2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen
        https://bugs.webkit.org/show_bug.cgi?id=201485

        Reviewed by Tadeu Zagallo.

        FunctionOverrides is a per-process singleton for registering overrides information. But we are accessing
        it without taking a lock. If multiple threads with multiple VMs are accessing this concurrently, we have
        a race issue like,

        1. While one thread is adding overrides information,
        2. Another thread is accessing this hash table.

        This patch adds a lock to make sure that only one thread can access this registry.

        * tools/FunctionOverrides.cpp:
        (JSC::FunctionOverrides::FunctionOverrides):
        (JSC::FunctionOverrides::reinstallOverrides):
        (JSC::FunctionOverrides::initializeOverrideFor):
        (JSC::FunctionOverrides::parseOverridesInFile):
        * tools/FunctionOverrides.h:
        (JSC::FunctionOverrides::clear):

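The race the entry above describes (one thread inserting into a process-wide hash table while another thread walks it) is the classic shape of a use-after-free or out-of-bounds read in an unordered map, because an insert may rehash and move every bucket. The following is an added example, not WebKit code: a singleton override registry in the shape the entry describes, with every table access serialized by one lock. The class and method names (OverrideRegistry, addOverride, lookupOverride) and the std::unordered_map/std::mutex stand-ins for WebKit's HashMap/Lock are this example's own assumptions. The stress helper in main() is constructed for illustration.

```cpp
#include <mutex>
#include <optional>
#include <string>
#include <thread>
#include <unordered_map>
#include <vector>

// Added illustration (not WebKit code): a process-wide override registry, shared by
// every VM and thread in the process, with every hash-table access guarded by one lock.
class OverrideRegistry {
public:
    static OverrideRegistry& singleton()
    {
        static OverrideRegistry registry; // one instance per process, like FunctionOverrides
        return registry;
    }

    // Writer: an insert may rehash and move every bucket, so no reader may be inside the table.
    void addOverride(const std::string& functionName, const std::string& replacementSource)
    {
        std::lock_guard<std::mutex> guard(m_lock);
        m_overrides[functionName] = replacementSource;
    }

    // Reader: returns a copy rather than a reference. A reference into the table would be
    // used after the lock is released, when another thread may already be rehashing.
    std::optional<std::string> lookupOverride(const std::string& functionName) const
    {
        std::lock_guard<std::mutex> guard(m_lock);
        auto it = m_overrides.find(functionName);
        if (it == m_overrides.end())
            return std::nullopt;
        return it->second;
    }

    void clear()
    {
        std::lock_guard<std::mutex> guard(m_lock);
        m_overrides.clear();
    }

    size_t size() const
    {
        std::lock_guard<std::mutex> guard(m_lock);
        return m_overrides.size();
    }

private:
    mutable std::mutex m_lock; // mutable so that const readers can still take the lock
    std::unordered_map<std::string, std::string> m_overrides;
};

// Constructed stress helper: several threads add entries and look up entries that a
// neighbouring thread may be inserting at the same moment. Without the lock this is a
// data race; with it, every lookup either misses or returns exactly the stored string.
bool concurrentAccessIsConsistent(int threadCount, int entriesPerThread)
{
    OverrideRegistry& registry = OverrideRegistry::singleton();
    registry.clear();
    std::vector<std::thread> threads;
    std::vector<int> mismatches(threadCount, 0); // one slot per thread, no sharing
    for (int t = 0; t < threadCount; ++t) {
        threads.emplace_back([t, threadCount, entriesPerThread, &registry, &mismatches] {
            for (int i = 0; i < entriesPerThread; ++i) {
                std::string name = "fn" + std::to_string(t) + "_" + std::to_string(i);
                registry.addOverride(name, "source:" + name);
                std::string other = "fn" + std::to_string((t + 1) % threadCount) + "_" + std::to_string(i);
                auto found = registry.lookupOverride(other);
                if (found && *found != "source:" + other)
                    ++mismatches[t];
            }
        });
    }
    for (auto& thread : threads)
        thread.join();
    int total = 0;
    for (int m : mismatches)
        total += m;
    return total == 0 && registry.size() == static_cast<size_t>(threadCount * entriesPerThread);
}

int main()
{
    return concurrentAccessIsConsistent(4, 1000) ? 0 : 1;
}
```

The lock must cover the whole operation, including the find and the copy out of the bucket; taking it only around the insert would leave readers unprotected during a rehash. Returning a copy from lookupOverride is the other half of the fix: handing out a reference into the map would reintroduce the race one line later, after the guard is destroyed.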
2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make Promise implementation faster
        https://bugs.webkit.org/show_bug.cgi?id=200898

        Reviewed by Saam Barati.

        This is the major change of the Promise implementation and it improves JetStream2/async-fs by 62%.

        1. Make JSPromise C++ friendly

            Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise.
            This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these
            fields from C++ easy. Moreover, this patch reduces # of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal
            fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL
            supports. They are similar to GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand
            this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1].

            We also add JSPromiseType as JSType. And structures for JSPromise should have that. So that now `@isPromise` is efficiently implemented.
            This also requires adding SpecPromiseObject and PromiseObjectUse to DFG.

            Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension
            is filed in [2].

        2. Make JSPromise constructor JS friendly

            The old JSPromise constructor was very inefficient: JSPromise constructor is InternalFunction in C++, and in it, it
            calls `initializePromise` JS function. And this `initializePromise` function invokes `executor` function passed by user program.
            If we can implement JSPromise constructor fully in JS, we can recognize `executor` and we have a chance to fully inline them.
            Unfortunately, we cannot inline JSPromise constructor for now since it takes 120 bytecode cost while our inlining threshold for
            construct is 100. We might want to investigate getting it inlined in the future[3].

            We can avoid C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces @nakedConstructor
            annotation to builtin JS. And this is propagated as `ConstructorKind::Naked`. If this kind is attached, the bytecode generator
            does not emit `op_create_this` implicitly and the constructor does not return `this` object implicitly. The naked constructor allows
            us to emit bare-metal bytecode, specifically necessary to allocate non-final JSObject from JS constructor. We introduce op_create_promise,
            which is similar to op_create_this, but it allocates JSPromise. And by using @createPromise bytecode intrinsic, we implement
            JSPromise constructor fully in JS.
            With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4].

        3. DFG supports for JSPromise operations

            This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis,
            and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate
            promises. CreatePromise and NewPromise have `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG.
            When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism
            used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile
            can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable
            in DFG, we connect watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's
            structure is invalidated: `callee.prototype` is replaced.

        4. Avoid creating unnecessary promises

            Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. And some of promise creation can be avoided.
            For example, when resolving a value with `Promise.resolve`, if a value is a promise and if its `then` method is the builtin `then`, we can avoid creating
            intermediate promise. To handle these things well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They
            take `onFulfilled` and `onRejected` handlers and they do not need an intermediate promise for resolving. This removes internal promise allocations
            in major cases and makes promise / async-functions efficient. And we also expose builtin `then` function as `@then`, and insert `@isPromise(xxx) && then === @then`
            check to take a fast path. We introduced four types of promise reactions to avoid some of object allocations. And microtask reaction is handling these four types.

        5. Avoid creating resolving-functions and promise capabilities

            Resolving functions have `alreadyResolved` flag to prevent calling `resolve` and `reject` multiple times. For the first resolving function creation, this
            patch embeds one bit flag to JSPromise itself which indicates `alreadyResolved` in the first created resolving functions (resolving functions can be later
            created again for the same promise. In that case, we just create usual resolving functions). By doing so, we avoid unnecessary resolving functions
            and promise capability allocations. We introduce a wrapper function `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`.
            The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with the calls to these functions, e.g. replacing
            `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`.
            This mechanism will be used to drop JSPromiseDeferred in a separate patch.

        JetStream2/async-fs results.
            ToT:
                Running async-fs:
                    Startup: 116.279
                    Worst Case: 151.515
                    Average: 176.630
                    Score: 145.996
                    Wall time: 0:01.149

            Patched:
                Running async-fs:
                    Startup: 166.667
                    Worst Case: 267.857
                    Average: 299.080
                    Score: 237.235
                    Wall time: 0:00.683

        [1]: https://bugs.webkit.org/show_bug.cgi?id=201159
        [2]: https://bugs.webkit.org/show_bug.cgi?id=201160
        [3]: https://bugs.webkit.org/show_bug.cgi?id=201452
        [4]: https://bugs.webkit.org/show_bug.cgi?id=201158

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/wkbuiltins/builtins_generate_combined_header.py:
        (ConstructAbility):
        (ConstructorKind):
        * Scripts/wkbuiltins/builtins_generate_separate_header.py:
        * Scripts/wkbuiltins/builtins_generator.py:
        (BuiltinsGenerator.generate_embedded_code_data_for_function):
        (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
        * Scripts/wkbuiltins/builtins_model.py:
        (BuiltinFunction.__init__):
        (BuiltinFunction.fromString):
        * Scripts/wkbuiltins/builtins_templates.py:
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (next.try):
        (next):
        (return.try):
        (return):
        (throw.try):
        (throw):
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueIsEmpty):
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (globalPrivate.asyncGeneratorReject):
        (globalPrivate.asyncGeneratorResolve):
        (globalPrivate.asyncGeneratorYield):
        (onRejected):
        (globalPrivate.awaitValue):
        (onFulfilled):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorResumeNext):
        (globalPrivate.asyncGeneratorEnqueue):
        (globalPrivate.asyncGeneratorDequeue): Deleted.
        (const.onRejected): Deleted.
        (const.onFulfilled): Deleted.
        (globalPrivate.asyncGeneratorResumeNext.): Deleted.
        * builtins/BuiltinExecutableCreator.h:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        (JSC::BuiltinExecutables::createExecutable):
        (JSC::createBuiltinExecutable): Deleted.
        * builtins/BuiltinExecutables.h:
        * builtins/BuiltinNames.h:
        * builtins/BuiltinUtils.h:
        * builtins/ModuleLoader.js:
        (forceFulfillPromise):
        * builtins/PromiseConstructor.js:
        (nakedConstructor.Promise.resolve):
        (nakedConstructor.Promise.reject):
        (nakedConstructor.Promise):
        (nakedConstructor.InternalPromise.resolve):
        (nakedConstructor.InternalPromise.reject):
        (nakedConstructor.InternalPromise):
        * builtins/PromiseOperations.js:
        (globalPrivate.newPromiseReaction):
        (globalPrivate.newPromiseCapability):
        (globalPrivate.newHandledRejectedPromise):
        (globalPrivate.triggerPromiseReactions):
        (globalPrivate.resolvePromise):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck):
        (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck):
        (globalPrivate.createResolvingFunctions.resolve):
        (globalPrivate.createResolvingFunctions.reject):
        (globalPrivate.createResolvingFunctions):
        (globalPrivate.promiseReactionJobWithoutPromise):
        (globalPrivate.resolveWithoutPromise):
        (globalPrivate.rejectWithoutPromise):
        (globalPrivate.fulfillWithoutPromise):
        (resolve):
        (reject):
        (globalPrivate.createResolvingFunctionsWithoutPromise):
        (globalPrivate.promiseReactionJob):
        (globalPrivate.promiseResolveThenableJobFast):
        (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
        (globalPrivate.promiseResolveThenableJob):
        (globalPrivate.isPromise): Deleted.
        (globalPrivate.newPromiseCapability.executor): Deleted.
        (globalPrivate.initializePromise): Deleted.
        * builtins/PromisePrototype.js:
        (then):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/Opcode.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromJSType):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitGetPromiseInternalField):
        (JSC::BytecodeGenerator::emitPutPromiseInternalField):
        (JSC::BytecodeGenerator::emitCreatePromise):
        (JSC::BytecodeGenerator::emitNewPromise):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::promiseRegister):
        (JSC::BytecodeGenerator::emitIsPromise):
        (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::promiseInternalFieldIndex):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise):
        (JSC::FunctionNode::emitBytecode):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToNewPromise):
        (JSC::DFG::Node::hasIsInternalPromise):
        (JSC::DFG::Node::isInternalPromise):
        (JSC::DFG::Node::hasInternalFieldIndex):
        (JSC::DFG::Node::internalFieldIndex):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasStructure):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::speculatePromiseObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField):
        (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField):
        (JSC::DFG::SpeculativeJIT::compileCreatePromise):
        (JSC::DFG::SpeculativeJIT::compileNewPromise):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_promise_internal_field):
        (JSC::JIT::emit_op_put_promise_internal_field):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_promise_internal_field):
        (JSC::JIT::emit_op_put_promise_internal_field):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/ConstructAbility.h:
        * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h.
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        (JSC::FunctionRareData::clear):
        * runtime/FunctionRareData.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructureSlow):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSCast.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::enqueueJob):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayProtoValuesFunction const):
        (JSC::JSGlobalObject::promiseProtoThenFunction const):
        (JSC::JSGlobalObject::initializePromiseFunction const): Deleted.
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::createStructure):
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::JSInternalPromiseConstructor::create):
        (JSC::JSInternalPromiseConstructor::createStructure):
        (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
        (JSC::constructPromise): Deleted.
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSInternalPromisePrototype.cpp:
        (JSC::JSInternalPromisePrototype::create):
        * runtime/JSMicrotask.cpp:
        (JSC::createJSMicrotask):
        (JSC::JSMicrotask::run):
        * runtime/JSMicrotask.h:
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::createStructure):
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::visitChildren):
        (JSC::JSPromise::status const):
        (JSC::JSPromise::result const):
        (JSC::JSPromise::isHandled const):
        (JSC::JSPromise::initialize): Deleted.
        * runtime/JSPromise.h:
        (JSC::JSPromise::allocationSize):
        (JSC::JSPromise::offsetOfInternalFields):
        (JSC::JSPromise::offsetOfInternalField):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::create):
        (JSC::JSPromiseConstructor::createStructure):
        (JSC::JSPromiseConstructor::JSPromiseConstructor):
        (JSC::JSPromiseConstructor::finishCreation):
        (JSC::constructPromise): Deleted.
        (JSC::callPromise): Deleted.
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::create):
        (JSC::JSPromisePrototype::finishCreation):
        (JSC::JSPromisePrototype::addOwnInternalSlots):
        * runtime/JSPromisePrototype.h:
        * runtime/JSType.cpp:
        (WTF::printInternal):
        * runtime/JSType.h:

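Points 1 and 5 of the entry above describe two mechanisms that are easy to get subtly wrong: a promise reduced to two internal fields (a packed flags word and a result), and the first pair of resolving functions keeping its `alreadyResolved` state in one bit of that flags word rather than in a separately allocated record, while any later pair for the same promise still needs its own record. The following is an added example, not JavaScriptCore code, that models those two points in plain C++ so the one-shot semantics can be checked in isolation. ModelPromise, the bit positions, the `settle` helper, `LaterResolvingFunctions` and the use of std::string in place of JSValue are this example's own assumptions; a "resolve" here always fulfills, i.e. the value is taken to be a non-thenable.

```cpp
#include <cstdint>
#include <string>

// Added illustration, not JavaScriptCore code: a model of the two-internal-field
// promise layout the ChangeLog describes. Field 0 is a packed flags word (status,
// isHandled, and the alreadyResolved bit of the first resolving-function pair);
// field 1 is the result. Names and bit positions are this example's own.
enum class PromiseStatus : uint32_t { Pending = 0, Fulfilled = 1, Rejected = 2 };

struct ModelPromise {
    static constexpr uint32_t statusMask = 0x3;              // two low bits hold PromiseStatus
    static constexpr uint32_t isHandledFlag = 1u << 2;       // a reaction has been attached
    static constexpr uint32_t alreadyResolvedFlag = 1u << 3; // first resolving-function pair already fired

    uint32_t flags = 0;   // internal field 0
    std::string result;   // internal field 1: fulfillment value or rejection reason

    PromiseStatus status() const { return static_cast<PromiseStatus>(flags & statusMask); }
    bool isHandled() const { return (flags & isHandledFlag) != 0; }
    bool alreadyResolved() const { return (flags & alreadyResolvedFlag) != 0; }
    void markHandled() { flags |= isHandledFlag; }
};

// Settling writes the result and the two status bits, leaving the other flag bits intact.
// The Pending check is the model's defensive guard: a promise settles at most once.
static void settle(ModelPromise& promise, PromiseStatus newStatus, const std::string& value)
{
    if (promise.status() != PromiseStatus::Pending)
        return;
    promise.result = value;
    promise.flags = (promise.flags & ~ModelPromise::statusMask) | static_cast<uint32_t>(newStatus);
}

void fulfillPromise(ModelPromise& promise, const std::string& value) { settle(promise, PromiseStatus::Fulfilled, value); }
void rejectPromise(ModelPromise& promise, const std::string& reason) { settle(promise, PromiseStatus::Rejected, reason); }

// The wrapper pair the ChangeLog names: the first resolve/reject pair for a promise keeps
// its "already called" state in one bit of the promise instead of in two closure objects
// sharing a heap-allocated record. Each returns whether the call took effect.
bool resolvePromiseWithFirstResolvingFunctionCallCheck(ModelPromise& promise, const std::string& value)
{
    if (promise.alreadyResolved())
        return false; // a second resolve/reject through the same pair is ignored
    promise.flags |= ModelPromise::alreadyResolvedFlag;
    fulfillPromise(promise, value);
    return true;
}

bool rejectPromiseWithFirstResolvingFunctionCallCheck(ModelPromise& promise, const std::string& reason)
{
    if (promise.alreadyResolved())
        return false;
    promise.flags |= ModelPromise::alreadyResolvedFlag;
    rejectPromise(promise, reason);
    return true;
}

// Resolving functions created again later for the same promise cannot reuse the bit
// (it is already consumed), so they carry their own alreadyResolved state, as an
// ordinary resolving-function pair does.
struct LaterResolvingFunctions {
    ModelPromise* promise;
    bool alreadyResolved = false;

    bool resolve(const std::string& value)
    {
        if (alreadyResolved)
            return false;
        alreadyResolved = true;
        fulfillPromise(*promise, value);
        return true;
    }

    bool reject(const std::string& reason)
    {
        if (alreadyResolved)
            return false;
        alreadyResolved = true;
        rejectPromise(*promise, reason);
        return true;
    }
};
```

The property worth checking is that the bit in the promise is consumed exactly once: after the first pair has fired, a later pair created for the same promise must not read that bit as its own state, and settling must never rewrite the flag bits outside the status mask.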
2019-09-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based)
        https://bugs.webkit.org/show_bug.cgi?id=201262
        <rdar://problem/13108764>

        Reviewed by Devin Rousso.

        When interception is enabled, Network requests that match any of the configured
        interception patterns will be paused on the backend and allowed to be modified
        by the frontend.

        Currently the only time a network request can be intercepted is during the
        HTTP response. However, this intercepting interface is meant to extend to
        HTTP requests as well.

        When a response is to be intercepted a new event is sent to the frontend:

          `Network.responseIntercepted` event

        With a `requestId` to identify that network request. The frontend
        must respond with one of the following commands to continue:

          `Network.interceptContinue`     - proceed with the response unmodified
          `Network.interceptWithResponse` - provide a response

        The response is paused in the meantime.

        * inspector/protocol/Network.json:
        New interfaces for intercepting network responses and supplying override content.

        * Scripts/generate-combined-inspector-json.py:
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification.load_specification):
        Complete allowing comments in JSON protocol files.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        Allow optional enums in ObjC interfaces.

2019-09-03  Mark Lam  <mark.lam@apple.com>

        Structure::storedPrototype() and storedPrototypeObject() should assert with isCompilationThread(), not !isMainThread().
        https://bugs.webkit.org/show_bug.cgi?id=201449

        Reviewed by Yusuke Suzuki.

        Using !isMainThread() in the assertion also disables the assertion for the mutator
        of worker threads.  This is not what we intended.

        * runtime/StructureInlines.h:
        (JSC::Structure::storedPrototype const):
        (JSC::Structure::storedPrototypeObject const):

2019-09-04  Mark Lam  <mark.lam@apple.com>

        Disambiguate a symbol used in JSDollarVM.
        https://bugs.webkit.org/show_bug.cgi?id=201466
        <rdar://problem/51826672>

        Reviewed by Tadeu Zagallo.

        This was causing a build issue on some internal build.

        * tools/JSDollarVM.cpp:

2019-09-03  Mark Lam  <mark.lam@apple.com>

        Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
        https://bugs.webkit.org/show_bug.cgi?id=201309
        <rdar://problem/54832121>

        Reviewed by Yusuke Suzuki.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedBufferImpl):
        (JSC::JSArrayBufferView::possiblySharedBuffer):
        (JSC::JSArrayBufferView::byteOffsetImpl):
        (JSC::JSArrayBufferView::byteOffset):
        (JSC::JSArrayBufferView::byteOffsetConcurrently):

2019-09-03  Devin Rousso  <drousso@apple.com>

        Web Inspector: implement blackboxing of script resources
        https://bugs.webkit.org/show_bug.cgi?id=17240
        <rdar://problem/5732847>

        Reviewed by Joseph Pecoraro.

        When a script is blackboxed and the debugger attempts to pause in that script, the pause
        reason/data will be saved and execution will continue until it has left the blackboxed
        script. Once outside, execution is paused with the saved reason/data.

        This is especially useful when debugging issues using libraries/frameworks, as it allows the
        developer to "skip" the internal logic of the library/framework and instead focus only on
        how they're using it.

        * inspector/protocol/Debugger.json:
        Add `setShouldBlackboxURL` command.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent):
        (Inspector::InspectorDebuggerAgent::enable):
        (Inspector::InspectorDebuggerAgent::updatePauseReasonAndData): Added.
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): Added.
        (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::didPause):
        (Inspector::InspectorDebuggerAgent::didContinue):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
        (Inspector::InspectorDebuggerAgent::clearPauseDetails): Added.
        (Inspector::InspectorDebuggerAgent::clearBreakDetails): Deleted.
        Renamed "break" to "pause" to match `Debugger` naming.

        * debugger/Debugger.h:
        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::setBlackboxType): Added.
        (JSC::Debugger::clearBlackbox): Added.
        (JSC::Debugger::isBlacklisted const): Deleted.
        (JSC::Debugger::addToBlacklist): Deleted.
        (JSC::Debugger::clearBlacklist): Deleted.

2019-09-03  Mark Lam  <mark.lam@apple.com>

        Remove the need to pass performJITMemcpy as a pointer.
        https://bugs.webkit.org/show_bug.cgi?id=201413

        Reviewed by Michael Saboff.

        We want performJITMemcpy to always be inlined.  In this patch, we also clean up
        some template parameters to use enums instead of booleans to better document the
        intent of the code.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::fillNops):
        (JSC::ARM64Assembler::linkJump):
        (JSC::ARM64Assembler::linkCall):
        (JSC::ARM64Assembler::relinkJump):
        (JSC::ARM64Assembler::relinkCall):
        (JSC::ARM64Assembler::link):
        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        (JSC::ARM64Assembler::relinkJumpOrCall):
        (JSC::ARM64Assembler::CopyFunction::CopyFunction): Deleted.
        (JSC::ARM64Assembler::CopyFunction::operator()): Deleted.
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::fillNops):
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::linkJumpT1):
        (JSC::ARMv7Assembler::linkJumpT2):
        (JSC::ARMv7Assembler::linkJumpT3):
        (JSC::ARMv7Assembler::linkJumpT4):
        (JSC::ARMv7Assembler::linkConditionalJumpT4):
        (JSC::ARMv7Assembler::linkBX):
        (JSC::ARMv7Assembler::linkConditionalBX):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::emitNops):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::fillNops):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::link):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::link):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * runtime/JSCPtrTag.h:

2019-09-03  Devin Rousso  <drousso@apple.com>

        REGRESSION (r249078): Flaky crash in com.apple.JavaScriptCore: Inspector::InjectedScriptModule::ensureInjected
        https://bugs.webkit.org/show_bug.cgi?id=201201
        <rdar://problem/54771560>

        Reviewed by Joseph Pecoraro.

        * inspector/InjectedScriptSource.js:
        (let.InjectedScript.prototype.injectModule):
        (let.InjectedScript.prototype._evaluateOn):
        (CommandLineAPI):
        (let.InjectedScript.prototype.setInspectObject): Deleted.
        (let.InjectedScript.prototype.addCommandLineAPIGetter): Deleted.
        (let.InjectedScript.prototype.addCommandLineAPIMethod.func.toString): Deleted.
        (let.InjectedScript.prototype.addCommandLineAPIMethod): Deleted.
        (InjectedScript.CommandLineAPI): Deleted.
        Allow injected script "extensions" (e.g. CommandLineAPIModuleSource.js) to modify objects
        directly, instead of having them call functions.

        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        Make sure to reset `hadException` to `false` before making another call.

2019-09-03  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove BytecodeGenerator::emitPopScope
        https://bugs.webkit.org/show_bug.cgi?id=201395

        Reviewed by Saam Barati.

        Use emitGetParentScope. And this patch also removes several unnecessary mov bytecode emissions.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::emitPopWithScope):
        (JSC::BytecodeGenerator::emitPopScope): Deleted.
        * bytecompiler/BytecodeGenerator.h:

2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Merge op_check_traps into op_enter and op_loop_hint
        https://bugs.webkit.org/show_bug.cgi?id=201373

        Reviewed by Mark Lam.

        This patch removes op_check_traps. Previously we were conditionally emitting op_check_traps based on Options and Platform configurations.
        But now we are always emitting op_check_traps. So it is not necessary to have separate bytecode as op_check_traps. We can do checking in
        op_enter and op_loop_hint.

        While this patch moves check_traps implementation to op_enter and op_loop_hint, we keep separate DFG nodes (CheckTraps or InvalidationPoint),
        since inserted nodes are different based on configurations and options. And emitting multiple DFG nodes from one bytecode is easy.

        We also inline op_enter's slow path's write-barrier emission in LLInt.
638
639         * bytecode/BytecodeList.rb:
640         * bytecode/BytecodeUseDef.h:
641         (JSC::computeUsesForBytecodeOffset):
642         (JSC::computeDefsForBytecodeOffset):
643         * bytecompiler/BytecodeGenerator.cpp:
644         (JSC::BytecodeGenerator::BytecodeGenerator):
645         (JSC::BytecodeGenerator::emitLoopHint):
646         (JSC::BytecodeGenerator::emitCheckTraps): Deleted.
647         * bytecompiler/BytecodeGenerator.h:
648         * dfg/DFGByteCodeParser.cpp:
649         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
650         (JSC::DFG::ByteCodeParser::parseBlock):
651         * dfg/DFGCapabilities.cpp:
652         (JSC::DFG::capabilityLevel):
653         * jit/JIT.cpp:
654         (JSC::JIT::privateCompileMainPass):
655         (JSC::JIT::privateCompileSlowCases):
656         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
657         * jit/JIT.h:
658         * jit/JITOpcodes.cpp:
659         (JSC::JIT::emit_op_loop_hint):
660         (JSC::JIT::emitSlow_op_loop_hint):
661         (JSC::JIT::emit_op_enter):
662         (JSC::JIT::emitSlow_op_enter):
663         (JSC::JIT::emit_op_check_traps): Deleted.
664         (JSC::JIT::emitSlow_op_check_traps): Deleted.
665         * jit/JITOpcodes32_64.cpp:
666         (JSC::JIT::emit_op_enter): Deleted.
667         * llint/LowLevelInterpreter.asm:
668         * llint/LowLevelInterpreter32_64.asm:
669         * llint/LowLevelInterpreter64.asm:
670         * runtime/CommonSlowPaths.cpp:
671         * runtime/CommonSlowPaths.h:
672
673 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
674
675         [JSC] Fix testb3 debug failures
676         https://bugs.webkit.org/show_bug.cgi?id=201382
677
678         Reviewed by Mark Lam.
679
680         Fix testb3 debug failures due to incorrect types of operations like pointer + int32.
681
682         * b3/testb3_8.cpp:
683         (testByteCopyLoop):
684         (testByteCopyLoopStartIsLoopDependent):
685         (testByteCopyLoopBoundIsLoopDependent):
686
687 2019-09-01  Mark Lam  <mark.lam@apple.com>
688
689         Speculative build fix for ARMv7 and MIPS.
690         https://bugs.webkit.org/show_bug.cgi?id=201389
691
692         Not reviewed.
693
694         * bytecode/CodeBlock.cpp:
695         (JSC::CodeBlock::jettison):
696
697 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
698
699         [JSC] LLInt op should not emit the same code three times
700         https://bugs.webkit.org/show_bug.cgi?id=201370
701
702         Reviewed by Mark Lam.
703
704         LLInt op macro (not llintOp macro) is used to generate some stub code like llint_program_prologue.
705         But now it generates the same code three times for narrow, wide16, and wide32. We should emit code only once.
706
707         * llint/LowLevelInterpreter.asm:
708
709 2019-08-30  Mark Lam  <mark.lam@apple.com>
710
711         Remove some obsolete statements that have no effect.
712         https://bugs.webkit.org/show_bug.cgi?id=201357
713
714         Reviewed by Saam Barati.
715
716         This patch removes 3 statements that look like this:
717
718             result->butterfly(); // Ensure that the butterfly is in to-space.
719
720         The statement just reads a field and does nothing with it.  This is a no-op
721         logic-wise, and the comment that accompanies it is obsolete.
722
723         * dfg/DFGOperations.cpp:
724
725 2019-08-30  Mark Lam  <mark.lam@apple.com>
726
727         Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
728         https://bugs.webkit.org/show_bug.cgi?id=201345
729
730         Reviewed by Yusuke Suzuki.
731
732         This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
733         the wrong pointer for capturing the cell headerWord and zapReason.  As a result,
734         we get junk for those 2 values.
735
736         Previously, we were only capturing the upper 32-bits of the cell header slot,
737         and the lower 32-bit of the next slot in the zapped cell.  We now capture the
738         full 64-bits of both slots.  If the second slot did not contain a zapReason as we
739         expect, the upper 32-bits might give us a clue as to what type of value the slot
740         contains.
741
742         This patch also adds capturing of the found MarkedBlock address for the zapped
743         cell, as well as some state bit values.
744
745         * heap/SlotVisitor.cpp:
746         (JSC::SlotVisitor::reportZappedCellAndCrash):
747
748 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
749
750         [JSC] Generate new.target register only when it is used
751         https://bugs.webkit.org/show_bug.cgi?id=201335
752
753         Reviewed by Mark Lam.
754
755         Since the bytecode generator knows whether the new.target register can be used, we should emit and use the new.target register
756         only when it is actually required.
757
758         * bytecompiler/BytecodeGenerator.cpp:
759         (JSC::BytecodeGenerator::BytecodeGenerator):
760         * bytecompiler/BytecodeGenerator.h:
761         (JSC::BytecodeGenerator::newTarget):
762         * parser/Nodes.h:
763         (JSC::ScopeNode::needsNewTargetRegisterForThisScope const):
764
765 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
766
767         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
768         https://bugs.webkit.org/show_bug.cgi?id=201331
769
770         Reviewed by Mark Lam.
771
772         SimpleJumpTable's non-JIT part is not changed after CodeBlock is finalized well. On the other hand, JIT related part is allocated on-demand.
773         For example, ctiOffsets can be grown by the Baseline JIT compiler. There is a race condition as follows.
774
775             1. DFG ByteCodeParser is inlining and copying SimpleJumpTable
776             2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable
777
778         Then, (1) reads the broken Vector, and crashes. Since the JIT-related part is unnecessary in (1), we should not clone it.
779         This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which only copies the non-JIT-related part of the given SimpleJumpTable offered
780         by profiled CodeBlock.
781
782         * bytecode/CodeBlock.h:
783         (JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock):
784         * bytecode/JumpTable.h:
785         (JSC::SimpleJumpTable::cloneNonJITPart const):
786         (JSC::SimpleJumpTable::clear):
787         * dfg/DFGByteCodeParser.cpp:
788         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
789
790 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
791
792         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
793         https://bugs.webkit.org/show_bug.cgi?id=201332
794
795         Reviewed by Mark Lam.
796
797         When inlining setter calls in DFG, the result VirtualRegister becomes an invalid one. While other call-related DFG code correctly assumes
798         that `result` may be invalid, only CheckBadCell slow path missed this case. Since this is OSR exit path and VirtualRegister result
799         does not exist, set BottomValue only when "result" is valid as the other DFG code is doing.
800
801         * dfg/DFGByteCodeParser.cpp:
802         (JSC::DFG::ByteCodeParser::handleInlining):
803
804 2019-08-29  Devin Rousso  <drousso@apple.com>
805
806         Web Inspector: Debugger: async event listener stack traces should be available in Workers
807         https://bugs.webkit.org/show_bug.cgi?id=200903
808
809         Reviewed by Joseph Pecoraro.
810
811         * inspector/agents/InspectorDebuggerAgent.h:
812         (Inspector::InspectorDebuggerAgent::enabled): Added.
813         * inspector/agents/InspectorDebuggerAgent.cpp:
814         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
815         (Inspector::InspectorDebuggerAgent::enable):
816         (Inspector::InspectorDebuggerAgent::disable):
817         Allow subclasses to extend what it means for the `InspectorDebuggerAgent` to be `enabled`.
818
819 2019-08-29  Keith Rollin  <krollin@apple.com>
820
821         Update .xcconfig symbols to reflect the current set of past and future product versions.
822         https://bugs.webkit.org/show_bug.cgi?id=200720
823         <rdar://problem/54305032>
824
825         Reviewed by Alex Christensen.
826
827         Remove version symbols related to old OS's we no longer support,
828         ensure that version symbols are defined for OS's we do support.
829
830         * Configurations/Base.xcconfig:
831         * Configurations/DebugRelease.xcconfig:
832         * Configurations/Version.xcconfig:
833
834 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
835
836         [JSC] Repatch should construct CallCases and CasesValue at the same time
837         https://bugs.webkit.org/show_bug.cgi?id=201325
838
839         Reviewed by Saam Barati.
840
841         In linkPolymorphicCall, we should create callCases and casesValue at the same time to assert `callCases.size() == casesValue.size()`.
842         If the call variant is isClosureCall and InternalFunction, we skip adding it to casesValue. So we should not add this variant to callCases too.
843
844         * jit/Repatch.cpp:
845         (JSC::linkPolymorphicCall):
846
847 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
848
849         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
850         https://bugs.webkit.org/show_bug.cgi?id=198650
851
852         Reviewed by Saam Barati.
853
854         Object Allocation Sinking phase has a lightweight abstract interpreter which interprets DFG nodes related to allocations and properties.
855         This interpreter is lightweight since it does not track abstract values and conditions as deeply as AI does. It can happen that this
856         interpreter interprets a control-flow edge that AI proved is never taken.
857         AI already knows some control-flow edges are never taken, and based on this information, AI can remove CheckStructure nodes. But
858         ObjectAllocationSinking phase can trace these never-taken edges and propagate structure information that contradicts the analysis
859         done in ObjectAllocationSinking.
860
861         Let's see the example.
862
863             BB#0
864                 35: NewObject([%AM:Object])
865                 ...
866                 47: Branch(ConstantTrue, T:#1, F:#2)
867
868             BB#1 // This basic block is never taken due to @47's jump.
869                 ...
870                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
871                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
872                 ...
873                 XX: Jump(#2)
874
875             BB#2
876                 ...
877                 92: CheckStructure(@35, [%Dx:Object])
878                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
879                 ...
880
881         AI removes @92 because AI knows BB#0 only takes BB#1 branch. @35's Structure is always %Dx so @92 is redundant.
882         AI proved that @71 and @72 are always executed while BB#0 -> BB#2 edge is never taken so that @35 object's structure is proven at @92.
883         After AI removes @92, ObjectAllocationSinking starts looking into this graph.
884
885             BB#0
886                 35: NewObject([%AM:Object])
887                 ...
888                 47: Branch(ConstantTrue, T:#1, F:#2)
889
890             BB#1 // This basic block is never taken due to @47's jump.
891                 ...
892                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
893                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
894                 ...
895                 XX: Jump(#2)
896
897             BB#2
898                 ...
899                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
900                 ...
901                 YY: Jump(#3)
902
903             BB#3
904                 ...
905                 ZZ: <HERE> want to materialize @35's sunk object.
906
907         Since AI does not change the @47 Branch to Jump (it is OK anyway), BB#0 -> BB#2 edge remains and ObjectAllocationSinking phase propagates information in
908         BB#0's %AM structure information to BB#2. ObjectAllocationSinking phase converts @35 to PhantomNewObject, removes PutByOffset and PutStructure, and
909         inserts MaterializeNewObject in @ZZ. At this point, ObjectAllocationSinking lightweight interpreter gets two structures while AI gets one: @35's original
910         one (%AM) and @72's replaced one (%Dx). Since AI already proved @ZZ only gets %Dx, AI removed @92 CheckStructure. But this is not known to ObjectAllocationSinking
911         phase's interpretation. So when creating recovery data, MultiPutByOffset includes two structures, %AM and %Dx. This is OK since MultiPutByOffset takes a
912         conservative set of structures and performs switching. But the problem here is that %AM's id2{a} offset is -1 since %AM does not have such a property.
913         So when creating MultiPutByOffset in ObjectAllocationSinking, we accidentally create MultiPutByOffset with -1 offset data, and lowering phase hits the debug
914         assertion.
915
916             187: MultiPutByOffset(@138, @138, id2{a}, <Replace: [%AM:Object], offset = -1, >, <Replace: [%Dx:Object], offset = 0, >)
917
918         This bug is harmless since %AM structure comparison never meets at runtime. But we are not considering the case including `-1` offset property in MultiPutByOffset data.
919         In this patch, we just filter out apparently wrong structures when creating MultiPutByOffset in ObjectAllocationSinking. This is OK since it never comes at runtime.
920
921         * dfg/DFGObjectAllocationSinkingPhase.cpp:
922
923 2019-08-29  Devin Rousso  <drousso@apple.com>
924
925         Web Inspector: DOMDebugger: support event breakpoints in Worker contexts
926         https://bugs.webkit.org/show_bug.cgi?id=200651
927
928         Reviewed by Joseph Pecoraro.
929
930         * inspector/protocol/DOMDebugger.json:
931         Make the domain available in "worker" contexts as well.
932
933 2019-08-29  Keith Rollin  <krollin@apple.com>
934
935         Remove 32-bit macOS support
936         https://bugs.webkit.org/show_bug.cgi?id=201282
937         <rdar://problem/54821667>
938
939         Reviewed by Anders Carlsson.
940
941         WebKit doesn’t support 32-bit Mac any more, so remove checks and code
942         for that platform.
943
944         * API/JSBase.h:
945         * runtime/VM.h:
946
947 2019-08-29  Keith Rollin  <krollin@apple.com>
948
949         Remove support for macOS < 10.13 (part 3)
950         https://bugs.webkit.org/show_bug.cgi?id=201224
951         <rdar://problem/54795934>
952
953         Reviewed by Darin Adler.
954
955         Remove symbols in WebKitTargetConditionals.xcconfig related to macOS
956         10.13, including WK_MACOS_1013 and WK_MACOS_BEFORE_1013, and suffixes
957         like _MACOS_SINCE_1013.
958
959         * Configurations/WebKitTargetConditionals.xcconfig:
960
961 2019-08-29  Mark Lam  <mark.lam@apple.com>
962
963         Remove a bad assertion in ByteCodeParser::inlineCall().
964         https://bugs.webkit.org/show_bug.cgi?id=201292
965         <rdar://problem/54121659>
966
967         Reviewed by Michael Saboff.
968
969         In the DFG bytecode parser, we've already computed the inlining cost of a candidate
970         inlining target, and determined that it is worth inlining before invoking
971         ByteCodeParser::inlineCall().  However, in ByteCodeParser::inlineCall(), it
972         recomputes the inlining cost again only for the purpose of asserting that it isn't
973         too high.
974
975         Now consider a badly written test that does the following:
976
977             function bar() {
978                 ...
979                 foo(); // Call in a hot loop here.
980                 ...
981             }
982
983             bar(); // <===== foo is inlineable into bar here.
984             noInline(foo); // <===== Change mind, and make foo not inlineable.
985             bar();
986
987         With this bad test, the following racy scenario can occur:
988
989         1. the first invocation of bar() gets hot, and a concurrent compile is kicked off.
990         2. the compiler thread computes foo()'s inliningCost() and determines that it is
991            worthy to be inlined, and will imminently call inlineCall().
992         3. the mutator calls the noInline() test utility on foo(), thereby making it NOT
993            inlineable.
994         4. the compiler thread calls inlineCall().  In inlineCall(), it re-computes the
995            inliningCost for foo() and now finds that it is not inlineable.  An assertion
996            failure follows.
997
998         Technically, the test is in error because noInline() shouldn't be used that way.
999         However, fuzzers that are not clued into noInline()'s proper usage may generate
1000         code like this.
1001
1002         On the other hand, ByteCodeParser::inlineCall() should not be recomputing the
1003         inlining cost and asserting on it.  The only reason inlineCall() is invoked is
1004         because it was already previously determined that a target function is inlineable
1005         based on its inlining cost.  Today, in practice, I don't think we have any real
1006         world condition where the mutator can affect the inlining cost of a target
1007         function midway through execution.  So, this assertion isn't a problem if no one
1008         writes a test that abuses noInline().  However, should things change such that the
1009         mutator is able to affect the inlining cost of a target function, then it is
1010         incorrect for the compiler to assume that the inlining cost is immutable.  Once
1011         the compiler decides to inline a function, it should just follow through.
1012
1013         This patch removes this assertion in ByteCodeParser::inlineCall().  It is an
1014         annoyance at best (for fuzzers), and at worst, incorrect if the mutator gains the
1015         ability to affect the inlining cost of a target function.
1016
1017         * dfg/DFGByteCodeParser.cpp:
1018         (JSC::DFG::ByteCodeParser::inlineCall):
1019
1020 2019-08-28  Mark Lam  <mark.lam@apple.com>
1021
1022         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
1023         https://bugs.webkit.org/show_bug.cgi?id=201281
1024         <rdar://problem/54028228>
1025
1026         Reviewed by Yusuke Suzuki and Saam Barati.
1027
1028         This (see title above) is already the preferred idiom used in most places in our
1029         compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
1030         compileStringCharAt().  Consider the following:
1031
1032             bool prototypeChainIsSane = false;
1033             if (globalObject->stringPrototypeChainIsSane()) {
1034                 ...
1035                 m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm()));
1036                 m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm()));
1037
1038                 prototypeChainIsSane = globalObject->stringPrototypeChainIsSane();
1039             }
1040
1041         What's essential for correctness here is that the stringPrototype and objectPrototype
1042         structures be loaded before the loads in the second stringPrototypeChainIsSane()
1043         check.  Without a loadLoadFence before the second stringPrototypeChainIsSane()
1044         check, we can't guarantee that.  Elsewhere in the compiler, the preferred idiom
1045         for doing this right is to pre-load the structures first, do a loadLoadFence, and
1046         then do the IsSane check just once after, e.g.
1047
1048             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm);
1049             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm);
1050
1051             if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
1052                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
1053                 && globalObject->arrayPrototypeChainIsSane()) {
1054
1055                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1056                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1057                 ...
1058             }
1059
1060         This patch changes DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
1061         compileStringCharAt() to follow the same idiom.
1062
1063         We also fix a bad assertion in Structure::storedPrototype() and
1064         Structure::storedPrototypeObject().  The assertion is only correct when those
1065         methods are called from the mutator thread.  The assertion has been updated to
1066         only check its test condition if the current thread is the mutator thread.
1067
1068         * dfg/DFGSpeculativeJIT.cpp:
1069         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1070         * ftl/FTLLowerDFGToB3.cpp:
1071         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1072         * runtime/StructureInlines.h:
1073         (JSC::Structure::storedPrototype const):
1074         (JSC::Structure::storedPrototypeObject const):
1075
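The preload, fence, check-once idiom this entry adopts, as an added C++ simulation that is not WebKit's code: Structure, GlobalObject, transitionStringPrototype and runScenario are simplified stand-ins, and the CPU reordering the entry warns about is replayed deterministically by running the mutator's transition inside the hazardous window of each idiom.

```cpp
#include <atomic>
#include <functional>
#include <vector>

// Constructed stand-in for a JSC Structure: a transition watchpoint that is cleared
// when an object transitions away from it, plus whether its prototype chain is "sane".
struct Structure {
    std::atomic<bool> transitionWatchpointValid { true };
    bool chainIsSane;
    explicit Structure(bool sane) : chainIsSane(sane) { }
    // Carries the loadLoadFence the entry mentions: later loads cannot pass the validity load.
    bool transitionWatchpointSetIsStillValid() const
    {
        bool valid = transitionWatchpointValid.load(std::memory_order_relaxed);
        std::atomic_thread_fence(std::memory_order_acquire);
        return valid;
    }
};

struct GlobalObject {
    std::atomic<Structure*> stringPrototypeStructure { nullptr };
    std::atomic<Structure*> objectPrototypeStructure { nullptr };
    bool stringPrototypeChainIsSane() const
    {
        return stringPrototypeStructure.load(std::memory_order_relaxed)->chainIsSane
            && objectPrototypeStructure.load(std::memory_order_relaxed)->chainIsSane;
    }
};

// Mutator: String.prototype transitions to a non-sane structure; the old one's watchpoint fires.
void transitionStringPrototype(GlobalObject& g, Structure* newStructure)
{
    Structure* old = g.stringPrototypeStructure.load(std::memory_order_relaxed);
    old->transitionWatchpointValid.store(false, std::memory_order_release);
    g.stringPrototypeStructure.store(newStructure, std::memory_order_release);
}

struct CompileResult {
    bool assumedSane;                // emitted code relies on a sane chain
    std::vector<Structure*> watched; // a transition of any of these jettisons it
};
using Interleave = std::function<void()>;
// Pre-patch shape: check, load and watch the structures, re-check. Without a fence the
// CPU may satisfy the re-check's loads early; the hook runs in that window to replay it.
CompileResult compileOldIdiom(GlobalObject& g, const Interleave& mutatorRunsHere)
{
    CompileResult result { false, {} };
    if (!g.stringPrototypeChainIsSane())
        return result;
    bool recheck = g.stringPrototypeChainIsSane(); // hoisted above the loads below
    mutatorRunsHere();
    result.watched = { g.stringPrototypeStructure.load(std::memory_order_relaxed),
                       g.objectPrototypeStructure.load(std::memory_order_relaxed) };
    result.assumedSane = recheck;
    return result;
}

// The idiom the patch adopts: load both structures first, check validity (fenced) and
// sanity once, and watch exactly the structures that were checked.
CompileResult compileNewIdiom(GlobalObject& g, const Interleave& mutatorRunsHere)
{
    CompileResult result { false, {} };
    Structure* stringProto = g.stringPrototypeStructure.load(std::memory_order_relaxed);
    Structure* objectProto = g.objectPrototypeStructure.load(std::memory_order_relaxed);
    mutatorRunsHere();
    if (stringProto->transitionWatchpointSetIsStillValid()
        && objectProto->transitionWatchpointSetIsStillValid()
        && g.stringPrototypeChainIsSane()) {
        result.watched = { stringProto, objectProto };
        result.assumedSane = true;
    }
    return result;
}

// Sound if the chain is still sane, or a watched structure transitioned (watchpoint fired).
bool compiledCodeIsSound(const CompileResult& r, const GlobalObject& g)
{
    if (!r.assumedSane || g.stringPrototypeChainIsSane())
        return true;
    for (Structure* s : r.watched)
        if (!s->transitionWatchpointSetIsStillValid())
            return true;
    return false;
}

// One compile in a fresh world; the transition lands inside the hazardous window or after.
bool runScenario(bool useNewIdiom, bool mutateDuringCompile)
{
    Structure saneString(true), saneObject(true), unsaneString(false);
    GlobalObject g;
    g.stringPrototypeStructure.store(&saneString);
    g.objectPrototypeStructure.store(&saneObject);
    Interleave mutate = [&] { transitionStringPrototype(g, &unsaneString); };
    Interleave hook = mutateDuringCompile ? mutate : Interleave([] { });
    CompileResult r = useNewIdiom ? compileNewIdiom(g, hook) : compileOldIdiom(g, hook);
    if (!mutateDuringCompile)
        mutate();
    return compiledCodeIsSound(r, g);
}
```

runScenario(false, true) is the reordered race the entry describes: the old idiom emits code that assumes a sane chain while watching the already-transitioned structure, so nothing will ever jettison it. The new idiom bails out in that window, and when the transition lands after compilation the watched structure's fired watchpoint covers it.
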
1076 2019-08-28  Mark Lam  <mark.lam@apple.com>
1077
1078         Placate exception check validation in DFG's operationHasGenericProperty().
1079         https://bugs.webkit.org/show_bug.cgi?id=201245
1080         <rdar://problem/54777512>
1081
1082         Reviewed by Robin Morisset.
1083
1084         * dfg/DFGOperations.cpp:
1085
1086 2019-08-28  Ross Kirsling  <ross.kirsling@sony.com>
1087
1088         Unreviewed. Restabilize non-unified build.
1089
1090         * runtime/PropertySlot.h:
1091
1092 2019-08-28  Mark Lam  <mark.lam@apple.com>
1093
1094         Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks.
1095         https://bugs.webkit.org/show_bug.cgi?id=201006
1096         <rdar://problem/52053991>
1097
1098         Reviewed by Yusuke Suzuki.
1099
1100         We already ensured that it is not possible to overflow in Wasm::FunctionParser's
1101         parse().  It is unnecessary and misleading to do those overflow checks in
1102         AirIRGenerator and B3IRGenerator.  The only check that is necessary is that
1103         m_locals.tryReserveCapacity() is successful, otherwise, we have an out of memory
1104         situation.
1105
1106         This patch changes these unnecessary checks to assertions instead.
1107
1108         * wasm/WasmAirIRGenerator.cpp:
1109         (JSC::Wasm::AirIRGenerator::addLocal):
1110         * wasm/WasmB3IRGenerator.cpp:
1111         (JSC::Wasm::B3IRGenerator::addLocal):
1112         * wasm/WasmValidate.cpp:
1113         (JSC::Wasm::Validate::addLocal):
1114
1115 2019-08-28  Keith Rollin  <krollin@apple.com>
1116
1117         Remove support for macOS < 10.13 (part 2)
1118         https://bugs.webkit.org/show_bug.cgi?id=201197
1119         <rdar://problem/54759985>
1120
1121         Update conditionals that reference WK_MACOS_1013 and suffixes like
1122         _MACOS_SINCE_1013, assuming that we're always building on 10.13 or
1123         later and that these conditionals are always True or False.
1124
1125         See Bug 200694 for earlier changes in this area.
1126
1127         Reviewed by Darin Adler.
1128
1129         * Configurations/FeatureDefines.xcconfig:
1130
1131 2019-08-28  Mark Lam  <mark.lam@apple.com>
1132
1133         Gardening: Rebase test results after r249175.
1134         https://bugs.webkit.org/show_bug.cgi?id=201172
1135
1136         Not reviewed.
1137
1138         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1139         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1140         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1141         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1142         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1143         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1144         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1145
1146 2019-08-27  Michael Saboff  <msaboff@apple.com>
1147
1148         Update PACCage changes for builds without Gigacage, but with signed pointers
1149         https://bugs.webkit.org/show_bug.cgi?id=201202
1150
1151         Reviewed by Saam Barati.
1152
1153         Factored out the untagging of pointers and added that to both the Gigacage enabled
1154         and disabled code paths.  Did this for the LLInt as well as the JITs.
1155
1156         * JavaScriptCore.xcodeproj/project.pbxproj: Added arm64e.rb to offlineasm file list.
1157         * dfg/DFGSpeculativeJIT.cpp:
1158         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1159         * ftl/FTLLowerDFGToB3.cpp:
1160         (JSC::FTL::DFG::LowerDFGToB3::caged):
1161         * llint/LowLevelInterpreter64.asm:
1162
1163 2019-08-27  Mark Lam  <mark.lam@apple.com>
1164
1165         Refactor to use VM& instead of VM* at as many places as possible.
1166         https://bugs.webkit.org/show_bug.cgi?id=201172
1167
1168         Reviewed by Yusuke Suzuki.
1169
1170         Using VM& documents more clearly that the VM pointer is expected to never be null
1171         in most cases.  There are a few places where it can be null (e.g. JSLock, and
1172         DFG::Plan).  Those will be left using a VM*.
1173
1174         Also converted some uses of ExecState* to using VM& instead since the ExecState*
1175         is only there to fetch the VM pointer.  Doing this also reduces the number of
1176         times we have to compute VM* from ExecState*.
1177
1178         This patch is not exhaustive in converting to use VM&, but applies the change to
1179         many commonly used pieces of code for a start.
1180
1181         Also fixed a missing exception check in JSString::toIdentifier() and
1182         JSValue::toPropertyKey() exposed by this patch.
1183
1184         * API/APICast.h:
1185         (toJS):
1186         * API/JSAPIGlobalObject.mm:
1187         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
1188         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1189         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
1190         (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
1191         (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule):
1192         * API/JSCallbackConstructor.cpp:
1193         (JSC::JSCallbackConstructor::finishCreation):
1194         * API/JSCallbackObjectFunctions.h:
1195         (JSC::JSCallbackObject<Parent>::asCallbackObject):
1196         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
1197         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
1198         (JSC::JSCallbackObject<Parent>::putByIndex):
1199         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
1200         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1201         * API/JSContext.mm:
1202         (-[JSContext dependencyIdentifiersForModuleJSScript:]):
1203         * API/JSObjectRef.cpp:
1204         (JSObjectMakeFunction):
1205         (classInfoPrivate):
1206         (JSObjectGetPrivate):
1207         (JSObjectSetPrivate):
1208         (JSObjectCopyPropertyNames):
1209         (JSPropertyNameAccumulatorAddName):
1210         (JSObjectGetProxyTarget):
1211         * API/JSScriptRef.cpp:
1212         (parseScript):
1213         * API/JSValueRef.cpp:
1214         (JSValueMakeString):
1215         * API/OpaqueJSString.cpp:
1216         (OpaqueJSString::identifier const):
1217         * API/glib/JSCContext.cpp:
1218         (jsc_context_check_syntax):
1219         * KeywordLookupGenerator.py:
1220         (Trie.printSubTreeAsC):
1221         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py:
1222         (BuiltinsWrapperHeaderGenerator.generate_constructor):
1223         * Scripts/wkbuiltins/builtins_templates.py:
1224         * bindings/ScriptFunctionCall.cpp:
1225         (Deprecated::ScriptCallArgumentHandler::appendArgument):
1226         (Deprecated::ScriptFunctionCall::call):
1227         * bindings/ScriptValue.cpp:
1228         (Inspector::jsToInspectorValue):
1229         * builtins/BuiltinExecutables.cpp:
1230         (JSC::BuiltinExecutables::createExecutable):
1231         * builtins/BuiltinNames.cpp:
1232         (JSC::BuiltinNames::BuiltinNames):
1233         * builtins/BuiltinNames.h:
1234         (JSC::BuiltinNames::getPublicName const):
1235         * bytecode/BytecodeDumper.cpp:
1236         (JSC::BytecodeDumper<Block>::vm const):
1237         * bytecode/BytecodeDumper.h:
1238         * bytecode/BytecodeGeneratorification.cpp:
1239         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
1240         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
1241         (JSC::BytecodeGeneratorification::run):
1242         * bytecode/BytecodeIntrinsicRegistry.cpp:
1243         (JSC::BytecodeIntrinsicRegistry::sentinelMapBucketValue):
1244         (JSC::BytecodeIntrinsicRegistry::sentinelSetBucketValue):
1245         * bytecode/CallVariant.h:
1246         (JSC::CallVariant::internalFunction const):
1247         (JSC::CallVariant::function const):
1248         (JSC::CallVariant::isClosureCall const):
1249         (JSC::CallVariant::executable const):
1250         (JSC::CallVariant::functionExecutable const):
1251         (JSC::CallVariant::nativeExecutable const):
1252         * bytecode/CodeBlock.cpp:
1253         (JSC::CodeBlock::dumpSource):
1254         (JSC::CodeBlock::CodeBlock):
1255         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1256         (JSC::CodeBlock::setNumParameters):
1257         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
1258         (JSC::CodeBlock::unlinkIncomingCalls):
1259         (JSC::CodeBlock::replacement):
1260         (JSC::CodeBlock::computeCapabilityLevel):
1261         (JSC::CodeBlock::noticeIncomingCall):
1262         (JSC::CodeBlock::nameForRegister):
1263         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1264         * bytecode/CodeBlock.h:
1265         (JSC::CodeBlock::vm const):
1266         (JSC::CodeBlock::numberOfArgumentValueProfiles):
1267         (JSC::CodeBlock::valueProfileForArgument):
1268         * bytecode/DeferredSourceDump.cpp:
1269         (JSC::DeferredSourceDump::DeferredSourceDump):
1270         * bytecode/EvalCodeBlock.h:
1271         * bytecode/FunctionCodeBlock.h:
1272         * bytecode/GetByIdStatus.cpp:
1273         (JSC::GetByIdStatus::computeFromLLInt):
1274         * bytecode/GlobalCodeBlock.h:
1275         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1276         * bytecode/ModuleProgramCodeBlock.h:
1277         * bytecode/ObjectAllocationProfileInlines.h:
1278         (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount):
1279         * bytecode/PolyProtoAccessChain.cpp:
1280         (JSC::PolyProtoAccessChain::create):
1281         * bytecode/ProgramCodeBlock.h:
1282         * bytecode/PropertyCondition.cpp:
1283         (JSC::PropertyCondition::isWatchableWhenValid const):
1284         * bytecode/PutByIdStatus.cpp:
1285         (JSC::PutByIdStatus::computeFromLLInt):
1286         * bytecode/StructureStubInfo.cpp:
1287         (JSC::StructureStubInfo::initGetByIdSelf):
1288         (JSC::StructureStubInfo::initPutByIdReplace):
1289         (JSC::StructureStubInfo::initInByIdSelf):
1290         (JSC::StructureStubInfo::addAccessCase):
1291         (JSC::StructureStubInfo::visitWeakReferences):
1292         * bytecode/UnlinkedCodeBlock.cpp:
1293         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1294         * bytecode/UnlinkedCodeBlock.h:
1295         (JSC::UnlinkedCodeBlock::addSetConstant):
1296         (JSC::UnlinkedCodeBlock::addConstant):
1297         (JSC::UnlinkedCodeBlock::addFunctionDecl):
1298         (JSC::UnlinkedCodeBlock::addFunctionExpr):
1299         * bytecode/UnlinkedEvalCodeBlock.h:
1300         * bytecode/UnlinkedFunctionCodeBlock.h:
1301         * bytecode/UnlinkedFunctionExecutable.cpp:
1302         (JSC::generateUnlinkedFunctionCodeBlock):
1303         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1304         * bytecode/UnlinkedFunctionExecutable.h:
1305         * bytecode/UnlinkedGlobalCodeBlock.h:
1306         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1307         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1308         * bytecode/UnlinkedProgramCodeBlock.h:
1309         * bytecompiler/BytecodeGenerator.cpp:
1310         (JSC::BytecodeGenerator::BytecodeGenerator):
1311         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1312         (JSC::BytecodeGenerator::emitDirectPutById):
1313         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1314         (JSC::BytecodeGenerator::addBigIntConstant):
1315         (JSC::BytecodeGenerator::addTemplateObjectConstant):
1316         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
1317         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
1318         * bytecompiler/BytecodeGenerator.h:
1319         (JSC::BytecodeGenerator::vm const):
1320         (JSC::BytecodeGenerator::propertyNames const):
1321         (JSC::BytecodeGenerator::emitNodeInTailPosition):
1322         (JSC::BytecodeGenerator::emitDefineClassElements):
1323         (JSC::BytecodeGenerator::emitNodeInConditionContext):
1324         * bytecompiler/NodesCodegen.cpp:
1325         (JSC::RegExpNode::emitBytecode):
1326         (JSC::ArrayNode::emitBytecode):
1327         (JSC::FunctionCallResolveNode::emitBytecode):
1328         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1329         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1330         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
1331         (JSC::InstanceOfNode::emitBytecode):
1332         * debugger/Debugger.cpp:
1333         * debugger/DebuggerParseData.cpp:
1334         (JSC::gatherDebuggerParseData):
1335         * debugger/DebuggerScope.cpp:
1336         (JSC::DebuggerScope::next):
1337         (JSC::DebuggerScope::name const):
1338         (JSC::DebuggerScope::location const):
1339         * dfg/DFGDesiredIdentifiers.cpp:
1340         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1341         * dfg/DFGDesiredWatchpoints.cpp:
1342         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
1343         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
1344         * dfg/DFGFrozenValue.h:
1345         (JSC::DFG::FrozenValue::FrozenValue):
1346         * dfg/DFGGraph.cpp:
1347         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
1348         * dfg/DFGJITCompiler.cpp:
1349         (JSC::DFG::JITCompiler::linkOSRExits):
1350         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1351         (JSC::DFG::JITCompiler::link):
1352         (JSC::DFG::emitStackOverflowCheck):
1353         (JSC::DFG::JITCompiler::compileFunction):
1354         (JSC::DFG::JITCompiler::exceptionCheck):
1355         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
1356         * dfg/DFGJITCompiler.h:
1357         (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
1358         (JSC::DFG::JITCompiler::fastExceptionCheck):
1359         (JSC::DFG::JITCompiler::vm):
1360         * dfg/DFGLazyJSValue.cpp:
1361         (JSC::DFG::LazyJSValue::getValue const):
1362         (JSC::DFG::LazyJSValue::emit const):
1363         * dfg/DFGOSREntry.cpp:
1364         (JSC::DFG::prepareOSREntry):
1365         * dfg/DFGOSRExit.cpp:
1366         (JSC::DFG::OSRExit::compileOSRExit):
1367         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
1368         * dfg/DFGOSRExitCompilerCommon.h:
1369         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
1370         * dfg/DFGOperations.cpp:
1371         (JSC::DFG::newTypedArrayWithSize):
1372         (JSC::DFG::binaryOp):
1373         (JSC::DFG::bitwiseBinaryOp):
1374         * dfg/DFGPlan.cpp:
1375         (JSC::DFG::Plan::Plan):
1376         * dfg/DFGSpeculativeJIT.cpp:
1377         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1378         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1379         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1380         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
1381         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1382         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1383         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
1384         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
1385         (JSC::DFG::SpeculativeJIT::emitStringBranch):
1386         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
1387         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1388         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
1389         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1390         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1391         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1392         (JSC::DFG::SpeculativeJIT::compileSpread):
1393         (JSC::DFG::SpeculativeJIT::compileNewArray):
1394         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1395         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1396         (JSC::DFG::SpeculativeJIT::compileArrayPush):
1397         (JSC::DFG::SpeculativeJIT::compileTypeOf):
1398         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1399         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1400         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
1401         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1402         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1403         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1404         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1405         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
1406         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1407         (JSC::DFG::SpeculativeJIT::compileStringReplace):
1408         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
1409         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1410         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1411         (JSC::DFG::SpeculativeJIT::compileObjectKeys):
1412         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1413         (JSC::DFG::SpeculativeJIT::compileNewObject):
1414         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
1415         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
1416         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
1417         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1418         (JSC::DFG::SpeculativeJIT::compileProfileType):
1419         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1420         * dfg/DFGSpeculativeJIT.h:
1421         (JSC::DFG::SpeculativeJIT::vm):
1422         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
1423         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1424         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1425         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
1426         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1427         * dfg/DFGSpeculativeJIT32_64.cpp:
1428         (JSC::DFG::SpeculativeJIT::emitCall):
1429         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1430         (JSC::DFG::SpeculativeJIT::emitBranch):
1431         (JSC::DFG::SpeculativeJIT::compile):
1432         * dfg/DFGSpeculativeJIT64.cpp:
1433         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1434         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1435         (JSC::DFG::SpeculativeJIT::emitCall):
1436         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1437         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1438         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1439         (JSC::DFG::SpeculativeJIT::emitBranch):
1440         (JSC::DFG::SpeculativeJIT::compile):
1441         * dfg/DFGThunks.cpp:
1442         (JSC::DFG::osrExitThunkGenerator):
1443         (JSC::DFG::osrExitGenerationThunkGenerator):
1444         (JSC::DFG::osrEntryThunkGenerator):
1445         * dfg/DFGThunks.h:
1446         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
1447         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
1448         * dfg/DFGWorklist.cpp:
1449         (JSC::DFG::Worklist::visitWeakReferences):
1450         * dynbench.cpp:
1451         (main):
1452         * ftl/FTLLowerDFGToB3.cpp:
1453         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1454         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1455         (JSC::FTL::DFG::LowerDFGToB3::boolify):
1456         * ftl/FTLThunks.cpp:
1457         (JSC::FTL::genericGenerationThunkGenerator):
1458         (JSC::FTL::osrExitGenerationThunkGenerator):
1459         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1460         * ftl/FTLThunks.h:
1461         * heap/CellContainer.h:
1462         * heap/CellContainerInlines.h:
1463         (JSC::CellContainer::vm const):
1464         (JSC::CellContainer::heap const):
1465         * heap/CompleteSubspace.cpp:
1466         (JSC::CompleteSubspace::tryAllocateSlow):
1467         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
1468         * heap/GCActivityCallback.h:
1469         * heap/GCAssertions.h:
1470         * heap/HandleSet.cpp:
1471         (JSC::HandleSet::HandleSet):
1472         * heap/HandleSet.h:
1473         (JSC::HandleSet::vm):
1474         * heap/Heap.cpp:
1475         (JSC::Heap::Heap):
1476         (JSC::Heap::lastChanceToFinalize):
1477         (JSC::Heap::releaseDelayedReleasedObjects):
1478         (JSC::Heap::protect):
1479         (JSC::Heap::unprotect):
1480         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
1481         (JSC::Heap::finalizeUnconditionalFinalizers):
1482         (JSC::Heap::completeAllJITPlans):
1483         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
1484         (JSC::Heap::gatherJSStackRoots):
1485         (JSC::Heap::gatherScratchBufferRoots):
1486         (JSC::Heap::removeDeadCompilerWorklistEntries):
1487         (JSC::Heap::isAnalyzingHeap const):
1488         (JSC::Heap::gatherExtraHeapData):
1489         (JSC::Heap::protectedObjectTypeCounts):
1490         (JSC::Heap::objectTypeCounts):
1491         (JSC::Heap::deleteAllCodeBlocks):
1492         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
1493         (JSC::Heap::deleteUnmarkedCompiledCode):
1494         (JSC::Heap::checkConn):
1495         (JSC::Heap::runEndPhase):
1496         (JSC::Heap::stopThePeriphery):
1497         (JSC::Heap::finalize):
1498         (JSC::Heap::requestCollection):
1499         (JSC::Heap::sweepInFinalize):
1500         (JSC::Heap::sweepArrayBuffers):
1501         (JSC::Heap::deleteSourceProviderCaches):
1502         (JSC::Heap::didFinishCollection):
1503         (JSC::Heap::addCoreConstraints):
1504         * heap/Heap.h:
1505         * heap/HeapCell.h:
1506         * heap/HeapCellInlines.h:
1507         (JSC::HeapCell::heap const):
1508         (JSC::HeapCell::vm const):
1509         * heap/HeapInlines.h:
1510         (JSC::Heap::vm const):
1511         * heap/IsoSubspacePerVM.cpp:
1512         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
1513         * heap/LargeAllocation.cpp:
1514         (JSC::LargeAllocation::sweep):
1515         (JSC::LargeAllocation::assertValidCell const):
1516         * heap/LargeAllocation.h:
1517         (JSC::LargeAllocation::vm const):
1518         * heap/LocalAllocator.cpp:
1519         (JSC::LocalAllocator::allocateSlowCase):
1520         * heap/MarkedBlock.cpp:
1521         (JSC::MarkedBlock::Handle::Handle):
1522         (JSC::MarkedBlock::aboutToMarkSlow):
1523         (JSC::MarkedBlock::assertMarksNotStale):
1524         (JSC::MarkedBlock::areMarksStale):
1525         (JSC::MarkedBlock::isMarked):
1526         (JSC::MarkedBlock::assertValidCell const):
1527         * heap/MarkedBlock.h:
1528         (JSC::MarkedBlock::Handle::vm const):
1529         (JSC::MarkedBlock::vm const):
1530         * heap/MarkedBlockInlines.h:
1531         (JSC::MarkedBlock::heap const):
1532         (JSC::MarkedBlock::Handle::specializedSweep):
1533         * heap/SlotVisitor.cpp:
1534         (JSC::validate):
1535         * heap/SlotVisitorInlines.h:
1536         (JSC::SlotVisitor::vm):
1537         (JSC::SlotVisitor::vm const):
1538         * heap/StopIfNecessaryTimer.cpp:
1539         (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer):
1540         * heap/StopIfNecessaryTimer.h:
1541         * heap/Strong.h:
1542         (JSC::Strong::operator=):
1543         * heap/WeakSet.h:
1544         (JSC::WeakSet::WeakSet):
1545         (JSC::WeakSet::vm const):
1546         * inspector/JSInjectedScriptHost.cpp:
1547         (Inspector::JSInjectedScriptHost::savedResultAlias const):
1548         (Inspector::JSInjectedScriptHost::internalConstructorName):
1549         (Inspector::JSInjectedScriptHost::subtype):
1550         (Inspector::JSInjectedScriptHost::functionDetails):
1551         (Inspector::constructInternalProperty):
1552         (Inspector::JSInjectedScriptHost::getInternalProperties):
1553         (Inspector::JSInjectedScriptHost::weakMapEntries):
1554         (Inspector::JSInjectedScriptHost::weakSetEntries):
1555         (Inspector::JSInjectedScriptHost::iteratorEntries):
1556         (Inspector::JSInjectedScriptHost::queryInstances):
1557         (Inspector::JSInjectedScriptHost::queryHolders):
1558         * inspector/JSJavaScriptCallFrame.cpp:
1559         (Inspector::valueForScopeLocation):
1560         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
1561         (Inspector::JSJavaScriptCallFrame::functionName const):
1562         (Inspector::JSJavaScriptCallFrame::type const):
1563         * inspector/ScriptCallStackFactory.cpp:
1564         (Inspector::extractSourceInformationFromException):
1565         * inspector/agents/InspectorAuditAgent.cpp:
1566         (Inspector::InspectorAuditAgent::populateAuditObject):
1567         * inspector/agents/InspectorHeapAgent.cpp:
1568         (Inspector::InspectorHeapAgent::gc):
1569         * interpreter/FrameTracers.h:
1570         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1571         * interpreter/Interpreter.cpp:
1572         (JSC::Interpreter::executeProgram):
1573         (JSC::Interpreter::prepareForRepeatCall):
1574         (JSC::Interpreter::execute):
1575         (JSC::Interpreter::executeModuleProgram):
1576         * interpreter/StackVisitor.cpp:
1577         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1578         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1579         * jit/AssemblyHelpers.cpp:
1580         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1581         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
1582         (JSC::AssemblyHelpers::branchIfValue):
1583         * jit/AssemblyHelpers.h:
1584         (JSC::AssemblyHelpers::vm):
1585         * jit/JIT.cpp:
1586         (JSC::JIT::JIT):
1587         (JSC::JIT::emitEnterOptimizationCheck):
1588         (JSC::JIT::privateCompileMainPass):
1589         (JSC::JIT::privateCompileExceptionHandlers):
1590         * jit/JIT.h:
1591         * jit/JITCall.cpp:
1592         (JSC::JIT::compileCallEvalSlowCase):
1593         * jit/JITCall32_64.cpp:
1594         (JSC::JIT::compileCallEvalSlowCase):
1595         * jit/JITExceptions.cpp:
1596         (JSC::genericUnwind):
1597         * jit/JITExceptions.h:
1598         * jit/JITInlineCacheGenerator.cpp:
1599         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1600         * jit/JITOpcodes.cpp:
1601         (JSC::JIT::emit_op_is_undefined):
1602         (JSC::JIT::emit_op_jfalse):
1603         (JSC::JIT::emit_op_jeq_null):
1604         (JSC::JIT::emit_op_jneq_null):
1605         (JSC::JIT::emit_op_jtrue):
1606         (JSC::JIT::emit_op_throw):
1607         (JSC::JIT::emit_op_catch):
1608         (JSC::JIT::emit_op_eq_null):
1609         (JSC::JIT::emit_op_neq_null):
1610         (JSC::JIT::emitSlow_op_loop_hint):
1611         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1612         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1613         * jit/JITOpcodes32_64.cpp:
1614         (JSC::JIT::emit_op_jfalse):
1615         (JSC::JIT::emit_op_jtrue):
1616         (JSC::JIT::emit_op_throw):
1617         (JSC::JIT::emit_op_catch):
1618         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1619         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1620         * jit/JITOperations.cpp:
1621         (JSC::operationNewFunctionCommon):
1622         (JSC::tryGetByValOptimize):
1623         * jit/JITPropertyAccess.cpp:
1624         (JSC::JIT::emitWriteBarrier):
1625         * jit/JITThunks.cpp:
1626         (JSC::JITThunks::ctiNativeCall):
1627         (JSC::JITThunks::ctiNativeConstruct):
1628         (JSC::JITThunks::ctiNativeTailCall):
1629         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
1630         (JSC::JITThunks::ctiInternalFunctionCall):
1631         (JSC::JITThunks::ctiInternalFunctionConstruct):
1632         (JSC::JITThunks::ctiStub):
1633         (JSC::JITThunks::hostFunctionStub):
1634         * jit/JITThunks.h:
1635         * jit/JITWorklist.cpp:
1636         (JSC::JITWorklist::Plan::vm):
1637         (JSC::JITWorklist::completeAllForVM):
1638         (JSC::JITWorklist::poll):
1639         (JSC::JITWorklist::compileLater):
1640         (JSC::JITWorklist::compileNow):
1641         * jit/Repatch.cpp:
1642         (JSC::readPutICCallTarget):
1643         (JSC::ftlThunkAwareRepatchCall):
1644         (JSC::linkSlowFor):
1645         (JSC::linkFor):
1646         (JSC::linkDirectFor):
1647         (JSC::revertCall):
1648         (JSC::unlinkFor):
1649         (JSC::linkVirtualFor):
1650         (JSC::linkPolymorphicCall):
1651         * jit/SpecializedThunkJIT.h:
1652         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
1653         * jit/ThunkGenerator.h:
1654         * jit/ThunkGenerators.cpp:
1655         (JSC::throwExceptionFromCallSlowPathGenerator):
1656         (JSC::slowPathFor):
1657         (JSC::linkCallThunkGenerator):
1658         (JSC::linkPolymorphicCallThunkGenerator):
1659         (JSC::virtualThunkFor):
1660         (JSC::nativeForGenerator):
1661         (JSC::nativeCallGenerator):
1662         (JSC::nativeTailCallGenerator):
1663         (JSC::nativeTailCallWithoutSavedTagsGenerator):
1664         (JSC::nativeConstructGenerator):
1665         (JSC::internalFunctionCallGenerator):
1666         (JSC::internalFunctionConstructGenerator):
1667         (JSC::arityFixupGenerator):
1668         (JSC::unreachableGenerator):
1669         (JSC::stringGetByValGenerator):
1670         (JSC::charToString):
1671         (JSC::charCodeAtThunkGenerator):
1672         (JSC::charAtThunkGenerator):
1673         (JSC::fromCharCodeThunkGenerator):
1674         (JSC::clz32ThunkGenerator):
1675         (JSC::sqrtThunkGenerator):
1676         (JSC::floorThunkGenerator):
1677         (JSC::ceilThunkGenerator):
1678         (JSC::truncThunkGenerator):
1679         (JSC::roundThunkGenerator):
1680         (JSC::expThunkGenerator):
1681         (JSC::logThunkGenerator):
1682         (JSC::absThunkGenerator):
1683         (JSC::imulThunkGenerator):
1684         (JSC::randomThunkGenerator):
1685         (JSC::boundThisNoArgsFunctionCallGenerator):
1686         * jit/ThunkGenerators.h:
1687         * jsc.cpp:
1688         (GlobalObject::finishCreation):
1689         (GlobalObject::addFunction):
1690         (GlobalObject::moduleLoaderImportModule):
1691         (GlobalObject::moduleLoaderResolve):
1692         (GlobalObject::moduleLoaderCreateImportMetaProperties):
1693         (functionDescribe):
1694         (functionDescribeArray):
1695         (JSCMemoryFootprint::addProperty):
1696         (functionRun):
1697         (functionRunString):
1698         (functionReadFile):
1699         (functionCallerSourceOrigin):
1700         (functionReadline):
1701         (functionDollarCreateRealm):
1702         (functionDollarEvalScript):
1703         (functionDollarAgentGetReport):
1704         (functionWaitForReport):
1705         (functionJSCOptions):
1706         (functionCheckModuleSyntax):
1707         (functionGenerateHeapSnapshotForGCDebugging):
1708         (functionWebAssemblyMemoryMode):
1709         (dumpException):
1710         (checkUncaughtException):
1711         * llint/LLIntSlowPaths.cpp:
1712         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1713         (JSC::LLInt::handleHostCall):
1714         * parser/ASTBuilder.h:
1715         (JSC::ASTBuilder::ASTBuilder):
1716         (JSC::ASTBuilder::createResolve):
1717         (JSC::ASTBuilder::createGetterOrSetterProperty):
1718         (JSC::ASTBuilder::createProperty):
1719         (JSC::ASTBuilder::createFuncDeclStatement):
1720         (JSC::ASTBuilder::makeFunctionCallNode):
1721         * parser/Lexer.cpp:
1722         (JSC::Lexer<T>::Lexer):
1723         (JSC::Lexer<LChar>::parseIdentifier):
1724         (JSC::Lexer<UChar>::parseIdentifier):
1725         * parser/Lexer.h:
1726         (JSC::Lexer<T>::lexExpectIdentifier):
1727         * parser/ModuleAnalyzer.cpp:
1728         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1729         * parser/ModuleAnalyzer.h:
1730         (JSC::ModuleAnalyzer::vm):
1731         * parser/Parser.cpp:
1732         (JSC::Parser<LexerType>::Parser):
1733         (JSC::Parser<LexerType>::parseInner):
1734         (JSC::Parser<LexerType>::isArrowFunctionParameters):
1735         (JSC::Parser<LexerType>::parseSourceElements):
1736         (JSC::Parser<LexerType>::parseModuleSourceElements):
1737         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1738         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
1739         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1740         (JSC::Parser<LexerType>::parseSingleFunction):
1741         (JSC::Parser<LexerType>::parseStatementListItem):
1742         (JSC::Parser<LexerType>::parseObjectRestAssignmentElement):
1743         (JSC::Parser<LexerType>::parseAssignmentElement):
1744         (JSC::Parser<LexerType>::parseDestructuringPattern):
1745         (JSC::Parser<LexerType>::parseForStatement):
1746         (JSC::Parser<LexerType>::parseBreakStatement):
1747         (JSC::Parser<LexerType>::parseContinueStatement):
1748         (JSC::Parser<LexerType>::parseStatement):
1749         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
1750         (JSC::Parser<LexerType>::createGeneratorParameters):
1751         (JSC::Parser<LexerType>::parseFunctionInfo):
1752         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1753         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1754         (JSC::Parser<LexerType>::parseClassDeclaration):
1755         (JSC::Parser<LexerType>::parseClass):
1756         (JSC::Parser<LexerType>::parseImportClauseItem):
1757         (JSC::Parser<LexerType>::parseImportDeclaration):
1758         (JSC::Parser<LexerType>::parseExportSpecifier):
1759         (JSC::Parser<LexerType>::parseExportDeclaration):
1760         (JSC::Parser<LexerType>::parseAssignmentExpression):
1761         (JSC::Parser<LexerType>::parseProperty):
1762         (JSC::Parser<LexerType>::parseGetterSetter):
1763         (JSC::Parser<LexerType>::parseObjectLiteral):
1764         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
1765         (JSC::Parser<LexerType>::parseClassExpression):
1766         (JSC::Parser<LexerType>::parseFunctionExpression):
1767         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
1768         (JSC::Parser<LexerType>::parsePrimaryExpression):
1769         (JSC::Parser<LexerType>::parseMemberExpression):
1770         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
1771         (JSC::Parser<LexerType>::parseUnaryExpression):
1772         * parser/Parser.h:
1773         (JSC::isArguments):
1774         (JSC::isEval):
1775         (JSC::isEvalOrArgumentsIdentifier):
1776         (JSC::Scope::Scope):
1777         (JSC::Scope::declareParameter):
1778         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1779         (JSC::Scope::collectFreeVariables):
1780         (JSC::Parser::canRecurse):
1781         (JSC::parse):
1782         (JSC::parseFunctionForFunctionConstructor):
1783         * parser/ParserArena.h:
1784         (JSC::IdentifierArena::makeIdentifier):
1785         (JSC::IdentifierArena::makeEmptyIdentifier):
1786         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
1787         (JSC::IdentifierArena::makeNumericIdentifier):
1788         * parser/SyntaxChecker.h:
1789         (JSC::SyntaxChecker::SyntaxChecker):
1790         (JSC::SyntaxChecker::createProperty):
1791         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1792         * profiler/ProfilerBytecode.cpp:
1793         (JSC::Profiler::Bytecode::toJS const):
1794         * profiler/ProfilerBytecodeSequence.cpp:
1795         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
1796         * profiler/ProfilerBytecodes.cpp:
1797         (JSC::Profiler::Bytecodes::toJS const):
1798         * profiler/ProfilerCompilation.cpp:
1799         (JSC::Profiler::Compilation::toJS const):
1800         * profiler/ProfilerCompiledBytecode.cpp:
1801         (JSC::Profiler::CompiledBytecode::toJS const):
1802         * profiler/ProfilerEvent.cpp:
1803         (JSC::Profiler::Event::toJS const):
1804         * profiler/ProfilerOSRExit.cpp:
1805         (JSC::Profiler::OSRExit::toJS const):
1806         * profiler/ProfilerOSRExitSite.cpp:
1807         (JSC::Profiler::OSRExitSite::toJS const):
1808         * profiler/ProfilerUID.cpp:
1809         (JSC::Profiler::UID::toJS const):
1810         * runtime/AbstractModuleRecord.cpp:
1811         (JSC::AbstractModuleRecord::finishCreation):
1812         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1813         (JSC::AbstractModuleRecord::resolveExportImpl):
1814         (JSC::getExportedNames):
1815         (JSC::AbstractModuleRecord::getModuleNamespace):
1816         * runtime/ArrayBufferNeuteringWatchpointSet.cpp:
1817         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
1818         * runtime/ArrayIteratorPrototype.cpp:
1819         (JSC::ArrayIteratorPrototype::finishCreation):
1820         * runtime/ArrayPrototype.cpp:
1821         (JSC::fastJoin):
1822         (JSC::arrayProtoFuncToLocaleString):
1823         (JSC::slowJoin):
1824         (JSC::arrayProtoFuncJoin):
1825         (JSC::arrayProtoFuncPush):
1826         * runtime/AsyncFunctionPrototype.cpp:
1827         (JSC::AsyncFunctionPrototype::finishCreation):
1828         * runtime/AsyncGeneratorFunctionPrototype.cpp:
1829         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
1830         * runtime/AsyncGeneratorPrototype.cpp:
1831         (JSC::AsyncGeneratorPrototype::finishCreation):
1832         * runtime/AtomicsObject.cpp:
1833         (JSC::AtomicsObject::finishCreation):
1834         (JSC::atomicsFuncWait):
1835         (JSC::operationAtomicsAdd):
1836         (JSC::operationAtomicsAnd):
1837         (JSC::operationAtomicsCompareExchange):
1838         (JSC::operationAtomicsExchange):
1839         (JSC::operationAtomicsIsLockFree):
1840         (JSC::operationAtomicsLoad):
1841         (JSC::operationAtomicsOr):
1842         (JSC::operationAtomicsStore):
1843         (JSC::operationAtomicsSub):
1844         (JSC::operationAtomicsXor):
1845         * runtime/BigIntPrototype.cpp:
1846         (JSC::BigIntPrototype::finishCreation):
1847         (JSC::bigIntProtoFuncToString):
1848         * runtime/CachedTypes.cpp:
1849         (JSC::CachedUniquedStringImplBase::decode const):
1850         (JSC::CachedIdentifier::decode const):
1851         (JSC::CachedJSValue::decode const):
1852         * runtime/CodeCache.cpp:
1853         (JSC::CodeCacheMap::pruneSlowCase):
1854         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1855         * runtime/CodeCache.h:
1856         (JSC::generateUnlinkedCodeBlockImpl):
1857         * runtime/CommonIdentifiers.cpp:
1858         (JSC::CommonIdentifiers::CommonIdentifiers):
1859         * runtime/CommonIdentifiers.h:
1860         * runtime/CommonSlowPaths.cpp:
1861         (JSC::SLOW_PATH_DECL):
1862         * runtime/Completion.cpp:
1863         (JSC::checkSyntaxInternal):
1864         (JSC::checkModuleSyntax):
1865         (JSC::loadAndEvaluateModule):
1866         (JSC::loadModule):
1867         * runtime/DateConstructor.cpp:
1868         (JSC::callDate):
1869         * runtime/DatePrototype.cpp:
1870         (JSC::formatLocaleDate):
1871         (JSC::formateDateInstance):
1872         (JSC::DatePrototype::finishCreation):
1873         (JSC::dateProtoFuncToISOString):
1874         * runtime/Error.cpp:
1875         (JSC::addErrorInfo):
1876         * runtime/ErrorInstance.cpp:
1877         (JSC::appendSourceToError):
1878         (JSC::ErrorInstance::finishCreation):
1879         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1880         * runtime/ErrorPrototype.cpp:
1881         (JSC::ErrorPrototype::finishCreation):
1882         (JSC::errorProtoFuncToString):
1883         * runtime/ExceptionHelpers.cpp:
1884         (JSC::TerminatedExecutionError::defaultValue):
1885         * runtime/FunctionPrototype.cpp:
1886         (JSC::functionProtoFuncToString):
1887         * runtime/FunctionRareData.cpp:
1888         (JSC::FunctionRareData::clear):
1889         * runtime/GeneratorFunctionPrototype.cpp:
1890         (JSC::GeneratorFunctionPrototype::finishCreation):
1891         * runtime/GeneratorPrototype.cpp:
1892         (JSC::GeneratorPrototype::finishCreation):
1893         * runtime/GenericArgumentsInlines.h:
1894         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1895         * runtime/GetterSetter.h:
1896         * runtime/Identifier.cpp:
1897         (JSC::Identifier::add):
1898         (JSC::Identifier::add8):
1899         (JSC::Identifier::from):
1900         (JSC::Identifier::checkCurrentAtomStringTable):
1901         * runtime/Identifier.h:
1902         (JSC::Identifier::fromString):
1903         (JSC::Identifier::createLCharFromUChar):
1904         (JSC::Identifier::Identifier):
1905         (JSC::Identifier::add):
1906         * runtime/IdentifierInlines.h:
1907         (JSC::Identifier::Identifier):
1908         (JSC::Identifier::add):
1909         (JSC::Identifier::fromUid):
1910         (JSC::Identifier::fromString):
1911         (JSC::identifierToJSValue):
1912         (JSC::identifierToSafePublicJSValue):
1913         * runtime/InternalFunction.cpp:
1914         (JSC::InternalFunction::finishCreation):
1915         * runtime/IntlCollator.cpp:
1916         (JSC::IntlCollator::resolvedOptions):
1917         * runtime/IntlCollatorPrototype.cpp:
1918         (JSC::IntlCollatorPrototype::finishCreation):
1919         * runtime/IntlDateTimeFormat.cpp:
1920         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
1921         (JSC::IntlDateTimeFormat::resolvedOptions):
1922         (JSC::IntlDateTimeFormat::format):
1923         (JSC::IntlDateTimeFormat::formatToParts):
1924         * runtime/IntlDateTimeFormatPrototype.cpp:
1925         (JSC::IntlDateTimeFormatPrototype::finishCreation):
1926         * runtime/IntlNumberFormat.cpp:
1927         (JSC::IntlNumberFormat::initializeNumberFormat):
1928         (JSC::IntlNumberFormat::formatNumber):
1929         (JSC::IntlNumberFormat::resolvedOptions):
1930         (JSC::IntlNumberFormat::formatToParts):
1931         * runtime/IntlNumberFormatPrototype.cpp:
1932         (JSC::IntlNumberFormatPrototype::finishCreation):
1933         * runtime/IntlObject.cpp:
1934         (JSC::lookupSupportedLocales):
1935         (JSC::supportedLocales):
1936         (JSC::intlObjectFuncGetCanonicalLocales):
1937         * runtime/IntlPluralRules.cpp:
1938         (JSC::IntlPluralRules::initializePluralRules):
1939         (JSC::IntlPluralRules::resolvedOptions):
1940         (JSC::IntlPluralRules::select):
1941         * runtime/IntlPluralRulesPrototype.cpp:
1942         (JSC::IntlPluralRulesPrototype::finishCreation):
1943         * runtime/JSArray.h:
1944         (JSC::asArray):
1945         (JSC::isJSArray):
1946         * runtime/JSArrayBufferPrototype.cpp:
1947         (JSC::JSArrayBufferPrototype::finishCreation):
1948         * runtime/JSArrayBufferView.cpp:
1949         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
1950         * runtime/JSCJSValue.cpp:
1951         (JSC::JSValue::putToPrimitiveByIndex):
1952         (JSC::JSValue::dumpForBacktrace const):
1953         (JSC::JSValue::toStringSlowCase const):
1954         * runtime/JSCJSValueInlines.h:
1955         (JSC::JSValue::toPropertyKey const):
1956         (JSC::JSValue::get const):
1957         * runtime/JSCast.h:
1958         (JSC::jsCast):
1959         * runtime/JSCell.cpp:
1960         (JSC::JSCell::dump const):
1961         (JSC::JSCell::dumpToStream):
1962         (JSC::JSCell::putByIndex):
1963         * runtime/JSCellInlines.h:
1964         (JSC::JSCell::structure const):
1965         (JSC::ExecState::vm const):
1966         (JSC::tryAllocateCellHelper):
1967         * runtime/JSDataViewPrototype.cpp:
1968         (JSC::JSDataViewPrototype::finishCreation):
1969         * runtime/JSFixedArray.cpp:
1970         (JSC::JSFixedArray::dumpToStream):
1971         * runtime/JSFunction.cpp:
1972         (JSC::JSFunction::finishCreation):
1973         (JSC::RetrieveCallerFunctionFunctor::operator() const):
1974         (JSC::JSFunction::reifyName):
1975         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1976         (JSC::JSFunction::assertTypeInfoFlagInvariants):
1977         * runtime/JSGenericTypedArrayViewInlines.h:
1978         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
1979         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
1980         * runtime/JSGlobalObject.cpp:
1981         (JSC::JSGlobalObject::init):
1982         (JSC::JSGlobalObject::exposeDollarVM):
1983         * runtime/JSGlobalObjectFunctions.cpp:
1984         (JSC::encode):
1985         (JSC::decode):
1986         (JSC::globalFuncEscape):
1987         (JSC::globalFuncUnescape):
1988         (JSC::globalFuncBuiltinDescribe):
1989         * runtime/JSLexicalEnvironment.cpp:
1990         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1991         * runtime/JSModuleEnvironment.cpp:
1992         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1993         (JSC::JSModuleEnvironment::put):
1994         (JSC::JSModuleEnvironment::deleteProperty):
1995         * runtime/JSModuleLoader.cpp:
1996         (JSC::JSModuleLoader::finishCreation):
1997         (JSC::JSModuleLoader::requestImportModule):
1998         (JSC::moduleLoaderParseModule):
1999         (JSC::moduleLoaderRequestedModules):
2000         * runtime/JSModuleNamespaceObject.cpp:
2001         (JSC::JSModuleNamespaceObject::finishCreation):
2002         (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex):
2003         * runtime/JSModuleRecord.cpp:
2004         (JSC::JSModuleRecord::instantiateDeclarations):
2005         * runtime/JSONObject.cpp:
2006         (JSC::JSONObject::finishCreation):
2007         (JSC::PropertyNameForFunctionCall::value const):
2008         (JSC::Stringifier::Stringifier):
2009         (JSC::Stringifier::stringify):
2010         (JSC::Stringifier::Holder::appendNextProperty):
2011         (JSC::Walker::walk):
2012         * runtime/JSObject.cpp:
2013         (JSC::getClassPropertyNames):
2014         (JSC::JSObject::getOwnPropertySlotByIndex):
2015         (JSC::JSObject::putByIndex):
2016         (JSC::JSObject::deletePropertyByIndex):
2017         (JSC::JSObject::toString const):
2018         (JSC::JSObject::reifyAllStaticProperties):
2019         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2020         * runtime/JSObject.h:
2021         (JSC::JSObject::putByIndexInline):
2022         (JSC::JSObject::butterflyPreCapacity):
2023         (JSC::JSObject::butterflyTotalSize):
2024         (JSC::makeIdentifier):
2025         * runtime/JSPromisePrototype.cpp:
2026         (JSC::JSPromisePrototype::finishCreation):
2027         * runtime/JSPropertyNameEnumerator.cpp:
2028         (JSC::JSPropertyNameEnumerator::finishCreation):
2029         * runtime/JSPropertyNameEnumerator.h:
2030         (JSC::propertyNameEnumerator):
2031         * runtime/JSRunLoopTimer.cpp:
2032         (JSC::JSRunLoopTimer::JSRunLoopTimer):
2033         * runtime/JSRunLoopTimer.h:
2034         * runtime/JSString.cpp:
2035         (JSC::JSString::dumpToStream):
2036         (JSC::JSRopeString::resolveRopeWithFunction const):
2037         (JSC::jsStringWithCacheSlowCase):
2038         * runtime/JSString.h:
2039         (JSC::jsEmptyString):
2040         (JSC::jsSingleCharacterString):
2041         (JSC::jsNontrivialString):
2042         (JSC::JSString::toIdentifier const):
2043         (JSC::JSString::toAtomString const):
2044         (JSC::JSString::toExistingAtomString const):
2045         (JSC::JSString::value const):
2046         (JSC::JSString::tryGetValue const):
2047         (JSC::JSString::getIndex):
2048         (JSC::jsString):
2049         (JSC::jsSubstring):
2050         (JSC::jsOwnedString):
2051         (JSC::jsStringWithCache):
2052         (JSC::JSRopeString::unsafeView const):
2053         (JSC::JSRopeString::viewWithUnderlyingString const):
2054         (JSC::JSString::unsafeView const):
2055         * runtime/JSStringInlines.h:
2056         (JSC::jsMakeNontrivialString):
2057         (JSC::repeatCharacter):
2058         * runtime/JSStringJoiner.cpp:
2059         (JSC::JSStringJoiner::join):
2060         * runtime/JSSymbolTableObject.cpp:
2061         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2062         * runtime/JSTemplateObjectDescriptor.cpp:
2063         (JSC::JSTemplateObjectDescriptor::createTemplateObject):
2064         * runtime/JSTypedArrayViewPrototype.cpp:
2065         (JSC::typedArrayViewProtoGetterFuncToStringTag):
2066         * runtime/LazyClassStructure.cpp:
2067         (JSC::LazyClassStructure::Initializer::setConstructor):
2068         * runtime/LazyProperty.h:
2069         (JSC::LazyProperty::Initializer::Initializer):
2070         * runtime/LiteralParser.cpp:
2071         (JSC::LiteralParser<CharType>::tryJSONPParse):
2072         (JSC::LiteralParser<CharType>::makeIdentifier):
2073         (JSC::LiteralParser<CharType>::parse):
2074         * runtime/Lookup.h:
2075         (JSC::reifyStaticProperties):
2076         * runtime/MapIteratorPrototype.cpp:
2077         (JSC::MapIteratorPrototype::finishCreation):
2078         * runtime/MapPrototype.cpp:
2079         (JSC::MapPrototype::finishCreation):
2080         * runtime/MathObject.cpp:
2081         (JSC::MathObject::finishCreation):
2082         * runtime/NumberConstructor.cpp:
2083         (JSC::NumberConstructor::finishCreation):
2084         * runtime/NumberPrototype.cpp:
2085         (JSC::numberProtoFuncToExponential):
2086         (JSC::numberProtoFuncToFixed):
2087         (JSC::numberProtoFuncToPrecision):
2088         (JSC::int32ToStringInternal):
2089         (JSC::numberToStringInternal):
2090         (JSC::int52ToString):
2091         * runtime/ObjectConstructor.cpp:
2092         (JSC::objectConstructorGetOwnPropertyDescriptors):
2093         (JSC::objectConstructorAssign):
2094         (JSC::objectConstructorValues):
2095         (JSC::defineProperties):
2096         (JSC::setIntegrityLevel):
2097         (JSC::testIntegrityLevel):
2098         (JSC::ownPropertyKeys):
2099         * runtime/ObjectPrototype.cpp:
2100         (JSC::objectProtoFuncToString):
2101         * runtime/Operations.h:
2102         (JSC::jsString):
2103         (JSC::jsStringFromRegisterArray):
2104         (JSC::jsStringFromArguments):
2105         * runtime/ProgramExecutable.cpp:
2106         (JSC::ProgramExecutable::initializeGlobalProperties):
2107         * runtime/PromiseDeferredTimer.cpp:
2108         (JSC::PromiseDeferredTimer::PromiseDeferredTimer):
2109         (JSC::PromiseDeferredTimer::hasPendingPromise):
2110         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
2111         (JSC::PromiseDeferredTimer::cancelPendingPromise):
2112         * runtime/PropertyNameArray.h:
2113         (JSC::PropertyNameArray::PropertyNameArray):
2114         (JSC::PropertyNameArray::vm):
2115         * runtime/PropertySlot.h:
2116         (JSC::PropertySlot::getValue const):
2117         * runtime/ProxyObject.cpp:
2118         (JSC::performProxyGet):
2119         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2120         (JSC::ProxyObject::performHasProperty):
2121         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2122         (JSC::ProxyObject::performPut):
2123         (JSC::ProxyObject::putByIndexCommon):
2124         (JSC::ProxyObject::performDelete):
2125         (JSC::ProxyObject::deletePropertyByIndex):
2126         (JSC::ProxyObject::performDefineOwnProperty):
2127         (JSC::ProxyObject::performGetOwnPropertyNames):
2128         * runtime/RegExpGlobalData.cpp:
2129         (JSC::RegExpGlobalData::getBackref):
2130         (JSC::RegExpGlobalData::getLastParen):
2131         * runtime/RegExpMatchesArray.cpp:
2132         (JSC::createEmptyRegExpMatchesArray):
2133         * runtime/RegExpMatchesArray.h:
2134         (JSC::createRegExpMatchesArray):
2135         * runtime/RegExpPrototype.cpp:
2136         (JSC::regExpProtoGetterFlags):
2137         (JSC::regExpProtoGetterSourceInternal):
2138         (JSC::regExpProtoGetterSource):
2139         * runtime/RegExpStringIteratorPrototype.cpp:
2140         (JSC::RegExpStringIteratorPrototype::finishCreation):
2141         * runtime/SamplingProfiler.cpp:
2142         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2143         * runtime/ScriptExecutable.cpp:
2144         (JSC::ScriptExecutable::installCode):
2145         (JSC::ScriptExecutable::newCodeBlockFor):
2146         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
2147         (JSC::setupJIT):
2148         * runtime/SetIteratorPrototype.cpp:
2149         (JSC::SetIteratorPrototype::finishCreation):
2150         * runtime/SetPrototype.cpp:
2151         (JSC::SetPrototype::finishCreation):
2152         * runtime/StackFrame.cpp:
2153         (JSC::StackFrame::computeLineAndColumn const):
2154         * runtime/StringConstructor.cpp:
2155         (JSC::stringFromCharCode):
2156         (JSC::stringFromCodePoint):
2157         (JSC::stringConstructor):
2158         (JSC::callStringConstructor):
2159         * runtime/StringIteratorPrototype.cpp:
2160         (JSC::StringIteratorPrototype::finishCreation):
2161         * runtime/StringObject.cpp:
2162         (JSC::StringObject::getOwnPropertySlotByIndex):
2163         (JSC::StringObject::getOwnPropertyNames):
2164         * runtime/StringObject.h:
2165         (JSC::StringObject::create):
2166         (JSC::jsStringWithReuse):
2167         (JSC::jsSubstring):
2168         * runtime/StringPrototype.cpp:
2169         (JSC::StringPrototype::finishCreation):
2170         (JSC::StringPrototype::create):
2171         (JSC::jsSpliceSubstrings):
2172         (JSC::jsSpliceSubstringsWithSeparators):
2173         (JSC::replaceUsingRegExpSearch):
2174         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
2175         (JSC::operationStringProtoFuncReplaceRegExpString):
2176         (JSC::replaceUsingStringSearch):
2177         (JSC::operationStringProtoFuncReplaceGeneric):
2178         (JSC::stringProtoFuncCharAt):
2179         (JSC::stringProtoFuncSplitFast):
2180         (JSC::stringProtoFuncSubstr):
2181         (JSC::stringProtoFuncToLowerCase):
2182         (JSC::stringProtoFuncToUpperCase):
2183         (JSC::toLocaleCase):
2184         (JSC::trimString):
2185         (JSC::normalize):
2186         * runtime/StringPrototypeInlines.h:
2187         (JSC::stringSlice):
2188         * runtime/StringRecursionChecker.cpp:
2189         (JSC::StringRecursionChecker::emptyString):
2190         * runtime/Structure.cpp:
2191         (JSC::Structure::didTransitionFromThisStructure const):
2192         * runtime/StructureInlines.h:
2193         (JSC::Structure::didReplaceProperty):
2194         (JSC::Structure::shouldConvertToPolyProto):
2195         * runtime/SymbolConstructor.cpp:
2196         (JSC::symbolConstructorKeyFor):
2197         * runtime/SymbolPrototype.cpp:
2198         (JSC::SymbolPrototype::finishCreation):
2199         (JSC::symbolProtoGetterDescription):
2200         (JSC::symbolProtoFuncToString):
2201         * runtime/SymbolTable.cpp:
2202         (JSC::SymbolTable::setRareDataCodeBlock):
2203         * runtime/TestRunnerUtils.cpp:
2204         (JSC::getExecutableForFunction):
2205         * runtime/VM.cpp:
2206         (JSC::VM::VM):
2207         (JSC::VM::getHostFunction):
2208         (JSC::VM::getCTIInternalFunctionTrampolineFor):
2209         (JSC::VM::shrinkFootprintWhenIdle):
2210         (JSC::logSanitizeStack):
2211         (JSC::sanitizeStackForVM):
2212         (JSC::VM::emptyPropertyNameEnumeratorSlow):
2213         * runtime/VM.h:
2214         (JSC::VM::getCTIStub):
2215         (JSC::WeakSet::heap const):
2216         * runtime/VMTraps.cpp:
2217         * runtime/WeakMapPrototype.cpp:
2218         (JSC::WeakMapPrototype::finishCreation):
2219         * runtime/WeakObjectRefPrototype.cpp:
2220         (JSC::WeakObjectRefPrototype::finishCreation):
2221         * runtime/WeakSetPrototype.cpp:
2222         (JSC::WeakSetPrototype::finishCreation):
2223         * tools/HeapVerifier.cpp:
2224         (JSC::HeapVerifier::printVerificationHeader):
2225         (JSC::HeapVerifier::verifyCellList):
2226         (JSC::HeapVerifier::validateJSCell):
2227         (JSC::HeapVerifier::reportCell):
2228         * tools/JSDollarVM.cpp:
2229         (JSC::JSDollarVMCallFrame::finishCreation):
2230         (JSC::JSDollarVMCallFrame::addProperty):
2231         (JSC::CustomGetter::getOwnPropertySlot):
2232         (JSC::CustomGetter::customGetter):
2233         (JSC::CustomGetter::customGetterAcessor):
2234         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
2235         (JSC::DOMJITGetter::finishCreation):
2236         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2237         (JSC::DOMJITGetterComplex::finishCreation):
2238         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
2239         (JSC::DOMJITFunctionObject::finishCreation):
2240         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
2241         (JSC::DOMJITCheckSubClassObject::finishCreation):
2242         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2243         (JSC::DOMJITGetterBaseJSObject::finishCreation):
2244         (JSC::customSetAccessor):
2245         (JSC::customSetValue):
2246         (JSC::JSTestCustomGetterSetter::finishCreation):
2247         (JSC::WasmStreamingParser::finishCreation):
2248         (JSC::getExecutableForFunction):
2249         (JSC::functionCodeBlockFor):
2250         (JSC::functionIndexingMode):
2251         (JSC::functionValue):
2252         (JSC::functionCreateBuiltin):
2253         (JSC::functionGetPrivateProperty):
2254         (JSC::JSDollarVM::finishCreation):
2255         (JSC::JSDollarVM::addFunction):
2256         (JSC::JSDollarVM::addConstructibleFunction):
2257         * tools/VMInspector.cpp:
2258         (JSC::VMInspector::dumpRegisters):
2259         (JSC::VMInspector::dumpCellMemoryToStream):
2260         * wasm/WasmInstance.cpp:
2261         (JSC::Wasm::Instance::setGlobal):
2262         (JSC::Wasm::Instance::setFunctionWrapper):
2263         (JSC::Wasm::setWasmTableElement):
2264         (JSC::Wasm::doWasmRefFunc):
2265         * wasm/WasmTable.cpp:
2266         (JSC::Wasm::Table::set):
2267         (JSC::Wasm::FuncRefTable::setFunction):
2268         * wasm/js/JSWebAssembly.cpp:
2269         (JSC::resolve):
2270         * wasm/js/JSWebAssemblyInstance.cpp:
2271         (JSC::JSWebAssemblyInstance::create):
2272         * wasm/js/WasmToJS.cpp:
2273         (JSC::Wasm::handleBadI64Use):
2274         (JSC::Wasm::wasmToJS):
2275         (JSC::Wasm::wasmToJSException):
2276         * wasm/js/WebAssemblyFunction.cpp:
2277         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2278         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2279         (JSC::constructJSWebAssemblyMemory):
2280         * wasm/js/WebAssemblyModuleConstructor.cpp:
2281         (JSC::webAssemblyModuleImports):
2282         (JSC::webAssemblyModuleExports):
2283         * wasm/js/WebAssemblyModuleRecord.cpp:
2284         (JSC::WebAssemblyModuleRecord::finishCreation):
2285         (JSC::WebAssemblyModuleRecord::link):
2286         * wasm/js/WebAssemblyTableConstructor.cpp:
2287         (JSC::constructJSWebAssemblyTable):
2288
2289 2019-08-27  Devin Rousso  <drousso@apple.com>
2290
2291         Web Inspector: don't attach properties to `injectedScript` for the CommandLineAPI
2292         https://bugs.webkit.org/show_bug.cgi?id=201193
2293
2294         Reviewed by Joseph Pecoraro.
2295
2296         For some reason, adding `injectedScript._inspectObject` inside CommandLineAPIModuleSource.js
2297         causes inspector/debugger/tail-deleted-frames-this-value.html to fail.
2298
2299         We should have a similar approach to adding command line api getters and functions, in that
2300         the CommandLineAPIModuleSource.js calls a function with a callback.
2301
2302         * inspector/InjectedScriptSource.js:
2303         (InjectedScript.prototype.inspectObject):
2304         (InjectedScript.prototype.setInspectObject): Added.
2305         (InjectedScript.prototype._evaluateOn):
2306
2307 2019-08-27  Mark Lam  <mark.lam@apple.com>
2308
2309         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
2310         https://bugs.webkit.org/show_bug.cgi?id=201196
2311         <rdar://problem/54703775>
2312
2313         Reviewed by Yusuke Suzuki.
2314
2315         * runtime/FunctionConstructor.cpp:
2316         (JSC::constructFunctionSkippingEvalEnabledCheck):
2317
2318 2019-08-27  Keith Miller  <keith_miller@apple.com>
2319
2320         When dumping Air Graphs BBQ should dump patchpoints.
2321         https://bugs.webkit.org/show_bug.cgi?id=201167
2322
2323         Reviewed by Filip Pizlo.
2324
2325         * wasm/WasmAirIRGenerator.cpp:
2326         (JSC::Wasm::AirIRGenerator:: const):
2327         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2328         (JSC::Wasm::parseAndCompileAir):
2329
2330 2019-08-27  Basuke Suzuki  <Basuke.Suzuki@sony.com>
2331
2332         [RemoteInspector][Socket] Restructuring the components of Socket implementation
2333         https://bugs.webkit.org/show_bug.cgi?id=201079
2334
2335         Reviewed by Ross Kirsling.
2336
2337         Since the change for WeakPtr in r248386, our port started hitting an assertion failure on the usage of
2338         RemoteInspectorSocketEndpoint. We have to send a message to the connection client, but if that
2339         has to be done in the same thread in which the WeakPtr was generated, it's a slightly stronger
2340         restriction for us to handle. In this restructuring, we stop using WeakPtr to
2341         resolve the circular dependency, and instead use a reference with an invalidation method, because
2342         everything is under our control.
2343
2344         - Make SocketEndpoint a singleton. This class represents a central place to handle socket
2345           connections and there's no need to instantiate more than one in a process. Once every
2346           connection goes away, it just starts sleeping until the next connection is created. Very low
2347           resource usage when it is idle.
2348         - Move the Socket::Connection structure from a global definition to a SocketEndpoint-local
2349           structure. It is directly used in SocketEndpoint privately.
2350         - Move responsibility for the message encoding/decoding task from SocketEndpoint to
2351           ConnectionClient. Make SocketEndpoint as plain a socket handler as possible, to keep it
2352           simple enough to exist over a long span.
2353         - Extract an interface from ConnectionClient as SocketEndpoint::Client, which is required
2354           to work with SocketEndpoint. Now SocketEndpoint is very independent of the others.
2355           SocketEndpoint::Client is the required parameter to create a connection.
2356
2357         Many responsibilities are moved into ConnectionClient, which was a thin interface for
2358         communication between RemoteInspector, RemoteInspectorServer and RemoteInspectorClient.
2359         It now handles the following:
2360         - life cycle of a connection: create, listen and close or invalidation
2361         - sending and receiving data packed in a message.
2362
2363         RemoteInspector and RemoteInspectorServer are now free from creation of SocketEndpoint.
2364         All communication to SocketEndpoint is now the duty of the superclass.
2365
2366         * inspector/remote/RemoteInspector.h:
2367         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
2368         (Inspector::RemoteInspectorConnectionClient::~RemoteInspectorConnectionClient): Invalidate all connections.
2369         (Inspector::RemoteInspectorConnectionClient::connectInet): Add itself as a listener of socket.
2370         (Inspector::RemoteInspectorConnectionClient::listenInet): Ditto.
2371         (Inspector::RemoteInspectorConnectionClient::createClient): Ditto.
2372         (Inspector::RemoteInspectorConnectionClient::send): Add message processing.
2373         (Inspector::RemoteInspectorConnectionClient::didReceive): Ditto.
2374         (Inspector::RemoteInspectorConnectionClient::extractEvent): Extracted from send.
2375         * inspector/remote/socket/RemoteInspectorConnectionClient.h:
2376         * inspector/remote/socket/RemoteInspectorMessageParser.cpp:
2377         (Inspector::MessageParser::MessageParser):
2378         (Inspector::MessageParser::pushReceivedData):
2379         (Inspector::MessageParser::parse):
2380         * inspector/remote/socket/RemoteInspectorMessageParser.h:
2381         (Inspector::MessageParser::MessageParser):
2382         (Inspector::MessageParser::Function<void):
2383         * inspector/remote/socket/RemoteInspectorServer.cpp:
2384         (Inspector::RemoteInspectorServer::connect): Remove direct communication to Socket Endpoint.
2385         (Inspector::RemoteInspectorServer::listenForTargets): Ditto.
2386         (Inspector::RemoteInspectorServer::sendWebInspectorEvent): Ditto.
2387         (Inspector::RemoteInspectorServer::start): Ditto.
2388         * inspector/remote/socket/RemoteInspectorServer.h:
2389         * inspector/remote/socket/RemoteInspectorSocket.cpp:
2390         (Inspector::RemoteInspector::sendWebInspectorEvent): Remove direct communication to Socket Endpoint.
2391         (Inspector::RemoteInspector::start): Ditto.
2392         (Inspector::RemoteInspector::stopInternal): Ditto.
2393         (Inspector::RemoteInspector::pushListingsNow): Change the target of validity check to ID.
2394         (Inspector::RemoteInspector::pushListingsSoon): Ditto.
2395         (Inspector::RemoteInspector::sendMessageToRemote): Ditto.
2396         * inspector/remote/socket/RemoteInspectorSocket.h: Move Connection structure to RemoteInspectorSocketEndpoint.
2397         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
2398         (Inspector::RemoteInspectorSocketEndpoint::singleton): Added.
2399         (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint): Use hard-coded thread name.
2400         (Inspector::RemoteInspectorSocketEndpoint::connectInet): Accept RemoteInspectorSocketEndpoint::Client as listener.
2401         (Inspector::RemoteInspectorSocketEndpoint::listenInet): Ditto.
2402         (Inspector::RemoteInspectorSocketEndpoint::createClient): Ditto.
2403         (Inspector::RemoteInspectorSocketEndpoint::invalidateClient): Added. Invalidate all connections from the client.
2404         (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled): Remove message parser handling.
2405         (Inspector::RemoteInspectorSocketEndpoint::send): Remove message packing.
2406         (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
2407         * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
2408         (Inspector::RemoteInspectorSocketEndpoint::Connection::Connection):
2409
2410 2019-08-26  Devin Rousso  <drousso@apple.com>
2411
2412         Web Inspector: use more C++ keywords for defining agents
2413         https://bugs.webkit.org/show_bug.cgi?id=200959
2414
2415         Reviewed by Joseph Pecoraro.
2416
2417         - make constructors `protected` when the agent isn't meant to be constructed directly
2418         - add `virtual` destructors that are defined in the *.cpp so forward-declarations work
2419         - use `final` wherever possible
2420         - add comments to indicate where any virtual functions come from
2421
2422         * inspector/agents/InspectorAgent.h:
2423         * inspector/agents/InspectorAgent.cpp:
2424         * inspector/agents/InspectorAuditAgent.h:
2425         * inspector/agents/InspectorAuditAgent.cpp:
2426         * inspector/agents/InspectorConsoleAgent.h:
2427         * inspector/agents/InspectorConsoleAgent.cpp:
2428         * inspector/agents/InspectorDebuggerAgent.h:
2429         * inspector/agents/InspectorDebuggerAgent.cpp:
2430         * inspector/agents/InspectorHeapAgent.h:
2431         * inspector/agents/InspectorHeapAgent.cpp:
2432         * inspector/agents/InspectorRuntimeAgent.h:
2433         * inspector/agents/InspectorScriptProfilerAgent.h:
2434         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2435         * inspector/agents/InspectorTargetAgent.h:
2436         * inspector/agents/InspectorTargetAgent.cpp:
2437         * inspector/agents/JSGlobalObjectAuditAgent.h:
2438         * inspector/agents/JSGlobalObjectAuditAgent.cpp:
2439         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2440         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2441         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2442         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2443
2444 2019-08-26  Devin Rousso  <drousso@apple.com>
2445
2446         Web Inspector: unify agent command error messages
2447         https://bugs.webkit.org/show_bug.cgi?id=200950
2448
2449         Reviewed by Joseph Pecoraro.
2450
2451         Different agents can sometimes have different error messages for commands that have a
2452         similar intended effect.  We should make our error messages more similar.
2453
2454         * inspector/JSGlobalObjectConsoleClient.cpp:
2455         * inspector/agents/InspectorAgent.cpp:
2456         * inspector/agents/InspectorAuditAgent.cpp:
2457         * inspector/agents/InspectorConsoleAgent.cpp:
2458         * inspector/agents/InspectorDebuggerAgent.cpp:
2459         * inspector/agents/InspectorHeapAgent.cpp:
2460         * inspector/agents/InspectorRuntimeAgent.cpp:
2461         * inspector/agents/InspectorTargetAgent.cpp:
2462         * inspector/agents/JSGlobalObjectAuditAgent.cpp:
2463         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2464         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2465         Elide function lists to avoid an extremely large ChangeLog entry.
2466
2467 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
2468
2469         [JSC] Ensure x?.y ?? z is fast
2470         https://bugs.webkit.org/show_bug.cgi?id=200875
2471
2472         Reviewed by Yusuke Suzuki.
2473
2474         We anticipate `x?.y ?? z` to quickly become a common idiom in JS. With a little bytecode rearrangement,
2475         we can avoid the "load undefined and check it" dance in the middle and just turn this into two jumps.
2476
2477         Before:
2478                 (get x)
2479           ----- jundefined_or_null
2480           |     (get y)
2481           | --- jmp
2482           > |   (load undefined)
2483             > - jnundefined_or_null
2484               | (get z)
2485               > end
2486
2487         After:
2488                 (get x)
2489             --- jundefined_or_null
2490             |   (get y)
2491             | - jnundefined_or_null
2492             > | (get z)
2493               > end
2494
2495         * bytecompiler/BytecodeGenerator.cpp:
2496         (JSC::BytecodeGenerator::popOptionalChainTarget): Added specialization.
2497         * bytecompiler/BytecodeGenerator.h:
2498         * bytecompiler/NodesCodegen.cpp:
2499         (JSC::CoalesceNode::emitBytecode):
2500         (JSC::OptionalChainNode::emitBytecode):
2501         * parser/ASTBuilder.h:
2502         (JSC::ASTBuilder::makeDeleteNode):
2503         (JSC::ASTBuilder::makeCoalesceNode): Added.
2504         (JSC::ASTBuilder::makeBinaryNode):
2505         * parser/NodeConstructors.h:
2506         (JSC::CoalesceNode::CoalesceNode):
2507         * parser/Nodes.h:
2508         (JSC::ExpressionNode::isDeleteNode const): Added. (Replaces OptionalChainNode::m_isDelete.)
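
The bytecode rearrangement described in the entry above, as an added example that is not part of the WebKit entry or of JSC's code: a small JavaScript accumulator-machine interpreter runs both the "before" and "after" instruction shapes from the diagrams and checks that they, and the engine's own `x?.y ?? z`, agree on every class of input the jumps distinguish. The instruction encoding, the `run`, `evaluateBoth` and `allAgree` helpers, and the sample environments are assumptions of this example, not JSC's real bytecode format.

```javascript
// Added example (not WebKit code): a tiny accumulator-machine interpreter that
// runs the "before" and "after" bytecode shapes from the entry above and shows
// they evaluate `x?.y ?? z` identically. Instruction names mirror the entry's
// diagram; the encoding itself is an assumption of this example.

function run(program, env) {
  let acc; // accumulator: result of the last load, like JSC's acc register
  let pc = 0;
  let steps = 0;
  for (;;) {
    if (++steps > 64) throw new Error("runaway program");
    const ins = program[pc];
    switch (ins.op) {
      case "get_var":             acc = env[ins.name]; pc += 1; break;
      // get_prop would throw on a nullish receiver, which is why the guard jump
      // before it must survive any rearrangement.
      case "get_prop":            acc = acc[ins.name]; pc += 1; break;
      case "load_undefined":      acc = undefined; pc += 1; break;
      case "jundefined_or_null":  pc = (acc === null || acc === undefined) ? ins.target : pc + 1; break;
      case "jnundefined_or_null": pc = (acc !== null && acc !== undefined) ? ins.target : pc + 1; break;
      case "jmp":                 pc = ins.target; break;
      case "end":                 return acc;
      default: throw new Error("unknown op " + ins.op);
    }
  }
}

// Before: the nullish branch loads undefined and then re-tests it.
const BEFORE = [
  { op: "get_var", name: "x" },              // 0
  { op: "jundefined_or_null", target: 4 },   // 1  -> load undefined
  { op: "get_prop", name: "y" },             // 2
  { op: "jmp", target: 5 },                  // 3  -> jnundefined_or_null
  { op: "load_undefined" },                  // 4
  { op: "jnundefined_or_null", target: 7 },  // 5  -> end
  { op: "get_var", name: "z" },              // 6
  { op: "end" },                             // 7
];

// After: a nullish x jumps straight to (get z); the "load undefined and check it"
// step in the middle is gone, leaving just two jumps.
const AFTER = [
  { op: "get_var", name: "x" },              // 0
  { op: "jundefined_or_null", target: 4 },   // 1  -> get z
  { op: "get_prop", name: "y" },             // 2
  { op: "jnundefined_or_null", target: 5 },  // 3  -> end
  { op: "get_var", name: "z" },              // 4
  { op: "end" },                             // 5
];

// Evaluate both programs for one environment, alongside the reference
// expression as the host engine evaluates it.
function evaluateBoth(env) {
  const { x, z } = env;
  return {
    before: run(BEFORE, env),
    after: run(AFTER, env),
    reference: x?.y ?? z,
  };
}

// Constructed inputs covering the cases the jumps distinguish: x nullish,
// x.y nullish, and x.y falsy-but-not-nullish (which `??` must keep).
const SAMPLE_ENVS = [
  { x: { y: 1 }, z: 9 },
  { x: null, z: 9 },
  { x: undefined, z: 9 },
  { x: { y: null }, z: 9 },
  { x: {}, z: 9 },
  { x: { y: 0 }, z: 9 },
  { x: { y: "" }, z: 9 },
  { x: { y: false }, z: 9 },
];

// True when every sample agrees across before, after and the reference.
function allAgree() {
  return SAMPLE_ENVS.every((env) => {
    const r = evaluateBoth(env);
    return Object.is(r.before, r.after) && Object.is(r.after, r.reference);
  });
}
```

The point worth checking when reviewing a rearrangement like this is that only the redundant reload of `undefined` disappears: the `jundefined_or_null` guard in front of `(get y)` is still there, so a nullish `x` never reaches the property load, and the falsy-but-not-nullish cases (`0`, `""`, `false`) still bypass `z` exactly as `??` requires.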
2509
2510 2019-08-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2511
2512         Missing media controls when WebKit is built with Python3
2513         https://bugs.webkit.org/show_bug.cgi?id=194367
2514
2515         Reviewed by Carlos Garcia Campos.
2516
2517         The JavaScript minifier script jsmin.py expects a text stream
2518         with text type as input, but the script make-js-file-arrays.py
2519         was passing to it a FileIO() object. So, when the jsmin script
2520         called read() over this object, python3 was returning a type of
2521         bytes, but for python2 it returns type str.
2522
2523         This caused two problems: first that jsmin failed to do any minifying
2524         because it was comparing strings with a variable of type bytes.
2525         The second major problem was in the write() function, when the
2526         jsmin script tried to convert a byte character to text by calling
2527         str() on it. Because what this does is not to convert from byte
2528         type to string, but to simply generate a string with the format b'c'.
2529         So the jsmin script was returning back as minified JS complete
2530         garbage in the form of "b't'b'h'b'h'b'i" for python3.
2531
2532         Therefore, when WebKit was built with python3 this broke everything
2533         that depended on the embedded JS code that make-js-file-arrays.py
2534         was supposed to generate, like the media controls and the WebDriver
2535         atoms.
2536
2537         Fix this by reworking the code in make-js-file-arrays script to
2538         read the data from the file using a TextIOWrapper in python 3
2539         with decoding for 'utf-8'. This ensures that the jsmin receives
2540         a text type. For python2 keep using the same FileIO class.
2541
2542         On the jsmin.py script remove the problematic call to str() inside
2543         the write() function when running with python3.
2544         On top of that, add an extra check in jsmin.py script to make it
2545         fail if the character type read is not the one expected. This
2546         will cause the build to fail instead of failing silently like
2547         now. I did some tests and the runtime cost of this extra check
2548         is almost zero.
2549
2550         * Scripts/jsmin.py:
2551         (JavascriptMinify.minify.write):
2552         (JavascriptMinify):
2553         * Scripts/make-js-file-arrays.py:
2554         (main):
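
The failure mode and the two-part fix described in this entry, as an added example (not WebKit's jsmin.py or make-js-file-arrays.py): a constructed in-memory "file" is read once as a binary stream with the old `str()` conversion, producing the `b'.'`-per-character garbage, and once through a `TextIOWrapper` with a type check that aborts instead of silently corrupting the output. The function names and the one-character copy loop are my simplification of the minifier's read/write path.

```python
# Added example (not WebKit's jsmin.py or make-js-file-arrays.py): reproduces
# the Python 3 failure described in the entry on a constructed in-memory
# "file", then shows the two parts of the fix: decode the stream to text
# before it reaches the minifier, and fail loudly if a non-text character
# ever shows up.
import io


def open_js_source(raw: bytes) -> io.TextIOWrapper:
    """Like the fixed make-js-file-arrays.py: wrap the binary stream so that
    read() returns str, not bytes. `raw` stands in for the file's contents."""
    return io.TextIOWrapper(io.BytesIO(raw), encoding="utf-8")


def broken_write(ch):
    """The pre-fix write(): str() on a length-1 bytes object does not decode
    it, it produces its repr, e.g. b't' -> "b't'"."""
    return str(ch)


def checked_write(ch):
    """The post-fix write(): the minifier only ever expects one-character
    str values; anything else aborts instead of silently corrupting output."""
    if not isinstance(ch, str) or len(ch) != 1:
        raise TypeError(
            f"jsmin expected a one-character str, got {type(ch).__name__}: {ch!r}")
    return ch


def copy_chars(stream, write):
    """Minimal stand-in for the minifier's read-one-character loop; a real
    minifier drops whitespace and comments, this just forwards every character
    through write() so the type behaviour is isolated."""
    out = []
    while True:
        ch = stream.read(1)
        if not ch:
            return "".join(out)
        out.append(write(ch))


def minify_broken(raw: bytes) -> str:
    """Binary stream + str() conversion: the garbage the entry describes."""
    return copy_chars(io.BytesIO(raw), broken_write)


def minify_fixed(raw: bytes) -> str:
    """Text stream + type check: the intended behaviour."""
    return copy_chars(open_js_source(raw), checked_write)


def fails_loudly_on_binary_stream(raw: bytes) -> bool:
    """True if feeding a binary stream to the checked writer raises, which is
    what makes the build fail instead of embedding corrupted JavaScript."""
    try:
        copy_chars(io.BytesIO(raw), checked_write)
    except TypeError:
        return True
    return False
```

Running `minify_broken(b"this")` yields `b't'b'h'b'i'b's'`, the same shape of output the entry reports; the check in `checked_write` is what turns that silent corruption into a build failure.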
2555
2556 2019-08-23  Devin Rousso  <drousso@apple.com>
2557
2558         Web Inspector: create additional command line api functions for other console methods
2559         https://bugs.webkit.org/show_bug.cgi?id=200971
2560
2561         Reviewed by Joseph Pecoraro.
2562
2563         Expose all `console.*` functions in the command line API, since they're all already able to
2564         be referenced via the `console` object.
2565
2566         Provide a simpler interface for other injected scripts to modify the command line API.
2567
2568         * inspector/InjectedScriptModule.cpp:
2569         (Inspector::InjectedScriptModule::ensureInjected):
2570
2571         * inspector/InjectedScriptSource.js:
2572         (InjectedScript.prototype.inspectObject):
2573         (InjectedScript.prototype.addCommandLineAPIGetter): Added.
2574         (InjectedScript.prototype.addCommandLineAPIMethod): Added.
2575         (InjectedScript.prototype.hasInjectedModule): Added.
2576         (InjectedScript.prototype.injectModule):
2577         (InjectedScript.prototype._evaluateOn):
2578         (InjectedScript.CommandLineAPI): Added.
2579         (InjectedScript.prototype.module): Deleted.
2580         (InjectedScript.prototype._savedResult): Deleted.
2581         (bind): Deleted.
2582         (BasicCommandLineAPI): Deleted.
2583         (clear): Deleted.
2584         (table): Deleted.
2585         (profile): Deleted.
2586         (profileEnd): Deleted.
2587         (keys): Deleted.
2588         (values): Deleted.
2589         (queryInstances): Deleted.
2590         (queryObjects): Deleted.
2591         (queryHolders): Deleted.
2592
2593 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
2594
2595         Remove MaximalFlushInsertionPhase
2596         https://bugs.webkit.org/show_bug.cgi?id=201036
2597
2598         Reviewed by Saam Barati.
2599
2600         Maximal flush has found too many false positives recently, so we decided it's finally time
2601         to remove it instead of hacking it to fix the most recent false positive.
2602
2603         The most recent false positive was caused by a LoadVarargs followed by a SetArgumentDefinitely
2604         for the argument count that was being flushed in a much later block. Now, since that block was
2605         the head of a loop, and there was a SetLocal in the same block to the same variable, this
2606         generated a Phi of both values, which then led to the unification of their VariableAccessData
2607         in the unification phase. This caused AI to assign the Int52 type to argument count, which
2608         broke the AI’s assumption that it should always be an Int32.
2609
2610         * JavaScriptCore.xcodeproj/project.pbxproj:
2611         * Sources.txt:
2612         * dfg/DFGByteCodeParser.cpp:
2613         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
2614         * dfg/DFGMaximalFlushInsertionPhase.cpp: Removed.
2615         * dfg/DFGMaximalFlushInsertionPhase.h: Removed.
2616         * dfg/DFGPlan.cpp:
2617         (JSC::DFG::Plan::compileInThreadImpl):
2618         * runtime/Options.cpp:
2619         (JSC::recomputeDependentOptions):
2620         * runtime/Options.h:
2621
2622 2019-08-23  Ross Kirsling  <ross.kirsling@sony.com>
2623
2624         Unreviewed WinCairo build fix following r249058.
2625
2626         * API/tests/testapi.cpp:
2627         (TestAPI::callFunction):
2628         WinCairo chokes on `JSValueRef args[sizeof...(arguments)]` when there are no arguments, but AppleWin does not...
2629         MSVC must have changed somehow.
2630
2631 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
2632
2633         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
2634         https://bugs.webkit.org/show_bug.cgi?id=200952
2635
2636         Reviewed by Saam Barati.
2637
2638         The c call that we emitted was incorrect. If we had an int argument that was supposed to be placed in GPR0 by this loop,
2639         we would clobber it while making the call (among many other possible registers). To fix this, we just inline the call 
2640         to isWebassemblyHostFunction.
2641
2642         * wasm/js/WebAssemblyFunction.cpp:
2643         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2644
2645 2019-08-23  Ross Kirsling  <ross.kirsling@sony.com>
2646
2647         JSC should have public API for unhandled promise rejections
2648         https://bugs.webkit.org/show_bug.cgi?id=197172
2649
2650         Reviewed by Keith Miller.
2651
2652         This patch makes it possible to register an unhandled promise rejection callback via the JSC API.
2653         Since there is no event loop in such an environment, this callback fires off of the microtask queue.
2654         The callback receives the promise and rejection reason as arguments and its return value is ignored.
2655
2656         * API/JSContextRef.cpp:
2657         (JSGlobalContextSetUnhandledRejectionCallback): Added.
2658         * API/JSContextRefPrivate.h:
2659         Add new C++ API call.
2660
2661         * API/tests/testapi.cpp:
2662         (TestAPI::promiseResolveTrue): Clean up test output.
2663         (TestAPI::promiseRejectTrue): Clean up test output.
2664         (TestAPI::promiseUnhandledRejection): Added.
2665         (TestAPI::promiseUnhandledRejectionFromUnhandledRejectionCallback): Added.
2666         (TestAPI::promiseEarlyHandledRejections): Added.
2667         (testCAPIViaCpp):
2668         Add new C++ API test.
2669
2670         * jsc.cpp:
2671         (GlobalObject::finishCreation):
2672         (functionSetUnhandledRejectionCallback): Added.
2673         Add corresponding global to JSC shell.
2674
2675         * runtime/JSGlobalObject.h:
2676         (JSC::JSGlobalObject::setUnhandledRejectionCallback): Added.
2677         (JSC::JSGlobalObject::unhandledRejectionCallback const): Added.
2678         Keep a strong reference to the callback.
2679
2680         * runtime/JSGlobalObjectFunctions.cpp:
2681         (JSC::globalFuncHostPromiseRejectionTracker):
2682         Add default behavior.
2683
2684         * runtime/VM.cpp:
2685         (JSC::VM::callPromiseRejectionCallback): Added.
2686         (JSC::VM::didExhaustMicrotaskQueue): Added.
2687         (JSC::VM::promiseRejected): Added.
2688         (JSC::VM::drainMicrotasks):
2689         When microtask queue is exhausted, deal with any pending unhandled rejections
2690         (in a manner based on RejectedPromiseTracker's reportUnhandledRejections),
2691         then make sure this didn't cause any new microtasks to be added to the queue.
2692
2693         * runtime/VM.h:
2694         Store unhandled rejections.
2695         (This collection will always be empty in the presence of WebCore.)
2696
2697 2019-08-22  Mark Lam  <mark.lam@apple.com>
2698
2699         VirtualRegister::dump() can use more informative CallFrame header slot names.
2700         https://bugs.webkit.org/show_bug.cgi?id=201062
2701
2702         Reviewed by Tadeu Zagallo.
2703
2704         For example, it currently dumps head3 instead of callee.  This patch changes the
2705         dump as follows (for 64-bit addressing):
2706             head0 => callerFrame
2707             head1 => returnPC
2708             head2 => codeBlock
2709             head3 => callee
2710             head4 => argumentCount
2711
2712         Now, one might be wondering when bytecode would ever access callerFrame and
2713         returnPC?  The answer is never.  However, I don't think it's the role of the
2714         dumper to catch a bug where these header slots are being used.  The dumper's role
2715         is to clearly report them so that we can see that these unexpected values are
2716         being used.
2717
2718         * bytecode/VirtualRegister.cpp:
2719         (JSC::VirtualRegister::dump const):
2720
2721 2019-08-22  Andy Estes  <aestes@apple.com>
2722
2723         [watchOS] Disable Content Filtering in the simulator build
2724         https://bugs.webkit.org/show_bug.cgi?id=201047
2725
2726         Reviewed by Tim Horton.
2727
2728         * Configurations/FeatureDefines.xcconfig:
2729
2730 2019-08-22  Adrian Perez de Castro  <aperez@igalia.com>
2731
2732         [GTK][WPE] Fixes for non-unified builds after r248547
2733         https://bugs.webkit.org/show_bug.cgi?id=201044
2734
2735         Reviewed by Philippe Normand.
2736
2737         * b3/B3ReduceLoopStrength.cpp: Add missing inclusions of B3BasicBlockInlines.h,
2738         B3InsertionSet.h, and B3NaturalLoops.h
2739         * wasm/WasmOMGForOSREntryPlan.h: Include WasmCallee.h instead of forward-declaring
2740         BBQCallee in order to avoid build failure due to incomplete definition on template
2741         expansions.
2742
2743 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
2744
2745         Add missing exception check in canonicalizeLocaleList
2746         https://bugs.webkit.org/show_bug.cgi?id=201021
2747
2748         Reviewed by Mark Lam.
2749
2750         * runtime/IntlObject.cpp:
2751         (JSC::canonicalizeLocaleList):
2752
2753 2019-08-17  Darin Adler  <darin@apple.com>
2754
2755         Use makeString and multi-argument StringBuilder::append instead of less efficient multiple appends
2756         https://bugs.webkit.org/show_bug.cgi?id=200862
2757
2758         Reviewed by Ryosuke Niwa.
2759
2760         * runtime/ExceptionHelpers.cpp:
2761         (JSC::createUndefinedVariableError): Got rid of unnecessary local variable.
2762         (JSC::notAFunctionSourceAppender): Use single append instead of multiple.
2763         Eliminate unneeded and unconventional use of makeString on a single string literal.
2764         (JSC::invalidParameterInstanceofNotFunctionSourceAppender): Ditto.
2765         (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender): Ditto.
2766         (JSC::createInvalidFunctionApplyParameterError): Ditto.
2767         (JSC::createInvalidInParameterError): Ditto.
2768         (JSC::createInvalidInstanceofParameterErrorNotFunction): Ditto.
2769         (JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction): Ditto.
2770
2771         * runtime/FunctionConstructor.cpp:
2772         (JSC::constructFunctionSkippingEvalEnabledCheck): Use single append instead of multiple.
2773         * runtime/Options.cpp:
2774         (JSC::Options::dumpOption): Ditto.
2775         * runtime/TypeProfiler.cpp:
2776         (JSC::TypeProfiler::typeInformationForExpressionAtOffset): Ditto.
2777         * runtime/TypeSet.cpp:
2778         (JSC::StructureShape::stringRepresentation): Ditto. Also use a modern for loop.
2779
2780 2019-08-21  Mark Lam  <mark.lam@apple.com>
2781
2782         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
2783         https://bugs.webkit.org/show_bug.cgi?id=201016
2784         <rdar://problem/54579911>
2785
2786         Reviewed by Yusuke Suzuki.
2787
2788         Currently, Wasm::FunctionParser is allowing
2789
2790             maxFunctionParams + maxFunctionLocals * maxFunctionLocals
2791
2792         ... locals, which is 0x9502FCE8.  It should be enforcing max locals of
2793         maxFunctionLocals instead.
2794
2795         * wasm/WasmFunctionParser.h:
2796         (JSC::Wasm::FunctionParser<Context>::parse):
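
The bound this entry fixes, as an added example that is not WebKit's Wasm::FunctionParser: a reader for the local-declaration vector of a Wasm function body, once with the count of each declaration checked on its own (my reading of the pre-fix behaviour the entry describes) and once with the running total of parameters plus locals bounded, which is what the entry asks for. The limit values `MAX_FUNCTION_PARAMS` and `MAX_FUNCTION_LOCALS` are assumptions not stated in the entry; they are chosen so that `params + locals * locals` reproduces the 0x9502FCE8 figure above. The LEB128 helpers and `make_locals_vector` exist only to build constructed inputs.

```python
# Added example, not WebKit's Wasm::FunctionParser: a reader for the local
# declaration vector of a Wasm function body that shows the two ways of
# bounding the number of locals. The limit values are assumptions (they are
# not stated in the entry, but they reproduce its 0x9502FCE8 figure:
# 1000 + 50000 * 50000). The per-entry variant is my reading of the
# pre-fix behaviour the entry describes.

MAX_FUNCTION_PARAMS = 1000   # assumed limit on signature parameters
MAX_FUNCTION_LOCALS = 50000  # assumed limit on locals per function

I32 = 0x7F                   # Wasm value-type byte for i32


def read_u32_leb128(data: bytes, pos: int):
    """Decode one unsigned LEB128 u32 at `pos`; return (value, new_pos)."""
    result = 0
    shift = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated LEB128")
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if byte & 0x80 == 0:
            break
        shift += 7
        if shift >= 35:               # a u32 fits in at most 5 LEB128 bytes
            raise ValueError("LEB128 too long for u32")
    if result > 0xFFFFFFFF:
        raise ValueError("u32 out of range")
    return result, pos


def encode_u32_leb128(value: int) -> bytes:
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def make_locals_vector(entries):
    """Constructed input: [(count, valtype), ...] -> the encoded vector."""
    body = bytearray(encode_u32_leb128(len(entries)))
    for count, valtype in entries:
        body += encode_u32_leb128(count)
        body.append(valtype)
    return bytes(body)


def _read_valtype(body: bytes, pos: int) -> int:
    if pos >= len(body):
        raise ValueError("truncated local declaration")
    return pos + 1


def count_locals_per_entry_check(body: bytes, num_params: int) -> int:
    """Pre-fix shape (my reading of the entry): every count is checked on its
    own, so up to MAX_FUNCTION_LOCALS entries of MAX_FUNCTION_LOCALS each get
    through, i.e. MAX_FUNCTION_LOCALS ** 2 locals plus the parameters."""
    if num_params > MAX_FUNCTION_PARAMS:
        raise ValueError("too many parameters")
    num_entries, pos = read_u32_leb128(body, 0)
    if num_entries > MAX_FUNCTION_LOCALS:
        raise ValueError("too many local declarations")
    total = num_params
    for _ in range(num_entries):
        count, pos = read_u32_leb128(body, pos)
        if count > MAX_FUNCTION_LOCALS:
            raise ValueError("local declaration too large")
        pos = _read_valtype(body, pos)
        total += count
    return total


def count_locals_total_check(body: bytes, num_params: int) -> int:
    """Fixed shape: the running total of parameters plus declared locals is
    what gets compared against MAX_FUNCTION_LOCALS, after every entry. The
    subtraction form keeps the check overflow-safe in a fixed-width integer."""
    if num_params > MAX_FUNCTION_PARAMS:
        raise ValueError("too many parameters")
    num_entries, pos = read_u32_leb128(body, 0)
    if num_entries > MAX_FUNCTION_LOCALS:
        raise ValueError("too many local declarations")
    total = num_params
    for _ in range(num_entries):
        count, pos = read_u32_leb128(body, pos)
        if count > MAX_FUNCTION_LOCALS - total:
            raise ValueError("too many locals")
        pos = _read_valtype(body, pos)
        total += count
    return total


def rejected(body: bytes, num_params: int) -> bool:
    """True if the total-bounded reader refuses this locals vector."""
    try:
        count_locals_total_check(body, num_params)
    except ValueError:
        return True
    return False


def pre_fix_worst_case() -> int:
    """Largest total the per-entry check lets through, under the assumed limits."""
    return MAX_FUNCTION_PARAMS + MAX_FUNCTION_LOCALS * MAX_FUNCTION_LOCALS
```

Three declarations of 20000 locals each pass the per-entry check individually, and the first reader happily reports 60002 locals for a two-parameter function; the total-bounded reader refuses the third declaration because `20000 > MAX_FUNCTION_LOCALS - 40002`.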
2797
2798 2019-08-21  Michael Saboff  <msaboff@apple.com>
2799
2800         [JSC] incorrect JIT leads to StackOverflow
2801         https://bugs.webkit.org/show_bug.cgi?id=197823
2802
2803         Reviewed by Tadeu Zagallo.
2804
2805         Added stack overflow check to the bound function thunk generator.  Added a new C++ operation
2806         throwStackOverflowErrorFromThunk() to throw the error.
2807
2808         * jit/JITOperations.cpp:
2809         * jit/JITOperations.h:
2810         * jit/ThunkGenerators.cpp:
2811         (JSC::boundThisNoArgsFunctionCallGenerator):
2812
2813 2019-08-21  Devin Rousso  <drousso@apple.com>
2814
2815         Web Inspector: Page: re-add enable/disable after r248454
2816         https://bugs.webkit.org/show_bug.cgi?id=200947
2817
2818         Reviewed by Joseph Pecoraro.
2819
2820         We shouldn't design the agent system with only Web Inspector in mind. Other clients may want
2821         to have different functionality, not being told about frames creation/updates/destruction.
2822         In these cases, we should have graceful error message failures for other agents that rely on
2823         the Page agent.
2824
2825         * inspector/protocol/Page.json:
2826
2827 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
2828
2829         Identify memcpy loops in b3
2830         https://bugs.webkit.org/show_bug.cgi?id=200181
2831
2832         Reviewed by Saam Barati.
2833
2834         Add a new pass in B3 to identify one type of forward byte copy loop and replace it with a call to a custom version of memcpy
2835         that will not cause GC tearing and have the correct behaviour when overlapping regions are passed in. 
2836
2837         Microbenchmarks show memcpy-typed-loop-large is about 6x faster, and everything else is neutral. The optimization is disabled
2838         on arm for now, until we add a memcpy implementation for it.
2839
2840         * JavaScriptCore.xcodeproj/project.pbxproj:
2841         * Sources.txt:
2842         * b3/B3Generate.cpp:
2843         (JSC::B3::generateToAir):
2844         * b3/B3ReduceLoopStrength.cpp: Added.
2845         (JSC::B3::fastForwardCopy32):
2846         (JSC::B3::ReduceLoopStrength::AddrInfo::appendAddr):
2847         (JSC::B3::ReduceLoopStrength::ReduceLoopStrength):
2848         (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy):
2849         (JSC::B3::ReduceLoopStrength::hoistValue):
2850         (JSC::B3::ReduceLoopStrength::run):
2851         (JSC::B3::reduceLoopStrength):
2852         * b3/B3ReduceLoopStrength.h: Added.
2853         * b3/testb3.h:
2854         * b3/testb3_1.cpp:
2855         (run):
2856         * b3/testb3_8.cpp:
2857         (testFastForwardCopy32):
2858         (testByteCopyLoop):
2859         (testByteCopyLoopStartIsLoopDependent):
2860         (testByteCopyLoopBoundIsLoopDependent):
2861         (addCopyTests):
2862
2863 2019-08-20  Devin Rousso  <drousso@apple.com>
2864
2865         Unreviewed, speculative build fix for High Sierra after r248925
2866
2867         * inspector/JSInjectedScriptHost.cpp:
2868         (Inspector::HeapHolderFinder::dump):
2869
2870 2019-08-20  Mark Lam  <mark.lam@apple.com>
2871
2872         Remove superfluous size argument to allocateCell() for fixed size objects.
2873         https://bugs.webkit.org/show_bug.cgi?id=200958
2874
2875         Reviewed by Yusuke Suzuki.
2876
2877         The size is already automatically computed by the allocateCell() template's default
2878         arguments.  Removing these superfluous arguments will make it easier for us to
2879         grep for cases where we do allocate variable size cells (for later analysis work).
2880
2881         * jsc.cpp:
2882         (JSC::Masquerader::create):
2883         (JSCMemoryFootprint::create):
2884         * tools/JSDollarVM.cpp:
2885         (JSC::JSDollarVMCallFrame::create):
2886         (JSC::Element::create):
2887         (JSC::Root::create):
2888         (JSC::SimpleObject::create):
2889         (JSC::ImpureGetter::create):
2890         (JSC::CustomGetter::create):
2891         (JSC::DOMJITNode::create):
2892         (JSC::DOMJITGetter::create):
2893         (JSC::DOMJITGetterComplex::create):
2894         (JSC::DOMJITFunctionObject::create):
2895         (JSC::DOMJITCheckSubClassObject::create):
2896         (JSC::DOMJITGetterBaseJSObject::create):
2897         (JSC::JSTestCustomGetterSetter::create):
2898         (JSC::WasmStreamingParser::create):
2899
2900 2019-08-20  Mark Lam  <mark.lam@apple.com>
2901
2902         JSBigInt::m_length should be immutable.
2903         https://bugs.webkit.org/show_bug.cgi?id=200956
2904
2905         Reviewed by Yusuke Suzuki.
2906
2907         This is because the JSBigInt cell size is allocated with that length.  Changing
2908         the length after construction does not change the size of the cell, and hence,
2909         makes no sense.
2910
2911         This patch removes the setLength() method, and decorates the m_length field with
2912         const to enforce that it is immutable after construction.
2913
2914         * runtime/JSBigInt.h:
2915
2916 2019-08-20  Devin Rousso  <drousso@apple.com>
2917
2918         Web Inspector: Implement `queryHolders` Command Line API
2919         https://bugs.webkit.org/show_bug.cgi?id=200458
2920
2921         Reviewed by Joseph Pecoraro.
2922
2923         Call `queryHolders(object)` from the Console to return an array of objects that strongly
2924         reference the given `object`. This could be very useful for finding JavaScript "leaks".
2925
2926         * inspector/InjectedScriptSource.js:
2927         (queryHolders): Added.
2928         * inspector/JSInjectedScriptHost.h:
2929         * inspector/JSInjectedScriptHost.cpp:
2930         (Inspector::HeapHolderFinder::HeapHolderFinder): Added.
2931         (Inspector::HeapHolderFinder::holders): Added.
2932         (Inspector::HeapHolderFinder::analyzeEdge): Added.
2933         (Inspector::HeapHolderFinder::analyzePropertyNameEdge): Added.
2934         (Inspector::HeapHolderFinder::analyzeVariableNameEdge): Added.
2935         (Inspector::HeapHolderFinder::analyzeIndexEdge): Added.
2936         (Inspector::HeapHolderFinder::analyzeNode): Added.
2937         (Inspector::HeapHolderFinder::setOpaqueRootReachabilityReasonForCell): Added.
2938         (Inspector::HeapHolderFinder::setWrappedObjectForCell): Added.
2939         (Inspector::HeapHolderFinder::setLabelForCell): Added.
2940         (Inspector::HeapHolderFinder::dump): Added.
2941         (Inspector::JSInjectedScriptHost::queryHolders): Added.
2942         * inspector/JSInjectedScriptHostPrototype.cpp:
2943         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
2944         (Inspector::jsInjectedScriptHostPrototypeFunctionQueryHolders): Added.
2945
2946         * heap/HeapAnalyzer.h: Added.
2947         Create an abstract base class for analyzing the Heap during a GC. Rather than create an
2948         entire `HeapSnapshot` for `queryHolders`, the `HeapHolderFinder` can just walk the Heap and
2949         only save the information it needs to determine the holders of the given `object`.
2950
2951         * heap/Heap.h:
2952         * heap/Heap.cpp:
2953         (JSC::Heap::isAnalyzingHeap const): Added.
2954         (JSC::GatherExtraHeapData::GatherExtraHeapData): Added.
2955         (JSC::GatherExtraHeapData::operator() const): Added.
2956         (JSC::Heap::gatherExtraHeapData): Added.
2957         (JSC::Heap::didFinishCollection): Added.
2958         (JSC::Heap::isHeapSnapshotting const): Deleted.
2959         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData): Deleted.
2960         (JSC::GatherHeapSnapshotData::operator() const): Deleted.
2961         (JSC::Heap::gatherExtraHeapSnapshotData): Deleted.
2962         * heap/SlotVisitor.h:
2963         (JSC::SlotVisitor::isAnalyzingHeap const): Added.
2964         (JSC::SlotVisitor::heapAnalyzer const): Added.
2965         (JSC::SlotVisitor::isBuildingHeapSnapshot const): Deleted.
2966         (JSC::SlotVisitor::heapSnapshotBuilder const): Deleted.
2967         * heap/SlotVisitor.cpp:
2968         (JSC::SlotVisitor::didStartMarking):
2969         (JSC::SlotVisitor::reset):
2970         (JSC::SlotVisitor::appendSlow):
2971         (JSC::SlotVisitor::visitChildren):
2972         * heap/SlotVisitorInlines.h:
2973         (JSC::SlotVisitor::appendUnbarriered):
2974         * heap/WeakBlock.cpp:
2975         (JSC::WeakBlock::specializedVisit):
2976         * runtime/Structure.cpp:
2977         (JSC::Structure::visitChildren):
2978         Rename `HeapAnalyzer` functions to be less specific to building a `HeapSnapshot`.
2979
2980         * heap/HeapProfiler.h:
2981         (JSC::HeapProfiler::activeHeapAnalyzer const): Added.
2982         (JSC::HeapProfiler::activeSnapshotBuilder const): Deleted.
2983         * heap/HeapProfiler.cpp:
2984         (JSC::HeapProfiler::setActiveHeapAnalyzer): Added.
2985         (JSC::HeapProfiler::setActiveSnapshotBuilder): Deleted.
2986         * heap/HeapSnapshotBuilder.h:
2987         * heap/HeapSnapshotBuilder.cpp:
2988         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
2989         (JSC::HeapSnapshotBuilder::buildSnapshot):
2990         (JSC::HeapSnapshotBuilder::analyzeNode): Added.
2991         (JSC::HeapSnapshotBuilder::analyzeEdge): Added.
2992         (JSC::HeapSnapshotBuilder::analyzePropertyNameEdge): Added.
2993         (JSC::HeapSnapshotBuilder::analyzeVariableNameEdge): Added.
2994         (JSC::HeapSnapshotBuilder::analyzeIndexEdge): Added.
2995         (JSC::HeapSnapshotBuilder::appendNode): Deleted.
2996         (JSC::HeapSnapshotBuilder::appendEdge): Deleted.
2997         (JSC::HeapSnapshotBuilder::appendPropertyNameEdge): Deleted.
2998         (JSC::HeapSnapshotBuilder::appendVariableNameEdge): Deleted.
2999         (JSC::HeapSnapshotBuilder::appendIndexEdge): Deleted.
3000
3001         * inspector/InjectedScriptManager.h:
3002         * inspector/agents/InspectorRuntimeAgent.cpp:
3003
3004         * runtime/ClassInfo.h:
3005         * runtime/JSCell.h:
3006         * runtime/JSCell.cpp:
3007         (JSC::JSCell::analyzeHeap): Added.
3008         (JSC::JSCell::heapSnapshot): Deleted.
3009         * runtime/JSLexicalEnvironment.h:
3010         * runtime/JSLexicalEnvironment.cpp:
3011         (JSC::JSLexicalEnvironment::analyzeHeap): Added.
3012         (JSC::JSLexicalEnvironment::heapSnapshot): Deleted.
3013         * runtime/JSObject.h:
3014         * runtime/JSObject.cpp:
3015         (JSC::JSObject::analyzeHeap): Added.
3016         (JSC::JSObject::heapSnapshot): Deleted.
3017         * runtime/JSSegmentedVariableObject.h:
3018         * runtime/JSSegmentedVariableObject.cpp:
3019         (JSC::JSSegmentedVariableObject::analyzeHeap): Added.
3020         (JSC::JSSegmentedVariableObject::heapSnapshot): Deleted.
3021         Rename `heapSnapshot` to `analyzeHeap`.
3022
3023         * CMakeLists.txt:
3024         * JavaScriptCore.xcodeproj/project.pbxproj:
3025
3026 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
3027
3028         [WASM-References] Enable by default
3029         https://bugs.webkit.org/show_bug.cgi?id=200931
3030
3031         Reviewed by Saam Barati.
3032
3033         * runtime/Options.h:
3034
3035 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
3036
3037         [JSC] Array.prototype.toString should not get "join" function each time
3038         https://bugs.webkit.org/show_bug.cgi?id=200905
3039
3040         Reviewed by Mark Lam.
3041
3042         We avoid looking up `join` every time Array#toString is called. This patch implements the most profitable and easy
3043         case first as we are doing optimization for Array#slice: non-modified original Array. Configuring watchpoint for
3044         Array.prototype.join change and use this information and structure information to determine whether `join` lookup
3045         in Array.prototype.toString is unnecessary. This improves JetStream2/3d-raytrace-SP score by 1.6%
3046
3047             ToT:     363.56
3048             Patched: 369.26
3049
3050         This patch also renames InlineWatchpointSet fields from Watchpoint to WatchpointSet since they are not Watchpoint.
3051
3052         * dfg/DFGByteCodeParser.cpp:
3053         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3054         * dfg/DFGGraph.h:
3055         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
3056         (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
3057         * runtime/ArrayPrototype.cpp:
3058         (JSC::speciesWatchpointIsValid):
3059         (JSC::canUseDefaultArrayJoinForToString):
3060         (JSC::arrayProtoFuncToString):
3061         * runtime/JSGlobalObject.cpp:
3062         (JSC::JSGlobalObject::JSGlobalObject):
3063         (JSC::JSGlobalObject::init):
3064         (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
3065         * runtime/JSGlobalObject.h:
3066         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpointSet):
3067         (JSC::JSGlobalObject::mapIteratorProtocolWatchpointSet):
3068         (JSC::JSGlobalObject::setIteratorProtocolWatchpointSet):
3069         (JSC::JSGlobalObject::stringIteratorProtocolWatchpointSet):
3070         (JSC::JSGlobalObject::mapSetWatchpointSet):
3071         (JSC::JSGlobalObject::setAddWatchpointSet):
3072         (JSC::JSGlobalObject::arraySpeciesWatchpointSet):
3073         (JSC::JSGlobalObject::arrayJoinWatchpointSet):
3074         (JSC::JSGlobalObject::numberToStringWatchpointSet):
3075         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint): Deleted.
3076         (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint): Deleted.
3077         (JSC::JSGlobalObject::setIteratorProtocolWatchpoint): Deleted.
3078         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint): Deleted.
3079         (JSC::JSGlobalObject::mapSetWatchpoint): Deleted.
3080         (JSC::JSGlobalObject::setAddWatchpoint): Deleted.
3081         (JSC::JSGlobalObject::arraySpeciesWatchpoint): Deleted.
3082         (JSC::JSGlobalObject::numberToStringWatchpoint): Deleted.
3083         * runtime/JSGlobalObjectInlines.h:
3084         (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
3085         (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
3086         (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
3087         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
3088         (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
3089         (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):
3090
3091 2019-08-20  Joseph Pecoraro  <pecoraro@apple.com>
3092
3093         Web Inspector: Support for JavaScript BigInt
3094         https://bugs.webkit.org/show_bug.cgi?id=180731
3095         <rdar://problem/36298748>
3096
3097         Reviewed by Devin Rousso.
3098
3099         * inspector/InjectedScriptSource.js:
3100         (toStringDescription):
3101         (isSymbol):
3102         (isBigInt):
3103         (let.InjectedScript.prototype._fallbackWrapper):
3104         (let.RemoteObject):
3105         (let.RemoteObject.subtype):
3106         (let.RemoteObject.describe):
3107         (let.RemoteObject.prototype._appendPropertyPreviews):
3108         (let.RemoteObject.set _isPreviewableObjectInternal):
3109         (let.RemoteObject.prototype._isPreviewableObject.set add):
3110         * inspector/protocol/Runtime.json:
3111         New RemoteObject type and preview support.
3112
3113         * runtime/RuntimeType.cpp:
3114         (JSC::runtimeTypeForValue):
3115         (JSC::runtimeTypeAsString):
3116         * runtime/RuntimeType.h:
3117         * runtime/TypeSet.cpp:
3118         (JSC::TypeSet::displayName const):
3119         (JSC::TypeSet::inspectorTypeSet const):
3120         New type for the type profiler.
3121
3122         * heap/HeapSnapshotBuilder.cpp:
3123         (JSC::HeapSnapshotBuilder::json):
3124         * inspector/agents/InspectorHeapAgent.cpp:
3125         (Inspector::InspectorHeapAgent::getPreview):
3126         * runtime/JSBigInt.cpp:
3127         (JSC::JSBigInt::toString):
3128         (JSC::JSBigInt::tryGetString):
3129         (JSC::JSBigInt::toStringBasePowerOfTwo):
3130         (JSC::JSBigInt::toStringGeneric):
3131         * runtime/JSBigInt.h:
3132         BigInts are not tied to a GlobalObject, so provide a way to get a
3133         String for HeapSnapshot previews that are not tied to an ExecState.
3134
3135 2019-08-19  Devin Rousso  <drousso@apple.com>
3136
3137         Web Inspector: Debugger: add a global breakpoint for pausing in the next microtask
3138         https://bugs.webkit.org/show_bug.cgi?id=200652
3139
3140         Reviewed by Joseph Pecoraro.
3141
3142         * inspector/protocol/Debugger.json:
3143         Add `setPauseOnMicrotasks` command.
3144
3145         * inspector/agents/InspectorDebuggerAgent.h:
3146         * inspector/agents/InspectorDebuggerAgent.cpp:
3147         (Inspector::InspectorDebuggerAgent::disable):
3148         (Inspector::InspectorDebuggerAgent::setPauseOnMicrotasks): Added.
3149         (Inspector::InspectorDebuggerAgent::willRunMicrotask): Added.
3150         (Inspector::InspectorDebuggerAgent::didRunMicrotask): Added.
3151
3152         * debugger/Debugger.h:
3153         (JSC::Debugger::willRunMicrotask): Added.
3154         (JSC::Debugger::didRunMicrotask): Added.
3155         * inspector/ScriptDebugListener.h:
3156         * inspector/ScriptDebugServer.h:
3157         * inspector/ScriptDebugServer.cpp:
3158         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
3159         (Inspector::ScriptDebugServer::sourceParsed):
3160         (Inspector::ScriptDebugServer::willRunMicrotask): Added.
3161         (Inspector::ScriptDebugServer::didRunMicrotask): Added.
3162         (Inspector::ScriptDebugServer::canDispatchFunctionToListeners const): Added.
3163         (Inspector::ScriptDebugServer::dispatchFunctionToListeners): Added.
3164         (Inspector::ScriptDebugServer::handlePause):
3165         (Inspector::ScriptDebugServer::dispatchDidPause): Deleted.
3166         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Deleted.
3167         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Deleted.
3168         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Deleted.
3169         (Inspector::ScriptDebugServer::dispatchDidContinue): Deleted.
3170         (Inspector::ScriptDebugServer::dispatchDidParseSource): Deleted.
3171         (Inspector::ScriptDebugServer::dispatchFailedToParseSource): Deleted.
3172         Unify the various `dispatch*` functions to use lambdas so state management is centralized.
3173
3174         * runtime/JSMicrotask.cpp:
3175         (JSC::JSMicrotask::run):
3176
3177         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
3178
3179 2019-08-19  Devin Rousso  <drousso@apple.com>
3180
3181         Web Inspector: Debugger: pause on assertion failures breakpoint doesn't work when inspecting a JSContext
3182         https://bugs.webkit.org/show_bug.cgi?id=200874
3183
3184         Reviewed by Joseph Pecoraro.
3185
3186         * inspector/JSGlobalObjectConsoleClient.cpp:
3187         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
3188
3189 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
3190
3191         Proxy constructor should throw if handler is revoked Proxy
3192         https://bugs.webkit.org/show_bug.cgi?id=198755
3193
3194         Reviewed by Saam Barati.
3195
3196         Reword error message and check if handler is revoked Proxy.
3197         (step 4 of https://tc39.es/ecma262/#sec-proxycreate)
3198
3199         * runtime/ProxyObject.cpp:
3200         (JSC::ProxyObject::finishCreation): Add isRevoked check.
3201
3202 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
3203
3204         [JSC] OSR entry to Wasm OMG
3205         https://bugs.webkit.org/show_bug.cgi?id=200362
3206
3207         Reviewed by Michael Saboff.
3208
3209         This patch implements the Wasm OSR entry mechanism from the BBQ tier to the OMG tier.
3210         We found that one of the JetStream2 tests heavily relies on the OSR entry feature. gcc-loops-wasm consumes
3211         most of its time in the BBQ tier since one of its functions takes a significantly long time. And since we did
3212         not have the OSR entry feature, we could not use the OMG function until that BBQ function finished.
3213
3214         To implement the Wasm OSR feature, we first capture all locals and stack values in the patchpoint to generate
3215         the stackmap. Once the threshold is crossed, the patchpoint calls the `MacroAssembler::probe` feature to
3216         capture the whole register context, and a C++ runtime function reads the stackmap and Probe::Context to perform
3217         OSR entry. This patch intentionally keeps OSR entry written on the C++ runtime side as much as possible
3218         to make it easily reusable for the other tiers. For example, we are planning to introduce a Wasm interpreter,
3219         and it can easily use this tier-up function. Because of this simplicity, this generic implementation can
3220         cover both BBQ Air and BBQ B3 tier-up features. So, in the future, it is possible that we revive BBQ B3
3221         and construct the wasm pipeline like interpreter->BBQ B3->OMG B3.
3222
3223         To generate OMG code for OSR entry, we add a new mode, OMGForOSREntry, which mimics FTLForOSREntry.
3224         In FTLForOSREntry, we cut unrelated blocks including the usual entry point in the DFG tier and later convert the
3225         graph to SSA. This is possible because DFG is not SSA. On the other hand, B3 is SSA and we cannot do the
3226         same thing without a hack.
3227
3228         This patch introduces a hack: making all wasm locals and stack values B3::Variable for OMGForOSREntry mode.
3229         Then, we can cut blocks easily and generate the B3 graph without doing reachability analysis from the
3230         OSR entry point. B3 will remove unreachable blocks later.
3231
3232         The tier-up function mimics the DFG->FTL OSR entry heuristics and threshold as much as possible. And this patch adjusts
3233         the tier-up count threshold to make it close to the DFG->FTL ones. Wasm tier-up is now using ExecutionCounter, which
3234         is inherited from Wasm::TierUpCount. Since wasm can execute concurrently, the tier-up counter can be racily updated.
3235         But this is OK in practice. Even if we see some more tier-up function calls, or tier-up function calls are delayed,
3236         the critical part is guarded by a lock in the tier-up function.
3237
3238         On an iMac Pro, it shows ~4x runtime improvement for gcc-loops-wasm. On an iOS device (iPhone XR), we saw ~2x improvement.
3239
3240             ToT:
3241                 HashSet-wasm:Score: 24.6pt stdev=4.6%
3242                             :Time:Geometric: 204ms stdev=4.4%
3243                             Runtime:Time: 689ms stdev=1.0%
3244                             Startup:Time: 60.3ms stdev=8.4%
3245                 gcc-loops-wasm:Score: 8.41pt stdev=6.7%
3246                               :Time:Geometric: 597ms stdev=6.5%
3247                               Runtime:Time: 8.509s stdev=0.7%
3248                               Startup:Time: 42ms stdev=12.4%
3249                 quicksort-wasm:Score: 347pt stdev=20.9%
3250                               :Time:Geometric: 15ms stdev=18.6%
3251                               Runtime:Time: 28.2ms stdev=7.9%
3252                               Startup:Time: 8.2ms stdev=35.0%
3253                 richards-wasm:Score: 77.6pt stdev=4.5%
3254                              :Time:Geometric: 64.6ms stdev=4.4%
3255                              Runtime:Time: 544ms stdev=3.3%
3256                              Startup:Time: 7.67ms stdev=6.7%
3257                 tsf-wasm:Score: 47.9pt stdev=4.5%
3258                         :Time:Geometric: 104ms stdev=4.8%
3259                         Runtime:Time: 259ms stdev=4.4%
3260                         Startup:Time: 42.2ms stdev=8.5%
3261
3262             Patched:
3263                 HashSet-wasm:Score: 24.1pt stdev=4.1%
3264                             :Time:Geometric: 208ms stdev=4.1%
3265                             Runtime:Time: 684ms stdev=1.1%
3266                             Startup:Time: 63.2ms stdev=8.1%
3267                 gcc-loops-wasm:Score: 15.7pt stdev=5.1%
3268                               :Time:Geometric: 319ms stdev=5.3%
3269                               Runtime:Time: 2.491s stdev=0.7%
3270                               Startup:Time: 41ms stdev=11.0%
3271                 quicksort-wasm:Score: 353pt stdev=13.7%
3272                               :Time:Geometric: 14ms stdev=12.7%
3273                               Runtime:Time: 26.2ms stdev=2.9%
3274                               Startup:Time: 8.0ms stdev=23.7%
3275                 richards-wasm:Score: 77.4pt stdev=5.3%
3276                              :Time:Geometric: 64.7ms stdev=5.3%
3277                              Runtime:Time: 536ms stdev=1.5%
3278                              Startup:Time: 7.83ms stdev=9.6%
3279                 tsf-wasm:Score: 47.3pt stdev=5.7%
3280                         :Time:Geometric: 106ms stdev=6.1%
3281                         Runtime:Time: 250ms stdev=3.5%
3282                         Startup:Time: 45ms stdev=13.8%
3283
3284         * JavaScriptCore.xcodeproj/project.pbxproj:
3285         * Sources.txt:
3286         * assembler/MacroAssemblerARM64.h:
3287         (JSC::MacroAssemblerARM64::branchAdd32):
3288         * b3/B3ValueRep.h:
3289         * bytecode/CodeBlock.h:
3290         * bytecode/ExecutionCounter.cpp:
3291         (JSC::applyMemoryUsageHeuristics):
3292         (JSC::ExecutionCounter<countingVariant>::setThreshold):
3293         * bytecode/ExecutionCounter.h:
3294         (JSC::ExecutionCounter::clippedThreshold):
3295         * dfg/DFGJITCode.h:
3296         * dfg/DFGOperations.cpp:
3297         * jit/AssemblyHelpers.h:
3298         (JSC::AssemblyHelpers::prologueStackPointerDelta):
3299         * runtime/Options.h:
3300         * wasm/WasmAirIRGenerator.cpp:
3301         (JSC::Wasm::AirIRGenerator::createStack):
3302         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
3303         (JSC::Wasm::AirIRGenerator::outerLoopIndex const):
3304         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
3305         (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
3306         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
3307         (JSC::Wasm::AirIRGenerator::addLoop):