[JSC] Thread VM& to JSCell::methodTable(VM&)
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Thread VM& to JSCell::methodTable(VM&)
        https://bugs.webkit.org/show_bug.cgi?id=187548

        Reviewed by Saam Barati.

        This patch threads VM& to methodTable(VM&) and removes methodTable().
        We add a VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.

        * API/APICast.h:
        (toJS):
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::className):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::estimatedSize):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::estimatedSize):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::className):
        * debugger/DebuggerScope.h:
        * heap/Heap.cpp:
        (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
        (JSC::GatherHeapSnapshotData::operator() const):
        (JSC::Heap::gatherExtraHeapSnapshotData):
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        * runtime/ClassInfo.h:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::estimatedSize):
        * runtime/DirectArguments.h:
        * runtime/HashMapImpl.cpp:
        (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
        * runtime/HashMapImpl.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::estimatedSize):
        * runtime/JSArrayBuffer.h:
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::estimatedSize):
        * runtime/JSBigInt.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::dump const):
        (JSC::JSCell::estimatedSizeInBytes const):
        (JSC::JSCell::estimatedSize):
        (JSC::JSCell::className):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
        * runtime/JSObject.cpp:
        (JSC::JSObject::estimatedSize):
        (JSC::JSObject::className):
        (JSC::JSObject::toStringName):
        (JSC::JSObject::calculatedClassName):
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::className):
        * runtime/JSProxy.h:
        * runtime/JSString.cpp:
        (JSC::JSString::estimatedSize):
        * runtime/JSString.h:
        * runtime/RegExp.cpp:
        (JSC::RegExp::estimatedSize):
        * runtime/RegExp.h:
        * runtime/WeakMapImpl.cpp:
        (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
        * runtime/WeakMapImpl.h:

2018-07-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r233714.
        https://bugs.webkit.org/show_bug.cgi?id=187579

        it made tests time out (Requested by pizlo on #webkit).

        Reverted changeset:

        "Change the reoptimization backoff base to 1.3 from 2"
        https://bugs.webkit.org/show_bug.cgi?id=187540
        https://trac.webkit.org/changeset/233714

2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to allow creating variadic functions
        https://bugs.webkit.org/show_bug.cgi?id=187517

        Reviewed by Michael Catanzaro.

        Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
        jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.

        * API/glib/JSCCallbackFunction.cpp:
        (JSC::JSCCallbackFunction::create): Make the parameters optional.
        (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
        (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
        JSCValue for the arguments.
        (JSC::JSCCallbackFunction::construct): Ditto.
        * API/glib/JSCCallbackFunction.h:
        * API/glib/JSCClass.cpp:
        (jscClassCreateConstructor): Make the parameters optional.
        (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
        (jscClassAddMethod): Make the parameters optional.
        (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
        * API/glib/JSCClass.h:
        * API/glib/JSCValue.cpp:
        (jsc_value_object_define_property_accessor): Update now that parameters are optional.
        (jscValueFunctionCreate): Make the parameters optional.
        (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add jsc_context_get_global_object() to GLib API
        https://bugs.webkit.org/show_bug.cgi?id=187515

        Reviewed by Michael Catanzaro.

        This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
        object. However, getting the global object could be useful in some cases, for example to give it a well known
        name like 'window' in browsers and GJS.

        * API/glib/JSCContext.cpp:
        (jsc_context_get_global_object):
        * API/glib/JSCContext.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Handle G_TYPE_STRV in glib API
        https://bugs.webkit.org/show_bug.cgi?id=187512

        Reviewed by Michael Catanzaro.

        Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.

        * API/glib/JSCContext.cpp:
        (jscContextGValueToJSValue):
        (jscContextJSValueToGValue):
        * API/glib/JSCValue.cpp:
        (jsc_value_new_array_from_strv):
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Iterator of Array.keys() returns object in wrong order
        https://bugs.webkit.org/show_bug.cgi?id=185197

        Reviewed by Keith Miller.

        * builtins/ArrayIteratorPrototype.js:
        (globalPrivate.arrayIteratorValueNext):
        (globalPrivate.arrayIteratorKeyNext):
        (globalPrivate.arrayIteratorKeyValueNext):
        * builtins/AsyncFromSyncIteratorPrototype.js:
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorResolve):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        * builtins/MapIteratorPrototype.js:
        (globalPrivate.mapIteratorNext):
        * builtins/SetIteratorPrototype.js:
        (globalPrivate.setIteratorNext):
        * builtins/StringIteratorPrototype.js:
        (next):
        * runtime/IteratorOperations.cpp:
        (JSC::createIteratorResultObjectStructure):
        (JSC::createIteratorResultObject):

2018-07-10  Mark Lam  <mark.lam@apple.com>

        constructArray() should always allocate the requested length.
        https://bugs.webkit.org/show_bug.cgi?id=187543
        <rdar://problem/41947884>

        Reviewed by Saam Barati.

        Currently, it does not when we're having a bad time.  We fix this by switching
        back to using tryCreateUninitializedRestricted() exclusively in constructArray().
        If we detect that a structure transition is possible before we can initialize
        the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
        We will introduce JSArray::eagerlyInitializeButterfly() to handle this.

        Also enhanced the DisallowScope and ObjectInitializationScope to support this
        eager initialization when needed.

        * dfg/DFGOperations.cpp:
        - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
          the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
          it clearer that we encountered an OutOfMemory condition instead of failing in FTL
          generated code, which will appear as a generic null pointer dereference.

        * runtime/ArrayPrototype.cpp:
        (JSC::concatAppendOne):
        - the code here clearly wants to check for an allocation failure.  Switched to
          using JSArray::tryCreate() instead of JSArray::create().

        * runtime/DisallowScope.h:
        (JSC::DisallowScope::disable):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::eagerlyInitializeButterfly):
        (JSC::constructArray):
        * runtime/JSArray.h:
        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::notifyInitialized):
        * runtime/ObjectInitializationScope.h:
        (JSC::ObjectInitializationScope::notifyInitialized):

2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove getTypedArrayImpl
        https://bugs.webkit.org/show_bug.cgi?id=187338

        Reviewed by Mark Lam.

        getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
        is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
        This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.

        * runtime/ClassInfo.h:
        * runtime/GenericTypedArrayView.h:
        (JSC::GenericTypedArrayView::data const): Deleted.
        (JSC::GenericTypedArrayView::set): Deleted.
        (JSC::GenericTypedArrayView::setRange): Deleted.
        (JSC::GenericTypedArrayView::zeroRange): Deleted.
        (JSC::GenericTypedArrayView::zeroFill): Deleted.
        (JSC::GenericTypedArrayView::length const): Deleted.
        (JSC::GenericTypedArrayView::item const): Deleted.
        (JSC::GenericTypedArrayView::set const): Deleted.
        (JSC::GenericTypedArrayView::setNative const): Deleted.
        (JSC::GenericTypedArrayView::getRange): Deleted.
        (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
        (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::possiblySharedImpl):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
        * runtime/JSCell.cpp:
        (JSC::JSCell::getTypedArrayImpl): Deleted.
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getTypedArrayImpl): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.

2018-07-10  Keith Miller  <keith_miller@apple.com>

        hasOwnProperty returns true for out of bounds property index on TypedArray
        https://bugs.webkit.org/show_bug.cgi?id=187520

        Reviewed by Saam Barati.

        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):

2018-07-10  Michael Saboff  <msaboff@apple.com>

        DFG JIT: compileMathIC produces incorrect machine code
        https://bugs.webkit.org/show_bug.cgi?id=187537

        Reviewed by Saam Barati.

        Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
        fall back to the fast path generator which handles such cases.

        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateInline):

2018-07-10  Filip Pizlo  <fpizlo@apple.com>

        Change the reoptimization backoff base to 1.3 from 2
        https://bugs.webkit.org/show_bug.cgi?id=187540

        Reviewed by Saam Barati.

        I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.

        I also have data that hints that a backoff base of 1 might be even better, but I think that
        we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::reoptimizationRetryCounter const):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::adjustedCounterValue):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2018-07-10  Mark Lam  <mark.lam@apple.com>

        [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
        https://bugs.webkit.org/show_bug.cgi?id=187362
        <rdar://problem/42027210>

        Reviewed by Saam Barati.

        On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
        value to use for initializing unused properties.  Updated an assertion to account
        for this.

        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):

2018-07-10  Michael Saboff  <msaboff@apple.com>

        YARR: . doesn't match non-BMP Unicode characters in some cases
        https://bugs.webkit.org/show_bug.cgi?id=187248

        Reviewed by Geoffrey Garen.

        The safety check in optimizeAlternative() for moving character classes that only consist of BMP
        characters did not take into account that the character class is inverted.  In this case, we
        represent '.' as "not a newline" using the newline character class with an inverted check.
        Clearly that includes non-BMP characters.

        The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
        inverted use of that character class.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::optimizeAlternative):

2018-07-09  Mark Lam  <mark.lam@apple.com>

        Add --traceLLIntExecution and --traceLLIntSlowPath options.
        https://bugs.webkit.org/show_bug.cgi?id=187479

        Reviewed by Yusuke Suzuki and Saam Barati.

        These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.

        The details:
        1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
        2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
           This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
           continually spammed with logging until we rebuild.
        3. Fixed slow path LLINT tracing to work with exception check validation.

        * llint/LLIntCommon.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::slowPathLog):
        (JSC::LLInt::slowPathLn):
        (JSC::LLInt::slowPathLogF):
        (JSC::LLInt::slowPathLogLn):
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        * runtime/Options.h:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=187477

        Reviewed by Mark Lam.

        Before this patch, RegExp* is specially held in the m_regexp buffer which resides in CodeBlock's RareData.
        However, it is not necessary since JSCells can reside in a constant buffer.
        This patch embeds RegExp* into a constant buffer in UnlinkedCodeBlock and CodeBlock, and removes the RegExp
        vector from RareData.

        We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        (JSC::regexpToSourceString): Deleted.
        (JSC::regexpName): Deleted.
        (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
        * bytecode/BytecodeDumper.h:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::regexp const): Deleted.
        (JSC::CodeBlock::numberOfRegExps const): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
        (JSC::UnlinkedCodeBlock::regexp const): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewRegExp):
        (JSC::BytecodeGenerator::addRegExp): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_regexp):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure const):
        * runtime/RegExp.cpp:
        (JSC::regexpToSourceString):
        (JSC::RegExp::dumpToStream):
        * runtime/RegExp.h:

2018-07-09  Brian Burg  <bburg@apple.com>

        REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
        https://bugs.webkit.org/show_bug.cgi?id=187350
        <rdar://problem/41728249>

        Reviewed by Matt Baker.

        Add a new command that toggles whether or not to blackbox internal scripts.
        If blackboxed, the scripts will not be shown to the frontend and the debugger will
        not pause in source frames from blackboxed scripts. Sometimes we want to break into
        those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
        that injects scripts.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/protocol/Debugger.json:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make some data members of UnlinkedCodeBlock private
        https://bugs.webkit.org/show_bug.cgi?id=187467

        Reviewed by Mark Lam.

        This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
        We also remove m_numCapturedVars since it is no longer used.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
        https://bugs.webkit.org/show_bug.cgi?id=187465

        Reviewed by Keith Miller.

        ProxyableAccessCase is allocated so frequently, and it persists so long. Reducing the size
        of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.

        This patch uses a slightly complicated layout to reduce ProxyableAccessCase. We add an unused bool member
        in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
        of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
        from 104 to 96 since it inherits ProxyableAccessCase.

        * bytecode/AccessCase.h:
        (JSC::AccessCase::viaProxy const):
        (JSC::AccessCase::AccessCase):
        * bytecode/ProxyableAccessCase.cpp:
        (JSC::ProxyableAccessCase::ProxyableAccessCase):
        * bytecode/ProxyableAccessCase.h:

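To make the padding trick in the entry above concrete, here is an added C++ illustration. It is not JSC's AccessCase or ProxyableAccessCase: the member names and types are made up for the example, and the sizes assume an LP64 target with 8-byte pointers. A one-byte field followed by a pointer leaves seven bytes of internal padding in the base class; a bool added by the derived class cannot move into that hole, so it costs a full eight bytes of alignment, whereas a bool reserved in the base's padding and handed to the derived class through the constructor costs nothing.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed illustration, not JSC's classes. Assumes LP64: 8-byte
// pointers with 8-byte alignment.

// Base with a one-byte field followed by a pointer: bytes 1..7 are
// internal padding that no derived-class member can ever occupy.
struct NaiveBase {
    uint8_t m_type;       // offset 0
                          // offsets 1..7: padding
    void*   m_structure;  // offset 8, sizeof == 16
};

// The derived class adds its own bool. It has to be placed after the
// whole base (offset 16), and the object is then padded out to 24.
struct NaiveDerived : NaiveBase {
    bool m_viaProxy;
};

// What the patch does instead: reserve the bool inside the base's own
// padding and let the derived class pass its value up through the
// constructor. The base does not grow, and the derived class adds nothing.
struct PackedBase {
    uint8_t m_type;       // offset 0
    bool    m_viaProxy;   // offset 1, in what used to be padding
                          // offsets 2..7: padding
    void*   m_structure;  // offset 8, sizeof == 16

    PackedBase(uint8_t type, void* structure, bool viaProxy = false)
        : m_type(type), m_viaProxy(viaProxy), m_structure(structure) {}

    bool viaProxy() const { return m_viaProxy; }
};

struct PackedDerived : PackedBase {
    PackedDerived(uint8_t type, void* structure, bool viaProxy)
        : PackedBase(type, structure, viaProxy) {}
};

std::size_t naiveDerivedSize()  { return sizeof(NaiveDerived); }   // 24 on LP64
std::size_t packedDerivedSize() { return sizeof(PackedDerived); }  // 16 on LP64
std::size_t bytesSaved() { return sizeof(NaiveDerived) - sizeof(PackedDerived); }

// The reserved flag is still read through the base accessor, the way
// a viaProxy() getter on the base class would be used.
bool packedDerivedReportsViaProxy() {
    PackedDerived d(/*type*/ 1, /*structure*/ nullptr, /*viaProxy*/ true);
    return d.viaProxy();
}
```

The saving is independent of whether the base is polymorphic: tail padding of a non-POD base may be reused by a derived class on the Itanium ABI, but an internal hole between members never is, which is why the only way to use it is to declare the member in the base itself.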
2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for debug builds after r233630
        https://bugs.webkit.org/show_bug.cgi?id=187441

        * jit/JIT.cpp:
        (JSC::JIT::frameRegisterCountFor):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of CodeBlock to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187441

        Reviewed by Mark Lam.

        Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
        We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
        Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.

        We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeUseDef.h:
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numVars const):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::numVars const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct const):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jit/JIT.cpp:
        (JSC::JIT::frameRegisterCountFor):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOperations.cpp:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCJSValue.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize padding of UnlinkedCodeBlock to shrink
        https://bugs.webkit.org/show_bug.cgi?id=187448

        Reviewed by Saam Barati.

        We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
        These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.

        * bytecode/CodeType.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::codeType const):
        (JSC::UnlinkedCodeBlock::didOptimize const):
        (JSC::UnlinkedCodeBlock::setDidOptimize):
        * bytecode/VirtualRegister.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize padding of InferredTypeTable by using cellLock
        https://bugs.webkit.org/show_bug.cgi?id=187447

        Reviewed by Mark Lam.

        Use cellLock() in InferredTypeTable to guard changes of internal structures.
        This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
        reduce the size of InferredTypeTable from 40 to 32.

        * runtime/InferredTypeTable.cpp:
        (JSC::InferredTypeTable::visitChildren):
        (JSC::InferredTypeTable::get):
        (JSC::InferredTypeTable::willStoreValue):
        (JSC::InferredTypeTable::makeTop):
        * runtime/InferredTypeTable.h:
        Use enum class and using declarations, and remove `isEmpty()` since it is not used.

        * runtime/Structure.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of SourceProvider to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187440

        Reviewed by Mark Lam.

        Arrange members of SourceProvider to reduce the size from 80 to 72.

        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::SourceProvider):
        * parser/SourceProvider.h:

2018-07-08  Mark Lam  <mark.lam@apple.com>

        PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
        https://bugs.webkit.org/show_bug.cgi?id=187444
        <rdar://problem/41282849>

        Reviewed by Saam Barati.

        PropertyTable supports C++ iteration by offering begin() and end() methods, and
        an iterator class.  The begin() methods and the iterator operator++() method use
        PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
        However, PropertyTable::skipDeletedEntries() does not prevent the iteration
        pointer from being incremented past the end of the table.  As a result, we can
        iterate past the end of the table.  Note that the C++ iteration protocol tests
        for the iterator not being equal to the end() value.  It does not do a <= test.
        If the iterator ever shoots past end, the loop will effectively not terminate.

        This issue can manifest if and only if the last entry in the table is a deleted
        one, and the key field of the PropertyMapEntry shaped space at the end of the
        table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
        value.

        No test because manifesting this issue requires uncontrollable happenstance where
        memory just beyond the end of the table looks like a deleted entry.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::begin):
        (JSC::PropertyTable::end):
        (JSC::PropertyTable::begin const):
        (JSC::PropertyTable::end const):
        (JSC::PropertyTable::skipDeletedEntries):

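The iteration bug described in the entry above is easy to reproduce in miniature. The following C++ model is an added example, not JSC's PropertyTable code: the Entry layout, the sentinel values (0 for empty, 1 for deleted, standing in for PROPERTY_MAP_DELETED_ENTRY_KEY) and the function names are assumptions for the demonstration. It builds a table whose last in-bounds slot is a tombstone, plants a tombstone-looking value in the slot just beyond the table, and shows that the unbounded skip lands one entry past end() while the bounded skip stops exactly at end().

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model of a tombstoning hash table (not JSC's PropertyTable).
// The key sentinels are assumptions for the example; kDeletedKey plays the
// role of PROPERTY_MAP_DELETED_ENTRY_KEY.
constexpr uintptr_t kEmptyKey   = 0;
constexpr uintptr_t kDeletedKey = 1;

struct Entry {
    uintptr_t key;     // kEmptyKey, kDeletedKey, or a live key
    unsigned  offset;  // payload; irrelevant to the iteration bug
};

// Buggy skip: advances until the entry is not a tombstone, with no idea
// where the table ends. If the last in-bounds entry is deleted, it reads
// whatever memory follows the allocation.
static Entry* skipDeletedEntriesUnchecked(Entry* valuePtr) {
    while (valuePtr->key == kDeletedKey)
        ++valuePtr;
    return valuePtr;
}

// Fixed skip: the end pointer bounds the walk, so the result is always in
// [valuePtr, endValuePtr] and the caller's `it != end` test can become false.
static Entry* skipDeletedEntries(Entry* valuePtr, Entry* endValuePtr) {
    while (valuePtr < endValuePtr && valuePtr->key == kDeletedKey)
        ++valuePtr;
    return valuePtr;
}

struct Table {
    std::vector<Entry> storage;  // `size` real slots plus two fake out-of-bounds slots
    std::size_t size = 0;

    Entry* tableBegin() { return storage.data(); }
    Entry* tableEnd()   { return storage.data() + size; }

    // The exact happenstance the ChangeLog describes: the last entry is a
    // tombstone, and the bytes just past the table happen to hold a 1.
    static Table makeWorstCase() {
        Table t;
        t.size = 3;
        t.storage = {
            {0x1000,      0},  // live
            {kDeletedKey, 0},  // deleted
            {kDeletedKey, 0},  // deleted, and the last in-bounds entry
            {kDeletedKey, 0},  // out of bounds: stale data that looks deleted
            {kEmptyKey,   0},  // out of bounds: only here so the buggy loop halts
        };
        return t;
    }
};

// Entries past end() that the buggy skip lands on when started from the
// last in-bounds entry. Anything above 0 means the iterator has overshot
// end(), and a `for (it = begin(); it != end(); ++it)` loop never stops.
std::ptrdiff_t uncheckedOvershoot() {
    Table t = Table::makeWorstCase();
    Entry* p = skipDeletedEntriesUnchecked(t.tableEnd() - 1);
    return p - t.tableEnd();
}

std::ptrdiff_t checkedOvershoot() {
    Table t = Table::makeWorstCase();
    Entry* p = skipDeletedEntries(t.tableEnd() - 1, t.tableEnd());
    return p - t.tableEnd();
}

// Iterate the way a range-for over PropertyTable would, using the fixed
// skip for both the begin() computation and the increment step.
std::size_t countLiveEntries(Table& t) {
    std::size_t n = 0;
    Entry* end = t.tableEnd();
    for (Entry* it = skipDeletedEntries(t.tableBegin(), end); it != end;
         it = skipDeletedEntries(it + 1, end))
        ++n;
    return n;
}

std::size_t countLiveWorstCase() {
    Table t = Table::makeWorstCase();
    return countLiveEntries(t);
}

int main() {
    std::printf("unchecked skip overshoots end() by %td entries\n", uncheckedOvershoot());
    std::printf("checked skip overshoots end() by %td entries\n", checkedOvershoot());
    std::printf("live entries seen by the fixed iterator: %zu\n", countLiveWorstCase());
    return 0;
}
```

In real memory there is no convenient zero after the stray 1 to halt the unbounded walk; it keeps reading through whatever follows the allocation, and because the iteration loop only tests `it != end()`, a pointer that has already passed end() never compares equal to it again. The bounded version is the one to keep, and the same `< end` guard belongs in operator++ as well as in begin().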
2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of SymbolTable to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187437

        Reviewed by Mark Lam.

        Arrange the layout of SymbolTable to reduce the size from 88 to 72.

        * runtime/SymbolTable.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of RegExp to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187438

        Reviewed by Mark Lam.

        Reduce the size of RegExp from 168 to 144.

        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        * runtime/RegExp.h:
        * runtime/RegExpKey.h:
        * yarr/YarrErrorCode.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of ValueProfile to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187439

        Reviewed by Mark Lam.

        Reduce the size of ValueProfile from 40 to 32 by reordering members.

        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::ValueProfileBase):

2018-07-05  Saam Barati  <sbarati@apple.com>

        ProgramExecutable may be collected as we checkSyntax on it
        https://bugs.webkit.org/show_bug.cgi?id=187359
        <rdar://problem/41832135>

        Reviewed by Mark Lam.

        The bug was that we were passing in a reference to the SourceCode field on ProgramExecutable as
        the ProgramExecutable itself may be collected. The fix here is to make a copy
        of the field instead of passing in a reference inside of ParserError::toErrorObject.

        No new tests here as this was already caught by our iOS JSC testers.

        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):

2018-07-04  Tim Horton  <timothy_horton@apple.com>

        Introduce PLATFORM(IOSMAC)
        https://bugs.webkit.org/show_bug.cgi?id=187315

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * Configurations/FeatureDefines.xcconfig:

2018-07-03  Mark Lam  <mark.lam@apple.com>

        [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
        https://bugs.webkit.org/show_bug.cgi?id=187255
        <rdar://problem/41785257>

        Reviewed by Saam Barati.

        The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
        too: basically, do what the 64-bit code is doing.  At present, this change only
        serves to pacify an assertion.  It is not needed for correctness because the
        concurrent GC is not used on 32-bit builds.

        This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
        test.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):

716 2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
717
718         [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
719         https://bugs.webkit.org/show_bug.cgi?id=187290
720
721         Reviewed by Saam Barati.
722
723         slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
724         we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
725         is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
726         easily calculated from JSType.
727         This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.
728
729         * runtime/ClassInfo.h:
730         * runtime/JSArrayBufferView.cpp:
731         (JSC::elementSize):
732         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
733         * runtime/JSArrayBufferView.h:
734         * runtime/JSArrayBufferViewInlines.h:
735         (JSC::JSArrayBufferView::possiblySharedBuffer):
736         * runtime/JSCell.cpp:
737         (JSC::JSCell::slowDownAndWasteMemory): Deleted.
738         * runtime/JSCell.h:
739         * runtime/JSDataView.cpp:
740         (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
741         * runtime/JSDataView.h:
742         * runtime/JSGenericTypedArrayView.h:
743         * runtime/JSGenericTypedArrayViewInlines.h:
744         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.
745
746 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
747
748         Regular expressions with ".?" expressions at the start and the end match the entire string
749         https://bugs.webkit.org/show_bug.cgi?id=119191
750
751         Reviewed by Michael Saboff.
752
753         r90962 optimized regular expressions in the form of /.*abc.*/ by looking
754         for "abc" first and then processing the leading and trailing dot stars
755         to find the beginning and the end of the match. However, it erroneously
756         enabled this optimization for regular expressions whose leading or
757         trailing dots had quantifiers that were not of arbitrary length, e.g.,
758         /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
759         match the entire string when it shouldn't. This patch disables the
760         optimization for those cases.
761
762         * yarr/YarrPattern.cpp:
763         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
764
765 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
766
767         RegExp.exec returns wrong value with a long integer quantifier
768         https://bugs.webkit.org/show_bug.cgi?id=187042
769
770         Reviewed by Saam Barati.
771
772         Prior to this patch, the Yarr parser checked for integer overflow when
773         parsing quantifiers in regular expressions by adding one digit at a time
        to a number and checking if the result got larger. This is wrong:
        the parser would fail to detect overflow when parsing, for example,
        10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.
777
778         Another issue was that once it detected overflow, it stopped consuming
779         the remaining digits. Since it didn't find the closing bracket, it
780         parsed the quantifier as a normal string instead.
781
782         This patch fixes these issues by reading all the digits and checking for
783         overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
784         returns the largest possible value (quantifyInfinite in this case). This
785         matches Chrome [1], Firefox [2], and Edge [3].
786
787         [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
788         [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
789         [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149
790
791         * yarr/YarrParser.h:
792         (JSC::Yarr::Parser::consumeNumber):
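
        The overflow check described above, as an added example that is not part of this
        ChangeLog or of JavaScriptCore's Yarr parser: a stand-alone C++ model of the old and
        the fixed consumeNumber behaviour, followed by a minimal `{n}` quantifier parser that
        shows both failure modes (a wrapped count silently accepted, and a quantifier not
        recognised because the remaining digits were never consumed). kQuantifyInfinite,
        consumeNumberFlawed, consumeNumberChecked and parseBraceQuantifier are names chosen
        for this illustration; the widened uint64_t accumulator stands in for WTF's
        Checked<unsigned, RecordOverflow> used by the real fix.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <string>

// Stand-in for Yarr's "no upper bound" sentinel (our own constant, not the engine's).
static const unsigned kQuantifyInfinite = std::numeric_limits<unsigned>::max();

// Old approach modelled from the entry: add one digit at a time and assume
// overflow happened only if the value did not grow. Unsigned arithmetic
// wraps mod 2^32, so a wrapped value can still be larger than the previous
// one. Stops consuming digits as soon as it believes it overflowed.
unsigned consumeNumberFlawed(const std::string& s, size_t& pos, bool& overflowed)
{
    unsigned n = 0;
    overflowed = false;
    while (pos < s.size() && s[pos] >= '0' && s[pos] <= '9') {
        unsigned newValue = n * 10 + (s[pos] - '0'); // wraps silently
        if (newValue < n) {
            overflowed = true;
            return n; // remaining digits are left unconsumed
        }
        n = newValue;
        ++pos;
    }
    return n;
}

// Fixed approach: consume every digit, detect overflow with a wider
// accumulator (Checked<unsigned, RecordOverflow> in the real fix), and
// saturate to kQuantifyInfinite instead of returning a wrapped value.
unsigned consumeNumberChecked(const std::string& s, size_t& pos)
{
    uint64_t n = 0;
    bool overflowed = false;
    while (pos < s.size() && s[pos] >= '0' && s[pos] <= '9') {
        if (!overflowed) {
            n = n * 10 + (s[pos] - '0');
            if (n > std::numeric_limits<unsigned>::max())
                overflowed = true; // stop accumulating, keep consuming
        }
        ++pos;
    }
    return overflowed ? kQuantifyInfinite : static_cast<unsigned>(n);
}

// Minimal model of the caller: after '{', read a number and expect '}'.
// Returns false when the text is not recognised as a quantifier, which is
// what the entry describes: digits left unconsumed mean the closing brace
// is never seen and the text falls back to being matched literally.
bool parseBraceQuantifier(const std::string& s, bool useChecked, unsigned& out)
{
    if (s.empty() || s[0] != '{')
        return false;
    size_t pos = 1;
    if (useChecked) {
        out = consumeNumberChecked(s, pos);
    } else {
        bool overflowed = false;
        out = consumeNumberFlawed(s, pos, overflowed);
    }
    return pos < s.size() && s[pos] == '}';
}

int main()
{
    const char* inputs[] = { "{42}", "{4294967296}", "{10000000003}" };
    for (const char* in : inputs) {
        unsigned q = 0;
        bool okOld = parseBraceQuantifier(in, false, q);
        std::printf("%-16s old: %s q=%u", in, okOld ? "quantifier" : "literal", q);
        bool okNew = parseBraceQuantifier(in, true, q);
        std::printf("   fixed: %s q=%u%s\n", okNew ? "quantifier" : "literal", q,
                    q == kQuantifyInfinite ? " (infinite)" : "");
    }
    return 0;
}
```

        The flawed parser accepts `{10000000003}` as a quantifier of 1410065411 repetitions
        and turns `{4294967296}` into a literal string; the checked parser consumes all the
        digits in both cases and saturates to the infinite sentinel, as Chrome, Firefox and
        Edge do.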
793
794 2018-07-02  Keith Miller  <keith_miller@apple.com>
795
796         InstanceOf IC should do generic if the prototype is not an object.
797         https://bugs.webkit.org/show_bug.cgi?id=187250
798
799         Reviewed by Mark Lam.
800
801         The old code was wrong for two reasons. First, the AccessCase expected that
802         the prototype value would be non-null. Second, we would end up returning
803         false instead of throwing an exception.
804
805         * jit/Repatch.cpp:
806         (JSC::tryCacheInstanceOf):
807
808 2018-07-01  Mark Lam  <mark.lam@apple.com>
809
810         Builtins and host functions should get their own structures.
811         https://bugs.webkit.org/show_bug.cgi?id=187211
812         <rdar://problem/41646336>
813
814         Reviewed by Saam Barati.
815
        JSFunctions do lazy reification of properties, but ordinary functions apply
817         different rules of property reification than builtin and host functions.  Hence,
818         we should give builtins and host functions their own structures.
819
820         * runtime/JSFunction.cpp:
821         (JSC::JSFunction::selectStructureForNewFuncExp):
822         (JSC::JSFunction::create):
823         (JSC::JSFunction::getOwnPropertySlot):
824         * runtime/JSGlobalObject.cpp:
825         (JSC::JSGlobalObject::init):
826         (JSC::JSGlobalObject::visitChildren):
827         * runtime/JSGlobalObject.h:
828         (JSC::JSGlobalObject::hostFunctionStructure const):
829         (JSC::JSGlobalObject::arrowFunctionStructure const):
830         (JSC::JSGlobalObject::sloppyFunctionStructure const):
831         (JSC::JSGlobalObject::strictFunctionStructure const):
832
833 2018-07-01  David Kilzer  <ddkilzer@apple.com>
834
835         JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
836         <https://webkit.org/b/187233>
837
838         Reviewed by Mark Lam.
839
840         * b3/air/AirEliminateDeadCode.cpp:
841         (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
842         * parser/ParserTokens.h:
843         (JSC::JSTextPosition::JSTextPosition): Add struct member
844         initialization. Simplify default constructor.
845         (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
846         union to the beginning to make it easy to zero out all fields.
847         (JSC::JSTokenLocation::JSTokenLocation): Add struct member
848         initialization.  Simplify default constructor.  Note that
849         `endOffset` was not being initialized previously.
850         (JSC::JSTextPosition::JSToken): Add struct member initialization
851         where necessary.
852         * runtime/IntlObject.cpp:
853         (JSC::MatcherResult): Add struct member initialization.
854
855 2018-06-23  Darin Adler  <darin@apple.com>
856
857         [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
858         https://bugs.webkit.org/show_bug.cgi?id=186973
859
860         Reviewed by Dan Bernstein.
861
862         * API/JSContext.mm:
863         (WeakContextRef::WeakContextRef): Deleted.
864         (WeakContextRef::~WeakContextRef): Deleted.
865         (WeakContextRef::get): Deleted.
866         (WeakContextRef::set): Deleted.
867
868         * API/JSContextInternal.h: Removed unneeded header guards since this is
869         an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
870         of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
871         since neither is used outside the class implementation.
872
873         * API/JSManagedValue.mm:
874         (-[JSManagedValue initWithValue:]): Use a bridging cast.
875         (-[JSManagedValue dealloc]): Ditto.
876         (-[JSManagedValue didAddOwner:]): Ditto.
877         (-[JSManagedValue didRemoveOwner:]): Ditto.
878         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
879         (JSManagedValueHandleOwner::finalize): Ditto.
880         * API/JSValue.mm:
881         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
882         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
883         (-[JSValue valueForProperty:]): Ditto.
884         (-[JSValue setValue:forProperty:]): Ditto.
885         (-[JSValue deleteProperty:]): Ditto.
886         (-[JSValue hasProperty:]): Ditto.
887         (-[JSValue invokeMethod:withArguments:]): Ditto.
888         (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
889         (valueToArray): Ditto.
890         (valueToDictionary): Ditto.
891         (objectToValueWithoutCopy): Ditto.
892         (objectToValue): Ditto.
893         * API/JSVirtualMachine.mm:
894         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
895         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
896         (-[JSVirtualMachine isOldExternalObject:]): Ditto.
897         (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
898         (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
899         (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
900         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
901         (scanExternalObjectGraph): Ditto.
902         (scanExternalRememberedSet): Ditto.
903         * API/JSWrapperMap.mm:
904         (makeWrapper): Ditto.
905         (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
906         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
907         (tryUnwrapObjcObject): Ditto.
908         * API/ObjCCallbackFunction.mm:
909         (blockSignatureContainsClass): Ditto.
910         (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
911         sure we will be keeping this the same way under ARC.
912         (objCCallbackFunctionForBlock): Use a bridging cast.
913
914         * API/ObjcRuntimeExtras.h:
915         (protocolImplementsProtocol): Use a more specific type that includes the
916         explicit __unsafe_unretained for copied protocol lists.
917         (forEachProtocolImplementingProtocol): Ditto.
918
919         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
920         (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
921         (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.
922
923         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
924         CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
925         (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
926         (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
927         (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.
928
929 2018-06-30  Adam Barth  <abarth@webkit.org>
930
931         Port JavaScriptCore to OS(FUCHSIA)
932         https://bugs.webkit.org/show_bug.cgi?id=187223
933
934         Reviewed by Daniel Bates.
935
936         * assembler/ARM64Assembler.h:
937         (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
938         * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
939         (JSC::MachineContext::stackPointerImpl):
940         (JSC::MachineContext::framePointerImpl):
941         (JSC::MachineContext::instructionPointerImpl):
942         (JSC::MachineContext::argumentPointer<1>):
943         (JSC::MachineContext::llintInstructionPointer):
944
945 2018-06-30  David Kilzer  <ddkilzer@apple.com>
946
947         Fix clang static analyzer warnings: Garbage return value
948         <https://webkit.org/b/187224>
949
950         Reviewed by Eric Carlson.
951
952         * bytecode/UnlinkedCodeBlock.cpp:
953         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
954         - Use brace initialization for local variables.
955         * debugger/DebuggerCallFrame.cpp:
956         (class JSC::LineAndColumnFunctor):
957         - Use class member initialization for member variables.
958
959 2018-06-29  Saam Barati  <sbarati@apple.com>
960
961         Unreviewed. Try to fix Windows build after r233377
962
963         * builtins/BuiltinExecutables.cpp:
964         (JSC::BuiltinExecutables::createExecutable):
965
966 2018-06-29  Saam Barati  <sbarati@apple.com>
967
968         Don't use tracePoints in JS/Wasm entry
969         https://bugs.webkit.org/show_bug.cgi?id=187196
970
971         Reviewed by Mark Lam.
972
973         This puts VM entry and Wasm entry tracePoints behind a runtime
974         option. This is a ~4x speedup on a soon to be released Wasm
975         benchmark. tracePoints should basically never run more than 50
976         times a second. Entering the VM and entering Wasm are user controlled,
977         and can happen hundreds of thousands of times in a second. Depending
978         on how the Wasm/JS code is structured, this can be disastrous for
979         performance.
980
981         * runtime/Options.h:
982         * runtime/VMEntryScope.cpp:
983         (JSC::VMEntryScope::VMEntryScope):
984         (JSC::VMEntryScope::~VMEntryScope):
985         * wasm/WasmBBQPlan.cpp:
986         (JSC::Wasm::BBQPlan::compileFunctions):
987         * wasm/js/WebAssemblyFunction.cpp:
988         (JSC::callWebAssemblyFunction):
989
990 2018-06-29  Saam Barati  <sbarati@apple.com>
991
992         We shouldn't recurse into the parser when gathering metadata about various function offsets
993         https://bugs.webkit.org/show_bug.cgi?id=184074
994         <rdar://problem/37165897>
995
996         Reviewed by Mark Lam.
997
998         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
999         for that builtin. This required calling into the parser. However, the parser
1000         may throw a stack overflow. We were not able to recover from that. The only
1001         reason we called into the parser here is that we were gathering text offsets
1002         and various metadata for things in the builtin function. This patch writes a
1003         mini parser that figures this information out without calling into the full
1004         parser. (I've also added a debug assert that verifies the mini parser stays in
        sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
1006         always succeeds.
1007
1008         * builtins/AsyncFromSyncIteratorPrototype.js:
1009         (globalPrivate.createAsyncFromSyncIterator):
1010         (globalPrivate.AsyncFromSyncIteratorConstructor):
1011         * builtins/BuiltinExecutables.cpp:
1012         (JSC::BuiltinExecutables::createExecutable):
1013         * builtins/GlobalOperations.js:
1014         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
1015         (globalPrivate.speciesConstructor):
1016         (globalPrivate.copyDataProperties):
1017         (globalPrivate.copyDataPropertiesNoExclusions):
1018         * builtins/PromiseOperations.js:
1019         (globalPrivate.newHandledRejectedPromise):
1020         * builtins/RegExpPrototype.js:
1021         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
1022         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
1023         * builtins/StringPrototype.js:
1024         (globalPrivate.hasObservableSideEffectsForStringReplace):
1025         (globalPrivate.getDefaultCollator):
1026         * parser/Nodes.cpp:
1027         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1028         (JSC::FunctionMetadataNode::operator== const):
1029         (JSC::FunctionMetadataNode::dump const):
1030         * parser/Nodes.h:
1031         * parser/Parser.h:
1032         (JSC::parse):
1033         * parser/ParserError.h:
1034         (JSC::ParserError::type const):
1035         * parser/ParserTokens.h:
1036         (JSC::JSTextPosition::operator== const):
1037         (JSC::JSTextPosition::operator!= const):
1038         * parser/SourceCode.h:
1039         (JSC::SourceCode::operator== const):
1040         (JSC::SourceCode::operator!= const):
1041         (JSC::SourceCode::subExpression const):
1042         (JSC::SourceCode::subExpression): Deleted.
1043
1044 2018-06-28  Michael Saboff  <msaboff@apple.com>
1045   
1046         IsoCellSet::sweepToFreeList() not safe when Full GC in process
1047         https://bugs.webkit.org/show_bug.cgi?id=187157
1048
1049         Reviewed by Mark Lam.
1050
1051         * heap/IsoCellSet.cpp:
1052         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
1053         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
1054         or not we are in the process of marking during a full GC.
1055         * heap/MarkedBlock.h:
1056         * heap/MarkedBlockInlines.h:
1057         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
1058
1059 2018-06-27  Saam Barati  <sbarati@apple.com>
1060
1061         Add some more register state information when we crash in repatchPutById
1062         https://bugs.webkit.org/show_bug.cgi?id=187112
1063
1064         Reviewed by Mark Lam.
1065
1066         This will help us gather info when we end up seeing a ObjectPropertyConditionSet
1067         with an offset that is different than what the put tells us.
1068
1069         * jit/Repatch.cpp:
1070         (JSC::tryCachePutByID):
1071
1072 2018-06-27  Mark Lam  <mark.lam@apple.com>
1073
1074         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
1075         https://bugs.webkit.org/show_bug.cgi?id=187119
1076
1077         Reviewed by Keith Miller.
1078
1079         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
1080         should be checking for codeBlock instead of !codeBlock
1081         before using the codeBlock.
1082
1083         I also renamed some other "print" functions to use "dump" instead
1084         to match their underlying C++ code that they will call e.g.
1085         CodeBlock::dumpSource().
1086
1087         * tools/JSDollarVM.cpp:
1088         (WTF::JSDollarVMCallFrame::finishCreation):
1089         (JSC::functionDumpSourceFor):
1090         (JSC::functionDumpBytecodeFor):
1091         (JSC::doPrint):
1092         (JSC::functionDataLog):
1093         (JSC::functionPrint):
1094         (JSC::functionDumpCallFrame):
1095         (JSC::functionDumpStack):
1096         (JSC::JSDollarVM::finishCreation):
1097         (JSC::functionPrintSourceFor): Deleted.
1098         (JSC::functionPrintBytecodeFor): Deleted.
1099         (JSC::doPrintln): Deleted.
1100         (JSC::functionPrintln): Deleted.
1101         (JSC::functionPrintCallFrame): Deleted.
1102         (JSC::functionPrintStack): Deleted.
1103         * tools/VMInspector.cpp:
1104         (JSC::DumpFrameFunctor::DumpFrameFunctor):
1105         (JSC::DumpFrameFunctor::operator() const):
1106         (JSC::VMInspector::dumpCallFrame):
1107         (JSC::VMInspector::dumpStack):
1108         (JSC::VMInspector::dumpValue):
1109         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
1110         (JSC::PrintFrameFunctor::operator() const): Deleted.
1111         (JSC::VMInspector::printCallFrame): Deleted.
1112         (JSC::VMInspector::printStack): Deleted.
1113         (JSC::VMInspector::printValue): Deleted.
1114         * tools/VMInspector.h:
1115
1116 2018-06-27  Keith Miller  <keith_miller@apple.com>
1117
1118         Add logging to try to diagnose where we get a null structure.
1119         https://bugs.webkit.org/show_bug.cgi?id=187106
1120
1121         Reviewed by Mark Lam.
1122
        Add logging to JSObject::toPrimitive to help diagnose a nullptr
1124         structure crash.
1125
1126         This code should be removed when we fix <rdar://problem/33451840>
1127
1128         * runtime/JSObject.cpp:
1129         (JSC::callToPrimitiveFunction):
1130         * runtime/JSObject.h:
1131         (JSC::JSObject::getPropertySlot):
1132
1133 2018-06-27  Mark Lam  <mark.lam@apple.com>
1134
1135         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
1136         https://bugs.webkit.org/show_bug.cgi?id=187091
1137         <rdar://problem/41395624>
1138
1139         Reviewed by Yusuke Suzuki.
1140
1141         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
1142         take their slow paths, the slow path would jump back to the fast path right after
1143         the emitted code which clears the unused property values.  As a result, the
1144         unused properties are not initialized.  We've fixed this by adding the slow path
1145         generators before we emit the code to clear the unused properties.
1146
1147         * dfg/DFGSpeculativeJIT.cpp:
1148         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1149         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1150
1151 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1152
1153         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
1154         https://bugs.webkit.org/show_bug.cgi?id=185943
1155
1156         Reviewed by Mark Lam.
1157
1158         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
        the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
        the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
1161         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
1162
1163         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
1164         but it should be done in a separate patch since it would be performance sensitive.
1165
1166         * bytecompiler/NodesCodegen.cpp:
1167         (JSC::ArrayPatternNode::emitDirectBinding):
1168
1169 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1170
1171         [JSC] Pass VM& to functions more
1172         https://bugs.webkit.org/show_bug.cgi?id=186241
1173
1174         Reviewed by Mark Lam.
1175
1176         This patch threads VM& to functions requiring VM& more.
1177
1178         * API/JSObjectRef.cpp:
1179         (JSObjectIsConstructor):
1180         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
1181         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
1182         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
1183         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
1184         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
1185         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
1186         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
1187         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
1188         * bytecode/CodeBlockJettisoningWatchpoint.h:
1189         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1190         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
1191         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1192         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
1193         * bytecode/StructureStubClearingWatchpoint.cpp:
1194         (JSC::StructureStubClearingWatchpoint::fireInternal):
1195         * bytecode/StructureStubClearingWatchpoint.h:
1196         * bytecode/Watchpoint.cpp:
1197         (JSC::Watchpoint::fire):
1198         (JSC::WatchpointSet::fireAllWatchpoints):
1199         * bytecode/Watchpoint.h:
1200         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
1201         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
1202         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
1203         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
1204         (JSC::DFG::AdaptiveStructureWatchpoint::install):
1205         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
1206         * dfg/DFGAdaptiveStructureWatchpoint.h:
1207         * dfg/DFGDesiredWatchpoints.cpp:
1208         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
1209         * llint/LLIntSlowPaths.cpp:
1210         (JSC::LLInt::setupGetByIdPrototypeCache):
1211         * runtime/ArrayPrototype.cpp:
1212         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1213         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1214         * runtime/ECMAScriptSpecInternalFunctions.cpp:
1215         (JSC::esSpecIsConstructor):
1216         * runtime/FunctionRareData.cpp:
1217         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
1218         * runtime/FunctionRareData.h:
1219         * runtime/InferredStructureWatchpoint.cpp:
1220         (JSC::InferredStructureWatchpoint::fireInternal):
1221         * runtime/InferredStructureWatchpoint.h:
1222         * runtime/InternalFunction.cpp:
1223         (JSC::InternalFunction::createSubclassStructureSlow):
1224         * runtime/InternalFunction.h:
1225         (JSC::InternalFunction::createSubclassStructure):
1226         * runtime/JSCJSValue.h:
1227         * runtime/JSCJSValueInlines.h:
1228         (JSC::JSValue::isConstructor const):
1229         * runtime/JSCell.h:
1230         * runtime/JSCellInlines.h:
1231         (JSC::JSCell::isConstructor):
1232         (JSC::JSCell::methodTable const):
1233         * runtime/JSGlobalObject.cpp:
1234         (JSC::JSGlobalObject::init):
1235         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
1236         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
1237         * runtime/ProxyObject.cpp:
1238         (JSC::ProxyObject::finishCreation):
1239         * runtime/ReflectObject.cpp:
1240         (JSC::reflectObjectConstruct):
1241         * runtime/StructureRareData.cpp:
1242         (JSC::StructureRareData::setObjectToStringValue):
1243         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
1244         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
1245         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
1246
1247 2018-06-26  Mark Lam  <mark.lam@apple.com>
1248
1249         eval() is wrong about the LiteralParser never throwing any exceptions.
1250         https://bugs.webkit.org/show_bug.cgi?id=187074
1251         <rdar://problem/41461099>
1252
1253         Reviewed by Saam Barati.
1254
1255         Added the missing exception check, and removed an erroneous assertion.
1256
1257         * interpreter/Interpreter.cpp:
1258         (JSC::eval):
1259
1260 2018-06-26  Saam Barati  <sbarati@apple.com>
1261
1262         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
1263         https://bugs.webkit.org/show_bug.cgi?id=186878
1264         <rdar://problem/40568659>
1265
1266         Reviewed by Filip Pizlo.
1267
1268         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
1269         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
1270         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
1271         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
1272         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
        conservative scan knows to treat it like a butterfly when we may be
1274         pointing into the middle of it.
1275         
1276         The way we were crashing on the stress GC bots is that our conservative marking
1277         won't do cell visiting for things that are Auxiliary. This meant that if the
1278         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
1279         that JSImmutableButterfly would not be visited. This is now fixed.
1280
1281         * bytecompiler/NodesCodegen.cpp:
1282         (JSC::ArrayNode::emitBytecode):
1283         * debugger/Debugger.cpp:
1284         * heap/ConservativeRoots.cpp:
1285         (JSC::ConservativeRoots::genericAddPointer):
1286         * heap/Heap.cpp:
1287         (JSC::GatherHeapSnapshotData::operator() const):
1288         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
1289         (JSC::Heap::globalObjectCount):
1290         (JSC::Heap::objectTypeCounts):
1291         (JSC::Heap::deleteAllCodeBlocks):
1292         * heap/HeapCell.cpp:
1293         (WTF::printInternal):
1294         * heap/HeapCell.h:
1295         (JSC::isJSCellKind):
1296         (JSC::hasInteriorPointers):
1297         * heap/HeapUtil.h:
1298         (JSC::HeapUtil::findGCObjectPointersForMarking):
1299         (JSC::HeapUtil::isPointerGCObjectJSCell):
1300         * heap/MarkedBlock.cpp:
1301         (JSC::MarkedBlock::Handle::didAddToDirectory):
1302         * heap/SlotVisitor.cpp:
1303         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
1304         * runtime/JSGlobalObject.cpp:
1305         * runtime/JSImmutableButterfly.h:
1306         (JSC::JSImmutableButterfly::subspaceFor):
1307         * runtime/VM.cpp:
1308         (JSC::VM::VM):
1309         * runtime/VM.h:
1310         * tools/CellProfile.h:
1311         (JSC::CellProfile::CellProfile):
1312         (JSC::CellProfile::isJSCell const):
1313         * tools/HeapVerifier.cpp:
1314         (JSC::HeapVerifier::validateCell):
1315
1316 2018-06-26  Mark Lam  <mark.lam@apple.com>
1317
1318         Skip some unnecessary work in Interpreter::getStackTrace().
1319         https://bugs.webkit.org/show_bug.cgi?id=187070
1320
1321         Reviewed by Michael Saboff.
1322
1323         * interpreter/Interpreter.cpp:
1324         (JSC::Interpreter::getStackTrace):
1325
1326 2018-06-26  Mark Lam  <mark.lam@apple.com>
1327
1328         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
1329         https://bugs.webkit.org/show_bug.cgi?id=187060
1330         <rdar://problem/41452767>
1331
1332         Reviewed by Keith Miller.
1333
1334         JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
1335         write conversion.  Hence, we can return early after the conversion if the vector
1336         length is already sufficient to cover the requested length.
1337
1338         * runtime/JSObject.cpp:
1339         (JSC::JSObject::ensureLengthSlow):
1340
1341 2018-06-26  Commit Queue  <commit-queue@webkit.org>
1342
1343         Unreviewed, rolling out r233184.
1344         https://bugs.webkit.org/show_bug.cgi?id=187059
1345
1346         "It regressed JetStream between 5-8%" (Requested by saamyjoon
1347         on #webkit).
1348
1349         Reverted changeset:
1350
1351         "JSImmutableButterfly can't be allocated from a subspace with
1352         HeapCell::Kind::Auxiliary"
1353         https://bugs.webkit.org/show_bug.cgi?id=186878
1354         https://trac.webkit.org/changeset/233184
1355
1356 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
1357
1358         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
1359         https://bugs.webkit.org/show_bug.cgi?id=187051
1360
1361         Reviewed by Mark Lam.
1362
1363         Revert r233065 changes over UnlinkedCodeBlock.h to allow
1364         clang-3.8 to be able to compile this back (with libstdc++5)
1365
1366         * bytecode/UnlinkedCodeBlock.h:
1367         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
1368
1369 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
1370
1371         Fix testapi build when DFG_JIT is disabled
1372         https://bugs.webkit.org/show_bug.cgi?id=187038
1373
1374         Reviewed by Mark Lam.
1375
1376         r233158 added a new API and tests for configuring the number of JIT threads, but
1377         the API is only available when DFG_JIT is enabled, and so the tests should be too.
1378
1379         * API/tests/testapi.mm:
1380         (runJITThreadLimitTests):
1381
1382 2018-06-25  Saam Barati  <sbarati@apple.com>
1383
1384         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
1385         https://bugs.webkit.org/show_bug.cgi?id=186878
1386         <rdar://problem/40568659>
1387
1388         Reviewed by Mark Lam.
1389
1390         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
1391         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
1392         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
1393         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
1394         bots is that our conservative marking won't do cell marking for things that
1395         are Auxiliary. This means that if the stack is the only thing pointing to a
1396         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
1397         not be visited. This patch fixes this bug. This patch also extends our conservative
1398         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
1399
1400         * bytecompiler/NodesCodegen.cpp:
1401         (JSC::ArrayNode::emitBytecode):
1402         * heap/HeapUtil.h:
1403         (JSC::HeapUtil::findGCObjectPointersForMarking):
1404         * runtime/JSImmutableButterfly.h:
1405         (JSC::JSImmutableButterfly::subspaceFor):
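
        Added example (a toy model, not JSC code): a conservative-root lookup in the shape the
        entry above describes. Cells live in fixed-size blocks tagged with a kind; a stack word
        pointing into a JSCell-kind block marks the enclosing cell, even when the word is an
        interior pointer, while Auxiliary blocks get no cell marking. Block, Heap, CellKind and
        immutableButterflySurvives are this example's own names; addresses are constructed
        integers and are never dereferenced.

```cpp
// Toy model of conservative stack scanning (added example, not JSC code).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

namespace toy {

enum class CellKind { JSCell, Auxiliary };

// One block of equally sized cells, standing in for a MarkedBlock.
struct Block {
    uintptr_t base;
    size_t cellSize;
    size_t cellCount;
    CellKind kind;
    std::vector<bool> marked;

    Block(uintptr_t b, size_t size, size_t count, CellKind k)
        : base(b), cellSize(size), cellCount(count), kind(k), marked(count, false) { }

    bool contains(uintptr_t p) const { return p >= base && p < base + cellSize * cellCount; }
    // Round a possibly interior address down to the start of its cell.
    uintptr_t cellBase(uintptr_t p) const { return base + ((p - base) / cellSize) * cellSize; }
    size_t indexOf(uintptr_t cellStart) const { return (cellStart - base) / cellSize; }
};

struct Heap {
    std::vector<Block> blocks;

    Block* blockFor(uintptr_t p) {
        for (Block& b : blocks) {
            if (b.contains(p))
                return &b;
        }
        return nullptr;
    }

    // Examine one candidate word found on the stack. Returns true if a cell was marked.
    // allowInterior=false models the marker before the fix (only exact cell pointers count);
    // allowInterior=true models the extended conservative marking from the entry.
    bool visitCandidate(uintptr_t p, bool allowInterior) {
        Block* b = blockFor(p);
        if (!b)
            return false; // not a heap address at all
        if (b->kind == CellKind::Auxiliary)
            return false; // conservative marking does no cell marking for Auxiliary
        uintptr_t cell = b->cellBase(p);
        if (cell != p && !allowInterior)
            return false; // interior pointer, and interior pointers are not understood
        b->marked[b->indexOf(cell)] = true;
        return true;
    }

    bool isMarked(uintptr_t cellStart) {
        Block* b = blockFor(cellStart);
        return b && b->marked[b->indexOf(b->cellBase(cellStart))];
    }
};

// Scenario from the entry: a JSImmutableButterfly-like cell whose only reference is a
// word on the stack. `kind` is the subspace it was allocated from, `interiorOffset` is
// how far into the cell the stack word points, `allowInterior` is the marker's setting.
// Returns whether the cell survives the collection (was marked).
bool immutableButterflySurvives(CellKind kind, size_t interiorOffset, bool allowInterior) {
    const uintptr_t kBase = 0x10000; // constructed address, never dereferenced
    const size_t kCellSize = 64;
    Heap heap;
    heap.blocks.emplace_back(kBase, kCellSize, 16, kind);
    uintptr_t cell = kBase + 3 * kCellSize;      // the cell we "allocated"
    uintptr_t stackWord = cell + interiorOffset; // what the stack actually holds
    heap.visitCandidate(stackWord, allowInterior);
    return heap.isMarked(cell);
}

} // namespace toy

int main() {
    using toy::CellKind;
    std::printf("Auxiliary, exact pointer: %s\n",
        toy::immutableButterflySurvives(CellKind::Auxiliary, 0, true) ? "kept" : "freed (the bug)");
    std::printf("JSCell, exact pointer:    %s\n",
        toy::immutableButterflySurvives(CellKind::JSCell, 0, false) ? "kept" : "freed");
    std::printf("JSCell, interior, old:    %s\n",
        toy::immutableButterflySurvives(CellKind::JSCell, 16, false) ? "kept" : "freed");
    std::printf("JSCell, interior, new:    %s\n",
        toy::immutableButterflySurvives(CellKind::JSCell, 16, true) ? "kept" : "freed");
    return 0;
}
```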
1406
1407 2018-06-25  Mark Lam  <mark.lam@apple.com>
1408
1409         constructArray() should set m_numValuesInVector to the specified length.
1410         https://bugs.webkit.org/show_bug.cgi?id=187010
1411         <rdar://problem/41392167>
1412
1413         Reviewed by Filip Pizlo.
1414
1415         Its client will fill in the storage vector with some values using initializeIndex()
1416         and expects m_numValuesInVector to be set to the length, i.e. the number of values
1417         to be initialized.
1418
1419         * runtime/JSArray.cpp:
1420         (JSC::constructArray):
1421
1422 2018-06-25  Mark Lam  <mark.lam@apple.com>
1423
1424         Add missing exception check in RegExpObjectInlines.h's collectMatches.
1425         https://bugs.webkit.org/show_bug.cgi?id=187006
1426         <rdar://problem/41418412>
1427
1428         Reviewed by Keith Miller.
1429
1430         * runtime/RegExpObjectInlines.h:
1431         (JSC::collectMatches):
1432
1433 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
1434
1435         Add API for configuring the number of threads used by DFG and FTL
1436         https://bugs.webkit.org/show_bug.cgi?id=186859
1437         <rdar://problem/41093519>
1438
1439         Reviewed by Filip Pizlo.
1440
1441         Add new private APIs for limiting the number of threads to be used by
1442         the DFG and FTL compilers. It was already possible to configure the
1443         limit through JSC Options, but now it can be changed at runtime, even
1444         in the case when the VM is already running.
1445
1446         Add a test for both cases: configuring the limit before and after the
1447         Worklist has been created. In order to simulate the first scenario, we
1448         must guarantee that the test runs at the very beginning, so I also added
1449         a check for that.
1450
1451         * API/JSVirtualMachine.mm:
1452         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
1453         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
1454         * API/JSVirtualMachinePrivate.h:
1455         * API/tests/testapi.mm:
1456         (runJITThreadLimitTests):
1457         (testObjectiveCAPIMain):
1458         * dfg/DFGWorklist.cpp:
1459         (JSC::DFG::Worklist::finishCreation):
1460         (JSC::DFG::Worklist::createNewThread):
1461         (JSC::DFG::Worklist::setNumberOfThreads):
1462         * dfg/DFGWorklist.h:
1463
1464 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1465
1466         [JSC] Remove unnecessary PLATFORM guards
1467         https://bugs.webkit.org/show_bug.cgi?id=186995
1468
1469         Reviewed by Mark Lam.
1470
1471         * assembler/AssemblerCommon.h:
1472         (JSC::isIOS):
1473         Add constexpr.
1474
1475         * inspector/JSGlobalObjectInspectorController.cpp:
1476         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1477         StackFrame works on all platforms. If StackFrame::demangle fails, it just
1478         returns std::nullopt, and that is correctly handled in this code.
1479
1480 2018-06-23  Mark Lam  <mark.lam@apple.com>
1481
1482         Add more debugging features to $vm.
1483         https://bugs.webkit.org/show_bug.cgi?id=186947
1484
1485         Reviewed by Keith Miller.
1486
1487         Adding the following features:
1488
1489             // We now have println in addition to print.
1490             // println automatically adds a '\n' at the end.
1491             $vm.println("Hello");
1492
1493             // We can now capture some info about a stack frame.
1494             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
1495             var callerCallerFrame = $vm.callFrame(2);
1496
1497             // We can inspect the following values associated with the frame:
1498             if (currentFrame.valid) {
1499                 $vm.println("name is ", currentFrame.name);
1500
1501                 // Note: For a WASM frame, all of these will be undefined.
1502                 $vm.println("callee is ", $vm.value(currentFrame.callee));
1503                 $vm.println("codeBlock is ", currentFrame.codeBlock);
1504                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
1505                 $vm.println("executable is ", currentFrame.executable);
1506             }
1507
1508             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
1509             // to dataLog its JSValue instead of its toString() result.
1510
1511             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
1512             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
1513             // toString on a non-object.
1514
1515             // Does what it says about enabling/disabling debugger mode.
1516             $vm.enableDebuggerModeWhenIdle();
1517             $vm.disableDebuggerModeWhenIdle();
1518
1519         * tools/JSDollarVM.cpp:
1520         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
1521         (WTF::JSDollarVMCallFrame::createStructure):
1522         (WTF::JSDollarVMCallFrame::create):
1523         (WTF::JSDollarVMCallFrame::finishCreation):
1524         (WTF::JSDollarVMCallFrame::addProperty):
1525         (JSC::functionCallFrame):
1526         (JSC::functionCodeBlockForFrame):
1527         (JSC::codeBlockFromArg):
1528         (JSC::doPrintln):
1529         (JSC::functionPrint):
1530         (JSC::functionPrintln):
1531         (JSC::changeDebuggerModeWhenIdle):
1532         (JSC::functionEnableDebuggerModeWhenIdle):
1533         (JSC::functionDisableDebuggerModeWhenIdle):
1534         (JSC::JSDollarVM::finishCreation):
1535
1536 2018-06-22  Keith Miller  <keith_miller@apple.com>
1537
1538         We need to have a getDirectConcurrently for use in the compilers
1539         https://bugs.webkit.org/show_bug.cgi?id=186954
1540
1541         Reviewed by Mark Lam.
1542
1543         It used to be that the propertyStorage of an object never shrank,
1544         so if you called getDirect with some offset it would never be an
1545         OOB read. However, this property storage can shrink when calling
1546         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
1547         holds the Structure's ConcurrentJSLock while shrinking. This patch
1548         adds a getDirectConcurrently that will safely try to load from the
1549         butterfly.
1550
1551         * bytecode/ObjectPropertyConditionSet.cpp:
1552         * bytecode/PropertyCondition.cpp:
1553         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1554         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
1555         * dfg/DFGGraph.cpp:
1556         (JSC::DFG::Graph::tryGetConstantProperty):
1557         * runtime/JSObject.h:
1558         (JSC::JSObject::getDirectConcurrently const):
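
        Added example (a toy model, not JSC code) of the hazard the entry above describes:
        property storage that can shrink under a lock while a compiler thread reads it, and a
        reader that takes the same lock and re-checks the offset before loading. ToyObject,
        Value, shrinkTo and the helper functions are this example's own names; std::mutex
        stands in for the Structure's ConcurrentJSLock.

```cpp
// Toy model of getDirect vs. getDirectConcurrently (added example, not JSC code).
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <mutex>
#include <optional>
#include <thread>
#include <vector>

namespace toy {

using Value = int64_t;

struct ToyObject {
    std::mutex structureLock;            // stands in for the Structure's ConcurrentJSLock
    std::vector<Value> propertyStorage;  // stands in for the out-of-line property slots

    explicit ToyObject(size_t slots) {
        for (size_t i = 0; i < slots; ++i)
            propertyStorage.push_back(static_cast<Value>(1000 + i));
    }

    // Mutator side, like flattenDictionaryStructure: shrinks only while holding the lock.
    void shrinkTo(size_t newSize) {
        std::lock_guard<std::mutex> locker(structureLock);
        if (newSize < propertyStorage.size())
            propertyStorage.resize(newSize);
    }

    // Mutator-thread read: the caller must already know the offset is valid. That was
    // the old getDirect contract, and a concurrent compiler thread cannot rely on it.
    Value getDirect(size_t offset) const { return propertyStorage[offset]; }

    // Compiler-thread read: take the lock, validate the offset against the *current*
    // size, and only then load. Returns nullopt instead of reading out of bounds.
    std::optional<Value> getDirectConcurrently(size_t offset) {
        std::lock_guard<std::mutex> locker(structureLock);
        if (offset >= propertyStorage.size())
            return std::nullopt;
        return propertyStorage[offset];
    }
};

// Deterministic check: after a shrink, a stale offset yields nullopt rather than garbage,
// while offsets that are still in bounds keep returning their value.
bool staleOffsetIsRejected() {
    ToyObject obj(8);
    std::optional<Value> before = obj.getDirectConcurrently(6);
    obj.shrinkTo(4);
    std::optional<Value> after = obj.getDirectConcurrently(6);
    std::optional<Value> still = obj.getDirectConcurrently(2);
    return before.has_value() && *before == 1006 && !after.has_value()
        && still.has_value() && *still == 1002;
}

// Stress: one thread repeatedly shrinks and regrows the storage under the lock while
// another reads a fixed offset through getDirectConcurrently. Every value the reader
// gets must be the one that slot holds; a torn or out-of-bounds read would show up as
// a bad read.
bool concurrentReadsAreConsistent(int iterations) {
    ToyObject obj(8);
    std::atomic<bool> stop { false };
    std::atomic<int> badReads { 0 };

    std::thread reader([&] {
        while (!stop.load()) {
            if (auto v = obj.getDirectConcurrently(6)) {
                if (*v != 1006)
                    badReads.fetch_add(1);
            }
        }
    });

    for (int i = 0; i < iterations; ++i) {
        obj.shrinkTo(4);
        std::lock_guard<std::mutex> locker(obj.structureLock); // regrow under the same lock
        while (obj.propertyStorage.size() < 8)
            obj.propertyStorage.push_back(static_cast<Value>(1000 + obj.propertyStorage.size()));
    }
    stop.store(true);
    reader.join();
    return badReads.load() == 0;
}

} // namespace toy

int main() {
    std::printf("stale offset rejected: %s\n", toy::staleOffsetIsRejected() ? "yes" : "no");
    std::printf("concurrent reads consistent: %s\n",
        toy::concurrentReadsAreConsistent(2000) ? "yes" : "no");
    return 0;
}
```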
1559
1560 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1561
1562         [WTF] Use Ref<> for the result type of non-failing factory functions
1563         https://bugs.webkit.org/show_bug.cgi?id=186920
1564
1565         Reviewed by Darin Adler.
1566
1567         * dfg/DFGWorklist.cpp:
1568         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
1569         (JSC::DFG::Worklist::finishCreation):
1570         * dfg/DFGWorklist.h:
1571         * heap/Heap.cpp:
1572         (JSC::Heap::Thread::Thread):
1573         * heap/Heap.h:
1574         * jit/JITWorklist.cpp:
1575         (JSC::JITWorklist::Thread::Thread):
1576         * jit/JITWorklist.h:
1577         * runtime/VMTraps.cpp:
1578         * runtime/VMTraps.h:
1579         * wasm/WasmWorklist.cpp:
1580         * wasm/WasmWorklist.h:
1581
1582 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1583
1584         [WTF] Add user-defined literal for ASCIILiteral
1585         https://bugs.webkit.org/show_bug.cgi?id=186839
1586
1587         Reviewed by Darin Adler.
1588
1589         * API/JSCallbackObjectFunctions.h:
1590         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1591         (JSC::JSCallbackObject<Parent>::callbackGetter):
1592         * API/JSObjectRef.cpp:
1593         (JSObjectMakeFunctionWithCallback):
1594         * API/JSTypedArray.cpp:
1595         (JSObjectGetArrayBufferBytesPtr):
1596         * API/JSValue.mm:
1597         (valueToArray):
1598         (valueToDictionary):
1599         * API/ObjCCallbackFunction.mm:
1600         (JSC::objCCallbackFunctionCallAsFunction):
1601         (JSC::objCCallbackFunctionCallAsConstructor):
1602         (JSC::ObjCCallbackFunctionImpl::call):
1603         * API/glib/JSCCallbackFunction.cpp:
1604         (JSC::JSCCallbackFunction::call):
1605         (JSC::JSCCallbackFunction::construct):
1606         * API/glib/JSCContext.cpp:
1607         (jscContextJSValueToGValue):
1608         * API/glib/JSCValue.cpp:
1609         (jsc_value_object_define_property_accessor):
1610         (jscValueFunctionCreate):
1611         * builtins/BuiltinUtils.h:
1612         * bytecode/CodeBlock.cpp:
1613         (JSC::CodeBlock::nameForRegister):
1614         * bytecompiler/BytecodeGenerator.cpp:
1615         (JSC::BytecodeGenerator::emitEnumeration):
1616         (JSC::BytecodeGenerator::emitIteratorNext):
1617         (JSC::BytecodeGenerator::emitIteratorClose):
1618         (JSC::BytecodeGenerator::emitDelegateYield):
1619         * bytecompiler/NodesCodegen.cpp:
1620         (JSC::FunctionCallValueNode::emitBytecode):
1621         (JSC::PostfixNode::emitBytecode):
1622         (JSC::PrefixNode::emitBytecode):
1623         (JSC::AssignErrorNode::emitBytecode):
1624         (JSC::ForInNode::emitBytecode):
1625         (JSC::ForOfNode::emitBytecode):
1626         (JSC::ClassExprNode::emitBytecode):
1627         (JSC::ObjectPatternNode::bindValue const):
1628         * dfg/DFGDriver.cpp:
1629         (JSC::DFG::compileImpl):
1630         * dfg/DFGOperations.cpp:
1631         (JSC::DFG::newTypedArrayWithSize):
1632         * dfg/DFGStrengthReductionPhase.cpp:
1633         (JSC::DFG::StrengthReductionPhase::handleNode):
1634         * inspector/ConsoleMessage.cpp:
1635         (Inspector::ConsoleMessage::addToFrontend):
1636         (Inspector::ConsoleMessage::clear):
1637         * inspector/ContentSearchUtilities.cpp:
1638         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
1639         * inspector/InjectedScript.cpp:
1640         (Inspector::InjectedScript::InjectedScript):
1641         (Inspector::InjectedScript::evaluate):
1642         (Inspector::InjectedScript::callFunctionOn):
1643         (Inspector::InjectedScript::evaluateOnCallFrame):
1644         (Inspector::InjectedScript::getFunctionDetails):
1645         (Inspector::InjectedScript::functionDetails):
1646         (Inspector::InjectedScript::getPreview):
1647         (Inspector::InjectedScript::getProperties):
1648         (Inspector::InjectedScript::getDisplayableProperties):
1649         (Inspector::InjectedScript::getInternalProperties):
1650         (Inspector::InjectedScript::getCollectionEntries):
1651         (Inspector::InjectedScript::saveResult):
1652         (Inspector::InjectedScript::wrapCallFrames const):
1653         (Inspector::InjectedScript::wrapObject const):
1654         (Inspector::InjectedScript::wrapJSONString const):
1655         (Inspector::InjectedScript::wrapTable const):
1656         (Inspector::InjectedScript::previewValue const):
1657         (Inspector::InjectedScript::setExceptionValue):
1658         (Inspector::InjectedScript::clearExceptionValue):
1659         (Inspector::InjectedScript::findObjectById const):
1660         (Inspector::InjectedScript::inspectObject):
1661         (Inspector::InjectedScript::releaseObject):
1662         (Inspector::InjectedScript::releaseObjectGroup):
1663         * inspector/InjectedScriptBase.cpp:
1664         (Inspector::InjectedScriptBase::makeEvalCall):
1665         * inspector/InjectedScriptManager.cpp:
1666         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1667         * inspector/InjectedScriptModule.cpp:
1668         (Inspector::InjectedScriptModule::ensureInjected):
1669         * inspector/InspectorBackendDispatcher.cpp:
1670         (Inspector::BackendDispatcher::dispatch):
1671         (Inspector::BackendDispatcher::sendResponse):
1672         (Inspector::BackendDispatcher::sendPendingErrors):
1673         * inspector/JSGlobalObjectConsoleClient.cpp:
1674         (Inspector::JSGlobalObjectConsoleClient::profile):
1675         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
1676         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
1677         * inspector/JSGlobalObjectInspectorController.cpp:
1678         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1679         * inspector/JSInjectedScriptHost.cpp:
1680         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1681         (Inspector::JSInjectedScriptHost::subtype):
1682         (Inspector::JSInjectedScriptHost::getInternalProperties):
1683         * inspector/JSJavaScriptCallFrame.cpp:
1684         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1685         (Inspector::JSJavaScriptCallFrame::type const):
1686         * inspector/ScriptArguments.cpp:
1687         (Inspector::ScriptArguments::getFirstArgumentAsString):
1688         * inspector/ScriptCallStackFactory.cpp:
1689         (Inspector::extractSourceInformationFromException):
1690         * inspector/agents/InspectorAgent.cpp:
1691         (Inspector::InspectorAgent::InspectorAgent):
1692         * inspector/agents/InspectorConsoleAgent.cpp:
1693         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
1694         (Inspector::InspectorConsoleAgent::clearMessages):
1695         (Inspector::InspectorConsoleAgent::count):
1696         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
1697         * inspector/agents/InspectorDebuggerAgent.cpp:
1698         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
1699         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
1700         (Inspector::buildObjectForBreakpointCookie):
1701         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1702         (Inspector::parseLocation):
1703         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1704         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1705         (Inspector::InspectorDebuggerAgent::continueToLocation):
1706         (Inspector::InspectorDebuggerAgent::searchInContent):
1707         (Inspector::InspectorDebuggerAgent::getScriptSource):
1708         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1709         (Inspector::InspectorDebuggerAgent::resume):
1710         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
1711         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1712         (Inspector::InspectorDebuggerAgent::didParseSource):
1713         (Inspector::InspectorDebuggerAgent::assertPaused):
1714         * inspector/agents/InspectorHeapAgent.cpp:
1715         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
1716         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
1717         (Inspector::InspectorHeapAgent::getPreview):
1718         (Inspector::InspectorHeapAgent::getRemoteObject):
1719         * inspector/agents/InspectorRuntimeAgent.cpp:
1720         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
1721         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1722         (Inspector::InspectorRuntimeAgent::getPreview):
1723         (Inspector::InspectorRuntimeAgent::getProperties):
1724         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1725         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1726         (Inspector::InspectorRuntimeAgent::saveResult):
1727         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1728         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1729         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1730         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
1731         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1732         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
1733         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1734         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
1735         * inspector/scripts/codegen/cpp_generator_templates.py:
1736         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1737         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1738         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1739         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1740         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1741         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1742         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1743         (CppProtocolTypesImplementationGenerator):
1744         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1745         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1746         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
1747         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1748         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1749         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1750         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1751         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
1752         * inspector/scripts/codegen/objc_generator_templates.py:
1753         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1754         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1755         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1756         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1757         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1758         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1759         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1760         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1761         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1762         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1763         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1764         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1765         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1766         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1767         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1768         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1769         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1770         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1771         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1772         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1773         * interpreter/CallFrame.cpp:
1774         (JSC::CallFrame::friendlyFunctionName):
1775         * interpreter/Interpreter.cpp:
1776         (JSC::Interpreter::execute):
1777         * interpreter/StackVisitor.cpp:
1778         (JSC::StackVisitor::Frame::functionName const):
1779         (JSC::StackVisitor::Frame::sourceURL const):
1780         * jit/JIT.cpp:
1781         (JSC::JIT::doMainThreadPreparationBeforeCompile):
1782         * jit/JITOperations.cpp:
1783         * jsc.cpp:
1784         (resolvePath):
1785         (GlobalObject::moduleLoaderImportModule):
1786         (GlobalObject::moduleLoaderResolve):
1787         (functionDescribeArray):
1788         (functionRun):
1789         (functionLoad):
1790         (functionCheckSyntax):
1791         (functionDollarEvalScript):
1792         (functionDollarAgentStart):
1793         (functionDollarAgentReceiveBroadcast):
1794         (functionDollarAgentBroadcast):
1795         (functionTransferArrayBuffer):
1796         (functionLoadModule):
1797         (functionSamplingProfilerStackTraces):
1798         (functionAsyncTestStart):
1799         (functionWebAssemblyMemoryMode):
1800         (runWithOptions):
1801         * parser/Lexer.cpp:
1802         (JSC::Lexer<T>::invalidCharacterMessage const):
1803         (JSC::Lexer<T>::parseString):
1804         (JSC::Lexer<T>::parseComplexEscape):
1805         (JSC::Lexer<T>::parseStringSlowCase):
1806         (JSC::Lexer<T>::parseTemplateLiteral):
1807         (JSC::Lexer<T>::lex):
1808         * parser/Parser.cpp:
1809         (JSC::Parser<LexerType>::parseInner):
1810         * parser/Parser.h:
1811         (JSC::Parser::setErrorMessage):
1812         * runtime/AbstractModuleRecord.cpp:
1813         (JSC::AbstractModuleRecord::finishCreation):
1814         * runtime/ArrayBuffer.cpp:
1815         (JSC::errorMesasgeForTransfer):
1816         * runtime/ArrayBufferSharingMode.h:
1817         (JSC::arrayBufferSharingModeName):
1818         * runtime/ArrayConstructor.cpp:
1819         (JSC::constructArrayWithSizeQuirk):
1820         (JSC::isArraySlowInline):
1821         * runtime/ArrayPrototype.cpp:
1822         (JSC::setLength):
1823         (JSC::shift):
1824         (JSC::unshift):
1825         (JSC::arrayProtoFuncPop):
1826         (JSC::arrayProtoFuncReverse):
1827         (JSC::arrayProtoFuncUnShift):
1828         * runtime/AtomicsObject.cpp:
1829         (JSC::atomicsFuncWait):
1830         (JSC::atomicsFuncWake):
1831         * runtime/BigIntConstructor.cpp:
1832         (JSC::BigIntConstructor::finishCreation):
1833         (JSC::toBigInt):
1834         (JSC::callBigIntConstructor):
1835         * runtime/BigIntObject.cpp:
1836         (JSC::BigIntObject::toStringName):
1837         * runtime/BigIntPrototype.cpp:
1838         (JSC::bigIntProtoFuncToString):
1839         (JSC::bigIntProtoFuncValueOf):
1840         * runtime/CommonSlowPaths.cpp:
1841         (JSC::SLOW_PATH_DECL):
1842         * runtime/ConsoleClient.cpp:
1843         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1844         * runtime/ConsoleObject.cpp:
1845         (JSC::valueOrDefaultLabelString):
1846         (JSC::consoleProtoFuncTime):
1847         (JSC::consoleProtoFuncTimeEnd):
1848         * runtime/DatePrototype.cpp:
1849         (JSC::formatLocaleDate):
1850         (JSC::formateDateInstance):
1851         (JSC::DatePrototype::finishCreation):
1852         (JSC::dateProtoFuncToISOString):
1853         (JSC::dateProtoFuncToJSON):
1854         * runtime/Error.cpp:
1855         (JSC::createNotEnoughArgumentsError):
1856         (JSC::throwSyntaxError):
1857         (JSC::createTypeError):
1858         (JSC::createOutOfMemoryError):
1859         * runtime/Error.h:
1860         (JSC::throwVMError):
1861         * runtime/ErrorConstructor.cpp:
1862         (JSC::ErrorConstructor::finishCreation):
1863         * runtime/ErrorInstance.cpp:
1864         (JSC::ErrorInstance::sanitizedToString):
1865         * runtime/ErrorPrototype.cpp:
1866         (JSC::ErrorPrototype::finishCreation):
1867         (JSC::errorProtoFuncToString):
1868         * runtime/ExceptionFuzz.cpp:
1869         (JSC::doExceptionFuzzing):
1870         * runtime/ExceptionHelpers.cpp:
1871         (JSC::TerminatedExecutionError::defaultValue):
1872         (JSC::createStackOverflowError):
1873         (JSC::createNotAConstructorError):
1874         (JSC::createNotAFunctionError):
1875         (JSC::createNotAnObjectError):
1876         * runtime/GetterSetter.cpp:
1877         (JSC::callSetter):
1878         * runtime/IntlCollator.cpp:
1879         (JSC::sortLocaleData):
1880         (JSC::searchLocaleData):
1881         (JSC::IntlCollator::initializeCollator):
1882         (JSC::IntlCollator::compareStrings):
1883         (JSC::IntlCollator::usageString):
1884         (JSC::IntlCollator::sensitivityString):
1885         (JSC::IntlCollator::caseFirstString):
1886         (JSC::IntlCollator::resolvedOptions):
1887         * runtime/IntlCollator.h:
1888         * runtime/IntlCollatorConstructor.cpp:
1889         (JSC::IntlCollatorConstructor::finishCreation):
1890         * runtime/IntlCollatorPrototype.cpp:
1891         (JSC::IntlCollatorPrototypeGetterCompare):
1892         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1893         * runtime/IntlDateTimeFormat.cpp:
1894         (JSC::defaultTimeZone):
1895         (JSC::canonicalizeTimeZoneName):
1896         (JSC::IntlDTFInternal::localeData):
1897         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
1898         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1899         (JSC::IntlDateTimeFormat::weekdayString):
1900         (JSC::IntlDateTimeFormat::eraString):
1901         (JSC::IntlDateTimeFormat::yearString):
1902         (JSC::IntlDateTimeFormat::monthString):
1903         (JSC::IntlDateTimeFormat::dayString):
1904         (JSC::IntlDateTimeFormat::hourString):
1905         (JSC::IntlDateTimeFormat::minuteString):
1906         (JSC::IntlDateTimeFormat::secondString):
1907         (JSC::IntlDateTimeFormat::timeZoneNameString):
1908         (JSC::IntlDateTimeFormat::resolvedOptions):
1909         (JSC::IntlDateTimeFormat::format):
1910         (JSC::IntlDateTimeFormat::partTypeString):
1911         (JSC::IntlDateTimeFormat::formatToParts):
1912         * runtime/IntlDateTimeFormat.h:
1913         * runtime/IntlDateTimeFormatConstructor.cpp:
1914         (JSC::IntlDateTimeFormatConstructor::finishCreation):
1915         * runtime/IntlDateTimeFormatPrototype.cpp:
1916         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1917         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
1918         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1919         * runtime/IntlNumberFormat.cpp:
1920         (JSC::IntlNumberFormat::initializeNumberFormat):
1921         (JSC::IntlNumberFormat::formatNumber):
1922         (JSC::IntlNumberFormat::styleString):
1923         (JSC::IntlNumberFormat::currencyDisplayString):
1924         (JSC::IntlNumberFormat::resolvedOptions):
1925         (JSC::IntlNumberFormat::partTypeString):
1926         (JSC::IntlNumberFormat::formatToParts):
1927         * runtime/IntlNumberFormat.h:
1928         * runtime/IntlNumberFormatConstructor.cpp:
1929         (JSC::IntlNumberFormatConstructor::finishCreation):
1930         * runtime/IntlNumberFormatPrototype.cpp:
1931         (JSC::IntlNumberFormatPrototypeGetterFormat):
1932         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
1933         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1934         * runtime/IntlObject.cpp:
1935         (JSC::grandfatheredLangTag):
1936         (JSC::canonicalizeLocaleList):
1937         (JSC::resolveLocale):
1938         (JSC::supportedLocales):
1939         * runtime/IntlPluralRules.cpp:
1940         (JSC::IntlPluralRules::initializePluralRules):
1941         (JSC::IntlPluralRules::resolvedOptions):
1942         (JSC::IntlPluralRules::select):
1943         * runtime/IntlPluralRulesConstructor.cpp:
1944         (JSC::IntlPluralRulesConstructor::finishCreation):
1945         * runtime/IntlPluralRulesPrototype.cpp:
1946         (JSC::IntlPluralRulesPrototypeFuncSelect):
1947         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
1948         * runtime/IteratorOperations.cpp:
1949         (JSC::iteratorNext):
1950         (JSC::iteratorClose):
1951         (JSC::hasIteratorMethod):
1952         (JSC::iteratorMethod):
1953         * runtime/JSArray.cpp:
1954         (JSC::JSArray::tryCreateUninitializedRestricted):
1955         (JSC::JSArray::defineOwnProperty):
1956         (JSC::JSArray::put):
1957         (JSC::JSArray::setLengthWithArrayStorage):
1958         (JSC::JSArray::appendMemcpy):
1959         (JSC::JSArray::pop):
1960         * runtime/JSArray.h:
1961         * runtime/JSArrayBufferConstructor.cpp:
1962         (JSC::JSArrayBufferConstructor::finishCreation):
1963         * runtime/JSArrayBufferPrototype.cpp:
1964         (JSC::arrayBufferProtoFuncSlice):
1965         (JSC::arrayBufferProtoGetterFuncByteLength):
1966         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
1967         * runtime/JSArrayBufferView.cpp:
1968         (JSC::JSArrayBufferView::toStringName):
1969         * runtime/JSArrayInlines.h:
1970         (JSC::JSArray::pushInline):
1971         * runtime/JSBigInt.cpp:
1972         (JSC::JSBigInt::divide):
1973         (JSC::JSBigInt::remainder):
1974         (JSC::JSBigInt::toNumber const):
1975         * runtime/JSCJSValue.cpp:
1976         (JSC::JSValue::putToPrimitive):
1977         (JSC::JSValue::putToPrimitiveByIndex):
1978         (JSC::JSValue::toStringSlowCase const):
1979         * runtime/JSCJSValueInlines.h:
1980         (JSC::toPreferredPrimitiveType):
1981         * runtime/JSDataView.cpp:
1982         (JSC::JSDataView::create):
1983         (JSC::JSDataView::put):
1984         (JSC::JSDataView::defineOwnProperty):
1985         * runtime/JSDataViewPrototype.cpp:
1986         (JSC::getData):
1987         (JSC::setData):
1988         * runtime/JSFunction.cpp:
1989         (JSC::JSFunction::callerGetter):
1990         (JSC::JSFunction::put):
1991         (JSC::JSFunction::defineOwnProperty):
1992         * runtime/JSGenericTypedArrayView.h:
1993         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1994         (JSC::constructGenericTypedArrayViewWithArguments):
1995         (JSC::constructGenericTypedArrayView):
1996         * runtime/JSGenericTypedArrayViewInlines.h:
1997         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1998         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1999         (JSC::speciesConstruct):
2000         (JSC::genericTypedArrayViewProtoFuncSet):
2001         (JSC::genericTypedArrayViewProtoFuncIndexOf):
2002         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2003         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2004         * runtime/JSGlobalObject.cpp:
2005         (JSC::JSGlobalObject::init):
2006         * runtime/JSGlobalObjectDebuggable.cpp:
2007         (JSC::JSGlobalObjectDebuggable::name const):
2008         * runtime/JSGlobalObjectFunctions.cpp:
2009         (JSC::encode):
2010         (JSC::decode):
2011         (JSC::globalFuncProtoSetter):
2012         * runtime/JSGlobalObjectFunctions.h:
2013         * runtime/JSMap.cpp:
2014         (JSC::JSMap::toStringName):
2015         * runtime/JSModuleEnvironment.cpp:
2016         (JSC::JSModuleEnvironment::put):
2017         * runtime/JSModuleNamespaceObject.cpp:
2018         (JSC::JSModuleNamespaceObject::put):
2019         (JSC::JSModuleNamespaceObject::putByIndex):
2020         (JSC::JSModuleNamespaceObject::defineOwnProperty):
2021         * runtime/JSONObject.cpp:
2022         (JSC::Stringifier::appendStringifiedValue):
2023         (JSC::JSONProtoFuncParse):
2024         (JSC::JSONProtoFuncStringify):
2025         * runtime/JSObject.cpp:
2026         (JSC::getClassPropertyNames):
2027         (JSC::JSObject::calculatedClassName):
2028         (JSC::ordinarySetSlow):
2029         (JSC::JSObject::putInlineSlow):
2030         (JSC::JSObject::setPrototypeWithCycleCheck):
2031         (JSC::callToPrimitiveFunction):
2032         (JSC::JSObject::ordinaryToPrimitive const):
2033         (JSC::JSObject::defaultHasInstance):
2034         (JSC::JSObject::defineOwnIndexedProperty):
2035         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2036         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2037         (JSC::validateAndApplyPropertyDescriptor):
2038         * runtime/JSObject.h:
2039         * runtime/JSObjectInlines.h:
2040         (JSC::JSObject::putInlineForJSObject):
2041         * runtime/JSPromiseConstructor.cpp:
2042         (JSC::JSPromiseConstructor::finishCreation):
2043         * runtime/JSSet.cpp:
2044         (JSC::JSSet::toStringName):
2045         * runtime/JSSymbolTableObject.h:
2046         (JSC::symbolTablePut):
2047         * runtime/JSTypedArrayViewConstructor.cpp:
2048         (JSC::constructTypedArrayView):
2049         * runtime/JSTypedArrayViewPrototype.cpp:
2050         (JSC::typedArrayViewPrivateFuncLength):
2051         (JSC::typedArrayViewProtoFuncSet):
2052         (JSC::typedArrayViewProtoFuncCopyWithin):
2053         (JSC::typedArrayViewProtoFuncLastIndexOf):
2054         (JSC::typedArrayViewProtoFuncIndexOf):
2055         (JSC::typedArrayViewProtoFuncJoin):
2056         (JSC::typedArrayViewProtoGetterFuncBuffer):
2057         (JSC::typedArrayViewProtoGetterFuncLength):
2058         (JSC::typedArrayViewProtoGetterFuncByteLength):
2059         (JSC::typedArrayViewProtoGetterFuncByteOffset):
2060         (JSC::typedArrayViewProtoFuncReverse):
2061         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
2062         (JSC::typedArrayViewProtoFuncSlice):
2063         (JSC::JSTypedArrayViewPrototype::finishCreation):
2064         * runtime/JSWeakMap.cpp:
2065         (JSC::JSWeakMap::toStringName):
2066         * runtime/JSWeakSet.cpp:
2067         (JSC::JSWeakSet::toStringName):
2068         * runtime/LiteralParser.cpp:
2069         (JSC::LiteralParser<CharType>::Lexer::lex):
2070         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2071         (JSC::LiteralParser<CharType>::Lexer::lexNumber):
2072         (JSC::LiteralParser<CharType>::parse):
2073         * runtime/LiteralParser.h:
2074         (JSC::LiteralParser::getErrorMessage):
2075         * runtime/Lookup.cpp:
2076         (JSC::reifyStaticAccessor):
2077         * runtime/Lookup.h:
2078         (JSC::putEntry):
2079         * runtime/MapPrototype.cpp:
2080         (JSC::getMap):
2081         * runtime/NullSetterFunction.cpp:
2082         (JSC::NullSetterFunctionInternal::callReturnUndefined):
2083         * runtime/NumberPrototype.cpp:
2084         (JSC::numberProtoFuncToExponential):
2085         (JSC::numberProtoFuncToFixed):
2086         (JSC::numberProtoFuncToPrecision):
2087         (JSC::extractToStringRadixArgument):
2088         * runtime/ObjectConstructor.cpp:
2089         (JSC::objectConstructorSetPrototypeOf):
2090         (JSC::objectConstructorAssign):
2091         (JSC::objectConstructorValues):
2092         (JSC::toPropertyDescriptor):
2093         (JSC::objectConstructorDefineProperty):
2094         (JSC::objectConstructorDefineProperties):
2095         (JSC::objectConstructorCreate):
2096         (JSC::objectConstructorSeal):
2097         (JSC::objectConstructorFreeze):
2098         * runtime/ObjectPrototype.cpp:
2099         (JSC::objectProtoFuncDefineGetter):
2100         (JSC::objectProtoFuncDefineSetter):
2101         * runtime/Operations.cpp:
2102         (JSC::jsAddSlowCase):
2103         * runtime/Operations.h:
2104         (JSC::jsSub):
2105         (JSC::jsMul):
2106         * runtime/ProgramExecutable.cpp:
2107         (JSC::ProgramExecutable::initializeGlobalProperties):
2108         * runtime/ProxyConstructor.cpp:
2109         (JSC::makeRevocableProxy):
2110         (JSC::proxyRevocableConstructorThrowError):
2111         (JSC::ProxyConstructor::finishCreation):
2112         (JSC::constructProxyObject):
2113         * runtime/ProxyObject.cpp:
2114         (JSC::ProxyObject::toStringName):
2115         (JSC::ProxyObject::finishCreation):
2116         (JSC::performProxyGet):
2117         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2118         (JSC::ProxyObject::performHasProperty):
2119         (JSC::ProxyObject::performPut):
2120         (JSC::performProxyCall):
2121         (JSC::performProxyConstruct):
2122         (JSC::ProxyObject::performDelete):
2123         (JSC::ProxyObject::performPreventExtensions):
2124         (JSC::ProxyObject::performIsExtensible):
2125         (JSC::ProxyObject::performDefineOwnProperty):
2126         (JSC::ProxyObject::performGetOwnPropertyNames):
2127         (JSC::ProxyObject::performSetPrototype):
2128         (JSC::ProxyObject::performGetPrototype):
2129         * runtime/ReflectObject.cpp:
2130         (JSC::reflectObjectConstruct):
2131         (JSC::reflectObjectDefineProperty):
2132         (JSC::reflectObjectGet):
2133         (JSC::reflectObjectGetOwnPropertyDescriptor):
2134         (JSC::reflectObjectGetPrototypeOf):
2135         (JSC::reflectObjectIsExtensible):
2136         (JSC::reflectObjectOwnKeys):
2137         (JSC::reflectObjectPreventExtensions):
2138         (JSC::reflectObjectSet):
2139         (JSC::reflectObjectSetPrototypeOf):
2140         * runtime/RegExpConstructor.cpp:
2141         (JSC::RegExpConstructor::finishCreation):
2142         (JSC::toFlags):
2143         * runtime/RegExpObject.cpp:
2144         (JSC::RegExpObject::defineOwnProperty):
2145         * runtime/RegExpObject.h:
2146         * runtime/RegExpPrototype.cpp:
2147         (JSC::regExpProtoFuncCompile):
2148         (JSC::regExpProtoGetterGlobal):
2149         (JSC::regExpProtoGetterIgnoreCase):
2150         (JSC::regExpProtoGetterMultiline):
2151         (JSC::regExpProtoGetterDotAll):
2152         (JSC::regExpProtoGetterSticky):
2153         (JSC::regExpProtoGetterUnicode):
2154         (JSC::regExpProtoGetterFlags):
2155         (JSC::regExpProtoGetterSourceInternal):
2156         (JSC::regExpProtoGetterSource):
2157         * runtime/RuntimeType.cpp:
2158         (JSC::runtimeTypeAsString):
2159         * runtime/SamplingProfiler.cpp:
2160         (JSC::SamplingProfiler::StackFrame::displayName):
2161         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
2162         * runtime/ScriptExecutable.cpp:
2163         (JSC::ScriptExecutable::prepareForExecutionImpl):
2164         * runtime/SetPrototype.cpp:
2165         (JSC::getSet):
2166         * runtime/SparseArrayValueMap.cpp:
2167         (JSC::SparseArrayValueMap::putEntry):
2168         (JSC::SparseArrayValueMap::putDirect):
2169         (JSC::SparseArrayEntry::put):
2170         * runtime/StackFrame.cpp:
2171         (JSC::StackFrame::sourceURL const):
2172         (JSC::StackFrame::functionName const):
2173         * runtime/StringConstructor.cpp:
2174         (JSC::stringFromCodePoint):
2175         * runtime/StringObject.cpp:
2176         (JSC::StringObject::put):
2177         (JSC::StringObject::putByIndex):
2178         * runtime/StringPrototype.cpp:
2179         (JSC::StringPrototype::finishCreation):
2180         (JSC::toLocaleCase):
2181         (JSC::stringProtoFuncNormalize):
2182         * runtime/Symbol.cpp:
2183         (JSC::Symbol::toNumber const):
2184         * runtime/SymbolConstructor.cpp:
2185         (JSC::symbolConstructorKeyFor):
2186         * runtime/SymbolObject.cpp:
2187         (JSC::SymbolObject::toStringName):
2188         * runtime/SymbolPrototype.cpp:
2189         (JSC::SymbolPrototype::finishCreation):
2190         * runtime/TypeSet.cpp:
2191         (JSC::TypeSet::dumpTypes const):
2192         (JSC::TypeSet::displayName const):
2193         (JSC::StructureShape::leastCommonAncestor):
2194         * runtime/TypeSet.h:
2195         (JSC::StructureShape::setConstructorName):
2196         * runtime/VM.cpp:
2197         (JSC::VM::dumpTypeProfilerData):
2198         * runtime/WeakMapPrototype.cpp:
2199         (JSC::getWeakMap):
2200         (JSC::protoFuncWeakMapSet):
2201         * runtime/WeakSetPrototype.cpp:
2202         (JSC::getWeakSet):
2203         (JSC::protoFuncWeakSetAdd):
2204         * tools/JSDollarVM.cpp:
2205         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2206         (WTF::DOMJITGetterComplex::customGetter):
2207         (JSC::functionSetImpureGetterDelegate):
2208         (JSC::functionCreateElement):
2209         (JSC::functionGetHiddenValue):
2210         (JSC::functionSetHiddenValue):
2211         (JSC::functionFindTypeForExpression):
2212         (JSC::functionReturnTypeFor):
2213         (JSC::functionLoadGetterFromGetterSetter):
2214         * wasm/WasmB3IRGenerator.cpp:
2215         (JSC::Wasm::B3IRGenerator::fail const):
2216         * wasm/WasmIndexOrName.cpp:
2217         (JSC::Wasm::makeString):
2218         * wasm/WasmParser.h:
2219         (JSC::Wasm::FailureHelper::makeString):
2220         (JSC::Wasm::Parser::fail const):
2221         * wasm/WasmPlan.cpp:
2222         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
2223         * wasm/WasmValidate.cpp:
2224         (JSC::Wasm::Validate::fail const):
2225         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2226         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2227         * wasm/js/JSWebAssemblyHelpers.h:
2228         (JSC::toNonWrappingUint32):
2229         (JSC::getWasmBufferFromValue):
2230         * wasm/js/JSWebAssemblyInstance.cpp:
2231         (JSC::JSWebAssemblyInstance::create):
2232         * wasm/js/JSWebAssemblyMemory.cpp:
2233         (JSC::JSWebAssemblyMemory::grow):
2234         * wasm/js/WasmToJS.cpp:
2235         (JSC::Wasm::handleBadI64Use):
2236         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2237         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
2238         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2239         (JSC::constructJSWebAssemblyInstance):
2240         (JSC::WebAssemblyInstanceConstructor::finishCreation):
2241         * wasm/js/WebAssemblyInstancePrototype.cpp:
2242         (JSC::getInstance):
2243         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2244         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
2245         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2246         (JSC::constructJSWebAssemblyMemory):
2247         (JSC::WebAssemblyMemoryConstructor::finishCreation):
2248         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2249         (JSC::getMemory):
2250         * wasm/js/WebAssemblyModuleConstructor.cpp:
2251         (JSC::webAssemblyModuleCustomSections):
2252         (JSC::webAssemblyModuleImports):
2253         (JSC::webAssemblyModuleExports):
2254         (JSC::WebAssemblyModuleConstructor::finishCreation):
2255         * wasm/js/WebAssemblyModuleRecord.cpp:
2256         (JSC::WebAssemblyModuleRecord::link):
2257         (JSC::dataSegmentFail):
2258         (JSC::WebAssemblyModuleRecord::evaluate):
2259         * wasm/js/WebAssemblyPrototype.cpp:
2260         (JSC::resolve):
2261         (JSC::webAssemblyInstantiateFunc):
2262         (JSC::webAssemblyInstantiateStreamingInternal):
2263         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2264         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
2265         * wasm/js/WebAssemblyTableConstructor.cpp:
2266         (JSC::constructJSWebAssemblyTable):
2267         (JSC::WebAssemblyTableConstructor::finishCreation):
2268         * wasm/js/WebAssemblyTablePrototype.cpp:
2269         (JSC::getTable):
2270         (JSC::webAssemblyTableProtoFuncGrow):
2271         (JSC::webAssemblyTableProtoFuncGet):
2272         (JSC::webAssemblyTableProtoFuncSet):
2273
2274 2018-06-22  Keith Miller  <keith_miller@apple.com>
2275
2276         unshift should zero unused property storage
2277         https://bugs.webkit.org/show_bug.cgi?id=186960
2278
2279         Reviewed by Saam Barati.
2280
2281         Also, this patch adds the zeroed unused property storage assertion
2282         to one more place it was missing.
2283
2284         * runtime/JSArray.cpp:
2285         (JSC::JSArray::unshiftCountSlowCase):
2286         * runtime/JSObjectInlines.h:
2287         (JSC::JSObject::putDirectInternal):
2288
2289 2018-06-22  Mark Lam  <mark.lam@apple.com>
2290
2291         PropertyCondition::isValidValueForAttributes() should also consider deleted values.
2292         https://bugs.webkit.org/show_bug.cgi?id=186943
2293         <rdar://problem/41370337>
2294
2295         Reviewed by Saam Barati.
2296
2297         PropertyCondition::isValidValueForAttributes() should check if the passed in value
2298         is a deleted one before it does a jsDynamicCast on it.
2299
2300         * bytecode/PropertyCondition.cpp:
2301         (JSC::PropertyCondition::isValidValueForAttributes):
2302         * runtime/JSCJSValueInlines.h:
2303         - removed an unnecessary #if.
2304
2305 2018-06-22  Keith Miller  <keith_miller@apple.com>
2306
2307         performProxyCall should toThis the value passed to its handler
2308         https://bugs.webkit.org/show_bug.cgi?id=186951
2309
2310         Reviewed by Mark Lam.
2311
2312         * runtime/ProxyObject.cpp:
2313         (JSC::performProxyCall):
2314
2315 2018-06-22  Saam Barati  <sbarati@apple.com>
2316
2317         ensureWritableX should only convert away from CoW when it will succeed
2318         https://bugs.webkit.org/show_bug.cgi?id=186898
2319
2320         Reviewed by Keith Miller.
2321
2322         Otherwise, when we OSR exit, we'll end up profiling the array after
2323         it has been converted away from CoW. It's better for the ArrayProfile
2324         to see the array as it's still in CoW mode.
2325         
2326         This patch also renames ensureWritableX to tryMakeWritableX since these
2327         were never really "ensure" operations -- they may fail and return null.
2328
2329         * dfg/DFGOperations.cpp:
2330         * runtime/JSObject.cpp:
2331         (JSC::JSObject::tryMakeWritableInt32Slow):
2332         (JSC::JSObject::tryMakeWritableDoubleSlow):
2333         (JSC::JSObject::tryMakeWritableContiguousSlow):
2334         (JSC::JSObject::ensureWritableInt32Slow): Deleted.
2335         (JSC::JSObject::ensureWritableDoubleSlow): Deleted.
2336         (JSC::JSObject::ensureWritableContiguousSlow): Deleted.
2337         * runtime/JSObject.h:
2338         (JSC::JSObject::tryMakeWritableInt32):
2339         (JSC::JSObject::tryMakeWritableDouble):
2340         (JSC::JSObject::tryMakeWritableContiguous):
2341         (JSC::JSObject::ensureWritableInt32): Deleted.
2342         (JSC::JSObject::ensureWritableDouble): Deleted.
2343         (JSC::JSObject::ensureWritableContiguous): Deleted.
2344
2345 2018-06-22  Keith Miller  <keith_miller@apple.com>
2346
2347         We should call visitChildren on Base not the exact typename
2348         https://bugs.webkit.org/show_bug.cgi?id=186928
2349
2350         Reviewed by Mark Lam.
2351
2352         A lot of places were not properly calling visitChildren on their
2353         superclass. For most of them it didn't matter because they had
2354         immortal structures. If code changed in the future this might
2355         break things however.
2356
2357         Also, block off more of the MethodTable for GetterSetter objects.
2358
2359         * bytecode/CodeBlock.cpp:
2360         (JSC::CodeBlock::visitChildren):
2361         * bytecode/ExecutableToCodeBlockEdge.cpp:
2362         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2363         * debugger/DebuggerScope.cpp:
2364         (JSC::DebuggerScope::visitChildren):
2365         * runtime/EvalExecutable.cpp:
2366         (JSC::EvalExecutable::visitChildren):
2367         * runtime/FunctionExecutable.cpp:
2368         (JSC::FunctionExecutable::visitChildren):
2369         * runtime/FunctionRareData.cpp:
2370         (JSC::FunctionRareData::visitChildren):
2371         * runtime/GenericArgumentsInlines.h:
2372         (JSC::GenericArguments<Type>::visitChildren):
2373         * runtime/GetterSetter.cpp:
2374         (JSC::GetterSetter::visitChildren):
2375         * runtime/GetterSetter.h:
2376         * runtime/InferredType.cpp:
2377         (JSC::InferredType::visitChildren):
2378         * runtime/InferredTypeTable.cpp:
2379         (JSC::InferredTypeTable::visitChildren):
2380         * runtime/InferredValue.cpp:
2381         (JSC::InferredValue::visitChildren):
2382         * runtime/JSArrayBufferView.cpp:
2383         (JSC::JSArrayBufferView::visitChildren):
2384         * runtime/JSGenericTypedArrayViewInlines.h:
2385         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2386         * runtime/ModuleProgramExecutable.cpp:
2387         (JSC::ModuleProgramExecutable::visitChildren):
2388         * runtime/ProgramExecutable.cpp:
2389         (JSC::ProgramExecutable::visitChildren):
2390         * runtime/ScopedArguments.cpp:
2391         (JSC::ScopedArguments::visitChildren):
2392         * runtime/ScopedArguments.h:
2393         * runtime/Structure.cpp:
2394         (JSC::Structure::visitChildren):
2395         * runtime/StructureRareData.cpp:
2396         (JSC::StructureRareData::visitChildren):
2397         * runtime/SymbolTable.cpp:
2398         (JSC::SymbolTable::visitChildren):
2399
2400 2018-06-20  Darin Adler  <darin@apple.com>
2401
2402         [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity
2403         https://bugs.webkit.org/show_bug.cgi?id=186875
2404
2405         Reviewed by Anders Carlsson.
2406
2407         * API/tests/testapi.mm:
2408         (testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file.
2409
2410 2018-06-22  Carlos Garcia Campos  <cgarcia@igalia.com>
2411
2412         [GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message
2413         https://bugs.webkit.org/show_bug.cgi?id=186915
2414
2415         Reviewed by Žan Doberšek.
2416
2417         Update StartAutomationSession message handling to receive a dictionary of session capabilities.
2418
2419         * inspector/remote/glib/RemoteInspectorServer.cpp:
2420         (Inspector::processSessionCapabilities): Helper method to process the session capabilities.
2421
2422 2018-06-21  Mark Lam  <mark.lam@apple.com>
2423
2424         WebKit (JavaScriptCore) compilation error with Clang ≥ 6.
2425         https://bugs.webkit.org/show_bug.cgi?id=185947
2426         <rdar://problem/40131933>
2427
2428         Reviewed by Saam Barati.
2429
2430         Newer Clang versions (due to C++17 support) are not happy with how I implemented
2431         conversions between CodeLocation types.  We'll fix this by adding a conversion
2432         operator for converting between CodeLocation types.
2433
2434         * assembler/CodeLocation.h:
2435         (JSC::CodeLocationCommon::operator T):
2436
2437 2018-06-21  Saam Barati  <sbarati@apple.com>
2438
2439         Do some CoW cleanup
2440         https://bugs.webkit.org/show_bug.cgi?id=186896
2441
2442         Reviewed by Mark Lam.
2443
2444         * bytecode/UnlinkedCodeBlock.h:
2445         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
2446         We don't need to WTFMove() ints
2447
2448         * dfg/DFGByteCodeParser.cpp:
2449         (JSC::DFG::ByteCodeParser::parseBlock):
2450         remove a TODO.
2451
2452         * runtime/JSObject.cpp:
2453         (JSC::JSObject::putByIndex):
2454         We were checking for isCopyOnWrite even after we converted away
2455         from CoW in above code.
2456         (JSC::JSObject::ensureWritableInt32Slow):
2457         Model this in the same way the other ensureWritableXSlow are modeled.
2458
2459 2018-06-20  Keith Miller  <keith_miller@apple.com>
2460
2461         flattenDictionaryStructure needs to zero inline storage.
2462         https://bugs.webkit.org/show_bug.cgi?id=186869
2463
2464         Reviewed by Saam Barati.
2465
2466         This patch also adds the assertion that unused property storage is
2467         zero or JSValue() to putDirectInternal. Additionally, functions
2468         have been added to $vm that flatten dictionary objects and return
2469         the inline capacity of an object.
2470
2471         * runtime/JSObjectInlines.h:
2472         (JSC::JSObject::putDirectInternal):
2473         * runtime/Structure.cpp:
2474         (JSC::Structure::flattenDictionaryStructure):
2475         * tools/JSDollarVM.cpp:
2476         (JSC::functionInlineCapacity):
2477         (JSC::functionFlattenDictionaryObject):
2478         (JSC::JSDollarVM::finishCreation):
2479
2480 2018-06-21  Mark Lam  <mark.lam@apple.com>
2481
2482         Use IsoCellSets to track Executables with clearable code.
2483         https://bugs.webkit.org/show_bug.cgi?id=186877
2484
2485         Reviewed by Filip Pizlo.
2486
2487         Here’s an example of the results that this fix may yield: 
2488         1. The workload: load cnn.com, wait for it to fully load, scroll down and up.
2489         2. Statistics on memory touched and memory freed by VM::deleteAllCode():
2490
2491            Visiting Executables:
2492                                                         Old             New
2493            Number of objects visited:                   70897           14264
2494            Number of objects with deletable code:       14264 (20.1%)   14264 (100%)
2495            Number of memory pages visited:              3224            1602
2496            Number of memory pages with deletable code:  1602 (49.7%)    1602 (100%)
2497
2498            Visiting UnlinkedFunctionExecutables:
2499                                                         Old             New
2500            Number of objects visited:                   105454          17231
2501            Number of objects with deletable code:       42319 (20.1%)   17231 (100%) **
2502            Number of memory pages visited:              4796            1349
2503            Number of memory pages with deletable code:  4013 (83.7%)    1349 (100%)
2504
2505         ** The number of objects differs because the old code only visits unlinked
2506            executables indirectly via linked executables, whereas the new behavior visits
2507            all unlinked executables with deletable code directly.  This means:
2508
2509            a. we used to not visit unlinked executables that have not been linked yet
2510               i.e. deleteAllCode() may not delete all code (especially code that is not
2511               used).
2512            b. we had to visit all linked executables to check if they are of type
2513               FunctionExecutable, before going on to visit their unlinked executable, and
2514               this includes the ones that do not have deletable code.  This means that we
2515               would touch more memory in the process.
2516
2517            Both of these issues are now fixed with the new code.
2518
2519         This code was tested with manually inserted instrumentation to track the above
2520         statistics.  It is not feasible to write an automated test for this without
2521         leaving a lot of invasive instrumentation in the code.
2522
2523         * bytecode/UnlinkedFunctionExecutable.cpp:
2524         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2525         * bytecode/UnlinkedFunctionExecutable.h:
2526         * heap/CodeBlockSetInlines.h:
2527         (JSC::CodeBlockSet::iterateViaSubspaces):
2528         * heap/Heap.cpp:
2529         (JSC::Heap::deleteAllCodeBlocks):
2530         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2531         (JSC::Heap::deleteUnmarkedCompiledCode):
2532         (JSC::Heap::clearUnmarkedExecutables): Deleted.
2533         (JSC::Heap::addExecutable): Deleted.
2534         * heap/Heap.h:
2535         * runtime/DirectEvalExecutable.h:
2536
2537         * runtime/ExecutableBase.cpp:
2538         (JSC::ExecutableBase::hasClearableCode const):
2539         - this is written based on the implementation of ExecutableBase::clearCode().
2540
2541         * runtime/ExecutableBase.h:
2542         * runtime/FunctionExecutable.h:
2543         * runtime/IndirectEvalExecutable.h:
2544         * runtime/ModuleProgramExecutable.h:
2545         * runtime/ProgramExecutable.h:
2546         * runtime/ScriptExecutable.cpp:
2547         (JSC::ScriptExecutable::clearCode):
2548         (JSC::ScriptExecutable::installCode):
2549         * runtime/ScriptExecutable.h:
2550         (JSC::ScriptExecutable::finishCreation):
2551         * runtime/VM.cpp:
2552         (JSC::VM::VM):
2553         * runtime/VM.h:
2554         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
2555         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
2556         (JSC::VM::forEachScriptExecutableSpace):
2557         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet):
2558         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor):
2559
2560 2018-06-21  Zan Dobersek  <zdobersek@igalia.com>
2561
2562         [GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions
2563         https://bugs.webkit.org/show_bug.cgi?id=186884
2564
2565         Reviewed by Carlos Garcia Campos.
2566
2567         Add a tuple array input parameter to the StartAutomationSession DBus
2568         message, representing a list of host-and-certificate pairs that have to
2569         be allowed for a given session. This array is then unpacked and used to
2570         fill out the certificates Vector object in the SessionCapabilities
2571         struct.
2572
2573         * inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of
2574         String pairs representing hosts and the certificate file paths.
2575         * inspector/remote/glib/RemoteInspectorServer.cpp:
2576
2577 2018-06-20  Keith Miller  <keith_miller@apple.com>
2578
2579         Expand concurrent GC assertion to accept JSValue() or 0
2580         https://bugs.webkit.org/show_bug.cgi?id=186855
2581
2582         Reviewed by Mark Lam.
2583
2584         We tend to set unused property slots to either JSValue() or 0
2585         depending on the context. On 64-bit these are the same but on
2586         32-bit JSValue() has a NaN tag. This patch makes it so we
2587         accept either JSValue() or 0.
2588
2589         * runtime/JSObjectInlines.h:
2590         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2591
2592 2018-06-20  Guillaume Emont  <guijemont@igalia.com>
2593
2594         [Armv7] Linkbuffer: executableOffsetFor() fails for location 2
2595         https://bugs.webkit.org/show_bug.cgi?id=186765
2596
2597         Reviewed by Michael Saboff.
2598
2599         This widens the check for 0 so that we handle that case more correctly.
2600
2601         * assembler/LinkBuffer.h:
2602         (JSC::LinkBuffer::executableOffsetFor):
2603
2604 2018-06-19  Keith Miller  <keith_miller@apple.com>
2605
2606         Fix broken assertion on 32-bit
2607         https://bugs.webkit.org/show_bug.cgi?id=186830
2608
2609         Reviewed by Mark Lam.
2610
2611         The assertion was intended to catch concurrent GC issues. We don't
2612         run them on 32-bit so we don't need this assertion there. The
2613         assertion was broken because zero is not JSValue() on 32-bit.
2614
2615         * runtime/JSObjectInlines.h:
2616         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2617
2618 2018-06-19  Keith Miller  <keith_miller@apple.com>
2619
2620         flattenDictionaryStructure needs to zero properties that have been compressed away
2621         https://bugs.webkit.org/show_bug.cgi?id=186828
2622
2623         Reviewed by Mark Lam.
2624
2625         This patch fixes a bunch of crashing Mozilla tests on the bots.
2626
2627         * runtime/Structure.cpp:
2628         (JSC::Structure::flattenDictionaryStructure):
2629
2630 2018-06-19  Saam Barati  <sbarati@apple.com>
2631
2632         DirectArguments::create needs to initialize to undefined instead of the empty value
2633         https://bugs.webkit.org/show_bug.cgi?id=186818
2634         <rdar://problem/38415177>
2635
2636         Reviewed by Filip Pizlo.
2637
2638         The bug here is that we will emit code that just loads from DirectArguments as
2639         long as the index is within the known capacity of the arguments object (op_get_from_arguments).
2640         The arguments object has at least enough capacity to hold the declared parameters.
2641         When we materialized this object in OSR exit, we initialized up to the capacity
2642         with JSValue(). In OSR exit, though, we only filled up to the length of the
2643         object with actual values. So we'd end up with a DirectArguments object with
2644         capacity minus length slots of JSValue(). To fix this, we need to initialize up to
2645         capacity with jsUndefined during construction. The invariant of this object is
2646         that the capacity minus length slots at the end are filled in with jsUndefined.
2647
2648         * runtime/DirectArguments.cpp:
2649         (JSC::DirectArguments::create):
2650
2651 2018-06-19  Michael Saboff  <msaboff@apple.com>
2652
2653         Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
2654         https://bugs.webkit.org/show_bug.cgi?id=186827
2655
2656         Reviewed by Saam Barati.
2657
2658         Need to set VM::lastStackTop before any possible calls to sanitizeStack().
2659
2660         * runtime/JSLock.cpp:
2661         (JSC::JSLock::didAcquireLock):
2662
2663 2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>
2664
2665         ShadowChicken crashes with stack overflow in the LLInt
2666         https://bugs.webkit.org/show_bug.cgi?id=186540
2667         <rdar://problem/39682133>
2668
2669         Reviewed by Saam Barati.
2670
2671         Stack overflows in the LLInt were crashing in ShadowChicken when compiling
2672         with debug opcodes because it was accessing the scope of the incomplete top
2673         frame, which hadn't been set yet. Check that we have moved past the first
2674         opcode (enter) and that the scope is not undefined (enter will
2675         initialize it to undefined).
2676
2677         * interpreter/ShadowChicken.cpp:
2678         (JSC::ShadowChicken::update):
2679
2680 2018-06-19  Keith Miller  <keith_miller@apple.com>
2681
2682         constructArray variants should take the slow path for subclasses of Array
2683         https://bugs.webkit.org/show_bug.cgi?id=186812
2684
2685         Reviewed by Saam Barati and Mark Lam.
2686
2687         This patch fixes a crashing test in ObjectInitializationScope where we would
2688         allocate a new structure for an indexing type change while initializing
2689         a subclass of Array. Since the new array hasn't been fully initialized,
2690         if the GC ran it would see garbage and we might crash.
2691
2692         * runtime/JSArray.cpp:
2693         (JSC::constructArray):
2694         (JSC::constructArrayNegativeIndexed):
2695         * runtime/JSArray.h:
2696         (JSC::constructArray): Deleted.
2697         (JSC::constructArrayNegativeIndexed): Deleted.
2698
2699 2018-06-19  Saam Barati  <sbarati@apple.com>
2700
2701         Wasm: Any function argument of type Void should be a validation error
2702         https://bugs.webkit.org/show_bug.cgi?id=186794
2703         <rdar://problem/41140257>
2704
2705         Reviewed by Keith Miller.
2706
2707         * wasm/WasmModuleParser.cpp:
2708         (JSC::Wasm::ModuleParser::parseType):
2709
2710 2018-06-18  Keith Miller  <keith_miller@apple.com>
2711
2712         JSImmutableButterfly should assert m_header is adjacent to the data
2713         https://bugs.webkit.org/show_bug.cgi?id=186795
2714
2715         Reviewed by Saam Barati.
2716
2717         * runtime/JSImmutableButterfly.cpp:
2718         * runtime/JSImmutableButterfly.h:
2719
2720 2018-06-18  Keith Miller  <keith_miller@apple.com>
2721
2722         Unreviewed, fix the build...
2723
2724         * runtime/JSArray.cpp:
2725         (JSC::JSArray::tryCreateUninitializedRestricted):
2726
2727 2018-06-18  Keith Miller  <keith_miller@apple.com>
2728
2729         Unreviewed, remove bad assertion.
2730
2731         * runtime/JSArray.cpp:
2732         (JSC::JSArray::tryCreateUninitializedRestricted):
2733
2734 2018-06-18  Keith Miller  <keith_miller@apple.com>
2735
2736         Properly zero unused property storage offsets
2737         https://bugs.webkit.org/show_bug.cgi?id=186692
2738
2739         Reviewed by Filip Pizlo.
2740
2741         Since the concurrent GC might see a property slot before the mutator has actually
2742         stored the value there, we need to ensure that slot doesn't have garbage in it.
2743
2744         Right now when calling constructConvertedArrayStorageWithoutCopyingElements
2745         or creating a RegExp matches array, we never cleared the unused
2746         property storage. ObjectInitializationScope has also been upgraded
2747         to look for our invariants around property storage. Additionally,
2748         a new assertion has been added to check for JSValue() when adding
2749         a new property.
2750
2751         We used to put undefined into deleted property offsets. To
2752         make things simpler, this patch causes us to store JSValue() there
2753         instead.
2754
2755         Lastly, this patch fixes an issue where we would initialize the
2756         array storage of RegExpMatchesArray twice. First with 0 and
2757         secondly with the actual result. Now we only zero memory between
2758         vector length and public length.
2759
2760         * runtime/Butterfly.h:
2761         (JSC::Butterfly::offsetOfVectorLength):
2762         * runtime/ButterflyInlines.h:
2763         (JSC::Butterfly::tryCreateUninitialized):
2764         (JSC::Butterfly::createUninitialized):
2765         (JSC::Butterfly::tryCreate):
2766         (JSC::Butterfly::create):
2767         (JSC::Butterfly::createOrGrowPropertyStorage):
2768         (JSC::Butterfly::createOrGrowArrayRight):
2769         (JSC::Butterfly::growArrayRight):
2770         (JSC::Butterfly::resizeArray):
2771         * runtime/JSArray.cpp:
2772         (JSC::JSArray::tryCreateUninitializedRestricted):
2773         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
2774         * runtime/JSArray.h:
2775         (JSC::tryCreateArrayButterfly):
2776         * runtime/JSObject.cpp:
2777         (JSC::JSObject::createArrayStorageButterfly):
2778         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2779         (JSC::JSObject::deleteProperty):
2780         (JSC::JSObject::shiftButterflyAfterFlattening):
2781         * runtime/JSObject.h:
2782         * runtime/JSObjectInlines.h:
2783         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2784         * runtime/ObjectInitializationScope.cpp:
2785         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2786         * runtime/ObjectInitializationScope.h:
2787         (JSC::ObjectInitializationScope::release):
2788         * runtime/RegExpMatchesArray.h:
2789         (JSC::tryCreateUninitializedRegExpMatchesArray):
2790         (JSC::createRegExpMatchesArray):
2791
2792         * runtime/Butterfly.h:
2793         (JSC::Butterfly::offsetOfVectorLength):
2794         * runtime/ButterflyInlines.h:
2795         (JSC::Butterfly::tryCreateUninitialized):
2796         (JSC::Butterfly::createUninitialized):
2797         (JSC::Butterfly::tryCreate):
2798         (JSC::Butterfly::create):
2799         (JSC::Butterfly::createOrGrowPropertyStorage):
2800         (JSC::Butterfly::createOrGrowArrayRight):
2801         (JSC::Butterfly::growArrayRight):
2802         (JSC::Butterfly::resizeArray):
2803         * runtime/JSArray.cpp:
2804         (JSC::JSArray::tryCreateUninitializedRestricted):
2805         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
2806         * runtime/JSArray.h:
2807         (JSC::tryCreateArrayButterfly):
2808         * runtime/JSObject.cpp:
2809         (JSC::JSObject::createArrayStorageButterfly):
2810         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2811         (JSC::JSObject::deleteProperty):
2812         (JSC::JSObject::shiftButterflyAfterFlattening):
2813         * runtime/JSObject.h:
2814         * runtime/JSObjectInlines.h:
2815         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2816         * runtime/ObjectInitializationScope.cpp:
2817         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2818         * runtime/RegExpMatchesArray.cpp:
2819         (JSC::createEmptyRegExpMatchesArray):
2820         * runtime/RegExpMatchesArray.h:
2821         (JSC::tryCreateUninitializedRegExpMatchesArray):
2822         (JSC::createRegExpMatchesArray):
2823
2824 2018-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2825
2826         Share structure across instances of classes exported through the ObjC API
2827         https://bugs.webkit.org/show_bug.cgi?id=186579
2828         <rdar://problem/40969212>
2829
2830         Reviewed by Saam Barati.
2831
2832         A new structure was being created for each instance of exported ObjC
2833         classes due to setting the prototype in the structure for every object,
2834         since prototype transitions are not cached by the structure. Cache the
2835         Structure in the JSObjcClassInfo to avoid the transition.
2836
2837         * API/JSWrapperMap.mm:
2838         (-[JSObjCClassInfo wrapperForObject:inContext:]):
2839         (-[JSObjCClassInfo structureInContext:]):
2840         * API/tests/JSWrapperMapTests.h: Added.
2841         * API/tests/JSWrapperMapTests.mm: Added.
2842         (+[JSWrapperMapTests testStructureIdentity]):
2843         (runJSWrapperMapTests):
2844         * API/tests/testapi.mm:
2845         (testObjectiveCAPIMain):
2846         * JavaScriptCore.xcodeproj/project.pbxproj:
2847
2848 2018-06-18  Michael Saboff  <msaboff@apple.com>
2849
2850         Support Unicode 11 in RegExp
2851         https://bugs.webkit.org/show_bug.cgi?id=186685
2852
2853         Reviewed by Mark Lam.
2854
2855         Updated the UCD tables used to generate RegExp property tables to version 11.0.
2856
2857         * Scripts/generateYarrUnicodePropertyTables.py:
2858         * ucd/CaseFolding.txt:
2859         * ucd/DerivedBinaryProperties.txt:
2860         * ucd/DerivedCoreProperties.txt:
2861         * ucd/DerivedNormalizationProps.txt:
2862         * ucd/PropList.txt:
2863         * ucd/PropertyAliases.txt:
2864         * ucd/PropertyValueAliases.txt:
2865         * ucd/ScriptExtensions.txt:
2866         * ucd/Scripts.txt:
2867         * ucd/UnicodeData.txt:
2868         * ucd/emoji-data.txt:
2869
2870 2018-06-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2871
2872         [WTF] Remove workarounds needed to support libstdc++-4
2873         https://bugs.webkit.org/show_bug.cgi?id=186762
2874
2875         Reviewed by Michael Catanzaro.
2876
2877         Revert r226299, r226300 r226301 and r226302.
2878
2879         * API/tests/TypedArrayCTest.cpp:
2880         (assertEqualsAsNumber):
2881
2882 2018-06-16  Michael Catanzaro  <mcatanzaro@igalia.com>
2883
2884         REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
2885         https://bugs.webkit.org/show_bug.cgi?id=182923
2886
2887         Reviewed by Mark Lam.
2888
2889         The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
2890         Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.
2891
2892         * heap/MarkedBlock.h:
2893
2894 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2895
2896         [JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
2897         https://bugs.webkit.org/show_bug.cgi?id=186723
2898
2899         Reviewed by Mark Lam.
2900
2901         Now, the CoW -> non-CoW transition is a heavy path. We inline the part of Structure::nonPropertyTransition
2902         to catch the major path. And we also inline JSArray::pushInline well to spread this in operationArrayPushMultiple.
2903
2904         This patch improves SixSpeed/spread-literal.es5.
2905
2906                                      baseline                  patched
2907
2908         spread-literal.es5      114.4140+-4.5146     ^    104.5475+-3.6157        ^ definitely 1.0944x faster
2909
2910         * runtime/JSArrayInlines.h:
2911         (JSC::JSArray::pushInline):
2912         * runtime/Structure.cpp:
2913         (JSC::Structure::nonPropertyTransitionSlow):
2914         (JSC::Structure::nonPropertyTransition): Deleted.
2915         * runtime/Structure.h:
2916         * runtime/StructureInlines.h:
2917         (JSC::Structure::nonPropertyTransition):
2918
2919 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2920
2921         [DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
2922         https://bugs.webkit.org/show_bug.cgi?id=186721
2923
2924         Reviewed by Keith Miller.
2925
2926         We still have several other OSRExits, but this patch reduces that.
2927
2928         1. While ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
2929         So DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.
2930
2931         2. The CoW patch removed ArrayAllocationProfile updates. This makes the allocated JSImmutableButterfly
2932         inappropriate.
2933
2934         These changes fix the Kraken/crypto-aes regression a bit.
2935
2936                                       baseline                  patched
2937
2938         stanford-crypto-aes        63.718+-2.312      ^      56.140+-0.966         ^ definitely 1.1350x faster
2939
2940
2941         * dfg/DFGByteCodeParser.cpp:
2942         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2943         * ftl/FTLOperations.cpp:
2944         (JSC::FTL::operationMaterializeObjectInOSR):
2945         * runtime/CommonSlowPaths.cpp:
2946         (JSC::SLOW_PATH_DECL):
2947
2948 2018-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2949
2950         [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
2951         https://bugs.webkit.org/show_bug.cgi?id=186460
2952
2953         Reviewed by Saam Barati.
2954
2955         Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
2956         We should return JSFixedArray for Spread. This patch adds a code generating
2957         a JSFixedArray from JSImmutableButterfly.
2958
2959         Merging JSFixedArray into JSImmutableButterfly is a possible future extension.
2960
2961         * ftl/FTLLowerDFGToB3.cpp:
2962         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
2963         * runtime/JSFixedArray.h:
2964
2965 2018-06-15  Saam Barati  <sbarati@apple.com>
2966
2967         Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
2968         https://bugs.webkit.org/show_bug.cgi?id=186687
2969         <rdar://problem/40071332>
2970
2971         Reviewed by Keith Miller.
2972
2973         * API/JSVirtualMachinePrivate.h:
2974
2975 2018-06-15  Saam Barati  <sbarati@apple.com>
2976
2977         Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
2978         https://bugs.webkit.org/show_bug.cgi?id=186648
2979
2980         Reviewed by Michael Saboff.
2981
2982         This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
2983         regressed with my first version of ForceOSRExit CFG pruning. This patch makes
2984         ForceOSRExit CFG pruning more aggressive by not ignoring everything that
2985         can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
2986         if it's the plan's osr entry bytecode target. The goal is to get a speedometer
2987         2 speedup with this change on iOS.
2988
2989         * dfg/DFGByteCodeParser.cpp:
2990         (JSC::DFG::ByteCodeParser::parse):
2991
2992 2018-06-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2993
2994         Unreviewed, rolling out r232816.
2995
2996         Suggested by Caitlin:
2997         "this patch clearly does get some things wrong, and it's not
2998         easy to find what those things are"
2999
3000         Reverted changeset:
3001
3002         "[LLInt] use loadp consistently for
3003         get_from_scope/put_to_scope"
3004         https://bugs.webkit.org/show_bug.cgi?id=132333
3005         https://trac.webkit.org/changeset/232816
3006
3007 2018-06-14  Michael Saboff  <msaboff@apple.com>
3008
3009         REGRESSION(232741): Crash running ARES-6
3010         https://bugs.webkit.org/show_bug.cgi?id=186630
3011
3012         Reviewed by Saam Barati.
3013
3014         The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
3015         treated edges between identical predecessor->successor pairs independently.
3016         This fixes the issue by handling such edges once, using the added intermediate
3017         pad for all instances of the edges between the same pairs.
3018
3019         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3020         (JSC::DFG::CriticalEdgeBreakingPhase::run):
3021         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
3022
3023 2018-06-14  Carlos Garcia Campos  <cgarcia@igalia.com>
3024
3025         [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
3026         https://bugs.webkit.org/show_bug.cgi?id=186560
3027
3028         Reviewed by Brian Burg.
3029
3030         Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
3031         that always receives the session capabilities.
3032
3033         * inspector/remote/RemoteInspector.h:
3034         * inspector/remote/RemoteInspectorConstants.h:
3035         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3036         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
3037         WebKit here and fill the SessionCapabilities instead.
3038         * inspector/remote/glib/RemoteInspectorGlib.cpp:
3039         (Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
3040         * inspector/remote/glib/RemoteInspectorServer.cpp:
3041         (Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
3042         * inspector/remote/glib/RemoteInspectorServer.h:
3043
3044 2018-06-13  Adrian Perez de Castro  <aperez@igalia.com>
3045
3046         [WPE] Trying to access the remote inspector hits an assertion in the UIProcess
3047         https://bugs.webkit.org/show_bug.cgi?id=186588
3048
3049         Reviewed by Carlos Garcia Campos.
3050
3051         Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
3052         for resource paths, which avoids needing a switcheroo depending on the port.
3053
3054         * inspector/remote/glib/RemoteInspectorUtils.cpp:
3055
3056 2018-06-13  Caitlin Potter  <caitp@igalia.com>
3057
3058         [LLInt] use loadp consistently for get_from_scope/put_to_scope
3059         https://bugs.webkit.org/show_bug.cgi?id=132333
3060
3061         Reviewed by Mark Lam.
3062
3063         Using `loadis` for register indexes and `loadp` for constant scopes /
3064         symboltables makes sense, but is problematic for big-endian
3065         architectures.
3066
3067         Consistently treating the operand as a pointer simplifies determining
3068         how to access the operand, and helps avoid bad accesses and crashes on
3069         big-endian ports.
3070
3071         * bytecode/CodeBlock.cpp:
3072         (JSC::CodeBlock::finishCreation):
3073         * bytecode/Instruction.h:
3074         * jit/JITOperations.cpp:
3075         * llint/LLIntSlowPaths.cpp:
3076         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3077         * llint/LowLevelInterpreter32_64.asm:
3078         * llint/LowLevelInterpreter64.asm:
3079         * runtime/CommonSlowPaths.h:
3080         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
3081         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
3082
3083 2018-06-13  Keith Miller  <keith_miller@apple.com>
3084
3085         AutomaticThread should have a way to provide a thread name
3086         https://bugs.webkit.org/show_bug.cgi?id=186604
3087
3088         Reviewed by Filip Pizlo.
3089
3090         Add names for JSC's automatic threads.
3091
3092         * dfg/DFGWorklist.cpp:
3093         * heap/Heap.cpp:
3094         * jit/JITWorklist.cpp:
3095         * runtime/VMTraps.cpp:
3096         * wasm/WasmWorklist.cpp:
3097
3098 2018-06-13  Saam Barati  <sbarati@apple.com>
3099
3100         CFGSimplificationPhase should de-dupe jettisonedBlocks
3101         https://bugs.webkit.org/show_bug.cgi?id=186583
3102
3103         Reviewed by Filip Pizlo.
3104
3105         When making the predecessors list unique in r232741, it revealed a bug inside
3106         of CFG simplification, where we try to remove the same predecessor more than
3107         once from a block's predecessors list. We built the list of blocks to remove
3108         from the list of successors, which is not unique, causing us to try to remove
3109         the same predecessor more than once. The solution here is to just add to this
3110         list of blocks to remove only if the block is not already in the list.
3111
3112         * dfg/DFGCFGSimplificationPhase.cpp:
3113         (JSC::DFG::CFGSimplificationPhase::run):
3114
3115 2018-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3116
3117         [JSC] Always use Nuke & Set procedure for x86
3118         https://bugs.webkit.org/show_bug.cgi?id=186592
3119
3120         Reviewed by Keith Miller.
3121
3122         We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
3123         By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
3124         threads.
3125
3126         * runtime/JSObject.cpp:
3127         (JSC::JSObject::convertContiguousToArrayStorage):
3128
3129 2018-06-12  Saam Barati  <sbarati@apple.com>
3130
3131         Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
3132         https://bugs.webkit.org/show_bug.cgi?id=186071
3133
3134         Reviewed by Mark Lam.
3135
3136         * API/JSVirtualMachine.mm:
3137         (-[JSVirtualMachine shrinkFootprint]): Deleted.
3138         * API/JSVirtualMachinePrivate.h:
3139
3140 2018-06-11  Saam Barati  <sbarati@apple.com>
3141
3142         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
3143         https://bugs.webkit.org/show_bug.cgi?id=181409
3144         <rdar://problem/36383749>
3145
3146         Reviewed by Keith Miller.
3147
3148         This patch is me redoing r226655. This is a patch I wrote when
3149         profiling Speedometer. Fil rolled this change out in r230928. He
3150         showed this slowed down a sunspider test by ~2x. This sunspider
3151         regression revealed a real performance bug in the original change:
3152         we would kill blocks that reached OSR entry targets, sometimes leading
3153         us to not do OSR entry into the DFG, since we could end up deleting
3154         entire loops from the CFG. The reason for this is that code that has run
3155         ~once and that reaches loops often has ForceOSRExits inside of it. The
3156         solution to this is to not perform this optimization on blocks that can
3157         reach OSR entry targets.
3158         
3159         The reason I'm redoing this patch is that it turns out Fil rolling
3160         out the change was a Speedometer 2 regression.
3161         
3162         This is a modified version of the original ChangeLog I wrote in r226655:
3163         
3164         When I was looking at profiler data for Speedometer, I noticed that one of
3165         the hottest functions in Speedometer is around 1100 bytecode operations long.
3166         Only about 100 of those bytecode ops ever execute. However, we ended up
3167         spending a lot of time compiling basic blocks that never executed. We often
3168         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
3169         This is the case when such a node never executes.
3170         
3171         This patch makes it so that anytime a block has a ForceOSRExit, and that block
3172         can not reach an OSR entry target, we replace its terminal node with an Unreachable
3173         node, and remove all nodes after the ForceOSRExit. This cuts down the graph
3174         size since it removes control flow edges from the CFG. This allows us to get
3175         rid of huge chunks of the CFG in certain programs. When doing this transformation,
3176         we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
3177         live-in to the ForceOSRExit.
3178         
3179         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
3180         does not get rid of all the CFG that it could. If we decide it's worth
3181         it, we could use additional inputs into this mechanism. For example, we could
3182         profile if a basic block ever executes inside the LLInt/Baseline, and
3183         remove parts of the CFG based on that.
3184         
3185         When running Speedometer with the concurrent JIT turned off, this patch
3186         improves DFG/FTL compile times by around 5%.
3187
3188         * dfg/DFGByteCodeParser.cpp:
3189         (JSC::DFG::ByteCodeParser::addToGraph):
3190         (JSC::DFG::ByteCodeParser::inlineCall):
3191         (JSC::DFG::ByteCodeParser::parse):
3192         * dfg/DFGGraph.cpp:
3193         (JSC::DFG::Graph::blocksInPostOrder):
3194
3195 2018-06-11  Saam Barati  <sbarati@apple.com>
3196
3197         The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
3198         https://bugs.webkit.org/show_bug.cgi?id=184829
3199
3200         Reviewed by Michael Saboff.
3201
3202         This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
3203         In B3/Air, this just meant writing a validation rule. In DFG, this meant
3204         ensuring this property when building up the predecessors list, and also adding
3205         a validation rule. The NaturalLoops algorithm relies on this property.
3206
3207         * b3/B3Validate.cpp:
3208         * b3/air/AirValidate.cpp:
3209         * b3/testb3.cpp:
3210         (JSC::B3::testLoopWithMultipleHeaderEdges):
3211         (JSC::B3::run):
3212         * dfg/DFGGraph.cpp:
3213         (JSC::DFG::Graph::handleSuccessor):
3214         * dfg/DFGValidate.cpp:
3215
3216 2018-06-11  Keith Miller  <keith_miller@apple.com>
3217
3218         Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire  which churns 65KB of memory
3219         https://bugs.webkit.org/show_bug.cgi?id=186467
3220
3221         Reviewed by Simon Fraser.
3222
3223         This patch adds a LazyFireDetail that wraps ScopedLambda so that
3224         we don't actually malloc any strings for firing unless those
3225         Strings are actually going to be printed.
3226
3227         * bytecode/Watchpoint.h:
3228         (JSC::LazyFireDetail::LazyFireDetail):
3229         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
3230         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
3231         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
3232         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
3233         * runtime/ArrayPrototype.cpp:
3234         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
3235
3236 2018-06-11  Mark Lam  <mark.lam@apple.com>
3237
3238         Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
3239         https://bugs.webkit.org/show_bug.cgi?id=186451
3240         <rdar://problem/40875792>
3241
3242         Reviewed by Tim Horton.
3243
3244         Enhance setOptions() to be able to take a comma separated options string in
3245         addition to white space separated options strings.
3246
3247         * runtime/Options.cpp:
3248         (JSC::isSeparator):
3249         (JSC::Options::setOptions):
3250
3251 2018-06-11  Michael Saboff  <msaboff@apple.com>
3252
3253         JavaScriptCore: Disable 32-bit JIT on Windows
3254         https://bugs.webkit.org/show_bug.cgi?id=185989
3255
3256         Reviewed by Mark Lam.
3257
3258         Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.
3259
3260         * llint/LLIntData.h:
3261         (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
3262         * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
3263         have a case label because these aren't opcodes.
3264         * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
3265         on the JIT being enabled.
3266         (JSC::recomputeDependentOptions):
3267
3268 2018-06-11  Michael Saboff  <msaboff@apple.com>
3269
3270         Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
3271         https://bugs.webkit.org/show_bug.cgi?id=186477
3272
3273         Reviewed by Filip Pizlo.
3274
3275         Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
3276         YARR interpreter nodes.  This caused us to overwrite other frame information.
3277
3278         Added frame offset debugging code to YARR interpreter.
3279
3280         * yarr/YarrInterpreter.cpp:
3281         (JSC::Yarr::ByteCompiler::emitDisjunction):
3282         (JSC::Yarr::ByteCompiler::dumpDisjunction):
3283
3284 2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3285
3286         [JSC] Array.prototype.sort should reject null comparator
3287         https://bugs.webkit.org/show_bug.cgi?id=186458
3288
3289         Reviewed by Keith Miller.
3290
3291         This relaxed behavior was once introduced in r216169 to fix some pages by aligning
3292         the behavior to Chrome and Firefox.
3293
3294         However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
3295         accepts it. This patch reverts r216169 to align JSC to the other engines and fix
3296         the spec issue.
3297
3298         * builtins/ArrayPrototype.js:
3299         (sort):
3300
3301 2018-06-09  Dan Bernstein  <mitz@apple.com>
3302
3303         [Xcode] Clean up and modernize some build setting definitions
3304         https://bugs.webkit.org/show_bug.cgi?id=186463
3305
3306         Reviewed by Sam Weinig.
3307
3308         * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
3309           definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
3310           is true for all supported Xcode versions.
3311         * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
3312         * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
3313           ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
3314         * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
3315         * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.
3316
3317 2018-06-09  Dan Bernstein  <mitz@apple.com>
3318
3319         Added missing file references to the Configuration group.
3320
3321         * JavaScriptCore.xcodeproj/project.pbxproj:
3322
3323 2018-06-08  Darin Adler  <darin@apple.com>
3324
3325         [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
3326         https://bugs.webkit.org/show_bug.cgi?id=186436
3327
3328         Reviewed by Anders Carlsson.
3329
3330         * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
3331         objc-internal.h and explicitly declaring the alternative.
3332
3333 2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>
3334
3335         [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
3336         https://bugs.webkit.org/show_bug.cgi?id=186442
3337         <rdar://problem/40879364>
3338
3339         Reviewed by Tim Horton.
3340
3341         * Configurations/FeatureDefines.xcconfig:
3342
3343 2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>
3344
3345         jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt
3346         https://bugs.webkit.org/show_bug.cgi?id=186446
3347         <rdar://problem/40949995>
3348
3349         Reviewed by Mark Lam.
3350
3351         On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
3352         boolean literals, but it would only work for false. Change it so that it
3353         takes the fast path for true, false, null and undefined.
3354
3355         * llint/LowLevelInterpreter.asm:
3356         * llint/LowLevelInterpreter64.asm:
3357
3358 2018-06-08  Brian Burg  <bburg@apple.com>
3359
3360         [Cocoa] Web Automation: include browser name and version in listing for automation targets
3361         https://bugs.webkit.org/show_bug.cgi?id=186204
3362         <rdar://problem/36950423>
3363
3364         Reviewed by Darin Adler.
3365
3366         Ask the client what the reported browser name and version should be, then
3367         send this as part of the listing for an automation target.
3368
3369         * inspector/remote/RemoteInspectorConstants.h:
3370         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3371         (Inspector::RemoteInspector::listingForAutomationTarget const):
3372
3373 2018-06-07  Chris Dumez  <cdumez@apple.com>
3374
3375         Add base class to get WeakPtrFactory member and avoid some boilerplate code
3376         https://bugs.webkit.org/show_bug.cgi?id=186407
3377
3378         Reviewed by Brent Fulgham.
3379
3380         Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
3381         order to avoid some boilerplate code in every class needing a WeakPtrFactory.
3382         This also gets rid of old-style createWeakPtr() methods in favor of the newer
3383         makeWeakPtr().
3384
3385         * wasm/WasmInstance.h:
3386         * wasm/WasmMemory.cpp:
3387         (JSC::Wasm::Memory::registerInstance):
3388
3389 2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>
3390
3391         Don't try to allocate JIT memory if we don't have the JIT entitlement
3392         https://bugs.webkit.org/show_bug.cgi?id=182605
3393         <rdar://problem/38271229>
3394
3395         Reviewed by Mark Lam.
3396
3397         Check that the current process has the correct entitlements before
3398         trying to allocate JIT memory to silence warnings.
3399
3400         * jit/ExecutableAllocator.cpp:
3401         (JSC::allowJIT): Helper that checks entitlements on iOS and returns true on other platforms.
3402         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Check allowJIT before trying to allocate.
3403
3404 2018-06-07  Saam Barati  <sbarati@apple.com>
3405
3406         TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
3407         https://bugs.webkit.org/show_bug.cgi?id=186386
3408
3409         Reviewed by Filip Pizlo.
3410
3411         This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.
3412
3413         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3414         (JSC::DFG::TierUpCheckInjectionPhase::run):
3415
3416 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
3417
3418         FunctionRareData::m_objectAllocationProfileWatchpoint is racy
3419         https://bugs.webkit.org/show_bug.cgi?id=186237
3420
3421         Reviewed by Saam Barati.
3422
3423         We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
3424         that means that we never notice that it fired if it fires between when the DFG decides to
3425         watch it and when it actually adds the watchpoint.
3426         
3427         Most watchpoints are initialized watched for this purpose. This one had a somewhat good
3428         reason for being initialized blind: that's how we knew to ignore changes to the prototype
3429         before the first allocation. However, that functionality also arose out of the fact that the
3430         rare data is created lazily and usually won't exist until the first allocation.
3431         
3432         The fix here is to make the watchpoint go into watched mode as soon as we initialize the
3433         object allocation profile.
3434         
3435         It's hard to reproduce this race; however, it started causing spurious test failures for me after
3436         bug 164904.
3437
3438         * runtime/FunctionRareData.cpp:
3439         (JSC::FunctionRareData::FunctionRareData):
3440         (JSC::FunctionRareData::initializeObjectAllocationProfile):
3441
3442 2018-06-07  Saam Barati  <sbarati@apple.com>
3443
3444         Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
3445         https://bugs.webkit.org/show_bug.cgi?id=186218
3446         <rdar://problem/38449540>
3447
3448         Reviewed by Filip Pizlo.
3449
3450         This patch makes tierUpCommon a tad bit more sane. There are a few things
3451         that I did:
3452         - There were a few release asserts that were crashing. Those release asserts
3453         were incorrect. They were making assumptions about how the code and data
3454         structures were ordered that were wrong. This patch removes them. The code
3455         was using the loop hierarchy vector to make assumptions about which loop we
3456         were currently executing in, which is incorrect. The only information that
3457         can be used about where we're currently executing is the bytecode index we're
3458         at.
3459         - This makes it so that we go back to trying to compile outer loops before
3460         inner loops. JF accidentally reverted this behavior that Ben implemented.
3461         JF made it so that we just compiled the innermost loop. I make this
3462         functionality work by first triggering a compile for the outermost loop
3463         that the code is currently executing in and that can perform OSR entry.
3464         However, some programs can get stuck in inner loops. The code works by
3465         progressively asking inner loops to compile if program execution has not
3466         yet reached an outer loop.
3467
3468         * dfg/DFGOperations.cpp:
3469
3470 2018-06-06  Guillaume Emont  <guijemont@igalia.com>
3471
3472         ArityFixup should adjust SP first on 32-bit platforms too
3473         https://bugs.webkit.org/show_bug.cgi?id=186351
3474
3475         Reviewed by Yusuke Suzuki.
3476
3477         * jit/ThunkGenerators.cpp:
3478         (JSC::arityFixupGenerator):
3479
3480 2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3481
3482         [DFG] Compare operations do not respect negative zeros
3483         https://bugs.webkit.org/show_bug.cgi?id=183729
3484
3485         Reviewed by Saam Barati.
3486
3487         Compare operations do not respect negative zeros. So propagating this can
3488         reduce the size of the produced code for the negative zero case. This pattern
3489         can be seen in Kraken stanford-crypto-aes.
3490
3491         This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsdouble) to false.
3492         However, NonIntAsdouble includes negative zero, which can be equal to Int32 positive zero.
3493         This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.
3494
3495         * bytecode/SpeculatedType.cpp:
3496         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
3497         SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
3498         To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
3499         SpecDoubleReal.
3500
3501         * dfg/DFGBackwardsPropagationPhase.cpp:
3502         (JSC::DFG::BackwardsPropagationPhase::propagate):
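
        As an added illustration of the point this entry makes (example code, not JavaScriptCore's own),
        here is a small JavaScript model of the speculation classes it names. The class names follow the
        entry; the classifier, the fold functions and the sample list are invented for this example and
        simplify what the engine actually does.

```javascript
// Added example (not JavaScriptCore code): a model of the speculated type
// classes named in the ChangeLog entry, showing why folding
// CompareEq(Int32Only, NonIntAsDouble) to false is unsound.
const INT32_MIN = -(2 ** 31);
const INT32_MAX = 2 ** 31 - 1;

// Classify a value into one of the entry's speculation classes. This is a
// simplification of JSC's SpeculatedType: -0 has no int32 representation, so
// it lands in NonIntAsDouble together with NaN and fractional doubles.
function speculatedType(v) {
  if (typeof v !== 'number') return 'Other';
  if (Object.is(v, -0) || Number.isNaN(v) || !Number.isInteger(v)) return 'NonIntAsDouble';
  if (v >= INT32_MIN && v <= INT32_MAX) return 'Int32Only';
  return 'AnyIntAsDouble';
}

// Modelled on leastUpperBoundOfStrictlyEquivalentSpeculations: a value of any
// real-number class may be === to a value of any other real-number class
// (0 === -0 holds, and an int32-sized integer can also be stored as a double),
// so the three classes are treated as one equivalence group.
const REAL_CLASSES = new Set(['Int32Only', 'AnyIntAsDouble', 'NonIntAsDouble']);
function strictlyEquivalentTypes(type) {
  return REAL_CLASSES.has(type) ? REAL_CLASSES : new Set([type]);
}

// The unsound fold the entry describes: Int32Only vs NonIntAsDouble is
// constant-folded to false without considering negative zero.
function buggyCompareEq(a, b) {
  const ta = speculatedType(a);
  const tb = speculatedType(b);
  const int32VsNonInt =
    (ta === 'Int32Only' && tb === 'NonIntAsDouble') ||
    (ta === 'NonIntAsDouble' && tb === 'Int32Only');
  if (int32VsNonInt) return false;
  return a === b;
}

// The sound version: fold to false only when the two classes can never hold
// equal values; otherwise fall back to the real comparison.
function fixedCompareEq(a, b) {
  const ta = speculatedType(a);
  const tb = speculatedType(b);
  if (!strictlyEquivalentTypes(ta).has(tb)) return false;
  return a === b;
}

// Constructed sample inputs covering each class plus a non-number.
const SAMPLES = [0, -0, 1, 1.5, NaN, 2 ** 40, -(2 ** 31), 'x'];

// Return the first pair on which `fold` disagrees with the language's ===,
// or null if it agrees on every pair of samples.
function findCounterexample(fold) {
  for (const a of SAMPLES) {
    for (const b of SAMPLES) {
      if (fold(a, b) !== (a === b)) return [a, b];
    }
  }
  return null;
}
```

        Running findCounterexample(buggyCompareEq) yields the pair 0 and -0, which is exactly the case
        the entry describes; the fixed fold agrees with === on every sample pair.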
3503
3504 2018-06-06  Saam Barati  <sbarati@apple.com>
3505
3506         generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
3507         https://bugs.webkit.org/show_bug.cgi?id=186363
3508
3509         Rubber-stamped by Filip Pizlo.
3510
3511         The code was assuming that the object it was creating an OPC for always
3512         had a non-poly-proto structure. However, this assumption was wrong. For
3513         example, an object in the prototype chain could be poly proto. That type 
3514         of object graph would cause a crash in this code. This patch makes it so
3515         that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
3516         object as we traverse the prototype chain.
3517
3518         * bytecode/ObjectPropertyConditionSet.cpp:
3519         (JSC::generateConditionsForInstanceOf):
3520
3521 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
3522
3523         Adjust compile and runtime flags to match shippable state of features
3524         https://bugs.webkit.org/show_bug.cgi?id=186319
3525         <rdar://problem/40352045>
3526
3527         Reviewed by Maciej Stachowiak, Jon Lee, and others.
3528
3529         This patch revises the compile time and runtime state for various features to match their
3530         suitability for end-user releases.
3531
3532         * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
3533         WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
3534         Cocoa builds.
3535         * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
3536         or ENABLE_INPUT_TYPE_COLOR_POPOVER.
3537         * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
3538         at runtime for non-production builds.
3539
3540 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
3541
3542         Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
3543         https://bugs.webkit.org/show_bug.cgi?id=186286
3544         <rdar://problem/40782992>
3545
3546         Reviewed by Dan Bernstein.
3547
3548         Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
3549         to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
3550         change this flag when preparing for a production release.
3551
3552         * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
3553         whether experimental features should be enabled, and use it to properly define the
3554         feature flag.
3555
3556 2018-06-05  Darin Adler  <darin@apple.com>
3557
3558         [Cocoa] Update some JavaScriptCore code to be more ready for ARC
3559         https://bugs.webkit.org/show_bug.cgi?id=186301
3560
3561         Reviewed by Anders Carlsson.
3562
3563         * API/JSContext.mm:
3564         (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
3565         (-[JSContext setName:]): Removed unnecessary call to copy, since the
3566         JSStringCreateWithCFString function already reads the characters out
3567         of the string and does not retain the string, so there is no need to
3568         make an immutable copy. And used __bridge for typecast.
3569         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3570         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
3571         Ditto.
3572
3573         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
3574         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
3575         Use CFBridgingRelease instead of autorelease for a CF dictionary that
3576         we return as an NSDictionary.
3577
3578 2018-06-04  Keith Miller  <keith_miller@apple.com>
3579
3580         Remove missing files from JavaScriptCore Xcode project
3581         https://bugs.webkit.org/show_bug.cgi?id=186297
3582
3583         Reviewed by Saam Barati.
3584
3585         * JavaScriptCore.xcodeproj/project.pbxproj:
3586
3587 2018-06-04  Keith Miller  <keith_miller@apple.com>
3588
3589         Add test for CoW conversions in the DFG/FTL
3590         https://bugs.webkit.org/show_bug.cgi?id=186295
3591
3592         Reviewed by Saam Barati.
3593
3594         Add a function to $vm that returns a JSString containing the
3595         dataLog dump of the indexingMode of an Object.
3596
3597         * tools/JSDollarVM.cpp:
3598         (JSC::functionIndexingMode):
3599         (JSC::JSDollarVM::finishCreation):
3600
3601 2018-06-04  Saam Barati  <sbarati@apple.com>
3602
3603         Set the activeLength of all ScratchBuffers to zero when exiting the VM
3604         https://bugs.webkit.org/show_bug.cgi?id=186284
3605         <rdar://problem/40780738>
3606
3607         Reviewed by Keith Miller.
3608
3609         Simon recently found instances where we leak global objects from the
3610         ScratchBuffer. Yusuke found that we forgot to set the active length
3611         back to zero when doing catch OSR entry in the DFG/FTL. His solution
3612         to this was adding a node that cleared the active length. This is
3613         a good node to have, but it's not a complete solution: the DFG/FTL
3614         could OSR exit before that node executes, which would cause us to leak
3615         the data in it.
3616         
3617         This patch makes it so that we set each scratch buffer's active length
3618         to zero on VM exit. This helps prevent leaks for JS code that eventually
3619         exits the VM (which is essentially all code on the web and all API users).
3620
3621         * runtime/VM.cpp:
3622         (JSC::VM::clearScratchBuffers):
3623         * runtime/VM.h:
3624         * runtime/VMEntryScope.cpp:
3625         (JSC::VMEntryScope::~VMEntryScope):
3626
3627 2018-06-04  Keith Miller  <keith_miller@apple.com>
3628
3629         JSLock should clear last exception when releasing the lock
3630         https://bugs.webkit.org/show_bug.cgi?id=186277
3631
3632         Reviewed by Mark Lam.
3633
3634         If we don't clear the last exception we essentially leak the
3635         object and everything referenced by it until another exception is
3636         thrown.
3637
3638         * runtime/JSLock.cpp:
3639         (JSC::JSLock::willReleaseLock):
3640
3641 2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3642
3643         Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
3644         https://bugs.webkit.org/show_bug.cgi?id=180248
3645
3646         Reviewed by Sam Weinig.
3647
3648         As a final step, this patch removes ListableHandler from JSC.
3649         Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.
3650
3651         * CMakeLists.txt:
3652         * JavaScriptCore.xcodeproj/project.pbxproj:
3653         * heap/Heap.h:
3654         * heap/ListableHandler.h: Removed.
3655
3656 2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3657
3658         LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
3659         https://bugs.webkit.org/show_bug.cgi?id=186223
3660
3661         Reviewed by Keith Miller.
3662
3663         After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
3664         It makes this buffer a conservative GC root, and allows it to hold GC objects unnecessarily long.
3665
3666         This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
3667         We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
3668         this ClearCatchLocals valid.
3669
3670         The existing tests for ExtractCatchLocal just pass.
3671
3672         * dfg/DFGAbstractHeap.h:
3673         * dfg/DFGAbstractInterpreterInlines.h:
3674         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3675         * dfg/DFGByteCodeParser.cpp:
3676         (JSC::DFG::ByteCodeParser::parseBlock):
3677         * dfg/DFGClobberize.h:
3678         (JSC::DFG::clobberize):
3679         * dfg/DFGDoesGC.cpp:
3680         (JSC::DFG::doesGC):
3681         * dfg/DFGFixupPhase.cpp:
3682         (JSC::DFG::FixupPhase::fixupNode):
3683         * dfg/DFGMayExit.cpp:
3684         * dfg/DFGNodeType.h:
3685         * dfg/DFGOSREntry.cpp:
3686         (JSC::DFG::prepareCatchOSREntry):
3687         * dfg/DFGPredictionPropagationPhase.cpp:
3688         * dfg/DFGSafeToExecute.h:
3689         (JSC::DFG::safeToExecute):
3690         * dfg/DFGSpeculativeJIT.cpp:
3691         (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
3692         * dfg/DFGSpeculativeJIT.h:
3693         * dfg/DFGSpeculativeJIT32_64.cpp:
3694         (JSC::DFG::SpeculativeJIT::compile):
3695         * dfg/DFGSpeculativeJIT64.cpp:
3696         (JSC::DFG::SpeculativeJIT::compile):
3697         * ftl/FTLCapabilities.cpp:
3698         (JSC::FTL::canCompile):
3699         * ftl/FTLLowerDFGToB3.cpp:
3700         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3701         (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):
3702
3703 2018-06-02  Darin Adler  <darin@apple.com>
3704
3705         [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
3706         https://bugs.webkit.org/show_bug.cgi?id=186227
3707
3708         Reviewed by Dan Bernstein.
3709
3710         * API/JSContext.mm:
3711         (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
3712         * API/JSValue.mm:
3713         (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
3714         (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
3715         ARC-compatible, but more efficient.
3716         (valueToString): Use CFBridgingRelease instead of autorelease.
3717
3718 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
3719
3720         [ESNext][BigInt] Implement support for addition operations
3721         https://bugs.webkit.org/show_bug.cgi?id=179002
3722
3723         Reviewed by Yusuke Suzuki.
3724
3725         This patch implements support for BigInt operands in the binary "+"
3726         and binary "-" operators. Right now, we have limited support in the DFG
3727         and FTL JIT layers, but we plan to fix this support in future
3728         patches.
3729
3730         * jit/JITOperations.cpp:
3731         * runtime/CommonSlowPaths.cpp:
3732         (JSC::SLOW_PATH_DECL):
3733         * runtime/JSBigInt.cpp:
3734         (JSC::JSBigInt::parseInt):
3735         (JSC::JSBigInt::stringToBigInt):
3736         (JSC::JSBigInt::toString):
3737         (JSC::JSBigInt::multiply):
3738         (JSC::JSBigInt::divide):
3739         (JSC::JSBigInt::remainder):
3740         (JSC::JSBigInt::add):
3741         (JSC::JSBigInt::sub):
3742         (JSC::JSBigInt::absoluteAdd):
3743         (JSC::JSBigInt::absoluteSub):
3744         (JSC::JSBigInt::toStringGeneric):
3745         (JSC::JSBigInt::allocateFor):
3746         (JSC::JSBigInt::toNumber const):
3747         (JSC::JSBigInt::getPrimitiveNumber const):
3748         * runtime/JSBigInt.h:
3749         * runtime/JSCJSValueInlines.h:
3750         * runtime/Operations.cpp:
3751         (JSC::jsAddSlowCase):
3752         * runtime/Operations.h:
3753         (JSC::jsSub):
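
        As an added illustration of the operand rules this entry refers to (example code, not JavaScriptCore's
        own jsAddSlowCase or jsSub), here is a JavaScript model of the ECMAScript semantics for binary "+"
        and "-" with BigInt operands: string concatenation wins for "+", both operands are converted with
        ToNumeric, and mixing a BigInt with a Number is a TypeError. The helper names (toPrimitive,
        toNumeric, jsAdd, jsSub, throwsTypeError) are invented for this example, and the ToPrimitive model
        is simplified (no Symbol.toPrimitive handling).

```javascript
// Added example (not JavaScriptCore code): a model of how binary "+" and "-"
// dispatch on BigInt versus Number operands per the ECMAScript specification.

// Simplified ToPrimitive: primitives pass through, objects try valueOf then
// toString (or the reverse for a "string" hint). Symbol.toPrimitive is omitted.
function toPrimitive(v, hint) {
  if (v === null || (typeof v !== 'object' && typeof v !== 'function')) return v;
  const order = hint === 'string' ? ['toString', 'valueOf'] : ['valueOf', 'toString'];
  for (const name of order) {
    const fn = v[name];
    if (typeof fn === 'function') {
      const r = fn.call(v);
      if (r === null || (typeof r !== 'object' && typeof r !== 'function')) return r;
    }
  }
  throw new TypeError('Cannot convert object to primitive value');
}

// ToNumeric: a BigInt stays a BigInt; everything else becomes a Number.
function toNumeric(v) {
  const p = toPrimitive(v, 'number');
  if (typeof p === 'bigint') return p;
  return Number(p);
}

// Binary "+": if either primitive is a string, concatenate; otherwise both
// operands go through ToNumeric and must agree on BigInt-ness.
function jsAdd(a, b) {
  const pa = toPrimitive(a, 'default');
  const pb = toPrimitive(b, 'default');
  if (typeof pa === 'string' || typeof pb === 'string') return String(pa) + String(pb);
  const na = toNumeric(pa);
  const nb = toNumeric(pb);
  if (typeof na !== typeof nb) {
    throw new TypeError('Cannot mix BigInt and other types, use explicit conversions');
  }
  return na + nb; // both BigInt or both Number
}

// Binary "-": no string case, so strings are coerced to numbers and then the
// same BigInt/Number mixing check applies.
function jsSub(a, b) {
  const na = toNumeric(a);
  const nb = toNumeric(b);
  if (typeof na !== typeof nb) {
    throw new TypeError('Cannot mix BigInt and other types, use explicit conversions');
  }
  return na - nb;
}

// Small helper for probing the error cases without crashing the caller.
function throwsTypeError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

        The interesting cases are the mixed ones: jsAdd(2n, "x") concatenates to "2x", while jsAdd(1n, 1)
        and jsSub("5", 2n) both throw a TypeError because "5" converts to the Number 5, not to a BigInt.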
3754
3755 2018-06-02  Commit Queue  <commit-queue@webkit.org>
3756
3757         Unreviewed, rolling out r232439.
3758         https://bugs.webkit.org/show_bug.cgi?id=186238
3759
3760         It breaks gtk-linux-32-release (Requested by caiolima on
3761         #webkit).
3762
3763         Reverted changeset:
3764
3765         "[ESNext][BigInt] Implement support for addition operations"
3766         https://bugs.webkit.org/show_bug.cgi?id=179002
3767         https://trac.webkit.org/changeset/232439
3768
3769 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3770
3771         Baseline op_jtrue emits an insane amount of code
3772         https://bugs.webkit.org/show_bug.cgi?id=185708
3773
3774         Reviewed by Filip Pizlo.
3775
3776         op_jtrue / op_jfalse bloat a massive amount of code. This patch attempts to reduce the size of this code by:
3777
3778         1. op_jtrue / op_jfalse immediately jump if the condition is met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
3779            to jump directly. This tightens the code.
3780
3781         2. Align our emitConvertValueToBoolean implementation to FTL's boolify function. It emits less code.
3782
3783         This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.
3784
3785         [  12] jtrue             arg1, 6(->18)
3786               0x7f233170162c: mov 0x30(%rbp), %rax
3787               0x7f2331701630: mov %rax, %rsi
3788               0x7f2331701633: xor $0x6, %rsi
3789               0x7f2331701637: test $0xfffffffffffffffe, %rsi
3790               0x7f233170163e: jnz 0x7f2331701654
3791               0x7f2331701644: cmp $0x7, %eax
3792               0x7f2331701647: setz %sil
3793               0x7f233170164b: movzx %sil, %esi
3794               0x7f233170164f: jmp 0x7f2331701705
3795               0x7f2331701654: test %rax, %r14
3796               0x7f2331701657: jz 0x7f233170169c
3797               0x7f233170165d: cmp %r14, %rax
3798               0x7f2331701660: jb 0x7f2331701675
3799               0x7f2331701666: test %eax, %eax
3800               0x7f2331701668: setnz %sil
3801               0x7f233170166c: movzx %sil, %esi
3802               0x7f2331701670: jmp 0x7f2331701705
3803               0x7f2331701675: lea (%r14,%rax), %rsi
3804               0x7f2331701679: movq %rsi, %xmm0
3805               0x7f233170167e: xorps %xmm1, %xmm1
3806               0x7f2331701681: ucomisd %xmm1, %xmm0
3807               0x7f2331701685: jz 0x7f2331701695
3808               0x7f233170168b: mov $0x1, %esi
3809               0x7f2331701690: jmp 0x7f2331701705
3810               0x7f2331701695: xor %esi, %esi
3811               0x7f2331701697: jmp 0x7f2331701705
3812               0x7f233170169c: test %rax, %r15
3813               0x7f233170169f: jnz 0x7f2331701703
3814               0x7f23317016a5: cmp $0x1, 0x5(%rax)
3815               0x7f23317016a9: jnz 0x7f23317016c1
3816               0x7f23317016af: mov 0x8(%rax), %esi
3817               0x7f23317016b2: test %esi, %esi
3818               0x7f23317016b4: setnz %sil
3819               0x7f23317016b8: movzx %sil, %esi
3820               0x7f23317016bc: jmp 0x7f2331701705
3821               0x7f23317016c1: test $0x1, 0x6(%rax)
3822               0x7f23317016c5: jz 0x7f23317016f9
3823               0x7f23317016cb: mov (%rax), %esi
3824               0x7f23317016cd: mov $0x7f23315000c8, %rdx
3825               0x7f23317016d7: mov (%rdx), %rdx
3826               0x7f23317016da: mov (%rdx,%rsi,8), %rsi
3827               0x7f23317016de: mov $0x7f2330de0000, %rdx
3828               0x7f23317016e8: cmp %rdx, 0x18(%rsi)
3829               0x7f23317016ec: jnz 0x7f23317016f9
3830               0x7f23317016f2: xor %esi, %esi
3831               0x7f23317016f4: jmp 0x7f2331701705
3832               0x7f23317016f9: mov $0x1, %esi
3833               0x7f23317016fe: jmp 0x7f2331701705
3834               0x7f2331701703: xor %esi, %esi
3835               0x7f2331701705: test %esi, %esi
3836               0x7f2331701707: jnz 0x7f233170171b
3837
3838         [  12] jtrue             arg1, 6(->18)
3839               0x7f6c8710156c: mov 0x30(%rbp), %rax
3840               0x7f6c87101570: test %rax, %r15
3841               0x7f6c87101573: jnz 0x7f6c871015c8
3842               0x7f6c87101579: cmp $0x1, 0x5(%rax)
3843               0x7f6c8710157d: jnz 0x7f6c87101592
3844               0x7f6c87101583: cmp $0x0, 0x8(%rax)
3845               0x7f6c87101587: jnz 0x7f6c87101623
3846               0x7f6c8710158d: jmp 0x7f6c87101615
3847               0x7f6c87101592: test $0x1, 0x6(%rax)
3848               0x7f6c87101596: jz 0x7f6c87101623
3849               0x7f6c8710159c: mov (%rax), %esi
3850               0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
3851               0x7f6c871015a8: mov (%rdx), %rdx
3852               0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
3853               0x7f6c871015af: mov $0x7f6c867e0000, %rdx
3854               0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
3855               0x7f6c871015bd: jnz 0x7f6c87101623
3856               0x7f6c871015c3: jmp 0x7f6c87101615
3857               0x7f6c871015c8: cmp %r14, %rax
3858               0x7f6c871015cb: jb 0x7f6c871015de
3859               0x7f6c871015d1: test %eax, %eax
3860               0x7f6c871015d3: jnz 0x7f6c87101623
3861               0x7f6c871015d9: jmp 0x7f6c87101615
3862               0x7f6c871015de: test %rax, %r14
3863               0x7f6c871015e1: jz 0x7f6c87101602
3864               0x7f6c871015e7: lea (%r14,%rax), %rsi
3865               0x7f6c871015eb: movq %rsi, %xmm0
3866               0x7f6c871015f0: xorps %xmm1, %xmm1
3867               0x7f6c871015f3: ucomisd %xmm1, %xmm0
3868               0x7f6c871015f7: jz 0x7f6c87101615
3869               0x7f6c871015fd: jmp 0x7f6c87101623
3870               0x7f6c87101602: mov $0x7, %r11
3871               0x7f6c8710160c: cmp %r11, %rax
3872               0x7f6c8710160f: jz 0x7f6c87101623
3873
3874         * dfg/DFGSpeculativeJIT32_64.cpp:
3875         (JSC::DFG::SpeculativeJIT::emitBranch):
3876         * dfg/DFGSpeculativeJIT64.cpp:
3877         (JSC::DFG::SpeculativeJIT::emitBranch):
3878         * jit/AssemblyHelpers.cpp:
3879         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
3880         (JSC::AssemblyHelpers::branchIfValue):
3881         * jit/AssemblyHelpers.h:
3882         (JSC::AssemblyHelpers::branchIfTruthy):
3883         (JSC::AssemblyHelpers::branchIfFalsey):
3884         * jit/JIT.h:
3885         * jit/JITInlines.h:
3886         (JSC::JIT::addJump):
3887         * jit/JITOpcodes.cpp:
3888         (JSC::JIT::emit_op_jfalse):
3889         (JSC::JIT::emit_op_jtrue):
3890         * jit/JITOpcodes32_64.cpp:
3891         (JSC::JIT::emit_op_jfalse):
3892         (JSC::JIT::emit_op_jtrue):
3893
3894 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3895
3896         [JSC] Remove WeakReferenceHarvester
3897         https://bugs.webkit.org/show_bug.cgi?id=186102
3898
3899         Reviewed by Filip Pizlo.
3900
3901         After several cleanups, JSWeakMap is now the last user of WeakReferenceHarvester.
3902         Since JSWeakMap is already managed in IsoSubspace, we can iterate marked JSWeakMap
3903         by using output constraints & Subspace iteration.
3904
3905         This patch removes WeakReferenceHarvester. Instead of managing this linked-list, our
3906         output constraint set iterates marked JSWeakMap by using Subspace.
3907
3908         We also add locking for JSWeakMap's rehash and output constraint visiting.
3909
3910         Attached microbenchmark&