us if the current VM is currently executing JS code.
2379
2380            Some of this data may be redundant, but the redundancy is intentional so that
2381            we can double check what is really happening at the time of crash.
2382
2383         * heap/Heap.cpp:
2384         (JSC::asInt):
2385         (JSC::Heap::checkConn):
2386         (JSC::Heap::changePhase):
2387         * heap/Heap.h:
2388         * runtime/VM.cpp:
2389         (JSC::VM::nextID):
2390         (JSC::VM::VM):
2391         * runtime/VM.h:
2392         (JSC::VM::numberOfIDs):
2393         (JSC::VM::id const):
2394         (JSC::VM::isEntered const):
2395
2396 2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2397
2398         [JSC] Record CoW status in ArrayProfile correctly
2399         https://bugs.webkit.org/show_bug.cgi?id=187949
2400
2401         Reviewed by Saam Barati.
2402
2403         In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
2404         This is important since our OSR exit compiler records m_observedArrayModes by calculating
2405         ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
2406         our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
2407         Array::Generic DFG nodes.
2408
2409         * bytecode/ArrayProfile.h:
2410         (JSC::asArrayModes):
2411         (JSC::ArrayProfile::ArrayProfile):
2412         * dfg/DFGOSRExit.cpp:
2413         (JSC::DFG::OSRExit::compileExit):
2414         * ftl/FTLOSRExitCompiler.cpp:
2415         (JSC::FTL::compileStub):
2416         * runtime/IndexingType.h:
2417
2418 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2419
2420         [INTL] Remove INTL sub-feature compile flags
2421         https://bugs.webkit.org/show_bug.cgi?id=188081
2422
2423         Reviewed by Michael Catanzaro.
2424
2425         Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
2426         The runtime flags are still present, and should be relied on instead.
2427         The defines for ICU features have also been updated to match HAVE() style.
2428
2429         * Configurations/FeatureDefines.xcconfig:
2430         * runtime/IntlPluralRules.cpp:
2431         (JSC::IntlPluralRules::resolvedOptions):
2432         (JSC::IntlPluralRules::select):
2433         * runtime/IntlPluralRules.h:
2434         * runtime/Options.h:
2435
2436 2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2437
2438         [JSC] Dump IndexingMode in Structure
2439         https://bugs.webkit.org/show_bug.cgi?id=188085
2440
2441         Reviewed by Keith Miller.
2442
2443         Dump IndexingMode instead of IndexingType.
2444
2445         * runtime/Structure.cpp:
2446         (JSC::Structure::dump const):
2447
2448 2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>
2449
2450         String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
2451         https://bugs.webkit.org/show_bug.cgi?id=187963
2452
2453         Reviewed by Alex Christensen.
2454
2455         * inspector/InspectorBackendDispatcher.cpp:
2456         (Inspector::BackendDispatcher::dispatch):
2457         * jsc.cpp:
2458         (ModuleName::ModuleName):
2459         (resolvePath):
2460         * runtime/IntlObject.cpp:
2461         (JSC::canonicalizeLanguageTag):
2462         (JSC::removeUnicodeLocaleExtension):
2463         Update split/splitAllowingEmptyEntries usage.
2464
2465 2018-07-26  Commit Queue  <commit-queue@webkit.org>
2466
2467         Unreviewed, rolling out r234181 and r234189.
2468         https://bugs.webkit.org/show_bug.cgi?id=188075
2469
2470         These are not needed right now (Requested by thorton on
2471         #webkit).
2472
2473         Reverted changesets:
2474
2475         "Enable Web Content Filtering on watchOS"
2476         https://bugs.webkit.org/show_bug.cgi?id=187979
2477         https://trac.webkit.org/changeset/234181
2478
2479         "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
2480         https://bugs.webkit.org/show_bug.cgi?id=187985
2481         https://trac.webkit.org/changeset/234189
2482
2483 2018-07-26  Mark Lam  <mark.lam@apple.com>
2484
2485         arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
2486         https://bugs.webkit.org/show_bug.cgi?id=188065
2487         <rdar://problem/42515726>
2488
2489         Reviewed by Saam Barati.
2490
2491         * runtime/ArrayPrototype.cpp:
2492         (JSC::clearElement):
2493         (JSC::copyElements):
2494         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2495
2496 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2497
2498         JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
2499         https://bugs.webkit.org/show_bug.cgi?id=167991
2500
2501         Reviewed by Michael Catanzaro.
2502
2503         Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
2504         Checked locale.isEmpty() before returning it from defaultLocale, so there should be
2505         no more cases where you might have an invalid locale come back from resolveLocale.
2506
2507         * runtime/IntlObject.cpp:
2508         (JSC::convertICULocaleToBCP47LanguageTag):
2509         (JSC::defaultLocale):
2510         (JSC::lookupMatcher):
2511         * runtime/IntlObject.h:
2512         * runtime/JSGlobalObject.cpp:
2513         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
2514         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
2515         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
2516         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2517
2518 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2519
2520         REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
2521         https://bugs.webkit.org/show_bug.cgi?id=188040
2522
2523         Unreviewed build fix for AppleWin port.
2524
2525         * API/tests/testapi.c: Disabled warning C4204.
2526         (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
2527
2528 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2529
2530         [JSC API] We should support the symbol type in our C/Obj-C API
2531         https://bugs.webkit.org/show_bug.cgi?id=175836
2532
2533         Unreviewed build fix for Windows port.
2534
2535         r234227 introduced a compilation error, unresolved external symbol
2536         "int __cdecl testCAPIViaCpp(void)", in testapi for Windows ports.
2537
2538         Windows ports compile testapi.c as C++ by using the /TP switch.
2539
2540         * API/tests/testapi.c:
2541         (main): Removed `::` prefix of ::SetErrorMode Windows API.
2542         (dllLauncherEntryPoint): Converted into C style.
2543         * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c
2544
2545 2018-07-25  Keith Miller  <keith_miller@apple.com>
2546
2547         [JSC API] We should support the symbol type in our C/Obj-C API
2548         https://bugs.webkit.org/show_bug.cgi?id=175836
2549
2550         Reviewed by Filip Pizlo.
2551
2552         This patch makes the following API additions:
2553         1) Test if a JSValue/JSValueRef is a symbol via any of the methods by which the API is able to test for the types of other JSValues.
2554         2) Create a symbol on both APIs.
2555         3) Get/Set/Delete/Define property now take ids in the Obj-C API.
2556         4) Add Get/Set/Delete in the C API.
2557
2558         We can do 3 because it is both binary and source compatible with
2559         the existing API. I added (4) because the current property access
2560         APIs only have the ability to get Strings. It was possible to
2561         merge symbols into JSStringRef but that felt confusing and exposes
2562         implementation details of our engine. The new functions match the
2563         same meaning that they have in JS, thus should be forward
2564         compatible with any future language extensions.
2565
2566         Lastly, this patch adds the same availability preprocessing phase
2567         in WebCore to JavaScriptCore, which enables TBA features for
2568         testing on previous releases.
2569
2570         * API/APICast.h:
2571         * API/JSBasePrivate.h:
2572         * API/JSContext.h:
2573         * API/JSContextPrivate.h:
2574         * API/JSContextRef.h:
2575         * API/JSContextRefInternal.h:
2576         * API/JSContextRefPrivate.h:
2577         * API/JSManagedValue.h:
2578         * API/JSObjectRef.cpp:
2579         (JSObjectHasPropertyKey):
2580         (JSObjectGetPropertyKey):
2581         (JSObjectSetPropertyKey):
2582         (JSObjectDeletePropertyKey):
2583         * API/JSObjectRef.h:
2584         * API/JSRemoteInspector.h:
2585         * API/JSTypedArray.h:
2586         * API/JSValue.h:
2587         * API/JSValue.mm:
2588         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
2589         (performPropertyOperation):
2590         (-[JSValue valueForProperty:valueForProperty:]):
2591         (-[JSValue setValue:forProperty:setValue:forProperty:]):
2592         (-[JSValue deleteProperty:deleteProperty:]):
2593         (-[JSValue hasProperty:hasProperty:]):
2594         (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
2595         (-[JSValue isSymbol]):
2596         (-[JSValue objectForKeyedSubscript:]):
2597         (-[JSValue setObject:forKeyedSubscript:]):
2598         (-[JSValue valueForProperty:]): Deleted.
2599         (-[JSValue setValue:forProperty:]): Deleted.
2600         (-[JSValue deleteProperty:]): Deleted.
2601         (-[JSValue hasProperty:]): Deleted.
2602         (-[JSValue defineProperty:descriptor:]): Deleted.
2603         * API/JSValueRef.cpp:
2604         (JSValueGetType):
2605         (JSValueIsSymbol):
2606         (JSValueMakeSymbol):
2607         * API/JSValueRef.h:
2608         * API/WebKitAvailability.h:
2609         * API/tests/CurrentThisInsideBlockGetterTest.mm:
2610         * API/tests/CustomGlobalObjectClassTest.c:
2611         * API/tests/DateTests.mm:
2612         * API/tests/JSExportTests.mm:
2613         * API/tests/JSNode.c:
2614         * API/tests/JSNodeList.c:
2615         * API/tests/Node.c:
2616         * API/tests/NodeList.c:
2617         * API/tests/minidom.c:
2618         * API/tests/testapi.c:
2619         (main):
2620         * API/tests/testapi.cpp: Added.
2621         (APIString::APIString):
2622         (APIString::~APIString):
2623         (APIString::operator JSStringRef):
2624         (APIContext::APIContext):
2625         (APIContext::~APIContext):
2626         (APIContext::operator JSGlobalContextRef):
2627         (APIVector::APIVector):
2628         (APIVector::~APIVector):
2629         (APIVector::append):
2630         (testCAPIViaCpp):
2631         (TestAPI::evaluateScript):
2632         (TestAPI::callFunction):
2633         (TestAPI::functionReturnsTrue):
2634         (TestAPI::check):
2635         (TestAPI::checkJSAndAPIMatch):
2636         (TestAPI::interestingObjects):
2637         (TestAPI::interestingKeys):
2638         (TestAPI::run):
2639         * API/tests/testapi.mm:
2640         (testObjectiveCAPIMain):
2641         * JavaScriptCore.xcodeproj/project.pbxproj:
2642         * config.h:
2643         * postprocess-headers.sh:
2644         * shell/CMakeLists.txt:
2645         * testmem/testmem.mm:
2646
2647 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
2648
2649         [INTL] Call Typed Array elements toLocaleString with locale and options
2650         https://bugs.webkit.org/show_bug.cgi?id=185796
2651
2652         Reviewed by Keith Miller.
2653
2654         Improve ECMA 402 compliance of typed array toLocaleString, passing along
2655         the locale and options to element toLocaleString calls.
2656
2657         * builtins/TypedArrayPrototype.js:
2658         (toLocaleString):
2659
2660 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
2661
2662         [INTL] Intl constructor lengths should be configurable
2663         https://bugs.webkit.org/show_bug.cgi?id=187960
2664
2665         Reviewed by Saam Barati.
2666
2667         Removed DontDelete from Intl constructor lengths.
2668         Fixed DateTimeFormat formatToParts length.
2669
2670         * runtime/IntlCollatorConstructor.cpp:
2671         (JSC::IntlCollatorConstructor::finishCreation):
2672         * runtime/IntlDateTimeFormatConstructor.cpp:
2673         (JSC::IntlDateTimeFormatConstructor::finishCreation):
2674         * runtime/IntlDateTimeFormatPrototype.cpp:
2675         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2676         * runtime/IntlNumberFormatConstructor.cpp:
2677         (JSC::IntlNumberFormatConstructor::finishCreation):
2678         * runtime/IntlPluralRulesConstructor.cpp:
2679         (JSC::IntlPluralRulesConstructor::finishCreation):
2680
2681 2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>
2682
2683         runJITThreadLimitTests is failing
2684         https://bugs.webkit.org/show_bug.cgi?id=187886
2685         <rdar://problem/42561966>
2686
2687         Unreviewed build fix for MSVC.
2688
2689         MSVC doesn't support the ternary operator without a second operand.
2690
2691         * dfg/DFGWorklist.cpp:
2692         (JSC::DFG::getNumberOfDFGCompilerThreads):
2693         (JSC::DFG::getNumberOfFTLCompilerThreads):
2694
2695 2018-07-24  Commit Queue  <commit-queue@webkit.org>
2696
2697         Unreviewed, rolling out r234183.
2698         https://bugs.webkit.org/show_bug.cgi?id=187983
2699
2700         causes a regression in Kraken gaussian blur and desaturate
2701         (Requested by yusukesuzuki on #webkit).
2702
2703         Reverted changeset:
2704
2705         "[JSC] Record CoW status in ArrayProfile"
2706         https://bugs.webkit.org/show_bug.cgi?id=187949
2707         https://trac.webkit.org/changeset/234183
2708
2709 2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2710
2711         [JSC] Record CoW status in ArrayProfile
2712         https://bugs.webkit.org/show_bug.cgi?id=187949
2713
2714         Reviewed by Saam Barati.
2715
2716         Once a CoW array is converted to a non-CoW array, subsequent operations are done on this non-CoW array.
2717         Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
2718         in this code typically record only non-CoW arrays since array profiles hold only one recently
2719         seen StructureID. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
2720         CoW arrays.
2721
2722         In this patch, we record the CoW status in ArrayProfile separately to construct a more appropriate DFG::ArrayMode
2723         speculation. To do so efficiently, we store the union of seen IndexingModes in ArrayProfile.
2724
2725         This patch removes one of Kraken/stanford-crypto-aes's OSR exit reason, and improves the performance by 6-7%.
2726
2727                                       baseline                  patched
2728
2729         stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
2730         stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster
2731
2732         * bytecode/ArrayProfile.cpp:
2733         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2734         * bytecode/ArrayProfile.h:
2735         (JSC::asArrayModes):
2736         We simplify asArrayModes instead of giving up Int8ArrayMode - Float64ArrayMode contiguous sequence.
2737
2738         (JSC::ArrayProfile::ArrayProfile):
2739         (JSC::ArrayProfile::addressOfObservedIndexingModes):
2740         (JSC::ArrayProfile::observedIndexingModes const):
2741         Currently, our macro assembler and offlineasm only support the `or32` / `ori` operation on addresses.
2742         So we store the union of seen IndexingModes in an `unsigned` instead.
2743
2744         * dfg/DFGArrayMode.cpp:
2745         (JSC::DFG::ArrayMode::fromObserved):
2746         * dfg/DFGArrayMode.h:
2747         (JSC::DFG::ArrayMode::withProfile const):
2748         * jit/JITCall.cpp:
2749         (JSC::JIT::compileOpCall):
2750         * jit/JITCall32_64.cpp:
2751         (JSC::JIT::compileOpCall):
2752         * jit/JITInlines.h:
2753         (JSC::JIT::emitArrayProfilingSiteWithCell):
2754         * llint/LowLevelInterpreter.asm:
2755         * llint/LowLevelInterpreter32_64.asm:
2756         * llint/LowLevelInterpreter64.asm:
2757
2758 2018-07-24  Tim Horton  <timothy_horton@apple.com>
2759
2760         Enable Web Content Filtering on watchOS
2761         https://bugs.webkit.org/show_bug.cgi?id=187979
2762         <rdar://problem/42559346>
2763
2764         Reviewed by Wenson Hsieh.
2765
2766         * Configurations/FeatureDefines.xcconfig:
2767
2768 2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>
2769
2770         Don't modify Options when setting JIT thread limits
2771         https://bugs.webkit.org/show_bug.cgi?id=187886
2772
2773         Reviewed by Filip Pizlo.
2774
2775         Previously, when setting the JIT thread limit prior to the worklist
2776         initialization, it'd be set via Options, which didn't work if Options
2777         hadn't been initialized yet. Change it to use a static variable in the
2778         Worklist instead.
2779
2780         * API/JSVirtualMachine.mm:
2781         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
2782         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
2783         * API/tests/testapi.mm:
2784         (testObjectiveCAPIMain):
2785         * dfg/DFGWorklist.cpp:
2786         (JSC::DFG::getNumberOfDFGCompilerThreads):
2787         (JSC::DFG::getNumberOfFTLCompilerThreads):
2788         (JSC::DFG::setNumberOfDFGCompilerThreads):
2789         (JSC::DFG::setNumberOfFTLCompilerThreads):
2790         (JSC::DFG::ensureGlobalDFGWorklist):
2791         (JSC::DFG::ensureGlobalFTLWorklist):
2792         * dfg/DFGWorklist.h:
2793
2794 2018-07-24  Mark Lam  <mark.lam@apple.com>
2795
2796         Refactoring: make DFG::Plan a class.
2797         https://bugs.webkit.org/show_bug.cgi?id=187968
2798
2799         Reviewed by Saam Barati.
2800
2801         This patch makes all the DFG::Plan fields private, and provides accessor methods
2802         for them.  This makes it easier to reason about how these fields are used and
2803         modified.
2804
2805         * dfg/DFGAbstractInterpreterInlines.h:
2806         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2807         * dfg/DFGByteCodeParser.cpp:
2808         (JSC::DFG::ByteCodeParser::handleCall):
2809         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2810         (JSC::DFG::ByteCodeParser::handleInlining):
2811         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2812         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2813         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
2814         (JSC::DFG::ByteCodeParser::handleGetById):
2815         (JSC::DFG::ByteCodeParser::handlePutById):
2816         (JSC::DFG::ByteCodeParser::parseBlock):
2817         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2818         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2819         (JSC::DFG::ByteCodeParser::parse):
2820         * dfg/DFGCFAPhase.cpp:
2821         (JSC::DFG::CFAPhase::run):
2822         (JSC::DFG::CFAPhase::injectOSR):
2823         * dfg/DFGClobberize.h:
2824         (JSC::DFG::clobberize):
2825         * dfg/DFGCommonData.cpp:
2826         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2827         * dfg/DFGCommonData.h:
2828         * dfg/DFGConstantFoldingPhase.cpp:
2829         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2830         * dfg/DFGDriver.cpp:
2831         (JSC::DFG::compileImpl):
2832         * dfg/DFGFinalizer.h:
2833         * dfg/DFGFixupPhase.cpp:
2834         (JSC::DFG::FixupPhase::fixupNode):
2835         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2836         * dfg/DFGGraph.cpp:
2837         (JSC::DFG::Graph::Graph):
2838         (JSC::DFG::Graph::watchCondition):
2839         (JSC::DFG::Graph::inferredTypeFor):
2840         (JSC::DFG::Graph::requiredRegisterCountForExit):
2841         (JSC::DFG::Graph::registerFrozenValues):
2842         (JSC::DFG::Graph::registerStructure):
2843         (JSC::DFG::Graph::registerAndWatchStructureTransition):
2844         (JSC::DFG::Graph::assertIsRegistered):
2845         * dfg/DFGGraph.h:
2846         (JSC::DFG::Graph::compilation):
2847         (JSC::DFG::Graph::identifiers):
2848         (JSC::DFG::Graph::watchpoints):
2849         * dfg/DFGJITCompiler.cpp:
2850         (JSC::DFG::JITCompiler::JITCompiler):
2851         (JSC::DFG::JITCompiler::link):
2852         (JSC::DFG::JITCompiler::compile):
2853         (JSC::DFG::JITCompiler::compileFunction):
2854         (JSC::DFG::JITCompiler::disassemble):
2855         * dfg/DFGJITCompiler.h:
2856         (JSC::DFG::JITCompiler::addWeakReference):
2857         * dfg/DFGJITFinalizer.cpp:
2858         (JSC::DFG::JITFinalizer::finalize):
2859         (JSC::DFG::JITFinalizer::finalizeFunction):
2860         (JSC::DFG::JITFinalizer::finalizeCommon):
2861         * dfg/DFGOSREntrypointCreationPhase.cpp:
2862         (JSC::DFG::OSREntrypointCreationPhase::run):
2863         * dfg/DFGPhase.cpp:
2864         (JSC::DFG::Phase::beginPhase):
2865         * dfg/DFGPhase.h:
2866         (JSC::DFG::runAndLog):
2867         * dfg/DFGPlan.cpp:
2868         (JSC::DFG::Plan::Plan):
2869         (JSC::DFG::Plan::computeCompileTimes const):
2870         (JSC::DFG::Plan::reportCompileTimes const):
2871         (JSC::DFG::Plan::compileInThread):
2872         (JSC::DFG::Plan::compileInThreadImpl):
2873         (JSC::DFG::Plan::isStillValid):
2874         (JSC::DFG::Plan::reallyAdd):
2875         (JSC::DFG::Plan::notifyCompiling):
2876         (JSC::DFG::Plan::notifyReady):
2877         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2878         (JSC::DFG::Plan::finalizeAndNotifyCallback):
2879         (JSC::DFG::Plan::key):
2880         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2881         (JSC::DFG::Plan::finalizeInGC):
2882         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2883         (JSC::DFG::Plan::cancel):
2884         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
2885         * dfg/DFGPlan.h:
2886         (JSC::DFG::Plan::canTierUpAndOSREnter const):
2887         (JSC::DFG::Plan::vm const):
2888         (JSC::DFG::Plan::codeBlock):
2889         (JSC::DFG::Plan::mode const):
2890         (JSC::DFG::Plan::osrEntryBytecodeIndex const):
2891         (JSC::DFG::Plan::mustHandleValues const):
2892         (JSC::DFG::Plan::threadData const):
2893         (JSC::DFG::Plan::compilation const):
2894         (JSC::DFG::Plan::finalizer const):
2895         (JSC::DFG::Plan::setFinalizer):
2896         (JSC::DFG::Plan::inlineCallFrames const):
2897         (JSC::DFG::Plan::watchpoints):
2898         (JSC::DFG::Plan::identifiers):
2899         (JSC::DFG::Plan::weakReferences):
2900         (JSC::DFG::Plan::transitions):
2901         (JSC::DFG::Plan::recordedStatuses):
2902         (JSC::DFG::Plan::willTryToTierUp const):
2903         (JSC::DFG::Plan::setWillTryToTierUp):
2904         (JSC::DFG::Plan::tierUpInLoopHierarchy):
2905         (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
2906         (JSC::DFG::Plan::stage const):
2907         (JSC::DFG::Plan::callback const):
2908         (JSC::DFG::Plan::setCallback):
2909         * dfg/DFGPlanInlines.h:
2910         (JSC::DFG::Plan::iterateCodeBlocksForGC):
2911         * dfg/DFGPreciseLocalClobberize.h:
2912         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2913         * dfg/DFGPredictionInjectionPhase.cpp:
2914         (JSC::DFG::PredictionInjectionPhase::run):
2915         * dfg/DFGSafepoint.cpp:
2916         (JSC::DFG::Safepoint::Safepoint):
2917         (JSC::DFG::Safepoint::~Safepoint):
2918         (JSC::DFG::Safepoint::begin):
2919         * dfg/DFGSafepoint.h:
2920         * dfg/DFGSpeculativeJIT.h:
2921         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
2922         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
2923         * dfg/DFGStackLayoutPhase.cpp:
2924         (JSC::DFG::StackLayoutPhase::run):
2925         * dfg/DFGStrengthReductionPhase.cpp:
2926         (JSC::DFG::StrengthReductionPhase::handleNode):
2927         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2928         (JSC::DFG::TierUpCheckInjectionPhase::run):
2929         * dfg/DFGTypeCheckHoistingPhase.cpp:
2930         (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
2931         * dfg/DFGWorklist.cpp:
2932         (JSC::DFG::Worklist::isActiveForVM const):
2933         (JSC::DFG::Worklist::compilationState):
2934         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2935         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2936         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
2937         (JSC::DFG::Worklist::visitWeakReferences):
2938         (JSC::DFG::Worklist::removeDeadPlans):
2939         (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
2940         * dfg/DFGWorklistInlines.h:
2941         (JSC::DFG::Worklist::iterateCodeBlocksForGC):
2942         * ftl/FTLCompile.cpp:
2943         (JSC::FTL::compile):
2944         * ftl/FTLFail.cpp:
2945         (JSC::FTL::fail):
2946         * ftl/FTLJITFinalizer.cpp:
2947         (JSC::FTL::JITFinalizer::finalizeCommon):
2948         * ftl/FTLLink.cpp:
2949         (JSC::FTL::link):
2950         * ftl/FTLLowerDFGToB3.cpp:
2951         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2952         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2953         (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
2954         * ftl/FTLState.cpp:
2955         (JSC::FTL::State::State):
2956
2957 2018-07-24  Saam Barati  <sbarati@apple.com>
2958
2959         Make VM::canUseJIT an inlined function
2960         https://bugs.webkit.org/show_bug.cgi?id=187583
2961
2962         Reviewed by Mark Lam.
2963
2964         We know the answer to this query in initializeThreading after initializing
2965         the executable allocator. This patch makes it so that we just hold this value
2966         in a static variable and have an inlined function that just returns the value
2967         of that static variable.
2968
2969         * runtime/InitializeThreading.cpp:
2970         (JSC::initializeThreading):
2971         * runtime/VM.cpp:
2972         (JSC::VM::computeCanUseJIT):
2973         (JSC::VM::canUseJIT): Deleted.
2974         * runtime/VM.h:
2975         (JSC::VM::canUseJIT):
2976
2977 2018-07-24  Mark Lam  <mark.lam@apple.com>
2978
2979         Placate exception check verification after recent changes.
2980         https://bugs.webkit.org/show_bug.cgi?id=187961
2981         <rdar://problem/42545394>
2982
2983         Reviewed by Saam Barati.
2984
2985         * runtime/IntlObject.cpp:
2986         (JSC::intlNumberOption):
2987
2988 2018-07-23  Saam Barati  <sbarati@apple.com>
2989
2990         need to didFoldClobberWorld when we constant fold GetByVal
2991         https://bugs.webkit.org/show_bug.cgi?id=187917
2992         <rdar://problem/42505095>
2993
2994         Reviewed by Yusuke Suzuki.
2995
2996         * dfg/DFGAbstractInterpreterInlines.h:
2997         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2998
2999 2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>
3000
3001         [INTL] Language tags are not canonicalized
3002         https://bugs.webkit.org/show_bug.cgi?id=185836
3003
3004         Reviewed by Keith Miller.
3005
3006         Canonicalize language tags, replacing deprecated tag parts with the
3007         preferred values. Remove broken support for algorithmic numbering systems,
3008         which can cause an error in ICU and are not supported in other engines.
3009
3010         Generate the lookup functions from the language-subtag-registry.
3011
3012         Also initialize the UNumberFormat in initializeNumberFormat so any
3013         failures are thrown immediately instead of failing to format later.
3014
3015         * CMakeLists.txt:
3016         * DerivedSources.make:
3017         * JavaScriptCore.xcodeproj/project.pbxproj:
3018         * Scripts/generateIntlCanonicalizeLanguage.py: Added.
3019         * runtime/IntlDateTimeFormat.cpp:
3020         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3021         * runtime/IntlNumberFormat.cpp:
3022         (JSC::IntlNumberFormat::initializeNumberFormat):
3023         (JSC::IntlNumberFormat::formatNumber):
3024         (JSC::IntlNumberFormat::formatToParts):
3025         (JSC::IntlNumberFormat::createNumberFormat): Deleted.
3026         * runtime/IntlNumberFormat.h:
3027         * runtime/IntlObject.cpp:
3028         (JSC::intlNumberOption):
3029         (JSC::intlDefaultNumberOption):
3030         (JSC::preferredLanguage):
3031         (JSC::preferredRegion):
3032         (JSC::canonicalLangTag):
3033         (JSC::canonicalizeLanguageTag):
3034         (JSC::defaultLocale):
3035         (JSC::removeUnicodeLocaleExtension):
3036         (JSC::numberingSystemsForLocale):
3037         (JSC::grandfatheredLangTag): Deleted.
3038         * runtime/IntlObject.h:
3039         * runtime/IntlPluralRules.cpp:
3040         (JSC::IntlPluralRules::initializePluralRules):
3041         * runtime/JSGlobalObject.cpp:
3042         (JSC::addMissingScriptLocales):
3043         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
3044         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
3045         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
3046         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
3047         * ucd/language-subtag-registry.txt: Added.
3048
3049 2018-07-23  Mark Lam  <mark.lam@apple.com>
3050
3051         Add some asserts to help diagnose a crash.
3052         https://bugs.webkit.org/show_bug.cgi?id=187915
3053         <rdar://problem/42508166>
3054
3055         Reviewed by Michael Saboff.
3056
3057         Add some asserts to verify that a CodeBlock alternative should always have a
3058         non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
3059         CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
3060         so that we'll retain the state of the variables that failed the assertion (again
3061         to help with diagnosis).
3062
3063         * bytecode/CodeBlock.cpp:
3064         (JSC::CodeBlock::setAlternative):
3065         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
3066         * dfg/DFGPlan.cpp:
3067         (JSC::DFG::Plan::Plan):
3068
3069 2018-07-23  Filip Pizlo  <fpizlo@apple.com>
3070
3071         Unreviewed, fix no-JIT build.
3072
3073         * bytecode/CallLinkStatus.cpp:
3074         (JSC::CallLinkStatus::computeFor):
3075         * bytecode/CodeBlock.cpp:
3076         (JSC::CodeBlock::finalizeUnconditionally):
3077         * bytecode/GetByIdStatus.cpp:
3078         (JSC::GetByIdStatus::computeFor):
3079         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3080         * bytecode/InByIdStatus.cpp:
3081         * bytecode/PutByIdStatus.cpp:
3082         (JSC::PutByIdStatus::computeForStubInfo):
3083
3084 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3085
3086         [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
3087         https://bugs.webkit.org/show_bug.cgi?id=187891
3088
3089         Reviewed by Saam Barati.
3090
3091         When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
3092         two variants are mergeable but they have "Miss" status. We make merging fail if
3093         the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
3094         if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL,
3095         which patch has more chances to merge variants.
3096
3097         This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
3098         is not related since it does not use this check in Transition case.
3099
3100         * bytecode/GetByIdVariant.cpp:
3101         (JSC::GetByIdVariant::attemptToMerge):
3102         * bytecode/InByIdVariant.cpp:
3103         (JSC::InByIdVariant::attemptToMerge):
3104
3105 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3106
3107         [DFG] Fold GetByVal if the indexed value is non configurable and non writable
3108         https://bugs.webkit.org/show_bug.cgi?id=186462
3109
3110         Reviewed by Saam Barati.
3111
3112         Non-special DontDelete | ReadOnly properties mean that it won't be changed. If DFG AI can retrieve this
3113         property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
3114         Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.
3115
3116         This patch attempts to fold such properties into constant in DFG AI. The challenge is that DFG AI runs
3117         concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
3118         and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
3119         attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
3120         changed and we can safely use it. We arrange our existing code to use this protocol.
3121
3122         Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled on the x86 architecture
3123         since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only on x86.
3124
3125         This patch improves SixSpeed/template_string_tag.es6.
3126
3127                                           baseline                  patched
3128
3129         template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster
3130
3131         * dfg/DFGAbstractInterpreterInlines.h:
3132         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3133         * runtime/JSArray.cpp:
3134         (JSC::JSArray::setLengthWithArrayStorage):
3135         * runtime/JSObject.cpp:
3136         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
3137         (JSC::JSObject::deletePropertyByIndex):
3138         (JSC::JSObject::getOwnPropertyNames):
3139         (JSC::putIndexedDescriptor):
3140         (JSC::JSObject::defineOwnIndexedProperty):
3141         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
3142         (JSC::JSObject::putIndexedDescriptor): Deleted.
3143         * runtime/JSObject.h:
3144         * runtime/SparseArrayValueMap.cpp:
3145         (JSC::SparseArrayValueMap::SparseArrayValueMap):
3146         (JSC::SparseArrayValueMap::add):
3147         (JSC::SparseArrayValueMap::putDirect):
3148         (JSC::SparseArrayValueMap::getConcurrently):
3149         (JSC::SparseArrayEntry::get const):
3150         (JSC::SparseArrayEntry::getConcurrently const):
3151         (JSC::SparseArrayEntry::put):
3152         (JSC::SparseArrayEntry::getNonSparseMode const):
3153         (JSC::SparseArrayValueMap::visitChildren):
3154         (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
3155         * runtime/SparseArrayValueMap.h:
3156         (JSC::SparseArrayEntry::SparseArrayEntry):
3157         (JSC::SparseArrayEntry::attributes const):
3158         (JSC::SparseArrayEntry::forceSet):
3159         (JSC::SparseArrayEntry::asValue):
3160
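        The value-then-attributes publication protocol described in the entry above, as an added example that is not JSC's or WTF's code: std::atomic_thread_fence stands in for WTF::storeStoreFence / WTF::loadLoadFence, an integer stands in for the JSValue, and the attribute bit values are constructed for the example.

```cpp
#include <atomic>
#include <cstdint>

// Attribute bits, constructed for this example; JSC's real constants live in its runtime headers.
constexpr unsigned DontDelete = 1u << 0;
constexpr unsigned ReadOnly = 1u << 1;
constexpr unsigned Frozen = DontDelete | ReadOnly;

// Assumed stand-ins for WTF::storeStoreFence / WTF::loadLoadFence (not WTF itself).
// On x86 (TSO) plain stores and loads already keep this order, which is why the patch above
// only enables the folding there; explicit fences keep the protocol correct on weaker models too.
inline void storeStoreFence() { std::atomic_thread_fence(std::memory_order_release); }
inline void loadLoadFence() { std::atomic_thread_fence(std::memory_order_acquire); }

struct ConcurrentRead {
    bool valid;          // true only if the value may be folded to a constant
    std::int64_t value;  // meaningful only when valid
};

// One sparse array entry; an integer stands in for the stored JSValue.
class Entry {
public:
    // Mutator side: publish the value first, fence, then the attributes.
    // Returns false if the entry is already frozen, since a DontDelete | ReadOnly
    // property cannot be redefined to a different value.
    bool put(std::int64_t newValue, unsigned newAttributes) {
        if ((m_attributes.load(std::memory_order_relaxed) & Frozen) == Frozen)
            return false;
        m_value.store(newValue, std::memory_order_relaxed);
        storeStoreFence();
        m_attributes.store(newAttributes, std::memory_order_relaxed);
        return true;
    }

    // Compiler-thread side: load attributes first, fence, then the value. Only when the
    // attributes say the property can never change is the value read after them guaranteed
    // to be the one that was published together with those attributes.
    ConcurrentRead getConcurrently() const {
        unsigned attributes = m_attributes.load(std::memory_order_relaxed);
        loadLoadFence();
        if ((attributes & Frozen) != Frozen)
            return { false, 0 };
        return { true, m_value.load(std::memory_order_relaxed) };
    }

private:
    std::atomic<std::int64_t> m_value { 0 };
    std::atomic<unsigned> m_attributes { 0 };
};

// Scenario mirroring a tagged-template call site: a writable element must not be folded,
// the same element frozen as DontDelete | ReadOnly may be, and a frozen entry rejects writes.
bool foldableOnlyAfterFreeze() {
    Entry e;
    e.put(42, 0);                       // ordinary writable element
    ConcurrentRead first = e.getConcurrently();
    e.put(42, Frozen);                  // freeze it, keeping the same value
    ConcurrentRead second = e.getConcurrently();
    bool rejected = !e.put(7, Frozen);  // a frozen entry must not change
    return !first.valid && second.valid && second.value == 42 && rejected;
}
```
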
3161 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
3162
3163         We should support CreateThis in the FTL
3164         https://bugs.webkit.org/show_bug.cgi?id=164904
3165
3166         Reviewed by Yusuke Suzuki.
3167         
3168         This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
3169         inference adventure.
3170         
3171         CreateThis in the FTL was a massive regression in raytrace because it disturbed that
3172         benchmark's extremely perverse way of winning at type inference:
3173         
3174         - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
3175           the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
3176           benchmark was falling back to other mechanisms...
3177         
3178         - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
3179           see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
3180           GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
3181           that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
3182           The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
3183           is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
3184           
3185           Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
3186           into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
3187           baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
3188           helper because it had a CreateThis.
3189         
3190         - Compilations that inlined the construction helper would have gotten super lucky with
3191           parse-time constant folding, so they knew what structure the input to the get_by_id would
3192           have at parse time. This is only profitable if the get_by_id parsing computed a
3193           GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
3194           the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
3195           cases, we would indeed get a finite number of cases. The parser would then prune those
3196           cases to just one - based on its knowledge of the structure - and that would result in that
3197           get_by_id being folded at parse time to a constant.
3198         
3199         - The subsequent op_call would inline based on parse-time knowledge of that constant.
3200         
3201         This patch comprehensively fixes these issues, as well as other issues that come up along the
3202         way. The short version is that raytrace was revealing sloppiness in our use of profiling for
3203         type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
3204         i.e. the profiling that considers call context. I was encouraged to do this by the fact that
3205         even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
3206         Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
3207         attack raytrace's problem as a shortcoming of polyvariant profiling.
3208         
3209         - Polyvariant profiling now consults every DFG or FTL code block that participated in any
3210           subset of the inline stack that includes the IC we're profiling. For example, if we have
3211           an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
3212           compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
3213           up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
3214           a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
3215           polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
3216           from polyvariant profiling. Previously, the polyvariant profiler would only look at the
3217           previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
3218           had inlined bar and then baz. It may not have done that, because those calls could have
3219           required polyvariant profiling that was only available in the FTL.
3220           
3221         - A particularly interesting case is when some IC in foo-baseline is also available in
3222           foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
3223           In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
3224           the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
3225           find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
3226           merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
3227           because it warns us of historical polymorphism. Historical polymorphism usually means
3228           future polymorphism. IC status code already had some merging functionality, but I needed to
3229           beef it up a lot to make this work right.
3230         
3231         - Inlining an inline cache now preserves as much information as profiling. One challenge of
3232           polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
3233           inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
3234           (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
3235           say "I don't have such an IC". At this point the DFG compilation that included that IC that
3236           gave us the information that we used to inline the IC is no longer alive. To keep us from
3237           losing the information we learned about the IC, there is now a RecordedStatuses data
3238           structure that preserves the statuses we use for inlining ICs. We also filter those
3239           statuses according to things we learn from AI. This further reduces the risk of information
3240           about an IC being forgotten.
3241         
3242         - Exit profiling now considers whether or not an exit happened from inline code. This
3243           protects us in the case where the not-inlined version of an IC exited a lot because of
3244           polymorphism that doesn't exist in the inlined version. So, when using polyvariant
3245           profiling data, we consider only inlined exits.
3246         
3247         - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
3248           would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
3249           surprising that we've had this bug.
3250         
3251         Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
3252         microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
3253         Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
3254         prototype access folding in the bytecode parser and constant folder. That would require some
3255         significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
3256         have a test that captures raytrace's behavior in the case that the parser cannot fold the
3257         get_by_id.
3258         
3259         This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
3260         recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
3261         compile time regression anytime we fill in FTL coverage.
3262         
3263         This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
3264         speeds up and that raytrace slows down, but these changes balance out and don't affect the
3265         overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
3266         or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
3267         0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
3268         see a significant difference. In all three cases the difference is <0.5% with a high p value,
3269         with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
3270         an insignificant infinitesimal slow-down.
3271         
3272         Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
3273         eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
3274         flow in a polymorphic constructor while having a bad time, and we'll still compile it.
3275
3276         * CMakeLists.txt:
3277         * JavaScriptCore.xcodeproj/project.pbxproj:
3278         * Sources.txt:
3279         * bytecode/ByValInfo.h:
3280         * bytecode/BytecodeDumper.cpp:
3281         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
3282         (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
3283         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
3284         (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
3285         (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
3286         (JSC::BytecodeDumper<Block>::printCallOp):
3287         (JSC::BytecodeDumper<Block>::dumpBytecode):
3288         (JSC::BytecodeDumper<Block>::dumpBlock):
3289         * bytecode/BytecodeDumper.h:
3290         * bytecode/CallLinkInfo.h:
3291         * bytecode/CallLinkStatus.cpp:
3292         (JSC::CallLinkStatus::computeFor):
3293         (JSC::CallLinkStatus::computeExitSiteData):
3294         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3295         (JSC::CallLinkStatus::accountForExits):
3296         (JSC::CallLinkStatus::finalize):
3297         (JSC::CallLinkStatus::filter):
3298         (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
3299         * bytecode/CallLinkStatus.h:
3300         (JSC::CallLinkStatus::operator bool const):
3301         (JSC::CallLinkStatus::operator! const): Deleted.
3302         * bytecode/CallVariant.cpp:
3303         (JSC::CallVariant::finalize):
3304         (JSC::CallVariant::filter):
3305         * bytecode/CallVariant.h:
3306         (JSC::CallVariant::operator bool const):
3307         (JSC::CallVariant::operator! const): Deleted.
3308         * bytecode/CodeBlock.cpp:
3309         (JSC::CodeBlock::dumpBytecode):
3310         (JSC::CodeBlock::propagateTransitions):
3311         (JSC::CodeBlock::finalizeUnconditionally):
3312         (JSC::CodeBlock::getICStatusMap):
3313         (JSC::CodeBlock::resetJITData):
3314         (JSC::CodeBlock::getStubInfoMap): Deleted.
3315         (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
3316         (JSC::CodeBlock::getByValInfoMap): Deleted.
3317         * bytecode/CodeBlock.h:
3318         * bytecode/CodeOrigin.cpp:
3319         (JSC::CodeOrigin::isApproximatelyEqualTo const):
3320         (JSC::CodeOrigin::approximateHash const):
3321         * bytecode/CodeOrigin.h:
3322         (JSC::CodeOrigin::exitingInlineKind const):
3323         * bytecode/DFGExitProfile.cpp:
3324         (JSC::DFG::FrequentExitSite::dump const):
3325         (JSC::DFG::ExitProfile::add):
3326         * bytecode/DFGExitProfile.h:
3327         (JSC::DFG::FrequentExitSite::FrequentExitSite):
3328         (JSC::DFG::FrequentExitSite::operator== const):
3329         (JSC::DFG::FrequentExitSite::subsumes const):
3330         (JSC::DFG::FrequentExitSite::hash const):
3331         (JSC::DFG::FrequentExitSite::inlineKind const):
3332         (JSC::DFG::FrequentExitSite::withInlineKind const):
3333         (JSC::DFG::QueryableExitProfile::hasExitSite const):
3334         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
3335         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
3336         * bytecode/ExitFlag.cpp: Added.
3337         (JSC::ExitFlag::dump const):
3338         * bytecode/ExitFlag.h: Added.
3339         (JSC::ExitFlag::ExitFlag):
3340         (JSC::ExitFlag::operator| const):
3341         (JSC::ExitFlag::operator|=):
3342         (JSC::ExitFlag::operator& const):
3343         (JSC::ExitFlag::operator&=):
3344         (JSC::ExitFlag::operator bool const):
3345         (JSC::ExitFlag::isSet const):
3346         * bytecode/ExitingInlineKind.cpp: Added.
3347         (WTF::printInternal):
3348         * bytecode/ExitingInlineKind.h: Added.
3349         * bytecode/GetByIdStatus.cpp:
3350         (JSC::GetByIdStatus::computeFor):
3351         (JSC::GetByIdStatus::computeForStubInfo):
3352         (JSC::GetByIdStatus::slowVersion const):
3353         (JSC::GetByIdStatus::markIfCheap):
3354         (JSC::GetByIdStatus::finalize):
3355         (JSC::GetByIdStatus::hasExitSite): Deleted.
3356         * bytecode/GetByIdStatus.h:
3357         * bytecode/GetByIdVariant.cpp:
3358         (JSC::GetByIdVariant::markIfCheap):
3359         (JSC::GetByIdVariant::finalize):
3360         * bytecode/GetByIdVariant.h:
3361         * bytecode/ICStatusMap.cpp: Added.
3362         (JSC::ICStatusContext::get const):
3363         (JSC::ICStatusContext::isInlined const):
3364         (JSC::ICStatusContext::inlineKind const):
3365         * bytecode/ICStatusMap.h: Added.
3366         * bytecode/ICStatusUtils.cpp: Added.
3367         (JSC::hasBadCacheExitSite):
3368         * bytecode/ICStatusUtils.h:
3369         * bytecode/InstanceOfStatus.cpp:
3370         (JSC::InstanceOfStatus::computeFor):
3371         * bytecode/InstanceOfStatus.h:
3372         * bytecode/PolyProtoAccessChain.h:
3373         * bytecode/PutByIdStatus.cpp:
3374         (JSC::PutByIdStatus::hasExitSite):
3375         (JSC::PutByIdStatus::computeFor):
3376         (JSC::PutByIdStatus::slowVersion const):
3377         (JSC::PutByIdStatus::markIfCheap):
3378         (JSC::PutByIdStatus::finalize):
3379         (JSC::PutByIdStatus::filter):
3380         * bytecode/PutByIdStatus.h:
3381         * bytecode/PutByIdVariant.cpp:
3382         (JSC::PutByIdVariant::markIfCheap):
3383         (JSC::PutByIdVariant::finalize):
3384         * bytecode/PutByIdVariant.h:
3385         (JSC::PutByIdVariant::structureSet const):
3386         * bytecode/RecordedStatuses.cpp: Added.
3387         (JSC::RecordedStatuses::operator=):
3388         (JSC::RecordedStatuses::RecordedStatuses):
3389         (JSC::RecordedStatuses::addCallLinkStatus):
3390         (JSC::RecordedStatuses::addGetByIdStatus):
3391         (JSC::RecordedStatuses::addPutByIdStatus):
3392         (JSC::RecordedStatuses::markIfCheap):
3393         (JSC::RecordedStatuses::finalizeWithoutDeleting):
3394         (JSC::RecordedStatuses::finalize):
3395         (JSC::RecordedStatuses::shrinkToFit):
3396         * bytecode/RecordedStatuses.h: Added.
3397         (JSC::RecordedStatuses::RecordedStatuses):
3398         (JSC::RecordedStatuses::forEachVector):
3399         * bytecode/StructureSet.cpp:
3400         (JSC::StructureSet::markIfCheap const):
3401         (JSC::StructureSet::isStillAlive const):
3402         * bytecode/StructureSet.h:
3403         * bytecode/TerminatedCodeOrigin.h: Added.
3404         (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
3405         (JSC::TerminatedCodeOriginHashTranslator::hash):
3406         (JSC::TerminatedCodeOriginHashTranslator::equal):
3407         * bytecode/Watchpoint.cpp:
3408         (WTF::printInternal):
3409         * bytecode/Watchpoint.h:
3410         * dfg/DFGAbstractInterpreter.h:
3411         * dfg/DFGAbstractInterpreterInlines.h:
3412         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3413         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
3414         * dfg/DFGByteCodeParser.cpp:
3415         (JSC::DFG::ByteCodeParser::handleCall):
3416         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3417         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3418         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
3419         (JSC::DFG::ByteCodeParser::handleGetById):
3420         (JSC::DFG::ByteCodeParser::handlePutById):
3421         (JSC::DFG::ByteCodeParser::parseBlock):
3422         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3423         (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
3424         (JSC::DFG::ByteCodeParser::parse):
3425         * dfg/DFGClobberize.h:
3426         (JSC::DFG::clobberize):
3427         * dfg/DFGClobbersExitState.cpp:
3428         (JSC::DFG::clobbersExitState):
3429         * dfg/DFGCommonData.h:
3430         * dfg/DFGConstantFoldingPhase.cpp:
3431         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3432         * dfg/DFGDesiredWatchpoints.h:
3433         (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
3434         * dfg/DFGDoesGC.cpp:
3435         (JSC::DFG::doesGC):
3436         * dfg/DFGFixupPhase.cpp:
3437         (JSC::DFG::FixupPhase::fixupNode):
3438         * dfg/DFGGraph.cpp:
3439         (JSC::DFG::Graph::dump):
3440         * dfg/DFGMayExit.cpp:
3441         * dfg/DFGNode.h:
3442         (JSC::DFG::Node::hasCallLinkStatus):
3443         (JSC::DFG::Node::callLinkStatus):
3444         (JSC::DFG::Node::hasGetByIdStatus):
3445         (JSC::DFG::Node::getByIdStatus):
3446         (JSC::DFG::Node::hasPutByIdStatus):
3447         (JSC::DFG::Node::putByIdStatus):
3448         * dfg/DFGNodeType.h:
3449         * dfg/DFGOSRExitBase.cpp:
3450         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
3451         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3452         * dfg/DFGPlan.cpp:
3453         (JSC::DFG::Plan::reallyAdd):
3454         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
3455         (JSC::DFG::Plan::finalizeInGC):
3456         * dfg/DFGPlan.h:
3457         * dfg/DFGPredictionPropagationPhase.cpp:
3458         * dfg/DFGSafeToExecute.h:
3459         (JSC::DFG::safeToExecute):
3460         * dfg/DFGSpeculativeJIT32_64.cpp:
3461         (JSC::DFG::SpeculativeJIT::compile):
3462         * dfg/DFGSpeculativeJIT64.cpp:
3463         (JSC::DFG::SpeculativeJIT::compile):
3464         * dfg/DFGStrengthReductionPhase.cpp:
3465         (JSC::DFG::StrengthReductionPhase::handleNode):
3466         * dfg/DFGWorklist.cpp:
3467         (JSC::DFG::Worklist::removeDeadPlans):
3468         * ftl/FTLAbstractHeapRepository.h:
3469         * ftl/FTLCapabilities.cpp:
3470         (JSC::FTL::canCompile):
3471         * ftl/FTLLowerDFGToB3.cpp:
3472         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3473         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
3474         (JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus):
3475         * jit/PolymorphicCallStubRoutine.cpp:
3476         (JSC::PolymorphicCallStubRoutine::hasEdges const):
3477         (JSC::PolymorphicCallStubRoutine::edges const):
3478         * jit/PolymorphicCallStubRoutine.h:
3479         * profiler/ProfilerBytecodeSequence.cpp:
3480         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
3481         * runtime/FunctionRareData.cpp:
3482         (JSC::FunctionRareData::initializeObjectAllocationProfile):
3483         * runtime/Options.h:
3484
3485 2018-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3486
3487         [JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function
3488         https://bugs.webkit.org/show_bug.cgi?id=187472
3489
3490         Reviewed by Mark Lam.
3491
3492         std::function allocates memory from standard malloc instead of bmalloc. Instead of
3493         using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}.
3494
3495         This patch attempts to replace std::function with the above WTF function types.
        If the function's lifetime can be the same as the stack's, we can use ScopedLambda, which
        is really efficient. Otherwise, we should use WTF::Function.
        For recurring use cases, we can use RecursableLambda.
3499
3500         * assembler/MacroAssembler.cpp:
3501         (JSC::stdFunctionCallback):
3502         (JSC::MacroAssembler::probe):
3503         * assembler/MacroAssembler.h:
3504         * b3/air/AirDisassembler.cpp:
3505         (JSC::B3::Air::Disassembler::dump):
3506         * b3/air/AirDisassembler.h:
3507         * bytecompiler/BytecodeGenerator.cpp:
3508         (JSC::BytecodeGenerator::BytecodeGenerator):
3509         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
3510         (JSC::BytecodeGenerator::emitEnumeration):
3511         * bytecompiler/BytecodeGenerator.h:
3512         * bytecompiler/NodesCodegen.cpp:
3513         (JSC::ArrayNode::emitBytecode):
3514         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3515         (JSC::ForOfNode::emitBytecode):
3516         * dfg/DFGSpeculativeJIT.cpp:
3517         (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
3518         (JSC::DFG::SpeculativeJIT::compileMathIC):
3519         * dfg/DFGSpeculativeJIT.h:
3520         * dfg/DFGSpeculativeJIT64.cpp:
3521         (JSC::DFG::SpeculativeJIT::compile):
3522         * dfg/DFGValidate.cpp:
3523         * ftl/FTLCompile.cpp:
3524         (JSC::FTL::compile):
3525         * heap/HeapSnapshotBuilder.cpp:
3526         (JSC::HeapSnapshotBuilder::json):
3527         * heap/HeapSnapshotBuilder.h:
3528         * interpreter/StackVisitor.cpp:
3529         (JSC::StackVisitor::Frame::dump const):
3530         * interpreter/StackVisitor.h:
3531         * runtime/PromiseDeferredTimer.h:
3532         * runtime/VM.cpp:
3533         (JSC::VM::whenIdle):
3534         (JSC::enableProfilerWithRespectToCount):
3535         (JSC::disableProfilerWithRespectToCount):
3536         * runtime/VM.h:
3537         * runtime/VMEntryScope.cpp:
3538         (JSC::VMEntryScope::addDidPopListener):
3539         * runtime/VMEntryScope.h:
3540         * tools/HeapVerifier.cpp:
3541         (JSC::HeapVerifier::verifyCellList):
3542         (JSC::HeapVerifier::validateCell):
3543         (JSC::HeapVerifier::validateJSCell):
3544         * tools/HeapVerifier.h:
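
        The pattern this entry describes, as an added example that is not WebKit's code: a two-word,
        non-owning callable reference in the spirit of WTF::ScopedLambda (it never copies or heap-allocates
        the lambda's captures, and binds only to lvalues so a temporary cannot dangle), plus a self-passing
        wrapper in the spirit of WTF::RecursableLambda. The names ScopedLambdaRef, Recursable, recursable,
        sumMatching, sumOfEvens, sumAbove and factorial are this example's own assumptions, not WTF's API.

```cpp
// Added example, not WebKit's code: a non-allocating callable reference (ScopedLambdaRef) and a
// self-passing recursion wrapper (Recursable), in the spirit of WTF::ScopedLambda / RecursableLambda.
// All names below are this example's own.
#include <cstdint>
#include <cstdio>
#include <type_traits>
#include <utility>
#include <vector>

template<typename Signature> class ScopedLambdaRef;

// Stores a pointer to the caller's callable plus a trampoline: two words, no heap, no copy of captures.
// The constructor takes an lvalue on purpose: a temporary lambda would dangle once the full expression
// ended, so `ScopedLambdaRef<int(int)> r = [](int x) { return x; };` is rejected at compile time.
template<typename R, typename... Args>
class ScopedLambdaRef<R(Args...)> {
public:
    template<typename F,
        typename = std::enable_if_t<!std::is_same<std::decay_t<F>, ScopedLambdaRef>::value>>
    ScopedLambdaRef(F& callable)
        : m_object(const_cast<void*>(static_cast<const void*>(&callable)))
        , m_trampoline(&invoke<F>)
    {
    }

    R operator()(Args... args) const
    {
        return m_trampoline(m_object, std::forward<Args>(args)...);
    }

private:
    template<typename F>
    static R invoke(void* object, Args... args)
    {
        return (*static_cast<F*>(object))(std::forward<Args>(args)...);
    }

    void* m_object;
    R (*m_trampoline)(void*, Args...);
};

static_assert(sizeof(ScopedLambdaRef<int(int)>) == 2 * sizeof(void*),
    "ScopedLambdaRef stays two words no matter what the lambda captures");

// A callee that only needs the callable for the duration of the call takes it by ScopedLambdaRef.
static int sumMatching(const std::vector<int>& values, ScopedLambdaRef<bool(int)> predicate)
{
    int sum = 0;
    for (int value : values) {
        if (predicate(value))
            sum += value;
    }
    return sum;
}

static int sumOfEvens(const std::vector<int>& values)
{
    auto isEven = [](int value) { return value % 2 == 0; };
    return sumMatching(values, isEven);
}

static int sumAbove(const std::vector<int>& values, int threshold)
{
    // The lambda lives on this frame for the whole call, so handing out a pointer to it is sound.
    auto aboveThreshold = [&threshold](int value) { return value > threshold; };
    return sumMatching(values, aboveThreshold);
}

// The wrapper passes itself as the lambda's first argument, so a lambda can recurse without
// std::function and without naming its own type.
template<typename F>
class Recursable {
public:
    explicit Recursable(F function) : m_function(std::move(function)) { }

    template<typename... Args>
    decltype(auto) operator()(Args&&... args) const
    {
        return m_function(*this, std::forward<Args>(args)...);
    }

private:
    F m_function;
};

template<typename F>
Recursable<std::decay_t<F>> recursable(F&& function)
{
    return Recursable<std::decay_t<F>>(std::forward<F>(function));
}

static uint64_t factorial(unsigned n)
{
    // The explicit return type on the lambda is what lets `self(...)` be called before the body is complete.
    auto compute = recursable([](auto& self, unsigned k) -> uint64_t {
        return k <= 1 ? 1 : static_cast<uint64_t>(k) * self(k - 1);
    });
    return compute(n);
}

int main()
{
    std::vector<int> values { 1, 2, 3, 4, 5, 6 };
    std::printf("sum of evens: %d\n", sumOfEvens(values));
    std::printf("sum above 3: %d\n", sumAbove(values, 3));
    std::printf("10!: %llu\n", static_cast<unsigned long long>(factorial(10)));
    return 0;
}
```

        The static_assert is the check worth keeping: a ScopedLambdaRef is two pointers however large the
        captured state is, whereas a std::function owns a copy of the callable and has to allocate once the
        captures outgrow its small buffer. The lvalue-only constructor is what makes holding a bare pointer
        safe: the callable is guaranteed to sit on the caller's stack for the whole call.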
3545
3546 2018-07-20  Michael Saboff  <msaboff@apple.com>
3547
3548         DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
3549         https://bugs.webkit.org/show_bug.cgi?id=187827
3550         rdar://problem/42146858
3551
3552         Reviewed by Saam Barati.
3553
        When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
        that they can be either NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
        We can't end up with other shapes (Int32, Double, etc.) because GenericArguments sets
        InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero, which will cause us to go down a
        putByIndex() path that doesn't change the shape.
3559
3560         * dfg/DFGArrayMode.h:
3561         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
3562
3563 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3564
3565         [DFG] Fold GetByVal if Array is CoW
3566         https://bugs.webkit.org/show_bug.cgi?id=186459
3567
3568         Reviewed by Saam Barati.
3569
        The CoW indexing type means that we now track changes to a CoW Array by structure. So the DFG has a chance to
        fold GetByVal if the given array is CoW. This patch folds GetByVal on the CoW Array. If the structure
        is watched and the butterfly is a JSImmutableButterfly, we can load the value from this butterfly.
3573
        This can be useful since these CoW arrays are used as storage for constants. Constant-indexed access
        to these constant arrays can be folded into an actual constant by this patch.
3576
3577                                            baseline                  patched
3578
3579         template_string.es6          4993.9853+-147.5308   ^    824.1685+-44.1839       ^ definitely 6.0594x faster
3580         template_string_tag.es5        67.0822+-2.0100     ^      9.3540+-0.5376        ^ definitely 7.1715x faster
3581
3582         * dfg/DFGAbstractInterpreterInlines.h:
3583         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3584
3585 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3586
3587         [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
3588         https://bugs.webkit.org/show_bug.cgi?id=186602
3589
3590         Reviewed by Saam Barati.
3591
        JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
        change parts of the butterfly such as the length. We prove that our procedure is safe, and
        drop the cellLock() here.
3595
3596         * runtime/JSObject.cpp:
3597         (JSC::JSObject::convertContiguousToArrayStorage):
3598
3599 2018-07-20  Saam Barati  <sbarati@apple.com>
3600
3601         CompareEq should be using KnownOtherUse instead of OtherUse
3602         https://bugs.webkit.org/show_bug.cgi?id=186814
3603         <rdar://problem/39720030>
3604
3605         Reviewed by Filip Pizlo.
3606
3607         CompareEq in fixup phase was doing this:
3608         insertCheck(child, OtherUse)
3609         setUseKind(child, OtherUse)
3610         And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
3611         lead to edge verification crashing because a phase may optimize the check out
3612         by removing the node. However, AI may not be privy to that optimization, and
3613         AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
3614         backend to actually emit a check here, but it does not.
3615         
3616         This exact pattern is why we have KnownXYZ use kinds. This patch introduces
3617         KnownOtherUse and changes the above pattern to be:
3618         insertCheck(child, OtherUse)
3619         setUseKind(child, KnownOtherUse)
3620
3621         * dfg/DFGFixupPhase.cpp:
3622         (JSC::DFG::FixupPhase::fixupNode):
3623         * dfg/DFGSafeToExecute.h:
3624         (JSC::DFG::SafeToExecuteEdge::operator()):
3625         * dfg/DFGSpeculativeJIT.cpp:
3626         (JSC::DFG::SpeculativeJIT::speculate):
3627         * dfg/DFGUseKind.cpp:
3628         (WTF::printInternal):
3629         * dfg/DFGUseKind.h:
3630         (JSC::DFG::typeFilterFor):
3631         (JSC::DFG::shouldNotHaveTypeCheck):
3632         (JSC::DFG::checkMayCrashIfInputIsEmpty):
3633         * dfg/DFGWatchpointCollectionPhase.cpp:
3634         (JSC::DFG::WatchpointCollectionPhase::handle):
3635         * ftl/FTLCapabilities.cpp:
3636         (JSC::FTL::canCompile):
3637         * ftl/FTLLowerDFGToB3.cpp:
3638         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
3639         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3640
3641 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3642
3643         [JSC] A bit performance improvement for Object.assign by cleaning up code
3644         https://bugs.webkit.org/show_bug.cgi?id=187852
3645
3646         Reviewed by Saam Barati.
3647
3648         We clean up Object.assign code a bit.
3649
3650         1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
        2. canDoFastPath is not necessary. Restructure the code to clean things up.
3652
3653         It improves the performance a bit.
3654
3655                                     baseline                  patched
3656
3657         object-assign.es6      237.7719+-5.5175          231.2856+-4.6907          might be 1.0280x faster
3658
3659         * runtime/ObjectConstructor.cpp:
3660         (JSC::objectConstructorAssign):
3661
3662 2018-07-19  Carlos Garcia Campos  <cgarcia@igalia.com>
3663
3664         [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
3665         https://bugs.webkit.org/show_bug.cgi?id=187798
3666
3667         Reviewed by Michael Catanzaro.
3668
        Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
        jsc_value_new_object() because indeed we are creating a new object. This makes the destroy function and vtable
        functions work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
        patch adds JSAPIWrapperGlobalObject for that.
3673
3674         * API/glib/JSAPIWrapperGlobalObject.cpp: Added.
3675         (jsAPIWrapperGlobalObjectHandleOwner):
3676         (JSAPIWrapperGlobalObjectHandleOwner::finalize):
3677         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
3678         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
3679         (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
3680         (JSC::JSAPIWrapperGlobalObject::finishCreation):
3681         (JSC::JSAPIWrapperGlobalObject::visitChildren):
3682         * API/glib/JSAPIWrapperGlobalObject.h: Added.
3683         (JSC::JSAPIWrapperGlobalObject::wrappedObject const):
3684         (JSC::JSAPIWrapperGlobalObject::setWrappedObject):
3685         * API/glib/JSCClass.cpp:
3686         (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
3687         (wrappedObjectClass): Return the class of a wrapped object.
3688         (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
3689         scope extension global object is used instead.
3690         (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
3691         (setProperty): Ditto.
3692         (hasProperty): Ditto.
3693         (deleteProperty): Ditto.
3694         (getPropertyNames): Ditto.
3695         (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
3696         * API/glib/JSCClassPrivate.h:
3697         * API/glib/JSCContext.cpp:
3698         (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
3699         (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
3700         * API/glib/JSCContext.h:
3701         * API/glib/JSCContextPrivate.h:
3702         * API/glib/JSCWrapperMap.cpp:
3703         (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
3704         when a JSCClass is used to create the JSAPIWrapperGlobalObject.
3705         (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
3706         * API/glib/JSCWrapperMap.h:
3707         * GLib.cmake:
3708
3709 2018-07-19  Saam Barati  <sbarati@apple.com>
3710
3711         Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
3712         https://bugs.webkit.org/show_bug.cgi?id=187836
3713         <rdar://problem/42409527>
3714
3715         Reviewed by Mark Lam.
3716
3717         We have crash reports that we're crashing on source->getDirect in Object.assign's
3718         fast path. Mark investigated this and determined we end up with a nullptr for
3719         butterfly. This is curious, because source's Structure indicated that it has
3720         out of line properties. My leading hypothesis for this at the moment is a bit
3721         handwavy, but it's essentially:
3722         - We end up firing a watchpoint when assigning to the target (this can happen
3723         if a watchpoint was set up for storing to that particular field)
        - When we fire that watchpoint, we end up doing some kind of work on the source,
3725         perhaps causing it to flattenDictionaryStructure. Therefore, we end up
3726         mutating source.
3727         
3728         I'm not super convinced this is what we're running into, but just by reading
3729         the code, I think it needs to be something similar to this. Seeing if this change
3730         fixes the crasher will give us good data to determine if something like this is
3731         happening or if the bug is something else entirely.
3732
3733         * runtime/ObjectConstructor.cpp:
3734         (JSC::objectConstructorAssign):
3735
3736 2018-07-19  Commit Queue  <commit-queue@webkit.org>
3737
3738         Unreviewed, rolling out r233998.
3739         https://bugs.webkit.org/show_bug.cgi?id=187815
3740
3741         Not needed. (Requested by mlam|a on #webkit).
3742
3743         Reverted changeset:
3744
3745         "Temporarily mitigate a bug where a source provider is null
3746         when it shouldn't be."
3747         https://bugs.webkit.org/show_bug.cgi?id=187812
3748         https://trac.webkit.org/changeset/233998
3749
3750 2018-07-19  Mark Lam  <mark.lam@apple.com>
3751
3752         Temporarily mitigate a bug where a source provider is null when it shouldn't be.
3753         https://bugs.webkit.org/show_bug.cgi?id=187812
3754         <rdar://problem/41192691>
3755
3756         Reviewed by Michael Saboff.
3757
3758         Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.
3759
3760         * runtime/Error.cpp:
3761         (JSC::addErrorInfo):
3762
3763 2018-07-19  Keith Rollin  <krollin@apple.com>
3764
3765         Adjust WEBCORE_EXPORT annotations for LTO
3766         https://bugs.webkit.org/show_bug.cgi?id=187781
3767         <rdar://problem/42351124>
3768
3769         Reviewed by Alex Christensen.
3770
3771         Continuation of Bug 186944. This bug addresses issues not caught
3772         during the first pass of adjustments. The initial work focussed on
3773         macOS; this one addresses issues found when building for iOS. From
3774         186944:
3775
3776         Adjust a number of places that result in WebKit's
3777         'check-for-weak-vtables-and-externals' script reporting weak external
3778         symbols:
3779
3780             ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
3781             ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
3782             ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
3783             ...
3784
3785         These cases are caused by inline methods being marked with WTF_EXPORT
3786         (or related macro) or with an inline function being in a class marked
3787         as such, and when enabling LTO builds.
3788
3789         For the most part, address these by removing the WEBCORE_EXPORT
3790         annotation from inline methods. In some cases, move the implementation
3791         out-of-line because it's the class that has the WEBCORE_EXPORT on it
3792         and removing the annotation from the class would be too disruptive.
3793         Finally, in other cases, move the implementation out-of-line because
3794         check-for-weak-vtables-and-externals still complains when keeping the
3795         implementation inline and removing the annotation; this seems to
3796         typically (but not always) happen with destructors.
3797
3798         * inspector/remote/RemoteAutomationTarget.cpp:
3799         (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
3800         * inspector/remote/RemoteAutomationTarget.h:
3801         * inspector/remote/RemoteInspector.cpp:
3802         (Inspector::RemoteInspector::Client::~Client):
3803         * inspector/remote/RemoteInspector.h:
3804
3805 2018-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3806
3807         Unreviewed, check scope after performing getPropertySlot in JSON.stringify
3808         https://bugs.webkit.org/show_bug.cgi?id=187807
3809
        Properly put EXCEPTION_ASSERT to tell our exception checker mechanism
        that we know about that exception occurrence and handle it well.
3812
3813         * runtime/JSONObject.cpp:
3814         (JSC::Stringifier::Holder::appendNextProperty):
3815
3816 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3817
3818         [JSC] Reduce size of AST nodes
3819         https://bugs.webkit.org/show_bug.cgi?id=187689
3820
3821         Reviewed by Mark Lam.
3822
3823         We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
3824         of ParserArena at peak state.
3825
        1. Annotate AST nodes with `final` to make them solid. This allows the compiler to
        devirtualize calls to functions which are implemented in a final class.
3828
3829         2. Use default member initializers more.
3830
3831         3. And use `nullptr` instead of `0`.
3832
3833         4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
3834         of classes in multiple inheritance. In particular, StatementNode is decreased from 48
3835         to 40. This decreases the sizes of all the derived Statement nodes.
3836
3837         * parser/NodeConstructors.h:
3838         (JSC::Node::Node):
3839         (JSC::StatementNode::StatementNode):
3840         (JSC::ElementNode::ElementNode):
3841         (JSC::ArrayNode::ArrayNode):
3842         (JSC::PropertyListNode::PropertyListNode):
3843         (JSC::ObjectLiteralNode::ObjectLiteralNode):
3844         (JSC::ArgumentListNode::ArgumentListNode):
3845         (JSC::ArgumentsNode::ArgumentsNode):
3846         (JSC::NewExprNode::NewExprNode):
3847         (JSC::BytecodeIntrinsicNode::Bytec