Unreviewed revert Fujii's revert in r237214 with new WinCairo build fix.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-10-17  Keith Miller  <keith_miller@apple.com>

        Unreviewed revert Fujii's revert in r237214 with new WinCairo build fix.

2018-10-16  Mark Lam  <mark.lam@apple.com>

        GetIndexedPropertyStorage can GC.
        https://bugs.webkit.org/show_bug.cgi?id=190625
        <rdar://problem/45309366>

        Reviewed by Saam Barati.

        This is because if the ArrayMode type is String, the DFG and FTL will be emitting
        a call to operationResolveRope, and operationResolveRope can GC.  This patch
        updates doesGC() to reflect this.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2018-10-16  Fujii Hironori  <Hironori.Fujii@sony.com>

        Unreviewed, rolling out r237188, r237189, and r237197.

        It breaks WinCairo Debug builds and Release LayoutTests

        Reverted changesets:

        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237188

        "Unreviewed, forgot to add untracked files."
        https://trac.webkit.org/changeset/237189

        "isASTErroneous in offlineasm should de-macroify before
        looking for Errors"
        https://bugs.webkit.org/show_bug.cgi?id=190634
        https://trac.webkit.org/changeset/237197

2018-10-16  Devin Rousso  <drousso@apple.com>

        Web Inspector: Canvas: capture previously saved states and add them to the recording payload
        https://bugs.webkit.org/show_bug.cgi?id=190473

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Recording.json:
        Add `states` key to `InitialState` object.

2018-10-16  Keith Miller  <keith_miller@apple.com>

        isASTErroneous in offlineasm should de-macroify before looking for Errors
        https://bugs.webkit.org/show_bug.cgi?id=190634

        Reviewed by Mark Lam.

        If a macro isn't usable in a configuration it might still cause us to
        think the ast is invalid. This change runs the de-macroifier before
        looking for errors.

        Also, it adds a missing include to Printer.h.

        * assembler/Printer.h:
        * offlineasm/settings.rb:

2018-10-16  Justin Michaud  <justin_michaud@apple.com>

        Implement feature flag and bindings for CSS Painting API
        https://bugs.webkit.org/show_bug.cgi?id=190237

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2018-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, forgot to add untracked files.

        * llint/LLIntSettingsExtractor.cpp: Added.
        (main):
        * offlineasm/generate_settings_extractor.rb: Added.

2018-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, reland https://bugs.webkit.org/show_bug.cgi?id=189708 with build fix.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/offsets.rb:
        * offlineasm/settings.rb:

2018-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, add missing include.

        * runtime/BasicBlockLocation.h:

2018-10-15  Keith Miller  <keith_miller@apple.com>

        Support arm64 CPUs with a 32-bit address space
        https://bugs.webkit.org/show_bug.cgi?id=190273

        Reviewed by Michael Saboff.

        This patch adds support for arm64_32 in the LLInt. In order to
        make this work we needed to add a new type that reflects the size
        of a cpu register. This type is called CPURegister or UCPURegister
        for the unsigned version. Most places that used void* or intptr_t
        to refer to a register have been changed to use this new type.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        (JSC::isInt):
        (JSC::is4ByteAligned):
        (JSC::PairPostIndex::PairPostIndex):
        (JSC::PairPreIndex::PairPreIndex):
        (JSC::ARM64Assembler::readPointer):
        (JSC::ARM64Assembler::readCallTarget):
        (JSC::ARM64Assembler::computeJumpType):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        (JSC::ARM64Assembler::loadRegisterLiteral):
        (JSC::ARM64Assembler::loadStoreRegisterPairPostIndex):
        (JSC::ARM64Assembler::loadStoreRegisterPairPreIndex):
        (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
        (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
        (JSC::isInt7): Deleted.
        (JSC::isInt11): Deleted.
        * assembler/CPU.h:
        (JSC::isAddress64Bit):
        (JSC::isAddress32Bit):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load):
        (JSC::MacroAssemblerARM64::store):
        (JSC::MacroAssemblerARM64::isInIntRange): Deleted.
        * assembler/Printer.h:
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr):
        (JSC::Probe::CPUState::spr):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        * b3/B3ConstPtrValue.h:
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::stackSlot const):
        (JSC::B3::Air::Arg::special const):
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testStoreConstantPtr):
        (JSC::B3::testInterpreter):
        (JSC::B3::testAddShl32):
        (JSC::B3::testLoadBaseIndexShift32):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptCallArgumentHandler::appendArgument):
        * bindings/ScriptFunctionCall.h:
        * bytecode/CodeBlock.cpp:
        (JSC::roundCalleeSaveSpaceAsVirtualRegisters):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::restoreCalleeSavesFor):
        (JSC::DFG::saveCalleeSavesFor):
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
        * heap/MachineStackMarker.cpp:
        (JSC::copyMemory):
        * interpreter/CallFrame.h:
        (JSC::ExecState::returnPC const):
        (JSC::ExecState::hasReturnPC const):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::isGlobalExec const):
        (JSC::ExecState::setReturnPC):
        * interpreter/CalleeBits.h:
        (JSC::CalleeBits::boxWasm):
        (JSC::CalleeBits::isWasm const):
        (JSC::CalleeBits::asWasmCallee const):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
        * interpreter/VMEntryRecord.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::clearStackFrame):
        * jit/RegisterAtOffset.h:
        (JSC::RegisterAtOffset::offsetAsIndex const):
        * jit/RegisterAtOffsetList.cpp:
        (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/parser.rb:
        * offlineasm/x86.rb:
        * runtime/BasicBlockLocation.cpp:
        (JSC::BasicBlockLocation::dumpData const):
        (JSC::BasicBlockLocation::emitExecuteCode const):
        * runtime/BasicBlockLocation.h:
        * runtime/HasOwnPropertyCache.h:
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::inplaceMultiplyAdd):
        (JSC::JSBigInt::digitDiv):
        * runtime/JSBigInt.h:
        * runtime/JSObject.h:
        * runtime/Options.cpp:
        (JSC::jitEnabledByDefault):
        * runtime/Options.h:
        * runtime/RegExp.cpp:
        (JSC::RegExp::printTraceData):
        * runtime/SamplingProfiler.cpp:
        (JSC::CFrameWalker::walk):
        * runtime/SlowPathReturnType.h:
        (JSC::encodeResult):
        (JSC::decodeResult):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SigillCrashAnalyzer::dumpCodeBlock):

2018-10-15  Justin Fan  <justin_fan@apple.com>

        Add WebGPU 2018 feature flag and experimental feature flag
        https://bugs.webkit.org/show_bug.cgi?id=190509

        Reviewed by Dean Jackson.

        Re-add ENABLE_WEBGPU, an experimental feature flag, and a RuntimeEnabledFeature
        for the 2018 WebGPU prototype.

        * Configurations/FeatureDefines.xcconfig:

2018-10-15  Timothy Hatcher  <timothy@apple.com>

        Add support for prefers-color-scheme media query
        https://bugs.webkit.org/show_bug.cgi?id=190499
        rdar://problem/45212025

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_DARK_MODE_CSS.

2018-10-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r237084, r237088, r237098, and
        r237114.
        https://bugs.webkit.org/show_bug.cgi?id=190602

        Breaks internal builds. (Requested by ryanhaddad on #webkit).

        Reverted changesets:

        "Separate configuration extraction from offset extraction"
        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237084

        "Gardening: Build fix after r237084."
        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237088

        "Gardening: Build fix after r237084."
        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237098

        "REGRESSION (r237084): JavaScriptCore fails to build on Linux"
        https://trac.webkit.org/changeset/237114

2018-10-15  Keith Miller  <keith_miller@apple.com>

        BytecodeDumper should print all switch labels
        https://bugs.webkit.org/show_bug.cgi?id=190596

        Reviewed by Saam Barati.

        Right now the bytecode dumper only prints the default target not any of the
        non-default targets.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):

2018-10-15  Saam barati  <sbarati@apple.com>

        Emit fjcvtzs on ARM64E on Darwin
        https://bugs.webkit.org/show_bug.cgi?id=184023

        Reviewed by Yusuke Suzuki and Filip Pizlo.

        ARMv8.3 introduced the fjcvtzs instruction which does double->int32
        conversion using the semantics defined by JavaScript:
        http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0801g/hko1477562192868.html
        This patch teaches JSC to use that instruction when possible.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::fjcvtzs):
        (JSC::ARM64Assembler::fjcvtzsInsn):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::supportsDoubleToInt32ConversionUsingJavaScriptSemantics):
        (JSC::MacroAssemblerARM64::convertDoubleToInt32UsingJavaScriptSemantics):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * disassembler/ARM64/A64DOpcode.cpp:
        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcode::appendInstructionName):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        * runtime/MathCommon.h:
        (JSC::toInt32):

2018-10-15  Saam Barati  <sbarati@apple.com>

        JSArray::shiftCountWithArrayStorage is wrong when an array has holes
        https://bugs.webkit.org/show_bug.cgi?id=190262
        <rdar://problem/44986241>

        Reviewed by Mark Lam.

        We would take the fast path for shiftCountWithArrayStorage when the array
        hasHoles(). However, the code for this was wrong. It'd incorrectly update
        ArrayStorage::m_numValuesInVector. Since the hasHoles() for ArrayStorage
        path is never taken in JetStream 2, this patch just removes that from
        the fast path. Instead, we just fall back to the slow path when hasHoles().
        If we find evidence that this matters for real use cases, we can
        figure out a way to make the fast path work.

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):

2018-10-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r237054.
        https://bugs.webkit.org/show_bug.cgi?id=190593

        "this regressed JetStream 2 by 6% on iOS" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "[JSC] JSC should have "parseFunction" to optimize Function
        constructor"
        https://bugs.webkit.org/show_bug.cgi?id=190340
        https://trac.webkit.org/changeset/237054

2018-10-14  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r237084): JavaScriptCore fails to build on Linux
        <https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10949>

        * llint/LLIntSettingsExtractor.cpp: Attempt to fix build by
        including <stdio.h>.

2018-10-15  Alex Christensen  <achristensen@webkit.org>

        Shrink more enum classes
        https://bugs.webkit.org/show_bug.cgi?id=190540

        Reviewed by Chris Dumez.

        * runtime/ConsoleTypes.h:

2018-10-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Disable DOMJIT on 32bit architecture
        https://bugs.webkit.org/show_bug.cgi?id=190387

        Reviewed by Mark Lam.

        We disable DOMJIT on 32bit architecture due to exhaustion of registers.

        * runtime/Options.h:

2018-10-15  Alex Christensen  <achristensen@webkit.org>

        Include EnumTraits.h less
        https://bugs.webkit.org/show_bug.cgi?id=190535

        Reviewed by Chris Dumez.

        * runtime/ConsoleTypes.h:

2018-10-14  Mark Lam  <mark.lam@apple.com>

        Gardening: Build fix after r237084.
        https://bugs.webkit.org/show_bug.cgi?id=189708

        Unreviewed.

        * llint/LLIntOffsetsExtractor.cpp:

2018-10-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Remove Option::useAsyncIterator
        https://bugs.webkit.org/show_bug.cgi?id=190567

        Reviewed by Saam Barati.

        Async iterator is enabled by default at 2017-08-09. It is already shipped in several releases,
        and we can think that it is already mature. Let's drop the option `Option::useAsyncIterator`.

        * Configurations/FeatureDefines.xcconfig:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
        (JSC::BytecodeGenerator::emitNewFunction):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionMetadata):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        * runtime/Options.h:

2018-10-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Remove Options::useObjectRestSpread
        https://bugs.webkit.org/show_bug.cgi?id=190568

        Reviewed by Saam Barati.

        Options::useObjectRestSpread is enabled by default at 2017-06-27. It is already shipped in several releases,
        and we can think that it is mature. Let's drop Options::useObjectRestSpread() flag.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseProperty):
        * parser/Parser.h:
        * runtime/Options.h:

2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] JSON.stringify can accept call-with-no-arguments
        https://bugs.webkit.org/show_bug.cgi?id=190343

        Reviewed by Mark Lam.

        JSON.stringify can accept `JSON.stringify()` call (call-with-no-arguments) according to the spec[1].
        Instead of throwing an error, we should take the first argument as `undefined` if it is not given.

        [1]: https://tc39.github.io/ecma262/#sec-json.stringify

        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncStringify):

2018-10-12  Tadeu Zagallo  <tzagallo@apple.com>

        Gardening: Build fix after r237084.
        https://bugs.webkit.org/show_bug.cgi?id=189708

        Unreviewed.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-10-12  Tadeu Zagallo  <tzagallo@apple.com>

        Separate configuration extraction from offset extraction
        https://bugs.webkit.org/show_bug.cgi?id=189708

        Reviewed by Keith Miller.

        Instead of generating a file with all offsets for every combination of
        configurations, we first generate a file with only the configuration
        indices and pass that to the offset extractor. The offset extractor then
        only generates the offsets for valid configurations.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntSettingsExtractor.cpp: Added.
        (main):
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/generate_settings_extractor.rb: Added.
        * offlineasm/offsets.rb:
        * offlineasm/settings.rb:

2018-10-12  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r237063.

        Caused layout test fast/dom/Window/window-postmessage-clone-
        deep-array.html to fail on macOS and iOS Debug bots.

        Reverted changeset:

        "[JSC] Remove gcc warnings on mips and armv7"
        https://bugs.webkit.org/show_bug.cgi?id=188598
        https://trac.webkit.org/changeset/237063

2018-10-11  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Remove gcc warnings on mips and armv7
        https://bugs.webkit.org/show_bug.cgi?id=188598

        Reviewed by Mark Lam.

        Fix many gcc/clang warnings that are false positives, mostly alignment
        issues.

        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printMemory):
        Use bitwise_cast instead of reinterpret_cast.
        * assembler/testmasm.cpp:
        (JSC::floatOperands):
        marked as potentially unused as it is not used on all platforms.
        (JSC::testProbeModifiesStackValues):
        modifiedFlags is not used on mips, so don't declare it.
        * bytecode/CodeBlock.h:
        Make ScriptExecutable::prepareForExecution() return an
        std::optional<Exception*> instead of a JSObject*.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        Update calling code for the prototype change of
        ScriptExecutable::prepareForExecution().
        * jit/JITOperations.cpp: Same as for Interpreter.cpp.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall): Same as for Interpreter.cpp.
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::dataStorage):
        Use bitwise_cast instead of reinterpret_cast.
        * runtime/ScriptExecutable.cpp:
        * runtime/ScriptExecutable.h:
        Make ScriptExecutable::prepareForExecution() return an
        std::optional<Exception*> instead of a JSObject*.
        * tools/JSDollarVM.cpp:
        (JSC::codeBlockFromArg): Use bitwise_cast instead of reinterpret_cast.

2018-10-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Use currentStackPointer more
        https://bugs.webkit.org/show_bug.cgi?id=190503

        Reviewed by Saam Barati.

        * runtime/VM.cpp:
        (JSC::VM::committedStackByteCount):

2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] JSC should have "parseFunction" to optimize Function constructor
        https://bugs.webkit.org/show_bug.cgi?id=190340

        Reviewed by Mark Lam.

        The current Function constructor is suboptimal. We parse the piece of the same code three times to meet
        the spec requirement. (1) check parameters syntax, (2) check body syntax, and (3) parse the entire function.
        And to parse 1-3 correctly, we create two strings, the parameters and the entire function. This operation
        is really costly and ideally we should meet the above requirement by the one time parsing.

        To meet the above requirement, we add a special function for Parser, parseSingleFunction. This function
        takes `std::optional<int> functionConstructorParametersEndPosition` and check this end position is correct in the parser.
        For example, if we run the code,

            Function('/*', '*/){')

        According to the spec, this should produce '/*' parameter string and '*/){' body string. And parameter
        string should be syntax-checked by the parser, and raise the error since it is incorrect. Instead of doing
        that, in our implementation, we first create the entire string.

            function anonymous(/*) {
                */){
            }

        And we parse it. At that time, we also pass the end position of the parameters to the parser. In the above case,
        the position of the `function anonymous(/*)' <> is passed. And in the parser, we check that the last token
        offset of the parameters is the given end position. This check allows us to raise the error correctly to the
        above example while we parse the entire function only once. And we do not need to create two strings too.

        This improves the performance of the Function constructor significantly. And web-tooling-benchmark/uglify-js is
        significantly sped up (28.2%).

        Before:
            uglify-js:  2.94 runs/s
        After:
            uglify-js:  3.77 runs/s

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseSingleFunction):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parseFunctionExpression):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        (JSC::Parser<LexerType>::parseArrowFunctionExpression):
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse):
        (JSC::parseFunctionForFunctionConstructor):
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition):
        (JSC::JSTokenLocation::JSTokenLocation): Deleted.
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::operator== const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/FunctionExecutable.h:

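The comment-injection case in the entry above, as an added JavaScript example that is not WebKit code and not part of this commit: `naiveFunctionSource` builds the same pasted-together string the entry shows, `naiveFunction` parses only that string, and `checkedFunction` performs the spec's separate parameter and body checks (the three-parse approach the entry describes) before accepting the pair. All function names are assumptions made for this illustration; it runs under Node.

```javascript
// Added example (not WebKit code): why the Function constructor must not
// trust the pasted "function anonymous(params) { body }" string on its own.
// The helper names below are constructed for this illustration.

// Build the source text the way the ChangeLog entry describes JSC doing it:
// parameter string and body string are pasted into one function source.
function naiveFunctionSource(params, body) {
  return 'function anonymous(' + params + ') {\n' + body + '\n}';
}

// Parse the pasted string as a single function expression, with no
// per-piece validation. A '/*' in the parameters and a '*/' in the body
// comment out the ') {' between them, so the pair below parses cleanly
// and yields a parameterless function instead of a SyntaxError.
function naiveFunction(params, body) {
  return (0, eval)('(' + naiveFunctionSource(params, body) + ')');
}

// Spec-style construction: parse the parameter list and the body in
// isolation before parsing the whole (the "three parses" the entry
// mentions). An unterminated comment in either piece is rejected here,
// because the other piece is not present to close it.
function checkedFunction(params, body) {
  new Function(params, '');   // step 1: params alone must be valid FormalParameters
  new Function('', body);     // step 2: body alone must be a valid FunctionBody
  return naiveFunction(params, body); // step 3: parse the entire function
}

// Does the given builder reject the pair with a SyntaxError?
function rejects(builder, params, body) {
  try {
    builder(params, body);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// The pair from the ChangeLog entry: the naive builder accepts it and
// produces a parameterless function; the checked builder throws.
const INJECTED_PARAMS = '/*';
const INJECTED_BODY = '*/){';

function demo() {
  const naiveAccepts = !rejects(naiveFunction, INJECTED_PARAMS, INJECTED_BODY);
  const checkedRejects = rejects(checkedFunction, INJECTED_PARAMS, INJECTED_BODY);
  // A well-formed pair still works through the checked path.
  const benign = checkedFunction('a, b', 'return a + b')(2, 3);
  return { naiveAccepts, checkedRejects, benign };
}

console.log(demo());
```

The engine's single-parse end-position check described in the entry achieves the same rejection as `checkedFunction` without parsing the pieces twice.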
2018-10-11  Ross Kirsling  <ross.kirsling@sony.com>

        Fix non-existent define `CPU(JSVALUE64)`
        https://bugs.webkit.org/show_bug.cgi?id=190479

        Reviewed by Yusuke Suzuki.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsImpl):
        Correct CPU(JSVALUE64) to USE(JSVALUE64).

2018-10-11  Keith Rollin  <krollin@apple.com>

        CURRENT_ARCH should not be used in Run Script phase.
        https://bugs.webkit.org/show_bug.cgi?id=190407
        <rdar://problem/45133556>

        Reviewed by Alexey Proskuryakov.

        CURRENT_ARCH is used in a number of Xcode Run Script phases. However,
        CURRENT_ARCH is not well-defined during this phase (and may even have
        the value "undefined") since this phase is run just once per build
        rather than once per supported architecture. Migrate away from
        CURRENT_ARCH in favor of ARCHS, either by iterating over ARCHS and
        performing an operation for each value, or by picking the first entry
        in ARCHS and using that as a representative value.

        * JavaScriptCore.xcodeproj/project.pbxproj: Store
        LLIntDesiredOffsets.h into a directory with a name based on ARCHS
        rather than CURRENT_ARCH.

2018-10-10  Mark Lam  <mark.lam@apple.com>

        Changes towards allowing use of the ASAN detect_stack_use_after_return option.
        https://bugs.webkit.org/show_bug.cgi?id=190405
        <rdar://problem/45131464>

        Reviewed by Michael Saboff.

        The ASAN detect_stack_use_after_return option checks for use of stack variables
        after they have been freed.  It does this by allocating relevant stack variables
        in heap memory (instead of on the stack) if the code ever takes the address of
        those stack variables.  Unfortunately, this is a common idiom that we use to
        compute the approximate stack pointer value.  As a result, on such ASAN runs, the
        computed approximate stack pointer value will point into the heap instead of the
        stack.  This breaks the VM's expectations and wreaks havoc.

        To fix this, we use the newly introduced WTF::currentStackPointer() instead of
        taking the address of stack variables.

        We also need to enhance ExceptionScopes to be able to work with ASAN
        detect_stack_use_after_return which will allocate the scope in the heap.  We
688         work around this by passing the current stack pointer of the instantiating calling
689         frame into the scope constructor, and using that for the position check in
690         ~ThrowScope() instead.
691
692         The above is only a start towards enabling ASAN detect_stack_use_after_return on
693         the VM.  There are still other issues to be resolved before we can run with this
694         ASAN option.
695
696         * runtime/CatchScope.h:
697         * runtime/ExceptionEventLocation.h:
698         (JSC::ExceptionEventLocation::ExceptionEventLocation):
699         * runtime/ExceptionScope.h:
700         (JSC::ExceptionScope::stackPosition const):
701         * runtime/JSLock.cpp:
702         (JSC::JSLock::didAcquireLock):
703         * runtime/ThrowScope.cpp:
704         (JSC::ThrowScope::~ThrowScope):
705         * runtime/ThrowScope.h:
706         * runtime/VM.h:
707         (JSC::VM::needExceptionCheck const):
708         (JSC::VM::isSafeToRecurse const):
709         * wasm/js/WebAssemblyFunction.cpp:
710         (JSC::callWebAssemblyFunction):
711         * yarr/YarrPattern.cpp:
712         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
713
714 2018-10-10  Devin Rousso  <drousso@apple.com>
715
716         Web Inspector: create special Network waterfall for media events
717         https://bugs.webkit.org/show_bug.cgi?id=189773
718         <rdar://problem/44626605>
719
720         Reviewed by Joseph Pecoraro.
721
722         * inspector/protocol/DOM.json:
723         Add `didFireEvent` event that is fired when specific event listeners added by
724         `InspectorInstrumentation::addEventListenersToNode` are fired.
725
726 2018-10-10  Michael Saboff  <msaboff@apple.com>
727
728         Increase executable memory pool from 64MB to 128MB for ARM64
729         https://bugs.webkit.org/show_bug.cgi?id=190453
730
731         Reviewed by Saam Barati.
732
733         * jit/ExecutableAllocator.cpp:
734
735 2018-10-10  Devin Rousso  <drousso@apple.com>
736
737         Web Inspector: notify the frontend when a canvas has started recording via console.record
738         https://bugs.webkit.org/show_bug.cgi?id=190306
739
740         Reviewed by Brian Burg.
741
742         * inspector/protocol/Canvas.json:
743         Add `recordingStarted` event.
744
745         * inspector/protocol/Recording.json:
746         Add `Initiator` enum for determining who started the recording.
747
748 2018-10-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
749
750         [JSC] Rename createXXX to tryCreateXXX if it can return RefPtr
751         https://bugs.webkit.org/show_bug.cgi?id=190429
752
753         Reviewed by Saam Barati.
754
755         Some createXXX functions can fail. But sometimes the caller does not perform error checking.
756         To make it explicit that these functions can fail, we rename these functions from createXXX
757         to tryCreateXXX. In this patch, we focus on non-JS-managed factory functions. If the factory
758         function does not fail, it should return Ref<>. Otherwise, it should be named as tryCreateXXX
759         and it should return RefPtr<>.
760
761         This patch mainly focuses on TypedArray factory functions. Previously, these functions were
762         `RefPtr<XXXArray> create(...)`. This patch changes them to `RefPtr<XXXArray> tryCreate(...)`.
763         And we also introduce a `Ref<XXXArray> create(...)` function which internally performs
764         RELEASE_ASSERT on the result of `tryCreate(...)`.
765
766         And we also convert OpaqueJSString::create to OpaqueJSString::tryCreate since it can fail.
767
768         This change actually finds one place which does not perform any null checks while it uses
769         the `RefPtr<> create(...)` function.
770
771         * API/JSCallbackObjectFunctions.h:
772         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
773         (JSC::JSCallbackObject<Parent>::put):
774         (JSC::JSCallbackObject<Parent>::putByIndex):
775         (JSC::JSCallbackObject<Parent>::deleteProperty):
776         (JSC::JSCallbackObject<Parent>::callbackGetter):
777         * API/JSClassRef.h:
778         (StaticValueEntry::StaticValueEntry):
779         * API/JSContext.mm:
780         (-[JSContext evaluateScript:withSourceURL:]):
781         (-[JSContext setName:]):
782         * API/JSContextRef.cpp:
783         (JSGlobalContextCopyName):
784         (JSContextCreateBacktrace):
785         * API/JSObjectRef.cpp:
786         (JSObjectCopyPropertyNames):
787         * API/JSScriptRef.cpp:
788         * API/JSStringRef.cpp:
789         (JSStringCreateWithCharactersNoCopy):
790         * API/JSValue.mm:
791         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
792         (+[JSValue valueWithNewErrorFromMessage:inContext:]):
793         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
794         (performPropertyOperation):
795         (-[JSValue invokeMethod:withArguments:]):
796         (containerValueToObject):
797         (objectToValueWithoutCopy):
798         (objectToValue):
799         * API/JSValueRef.cpp:
800         (JSValueCreateJSONString):
801         (JSValueToStringCopy):
802         * API/OpaqueJSString.cpp:
803         (OpaqueJSString::tryCreate):
804         (OpaqueJSString::create): Deleted.
805         * API/OpaqueJSString.h:
806         * API/glib/JSCContext.cpp:
807         (evaluateScriptInContext):
808         * API/glib/JSCValue.cpp:
809         (jsc_value_new_string_from_bytes):
810         * ftl/FTLLazySlowPath.h:
811         (JSC::FTL::LazySlowPath::createGenerator):
812         * ftl/FTLLazySlowPathCall.h:
813         (JSC::FTL::createLazyCallGenerator):
814         * ftl/FTLOSRExit.cpp:
815         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
816         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
817         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
818         * ftl/FTLOSRExit.h:
819         * ftl/FTLPatchpointExceptionHandle.cpp:
820         (JSC::FTL::PatchpointExceptionHandle::create):
821         (JSC::FTL::PatchpointExceptionHandle::createHandle):
822         * ftl/FTLPatchpointExceptionHandle.h:
823         * heap/EdenGCActivityCallback.h:
824         (JSC::GCActivityCallback::tryCreateEdenTimer):
825         (JSC::GCActivityCallback::createEdenTimer): Deleted.
826         * heap/FullGCActivityCallback.h:
827         (JSC::GCActivityCallback::tryCreateFullTimer):
828         (JSC::GCActivityCallback::createFullTimer): Deleted.
829         * heap/GCActivityCallback.h:
830         * heap/Heap.cpp:
831         (JSC::Heap::Heap):
832         * inspector/AsyncStackTrace.cpp:
833         (Inspector::AsyncStackTrace::create):
834         * inspector/AsyncStackTrace.h:
835         * jsc.cpp:
836         (fillBufferWithContentsOfFile):
837         * runtime/ArrayBuffer.h:
838         * runtime/GenericTypedArrayView.h:
839         * runtime/GenericTypedArrayViewInlines.h:
840         (JSC::GenericTypedArrayView<Adaptor>::create):
841         (JSC::GenericTypedArrayView<Adaptor>::tryCreate):
842         (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
843         (JSC::GenericTypedArrayView<Adaptor>::tryCreateUninitialized):
844         (JSC::GenericTypedArrayView<Adaptor>::subarray const):
845         * runtime/JSArrayBufferView.cpp:
846         (JSC::JSArrayBufferView::possiblySharedImpl):
847         * runtime/JSGenericTypedArrayViewInlines.h:
848         (JSC::JSGenericTypedArrayView<Adaptor>::possiblySharedTypedImpl):
849         (JSC::JSGenericTypedArrayView<Adaptor>::unsharedTypedImpl):
850         * wasm/WasmMemory.cpp:
851         (JSC::Wasm::Memory::create):
852         (JSC::Wasm::Memory::tryCreate):
853         * wasm/WasmMemory.h:
854         * wasm/WasmTable.cpp:
855         (JSC::Wasm::Table::tryCreate):
856         (JSC::Wasm::Table::create): Deleted.
857         * wasm/WasmTable.h:
858         * wasm/js/JSWebAssemblyInstance.cpp:
859         (JSC::JSWebAssemblyInstance::create):
860         * wasm/js/JSWebAssemblyMemory.cpp:
861         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
862         * wasm/js/WebAssemblyMemoryConstructor.cpp:
863         (JSC::constructJSWebAssemblyMemory):
864         * wasm/js/WebAssemblyModuleRecord.cpp:
865         (JSC::WebAssemblyModuleRecord::link):
866         * wasm/js/WebAssemblyTableConstructor.cpp:
867         (JSC::constructJSWebAssemblyTable):
868
869 2018-10-09  Devin Rousso  <drousso@apple.com>
870
871         Web Inspector: show redirect requests in Network and Timelines tabs
872         https://bugs.webkit.org/show_bug.cgi?id=150005
873         <rdar://problem/5378164>
874
875         Reviewed by Joseph Pecoraro.
876
877         * inspector/protocol/Network.json:
878         Add missing fields to `ResourceTiming`.
879
880 2018-10-09  Claudio Saavedra  <csaavedra@igalia.com>
881
882         [WPE] Explicitly link against gmodule where used
883         https://bugs.webkit.org/show_bug.cgi?id=190398
884
885         Reviewed by Michael Catanzaro.
886
887         * PlatformWPE.cmake:
888
889 2018-10-08  Justin Fan  <justin_fan@apple.com>
890
891         WebGPU: Rename old WebGPU prototype to WebMetal
892         https://bugs.webkit.org/show_bug.cgi?id=190325
893         <rdar://problem/44990443>
894
895         Reviewed by Dean Jackson.
896
897         Rename WebGPU prototype files to WebMetal in preparation for implementing the new (Oct 2018) WebGPU interface.
898
899         * Configurations/FeatureDefines.xcconfig:
900         * inspector/protocol/Canvas.json:
901         * inspector/scripts/codegen/generator.py:
902
903 2018-10-08  Aditya Keerthi  <akeerthi@apple.com>
904
905         Make <input type=color> a runtime enabled (on-by-default) feature
906         https://bugs.webkit.org/show_bug.cgi?id=189162
907
908         Reviewed by Wenson Hsieh and Tim Horton.
909
910         * Configurations/FeatureDefines.xcconfig:
911
912 2018-10-08  Devin Rousso  <drousso@apple.com>
913
914         Web Inspector: group media network entries by the node that triggered the request
915         https://bugs.webkit.org/show_bug.cgi?id=189606
916         <rdar://problem/44438527>
917
918         Reviewed by Brian Burg.
919
920         * inspector/protocol/Network.json:
921         Add an optional `nodeId` field to the `Initiator` object that is set if it is possible to
922         determine which ancestor node triggered the load. It may not correspond directly to the node
923         with the href/src, as that url may only be used by an ancestor for loading.
924
925 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
926
927         [JSC][Linux] Use non-truncated name for JIT workers in Linux
928         https://bugs.webkit.org/show_bug.cgi?id=190339
929
930         Reviewed by Mark Lam.
931
932         The current thread names are meaningless in a Linux environment. We do not want to
933         have a truncated name in Linux: we want to have a clear name in Linux. Instead, we
934         should have the name for Linux separately from the name used in the non-Linux
935         environments. This patch adds FTLWorker, DFGWorker, and JITWorker names for the
936         Linux environment.
937
938         * dfg/DFGWorklist.cpp:
939         (JSC::DFG::createWorklistName):
940         (JSC::DFG::Worklist::Worklist):
941         (JSC::DFG::Worklist::create):
942         (JSC::DFG::ensureGlobalDFGWorklist):
943         (JSC::DFG::ensureGlobalFTLWorklist):
944         * dfg/DFGWorklist.h:
945         * jit/JITWorklist.cpp:
946
947 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
948
949         Name Heap threads
950         https://bugs.webkit.org/show_bug.cgi?id=190337
951
952         Reviewed by Mark Lam.
953
954         Name heap threads as "Heap Helper Thread". In Linux, we name it "HeapHelper" since
955         Linux does not accept a name longer than 15 characters. We do not want to use the short name
956         for non-Linux environments. And we want to have a clear name in Linux: a truncated name
957         is not good. So, having the two names is the only way.
958
959         * heap/HeapHelperPool.cpp:
960         (JSC::heapHelperPool):
961
962 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
963
964         [JSC] Avoid creating ProgramExecutable in checkSyntax
965         https://bugs.webkit.org/show_bug.cgi?id=190332
966
967         Reviewed by Mark Lam.
968
969         uglify-js in web-tooling-benchmark executes a massive number of Function constructor calls.
970         In Function constructor code, we perform checkSyntax for the body and parameters. So a fast checkSyntax
971         is important when the performance of the Function constructor matters. The current checkSyntax code
972         unnecessarily allocates a ProgramExecutable. This patch removes this allocation and improves
973         the benchmark score slightly.
974
975         Before:
976             uglify-js:  2.87 runs/s
977         After:
978             uglify-js:  2.94 runs/s
979
980         * runtime/Completion.cpp:
981         (JSC::checkSyntaxInternal):
982         (JSC::checkSyntax):
983         * runtime/ProgramExecutable.cpp:
984         (JSC::ProgramExecutable::checkSyntax): Deleted.
985         * runtime/ProgramExecutable.h:
986
987 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
988
989         [ESNext][BigInt] Implement support for "|"
990         https://bugs.webkit.org/show_bug.cgi?id=186229
991
992         Reviewed by Yusuke Suzuki.
993
994         This patch introduces support for BigInt into the bitwise "or" operator.
995         In addition, we are also introducing 2 new DFG nodes, named "ArithBitOr" and
996         "ValueBitOr", to replace the "BitOr" node. The idea is to follow the
997         distinction that we make between Arith<op> and Value<op>, where ArithBitOr
998         handles cases when the operands are Int32 and ValueBitOr handles
999         the remaining cases.
1000
1001         We are also changing op_bitor to use ValueProfile. We are using
1002         ValueProfile during DFG generation to emit "ArithBitOr" when
1003         outcome prediction is Int32.
1004
1005         * bytecode/CodeBlock.cpp:
1006         (JSC::CodeBlock::finishCreation):
1007         (JSC::CodeBlock::arithProfileForPC):
1008         * bytecompiler/BytecodeGenerator.cpp:
1009         (JSC::BytecodeGenerator::emitBinaryOp):
1010         * dfg/DFGAbstractInterpreterInlines.h:
1011         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1012         * dfg/DFGBackwardsPropagationPhase.cpp:
1013         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
1014         (JSC::DFG::BackwardsPropagationPhase::propagate):
1015         * dfg/DFGByteCodeParser.cpp:
1016         (JSC::DFG::ByteCodeParser::parseBlock):
1017         * dfg/DFGClobberize.h:
1018         (JSC::DFG::clobberize):
1019         * dfg/DFGDoesGC.cpp:
1020         (JSC::DFG::doesGC):
1021         * dfg/DFGFixupPhase.cpp:
1022         (JSC::DFG::FixupPhase::fixupNode):
1023         * dfg/DFGNodeType.h:
1024         * dfg/DFGOperations.cpp:
1025         (JSC::DFG::bitwiseOp):
1026         * dfg/DFGOperations.h:
1027         * dfg/DFGPredictionPropagationPhase.cpp:
1028         * dfg/DFGSafeToExecute.h:
1029         (JSC::DFG::safeToExecute):
1030         * dfg/DFGSpeculativeJIT.cpp:
1031         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
1032         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
1033         * dfg/DFGSpeculativeJIT.h:
1034         (JSC::DFG::SpeculativeJIT::bitOp):
1035         * dfg/DFGSpeculativeJIT32_64.cpp:
1036         (JSC::DFG::SpeculativeJIT::compile):
1037         * dfg/DFGSpeculativeJIT64.cpp:
1038         (JSC::DFG::SpeculativeJIT::compile):
1039         * dfg/DFGStrengthReductionPhase.cpp:
1040         (JSC::DFG::StrengthReductionPhase::handleNode):
1041         * ftl/FTLCapabilities.cpp:
1042         (JSC::FTL::canCompile):
1043         * ftl/FTLLowerDFGToB3.cpp:
1044         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1045         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
1046         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitOr):
1047         (JSC::FTL::DFG::LowerDFGToB3::compileBitOr): Deleted.
1048         * jit/JITArithmetic.cpp:
1049         (JSC::JIT::emit_op_bitor):
1050         * llint/LowLevelInterpreter32_64.asm:
1051         * llint/LowLevelInterpreter64.asm:
1052         * runtime/CommonSlowPaths.cpp:
1053         (JSC::SLOW_PATH_DECL):
1054         * runtime/JSBigInt.cpp:
1055         (JSC::JSBigInt::bitwiseAnd):
1056         (JSC::JSBigInt::bitwiseOr):
1057         (JSC::JSBigInt::absoluteBitwiseOp):
1058         (JSC::JSBigInt::absoluteAddOne):
1059         * runtime/JSBigInt.h:
1060
1061 2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1062
1063         [JSC] Use new extra memory reporting in SparseArrayMap
1064         https://bugs.webkit.org/show_bug.cgi?id=190278
1065
1066         Reviewed by Keith Miller.
1067
1068         This patch switches the extra memory reporting mechanism from deprecatedReportExtraMemory
1069         to reportExtraMemoryAllocated & reportExtraMemoryVisited in SparseArrayMap.
1070
1071         * runtime/SparseArrayValueMap.cpp:
1072         (JSC::SparseArrayValueMap::add):
1073         (JSC::SparseArrayValueMap::visitChildren):
1074
1075 2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1076
1077         [JSC][Linux] Support Perf JITDump logging
1078         https://bugs.webkit.org/show_bug.cgi?id=189893
1079
1080         Reviewed by Mark Lam.
1081
1082         This patch adds Linux `perf` command's JIT Dump support. It allows JSC to tell perf about JIT code information.
1083         We add a command line option, `--logJITCodeForPerf`, which dumps `jit-%pid.dump` in the current directory.
1084         By using this dump and perf.data output, we can annotate JIT code with profiling information.
1085
1086             $ echo "(function f() { var s = 0; for (var i = 0; i < 1000000000; i++) { s += i; } return s; })();" > test.js
1087             $ perf record -k mono ../../WebKitBuild/perf/Release/bin/jsc test.js --logJITCodeForPerf=true
1088             [ perf record: Woken up 1 times to write data ]
1089             [ perf record: Captured and wrote 0.182 MB perf.data (4346 samples) ]
1090             $ perf inject --jit -i perf.data -o perf.jit.data
1091             $ perf report -i perf.jit.data
1092
1093         * Sources.txt:
1094         * assembler/LinkBuffer.cpp:
1095         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
1096         * assembler/LinkBuffer.h:
1097         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1098         * assembler/PerfLog.cpp: Added.
1099         (JSC::PerfLog::singleton):
1100         (JSC::generateTimestamp):
1101         (JSC::getCurrentThreadID):
1102         (JSC::PerfLog::PerfLog):
1103         (JSC::PerfLog::write):
1104         (JSC::PerfLog::flush):
1105         (JSC::PerfLog::log):
1106         * assembler/PerfLog.h: Added.
1107         * jit/ExecutableAllocator.cpp:
1108         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1109         * runtime/Options.cpp:
1110         (JSC::Options::isAvailable):
1111         * runtime/Options.h:
1112
1113 2018-10-05  Mark Lam  <mark.lam@apple.com>
1114
1115         Gardening: Build fix after r236880.
1116         https://bugs.webkit.org/show_bug.cgi?id=190317
1117
1118         Unreviewed.
1119
1120         * jit/ExecutableAllocator.h:
1121
1122 2018-10-05  Mark Lam  <mark.lam@apple.com>
1123
1124         performJITMemcpy() should handle the case when the executable allocator is not initialized yet.
1125         https://bugs.webkit.org/show_bug.cgi?id=190317
1126         <rdar://problem/45039398>
1127
1128         Reviewed by Saam Barati.
1129
1130         When SeparatedWXHeaps is in use, jitWriteThunkGenerator() will call performJITMemcpy()
1131         to copy memory before the JIT fixed memory pool is initialized.  Before r236864,
1132         performJITMemcpy() would just do a memcpy in that case.  We need to restore the
1133         equivalent behavior.
1134
1135         * jit/ExecutableAllocator.cpp:
1136         (JSC::isJITPC):
1137         * jit/ExecutableAllocator.h:
1138         (JSC::performJITMemcpy):
1139
1140 2018-10-05  Carlos Eduardo Ramalho  <cadubentzen@gmail.com>
1141
1142         [WPE][JSC] Use Unified Sources for Platform-specific sources
1143         https://bugs.webkit.org/show_bug.cgi?id=190300
1144
1145         Reviewed by Yusuke Suzuki.
1146
1147         Currently the GTK port already uses Unified Sources with the same source files.
1148         As WPE has conditional code using gmodule, we need to add GLIB_GMODULE_LIBRARIES
1149         to the list of libraries to link with.
1150
1151         * PlatformWPE.cmake:
1152         * SourcesWPE.txt: Added.
1153         * shell/PlatformWPE.cmake:
1154
1155 2018-10-05  Mike Gorse  <mgorse@alum.wpi.edu>
1156
1157         [GTK] build fails with python 3 if LANG and LC_TYPE are unset
1158         https://bugs.webkit.org/show_bug.cgi?id=190258
1159
1160         Reviewed by Konstantin Tokarev.
1161
1162         * Scripts/cssmin.py: Set stdout to UTF-8 on python 3.
1163         * Scripts/generateIntlCanonicalizeLanguage.py: Open files with
1164           encoding=UTF-8 on Python 3.
1165         * yarr/generateYarrCanonicalizeUnicode: Ditto.
1166         * yarr/generateYarrUnicodePropertyTables.py: Ditto.
1167
1168 2018-10-04  Mark Lam  <mark.lam@apple.com>
1169
1170         Move start/EndOfFixedExecutableMemoryPool pointers into the FixedVMPoolExecutableAllocator object.
1171         https://bugs.webkit.org/show_bug.cgi?id=190295
1172         <rdar://problem/19197193>
1173
1174         Reviewed by Saam Barati.
1175
1176         This allows us to use the tagging logic already baked into MacroAssemblerCodePtr
1177         instead of needing to use our own custom version here.
1178
1179         * jit/ExecutableAllocator.cpp:
1180         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1181         (JSC::FixedVMPoolExecutableAllocator::memoryStart):
1182         (JSC::FixedVMPoolExecutableAllocator::memoryEnd):
1183         (JSC::FixedVMPoolExecutableAllocator::isJITPC):
1184         (JSC::ExecutableAllocator::allocate):
1185         (JSC::startOfFixedExecutableMemoryPoolImpl):
1186         (JSC::endOfFixedExecutableMemoryPoolImpl):
1187         (JSC::isJITPC):
1188         * jit/ExecutableAllocator.h:
1189
1190 2018-10-04  Mark Lam  <mark.lam@apple.com>
1191
1192         Disable Options::useWebAssemblyFastMemory() on linux if ASAN signal handling is not disabled.
1193         https://bugs.webkit.org/show_bug.cgi?id=190283
1194         <rdar://problem/45015752>
1195
1196         Reviewed by Keith Miller.
1197
1198         * runtime/Options.cpp:
1199         (JSC::Options::initialize):
1200         * wasm/WasmFaultSignalHandler.cpp:
1201         (JSC::Wasm::enableFastMemory):
1202
1203 2018-10-03  Ross Kirsling  <ross.kirsling@sony.com>
1204
1205         [JSC] print() changes CRLF to CRCRLF on Windows
1206         https://bugs.webkit.org/show_bug.cgi?id=190228
1207
1208         Reviewed by Mark Lam.
1209
1210         * jsc.cpp:
1211         (main):
1212         Ultimately, this is just the normal behavior of printf in text mode on Windows.
1213         Since we're reading in files as binary, we need to be printing out as binary too
1214         (just as we do in DumpRenderTree and ImageDiff.)
1215
1216 2018-10-03  Saam barati  <sbarati@apple.com>
1217
1218         lowXYZ in FTLLower should always filter the type of the incoming edge
1219         https://bugs.webkit.org/show_bug.cgi?id=189939
1220         <rdar://problem/44407030>
1221
1222         Reviewed by Michael Saboff.
1223
1224         For example, the FTL may know more about data flow than AI in certain programs,
1225         and it needs to inform AI of these data flow properties to appease the assertion
1226         we have in AI that a node must perform type checks on its child nodes.
1227         
1228         For example, consider this program:
1229         
1230         ```
1231         bb#1
1232         a: Phi // Let's say it has an Int32 result, so it goes into the int32 hash table in FTLLower
1233         Branch(...,  #2, #3)
1234         
1235         bb#2
1236         ArrayifyToStructure(Cell:@a) // This modifies @a to have its previous type union the type of some structure set.
1237         Jump(#3)
1238         
1239         bb#3
1240         c: Add(Int32:@something, Int32:@a)
1241         ```
1242         
1243         When the Add node does lowInt32() for @a, FTL lower used to just grab it
1244         from the int32 hash table without filtering the AbstractValue. However,
1245         the parent node is asking for a type check to happen, so we must inform
1246         AI of this "type check" if we want to appease the assertion that all nodes
1247         perform type checks for their edges that semantically perform type checks.
1248         This patch makes it so we filter the AbstractValue in the lowXYZ even
1249         if FTLLower proved the value must be XYZ.
1250
1251         * ftl/FTLLowerDFGToB3.cpp:
1252         (JSC::FTL::DFG::LowerDFGToB3::compilePhi):
1253         (JSC::FTL::DFG::LowerDFGToB3::simulatedTypeCheck):
1254         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
1255         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
1256         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
1257
1258 2018-10-03  Michael Saboff  <msaboff@apple.com>
1259
1260         Command line jsc should report memory footprint in bytes
1261         https://bugs.webkit.org/show_bug.cgi?id=190267
1262
1263         Reviewed by Mark Lam.
1264
1265         Change to leave the footprint values from the system unmodified.
1266
1267         * jsc.cpp:
1268         (JSCMemoryFootprint::finishCreation):
1269
1270 2018-10-03  Mark Lam  <mark.lam@apple.com>
1271
1272         Suppress unreachable code warning for LLIntAssembly.h code.
1273         https://bugs.webkit.org/show_bug.cgi?id=190263
1274         <rdar://problem/44986532>
1275
1276         Reviewed by Saam Barati.
1277
1278         This is needed because LLIntAssembly.h is template generated from LowLevelInterpreter
1279         asm files, and may contain dead code which is harmless, but will trip up the warning.
1280         We should suppress the warning so that it doesn't break builds.
1281
1282         * llint/LowLevelInterpreter.cpp:
1283         (JSC::CLoop::execute):
1284
1285 2018-10-03  Dan Bernstein  <mitz@apple.com>
1286
1287         JavaScriptCore part of [Xcode] Update some build settings as recommended by Xcode 10
1288         https://bugs.webkit.org/show_bug.cgi?id=190250
1289
1290         Reviewed by Alex Christensen.
1291
1292         * API/tests/Regress141275.mm:
1293         (-[JSTEvaluator _sourcePerform]): Addressed newly-enabled CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF
1294           by making the self-retaining explicit.
1295
1296         * API/tests/testapi.cpp:
1297         (testCAPIViaCpp): Addressed newly-enabled CLANG_WARN_UNREACHABLE_CODE by breaking out of the
1298           loop instead of returning from the lambda.
1299
1300         * Configurations/Base.xcconfig: Enabled CLANG_WARN_COMMA, CLANG_WARN_UNREACHABLE_CODE,
1301           CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS, CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF, and
1302           CLANG_ANALYZER_LOCALIZABILITY_NONLOCALIZED.
1303
1304         * JavaScriptCore.xcodeproj/project.pbxproj: Removed a duplicate reference to
1305           UnlinkedFunctionExecutable.h, and let Xcode update the project file.
1306
1307         * assembler/MacroAssemblerPrinter.cpp:
1308         (JSC::Printer::printAllRegisters): Addressed newly-enabled CLANG_WARN_COMMA by replacing
1309           some commas with semicolons.
1310
1311 2018-10-03  Mark Lam  <mark.lam@apple.com>
1312
1313         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1314         https://bugs.webkit.org/show_bug.cgi?id=190187
1315         <rdar://problem/42512909>
1316
1317         Reviewed by Michael Saboff.
1318
1319         Allowing different max string lengths at each level opens up opportunities for
1320         bugs to creep in.  With 2 different max length values, it is more difficult to
1321         keep the story straight on how we do overflow / bounds checks at each place in
1322         the code.  It's also difficult to tell if a seemingly valid check at the WTF level
1323         will have bad ramifications at the JSC level.  Also, it's not meaningful to
1324         support a max length > INT_MAX.  To eliminate this class of bugs, we'll
1325         standardize on a MaxLength of INT_MAX at all levels.
1326
1327         We'll also standardize the way we do length overflow checks on using
1328         CheckedArithmetic, and add some asserts to document the assumptions of the code.
1329
1330         * runtime/FunctionConstructor.cpp:
1331         (JSC::constructFunctionSkippingEvalEnabledCheck):
1332         - Fix OOM error handling which crashed a test after the new MaxLength was applied.
1333         * runtime/JSString.h:
1334         (JSC::JSString::finishCreation):
1335         (JSC::JSString::createHasOtherOwner):
1336         (JSC::JSString::setLength):
1337         * runtime/JSStringInlines.h:
1338         (JSC::jsMakeNontrivialString):
1339         * runtime/Operations.h:
1340         (JSC::jsString):
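
An added example (not WebKit's code) of the failure class this entry addresses: a naive 32-bit length sum wraps silently, so a later `<= MaxLength` check passes for an impossibly large concatenation, while a checked accumulator with a single MaxLength of INT_MAX rejects it. `CheckedSize`, `kStringMaxLength`, `naiveTotalLength` and `checkedTotalLength` are constructed stand-ins for illustration, not WTF's CheckedArithmetic or JSC's jsString.

```cpp
#include <cassert>
#include <climits>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// One MaxLength shared by every layer, mirroring the entry's choice of INT_MAX.
constexpr size_t kStringMaxLength = static_cast<size_t>(INT_MAX);

// Minimal stand-in for a checked-arithmetic accumulator (constructed here):
// once an addition overflows, the object stays invalid.
class CheckedSize {
public:
    CheckedSize& operator+=(size_t n)
    {
        if (!m_valid)
            return *this;
        if (n > std::numeric_limits<size_t>::max() - m_value)
            m_valid = false;
        else
            m_value += n;
        return *this;
    }
    bool hasOverflowed() const { return !m_valid; }
    size_t unsafeGet() const { return m_value; }

private:
    size_t m_value = 0;
    bool m_valid = true;
};

// Naive version: 32-bit arithmetic wraps, so INT_MAX + INT_MAX + 2 becomes 0 and
// would sail through a subsequent "total <= MaxLength" check.
uint32_t naiveTotalLength(const std::vector<size_t>& partLengths)
{
    uint32_t total = 0;
    for (size_t n : partLengths)
        total += static_cast<uint32_t>(n);
    return total;
}

// Checked version: returns the concatenated length only if every part and the
// running total stay within MaxLength; nullopt means the caller must fail (OOM).
std::optional<size_t> checkedTotalLength(const std::vector<size_t>& partLengths)
{
    CheckedSize total;
    for (size_t n : partLengths) {
        // Documents the invariant: no existing string is longer than MaxLength.
        assert(n <= kStringMaxLength);
        total += n;
        if (total.hasOverflowed() || total.unsafeGet() > kStringMaxLength)
            return std::nullopt;
    }
    return total.unsafeGet();
}
```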
1341
1342 2018-10-03  Koby Boyango  <koby.b@mce-sys.com>
1343
1344         [JSC] Add a C++ callable overload of objectConstructorSeal
1345         https://bugs.webkit.org/show_bug.cgi?id=190137
1346
1347         Reviewed by Yusuke Suzuki.
1348
1349         * runtime/ObjectConstructor.cpp:
1350         * runtime/ObjectConstructor.h:
1351
1352 2018-10-02  Dominik Infuehr  <dinfuehr@igalia.com>
1353
1354         Fix Disassembler-output on ARM Thumb2
1355         https://bugs.webkit.org/show_bug.cgi?id=190203
1356
1357         On ARMv7 with Thumb2, addresses have bit 0 set to 1 to force
1358         execution in Thumb mode for jumps and calls. The actual machine
1359         instructions are still aligned to 2 bytes though. Use dataLocation() as
1360         the start address for disassembling since it unsets the Thumb bit.
1361         Until now the disassembler would start at the wrong address (off by 1),
1362         resulting in the wrong disassembled machine instructions.
1363
1364         Reviewed by Mark Lam.
1365
1366         * disassembler/CapstoneDisassembler.cpp:
1367         (JSC::tryToDisassemble):
1368
1369 2018-10-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1370
1371         [JSC] Add stub of ExecutableAllocator used when JIT is disabled
1372         https://bugs.webkit.org/show_bug.cgi?id=190215
1373
1374         Reviewed by Mark Lam.
1375
1376         When ENABLE(JIT) is disabled, we do not use JIT. But ExecutableAllocator is still available since
1377         it is guarded by ENABLE(ASSEMBLER). ENABLE(ASSEMBLER) is necessary for the LLInt ASM interpreter since
1378         our MacroAssembler provides machine architecture information. Eventually, we would like to decouple
1379         this machine architecture information from MacroAssembler. But for now, we use ENABLE(ASSEMBLER)
1380         for the LLInt ASM interpreter even if JIT is disabled by ENABLE(JIT).
1381
1382         To ensure that no executable memory allocation is done, we add a stub of ExecutableAllocator for
1383         non-JIT configurations. This does not have any functionality for allocating executable memory, thus
1384         no accidental operation can attempt to allocate executable memory if ENABLE(JIT) = OFF.
1385
1386         * jit/ExecutableAllocator.cpp:
1387         (JSC::ExecutableAllocator::initializeAllocator):
1388         (JSC::ExecutableAllocator::singleton):
1389         * jit/ExecutableAllocator.h:
1390         (JSC::ExecutableAllocator::isValid const):
1391         (JSC::ExecutableAllocator::underMemoryPressure):
1392         (JSC::ExecutableAllocator::memoryPressureMultiplier):
1393         (JSC::ExecutableAllocator::dumpProfile):
1394         (JSC::ExecutableAllocator::allocate):
1395         (JSC::ExecutableAllocator::isValidExecutableMemory):
1396         (JSC::ExecutableAllocator::committedByteCount):
1397         (JSC::ExecutableAllocator::getLock const):
1398         (JSC::performJITMemcpy):
1399
1400 2018-10-01  Dean Jackson  <dino@apple.com>
1401
1402         Remove CSS Animation Triggers
1403         https://bugs.webkit.org/show_bug.cgi?id=190175
1404         <rdar://problem/44925626>
1405
1406         Reviewed by Simon Fraser.
1407
1408         * Configurations/FeatureDefines.xcconfig:
1409
1410 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1411
1412         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1413         https://bugs.webkit.org/show_bug.cgi?id=190033
1414
1415         Reviewed by Yusuke Suzuki.
1416
1417         The implementation of JSBigInt::toStringToGeneric doesn't handle a power
1418         of 2 radix when the JSBigInt length is >= 2. To handle such cases, we
1419         implemented JSBigInt::toStringBasePowerOfTwo, which follows the
1420         algorithm that groups bits using a mask of (2 ^ n) - 1 to extract every
1421         digit.
1422
1423         * runtime/JSBigInt.cpp:
1424         (JSC::JSBigInt::toString):
1425         (JSC::JSBigInt::toStringBasePowerOfTwo):
1426         * runtime/JSBigInt.h:
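
An added worked example (not WebKit's JSBigInt code) of the bit-grouping algorithm this entry describes: a little-endian array of 32-bit limbs is rendered in a power-of-two radix by masking off n bits per digit, with digit groups that straddle a limb boundary (the multi-limb case the old code mishandled) carried across in an accumulator. The `Limbs` type, the function name and the sample values are constructed for illustration.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Little-endian limbs: limbs[0] holds the least significant 32 bits.
using Limbs = std::vector<uint32_t>;

// Convert a non-negative multi-limb integer to a string in radix 2, 4, 8, 16 or 32.
// Each output digit is `bitsPerDigit` bits extracted with the mask (2^n) - 1;
// digit groups may straddle limb boundaries, so leftover bits are carried over.
std::string toStringBasePowerOfTwo(const Limbs& limbs, unsigned radix)
{
    assert(radix >= 2 && radix <= 32 && (radix & (radix - 1)) == 0);
    static const char digitChars[] = "0123456789abcdefghijklmnopqrstuv";

    unsigned bitsPerDigit = 0; // radix == 2^bitsPerDigit
    for (unsigned r = radix; r > 1; r >>= 1)
        ++bitsPerDigit;
    const uint32_t mask = (1u << bitsPerDigit) - 1;

    // Ignore leading zero limbs; an all-zero value prints as "0".
    size_t length = limbs.size();
    while (length && !limbs[length - 1])
        --length;
    if (!length)
        return "0";

    // Number of significant bits fixes the digit count exactly (no leading zeros).
    uint32_t top = limbs[length - 1];
    unsigned topBits = 32;
    while (!(top & 0x80000000u)) {
        top <<= 1;
        --topBits;
    }
    size_t totalBits = (length - 1) * 32 + topBits;
    size_t digitCount = (totalBits + bitsPerDigit - 1) / bitsPerDigit;

    std::string result(digitCount, '0');
    size_t pos = digitCount; // filled from the least significant digit backwards

    uint64_t accumulator = 0; // bits not yet emitted (always fewer than 32 + bitsPerDigit)
    unsigned availableBits = 0;
    for (size_t i = 0; i < length; ++i) {
        accumulator |= uint64_t(limbs[i]) << availableBits;
        availableBits += 32;
        while (availableBits >= bitsPerDigit && pos) {
            result[--pos] = digitChars[accumulator & mask];
            accumulator >>= bitsPerDigit;
            availableBits -= bitsPerDigit;
        }
    }
    // A final partial group (fewer than bitsPerDigit bits) is the most significant digit.
    if (pos)
        result[--pos] = digitChars[accumulator & mask];
    assert(pos == 0);
    return result;
}

int main()
{
    // 2^33 - 1 spans two limbs; in octal every 3-bit group is 7, and one group crosses the limb boundary.
    std::cout << toStringBasePowerOfTwo(Limbs{0xffffffffu, 0x1u}, 8) << "\n"; // 77777777777
    return 0;
}
```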
1427
1428 2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1429
1430         [JSC] Add branchIfNaN and branchIfNotNaN
1431         https://bugs.webkit.org/show_bug.cgi?id=190122
1432
1433         Reviewed by Mark Lam.
1434
1435         Add AssemblyHelpers::{branchIfNaN, branchIfNotNaN} to make code more readable.
1436
1437         * dfg/DFGSpeculativeJIT.cpp:
1438         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1439         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1440         (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
1441         (JSC::DFG::SpeculativeJIT::compileSpread):
1442         (JSC::DFG::SpeculativeJIT::compileNewArray):
1443         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
1444         (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal):
1445         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1446         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1447         * dfg/DFGSpeculativeJIT32_64.cpp:
1448         (JSC::DFG::SpeculativeJIT::compile):
1449         * dfg/DFGSpeculativeJIT64.cpp:
1450         (JSC::DFG::SpeculativeJIT::compile):
1451         * jit/AssemblyHelpers.cpp:
1452         (JSC::AssemblyHelpers::purifyNaN):
1453         * jit/AssemblyHelpers.h:
1454         (JSC::AssemblyHelpers::branchIfNaN):
1455         (JSC::AssemblyHelpers::branchIfNotNaN):
1456         * jit/JITPropertyAccess.cpp:
1457         (JSC::JIT::emitGenericContiguousPutByVal):
1458         (JSC::JIT::emitDoubleLoad):
1459         (JSC::JIT::emitFloatTypedArrayGetByVal):
1460         * jit/JITPropertyAccess32_64.cpp:
1461         (JSC::JIT::emitGenericContiguousPutByVal):
1462         * wasm/js/JSToWasm.cpp:
1463         (JSC::Wasm::createJSToWasmWrapper):
1464
1465 2018-10-01  Mark Lam  <mark.lam@apple.com>
1466
1467         Function.toString() should also copy the source code Functions that are class definitions.
1468         https://bugs.webkit.org/show_bug.cgi?id=190186
1469         <rdar://problem/44733360>
1470
1471         Reviewed by Saam Barati.
1472
1473         Previously, if the Function was a class definition, functionProtoFuncToString()
1474         would create a String using StringView::toStringWithoutCopying(), and use that
1475         String to make a JSString.  This is not a problem if the underlying SourceProvider
1476         (that backs the characters in that StringView) is immortal.  However, this is
1477         not always the case in practice.
1478
1479         This patch fixes this issue by changing functionProtoFuncToString() to create the
1480         String using StringView::toString() instead, which makes a copy of the underlying
1481         characters buffer.  This detaches the resultant JSString from the SourceProvider
1482         characters buffer that it was created from, and ensures that the underlying
1483         characters buffer of the string will be alive for the entire lifetime of the
1484         JSString.
1485
1486         * runtime/FunctionPrototype.cpp:
1487         (JSC::functionProtoFuncToString):
1488
1489 2018-10-01  Keith Miller  <keith_miller@apple.com>
1490
1491         Create a RELEASE_AND_RETURN macro for ExceptionScopes
1492         https://bugs.webkit.org/show_bug.cgi?id=190163
1493
1494         Reviewed by Mark Lam.
1495
1496         The new RELEASE_AND_RETURN does all the work for cases
1497         where you want to return the result of some expression
1498         without explicitly checking for an exception. This is
1499         much like the existing RETURN_IF_EXCEPTION macro.
1500
1501         * dfg/DFGOperations.cpp:
1502         (JSC::DFG::newTypedArrayWithSize):
1503         * interpreter/Interpreter.cpp:
1504         (JSC::eval):
1505         * jit/JITOperations.cpp:
1506         (JSC::getByVal):
1507         * jsc.cpp:
1508         (functionDollarAgentReceiveBroadcast):
1509         * llint/LLIntSlowPaths.cpp:
1510         (JSC::LLInt::setUpCall):
1511         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1512         (JSC::LLInt::varargsSetup):
1513         * profiler/ProfilerDatabase.cpp:
1514         (JSC::Profiler::Database::toJSON const):
1515         * runtime/AbstractModuleRecord.cpp:
1516         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1517         * runtime/ArrayConstructor.cpp:
1518         (JSC::constructArrayWithSizeQuirk):
1519         * runtime/ArrayPrototype.cpp:
1520         (JSC::getProperty):
1521         (JSC::fastJoin):
1522         (JSC::arrayProtoFuncToString):
1523         (JSC::arrayProtoFuncToLocaleString):
1524         (JSC::arrayProtoFuncJoin):
1525         (JSC::arrayProtoFuncPop):
1526         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1527         * runtime/BigIntConstructor.cpp:
1528         (JSC::toBigInt):
1529         * runtime/CommonSlowPaths.h:
1530         (JSC::CommonSlowPaths::opInByVal):
1531         * runtime/ConstructData.cpp:
1532         (JSC::construct):
1533         * runtime/DateConstructor.cpp:
1534         (JSC::dateParse):
1535         * runtime/DatePrototype.cpp:
1536         (JSC::dateProtoFuncToPrimitiveSymbol):
1537         * runtime/DirectArguments.h:
1538         * runtime/ErrorConstructor.cpp:
1539         (JSC::Interpreter::constructWithErrorConstructor):
1540         * runtime/ErrorPrototype.cpp:
1541         (JSC::errorProtoFuncToString):
1542         * runtime/ExceptionScope.h:
1543         * runtime/FunctionConstructor.cpp:
1544         (JSC::constructFunction):
1545         * runtime/FunctionPrototype.cpp:
1546         (JSC::functionProtoFuncToString):
1547         * runtime/GenericArgumentsInlines.h:
1548         (JSC::GenericArguments<Type>::defineOwnProperty):
1549         * runtime/GetterSetter.cpp:
1550         (JSC::callGetter):
1551         * runtime/IntlCollatorConstructor.cpp:
1552         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1553         * runtime/IntlCollatorPrototype.cpp:
1554         (JSC::IntlCollatorFuncCompare):
1555         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1556         * runtime/IntlDateTimeFormatConstructor.cpp:
1557         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1558         * runtime/IntlDateTimeFormatPrototype.cpp:
1559         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1560         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
1561         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1562         * runtime/IntlNumberFormatConstructor.cpp:
1563         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1564         * runtime/IntlNumberFormatPrototype.cpp:
1565         (JSC::IntlNumberFormatFuncFormatNumber):
1566         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
1567         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1568         * runtime/IntlObject.cpp:
1569         (JSC::intlNumberOption):
1570         * runtime/IntlObjectInlines.h:
1571         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1572         * runtime/IntlPluralRules.cpp:
1573         (JSC::IntlPluralRules::resolvedOptions):
1574         * runtime/IntlPluralRulesConstructor.cpp:
1575         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
1576         * runtime/IntlPluralRulesPrototype.cpp:
1577         (JSC::IntlPluralRulesPrototypeFuncSelect):
1578         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
1579         * runtime/JSArray.cpp:
1580         (JSC::JSArray::defineOwnProperty):
1581         (JSC::JSArray::put):
1582         (JSC::JSArray::setLength):
1583         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1584         * runtime/JSArrayBufferPrototype.cpp:
1585         (JSC::arrayBufferProtoGetterFuncByteLength):
1586         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
1587         * runtime/JSArrayInlines.h:
1588         (JSC::toLength):
1589         * runtime/JSBoundFunction.cpp:
1590         (JSC::boundFunctionCall):
1591         (JSC::boundFunctionConstruct):
1592         * runtime/JSCJSValue.cpp:
1593         (JSC::JSValue::putToPrimitive):
1594         * runtime/JSCJSValueInlines.h:
1595         (JSC::JSValue::toIndex const):
1596         (JSC::JSValue::toPropertyKey const):
1597         (JSC::JSValue::get const):
1598         (JSC::JSValue::getPropertySlot const):
1599         (JSC::JSValue::getOwnPropertySlot const):
1600         (JSC::JSValue::equalSlowCaseInline):
1601         * runtime/JSDataView.cpp:
1602         (JSC::JSDataView::put):
1603         (JSC::JSDataView::defineOwnProperty):
1604         * runtime/JSFunction.cpp:
1605         (JSC::JSFunction::put):
1606         (JSC::JSFunction::defineOwnProperty):
1607         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1608         (JSC::constructGenericTypedArrayViewWithArguments):
1609         (JSC::constructGenericTypedArrayView):
1610         * runtime/JSGenericTypedArrayViewInlines.h:
1611         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1612         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1613         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1614         (JSC::speciesConstruct):
1615         (JSC::genericTypedArrayViewProtoFuncJoin):
1616         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1617         * runtime/JSGlobalObject.cpp:
1618         (JSC::JSGlobalObject::put):
1619         * runtime/JSGlobalObjectFunctions.cpp:
1620         (JSC::decode):
1621         (JSC::globalFuncEval):
1622         (JSC::globalFuncProtoGetter):
1623         * runtime/JSInternalPromise.cpp:
1624         (JSC::JSInternalPromise::then):
1625         * runtime/JSModuleEnvironment.cpp:
1626         (JSC::JSModuleEnvironment::put):
1627         * runtime/JSModuleLoader.cpp:
1628         (JSC::JSModuleLoader::provideFetch):
1629         (JSC::JSModuleLoader::loadAndEvaluateModule):
1630         (JSC::JSModuleLoader::loadModule):
1631         (JSC::JSModuleLoader::linkAndEvaluateModule):
1632         (JSC::JSModuleLoader::requestImportModule):
1633         (JSC::JSModuleLoader::getModuleNamespaceObject):
1634         (JSC::moduleLoaderRequestedModules):
1635         * runtime/JSONObject.cpp:
1636         (JSC::Stringifier::stringify):
1637         (JSC::Stringifier::toJSON):
1638         (JSC::Walker::walk):
1639         (JSC::JSONProtoFuncStringify):
1640         * runtime/JSObject.cpp:
1641         (JSC::ordinarySetSlow):
1642         (JSC::JSObject::putInlineSlow):
1643         (JSC::JSObject::toPrimitive const):
1644         (JSC::JSObject::hasInstance):
1645         (JSC::JSObject::toNumber const):
1646         (JSC::JSObject::defineOwnIndexedProperty):
1647         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1648         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1649         (JSC::JSObject::defineOwnNonIndexProperty):
1650         * runtime/JSObject.h:
1651         (JSC::JSObject::get const):
1652         * runtime/JSObjectInlines.h:
1653         (JSC::JSObject::getPropertySlot const):
1654         (JSC::JSObject::putInlineForJSObject):
1655         * runtime/MapConstructor.cpp:
1656         (JSC::constructMap):
1657         * runtime/NativeErrorConstructor.cpp:
1658         (JSC::Interpreter::constructWithNativeErrorConstructor):
1659         * runtime/ObjectConstructor.cpp:
1660         (JSC::constructObject):
1661         (JSC::objectConstructorGetPrototypeOf):
1662         (JSC::objectConstructorGetOwnPropertyDescriptor):
1663         (JSC::objectConstructorGetOwnPropertyDescriptors):
1664         (JSC::objectConstructorGetOwnPropertyNames):
1665         (JSC::objectConstructorGetOwnPropertySymbols):
1666         (JSC::objectConstructorKeys):
1667         (JSC::objectConstructorDefineProperty):
1668         (JSC::objectConstructorDefineProperties):
1669         (JSC::objectConstructorCreate):
1670         * runtime/ObjectPrototype.cpp:
1671         (JSC::objectProtoFuncToLocaleString):
1672         (JSC::objectProtoFuncToString):
1673         * runtime/Operations.cpp:
1674         (JSC::jsAddSlowCase):
1675         * runtime/Operations.h:
1676         (JSC::jsString):
1677         (JSC::jsLess):
1678         (JSC::jsLessEq):
1679         * runtime/ParseInt.h:
1680         (JSC::toStringView):
1681         * runtime/ProxyConstructor.cpp:
1682         (JSC::constructProxyObject):
1683         * runtime/ProxyObject.cpp:
1684         (JSC::ProxyObject::toStringName):
1685         (JSC::performProxyGet):
1686         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1687         (JSC::ProxyObject::performHasProperty):
1688         (JSC::ProxyObject::getOwnPropertySlotCommon):
1689         (JSC::ProxyObject::performPut):
1690         (JSC::ProxyObject::putByIndexCommon):
1691         (JSC::performProxyCall):
1692         (JSC::performProxyConstruct):
1693         (JSC::ProxyObject::performDelete):
1694         (JSC::ProxyObject::performPreventExtensions):
1695         (JSC::ProxyObject::performIsExtensible):
1696         (JSC::ProxyObject::performDefineOwnProperty):
1697         (JSC::ProxyObject::performSetPrototype):
1698         (JSC::ProxyObject::performGetPrototype):
1699         * runtime/ReflectObject.cpp:
1700         (JSC::reflectObjectConstruct):
1701         (JSC::reflectObjectDefineProperty):
1702         (JSC::reflectObjectGet):
1703         (JSC::reflectObjectGetOwnPropertyDescriptor):
1704         (JSC::reflectObjectGetPrototypeOf):
1705         (JSC::reflectObjectOwnKeys):
1706         (JSC::reflectObjectSet):
1707         * runtime/RegExpConstructor.cpp:
1708         (JSC::constructRegExp):
1709         * runtime/RegExpObject.cpp:
1710         (JSC::RegExpObject::defineOwnProperty):
1711         (JSC::RegExpObject::matchGlobal):
1712         * runtime/RegExpPrototype.cpp:
1713         (JSC::regExpProtoFuncTestFast):
1714         (JSC::regExpProtoFuncExec):
1715         (JSC::regExpProtoFuncToString):
1716         * runtime/ScriptExecutable.cpp:
1717         (JSC::ScriptExecutable::newCodeBlockFor):
1718         * runtime/SetConstructor.cpp:
1719         (JSC::constructSet):
1720         * runtime/SparseArrayValueMap.cpp:
1721         (JSC::SparseArrayValueMap::putEntry):
1722         (JSC::SparseArrayEntry::put):
1723         * runtime/StringConstructor.cpp:
1724         (JSC::stringFromCharCode):
1725         (JSC::stringFromCodePoint):
1726         * runtime/StringObject.cpp:
1727         (JSC::StringObject::put):
1728         (JSC::StringObject::putByIndex):
1729         (JSC::StringObject::defineOwnProperty):
1730         * runtime/StringPrototype.cpp:
1731         (JSC::jsSpliceSubstrings):
1732         (JSC::jsSpliceSubstringsWithSeparators):
1733         (JSC::removeUsingRegExpSearch):
1734         (JSC::replaceUsingRegExpSearch):
1735         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1736         (JSC::replaceUsingStringSearch):
1737         (JSC::repeatCharacter):
1738         (JSC::replace):
1739         (JSC::stringProtoFuncReplaceUsingRegExp):
1740         (JSC::stringProtoFuncReplaceUsingStringSearch):
1741         (JSC::stringProtoFuncSplitFast):
1742         (JSC::stringProtoFuncToLowerCase):
1743         (JSC::stringProtoFuncToUpperCase):
1744         (JSC::toLocaleCase):
1745         (JSC::trimString):
1746         (JSC::stringProtoFuncIncludes):
1747         (JSC::builtinStringIncludesInternal):
1748         (JSC::normalize):
1749         (JSC::stringProtoFuncNormalize):
1750         * runtime/SymbolPrototype.cpp:
1751         (JSC::symbolProtoFuncToString):
1752         (JSC::symbolProtoFuncValueOf):
1753         * tools/JSDollarVM.cpp:
1754         (WTF::functionWasmStreamingParserAddBytes):
1755         (JSC::functionGetPrivateProperty):
1756         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1757         (JSC::constructJSWebAssemblyCompileError):
1758         * wasm/js/WebAssemblyModuleConstructor.cpp:
1759         (JSC::constructJSWebAssemblyModule):
1760         (JSC::WebAssemblyModuleConstructor::createModule):
1761         * wasm/js/WebAssemblyTableConstructor.cpp:
1762         (JSC::constructJSWebAssemblyTable):
1763         * wasm/js/WebAssemblyWrapperFunction.cpp:
1764         (JSC::callWebAssemblyWrapperFunction):
1765
1766 2018-10-01  Koby Boyango  <koby.b@mce-sys.com>
1767
1768         [JSC] Add a JSONStringify overload that receives a JSValue space
1769         https://bugs.webkit.org/show_bug.cgi?id=190131
1770
1771         Reviewed by Yusuke Suzuki.
1772
1773         * runtime/JSONObject.cpp:
1774         * runtime/JSONObject.h:
1775
1776 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1777
1778         Unreviewed, rolling out r236647.
1779         https://bugs.webkit.org/show_bug.cgi?id=190124
1780
1781         Breaking test stress/big-int-to-string.js (Requested by
1782         caiolima_ on #webkit).
1783
1784         Reverted changeset:
1785
1786         "[BigInt] BigInt.prototype.toString is broken when radix is
1787         power of 2"
1788         https://bugs.webkit.org/show_bug.cgi?id=190033
1789         https://trac.webkit.org/changeset/236647
1790
1791 2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1792
1793         [WebAssembly] Move type conversion code of JSToWasm return type to JS wasm wrapper
1794         https://bugs.webkit.org/show_bug.cgi?id=189498
1795
1796         Reviewed by Saam Barati.
1797
1798         To call JS-to-Wasm code we need to convert the result value from the wasm function to
1799         the JS type. Previously this was done by callWebAssemblyFunction using a switch
1800         over signature.returnType(). But since we know the value of `signature.returnType()`
1801         at compile time, we can emit a small conversion code directly into the JSToWasm glue
1802         and remove this switch from callWebAssemblyFunction.
1803
1804         In JSToWasm glue code, we do not have tag registers. So we use DoNotHaveTagRegisters
1805         in boxInt32 and boxDouble. Since boxDouble does not have DoNotHaveTagRegisters version,
1806         we add an implementation for that.
1807
1808         * jit/AssemblyHelpers.h:
1809         (JSC::AssemblyHelpers::boxDouble):
1810         * wasm/js/JSToWasm.cpp:
1811         (JSC::Wasm::createJSToWasmWrapper):
1812         * wasm/js/WebAssemblyFunction.cpp:
1813         (JSC::callWebAssemblyFunction):
1814
1815 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1816
1817         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1818         https://bugs.webkit.org/show_bug.cgi?id=190033
1819
1820         Reviewed by Yusuke Suzuki.
1821
1822         The implementation of JSBigInt::toStringToGeneric doesn't handle a power
1823         of 2 radix when the JSBigInt length is >= 2. To handle such cases, we
1824         implemented JSBigInt::toStringBasePowerOfTwo, which follows the
1825         algorithm that groups bits using a mask of (2 ^ n) - 1 to extract every
1826         digit.
1827
1828         * runtime/JSBigInt.cpp:
1829         (JSC::JSBigInt::toString):
1830         (JSC::JSBigInt::toStringBasePowerOfTwo):
1831         * runtime/JSBigInt.h:
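
Added illustration of the bit-grouping algorithm described in the two entries for bug 190033 above (2018-10-02 and 2018-09-30); this is not JSC's code. It models a BigInt magnitude as a little-endian vector of 32-bit digits (the Magnitude type, kDigitBits and the sample values are constructed for this illustration), keeps the generic repeated-division path as the reference answer, and adds a power-of-two path that extracts each output character with the mask (2^n) - 1 while carrying leftover bits across digit boundaries, which is exactly the length >= 2 case the generic path mishandled.

```cpp
#include <algorithm>
#include <cassert>
#include <cstdint>
#include <string>
#include <vector>

// Constructed toy model of a BigInt magnitude: little-endian 32-bit digits,
// digits[0] is the least significant. Not JSC's JSBigInt layout or code.
using Digit = uint32_t;
using Magnitude = std::vector<Digit>;

static const char kDigitChars[] = "0123456789abcdefghijklmnopqrstuvwxyz";
static const unsigned kDigitBits = 32;

static bool isPowerOfTwo(unsigned radix)
{
    return radix >= 2 && (radix & (radix - 1)) == 0;
}

// Generic path: repeated short division of the whole magnitude by the radix.
// Works for any radix 2..36 and serves as the reference for the fast path.
std::string toStringGeneric(Magnitude digits, unsigned radix)
{
    assert(radix >= 2 && radix <= 36);
    std::string out; // least significant character first
    for (;;) {
        while (!digits.empty() && digits.back() == 0)
            digits.pop_back();
        if (digits.empty())
            break;
        uint64_t remainder = 0;
        for (size_t i = digits.size(); i-- > 0;) {
            uint64_t current = (remainder << kDigitBits) | digits[i];
            digits[i] = static_cast<Digit>(current / radix);
            remainder = current % radix;
        }
        out.push_back(kDigitChars[remainder]);
    }
    if (out.empty())
        out = "0";
    std::reverse(out.begin(), out.end());
    return out;
}

// Power-of-two path: every output character is exactly log2(radix) bits, so
// the digits are walked from the least significant end and each group is
// extracted with the mask (2^n) - 1. The accumulator carries the bits left
// over when a group straddles two 32-bit digits (the length >= 2 case).
std::string toStringBasePowerOfTwo(const Magnitude& digits, unsigned radix)
{
    assert(isPowerOfTwo(radix) && radix <= 32);
    unsigned bitsPerChar = 0;
    while ((1u << bitsPerChar) < radix)
        ++bitsPerChar;
    const uint64_t mask = radix - 1;

    std::string out;   // least significant character first
    uint64_t acc = 0;  // pending bits: fewer than bitsPerChar plus one digit
    unsigned accBits = 0;
    for (Digit d : digits) {
        acc |= static_cast<uint64_t>(d) << accBits;
        accBits += kDigitBits;
        while (accBits >= bitsPerChar) {
            out.push_back(kDigitChars[acc & mask]);
            acc >>= bitsPerChar;
            accBits -= bitsPerChar;
        }
    }
    if (accBits) // partial group at the top of the most significant digit
        out.push_back(kDigitChars[acc & mask]);
    while (out.size() > 1 && out.back() == '0') // drop leading zeros
        out.pop_back();
    if (out.empty())
        out = "0";
    std::reverse(out.begin(), out.end());
    return out;
}

// Dispatcher shaped like the entry describes: fast path for a power-of-two
// radix, generic division otherwise.
std::string bigIntToString(const Magnitude& digits, unsigned radix)
{
    if (isPowerOfTwo(radix))
        return toStringBasePowerOfTwo(digits, radix);
    return toStringGeneric(digits, radix);
}

// Both paths must agree on every power-of-two radix for the same magnitude.
bool powerOfTwoPathAgreesWithGeneric(const Magnitude& digits)
{
    for (unsigned radix = 2; radix <= 32; radix *= 2) {
        if (toStringBasePowerOfTwo(digits, radix) != toStringGeneric(digits, radix))
            return false;
    }
    return true;
}

int main()
{
    // Constructed sample: 0x0123456789ABCDEF split into two 32-bit digits.
    Magnitude twoDigits = { 0x89ABCDEFu, 0x01234567u };
    assert(bigIntToString(twoDigits, 16) == "123456789abcdef");
    assert(bigIntToString(twoDigits, 8) == "4432126361152746757");
    assert(powerOfTwoPathAgreesWithGeneric(twoDigits));
    return 0;
}
```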
1832
1833 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1834
1835         [ESNext][BigInt] Implement support for "&"
1836         https://bugs.webkit.org/show_bug.cgi?id=186228
1837
1838         Reviewed by Yusuke Suzuki.
1839
1840         This patch introduces support for BigInt in the bitwise "&" operation.
1841         We are also introducing the ValueBitAnd DFG node, which is responsible
1842         for handling the JIT for non-Int32 operands. With the introduction of this
1843         new node, we renamed the BitAnd node to ArithBitAnd. The ArithBitAnd
1844         follows the behavior of ArithAdd and other arithmetic nodes, where
1845         the Arith<op> version always results in Number (in the case of
1846         ArithBitAnd, it is always an Int32).
1847
1848         * bytecode/CodeBlock.cpp:
1849         (JSC::CodeBlock::finishCreation):
1850         * bytecompiler/BytecodeGenerator.cpp:
1851         (JSC::BytecodeGenerator::emitBinaryOp):
1852         * dfg/DFGAbstractInterpreterInlines.h:
1853         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1854         * dfg/DFGBackwardsPropagationPhase.cpp:
1855         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
1856         (JSC::DFG::BackwardsPropagationPhase::propagate):
1857         * dfg/DFGByteCodeParser.cpp:
1858         (JSC::DFG::ByteCodeParser::parseBlock):
1859         * dfg/DFGClobberize.h:
1860         (JSC::DFG::clobberize):
1861         * dfg/DFGDoesGC.cpp:
1862         (JSC::DFG::doesGC):
1863         * dfg/DFGFixupPhase.cpp:
1864         (JSC::DFG::FixupPhase::fixupNode):
1865         * dfg/DFGNodeType.h:
1866         * dfg/DFGOperations.cpp:
1867         * dfg/DFGOperations.h:
1868         * dfg/DFGPredictionPropagationPhase.cpp:
1869         * dfg/DFGSafeToExecute.h:
1870         (JSC::DFG::safeToExecute):
1871         * dfg/DFGSpeculativeJIT.cpp:
1872         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
1873         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
1874         * dfg/DFGSpeculativeJIT.h:
1875         (JSC::DFG::SpeculativeJIT::bitOp):
1876         * dfg/DFGSpeculativeJIT32_64.cpp:
1877         (JSC::DFG::SpeculativeJIT::compile):
1878         * dfg/DFGSpeculativeJIT64.cpp:
1879         (JSC::DFG::SpeculativeJIT::compile):
1880         * dfg/DFGStrengthReductionPhase.cpp:
1881         (JSC::DFG::StrengthReductionPhase::handleNode):
1882         * ftl/FTLCapabilities.cpp:
1883         (JSC::FTL::canCompile):
1884         * ftl/FTLLowerDFGToB3.cpp:
1885         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1886         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
1887         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitAnd):
1888         (JSC::FTL::DFG::LowerDFGToB3::compileBitAnd): Deleted.
1889         * jit/JIT.h:
1890         * jit/JITArithmetic.cpp:
1891         (JSC::JIT::emitBitBinaryOpFastPath):
1892         (JSC::JIT::emit_op_bitand):
1893         * llint/LowLevelInterpreter32_64.asm:
1894         * llint/LowLevelInterpreter64.asm:
1895         * runtime/CommonSlowPaths.cpp:
1896         (JSC::SLOW_PATH_DECL):
1897         * runtime/JSBigInt.cpp:
1898         (JSC::JSBigInt::JSBigInt):
1899         (JSC::JSBigInt::initialize):
1900         (JSC::JSBigInt::createZero):
1901         (JSC::JSBigInt::createFrom):
1902         (JSC::JSBigInt::bitwiseAnd):
1903         (JSC::JSBigInt::absoluteBitwiseOp):
1904         (JSC::JSBigInt::absoluteAnd):
1905         (JSC::JSBigInt::absoluteOr):
1906         (JSC::JSBigInt::absoluteAndNot):
1907         (JSC::JSBigInt::absoluteAddOne):
1908         (JSC::JSBigInt::absoluteSubOne):
1909         * runtime/JSBigInt.h:
1910         * runtime/JSCJSValue.h:
1911         * runtime/JSCJSValueInlines.h:
1912         (JSC::JSValue::toBigIntOrInt32 const):
1913
1914 2018-09-28  Mark Lam  <mark.lam@apple.com>
1915
1916         Gardening: speculative build fix.
1917         <rdar://problem/44869924>
1918
1919         Not reviewed.
1920
1921         * assembler/LinkBuffer.cpp:
1922         (JSC::LinkBuffer::copyCompactAndLinkCode):
1923
1924 2018-09-28  Guillaume Emont  <guijemont@igalia.com>
1925
1926         [JSC] [Armv7] Add a copy function argument to MacroAssemblerARMv7::link() and pass it down to the assembler's linking functions.
1927         https://bugs.webkit.org/show_bug.cgi?id=190080
1928
1929         Reviewed by Mark Lam.
1930
1931         * assembler/ARMv7Assembler.h:
1932         (JSC::ARMv7Assembler::link):
1933         (JSC::ARMv7Assembler::linkJumpT1):
1934         (JSC::ARMv7Assembler::linkJumpT2):
1935         (JSC::ARMv7Assembler::linkJumpT3):
1936         (JSC::ARMv7Assembler::linkJumpT4):
1937         (JSC::ARMv7Assembler::linkConditionalJumpT4):
1938         (JSC::ARMv7Assembler::linkBX):
1939         (JSC::ARMv7Assembler::linkConditionalBX):
1940         * assembler/MacroAssemblerARMv7.h:
1941         (JSC::MacroAssemblerARMv7::link):
1942
1943 2018-09-27  Saam barati  <sbarati@apple.com>
1944
1945         Verify the contents of AssemblerBuffer on arm64e
1946         https://bugs.webkit.org/show_bug.cgi?id=190057
1947         <rdar://problem/38916630>
1948
1949         Reviewed by Mark Lam.
1950
1951         * assembler/ARM64Assembler.h:
1952         (JSC::ARM64Assembler::ARM64Assembler):
1953         (JSC::ARM64Assembler::fillNops):
1954         (JSC::ARM64Assembler::link):
1955         (JSC::ARM64Assembler::linkJumpOrCall):
1956         (JSC::ARM64Assembler::linkCompareAndBranch):
1957         (JSC::ARM64Assembler::linkConditionalBranch):
1958         (JSC::ARM64Assembler::linkTestAndBranch):
1959         (JSC::ARM64Assembler::unlinkedCode): Deleted.
1960         * assembler/ARMAssembler.h:
1961         (JSC::ARMAssembler::fillNops):
1962         * assembler/ARMv7Assembler.h:
1963         (JSC::ARMv7Assembler::unlinkedCode): Deleted.
1964         * assembler/AbstractMacroAssembler.h:
1965         (JSC::AbstractMacroAssembler::emitNops):
1966         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
1967         * assembler/AssemblerBuffer.h:
1968         (JSC::ARM64EHash::ARM64EHash):
1969         (JSC::ARM64EHash::update):
1970         (JSC::ARM64EHash::hash const):
1971         (JSC::ARM64EHash::randomSeed const):
1972         (JSC::AssemblerBuffer::AssemblerBuffer):
1973         (JSC::AssemblerBuffer::putShort):
1974         (JSC::AssemblerBuffer::putIntUnchecked):
1975         (JSC::AssemblerBuffer::putInt):
1976         (JSC::AssemblerBuffer::hash const):
1977         (JSC::AssemblerBuffer::data const):
1978         (JSC::AssemblerBuffer::putIntegralUnchecked):
1979         (JSC::AssemblerBuffer::append): Deleted.
1980         * assembler/LinkBuffer.cpp:
1981         (JSC::LinkBuffer::copyCompactAndLinkCode):
1982         * assembler/MIPSAssembler.h:
1983         (JSC::MIPSAssembler::fillNops):
1984         * assembler/MacroAssemblerARM64.h:
1985         (JSC::MacroAssemblerARM64::jumpsToLink):
1986         (JSC::MacroAssemblerARM64::link):
1987         (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
1988         * assembler/MacroAssemblerARMv7.h:
1989         (JSC::MacroAssemblerARMv7::jumpsToLink):
1990         (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
1991         * assembler/X86Assembler.h:
1992         (JSC::X86Assembler::fillNops):
1993
1994 2018-09-27  Mark Lam  <mark.lam@apple.com>
1995
1996         ByValInfo should not use integer offsets.
1997         https://bugs.webkit.org/show_bug.cgi?id=190070
1998         <rdar://problem/44803430>
1999
2000         Reviewed by Saam Barati.
2001
2002         Also moved some fields around to allow the ByValInfo struct to be more densely packed.
2003
2004         * bytecode/ByValInfo.h:
2005         (JSC::ByValInfo::ByValInfo):
2006         * jit/JIT.cpp:
2007         (JSC::JIT::link):
2008         * jit/JITOpcodes.cpp:
2009         (JSC::JIT::privateCompileHasIndexedProperty):
2010         * jit/JITOpcodes32_64.cpp:
2011         (JSC::JIT::privateCompileHasIndexedProperty):
2012         * jit/JITPropertyAccess.cpp:
2013         (JSC::JIT::privateCompileGetByVal):
2014         (JSC::JIT::privateCompileGetByValWithCachedId):
2015         (JSC::JIT::privateCompilePutByVal):
2016         (JSC::JIT::privateCompilePutByValWithCachedId):
2017
2018 2018-09-27  Saam barati  <sbarati@apple.com>
2019
2020         DFG::OSRExit::m_patchableCodeOffset should not be an int
2021         https://bugs.webkit.org/show_bug.cgi?id=190066
2022         <rdar://problem/39498244>
2023
2024         Reviewed by Mark Lam.
2025
2026         * dfg/DFGJITCompiler.cpp:
2027         (JSC::DFG::JITCompiler::linkOSRExits):
2028         (JSC::DFG::JITCompiler::link):
2029         * dfg/DFGOSRExit.cpp:
2030         (JSC::DFG::OSRExit::codeLocationForRepatch const):
2031         (JSC::DFG::OSRExit::compileOSRExit):
2032         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
2033         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
2034         (JSC::DFG::OSRExit::correctJump): Deleted.
2035         * dfg/DFGOSRExit.h:
2036         * dfg/DFGOSRExitCompilationInfo.h:
2037
2038 2018-09-27  Saam barati  <sbarati@apple.com>
2039
2040         Don't use int offsets in StructureStubInfo
2041         https://bugs.webkit.org/show_bug.cgi?id=190064
2042         <rdar://problem/44784719>
2043
2044         Reviewed by Mark Lam.
2045
2046         * bytecode/InlineAccess.cpp:
2047         (JSC::linkCodeInline):
2048         * bytecode/StructureStubInfo.h:
2049         (JSC::StructureStubInfo::slowPathCallLocation):
2050         (JSC::StructureStubInfo::doneLocation):
2051         (JSC::StructureStubInfo::slowPathStartLocation):
2052         * jit/JITInlineCacheGenerator.cpp:
2053         (JSC::JITInlineCacheGenerator::finalize):
2054
2055 2018-09-27  Mark Lam  <mark.lam@apple.com>
2056
2057         DFG::OSREntry::m_machineCodeOffset should be a CodeLocation.
2058         https://bugs.webkit.org/show_bug.cgi?id=190054
2059         <rdar://problem/44803543>
2060
2061         Reviewed by Saam Barati.
2062
2063         * dfg/DFGJITCode.h:
2064         (JSC::DFG::JITCode::appendOSREntryData):
2065         * dfg/DFGJITCompiler.cpp:
2066         (JSC::DFG::JITCompiler::noticeOSREntry):
2067         * dfg/DFGOSREntry.cpp:
2068         (JSC::DFG::OSREntryData::dumpInContext const):
2069         (JSC::DFG::prepareOSREntry):
2070         * dfg/DFGOSREntry.h:
2071         * runtime/JSCPtrTag.h:
2072
2073 2018-09-27  Mark Lam  <mark.lam@apple.com>
2074
2075         JITMathIC should not use integer offsets into machine code.
2076         https://bugs.webkit.org/show_bug.cgi?id=190030
2077         <rdar://problem/44803307>
2078
2079         Reviewed by Saam Barati.
2080
2081         We'll replace them with CodeLocation smart pointers instead.
2082
2083         * jit/JITMathIC.h:
2084         (JSC::isProfileEmpty):
2085
2086 2018-09-26  Mark Lam  <mark.lam@apple.com>
2087
2088         Options::useSeparatedWXHeap() should always be false when ENABLE(FAST_JIT_PERMISSIONS) && CPU(ARM64E).
2089         https://bugs.webkit.org/show_bug.cgi?id=190022
2090         <rdar://problem/44800928>
2091
2092         Reviewed by Saam Barati.
2093
2094         * jit/ExecutableAllocator.cpp:
2095         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2096         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2097         * jit/ExecutableAllocator.h:
2098         (JSC::performJITMemcpy):
2099         * runtime/Options.cpp:
2100         (JSC::recomputeDependentOptions):
2101
2102 2018-09-26  Mark Lam  <mark.lam@apple.com>
2103
2104         Assert that performJITMemcpy() is always called with instruction size aligned addresses on ARM64.
2105         https://bugs.webkit.org/show_bug.cgi?id=190016
2106         <rdar://problem/44802875>
2107
2108         Reviewed by Saam Barati.
2109
2110         Also assert in performJITMemcpy() that the entire buffer to be copied will fit in
2111         JIT memory.
2112
2113         * assembler/ARM64Assembler.h:
2114         (JSC::ARM64Assembler::fillNops):
2115         (JSC::ARM64Assembler::replaceWithVMHalt):
2116         (JSC::ARM64Assembler::replaceWithJump):
2117         (JSC::ARM64Assembler::replaceWithLoad):
2118         (JSC::ARM64Assembler::replaceWithAddressComputation):
2119         (JSC::ARM64Assembler::setPointer):
2120         (JSC::ARM64Assembler::repatchInt32):
2121         (JSC::ARM64Assembler::repatchCompact):
2122         (JSC::ARM64Assembler::linkJumpOrCall):
2123         (JSC::ARM64Assembler::linkCompareAndBranch):
2124         (JSC::ARM64Assembler::linkConditionalBranch):
2125         (JSC::ARM64Assembler::linkTestAndBranch):
2126         * assembler/LinkBuffer.cpp:
2127         (JSC::LinkBuffer::copyCompactAndLinkCode):
2128         (JSC::LinkBuffer::linkCode):
2129         * jit/ExecutableAllocator.h:
2130         (JSC::performJITMemcpy):
2131
2132 2018-09-25  Keith Miller  <keith_miller@apple.com>
2133
2134         Move Symbol API to SPI
2135         https://bugs.webkit.org/show_bug.cgi?id=189946
2136
2137         Reviewed by Michael Saboff.
2138
2139         Some of the property access methods on JSValue needed to be moved
2140         to a category so that SPI overloads don't result in a compiler
2141         error for internal users.
2142
2143         Additionally, this patch does not move the new enum entry for
2144         Symbols in the JSType enumeration.
2145
2146         * API/JSObjectRef.h:
2147         * API/JSObjectRefPrivate.h:
2148         * API/JSValue.h:
2149         * API/JSValuePrivate.h:
2150         * API/JSValueRef.h:
2151
2152 2018-09-26  Keith Miller  <keith_miller@apple.com>
2153
2154         We should zero unused property storage when rebalancing array storage.
2155         https://bugs.webkit.org/show_bug.cgi?id=188151
2156
2157         Reviewed by Michael Saboff.
2158
2159         In unshiftCountSlowCase we sometimes will move property storage to the right even when net adding elements.
2160         This can happen because we "balance" the pre/post-capacity in that code so we need to zero the unused
2161         property storage.
2162
2163         * runtime/JSArray.cpp:
2164         (JSC::JSArray::unshiftCountSlowCase):
2165
2166 2018-09-26  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2167
2168         Unreviewed, add scope verification handling
2169         https://bugs.webkit.org/show_bug.cgi?id=189780
2170
2171         * runtime/ArrayPrototype.cpp:
2172         (JSC::arrayProtoFuncIndexOf):
2173         (JSC::arrayProtoFuncLastIndexOf):
2174
2175 2018-09-26  Koby Boyango  <koby.b@mce.systems>
2176
2177         [JSC] offlineasm parser should handle CRLF in asm files
2178         https://bugs.webkit.org/show_bug.cgi?id=189949
2179
2180         Reviewed by Mark Lam.
2181
2182         * offlineasm/parser.rb:
2183
2184 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2185
2186         [JSC] Optimize Array#lastIndexOf
2187         https://bugs.webkit.org/show_bug.cgi?id=189780
2188
2189         Reviewed by Saam Barati.
2190
2191         Optimize Array#lastIndexOf in the same way as Array#indexOf. We add a fast path
2192         for JSArray with contiguous storage.
2193
2194         * runtime/ArrayPrototype.cpp:
2195         (JSC::arrayProtoFuncLastIndexOf):
2196
2197 2018-09-25  Saam Barati  <sbarati@apple.com>
2198
2199         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2200         https://bugs.webkit.org/show_bug.cgi?id=189940
2201         <rdar://problem/43640987>
2202
2203         Reviewed by Mark Lam.
2204
2205         We were calling baselineCodeBlockForOriginAndBaselineCodeBlock with the FTL
2206         CodeBlock. There is nothing semantically wrong with doing that (except for
2207         poor naming), however, the poor naming here led us to make a real semantic
2208         mistake. We wanted the baseline CodeBlock's constant pool, but we were
2209         accessing the FTL CodeBlock's constant pool accidentally. We need to
2210         access the baseline CodeBlock's constant pool when we update the NewArrayBuffer
2211         constant value.
2212
2213         * bytecode/InlineCallFrame.h:
2214         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
2215         * ftl/FTLOperations.cpp:
2216         (JSC::FTL::operationMaterializeObjectInOSR):
2217
2218 2018-09-25  Joseph Pecoraro  <pecoraro@apple.com>
2219
2220         Web Inspector: Stricter block syntax in generated ObjC protocol interfaces
2221         https://bugs.webkit.org/show_bug.cgi?id=189962
2222         <rdar://problem/44648287>
2223
2224         Reviewed by Brian Burg.
2225
2226         * inspector/scripts/codegen/generate_objc_header.py:
2227         (ObjCHeaderGenerator._callback_block_for_command):
2228         If there are no return parameters include "void" in the block signature.
2229
2230         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2231         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2232         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2233         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2234         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2235         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2236         Rebaseline test results.
2237
2238 2018-09-24  Joseph Pecoraro  <pecoraro@apple.com>
2239
2240         Remove AUTHORS and THANKS files which are stale
2241         https://bugs.webkit.org/show_bug.cgi?id=189941
2242
2243         Reviewed by Darin Adler.
2244
2245         Included mentions below so their names are still in ChangeLogs.
2246
2247         * AUTHORS: Removed.
2248         Harri Porten (porten@kde.org) and Peter Kelly (pmk@post.com).
2249         These authors remain mentioned in copyrights in source files.
2250
2251         * THANKS: Removed.
2252         Richard Moore <rich@kde.org> - for filling the Math object with some life
2253         Daegeun Lee <realking@mizi.com> - for pointing out some bugs and providing much code for the String and Date object.
2254         Marco Pinelli <pinmc@libero.it> - for his patches
2255         Christian Kirsch <ck@held.mind.de> - for his contribution to the Date object
2256         
2257 2018-09-24  Fujii Hironori  <Hironori.Fujii@sony.com>
2258
2259         Rename WTF_COMPILER_GCC_OR_CLANG to WTF_COMPILER_GCC_COMPATIBLE
2260         https://bugs.webkit.org/show_bug.cgi?id=189733
2261
2262         Reviewed by Michael Catanzaro.
2263
2264         * assembler/ARM64Assembler.h:
2265         * assembler/ARMAssembler.h:
2266         (JSC::ARMAssembler::cacheFlush):
2267         * assembler/MacroAssemblerARM.cpp:
2268         (JSC::isVFPPresent):
2269         * assembler/MacroAssemblerARM64.cpp:
2270         * assembler/MacroAssemblerARMv7.cpp:
2271         * assembler/MacroAssemblerMIPS.cpp:
2272         * assembler/MacroAssemblerX86Common.cpp:
2273         * heap/HeapCell.cpp:
2274         * heap/HeapCell.h:
2275         * jit/HostCallReturnValue.h:
2276         * jit/JIT.h:
2277         * jit/JITOperations.cpp:
2278         * jit/ThunkGenerators.cpp:
2279         * runtime/ArrayConventions.cpp:
2280         (JSC::clearArrayMemset):
2281         * runtime/JSBigInt.cpp:
2282         (JSC::JSBigInt::digitDiv):
2283
2284 2018-09-24  Saam Barati  <sbarati@apple.com>
2285
2286         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2287         https://bugs.webkit.org/show_bug.cgi?id=189922
2288         <rdar://problem/44651275>
2289
2290         Reviewed by Mark Lam.
2291
2292         The implementation was first getting the length to iterate up to,
2293         then getting the starting index. However, getting the starting
2294         index may perform effects, e.g., it could change the length of the
2295         array. This changes it so we verify the length is still valid.
2296
2297         * runtime/ArrayPrototype.cpp:
2298         (JSC::arrayProtoFuncIndexOf):
2299
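The hazard in the entry above (bug 189922), shown in JavaScript as an added example; this is not WebKit code and not the ArrayPrototype.cpp fix. Array.prototype.indexOf reads the length first and coerces fromIndex second, and ToIntegerOrInfinity(fromIndex) can run user code (valueOf) that changes the array's length. A fast path that keeps the stale length and walks contiguous storage would then read past the live elements. The reference specIndexOf follows the ECMAScript algorithm, guardedFastIndexOf shows the shape of the fix (re-validate the length after the effectful coercion and fall back to the generic path if it changed), and the two scenario functions, built on constructed arrays, run both alongside the engine's own indexOf. Every function name here is this example's own.

```javascript
// Added example, not WebKit code: models the length-after-effects hazard in
// Array.prototype.indexOf. All names here are this example's own.

// ToIntegerOrInfinity as the spec defines it. Number(value) is the effectful
// step: for an object it calls valueOf()/toString(), i.e. arbitrary user code.
function toIntegerOrInfinity(value) {
  const n = Number(value);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// Map the coerced fromIndex to the first index to scan, relative to the
// length captured before the coercion ran.
function startIndex(n, len) {
  if (n === Infinity) return len;     // nothing left to scan
  if (n === -Infinity) return 0;
  return n >= 0 ? n : Math.max(len + n, 0);
}

// Generic scan with the spec's HasProperty check: indices that disappeared
// while fromIndex was being coerced are skipped rather than read.
function genericScan(array, searchElement, k, len) {
  for (; k < len; k++) {
    if (k in array && array[k] === searchElement) return k;
  }
  return -1;
}

// Reference implementation following the ECMAScript steps in order.
function specIndexOf(array, searchElement, fromIndex) {
  const len = array.length;                                   // captured first
  if (len === 0) return -1;
  const k = startIndex(toIntegerOrInfinity(fromIndex), len);  // effects run here
  return genericScan(array, searchElement, k, len);
}

// Fast path in the shape the fix requires: take the tight loop over live
// storage only if the length is unchanged after the effectful coercion.
// Reports which path ran so the scenarios below can check it.
function guardedFastIndexOf(array, searchElement, fromIndex) {
  const len = array.length;
  if (len === 0) return { result: -1, fastPath: false };
  const k = startIndex(toIntegerOrInfinity(fromIndex), len);
  if (!Array.isArray(array) || array.length !== len) {
    // The coercion mutated the array, so the captured len is stale: fall
    // back to the generic path, which re-checks every index it touches.
    return { result: genericScan(array, searchElement, k, len), fastPath: false };
  }
  for (let i = k; i < len; i++) {
    if (array[i] === searchElement) return { result: i, fastPath: true };
  }
  return { result: -1, fastPath: true };
}

// Adapter so the engine's own indexOf can run through the same scenarios.
function builtinIndexOf(array, searchElement, fromIndex) {
  return array.indexOf(searchElement, fromIndex);
}

// Scenario 1 (constructed data): fromIndex.valueOf() truncates the array.
// The element searched for (5) lived at index 4, which no longer exists by
// the time scanning starts, so the correct answer is -1.
function shrinkDuringFromIndex(indexOfImpl) {
  const arr = [1, 2, 3, 4, 5];
  const fromIndex = { valueOf() { arr.length = 1; return 0; } };
  return indexOfImpl(arr, 5, fromIndex);
}

// Scenario 2 (constructed data): fromIndex.valueOf() appends the element.
// len was captured as 3 before the push, so index 3 is never scanned: -1.
function growDuringFromIndex(indexOfImpl) {
  const arr = [1, 2, 3];
  const fromIndex = { valueOf() { arr.push(9); return 0; } };
  return indexOfImpl(arr, 9, fromIndex);
}
```

In a managed language the stale length only produces a wrong answer; in the engine's C++ fast path, which indexes the butterfly directly, it is an out-of-bounds read of storage that may already have been shrunk or freed. The cheap guard is the one shown: compare the length after the coercion with the one captured before it, and take the generic, property-checking path whenever they differ.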
2300 2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>
2301
2302         offlineasm: fix macro scoping
2303         https://bugs.webkit.org/show_bug.cgi?id=189902
2304
2305         Reviewed by Mark Lam.
2306
2307         In the code below, the reference to `f` in `g`, which should refer to
2308         the outer macro definition, will instead refer to the f argument of the
2309         anonymous macro passed to `g`. That leads to this code failing to
2310         compile (f expected 0 args but got 1).
2311         
2312         ```
2313         macro f(x)
2314             move x, t0
2315         end
2316         
2317         macro g(fn)
2318             fn(macro () f(42) end)
2319         end
2320         
2321         g(macro(f) f() end)
2322         ```
2323
2324         * offlineasm/ast.rb:
2325         * offlineasm/transform.rb:
2326
2327 2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>
2328
2329         Add forEach method for iterating CodeBlock's ValueProfiles
2330         https://bugs.webkit.org/show_bug.cgi?id=189897
2331
2332         Reviewed by Mark Lam.
2333
2334         Add method to abstract how we find ValueProfiles in a CodeBlock in
2335         preparation for https://bugs.webkit.org/show_bug.cgi?id=189785, when
2336         ValueProfiles will be stored in the MetadataTable.
2337
2338         * bytecode/CodeBlock.cpp:
2339         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2340         (JSC::CodeBlock::updateAllValueProfilePredictions):
2341         (JSC::CodeBlock::shouldOptimizeNow):
2342         (JSC::CodeBlock::dumpValueProfiles):
2343         * bytecode/CodeBlock.h:
2344         (JSC::CodeBlock::forEachValueProfile):
2345         (JSC::CodeBlock::numberOfArgumentValueProfiles):
2346         (JSC::CodeBlock::valueProfileForArgument):
2347         (JSC::CodeBlock::numberOfValueProfiles):
2348         (JSC::CodeBlock::valueProfile):
2349         (JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
2350         (JSC::CodeBlock::getFromAllValueProfiles): Deleted.
2351         * tools/HeapVerifier.cpp:
2352         (JSC::HeapVerifier::validateJSCell):
2353
2354 2018-09-24  Saam barati  <sbarati@apple.com>
2355
2356         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2357         https://bugs.webkit.org/show_bug.cgi?id=189682
2358         <rdar://problem/43557315>
2359
2360         Reviewed by Mark Lam.
2361
2362         Otherwise, if we have code like this:
2363         ```
2364         a: Arguments
2365         b: GetButterfly(@a)
2366         c: ForceExit
2367         d: GetArrayLength(@a, @b)
2368         ```
2369         it will get transformed into this invalid DFG IR:
2370         ```
2371         a: PhantomArguments
2372         b: Check(@a)
2373         c: ForceExit
2374         d: GetArrayLength(@a, @b)
2375         ```
2376         
2377         And we will fail DFG validation since @b does not have a result.
2378         
2379         The fix is to just remove all nodes after the ForceExit and plant an
2380         Unreachable after it. So the above code program will now turn into this:
2381         ```
2382         a: PhantomArguments
2383         b: Check(@a)
2384         c: ForceExit
2385         e: Unreachable
2386         ```
2387
2388         * dfg/DFGArgumentsEliminationPhase.cpp:
2389
2390 2018-09-22  Saam barati  <sbarati@apple.com>
2391
2392         The sampling should not use Strong<CodeBlock> in its machineLocation field
2393         https://bugs.webkit.org/show_bug.cgi?id=189319
2394
2395         Reviewed by Filip Pizlo.
2396
2397         The sampling profiler has a CLI mode where we gather information about inline
2398         call frames. That data structure was using a Strong<CodeBlock>. We were
2399         constructing this Strong<CodeBlock> during GC concurrently to processing all
2400         the Strong handles. This is a bug since we end up corrupting that data
2401         structure. This patch fixes this by just making this data structure use the
2402         sampling profiler's mechanism for holding onto and properly visiting heap pointers.
2403
2404         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2405         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2406         * runtime/SamplingProfiler.cpp:
2407         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2408
2409         (JSC::SamplingProfiler::reportTopFunctions):
2410         (JSC::SamplingProfiler::reportTopBytecodes):
2411         These CLI helpers needed a DeferGC, otherwise we may end up deadlocking when we
2412         cause a GC to happen while already holding the sampling profiler's
2413         lock.
2414
2415 2018-09-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2416
2417         [JSC] Enable LLInt ASM interpreter on X64 and ARM64 in non JIT configuration
2418         https://bugs.webkit.org/show_bug.cgi?id=189778
2419
2420         Reviewed by Keith Miller.
2421
2422         The LLInt ASM interpreter is 2x and 15% faster than the CLoop interpreter on
2423         Linux and macOS respectively. We would like to enable it for non JIT
2424         configurations in X86_64 and ARM64.
2425
2426         This patch enables LLInt for non JIT builds in X86_64 and ARM64 architectures.
2427         Previously, we switched between the LLInt ASM interpreter and CLoop using the ENABLE(JIT)
2428         configuration. But that is wrong in the new scenario, since we have a build
2429         configuration that uses the LLInt ASM interpreter while JIT is disabled. We introduce
2430         the ENABLE(C_LOOP) option, which represents that we use CLoop, and we replace
2431         ENABLE(JIT) with ENABLE(C_LOOP) where the previous ENABLE(JIT) is essentially just
2432         related to the LLInt ASM interpreter and not related to JIT.
2433
2434         We also replace some ENABLE(JIT) configurations with ENABLE(ASSEMBLER).
2435         ENABLE(ASSEMBLER) is now enabled even if we disable JIT since MacroAssembler
2436         has machine register information that is used in LLInt ASM interpreter.
2437
2438         * API/tests/PingPongStackOverflowTest.cpp:
2439         (testPingPongStackOverflow):
2440         * CMakeLists.txt:
2441         * JavaScriptCore.xcodeproj/project.pbxproj:
2442         * assembler/MaxFrameExtentForSlowPathCall.h:
2443         * bytecode/CallReturnOffsetToBytecodeOffset.h: Removed. It is no longer used.
2444         * bytecode/CodeBlock.cpp:
2445         (JSC::CodeBlock::finishCreation):
2446         * bytecode/CodeBlock.h:
2447         (JSC::CodeBlock::calleeSaveRegisters const):
2448         (JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters):
2449         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
2450         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
2451         * bytecode/Opcode.h:
2452         (JSC::padOpcodeName):
2453         * heap/Heap.cpp:
2454         (JSC::Heap::gatherJSStackRoots):
2455         (JSC::Heap::stopThePeriphery):
2456         * interpreter/CLoopStack.cpp:
2457         * interpreter/CLoopStack.h:
2458         * interpreter/CLoopStackInlines.h:
2459         * interpreter/EntryFrame.h:
2460         * interpreter/Interpreter.cpp:
2461         (JSC::Interpreter::Interpreter):
2462         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2463         * interpreter/Interpreter.h:
2464         * interpreter/StackVisitor.cpp:
2465         (JSC::StackVisitor::Frame::calleeSaveRegisters):
2466         * interpreter/VMEntryRecord.h:
2467         * jit/ExecutableAllocator.h:
2468         * jit/FPRInfo.h:
2469         (WTF::printInternal):
2470         * jit/GPRInfo.cpp:
2471         * jit/GPRInfo.h:
2472         (WTF::printInternal):
2473         * jit/HostCallReturnValue.cpp:
2474         (JSC::getHostCallReturnValueWithExecState): Moved. They are used in LLInt ASM interpreter too.
2475         * jit/HostCallReturnValue.h:
2476         * jit/JITOperations.cpp:
2477         (JSC::getHostCallReturnValueWithExecState): Deleted.
2478         * jit/JITOperationsMSVC64.cpp:
2479         * jit/Reg.cpp:
2480         * jit/Reg.h:
2481         * jit/RegisterAtOffset.cpp:
2482         * jit/RegisterAtOffset.h:
2483         * jit/RegisterAtOffsetList.cpp:
2484         * jit/RegisterAtOffsetList.h:
2485         * jit/RegisterMap.h:
2486         * jit/RegisterSet.cpp:
2487         * jit/RegisterSet.h:
2488         * jit/TempRegisterSet.cpp:
2489         * jit/TempRegisterSet.h:
2490         * llint/LLIntCLoop.cpp:
2491         * llint/LLIntCLoop.h:
2492         * llint/LLIntData.cpp:
2493         (JSC::LLInt::initialize):
2494         (JSC::LLInt::Data::performAssertions):
2495         * llint/LLIntData.h:
2496         * llint/LLIntOfflineAsmConfig.h:
2497         * llint/LLIntOpcode.h:
2498         * llint/LLIntPCRanges.h:
2499         * llint/LLIntSlowPaths.cpp:
2500         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2501         * llint/LLIntSlowPaths.h:
2502         * llint/LLIntThunks.cpp:
2503         * llint/LowLevelInterpreter.cpp:
2504         * llint/LowLevelInterpreter.h:
2505         * runtime/JSCJSValue.h:
2506         * runtime/MachineContext.h:
2507         * runtime/SamplingProfiler.cpp:
2508         (JSC::SamplingProfiler::processUnverifiedStackTraces): Enable SamplingProfiler
2509         for LLInt ASM interpreter with non JIT configuration.
2510         * runtime/TestRunnerUtils.cpp:
2511         (JSC::optimizeNextInvocation):
2512         * runtime/VM.cpp:
2513         (JSC::VM::VM):
2514         (JSC::VM::getHostFunction):
2515         (JSC::VM::updateSoftReservedZoneSize):
2516         (JSC::sanitizeStackForVM):
2517         (JSC::VM::committedStackByteCount):
2518         * runtime/VM.h:
2519         * runtime/VMInlines.h:
2520         (JSC::VM::ensureStackCapacityFor):
2521         (JSC::VM::isSafeToRecurseSoft const):
2522
2523 2018-09-21  Keith Miller  <keith_miller@apple.com>
2524
2525         Add Promise SPI
2526         https://bugs.webkit.org/show_bug.cgi?id=189809
2527
2528         Reviewed by Saam Barati.
2529
2530         This patch adds new SPI to create promises. It's mostly SPI because
2531         I want to see how internal users react to it before we make it
2532         public.
2533
2534         This patch adds a couple of new Obj-C SPI methods. The first
2535         creates a new promise using the same API that JS does where the
2536         user provides an executor callback. If an exception is raised
2537         in/to that callback the promise is automagically rejected. The
2538         other methods create a pre-resolved or rejected promise as this
2539         appears to be a common way to initialize a promise.
2540
2541         I was also considering adding a second version of executor API
2542         where it would catch specific Obj-C exceptions. This would work by
2543         taking a Class parameter and checking isKindOfClass: on the
2544         exception. I decided against this as nothing else in our API
2545         handles Obj-C exceptions. I'm pretty sure the VM will end up in a
2546         corrupt state if an Obj-C exception unwinds through JS frames.
2547
2548         This patch adds a new C function that will create a "deferred"
2549         promise. A deferred promise is a style of creating promise/futures
2550         where the resolve and reject functions are passed as outputs of a
2551         function. I went with this style for the C SPI because we don't have
2552         any concept of forwarding exceptions in the C API.
2553
2554         In order to make the C API work I refactored a bit of the promise code
2555         so that we can call a static method on JSDeferredPromise and just get
2556         the components without allocating an extra cell wrapper.
2557
2558         * API/JSContext.mm:
2559         (+[JSContext currentCallee]):
2560         * API/JSObjectRef.cpp:
2561         (JSObjectMakeDeferredPromise):
2562         * API/JSObjectRefPrivate.h:
2563         * API/JSValue.mm:
2564         (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
2565         (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
2566         (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
2567         * API/JSValuePrivate.h: Added.
2568         * API/JSVirtualMachine.mm:
2569         * API/JSVirtualMachinePrivate.h:
2570         * API/tests/testapi.c:
2571         (main):
2572         * API/tests/testapi.cpp:
2573         (APIContext::operator JSC::ExecState*):
2574         (TestAPI::failed const):
2575         (TestAPI::check):
2576         (TestAPI::basicSymbol):
2577         (TestAPI::symbolsTypeof):
2578         (TestAPI::symbolsGetPropertyForKey):
2579         (TestAPI::symbolsSetPropertyForKey):
2580         (TestAPI::symbolsHasPropertyForKey):
2581         (TestAPI::symbolsDeletePropertyForKey):
2582         (TestAPI::promiseResolveTrue):
2583         (TestAPI::promiseRejectTrue):
2584         (testCAPIViaCpp):
2585         (TestAPI::run): Deleted.
2586         * API/tests/testapi.mm:
2587         (testObjectiveCAPIMain):
2588         (promiseWithExecutor):
2589         (promiseRejectOnJSException):
2590         (promiseCreateResolved):
2591         (promiseCreateRejected):
2592         (parallelPromiseResolveTest):
2593         (testObjectiveCAPI):
2594         * JavaScriptCore.xcodeproj/project.pbxproj:
2595         * runtime/JSInternalPromiseDeferred.cpp:
2596         (JSC::JSInternalPromiseDeferred::create):
2597         * runtime/JSPromise.h:
2598         * runtime/JSPromiseConstructor.cpp:
2599         (JSC::constructPromise):
2600         * runtime/JSPromiseDeferred.cpp:
2601         (JSC::JSPromiseDeferred::createDeferredData):
2602         (JSC::JSPromiseDeferred::create):
2603         (JSC::JSPromiseDeferred::finishCreation):
2604         (JSC::newPromiseCapability): Deleted.
2605         * runtime/JSPromiseDeferred.h:
2606         (JSC::JSPromiseDeferred::promise const):
2607         (JSC::JSPromiseDeferred::resolve const):
2608         (JSC::JSPromiseDeferred::reject const):
2609
2610 2018-09-21  Ryan Haddad  <ryanhaddad@apple.com>
2611
2612         Unreviewed, rolling out r236359.
2613
2614         Broke the Windows build.
2615
2616         Reverted changeset:
2617
2618         "Add Promise SPI"
2619         https://bugs.webkit.org/show_bug.cgi?id=189809
2620         https://trac.webkit.org/changeset/236359
2621
2622 2018-09-21  Mark Lam  <mark.lam@apple.com>
2623
2624         JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState.
2625         https://bugs.webkit.org/show_bug.cgi?id=189855
2626         <rdar://problem/44680181>
2627
2628         Reviewed by Filip Pizlo.
2629
2630         tryGetValue() always passes a nullptr to JSRopeString::resolveRope() for the
2631         ExecState* argument.  This is intentional so that resolveRope() does not throw
2632         in the event of an OutOfMemory error.  Hence, JSRopeString::resolveRope() should
2633         get the VM from the cell instead of via the ExecState.
2634
2635         Also removed an obsolete and unused field in JSString.
2636
2637         * runtime/JSString.cpp:
2638         (JSC::JSRopeString::resolveRope const):
2639         (JSC::JSRopeString::outOfMemory const):
2640         * runtime/JSString.h:
2641         (JSC::JSString::tryGetValue const):
2642
2643 2018-09-21  Michael Saboff  <msaboff@apple.com>
2644
2645         Add functions to measure memory footprint to JSC
2646         https://bugs.webkit.org/show_bug.cgi?id=189768
2647
2648         Reviewed by Saam Barati.
2649
2650         Rolling this back in again.
2651
2652         Provide system memory metrics for the current process to aid in memory reduction measurement and
2653         tuning using native JS tests.
2654
2655         * jsc.cpp:
2656         (MemoryFootprint::now):
2657         (MemoryFootprint::resetPeak):
2658         (GlobalObject::finishCreation):
2659         (JSCMemoryFootprint::JSCMemoryFootprint):
2660         (JSCMemoryFootprint::createStructure):
2661         (JSCMemoryFootprint::create):
2662         (JSCMemoryFootprint::finishCreation):
2663         (JSCMemoryFootprint::addProperty):
2664         (functionResetMemoryPeak):
2665
2666 2018-09-21  Keith Miller  <keith_miller@apple.com>
2667
2668         Add Promise SPI
2669         https://bugs.webkit.org/show_bug.cgi?id=189809
2670
2671         Reviewed by Saam Barati.
2672
2673         This patch adds new SPI to create promises. It's mostly SPI because
2674         I want to see how internal users react to it before we make it
2675         public.
2676
2677         This patch adds a couple of new Obj-C SPI methods. The first
2678         creates a new promise using the same API that JS does where the
2679         user provides an executor callback. If an exception is raised
2680         in/to that callback the promise is automagically rejected. The
2681         other methods create a pre-resolved or rejected promise as this
2682         appears to be a common way to initialize a promise.
2683
2684         I was also considering adding a second version of executor API
2685         where it would catch specific Obj-C exceptions. This would work by
2686         taking a Class parameter and checking isKindOfClass: on the
2687         exception. I decided against this as nothing else in our API
2688         handles Obj-C exceptions. I'm pretty sure the VM will end up in a
2689         corrupt state if an Obj-C exception unwinds through JS frames.
2690
2691         This patch adds a new C function that will create a "deferred"
2692         promise. A deferred promise is a style of creating promise/futures
2693         where the resolve and reject functions are passed as outputs of a
2694         function. I went with this style for the C SPI because we don't have
2695         any concept of forwarding exceptions in the C API.
2696
2697         In order to make the C API work I refactored a bit of the promise code
2698         so that we can call a static method on JSDeferredPromise and just get
2699         the components without allocating an extra cell wrapper.
2700
2701         * API/JSContext.mm:
2702         (+[JSContext currentCallee]):
2703         * API/JSObjectRef.cpp:
2704         (JSObjectMakeDeferredPromise):
2705         * API/JSObjectRefPrivate.h:
2706         * API/JSValue.mm:
2707         (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
2708         (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
2709         (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
2710         * API/JSValuePrivate.h: Added.
2711         * API/JSVirtualMachine.mm:
2712         * API/JSVirtualMachinePrivate.h:
2713         * API/tests/testapi.c:
2714         (main):
2715         * API/tests/testapi.cpp:
2716         (APIContext::operator JSC::ExecState*):
2717         (TestAPI::failed const):
2718         (TestAPI::check):
2719         (TestAPI::basicSymbol):
2720         (TestAPI::symbolsTypeof):
2721         (TestAPI::symbolsGetPropertyForKey):
2722         (TestAPI::symbolsSetPropertyForKey):
2723         (TestAPI::symbolsHasPropertyForKey):
2724         (TestAPI::symbolsDeletePropertyForKey):
2725         (TestAPI::promiseResolveTrue):
2726         (TestAPI::promiseRejectTrue):
2727         (testCAPIViaCpp):
2728         (TestAPI::run): Deleted.
2729         * API/tests/testapi.mm:
2730         (testObjectiveCAPIMain):
2731         (promiseWithExecutor):
2732         (promiseRejectOnJSException):
2733         (promiseCreateResolved):
2734         (promiseCreateRejected):
2735         (parallelPromiseResolveTest):
2736         (testObjectiveCAPI):
2737         * JavaScriptCore.xcodeproj/project.pbxproj:
2738         * runtime/JSInternalPromiseDeferred.cpp:
2739         (JSC::JSInternalPromiseDeferred::create):
2740         * runtime/JSPromise.h:
2741         * runtime/JSPromiseConstructor.cpp:
2742         (JSC::constructPromise):
2743         * runtime/JSPromiseDeferred.cpp:
2744         (JSC::JSPromiseDeferred::createDeferredData):
2745         (JSC::JSPromiseDeferred::create):
2746         (JSC::JSPromiseDeferred::finishCreation):
2747         (JSC::newPromiseCapability): Deleted.
2748         * runtime/JSPromiseDeferred.h:
2749         (JSC::JSPromiseDeferred::promise const):
2750         (JSC::JSPromiseDeferred::resolve const):
2751         (JSC::JSPromiseDeferred::reject const):
2752
2753 2018-09-21  Truitt Savell  <tsavell@apple.com>
2754
2755         Rebaseline tests after changes in https://trac.webkit.org/changeset/236321/webkit
2756         https://bugs.webkit.org/show_bug.cgi?id=156674
2757
2758         Unreviewed Test Gardening
2759
2760         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2761         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2762
2763 2018-09-21  Mike Gorse  <mgorse@suse.com>
2764
2765         Build tools should work when the /usr/bin/python is python3
2766         https://bugs.webkit.org/show_bug.cgi?id=156674
2767
2768         Reviewed by Michael Catanzaro.
2769
2770         * Scripts/cssmin.py:
2771         * Scripts/generate-js-builtins.py:
2772         (do_open):
2773         (generate_bindings_for_builtins_files):
2774         * Scripts/generateIntlCanonicalizeLanguage.py:
2775         * Scripts/jsmin.py:
2776         (JavascriptMinify.minify.write):
2777         (JavascriptMinify):
2778         (JavascriptMinify.minify):
2779         * Scripts/make-js-file-arrays.py:
2780         (chunk):
2781         (main):
2782         * Scripts/wkbuiltins/__init__.py:
2783         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2784         (generate_section_for_global_private_code_name_macro):
2785         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_header.py:
2786         (BuiltinsInternalsWrapperHeaderGenerator.__init__):
2787         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:
2788         (BuiltinsInternalsWrapperImplementationGenerator.__init__):
2789         * Scripts/wkbuiltins/builtins_model.py:
2790         (BuiltinFunction.__lt__):
2791         (BuiltinsCollection.copyrights):
2792         (BuiltinsCollection._parse_functions):
2793         * disassembler/udis86/ud_opcode.py:
2794         (UdOpcodeTables.pprint.printWalk):
2795         * generate-bytecode-files:
2796         * inspector/scripts/codegen/__init__.py:
2797         * inspector/scripts/codegen/cpp_generator.py:
2798         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2799         (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
2800         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2801         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
2802         (CppBackendDispatcherHeaderGenerator.generate_output):
2803         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2804         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2805         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
2806         (CppBackendDispatcherImplementationGenerator.generate_output):
2807         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2808         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
2809         (CppFrontendDispatcherHeaderGenerator.generate_output):
2810         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2811         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
2812         (CppFrontendDispatcherImplementationGenerator.generate_output):
2813         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2814         (CppProtocolTypesHeaderGenerator.generate_output):
2815         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
2816         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2817         (CppProtocolTypesImplementationGenerator.generate_output):
2818         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
2819         (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods):
2820         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2821         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
2822         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
2823         * inspector/scripts/codegen/generate_js_backend_commands.py:
2824         (JSBackendCommandsGenerator.should_generate_domain):
2825         (JSBackendCommandsGenerator.domains_to_generate):
2826         (JSBackendCommandsGenerator.generate_output):
2827         (JSBackendCommandsGenerator.generate_domain):
2828         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2829         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
2830         (ObjCBackendDispatcherHeaderGenerator.generate_output):
2831         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2832         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
2833         (ObjCBackendDispatcherImplementationGenerator.generate_output):
2834         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
2835         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2836         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2837         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2838         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
2839         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2840         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2841         * inspector/scripts/codegen/generate_objc_header.py:
2842         (ObjCHeaderGenerator.generate_output):
2843         (ObjCHeaderGenerator._generate_type_interface):
2844         * inspector/scripts/codegen/generate_objc_internal_header.py:
2845         (ObjCInternalHeaderGenerator.generate_output):
2846         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2847         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
2848         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
2849         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2850         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
2851         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2852         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
2853         (ObjCProtocolTypesImplementationGenerator.generate_output):
2854         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
2855         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
2856         * inspector/scripts/codegen/generator.py:
2857         (Generator.non_supplemental_domains):
2858         (Generator.open_fields):
2859         (Generator.calculate_types_requiring_shape_assertions):
2860         (Generator._traverse_and_assign_enum_values):
2861         (Generator.stylized_name_for_enum_value):
2862         * inspector/scripts/codegen/models.py:
2863         (find_duplicates):
2864         * inspector/scripts/codegen/objc_generator.py:
2865         * wasm/generateWasm.py:
2866         (opcodeIterator):
2867         * yarr/generateYarrCanonicalizeUnicode:
2868         * yarr/generateYarrUnicodePropertyTables.py:
2869         * yarr/hasher.py:
2870         (stringHash):
2871
2872 2018-09-21  Tomas Popela  <tpopela@redhat.com>
2873
2874         [ARM] Build broken on armv7hl after r235517
2875         https://bugs.webkit.org/show_bug.cgi?id=189831
2876
2877         Reviewed by Yusuke Suzuki.
2878
2879         Add missing implementation of patchableBranch8() for traditional ARM.
2880
2881         * assembler/MacroAssemblerARM.h:
2882         (JSC::MacroAssemblerARM::patchableBranch8):
2883
2884 2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>
2885
2886         Unreviewed, rolling out r236293.
2887
2888         Internal build still broken.
2889
2890         Reverted changeset:
2891
2892         "Add functions to measure memory footprint to JSC"
2893         https://bugs.webkit.org/show_bug.cgi?id=189768
2894         https://trac.webkit.org/changeset/236293
2895
2896 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2897
2898         [JSC] Heap::reportExtraMemoryVisited shows contention if we have many JSString
2899         https://bugs.webkit.org/show_bug.cgi?id=189558
2900
2901         Reviewed by Mark Lam.
2902
2903         When running the web-tooling-benchmark postcss test on the Linux JSCOnly port, we get the following result in `perf report`.
2904
2905             10.95%  AutomaticThread  libJavaScriptCore.so.1.0.0  [.] JSC::Heap::reportExtraMemoryVisited
2906
2907         This is because postcss produces a bunch of JSStrings, which require reportExtraMemoryVisited calls in JSString::visitChildren.
2908         And since reportExtraMemoryVisited attempts to update an atomic counter, if we have a bunch of marking threads, it becomes super contended.
2909
2910         This patch reduces the frequency of updating the atomic counter. Each SlotVisitor has a per-SlotVisitor m_extraMemorySize counter.
2911         And we propagate this value to the global atomic counter when a rebalance happens.
2912
2913         We also reduce HeapCell::heap() access by using `vm.heap`.
2914
2915         * heap/SlotVisitor.cpp:
2916         (JSC::SlotVisitor::didStartMarking):
2917         (JSC::SlotVisitor::propagateExternalMemoryVisitedIfNecessary):
2918         (JSC::SlotVisitor::drain):
2919         (JSC::SlotVisitor::performIncrementOfDraining):
2920         * heap/SlotVisitor.h:
2921         * heap/SlotVisitorInlines.h:
2922         (JSC::SlotVisitor::reportExtraMemoryVisited):
2923         * runtime/JSString.cpp:
2924         (JSC::JSRopeString::resolveRopeToAtomicString const):
2925         (JSC::JSRopeString::resolveRope const):
2926         * runtime/JSString.h:
2927         (JSC::JSString::finishCreation):
2928         * wasm/js/JSWebAssemblyInstance.cpp:
2929         (JSC::JSWebAssemblyInstance::finishCreation):
2930         * wasm/js/JSWebAssemblyMemory.cpp:
2931         (JSC::JSWebAssemblyMemory::finishCreation):
2932
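The batching strategy this entry describes, as an added single-file illustration; it is not SlotVisitor or Heap code from JavaScriptCore. HeapCounters, Visitor and simulateMarking are constructed stand-ins: a flush threshold of 0 reproduces the old behaviour (one atomic read-modify-write per JSString), while a large threshold keeps bytes in the visitor-local counter and folds them into the shared atomic only at a rebalance or when marking ends. The total reported never changes; only the number of contended atomic operations does.

```cpp
#include <atomic>
#include <cstddef>

// Stand-in for the heap-wide atomic counter that every marking thread used to
// hit once per JSString. atomicUpdates exists only to make the number of
// shared read-modify-write operations observable.
struct HeapCounters {
    std::atomic<size_t> extraMemoryVisited { 0 };
    std::atomic<size_t> atomicUpdates { 0 };
};

// Stand-in for a SlotVisitor with a per-visitor m_extraMemorySize counter.
class Visitor {
public:
    Visitor(HeapCounters& heap, size_t flushThresholdBytes)
        : m_heap(heap), m_flushThreshold(flushThresholdBytes) { }

    // End of marking for this visitor: never drop the tail of a batch.
    ~Visitor() { propagateExtraMemoryVisitedIfNecessary(); }

    // Called once per visited string. With threshold 0 every call reaches the
    // shared atomic (the contended pattern); otherwise the bytes accumulate locally.
    void reportExtraMemoryVisited(size_t bytes)
    {
        m_extraMemorySize += bytes;
        if (m_extraMemorySize >= m_flushThreshold)
            propagateExtraMemoryVisitedIfNecessary();
    }

    // Called at rebalance points (and from the destructor): one atomic add
    // publishes everything this visitor has accumulated since the last flush.
    void propagateExtraMemoryVisitedIfNecessary()
    {
        if (!m_extraMemorySize)
            return;
        m_heap.extraMemoryVisited.fetch_add(m_extraMemorySize, std::memory_order_relaxed);
        m_heap.atomicUpdates.fetch_add(1, std::memory_order_relaxed);
        m_extraMemorySize = 0;
    }

private:
    HeapCounters& m_heap;
    size_t m_flushThreshold;
    size_t m_extraMemorySize { 0 };
};

struct MarkingStats {
    size_t totalBytes;    // identical in both modes: batching changes when, not what
    size_t atomicUpdates; // shared-counter RMW operations, the part that contends
};

// Simulates visitorCount marking visitors, each visiting stringsPerVisitor
// strings that carry bytesPerString of extra memory. Visitors run one after
// another so the example stays single-threaded; the atomic-update counts are
// the same as they would be with real marking threads.
MarkingStats simulateMarking(unsigned visitorCount, unsigned stringsPerVisitor,
                             size_t bytesPerString, size_t flushThresholdBytes)
{
    HeapCounters heap;
    for (unsigned v = 0; v < visitorCount; ++v) {
        Visitor visitor(heap, flushThresholdBytes);
        for (unsigned i = 0; i < stringsPerVisitor; ++i)
            visitor.reportExtraMemoryVisited(bytesPerString);
        // visitor leaves scope here, which plays the role of the final propagate
    }
    return { heap.extraMemoryVisited.load(), heap.atomicUpdates.load() };
}
```

With four visitors and 1000 strings of 64 bytes each, threshold 0 performs 4000 atomic updates and a 1 MiB threshold performs 4, both reporting 256000 bytes. The invariant worth checking in a real change of this kind is the first number: a batching scheme that can lose a partial batch (for example, a visitor torn down without a final propagate) under-reports heap size to the collector.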
2933 2018-09-20  Michael Saboff  <msaboff@apple.com>
2934
2935         Add functions to measure memory footprint to JSC
2936         https://bugs.webkit.org/show_bug.cgi?id=189768
2937
2938         Reviewed by Saam Barati.
2939
2940         Rolling this back in.
2941
2942         Provide system memory metrics for the current process to aid in memory reduction measurement and
2943         tuning using native JS tests.
2944
2945         * jsc.cpp:
2946         (MemoryFootprint::now):
2947         (MemoryFootprint::resetPeak):
2948         (GlobalObject::finishCreation):
2949         (JSCMemoryFootprint::JSCMemoryFootprint):
2950         (JSCMemoryFootprint::createStructure):
2951         (JSCMemoryFootprint::create):
2952         (JSCMemoryFootprint::finishCreation):
2953         (JSCMemoryFootprint::addProperty):
2954         (functionResetMemoryPeak):
2955
2956 2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>
2957
2958         Unreviewed, rolling out r236235.
2959
2960         Breaks internal builds.
2961
2962         Reverted changeset:
2963
2964         "Add functions to measure memory footprint to JSC"
2965         https://bugs.webkit.org/show_bug.cgi?id=189768
2966         https://trac.webkit.org/changeset/236235
2967
2968 2018-09-20  Fujii Hironori  <Hironori.Fujii@sony.com>
2969
2970         [Win][Clang] JITMathIC.h: error: missing 'template' keyword prior to dependent template name 'retagged'
2971         https://bugs.webkit.org/show_bug.cgi?id=189730
2972
2973         Reviewed by Saam Barati.
2974
2975         Clang for Windows can't compile the workaround for an MSVC quirk in generateOutOfLine.
2976
2977         * jit/JITMathIC.h:
2978         (generateOutOfLine): Append "&& !COMPILER(CLANG)" to "#if COMPILER(MSVC)".
2979
2980 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2981
2982         [JSC] Optimize Array#indexOf in C++ runtime
2983         https://bugs.webkit.org/show_bug.cgi?id=189507
2984
2985         Reviewed by Saam Barati.
2986
2987         The C++ Array#indexOf runtime function takes so much time in the babylon benchmark in
2988         web-tooling-benchmark. While our DFG and FTL have Array#indexOf optimizations
2989         and they actually work well, C++ Array#indexOf is called a significant number
2990         of times before tiering up, and it takes 6.74% of jsc main thread samples according
2991         to the perf command on Linux. This is because C++ Array#indexOf is too generic and
2992         misses the chance to optimize JSArray cases.
2993
2994         This patch adds JSArray fast path for Array#indexOf. If we know that indexed
2995         access to the given JSArray is non-observable and indexing type is good for the fast
2996         path, we go to the fast path. This makes sampling of Array#indexOf 3.83% in
2997         babylon web-tooling-benchmark.
2998
2999         * runtime/ArrayPrototype.cpp:
3000         (JSC::arrayProtoFuncIndexOf):
3001         * runtime/JSArray.h:
3002         * runtime/JSArrayInlines.h:
3003         (JSC::JSArray::canDoFastIndexedAccess):
3004         (JSC::toLength):
3005         * runtime/JSCJSValueInlines.h:
3006         (JSC::JSValue::JSValue):
3007         * runtime/JSGlobalObject.h:
3008         * runtime/JSGlobalObjectInlines.h:
3009         (JSC::JSGlobalObject::isArrayPrototypeIndexedAccessFastAndNonObservable):
3010         (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
3011         * runtime/MathCommon.h:
3012         (JSC::canBeStrictInt32):
3013         (JSC::canBeInt32):
3014
3015 2018-09-19  Michael Saboff  <msaboff@apple.com>
3016
3017         Add functions to measure memory footprint to JSC
3018         https://bugs.webkit.org/show_bug.cgi?id=189768
3019
3020         Reviewed by Saam Barati.
3021
3022         Provide system memory metrics for the current process to aid in memory reduction measurement and
3023         tuning using native JS tests.
3024
3025         * jsc.cpp:
3026         (MemoryFootprint::now):
3027         (MemoryFootprint::resetPeak):
3028         (GlobalObject::finishCreation):
3029         (JSCMemoryFootprint::JSCMemoryFootprint):
3030         (JSCMemoryFootprint::createStructure):
3031         (JSCMemoryFootprint::create):
3032         (JSCMemoryFootprint::finishCreation):
3033         (JSCMemoryFootprint::addProperty):
3034         (functionResetMemoryPeak):
3035
3036 2018-09-19  Saam barati  <sbarati@apple.com>
3037
3038         CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code
3039         https://bugs.webkit.org/show_bug.cgi?id=189703
3040
3041         Reviewed by Mark Lam.
3042
3043         This fixes a crash that a TypeProfiler change revealed.
3044
3045         * dfg/DFGSpeculativeJIT64.cpp:
3046         (JSC::DFG::SpeculativeJIT::compile):
3047
3048 2018-09-19  Saam barati  <sbarati@apple.com>
3049
3050         AI rule for MultiPutByOffset executes its effects in the wrong order
3051         https://bugs.webkit.org/show_bug.cgi?id=189757
3052         <rdar://problem/43535257>
3053
3054         Reviewed by Michael Saboff.
3055
3056         The AI rule for MultiPutByOffset was executing effects in the wrong order.
3057         It first executed the transition effects and the effects on the base, and
3058         then executed the filtering effects on the value being stored. However, you
3059         can end up with the wrong type when the base and the value being stored
3060         are the same. E.g., in a program like `o.f = o`. These effects need to happen
3061         in the opposite order, modeling what happens in the runtime execution of
3062         MultiPutByOffset.
3063
3064         * dfg/DFGAbstractInterpreterInlines.h:
3065         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3066
3067 2018-09-18  Mark Lam  <mark.lam@apple.com>
3068
3069         Ensure that ForInContexts are invalidated if their loop local is over-written.
3070         https://bugs.webkit.org/show_bug.cgi?id=189571
3071         <rdar://problem/44402277>
3072
3073         Reviewed by Saam Barati.
3074
3075         Instead of hunting down every place in the BytecodeGenerator that potentially
3076         needs to invalidate an enclosing ForInContext (if one exists), we simply iterate
3077         the bytecode range of the loop body when the ForInContext is popped, and
3078         invalidate the context if we ever find the loop temp variable over-written.
3079
3080         This has 2 benefits:
3081         1. It ensures that every type of opcode that can write to the loop temp will be
3082            handled appropriately, not just the op_mov that we've hunted down.
3083         2. It avoids us having to check the BytecodeGenerator's m_forInContextStack
3084            every time we emit an op_mov (or other opcodes that can write to a local)
3085            even when we're not inside a for-in loop.
3086
3087         JSC benchmarks show that this change is performance neutral.
3088
3089         * bytecompiler/BytecodeGenerator.cpp:
3090         (JSC::BytecodeGenerator::pushIndexedForInScope):
3091         (JSC::BytecodeGenerator::popIndexedForInScope):
3092         (JSC::BytecodeGenerator::pushStructureForInScope):
3093         (JSC::BytecodeGenerator::popStructureForInScope):
3094         (JSC::ForInContext::finalize):
3095         (JSC::StructureForInContext::finalize):
3096         (JSC::IndexedForInContext::finalize):
3097         (JSC::BytecodeGenerator::invalidateForInContextForLocal): Deleted.
3098         * bytecompiler/BytecodeGenerator.h:
3099         (JSC::ForInContext::ForInContext):
3100         (JSC::ForInContext::bodyBytecodeStartOffset const):
3101         (JSC::StructureForInContext::StructureForInContext):
3102         (JSC::IndexedForInContext::IndexedForInContext):
3103         * bytecompiler/NodesCodegen.cpp:
3104         (JSC::PostfixNode::emitResolve):
3105         (JSC::PrefixNode::emitResolve):
3106         (JSC::ReadModifyResolveNode::emitBytecode):
3107         (JSC::AssignResolveNode::emitBytecode):
3108         (JSC::EmptyLetExpression::emitBytecode):
3109         (JSC::ForInNode::emitLoopHeader):
3110         (JSC::ForOfNode::emitBytecode):
3111         (JSC::BindingNode::bindValue const):
3112         (JSC::AssignmentElementNode::bindValue const):
3113         * runtime/CommonSlowPaths.cpp:
3114         (JSC::SLOW_PATH_DECL):
3115
3116 2018-09-17  Devin Rousso  <drousso@apple.com>
3117
3118         Web Inspector: generate CSSKeywordCompletions from backend values
3119         https://bugs.webkit.org/show_bug.cgi?id=189041
3120
3121         Reviewed by Joseph Pecoraro.
3122
3123         * inspector/protocol/CSS.json:
3124         Include an optional `aliases` array and `inherited` boolean for `CSSPropertyInfo`.
3125
3126 2018-09-17  Saam barati  <sbarati@apple.com>
3127
3128         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3129         https://bugs.webkit.org/show_bug.cgi?id=189676
3130         <rdar://problem/39682897>
3131
3132         Reviewed by Michael Saboff.
3133
3134         Because the incoming value may be TDZ, CheckStructure may end up crashing.
3135         Since the Type Profile does not currently record TDZ values in any of its
3136         data structures, this is not a semantic change in how it will show you data.
3137         It just fixes crashes when we emit a CheckStructure and the incoming value
3138         is TDZ.
3139
3140         * dfg/DFGFixupPhase.cpp:
3141         (JSC::DFG::FixupPhase::fixupNode):
3142         * dfg/DFGNode.h:
3143         (JSC::DFG::Node::convertToCheckStructureOrEmpty):
3144
3145 2018-09-17  Darin Adler  <darin@apple.com>
3146
3147         Use OpaqueJSString rather than JSRetainPtr inside WebKit
3148         https://bugs.webkit.org/show_bug.cgi?id=189652
3149
3150         Reviewed by Saam Barati.
3151
3152         * API/JSCallbackObjectFunctions.h: Removed an unneeded include of
3153         JSStringRef.h.
3154
3155         * API/JSContext.mm:
3156         (-[JSContext evaluateScript:withSourceURL:]): Use OpaqueJSString::create rather
3157         than JSStringCreateWithCFString, simplifying the code and also obviating the
3158         need for explicit JSStringRelease.
3159         (-[JSContext setName:]): Ditto.
3160
3161         * API/JSStringRef.cpp:
3162         (JSStringIsEqualToUTF8CString): Use adoptRef rather than explicit JSStringRelease.
3163         It seems that additional optimization is possible, obviating the need to allocate
3164         an OpaqueJSString, but that's true almost everywhere else in this patch, too.
3165
3166         * API/JSValue.mm:
3167         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Use
3168         OpaqueJSString::create and adoptRef as appropriate.
3169         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
3170         (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Ditto.
3171         (performPropertyOperation): Ditto.
3172         (-[JSValue invokeMethod:withArguments:]): Ditto.
3173         (valueToObjectWithoutCopy): Ditto.
3174         (containerValueToObject): Ditto.
3175         (valueToString): Ditto.
3176         (objectToValueWithoutCopy): Ditto.
3177         (objectToValue): Ditto.
3178
3179 2018-09-08  Darin Adler  <darin@apple.com>
3180
3181         Streamline JSRetainPtr, fix leaks of JSString and JSGlobalContext
3182         https://bugs.webkit.org/show_bug.cgi?id=189455
3183
3184         Reviewed by Keith Miller.
3185
3186         * API/JSObjectRef.cpp:
3187         (OpaqueJSPropertyNameArray): Use Ref<OpaqueJSString> instead of
3188         JSRetainPtr<JSStringRef>.
3189         (JSObjectCopyPropertyNames): Remove now-unneeded use of leakRef and
3190         adopt constructor.
3191         (JSPropertyNameArrayGetNameAtIndex): Use ptr() instead of get() since
3192         the array elements are now Ref.
3193
3194         * API/JSRetainPtr.h: While JSRetainPtr is written as a template,
3195         it only works for two specific unrelated types, JSStringRef and
3196         JSGlobalContextRef. Simplified the default constructor using data
3197         member initialization. Prepared to make the adopt constructor private
3198         (got everything compiling that way, then made it public again so that
3199         Apple internal software will still build). Got rid of unneeded
3200         templated constructor and assignment operator, since they're not relevant
3201         given that there is no inheritance between JSRetainPtr template types.
3202         Added WARN_UNUSED_RETURN to leakRef as in RefPtr and RetainPtr.
3203         Added move constructor and move assignment operator for slightly better
3204         performance. Simplified implementations of various member functions
3205         so they are more obviously correct, by using leakPtr in more of them
3206         and using std::exchange to make the flow of values more obvious.
3207
3208         * API/JSValue.mm:
3209         (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Added a
3210         missing JSStringRelease to fix a leak.
3211
3212         * API/tests/CustomGlobalObjectClassTest.c:
3213         (customGlobalObjectClassTest): Added a JSGlobalContextRelease to fix a leak.
3214         (globalObjectSetPrototypeTest): Ditto.
3215         (globalObjectPrivatePropertyTest): Ditto.
3216
3217         * API/tests/ExecutionTimeLimitTest.cpp:
3218         (testResetAfterTimeout): Added a call to JSStringRelease to fix a leak.
3219         (testExecutionTimeLimit): Ditto, lots more.
3220
3221         * API/tests/FunctionOverridesTest.cpp:
3222         (testFunctionOverrides): Added a call to JSStringRelease to fix a leak.
3223
3224         * API/tests/JSObjectGetProxyTargetTest.cpp:
3225         (testJSObjectGetProxyTarget): Added a call to JSGlobalContextRelease to fix
3226         a leak.
3227
3228         * API/tests/PingPongStackOverflowTest.cpp:
3229         (testPingPongStackOverflow): Added calls to JSGlobalContextRelease and
3230         JSStringRelease to fix leaks.
3231
3232         * API/tests/testapi.c:
3233         (throwException): Added. Helper function for repeated idiom where we want
3234         to throw an exception, but with additional JSStringRelease calls so we don't
3235         have to leak just to keep the code simpler to read.
3236         (MyObject_getProperty): Use throwException.
3237         (MyObject_setProperty): Ditto.
3238         (MyObject_deleteProperty): Ditto.
3239         (isValueEqualToString): Added. Helper function for an idiom where we check
3240         if something is a string and then if it's equal to a particular string
3241         constant, but a version that has an additional JSStringRelease call so we
3242         don't have to leak just to keep the code simpler to read.
3243         (MyObject_callAsFunction): Use isValueEqualToString and throwException.
3244         (MyObject_callAsConstructor): Ditto.
3245         (MyObject_hasInstance): Ditto.
3246         (globalContextNameTest): Added a JSGlobalContextRelease to fix a leak.
3247         (testMarkingConstraintsAndHeapFinalizers): Ditto.
3248
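A minimal model of the retain-pointer discipline this entry describes, added here as an illustration; it is not JSRetainPtr or any other JavaScriptCore code. FakeString, FakeStringCreate/FakeStringRetain/FakeStringRelease and FakeStringPtr are constructed stand-ins for JSStringRef, the JSStringCreate*/JSStringRetain/JSStringRelease calls and JSRetainPtr. It shows how the leaks the entry fixes arise (a +1 reference from a Create call with no matching Release, or wrapped by the retaining constructor instead of adopted), and how an adopt constructor, std::exchange-based moves and a nodiscard leakRef keep every +1 reference matched by exactly one release:

```cpp
#include <utility>

// Constructed refcounted C handle standing in for JSStringRef. The live-object
// counter is bookkeeping so that a leak shows up as a number, not as lost memory.
struct FakeString { int refCount; };
static int g_liveStrings = 0;

static FakeString* FakeStringCreate() { ++g_liveStrings; return new FakeString { 1 }; } // returns a +1 reference
static void FakeStringRetain(FakeString* s) { ++s->refCount; }
static void FakeStringRelease(FakeString* s)
{
    if (--s->refCount == 0) {
        --g_liveStrings;
        delete s;
    }
}

// Stand-in for JSRetainPtr: adopt constructor for +1 references, retaining
// constructor for borrowed ones, moves built on std::exchange, nodiscard leakRef.
class FakeStringPtr {
public:
    enum AdoptTag { Adopt };
    FakeStringPtr() = default;
    explicit FakeStringPtr(FakeString* p) : m_ptr(p) { if (m_ptr) FakeStringRetain(m_ptr); }
    FakeStringPtr(AdoptTag, FakeString* p) : m_ptr(p) { }                   // takes over an existing +1
    FakeStringPtr(const FakeStringPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) FakeStringRetain(m_ptr); }
    FakeStringPtr(FakeStringPtr&& o) noexcept : m_ptr(std::exchange(o.m_ptr, nullptr)) { }
    ~FakeStringPtr() { if (m_ptr) FakeStringRelease(m_ptr); }
    FakeStringPtr& operator=(FakeStringPtr o) noexcept { std::swap(m_ptr, o.m_ptr); return *this; } // copy-and-swap serves copy and move
    [[nodiscard]] FakeString* leakRef() { return std::exchange(m_ptr, nullptr); } // caller now owns the +1
    FakeString* get() const { return m_ptr; }
private:
    FakeString* m_ptr { nullptr };
};

static FakeStringPtr adopt(FakeString* p) { return FakeStringPtr(FakeStringPtr::Adopt, p); }

// Each scenario returns how many strings outlive it, so 0 means "no leak".

// The bug pattern fixed throughout the entry: a +1 result with no matching Release.
static int rawCreateWithoutRelease()
{
    int before = g_liveStrings;
    FakeString* s = FakeStringCreate();
    int leaked = g_liveStrings - before; // 1: the string outlives the scope
    FakeStringRelease(s); // cleanup so this demonstration itself does not leak; the real bug had no such line
    return leaked;
}

// Subtler variant: wrapping a +1 result in the retaining constructor bumps the
// count to 2, so the smart pointer's single release leaves one reference behind.
static int retainingConstructorOnCreateResult()
{
    int before = g_liveStrings;
    FakeString* raw = FakeStringCreate();
    {
        FakeStringPtr wrapper(raw);
    }
    int leaked = g_liveStrings - before; // 1
    FakeStringRelease(raw); // cleanup only
    return leaked;
}

// The fix: adopt the +1 so the destructor performs the one release, and moves
// transfer that responsibility instead of duplicating it.
static int adoptCreateResult()
{
    int before = g_liveStrings;
    {
        FakeStringPtr s = adopt(FakeStringCreate());
        FakeStringPtr moved = std::move(s); // moved-from now holds nullptr and releases nothing
        (void)moved;
    }
    return g_liveStrings - before; // 0
}

// leakRef hands the +1 to C code that promises to release it; ignoring the
// returned pointer would be the leak the nodiscard attribute warns about.
static int leakRefThenRelease()
{
    int before = g_liveStrings;
    FakeString* raw = adopt(FakeStringCreate()).leakRef();
    FakeStringRelease(raw);
    return g_liveStrings - before; // 0
}
```

The two leaking scenarios return 1 and the two correct ones return 0; the same counter-based check is a cheap way to unit-test any wrapper around a retain/release C API before relying on it.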
3249 2018-09-14  Saam barati  <sbarati@apple.com>
3250
3251         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3252         https://bugs.webkit.org/show_bug.cgi?id=189628
3253         <rdar://problem/39481690>
3254
3255         Reviewed by Mark Lam.
3256
3257         An Availability may point to a Node. And that Node may be removed from
3258         the graph, e.g., it's freed and its memory is no longer owned by Graph.
3259         This patch makes it so we no longer dump this metadata by default. If
3260         this metadata is interesting to you, you'll need to go in and change
3261         Graph::dump to dump the needed metadata.
3262
3263         * dfg/DFGGraph.cpp:
3264         (JSC::DFG::Graph::dump):
3265
3266 2018-09-14  Mark Lam  <mark.lam@apple.com>
3267
3268         Refactor some ForInContext code for better encapsulation.
3269         https://bugs.webkit.org/show_bug.cgi?id=189626
3270         <rdar://problem/44466415>
3271
3272         Reviewed by Keith Miller.
3273
3274         1. Add a ForInContext::m_type field to store the context type.  This does not
3275            increase the class size, but eliminates the need for a virtual call to get the
3276            type.
3277
3278            Note: we still need a virtual destructor because we'll be mingling
3279            IndexedForInContexts and StructureForInContexts in the BytecodeGenerator::m_forInContextStack.
3280
3281         2. Add ForInContext::isIndexedForInContext() and ForInContext::isStructureForInContext()
3282            convenience methods.
3283
3284         3. Add ForInContext::asIndexedForInContext() and ForInContext::asStructureForInContext()
3285            to do the casting to the subclass types.  This ensures that we'll properly
3286            assert that the casting is legal.
3287
3288         * bytecompiler/BytecodeGenerator.cpp:
3289         (JSC::BytecodeGenerator::emitGetByVal):
3290         (JSC::BytecodeGenerator::popIndexedForInScope):
3291         (JSC::BytecodeGenerator::popStructureForInScope):
3292         * bytecompiler/BytecodeGenerator.h:
3293         (JSC::ForInContext::type const):
3294         (JSC::ForInContext::isIndexedForInContext const):
3295         (JSC::ForInContext::isStructureForInContext const):
3296         (JSC::ForInContext::asIndexedForInContext):
3297         (JSC::ForInContext::asStructureForInContext):
3298         (JSC::ForInContext::ForInContext):
3299         (JSC::StructureForInContext::StructureForInContext):
3300         (JSC::IndexedForInContext::IndexedForInContext):
3301         (JSC::ForInContext::~ForInContext): Deleted.
3302
3303 2018-09-14  Devin Rousso  <webkit@devinrousso.com>
3304
3305         Web Inspector: Record actions performed on ImageBitmapRenderingContext
3306         https://bugs.webkit.org/show_bug.cgi?id=181341
3307
3308         Reviewed by Joseph Pecoraro.
3309
3310         * inspector/protocol/Recording.json:
3311         * inspector/scripts/codegen/generator.py:
3312
3313 2018-09-14  Mike Gorse  <mgorse@suse.com>
3314
3315         builtins directory causes name conflict on Python 3
3316         https://bugs.webkit.org/show_bug.cgi?id=189552
3317
3318         Reviewed by Michael Catanzaro.
3319
3320         * CMakeLists.txt: builtins -> wkbuiltins.
3321         * DerivedSources.make: builtins -> wkbuiltins.
3322         * Scripts/generate-js-builtins.py: import wkbuiltins, rather than
3323           builtins.
3324         * Scripts/wkbuiltins/__init__.py: Renamed from Source/JavaScriptCore/Scripts/builtins/__init__.py.
3325         * Scripts/wkbuiltins/builtins_generate_combined_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_combined_header.py.
3326         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_internals_wrapper_implementation.py.
3327         * Scripts/wkbuiltins/builtins_generate_separate_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_header.py.
3328         * Scripts/wkbuiltins/builtins_generate_separate_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_implementation.py.
3329         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_header.py.
3330         * Scripts/wkbuiltins/builtins_generate_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_implementation.py.
3331         * Scripts/wkbuiltins/builtins_generator.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generator.py.
3332         * Scripts/wkbuiltins/builtins_model.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_model.py.
3333         * Scripts/wkbuiltins/builtins_templates.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_templates.py.
3334         * Scripts/wkbuiltins/wkbuiltins.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins.py.
3335         * JavaScriptCore.xcodeproj/project.pbxproj: Update for the renaming.
3336
3337 2018-09-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3338
3339         [WebAssembly] Inline WasmContext accessor functions
3340         https://bugs.webkit.org/show_bug.cgi?id=189416
3341
3342         Reviewed by Saam Barati.
3343
3344         WasmContext accessor functions are very small, yet they reside in the critical path of
3345         JS to Wasm function calls. This patch makes them inline to improve performance.
3346         This change improves a small benchmark (calling JS to Wasm function 1e7 times) from 320ms to 270ms.
3347
3348         * JavaScriptCore.xcodeproj/project.pbxproj:
3349         * Sources.txt:
3350         * interpreter/CallFrame.cpp:
3351         * jit/AssemblyHelpers.cpp:
3352         * wasm/WasmB3IRGenerator.cpp:
3353         * wasm/WasmContextInlines.h: Renamed from Source/JavaScriptCore/wasm/WasmContext.cpp.
3354         (JSC::Wasm::Context::useFastTLS):
3355         (JSC::Wasm::Context::load const):
3356         (JSC::Wasm::Context::store):
3357         * wasm/WasmMemoryInformation.cpp:
3358         * wasm/WasmModuleParser.cpp: Include <wtf/SHA1.h> due to changes of unified source combinations.
3359         * wasm/js/JSToWasm.cpp:
3360         * wasm/js/WebAssemblyFunction.cpp:
3361
3362 2018-09-12  David Kilzer  <ddkilzer@apple.com>
3363
3364         Move JavaScriptCore files to match Xcode project hierarchy
3365         <https://webkit.org/b/189574>
3366
3367         Reviewed by Filip Pizlo.
3368
3369         * API/JSAPIValueWrapper.cpp: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.cpp.
3370         * API/JSAPIValueWrapper.h: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.h.
3371         * CMakeLists.txt: Update for new path to
3372         generateYarrUnicodePropertyTables.py, hasher.py and
3373         JSAPIValueWrapper.h.
3374         * DerivedSources.make: Ditto. Add missing dependency on
3375         hasher.py captured by CMakeLists.txt.
3376         * JavaScriptCore.xcodeproj/project.pbxproj: Update for new file
3377         reference paths. Add hasher.py library to project.
3378         * Sources.txt: Update for new path to
3379         JSAPIValueWrapper.cpp.
3380         * runtime/JSImmutableButterfly.h: Add missing includes
3381         after changes to Sources.txt and regenerating unified
3382         sources.
3383         * runtime/RuntimeType.h: Ditto.
3384         * yarr/generateYarrUnicodePropertyTables.py: Rename from Source/JavaScriptCore/Scripts/generateYarrUnicodePropertyTables.py.
3385         * yarr/hasher.py: Rename from Source/JavaScriptCore/Scripts/hasher.py.
3386
3387 2018-09-12  David Kilzer  <ddkilzer@apple.com>
3388
3389         Let Xcode have its way with the JavaScriptCore project
3390
3391         * JavaScriptCore.xcodeproj/project.pbxproj:
3392
3393 2018-09-12  Guillaume Emont  <guijemont@igalia.com>
3394
3395         Add IGNORE_WARNING_.* macros
3396         https://bugs.webkit.org/show_bug.cgi?id=188996
3397
3398         Reviewed by Michael Catanzaro.
3399
3400         * API/JSCallbackObject.h:
3401         * API/tests/testapi.c:
3402         * assembler/LinkBuffer.h:
3403         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3404         * b3/B3LowerToAir.cpp:
3405         * b3/B3Opcode.cpp:
3406         * b3/B3Type.h: