fa8e939126df332acf11819d5d84b27df7db4c2b
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-10-12  Tadeu Zagallo  <tzagallo@apple.com>

        Gardening: Build fix after r237084.
        https://bugs.webkit.org/show_bug.cgi?id=189708

        Unreviewed.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-10-12  Tadeu Zagallo  <tzagallo@apple.com>

        Separate configuration extraction from offset extraction
        https://bugs.webkit.org/show_bug.cgi?id=189708

        Reviewed by Keith Miller.

        Instead of generating a file with all offsets for every combination of
        configurations, we first generate a file with only the configuration
        indices and pass that to the offset extractor. The offset extractor then
        only generates the offsets for valid configurations.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntSettingsExtractor.cpp: Added.
        (main):
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/generate_settings_extractor.rb: Added.
        * offlineasm/offsets.rb:
        * offlineasm/settings.rb:

2018-10-12  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r237063.

        Caused layout test fast/dom/Window/window-postmessage-clone-
        deep-array.html to fail on macOS and iOS Debug bots.

        Reverted changeset:

        "[JSC] Remove gcc warnings on mips and armv7"
        https://bugs.webkit.org/show_bug.cgi?id=188598
        https://trac.webkit.org/changeset/237063

2018-10-11  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Remove gcc warnings on mips and armv7
        https://bugs.webkit.org/show_bug.cgi?id=188598

        Reviewed by Mark Lam.

        Fix many gcc/clang warnings that are false positives, mostly alignment
        issues.

        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printMemory):
        Use bitwise_cast instead of reinterpret_cast.
        * assembler/testmasm.cpp:
        (JSC::floatOperands):
        marked as potentially unused as it is not used on all platforms.
        (JSC::testProbeModifiesStackValues):
        modifiedFlags is not used on mips, so don't declare it.
        * bytecode/CodeBlock.h:
        Make ScriptExecutable::prepareForExecution() return an
        std::optional<Exception*> instead of a JSObject*.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        Update calling code for the prototype change of
        ScriptExecutable::prepareForExecution().
        * jit/JITOperations.cpp: Same as for Interpreter.cpp.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall): Same as for Interpreter.cpp.
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::dataStorage):
        Use bitwise_cast instead of reinterpret_cast.
        * runtime/ScriptExecutable.cpp:
        * runtime/ScriptExecutable.h:
        Make ScriptExecutable::prepareForExecution() return an
        std::optional<Exception*> instead of a JSObject*.
        * tools/JSDollarVM.cpp:
        (JSC::codeBlockFromArg): Use bitwise_cast instead of reinterpret_cast.

2018-10-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Use currentStackPointer more
        https://bugs.webkit.org/show_bug.cgi?id=190503

        Reviewed by Saam Barati.

        * runtime/VM.cpp:
        (JSC::VM::committedStackByteCount):

2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] JSC should have "parseFunction" to optimize Function constructor
        https://bugs.webkit.org/show_bug.cgi?id=190340

        Reviewed by Mark Lam.

        The current Function constructor is suboptimal. We parse pieces of the same code three times to meet
        the spec requirement: (1) check the parameters syntax, (2) check the body syntax, and (3) parse the entire function.
        And to parse 1-3 correctly, we create two strings, the parameters and the entire function. This operation
        is really costly, and ideally we should meet the above requirement with a single parse.

        To meet the above requirement, we add a special function to Parser, parseSingleFunction. This function
        takes `std::optional<int> functionConstructorParametersEndPosition` and checks in the parser that this end position is correct.
        For example, if we run the code,

            Function('/*', '*/){')

        According to the spec, this should produce the '/*' parameter string and the '*/){' body string. The parameter
        string should be syntax-checked by the parser, which raises an error since it is incorrect. Instead of doing
        that, in our implementation, we first create the entire string.

            function anonymous(/*) {
                */){
            }

        And we parse it. At that time, we also pass the end position of the parameters to the parser. In the above case,
        the position of the `function anonymous(/*)' <> is passed. And in the parser, we check that the last token
        offset of the parameters is the given end position. This check allows us to raise the error correctly for the
        above example while we parse the entire function only once. And we do not need to create two strings either.

        This improves the performance of the Function constructor significantly. And web-tooling-benchmark/uglify-js is
        significantly sped up (28.2%).

        Before:
            uglify-js:  2.94 runs/s
        After:
            uglify-js:  3.77 runs/s

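The following is an added example, not WebKit/JSC code. It shows, with the exact input the entry discusses (Function('/*', '*/){')), why the parameter string and the body string must be validated on their own: parsing only the concatenated source accepts an input that the spec rejects, because the `/*` in the parameter list swallows the `) {` that follows. The check here parses a parenthesised function expression with eval, which is this example's approximation of the spec's FormalParameters / FunctionBody productions; the function names are this example's own, and no constructed function is ever invoked. JSC's single-parse end-position check needs parser internals and is not reproduced here; the example shows which inputs that check has to catch.

```javascript
// Added example (not WebKit/JSC code): why the Function constructor has to validate
// the parameter string and the body string on their own, using the input from the
// entry above, Function('/*', '*/){'). Assumption: each check parses a
// parenthesised function expression with eval, which approximates the spec's
// FormalParameters / FunctionBody productions; no constructed function is invoked.

// Build the source text exactly the way the entry describes.
function dynamicFunctionSource(params, body) {
  return `function anonymous(${params}\n) {\n${body}\n}`;
}

// True if `source` parses as a function expression. Evaluating a parenthesised
// function expression only creates a closure; the body never runs.
function parsesAsFunctionExpression(source) {
  try {
    eval(`(${source})`);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Naive approach: parse the concatenation once and trust the result. For the
// entry's input the '/*' in the parameter list swallows ') {\n*/', leaving a
// valid function with no parameters and an empty body.
function naiveAccepts(params, body) {
  return parsesAsFunctionExpression(dynamicFunctionSource(params, body));
}

// Spec-style approach (the three parses the entry replaces with one): the
// parameters must be valid on their own, the body on its own, then the whole.
function separateChecksAccept(params, body) {
  const paramsOk = parsesAsFunctionExpression(`function anonymous(${params}\n) {\n}`);
  const bodyOk = parsesAsFunctionExpression(`function anonymous() {\n${body}\n}`);
  return paramsOk && bodyOk && naiveAccepts(params, body);
}

// Run both strategies over constructed inputs; a row where they disagree is an
// input the single-parse shortcut must reject by other means (JSC's end-position check).
function compareStrategies(cases) {
  return cases.map(([params, body]) => ({
    params,
    body,
    naive: naiveAccepts(params, body),
    checked: separateChecksAccept(params, body),
  }));
}

// Constructed inputs.
const CASES = [
  ['a, b', 'return a + b'], // ordinary input: both strategies accept
  ['/*', '*/){'],           // the entry's input: only the naive parse accepts
  ['a //', 'return a'],     // a line comment inside the parameter list is legal
];

for (const row of compareStrategies(CASES))
  console.log(JSON.stringify(row));
```

The third case is there to show that the separate checks do not simply reject anything containing a comment: a line comment in the parameter list is terminated by the newline the wrapper inserts, so both strategies agree on it. Only the unterminated block comment crosses the parameter/body boundary, and that is the case the entry's end-position check exists for.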
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseSingleFunction):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parseFunctionExpression):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        (JSC::Parser<LexerType>::parseArrowFunctionExpression):
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse):
        (JSC::parseFunctionForFunctionConstructor):
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition):
        (JSC::JSTokenLocation::JSTokenLocation): Deleted.
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::operator== const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/FunctionExecutable.h:

2018-10-11  Ross Kirsling  <ross.kirsling@sony.com>

        Fix non-existent define `CPU(JSVALUE64)`
        https://bugs.webkit.org/show_bug.cgi?id=190479

        Reviewed by Yusuke Suzuki.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsImpl):
        Correct CPU(JSVALUE64) to USE(JSVALUE64).

2018-10-11  Keith Rollin  <krollin@apple.com>

        CURRENT_ARCH should not be used in Run Script phase.
        https://bugs.webkit.org/show_bug.cgi?id=190407
        <rdar://problem/45133556>

        Reviewed by Alexey Proskuryakov.

        CURRENT_ARCH is used in a number of Xcode Run Script phases. However,
        CURRENT_ARCH is not well-defined during this phase (and may even have
        the value "undefined") since this phase is run just once per build
        rather than once per supported architecture. Migrate away from
        CURRENT_ARCH in favor of ARCHS, either by iterating over ARCHS and
        performing an operation for each value, or by picking the first entry
        in ARCHS and using that as a representative value.

        * JavaScriptCore.xcodeproj/project.pbxproj: Store
        LLIntDesiredOffsets.h into a directory with a name based on ARCHS
        rather than CURRENT_ARCH.

2018-10-10  Mark Lam  <mark.lam@apple.com>

        Changes towards allowing use of the ASAN detect_stack_use_after_return option.
        https://bugs.webkit.org/show_bug.cgi?id=190405
        <rdar://problem/45131464>

        Reviewed by Michael Saboff.

        The ASAN detect_stack_use_after_return option checks for use of stack variables
        after they have been freed.  It does this by allocating relevant stack variables
        in heap memory (instead of on the stack) if the code ever takes the address of
        those stack variables.  Unfortunately, this is a common idiom that we use to
        compute the approximate stack pointer value.  As a result, on such ASAN runs, the
        computed approximate stack pointer value will point into the heap instead of the
        stack.  This breaks the VM's expectations and wreaks havoc.

        To fix this, we use the newly introduced WTF::currentStackPointer() instead of
        taking the address of stack variables.

        We also need to enhance ExceptionScopes to be able to work with ASAN
        detect_stack_use_after_return, which will allocate the scope in the heap.  We
        work around this by passing the current stack pointer of the instantiating calling
        frame into the scope constructor, and using that for the position check in
        ~ThrowScope() instead.

        The above is only a start towards enabling ASAN detect_stack_use_after_return on
        the VM.  There are still other issues to be resolved before we can run with this
        ASAN option.

        * runtime/CatchScope.h:
        * runtime/ExceptionEventLocation.h:
        (JSC::ExceptionEventLocation::ExceptionEventLocation):
        * runtime/ExceptionScope.h:
        (JSC::ExceptionScope::stackPosition const):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/ThrowScope.cpp:
        (JSC::ThrowScope::~ThrowScope):
        * runtime/ThrowScope.h:
        * runtime/VM.h:
        (JSC::VM::needExceptionCheck const):
        (JSC::VM::isSafeToRecurse const):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):

2018-10-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: create special Network waterfall for media events
        https://bugs.webkit.org/show_bug.cgi?id=189773
        <rdar://problem/44626605>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOM.json:
        Add `didFireEvent` event that is fired when specific event listeners added by
        `InspectorInstrumentation::addEventListenersToNode` are fired.

2018-10-10  Michael Saboff  <msaboff@apple.com>

        Increase executable memory pool from 64MB to 128MB for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=190453

        Reviewed by Saam Barati.

        * jit/ExecutableAllocator.cpp:

2018-10-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: notify the frontend when a canvas has started recording via console.record
        https://bugs.webkit.org/show_bug.cgi?id=190306

        Reviewed by Brian Burg.

        * inspector/protocol/Canvas.json:
        Add `recordingStarted` event.

        * inspector/protocol/Recording.json:
        Add `Initiator` enum for determining who started the recording.

2018-10-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Rename createXXX to tryCreateXXX if it can return RefPtr
        https://bugs.webkit.org/show_bug.cgi?id=190429

        Reviewed by Saam Barati.

        Some createXXX functions can fail. But sometimes the caller does not perform error checking.
        To make it explicit that these functions can fail, we rename these functions from createXXX
        to tryCreateXXX. In this patch, we focus on non-JS-managed factory functions. If the factory
        function does not fail, it should return Ref<>. Otherwise, it should be named as tryCreateXXX
        and it should return RefPtr<>.

        This patch mainly focuses on TypedArray factory functions. Previously, these functions were
        `RefPtr<XXXArray> create(...)`. This patch changes them to `RefPtr<XXXArray> tryCreate(...)`.
        And we also introduce a `Ref<XXXArray> create(...)` function which internally performs
        RELEASE_ASSERT on the result of `tryCreate(...)`.

        And we also convert OpaqueJSString::create to OpaqueJSString::tryCreate since it can fail.

        This change actually finds one place which does not perform any null checking while it uses
        the `RefPtr<> create(...)` function.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSClassRef.h:
        (StaticValueEntry::StaticValueEntry):
        * API/JSContext.mm:
        (-[JSContext evaluateScript:withSourceURL:]):
        (-[JSContext setName:]):
        * API/JSContextRef.cpp:
        (JSGlobalContextCopyName):
        (JSContextCreateBacktrace):
        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * API/JSScriptRef.cpp:
        * API/JSStringRef.cpp:
        (JSStringCreateWithCharactersNoCopy):
        * API/JSValue.mm:
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
        (+[JSValue valueWithNewErrorFromMessage:inContext:]):
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
        (performPropertyOperation):
        (-[JSValue invokeMethod:withArguments:]):
        (containerValueToObject):
        (objectToValueWithoutCopy):
        (objectToValue):
        * API/JSValueRef.cpp:
        (JSValueCreateJSONString):
        (JSValueToStringCopy):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::tryCreate):
        (OpaqueJSString::create): Deleted.
        * API/OpaqueJSString.h:
        * API/glib/JSCContext.cpp:
        (evaluateScriptInContext):
        * API/glib/JSCValue.cpp:
        (jsc_value_new_string_from_bytes):
        * ftl/FTLLazySlowPath.h:
        (JSC::FTL::LazySlowPath::createGenerator):
        * ftl/FTLLazySlowPathCall.h:
        (JSC::FTL::createLazyCallGenerator):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExitDescriptor::emitOSRExit):
        (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
        (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
        * ftl/FTLOSRExit.h:
        * ftl/FTLPatchpointExceptionHandle.cpp:
        (JSC::FTL::PatchpointExceptionHandle::create):
        (JSC::FTL::PatchpointExceptionHandle::createHandle):
        * ftl/FTLPatchpointExceptionHandle.h:
        * heap/EdenGCActivityCallback.h:
        (JSC::GCActivityCallback::tryCreateEdenTimer):
        (JSC::GCActivityCallback::createEdenTimer): Deleted.
        * heap/FullGCActivityCallback.h:
        (JSC::GCActivityCallback::tryCreateFullTimer):
        (JSC::GCActivityCallback::createFullTimer): Deleted.
        * heap/GCActivityCallback.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * inspector/AsyncStackTrace.cpp:
        (Inspector::AsyncStackTrace::create):
        * inspector/AsyncStackTrace.h:
        * jsc.cpp:
        (fillBufferWithContentsOfFile):
        * runtime/ArrayBuffer.h:
        * runtime/GenericTypedArrayView.h:
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::GenericTypedArrayView<Adaptor>::create):
        (JSC::GenericTypedArrayView<Adaptor>::tryCreate):
        (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
        (JSC::GenericTypedArrayView<Adaptor>::tryCreateUninitialized):
        (JSC::GenericTypedArrayView<Adaptor>::subarray const):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::possiblySharedImpl):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::possiblySharedTypedImpl):
        (JSC::JSGenericTypedArrayView<Adaptor>::unsharedTypedImpl):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::tryCreate):
        * wasm/WasmMemory.h:
        * wasm/WasmTable.cpp:
        (JSC::Wasm::Table::tryCreate):
        (JSC::Wasm::Table::create): Deleted.
        * wasm/WasmTable.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):

2018-10-09  Devin Rousso  <drousso@apple.com>

        Web Inspector: show redirect requests in Network and Timelines tabs
        https://bugs.webkit.org/show_bug.cgi?id=150005
        <rdar://problem/5378164>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Network.json:
        Add missing fields to `ResourceTiming`.

2018-10-09  Claudio Saavedra  <csaavedra@igalia.com>

        [WPE] Explicitly link against gmodule where used
        https://bugs.webkit.org/show_bug.cgi?id=190398

        Reviewed by Michael Catanzaro.

        * PlatformWPE.cmake:

2018-10-08  Justin Fan  <justin_fan@apple.com>

        WebGPU: Rename old WebGPU prototype to WebMetal
        https://bugs.webkit.org/show_bug.cgi?id=190325
        <rdar://problem/44990443>

        Reviewed by Dean Jackson.

        Rename WebGPU prototype files to WebMetal in preparation for implementing the new (Oct 2018) WebGPU interface.

        * Configurations/FeatureDefines.xcconfig:
        * inspector/protocol/Canvas.json:
        * inspector/scripts/codegen/generator.py:

2018-10-08  Aditya Keerthi  <akeerthi@apple.com>

        Make <input type=color> a runtime enabled (on-by-default) feature
        https://bugs.webkit.org/show_bug.cgi?id=189162

        Reviewed by Wenson Hsieh and Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2018-10-08  Devin Rousso  <drousso@apple.com>

        Web Inspector: group media network entries by the node that triggered the request
        https://bugs.webkit.org/show_bug.cgi?id=189606
        <rdar://problem/44438527>

        Reviewed by Brian Burg.

        * inspector/protocol/Network.json:
        Add an optional `nodeId` field to the `Initiator` object that is set if it is possible to
        determine which ancestor node triggered the load. It may not correspond directly to the node
        with the href/src, as that url may only be used by an ancestor for loading.

2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC][Linux] Use non-truncated name for JIT workers in Linux
        https://bugs.webkit.org/show_bug.cgi?id=190339

        Reviewed by Mark Lam.

        The current thread names are meaningless in the Linux environment. We do not want to
        have truncated names in Linux: we want to have clear names in Linux. Instead, we
        should have the name for Linux separately from the name used in the non-Linux
        environments. This patch adds FTLWorker, DFGWorker, and JITWorker names for the
        Linux environment.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::createWorklistName):
        (JSC::DFG::Worklist::Worklist):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
        * jit/JITWorklist.cpp:

2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Name Heap threads
        https://bugs.webkit.org/show_bug.cgi?id=190337

        Reviewed by Mark Lam.

        Name heap threads as "Heap Helper Thread". In Linux, we name it "HeapHelper" since
        Linux does not accept a name longer than 15. We do not want to use the short name
        for non-Linux environments. And we want to have a clear name in Linux: a truncated name
        is not good. So, having the two names is the only way.

        * heap/HeapHelperPool.cpp:
        (JSC::heapHelperPool):

2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Avoid creating ProgramExecutable in checkSyntax
        https://bugs.webkit.org/show_bug.cgi?id=190332

        Reviewed by Mark Lam.

        uglify-js in web-tooling-benchmark executes a massive number of Function constructor calls.
        In Function constructor code, we perform checkSyntax for body and parameters. So fast checkSyntax
        is important when the performance of Function constructor matters. Current checkSyntax code
        unnecessarily allocates ProgramExecutable. This patch removes this allocation and improves
        the benchmark score slightly.

        Before:
            uglify-js:  2.87 runs/s
        After:
            uglify-js:  2.94 runs/s

        * runtime/Completion.cpp:
        (JSC::checkSyntaxInternal):
        (JSC::checkSyntax):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::checkSyntax): Deleted.
        * runtime/ProgramExecutable.h:

2018-10-06  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "|"
        https://bugs.webkit.org/show_bug.cgi?id=186229

        Reviewed by Yusuke Suzuki.

        This patch is introducing support for BigInt into the bitwise "or" operator.
        In addition, we are also introducing 2 new DFG nodes, named "ArithBitOr" and
        "ValueBitOr", to replace the "BitOr" node. The idea is to follow the
        difference that we make on Arith<op> and Value<op>, where ArithBitOr
        handles cases when the operands are Int32 and ValueBitOr handles
        the remaining cases.

        We are also changing op_bitor to use ValueProfile. We are using
        ValueProfile during DFG generation to emit "ArithBitOr" when
        the outcome prediction is Int32.

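The following is an added example, not WebKit/JSC code. It reproduces in plain JavaScript the split the entry describes: an Int32 fast path (the ArithBitOr case) and a generic path (the ValueBitOr case) that dispatches to a BigInt implementation. The BigInt path works on sign-magnitude limb arrays in the spirit of the absoluteBitwiseOp / absoluteAddOne helpers named in the file list below, and goes a little beyond the entry by showing the two's-complement identities that let a sign-magnitude representation compute `|` for negative operands. The 32-bit limb width and every function name here are this example's own choices; results are checked against the engine's native BigInt `|`.

```javascript
// Added example (not WebKit/JSC code): the Int32 / generic split the entry describes,
// written in plain JavaScript. arithBitOr is the Int32 fast path; valueBitOr is the
// generic path that dispatches to a BigInt implementation working on sign-magnitude
// limb arrays, in the spirit of the absoluteBitwiseOp / absoluteAddOne helpers named
// in the file list. The 32-bit limb width and every function name here are this
// example's choices; results are checked against the engine's native BigInt `|`.

const LIMB_BITS = 32n;
const LIMB_MASK = 0xFFFFFFFFn;

// Magnitude of a non-negative BigInt as a little-endian array of 32-bit limbs (Numbers).
function toLimbs(n) {
  const limbs = [];
  for (; n > 0n; n >>= LIMB_BITS) limbs.push(Number(n & LIMB_MASK));
  return limbs;
}

function fromLimbs(limbs) {
  let n = 0n;
  for (let i = limbs.length - 1; i >= 0; i--) n = (n << LIMB_BITS) | BigInt(limbs[i]);
  return n;
}

// Drop high zero limbs so that lengths stay canonical.
function trim(limbs) {
  while (limbs.length && limbs[limbs.length - 1] === 0) limbs.pop();
  return limbs;
}

// One loop serves AND, OR and AND-NOT: missing high limbs of the shorter operand are
// treated as zero, which is right for all three (x & ~0 === x, x | 0 === x, x & 0 === 0).
function absoluteBitwiseOp(x, y, op) {
  const out = [];
  for (let i = 0; i < Math.max(x.length, y.length); i++) out.push(op(x[i] || 0, y[i] || 0));
  return trim(out);
}
const limbAnd = (a, b) => (a & b) >>> 0;
const limbOr = (a, b) => (a | b) >>> 0;
const limbAndNot = (a, b) => (a & ~b) >>> 0;

// |x| + 1 with carry propagation.
function absoluteAddOne(x) {
  const out = x.slice();
  let i = 0;
  while (i < out.length && out[i] === 0xFFFFFFFF) out[i++] = 0;
  if (i === out.length) out.push(1); else out[i] += 1;
  return out;
}

// |x| - 1 with borrow propagation; x must be non-zero.
function absoluteSubOne(x) {
  const out = x.slice();
  let i = 0;
  while (out[i] === 0) out[i++] = 0xFFFFFFFF;
  out[i] -= 1;
  return trim(out);
}

// Two's-complement OR on sign-magnitude values, via the identities
//   -x | -y = -(((x-1) & (y-1)) + 1)   and   -x | y = -(((x-1) & ~y) + 1).
function bigIntOr(a, b) {
  const aNeg = a < 0n, bNeg = b < 0n;
  const x = toLimbs(aNeg ? -a : a), y = toLimbs(bNeg ? -b : b);
  if (!aNeg && !bNeg) return fromLimbs(absoluteBitwiseOp(x, y, limbOr));
  let mag;
  if (aNeg && bNeg) mag = absoluteBitwiseOp(absoluteSubOne(x), absoluteSubOne(y), limbAnd);
  else mag = aNeg ? absoluteBitwiseOp(absoluteSubOne(x), y, limbAndNot)
                  : absoluteBitwiseOp(absoluteSubOne(y), x, limbAndNot);
  return -fromLimbs(absoluteAddOne(mag));
}

// Fast path: both operands are Numbers, so ToInt32 and a machine OR suffice.
function arithBitOr(a, b) {
  return (a | 0) | (b | 0);
}

// Generic path: pick the Int32 or BigInt implementation, and reject mixed operands
// the way the language does.
function valueBitOr(a, b) {
  const aBig = typeof a === 'bigint', bBig = typeof b === 'bigint';
  if (aBig && bBig) return bigIntOr(a, b);
  if (aBig || bBig) throw new TypeError('Cannot mix BigInt and other types');
  return arithBitOr(Number(a), Number(b));
}

// Constructed pairs that cross limb boundaries and cover every sign combination.
const SAMPLE_PAIRS = [
  [0n, 0n], [1n, 2n], [-1n, 5n], [-8n, 5n], [-8n, -5n],
  [2n ** 32n - 1n, 2n ** 32n], [-(2n ** 32n), 0n], [-(2n ** 64n), 2n ** 33n + 7n],
  [0x123456789ABCDEF0n, -0x0FEDCBA987654321n], [-(2n ** 100n) - 1n, 2n ** 70n - 3n],
];

// True when the limb implementation matches the native operator on every pair.
function agreesWithNative(pairs) {
  return pairs.every(([a, b]) => bigIntOr(a, b) === (a | b));
}

console.log('limb implementation agrees with native |:', agreesWithNative(SAMPLE_PAIRS));
```

The point of keeping three separate entry points is the same as in the DFG node split: the Int32 path can be emitted when the value profile predicts Int32 operands, while anything else (BigInt, or a Number/BigInt mix that must throw) goes through the generic path and never reaches the machine OR with a mis-typed operand.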
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::arithProfileForPC):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitBinaryOp):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::bitwiseOp):
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
        (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::bitOp):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitOr):
        (JSC::FTL::DFG::LowerDFGToB3::compileBitOr): Deleted.
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_bitor):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::bitwiseAnd):
        (JSC::JSBigInt::bitwiseOr):
        (JSC::JSBigInt::absoluteBitwiseOp):
        (JSC::JSBigInt::absoluteAddOne):
        * runtime/JSBigInt.h:

2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Use new extra memory reporting in SparseArrayMap
        https://bugs.webkit.org/show_bug.cgi?id=190278

        Reviewed by Keith Miller.

        This patch switches the extra memory reporting mechanism from deprecatedReportExtraMemory
        to reportExtraMemoryAllocated & reportExtraMemoryVisited in SparseArrayMap.

        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::add):
        (JSC::SparseArrayValueMap::visitChildren):

2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC][Linux] Support Perf JITDump logging
        https://bugs.webkit.org/show_bug.cgi?id=189893

        Reviewed by Mark Lam.

        This patch adds Linux `perf` command's JIT Dump support. It allows JSC to tell perf about JIT code information.
        We add a command line option, `--logJITCodeForPerf`, which dumps `jit-%pid.dump` in the current directory.
        By using this dump and perf.data output, we can annotate JIT code with profiling information.

            $ echo "(function f() { var s = 0; for (var i = 0; i < 1000000000; i++) { s += i; } return s; })();" > test.js
            $ perf record -k mono ../../WebKitBuild/perf/Release/bin/jsc test.js --logJITCodeForPerf=true
            [ perf record: Woken up 1 times to write data ]
            [ perf record: Captured and wrote 0.182 MB perf.data (4346 samples) ]
            $ perf inject --jit -i perf.data -o perf.jit.data
            $ perf report -i perf.jit.data

        * Sources.txt:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * assembler/PerfLog.cpp: Added.
        (JSC::PerfLog::singleton):
        (JSC::generateTimestamp):
        (JSC::getCurrentThreadID):
        (JSC::PerfLog::PerfLog):
        (JSC::PerfLog::write):
        (JSC::PerfLog::flush):
        (JSC::PerfLog::log):
        * assembler/PerfLog.h: Added.
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        * runtime/Options.h:

2018-10-05  Mark Lam  <mark.lam@apple.com>

        Gardening: Build fix after r236880.
        https://bugs.webkit.org/show_bug.cgi?id=190317

        Unreviewed.

        * jit/ExecutableAllocator.h:

2018-10-05  Mark Lam  <mark.lam@apple.com>

        performJITMemcpy() should handle the case when the executable allocator is not initialized yet.
        https://bugs.webkit.org/show_bug.cgi?id=190317
        <rdar://problem/45039398>

        Reviewed by Saam Barati.

        When SeparatedWXHeaps is in use, jitWriteThunkGenerator() will call performJITMemcpy()
        to copy memory before the JIT fixed memory pool is initialized.  Before r236864,
        performJITMemcpy() would just do a memcpy in that case.  We need to restore the
        equivalent behavior.

        * jit/ExecutableAllocator.cpp:
        (JSC::isJITPC):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):

2018-10-05  Carlos Eduardo Ramalho  <cadubentzen@gmail.com>

        [WPE][JSC] Use Unified Sources for Platform-specific sources
        https://bugs.webkit.org/show_bug.cgi?id=190300

        Reviewed by Yusuke Suzuki.

        Currently the GTK port already uses Unified Sources with the same source files.
        As WPE has conditional code using gmodule, we need to add GLIB_GMODULE_LIBRARIES
        to the list of libraries to link with.

        * PlatformWPE.cmake:
        * SourcesWPE.txt: Added.
        * shell/PlatformWPE.cmake:

2018-10-05  Mike Gorse  <mgorse@alum.wpi.edu>

        [GTK] build fails with python 3 if LANG and LC_TYPE are unset
        https://bugs.webkit.org/show_bug.cgi?id=190258

        Reviewed by Konstantin Tokarev.

        * Scripts/cssmin.py: Set stdout to UTF-8 on python 3.
        * Scripts/generateIntlCanonicalizeLanguage.py: Open files with
          encoding=UTF-8 on Python 3.
        * yarr/generateYarrCanonicalizeUnicode: Ditto.
        * yarr/generateYarrUnicodePropertyTables.py: Ditto.

2018-10-04  Mark Lam  <mark.lam@apple.com>

        Move start/EndOfFixedExecutableMemoryPool pointers into the FixedVMPoolExecutableAllocator object.
        https://bugs.webkit.org/show_bug.cgi?id=190295
        <rdar://problem/19197193>

        Reviewed by Saam Barati.

        This allows us to use the tagging logic already baked into MacroAssemblerCodePtr
        instead of needing to use our own custom version here.

        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::memoryStart):
        (JSC::FixedVMPoolExecutableAllocator::memoryEnd):
        (JSC::FixedVMPoolExecutableAllocator::isJITPC):
        (JSC::ExecutableAllocator::allocate):
        (JSC::startOfFixedExecutableMemoryPoolImpl):
        (JSC::endOfFixedExecutableMemoryPoolImpl):
        (JSC::isJITPC):
        * jit/ExecutableAllocator.h:

728 2018-10-04  Mark Lam  <mark.lam@apple.com>
729
730         Disable Options::useWebAssemblyFastMemory() on linux if ASAN signal handling is not disabled.
731         https://bugs.webkit.org/show_bug.cgi?id=190283
732         <rdar://problem/45015752>
733
734         Reviewed by Keith Miller.
735
736         * runtime/Options.cpp:
737         (JSC::Options::initialize):
738         * wasm/WasmFaultSignalHandler.cpp:
739         (JSC::Wasm::enableFastMemory):
740
741 2018-10-03  Ross Kirsling  <ross.kirsling@sony.com>
742
743         [JSC] print() changes CRLF to CRCRLF on Windows
744         https://bugs.webkit.org/show_bug.cgi?id=190228
745
746         Reviewed by Mark Lam.
747
748         * jsc.cpp:
749         (main):
750         Ultimately, this is just the normal behavior of printf in text mode on Windows.
751         Since we're reading in files as binary, we need to be printing out as binary too
752         (just as we do in DumpRenderTree and ImageDiff.)
753
754 2018-10-03  Saam barati  <sbarati@apple.com>
755
756         lowXYZ in FTLLower should always filter the type of the incoming edge
757         https://bugs.webkit.org/show_bug.cgi?id=189939
758         <rdar://problem/44407030>
759
760         Reviewed by Michael Saboff.
761
762         For example, the FTL may know more about data flow than AI in certain programs,
763         and it needs to inform AI of these data flow properties to appease the assertion
764         we have in AI that a node must perform type checks on its child nodes.
765         
766         For example, consider this program:
767         
768         ```
769         bb#1
770         a: Phi // Let's say it has an Int32 result, so it goes into the int32 hash table in FTLLower
771         Branch(...,  #2, #3)
772         
773         bb#2
774         ArrayifyToStructure(Cell:@a) // This modifies @a to have its previous type union the type of some structure set.
775         Jump(#3)
776         
777         bb#3
778         c: Add(Int32:@something, Int32:@a)
779         ```
780         
781         When the Add node does lowInt32() for @a, FTL lower used to just grab it
782         from the int32 hash table without filtering the AbstractValue. However,
783         the parent node is asking for a type check to happen, so we must inform
784         AI of this "type check" if we want to appease the assertion that all nodes
785         perform type checks for their edges that semantically perform type checks.
786         This patch makes it so we filter the AbstractValue in the lowXYZ even
787         if FTLLower proved the value must be XYZ.
788
789         * ftl/FTLLowerDFGToB3.cpp:
790         (JSC::FTL::DFG::LowerDFGToB3::compilePhi):
791         (JSC::FTL::DFG::LowerDFGToB3::simulatedTypeCheck):
792         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
793         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
794         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
795
796 2018-10-03  Michael Saboff  <msaboff@apple.com>
797
798         Command line jsc should report memory footprint in bytes
799         https://bugs.webkit.org/show_bug.cgi?id=190267
800
801         Reviewed by Mark Lam.
802
803         Change to leave the footprint values from the system unmodified.
804
805         * jsc.cpp:
806         (JSCMemoryFootprint::finishCreation):
807
808 2018-10-03  Mark Lam  <mark.lam@apple.com>
809
810         Suppress unreachable code warning for LLIntAssembly.h code.
811         https://bugs.webkit.org/show_bug.cgi?id=190263
812         <rdar://problem/44986532>
813
814         Reviewed by Saam Barati.
815
816         This is needed because LLIntAssembly.h is template generated from LowLevelInterpreter
817         asm files, and may contain dead code which is harmless, but will trip up the warning.
818         We should suppress the warning so that it doesn't break builds.
819
820         * llint/LowLevelInterpreter.cpp:
821         (JSC::CLoop::execute):
822
823 2018-10-03  Dan Bernstein  <mitz@apple.com>
824
825         JavaScriptCore part of [Xcode] Update some build settings as recommended by Xcode 10
826         https://bugs.webkit.org/show_bug.cgi?id=190250
827
828         Reviewed by Alex Christensen.
829
830         * API/tests/Regress141275.mm:
831         (-[JSTEvaluator _sourcePerform]): Addressed newly-enabled CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF
832           by making the self-retaining explicit.
833
834         * API/tests/testapi.cpp:
835         (testCAPIViaCpp): Addressed newly-enabled CLANG_WARN_UNREACHABLE_CODE by breaking out of the
836           loop instead of returning from the lambda.
837
838         * Configurations/Base.xcconfig: Enabled CLANG_WARN_COMMA, CLANG_WARN_UNREACHABLE_CODE,
839           CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS, CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF, and
840           CLANG_ANALYZER_LOCALIZABILITY_NONLOCALIZED.
841
842         * JavaScriptCore.xcodeproj/project.pbxproj: Removed a duplicate reference to
843           UnlinkedFunctionExecutable.h, and let Xcode update the project file.
844
845         * assembler/MacroAssemblerPrinter.cpp:
846         (JSC::Printer::printAllRegisters): Addressed newly-enabled CLANG_WARN_COMMA by replacing
847           some commas with semicolons.
848
849 2018-10-03  Mark Lam  <mark.lam@apple.com>
850
851         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
852         https://bugs.webkit.org/show_bug.cgi?id=190187
853         <rdar://problem/42512909>
854
855         Reviewed by Michael Saboff.
856
857         Allowing different max string lengths at each level opens up opportunities for
858         bugs to creep in.  With 2 different max length values, it is more difficult to
859         keep the story straight on how we do overflow / bounds checks at each place in
860         the code.  It's also difficult to tell if a seemingly valid check at the WTF level
861         will have bad ramifications at the JSC level.  It's also not meaningful to
862         support a max length > INT_MAX.  To eliminate this class of bugs, we'll
863         standardize on a MaxLength of INT_MAX at all levels.
864
865         We'll also standardize the way we do length overflow checks on using
866         CheckedArithmetic, and add some asserts to document the assumptions of the code.
867
868         * runtime/FunctionConstructor.cpp:
869         (JSC::constructFunctionSkippingEvalEnabledCheck):
870         - Fix OOM error handling which crashed a test after the new MaxLength was applied.
871         * runtime/JSString.h:
872         (JSC::JSString::finishCreation):
873         (JSC::JSString::createHasOtherOwner):
874         (JSC::JSString::setLength):
875         * runtime/JSStringInlines.h:
876         (JSC::jsMakeNontrivialString):
877         * runtime/Operations.h:
878         (JSC::jsString):
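
        The overflow discipline described in the entry above, as an added example in plain C++ that is not part of the WebKit patch: a single length limit shared by every layer, and checked addition and multiplication that refuse a wrapped or over-limit result instead of silently producing a short length. The helper names (checkedAdd, concatenatedLength, repeatedLength) and the use of the GCC/Clang __builtin_*_overflow intrinsics in place of WTF's CheckedArithmetic are assumptions of this example.

```cpp
#include <climits>
#include <cstdint>
#include <optional>
#include <vector>

// One max length for every layer (the patch standardizes on INT_MAX).
constexpr size_t kMaxStringLength = INT_MAX;

// Minimal checked add in the spirit of WTF's CheckedArithmetic (assumed
// stand-in): the result is empty instead of a wrapped value on overflow.
std::optional<size_t> checkedAdd(size_t a, size_t b) {
    size_t sum;
    if (__builtin_add_overflow(a, b, &sum))
        return std::nullopt;
    return sum;
}

// Unchecked version for contrast: unsigned addition wraps silently, so a
// huge total can come back as a small "valid" length.
size_t uncheckedConcatenatedLength(const std::vector<size_t>& pieceLengths) {
    size_t total = 0;
    for (size_t len : pieceLengths)
        total += len;
    return total;
}

// Length of a concatenation of several pieces; empty when any partial sum
// overflows or the total exceeds kMaxStringLength (caller reports OOM).
std::optional<size_t> concatenatedLength(const std::vector<size_t>& pieceLengths) {
    size_t total = 0;
    for (size_t len : pieceLengths) {
        auto sum = checkedAdd(total, len);
        if (!sum || *sum > kMaxStringLength)
            return std::nullopt;
        total = *sum;
    }
    return total;
}

// Length of a string repeated `count` times (the "abc".repeat(n) shape):
// multiplication is checked the same way as addition.
std::optional<size_t> repeatedLength(size_t length, size_t count) {
    size_t product;
    if (__builtin_mul_overflow(length, count, &product) || product > kMaxStringLength)
        return std::nullopt;
    return product;
}
```

        Every allocation path that derives a length from attacker-influenced input (concatenation, repeat, padding, join) should go through the checked helpers; the unchecked function is kept only to show the wrapped result that the checks prevent.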
879
880 2018-10-03  Koby Boyango  <koby.b@mce-sys.com>
881
882         [JSC] Add a C++ callable overload of objectConstructorSeal
883         https://bugs.webkit.org/show_bug.cgi?id=190137
884
885         Reviewed by Yusuke Suzuki.
886
887         * runtime/ObjectConstructor.cpp:
888         * runtime/ObjectConstructor.h:
889
890 2018-10-02  Dominik Infuehr  <dinfuehr@igalia.com>
891
892         Fix Disassembler-output on ARM Thumb2
893         https://bugs.webkit.org/show_bug.cgi?id=190203
894
895         On ARMv7 with Thumb2 addresses have bit 0 set to 1 to force
896         execution in thumb mode for jumps and calls. The actual machine
897         instructions are still aligned to 2 bytes though. Use dataLocation() as
898         start address for disassembling since it unsets the thumb bit.
899         Until now the disassembler would start at the wrong address (off by 1),
900         resulting in the wrong disassembled machine instructions.
901
902         Reviewed by Mark Lam.
903
904         * disassembler/CapstoneDisassembler.cpp:
905         (JSC::tryToDisassemble):
906
907 2018-10-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
908
909         [JSC] Add stub of ExecutableAllocator used when JIT is disabled
910         https://bugs.webkit.org/show_bug.cgi?id=190215
911
912         Reviewed by Mark Lam.
913
914         When ENABLE(JIT) is disabled, we do not use JIT. But ExecutableAllocator is still available since
915         it is guarded by ENABLE(ASSEMBLER). ENABLE(ASSEMBLER) is necessary for LLInt ASM interpreter since
916         our MacroAssembler tells machine architecture information. Eventually, we would like to decouple
917         this machine architecture information from MacroAssembler. But for now, we use ENABLE(ASSEMBLER)
918         for LLInt ASM interpreter even if JIT is disabled by ENABLE(JIT).
919
920         To ensure any executable memory allocation is not done, we add a stub of ExecutableAllocator for
921         non-JIT configurations. This does not have any functionality allocating executable memory, thus
922         any accidental operation cannot attempt to allocate executable memory if ENABLE(JIT) = OFF.
923
924         * jit/ExecutableAllocator.cpp:
925         (JSC::ExecutableAllocator::initializeAllocator):
926         (JSC::ExecutableAllocator::singleton):
927         * jit/ExecutableAllocator.h:
928         (JSC::ExecutableAllocator::isValid const):
929         (JSC::ExecutableAllocator::underMemoryPressure):
930         (JSC::ExecutableAllocator::memoryPressureMultiplier):
931         (JSC::ExecutableAllocator::dumpProfile):
932         (JSC::ExecutableAllocator::allocate):
933         (JSC::ExecutableAllocator::isValidExecutableMemory):
934         (JSC::ExecutableAllocator::committedByteCount):
935         (JSC::ExecutableAllocator::getLock const):
936         (JSC::performJITMemcpy):
937
938 2018-10-01  Dean Jackson  <dino@apple.com>
939
940         Remove CSS Animation Triggers
941         https://bugs.webkit.org/show_bug.cgi?id=190175
942         <rdar://problem/44925626>
943
944         Reviewed by Simon Fraser.
945
946         * Configurations/FeatureDefines.xcconfig:
947
948 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
949
950         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
951         https://bugs.webkit.org/show_bug.cgi?id=190033
952
953         Reviewed by Yusuke Suzuki.
954
955         The implementation of JSBigInt::toStringToGeneric doesn't handle power
956         of 2 radix when JSBigInt length is >= 2. To handle such cases, we
957         implemented JSBigInt::toStringBasePowerOfTwo that follows the
958         algorithm that groups bits using mask of (2 ^ n) - 1 to extract every
959         digit.
960
961         * runtime/JSBigInt.cpp:
962         (JSC::JSBigInt::toString):
963         (JSC::JSBigInt::toStringBasePowerOfTwo):
964         * runtime/JSBigInt.h:
965
966 2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
967
968         [JSC] Add branchIfNaN and branchIfNotNaN
969         https://bugs.webkit.org/show_bug.cgi?id=190122
970
971         Reviewed by Mark Lam.
972
973         Add AssemblyHelpers::{branchIfNaN, branchIfNotNaN} to make code more readable.
974
975         * dfg/DFGSpeculativeJIT.cpp:
976         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
977         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
978         (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
979         (JSC::DFG::SpeculativeJIT::compileSpread):
980         (JSC::DFG::SpeculativeJIT::compileNewArray):
981         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
982         (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal):
983         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
984         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
985         * dfg/DFGSpeculativeJIT32_64.cpp:
986         (JSC::DFG::SpeculativeJIT::compile):
987         * dfg/DFGSpeculativeJIT64.cpp:
988         (JSC::DFG::SpeculativeJIT::compile):
989         * jit/AssemblyHelpers.cpp:
990         (JSC::AssemblyHelpers::purifyNaN):
991         * jit/AssemblyHelpers.h:
992         (JSC::AssemblyHelpers::branchIfNaN):
993         (JSC::AssemblyHelpers::branchIfNotNaN):
994         * jit/JITPropertyAccess.cpp:
995         (JSC::JIT::emitGenericContiguousPutByVal):
996         (JSC::JIT::emitDoubleLoad):
997         (JSC::JIT::emitFloatTypedArrayGetByVal):
998         * jit/JITPropertyAccess32_64.cpp:
999         (JSC::JIT::emitGenericContiguousPutByVal):
1000         * wasm/js/JSToWasm.cpp:
1001         (JSC::Wasm::createJSToWasmWrapper):
1002
1003 2018-10-01  Mark Lam  <mark.lam@apple.com>
1004
1005         Function.toString() should also copy the source code of Functions that are class definitions.
1006         https://bugs.webkit.org/show_bug.cgi?id=190186
1007         <rdar://problem/44733360>
1008
1009         Reviewed by Saam Barati.
1010
1011         Previously, if the Function is a class definition, functionProtoFuncToString()
1012         would create a String using StringView::toStringWithoutCopying(), and use that
1013         String to make a JSString.  This is not a problem if the underlying SourceProvider
1014         (that backs the characters in that StringView) is immortal.  However, this is
1015         not always the case in practice.
1016
1017         This patch fixes this issue by changing functionProtoFuncToString() to create the
1018         String using StringView::toString() instead, which makes a copy of the underlying
1019         characters buffer.  This detaches the resultant JSString from the SourceProvider
1020         characters buffer that it was created from, and ensures that the underlying
1021         characters buffer of the string will be alive for the entire lifetime of the
1022         JSString.
1023
1024         * runtime/FunctionPrototype.cpp:
1025         (JSC::functionProtoFuncToString):
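
        The lifetime problem fixed by the entry above, as an added C++ example that is not part of the WebKit patch: a non-owning view into a source buffer is only valid while its owner lives, so a string built without copying dangles once the provider goes away, while a copy keeps its own characters. SourceProvider, SourceSlice and the two conversion functions are constructed stand-ins for JSC's SourceProvider, StringView::toStringWithoutCopying() and StringView::toString().

```cpp
#include <memory>
#include <string>
#include <string_view>

// Constructed stand-in for a SourceProvider: it owns the script's characters.
struct SourceProvider {
    std::string source;
};

// Non-owning view of a range of a provider's buffer, like a StringView.
// It is valid only while that SourceProvider is alive.
struct SourceSlice {
    std::string_view view;
};

// Pattern the patch moves away from: no copy, so the result aliases the
// provider's buffer and dangles once the provider is destroyed.
std::string_view toStringWithoutCopying(const SourceSlice& slice) {
    return slice.view;
}

// Pattern the patch adopts: copy the characters so the result owns them.
std::string toString(const SourceSlice& slice) {
    return std::string(slice.view);
}

// Models functionProtoFuncToString() on a class definition whose provider is
// released afterwards; the copied text remains valid.
std::string classSourceAfterProviderReleased() {
    auto provider = std::make_unique<SourceProvider>();
    provider->source = "class Foo { bar() { return 1; } }; other();";
    SourceSlice classText{ std::string_view(provider->source).substr(0, 33) };
    std::string copied = toString(classText);
    provider.reset(); // buffer freed: classText.view now dangles, `copied` does not
    return copied;
}

// True: the non-copying result points straight into the provider's buffer.
bool viewAliasesProvider() {
    SourceProvider provider{ "class A {}" };
    SourceSlice slice{ std::string_view(provider.source) };
    return toStringWithoutCopying(slice).data() == provider.source.data();
}

// False: the copy lives in its own buffer.
bool copyAliasesProvider() {
    SourceProvider provider{ "class A {}" };
    SourceSlice slice{ std::string_view(provider.source) };
    return toString(slice).data() == provider.source.data();
}
```

        Run under AddressSanitizer, reading the view after provider.reset() would be reported as a heap-use-after-free; the copying path has nothing to report because the returned string no longer refers to the provider's memory.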
1026
1027 2018-10-01  Keith Miller  <keith_miller@apple.com>
1028
1029         Create a RELEASE_AND_RETURN macro for ExceptionScopes
1030         https://bugs.webkit.org/show_bug.cgi?id=190163
1031
1032         Reviewed by Mark Lam.
1033
1034         The new RELEASE_AND_RETURN does all the work for cases
1035         where you want to return the result of some expression
1036         without explicitly checking for an exception. This is
1037         much like the existing RETURN_IF_EXCEPTION macro.
1038
1039         * dfg/DFGOperations.cpp:
1040         (JSC::DFG::newTypedArrayWithSize):
1041         * interpreter/Interpreter.cpp:
1042         (JSC::eval):
1043         * jit/JITOperations.cpp:
1044         (JSC::getByVal):
1045         * jsc.cpp:
1046         (functionDollarAgentReceiveBroadcast):
1047         * llint/LLIntSlowPaths.cpp:
1048         (JSC::LLInt::setUpCall):
1049         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1050         (JSC::LLInt::varargsSetup):
1051         * profiler/ProfilerDatabase.cpp:
1052         (JSC::Profiler::Database::toJSON const):
1053         * runtime/AbstractModuleRecord.cpp:
1054         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1055         * runtime/ArrayConstructor.cpp:
1056         (JSC::constructArrayWithSizeQuirk):
1057         * runtime/ArrayPrototype.cpp:
1058         (JSC::getProperty):
1059         (JSC::fastJoin):
1060         (JSC::arrayProtoFuncToString):
1061         (JSC::arrayProtoFuncToLocaleString):
1062         (JSC::arrayProtoFuncJoin):
1063         (JSC::arrayProtoFuncPop):
1064         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1065         * runtime/BigIntConstructor.cpp:
1066         (JSC::toBigInt):
1067         * runtime/CommonSlowPaths.h:
1068         (JSC::CommonSlowPaths::opInByVal):
1069         * runtime/ConstructData.cpp:
1070         (JSC::construct):
1071         * runtime/DateConstructor.cpp:
1072         (JSC::dateParse):
1073         * runtime/DatePrototype.cpp:
1074         (JSC::dateProtoFuncToPrimitiveSymbol):
1075         * runtime/DirectArguments.h:
1076         * runtime/ErrorConstructor.cpp:
1077         (JSC::Interpreter::constructWithErrorConstructor):
1078         * runtime/ErrorPrototype.cpp:
1079         (JSC::errorProtoFuncToString):
1080         * runtime/ExceptionScope.h:
1081         * runtime/FunctionConstructor.cpp:
1082         (JSC::constructFunction):
1083         * runtime/FunctionPrototype.cpp:
1084         (JSC::functionProtoFuncToString):
1085         * runtime/GenericArgumentsInlines.h:
1086         (JSC::GenericArguments<Type>::defineOwnProperty):
1087         * runtime/GetterSetter.cpp:
1088         (JSC::callGetter):
1089         * runtime/IntlCollatorConstructor.cpp:
1090         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1091         * runtime/IntlCollatorPrototype.cpp:
1092         (JSC::IntlCollatorFuncCompare):
1093         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1094         * runtime/IntlDateTimeFormatConstructor.cpp:
1095         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1096         * runtime/IntlDateTimeFormatPrototype.cpp:
1097         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1098         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
1099         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1100         * runtime/IntlNumberFormatConstructor.cpp:
1101         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1102         * runtime/IntlNumberFormatPrototype.cpp:
1103         (JSC::IntlNumberFormatFuncFormatNumber):
1104         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
1105         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1106         * runtime/IntlObject.cpp:
1107         (JSC::intlNumberOption):
1108         * runtime/IntlObjectInlines.h:
1109         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1110         * runtime/IntlPluralRules.cpp:
1111         (JSC::IntlPluralRules::resolvedOptions):
1112         * runtime/IntlPluralRulesConstructor.cpp:
1113         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
1114         * runtime/IntlPluralRulesPrototype.cpp:
1115         (JSC::IntlPluralRulesPrototypeFuncSelect):
1116         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
1117         * runtime/JSArray.cpp:
1118         (JSC::JSArray::defineOwnProperty):
1119         (JSC::JSArray::put):
1120         (JSC::JSArray::setLength):
1121         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1122         * runtime/JSArrayBufferPrototype.cpp:
1123         (JSC::arrayBufferProtoGetterFuncByteLength):
1124         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
1125         * runtime/JSArrayInlines.h:
1126         (JSC::toLength):
1127         * runtime/JSBoundFunction.cpp:
1128         (JSC::boundFunctionCall):
1129         (JSC::boundFunctionConstruct):
1130         * runtime/JSCJSValue.cpp:
1131         (JSC::JSValue::putToPrimitive):
1132         * runtime/JSCJSValueInlines.h:
1133         (JSC::JSValue::toIndex const):
1134         (JSC::JSValue::toPropertyKey const):
1135         (JSC::JSValue::get const):
1136         (JSC::JSValue::getPropertySlot const):
1137         (JSC::JSValue::getOwnPropertySlot const):
1138         (JSC::JSValue::equalSlowCaseInline):
1139         * runtime/JSDataView.cpp:
1140         (JSC::JSDataView::put):
1141         (JSC::JSDataView::defineOwnProperty):
1142         * runtime/JSFunction.cpp:
1143         (JSC::JSFunction::put):
1144         (JSC::JSFunction::defineOwnProperty):
1145         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1146         (JSC::constructGenericTypedArrayViewWithArguments):
1147         (JSC::constructGenericTypedArrayView):
1148         * runtime/JSGenericTypedArrayViewInlines.h:
1149         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1150         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1151         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1152         (JSC::speciesConstruct):
1153         (JSC::genericTypedArrayViewProtoFuncJoin):
1154         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1155         * runtime/JSGlobalObject.cpp:
1156         (JSC::JSGlobalObject::put):
1157         * runtime/JSGlobalObjectFunctions.cpp:
1158         (JSC::decode):
1159         (JSC::globalFuncEval):
1160         (JSC::globalFuncProtoGetter):
1161         * runtime/JSInternalPromise.cpp:
1162         (JSC::JSInternalPromise::then):
1163         * runtime/JSModuleEnvironment.cpp:
1164         (JSC::JSModuleEnvironment::put):
1165         * runtime/JSModuleLoader.cpp:
1166         (JSC::JSModuleLoader::provideFetch):
1167         (JSC::JSModuleLoader::loadAndEvaluateModule):
1168         (JSC::JSModuleLoader::loadModule):
1169         (JSC::JSModuleLoader::linkAndEvaluateModule):
1170         (JSC::JSModuleLoader::requestImportModule):
1171         (JSC::JSModuleLoader::getModuleNamespaceObject):
1172         (JSC::moduleLoaderRequestedModules):
1173         * runtime/JSONObject.cpp:
1174         (JSC::Stringifier::stringify):
1175         (JSC::Stringifier::toJSON):
1176         (JSC::Walker::walk):
1177         (JSC::JSONProtoFuncStringify):
1178         * runtime/JSObject.cpp:
1179         (JSC::ordinarySetSlow):
1180         (JSC::JSObject::putInlineSlow):
1181         (JSC::JSObject::toPrimitive const):
1182         (JSC::JSObject::hasInstance):
1183         (JSC::JSObject::toNumber const):
1184         (JSC::JSObject::defineOwnIndexedProperty):
1185         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1186         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1187         (JSC::JSObject::defineOwnNonIndexProperty):
1188         * runtime/JSObject.h:
1189         (JSC::JSObject::get const):
1190         * runtime/JSObjectInlines.h:
1191         (JSC::JSObject::getPropertySlot const):
1192         (JSC::JSObject::putInlineForJSObject):
1193         * runtime/MapConstructor.cpp:
1194         (JSC::constructMap):
1195         * runtime/NativeErrorConstructor.cpp:
1196         (JSC::Interpreter::constructWithNativeErrorConstructor):
1197         * runtime/ObjectConstructor.cpp:
1198         (JSC::constructObject):
1199         (JSC::objectConstructorGetPrototypeOf):
1200         (JSC::objectConstructorGetOwnPropertyDescriptor):
1201         (JSC::objectConstructorGetOwnPropertyDescriptors):
1202         (JSC::objectConstructorGetOwnPropertyNames):
1203         (JSC::objectConstructorGetOwnPropertySymbols):
1204         (JSC::objectConstructorKeys):
1205         (JSC::objectConstructorDefineProperty):
1206         (JSC::objectConstructorDefineProperties):
1207         (JSC::objectConstructorCreate):
1208         * runtime/ObjectPrototype.cpp:
1209         (JSC::objectProtoFuncToLocaleString):
1210         (JSC::objectProtoFuncToString):
1211         * runtime/Operations.cpp:
1212         (JSC::jsAddSlowCase):
1213         * runtime/Operations.h:
1214         (JSC::jsString):
1215         (JSC::jsLess):
1216         (JSC::jsLessEq):
1217         * runtime/ParseInt.h:
1218         (JSC::toStringView):
1219         * runtime/ProxyConstructor.cpp:
1220         (JSC::constructProxyObject):
1221         * runtime/ProxyObject.cpp:
1222         (JSC::ProxyObject::toStringName):
1223         (JSC::performProxyGet):
1224         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1225         (JSC::ProxyObject::performHasProperty):
1226         (JSC::ProxyObject::getOwnPropertySlotCommon):
1227         (JSC::ProxyObject::performPut):
1228         (JSC::ProxyObject::putByIndexCommon):
1229         (JSC::performProxyCall):
1230         (JSC::performProxyConstruct):
1231         (JSC::ProxyObject::performDelete):
1232         (JSC::ProxyObject::performPreventExtensions):
1233         (JSC::ProxyObject::performIsExtensible):
1234         (JSC::ProxyObject::performDefineOwnProperty):
1235         (JSC::ProxyObject::performSetPrototype):
1236         (JSC::ProxyObject::performGetPrototype):
1237         * runtime/ReflectObject.cpp:
1238         (JSC::reflectObjectConstruct):
1239         (JSC::reflectObjectDefineProperty):
1240         (JSC::reflectObjectGet):
1241         (JSC::reflectObjectGetOwnPropertyDescriptor):
1242         (JSC::reflectObjectGetPrototypeOf):
1243         (JSC::reflectObjectOwnKeys):
1244         (JSC::reflectObjectSet):
1245         * runtime/RegExpConstructor.cpp:
1246         (JSC::constructRegExp):
1247         * runtime/RegExpObject.cpp:
1248         (JSC::RegExpObject::defineOwnProperty):
1249         (JSC::RegExpObject::matchGlobal):
1250         * runtime/RegExpPrototype.cpp:
1251         (JSC::regExpProtoFuncTestFast):
1252         (JSC::regExpProtoFuncExec):
1253         (JSC::regExpProtoFuncToString):
1254         * runtime/ScriptExecutable.cpp:
1255         (JSC::ScriptExecutable::newCodeBlockFor):
1256         * runtime/SetConstructor.cpp:
1257         (JSC::constructSet):
1258         * runtime/SparseArrayValueMap.cpp:
1259         (JSC::SparseArrayValueMap::putEntry):
1260         (JSC::SparseArrayEntry::put):
1261         * runtime/StringConstructor.cpp:
1262         (JSC::stringFromCharCode):
1263         (JSC::stringFromCodePoint):
1264         * runtime/StringObject.cpp:
1265         (JSC::StringObject::put):
1266         (JSC::StringObject::putByIndex):
1267         (JSC::StringObject::defineOwnProperty):
1268         * runtime/StringPrototype.cpp:
1269         (JSC::jsSpliceSubstrings):
1270         (JSC::jsSpliceSubstringsWithSeparators):
1271         (JSC::removeUsingRegExpSearch):
1272         (JSC::replaceUsingRegExpSearch):
1273         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1274         (JSC::replaceUsingStringSearch):
1275         (JSC::repeatCharacter):
1276         (JSC::replace):
1277         (JSC::stringProtoFuncReplaceUsingRegExp):
1278         (JSC::stringProtoFuncReplaceUsingStringSearch):
1279         (JSC::stringProtoFuncSplitFast):
1280         (JSC::stringProtoFuncToLowerCase):
1281         (JSC::stringProtoFuncToUpperCase):
1282         (JSC::toLocaleCase):
1283         (JSC::trimString):
1284         (JSC::stringProtoFuncIncludes):
1285         (JSC::builtinStringIncludesInternal):
1286         (JSC::normalize):
1287         (JSC::stringProtoFuncNormalize):
1288         * runtime/SymbolPrototype.cpp:
1289         (JSC::symbolProtoFuncToString):
1290         (JSC::symbolProtoFuncValueOf):
1291         * tools/JSDollarVM.cpp:
1292         (WTF::functionWasmStreamingParserAddBytes):
1293         (JSC::functionGetPrivateProperty):
1294         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1295         (JSC::constructJSWebAssemblyCompileError):
1296         * wasm/js/WebAssemblyModuleConstructor.cpp:
1297         (JSC::constructJSWebAssemblyModule):
1298         (JSC::WebAssemblyModuleConstructor::createModule):
1299         * wasm/js/WebAssemblyTableConstructor.cpp:
1300         (JSC::constructJSWebAssemblyTable):
1301         * wasm/js/WebAssemblyWrapperFunction.cpp:
1302         (JSC::callWebAssemblyWrapperFunction):
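
        The macro pattern from the entry above, as an added C++ example that is not part of the WebKit patch. VM and ThrowScope are constructed models of JSC's exception-scope discipline, and the body of RELEASE_AND_RETURN is written here from the entry's description rather than copied from ExceptionScope.h; halve, quarter and tryQuarter are example functions showing where RETURN_IF_EXCEPTION and RELEASE_AND_RETURN each apply.

```cpp
#include <cassert>
#include <optional>
#include <string>
#include <utility>

// Constructed stand-in for the VM's pending-exception slot.
struct VM {
    std::optional<std::string> exception;
    bool hasException() const { return exception.has_value(); }
};

// Constructed model of the ThrowScope discipline: a function that leaves with
// an exception pending must have thrown it, checked for it, or released the
// scope (handing the check to its caller); otherwise the destructor asserts.
class ThrowScope {
public:
    explicit ThrowScope(VM& vm) : m_vm(vm) {}
    ~ThrowScope() { assert(!m_vm.hasException() || m_handled); }
    void throwException(std::string message) { m_vm.exception = std::move(message); m_handled = true; }
    bool exception() { m_handled = true; return m_vm.hasException(); }
    void release() { m_handled = true; }
private:
    VM& m_vm;
    bool m_handled = false;
};

// Existing pattern: check after each call that can throw and bail out early.
#define RETURN_IF_EXCEPTION(scope, value) \
    do { if ((scope).exception()) return value; } while (0)

// The new macro as described (shape assumed here): release the scope and
// return the expression's value without a redundant check; the caller's own
// scope performs the check.
#define RELEASE_AND_RETURN(scope, expression) \
    do { (scope).release(); return expression; } while (0)

// Leaf operation that throws on odd input.
int halve(VM& vm, int input) {
    ThrowScope scope(vm);
    if (input % 2 != 0) {
        scope.throwException("odd input");
        return 0;
    }
    return input / 2;
}

// Two calls that can throw: the first needs an early-out check, the last is
// the return value itself, which is exactly the case RELEASE_AND_RETURN covers.
int quarter(VM& vm, int input) {
    ThrowScope scope(vm);
    int half = halve(vm, input);
    RETURN_IF_EXCEPTION(scope, 0);
    RELEASE_AND_RETURN(scope, halve(vm, half));
}

// Top-level caller that turns a pending exception into an empty result.
std::optional<int> tryQuarter(int input) {
    VM vm;
    ThrowScope scope(vm);
    int result = quarter(vm, input);
    if (scope.exception())
        return std::nullopt;
    return result;
}
```

        Without the release, `return halve(vm, half);` in quarter() would leave an exception pending that this scope never checked, and the destructor assertion would fire; the macro records that the check is deliberately delegated to the caller.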
1303
1304 2018-10-01  Koby Boyango  <koby.b@mce-sys.com>
1305
1306         [JSC] Add a JSONStringify overload that receives a JSValue space
1307         https://bugs.webkit.org/show_bug.cgi?id=190131
1308
1309         Reviewed by Yusuke Suzuki.
1310
1311         * runtime/JSONObject.cpp:
1312         * runtime/JSONObject.h:
1313
1314 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1315
1316         Unreviewed, rolling out r236647.
1317         https://bugs.webkit.org/show_bug.cgi?id=190124
1318
1319         Breaking test stress/big-int-to-string.js (Requested by
1320         caiolima_ on #webkit).
1321
1322         Reverted changeset:
1323
1324         "[BigInt] BigInt.prototype.toString is broken when radix is
1325         power of 2"
1326         https://bugs.webkit.org/show_bug.cgi?id=190033
1327         https://trac.webkit.org/changeset/236647
1328
1329 2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1330
1331         [WebAssembly] Move type conversion code of JSToWasm return type to JS wasm wrapper
1332         https://bugs.webkit.org/show_bug.cgi?id=189498
1333
1334         Reviewed by Saam Barati.
1335
1336         To call JS-to-Wasm code we need to convert the result value from wasm function to
1337         the JS type. Previously this was done by callWebAssemblyFunction using a switch
1338         over signature.returnType(). But since we know the value of `signature.returnType()`
1339         at compiling phase, we can emit a small conversion code directly to JSToWasm glue
1340         and remove this switch from callWebAssemblyFunction.
1341
1342         In JSToWasm glue code, we do not have tag registers. So we use DoNotHaveTagRegisters
1343         in boxInt32 and boxDouble. Since boxDouble does not have DoNotHaveTagRegisters version,
1344         we add an implementation for that.
1345
1346         * jit/AssemblyHelpers.h:
1347         (JSC::AssemblyHelpers::boxDouble):
1348         * wasm/js/JSToWasm.cpp:
1349         (JSC::Wasm::createJSToWasmWrapper):
1350         * wasm/js/WebAssemblyFunction.cpp:
1351         (JSC::callWebAssemblyFunction):
1352
1353 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1354
1355         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1356         https://bugs.webkit.org/show_bug.cgi?id=190033
1357
1358         Reviewed by Yusuke Suzuki.
1359
1360         The implementation of JSBigInt::toStringToGeneric doesn't handle power
1361         of 2 radix when JSBigInt length is >= 2. To handle such cases, we
1362         implemented JSBigInt::toStringBasePowerOfTwo that follows the
1363         algorithm that groups bits using mask of (2 ^ n) - 1 to extract every
1364         digit.
1365
1366         * runtime/JSBigInt.cpp:
1367         (JSC::JSBigInt::toString):
1368         (JSC::JSBigInt::toStringBasePowerOfTwo):
1369         * runtime/JSBigInt.h:
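
        The bit-grouping algorithm named in this entry and in its earlier, rolled-back copy above, as an added C++ example that is not part of the WebKit patch: each digit of a power-of-two radix is a fixed group of bits extracted with mask = (2^n) - 1 = radix - 1, and a small accumulator carries leftover bits across limb boundaries, which is the multi-limb (length >= 2) case the generic path got wrong. ToyBigInt, makeToyBigInt and bitsPerDigit are constructed for this example and are not JSC's JSBigInt representation.

```cpp
#include <cassert>
#include <cstdint>
#include <initializer_list>
#include <string>
#include <vector>

// Constructed toy BigInt (not JSC's JSBigInt): magnitude as little-endian
// 32-bit limbs with no leading zero limbs, plus a sign flag.
struct ToyBigInt {
    std::vector<uint32_t> limbs; // limbs[0] is least significant
    bool negative = false;
};

ToyBigInt makeToyBigInt(std::initializer_list<uint32_t> limbs, bool negative = false) {
    ToyBigInt value;
    value.limbs.assign(limbs.begin(), limbs.end());
    while (!value.limbs.empty() && value.limbs.back() == 0)
        value.limbs.pop_back(); // normalize: drop leading zero limbs
    value.negative = negative && !value.limbs.empty(); // no negative zero
    return value;
}

// log2(radix) for a power-of-two radix in [2, 32]; 0 for anything else.
int bitsPerDigit(int radix) {
    if (radix < 2 || radix > 32 || (radix & (radix - 1)))
        return 0;
    int bits = 0;
    while ((1 << bits) < radix)
        bits++;
    return bits;
}

// Power-of-two radix conversion by grouping bits: every digit is
// (acc & mask) with mask = (2^bitsPerDigit) - 1 = radix - 1. The 64-bit
// accumulator carries the bits left over from one limb into the next.
std::string toStringBasePowerOfTwo(const ToyBigInt& value, int radix) {
    static const char digitChars[] = "0123456789abcdefghijklmnopqrstuvwxyz";
    const int bits = bitsPerDigit(radix);
    assert(bits > 0 && "radix must be a power of two in [2, 32]");
    const uint64_t mask = static_cast<uint64_t>(radix - 1);

    if (value.limbs.empty())
        return "0";

    std::string digits; // least-significant digit first
    uint64_t acc = 0;   // pending bits not yet emitted as digits
    int accBits = 0;    // < bits <= 5 after each limb, so acc never overflows
    for (uint32_t limb : value.limbs) {
        acc |= static_cast<uint64_t>(limb) << accBits;
        accBits += 32;
        while (accBits >= bits) {
            digits.push_back(digitChars[acc & mask]);
            acc >>= bits;
            accBits -= bits;
        }
    }
    if (accBits > 0)
        digits.push_back(digitChars[acc & mask]); // top partial group
    while (digits.size() > 1 && digits.back() == '0')
        digits.pop_back(); // drop leading zeros (at the back in LSD-first order)
    if (value.negative)
        digits.push_back('-');
    return std::string(digits.rbegin(), digits.rend());
}
```

        The cases worth exercising are the ones a single-limb path never hits: a digit group straddling two limbs (radix 8 or 32, where 32 is not a multiple of the group size), a top limb whose remaining bits form a partial group, and leading zero digits produced by a small top limb.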
1370
1371 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1372
1373         [ESNext][BigInt] Implement support for "&"
1374         https://bugs.webkit.org/show_bug.cgi?id=186228
1375
1376         Reviewed by Yusuke Suzuki.
1377
1378         This patch introduces support of BigInt into bitwise "&" operation.
1379         We are also introducing the ValueBitAnd DFG node, which is responsible
1380         for taking care of JIT for non-Int32 operands. With the introduction of this
1381         new node, we renamed the BitAnd node to ArithBitAnd. The ArithBitAnd
1382         follows the behavior of ArithAdd and other arithmetic nodes, where
1383         the Arith<op> version always results in Number (in the case of
1384         ArithBitAnd, it is always an Int32).
1385
1386         * bytecode/CodeBlock.cpp:
1387         (JSC::CodeBlock::finishCreation):
1388         * bytecompiler/BytecodeGenerator.cpp:
1389         (JSC::BytecodeGenerator::emitBinaryOp):
1390         * dfg/DFGAbstractInterpreterInlines.h:
1391         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1392         * dfg/DFGBackwardsPropagationPhase.cpp:
1393         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
1394         (JSC::DFG::BackwardsPropagationPhase::propagate):
1395         * dfg/DFGByteCodeParser.cpp:
1396         (JSC::DFG::ByteCodeParser::parseBlock):
1397         * dfg/DFGClobberize.h:
1398         (JSC::DFG::clobberize):
1399         * dfg/DFGDoesGC.cpp:
1400         (JSC::DFG::doesGC):
1401         * dfg/DFGFixupPhase.cpp:
1402         (JSC::DFG::FixupPhase::fixupNode):
1403         * dfg/DFGNodeType.h:
1404         * dfg/DFGOperations.cpp:
1405         * dfg/DFGOperations.h:
1406         * dfg/DFGPredictionPropagationPhase.cpp:
1407         * dfg/DFGSafeToExecute.h:
1408         (JSC::DFG::safeToExecute):
1409         * dfg/DFGSpeculativeJIT.cpp:
1410         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
1411         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
1412         * dfg/DFGSpeculativeJIT.h:
1413         (JSC::DFG::SpeculativeJIT::bitOp):
1414         * dfg/DFGSpeculativeJIT32_64.cpp:
1415         (JSC::DFG::SpeculativeJIT::compile):
1416         * dfg/DFGSpeculativeJIT64.cpp:
1417         (JSC::DFG::SpeculativeJIT::compile):
1418         * dfg/DFGStrengthReductionPhase.cpp:
1419         (JSC::DFG::StrengthReductionPhase::handleNode):
1420         * ftl/FTLCapabilities.cpp:
1421         (JSC::FTL::canCompile):
1422         * ftl/FTLLowerDFGToB3.cpp:
1423         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1424         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
1425         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitAnd):
1426         (JSC::FTL::DFG::LowerDFGToB3::compileBitAnd): Deleted.
1427         * jit/JIT.h:
1428         * jit/JITArithmetic.cpp:
1429         (JSC::JIT::emitBitBinaryOpFastPath):
1430         (JSC::JIT::emit_op_bitand):
1431         * llint/LowLevelInterpreter32_64.asm:
1432         * llint/LowLevelInterpreter64.asm:
1433         * runtime/CommonSlowPaths.cpp:
1434         (JSC::SLOW_PATH_DECL):
1435         * runtime/JSBigInt.cpp:
1436         (JSC::JSBigInt::JSBigInt):
1437         (JSC::JSBigInt::initialize):
1438         (JSC::JSBigInt::createZero):
1439         (JSC::JSBigInt::createFrom):
1440         (JSC::JSBigInt::bitwiseAnd):
1441         (JSC::JSBigInt::absoluteBitwiseOp):
1442         (JSC::JSBigInt::absoluteAnd):
1443         (JSC::JSBigInt::absoluteOr):
1444         (JSC::JSBigInt::absoluteAndNot):
1445         (JSC::JSBigInt::absoluteAddOne):
1446         (JSC::JSBigInt::absoluteSubOne):
1447         * runtime/JSBigInt.h:
1448         * runtime/JSCJSValue.h:
1449         * runtime/JSCJSValueInlines.h:
1450         (JSC::JSValue::toBigIntOrInt32 const):
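
The two BigInt entries above (toStringBasePowerOfTwo, and the sign-magnitude bitwise "&" built from absoluteAnd/absoluteOr/absoluteAndNot plus add-one/sub-one) as one worked example in JavaScript. It is added here and is not JSC's code: the limb layout, function names and the native-BigInt conversions used for checking are this example's own assumptions.

```javascript
// Added example, not JSC's code: a sign-magnitude bigint with 32-bit
// little-endian limbs, the layout the two entries above describe. A value is
// { sign, digits } with no leading zero limbs; zero is { sign: false, digits: [] }.
// All names here are this example's own, not JSBigInt's API.
const DIGIT_BITS = 32;
const DIGIT_MASK = 0xFFFFFFFFn;

function normalize(sign, digits) {
  while (digits.length && digits[digits.length - 1] === 0) digits.pop();
  return { sign: digits.length ? sign : false, digits };
}

// Conversions to and from native BigInt, used to check the results.
function fromNative(n) {
  const digits = [];
  for (let m = n < 0n ? -n : n; m > 0n; m >>= 32n) digits.push(Number(m & DIGIT_MASK));
  return normalize(n < 0n, digits);
}

function toNative(b) {
  let v = 0n;
  for (let i = b.digits.length - 1; i >= 0; i--) v = (v << 32n) | BigInt(b.digits[i]);
  return b.sign ? -v : v;
}

// toString for radix 2, 4, 8, 16 or 32: every output character is one group of
// log2(radix) bits, so each digit is extracted with shifts and the mask
// (2^bitsPerChar) - 1, also when a group straddles two limbs.
function toStringBasePowerOfTwo(b, radix) {
  const bitsPerChar = 31 - Math.clz32(radix);
  if (bitsPerChar < 1 || bitsPerChar > 5 || radix !== 1 << bitsPerChar)
    throw new RangeError("radix must be 2, 4, 8, 16 or 32");
  if (b.digits.length === 0) return "0";
  const mask = (1 << bitsPerChar) - 1;
  const alphabet = "0123456789abcdefghijklmnopqrstuvwxyz";
  const chars = [];
  for (let pos = 0; pos < b.digits.length * DIGIT_BITS; pos += bitsPerChar) {
    const limb = pos >>> 5, shift = pos & 31;
    let group = (b.digits[limb] >>> shift) & mask;
    // The rest of a straddling group sits in the low bits of the next limb.
    if (shift + bitsPerChar > DIGIT_BITS && limb + 1 < b.digits.length)
      group |= (b.digits[limb + 1] << (DIGIT_BITS - shift)) & mask;
    chars.push(alphabet[group]);
  }
  while (chars.length > 1 && chars[chars.length - 1] === "0") chars.pop();
  return (b.sign ? "-" : "") + chars.reverse().join("");
}

// Magnitude-only helpers on limb arrays; a missing limb reads as zero.
function absoluteAnd(a, b) {
  const r = [];
  for (let i = 0; i < Math.min(a.length, b.length); i++) r.push((a[i] & b[i]) >>> 0);
  return r;
}
function absoluteOr(a, b) {
  const r = [];
  for (let i = 0; i < Math.max(a.length, b.length); i++) r.push(((a[i] || 0) | (b[i] || 0)) >>> 0);
  return r;
}
function absoluteAndNot(a, b) {
  const r = [];
  for (let i = 0; i < a.length; i++) r.push((a[i] & ~(b[i] || 0)) >>> 0);
  return r;
}
function absoluteAddOne(a) {
  const r = [];
  let carry = 1;
  for (const d of a) { const s = d + carry; r.push(s >>> 0); carry = s > 0xFFFFFFFF ? 1 : 0; }
  if (carry) r.push(1);
  return r;
}
function absoluteSubOne(a) { // the caller guarantees a is non-zero
  const r = [];
  let borrow = 1;
  for (const d of a) { r.push((d - borrow) >>> 0); borrow = d < borrow ? 1 : 0; }
  return r;
}

// x & y on sign-magnitude values through the two's-complement identities
//   (-x) & (-y) = ~(x-1) & ~(y-1) = -(((x-1) | (y-1)) + 1)
//   x & (-y)    = x & ~(y-1)
// so only non-negative magnitudes are ever combined.
function bitwiseAnd(x, y) {
  if (!x.sign && !y.sign) return normalize(false, absoluteAnd(x.digits, y.digits));
  if (x.sign && y.sign) {
    const merged = absoluteOr(absoluteSubOne(x.digits), absoluteSubOne(y.digits));
    return normalize(true, absoluteAddOne(merged));
  }
  const [positive, negative] = x.sign ? [y, x] : [x, y];
  return normalize(false, absoluteAndNot(positive.digits, absoluteSubOne(negative.digits)));
}
```

Every result can be cross-checked against native BigInt with `toNative(...)` and `v.toString(radix)`, which is how the sign handling and the limb-straddling groups were validated.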
1451
1452 2018-09-28  Mark Lam  <mark.lam@apple.com>
1453
1454         Gardening: speculative build fix.
1455         <rdar://problem/44869924>
1456
1457         Not reviewed.
1458
1459         * assembler/LinkBuffer.cpp:
1460         (JSC::LinkBuffer::copyCompactAndLinkCode):
1461
1462 2018-09-28  Guillaume Emont  <guijemont@igalia.com>
1463
1464         [JSC] [Armv7] Add a copy function argument to MacroAssemblerARMv7::link() and pass it down to the assembler's linking functions.
1465         https://bugs.webkit.org/show_bug.cgi?id=190080
1466
1467         Reviewed by Mark Lam.
1468
1469         * assembler/ARMv7Assembler.h:
1470         (JSC::ARMv7Assembler::link):
1471         (JSC::ARMv7Assembler::linkJumpT1):
1472         (JSC::ARMv7Assembler::linkJumpT2):
1473         (JSC::ARMv7Assembler::linkJumpT3):
1474         (JSC::ARMv7Assembler::linkJumpT4):
1475         (JSC::ARMv7Assembler::linkConditionalJumpT4):
1476         (JSC::ARMv7Assembler::linkBX):
1477         (JSC::ARMv7Assembler::linkConditionalBX):
1478         * assembler/MacroAssemblerARMv7.h:
1479         (JSC::MacroAssemblerARMv7::link):
1480
1481 2018-09-27  Saam barati  <sbarati@apple.com>
1482
1483         Verify the contents of AssemblerBuffer on arm64e
1484         https://bugs.webkit.org/show_bug.cgi?id=190057
1485         <rdar://problem/38916630>
1486
1487         Reviewed by Mark Lam.
1488
1489         * assembler/ARM64Assembler.h:
1490         (JSC::ARM64Assembler::ARM64Assembler):
1491         (JSC::ARM64Assembler::fillNops):
1492         (JSC::ARM64Assembler::link):
1493         (JSC::ARM64Assembler::linkJumpOrCall):
1494         (JSC::ARM64Assembler::linkCompareAndBranch):
1495         (JSC::ARM64Assembler::linkConditionalBranch):
1496         (JSC::ARM64Assembler::linkTestAndBranch):
1497         (JSC::ARM64Assembler::unlinkedCode): Deleted.
1498         * assembler/ARMAssembler.h:
1499         (JSC::ARMAssembler::fillNops):
1500         * assembler/ARMv7Assembler.h:
1501         (JSC::ARMv7Assembler::unlinkedCode): Deleted.
1502         * assembler/AbstractMacroAssembler.h:
1503         (JSC::AbstractMacroAssembler::emitNops):
1504         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
1505         * assembler/AssemblerBuffer.h:
1506         (JSC::ARM64EHash::ARM64EHash):
1507         (JSC::ARM64EHash::update):
1508         (JSC::ARM64EHash::hash const):
1509         (JSC::ARM64EHash::randomSeed const):
1510         (JSC::AssemblerBuffer::AssemblerBuffer):
1511         (JSC::AssemblerBuffer::putShort):
1512         (JSC::AssemblerBuffer::putIntUnchecked):
1513         (JSC::AssemblerBuffer::putInt):
1514         (JSC::AssemblerBuffer::hash const):
1515         (JSC::AssemblerBuffer::data const):
1516         (JSC::AssemblerBuffer::putIntegralUnchecked):
1517         (JSC::AssemblerBuffer::append): Deleted.
1518         * assembler/LinkBuffer.cpp:
1519         (JSC::LinkBuffer::copyCompactAndLinkCode):
1520         * assembler/MIPSAssembler.h:
1521         (JSC::MIPSAssembler::fillNops):
1522         * assembler/MacroAssemblerARM64.h:
1523         (JSC::MacroAssemblerARM64::jumpsToLink):
1524         (JSC::MacroAssemblerARM64::link):
1525         (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
1526         * assembler/MacroAssemblerARMv7.h:
1527         (JSC::MacroAssemblerARMv7::jumpsToLink):
1528         (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
1529         * assembler/X86Assembler.h:
1530         (JSC::X86Assembler::fillNops):
1531
1532 2018-09-27  Mark Lam  <mark.lam@apple.com>
1533
1534         ByValInfo should not use integer offsets.
1535         https://bugs.webkit.org/show_bug.cgi?id=190070
1536         <rdar://problem/44803430>
1537
1538         Reviewed by Saam Barati.
1539
1540         Also moved some fields around to allow the ByValInfo struct to be more densely packed.
1541
1542         * bytecode/ByValInfo.h:
1543         (JSC::ByValInfo::ByValInfo):
1544         * jit/JIT.cpp:
1545         (JSC::JIT::link):
1546         * jit/JITOpcodes.cpp:
1547         (JSC::JIT::privateCompileHasIndexedProperty):
1548         * jit/JITOpcodes32_64.cpp:
1549         (JSC::JIT::privateCompileHasIndexedProperty):
1550         * jit/JITPropertyAccess.cpp:
1551         (JSC::JIT::privateCompileGetByVal):
1552         (JSC::JIT::privateCompileGetByValWithCachedId):
1553         (JSC::JIT::privateCompilePutByVal):
1554         (JSC::JIT::privateCompilePutByValWithCachedId):
1555
1556 2018-09-27  Saam barati  <sbarati@apple.com>
1557
1558         DFG::OSRExit::m_patchableCodeOffset should not be an int
1559         https://bugs.webkit.org/show_bug.cgi?id=190066
1560         <rdar://problem/39498244>
1561
1562         Reviewed by Mark Lam.
1563
1564         * dfg/DFGJITCompiler.cpp:
1565         (JSC::DFG::JITCompiler::linkOSRExits):
1566         (JSC::DFG::JITCompiler::link):
1567         * dfg/DFGOSRExit.cpp:
1568         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1569         (JSC::DFG::OSRExit::compileOSRExit):
1570         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
1571         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
1572         (JSC::DFG::OSRExit::correctJump): Deleted.
1573         * dfg/DFGOSRExit.h:
1574         * dfg/DFGOSRExitCompilationInfo.h:
1575
1576 2018-09-27  Saam barati  <sbarati@apple.com>
1577
1578         Don't use int offsets in StructureStubInfo
1579         https://bugs.webkit.org/show_bug.cgi?id=190064
1580         <rdar://problem/44784719>
1581
1582         Reviewed by Mark Lam.
1583
1584         * bytecode/InlineAccess.cpp:
1585         (JSC::linkCodeInline):
1586         * bytecode/StructureStubInfo.h:
1587         (JSC::StructureStubInfo::slowPathCallLocation):
1588         (JSC::StructureStubInfo::doneLocation):
1589         (JSC::StructureStubInfo::slowPathStartLocation):
1590         * jit/JITInlineCacheGenerator.cpp:
1591         (JSC::JITInlineCacheGenerator::finalize):
1592
1593 2018-09-27  Mark Lam  <mark.lam@apple.com>
1594
1595         DFG::OSREntry::m_machineCodeOffset should be a CodeLocation.
1596         https://bugs.webkit.org/show_bug.cgi?id=190054
1597         <rdar://problem/44803543>
1598
1599         Reviewed by Saam Barati.
1600
1601         * dfg/DFGJITCode.h:
1602         (JSC::DFG::JITCode::appendOSREntryData):
1603         * dfg/DFGJITCompiler.cpp:
1604         (JSC::DFG::JITCompiler::noticeOSREntry):
1605         * dfg/DFGOSREntry.cpp:
1606         (JSC::DFG::OSREntryData::dumpInContext const):
1607         (JSC::DFG::prepareOSREntry):
1608         * dfg/DFGOSREntry.h:
1609         * runtime/JSCPtrTag.h:
1610
1611 2018-09-27  Mark Lam  <mark.lam@apple.com>
1612
1613         JITMathIC should not use integer offsets into machine code.
1614         https://bugs.webkit.org/show_bug.cgi?id=190030
1615         <rdar://problem/44803307>
1616
1617         Reviewed by Saam Barati.
1618
1619         We'll replace them with CodeLocation smart pointers instead.
1620
1621         * jit/JITMathIC.h:
1622         (JSC::isProfileEmpty):
1623
1624 2018-09-26  Mark Lam  <mark.lam@apple.com>
1625
1626         Options::useSeparatedWXHeap() should always be false when ENABLE(FAST_JIT_PERMISSIONS) && CPU(ARM64E).
1627         https://bugs.webkit.org/show_bug.cgi?id=190022
1628         <rdar://problem/44800928>
1629
1630         Reviewed by Saam Barati.
1631
1632         * jit/ExecutableAllocator.cpp:
1633         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1634         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1635         * jit/ExecutableAllocator.h:
1636         (JSC::performJITMemcpy):
1637         * runtime/Options.cpp:
1638         (JSC::recomputeDependentOptions):
1639
1640 2018-09-26  Mark Lam  <mark.lam@apple.com>
1641
1642         Assert that performJITMemcpy() is always called with instruction size aligned addresses on ARM64.
1643         https://bugs.webkit.org/show_bug.cgi?id=190016
1644         <rdar://problem/44802875>
1645
1646         Reviewed by Saam Barati.
1647
1648         Also assert in performJITMemcpy() that the entire buffer to be copied will fit in
1649         JIT memory.
1650
1651         * assembler/ARM64Assembler.h:
1652         (JSC::ARM64Assembler::fillNops):
1653         (JSC::ARM64Assembler::replaceWithVMHalt):
1654         (JSC::ARM64Assembler::replaceWithJump):
1655         (JSC::ARM64Assembler::replaceWithLoad):
1656         (JSC::ARM64Assembler::replaceWithAddressComputation):
1657         (JSC::ARM64Assembler::setPointer):
1658         (JSC::ARM64Assembler::repatchInt32):
1659         (JSC::ARM64Assembler::repatchCompact):
1660         (JSC::ARM64Assembler::linkJumpOrCall):
1661         (JSC::ARM64Assembler::linkCompareAndBranch):
1662         (JSC::ARM64Assembler::linkConditionalBranch):
1663         (JSC::ARM64Assembler::linkTestAndBranch):
1664         * assembler/LinkBuffer.cpp:
1665         (JSC::LinkBuffer::copyCompactAndLinkCode):
1666         (JSC::LinkBuffer::linkCode):
1667         * jit/ExecutableAllocator.h:
1668         (JSC::performJITMemcpy):
1669
1670 2018-09-25  Keith Miller  <keith_miller@apple.com>
1671
1672         Move Symbol API to SPI
1673         https://bugs.webkit.org/show_bug.cgi?id=189946
1674
1675         Reviewed by Michael Saboff.
1676
1677         Some of the property access methods on JSValue needed to be moved
1678         to a category so that SPI overloads don't result in a compiler
1679         error for internal users.
1680
1681         Additionally, this patch does not move the new enum entry for
1682         Symbols in the JSType enumeration.
1683
1684         * API/JSObjectRef.h:
1685         * API/JSObjectRefPrivate.h:
1686         * API/JSValue.h:
1687         * API/JSValuePrivate.h:
1688         * API/JSValueRef.h:
1689
1690 2018-09-26  Keith Miller  <keith_miller@apple.com>
1691
1692         We should zero unused property storage when rebalancing array storage.
1693         https://bugs.webkit.org/show_bug.cgi?id=188151
1694
1695         Reviewed by Michael Saboff.
1696
1697         In unshiftCountSlowCase we sometimes will move property storage to the right even when net adding elements.
1698         This can happen because we "balance" the pre/post-capacity in that code so we need to zero the unused
1699         property storage.
1700
1701         * runtime/JSArray.cpp:
1702         (JSC::JSArray::unshiftCountSlowCase):
1703
1704 2018-09-26  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1705
1706         Unreviewed, add scope verification handling
1707         https://bugs.webkit.org/show_bug.cgi?id=189780
1708
1709         * runtime/ArrayPrototype.cpp:
1710         (JSC::arrayProtoFuncIndexOf):
1711         (JSC::arrayProtoFuncLastIndexOf):
1712
1713 2018-09-26  Koby Boyango  <koby.b@mce.systems>
1714
1715         [JSC] offlineasm parser should handle CRLF in asm files
1716         https://bugs.webkit.org/show_bug.cgi?id=189949
1717
1718         Reviewed by Mark Lam.
1719
1720         * offlineasm/parser.rb:
1721
1722 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1723
1724         [JSC] Optimize Array#lastIndexOf
1725         https://bugs.webkit.org/show_bug.cgi?id=189780
1726
1727         Reviewed by Saam Barati.
1728
1729         Optimize Array#lastIndexOf in the same way as Array#indexOf. We add a fast path
1730         for JSArray with contiguous storage.
1731
1732         * runtime/ArrayPrototype.cpp:
1733         (JSC::arrayProtoFuncLastIndexOf):
1734
1735 2018-09-25  Saam Barati  <sbarati@apple.com>
1736
1737         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
1738         https://bugs.webkit.org/show_bug.cgi?id=189940
1739         <rdar://problem/43640987>
1740
1741         Reviewed by Mark Lam.
1742
1743         We were calling baselineCodeBlockForOriginAndBaselineCodeBlock with the FTL
1744         CodeBlock. There is nothing semantically wrong with doing that (except for
1745         poor naming), however, the poor naming here led us to make a real semantic
1746         mistake. We wanted the baseline CodeBlock's constant pool, but we were
1747         accessing the FTL CodeBlock's constant pool accidentally. We need to
1748         access the baseline CodeBlock's constant pool when we update the NewArrayBuffer
1749         constant value.
1750
1751         * bytecode/InlineCallFrame.h:
1752         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
1753         * ftl/FTLOperations.cpp:
1754         (JSC::FTL::operationMaterializeObjectInOSR):
1755
1756 2018-09-25  Joseph Pecoraro  <pecoraro@apple.com>
1757
1758         Web Inspector: Stricter block syntax in generated ObjC protocol interfaces
1759         https://bugs.webkit.org/show_bug.cgi?id=189962
1760         <rdar://problem/44648287>
1761
1762         Reviewed by Brian Burg.
1763
1764         * inspector/scripts/codegen/generate_objc_header.py:
1765         (ObjCHeaderGenerator._callback_block_for_command):
1766         If there are no return parameters include "void" in the block signature.
1767
1768         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1769         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1770         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1771         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1772         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1773         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1774         Rebaseline test results.
1775
1776 2018-09-24  Joseph Pecoraro  <pecoraro@apple.com>
1777
1778         Remove AUTHORS and THANKS files which are stale
1779         https://bugs.webkit.org/show_bug.cgi?id=189941
1780
1781         Reviewed by Darin Adler.
1782
1783         Included mentions below so their names are still in ChangeLogs.
1784
1785         * AUTHORS: Removed.
1786         Harri Porten (porten@kde.org) and Peter Kelly (pmk@post.com).
1787         These authors remain mentioned in copyrights in source files.
1788
1789         * THANKS: Removed.
1790         Richard Moore <rich@kde.org> - for filling the Math object with some life
1791         Daegeun Lee <realking@mizi.com> - for pointing out some bugs and providing much code for the String and Date object.
1792         Marco Pinelli <pinmc@libero.it> - for his patches
1793         Christian Kirsch <ck@held.mind.de> - for his contribution to the Date object
1794         
1795 2018-09-24  Fujii Hironori  <Hironori.Fujii@sony.com>
1796
1797         Rename WTF_COMPILER_GCC_OR_CLANG to WTF_COMPILER_GCC_COMPATIBLE
1798         https://bugs.webkit.org/show_bug.cgi?id=189733
1799
1800         Reviewed by Michael Catanzaro.
1801
1802         * assembler/ARM64Assembler.h:
1803         * assembler/ARMAssembler.h:
1804         (JSC::ARMAssembler::cacheFlush):
1805         * assembler/MacroAssemblerARM.cpp:
1806         (JSC::isVFPPresent):
1807         * assembler/MacroAssemblerARM64.cpp:
1808         * assembler/MacroAssemblerARMv7.cpp:
1809         * assembler/MacroAssemblerMIPS.cpp:
1810         * assembler/MacroAssemblerX86Common.cpp:
1811         * heap/HeapCell.cpp:
1812         * heap/HeapCell.h:
1813         * jit/HostCallReturnValue.h:
1814         * jit/JIT.h:
1815         * jit/JITOperations.cpp:
1816         * jit/ThunkGenerators.cpp:
1817         * runtime/ArrayConventions.cpp:
1818         (JSC::clearArrayMemset):
1819         * runtime/JSBigInt.cpp:
1820         (JSC::JSBigInt::digitDiv):
1821
1822 2018-09-24  Saam Barati  <sbarati@apple.com>
1823
1824         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
1825         https://bugs.webkit.org/show_bug.cgi?id=189922
1826         <rdar://problem/44651275>
1827
1828         Reviewed by Mark Lam.
1829
1830         The implementation was first getting the length to iterate up to,
1831         then getting the starting index. However, getting the starting
1832         index may perform effects. e.g, it could change the length of the
1833         array. This changes it so we verify the length is still valid.
1834
1835         * runtime/ArrayPrototype.cpp:
1836         (JSC::arrayProtoFuncIndexOf):
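
The length re-validation this entry describes, as an added JavaScript example that is not JSC's code: coercing fromIndex runs user code that shrinks the array, and the two fast paths differ only in whether they trust the length cached before that happened. The function names and the constructed shrinking case are this example's own.

```javascript
// Added example, not JSC's code. Number() on an object calls its valueOf, so
// user code runs between reading `length` and starting the scan.
function toStartIndex(fromIndex, length) {
  let n = fromIndex === undefined ? 0 : Math.trunc(Number(fromIndex)); // may run user code
  if (Number.isNaN(n)) n = 0;
  if (n >= length) return length;              // nothing left to scan
  return n < 0 ? Math.max(length + n, 0) : n;
}

// Fast path with the defect: the cached length is still trusted after the
// effects, so the scan keeps reading past the array's current end.
function indexOfStaleLength(array, searchElement, fromIndex) {
  const length = array.length;
  for (let k = toStartIndex(fromIndex, length); k < length; k++)
    if (array[k] === searchElement) return k;
  return -1;
}

// Fixed fast path: re-validate the length once the effects have run, and
// keep a HasProperty check so holes are never reported as matches.
function indexOfRevalidated(array, searchElement, fromIndex) {
  let length = array.length;
  let k = toStartIndex(fromIndex, length);
  length = Math.min(length, array.length);     // the array may have shrunk
  for (; k < length; k++)
    if (k in array && array[k] === searchElement) return k;
  return -1;
}

// Constructed case: coercing fromIndex truncates the array to two elements.
function shrinkingCase() {
  const array = [1, 2, 3, 4, 5, 6];
  const fromIndex = { valueOf() { array.length = 2; return 0; } };
  return { array, fromIndex };
}

// Searching for `undefined` makes the difference visible: past the new end
// every read yields undefined, which the stale-length scan reports as a hit.
function compareResults() {
  const a = shrinkingCase(), b = shrinkingCase(), c = shrinkingCase();
  return {
    stale: indexOfStaleLength(a.array, undefined, a.fromIndex),
    revalidated: indexOfRevalidated(b.array, undefined, b.fromIndex),
    native: c.array.indexOf(undefined, c.fromIndex),
  };
}
```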
1837
1838 2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>
1839
1840         offlineasm: fix macro scoping
1841         https://bugs.webkit.org/show_bug.cgi?id=189902
1842
1843         Reviewed by Mark Lam.
1844
1845         In the code below, the reference to `f` in `g`, which should refer to
1846         the outer macro definition, will instead refer to the f argument of the
1847         anonymous macro passed to `g`. That leads to this code failing to
1848         compile (f expected 0 args but got 1).
1849         
1850         ```
1851         macro f(x)
1852             move x, t0
1853         end
1854         
1855         macro g(fn)
1856             fn(macro () f(42) end)
1857         end
1858         
1859         g(macro(f) f() end)
1860         ```
1861
1862         * offlineasm/ast.rb:
1863         * offlineasm/transform.rb:
1864
1865 2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>
1866
1867         Add forEach method for iterating CodeBlock's ValueProfiles
1868         https://bugs.webkit.org/show_bug.cgi?id=189897
1869
1870         Reviewed by Mark Lam.
1871
1872         Add method to abstract how we find ValueProfiles in a CodeBlock in
1873         preparation for https://bugs.webkit.org/show_bug.cgi?id=189785, when
1874         ValueProfiles will be stored in the MetadataTable.
1875
1876         * bytecode/CodeBlock.cpp:
1877         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1878         (JSC::CodeBlock::updateAllValueProfilePredictions):
1879         (JSC::CodeBlock::shouldOptimizeNow):
1880         (JSC::CodeBlock::dumpValueProfiles):
1881         * bytecode/CodeBlock.h:
1882         (JSC::CodeBlock::forEachValueProfile):
1883         (JSC::CodeBlock::numberOfArgumentValueProfiles):
1884         (JSC::CodeBlock::valueProfileForArgument):
1885         (JSC::CodeBlock::numberOfValueProfiles):
1886         (JSC::CodeBlock::valueProfile):
1887         (JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
1888         (JSC::CodeBlock::getFromAllValueProfiles): Deleted.
1889         * tools/HeapVerifier.cpp:
1890         (JSC::HeapVerifier::validateJSCell):
1891
1892 2018-09-24  Saam barati  <sbarati@apple.com>
1893
1894         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
1895         https://bugs.webkit.org/show_bug.cgi?id=189682
1896         <rdar://problem/43557315>
1897
1898         Reviewed by Mark Lam.
1899
1900         Otherwise, if we have code like this:
1901         ```
1902         a: Arguments
1903         b: GetButterfly(@a)
1904         c: ForceExit
1905         d: GetArrayLength(@a, @b)
1906         ```
1907         it will get transformed into this invalid DFG IR:
1908         ```
1909         a: PhantomArguments
1910         b: Check(@a)
1911         c: ForceExit
1912         d: GetArrayLength(@a, @b)
1913         ```
1914         
1915         And we will fail DFG validation since @b does not have a result.
1916         
1917         The fix is to just remove all nodes after the ForceExit and plant an
1918         Unreachable after it. So the above program will now turn into this:
1919         ```
1920         a: PhantomArguments
1921         b: Check(@a)
1922         c: ForceExit
1923         e: Unreachable
1924         ```
1925
1926         * dfg/DFGArgumentsEliminationPhase.cpp:
1927
1928 2018-09-22  Saam barati  <sbarati@apple.com>
1929
1930         The sampling should not use Strong<CodeBlock> in its machineLocation field
1931         https://bugs.webkit.org/show_bug.cgi?id=189319
1932
1933         Reviewed by Filip Pizlo.
1934
1935         The sampling profiler has a CLI mode where we gather information about inline
1936         call frames. That data structure was using a Strong<CodeBlock>. We were
1937         constructing this Strong<CodeBlock> during GC concurrently to processing all
1938         the Strong handles. This is a bug since we end up corrupting that data
1939         structure. This patch fixes this by just making this data structure use the
1940         sampling profiler's mechanism for holding onto and properly visiting heap pointers.
1941
1942         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1943         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1944         * runtime/SamplingProfiler.cpp:
1945         (JSC::SamplingProfiler::processUnverifiedStackTraces):
1946
1947         (JSC::SamplingProfiler::reportTopFunctions):
1948         (JSC::SamplingProfiler::reportTopBytecodes):
1949         These CLI helpers needed a DeferGC otherwise we may end up deadlocking when we
1950         cause a GC to happen while already holding the sampling profiler's
1951         lock.
1952
1953 2018-09-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1954
1955         [JSC] Enable LLInt ASM interpreter on X64 and ARM64 in non JIT configuration
1956         https://bugs.webkit.org/show_bug.cgi?id=189778
1957
1958         Reviewed by Keith Miller.
1959
1960         LLInt ASM interpreter is 2x and 15% faster than CLoop interpreter on
1961         Linux and macOS respectively. We would like to enable it for non JIT
1962         configurations in X86_64 and ARM64.
1963
1964         This patch enables LLInt for non JIT builds in X86_64 and ARM64 architectures.
1965         Previously, we switched between the LLInt ASM interpreter and CLoop by using the ENABLE(JIT)
1966         configuration. But it is wrong in the new scenario since we have a build
1967         configuration that uses LLInt ASM interpreter and JIT is disabled. We introduce
1968         the ENABLE(C_LOOP) option, which represents that we use CLoop. And we replace
1969         ENABLE(JIT) with ENABLE(C_LOOP) if the previous ENABLE(JIT) is essentially just
1970         related to LLInt ASM interpreter and not related to JIT.
1971
1972         We also replace some ENABLE(JIT) configurations with ENABLE(ASSEMBLER).
1973         ENABLE(ASSEMBLER) is now enabled even if we disable JIT since MacroAssembler
1974         has machine register information that is used in LLInt ASM interpreter.
1975
1976         * API/tests/PingPongStackOverflowTest.cpp:
1977         (testPingPongStackOverflow):
1978         * CMakeLists.txt:
1979         * JavaScriptCore.xcodeproj/project.pbxproj:
1980         * assembler/MaxFrameExtentForSlowPathCall.h:
1981         * bytecode/CallReturnOffsetToBytecodeOffset.h: Removed. It is no longer used.
1982         * bytecode/CodeBlock.cpp:
1983         (JSC::CodeBlock::finishCreation):
1984         * bytecode/CodeBlock.h:
1985         (JSC::CodeBlock::calleeSaveRegisters const):
1986         (JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters):
1987         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
1988         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1989         * bytecode/Opcode.h:
1990         (JSC::padOpcodeName):
1991         * heap/Heap.cpp:
1992         (JSC::Heap::gatherJSStackRoots):
1993         (JSC::Heap::stopThePeriphery):
1994         * interpreter/CLoopStack.cpp:
1995         * interpreter/CLoopStack.h:
1996         * interpreter/CLoopStackInlines.h:
1997         * interpreter/EntryFrame.h:
1998         * interpreter/Interpreter.cpp:
1999         (JSC::Interpreter::Interpreter):
2000         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2001         * interpreter/Interpreter.h:
2002         * interpreter/StackVisitor.cpp:
2003         (JSC::StackVisitor::Frame::calleeSaveRegisters):
2004         * interpreter/VMEntryRecord.h:
2005         * jit/ExecutableAllocator.h:
2006         * jit/FPRInfo.h:
2007         (WTF::printInternal):
2008         * jit/GPRInfo.cpp:
2009         * jit/GPRInfo.h:
2010         (WTF::printInternal):
2011         * jit/HostCallReturnValue.cpp:
2012         (JSC::getHostCallReturnValueWithExecState): Moved. They are used in LLInt ASM interpreter too.
2013         * jit/HostCallReturnValue.h:
2014         * jit/JITOperations.cpp:
2015         (JSC::getHostCallReturnValueWithExecState): Deleted.
2016         * jit/JITOperationsMSVC64.cpp:
2017         * jit/Reg.cpp:
2018         * jit/Reg.h:
2019         * jit/RegisterAtOffset.cpp:
2020         * jit/RegisterAtOffset.h:
2021         * jit/RegisterAtOffsetList.cpp:
2022         * jit/RegisterAtOffsetList.h:
2023         * jit/RegisterMap.h:
2024         * jit/RegisterSet.cpp:
2025         * jit/RegisterSet.h:
2026         * jit/TempRegisterSet.cpp:
2027         * jit/TempRegisterSet.h:
2028         * llint/LLIntCLoop.cpp:
2029         * llint/LLIntCLoop.h:
2030         * llint/LLIntData.cpp:
2031         (JSC::LLInt::initialize):
2032         (JSC::LLInt::Data::performAssertions):
2033         * llint/LLIntData.h:
2034         * llint/LLIntOfflineAsmConfig.h:
2035         * llint/LLIntOpcode.h:
2036         * llint/LLIntPCRanges.h:
2037         * llint/LLIntSlowPaths.cpp:
2038         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2039         * llint/LLIntSlowPaths.h:
2040         * llint/LLIntThunks.cpp:
2041         * llint/LowLevelInterpreter.cpp:
2042         * llint/LowLevelInterpreter.h:
2043         * runtime/JSCJSValue.h:
2044         * runtime/MachineContext.h:
2045         * runtime/SamplingProfiler.cpp:
2046         (JSC::SamplingProfiler::processUnverifiedStackTraces): Enable SamplingProfiler
2047         for LLInt ASM interpreter with non JIT configuration.
2048         * runtime/TestRunnerUtils.cpp:
2049         (JSC::optimizeNextInvocation):
2050         * runtime/VM.cpp:
2051         (JSC::VM::VM):
2052         (JSC::VM::getHostFunction):
2053         (JSC::VM::updateSoftReservedZoneSize):
2054         (JSC::sanitizeStackForVM):
2055         (JSC::VM::committedStackByteCount):
2056         * runtime/VM.h:
2057         * runtime/VMInlines.h:
2058         (JSC::VM::ensureStackCapacityFor):
2059         (JSC::VM::isSafeToRecurseSoft const):
2060
2061 2018-09-21  Keith Miller  <keith_miller@apple.com>
2062
2063         Add Promise SPI
2064         https://bugs.webkit.org/show_bug.cgi?id=189809
2065
2066         Reviewed by Saam Barati.
2067
2068         This patch adds new SPI to create promises. It's mostly SPI because
2069         I want to see how internal users react to it before we make it
2070         public.
2071
2072         This patch adds a couple of new Obj-C SPI methods. The first
2073         creates a new promise using the same API that JS does where the
2074         user provides an executor callback. If an exception is raised
2075         in/to that callback the promise is automagically rejected. The
2076         other methods create a pre-resolved or rejected promise as this
2077         appears to be a common way to initialize a promise.
2078
2079         I was also considering adding a second version of executor API
2080         where it would catch specific Obj-C exceptions. This would work by
2081         taking a Class parameter and checking isKindOfClass: on the
2082         exception. I decided against this as nothing else in our API
2083         handles Obj-C exceptions. I'm pretty sure the VM will end up in a
2084         corrupt state if an Obj-C exception unwinds through JS frames.
2085
2086         This patch adds a new C function that will create a "deferred"
2087         promise. A deferred promise is a style of creating promise/futures
2088         where the resolve and reject functions are passed as outputs of a
2089         function. I went with this style for the C SPI because we don't have
2090         any concept of forwarding exceptions in the C API.
2091
2092         In order to make the C API work I refactored a bit of the promise code
2093         so that we can call a static method on JSDeferredPromise and just get
2094         the components without allocating an extra cell wrapper.
2095
2096         * API/JSContext.mm:
2097         (+[JSContext currentCallee]):
2098         * API/JSObjectRef.cpp:
2099         (JSObjectMakeDeferredPromise):
2100         * API/JSObjectRefPrivate.h:
2101         * API/JSValue.mm:
2102         (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
2103         (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
2104         (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
2105         * API/JSValuePrivate.h: Added.
2106         * API/JSVirtualMachine.mm:
2107         * API/JSVirtualMachinePrivate.h:
2108         * API/tests/testapi.c:
2109         (main):
2110         * API/tests/testapi.cpp:
2111         (APIContext::operator JSC::ExecState*):
2112         (TestAPI::failed const):
2113         (TestAPI::check):
2114         (TestAPI::basicSymbol):
2115         (TestAPI::symbolsTypeof):
2116         (TestAPI::symbolsGetPropertyForKey):
2117         (TestAPI::symbolsSetPropertyForKey):
2118         (TestAPI::symbolsHasPropertyForKey):
2119         (TestAPI::symbolsDeletePropertyForKey):
2120         (TestAPI::promiseResolveTrue):
2121         (TestAPI::promiseRejectTrue):
2122         (testCAPIViaCpp):
2123         (TestAPI::run): Deleted.
2124         * API/tests/testapi.mm:
2125         (testObjectiveCAPIMain):
2126         (promiseWithExecutor):
2127         (promiseRejectOnJSException):
2128         (promiseCreateResolved):
2129         (promiseCreateRejected):
2130         (parallelPromiseResolveTest):
2131         (testObjectiveCAPI):
2132         * JavaScriptCore.xcodeproj/project.pbxproj:
2133         * runtime/JSInternalPromiseDeferred.cpp:
2134         (JSC::JSInternalPromiseDeferred::create):
2135         * runtime/JSPromise.h:
2136         * runtime/JSPromiseConstructor.cpp:
2137         (JSC::constructPromise):
2138         * runtime/JSPromiseDeferred.cpp:
2139         (JSC::JSPromiseDeferred::createDeferredData):
2140         (JSC::JSPromiseDeferred::create):
2141         (JSC::JSPromiseDeferred::finishCreation):
2142         (JSC::newPromiseCapability): Deleted.
2143         * runtime/JSPromiseDeferred.h:
2144         (JSC::JSPromiseDeferred::promise const):
2145         (JSC::JSPromiseDeferred::resolve const):
2146         (JSC::JSPromiseDeferred::reject const):
2147
2148 2018-09-21  Ryan Haddad  <ryanhaddad@apple.com>
2149
2150         Unreviewed, rolling out r236359.
2151
2152         Broke the Windows build.
2153
2154         Reverted changeset:
2155
2156         "Add Promise SPI"
2157         https://bugs.webkit.org/show_bug.cgi?id=189809
2158         https://trac.webkit.org/changeset/236359
2159
2160 2018-09-21  Mark Lam  <mark.lam@apple.com>
2161
2162         JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState.
2163         https://bugs.webkit.org/show_bug.cgi?id=189855
2164         <rdar://problem/44680181>
2165
2166         Reviewed by Filip Pizlo.
2167
2168         tryGetValue() always passes a nullptr to JSRopeString::resolveRope() for the
2169         ExecState* argument.  This is intentional so that resolveRope() does not throw
2170         in the event of an OutOfMemory error.  Hence, JSRopeString::resolveRope() should
2171         get the VM from the cell instead of via the ExecState.
2172
2173         Also removed an obsolete and unused field in JSString.
2174
2175         * runtime/JSString.cpp:
2176         (JSC::JSRopeString::resolveRope const):
2177         (JSC::JSRopeString::outOfMemory const):
2178         * runtime/JSString.h:
2179         (JSC::JSString::tryGetValue const):
2180
2181 2018-09-21  Michael Saboff  <msaboff@apple.com>
2182
2183         Add functions to measure memory footprint to JSC
2184         https://bugs.webkit.org/show_bug.cgi?id=189768
2185
2186         Reviewed by Saam Barati.
2187
2188         Rolling this back in again.
2189
2190         Provide system memory metrics for the current process to aid in memory reduction measurement and
2191         tuning using native JS tests.
2192
2193         * jsc.cpp:
2194         (MemoryFootprint::now):
2195         (MemoryFootprint::resetPeak):
2196         (GlobalObject::finishCreation):
2197         (JSCMemoryFootprint::JSCMemoryFootprint):
2198         (JSCMemoryFootprint::createStructure):
2199         (JSCMemoryFootprint::create):
2200         (JSCMemoryFootprint::finishCreation):
2201         (JSCMemoryFootprint::addProperty):
2202         (functionResetMemoryPeak):
2203
2204 2018-09-21  Keith Miller  <keith_miller@apple.com>
2205
2206         Add Promise SPI
2207         https://bugs.webkit.org/show_bug.cgi?id=189809
2208
2209         Reviewed by Saam Barati.
2210
2211         The patch adds new SPI to create promises. It's mostly SPI because
2212         I want to see how internal users react to it before we make it
2213         public.
2214
2215         This patch adds a couple of new Obj-C SPI methods. The first
2216         creates a new promise using the same API that JS does where the
2217         user provides an executor callback. If an exception is raised
2218         in/to that callback the promise is automagically rejected. The
2219         other methods create a pre-resolved or rejected promise as this
2220         appears to be a common way to initialize a promise.
2221
2222         I was also considering adding a second version of executor API
2223         where it would catch specific Obj-C exceptions. This would work by
2224         taking a Class parameter and checking isKindOfClass: on the
2225         exception. I decided against this as nothing else in our API
2226         handles Obj-C exceptions. I'm pretty sure the VM will end up in a
2227         corrupt state if an Obj-C exception unwinds through JS frames.
2228
2229         This patch adds a new C function that will create a "deferred"
2230         promise. A deferred promise is a style of creating promise/futures
2231         where the resolve and reject functions are passed as outputs of a
2232         function. I went with this style for the C SPI because we don't have
2233         any concept of forwarding exceptions in the C API.
2234
2235         In order to make the C API work I refactored a bit of the promise code
2236         so that we can call a static method on JSDeferredPromise and just get
2237         the components without allocating an extra cell wrapper.
2238
2239         * API/JSContext.mm:
2240         (+[JSContext currentCallee]):
2241         * API/JSObjectRef.cpp:
2242         (JSObjectMakeDeferredPromise):
2243         * API/JSObjectRefPrivate.h:
2244         * API/JSValue.mm:
2245         (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
2246         (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
2247         (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
2248         * API/JSValuePrivate.h: Added.
2249         * API/JSVirtualMachine.mm:
2250         * API/JSVirtualMachinePrivate.h:
2251         * API/tests/testapi.c:
2252         (main):
2253         * API/tests/testapi.cpp:
2254         (APIContext::operator JSC::ExecState*):
2255         (TestAPI::failed const):
2256         (TestAPI::check):
2257         (TestAPI::basicSymbol):
2258         (TestAPI::symbolsTypeof):
2259         (TestAPI::symbolsGetPropertyForKey):
2260         (TestAPI::symbolsSetPropertyForKey):
2261         (TestAPI::symbolsHasPropertyForKey):
2262         (TestAPI::symbolsDeletePropertyForKey):
2263         (TestAPI::promiseResolveTrue):
2264         (TestAPI::promiseRejectTrue):
2265         (testCAPIViaCpp):
2266         (TestAPI::run): Deleted.
2267         * API/tests/testapi.mm:
2268         (testObjectiveCAPIMain):
2269         (promiseWithExecutor):
2270         (promiseRejectOnJSException):
2271         (promiseCreateResolved):
2272         (promiseCreateRejected):
2273         (parallelPromiseResolveTest):
2274         (testObjectiveCAPI):
2275         * JavaScriptCore.xcodeproj/project.pbxproj:
2276         * runtime/JSInternalPromiseDeferred.cpp:
2277         (JSC::JSInternalPromiseDeferred::create):
2278         * runtime/JSPromise.h:
2279         * runtime/JSPromiseConstructor.cpp:
2280         (JSC::constructPromise):
2281         * runtime/JSPromiseDeferred.cpp:
2282         (JSC::JSPromiseDeferred::createDeferredData):
2283         (JSC::JSPromiseDeferred::create):
2284         (JSC::JSPromiseDeferred::finishCreation):
2285         (JSC::newPromiseCapability): Deleted.
2286         * runtime/JSPromiseDeferred.h:
2287         (JSC::JSPromiseDeferred::promise const):
2288         (JSC::JSPromiseDeferred::resolve const):
2289         (JSC::JSPromiseDeferred::reject const):
2290
2291 2018-09-21  Truitt Savell  <tsavell@apple.com>
2292
2293         Rebaseline tests after changes in https://trac.webkit.org/changeset/236321/webkit
2294         https://bugs.webkit.org/show_bug.cgi?id=156674
2295
2296         Unreviewed Test Gardening
2297
2298         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2299         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2300
2301 2018-09-21  Mike Gorse  <mgorse@suse.com>
2302
2303         Build tools should work when /usr/bin/python is python3
2304         https://bugs.webkit.org/show_bug.cgi?id=156674
2305
2306         Reviewed by Michael Catanzaro.
2307
2308         * Scripts/cssmin.py:
2309         * Scripts/generate-js-builtins.py:
2310         (do_open):
2311         (generate_bindings_for_builtins_files):
2312         * Scripts/generateIntlCanonicalizeLanguage.py:
2313         * Scripts/jsmin.py:
2314         (JavascriptMinify.minify.write):
2315         (JavascriptMinify):
2316         (JavascriptMinify.minify):
2317         * Scripts/make-js-file-arrays.py:
2318         (chunk):
2319         (main):
2320         * Scripts/wkbuiltins/__init__.py:
2321         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2322         (generate_section_for_global_private_code_name_macro):
2323         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_header.py:
2324         (BuiltinsInternalsWrapperHeaderGenerator.__init__):
2325         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:
2326         (BuiltinsInternalsWrapperImplementationGenerator.__init__):
2327         * Scripts/wkbuiltins/builtins_model.py:
2328         (BuiltinFunction.__lt__):
2329         (BuiltinsCollection.copyrights):
2330         (BuiltinsCollection._parse_functions):
2331         * disassembler/udis86/ud_opcode.py:
2332         (UdOpcodeTables.pprint.printWalk):
2333         * generate-bytecode-files:
2334         * inspector/scripts/codegen/__init__.py:
2335         * inspector/scripts/codegen/cpp_generator.py:
2336         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2337         (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
2338         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2339         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
2340         (CppBackendDispatcherHeaderGenerator.generate_output):
2341         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2342         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2343         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
2344         (CppBackendDispatcherImplementationGenerator.generate_output):
2345         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2346         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
2347         (CppFrontendDispatcherHeaderGenerator.generate_output):
2348         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2349         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
2350         (CppFrontendDispatcherImplementationGenerator.generate_output):
2351         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2352         (CppProtocolTypesHeaderGenerator.generate_output):
2353         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
2354         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2355         (CppProtocolTypesImplementationGenerator.generate_output):
2356         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
2357         (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods):
2358         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2359         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
2360         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
2361         * inspector/scripts/codegen/generate_js_backend_commands.py:
2362         (JSBackendCommandsGenerator.should_generate_domain):
2363         (JSBackendCommandsGenerator.domains_to_generate):
2364         (JSBackendCommandsGenerator.generate_output):
2365         (JSBackendCommandsGenerator.generate_domain):
2366         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2367         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
2368         (ObjCBackendDispatcherHeaderGenerator.generate_output):
2369         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2370         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
2371         (ObjCBackendDispatcherImplementationGenerator.generate_output):
2372         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
2373         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2374         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2375         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2376         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
2377         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2378         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2379         * inspector/scripts/codegen/generate_objc_header.py:
2380         (ObjCHeaderGenerator.generate_output):
2381         (ObjCHeaderGenerator._generate_type_interface):
2382         * inspector/scripts/codegen/generate_objc_internal_header.py:
2383         (ObjCInternalHeaderGenerator.generate_output):
2384         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2385         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
2386         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
2387         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2388         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
2389         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2390         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
2391         (ObjCProtocolTypesImplementationGenerator.generate_output):
2392         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
2393         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
2394         * inspector/scripts/codegen/generator.py:
2395         (Generator.non_supplemental_domains):
2396         (Generator.open_fields):
2397         (Generator.calculate_types_requiring_shape_assertions):
2398         (Generator._traverse_and_assign_enum_values):
2399         (Generator.stylized_name_for_enum_value):
2400         * inspector/scripts/codegen/models.py:
2401         (find_duplicates):
2402         * inspector/scripts/codegen/objc_generator.py:
2403         * wasm/generateWasm.py:
2404         (opcodeIterator):
2405         * yarr/generateYarrCanonicalizeUnicode:
2406         * yarr/generateYarrUnicodePropertyTables.py:
2407         * yarr/hasher.py:
2408         (stringHash):
2409
2410 2018-09-21  Tomas Popela  <tpopela@redhat.com>
2411
2412         [ARM] Build broken on armv7hl after r235517
2413         https://bugs.webkit.org/show_bug.cgi?id=189831
2414
2415         Reviewed by Yusuke Suzuki.
2416
2417         Add missing implementation of patchableBranch8() for traditional ARM.
2418
2419         * assembler/MacroAssemblerARM.h:
2420         (JSC::MacroAssemblerARM::patchableBranch8):
2421
2422 2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>
2423
2424         Unreviewed, rolling out r236293.
2425
2426         Internal build still broken.
2427
2428         Reverted changeset:
2429
2430         "Add functions to measure memory footprint to JSC"
2431         https://bugs.webkit.org/show_bug.cgi?id=189768
2432         https://trac.webkit.org/changeset/236293
2433
2434 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2435
2436         [JSC] Heap::reportExtraMemoryVisited shows contention if we have many JSString
2437         https://bugs.webkit.org/show_bug.cgi?id=189558
2438
2439         Reviewed by Mark Lam.
2440
2441         When running the web-tooling-benchmark postcss test on the Linux JSCOnly port, we get the following result in `perf report`.
2442
2443             10.95%  AutomaticThread  libJavaScriptCore.so.1.0.0  [.] JSC::Heap::reportExtraMemoryVisited
2444
2445         This is because postcss produces a bunch of JSStrings, which require reportExtraMemoryVisited calls in JSString::visitChildren.
2446         And since reportExtraMemoryVisited attempts to update an atomic counter, if we have a bunch of marking threads, it becomes super contended.
2447
2448         This patch reduces the frequency of updating the atomic counter. Each SlotVisitor has a per-SlotVisitor m_extraMemorySize counter.
2449         And we propagate this value to the global atomic counter when rebalance happens.
2450
2451         We also reduce HeapCell::heap() access by using `vm.heap`.
2452
2453         * heap/SlotVisitor.cpp:
2454         (JSC::SlotVisitor::didStartMarking):
2455         (JSC::SlotVisitor::propagateExternalMemoryVisitedIfNecessary):
2456         (JSC::SlotVisitor::drain):
2457         (JSC::SlotVisitor::performIncrementOfDraining):
2458         * heap/SlotVisitor.h:
2459         * heap/SlotVisitorInlines.h:
2460         (JSC::SlotVisitor::reportExtraMemoryVisited):
2461         * runtime/JSString.cpp:
2462         (JSC::JSRopeString::resolveRopeToAtomicString const):
2463         (JSC::JSRopeString::resolveRope const):
2464         * runtime/JSString.h:
2465         (JSC::JSString::finishCreation):
2466         * wasm/js/JSWebAssemblyInstance.cpp:
2467         (JSC::JSWebAssemblyInstance::finishCreation):
2468         * wasm/js/JSWebAssemblyMemory.cpp:
2469         (JSC::JSWebAssemblyMemory::finishCreation):
2470
2471 2018-09-20  Michael Saboff  <msaboff@apple.com>
2472
2473         Add functions to measure memory footprint to JSC
2474         https://bugs.webkit.org/show_bug.cgi?id=189768
2475
2476         Reviewed by Saam Barati.
2477
2478         Rolling this back in.
2479
2480         Provide system memory metrics for the current process to aid in memory reduction measurement and
2481         tuning using native JS tests.
2482
2483         * jsc.cpp:
2484         (MemoryFootprint::now):
2485         (MemoryFootprint::resetPeak):
2486         (GlobalObject::finishCreation):
2487         (JSCMemoryFootprint::JSCMemoryFootprint):
2488         (JSCMemoryFootprint::createStructure):
2489         (JSCMemoryFootprint::create):
2490         (JSCMemoryFootprint::finishCreation):
2491         (JSCMemoryFootprint::addProperty):
2492         (functionResetMemoryPeak):
2493
2494 2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>
2495
2496         Unreviewed, rolling out r236235.
2497
2498         Breaks internal builds.
2499
2500         Reverted changeset:
2501
2502         "Add functions to measure memory footprint to JSC"
2503         https://bugs.webkit.org/show_bug.cgi?id=189768
2504         https://trac.webkit.org/changeset/236235
2505
2506 2018-09-20  Fujii Hironori  <Hironori.Fujii@sony.com>
2507
2508         [Win][Clang] JITMathIC.h: error: missing 'template' keyword prior to dependent template name 'retagged'
2509         https://bugs.webkit.org/show_bug.cgi?id=189730
2510
2511         Reviewed by Saam Barati.
2512
2513         Clang for Windows can't compile the workaround for the MSVC quirk in generateOutOfLine.
2514
2515         * jit/JITMathIC.h:
2516         (generateOutOfLine): Append "&& !COMPILER(CLANG)" to "#if COMPILER(MSVC)".
2517
2518 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2519
2520         [JSC] Optimize Array#indexOf in C++ runtime
2521         https://bugs.webkit.org/show_bug.cgi?id=189507
2522
2523         Reviewed by Saam Barati.
2524
2525         The C++ Array#indexOf runtime function takes so much time in the babylon benchmark in
2526         web-tooling-benchmark. While our DFG and FTL have Array#indexOf optimization
2527         and it is actually working well, C++ Array#indexOf is called a significant number
2528         of times before tiering up, and it takes 6.74% of jsc main thread samples according
2529         to the perf command on Linux. This is because C++ Array#indexOf is too generic and
2530         misses the chance to optimize JSArray cases.
2531
2532         This patch adds a JSArray fast path for Array#indexOf. If we know that indexed
2533         access to the given JSArray is non-observable and the indexing type is good for the fast
2534         path, we go to the fast path. This reduces the sampling share of Array#indexOf to 3.83% in
2535         the babylon web-tooling-benchmark.
2536
2537         * runtime/ArrayPrototype.cpp:
2538         (JSC::arrayProtoFuncIndexOf):
2539         * runtime/JSArray.h:
2540         * runtime/JSArrayInlines.h:
2541         (JSC::JSArray::canDoFastIndexedAccess):
2542         (JSC::toLength):
2543         * runtime/JSCJSValueInlines.h:
2544         (JSC::JSValue::JSValue):
2545         * runtime/JSGlobalObject.h:
2546         * runtime/JSGlobalObjectInlines.h:
2547         (JSC::JSGlobalObject::isArrayPrototypeIndexedAccessFastAndNonObservable):
2548         (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
2549         * runtime/MathCommon.h:
2550         (JSC::canBeStrictInt32):
2551         (JSC::canBeInt32):
2552
2553 2018-09-19  Michael Saboff  <msaboff@apple.com>
2554
2555         Add functions to measure memory footprint to JSC
2556         https://bugs.webkit.org/show_bug.cgi?id=189768
2557
2558         Reviewed by Saam Barati.
2559
2560         Provide system memory metrics for the current process to aid in memory reduction measurement and
2561         tuning using native JS tests.
2562
2563         * jsc.cpp:
2564         (MemoryFootprint::now):
2565         (MemoryFootprint::resetPeak):
2566         (GlobalObject::finishCreation):
2567         (JSCMemoryFootprint::JSCMemoryFootprint):
2568         (JSCMemoryFootprint::createStructure):
2569         (JSCMemoryFootprint::create):
2570         (JSCMemoryFootprint::finishCreation):
2571         (JSCMemoryFootprint::addProperty):
2572         (functionResetMemoryPeak):
2573
2574 2018-09-19  Saam barati  <sbarati@apple.com>
2575
2576         CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code
2577         https://bugs.webkit.org/show_bug.cgi?id=189703
2578
2579         Reviewed by Mark Lam.
2580
2581         This fixes a crash that a TypeProfiler change revealed.
2582
2583         * dfg/DFGSpeculativeJIT64.cpp:
2584         (JSC::DFG::SpeculativeJIT::compile):
2585
2586 2018-09-19  Saam barati  <sbarati@apple.com>
2587
2588         AI rule for MultiPutByOffset executes its effects in the wrong order
2589         https://bugs.webkit.org/show_bug.cgi?id=189757
2590         <rdar://problem/43535257>
2591
2592         Reviewed by Michael Saboff.
2593
2594         The AI rule for MultiPutByOffset was executing effects in the wrong order.
2595         It first executed the transition effects and the effects on the base, and
2596         then executed the filtering effects on the value being stored. However, you
2597         can end up with the wrong type when the base and the value being stored
2598         are the same. E.g., in a program like `o.f = o`. These effects need to happen
2599         in the opposite order, modeling what happens in the runtime execution of
2600         MultiPutByOffset.
2601
2602         * dfg/DFGAbstractInterpreterInlines.h:
2603         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2604
2605 2018-09-18  Mark Lam  <mark.lam@apple.com>
2606
2607         Ensure that ForInContexts are invalidated if their loop local is over-written.
2608         https://bugs.webkit.org/show_bug.cgi?id=189571
2609         <rdar://problem/44402277>
2610
2611         Reviewed by Saam Barati.
2612
2613         Instead of hunting down every place in the BytecodeGenerator that potentially
2614         needs to invalidate an enclosing ForInContext (if one exists), we simply iterate
2615         the bytecode range of the loop body when the ForInContext is popped, and
2616         invalidate the context if we ever find the loop temp variable over-written.
2617
2618         This has 2 benefits:
2619         1. It ensures that every type of opcode that can write to the loop temp will be
2620            handled appropriately, not just the op_mov that we've hunted down.
2621         2. It avoids us having to check the BytecodeGenerator's m_forInContextStack
2622            every time we emit an op_mov (or other opcodes that can write to a local)
2623            even when we're not inside a for-in loop.
2624
2625         JSC benchmarks show that this change is performance neutral.
2626
2627         * bytecompiler/BytecodeGenerator.cpp:
2628         (JSC::BytecodeGenerator::pushIndexedForInScope):
2629         (JSC::BytecodeGenerator::popIndexedForInScope):
2630         (JSC::BytecodeGenerator::pushStructureForInScope):
2631         (JSC::BytecodeGenerator::popStructureForInScope):
2632         (JSC::ForInContext::finalize):
2633         (JSC::StructureForInContext::finalize):
2634         (JSC::IndexedForInContext::finalize):
2635         (JSC::BytecodeGenerator::invalidateForInContextForLocal): Deleted.
2636         * bytecompiler/BytecodeGenerator.h:
2637         (JSC::ForInContext::ForInContext):
2638         (JSC::ForInContext::bodyBytecodeStartOffset const):
2639         (JSC::StructureForInContext::StructureForInContext):
2640         (JSC::IndexedForInContext::IndexedForInContext):
2641         * bytecompiler/NodesCodegen.cpp:
2642         (JSC::PostfixNode::emitResolve):
2643         (JSC::PrefixNode::emitResolve):
2644         (JSC::ReadModifyResolveNode::emitBytecode):
2645         (JSC::AssignResolveNode::emitBytecode):
2646         (JSC::EmptyLetExpression::emitBytecode):
2647         (JSC::ForInNode::emitLoopHeader):
2648         (JSC::ForOfNode::emitBytecode):
2649         (JSC::BindingNode::bindValue const):
2650         (JSC::AssignmentElementNode::bindValue const):
2651         * runtime/CommonSlowPaths.cpp:
2652         (JSC::SLOW_PATH_DECL):
2653
2654 2018-09-17  Devin Rousso  <drousso@apple.com>
2655
2656         Web Inspector: generate CSSKeywordCompletions from backend values
2657         https://bugs.webkit.org/show_bug.cgi?id=189041
2658
2659         Reviewed by Joseph Pecoraro.
2660
2661         * inspector/protocol/CSS.json:
2662         Include an optional `aliases` array and `inherited` boolean for `CSSPropertyInfo`.
2663
2664 2018-09-17  Saam barati  <sbarati@apple.com>
2665
2666         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2667         https://bugs.webkit.org/show_bug.cgi?id=189676
2668         <rdar://problem/39682897>
2669
2670         Reviewed by Michael Saboff.
2671
2672         Because the incoming value may be TDZ, CheckStructure may end up crashing.
2673         Since the Type Profile does not currently record TDZ values in any of its
2674         data structures, this is not a semantic change in how it will show you data.
2675         It just fixes crashes when we emit a CheckStructure and the incoming value
2676         is TDZ.
2677
2678         * dfg/DFGFixupPhase.cpp:
2679         (JSC::DFG::FixupPhase::fixupNode):
2680         * dfg/DFGNode.h:
2681         (JSC::DFG::Node::convertToCheckStructureOrEmpty):
2682
2683 2018-09-17  Darin Adler  <darin@apple.com>
2684
2685         Use OpaqueJSString rather than JSRetainPtr inside WebKit
2686         https://bugs.webkit.org/show_bug.cgi?id=189652
2687
2688         Reviewed by Saam Barati.
2689
2690         * API/JSCallbackObjectFunctions.h: Removed an unneeded include of
2691         JSStringRef.h.
2692
2693         * API/JSContext.mm:
2694         (-[JSContext evaluateScript:withSourceURL:]): Use OpaqueJSString::create rather
2695         than JSStringCreateWithCFString, simplifying the code and also obviating the
2696         need for explicit JSStringRelease.
2697         (-[JSContext setName:]): Ditto.
2698
2699         * API/JSStringRef.cpp:
2700         (JSStringIsEqualToUTF8CString): Use adoptRef rather than explicit JSStringRelease.
2701         It seems that additional optimization is possible, obviating the need to allocate
2702         an OpaqueJSString, but that's true almost everywhere else in this patch, too.
2703
2704         * API/JSValue.mm:
2705         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Use
2706         OpaqueJSString::create and adoptRef as appropriate.
2707         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
2708         (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Ditto.
2709         (performPropertyOperation): Ditto.
2710         (-[JSValue invokeMethod:withArguments:]): Ditto.
2711         (valueToObjectWithoutCopy): Ditto.
2712         (containerValueToObject): Ditto.
2713         (valueToString): Ditto.
2714         (objectToValueWithoutCopy): Ditto.
2715         (objectToValue): Ditto.
2716
2717 2018-09-08  Darin Adler  <darin@apple.com>
2718
2719         Streamline JSRetainPtr, fix leaks of JSString and JSGlobalContext
2720         https://bugs.webkit.org/show_bug.cgi?id=189455
2721
2722         Reviewed by Keith Miller.
2723
2724         * API/JSObjectRef.cpp:
2725         (OpaqueJSPropertyNameArray): Use Ref<OpaqueJSString> instead of
2726         JSRetainPtr<JSStringRef>.
2727         (JSObjectCopyPropertyNames): Remove now-unneeded use of leakRef and
2728         adopt constructor.
2729         (JSPropertyNameArrayGetNameAtIndex): Use ptr() instead of get() since
2730         the array elements are now Ref.
2731
2732         * API/JSRetainPtr.h: While JSRetainPtr is written as a template,
2733         it only works for two specific unrelated types, JSStringRef and
2734         JSGlobalContextRef. Simplified the default constructor using data
2735         member initialization. Prepared to make the adopt constructor private
2736         (got everything compiling that way, then made it public again so that
2737         Apple internal software will still build). Got rid of unneeded
2738         templated constructor and assignment operator, which are not relevant
2739         since there is no inheritance between JSRetainPtr template types.
2740         Added WARN_UNUSED_RETURN to leakRef as in RefPtr and RetainPtr.
2741         Added move constructor and move assignment operator for slightly better
2742         performance. Simplified implementations of various member functions
2743         so they are more obviously correct, by using leakPtr in more of them
2744         and using std::exchange to make the flow of values more obvious.
2745
2746         * API/JSValue.mm:
2747         (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Added a
2748         missing JSStringRelease to fix a leak.
2749
2750         * API/tests/CustomGlobalObjectClassTest.c:
2751         (customGlobalObjectClassTest): Added a JSGlobalContextRelease to fix a leak.
2752         (globalObjectSetPrototypeTest): Ditto.
2753         (globalObjectPrivatePropertyTest): Ditto.
2754
2755         * API/tests/ExecutionTimeLimitTest.cpp:
2756         (testResetAfterTimeout): Added a call to JSStringRelease to fix a leak.
2757         (testExecutionTimeLimit): Ditto, lots more.
2758
2759         * API/tests/FunctionOverridesTest.cpp:
2760         (testFunctionOverrides): Added a call to JSStringRelease to fix a leak.
2761
2762         * API/tests/JSObjectGetProxyTargetTest.cpp:
2763         (testJSObjectGetProxyTarget): Added a call to JSGlobalContextRelease to fix
2764         a leak.
2765
2766         * API/tests/PingPongStackOverflowTest.cpp:
2767         (testPingPongStackOverflow): Added calls to JSGlobalContextRelease and
2768         JSStringRelease to fix leaks.
2769
2770         * API/tests/testapi.c:
2771         (throwException): Added. Helper function for a repeated idiom where we want
2772         to throw an exception, but with additional JSStringRelease calls so we don't
2773         have to leak just to keep the code simpler to read.
2774         (MyObject_getProperty): Use throwException.
2775         (MyObject_setProperty): Ditto.
2776         (MyObject_deleteProperty): Ditto.
2777         (isValueEqualToString): Added. Helper function for an idiom where we check
2778         if something is a string and then if it's equal to a particular string
2779         constant, but a version that has an additional JSStringRelease call so we
2780         don't have to leak just to keep the code simpler to read.
2781         (MyObject_callAsFunction): Use isValueEqualToString and throwException.
2782         (MyObject_callAsConstructor): Ditto.
2783         (MyObject_hasInstance): Ditto.
2784         (globalContextNameTest): Added a JSGlobalContextRelease to fix a leak.
2785         (testMarkingConstraintsAndHeapFinalizers): Ditto.
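
        Added example (not WebKit's JSRetainPtr or testapi code) of the ownership
        style this entry describes: a minimal retain pointer whose move operations
        are written with std::exchange and whose leakRef() is marked [[nodiscard]]
        in place of WARN_UNUSED_RETURN. FakeString and its Create/Retain/Release
        functions are constructed stand-ins for an opaque refcounted handle such
        as JSStringRef, so the example runs without JavaScriptCore.

```cpp
// Added example, not WebKit's JSRetainPtr: a minimal retain pointer in the style
// the entry describes, with move operations written via std::exchange and a
// [[nodiscard]] leakRef() (the role WARN_UNUSED_RETURN plays in WTF). FakeString
// is a constructed stand-in for an opaque refcounted handle such as JSStringRef.
#include <cassert>
#include <utility>

struct FakeString { int refCount = 1; };
static int g_liveStrings = 0; // handles created and not yet fully released

static FakeString* FakeStringCreate() { ++g_liveStrings; return new FakeString; }
static FakeString* FakeStringRetain(FakeString* s) { if (s) ++s->refCount; return s; }
static void FakeStringRelease(FakeString* s)
{
    if (s && --s->refCount == 0) { --g_liveStrings; delete s; }
}

class RetainPtr {
public:
    RetainPtr() = default;
    explicit RetainPtr(FakeString* p) : m_ptr(p) { } // adopts the +1 reference
    RetainPtr(const RetainPtr& o) : m_ptr(FakeStringRetain(o.m_ptr)) { }
    // Move: take the pointer and empty the source in a single expression.
    RetainPtr(RetainPtr&& o) : m_ptr(std::exchange(o.m_ptr, nullptr)) { }
    ~RetainPtr() { FakeStringRelease(m_ptr); }
    // The old reference is released only after the new one is in place, so
    // self-assignment and aliasing are safe.
    RetainPtr& operator=(RetainPtr&& o) { FakeStringRelease(std::exchange(m_ptr, std::exchange(o.m_ptr, nullptr))); return *this; }
    RetainPtr& operator=(const RetainPtr& o) { FakeStringRelease(std::exchange(m_ptr, FakeStringRetain(o.m_ptr))); return *this; }
    FakeString* get() const { return m_ptr; }
    // Caller takes ownership of the reference; dropping the result leaks it.
    [[nodiscard]] FakeString* leakRef() { return std::exchange(m_ptr, nullptr); }
private:
    FakeString* m_ptr = nullptr;
};

// Exercises copy, move and leakRef, then reports how many handles are still
// alive: 0 means every reference was balanced by a release.
int liveAfterScope()
{
    {
        RetainPtr a(FakeStringCreate());
        RetainPtr b(std::move(a));      // a is now empty
        RetainPtr c = b;                // shared, refCount == 2
        c = std::move(b);               // releases c's old ref; b is empty
        assert(!a.get() && !b.get() && c.get()->refCount == 1);
        FakeStringRelease(c.leakRef()); // hand the reference to the raw API
    }
    return g_liveStrings;
}
```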
2786
2787 2018-09-14  Saam barati  <sbarati@apple.com>
2788
2789         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2790         https://bugs.webkit.org/show_bug.cgi?id=189628
2791         <rdar://problem/39481690>
2792
2793         Reviewed by Mark Lam.
2794
2795         An Availability may point to a Node. And that Node may be removed from
2796         the graph, e.g., it's freed and its memory is no longer owned by Graph.
2797         This patch makes it so we no longer dump this metadata by default. If
2798         this metadata is interesting to you, you'll need to go in and change
2799         Graph::dump to dump the needed metadata.
2800
2801         * dfg/DFGGraph.cpp:
2802         (JSC::DFG::Graph::dump):
2803
2804 2018-09-14  Mark Lam  <mark.lam@apple.com>
2805
2806         Refactor some ForInContext code for better encapsulation.
2807         https://bugs.webkit.org/show_bug.cgi?id=189626
2808         <rdar://problem/44466415>
2809
2810         Reviewed by Keith Miller.
2811
2812         1. Add a ForInContext::m_type field to store the context type.  This does not
2813            increase the class size, but eliminates the need for a virtual call to get the
2814            type.
2815
2816            Note: we still need a virtual destructor because we'll be mingling
2817            IndexedForInContexts and StructureForInContexts in the BytecodeGenerator::m_forInContextStack.
2818
2819         2. Add ForInContext::isIndexedForInContext() and ForInContext::isStructureForInContext()
2820            convenience methods.
2821
2822         3. Add ForInContext::asIndexedForInContext() and ForInContext::asStructureForInContext()
2823            to do the casting to the subclass types.  This ensures that we'll properly
2824            assert that the casting is legal.
2825
2826         * bytecompiler/BytecodeGenerator.cpp:
2827         (JSC::BytecodeGenerator::emitGetByVal):
2828         (JSC::BytecodeGenerator::popIndexedForInScope):
2829         (JSC::BytecodeGenerator::popStructureForInScope):
2830         * bytecompiler/BytecodeGenerator.h:
2831         (JSC::ForInContext::type const):
2832         (JSC::ForInContext::isIndexedForInContext const):
2833         (JSC::ForInContext::isStructureForInContext const):
2834         (JSC::ForInContext::asIndexedForInContext):
2835         (JSC::ForInContext::asStructureForInContext):
2836         (JSC::ForInContext::ForInContext):
2837         (JSC::StructureForInContext::StructureForInContext):
2838         (JSC::IndexedForInContext::IndexedForInContext):
2839         (JSC::ForInContext::~ForInContext): Deleted.
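
        Added example, not WebKit's code, showing the shape of the refactor this
        entry describes: a stored type tag read without a virtual call, is*()
        convenience checks, and as*() downcasts that assert the tag first. Class
        and method names are taken from the entry; the register fields and the
        stack used in walkForInStack() are assumptions made for the example.

```cpp
// Added example, not WebKit's code: the shape of the ForInContext refactor the
// entry describes. type() reads a stored tag instead of making a virtual call,
// and the as*() downcasts assert that tag before casting. Class and method
// names come from the entry; the register fields are assumptions.
#include <cassert>
#include <memory>
#include <vector>

class IndexedForInContext;
class StructureForInContext;

class ForInContext {
public:
    enum class Type { IndexedForIn, StructureForIn };
    virtual ~ForInContext() = default; // both kinds are owned through one stack
    Type type() const { return m_type; } // plain field read, no virtual call
    bool isIndexedForInContext() const { return m_type == Type::IndexedForIn; }
    bool isStructureForInContext() const { return m_type == Type::StructureForIn; }
    IndexedForInContext& asIndexedForInContext();
    StructureForInContext& asStructureForInContext();
protected:
    explicit ForInContext(Type type) : m_type(type) { }
private:
    Type m_type;
};
struct IndexedForInContext : ForInContext {
    explicit IndexedForInContext(int reg) : ForInContext(Type::IndexedForIn), indexRegister(reg) { }
    int indexRegister;
};
struct StructureForInContext : ForInContext {
    explicit StructureForInContext(int reg) : ForInContext(Type::StructureForIn), propertyRegister(reg) { }
    int propertyRegister;
};

// A cast to the wrong subclass trips the assertion in debug builds rather than
// handing back a mis-typed object.
IndexedForInContext& ForInContext::asIndexedForInContext() { assert(isIndexedForInContext()); return static_cast<IndexedForInContext&>(*this); }
StructureForInContext& ForInContext::asStructureForInContext() { assert(isStructureForInContext()); return static_cast<StructureForInContext&>(*this); }
// Mixed stack like BytecodeGenerator::m_forInContextStack: dispatch on the tag,
// then use the checked cast. Returns the sum of the registers reached.
int walkForInStack()
{
    std::vector<std::unique_ptr<ForInContext>> stack;
    stack.push_back(std::make_unique<IndexedForInContext>(3));
    stack.push_back(std::make_unique<StructureForInContext>(7));
    int total = 0;
    for (auto& context : stack)
        total += context->isIndexedForInContext() ? context->asIndexedForInContext().indexRegister : context->asStructureForInContext().propertyRegister;
    return total;
}
```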
2840
2841 2018-09-14  Devin Rousso  <webkit@devinrousso.com>
2842
2843         Web Inspector: Record actions performed on ImageBitmapRenderingContext
2844         https://bugs.webkit.org/show_bug.cgi?id=181341
2845
2846         Reviewed by Joseph Pecoraro.
2847
2848         * inspector/protocol/Recording.json:
2849         * inspector/scripts/codegen/generator.py:
2850
2851 2018-09-14  Mike Gorse  <mgorse@suse.com>
2852
2853         builtins directory causes name conflict on Python 3
2854         https://bugs.webkit.org/show_bug.cgi?id=189552
2855
2856         Reviewed by Michael Catanzaro.
2857
2858         * CMakeLists.txt: builtins -> wkbuiltins.
2859         * DerivedSources.make: builtins -> wkbuiltins.
2860         * Scripts/generate-js-builtins.py: import wkbuiltins, rather than
2861           builtins.
2862         * Scripts/wkbuiltins/__init__.py: Renamed from Source/JavaScriptCore/Scripts/builtins/__init__.py.
2863         * Scripts/wkbuiltins/builtins_generate_combined_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_combined_header.py.
2864         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_internals_wrapper_implementation.py.
2865         * Scripts/wkbuiltins/builtins_generate_separate_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_header.py.
2866         * Scripts/wkbuiltins/builtins_generate_separate_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_implementation.py.
2867         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_header.py.
2868         * Scripts/wkbuiltins/builtins_generate_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_implementation.py.
2869         * Scripts/wkbuiltins/builtins_generator.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generator.py.
2870         * Scripts/wkbuiltins/builtins_model.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_model.py.
2871         * Scripts/wkbuiltins/builtins_templates.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_templates.py.
2872         * Scripts/wkbuiltins/wkbuiltins.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins.py.
2873         * JavaScriptCore.xcodeproj/project.pbxproj: Update for the renaming.
2874
2875 2018-09-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2876
2877         [WebAssembly] Inline WasmContext accessor functions
2878         https://bugs.webkit.org/show_bug.cgi?id=189416
2879
2880         Reviewed by Saam Barati.
2881
2882         WasmContext accessor functions are very small while they reside in the critical path of
2883         the JS to Wasm function call. This patch makes them inline to improve performance.
2884         This change improves a small benchmark (calling JS to Wasm function 1e7 times) from 320ms to 270ms.
2885
2886         * JavaScriptCore.xcodeproj/project.pbxproj:
2887         * Sources.txt:
2888         * interpreter/CallFrame.cpp:
2889         * jit/AssemblyHelpers.cpp:
2890         * wasm/WasmB3IRGenerator.cpp:
2891         * wasm/WasmContextInlines.h: Renamed from Source/JavaScriptCore/wasm/WasmContext.cpp.
2892         (JSC::Wasm::Context::useFastTLS):
2893         (JSC::Wasm::Context::load const):
2894         (JSC::Wasm::Context::store):
2895         * wasm/WasmMemoryInformation.cpp:
2896         * wasm/WasmModuleParser.cpp: Include <wtf/SHA1.h> due to changes of unified source combinations.
2897         * wasm/js/JSToWasm.cpp:
2898         * wasm/js/WebAssemblyFunction.cpp:
2899
2900 2018-09-12  David Kilzer  <ddkilzer@apple.com>
2901
2902         Move JavaScriptCore files to match Xcode project hierarchy
2903         <https://webkit.org/b/189574>
2904
2905         Reviewed by Filip Pizlo.
2906
2907         * API/JSAPIValueWrapper.cpp: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.cpp.
2908         * API/JSAPIValueWrapper.h: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.h.
2909         * CMakeLists.txt: Update for new path to
2910         generateYarrUnicodePropertyTables.py, hasher.py and
2911         JSAPIValueWrapper.h.
2912         * DerivedSources.make: Ditto. Add missing dependency on
2913         hasher.py captured by CMakeLists.txt.
2914         * JavaScriptCore.xcodeproj/project.pbxproj: Update for new file
2915         reference paths. Add hasher.py library to project.
2916         * Sources.txt: Update for new path to
2917         JSAPIValueWrapper.cpp.
2918         * runtime/JSImmutableButterfly.h: Add missing includes
2919         after changes to Sources.txt and regenerating unified
2920         sources.
2921         * runtime/RuntimeType.h: Ditto.
2922         * yarr/generateYarrUnicodePropertyTables.py: Rename from Source/JavaScriptCore/Scripts/generateYarrUnicodePropertyTables.py.
2923         * yarr/hasher.py: Rename from Source/JavaScriptCore/Scripts/hasher.py.
2924
2925 2018-09-12  David Kilzer  <ddkilzer@apple.com>
2926
2927         Let Xcode have its way with the JavaScriptCore project
2928
2929         * JavaScriptCore.xcodeproj/project.pbxproj:
2930
2931 2018-09-12  Guillaume Emont  <guijemont@igalia.com>
2932
2933         Add IGNORE_WARNING_.* macros
2934         https://bugs.webkit.org/show_bug.cgi?id=188996
2935
2936         Reviewed by Michael Catanzaro.
2937
2938         * API/JSCallbackObject.h:
2939         * API/tests/testapi.c:
2940         * assembler/LinkBuffer.h:
2941         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2942         * b3/B3LowerToAir.cpp:
2943         * b3/B3Opcode.cpp:
2944         * b3/B3Type.h:
2945         * b3/B3TypeMap.h:
2946         * b3/B3Width.h:
2947         * b3/air/AirArg.cpp:
2948         * b3/air/AirArg.h:
2949         * b3/air/AirCode.h:
2950         * bytecode/Opcode.h:
2951         (JSC::padOpcodeName):
2952         * dfg/DFGSpeculativeJIT.cpp:
2953         (JSC::DFG::SpeculativeJIT::speculateNumber):
2954         (JSC::DFG::SpeculativeJIT::speculateMisc):
2955         * dfg/DFGSpeculativeJIT64.cpp:
2956         * ftl/FTLOutput.h:
2957         * jit/CCallHelpers.h:
2958         (JSC::CCallHelpers::calculatePokeOffset):
2959         * llint/LLIntData.cpp:
2960         * llint/LLIntSlowPaths.cpp:
2961         (JSC::LLInt::slowPathLogF):
2962         * runtime/ConfigFile.cpp:
2963         (JSC::ConfigFile::canonicalizePaths):
2964         * runtime/JSDataViewPrototype.cpp:
2965         * runtime/JSGenericTypedArrayViewConstructor.h:
2966         * runtime/JSGenericTypedArrayViewPrototype.h:
2967         * runtime/Options.cpp:
2968         (JSC::Options::setAliasedOption):
2969         * tools/CodeProfiling.cpp:
2970         * wasm/WasmSections.h:
2971         * wasm/generateWasmValidateInlinesHeader.py:
2972
2973 == Rolled over to ChangeLog-2018-09-11 ==