[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-07-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r234181 and r234189.
        https://bugs.webkit.org/show_bug.cgi?id=188075

        These are not needed right now (Requested by thorton on
        #webkit).

        Reverted changesets:

        "Enable Web Content Filtering on watchOS"
        https://bugs.webkit.org/show_bug.cgi?id=187979
        https://trac.webkit.org/changeset/234181

        "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
        https://bugs.webkit.org/show_bug.cgi?id=187985
        https://trac.webkit.org/changeset/234189

2018-07-26  Mark Lam  <mark.lam@apple.com>

        arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
        https://bugs.webkit.org/show_bug.cgi?id=188065
        <rdar://problem/42515726>

        Reviewed by Saam Barati.

        * runtime/ArrayPrototype.cpp:
        (JSC::clearElement):
        (JSC::copyElements):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):

2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>

        JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
        https://bugs.webkit.org/show_bug.cgi?id=167991

        Reviewed by Michael Catanzaro.

        Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
        Checked locale.isEmpty() before returning it from defaultLocale, so there should be
        no more cases where you might have an invalid locale come back from resolveLocale.

        * runtime/IntlObject.cpp:
        (JSC::convertICULocaleToBCP47LanguageTag):
        (JSC::defaultLocale):
        (JSC::lookupMatcher):
        * runtime/IntlObject.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::intlCollatorAvailableLocales):
        (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
        (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):

2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>

        REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
        https://bugs.webkit.org/show_bug.cgi?id=188040

        Unreviewed build fix for AppleWin port.

        * API/tests/testapi.c: Disabled warning C4204.
        (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.

2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>

        [JSC API] We should support the symbol type in our C/Obj-C API
        https://bugs.webkit.org/show_bug.cgi?id=175836

        Unreviewed build fix for Windows port.

        r234227 introduced a compilation error, unresolved external symbol
        "int __cdecl testCAPIViaCpp(void)", in testapi for Windows ports.

        Windows ports are compiling testapi.c as C++ by using the /TP switch.

        * API/tests/testapi.c:
        (main): Removed `::` prefix of ::SetErrorMode Windows API.
        (dllLauncherEntryPoint): Converted into C style.
        * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c

2018-07-25  Keith Miller  <keith_miller@apple.com>

        [JSC API] We should support the symbol type in our C/Obj-C API
        https://bugs.webkit.org/show_bug.cgi?id=175836

        Reviewed by Filip Pizlo.

        This patch makes the following API additions:
        1) Test if a JSValue/JSValueRef is a symbol via any of the methods the API provides for testing the types of other JSValues.
        2) Create a symbol on both APIs.
        3) Get/Set/Delete/Define property now take ids in the Obj-C API.
        4) Add Get/Set/Delete in the C API.

        We can do 3 because it is both binary and source compatible with
        the existing API. I added (4) because the current property access
        APIs only have the ability to get Strings. It was possible to
        merge symbols into JSStringRef but that felt confusing and exposes
        implementation details of our engine. The new functions match the
        same meaning that they have in JS, thus should be forward
        compatible with any future language extensions.

        Lastly, this patch adds the same availability preprocessing phase
        in WebCore to JavaScriptCore, which enables TBA features for
        testing on previous releases.

        * API/APICast.h:
        * API/JSBasePrivate.h:
        * API/JSContext.h:
        * API/JSContextPrivate.h:
        * API/JSContextRef.h:
        * API/JSContextRefInternal.h:
        * API/JSContextRefPrivate.h:
        * API/JSManagedValue.h:
        * API/JSObjectRef.cpp:
        (JSObjectHasPropertyKey):
        (JSObjectGetPropertyKey):
        (JSObjectSetPropertyKey):
        (JSObjectDeletePropertyKey):
        * API/JSObjectRef.h:
        * API/JSRemoteInspector.h:
        * API/JSTypedArray.h:
        * API/JSValue.h:
        * API/JSValue.mm:
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
        (performPropertyOperation):
        (-[JSValue valueForProperty:valueForProperty:]):
        (-[JSValue setValue:forProperty:setValue:forProperty:]):
        (-[JSValue deleteProperty:deleteProperty:]):
        (-[JSValue hasProperty:hasProperty:]):
        (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
        (-[JSValue isSymbol]):
        (-[JSValue objectForKeyedSubscript:]):
        (-[JSValue setObject:forKeyedSubscript:]):
        (-[JSValue valueForProperty:]): Deleted.
        (-[JSValue setValue:forProperty:]): Deleted.
        (-[JSValue deleteProperty:]): Deleted.
        (-[JSValue hasProperty:]): Deleted.
        (-[JSValue defineProperty:descriptor:]): Deleted.
        * API/JSValueRef.cpp:
        (JSValueGetType):
        (JSValueIsSymbol):
        (JSValueMakeSymbol):
        * API/JSValueRef.h:
        * API/WebKitAvailability.h:
        * API/tests/CurrentThisInsideBlockGetterTest.mm:
        * API/tests/CustomGlobalObjectClassTest.c:
        * API/tests/DateTests.mm:
        * API/tests/JSExportTests.mm:
        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * API/tests/Node.c:
        * API/tests/NodeList.c:
        * API/tests/minidom.c:
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.cpp: Added.
        (APIString::APIString):
        (APIString::~APIString):
        (APIString::operator JSStringRef):
        (APIContext::APIContext):
        (APIContext::~APIContext):
        (APIContext::operator JSGlobalContextRef):
        (APIVector::APIVector):
        (APIVector::~APIVector):
        (APIVector::append):
        (testCAPIViaCpp):
        (TestAPI::evaluateScript):
        (TestAPI::callFunction):
        (TestAPI::functionReturnsTrue):
        (TestAPI::check):
        (TestAPI::checkJSAndAPIMatch):
        (TestAPI::interestingObjects):
        (TestAPI::interestingKeys):
        (TestAPI::run):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * config.h:
        * postprocess-headers.sh:
        * shell/CMakeLists.txt:
        * testmem/testmem.mm:

2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Call Typed Array elements toLocaleString with locale and options
        https://bugs.webkit.org/show_bug.cgi?id=185796

        Reviewed by Keith Miller.

        Improve ECMA 402 compliance of typed array toLocaleString, passing along
        the locale and options to element toLocaleString calls.

        * builtins/TypedArrayPrototype.js:
        (toLocaleString):

2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Intl constructor lengths should be configurable
        https://bugs.webkit.org/show_bug.cgi?id=187960

        Reviewed by Saam Barati.

        Removed DontDelete from Intl constructor lengths.
        Fixed DateTimeFormat formatToParts length.

        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::finishCreation):

2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>

        runJITThreadLimitTests is failing
        https://bugs.webkit.org/show_bug.cgi?id=187886
        <rdar://problem/42561966>

        Unreviewed build fix for MSVC.

        MSVC doesn't support the ternary operator without a second operand.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::getNumberOfDFGCompilerThreads):
        (JSC::DFG::getNumberOfFTLCompilerThreads):

2018-07-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r234183.
        https://bugs.webkit.org/show_bug.cgi?id=187983

        cause regression in Kraken gaussian blur and desaturate
        (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] Record CoW status in ArrayProfile"
        https://bugs.webkit.org/show_bug.cgi?id=187949
        https://trac.webkit.org/changeset/234183

2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Record CoW status in ArrayProfile
        https://bugs.webkit.org/show_bug.cgi?id=187949

        Reviewed by Saam Barati.

        Once a CoW array is converted to a non-CoW array, subsequent operations are done on this non-CoW array.
        Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
        in this code typically record only non-CoW arrays since array profiles hold only the one StructureID most
        recently seen. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR
        exits due to CoW arrays.

        In this patch, we record CoW status in ArrayProfile separately to construct a more appropriate DFG::ArrayMode
        speculation. To do so efficiently, we store the union of seen IndexingModes in ArrayProfile.

        This patch removes one of Kraken/stanford-crypto-aes's OSR exit reasons, and improves the performance by 6-7%.

                                      baseline                  patched

        stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
        stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
        * bytecode/ArrayProfile.h:
        (JSC::asArrayModes):
        We simplify asArrayModes instead of giving up the Int8ArrayMode - Float64ArrayMode contiguous sequence.

        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfObservedIndexingModes):
        (JSC::ArrayProfile::observedIndexingModes const):
        Currently, our macro assembler and offlineasm only support the `or32` / `ori` operation on addresses.
        So we store the union of seen IndexingModes in an `unsigned` instead.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withProfile const):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-07-24  Tim Horton  <timothy_horton@apple.com>

        Enable Web Content Filtering on watchOS
        https://bugs.webkit.org/show_bug.cgi?id=187979
        <rdar://problem/42559346>

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:

2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>

        Don't modify Options when setting JIT thread limits
        https://bugs.webkit.org/show_bug.cgi?id=187886

        Reviewed by Filip Pizlo.

        Previously, when setting the JIT thread limit prior to the worklist
        initialization, it'd be set via Options, which didn't work if Options
        hadn't been initialized yet. Change it to use a static variable in the
        Worklist instead.

        * API/JSVirtualMachine.mm:
        (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
        (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::getNumberOfDFGCompilerThreads):
        (JSC::DFG::getNumberOfFTLCompilerThreads):
        (JSC::DFG::setNumberOfDFGCompilerThreads):
        (JSC::DFG::setNumberOfFTLCompilerThreads):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:

2018-07-24  Mark Lam  <mark.lam@apple.com>

        Refactoring: make DFG::Plan a class.
        https://bugs.webkit.org/show_bug.cgi?id=187968

        Reviewed by Saam Barati.

        This patch makes all the DFG::Plan fields private, and provides accessor methods
        for them.  This makes it easier to reason about how these fields are used and
        modified.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::injectOSR):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGCommonData.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFinalizer.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::watchCondition):
        (JSC::DFG::Graph::inferredTypeFor):
        (JSC::DFG::Graph::requiredRegisterCountForExit):
        (JSC::DFG::Graph::registerFrozenValues):
        (JSC::DFG::Graph::registerStructure):
        (JSC::DFG::Graph::registerAndWatchStructureTransition):
        (JSC::DFG::Graph::assertIsRegistered):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::compilation):
        (JSC::DFG::Graph::identifiers):
        (JSC::DFG::Graph::watchpoints):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::disassemble):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReference):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::computeCompileTimes const):
        (JSC::DFG::Plan::reportCompileTimes const):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::isStillValid):
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        (JSC::DFG::Plan::key):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::finalizeInGC):
        (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
        * dfg/DFGPlan.h:
        (JSC::DFG::Plan::canTierUpAndOSREnter const):
        (JSC::DFG::Plan::vm const):
        (JSC::DFG::Plan::codeBlock):
        (JSC::DFG::Plan::mode const):
        (JSC::DFG::Plan::osrEntryBytecodeIndex const):
        (JSC::DFG::Plan::mustHandleValues const):
        (JSC::DFG::Plan::threadData const):
        (JSC::DFG::Plan::compilation const):
        (JSC::DFG::Plan::finalizer const):
        (JSC::DFG::Plan::setFinalizer):
        (JSC::DFG::Plan::inlineCallFrames const):
        (JSC::DFG::Plan::watchpoints):
        (JSC::DFG::Plan::identifiers):
        (JSC::DFG::Plan::weakReferences):
        (JSC::DFG::Plan::transitions):
        (JSC::DFG::Plan::recordedStatuses):
        (JSC::DFG::Plan::willTryToTierUp const):
        (JSC::DFG::Plan::setWillTryToTierUp):
        (JSC::DFG::Plan::tierUpInLoopHierarchy):
        (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
        (JSC::DFG::Plan::stage const):
        (JSC::DFG::Plan::callback const):
        (JSC::DFG::Plan::setCallback):
        * dfg/DFGPlanInlines.h:
        (JSC::DFG::Plan::iterateCodeBlocksForGC):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::begin):
        * dfg/DFGSafepoint.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM const):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
        * dfg/DFGWorklistInlines.h:
        (JSC::DFG::Worklist::iterateCodeBlocksForGC):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
        (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):

2018-07-24  Saam Barati  <sbarati@apple.com>

        Make VM::canUseJIT an inlined function
        https://bugs.webkit.org/show_bug.cgi?id=187583

        Reviewed by Mark Lam.

        We know the answer to this query in initializeThreading after initializing
        the executable allocator. This patch makes it so that we just hold this value
        in a static variable and have an inlined function that just returns the value
        of that static variable.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/VM.cpp:
        (JSC::VM::computeCanUseJIT):
        (JSC::VM::canUseJIT): Deleted.
        * runtime/VM.h:
        (JSC::VM::canUseJIT):

2018-07-24  Mark Lam  <mark.lam@apple.com>

        Placate exception check verification after recent changes.
        https://bugs.webkit.org/show_bug.cgi?id=187961
        <rdar://problem/42545394>

        Reviewed by Saam Barati.

        * runtime/IntlObject.cpp:
        (JSC::intlNumberOption):

2018-07-23  Saam Barati  <sbarati@apple.com>

        need to didFoldClobberWorld when we constant fold GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=187917
        <rdar://problem/42505095>

        Reviewed by Yusuke Suzuki.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Language tags are not canonicalized
        https://bugs.webkit.org/show_bug.cgi?id=185836

        Reviewed by Keith Miller.

        Canonicalize language tags, replacing deprecated tag parts with the
        preferred values. Remove broken support for algorithmic numbering systems,
        which can cause an error in ICU and are not supported in other engines.

        Generate the lookup functions from the language-subtag-registry.

        Also initialize the UNumberFormat in initializeNumberFormat so any
        failures are thrown immediately instead of failing to format later.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/generateIntlCanonicalizeLanguage.py: Added.
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatNumber):
        (JSC::IntlNumberFormat::formatToParts):
        (JSC::IntlNumberFormat::createNumberFormat): Deleted.
        * runtime/IntlNumberFormat.h:
        * runtime/IntlObject.cpp:
        (JSC::intlNumberOption):
        (JSC::intlDefaultNumberOption):
        (JSC::preferredLanguage):
        (JSC::preferredRegion):
        (JSC::canonicalLangTag):
        (JSC::canonicalizeLanguageTag):
        (JSC::defaultLocale):
        (JSC::removeUnicodeLocaleExtension):
        (JSC::numberingSystemsForLocale):
        (JSC::grandfatheredLangTag): Deleted.
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::initializePluralRules):
        * runtime/JSGlobalObject.cpp:
        (JSC::addMissingScriptLocales):
        (JSC::JSGlobalObject::intlCollatorAvailableLocales):
        (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
        (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
        * ucd/language-subtag-registry.txt: Added.

2018-07-23  Mark Lam  <mark.lam@apple.com>

        Add some asserts to help diagnose a crash.
        https://bugs.webkit.org/show_bug.cgi?id=187915
        <rdar://problem/42508166>

        Reviewed by Michael Saboff.

        Add some asserts to verify that a CodeBlock alternative should always have a
        non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
        CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
        so that we'll retain the state of the variables that failed the assertion (again
        to help with diagnosis).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setAlternative):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):

2018-07-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix no-JIT build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/InByIdStatus.cpp:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):

2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
        https://bugs.webkit.org/show_bug.cgi?id=187891

        Reviewed by Saam Barati.

        When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
        two variants are mergeable but they have "Miss" status. We make merging fail if
        the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
        if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL,
        since that patch has more chances to merge variants.

        This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
        is not related since it does not use this check in the Transition case.

        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::attemptToMerge):
        * bytecode/InByIdVariant.cpp:
        (JSC::InByIdVariant::attemptToMerge):

2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Fold GetByVal if the indexed value is non configurable and non writable
        https://bugs.webkit.org/show_bug.cgi?id=186462

        Reviewed by Saam Barati.

        A non-special DontDelete | ReadOnly property means that it won't be changed. If DFG AI can retrieve this
        property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
        Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.

        This patch attempts to fold such properties into constants in DFG AI. The challenge is that DFG AI runs
        concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
        and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
        attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
        changed and we can safely use it. We arrange our existing code to use this protocol.

        Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled on the x86 architecture
        since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only on x86.

        This patch improves SixSpeed/template_string_tag.es6.

                                          baseline                  patched

        template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        (JSC::JSObject::putIndexedDescriptor): Deleted.
        * runtime/JSObject.h:
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::SparseArrayValueMap):
        (JSC::SparseArrayValueMap::add):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::SparseArrayValueMap::getConcurrently):
        (JSC::SparseArrayEntry::get const):
        (JSC::SparseArrayEntry::getConcurrently const):
        (JSC::SparseArrayEntry::put):
        (JSC::SparseArrayEntry::getNonSparseMode const):
        (JSC::SparseArrayValueMap::visitChildren):
        (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
        * runtime/SparseArrayValueMap.h:
        (JSC::SparseArrayEntry::SparseArrayEntry):
        (JSC::SparseArrayEntry::attributes const):
        (JSC::SparseArrayEntry::forceSet):
        (JSC::SparseArrayEntry::asValue):

2018-06-02  Filip Pizlo  <fpizlo@apple.com>

        We should support CreateThis in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=164904

        Reviewed by Yusuke Suzuki.

        This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
        inference adventure.

        CreateThis in the FTL was a massive regression in raytrace because it disturbed that
        benchmark's extremely perverse way of winning at type inference:

        - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
          the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
          benchmark was falling back to other mechanisms...

        - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
          see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
          GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
          that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
          The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
          is larger than our polymorphic list limit (limit = 8, case count = 13, I think).

          Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
          into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
          baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
          helper because it had a CreateThis.

        - Compilations that inlined the construction helper would have gotten super lucky with
          parse-time constant folding, so they knew what structure the input to the get_by_id would
          have at parse time. This is only profitable if the get_by_id parsing computed a
          GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
          the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
731           cases, we would indeed get a finite number of cases. The parser would then prune those
732           cases to just one - based on its knowledge of the structure - and that would result in that
733           get_by_id being folded at parse time to a constant.
734         
735         - The subsequent op_call would inline based on parse-time knowledge of that constant.
736         
737         This patch comprehensively fixes these issues, as well as other issues that come up along the
738         way. The short version is that raytrace was revealing sloppiness in our use of profiling for
739         type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
740         i.e. the profiling that considers call context. I was encouraged to do this by the fact that
741         even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
742         Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
743         attack raytrace's problem as a shortcoming of polyvariant profiling.
744         
745         - Polyvariant profiling now consults every DFG or FTL code block that participated in any
746           subset of the inline stack that includes the IC we're profiling. For example, if we have
747           an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
748           compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
749           up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
750           a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
751           polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
752           from polyvariant profiling. Previously, the polyvariant profiler would only look at the
753           previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
754           had inlined bar and then baz. It may not have done that, because those calls could have
755           required polyvariant profiling that was only available in the FTL.
756           
757         - A particularly interesting case is when some IC in foo-baseline is also available in
758           foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
759           In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
760           the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
761           find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
762           merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
763           because it warns us of historical polymorphism. Historical polymorphism usually means
764           future polymorphism. IC status code already had some merging functionality, but I needed to
765           beef it up a lot to make this work right.
766         
767         - Inlining an inline cache now preserves as much information as profiling. One challenge of
768           polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
769           inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
770           (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
771           say "I don't have such an IC". At this point the DFG compilation that included that IC that
772           gave us the information that we used to inline the IC is no longer alive. To keep us from
773           losing the information we learned about the IC, there is now a RecordedStatuses data
774           structure that preserves the statuses we use for inlining ICs. We also filter those
775           statuses according to things we learn from AI. This further reduces the risk of information
776           about an IC being forgotten.
777         
778         - Exit profiling now considers whether or not an exit happened from inline code. This
779           protects us in the case where the not-inlined version of an IC exited a lot because of
780           polymorphism that doesn't exist in the inlined version. So, when using polyvariant
781           profiling data, we consider only inlined exits.
782         
783         - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
784           would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
785           surprising that we've had this bug.
786         
787         Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
788         microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
789         Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
790         prototype access folding in the bytecode parser and constant folder. That would require some
791         significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
792         have a test that captures raytrace's behavior in the case that the parser cannot fold the
793         get_by_id.
794         
795         This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
796         recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
797         compile time regression anytime we fill in FTL coverage.
798         
799         This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
800         speeds up and that raytrace slows down, but these changes balance out and don't affect the
801         overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
802         or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
803         0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
804         see a significant difference. In all three cases the difference is <0.5% with a high p value,
805         with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
806         an insignificant infinitesimal slow-down.
807         
808         Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
809         eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
810         flow in a polymorphic constructor while having a bad time, and we'll still compile it.
811
812         * CMakeLists.txt:
813         * JavaScriptCore.xcodeproj/project.pbxproj:
814         * Sources.txt:
815         * bytecode/ByValInfo.h:
816         * bytecode/BytecodeDumper.cpp:
817         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
818         (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
819         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
820         (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
821         (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
822         (JSC::BytecodeDumper<Block>::printCallOp):
823         (JSC::BytecodeDumper<Block>::dumpBytecode):
824         (JSC::BytecodeDumper<Block>::dumpBlock):
825         * bytecode/BytecodeDumper.h:
826         * bytecode/CallLinkInfo.h:
827         * bytecode/CallLinkStatus.cpp:
828         (JSC::CallLinkStatus::computeFor):
829         (JSC::CallLinkStatus::computeExitSiteData):
830         (JSC::CallLinkStatus::computeFromCallLinkInfo):
831         (JSC::CallLinkStatus::accountForExits):
832         (JSC::CallLinkStatus::finalize):
833         (JSC::CallLinkStatus::filter):
834         (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
835         * bytecode/CallLinkStatus.h:
836         (JSC::CallLinkStatus::operator bool const):
837         (JSC::CallLinkStatus::operator! const): Deleted.
838         * bytecode/CallVariant.cpp:
839         (JSC::CallVariant::finalize):
840         (JSC::CallVariant::filter):
841         * bytecode/CallVariant.h:
842         (JSC::CallVariant::operator bool const):
843         (JSC::CallVariant::operator! const): Deleted.
844         * bytecode/CodeBlock.cpp:
845         (JSC::CodeBlock::dumpBytecode):
846         (JSC::CodeBlock::propagateTransitions):
847         (JSC::CodeBlock::finalizeUnconditionally):
848         (JSC::CodeBlock::getICStatusMap):
849         (JSC::CodeBlock::resetJITData):
850         (JSC::CodeBlock::getStubInfoMap): Deleted.
851         (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
852         (JSC::CodeBlock::getByValInfoMap): Deleted.
853         * bytecode/CodeBlock.h:
854         * bytecode/CodeOrigin.cpp:
855         (JSC::CodeOrigin::isApproximatelyEqualTo const):
856         (JSC::CodeOrigin::approximateHash const):
857         * bytecode/CodeOrigin.h:
858         (JSC::CodeOrigin::exitingInlineKind const):
859         * bytecode/DFGExitProfile.cpp:
860         (JSC::DFG::FrequentExitSite::dump const):
861         (JSC::DFG::ExitProfile::add):
862         * bytecode/DFGExitProfile.h:
863         (JSC::DFG::FrequentExitSite::FrequentExitSite):
864         (JSC::DFG::FrequentExitSite::operator== const):
865         (JSC::DFG::FrequentExitSite::subsumes const):
866         (JSC::DFG::FrequentExitSite::hash const):
867         (JSC::DFG::FrequentExitSite::inlineKind const):
868         (JSC::DFG::FrequentExitSite::withInlineKind const):
869         (JSC::DFG::QueryableExitProfile::hasExitSite const):
870         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
871         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
872         * bytecode/ExitFlag.cpp: Added.
873         (JSC::ExitFlag::dump const):
874         * bytecode/ExitFlag.h: Added.
875         (JSC::ExitFlag::ExitFlag):
876         (JSC::ExitFlag::operator| const):
877         (JSC::ExitFlag::operator|=):
878         (JSC::ExitFlag::operator& const):
879         (JSC::ExitFlag::operator&=):
880         (JSC::ExitFlag::operator bool const):
881         (JSC::ExitFlag::isSet const):
882         * bytecode/ExitingInlineKind.cpp: Added.
883         (WTF::printInternal):
884         * bytecode/ExitingInlineKind.h: Added.
885         * bytecode/GetByIdStatus.cpp:
886         (JSC::GetByIdStatus::computeFor):
887         (JSC::GetByIdStatus::computeForStubInfo):
888         (JSC::GetByIdStatus::slowVersion const):
889         (JSC::GetByIdStatus::markIfCheap):
890         (JSC::GetByIdStatus::finalize):
891         (JSC::GetByIdStatus::hasExitSite): Deleted.
892         * bytecode/GetByIdStatus.h:
893         * bytecode/GetByIdVariant.cpp:
894         (JSC::GetByIdVariant::markIfCheap):
895         (JSC::GetByIdVariant::finalize):
896         * bytecode/GetByIdVariant.h:
897         * bytecode/ICStatusMap.cpp: Added.
898         (JSC::ICStatusContext::get const):
899         (JSC::ICStatusContext::isInlined const):
900         (JSC::ICStatusContext::inlineKind const):
901         * bytecode/ICStatusMap.h: Added.
902         * bytecode/ICStatusUtils.cpp: Added.
903         (JSC::hasBadCacheExitSite):
904         * bytecode/ICStatusUtils.h:
905         * bytecode/InstanceOfStatus.cpp:
906         (JSC::InstanceOfStatus::computeFor):
907         * bytecode/InstanceOfStatus.h:
908         * bytecode/PolyProtoAccessChain.h:
909         * bytecode/PutByIdStatus.cpp:
910         (JSC::PutByIdStatus::hasExitSite):
911         (JSC::PutByIdStatus::computeFor):
912         (JSC::PutByIdStatus::slowVersion const):
913         (JSC::PutByIdStatus::markIfCheap):
914         (JSC::PutByIdStatus::finalize):
915         (JSC::PutByIdStatus::filter):
916         * bytecode/PutByIdStatus.h:
917         * bytecode/PutByIdVariant.cpp:
918         (JSC::PutByIdVariant::markIfCheap):
919         (JSC::PutByIdVariant::finalize):
920         * bytecode/PutByIdVariant.h:
921         (JSC::PutByIdVariant::structureSet const):
922         * bytecode/RecordedStatuses.cpp: Added.
923         (JSC::RecordedStatuses::operator=):
924         (JSC::RecordedStatuses::RecordedStatuses):
925         (JSC::RecordedStatuses::addCallLinkStatus):
926         (JSC::RecordedStatuses::addGetByIdStatus):
927         (JSC::RecordedStatuses::addPutByIdStatus):
928         (JSC::RecordedStatuses::markIfCheap):
929         (JSC::RecordedStatuses::finalizeWithoutDeleting):
930         (JSC::RecordedStatuses::finalize):
931         (JSC::RecordedStatuses::shrinkToFit):
932         * bytecode/RecordedStatuses.h: Added.
933         (JSC::RecordedStatuses::RecordedStatuses):
934         (JSC::RecordedStatuses::forEachVector):
935         * bytecode/StructureSet.cpp:
936         (JSC::StructureSet::markIfCheap const):
937         (JSC::StructureSet::isStillAlive const):
938         * bytecode/StructureSet.h:
939         * bytecode/TerminatedCodeOrigin.h: Added.
940         (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
941         (JSC::TerminatedCodeOriginHashTranslator::hash):
942         (JSC::TerminatedCodeOriginHashTranslator::equal):
943         * bytecode/Watchpoint.cpp:
944         (WTF::printInternal):
945         * bytecode/Watchpoint.h:
946         * dfg/DFGAbstractInterpreter.h:
947         * dfg/DFGAbstractInterpreterInlines.h:
948         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
949         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
950         * dfg/DFGByteCodeParser.cpp:
951         (JSC::DFG::ByteCodeParser::handleCall):
952         (JSC::DFG::ByteCodeParser::handleVarargsCall):
953         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
954         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
955         (JSC::DFG::ByteCodeParser::handleGetById):
956         (JSC::DFG::ByteCodeParser::handlePutById):
957         (JSC::DFG::ByteCodeParser::parseBlock):
958         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
959         (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
960         (JSC::DFG::ByteCodeParser::parse):
961         * dfg/DFGClobberize.h:
962         (JSC::DFG::clobberize):
963         * dfg/DFGClobbersExitState.cpp:
964         (JSC::DFG::clobbersExitState):
965         * dfg/DFGCommonData.h:
966         * dfg/DFGConstantFoldingPhase.cpp:
967         (JSC::DFG::ConstantFoldingPhase::foldConstants):
968         * dfg/DFGDesiredWatchpoints.h:
969         (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
970         * dfg/DFGDoesGC.cpp:
971         (JSC::DFG::doesGC):
972         * dfg/DFGFixupPhase.cpp:
973         (JSC::DFG::FixupPhase::fixupNode):
974         * dfg/DFGGraph.cpp:
975         (JSC::DFG::Graph::dump):
976         * dfg/DFGMayExit.cpp:
977         * dfg/DFGNode.h:
978         (JSC::DFG::Node::hasCallLinkStatus):
979         (JSC::DFG::Node::callLinkStatus):
980         (JSC::DFG::Node::hasGetByIdStatus):
981         (JSC::DFG::Node::getByIdStatus):
982         (JSC::DFG::Node::hasPutByIdStatus):
983         (JSC::DFG::Node::putByIdStatus):
984         * dfg/DFGNodeType.h:
985         * dfg/DFGOSRExitBase.cpp:
986         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
987         * dfg/DFGObjectAllocationSinkingPhase.cpp:
988         * dfg/DFGPlan.cpp:
989         (JSC::DFG::Plan::reallyAdd):
990         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
991         (JSC::DFG::Plan::finalizeInGC):
992         * dfg/DFGPlan.h:
993         * dfg/DFGPredictionPropagationPhase.cpp:
994         * dfg/DFGSafeToExecute.h:
995         (JSC::DFG::safeToExecute):
996         * dfg/DFGSpeculativeJIT32_64.cpp:
997         (JSC::DFG::SpeculativeJIT::compile):
998         * dfg/DFGSpeculativeJIT64.cpp:
999         (JSC::DFG::SpeculativeJIT::compile):
1000         * dfg/DFGStrengthReductionPhase.cpp:
1001         (JSC::DFG::StrengthReductionPhase::handleNode):
1002         * dfg/DFGWorklist.cpp:
1003         (JSC::DFG::Worklist::removeDeadPlans):
1004         * ftl/FTLAbstractHeapRepository.h:
1005         * ftl/FTLCapabilities.cpp:
1006         (JSC::FTL::canCompile):
1007         * ftl/FTLLowerDFGToB3.cpp:
1008         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1009         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
1010         (JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus):
1011         * jit/PolymorphicCallStubRoutine.cpp:
1012         (JSC::PolymorphicCallStubRoutine::hasEdges const):
1013         (JSC::PolymorphicCallStubRoutine::edges const):
1014         * jit/PolymorphicCallStubRoutine.h:
1015         * profiler/ProfilerBytecodeSequence.cpp:
1016         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1017         * runtime/FunctionRareData.cpp:
1018         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1019         * runtime/Options.h:
1020
1021 2018-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1022
1023         [JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function
1024         https://bugs.webkit.org/show_bug.cgi?id=187472
1025
1026         Reviewed by Mark Lam.
1027
1028         std::function allocates memory from standard malloc instead of bmalloc. Instead of
1029         using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}.
1030
1031         This patch attempts to replace std::function with the above WTF function types.
1032         If the function's lifetime can be the same as the stack's, we can use ScopedLambda, which
1033         is really efficient. Otherwise, we should use WTF::Function.
1034         For recurring use cases, we can use RecursableLambda.
1035
1036         * assembler/MacroAssembler.cpp:
1037         (JSC::stdFunctionCallback):
1038         (JSC::MacroAssembler::probe):
1039         * assembler/MacroAssembler.h:
1040         * b3/air/AirDisassembler.cpp:
1041         (JSC::B3::Air::Disassembler::dump):
1042         * b3/air/AirDisassembler.h:
1043         * bytecompiler/BytecodeGenerator.cpp:
1044         (JSC::BytecodeGenerator::BytecodeGenerator):
1045         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1046         (JSC::BytecodeGenerator::emitEnumeration):
1047         * bytecompiler/BytecodeGenerator.h:
1048         * bytecompiler/NodesCodegen.cpp:
1049         (JSC::ArrayNode::emitBytecode):
1050         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1051         (JSC::ForOfNode::emitBytecode):
1052         * dfg/DFGSpeculativeJIT.cpp:
1053         (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
1054         (JSC::DFG::SpeculativeJIT::compileMathIC):
1055         * dfg/DFGSpeculativeJIT.h:
1056         * dfg/DFGSpeculativeJIT64.cpp:
1057         (JSC::DFG::SpeculativeJIT::compile):
1058         * dfg/DFGValidate.cpp:
1059         * ftl/FTLCompile.cpp:
1060         (JSC::FTL::compile):
1061         * heap/HeapSnapshotBuilder.cpp:
1062         (JSC::HeapSnapshotBuilder::json):
1063         * heap/HeapSnapshotBuilder.h:
1064         * interpreter/StackVisitor.cpp:
1065         (JSC::StackVisitor::Frame::dump const):
1066         * interpreter/StackVisitor.h:
1067         * runtime/PromiseDeferredTimer.h:
1068         * runtime/VM.cpp:
1069         (JSC::VM::whenIdle):
1070         (JSC::enableProfilerWithRespectToCount):
1071         (JSC::disableProfilerWithRespectToCount):
1072         * runtime/VM.h:
1073         * runtime/VMEntryScope.cpp:
1074         (JSC::VMEntryScope::addDidPopListener):
1075         * runtime/VMEntryScope.h:
1076         * tools/HeapVerifier.cpp:
1077         (JSC::HeapVerifier::verifyCellList):
1078         (JSC::HeapVerifier::validateCell):
1079         (JSC::HeapVerifier::validateJSCell):
1080         * tools/HeapVerifier.h:
1081
1082 2018-07-20  Michael Saboff  <msaboff@apple.com>
1083
1084         DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
1085         https://bugs.webkit.org/show_bug.cgi?id=187827
1086         rdar://problem/42146858
1087
1088         Reviewed by Saam Barati.
1089
1090         When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
1091         that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
1092         We can't end up with other shapes, Int32, Double, etc. because GenericArguments sets
1093         InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
1094         putByIndex() path that doesn't change the shape.
1095
1096         * dfg/DFGArrayMode.h:
1097         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1098
1099 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1100
1101         [DFG] Fold GetByVal if Array is CoW
1102         https://bugs.webkit.org/show_bug.cgi?id=186459
1103
1104         Reviewed by Saam Barati.
1105
1106         CoW indexing type means that we now track the changes in CoW Array by structure. So DFG has a chance to
1107         fold GetByVal if the given array is CoW. This patch folds GetByVal onto the CoW Array. If the structure
1108         is watched and the butterfly is JSImmutableButterfly, we can load the value from this butterfly.
1109
1110         This can be useful since these CoW arrays are used as storage for constants. Constant-indexed access
1111         to these constant arrays can be folded into an actual constant by this patch.
1112
1113                                            baseline                  patched
1114
1115         template_string.es6          4993.9853+-147.5308   ^    824.1685+-44.1839       ^ definitely 6.0594x faster
1116         template_string_tag.es5        67.0822+-2.0100     ^      9.3540+-0.5376        ^ definitely 7.1715x faster
1117
1118         * dfg/DFGAbstractInterpreterInlines.h:
1119         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1120
1121 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1122
1123         [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
1124         https://bugs.webkit.org/show_bug.cgi?id=186602
1125
1126         Reviewed by Saam Barati.
1127
1128         JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
1129         change the part of the butterfly, length etc. We prove that our procedure is safe, and
1130         drop the cellLock() here.
1131
1132         * runtime/JSObject.cpp:
1133         (JSC::JSObject::convertContiguousToArrayStorage):
1134
1135 2018-07-20  Saam Barati  <sbarati@apple.com>
1136
1137         CompareEq should be using KnownOtherUse instead of OtherUse
1138         https://bugs.webkit.org/show_bug.cgi?id=186814
1139         <rdar://problem/39720030>
1140
1141         Reviewed by Filip Pizlo.
1142
1143         CompareEq in fixup phase was doing this:
1144         insertCheck(child, OtherUse)
1145         setUseKind(child, OtherUse)
1146         And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
1147         lead to edge verification crashing because a phase may optimize the check out
1148         by removing the node. However, AI may not be privy to that optimization, and
1149         AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
1150         backend to actually emit a check here, but it does not.
1151         
1152         This exact pattern is why we have KnownXYZ use kinds. This patch introduces
1153         KnownOtherUse and changes the above pattern to be:
1154         insertCheck(child, OtherUse)
1155         setUseKind(child, KnownOtherUse)
1156
1157         * dfg/DFGFixupPhase.cpp:
1158         (JSC::DFG::FixupPhase::fixupNode):
1159         * dfg/DFGSafeToExecute.h:
1160         (JSC::DFG::SafeToExecuteEdge::operator()):
1161         * dfg/DFGSpeculativeJIT.cpp:
1162         (JSC::DFG::SpeculativeJIT::speculate):
1163         * dfg/DFGUseKind.cpp:
1164         (WTF::printInternal):
1165         * dfg/DFGUseKind.h:
1166         (JSC::DFG::typeFilterFor):
1167         (JSC::DFG::shouldNotHaveTypeCheck):
1168         (JSC::DFG::checkMayCrashIfInputIsEmpty):
1169         * dfg/DFGWatchpointCollectionPhase.cpp:
1170         (JSC::DFG::WatchpointCollectionPhase::handle):
1171         * ftl/FTLCapabilities.cpp:
1172         (JSC::FTL::canCompile):
1173         * ftl/FTLLowerDFGToB3.cpp:
1174         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
1175         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1176
1177 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1178
1179         [JSC] A bit of a performance improvement for Object.assign by cleaning up code
1180         https://bugs.webkit.org/show_bug.cgi?id=187852
1181
1182         Reviewed by Saam Barati.
1183
1184         We clean up Object.assign code a bit.
1185
1186         1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
1187         2. canDoFastPath is not necessary. Restructuring the code to clean up things.
1188
1189         It improves the performance a bit.
1190
1191                                     baseline                  patched
1192
1193         object-assign.es6      237.7719+-5.5175          231.2856+-4.6907          might be 1.0280x faster
1194
1195         * runtime/ObjectConstructor.cpp:
1196         (JSC::objectConstructorAssign):
1197
1198 2018-07-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1199
1200         [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
1201         https://bugs.webkit.org/show_bug.cgi?id=187798
1202
1203         Reviewed by Michael Catanzaro.
1204
1205         Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
1206         jsc_value_new_object() because indeed we are creating a new object. This makes the destroy function and vtable
1207         functions work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
1208         patch adds JSAPIWrapperGlobalObject for that.
1209
1210         * API/glib/JSAPIWrapperGlobalObject.cpp: Added.
1211         (jsAPIWrapperGlobalObjectHandleOwner):
1212         (JSAPIWrapperGlobalObjectHandleOwner::finalize):
1213         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
1214         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
1215         (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
1216         (JSC::JSAPIWrapperGlobalObject::finishCreation):
1217         (JSC::JSAPIWrapperGlobalObject::visitChildren):
1218         * API/glib/JSAPIWrapperGlobalObject.h: Added.
1219         (JSC::JSAPIWrapperGlobalObject::wrappedObject const):
1220         (JSC::JSAPIWrapperGlobalObject::setWrappedObject):
1221         * API/glib/JSCClass.cpp:
1222         (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
1223         (wrappedObjectClass): Return the class of a wrapped object.
1224         (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
1225         scope extension global object is used instead.
1226         (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
1227         (setProperty): Ditto.
1228         (hasProperty): Ditto.
1229         (deleteProperty): Ditto.
1230         (getPropertyNames): Ditto.
1231         (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
1232         * API/glib/JSCClassPrivate.h:
1233         * API/glib/JSCContext.cpp:
1234         (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
1235         (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
1236         * API/glib/JSCContext.h:
1237         * API/glib/JSCContextPrivate.h:
1238         * API/glib/JSCWrapperMap.cpp:
1239         (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
1240         when a JSCClass is used to create the JSAPIWrapperGlobalObject.
1241         (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
1242         * API/glib/JSCWrapperMap.h:
1243         * GLib.cmake:
1244
1245 2018-07-19  Saam Barati  <sbarati@apple.com>
1246
1247         Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
1248         https://bugs.webkit.org/show_bug.cgi?id=187836
1249         <rdar://problem/42409527>
1250
1251         Reviewed by Mark Lam.
1252
1253         We have crash reports that we're crashing on source->getDirect in Object.assign's
1254         fast path. Mark investigated this and determined we end up with a nullptr for
1255         butterfly. This is curious, because source's Structure indicated that it has
1256         out of line properties. My leading hypothesis for this at the moment is a bit
1257         handwavy, but it's essentially:
1258         - We end up firing a watchpoint when assigning to the target (this can happen
1259         if a watchpoint was set up for storing to that particular field)
1260         - When we fire that watchpoint, we end up doing some kind of work on the source,
1261         perhaps causing it to flattenDictionaryStructure. Therefore, we end up
1262         mutating source.
1263         
1264         I'm not super convinced this is what we're running into, but just by reading
1265         the code, I think it needs to be something similar to this. Seeing if this change
1266         fixes the crasher will give us good data to determine if something like this is
1267         happening or if the bug is something else entirely.
1268
1269         * runtime/ObjectConstructor.cpp:
1270         (JSC::objectConstructorAssign):
1271
1272 2018-07-19  Commit Queue  <commit-queue@webkit.org>
1273
1274         Unreviewed, rolling out r233998.
1275         https://bugs.webkit.org/show_bug.cgi?id=187815
1276
1277         Not needed. (Requested by mlam|a on #webkit).
1278
1279         Reverted changeset:
1280
1281         "Temporarily mitigate a bug where a source provider is null
1282         when it shouldn't be."
1283         https://bugs.webkit.org/show_bug.cgi?id=187812
1284         https://trac.webkit.org/changeset/233998
1285
1286 2018-07-19  Mark Lam  <mark.lam@apple.com>
1287
1288         Temporarily mitigate a bug where a source provider is null when it shouldn't be.
1289         https://bugs.webkit.org/show_bug.cgi?id=187812
1290         <rdar://problem/41192691>
1291
1292         Reviewed by Michael Saboff.
1293
1294         Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.
1295
1296         * runtime/Error.cpp:
1297         (JSC::addErrorInfo):
1298
1299 2018-07-19  Keith Rollin  <krollin@apple.com>
1300
1301         Adjust WEBCORE_EXPORT annotations for LTO
1302         https://bugs.webkit.org/show_bug.cgi?id=187781
1303         <rdar://problem/42351124>
1304
1305         Reviewed by Alex Christensen.
1306
1307         Continuation of Bug 186944. This bug addresses issues not caught
1308         during the first pass of adjustments. The initial work focussed on
1309         macOS; this one addresses issues found when building for iOS. From
1310         186944:
1311
1312         Adjust a number of places that result in WebKit's
1313         'check-for-weak-vtables-and-externals' script reporting weak external
1314         symbols:
1315
1316             ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
1317             ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
1318             ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
1319             ...
1320
1321         These cases are caused by inline methods being marked with WTF_EXPORT
1322         (or related macro) or with an inline function being in a class marked
1323         as such, and when enabling LTO builds.
1324
1325         For the most part, address these by removing the WEBCORE_EXPORT
1326         annotation from inline methods. In some cases, move the implementation
1327         out-of-line because it's the class that has the WEBCORE_EXPORT on it
1328         and removing the annotation from the class would be too disruptive.
1329         Finally, in other cases, move the implementation out-of-line because
1330         check-for-weak-vtables-and-externals still complains when keeping the
1331         implementation inline and removing the annotation; this seems to
1332         typically (but not always) happen with destructors.
1333
1334         * inspector/remote/RemoteAutomationTarget.cpp:
1335         (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
1336         * inspector/remote/RemoteAutomationTarget.h:
1337         * inspector/remote/RemoteInspector.cpp:
1338         (Inspector::RemoteInspector::Client::~Client):
1339         * inspector/remote/RemoteInspector.h:
1340
1341 2018-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1342
1343         Unreviewed, check scope after performing getPropertySlot in JSON.stringify
1344         https://bugs.webkit.org/show_bug.cgi?id=187807
1345
1346         Properly putting EXCEPTION_ASSERT to tell our exception checker mechanism
1347         that we know about that exception occurrence and handle it well.
1348
1349         * runtime/JSONObject.cpp:
1350         (JSC::Stringifier::Holder::appendNextProperty):
1351
1352 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1353
1354         [JSC] Reduce size of AST nodes
1355         https://bugs.webkit.org/show_bug.cgi?id=187689
1356
1357         Reviewed by Mark Lam.
1358
1359         We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
1360         of ParserArena at peak state.
1361
1362         1. Annotate `final` to AST nodes to make them solid. And it allows the compiler to
1363         devirtualize a call to the functions which are implemented in a final class.
1364
1365         2. Use default member initializers more.
1366
1367         3. And use `nullptr` instead of `0`.
1368
1369         4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
1370         of classes in multiple inheritance. In particular, StatementNode is decreased from 48
1371         to 40. This decreases the sizes of all the derived Statement nodes.
1372
1373         * parser/NodeConstructors.h:
1374         (JSC::Node::Node):
1375         (JSC::StatementNode::StatementNode):
1376         (JSC::ElementNode::ElementNode):
1377         (JSC::ArrayNode::ArrayNode):
1378         (JSC::PropertyListNode::PropertyListNode):
1379         (JSC::ObjectLiteralNode::ObjectLiteralNode):
1380         (JSC::ArgumentListNode::ArgumentListNode):
1381         (JSC::ArgumentsNode::ArgumentsNode):
1382         (JSC::NewExprNode::NewExprNode):
1383         (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
1384         (JSC::BinaryOpNode::BinaryOpNode):
1385         (JSC::LogicalOpNode::LogicalOpNode):
1386         (JSC::CommaNode::CommaNode):
1387         (JSC::SourceElements::SourceElements):
1388         (JSC::ClauseListNode::ClauseListNode):
1389         * parser/Nodes.cpp:
1390         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1391         (JSC::FunctionMetadataNode::operator== const):
1392         (JSC::FunctionMetadataNode::dump const):
1393         * parser/Nodes.h:
1394         (JSC::BooleanNode::value): Deleted.
1395         (JSC::StringNode::value): Deleted.
1396         (JSC::TemplateExpressionListNode::value): Deleted.
1397         (JSC::TemplateExpressionListNode::next): Deleted.
1398         (JSC::TemplateStringNode::cooked): Deleted.
1399         (JSC::TemplateStringNode::raw): Deleted.
1400         (JSC::TemplateStringListNode::value): Deleted.
1401         (JSC::TemplateStringListNode::next): Deleted.
1402         (JSC::TemplateLiteralNode::templateStrings const): Deleted.
1403         (JSC::TemplateLiteralNode::templateExpressions const): Deleted.
1404         (JSC::TaggedTemplateNode::templateLiteral const): Deleted.
1405         (JSC::ResolveNode::identifier const): Deleted.
1406         (JSC::ElementNode::elision const): Deleted.
1407         (JSC::ElementNode::value): Deleted.
1408         (JSC::ElementNode::next): Deleted.
1409         (JSC::ArrayNode::elements const): Deleted.
1410         (JSC::PropertyNode::expressionName const): Deleted.
1411         (JSC::PropertyNode::name const): Deleted.
1412         (JSC::PropertyNode::type const): Deleted.
1413         (JSC::PropertyNode::needsSuperBinding const): Deleted.
1414         (JSC::PropertyNode::isClassProperty const): Deleted.
1415         (JSC::PropertyNode::isStaticClassProperty const): Deleted.
1416         (JSC::PropertyNode::isInstanceClassProperty const): Deleted.
1417         (JSC::PropertyNode::isOverriddenByDuplicate const): Deleted.
1418         (JSC::PropertyNode::setIsOverriddenByDuplicate): Deleted.
1419         (JSC::PropertyNode::putType const): Deleted.
1420         (JSC::BracketAccessorNode::base const): Deleted.
1421         (JSC::BracketAccessorNode::subscript const): Deleted.
1422         (JSC::BracketAccessorNode::subscriptHasAssignments const): Deleted.
1423         (JSC::DotAccessorNode::base const): Deleted.
1424         (JSC::DotAccessorNode::identifier const): Deleted.
1425         (JSC::SpreadExpressionNode::expression const): Deleted.
1426         (JSC::ObjectSpreadExpressionNode::expression const): Deleted.
1427         (JSC::BytecodeIntrinsicNode::type const): Deleted.
1428         (JSC::BytecodeIntrinsicNode::emitter const): Deleted.
1429         (JSC::BytecodeIntrinsicNode::identifier const): Deleted.
1430         (JSC::TypeOfResolveNode::identifier const): Deleted.
1431         (JSC::BitwiseNotNode::expr): Deleted.
1432         (JSC::BitwiseNotNode::expr const): Deleted.
1433         (JSC::AssignResolveNode::identifier const): Deleted.
1434         (JSC::ExprStatementNode::expr const): Deleted.
1435         (JSC::ForOfNode::isForAwait const): Deleted.
1436         (JSC::ReturnNode::value): Deleted.
1437         (JSC::ProgramNode::startColumn const): Deleted.
1438         (JSC::ProgramNode::endColumn const): Deleted.
1439         (JSC::EvalNode::startColumn const): Deleted.
1440         (JSC::EvalNode::endColumn const): Deleted.
1441         (JSC::ModuleProgramNode::startColumn const): Deleted.
1442         (JSC::ModuleProgramNode::endColumn const): Deleted.
1443         (JSC::ModuleProgramNode::moduleScopeData): Deleted.
1444         (JSC::ModuleNameNode::moduleName): Deleted.
1445         (JSC::ImportSpecifierNode::importedName): Deleted.
1446         (JSC::ImportSpecifierNode::localName): Deleted.
1447         (JSC::ImportSpecifierListNode::specifiers const): Deleted.
1448         (JSC::ImportSpecifierListNode::append): Deleted.
1449         (JSC::ImportDeclarationNode::specifierList const): Deleted.
1450         (JSC::ImportDeclarationNode::moduleName const): Deleted.
1451         (JSC::ExportAllDeclarationNode::moduleName const): Deleted.
1452         (JSC::ExportDefaultDeclarationNode::declaration const): Deleted.
1453         (JSC::ExportDefaultDeclarationNode::localName const): Deleted.
1454         (JSC::ExportLocalDeclarationNode::declaration const): Deleted.
1455         (JSC::ExportSpecifierNode::exportedName): Deleted.
1456         (JSC::ExportSpecifierNode::localName): Deleted.
1457         (JSC::ExportSpecifierListNode::specifiers const): Deleted.
1458         (JSC::ExportSpecifierListNode::append): Deleted.
1459         (JSC::ExportNamedDeclarationNode::specifierList const): Deleted.
1460         (JSC::ExportNamedDeclarationNode::moduleName const): Deleted.
1461         (JSC::ArrayPatternNode::appendIndex): Deleted.
1462         (JSC::ObjectPatternNode::appendEntry): Deleted.
1463         (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
1464         (JSC::ObjectPatternNode::setContainsComputedProperty): Deleted.
1465         (JSC::DestructuringAssignmentNode::bindings): Deleted.
1466         (JSC::FunctionParameters::size const): Deleted.
1467         (JSC::FunctionParameters::append): Deleted.
1468         (JSC::FunctionParameters::isSimpleParameterList const): Deleted.
1469         (JSC::FuncDeclNode::metadata): Deleted.
1470         (JSC::CaseClauseNode::expr const): Deleted.
1471         (JSC::CaseClauseNode::setStartOffset): Deleted.
1472         (JSC::ClauseListNode::getClause const): Deleted.
1473         (JSC::ClauseListNode::getNext const): Deleted.
1474         * runtime/ExceptionHelpers.cpp:
1475         * runtime/JSObject.cpp:
1476
1477 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1478
1479         JSON.stringify should emit non own properties if second array argument includes
1480         https://bugs.webkit.org/show_bug.cgi?id=187724
1481
1482         Reviewed by Mark Lam.
1483
1484         According to the spec[1], JSON.stringify needs to retrieve properties by using [[Get]],
1485         instead of [[GetOwnProperty]]. It means that we would look up properties defined
1486         in [[Prototype]] or upper objects in the prototype chain. While enumeration is done
1487         by using EnumerableOwnPropertyNames typically, we can pass replacer array including
1488         property names which do not reside in the own properties. Or we can modify the
1489         own properties by deleting properties while JSON.stringify is calling a getter. So,
1490         using [[Get]] instead of [[GetOwnProperty]] is user-visible.
1491
1492         This patch changes getOwnPropertySlot to getPropertySlot to align the behavior to the spec.
1493         The performance of Kraken/json-stringify-tinderbox is neutral.
1494
1495         [1]: https://tc39.github.io/ecma262/#sec-serializejsonproperty
1496
1497         * runtime/JSONObject.cpp:
1498         (JSC::Stringifier::toJSON):
1499         (JSC::Stringifier::toJSONImpl):
1500         (JSC::Stringifier::appendStringifiedValue):
1501         (JSC::Stringifier::Holder::Holder):
1502         (JSC::Stringifier::Holder::appendNextProperty):
1503
1504 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1505
1506         [JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks
1507         https://bugs.webkit.org/show_bug.cgi?id=187755
1508
1509         Reviewed by Mark Lam.
1510
1511         JSON.stringify used `inherits<JSArray>(vm)` to determine whether the given replacer is an array replacer.
1512         But this is wrong. According to the spec, we should use `isArray`[1], which accepts Proxies. This difference
1513         makes one test262 test fail.
1514
1515         This patch changes the code to use `isArray()`. And we reorder the evaluations of replacer check and indent space check
1516         to align these checks to the spec's order.
1517
1518         [1]: https://tc39.github.io/ecma262/#sec-json.stringify
1519
1520         * runtime/JSONObject.cpp:
1521         (JSC::Stringifier::Stringifier):
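Added example, not WebKit code: a plain JavaScript check of the JSON.stringify behaviours described in the two entries above (r187724: properties are read with [[Get]], so a replacer array can pull in inherited values and a getter that deletes a sibling makes the later read fall through to the prototype; r187755: the replacer check is IsArray, so a Proxy around an array is honoured and the replacer is processed before the space argument). All objects, names and values below are constructed for the example.

```javascript
// Added example, not WebKit code: exercises the JSON.stringify behaviours the two
// ChangeLog entries above describe (spec: SerializeJSONProperty uses [[Get]];
// the replacer check uses IsArray, which accepts Proxies).

// 1. A replacer array may list a property that lives on the prototype chain.
//    Because each property is read with [[Get]], it is serialized anyway.
function stringifyInheritedViaReplacerArray() {
  const proto = { inherited: 'from-prototype' };
  const obj = Object.create(proto);
  obj.own = 1;
  return JSON.stringify(obj, ['own', 'inherited']);
}

// 2. Enumeration snapshots the own enumerable keys first, but values are read
//    afterwards with [[Get]]. A getter that deletes a sibling own property makes
//    the later read fall through to the prototype instead of being skipped.
function stringifyWhenGetterDeletesSibling() {
  const proto = { b: 'from-prototype' };
  const obj = Object.create(proto);
  Object.defineProperty(obj, 'a', {
    enumerable: true,
    get() {
      delete obj.b;       // mutate the holder while it is being serialized
      return 'a-value';
    },
  });
  obj.b = 'own-b';        // own 'b' shadows proto 'b' until the getter runs
  return JSON.stringify(obj);
}

// 3. The replacer check is IsArray, so a Proxy wrapping an array is honoured
//    as a property list, while a plain array-like object is ignored.
function stringifyWithProxyReplacer() {
  const replacer = new Proxy(['a'], {});
  return JSON.stringify({ a: 1, b: 2 }, replacer);
}

function stringifyWithArrayLikeReplacer() {
  const arrayLike = { 0: 'a', length: 1 }; // not an Array, not a Proxy to one
  return JSON.stringify({ a: 1, b: 2 }, arrayLike);
}

// 4. Order of evaluation: the replacer is processed before the space argument.
//    A Proxy replacer logs its get traps; a Number wrapper logs its ToNumber step.
function replacerThenSpaceOrder() {
  const log = [];
  const replacer = new Proxy(['a'], {
    get(target, key, receiver) {
      log.push('replacer');
      return Reflect.get(target, key, receiver);
    },
  });
  const space = new Number(2);
  space.valueOf = () => {
    log.push('space');
    return 2;
  };
  JSON.stringify({ a: 1 }, replacer, space);
  return log; // ['replacer', 'replacer', 'space']: length and element reads, then ToNumber(space)
}

console.log(stringifyInheritedViaReplacerArray()); // {"own":1,"inherited":"from-prototype"}
console.log(stringifyWhenGetterDeletesSibling());  // {"a":"a-value","b":"from-prototype"}
console.log(stringifyWithProxyReplacer());         // {"a":1}
console.log(stringifyWithArrayLikeReplacer());     // {"a":1,"b":2}
console.log(replacerThenSpaceOrder());
```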
1522
1523 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1524
1525         [JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable
1526         https://bugs.webkit.org/show_bug.cgi?id=187752
1527
1528         Reviewed by Mark Lam.
1529
1530         JSON.stringify has an implicit root wrapper object since we would like to call replacer
1531         with a wrapper object and a property name. While we always create this wrapper object,
1532         it is unnecessary if the given replacer is not callable.
1533
1534         This patch removes wrapper object creation when a replacer is not callable to avoid unnecessary
1535         allocations. This change slightly improves the performance of Kraken/json-stringify-tinderbox.
1536
1537                                            baseline                  patched
1538
1539         json-stringify-tinderbox        39.730+-0.590      ^      38.853+-0.266         ^ definitely 1.0226x faster
1540
1541         * runtime/JSONObject.cpp:
1542         (JSC::Stringifier::isCallableReplacer const):
1543         (JSC::Stringifier::Stringifier):
1544         (JSC::Stringifier::stringify):
1545         (JSC::Stringifier::appendStringifiedValue):
1546
1547 2018-07-18  Carlos Garcia Campos  <cgarcia@igalia.com>
1548
1549         [GLIB] Add jsc_context_check_syntax() to GLib API
1550         https://bugs.webkit.org/show_bug.cgi?id=187694
1551
1552         Reviewed by Yusuke Suzuki.
1553
1554         A new function to be able to check for syntax errors without actually evaluating the code.
1555
1556         * API/glib/JSCContext.cpp:
1557         (jsc_context_check_syntax):
1558         * API/glib/JSCContext.h:
1559         * API/glib/docs/jsc-glib-4.0-sections.txt:
1560
1561 2018-07-17  Keith Miller  <keith_miller@apple.com>
1562
1563         Revert r233630 since it broke internal wasm benchmarks
1564         https://bugs.webkit.org/show_bug.cgi?id=187746
1565
1566         Unreviewed revert.
1567
1568         This patch seems to have broken internal Wasm benchmarks. This
1569         issue is likely due to an underlying bug but let's rollout while
1570         we investigate.
1571
1572         * bytecode/CodeType.h:
1573         * bytecode/UnlinkedCodeBlock.cpp:
1574         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1575         * bytecode/UnlinkedCodeBlock.h:
1576         (JSC::UnlinkedCodeBlock::codeType const):
1577         (JSC::UnlinkedCodeBlock::didOptimize const):
1578         (JSC::UnlinkedCodeBlock::setDidOptimize):
1579         * bytecode/VirtualRegister.h:
1580         (JSC::VirtualRegister::VirtualRegister):
1581         (): Deleted.
1582
1583 2018-07-17  Mark Lam  <mark.lam@apple.com>
1584
1585         CodeBlock::baselineVersion() should account for executables with purged codeBlocks.
1586         https://bugs.webkit.org/show_bug.cgi?id=187736
1587         <rdar://problem/42114371>
1588
1589         Reviewed by Michael Saboff.
1590
1591         CodeBlock::baselineVersion() currently checks for a null replacement but does not
1592         account for the fact that the replacement can also be null due to the
1593         executable having been purged of its codeBlocks due to a memory event (see
1594         ExecutableBase::clearCode()).  This patch adds code to account for this.
1595
1596         * bytecode/CodeBlock.cpp:
1597         (JSC::CodeBlock::baselineVersion):
1598
1599 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1600
1601         [JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets
1602         https://bugs.webkit.org/show_bug.cgi?id=187709
1603
1604         Reviewed by Mark Lam.
1605
1606         UnlinkedCodeBlock::shrinkToFit accidentally misses m_constantIdentifierSets shrinking.
1607
1608         * bytecode/UnlinkedCodeBlock.cpp:
1609         (JSC::UnlinkedCodeBlock::shrinkToFit):
1610
1611 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1612
1613         [JSC] Make SourceParseMode small
1614         https://bugs.webkit.org/show_bug.cgi?id=187705
1615
1616         Reviewed by Mark Lam.
1617
1618         Each SourceParseMode is distinct. So we do not need to make it a set-style (power of 2 style).
1619         Originally, this is done to make SourceParseModeSet faster because it is critical in our parser.
1620         But we can keep SourceParseModeSet fast by `1U << mode | set`. And we can make SourceParseMode
1621         within 5 bits. This reduces the size of UnlinkedCodeBlock from 288 to 280.
1622
1623         * parser/ParserModes.h:
1624         (JSC::SourceParseModeSet::SourceParseModeSet):
1625         (JSC::SourceParseModeSet::contains):
1626         (JSC::SourceParseModeSet::mergeSourceParseModes):
1627
1628 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1629
1630         [JSC] Generator and AsyncGeneratorMethod's prototype is incorrect
1631         https://bugs.webkit.org/show_bug.cgi?id=187585
1632
1633         Reviewed by Darin Adler.
1634
1635         This patch fixes Generator and AsyncGenerator's prototype issues.
1636
1637         1. Generator's default prototype is incorrect when `generator.prototype = null` is performed.
1638         We fix this by changing JSFunction::prototypeForConstruction.
1639
1640         2. AsyncGeneratorMethod is not handled. We change the name isAsyncGeneratorFunctionParseMode
1641         to isAsyncGeneratorWrapperParseMode since it is aligned to Generator's code. And use it well
1642         to fix `prototype` issues for AsyncGeneratorMethod.
1643
1644         * bytecompiler/BytecodeGenerator.cpp:
1645         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
1646         (JSC::BytecodeGenerator::emitNewFunction):
1647         * bytecompiler/NodesCodegen.cpp:
1648         (JSC::FunctionNode::emitBytecode):
1649         * parser/ASTBuilder.h:
1650         (JSC::ASTBuilder::createFunctionMetadata):
1651         * parser/Parser.cpp:
1652         (JSC::getAsynFunctionBodyParseMode):
1653         (JSC::Parser<LexerType>::parseInner):
1654         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1655         * parser/ParserModes.h:
1656         (JSC::isAsyncGeneratorParseMode):
1657         (JSC::isAsyncGeneratorWrapperParseMode):
1658         (JSC::isAsyncGeneratorFunctionParseMode): Deleted.
1659         * runtime/FunctionExecutable.h:
1660         * runtime/JSFunction.cpp:
1661         (JSC::JSFunction::prototypeForConstruction):
1662         (JSC::JSFunction::getOwnPropertySlot):
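Added example, not WebKit code: a spec check for the prototype-for-construction behaviour the entry above fixes. When a generator (or async generator method) has a `prototype` property that is not an object, the generator object created by calling it must fall back to the realm's intrinsic %GeneratorPrototype% (or %AsyncGeneratorPrototype%). It generalizes slightly beyond the `= null` case in the entry by also trying `undefined` and primitives; the function and method names are constructed for the example.

```javascript
// Added example, not WebKit code: checks GetPrototypeFromConstructor fallback for
// generator objects when the function's `prototype` is not an object.

// Non-object values a `prototype` property can hold; each must trigger the
// fallback to the intrinsic prototype (the entry above covers `null`).
const NON_OBJECT_PROTOTYPES = [null, undefined, 42, 'not-an-object', true];

// %GeneratorFunction.prototype%.prototype is the intrinsic %GeneratorPrototype%.
function intrinsicGeneratorPrototype() {
  return Object.getPrototypeOf(function* () {}).prototype;
}

// %AsyncGeneratorFunction.prototype%.prototype is %AsyncGeneratorPrototype%.
function intrinsicAsyncGeneratorPrototype() {
  return Object.getPrototypeOf(async function* () {}).prototype;
}

// Generator declaration: every non-object `prototype` yields a generator object
// whose [[Prototype]] is the intrinsic, and that object is still iterable.
function generatorFallsBackToIntrinsic() {
  return NON_OBJECT_PROTOTYPES.every((value) => {
    function* gen() { yield 1; }
    gen.prototype = value; // `prototype` on generator functions is writable
    const g = gen();
    return Object.getPrototypeOf(g) === intrinsicGeneratorPrototype()
      && g.next().value === 1;
  });
}

// Async generator method (the AsyncGeneratorMethod case named in the entry).
function asyncGeneratorMethodFallsBackToIntrinsic() {
  return NON_OBJECT_PROTOTYPES.every((value) => {
    const holder = { async *m() {} };
    holder.m.prototype = value;
    const ag = holder.m();
    return Object.getPrototypeOf(ag) === intrinsicAsyncGeneratorPrototype()
      && typeof ag.next === 'function';
  });
}

// Control case: an object-valued `prototype` is used as-is, no fallback.
function generatorUsesObjectPrototype() {
  function* gen() {}
  const custom = Object.create(intrinsicGeneratorPrototype());
  gen.prototype = custom;
  return Object.getPrototypeOf(gen()) === custom;
}

console.log(generatorFallsBackToIntrinsic());            // true
console.log(asyncGeneratorMethodFallsBackToIntrinsic()); // true
console.log(generatorUsesObjectPrototype());             // true
```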
1663
1664 2018-07-16  Mark Lam  <mark.lam@apple.com>
1665
1666         jsc shell's noFTL utility test function should be more robust.
1667         https://bugs.webkit.org/show_bug.cgi?id=187704
1668         <rdar://problem/42231988>
1669
1670         Reviewed by Michael Saboff and Keith Miller.
1671
1672         * jsc.cpp:
1673         (functionNoFTL):
1674         - only setNeverFTLOptimize() if the function is actually a JS function.
1675
1676 2018-07-15  Carlos Garcia Campos  <cgarcia@igalia.com>
1677
1678         [GLIB] Add API to evaluate code using a given object to store global symbols
1679         https://bugs.webkit.org/show_bug.cgi?id=187639
1680
1681         Reviewed by Michael Catanzaro.
1682
1683         Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the
1684         evaluated script are added as properties to the new object instead of to the context global object. This is
1685         similar to JS::Evaluate in spider monkey when a scopeChain parameter is passed, but JSC doesn't support using a
1686         scope for assignments, so we have to create a new context and get its global object. This patch also updates
1687         jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new
1688         jsc_context_evaluate_in_object().
1689
1690         * API/glib/JSCContext.cpp:
1691         (jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri().
1692         (evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef.
1693         (jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext().
1694         (jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension
1695         scope of it. Evaluate the script in the new context and get its global object to be returned as parameter.
1696         * API/glib/JSCContext.h:
1697         * API/glib/docs/jsc-glib-4.0-sections.txt:
1698
1699 2018-07-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1700
1701         [32bit JSC tests] stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing
1702         https://bugs.webkit.org/show_bug.cgi?id=187561
1703
1704         Reviewed by Darin Adler.
1705
1706         This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code.
1707         We clean up 32bit put_by_val code.
1708
1709         1. We remove inline out-of-bounds recording code since it is done in C operation code. This change
1710         aligns 32bit implementation to 64bit implementation.
1711
1712         2. We add CoW array checking, which is done in 64bit implementation.
1713
1714         * jit/JITPropertyAccess.cpp:
1715         (JSC::JIT::emit_op_put_by_val):
1716         * jit/JITPropertyAccess32_64.cpp:
1717         (JSC::JIT::emit_op_put_by_val):
1718         (JSC::JIT::emitSlow_op_put_by_val):
1719
1720 2018-07-12  Mark Lam  <mark.lam@apple.com>
1721
1722         Need to handle CodeBlock::replacement() being null.
1723         https://bugs.webkit.org/show_bug.cgi?id=187569
1724         <rdar://problem/41468692>
1725
1726         Reviewed by Saam Barati.
1727
1728         CodeBlock::replacement() may return a nullptr.  Some of our code already checks
1729         for this while others do not.  We should add null checks in all the places that
1730         need it.
1731
1732         * bytecode/CodeBlock.cpp:
1733         (JSC::CodeBlock::hasOptimizedReplacement):
1734         (JSC::CodeBlock::jettison):
1735         (JSC::CodeBlock::numberOfDFGCompiles):
1736         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
1737         * dfg/DFGOperations.cpp:
1738         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1739         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
1740         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1741         * jit/JITOperations.cpp:
1742
1743 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1744
1745         [JSC] Thread VM& to JSCell::methodTable(VM&)
1746         https://bugs.webkit.org/show_bug.cgi?id=187548
1747
1748         Reviewed by Saam Barati.
1749
1750         This patch threads VM& to methodTable(VM&) and removes methodTable().
1751         We add VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.
1752
1753         * API/APICast.h:
1754         (toJS):
1755         * API/JSCallbackObject.h:
1756         * API/JSCallbackObjectFunctions.h:
1757         (JSC::JSCallbackObject<Parent>::className):
1758         * bytecode/CodeBlock.cpp:
1759         (JSC::CodeBlock::estimatedSize):
1760         * bytecode/CodeBlock.h:
1761         * bytecode/UnlinkedCodeBlock.cpp:
1762         (JSC::UnlinkedCodeBlock::estimatedSize):
1763         * bytecode/UnlinkedCodeBlock.h:
1764         * debugger/DebuggerScope.cpp:
1765         (JSC::DebuggerScope::className):
1766         * debugger/DebuggerScope.h:
1767         * heap/Heap.cpp:
1768         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
1769         (JSC::GatherHeapSnapshotData::operator() const):
1770         (JSC::Heap::gatherExtraHeapSnapshotData):
1771         * heap/HeapSnapshotBuilder.cpp:
1772         (JSC::HeapSnapshotBuilder::json):
1773         * runtime/ArrayPrototype.cpp:
1774         (JSC::arrayProtoFuncToString):
1775         * runtime/ClassInfo.h:
1776         * runtime/DirectArguments.cpp:
1777         (JSC::DirectArguments::estimatedSize):
1778         * runtime/DirectArguments.h:
1779         * runtime/HashMapImpl.cpp:
1780         (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
1781         * runtime/HashMapImpl.h:
1782         * runtime/JSArrayBuffer.cpp:
1783         (JSC::JSArrayBuffer::estimatedSize):
1784         * runtime/JSArrayBuffer.h:
1785         * runtime/JSBigInt.cpp:
1786         (JSC::JSBigInt::estimatedSize):
1787         * runtime/JSBigInt.h:
1788         * runtime/JSCell.cpp:
1789         (JSC::JSCell::dump const):
1790         (JSC::JSCell::estimatedSizeInBytes const):
1791         (JSC::JSCell::estimatedSize):
1792         (JSC::JSCell::className):
1793         * runtime/JSCell.h:
1794         * runtime/JSCellInlines.h:
1795         * runtime/JSGenericTypedArrayView.h:
1796         * runtime/JSGenericTypedArrayViewInlines.h:
1797         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
1798         * runtime/JSObject.cpp:
1799         (JSC::JSObject::estimatedSize):
1800         (JSC::JSObject::className):
1801         (JSC::JSObject::toStringName):
1802         (JSC::JSObject::calculatedClassName):
1803         * runtime/JSObject.h:
1804         * runtime/JSProxy.cpp:
1805         (JSC::JSProxy::className):
1806         * runtime/JSProxy.h:
1807         * runtime/JSString.cpp:
1808         (JSC::JSString::estimatedSize):
1809         * runtime/JSString.h:
1810         * runtime/RegExp.cpp:
1811         (JSC::RegExp::estimatedSize):
1812         * runtime/RegExp.h:
1813         * runtime/WeakMapImpl.cpp:
1814         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
1815         * runtime/WeakMapImpl.h:
1816
1817 2018-07-11  Commit Queue  <commit-queue@webkit.org>
1818
1819         Unreviewed, rolling out r233714.
1820         https://bugs.webkit.org/show_bug.cgi?id=187579
1821
1822         it made tests time out (Requested by pizlo on #webkit).
1823
1824         Reverted changeset:
1825
1826         "Change the reoptimization backoff base to 1.3 from 2"
1827         https://bugs.webkit.org/show_bug.cgi?id=187540
1828         https://trac.webkit.org/changeset/233714
1829
1830 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1831
1832         [GLIB] Add API to allow creating variadic functions
1833         https://bugs.webkit.org/show_bug.cgi?id=187517
1834
1835         Reviewed by Michael Catanzaro.
1836
1837         Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
1838         jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.
1839
1840         * API/glib/JSCCallbackFunction.cpp:
1841         (JSC::JSCCallbackFunction::create): Make the parameters optional.
1842         (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
1843         (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
1844         JSCValue for the arguments.
1845         (JSC::JSCCallbackFunction::construct): Ditto.
1846         * API/glib/JSCCallbackFunction.h:
1847         * API/glib/JSCClass.cpp:
1848         (jscClassCreateConstructor): Make the parameters optional.
1849         (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
1850         (jscClassAddMethod): Make the parameters optional.
1851         (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
1852         * API/glib/JSCClass.h:
1853         * API/glib/JSCValue.cpp:
1854         (jsc_value_object_define_property_accessor): Update now that parameters are optional.
1855         (jscValueFunctionCreate): Make the parameters optional.
1856         (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
1857         * API/glib/JSCValue.h:
1858         * API/glib/docs/jsc-glib-4.0-sections.txt:
1859
1860 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1861
1862         [GLIB] Add jsc_context_get_global_object() to GLib API
1863         https://bugs.webkit.org/show_bug.cgi?id=187515
1864
1865         Reviewed by Michael Catanzaro.
1866
1867         This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
1868         object. However, getting the global object could be useful in some cases, for example to give it a well known
1869         name like 'window' in browsers and GJS.
1870
1871         * API/glib/JSCContext.cpp:
1872         (jsc_context_get_global_object):
1873         * API/glib/JSCContext.h:
1874         * API/glib/docs/jsc-glib-4.0-sections.txt:
1875
1876 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1877
1878         [GLIB] Handle G_TYPE_STRV in glib API
1879         https://bugs.webkit.org/show_bug.cgi?id=187512
1880
1881         Reviewed by Michael Catanzaro.
1882
1883         Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.
1884
1885         * API/glib/JSCContext.cpp:
1886         (jscContextGValueToJSValue):
1887         (jscContextJSValueToGValue):
1888         * API/glib/JSCValue.cpp:
1889         (jsc_value_new_array_from_strv):
1890         * API/glib/JSCValue.h:
1891         * API/glib/docs/jsc-glib-4.0-sections.txt:
1892
1893 2018-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1894
1895         Iterator of Array.keys() returns object in wrong order
1896         https://bugs.webkit.org/show_bug.cgi?id=185197
1897
1898         Reviewed by Keith Miller.
1899
1900         * builtins/ArrayIteratorPrototype.js:
1901         (globalPrivate.arrayIteratorValueNext):
1902         (globalPrivate.arrayIteratorKeyNext):
1903         (globalPrivate.arrayIteratorKeyValueNext):
1904         * builtins/AsyncFromSyncIteratorPrototype.js:
1905         * builtins/AsyncGeneratorPrototype.js:
1906         (globalPrivate.asyncGeneratorResolve):
1907         * builtins/GeneratorPrototype.js:
1908         (globalPrivate.generatorResume):
1909         * builtins/MapIteratorPrototype.js:
1910         (globalPrivate.mapIteratorNext):
1911         * builtins/SetIteratorPrototype.js:
1912         (globalPrivate.setIteratorNext):
1913         * builtins/StringIteratorPrototype.js:
1914         (next):
1915         * runtime/IteratorOperations.cpp:
1916         (JSC::createIteratorResultObjectStructure):
1917         (JSC::createIteratorResultObject):
1918
1919 2018-07-10  Mark Lam  <mark.lam@apple.com>
1920
1921         constructArray() should always allocate the requested length.
1922         https://bugs.webkit.org/show_bug.cgi?id=187543
1923         <rdar://problem/41947884>
1924
1925         Reviewed by Saam Barati.
1926
1927         Currently, it does not when we're having a bad time.  We fix this by switching
1928         back to using tryCreateUninitializedRestricted() exclusively in constructArray().
1929         If we detect that a structure transition is possible before we can initialize
1930         the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
1931         We will introduce JSArray::eagerlyInitializeButterfly() to handle this.
1932
1933         Also enhanced the DisallowScope and ObjectInitializationScope to support this
1934         eager initialization when needed.
1935
1936         * dfg/DFGOperations.cpp:
1937         - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
1938           the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
1939           it clearer that we encountered an OutOfMemory condition instead of failing in FTL
1940           generated code, which will appear as a generic null pointer dereference.
1941
1942         * runtime/ArrayPrototype.cpp:
1943         (JSC::concatAppendOne):
1944         - the code here clearly wants to check for an allocation failure.  Switched to
1945           using JSArray::tryCreate() instead of JSArray::create().
1946
1947         * runtime/DisallowScope.h:
1948         (JSC::DisallowScope::disable):
1949         * runtime/JSArray.cpp:
1950         (JSC::JSArray::tryCreateUninitializedRestricted):
1951         (JSC::JSArray::eagerlyInitializeButterfly):
1952         (JSC::constructArray):
1953         * runtime/JSArray.h:
1954         * runtime/ObjectInitializationScope.cpp:
1955         (JSC::ObjectInitializationScope::notifyInitialized):
1956         * runtime/ObjectInitializationScope.h:
1957         (JSC::ObjectInitializationScope::notifyInitialized):
1958
1959 2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1960
1961         [JSC] Remove getTypedArrayImpl
1962         https://bugs.webkit.org/show_bug.cgi?id=187338
1963
1964         Reviewed by Mark Lam.
1965
1966         getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
1967         is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
1968         This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.
1969
1970         * runtime/ClassInfo.h:
1971         * runtime/GenericTypedArrayView.h:
1972         (JSC::GenericTypedArrayView::data const): Deleted.
1973         (JSC::GenericTypedArrayView::set): Deleted.
1974         (JSC::GenericTypedArrayView::setRange): Deleted.
1975         (JSC::GenericTypedArrayView::zeroRange): Deleted.
1976         (JSC::GenericTypedArrayView::zeroFill): Deleted.
1977         (JSC::GenericTypedArrayView::length const): Deleted.
1978         (JSC::GenericTypedArrayView::item const): Deleted.
1979         (JSC::GenericTypedArrayView::set const): Deleted.
1980         (JSC::GenericTypedArrayView::setNative const): Deleted.
1981         (JSC::GenericTypedArrayView::getRange): Deleted.
1982         (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
1983         (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
1984         * runtime/JSArrayBufferView.cpp:
1985         (JSC::JSArrayBufferView::possiblySharedImpl):
1986         * runtime/JSArrayBufferView.h:
1987         * runtime/JSArrayBufferViewInlines.h:
1988         (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
1989         * runtime/JSCell.cpp:
1990         (JSC::JSCell::getTypedArrayImpl): Deleted.
1991         * runtime/JSCell.h:
1992         * runtime/JSDataView.cpp:
1993         (JSC::JSDataView::getTypedArrayImpl): Deleted.
1994         * runtime/JSDataView.h:
1995         * runtime/JSGenericTypedArrayView.h:
1996         * runtime/JSGenericTypedArrayViewInlines.h:
1997         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.
1998
1999 2018-07-10  Keith Miller  <keith_miller@apple.com>
2000
2001         hasOwnProperty returns true for out of bounds property index on TypedArray
2002         https://bugs.webkit.org/show_bug.cgi?id=187520
2003
2004         Reviewed by Saam Barati.
2005
2006         * runtime/JSGenericTypedArrayViewInlines.h:
2007         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2008
2009 2018-07-10  Michael Saboff  <msaboff@apple.com>
2010
2011         DFG JIT: compileMathIC produces incorrect machine code
2012         https://bugs.webkit.org/show_bug.cgi?id=187537
2013
2014         Reviewed by Saam Barati.
2015
2016         Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
2017         fall back to the fast path generator which handles such cases.
2018
2019         * jit/JITMulGenerator.cpp:
2020         (JSC::JITMulGenerator::generateInline):
2021
2022 2018-07-10  Filip Pizlo  <fpizlo@apple.com>
2023
2024         Change the reoptimization backoff base to 1.3 from 2
2025         https://bugs.webkit.org/show_bug.cgi?id=187540
2026
2027         Reviewed by Saam Barati.
2028         
2029         I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
2030         
2031         I also have data that hints that a backoff base of 1 might be even better, but I think that
2032         we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.
2033
2034         * bytecode/CodeBlock.cpp:
2035         (JSC::CodeBlock::reoptimizationRetryCounter const):
2036         (JSC::CodeBlock::countReoptimization):
2037         (JSC::CodeBlock::adjustedCounterValue):
2038         * runtime/Options.cpp:
2039         (JSC::recomputeDependentOptions):
2040         * runtime/Options.h:
2041
2042 2018-07-10  Mark Lam  <mark.lam@apple.com>
2043
2044         [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
2045         https://bugs.webkit.org/show_bug.cgi?id=187362
2046         <rdar://problem/42027210>
2047
2048         Reviewed by Saam Barati.
2049
2050         On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
2051         value to use for initializing unused properties.  Updated an assertion to account
2052         for this.
2053
2054         * runtime/ObjectInitializationScope.cpp:
2055         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2056
2057 2018-07-10  Michael Saboff  <msaboff@apple.com>
2058
2059         YARR: . doesn't match non-BMP Unicode characters in some cases
2060         https://bugs.webkit.org/show_bug.cgi?id=187248
2061
2062         Reviewed by Geoffrey Garen.
2063
2064         The safety check in optimizeAlternative() for moving character classes that only consist of BMP
2065         characters did not take into account that the character class is inverted.  In this case, we
2066         represent '.' as "not a newline" using the newline character class with an inverted check.
2067         Clearly that includes non-BMP characters.
2068
2069         The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
2070         inverted use of that character class.
2071
2072         * yarr/YarrJIT.cpp:
2073         (JSC::Yarr::YarrGenerator::optimizeAlternative):
2074
2075 2018-07-09  Mark Lam  <mark.lam@apple.com>
2076
2077         Add --traceLLIntExecution and --traceLLIntSlowPath options.
2078         https://bugs.webkit.org/show_bug.cgi?id=187479
2079
2080         Reviewed by Yusuke Suzuki and Saam Barati.
2081
2082         These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.
2083
2084         The details:
2085         1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
2086         2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
2087            This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
2088            continually spammed with logging until we rebuild.
2089         3. Fixed slow path LLINT tracing to work with exception check validation.
2090
2091         * llint/LLIntCommon.h:
2092         * llint/LLIntExceptions.cpp:
2093         (JSC::LLInt::returnToThrow):
2094         (JSC::LLInt::callToThrow):
2095         * llint/LLIntOfflineAsmConfig.h:
2096         * llint/LLIntSlowPaths.cpp:
2097         (JSC::LLInt::slowPathLog):
2098         (JSC::LLInt::slowPathLn):
2099         (JSC::LLInt::slowPathLogF):
2100         (JSC::LLInt::slowPathLogLn):
2101         (JSC::LLInt::llint_trace_operand):
2102         (JSC::LLInt::llint_trace_value):
2103         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2104         (JSC::LLInt::traceFunctionPrologue):
2105         (JSC::LLInt::handleHostCall):
2106         (JSC::LLInt::setUpCall):
2107         * llint/LLIntSlowPaths.h:
2108         * llint/LowLevelInterpreter.asm:
2109         * runtime/CommonSlowPathsExceptions.cpp:
2110         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2111         * runtime/Options.cpp:
2112         (JSC::Options::isAvailable):
2113         * runtime/Options.h:
2114
2115 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2116
2117         [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
2118         https://bugs.webkit.org/show_bug.cgi?id=187477
2119
2120         Reviewed by Mark Lam.
2121
2122         Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
2123         However, it is not necessary since JSCells can reside in a constant buffer.
2124         This patch embeds RegExp* in a constant buffer in UnlinkedCodeBlock and CodeBlock. And removes the RegExp
2125         vector from RareData.
2126
2127         We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.
2128
2129         * bytecode/BytecodeDumper.cpp:
2130         (JSC::BytecodeDumper<Block>::dumpBytecode):
2131         (JSC::BytecodeDumper<Block>::dumpBlock):
2132         (JSC::regexpToSourceString): Deleted.
2133         (JSC::regexpName): Deleted.
2134         (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
2135         * bytecode/BytecodeDumper.h:
2136         * bytecode/CodeBlock.h:
2137         (JSC::CodeBlock::regexp const): Deleted.
2138         (JSC::CodeBlock::numberOfRegExps const): Deleted.
2139         * bytecode/UnlinkedCodeBlock.cpp:
2140         (JSC::UnlinkedCodeBlock::visitChildren):
2141         (JSC::UnlinkedCodeBlock::shrinkToFit):
2142         * bytecode/UnlinkedCodeBlock.h:
2143         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
2144         (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
2145         (JSC::UnlinkedCodeBlock::regexp const): Deleted.
2146         * bytecompiler/BytecodeGenerator.cpp:
2147         (JSC::BytecodeGenerator::emitNewRegExp):
2148         (JSC::BytecodeGenerator::addRegExp): Deleted.
2149         * bytecompiler/BytecodeGenerator.h:
2150         * dfg/DFGByteCodeParser.cpp:
2151         (JSC::DFG::ByteCodeParser::parseBlock):
2152         * jit/JITOpcodes.cpp:
2153         (JSC::JIT::emit_op_new_regexp):
2154         * llint/LLIntSlowPaths.cpp:
2155         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2156         * runtime/JSCJSValue.cpp:
2157         (JSC::JSValue::dumpInContextAssumingStructure const):
2158         * runtime/RegExp.cpp:
2159         (JSC::regexpToSourceString):
2160         (JSC::RegExp::dumpToStream):
2161         * runtime/RegExp.h:
2162
2163 2018-07-09  Brian Burg  <bburg@apple.com>
2164
2165         REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
2166         https://bugs.webkit.org/show_bug.cgi?id=187350
2167         <rdar://problem/41728249>
2168
2169         Reviewed by Matt Baker.
2170
2171         Add a new command that toggles whether or not to blackbox internal scripts.
2172         If blackboxed, the scripts will not be shown to the frontend and the debugger will
2173         not pause in source frames from blackboxed scripts. Sometimes we want to break into
2174         those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
2175         that injects scripts.
2176
2177         * inspector/agents/InspectorDebuggerAgent.cpp:
2178         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
2179         (Inspector::InspectorDebuggerAgent::didParseSource):
2180         * inspector/agents/InspectorDebuggerAgent.h:
2181         * inspector/protocol/Debugger.json:
2182
2183 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2184
2185         [JSC] Make some data members of UnlinkedCodeBlock private
2186         https://bugs.webkit.org/show_bug.cgi?id=187467
2187
2188         Reviewed by Mark Lam.
2189
2190         This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
2191         We also remove m_numCapturedVars since it is no longer used.
2192
2193         * bytecode/CodeBlock.cpp:
2194         (JSC::CodeBlock::CodeBlock):
2195         * bytecode/CodeBlock.h:
2196         * bytecode/UnlinkedCodeBlock.cpp:
2197         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2198         * bytecode/UnlinkedCodeBlock.h:
2199
2200 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2201
2202         [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
2203         https://bugs.webkit.org/show_bug.cgi?id=187465
2204
2205         Reviewed by Keith Miller.
2206
2207         ProxyableAccessCase is allocated very frequently and persists for a long time. Reducing the size
2208         of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.
2209
2210         This patch uses a slightly complicated layout to reduce ProxyableAccessCase. We add an unused bool member
2211         in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
2212         of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
2213         from 104 to 96 since it inherits ProxyableAccessCase.
2214
2215         * bytecode/AccessCase.h:
2216         (JSC::AccessCase::viaProxy const):
2217         (JSC::AccessCase::AccessCase):
2218         * bytecode/ProxyableAccessCase.cpp:
2219         (JSC::ProxyableAccessCase::ProxyableAccessCase):
2220         * bytecode/ProxyableAccessCase.h:
2221
2222 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2223
2224         Unreviewed, build fix for debug builds after r233630
2225         https://bugs.webkit.org/show_bug.cgi?id=187441
2226
2227         * jit/JIT.cpp:
2228         (JSC::JIT::frameRegisterCountFor):
2229         * llint/LLIntEntrypoint.cpp:
2230         (JSC::LLInt::frameRegisterCountFor):
2231
2232 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2233
2234         [JSC] Optimize layout of CodeBlock to reduce padding
2235         https://bugs.webkit.org/show_bug.cgi?id=187441
2236
2237         Reviewed by Mark Lam.
2238
2239         Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
2240         We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
2241         Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.
2242
2243         We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.
2244
2245         * bytecode/BytecodeDumper.cpp:
2246         (JSC::BytecodeDumper<Block>::dumpBlock):
2247         * bytecode/BytecodeUseDef.h:
2248         (JSC::computeDefsForBytecodeOffset):
2249         * bytecode/CodeBlock.cpp:
2250         (JSC::CodeBlock::CodeBlock):
2251         * bytecode/CodeBlock.h:
2252         (JSC::CodeBlock::numVars const):
2253         * bytecode/UnlinkedCodeBlock.h:
2254         (JSC::UnlinkedCodeBlock::numVars const):
2255         * dfg/DFGByteCodeParser.cpp:
2256         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2257         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
2258         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2259         (JSC::DFG::ByteCodeParser::inlineCall):
2260         (JSC::DFG::ByteCodeParser::handleGetById):
2261         (JSC::DFG::ByteCodeParser::handlePutById):
2262         (JSC::DFG::ByteCodeParser::parseBlock):
2263         * dfg/DFGGraph.h:
2264         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
2265         * dfg/DFGOSREntrypointCreationPhase.cpp:
2266         (JSC::DFG::OSREntrypointCreationPhase::run):
2267         * dfg/DFGVariableEventStream.cpp:
2268         (JSC::DFG::VariableEventStream::reconstruct const):
2269         * ftl/FTLOSREntry.cpp:
2270         (JSC::FTL::prepareOSREntry):
2271         * ftl/FTLState.cpp:
2272         (JSC::FTL::State::State):
2273         * interpreter/Interpreter.cpp:
2274         (JSC::Interpreter::dumpRegisters):
2275         * jit/JIT.cpp:
2276         (JSC::JIT::frameRegisterCountFor):
2277         * jit/JITOpcodes.cpp:
2278         (JSC::JIT::emit_op_enter):
2279         * jit/JITOpcodes32_64.cpp:
2280         (JSC::JIT::emit_op_enter):
2281         * jit/JITOperations.cpp:
2282         * llint/LLIntEntrypoint.cpp:
2283         (JSC::LLInt::frameRegisterCountFor):
2284         * llint/LLIntSlowPaths.cpp:
2285         (JSC::LLInt::traceFunctionPrologue):
2286         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2287         * runtime/JSCJSValue.h:
2288
2289 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2290
2291         [JSC] Optimize padding of UnlinkedCodeBlock to shrink
2292         https://bugs.webkit.org/show_bug.cgi?id=187448
2293
2294         Reviewed by Saam Barati.
2295
2296         We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
2297         These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.
2298
2299         * bytecode/CodeType.h:
2300         * bytecode/UnlinkedCodeBlock.cpp:
2301         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2302         * bytecode/UnlinkedCodeBlock.h:
2303         (JSC::UnlinkedCodeBlock::codeType const):
2304         (JSC::UnlinkedCodeBlock::didOptimize const):
2305         (JSC::UnlinkedCodeBlock::setDidOptimize):
2306         * bytecode/VirtualRegister.h:
2307
2308 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2309
2310         [JSC] Optimize padding of InferredTypeTable by using cellLock
2311         https://bugs.webkit.org/show_bug.cgi?id=187447
2312
2313         Reviewed by Mark Lam.
2314
2315         Use cellLock() in InferredTypeTable to guard changes of internal structures.
2316         This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
2317         reduce the size of InferredTypeTable from 40 to 32.
2318
2319         * runtime/InferredTypeTable.cpp:
2320         (JSC::InferredTypeTable::visitChildren):
2321         (JSC::InferredTypeTable::get):
2322         (JSC::InferredTypeTable::willStoreValue):
2323         (JSC::InferredTypeTable::makeTop):
2324         * runtime/InferredTypeTable.h:
2325         Using enum class and using. And remove `isEmpty()` since it is not used.
2326
2327         * runtime/Structure.h:
2328
2329 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2330
2331         [JSC] Optimize layout of SourceProvider to reduce padding
2332         https://bugs.webkit.org/show_bug.cgi?id=187440
2333
2334         Reviewed by Mark Lam.
2335
2336         Arrange members of SourceProvider to reduce the size from 80 to 72.
2337
2338         * parser/SourceProvider.cpp:
2339         (JSC::SourceProvider::SourceProvider):
2340         * parser/SourceProvider.h:
2341
2342 2018-07-08  Mark Lam  <mark.lam@apple.com>
2343
2344         PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
2345         https://bugs.webkit.org/show_bug.cgi?id=187444
2346         <rdar://problem/41282849>
2347
2348         Reviewed by Saam Barati.
2349
2350         PropertyTable supports C++ iteration by offering begin() and end() methods, and
2351         an iterator class.  The begin() methods and the iterator operator++() method use
2352         PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
2353         However, PropertyTable::skipDeletedEntries() does not prevent the iteration
2354         pointer from being incremented past the end of the table.  As a result, we can
2355         iterate past the end of the table.  Note that the C++ iteration protocol tests
2356         for the iterator not being equal to the end() value.  It does not do a <= test.
2357         If the iterator ever shoots past end, the loop will effectively not terminate.
2358
2359         This issue can manifest if and only if the last entry in the table is a deleted
2360         one, and the key field of the PropertyMapEntry shaped space at the end of the
2361         table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
2362         value.
2363
2364         No test because manifesting this issue requires uncontrollable happenstance where
2365         memory just beyond the end of the table looks like a deleted entry.
2366
2367         * runtime/PropertyMapHashTable.h:
2368         (JSC::PropertyTable::begin):
2369         (JSC::PropertyTable::end):
2370         (JSC::PropertyTable::begin const):
2371         (JSC::PropertyTable::end const):
2372         (JSC::PropertyTable::skipDeletedEntries):
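
        Added illustration of the iteration hazard described above; this is not JSC's code. It models a property table as a prefix of a larger allocation, with the deleted-slot sentinel 1 (standing in for PROPERTY_MAP_DELETED_ENTRY_KEY), and places the unguarded skip beside the end-guarded one. The `Entry` struct, the helper names and the sample contents are assumptions constructed for the demonstration.

```cpp
// Added example (not JSC code): a minimal property-table iterator modelled on the
// ChangeLog description, with the unguarded skip beside the end-guarded one.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed stand-in for PropertyMapEntry: key == 1 marks a deleted slot (as
// PROPERTY_MAP_DELETED_ENTRY_KEY does in JSC); key == 0 is treated as empty here.
constexpr std::uintptr_t deletedEntryKey = 1;

struct Entry {
    std::uintptr_t key;
    unsigned offset;
};

// Pre-patch shape: advance while the slot looks deleted, with no end check.
// If the slot just past end() happens to hold a 1, the returned pointer is
// already beyond end(), and a `!= end` loop will never see end() again.
static Entry* skipDeletedEntriesUnguarded(Entry* valuePtr)
{
    while (valuePtr->key == deletedEntryKey)
        ++valuePtr;
    return valuePtr;
}

// Post-patch shape: never step past end(); a deleted last slot yields end().
static Entry* skipDeletedEntriesGuarded(Entry* valuePtr, Entry* endValuePtr)
{
    while (valuePtr < endValuePtr && valuePtr->key == deletedEntryKey)
        ++valuePtr;
    return valuePtr;
}

// Constructed sample: a 4-slot table whose last slot is deleted, followed by
// memory that is not part of the table but begins with a 1 (looks deleted).
constexpr std::size_t sampleTableSize = 4;

static std::vector<Entry> makeSampleStorage()
{
    return {
        { 2, 0 },               // slot 0: live entry
        { deletedEntryKey, 0 }, // slot 1: deleted
        { 3, 1 },               // slot 2: live entry
        { deletedEntryKey, 0 }, // slot 3: deleted, and the last slot of the table
        // ---- end() points here; everything below lies outside the table ----
        { deletedEntryKey, 0 }, // stale memory that happens to look deleted
        { 7, 0 },               // stale memory that looks like a live entry
        { 0, 0 },
        { 0, 0 },               // last slot is not 1, so the unguarded skip halts here
    };
}

// Walks the table the way a range-for over begin()/end() does (the loop test is
// `!= end`) and returns how many entries it visited. The end of the allocation
// is a hard stop so the overshooting variant stays inside memory we own; real
// code has no such stop and keeps reading.
static std::size_t visitedEntries(bool guarded)
{
    std::vector<Entry> storage = makeSampleStorage();
    Entry* begin = storage.data();
    Entry* end = begin + sampleTableSize;
    Entry* hardStop = begin + storage.size();

    auto skip = [&](Entry* p) {
        return guarded ? skipDeletedEntriesGuarded(p, end) : skipDeletedEntriesUnguarded(p);
    };

    std::size_t visited = 0;
    Entry* it = skip(begin);
    while (it != end && it < hardStop) {
        ++visited;
        ++it;                 // iterator operator++ ...
        if (it < hardStop)
            it = skip(it);    // ... followed by skipDeletedEntries()
    }
    return visited;
}

int main()
{
    // The table holds exactly 2 live entries.
    std::printf("unguarded skip visited %zu entries\n", visitedEntries(false));
    std::printf("guarded skip visited %zu entries\n", visitedEntries(true));
    return 0;
}
```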
2373
2374 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2375
2376         [JSC] Optimize layout of SymbolTable to reduce padding
2377         https://bugs.webkit.org/show_bug.cgi?id=187437
2378
2379         Reviewed by Mark Lam.
2380
2381         Arrange the layout of SymbolTable to reduce the size from 88 to 72.
2382
2383         * runtime/SymbolTable.h:
2384
2385 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2386
2387         [JSC] Optimize layout of RegExp to reduce padding
2388         https://bugs.webkit.org/show_bug.cgi?id=187438
2389
2390         Reviewed by Mark Lam.
2391
2392         Reduce the size of RegExp from 168 to 144.
2393
2394         * runtime/RegExp.cpp:
2395         (JSC::RegExp::RegExp):
2396         * runtime/RegExp.h:
2397         * runtime/RegExpKey.h:
2398         * yarr/YarrErrorCode.h:
2399
2400 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2401
2402         [JSC] Optimize layout of ValueProfile to reduce padding
2403         https://bugs.webkit.org/show_bug.cgi?id=187439
2404
2405         Reviewed by Mark Lam.
2406
2407         Reduce the size of ValueProfile from 40 to 32 by reordering members.
2408
2409         * bytecode/ValueProfile.h:
2410         (JSC::ValueProfileBase::ValueProfileBase):
2411
2412 2018-07-05  Saam Barati  <sbarati@apple.com>
2413
2414         ProgramExecutable may be collected as we checkSyntax on it
2415         https://bugs.webkit.org/show_bug.cgi?id=187359
2416         <rdar://problem/41832135>
2417
2418         Reviewed by Mark Lam.
2419
2420         The bug was that we were passing in a reference to the SourceCode field on ProgramExecutable as
2421         the ProgramExecutable itself may be collected. The fix here is to make a copy
2422         of the field instead of passing in a reference inside of ParserError::toErrorObject.
2423         
2424         No new tests here as this was already caught by our iOS JSC testers.
2425
2426         * parser/ParserError.h:
2427         (JSC::ParserError::toErrorObject):
2428
2429 2018-07-04  Tim Horton  <timothy_horton@apple.com>
2430
2431         Introduce PLATFORM(IOSMAC)
2432         https://bugs.webkit.org/show_bug.cgi?id=187315
2433
2434         Reviewed by Dan Bernstein.
2435
2436         * Configurations/Base.xcconfig:
2437         * Configurations/FeatureDefines.xcconfig:
2438
2439 2018-07-03  Mark Lam  <mark.lam@apple.com>
2440
2441         [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
2442         https://bugs.webkit.org/show_bug.cgi?id=187255
2443         <rdar://problem/41785257>
2444
2445         Reviewed by Saam Barati.
2446
2447         The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
2448         too: basically, do what the 64-bit code is doing.  At present, this change only
2449         serves to pacify an assertion.  It is not needed for correctness because the
2450         concurrent GC is not used on 32-bit builds.
2451
2452         This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
2453         test.
2454
2455         * jit/JITOpcodes32_64.cpp:
2456         (JSC::JIT::emit_op_create_this):
2457
2458 2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2459
2460         [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
2461         https://bugs.webkit.org/show_bug.cgi?id=187290
2462
2463         Reviewed by Saam Barati.
2464
2465         slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
2466         we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
2467         is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
2468         easily calculated from JSType.
2469         This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.
2470
2471         * runtime/ClassInfo.h:
2472         * runtime/JSArrayBufferView.cpp:
2473         (JSC::elementSize):
2474         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
2475         * runtime/JSArrayBufferView.h:
2476         * runtime/JSArrayBufferViewInlines.h:
2477         (JSC::JSArrayBufferView::possiblySharedBuffer):
2478         * runtime/JSCell.cpp:
2479         (JSC::JSCell::slowDownAndWasteMemory): Deleted.
2480         * runtime/JSCell.h:
2481         * runtime/JSDataView.cpp:
2482         (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
2483         * runtime/JSDataView.h:
2484         * runtime/JSGenericTypedArrayView.h:
2485         * runtime/JSGenericTypedArrayViewInlines.h:
2486         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.
2487
2488 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2489
2490         Regular expressions with ".?" expressions at the start and the end match the entire string
2491         https://bugs.webkit.org/show_bug.cgi?id=119191
2492
2493         Reviewed by Michael Saboff.
2494
2495         r90962 optimized regular expressions in the form of /.*abc.*/ by looking
2496         for "abc" first and then processing the leading and trailing dot stars
2497         to find the beginning and the end of the match. However, it erroneously
2498         enabled this optimization for regular expressions whose leading or
2499         trailing dots had quantifiers that were not of arbitrary length, e.g.,
2500         /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
2501         match the entire string when it shouldn't. This patch disables the
2502         optimization for those cases.
2503
2504         * yarr/YarrPattern.cpp:
2505         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2506
2507 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2508
2509         RegExp.exec returns wrong value with a long integer quantifier
2510         https://bugs.webkit.org/show_bug.cgi?id=187042
2511
2512         Reviewed by Saam Barati.
2513
2514         Prior to this patch, the Yarr parser checked for integer overflow when
2515         parsing quantifiers in regular expressions by adding one digit at a time
2516         to a number and checking if the result got larger. This is wrong;
2517         the parser would fail to detect overflow when parsing, for example,
2518         10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.
2519
2520         Another issue was that once it detected overflow, it stopped consuming
2521         the remaining digits. Since it didn't find the closing bracket, it
2522         parsed the quantifier as a normal string instead.
2523
2524         This patch fixes these issues by reading all the digits and checking for
2525         overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
2526         returns the largest possible value (quantifyInfinite in this case). This
2527         matches Chrome [1], Firefox [2], and Edge [3].
2528
2529         [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
2530         [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
2531         [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149
2532
2533         * yarr/YarrParser.h:
2534         (JSC::Yarr::Parser::consumeNumber):
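
        Added illustration of the two parsing strategies this entry contrasts; this is not JSC's code. `consumeNumberBuggy` reproduces the pre-patch digit-at-a-time wrap check (and stops consuming digits once it believes it overflowed), while `consumeNumberChecked` reads every digit and saturates on overflow. A 64-bit accumulator stands in for Checked<unsigned, RecordOverflow>, and quantifyInfinite is assumed to be UINT_MAX; the function names are assumptions.

```cpp
// Added example (not JSC code): pre-patch versus post-patch quantifier parsing
// as described in the ChangeLog entry.
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Sentinel for an unbounded quantifier; assumed to equal UINT_MAX as in JSC.
constexpr unsigned quantifyInfinite = UINT_MAX;

struct ParsedNumber {
    unsigned value;       // parsed quantifier value
    std::size_t consumed; // number of input characters consumed
};

// Pre-patch behaviour: accumulate in 32-bit arithmetic and report overflow only
// when the new value is smaller than the previous one. That misses wrap-arounds
// that land above the previous value, e.g. 10000000003 -> 1410065411, and the
// parser stops at the first "overflow" it sees, leaving later digits unread.
ParsedNumber consumeNumberBuggy(const std::string& input)
{
    unsigned n = 0;
    std::size_t i = 0;
    for (; i < input.size() && input[i] >= '0' && input[i] <= '9'; ++i) {
        unsigned newValue = n * 10 + static_cast<unsigned>(input[i] - '0'); // wraps mod 2^32
        if (newValue < n)
            break; // treated as overflow: remaining digits are not consumed
        n = newValue;
    }
    return { n, i };
}

// Post-patch behaviour: consume every digit, track overflow explicitly (a 64-bit
// accumulator plays the role of Checked<unsigned, RecordOverflow>), and return
// quantifyInfinite once the value no longer fits in an unsigned.
ParsedNumber consumeNumberChecked(const std::string& input)
{
    std::uint64_t n = 0;
    bool overflowed = false;
    std::size_t i = 0;
    for (; i < input.size() && input[i] >= '0' && input[i] <= '9'; ++i) {
        if (overflowed)
            continue; // keep consuming digits so the closing bracket is still found
        n = n * 10 + static_cast<std::uint64_t>(input[i] - '0');
        if (n > UINT_MAX)
            overflowed = true; // n <= UINT_MAX*10+9 here, so the 64-bit sum cannot wrap
    }
    return { overflowed ? quantifyInfinite : static_cast<unsigned>(n), i };
}

int main()
{
    // Constructed input: the quantifier digits from the entry, followed by the
    // closing bracket of a {n} quantifier.
    const std::string input = "10000000003}";
    ParsedNumber buggy = consumeNumberBuggy(input);
    ParsedNumber fixed = consumeNumberChecked(input);
    std::printf("buggy:   value=%u consumed=%zu\n", buggy.value, buggy.consumed);
    std::printf("checked: value=%u consumed=%zu (UINT_MAX means quantifyInfinite)\n",
                fixed.value, fixed.consumed);
    return 0;
}
```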
2535
2536 2018-07-02  Keith Miller  <keith_miller@apple.com>
2537
2538         InstanceOf IC should do generic if the prototype is not an object.
2539         https://bugs.webkit.org/show_bug.cgi?id=187250
2540
2541         Reviewed by Mark Lam.
2542
2543         The old code was wrong for two reasons. First, the AccessCase expected that
2544         the prototype value would be non-null. Second, we would end up returning
2545         false instead of throwing an exception.
2546
2547         * jit/Repatch.cpp:
2548         (JSC::tryCacheInstanceOf):
2549
2550 2018-07-01  Mark Lam  <mark.lam@apple.com>
2551
2552         Builtins and host functions should get their own structures.
2553         https://bugs.webkit.org/show_bug.cgi?id=187211
2554         <rdar://problem/41646336>
2555
2556         Reviewed by Saam Barati.
2557
2558         JSFunctions do lazy reification of properties, but ordinary functions apply
2559         different rules of property reification than builtin and host functions.  Hence,
2560         we should give builtins and host functions their own structures.
2561
2562         * runtime/JSFunction.cpp:
2563         (JSC::JSFunction::selectStructureForNewFuncExp):
2564         (JSC::JSFunction::create):
2565         (JSC::JSFunction::getOwnPropertySlot):
2566         * runtime/JSGlobalObject.cpp:
2567         (JSC::JSGlobalObject::init):
2568         (JSC::JSGlobalObject::visitChildren):
2569         * runtime/JSGlobalObject.h:
2570         (JSC::JSGlobalObject::hostFunctionStructure const):
2571         (JSC::JSGlobalObject::arrowFunctionStructure const):
2572         (JSC::JSGlobalObject::sloppyFunctionStructure const):
2573         (JSC::JSGlobalObject::strictFunctionStructure const):
2574
2575 2018-07-01  David Kilzer  <ddkilzer@apple.com>
2576
2577         JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
2578         <https://webkit.org/b/187233>
2579
2580         Reviewed by Mark Lam.
2581
2582         * b3/air/AirEliminateDeadCode.cpp:
2583         (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
2584         * parser/ParserTokens.h:
2585         (JSC::JSTextPosition::JSTextPosition): Add struct member
2586         initialization. Simplify default constructor.
2587         (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
2588         union to the beginning to make it easy to zero out all fields.
2589         (JSC::JSTokenLocation::JSTokenLocation): Add struct member
2590         initialization.  Simplify default constructor.  Note that
2591         `endOffset` was not being initialized previously.
2592         (JSC::JSTextPosition::JSToken): Add struct member initialization
2593         where necessary.
2594         * runtime/IntlObject.cpp:
2595         (JSC::MatcherResult): Add struct member initialization.
2596
2597 2018-06-23  Darin Adler  <darin@apple.com>
2598
2599         [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
2600         https://bugs.webkit.org/show_bug.cgi?id=186973
2601
2602         Reviewed by Dan Bernstein.
2603
2604         * API/JSContext.mm:
2605         (WeakContextRef::WeakContextRef): Deleted.
2606         (WeakContextRef::~WeakContextRef): Deleted.
2607         (WeakContextRef::get): Deleted.
2608         (WeakContextRef::set): Deleted.
2609
2610         * API/JSContextInternal.h: Removed unneeded header guards since this is
2611         an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
2612         of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
2613         since neither is used outside the class implementation.
2614
2615         * API/JSManagedValue.mm:
2616         (-[JSManagedValue initWithValue:]): Use a bridging cast.
2617         (-[JSManagedValue dealloc]): Ditto.
2618         (-[JSManagedValue didAddOwner:]): Ditto.
2619         (-[JSManagedValue didRemoveOwner:]): Ditto.
2620         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
2621         (JSManagedValueHandleOwner::finalize): Ditto.
2622         * API/JSValue.mm:
2623         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
2624         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
2625         (-[JSValue valueForProperty:]): Ditto.
2626         (-[JSValue setValue:forProperty:]): Ditto.
2627         (-[JSValue deleteProperty:]): Ditto.
2628         (-[JSValue hasProperty:]): Ditto.
2629         (-[JSValue invokeMethod:withArguments:]): Ditto.
2630         (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
2631         (valueToArray): Ditto.
2632         (valueToDictionary): Ditto.
2633         (objectToValueWithoutCopy): Ditto.
2634         (objectToValue): Ditto.
2635         * API/JSVirtualMachine.mm:
2636         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
2637         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
2638         (-[JSVirtualMachine isOldExternalObject:]): Ditto.
2639         (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
2640         (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
2641         (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
2642         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
2643         (scanExternalObjectGraph): Ditto.
2644         (scanExternalRememberedSet): Ditto.
2645         * API/JSWrapperMap.mm:
2646         (makeWrapper): Ditto.
2647         (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
2648         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
2649         (tryUnwrapObjcObject): Ditto.
2650         * API/ObjCCallbackFunction.mm:
2651         (blockSignatureContainsClass): Ditto.
2652         (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
2653         sure we will be keeping this the same way under ARC.
2654         (objCCallbackFunctionForBlock): Use a bridging cast.
2655
2656         * API/ObjcRuntimeExtras.h:
2657         (protocolImplementsProtocol): Use a more specific type that includes the
2658         explicit __unsafe_unretained for copied protocol lists.
2659         (forEachProtocolImplementingProtocol): Ditto.
2660
2661         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2662         (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
2663         (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.
2664
2665         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
2666         CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
2667         (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
2668         (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
2669         (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.
2670
2671 2018-06-30  Adam Barth  <abarth@webkit.org>
2672
2673         Port JavaScriptCore to OS(FUCHSIA)
2674         https://bugs.webkit.org/show_bug.cgi?id=187223
2675
2676         Reviewed by Daniel Bates.
2677
2678         * assembler/ARM64Assembler.h:
2679         (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
2680         * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
2681         (JSC::MachineContext::stackPointerImpl):
2682         (JSC::MachineContext::framePointerImpl):
2683         (JSC::MachineContext::instructionPointerImpl):
2684         (JSC::MachineContext::argumentPointer<1>):
2685         (JSC::MachineContext::llintInstructionPointer):
2686
2687 2018-06-30  David Kilzer  <ddkilzer@apple.com>
2688
2689         Fix clang static analyzer warnings: Garbage return value
2690         <https://webkit.org/b/187224>
2691
2692         Reviewed by Eric Carlson.
2693
2694         * bytecode/UnlinkedCodeBlock.cpp:
2695         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
2696         - Use brace initialization for local variables.
2697         * debugger/DebuggerCallFrame.cpp:
2698         (class JSC::LineAndColumnFunctor):
2699         - Use class member initialization for member variables.
2700
2701 2018-06-29  Saam Barati  <sbarati@apple.com>
2702
2703         Unreviewed. Try to fix Windows build after r233377
2704
2705         * builtins/BuiltinExecutables.cpp:
2706         (JSC::BuiltinExecutables::createExecutable):
2707
2708 2018-06-29  Saam Barati  <sbarati@apple.com>
2709
2710         Don't use tracePoints in JS/Wasm entry
2711         https://bugs.webkit.org/show_bug.cgi?id=187196
2712
2713         Reviewed by Mark Lam.
2714
2715         This puts VM entry and Wasm entry tracePoints behind a runtime
2716         option. This is a ~4x speedup on a soon to be released Wasm
2717         benchmark. tracePoints should basically never run more than 50
2718         times a second. Entering the VM and entering Wasm are user controlled,
2719         and can happen hundreds of thousands of times in a second. Depending
2720         on how the Wasm/JS code is structured, this can be disastrous for
2721         performance.
2722
2723         * runtime/Options.h:
2724         * runtime/VMEntryScope.cpp:
2725         (JSC::VMEntryScope::VMEntryScope):
2726         (JSC::VMEntryScope::~VMEntryScope):
2727         * wasm/WasmBBQPlan.cpp:
2728         (JSC::Wasm::BBQPlan::compileFunctions):
2729         * wasm/js/WebAssemblyFunction.cpp:
2730         (JSC::callWebAssemblyFunction):
2731
2732 2018-06-29  Saam Barati  <sbarati@apple.com>
2733
2734         We shouldn't recurse into the parser when gathering metadata about various function offsets
2735         https://bugs.webkit.org/show_bug.cgi?id=184074
2736         <rdar://problem/37165897>
2737
2738         Reviewed by Mark Lam.
2739
2740         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
2741         for that builtin. This required calling into the parser. However, the parser
2742         may throw a stack overflow. We were not able to recover from that. The only
2743         reason we called into the parser here is that we were gathering text offsets
2744         and various metadata for things in the builtin function. This patch writes a
2745         mini parser that figures this information out without calling into the full
2746         parser. (I've also added a debug assert that verifies the mini parser stays in
2747         sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
2748         always succeeds.
2749
2750         * builtins/AsyncFromSyncIteratorPrototype.js:
2751         (globalPrivate.createAsyncFromSyncIterator):
2752         (globalPrivate.AsyncFromSyncIteratorConstructor):
2753         * builtins/BuiltinExecutables.cpp:
2754         (JSC::BuiltinExecutables::createExecutable):
2755         * builtins/GlobalOperations.js:
2756         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
2757         (globalPrivate.speciesConstructor):
2758         (globalPrivate.copyDataProperties):
2759         (globalPrivate.copyDataPropertiesNoExclusions):
2760         * builtins/PromiseOperations.js:
2761         (globalPrivate.newHandledRejectedPromise):
2762         * builtins/RegExpPrototype.js:
2763         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
2764         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
2765         * builtins/StringPrototype.js:
2766         (globalPrivate.hasObservableSideEffectsForStringReplace):
2767         (globalPrivate.getDefaultCollator):
2768         * parser/Nodes.cpp:
2769         (JSC::FunctionMetadataNode::FunctionMetadataNode):
2770         (JSC::FunctionMetadataNode::operator== const):
2771         (JSC::FunctionMetadataNode::dump const):
2772         * parser/Nodes.h:
2773         * parser/Parser.h:
2774         (JSC::parse):
2775         * parser/ParserError.h:
2776         (JSC::ParserError::type const):
2777         * parser/ParserTokens.h:
2778         (JSC::JSTextPosition::operator== const):
2779         (JSC::JSTextPosition::operator!= const):
2780         * parser/SourceCode.h:
2781         (JSC::SourceCode::operator== const):
2782         (JSC::SourceCode::operator!= const):
2783         (JSC::SourceCode::subExpression const):
2784         (JSC::SourceCode::subExpression): Deleted.
2785
2786 2018-06-28  Michael Saboff  <msaboff@apple.com>
2787   
2788         IsoCellSet::sweepToFreeList() not safe when Full GC in process
2789         https://bugs.webkit.org/show_bug.cgi?id=187157
2790
2791         Reviewed by Mark Lam.
2792
2793         * heap/IsoCellSet.cpp:
2794         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
2795         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
2796         or not we are in the process of marking during a full GC.
2797         * heap/MarkedBlock.h:
2798         * heap/MarkedBlockInlines.h:
2799         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
2800
2801 2018-06-27  Saam Barati  <sbarati@apple.com>
2802
2803         Add some more register state information when we crash in repatchPutById
2804         https://bugs.webkit.org/show_bug.cgi?id=187112
2805
2806         Reviewed by Mark Lam.
2807
2808         This will help us gather info when we end up seeing a ObjectPropertyConditionSet
2809         with an offset that is different than what the put tells us.
2810
2811         * jit/Repatch.cpp:
2812         (JSC::tryCachePutByID):
2813
2814 2018-06-27  Mark Lam  <mark.lam@apple.com>
2815
2816         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
2817         https://bugs.webkit.org/show_bug.cgi?id=187119
2818
2819         Reviewed by Keith Miller.
2820
2821         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
2822         should be checking for codeBlock instead of !codeBlock
2823         before using the codeBlock.
2824
2825         I also renamed some other "print" functions to use "dump" instead
2826         to match their underlying C++ code that they will call e.g.
2827         CodeBlock::dumpSource().
2828
2829         * tools/JSDollarVM.cpp:
2830         (WTF::JSDollarVMCallFrame::finishCreation):
2831         (JSC::functionDumpSourceFor):
2832         (JSC::functionDumpBytecodeFor):
2833         (JSC::doPrint):
2834         (JSC::functionDataLog):
2835         (JSC::functionPrint):
2836         (JSC::functionDumpCallFrame):
2837         (JSC::functionDumpStack):
2838         (JSC::JSDollarVM::finishCreation):
2839         (JSC::functionPrintSourceFor): Deleted.
2840         (JSC::functionPrintBytecodeFor): Deleted.
2841         (JSC::doPrintln): Deleted.
2842         (JSC::functionPrintln): Deleted.
2843         (JSC::functionPrintCallFrame): Deleted.
2844         (JSC::functionPrintStack): Deleted.
2845         * tools/VMInspector.cpp:
2846         (JSC::DumpFrameFunctor::DumpFrameFunctor):
2847         (JSC::DumpFrameFunctor::operator() const):
2848         (JSC::VMInspector::dumpCallFrame):
2849         (JSC::VMInspector::dumpStack):
2850         (JSC::VMInspector::dumpValue):
2851         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
2852         (JSC::PrintFrameFunctor::operator() const): Deleted.
2853         (JSC::VMInspector::printCallFrame): Deleted.
2854         (JSC::VMInspector::printStack): Deleted.
2855         (JSC::VMInspector::printValue): Deleted.
2856         * tools/VMInspector.h:
2857
2858 2018-06-27  Keith Miller  <keith_miller@apple.com>
2859
2860         Add logging to try to diagnose where we get a null structure.
2861         https://bugs.webkit.org/show_bug.cgi?id=187106
2862
2863         Reviewed by Mark Lam.
2864
2865         Add a logging to JSObject::toPrimitive to help diagnose a nullptr
2866         structure crash.
2867
2868         This code should be removed when we fix <rdar://problem/33451840>
2869
2870         * runtime/JSObject.cpp:
2871         (JSC::callToPrimitiveFunction):
2872         * runtime/JSObject.h:
2873         (JSC::JSObject::getPropertySlot):
2874
2875 2018-06-27  Mark Lam  <mark.lam@apple.com>
2876
2877         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
2878         https://bugs.webkit.org/show_bug.cgi?id=187091
2879         <rdar://problem/41395624>
2880
2881         Reviewed by Yusuke Suzuki.
2882
2883         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
2884         take their slow paths, the slow path would jump back to the fast path right after
2885         the emitted code which clears the unused property values.  As a result, the
2886         unused properties are not initialized.  We've fixed this by adding the slow path
2887         generators before we emit the code to clear the unused properties.
2888
2889         * dfg/DFGSpeculativeJIT.cpp:
2890         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2891         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2892
2893 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2894
2895         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
2896         https://bugs.webkit.org/show_bug.cgi?id=185943
2897
2898         Reviewed by Mark Lam.
2899
2900         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
2901         the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
2902         the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
2903         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
2904
2905         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
2906         but it should be done in a separate patch since it would be performance sensitive.
2907
2908         * bytecompiler/NodesCodegen.cpp:
2909         (JSC::ArrayPatternNode::emitDirectBinding):
2910
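An added JavaScript example, not part of this ChangeLog entry or of JavaScriptCore's sources, that exercises the language rule the fix restores: an array destructuring assignment expression evaluates to its right-hand side (the same value, not a copy and not undefined), even when the pattern consumes only part of it. Each case puts the result somewhere it must actually be produced (a chained assignment, a return value, a call argument), which is exactly the "dst is required but not yet allocated" situation the entry describes. All inputs are constructed inline.

```javascript
// Added example, not JavaScriptCore code: the language rule the fix above
// restores. An array destructuring assignment evaluates to its right-hand side
// (the very same value, not a copy and not undefined), even when the pattern
// consumes only part of it. Each case below uses the result in a position
// where the bytecode generator must hand back a value instead of dropping it.

function destructuringResults() {
  let a, b, rest, first;
  const src = [1, 2, 3];

  // Result flows into a chained assignment.
  const chained = (first = [a] = src);

  // Result is the return value of an arrow body.
  const returned = (() => ([a, b] = src))();

  // Result is a call argument; the pattern also has a rest element.
  const asArgumentIsSource = Object.is([a, ...rest] = src, src);

  // Nested patterns and holes still yield the right-hand side itself.
  const nestedRhs = [0, [9]];
  const nested = ([, [b]] = nestedRhs);

  // Any iterable works on the right; the expression value is that iterable.
  const fromString = ([a] = 'xy');

  return {
    chainedIsSource: chained === src && first === src,
    returnedIsSource: returned === src,
    asArgumentIsSource,
    nestedIsRhs: nested === nestedRhs,
    fromString,
    bindings: { a, b, rest },
  };
}

console.log(JSON.stringify(destructuringResults()));
```

A statement-position destructuring (`[a] = src;` on its own line) is the `ignoredResult()` case and cannot distinguish a correct engine from the buggy one; only the value-consuming positions above can.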
2911 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2912
2913         [JSC] Pass VM& to functions more
2914         https://bugs.webkit.org/show_bug.cgi?id=186241
2915
2916         Reviewed by Mark Lam.
2917
2918         This patch threads VM& to functions requiring VM& more.
2919
2920         * API/JSObjectRef.cpp:
2921         (JSObjectIsConstructor):
2922         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2923         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
2924         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2925         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
2926         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
2927         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2928         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
2929         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
2930         * bytecode/CodeBlockJettisoningWatchpoint.h:
2931         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2932         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
2933         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2934         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2935         * bytecode/StructureStubClearingWatchpoint.cpp:
2936         (JSC::StructureStubClearingWatchpoint::fireInternal):
2937         * bytecode/StructureStubClearingWatchpoint.h:
2938         * bytecode/Watchpoint.cpp:
2939         (JSC::Watchpoint::fire):
2940         (JSC::WatchpointSet::fireAllWatchpoints):
2941         * bytecode/Watchpoint.h:
2942         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2943         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
2944         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
2945         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2946         (JSC::DFG::AdaptiveStructureWatchpoint::install):
2947         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2948         * dfg/DFGAdaptiveStructureWatchpoint.h:
2949         * dfg/DFGDesiredWatchpoints.cpp:
2950         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
2951         * llint/LLIntSlowPaths.cpp:
2952         (JSC::LLInt::setupGetByIdPrototypeCache):
2953         * runtime/ArrayPrototype.cpp:
2954         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
2955         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2956         * runtime/ECMAScriptSpecInternalFunctions.cpp:
2957         (JSC::esSpecIsConstructor):
2958         * runtime/FunctionRareData.cpp:
2959         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
2960         * runtime/FunctionRareData.h:
2961         * runtime/InferredStructureWatchpoint.cpp:
2962         (JSC::InferredStructureWatchpoint::fireInternal):
2963         * runtime/InferredStructureWatchpoint.h:
2964         * runtime/InternalFunction.cpp:
2965         (JSC::InternalFunction::createSubclassStructureSlow):
2966         * runtime/InternalFunction.h:
2967         (JSC::InternalFunction::createSubclassStructure):
2968         * runtime/JSCJSValue.h:
2969         * runtime/JSCJSValueInlines.h:
2970         (JSC::JSValue::isConstructor const):
2971         * runtime/JSCell.h:
2972         * runtime/JSCellInlines.h:
2973         (JSC::JSCell::isConstructor):
2974         (JSC::JSCell::methodTable const):
2975         * runtime/JSGlobalObject.cpp:
2976         (JSC::JSGlobalObject::init):
2977         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
2978         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
2979         * runtime/ProxyObject.cpp:
2980         (JSC::ProxyObject::finishCreation):
2981         * runtime/ReflectObject.cpp:
2982         (JSC::reflectObjectConstruct):
2983         * runtime/StructureRareData.cpp:
2984         (JSC::StructureRareData::setObjectToStringValue):
2985         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
2986         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2987         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
2988
2989 2018-06-26  Mark Lam  <mark.lam@apple.com>
2990
2991         eval() is wrong about the LiteralParser never throwing any exceptions.
2992         https://bugs.webkit.org/show_bug.cgi?id=187074
2993         <rdar://problem/41461099>
2994
2995         Reviewed by Saam Barati.
2996
2997         Added the missing exception check, and removed an erroneous assertion.
2998
2999         * interpreter/Interpreter.cpp:
3000         (JSC::eval):
3001
3002 2018-06-26  Saam Barati  <sbarati@apple.com>
3003
3004         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
3005         https://bugs.webkit.org/show_bug.cgi?id=186878
3006         <rdar://problem/40568659>
3007
3008         Reviewed by Filip Pizlo.
3009
3010         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
3011         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
3012         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
3013         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
3014         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
3015         conservative scan knows to treat it like a butterfly when we may be
3016         pointing into the middle of it.
3017         
3018         The way we were crashing on the stress GC bots is that our conservative marking
3019         won't do cell visiting for things that are Auxiliary. This meant that if the
3020         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
3021         that JSImmutableButterfly would not be visited. This is now fixed.
3022
3023         * bytecompiler/NodesCodegen.cpp:
3024         (JSC::ArrayNode::emitBytecode):
3025         * debugger/Debugger.cpp:
3026         * heap/ConservativeRoots.cpp:
3027         (JSC::ConservativeRoots::genericAddPointer):
3028         * heap/Heap.cpp:
3029         (JSC::GatherHeapSnapshotData::operator() const):
3030         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
3031         (JSC::Heap::globalObjectCount):
3032         (JSC::Heap::objectTypeCounts):
3033         (JSC::Heap::deleteAllCodeBlocks):
3034         * heap/HeapCell.cpp:
3035         (WTF::printInternal):
3036         * heap/HeapCell.h:
3037         (JSC::isJSCellKind):
3038         (JSC::hasInteriorPointers):
3039         * heap/HeapUtil.h:
3040         (JSC::HeapUtil::findGCObjectPointersForMarking):
3041         (JSC::HeapUtil::isPointerGCObjectJSCell):
3042         * heap/MarkedBlock.cpp:
3043         (JSC::MarkedBlock::Handle::didAddToDirectory):
3044         * heap/SlotVisitor.cpp:
3045         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3046         * runtime/JSGlobalObject.cpp:
3047         * runtime/JSImmutableButterfly.h:
3048         (JSC::JSImmutableButterfly::subspaceFor):
3049         * runtime/VM.cpp:
3050         (JSC::VM::VM):
3051         * runtime/VM.h:
3052         * tools/CellProfile.h:
3053         (JSC::CellProfile::CellProfile):
3054         (JSC::CellProfile::isJSCell const):
3055         * tools/HeapVerifier.cpp:
3056         (JSC::HeapVerifier::validateCell):
3057
3058 2018-06-26  Mark Lam  <mark.lam@apple.com>
3059
3060         Skip some unnecessary work in Interpreter::getStackTrace().
3061         https://bugs.webkit.org/show_bug.cgi?id=187070
3062
3063         Reviewed by Michael Saboff.
3064
3065         * interpreter/Interpreter.cpp:
3066         (JSC::Interpreter::getStackTrace):
3067
3068 2018-06-26  Mark Lam  <mark.lam@apple.com>
3069
3070         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
3071         https://bugs.webkit.org/show_bug.cgi?id=187060
3072         <rdar://problem/41452767>
3073
3074         Reviewed by Keith Miller.
3075
3076         JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
3077         write conversion.  Hence, we can return early after the conversion if the vector
3078         length is already sufficient to cover the requested length.
3079
3080         * runtime/JSObject.cpp:
3081         (JSC::JSObject::ensureLengthSlow):
3082
3083 2018-06-26  Commit Queue  <commit-queue@webkit.org>
3084
3085         Unreviewed, rolling out r233184.
3086         https://bugs.webkit.org/show_bug.cgi?id=187059
3087
3088         "It regressed JetStream between 5-8%" (Requested by saamyjoon
3089         on #webkit).
3090
3091         Reverted changeset:
3092
3093         "JSImmutableButterfly can't be allocated from a subspace with
3094         HeapCell::Kind::Auxiliary"
3095         https://bugs.webkit.org/show_bug.cgi?id=186878
3096         https://trac.webkit.org/changeset/233184
3097
3098 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
3099
3100         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
3101         https://bugs.webkit.org/show_bug.cgi?id=187051
3102
3103         Reviewed by Mark Lam.
3104
3105         Revert r233065 changes over UnlinkedCodeBlock.h to allow
3106         clang-3.8 to be able to compile this back (with libstdc++5)
3107
3108         * bytecode/UnlinkedCodeBlock.h:
3109         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
3110
3111 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
3112
3113         Fix testapi build when DFG_JIT is disabled
3114         https://bugs.webkit.org/show_bug.cgi?id=187038
3115
3116         Reviewed by Mark Lam.
3117
3118         r233158 added a new API and tests for configuring the number of JIT threads, but
3119         the API is only available when DFG_JIT is enabled and so should the tests.
3120
3121         * API/tests/testapi.mm:
3122         (runJITThreadLimitTests):
3123
3124 2018-06-25  Saam Barati  <sbarati@apple.com>
3125
3126         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
3127         https://bugs.webkit.org/show_bug.cgi?id=186878
3128         <rdar://problem/40568659>
3129
3130         Reviewed by Mark Lam.
3131
3132         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
3133         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
3134         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
3135         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
3136         bots is that our conservative marking won't do cell marking for things that
3137         are Auxiliary. This means that if the stack is the only thing pointing to a
3138         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
3139         not be visited. This patch fixes this bug. This patch also extends our conservative
3140         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
3141
3142         * bytecompiler/NodesCodegen.cpp:
3143         (JSC::ArrayNode::emitBytecode):
3144         * heap/HeapUtil.h:
3145         (JSC::HeapUtil::findGCObjectPointersForMarking):
3146         * runtime/JSImmutableButterfly.h:
3147         (JSC::JSImmutableButterfly::subspaceFor):
3148
3149 2018-06-25  Mark Lam  <mark.lam@apple.com>
3150
3151         constructArray() should set m_numValuesInVector to the specified length.
3152         https://bugs.webkit.org/show_bug.cgi?id=187010
3153         <rdar://problem/41392167>
3154
3155         Reviewed by Filip Pizlo.
3156
3157         Its client will fill in the storage vector with some values using initializeIndex()
3158         and expects m_numValuesInVector to be set to the length i.e. the number of values
3159         to be initialized.
3160
3161         * runtime/JSArray.cpp:
3162         (JSC::constructArray):
3163
3164 2018-06-25  Mark Lam  <mark.lam@apple.com>
3165
3166         Add missing exception check in RegExpObjectInlines.h's collectMatches.
3167         https://bugs.webkit.org/show_bug.cgi?id=187006
3168         <rdar://problem/41418412>
3169
3170         Reviewed by Keith Miller.
3171
3172         * runtime/RegExpObjectInlines.h:
3173         (JSC::collectMatches):
3174
3175 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
3176
3177         Add API for configuring the number of threads used by DFG and FTL
3178         https://bugs.webkit.org/show_bug.cgi?id=186859
3179         <rdar://problem/41093519>
3180
3181         Reviewed by Filip Pizlo.
3182
3183         Add new private APIs for limiting the number of threads to be used by
3184         the DFG and FTL compilers. It was already possible to configure the
3185         limit through JSC Options, but now it can be changed at runtime, even
3186         in the case when the VM is already running.
3187
3188         Add a test for both cases: when trying to configure the limit before
3189         and after the Worklist has been created, but in order to simulate the
3190         first scenario, we must guarantee that the test runs at the very
3191         beginning, so I also added a check for that.
3192
3193         * API/JSVirtualMachine.mm:
3194         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
3195         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
3196         * API/JSVirtualMachinePrivate.h:
3197         * API/tests/testapi.mm:
3198         (runJITThreadLimitTests):
3199         (testObjectiveCAPIMain):
3200         * dfg/DFGWorklist.cpp:
3201         (JSC::DFG::Worklist::finishCreation):
3202         (JSC::DFG::Worklist::createNewThread):
3203         (JSC::DFG::Worklist::setNumberOfThreads):
3204         * dfg/DFGWorklist.h:
3205
3206 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3207
3208         [JSC] Remove unnecessary PLATFORM guards
3209         https://bugs.webkit.org/show_bug.cgi?id=186995
3210
3211         Reviewed by Mark Lam.
3212
3213         * assembler/AssemblerCommon.h:
3214         (JSC::isIOS):
3215         Add constexpr.
3216
3217         * inspector/JSGlobalObjectInspectorController.cpp:
3218         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3219         StackFrame works on all platforms. If StackFrame::demangle failed,
3220         it just returns std::nullopt. And it is correctly handled in this code.
3221
3222 2018-06-23  Mark Lam  <mark.lam@apple.com>
3223
3224         Add more debugging features to $vm.
3225         https://bugs.webkit.org/show_bug.cgi?id=186947
3226
3227         Reviewed by Keith Miller.
3228
3229         Adding the following features:
3230
3231             // We now have println in addition to print.
3232             // println automatically adds a '\n' at the end.
3233             $vm.println("Hello");
3234
3235             // We can now capture some info about a stack frame.
3236             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
3237             var callerCallerFrame = $vm.callFrame(2);
3238
3239             // We can inspect the following values associated with the frame:
3240             if (currentFrame.valid) {
3241                 $vm.println("name is ", currentFrame.name);
3242
3243                 // Note: For a WASM frame, all of these will be undefined.
3244                 $vm.println("callee is ", $vm.value(currentFrame.callee));
3245                 $vm.println("codeBlock is ", currentFrame.codeBlock);
3246                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
3247                 $vm.println("executable is ", currentFrame.executable);
3248             }
3249
3250             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
3251             // to dataLog its JSValue instead of its toString() result.
3252
3253             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
3254             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
3255             // toString on a non-object.
3256
3257             // Does what it says about enabling/disabling debugger mode.
3258             $vm.enableDebuggerModeWhenIdle();
3259             $vm.disableDebuggerModeWhenIdle();
3260
3261         * tools/JSDollarVM.cpp:
3262         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
3263         (WTF::JSDollarVMCallFrame::createStructure):
3264         (WTF::JSDollarVMCallFrame::create):
3265         (WTF::JSDollarVMCallFrame::finishCreation):
3266         (WTF::JSDollarVMCallFrame::addProperty):
3267         (JSC::functionCallFrame):
3268         (JSC::functionCodeBlockForFrame):
3269         (JSC::codeBlockFromArg):
3270         (JSC::doPrintln):
3271         (JSC::functionPrint):
3272         (JSC::functionPrintln):
3273         (JSC::changeDebuggerModeWhenIdle):
3274         (JSC::functionEnableDebuggerModeWhenIdle):
3275         (JSC::functionDisableDebuggerModeWhenIdle):
3276         (JSC::JSDollarVM::finishCreation):
3277
3278 2018-06-22  Keith Miller  <keith_miller@apple.com>
3279
3280         We need to have a getDirectConcurrently for use in the compilers
3281         https://bugs.webkit.org/show_bug.cgi?id=186954
3282
3283         Reviewed by Mark Lam.
3284
3285         It used to be that the propertyStorage of an object never shrank,
3286         so if you called getDirect with some offset it would never be an
3287         OOB read. However, this property storage can shrink when calling
3288         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
3289         holds the Structure's ConcurrentJSLock while shrinking. This patch
3290         adds a getDirectConcurrently that will safely try to load from the
3291         butterfly.
3292
3293         * bytecode/ObjectPropertyConditionSet.cpp:
3294         * bytecode/PropertyCondition.cpp:
3295         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
3296         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
3297         * dfg/DFGGraph.cpp:
3298         (JSC::DFG::Graph::tryGetConstantProperty):
3299         * runtime/JSObject.h:
3300         (JSC::JSObject::getDirectConcurrently const):
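A small C++ model of the hazard the entry above describes, added here as an illustration and not WebKit's own code: property storage that can shrink while a lock is held, an unchecked reader that assumes it never shrinks, and a bounds-checked reader in the spirit of getDirectConcurrently. The PropertyStorage class, the std::mutex standing in for the ConcurrentJSLock, and the slot counts in the scenario are assumptions.

```cpp
// Added illustration, not WebKit code. PropertyStorage models an object's
// out-of-line property storage; std::mutex stands in for the Structure's
// ConcurrentJSLock that flattenDictionaryStructure holds while shrinking.
#include <cstddef>
#include <cstdint>
#include <mutex>
#include <optional>
#include <vector>

using JSValueBits = std::uint64_t; // stand-in for an encoded JSValue

class PropertyStorage {
public:
    explicit PropertyStorage(std::size_t capacity) : m_slots(capacity, 0) {}

    // Mutator-side store; the caller guarantees the offset fits the current layout.
    void putDirect(std::size_t offset, JSValueBits value) {
        std::lock_guard<std::mutex> locker(m_lock);
        m_slots.at(offset) = value;
    }

    // Mutator-side shrink (the flattenDictionaryStructure case): done under the
    // lock, so a reader that also takes the lock never sees a half-updated layout.
    void shrinkTo(std::size_t newCapacity) {
        std::lock_guard<std::mutex> locker(m_lock);
        if (newCapacity < m_slots.size())
            m_slots.resize(newCapacity);
    }

    // The old assumption baked into a plain getDirect: storage never shrinks, so
    // an offset that was valid once stays valid. After shrinkTo() this is an
    // out-of-bounds read for a stale offset; kept only to show the contrast.
    JSValueBits getDirectUnchecked(std::size_t offset) const {
        return m_slots[offset];
    }

    // Concurrent-reader variant: take the same lock the shrinking path holds,
    // re-validate the offset against the live capacity, and fail closed.
    std::optional<JSValueBits> getDirectConcurrently(std::size_t offset) const {
        std::lock_guard<std::mutex> locker(m_lock);
        if (offset >= m_slots.size())
            return std::nullopt;
        return m_slots[offset];
    }

    std::size_t capacity() const {
        std::lock_guard<std::mutex> locker(m_lock);
        return m_slots.size();
    }

private:
    mutable std::mutex m_lock;
    std::vector<JSValueBits> m_slots;
};

// Constructed scenario: a compiler thread learned offset 7 while the object had
// 8 slots; the mutator then flattened the dictionary down to 4 slots.
bool staleOffsetIsRejected() {
    PropertyStorage storage(8);
    storage.putDirect(7, 0x2A);
    std::optional<JSValueBits> before = storage.getDirectConcurrently(7); // valid: 0x2A
    storage.shrinkTo(4);
    std::optional<JSValueBits> after = storage.getDirectConcurrently(7);  // stale: nullopt
    return before.has_value() && *before == 0x2A && !after.has_value()
        && storage.capacity() == 4;
}
```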
3301
3302 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3303
3304         [WTF] Use Ref<> for the result type of non-failing factory functions
3305         https://bugs.webkit.org/show_bug.cgi?id=186920
3306
3307         Reviewed by Darin Adler.
3308
3309         * dfg/DFGWorklist.cpp:
3310         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
3311         (JSC::DFG::Worklist::finishCreation):
3312         * dfg/DFGWorklist.h:
3313         * heap/Heap.cpp:
3314         (JSC::Heap::Thread::Thread):
3315         * heap/Heap.h:
3316         * jit/JITWorklist.cpp:
3317         (JSC::JITWorklist::Thread::Thread):
3318         * jit/JITWorklist.h:
3319         * runtime/VMTraps.cpp:
3320         * runtime/VMTraps.h:
3321         * wasm/WasmWorklist.cpp:
3322         * wasm/WasmWorklist.h:
3323
3324 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3325
3326         [WTF] Add user-defined literal for ASCIILiteral
3327         https://bugs.webkit.org/show_bug.cgi?id=186839
3328
3329         Reviewed by Darin Adler.
3330
3331         * API/JSCallbackObjectFunctions.h:
3332         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
3333         (JSC::JSCallbackObject<Parent>::callbackGetter):
3334         * API/JSObjectRef.cpp:
3335         (JSObjectMakeFunctionWithCallback):
3336         * API/JSTypedArray.cpp:
3337         (JSObjectGetArrayBufferBytesPtr):
3338         * API/JSValue.mm:
3339         (valueToArray):
3340         (valueToDictionary):
3341         * API/ObjCCallbackFunction.mm:
3342         (JSC::objCCallbackFunctionCallAsFunction):
3343         (JSC::objCCallbackFunctionCallAsConstructor):
3344         (JSC::ObjCCallbackFunctionImpl::call):
3345         * API/glib/JSCCallbackFunction.cpp:
3346         (JSC::JSCCallbackFunction::call):
3347         (JSC::JSCCallbackFunction::construct):
3348         * API/glib/JSCContext.cpp:
3349         (jscContextJSValueToGValue):
3350         * API/glib/JSCValue.cpp:
3351         (jsc_value_object_define_property_accessor):
3352         (jscValueFunctionCreate):
3353         * builtins/BuiltinUtils.h:
3354         * bytecode/CodeBlock.cpp:
3355         (JSC::CodeBlock::nameForRegister):
3356         * bytecompiler/BytecodeGenerator.cpp:
3357         (JSC::BytecodeGenerator::emitEnumeration):
3358         (JSC::BytecodeGenerator::emitIteratorNext):
3359         (JSC::BytecodeGenerator::emitIteratorClose):
3360         (JSC::BytecodeGenerator::emitDelegateYield):
3361         * bytecompiler/NodesCodegen.cpp:
3362         (JSC::FunctionCallValueNode::emitBytecode):
3363         (JSC::PostfixNode::emitBytecode):
3364         (JSC::PrefixNode::emitBytecode):
3365         (JSC::AssignErrorNode::emitBytecode):
3366         (JSC::ForInNode::emitBytecode):
3367         (JSC::ForOfNode::emitBytecode):
3368         (JSC::ClassExprNode::emitBytecode):
3369         (JSC::ObjectPatternNode::bindValue const):
3370         * dfg/DFGDriver.cpp:
3371         (JSC::DFG::compileImpl):
3372         * dfg/DFGOperations.cpp:
3373         (JSC::DFG::newTypedArrayWithSize):
3374         * dfg/DFGStrengthReductionPhase.cpp:
3375         (JSC::DFG::StrengthReductionPhase::handleNode):
3376         * inspector/ConsoleMessage.cpp:
3377         (Inspector::ConsoleMessage::addToFrontend):
3378         (Inspector::ConsoleMessage::clear):
3379         * inspector/ContentSearchUtilities.cpp:
3380         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
3381         * inspector/InjectedScript.cpp:
3382         (Inspector::InjectedScript::InjectedScript):
3383         (Inspector::InjectedScript::evaluate):
3384         (Inspector::InjectedScript::callFunctionOn):
3385         (Inspector::InjectedScript::evaluateOnCallFrame):
3386         (Inspector::InjectedScript::getFunctionDetails):
3387         (Inspector::InjectedScript::functionDetails):
3388         (Inspector::InjectedScript::getPreview):
3389         (Inspector::InjectedScript::getProperties):
3390         (Inspector::InjectedScript::getDisplayableProperties):
3391         (Inspector::InjectedScript::getInternalProperties):
3392         (Inspector::InjectedScript::getCollectionEntries):
3393         (Inspector::InjectedScript::saveResult):
3394         (Inspector::InjectedScript::wrapCallFrames const):
3395         (Inspector::InjectedScript::wrapObject const):
3396         (Inspector::InjectedScript::wrapJSONString const):
3397         (Inspector::InjectedScript::wrapTable const):
3398         (Inspector::InjectedScript::previewValue const):
3399         (Inspector::InjectedScript::setExceptionValue):
3400         (Inspector::InjectedScript::clearExceptionValue):
3401         (Inspector::InjectedScript::findObjectById const):
3402         (Inspector::InjectedScript::inspectObject):
3403         (Inspector::InjectedScript::releaseObject):
3404         (Inspector::InjectedScript::releaseObjectGroup):
3405         * inspector/InjectedScriptBase.cpp:
3406         (Inspector::InjectedScriptBase::makeEvalCall):
3407         * inspector/InjectedScriptManager.cpp:
3408         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
3409         * inspector/InjectedScriptModule.cpp:
3410         (Inspector::InjectedScriptModule::ensureInjected):
3411         * inspector/InspectorBackendDispatcher.cpp:
3412         (Inspector::BackendDispatcher::dispatch):
3413         (Inspector::BackendDispatcher::sendResponse):
3414         (Inspector::BackendDispatcher::sendPendingErrors):
3415         * inspector/JSGlobalObjectConsoleClient.cpp:
3416         (Inspector::JSGlobalObjectConsoleClient::profile):
3417         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
3418         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
3419         * inspector/JSGlobalObjectInspectorController.cpp:
3420         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3421         * inspector/JSInjectedScriptHost.cpp:
3422         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3423         (Inspector::JSInjectedScriptHost::subtype):
3424         (Inspector::JSInjectedScriptHost::getInternalProperties):
3425         * inspector/JSJavaScriptCallFrame.cpp:
3426         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
3427         (Inspector::JSJavaScriptCallFrame::type const):
3428         * inspector/ScriptArguments.cpp:
3429         (Inspector::ScriptArguments::getFirstArgumentAsString):
3430         * inspector/ScriptCallStackFactory.cpp:
3431         (Inspector::extractSourceInformationFromException):
3432         * inspector/agents/InspectorAgent.cpp:
3433         (Inspector::InspectorAgent::InspectorAgent):
3434         * inspector/agents/InspectorConsoleAgent.cpp:
3435         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
3436         (Inspector::InspectorConsoleAgent::clearMessages):
3437         (Inspector::InspectorConsoleAgent::count):
3438         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
3439         * inspector/agents/InspectorDebuggerAgent.cpp:
3440         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
3441         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
3442         (Inspector::buildObjectForBreakpointCookie):
3443         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3444         (Inspector::parseLocation):
3445         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3446         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3447         (Inspector::InspectorDebuggerAgent::continueToLocation):
3448         (Inspector::InspectorDebuggerAgent::searchInContent):
3449         (Inspector::InspectorDebuggerAgent::getScriptSource):
3450         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
3451         (Inspector::InspectorDebuggerAgent::resume):
3452         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
3453         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
3454         (Inspector::InspectorDebuggerAgent::didParseSource):
3455         (Inspector::InspectorDebuggerAgent::assertPaused):
3456         * inspector/agents/InspectorHeapAgent.cpp:
3457         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
3458         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
3459         (Inspector::InspectorHeapAgent::getPreview):
3460         (Inspector::InspectorHeapAgent::getRemoteObject):
3461         * inspector/agents/InspectorRuntimeAgent.cpp:
3462         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
3463         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3464         (Inspector::InspectorRuntimeAgent::getPreview):
3465         (Inspector::InspectorRuntimeAgent::getProperties):
3466         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
3467         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
3468         (Inspector::InspectorRuntimeAgent::saveResult):
3469         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3470         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3471         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3472         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
3473         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3474         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
3475         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3476         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
3477         * inspector/scripts/codegen/cpp_generator_templates.py:
3478         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3479         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
3480         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3481         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3482         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3483         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3484         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3485         (CppProtocolTypesImplementationGenerator):
3486         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3487         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
3488         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
3489         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3490         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3491         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3492         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
3493         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
3494         * inspector/scripts/codegen/objc_generator_templates.py:
3495         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3496         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3497         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3498         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3499         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3500         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3501         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3502         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3503         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3504         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3505         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3506         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3507         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3508         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3509         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3510         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3511         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3512         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3513         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3514         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3515         * interpreter/CallFrame.cpp:
3516         (JSC::CallFrame::friendlyFunctionName):
3517         * interpreter/Interpreter.cpp:
3518         (JSC::Interpreter::execute):
3519         * interpreter/StackVisitor.cpp:
3520         (JSC::StackVisitor::Frame::functionName const):
3521         (JSC::StackVisitor::Frame::sourceURL const):
3522         * jit/JIT.cpp:
3523         (JSC::JIT::doMainThreadPreparationBeforeCompile):
3524         * jit/JITOperations.cpp:
3525         * jsc.cpp:
3526         (resolvePath):
3527         (GlobalObject::moduleLoaderImportModule):
3528         (GlobalObject::moduleLoaderResolve):
3529         (functionDescribeArray):
3530         (functionRun):
3531         (functionLoad):
3532         (functionCheckSyntax):
3533         (functionDollarEvalScript):
3534         (functionDollarAgentStart):
3535         (functionDollarAgentReceiveBroadcast):
3536         (functionDollarAgentBroadcast):
3537         (functionTransferArrayBuffer):
3538         (functionLoadModule):
3539         (functionSamplingProfilerStackTraces):
3540         (functionAsyncTestStart):
3541         (functionWebAssemblyMemoryMode):
3542         (runWithOptions):
3543         * parser/Lexer.cpp:
3544         (JSC::Lexer<T>::invalidCharacterMessage const):
3545         (JSC::Lexer<T>::parseString):
3546         (JSC::Lexer<T>::parseComplexEscape):
3547         (JSC::Lexer<T>::parseStringSlowCase):
3548         (JSC::Lexer<T>::parseTemplateLiteral):
3549         (JSC::Lexer<T>::lex):
3550         * parser/Parser.cpp:
3551         (JSC::Parser<LexerType>::parseInner):
3552         * parser/Parser.h:
3553         (JSC::Parser::setErrorMessage):
3554         * runtime/AbstractModuleRecord.cpp:
3555         (JSC::AbstractModuleRecord::finishCreation):
3556         * runtime/ArrayBuffer.cpp:
3557         (JSC::errorMesasgeForTransfer):
3558         * runtime/ArrayBufferSharingMode.h:
3559         (JSC::arrayBufferSharingModeName):
3560         * runtime/ArrayConstructor.cpp:
3561         (JSC::constructArrayWithSizeQuirk):
3562         (JSC::isArraySlowInline):
3563         * runtime/ArrayPrototype.cpp:
3564         (JSC::setLength):
3565         (JSC::shift):
3566         (JSC::unshift):
3567         (JSC::arrayProtoFuncPop):
3568         (JSC::arrayProtoFuncReverse):
3569         (JSC::arrayProtoFuncUnShift):
3570         * runtime/AtomicsObject.cpp:
3571         (JSC::atomicsFuncWait):
3572         (JSC::atomicsFuncWake):
3573         * runtime/BigIntConstructor.cpp:
3574         (JSC::BigIntConstructor::finishCreation):
3575         (JSC::toBigInt):
3576         (JSC::callBigIntConstructor):
3577         * runtime/BigIntObject.cpp:
3578         (JSC::BigIntObject::toStringName):
3579         * runtime/BigIntPrototype.cpp:
3580         (JSC::bigIntProtoFuncToString):
3581         (JSC::bigIntProtoFuncValueOf):
3582         * runtime/CommonSlowPaths.cpp:
3583         (JSC::SLOW_PATH_DECL):
3584         * runtime/ConsoleClient.cpp:
3585         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3586         * runtime/ConsoleObject.cpp:
3587         (JSC::valueOrDefaultLabelString):
3588         (JSC::consoleProtoFuncTime):
3589         (JSC::consoleProtoFuncTimeEnd):
3590         * runtime/DatePrototype.cpp:
3591         (JSC::formatLocaleDate):
3592         (JSC::formateDateInstance):
3593         (JSC::DatePrototype::finishCreation):
3594         (JSC::dateProtoFuncToISOString):
3595         (JSC::dateProtoFuncToJSON):
3596         * runtime/Error.cpp:
3597         (JSC::createNotEnoughArgumentsError):
3598         (JSC::throwSyntaxError):
3599         (JSC::createTypeError):
3600         (JSC::createOutOfMemoryError):
3601         * runtime/Error.h:
3602         (JSC::throwVMError):
3603         * runtime/ErrorConstructor.cpp:
3604         (JSC::ErrorConstructor::finishCreation):
3605         * runtime/ErrorInstance.cpp:
3606         (JSC::ErrorInstance::sanitizedToString):
3607         * runtime/ErrorPrototype.cpp:
3608         (JSC::ErrorPrototype::finishCreation):
3609         (JSC::errorProtoFuncToString):
3610         * runtime/ExceptionFuzz.cpp:
3611         (JSC::doExceptionFuzzing):
3612         * runtime/ExceptionHelpers.cpp:
3613         (JSC::TerminatedExecutionError::defaultValue):
3614         (JSC::createStackOverflowError):
3615         (JSC::createNotAConstructorError):
3616         (JSC::createNotAFunctionError):
3617         (JSC::createNotAnObjectError):
3618         * runtime/GetterSetter.cpp:
3619         (JSC::callSetter):
3620         * runtime/IntlCollator.cpp:
3621         (JSC::sortLocaleData):
3622         (JSC::searchLocaleData):
3623         (JSC::IntlCollator::initializeCollator):
3624         (JSC::IntlCollator::compareStrings):
3625         (JSC::IntlCollator::usageString):
3626         (JSC::IntlCollator::sensitivityString):
3627         (JSC::IntlCollator::caseFirstString):
3628         (JSC::IntlCollator::resolvedOptions):
3629         * runtime/IntlCollator.h:
3630         * runtime/IntlCollatorConstructor.cpp:
3631         (JSC::IntlCollatorConstructor::finishCreation):
3632         * runtime/IntlCollatorPrototype.cpp:
3633         (JSC::IntlCollatorPrototypeGetterCompare):
3634         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
3635         * runtime/IntlDateTimeFormat.cpp:
3636         (JSC::defaultTimeZone):
3637         (JSC::canonicalizeTimeZoneName):
3638         (JSC::IntlDTFInternal::localeData):
3639         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
3640         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3641         (JSC::IntlDateTimeFormat::weekdayString):
3642         (JSC::IntlDateTimeFormat::eraString):
3643         (JSC::IntlDateTimeFormat::yearString):
3644         (JSC::IntlDateTimeFormat::monthString):
3645         (JSC::IntlDateTimeFormat::dayString):
3646         (JSC::IntlDateTimeFormat::hourString):
3647         (JSC::IntlDateTimeFormat::minuteString):
3648         (JSC::IntlDateTimeFormat::secondString):
3649         (JSC::IntlDateTimeFormat::timeZoneNameString):
3650         (JSC::IntlDateTimeFormat::resolvedOptions):
3651         (JSC::IntlDateTimeFormat::format):
3652         (JSC::IntlDateTimeFormat::partTypeString):
3653         (JSC::IntlDateTimeFormat::formatToParts):
3654         * runtime/IntlDateTimeFormat.h:
3655         * runtime/IntlDateTimeFormatConstructor.cpp:
3656         (JSC::IntlDateTimeFormatConstructor::finishCreation):
3657         * runtime/IntlDateTimeFormatPrototype.cpp:
3658         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
3659         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
3660         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
3661         * runtime/IntlNumberFormat.cpp:
3662         (JSC::IntlNumberFormat::initializeNumberFormat):
3663         (JSC::IntlNumberFormat::formatNumber):
3664         (JSC::IntlNumberFormat::styleString):
3665         (JSC::IntlNumberFormat::currencyDisplayString):
3666         (JSC::IntlNumberFormat::resolvedOptions):
3667         (JSC::IntlNumberFormat::partTypeString):
3668         (JSC::IntlNumberFormat::formatToParts):
3669         * runtime/IntlNumberFormat.h:
3670         * runtime/IntlNumberFormatConstructor.cpp:
3671         (JSC::IntlNumberFormatConstructor::finishCreation):
3672         * runtime/IntlNumberFormatPrototype.cpp:
3673         (JSC::IntlNumberFormatPrototypeGetterFormat):
3674         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
3675         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
3676         * runtime/IntlObject.cpp:
3677         (JSC::grandfatheredLangTag):
3678         (JSC::canonicalizeLocaleList):
3679         (JSC::resolveLocale):
3680         (JSC::supportedLocales):
3681         * runtime/IntlPluralRules.cpp:
3682         (JSC::IntlPluralRules::initializePluralRules):
3683         (JSC::IntlPluralRules::resolvedOptions):
3684         (JSC::IntlPluralRules::select):
3685         * runtime/IntlPluralRulesConstructor.cpp:
3686         (JSC::IntlPluralRulesConstructor::finishCreation):
3687         * runtime/IntlPluralRulesPrototype.cpp:
3688         (JSC::IntlPluralRulesPrototypeFuncSelect):
3689         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
3690         * runtime/IteratorOperations.cpp:
3691         (JSC::iteratorNext):
3692         (JSC::iteratorClose):
3693         (JSC::hasIteratorMethod):
3694         (JSC::iteratorMethod):
3695         * runtime/JSArray.cpp:
3696         (JSC::JSArray::tryCreateUninitializedRestricted):
3697         (JSC::JSArray::defineOwnProperty):
3698         (JSC::JSArray::put):
3699         (JSC::JSArray::setLengthWithArrayStorage):
3700         (JSC::JSArray::appendMemcpy):
3701         (JSC::JSArray::pop):
3702         * runtime/JSArray.h:
3703         * runtime/JSArrayBufferConstructor.cpp:
3704         (JSC::JSArrayBufferConstructor::finishCreation):
3705         * runtime/JSArrayBufferPrototype.cpp:
3706         (JSC::arrayBufferProtoFuncSlice):
3707         (JSC::arrayBufferProtoGetterFuncByteLength):
3708         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
3709         * runtime/JSArrayBufferView.cpp:
3710         (JSC::JSArrayBufferView::toStringName):
3711         * runtime/JSArrayInlines.h:
3712         (JSC::JSArray::pushInline):
3713         * runtime/JSBigInt.cpp:
3714         (JSC::JSBigInt::divide):
3715         (JSC::JSBigInt::remainder):
3716         (JSC::JSBigInt::toNumber const):
3717         * runtime/JSCJSValue.cpp:
3718         (JSC::JSValue::putToPrimitive):
3719         (JSC::JSValue::putToPrimitiveByIndex):
3720         (JSC::JSValue::toStringSlowCase const):
3721         * runtime/JSCJSValueInlines.h:
3722         (JSC::toPreferredPrimitiveType):
3723         * runtime/JSDataView.cpp:
3724         (JSC::JSDataView::create):
3725         (JSC::JSDataView::put):
3726         (JSC::JSDataView::defineOwnProperty):
3727         * runtime/JSDataViewPrototype.cpp:
3728         (JSC::getData):
3729         (JSC::setData):
3730         * runtime/JSFunction.cpp:
3731         (JSC::JSFunction::callerGetter):
3732         (JSC::JSFunction::put):
3733         (JSC::JSFunction::defineOwnProperty):
3734         * runtime/JSGenericTypedArrayView.h:
3735         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3736         (JSC::constructGenericTypedArrayViewWithArguments):
3737         (JSC::constructGenericTypedArrayView):
3738         * runtime/JSGenericTypedArrayViewInlines.h:
3739         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
3740         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3741         (JSC::speciesConstruct):
3742         (JSC::genericTypedArrayViewProtoFuncSet):
3743         (JSC::genericTypedArrayViewProtoFuncIndexOf):
3744         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
3745         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
3746         * runtime/JSGlobalObject.cpp:
3747         (JSC::JSGlobalObject::init):
3748         * runtime/JSGlobalObjectDebuggable.cpp:
3749         (JSC::JSGlobalObjectDebuggable::name const):
3750         * runtime/JSGlobalObjectFunctions.cpp:
3751         (JSC::encode):
3752         (JSC::decode):
3753         (JSC::globalFuncProtoSetter):
3754         * runtime/JSGlobalObjectFunctions.h:
3755         * runtime/JSMap.cpp:
3756         (JSC::JSMap::toStringName):
3757         * runtime/JSModuleEnvironment.cpp:
3758         (JSC::JSModuleEnvironment::put):
3759         * runtime/JSModuleNamespaceObject.cpp:
3760         (JSC::JSModuleNamespaceObject::put):
3761         (JSC::JSModuleNamespaceObject::putByIndex):
3762         (JSC::JSModuleNamespaceObject::defineOwnProperty):
3763         * runtime/JSONObject.cpp:
3764         (JSC::Stringifier::appendStringifiedValue):
3765         (JSC::JSONProtoFuncParse):
3766         (JSC::JSONProtoFuncStringify):
3767         * runtime/JSObject.cpp:
3768         (JSC::getClassPropertyNames):
3769         (JSC::JSObject::calculatedClassName):
3770         (JSC::ordinarySetSlow):
3771         (JSC::JSObject::putInlineSlow):
3772         (JSC::JSObject::setPrototypeWithCycleCheck):
3773         (JSC::callToPrimitiveFunction):
3774         (JSC::JSObject::ordinaryToPrimitive const):
3775         (JSC::JSObject::defaultHasInstance):
3776         (JSC::JSObject::defineOwnIndexedProperty):
3777         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3778         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3779         (JSC::validateAndApplyPropertyDescriptor):
3780         * runtime/JSObject.h:
3781         * runtime/JSObjectInlines.h:
3782         (JSC::JSObject::putInlineForJSObject):
3783         * runtime/JSPromiseConstructor.cpp:
3784         (JSC::JSPromiseConstructor::finishCreation):
3785         * runtime/JSSet.cpp:
3786         (JSC::JSSet::toStringName):
3787         * runtime/JSSymbolTableObject.h:
3788         (JSC::symbolTablePut):
3789         * runtime/JSTypedArrayViewConstructor.cpp:
3790         (JSC::constructTypedArrayView):
3791         * runtime/JSTypedArrayViewPrototype.cpp:
3792         (JSC::typedArrayViewPrivateFuncLength):
3793         (JSC::typedArrayViewProtoFuncSet):
3794         (JSC::typedArrayViewProtoFuncCopyWithin):
3795         (JSC::typedArrayViewProtoFuncLastIndexOf):
3796         (JSC::typedArrayViewProtoFuncIndexOf):
3797         (JSC::typedArrayViewProtoFuncJoin):
3798         (JSC::typedArrayViewProtoGetterFuncBuffer):
3799         (JSC::typedArrayViewProtoGetterFuncLength):
3800         (JSC::typedArrayViewProtoGetterFuncByteLength):
3801         (JSC::typedArrayViewProtoGetterFuncByteOffset):
3802         (JSC::typedArrayViewProtoFuncReverse):
3803         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
3804         (JSC::typedArrayViewProtoFuncSlice):
3805         (JSC::JSTypedArrayViewPrototype::finishCreation):
3806         * runtime/JSWeakMap.cpp:
3807         (JSC::JSWeakMap::toStringName):
3808         * runtime/JSWeakSet.cpp:
3809         (JSC::JSWeakSet::toStringName):
3810         * runtime/LiteralParser.cpp:
3811         (JSC::LiteralParser<CharType>::Lexer::lex):
3812         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
3813         (JSC::LiteralParser<CharType>::Lexer::lexNumber):
3814         (JSC::LiteralParser<CharType>::parse):
3815         * runtime/LiteralParser.h:
3816         (JSC::LiteralParser::getErrorMessage):
3817         * runtime/Lookup.cpp:
3818         (JSC::reifyStaticAccessor):
3819         * runtime/Lookup.h:
3820         (JSC::putEntry):
3821         * runtime/MapPrototype.cpp:
3822         (JSC::getMap):
3823         * runtime/NullSetterFunction.cpp:
3824         (JSC::NullSetterFunctionInternal::callReturnUndefined):
3825         * runtime/NumberPrototype.cpp:
3826         (JSC::numberProtoFuncToExponential):
3827         (JSC::numberProtoFuncToFixed):
3828         (JSC::numberProtoFuncToPrecision):
3829         (JSC::extractToStringRadixArgument):
3830         * runtime/ObjectConstructor.cpp:
3831         (JSC::objectConstructorSetPrototypeOf):
3832         (JSC::objectConstructorAssign):
3833         (JSC::objectConstructorValues):
3834         (JSC::toPropertyDescriptor):
3835         (JSC::objectConstructorDefineProperty):
3836         (JSC::objectConstructorDefineProperties):
3837         (JSC::objectConstructorCreate):
3838         (JSC::objectConstructorSeal):
3839         (JSC::objectConstructorFreeze):
3840         * runtime/ObjectPrototype.cpp:
3841         (JSC::objectProtoFuncDefineGetter):
3842         (JSC::objectProtoFuncDefineSetter):
3843         * runtime/Operations.cpp:
3844         (JSC::jsAddSlowCase):
3845         * runtime/Operations.h:
3846         (JSC::jsSub):
3847         (JSC::jsMul):
3848         * runtime/ProgramExecutable.cpp:
3849         (JSC::ProgramExecutable::initializeGlobalProperties):
3850         * runtime/ProxyConstructor.cpp:
3851         (JSC::makeRevocableProxy):
3852         (JSC::proxyRevocableConstructorThrowError):
3853         (JSC::ProxyConstructor::finishCreation):
3854         (JSC::constructProxyObject):
3855         * runtime/ProxyObject.cpp:
3856         (JSC::ProxyObject::toStringName):
3857         (JSC::ProxyObject::finishCreation):
3858         (JSC::performProxyGet):
3859         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3860         (JSC::ProxyObject::performHasProperty):
3861         (JSC::ProxyObject::performPut):
3862         (JSC::performProxyCall):
3863         (JSC::performProxyConstruct):
3864         (JSC::ProxyObject::performDelete):
3865         (JSC::ProxyObject::performPreventExtensions):
3866         (JSC::ProxyObject::performIsExtensible):